9a Internal Audits Completed for 2019 Presentation
Financial Stewardship, Accountability, Transparency, Operational Excellence, Governance

Item No. 9a
Meeting Date: December 10, 2019

2019 Summary of Internal Audits
Glenn Fernandes - Director, Internal Audit
December 10, 2019
Pier 69, Commission Chambers
12:00 PM - 5:00 PM

2019 Audit Committee
- Commissioner Peter Steinbrueck, Committee Chair
- Commissioner Ryan Calkins, Committee Member
- Christina Gehrke, Committee Public Member

About Internal Audit
Internal Audit conducts independent, objective, risk-based audits of the Port's operations, activities and vendors. Our audits add value by helping the Port achieve its mission and result in: financial stewardship, accountability, transparency, governance, and operational excellence. Internal Audit derives its authority from the Port Commission.

18 Audits, 1 Summary Report Completed in 2019

Limited Contract Compliance (5)
- Sixt Rent A Car
- EAN Holdings, LLC
- Anton Airfood of Seattle, Inc.
- Mad Anthony's, Inc.
- Airport Tenant Marketing Program

Operational (8)
- Airport Employee Access [1]
- Diversity in Contracting
- Marine Maintenance Shop
- Architectural and Engineering Consultant Rates
  Capital:
  - Checked Baggage Optimization Project (Phase 1)
  - Noise Insulation Program
  - Concourse D Hardstand Holdroom
  - Shilshole Bay Marina Customer Facilities Project

Information Technology (6)
- Security of Personally Identifiable Information [1]
- HIPAA Security Compliance [1]
- HIPAA Privacy and Breach Compliance
- Closed Network System Security [1]
- Inventory and Control of Hardware Assets [1]
- Payment Card Industry (PCI) [1][2]

[1] Security Sensitive - Exempt from public disclosure per RCW 42.56.420.
[2] This work was performed by an outside firm. Internal Audit provided a summary report to the Audit Committee.

Key Themes
- 2019 Audits identified 13 High Risk and 29 Medium Risk issues for management action
- The Port has opportunities to strengthen internal controls and related processes
- Capital Spending - Opportunities to reduce costs / be more efficient

Highlighted Audits

Operational:
1) Marine Maintenance Shop
2) Airport Employee Access [1]
3) Architectural and Engineering Consultant Rates

Capital:
4) Noise Insulation Program
5) Concourse D Hardstand Holdroom

IT:
6) Closed Network System Security [1]
7) HIPAA Security Compliance [1]
8) HIPAA Privacy and Breach Compliance
9) Inventory and Control of Hardware Assets [1]

[1] Security Sensitive - Exempt from public disclosure per RCW 42.56.420

Operational - Marine Maintenance Shop
(High) - Management self-identified that a process to issue and track keys and badges needs to be developed. Marine Maintenance has the ability to issue badges that allow individuals to access secure Maritime facilities.
- Comprehensive list of physical access points did not exist
- Segregation of duties for authorization, custody, distribution did not exist
- Badges of terminated employees were still active
- Badge applications, showing authorization, not retained
- Policies and procedures not established
Status: In process, with both short term and long term deliverables.

Operational - Marine Maintenance Shop
(High) - Safeguards and controls have not been designed and implemented to monitor and account for fuel and fleet usage. As a result, an $86,000 fuel adjustment was made to the ending 2018 fuel balance. The cause of the adjustment was not known.
Status: Immediate detective controls implemented. Longer term controls in process.

Operational - Architectural and Engineering Consultant Rates
(High) - CPO had not established guidelines for what is determined fair and reasonable. Our testing of over 400 A&E consultants identified many instances where profit margins exceed what the industry deemed reasonable.
The table below reflects the profit margins of the firms tested:
[Note: Industry standard ranges between 10-15 percent.]

Profit             Number of Consultants
10% and below      139
11-19%             81
20-29%             79
30-39%             60
40-49%             30
Above 50%          18

Status: Forthcoming

Operational - Architectural and Engineering Consultant Rates
(High) - Management approval was not required when hourly rates exceeded the maximum rates produced by the service rate negotiation tool / model.
The table below reflects the number of positions that exceeded the maximum and the amount that the Port agreed to pay over the maximum rate for every hour worked:

Positions    Amount over the Maximum (+2%)
31           $51.05 - $175.03
32           $21.20 - $48.05
103          $.17 - $19.98
166          (total)

Status: Forthcoming

Operational - Architectural and Engineering Consultant Rates
(High) - A reconciliation between the final negotiated rates and the contract did not occur. As a result, we were unable to verify that all positions and rates reflected in the contract were accurate.
The table below reflects the type and number of exceptions:

Type of exception                                        Number
Position on contract did not exist on the rate tool      108
Rate on rate tool did not agree to the contract          40
Position on rate tool did not exist on the contract      20
Total                                                    168

Status: Forthcoming

Operational - Architectural and Engineering Consultant Rates
(Medium) - The Central Procurement Office is responsible for procuring all contracts related to public works, consulting services, and goods and services. Governance meetings, for Executive Leadership Team (ELT) oversight of CPO, had not occurred since December 7, 2017.
Status: Forthcoming

Capital - Noise Insulation Program
(High) - The Port's controls related to the review of Job Order Contract work proposed and performed by a Job Order Contractor were not functioning effectively. As a result, the Contractor billed the Port an unreasonably high amount and may have billed for more work than was performed.
- Contractor charged the Port a 51% average mark-up
- Assuring line items and quantities proposed are appropriate requires a diligent review and necessitates questioning items that appear inaccurate
- Our work indicated a reasonableness review was not always performed
Status: Immediate review controls have been implemented. Long Term controls in process.

Capital - Concourse D Hardstand Holdroom
(Medium) - The Port's consultant did not have adequate knowledge of airport building requirements, which resulted in the design/concept drawings including a building type that was not allowed in airport terminals. The Consultant's error on the design/concept drawings resulted in additional costs to the Port of $142,654.
Status: Management is pursuing collection

Capital - Concourse D Hardstand Holdroom
(Medium) - The Contract restricted the Port's ability to audit all contractor and subcontractor records within the lump sum contract. The audit clause only allowed audit of documents related to changes. When audit clauses are restrictive, there is an inherent risk that the Port may end up paying additional costs or not receive expected deliverables, without detection.
Status: In process

IT Audit - HIPAA Privacy and Breach Compliance
(High) - The Port had not designated itself as a hybrid entity for the purposes of the HIPAA Rule. The Port had not defined what units within the Port were part of the designated health care component.
Status: In process - expected completion is 12/31/2019

Limited Contract Compliance
- Self reported revenue from concessionaires and rental car companies
- Audits focus on compliance with concession agreement

Audits    Underreported Revenue    Due to Port
4         $669,475                 $70,435

2020 Audit Strategy
- Continue with current course on Limited Contract Compliance Audits
- Continue to enhance our operational / performance audit approach
- Emphasize controls surrounding capital spending