Internal Audit Presentation
Financial Stewardship Accountability Transparency Port of Seattle Audit Committee Internal Audit Update Glenn Fernandes - Director, Internal Audit June 11, 2020 Remote Meeting 1:00 PM 3:00 PM Operational Excellence Governance 2020 Audit Plan Update Guiding Principles COVID-19 impact on Port businesses and resources Internal Audit value proposition to respond to COVID-19 impact Advisory (Consulting) Services where needed Professional Standards Advisory (Consulting) Services Generally Accepted Government Auditing Standards (GAGAS) International Professional Practices Framework (IPPF) 2 2020 Audit Plan Proposed Modifications Limited Contract Compliance Operational Information Technology Lenlyn Limited1 Equipment Acquisition, Monitoring & Network Password Management Concourse Concessions, LLS Disposal Secure Configuration for Hardware and McDonald's USA, LLC Ground Transportation Taxi Cabs Software on Mobile Devices, Laptops, Concessions Int'l, INC1 Cash Controls Workstations and Servers Fireworks Outside Services (Professional) 1 T2 Airport Garage Parking System Qdoba Restaurant Corporation Interlocal Agreement Mapping Replacement1 E-Z Rent A Car Delegation of Authority Compliance5 Inventory & Control of Software Assets Capital Biometrics4 Service Tunnel Renewal/Replace Malware Defenses (ICT) Central Terminal Infrastructure Upgrade ____________________________ North Terminal Utilities Upgrade Phase Payment Card Industry (PCI) - Qualified 11 Security Assessor2 AOA Perimeter Fence Line Standards Criminal Justice Information Services Compliance (CJIS)3 1 Due to the COVID-19 Pandemic, these audits will be deferred to the 2021 Audit Plan. 4. This is a focused analysis, not an audit, accordingly we will issue a Memo. 2 This work will be performed by an outside firm. Internal Audit will provide a summary report to the Audit Committee. 5. This is a contingency audit that was approved by the Audit Committee in December of 2019. 3 This work will be performed by the Washington State Patrol. Internal Audit will provide a summary report to the Audit Committee. 3 2020 AUDIT PLAN STATUS Audit Title Type Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Cash Controls Operational Equipment Acquisition, Monitoring and Disposal Operational Network Password Management IT McDonald's USA, LLC Contract Compliance Service Tunnel Renewal/Replace Project Operational - Capital Interlocal Agreement Mapping1 Operational Qdoba Restaurant Corporation Contract Compliance E-Z Rent A Car Contract Compliance Fireworks Contract Compliance AOA Perimeter Fence Line Standards Compliance Operational - Capital Secure Configuration for Hardware and Software on Mobile Devices, IT Laptops, Workstations and Servers Concourse Concessions, LLS Contract Compliance Payment Card Industry (PCI)-Qualified Security Assessor IT Criminal Justice Information Services (CJIS) IT Malware Defenses (ICT only)2 IT Ground Transportation-Taxi Cabs Operational Delegation of Authority Compliance2 Operational Biometrics Population IT Central Terminal Infrastructure Upgrade Operational - Capital Inventory and Control of Software Assets IT Outside Services (Professional) Operational North Terminal Utilities Upgrade-Phase 1 Operational - Capital Lenlyn Limited Contract Compliance Concessions Int'l, INC Contract Compliance T2 Airport Garage Parking System Replacement IT Complete In Process KEY Not Started Defer to 2021 Note 1: Advisory Services Project added per the Commission's request Note 2: Contingency audit approved by the Audit Committee in December of 2019 4 2021 Audits Potential New Audits & Carryover Audits BlackLimited Contract Compliance Operational Information Technology Lenlyn Limited1 Outside Services (Professional)1 T2 Airport Garage Parking Concessions Int'l, INC1 Rent & Concession Deferral System Replacement1 Recovery2 Malware Defenses (Aviation)1 Capitalization of Assets2 Capital North Terminal Utilities Upgrade Phase 11 1 Audits deferred to 2021 from 2020 due to COVID-19 Pandemic. 2 Potential audits considered for 2021. 5 Open Issue Follow-Up Status Aging Report as of June 10, 2020 *1 Two issues outstanding more than two years are: Fishing & Commercial Operations Manual Billing Process at Risk of Error To be built in house - Vendor proposals did not support PCI/cloud based. IT Disaster Recovery Capability (Security Sensitive) Exempt from Public Disclosure per RCW 42.56.420 Issue Not Discussed in Public Session. *2 Four IT issues do not have Target Dates and are not included in this chart. These issues are in the process of being addressed, however, three are 1-2 years past the Report Date, and one is more than 2 years past the Report Date. . See Appendix A for a detail listing of outstanding issues aging as of June 10, 2020 6 Audits Completed 1) Qdoba Restaurant Corporation No issues noted (not discussed) 7 Appendix A Aging of Outstanding Issues as of June 10, 2020 8 Appendix A Aging of the Outstanding Issues as of June 10, 2020 Operational, Capital, Information Technology, and Limited Contract Compliance Audits Months/Years Months/Years Days Outstanding Outstanding Days Outstanding Outstanding Type Audit Description Rating Report Date Target Date (from Report Date) (from Report Date) (from Target Date) (from Target Date) Operational Fishing & Commercial Operations Manual Billing Process at Risk of Error High 2/23/2018 3/31/2019 838 More than 2 years 437 1-2 years IT AVM/F&I Data Centers Physical Access to Facilities High 12/4/2018 No Date Supplied 554 1-2 years N/A N/A IT AVM/F&I Data Centers Protection Against Environmental Factors High 12/4/2018 No Date Supplied 554 1-2 years N/A N/A IT Security of PII Security Sensitive High 2/26/2019 12/31/2019 470 1-2 years 162 0-6 months Operational Marine Maintenance Fleet and Fuel High 6/14/2019 12/31/2023 362 6-12 months -1299 Not Due Operational Marine Maintenance Keys and Badges High 6/14/2019 12/31/2023 362 6-12 months -1299 Not Due IT HIPAA Security Security Sensitive High 9/4/2019 7/31/2020 280 6-12 months -51 Not Due IT HIPAA Security Security Sensitive High 9/4/2019 7/31/2020 280 6-12 months -51 Not Due Operational Airport Employee Access Security Sensitive High 9/5/2019 6/30/2020 279 6-12 months -20 Not Due IT Closed Network System Security Security Sensitive High 9/5/2019 12/31/2019 279 6-12 months 162 0-6 months Operational Architecture & Engineering Determine Fair and Reasonable High 12/9/2019 6/30/2020 184 6-12 months -20 Not Due Operational Architecture & Engineering Management Review Over Max High 12/9/2019 6/30/2020 184 6-12 months -20 Not Due Operational Architecture & Engineering Contract Accuracy High 12/9/2019 6/30/2020 184 6-12 months -20 Not Due IT IT Disaster Recovery Capability Security Sensitive Medium 11/29/2017 No Date Supplied 924 More than 2 years N/A N/A IT AVM/F&I Data Centers Physical Facilities Management Medium 12/4/2018 No Date Supplied 554 1-2 years N/A N/A IT IT Change Mgmt & Patch Mgmt Security Sensitive Medium 12/4/2018 6/30/2019 554 1-2 years 346 6-12 months IT Security of PII Security Sensitive Medium 2/26/2019 12/31/2019 470 1-2 years 162 0-6 months IT Security of PII Security Sensitive Medium 2/26/2019 3/31/2020 470 1-2 years 71 0-6 months Capital Concourse D Hardstand Holdroom Audit Clause Restriction Medium 9/3/2019 12/31/2019 281 6-12 months 162 0-6 months Capital Concourse D Hardstand Holdroom Designer Error & Omission Medium 9/3/2019 12/31/2019 281 6-12 months 162 0-6 months IT HIPAA Security Security Sensitive Medium 9/4/2019 7/31/2020 280 6-12 months -51 Not Due IT HIPAA Security Security Sensitive Medium 9/4/2019 7/31/2020 280 6-12 months -51 Not Due IT Closed Network System Security Security Sensitive Medium 9/5/2019 3/31/2020 279 6-12 months 71 0-6 months IT Closed Network System Security Security Sensitive Medium 9/5/2019 3/31/2020 279 6-12 months 71 0-6 months IT Closed Network System Security Security Sensitive Medium 9/5/2019 6/30/2020 279 6-12 months -20 Not Due IT Closed Network System Security Security Sensitive Medium 9/5/2019 12/31/2020 279 6-12 months -204 Not Due IT Inventory and Control of HW Assets Security Sensitive Medium 11/12/2019 6/30/2023 211 6-12 months -1115 Not Due Operational Architecture & Engineering Governance Medium 12/9/2019 6/30/2020 184 6-12 months -20 Not Due Operational Equipment Monitoring & Disposal Monitoring of Theft Sensitive Assets Medium 3/11/2020 6/1/2020 91 0-6 months 9 0-6 months IT Network Password Management Security Sensitive Medium 3/20/2020 12/31/2020 82 0-6 months -204 Not Due IT Network Password Management Security Sensitive Medium 3/20/2020 9/30/2020 82 0-6 months -112 Not Due IT Network Password Management Security Sensitive Medium 3/20/2020 12/31/2020 82 0-6 months -204 Not Due Operational Cash Controls Seg. of Duties - Fish Term. & Shilshole Medium 3/25/2020 6/30/2020 77 0-6 months -20 Not Due Operational Cash Controls Procedures - Airport Lost and Found Medium 3/25/2020 6/30/2020 77 0-6 months -20 Not Due Operational Equipment Monitoring & Disposal Asset Disposal Process Low 3/11/2020 3/11/2020 91 0-6 months 91 0-6 months IT Network Password Management Security Sensitive Low 3/20/2020 12/31/2020 82 0-6 months -204 Not Due 9
Limitations of Translatable Documents
PDF files are created with text and images are placed at an exact position on a page of a fixed size.
Web pages are fluid in nature, and the exact positioning of PDF text creates presentation problems.
PDFs that are full page graphics, or scanned pages are generally unable to be made accessible, In these cases, viewing whatever plain text could be extracted is the only alternative.