Internal Audit Presentation, Updates and Approvals
Port of Seattle Audit Committee
Internal Audit Update
Glenn Fernandes - Director, Internal Audit
September 24, 2020, Remote Meeting, 1:30 PM - 3:00 PM
Financial Stewardship, Accountability, Transparency, Operational Excellence, Governance

Internal Audit Budget - Key Elements
- Staffing
- Required Training
2021 Principles:
- Follow Port guidelines
- Freeze open positions until 2022
- Conduct all required training locally

Internal Audit Organization Structure
[Note: Vacant position will be placed in the 2022 budget.]

Department Overview
- Internal Audit, through an annual audit plan, provides assurance that the Port's controls are effective and efficient.
- The department provides material for, and facilitates four public Audit Committee meetings per year.
- The department also provides advisory services to the Port, to the extent that it does not compromise the department's independence.
- The department maintains its independence and objectivity by reporting administratively to the Executive Director and functionally to the Audit Committee.

Employee Training & Development

| Related Travel & Other Employee Expenses | 2020 Revised Budget | 2021 Budget | Notes |
|---|---|---|---|
| Air Fare | $4,300 | $0 | No travel planned in 2021 |
| Lodging & Other Travel | $6,020 | $0 | |
| Employee Food & Beverage | $2,035 | $0 | |
| Local Transportation | $1,230 | $360 | Travel to audit sites & training |
| Registration/Seminar Fees | $22,040 | $14,735 | CPE training only |
| Membership Dues & Fees | $5,570 | $5,637 | Professional memberships |
| Management Education Expense | $0 | $0 | |
| Subscriptions | $420 | $0 | |
| Employee Recognition | $0 | $0 | |
| Retiree Recognition - HR Only | $0 | $0 | |
| Tuition Reimbursement - HR Only | $0 | $0 | |
| Total | $41,615 | $20,732 | |

Budget Overview

| Expense Category | 2018 Actual | 2019 Actual | 2020 Orig. Budget | 2020 Forecast | 2021 Budget | Change from 2020 Forecast ($) | Change from 2020 Forecast (%) |
|---|---|---|---|---|---|---|---|
| Salaries & Benefits | $1,298,040 | $1,291,372 | $1,686,670 | $1,593,289 | $1,605,524 | $(12,235) | -0.8% |
| Equipment | $4,773 | $6,925 | $4,321 | $1,372 | $170 | $1,202 | 87.6% |
| Utilities | $- | $- | $- | $- | $- | $- | 0.0% |
| Supplies & Stock | $682 | $649 | $600 | $1,440 | $351 | $1,089 | 75.6% |
| Outside Services | $174,640 | $111,531 | $2,130 | $2,130 | $1,558 | $572 | 26.9% |
| Travel & Employee | $36,009 | $30,858 | $41,615 | $19,010 | $20,732 | $(1,722) | -9.1% |
| Promotional | $150 | $- | $300 | $- | $- | $- | 0.0% |
| General | $986 | $2,680 | $760 | $660 | $320 | $340 | 51.5% |
| Other | $5,348 | $6,199 | $12,672 | $6,410 | $7,911 | $(1,501) | -23.4% |
| Total O&M Expenses | $1,520,628 | $1,450,214 | $1,749,068 | $1,624,311 | $1,636,566 | $(12,255) | -0.8% |

Internal Audit Charter Update
- International Standards for the Professional Practice of Internal Auditing (Standard 1000) require periodic review of the Internal Audit Charter.
- Internal Audit activity is formally defined in the Charter.
- Periodic review process in place to assure that the Charter is still relevant and reflects our department's activities.
- Commission's approval following the Executive Director's review and approval.

Internal Audit Charter Update (continued)
Highlights of this year's updates include:
- Mission & Scope of Work: The verbiage was updated to be consistent with Internal Audit's Mission as posted internally on the Port's Compass website. Directionally, it is very similar.
- Independence & Objectivity: Some of the verbiage, using technical terms, was confusing. The verbiage was simplified to allow for a layman to understand it better.
- Signatories: The original Charter did not have both voting members of the Audit Committee sign the document. Internal Audit felt it more appropriate to have both Commissioners on the Audit Committee sign the Charter.

2020 Audit Plan Update
New Audit
Action to respond to/mitigate emerging risks:
- Public Health Emergency Leave Program (PHEL) Audit per HR request

2020 Audit Plan Approved Modifications

Limited Contract Compliance
- Lenlyn Limited [1]
- Concourse Concessions, LLC
- McDonald's USA, LLC
- Concessions Int'l, INC [1]
- Fireworks Galleries, LLC
- Qdoba Restaurant Corporation
- E-Z Rent A Car, Incorporated

Operational
- Equipment Acquisition, Monitoring & Disposal
- Ground Transportation Taxi Cabs
- Cash Controls
- Outside Services (Professional) [1]
- Interlocal Agreement Mapping
- Delegation of Authority
- Public Health Emergency Leave Program (PHEL) [6]

Information Technology
- Network Password Management
- Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
- T2 Airport Garage Parking System Replacement [1]
- Inventory & Control of Software Assets
- Biometrics [1]
- Malware Defenses (ICT)
- Payment Card Industry (PCI) - Qualified Security Assessor [2]
- Criminal Justice Information Systems (CJIS) [3]

Capital
- Service Tunnel Renewal/Replace Project
- Central Terminal Infrastructure Upgrade
- North Terminal Utilities Upgrade Phase 1 [1]
- AOA Perimeter Fence Line Standards Project

[1] Due to the COVID-19 Pandemic, these audits will be deferred to the 2021 Audit Plan.
[2] This work will be performed by an outside firm. Internal Audit will provide a summary report to the Audit Committee.
[3] This work will be performed by the Washington State Patrol. Internal Audit will provide a summary report to the Audit Committee.
[4] This is a focused analysis, not an audit, accordingly we issued a Memo.
[5] This is a contingency audit that was approved by the Audit Committee in December 2019.
[6] Added per HR request.

2020 Audit Plan Status

| Audit Title | Type |
|---|---|
| Cash Controls | Operational |
| Equipment Acquisition, Monitoring and Disposal | Operational |
| Network Password Management | IT |
| McDonald's USA, LLC | Contract Compliance |
| Service Tunnel Renewal/Replace Project | Operational - Capital |
| Interlocal Agreement Mapping [1] | Operational |
| E-Z Rent A Car, Incorporated | Contract Compliance |
| Qdoba Restaurant Corporation | Contract Compliance |
| Fireworks Galleries, LLC | Contract Compliance |
| Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers | IT |
| Concourse Concessions, LLC | Contract Compliance |
| AOA Perimeter Fence Line Standards Project | Operational - Capital |
| Payment Card Industry (PCI)-Qualified Security Assessor | IT |
| Criminal Justice Information Systems (CJIS) | IT |
| Malware Defenses (ICT only) [2] | IT |
| Public Health Emergency Leave Program (PHEL) [3] | Operational |
| Delegation of Authority [2] | Operational |
| Central Terminal Infrastructure Upgrade | Operational - Capital |
| Ground Transportation-Taxi Cabs | Operational |
| Inventory and Control of Software Assets | IT |
| Biometrics | IT |
| Outside Services (Professional) | Operational |
| North Terminal Utilities Upgrade - Phase 1 | Operational - Capital |
| Lenlyn Limited | Contract Compliance |
| Concessions Int'l, INC | Contract Compliance |
| T2 Airport Garage Parking System Replacement | IT |

Key: Complete, In Process, Defer to 2021 (the Jan-Dec timeline and the status shading for each audit are not reproduced in this text).

Note 1: Advisory Services Project added per the Commission's request.
Note 2: Contingency audit approved by the Audit Committee in December of 2019.
Note 3: Added per HR request.

2021 Audits
Potential New Audits & Carryover Audits

Limited Contract Compliance
- Lenlyn Limited [1]
- Concessions Int'l, INC [1]

Operational
- Outside Services (Professional) [1]
- Rent & Concession Deferral Recovery [2]
- Capitalization of Assets [2]
- Art Program [2]
- South King County Fund [2]

Information Technology
- T2 Airport Garage Parking System Replacement [1]
- Malware Defenses (Aviation) [1]
- Biometrics [1]

Capital
- North Terminal Utilities Upgrade Phase 1 [1]

[1] Audits deferred to 2021 from 2020 due to COVID-19 Pandemic.
[2] Potential audits considered for 2021.

[Note: As staff completes the 2020 Audit Plan, the Director will efficiently utilize staff time by assigning audits from the Potential 2021 Audits listed above.]

Open Issue Follow-Up Status
Aging Report as of September 23, 2020

*1 Two issues outstanding for more than two years are:
- Fishing & Commercial Operations - Manual Billing Process at Risk of Error. To be built in house - Vendor was unable to meet ICT requirements.
- IT Disaster Recovery Capability (Security Sensitive) - Exempt from Public Disclosure per RCW 42.56.420. Issue Not Discussed in Public Session.

*2 Four IT issues do not have Target Dates and are not included in this chart. These issues are in the process of being addressed; however, three are 1-2 years past the Report Date.

See Appendix A for a detailed listing of outstanding issues aging as of September 23, 2020.

Audits Completed:
1) AOA Perimeter Fence Line Standards Project
2) Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers*
3) Malware Defenses (ICT)*
4) Payment Card Industry (PCI) Qualified Security Assessor [1]
5) Criminal Justice Information Systems (CJIS)* [2]
6) E-Z Rent A Car, Incorporated
7) Concourse Concessions, LLC
8) Fireworks Galleries, LLC

* Security Sensitive - Exempt from Public Disclosure per RCW 42.56.420. Report Not Discussed in Public Session.
[1] The PCI Assessment for 2020 was completed by an external consultant, MegaplanIT, L.L.C, engaged by Information Security. Internal Audit reports a summary of the audit results to the Audit Committee. In 2021, Internal Audit will complete this assessment.
[2] The CJIS audit is performed by the Washington State Patrol. Internal Audit reports a summary of the audit results to the Audit Committee.

AOA Perimeter Fence Line Standards Project
- Authorization in June 2017 as a Design-bid-build with lump sum project.
- Original contract sum of $4 million.
- Executed change orders and potential cost risks $573,000 and an estimated final cost of $4.6 million.
- Approved contractual substantial completion date of 4/7/2020.
- Forecasted substantial completion date of 9/30/2020.
- Scope of Project - To replace approximately 8,100 linear feet of 7-foot AOA perimeter fence with 12-foot plus 1-foot of barbed wire at the top.
- Audit Objective - To assess the quality of the Port's monitoring of the Project to assure it is meeting project management standards in an efficient and effective manner.

1) Rating: Medium
The Contractor's lack of experience with the Port's contract provisions and inadequate management of the Project resulted in critical milestones not being met, negatively impacting the completion dates.
- Contract terms required Substantial Completion by October 9, 2019.
- Current contract extended Substantial Completion to April 7, 2020.
- Management anticipates Substantial Completion to occur by the end of September 2020.
- Port-caused delays included design errors and scope changes.
- Contractor-caused delays included the lack of timely development of fall protection compliance documents, inexperience with the Port's contract provisions, and inadequate managing of the Project.
- The Contract allows the Port to pursue liquidated damages of $1,207 per day after the Substantial Completion date and, starting 60 days after Substantial Completion, $323 per day until Physical Completion is met.

Recommendation
Upon completion of Project, Port management should calculate and pursue liquidated damages from the Contractor.

2) Rating: Medium
The Port's processes, during the design phase, can be strengthened to decrease the potential for errors in drawings and scope changes, to avoid additional project costs, and to reduce the need to extend the Project's completion date.
- In-house design team used to prepare Project's drawings.
- Port had 17 approved change orders.
- Port errors resulted in additional costs of $157,016 and 56 contract extension days.

| Approved Justification Code Summary | No. of CO's | Amount | Contract Extension |
|---|---|---|---|
| Error/Omission Designer | 7 | $150,600 | 56 |
| Error/Omission Owner | 1 | 6,416 | 0 |
| Tenant Requested | 3 | 58,280 | 28 |
| Scope Change | 4 | 147,440 | 56 |
| COVID-19 Safety Provisions | 2 | 110,000 [1] | 41 |
| Total: | 17 | $472,736 | 181 days |

Source: SQL Server Reporting Services Production - Full Trend Log, August 3, 2020
[1] The Trend Log lists this as a potential risk but has not yet been approved. The 41-day extension has been approved as a CO.

Recommendation
Management should strengthen its processes during the design phase to obtain assurance that suggested designs meet safety standards and stakeholder expectations are met.

Management Response Issue 1
The team agrees with the recommendation that Liquidated Damages should be imposed in the amount of $1,207 per day for unexcused delays beyond the original Substantial Completion date and $323 per day for unexcused delay beyond the Physical Completion date. The team fully intends to pursue Liquidated Damages and that has been conveyed to the Contractor. Liquidated Damages will be assessed once the Contractor achieves Substantial and Physical Completion when we can quantify the actual unexcused delay.
DUE DATE: 12/31/2020

Management Response Issue 2
The team agrees with the assessment that the change orders on this project stem from complex and interrelated issues, including both scope changes and design errors.
With regard to the errors and omissions components, a few efforts are underway to improve processes such that these risks are minimized for future work. These efforts include documenting the increased depth of understanding of compatibility of gate controller and structural systems for future designers' use, updating of Port Master Specifications and Standards to reflect gate system needs, and updating of typical details. Construction Management will also consider how best to code change orders with complex and interrelated issues. As is the policy for all projects, a Lessons Learned (LL) session will be conducted for this project upon completion. Management will discuss in further detail. (Full response in Audit Report No. 2020-11)
DUE DATE: 12/31/2020

Payment Card Industry (PCI) Qualified Security Assessor
The Payment Card Industry (PCI), through banking and card-brand agreements, requires merchants like the Port of Seattle, to complete an annual Self-Assessment Questionnaire (SAQ) to verify to the Port's merchant bank (acquirer), that the Port's security controls over credit card data processing meet the PCI requirements.

The PCI assessment was performed for the reporting year 2020, by an external party, MegaplanIT, L.L.C., with the assistance of Information & Communication Technology, Information Security, and Aviation Maintenance. This firm has performed the assessment for the last three years; however, Internal Audit will perform the assessment for the 2021 reporting year.

The 2020 review was completed and signed by Dan Thomas, Chief Financial Officer, on July 30, 2020 and was noted to be "Compliant: All sections of the PCI DSS SAQ are complete, all questions answered affirmatively, resulting in an overall COMPLIANT rating; thereby Port of Seattle has demonstrated full compliance with the PCI DSS."
Dan Thomas to provide Management Comments

E-Z Rent A Car, Incorporated
- Lease agreement established in June 2010
- Gross revenue about $4 - $4.7 million annually
- Percentage fees paid about $0.4 to $0.5 million annually
- Concessionaire filed for Chapter 11 bankruptcy in May of 2020

1) Rating: Medium
Internal Audit identified $8,904 in under reported customer facility charges (CFC) and approximately $7,297 in under reported revenue. As a result, $16,201 is due to the Port.

Recommendation
In conjunction with the Port's Legal Department, file a claim, with the appropriate venue, to recover $16,201 in under reported revenue.

Management Response
Aviation Commercial Management agrees with the audit findings and will work with Port Legal to seek reimbursement through the bankruptcy process, including relevant late fees and interest charges, to the extent they are recoverable, whether through the bankruptcy process or through the applicable lease security instrument. Aviation Commercial Management staff appreciates the Internal Audit staff for their work during the audit process.
DUE DATE: 10/01/2020

Concourse Concessions, LLC
- Concourse Concessions commenced at SeaTac in 2004.
- Lease Agreement No. 002055 entered in 2016.
- Audit covered three locations: La Pisa Café, Waji's, Coffee Bean & Tea Leaf.
- Lease terminated for Coffee Bean & Tea Leaf in September 2019.

| Year | Gross Revenue | MAG [1] | Percentage Fees | Total Rent |
|---|---|---|---|---|
| 2017 | $7,434,388 | $715,776 | $259,260 | $975,036 |
| 2018 | $7,539,330 | $203,963 [2] | $794,193 | $998,156 |
| 2019 | $7,199,177 | | $1,066,003 | $1,066,003 |
| Total | $22,172,895 | $919,739 | $2,119,456 | $3,039,195 |

Source: Concourse Concessions Monthly Revenue Reports, PeopleSoft Financials, and AFR year-end documents
[1] MAG was used for "Minimum Rent" but was eliminated on April 1, 2018.
[2] MAG for 2018 reflects three months; January - March.

From Lease inception to April 1, 2018, the Lease Agreement included a MAG and required the percentage fee to be calculated based on the types of items sold.
Percentage fees were billed according to the following concession categories:

| Combined Annual Gross Receipts | Percentage of Gross Sales |
|---|---|
| Non-Branded Food and Beverage | 13.5% |
| Branded Food and Beverage | 11.5% |
| Alcohol, Beer and Wine | 17.5% |
| Souvenir Merchandise | 26.5% |
| Advertising and All Others | 14.5% |

Effective April 1, 2018, the Lease Agreement was amended and eliminated the MAG. Additionally, the amended Agreement requires Concourse Concessions to pay the Port a graduated percentage fee based on combined annual gross receipts as shown in the table below:

| Combined Annual Gross Receipts | Percentage of Gross Sales |
|---|---|
| Less than or equal to $2,000,000 | 12.0% |
| Greater than $2,000,000 but less than or equal to $4,000,000 | 13.0% |
| Greater than $4,000,000 | 15.0% |

1) Rating: Medium
Effective April 1, 2018, the Minimum Annual Guarantee (MAG) was removed from the Agreement. As a result, the criteria previously used to calculate the security deposit was eliminated, and the Port was unable to verify the reasonableness of the current security deposit.
- State law (RCW 53.08.085) requires the surety to be an amount equal to one-sixth of the total rent, but not less than an amount equal to one year's rent or more than an amount equal to three years' rent. One year's surety would have been $715,776 in 2017.
- However, the law allows the Port Commission to waive the rent security requirement, or lower the amount, at their discretion, which the Port chose to do by approving Policy RE-2.
- Policy RE-2, last updated on October 20, 1995, provides guidelines for the calculation of the security deposit. RE-2 does not provide criteria to calculate a security deposit amount in situations when there is no MAG.
- The Agreement requires the security deposit to equal one-half of the MAG. The current security deposit amount of $357,888 was calculated based on the first year's MAG (2017). Once the MAG was eliminated in 2018, the surety amount was carried forward without adjustment due to the absence of criteria.

Recommendations
1. Policy RE-2 should be reviewed and revised to address the issues identified in the report.
2. The Agreement should be amended to include criteria for the security deposit calculation, in alignment with the revised Port RE-2 policy.

2) Rating: Low
Concourse Concessions did not report $12,721 in gross revenue during the period under audit. These amounts were from cash shortages that Concourse Concessions removed from their revenue reports prior to submittal to the Port. As a result, approximately $1,527 in additional percentage fees are due to the Port.

Recommendation
1. Seek and recover $1,527 in underpaid Percentage Fees.

Management Response Issue 1
Management has identified that this is an issue within many contracts outside of the current contract undergoing audit. Management is seeking Legal review and recommendations for modifications of the Port Policy RE-2 as the current policy is not aligned with industry standards, does not account for varying contract terms, and could be considered a barrier to entry for many small and minority businesses.
DUE DATE: 12/31/2020

Management Response Issue 2
Management has identified that the tenant did in fact understate their revenues generated at the airport resulting in an incorrect billing of percentage fees due to the Port by the tenant. Management will be seeking immediate payment of funds from the tenant once a final amount (amount owed including interest and late fees) has been determined.
DUE DATE: 12/31/2020

Fireworks Galleries, LLC
- Lease agreement established in 2016
- Gross revenue about $8 - $9 million annually
- Percentage fees paid about $1.2 million annually

Internal Audit concluded that Fireworks Galleries, LLC, materially complied with the significant terms of the Agreement.

Appendix A
Aging of Outstanding Issues as of September 23, 2020
Operational, Capital, Information Technology, and Limited Contract Compliance Audits

| Type | Audit | Description | Rating | Report Date | Target Date | Days Outstanding (from Report Date) | Months/Years Outstanding (from Report Date) | Days Outstanding (from Target Date) | Months/Years Outstanding (from Target Date) |
|---|---|---|---|---|---|---|---|---|---|
| Operational | Fishing & Commercial Operations | Manual Billing Process at Risk of Error | High | 2/23/2018 | 3/31/2019 | 943 | More than 2 years | 542 | 1-2 years |
| IT | AVM/F&I Data Centers | Physical Access to Facilities | High | 12/4/2018 | No Date Supplied | 659 | 1-2 years | N/A | N/A |
| IT | AVM/F&I Data Centers | Protection Against Environmental Factors | High | 12/4/2018 | No Date Supplied | 659 | 1-2 years | N/A | N/A |
| Operational | Marine Maintenance | Fleet and Fuel | High | 6/14/2019 | 12/31/2023 | 467 | 1-2 years | -1194 | Not Due |
| Operational | Marine Maintenance | Keys and Badges | High | 6/14/2019 | 12/31/2023 | 467 | 1-2 years | -1194 | Not Due |
| IT | HIPAA Security | Security Sensitive | High | 9/4/2019 | 7/31/2020 | 385 | 1-2 years | 54 | 0-6 months |
| IT | HIPAA Security | Security Sensitive | High | 9/4/2019 | 7/31/2020 | 385 | 1-2 years | 54 | 0-6 months |
| Operational | Airport Employee Access | Security Sensitive | High | 9/5/2019 | 6/30/2020 | 384 | 1-2 years | 85 | 0-6 months |
| Operational | Architecture & Engineering | Determine Fair and Reasonable | High | 12/9/2019 | 6/30/2020 | 289 | 6-12 months | 85 | 0-6 months |
| Operational | Architecture & Engineering | Management Review Over Max | High | 12/9/2019 | 6/30/2020 | 289 | 6-12 months | 85 | 0-6 months |
| Operational | Architecture & Engineering | Contract Accuracy | High | 12/9/2019 | 6/30/2020 | 289 | 6-12 months | 85 | 0-6 months |
| IT | IT Disaster Recovery Capability | Security Sensitive | Medium | 11/29/2017 | No Date Supplied | 1029 | More than 2 years | N/A | N/A |
| IT | AVM/F&I Data Centers | Physical Facilities Management | Medium | 12/4/2018 | No Date Supplied | 659 | 1-2 years | N/A | N/A |
| IT | IT Change Mgmt & Patch Mgmt | Security Sensitive | Medium | 12/4/2018 | 6/30/2019 | 659 | 1-2 years | 451 | 1-2 years |
| IT | Security of PII | Security Sensitive | Medium | 2/26/2019 | 3/31/2020 | 575 | 1-2 years | 176 | 0-6 months |
| IT | HIPAA Security | Security Sensitive | Medium | 9/4/2019 | 7/31/2020 | 385 | 1-2 years | 54 | 0-6 months |
| IT | HIPAA Security | Security Sensitive | Medium | 9/4/2019 | 7/31/2020 | 385 | 1-2 years | 54 | 0-6 months |
| IT | Closed Network System Security | Security Sensitive | Medium | 9/5/2019 | 3/31/2020 | 384 | 1-2 years | 176 | 0-6 months |
| IT | Closed Network System Security | Security Sensitive | Medium | 9/5/2019 | 3/31/2020 | 384 | 1-2 years | 176 | 0-6 months |
| IT | Closed Network System Security | Security Sensitive | Medium | 9/5/2019 | 6/30/2020 | 384 | 1-2 years | 85 | 0-6 months |
| IT | Closed Network System Security | Security Sensitive | Medium | 9/5/2019 | 12/31/2020 | 384 | 1-2 years | -99 | Not Due |
| IT | Inventory and Control of HW Assets | Security Sensitive | Medium | 11/12/2019 | 6/30/2023 | 316 | 6-12 months | -1010 | Not Due |
| Operational | Architecture & Engineering | Governance | Medium | 12/9/2019 | 6/30/2020 | 289 | 6-12 months | 85 | 0-6 months |
| IT | Network Password Management | Security Sensitive | Medium | 3/20/2020 | 12/31/2020 | 187 | 6-12 months | -99 | Not Due |
| IT | Network Password Management | Security Sensitive | Medium | 3/20/2020 | 9/30/2020 | 187 | 6-12 months | -7 | Not Due |
| IT | Network Password Management | Security Sensitive | Medium | 3/20/2020 | 12/31/2020 | 187 | 6-12 months | -99 | Not Due |
| Lease/Concession | EZ Rent a Car Incorporated | Revenue collection | Medium | 6/22/2020 | 10/1/2020 | 93 | 0-6 months | -8 | Not Due |
| IT | Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers | Security Sensitive | Medium | 8/21/2020 | 12/31/2021 | 33 | 0-6 months | -464 | Not Due |
| IT | Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers | Security Sensitive | Medium | 8/21/2020 | 12/31/2020 | 33 | 0-6 months | -99 | Not Due |
| IT | Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers | Security Sensitive | Medium | 8/21/2020 | 12/31/2021 | 33 | 0-6 months | -464 | Not Due |
| IT | Malware Defenses | Security Sensitive | Medium | 9/4/2020 | 6/30/2021 | 19 | 0-6 months | -280 | Not Due |
| IT | Malware Defenses | Security Sensitive | Medium | 9/4/2020 | 6/30/2021 | 19 | 0-6 months | -280 | Not Due |
| Capital | AOA Perimeter Fence Line | Liquidated damages collection | Medium | 9/8/2020 | 12/31/2020 | 15 | 0-6 months | -99 | Not Due |
| Capital | AOA Perimeter Fence Line | Design phase processes | Medium | 9/8/2020 | 12/31/2020 | 15 | 0-6 months | -99 | Not Due |
| Lease/Concession | Concourse Concessions LLC | RE-2 policy review | Medium | 9/10/2020 | 12/31/2020 | 13 | 0-6 months | -99 | Not Due |
| IT | Network Password Management | Security Sensitive | Low | 3/20/2020 | 12/31/2020 | 187 | 6-12 months | -99 | Not Due |
| Lease/Concession | Concourse Concessions LLC | Revenue collection | Low | 9/10/2020 | 12/31/2020 | 13 | 0-6 months | -99 | Not Due |