INTERNAL AUDIT Internal Audit Work Plan INTERNAL AUDIT March 24, 2017 2017 Proposed Flexible Work Plan Wpslioh dsptt fvoduipoammy up adiieve uie Ppsu’t Gpamt Internal Audit 2017 – Page 2 TABLE OF CONTENTS Internal Audit 2017 – Page 3 Internal Audit VISION Promote operational excellence at the Port MISSION The - added audit services that result in: • Stronger accountability for meeting or exceeding strategic and operational performance expectations • Fiscal integrity including detection and deterrence of fraud, waste, and abuse • Greater transparency in governance and decision making • Improved investment of public resources to advance trade and commerce, promote industrial growth, stimulate economic developm ent , and create jobs Through independent and objective audits, we provide the Port Commission with assurance and opportunities for enhanced effici enc y and effectiveness of management practices in: Governance Risk Assessment Controls Compliance Vision Promote operational excellence at the Port Mission The Internal Audit Department conducts risk - based operational/performance audits. Our frequent reviews of Port operations and activities provide value - added audit services that result in:  Stronger accountability for meeting or exceeding strategic and operational performance expectations  Fiscal integrity including detection and deterrence of fraud, waste, and abuse  Greater transparency in governance and decision making  Improved investment of public resources to advance trade and commerce, promote industrial growth, stimulate economic development, and create jobs Through independent and objective audits, we provide the Port Commission with assurance and opportunities for enhanced efficiency and effectiveness of management practices in Governance, Risk Assessment, Controls, and Compliance. Audit Standards Audit Work Guided by Professional Standards – Government Auditing Standards (issued by the Comptroller General of US) and by International Professional Practices Framework (issued by The Institute of Internal Auditors) Striving for excellence Risk of inconsistent guidance and/or oversight, and poor strategic direction that do not achieve Port objectives and/or Century Agenda Goals . Internal Audit 2017 – Page 4 Internal Audit identifies key risks using the best practice framework to optimize Risk Best Practice Framework Strategic / Governance Risk We perform a risk assessment over Port operations annually to drive our Flexible Work Plan . The plan is established based on: • IA department’s institutional knowledge • D iscussions with key Port leadership • D ata analytics • P rior audit history It is developed and designed to align our audit strategy with Port goals and objectives. Internal Audit Strategy Risk of ineffective and inefficient Port operations, including lack of accountability due to inappropriate process and management . Operational Risk Risk of not meeting Public expectations . Diminishing Port’s reputation and loss of public trust . Accountability / Transparency Risk Risk of misreporting financial and other non - financial information from Port operation results . Reporting Risk Risk of significant negative impact to Port operations due to unmitigated IT vulnerabilities . Information Technology (IT) Risk Risk of noncompliance or lack or adherence to applicable laws and regulations (federal, state, local laws and Port policies, procedures and agreements) . Compliance Risk For simplification we group risks into 6 auditable units: Internal Audit 2017 – Page 5 Each auditable unit is assessed and rated on a scale of 1 to 5 for impact and likelihood Risk We evaluate each auditable unit for impact and likelihood for all items within the Port’s Audit Universe . Risk drivers / attributes are defined for the impact and likelihood of each auditable unit. We start by compiling an Audit Universe. The Port’s Audit Universe includes: • Business units • Departments • Lease Agreements • Information Technology • Port Governance and Policies • Port Specific Programs/ Initiatives Note: This is an example for illustration purposes only. Overall Impact and Likelihood ratings are multiplied to derive a final quantitative determinant. Average Overall Risk rating used in Final Risk Score. Internal Audit 2017 – Page 6 The final medium, and high. Risk (continued) High r isk focus creates value Internal Audit 2017 – Page 7 Fiscal Proposed 2017 Work Plan Risk Rating Summary Non - Lease Audit Coverage 72% Internal Audit risk assessment and scoring resulted in the following proposed audits by category Audit Type Count Est. Hours Hours % Central Accounting Processing Systems 1 600 7% Comprehensive Operational /Department 7 2,950 33% 3rd Party Management Agreement 0 0 0% Limited Operational – Port - wide Programs 6 1,950 22% Information Technology 2 400 4% Consulting Services and Contingency 540 6% Lease & Concession Agreements 7 2,500 28% Internal Audit 2017 – Page 8 Greater transparency through assurance and accountability Recommended Projects In 2017 Audits Suggested for 2017 1 Disbursements/Accounts Payable Cycle -- Management controls, including controls over vendor master file 1 Airport Parking Garage & Employee/Tenant Parking 2 Maritime StormWater Utility 3 SeaTac – Utilities 4 Maritime Maintenance Shop 5 Terminal 91 Dockage 6 Fishermen’s Terminal 7 AV Commercial Management (AV Business Development) None Proposed in 2017 1 Promotional Hosting and Trade Business & Community Expense – Review Program Governance, Compliance & Management Controls 2 Capital Program 3 Port/Private Partnership – P - 66 Norwegian Cruise Line Partnership Tenant/Improvement - $15 million Port reimbursements. 4 Aviation Tenant/Improvement Reimbursements – Delta Lounge $13 million Port Contribution 5 On/Off Boarding of Port Consultants/Contractors - (Review Physical & System Application Access Controls of Port consultants/contractors) 6 Port Travel Expenses – Corporate Travel Card Program 1 IT Change Management Diagnostic 2 Business Continuity/Disaster Recovery Review Departments/Compreh ensive Operational Programs 3rd Party Management Limited Operational Information Technology (IT) Central Accounting Processing System Cont’d Internal Audit 2017 – Page 9 Greater transparency through assurance and accountability Recommended Pspjedut Io 2017 (Cpou’e) Audits Suggested for 2017 1 Avis/ Budget Car Rental LLC 2 Hertz Rent - A - Car 3 4 5 6 7 Doug Fox Parking/ATZ Eastside for Hire – New 2016 Airport Agreement Host International, Inc. Dufry – Seattle JV (Duty Free Shop) Bell Street P - 66 Parking Revenue 1 Implementation of a Port - wide moorage system to ensure effective controls and PCI compliance 2 Seaport Alliance 3 Transportation Network Companies (TNCs, i.e. Uber, Lyft & Wingz ) – currently the Port has a Pilot Program 4 5 6 2017 Work Plan – Risk Assessment Aviation Janitorial Program etc. Concession Agreements Consulting Services and Contingency Internal Audit 2017 – Page 10 A flexible risk based approach maximizes benefits to the Port Proposed 2017 Work Plan 2016 Carryover Audits 2016 Work Plan Audits in Progress Bell Harbor International Conference/ WTC Center The Club at SEA Lounges (Airport Lounges) 3 rd Party Management Significant Revenue/Other Resources by Category ($ in 000's ) $ Amount Airlines Rental & Landing Fees per SLOA Agreements 253,452 Passenger Facility Charge (PFC) 81,462 Space Rental 74,745 Airport Parking (parking garage & employees/tenants) 73,090 Tax Levy 71,678 Car Rental 33,703 Customer Facility Charge (CFC) 34,374 Food & Beverage (concession fees) 51,310 Maritime Berthage & Moorage/Dockage 14,765 Others 38,566 Total $727,146 Internal Audit 2017 – Page 11 Greater transparency through assurance and accountability Port of Seattle Revenues & Other Resources by Category Significant Revenue/Other Resources by Category Key Risks • Strategic/Governance risk • Operational • Accountability / Transparency • Reporting • Compliance *financial d ata used in this presentation is for planning purposes only and may not tie/agree with the Port year - end financial statements . Source: PeopleSoft & PropWorks as of December 07, 2016 . The majority of Port revenues are derived from airlines rental and landing fees; and PFC Internal Audit 2017 – Page 12 Greater transparency through assurance and accountability Port - wide Expenditures by Category The majority of Port expenditure are salaries, wages and benefits; outside services (personal & professional); and major constructions. *financial d ata used in this presentation is for planning purposes only and may not tie/agree with the Port year - end financial statements . Source: PeopleSoft & PropWorks as of December 07, 2016 . Significant Expenditures by Category Key Risks • Strategic/Governance risk • Operational • Accountability / Transparency • Reporting • Compliance Significant Expenditures by Category ($ in 000's) $ Amount Salaries, Wages & Benefits 194,631 Outside Services 61,153 General Expense 20,477 Utilities 20,297 Travel 2,364 Others 20,024 Total $ 318,947 Via Duct Contribution $ 147,700 Construction work in progress spent 169,195 Internal Audit 2017 – Page 13 Focused and logical actions driving Century Agenda Strategies and Objectives Central Accounting Processing System Audits Proposed 2017 Work Plan: • Disbursements/Accounts Payable -- Management controls, including controls over vendor master file Note: Central Accounting Systems are a Focus of External Financial auditor . Payroll Last Audit – No Significant Issues Accounts Receivable/Revenue Last Audit – No Significant Issues Disbursements/Accounts Payable Last Audit – No Significant Issues Last Audit – No Significant Issues General Ledger Last Audit – No Significant Issues Port of Seattle Central Accounting Processing Systems: • Airport Parking Garage & Employee/Tenant Parking • Maritime Stormwater Utility • SeaTac - Utilities • Maritime Maintenance Shop • Terminal 91 Dockage – Change of Management • Fisherman Terminal • AV Commercial Management (AV Business Development) *financial d ata used in this presentation is for planning purposes only and may not tie/agree with the Port year - end financial statements . Source: PeopleSoft & PropWorks as of December 07, 2016 . Internal Audit 2017 – Page 14 Greater transparency through assurance and accountability Proposed 2017 Work Plan Department Audits At the Port, there are approximately 75 Business Units with 171 departments . Commission directives and Port objectives are carried out in the Port departments. Our focus is on efficiency and effectiveness of department programs, including compliance, accountability, and reporting. Key Risks • Strategic / Governance • Operational • Accountability / Transparency • Reporting – Financial and non - financial • Information Technology • Compliance Note : Departments not a udited have been subject to Cross Functional Program Audits such as : P - card, Travel, Payroll, Inventory . Audited 45% Not Audited 55% Departmental Audit -- 5 - Year History Coverage Internal Audit 2017 – Page 15 Greater transparency through assurance and accountability These 3 rd Party Agreements below are currently under audit as part of the 2016 work plan. • Airport Club Lounges • Bell Harbor Conference Center • World Trade Center - Club No 3 rd party agreement audits are planned in 2017 3 rd Party Management Agreements Port 3 rd party operations are Port activities that are run and operated by a third - party on behalf of the Port. The third - party operator is paid a management fee. These operations are risky because the Port is accountable for all operation costs, but does not run the day - to - day operation. Note – the Port owns the facilities that house these operations. Key Risks • Operational • Accountability / Transparency • Reporting • Compliance *financial d ata used in this presentation is for planning purposes only and may not tie/agree with the Port year - end financial statements . Source: PeopleSoft & PropWorks as of December 07, 2016 . $1,139 11% $6,046 59% $916 9% $2,182 21% Expenses (in 000’t ) Airport Club Lounges Bell Harbor Conference World Trade Center - Club World Trade Center - Offices $2,521 16% $6,039 40% $1,091 7% $5,590 37% Revenues (in 000’t ) Airport Club Lounges Bell Harbor Conference World Trade Center - Club World Trade Center - Offices Space and Land rental agreements generate fixed fee revenue based on square footage etc. To ensure accuracy and complete reporting to the port, these agreements are deemed low risk. Lease and concession agreements generate revenue to the Port based on Lessee self - reported gross receipts . These agreements are deemed high risk, and Internal Audit has recovered over $7.7 million in underreporting. Common agreement types include :  SLOA Airline Agreements  Land Rental  Space Rental  Lease and Concession Internal Audit 2017 – Page 16 Economic Vitality through Developing, Negotiating, and Managing Agreements Lease & Concession and Other Agreements The Port earns most of its revenues from lease & concession and other agreements. *financial d ata used in this presentation is for planning purposes only and may not tie/agree with the Port year - end financial statements . Source: PeopleSoft & PropWorks as of December 07, 2016 . Non - agreement receipt types include :  Parking  Berthage and Moorage  ID Badge Fees  Others 471 77.9% 134 22.1% Agreements SLOA III, Space & Land Rental Agreements Lease & Concession Agreement 457,041 63% 187,925 26% 71,678 10% 10,503 1% Port Revenues & Other Resources ($ in 000’t ) Agreement Non-Agreement Tax Levy Federal Grants Agreements not audited are deemed low risk. Internal Audit 2017 – Page 17 Greater transparency through assurance and accountability Lease & Concession Agreements *T o date, Internal Audit has recovered approximately $7.7 million in underreporting concession fees.  Doug Fox Parking Lot /AZT  Hertz Rent - A - Car  Avis/Budget Car Rental LLC  Eastside for Hire - New 2016 Airport Agreement for Customer pick up  Host International, Inc.  Dufry – Seattle JV (Duty Free shop)  Bell Street P66 Parking Revenue Key Risks • Operational • Accountability /Transparency • Reporting • Compliance Proposed 2017 Work Plan *financial d ata used in this presentation is for planning purposes only and may not tie/agree with the Port year - end financial statements . Source: PeopleSoft & PropWorks as of December 07, 2016 . 73 54 % 61 46 % Concession Agreements Audit Not Audited The focus of this audit category is efficiency and effectiveness of Port - wide programs, including compliance, accountability, and reporting. Such Port - wide programs include: Port travel, purchasing P - card program, inventory program, cost allocation, janitorial services, small business initiative etc. Commission directives and Port objectives are carried out in these Port - wide programs or activities. Key Risk • Strategic/Governance • Operational • Accountability/Transparency • Reporting • Compliance Proposed 2017Work Plan • Promotional Hosting and Trade Business Expenses -- $1.1 million in 2016. • Capital Program • Port/Private Partnership – P - 66 Norwegian Cruise Line partnership & Construction - $15 Million Port Contribution • Aviation Tenant Reimbursements – Delta Lounge $13 million Port contribution • Port - wide On/Off Boarding of Port Consultants/Contractors - (Physical & System Application Access controls) • Port Travel Expenses – Corporate Travel Card Program Internal Audit 2017 – Page 18 Greater transparency through assurance and accountability Limited Operational Programs ( Port - Wide) The 2017 Capital Budget reflects the Port's continuing commitment through investment of $651.6 million in development , expansion, and renewal of Port facilities. Major projects include: • North Satellite Modernization • International Arrivals Facility • Center Runway Reconstruction • Optimized Baggage Handling System Internal Audit 2017 – Page 19 Greater transparency through assurance and accountability Proposed 2017 Work Plan Limited Operational Program – Capital Program • International Arrivals Facility Key Risks • Strategic/Governance • Operational • Accountability/Transparency • Compliance Committed Capital Projects ($ in 000's) 2017 Budget 2017 - 2021 CIP Aviation Division 501,539 1,781,572 Maritime Division 29,531 56,130 Economic Development Division 7,765 13,553 Corporate & Others 7,219 30,676 Total Committed 546,054 1,881,931 Business Plan Prospective Projects 105,523 820,523 Total CIP 651,577 2,702,454 *Source: Port of Seattle 2017 Budget and Business Plan Like in the past years, Internal Audit information technology projects are outsourced to external IT firms. These audits are managed by internal audit staff . Key Risk • Information technology Proposed 2017 Work Plan Per Information Technology Port - wide Risk Assessment • IT Change Management Diagnostic • Business Continuity/Disaster Recovery Review Internal Audit 2017 – Page 20 Working cross functionally to achieve Port’s Goals Information Technology The Port uses technology for innovation and to drive success of its strategies and programs. Therefore, information technology is critical to Port success, and is an integral part of the Internal Audit annual work plans. The following is a list of consulting services we propose to provide in 2017 . Internal Audit 2017 – Page 21 A partnership approach maximizes benefits to the Port Proposed 2017 Work Plan Consulting Services & Contingency Consulting Projects/Contingency • Implementation of a Port - wide moorage system to ensure effective controls and PCI compliance • Seaport Alliance?? • Transportation Network Companies (TNCs, i . e . Uber, Lyft & Wingz ) – currently the Port has a Pilot Program • Aviation Janitorial Program • Others as needed • 2017 Work Plan – Risk Assessment Maritime Seaport Alliance Aviation We partner and provide consulting services to Port management in order to improve Port programs and/or services. In consulting services, Port management owns and takes accountability of the projects. Others Joyce Kirangi, Director Certifications: CPA, CGMA Internal Audit 2016 – Page 22 Internal Audit Team and Organizational Structure Spencer Bright, Senior Auditor Certifications: CGAP, CIA, CFE Margaret Songtantaruk, Senior Auditor Certifications: CFE, CB Dan Chase, Senior Auditor Certifications: CPA, CIDA Dandan Wang, Senior Auditor Certifications: CPA, CIA Ritika Marwaha, Internal Auditor Roneel Prasad, Internal Auditor Dan Chase, Acting Audit Manager Certifications: CPA, CIDA Pamela Bailey, Sr. Administrative Assistant Certifications: PACE Questions? Internal Audit 2016 – Page 23