Presentation

INTERNAL AUDIT 












* Contract with ESFH will not be renewed. Legal settlement/contract modification with ESFH addresses risk. 
** Audits will be performed in 2019 by an external audit firm.

2019 Proposed Budget
                                                  2017 Actual         2018 Budget        2018 Forecast        2019 Budget
                                                    Amount       %      Amount       %      Amount       %      Amount       %
Salaries/Wages and Benefits (1)                 $1,264,939  78.90%  $1,561,708  85.43%  $1,488,145  85.85%  $1,704,674  89.57%
Outside Services (2)                               296,757  18.51%     207,280  11.34%     188,280  10.86%     147,000   7.72%
Equipment Expense                                    8,463   0.53%      11,380   0.62%      11,380   0.66%       5,000   0.26%
Office Supplies & Stock                                954   0.06%       1,000   0.05%       1,000   0.06%       1,000   0.05%
Travel, Training, and Other Emp Expenses (3)        22,498   1.40%      38,040   2.08%      38,000   2.19%      38,070   2.00%
General Expenses                                     4,138   0.26%       2,240   0.12%       2,240   0.13%       2,760   0.15%
Trade Business & Community                                   0.00%                             150   0.01%         300   0.02%
Telecommunications                                   5,419   0.34%       6,420   0.35%       4,325   0.25%       4,320   0.23%
Total                                           $1,603,168    100%  $1,828,068    100%  $1,733,520    100%  $1,903,124    100%
1) 2019 Budget includes one additional head. 
2) Outside Services reflects a significant reduction from 2018, as we outsource fewer
Information Technology (IT) audits and use our in-house IT auditor to perform these audits.
3) Travel, Training & Other Employee Expenses is primarily for training and development of our
internal audit staff. 
Overall a 4.11% Increase from 2018 Budget.

Benchmarking - Internal Audit (IA)
A comparison of similar ports with aviation and maritime functions shows
that the IA function at the Port of Seattle is leaner than its peers.
Port Authority         2017 Passengers   Auditors
Phoenix Sky Harbor     44 MM             6*
Port of Seattle        47 MM             9
San Diego              22 MM             12
Massachusetts          38 MM             13
Los Angeles            85 MM             22
New York               132 MM            73**
Notes: (see appendix for more detail)
* PHX does not have maritime operations; additionally, IT audits are performed by the
City of Phoenix Audit Staff (comparable data was not available).
** NY Port Authority has certain transit functions, maritime, and three airports,
contributing to its large internal audit function.

2018 Internal Audit Reporting Structure / Organization Chart
Glenn Fernandes, Director
    Operational & Compliance: Dan Chase, Manager, Grade 31
    Capital Audits: Manager, Grade 29
    Bruce Klouzal, Lead IT Auditor, Grade 29
    Ritika Marwaha, Sr. Internal Auditor
    Spencer Bright - Acting Manager
    Open, Internal Auditor
    Dandan Wang, Sr. Internal Auditor
    Margaret Songtantaruk, Sr. Internal Auditor
    Roneel Prasad, Internal Auditor

Importance of Capital Audits 
The Port of Seattle is spending approximately $1B in Capital per year. It is
important that we build and develop our Capital Audit skill set within IA. 
Recently issued audit reports:
International Arrivals Facility
    Fundamental components of the Design-Build process were missing.
Norwegian Cruise Terminal (Pier 66)
    Monitoring and approval of change orders.
Delta Lounge
    Deficiencies in the oversight of Port funds used by Delta.
North Satellite
    $31.8 MM in additional costs due to a failure to obtain a legally binding
    agreement with Alaska.
    $1.2 MM that needed to be recouped from Alaska.

Outside Services 
HIPAA - Required Audit $80,000
    The Department of Health & Human Services
    requires that this be done periodically.
Capital Audit Expert Consultant - $50,000
    Funding is for an expert construction consultant
    who can partner with our audit team in 2019 on a
    capital audit engagement.

AUDITS 
1)  Cruise Related Investments 
2)  Cash Controls - Sea-Tac Parking Garage
3)  Interim West Side Fire Station 
4)  T2 ParkingSoft System 
5)  Fox Rent-A-Car 




Cruise Related Investments 
Revenue
    2017 ~ $17.6 MM
    2018 ~ $15.4 MM (YTD Aug.)
Passengers
    2017 / 2018 ~ 1.1 MM


Hosts more passengers than any other Port on the West Coast. 
Eleven different ships offering Alaska cruise itineraries. 

Results 
Medium - Port Management did not correctly utilize all data available when 
presenting the economic benefit of the baggage valet program to the 
Commission. This resulted in a potential overstatement of the economic 
benefit to the Seattle area. 
2017 Port Baggage Valet Study 
1,253 passengers surveyed
64% went directly to airport 

Visit Seattle methodology of $63.64 includes $17.63 in transportation 
costs to airport. Net of $46.01 in incremental spend. 



Management Response 
The Maritime Division and the Cruise team will ensure we use the best 
available data as we move forward. As the program matures, we will 
continue to refine the program as well as refine the ways we can measure 
impacts. We are committed to reporting those as accurately as possible 
and, in the future, will not include transportation costs or the estimates for
spending by the portion of passengers that went to the airport unless we 
have reliable data showing that they spend incremental money that would 
not have been spent without the program. We appreciate the review as we 
strive to improve our program. 



Cash Control - Sea-Tac Parking Garage
2017 Parking Revenue 
Cash - $3.3 MM 
Credit Card - $78 MM 

2018 Revenue (YTD Aug. 31) 
Cash - $2 MM 
Credit Card - $52 MM 

Largest parking facility in the region with more than 13,000 stalls 



Results 
Medium - Opportunities exist to enhance access controls to the cash 
counting room and to reduce the amount of the $20,000 change fund. 

Management Response 
The door code will be changed every three months. 
A work order was placed to install a card reader. 
The working fund will be reduced by $4,000. 



Interim West Side Fire Station 
Aircraft Rescue Fire Fighting Station 
$5.5 MM 
Minimum estimated life four years 
FAA requires emergency response - three minutes to midpoint of farthest 
runway 






Management Letter Discussion

RESULTS 
Medium - We identified sections of the cost estimate that, in our opinion,
did not appear to align with industry practice and in some cases appeared
excessive.
Allowance - $513,000 (30%)
Contingencies - $730,000
    Construction - $467,000 (15%)
    Project - $263,000 (5%)

Recommendations 
Defer Commission authorization (i.e. 30% or 50% design) 
Lean review to minimize costs and related inefficiencies 

Management Response (Summarized) 
Design Development Allowance 
Ranges between 20-30% at conceptual planning 
30% was used because of unknowns and risks 
Located within Airfield Operating Area 
Dust protection, security requirements, job conditions 
Reduced to 15% at 60% design 
Will be reduced to zero at 100% design 


Management Response (Summarized) 
Construction Contingency ($467,000) 
Used for change orders 
New construction - 5% / Renovation project - 15%
Reduced contingency to 12% 
Project Contingency ($263,000) 
Used for unanticipated circumstances or cost overruns 
i.e. sewer fees, connection fees, other fees, jurisdictional complications
Project cost is now estimated at $5.8 MM 
Increased fencing, plumbing fixtures, mechanical, electrical 


Information Technology Audit 
T2 ParkingSoft System Audit 
June 1, 2018 - August 31, 2018
Prepared by Protiviti in partnership with the Port of Seattle Internal Audit department 





BACKGROUND 
The Port of Seattle engaged ParkingSoft in 2017 to implement a new parking system for the
SeaTac airport parking garage. The Port of Seattle's Internal Audit department partnered
with Protiviti to perform an audit of the ParkingSoft system between June 2018 and
August 2018. The audit focused on system access controls, a review of historical issues
to assess reasons for downtime, and other risks related to the new system that might
compromise system stability.
The previous parking garage management system, Entervo by Scheidt & Bachmann (S&B),
was operated at SeaTac Airport for approximately five (5) years before the current
ParkingSoft system was installed. Early in its lifecycle it was determined that Entervo would
not be able to support future functionality requirements necessary to support the airport's
business development initiatives. The nature of the system's architecture also created
several inherent risks including single points of failure, challenging patching and
maintenance procedures, limited system and transactional logging, and problematic access
administration. 

AUDIT OBJECTIVE 
The scope of this audit included the processes and practices performed by Port of Seattle
to manage the parking system installed at SeaTac airport, as well as addressing historical
event reports to evaluate overall system stability and reliability. 
AUDIT SCOPE AND METHODOLOGY

Evaluation of Access Controls:
    Review of access provisioning and de-provisioning processes.
    Documentation review of the overall access management process.
    Review of appropriateness of access including roles within the system.

Review of Historical Issues:
    Evaluation of functionality and controls implemented to address historical issues.
    Incident management process walkthrough, including common maintenance
    requirements for system components from both Information and Communications
    Technology and Aviation Maintenance Departments.

Assessing Other Risks:
    Review of firewall settings and network diagram from T2.
    Analysis of provided technical system documentation.
    System architecture documentation review.

AUDIT RESULT 
The results of the audit demonstrate that the Port of Seattle has taken steps to
increase the stability and security of this parking system over previous systems.
These steps included:
    Transferring certain operational responsibilities to a third party
    Selecting a system architecture that included redundancies and reduced
    potential single points of failure
    Including functionality such as unique transaction IDs

Four opportunities for improvement identified during this audit are included on
the following slides.

IMPROVEMENT #1 
Monitoring of Devices 
Monitoring exists, but was limited; alerting capabilities are system-wide and are not
currently implemented to alert personnel of unusual activity or outages on individual
devices. This may present a risk of uncollected revenue due to isolated system issues.
Recommendations 
Work with T2 to ensure events are monitored with appropriate detail and converge to
provide alerts of issues and abnormal activity. 
Management Response 
Management concurs that there is value in providing additional monitoring to alert on the
lack of transactions from field devices and will pursue that option with T2. 
(See Audit Report for details on Management Response) 
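
An added example, not taken from the audit report or from T2's product: a per-device silence check of the kind the management response describes, run over a constructed transaction log to show how a system-wide health check can pass while one field device has stopped transacting. The device names, log layout and 30-minute threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <device_id>" per transaction.
# Device names and the log layout are assumptions for illustration.
SAMPLE_LOG = """\
2018-08-31T09:02:00 EXIT-01
2018-08-31T09:05:00 EXIT-02
2018-08-31T09:40:00 EXIT-01
2018-08-31T09:55:00 EXIT-01
2018-08-31T09:58:00 PAYSTATION-03
"""
EXPECTED_DEVICES = {"EXIT-01", "EXIT-02", "PAYSTATION-03", "PAYSTATION-04"}
MAX_GAP = timedelta(minutes=30)  # assumed threshold; tune per device type


def parse_log(text):
    """Return the most recent transaction time seen for each device."""
    last_seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, device = line.split()
        when = datetime.fromisoformat(stamp)
        last_seen[device] = max(when, last_seen.get(device, when))
    return last_seen


def system_wide_ok(last_seen, now, max_gap=MAX_GAP):
    """System-wide view: healthy if any device transacted recently."""
    return any(now - seen <= max_gap for seen in last_seen.values())


def silent_devices(last_seen, expected, now, max_gap=MAX_GAP):
    """Per-device view: expected devices with no transaction in max_gap.

    A device absent from the log is reported with None, so an outage
    that predates the log window is still caught.
    """
    return [(dev, last_seen.get(dev)) for dev in sorted(expected)
            if dev not in last_seen or now - last_seen[dev] > max_gap]


if __name__ == "__main__":
    now = datetime(2018, 8, 31, 10, 0)  # constructed "current time"
    seen = parse_log(SAMPLE_LOG)
    print("system-wide healthy:", system_wide_ok(seen, now))
    for dev, when in silent_devices(seen, EXPECTED_DEVICES, now):
        print("ALERT no recent transactions:", dev, "last seen", when)
```

Comparing against an inventory of expected devices, rather than only the devices present in the log, is what surfaces a device that has produced no transactions at all.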

IMPROVEMENT #2 
Monitoring of Vendor Responsibilities 
The vendor does not provide SSAE-18 (SOC1) and/or SOC2 or ISO 27001 certification
reports to describe its control environment and provide assurance around its ongoing
operational activities. The design of the system is such that the vendor is contractually
responsible for managing certain portions of the system infrastructure on behalf of the
Port. 
Recommendations 
The Port should request that T2 undertake an assurance mechanism, such as an SSAE-18
(SOC1) and/or SOC2 or ISO 27001 certification, to provide ongoing visibility into the
effectiveness of key operations. 
Management Response 
Management agrees and has formally requested that T2 provide protection against the
risks called out in this finding and will work with them to ensure that the appropriate
protections are in place. 

IMPROVEMENT #3 
Physical Access to Port of Seattle Managed Assets 
Key infrastructure supporting the parking system is located in a room which serves
multiple purposes. As a result, more individuals than necessary may have physical access
to these systems, and the systems may be exposed to dust, vibration, and other
environmental risks that could impact system availability and maintenance over time. 
Recommendations 
Controls should be implemented to ensure that any actions performed on these systems
are clearly traceable in the event of an issue. The server room should either be dedicated
to hosting the systems, or additional safeguards should be implemented, such as cages
and cameras, in order to limit access to key systems and provide accountability. 
Management Response 
Because physical access to the room is already restricted and contains access control and
a camera, we feel this is low risk. However, we will investigate the feasibility of adding
locking doors to the server racks to address the recommendation of the audit. 

IMPROVEMENT #4 
Firewall Settings and Review 
Opportunities were identified to further restrict configurations within the firewall.
Recommendations 
1.  Perform a full review of the current firewall rules and configurations, and implement a
process to review configurations every six months. 
2.  Ensure all firewall rules have full business justifications, and can be linked to change
tickets and approvals. 
Management Response 
We concur. Legacy firewall settings on the Port-managed firewalls have been analyzed
and removed where not in use. We have also requested that T2 review the remaining
rules and confirm that they are required for the general operations of the Parking and
Revenue Control System. In addition, we have asked T2 to review their managed firewall
settings and confirm that they comply with the 6-month firewall review cycle.
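
An added example, not part of the audit report or of any firewall product: one way to check a rule inventory against the two recommendations above, flagging rules with no business justification, no change ticket, or a last review outside the six-month cycle. The inventory layout, field names, ticket ids and addresses are constructed assumptions.

```python
from datetime import date

# Constructed rule inventory; field names, ticket ids and addresses
# (RFC 5737 documentation ranges) are assumptions for illustration.
RULES = [
    {"id": 10, "rule": "allow tcp 192.0.2.10 -> 198.51.100.5:443",
     "justification": "Payment gateway", "ticket": "CHG-0001",
     "last_reviewed": date(2018, 7, 15)},
    {"id": 20, "rule": "allow tcp any -> 198.51.100.7:8080",
     "justification": "", "ticket": None,
     "last_reviewed": date(2017, 3, 1)},
    {"id": 30, "rule": "allow udp 192.0.2.0/24 -> 198.51.100.9:161",
     "justification": "Device monitoring", "ticket": "CHG-0002",
     "last_reviewed": date(2018, 2, 28)},
]


def months_back(day, months):
    """Return the date `months` calendar months before `day`, clamped
    to the last valid day of the target month (e.g. Aug 31 -> Feb 28)."""
    index = day.year * 12 + (day.month - 1) - months
    year, month = divmod(index, 12)
    month += 1
    leap = year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)
    days = [31, 29 if leap else 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]
    return date(year, month, min(day.day, days[month - 1]))


def review_findings(rules, today, cycle_months=6):
    """Map rule id -> list of gaps against the audit recommendations."""
    cutoff = months_back(today, cycle_months)
    findings = {}
    for rule in rules:
        gaps = []
        if not (rule.get("justification") or "").strip():
            gaps.append("no business justification")
        if not rule.get("ticket"):
            gaps.append("no change ticket")
        reviewed = rule.get("last_reviewed")
        if reviewed is None or reviewed < cutoff:
            gaps.append("review older than %d months" % cycle_months)
        if gaps:
            findings[rule["id"]] = gaps
    return findings


if __name__ == "__main__":
    for rule_id, gaps in review_findings(RULES, date(2018, 8, 31)).items():
        print(rule_id, "; ".join(gaps))
```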

Fox Rent-A-Car



Minimum Annual Guarantee - 10% of Gross Revenue 
Customer Facility Charge - $6 per rental 
2014 - 2017
Percentage Fees ~ $1.1 MM / Year 
CFC Fees ~ $1.5 MM / Year 




Result 
Medium - Fox owes $52,150 in additional Percentage Fees.
(Incidental Revenue)
Medium - Fox owes $10,578 in additional CFC fees. (Waived CFCs)

Management Response
Management will seek to recover the fees, together with any
applicable late fees and interest charges. Management will also
communicate both verbally and in writing their obligations with
respect to revenues and CFCs.

