Item 4. Audit Committee Presentation
Port of Seattle Audit Committee
December 7, 2018
P69, Commission Chambers
1:00 PM - 3:00 PM

INTERNAL AUDIT

COMPREHENSIVE 2018 AUDIT STATUS

COMPLETED AUDITS - 2017 AUDIT PLAN CARRYOVER

Audit Title | Type
Host International, Inc. | Limited Compliance
Delta Lounge | Operational
P66 Norwegian Cruise Line Partnership | Operational
Employee Parking | Operational
Transportation Network Companies | Operational
Terminal 91 Dockage | Operational

2018 AUDIT PLAN STATUS

Audit Title | Type
Beecher's Handmade Cheese | Limited Compliance
Disbursements / Accounts Payable | Operational
Sky Chef's Inc. | Limited Compliance
Capital - N. Satellite | Operational
Dollar Rent a Car | Limited Compliance
TNC's Rematch (EKPI's) | Operational
Fox Rent-A-Car | Limited Compliance
Thrifty Car Rental | Limited Compliance
Parking Soft System (Protiviti) | IT
Capital - Westside Fire Station | Operational
Cruise Related Investments | Operational
Add: Cash Controls - Seatac Parking Garage | Operational
Change Management - AVM (Point B) | IT
Seatac Utilities | Operational
Capital - IAF | Operational
Data Centers - AVM | IT
Marine Maintenance Shops*** | Operational
Add: Personally Identifiable Information | IT
Add: Sixt Rent-A-Car LLC | Limited Compliance
Remove: Taxi Cabs (Eastside for Hire)* | Operational
Remove: Northwest Seaport Alliance** | Operational

[Chart: status by month, Jan - Dec]

Key: Complete; In Process / Carryover to 2019 Audit Plan; Add / Remove from Audit Plan

* Contract with ESFH will not be renewed. Legal settlement/contract modification with ESFH addresses risk.
** Audits will be performed in 2019 by an external audit firm.
*** Internal Audit was unable to complete this audit. Audit will be reassigned and completed in 2019.

Key 2019 Audit Plan Drivers

Audit Plan:
- Audit Committee / Commission Mandates
- Budget Spend / Financial Implications
- Policy Mandates
- Audit Universe / Audit History
- Enterprise Risk Assessment
- Executive Director / Executive Leadership
- Public Comments / Concerns

Lease and Concession Audit Plan Approach

Approximately 111 leases

Agreement Year | Total Revenues | Sea-Tac | Economic Development
2017 | $112 MM | $109 MM | $3 MM
2018 | 107 MM | 104 MM | 3 MM
Total | $219 MM | $213 MM | $6 MM

Approach

Rating | Number of Leases | Revenue | Percentage | Frequency | Annual
High | 9 | $113 MM | 52% | 4 year cycle | 2-3
Medium | 24 | 85 MM | 39% | 8 year cycle | 2-3
Low | 78 | 21 MM | 9% | As needed |
Total | 111 | $219 MM | 100% | | 6

Lease and Concession Audit Plan Approach

Proposed 2019 Audits

Name | Division | Rating | 2017/2018 Revenues
Enterprise Rent A Car* | Aviation | High | $23,799,715
Anton Airfood | Aviation | Medium | 3,568,762
Sixt Rent A Car LLC | Aviation | Medium | 2,672,348
Mad Anthony's | Maritime | Low | 913,840
Total | | | $30,954,665

Contingency**

Name | Division | Rating | 2017/2018 Revenues
Lenlyn Limited | Aviation | Medium | 2,642,404
ALClear, LLC | Aviation | Low | 403,679
Total | | | $3,046,083

Two Year Concession Audit History by Revenue

Audited | Not Audited | Proposed 2019
$134,193,901 | $53,851,434 | $30,954,665

* Includes: National, Alamo, and Enterprise
** If resources exist, at director's discretion audit will be moved to the 2019 Audit Plan.

Capital Projects Audit Plan Approach

102 approved projects

Division | Budget | Expense to Date
Aviation | $3,594 MM | $925 MM
Non-Aviation | 125 MM | 45 MM
Total | $3,719 MM | $970 MM

Proposed 2019 Audits

Name | Management Rating | Budget | Note
Checked Baggage Recap/Optimization | Yellow | $445 MM | Behind Schedule/Budget Increase
Noise Insulation Programs (FAA Part 150) | N/A | Various | Commission Request
Concourse D Hardstand Terminal | Yellow | 37 MM |
Shilshole Tenant Service Building | Red | 10 MM |

Contingency*

Name | Management Rating | Budget
Cruise Terminal | Yellow | 100 MM

* If resources exist, at director's discretion audit will be moved to the 2019 Audit Plan.

Information Technology Audit Plan Approach

Proposed 2019 Audits

Name | Risk (from IT Audit Universe) | Selection Criteria
Security of Personally Identifiable Information | High | Emerging Risk
HIPAA Compliance | High | Regulatory Requirement
Payment Card Industry (PCI) Quality Security Assessor | High | Contractual Requirement
Closed Network System Security | Critical | Emerging Risk
T2 Airport Garage Parking System Replacement | High | Management Request

Selection Criteria | Explanation
Emerging Risk | Selected from IT Audit Universe based on risk and perceived benefit to the Port
Regulatory Requirement | Periodic Review of HIPAA Compliance is required under 164.308(a)(8) Evaluation
Contractual Requirement | Annual review required by contract for Port Credit Card processing
Management Request | Requested by Sr. Management in Risk Interviews

Contingency*
- Inventory and Control of Hardware Assets

* If resources exist, at director's discretion these will be moved to the 2019 Audit Plan.

Proposed 2019 Audit Plan

Limited Contract Compliance
- Sixt Rent A Car LLC¹
- Enterprise Rent A Car
- Anton Airfood
- Mad Anthony's
- Marketing Fund - Concessions

Operational
- Airport security screening program
- Diversity Program
- Marine Maintenance

Capital
- Baggage Optimization
- Noise Insulation Programs (FAA Part 150)
- Concourse D Hardstand Terminal
- Shilshole Tenant Service Building

Information Technology
- Security of Personally Identifiable Information¹
- HIPAA Compliance
- PCI-Quality Security Assessor
- Closed Network System Security
- T2 Airport Garage Parking System Replacement

¹ Approved addition to plan at 9/28/2018 Audit Committee Meeting
² Internal Audit was unable to complete this audit. Audit will be reassigned and completed in 2019.

Contingency Audits - if resources exist, at director's discretion, these will be moved to the 2019 Audit Plan.

Limited Contract Compliance
- Lenlyn Limited
- AlClear, LLC

Operational
- 2019 Taxi Cab Contract

Capital
- Cruise Terminal

Information Technology
- Inventory and Control of Hardware Assets

2018 / 2017 Recoveries

2018 Audits | Amount
Dollar Rent-A-Car | $22,164
*Fox Rent-A-Car, Inc. | 98,310
*Thrifty Car Rental | 203,764
**North Satellite Renovation and Expansion Project | 1,532,281
Total | $1,856,519

* Agreed to pay, but not yet collected.
** Not collected

2017 Audits | Amount
Hertz Car Rental | $58,554
Bell Harbor International Conference Center | 26,387
Airport Lounge Development Corporation | 118,745
Clear Channel Outdoor, Inc. | 11,259
TNC (Uber, Wingz, Inc.) | 37,993
Total | $252,938

2017 / 2018 Controllable Cost Over-Runs

Audit | Amount
North Satellite Renovation and Expansion Project | $31,800,000
Delta Lounge | 190,000
International Arrivals Facility Labor Burden | $8,200,000 - 11,000,000
International Arrivals Facility Insurance | 2,800,000
Total | $42,990,000 - 45,790,000

Tracking of Significant Overdue Issues

Audit: North Satellite Renovation and Expansion Project
Owner: Jeffrey Brown
Issue: August 2017 Port Management communicated to the Commission that a request was made to Alaska seeking reimbursement of $1.2 MM. IA recommended to seek reimbursement.
Status: June 20, 2018 letter provided to Alaska requesting ~ $1.5 MM. Not invoiced.

Audit: On / Off Boarding of Consultants and Contractors
Owner: HR Director
Issue: A process has not been established to account for and manage / monitor independent contractors and contingent workers. IA recommended a system to track non-port workers.
Status: Processes and procedures have not been implemented. Policy developed.

Audit: Centralized International Support Services Agreement
Owner: Tom Tanaka
Issue: $55,000 overpayment to VIP. IA recommended amendment to contract.
Status: Legal is drafting amendment for commission approval ~ $300,000.

Audits

1) Sea-Tac Utilities
2) International Arrivals Facility (IAF)
3) AV/M and F&I Data Centers
4) AV/M IT Change Management and Patch Management
5) Thrifty Car Rental

Sea-Tac Utilities

- Established as a utility in 2001
- Water, Natural Gas, Electricity, Garbage, Waste Water
- Approximately $16 MM utility costs
- ~50% billed through metered use

Results

1. Medium - Metered Accounts
- Over 750 Metered Accounts
- Process to validate the completeness of metered accounts list or the accuracy of the reads
- Incorrect Billing
- Broken & Missing Meters

2. Medium - Timely Billing
- Timely notification of billing information within Port Departments. Lease Additions, Terminations, Adjustments, etc.
- 56% of notifications provided late
- Late billings to tenants
  - 74% of time for Electricity
  - 88% of time for Water/Gas

MANAGEMENT RESPONSE

Management to discuss in person. Detailed response presented in audit report.

International Arrivals Facility (IAF)

- September 2018, GMP amendment approved with Clark Construction - $774 MM
- Overall program cost - $968 MM
- Estimated completion May 2020
- Pay Application Process - Robust / Well Established
- Approach
  - Identify red flags that might impede successful and timely completion of IAF
  - Identify areas where we can improve on future capital projects

Opportunities

1. Medium - Set Labor Multiplier at market rates
- Labor multiplier for Clark set at 88.7% in new GMP
- Labor increased from 35.7% to 88.7%
- U.S. Labor Statistics Seattle Region = 30%
- Industry Standard Rate Between 30% - 40%
- $11 MM to $8.2 MM increased payroll costs
- Non-audit clause included in GMP contract

2. Medium - Set General Liability Insurance (GLI) range from Risk Management
- GLI set at $7.49 per $1,000 of contract in new GMP
- Port's Risk Management recommends $3.95
- External consultant calculated Seattle @ $3.85
- $2.8 million in additional insurance cost
- Non-audit clause included in GMP contract

3. Medium - Require Not-to-Exceed (NTE) contracts with subcontractors
- NTE vs. Lump-Sum Contracts with Subcontractors
- NTE = Actual Cost + % for Overhead & Profit
- Lump Sum = 100% of contract value, regardless of actual cost

MANAGEMENT RESPONSE

Management to discuss in person. Detailed response presented in audit report.

AV/M and F&I Data Centers

The Data Centers/IDFs (Intermediate Distribution Frames) contain the Airport's servers, applications and network infrastructure which are critical to airport operations.

Areas reviewed during this audit:
- Physical Security
- Cleanliness
- Fire Detection/Suppression
- Emergency Power
- Seismic bracing
- Other related controls

RESULTS

I. Physical Access to Facilities - High

Many rooms in the sample allowed access to hundreds of people with no legitimate business need.

Examples:
- For one of the server rooms, 82 people had key card access, while 1560 had physical key access.
- For one of the telecommunication rooms, 577 people had key card access, while 1472 had physical key access.
- For another server room, in 2017, 32 individuals in the Police Department used the back door approximately 6000 times, which dropped to only 3 times in 2018 (this was due to construction in the garage, which limited access to the garage from the rooms' back door).

RESULTS

II. Physical Facilities Management - Medium

- 77% of the rooms in the sample contained varying levels of flammable material, clutter, dust, and storage of inappropriate materials (including Christmas trees, old equipment, carts, etc.).
- Rooms with gas fire suppression lacked warning signage as required by state law.
- CO2 is being used as a Fire Suppression System in one of the rooms reviewed.

The Environmental Protection Agency (EPA) states: "At concentrations greater than 17 percent, such as those encountered during carbon dioxide fire suppressant use, loss of controlled and purposeful activity, unconsciousness, convulsions, coma and death occur within 1 minute of initial inhalation of carbon dioxide"

The room additionally lacked State Law and NFPA (National Fire Protection Association) Standard #12 required warning signs to alert people.

Examples: Clutter, Dust, Storage

Example: CO2 Fire Suppression in Generator Room

RESULTS

III. Protection Against Environmental Factors - High

- 35% of the rooms reviewed did not have fire suppression capability and 55% did not have fire extinguishers.
- Four rooms had Halon fire extinguishers which are ozone-depleting and do not support the Port's value for being a responsible steward of the environment.

Types of Fire Extinguishers being used:
- Halon
- Halotron
- ABC Ammonium Phosphate
- Foam

Examples: Halon Fire Extinguishers

MANAGEMENT RESPONSE

Management to discuss in person. Detailed response presented in audit report.

INFORMATION TECHNOLOGY AUDIT

AVIATION MAINTENANCE IT CHANGE MANAGEMENT AND PATCH MANAGEMENT

January 2014 - November 2018

Prepared by Point B in partnership with the Port of Seattle Internal Audit department

BACKGROUND

Change Management: A broadly accepted, industry best-practice that governs the identification, assessment, prioritization, authorization, release, and communication of all changes to production environments

Patch Management: Processes and controls that govern the identification, prioritization, testing, and application of critical application and security patches to the production environments

RESULTS

The following diagram compares the AV/M IT Change Management and Patch Management process maturities to a standard Capability Maturity Model.

While reflecting many best practices, the internal processes and controls require further maturation in order to meet the requirements of a critical infrastructure environment.

RESULTS

I. IT Change Management - Medium

AV/M's IT Change Management processes are straightforward and repeatable, but require further maturation. The established processes also need to be consistently followed in order to meet the requirements of critical infrastructure environments.

RESULTS

II. Patch Management - Medium

While some technologies (Windows servers and desktops) are appropriately managed, AV/M does not maintain the control processes and tools necessary for effectively managing patch compliance over the full breadth of systems they support. For example, patch management is not effective for unsupported Microsoft operating systems and applications, or for Linux operating systems.

MANAGEMENT RESPONSE

Management to discuss in person. Detailed response presented in audit report.

Thrifty Car Rental

- Minimum Annual Guarantee - 10% of Gross Revenue
- Customer Facility Charge - $6
- 2014 - 2017
  - Percentage Fees ~ $1.5 MM / Year
  - CFC Fees ~ $2.1 MM / Year

Results

1. Medium - $10,358 due in additional Percentage Fees. (Incidental Revenue)
2. Medium - $111,912 due in additional CFC fees. (Waived CFCs)

Management Response

Management will seek to recover the fees (including audit costs), together with any applicable late fees and interest charges. Management will also communicate both verbally and in writing their obligations with respect to revenues and CFC's.