1. Audit Committee Report
Port of Seattle Audit Committee
Internal Audit Update
Glenn Fernandes - Director, Internal Audit
December 9, 2021, Remote Meeting, 2:30 PM - 4:00 PM
Financial Stewardship, Accountability, Transparency, Operational Excellence, Governance

Slide 2: 2021 Audit Plan Status

| Audit Title | Type |
| --- | --- |
| Noise Monitor Data Accuracy | Operational |
| South King County Fund | Operational |
| Central Terminal Infrastructure Upgrade (Construction and Closeout Phases) | Operational - Capital |
| Malware Defenses - Aviation Maintenance | IT |
| Seattle-Tacoma International Limousine Association (STILA) | Contract Compliance |
| Biometrics | IT |
| Art Program | Operational |
| Restroom Renovations Phase 3 Prototype | Operational - Capital |
| Lenlyn Limited | Contract Compliance |
| Rasier, LLC [1] | Operational |
| Lyft, Inc. [1] | Operational |
| Fruit & Flower, LLC d/b/a Floret | Contract Compliance |
| Baggage Optimization - Phase 2 | Operational - Capital |
| Payment Card Industry (PCI) Compliance | IT |
| Rent and Concession Deferral Recovery | Operational |
| Continuous Vulnerability Management | IT |
| Data Recovery [2] | IT |
| North Terminals Utilities Upgrade - Phase 1 | Operational - Capital |
| Capitalization of Assets | Operational |
| Dilettante Chocolate, Inc. | Contract Compliance |
| T2 Airport Garage Parking System Replacement [3] | IT |

Timeline columns: Jan through Dec. Key: Complete; Deferred to 2022.

1. Reclassified from Limited Contract Compliance to Operational and consolidated into one report.
2. This is a contingency audit that was approved by the Audit Committee in December 2020.
3. Due to implementation delays, this audit will be deferred to the 2022 Audit Plan.

Slide 3: 2021 Audit Plan Update

19 audit reports were completed in 2021 as planned: Operational (6), Capital Projects (4), IT (5), and Limited Contract Compliance (4). Audits identified 4 High Risk, 12 Medium Risk, and 5 Low Risk rated issues for management action.
Internal Audit's 2021 value proposition to respond to COVID-19 impact and associated business risks:
- Audit of Rent and Concession Deferral Recovery - Direct relevance of the Port's financial relief to tenants and repayment activities
- Capital Project Audits - Incorporated COVID-19 related expenses and change orders into audits
- Cruise Terminals of America 2020 Cruise Season Rent Credit Review

The Port has opportunities to reduce change orders, schedule delays and design issues.

Slide 4: 2021/2020 Suggested Recoveries

Lease/Concession:

| 2021 Audits | Amount |
| --- | --- |
| Seattle-Tacoma International Limousine Association | $157,284 |
| Lenlyn Limited | 12,023 |
| Total | $169,307 |

| 2020 Audits | Amount |
| --- | --- |
| Concourse Concessions, LLC | $1,527 |
| McDonald's USA, LLC | 10,265 |
| E-Z Rent A Car, Incorporated | 16,201 |
| Total | $27,993 |

Capital [1]:

| 2021 Audits | Amount |
| --- | --- |
| Central Terminal Infrastructure Upgrade Project (Construction and Closeout Phases) | $18,200 |
| Restroom Renovations Phase 3 Prototype | 12,314 |
| Total | $30,514 |

| 2020 Audits | Amount |
| --- | --- |
| AOA Perimeter Fence Line Standards Project | $232,000 |
| Total | $232,000 |

1. Since 2018, Internal Audit has recommended $2.5 MM in capital project recoveries, of which $850,000 has been recovered.

Slide 5: 2021/2020 Controllable Cost Over-Runs [1]

| Audit | 2020 Amount | 2021 Amount |
| --- | --- | --- |
| Service Tunnel Renewal/Replacement Project | $160,000 | 0 |
| AOA Perimeter Fence Line Standards Project | 106,000 | 0 |
| Baggage Optimization Project - Phase 2 | 0 | $29,000 |
| Total | $266,000 | $29,000 |

1. Since 2018, Internal Audit has identified $46 MM in capital project controllable costs.

Slide 6: Operational Audit Approach

Risk interviews held with a sample of Port leaders, including:
- Airport Operations
- Aviation Commercial Management
- Environment and Sustainability
- Finance
- Government Relations
- Human Resources
- Health and Safety
- Aviation Security

Common Risk Themes identified from interview data:
- Resources - COVID mandate, aging workforce, tight labor market
- Payroll - Administrative Professionals approving time, accuracy of vacation/sick accruals, PHEL misuse
- Grants - FAA compliance, pass-through entity
- Construction - Impact to operations and need for improved communication
- Governance - New commissioners, changing priorities

Input from Commissioners and Executive Director

Slide 7: Proposed 2022 Operational Audits

| Audit | Risk Input | Purpose |
| --- | --- | --- |
| Payroll Controls | Risk interviews | Evaluate current processes/controls to assure proper time approval, vacation/sick accruals, and PHEL use. |
| Emergency Procurement | Commissioner Request | Evaluate current processes/controls to assure emergency procurement compliance with applicable laws and Port policies. |
| Federal Grant Administration (CRRSA & ARP) | Risk interviews | Evaluate current processes/controls to assure compliance with applicable federal grant requirements (e.g., eligibility, allocation methodology, agreements, etc.). |
| Community & Sustainability Initiatives | Risk interviews | Evaluate governance and current processes/controls to assure compliance with applicable laws and Port policies, and safeguarding Port assets. |

Contingency Audit [1]: Contractor COVID-19 Vaccination Compliance [2]

1. If resources exist, at Internal Audit Director's discretion, this audit will be moved to the 2022 Audit Plan.
2. This audit was requested by the Executive Director to assure mandated COVID-19 vaccination compliance by contractors, pending an updated Port policy.

Slide 8: Capital Projects Audit Approach

19 projects currently under contract >$5MM [1], [2]

Risk rating of projects utilizing six attributes:
- Project Size (Construction Costs)
- Change Orders (Original Contract Sum)
- Contract Type
- Schedule
- Budget
- Known Concerns (Errors & Omissions, Potential Claims, Scope Changes, etc.)

1. Contract costs as of November 2021. Does not include total project cost (Port's internal/soft cost).
2. See Appendix A - Capital Risk Universe - Projects Currently Under Contract, Risk Rating Methodology.

Slide 9: Proposed 2022 Capital Audit Plan

| Project | Schedule Rating [1] | Budget Rating [1] | Contract Amount |
| --- | --- | --- | --- |
| International Arrivals Facility (IAF) | Red | Red | $798.7MM |
| Interim Westside Fire Station | Red | Red | 5.6MM |
| North Satellite (NSAT) Renovation & Expansion (Closeout) | Green | Red | 500.1MM |
| South Satellite (SSAT) High Voltage AC Infrastructure Upgrade | Yellow | Yellow | 31.2MM |
| Post IAF Airline Realignment [2] | Required by RCW 39.10.385 | | Not Yet Under Contract |
| C-1 Building Expansion [2] | Required by RCW 39.10.385 | | Not Yet Under Contract |
| Main Terminal Low Voltage [2] | Required by RCW 39.10.385 | | Not Yet Under Contract |
| Total | | | $1,335.6MM |

Contingency Audit [3]: Capital Project Management [4]

1. Ratings generated from Internal Audit's risk assessment, utilizing the following systems: Quarterly Capital Improvement Projects, Contractor Data system, etc. See Appendix A - Capital Risk Universe - Projects Currently Under Contract, Risk Rating Methodology.
2. RCW 39.10.385 requires an independent auditor perform an audit of subcontractor changes to the Port on GCCM projects, where the subcontractor was selected through an alternative selection process. This audit work will be performed by external, contractor auditors under Internal Audit's supervision.
3. If resources exist, at Internal Audit Director's discretion, this audit will be moved to the 2022 Audit Plan.
4. Purpose: Operational audit of overall project management, including: project prioritization, prevention of schedule delays and budget over-runs, and best practices related to the Majority-In-Interest (MII) approach.

Slide 10: Information Technology Audit Plan Approach

Seven Year Plan: Since the Port had not had a comprehensive Information Technology Audit program prior to 2018, we decided in 2019 that our new Information Technology Audit Program [1] would focus on those high risk, high value controls identified by the Center for Internet Security [2] (CIS, 18 control areas, 153 controls).

We are using risk input from Information Security to assist us in determining the order in which to perform the CIS audits. Additionally, we will add audits based on executive management concerns or on the basis of emerging threats.

Once we cycle through those 18 high risk areas (we have completed six to date), we will branch out into looking at other Information Technology General Controls, and we will move to a more classic risk assessment process of assessing risk, likelihood and impact, to determine what will be on our annual Information Technology audit plan.

1. See Appendix B - Information Technology Audit Universe.
2. https://www.cisecurity.org/controls/cis-controls-list/

Slide 11: Information Technology Audit Plan - Proposed 2022 Audits/Assessments

| Name | Risk [1] | Selection Criteria |
| --- | --- | --- |
| T2 Airport Garage Parking System Replacement [2] | N/A | Management Request |
| Account Management (ICT) | High | Center for Internet Security |
| Account Management (Aviation Maintenance) | High | Center for Internet Security |
| Audit Log Management (ICT) | High | Center for Internet Security |
| Audit Log Management (Aviation Maintenance) | High | Center for Internet Security |
| Incident Response Management (ICT) | High | Center for Internet Security |
| Incident Response Management (Aviation Maintenance) | High | Center for Internet Security |

Contingency Audits [3]

| Name | Risk [1] | Selection Criteria |
| --- | --- | --- |
| Network Infrastructure Management (ICT) | High | Center for Internet Security |
| Network Infrastructure Management (Aviation Maintenance) | High | Center for Internet Security |
| Email and Web Browser Protections (ICT) | High | Center for Internet Security |

1. See Appendix B - Information Technology Audit Universe.
2. Deferred from the 2020 Audit Plan.
3. If a proposed audit cannot be performed, at the Internal Audit Director's discretion, this audit will be moved to the 2022 Audit Plan.

Slide 12: Lease and Concession Audit Plan Approach

126 leases in the risk universe [1]

Risk rating of leases primarily based on:
- Three-year revenues
- Prior audit history
- Cycle frequency

| Year | Total Agreement Revenues | Aviation | Economic Development | Maritime |
| --- | --- | --- | --- | --- |
| 2019 | $128 MM | $122 MM | $2 MM | $4 MM |
| 2020 | 40 MM | 34 MM | 1 MM | 5 MM |
| 2021 [2] | 33 MM | 28 MM | 1 MM | 4 MM |
| Total | $201 MM | $184 MM | $4 MM | $13 MM |

| Rating | Number of Leases | 2019-2021 Revenue | Percentage | Frequency |
| --- | --- | --- | --- | --- |
| High | 11 | $109 MM | 54% | 5-7 year cycle [3] |
| Medium | 24 | 63 MM | 31% | 10-year cycle |
| Low | 91 | 29 MM | 15% | As needed |
| Total | 126 | $201 MM | 100% | |

1. See Appendix C - Lease/Concession Risk Universe.
2. Actuals through 8/31/2021.
3. Updated for 2022 due to COVID-19 pandemic impact on tenants.

Slide 13: Proposed 2022 Lease and Concession Audits

| Name | Division | Rating | 2019-2021 Revenues |
| --- | --- | --- | --- |
| In-Ter-Space Services, Inc. DBA Clear Channel Airports | Aviation | High | $11.3 MM |
| Avis Budget Car Rental | Aviation | High | 9.4 MM |
| Hertz Corporation | Aviation | High | 6.1 MM |
| Total | | | $26.8 MM |

Contingency Audit [1]

| Name | Division | Rating | 2019-2021 Revenues |
| --- | --- | --- | --- |
| Host International, Inc. | Aviation | High | $10.2 MM |

1. If resources exist, at Internal Audit Director's discretion, this audit will be moved to the 2022 Audit Plan.

Slide 14: Historical Reports Overview 2018 - 2022

| Report Type | 2018 [1] | 2019 | 2020 | 2021 | 2022 (Proposed) |
| --- | --- | --- | --- | --- | --- |
| Operational | 8 | 4 | 6 | 6 | 4 |
| Operational - Capital | 5 | 4 | 3 | 4 | 7 [2] |
| Information Technology | 3 | 6 | 6 | 5 | 7 [3] |
| Limited Contract Compliance | 6 | 5 | 5 | 4 | 3 |
| Total | 22 | 19 | 20 | 19 | 21 |

1. 2018 included six audits carried over from the 2017 audit plan. The First Quarter Audit Committee Meeting discussed 2017 Audits.
2. Includes three audits required by RCW 39.10.385; State Law requires an independent auditor perform an audit of subcontractor changes to the Port on GCCM projects, where the subcontractor was selected through an alternative selection process. This audit work will be performed by external, contractor auditors under Internal Audit's supervision.
3. Includes six audits that reflect a separation of three audits (Account Management, Account Log Management, and Incident Response Management) for two respective departments; ICT and Aviation Maintenance.

Slide 15: Proposed 2022 Audit Plan

Limited Contract Compliance:
- In-Ter-Space Services, Inc. DBA Clear Channel Airports
- Avis Budget Car Rental
- Hertz Corporation

Operational:
- Payroll Controls
- Emergency Procurement
- Federal Grant Administration (CRRSA & ARP)
- Community & Sustainability Initiatives

Information Technology:
- T2 Airport Garage Parking System Replacement [1]
- Account Management (ICT)
- Account Management (Aviation Maintenance)
- Audit Log Management (ICT)
- Audit Log Management (Aviation Maintenance)
- Incident Response Management (ICT)
- Incident Response Management (Aviation Maintenance)

Capital:
- International Arrivals Facility (IAF)
- Interim Westside Fire Station
- North Satellite (NSAT) Renovation & Expansion Closeout
- South Satellite (SSAT) High Voltage AC Infrastructure Upgrade
- Post IAF Airline Realignment [2]
- C-1 Building Expansion Construction Phase [2]
- Main Terminal Low Voltage [2]

1. Moved to 2022 audit plan; approved at 6/28/2019 Audit Committee meeting.
2. RCW 39.10.385 requires an independent auditor perform an audit of subcontractor changes to the Port on GCCM projects, where the subcontractor was selected through an alternative selection process. This audit work will be performed by external, contractor auditors under Internal Audit's supervision.

Slide 16: Contingency Audits - If resources exist, at Internal Audit Director's discretion, these audits will be moved to the 2022 Audit Plan.

Limited Contract Compliance:
- Host International, Inc.

Operational:
- Contractor COVID-19 Vaccination Compliance

Information Technology:
- Network Infrastructure Management (ICT)
- Network Infrastructure Management (Aviation Maintenance)
- Email and Web Browser Protections (ICT)

Capital:
- Capital Project Management

Slide 17: Open Issue Follow-Up Status - Aging Report as of December 9, 2021

1. Twelve issues outstanding for one to two years from the Target Date consist of:
- Architecture & Engineering (4) - Fair and Reasonable Rate Determination; Management Review Over Max Rates; Contract Rate Accuracy; and Governance: A lean project to evaluate the rate negotiation process is scheduled for Q1, 2022.
Resource constraints have made it challenging to resolve the audit issues. A Governance team has been selected; meetings to begin in 2022.
- Information Technology Audits (8) (Security Sensitive) - Exempt from Public Disclosure per RCW 42.56.420 - Issues Not Discussed in Public Session. They are: Security of Personal Identifiable Information (2), HIPAA Security (4), Closed Network System Security (1), and Network Password Management (1).

2. Four Information Technology issues do not have Target Dates and are not included in this chart. These issues are in the process of being addressed; however, they are more than two years past the Report Date: Disaster Recovery Capability (1), and AV/M Facilities & Infrastructure Data Centers (3).

See Appendix D for a detailed listing of outstanding issues aging as of December 9, 2021.

Slide 18: Audits Completed in Fourth Quarter, 2021

1) Capitalization of Assets
2) North Terminals Utilities Upgrade Phase 1
3) Rent and Concession Deferral Recovery
4) Payment Card Industry (PCI) Compliance* [Note: Slide 31 contains only the non-security sensitive contents from the audit report for discussion purposes.]
5) Continuous Vulnerability Management*
6) Data Recovery*
7) Dilettante Chocolate, Inc.

*Security Sensitive - Exempt from Public Disclosure per RCW 42.56.420 - Issues Not Discussed in Public Session

Slide 19: Capitalization of Assets

Port Accounting Policy AC-8b establishes standards for capitalization of major expenses.

Construction Costs recorded against Construction Work-in-Process (CWIP) when:
- The asset has a useful life of three years or more
- The Port has ownership and control
- Total costs of at least $20,000

As of December 31, 2020:
- CWIP: $1.347 billion
- Capital Assets: $8.164 billion

Slide 20: #1) Rating: Low

A Standard Operating Procedure was documented and adopted in February 2021.
However, internal controls need to be enhanced whereby project leads review and approve their work, a year end re-confirmation is performed, and a final notification is sent out to all stakeholders. Doing so will reduce the likelihood that assets are not transferred from Construction Work-in-Process to Capital Assets in the correct period.

Slide 21: Recommendations

- Annual Review Process - Program Leads should formally review and approve information before it is submitted to Capital Services.
- Facility Asset Review Meeting (FARM) - The year-end FARM should include a final opportunity for stakeholders to re-confirm the accuracy of project status.
- Notification - After asset transfers have been recorded, Capital Services should provide a notification to key stakeholders so that they can validate the accuracy of what was recorded.

Slide 22: Management Response

- Annual Review Process - Management agrees that all projects reviewed will include a review and sign-off from the appropriate Program Leads.
- Facility Asset Review Meeting (FARM) - Management disagrees with recommendation that a FARM should be scheduled at the end of the year to reconfirm assets for every project. Instead, Management will evaluate making a FARM required for qualifying projects in the design phase, where preliminary asset plans are developed, and again during construction, prior to asset plan submission, to ensure a timely, coordinated asset plan final submission.
- Notification - Management agrees with this recommendation and will implement this process for year-end reporting.

DUE DATE: 3/31/2022
Management will discuss in detail. (Full response in Audit Report No. 2021-12)

Slide 23: North Terminal Utilities Upgrade Phase 1

The North Terminal Utilities Upgrade Phase 1 replaced the existing 45-year-old undersized steam, condensate, and chilled water supply, return piping from the Central Mechanical Plant, and created a redundant interconnected piping loop in two phases.
Key Elements of Phase 1:
- Upsized piping from the Central Mechanical Plant to points of connection for the Concourse D Annex and North Satellite.
- Provided critical improvements for the planned 2021 opening of the newly renovated North Satellite.

Slide 24: North Terminal Utilities Upgrade Phase 1

- Project approved by Commission in June 2016 for $21.3 MM.
- The Engineer's Estimate for Phase 1 was $11,653,000.
- Four bids were received; three bids exceeded the estimate by at least 15%.
- Winning bidder, James W. Fowler Co., submitted a bid for $12,184,750; 4.5% over the Engineer's Estimate.
- Final construction cost is $13.36 MM, including $1.17 MM in change orders.

Slide 25: 1) Rating: Medium

Internal Audit noted instances where the Port's Standard Operating Procedures were not followed for Change Orders. Instances included:
- Contractor submitting inadequate documentation to justify change orders
- Failure to complete a required estimate
- Inadequate review of contractor timesheets

Slide 26: Recommendations

Management should strengthen the control over documentation, approval, and compliance with Standard Operating Procedures. Although the Port is not responsible for the contractor, or their subcontractors, to submit accurate certified payroll reports to the Washington Department of Labor and Industries (L&I).

Slide 27: Management Response

The Engineering Construction Management and Central Procurement Office (CPO) Construction Contracting teams agree with the findings. Key areas of focus for Construction Management to address these issues will be on training and oversight of staff who are less experienced with Port processes, both FTEs and Consultants. In addition to referencing published Standard Operating Procedures, we will continue to reinforce our processes through regular meetings with staff, with an expanded attendee list to include Consultants, to increase overall understanding of these processes and best practices for enforcement of the contract and management of changes.
We will continue to coordinate with our CPO Construction Contracting partners to strengthen controls and ensure all required elements are in place before executing changes to the Contract.

DUE DATE: 12/31/2021
Management will discuss in detail. (Full response in Audit Report No. 2021-20)

Slide 28: Rent and Concession Deferral Recovery ("Program")

- Since April 2020, the Port Commission has authorized short-term economic relief to customers, airlines, concessionaires, and tenants to address impacts of the economic crisis resulting from the COVID-19 pandemic.
- Based on approvals by the Port Commission via Motions 2020-07 and 2020-13, the Port created and implemented the Program.
- The Port and the tenants or concessionaires entered into deferral agreements detailing the arrangement that included a repayment plan.
- As of December 31, 2020, the deferred charges were $61.1 MM, including $4.1 MM of Norwegian Cruise Line Holdings (NCL).
- As of October 27, 2021, the outstanding deferred charges were $2.7 MM, of which NCL had the largest balance of $2 MM.

Slide 29: Rent and Concession Deferral Recovery ("Program")

Internal Audit identified monitoring controls that are significant to the current processes, including:
- The Executive Director's quarterly recovery status/action reporting to the Port Commission
- Legal department's involvement/oversight
- Executive oversight meetings
- Business leaders' ongoing monitoring engagement
- Centralized function's use of a tracking tool, and an associated quality review by Accounting and Financial Reporting (AFR)

A sample of business leaders interviewed expressed concern about the uncertainty of the COVID-19 pandemic, new requirements, and related impact on the Port and tenants.

Detail testing for a sample of six deferral agreements noted participating tenants' compliance with Program requirements.

Slide 30: No Issues

Based on the work we performed, Internal Audit concluded that the current processes and related internal controls are operating as intended, to assure Program compliance with applicable laws and Port policies.

Slide 31: Payment Card Industry (PCI) Compliance

Internal Audit completed an Information Technology audit of the Port of Seattle's (Port's) compliance with the Payment Card Industry Data Security Standard (PCI DSS) version 3.2.1, dated June 2018, for the period August 2020 through September 2021.

Organizations that store, process, or transmit credit card data must comply with relevant PCI DSS requirements, and compliance must be attested on an annual basis. The Port accepts credit card payments for parking and moorage services at its facilities, including Seattle-Tacoma International Airport and various Marinas in Seattle.

Based on the work we performed, and the information gathered, Internal Audit concluded that the Port has achieved reasonable compliance with the PCI DSS requirements for Merchants. There were a small number of non-compliant requirements at the initial point of review in the audit that were corrected during the audit.

Security Sensitive - Exempt from Public Disclosure per RCW 42.56.420 - Issues Not Discussed in Public Session

Slide 32: Dilettante Chocolate, Inc.

- Lease Agreement established in 2016
- Gross revenues about $3.85 MM annually (prior to COVID-19)
- Concession fees paid about $593,000 annually (prior to COVID-19)

Slide 33: No Issues

Internal Audit concluded that Dilettante Chocolate, Inc. materially complied with the significant terms of the Agreement.

Slide 34: Appendix

A - Capital Risk Universe & Risk Rating Methodology
B - Information Technology Audit Universe
C - Lease/Concession Risk Universe
D - Aging of Outstanding Issues as of December 9, 2021

Slide 35: Appendix A - Capital Risk Rating Methodology

| Attribute | Criterion | Points |
| --- | --- | --- |
| (A) Project Size (Construction Costs) | $5MM to $10MM | 1 |
| | >$10MM to $15MM | 2 |
| | >$15MM to $25MM | 3 |
| | >$25MM to $50MM | 4 |
| | >$50MM | 5 |
| (B) Change Orders (original contract sum) | 0 to 5% | 1 |
| | 5.1% to 7.5% | 2 |
| | 7.6% to 10% | 3 |
| | 10.1% to 15% | 4 |
| | >15% | 5 |
| (C) Contract Type | Lump sum | 1 |
| | Unit Price or T&M | 2 |
| | GMP w/ Shared Savings or TRA | 3 |
| | GMP w/ no shared savings | 4 |
| | Cost Plus no GMP | 5 |
| (D) Schedule | On Schedule | 1 |
| | Potential Schedule Overrun | 3 |
| | Schedule Overrun | 5 |
| (E) Budget | On Budget | 1 |
| | Potential Budget Overrun | 3 |
| | Over Budget | 5 |
| (F) Known Concerns (E&O, claims, scope change, complexity) | Subjective - Audit Knowledge | 1-5 |

T&M: Time and Materials
GMP: Guaranteed Maximum Price
TRA: Tenant Reimbursement Agreement
E&O: Errors and Omissions

Slide 36: Appendix A - Capital Risk Universe (Projects >$5MM)

| # | Project | (A) | (B) | (C) | (D) | (E) | (F) | Total | Prior Audit |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | International Arrivals Facility (IAF) | 5 | 5 | 4 | 5 | 5 | 5 | 29 | 2017; 2018 |
| 2 | Interim Westside Fire Station | 2 | 5 | 4 | 5 | 5 | 5 | 26 | 2018 |
| 3 | North Satellite (NSAT) Renovation & Expansion (Closeout) | 5 | 3 | 3 | 1 | 5 | 4 | 21 | 2018 |
| 4 | South Satellite (SSAT) High Voltage AC Infrastructure Upgrade | 4 | 4 | 1 | 1 | 5 | 4 | 19 | |
| | Safedock Upgrade and Expansion | 1 | 3 | 1 | 5 | 5 | 4 | 19 | |
| | North Terminal Utilities Upgrade - Phase 1 | 2 | 2 | 1 | 5 | 5 | 2 | 17 | 2021 |
| | P66 Interior Modernization | 1 | 5 | 1 | 4 | 5 | 1 | 17 | |
| | Checked Baggage Recap/Optimization Phase II | 5 | 1 | 1 | 1 | 1 | 5 | 14 | 2021 |
| | Sites 23-25 Restoration | 3 | 1 | 4 | 1 | 3 | 2 | 14 | |
| | Electrical Ground Support Equip. Charge Stations (Ph 2A & 2B) | 4 | 1 | 1 | 3 | 1 | 3 | 13 | |
| | Concourse C New Power Center | 1 | 4 | 1 | 1 | 3 | 2 | 12 | |
| | Parking Garage Elevators Modernization (Phase I & II) | 3 | 1 | 1 | 3 | 1 | 2 | 11 | |
| | Air Cargo Road Safety Improvements | 2 | 1 | 1 | 3 | 1 | 2 | 10 | |
| | 2021 Airfield Improvement | 3 | 1 | 1 | 1 | 1 | 2 | 9 | |
| | Concourse C New Power Center | 2 | 2 | 1 | 1 | 1 | 2 | 9 | |
| | Electric Utility Supervisory Controls & Data Acquisition (SCADA) | 1 | 1 | 1 | 1 | 1 | 1 | 6 | |
| | Parking Revenue Infrastructure | 1 | 1 | 1 | 1 | 1 | 1 | 6 | |
| | T91 Northwest Fender Replacement | 1 | 1 | 1 | 1 | 1 | 1 | 6 | |
| | Dining, Retail & Infrastructure Modernization - | | | | | | | | |

Notes:
1. IAF nearing completion. Unknown Change Order (CO) coding changes in Trend Log. Project has encountered numerous issues. Over budget and schedule. Delays have caused other Projects to fall behind schedule. Commission request to review project. Consultant will assist Internal Audit during the audit.
2. Overbudget. Schedule approximately one year behind. Multiple difficulties encountered during the Project.
3. NSAT - Second largest project. Substantial completion in 2021. $31MM in COs. Suggest a closeout audit.
4. Potential for budget and schedule overruns. $2.9MM in COs, including $674K in scope changes, $529K Errors & Omissions (E&O) Designer, $385K COVID-19 reimbursements. Has not been previously audited.

Slide 37: Appendix B - Information Technology Audit Universe

| # | IT General Controls Audits | Inherent Risk |
| --- | --- | --- |
| 1 | CIS - Inventory and Control of Enterprise Assets - V8 | HIGH |
| 2 | CIS - Inventory and Control of Software Assets - V8 | HIGH |
| 3 | CIS - Data Protection - V8 | HIGH |
| 4 | CIS - Secure Configuration of Enterprise Assets and Software - V8 | HIGH |
| 5 | CIS - Account Management - V8 | HIGH |
| 6 | CIS - Access Control Management - V8 | HIGH |
| 7 | CIS - Continuous Vulnerability Management - V8 | HIGH |
| 8 | CIS - Audit Log Management - V8 | HIGH |
| 9 | CIS - Email and Web Browser Protections - V8 | HIGH |
| 10 | CIS - Malware Defenses - V8 | HIGH |
| 11 | CIS - Data Recovery - V8 | HIGH |
| 12 | CIS - Network Infrastructure Management - V8 | HIGH |
| 13 | CIS - Network Monitoring and Defense - V8 | HIGH |
| 14 | CIS - Security Awareness and Skills Training - V8 | HIGH |
| 15 | CIS - Service Provider Management - V8 | HIGH |
| 16 | CIS - Application Software Security - V8 | HIGH |
| 17 | CIS - Incident Response Management - V8 | HIGH |
| 18 | CIS - Penetration Testing - V8 | HIGH |
| 19 | Annual Review of Payment Card Industry (PCI) Compliance | HIGH |
| 20 | Password Management | HIGH |
| 21 | Parking Revenue Control System (T2 ParkingSoft) | HIGH |
| 22 | Change Management | HIGH |
| 23 | Datacenter Operations | HIGH |
| 24 | Disaster Recovery Program | HIGH |
| 25 | HIPAA Privacy Compliance | HIGH |
| 26 | HIPAA Security Compliance | HIGH |
| 27 | Industrial Control System Security | HIGH |
| 28 | IT Governance | HIGH |
| 29 | IT Risk Management | HIGH |
| 30 | Periodic User Access Reviews | HIGH |
| 31 | Physical & Environmental Security | HIGH |
| 32 | Portable Media Security | HIGH |
| 33 | Project Management | HIGH |
| 34 | Security Program | HIGH |
| 35 | System and Software Development | HIGH |
| 36 | Transmission Protection | HIGH |
| 37 | Triennial WA State Patrol Audit of CJIS Compliance | HIGH |
| 38 | Vendor Management | HIGH |

Key: Completed Audits; On the 2022 Audit Plan.

Slide 38: Appendix C - Lease/Concession Risk Universe

High Risk:

| Name | Contract | 2019 | 2020 | 2021* | Total |
| --- | --- | --- | --- | --- | --- |
| EAN HOLDINGS LLC | AIR001281 | $12,283,311 | $1,968,842 | $1,055,696 | $15,307,849 |
| AIRPORT MANAGEMENT SERVICES LLC | AIR002018 | 6,461,469 | 2,596,134 | 2,877,387 | 11,934,990 |
| IN-TER-SPACE SERVICES, INC | AIR002224 | 7,106,850 | 3,758,091 | 476,229 | 11,341,170 |
| LOUIS DREYFUS COMPANY WASHINGTON LLC | SEA002603 | 3,414,447 | 4,428,624 | 3,395,266 | 11,238,337 |
| RASIER LLC | AIR002022 | 8,020,014 | 2,465,688 | - | 10,485,702 |
| HOST INTERNATIONAL, INC | AIR002019 | 6,191,054 | 2,008,238 | 1,987,837 | 10,187,129 |
| AIRPORT MANAGEMENT SERVICES LLC | AIR002017 | 5,984,582 | 1,683,344 | 2,007,993 | 9,675,920 |
| AVIS BUDGET CAR RENTAL | AIR001282 | 7,643,276 | 1,063,457 | 677,206 | 9,383,939 |
| DUFRY - SEATTLE JV | AIR001661 | 6,343,533 | 1,234,549 | - | 7,578,082 |
| LYFT | AIR002023 | 4,953,342 | 1,564,344 | - | 6,517,686 |
| HERTZ CORPORATION | AIR001278 | 5,277,443 | 388,300 | 451,355 | 6,117,098 |
| Total | | $73,679,321 | $23,159,611 | $12,928,970 | $109,767,903 |

*Actuals through 8/31/2021

Slide 39: Appendix C - Lease/Concession Risk Universe (continued)

Medium Risk:

| Name | Contract | 2019 | 2020 | 2021* | Total |
| --- | --- | --- | --- | --- | --- |
| SKY CHEFS INC | AIR002512 | $2,083,334 | $1,954,910 | $1,733,860 | $5,772,104 |
| GATE GOURMET INT'L | AIR000042 | 3,478,670 | 1,366,033 | 895,591 | 5,740,294 |
| DOUG FOX TRAVEL/ATZ | AIR001718 | 3,292,322 | 685,911 | 1,480,890 | 5,459,123 |
| REPUBLIC PARKING NORTHWEST INC | SEA000425 | 1,663,944 | 942,091 | 524,858 | 3,130,893 |
| EASTSIDE FOR HIRE, INC | AIR002100 | 2,842,695 | - | - | 2,842,695 |
| HOST INTERNATIONAL, INC | AIR000435 | 2,597,830 | (8,866) | 149,283 | 2,738,247 |
| FLYING FOOD FARE INC | AIR000086 | 1,761,803 | 700,578 | 272,080 | 2,734,462 |
| SKY CHEFS INC | AIR001849 | 2,679,284 | - | - | 2,679,284 |
| HOST INTERNATIONAL, INC | AIR002247 | 1,412,532 | 635,557 | 540,294 | 2,588,384 |
| DTG OPERATIONS INC | AIR001279 | 1,920,146 | 218,557 | 180,525 | 2,319,228 |
| RASIER LLC | AIR002579 | - | - | 2,110,532 | 2,110,532 |
| SIXT RENT A CAR LLC | AIR001632 | 1,597,449 | 377,404 | 101,768 | 2,076,621 |
| CMC INVESTMENTS INC | AIR001280 | 1,688,013 | 199,510 | 154,657 | 2,042,180 |
| FOX RENT A CAR INC | AIR001285 | 1,470,104 | 412,400 | 152,523 | 2,035,026 |
| ALCLEAR, LLC | AIR002048 | 1,504,597 | 440,790 | 76,523 | 2,021,910 |
| QDOBA RESTAURANT CORPORATION | AIR002096 | 1,247,335 | 554,298 | 160,208 | 1,961,842 |
| SSP AMERICA SEA LLC | AIR002237 | 955,140 | 432,579 | 536,224 | 1,923,944 |
| CONCOURSE CONCESSIONS LLC | AIR002055 | 1,105,501 | 410,875 | 398,404 | 1,914,780 |
| MCDONALD'S USA LLC | AIR001606 | 1,213,833 | 526,217 | 160,774 | 1,900,824 |
| STELLAR BAMBUZA SEA LLC | AIR002240 | 585,553 | 492,431 | 804,127 | 1,882,111 |
| SEATTLE RESTAURANT ASSOCIATES | AIR000439 | 1,815,188 | - | - | 1,815,188 |
| FIREWORKS | AIR002101 | 1,095,226 | 319,362 | 380,979 | 1,795,566 |
| BEECHER'S HANDMADE CHEESE, LLC | AIR001562 | 978,751 | 344,064 | 449,098 | 1,771,912 |
| SEATAC BAR GROUP LLC | AIR002053 | 1,159,507 | 262,464 | 287,395 | 1,709,366 |
| Total | | $40,148,757 | $11,267,164 | $11,550,592 | $62,966,514 |

*Actuals through 8/31/2021

Slide 40: Appendix C - Lease/Concession Risk Universe (continued)

Low Risk:

| Name | Contract | 2019 | 2020 | 2021* | Total |
| --- | --- | --- | --- | --- | --- |
| HOST LPI SEA FB LLC | AIR002361 | $933,168 | $348,589 | $417,872 | $1,699,629 |
| CONCOURSE CONCESSIONS LLC | AIR002362 | 560,520 | 455,518 | 569,107 | 1,585,145 |
| SSP AMERICA SEA LLC | AIR002238 | 613,177 | 439,960 | 529,013 | 1,582,150 |
| LENLYN LIMITED | AIR001788 | 1,309,915 | 191,423 | - | 1,501,338 |
| LYFT | AIR002578 | - | - | 1,491,683 | 1,491,683 |
| SSP AMERICA SEA LLC | AIR002358 | 973,521 | 238,623 | 207,587 | 1,419,731 |
| BAMBUZA SEA-TAC VENTURES | AIR002365 | 518,543 | 343,255 | 456,928 | 1,318,726 |
| PALLINO SEATAC LLC | AIR002241 | 561,190 | 275,294 | 337,653 | 1,174,136 |
| SODEXO AMERICA, LLC | AIR001513 | 710,436 | 295,492 | 92,316 | 1,098,244 |
| 1915 KCHOUSE CONCEPTS-SEATAC LLC | AIR002265 | 563,846 | 233,102 | 295,526 | 1,092,474 |
| MAD ANTHONY'S INC CHINOOK | SEA000043 | 460,825 | 373,214 | 258,349 | 1,092,388 |
| DILETTANTE CHOCOLATES INC | AIR002094 | 558,368 | 247,005 | 255,881 | 1,061,253 |
| SEATTLE TACOMA INTL LIMOUSINE ASSOC* | AIR001991 | 836,843 | 188,272 | - | 1,025,115 |
| FRUIT & FLOWER LLC DBA FLORET AUTHORITY | AIR002063 | 650,709 | 122,942 | 139,359 | 913,011 |
| THE YARROW GROUP LLC | AIR002233 | 501,082 | 305,327 | 87,880 | 894,289 |
| INMOTION SEA LLC | AIR002103 | 498,982 | 102,181 | 108,229 | 709,393 |
| MAD ANTHONY'S INC PIER 66 | SEA000294 | 379,625 | 198,552 | 80,632 | 658,810 |
| PAYLESS CAR RENTAL, INC | AIR001451 | 505,845 | 43,023 | 39,428 | 588,296 |
| SMARTE CARTE INC | AIR000629 | 375,755 | 144,442 | 41,409 | 561,606 |
| ANTON AIRFOOD | AIR000374 | 551,170 | - | - | 551,170 |
| BF FOODS LLC | AIR002232 | 37,710 | 243,552 | 262,691 | 543,953 |
| SEATTLE CHOCOLATES COMPANY LLC | AIR002093 | 248,752 | 84,713 | 110,046 | 443,512 |
| E-Z RENT-A-CAR | AIR001439 | 360,823 | 25,798 | - | 386,621 |
| SEATTLE AIR VENTURES JV | AIR002355 | 207,880 | 97,552 | 69,364 | 374,796 |
| ALCLEAR, LLC | AIR002634 | - | - | 374,453 | 374,453 |
| TERMINAL GETAWAY SPA SEATTLE, LLC | AIR002095 | 272,051 | 38,309 | 47,894 | 358,255 |
| SUNS INC | AIR002054 | 197,069 | 45,359 | 55,260 | 297,689 |
| WBB C.I. CREWS, LLC | AIR002468 | - | 118,791 | 178,273 | 297,064 |
| SUB POP RECORDS | AIR001816 | 188,922 | 58,637 | 45,773 | 293,332 |
| EX OFFICIO LLC | AIR000580 | 274,446 | - | - | 274,446 |
| AIRPORT MANAGEMENT SERVICES LLC | AIR002430 | 179,625 | 62,912 | 25,017 | 267,553 |

*Actuals through 8/31/2021

Slide 41: Appendix C - Lease/Concession Risk Universe (continued)

Low Risk (continued):

| Name | Contract | 2019 | 2020 | 2021* | Total |
| --- | --- | --- | --- | --- | --- |
| TASTE INC dba VINO VOLO | AIR000839 | 248,894 | - | - | 248,894 |
| MAREL SEATTLE INC | SEA001010 | 150,000 | 93,852 | - | 243,852 |
| LADY YUM LLC | AIR002331 | 156,109 | 35,826 | - | 191,936 |
| SILVERCAR, INC | AIR002203 | 145,626 | 36,691 | - | 182,316 |
| MSM CORPORATION | SEA002783 | 64,765 | 66,425 | 39,366 | 170,557 |
| BILL & NICK INCORPORATED | SEA000016 | 72,879 | 55,253 | 37,312 | 165,444 |
| PUBLICANS, INC | SEA002494 | 63,880 | 56,967 | 39,598 | 160,445 |
| PLANEWEAR LLC | AIR001971 | 115,744 | 38,404 | - | 154,148 |
| LATRELLES EXPRESS INC | AIR002287 | 134,348 | - | - | 134,348 |
| SECURITY POINT MEDIA, LLC | AIR002437 | 125,312 | - | - | 125,312 |
| BF FOODS LLC | AIR002491 | 44,210 | 80,738 | - | 124,949 |
| LADY YUM LLC | AIR002467 | - | 40,993 | 80,320 | 121,312 |
| AIRPORT MANAGEMENT SERVICES LLC | AIR000437 | 93,229 | 9,955 | - | 103,184 |
| SHILSHOLE BAY FUEL DOCK | SEA002355 | 38,617 | 38,592 | 25,728 | 102,936 |
| PLANEWEAR LLC | AIR002372 | - | 14,213 | 74,901 | 89,114 |
| SMARTE CARTE INC | AIR002097 | 72,748 | 8,643 | 2,631 | 84,022 |
| AIRPORT MANAGEMENT SERVICES LLC | AIR001773 | 73,470 | 6,914 | - | 80,384 |
| CHALO LLC | AIR002270 | 45,707 | 18,749 | 14,642 | 79,098 |
| SMARTE CARTE INC | AIR002588 | - | - | 77,294 | 77,294 |
| GLASSYBABY LLC | AIR002123 | 71,905 | - | - | 71,905 |
| GUNWOO & JINAH INC | SEA003337 | - | 37,868 | 32,767 | 70,634 |
| UNITED INDIANS OF ALL TRIBES FOUNDATION | AIR002387 | 30,962 | 18,086 | 19,292 | 68,341 |
| SHARA LLC DBA SHOW PONY | AIR002330 | 42,027 | 10,296 | 6,348 | 58,670 |
| CAFE PACIFIC CATERING, INC | AIR002124 | 50,537 | 7,011 | 205 | 57,753 |
| CERTIFIED FOLDER DISPLAY SERVICE INC | AIR001641 | 31,854 | 17,462 | 1,000 | 50,315 |
| CONCOURSE CONCESSIONS LLC | AIR002545 | - | 2,361 | 46,353 | 48,715 |
| BF FOODS LLC | AIR002393 | 46,038 | - | - | 46,038 |
| ME & MOM'S HATS DBA SEATTLE HAT$ | AIR002141 | 36,796 | 9,107 | - | 45,903 |
| MARMOT MOUNTAIN LLC DBA EXOFFICIO | AIR002364 | - | 37,319 | - | 37,319 |
| REPUBLIC PARKING NORTHWEST INC | SEA000424 | 16,472 | 15,572 | 1,393 | 33,437 |
| DILETTANTE CHOCOLATES INC | AIR001657 | 31,403 | - | - | 31,403 |

*Actuals through 8/31/2021

Slide 42: Appendix C - Lease/Concession Risk Universe (continued)

Low Risk (continued):

| Name | Contract | 2019 | 2020 | 2021* | Total |
| --- | --- | --- | --- | --- | --- |
| DELTA AIR LINES INC | AIR002309 | 16,981 | 6,260 | 6,738 | 29,979 |
| HAN EUN CORPORATION | SEA002621 | 24,877 | - | - | 24,877 |
| ALASKA AIRLINES INC | AIR002299 | 13,344 | 4,304 | 6,777 | 24,426 |
| MAC-GRAY SERVICES | SEA002097 | 13,899 | 9,513 | - | 23,413 |
| ASANDA AIR II LLC | AIR002409 | 17,218 | - | - | 17,218 |
| BF FOODS LLC | AIR002375 | 17,115 | - | - | 17,115 |
| AMERICAN EXPRESS TRAVEL | AIR001877 | 8,715 | 1,703 | 2,003 | 12,420 |
| PALLINO SEATAC LLC | AIR002283 | 12,395 | - | - | 12,395 |
| WINGZ, INC | AIR002020 | 8,916 | 2,376 | - | 11,292 |
| LUCKY SHOE SHINE LLC | AIR002466 | 3,836 | 3,555 | 3,712 | 11,103 |
| US BANK | AIR001505 | - | 10,525 | - | 10,525 |
| CONCOURSE CONCESSIONS LLC | AIR002374 | 10,069 | - | - | 10,069 |
| LUCKY SHOE SHINE LLC | AIR001888 | 9,617 | - | - | 9,617 |
| SSP AMERICA SEA LLC | AIR002370 | - | 9,017 | - | 9,017 |
| CLIPPER FERRY SERVICES INC | SEA003017 | 8,342 | - | - | 8,342 |
| TRICOPIAN DBA FUELROD | AIR002469 | 17 | 4,259 | 3,338 | 7,614 |
| CLEAN ENERGY FUELS CORP | AIR001655 | 4,114 | 1,970 | 987 | 7,071 |
| SSP AMERICA SEA LLC | AIR002369 | - | 6,635 | - | 6,635 |
| AIRPORT MANAGEMENT SERVICES LLC | AIR002284 | 6,600 | - | - | 6,600 |
| UNITED AIRLINES | AIR002327 | 4,886 | 602 | - | 5,487 |
| MASSAGE BAR | AIR002286 | 5,283 | - | - | 5,283 |
| FIREWORKS | AIR001644 | 4,737 | - | - | 4,737 |
| GLOBAL CONCESSIONS GROUP LLC | AIR002632 | - | - | 2,533 | 2,533 |
| MAC-GRAY SERVICES | SEA001479 | 1,446 | 946 | 82 | 2,474 |
| AIRPORT MANAGEMENT SERVICES LLC | AIR002529 | - | 1,363 | 1,003 | 2,367 |
| PLANEWEAR LLC | AIR002501 | 172 | 703 | 1,346 | 2,220 |
| WINGZ, INC | AIR002580 | - | - | 1,361 | 1,361 |
| ZEEBA WA, LLC DBA ZEEBA RENT-A-VAN | AIR002226 | 1,004 | - | - | 1,004 |
| FLY BABY LLC DBA LIGHTLY | AIR002572 | - | - | 11 | 11 |
| Total | | $16,227,915 | $6,142,866 | $7,106,666 | $29,477,447 |

*Actuals through 8/31/2021

Slide 43: Appendix D - Aging of Outstanding Issues as of December 9, 2021

Operational, Capital, Information Technology, and Limited Contract Compliance Audits

| Type | Audit / Description | Rating | Report Date | Target Date | Days Outstanding (from Report Date) | Months/Years Outstanding (from Report Date) | Days Outstanding (from Target Date) | Months/Years Outstanding (from Target Date) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Operational Audit | Fishing & Commercial Operations Maritime Manual Billing Process at risk of error | High | 2/23/2018 | 12/31/2021 | 1,385 | More than 2 years | -22 | Not Due |
| IT Audit | AV/M Facility & Infrastructure Data Centers Physical Access to Facilities | High | 12/4/2018 | No date supplied | 1,101 | More than 2 years | N/A | N/A |
| IT Audit | AV/M Facility & Infrastructure Data Centers Protection against environmental factors | High | 12/4/2018 | No date supplied | 1,101 | More than 2 years | N/A | N/A |
| Operational Audit | Marine Maintenance Shop Keys and badges tracking | High | 6/14/2019 | 12/31/2023 | 909 | More than 2 years | -752 | Not Due |
| IT Audit | HIPAA Security Security Sensitive | High | 9/4/2019 | 7/31/2020 | 827 | More than 2 years | 496 | 1-2 years |
| IT Audit | HIPAA Security Security Sensitive | High | 9/4/2019 | 7/31/2020 | 827 | More than 2 years | 496 | 1-2 years |
| Operational Audit | Architecture & Engineering Fair and reasonable rate determination | High | 12/9/2019 | 6/30/2020 | 731 | More than 2 years | 527 | 1-2 years |
| Operational Audit | Architecture & Engineering Management review over max rates | High | 12/9/2019 | 6/30/2020 | 731 | More than 2 years | 527 | 1-2 years |
| Operational Audit | Architecture & Engineering Contract rate accuracy | High | 12/9/2019 | 6/30/2020 | 731 | More than 2 years | 527 | 1-2 years |
| Operational Audit | Ground Transportation - Taxicabs Reconciliation process | High | 12/1/2020 | 12/31/2021 | 373 | 1-2 years | -22 | Not Due |
| IT Audit | Continuous Vulnerability Management Security Sensitive | High | 11/29/2021 | 12/31/2022 | 10 | 0-6 months | -387 | Not Due |
| IT Audit | Continuous Vulnerability Management Security Sensitive | High | 11/29/2021 | 12/31/2022 | 10 | 0-6 months | -387 | Not Due |
| IT Audit | Continuous Vulnerability Management Security Sensitive | High | 11/29/2021 | 12/31/2022 | 10 | 0-6 months | -387 | Not Due |
| IT Audit | Disaster Recovery Capabilities Security Sensitive | Medium | 11/29/2017 | No date supplied | 1,471 | More than 2 years | N/A | N/A |
| IT Audit | AV/M Facility & Infrastructure Data Centers Physical Facilities | | | | | | | |
Management Medium 12/4/2018 No date supplied 1,101 More than 2 years N/A N/A IT Audit Security of Personal Identifiable Information Security Sensitive Medium 2/26/2019 12/31/2019 1,017 More than 2 years 709 1-2 years IT Audit Security of Personal Identifiable Information Security Sensitive Medium 2/26/2019 3/31/2020 1,017 More than 2 years 618 1-2 years IT Audit HIPAA Security Security Sensitive Medium 9/4/2019 7/31/2020 827 More than 2 years 496 1-2 years IT Audit HIPAA Security Security Sensitive Medium 9/4/2019 7/31/2020 827 More than 2 years 496 1-2 years IT Audit Closed Network Systems Security Security Sensitive Medium 9/5/2019 6/30/2020 826 More than 2 years 527 1-2 years IT Audit Inventory and Control of Hardware Assets Security Sensitive Medium 11/12/2019 6/30/2023 758 More than 2 years -568 Not Due Operational Audit Architecture & Engineering Governance Medium 12/9/2019 6/30/2020 731 More than 2 years 527 1-2 years IT Audit Network Password Management Security Sensitive Medium 3/20/2020 9/30/2020 629 1-2 years 435 1-2 years IT Audit Network Password Management Security Sensitive Medium 3/20/2020 12/31/2020 629 1-2 years 343 6-12 months IT Audit Network Password Management Security Sensitive Medium 3/20/2020 12/31/2021 629 1-2 years -22 Not Due IT Audit Secure Configuration for Hardware and Software on Mobile Devices, Security Sensitive Medium 8/21/2020 12/31/2021 475 1-2 years -22 Not Due Laptops, Workstations and Servers IT Audit Secure Configuration for Hardware and Software on Mobile Devices, Security Sensitive Medium 8/21/2020 12/31/2021 475 1-2 years -22 Not Due Laptops, Workstations and Servers Lease and Concession Audit Concourse Concessions, LLC RE-2 policy review Medium 9/10/2020 12/31/2020 455 1-2 years 343 6-12 months IT Audit Inventory and Control of Software Assets Security Sensitive Medium 11/24/2020 12/31/2021 380 1-2 years -22 Not Due IT Audit Inventory and Control of Software Assets Security Sensitive Medium 11/24/2020 12/31/2021 380 1-2 
years -22 Not Due IT Audit Inventory and Control of Software Assets Security Sensitive Medium 11/24/2020 12/31/2021 380 1-2 years -22 Not Due IT Audit Malware Defenses - Aviation Maintenance Security Sensitive Medium 3/17/2021 12/31/2022 267 6-12 months -387 Not Due IT Audit Continuous Vulnerability Management Security Sensitive Medium 11/29/2021 6/30/2022 10 0-6 months -203 Not Due IT Audit Data Recovery Security Sensitive Medium 11/29/2021 4/30/2022 10 0-6 months -142 Not Due Operational Audit TNCs (Lyft, Inc. & Rasier, LLC) Additional research on variances Low 8/26/2021 10/31/2021 105 0-6 months 39 0-6 months Operational Audit Capitalization of Assets Enhancing internal controls Low 11/24/2021 3/31/2022 15 0-6 months -112 Not Due IT Audit Continuous Vulnerability Management Security Sensitive Low 11/29/2021 12/31/2022 10 0-6 months -387 Not Due 43