1. Presentation
Financial Stewardship Accountability Transparency Port of Seattle Audit Committee Internal Audit Update Glenn Fernandes - Director, Internal Audit April 7, 2022 Remote Meeting 2:30 PM 4:30 PM Operational Excellence Governance Internal Audit Organization Structure [Note: In addition, there is one vacant, Senior Internal Auditor position that is deferred to the 2023 budget.] 2 Auditing Standards 3 Internal Audit Director's Annual Communication Annual communication required by the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing (IIA Standards) on: Organizational Independence Internal Audit Charter Quality Assurance and Improvement Program Open Issue Follow-up and Monitoring Process 4 Independence Requirement IIA Standard 1110 requires annual confirmation of organizational independence. Internal Audit Department (IA) continues to maintain organizational independence by reporting functionally to the Audit Committee and administratively to the Executive Director. 5 Quality Assurance Requirement IIA Standard 1310, 1311, and 1312 require both an internal and external quality assurance and improvement program. External assessments (Peer Reviews) need to occur at least every five years. Generally Accepted Government Auditing Standards (GAGAS)/Government Accountability Office (GAO) require an external peer review every three years. Most recently, in December 2018, an external peer review was conducted by the Association of Local Government Auditors (ALGA). Currently, we are in the process of scheduling the ALGA external peer review for later this year. IA's annual self-assessment was last performed in August 2021. Reviewed IA's written polices and procedures (IA Handbook); internal monitoring procedures; a sample of audit engagements and workpapers; and interviewed management and staff on the IA Handbook. Assessment concluded that IA's internal quality control system was suitably designed and operating effectively to provide a reasonable assurance of compliance with GAGAS and IIA Standards. It offered some enhancement opportunities. 6 Open Issue Status Aging Report as of April 7, 2022 1. Fourteen issues outstanding for over one year from the Target Date consist of: Concourse Concessions LLC (1) - Port RE-2 Policy Review Need/Surety Amount Inconsistency: SEA intended to perform a complete analysis on the ADR lease requirements, with the participation by core departments (AV Commercial Management, Legal, Finance & Budget, and AFR); however, this effort has been on hold due to priorities such as tenant economic relief programs. A more definitive timeline for completion will be established by management. Architecture & Engineering (4) - Fair and Reasonable Rate Determination; Management Review Over Max Rates; Contract Rate Accuracy; and Governance: A lean project to evaluate the rate negotiation process was scheduled for Q1, 2022. Resource constraints has made it challenging to resolve the audit issues. A Governance team has been selected; meetings to begin in 2022. Information Technology Audits (9) (Security Sensitive) - Exempt from Public Disclosure per RCW 42.56.420 Issues Not Discussed in Public Session. They are: Security of Personal Identifiable Information (2), HIPAA Security (4), Closed Network System Security (1), and Network Password Management (2). 2. Four Information Technology issues do not have Target Dates and are not included in this chart. These issues are in the process of being addressed, however, they are more than two years past the Report Date: Disaster Recovery Capability (1), and Aviation Maintenance and Facilities & Infrastructure Data Centers (3). See Appendix D for a detailed listing of outstanding issues aging as of April 7, 2022. 7 Approved 2022 Audit Plan Limited Contract Compliance Operational Information Technology In-Ter-Space Services, Inc. DBA Payroll Controls T2 Airport Garage Parking System Clear Channel Airports Emergency Procurement Replacement1 Avis Budget Car Rental Federal Grant Administration (CRRSA & Account Management (ICT) The Hertz Corporation ARP) Account Management (Aviation Community & Sustainability Initiatives Maintenance) Audit Log Management (ICT) Capital Audit Log Management (Aviation International Arrivals Facility (IAF) Maintenance) Interim Westside Fire Station Security Incident Response North Satellite (NSAT) Renovation & Management (ICT) Expansion Closeout Security Incident Response South Satellite (SSAT) High Voltage AC Management (Aviation Maintenance) Infrastructure Upgrade Post IAF Airline Realignment2 C-1 Building Expansion Construction Phase2 Main Terminal Low Voltage2 1. Moved to 2022 audit plan; approved at 6/28/2019 Audit Committee meeting. 2. RCW 39.10.385 requires an independent auditor to perform an audit of subcontractor changes to the Port on GCCM projects, where the subcontractor was selected through an alternative selection process. This audit work will be performed by external, contractor auditors under Internal Audit's supervision, and will be an ongoing, multi-year project through an IDIQ contract. 8 2022 AUDIT PLAN STATUS Audit Title Type Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec ACH Payment Fraud1 Operational Emergency Procurement Operational Payroll Controls Operational Federal Grant Administration (CRRSA & ARP) Operational Community & Sustainability Initiatives Operational Interim Westside Fire Station Operational - Capital North Satellite (NSAT) Renovation & Expansion Closeout Operational - Capital South Satellite (SSAT) High Voltage AC Infrastructure Upgrade Operational - Capital International Arrivals Facility (IAF) Operational - Capital Post IAF Airline Realignment2 Operational - Capital C-1 Building Expansion Construction Phase2 Operational - Capital Main Terminal Low Voltage2 Operational - Capital Account Management (ICT) IT Account Management (Aviation Maintenance) IT Audit Log Management (Aviation Maintenance) IT Security Incident Response Management (ICT) IT Security Incident Response Management (Aviation Maintenance) IT T2 Airport Garage Parking System Replacement 3 IT Audit Log Management (ICT) IT The Hertz Corporation Contract Compliance In-Ter-Space Services, Inc. dba Clear Channel Airports Contract Compliance Avis Budget Car Rental Contract Compliance Complete KEY In Process Not Started 1. This audit was added as part of the Port's action to mitigate emerging fraud risk. 2. RCW 39.10.385 requires an independent auditor to perform an audit of subcontractor changes to the Port on GCCM projects, where the subcontractor was selected through an alternative selection process. This audit work will be performed by external, contractor auditors under Internal Audit's supervision, and will be an ongoing, multi-year project through an IDIQ contract. 3. Due to implementation delays, this audit was deferred to the 2022 Audit Plan. 9 Audits Completed in the First Quarter, 2022 1) ACH Payment Fraud 2) Interim Westside Fire Station 3) Account Management (ICT)* 4) Account Management (Aviation Maintenance)* * Security Sensitive Exempt from Public Disclosure per RCW 42.56.420 Report Not Discussed in Public Session. 10 ACH Payment Fraud Internal Audit (IA) completed a targeted audit of the processes that contributed to eight payments totaling $572,682.79, being wired into fraudulent bank accounts. The payments were for the Port of Seattle's (Port's) Opportunity Youth Initiative and were intended for the Seattle Parks Foundation (Seattle Parks) and the Urban League of Metropolitan Seattle (Urban League). The purpose of the audit was to identify the control breakdowns that allowed the fraud to occur and to recommend ways to reduce the likelihood of future misappropriations. The criminal aspect of this case was handed off to the Port Police for their continuing investigation. 11 Fraud Overview Seattle Parks Foundation Urban League Falisha Kurji Coordinator Latonya Stuckey, A/P Specialist Email compromised Email compromised o Funds wired to fraudulent accounts o Funds wired to fraudulent accounts $184,675.02 ($48,997.39 returned) $388,007.38 Spoofed Domain names copied and used as Spoofed Domain names copied and used as bait: bait: Michelle@SeattlePraksFoundation.org mcamara@urbanIeague.org ("Parks" changed to "Praks") jdelapena@urbanIeague.org Michelle Benetua Director of Strategic alawton@urbanIeague.org Partnerships and Programs (lower case "l" changed to upper case "I") 12 Millions in illegal profits dering An email account is Multiple transfers are made compromised through Social engineering fraud involving foreign banks/ malware, employee The victim is manipulated into providing instititions intrusion, etc. :TCUHELEaUR ER #-ECareful 13 58 Users AFR Core Services (three employees): = Manager = Records Management Specialist Procedure failure/not Be = Administrative Professional occurring as intended. Procedure requires Be Add/Modify Vendor staff to validate - Information; including Approve Vendor Changes changes before approving banking information "Be Denied Approved / (UEYTTS No validation of information notified of Changes live in denial Peoplesoft 14 1) Rating: High Internal controls to validate changes to supplier information, including banking information, were not functioning as intended. Supervisory oversight needed improvement for this critical role. The Administrative Professional tasked with approving these changes was not performing the appropriate verification of changes, as required. When documented processes are not followed or enforced, internal controls typically do not operate as intended and the likelihood of fraud and errors increase. Policy AC-18 needed to be updated to align to current practices. The established segregation of duties, are an important control. However, both the individual inputting the data and the individual approving the data, need to do their respective jobs correctly. 15 Recommendations 1. We recommend AFR management develop an oversight function to identify, when critical requirements, such as confirming bank account changes, have not been performed. We also suggest that management update any policies that are no longer followed. 2. To aid in authenticating bank information, AFR management should consider investing in a software service that assists in bank verification by providing account holder name, bank name, account holder tax ID number, etc. This vital information will provide the verifier at the Port, the appropriate tools to authenticate changes and additions to bank account information. 16 2) Rating: High Procedures to confirm the authenticity of supplier requested bank account changes were not placed at the appropriate level. A contributing factor to the fraud was excessive reliance placed on less experienced staff, which allowed them to perform a critical review. The skills required to perform this essential review did not align with the individual's position within the organization. An Administrative Professional had the responsibility to validate and approve supplier requests for all bank accounts changes. 1/1/2021 1/24/2022 - Port Administrative Professional approved 216 changes and a Record Management Specialist approved 47 changes. Additionally, according to Human Resource records, the individual had not attended the Port's required Information Security Awareness training in both calendar years, 2020 and 2021. 17 Recommendations 1. We recommend assigning the approver validation function to an individual with the appropriate skillset, background, and knowledge. This individual should also receive the appropriate training on a regular basis as a requirement of their job. 18 3) Rating: High Fifty-eight Port of Seattle employees had the ability to add and modify supplier information, including sensitive banking information, although these changes do not go live in PeopleSoft until the AFR Core Services Team approves them. Adequate controls did not exist to assure that supplier information, including banking and contact information, was entered accurately, consistently, and correctly. Additionally, with the high number of users, the risk of internal fraud increases, because an employee could change bank account data, putting the onus on one individual to approve these changes. A critical piece of information is contact phone number, which is essential, so sensitive information, such as a change to banking account data, can be verified; however, this was not a required field in PeopleSoft. Most of the changes did not have phone numbers entered and only a few had email addresses entered. A lack of information makes validating the authenticity of the request more difficult. Per the AC-18 Supplier Management Policy and Procedures, if a supplier requests a change using email, staff validates the authenticity of the request via a phone call, using the contact information in the supplier module. Conversely, if the request is made via phone call, it is validated through email. 19 Recommendations 1. We recommend reducing the number of individuals, who have system access to request additions or modifications to supplier information. We also recommend structuring the supplier module of the PeopleSoft system, so that certain fields are required to be entered (supplier phone number/email address), either via system controls, if possible, or else via policy. 20 4) Rating: High Detective controls to identify fraudulent activity and payments did not exist. Instead, the Port was only notified of the fraud by the client, approximately two months after the fact. Some detective controls existed within the ACH payment process, including: Senior Disbursements Manager's daily review of the Accounts Payable journal against payments. Monthly bank reconciliation that agrees payment details. Review of the Wells Fargo report that identifies remittance irregularities, such as the supplier's bank account cancellation. However, these controls do not necessarily detect fraud. If fraud detection controls had existed, management could have identified the breakdown earlier. Instead, both fraud instances were only identified when the suppliers alerted the Port, about 60 days after the initial ACH payments to the fraudsters. 21 Recommendations We recommend implementing general detective controls based on best practices, to detect abnormalities with banking/ACH information changes, these might include: 1. Sending a confirmation notification of any changes to the supplier. This would include banking changes and address changes; if an address changes, it should go to both the old and new addresses. 2. Implementing a management review/sign-off of paperwork/validations for all banking/ACH information changes, utilizing a system generated exception report, to determine if they have met expectations. 3. Monitoring daily ACH payment activity details for abnormalities and timely corrective action, using a fraud focus. 22 Re: [EXTERNAL] P-00320769 - SPF Invoice and Report August 2021 oMichelle BenetuaTo Smith, Peter; Muller, Gail; @ Beasley, ve Zaman,Bushra Cc falisha@seattleparksfoundation.org > ~ Spoofed Domain Name ~~ Hi Peter, _ Compromised Email The details we use last week can't receive payment for now that's why payment was returned. . ~~ You can use the ACH detail below for tomorrow and all future payment. ACH PAYMENT ONLY TS : Bank Name : Dollar Bank P Poor Grammar Account Number :[llllloo14 _ Routing Number : 243074385 rd ~~ A Kindly confirm details are well receive, we will keep you posted once we receive funds on Friday. Thanks. 23 Would a bank send you such a letter for Urban League of Metropolitan Seattle a bank account RE: BANK VERIFICATION change? hs letter certify that Urban League of Metropolitan Seattle owns | the Following with Citi Bank. BANK NAME: Citi Bank ROUTING NUMBER: 271070801 ACCOUNT NUMBER: IE 1236 A ADDRESS: 3535 N. Central Ave Chicago, IL 60634 This letter is not to be quoted r 1 to without the bank's | ~ . The bank has noduty and Poor grammar II no responsibility to updatcor ||| the or "set forthin this letter. TT Citibank will only prepare this document upon I" TT Citibank should Sincerely, Client Service Officer be one word Darren Rochrich \ (misspelled). A This paragraph would not be typical in a request to change banking information. Signature does not say Darren Roehrich and is typed below Darren's name. 24 5) Rating: Medium The methodology to assure that vulnerable employees received required training was not functioning effectively. Our review of training records indicated that, of the seven Port employees who either directly or indirectly received the fraudulent emails, only two had completed the Port's mandatory Information Security Awareness training in 2021. Additionally, Port-wide, only 51 percent or 1,036 of the 2,041 employees had completed the annual training. In 2021, the Port required all employees to complete security awareness training (ICT Information Security Awareness Learning Needs). Every employee initially received the training upon hire, thereafter employees were required to complete annual refresher training. Training topics covered: General Phishing Spear Phishing Business Email Compromise (BEC) Scams Insider Threats 25 Recommendations 1. We recommend that all Port employees (and contractors) that are involved in the process of creating, modifying, or requesting changes to supplier banking information, receive additional focused training on cybersecurity and the risks related to Business Email Compromise scams twice per year. If training is not taken, we recommend that user access be disabled until completed. 2. We also recommend that all employees (and contractors) that use a Port computer or have a Port email account, be required to complete the existing Security Awareness Training, and we recommend developing a system to assure that individuals complete such training by the due date. 26 Management Response Issue 1 Recommendations: We agree. Management oversight has been strengthened to ensure that compliance with existing protocols is well documented for all critical validations such as bank account changes. The documentation is stored centrally and reviewed regularly. Extract reports from the Supplier data files are also generated weekly for manager review, including the comments section that documents the validation steps taken for completeness. DUE DATE: Completed Policy updates will be made including for any new protocols implemented. DUE DATE: In-progress, 5/31/2022 A bank account verification service solution is being reviewed with demos already provided by two potential providers. Such a service would augment, not replace, current validation control protocols in place. DUE DATE: 4/30/2022 (Vendor selection) Management will discuss in detail. (Full response in Audit Report No. 2022-01) 27 Management Response Issue 2 Recommendations: We agree in part. We agree that key to any team or individuals performing work effectively is adherence to clearly established policy and procedures, which does exist at the Port, and having the necessary skill sets along with ongoing training. Administrative Professionals at the Port prove themselves to be a very capable and valuable resource. The refinements pursued should not preclude opportunities for and the ability to leverage the talents of Administrative Professionals, by reference to their position or capabilities in the Port organization. Ongoing training and enhanced oversight, as recommended, would support success in this arena. DUE DATE: Completed Management will discuss in detail. (Full response in Audit Report No. 2022-01) 28 Management Response Issue 3 Recommendations: We agree. A controls centric LEAN process improvement project was immediately initiated. This involved the Central Procurement Office and Accounting & Financial Reporting Department, facilitated by the Office of Strategic Initiatives (OSI) certified LEAN specialists. The team identified and is continuing to implement several enhancements, two of which parallel the recommendations. Changes have been instituted to the ACH bank account request initiation and verification process. It refines this function to a small, centralized team of about four or five charged with this responsibility. The team includes the manager and lead of the AFR accounts payable operations who make direct contact with the Supplier and then enter and initiate the requests. The requests continue to be administered by the manager and team of the AFR core services operations to independently validate and approve or deny requested additions and changes. The work is performed in conformance with established protocol, is monitored, and will be augmented with ongoing training. DUE DATE: Completed 29 Management Response Issue 3 (continued) Changes have been implemented to make the collection of key Supplier information a requirement and at an early point during the procurement process. The objective is that any requests to setup or change Supplier information cannot be initiated unless the required information is obtained and entered to initiate the request process. The substance of this control was implemented earlier on first through procedural controls where requests not containing the required data is denied and returned to the requester. A PeopleSoft Financials system modification that automates the inability to submit and initiate requests if the required Supplier information is not entered in the data fields online, has since been programmed. Testing was completed and this systemdriven control has been timely implemented. This action strengthens controls to assure completeness in the Supplier data files for key information. DUE DATE: Completed Management will discuss in detail. (Full response in Audit Report No. 2022-01) 30 Management Response Issue 4 Recommendations: We agree, with clarification as provided below. Although a primary focus continues to be enhancements to strengthen preventative controls, we acknowledge benefits to implementing effective detective controls as well. We look forward to working with Internal Audit to explore any such measures that would offer a reliable protocol to detect fraud. We explored sending a system generated notification triggered by any changes made to the Supplier company. While this is possible to do, this potential detective control relies on Suppliers to be diligent to read their email and, most importantly, reply back to the Port. Bank account pre-noting which auto-generates and sends an email notification to Suppliers is also dependent on replies back to serve as effective detective controls. DUE DATE: Under review, 4/30/2022 (Decision) An exception report has been implemented to enhance visibility and management oversight. A central SharePoint library is used to store the documented efforts involving the administration and independent validation of requested additions or changes to Supplier banking information. DUE DATE: Completed 31 Management Response Issue 4 (continued) Daily review of bank statement activity, investigating and resolving ACH returns, and pre-review of ACH payments pending release will continue, to assure timely attention for corrective action along with an enhanced fraud focus. DUE DATE: Completed Management will discuss in detail. (Full response in Audit Report No. 2022-01) 32 Management Response Issue 5 Recommendations: We agree. After technical issues with the updated Learning Management System (LMS) tool at the Port of Seattle are resolved through the Human Resources (HR) Department, we expect to see a more accurate listing of individuals who have received annual awareness refresher training. In addition, the Port has recently invested in a more robust cyber awareness training solution through the Information Security Department aimed at user behavior patterns which concentrates training in the areas most needed. The Information Security Department is also currently developing an internal process to monitor and track awareness training based on data from the new training platform. DUE DATE: In-progress, 6/30/2022 Since this incident, Information Security has conducted advanced training for all teams in the Accounting & Financial Reporting (AFR) Department at their request, which was focused on Business Email Compromises. Similar training is scheduled for all teams in the Central Procurement Office (CPO) including CPO-Purchasing, CPO-Construction, and CPO-Service Agreements. DUE DATE: Completed, March 2022 & Ongoing training throughout the year 33 Management Response Issue 5 (continued) Information Security will continue to offer its monthly cyber awareness seminars, routine messaging, and special learning events to ensure a Port-wide content awareness campaign. This is in addition to the department's Port intra-net site hosted resources aimed at broadly educating Port staff. Information Security will continue to conduct Phishing exercises, including one recently conducted among 2,244 Port email recipients which has broadened awareness throughout the organization. DUE DATE: Ongoing training throughout the year Management will discuss in detail. (Full response in Audit Report No. 2022-01) 34 Interim Westside Fire Station Project (IWFS) The building is a stand-alone, fully functional fire station on the west side of the airfield to meet Federal Aviation Administration (FAA) mandated airfield firefighting requirements. This new fire station will provide necessary accommodations to house five firefighters and two Aircraft Rescue Fire Fighting (ARFF) vehicles for 24/7/365 operations. Originally approved as a modular building, using the design-bid-build project delivery method with a total project cost of $5.5 million. Date Action Amount ($) May 2019 Stand-alone building approval 5,500,000 October 2019 Budget increase 3,679,000 February 2021 Budget increase 609,000 September 2021 Budget increase 300,000 Total 10,088,000 35 Interim Westside Fire Station Project (continued) In May 2019, the project delivery method was changed to Design-Build as a stand-alone building. Approximately $850,000 was spent prior to the change. Macro-Z-Technologies (MZT) was awarded the contract on October 31, 2019, for $4.95 million. With approval of additional days during the Project, Substantial Completion was scheduled to occur on April 23, 2021. With approved change orders, the construction contract, with MZT, now stands at $5.6 million. Total Project costs to date, including Port soft costs, is $9,010,000. The Project is 11 months behind schedule and Substantial Completion has not yet been achieved. 36 1) Rating: Medium The Contractor did not complete the Project by the Substantial Completion date, resulting in a delay of use of the fire station. On two occasions, the Projects Construction Management (CM) team issued Letters of Forbearance (LOFs). These letters provided MZT an opportunity to meet Substantial Completion without the Port assessing Liquidated Damages (LD). MZT did not respond to either letter. On March 4, 2022, the Port issued a letter to MZT and its surety that MZT was in material breach of the contract. Estimated liquidated damages to date is $683,000. The Port has withheld $300,000 to cover potential liquidated damages. Internal Audit estimates the Port would incur approximately $203,000 in additional inspector costs that were not included in the LD calculation and that it would not be able to assess. 37 Recommendations Upon completion of the Project, Port management should calculate and pursue liquidated damages from the Contractor. Port management should consider contractor performance in future solicitations. 38 2) Rating: Medium The Port was potentially overbilled approximately $106,983 out of $140,942 in COVID-19 Not-to-Exceed change orders. Payment for COVID- 19 related expenses were approved prior to receiving accurate and complete supporting documentation from the Contractor. The intent of this change order was to reimburse MZT for additional costs that would be incurred in order to meet Port's COVID-19 safety requirements beyond State mandated ones. Errors were primarily due to MZT billing when employees were not on-site, and lack of supporting documentation for billed costs. The documentation that the Port relies on was not always accurate. Opportunity exists for Port management to improve the change order review process, and seek and recover any amount due to the Port. 39 Issue 2: COVID-19 Change Order (continued) Questioned Costs ($) Issue Includes 20% Markup The Port was billed for 12 days when a Supervisor was not onsite. $10,467 One instance where a Supervisor was onsite for six hours but billed eight hours. From September 2020 through February 2021: 87,362 One Supervisor was assigned dual duties, not meeting the requirement for a full-time, COVID-19 Supervisor. Internal Audit was not provided documentation to determine the number of daily hours that differentiated between his Supervisory duties and his regular duties. One Supervisor where Internal Audit was not provided documentation, as requested, to verify the hours billed. Six instances where the Daily Force Account Field Documents were submitted that included the Supervisor's time, although the Supervisor was not on site. MZT did not submit Daily Force Account Field Documents for five days. One full-time Supervisor was billed at $89 per hour instead of their actual rate of $52 per hour per change order terms. 8,568 The Port's Resident Engineer (RE) recommended that MZT be paid $586 without requiring the supporting documentation from MZT. 586 MZT did not submit Daily COVID-19 written reports of activities, as required. The Port paid $900 for handwashing stations and disinfection costs even though MZT did not submit receipts, as required. Internal Audit was unable to substantiate the actual costs that MZT incurred. MZT did not submit actual invoices for subcontractor costs as required by the change order and requested by the Port's RE. The RE created an estimate of costs, however, Internal Audit was unable to substantiate the actual costs of the $20,942 billed to and paid by the Port. Total Questioned Costs: $106,983 40 Recommendations Port personnel should require contractors to submit all required supporting documentation related to change orders prior to approving payments. Additionally, given that we have encountered similar results in previous audits where contractors have inaccurately reported labor hours on Daily Force Account Field Documents, we recommend that the Construction Management (CM) Standard Operating Procedures be updated to require contractors submit payroll reports as additional supporting documentation. CM should seek and recover any amount due to the Port from the overbilling. 41 Management Response Issue 1 Liquidated Damages Management agrees that liquidated damages should be imposed for unexcused days. The team fully intends to pursue liquidated damages and that has been previously conveyed to the Contractor. Future Solicitations Management agrees and currently has a process to evaluate, including contractor performance in a solicitation. The team intends to review our acquisition planning process to ensure these options are clear for our customers. DUE DATE: 12/31/22 Management will discuss in detail. (Full response in Audit Report No. 2022-04) 42 Management Response Issue 2 Force Account Requirements The Port's Engineering, Central Procurement Office and Legal departments will meet to consider modifications to the Force Account process in future contracts. Recover Any Overbillings A reconciliation change order will be issued to close out Change Order 20 based on validated actual costs incurred by the contractor, once Physical Completion is achieved. We will require the additional documentation identified by Internal Audit from the contractor as part of the validation process and deduct any amounts overpaid. DUE DATE: 12/31/22 Management will discuss in detail. (Full response in Audit Report No. 2022-04) 43 Appendix A Aging of Outstanding Issues as of April 7, 2022 44 Appendix A Aging of Outstanding Issues as of April 7, 2022 Operational, Capital, Information Technology, and Limited Contract Compliance Audits Days Outstanding Days Outstanding Type Audit Description Rating Report Date Target Date (from Report Date) (from Target Date) IT Audit AV/M Facility & Infrastructure Data Centers Security Sensitive High 12/4/2018 No date supplied 1220 N/A IT Audit AV/M Facility & Infrastructure Data Centers Security Sensitive High 12/4/2018 No date supplied 1220 N/A Operational Audit Marine Maintenance Shop Keys and badges tracking High 6/14/2019 12/31/2023 1028 -633 IT Audit HIPAA Security Security Sensitive High 9/4/2019 7/31/2020 946 615 IT Audit HIPAA Security Security Sensitive High 9/4/2019 7/31/2020 946 615 Operational Audit Architecture & Engineering Determine fair and reasonable High 12/9/2019 6/30/2020 850 646 Operational Audit Architecture & Engineering Management review over max High 12/9/2019 6/30/2020 850 646 Operational Audit Architecture & Engineering Contract accuracy High 12/9/2019 6/30/2020 850 646 IT Audit Continuous Vulnerability Management Security Sensitive High 11/29/2021 12/31/2022 129 -268 IT Audit Continuous Vulnerability Management Security Sensitive High 11/29/2021 12/31/2022 129 -268 IT Audit Continuous Vulnerability Management Security Sensitive High 11/29/2021 12/31/2022 129 -268 Operational Audit ACH Payment Fraud Changes to supplier information High 3/30/2022 5/31/2022 8 -54 Operational Audit ACH Payment Fraud Detective controls High 3/30/2022 4/30/2022 8 -23 IT Audit Disaster Recovery Capability Security Sensitive Medium 11/29/2017 No date supplied 1590 N/A IT Audit AV/M Facility & Infrastructure Data Centers Security Sensitive Medium 12/4/2018 No date supplied 1220 N/A IT Audit Security of Personal Identifiable Information Security Sensitive Medium 2/26/2019 12/31/2019 1136 828 IT Audit Security of Personal Identifiable Information Security Sensitive Medium 2/26/2019 3/31/2020 1136 737 IT Audit HIPAA Security Security Sensitive Medium 9/4/2019 7/31/2020 946 615 IT Audit HIPAA Security Security Sensitive Medium 9/4/2019 7/31/2020 946 615 IT Audit Closed Network System Security Security Sensitive Medium 9/5/2019 6/30/2020 945 646 IT Audit Inventory and Control of Hardware Assets Security Sensitive Medium 11/12/2019 6/30/2023 877 -449 Operational Audit Architecture & Engineering Governance Medium 12/9/2019 6/30/2020 850 646 IT Audit Network Password Management Security Sensitive Medium 3/20/2020 12/31/2021 748 554 IT Audit Network Password Management Security Sensitive Medium 3/20/2020 9/30/2020 748 462 IT Audit Network Password Management Security Sensitive Medium 3/20/2020 12/31/2020 748 97 IT Audit Secure Configuration for Hardware and Software on Mobile Security Sensitive Medium 8/21/2020 12/31/2021 594 97 Devices, IT Audit Secure Configuration for Hardware and Software on Mobile Security Sensitive Medium 8/21/2020 12/31/2021 594 97 Devices, Lease and Concession Audit Concourse Concessions LLC RE-2 policy review Medium 9/10/2020 12/31/2020 574 462 IT Audit Inventory and Control of Software Assets Security Sensitive Medium 11/24/2020 12/31/2021 499 97 IT Audit Inventory and Control of Software Assets Security Sensitive Medium 11/24/2020 12/31/2021 499 97 IT Audit Inventory and Control of Software Assets Security Sensitive Medium 11/24/2020 12/31/2021 499 97 IT Audit Malware Defenses - Aviation Maintenance Security Sensitive Medium 3/17/2021 12/31/2022 386 -268 IT Audit Continuous Vulnerability Management Security Sensitive Medium 11/29/2021 6/30/2022 129 -23 IT Audit Data Recovery Security Sensitive Medium 11/29/2021 4/30/2022 129 -84 IT Audit Account Management - ICT Security Sensitive Medium 3/15/2022 12/31/2022 23 -268 IT Audit Account Management - ICT Security Sensitive Medium 3/15/2022 12/31/2022 23 -268 IT Audit Account Management - ICT Security Sensitive Medium 3/15/2022 6/1/2023 23 -328 IT Audit Account Management - ICT Security Sensitive Medium 3/15/2022 3/1/2023 23 -420 IT Audit Account Management - Aviation Maintenance Security Sensitive Medium 3/22/2022 12/31/2022 16 -268 IT Audit Account Management - Aviation Maintenance Security Sensitive Medium 3/22/2022 12/31/2022 16 -268 IT Audit Account Management - Aviation Maintenance Security Sensitive Medium 3/22/2022 12/31/2022 16 -268 Capital Interim Westside Fire Station Project Liquidated Damages Medium 3/25/2022 12/31/2022 13 -268 Capital Interim Westside Fire Station Project COVID-19 Change Orders Medium 3/25/2022 12/31/2022 13 -268 Operational Audit ACH Payment Fraud Required training Medium 3/30/2022 6/30/2022 8 -84 IT Audit Continuous Vulnerability Management Security Sensitive Low 11/29/2021 12/31/2022 129 -268 45
Limitations of Translatable Documents
PDF files are created with text and images are placed at an exact position on a page of a fixed size.
Web pages are fluid in nature, and the exact positioning of PDF text creates presentation problems.
PDFs that are full page graphics, or scanned pages are generally unable to be made accessible, In these cases, viewing whatever plain text could be extracted is the only alternative.