1. Presentation
Audit Committee Presentation
Financial Stewardship Accountability Transparency Port of Seattle Audit Committee Internal Audit Update Glenn Fernandes - Director, Internal Audit June 17, 2022 Pier 69, Commission Chambers 2:00 PM – 4:00 PM Operational Excellence Governance Welcome New Public Member – Sarah Holmstrom Ms. Holmstrom is a Certified Public Accountant (CPA) with over 15 years of experience working with various federal, state, and local governmental agencies. She served as Chief Financial Officer for over ten years with two Native American organizations in Washington State. Currently, she is a Finance Leader for Amazon Web Services working in infrastructure financial planning and analysis. 2 2022 Audit Plan – Guiding Principles Professional Standards – Attestation & Advisory (Consulting) Services Generally Accepted Government Auditing Standards (GAGAS) International Professional Practices Framework (IPPF) Internal Audit (IA) responds to emerging business risks: Operational Audit of ACH Payment Fraud – Identified control breakdowns that allowed the fraud to occur, and recommended ways to reduce the likelihood of future misappropriations. IT Audits – Enterprise risk of cybersecurity has been heightened globally, and the Port is no exception. IT audits review general IT controls related to cybersecurity. Capital Project Audits – RCW 39.10.385 requires an independent audit of final cost reconciliation of any subcontractor selected through an alternative process, when the General Contractor Construction Management (GCCM) project delivery method is used. 3 Open Issue Status – Aging Report as of June 2, 2022 1. Eleven issues outstanding for over one year from the Target Date consist of: Concourse Concessions LLC (1) - Port RE-2 Policy and Surety Amount Review: Aviation Commercial Management team is reviewing this issue and others related to lease documents holistically. The team has started the work on updating the leases and will have the lease updates finalized by Q4, 2022. The priority at this point is the issuance of the American Rescue Plan Act Grant for concession relief. Architecture & Engineering (4) - Fair and Reasonable Rate Determination; Management Review Over Max Rates; Contract Rate Accuracy; and Governance: A lean project to evaluate the rate negotiation process was scheduled for Q1, 2022. Resource constraints has made it challenging to resolve the audit issues. A Governance team has been selected; meetings to begin in 2022. Information Technology Audits (6) (Security Sensitive) - Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session. They are: Security of Personal Identifiable Information (1), HIPAA Security (3), Closed Network System Security (1), and Network Password Management (1). 2. Four Information Technology issues do not have Target Dates and are not included in this chart. These issues are in the process of being addressed, however, they are more than two years past the Report Date: Disaster Recovery Capability (1), and Aviation Maintenance and Facilities & Infrastructure Data Centers (3). See Appendix A for a detailed listing of outstanding issues aging as of June 2, 2022. 4 Approved 2022 Audit Plan Limited Contract Compliance Operational Information Technology • In-Ter-Space Services, Inc. DBA • Payroll Controls1 • T2 Airport Garage Parking System Clear Channel Airports • Emergency Procurement Replacement3 • Avis Budget Car Rental • Federal Grant Administration • Account Management (ICT) • The Hertz Corporation • Community & Sustainability Initiatives • Account Management (Aviation Maintenance) Capital • Audit Log Management (ICT) • International Arrivals Facility (IAF) • Audit Log Management (Aviation • Interim Westside Fire Station Maintenance) • North Satellite (NSAT) Renovation & • Security Incident Response Expansion Closeout Management (ICT & Aviation • South Satellite (SSAT) High Voltage AC Maintenance)4 Infrastructure Upgrade • Post IAF Airline Realignment2 • C-1 Building Expansion Construction Phase2 • Main Terminal Low Voltage2 1. Per the audit client’s request, this audit has been deferred to the 2023 Audit Plan. 2. RCW 39.10.385 requires that an independent auditor perform an audit of subcontractor charges to the Port on GCCM projects, where the subcontractor was selected through an alternative selection process. This audit work will be performed by external contractor auditors under Internal Audit’s supervision. 3. Moved to 2022 audit plan; approved at 6/28/2019 Audit Committee meeting. 4. Two separate audits were originally planned for ICT and Aviation Maintenance; however, they were combined for efficiency, due to substantially similar processes. 5 2022 AUDIT PLAN STATUS Audit Title Type Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec ACH Payment Fraud1 Operational Emergency Procurement Operational Federal Grant Administration Operational Community & Sustainability Initiatives Operational Interim Westside Fire Station Operational - Capital North Satellite (NSAT) Renovation & Expansion Closeout Operational - Capital South Satellite (SSAT) High Voltage AC Infrastructure Upgrade Operational - Capital International Arrivals Facility (IAF) Operational - Capital Post IAF Airline Realignment2 Operational - Capital C-1 Building Expansion Construction Phase2 Operational - Capital Main Terminal Low Voltage2 Operational - Capital Account Management (ICT) IT Account Management (Aviation Maintenance) IT Audit Log Management (Aviation Maintenance) IT Security Incident Response Management (ICT & Aviation Maintenance)3 IT T2 Airport Garage Parking System Replacement 4 IT Audit Log Management (ICT) IT The Hertz Corporation Contract Compliance In-Ter-Space Services, Inc. dba Clear Channel Airports Contract Compliance Avis Budget Car Rental Contract Compliance Payroll Controls5 Operational Complete In Process KEY Not Started Deferred to 2023 1. This audit was added as part of the Port's action to mitigate emerging fraud risk. 2. RCW 39.10.385 requires an independent auditor to perform an audit of subcontractor charges to the Port on GCCM projects, where the subcontractor was selected through an alternative selection process. This audit work will be performed by external, contractor auditors under Internal Audit’s supervision, and will be an ongoing, multi-year project through an IDIQ contract. 3. Two separate audits were originally planned for ICT and Aviation Maintenance; however, they were combined for efficiency, due to substantially similar processes. 4. Due to implementation delays, this audit was deferred to the 2022 Audit Plan. 5. Per the audit client's request, this audit has been deferred to the 2023 Audit Plan. 6 Audits Completed in the Second Quarter, 2022 1) North Satellite Renovation & Expansion – Independent Audit Results 2) Emergency Procurement 3) Audit Log Management (Aviation Maintenance)* 4) The Hertz Corporation 5) In-Te r-Space Services, Inc. DBA Clear Channel Airports * Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Report Not Discussed in Public Session. 7 North Satellite Renovation and Expansion – Independent Audit Results RCW 39.10.385 requires an independent audit of subcontractor costs, when subcontractors are selected through an alternative means. R.L. Townsend & Associates, LLC. was engaged to perform the audit for Hermanson (MC/CM)* and ECA (EC/CM)*. The report documented audit adjustments and costs avoided. Internal Audit is performing a separate audit and will look at areas that R.L. Townsend did not look at. The results of that engagement will be presented to the Audit Committee in September. *Mechanical Contractor/Construction Manager (MC/CM), and Electrical Contractor/Construction Manager (EC/CM). 8 North Satellite Renovation and Expansion – Independent Audit Results Procedures Performed: Reviewed job cost accounting records. Reviewed subcontracts for alternates, allowances, and unit rates. Reviewed subcontractor Change Order supporting documentation for correct fees, labor rates, potential duplicates, math errors, or any unusual items. Reviewed monthly EC/CM and MC/CM pay application requests for accuracy, allowable expenses, and proper support. 9 North Satellite Renovation and Expansion – Independent Audit Results Results of R.L. Townsend & Associates’ review: Agreed Description to Credit Cost Avoidance Total MC/CM Audit Discussion Items $ 355,837 $ 490,448 $ 846,285 EC/CM Audit Discussion Items 668,234 636,240 1,304,474 Total $ 1,024,071 $ 1,126,688 $ 2,150,759 Payroll tax adjustments accounted for $814,973 (80%) and overbillings accounted for another $178,116 (10%), of the $1,024,071 in Agreed to Credits. Pay application reviews identified avoidable costs prior to Port payments. These avoidable costs were primarily due to schedule of values inaccuracies and labor costs. 10 Emergency Procurement On March 16, 2020, the Port of Seattle’s Executive Director (ED) formally declared an emergency due to the COVID-19 outbreak. The intent of the declaration was to “minimize the impact of COVID-19 to Port of Seattle operations, its employees, contractors, and public health.” The ED formally announced authorization to expedite the “award of any necessary contracts including those for goods and services, personal services, professional services, and public works in accordance with all applicable laws, regulations, and policies…” Emergency purchase provisions are guided by the Revised Code of Washington (RCW). RCW 39.04.280 defines emergency as “unforeseen circumstances beyond the control of the municipality.” This RCW and other related RCWs broadly waive competitive bidding requirements to expediate the procurement process. 11 Emergency Procurement Table 1 reflects the annual costs and types of purchases for the period beginning March 16, 2020, through March 31, 2022. Table 2 on the following slide, reflects COVID-19 costs incurred on capital projects as of May 3, 2022 (not included in scope of audit). Table 1 Period Cleaning Services Masks Sanitizer Supplies Total 2020 (March 16 - December 31) $915,378 $239,323 $274,488 $1,178,337 $2,607,526 2021 1,519,083 0 180,146 144,010 1,843,239 2022 (January 1 - March 31) 0 0 0 10,699 10,699 Total $2,434,461 $239,323 $454,634 $1,333,046 $4,461,464 12 Emergency Procurement Table 2 Settlement of Division Direct COVID-19 Safety Costs Other COVID-19 Related Costs Total Aviation $7,348,378 $1,112,371 $8,460,749 Maritime 183,364 98,170 281,534 Economic Development 12,653 0 12,653 Total $7,544,395 $1,210,541 $8,754,936 13 No Issues Internal Audit concluded that purchases were made within the Port’s delegation of authority limits and followed RCW requirements. We also validated that those costs appeared reasonable. 14 The Hertz Corporation (Hertz) The Port entered into a Consolidated Rental Car Facility Lease Agreement with Hertz in July 2008. Agreement requires a Minimum Annual Guarantee equal to 85% of the total paid to the Port for the previous year. Agreement requires a daily Customer Facility Charge (CFC) of $6.00 on vehicle transactions. Effective January 1, 2021, the CFC increased to $6.50. Approximately $24 million was paid to the Port during the audit period (June 2018 - May 2021). 15 #1) Rating: Medium Hertz’s systems and records were unable to clearly discern which customers were eligible to receive a CFC waiver. Internal Audit identified 3,081 rental tickets, totaling approximately $173,000, where CFC was not charged and remitted. Hertz asserted that about $164,000 were insurance replacement rentals and, therefore, allowable exclusions. 16 Recommendations Internal Audit recommends that the Port should collect the $9,181 plus any accrued interest and/or penalties. Internal Audit will partner with Aviation Commercial Management and will recommend an appropriate course of action based on data provided by Hertz. 17 Management Response Aviation Commercial Management (AVCM) will continue working with Hertz and Internal Audit to review the variances identified through this audit, Hertz’s documentation supporting the variances, and determine the total under-reported CFC charges due to the Port and will seek collection accordingly. AVCM is continuing conversations with both Hertz and Internal Audit to review the variances identified and will continue to work together to ensure all CFCs owed to the Port under the agreement have been collected. We appreciate the efforts of the Internal Audit team for their work on this audit. DUE DATE: 9/30/2022 18 In-Ter-Space Services, Inc. DBA Clear Channel Airports Renewed, ten-year Lease Agreement was established in 2017 for a promotional and advertising services concession. Agreement requires a Minimum Annual Guarantee equal to 85 percent of the total paid to the Port for the previous year. Percentage fee is equal to 67 percent of gross sales, including the first seven percent specified as Contract Rent. For the audit period (January 2019 – December 2021): Gross revenues - $22 million Percentage Fees – $13.2 million Contract Rent – $1.5 million 19 No Issues Internal Audit concluded that In-Te r-Space Services, Inc. materially complied with the significant terms of the Agreement. 20 Appendix A – Aging of Outstanding Issues as of June 2, 2022 21 Appendix A – Aging of Outstanding Issues as of June 2, 2022 Operational, Capital, Information Technology, and Limited Contract Compliance Audits Days Outstanding Days Outstanding Type Audit Description Rating Report Date Target Date (from Report Date) (from Target Date) IT Audit AVM/Facility &Infrastructure Data Centers Physical access to facilities High 12/4/2018 No date supplied 1,276 N/A IT Audit AVM/Facility &Infrastructure Data Centers Protection against environmental factors High 12/4/2018 No date supplied 1,276 N/A Operational Audit Marine Maintenance Shop Keys and badges tracking High 6/14/2019 12/31/2023 1,084 -577 IT Audit HIPAA Security Audit Security Sensitive High 9/4/2019 7/31/2020 1,002 671 IT Audit HIPAA Security Audit Security Sensitive High 9/4/2019 7/31/2020 1,002 671 Operational Audit Architecture & Engineering Determine fair and reasonable rates High 12/9/2019 6/30/2020 906 702 Operational Audit Architecture & Engineering Management review over max rates High 12/9/2019 6/30/2020 906 702 Operational Audit Architecture & Engineering Contract rate accuracy High 12/9/2019 6/30/2020 906 702 IT Audit Continuous Vulnerability Management Security Sensitive High 11/29/2021 12/31/2022 185 -212 IT Audit Continuous Vulnerability Management Security Sensitive High 11/29/2021 12/31/2022 185 -212 IT Audit Continuous Vulnerability Management Security Sensitive High 11/29/2021 12/31/2022 185 -212 Operational Audit ACH Payment Fraud Changes to supplier information High 3/30/2022 5/31/2022 64 2 Operational Audit ACH Payment Fraud Detective controls High 3/30/2022 4/30/2022 64 33 IT Audit Disaster Recovery Capability Security Sensitive Medium 11/29/2017 No date supplied 1,646 N/A IT Audit AVM/Facility &Infrastructure Data Centers Physical facilities management Medium 12/4/2018 No date supplied 1,276 N/A IT Audit Security of Personal Identifiable Information Security Sensitive Medium 2/26/2019 3/31/2020 1,192 793 IT Audit HIPAA Security Security Sensitive Medium 9/4/2019 7/31/2020 1,002 671 IT Audit Closed Network System Security Security Sensitive Medium 9/5/2019 6/30/2020 1,001 702 IT Audit Inventory and Control of Hardware Assets Security Sensitive Medium 11/12/2019 6/30/2023 933 -393 Operational Audit Architecture & Engineering Governance Medium 12/9/2019 6/30/2020 906 702 IT Audit Network Password Management Security Sensitive Medium 3/20/2020 12/31/2021 804 153 IT Audit Network Password Management Security Sensitive Medium 3/20/2020 9/30/2020 804 610 IT Audit Secure Configuration for Hardware and Software on Mobile Devices, Security Sensitive Medium 8/21/2020 12/31/2021 650 153 Laptops, Workstations and Servers IT Audit Secure Configuration for Hardware and Software on Mobile Devices, Security Sensitive Medium 8/21/2020 12/31/2021 650 153 Laptops, Workstations and Servers Lease and Concession Audit Concourse Concessions LLC RE-2 policy review Medium 9/10/2020 12/31/2020 630 518 IT Audit Inventory and Control of Software Assets Security Sensitive Medium 11/24/2020 12/31/2021 555 153 IT Audit Inventory and Control of Software Assets Security Sensitive Medium 11/24/2020 12/31/2021 555 153 IT Audit Inventory and Control of Software Assets Security Sensitive Medium 11/24/2020 12/31/2021 555 153 IT Audit Malware Defenses - Aviation Maintenance Security Sensitive Medium 3/17/2021 12/31/2022 442 -212 IT Audit Continuous Vulnerability Management Security Sensitive Medium 11/29/2021 6/30/2022 185 -28 IT Audit Data Recovery Security Sensitive Medium 11/29/2021 4/30/2022 185 33 IT Audit Account Management - ICT Security Sensitive Medium 3/15/2022 6/1/2023 79 -364 IT Audit Account Management - ICT Security Sensitive Medium 3/15/2022 3/1/2023 79 -272 IT Audit Account Management - Aviation Maintenance Security Sensitive Medium 3/22/2022 12/31/2022 72 -212 IT Audit Account Management - Aviation Maintenance Security Sensitive Medium 3/22/2022 12/31/2022 72 -212 IT Audit Account Management - Aviation Maintenance Security Sensitive Medium 3/22/2022 12/31/2022 72 -212 Capital Interim Westside Fire Station Project Liquidated damages Medium 3/25/2022 12/31/2022 69 -212 Capital Interim Westside Fire Station Project COVID-19 change orders Medium 3/25/2022 12/31/2022 69 -212 Operational Audit ACH Payment Fraud Required training Medium 3/30/2022 6/30/2022 64 -28 IT Audit Audit Log Management - Aviation Maintenance Security Sensitive Medium 6/2/2022 12/31/2023 0 -577 IT Audit Audit Log Management - Aviation Maintenance Security Sensitive Medium 6/2/2022 12/31/2022 0 -212 IT Audit Audit Log Management - Aviation Maintenance Security Sensitive Medium 6/2/2022 12/31/2022 0 -212 IT Audit Continuous Vulnerability Management Security Sensitive Low 11/29/2021 12/31/2022 185 -212 22
Limitations of Translatable Documents
PDF files are created with text and images are placed at an exact position on a page of a fixed size.
Web pages are fluid in nature, and the exact positioning of PDF text creates presentation problems.
PDFs that are full page graphics, or scanned pages are generally unable to be made accessible, In these cases, viewing whatever plain text could be extracted is the only alternative.