1. Presentation
Port
Financial Stewardship Accountability Transparency Port of Seattle Audit Committee Internal Audit Update Glenn Fernandes - Director, Internal Audit December 8, 2022 P69 Commission Chambers 2:30 PM – 4:30 PM Operational Excellence Governance Internal Audit Update – Outreach Project - Ongoing Goals, Scope and Stakeholders To promote the awareness and understanding of the Port’s Internal Audit process, and the significance of internal controls and risk mitigations internally and externally through outreach, education, and socialization. To help the small entities that the Port has business with and that have limited resources to educate and train their staff on internal controls. Deliverables and Timeline No. Deliverables Target Completion Date Completed 0 Project Plan Creation September 2022 September 2022 1 IA Website Upgrade: December 2022 December 2022 1A New Resources Section December 2022 December 2022 1A-1 Links to Standards, Professional Organizations December 2022 December 2022 1A-2 Links to Cybersecurity Resources December 2022 December 2022 1A-3 External Peer Review Reports December 2022 December 2022 1B Audit Process Flowchart Illustration First Quarter 2023 In Process 2 Risk and Control Training: First Quarter 2023 Planning 2A Design of Training Material First Quarter 2023 Planning 2B Design of Training Session(s) First Quarter 2023 Planning 2C Training Scheduling and Logistics (Onsite & In-house) First Quarter 2023 Planning 2 2022 AUDIT PLAN STATUS Audit Title Type Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec ACH Payment Fraud1 Performance Emergency Procurement Performance Federal Grant Administration - Aviation Division Performance South King County Community Impact Fund2 Performance Interim Westside Fire Station Performance - Capital North Satellite Renovation & Expansion Project (NSAT) Performance - Capital South Satellite Infrastructure Upgrade Project (SSAT) Performance - Capital International Arrivals Facility (IAF) Performance - Capital Post IAF Airline Realignment3 Performance - Capital C-1 Building Expansion Construction Phase3 Performance - Capital Main Terminal Low Voltage3 Performance - Capital Account Management (ICT) IT Account Management (Aviation Maintenance) IT Audit Log Management (Aviation Maintenance) IT Security Incident Response Management (ICT & Aviation Maintenance)4 IT T2 Airport Garage Parking System Replacement IT Audit Log Management (ICT) IT The Hertz Corporation Contract Compliance In-Ter-Space Services, Inc. dba Clear Channel Airports Contract Compliance Avis Budget Car Rental LLC Contract Compliance Payroll Controls5 Performance Complete KEY Deferred to 2023 1. This audit was added to respond to a known fraud that had occurred and to mitigate future fraud risk. 2. The original audit title, “Community and Sustainability Initiatives,” per the 2022 Audit Plan, was updated as the audit scope was further refined. 3. RCW 39.10.385 requires an independent audit, paid for by the public body, to confirm the proper accrual of costs, for General Contractor/Construction Manager (GC/CM) projects. This audit work is performed by external, contract auditors through a multi-year, Indefinite Delivery, Indefinite Quantity (IDIQ) contract. 4. Two separate audits were originally planned for ICT and Aviation Maintenance; however, they were combined for efficiency, due to substantially similar processes. 5. Per the audit client's request, this audit has been deferred to the 2023 Audit Plan. 3 2022 Audit Plan Update 17 audit reports were completed in 2022: Performance (4), Capital Projects (4), IT (6), and Limited Contract Compliance (3). Audits identified 4 High Risk, 19 Medium Risk, and 3 Low Risk rated issues for management action. In addition, a construction audit of the International Arrivals Facility, performed jointly with HPM, LLC, a contracted consulting firm, has identified 8 issues. Adapted workplan and recommended improvements to control weaknesses, when Port was hit with the ACH Fraud. Internal Audit’s 2022 value proposition to respond to COVID-19 impact and associated business risks: Audit of Federal Grant Administration in Aviation Division – Scope included the COVID-19 relief grants. Capital Project Audits – Incorporated COVID-19 related expenses and change orders into audits. Cruise Terminals of America – 2021 Cruise Season Rent Credit Review. 4 2022/2021 Suggested Recoveries Lease/Concession: 2022 Audits Amount The Hertz Corporation $9,181 Avis Budget Car Rental LLC 2,645 Total $11,826 2021 Audits Amount Seattle-Tacoma International Limousine Association $157,284 Lenlyn Limited 12,023 Total $169,307 Capital: 2022 Audits Amount Interim Westside Fire Station $789,957 NSAT Renovation and Expansion - RL Townsend Review1 1,024,071 NSAT Renovation and Expansion - Internal Audit Review 79,118 International Arrivals Facility2 25,443,411 Total $27,336,557 2021 Audits Amount Central Terminal Infrastructure Upgrade $18,200 Restroom Renovations Phase III Prototype 12,314 Total $30,514 1. Independent Audit as required by RCW 39.10.385 2. Draft report 5 2022/2021 Controllable Cost Over-Runs1 Audit 2021 Amount 2022 Amount Baggage Optimization Project- Phase 2 $29,156 North Terminal Utilities Upgrade $3,000 Interim Westside Fire Station $1,053,832 NSAT Renovation and Expansion - R.L. Townsend Review $1,126,688 Tota l $32,156 $2,180,520 6 Performance Audit Plan Approach Monitoring of Emerging Enterprise Risks Risk interviews held with a sample of Port leaders, from the departments, including: Legal Aviation Commercial Management Strategic Initiatives Finance External Relations Equity, Diversity & Inclusion Aviation PMG Aviation Security Maritime PMG Aviation Maintenance Engineering Maritime Labor Relations Police Information Security Information Communications & Technology 7 Performance Audit Plan Approach (continued) Key Risk Themes identified from Risk Assessment Data: Human Capital Staffing/Recruiting Talent Management Retention Cybersecurity Supply Chain Electrical Capacity and Related Infrastructure Balancing Environmental, Financial, and Social Objectives 8 Proposed 2023 Performance Audits Audit Risk Input Purpose Payroll Controls 2021 interviews/ Evaluate current processes/controls to assure proper time Carryover approval, vacation/sick accruals, etc. Airport Parking Garage Audit Universe Assess controls over cash handling, parking garage access, and compliance with regulations. Equity Policy Directive Compliance Mgmt. Request Evaluate Port-wide compliance with the Equity Policy Directive. Social & Environmental Reporting Audit Universe Assess accuracy of data presented to Management and Commission. Assess controls to mitigate “Greenwashing.” Fishermen’s Terminal Mgmt. Request Evaluate current revenue process, policies and procedures to assure accurate, complete, and timely revenue billing and collections. Contingency Audits1 Police Department Evidence Room Audit Universe Assess controls over property/funds to assure they are in accordance with internal policies and laws. Human Capital – Recruiting Risk Assessment Evaluate current processes/controls to assure critical positions are filled in a timely manner to assure continuity of operations. Banking (Wires Transfer Control) Audit Universe Evaluate controls to assure they are functioning as intended and able to mitigate the risk of internal and external fraud. 1. If resources exist, at Internal Audit Director’s discretion, these audits will be moved to the 2023 Audit Plan. 9 Capital Projects Audit Plan Approach Audits as mandated by RCW 39.10.385 - All General Contractor/Construction Manager (GC/CM) Projects Risk Assessment Meetings 49 projects currently with project budget >$5MM1 Other Risk considerations: Project Size (Construction Costs) Change Orders (Original Contract Sum) Contract Type Schedule Budget Known Concerns (Errors & Omissions, Potential Claims, Scope Changes, etc.) 1. Source: Port of Seattle Accounting and Financial Reporting Department; CS-ACTIVE_WP Report as of October 13, 2022 10 Proposed 2023 Capital Audit Plan Project Engineer’s Estimated Budget T-5 Berth Modernization1 $184MM Supply Chain Disruption Management1 Not Applicable Post IAF Airline Realignment - GC/CM Construction2 Bidding Phase C Concourse Expansion GC/CM2 Not yet under contract Main Terminal Low Voltage System Upgrade GC/CM2 $55MM T-117 Sites 23-25 Restoration Construction Project GC/CM2 $14MM Contingency Audit3 Concourse A Building Expansion for Lounges/DELTA TRA Parking Garage Elevator Modernization 1. Identified during risk assessment meetings with Port management. 2. RCW 39.10.385 requires an independent audit, paid for by the public body, to confirm the proper accrual of costs, for General Contractor/Construction Manager (GC/CM) projects. Work will be performed by external, contract auditors through a multi-year, Indefinite Delivery, Indefinite Quantity (IDIQ) contract. Internal Audit will perform continuous cost reviews of these projects, review areas not looked at by the contract auditors, and also partner with the contract auditors as needed. Internal Audit will issue an audit report on areas covered. 3. If resources exist, at Internal Audit Director’s discretion, this audit will be moved to the 2023 Audit Plan. 11 Information Technology Audit Plan Approach Seven-Year Plan: Since the Port had not had a comprehensive Information Technology Audit program prior to 2018, we decided in 2019, that our new Information Technology Audit Program1 would focus on those high risk, high value controls, identified by the Center for Internet Security2 (CIS, 18 control areas, 153 controls). We are using risk input from Information Security to assist us in determining the order in which to perform the CIS audits. Additionally, we will add audits based on executive management concerns, regulatory requirements, or based on emerging threats. Once we cycle through those 18 high risk areas (we have completed nine as of this presentation), we will branch out into looking at other Information Technology General Controls, and we will move to a more classic risk assessment process of assessing risk likelihood and impact, to determine what will be on our annual Information Technology audit plan. 1. See Appendix A – Information Technology Audit Universe. 2. https://www.cisecurity.org/controls/cis-controls-list/ 12 Information Technology Audit Plan Proposed 2023 Audits/Assessments Name Risk1 Selection Criteria Email and Web Browser Protections High Center for Internet Security Network Infrastructure Management (ICT) High Center for Internet Security Network Infrastructure Management (Aviation Maintenance) High Center for Internet Security Security Awareness and Skills Training High Center for Internet Security Contingency Audits2 Name Risk1 Selection Criteria Network Monitoring and Defense (ICT) High Center for Internet Security Network Monitoring and Defense (Aviation Maintenance) High Center for Internet Security Penetration Testing High Center for Internet Security TSA Cybersecurity3 High Regulatory 1. See Appendix A – Information Technology Audit Universe. 2. If a proposed audit cannot be performed, at the Internal Audit Director’s discretion, this audit will be moved to the 2023 Audit Plan. 3. TSA is in the process of mandating audits. These will be required in either 2023 or 2024. 13 Lease and Concession Audit Plan Approach Approximately 120 leases in the risk universe1 Risk rating of leases primarily based on: Three-year revenues Prior audit history Cycle frequency Total Maritime/Economic Agreement Year Revenues Aviation Development 2020 $51 MM $45 MM $6 MM 2021 94 MM 87 MM 7 MM 2022 70 MM 65 MM 5 MM Total $215 MM $197 MM $18 MM 2020-2022 Number Percentage Frequency Rating Revenues of Leases of Revenue (Cycle) High $115 10 53% 5-7 years Medium 66 24 31% 10 year Low 34 87 16% As needed Total $215 121 100% 1. See Appendix B – Lease/Concession Risk Universe. 14 Proposed 2023 Lease and Concession Audits Revenue January 2020 Name Division Rating - August 2022 1 Louis Dreyfus Company Washington, LLC Maritime High $13.1 MM Seattle Air Ventures, JV (AIR002018, AIR002733)2 Aviation High 9.9 MM Seattle Air Ventures, JV (AIR002017, AIR002732)2 Aviation High 7.5 MM Doug Fox Travel/ATZ Aviation Medium 5.1 MM Tota l $35.6 MM Contingency Audits3 Gate Gourmet International Aviation Medium $5.1 MM Host International, LLC Aviation Medium 5.0 MM Tota l $10.1 MM 1. January 2020 – August 2022 Approximate Concessionaire Revenue – should not be used for other financial purposes. 2. Seattle Air Ventures (Hudson Group HG Retail LLC) has 2 leases covering 13 stores at SeaTac. Our proposed audit will cover a selection of stores from each lease. 3. If resources exist, at Internal Audit Director’s discretion, these audit will be moved to the 2023 Audit Plan. 15 Historical Reports Overview 2019 – 2023 2023 Report Type 2019 2020 2021 2022 (Proposed) Performance 4 6 6 4 5 Performance – Capital 4 3 4 41 63 Information Technology 6 6 5 62 4 Limited Contract Compliance 5 5 4 3 44 Total 19 20 19 17 19 1. Included one audit, that was performed jointly with a consulting firm, for International Arrivals Facility (IAF) Project. 2. Included four audits that reflected a separation of two audits (Account Management and Account Log Management) for two respective departments; ICT and Aviation Maintenance. 3. Includes four independent audits that are required by RCW 39.10.385 RCW 39.10.385, and paid for by the public body, to confirm the proper accrual of costs, for General Contractor/Construction Manager (GC/CM) projects. This audit work will be performed by external, contract auditors through a multi-year, Indefinite Delivery, Indefinite Quantity (IDIQ) contract. Internal Audit will perform continuous cost reviews of these projects, review areas not looked at by the contract auditors, and also partner with the contract auditors as needed. Internal Audit will issue an audit report on areas covered. 4. Seattle Air Ventures (Hudson Group HG Retail LLC) has 2 leases covering 13 stores are SeaTac. Our proposed audit will cover a selection of stores from each lease. 16 Proposed 2023 Audit Plan Limited Contract Compliance Performance Information Technology • Louis Dreyfus Company Washington, • Payroll Controls1 • Email and Web Browser Protection LLC • Airport Parking Garage • Network Infrastructure Management • Seattle Air Ventures, JV (AIR002018, • Equity Policy Directive Compliance (ICT) AIR002733) • Social and Environmental Reporting • Network Infrastructure Management • Seattle Air Ventures, JV (AIR002017, • Fishermen’s Terminal (Aviation Maintenance) AIR002732) • Security Awareness and Skills Training • Doug Fox Travel/ATZ Capital • T-5 Berth Modernization • Supply Chain Disruption Management • Post IAF Airline Realignment – GC/CM Construction2 • C Concourse Expansion GC/CM2 • Main Terminal Low Voltage System Upgrade GC/CM2 • T-117 Sites 23-25 Restoration Construction Project GC/CM2 1. Per the audit client’s request, this audit has been deferred to the 2023 Audit Plan. 2. RCW 39.10.385 requires an independent audit, paid for by the public body, to confirm the proper accrual of costs, for General Contractor/Construction Manager (GC/CM) projects. This audit work will be performed by external, contract auditors through a multi-year, Indefinite Delivery, Indefinite Quantity (IDIQ) contract. Internal Audit will perform continuous cost reviews of these projects, review areas not looked at by the contract auditors, and also partner with the contract auditors as needed. Internal Audit will issue an audit report on areas covered. 17 Contingency Audits - If resources exist, at Internal Audit Director’s discretion, these audits will be moved to the 2023 Audit Plan. Limited Contract Compliance Performance Information Technology • Gate Gourmet International • Police Department Evidence Room • Network Monitoring and Defense (ICT) • Host International, LLC • Human Capital – Recruiting • Network Monitoring and Defense • Banking (Wire Transfer Controls) (Aviation Maintenance) • Penetration Testing • TSA Cybersecurity1 Capital • Concourse A Building Expansion for Lounges/DELTA TRA • Parking Garage Elevator Modernization 1. TSA is in the process of mandating audits. These will be required in either 2023 or 2024. 18 Open Issue Status – Aging Report as of November 22, 2022 1. Nine issues outstanding for over one year from the Target Date consist of: Concourse Concessions LLC (1) - Port RE-2 Policy and Surety Amount Review Architecture & Engineering (3) - Fair and Reasonable Rate Determination; Management Review Over Max Rates; and Contract Rate Accuracy Information Technology Audits (5) (Security Sensitive) - Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session. They are: Security of Personal Identifiable Information (1), HIPAA Security (2), Closed Network System Security (1), and Network Password Management (1). 2. Four Information Technology issues do not have Target Dates and are not included in this chart. These issues are in the process of being addressed, however, they are more than two years past the Report Date: Disaster Recovery Capability (1), and Aviation Maintenance and Facilities & Infrastructure Data Centers (3). See Appendix C for a detailed listing of outstanding issues aging as of November 22, 2022. 19 Audits Completed in Fourth Quarter, 2022 1) International Arrivals Facility 2) South Satellite Infrastructure Upgrade Project 3) South King County Community Impact Fund 4) Federal Grant Administration – Aviation Division 5) T2 Airport Garage Parking System Replacement* 6) Audit Log Management (ICT)* *Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session 20 International Arrivals Facility Project - Prior Audits Port of Seattle Internal Audit Report No. 2017-14, dated November 2, 2017 Important elements of the design-build approach were missing resulting in unexpected costs due to rework and delayed payments. Internal controls needed to be enhanced to validate invoice totals to payments. HPM, LLC - Report, issued August 10, 2018 HPM was contracted by the Port’s construction management contractor, AECOM, to perform an interim review prior to the final Guaranteed Maximum Price (GMP). Clark Construction was instructed to administer subcontractor contracts on a Not-to-Exceed basis. Clark administered subcontracts as lump sum. Any savings that may occur from cost or process efficiencies over time would go to the subcontractor and not to Clark Construction and then the Port. General Liability Insurance (GLI) Rate Clark charged a stipulated rate of 0.749% for GLI instead of actual cost. HPM estimated 0.385% was more accurate. Estimated cost avoidance to the Port of $2 million. 21 International Arrivals Facility Project - Prior Audits (continued) HPM, LLC- Report, issued August 10, 2018 (continued) Duplicated Cost of Paid-Time-Off (PTO) Personnel multiplier of 35.7% included a component for PTO. Costs duplicated in stipulated portion of the General Conditions. Estimated an overstatement of General Condition labor costs of $720,000 annually. Change Order and Early Work Authorization (EWA) support. Clark supporting documentation in summary format. Recommendation that Clark present detailed cost data with any change order or EWA to ensure the Port’s analysis can be performed in a timely and accurate manner. Port of Seattle Internal Audit- Report No. 2018-14, dated December 7, 2018 Labor multiplier increased from 35.7% to 88.7% on final GMP with “not subject to audit” clause. If Seattle region personnel multiplier of 30% to 45% was used, Port would have saved between $8.2- $11 million. GMP maintained the $7.49/$1000 GLI rate. Port Risk Management’s recommended coverage would have cost the Port $3.95/$1,000. The Port incurred approximately $2.8 million in avoidable costs. 22 International Arrivals Facility Project [DRAFT REPORT – SUBJECT TO FURTHER CHANGES.] GMP through Owner Change Order (OCO) No. 66 totals $782,904,088. • Amendment No. 1 “reset” the project, closed all previous claims. Audit Limitations (Audit Report 2022-17): NTE OCOs not reconciled as of audit. Several Work Authorizations and Clark subcontractor change orders (SCOs) did not have adequate detailed support. Unclear Valley Electric sick time/Paid Family Medical Leave (PFML) payment of $310,329 approved. Clark recorded costs plus contract lump sum and percentage-based charges exceed GMP by significant amount. 23 [DRAFT REPORT – SUBJECT TO FURTHER CHANGES.] Audit Observations: 1. Overstated Subcontract Labor and Labor Burden Charges estimated to range from $4,527,000 to $9,232,000. FROM ISSUE LOG (ASSIGNED TO SCO FOR ALLOWANCE Total SCOs Labor Value in Finding from Extrapolated Subcontractor OR CONT) Reviewed Sample Size SCO Labor % Detailed SCOs Error% Findings APOLLO MECHANICAL $9,759,064 $3,767,538 38.61% $2,217,683 59% $500,162 22.553% $795,409 CONTRACTORS CECCANTI, INC. 8,124,511 431,908 5.32% 177,948 41% 3,583 2.01% 63,822 CONCO 1,725,003 129,448 7.50% 70,785 55% 4,734 6.69% 58,350 CROWN CORR INC. 4,199,981 981,955 23.38% 445,520 45% 33,721 7.57% 110,509 VALLEY ELECTRIC CO OF MT 24,706,001 1,092,942 4.42% 527,242 48% 90,052 17.08% 1,945,581 VERNON INC TOTAL1 $48,514,560 $6,403,791 15.85% $3,439,177 49.67% $632,253 11.18% $2,973,671 1 The Sample Size, Labor, and Error percentages are the average of the individually listed percentages. 24 Audit Observations: (continued) [DRAFT REPORT – SUBJECT TO FURTHER CHANGES.] Combined Analysis of % Finding of Labor for Non-Sampled Subcontractors two tables with the addition of the $632,253 of findings Low High Low 4,527 4,962 5,392 5,827 6,262 6,692 % Labor of SCO 4,937 5,412 5,892 6,367 6,847 7,327 for Non- 5,342 5,867 6,387 6,912 7,432 7,962 Sample 5,752 6,317 6,887 7,457 8,027 8,592 Subcontractors High 6,157 6,772 7,387 8,002 8,612 9,232 25 Audit Observations: (continued) [DRAFT REPORT – SUBJECT TO FURTHER CHANGES.] 2. Audit reconciled allowances show the remaining allowances to be returned to the Port total approximately $2,273,738. 3. Allowance credits not traced back to Clark issued subcontractor changes totaled $521,775. 4. Clark recorded $329,947 for Valley Electric reimbursement of 2018 sick time and 2019 PFML pay, including Clark mark-up, which appear to duplicate costs included in the labor rates. 5. Port Work Authorization amounts did not reconcile to the recorded Clark Issue amount, resulting in credits due of $272,605. 26 Audit Observations: (continued) [DRAFT REPORT – SUBJECT TO FURTHER CHANGES.] 6. Clark “Furniture Not Reimbursed by Owner” of $220,547 does not appear to be reimbursable. 7. Allowance usage not traced back to SCOs totaled $129,799. Total Potential GMP Adjustments range from $8.3 Million to $12.9 Million. Clark had not responded to the audit questions sent on 11/07/22 as of November 30, 2022. 27 Audit Observations: (continued) [DRAFT REPORT – SUBJECT TO FURTHER CHANGES.] Liquidated Damages (LDs): The Port has not issued substantial or physical completion. Calculated liquidated damages as of November 30, 2022, totals $17,168,000. Days Late to Amount Due Milestone 11/30/22 to Date 1 914 $ 9,140,000 2 750 7,500,000 3 660 528,000 Calculated LDs $ 17,168,000 28 Post Audit GMP: [DRAFT REPORT – SUBJECT TO FURTHER CHANGES.] Current Executed GMP Amount through Change Order No. 66 $ 782,904,088 Less: Overstated Subcontractor Labor & Labor Burden Rates (4,527,000) Less: Allowance Reconciliation (2,273,738) Less: Unlocated Subcontractor Credits Due (521,775) Less: Unsupported Port Allowance Usage Valley Electric Sick & PFML (329,947) Less: Work Authorization & Clark Issue Amounts Not in Alignment (272,605) Less: Questioned Contingency Transfer & Usage (220,547) Less: Unsupported Allowance and Contingency Usages (129,799) Subtotal GMP Amount After Audit $ 774,628,677 Less: Liability Insurance Charge Reduction 1 (59,591) Less: Payment & Performance Bond Charge Reduction 1 (55,618) Less: Clark Fee Charge Reduction 1 (379,078) Total GMP Amount After Audit $ 774,134,390 1. Clark’s percentage-based mark-ups were included in the Valley Electric amount of $329,947, therefore, this amount was not subject to the liability insurance, bond, or fee charges. Please note Observation No. 1 has a range of $4,527,000 to $9,232,000. To be conservative, we have reported the low end of the exception range. 29 [DRAFT REPORT – SUBJECT TO FURTHER CHANGES.] Improvement Recommendations: Contractor review and vet all subcontractor labor rates, compliance with contract terms and statutory tax limitations. Revision of Port labor rate sheets to account for tax limitations. Port should require allowance/contingency usage: Requests be adequately supported. Reconciled by Contractor periodically with SCO cross references and amounts tying to Port records and approvals. Readiness assessments to align Port and contractor controls should occur before the project begins. 30 [DRAFT REPORT – SUBJECT TO FURTHER CHANGES.] Management Response: Comments from Clark Construction as needed/in person. Management to discuss in person. Detailed responses will be presented in the audit report. 31 South Satellite Infrastructure Upgrade Project The South Satellite Infrastructure Upgrade Project (SSIUP) improved the effectiveness, reliability, and increased the capacity of the Heating, Ventilation, and Air Conditioning system. Construction estimate was approximately $33 million. Two bids received, both bids were below the engineer’s construction cost estimate. James W Fowler Co. (JWF) was the lowest responsible bidder and awarded the contract in the amount of $28.36 million. There were $2.7 million in approved Change Orders (COs), increasing total construction cost to $31.1 million. Highlights: Port management and JWF responded quickly to our requests for documents. The Project was completed on-time and under budget. Based on our discussions with management, it appears that there was a positive working relationship between the Port and JWF, which resulted in a successful Project. 32 1) Rating: Low We identified opportunities for Port management to strengthen controls over reconciliation of Not to Exceed (NTE) COs. Additionally, we identified instances where Standard Operating Procedures (SOPs) were not followed. Going forward, management has made corrections based on recommendations from prior audits, and these should be reflected in future projects. Instances where Force Accounting (FA) sheets were not attached with the inspector daily reports, the COs had not been reconciled, and required signatures were missing from the daily FA sheets. Final reconciliation for several of the NTE COs was still pending. For some of these COs, work was completed two years earlier. Payments were approved by the Resident Engineer after reviewing the FA sheets that the contractor had provided, however, it is always a good practice to reconcile COs as soon as possible, because it will help reduce risks associated with getting money back from the contractor and finding sufficient supporting documentation. We recommended that management should update current SOPs to require more timely reconciliation of NTE COs. The SOPs should specify a reasonable timeframe. 33 Management Response Engineering – Construction Management agrees the reconciliation of “Not to Exceed” Change Orders should be done as soon as practicable, but we need to further investigate if there is specific, reasonable timeframe we can commit to based on project needs and staffing resources. At a minimum, we will add language to SOP 40.01 Change Management to indicate this reconciliation process should be performed ‘as soon as practicable.’ Management will discuss in detail. (Full response in Audit Report No. 2022-15) 34 South King County Community Impact Fund South King County Fund In 2019, the Port pledged $10 million, funded over a five-year period, to provide environmental benefits to near airport communities impacted by airport noise. South King County Community Impact Fund (SKCCIF) In November 2021, the name was changed to the SKCCIF and aims to develop equity-based partnerships and to provide resources and support in historically underserved, ethnically, and culturally diverse near-airport communities. Aligned to Port Mission To promote economic opportunities and quality of life in the region by advancing job creation in an equitable, accountable, and environmentally responsible manner. 35 South King County Community Impact Fund Environmental Program is governed by RCW 35.21.278 Contracts with community service organizations for public improvement. Contract values and reimbursements from January 1, 2021 – June 30, 2022: Organization Contract Value 2021 2022 Bridging Cultural Gaps $19,974 $14,050 $0 Tilth 14,800 5,535 9,265 Friends of Normandy Park 11,163 4,867 4,474 Federal Way Korean American Association 20,000 0 0 Multicultural Self-Sufficiency Movement 9,000 0 0 Puget Soundkeeper Alliance 10,902 0 0 Bhutanese Community Resource Center 13,488 6,500 0 Summer Search (Congolese Basketball Team) 19,000 0 3,075 Summer Search (Expanding Environmental Justice) 19,990 0 0 Partner in Employment 19,977 0 19,977 $158,294 $30,952 $36,791 36 South King County Community Impact Fund Economic Recovery Program is governed by RCW 53.08.245 Economic development programs authorized - job training and education. Contract values and reimbursements from January 1, 2021 – June 30, 2022: Organization Contract Value 2021 2022 African Chamber of Commerce PNW $100,000 $21,539 $70,128 African Community Housing and Development 99,903 61,000 38,903 Asian Counseling and Referral Service 70,000 35,500 28,250 Business Ending Slavery and Trafficking (BEST) 100,000 61,800 15,162 Cares of Washington 91,160 77,387 13,773 Chief Seattle Club 100,000 57,500 42,500 El Centro de la Raza 99,985 75,000 24,985 Highline College Foundation 90,839 5,750 43,250 Partner in Employment 100,000 79,375 20,625 Washington Maritime Blue 99,995 99,995 0 $951,882 $574,845 $297,576 37 1) Rating: Medium Approvals were not always documented, expense reimbursements were not always supported with receipts, and expenses sometimes exceeded thresholds allowable by the contract. Although the financial impact is relatively small, these exceptions could be considered non-compliance with contract terms. Twenty-five percent (25%), or 25 of 99 invoices did not have a documented approval. Expense reimbursements sometimes exceeded contract thresholds (see following page). 38 1) Rating: Medium (continued) Organization Contract Description Reimbursement ($) Amount not allowed ($) Description of Reimbursement Summer Search Refreshments $31.25 / event X 32 events = $1,000 97.04 65.79 13 Coins - Brainstorming Dinner Refreshments $31.25 / event X 32 events = $1,000 135.84 104.59 Buffalo Wild Wings - Park Cleaning Event Refreshments $31.25 / event X 32 events = $1,000 38.04 6.79 McDonalds - Park Cleaning Event Refreshments $31.25 / event X 32 events = $1,000 211.39 173.35 Taste of Congo - Park Cleaning Event Refreshments $31.25 / event X 32 events = $1,000 40.24 8.99 Jack in the Box - Park Cleaning Event Refreshments $31.25 / event X 32 events = $1,000 37.89 6.64 Target - Refreshments Refreshments $31.25 / event X 32 events = $1,000 94.69 63.44 Taste of Congo - Park Cleaning Event Partner in Employment Crew Lead $25 * 360 hours = $9,000 9,352.50 352.50 Staff / Contractor Time Youth Stipend $1,000 * 5 youths = $5,000 9,826.00 4,826.00 Volunteer Support Highline College Foundation Class Roster of Enrolled Participants in RiVET, AutoCAD or 32,000.00 12,470.00 Class Roster Civil3D courses ($19,530) Friends of Normandy Park 2 weed wrenches X $10.25 = $20.50 79.24 58.74 Weed Wrench 20 gloves X $1 = $20 187.24 167.24 Gardening Gloves Refreshments $35 / event X $6 events - $210 39.53 4.53 Starbucks Coffee Refreshments $35 / event X $6 events - $210 39.53 4.53 Starbucks Coffee Bhutanese Community Resource Center 1 Hand Washing Station X $70 = $70 79.18 9.18 Handwashing Station 25 boxes garbage bags X $20 = $500 523.76 23.76 Garbage Bags 25 compost bins X $46 = $1,150 1,277.10 127.10 Compost Bins Tilth Staff Training / Volunteer Coordination $30 X 260 hours = $7,800 7,923.70 123.70 Staff Support Guest Instructor Stipend $250 X 4 speakers = $1,000 1,700.00 700.00 Guest Instructors Project Supplies $3,000 3,526.30 526.30 Project Supplies Bridging Cultural Gaps Plants $500 1,800.00 1,300.00 Plants 39 Recommendations Maintain documentation to evidence approval. Broaden contract reimbursement requirements. Granularity of contract language impacts efficiencies Grass roots organizations/limited resources More time for stakeholder partnerships/community engagement 40 Management Response External Relations and Office of Diversity, Equity and Inclusion staff agrees with the audit report findings and will work to implement stronger managerial controls. Staff have implemented a procedure to address approvals not always being documented. Implementing broader contract language is fully supported by both External Relations and the Office of Diversity, Equity and Inclusion. We will work diligently and in partnership with the Central Procurement Office to ensure whenever possible broader language is used which impacts Port efficiencies internally across multiple departments, and with our community partners. The authority to execute contracts with broader language exists with CPO, and their Service Agreements team who would need to authorize the new simplified contract language. DUE DATE: 6/30/2023 Management will discuss in detail. (Full response in Audit Report No. 2022-12) 41 Federal Grant Administration – Aviation Division The Airport Improvement Program (AIP) is a major federal grant program, managed by the Federal Aviation Administration (FAA), which provides funds to public-use airports for planning and development. FAA AIP funding for FY2021 to the Port was $135,865,813, including COVID-19 Relief funding of $100,373,161. COVID-19 Relief grants have been administered and provided by the FAA to eligible airports, including Seattle-Tacoma International Airport, through the existing AIP model, as a mechanism for expeditious fund distribution. Internal Audit leveraged the overall risk and control assessments, and audit work and related testing for certain areas (e.g., COVID-19 Relief grants) of the AIP grants, performed by Moss Adams, the Port’s Independent Auditor. This is required as part of the 2021 Annual Single Audit for a non-federal entity that spends greater than $750,000 of federal funds in a fiscal year. 42 Federal Grant Administration – Aviation Division Internal Audit identified monitoring controls that are important to the current processes, including: FAA Airport District Office’s (ADO’s) involvement in all phases of grant administration (i.e., annual planning, application approval, progress reporting, claims/reimbursements, and close-out). Port Commission’s review and approval of the annual capital investment plan, budget, and status briefings. Legal department’s agreement reviews. CPO’s construction contracting and procurement processes and protocols. Business leaders’ ongoing monitoring engagement and grant coordination meetings internally and with FAA. Quality review and tracking of grants and claims by AV F&B, and AFR, which respectively possess subject matter expert knowledge. A sample of 16 business leaders and staff interviewed were knowledgeable on and aware of the grant requirements through the grant life cycle. A follow-up on one issue, related to inconsistent grant compliance, from our 2019 audit of the Noise Insulation Program, noted that the Port had strengthened monitoring controls over the Highline School District, a sub-recipient of AIP grant through the Port. 43 No Issues Based on the work we performed, we concluded that controls were designed effectively and operating as intended. We also concluded that key stakeholders were aware of federal grant requirements throughout the life cycle of the AIP grants, and in the critical areas of grant administration. 44 Appendix A – Information Technology Audit Universe B – Lease/Concession Risk Universe C – Aging of Outstanding Issues as of November 22, 2022 45 Appendix A – Information Technology Audit Universe Inherent Residual Inherent Residual # IT General Controls Audits # IT General Controls Audits Risk Risk Risk Risk 1 CIS - Inventory and Control of Enterprise Assets - V8 HIGH MED 19 Annual Review of PCI Compliance HIGH LOW 2 CIS - Inventory and Control of Software Assets - V8 HIGH MED 20 Password Management HIGH MED 3 CIS - Data Protection - V8 HIGH 21 Parking Revenue Control System Upgrade (T2 FLEX) HIGH LOW 4 CIS - Secure Configuration of Enterprise Assets and Software - V8 HIGH MED 22 Change Management HIGH LOW 5 CIS - Account Management - ICT - V8 HIGH LOW 23 Datacenter Ops HIGH 5 CIS - Account Management - Aviation Maintenance - V8 HIGH LOW 24 Disaster Recovery Program HIGH 6 CIS - Access Control Management - V8 HIGH 25 HIPAA Privacy Compliance HIGH LOW 7 CIS - Continuous Vulnerability Management - V8 HIGH HIGH 26 HIPAA Security Compliance HIGH LOW 8 CIS - Audit Log Management - ICT - V8 HIGH LOW 27 Industrial Control System Security HIGH HIGH 8 CIS - Audit Log Management - Aviation Maintenance - V8 HIGH MED 28 IT Governance HIGH 9 CIS - Email and Web Browser Protections - V8 HIGH 29 IT Risk Management HIGH 10 CIS - Malware Defenses - V8 HIGH LOW 30 Periodic User Access Reviews HIGH 11 CIS - Data Recovery - V8 HIGH LOW 31 Physical & Environmental Security HIGH 12 CIS - Network Infrastructure Management - ICT - V8 HIGH 32 Portable Media Security HIGH 12 CIS - Network Infrastructure Management - Aviation Maintenance - V8 HIGH 33 Project Management HIGH 13 CIS - Network Monitoring and Defense - V8 HIGH 34 Security Program HIGH 14 CIS - Security Awareness and Skills Training - V8 HIGH 35 System and Software Development HIGH 15 CIS - Service Provider Management - V8 HIGH 36 Transmission Protection HIGH 16 CIS - Application Software Security - V8 HIGH 37 Triennial WA State Patrol Audit of Criminal Justice Information Services (CJIS) Compliance HIGH 17 CIS - Incident Response Management - ICT/Aviation Maintenance - V8 HIGH LOW 38 Vendor Management HIGH 18 CIS - Penetration Testing - V8 HIGH 39 800 MHZ Communication System HIGH 40 TSA Cybersecurity HIGH Completed Audits 41 Cyber Insurance Review HIGH On the 2023 Audit Plan 46 Appendix B – Lease/Concession Risk Universe High Revenue: Name Contract 2020 2021 2022* Total EAN HOLDINGS LLC AIR001281 $ 4,616,143 $ 9,350,157 $ 8,260,473 $ 22,226,773 AVIS BUDGET CAR RENTAL AIR001282 2,679,856 9,301,830 7,944,330 19,926,016 LOUIS DREYFUS COMPANY WASHINGTON LLC 4,428,624 5,320,348 3,345,156 13,094,127 RASIER LLC AIR002579 - 4,558,640 5,749,954 10,308,594 HERTZ CORPORATION AIR001278 1,670,800 4,383,314 3,904,114 9,958,229 IN-TER-SPACE SERVICES, INC AIR002224 4,133,091 3,523,561 1,799,471 9,456,123 SKY CHEFS' INC AIR002512 1,954,910 3,581,139 3,343,726 8,879,775 AIRPORT MANAGEMENT SERVICES LLC AIR002018 3,008,321 5,019,999 - 8,028,320 LYFT AIR002578 - 3,423,928 3,994,890 7,418,818 AIRPORT MANAGEMENT SERVICES LLC AIR002017 2,072,782 3,911,367 - 5,984,149 TOTAL $ 24,564,528 $ 52,374,282 $ 38,342,115 $ 115,280,923 *Actuals through 8/31/2022. 47 Appendix B – Lease/Concession Risk Universe (continued) Medium Revenue: Name Contract 2020 2021 2022* Total GATE GOURMET INT'L AIR000042 $ 1,366,033 $ 1,712,065 $ 2,036,764 $ 5,114,862 DOUG FOX TRAVEL/ATZ AIR001718 1,185,911 2,779,141 1,093,325 5,058,377 HOST INTERNATIONAL, INC AIR002019 2,110,973 2,849,201 - 4,960,173 DTG OPERATIONS INC DBA THRIFTY CAR RENTA AIR001279 605,403 2,236,182 2,096,789 4,938,374 FOX RENT A CAR INC AIR001285 752,329 1,719,671 1,487,544 3,959,544 CMC INVESTMENTS INC AIR001280 608,815 1,615,818 1,686,525 3,911,158 SIXT RENT A CAR LLC AIR001632 451,089 1,364,508 1,323,647 3,139,244 REPUBLIC PARKING NORTHWEST INC SEA000425 942,091 890,826 954,556 2,787,472 STELLAR BAMBUZA SEA LLC AIR002240 487,002 1,607,043 650,281 2,744,325 RASIER LLC AIR002022 2,465,688 2,465,688 ALCLEAR LLC AIR002634 - 1,183,847 1,119,225 2,303,072 FLYING FOOD FARE INC AIR000086 699,678 664,402 719,049 2,083,129 MCDONALD'S USA LLC AIR001606 598,668 959,136 479,406 2,037,210 HOST INTERNATIONAL, INC AIR002247 645,243 932,656 440,344 2,018,243 CONCOURSE CONCESSIONS LLC AIR002362 459,245 1,055,619 472,136 1,987,000 ALCLEAR LLC AIR002048 1,293,395 686,056 1,979,451 SEATTLE AIR VENTURES JV AIR002733 1,904,714 1,904,714 SSP AMERICA SEA LLC AIR002237 416,464 1,027,232 431,916 1,875,612 BEECHER'S HANDMADE CHEESE, LLC AIR001562 402,730 800,375 661,764 1,864,869 HSI BFF SEA FB LLC AIR002680 - 659,126 1,194,744 1,853,871 SSP AMERICA SEA LLC AIR002238 432,024 1,003,579 415,475 1,851,078 QDOBA RESTAURANT CORPORATION AIR002096 614,648 858,053 351,133 1,823,834 DUFRY - SEATTLE JV AIR001661 1,731,280 - - 1,731,280 HOST LPI SEA FB LLC AIR002361 356,279 880,251 384,527 1,621,058 TOTAL $ 18,624,988 $ 27,484,786 $ 19,903,863 $ 66,013,637 *Actuals through 8/31/2022. 4848 Appendix B – Lease/Concession Risk Universe (continued) Low Revenue: Name Contract 2020 2021 2022* Total SODEXO AMERICA LLC AIR001513 $ 345,768 $ 758,835 $ 506,351 $ 1,610,954 BAMBUZA SEA-TAC VENTURES AIR002365 359,917 842,295 383,453 1,585,664 LYFT AIR002023 1,564,344 - - 1,564,344 SEATTLE AIR VENTURES JV AIR002732 1,517,561 1,517,561 FIREWORKS AIR002101 387,312 758,161 285,730 1,431,203 SEATTLE AIR VENTURES JV AIR002366 - 370,983 1,044,405 1,415,388 DUFRY - SEATTLE JV AIR002665 - 920,544 448,630 1,369,174 CONCOURSE CONCESSIONS LLC AIR002055 404,319 723,072 195,145 1,322,536 PALLINO SEATAC LLC AIR002241 304,578 583,360 241,121 1,129,059 SEATAC BAR GROUP LLC AIR002053 255,399 625,631 243,765 1,124,796 1915 KCHOUSE CONCEPTS-SEATAC LLC AIR002265 262,302 489,339 351,086 1,102,727 THE YARROW GROUP LLC AIR002233 333,701 518,217 227,425 1,079,343 MAD ANTHONY'S INC CHINOOK SEA000043 373,214 355,755 260,446 989,415 BF FOODS LLC AIR002232 276,977 459,352 213,414 949,742 DILETTANTE CHOCOLATES INC AIR002094 278,554 457,907 194,578 931,039 PAYLESS CAR RENTAL INC AIR001451 143,888 333,638 363,323 840,850 SSP AMERICA SEA LLC AIR002358 238,623 400,331 195,886 834,840 US BANK AIR001505 292,524 437,800 53,250 783,574 WBB C.I. CREWS, LLC AIR002468 118,791 345,273 229,143 693,207 CI CREWS SEA LLC AIR002624 - 208,553 464,153 672,706 SSP AMERICA SEA LLC AIR002370 9,017 210,008 436,758 655,782 FRUIT & FLOWER LLC DBA FLORET AUTHORITY AIR002063 160,659 296,965 159,506 617,130 DOUG FOX TRAVEL/ATZ AIR002729 - - 574,265 574,265 MAD ANTHONY'S INC PIER 66 SEA000294 198,552 179,788 181,187 559,527 HOST INTERNATIONAL, INC AIR002678 - 148,800 381,013 529,813 *Actuals through 8/31/2022. 49 Appendix B – Lease/Concession Risk Universe (continued) Low Revenue (continued): Name Contract 2020 2021 2022* Total HOST INTERNATIONAL, INC AIR000435 $ 182,562.29 $ 332,842.00 - $ 515,404.29 HOST INTERNATIONAL, INC AIR002679 - 168,492 322,736 491,228 MARMOT MOUNTAIN LLC DBA EXOFFICIO AIR002364 37,319 181,969 207,204 426,493 INMOTION SEA LLC AIR002103 133,727 189,233 78,992 401,951 SEATTLE CHOCOLATES COMPANY LLC AIR002093 99,875 201,976 82,199 384,050 SEATTLE AIR VENTURES JV AIR002355 95,358 165,004 75,158 335,520 SMARTE CARTE INC AIR002588 199,237 105,475 304,713 LENLYN LIMITED AIR001788 298,549 - - 298,549 SSP AMERICA SEA LLC AIR002369 6,635 177,071 110,365 294,071 SUNS INC AIR002054 44,332 121,433 119,950 285,716 LADY YUM LLC AIR002467 43,936 148,203 66,931 259,070 AIRPORT MANAGEMENT SERVICES LLC AIR002430 62,912 166,522 - 229,433 TRAVEL CONTENT LLC AIR002628 - 112,500 112,500 225,000 PLANEWEAR LLC AIR002372 14,213 143,380 64,282 221,876 SMARTE CARTE INC AIR000629 170,844 41,409 - 212,253 LATRELLES EXPRESS INC AIR002486 - 33,362 178,434 211,796 SUB POP RECORDS AIR001816 58,637 108,222 38,139 204,998 AIRPORT CHANNEL AIR002445 162,707 37,500 - 200,207 CONCOURSE CONCESSIONS LLC AIR002545 2,361 95,584 87,672 185,617 TERMINAL GETAWAY SPA SEATTLE, LLC AIR002095 54,917 79,097 50,855 184,868 BILL & NICK INCORPORATED SEA000016 55,253 72,105 57,448 184,806 MSM CORPORATION SEA002783 66,425 67,541 45,080 179,047 GLACIER FISH COMPANY LLC SEA003383 - 150,000 - 150,000 E-Z RENT-A-CAR AIR001439 116,895 - - 116,895 GUNWOO & JINAH INC SEA003337 37,868 48,250 26,511 112,629 SHILSHOLE BAY FUEL DOCK SEA002355 38,592 38,706 25,728 103,025 LATRELLE'S FLIGHT KITCHEN LP AIR002531 - - 96,595 96,595 MAREL SEATTLE INC SEA001010 93,852 - - 93,852 PUBLICANS INC SEA002494 56,967 28,607 - 85,574 BF FOODS LLC AIR002491 80,738 - - 80,738 *Actuals through 8/31/2022. 50 Appendix B – Lease/Concession Risk Universe (continued) Low Revenue (continued): Name Contract 2020 2021 2022* Total LENLYN LIMITED AIR002664 - $ 41,493.80 $ 38,150.23 $ 79,644.03 PUBLICANS INC SEA003537 - 29,252 46,795 76,047 SMARTE CARTE INC AIR002097 13,059 39,158 23,616 75,833 CHALO LLC AIR002270 23,681 29,790 18,836 72,307 UNITED INDIANS OF ALL TRIBES FOUNDATION AIR002387 17,929 39,729 10,055 67,714 CLEAN ENERGY FUELS CORP AIR001655 1,970 6,012 40,449 48,431 PLANEWEAR LLC AIR001971 38,404 - - 38,404 DELTA AIR LINES INC AIR002309 6,260 15,657 15,617 37,533 SILVERCAR, INC AIR002203 36,691 - - 36,691 LADY YUM LLC AIR002331 35,826 - - 35,826 SHARA LLC DBA SHOW PONY AIR002330 10,296 15,026 4,697 30,018 ALASKA AIRLINES INC AIR002299 4,304 13,836 10,364 28,504 SSP AMERICA SEA LLC AIR002617 - - 27,681 27,681 CERTIFIED FOLDER DISPLAY SERVICE INC AIR001641 18,462 4,000 - 22,462 REPUBLIC PARKING NORTHWEST INC SEA000424 15,572 3,118 2,345 21,035 GLOBAL CONCESSIONS GROUP LLC AIR002632 - 9,820 5,876 15,696 AIRPORT MANAGEMENT SERVICES LLC AIR000437 15,557 - - 15,557 CERTIFIED FOLDER DISPLAY SERVICE INC AIR002625 - 9,858 5,460 15,318 TRICOPIAN DBA FUELROD AIR002469 4,259 6,372 3,259 13,890 AMERICAN EXPRESS TRAVEL AIR001877 1,703 5,408 6,585 13,695 LUCKY SHOE SHINE LLC AIR002466 3,496 6,301 2,191 11,988 MAC-GRAY SERVICES SEA002097 9,513 - - 9,513 ME & MOM'S HATS DBA SEATTLE HAT$ AIR002141 9,000 - - 9,000 AIRPORT MANAGEMENT SERVICES LLC AIR002529 1,448 2,668 3,859 7,976 WINGZ, INC AIR002580 - 3,078 4,589 7,667 AIRPORT MANAGEMENT SERVICES LLC AIR001773 6,914 - - 6,914 PLANEWEAR LLC AIR002501 703 2,591 1,339 4,633 UNITED AIRLINES AIR002327 602 455 2,083 3,140 WINGZ, INC AIR002020 2,376 - - 2,376 MAC-GRAY SERVICES SEA001479 946 104 48 1,097 BABY FOODIE LLC AIR002702 - - 90 90 FLY BABY LLC DBA LIGHTLY AIR002572 - 34 33 66 TOTAL $ 8,602,881 $ 13,816,610 $ 11,377,868 $ 33,797,360 *Actuals through 8/31/2022. 51 Appendix C – Aging of Outstanding Issues as of November 22, 2022 Performance, Capital, Information Technology, and Limited Contract Compliance Audits Days Outstanding Days Outstanding Audit Type Audit Description Rating Report Date Target Date (from Report Date) (from Target Date) IT AVM/Facility &Infrastructure Data Centers Physical access to facilities High 12/4/2018 No date supplied 1449 N/A IT AVM/Facility &Infrastructure Data Centers Protection against environmental High 12/4/2018 No date supplied 1449 N/A Performance Marine Maintenance Shop Keys and badges tracking High 6/14/2019 12/31/2023 1257 -404 IT HIPAA Security Security Sensitive High 9/4/2019 7/31/2020 1175 844 Performance Architecture & Engineering Determine fair and reasonable rates High 12/9/2019 6/30/2020 1079 875 Performance Architecture & Engineering Management review over max rates High 12/9/2019 6/30/2020 1079 875 Performance Architecture & Engineering Contract rate accuracy High 12/9/2019 6/30/2020 1079 875 IT Continuous Vulnerability Management Security Sensitive High 11/29/2021 12/31/2022 358 -39 IT Continuous Vulnerability Management Security Sensitive High 11/29/2021 12/31/2022 358 -39 IT Continuous Vulnerability Management Security Sensitive High 11/29/2021 12/31/2022 358 -39 IT Disaster Recovery Capability Security Sensitive Medium 11/29/2017 No date supplied 1819 N/A IT AVM/Facility &Infrastructure Data Centers Physical facilities management Medium 12/4/2018 No date supplied 1449 N/A IT Security of Personal Identifiable Information Security Sensitive Medium 2/26/2019 3/31/2020 1365 966 IT HIPAA Security Security Sensitive Medium 9/4/2019 7/31/2020 1175 844 IT Closed Network System Security Security Sensitive Medium 9/5/2019 6/30/2020 1174 875 IT Inventory and Control of Hardware Assets Security Sensitive Medium 11/12/2019 6/30/2023 1106 -220 IT Network Password Management Security Sensitive Medium 3/20/2020 12/31/2021 977 326 IT Network Password Management Security Sensitive Medium 3/20/2020 9/30/2020 977 783 IT Secure Configuration for Hardware and Software Security Sensitive Medium 8/21/2020 12/31/2021 823 326 on Mobile Devices, Laptops, Workstations and Servers IT Secure Configuration for Hardware and Software Security Sensitive Medium 8/21/2020 12/31/2021 823 326 on Mobile Devices, Laptops, Workstations and Servers Lease/Concession Concourse Concessions LLC RE-2 policy review Medium 9/10/2020 12/31/2020 803 691 IT Inventory and Control of Software Assets Security Sensitive Medium 11/24/2020 12/31/2021 728 326 IT Inventory and Control of Software Assets Security Sensitive Medium 11/24/2020 12/31/2021 728 326 IT Continuous Vulnerability Management Security Sensitive Medium 11/29/2021 6/30/2022 358 145 IT Account Management - ICT Security Sensitive Medium 3/15/2022 6/1/2023 252 -191 IT Account Management - ICT Security Sensitive Medium 3/15/2022 3/1/2023 252 -99 Performance ACH Payment Fraud Required training Medium 3/30/2022 6/30/2022 237 145 IT Audit Log Management - Aviation Maintenance Security Sensitive Medium 6/2/2022 12/31/2023 173 -404 IT Audit Log Management - Aviation Maintenance Security Sensitive Medium 6/2/2022 12/31/2022 173 -39 IT Audit Log Management - Aviation Maintenance Security Sensitive Medium 6/2/2022 12/31/2022 173 -39 Lease/Concession The Hertz Corporation Investigate Under-collections Medium 6/3/2022 12/31/2022 172 -39 IT T2 Airport Garage Parking System Replacement Security Sensitive Medium 11/11/2022 6/2/2023 11 -192 IT Audit Log Management - ICT Security Sensitive Medium 11/22/2022 1/31/2023 0 -70 IT Audit Log Management - ICT Security Sensitive Medium 11/22/2022 6/1/2023 0 -191 52
Limitations of Translatable Documents
PDF files are created with text and images are placed at an exact position on a page of a fixed size.
Web pages are fluid in nature, and the exact positioning of PDF text creates presentation problems.
PDFs that are full page graphics, or scanned pages are generally unable to be made accessible, In these cases, viewing whatever plain text could be extracted is the only alternative.