Port Audit Committee Slides

1. Presentation

Port Audit Committee Slides

Financial Stewardship Accountability Transparency
Port of Seattle Audit Committee
Internal Audit Update
Glenn Fernandes - Director, Internal Audit

September 7, 2023
P69 Commission Chambers
9:00 AM – 11:00 AM

Operational Excellence Governance

Department Overview Item #4
Internal Audit, through an annual audit plan, provides assurance that
the Port’s controls are effective and efficient. The department facilitates
four public Audit Committee meetings per year and non-public Audit
Committee meetings as needed.
The department facilitates RCW required Independent Audits on General
Constructor/Construction Management (GC/CM) Projects and periodically
performs the required Payment Card Industry Audit.
The department provides advisory services to the Port, to the extent that it
does not compromise the department’s independence.
The department maintains its independence and objectivity by reporting
functionally to the Audit Committee and administratively to the
Executive Director.
2

2024 Department Major Initiatives Item #4
 Manage RCW Required Independent Audits for GC/CM Capital Projects.
 Enhance Concession Audit Program and increase volume.
 Standardize repetitious functions.
 Enhance usage of automation tools.
 Minimize impact to concessionaires.
 Develop a tracking and enforcement system to assure compliance with
the Equity Policy Directive including:
 Anti Human Trafficking Policies
 Potential Third-Party Code of Conduct

Internal Audit Organization Structure Item #4

2024 Budget Overview Item #4
Note: Run report from AI and paste results here. To edit, double click on table or right click,
choose Worksheet Object, open Excel worksheet.
Internal Audit (2280) 2022 2023 2024 2023 to 2024 2023 to 2024
Line Account Description Budget Budget Budget Budget Change $ Budget Change %
1 Salaries and Benefits $ 1,706,357 $ 1,979,053 $ 2,083,191 $ 104,138 5.3%
2 Equipment Expense $ 2,749 $ 4,063 $ 563 $ (3,500) (86.1%)
3 Supplies & Stock $ 1,000 $ 1,000 $ 1,000 $ - 0.0%
4 Outside Services $ 297,090 $ 140,928 $ 42,095 $ (98,833) (70.1%)
5 Travel & Other Employee Exp $ 27,695 $ 52,261 $ 52,287 $ 26 0.0%
6 Promotional Expenses $ - $ - $ - $ - 0.0%
7 General Expenses $ 3,893 $ 702 $ 505 $ (197) (28.1%)
8 Other Expenses $ 8,890 $ 8,801 $ 8,397 $ (404) (4.6%)
9 Total Charges To Capital $ (180,000) $ (139,408) $ - $ 139,408 (100.0%)
Non-Payroll Subtotal $ 161,317 $ 68,347 $ 104,847 $ 36,500 53.4%
Total $ 1,867,674 $ 2,047,401 $ 2,188,038 $ 140,637 6.9%

Item #4
New Budget Request
Operating &
Full Year 2024 Cash Priority
Item # Short Description Maintenance Request Type No. of FTEs
including Capital (H/M/L)
Expenses
1 Outside Temp Services – Backfill $40,000 $40,000 One-Time 0 Medium
for Staff on Maternity Leave
To ta l $40,000 $40,000 0

(Capitalized) Outside Services Item #4
GC/CM Audit Costs (Outside Services) are now directly capitalized to the projects and are not reflected
in the expense budget. Below is a summary of GC/CM Spend for informational purposes.
Estimated
Estimated Audit Spend
Project Construction Project Timing
over Life of Project
Cost
Post IAF Airline Realignment $65 MM $222,445 In Process Estimated completion 2027
C Concourse Expansion Project $49.2 MM $304,000 In Process Estimated completion 2026
Main Terminal Low Voltage Project $55 MM $73,555 In Process Estimated completion 2026
South Concourse Evolution $1 B $900,000 Estimated 1st Qtr. 2024 - 2032
Primary Fire Station (Eastside) $15 MM $13,500 Estimated 3rd Qtr. 2023 - 2026
Industrial Wastewater Treatment Plant - $92 MM $82,800 Estimated 3rd Qtr. 2024 - 2029
Heavy Civil GC/CM
Baggage Optimization 3 $300 MM $270,000 Estimated 3rd Qtr. 2023 - 2027
Concourse HVAC Improvement $200 MM $180,000 Estimated 2nd Qtr. 2025 - 2031
Renewal/Replacement Program (CHIRRP)
Terminal 25 Restoration (Heavy Civil GC/CM) Not Available Not Available Estimated 2025 - 2028
Main Terminal Improvement Program $520 MM $499,200 Estimated 4th Qtr. 2024 - 2034
To ta l $2.296 B $2,545,500

Open Issue Status – Aging Report as of August 23, 2023 Item #5

1. Eight issues outstanding for over one year from the Target Date consist of:
 Architecture & Engineering (2) - Fair and Reasonable Rate Determination and Management Review Over Max Rates: CPO-1, Port Policy for Consulting Services, was
updated to include a definition that aligns to the RCW 39.80.050, Procurement of Architectural and Engineering Services – Contract Negotiations. However, a specific
mark-up has not been defined. This appears to be on the agenda for the Procurement Council in September of 2023.
 Information Technology Audits (6) (Security Sensitive - Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session.): These are:
Closed Network System Security (1), Network Password Management (2), Secure Configuration for Hardware & Software on Mobile Devices, Laptops, Workstations and
Servers (2), and Continuous Vulnerability Management (1).
2. Three Information Technology issues do not have Target Dates and are not included in this chart. These issues are in the process of being addressed, however, they are more
than two years past the Report Date: Aviation Maintenance and Facilities & Infrastructure Data Centers (3).
See Appendix A for a detailed listing of outstanding issues, including: Report Finding, Issue Owners, and Current Status, as of August 23, 2023.

Approved 2023 Audit Plan Item #6
Limited Contract Compliance Performance Information Technology
• Louis Dreyfus Company Washington LLC • Port-wide Payroll Controls • Email and Web Browser Protections (ICT and
• Seattle Air Ventures, JV1 • Airport Parking Garage Aviation Maintenance)4
• ATZ, Inc. dba Doug Fox Parking • Equity Policy Directive Compliance2 • Network Infrastructure Management (ICT)7
• Social and Environmental Reporting • Network Infrastructure Management (Aviation
• Fishermen’s Terminal Maintenance)
• Police Department3,4 • Security Awareness and Skills Training
Capital
• T-5 Berth Modernization
• Supply Chain Disruption Management
• C Concourse Expansion (Pre-construction) GC/CM5
• Main Terminal Low Voltage System Upgrade GC/CM5
• T-117 Sites 23-25 Restoration Construction Project
GC/CM5
• Concourse A Building Expansion for Lounges/DELTA
TRA3
• Post IAF Airline Realignment GC/CM Constructio5,6
1. Two separate audits were originally planned for different lease agreements; however, they were combined for administrative efficiency, due to substantially similar processes.
2. This audit is deferred to 2024. The policy was recently approved by the Commission, and it is too early to assess compliance with it.
3. This is a contingency audit per the Approved 2023 Audit Plan.
4. The audit name has changed to reflect the expanded audit scope.
5. RCW 39.10.385 requires an independent audit, paid for by the public body, to confirm the proper accrual of costs, for General Contractor/Construction Manager (GC/CM) projects. This audit work will be performed by
external, contract auditors through a multi-year, Indefinite Delivery, Indefinite Quantity (IDIQ) contract. Year-end status report will be provided at the December Audit Committee. Internal Audit will perform
continuous cost reviews of these projects, review areas that are not looked at by the contract auditors, and partner with the contract auditors as needed. Internal Audit will issue an audit report on areas covered.
6. Due to construction delays, this audit is deferred to 2024.
7. Due to resource constraints, this audit is deferred to 2024.

Item #6
2023 AUDIT PLAN STATUS
Audit Title Type Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
Port-wide Payroll Controls Performance
Airport Parking Garage Performance
Social and Environmental Reporting Performance
Fishermen's Terminal Performance
Police Department1,2 Performance
Supply Chain Disruption Management Performance - Capital
Terminal 5 Berth Modernization Project Performance - Capital
C Concourse Expansion (Pre-construction) GC/CM3 Performance - Capital
Main Terminal Low Voltage System Upgrade GC/CM3 Performance - Capital
T-117 Sites 23-25 Restoration Construction Project GC/CM3 Performance - Capital
Concourse A Building Expansion for Lounges/DELTA TRA1 Performance - Capital
Email and Web Browser Protections (ICT and Aviation Maintenance)2 IT
Network Infrastructure Management (Aviation Maintenance) IT
Security Awareness and Skills Training IT
Louis Dreyfus Company Washington LLC Contract Compliance
Seattle Air Ventures, JV 4 Contract Compliance
ATZ, Inc. dba Doug Fox Parking Contract Compliance
Equity Policy Directive Compliance5 Performance
Post IAF Airline Realignment - GC/CM Construction3,5 Performance - Capital
Network Infrastructure Management (ICT)5 IT
Complete
In Process
KEY
Not Started
Deferred to 2024
1. This is a contingency audit per the Approved 2023 Audit Plan.
2. The audit name has changed to reflect the expanded audit scope.
3. RCW 39.10.385 requires an independent audit, paid for by the public body, to confirm the proper accrual of costs, for General Contractor/Construction Manager (GC/CM) projects. This audit
work will be performed by external, contract auditors through a multi-year, Indefinite Delivery, Indefinite Quantity (IDIQ) contract. Year-end status report will be provided at the December
Audit Committee. Internal Audit will perform continuous cost reviews of these projects, review areas that are not looked at by the contract auditors, and also partner with the contract auditors
as needed. Internal Audit will issue an audit report on areas covered.
4. Two separate audits were originally planned for different lease agreements; however, they were combined for administrative efficiency, due to substantially similar processes.
5. This audit is deferred to 2024.

Item #s 7, 8, and 12
Audits Completed in Third Quarter, 2023
1) C Concourse Expansion Project (Pre-Construction) (Item #7)
2) Main Terminal Low Voltage System Upgrade Project (Pre-Construction)
(Item #8)
3) Louis Dreyfus Company Washington LLC (Item #12)

C Concourse Expansion Project (Pre-Construction) Item #7
The Concourse C Expansion Project spans the C and D Concourses with
additional dining and retail, adding amenities such as an Interfaith Prayer and
Meditation room, a Nursing Suite, and an all-new, more than 20,000 square
foot Alaska Airlines Lounge.
The project will increase the existing 81,000 square foot building into a 226,530
square foot facility.
Turner Construction Company (Turner) was selected as the General
Constructor/Construction Manager (GC/CM) for this project in December 2020.
The pre-construction work started in December 2020 and is anticipated to be
completed in the fall of 2023.

C Concourse Expansion Project (Pre-Construction) Item #7
The pre-construction contract total at the time of the report was approximately
$4.44 million, which included approximately $1.94 million in change orders.
RCW 39.10.385 requires an independent auditor to confirm the proper accrual
of costs for any alternatively selected subcontractors. R.L. Townsend &
Associates LLC, a nationally recognized, Construction Audit firm, was engaged to
perform this part of the work.
Our work focused on review of GC/CM expenses for accuracy and contract
compliance.
Additionally, we performed a “Labor Rate Analysis,” by looking at the build-up
of Labor Rates used in the contract.

Item #7
1) Rating: Medium
The model that was used to determine billable rates for contractor’s
staff, utilized inputs that could result in paying higher than market
rates for labor.
There are generally two industry standard approaches an owner can take when approving
contractor rates: 1) using a Rate Tool or “market rate” analysis, which uses an in-house
model to price each position title, or 2) using a Cost-Plus approach, which includes
negotiating a profit margin and vetting the build-up of proposed rates.
CPO used a Rate Tool that integrates Market Survey Data, Port Historical Data, and Firm
Data, to negotiate rates for each position title.
Turner was paid the negotiated rate for each position, which was generated from the rate
tool.
Within the contract, Turner used a rate build-up for each position, which equaled the
negotiated rate.
14

Issue Continued:
Attached to Contract
Negotiated Rate by
Internal Rate Tool Turner’s Rate Build-up
Position/Individual

We looked at Turner’s Rate Build-up to identify anything that was incorrect, excessive, etc.
In essence, we performed a Cost-Plus Build-up, which we then compared to the Negotiated Rate.
We identified several items that would be questioned if a Cost-Plus method was employed, such as:
 Lack of detail on the build-up of “Base Cost.”
 Benefits charged in Turner’s model included items that are often not allowed. For example:
End of Year Premium Pay Bonuses/Staff Retention
Tuition Reimbursement Employee Assistance Programs
 General Liability Insurance rate of 1.2% vs Industry Standard Range of 0.50 % - 0.75%.
 A Virtual Design and Construction rate of between $5 and $75 per hour. After discussions with
Turner, they indicated that these rates should be $6.14.
 “B&O tax” percentage of 2.5% vs Washington State Construction B&O rate of 0.471%.

Item #7
Issue Continued:
 Upon a recalculation of adjusted rates with the information provided by Turner, we determined
that, if a Cost-Plus methodology had been employed, the billed cost to the Port could have
been between approximately $160,316 and $257,974 less than the rates generated from the
Port’s rate tool, dependent on the negotiated fee with the contractor.
Additionally:
 The Agreement language on allowable billable rate build-up was vague, which increased the
risk of rate components being included that normally would not be or, included in multiple
areas.
 Examples include: the Agreement stated in part, “The hourly labor rates cover the GC/CM's
direct and indirect costs or expenses…. including but not limited to..." Additionally, it allowed
for the inclusion of "home office overhead and profit" without specifying further details,
leading to a broad interpretation of allowable items.

Item #7
Recommendations
1. CPO should either modify the inputs to the current rate tool or
employ a Cost-Plus approach.
2. CPO should work with Legal to strengthen preconstruction services
agreement language to help decrease the possibility of
misinterpretation.

2) Rating: Medium Item #7
The Port’s oversight process and documentation could be improved to support
justifications for approving rates above the Market Maximum, and collaboration
with other departments or teams.
 We reviewed CPO’s “market rate” analysis process and noted some of Turner’s staff members
were not subject to negotiation, nor was any documented evidence of the negotiation found. The
total that was billed so far to the project for these staff members was $1.34 million.
 We observed instances where certain Turner employees were approved rates that exceeded the
Market Maximum allowed rate for their respective titles. CPO explained that such approvals over
the maximum were permissible, in certain cases, if the contractor provided documentation
justifying the higher rate, and the rate was within the Port’s Historical Maximum. However, no
records were maintained.
 Reasons cited for the absence of documentation was that the rate analyst, responsible for
approving these rates, was no longer employed by the Port.
 Based on our review, we were unable to ascertain whether rates for all Turner staff members were
subject to negotiation or if the approval of higher rates (above the Market Maximum) was
adequately supported.
18

Item #7
Recommendations
1. CPO should establish a comprehensive documentation process, and
clear guidelines for negotiations and approvals of rates for
contractor staff. This includes maintaining records of negotiations,
justifications for rates above the Market Maximum, and
collaboration with other departments or teams.

Item #7
Management Response – Issue 1
Management does not concur with the finding.
Port negotiated fair and reasonable billing rates, and the review of
cost information did not account for risk and contract administration.
Potential savings from cost reimbursement contracts were
miscalculated.

DUE DATE: 12/31/2023 Management will discuss in detail. (Full response in Audit Report No. 2023-09)

Item #7
Management Response – Issue 2
Port did conduct negotiations of all contract rates, and we
believes the negotiations were documented appropriately. We
will take the opportunity to review our process, guidance
documents, and record retention.

DUE DATE: 12/31/2023 Management will discuss in detail. (Full response in Audit Report No. 2023-09)

3) Rating: Medium Item #7
We identified opportunities for Port Management to strengthen controls during the pay
application review process. Additionally, we identified several instances where there has
been a lack of adherence to the stipulated Agreement. These observations highlight
opportunities to enhance oversight and assure compliance with contractual
requirements.
 Review process: We reviewed Pay Applications (PA) 1-27 and noted instances where supporting documentation was not
present, and/or contract requirements were not followed. Examples included:
 After PA 11, timesheets were not submitted. Upon inquiry, Port Management confirmed that they had given the
direction to discontinue the practice due to excessive workload involved.
 Our test of billed hours determined that the Port had been overbilled $997.05. Turner indicated that they would
make the adjustment on the May 2023 PA. We verified that there was an adjustment on PA 29.
 A total of $924,039 in forecasted payments were spread across 27 pay applications, resulting in an average monthly
payment of $34,224. There was no dedicated review process in place to ensure the completion of services and
subsequent reimbursement to the Port for these forecasted prepayments. We noted that, while Washington State
Law does not explicitly prohibit prepayments, the Agreement only allowed reimbursements of actual incurred costs.
 Personnel and staff changes occurred during the pre-construction phase, and Port Management failed to provide
the necessary support stipulated in the contract for certain changes. These individuals worked hours totaling around
$190,000, without verification from the Port. To validate the cost reasonableness, we directly sought support from
Turner, who supplied agreed-upon rates for most of these individuals.
22

Item #7
Recommendations
1. Maintain timesheets for everyone to track the days worked, with
careful verification of hours and rates during the Pay Application
review process.
2. Follow existing Standard Operating Procedures to pay for services
rendered.
3. Maintain supporting documentation of Port Management approval
for all key personnel changes. For any staff change including key or
supplemental staff, there should be support provided for a
negotiated agreed upon rate.

Item #7
Management Response
Engineering Construction Management agrees with these
recommendations and will continue to train staff to improve
compliance with existing requirements. Additionally, Engineering
Construction Management will ensure Standing Operating
Procedures thoroughly capture GC/CM specific procedures.

DUE DATE: 12/31/2023 Management will discuss in detail. (Full response in Audit Report No. 2023-09)

Main Terminal Low Voltage System Upgrade Project Item #8
(Pre-Construction)
General Contractor/Construction Manager (GC/CM) contract was executed on August 9,
2019, with M.A. Mortenson.
Initial Not-to-Exceed amount was $1.5 million but was expected to increase since design
was less than 30% complete.
In August of 2021, an additional $1.5 million was authorized to fund the remainder of the
Pre-Construction services, bringing the total budget to $3 million.
Pre-Construction was completed in November 2022 with an anticipated construction
completion in early 2026.
Total budgeted cost is approximately $120 million, with a 7% Women-Owned and
Minority-Owned Business Enterprise aspirational goal.
Areas reviewed:
 Change Orders - No deficiencies noted.
 Pay Applications - Recommendations for improvement noted.
 Contingency - Recommendations for improvement noted.
25

1) Rating: Medium Item #8
We identified opportunities for Engineering Construction Management to
strengthen controls during the pay application review process. Additionally,
supporting documentation to show compliance with the Port’s Standard Operating
Procedure 40.08, State law, and the Contract, was not always maintained.
Non-labor costs totaling $1,223 were overpaid for expenses identified in the contract as
non-reimbursable costs (including security badges, delivery services and parking).
Timesheets were not submitted by the GC/CM as required. Our review identified a total of
$7,387 in overpayments.
Documentation of approval for a Key Personnel change (Project Manager) was not
maintained, as required by the contract.
The Contingency budget and Other Stipulated Direct Costs budget were used for expenses
related to completing pre-construction areas, not for expenses outlined in the contract and
change order. Additionally, the Port’s approval for using these budgets was not maintained.

Recommendations Item #8
Construction Management should:
1. Review overpayments identified in the audit and collect overpayment from
the GC/CM, as appropriate.
2. Assure compliance with Standard Operating Procedure 40.08, the Washington
State Auditor’s Budgeting, Accounting and Reporting System (BARS) GAAP
Manual 3.1.4.10/RCW 43.09.200, and the Contract, by requiring the GC/CM to
submit all required documentation to support transactions. For example,
timesheets should be obtained as supporting documentation for the Pay
Applications.
3. Maintain supporting documentation of Port management approval for all key
personnel changes. For any staff changes, including key or supplemental staff,
there should be support provided for a negotiated agreed upon rate.
27

Management Response Item #8
1. Engineering Construction Management will review the identified
overpayments and collect reimbursement as appropriate.
2. Engineering Construction Management, in collaboration with Central
Procurement Office (CPO), and AV/Waterfront Project Management, will
review documentation requirements for GC/CM preconstruction services
contracts and ensure all SOPs contain GC/CM specific procedures.
3. Engineering Construction Management agrees with the recommendation and
will continue to train staff to improve compliance with these existing
requirements.
DUE DATE: 12/31/2023 Management will discuss in detail. (Full response in Audit Report No. 2023-10)

Item #12
Louis Dreyfus Company Washington LLC (Louis Dreyfus)
As a company, it has had an active presence in the US since 1909 and is involved
in diverse industries worldwide.
Top exporter of various agricultural commodities, such as cotton, soybeans,
wheat and corn.
Operator of the Port’s Grain Facility at Terminal 86.
Terminal is a completely automated grain facility, which assures quick and
efficient movement of commodities from trucks and/or rail cars to silos and
ships’ holds.
Total storage capacity is approximately 4 million bushels (101,000 metric tons)
WA State Department of Agriculture is responsible for the independent
certification of grain quality and quantity.

Item #12
Louis Dreyfus Company Washington LLC (Louis Dreyfus)
 Breakdown of commodities exported during audit period:

Commodity Year
(in Metric Tons) 2020 2021 2022
Yellow Corn 1,240,437 1,904,159 1,859,757
Soybeans 2,751,841 1,485,865 1,870,459
Grain Sorghum 247,526 467,779 660,395
Total 4,239,804 3,857,803 4,390,611

Item #12
Louis Dreyfus Company Washington LLC (Louis Dreyfus)
Lease agreement between Louis Dreyfus and the Port was signed in November
2014, allowing Louis Dreyfus to operate the Terminal.
Monthly payment consists of base rent and a concession fee (tonnage rent fee)
based on loaded ship tonnage.
The table below reflects the yearly base rent and tonnage rent during the audit
period:
Year Tonnage Rent Base Rent Total
2020 $ 4,273,743 $ 1,097,511 $ 5,371,254
2021 $ 5,451,248 $ 1,082,405 $ 6,533,652
2022 $ 5,077,095 $ 1,085,105 $ 6,162,200
Total $ 14,802,086 $ 3,265,021 $ 18,067,106

Item #12
No Issues
Internal Audit concluded that Louis Dreyfus materially complied
with the significant terms of the Agreement.

Appendix
A – Aging of Outstanding Issues as of August 23, 2023

Appendix A – Aging of Outstanding Issues as of August 23, 2023
Performance, Capital, Information Technology, and Limited Contract Compliance Audits
Days Outstanding Days Outstanding
Audit Type Audit Rating Report Date Target Date (from Report Date) (from Target Date) Issue Owner Report Finding Current Status from Management as of 8/23/2023
IT AVM/Facility & Infrastructure Data Centers High 12/4/2018 No date supplied 1723 N/A Director, Aviation Security Physical Access to Facilities F&I Response: There is a project to add card readers to
All rooms in our sample were protected with varying levels of communications room doors in the passenger terminal areas.
restricted access. Some were well protected, allowing few The project is scheduled to be at physical completion in Q2
individuals access, while others allowed access to hundreds of 2025.
people with no legitimate business need.
IT AVM/Facility & Infrastructure Data Centers High 12/4/2018 No date supplied 1723 N/A Director, Aviation Security Protection Against Environmental Factors F&I Response: Project U00494 replacing water-based
Facilities should be protected against fire and water damage. sprinklers with clean-agent fire suppression in 6 critical
In our sample of 31 rooms, 35% of the rooms did not have fire communications rooms (MDR 1, MDR 2, MDR 3, MER/ES,
suppression capability and 55% did not have fire MER/VD, CER) has anticipated Substantial Completion date of
extinguishers. Four rooms had Halon fire extinguishers which Q2 2026. Alternatives to Halon clean-agent fire suppression
are ozone-depleting and do not support the Port’s value for have been investigated, but major drawbacks exist (e.g. PFAS,
being a responsible steward of the environment. asphyxiation from CO2, large space requirements). Water
Mist per NFPA 750 may be a promising solution. No update on
other rooms nor fire extinguishers. More discussion is needed
regarding fire rating of communications room doors.
Performance Architecture & Engineering High 12/9/2019 6/30/2020 1353 1149 Director, Central Procurement CPO had not established guidelines for what is determined fair CPO-1, Port Policy for Consulting Services, was updated to
Office and reasonable. Our testing of over 400 A&E consultants include a definition that aligns to the RCW 39.80.050,
identified many instances where profit markups exceed what Procurement of Architectural and Engineering Services –
the industry deemed reasonable. Contract Negotiations. However, a specific mark-up has not
been defined. This appears to be on the agenda for the
Procurement Council in September of 2023.
Performance Architecture & Engineering High 12/9/2019 6/30/2020 1353 1149 Director, Central Procurement Management approval was not required when hourly rates CPO-1, Port Policy for Consulting Services, was updated to
Office exceeded the maximum rates produced by the service rate include a definition that aligns to the RCW 39.80.050,
negotiation tool / model. Procurement of Architectural and Engineering Services –
Contract Negotiations. However, a specific mark-up has not
been defined. This appears to be on the agenda for the
Procurement Council in September of 2023.
IT Security Awareness and Skills Training High 3/23/2023 6/1/2023 153 83 Chief Information Security Officer Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session

Appendix A – Aging of Outstanding Issues as of August 23, 2023
Performance, Capital, Information Technology, and Limited Contract Compliance Audits
Days Outstanding Days Outstanding
Audit Type Audit Rating Report Date Target Date (from Report Date) (from Target Date) Issue Owner Report Finding Current Status from Management as of 8/23/2023
Performance Port-wide Payroll Controls High 6/14/2023 12/31/2023 70 -130 Director, Aviation Maintenance The Maximo System used by the Aviation Maintenance Work-in-Progress: AVM is changing work processes in
Department (AVM) had generated semi-annual, preventive Maximo for appropriate work tracking. AVM will be
maintenance work orders for certain retired assets, requiring performing a gap assessment with the asset management
maintenance staff to spend up to 3 hours for each vendors to define processes, which will close the gap that
unnecessary work order over 10 years. was defined in the audit processes. Some of that work is done
in 2023 and more in 2024 to codify the onboarding and
disposal process. AVM has several systems and processes
that have to be coordinated across multiple groups at the
Port: AVM, AV Facilities & Infrastructure, AV Program
Management Group, and Engineering/Construction
Management, and Port Construction Services.
IT AVM/Facility & Infrastructure Data Centers Medium 12/4/2018 No date supplied 1723 N/A Director, Aviation Security Physical Facilities Management F&I Response: No change in status from previous quarter -
In our sample of 31 rooms, we noted that 52% of the rooms Project scope is being reviewed by F&I managers prior to
had equipment on the racks that was not properly secured, submittal.
and that 16% of equipment racks (while securely bolted to the
floors) lacked seismic bracing.
IT Closed Network Systems Security Medium 9/5/2019 6/30/2020 1448 1149 Chief Information Security Officer Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session
IT Inventory and Control of Hardware Assets Medium 11/12/2019 6/30/2023 1380 54 Chief Information Officer Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session
IT Network Password Management Medium 3/20/2020 12/31/2020 1251 965 Chief Information Security Officer Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session
IT Network Password Management Medium 3/20/2020 9/30/2020 1251 1057 Chief Information Officer Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session
IT Secure Configuration for Hardware and Software Medium 8/21/2020 12/31/2021 1097 600 Chief Information Security Officer Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session
IT Secure Configuration for Hardware and Software Medium 8/21/2020 12/31/2021 1097 600 Chief Information Security Officer Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session
on Mobile Devices, Laptops, Workstations and Chief Information Officer
IT Continuous Vulnerability Management Medium 11/29/2021 6/30/2022 632 419 Director, Aviation Maintenance Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session

Appendix A – Aging of Outstanding Issues as of August 23, 2023
Performance, Capital, Information Technology, and Limited Contract Compliance Audits

Days Outstanding Days Outstanding
Audit Type Audit Rating Report Date Target Date (from Report Date) (from Target Date) Issue Owner Report Finding Current Status from Management as of 8/23/2023
IT Account Management - ICT Medium 3/15/2022 6/1/2023 526 83 Chief Information Officer Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session
IT Audit Log Management - Aviation Maintenance Medium 6/2/2022 12/31/2022 447 235 Director, Aviation Maintenance Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session
Contract The Hertz Corporation Medium 6/3/2022 12/31/2022 446 235 Director, Aviation Commercial Hertz’s systems and records were unable to clearly discern Aviation Commercial Management continues to be in contact
Compliance Management which customers were eligible to receive a CFC waiver. with Hertz and Avis.
Internal Audit identified 3,081 rental tickets, totaling
approximately $173,000, where the CFC was not charged and
remitted. Hertz asserted that approximately $164,000 were
insurance replacement rentals and therefore allowable
exclusions.
IT T2 Airport Garage Parking System Replacement Medium 11/11/2022 6/2/2023 285 82 Chief Information Officer Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session
Chief Information Security Officer
Performance Fishermen's Terminal Medium 3/20/2023 3/31/2024 156 -221 Director, Maritime Operations and Billing and collection procedures at Fishermen’s Terminal were A request for an additional FTE to strengthen segregation of
Security informal and internal controls needed to be strengthened. We duties was submitted and pending budget approval.
identified underbilling of revenue and a sizable accounts
receivables balance primarily managed by one individual.
IT Security Awareness and Skills Training Medium 3/23/2023 6/1/2023 153 83 Chief Information Security Officer Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session
IT Security Awareness and Skills Training Medium 3/23/2023 6/1/2023 153 83 Chief Information Security Officer Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session
Chief Information Officer
Performance Port-wide Payroll Controls Medium 6/14/2023 1/31/2024 70 -161 Chief Information Officer Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session
Performance Social and Environmental Reporting Medium 6/20/2023 12/31/2023 64 -130 Director, Diversity in Contracting The Diversity in Contracting 2022 Annual Report contained Report was issued, 6/20/2023. No update required at this
duplicate WMBE firms. This highlights the need to perform time.
validation procedures (internal controls) so that duplicates can
be identified and removed.

Limitations of Translatable Documents

PDF files are created with text and images are placed at an exact position on a page of a fixed size.

Web pages are fluid in nature, and the exact positioning of PDF text creates presentation problems.

PDFs that are full page graphics, or scanned pages are generally unable to be made accessible, In these cases, viewing whatever plain text could be extracted is the only alternative.