1. Presentation
Port Audit Committee Slides
Financial Stewardship Accountability Transparency Port of Seattle Audit Committee Internal Audit Update Glenn Fernandes - Director, Internal Audit September 7, 2023 P69 Commission Chambers 9:00 AM – 11:00 AM Operational Excellence Governance Department Overview Item #4 Internal Audit, through an annual audit plan, provides assurance that the Port’s controls are effective and efficient. The department facilitates four public Audit Committee meetings per year and non-public Audit Committee meetings as needed. The department facilitates RCW required Independent Audits on General Constructor/Construction Management (GC/CM) Projects and periodically performs the required Payment Card Industry Audit. The department provides advisory services to the Port, to the extent that it does not compromise the department’s independence. The department maintains its independence and objectivity by reporting functionally to the Audit Committee and administratively to the Executive Director. 2 2024 Department Major Initiatives Item #4 Manage RCW Required Independent Audits for GC/CM Capital Projects. Enhance Concession Audit Program and increase volume. Standardize repetitious functions. Enhance usage of automation tools. Minimize impact to concessionaires. Develop a tracking and enforcement system to assure compliance with the Equity Policy Directive including: Anti Human Trafficking Policies Potential Third-Party Code of Conduct 3 Internal Audit Organization Structure Item #4 4 2024 Budget Overview Item #4 Note: Run report from AI and paste results here. To edit, double click on table or right click, choose Worksheet Object, open Excel worksheet. Internal Audit (2280) 2022 2023 2024 2023 to 2024 2023 to 2024 Line Account Description Budget Budget Budget Budget Change $ Budget Change % 1 Salaries and Benefits $ 1,706,357 $ 1,979,053 $ 2,083,191 $ 104,138 5.3% 2 Equipment Expense $ 2,749 $ 4,063 $ 563 $ (3,500) (86.1%) 3 Supplies & Stock $ 1,000 $ 1,000 $ 1,000 $ - 0.0% 4 Outside Services $ 297,090 $ 140,928 $ 42,095 $ (98,833) (70.1%) 5 Travel & Other Employee Exp $ 27,695 $ 52,261 $ 52,287 $ 26 0.0% 6 Promotional Expenses $ - $ - $ - $ - 0.0% 7 General Expenses $ 3,893 $ 702 $ 505 $ (197) (28.1%) 8 Other Expenses $ 8,890 $ 8,801 $ 8,397 $ (404) (4.6%) 9 Total Charges To Capital $ (180,000) $ (139,408) $ - $ 139,408 (100.0%) Non-Payroll Subtotal $ 161,317 $ 68,347 $ 104,847 $ 36,500 53.4% Total $ 1,867,674 $ 2,047,401 $ 2,188,038 $ 140,637 6.9% 5 Item #4 New Budget Request Operating & Full Year 2024 Cash Priority Item # Short Description Maintenance Request Type No. of FTEs including Capital (H/M/L) Expenses 1 Outside Temp Services – Backfill $40,000 $40,000 One-Time 0 Medium for Staff on Maternity Leave To ta l $40,000 $40,000 0 6 (Capitalized) Outside Services Item #4 GC/CM Audit Costs (Outside Services) are now directly capitalized to the projects and are not reflected in the expense budget. Below is a summary of GC/CM Spend for informational purposes. Estimated Estimated Audit Spend Project Construction Project Timing over Life of Project Cost Post IAF Airline Realignment $65 MM $222,445 In Process Estimated completion 2027 C Concourse Expansion Project $49.2 MM $304,000 In Process Estimated completion 2026 Main Terminal Low Voltage Project $55 MM $73,555 In Process Estimated completion 2026 South Concourse Evolution $1 B $900,000 Estimated 1st Qtr. 2024 - 2032 Primary Fire Station (Eastside) $15 MM $13,500 Estimated 3rd Qtr. 2023 - 2026 Industrial Wastewater Treatment Plant - $92 MM $82,800 Estimated 3rd Qtr. 2024 - 2029 Heavy Civil GC/CM Baggage Optimization 3 $300 MM $270,000 Estimated 3rd Qtr. 2023 - 2027 Concourse HVAC Improvement $200 MM $180,000 Estimated 2nd Qtr. 2025 - 2031 Renewal/Replacement Program (CHIRRP) Terminal 25 Restoration (Heavy Civil GC/CM) Not Available Not Available Estimated 2025 - 2028 Main Terminal Improvement Program $520 MM $499,200 Estimated 4th Qtr. 2024 - 2034 To ta l $2.296 B $2,545,500 7 Open Issue Status – Aging Report as of August 23, 2023 Item #5 1. Eight issues outstanding for over one year from the Target Date consist of: Architecture & Engineering (2) - Fair and Reasonable Rate Determination and Management Review Over Max Rates: CPO-1, Port Policy for Consulting Services, was updated to include a definition that aligns to the RCW 39.80.050, Procurement of Architectural and Engineering Services – Contract Negotiations. However, a specific mark-up has not been defined. This appears to be on the agenda for the Procurement Council in September of 2023. Information Technology Audits (6) (Security Sensitive - Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session.): These are: Closed Network System Security (1), Network Password Management (2), Secure Configuration for Hardware & Software on Mobile Devices, Laptops, Workstations and Servers (2), and Continuous Vulnerability Management (1). 2. Three Information Technology issues do not have Target Dates and are not included in this chart. These issues are in the process of being addressed, however, they are more than two years past the Report Date: Aviation Maintenance and Facilities & Infrastructure Data Centers (3). See Appendix A for a detailed listing of outstanding issues, including: Report Finding, Issue Owners, and Current Status, as of August 23, 2023. 8 Approved 2023 Audit Plan Item #6 Limited Contract Compliance Performance Information Technology • Louis Dreyfus Company Washington LLC • Port-wide Payroll Controls • Email and Web Browser Protections (ICT and • Seattle Air Ventures, JV1 • Airport Parking Garage Aviation Maintenance)4 • ATZ, Inc. dba Doug Fox Parking • Equity Policy Directive Compliance2 • Network Infrastructure Management (ICT)7 • Social and Environmental Reporting • Network Infrastructure Management (Aviation • Fishermen’s Terminal Maintenance) • Police Department3,4 • Security Awareness and Skills Training Capital • T-5 Berth Modernization • Supply Chain Disruption Management • C Concourse Expansion (Pre-construction) GC/CM5 • Main Terminal Low Voltage System Upgrade GC/CM5 • T-117 Sites 23-25 Restoration Construction Project GC/CM5 • Concourse A Building Expansion for Lounges/DELTA TRA3 • Post IAF Airline Realignment GC/CM Constructio5,6 1. Two separate audits were originally planned for different lease agreements; however, they were combined for administrative efficiency, due to substantially similar processes. 2. This audit is deferred to 2024. The policy was recently approved by the Commission, and it is too early to assess compliance with it. 3. This is a contingency audit per the Approved 2023 Audit Plan. 4. The audit name has changed to reflect the expanded audit scope. 5. RCW 39.10.385 requires an independent audit, paid for by the public body, to confirm the proper accrual of costs, for General Contractor/Construction Manager (GC/CM) projects. This audit work will be performed by external, contract auditors through a multi-year, Indefinite Delivery, Indefinite Quantity (IDIQ) contract. Year-end status report will be provided at the December Audit Committee. Internal Audit will perform continuous cost reviews of these projects, review areas that are not looked at by the contract auditors, and partner with the contract auditors as needed. Internal Audit will issue an audit report on areas covered. 6. Due to construction delays, this audit is deferred to 2024. 7. Due to resource constraints, this audit is deferred to 2024. 9 Item #6 2023 AUDIT PLAN STATUS Audit Title Type Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Port-wide Payroll Controls Performance Airport Parking Garage Performance Social and Environmental Reporting Performance Fishermen's Terminal Performance Police Department1,2 Performance Supply Chain Disruption Management Performance - Capital Terminal 5 Berth Modernization Project Performance - Capital C Concourse Expansion (Pre-construction) GC/CM3 Performance - Capital Main Terminal Low Voltage System Upgrade GC/CM3 Performance - Capital T-117 Sites 23-25 Restoration Construction Project GC/CM3 Performance - Capital Concourse A Building Expansion for Lounges/DELTA TRA1 Performance - Capital Email and Web Browser Protections (ICT and Aviation Maintenance)2 IT Network Infrastructure Management (Aviation Maintenance) IT Security Awareness and Skills Training IT Louis Dreyfus Company Washington LLC Contract Compliance Seattle Air Ventures, JV 4 Contract Compliance ATZ, Inc. dba Doug Fox Parking Contract Compliance Equity Policy Directive Compliance5 Performance Post IAF Airline Realignment - GC/CM Construction3,5 Performance - Capital Network Infrastructure Management (ICT)5 IT Complete In Process KEY Not Started Deferred to 2024 1. This is a contingency audit per the Approved 2023 Audit Plan. 2. The audit name has changed to reflect the expanded audit scope. 3. RCW 39.10.385 requires an independent audit, paid for by the public body, to confirm the proper accrual of costs, for General Contractor/Construction Manager (GC/CM) projects. This audit work will be performed by external, contract auditors through a multi-year, Indefinite Delivery, Indefinite Quantity (IDIQ) contract. Year-end status report will be provided at the December Audit Committee. Internal Audit will perform continuous cost reviews of these projects, review areas that are not looked at by the contract auditors, and also partner with the contract auditors as needed. Internal Audit will issue an audit report on areas covered. 4. Two separate audits were originally planned for different lease agreements; however, they were combined for administrative efficiency, due to substantially similar processes. 5. This audit is deferred to 2024. 10 Item #s 7, 8, and 12 Audits Completed in Third Quarter, 2023 1) C Concourse Expansion Project (Pre-Construction) (Item #7) 2) Main Terminal Low Voltage System Upgrade Project (Pre-Construction) (Item #8) 3) Louis Dreyfus Company Washington LLC (Item #12) 11 C Concourse Expansion Project (Pre-Construction) Item #7 The Concourse C Expansion Project spans the C and D Concourses with additional dining and retail, adding amenities such as an Interfaith Prayer and Meditation room, a Nursing Suite, and an all-new, more than 20,000 square foot Alaska Airlines Lounge. The project will increase the existing 81,000 square foot building into a 226,530 square foot facility. Turner Construction Company (Turner) was selected as the General Constructor/Construction Manager (GC/CM) for this project in December 2020. The pre-construction work started in December 2020 and is anticipated to be completed in the fall of 2023. 12 C Concourse Expansion Project (Pre-Construction) Item #7 The pre-construction contract total at the time of the report was approximately $4.44 million, which included approximately $1.94 million in change orders. RCW 39.10.385 requires an independent auditor to confirm the proper accrual of costs for any alternatively selected subcontractors. R.L. Townsend & Associates LLC, a nationally recognized, Construction Audit firm, was engaged to perform this part of the work. Our work focused on review of GC/CM expenses for accuracy and contract compliance. Additionally, we performed a “Labor Rate Analysis,” by looking at the build-up of Labor Rates used in the contract. 13 Item #7 1) Rating: Medium The model that was used to determine billable rates for contractor’s staff, utilized inputs that could result in paying higher than market rates for labor. There are generally two industry standard approaches an owner can take when approving contractor rates: 1) using a Rate Tool or “market rate” analysis, which uses an in-house model to price each position title, or 2) using a Cost-Plus approach, which includes negotiating a profit margin and vetting the build-up of proposed rates. CPO used a Rate Tool that integrates Market Survey Data, Port Historical Data, and Firm Data, to negotiate rates for each position title. Turner was paid the negotiated rate for each position, which was generated from the rate tool. Within the contract, Turner used a rate build-up for each position, which equaled the negotiated rate. 14 Issue Continued: Attached to Contract Negotiated Rate by Internal Rate Tool Turner’s Rate Build-up Position/Individual We looked at Turner’s Rate Build-up to identify anything that was incorrect, excessive, etc. In essence, we performed a Cost-Plus Build-up, which we then compared to the Negotiated Rate. We identified several items that would be questioned if a Cost-Plus method was employed, such as: Lack of detail on the build-up of “Base Cost.” Benefits charged in Turner’s model included items that are often not allowed. For example: End of Year Premium Pay Bonuses/Staff Retention Tuition Reimbursement Employee Assistance Programs General Liability Insurance rate of 1.2% vs Industry Standard Range of 0.50 % - 0.75%. A Virtual Design and Construction rate of between $5 and $75 per hour. After discussions with Turner, they indicated that these rates should be $6.14. “B&O tax” percentage of 2.5% vs Washington State Construction B&O rate of 0.471%. 15 Item #7 Issue Continued: Upon a recalculation of adjusted rates with the information provided by Turner, we determined that, if a Cost-Plus methodology had been employed, the billed cost to the Port could have been between approximately $160,316 and $257,974 less than the rates generated from the Port’s rate tool, dependent on the negotiated fee with the contractor. Additionally: The Agreement language on allowable billable rate build-up was vague, which increased the risk of rate components being included that normally would not be or, included in multiple areas. Examples include: the Agreement stated in part, “The hourly labor rates cover the GC/CM's direct and indirect costs or expenses…. including but not limited to..." Additionally, it allowed for the inclusion of "home office overhead and profit" without specifying further details, leading to a broad interpretation of allowable items. 16 Item #7 Recommendations 1. CPO should either modify the inputs to the current rate tool or employ a Cost-Plus approach. 2. CPO should work with Legal to strengthen preconstruction services agreement language to help decrease the possibility of misinterpretation. 17 2) Rating: Medium Item #7 The Port’s oversight process and documentation could be improved to support justifications for approving rates above the Market Maximum, and collaboration with other departments or teams. We reviewed CPO’s “market rate” analysis process and noted some of Turner’s staff members were not subject to negotiation, nor was any documented evidence of the negotiation found. The total that was billed so far to the project for these staff members was $1.34 million. We observed instances where certain Turner employees were approved rates that exceeded the Market Maximum allowed rate for their respective titles. CPO explained that such approvals over the maximum were permissible, in certain cases, if the contractor provided documentation justifying the higher rate, and the rate was within the Port’s Historical Maximum. However, no records were maintained. Reasons cited for the absence of documentation was that the rate analyst, responsible for approving these rates, was no longer employed by the Port. Based on our review, we were unable to ascertain whether rates for all Turner staff members were subject to negotiation or if the approval of higher rates (above the Market Maximum) was adequately supported. 18 Item #7 Recommendations 1. CPO should establish a comprehensive documentation process, and clear guidelines for negotiations and approvals of rates for contractor staff. This includes maintaining records of negotiations, justifications for rates above the Market Maximum, and collaboration with other departments or teams. 19 Item #7 Management Response – Issue 1 Management does not concur with the finding. Port negotiated fair and reasonable billing rates, and the review of cost information did not account for risk and contract administration. Potential savings from cost reimbursement contracts were miscalculated. DUE DATE: 12/31/2023 Management will discuss in detail. (Full response in Audit Report No. 2023-09) 20 Item #7 Management Response – Issue 2 Port did conduct negotiations of all contract rates, and we believes the negotiations were documented appropriately. We will take the opportunity to review our process, guidance documents, and record retention. DUE DATE: 12/31/2023 Management will discuss in detail. (Full response in Audit Report No. 2023-09) 21 3) Rating: Medium Item #7 We identified opportunities for Port Management to strengthen controls during the pay application review process. Additionally, we identified several instances where there has been a lack of adherence to the stipulated Agreement. These observations highlight opportunities to enhance oversight and assure compliance with contractual requirements. Review process: We reviewed Pay Applications (PA) 1-27 and noted instances where supporting documentation was not present, and/or contract requirements were not followed. Examples included: After PA 11, timesheets were not submitted. Upon inquiry, Port Management confirmed that they had given the direction to discontinue the practice due to excessive workload involved. Our test of billed hours determined that the Port had been overbilled $997.05. Turner indicated that they would make the adjustment on the May 2023 PA. We verified that there was an adjustment on PA 29. A total of $924,039 in forecasted payments were spread across 27 pay applications, resulting in an average monthly payment of $34,224. There was no dedicated review process in place to ensure the completion of services and subsequent reimbursement to the Port for these forecasted prepayments. We noted that, while Washington State Law does not explicitly prohibit prepayments, the Agreement only allowed reimbursements of actual incurred costs. Personnel and staff changes occurred during the pre-construction phase, and Port Management failed to provide the necessary support stipulated in the contract for certain changes. These individuals worked hours totaling around $190,000, without verification from the Port. To validate the cost reasonableness, we directly sought support from Turner, who supplied agreed-upon rates for most of these individuals. 22 Item #7 Recommendations 1. Maintain timesheets for everyone to track the days worked, with careful verification of hours and rates during the Pay Application review process. 2. Follow existing Standard Operating Procedures to pay for services rendered. 3. Maintain supporting documentation of Port Management approval for all key personnel changes. For any staff change including key or supplemental staff, there should be support provided for a negotiated agreed upon rate. 23 Item #7 Management Response Engineering Construction Management agrees with these recommendations and will continue to train staff to improve compliance with existing requirements. Additionally, Engineering Construction Management will ensure Standing Operating Procedures thoroughly capture GC/CM specific procedures. DUE DATE: 12/31/2023 Management will discuss in detail. (Full response in Audit Report No. 2023-09) 24 Main Terminal Low Voltage System Upgrade Project Item #8 (Pre-Construction) General Contractor/Construction Manager (GC/CM) contract was executed on August 9, 2019, with M.A. Mortenson. Initial Not-to-Exceed amount was $1.5 million but was expected to increase since design was less than 30% complete. In August of 2021, an additional $1.5 million was authorized to fund the remainder of the Pre-Construction services, bringing the total budget to $3 million. Pre-Construction was completed in November 2022 with an anticipated construction completion in early 2026. Total budgeted cost is approximately $120 million, with a 7% Women-Owned and Minority-Owned Business Enterprise aspirational goal. Areas reviewed: Change Orders - No deficiencies noted. Pay Applications - Recommendations for improvement noted. Contingency - Recommendations for improvement noted. 25 1) Rating: Medium Item #8 We identified opportunities for Engineering Construction Management to strengthen controls during the pay application review process. Additionally, supporting documentation to show compliance with the Port’s Standard Operating Procedure 40.08, State law, and the Contract, was not always maintained. Non-labor costs totaling $1,223 were overpaid for expenses identified in the contract as non-reimbursable costs (including security badges, delivery services and parking). Timesheets were not submitted by the GC/CM as required. Our review identified a total of $7,387 in overpayments. Documentation of approval for a Key Personnel change (Project Manager) was not maintained, as required by the contract. The Contingency budget and Other Stipulated Direct Costs budget were used for expenses related to completing pre-construction areas, not for expenses outlined in the contract and change order. Additionally, the Port’s approval for using these budgets was not maintained. 26 Recommendations Item #8 Construction Management should: 1. Review overpayments identified in the audit and collect overpayment from the GC/CM, as appropriate. 2. Assure compliance with Standard Operating Procedure 40.08, the Washington State Auditor’s Budgeting, Accounting and Reporting System (BARS) GAAP Manual 3.1.4.10/RCW 43.09.200, and the Contract, by requiring the GC/CM to submit all required documentation to support transactions. For example, timesheets should be obtained as supporting documentation for the Pay Applications. 3. Maintain supporting documentation of Port management approval for all key personnel changes. For any staff changes, including key or supplemental staff, there should be support provided for a negotiated agreed upon rate. 27 Management Response Item #8 1. Engineering Construction Management will review the identified overpayments and collect reimbursement as appropriate. 2. Engineering Construction Management, in collaboration with Central Procurement Office (CPO), and AV/Waterfront Project Management, will review documentation requirements for GC/CM preconstruction services contracts and ensure all SOPs contain GC/CM specific procedures. 3. Engineering Construction Management agrees with the recommendation and will continue to train staff to improve compliance with these existing requirements. DUE DATE: 12/31/2023 Management will discuss in detail. (Full response in Audit Report No. 2023-10) 28 Item #12 Louis Dreyfus Company Washington LLC (Louis Dreyfus) As a company, it has had an active presence in the US since 1909 and is involved in diverse industries worldwide. Top exporter of various agricultural commodities, such as cotton, soybeans, wheat and corn. Operator of the Port’s Grain Facility at Terminal 86. Terminal is a completely automated grain facility, which assures quick and efficient movement of commodities from trucks and/or rail cars to silos and ships’ holds. Total storage capacity is approximately 4 million bushels (101,000 metric tons) WA State Department of Agriculture is responsible for the independent certification of grain quality and quantity. 29 Item #12 Louis Dreyfus Company Washington LLC (Louis Dreyfus) Breakdown of commodities exported during audit period: Commodity Year (in Metric Tons) 2020 2021 2022 Yellow Corn 1,240,437 1,904,159 1,859,757 Soybeans 2,751,841 1,485,865 1,870,459 Grain Sorghum 247,526 467,779 660,395 Total 4,239,804 3,857,803 4,390,611 30 Item #12 Louis Dreyfus Company Washington LLC (Louis Dreyfus) Lease agreement between Louis Dreyfus and the Port was signed in November 2014, allowing Louis Dreyfus to operate the Terminal. Monthly payment consists of base rent and a concession fee (tonnage rent fee) based on loaded ship tonnage. The table below reflects the yearly base rent and tonnage rent during the audit period: Year Tonnage Rent Base Rent Total 2020 $ 4,273,743 $ 1,097,511 $ 5,371,254 2021 $ 5,451,248 $ 1,082,405 $ 6,533,652 2022 $ 5,077,095 $ 1,085,105 $ 6,162,200 Total $ 14,802,086 $ 3,265,021 $ 18,067,106 31 Item #12 No Issues Internal Audit concluded that Louis Dreyfus materially complied with the significant terms of the Agreement. 32 Appendix A – Aging of Outstanding Issues as of August 23, 2023 33 Appendix A – Aging of Outstanding Issues as of August 23, 2023 Performance, Capital, Information Technology, and Limited Contract Compliance Audits Days Outstanding Days Outstanding Audit Type Audit Rating Report Date Target Date (from Report Date) (from Target Date) Issue Owner Report Finding Current Status from Management as of 8/23/2023 IT AVM/Facility & Infrastructure Data Centers High 12/4/2018 No date supplied 1723 N/A Director, Aviation Security Physical Access to Facilities F&I Response: There is a project to add card readers to All rooms in our sample were protected with varying levels of communications room doors in the passenger terminal areas. restricted access. Some were well protected, allowing few The project is scheduled to be at physical completion in Q2 individuals access, while others allowed access to hundreds of 2025. people with no legitimate business need. IT AVM/Facility & Infrastructure Data Centers High 12/4/2018 No date supplied 1723 N/A Director, Aviation Security Protection Against Environmental Factors F&I Response: Project U00494 replacing water-based Facilities should be protected against fire and water damage. sprinklers with clean-agent fire suppression in 6 critical In our sample of 31 rooms, 35% of the rooms did not have fire communications rooms (MDR 1, MDR 2, MDR 3, MER/ES, suppression capability and 55% did not have fire MER/VD, CER) has anticipated Substantial Completion date of extinguishers. Four rooms had Halon fire extinguishers which Q2 2026. Alternatives to Halon clean-agent fire suppression are ozone-depleting and do not support the Port’s value for have been investigated, but major drawbacks exist (e.g. PFAS, being a responsible steward of the environment. asphyxiation from CO2, large space requirements). Water Mist per NFPA 750 may be a promising solution. No update on other rooms nor fire extinguishers. More discussion is needed regarding fire rating of communications room doors. Performance Architecture & Engineering High 12/9/2019 6/30/2020 1353 1149 Director, Central Procurement CPO had not established guidelines for what is determined fair CPO-1, Port Policy for Consulting Services, was updated to Office and reasonable. Our testing of over 400 A&E consultants include a definition that aligns to the RCW 39.80.050, identified many instances where profit markups exceed what Procurement of Architectural and Engineering Services – the industry deemed reasonable. Contract Negotiations. However, a specific mark-up has not been defined. This appears to be on the agenda for the Procurement Council in September of 2023. Performance Architecture & Engineering High 12/9/2019 6/30/2020 1353 1149 Director, Central Procurement Management approval was not required when hourly rates CPO-1, Port Policy for Consulting Services, was updated to Office exceeded the maximum rates produced by the service rate include a definition that aligns to the RCW 39.80.050, negotiation tool / model. Procurement of Architectural and Engineering Services – Contract Negotiations. However, a specific mark-up has not been defined. This appears to be on the agenda for the Procurement Council in September of 2023. IT Security Awareness and Skills Training High 3/23/2023 6/1/2023 153 83 Chief Information Security Officer Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session 34 Appendix A – Aging of Outstanding Issues as of August 23, 2023 Performance, Capital, Information Technology, and Limited Contract Compliance Audits Days Outstanding Days Outstanding Audit Type Audit Rating Report Date Target Date (from Report Date) (from Target Date) Issue Owner Report Finding Current Status from Management as of 8/23/2023 Performance Port-wide Payroll Controls High 6/14/2023 12/31/2023 70 -130 Director, Aviation Maintenance The Maximo System used by the Aviation Maintenance Work-in-Progress: AVM is changing work processes in Department (AVM) had generated semi-annual, preventive Maximo for appropriate work tracking. AVM will be maintenance work orders for certain retired assets, requiring performing a gap assessment with the asset management maintenance staff to spend up to 3 hours for each vendors to define processes, which will close the gap that unnecessary work order over 10 years. was defined in the audit processes. Some of that work is done in 2023 and more in 2024 to codify the onboarding and disposal process. AVM has several systems and processes that have to be coordinated across multiple groups at the Port: AVM, AV Facilities & Infrastructure, AV Program Management Group, and Engineering/Construction Management, and Port Construction Services. IT AVM/Facility & Infrastructure Data Centers Medium 12/4/2018 No date supplied 1723 N/A Director, Aviation Security Physical Facilities Management F&I Response: No change in status from previous quarter - In our sample of 31 rooms, we noted that 52% of the rooms Project scope is being reviewed by F&I managers prior to had equipment on the racks that was not properly secured, submittal. and that 16% of equipment racks (while securely bolted to the floors) lacked seismic bracing. IT Closed Network Systems Security Medium 9/5/2019 6/30/2020 1448 1149 Chief Information Security Officer Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session IT Inventory and Control of Hardware Assets Medium 11/12/2019 6/30/2023 1380 54 Chief Information Officer Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session IT Network Password Management Medium 3/20/2020 12/31/2020 1251 965 Chief Information Security Officer Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session IT Network Password Management Medium 3/20/2020 9/30/2020 1251 1057 Chief Information Officer Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session IT Secure Configuration for Hardware and Software Medium 8/21/2020 12/31/2021 1097 600 Chief Information Security Officer Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session IT Secure Configuration for Hardware and Software Medium 8/21/2020 12/31/2021 1097 600 Chief Information Security Officer Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session on Mobile Devices, Laptops, Workstations and Chief Information Officer IT Continuous Vulnerability Management Medium 11/29/2021 6/30/2022 632 419 Director, Aviation Maintenance Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session 35 Appendix A – Aging of Outstanding Issues as of August 23, 2023 Performance, Capital, Information Technology, and Limited Contract Compliance Audits Days Outstanding Days Outstanding Audit Type Audit Rating Report Date Target Date (from Report Date) (from Target Date) Issue Owner Report Finding Current Status from Management as of 8/23/2023 IT Account Management - ICT Medium 3/15/2022 6/1/2023 526 83 Chief Information Officer Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session IT Audit Log Management - Aviation Maintenance Medium 6/2/2022 12/31/2022 447 235 Director, Aviation Maintenance Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session Contract The Hertz Corporation Medium 6/3/2022 12/31/2022 446 235 Director, Aviation Commercial Hertz’s systems and records were unable to clearly discern Aviation Commercial Management continues to be in contact Compliance Management which customers were eligible to receive a CFC waiver. with Hertz and Avis. Internal Audit identified 3,081 rental tickets, totaling approximately $173,000, where the CFC was not charged and remitted. Hertz asserted that approximately $164,000 were insurance replacement rentals and therefore allowable exclusions. IT T2 Airport Garage Parking System Replacement Medium 11/11/2022 6/2/2023 285 82 Chief Information Officer Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session Chief Information Security Officer Performance Fishermen's Terminal Medium 3/20/2023 3/31/2024 156 -221 Director, Maritime Operations and Billing and collection procedures at Fishermen’s Terminal were A request for an additional FTE to strengthen segregation of Security informal and internal controls needed to be strengthened. We duties was submitted and pending budget approval. identified underbilling of revenue and a sizable accounts receivables balance primarily managed by one individual. IT Security Awareness and Skills Training Medium 3/23/2023 6/1/2023 153 83 Chief Information Security Officer Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session IT Security Awareness and Skills Training Medium 3/23/2023 6/1/2023 153 83 Chief Information Security Officer Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session Chief Information Officer Performance Port-wide Payroll Controls Medium 6/14/2023 1/31/2024 70 -161 Chief Information Officer Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session Performance Social and Environmental Reporting Medium 6/20/2023 12/31/2023 64 -130 Director, Diversity in Contracting The Diversity in Contracting 2022 Annual Report contained Report was issued, 6/20/2023. No update required at this duplicate WMBE firms. This highlights the need to perform time. validation procedures (internal controls) so that duplicates can be identified and removed. 36
Limitations of Translatable Documents
PDF files are created with text and images are placed at an exact position on a page of a fixed size.
Web pages are fluid in nature, and the exact positioning of PDF text creates presentation problems.
PDFs that are full page graphics, or scanned pages are generally unable to be made accessible, In these cases, viewing whatever plain text could be extracted is the only alternative.