11b. Presentation
2023 Internal Audit Annual Report
Item No. 11b attach
Meeting Date: February 13, 2024
Glenn Fernandes - Director, Internal Audit
P69 Commission Chambers, 12:00 PM – 5:00 PM
Financial Stewardship, Accountability, Transparency, Operational Excellence, Governance

2023 Audit Committee
• Commissioner Hamdi Mohamed, Committee Chair
• Commissioner Sam Cho, Committee Member
• Sarah Holmstrom, Committee Public Member

About Internal Audit
Internal Audit conducts independent, objective, risk-based audits of the Port’s operations, technology, activities, and vendors. Our audits add value by helping the Port achieve its mission and contribute to: financial stewardship, accountability, transparency, governance, and operational excellence.
Internal Audit derives its authority from the Port Commission. The Director is a dual report, who reports functionally to the Audit Committee and administratively to the Executive Director.

■ Combined Assurance to Break Down Silos: The governing body, management, and internal audit have their distinct responsibilities, but all activities need to be aligned with the objectives and collectively grow the value of the organization.
■ Beyond the Three Lines Model: Today’s environment of risk bedlam requires us to go a step further. Collaboration is a business imperative and a platform we can use to generate even greater enterprise value.
Source: The Institute of Internal Auditors, THE IIA’S THREE LINES MODEL – An Update of the Three Lines of Defense, published in July 2020.

2023 Audit Plan Update
• 16 audit reports were completed in 2023: 5 Performance, 5 Capital Projects, 3 Information Technology, and 3 Limited Contract Compliance.
• Audits identified 4 High Risk, 16 Medium Risk, and 7 Low Risk rated issues for management action.
• GC/CM Construction Projects are increasing at the Port; real-time auditing, as required by RCW 39.10.385, continues to identify cost savings.
• Audit reports are shared with Audit Committee Members, and for transparency, are also posted to the Port’s external facing website. [Audit reports can be found at https://www.portseattle.org/page/internal-audit-reports.]

16 Audits Completed in 2023

Limited Contract Compliance
• Louis Dreyfus Company Washington LLC
• Seattle Air Ventures
• ATZ, Inc. dba Doug Fox Parking

Performance
• Port-wide Payroll Controls
• Airport Parking Garage
• Social and Environmental Reporting
• Fishermen’s Terminal
• Police Department Seizures and Evidence Room

Information Technology
• Email and Web Browser Protections (ICT and Aviation Maintenance)
• Network Infrastructure Management (Aviation Maintenance)
• Security Awareness and Skills Training

Capital/Construction
• Terminal 5 Berth Modernization
• Supply Chain Disruption Management
• C Concourse Expansion (Pre-construction) GC/CM [1]
• Main Terminal Low Voltage System Upgrade GC/CM [1]
• T-117 Sites 23-25 Restoration Construction Project GC/CM [1]

[1] RCW 39.10.385 requires an independent audit, paid for by the public body, to confirm the proper accrual of costs, for General Contractor/Construction Manager (GC/CM) projects. This audit work is performed by external, independent auditors through Service Agreements. A year-end status report is provided at the December Audit Committee. Internal Audit also performs audits of these projects and reviews areas that are not looked at by the independent auditors. Internal Audit issues an audit report on areas covered.

Information Technology (IT) Audits
• IT audits are generally security sensitive and are discussed in non-public sessions.
• Our IT Audit Program focuses on high risk, high value controls, identified by the Center for Internet Security (CIS, 18 control areas, 153 controls).
• CIS controls are a prioritized set of best practices for cyber defense.
• Three audits were completed in 2023.
• Over the last 5 years, we have completed 11 of 18 key CIS audits.

Information Technology (IT) Audits
Key objectives of 2023 IT Audits included:
• Assess the effectiveness of IT controls.
• Identify cybersecurity risks.
• Assure compliance with relevant regulations and industry standards.
• Safeguard critical information assets.
• Maintain the integrity of systems and data.
• Support the overall organizational goals and objectives.

Capital/Construction Audits
Five Capital/Construction audits were completed in 2023. Projects audited had estimated Capital Spend of $182 million.
Key Recommendations/Improvements included:
• Strengthen contract language to decrease the potential for misinterpretation.
• Improve Pay Application and Change Order review processes by maintaining adequate supporting documentation.
• Establish a comprehensive documentation process, and clear guidelines related to negotiating and approving labor rates.
• Collect overpayments made to contractors.

Highlighted Performance Audits
1) Airport Parking Garage
2) Port-wide Payroll Controls
3) Fishermen’s Terminal

Airport Parking Garage
The audit focused on the Public Parking and the Employee Parking operations at the main parking garage at Seattle-Tacoma International Airport (SEA) for the period January 2022 through July 2023. We evaluated controls over: 1) cash handling, 2) parking garage access, and 3) compliance with applicable laws, rules, and regulations.
Key Improvement Opportunities included:
• 603 instances of misuse of complimentary parking cards issued to organizations that have business at the Airport.
• 99 active cards that were assigned to employees who were no longer employed by the Port, 16 of which continued to use their cards after separation from the Port.
• Controls to deactivate complimentary parking cards at the end of lease agreements. One lessee’s parking card was still active and continued to be used after lease termination.

Port-wide Payroll Controls
The audit scope included: system access controls, segregation of duties, common payroll fraud assessments/testing, and different time-recording systems used by some business areas that might increase risk exposure to the Port.
As of 12/31/2022, salaries and benefits were the Port’s largest operating expense, $317,574,261, representing roughly 67% of the total operating expenses.
Key Improvement Opportunities included:
• The Maximo System used by the Aviation Maintenance Department had generated semi-annual, preventive maintenance work orders for certain retired assets, requiring maintenance staff to spend up to 3 hours for each unnecessary work order over 10 years.
• A lifeline system – Sayfglida fall protection cable located on the Central Terminal roof at Seattle-Tacoma International Airport had been marked “Out of Service, DO NOT USE” by physical signs, therefore, requiring no regular maintenance.

Fishermen’s Terminal
The audit was requested by the Director of Maritime Operations and Security. The audit focused on the billing processes, segregation of duties, and standard operating procedures.
Key Improvement Opportunities included:
• Billing and collection procedures at Fishermen’s Terminal were informal and internal controls needed to be strengthened.
• Some Auxiliary Services were billed incorrectly using outdated rates from prior years.
• The billing and collection process for the sizeable accounts receivable balance (roughly $900K total outstanding) was only managed by one individual.

2024 Audit Strategy
• Stay independent and objective.
• Enhance processes, by viewing work through an “equity lens.” Incorporate an Equity, Diversity, and Inclusion objective into select audit programs and distinctively reflect the effort in audit reports.
• Streamline existing concession audit processes.
• Continue to focus on Capital Delivery (Financial, Quality, and Schedule).
• Continue to focus on the remaining “Center for Internet Security” audits that will provide the groundwork for well-established cybersecurity controls.
• Meet New TSA Cybersecurity Audit Requirements.