Attachment Disbursements Accounts Payable for Audit Meeting on Jun 25, 2018 1:00pm at Pier 69

Disbursements Accounts Payable

INTERNAL AUDIT REPORT
OPERATIONAL AUDIT
DISBURSEMENTS/ACCOUNTS PAYABLE

January 2017 – December 2017

ISSUE DATE: JUNE 19, 2018
REPORT NO. 2018-03

Disbursements/Accounts Payable
January 2017 – December 2017
INTERNAL AUDIT

TABLE OF CONTENTS

EXECUTIVE SUMMARY ................................................................................................................................................. 3
BACKGROUND .............................................................................................................................................................. 4
AUDIT SCOPE AND METHODOLOGY ........................................................................................................................... 5
SCHEDULE OF FINDINGS AND RECOMMENDATIONS............................................................................................... 6
APPENDIX A: RISK RATINGS ...................................................................................................................................... 10
APPENDIX B: COMPLETE MANAGEMENT RESPONSE ............................................................................................. 11

Disbursements/Accounts Payable
January 2017 – December 2017
EXECUTIVE SUMMARY
Internal Audit (IA) completed an audit of the Disbursements / Accounts Payable process within the
Accounting and Financial Reporting Department (AFR) for the period January 1, 2017 through December
31, 2017. The audit was performed to evaluate the design of internal controls and in some cases, the
operating effectiveness of those controls. Although considered, our audit was not designed to identify
fraud.
AFR Management has a strong understanding and appreciation of effective internal controls. This “tone at
the top” mindset permeates to individuals performing key tasks within the disbursements process and
contributed to our evaluation and conclusions.
In 2017, AFR processed over 14,000 vendor payments, totaling approximately $675 million. Payment
requests are decentralized, originating mainly outside AFR. AFR processes Port payments, and is one
control component within the Port’s disbursements process. The decentralized nature of Port
disbursements requires controls to be developed and followed both within and outside AFR. Therefore,
the collective efforts of these controls holistically contribute to the overall effectiveness of the
disbursements process.
The issues identified align to best practices and are offered in the spirit of continuous improvement.
1) A Port wide delegation of authority for approving invoice payments should be reviewed and approved
by Executive Management and memorialized into Executive Policy (EX-2) guidance. Delegations of
authority establish approval limits that generally correlate to the individual’s level and responsibility
within the organization.
2) Opportunities were identified to improve internal controls. These opportunities include, implementing
controls to disable user access when no longer needed, validating the accuracy of invoices entered
into PeopleSoft, and segregating the responsibility of adding and approving vendors. These changes
to internal controls align to best practices and would further refine processes.
These issues are discussed in more detail beginning on page six.
We extend our appreciation to AFR, Central Procurement Office, and the Treasury Department for their
assistance and cooperation during the audit.

Glenn Fernandes, CPA
Director, Internal Audit

RESPONSIBLE MANAGEMENT TEAM
Dan Thomas, Chief Financial Officer
Rudy Caluza, Director Accounting and Financial Reporting
Duane Hill, Senior Manager Disbursements

Disbursements/Accounts Payable
January 2017 – December 2017

BACKGROUND

The Disbursements function within the Accounting and Financial Reporting Department (AFR) reviews
supporting documentation, general ledger coding, and enters invoice data into PeopleSoft.
In early 2017, AFR began using COR360, a third party software designed to streamline and control
invoice payments. COR360 gives employees, including those outside AFR, approval authority to request
payment for invoices. The majority of department invoices, with the exception of Major Capital Projects
and Port Construction Services, use COR360. Invoices processed outside of COR360, are approved
manually and stored in the Records Center on the Port of Seattle’s internal website (Compass).
Accounts Payable (AP) Specialists create vouchers in PeopleSoft daily. These vouchers run through an
overnight validation process and are posted for payment upon validation. Once in PeopleSoft, the Port
uses two general methods to disburse funds (checks and electronic funds transfer). Live checks are
generated and counted by an AP Specialist. A second individual (i.e. Travel Card Administrator or Payroll
Senior Accountant) recounts and agrees the number of checks to the results from a PeopleSoft query.
The table below reflects detail on the transaction type (method), amount, and count of disbursements for
the period January 1, 2017 through December 31, 2017:
2017 DISBURSEMENTS BY TYPE

Method Amount % by Amount Count % by Count
Check $76,467,068 11% 6,174 43%
Electronic Payments* 598,010,956 89% 8,137 57%
TOTAL $674,478,024 100% 14,311 100%
* Includes ACH, wire, and EFT

Disbursements/Accounts Payable
January 2017 – December 2017

AUDIT SCOPE AND METHODOLOGY

We conducted this performance audit in accordance with Generally Accepted Government Auditing
Standards and the International Standards for the Professional Practice of Internal Auditing. Those
standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide
a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the
evidence obtained provides a reasonable basis for our findings and conclusions based on our audit
objectives.
The period audited was January 2017 – December 2017. We used a risk-based approach from the
planning phase to the testing phase. We assessed risks and identified controls to mitigate those risks. We
gathered information through document requests, research, interviews, and observations. Our audit
included the following procedures:
Process Understanding
• Created flow charts to obtain a comprehensive understanding of the disbursements process.
• Identified risks and internal controls within the flow charts.
• Evaluated the design of internal controls to determine if control gaps existed.
Control Testing
1. COR360 Approval Hierarchy
• Reviewed the hierarchy for reasonableness and completeness.
• Walked through one transaction to determine whether the workflow process properly
followed the approval hierarchy.
2. New Vendor Setup Approval
• Compared vendor addresses and phone numbers (if available), from PeopleSoft to payroll
records, to identify matches. When matches were identified, we analyzed payments to
determine if they were appropriate.
• Selected 26 vendors judgmentally to determine whether they were registered with the
appropriate State Department of Revenue.
3. User Access
• Evaluated user roles, including vendor requests and approvals, within PeopleSoft.

Disbursements/Accounts Payable
January 2017 – December 2017
SCHEDULE OF FINDINGS AND RECOMMENDATIONS
1) RATING: MEDIUM
A Port wide delegation of authority for approving invoice payments should be reviewed and
approved by Executive Management and memorialized into Executive Policy (EX-2) guidance.
Delegations of authorities establish approval limits that generally correlate to the individual’s
level and responsibility within the organization.
Delegations balance the risk an organization is willing to grant to an employee’s level within the
organization, without compromising operational efficiencies. Generally, the higher the individual’s
position, the higher the amount an individual can authorize.
Port Policy EX-2 includes “…limits of authority for conducting regular day-to-day business transactions.”
EX-2, Attachment A, contains 16 Port wide delegation schedules. These schedules identify individuals
authorized to execute major construction contracts, small works contracts, and consulting agreements.
The schedule also includes general positions that are authorized to enter into contracts for the purchase
of goods and services. EX-2 does not include an authorization schedule for payment approval.
AFR management indicated that approval limits were established in COR360 by working with various
individuals throughout the Port, thus the delegation of authority already exists.
IA evaluated the limits and identified individuals, whose approval authority appeared excessive. When
discussed with the direct managers of these individuals, they concurred that the limits seemed excessive.
Recommendations:
1) Perform a reasonableness check, and if necessary, confirm with Senior Management that the limits
are accurate.
2) Obtain CFO review and approval of the limits within COR360 and attach the approved schedule within
the appendix of the EX-2 Policy.
Management Action Plan:
We acknowledge that the auditor recommendation enhances visibility in the control environment. As
recommended, a higher Executive-level review and affirmation of payment authorization delegations will
be implemented, to augment department management authorized delegations. AFR will extract the
payment delegations currently contained in COR360 and incorporate them into the executive level EX-2
delegation schedules. (Refer to Appendix B for complete response).
DUE DATE: September 30, 2018

Disbursements/Accounts Payable
January 2017 – December 2017

2) RATING: MEDIUM
Opportunities were identified to improve internal controls. These opportunities include,
implementing controls to disable user access when no longer needed, validating the accuracy of
invoices entered into PeopleSoft, and segregating the responsibility of adding vendors. These
changes to internal controls align to best practices and would further refine processes.
1) User Access (As of March 2018)
Thirty eight individuals within the Central Procurement Office (CPO) had the ability to enter new vendor
data and request approval. We identified two individuals, whose access should have been removed, one
who transferred to a department outside of CPO and another whose access was no longer required to
perform his job responsibilities.
One hundred ninety six individuals had approval authority within COR360. We identified one individual,
who was no longer an employee of the Port, but was not removed from the COR360 approval hierarchy.
COR360 is a web-based application and does not require access to the Port’s network. Therefore, an
individual who no longer works for the Port who previously had a user name and password, could still
login to COR360.
2) COR360 Invoice Validation
COR360 Invoices are manually entered into PeopleSoft. A validation process does not exist to assure
that invoice details and amounts are entered correctly into PeopleSoft.
3) New Vendor Setup
In certain instances, new vendors are added and approved within AFR. Although different individuals
perform these functions, to align with industry standards, vendor setup should be restricted to CPO.
Additionally, moving this control out of AFR allows CPO to focus on the vendor selection and approval
process and AFR to focus on the disbursement process.
Recommendations:
1) Perform a quarterly user access review to identify and remove access when an employee transfers
departments or the need is no longer necessary (i.e. an employee’s employment terminates).
2) Until an automatic feed can be developed, AFR should implement a control to validate the accuracy of
COR360 invoices that are manually entered into PeopleSoft.
3) Partner with CPO to assess controls and best practices for establishing and approving new vendors.
This could also include transferring certain responsibilities to CPO, if necessary.
Management Action Plan:
1) As recommended, quarterly user access reviews will be put in place to identify and remove access
when an employee transfers departments or the need is no longer necessary. Further, AFR has put in
place a review against COR360 payment delegations, each time notice is received from HR that an
employee has terminated Port employment. This proactive step is consistent with existing control
protocols AFR has in place to administer user access controls in the Port’s PeopleSoft payroll
administration and Concur travel/business expense systems.
2) We will institute batch total controls between COR360 output and PeopleSoft Financials accounts
payable system input, to validate completeness.

Disbursements/Accounts Payable
January 2017 – December 2017
3) AFR will work in partnership with CPO to assess this change.
DUE DATE: September 30, 2018

Disbursements/Accounts Payable
January 2017 – December 2017
1) EFFICIENCY OPPORTUNITY

COR360 was implemented, as a Port wide tool, to expedite invoice payments and to establish an
approval hierarchy within the application. However, not all groups use COR360 to process
invoices.
AFR implemented COR360, as a Port wide paperless accounts payable electronic invoicing system. The
system was implemented to centrally receive, electronically scan, and approve vendor invoices more
efficiently, while supporting AFR’s goal to pay vendor invoices more timely by leveraging technology. The
majority of the Port, with approximately 320 users and 75 departments, use COR360.
In June 2017, AFR met with Capital Development to discuss COR360. At that time, a decision was made
to postpone the use of COR360 until a deeper understanding of Capital Development business processes
was obtained. Invoices within Capital Development generally contain numerous pages of detail, are
reviewed by multiple individuals, and are typically high amounts (exceeding $1 million).
Management Action Plan:
Management within Capital Development has agreed to have future discussions with AFR to explore
opportunities to leverage COR360.

Disbursements/Accounts Payable
January 2017 – December 2017

APPENDIX A: RISK RATINGS
Findings identified during the course of the audit are assigned a risk rating, as outlined in the table below. The
risk rating is based on the financial, operational, compliance or reputational impact the issue identified has on
the Port. Items deemed “Low Risk” will be considered “Exit Items” and will not be brought to the final report.
Port Commission/
Rating Financial Internal Controls Compliance Public
Management
Large financial
impact Noncompliance
High probability
with applicable Important
Missing, or inadequate for external audit
Remiss in Federal, State,
HIGH key internal controls issues and/or
responsibilities and Local Laws, Requires immediate
negative public
of being a or Port Policies attention
perception
custodian of
public trust
Partial controls Inconsistent Potential for Relatively important
compliance with external audit
Moderate
MEDIUM Not adequate to identify Federal, State, issues and/or May or may not
financial impact
noncompliance or and Local Laws, negative public require immediate
misappropriation timely or Port Policies perception attention
Generally
Internal controls in place Low probability
complies with
but not consistently for external audit
Federal, State and Lower significance
Low financial efficient or effective issues and/or
LOW/ Local Laws or Port
impact negative public
Exit Items Policies, but some May not require
Implementing/enhancing perception
minor immediate attention
controls could prevent
discrepancies
future problems
exist
Efficiency An efficiency opportunity is where controls are functioning as intended; however, a modification would make
Opportunity the process more efficient

1 0

Disbursements/Accounts Payable
January 2017 – December 2017
APPENDIX B: COMPLETE MANAGEMENT RESPONSE
Finding & Recommendation #1
A Port wide delegation of authority for approving invoice payments should be reviewed and approved by
Executive Management and memorialized into Executive Policy (EX-2) guidance. Delegations of authority
establish approval limits that generally correlate to the individual’s level and responsibility within the
organization.
Management Response:
As the auditor notes, current Port-wide documented delegations of authority reflect delegation schedules
that identify individuals authorized to execute procurements, such as major construction contracts, small
works contracts, consulting agreements and other purchases. Payments are at the end stream of these
approved procurements and once the goods/services are received, the Port has a contractual obligation
to make payment.
There are payment controls inherent in the Port’s financial systems. The procurement process at the
front-end encompasses the Central Procurement Office (CPO) issuing purchase orders against which
approved payments submitted to the Accounting & Financial Reporting (AFR) department for
goods/services received must match against key control criteria. If required criteria such as quantity, unit
cost, amount and purchase order maximum amount of the approved procurements are not met, the
payment will be rejected by the PeopleSoft Financials system, regardless of whether payment approval
was given. These payments represent at least 90% of payments made by AFR.
In implementing COR360’s online workflow and electronic approval process, delegations of payment
authority were established with the management of each respective Port department. Such management
authorized delegations to initiate and approve payments are well documented and established in the
COR360 system. This is required for the system to administer the electronic workflow payment initiation
and review/approval control points for each Port department. Through this implementation protocol,
payment delegations of authority have been established involving the respective Port department
management.
Nevertheless, we acknowledge that the auditor recommendation enhances visibility in the control
environment. As recommended, a higher Executive-level review and affirmation of payment authorization
delegations will be implemented, to augment department management authorized delegations. AFR will
extract the payment delegations currently contained in COR360 and incorporate them into the executive
level EX-2 delegation schedules.
While we agree with the recommendation, however, we respectfully ask how this rises to the level of an
audit finding. The recommendation forwards an observation to refine upon solid internal controls already
in place. Formal delegation of payment authority does exist, is established with each respective
department’s management that is accountable for the operational oversight responsibility, is fully
documented in the COR360 system, and is executed accordingly by the systems electronic workflow for
all payment requests and approvals. Further, the delegation of authority is established through
appropriate department management, which conforms with internal control protocols that are required in
order for control points to be meaningful. They should rest with individuals at the appropriate levels of

1 1

Disbursements/Accounts Payable
January 2017 – December 2017
management having the necessary operational knowledge to effectively execute the expected judgment
and control. Formally adding the payment delegation schedule into EX-2 delegation process provides an
enhancement for visibility at the executive level, but does not correct any internal control
deficiency. Formal delegation of authority for payments are established appropriately involving
management in the respective Port departments.
Finding & Recommendation #2
Opportunities were identified to improve internal controls. These opportunities include, implementing
controls to disable user access when no longer needed, validating the accuracy of invoices entered into
PeopleSoft, and segregating the responsibility of adding vendors. These changes to internal controls
align to best practices and would further refine processes.
Management Response:
As a preface, we respectfully offer an overarching point in reference to the three opportunities for
refinements offered by the auditor. We value and embrace the recommendations. However, as a public
agency, it is important to note to the public that the Port has well-designed, robust and effectively
operating internal controls in place over payments. The Port of Seattle is rigorously audited by two major
external audit entities. The Washington State Auditor’s Office (SAO) annually audits the Port for public
funds/assets accountability and legal/regulatory compliance. Moss Adams, the Port’s independent
Certified Public Accounting firm, annually audits the Port’s financial statements and federal regulatory
compliance over major grants and passenger facilities charge (PFC) accountability and spending. With
these audits taking a rigorous holistic approach to auditing the Port’s system of internal controls, we are
proud that year-after-year they have affirmed that effective internal controls are in place with no notable
deficiencies. Moreover, the effectiveness of the Port’s internal controls is tried and proven, demonstrating
a solid record of no fraud or misappropriation in the payment of public funds, with all payments
administered by the Port’s centralized accounting operations and systems.
1) User Access (As of March 2018)
Management Response:
The Central Procurement Office (CPO) annually administers formally required updates of EX-2
delegations of authority. Also, the Port has focused to provide an effective off-boarding process for
employees leaving the Port. This would include immediate notification and action to cancel all
delegations of authority, as is the case for canceling all systems access authorizations. This should also
apply to employees transferring to another department thereby, requiring immediate changes to any
delegations and system access authorizations as well. The Accounting & Financial Reporting (AFR)
department will work in partnership with CPO and the Human Resources (HR) department to assess any
necessary refinements to protocols or compliance to ensure timely notification and changes to
delegations of authority for and COR360 system access by Port departments.
It is important to note that the Port has proactive preventative controls are in place. COR360 is typically
set-up with separate initiation and approval(s) for payments, such that segregation of duties exist
between those who can initiate payment requests and those who can approve them. Hence, whether a
current or terminated employee, individuals typically will not be able to access the COR360 system and
unilaterally initiate and approve payments on their own. Further, the Port financial system’s procurement

1 2

Disbursements/Accounts Payable
January 2017 – December 2017
purchase order controls (described above) for payments, independent of the COR360 review/approval
process, are also in place. These controls reject payments that do not meet certain control criteria,
regardless of whether they have been approved through the COR360 electronic workflow. Moreover, the
AFR accounts payable team scrutinizes payment requests from COR360 as they enter them into the
PeopleSoft system for payment execution.
Nevertheless, we acknowledge that the recommendation enhances the control environment. As
recommended, quarterly user access reviews will be put in place to identify and remove access when an
employee transfers departments or the need is no longer necessary. Further, AFR has put in place a
review against COR360 payment delegations, each time notice is received from HR that an employee
has terminated Port employment. This proactive step is consistent with existing control protocols AFR
has in place to administer user access controls in the Port’s PeopleSoft payroll administration and Concur
travel/business expense systems.
2) COR360 Invoice Validation
Management Response:
As industry best practice, the Accounting & Financial Reporting (AFR) department implemented in 2017,
a third-party cloud-based system designed to streamline and control invoice payments. The COR360
system brings benefits and efficiencies to the Port including electronic receipt of vendor billing invoices,
centralized automated scanning of invoices/supporting documentation, automated initiation of payment
vouchers, online completion of payment requests, and electronic workflow that route invoices/payment
requests to the appropriate Port departments personnel for online review/approval. The system
enhances internal controls over the payment initiation and review/approval process, facilitates more
timely payment of Port obligations, establishes electronic records for the full payment stream, eliminates
paper and misrouted/lost invoices, and tracks the status of invoices and payments processing at any
point in time. Moreover, this solution costing the Port about $36k in annual user licensing fees is much
more cost-effective than the Port procuring and maintaining its own system.
COR 360 was to be implemented in two phases. Phase one, to implement the online electronic
environment for the Port’s payments, which is completed pending follow-up with two departments that
were deferred. Phase two, which we are embarking upon to implement the best solution to provide
systems interfaces, currently focused on COR360 and the Port’s PeopleSoft accounts payable financial
system module. System interfaces would enable automated intra-system payment data integrity checks.
In the interim, however, manual controls are in place. First, after each accounts payable specialist inputs
the payment data from COR360 and before the payment files are approved to be run in PeopleSoft
Financials, the accounts payable manager performs a review of the pending payments for observed
irregularities or questionable items. Second, after the payments are produced and before they are
released, an AFR senior manager reviews a print-out of all payments pending release for observed
irregularities or questionable items. As an added measure of control through visibility, AFR has designed
and is implementing an automated exceptions report for each accounts payable payment run that will
identify any payments made to AFR accounts payable staff, AFR senior managers, AFR director and/or
the Chief Financial Officer.
Nevertheless, we acknowledge that the recommendation enhances the control environment during the

1 3

Disbursements/Accounts Payable
January 2017 – December 2017
interim period. We will institute batch total controls between COR360 output and PeopleSoft Financials
accounts payable system input, to validate completeness. This will augment the above described two-tier
review controls already in place. As part of the Phase two implementation, automated transactional data
accuracy checks at the detailed level will be possible and executed through implementation of the
systems interface solution.
3) New Vendor Setup
Management Response:
We respect that the auditor’s recommendation is founded on industry best practice, that the approval and
establishment of vendors in a payment system be done in operations outside of the department
administering payments. AFR will work in partnership with CPO to assess this change.

1 4

Limitations of Translatable Documents

PDF files are created with text and images are placed at an exact position on a page of a fixed size.

Web pages are fluid in nature, and the exact positioning of PDF text creates presentation problems.

PDFs that are full page graphics, or scanned pages are generally unable to be made accessible, In these cases, viewing whatever plain text could be extracted is the only alternative.