INTERNAL AUDIT REPORT 
OPERATIONAL AUDIT 
DISBURSEMENTS/ACCOUNTS PAYABLE 

January 2017 – December 2017 

ISSUE DATE: JUNE 19, 2018 
REPORT NO. 2018-03



Disbursements/Accounts Payable 
January 2017 – December 2017 
INTERNAL AUDIT 


TABLE OF CONTENTS 

EXECUTIVE SUMMARY ................................................................................................................................................. 3 
BACKGROUND .............................................................................................................................................................. 4 
AUDIT SCOPE AND METHODOLOGY ........................................................................................................................... 5 
SCHEDULE OF FINDINGS AND RECOMMENDATIONS............................................................................................... 6 
APPENDIX A: RISK RATINGS ...................................................................................................................................... 10 
APPENDIX B: COMPLETE MANAGEMENT RESPONSE ............................................................................................. 11 











2

          Disbursements/Accounts Payable 
January 2017 – December 2017 
EXECUTIVE SUMMARY 
Internal Audit (IA) completed an audit of the Disbursements / Accounts Payable process within the
Accounting and Financial Reporting Department (AFR) for the period January 1, 2017 through December
31, 2017. The audit was performed to evaluate the design of internal controls and in some cases, the
operating effectiveness of those controls. Although considered, our audit was not designed to identify
fraud. 
AFR Management has a strong understanding and appreciation of effective internal controls. This “tone at
the top” mindset permeates to individuals performing key tasks within the disbursements process and
contributed to our evaluation and conclusions. 
In 2017, AFR processed over 14,000 vendor payments, totaling approximately $675 million. Payment
requests are decentralized, originating mainly outside AFR. AFR processes Port payments, and is one
control  component  within  the  Port’s  disbursements  process.  The  decentralized  nature  of  Port
disbursements requires controls to be developed and followed both within and outside AFR. Therefore, 
the  collective  efforts  of  these  controls  holistically  contribute  to  the  overall  effectiveness  of  the
disbursements process. 
The issues identified align to best practices and are offered in the spirit of continuous improvement. 
1) A Port wide delegation of authority for approving invoice payments should be reviewed and approved
by Executive Management and memorialized into Executive Policy (EX-2) guidance. Delegations of
authority establish approval limits that generally correlate to the individual’s level and responsibility
within the organization. 
2) Opportunities were identified to improve internal controls. These opportunities include, implementing
controls to disable user access when no longer needed, validating the accuracy of invoices entered
into PeopleSoft, and segregating the responsibility of adding and approving vendors. These changes
to internal controls align to best practices and would further refine processes. 
These issues are discussed in more detail beginning on page six. 
We extend our appreciation to AFR, Central Procurement Office, and the Treasury Department for their
assistance and cooperation during the audit. 



Glenn Fernandes, CPA 
Director, Internal Audit 

RESPONSIBLE MANAGEMENT TEAM 
Dan Thomas, Chief Financial Officer 
Rudy Caluza, Director Accounting and Financial Reporting 
Duane Hill, Senior Manager Disbursements 

3

          Disbursements/Accounts Payable 
January 2017 – December 2017 

BACKGROUND 

The Disbursements function within the Accounting and Financial Reporting Department (AFR) reviews 
supporting documentation, general ledger coding, and enters invoice data into PeopleSoft. 
In early 2017, AFR began using COR360, a third party software designed to streamline and control
invoice payments. COR360 gives employees, including those outside AFR, approval authority to request
payment for invoices. The majority of department invoices, with the exception of Major Capital Projects
and Port Construction Services, use COR360. Invoices processed outside of COR360, are approved
manually and stored in the Records Center on the Port of Seattle’s internal website (Compass). 
Accounts Payable (AP) Specialists create vouchers in PeopleSoft daily. These vouchers run through an
overnight validation process and are posted for payment upon validation. Once in PeopleSoft, the Port
uses two general methods to disburse funds (checks and electronic funds transfer). Live checks are
generated and counted by an AP Specialist. A second individual (i.e. Travel Card Administrator or Payroll
Senior Accountant) recounts and agrees the number of checks to the results from a PeopleSoft query. 
The table below reflects detail on the transaction type (method), amount, and count of disbursements for
the period January 1, 2017 through December 31, 2017: 
2017 DISBURSEMENTS BY TYPE 

Method                          Amount     % by Amount      Count   % by Count 
Check                                  $76,467,068                 11%         6,174            43% 
Electronic Payments*                     598,010,956                  89%          8,137             57% 
TOTAL                              $674,478,024               100%        14,311          100% 
* Includes ACH, wire, and EFT 







4

          Disbursements/Accounts Payable 
January 2017 – December 2017 

AUDIT SCOPE AND METHODOLOGY 

We conducted this performance audit in accordance with Generally Accepted Government Auditing
Standards and the International Standards for the Professional Practice of Internal Auditing. Those
standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide
a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the
evidence obtained provides a reasonable basis for our findings and conclusions based on our audit
objectives. 
The period audited was January 2017 – December 2017. We used a risk-based approach from the
planning phase to the testing phase. We assessed risks and identified controls to mitigate those risks. We
gathered information through document requests, research, interviews, and observations. Our audit
included the following procedures: 
Process Understanding 
• Created flow charts to obtain a comprehensive understanding of the disbursements process. 
• Identified risks and internal controls within the flow charts. 
• Evaluated the design of internal controls to determine if control gaps existed. 
Control Testing 
1.  COR360 Approval Hierarchy 
• Reviewed the hierarchy for reasonableness and completeness. 
• Walked through one transaction to determine whether the workflow process properly
followed the approval hierarchy. 
2.  New Vendor Setup Approval 
• Compared vendor addresses and phone numbers (if available), from PeopleSoft to payroll
records, to identify matches. When matches were identified, we analyzed payments to
determine if they were appropriate. 
• Selected 26 vendors judgmentally to determine whether they were registered with the
appropriate State Department of Revenue. 
3.  User Access 
• Evaluated user roles, including vendor requests and approvals, within PeopleSoft. 




5

          Disbursements/Accounts Payable 
January 2017 – December 2017 
SCHEDULE OF FINDINGS AND RECOMMENDATIONS 
1) RATING: MEDIUM
A Port wide delegation of authority for approving invoice payments should be reviewed and
approved by Executive Management and memorialized into Executive Policy (EX-2) guidance.
Delegations of authorities establish approval limits that generally correlate to the individual’s
level and responsibility within the organization. 
Delegations balance the risk an organization is willing to grant to an employee’s level within the
organization,  without  compromising  operational  efficiencies.  Generally,  the  higher  the  individual’s
position, the higher the amount an individual can authorize. 
Port Policy EX-2 includes “…limits of authority for conducting regular day-to-day business transactions.”
EX-2, Attachment A, contains 16 Port wide delegation schedules. These schedules identify individuals
authorized to execute major construction contracts, small works contracts, and consulting agreements.
The schedule also includes general positions that are authorized to enter into contracts for the purchase
of goods and services. EX-2 does not include an authorization schedule for payment approval. 
AFR management indicated that approval limits were established in COR360 by working with various
individuals throughout the Port, thus the delegation of authority already exists. 
IA evaluated the limits and identified individuals, whose approval authority appeared excessive. When
discussed with the direct managers of these individuals, they concurred that the limits seemed excessive. 
Recommendations: 
1)  Perform a reasonableness check, and if necessary, confirm with Senior Management that the limits
are accurate. 
2) Obtain CFO review and approval of the limits within COR360 and attach the approved schedule within
the appendix of the EX-2 Policy. 
Management Action Plan: 
We acknowledge that the auditor recommendation enhances visibility in the control environment. As
recommended, a higher Executive-level review and affirmation of payment authorization delegations will
be implemented, to augment department management authorized delegations. AFR will extract the
payment delegations currently contained in COR360 and incorporate them into the executive level EX-2
delegation schedules. (Refer to Appendix B for complete response). 
DUE DATE: September 30, 2018 





6

          Disbursements/Accounts Payable 
January 2017 – December 2017 

2) RATING: MEDIUM
Opportunities  were  identified  to  improve  internal  controls.  These  opportunities  include,
implementing controls to disable user access when no longer needed, validating the accuracy of
invoices entered into PeopleSoft, and segregating the responsibility of adding vendors. These
changes to internal controls align to best practices and would further refine processes. 
1) User Access (As of March 2018) 
Thirty eight individuals within the Central Procurement Office (CPO) had the ability to enter new vendor
data and request approval. We identified two individuals, whose access should have been removed, one
who transferred to a department outside of CPO and another whose access was no longer required to
perform his job responsibilities. 
One hundred ninety six individuals had approval authority within COR360. We identified one individual, 
who was no longer an employee of the Port, but was not removed from the COR360 approval hierarchy.
COR360 is a web-based application and does not require access to the Port’s network. Therefore, an
individual who no longer works for the Port who previously had a user name and password, could still
login to COR360. 
2) COR360 Invoice Validation 
COR360 Invoices are manually entered into PeopleSoft. A validation process does not exist to assure
that invoice details and amounts are entered correctly into PeopleSoft. 
3) New Vendor Setup 
In certain instances, new vendors are added and approved within AFR. Although different individuals
perform these functions, to align with industry standards, vendor setup should be restricted to CPO.
Additionally, moving this control out of AFR allows CPO to focus on the vendor selection and approval
process and AFR to focus on the disbursement process. 
Recommendations: 
1) Perform a quarterly user access review to identify and remove access when an employee transfers
departments or the need is no longer necessary (i.e. an employee’s employment terminates). 
2) Until an automatic feed can be developed, AFR should implement a control to validate the accuracy of
COR360 invoices that are manually entered into PeopleSoft. 
3) Partner with CPO to assess controls and best practices for establishing and approving new vendors.
This could also include transferring certain responsibilities to CPO, if necessary. 
Management Action Plan: 
1) As recommended, quarterly user access reviews will be put in place to identify and remove access
when an employee transfers departments or the need is no longer necessary. Further, AFR has put in
place a review against COR360 payment delegations, each time notice is received from HR that an
employee has terminated Port employment. This proactive step is consistent with existing control
protocols AFR has in place to administer user access controls in the Port’s PeopleSoft payroll
administration and Concur travel/business expense systems. 
2) We will institute batch total controls between COR360 output and PeopleSoft Financials accounts
payable system input, to validate completeness. 

7

          Disbursements/Accounts Payable 
January 2017 – December 2017 
3) AFR will work in partnership with CPO to assess this change. 
DUE DATE: September 30, 2018 


















8

          Disbursements/Accounts Payable 
January 2017 – December 2017 
1) EFFICIENCY OPPORTUNITY

COR360 was implemented, as a Port wide tool, to expedite invoice payments and to establish an
approval hierarchy within the application. However, not all groups use COR360 to process
invoices. 
AFR implemented COR360, as a Port wide paperless accounts payable electronic invoicing system. The
system was implemented to centrally receive, electronically scan, and approve vendor invoices more
efficiently, while supporting AFR’s goal to pay vendor invoices more timely by leveraging technology. The
majority of the Port, with approximately 320 users and 75 departments, use COR360. 
In June 2017, AFR met with Capital Development to discuss COR360. At that time, a decision was made
to postpone the use of COR360 until a deeper understanding of Capital Development business processes
was obtained. Invoices within Capital Development generally contain numerous pages of detail, are
reviewed by multiple individuals, and are typically high amounts (exceeding $1 million). 
Management Action Plan: 
Management within Capital Development has agreed to have future discussions with AFR to explore
opportunities to leverage COR360. 












9

          Disbursements/Accounts Payable 
January 2017 – December 2017 

APPENDIX A: RISK RATINGS 
Findings identified during the course of the audit are assigned a risk rating, as outlined in the table below. The
risk rating is based on the financial, operational, compliance or reputational impact the issue identified has on
the Port. Items deemed “Low Risk” will be considered “Exit Items” and will not be brought to the final report. 
Port Commission/
Rating        Financial         Internal Controls         Compliance           Public 
Management 
Large financial
impact                                    Noncompliance
High probability
with applicable                                Important 
Missing, or inadequate                         for external audit
Remiss in                                 Federal, State,
HIGH                       key internal controls                        issues and/or
responsibilities                                   and Local Laws,                           Requires immediate
negative public
of being a                                    or Port Policies                               attention 
perception 
custodian of
public trust 
Partial controls             Inconsistent          Potential for      Relatively important 
compliance with      external audit
Moderate
MEDIUM                  Not adequate to identify    Federal, State,     issues and/or     May or may not
financial impact 
noncompliance or       and Local Laws,     negative public     require immediate
misappropriation timely      or Port Policies         perception            attention 
Generally
Internal controls in place                            Low probability
complies with
but not consistently                             for external audit
Federal, State and                       Lower significance 
Low financial       efficient or effective                              issues and/or
LOW/                                         Local Laws or Port
impact                                                         negative public
Exit Items                                                  Policies, but some                         May not require
Implementing/enhancing                         perception 
minor                          immediate attention 
controls could prevent
discrepancies
future problems 
exist 
Efficiency    An efficiency opportunity is where controls are functioning as intended; however, a modification would make
Opportunity                                      the process more efficient 







1 0

          Disbursements/Accounts Payable 
January 2017 – December 2017 
APPENDIX B: COMPLETE MANAGEMENT RESPONSE 
Finding & Recommendation #1 
A Port wide delegation of authority for approving invoice payments should be reviewed and approved by
Executive Management and memorialized into Executive Policy (EX-2) guidance. Delegations of authority 
establish approval limits that generally correlate to the individual’s level and responsibility within the
organization. 
Management Response: 
As the auditor notes, current Port-wide documented delegations of authority reflect delegation schedules
that identify individuals authorized to execute procurements, such as major construction contracts, small
works contracts, consulting agreements and other purchases. Payments are at the end stream of these
approved procurements and once the goods/services are received, the Port has a contractual obligation
to make payment. 
There are payment controls inherent in the Port’s financial systems. The procurement process at the
front-end encompasses the Central Procurement Office (CPO) issuing purchase orders against which
approved  payments  submitted  to  the  Accounting  &  Financial  Reporting  (AFR)  department  for
goods/services received must match against key control criteria. If required criteria such as quantity, unit
cost, amount and purchase order maximum amount of the approved procurements are not met, the
payment will be rejected by the PeopleSoft Financials system, regardless of whether payment approval
was given. These payments represent at least 90% of payments made by AFR. 
In implementing COR360’s online workflow and electronic approval process, delegations of payment
authority were established with the management of each respective Port department. Such management
authorized delegations to initiate and approve payments are well documented and established in the
COR360 system. This is required for the system to administer the electronic workflow payment initiation
and review/approval control points for each Port department. Through this implementation protocol,
payment delegations of authority have been established involving the respective Port department
management. 
Nevertheless, we acknowledge that the auditor recommendation enhances visibility in the control
environment. As recommended, a higher Executive-level review and affirmation of payment authorization
delegations will be implemented, to augment department management authorized delegations. AFR will
extract the payment delegations currently contained in COR360 and incorporate them into the executive
level EX-2 delegation schedules. 
While we agree with the recommendation, however, we respectfully ask how this rises to the level of an
audit finding. The recommendation forwards an observation to refine upon solid internal controls already
in  place. Formal  delegation  of  payment  authority  does  exist,  is  established  with  each  respective
department’s management that is accountable for the operational oversight responsibility, is fully
documented in the COR360 system, and is executed accordingly by the systems electronic workflow for
all  payment  requests  and  approvals.  Further,  the  delegation  of  authority  is  established  through
appropriate department management, which conforms with internal control protocols that are required in
order for control points to be meaningful. They should rest with individuals at the appropriate levels of

1 1

          Disbursements/Accounts Payable 
January 2017 – December 2017 
management having the necessary operational knowledge to effectively execute the expected judgment
and control. Formally adding the payment delegation schedule into EX-2 delegation process provides an
enhancement  for  visibility  at  the  executive  level,  but  does  not  correct  any  internal  control
deficiency.  Formal  delegation  of  authority  for  payments  are  established  appropriately  involving
management in the respective Port departments. 
Finding & Recommendation #2 
Opportunities were identified to improve internal controls. These opportunities include, implementing
controls to disable user access when no longer needed, validating the accuracy of invoices entered into
PeopleSoft, and segregating the responsibility of adding vendors. These changes to internal controls
align to best practices and would further refine processes. 
Management Response: 
As a preface, we respectfully offer an overarching point in reference to the three opportunities for
refinements offered by the auditor. We value and embrace the recommendations. However, as a public
agency, it is important to note to the public that the Port has well-designed, robust and effectively
operating internal controls in place over payments. The Port of Seattle is rigorously audited by two major
external audit entities. The Washington State Auditor’s Office (SAO) annually audits the Port for public
funds/assets accountability and legal/regulatory compliance.  Moss Adams, the Port’s independent
Certified Public Accounting firm, annually audits the Port’s financial statements and federal regulatory
compliance over major grants and passenger facilities charge (PFC) accountability and spending. With
these audits taking a rigorous holistic approach to auditing the Port’s system of internal controls, we are
proud that year-after-year they have affirmed that effective internal controls are in place with no notable
deficiencies. Moreover, the effectiveness of the Port’s internal controls is tried and proven, demonstrating
a solid record of no fraud or misappropriation in the payment of public funds, with all payments
administered by the Port’s centralized accounting operations and systems. 
1) User Access (As of March 2018) 
Management Response: 
The Central Procurement Office (CPO) annually administers formally required updates of EX-2
delegations of authority. Also, the Port has focused to provide an effective off-boarding process for
employees leaving the Port.  This would include immediate notification and action to cancel all
delegations of authority, as is the case for canceling all systems access authorizations. This should also
apply to employees transferring to another department thereby, requiring immediate changes to any
delegations and system access authorizations as well. The Accounting & Financial Reporting (AFR)
department will work in partnership with CPO and the Human Resources (HR) department to assess any
necessary refinements to protocols or compliance to ensure timely notification and changes to
delegations of authority for and COR360 system access by Port departments. 
It is important to note that the Port has proactive preventative controls are in place. COR360 is typically
set-up with separate initiation and approval(s) for payments, such that segregation of duties exist
between those who can initiate payment requests and those who can approve them. Hence, whether a
current or terminated employee, individuals typically will not be able to access the COR360 system and
unilaterally initiate and approve payments on their own. Further, the Port financial system’s procurement

1 2

          Disbursements/Accounts Payable 
January 2017 – December 2017 
purchase order controls (described above) for payments, independent of the COR360 review/approval
process, are also in place. These controls reject payments that do not meet certain control criteria,
regardless of whether they have been approved through the COR360 electronic workflow. Moreover, the
AFR accounts payable team scrutinizes payment requests from COR360 as they enter them into the
PeopleSoft system for payment execution. 
Nevertheless, we acknowledge that the recommendation enhances the control environment.   As
recommended, quarterly user access reviews will be put in place to identify and remove access when an
employee transfers departments or the need is no longer necessary. Further, AFR has put in place a
review against COR360 payment delegations, each time notice is received from HR that an employee
has terminated Port employment. This proactive step is consistent with existing control protocols AFR
has in place to administer user access controls in the Port’s PeopleSoft payroll administration and Concur
travel/business expense systems. 
2) COR360 Invoice Validation 
Management Response: 
As industry best practice, the Accounting & Financial Reporting (AFR) department implemented in 2017,
a third-party cloud-based system designed to streamline and control invoice payments. The COR360
system brings benefits and efficiencies to the Port including electronic receipt of vendor billing invoices,
centralized automated scanning of invoices/supporting documentation, automated initiation of payment
vouchers, online completion of payment requests, and electronic workflow that route invoices/payment
requests to the appropriate Port departments personnel for online review/approval.  The system
enhances internal controls over the payment initiation and review/approval process, facilitates more
timely payment of Port obligations, establishes electronic records for the full payment stream, eliminates
paper and misrouted/lost invoices, and tracks the status of invoices and payments processing at any
point in time. Moreover, this solution costing the Port about $36k in annual user licensing fees is much 
more cost-effective than the Port procuring and maintaining its own system. 
COR 360 was to be implemented in two phases. Phase one, to implement the online electronic
environment for the Port’s payments, which is completed pending follow-up with two departments that
were deferred. Phase two, which we are embarking upon to implement the best solution to provide
systems interfaces, currently focused on COR360 and the Port’s PeopleSoft accounts payable financial
system module. System interfaces would enable automated intra-system payment data integrity checks. 
In the interim, however, manual controls are in place. First, after each accounts payable specialist inputs
the payment data from COR360 and before the payment files are approved to be run in PeopleSoft
Financials, the accounts payable manager performs a review of the pending payments for observed
irregularities or questionable items. Second, after the payments are produced and before they are
released, an AFR senior manager reviews a print-out of all payments pending release for observed
irregularities or questionable items. As an added measure of control through visibility, AFR has designed
and is implementing an automated exceptions report for each accounts payable payment run that will
identify any payments made to AFR accounts payable staff, AFR senior managers, AFR director and/or
the Chief Financial Officer. 
Nevertheless, we acknowledge that the recommendation enhances the control environment during the

1 3

          Disbursements/Accounts Payable 
January 2017 – December 2017 
interim period. We will institute batch total controls between COR360 output and PeopleSoft Financials
accounts payable system input, to validate completeness. This will augment the above described two-tier
review controls already in place. As part of the Phase two implementation, automated transactional data
accuracy checks at the detailed level will be possible and executed through implementation of the
systems interface solution. 
3) New Vendor Setup 
Management Response: 
We respect that the auditor’s recommendation is founded on industry best practice, that the approval and
establishment of vendors in a payment system be done in operations outside of the department
administering payments. AFR will work in partnership with CPO to assess this change. 














1 4