11b Presentation Audits Completed in 2020

Item No. 11b attach 1
Financial Stewardship, Accountability, Transparency
Meeting Date: December 8, 2020

2020 Summary of Internal Audits
Glenn Fernandes - Director, Internal Audit

December 8, 2020
Remote Meeting
12:00 PM - 5:00 PM

Operational Excellence, Governance

2020 Audit Committee
Commissioner Ryan Calkins, Committee Chair
Commissioner Stephanie Bowman, Committee Member
Christina Gehrke, Committee Public Member



About Internal Audit
Internal Audit conducts independent, objective, risk-based
audits of the Port's operations, activities and vendors.
Our audits add value by helping the Port achieve its mission and
contribute to: financial stewardship, accountability,
transparency, governance, and operational excellence.
Internal Audit derives its authority from the Port Commission.
Internal Audit is a catalyst in the Port's sound governance and
risk management.

Institute of Internal Auditors (IIA) - Combined Assurance

The governing body, management, and internal audit have their distinct
responsibilities, but all activities need to be aligned with the
objectives of the organization. The basis for successful coherence is
regular and effective coordination, collaboration, and communication.

Source: The Institute of Internal Auditors, THE IIA'S THREE LINES MODEL - An Update of the Three Lines of Defense, published in July 2020.


17 Audits, 1 Analysis Memo, 2 Summary Reports Completed in 2020

Limited Contract Compliance (5)
Concourse Concessions, LLC
McDonald's USA, LLC
Fireworks Galleries, LLC
Qdoba Restaurant Corporation
E-Z Rent A Car, Incorporated

Operational (9)
Equipment Acquisition, Monitoring & Disposal
Ground Transportation - Taxi Cabs
Cash Controls
Interlocal Agreement Mapping [1]
Delegation of Authority [2]
Public Health Emergency Leave Program (PHEL) [3]
Capital
Service Tunnel Renewal/Replace Project
Central Terminal Infrastructure Upgrade (Bid and Design Phases)
AOA Perimeter Fence Line Standards Project

Information Technology (6)
Network Password Management
Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
Inventory & Control of Software Assets
Malware Defenses (ICT) [2]
Payment Card Industry (PCI) - Qualified Security Assessor [4]
Criminal Justice Information Systems (CJIS) [5]

[1] This is a focused analysis, not an audit; accordingly, we issued a Memo.
[2] This contingency audit was approved by the Audit Committee in December 2019.
[3] This audit was added per HR request.
[4] This work was performed by an outside firm. Internal Audit provided a summary report to the Audit Committee.
[5] This work was performed by the Washington State Patrol. Internal Audit provided a summary report to the Audit Committee.


Key Themes
2020 Audits identified 3 High Risk, 21 Medium Risk, and 4 Low Risk
rated issues for management action.
Internal Audit responded to the unprecedented pandemic risk to the
Port by initiating and completing a time-sensitive advisory project on
FEMA Reimbursement and a Public Health Emergency Leave Audit.
The Port has opportunities to strengthen internal controls and related
processes to mitigate business risks.
The Port has opportunities to reduce change orders, schedule delays,
and design issues on future projects.

Highlighted Audits
1) Cash Controls
2) Public Health Emergency Leave Program (PHEL)
3) Ground Transportation - Taxicabs



Operational - Cash Controls
Audit scope included - Fishermen's Terminal (FT), Shilshole Bay Marina (SBM),
and Airport Lost and Found (L&F)
Cash is the most liquid of assets and is inherently susceptible to
misappropriation
Evaluated the design and effectiveness of internal controls supporting cash
processes
Audit Time Period: January 2019 - December 2019
Audit Criteria, including:
RCW 43.09.240 - Deposit of collections
RCW 63.21.060 - Duties of governmental entity acquiring lost property - Disposal of property
Internal controls principles (e.g., Segregation of duties, review/approval by authorized personnel)


Operational - Cash Controls
Cash Receipts by Location:
Department                                           2018 Revenue   2019 Revenue   Total Revenue   % of Total Revenue
Airport Public / Employee Parking                      $3,343,444     $2,971,534       6,314,978                87.3%
Shilshole Bay Marina Operations                           294,835        233,551         528,386                 7.3%
Bell Harbor Int. Conf. Center/World Trade Center           19,942        133,639         153,582                 2.1%
Fishermen's Terminal Operations                            60,301         84,941         145,242                 2.0%
Aviation Customer Service (Airport Lost & Found)*          14,531 *       43,000 **       57,531                 0.8%
Bell Harbor (Pier 66) Marina                               13,584          6,352          19,936                 0.3%
Accounting and Financial Reporting                          7,080          5,049          12,129                 0.2%
Total                                                  $3,753,717     $3,478,067      $7,231,784                 100%

*  Reflects non-claimed currency deposited into Port's account.
** April through December / Hallmark contract commenced April 2019 (does not include foreign currency).



Operational - Cash Controls
(Medium) - Segregation of duties was not integrated into the cash
processes at Fishermen's Terminal and Shilshole Bay Marina. Staff levels
were limited at these locations; however, introducing a few key control
enhancements to the existing processes could reduce the risk of
misappropriation.
A fundamental element of internal control is the segregation of key duties. The basic idea underlying segregation of
duties is that no employee or group of employees should be in a position both to perpetrate and conceal errors or
fraud in the normal course of their duties. In general, the principal incompatible duties to be segregated are:
Custody of cash
Authorization or approval of related transactions affecting cash
Recording or reporting of related transactions
Reconciliations
Status: Management has completed action plans to strengthen the
segregation of duties in the cash handling process.

Operational - Cash Controls
(Medium) - The Airport (SEA) Lost and Found staff did not follow
established procedures on cash handling. Accordingly, during our testing,
we were unable to verify transactions where currency received was
accurately recorded, retained, released to the claimant, or deposited to
the Port's bank account.
During the audit period, April through December 2019, total cash turned over to the
Lost and Found was approximately $43,000 (excluding foreign currencies), of which
approximately $28,500 was not claimed and deposited into the Port's bank account.

Status: Management has completed action plans to reinforce the
enhanced cash handling procedures to the contracted company personnel.

Operational - Public Health Emergency Leave Program (PHEL)
Audit requested by the Senior Director of Human Resources.
Audit Objective - To determine whether the use of PHEL was in alignment with
Port policy.
PHEL was originally authorized for up to 80 hours and extended to 240 hours in
April of 2020 for specific circumstances related to COVID-19.
As of July 2020, 952 Port employees used approximately 155,000 hours of PHEL at
an estimated cost, to the Port, of $7.7 million.
Internal Audit's testing included - interviewing supervisors from multiple
departments and review of supporting documents.
Testing covered 287 employees who used 54,075 hours.


Operational - Public Health Emergency Leave Program (PHEL)
(High) - The lack of centralized administration of the PHEL program and vague
policy language increased the potential that PHEL was abused or approved for
unintended purposes.
Multiple Departments/Teams Involved:
Total Rewards (HR) - Tracked employees who met high-risk category or had children whose schools
or daycare centers were closed.
Health and Safety (HR) - Tracked employees exposed to, experienced symptoms of, or tested
positive for COVID-19. Health and Safety, however, did not monitor or track the number of PHEL
hours an employee used.
Departments Approved for Minimum Essential Staffing - Policy did not address how PHEL was to be
used for minimum essential staffing. Departments were given flexibility on how to allocate, track
hours, and monitor PHEL use. Some managers allowed staff to take PHEL through a rotational basis,
so that there was an "equitable opportunity."
Status: Management has completed action plans to strengthen the controls over
documentation, approval, and compliance monitoring.

Operational - Public Health Emergency Leave Program (PHEL)
(High) - Port management did not have adequate procedures in place to
monitor the potential of employees collecting unemployment insurance
benefits and receiving compensation from the Port concurrently.
Families First Coronavirus Response Act (FFCRA) created an opportunity for employees to
use leave without pay and collect unemployment.
Multiple departments and a third-party vendor had separate independent roles in payroll
coding, monitoring the PHEL program, and approving unemployment claims.
Internal Audit identified three employees who reported compensable time on their
timesheets and received unemployment benefits simultaneously.
Status: Management has completed action plans to improve unemployment
monitoring procedures.

Operational - Ground Transportation - Taxi Cabs
In May 2019, the Port of Seattle Commission, through motion number
2019-03, established a two-year pilot program for the on-demand (flat
rate/for hire) service at the Seattle-Tacoma International Airport. The
program included the following key elements:
The Port earns an all-inclusive per-trip fee of six dollars ($6.00) per outbound trip.
Currently, 409 vehicles are in the program.
Owner/operators that were offering on-demand taxi and flat-rate for-hire services
under the previous program (East Side for Hire) were retained for the pilot program
through September 30, 2021.
Through Commission motion, activity fees were deferred for the period March 25,
2020 through July 31, 2020 to provide relief due to COVID-19.


Operational - Ground Transportation - Taxi Cabs
(High) - The reconciliation process to identify and resolve differences between
the Port's Automated Vehicle Identification (AVI) system and the in-house
phone billing application (App.) needs to be enhanced and performed on a
timely basis. Both the AVI system and application are technology-based tools
that, when functioning as intended, should produce little to no variance, which
will indicate that vehicles are being billed accurately.
The App. count, which bills the driver, was 3,100 higher than the AVI count, which tracks vehicle
activity, in November of 2019.
Internal Audit noted a significant improvement in August of 2020; however, trip volumes were significantly
lower as well, and we did not have sufficient data to conclude whether the issues had been
fixed.
Status: Management will continue to work with BI and aspire to a 100% match
between AVI and App.

Operational - Ground Transportation - Taxi Cabs
(Medium) - An Information Technology control for ensuring that only
authorized individuals had access to the Taxi application had failed.
Although not exploited, an error in coding allowed all users of the Port's
Enterprise network to have limited access to the application.
Users in the Taxi application can enable or disable taxi operators signed up in the program. While this
does not appear to affect the number of billed trips, an issue with approved access could potentially
allow unauthorized vehicles to be added to the system or inappropriately denied access.
Status: Completed. A fix was deployed in October 2020, preventing
non-authorized users from logging into the application. Management will request a
list of authorized users from ICT on a quarterly basis to validate users in the
App.

IT Audits
Continued efforts to perform baseline Center for Internet Security audits (completed
three in 2020) to help ensure the Port has a solid foundation of IT controls. We
completed the following in 2020:
1)  Network Password Management [1]
2)  Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers [1] [4]
3)  Inventory & Control of Software Assets [1] [4]
4)  Malware Defenses (ICT) [1] [4]
5)  Payment Card Industry (PCI) - Qualified Security Assessor [2]
6)  Criminal Justice Information Systems (CJIS) [1] [3]

[1] Security Sensitive - Exempt from public disclosure per RCW 42.56.420; these will not be discussed.
[2] This work was performed by an external Qualified Security Assessor. Internal Audit provided a summary report to the Audit Committee.
[3] This work was performed by the Washington State Patrol. Internal Audit provided a summary report to the Audit Committee.
[4] This is a Center for Internet Security control audit.

Status: Security Sensitive audits were discussed in non-public sessions. The 2020 PCI
review completed by an external firm resulted in an overall COMPLIANT rating.

Limited Contract Compliance
Self-reported revenue from concessionaires and rental car companies
Audits focus on compliance with concession agreement
Two audits not performed due to COVID-19 (Lenlyn Limited and Concessions
International, LLC)

Audits    Underreported Revenue    Due to Port
5         $189,522                 $27,993*

1) Concourse Concessions, LLC*
2) McDonald's USA, LLC
3) Fireworks Galleries, LLC
4) Qdoba Restaurant Corporation
5) E-Z Rent A Car, Incorporated
* In process of collecting - $1,527.


2021 Audit Strategy
Stay independent.
Emphasis on developing staff with existing resources.
Identify control weaknesses through audits, with an increased
focus on partnering with management.
Continue to focus on Capital Delivery (Financial, Quality, &
Schedule).
Focus on the 20 "Center for Internet Security" audits that will
provide the groundwork for well-established cybersecurity
controls.