Audit Committee Presentation
Port of Seattle Audit Committee
Internal Audit Update
Glenn Fernandes - Director, Internal Audit
December 10, 2020
Remote Meeting, 1:30 PM - 3:30 PM
Financial Stewardship | Accountability | Transparency | Operational Excellence | Governance

2020 AUDIT PLAN STATUS
(Status by month, Jan-Dec. KEY: Complete, In Process, Defer to 2021.)

Audit Title | Type
Cash Controls | Operational
Equipment Acquisition, Monitoring and Disposal | Operational
Network Password Management | IT
McDonald's USA, LLC | Contract Compliance
Service Tunnel Renewal/Replace Project | Operational - Capital
Interlocal Agreement Mapping (Note 1) | Operational
E-Z Rent A Car, Incorporated | Contract Compliance
Qdoba Restaurant Corporation | Contract Compliance
Fireworks Galleries, LLC | Contract Compliance
Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers | IT
Concourse Concessions, LLC | Contract Compliance
AOA Perimeter Fence Line Standards Project | Operational - Capital
Payment Card Industry (PCI)-Qualified Security Assessor | IT
Criminal Justice Information Systems (CJIS) | IT
Malware Defenses (ICT only) (Note 2) | IT
Public Health Emergency Leave Program (PHEL) (Note 3) | Operational
Delegation of Authority (Note 2) | Operational
Central Terminal Infrastructure Upgrade (Bid and Design Phases) | Operational - Capital
Ground Transportation - Taxi Cabs | Operational
Inventory and Control of Software Assets | IT
Biometrics | IT
Outside Services (Professional) | Operational
North Terminal Utilities Upgrade - Phase 1 | Operational - Capital
Lenlyn Limited | Contract Compliance
Concessions Int'l, LLC | Contract Compliance
T2 Airport Garage Parking System Replacement | IT

Note 1: Advisory Services Project added per the Commission's request.
Note 2: Contingency audit approved by the Audit Committee in December 2019.
Note 3: Added per HR's request.

2020 Audit Plan Update
- 17 audit reports, 1 analysis memo, and 2 summary reports completed in 2020 as planned: Operational (6), Capital Projects (3), IT (6), and Limited Contract Compliance (5).
- Audits identified 3 High Risk, 21 Medium Risk, and 4 Low Risk rated issues for management action.
- In addition, Internal Audit responded to emerging risks to the Port by performing a time-sensitive audit (PHEL), and two advisory service projects: FEMA Public Assistance Program Coronavirus (COVID-19) and Capital Asset Construction Work In Progress.
- The Port has opportunities to strengthen internal controls and related processes to mitigate business risks.
- The Port has opportunities to reduce change orders, schedule delays and design issues.

2020/2019 Suggested Recoveries

Lease/Concession:

2020 Audits | Amount
Concourse Concessions, LLC | $1,527
McDonald's USA, LLC | 10,265
E-Z Rent A Car, Incorporated | 16,201
Total | $27,993

2019 Audits | Amount
Sixt Rent A Car | $43,299
EAN Holdings, LLC | 6,159
Anton Airfood of Seattle, Inc. | 5,420
Mad Anthony's, Inc. | 15,557
Total | $70,435

Capital:

2020 Audits | Amount
AOA Perimeter Fence Line Standards Project | $232,000
Total | $232,000

2019 Audits | Amount
Concourse D Hardstand Holdroom | $60,000
Checked Baggage Optimization Project (Phase 1) | 629,142
Total | $689,142

2020/2019 Controllable Cost Over-Runs

Audit | 2019 Amount | 2020 Amount
Noise Insulation Program* | $660,140 | 0
Shilshole Bay Marina Customer Facilities Project** | 186,400 | 0
Service Tunnel Renewal/Replacement Project | 0 | $160,000
AOA Perimeter Fence Line Standards Project | 0 | 106,000
Total | $846,540 | $266,000

* Calculated assuming a 16% margin markup vs. 51%.
** Calculated based on design changes and revision back to original design.

Operations Audit Approach
- Risk Universe: 56 departments*
- Risk scoring:
  - Six Risk Categories (Compliance, Reputation, Safety, Financial, Fraud, Strategy): Low 1 - High 5
  - Subjective (Commission Requests, Management Input, Prior Audit History): Low 1 - High 10
  - Score: Low 0-24, Medium 25-34, High 35-40

Division/Department | Audit | Compliance | Reputation | Safety | Financial | Fraud | Strategy | Subjective | Score | Level
Central Procurement Office | Outside Services (Professional)** | 5 | 4 | 1 | 5 | 5 | 5 | 10 | 35 | High
Accounting & Financial Reporting | Rent & Concessional Deferral Recovery | 4 | 3 | 1 | 5 | 4 | 3 | 10 | 30 | Medium
Legal - Attorney Services | Outside Services (Professional)** | 5 | 4 | 2 | 4 | 2 | 3 | 10 | 30 | Medium
Aviation, Corporate and Maritime Finance and Budget | Capitalization of Assets | 3 | 3 | 2 | 4 | 4 | 3 | 10 | 29 | Medium
Aviation/Maritime - Art Collection | Art Program | 3 | 2 | 1 | 3 | 3 | 5 | 10 | 27 | Medium
Aviation Environment and Sustainability - Aviation Environmental Services | Noise Monitor Data Accuracy; South King County Fund | 4 | 5 | 1 | 1 | 1 | 5 | 10 | 27 | Medium

* See Appendix A - Operations Audit Universe.
** Includes two departments.

Capital Projects Audit Approach
- 22 projects currently under contract >$1MM*
- Risk rating of projects utilizing six attributes:
  - Project Size (Construction Costs)
  - Change Orders (Original Contract Sum)
  - Contract Type
  - Schedule
  - Budget
  - Known Concerns (Errors & Omissions, Potential Claims, Scope Changes, etc.)

Division | Current Contract Amount | YTD Cost as of Oct. 2020
Aviation | $1,710 MM | $1,426 MM
Non-Aviation | 11 MM | 9 MM
Total** | $1,721 MM | $1,435 MM

* See Appendix B - Capital Risk Universe - Projects Currently Under Contract, Risk Rating Methodology.
** Contract costs as of October 2020. Does not include total project cost (Port's internal/soft cost).

2021 Proposed Capital Project Audit Plan

Name | Schedule Rating* | Budget Rating* | Contract Amount
Central Terminal Infrastructure Upgrade (Construction Phase) | Red | Red | $12.3MM
North Terminals Utilities Upgrade Phase 1 | Green | Red | 12.8MM
Checked Baggage Recap/Optimization - Phase II | Green | Red | 293.7MM
Restroom Renovations Phase 3 Prototype | Red | Red | 3.5MM
Total | | | $322.3MM

Contingency Audits** | Schedule Rating* | Budget Rating* | Contract Amount
North Satellite (NSAT) Renovation & Expansion | Red | Red | $492.9MM
International Arrivals Facility | Red | Red | 829.3MM
Total | | | $1,322.2MM

* Ratings generated from Internal Audit's risk assessment, utilizing the following systems: Quarterly Capital Improvement Projects, Contractor Data system, etc. See Appendix B - Capital Risk Universe - Projects Currently Under Contract, Risk Rating Methodology.
** If resources exist, at Internal Audit Director's discretion, these audits will be moved to the 2021 Audit Plan.

Information Technology Audit Plan Approach
- The Port did not have a comprehensive IT Audit program prior to 2018.
- Our IT Audit program* focuses on high risk, high value controls, identified by the Center for Internet Security** (CIS, 20 control areas, 171 controls).
- We are using risk input from Information Security to assist us in determining the order in which to perform the CIS audits. Additionally, we will add audits based on executive management concerns or emerging threats.
- Once we cycle through those 20 high risk areas (we will have completed four by year end 2020), we will likely branch out into looking at other IT General Controls and move to a more classic risk assessment process of assessing risk, using likelihood and impact, to determine what will be on our annual IT audit plan.
* See Appendix C - IT Audit Universe
** https://cybernetsecurity.com/industry-papers/CIS-Controls%20Version-7-cc-FINAL.PDF - page 1

Information Technology Audit Plan

Proposed 2021 Audits/Assessments

Name | Risk (from IT Audit Universe) | Selection Criteria
T2 Airport Garage Parking System Replacement* | N/A | Management Request
Biometrics* | N/A | Audit Committee Request
Malware Defenses Aviation Maintenance | High | Center for Internet Security
Continuous Vulnerability Management | High | Center for Internet Security
Payment Card Industry (PCI) Internal Security Assessor | High | Contractual Requirement

Contingency Audits**

Name | Risk (from IT Audit Universe) | Selection Criteria
Data Recovery Capabilities | High | Center for Internet Security
Wireless Access Control | High | Center for Internet Security

* Deferred to the 2021 Audit Plan from 2020 due to COVID-19 Pandemic.
** If a proposed audit cannot be performed, at the Internal Audit Director's discretion and based on management resources, these audits will be moved to the 2021 Audit Plan.

Lease and Concession Audit Plan Approach
- 129 leases in the risk universe*
- Risk rating of leases primarily based on the three-year revenues, prior audit history, and prescribed audit cycle/frequency
- Other key factors taken into consideration include:
  - Lease agreement status
  - Record retention period for audit
  - Concession business type
  - Port's Business Manager workload

Agreement Year | Total Revenues | Aviation | Economic Development | Maritime
2018 | $126 MM | $118 MM | $2 MM | $6 MM
2019 | 126 MM | 120 MM | 2 MM | 4 MM
2020** | 37 MM | 33 MM | 1 MM | 3 MM
Total | $289 MM | $271 MM | $5 MM | $13 MM

Rating | Number of Leases | 2018-2020 Revenue | Percentage | Frequency
High | 11 | $165 MM | 57% | 5-year cycle***
Medium | 21 | 88 MM | 31% | 10-year cycle***
Low | 97 | 36 MM | 12% | As needed
Total | 129 | $289 MM | 100% |

* See Appendix D - Lease Concession Risk Universe.
** Annualized using a simple average, based on actual data as of 8/31/2020.
*** Changed from 4-year to 5-year cycle (High Risk), and 8-year to 10-year cycle (Medium Risk).

2021 Lease and Concession Audits

Name | Division | Rating | 2018-2020 Revenues
Rasier, LLC | Aviation | High | $17,276,898
Lyft | Aviation | High | 10,393,254
Lenlyn Limited* | Aviation | Medium | 2,960,535
Seattle Tacoma Int'l Limousine Assoc. | Aviation | Low | 1,848,469
Dilettante Chocolate Inc | Aviation | Low | 1,288,769
Fruit & Flower, LLC** | Aviation | Low | 1,221,769
Total | | | $34,989,662

Contingency Audit***
Dufry Seattle JV | Aviation | High | $14,606,006
Total | | | $14,606,006

* Deferred to the 2021 audit plan from 2020 due to COVID-19 Pandemic.
** Replaced Concessions International, LLC that was deferred to the 2021 plan from 2020 due to COVID-19 Pandemic, based on the Concessions' contract termination as of 9/30/2018 and the three-year record retention for audit.
*** If resources exist, at Internal Audit Director's discretion, this audit will be moved to the 2021 Audit Plan.

Historical Reports Overview 2017 - 2021

Report Type | 2017* | 2018** | 2019 | 2020 | 2021 (Proposed)
Operational | 11 | 8 | 4 | 6 | 5
Operational - Capital | 1 | 5 | 4 | 3 | 4
Information Technology | 2 | 3 | 6 | 6 | 5
Limited Contract Compliance | 8 | 6 | 5 | 5 | 6
Total | 22 | 22 | 19 | 20 | 20

* 2017 included 9 audits carried over from the 2016 audit plan. The 1st and 2nd Quarter Audit Committee Meetings discussed 2016 Audits.
** 2018 included 6 audits carried over from the 2017 audit plan. The 1st Quarter Audit Committee Meeting discussed 2017 Audits.

Proposed 2021 Audit Plan

Limited Contract Compliance
- Rasier, LLC
- Lyft
- Lenlyn Limited (1)
- Seattle Tacoma Int'l Limousine Association
- Dilettante Chocolate, INC
- Fruit & Flower, LLC (DBA Floret Authority)

Operational
- Rent & Concession Deferral Recovery
- Capitalization of Assets
- Art Program
- Noise Monitor Data Accuracy
- South King County Fund

Information Technology
- T2 Airport Garage Parking System Replacement (1)
- Malware Defenses Aviation Maintenance
- Continuous Vulnerability Management
- Biometrics (1)
- Payment Card Industry (PCI) - Internal Security Assessor (2)

Capital
- Central Terminal Infrastructure Upgrade (Construction Phase)
- North Terminal Utilities Upgrade Phase 1 (1)
- Checked Baggage Recap/Optimization - Phase II
- Restroom Renovations Phase 3 Prototype

(1) Moved to 2021 audit plan from 2020 due to COVID-19 Pandemic.
(2) This work (which is not an audit) will be performed by Internal Audit.

Contingency Audits - if resources exist, at Internal Audit Director's discretion, these audits will be moved to the 2021 Audit Plan.

Limited Contract Compliance
- Dufry Seattle JV

Operational
- Outside Services (Professional) (1)
- Architectural & Engineering Consultant Rates Follow-Up Audit

Information Technology
- Data Recovery Capabilities
- Wireless Access Control

Capital
- North Satellite (NSAT) Renovation & Expansion
- International Arrivals Facility

(1) Moved to 2021 audit plan from 2020 due to COVID-19 Pandemic.

Open Issue Follow-Up Status
Aging Report as of December 10, 2020

* Six issues outstanding for more than two years are:

1 - Fishing & Commercial Operations Manual Billing Process at Risk of Error
    To be built in house - Vendor was unable to meet ICT requirements. Commission approved $410,000 additional funding for the Vessel Management System via Unanimous Consent on September 22, 2020.

Security Sensitive - Exempt from Public Disclosure per RCW 42.56.420 - Issue Not Discussed in Public Session.
1 - IT Disaster Recovery
1 - IT Change Management and Patch Management
3 - AVM/F&I Data Centers

See Appendix E for a detailed listing of outstanding issues as of December 10, 2020.

Audits Completed in Fourth Quarter, 2020
1) Ground Transportation - Taxi Cabs
2) Public Health Emergency Leave Program (PHEL)
3) Central Terminal Infrastructure Upgrade (Bid and Design Phases)
4) Delegation of Authority
5) Inventory & Control of Software Assets*

* Security Sensitive - Exempt from Public Disclosure per RCW 42.56.420 - Not Discussed in this Public Session.

Ground Transportation - Taxi Cabs

In May 2019, the Port of Seattle Commission, through motion number 2019-03, established a two-year pilot program for the on-demand (flat rate/for hire) service at the Seattle Tacoma International Airport. The program included the following key elements:
- The Port earns an all-inclusive per-trip fee of six dollars ($6.00) per outbound trip.
- Currently, 409 vehicles are in the program.
- Owner/operators that were offering on-demand taxi and flat-rate for-hire services under the previous program (East Side for Hire) were retained for the pilot program through September 30, 2021.
- Through Commission motion, activity fees were deferred for the period March 25, 2020 through July 31, 2020 to provide relief due to COVID-19.

The reconciliation process to identify and resolve differences between the Port's Automated Vehicle Identification (AVI) system and the in-house phone billing application (App.) needs to be enhanced and performed on a timely basis.
- Both the AVI system and the application are technology-based tools that, when functioning as intended, should produce little to no variance, which will indicate that vehicles are being billed accurately.
- The App. count, which bills the driver, was 3,100 higher than the AVI count, which tracks vehicle activity, in November of 2019.
- Internal Audit noted a significant improvement in August of 2020; however, trip volumes were significantly lower as well, and we did not have sufficient data to conclude whether the issues had been fixed.

(High) Issue continued:
- Beginning in March of 2020 through June 2020, fees due from operators were deferred until March 31, 2021. Thereafter a 1% interest rate was levied on outstanding balances.
- During this time, the app. was turned off and manual counts of vehicle trips were performed.
- The decision was made to use the lower of the manual counts, performed by ABM, or the AVI counts, to bill taxi operators.
- Internal Audit tested the month of May 2020 and identified a 4.3% variance. This is reflected in the table below:

May 2020 |
AVI count (without Code 11 trips) | 2,899
ABM manual count | 2,778
Difference | 121

Recommendations
- Management should continue to engage the Business Intelligence department (BI), which possesses subject matter expertise for building a technology-based reconciliation.
- Internal Audit recommends that BI fully develop the reconciliation based on input from both Operations and Business Development.

2) Rating: Medium
An Information Technology control for ensuring that only authorized individuals had access to the Taxi application had failed. Although not exploited, an error in coding allowed all users of the Port's Enterprise network to have limited access to the application.
- Users in the Taxi application can enable or disable taxi operators signed up in the program. While this does not appear to affect the number of billed trips, an issue with approved access could potentially allow unauthorized vehicles to be added to the system or inappropriately denied access.
- Internal Audit identified an individual who had access to the Taxi application but did not appear on a list of authorized users maintained by the Information and Communications Technology department (ICT).
- Upon investigation, ICT identified a coding flaw in the application that allowed the access noted above to all users of the Enterprise network. The coding flaw has been corrected, and ICT has modified their coding requirement to prevent it from reoccurring.

3) Rating: Low
The process to assure that all vehicles in the taxicabs program were inspected within a specified/predetermined frequency needed to be improved.
- Prior to the COVID Pandemic, vehicle inspections were carried out on a random basis, which did not assure that all vehicles were inspected.
- Operator agreements state "Operator's vehicles, employees, agents and drivers may be inspected for cleanliness, proper equipment, good appearance, safe operating conditions and violation of any laws".
- Inspections for two vehicles, from a sample of fifteen, had not been performed.
- Aligns to "best in class" Ground Transportation customer experience.

Management Response - Issue 1
The Ground Transportation (GT) team has a system in place to consistently perform monthly reconciliations/comparisons of the Taxi App's trip activity and the AVI system trip activity. That process continues to be refined and streamlined as the Pilot Program advances. While we aspire to a 100% match and reconciliation, the process of recording trip activity requires a manual scan of each vehicle accessing the Taxi curb in the airport garage. Challenges remain with the Taxi App and the AVI system recording equivalent numbers of trips. The Taxi App records revenue-generating trips only, as manually scanned by an ABM employee and has risk for human error (missed scan, double scan etc.), while the AVI system reports ALL exits from the Airport. We will continue to work with BI to look at the process and have a goal of matching all trips. We'll also continue to investigate a technology solution that will support both the current Pilot Program and its successor.
DUE DATE: Completed*
Management will discuss in detail.
(Full response in Audit Report No. 2020-16)
* Internal Audit plans to verify completeness by 12/31/2020.

Management Response - Issue 2
A fix for this defect was deployed in October 2020. This fix applied corrected authorization logic. Audit logs for the application were also reviewed to look for cases where inappropriate personnel would have made any modifications. This review did not find evidence of the defect being inappropriately exploited. Since the bug was introduced, additional testing practices have been developed. These testing practices include checks specific to this type of defect and are expected to help prevent this in the future.
As the On-Demand Taxi Pilot Program was implemented, the Ground Transportation Manager provided ICT with a list of staff who should be given access to the Taxi App in order to authorize and de-authorize vehicles. The Ground Transportation team will continue to work with our ICT partners to ensure authorized users have access. Ground Transportation will request a list of authorized users from ICT on a quarterly basis to validate users in the Taxi App.
DUE DATE: Completed
Management will discuss in detail.
(Full response in Audit Report No. 2020-16)

Management Response - Issue 3
There is not a specific requirement for Port staff to license or inspect Taxi/Flat Rate vehicles. However, prior to the COVID-19 pandemic, each on-demand taxi was physically inspected by Ground Transportation staff each regularly. This is in addition to the work performed by the Department of Licensing and King County. With the Pilot Program, there is not a requirement for the Port to conduct inspections, only that Operators are to make their vehicles available for inspection as requested by the Port GT team.
Given the more recent concerns about the safety of doing in-person, onsite vehicle inspections, we have modified our inspection process. Since March 2020, the inspection process has become a virtual review of driver credentials, i.e., for-hire license, business license, vehicle insurance, etc. We partner with King County for current information related to driver credentials and by contacting drivers directly to see how they've been faring during this pandemic and collect any missing information.
Effective January 1, 2021 our process will include:
- Vehicles and operating documents will be inspected on a quarterly basis.
- Each GT Controller will be assigned a specific set of vehicles for inspection.
- Inspections will primarily be accomplished by reviewing operating documents (licenses, insurance, operating agreement).
- Lead GT Controllers will review the list of active vehicles monthly for compliance.
DUE DATE: 01/01/2021
Management will discuss in detail.
(Full response in Audit Report No. 2020-16)

Public Health Emergency Leave Program (PHEL)
- Audit requested by the Senior Director of Human Resources.
- Audit Objective - To determine whether the use of PHEL was in alignment with Port policy/applicable laws.
- PHEL was originally authorized for up to 80 hours and extended to 240 hours in April of 2020 for specific circumstances related to COVID-19.
- As of July 2020, 952 Port employees used approximately 155,000 hours of PHEL at an estimated cost, to the Port, of $7.7 million.
- Internal Audit's testing included interviewing supervisors from multiple departments and review of supporting documents. Testing covered 287 employees who used 54,075 hours.

1) Rating: High
The lack of a centralized administration of the PHEL program and vague policy language increased the potential that PHEL was abused or approved for unintended purposes.
Multiple Departments/Teams Involved:
- Total Rewards (HR) - Tracked employees who met high-risk category or had children whose schools or daycare centers were closed.
- Health and Safety (HR) - Tracked employees exposed to, experienced symptoms of, or tested positive for COVID-19. Health and Safety, however, did not monitor or track the number of PHEL hours an employee used.
- Departments Approved for Minimum Essential Staffing - Policy did not address how PHEL was to be used for minimum essential staffing. Departments were given flexibility on how to allocate, track hours, and monitor PHEL use. Some managers allowed staff to take PHEL through a rotational basis, so that there was an "equitable opportunity."
Continued

Issue 1: Observations from Testing
- PHEL was approved to care for extended family members.
- Employees were allowed to quarantine, and use PHEL, without notifying Health and Safety.
- During interviews, it was alleged that:
- Some employees viewed PHEL hours as an entitlement and used them for vacation.
- Some employees were not truthful about COVID-19 exposure and/or health conditions.
- Some managers expressed concerns that people took advantage of PHEL but were unable to substantiate it.
- Employees who could telework used PHEL without meeting allowable criteria.
- Employees exceeded PHEL hours, which was hard to identify. (Lack of a system control)

2) Rating: High
Port management did not have adequate procedures in place to monitor the potential of employees collecting unemployment insurance benefits and receiving compensation from the Port concurrently.
- The Federal Families First Coronavirus Response Act created an opportunity for employees to use leave without pay and collect unemployment.
- Multiple departments and a third-party vendor had separate independent roles in payroll coding, monitoring the PHEL program, and approving unemployment claims.
- Internal Audit identified three employees who reported compensable time on their timesheets and received unemployment benefits simultaneously.

Root Causes
- Lack of accountability within Port departments.
- Payroll coding errors are an on-going concern.
- Neither the third-party vendor, nor the Port, received weekly unemployment claims to compare to timesheets.

Management Response - Issue 1
Human Resources (HR) concurs with many of the auditors' observations and has implemented action plans to strengthen the controls over documentation, approval, and compliance monitoring.
In an effort to honor employee privacy and keep medical information confidential while still managing the Port's response to employees exposed to, or diagnosed with COVID-19, we segregated oversight of PHEL use based on the situation while facilitating communication between HR staff about PHEL availability and usage.
We have also updated our internal HR processes to facilitate stronger connections and communications between the various HR employees whose subject matter expertise requires that they engage with employees or managers and answer questions or address administration of PHEL.
We are also updating our administrative document and reviewing the PHEL FAQs to make needed updates. We are encouraging employees to contact our central PHEL program administrator with questions or concerns about potential inappropriate use of PHEL. HR will follow up and address questions or concerns as appropriate.
DUE DATE: Completed
Management will discuss in detail.
(Full response in Audit Report No. 2020-14)

Management Response - Issue 2
Human Resources (HR) concurs with the Audit findings and implemented action plans to improve unemployment monitoring procedures. We are taking steps to better monitor the potential for employees to receive unemployment benefits and Port compensation simultaneously.
DUE DATE: 12/31/2020
Management will discuss in detail.
(Full response in Audit Report No.
2020-14)

Central Terminal Infrastructure Upgrade (Bid and Design Phases)
- The purpose of the Central Terminal Infrastructure Upgrade project (CTIUP) is to provide an additional 10,000 square feet of airport, dining and retail space to the Central Terminal and associated vertical circulation.
- Project will be reviewed in two parts:
  - This audit focused on the bid and design phases.
  - The second audit will review the construction and closeout phases.
- Osborne Construction was awarded the contract for $9.3M. There have been $2.9M in executed change orders and potential cost risks increasing the forecasted construction budget to $12.2M.
- The initial expected date of substantial completion was December 26, 2019. 278 approved days extended substantial completion to September 29, 2020. The Project was substantially completed in late November 2020.

1) Rating: Medium
The lack of involvement, participation, and collaboration between the key stakeholders during the review and approval of designs resulted in additional project costs and schedule delays.
- No mandatory requirement for key stakeholders to provide feedback and approve key design milestones in a timely manner.
- Full approval of each design milestone may decrease the potential for scope changes after the design is approved.
- Opportunity for the project management team to be more involved with stakeholders to assure they have a complete understanding of projects and the impact of scope changes after designs have been approved.

Management Response
Three key points from the Aviation Division in response to the audit findings:
Since this project went through the bid and design phase there have been significant changes to project processes, that if in place at the time, could have mitigated the cost increases. The first relevant project process change, made in 2020, was additional requirements during the project definition phase.
Two significant changes to construction sequencing and project design were made as conscious business decisions to meet customer service needs and to gain revenue, which offset the cost of the changes.
Finally, Aviation Project Management is developing additional process changes to address the recommendation of mandatory design review participation. Changes include designation of mandatory reviewers for each project beginning or already in design and development of communications expectations for non-technical design reviewers (e.g. Aviation business management). These changes will be complete in Q2 2021.
DUE DATE: 6/30/2021
Management will discuss in detail.
(Full response in Audit Report No. 2020-18)

Delegation of Authority
- The Port's Delegation of Responsibility and Authority to the Executive Director (ED), as amended, as of June 13, 2017, incorporated Commission Resolutions 3605, 3628, and 3704.
- Established general redelegations from the Commission to the Executive Director (ED).
- Policy EX-2 captures the ED's administrative, monetary, and contractual redelegations of his authority to Port staff.
- Limits are established based on the individual's business needs and are typically commensurate with the individual's title/position in the company.
- Prior to entering into an agreement, Commission approval is required for contracts that exceed $300,000.

This audit employed a unique approach. While Internal Audit (IA) conducted the audit using protocols consistent with Internal Audit Standards, IA partnered with the Strategic Initiatives Department so that any recommendations resulting from the audit could then be implemented leveraging the knowledge and insight gained from the audit experience.
John Okamoto, under the direction of the Port's Chief Operating Officer, Dave Soike, provided outside expertise and perspective. Mr.
Okamoto serves on the Executive Review Panel and provides recommendations to the ED and the Commission related to the International Arrivals Facility.
No Internal Control Deficiencies were noted.

1) Efficiency Opportunity
In March 2010, the Port's Delegation of Authority limit was established at $300,000. The limit requires Commission approval for expenditures that exceed $300,000. Re-evaluating the limit using a risk-based approach could result in increasing the limit, thereby allowing the Commission to maintain a more strategic focus while providing greater autonomy for the Executive Director and staff to carry out day-to-day business.

Of the contracts executed over a 19-month period ending July 31, 2020, Commission approval was required for 74, which represented 98 percent of the overall spend.

Major Construction / Service Agreements | # of contracts | Amount | % of Spend
> $300,000 | 74 | $598,831,699 | 98%
< $300,000 | 136 | 10,063,130 | 2%
Total | 210 | $608,894,829 | 100%

If Commission delegated authority increased from $300,000 to $1,000,000, Commission approval would still be required for 95 percent of the overall spend.

Major Construction / Service Agreements | Contracts | Amount | % of Spend
>$10,000,000 | 6 | $418,496,152 | 69%
$5,000,001 - $10,000,000 | 11 | 73,677,331 | 12%
$3,000,001 - $5,000,000 | 15 | 63,031,110 | 10%
$1,000,001 - $3,000,000 | 14 | 25,113,715 | 4%
$300,001 - $1,000,000 | 28 | 18,513,391 | 3%
$0 - $300,000 | 136 | 10,063,130 | 2%
Total | 210 | $608,894,829 | 100%

Internal Audit also performed limited benchmarking with other Government Agencies in Washington State. The information provides a reference point for comparison that may be useful when evaluating current delegated limits.

Agency | Governing Body | Delegate | Amount Delegated
King County | 9-member council | King County Executive | No limit*
City of Seattle | 9-member council | City Mayor | No limit*
Sound Transit | 18-member board | Chief Executive Officer | $5,000,000
Northwest Seaport Alliance | 10-member commission | Chief Executive Officer | $300,000
Port of Seattle | 5-member commission | Executive Director | $300,000
Port of Tacoma | 5-member commission | Executive Director | $300,000

* Council approves a budget (King County biennially; City of Seattle annually). Management is not required to obtain Council approval if the contract amount is within the Agency's adopted appropriation authority.

Recommendations
- Management should work with the Commission to identify if the current process and thresholds can be modified to maintain/increase transparency and governance.
- Sound Transit held an open public meeting in 2018, prior to making substantial changes to their delegation of authority.
- Consider leveraging standing committees to achieve efficiencies and increase transparency.
- Apply a risk-based approach, to determine items that require full Commission attention.
- Risk factors not only include financial exposure that Commission is willing to delegate to management, but should also include non-financial factors, such as social, environmental, reputational or regulatory elements.
- If limits are raised, we also recommend frequent (monthly) and robust reporting to the Commission and the public.

Management Response - Remarks by John Okamoto
- View from independent eyes from an elected official, and senior executive responsible for delivery of "mega-projects."
- Clean audit affirms the Port has created a culture of compliance since 2007.
- BUT, with an unintended consequence of significant administrative inefficiencies and opportunity cost for Commission policy focus.
- Audit highlights opportunity to achieve efficiencies as compared to other public agencies and allow Commission to focus in on more critical issues.
Risks of lifting the $300k delegation of authority can be managed by affirming existing policy controls adopted by the Commission, implementing appropriate administrative controls, enhancing public transparency of project status and changes, and continued Commission oversight through sub-committees and identification of high priority projects.

Management Response Delegation of Audit Results

Test of a 1.5-year period demonstrates the delegation system is performing well and as designed
Delegations can be complex, yet testing demonstrates guidance documents clearly laid out and being followed by staff
An efficiency opportunity was identified
What kind of efficiency
How to best identify an appropriate adjustment

Management Response Efficiency Opportunity

Delegation level was set 10 years ago. Since then the capital construction and consulting have grown tremendously.

Delegation Level | Who Approves What | Benefit
If $300,000 | Commission Action 98% | Status Quo
 | Executive Director - 2% |
If $1,000,000 | Commission Action - 95% | Saves 28 actions per year. Added Commission time for strategy and mission focus.
 | Executive Director - 5% | Added Staff Efficiency (Microsoft and cart examples)
If 10,000,000 | Commission Action - 69% | Saves 68 actions per year. Added Commission time for strategy and mission focus.
 | Executive Director - 31% | Added Staff Efficiency

Management Response - Comparator Agencies

AGENCY | DELEGATION | 5 YEAR CAPITAL BUDGET
King County | No limit within bi-annual budget | $5 B
City Seattle | No limit within bi-annual budget | $5.2 B
UW | 15,000,000 | $3.7 B
Sound Transit | 5,000,000 | $1.9 B
Port of Seattle | 300,000 | $3.4 B
NWSA | 300,000 | $440 M
San Fran. Int. Airport | 1,000,000 | $4.8 B

Staff will research, gather data, and analyze, to find best balance with transparency and process checks and balances (procedures and control mechanisms).

Management Response - Objectives and Values for Staff Approach

Objectives: Find best balance for efficient delegation level(s) while ensuring transparency and governance that best matches the Port's Business. Efficiency for Commission, staff and partners

Values: Free Commission time for strategies and mission priorities, while delegating lesser risk items to Executive Director. Find transparent means to assure Commission awareness and involvement commensurate with delegation (quarterly briefs, action items, monthly reports, dashboards, 1:1's, ED briefs, and others).

Management Response Staff Approach

Six Areas in Work Plan
Establish Multi-departmental & Business Unit Team
Transparency Reporting
  - What Port does not
  - What other agencies do
  - "Voice of customers"
Commission Efficiency: Develop efficient check and balances vs. delegation
Delegation level: Propose options, weigh risks, and test vs. transparency and efficiency
Identify Optimum Recommendation(s)
Update Commission at the end of Q1 2021

Appendix
A Operations Risk Universe
B Capital Risk Universe & Risk Rating Methodology
C IT Risk Universe
D Lease/Concession Risk Universe
E Aging of Outstanding Issues as of December 10, 2020

Appendix A Operations Risk Universe
Score Level 35-40 High 25-34 Medium 0-24 Low
Division Department Sub Department Compliance Reputation Safety Financial Fraud Strategy Subjective Score Level
Aviation Aviation Maintenance Mechanical Systems; Electrical, Electronics and STS; 5 5 5 5 5 5 10 40 High Facilities, Fleet, Systems and Grounds; Asset Management and Logics; Custodial Services (Aviation Sign Shop) Police Department Police Department Police Department 5 5 5 3 4 5 10 37 High Chief Financial Officer Information Communication Information Communication Technology 5 5 1 5 5 5 10 36 High Technology Chief Financial Officer Information Security Information Security 5 5 1 5 5 5 10 36 High Human Resources HR Systems HR Systems 5 5 1 5 5 5 10 36 High Chief Financial Officer Risk
Management Credentials/ID Badges (Physical Access; Security 5 5 5 3 5 5 8 36 High Strategy/Intelligence/Compliance; Employee Security Screening Program; Security Key Management) Aviation Commercial Management Parking Revenue Management; Airport Dining and 4 5 3 5 4 5 10 36 High Retail; Aviation Business Development and Analysis; Properties (including Airport Lease Agreements) Aviation Emergency Preparedness Emergency Preparedness 4 5 5 3 3 5 10 35 High Central Procurement Office Central Procurement Office Service Agreements; (includes delegation of 5 4 1 5 5 5 10 35 High authority) Chief Financial Officer Risk Management Emergency Preparedness 4 5 5 3 3 5 10 35 High Central Procurement Office Central Procurement Office Purchasing; (includes delegation of authority; P- 5 4 1 5 5 5 10 35 High Card) Legal Workplace Responsibility Office Workplace Responsibility Office (Code of Conduct 5 5 2 5 4 4 10 35 High Guidance and Support) Chief Financial Officer Aviation, Corporate and Maritime Treasury 5 5 1 5 5 3 10 34 Medium Finance and Budget Aviation Airport Operations Safety Management Operations 5 5 5 3 3 5 8 34 Medium 49 Appendix A Operations Audit Universe (continued) Score Level 35-40 High 25-34 Medium 0-24 Low Division Department Sub Department Compliance Reputation Safety Financial Fraud Strategy Subjective Score Level Aviation Aviation Security Credential Center (Physical Access; Security 5 5 5 2 4 3 10 34 Medium Strategy/Intelligence/Compliance; Employee Security Screening Program; Security Key Management) Maritime Maritime Environment & Environment & Sustainability *Reporting to Sr. 
5 5 3 3 2 5 9 32 Medium Sustainability Director Environment & Sustainability Maritime Maritime Operations and Maritime Ops 4 3 4 4 2 4 10 31 Medium Security Chief Financial Officer Accounting & Financial Reporting Accounts Receivable (Revenue Services) 4 3 1 5 4 3 10 30 Medium Chief Financial Officer Accounting & Financial Reporting Billing 4 3 1 5 4 3 10 30 Medium Human Resources Employee Relations Employee Relations 5 5 1 3 1 5 10 30 Medium Human Resources Health and Safety Health and Safety 3 5 5 2 1 4 10 30 Medium Legal Attorney Services Attorney Services 5 4 2 4 2 3 10 30 Medium Chief Financial Officer Accounting & Financial Reporting Accounts Payable (Disbursements) 4 3 1 5 4 3 10 30 Medium Chief Financial Officer Accounting & Financial Reporting Payroll 4 3 1 5 4 3 10 30 Medium Economic Development Diversity in Contracting WMBE Utilization in Contracting/Outreach 5 5 1 2 3 5 8 29 Medium Aviation Airport Operations Landside (Airport Transit Ops, Employee Parking, 5 4 3 2 2 4 9 29 Medium Public Parking, Ground Transportation) Chief Financial Officer Aviation, Corporate and Maritime Funding and Financing (Budget and Business Plan; 4 3 1 5 4 3 9 29 Medium Finance and Budget Financial Reporting) 50 Appendix A Operations Audit Universe (continued) Score Level 35-40 High 25-34 Medium 0-24 Low Division Department Sub Department Compliance Reputation Safety Financial Fraud Strategy Subjective Score Level Equity, Diversity and Equity, Diversity and Inclusion Equity, Diversity and Inclusion infused into 4 5 1 2 2 5 10 29 Medium Inclusion infused into Corporate Culture, Corporate Culture, Strategies and Goals Strategies and Goals Chief Financial Officer Aviation, Corporate and Maritime Asset Management and Inventory (Physical Assets; 3 3 2 4 4 3 10 29 Medium Finance and Budget CIP) Human Resources Employee Records Employee Records (Offboarding: 5 5 1 1 3 3 10 28 Medium Separation/Retiring Employees) Chief Financial Officer Risk Management Claims Management 5 4 1 4 3 3 8 
28 Medium Aviation Art Collection Art Collection 3 2 1 3 3 5 10 27 Medium Labor Relations Collective Bargaining Agreement Collective Bargaining Agreement Negotiations 4 4 1 2 2 4 10 27 Medium Negotiations Maritime Art Collection Art Collection 3 2 1 3 3 5 10 27 Medium Aviation Airport Operations (206)787-SAFE 5 5 5 2 2 5 3 27 Medium Aviation Airport Operations Cargo Operations 4 4 5 2 4 5 3 27 Medium Chief Financial Officer Risk Management Incident Reporting 5 4 5 3 3 4 3 27 Medium Aviation Airport Operations Airfield Operations 5 4 5 2 2 4 5 27 Medium Chief Financial Officer Risk Management Insurance Programs 5 3 3 5 2 4 5 27 Medium Maritime Cruise Operations and Maritime Cruise 2 5 3 5 2 5 5 27 Medium Marketing Maritime Cruise Operations and Maritime Cruise Services Management 2 5 3 5 2 5 5 27 Medium Marketing 51 Appendix A Operations Audit Universe (continued) Score Level 35-40 High 25-34 Medium 0-24 Low Division Department Sub Department Compliance Reputation Safety Financial Fraud Strategy Subjective Score Level Equity, Diversity and Equity Goals and Objectives Equity Goals and Objectives Incorporated 4 5 1 2 2 5 8 27 Medium Inclusion Incorporated Maritime Portfolio & Asset Management Maritime Portfolio *Reporting to Managing Director 3 3 1 5 3 4 8 27 Medium Economic Development Engineering, Environment Aviation Environmental Services Aviation Environmental Services (Noise Program; 4 5 1 1 1 5 10 27 Medium and Sustainability Contaminated Soil and Groundwater; Air Quality and Climate; Recycling and Hazardous Waste Programs; SEPA/NEPA; Water Resources and Wetlands; South King County Fund) Aviation Airport Operations Snow Operations 4 3 5 3 1 4 6 26 Medium Legal Public Records Public Records (Records Management; Email 5 5 1 1 1 3 10 26 Medium Management; Open Public Meetings; Records Center - SharePoint) Labor Relations External Labor Relations External Labor Relations 5 5 1 5 2 4 3 25 Medium Labor Relations Internal Labor Relations Internal Labor Relations 5 5 1 
5 2 4 3 25 Medium Chief Financial Officer Risk Management Contracting Insurance Information 5 3 2 5 2 3 5 25 Medium Maritime Marine Maintenance Marine Maintenance 3 3 5 3 3 3 5 25 Medium Maritime Maritime Environment & Habitat *Reporting to Sr. Director Environment & 4 5 2 2 2 5 5 25 Medium Sustainability Sustainability Maritime Maritime Environment & Stormwater Utility *Reporting to Sr. Director 5 4 4 3 1 3 5 25 Medium Sustainability Environment & Sustainability Aviation Airport Operations Fire Department (Fire Suppression; Prevention; 4 4 5 1 1 3 7 25 Medium Training) Economic Development Tourism Development Tourism Development 1 4 1 3 1 4 10 24 Low Human Resources Talent Development Talent Development (Job 5 4 1 3 4 5 2 24 Low Evaluation/PerformanceLink) 52 Appendix A Operations Audit Universe (continued) Score Level 35-40 High 25-34 Medium 0-24 Low Division Department Sub Department Compliance Reputation Safety Financial Fraud Strategy Subjective Score Level Economic Development Real Estate Development Real Estate & Economic Development 3 3 1 5 3 4 5 24 Low Aviation Airport Operations Customer Service Operations 3 4 2 2 3 4 6 24 Low Equity, Diversity and Workforce Development Workforce Development 1 4 1 2 1 4 10 23 Low Inclusion Aviation Airport Building Department Landscape Design Standards 4 3 3 3 3 4 3 23 Low Chief Financial Officer Accounting & Financial Reporting Financial Reporting and Controls 4 3 1 5 4 3 3 23 Low Chief Financial Officer Accounting & Financial Reporting General Ledger 4 3 1 5 4 3 3 23 Low Chief Financial Officer Accounting & Financial Reporting Travel Card System and Information 4 3 1 5 4 3 3 23 Low Chief Financial Officer Aviation, Corporate and Maritime Cost Recovery (Budget) 4 3 1 5 4 3 3 23 Low Finance and Budget Chief Financial Officer Risk Management Driver Safety Program 5 3 5 3 1 3 3 23 Low Strategic Initiatives Strategic Initiatives Strategic Planning 3 5 2 3 2 5 2 22 Low Engineering, Maritime Environmental and Maritime 
Environmental and Planning 3 4 3 1 1 5 5 22 Low Environment and Planning Sustainability External Relations Community Engagement Community Engagement (Community Relations) 1 5 1 1 1 5 8 22 Low Human Resources Total Rewards Total Rewards (Spirit and Wellness) 3 4 1 3 3 5 2 21 Low Maritime Maritime Operations and Security Fishermen's Terminal 2 3 3 2 4 5 2 21 Low Maritime Maritime Operations and Security Fishing and Commercial Vessel Management 2 3 3 2 4 5 2 21 Low Maritime Maritime Finance & Budget Finance & Budget *Reporting to Chief Financial 4 3 1 3 3 4 3 21 Low Officer Aviation Airport Innovation Continuous Process Improvement 3 4 2 2 2 5 2 20 Low 53 Appendix A Operations Audit Universe (continued) Score Level 35-40 High 25-34 Medium 0-24 Low Division Department Sub Department Compliance Reputation Safety Financial Fraud Strategy Subjective Score Level Maritime Marine Maintenance Parks Maintenance 1 5 4 2 1 5 2 20 Low Strategic Initiatives Strategic Initiatives Continuous Process Improvement 3 4 2 2 2 5 2 20 Low External Relations Government Relations Government Relations 3 5 1 2 1 3 5 20 Low Chief Financial Officer Risk Management Foreign Travel 4 4 4 3 2 1 1 19 Low Human Resources Talent Acquisition Talent Acquisition 3 5 1 3 1 5 1 19 Low Economic Development Facilities Management Order an Office Chair 1 1 1 2 2 1 10 18 Low External Relations Strategic Communications Strategic Communications 3 5 1 2 1 5 1 18 Low Aviation Airport Operations Terminal Operations 2 4 4 2 1 2 3 18 Low Maritime Cruise Operations and Maritime Maritime 1 4 1 4 1 5 1 17 Low Marketing Maritime Cruise Operations and Maritime Maritime Marketing 1 4 1 4 1 5 1 17 Low Marketing Maritime Cruise Operations and Maritime Operations 1 4 1 4 1 5 1 17 Low Marketing Maritime Maritime Operations and T91 Docks 2 3 3 3 2 3 1 17 Low Security Economic Development Facilities Management AOB Facilities Amenities and Services 1 1 1 1 1 1 10 16 Low Economic Development Facilities Management P69 Facilities: 
Amenities and Services (Non-Aviation 1 1 1 1 1 1 10 16 Low ID badge credentialing; Amenities (Coffee Rooms, Janitorial Svcs, Privacy Rooms)) Economic Development Facilities Management STOC Facilities Amenities and Services 1 1 1 1 1 1 10 16 Low Maritime Maritime Operations and Maritime Industrial Center 2 1 4 2 2 2 2 15 Low Security Maritime Maritime Operations and Recreational Boating 2 2 3 2 2 2 2 15 Low Security Aviation Airport Building Department ABD Permits Central (Permit Forms; Policies; 5 1 2 1 1 1 2 13 Low Procedures; Interpretations) Economic Development Facilities Management Airport Office Building (AOB) 1 1 1 1 1 1 7 13 Low Economic Development Facilities Management P69 Mail, Shipping, and Receiving 1 1 1 2 3 1 2 11 Low Economic Development Facilities Management Parking Access Card 1 1 1 1 1 1 5 11 Low 54 Appendix A Operations Audit Universe (continued) Score Level 35-40 High 25-34 Medium 0-24 Low Division Department Sub Department Compliance Reputation Safety Financial Fraud Strategy Subjective Score Level Aviation Airport Building Department Accela Civic Platform 3 1 1 1 1 1 2 10 Low Aviation Airport Building Department Accela E-Permit Portal 3 1 1 1 1 1 2 10 Low Economic Development Facilities Management Employee Parking Validation 1 1 1 1 2 1 3 10 Low Economic Development Facilities Management Fleet Vehicle Reservations 1 1 1 1 1 1 3 9 Low Chief Financial Officer Business Intelligence Data Doctor/Data Analytical & Training Assistance 1 1 1 1 1 2 1 8 Low Aviation Airport Innovation Disruption Summit 1 1 1 1 1 1 1 7 Low Aviation Airport Innovation Innovation Awards 1 1 1 1 1 1 1 7 Low Aviation Airport Innovation Shark Tank 1 1 1 1 1 1 1 7 Low Chief Financial Officer Risk Management Business Card Requests 1 1 1 1 1 1 1 7 Low Chief Financial Officer Risk Management In Remembrance 1 1 1 1 1 1 1 7 Low Chief Financial Officer Risk Management Port Notary Program 1 1 1 1 1 1 1 7 Low Economic Development Facilities Management Office Space Service Request 1 1 
1 1 1 1 1 7 Low Aviation Airport Innovation Business Intelligence Spotlight n/a n/a n/a n/a n/a n/a 3 3 Low Aviation Airport Innovation Airport Innovation n/a n/a n/a n/a n/a n/a 1 1 Low Aviation Airport Innovation Innovation Cabinet n/a n/a n/a n/a n/a n/a 1 1 Low External Relations AV Public Affairs AV Public Affairs n/a n/a n/a n/a n/a n/a 1 1 Low Human Resources Organizational Development Organizational Development n/a n/a n/a n/a n/a n/a 1 1 Low Internal Audit Internal Audit Internal Audit n/a n/a n/a n/a n/a n/a N/A 0 Low 55 Appendix A Operations Audit Universe (continued) Score Level 35-40 High 25-34 Medium 0-24 Low Division Department Sub Department Compliance Reputation Safety Financial Fraud Strategy Subjective Score Level Aviation Aviation Project Management Capital n/a n/a n/a n/a n/a n/a N/A 0 Low Aviation Facilities & Capital Programs Capital (Aviation Utilities) n/a n/a n/a n/a n/a n/a N/A 0 Low Central Procurement Office Central Procurement Office Construction - Capital n/a n/a n/a n/a n/a n/a N/A 0 Low Chief Financial Officer Accounting & Financial Reporting Business Technology n/a n/a n/a n/a n/a n/a N/A 0 Low Chief Financial Officer Accounting & Financial Reporting Capital Services n/a n/a n/a n/a n/a n/a N/A 0 Low Engineering, Environment Engineering Services Engineering Construction Management n/a n/a n/a n/a n/a n/a N/A 0 Low and Sustainability Engineering, Environment Engineering Services Engineering Construction Safety n/a n/a n/a n/a n/a n/a N/A 0 Low and Sustainability Engineering, Environment Engineering Services Engineering Design Services n/a n/a n/a n/a n/a n/a N/A 0 Low and Sustainability Engineering, Environment Engineering Services Engineering Survey and Mapping n/a n/a n/a n/a n/a n/a N/A 0 Low and Sustainability Maritime Seaport Project Management Seaport Project Management n/a n/a n/a n/a n/a n/a N/A 0 Low Group Port Construction Services Port Construction Services Capital n/a n/a n/a n/a n/a n/a N/A 0 Low 56 Appendix B Capital 
Risk Rating Methodology
Attributes

(A) Project Size (construction costs) | Points
$1 to $25MM | 1
>$25MM to $50MM | 2
>$50MM to $75MM | 3
>$75MM to $100MM | 4
>$100MM | 5

(B) Change Orders (compared to original contract sum) | Points
0 to 5% | 1
5.1 to 7.5% | 2
7.6 to 10% | 3
10.1 to 15% | 4
>15% | 5

(C) Contract Type | Points
Lump sum | 1
Unit Price or T&M or TRA | 2
GMP w/ Shared Savings | 3
GMP w/ no shared savings | 4
Cost Plus | 5

(D) Schedule | Points
On Schedule | 1
Potential Schedule Overrun | 3
Schedule Overrun | 5

(E) Budget | Points
Under Budget | 1
Potential Budget Overrun | 3
Over Budget | 5

(F) Known Concerns (errors & omissions, potential claims, scope change etc.) | Points
Subjective - Audit Knowledge | 1-5

Appendix B Capital Risk Universe (Projects >$1MM) Attributes 1 Contingency audit. Complicated project nearing completion. (A) (B) (C) (D) (E) (F) Total Prior Audit Commission interest on lessons learned. Consideration of a third- 1 International Arrivals Facility (IAF) 5 5 3 5 5 5 28 2017; 2018 party construction audit firm conducting a thorough review of the life 2 North Satellite (NSAT) Renovation & Expansion 5 1 3 5 5 4 23 2018 cycle of the project. 3 Central Terminal Infrastructure Upgrade (Construction Phase) 1 5 1 5 5 5 22 2020 4 Restroom Renovations Phase 3 Prototype 1 4 1 5 5 3 19 2 Contingency audit. Second largest project. Scheduled completion in 2021. $31MM in change orders (CO's). Has not been audited since 5 North Terminal Utilities Upgrade - Phase 1 2 2 1 1 5 4 15 2018; however, there is an outside construction audit firm that has 6 Checked Baggage Recap/Optimization Phase II 5 1 1 1 1 5 14 been actively working with management throughout the project, Restroom Renovations Phase 2 Enabling Work 1 5 1 1 1 4 13 including CO and pay application review. 2020- Airfield Pavement Program 1 2 1 3 3 3 13 AFLD Pavement Program 2016-2020- 2019 Airfield Improvement 1 5 3 1 1 1 12 3 $9.3MM in CO's. $500K designer Errors & Omissions (E&O); $1.2MM Garage Elevator Shafts & Vestibules Owner E&O.
Bid & design phases audited in 2020. Construction & 1 1 1 5 3 1 12 closeout phase to be reviewed in 2021. SD Pond Bird Deterrent Improvement 1 2 5 1 1 1 11 Shilshole Bay Marina Paving- Combined with SBM Tenant Bldgs. 1 1 1 1 5 1 10 2019 4 Original contract $3MM. CO's total $517K (16%). COVID-19 CO's total Rental Car Facility (RCF) Pavement Remediation 1 1 1 5 1 1 10 $106K. Over budget/schedule. Emerging risk in construction of Lora Lake Apartment Site Remediation & Lora Lake Fill 1 1 1 3 1 2 9 contractors using COVID-19 to decrease potential liquidated damages Remote Aircraft De-icing 1 1 1 3 1 1 8 and/or increase revenue. Interim Westside Fire Station 1 2 1 1 1 2 8 2018 SSAT HVAC Infrastructure Upgrade 5 Original Commission approved total project budget of $21.3MM for 2 1 1 1 1 1 7 full redundant loop utility (heating/cooling). Lowest bid came in at Variable Frequency Drive 1 2 1 1 1 1 7 $33MM. $600K in CO's early in project. Taxiways Relocation L & Q Mitigation 1 1 1 1 1 1 6 Fire Pump Replacement- BES 1 1 1 1 1 1 6 6 Large, complicated multi-year project. Engineer's estimate was Safedock Upgrade and Expansion 1 1 1 1 1 1 6 $179MM. Winning bid was $294MM. Phase I reviewed in 2019 with Concourse C New Power Center 1 1 1 1 1 1 6 issues. 

Appendix C IT Risk Universe

# | IT General Controls Audits | Inherent Risk
1 | CIS - Inventory and Control of Hardware Assets | HIGH
2 | CIS - Inventory and Control of Software Assets | HIGH
3 | CIS - Continuous Vulnerability Management (includes patching) | HIGH
4 | CIS - Controlled Use of Administrative Privileges | HIGH
5 | CIS - Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers | HIGH
6 | CIS - Maintenance, Monitoring and Analysis of Audit Logs | HIGH
7 | CIS - Email and Web Browser Protections | HIGH
8 | CIS - Malware Defenses | HIGH
9 | CIS - Limitation and Control of Network Ports, Protocols, and Services | HIGH
10 | CIS - Data Recovery Capabilities | HIGH
11 | CIS - Secure Configuration for Network Devices (e.g., Firewalls, Routers and Switches) | HIGH
12 | CIS - Boundary Defense | HIGH
13 | CIS - Data Protection | HIGH
14 | CIS - Controlled Access Based on the Need to Know | HIGH
15 | CIS - Wireless Access Control | HIGH
16 | CIS - Account Monitoring and Control | HIGH
17 | CIS - Implement a Security Awareness and Training Program | HIGH
18 | CIS - Application Software Security | HIGH
19 | CIS - Incident Response and Management | HIGH
20 | CIS - Penetration Tests and Red Team Exercises | HIGH
21 | Industrial Control System Security | HIGH
22 | Endpoint Protection | HIGH
23 | Portable Media Security | HIGH
24 | Transmission Protection | HIGH
25 | Password Management | HIGH
26 | Identity & Access Management | HIGH
27 | Disaster Recovery Program | HIGH
28 | IT Risk Management | HIGH
29 | Physical & Environmental Security | HIGH
30 | Change Management | HIGH
31 | Datacenter Ops | HIGH
32 | IT Governance | HIGH
33 | Periodic User Access Reviews | HIGH
34 | System and Software Development | HIGH
35 | Vendor Management | HIGH
36 | Security Program | HIGH
37 | HIPAA Security Compliance | HIGH
38 | HIPAA Privacy Compliance | HIGH
39 | Annual Review of PCI Compliance | HIGH
40 | Triennial WA State Patrol Audit of CJIS Compliance | HIGH
41 | Project Management | MEDIUM

Appendix D Lease/Concession Risk Universe High Risk: Name Contract
2018 2019 2020* Grand Total ENTERPRISE RENT A CAR AIR001281 $12,428,124 $12,283,311 $2,214,868 $26,926,303 RASIER LLC AIR002022 6,569,772 8,020,014 2,687,112 17,276,898 AVIS BUDGET CAR RENTAL AIR001282 7,590,103 7,639,291 1,229,522 16,458,917 IN-TER-SPACE SERVICES, INC AIR002224 6,331,082 4,481,850 4,674,651 15,487,582 DUFRY - SEATTLE JV AIR001661 6,929,809 6,343,533 1,332,665 14,606,006 AIRPORT MANAGEMENT SERVICES LLC AIR002018 5,935,338 6,531,640 2,106,025 14,573,003 AIRPORT MANAGEMENT SERVICES LLC AIR002017 6,554,650 6,196,783 1,476,354 14,227,786 HOST INTERNATIONAL, INC AIR002019 4,771,768 6,191,054 1,441,020 12,403,842 HERTZ CORPORATION AIR001278 5,311,454 5,277,443 869,942 11,458,839 LOUIS DREYFUS COMPANY WASHINGTON LLC SEA002603 4,734,772 3,414,447 2,586,336 10,735,555 LYFT AIR002023 3,710,868 4,953,342 1,729,044 10,393,254 Total $70,869,758 $71,334,728 $22,349,557 $164,574,985 * Annualized based on 8/31/2020 actuals. 60 Appendix D Lease/Concession Risk Universe (continued) Medium Risk: Name Contract 2018 2019 2020* Grand Total GATE GOURMET INT'L AIR000042 $2,874,824 $3,478,670 $1,284,754 $7,638,248 EASTSIDE FOR HIRE, INC AIR002100 4,381,776 2,842,695 - 7,224,472 SKY CHEFS INC AIR001849 4,361,880 2,679,284 - 7,041,164 DOUG FOX TRAVEL/ATZ AIR001718 3,238,379 3,292,322 496,264 7,026,965 HOST INTERNATIONAL, INC AIR000435 4,417,740 2,597,830 (138,231) 6,877,339 SEATTLE RESTAURANT ASSOCIATES AIR000439 2,980,072 1,815,188 - 4,795,260 REPUBLIC PARKING NORTHWEST INC SEA000425 1,819,256 1,663,944 1,002,218 4,485,417 DTG OPERATIONS INC AIR001279 1,887,620 1,920,146 250,181 4,057,947 CMC INVESTMENTS INC AIR001280 1,989,383 1,688,013 302,181 3,979,576 FLYING FOOD FARE INC AIR000086 1,501,111 1,761,803 699,594 3,962,507 SKY CHEFS INC AIR002512 - 2,083,334 1,852,394 3,935,728 SIXT RENT A CAR LLC AIR001632 1,627,902 1,597,449 253,458 3,478,809 FOX RENT A CAR INC AIR001285 1,548,053 1,470,104 387,376 3,405,533 LENLYN LIMITED AIR001788 1,406,196 1,305,120 249,220 2,960,535 
ANTON AIRFOOD AIR000374 2,151,032 551,170 - 2,702,202 QDOBA RESTAURANT CORPORATION AIR002096 1,095,768 1,247,335 446,637 2,789,740 MCDONALD'S USA LLC AIR001606 1,001,593 1,213,833 500,375 2,715,801 CONCOURSE CONCESSIONS LLC AIR002055 1,035,852 1,104,870 345,172 2,485,894 FIREWORKS AIR002101 1,040,112 1,095,226 243,430 2,378,768 SEATAC BAR GROUP LLC AIR002053 927,016 1,159,507 290,414 2,376,937 BEECHER'S HANDMADE CHEESE, LLC AIR001562 932,595 977,769 306,356 2,216,719 Total $42,218,159 $37,545,612 $8,771,792 $88,535,563 * Annualized based on 8/31/2020 actuals. 61 Appendix D Lease/Concession Risk Universe (continued) Low Risk: Name Contract 2018 2019 2020* Grand Total SSP AMERICA SEA LLC AIR002358 $655,434 $973,521 $247,074 $1,876,029 SEATTLE TACOMA INTL LIMOUSINE ASSOC AIR001991 852,551 836,843 159,075 1,848,469 SODEXO AMERICA, LLC AIR001513 657,525 710,436 240,870 1,608,830 SSP AMERICA SEA LLC AIR002237 - 955,140 460,923 1,416,063 DILETTANTE CHOCOLATES INC AIR002094 527,782 558,368 202,617 1,288,767 MAD ANTHONY'S INC CHINOOK SEA000043 487,492 460,825 373,214 1,321,530 HOST LPI SEA FB LLC AIR002361 - 933,168 331,334 1,264,501 FRUIT & FLOWER LLC DBA FLORET AUTHORITY AIR002063 449,369 650,709 121,661 1,221,739 MAD ANTHONY'S INC PIER 66 SEA000294 393,839 379,625 368,040 1,141,504 PAYLESS CAR RENTAL, INC AIR001451 449,314 505,889 59,040 1,014,243 AIRPORT MANAGEMENT SERVICES LLC AIR000437 892,273 93,229 14,933 1,000,435 INMOTION SEA LLC AIR002103 427,031 498,982 73,767 999,780 SSP AMERICA SEA LLC AIR002238 - 613,177 430,541 1,043,718 HOST INTERNATIONAL, INC AIR002247 25,322 887,298 31,250 943,870 STELLAR BAMBUZA SEA LLC AIR002240 - 585,553 365,421 950,974 CONCESSIONS INT'L INC. 
AIR002148 850,980 - - 850,980 SMARTE CARTE INC AIR000629 373,310 375,755 123,564 872,630 CONCOURSE CONCESSIONS LLC AIR002362 560,520 323,059 883,579 E-Z RENT-A-CAR AIR001439 426,103 360,823 38,698 825,623 PALLINO SEATAC LLC AIR002241 561,190 252,563 813,753 ALCLEAR, LLC AIR002048 290,121 443,845 27,610 761,576 EX OFFICIO LLC AIR000580 479,082 274,446 - 753,528 BAMBUZA SEA-TAC VENTURES AIR002365 - 518,543 282,568 801,111 THE YARROW GROUP LLC AIR002233 - 501,082 279,318 780,400 1915 KCHOUSE CONCEPTS-SEATAC, LLC AIR002265 - 563,846 174,090 737,936 TASTE INC dba VINO VOLO AIR000839 328,398 248,894 - 577,291 TERMINAL GETAWAY SPA SEATTLE, LLC AIR002095 236,089 272,051 51,113 559,253 SEATTLE CHOCOLATES COMPANY LLC AIR002093 209,306 248,752 63,240 521,298 SUB POP RECORDS AIR001816 215,595 188,922 57,083 461,599 BF FOODS LLC AIR002375 428,084 17,115 - 445,199 SUNS INC AIR002054 192,233 197,069 42,704 432,007 PROJECT HORIZON AIR000618 340,199 - - 340,199 SILVERCAR, INC AIR002203 150,177 145,626 35,966 331,769 SEATTLE AIR VENTURES JV AIR002355 5,894 207,880 119,810 333,584 * Annualized based on 8/31/2020 actuals. 
62 Appendix D Lease/Concession Risk Universe (continued) Low Risk (continued): Name Contract 2018 2019 2020* Grand Total MAREL SEATTLE INC SEA001010 150,000 150,000 - 300,000 LADY YUM, LLC AIR002331 97,429 156,109 53,739 307,277 LATRELLES EXPRESS INC AIR002287 127,276 134,348 - 261,625 PLANEWEAR LLC AIR001971 111,510 115,744 36,123 263,377 AIRPORT MANAGEMENT SERVICES LLC AIR002430 - 179,625 69,109 248,734 BF FOODS LLC AIR002232 - 37,710 217,438 255,147 FIREWORKS AIR001644 193,170 4,737 - 197,907 BILL & NICK INCORPORATED SEA000016 70,659 72,879 59,288 202,826 DILETTANTE CHOCOLATES INC AIR001657 148,050 31,403 - 179,453 SMARTE CARTE INC AIR002097 78,819 72,748 10,598 162,164 AIRPORT MANAGEMENT SERVICES LLC AIR001773 76,815 73,470 10,371 160,656 GLASSYBABY LLC AIR002123 81,974 71,905 - 153,879 SECURITY POINT MEDIA, LLC AIR002437 - 125,312 - 125,312 AIRPORT CHANNEL AIR000988 110,673 2,700 - 113,373 PALLINO SEATAC LLC AIR002283 96,392 12,395 - 108,787 CAFE PACIFIC CATERING, INC AIR002124 48,034 50,622 10,573 109,229 BF FOODS LLC AIR002491 - 44,210 72,537 116,747 CHALO LLC AIR002270 40,795 45,707 14,861 101,363 QDOBA RESTAURANT CORPORATION AIR000619 91,587 - - 91,587 AIRPORT MANAGEMENT SERVICES LLC AIR002284 82,645 6,600 - 89,245 ME & MOM'S HATS DBA SEATTLE HAT$ AIR002141 36,855 37,318 13,661 87,834 SHARA LLC DBA SHOW PONY AIR002330 30,950 42,027 11,168 84,145 BF FOODS LLC AIR002393 36,376 44,556 - 80,931 CERTIFIED FOLDER DISPLAY SERVICE INC AIR001641 33,492 31,854 17,081 82,427 MASSAGE BAR AIR002286 64,744 5,283 - 70,028 IVARS INC AIR000615 66,461 - - 66,461 FOOD SYSTEMS UNLIMITED INC AIR000616 65,386 - - 65,386 SHILSHOLE BAY FUEL DOCK SEA002355 38,592 25,753 - 64,345 PALLINO SEATAC LLC AIR000613 61,720 - - 61,720 US BANK AIR001505 - - 76,821 76,821 WBB C.I. CREWS, LLC AIR002468 - - 73,283 73,283 CONCOURSE CONCESSIONS LLC AIR002374 46,962 10,069 - 57,031 * Annualized based on 8/31/2020 actuals. 
63 Appendix D Lease/Concession Risk Universe (continued) Low Risk (continued): Name Contract 2018 2019 2020* Grand Total HAN EUN CORPORATION SEA002621 29,479 24,877 - 54,356 LATRELLES EXPRESS INC AIR000614 53,959 - 53,959 WINGZ, INC AIR002020 39,120 8,916 2,907 50,943 REPUBLIC PARKING NORTHWEST INC SEA000424 10,267 16,472 21,645 48,384 DELTA AIR LINES INC AIR002309 18,031 16,981 6,250 41,262 MAC-GRAY SERVICES SEA002097 17,524 13,899 10,038 41,461 CLIPPER FERRY SERVICES, INC SEA003017 27,919 8,342 (0) 36,261 UNITED INDIANS OF ALL TRIBES FOUNDATION AIR002387 - 30,962 4,098 35,061 FIREHOUSE EXPRESS, LLC AIR001565 33,366 - - 33,366 ASANDA AIR II LLC AIR002409 11,990 17,218 - 29,208 GUNWOO & JINAH INC SEA003337 - - 29,778 29,778 LUCKY SHOE SHINE, LLC AIR001888 14,176 9,617 - 23,792 ALASKA AIRLINES INC AIR002299 6,643 13,344 4,744 24,732 LADY YUM, LLC AIR002131 21,278 - - 21,278 CLEAN ENERGY FUELS CORP AIR001655 13,528 4,114 1,639 19,281 AMERICAN EXPRESS TRAVEL AIR001877 7,823 8,715 2,003 18,540 PUBLICANS, INC SEA002494 9,095 7,791 - 16,886 LADY YUM, LLC AIR002467 - - 17,543 17,543 MASSAGE BAR AIR000933 12,912 - - 12,912 HOST INTERNATIONAL, INC AIR002150 12,623 - - 12,623 UNITED AIRLINES AIR002327 4,551 4,886 902 10,339 SHARA LLC DBA SHOW PONY AIR002129 7,675 - - 7,675 LUCKY SHOE SHINE, LLC AIR002466 - 3,836 4,321 8,157 MAC-GRAY SERVICES SEA001479 1,902 1,446 522 3,870 ZEEBA WA, LLC DBA ZEEBA RENT-A-VAN AIR002226 1,782 1,004 - 2,787 TRICOPIAN DBA FUELROD AIR002469 17 3,347 3,363 SEATTLE RENT A WRECK AIR001621 2,282 - - 2,282 PLANEWEAR LLC AIR002501 - 172 429 601 DELTA AIR LINES INC AIR001740 - - - - ALASKA AIRLINES INC AIR001720 - - - - UNITED AIRLINES AIR001725 - - - - Total $12,788,790 $17,106,815 $6,207,963 $36,103,568 * Annualized based on 8/31/2020 actuals. 

Appendix E Aging of Outstanding Issues as of December 10, 2020
Operational, Capital, Information Technology, and Limited Contract Compliance Audits

Type | Audit / Description | Rating | Report Date | Target Date | Days Outstanding (from Report Date) | Months/Years Outstanding (from Report Date) | Days Outstanding (from Target Date) | Months/Years Outstanding (from Target Date)
Operational Audit | Fishing & Commercial Operations Maritime Manual Billing Process at risk of error | High | 2/23/2018 | 12/31/2021 | 1021 | More than 2 years | -386 | Not Due
IT Audit | AVM/F&I Data Centers Security Sensitive | High | 12/4/2018 | No date supplied | 737 | More than 2 years | N/A | N/A
IT Audit | AVM/F&I Data Centers Security Sensitive | High | 12/4/2018 | No date supplied | 737 | More than 2 years | N/A | N/A
IT Audit | HIPAA Security Security Sensitive | High | 9/4/2019 | 7/31/2020 | 463 | 1-2 years | 132 | 0-6 months
IT Audit | HIPAA Security Security Sensitive | High | 9/4/2019 | 7/31/2020 | 463 | 1-2 years | 132 | 0-6 months
Operational Audit | Airport Employee Access Security Sensitive | High | 9/5/2019 | 6/30/2020 | 462 | 1-2 years | 163 | 0-6 months
Operational Audit | Architecture & Engineering Determine fair and reasonable | High | 12/9/2019 | 6/30/2020 | 367 | 1-2 years | 163 | 0-6 months
Operational Audit | Architecture & Engineering Management review over max | High | 12/9/2019 | 6/30/2020 | 367 | 1-2 years | 163 | 0-6 months
Operational Audit | Architecture & Engineering Contract accuracy | High | 12/9/2019 | 6/30/2020 | 367 | 1-2 years | 163 | 0-6 months
Operational Audit | Ground Transportation - Taxicabs Reconciliation process | High | 12/1/2020 | 12/31/2020 | 9 | 0-6 months | -21 | Not Due
IT Audit | ICT Audit Disaster Recovery Security Sensitive | Medium | 11/29/2017 | No date supplied | 1107 | More than 2 years | N/A | N/A
IT Audit | IT Change Management and Patch Management Security Sensitive | Medium | 12/4/2018 | 6/30/2019 | 737 | More than 2 years | 529 | 1-2 years
IT Audit | AVM/F&I Data Centers Security Sensitive | Medium | 12/4/2018 | No date supplied | 737 | More than 2 years | N/A | N/A
IT Audit | Security of PII Security Sensitive | Medium | 2/26/2019 | 12/31/2019 | 653 | 1-2 years | 345 | 6-12 months
IT Audit | Security of PII Security Sensitive | Medium | 2/26/2019 | 3/31/2020 | 653 | 1-2 years | 254 | 6-12 months
Operational Audit | Marine Maintenance Shop Keys and badges tracking | Medium | 6/14/2019 | 12/31/2023 | 545 | 1-2 years | -1116 | Not Due
Operational Audit | Marine Maintenance Shop Fleet and fuel internal controls | Medium | 6/14/2019 | 12/31/2023 | 545 | 1-2 years | -1116 | Not Due
IT Audit | HIPAA Security Security Sensitive | Medium | 9/4/2019 | 7/31/2020 | 463 | 1-2 years | 132 | 0-6 months
IT Audit | HIPAA Security Security Sensitive | Medium | 9/4/2019 | 7/31/2020 | 463 | 1-2 years | 132 | 0-6 months
IT Audit | Closed Network Systems Security Security Sensitive | Medium | 9/5/2019 | 3/31/2020 | 462 | 1-2 years | 254 | 6-12 months
IT Audit | Closed Network Systems Security Security Sensitive | Medium | 9/5/2019 | 3/31/2020 | 462 | 1-2 years | 254 | 6-12 months
IT Audit | Closed Network Systems Security Security Sensitive | Medium | 9/5/2019 | 6/30/2020 | 462 | 1-2 years | 163 | 0-6 months
IT Audit | Inventory and Control of Hardware Assets Security Sensitive | Medium | 11/12/2019 | 6/30/2023 | 394 | 1-2 years | -932 | 0-6 months
Operational Audit | Architecture & Engineering Governance | Medium | 12/9/2019 | 6/30/2020 | 367 | 1-2 years | 163 | 0-6 months
IT Audit | Network Password Management Security Sensitive | Medium | 3/20/2020 | 12/31/2022 | 265 | 6-12 months | -751 | 0-6 months
IT Audit | Network Password Management Security Sensitive | Medium | 3/20/2020 | 9/30/2020 | 265 | 6-12 months | 71 | 0-6 months
IT Audit | Network Password Management Security Sensitive | Medium | 3/20/2020 | 12/31/2020 | 265 | 6-12 months | -21 | 0-6 months
IT Audit | Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers Security Sensitive | Medium | 8/21/2020 | 12/31/2021 | 111 | 0-6 months | -386 | 0-6 months
IT Audit | Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers Security Sensitive | Medium | 8/21/2020 | 12/31/2020 | 111 | 0-6 months | -21 | 0-6 months
IT Audit | Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers Security Sensitive | Medium | 8/21/2020 | 12/31/2021 | 111 | 0-6 months | -386 | 0-6 months
IT Audit | Malware Defenses Security Sensitive | Medium | 9/4/2020 | 6/30/2021 | 97 | 0-6 months | -202 | 0-6 months
IT Audit | Malware Defenses Security Sensitive | Medium | 9/4/2020 | 6/30/2021 | 97 | 0-6 months | -202 | 0-6 months
Capital Audit | AOA Perimeter Fence Liquidated damages | Medium | 9/8/2020 | 12/31/2020 | 93 | 0-6 months | -21 | Not Due
Capital Audit | AOA Perimeter Fence Design Process | Medium | 9/8/2020 | 12/31/2020 | 93 | 0-6 months | -21 | Not Due
Lease and Concession Audit | Concourse Concessions LLC RE-2 policy review | Medium | 9/10/2020 | 12/31/2020 | 91 | 0-6 months | -21 | Not Due
Capital Audit | Central Terminal Infrastructure Upgrade Add'l costs & scheduling delays | Medium | 11/24/2020 | 6/30/2021 | 16 | 0-6 months | -202 | Not Due
IT Audit | Inventory and Control of Software Assets Security Sensitive | Medium | 11/24/2020 | 12/31/2021 | 16 | 0-6 months | -386 | 0-6 months
IT Audit | Inventory and Control of Software Assets Security Sensitive | Medium | 11/24/2020 | 12/31/2021 | 16 | 0-6 months | -386 | 0-6 months
IT Audit | Inventory and Control of Software Assets Security Sensitive | Medium | 11/24/2020 | 12/31/2021 | 16 | 0-6 months | -386 | 0-6 months
IT Audit | Network Password Management Security Sensitive | Low | 3/20/2020 | 12/31/2020 | 265 | 6-12 months | -21 | 0-6 months
Lease and Concession Audit | Concourse Concessions LLC Percentage fees due to Port | Low | 9/10/2020 | 12/31/2020 | 91 | 0-6 months | -21 | Not Due