5. Port of Seattle Presentation
Financial Stewardship Accountability Transparency Port of Seattle Audit Committee Internal Audit Update Glenn Fernandes - Director, Internal Audit September 9, 2021 Remote Meeting 2:30 PM 4:30 PM Operational Excellence Governance Internal Audit Budget - Key Elements Staffing (Payroll Costs) Outside Services Some required by RCW 39.10.385 (11) Staff Training 2022 Principles: Follow Port guidelines Leverage independent resources for RCW 39.10.385 (11) required audits Invest in staff training and development 2 RCW 39.10.385 (11) Applies to general contractor/construction manager (GC/CM) projects. When in the best interest of the public, a GC/CM may select one or more subcontractors using alternative methods. When above $3 Million, "An independent audit, paid for by the public body, must be conducted to confirm the proper accrual of costs." The Port is initiating more projects using the GC/CM method. Internal Audit will lead management of these independent audits in 2022. Independent audit costs are viewed as part of the cost of the project and are capitalized with the project. 3 Internal Audit Organization Structure [Note: Two vacant positions need to be filled. One will be filled in 2022 and the other one will be deferred to the 2023 budget.] 4 Department Overview Internal Audit, through an annual audit plan, provides assurance that the Port's controls are effective and efficient to mitigate business risks. The department provides the material for and facilitates quarterly public and non-public Audit Committee meetings each year. The department also provides advisory services to the Port, to the extent that it does not compromise its independence. The department maintains its independence and objectivity by reporting administratively to the Executive Director and functionally to the Audit Committee. 5 New Budget Requests - Overview Item Priority One-Time Request for Amount No. High-level Description (H/M/L) (Y/N) FTEs Requested 1 External Peer Review H Y N/A $15,000 2 GC/CM Independent Audit - Main Terminal Low H Y 0 60,000 Voltage System Upgrade Project* 3 GC/CM Independent Audit - Airline Realignment H Y 0 120,000 Project* 4 International Arrivals Facility - External Audit H Y 0 100,000 Resources Total 0 $295,000 *Required by RCW 39.10.385 (11) 6 New Budget Requests - Details Item 1 - External Peer Review Description: This is an estimated cost for a Peer Review with the Association of Local Government Auditors (ALGA), as required every three years. Justification: Internal Audit has been certified by ALGA since 2012 and has passed every Peer Review. This verifies that Internal Audit is consistently following Government Auditing Standards and the International Standards for the Professional Practice of Internal Auditing. Items 2 & 3 GC/CM Independent Audits Description: GC/CM Independent Audits per RCW 39.10.385 (11) - Main Terminal Low Voltage System Upgrade Project & Airline Realignment Project. Justification: RCW requires an independent auditor to perform an audit of subcontractor charges to the Port on GC/CM projects, where the subcontractor was selected through an alternative selection process and their contract exceeds $3 Million. 7 New Budget Requests - Details Item 4 External Audit Resources Description: Capital Audit Expert Consulting Services for International Arrivals Facility (IAF) Project. Justification: The Audit Committee has requested a detailed review of costs related to the IAF project to identify any potential overbillings. Additionally, this project would identify process improvements, which the Port may utilize in future projects. 8 Employee Training & Development Related Travel & Other Employee Expenses 2021 Budget 2022 Budget Notes Air Fare $0 $2,905 Travel for training Lodging & Other Travel 0 3,580 Employee Food & Beverage 0 1,200 Local Transportation 360 770 Travel to audit sites & training Registration/Seminar Fees 14,735 13,510 Training costs Membership Dues & Fees 5,637 5,610 Professional memberships Management Education Expense 0 0 Subscriptions 0 120 Puget Sound Business Journal Employee Recognition 0 0 Retiree Recognition - HR Only 0 0 Tuition Reimbursement - HR Only 0 0 Total $20,732 $27,695 9 Budget Overview 2019 2020 2021 2022 Change from 2021 Budget Expense Category Actuals Actuals Budget Budget $ % Salaries & Benefits $1,291,372 $1,510,454 $1,605,524 $1,706,357 $100,833 6.3% Equipment 6,925 275 170 2,749 2,579 1517.1% Supplies & Stock 649 70 351 1,000 649 184.9% Outside Services 111,531 1313 1,558 297,090 295,532 18968.7% Travel & Employee 30,858 19967 20,732 27,695 6,963 33.6% Promotional 0 0 0 0 0 0.0% Genera l 2,680 -545 320 3,893 3,573 1116.6% Telecom/ Workman's Comp 6,199 7974 7,911 8,890 979 12.4% Total Charges to Capital 0 0 0 -180,000 -180,000 Total O&M Expenses $1,450,214 $1,539,509 $1,636,566 $1,867,674 $231,108 14.1% Changes in certain Port-wide assumptions that drive entity-wide allocations, might cause small changes for certain line items. 10 Approved 2021 Audit Plan Limited Contract Compliance Operational Information Technology Lenlyn Limited Rent and Concession Deferral Recovery T2 Airport Garage Parking System Seattle-Tacoma International Capitalization of Assets Replacement1 Limousine Association (STILA) Art Program Malware Defenses Aviation Dilettante Chocolate, Inc. Noise Monitor Data Accuracy Maintenance Fruit & Flower, LLC d/b/a Floret South King County Fund Continuous Vulnerability Management Lyft, Inc.3 Biometrics Rasier, LLC3 Payment Card Industry (PCI) - Internal Security Assessor Capital Data Recovery Capabilities2 Central Terminal Infrastructure Upgrade (Construction and Closeout Phases) North Terminals Utilities Upgrade Phase 1 Baggage Optimization - Phase 2 Restroom Renovations Phase 3 Prototype 1: Due to implementation delays, this audit will be deferred to the 2022 Audit Plan. 3: Reclassified from Limited Contract Compliance to Operational. 2: This is a contingency audit that was approved by the Audit Committee in December 2020. 11 2021 AUDIT PLAN STATUS Audit Title Type Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Noise Monitor Data Accuracy Operational South King County Fund Operational Central Terminal Infrastructure Upgrade (Construction and Closeout Phases) Operational - Capital Malware Defenses - Aviation Maintenance IT Seattle-Tacoma International Limousine Association (STILA) Contract Compliance Biometrics IT Art Program Operational Restroom Renovations Phase 3 Prototype Operational - Capital Lenlyn Limited Contract Compliance Rasier, LLC3 Operational Lyft, Inc.3 Operational Fruit & Flower, LLC d/b/a Floret Contract Compliance Baggage Optimization - Phase 2 Operational - Capital Payment Card Industry (PCI) - Internal Security Assessor IT Rent and Concession Deferral Recovery Operational Continuous Vulnerability Management IT Data Recovery Capabilities2 IT North Terminals Utilities Upgrade - Phase 1 Operational - Capital Capitalization of Assets Operational Dilettante Chocolate, Inc. Contract Compliance T2 Airport Garage Parking System Replacement 1 IT Complete KEY In Process Deferred to 2022 1: Due to implementation delays, this audit will be deferred to the 2022 Audit Plan. 2: This is a contingency audit that was approved by the Audit Committee in December 2020. 3: Reclassified from Limited Contract Compliance to Operational. 12 Open Issue Follow-Up Status Aging Report as of September 9, 2021 *1 Fifteen issues outstanding for more than two years consist of: One issue - Fishing & Commercial Operations - Manual Billing Process at Risk of Error To be built in house / Commission approved $410,000 additional funding / implementation date, Q4 2021. Two issues Marine Maintenance Shop - One issue related to keys/badges tracking and the other issue related to fleet and fuel internal controls. Twelve issues - IT Audits (Security Sensitive) - Exempt from Public Disclosure per RCW 42.56.420 Issues Not Discussed in Public Session. They are: Disaster Recovery Capability (1), AV/M Facilities & Infrastructure Data Centers (3), and Security of Personal Identifiable Information (2), HIPAA Security (4), and Closed Network System Security (2). *2 Four IT issues do not have Target Dates and are not included in this chart. These issues are in the process of being addressed, however, they are more than two years past the Report Date. See Appendix A for a detailed listing of outstanding issues aging as of September 9, 2021. 13 Audits Completed: 1) Baggage Optimization Project Phase 2 2) TNC (Lyft, Inc. & Rasier, LLC) 3) Fruit & Flower, LLC d/b/a Floret 14 Baggage Optimization Project - Phase 2 The Baggage Optimization Project replaces six individual baggage screening systems and centralizes operations. Key Elements of Phase 2 will: Replace conveyor systems to the north portion of the bag well. Construct the final baggage sortation matrix (make system more efficient). Move concession storage to their final locations. Move maintenance shop to its permanent location. Add screening capacity with more Explosive Detective System machines. 15 Baggage Optimization Project - Phase 2 (continued) Engineer's Estimate was $179,157,000. Winning bidder, Hensel Phelps, submitted a bid for $293,937,000, 64% over the Engineer's Estimate. Due to the bids coming in high, the project received a negative vote on the Majority in Interest ballot from the Managing Airline partners at Seattle- Tacoma International Airport. After the expiration of a required 180-day period, the Port awarded the contract to Hensel Phelps. The Port reduced the time of the project by six months, by making various efficiency changes, but only received a $2.6 Million deduct change order from Hensel Phelps. 16 Estimator's (BNP Associates, Inc.) Explanation for High Bids Port's Project Labor Agreement with Unions was not factored into BNP's Estimate. Both bidders requested a one-year project extension during the bid process, which resulted in approximately 33% additional overhead costs. This additional year was not included in the estimate. Unproductive hours required by the Port (requirement for Contractor to move material in and out daily). Decrease in eligible contractors because of prequalification statements made by the Port. Cost of steel increase between Phase 1 and Phase 2. 17 1) Rating: Low The audit identified a discrepancy of $29,156 had occurred because Hensel Phelps submitted a change order cost proposal to the Port for one of its subcontractors, that differed from the documented agreed-upon amount between Hensel and the subcontractor. According to Hensel, they did not keep adequate supporting documentation to justify the discrepancy. Hensel addressed the discrepancy during the course of the audit by initiating a change order with the subcontractor. 18 Management Action Plan No Action Plan is necessary. During the audit, Hensel Phelps remedied the discrepancy by initiating another change order with the subcontractor. DUE DATE: Completed 19 TNC (Lyft, Inc. & Rasier, LLC) Internal Audit (IA) completed an audit of Lyft, Inc. and Rasier LLC, referred to as Transportation Network Company (TNC), for the period April 2017 through March 2021. The Port entered into agreements with Lyft, Inc. and Rasier, LLC d/b/a Uber (TNCs) for the pick-up and drop-off of passengers from Seattle-Tacoma International Airport. TNCs connect passengers through a mobile application, which, among other things, provides information about the pick-up time and trip duration, and manages the payment process. TNCs' trip activities are captured through the interaction of the Port's geo- fence, the General Positioning System (GPS) and the TNC Apps. 20 TNC (Lyft, Inc. & Rasier, LLC) (continued) TNCs' combined revenues for the audit period were as shown below: 2017 (Apr-Dec) 2018 2019 2020 2021 (Jan-Jul) $914,987 $4,031,466 $12,973,434 $10,280,640 $8,079,650 Internal Audit conducted an independent match rate by collecting a sample of 126 pick-up trips on three different dates and tracing these observations to the TNCs' monthly reports. Five out of the 126 observations did not have an exact match. The match rate was between 96% to 98%. 21 1) Rating: Low Internal Audit identified an opportunity for the enhancement of internal controls to assess the accuracy of the TNCs' reported trip data. While management has implemented a control of performing a match rate between the Port's own observation of the TNCs' activities and the TNCs' self reported activities, no additional work was conducted to determine the root cause of the resulting variances and whether corrective measures were necessary. 22 Recommendation Management should: Understand the reasons for the variances and adapt processes to minimize them. Establish a tolerance threshold that would trigger when additional research is needed. 23 Management Response Aviation Commercial Management staff agreed with the key elements of the audit recommendation, and a threshold and process will be developed with a targeted completion date of the end of October 2021. DUE DATE: 10/31/2021 Management will discuss in detail. (Full response in Audit Report No. 2021-10 & 11) 24 Fruit & Flower, LLC d/b/a Floret Lease Agreement established in 2016 Gross revenue about $7.5 million annually (prior to COVID-19) Concession fees paid about $600,000 annually (prior to COVID-19) 25 No Issues Internal Audit concluded that Fruit & Flower, LLC d/b/a Floret materially complied with the significant terms of the Agreement. 26 Appendix A Aging of Outstanding Issues as of September 9, 2021 27 Appendix A Aging of Outstanding Issues as of September 9, 2021 Operational, Capital, Information Technology, and Limited Contract Compliance Audits Months/Years Months/Years Days Outstanding Outstanding Days Outstanding Outstanding Type Audit Description Rating Report Date Target Date (from Report Date) (from Report Date) (from Target Date) (from Target Date) Operational Audit Fishing & Commercial Operations Maritime Manual Billing Process at risk of error High 2/23/2018 12/31/2021 1,294 More than 2 years -113 Not Due IT Audit AV/M Facility & Infrastructure Data Centers Security Sensitive High 12/4/2018 No date supplied 1,010 More than 2 years N/A N/A IT Audit AV/M Facility & Infrastructure Data Centers Security Sensitive High 12/4/2018 No date supplied 1,010 More than 2 years N/A N/A Operational Audit Marine Maintenance Shop Keys and badges tracking High 6/14/2019 12/31/2023 818 More than 2 years -843 Not Due Operational Audit Marine Maintenance Shop Fleet and fuel internal controls High 6/14/2019 12/31/2023 818 More than 2 years -843 Not Due IT Audit HIPAA Security Audit Security Sensitive High 9/4/2019 7/31/2020 736 More than 2 years 405 1-2 years IT Audit HIPAA Security Audit Security Sensitive High 9/4/2019 7/31/2020 736 More than 2 years 405 1-2 years Operational Audit Architecture & Engineering Determine fair and reasonable High 12/9/2019 6/30/2020 640 1-2 years 436 1-2 years Operational Audit Architecture & Engineering Management review over max rates High 12/9/2019 6/30/2020 640 1-2 years 436 1-2 years Operational Audit Architecture & Engineering Contract accuracy High 12/9/2019 6/30/2020 640 1-2 years 436 1-2 years Operational Audit Ground Transportation - Taxicabs Reconciliation process High 12/1/2020 12/31/2021 282 6-12 months -113 Not Due IT Audit Disaster Recovery Capabilities Security Sensitive Medium 11/29/2017 No date supplied 1,380 More than 2 years N/A N/A IT Audit AV/M Facility & Infrastructure Data Centers Security Sensitive Medium 12/4/2018 No date supplied 1,010 More than 2 years N/A N/A IT Audit Security of Personal Identifiable Information Security Sensitive Medium 2/26/2019 12/31/2019 926 More than 2 years 618 1-2 years IT Audit Security of Personal Identifiable Information Security Sensitive Medium 2/26/2019 3/31/2020 926 More than 2 years 527 1-2 years IT Audit HIPAA Security Security Sensitive Medium 9/4/2019 7/31/2020 736 More than 2 years 405 1-2 years IT Audit HIPAA Security Security Sensitive Medium 9/4/2019 7/31/2020 736 More than 2 years 405 1-2 years IT Audit Closed Network Systems Security Security Sensitive Medium 9/5/2019 3/31/2020 735 More than 2 years 527 1-2 years IT Audit Closed Network Systems Security Security Sensitive Medium 9/5/2019 6/30/2020 735 More than 2 years 436 1-2 years IT Audit Inventory and Control of Hardware Assets Security Sensitive Medium 11/12/2019 6/30/2023 667 1-2 years -659 Not Due Operational Audit Architecture & Engineering Governance Medium 12/9/2019 6/30/2020 640 1-2 years 436 1-2 years IT Audit Network Password Management Security Sensitive Medium 3/20/2020 12/31/2022 538 1-2 years -478 Not Due IT Audit Network Password Management Security Sensitive Medium 3/20/2020 9/30/2020 538 1-2 years 344 6-12 months IT Audit Network Password Management Security Sensitive Medium 3/20/2020 12/31/2020 538 1-2 years 252 6-12 months IT Audit Secure Configuration for Hardware and Software on Mobile Devices, Security Sensitive Medium 8/21/2020 12/31/2021 384 1-2 years -113 Not Due Laptops, Workstations and Servers IT Audit Secure Configuration for Hardware and Software on Mobile Devices, Security Sensitive Medium 8/21/2020 12/31/2021 384 1-2 years -113 Not Due Laptops, Workstations and Servers Lease and Concession Audit Concourse Concessions, LLC RE-2 policy review Medium 9/10/2020 12/31/2020 364 6-12 months 252 6-12 months IT Audit Inventory and Control of Software Assets Security Sensitive Medium 11/24/2020 12/31/2021 289 6-12 months -113 Not Due IT Audit Inventory and Control of Software Assets Security Sensitive Medium 11/24/2020 12/31/2021 289 6-12 months -113 Not Due IT Audit Inventory and Control of Software Assets Security Sensitive Medium 11/24/2020 12/31/2021 289 6-12 months -113 Not Due IT Audit Malware Defenses - Aviation Maintenance Security Sensitive Medium 3/17/2021 12/31/2022 176 0-6 months -478 Not Due Lease and Concession Audit Lenlyn Limited Underreported Revenue Medium 5/28/2021 6/30/2021 104 0-6 months 71 0-6 months Operational Audit Art Program Governance, Funding, Staffing/Resources Medium 6/4/2021 12/31/2021 97 0-6 months -113 Not Due Operational Audit TNCs (Lyft, Inc. & Rasier, LLC) Additional research on variances Low 8/26/2021 10/31/2021 14 0-6 months -52 Not Due 28
Limitations of Translatable Documents
PDF files are created with text and images are placed at an exact position on a page of a fixed size.
Web pages are fluid in nature, and the exact positioning of PDF text creates presentation problems.
PDFs that are full page graphics, or scanned pages are generally unable to be made accessible, In these cases, viewing whatever plain text could be extracted is the only alternative.