1. Audit Committee Report
Financial Stewardship Accountability Transparency
Port of Seattle Audit Committee
Internal Audit Update
Glenn Fernandes - Director, Internal Audit
December 9, 2021
Remote Meeting
2:30 PM 4:00 PM
Operational Excellence Governance
2021 AUDIT PLAN STATUS
Audit Title Type Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
Noise Monitor Data Accuracy Operational
South King County Fund Operational
Central Terminal Infrastructure Upgrade (Construction and Closeout Phases) Operational - Capital
Malware Defenses - Aviation Maintenance IT
Seattle-Tacoma International Limousine Association (STILA) Contract Compliance
Biometrics IT
Art Program Operational
Restroom Renovations Phase 3 Prototype Operational - Capital
Lenlyn Limited Contract Compliance
Rasier, LLC1 Operational
Lyft, Inc.1 Operational
Fruit & Flower, LLC d/b/a Floret Contract Compliance
Baggage Optimization - Phase 2 Operational - Capital
Payment Card Industry (PCI) Compliance IT
Rent and Concession Deferral Recovery Operational
Continuous Vulnerability Management IT
Data Recovery2 IT
North Terminals Utilities Upgrade - Phase 1 Operational - Capital
Capitalization of Assets Operational
Dilettante Chocolate, Inc. Contract Compliance
T2 Airport Garage Parking System Replacement 3 IT
Complete
KEY
Deferred to 2022
1. Reclassified from Limited Contract Compliance to Operational and consolidated into one report.
2. This is a contingency audit that was approved by the Audit Committee in December 2020.
3. Due to implementation delays, this audit will be deferred to the 2022 Audit Plan.
2
2021 Audit Plan Update
19 audit reports were completed in 2021 as planned: Operational (6), Capital
Projects (4), IT (5), and Limited Contract Compliance (4).
Audits identified 4 High Risk, 12 Medium Risk, and 5 Low Risk rated issues for
management action.
Internal Audit's 2021 value proposition to respond to COVID-19 impact and
associated business risks:
Audit of Rent and Concession Deferral Recovery - Direct relevance of the Port's financial relief to tenants
and repayment activities
Capital Project Audits Incorporated COVID-19 related expenses and change orders into audits
Cruise Terminals of America 2020 Cruise Season Rent Credit Review
The Port has opportunities to reduce change orders, schedule delays and design
issues.
3
2021/2020 Suggested Recoveries
Lease/Concession:
2021 Audits Amount
Seattle-Tacoma International Limousine Association $157,284
Lenlyn Limited 12,023
Total $169,307
2020 Audits Amount
Concourse Concessions, LLC $1,527
McDonald's USA, LLC 10,265
E-Z Rent A Car, Incorporated 16,201
Total $27,993
Capital1:
2021 Audits Amount
Central Terminal Infrastructure Upgrade Project (Construction and Closeout Phases) $18,200
Restroom Renovations Phase 3 Prototype 12,314
Total $30,514
2020 Audits Amount
AOA Perimeter Fence Line Standards Project $232,000
Total $232,000
1. Since 2018, Internal Audit has recommended $2.5 MM in capital project recoveries, of which $850,000 has been recovered.
4
2021/2020 Controllable Cost Over-Runs1
Audit 2020 Amount 2021 Amount
Service Tunnel Renewal/Replacement Project $160,000 0
AOA Perimeter Fence Line Standards Project 106,000 0
Baggage Optimization Project - Phase 2 0 $29,000
Tota l $266,000 $29,000
1. Since 2018, Internal Audit has identified $46 MM in capital project controllable costs.
5
Operational Audit Approach
Risk interviews held with a sample of Port leaders, including:
Airport Operations Aviation Commercial Management
Environment and Sustainability Finance
Government Relations Human Resources
Health and Safety Aviation Security
Common Risk Themes identified from interview data:
Resources COVID mandate, aging workforce, tight labor market
Payroll Administrative Professionals approving time, accuracy of vacation/sick accruals,
PHEL misuse
Grants FAA compliance, pass-through entity
Construction Impact to operations and need for improved communication
Governance New commissioners, changing priorities
Input from Commissioners and Executive Director
6
Proposed 2022 Operational Audits
Audit Risk Input Purpose
Payroll Controls Risk interviews Evaluate current processes/controls to assure proper time approval,
vacation/sick accruals, and PHEL use.
Emergency Procurement Commissioner Evaluate current processes/controls to assure emergency
Request procurement compliance with applicable laws and Port policies.
Federal Grant Administration (CRRSA & ARP) Risk interviews Evaluate current processes/controls to assure compliance with
applicable federal grant requirements (e.g., eligibility, allocation
methodology, agreements, etc.).
Community & Sustainability Initiatives Risk interviews Evaluate governance and current processes/controls to assure
compliance with applicable laws and Port policies, and safeguarding
Port assets.
Contingency Audit1
Contractor COVID-19 Vaccination Compliance2
1. If resources exist, at Internal Audit Director's discretion, this audit will be moved to the 2022 Audit Plan.
2. This audit was requested by the Executive Director to assure mandated COVID-19 vaccination compliance by contractors, pending an updated Port policy.
7
Capital Projects Audit Approach
19 projects currently under contract >$5MM1, 2
Risk rating of projects utilizing six attributes:
Project Size (Construction Costs)
Change Orders (Original Contract Sum)
Contract Type
Schedule
Budget
Known Concerns (Errors & Omissions, Potential Claims, Scope Changes, etc.)
1. Contract costs as of November 2021. Does not include total project cost (Port's internal/soft cost).
2. See Appendix A - Capital Risk Universe - Projects Currently Under Contract, Risk Rating Methodology.
8
Proposed 2022 Capital Audit Plan
Rating1
Project Schedule Budget Contract Amount
International Arrivals Facility (IAF) Red Red $798.7MM
Interim Westside Fire Station Red Red 5.6MM
North Satellite (NSAT) Renovation & Expansion (Closeout) Green Red 500.1MM
South Satellite (SSAT) High Voltage AC Infrastructure Upgrade Yellow Yellow 31.2MM
Post IAF Airline Realignment2 Required by RCW 39.10.385 Not Yet Under Contract
C-1 Building Expansion2 Required by RCW 39.10.385 Not Yet Under Contract
Main Terminal Low Voltage2 Required by RCW 39.10.385 Not Yet Under Contract
Total $1,335.6MM
Contingency Audit3
Capital Project Management4
1. Ratings generated from Internal Audit's risk assessment, utilizing the following systems: Quarterly Capital Improvement Projects, Contractor Data system, etc. See Appendix
A Capital Risk Universe Projects Currently Under Contract, Risk Rating Methodology.
2. RCW 39.10.385 requires an independent auditor perform an audit of subcontractor changes to the Port on GCCM projects, where the subcontractor was selected through an
alternative selection process. This audit work will be performed by external, contractor auditors under Internal Audit's supervision.
3. If resources exist, at Internal Audit Director's discretion, this audit will be moved to the 2022 Audit Plan.
4. Purpose: Operational audit of overall project management, including: project prioritization, prevention of schedule delays and budget over-runs, and best practices related
to the Majority-In-Interest (MII) approach.
9
Information Technology Audit Plan Approach
Seven Year Plan:
Since the Port had not had a comprehensive Information Technology Audit program
prior to 2018, we decided in 2019, that our new Information Technology Audit
Program1 would focus on those high risk, high value controls, identified by the
Center for Internet Security2 (CIS, 18 control areas, 153 controls).
We are using risk input from Information Security to assist us in determining the
order in which to perform the CIS audits.
Additionally, we will add audits based on executive management concerns or on the
basis of emerging threats.
Once we cycle through those 18 high risk areas (we have completed six as of date),
we will branch out into looking at other Information Technology General Controls,
and we will move to a more classic risk assessment process of assessing risk,
likelihood and impact, to determine what will be on our annual Information
Technology audit plan.
1. See Appendix B Information Technology Audit Universe.
2. https://www.cisecurity.org/controls/cis-controls-list/
10
Information Technology Audit Plan
Proposed 2022 Audits/Assessments
Name Risk1 Selection Criteria
T2 Airport Garage Parking System Replacement2 N/A Management Request
Account Management (ICT) High Center for Internet Security
Account Management (Aviation Maintenance) High Center for Internet Security
Audit Log Management (ICT) High Center for Internet Security
Audit Log Management (Aviation Maintenance) High Center for Internet Security
Incident Response Management (ICT) High Center for Internet Security
Incident Response Management (Aviation Maintenance) High Center for Internet Security
Contingency Audits3
Name Risk1 Selection Criteria
Network Infrastructure Management (ICT) High Center for Internet Security
Network Infrastructure Management (Aviation Maintenance) High Center for Internet Security
Email and Web Browser Protections (ICT) High Center for Internet Security
1. See Appendix B Information Technology Audit Universe.
2. Deferred from the 2020 Audit Plan.
3. If a proposed audit cannot be performed, at the Internal Audit Director's discretion, this audit will be moved to the 2022 Audit Plan.
11
Lease and Concession Audit Plan Approach
126 leases in the risk universe1
Risk rating of leases primarily based on:
Three-year revenues
Prior audit history
Cycle frequency
Total Economic
Agreement Year Revenues Aviation Development Maritime
2019 $128 MM $122 MM $2 MM $4 MM
2020 40 MM 34 MM 1 MM 5 MM
20212 33 MM 28 MM 1 MM 4 MM
Total $201 MM $184 MM $4 MM $13 MM
Number 2019-2021
Rating of Leases Revenue Percentage Frequency
High 11 $109 MM 54% 5-7 year cycle 3
Medium 24 63 MM 31% 10-year cycle
Low 91 29 MM 15% As needed
Total 126 $201 MM 100%
1. See Appendix C Lease/Concession Risk Universe.
2. Actuals through 8/31/2021.
3. Updated for 2022 due to COVID-19 pandemic impact on tenants.
12
Proposed 2022 Lease and Concession Audits
2019-2021
Name Division Rating Revenues
In-Ter-Space Services, Inc. DBA Clear Channel Airports Aviation High $11.3 MM
Avis Budget Car Rental Aviation High 9.4 MM
Hertz Corporation Aviation High 6.1 MM
Total $26.8 MM
Contingency Audit1
Host International, Inc. Aviation High $10.2 MM
1. If resources exist, at Internal Audit Director's discretion, this audit will be moved to the 2022 Audit Plan.
13
Historical Reports Overview 2018 2022
Report Type 20181 2019 2020 2022
2021
(Proposed)
Operational 8 4 6 6 4
Operational - Capital 5 4 3 4 72
Information Technology 3 6 6 5 73
Limited Contract Compliance 6 5 5 4 3
Total 22 19 20 19 21
1. 2018 included six audits carried over from the 2017 audit plan. The First Quarter Audit Committee Meeting discussed 2017 Audits.
2. Includes three audits required by RCW 39.10.385; State Law requires an independent auditor perform an audit of subcontractor changes to the Port on GCCM projects,
where the subcontractor was selected through an alternative selection process. This audit work will be performed by external, contractor auditors under Internal Audit's
supervision.
3. Includes six audits that reflect a separation of three audits (Account Management, Account Log Management, and Incident Response Management) for two respective
departments; ICT and Aviation Maintenance.
14
Proposed 2022 Audit Plan
Limited Contract Compliance Operational Information Technology
In-Ter-Space Services, Inc. DBA Payroll Controls T2 Airport Garage Parking System
Clear Channel Airports Emergency Procurement Replacement1
Avis Budget Car Rental Federal Grant Administration (CRRSA & Account Management (ICT)
Hertz Corporation ARP) Account Management (Aviation
Community & Sustainability Initiatives Maintenance)
Audit Log Management (ICT)
Capital Audit Log Management (Aviation
International Arrivals Facility (IAF) Maintenance)
Interim Westside Fire Station Incident Response Management (ICT)
North Satellite (NSAT) Renovation & Incident Response Management
Expansion Closeout (Aviation Maintenance)
South Satellite (SSAT) High Voltage AC
Infrastructure Upgrade
Post IAF Airline Realignment2
C-1 Building Expansion Construction Phase2
Main Terminal Low Voltage2
1. Moved to 2022 audit plan; approved at 6/28/2019 Audit Committee meeting.
2. RCW 39.10.385 requires an independent auditor perform an audit of subcontractor changes to the Port on GCCM projects, where the subcontractor was selected through an alternative selection process.
This audit work will be performed by external, contractor auditors under Internal Audit's supervision.
15
Contingency Audits - If resources exist, at Internal Audit Director's discretion,
these audits will be moved to the 2022 Audit Plan.
Limited Contract Compliance Operational Information Technology
Host International, Inc. Contractor COVID-19 Vaccination Network Infrastructure Management
Compliance (ICT)
Network Infrastructure Management
Capital (Aviation Maintenance)
Capital Project Management Email and Web Browser Protections
(ICT)
16
Open Issue Follow-Up Status Aging Report as of December 9, 2021
1. Twelve issues outstanding for one to two years from the Target Date consist of:
Architecture & Engineering (4) - Fair and Reasonable Rate Determination; Management Review Over Max Rates; Contract Rate Accuracy; and Governance: A lean
project to evaluate the rate negotiation process is scheduled for Q1, 2022. Resource constraints has made it challenging to resolve the audit issues. A Governance
team has been selected; meetings to begin in 2022.
Information Technology Audits (8) (Security Sensitive) - Exempt from Public Disclosure per RCW 42.56.420 Issues Not Discussed in Public Session.
They are: Security of Personal Identifiable Information (2), HIPAA Security (4), Closed Network System Security (1), and Network Password Management (1).
2. Four Information Technology issues do not have Target Dates and are not included in this chart. These issues are in the process of being addressed, however, they are more
than two years past the Report Date: Disaster Recovery Capability (1), and AV/M Facilities & Infrastructure Data Centers (3).
See Appendix D for a detailed listing of outstanding issues aging as of December 9, 2021.
17
Audits Completed in Fourth Quarter, 2021
1) Capitalization of Assets
2) North Terminals Utilities Upgrade Phase 1
3) Rent and Concession Deferral Recovery
4) Payment Card Industry (PCI) Compliance*
[Note: Slide 31 contains only the non-security sensitive contents from the audit report for discussion purposes.]
5) Continuous Vulnerability Management*
6) Data Recovery*
7) Dilettante Chocolate, Inc.
*Security Sensitive Exempt from Public Disclosure per RCW 42.56.420 Issues Not Discussed in Public Session
18
Capitalization of Assets
Port Accounting Policy AC-8b establishes standards for
capitalization of major expenses.
Construction Costs recorded against Construction Work-in-
Process (CWIP) when:
The asset has a useful life of three years or more
The Port has ownership and control
Total costs of at least $20,000
As of December 31, 2020:
CWIP: $1.347 billion
Capital Assets: $8.164 billion
19
#1) Rating: Low
A Standard Operating Procedure was documented and
adopted in February 2021. However, internal controls
need to be enhanced whereby project leads review and
approve their work, a year end re-confirmation is
performed, and a final notification is sent out to all
stakeholders. Doing so will reduce the likelihood that
assets are not transferred from Construction Work-in-
Process to Capital Assets in the correct period.
20
Recommendations
Annual Review Process - Program Leads should formally review
and approve information before it is submitted to Capital Services.
Facility Asset Review Meeting (FARM) The year-end FARM
should include a final opportunity for stakeholders to re-confirm
the accuracy of project status.
Notification - After asset transfers have been recorded, Capital
Services should provide a notification to key stakeholders so that
they can validate the accuracy of what was recorded.
21
Management Response
Annual Review Process Management agrees that all projects reviewed
will include a review and sign-off from the appropriate Program Leads.
Facility Asset Review Meeting (FARM) - Management disagrees with
recommendation that a FARM should be scheduled at the end of the
year to reconfirm assets for every project. Instead, Management will
evaluate making a FARM required for qualifying projects in the design
phase, where preliminary asset plans are developed, and again during
construction, prior to asset plan submission, to ensure a timely,
coordinated asset plan final submission.
Notification - Management agrees with this recommendation and will
implement this process for year-end reporting.
DUE DATE: 3/31/2022 Management will discuss in detail. (Full response in Audit Report No. 2021-12)
22
North Terminal Utilities Upgrade Phase 1
The North Terminal Utilities Upgrade Phase 1 replaced the existing
45-year-old undersized steam, condensate, and chilled water supply,
return piping from the Central Mechanical Plant, and created a
redundant interconnected piping loop in two phases.
Key Elements of Phase 1:
Upsized piping from the Central Mechanical Plant to points of
connection for the Concourse D Annex and North Satellite.
Provided critical improvements for the planned 2021 opening of
the newly renovated North Satellite.
23
North Terminal Utilities Upgrade Phase 1
Project approved by Commission in June 2016 for $21.3 MM.
The Engineer's Estimate for Phase 1 was $11,653,000.
Four bids were received; three bids exceeded the estimate by
at least 15%.
Winning bidder, James W. Fowler Co., submitted a bid for
$12,184,750; 4.5% over the Engineer's Estimate.
Final construction cost is $13.36 MM, including $1.17 MM in
change orders.
24
1) Rating: Medium
Internal Audit noted instances where the Port's Standard
Operating Procedures were not followed for Change Orders.
Instances included:
Contractor submitting inadequate documentation to
justify change orders
Failure to complete a required estimate
Inadequate review of contractor timesheets
25
Recommendations
Management should strengthen the control over
documentation, approval, and compliance with Standard
Operating Procedures.
Although the Port is not responsible for the contractor, or
their subcontractors, to submit accurate certified payroll
reports to the Washington Department of Labor and
Industries (L&I).
26
Management Response
The Engineering Construction Management and Central Procurement Office (CPO)
Construction Contracting teams agree with the findings.
Key areas of focus for Construction Management to address these issues will be on
training and oversight of staff who are less experienced with Port processes, both
FTEs and Consultants. In addition to referencing published Standard Operating
Procedures, we will continue to reinforce our processes through regular meetings
with staff, with an expanded attendee list to include Consultants, to increase overall
understanding of these processes and best practices for enforcement of the contract
and management of changes.
We will continue to coordinate with our CPO Construction Contracting partners to
strengthen controls and ensure all required elements are in place before executing
changes to the Contract.
DUE DATE: 12/31/2021 Management will discuss in detail. (Full response in Audit Report No. 2021-20)
27
Rent and Concession Deferral Recovery ("Program")
Since April 2020, the Port Commission has authorized short-term economic
relief to customers, airlines, concessionaires, and tenants to address impacts
of the economic crisis resulting from the COVID-19 pandemic.
Based on approvals by the Port Commission via Motions 2020-07 and 2020-
13, the Port created and implemented the Program.
The Port and the tenants or concessionaires entered into deferral agreements
detailing the arrangement that included a repayment plan.
As of December 31, 2020, the deferred charges were $61.1 MM, including
$4.1 MM of Norwegian Cruise Line Holdings (NCL).
As of October 27, 2021, the outstanding deferred charges were $2.7 MM, of
which NCL had the largest balance of $2 MM.
28
Rent and Concession Deferral Recovery ("Program")
Internal Audit identified monitoring controls that are significant to the current
processes, including:
The Executive Director's quarterly recovery status/action reporting to the Port Commission
Legal department's involvement/oversight
Executive oversight meetings
Business leaders' ongoing monitoring engagement
Centralized function's use of a tracking tool, and an associated quality review by Accounting and
Financial Reporting (AFR)
A sample of business leaders interviewed expressed concern about the
uncertainty of the COVID-19 pandemic, new requirements, and related impact on
the Port and tenants.
Detail testing for a sample of six deferral agreements noted participating tenants'
compliance with Program requirements.
29
No Issues
Based on the work we performed, Internal Audit
concluded that the current processes and related
internal controls are operating as intended, to assure
Program compliance with applicable laws and Port
policies.
30
Payment Card Industry (PCI) Compliance
Internal Audit completed an Information Technology audit of the Port of Seattle's
(Port's) compliance with the Payment Card Industry Data Security Standard (PCI DSS)
version 3.2.1, dated, June 2018 for the period August 2020 through September 2021.
Organizations that store, process, or transmit credit card data must comply
with relevant PCI DSS requirements, and compliance must be attested on an
annual basis.
The Port accepts credit card payments for parking and moorage services at its facilities,
including Seattle-Tacoma International Airport and various Marinas in Seattle.
Based on the work we performed, and the information gathered, Internal
Audit concluded that the Port has achieved reasonable compliance with the PCI
DSS requirements for Merchants.
There were a small number of non-compliant requirements at the initial point of review
in the audit that were corrected during the audit.
Security Sensitive Exempt from Public Disclosure per RCW 42.56.420 Issues Not Discussed in Public Session
31
Dilettante Chocolate, Inc.
Lease Agreement established in 2016
Gross revenues about $3.85 MM annually (prior to COVID-19)
Concession fees paid about $593,000 annually (prior to COVID-19)
32
No Issues
Internal Audit concluded that Dilettante Chocolate, Inc.
materially complied with the significant terms of the
Agreement.
33
Appendix
A Capital Risk Universe & Risk Rating Methodology
B Information Technology Audit Universe
C Lease/Concession Risk Universe
D Aging of Outstanding Issues as of December 9, 2021
34
Appendix A Capital Risk Rating Methodology
Attributes
(A) Project Size (Construction Costs) Points
$5MM to $10MM 1
>$10MM to $15MM 2
>15MM to $25MM 3
>$25MM to $50MM 4
>$50MM 5
(B) Change Orders (original contract sum) Points
0 to 5% 1
5.1% to 7.5% 2
7.6% to 10% 3
10.1% to 15% 4
>15% 5
(C) Contract Type Points
Lump sum 1
Unit Price or T&M 2
GMP w/ Shared Savings or TRA 3
GMP w/ no shared savings 4
Cost Plus no GMP 5
(D) Schedule Points
On Schedule 1
Potential Schedule Overrun 3
Schedule Overrun 5
(E) Budget Points
On Budget 1
Potential Budget Overrun 3
Over Budget 5 T&M: Time and Materials
GMP: Guaranteed Maximum Price
Points
TRA: Tenant Reimbursement Agreement
(F) Known Concerns (E&O, claims, scope change, complexity)
Subjective- Audit Knowledge 1-5 E&O: Errors and Omissions
35
Appendix A Capital Risk Universe (Projects >$5MM)
Attributes
(A) (B) (C) (D) (E) (F) Total Prior Audit 1IAF nearing completion. Unknown Change Order
1 International Arrivals Facility (IAF) 5 5 4 5 5 5 29 2017; 2018 (CO) coding changes in Trend Log. Project has
2 Interim Westside Fire Station 2 5 4 5 5 5 26 2018 encountered numerous issues. Over budget and
3 North Satellite (NSAT) Renovation & Expansion (Closeout) 5 3 3 1 5 4 21 2018 schedule. Delays have caused other Projects to fall
4 South Satellite (SSAT) High Voltage AC Infrastructure Upgrade 4 4 1 1 5 4 19 behind schedule. Commission request to review
Safedock Upgrade and Expansion 1 3 1 5 5 4 19 project. Consultant will assist Internal Audit during
North Terminal Utilities Upgrade - Phase 1 2 2 1 5 5 2 17 2021 the audit.
P66 Interior Modernization 1 5 1 4 5 1 17 2Overbudget. Schedule approximately one year
Checked Baggage Recap/Optimization Phase II 5 1 1 1 1 5 14 2021 behind. Multiple difficulties encountered during
Sites 23-25 Restoration 3 1 4 1 3 2 14 the Project.
Electrical Ground Support Equip. Charge Stations (Ph 2A & 2B) 4 1 1 3 1 3 13 3NSAT- Second largest project. Substantial
Concourse C New Power Center 1 4 1 1 3 2 12 completion in 2021. $31MM in COs. Suggest a
Parking Garage Elevators Modernization (Phase I & II) 3 1 1 3 1 2 11 closeout audit.
Air Cargo Road Safety Improvements 2 1 1 3 1 2 10 4Potential for budget and schedule overruns.
2021 Airfield Improvement 3 1 1 1 1 2 9 $2.9MM in COs, including $674K in scope changes,
Concourse C New Power Center 2 2 1 1 1 2 9 $529K Errors & Omissions (E&O) Designer, $385K
Electric Utility Supervisory Controls & Data Acquisition (SCADA) 1 1 1 1 1 1 6 COVID-19 reimbursements. Has not been
Parking Revenue Infrastructure 1 1 1 1 1 1 6 previously audited.
T91 Northwest Fender Replacement 1 1 1 1 1 1 6
Dining, Retail & Infrastructure Modernization -
36
Appendix B Information Technology Audit Universe
Inherent Inherent
# IT General Controls Audits # IT General Controls Audits
Risk Risk
1 CIS - Inventory and Control of Enterprise Assets - V8 HIGH 21 Parking Revenue Control System (T2 ParkingSoft) HIGH
2 CIS - Inventory and Control of Software Assets - V8 HIGH 22 Change Management HIGH
3 CIS - Data Protection - V8 HIGH 23 Datacenter Operations HIGH
4 CIS - Secure Configuration of Enterprise Assets and Software - V8 HIGH 24 Disaster Recovery Program HIGH
5 CIS - Account Management - V8 HIGH 25 HIPAA Privacy Compliance HIGH
6 CIS - Access Control Management - V8 HIGH 26 HIPAA Security Compliance HIGH
7 CIS - Continuous Vulnerability Management - V8 HIGH 27 Industrial Control System Security HIGH
8 CIS - Audit Log Management - V8 HIGH 28 IT Governance HIGH
9 CIS - Email and Web Browser Protections - V8 HIGH 29 IT Risk Management HIGH
10 CIS - Malware Defenses - V8 HIGH 30 Periodic User Access Reviews HIGH
11 CIS - Data Recovery - V8 HIGH 31 Physical & Environmental Security HIGH
12 CIS - Network Infrastructure Management - V8 HIGH 32 Portable Media Security HIGH
13 CIS - Network Monitoring and Defense - V8 HIGH 33 Project Management HIGH
14 CIS - Security Awareness and Skills Training - V8 HIGH 34 Security Program HIGH
15 CIS - Service Provider Management - V8 HIGH 35 System and Software Development HIGH
16 CIS - Application Software Security - V8 HIGH 36 Transmission Protection HIGH
17 CIS - Incident Response Management - V8 HIGH 37 Triennial WA State Patrol Audit of CJIS Compliance HIGH
18 CIS - Penetration Testing - V8 HIGH 38 Vendor Management HIGH
19 Annual Review of Payment Card Industry (PCI) Compliance HIGH
20 Password Management HIGH
Completed Audits
On the 2022 Audit Plan
37
Appendix C Lease/Concession Risk Universe
High Risk:
Name Contract 2019 2020 2021* Total
EAN HOLDINGS LLC AIR001281 $ 12,283,311 $ 1,968,842 $ 1,055,696 $ 15,307,849
AIRPORT MANAGEMENT SERVICES LLC AIR002018 6,461,469 2,596,134 2,877,387 11,934,990
IN-TER-SPACE SERVICES, INC AIR002224 7,106,850 3,758,091 476,229 11,341,170
LOUIS DREYFUS COMPANY WASHINGTON LLC SEA002603 3,414,447 4,428,624 3,395,266 11,238,337
RASIER LLC AIR002022 8,020,014 2,465,688 - 10,485,702
HOST INTERNATIONAL, INC AIR002019 6,191,054 2,008,238 1,987,837 10,187,129
AIRPORT MANAGEMENT SERVICES LLC AIR002017 5,984,582 1,683,344 2,007,993 9,675,920
AVIS BUDGET CAR RENTAL AIR001282 7,643,276 1,063,457 677,206 9,383,939
DUFRY - SEATTLE JV AIR001661 6,343,533 1,234,549 - 7,578,082
LYFT AIR002023 4,953,342 1,564,344 - 6,517,686
HERTZ CORPORATION AIR001278 5,277,443 388,300 451,355 6,117,098
$ 73,679,321 $ 23,159,611 $ 12,928,970 $ 109,767,903
*Actuals through 8/31/2021
38
Appendix C Lease/Concession Risk Universe (continued)
Medium Risk:
Name Contract 2019 2020 2021* Total
SKY CHEFS INC AIR002512 $ 2,083,334 $ 1,954,910 $ 1,733,860 $ 5,772,104
GATE GOURMET INT'L AIR000042 3,478,670 1,366,033 895,591 5,740,294
DOUG FOX TRAVEL/ATZ AIR001718 3,292,322 685,911 1,480,890 5,459,123
REPUBLIC PARKING NORTHWEST INC SEA000425 1,663,944 942,091 524,858 3,130,893
EASTSIDE FOR HIRE, INC AIR002100 2,842,695 - - 2,842,695
HOST INTERNATIONAL, INC AIR000435 2,597,830 (8,866) 149,283 2,738,247
FLYING FOOD FARE INC AIR000086 1,761,803 700,578 272,080 2,734,462
SKY CHEFS INC AIR001849 2,679,284 - - 2,679,284
HOST INTERNATIONAL, INC AIR002247 1,412,532 635,557 540,294 2,588,384
DTG OPERATIONS INC AIR001279 1,920,146 218,557 180,525 2,319,228
RASIER LLC AIR002579 - - 2,110,532 2,110,532
SIXT RENT A CAR LLC AIR001632 1,597,449 377,404 101,768 2,076,621
CMC INVESTMENTS INC AIR001280 1,688,013 199,510 154,657 2,042,180
FOX RENT A CAR INC AIR001285 1,470,104 412,400 152,523 2,035,026
ALCLEAR, LLC AIR002048 1,504,597 440,790 76,523 2,021,910
QDOBA RESTAURANT CORPORATION AIR002096 1,247,335 554,298 160,208 1,961,842
SSP AMERICA SEA LLC AIR002237 955,140 432,579 536,224 1,923,944
CONCOURSE CONCESSIONS LLC AIR002055 1,105,501 410,875 398,404 1,914,780
MCDONALD'S USA LLC AIR001606 1,213,833 526,217 160,774 1,900,824
STELLAR BAMBUZA SEA LLC AIR002240 585,553 492,431 804,127 1,882,111
SEATTLE RESTAURANT ASSOCIATES AIR000439 1,815,188 - - 1,815,188
FIREWORKS AIR002101 1,095,226 319,362 380,979 1,795,566
BEECHER'S HANDMADE CHEESE, LLC AIR001562 978,751 344,064 449,098 1,771,912
SEATAC BAR GROUP LLC AIR002053 1,159,507 262,464 287,395 1,709,366
$ 40,148,757 $ 11,267,164 $ 11,550,592 $ 62,966,514
*Actuals through 8/31/2021
39
Appendix C Lease/Concession Risk Universe (continued)
Low Risk:
Name Contract 2019 2020 2021* Total
HOST LPI SEA FB LLC AIR002361 $ 933,168 $ 348,589 $ 417,872 $ 1,699,629
CONCOURSE CONCESSIONS LLC AIR002362 560,520 455,518 569,107 1,585,145
SSP AMERICA SEA LLC AIR002238 613,177 439,960 529,013 1,582,150
LENLYN LIMITED AIR001788 1,309,915 191,423 - 1,501,338
LYFT AIR002578 - - 1,491,683 1,491,683
SSP AMERICA SEA LLC AIR002358 973,521 238,623 207,587 1,419,731
BAMBUZA SEA-TAC VENTURES AIR002365 518,543 343,255 456,928 1,318,726
PALLINO SEATAC LLC AIR002241 561,190 275,294 337,653 1,174,136
SODEXO AMERICA, LLC AIR001513 710,436 295,492 92,316 1,098,244
1915 KCHOUSE CONCEPTS-SEATAC LLC AIR002265 563,846 233,102 295,526 1,092,474
MAD ANTHONY'S INC CHINOOK SEA000043 460,825 373,214 258,349 1,092,388
DILETTANTE CHOCOLATES INC AIR002094 558,368 247,005 255,881 1,061,253
SEATTLE TACOMA INTL LIMOUSINE ASSOC* AIR001991 836,843 188,272 - 1,025,115
FRUIT & FLOWER LLC DBA FLORET AUTHORITY AIR002063 650,709 122,942 139,359 913,011
THE YARROW GROUP LLC AIR002233 501,082 305,327 87,880 894,289
INMOTION SEA LLC AIR002103 498,982 102,181 108,229 709,393
MAD ANTHONY'S INC PIER 66 SEA000294 379,625 198,552 80,632 658,810
PAYLESS CAR RENTAL, INC AIR001451 505,845 43,023 39,428 588,296
SMARTE CARTE INC AIR000629 375,755 144,442 41,409 561,606
ANTON AIRFOOD AIR000374 551,170 - - 551,170
BF FOODS LLC AIR002232 37,710 243,552 262,691 543,953
SEATTLE CHOCOLATES COMPANY LLC AIR002093 248,752 84,713 110,046 443,512
E-Z RENT-A-CAR AIR001439 360,823 25,798 - 386,621
SEATTLE AIR VENTURES JV AIR002355 207,880 97,552 69,364 374,796
ALCLEAR, LLC AIR002634 - - 374,453 374,453
TERMINAL GETAWAY SPA SEATTLE, LLC AIR002095 272,051 38,309 47,894 358,255
SUNS INC AIR002054 197,069 45,359 55,260 297,689
WBB C.I. CREWS, LLC AIR002468 - 118,791 178,273 297,064
SUB POP RECORDS AIR001816 188,922 58,637 45,773 293,332
EX OFFICIO LLC AIR000580 274,446 - - 274,446
AIRPORT MANAGEMENT SERVICES LLC AIR002430 179,625 62,912 25,017 267,553
*Actuals through 8/31/2021
40
Appendix C Lease/Concession Risk Universe (continued)
Low Risk (continued):
Name Contract 2019 2020 2021* Total
TASTE INC dba VINO VOLO AIR000839 248,894 - - 248,894
MAREL SEATTLE INC SEA001010 150,000 93,852 - 243,852
LADY YUM LLC AIR002331 156,109 35,826 - 191,936
SILVERCAR, INC AIR002203 145,626 36,691 - 182,316
MSM CORPORATION SEA002783 64,765 66,425 39,366 170,557
BILL & NICK INCORPORATED SEA000016 72,879 55,253 37,312 165,444
PUBLICANS, INC SEA002494 63,880 56,967 39,598 160,445
PLANEWEAR LLC AIR001971 115,744 38,404 - 154,148
LATRELLES EXPRESS INC AIR002287 134,348 - - 134,348
SECURITY POINT MEDIA, LLC AIR002437 125,312 - - 125,312
BF FOODS LLC AIR002491 44,210 80,738 - 124,949
LADY YUM LLC AIR002467 - 40,993 80,320 121,312
AIRPORT MANAGEMENT SERVICES LLC AIR000437 93,229 9,955 - 103,184
SHILSHOLE BAY FUEL DOCK SEA002355 38,617 38,592 25,728 102,936
PLANEWEAR LLC AIR002372 - 14,213 74,901 89,114
SMARTE CARTE INC AIR002097 72,748 8,643 2,631 84,022
AIRPORT MANAGEMENT SERVICES LLC AIR001773 73,470 6,914 - 80,384
CHALO LLC AIR002270 45,707 18,749 14,642 79,098
SMARTE CARTE INC AIR002588 - - 77,294 77,294
GLASSYBABY LLC AIR002123 71,905 - - 71,905
GUNWOO & JINAH INC SEA003337 - 37,868 32,767 70,634
UNITED INDIANS OF ALL TRIBES FOUNDATION AIR002387 30,962 18,086 19,292 68,341
SHARA LLC DBA SHOW PONY AIR002330 42,027 10,296 6,348 58,670
CAFE PACIFIC CATERING, INC AIR002124 50,537 7,011 205 57,753
CERTIFIED FOLDER DISPLAY SERVICE INC AIR001641 31,854 17,462 1,000 50,315
CONCOURSE CONCESSIONS LLC AIR002545 - 2,361 46,353 48,715
BF FOODS LLC AIR002393 46,038 - - 46,038
ME & MOM'S HATS DBA SEATTLE HAT$ AIR002141 36,796 9,107 - 45,903
MARMOT MOUNTAIN LLC DBA EXOFFICIO AIR002364 - 37,319 - 37,319
REPUBLIC PARKING NORTHWEST INC SEA000424 16,472 15,572 1,393 33,437
DILETTANTE CHOCOLATES INC AIR001657 31,403 - - 31,403
*Actuals through 8/31/2021
41
Appendix C Lease/Concession Risk Universe (continued)
Low Risk (continued):
Name Contract 2019 2020 2021* Total
DELTA AIR LINES INC AIR002309 16,981 6,260 6,738 29,979
HAN EUN CORPORATION SEA002621 24,877 - - 24,877
ALASKA AIRLINES INC AIR002299 13,344 4,304 6,777 24,426
MAC-GRAY SERVICES SEA002097 13,899 9,513 - 23,413
ASANDA AIR II LLC AIR002409 17,218 - - 17,218
BF FOODS LLC AIR002375 17,115 - - 17,115
AMERICAN EXPRESS TRAVEL AIR001877 8,715 1,703 2,003 12,420
PALLINO SEATAC LLC AIR002283 12,395 - - 12,395
WINGZ, INC AIR002020 8,916 2,376 - 11,292
LUCKY SHOE SHINE LLC AIR002466 3,836 3,555 3,712 11,103
US BANK AIR001505 - 10,525 - 10,525
CONCOURSE CONCESSIONS LLC AIR002374 10,069 - - 10,069
LUCKY SHOE SHINE LLC AIR001888 9,617 - - 9,617
SSP AMERICA SEA LLC AIR002370 - 9,017 - 9,017
CLIPPER FERRY SERVICES INC SEA003017 8,342 - - 8,342
TRICOPIAN DBA FUELROD AIR002469 17 4,259 3,338 7,614
CLEAN ENERGY FUELS CORP AIR001655 4,114 1,970 987 7,071
SSP AMERICA SEA LLC AIR002369 - 6,635 - 6,635
AIRPORT MANAGEMENT SERVICES LLC AIR002284 6,600 - - 6,600
UNITED AIRLINES AIR002327 4,886 602 - 5,487
MASSAGE BAR AIR002286 5,283 - - 5,283
FIREWORKS AIR001644 4,737 - - 4,737
GLOBAL CONCESSIONS GROUP LLC AIR002632 - - 2,533 2,533
MAC-GRAY SERVICES SEA001479 1,446 946 82 2,474
AIRPORT MANAGEMENT SERVICES LLC AIR002529 - 1,363 1,003 2,367
PLANEWEAR LLC AIR002501 172 703 1,346 2,220
WINGZ, INC AIR002580 - - 1,361 1,361
ZEEBA WA, LLC DBA ZEEBA RENT-A-VAN AIR002226 1,004 - - 1,004
FLY BABY LLC DBA LIGHTLY AIR002572 - - 11 11
$ 16,227,915 $ 6,142,866 $ 7,106,666 $ 29,477,447
*Actuals through 8/31/2021
42
Appendix D Aging of Outstanding Issues as of December 9, 2021
Operational, Capital, Information Technology, and Limited Contract Compliance Audits
Months/Years Months/Years
Days Outstanding Outstanding Days Outstanding Outstanding
Type Audit Description Rating Report Date Target Date (from Report Date) (from Report Date) (from Target Date) (from Target Date)
Operational Audit Fishing & Commercial Operations Maritime Manual Billing Process at risk of error High 2/23/2018 12/31/2021 1,385 More than 2 years -22 Not Due
IT Audit AV/M Facility & Infrastructure Data Centers Physical Assess to Facilities High 12/4/2018 No date supplied 1,101 More than 2 years N/A N/A
IT Audit AV/M Facility & Infrastructure Data Centers Protection against environmental factors High 12/4/2018 No date supplied 1,101 More than 2 years N/A N/A
Operational Audit Marine Maintenance Shop Keys and badges tracking High 6/14/2019 12/31/2023 909 More than 2 years -752 Not Due
IT Audit HIPAA Security Security Sensitive High 9/4/2019 7/31/2020 827 More than 2 years 496 1-2 years
IT Audit HIPAA Security Security Sensitive High 9/4/2019 7/31/2020 827 More than 2 years 496 1-2 years
Operational Audit Architecture & Engineering Fair and reasonable rate determination High 12/9/2019 6/30/2020 731 More than 2 years 527 1-2 years
Operational Audit Architecture & Engineering Management review over max rates High 12/9/2019 6/30/2020 731 More than 2 years 527 1-2 years
Operational Audit Architecture & Engineering Contract rate accuracy High 12/9/2019 6/30/2020 731 More than 2 years 527 1-2 years
Operational Audit Ground Transportation - Taxicabs Reconciliation process High 12/1/2020 12/31/2021 373 1-2 years -22 Not Due
IT Audit Continuous Vulnerability Management Security Sensitive High 11/29/2021 12/31/2022 10 0-6 months -387 Not Due
IT Audit Continuous Vulnerability Management Security Sensitive High 11/29/2021 12/31/2022 10 0-6 months -387 Not Due
IT Audit Continuous Vulnerability Management Security Sensitive High 11/29/2021 12/31/2022 10 0-6 months -387 Not Due
IT Audit Disaster Recovery Capabilities Security Sensitive Medium 11/29/2017 No date supplied 1,471 More than 2 years N/A N/A
IT Audit AV/M Facility & Infrastructure Data Centers Physical Facilities Management Medium 12/4/2018 No date supplied 1,101 More than 2 years N/A N/A
IT Audit Security of Personal Identifiable Information Security Sensitive Medium 2/26/2019 12/31/2019 1,017 More than 2 years 709 1-2 years
IT Audit Security of Personal Identifiable Information Security Sensitive Medium 2/26/2019 3/31/2020 1,017 More than 2 years 618 1-2 years
IT Audit HIPAA Security Security Sensitive Medium 9/4/2019 7/31/2020 827 More than 2 years 496 1-2 years
IT Audit HIPAA Security Security Sensitive Medium 9/4/2019 7/31/2020 827 More than 2 years 496 1-2 years
IT Audit Closed Network Systems Security Security Sensitive Medium 9/5/2019 6/30/2020 826 More than 2 years 527 1-2 years
IT Audit Inventory and Control of Hardware Assets Security Sensitive Medium 11/12/2019 6/30/2023 758 More than 2 years -568 Not Due
Operational Audit Architecture & Engineering Governance Medium 12/9/2019 6/30/2020 731 More than 2 years 527 1-2 years
IT Audit Network Password Management Security Sensitive Medium 3/20/2020 9/30/2020 629 1-2 years 435 1-2 years
IT Audit Network Password Management Security Sensitive Medium 3/20/2020 12/31/2020 629 1-2 years 343 6-12 months
IT Audit Network Password Management Security Sensitive Medium 3/20/2020 12/31/2021 629 1-2 years -22 Not Due
IT Audit Secure Configuration for Hardware and Software on Mobile Devices, Security Sensitive Medium 8/21/2020 12/31/2021 475 1-2 years -22 Not Due
Laptops, Workstations and Servers
IT Audit Secure Configuration for Hardware and Software on Mobile Devices, Security Sensitive Medium 8/21/2020 12/31/2021 475 1-2 years -22 Not Due
Laptops, Workstations and Servers
Lease and Concession Audit Concourse Concessions, LLC RE-2 policy review Medium 9/10/2020 12/31/2020 455 1-2 years 343 6-12 months
IT Audit Inventory and Control of Software Assets Security Sensitive Medium 11/24/2020 12/31/2021 380 1-2 years -22 Not Due
IT Audit Inventory and Control of Software Assets Security Sensitive Medium 11/24/2020 12/31/2021 380 1-2 years -22 Not Due
IT Audit Inventory and Control of Software Assets Security Sensitive Medium 11/24/2020 12/31/2021 380 1-2 years -22 Not Due
IT Audit Malware Defenses - Aviation Maintenance Security Sensitive Medium 3/17/2021 12/31/2022 267 6-12 months -387 Not Due
IT Audit Continuous Vulnerability Management Security Sensitive Medium 11/29/2021 6/30/2022 10 0-6 months -203 Not Due
IT Audit Data Recovery Security Sensitive Medium 11/29/2021 4/30/2022 10 0-6 months -142 Not Due
Operational Audit TNCs (Lyft, Inc. & Rasier, LLC) Additional research on variances Low 8/26/2021 10/31/2021 105 0-6 months 39 0-6 months
Operational Audit Capitalization of Assets Enhancing internal controls Low 11/24/2021 3/31/2022 15 0-6 months -112 Not Due
IT Audit Continuous Vulnerability Management Security Sensitive Low 11/29/2021 12/31/2022 10 0-6 months -387 Not Due
43
Limitations of Translatable Documents
PDF files are created with text and images are placed at an exact position on a page of a fixed size.
Web pages are fluid in nature, and the exact positioning of PDF text creates presentation problems.
PDFs that are full page graphics, or scanned pages are generally unable to be made accessible, In these cases, viewing whatever plain text could be extracted is the only alternative.