1. POS Audit Committee
Presentation
Port of Seattle Audit Committee
Internal Audit Update
Glenn Fernandes - Director, Internal Audit
September 8, 2022
Pier 69, Commission Chambers
2:30 PM – 4:30 PM
Financial Stewardship, Accountability, Transparency, Operational Excellence, Governance

Quality Assurance – External Peer Review
Generally Accepted Government Auditing Standards (GAGAS)/Government Accountability Office (GAO) require an external peer review every three years.
Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing require both an internal and external quality assurance and improvement program. External assessments need to occur at least every five years.
An external peer review was conducted by the Association of Local Government Auditors (ALGA) in August of 2022.

Quality Assurance – ALGA Opinion
Based on the results of our review, it is our opinion that during the period November 1, 2018, through October 31, 2021, the Port of Seattle Internal Audit Department’s internal quality control system was suitably designed and operating effectively to provide reasonable assurance of conformance with the Standards for assurance engagements and compliance with Government Auditing Standards, resulting in a rating of pass.

Internal Audit 2023 Budget - Key Elements
• Staffing (Payroll Costs)
• Outside Services – Required by RCW 39.10.385 (11)
• Staff Training
2023 Principles:
• Follow Port guidelines.
• Leverage independent resources for RCW 39.10.385 (11) required audits.
• Invest in staff training and development.

Internal Audit Organization Structure
*This position was frozen due to the pandemic. We are requesting that this position be unfrozen.

Department Overview
Internal Audit, through an annual audit plan, provides assurance that the Port’s controls are effective and efficient to mitigate business risks. The department provides the material for and facilitates quarterly public and non-public Audit Committee meetings each year.
The department also provides advisory services to the Port, to the extent that it does not compromise our independence. The department maintains its independence and objectivity by reporting functionally to the Audit Committee, and administratively to the Executive Director.

RCW 39.10.385 (11)
The Port is initiating several projects using the GC/CM method.
RCW 39.10.385 applies to general contractor/construction manager (GC/CM) projects. When in the best interest of the public, a GC/CM may select one or more subcontractors using alternative methods. An independent audit, paid for by the public body, must be conducted to confirm the proper accrual of costs.
Internal Audit leads management of these independent audits.
Independent audit costs are viewed as part of the cost of the project and are capitalized with the project.

New Budget Requests – Overview
Item No. | High-level Description | Priority (H/M/L) | One-Time (Y/N) | Request for FTEs | Amount Requested
1 | GC/CM Independent Audit - Main Terminal Low Voltage System Upgrade Project* | H | N | 0 | $21,331
2 | GC/CM Independent Audit - Concourse C Expansion* | H | N | 0 | 101,263
3 | GC/CM Independent Audit - Airline Realignment Project* | H | N | 0 | 11,814
4 | GC/CM Independent Audit - Concourse B, C & D Low Voltage Upgrade Project* | H | N | 0 | 5,000
5 | Unfreeze Vacant Concession Auditor Position | M | Y | 1 | 116,399
Total | | | | 1 | $255,807
*Required by RCW 39.10.385 (11).

New Budget Requests - Details
Items 1-4: GC/CM Independent Audits
Description: GC/CM Independent Audits per RCW 39.10.385 (11).
Justification: RCW 39.10.385 (11) requires an independent audit of subcontractor charges, paid for by the Port, to confirm the proper accrual of costs.
Item 5: Concession Auditor
Description: Unfreeze Concession Auditor Position.
Justification: The Port has approximately 125 tenants that pay the Port percentage revenue with concession sales of over $130 MM in pre-pandemic volume. During the Pandemic, we froze the position and eased off performing Concession Audits.
In 2022, we completed only three concession audits. We recommend filling this position to allow adequate coverage of concession revenues.

Employee Training & Development
Related Travel & Other Employee Expenses | 2022 Budget | 2023 Budget | Notes
Air Fare | $2,905 | $5,100 | Travel for training
Lodging & Other Travel | 3,580 | 6,440 |
Employee Food & Beverage | 1,200 | 715 |
Local Transportation | 770 | 841 | Travel to audit sites & training
Registration/Seminar Fees | 13,510 | 31,660 | Training costs
Membership Dues & Fees | 5,610 | 7,385 | Professional memberships
Management Education Expense | 0 | 0 |
Subscriptions | 120 | 120 | Puget Sound Business Journal
Employee Recognition | 0 | 0 |
Retiree Recognition - HR Only | 0 | 0 |
Tuition Reimbursement - HR Only | 0 | 0 |
Total | $27,695 | $52,261 |

Budget Overview
Expense Category | 2019 Actuals | 2020 Actuals | 2021 Actuals | 2022 Budget | 2023 Budget | Change from 2022 ($)
Salaries & Benefits | $1,291,372 | $1,510,454 | $1,268,322 | $1,706,357 | $1,979,053 | $272,696
Equipment | 6,925 | 275 | 241 | 2,749 | 4,063 | 1,314
Supplies & Stock | 649 | 70 | 177 | 1,000 | 1,000 | 0
Outside Services | 111,531 | 1,313 | 1,224 | 297,090 | 140,928 | (156,162)
Travel & Employee | 30,858 | 19,967 | 17,503 | 27,695 | 52,261 | 24,566
Promotional | 0 | 0 | 0 | 0 | 0 | 0
General | 2,680 | (545) | 500 | 3,893 | 702 | (3,191)
Telecom/Workman's Comp | 6,199 | 7,974 | 7,879 | 8,890 | 8,801 | (89)
Total Charges to Capital | 0 | 0 | 0 | (180,000) | (139,408) | 40,952
Total O&M Expenses | $1,450,214 | $1,539,509 | $1,295,846 | $1,867,674 | $2,052,401 | $179,726
[Note: Numbers are rounded up to the nearest dollar.]
Changes in certain Port-wide assumptions that drive entity-wide allocations might cause small changes for certain line items.

Open Issue Status – Aging Report as of August 24, 2022
1. Ten issues outstanding for over one year from the Target Date consist of:
• Concourse Concessions LLC (1) - Port RE-2 Policy and Surety Amount Review: Aviation Commercial Management is reviewing this issue and others related to lease documents holistically.
The team is working on updating the leases and will have the lease updates finalized by Q4, 2022. The priority at this point is the issuance of the American Rescue Plan Grant for concession relief.
• Architecture & Engineering (4) - Fair and Reasonable Rate Determination; Management Review Over Max Rates; Contract Rate Accuracy; and Governance
• Information Technology Audits (5) (Security Sensitive) - Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session. They are: Security of Personal Identifiable Information (1), HIPAA Security (2), Closed Network System Security (1), and Network Password Management (1).
2. Four Information Technology issues do not have Target Dates and are not included in this chart. These issues are in the process of being addressed; however, they are more than two years past the Report Date: Disaster Recovery Capability (1), and Aviation Maintenance and Facilities & Infrastructure Data Centers (3).
See Appendix A for a detailed listing of outstanding issues aging as of August 24, 2022.

Approved 2022 Audit Plan
Limited Contract Compliance
• In-Ter-Space Services, Inc. DBA Clear Channel Airports
• Avis Budget Car Rental
• The Hertz Corporation
Operational
• Payroll Controls [1]
• Emergency Procurement
• Federal Grant Administration
• Community & Sustainability Initiatives
Information Technology
• T2 Airport Garage Parking System Replacement
• Account Management (ICT)
• Account Management (Aviation Maintenance)
• Audit Log Management (ICT)
• Audit Log Management (Aviation Maintenance)
• Security Incident Response Management (ICT & Aviation Maintenance) [3]
Capital
• International Arrivals Facility (IAF)
• Interim Westside Fire Station
• North Satellite (NSAT) Renovation & Expansion Project
• South Satellite (SSAT) High Voltage AC Infrastructure Upgrade
• Post IAF Airline Realignment [2]
• C-1 Building Expansion Construction Phase [2]
• Main Terminal Low Voltage [2]
[1] Per the audit client’s request, this audit has been deferred to the 2023 Audit Plan.
[2] RCW 39.10.385 requires that an independent auditor perform an audit of subcontractor charges to the Port on GC/CM projects, where the subcontractor was selected through an alternative selection process. This audit work is performed by external contractor auditors under Internal Audit’s supervision.
[3] Two separate audits were originally planned for ICT and Aviation Maintenance; however, they were combined for efficiency, due to substantially similar processes.

2022 AUDIT PLAN STATUS
[Status chart by month, Jan–Dec. Key: Complete, In Process, Not Started, Deferred to 2023]
Audit Title | Type
ACH Payment Fraud [1] | Operational
Emergency Procurement | Operational
Federal Grant Administration | Operational
Community & Sustainability Initiatives | Operational
Interim Westside Fire Station | Operational - Capital
North Satellite (NSAT) Renovation & Expansion Project | Operational - Capital
South Satellite (SSAT) High Voltage AC Infrastructure Upgrade | Operational - Capital
International Arrivals Facility (IAF) | Operational - Capital
Post IAF Airline Realignment [2] | Operational - Capital
C-1 Building Expansion Construction Phase [2] | Operational - Capital
Main Terminal Low Voltage [2] | Operational - Capital
Account Management (ICT) | IT
Account Management (Aviation Maintenance) | IT
Audit Log Management (Aviation Maintenance) | IT
Security Incident Response Management (ICT & Aviation Maintenance) [3] | IT
T2 Airport Garage Parking System Replacement | IT
Audit Log Management (ICT) | IT
The Hertz Corporation | Contract Compliance
In-Ter-Space Services, Inc. dba Clear Channel Airports | Contract Compliance
Avis Budget Car Rental LLC | Contract Compliance
Payroll Controls [4] | Operational
[1] This audit was added as part of the Port's action to mitigate emerging fraud risk.
[2] RCW 39.10.385 requires an independent auditor to perform an audit of subcontractor charges to the Port on GC/CM projects, where the subcontractor was selected through an alternative selection process. This audit work is performed by external, contractor auditors under Internal Audit’s supervision, and will be an ongoing, multi-year project through an IDIQ contract.
[3] Two separate audits were originally planned for ICT and Aviation Maintenance; however, they were combined for efficiency, due to substantially similar processes.
[4] Per the audit client's request, this audit has been deferred to the 2023 Audit Plan.

Audits Completed in the Third Quarter, 2022
1) North Satellite Renovation and Expansion Project
2) Security Incident Response Management (ICT & Aviation Maintenance)
3) Avis Budget Car Rental LLC

North Satellite Renovation and Expansion Project
The North Sea-Tac Airport Renovation Program (NorthSTAR) was a collaborative effort between the Port and Alaska Air Group, Inc.
Opened in July 2021, creating an efficient “Curb to Gate” operation.
The North Satellite Renovation and Expansion Project (NSAT) is the largest segment of the NorthSTAR Program.
The NSAT component:
• Expands North Satellite from 12 to 20 contact gates.
• First permanent nursing suite, first permanent secure site pet relief, and first purpose-built airside loading dock.
• Increases the Airport Dining and Retail program by 10 stores.

North Satellite Renovation and Expansion Project
Port’s portion of NSAT: $712 million.
Alaska Airlines portion of NSAT: approximately $41 million.
Hensel Phelps was selected as the General Contractor/Construction Manager (GC/CM) for the construction portion with an initial construction contract of $458 million. During the project, there was a net total of $30 million in change orders, resulting in a total construction contract cost of approximately $488 million.
The Port contracted with the firm, R.L.
Townsend and Associates, LLC, to perform the independent audit.

1) Rating: Medium
Overtime costs were not properly reviewed to assure payment accuracy and compliance with both Port Standard Operating Procedures and Washington State Law. Lack of supporting documentation and billing errors resulted in questioned costs of $79,118.
Force Account Change Orders and Written Authorizations totaling more than $2.3 million were requested by the Port to help mitigate and reduce schedule delays due to project changes.
Contractors regularly worked more than 12 to 16 hours a day; some worked upwards of 20 to 23 hours a day and over 88 hours in a seven-day period.
We were not always able to confirm contractors were on-site for extended work shifts, because the Port does not require contractors to have a daily attendance log, sign-in sheet, or other means to document when contractors were working. We did confirm that the Port paid for these hours in the pay applications.

1) Rating: Medium (continued)
Pre-Approval: Documentation did not exist for any change orders reviewed.
Post-Approval: Documentation lacked approvals for two change orders reviewed:
Change Order | Approvals Present | Approvals Missing
721 | 554 | 231
1096 | 658 | 107
Review Process: Instances when supporting documentation was inaccurate or not present, totaling $79,118. Examples include:
• Supporting documentation could not be located and invoices were missing.
• Hours reported on Certified Payroll Reports did not match hours on Daily Force Account Field Documentation.
• Inconsistencies between the number of contractors reported on site by the Inspector and the number of contractors paid by the Port.

Recommendations
Enhance the review process to assure compliance with Force Account overtime requirements and payment accuracy. Also, hold the GC/CM accountable for adequate oversight and correct billings.
Implement a policy that requires contractors on Port projects to maintain a way to track on-site personnel to prevent fraud, waste or abuse as it relates to time theft. Examples may include badge swiping at arrival and departure from the job site or sign-in and sign-out sheets.
Construction Management should seek and recover any amount due to the Port from overbillings and unsupported costs.

Management Response
Response #1 – Force Account Requirements
Port Engineering – Construction Management, Central Procurement Office (CPO), Project Management, and Legal will meet to consider modifications to the Force Account process in future contracts.
Response #2 – Policy to track contractor personnel on site
Port Engineering – Construction Management, Central Procurement Office (CPO), Project Management, and Legal will meet to consider adding a requirement for Contractors to track all personnel on site in future contracts.
Response #3 – Recover any Overbilling
In coordination with Hensel Phelps, Port Engineering – Construction Management will ensure validation of actual costs incurred by the contractor. The items identified by Internal Audit shall be addressed as part of the validation process and we will deduct any amounts overpaid.
DUE DATE: 12/31/2022
Management will discuss in detail.

2) Rating: Low
The Port does not have a policy limiting contractors from working extended hours and consecutive days, causing an increased risk of negative impacts on safety and performance.
Construction work is a physically demanding and dangerous job. Overtime can increase stress and fatigue, while decreasing alertness and good judgment.
There were 1,657 instances in which MidMountain Contractors worked 12 or more hours in a day; however, the use of overtime did not have a negative result on safety for this project.
Hours Worked in a Day | Number of Instances
12 | 780
13 | 274
14 | 224
15 | 157
16 | 76
17 | 83
18 | 36
19 | 11
20 - 23 | 16

2) Rating: Low (continued)
Consecutive Days - Our testing showed MidMountain Contractors worked upwards of 25 days in a row, with an average total of 10 to 11 hours each day.
Contractor | Consecutive Days | Hours | Daily Average (Hours)
1 | 25 | 257 | 10
2 | 24 | 261 | 11
3 | 24 | 250 | 10
4 | 24 | 249 | 10
5 | 24 | 247 | 10
6 | 17 | 166 | 10
7 | 16 | 159 | 10
8 | 15 | 155 | 10
9 | 12 | 128 | 11
10 | 12 | 102 | 9
11 | 11 | 108 | 10
12 | 10 | 109 | 11
13 | 9 | 100 | 11
14 | 9 | 97 | 11
15 | 9 | 96 | 11
16 | 8 | 92 | 12
17 | 8 | 88 | 11

Recommendation
Review the Port’s safety policies to determine if there should be a limit on the number of hours a contractor can work in a day and the number of consecutive days a contractor can work at the Port.

Management Response
Port Engineering - Construction Management, Engineering - Construction Safety, Engineering - Construction Labor, Risk Management, Legal, and Project Management will meet to consider adding a limit to hours/days worked for contractor personnel to future contracts.
DUE DATE: 12/31/2022
Management will discuss in detail.

Security Incident Response Management
This audit covered the period January 2021 through July 2022 and was performed to evaluate the adequacy of internal controls related to the processes for developing and maintaining an incident response capability to prepare, detect, and quickly respond to an attack.
The scope of this audit covered the Enterprise network, managed by the Port of Seattle’s (Port’s) Information and Communication Technology (ICT) department, and the Access Control System (ACS) network, Industrial Control System (ICS) network, and OpsLan network, managed by the Port’s Aviation Maintenance (AV/M) department.

Security Incident Response Management
Security Incident Response is part of the 18 critical Center for Internet Security (CIS) controls.
The CIS security controls are a prioritized set of best practices created to protect organizations and data from cyberattack vectors.
According to the CIS controls, a comprehensive cybersecurity program includes protections, detections, response, and recovery capabilities.
The primary goal of incident response is to identify threats on the enterprise, respond to them before they can spread, and remediate them before they can cause harm.

No Issues
Our audit focused on the overall design and effectiveness of the security incident process to assure the protection of critical information and systems.
Based on the results of our audit, we concluded that the security incident response processes for the Enterprise network and the OpsLan, ACS, and ICS networks were operating effectively.

Avis Budget Car Rental LLC (Avis)
The Port entered into a Consolidated Rental Car Facility Lease Agreement (Agreement) with Avis in July 2008.
The Agreement requires a Minimum Annual Guarantee equal to 85% of the total paid to the Port for the previous Agreement Year.
The Agreement requires a daily Customer Facility Charge (CFC) of $6.00 on vehicle rental transactions. Effective January 1, 2021, the CFC increased to $6.50.
Approximately $38 million was paid to the Port during the audit period (June 2018 - May 2021).

1) Rating: Low
Internal Audit identified approximately $2,645 of CFCs not billed to the customer and subsequently remitted to the Port.
The Agreement requires the Operator to bill a daily CFC on vehicle rental transactions, and to remit the full amount to the Port, regardless of whether or not the full amount is actually collected.
We also identified $109,835.50 of CFCs that appeared to be overcharged to the customers.

Recommendations
We recommend collecting $2,645.60 plus any accrued interest and/or penalties.
We also recommend Aviation Commercial Management request an explanation regarding what caused the overbilling of $109,835.50 to determine whether systems and processes need to be adjusted.

Management Response
Aviation Commercial Management staff agrees with the findings and will pursue the collection of under-reported CFCs.
We will continue to work with Avis/Budget and Internal Audit on the potential overbilling to better understand their methodology for calculating CFCs, including the “up to” provision, which may significantly lower the final figures. We will also work to have the tenant rectify any identified errors in their calculation parameters.
DUE DATE: 12/31/2022
Management will discuss in detail.

Appendix A – Aging of Outstanding Issues as of August 24, 2022
Operational, Capital, Information Technology, and Limited Contract Compliance Audits
Type | Audit | Description | Rating | Report Date | Target Date | Days Outstanding (from Report Date) | Days Outstanding (from Target Date)
IT Audit | AVM/Facility & Infrastructure Data Centers | Physical access to facilities | High | 12/4/2018 | No date supplied | 1359 | N/A
IT Audit | AVM/Facility & Infrastructure Data Centers | Protection against environmental factors | High | 12/4/2018 | No date supplied | 1359 | N/A
Operational Audit | Marine Maintenance Shop | Keys and badges tracking | High | 6/14/2019 | 12/31/2023 | 1167 | -494
IT Audit | HIPAA Security Audit | Security Sensitive | High | 9/4/2019 | 7/31/2020 | 1085 | 754
Operational Audit | Architecture & Engineering | Determine fair and reasonable rates | High | 12/9/2019 | 6/30/2020 | 989 | 785
Operational Audit | Architecture & Engineering | Management review over max rates | High | 12/9/2019 | 6/30/2020 | 989 | 785
Operational Audit | Architecture & Engineering | Contract rate accuracy | High | 12/9/2019 | 6/30/2020 | 989 | 785
IT Audit | Continuous Vulnerability Management | Security Sensitive | High | 11/29/2021 | 12/31/2022 | 268 | -129
IT Audit | Continuous Vulnerability Management | Security Sensitive | High | 11/29/2021 | 12/31/2022 | 268 | -129
IT Audit | Continuous Vulnerability Management | Security Sensitive | High | 11/29/2021 | 12/31/2022 | 268 | -129
IT Audit | Disaster Recovery Capability | Security Sensitive | Medium | 11/29/2017 | No date supplied | 1729 | N/A
IT Audit | AVM/Facility & Infrastructure Data Centers | Physical facilities management | Medium | 12/4/2018 | No date supplied | 1359 | N/A
IT Audit | Security of Personal Identifiable Information | Security Sensitive | Medium | 2/26/2019 | 3/31/2020 | 1275 | 876
IT Audit | HIPAA Security | Security Sensitive | Medium | 9/4/2019 | 7/31/2020 | 1085 | 754
IT Audit | Closed Network System Security | Security Sensitive | Medium | 9/5/2019 | 6/30/2020 | 1084 | 785
IT Audit | Inventory and Control of Hardware Assets | Security Sensitive | Medium | 11/12/2019 | 6/30/2023 | 1016 | -310
Operational Audit | Architecture & Engineering | Governance | Medium | 12/9/2019 | 6/30/2020 | 989 | 785
IT Audit | Network Password Management | Security Sensitive | Medium | 3/20/2020 | 12/31/2021 | 887 | 236
IT Audit | Network Password Management | Security Sensitive | Medium | 3/20/2020 | 9/30/2020 | 887 | 693
IT Audit | Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers | Security Sensitive | Medium | 8/21/2020 | 12/31/2021 | 733 | 236
IT Audit | Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers | Security Sensitive | Medium | 8/21/2020 | 12/31/2021 | 733 | 236
Lease and Concession Audit | Concourse Concessions LLC | RE-2 policy review | Medium | 9/10/2020 | 12/31/2020 | 713 | 601
IT Audit | Inventory and Control of Software Assets | Security Sensitive | Medium | 11/24/2020 | 12/31/2021 | 638 | 236
IT Audit | Inventory and Control of Software Assets | Security Sensitive | Medium | 11/24/2020 | 12/31/2021 | 638 | 236
IT Audit | Inventory and Control of Software Assets | Security Sensitive | Medium | 11/24/2020 | 12/31/2021 | 638 | 236
IT Audit | Malware Defenses - Aviation Maintenance | Security Sensitive | Medium | 3/17/2021 | 12/31/2022 | 525 | -129
IT Audit | Continuous Vulnerability Management | Security Sensitive | Medium | 11/29/2021 | 6/30/2022 | 268 | 55
IT Audit | Data Recovery | Security Sensitive | Medium | 11/29/2021 | 4/30/2022 | 268 | 116
IT Audit | Account Management - ICT | Security Sensitive | Medium | 3/15/2022 | 6/1/2023 | 162 | -281
IT Audit | Account Management - ICT | Security Sensitive | Medium | 3/15/2022 | 3/1/2023 | 162 | -189
IT Audit | Account Management - Aviation Maintenance | Security Sensitive | Medium | 3/22/2022 | 12/31/2022 | 155 | -129
IT Audit | Account Management - Aviation Maintenance | Security Sensitive | Medium | 3/22/2022 | 12/31/2022 | 155 | -129
IT Audit | Account Management - Aviation Maintenance | Security Sensitive | Medium | 3/22/2022 | 12/31/2022 | 155 | -129
Capital | Interim Westside Fire Station Project | Liquidated Damages | Medium | 3/25/2022 | 12/31/2022 | 152 | -129
Capital | Interim Westside Fire Station Project | COVID-19 Change Orders | Medium | 3/25/2022 | 12/31/2022 | 152 | -129
Operational Audit | ACH Payment Fraud | Required training | Medium | 3/30/2022 | 6/30/2022 | 147 | 55
IT Audit | Audit Log Management - Aviation Maintenance | Security Sensitive | Medium | 6/2/2022 | 12/31/2023 | 83 | -494
IT Audit | Audit Log Management - Aviation Maintenance | Security Sensitive | Medium | 6/2/2022 | 12/31/2022 | 83 | -129
IT Audit | Audit Log Management - Aviation Maintenance | Security Sensitive | Medium | 6/2/2022 | 12/31/2022 | 83 | -129
Lease and Concession Audit | The Hertz Corporation | Investigate Under-collections | Medium | 6/3/2022 | 12/31/2022 | 82 | -129
Capital | North Satellite Renovation and Expansion Project | Overtime | Medium | 8/19/2022 | 12/31/2022 | 5 | -129
Capital | North Satellite Renovation and Expansion Project | Safety | Low | 8/19/2022 | 12/31/2022 | 5 | -129