11a. Presentation

2022 Internal Audit Annual Report

Item No. 11a supp
Meeting Date: January 24, 2023

Glenn Fernandes - Director, Internal Audit

January 24, 2023
AOB Conference Center
12:00 PM – 5:00 PM


              2022 Audit Committee
Commissioner Sam Cho, Committee Chair
Commissioner Hamdi Mohamed, Committee Member
Sarah Holmstrom, Committee Public Member


                  About Internal Audit
•  Internal Audit conducts independent, objective, risk-based audits of the Port’s operations, technology, activities and
•  Our audits add value by helping the Port achieve its mission and contribute to: financial stewardship, accountability, transparency, governance, and operational excellence.
•  Internal Audit derives its authority from the Port Commission.
•  The Director is a dual report, who reports functionally to the Audit Committee and administratively to the Executive Director.

■  Combined Assurance to Break Down Silos:
The governing body, management, and internal audit have their distinct responsibilities, but all activities need to be aligned with the objectives and collectively grow the value of the organization.
■  Beyond the Three Lines Model:
Today’s environment of risk bedlam requires us to go a step further. Collaboration is a business imperative and a platform we can use to generate even greater enterprise value.

Source: The Institute of Internal Auditors, THE IIA’S THREE LINES MODEL – An Update of the Three Lines of Defense, published in July 2020.


                        The Association of Local Government

Certificate of Compliance
Port of Seattle Internal Audit
Recognizing that the organization’s internal quality control system was suitably designed
and operating effectively to provide reasonable assurance of compliance with Government
Auditing Standards and the International Standards for the Professional Practice of Internal
Auditing for assurance and consulting engagements during the period November 1, 2018
through October 31, 2021.


Corrie Stokes
ALGA Peer Review Committee Chair


                     17 Audits Completed in 2022
Limited Contract Compliance
•  In-Ter-Space Services, Inc. DBA Clear Channel Airports
•  Avis Budget Car Rental LLC
•  The Hertz Corporation

Performance
•  Payroll Controls [1]
•  Emergency Procurement
•  Federal Grant Administration – Aviation Division
•  South King County Community Impact Fund [2]
•  ACH Payment Fraud [3]

Information Technology
•  T2 Airport Garage Parking System Replacement
•  Account Management (ICT)
•  Account Management (Aviation Maintenance)
•  Audit Log Management (ICT)
•  Audit Log Management (Aviation Maintenance)
•  Security Incident Response Management (ICT & Aviation Maintenance) [5]

Capital
•  International Arrivals Facility (IAF)
•  Interim Westside Fire Station
•  North Satellite Renovation & Expansion Project (NSAT)
•  South Satellite Infrastructure Upgrade Project
•  Post IAF Airline Realignment [4]
•  C-1 Building Expansion Construction Phase [4]
•  Main Terminal Low Voltage [4]

1. Per the audit client’s request, this audit has been deferred to the 2023 Audit Plan.
2. The original audit title, “Community and Sustainability Initiatives,” per the 2022 Audit Plan, was updated as the audit scope was further refined.
3. This audit was added to respond to a known fraud that had occurred and to mitigate future fraud risk.
4. RCW 39.10.385 requires an independent audit, to confirm the proper accrual of costs, for General Contractor/Construction Manager (GC/CM) projects. This audit
work is performed by external, contract auditors through a multi-year, Indefinite Delivery, Indefinite Quantity (IDIQ) contract. The work is ongoing.
5. Two separate audits were originally planned for ICT and Aviation Maintenance; however, they were combined for efficiency, due to substantially similar processes.


2022 Audit Plan Update
The 17 completed Audits identified 4 High Risk, 19 Medium Risk, and
3 Low Risk rated issues for management action.
The audits included a construction audit of the International Arrivals
Facility that was performed jointly with HPM, LLC. This audit report is
in draft form and will be finalized for the April 2023 Audit Committee
Adapted the work plan and recommended improvements to control
weaknesses when the Port was hit with the ACH fraud.
[Audit reports can be found at https://www.portseattle.org/page/internal-audit-reports.]


     Information Technology Audits
Information Technology Audits are generally security sensitive and are discussed in
non-public sessions.
Six audits were completed in 2022.
Foundational Information Technology Controls – Center for Internet Security (CIS) –
18 Key Audits
Ongoing efforts to perform CIS audits to help assure the Port has a solid foundation
of information technology controls. We completed 5 CIS related Audits in 2022; over
the four years, we have completed 9 of 18 key CIS audits.


     Limited Contract Compliance Audits
Self-reported revenue from concessionaires and rental car companies.
Audits focus on compliance with lease agreement terms.
Three audits performed in 2022:
1)  In-Ter-Space Services, Inc. DBA Clear Channel Airports
2)  Avis Budget Car Rental LLC
3)  The Hertz Corporation

# of Audits That Had Findings         Under-reported Revenue (CFC)*                          Due to Port
2                          $11,826                              $11,826
* Customer Facility Charge


          Highlighted Performance Audits
1) ACH Payment Fraud
2) South King County Community Impact Fund


     Performance - ACH Payment Fraud
•  Internal Audit (IA) completed a targeted audit of the processes that contributed to eight payments totaling $572,682 being wired into fraudulent bank accounts.
•  The payments were for the Port of Seattle’s (Port’s) Opportunity Youth Initiative and were intended for the Seattle Parks Foundation (Seattle Parks) and the Urban League of Metropolitan Seattle (Urban League).
•  The purpose of the audit was to identify the control breakdowns that allowed the fraud to occur and to recommend ways to reduce the likelihood of future misappropriations.
•  The criminal aspect of this case was led by Port Police, but subsequently handed off to a Homeland Security task force.

Seattle Parks Foundation
Funds wired to fraudulent accounts:   $184,675 ($48,997 returned – Account Closed)
Initial Net Loss                      $135,678
Crime Insurance Recovery              $110,678
Loss to Port (Deductible)             $ 25,000

Urban League
Funds wired to fraudulent accounts:   $388,007 ($307,523 Funds frozen and returned by Citibank)
Net Loss                              $80,485
Crime Insurance Recovery              $ 55,485
Loss to Port (Deductible)             $ 25,000



Fraud Overview

Seattle Parks Foundation
•  Falisha Kurji – Coordinator
•  Email compromised
   o Funds wired to fraudulent accounts: $184,675.02 ($48,997.39 returned)
Spoofed domain names copied and used as bait:
   Michelle@SeattlePraksFoundation.org (“Parks” changed to “Praks”)
   Michelle Benetua – Director of Strategic Partnerships and Programs

Urban League
•  Latonya Stuckey, A/P Specialist
•  Email compromised
   o Funds wired to fraudulent accounts: $388,007.38
Spoofed domain names copied and used as bait:
   mcamara@urbanIeague.org
   jdelapena@urbanIeague.org
   alawton@urbanIeague.org
   (lower case “l” changed to upper case “I”)
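
The two spoofing patterns above (a swapped letter pair and a look-alike character) can be caught before a payment-change request is acted on. The following is an added example, not part of the original presentation: the trusted-domain list is an assumption inferred from the slide, the confusable map is constructed and not exhaustive, and the function names are hypothetical.

```python
import unicodedata

# Legitimate payee domains implied by the slide (the two spoofs reversed).
# Treated here as an assumed allow-list taken from the vendor master file.
TRUSTED = ("seattleparksfoundation.org", "urbanleague.org")

# Characters that render alike in many fonts, folded to one form.
# Constructed for this example; not an exhaustive confusables table.
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "O": "o"})


def skeleton(domain):
    """Fold look-alike characters before lowercasing, so 'I' becomes 'l'."""
    return unicodedata.normalize("NFKC", domain).translate(CONFUSABLE).lower()


def osa_distance(a, b):
    """Edit distance that counts an adjacent swap ('ar' -> 'ra') as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def classify(sender, max_edits=2):
    """Return (verdict, trusted_domain_or_None) for a sender address."""
    domain = sender.rsplit("@", 1)[-1].strip()
    exact = domain.lower()
    if exact in TRUSTED:
        return ("trusted", exact)
    for good in TRUSTED:
        if skeleton(domain) == skeleton(good):
            return ("lookalike-homoglyph", good)
        if osa_distance(exact, good) <= max_edits:
            return ("lookalike-edit", good)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed senders: local parts are made up, domains are from the slide.
    for s in ("billing@SeattlePraksFoundation.org", "ap@urbanIeague.org",
              "ap@urbanleague.org", "sales@example.com"):
        print(s, classify(s))
```

A "lookalike" verdict on a request to change banking details is a reason to hold the change and confirm it through a contact already on file, not through the email thread itself.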


[Figure: vendor change process flow. Labels recoverable from the diagram: “58 Users” – “Add/Modify Vendor Information; including banking information” – “No validation of information”. “AFR Core Services (three employees): Manager, Records Management Specialist, Administrative Professional” – “Approve Vendor Changes” – “Procedure requires staff to validate changes before” – “Procedure failure/not occurring as intended.” Outcomes: “Denied” – “notified of denial”; “Approved” – “Changes live in Peoplesoft”.]


    Performance - South King County Community Impact Fund
South King County Fund
In 2019, the Port pledged $10 million, funded over a five-year period, to provide
environmental benefits to near airport communities impacted by airport noise.
South King County Community Impact Fund (SKCCIF)
In November 2021, the name was changed to the SKCCIF and aims to develop
equity-based partnerships and to provide resources and support in historically
underserved, ethnically, and culturally diverse near-airport communities.
Aligned to Port Mission
To promote economic opportunities and quality of life in the region by advancing
job creation in an equitable, accountable, and environmentally responsible
[See Appendix A for additional Program information.]

        1) Rating: Medium
Approvals were not always documented, expense reimbursements were not
always supported with receipts, and expenses sometimes exceeded thresholds
allowable by the contract. Although the financial impact is relatively small, these
exceptions could be considered non-compliance with contract terms.
Twenty-five percent (25%), or 25 of 99 invoices did not have a documented
Expense reimbursements sometimes exceeded contract thresholds.
[See Appendix B for details.]


Maintain documentation to evidence approval.
Broaden contract reimbursement requirements.
Granularity of contract language impacts efficiencies
Grass roots organizations/limited resources
More time for stakeholder partnerships/community engagement

Status: Report was just issued. Management action target completion by


                  2023 Audit Strategy
Stay independent and objective.
Enhance processes, by viewing work through an “equity lens.”
Streamline existing concession audit processes.
Continue to focus on Capital Delivery (Financial, Quality, and
Continue to focus on the 18 “Center for Internet Security”
audits that will provide the groundwork for well-established
cybersecurity controls.


     Appendix A - South King County Community Impact Fund
(Additional Program Information)
•  Environmental Program is governed by RCW 35.21.278 Contracts with community service organizations for public improvement.
•  Contract values and reimbursements from January 1, 2021 – June 30, 2022:

Organization                                        Contract Value        2021        2022
Bridging Cultural Gaps                                     $19,974     $14,050          $0
Tilth                                                       14,800       5,535       9,265
Friends of Normandy Park                                    11,163       4,867       4,474
Federal Way Korean American Association                     20,000           0           0
Multicultural Self-Sufficiency Movement                      9,000           0           0
Puget Soundkeeper Alliance                                  10,902           0           0
Bhutanese Community Resource Center                         13,488       6,500           0
Summer Search (Congolese Basketball Team)                   19,000           0       3,075
Summer Search (Expanding Environmental Justice)             19,990           0           0
Partner in Employment                                       19,977           0      19,977
Total                                                     $158,294     $30,952     $36,791


     Appendix A - South King County Community Impact Fund
(Additional Program Information) (continued)
•  Economic Recovery Program is governed by RCW 53.08.245 Economic development programs authorized - job training and education.
•  Contract values and reimbursements from January 1, 2021 – June 30, 2022:

Organization                                        Contract Value        2021        2022
African Chamber of Commerce PNW                           $100,000     $21,539     $70,128
African Community Housing and Development                   99,903      61,000      38,903
Asian Counseling and Referral Service                       70,000      35,500      28,250
Business Ending Slavery and Trafficking (BEST)             100,000      61,800      15,162
Cares of Washington                                         91,160      77,387      13,773
Chief Seattle Club                                         100,000      57,500      42,500
El Centro de la Raza                                        99,985      75,000      24,985
Highline College Foundation                                 90,839       5,750      43,250
Partner in Employment                                      100,000      79,375      20,625
Washington Maritime Blue                                    99,995      99,995           0
Total                                                     $951,882    $574,846    $297,576
[Note: Numbers are rounded to the nearest dollar.]


     Appendix B - South King County Community Impact Fund
(Audit Issue Details - Expense Reimbursements Exceeding Contract Thresholds)
Columns for each row: Contract Description    Reimbursement ($)    Amount not allowed ($)    Description of Reimbursement

Summer Search
Refreshments $31.25 / event X 32 events = $1,000         97.04        65.79    13 Coins - Brainstorming Dinner
Refreshments $31.25 / event X 32 events = $1,000        135.84       104.59    Buffalo Wild Wings - Park Cleaning Event
Refreshments $31.25 / event X 32 events = $1,000         38.04         6.79    McDonalds - Park Cleaning Event
Refreshments $31.25 / event X 32 events = $1,000        211.39       173.35    Taste of Congo - Park Cleaning Event
Refreshments $31.25 / event X 32 events = $1,000         40.24         8.99    Jack in the Box - Park Cleaning Event
Refreshments $31.25 / event X 32 events = $1,000         37.89         6.64    Target - Refreshments
Refreshments $31.25 / event X 32 events = $1,000         94.69        63.44    Taste of Congo - Park Cleaning Event

Partner in Employment
Crew Lead $25 * 360 hours = $9,000                     9,352.50       352.50    Staff / Contractor Time
Youth Stipend $1,000 * 5 youths = $5,000               9,826.00     4,826.00    Volunteer Support

Highline College Foundation
Class Roster of Enrolled Participants in RiVET, AutoCAD or Civil3D courses ($19,530)    32,000.00    12,470.00    Class Roster

Friends of Normandy Park
2 weed wrenches X $10.25 = $20.50                         79.24        58.74    Weed Wrench
20 gloves X $1 = $20                                     187.24       167.24    Gardening Gloves
Refreshments $35 / event X $6 events - $210               39.53         4.53    Starbucks Coffee
Refreshments $35 / event X $6 events - $210               39.53         4.53    Starbucks Coffee

Bhutanese Community Resource Center
1 Hand Washing Station X $70 = $70                        79.18         9.18    Handwashing Station
25 boxes garbage bags X $20 = $500                       523.76        23.76    Garbage Bags
25 compost bins X $46 = $1,150                         1,277.10       127.10    Compost Bins

Tilth
Staff Training / Volunteer Coordination $30 X 260 hours = $7,800    7,923.70    123.70    Staff Support
Guest Instructor Stipend $250 X 4 speakers = $1,000    1,700.00       700.00    Guest Instructors
Project Supplies $3,000                                3,526.30       526.30    Project Supplies

Bridging Cultural Gaps
Plants $500                                            1,800.00     1,300.00    Plants


