4. Presentation
01 Port of Seattle Audit Committee Slides
Financial Stewardship Accountability Transparency Port of Seattle Audit Committee Internal Audit Update Glenn Fernandes - Director, Internal Audit April 6, 2023 P69 Commission Chambers 9:00 AM – 11:00 AM Operational Excellence Governance Internal Audit Organization Structure Item #4 2 Auditing Standards Item #4 New updates to Standards are forthcoming. We’ll update our Operational Policies and Procedures Handbook, accordingly. A comprehensive An update of Chapter 5 update/overhaul of the – Quality and Peer IIA IPPF Standards is Review is underway to underway to modernize enhance how audit and transform them; to organizations manage ensure their relevance audit quality. and responsiveness to today’s challenges. Release of new Standards, now named, “Global Internal Audit Standards” is expected in late 2023; officially effective in late 2024. 3 Item #4 Internal Audit Director’s Annual Communication Annual communication is required by the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing (IIA Standards) on: Organizational Independence Internal Audit Charter Quality Assurance and Improvement Program Open Issue Follow-up and Monitoring Process 4 Independence Requirement Item #4 IIA Standard 1110 requires annual confirmation of organizational independence. Internal Audit Department continues to maintain organizational independence by reporting functionally to the Audit Committee and administratively to the Executive Director. 5 Internal Audit Charter Item #4 The Charter was most recently updated in October 2020. The Charter defines Internal Audit Department’s: Authority and Accountability Mission and Scope Responsibility Independence and Objectivity Commitment to Quality 6 Quality Assurance Requirement Item #4 Generally Accepted Government Auditing Standards (GAGAS)/ Government Accountability Office (GAO) require an external peer review every three years. Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing, require both an internal and external quality assurance and improvement program. External assessments need to occur at least every five years. An external peer review was most recently conducted by the Association of Local Government Auditors (ALGA) in August of 2022. Internal Audit’s periodic, quality self-assessment was last performed in August 2021 and will be performed again in the third quarter of this year. 7 Open Issue Status – Aging Report as of March 23, 2023 Item #5 1. Eleven issues outstanding for over one year from the Target Date consist of: Concourse Concessions LLC (1) - Port RE-2 Policy and Surety Amount Review Architecture & Engineering (3) - Fair and Reasonable Rate Determination; Management Review Over Max Rates; and Contract Rate Accuracy Information Technology Audits (7) (Security Sensitive - Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session.) These are: Security of Personal Identifiable Information (1), Closed Network System Security (1), HIPAA Security (1), Network Password Management (2), and Secure Configuration for Hardware & Software on Mobile Devices, Laptops, Workstations and Servers (2). 2. Four Information Technology issues do not have Target Dates and are not included in this chart. These issues are in the process of being addressed, however, they are more than two years past the Report Date: Disaster Recovery Capability (1), and Aviation Maintenance and Facilities & Infrastructure Data Centers (3). See Appendix A for a detailed listing of outstanding issues aging as of March 23, 2023. 8 Internal Audit Update – Outreach Project Item #6 Goals, Scope, and Stakeholders To promote the awareness and understanding of the Port’s Internal Audit process, and the significance of internal controls and risk mitigations internally and externally through outreach, education, and socialization. To help small entities that the Port does business with and that have limited resources to educate and train their staff on internal controls. Deliverables and Timeline No. Deliverables Target Completion Date Completed 0 Project Plan Creation September 2022 September 2022 1 IA Website Upgrade: December 2022 December 2022 1A New Resources Section December 2022 December 2022 1A-1 Links to Standards, Professional Organizations December 2022 December 2022 1A-2 Links to Cybersecurity Resources December 2022 December 2022 1A-3 External Peer Review Reports December 2022 December 2022 1B Audit Process Illustrations First Quarter 2023 January 2023 2 Internal Controls Training: Second Quarter 2023 In Progress 2A Training Design - Content, Delivery Methods & Target Audience First Quarter 2023 February 2023 2B Training Material Development Second Quarter 2023 Planning 2C Training Scheduling and Logistics Second Quarter 2023 Planning 9 Internal Audit Update – Outreach Project (Phase 1 – Website Upgrade) Item #6 Internal Audit | Port of Seattle (portseattle.org) 10 Internal Audit Update – Outreach Project (Phase 1 – Website Upgrade) Item #6 11 Internal Audit Update – Outreach Project (Phase 1 – Website Upgrade) Item #6 12 Internal Audit Update – Outreach Project (Phase 1 – Website Upgrade) Item #6 13 Internal Audit Update – Outreach Project (Phase 1 – Website Upgrade) Item #6 14 Internal Audit Update – Outreach Project (Phase 1 – Website Upgrade) Item #6 15 Internal Audit Update – Outreach Project (Phase 1 – Website Upgrade) Item #6 16 Internal Audit Update – Outreach Project (Phase 2: Internal Controls Training ) Item #6 Researched and identified some best practices on internal controls training. Worked on preliminary training program design, including: Components: Risks – What does Risk mean? Where do they exist? What are Workplace Risks? How do we manage them? Controls - What are Internal Controls? Why do we need them? Types of Controls? Who is responsible? Q&A Delivery Methods: In-person Live Session Slide Show and/or Video use Handout/flyers Target Audience: Internal – Port managers and staff External – Interested parties and individuals in the training, or certain target audience Actual training material development, and logistics & coordination with appropriate departments (e.g., HR, ICT, OEDI, etc.) will occur in the second quarter, 2023. 17 Approved 2023 Audit Plan Item #7 Limited Contract Compliance Performance Information Technology • Louis Dreyfus Company Washington, LLC • Payroll Controls • Email and Web Browser Protection (ICT and • Seattle Air Ventures, JV (AIR002018, • Airport Parking Garage Aviation Maintenance)4 AIR002733) • Equity Policy Directive Compliance • Network Infrastructure Management (ICT) • Seattle Air Ventures, JV (AIR002017, • Social and Environmental Reporting • Network Infrastructure Management (Aviation AIR002732) • Fishermen’s Terminal Maintenance) • Doug Fox Travel/ATZ • Security Awareness and Skills Training Capital • T-5 Berth Modernization • Supply Chain Disruption Management • Post IAF Airline Realignment – GC/CM Construction1,2 • C Concourse Expansion GC/CM1 • Main Terminal Low Voltage System Upgrade GC/CM1 • T-117 Sites 23-25 Restoration Construction Project GC/CM1 • Concourse A Building Expansion for Lounges/DELTA TRA3 1. RCW 39.10.385 requires an independent audit, paid for by the public body, to confirm the proper accrual of costs, for General Contractor/Construction Manager (GC/CM) projects. This audit work will be performed by external, contract auditors through a multi-year, Indefinite Delivery, Indefinite Quantity (IDIQ) contract. Year-end status report will be provided at the December Audit Committee. Internal Audit will perform continuous cost reviews of these projects, review areas that are not looked at by the contract auditors, and partner with the contract auditors as needed. Internal Audit will issue an audit report on areas covered. 2. Project start may potentially be delayed to 2024, with an estimated completion date in 2027. 3. This is a contingency audit per the Approved 2023 Audit Plan. 4. Audit name has changed to note that it now includes both ICT and Aviation Maintenance. 18 Item #7 2023 AUDIT PLAN STATUS Audit Title Type Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Payroll Controls Performance Airport Parking Garage Performance Equity Policy Directive Compliance Performance Social and Environmental Reporting Performance Fishermen's Terminal Performance Supply Chain Disruption Management Performance - Capital Terminal 5 Berth Modernization Project Performance - Capital Post IAF Airline Realignment - GC/CM Construction1,2 Performance - Capital C Concourse Expansion GC/CM1 Performance - Capital Main Terminal Low Voltage System Upgrade GC/CM1 Performance - Capital T-117 Sites 23-25 Restoration Construction Project GC/CM1 Performance - Capital Concourse A Building Expansion for Lounges/DELTA TRA3 Performance - Capital Email and Web Browser Protection (ICT and Aviation Maintenance)4 IT Network Infrastructure Management (ICT) IT Network Infrastructure Management (Aviation Maintenance) IT Security Awareness and Skills Training IT Louis Dreyfus Company Washington, LLC Contract Compliance Seattle Air Ventures, JV (AIR002018, AIR002733) Contract Compliance Seattle Air Ventures, JV (AIR002017, AIR002732) Contract Compliance Doug Fox Travel/ATZ Contract Compliance Complete KEY In Process Not Started 1. RCW 39.10.385 requires an independent audit, paid for by the public body, to confirm the proper accrual of costs, for General Contractor/Construction Manager (GC/CM) projects. This audit work will be performed by external, contract auditors through a multi-year, Indefinite Delivery, Indefinite Quantity (IDIQ) contract. Year-end status report will be provided at the December Audit Committee. Internal Audit will perform continuous cost reviews of these projects, review areas that are not looked at by the contract auditors, and also partner with the contract auditors as needed. Internal Audit will issue an audit report on areas covered. 2. Project start may potentially be delayed to 2024, with an estimated completion date in 2027. 3. This is a contingency audit per the Approved 2023 Audit Plan. 4. Audit name has changed to note that it now includes both ICT and Aviation Maintenance. 19 Item #s 8-11 Audits Completed in First Quarter, 2023 1) Fishermen’s Terminal (Item #8) 2) Terminal 5 Berth Modernization Project (Item #9) 3) Supply Chain Disruption Management (Item #10) 4) Security Awareness and Skills Training* (Item #11) *Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session 20 Fishermen’s Terminal Item #8 Audit Period: January 2022 to December 2022. Included Fishermen’s Terminal, Salmon Bay Marina, and Maritime Industrial Center. Purpose: To evaluate billing processes. To evaluate segregation of duties. To assess internal controls, including whether standard operating procedures were drafted and followed. This Audit focused on the Marina Management System and did not focus on PeopleSoft Financials. 21 Fishermen’s Terminal Item #8 Background: Fishermen’s Terminal (FT) Offers short-term and long-term freshwater moorage for both fishing and commercial vessels, as well as recreational boats. Includes over 227,000 square feet of office, retail, restaurant, and warehouse space. Salmon Bay Marina (SaBM) Located inside the Ballard Locks, next to the Ballard Bridge. Offers covered and uncovered freshwater monthly moorage for recreational boats. Maritime Industrial Center (MIC) Offers short-term and daily moorage for vessels up to 76 meter in length. Over 1,500 linear feet of concrete dock space for loading and repair/maintenance work. 22 Fishermen’s Terminal Item #8 Background (continued): Internal Audit performed a walkthrough of the entire facility and noted the aging infrastructure at SaBM, net sheds at FT, and the building that is slated to become MIC. Main concern was the roofing at SaBM, which was at risk of structural failure: Engineer’s assessment report identified “significant risks of structural instability” and “notable risk of fire” due to the lack of a sprinkler system. Estimated cost to repair the structure was $1.3M, cost to remove the roof was $2.8M, and a total roof replacement cost was $13.5M. 23 Revenue Breakdown for 2020, 2021, and 2022: Item #8 FT: Revenue Source 2020 2021 2022 Berthage and Moorage $2,175,639 $2,175,067 $2,358,758 Concession Services 657,232 614,430 663,961 Space Rental 148,541 107,867 120,390 Utility Sales Revenue 88,596 144,947 128,817 Other Equipment Rental 34,571 38,253 33,551 Maintenance Service Fees 11,028 16,003 12,516 Other Services Revenue 63,781 67,014 67,544 $3,179,388 $3,163,581 $3,385,537 SaBM: Revenue Source 2020 2021 2022 Berthage and Moorage $831,065 $871,038 $934,283 Concession Services 6,728 6,888 7,003 Utility Sales Revenue 28,351 28,236 30,692 Other Services Revenue 6,251 6,756 6,643 $872,395 $912,918 $978,621 MIC: Revenue Source 2020 2021 2022 Berthage and Moorage $188,424 $118,516 $100,983 Space Rental 37,641 28,438 39,003 Other Equipment Rental 2,391 911 1,606 Other Services Revenue 9,964 10,323 10,164 $238,420 $158,188 $151,756 24 Item #8 A/R Aging Summary: As of January 31, 2023: Days Past Due Current 1-30 31-60 61-90 91-120 Over 120 Total FT $337,638 $90,586 $58,315 $29,632 $25,181 $254,688 $796,040 SaBM 74,154 10,405 5,112 3,413 2,380 8,760 104,224 Total $411,792 $100,991 $63,427 $33,045 $27,561 $263,448 $900,264 25 Rating: Medium Item #8 Billing and collection procedures at Fishermen’s Terminal were informal and internal controls needed to be strengthened. Underbilling of auxiliary services: three out of five samples related to Land Storage were billed incorrectly using outdated rates from prior years; $36,500 (estimate) underbilled for 2022. Rate charged for the Nordby Conference Room was outdated, resulting in approximately $1,700 in lost revenue for 2022. The billing and collection process for the sizeable accounts receivable balance (roughly $900K total outstanding) is only managed by one individual. 26 Recommendations Item #8 Billing and collection processes should be documented and formalized. Review and oversight over the processes should be required and well understood. This should include who performs the review, when it is conducted, and what is being reviewed. Permissions and user access within Marina Management System (MMS) should be reviewed and evaluated to assure that individuals cannot delete or make adjustments in the system without approval. 27 Item #8 Management Response Management will work to create a structure that will accomplish a separation of duties to ensure integrity in the revenue management program (Billing and Collection). Management will work to design a structure that will achieve the recommended “separation of duties” and will evaluate whether an additional position is needed. Processes and reporting systems will also be brought up to date, allowing for better tracking, reporting, and information retention. DUE DATE: 3/31/2024 Management will discuss in detail. (Full response in Audit Report No. 2023-03) 28 Terminal 5 Berth Modernization Project Item #9 Terminal 5 has long been considered a premier container cargo facility on the West Coast, due to its naturally deep berth, wide footprint, and availability of an on-dock rail yard, allowing containers to be directly loaded from a ship onto rail lines. Ultra-large container ships are entering the market, with a container capacity of more than 10,000 twenty-foot equivalent units (TEU) and vessels of 18,000-TEU capacity. The new container ships require larger, heavier cranes with a longer reach, which in turn requires strengthening the dock and upgrading utilities. In response to these industry changes, the Northwest Seaport Alliance proposed improvements at Terminal 5 to accommodate larger vessels. 29 Terminal 5 Berth Modernization Project Item #9 The Northwest Seaport Alliance approved the Terminal 5 Improvement Program (Program) on February 26, 2019. Our audit focused on the Terminal 5 Berth Modernization Project, which is the largest portion of the Program. Contract awarded to Orion Construction in May 2019; amount: $159,986,390. Construction began in July 2019. Total Program Costs: Description Amount April 2019 Authorized Project Cost $ 340,000,000 July 2021 Authorized Increase $ 50,000,000 December 2021 Authorized Increase $ 2,500,000 August 2022 Authorized Increase $ 61,500,000 Total Program Costs (as of December 31, 2022) $ 454,000,000 30 Terminal 5 Berth Modernization Project Item #9 When the unit price work item bid quantity exceeds the actual quantity by more than 125%, the contract allows for renegotiation of the unit price. We obtained the actual cost of the eight-unit price work items in the sample and prepared a comparison of the contractor’s actual cost and bid price. We provided this information to the Construction Management team. 31 1) Rating: Low Item #9 In most instances, the Port’s internal controls over the review process for Pay Applications worked well to assure billings pertaining to unit price work items were accurate and supported. However, our audit identified instances, in which Pay Applications were missing supporting documentation or billed incorrectly, resulting in a potential overbilling of $124,771. Focused audit testing on unit price work items that exceeded 125% of the bid quantity. Eight largest items tested, totaling $15,353,134. Documentation was readily available for the audit; we observed receipts and hand- written notes with corrections. However, we found instances, in which supporting documentation could not be located or was billed incorrectly, totaling $124,771 (0.9% of the tested sample). 32 Recommendations Item #9 If the contractor is unable to provide supporting documentation, Construction Management should seek and recover any amount due. 33 Management Response Item #9 The full amount of $124,771 will be credited from the next Pay Estimate processed for this project unless the Contractor provides missing documentation. Outside of this audit, Construction Management is confident these discrepancies would have been identified and corrected during the independent verification process required when each Unit Price Bid Item is completed, in line with our standard operating procedures as part of the closeout of the project. DUE DATE: 6/30/2023 Management will discuss in detail. (Full response in Audit Report No. 2023-02) 34 Supply Chain Disruption Management Item #10 The COVID-19 pandemic disrupted global supply chains due to government-imposed shutdowns, demand instability, labor shortages, and bottlenecks in shipping and transportation, affecting the construction industry’s ability to access key materials and equipment. The objective of the audit was to: Identify how the Port is addressing supply chain disruption management Assess the adequacy of its risk response plan Determine how the Port’s measures align with other agencies and the construction industry We benchmarked other agencies and companies to identify best practices for mitigating supply chain risks. We also interviewed personnel from the Port to understand current processes in place. Based on the work performed, we concluded that the Port has established processes through close coordination between multiple departments including, the Central Procurement Office, the Project Management Group, and Construction Management. These processes addressed key risks from supply chain disruption. They also aligned with processes used by other agencies and the results of our research within the construction industry. 35 Appendix A – Aging of Outstanding Issues as of March 23, 2023 36 Appendix A – Aging of Outstanding Issues as of March 23, 2023 Performance, Capital, Information Technology, and Limited Contract Compliance Audits Days Outstanding Days Outstanding Audit Type Audit Description Rating Report Date Target Date (from Report Date) (from Target Date) IT AVM/Facility & Infrastructure Data Centers Physical access to facilities High 12/4/2018 No date supplied 1570 N/A IT AVM/Facility & Infrastructure Data Centers Protection against environmental factors High 12/4/2018 No date supplied 1570 N/A Performance Architecture & Engineering Determine fair and reasonable rates High 12/9/2019 6/30/2020 1200 996 Performance Architecture & Engineering Management review over max rates High 12/9/2019 6/30/2020 1200 996 Performance Architecture & Engineering Contract rate accuracy High 12/9/2019 6/30/2020 1200 996 IT Continuous Vulnerability Management Security Sensitive High 11/29/2021 12/31/2022 479 82 IT Continuous Vulnerability Management Security Sensitive High 11/29/2021 12/31/2022 479 82 IT Continuous Vulnerability Management Security Sensitive High 11/29/2021 12/31/2022 479 82 IT Security Awareness and Skills Training Security Sensitive High 3/23/2023 6/1/2023 0 -70 IT Disaster Recovery Capability Security Sensitive Medium 11/29/2017 No date supplied 1940 N/A IT AVM/Facility & Infrastructure Data Centers Physical facilities management Medium 12/4/2018 No date supplied 1570 N/A IT Security of Personal Identifiable Information Security Sensitive Medium 2/26/2019 3/31/2020 1486 1087 IT HIPAA Security Security Sensitive Medium 9/4/2019 7/31/2020 1296 965 IT Closed Network System Security Security Sensitive Medium 9/5/2019 6/30/2020 1295 996 IT Inventory and Control of Hardware Assets Security Sensitive Medium 11/12/2019 6/30/2023 1227 -99 IT Network Password Management Security Sensitive Medium 3/20/2020 12/31/2020 1098 812 IT Network Password Management Security Sensitive Medium 3/20/2020 9/30/2020 1098 904 IT Secure Configuration for Hardware and Software Security Sensitive Medium 8/21/2020 12/31/2021 944 447 on Mobile Devices, Laptops, Workstations and Servers IT Secure Configuration for Hardware and Software Security Sensitive Medium 8/21/2020 12/31/2021 944 447 on Mobile Devices, Laptops, Workstations and Servers Contract Compliance Concourse Concessions LLC RE-2 policy review Medium 9/10/2020 12/31/2020 924 812 IT Continuous Vulnerability Management Security Sensitive Medium 11/29/2021 6/30/2022 479 266 IT Account Management - ICT Security Sensitive Medium 3/15/2022 6/1/2023 373 -70 IT Audit Log Management - Aviation Maintenance Security Sensitive Medium 6/2/2022 12/31/2023 294 -283 IT Audit Log Management - Aviation Maintenance Security Sensitive Medium 6/2/2022 12/31/2022 294 82 IT Audit Log Management - Aviation Maintenance Security Sensitive Medium 6/2/2022 12/31/2022 294 82 Contract Compliance The Hertz Corporation Investigate Under-collections Medium 6/3/2022 12/31/2022 293 82 IT T2 Airport Garage Parking System Replacement Security Sensitive Medium 11/11/2022 6/2/2023 132 -71 IT Audit Log Management (ICT) Security Sensitive Medium 11/22/2022 1/31/2023 121 51 Performance Fishermen's Terminal Billing and Collections Medium 3/20/2023 3/31/2024 3 -374 IT Security Awareness and Skills Training Security Sensitive Medium 3/23/2023 6/1/2023 0 -70 IT Security Awareness and Skills Training Security Sensitive Medium 3/23/2023 6/1/2023 0 -70 37
Limitations of Translatable Documents
PDF files are created with text and images are placed at an exact position on a page of a fixed size.
Web pages are fluid in nature, and the exact positioning of PDF text creates presentation problems.
PDFs that are full page graphics, or scanned pages are generally unable to be made accessible, In these cases, viewing whatever plain text could be extracted is the only alternative.