4. Presentation

01 Port of Seattle Audit Committee Slides

Financial Stewardship                    Accountability                       Transparency
Port of Seattle Audit Committee
Internal Audit Update
Glenn Fernandes - Director, Internal Audit

April 6, 2023
P69 Commission Chambers
9:00 AM – 11:00 AM

Operational Excellence                    Governance

   Internal Audit Organization Structure         Item #4



2

  Auditing Standards                          Item #4
New updates to Standards are forthcoming. We’ll update our Operational Policies and Procedures Handbook, accordingly.

A comprehensive                                                          An update of Chapter 5
update/overhaul of the                                                         – Quality and Peer
IIA IPPF Standards is                                                                   Review is underway to
underway to modernize                                                     enhance how audit
and transform them; to                                                         organizations manage
ensure their relevance                                                            audit quality.
and responsiveness to
today’s challenges.
Release of new
Standards, now named,
“Global Internal Audit
Standards” is expected
in late 2023; officially
effective in late 2024.



3

                                                                                                           Item #4
Internal Audit Director’s Annual Communication
Annual communication is required by the Institute of Internal
Auditors’ International Standards for the Professional Practice of
Internal Auditing (IIA Standards) on:
 Organizational Independence
 Internal Audit Charter
 Quality Assurance and Improvement Program
 Open Issue Follow-up and Monitoring Process

4

    Independence Requirement              Item #4
IIA Standard 1110 requires annual confirmation of
organizational independence.
Internal Audit Department continues to maintain
organizational independence by reporting functionally to
the Audit Committee and administratively to the Executive
Director.


5

   Internal Audit Charter                       Item #4
The Charter was most recently updated in October 2020.
The Charter defines Internal Audit Department’s:
Authority and Accountability
Mission and Scope
Responsibility
Independence and Objectivity
Commitment to Quality

6

   Quality Assurance Requirement            Item #4
Generally Accepted Government Auditing Standards (GAGAS)/
Government Accountability Office (GAO) require an external peer review
every three years.
Institute of Internal Auditors’ International Standards for the Professional
Practice of Internal Auditing, require both an internal and external quality
assurance and improvement program. External assessments need to
occur at least every five years.
An external peer review was most recently conducted by the Association
of Local Government Auditors (ALGA) in August of 2022.
Internal Audit’s periodic, quality self-assessment was last performed in
August 2021 and will be performed again in the third quarter of this year.
7

           Open Issue Status – Aging Report as of March 23, 2023       Item #5



1. Eleven issues outstanding for over one year from the Target Date consist of:
 Concourse Concessions LLC (1) - Port RE-2 Policy and Surety Amount Review
 Architecture & Engineering (3) - Fair and Reasonable Rate Determination; Management Review Over Max Rates; and Contract Rate Accuracy
 Information Technology Audits (7) (Security Sensitive - Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session.)
These are: Security of Personal Identifiable Information (1), Closed Network System Security (1), HIPAA Security (1), Network Password Management (2), and Secure
Configuration for Hardware & Software on Mobile Devices, Laptops, Workstations and Servers (2).
2. Four Information Technology issues do not have Target Dates and are not included in this chart. These issues are in the process of being addressed, however, they are more
than two years past the Report Date: Disaster Recovery Capability (1), and Aviation Maintenance and Facilities & Infrastructure Data Centers (3).
See Appendix A for a detailed listing of outstanding issues aging as of March 23, 2023.

8

    Internal Audit Update – Outreach Project                   Item #6
Goals, Scope, and Stakeholders
 To promote the awareness and understanding of the Port’s Internal Audit process, and the
significance of internal controls and risk mitigations internally and externally through outreach,
education, and socialization.
 To help small entities that the Port does business with and that have limited resources to educate
and train their staff on internal controls.
Deliverables and Timeline
No.                          Deliverables                                Target Completion Date                        Completed
0      Project Plan Creation                                                 September 2022                      September 2022
1      IA Website Upgrade:                                                 December 2022                       December 2022
1A    New Resources Section                                           December 2022                     December 2022
1A-1     Links to Standards, Professional Organizations                             December 2022                        December 2022
1A-2     Links to Cybersecurity Resources                                         December 2022                        December 2022
1A-3     External Peer Review Reports                                           December 2022                        December 2022
1B     Audit Process Illustrations                                         First Quarter 2023                      January 2023
2      Internal Controls Training:                                          Second Quarter 2023                        In Progress
2A      Training Design - Content, Delivery Methods & Target Audience            First Quarter 2023                     February 2023
2B      Training Material Development                                    Second Quarter 2023                        Planning
2C      Training Scheduling and Logistics                                   Second Quarter 2023                        Planning

9


Internal Audit Update – Outreach Project (Phase 1 – Website Upgrade)  Item #6
Internal Audit | Port of Seattle (portseattle.org)












10

    Internal Audit Update – Outreach Project (Phase 1 – Website Upgrade)  Item #6





11

    Internal Audit Update – Outreach Project (Phase 1 – Website Upgrade)  Item #6





12

    Internal Audit Update – Outreach Project (Phase 1 – Website Upgrade)  Item #6





13

   Internal Audit Update – Outreach Project (Phase 1 – Website Upgrade)  Item #6





14

    Internal Audit Update – Outreach Project (Phase 1 – Website Upgrade)  Item #6





15

   Internal Audit Update – Outreach Project (Phase 1 – Website Upgrade)  Item #6





16

   Internal Audit Update – Outreach Project (Phase 2: Internal Controls Training ) Item #6
Researched and identified some best practices on internal controls training.
Worked on preliminary training program design, including:
 Components:
Risks – What does Risk mean? Where do they exist? What are Workplace Risks? How do we manage them?
Controls - What are Internal Controls? Why do we need them? Types of Controls? Who is responsible?
Q&A
 Delivery Methods:
 In-person Live Session
 Slide Show and/or Video use
 Handout/flyers
 Target Audience:
 Internal – Port managers and staff
 External – Interested parties and individuals in the training, or certain target audience
Actual training material development, and logistics & coordination with appropriate
departments (e.g., HR, ICT, OEDI, etc.) will occur in the second quarter, 2023.
17

  Approved 2023 Audit Plan                           Item #7
Limited Contract Compliance                              Performance                                   Information Technology
•  Louis Dreyfus Company Washington, LLC            •  Payroll Controls                                                    •  Email and Web Browser Protection (ICT and
•  Seattle Air Ventures, JV (AIR002018,                 •  Airport Parking Garage                                               Aviation Maintenance)4
AIR002733)                                  •  Equity Policy Directive Compliance                      •  Network Infrastructure Management (ICT)
•  Seattle Air Ventures, JV (AIR002017,                 •  Social and Environmental Reporting                             •  Network Infrastructure Management (Aviation
AIR002732)                                  •  Fishermen’s Terminal                                    Maintenance)
•  Doug Fox Travel/ATZ                                                                                                             •  Security Awareness and Skills Training
Capital
•   T-5 Berth Modernization
•   Supply Chain Disruption Management
•   Post IAF Airline Realignment – GC/CM Construction1,2
•   C Concourse Expansion GC/CM1
•   Main Terminal Low Voltage System Upgrade GC/CM1
•   T-117 Sites 23-25 Restoration Construction Project
GC/CM1
•   Concourse A Building Expansion for Lounges/DELTA
TRA3
1. RCW 39.10.385 requires an independent audit, paid for by the public body, to confirm the proper accrual of costs, for General Contractor/Construction Manager (GC/CM) projects. This audit work
will be performed by external, contract auditors through a multi-year, Indefinite Delivery, Indefinite Quantity (IDIQ) contract. Year-end status report will be provided at the December Audit
Committee. Internal Audit will perform continuous cost reviews of these projects, review areas that are not looked at by the contract auditors, and partner with the contract auditors as needed.
Internal Audit will issue an audit report on areas covered.
2. Project start may potentially be delayed to 2024, with an estimated completion date in 2027.
3. This is a contingency audit per the Approved 2023 Audit Plan.
4. Audit name has changed to note that it now includes both ICT and Aviation Maintenance.

18

                                                                                                           Item #7
2023 AUDIT PLAN STATUS
Audit Title                                              Type               Jan   Feb  Mar  Apr  May  Jun   Jul   Aug  Sep   Oct  Nov  Dec
Payroll Controls                                                                 Performance
Airport Parking Garage                                                        Performance
Equity Policy Directive Compliance                                            Performance
Social and Environmental Reporting                                          Performance
Fishermen's Terminal                                                      Performance
Supply Chain Disruption Management                                      Performance - Capital
Terminal 5 Berth Modernization Project                                       Performance - Capital
Post IAF Airline Realignment - GC/CM Construction1,2                          Performance - Capital
C Concourse Expansion GC/CM1                                           Performance - Capital
Main Terminal Low Voltage System Upgrade GC/CM1                         Performance - Capital
T-117 Sites 23-25 Restoration Construction Project GC/CM1                      Performance - Capital
Concourse A Building Expansion for Lounges/DELTA TRA3                      Performance - Capital
Email and Web Browser Protection (ICT and Aviation Maintenance)4            IT
Network Infrastructure Management (ICT)                                   IT
Network Infrastructure Management (Aviation Maintenance)                 IT
Security Awareness and Skills Training                                          IT
Louis Dreyfus Company Washington, LLC                                     Contract Compliance
Seattle Air Ventures, JV (AIR002018, AIR002733)                                 Contract Compliance
Seattle Air Ventures, JV (AIR002017, AIR002732)                                 Contract Compliance
Doug Fox Travel/ATZ                                                       Contract Compliance
Complete
KEY                                         In Process
Not Started
1. RCW 39.10.385 requires an independent audit, paid for by the public body, to confirm the proper accrual of costs, for General Contractor/Construction Manager (GC/CM) projects. This audit
work will be performed by external, contract auditors through a multi-year, Indefinite Delivery, Indefinite Quantity (IDIQ) contract. Year-end status report will be provided at the December
Audit Committee. Internal Audit will perform continuous cost reviews of these projects, review areas that are not looked at by the contract auditors, and also partner with the contract auditors
as needed. Internal Audit will issue an audit report on areas covered.
2. Project start may potentially be delayed to 2024, with an estimated completion date in 2027.
3. This is a contingency audit per the Approved 2023 Audit Plan.
4. Audit name has changed to note that it now includes both ICT and Aviation Maintenance.

19

                                                                                                             Item #s 8-11
Audits Completed in First Quarter, 2023
1) Fishermen’s Terminal (Item #8)
2) Terminal 5 Berth Modernization Project (Item #9)
3) Supply Chain Disruption Management (Item #10)
4) Security Awareness and Skills Training* (Item #11)
*Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session




20

    Fishermen’s Terminal                      Item #8
Audit Period: January 2022 to December 2022.
Included Fishermen’s Terminal, Salmon Bay Marina, and
Maritime Industrial Center.
Purpose:
To evaluate billing processes.
To evaluate segregation of duties.
To assess internal controls, including whether standard operating procedures
were drafted and followed.
This Audit focused on the Marina Management System and
did not focus on PeopleSoft Financials.
21

   Fishermen’s Terminal                      Item #8
Background:
 Fishermen’s Terminal (FT)
 Offers short-term and long-term freshwater moorage for both fishing and commercial
vessels, as well as recreational boats.
 Includes over 227,000 square feet of office, retail, restaurant, and warehouse space.
 Salmon Bay Marina (SaBM)
 Located inside the Ballard Locks, next to the Ballard Bridge.
 Offers covered and uncovered freshwater monthly moorage for recreational boats.
 Maritime Industrial Center (MIC)
 Offers short-term and daily moorage for vessels up to 76 meter in length.
 Over 1,500 linear feet of concrete dock space for loading and repair/maintenance work.

22

   Fishermen’s Terminal                      Item #8
Background (continued):
Internal Audit performed a walkthrough of the entire facility and noted
the aging infrastructure at SaBM, net sheds at FT, and the building that
is slated to become MIC.
Main concern was the roofing at SaBM, which was at risk of structural
failure:
Engineer’s assessment report identified “significant risks of structural instability”
and “notable risk of fire” due to the lack of a sprinkler system.
Estimated cost to repair the structure was $1.3M, cost to remove the roof was
$2.8M, and a total roof replacement cost was $13.5M.

23

    Revenue Breakdown for 2020, 2021, and 2022:            Item #8
FT:      Revenue Source               2020        2021         2022
Berthage and Moorage        $2,175,639     $2,175,067       $2,358,758
Concession Services               657,232                 614,430                  663,961 
Space Rental                     148,541                107,867                  120,390 
Utility Sales Revenue                88,596                144,947                   128,817 
Other Equipment Rental            34,571                38,253                  33,551 
Maintenance Service Fees          11,028                16,003                  12,516 
Other Services Revenue             63,781          67,014                  67,544 
$3,179,388     $3,163,581       $3,385,537
SaBM:    Revenue Source          2020     2021      2022
Berthage and Moorage          $831,065       $871,038        $934,283
Concession Services                 6,728                 6,888                  7,003 
Utility Sales Revenue                28,351                 28,236                   30,692 
Other Services Revenue              6,251           6,756                  6,643 
$872,395       $912,918        $978,621
MIC:    Revenue Source           2020      2021       2022
Berthage and Moorage          $188,424       $118,516        $100,983
Space Rental                      37,641                28,438                   39,003
Other Equipment Rental             2,391                  911                1,606 
Other Services Revenue             9,964               10,323                  10,164 
$238,420       $158,188        $151,756


24

                                                                                                          Item #8
A/R Aging Summary:
As of January 31, 2023:

Days Past Due
Current     1-30      31-60     61-90     91-120   Over 120    Total
FT           $337,638   $90,586   $58,315   $29,632   $25,181   $254,688   $796,040
SaBM         74,154        10,405         5,112         3,413     2,380      8,760    104,224
Total           $411,792  $100,991   $63,427   $33,045   $27,561   $263,448   $900,264



25

        Rating: Medium                                                                          Item #8
Billing and collection procedures at Fishermen’s Terminal
were informal and internal controls needed to be
strengthened.
 Underbilling of auxiliary services: three out of five samples related to
Land Storage were billed incorrectly using outdated rates from prior
years; $36,500 (estimate) underbilled for 2022.
 Rate charged for the Nordby Conference Room was outdated, resulting
in approximately $1,700 in lost revenue for 2022.
 The billing and collection process for the sizeable accounts receivable
balance (roughly $900K total outstanding) is only managed by one
individual.
26

   Recommendations                                 Item #8
Billing and collection processes should be documented and
formalized.
Review and oversight over the processes should be required
and well understood. This should include who performs the
review, when it is conducted, and what is being reviewed.
Permissions and user access within Marina Management
System (MMS) should be reviewed and evaluated to assure
that individuals cannot delete or make adjustments in the
system without approval.
27

                                                                                                          Item #8
Management Response
Management will work to create a structure that will accomplish
a separation of duties to ensure integrity in the revenue
management program (Billing and Collection).
Management will work to design a structure that will achieve the
recommended “separation of duties” and will evaluate whether
an additional position is needed.
Processes and reporting systems will also be brought up to date,
allowing for better tracking, reporting, and information
retention.
DUE DATE: 3/31/2024      Management will discuss in detail. (Full response in Audit Report No. 2023-03)

28

    Terminal 5 Berth Modernization Project    Item #9
Terminal 5 has long been considered a premier container cargo facility on the
West Coast, due to its naturally deep berth, wide footprint, and availability of
an on-dock rail yard, allowing containers to be directly loaded from a ship onto
rail lines.
Ultra-large container ships are entering the market, with a container capacity of
more than 10,000 twenty-foot equivalent units (TEU) and vessels of 18,000-TEU
capacity.
The new container ships require larger, heavier cranes with a longer reach,
which in turn requires strengthening the dock and upgrading utilities.
In response to these industry changes, the Northwest Seaport Alliance
proposed improvements at Terminal 5 to accommodate larger vessels.

29

    Terminal 5 Berth Modernization Project    Item #9
The Northwest Seaport Alliance approved the Terminal 5 Improvement Program
(Program) on February 26, 2019.
Our audit focused on the Terminal 5 Berth Modernization Project, which is the
largest portion of the Program.
Contract awarded to Orion Construction in May 2019; amount: $159,986,390.
Construction began in July 2019.
Total Program Costs:
Description                                            Amount
April 2019 Authorized Project Cost                         $ 340,000,000
July 2021 Authorized Increase                             $  50,000,000
December 2021 Authorized Increase                     $   2,500,000
August 2022 Authorized Increase                         $  61,500,000
Total Program Costs (as of December 31, 2022)             $ 454,000,000

30

     Terminal 5 Berth Modernization Project   Item #9
When the unit price work item bid quantity exceeds the
actual quantity by more than 125%, the contract allows for
renegotiation of the unit price.
We obtained the actual cost of the eight-unit price work
items in the sample and prepared a comparison of the
contractor’s actual cost and bid price.
We provided this information to the Construction
Management team.

31

        1) Rating: Low                                                                                     Item #9
In most instances, the Port’s internal controls over the review process for Pay
Applications worked well to assure billings pertaining to unit price work items
were accurate and supported. However, our audit identified instances, in which
Pay Applications were missing supporting documentation or billed incorrectly,
resulting in a potential overbilling of $124,771.
Focused audit testing on unit price work items that exceeded 125% of the bid
quantity.
Eight largest items tested, totaling $15,353,134.
Documentation was readily available for the audit; we observed receipts and hand-
written notes with corrections.
However, we found instances, in which supporting documentation could not be
located or was billed incorrectly, totaling $124,771 (0.9% of the tested sample).

32

    Recommendations                         Item #9
If the contractor is unable to provide supporting
documentation, Construction Management should
seek and recover any amount due.



33

   Management Response                      Item #9
The full amount of $124,771 will be credited from the next
Pay Estimate processed for this project unless the Contractor
provides missing documentation.
Outside of this audit, Construction Management is confident
these discrepancies would have been identified and corrected
during the independent verification process required when
each Unit Price Bid Item is completed, in line with our
standard operating procedures as part of the closeout of the
project.
DUE DATE: 6/30/2023      Management will discuss in detail. (Full response in Audit Report No. 2023-02)

34

   Supply Chain Disruption Management     Item #10
 The COVID-19 pandemic disrupted global supply chains due to government-imposed
shutdowns, demand instability, labor shortages, and bottlenecks in shipping and transportation,
affecting the construction industry’s ability to access key materials and equipment.
 The objective of the audit was to:
 Identify how the Port is addressing supply chain disruption management
 Assess the adequacy of its risk response plan
 Determine how the Port’s measures align with other agencies and the construction industry
 We benchmarked other agencies and companies to identify best practices for mitigating supply
chain risks. We also interviewed personnel from the Port to understand current processes in
place.
 Based on the work performed, we concluded that the Port has established processes through
close coordination between multiple departments including, the Central Procurement Office,
the Project Management Group, and Construction Management. These processes addressed
key risks from supply chain disruption. They also aligned with processes used by other agencies
and the results of our research within the construction industry.
35

                  Appendix
A – Aging of Outstanding Issues as of March 23, 2023



36

      Appendix A – Aging of Outstanding Issues as of March 23, 2023
Performance, Capital, Information Technology, and Limited Contract Compliance Audits
Days Outstanding   Days Outstanding
Audit Type                               Audit                                        Description                  Rating    Report Date     Target Date    (from Report Date)  (from Target Date)
IT                        AVM/Facility & Infrastructure Data Centers                    Physical access to facilities                   High              12/4/2018   No date supplied                 1570                  N/A
IT                        AVM/Facility & Infrastructure Data Centers                    Protection against environmental factors      High              12/4/2018   No date supplied                 1570                  N/A
Performance            Architecture & Engineering                                Determine fair and reasonable rates         High            12/9/2019         6/30/2020               1200                996
Performance            Architecture & Engineering                                Management review over max rates          High            12/9/2019         6/30/2020               1200                996
Performance            Architecture & Engineering                                Contract rate accuracy                     High            12/9/2019         6/30/2020               1200                996
IT                        Continuous Vulnerability Management                         Security Sensitive                             High            11/29/2021        12/31/2022                  479                   82
IT                        Continuous Vulnerability Management                         Security Sensitive                             High            11/29/2021        12/31/2022                  479                   82
IT                        Continuous Vulnerability Management                         Security Sensitive                             High            11/29/2021        12/31/2022                  479                   82
IT                        Security Awareness and Skills Training                         Security Sensitive                             High              3/23/2023           6/1/2023                     0                  -70
IT                        Disaster Recovery Capability                                  Security Sensitive                             Medium         11/29/2017   No date supplied                 1940                  N/A
IT                        AVM/Facility & Infrastructure Data Centers                    Physical facilities management               Medium          12/4/2018   No date supplied                 1570                  N/A
IT                        Security of Personal Identifiable Information                   Security Sensitive                             Medium          2/26/2019          3/31/2020                 1486                 1087
IT                        HIPAA Security                                                Security Sensitive                             Medium           9/4/2019          7/31/2020                 1296                  965
IT                        Closed Network System Security                               Security Sensitive                             Medium           9/5/2019          6/30/2020                 1295                  996
IT                        Inventory and Control of Hardware Assets                      Security Sensitive                             Medium         11/12/2019          6/30/2023                 1227                  -99
IT                        Network Password Management                              Security Sensitive                             Medium          3/20/2020        12/31/2020                 1098                  812
IT                        Network Password Management                              Security Sensitive                             Medium          3/20/2020          9/30/2020                 1098                  904
IT                        Secure Configuration for Hardware and Software               Security Sensitive                             Medium          8/21/2020        12/31/2021                  944                  447
on Mobile Devices, Laptops, Workstations and Servers
IT                        Secure Configuration for Hardware and Software               Security Sensitive                             Medium          8/21/2020        12/31/2021                  944                  447
on Mobile Devices, Laptops, Workstations and Servers
Contract Compliance     Concourse Concessions LLC                                 RE-2 policy review                          Medium         9/10/2020        12/31/2020                 924                 812
IT                        Continuous Vulnerability Management                         Security Sensitive                             Medium         11/29/2021          6/30/2022                  479                  266
IT                        Account Management - ICT                                    Security Sensitive                             Medium          3/15/2022           6/1/2023                  373                  -70
IT                        Audit Log Management - Aviation Maintenance                Security Sensitive                             Medium           6/2/2022        12/31/2023                  294                 -283
IT                        Audit Log Management - Aviation Maintenance                Security Sensitive                             Medium           6/2/2022        12/31/2022                  294                   82
IT                        Audit Log Management - Aviation Maintenance                Security Sensitive                             Medium           6/2/2022        12/31/2022                  294                   82
Contract Compliance     The Hertz Corporation                                      Investigate Under-collections                Medium          6/3/2022        12/31/2022                 293                  82
IT                        T2 Airport Garage Parking System Replacement                Security Sensitive                             Medium         11/11/2022           6/2/2023                  132                  -71
IT                        Audit Log Management (ICT)                                  Security Sensitive                             Medium         11/22/2022          1/31/2023                  121                   51
Performance            Fishermen's Terminal                                     Billing and Collections                      Medium         3/20/2023         3/31/2024                   3               -374
IT                        Security Awareness and Skills Training                         Security Sensitive                             Medium          3/23/2023           6/1/2023                     0                  -70
IT                        Security Awareness and Skills Training                         Security Sensitive                             Medium          3/23/2023           6/1/2023                     0                  -70

37



Limitations of Translatable Documents

PDF files are created with text and images are placed at an exact position on a page of a fixed size.
Web pages are fluid in nature, and the exact positioning of PDF text creates presentation problems.
PDFs that are full page graphics, or scanned pages are generally unable to be made accessible, In these cases, viewing whatever plain text could be extracted is the only alternative.