11b. Presentation

2023 Internal Audit Annual Report

Item No. 11b attach
Meeting Date: February 13, 2024

Glenn Fernandes - Director, Internal Audit

February 13, 2024
P69 Commission Chambers
12:00 PM – 5:00 PM


              2023 Audit Committee
Commissioner Hamdi Mohamed, Committee Chair
Commissioner Sam Cho, Committee Member
Sarah Holmstrom, Committee Public Member


                 About Internal Audit
Internal Audit conducts independent, objective, risk-based audits of
the Port’s operations, technology, activities, and vendors.
Our audits add value by helping the Port achieve its mission and
contribute to: financial stewardship, accountability, transparency,
governance, and operational excellence.
Internal Audit derives its authority from the Port Commission.
The Director is a dual report, who reports functionally to the Audit
Committee and administratively to the Executive Director.


■  Combined Assurance to Break Down Silos: The governing body, management, and internal audit have their distinct responsibilities, but all activities need to be aligned with the objectives and collectively grow the value of the organization.
■  Beyond the Three Lines Model: Today’s environment of risk bedlam requires us to go a step further. Collaboration is a business imperative and a platform we can use to generate even greater enterprise value.

Source: The Institute of Internal Auditors, THE IIA’S THREE LINES MODEL – An Update of the Three Lines of Defense, published in July 2020.


2023 Audit Plan Update
• 16 audit reports were completed in 2023: 5 Performance, 5 Capital Projects, 3 Information Technology, and 3 Limited Contract
• Audits identified 4 High Risk, 16 Medium Risk, and 7 Low Risk rated issues for management action.
• GC/CM Construction Projects are increasing at the Port; real-time auditing, as required by RCW 39.10.385, continues to identify cost
• Audit reports are shared with Audit Committee Members, and for transparency, are also posted to the Port’s external-facing website.
[Audit reports can be found at https://www.portseattle.org/page/internal-audit-reports.]


                 16 Audits Completed in 2023
Limited Contract Compliance
• Louis Dreyfus Company Washington LLC
• Seattle Air Ventures
• ATZ, Inc. dba Doug Fox Parking

Performance
• Port-wide Payroll Controls
• Airport Parking Garage
• Social and Environmental Reporting
• Fishermen’s Terminal
• Police Department Seizures and Evidence

Information Technology
• Email and Web Browser Protections (ICT and Aviation Maintenance)
• Network Infrastructure Management (Aviation Maintenance)
• Security Awareness and Skills Training

Capital Projects
• Terminal 5 Berth Modernization
• Supply Chain Disruption Management
• C Concourse Expansion (Pre-construction)
• Main Terminal Low Voltage System Upgrade
• T-117 Sites 23-25 Restoration Construction Project GC/CM¹

1. RCW 39.10.385 requires an independent audit, paid for by the public body, to confirm the proper accrual of costs, for General Contractor/Construction Manager (GC/CM) projects. This audit work is performed by external, independent auditors through Service Agreements. A year-end status report is provided at the December Audit Committee. Internal Audit also performs audits of these projects and reviews areas that are not looked at by the independent auditors. Internal Audit issues an audit report on areas covered.


     Information Technology (IT) Audits
IT audits are generally security sensitive and are discussed in non-
public sessions.
Our IT Audit Program focuses on high risk, high value controls,
identified by the Center for Internet Security (CIS, 18 control areas,
153 controls).
CIS controls are a prioritized set of best practices for cyber defense.
Three audits were completed in 2023.
Over the last 5 years, we have completed 11 of 18 key CIS audits.


     Information Technology (IT) Audits
Key objectives of 2023 IT Audits included:
Assess the effectiveness of IT controls.
Identify Cybersecurity risks.
Assure compliance with relevant regulations and industry standards.
Safeguard critical information assets.
Maintain the integrity of systems and data.
Support the overall organizational goals and objectives.


     Capital/Construction Audits
Five Capital/Construction audits were completed in 2023.
Projects audited had estimated Capital Spend of $182 million.
Key Recommendations/Improvements included:
• Strengthen contract language to decrease the potential for misinterpretation.
• Improve Pay Application and Change Order review processes by maintaining adequate supporting documentation.
• Establish a comprehensive documentation process and clear guidelines related to negotiating and approving labor rates.
• Collect overpayments made to contractors.


          Highlighted Performance Audits
1) Airport Parking Garage
2) Port-wide Payroll Controls
3) Fishermen’s Terminal


     Airport Parking Garage
The audit focused on the Public Parking and the Employee Parking operations
at the main parking garage at Seattle-Tacoma International Airport (SEA) for
the period January 2022 through July 2023.
We evaluated controls over: 1) cash handling, 2) parking garage access, and
3) compliance with applicable laws, rules, and regulations.
Key Improvement Opportunities included:
 603 instances of misuse of complimentary parking cards issued to organizations that
have business at the Airport.
 99 active cards that were assigned to employees who were no longer employed by the
Port, 16 of which continued to use their cards after separation from the Port.
 Controls to deactivate complimentary parking cards at the end of lease agreements. One
lessee’s parking card was still active and continued to be used after lease termination.


     Port-wide Payroll Controls
The audit scope included: system access controls, segregation of duties, common
payroll fraud assessments/testing, and different time-recording systems used by
some business areas that might increase risk exposure to the Port.
As of 12/31/2022, the salaries and benefits were the Port’s largest operating
expenses, $317,574,261, representing roughly 67% of the total operating
Key Improvement Opportunities included:
• The Maximo System used by Aviation Maintenance Department had generated semi-annual, preventive maintenance work orders for certain retired assets, requiring maintenance staff to spend up to 3 hours for each unnecessary work order over 10 years.
• A lifeline system – Sayfglida fall protection cable located on the Central Terminal roof at Seattle-Tacoma International Airport had been marked “Out of Service, DO NOT USE” by physical signs, therefore, requiring no regular maintenance.


     Fishermen’s Terminal
The Audit was requested by the Director of Maritime Operations and Security.
The audit focused on the billing processes, segregation of duties, and standard
operating procedures.
Key Improvement Opportunities included:
• Billing and collection procedures at Fishermen’s Terminal were informal and internal controls needed to be strengthened.
• Some Auxiliary Services were billed incorrectly using outdated rates from prior years.
• The billing and collection process for the sizeable accounts receivable balance (roughly $900K total outstanding) was only managed by one individual.


                  2024 Audit Strategy
• Stay independent and objective.
• Enhance processes, by viewing work through an “equity lens.”
• Incorporate an Equity, Diversity, and Inclusion objective into select audit programs and distinctively reflect the effort in audit reports.
• Streamline existing concession audit processes.
• Continue to focus on Capital Delivery (Financial, Quality, and Schedule).
• Continue to focus on the remaining “Center for Internet Security” audits that will provide the groundwork for well-established cybersecurity controls.
• Meet New TSA Cybersecurity Audit Requirements.

