1. Presentation
Port of Seattle Audit Committee
Internal Audit Update
Glenn Fernandes - Director, Internal Audit
March 28, 2024
P69 Commission Chambers
10:00 AM – 12:00 PM
Financial Stewardship, Accountability, Transparency, Operational Excellence, Governance

Internal Audit Organization Structure (Item #4)

Auditing Standards (Item #4)
New updates to Standards were released in the first quarter of this year. We’ll update our Operational Policies and Procedures Handbook and train staff by effective dates, accordingly.
• Newly structured, Global Internal Audit Standards, of which features include the application of standards to the Public Sector, were released on January 9, 2024, and will become effective January 9, 2025.
• This 2024 Revision, released on February 1, 2024, includes a requirement for an audit organization to: 1) design and implement its system of quality management by December 15, 2025; and 2) complete an evaluation of the quality management system by December 15, 2026.

(Item #4) [Source: The Institute of Internal Auditors]

(Item #4) [Source: The Institute of Internal Auditors]

Internal Audit Director’s Annual Communication (Item #4)
Annual communication is required by the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing (IIA Standards) on:
• Internal Audit Charter
• Organizational Independence
• Quality Assurance and Improvement Program
• Open Issue Follow-up and Monitoring Process

Internal Audit Charter (Item #4)
The Charter was most recently updated in September 2020.
The Charter defines Internal Audit Department’s:
• Authority and Accountability
• Mission and Scope
• Responsibility
• Independence and Objectivity
• Commitment to Quality

Independence Requirement (Item #4)
IIA Standards require annual confirmation of organizational independence of the internal audit function.
Internal Audit Department continues to maintain organizational independence by reporting functionally to the Audit Committee and administratively to the Executive Director.

Quality Assurance Requirement (Item #4)
Generally Accepted Government Auditing Standards (GAGAS)/Government Accountability Office (GAO) require an external peer review every three years.
IIA Standards require both an internal and external quality assurance and improvement program. External assessments need to occur at least every five years.
An external peer review was most recently conducted by the Association of Local Government Auditors (ALGA) in August of 2022.
Internal Audit’s periodic, quality self-assessment was most recently performed in the first quarter of this year.
• Reviewed IA’s written policies and procedures (IA Handbook); internal monitoring procedures; a sample of audit engagements and workpapers; and interviewed management and staff on the IA Handbook.
• Assessment concluded that IA’s internal quality control system was suitably designed and operating effectively to provide a reasonable assurance of compliance with GAGAS and IIA Standards.
• It offered some enhancement opportunities.

Open Issue Status – Aging Report as of March 13, 2024 (Item #5)
1. Three issues outstanding for over one year from the Target Date are: Information Technology Audits (3) (Security Sensitive - Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session.): Closed Network System Security (1), and Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers (2).
2. Three Information Technology issues do not have Target Dates and are not included in this chart. These issues are in the process of being addressed, however, they are more than two years past the Report Date: Aviation Maintenance and Facilities & Infrastructure Data Centers (3).
See Appendix A for a detailed listing of outstanding issues, including: Report Finding, Issue Owners, and Current Status, as of March 13, 2024.

Approved 2024 Audit Plan (Item #6)

Limited Contract Compliance
• Stellar Bambuza SEA LLC
• Seattle Food Partners LLC
• 1915 KCHouse Concepts – SEATAC LLC
• Pallino SeaTac LLC

Performance
  Performance
  • Fire Department - PFAS Use, Storage, and Phase-out
  • Time Approval Controls
  • Delegation of Authority
  • Equity Policy Directive
  • Utility Management – Port-wide
  Capital
  • Concourse A Building Expansion for Lounges/Delta TRA (1)
  • T-117 Sites 23-25 Restoration Project GC/CM Closeout
  • TSE- Phase 2 Bollards and ADA Ramps
  • Parking Garage Elevator Modernization

Information Technology
• Application Software Security
• Network Infrastructure Management (ICT)
• TSA Cybersecurity (2)

(1) This audit was started in the Fourth Quarter of 2023 and was completed in the First Quarter of 2024.
(2) TSA is in the process of mandating audits. These will be required in 2024.

Internal Audit Capital GC/CM Continuous Audits (Item #6)
RCW 39.10.385 requires an independent audit, paid for by the public body, to confirm the proper accrual of costs.
We procure the independent auditor, provide oversight of work performed, and assist in fieldwork as needed.
The independent auditor will provide the Audit Committee with annual updates and final reports upon completion of each project.

Capital GC/CM Continuous Audits
• Main Terminal Low Voltage System Upgrade
• Post IAF Airline Realignment
• C Concourse Expansion Project
• Eastside Fire Station
• Baggage Optimization Phase 3
• Concourse Low Voltage Upgrade
• South Concourse Evolution

Construction Contract Review (Item #6)
Historically, missing or unclear contract language has resulted in audit findings. Remediation is generally deferred to future contracts.
At the direction of the Audit Committee: Going forward Internal Audit (IA) will review all Alternative Works construction contracts.
In partnership with Port Management, IA will attend contract review meetings. IA will make recommendations, but will not own the process, thereby, maintaining independence. IA will seek outside expertise as needed. Proactive approach – but does not imply that we will not perform our regular construction audits on these projects.

2024 AUDIT PLAN STATUS (Item #6)
Audit Title: Type (schedule columns: Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec)
• Fire Department - PFAS Use, Storage, and Phase-out: Performance
• Time Approval Controls: Performance
• Delegation of Authority: Performance
• Equity Policy Directive Compliance: Performance
• Utility Management - Port-wide: Performance
• Concourse A Building Expansion for Lounges/DELTA TRA (1): Performance - Capital
• T-117 Sites 23-25 Restoration Project GC/CM Closeout: Performance - Capital
• TSE-Phase 2 Bollards and ADA Ramps: Performance - Capital
• Parking Garage Elevator Modernization: Performance - Capital
• Application Software Security (ICT): IT
• Network Infrastructure Management (ICT): IT
• TSA Cybersecurity (2): IT
• Stellar Bambuza SEA LLC: Contract Compliance
• Seattle Food Partners LLC: Contract Compliance
• 1915 KCHouse Concepts - SEATAC LLC: Contract Compliance
• Pallino SeaTac LLC: Contract Compliance
KEY: Complete, In Process, Not Started
(1) This audit was started in the Fourth Quarter of 2023 and was completed in the First Quarter of 2024.
(2) TSA is in the process of mandating audits. These will be required in 2024.

Audits Completed in First Quarter - 2024 (Item #s 7-9)
1) Concourse A Building Expansion for Lounges – Delta TRA (Item #7)
2) Payment Card Industry (PCI) – Qualified Security Assessor (QSA) Assessment Results (Item #8)
3) Pallino SeaTac, LLC (Item #9)

Concourse A Expansion for Lounges- Delta TRA (Item #7)
The Concourse A Expansion for Lounges Project is being conducted under a Tenant Reimbursement Agreement (TRA) between the Port and Delta Air Lines.
The TRA is being administered as a Guaranteed Maximum Price (GMP) contract in the amount of $133.7 million. Hensel Phelps was selected as the general contractor.
The Project includes the design and construction of a 52,000 square foot building addition in Concourse A, including 36,000 square feet of new leasable space. Design of the base building was approved by the Port Commission in April 2021 with construction anticipated to be completed in the fall of 2024.

1) Rating: High (Item #7)
An implicit agreement between Hensel Phelps and the Port’s Risk Management Department settled on $10 Million in Commercial General Liability Insurance (GLI) at an estimated cost of $559,500. Hensel Phelps subsequently materially overbilled the Port for $100 Million in GLI, at a cost of $1,120,784.
• TRA stipulates minimum Commercial General Liability Insurance limit: $15 million.
• Hensel requested a decrease “per occurrence limit” to $10 million, and the Port agreed.
• Hensel billed approximately $1.1 million in insurance invoices, which included $100 million “per occurrence” coverage. (invoice totaling $1.1 million, instead of estimated $560K.)
• Using Risk Management’s estimate, would also have decreased the final GMP by $1.1 million.
• Port has deferred reimbursement until approval from the Port’s Risk Management team.
Scope limitation: With the assistance of the Port’s Project Management Group, we made multiple requests to obtain subcontractor bid documents and subcontracts for the Contractor Controlled Insurance Program. Hensel refused to provide the documents although we explained the audit reasons for the requested documents. Accordingly, our audit scope was limited, and we were unable to conclude whether subcontractor contracts included additional insurance that was being passed on to the Port, or that any insurance credits were properly passed on to the Port.

Recommendations (Item #7)
1. Contract insurance language should be updated to outline both minimum and maximum insurance requirements that will be reimbursed, thereby preventing the Port from incurring costs for additional insurance coverage.
2. TRA language should be updated to specifically describe the documents that are subject to audit and consequences if those documents are not provided when requested.
3. Risk Management should make the determination on what the final reimbursable insurance cost should be. Additionally, the total Guaranteed Maximum Price (GMP) should be adjusted accordingly.
4. When estimating a GMP, Port estimators should use amounts recommended by Risk Management instead of amounts proposed by contractors.

2) Rating: Medium (Item #7)
Hensel Phelps’ Request for Reimbursement Submittal (RRS) for General Requirements did not include adequate supporting documentation.
• General Requirements: Direct Costs Associated with the project.
• TRA requires adequate documentation for reimbursement.
• Hensel submitted accounting system printouts, not invoices.
• Invoices are crucial for expense validation to assure expenses are project-specific and accurate.

Example of Hensel accounting system printouts used (Item #7)

Example of Hensel Accounting System Printouts Used (Item #7)

Recommendations (Item #7)
1. RRS approvers should obtain proper documentation in order to reconcile General Requirements costs previously reimbursed and require supporting documentation for future reimbursement requests.
2. Standard Operating Procedures should be updated to reflect the need for actual invoices as adequate support for reimbursement requests.

3) Rating: Medium (Item #7)
The Port has an opportunity to revise its procedures on future TRA projects in order to decrease the potential of reimbursing unallowable or duplicate costs within General Conditions.
General Conditions (GCs) cover Hensel’s indirect costs, such as staff salaries, safety, computers, and site management costs.
Range of components that may be included in GCs heightens the potential that those costs may be billed elsewhere in the contract, or otherwise unallowable if not properly vetted and monitored.
Agreement between Hensel and Delta outlined allowable and non-allowable GCs, however, the Agreement allowed Hensel to submit proposed GC costs as a lump sum amount without requiring documentation.
Risks of allowing lump sum GCs:
• Short-term staff reduction affecting management
• Reluctance to spend necessary GC funds
• Shifting GC costs to subcontractors
• Moving costs into GCs to avoid scrutiny
• Early billing of GCs

Recommendations (Item #7)
1. Although we suggest GCs to be reimbursed on a cost basis, if the Port continues to allow TRAs to use lump sum GCs, Port management should, at a minimum, require a detailed expected scope of work in the GC costs prior to agreeing to a GMP.
2. Port management should reimburse no more than the approved GC line item agreed in the GMP (plus any GC increase that may occur from Change Orders). If the General Conditions line item is increased on the Schedule of Values, the Port should require justification prior to approving the change.

Management Response – Issue 1 (Item #7)
The following is a general portion of the response to all recommendations.
The project team includes: AV Project Management Group, AV Project Controls, Port Risk Management, Port Engineering - Construction Management, AV Business & Properties, and AV Commercial Management. Other necessary departments may be added to this team as the process proceeds.
A multi-year initiative to reevaluate and change the aspects of the TRA process is underway with Port stakeholders. Some of the measurable improvements are expected to be implemented in 2024 and others in 2025. The recommendations of this internal audit will be incorporated into this effort.
Management Response to Item #1: The project team agrees with the recommendation in improving future TRA contract language and will work with other project delivery groups and Risk Management to establish clear guidelines as they relate to acceptable insurance requirements and thresholds.
DUE DATE: 12/18/2024
Management will discuss in detail. (Full response in Audit Report No. 2024-01)

Management Response – Issue 2 (Item #7)
The Project Team will work with Aviation Departments that generate TRAs to determine the required documentation for reimbursement for General Requirements. Standard Operating Procedures will be updated to require adequate backup documentation to support reimbursement requests.
DUE DATE: 09/04/2025
Management will discuss in detail. (Full response in Audit Report No. 2024-01)

Management Response – Issue 3 (Item #7)
The project team agrees with the recommendations. TRA contract language will be modified to require, at minimum, a detailed scope of work in General Conditions costs, prior to agreeing to Final GMP. Standard Operating Procedures will be updated to require justification of an increase in General Conditions prior to approving the change.
DUE DATE: 12/18/2024
Management will discuss in detail. (Full response in Audit Report No. 2024-01)

Payment Card Industry (PCI) – Qualified Security Assessor (QSA) Assessment Results (Item #8)
The 2023 PCI assessment was completed on December 14, 2023, by Secured Net Solutions Inc., an external party, and a Qualified Security Assessor (QSA). The work was performed to assure the Port’s compliance with the Payment Card Industry Data Security Standard (PCI DSS) version 3.2.1.
Organizations that store, process, or transmit credit card data must comply with relevant PCI DSS requirements, and compliance must be attested on an annual basis.
PCI requires merchants to complete an annual Self-Assessment Questionnaire (SAQ) to verify to their acquirer (merchant bank) that their security controls over credit card data handling meet the PCI requirements.

Payment Card Industry (PCI) – Qualified Security Assessor (QSA) Assessment Results (Item #8)
The Port accepts credit card payments for taxi driver usage fees, moorage services at its marina facilities, and parking at the Seattle-Tacoma International Airport.
The Port received an overall “Compliant” rating, demonstrating full compliance with the PCI DSS.

Pallino SeaTac, LLC (Item #9)
Internal Audit performed an attestation engagement to assess compliance with the Lease and Concession Agreement.
We performed specific, agreed-upon procedures to review concession fees for completeness, accuracy, and timeliness.
Period Reviewed: January 2023 – June 2023.
We identified no exceptions.

Appendix A – Aging of Outstanding Issues as of March 13, 2024
Performance, Capital, Information Technology, and Limited Contract Compliance Audits

Audit Type: IT; Audit Title: AVM/Facility & Infrastructure Data Centers; Rating: High
Target Date: No date supplied; Report Date: 12/4/2018; Days Outstanding (from Report Date): 1926; Days Outstanding (from Target Date): N/A
Issue Owner: Director, Aviation Facilities and Capital Program
Report Finding: Physical Access to Facilities. All rooms in our sample were protected with varying levels of restricted access. Some were well protected, allowing few individuals access, while others allowed access to hundreds of people with no legitimate business need.
Current Status from Management as of 3/13/2024: Project PM Response: Access control in communication rooms project just completed 90% Design review. We are scheduled for Commission Authorization for Construction in May 2024. Upcoming Target Milestones: Advertisement in June 2024; Issue NTP (Notice to Proceed) for Construction late September 2024, and Substantial Completion Q4 2025.

Audit Type: IT; Audit Title: AVM/Facility & Infrastructure Data Centers; Rating: High
Target Date: No date supplied; Report Date: 12/4/2018; Days Outstanding (from Report Date): 1926; Days Outstanding (from Target Date): N/A
Issue Owner: Director, Aviation Facilities and Capital Program
Report Finding: Protection Against Environmental Factors. Facilities should be protected against fire and water damage. In our sample of 31 rooms, 35% of the rooms did not have fire suppression capability and 55% did not have fire extinguishers. Four rooms had Halon fire extinguishers which are ozone-depleting and do not support the Port’s value for being a responsible steward of the environment.
Current Status from Management as of 3/13/2024: F&I Response: Project U00494 to add clean agent fire suppression in six rooms has been placed on hold since the evaluation of the clean agent product requires a feasibility study on the impact of the product on the user, equipment, environment, and space for installation. There is no timeframe for the feasibility study. The study's scope and work needs to be discussed. Once the fire extinguishers are replaced, the Fire Department will take over inspection and maintenance.

Audit Type: Performance; Audit Title: Port-wide Payroll Controls; Rating: High
Target Date: 12/31/2023; Report Date: 6/14/2023; Days Outstanding (from Report Date): 273; Days Outstanding (from Target Date): 73
Issue Owner: Director, Aviation Maintenance
Report Finding: The Maximo System used by the Aviation Maintenance Department (AVM) had generated semi-annual, preventive maintenance work orders for certain retired assets, requiring maintenance staff to spend up to 3 hours for each unnecessary work order over 10 years.
Current Status from Management as of 3/13/2024: AVM is deleting/or changing the work tasks associated with disposed of or replaced maintenance items in its Computerized Maintenance Management System (CMMS), to eliminate the misreporting or duplication of work required. This will be part of AVM's preventative maintenance optimization (PMO) project that will begin in AVM in 2024.

Audit Type: Performance; Audit Title: Airport Parking Garage; Rating: High
Target Date: 12/31/2024; Report Date: 11/30/2023; Days Outstanding (from Report Date): 104; Days Outstanding (from Target Date): -293
Issue Owner: Director, Airport Operations
Report Finding: Complimentary Parking – We identified 603 instances of misuse of complimentary parking cards issued to organizations that have business at the Airport. The cards, and the associated Port policy, allowed their staff to park at the Airport Parking Garage for 24 hours or less. This amounted to approximately $74,000 in unbilled parking revenue, during our 18-month test period.
Current Status from Management as of 3/13/2024: The Transportation Access Program Manager is project managing each recommendation to ensure the right staff are working on the appropriate issue in a timely fashion and documenting progress for management. All four recommended items are being worked on towards individual, target completion dates. One item related to card reissue is no longer relevant as a result of the discontinued practice.

Audit Type: Performance; Audit Title: Airport Parking Garage; Rating: High
Target Date: 12/31/2024; Report Date: 11/30/2023; Days Outstanding (from Report Date): 104; Days Outstanding (from Target Date): -293
Issue Owner: Director, Airport Operations
Report Finding: Complimentary Parking – The Port needed to enhance controls relating to retrieving and shutting off complimentary parking cards for employees who leave the Port. By looking at the 1,397 active employee parking cards, we identified 99 active cards that were assigned to employees who were no longer employed by the Port, 16 of which continued to use their cards after separation from the Port.
Current Status from Management as of 3/13/2024: The Transportation Access Program Manager is project managing each recommendation to ensure the right staff are working on the appropriate issue in a timely fashion and documenting progress for management. All three recommended items are being worked on towards individual, target completion dates. One item related to Employee ID number in the parking system is complete as the data field's existence.

Audit Type: Capital; Audit Title: Concourse A Building Expansion for Lounges - Delta TRA; Rating: High
Target Date: 12/18/2024; Report Date: 3/13/2024; Days Outstanding (from Report Date): 0; Days Outstanding (from Target Date): -280
Issue Owner: Chief Engineer/Director, Engineering Services; Director Aviation Project Management; Director Risk Management; Director Aviation & Business Properties
Report Finding: An implicit agreement between Hensel Phelps and the Port’s Risk Management Department settled on $10 Million in Commercial General Liability Insurance (GLI) at an estimated cost of $559,500. Hensel Phelps subsequently materially overbilled the Port for $100 Million in GLI, at a cost of $1,120,784.
Current Status from Management as of 3/13/2024: Report was just issued.

Audit Type: IT; Audit Title: AVM/Facility & Infrastructure Data Centers; Rating: Medium
Target Date: No date supplied; Report Date: 12/4/2018; Days Outstanding (from Report Date): 1926; Days Outstanding (from Target Date): N/A
Issue Owner: Director, Aviation Facilities and Capital Program
Report Finding: Physical Facilities Management. In our sample of 31 rooms, we noted that 52% of the rooms had equipment on the racks that was not properly secured, and that 16% of equipment racks (while securely bolted to the floors) lacked seismic bracing.
Current Status from Management as of 3/13/2024: F&I Response: F&I is working on an engineering contract with Engineering to provide an assessment for seismic, (2-hour) fire rating, and any additional fire suppression for their communication rooms. The goal is to get as many rooms evaluated as possible. The contract is for work this year.

Audit Type: IT; Audit Title: Closed Network Systems Security; Rating: Medium
Target Date: 6/30/2020; Report Date: 9/5/2019; Days Outstanding (from Report Date): 1651; Days Outstanding (from Target Date): 1352
Issue Owner: Chief Information Security Officer
Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session

Audit Type: IT; Audit Title: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers; Rating: Medium
Target Date: 12/31/2021; Report Date: 8/21/2020; Days Outstanding (from Report Date): 1300; Days Outstanding (from Target Date): 803
Issue Owner: Chief Information Security Officer
Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session

Audit Type: IT; Audit Title: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers; Rating: Medium
Target Date: 12/31/2021; Report Date: 8/21/2020; Days Outstanding (from Report Date): 1300; Days Outstanding (from Target Date): 803
Issue Owner: Chief Information Security Officer; Director, Aviation Maintenance
Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session

Audit Type: IT; Audit Title: Account Management - ICT; Rating: Medium
Target Date: 6/1/2023; Report Date: 3/15/2022; Days Outstanding (from Report Date): 729; Days Outstanding (from Target Date): 286
Issue Owner: Chief Information Officer
Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session

Audit Type: IT; Audit Title: Security Awareness and Skills Training; Rating: Medium
Target Date: 6/1/2023; Report Date: 3/23/2023; Days Outstanding (from Report Date): 356; Days Outstanding (from Target Date): 286
Issue Owner: Chief Information Security Officer
Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session

Audit Type: IT; Audit Title: Security Awareness and Skills Training; Rating: Medium
Target Date: 6/1/2023; Report Date: 3/23/2023; Days Outstanding (from Report Date): 356; Days Outstanding (from Target Date): 286
Issue Owner: Chief Information Security Officer
Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session

Audit Type: Performance; Audit Title: Port-wide Payroll Controls; Rating: Medium
Target Date: 1/31/2024; Report Date: 6/14/2023; Days Outstanding (from Report Date): 273; Days Outstanding (from Target Date): 42
Issue Owner: Chief Information Officer
Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session

Audit Type: IT; Audit Title: Email and Web Browser Protections (ICT and AVM); Rating: Medium
Target Date: 3/31/2024; Report Date: 8/29/2023; Days Outstanding (from Report Date): 197; Days Outstanding (from Target Date): -18
Issue Owner: Chief Information Officer
Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session

Audit Type: IT; Audit Title: Email and Web Browser Protections (ICT and AVM); Rating: Medium
Target Date: 3/31/2024; Report Date: 8/29/2023; Days Outstanding (from Report Date): 197; Days Outstanding (from Target Date): -18
Issue Owner: Chief Information Officer; Director, Aviation Maintenance
Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session

Audit Type: IT; Audit Title: Email and Web Browser Protections (ICT and AVM); Rating: Medium
Target Date: 3/31/2024; Report Date: 8/29/2023; Days Outstanding (from Report Date): 197; Days Outstanding (from Target Date): -18
Issue Owner: Chief Information Officer; Chief Information Security Officer
Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session

Audit Type: Limited Contract Compliance; Audit Title: Seattle Air Ventures; Rating: Medium
Target Date: 6/30/2024; Report Date: 11/29/2023; Days Outstanding (from Report Date): 105; Days Outstanding (from Target Date): -109
Issue Owner: Director, Aviation Commercial Management
Report Finding: In 2021, a variance of $142,500 in gross sales was reported between the externally audited financial statements and the amount previously reported to the Port. We also identified differences between point-of-sale revenue and the general ledger.
Current Status from Management as of 3/13/2024: No update requested for this audit period. Follow up will be performed prior to June 30, 2024.

Audit Type: Performance; Audit Title: Airport Parking Garage; Rating: Medium
Target Date: 6/1/2024; Report Date: 11/30/2023; Days Outstanding (from Report Date): 104; Days Outstanding (from Target Date): -80
Issue Owner: Director, Airport Operations
Report Finding: Complimentary Parking – Controls to deactivate complimentary parking cards at the end of lease agreements, were not functioning as intended. From a sample of ten, we identified one terminated lessee whose parking card was still active and continued to be used.
Current Status from Management as of 3/13/2024: The Transportation Access Program Manager is project managing each recommendation to ensure the right staff are working on the appropriate issue in a timely fashion and documenting progress for management. All four recommended items are being worked on towards individual, target completion dates.

Audit Type: Performance; Audit Title: Airport Parking Garage; Rating: Medium
Target Date: 11/30/2024; Report Date: 11/30/2023; Days Outstanding (from Report Date): 104; Days Outstanding (from Target Date): -262
Issue Owner: Director, Airport Operations
Report Finding: Complimentary Parking – Controls to deactivate complimentary parking cards at the end of a 12-month duration (unless reapplied and renewed), for contractors, consultants, and airline workers, were not functioning as intended. Online request forms were not used or, if used, some were incomplete or inaccurately reflected in the parking system.
Current Status from Management as of 3/13/2024: The Transport Access Program Manager is project managing each recommendation to ensure the right staff are working on the appropriate issue in a timely fashion and documenting progress for management. All four recommended items are being worked on towards individual, target completion dates.

Audit Type: IT; Audit Title: Network Infrastructure Management (AVM); Rating: Medium
Target Date: 12/31/2026; Report Date: 12/8/2023; Days Outstanding (from Report Date): 96; Days Outstanding (from Target Date): -1023
Issue Owner: Director, Aviation Maintenance
Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420 – Issues Not Discussed in Public Session

Audit Type: Capital; Audit Title: Concourse A Building Expansion for Lounges - Delta TRA; Rating: Medium
Target Date: 9/24/2025; Report Date: 3/13/2024; Days Outstanding (from Report Date): 0; Days Outstanding (from Target Date): -560
Issue Owner: Chief Engineer/Director, Engineering Services; Director Aviation Project Management; Director Aviation & Business Properties
Report Finding: Hensel Phelps’ Request for Reimbursement Submittal (RRS) for General Requirements did not include adequate supporting documentation.
Current Status from Management as of 3/13/2024: Report was just issued.

Audit Type: Capital; Audit Title: Concourse A Building Expansion for Lounges - Delta TRA; Rating: Medium
Target Date: 12/18/2024; Report Date: 3/13/2024; Days Outstanding (from Report Date): 0; Days Outstanding (from Target Date): -280
Issue Owner: Chief Engineer/Director, Engineering Services; Director Aviation Project Management; Director Aviation & Business Properties
Report Finding: The Port has an opportunity to revise its procedures on future TRA projects in order to decrease the potential of reimbursing unallowable or duplicate costs within General Conditions.
Current Status from Management as of 3/13/2024: Report was just issued.