Financial Stewardship
Accountability
Transparency
Item No. 11a_supp
Meeting Date: January 14, 2025
2024 Internal Audit Annual Report
Glenn Fernandes - Director, Internal Audit
January 14, 2025
P69 Commission Chambers
12:00 PM - 5:00 PM
Operational Excellence
Governance
2024 Audit Committee
 Commissioner Toshiko Hasegawa, Committee Chair
 Commissioner Ryan Calkins, Committee Member
 Sarah Holmstrom, Committee Public Member
Substitutes
 Commissioner Hamdi Mohamed
 Commissioner Fred Felleman
2
Internal Audit Charter - Authority and Accountability
Approved by Audit Committee, Commission President, and Executive
Director.
 The Internal Audit Department derives its authority from the Port of
Seattle Commission.
 Internal Audit conducts audits and reviews of Port departments,
programs, functions, systems, contracts, and activities.
 The Director is a dual report, who reports functionally to the Audit
Committee and administratively to the Executive Director.
3
Internal Audit Charter - Authority and Accountability
The Director and his or her staff are authorized to:
Have full, free and unrestricted access to all Port functions, activities,
personnel, records, property, and other relevant materials necessary to
accomplish their work.
Access information from contracted third parties and handle the information
in accordance with contractual terms.
Handle documents provided to Internal Audit in the same prudent manner as
by those employees who are normally accountable for them.
Have full access to the Audit Committee and to the Port Commission, as
needed.
4
Internal Audit Charter - Authority and Accountability
The Director and his or her staff are authorized to:
Allocate resources, set frequencies, select subjects, determine scope of work,
and apply the techniques required to accomplish audit objectives.
Obtain the necessary assistance of personnel in units of the Port where they
perform audits, as well as other specialized services from within or outside
the Port.
Report issues related to the processes for controlling the activities of the Port
and its tenants, customers and vendors, including potential improvements to
those processes, and provide information concerning such issues through
resolution.
5
■
Combined Assurance to Break
Down Silos:
The governing body, management,
andinternal audit have their
distinct responsibilities, but all
activities need to be aligned with
the objectives and collectively
grow the value of the organization.
■
Beyond the Three Lines Model:
Today's environment of risk
bedlam requires us to go a step
further. Collaboration is a business
imperative and a platform we can
use to generate even greater
enterprise value.
Source: The Institute of Internal Auditors, THE IIA'S THREE LINES MODEL - An Update of the Three Lines of Defense, published in July 2020.
6
2024 Audit Plan Update
 16 audit reports were completed in 2024: 6 Performance, 4 Capital
Projects, 1 Information Technology, and 5 Limited Contract
Compliance
 Audits identified 10 High Risk, 14 Medium Risk, and 3 Low Risk rated
issues for management action
 Seven active GC/CM Construction Projects, continuous auditing:
 Required by RCW 39.10.385
 Continue to identify cost savings
 Audit reports are shared with Audit Committee Members, and for
transparency, are also posted to the Port's external facing website
[Audit reports can be found at https://www.portseattle.org/page/internal-audit-reports.]
7
2024 AUDIT PLAN STATUS
Audit Title
Fire Department - PFAS Use, Storage, and Phase-out
Time Approval Controls
Delegation of Authority
Equity Policy Directive Compliance
Utility Management - Port-wide
1
Partner in Employment
2
Concourse A Building Expansion for Lounges/DELTA TRA
T-117 Sites 23-25 Restoration Project GC/CM Closeout
TSE - Phase 2 Bollards and ADA Ramps
Parking Garage Elevator Modernization
Application Software Security
3
Network Infrastructure Management (ICT)
3
TSA Cybersecurity
4
Payment Card Industry (PCI) QSA Assessment Results
Stellar Bambuza SEA, LLC
Seattle Food Partners, LLC
1915 KCHouse Concepts - SEATAC, LLC
Pallino SeaTac, LLC
5
Seattle Chocolate Company, LLC
Type
Jan
Feb Mar Apr May Jun
Jul
Aug Sep
Oct Nov Dec
Performance
Performance
Performance
Performance
Performance
Performance
Performance - Capital
Performance - Capital
Performance - Capital
Performance - Capital
IT
IT
IT
IT
Contract Compliance
Contract Compliance
Contract Compliance
Contract Compliance
Contract Compliance
1. This audit was added to the 2024 Plan to assess the impact of fraud allegations.
2. This audit was started in the Fourth Quarter of 2023 and completed in the First Quarter of 2024.
3. This audit was deferred due to the recent Cybersecurity Incident.
4. This audit was performed by an external consultant and managed by InfoSec.
5. This audit was added from the 2024 Contingency Audit Plan.
Complete
KEY In Process
Deferred
8
Performance Audits Focus
 Six Performance audits were completed in 2024
 Key Observations Included:
 PFAS at tenant locations
 Managing overtime when excessive
 Need for enhancements on water leak detection
 Opportunities to improve controls at small organizations
9
Capital/Construction Audits
Four Capital/Construction audits were completed in 2024
 Projects audited had estimated Capital Spend of $152 million
 Key Observations Included:
 Port's closeout expense reconciliation process was effective and met industry
standards
 Revise Tenant Reimbursement Agreement processes to decrease the potential of
unallowable or duplicate costs
 Improve Pay Application review processes by maintaining adequate
supporting documentation
 Obtain Port Risk Management approval of insurance coverage and costs prior
to formalizing contracts
 Seven GC/CM Projects; RCW required audits
 Estimated spend of $1.5B
10
Information Technology (IT) Audits
 One IT audit was completed in 2024
 Focus on enhancing cybersecurity controls
 Discussed in non-public session
11
2025 Audit Strategy
 Stay independent and objective
 Cyber Incident Recovery
 Community Initiatives
 Closed Network Systems
 Continue to focus on Capital Delivery (Financial, Quality, and Schedule)
 Complete RCW Required GC/CM Audits
Internal Audit Outreach Program - Small Business Entities/Grant Recipients
that Partner with the Port
12
Questions
Glenn Fernandes
Director, Internal Audit
13