Port of Seattle Audit Committee
December 7, 2018
P69, Commission Chambers, 1:00 PM - 3:00 PM

INTERNAL AUDIT - COMPREHENSIVE 2018 AUDIT STATUS

Completed Audits - 2017 Audit Plan Carryover
Audit Title | Type
Host International, Inc. | Limited Compliance
Delta Lounge | Operational
Norwegian Cruise Line Partnership | Operational
Employee Parking | Operational
Transportation Network Companies | Operational
Terminal 91 Dockage | Operational

2018 Audit Plan Status
Audit Title | Type
Beecher's Handmade Cheese | Limited Compliance
Disbursements / Accounts Payable | Operational
Sky Chef's Inc. | Limited Compliance
Capital - N. Satellite | Operational
Dollar Rent a Car | Limited Compliance
TNC's Rematch (EKPI's) | Operational
Fox Rent-A-Car | Limited Compliance
Thrifty Car Rental | Limited Compliance
Parking Soft System (Protiviti) | IT
Capital - Westside Fire Station | Operational
Cruise Related Investments | Operational
Add: Cash Controls - Seatac Parking Garage | Operational
Change Management - AVM (Point B) | IT
Seatac Utilities | Operational
Capital - IAF | Operational
Data Centers - AVM | IT
Marine Maintenance Shops*** | Operational
Add: Personally Identifiable Information | IT
Add: Sixt Rent-A-Car LLC | Limited Compliance
Remove: Taxi Cabs (Eastside for Hire)* | Operational
Remove: Northwest Seaport Alliance** | Operational

(Monthly status timeline, Jan - Dec, not reproduced.)
Key: Complete; In Process / Carryover to 2019 Audit Plan; Add / Remove from Audit Plan
* Contract with ESFH will not be renewed. Legal settlement/contract modification with ESFH addresses risk.
** Audits will be performed in 2019 by an external audit firm.
*** Internal Audit was unable to complete this audit. Audit will be reassigned and completed in 2019.

2019 Audit Plan Drivers
The Audit Plan is informed by:
• Budget Spend / Financial Implications
• Audit Committee / Commission Mandates
• Policy Mandates
• Audit Universe / Audit History
• Executive Director / Executive Leadership
• Public Comments / Concerns
• Enterprise Risk Assessment

INTERNAL AUDIT - Lease and Concession Audit Plan Approach
• Approximately 111 leases

Agreement Year | 2017 | 2018 | Total
Total Revenues | $112 MM | 107 MM | $219 MM
Sea-Tac | $109 MM | 104 MM | $213 MM
Economic Development | $3 MM | 3 MM | $6 MM

Approach
Rating | High | Medium | Low | Total
Number of Leases | 9 | 24 | 78 | 111
Revenue | $113 MM | 85 MM | 21 MM | $219 MM
Percentage | 52% | 39% | 9% | 100%
Frequency | Annual | 4 year cycle 2-3 | 8 year cycle 2-3 | As needed

Proposed 2019 Audits
Name | Division | Rating | 2017/2018 Revenues
Enterprise Rent A Car* | Aviation | High | $23,799,715
Anton Airfood | Aviation | Medium | 3,568,762
Sixt Rent A Car LLC | Aviation | Medium | 2,672,348
Mad Anthony's | Maritime | Low | 913,840
Total | | | $30,954,665

Contingency**
Lenlyn Limited | Aviation | Medium | 2,642,404
ALClear, LLC | Aviation | Low | 403,679
Total | | | $3,046,083

* Includes: National, Alamo, and Enterprise
** If resources exist, at director's discretion audit will be moved to the 2019 Audit Plan.

Two Year Concession Audit History by Revenue (chart)
• Audited: $134,193,901
• Proposed 2019: $30,954,665
• Not Audited: $53,851,434

INTERNAL AUDIT - Capital Projects Audit Plan Approach
• 102 approved projects

Division | Budget | Expense to Date
Aviation | $3,594 MM | $925 MM
Non-Aviation | 125 MM | 45 MM
Total | $3,719 MM | $970 MM

Proposed 2019 Audits
Name | Management Rating | Budget
Checked Baggage Recap/Optimization | Yellow | $445 MM
Noise Insulation Programs (FAA Part 150) | N/A | Various
Concourse D Hardstand Terminal | Yellow | 37 MM
Shilshole Tenant Service Building | Red | 10 MM
Notes listed on the slide: Behind Schedule/Budget Increase; Commission Request

Contingency*
Cruise Terminal | Yellow | 100 MM
* If resources exist, at director's discretion audit will be moved to the 2019 Audit Plan.

INTERNAL AUDIT - Information Technology Audit Plan Approach

Proposed 2019 Audits
Name | Risk (from IT Audit Universe) | Selection Criteria | Explanation
Security of Personally Identifiable Information | High | Emerging Risk | Selected from IT Audit Universe based on risk and perceived benefit to the Port
HIPAA - Compliance | High | Regulatory Requirement | Periodic Review of HIPAA Compliance is required under § 164.308(a)(8) - Evaluation
Payment Card Industry (PCI) - Quality Security Assessor | High | Contractual Requirement | Annual review required by contract for Port Credit Card processing
Closed Network System Security | Critical | Emerging Risk |
T2 Airport Garage Parking System Replacement | High | Management Request | Requested by Sr. Management in Risk Interviews

Contingency*
Inventory and Control of Hardware Assets
* If resources exist, at director's discretion these will be moved to the 2019 Audit Plan.

INTERNAL AUDIT - Proposed 2019 Audit Plan

Limited Contract Compliance
• Sixt Rent A Car LLC (1)
• Enterprise Rent A Car
• Anton Airfood
• Mad Anthony's
• Marketing Fund - Concessions

Operational
• Airport security screening program
• Diversity Program
• Marine Maintenance (2)

Capital
• Baggage Optimization
• Noise Insulation Programs (FAA Part 150)
• Concourse D Hardstand Terminal
• Shilshole Tenant Service Building

Information Technology
• Security of Personally Identifiable Information (1)
• HIPAA - Compliance
• PCI - Quality Security Assessor
• Closed Network System Security
• T2 Airport Garage Parking System Replacement

(1) Approved addition to plan at 9/28/2018 Audit Committee Meeting
(2) Internal Audit was unable to complete this audit. Audit will be reassigned and completed in 2019.

INTERNAL AUDIT - Contingency Audits
If resources exist, at director's discretion, these will be moved to the 2019 Audit Plan.
• Limited Contract Compliance: Lenlyn Limited; AlClear, LLC
• Operational: 2019 Taxi Cab Contract
• Information Technology: Inventory and Control of Hardware Assets
• Capital: Cruise Terminal

INTERNAL AUDIT - 2018 / 2017 Recoveries

2018 Audits | Amount
Dollar Rent-A-Car | $22,164
Fox Rent-A-Car, Inc.* | 98,310
Thrifty Car Rental* | 203,764
North Satellite Renovation and Expansion Project** | 1,532,281
Total | $1,856,519

2017 Audits | Amount
Hertz Car Rental | $58,554
Bell Harbor International Conference Center | 26,387
Airport Lounge Development Corporation | 118,745
Clear Channel Outdoor, Inc. | 11,259
TNC (Uber, Wingz, Inc.) | 37,993
Total | $252,938

* Agreed to pay, but not yet collected.
** Not collected.

INTERNAL AUDIT - 2017 / 2018 Controllable Cost Over-Runs
Audit | Amount
North Satellite Renovation and Expansion Project | $31,800,000
Delta Lounge | 190,000
International Arrivals Facility - Labor Burden | $8,200,000 - 11,000,000
International Arrivals Facility - Insurance | 2,800,000
Total | $42,990,000 - 45,790,000

INTERNAL AUDIT - Tracking of Significant Overdue Issues

Audit: North Satellite Renovation and Expansion Project
Owner: Jeffrey Brown
Issue: August 2017, Port Management communicated to the Commission that a request was made to Alaska seeking reimbursement of $1.2 MM. IA recommended to seek reimbursement.
Status: June 20, 2018 letter provided to Alaska requesting ~ $1.5 MM. Not invoiced.

Audit: On / Off Boarding of Consultants and Contractors
Owner: HR Director
Issue: A process has not been established to account for and manage / monitor independent contractors and contingent workers. IA recommended a system to track non-port workers.
Status: Processes and procedures have not been implemented. Policy developed.

Audit: Centralized International Support Services Agreement
Owner: Tom Tanaka
Issue: $55,000 overpayment to VIP. IA recommended amendment to contract.
Status: Legal is drafting amendment for commission approval. ~ $300,000

INTERNAL AUDIT - Audits
1) Sea-Tac Utilities
2) International Arrivals Facility (IAF)
3) AV/M and F&I Data Centers
4) AV/M IT Change Management and Patch Management
5) Thrifty Car Rental

INTERNAL AUDIT - Sea-Tac Utilities
• Established as a utility in 2001
• Water, Natural Gas, Electricity, Garbage, Waste Water
• Approximately $16 MM utility costs
• ~50% billed through metered use

Results
1. Medium - Metered Accounts
• Over 750 Metered Accounts
• Process to validate the completeness of metered accounts list or the accuracy of the reads
• Incorrect Billing
• Broken & Missing Meters

Results
2. Medium - Timely Billing
• Timely notification of billing information within Port Departments (Lease Additions, Terminations, Adjustments, etc.)
• 56% of notifications provided late
• Late billings to tenants: 74% of time for Electricity; 88% of time for Water/Gas

MANAGEMENT RESPONSE
Management to discuss in person. Detailed response presented in audit report.

INTERNAL AUDIT - International Arrivals Facility (IAF)
• September 2018, GMP amendment approved with Clark Construction - $774 MM
• Overall program cost - $968 MM
• Estimated completion May 2020
• Pay Application Process Robust / Well Established
• Approach - identify red flags that might impede successful and timely completion of IAF
• Identify areas where we can improve on future capital projects

Opportunities
1. Medium - Set Labor Multiplier at market rates
• Labor multiplier for Clark set at 88.7% in new GMP
• Labor increased from 35.7% to 88.7%
• U.S. Labor Statistics Seattle Region = 30%
• Industry Standard Rate Between 30% - 40%
• $8.2 MM to $11 MM increased payroll costs
• Non-audit clause included in GMP contract

Opportunities
2. Medium - Set General Liability Insurance (GLI) range from Risk Management
• GLI set at $7.49 per $1,000 of contract in new GMP
• Port's Risk Management recommends $3.95
• External consultant calculated Seattle @ $3.85
• $2.8 million in additional insurance cost
• Non-audit clause included in GMP contract

Opportunities
3. Medium - Require Not-to-Exceed (NTE) contracts with subcontractors
• NTE vs. Lump-Sum Contracts with Subcontractors
  • NTE = Actual Cost + % for Overhead & Profit
  • Lump Sum = 100% of contract value, regardless of actual cost

MANAGEMENT RESPONSE
Management to discuss in person. Detailed response presented in audit report.

INTERNAL AUDIT - AV/M and F&I Data Centers
The Data Centers/IDFs (Intermediate Distribution Frames) contain the Airport's servers, applications and network infrastructure, which are critical to airport operations.
Areas reviewed during this audit:
• Physical Security
• Cleanliness
• Fire Detection/Suppression
• Emergency Power
• Seismic bracing
• Other related controls

RESULTS
I. Physical Access to Facilities
High - Many rooms in the sample allowed access to hundreds of people with no legitimate business need. Examples:
• For one of the server rooms, 82 people had key card access, while 1560 had physical key access.
• For one of the telecommunication rooms, 577 people had key card access, while 1472 had physical key access.
• For another server room, in 2017, 32 individuals in the Police Department used the back door approximately 6000 times, which dropped to only 3 times in 2018 (this was due to construction in the garage, which limited access to the garage from the room's back door).

RESULTS
II. Physical Facilities Management
Medium - 77% of the rooms in the sample contained varying levels of flammable material, clutter, dust, and storage of inappropriate materials (including Christmas trees, old equipment, carts, etc.).
• Rooms with gas fire suppression lacked warning signage as required by state law.
• CO2 is being used as a Fire Suppression System in one of the rooms reviewed. The Environmental Protection Agency (EPA) states: "At concentrations greater than 17 percent, such as those encountered during carbon dioxide fire suppressant use, loss of controlled and purposeful activity, unconsciousness, convulsions, coma and death occur within 1 minute of initial inhalation of carbon dioxide." The room additionally lacked the warning signs required by State Law and NFPA (National Fire Protection Association) Standard #12 to alert people.

Examples - Clutter, Dust, Storage (photos not reproduced)
Example - CO2 Fire Suppression in Generator Room (photo not reproduced)

RESULTS
III. Protection Against Environmental Factors
High - 35% of the rooms reviewed did not have fire suppression capability and 55% did not have fire extinguishers. Four rooms had Halon fire extinguishers, which are ozone-depleting and do not support the Port's value of being a responsible steward of the environment.
Types of Fire Extinguishers being used:
• Halon
• Halotron
• ABC
• Ammonium Phosphate
• Foam

Examples - Halon Fire Extinguishers (photos not reproduced)

MANAGEMENT RESPONSE
Management to discuss in person. Detailed response presented in audit report.

INFORMATION TECHNOLOGY AUDIT - AVIATION MAINTENANCE IT CHANGE MANAGEMENT AND PATCH MANAGEMENT
January 2014 - November 2018
Prepared by Point B in partnership with the Port of Seattle Internal Audit department

BACKGROUND
Change Management: A broadly accepted, industry best practice that governs the identification, prioritization, authorization, release, and communication of all changes to production environments.
Patch Management: Processes and controls that govern the identification, assessment, prioritization, testing, and application of critical application and security patches to the production environments.

RESULTS
The following diagram compares the AV/M IT Change Management and Patch Management process maturities to a standard Capability Maturity Model. While reflecting many best practices, the internal processes and controls require further maturation in order to meet the requirements of a critical infrastructure environment. (Maturity diagram not reproduced.)

RESULTS
I. IT Change Management
Medium - AV/M's IT Change Management processes are straightforward and repeatable, but require further maturation. The established processes also need to be consistently followed in order to meet the requirements of critical infrastructure environments.

RESULTS
II. Patch Management
Medium - While some technologies (Windows servers and desktops) are appropriately managed, AV/M does not maintain the control processes and tools necessary for effectively managing patch compliance over the full breadth of systems they support. For example, patch management is not effective for unsupported Microsoft operating systems and applications, or for Linux operating systems.

MANAGEMENT RESPONSE
Management to discuss in person. Detailed response presented in audit report.

INTERNAL AUDIT - Thrifty Car Rental
• Minimum Annual Guarantee - 10% of Gross Revenue
• Customer Facility Charge - $6
• 2014 - 2017: Percentage Fees ~ $1.5 MM / Year; CFC Fees ~ $2.1 MM / Year

Results
1. Medium - $10,358 due in additional Percentage Fees. (Incidental Revenue)
2. Medium - $111,912 due in additional CFC fees. (Waived CFCs)

Management Response
• Management will seek to recover the fees (including audit costs), together with any applicable late fees and interest charges.
• Management will also communicate both verbally and in writing their obligations with respect to revenues and CFC's.