Port of Seattle Audit Committee
Revised September 13, 2019
September 13, 2019, Pier 69, Commission Chambers, 11:00 AM - 1:00 PM

INTERNAL AUDIT

2020 Proposed Budget - Key Drivers
• Staffing is flat year-over-year.
• From 2017 through 2019 the department focused on staff development.
• In 2020, staff will be used for IT and Capital audits.
• No outside consultants in 2020.
• Overall, an 8.38% decrease in the year-over-year budget.

Internal Audit Organization Structure
Director: Glenn Fernandes
Sr. Administrative Assistant: Pam Bailey
Operational & Compliance: Dan Chase, Sr. Manager - Internal Audit
Capital Audit: Spencer Bright, Manager - Capital Audit
IT Audit: Bruce Klouzal, Manager - IT Audit
Sr. Internal Auditors: Rumiko Okuma; Ritika Marwaha
Internal Auditors: Jennifer Albrecht; Nikita Goyal; two open positions

2020 Proposed Budget

Line item                               | 2018 Actual        | 2019 Budget        | 2019 Forecast      | 2020 Budget
                                        | Amount        %    | Amount        %    | Amount        %    | Amount        %
Salaries/Wages and Benefits             | $1,300,252  85.51% | $1,713,416  89.44% | $1,511,339  89.97% | $1,699,700  96.84%
Outside Services                        |    174,640  11.48% |    147,000   7.67% |    115,051   6.85% |      2,130   0.12%
Equipment Expense                       |      4,773   0.31% |      6,680   0.35% |      6,680   0.40% |      4,321   0.25%
Office Supplies & Stock                 |        682   0.04% |      1,000   0.05% |      1,000   0.06% |        600   0.03%
Travel, Training, and Other Emp Expense |     36,009   2.37% |     39,670   2.07% |     39,670   2.36% |     41,615   2.37%
General Expenses                        |        986   0.06% |      3,260   0.17% |      2,460   0.15% |        760   0.04%
Trade Business & Community              |        150   0.01% |        300   0.02% |        300   0.02% |        300   0.02%
Telecommunications                      |      3,135   0.21% |      4,320   0.23% |      3,356   0.20% |      5,760   0.33%
Total                                   | $1,520,627    100% | $1,915,646    100% | $1,679,856    100% | $1,755,186    100%

The 2020 budget is an 8.4% decrease from the 2019 budget.

2019 Audit Plan
Limited Contract Compliance
• Sixt Rent A Car LLC
• Enterprise Rent A Car
• Anton Airfood
• Mad Anthony's
• Marketing Fund - Concessions
Operational
• Airport Security Screening Program
• Diversity Program
• Marine Maintenance
• A&E Consultant Rates (1)
Capital
• Baggage Optimization
• Noise Insulation Programs (FAA Part 150)
• Concourse D Hardstand Terminal
• Shilshole Tenant Service Building
Information Technology
• Security of Personally Identifiable Information
• HIPAA - Compliance
• PCI - Qualified Security Assessor
• Closed Network System Security
• Inventory and Control of Hardware Assets (1)
• T2 Airport Garage Parking System Replacement (2)
(1) Addition to the 2019 audit plan; approved at the 6/28/2019 Audit Committee meeting.
(2) Moved to the 2020 audit plan; approved at the 6/28/2019 Audit Committee meeting.

2019 Audit Plan Status
Audit Title                                                    | Type
Sixt Rent A Car LLC                                            | Limited Compliance
Marketing Fund - Concessions                                   | Limited Compliance
Security of Personally Identifiable Information                | IT
Noise Insulation Programs (FAA Part 150)                       | Operational - Capital
Marine Maintenance                                             | Operational
Mad Anthony's                                                  | Limited Compliance
Baggage Optimization                                           | Operational - Capital
Anton Airfood                                                  | Limited Operational
Diversity Program                                              | Operational
Closed Network System Security                                 | IT
Airport Security Screening Program                             | Operational
Concourse D Hardstand Terminal                                 | Operational - Capital
HIPAA Compliance                                               | IT
PCI Qualified Security Assessor                                | IT
Add: Architectural, Engineering & Related Support Services     | Operational
Enterprise Rent A Car                                          | Limited Operational
Shilshole Tenant Service Building                              | Operational - Capital
Add: Inventory and Control of Hardware Assets                  | IT
Moved to 2020: T2 Airport Garage Parking System Replacement    | IT
[The slide's Jan-Dec schedule bars (key: Complete, In Process, Removed/Added to Audit Plan) do not survive extraction.]

Audit Follow-Up
1) Concession audits
• Amounts due from the 2019 audits have been billed and collected.
2) Operational
• No issues past their due date.
3) Information Technology
• Three issues past their due date.
• Two are close to being completed.
• One, concerning T2's SOC 2 report, needs internal discussion on acceptance of the risk.

Audits Completed
1) Concourse D Hardstand Terminal
2) Airport Employee Access*
3) HIPAA Privacy/Breach
4) Closed Networks*
5) HIPAA Security*
6) Payment Card Industry (PCI)*
* Security sensitive - exempt from public disclosure per RCW 42.56.420

Concourse D Hardstand Terminal
➢ Holdroom opened October 31, 2018
➢ Design-build with a lump-sum contract
➢ Total cost: $35 million, including $1.7 million in change orders
➢ Holdroom is approximately 32,400 square feet and includes six gate-like areas
Results
➢ Medium: The Port's consultant did not have adequate knowledge of airport building requirements; the design/concept drawings specified a building type that is not allowed in airport terminals.
➢ The consultant's error on the design/concept drawings resulted in additional costs to the Port of $142,654.
Results (continued)
➢ Medium: The contract restricted the Port's ability to audit all contractor and subcontractor records under the lump-sum contract.
➢ The audit clause only allows audit of documents related to changes.
➢ When audit clauses are restrictive, there is an inherent risk that the Port pays additional costs, or does not receive the expected deliverables, without detecting it.

Airport Employee Access
➢ Regulations
• Section 8, SeaTac Airport Schedule of Rules and Regulations No. 5 - Security Compliance
• TSA regulations - 49 CFR Parts 1542, 1544, and 1546 security programs
• TSA definition of "insider threats"
➢ Employee screening
• Includes Port of Seattle employees, concession workers, contractors, and consultants
• Background check and training prior to badge issuance
Results
➢ Three issues deemed security sensitive and exempt from public disclosure.
➢ Discussed 1:1 with Audit Committee members.

HIPAA Privacy/Breach
Presented by: Julia Huddleston, CIPP/US, CIPM, CFO & COO, Apgar & Associates
➢ Compliance audit of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Breach Notification requirements
➢ Existing processes and controls for protected health information (PHI) were assessed against the HIPAA Privacy and Breach Rules using the federal Office for Civil Rights (OCR) Audit Protocol to determine the level of compliance and identify areas for improvement
About Apgar & Associates
➢ Portland, OR based
➢ Developing and implementing practical, workable solutions since 2004
➢ Clients range from single-physician offices to mid-size technology companies to multinational corporations
Results
➢ High: The Port had not designated itself as a hybrid entity for the purposes of the HIPAA Rules, and had not defined which units within the Port form the designated health care component.
➢ Medium: The Port's understanding of which systems and applications create, receive, use, maintain, or transmit PHI and ePHI was incomplete. Combined with the hybrid-entity issue, this could result in team members having more access to sensitive information than law and regulation allow.
➢ Medium: The Port did not consistently enter into and manage business associate agreements with vendors that use, disclose, maintain, or transmit the Port's PHI and ePHI to perform a business function for the Port.
➢ Medium: HIPAA Privacy and Breach training was not being provided to Port employees within a reasonable timeframe.
➢ Medium: The Port did not perform the four-factor risk assessment required under federal law to document how it determined that there was a low probability of compromise of PHI following an acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule.
Management Response
Management to discuss in person. The detailed response is presented in the audit report.

Closed Networks
➢ Evaluated the adequacy of internal controls over the IT security of selected Port Industrial Control Systems (ICS)
➢ Review of three ICS:
• Industrial Waste Treatment Plant (IWTP)
• Auxiliary Utility Facility (AUF)
• Airfield Lighting Controls and Monitoring System (ALCMS)
Results
➢ Five issues deemed security sensitive and exempt from public disclosure.
➢ Discussed 1:1 with Audit Committee members.

HIPAA Security
➢ Compliance audit of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule requirements
➢ Existing processes and controls for electronic protected health information (ePHI) were assessed against the HIPAA Security Rule using the federal Office for Civil Rights (OCR) Audit Protocol to determine the level of compliance and identify areas for improvement
Results
➢ Five issues deemed security sensitive and exempt from public disclosure.
➢ Discussed 1:1 with Audit Committee members.

PCI (External Assessment)
➢ 2019 review completed on August 25, 2019
➢ The Payment Card Industry Data Security Standard (PCI DSS) requires merchants to validate compliance annually; the Port does so by completing a Self-Assessment Questionnaire (SAQ)
• The SAQ verifies to the Port's acquirer (merchant bank) that the Port's security controls over credit card data handling meet the PCI DSS requirements
Results
➢ Four issues deemed security sensitive and exempt from public disclosure.
➢ Discussed 1:1 with Audit Committee members.