Port of Seattle Audit Committee
Glenn Fernandes - Director, Internal Audit
December 9, 2019
Pier 69, Commission Chambers
10:00 AM - 12:00 PM
Revised: December 9, 2019
Financial Stewardship, Accountability, Transparency, Operational Excellence, Governance

2019 AUDIT PLAN STATUS

Audit Title | Type
Sixt Rent A Car | Contract Compliance
Airport Tenant Marketing Program | Contract Compliance
Security of Personally Identifiable Information | IT
Noise Insulation Program | Operational - Capital
Marine Maintenance Shop | Operational
Mad Anthony's, Inc. | Contract Compliance
Checked Baggage Optimization Project (Phase 1) | Operational - Capital
Anton Airfood of Seattle, Inc. | Contract Compliance
Diversity In Contracting | Operational
Closed Network System Security | IT
Airport Employee Access | Operational
Concourse D Hardstand Holdroom | Operational - Capital
HIPAA Security Compliance | IT
HIPAA Privacy and Breach Compliance | IT
Payment Card Industry (PCI) | IT
Added: Architectural and Engineering Consultant Rates | Operational
EAN Holding, LLC | Contract Compliance
Shilshole Bay Marina Customer Facilities Project | Operational - Capital
Added: Inventory and Control of Hardware Assets | IT
Deferred to 2020: T2 Airport Garage Parking System Replacement | IT

[Timeline chart: January through December. Key: Complete; Deferred/Added to Audit Plan]

2019 Audit Plan Update

➢ 19 reports; 18 audit reports and 1 summary report completed in 2019 as planned: Operational (4), Capital Projects (4), IT (6), and Limited Contract Compliance (5)
➢ Audits identified 13 High Risk and 29 Medium Risk issues for management action
➢ The Port has opportunities to strengthen internal controls and related processes
➢ Capital Spending - Opportunities to reduce costs / be more efficient

2019/2018 Suggested Recoveries

Lease/Concession:

2019 Audits | Amount
Sixt Rent A Car | $43,299
EAN Holdings, LLC | 6,159
Anton Airfood of Seattle, Inc. | 5,420
Mad Anthony's, Inc. | 15,557
Total | $70,435

2018 Audits | Amount
Dollar Rent A Car | $22,164
Fox Rent A Car, Inc. | 98,310
Thrifty Car Rental | 194,135
Total | $314,609

Capital:

2019 Audits | Amount
Concourse D Hardstand Holdroom | $142,654*
Checked Baggage Optimization Project - Phase 1 | $545,000 - 801,000*
Total | $687,654 - 943,654

2018 Audits | Amount
North Satellite Renovation and Expansion Project | $1,532,281**
Total | $1,532,281

* Management is in process of collecting
** Management has not collected

2019/2018 Controllable Cost Over-Runs

Audit | 2018 Amount | 2019 Amount
North Satellite Renovation and Expansion Project | $31,800,000 |
Delta Lounge | 190,000 |
International Arrivals Facility - Labor Burden | 8,200,000 - 11,000,000 |
International Arrivals Facility - Insurance | 2,800,000 |
Noise Insulation Program* | | $660,140
Shilshole Bay Marina Customer Facilities Project** | | 186,400
Total | $42,990,000 - 45,790,000 | $846,540

* Calculated assuming a 16% margin markup vs. 51%
** Calculated based on design changes and revision back to original design
Note: Does not include controllable cost over-runs from the Architectural & Engineering Consultant Rates Audit

Lease and Concession Audit Plan Approach

➢ Approximately 125 leases*

Agreement Year | Sea-Tac | Economic Development | Total Revenues
2017 | $109 MM | $8 MM | $117 MM
2018 | 117 MM | 8 MM | 125 MM
2019** | 105 MM | 6 MM | 111 MM
Total | $331 MM | $22 MM | $353 MM

➢ Approach

Rating | Number of Leases | 2017-2019 Revenue | Percentage | Frequency
High | 11 | $193 MM | 55% | 4 year cycle
Medium | 24 | 126 MM | 36% | 8 year cycle
Low | 90 | 34 MM | 9% | As needed
Total | 125 | $353 MM | 100% |

* See Appendix A - Lease Concession Risk Universe
** Annualized using a simple average, based on actual data as of 8/31/2019

2020 Lease and Concession Audit Plan

[Note: Audits of all high-risk rated lease agreements were completed within the last four years.]
Name | Division | Rating | 2017-2019 Revenues
LenLyn Limited | Aviation | Medium | $4,045,676
Concourse Concessions, LLC | Aviation | Medium | 2,911,734
McDonald's USA, LLC | Aviation | Medium | 2,711,165
Concessions Int'l, INC | Aviation | Medium | 2,389,253
Fireworks | Aviation | Medium | 2,180,293
Qdoba Restaurant Corporation | Aviation | Medium | 2,136,208
E-Z Rent A Car | Aviation | Low | 1,219,262
Total | | | $17,593,591

Contingency Audit* | Division | Rating | 2017-2019 Revenues
Avis Budget Car Rental | Aviation | High | $21,629,115
Total | | | $21,629,115

* If resources exist, at Internal Audit Director's discretion, this audit will be moved to the 2020 Audit Plan.

Capital Projects Audit Approach

➢ 25 projects currently under contract*
➢ Risk rating of projects utilizing six attributes:
✓ Project Size (Construction Costs)
✓ Change Orders (Original Contract Sum)
✓ Contract Type
✓ Schedule
✓ Budget
✓ Known Concerns (Errors & Omissions, Potential Claims, Scope Changes, etc.)

Division | Current Contract Amount | Construction Cost to Date
Aviation | $1,461 MM | $890 MM
Non-Aviation | 18 MM | 0
Total** | $1,479 MM | $890 MM

* See Appendix B - Capital Risk Universe - Projects Currently Under Contract, Risk Rating Methodology.
** Contract costs as of August 2019. Does not include soft costs.

2020 Proposed Capital Audit Plan

Name | Rating*: Schedule | Rating*: Budget | Total Contract Amount
Service Tunnel Renewal/Replace | Red | Yellow | $25.1MM
Central Terminal Infrastructure Upgrade | Red | Red | 12.3MM
North Terminals Utilities Upgrade - Phase 1 | Green | Red | 12.1MM
AOA Perimeter Fence Line Standards Compliance | Red | Yellow | 4.4MM
Total | | | $53.9MM

Contingency Audits** | Rating: Schedule | Rating: Budget | Total Contract Amount
Flight Corridor Safety Program | Red | Green | $4.3MM
Lora Lake Site Remediation | Yellow | Green | 9.1MM
Total | | | $13.4MM

* Ratings generated from Internal Audit's risk assessment, utilizing the following systems: Quarterly Capital Improvement Projects, Contractor Data system, etc. See Appendix B - Capital Risk Universe - Projects Currently Under Contract, Risk Rating Methodology.
** If resources exist, at Internal Audit Director's discretion, these audits will be moved to the 2020 Audit Plan.

Information Technology Audit Plan Approach

Emerging Risks:
➢ Selected from the IT Audit Universe based on risk and perceived benefit to the Port*

Center for Internet Security**:
➢ A series of 20 foundational and advanced cybersecurity actions that collectively form a defense-in-depth set of best practices, which can eliminate the most common attacks
➢ Developed by a community of IT experts who apply their first-hand experience as cyber defenders
➢ The February 2016 "California Data Breach Report" by the CA Attorney General, recommended that "The 20 controls in the Center for Internet Security's Critical Security Controls, define a minimum level of information security that all organizations that collect or maintain personal information should meet."

* See Appendix C - IT Audit Universe
** https://cybernetsecurity.com/industry-papers/CIS-Controls%20Version-7-cc-FINAL.PDF - page 1

Information Technology Audit Plan

Proposed 2020 Audits

Name | Risk (from IT Audit Universe) | Selection Criteria
Network Password Management | High | Emerging Risk
Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers | High | Emerging Risk
T2 Airport Garage Parking System Replacement | High | Management Request for 2019; deferred to 2020
Inventory and Control of Software Assets | High | Emerging Risk

Proposed 2020 Status Reports

Name | Basis
Payment Card Industry (PCI) - Qualified Security Assessor | Annual review required by banking and card-brand agreements
Criminal Justice Information Services (CJIS) | Triennial audit by Washington State Patrol

Contingency Audit* | Risk (from IT Audit Universe) | Selection Criteria
Malware Defenses | High | Center for Internet Security

* If a proposed audit cannot be performed, at the Internal Audit Director's discretion, this audit will be moved to the 2020 Audit Plan.
Historical Reports Overview 2017 - 2020

Report Type | 2017* | 2018** | 2019 | 2020 (proposed)
Limited Contract Compliance | 8 | 6 | 5 | 7
Operational | 11 | 8 | 4 | 4
Operational - Capital | 1 | 5 | 4 | 4
Information Technology | 2 | 3 | 6 | 6
Total | 22 | 22 | 19 | 21

* 2017 included 9 audits carried over from the 2016 audit plan. The 1st and 2nd Quarter Audit Committee Meetings discussed 2016 Audits.
** 2018 included 6 audits carried over from the 2017 audit plan. The 1st Quarter Audit Committee Meeting discussed 2017 Audits.

Proposed 2020 Audit Plan

Limited Contract Compliance
• Lenlyn Limited
• Concourse Concessions, LLS
• McDonald's USA, LLC
• Concessions Int'l, INC
• Fireworks
• Qdoba Restaurant Corporation
• E-Z Rent A Car

Operational
• Asset Disposal Process
• Ground Transportation - Taxi Cabs
• Cash Controls
• Professional Services

Information Technology
• Network Password Management
• Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
• T2 Airport Garage Parking System Replacement (1)
• Inventory and Control of Software Assets
• Biometrics
____________________________
• Payment Card Industry (PCI) Qualified Security Assessor (2)
• Criminal Justice Information Services (CJIS) (3)

Capital
• Service Tunnel Renewal/Replace
• Central Terminal Infrastructure Upgrade
• North Terminal Utilities Upgrade - Phase 1
• AOA Perimeter Fence Line Standards Compliance

(1) Moved to 2020 audit plan; approved at 6/28/2019 Audit Committee Meeting.
(2) This work will be performed by an outside firm. Internal Audit will provide a summary report to the Audit Committee.
(3) This work will be performed by the Washington State Patrol. Internal Audit will provide a summary report to the Audit Committee.

Contingency Audits - if resources exist, at Internal Audit Director's discretion, these audits will be moved to the 2020 Audit Plan.
Limited Contract Compliance
• Avis Budget Car Rental

Operational
• Delegation of Authority Compliance
• Architectural & Engineering Consultant Rates Follow-Up Audit

Information Technology
• Malware Defenses

Capital
• Flight Corridor Safety Program
• Lora Lake Site Remediation

Audits Completed in Fourth Quarter, 2019

1) Architectural & Engineering Consultant Rates
2) Shilshole Bay Marina Customer Facilities Project
3) Inventory and Control of Hardware Assets*
4) EAN Holdings, LLC

* Security Sensitive - Exempt from Public Disclosure per RCW 42.56.420 - Not Discussed

Architectural & Engineering Consultant Rates

➢ Architectural and Engineering costs account for approximately 10-20 percent of capital costs
➢ $3.6 billion in capital spending over the next five years
➢ RCW 39.80.050 states "The agency shall negotiate a contract with the most qualified firm...at a price which the agency determines is fair and reasonable"

Results

➢ High: CPO had not established guidelines for what is determined fair and reasonable. Our testing of over 400 A&E consultants identified many instances where profit margins exceeded what the industry deemed reasonable.
✓ Below table reflects the profit margins of the firms tested:
[Note: Industry standard ranges between 10 - 15 percent.]

Recommendations

➢ The Procurement Council should determine what the Port deems a fair and reasonable rate and should document the rationale for transparency.
➢ CPO should engage a third party to perform an independent model validation of the rate tool, so that management can gain confidence that the model produces accurate market rates.

Results

➢ High: Management approval was not required when hourly rates exceeded the maximum rates produced by the service rate negotiation tool/model.
✓ Below table reflects the number of positions that exceeded the maximum and the amount that the Port agreed to pay over the maximum rate for every hour worked:

Recommendations

➢ CPO should implement a management review process when consultant rates exceed the maximum. This review should be documented and contain established criteria and approval thresholds (i.e., up to 20% over the maximum) for both the Services Agreement Manager and Planning and Analytics Manager to approve.
➢ If the thresholds exceed their authority or if agreement cannot be reached, approval should be escalated to the appropriate person (i.e., director, COO) for approval, as required by the authority guidelines.

Results

➢ High: A reconciliation between the final negotiated rates and the contract did not occur. As a result, we were unable to verify that all positions and rates reflected in the contract were accurate.
✓ Below table reflects the type and number of exceptions:

Recommendations

➢ CPO should retain documentation to evidence the agreed-upon rate and position.
➢ CPO should then use this documentation to verify that the rates are accurately captured in the contract before it is executed.

Results

➢ Medium: The Central Procurement Office is responsible for procuring all contracts related to public works, consulting services, and goods and services. Governance meetings for Executive Leadership Team (ELT) oversight of CPO had not occurred since December 7, 2017.

Recommendations

➢ The Chief Operating Officer should lead an effort to determine the meeting frequency and information that is deemed necessary to perform effective governance.
➢ We also recommend that, at a minimum, the CFO and the Port's Managing Directors of Aviation and Maritime attend these meetings.
➢ Finally, we recommend developing a charter that defines the purpose, objective, and voting rights (if necessary) within the Governance Committee.

Shilshole Bay Marina Customer Facilities Project

➢ Construction of three new buildings, including: two large, multi-use buildings (restroom, shower and laundry) located in the south and central areas of the Marina, plus a smaller restroom/shower building at the north end.
➢ Total project estimate: $15 million with lump-sum design-bid-build method
➢ Project Timeline: 2014 - Conceptual phase → January 2015 - Funding approval → May 2017 - Anticipated substantial completion of construction → September 2019 - Actual construction began → Estimated completion in Q2, 2020
➢ The initial bids received in 2018 were 33% higher than the engineer's estimate. The project was rebid in June 2018, and Western Ventures Construction was awarded the contract.

Results

➢ Medium: An opportunity exists to improve internal controls by requesting that Tetra Tech provide individual names on invoices. This would provide the detail required for the Port to assure that individuals being billed for services performed have the appropriate experience, fall into the appropriate job category, and are billed at the correctly negotiated rate.

Recommendation

➢ Port management should request that Tetra Tech provide individual names on invoices so that the Port can monitor which consultants are working on the Project. Individual names can be compared to the Level of Effort, and if there are names that are not in line with the Level of Effort, invoice reviewers have the ability to work with the Rate Negotiations Team to assure the Port is billed a fair and reasonable rate.

Inventory and Control of Hardware Assets*

➢ Evaluated the adequacy of internal controls related to IT hardware asset management
➢ As data breaches continue to increase in severity and scale today, organizations need to ensure the basic security controls are in place to keep data safe from attack
➢ Focused on the first of twenty control objectives from the Center for Internet Security (CIS), which was devised for an organization to be certain of what devices are on the network and are effectively defended

* Security Sensitive - Exempt from Public Disclosure per RCW 42.56.420 - Issue Not Discussed in Public Session

EAN Holdings, LLC

➢ EAN Holdings (Enterprise Rent-A-Car, Alamo Rent-A-Car, and National Rent-A-Car)
➢ Percentage fee equal to 10% of gross revenues
➢ EAN generates $12 million annually in percentage fees and $14 million in Customer Facility Charges

Results

➢ Medium: Internal Audit identified one late payment for Percentage Fees owed for the month of October 2016. As a result, a late fee of $6,159 is due to the Port.
Status: In process of collection

Appendix A - Lease/Concession Risk Universe

High Risk:

Name | Contract | Year Report Issued | 2017 | 2018 | 2019* | Total
ENTERPRISE RENT A CAR | AIR001281 | 2019 | $11,795,625 | $12,428,124 | $10,439,761 | $34,663,511
AVIS BUDGET CAR RENTAL | AIR001282 | 2017 | 7,581,317 | 7,589,972 | 6,457,827 | 21,629,115
DUFRY - SEATTLE JV | AIR001661 | 2017 | 6,948,870 | 6,929,809 | 6,590,999 | 20,469,678
RASIER LLC | AIR002022 | 2017 | 4,812,691 | 6,569,772 | 6,613,020 | 17,995,483
AIRPORT MANAGEMENT SERVICES LLC | AIR002017 | 2017 | 5,809,324 | 6,287,731 | 4,807,242 | 16,904,297
HERTZ CORPORATION | AIR001278 | 2017 | 5,141,903 | 5,311,454 | 5,130,177 | 15,583,535
IN-TER-SPACE SERVICES, INC | AIR002224 | 2017 | 2,872,851 | 6,324,797 | 4,483,914 | 13,681,562
EASTSIDE FOR HIRE, INC (New Contract) | AIR002100 | 2017 | 5,128,377 | 4,408,877 | 3,763,749 | 13,301,004
HOST INTERNATIONAL, INC | AIR000435 | 2017 | 5,819,739 | 4,460,347 | 2,827,794 | 13,107,880
LOUIS DREYFUS COMPANY WASHINGTON LLC | SEA002603 | 2017 | 4,727,693 | 4,734,772 | 3,639,559 | 13,102,024
AIRPORT MANAGEMENT SERVICES LLC | AIR002018 | 2017 | 4,460,353 | 4,551,881 | 3,640,814 | 12,653,048
Total | | | $65,098,745 | $69,597,535 | $58,394,856 | $193,091,136

* Annualized based on 8/31/2019 actuals

Appendix A - Lease/Concession Risk Universe (continued)

Medium Risk: Name HOST INTERNATIONAL, INC SKY CHEFS INC LYFT DOUG FOX TRAVEL/ATZ GATE GOURMET INT'L SEATTLE RESTAURANT ASSOCIATES CMC INVESTMENTS INC REPUBLIC PARKING NORTHWEST INC ANTON AIRFOOD DTAG AIRPORT MANAGEMENT SERVICES LLC FLYING FOOD FARE INC LENLYN LIMITED SIXT RENT A CAR LLC FOX RENT A CAR INC CLEAR CHANNEL WORLDWIDE CONCOURSE CONCESSIONS LLC MCDONALD'S USA, LLC $ BEECHER'S HANDMADE CHEESE, LLC SEATAC BAR GROUP LLC SEATTLE TACOMA INTL LIMOUSINE ASSOC CONCESSIONS INT'L INC.
FIREWORKS QDOBA RESTAURANT CORPORATION Contract AIR002019 AIR001849 AIR002023 AIR001718 AIR000042 AIR000439 AIR001280 SEA000425 AIR000374 AIR001279 AIR000437 AIR000086 AIR001788 AIR001632 AIR001285 AIR000950 AIR002055 AIR001606 AIR001562 AIR002053 AIR001991 AIR002148 AIR002101 AIR002096 2017 2,433,655 3,769,424 2,081,719 3,109,296 2,638,361 2,874,131 1,843,234 1,795,978 1,984,773 1,517,830 1,567,398 1,419,046 1,248,767 1,300,372 1,245,147 3,668,207 1,012,207 686,877 850,522 915,387 857,636 1,538,273 167,088 $ 40,525,328 $ 2018 4,771,768 4,353,390 3,710,868 3,238,383 2,874,824 2,980,072 1,989,383 1,819,256 2,151,032 1,887,620 1,601,369 1,501,111 1,406,196 1,627,902 1,548,053 1,035,852 998,367 932,595 927,016 852,551 850,980 1,040,112 1,095,768 $ 45,194,467 $ 2019* 4,971,366 3,988,427 4,119,210 3,222,648 2,959,631 2,343,216 1,616,993 1,372,031 826,726 1,456,492 1,595,023 1,232,285 1,390,713 1,084,721 1,214,369 863,675 1,025,920 912,326 842,070 786,721 973,093 1,040,441 $ 39,838,097 $ Grand Total 12,176,788 12,111,241 9,911,797 9,570,327 8,472,816 8,197,419 5,449,609 4,987,264 4,962,531 4,861,942 4,763,789 4,152,442 4,045,676 4,012,995 4,007,569 3,668,207 2,911,734 2,711,165 2,695,443 2,684,474 2,496,908 2,389,253 2,180,293 2,136,208 $ 125,557,892 $ * Annualized based on 8/31/2019 actuals 32 Appendix A - Lease/Concession Risk Universe (continued) Low Risk: Name SODEXO AMERICA, LLC PAYLESS CAR RENTAL, INC SSP AMERICA SEA, LLC MAD ANTHONY'S INC. (Fisherman's Terminal) EX OFFICIO LLC E-Z RENT-A-CAR MAD ANTHONY'S INC PIER 66 SMARTE CARTE INC DILETTANTE CHOCOLATES INC HOST INTERNATIONAL, INC FRUIT & FLOWER LLC DBA FLORET AUTHORITY TASTE INC dba VINO VOLO QDOBA RESTAURANT CORPORATION INMOTION SEA, LLC ALCLEAR, LLC FIREWORKS PROJECT HORIZON IVARS INC PALLINO SEATAC LLC FOOD SYSTEMS UNLIMITED INC LATRELLES EXPRESS INC HOST LPI SEA FB, LLC SUB POP RECORDS TERMINAL GETAWAY SPA SEATTLE, LLC Suns Inc. 
SEATTLE CHOCOLATES COMPANY LLC BF FOODS LLC 1915 KCHOUSE CONCEPTS-SEATAC, LLC CONCOURSE CONCESSIONS LLS PALLINO SEATAC LLC Contract AIR001513 AIR001451 AIR002358 SEA000043 AIR000580 AIR001439 SEA000294 AIR000629 AIR002094 AIR002247 AIR002063 AIR000839 AIR000619 AIR002103 AIR002048 AIR000612 AIR000618 AIR000615 AIR000613 AIR000616 AIR000614 AIR002361 AIR001816 AIR002095 AIR002054 AIR002093 AIR002375 AIR002265 AIR002362 AIR002241 $ 2017 545,360 621,917 491,070 492,375 443,324 387,129 374,177 62,366 3,099 319,112 886,845 37,423 129,735 614,187 458,339 721,122 706,807 657,835 546,481 205,038 26,689 102,747 23,517 - $ 2018 657,525 449,314 654,274 487,492 479,082 426,103 393,839 373,310 527,782 25,322 449,369 328,398 91,587 427,031 290,121 193,170 340,199 66,461 61,720 65,386 53,959 215,595 236,089 192,233 209,306 428,084 - $ 2019* 610,069 468,472 797,635 423,101 394,493 349,835 373,050 364,171 520,990 1,019,231 591,529 347,103 473,532 481,588 7,106 595,049 149,308 254,511 168,989 221,002 25,673 404,412 396,486 393,273 $ Grand Total 1,812,953 1,539,702 1,451,909 1,401,663 1,365,950 1,219,262 1,154,017 1,111,659 1,111,137 1,044,553 1,043,997 994,613 978,432 937,987 901,444 814,463 798,538 787,583 768,527 723,221 600,440 595,049 569,941 517,288 463,969 453,824 453,757 404,412 396,486 393,273 * Annualized based on 8/31/2019 actuals 33 Appendix A - Lease/Concession Risk Universe (continued) Low Risk (continued): Name BAMBUZA SEA-TAC VENTURES THE YARROW GROUP, LLC SSP AMERICA SEA, LLC DILETTANTE CHOCOLATES INC LATRELLES EXPRESS INC PLANEWEAR, LLC MAREL SEATTLE INC STELLAR BAMBUZA SEA, LLC SILVERCAR, INC MASSAGE BAR SMARTE CARTE INC DILETTANTE CHOCOLATES INC LADY YUM, LLC AIRPORT CHANNEL GLASSYBABY LLC AIRPORT MANAGEMENT SERVICES LLC BILL & NICK INCORPORATED FIREWORKS SSP AMERICA SEA, LLC CAFE PACIFIC CATERING, INC AIRPORT MANAGEMENT SERVICES LLC SHILSHOLE BAY FUEL DOCK PALLINO SEATAC LLC BF FOODS LLC ME & MOM'S HATS DBA SEATTLE HAT$ CERTIFIED FOLDER DISPLAY SERVICE INC 
SECURITY POINT MEDIA, LLC AIRPORT MANAGEMENT SERVICES LLC WINGZ, INC HAN EUN CORPORATION Contract AIR002365 AIR002233 AIR002238 AIR001657 AIR002287 AIR001971 SEA001010 AIR002240 AIR002203 AIR000933 AIR002097 AIR000621 AIR002331 AIR000988 AIR002123 AIR001773 SEA000016 AIR001644 AIR002237 AIR002124 AIR002430 SEA002355 AIR002283 AIR002393 AIR002141 AIR001641 AIR002437 AIR002284 AIR002020 SEA002621 2017 136,680 95,907 145,302 27,537 229,227 63,859 219,481 102,297 69,566 92,902 63,661 183,979 46,297 38,592 24,204 33,178 44,885 29,311 2018 148,050 122,279 111,510 150,000 150,177 12,912 78,819 97,429 110,673 81,974 76,815 70,659 48,089 38,592 96,392 36,376 38,961 33,492 82,645 39,120 29,479 2019* 357,758 357,476 355,020 47,104 201,523 97,649 273,820 76,702 78,369 121,654 4,050 65,330 46,771 60,293 170,867 39,403 119,822 38,592 18,592 66,833 36,641 27,355 93,984 9,899 6,417 28,508 Grand Total 357,758 357,476 355,020 331,835 323,802 305,065 295,302 273,820 254,416 242,299 221,047 219,481 219,082 217,020 216,870 216,489 194,613 183,979 170,867 133,665 119,822 115,925 114,985 103,209 99,806 94,024 93,984 92,545 90,422 87,298 * Annualized based on 8/31/2019 actuals 34 Appendix A - Lease/Concession Risk Universe (continued) Low Risk (continued): Name CLIPPER FERRY SERVICES, INC CHALO, LLC LADY YUM, LLC MASSAGE BAR FIREHOUSE EXPRESS, LLC SHARA, LLC DBA SHOW PONY CONCOURSE CONCESSIONS LLS MSM INCORPORATED HOST INTERNATIONAL, INC SEATTLE CHOCOLATES COMPANY LLC SHARA, LLC DBA SHOW PONY BUTTER LONDON INC MAC-GRAY SERVICES REPUBLIC PARKING NORTHWEST INC LUCKY SHOE SHINE, LLC CLEAN ENERGY FUELS CORP Asanda Air II LLC FILO FOODS LLC PUBLICANS, INC AMERICAN EXPRESS TRAVEL$ DELTA AIR LINES INC UNITED INDIANS OF ALL TRIBES FOUNDATION THE WISHING STONE SEATTLE AIR VENTURES JV UNITED AIRLINES ALASKA AIRLINES INC SEATTLE RENT A WRECK ME & MOM'S HATS DBA SEATTLE HAT$ MAC-GRAY SERVICES ZEEBA WA, LLC DBA ZEEBA RENT-A-VAN Contract SEA003017 AIR002270 AIR002131 AIR002286 AIR001565 AIR002330 
AIR002374 SEA002783 AIR002150 AIR001970 AIR002129 AIR000941 SEA002097 SEA000424 AIR001888 AIR001655 AIR002409 AIR002151 SEA002494 AIR001877 AIR001740 AIR002387 AIR001670 AIR002355 AIR001725 AIR001720 AIR001621 AIR001926 SEA001479 AIR002226 2017 31,238 2,404 51,692 37,112 $ 61,143 33,203 43,002 34,283 41,072 16,654 17,271 11,934 19,107 27,839 9,262 6,690 20,792 14,436 10,000 5,660 2,200 4,401 1,880 11,006,835 2018 27,919 40,795 21,278 64,744 33,366 30,950 46,962 12,623 7,675 17,524 10,267 14,176 13,528 11,990 9,095 7,710 5,894 2,282 1,902 1,782 $ 10,159,652 2019* 22,811 30,107 7,925 35,867 15,104 5,724 12,101 11,651 3,984 20,550 9,138 7,988 15,922 6,184 375 1,507 $ 12,837,977 Grand Total 81,968 73,306 72,970 72,669 70,478 66,818 62,066 61,143 45,827 43,002 41,957 41,072 39,902 39,639 37,761 36,618 32,540 27,839 27,495 22,312 20,792 15,922 14,436 12,078 10,000 5,660 4,481 4,401 4,157 3,289 $ 34,004,575 * Annualized based on 8/31/2019 actuals 35 Appendix B - Capital Risk Universe (Projects Currently Under Contract) International Arrivals Facility (IAF) 1 Central Terminal Infrastructure Upgrade Checked Baggage Recap/Optimization Phase I Highline School Noise Insulation 2 Service Tunnel Renewal Renewal/Replace 3 AOA Perimeter Fence Line Standards Compliance 4 North Terminals Utilities Upgrade - Phase 1 Terminal Security Enhancements- Phase I Windows Chiller Panel Upgrade Airport Dining and Retail Infrastructure Modernization Central Terminal Enhancements 5 Lora Lake Site Remediation Concourse D Hardstand Terminal NorthSTAR North Satellite Lobbies Mechanical Energy Conservation Holdroom Seating For Concourses B & C 6 Flight Corridor Safety Program BHICC P66 Interior Modernization SSAT HVAC Infrastructure Upgrade Shilshole Bay Marina Paving- Combined with SBM Tenant Bldgs. 
SD Pond Bird Deterrent Improvement Condominium Sound Insulation Restroom Renovations Phase 2 Enabling Work Variable Frequency Drive Fishermen's' Terminal Docks 3,4,5 & 6 Fixed Pier Improvements (A) 5 1 2 1 1 1 (B) 5 5 2 5 1 3 Attributes (C) (D) 3 5 1 5 1 5 1 5 1 5 1 5 (E) 5 5 5 1 3 3 (F) 5 5 5 3 5 3 Total 28 22 20 16 16 16 Prior Audit 2017; 2018 2019 2019 See Description 4 for project risk indicators 1 1 1 1 1 1 5 1 1 1 1 1 1 4 4 1 1 1 2 1 1 4 5 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 5 5 5 5 3 1 1 5 1 5 1 1 1 1 1 3 3 1 5 1 1 1 5 1 1 1 1 1 2 1 4 1 1 1 1 4 2 1 1 13 13 13 12 11 11 10 10 9 21 7 6 6 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 6 6 6 6 6 1 $720k designer E&O; $500k Owner E&O; $460k scope changes July 19, 2019 budget increased by $2.5 MM to $19.3 MM. 2 $911k designer E&O $225k scope change 3 Bid protest; numerous change orders; scope change 2019 Closed 2019 2019 4 Original project budget of $21.3 MM for full redundant loop utility (heating/cooling). Lowest bid came in at $33 MM. Stakeholder meeting decided to put in 2 phases. Phase 1 budgeted at $12 MM. Will go back to commission for Phase 2 request of additional $28 MM. Project approved for RFP in October 2019. 5 Contingency audit. Overall budget $9.1 MM delayed due to lake fill redesign and approval time from DOE. Impact of delay was $75k for work suspension. 15 open trends with potential cost of $700k. 6 Contingency audit. Numerous change orders and scope changes resulting in cost escalation from original budget. 

Appendix B - Capital Risk Rating Methodology

Attributes and points:

(A) Project Size (construction costs)
$1 to $50 MM | 1
>$50 MM to $75 MM | 2
>75 MM to $100 MM | 3
>$100 MM to $250 MM | 4
>$250 MM | 5

(B) Change Orders (original contract sum)
0 to 5% | 1
6 to 7.5% | 2
8 to 10% | 3
10 to 15% | 4
>15% | 5

(C) Contract Type
Lump sum | 1
Unit Price or T&M | 2
GMP w/ Shared Savings | 3
GMP w/ no shared savings | 4
Cost Plus | 5

(D) Schedule
On Schedule | 1
Potential Schedule Overrun | 3
Schedule Overrun | 5

(E) Budget
Under Budget | 1
Potential Budget Overrun | 3
Over Budget | 5

(F) Known Concerns (errors & omissions, potential claims, scope change etc.)
Subjective - Audit Knowledge | 1-5

Appendix C - IT Audit Universe

No. | IT General Controls Audits | Inherent Risk
1 | CIS - Inventory and Control of Hardware Assets | HIGH
2 | CIS - Inventory and Control of Software Assets | HIGH
3 | CIS - Continuous Vulnerability Management (includes patching) | HIGH
4 | CIS - Controlled Use of Administrative Privileges | HIGH
5 | CIS - Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers | HIGH
6 | CIS - Maintenance, Monitoring and Analysis of Audit Logs | HIGH
7 | CIS - Email and Web Browser Protections | HIGH
8 | CIS - Limitation and Control of Network Ports, Protocols, and Services | HIGH
9 | CIS - Data Recovery Capabilities | HIGH
10 | CIS - Secure Configuration for Network Devices (e.g., Firewalls, Routers and Switches) | HIGH
11 | CIS - Boundary Defense | HIGH
12 | CIS - Data Protection | HIGH
13 | CIS - Controlled Access Based on the Need to Know | HIGH
14 | CIS - Wireless Access Control | HIGH
15 | CIS - Account Monitoring and Control | HIGH
16 | CIS - Implement a Security Awareness and Training Program | HIGH
17 | CIS - Application Software Security | HIGH
18 | CIS - Incident Response and Management | HIGH
19 | CIS - Penetration Tests and Red Team Exercises | HIGH
20 | Industrial Control System Security | HIGH
21 | CIS - Malware Defenses | HIGH
22 | Endpoint Protection - may be a duplicate of CIS - Malware Defenses | HIGH
23 | Portable Media Security | HIGH
24 | Transmission Protection | HIGH
25 | Password Management | HIGH
26 | Identity & Access Management | HIGH
27 | Disaster Recovery Program | HIGH
28 | IT Risk Management | HIGH
29 | Physical & Environmental Security | HIGH
30 | Change Management | HIGH
31 | Datacenter Ops | HIGH
32 | IT Governance | HIGH
33 | Periodic User Access Reviews | HIGH
35 | System and Software Development | HIGH
36 | Vendor Management | HIGH
37 | Security Program | HIGH
38 | HIPAA Security Compliance | HIGH
34 | Project Management | Medium
39 | Triennial WA State Patrol Audit of CJIS Compliance | Medium
40 | Annual Review of PCI Compliance | Medium

Appendix D - Operations Audit Universe

Risk Assessment: Total Score 24-30 = High; 18-23 = Medium; 0-17 = Low

Columns, in order: Division; Department; Services; Regulatory/Contractual Compliance (Weight = 5); Reputation (Weight = 5); Safety (Weight = 5); Financial (Weight = 5); Fraud (Weight = 5); Strategy (Weight = 5); Risk Score Total; Risk Assessment Level (High, Medium, Low)

Aviation Airport Operations Landside (Airport Transit Ops, Employee & Public Parking, Public Parking, Ground Transportation) 5 4 5 4 4 4 26 High
Corporate Central Procurement Office Purchasing (Goods & Services) 5 4 1 5 5 5 25 High
Corporate Central Procurement Office Service Agreements (Consulting) 5 4 1 5 5 5 25 High
Aviation Security Security Key Management 5 5 5 2 5 3 25 High
Aviation Airport Operations Air Cargo Operations 4 4 5 2 4 5 24 High
Corporate Police Department Law Enforcement Activities/Emergency Responses 5 5 5 2 4 3 24 High
Corporate Risk Management Incident Reporting 5 4 5 3 3 4 24 High
Marine Non-Aviation ID Badge Credentialing 5 5 5 1 4 4 24 High
Aviation Seaport Security & Emergency Management Security Credential Center 5 5 5 2 4 3 24 High
Aviation Security Physical Access 5 5 5 2 4 3 24 High
Corporate Workplace Responsibility Code of Conduct Guidance and Support 5 5 2 4 4 4 24 High
Marine Environmental and Planning Permitting & Compliance/Public Outreach/Stormwater/Habitat/Energy Sustainability 5 5 3 3 2 5 23 Medium
Corporate Central Procurement Office P-Card 5 4 1 4 5 4 23 Medium
Corporate Central Procurement Office PRMS/Roster 5 4 1 4 5 4 23 Medium
Aviation Environmental SEPA/NEPA 5 5 5 2 1 5 23 Medium
Aviation Security Security Strategy/Intelligence/Compliance 5 5 5 2 3 3 23 Medium
Aviation Airport Operations Air Service Development 4 4 3 4 2 5 22 Medium
Aviation Airport Operations Airfield Operations 5 4 5 2 2 4 22 Medium
Marine Cruise CTA / NCL 2 5 3 5 2 5 22 Medium
Corporate Human Resources Development and Diversity 5 4 1 3 4 5 22 Medium
Corporate Financial & Budget Treasury (Investment, Banking, Cash Management) 4 4 1 5 4 4 22 Medium
Aviation Environmental Water Resources and Wetlands 5 5 3 2 1 5 21 Medium
Aviation Environmental Air Quality and Climate 5 5 3 2 1 5 21 Medium
Aviation Environmental Recycling and Hazardous Waste Programs 5 5 3 2 1 5 21 Medium
Aviation Environmental Contaminated Soil and Groundwater 5 5 3 2 1 5 21 Medium
Economic Development Diversity in Contracting WMBE Utilization in Contracting/Outreach 5 5 1 2 3 5 21 Medium
Aviation Noise Programs Noise Programs 4 5 1 4 3 4 21 Medium
Corporate Human Resources Offboarding: Separation/Retiring Employees 5 3 4 2 4 3 21 Medium
Corporate Risk Management Enterprise Risk Management 3 3 4 3 4 4 21 Medium
Aviation Security Employee Security Screening Program 3 5 5 2 2 3 20 Medium
Corporate Legal Legal Services 5 4 2 4 2 3 20 Medium
Corporate Human Resources Health and Safety 3 5 5 2 1 4 20 Medium
Aviation Airport Operations Snow Operations 4 3 5 3 1 4 20 Medium
Aviation Aviation Maintenance Mechanical Systems 3 3 5 3 4 2 20 Medium
Aviation Aviation Maintenance Electrical, Electronics and STS 3 3 5 3 4 2 20 Medium
Aviation Aviation Maintenance Facilities, Fleet, Systems and Grounds 3 3 5 3 4 2 20 Medium
Aviation Aviation Maintenance Asset Management and Logics 3 3 3 5 4 2 20 Medium
Corporate Accounting & Financial Reporting Financial Reporting & Revenue Services 4 3 1 5 4 3 20 Medium
Corporate Health & Safety Health and Safety Program Management 3 5 5 2 1 4 20 Medium
Corporate Risk Management Claims Management 5 4 1 4 3 3 20 Medium
Corporate Human Resources Employee Relations 5 5 1 3 1 5 20 Medium
Corporate Risk Management Driver Safety Program 5 3 5 3 1 3 20 Medium
Marine Marine Maintenance 3 3 5 3 3 3 20 Medium
Economic Development Portfolio & Asset Management Commercial Real Estate Asset Management 3 3 1 5 3 4 19 Medium
Economic Development Real Estate & Economic Development Real Estate & Economic Development 3 3 1 5 3 4 19 Medium
Corporate Human Resources Total Rewards 3 4 1 3 3 5 19 Medium
Aviation Commercial Management Parking Revenue Management 4 3 1 5 3 3 19 Medium
Economic Development P69 Facilities Management Security 3 4 4 2 3 3 19 Medium
Corporate Financial & Budget Finance 4 2 1 5 4 3 19 Medium
Marine Fishermen's Terminal 2 3 3 3 3 5 19 Medium
Corporate Accounting & Financial Reporting Disbursements 3 3 1 5 5 2 19 Medium
Aviation Commercial Management Airport Dining and Retail 4 3 1 4 3 3 18 Medium
Aviation Commercial Management Aviation Business Development and Analysis 4 3 1 4 3 3 18 Medium
Aviation Commercial Management Properties (including Airport Lease Agreements) 4 3 1 4 3 3 18 Medium
Aviation Facilities & Infrastructure Design Review/Standards 5 3 4 2 1 3 18 Medium
Marine Finance 4 3 1 3 3 4 18 Medium
Aviation Finance & Budget Financial Reporting 5 2 1 3 4 3 18 Medium
Aviation Finance & Budget CIP 4 2 1 4 4 3 18 Medium
Aviation Finance & Budget Physical Asset 4 2 1 4 4 3 18 Medium
Aviation Fire Department Fire Suppression 4 4 5 1 1 3 18 Medium
Aviation Fire Department Fire Prevention 4 4 5 1 1 3 18 Medium
Aviation Fire Department Fire Training 4 4 5 1 1 3 18 Medium
Corporate Financial & Budget Budget 4 2 1 4 4 3 18 Medium
Corporate Strategic Initiatives 3 4 2 2 2 5 18 Medium
Corporate Human Resources Careers and Talent Acquisition 3 5 1 3 1 5 18 Medium
Corporate Human Resources Employee Engagement 3 5 1 3 1 5 18 Medium
Aviation Finance & Budget Budget & Business Plan 4 2 1 5 2 4 18 Medium
Aviation Airport Operations Customer Service Operations 3 4 2 2 2 4 17 Low
Corporate Labor Relations Collective Bargaining Agreements 4 4 1 2 2 4 17 Low
Corporate Public Affairs Social Responsibility 5 4 1 2 1 4 17 Low
Corporate Records Management Public Records, Open Public Meetings 4 4 1 2 2 4 17 Low
Corporate Public Affairs Strategic Communications 3 5 1 2 1 5 17 Low
Corporate Environment and Sustainability COE No info in Compass Dept page 3 3 3 2 2 3 16 Low
Aviation Planning Airport Statistics 3 3 1 3 1 5 16 Low
Aviation Planning Surveys 3 3 1 3 1 5 16 Low
Aviation Planning Comprehensive Development Plan (CDP) 3 3 1 3 1 5 16 Low
Corporate Accounting & Financial Reporting Accounting & Business Technology 2 2 1 4 4 3 16 Low
Corporate Commission 2 5 1 1 2 5 16 Low
Corporate Public Affairs Media Services 2 5 1 2 1 5 16 Low
Corporate Risk Management Risk Financing 3 3 1 4 1 4 16 Low
Corporate Records Management Records Management 5 3 1 2 2 3 16 Low
Corporate Spirit & Wellness Wellness Program 2 3 4 2 1 4 16 Low
Aviation Aviation Maintenance Custodial Services 1 5 3 2 1 4 16 Low
Corporate Public Affairs Government Relations 3 5 1 2 1 3 15 Low
Corporate Records Management Record Center - SharePoint 4
3 1 2 2 3 15 Low Aviation Facilities & Infrastructure Aviation Utilities 4 2 3 2 3 1 15 Low Corporate Records Management Email Management 5 2 1 2 2 3 15 Low Aviation Airport Operations Operations Succession Preparation (OSP) Program 2 3 1 2 2 4 14 Low Economic Development Tourism Development Tourism Development 1 4 1 3 1 4 14 Low Corporate Public Affairs Community Engagement 1 5 1 1 1 5 14 Low 41 Appendix D - Operations Audit Universe (continued) Department Services Regulatory/ Contractual Compliance (Weight = 5) Reputation (Weight = 5) Safety (Weight = 5) Financial (Weight = 5) Fraud (Weight = 5) Strategy (Weight = 5) Risk Score Total Risk Assessment Level (High, Medium, Low) Division Corporate Department Human Resources Spirit and Wellness 2 3 2 2 1 4 14 Low Aviation Community Development Community Relations 2 5 1 1 1 4 14 Low Marine Recreational Boating 2 2 3 2 2 2 13 Low Aviation Airport Training Airport Training 2 2 3 1 1 4 13 Low Economic Development Workforce Development Job Opportunities/Training for Local Communities 1 4 1 2 1 4 13 Low Aviation Customer Service 1 5 1 1 1 4 13 Low Corporate Human Resources Job Evaluation/PerformanceLink 3 3 1 1 2 3 13 Low Aviation Building Department Building/Mechanical/Plumbing/Grading Permit Issue 5 1 2 1 1 1 11 Low 1 1 1 3 4 11 Low Aviation Facilities & Infrastructure Aviation Art 1 Economic Development P69 Facilities Management Art Collection 1 1 1 1 3 4 11 Low 1 3 1 1 1 10 Low Aviation Facilities & Infrastructure Aviation Sign Shop 3 Economic Development Corporate P69 Facilities Management Business Intelligence Mail/Shipping/Receiving Data Doctor/Data Analytical & Training Assistance 1 1 1 1 1 1 2 1 3 1 1 2 9 7 Low Low Economic Development P69 Facilities Management Event Planning 1 1 1 1 1 2 7 Low Economic Development Aviation Administration Airport Office Building 1 n/a 1 n/a 1 n/a 1 n/a 1 n/a 1 n/a 6 0 n/a n/a Capital Development Capital Development Airport PMG n/a n/a n/a n/a n/a n/a 0 n/a Capital Development 
Capital Development Engineering n/a n/a n/a n/a n/a n/a 0 n/a Capital Development Capital Development Port Construction Services n/a n/a n/a n/a n/a n/a 0 n/a Capital Development Capital Development Seaport Project Management n/a n/a n/a n/a n/a n/a 0 n/a Aviation Community Development Noise Programs Office n/a n/a n/a n/a n/a n/a 0 n/a Corporate Executive n/a n/a n/a n/a n/a n/a 0 n/a Corporate ICT n/a n/a n/a n/a n/a n/a 0 n/a Corporate Internal Audit n/a n/a n/a n/a n/a n/a 0 n/a Economic Development P69 Facilities Management Amenities (Coffee Rooms, Janitorial Svcs, Privacy Rooms) 1 1 1 1 1 1 6 n/a Economic Development P69 Facilities Management Clipper Café 1 1 1 1 1 1 6 n/a Aviation Police Law Enforcement Activities/Emergency Responses n/a n/a n/a n/a n/a n/a 0 n/a Corporate Project Labor Agreement n/a n/a n/a n/a n/a n/a 0 n/a Aviation Public Affairs n/a n/a n/a n/a n/a n/a 0 n/a 42