Financial Stewardship, Accountability, Transparency

Item No. 9a
Meeting Date: December 10, 2019

2019 Summary of Internal Audits
Glenn Fernandes - Director, Internal Audit
December 10, 2019
Pier 69, Commission Chambers
12:00 PM - 5:00 PM

Operational Excellence, Governance

2019 Audit Committee
• Commissioner Peter Steinbrueck, Committee Chair
• Commissioner Ryan Calkins, Committee Member
• Christina Gehrke, Committee Public Member

About Internal Audit
• Internal Audit conducts independent, objective, risk-based audits of the Port's operations, activities and vendors.
• Our audits add value by helping the Port achieve its mission and result in: financial stewardship, accountability, transparency, governance, and operational excellence.
• Internal Audit derives its authority from the Port Commission.

18 Audits, 1 Summary Report Completed in 2019

Limited Contract Compliance (5)
• Sixt Rent A Car
• EAN Holdings, LLC
• Anton Airfood of Seattle, Inc.
• Mad Anthony's, Inc.
• Airport Tenant Marketing Program

Operational (8)
• Airport Employee Access¹
• Diversity in Contracting
• Marine Maintenance Shop
• Architectural and Engineering Consultant Rates
Capital
• Checked Baggage Optimization Project (Phase 1)
• Noise Insulation Program
• Concourse D Hardstand Holdroom
• Shilshole Bay Marina Customer Facilities Project

Information Technology (6)
• Security of Personally Identifiable Information¹
• HIPAA Security Compliance¹
• HIPAA Privacy and Breach Compliance
• Closed Network System Security¹
• Inventory and Control of Hardware Assets¹
• Payment Card Industry (PCI)¹,²

¹ Security Sensitive - Exempt from public disclosure per RCW 42.56.420.
² This work was performed by an outside firm. Internal Audit provided a summary report to the Audit Committee.

Key Themes
• 2019 Audits identified 13 High Risk and 29 Medium Risk issues for management action
• The Port has opportunities to strengthen internal controls and related processes
• Capital Spending - Opportunities to reduce costs / be more efficient

Highlighted Audits

Operational:
1) Marine Maintenance Shop
2) Airport Employee Access¹
3) Architectural and Engineering Consultant Rates

Capital:
4) Noise Insulation Program
5) Concourse D Hardstand Holdroom

IT:
6) Closed Network System Security¹
7) HIPAA Security Compliance¹
8) HIPAA Privacy and Breach Compliance
9) Inventory and Control of Hardware Assets¹

¹ Security Sensitive - Exempt from public disclosure per RCW 42.56.420

Operational - Marine Maintenance Shop
(High) - Management self-identified that a process to issue and track keys and badges needs to be developed. Marine Maintenance has the ability to issue badges that allow individuals to access secure Maritime facilities.
✓ Comprehensive list of physical access points did not exist
✓ Segregation of duties for authorization, custody, distribution did not exist
✓ Badges of terminated employees were still active
✓ Badge applications, showing authorization not retained
✓ Policies and procedures not established
Status: In process, with both short term and long term deliverables.

Operational - Marine Maintenance Shop
(High) - Safeguards and controls have not been designed and implemented to monitor and account for fuel and fleet usage. As a result, an $86,000 fuel adjustment was made to the ending 2018 fuel balance. The cause of the adjustment was not known.
Status: Immediate detective controls implemented. Longer term controls in process.

Operational - Architectural and Engineering Consultant Rates
(High) - CPO had not established guidelines for what is determined fair and reasonable. Our testing of over 400 A&E consultants identified many instances where profit margins exceed what the industry deemed reasonable.
✓ The table below reflects the profit margins of the firms tested: [Note: Industry standard ranges between 10 - 15 percent.]

Profit           Number of Consultants
10% and below    139
11-19%           81
20-29%           79
30-39%           60
40-49%           30
Above 50%        18

Status: Forthcoming

Operational - Architectural and Engineering Consultant Rates
(High) - Management approval was not required when hourly rates exceeded the maximum rates produced by the service rate negotiation tool / model.
✓ The table below reflects the number of positions that exceeded the maximum and the amount that the Port agreed to pay over the maximum rate for every hour worked:

Positions    Amount over the Maximum (+2%)
31           $51.05 - $175.03
32           $21.20 - $48.05
103          $.17 - $19.98
166          (total)

Status: Forthcoming

Operational - Architectural and Engineering Consultant Rates
(High) - A reconciliation between the final negotiated rates and the contract did not occur. As a result, we were unable to verify that all positions and rates reflected in the contract were accurate.
✓ The table below reflects the type and number of exceptions:

Position on contract did not exist on the rate tool    108
Rate on rate tool did not agree to the contract        40
Position on rate tool did not exist on the contract    20
Total                                                  168

Status: Forthcoming

Operational - Architectural and Engineering Consultant Rates
(Medium) - The Central Procurement Office is responsible for procuring all contracts related to public works, consulting services, and goods and services. Governance meetings, for Executive Leadership Team (ELT) oversight of CPO, had not occurred since December 7, 2017.
Status: Forthcoming

Capital - Noise Insulation Program
(High) - The Port's controls related to the review of Job Order Contract work proposed and performed by a Job Order Contractor were not functioning effectively. As a result, the Contractor billed the Port an unreasonably high amount and may have billed for more work than was performed.
✓ Contractor charged the Port a 51% average mark-up
✓ Assuring line items and quantities proposed are appropriate requires a diligent review and necessitates questioning items that appear inaccurate
✓ Our work indicated a reasonableness review was not always performed
Status: Immediate review controls have been implemented. Long Term controls in process.

Capital - Concourse D Hardstand Holdroom
(Medium) - The Port's consultant did not have adequate knowledge of airport building requirements, which resulted in the design/concept drawings including a building type that was not allowed in airport terminals. The Consultant's error on the design/concept drawings resulted in additional costs to the Port of $142,654.
Status: Management is pursuing collection

Capital - Concourse D Hardstand Holdroom
(Medium) - The Contract restricted the Port's ability to audit all contractor and subcontractor records within the lump sum contract. The audit clause only allowed audit of documents related to changes. When audit clauses are restrictive, there is an inherent risk that the Port may end up paying additional costs or not receive expected deliverables, without detection.
Status: In process

IT Audit - HIPAA Privacy and Breach Compliance
(High) - The Port had not designated itself as a hybrid entity for the purposes of the HIPAA Rule. The Port had not defined what units within the Port were part of the designated health care component.
Status: In process - expected completion is 12/31/2019

Limited Contract Compliance
• Self reported revenue from concessionaires and rental car companies
• Audits focus on compliance with concession agreement

Audits    Underreported Revenue    Due to Port
4         $669,475                 $70,435

2020 Audit Strategy
• Continue with current course on Limited Contract Compliance Audits
• Continue to enhance our operational / performance audit approach
• Emphasize controls surrounding capital spending