Port of Seattle Audit Committee
Internal Audit Update
Glenn Fernandes - Director, Internal Audit
June 11, 2020
Remote Meeting
1:00 PM - 3:00 PM
Financial Stewardship
Accountability
Transparency
Operational Excellence Governance
2020 Audit Plan Update Guiding Principles
COVID-19 impact on Port businesses and resources
Internal Audit value proposition to respond to COVID-19 impact
Advisory (Consulting) Services where needed
Professional Standards Advisory (Consulting) Services
Generally Accepted Government Auditing Standards (GAGAS)
International Professional Practices Framework (IPPF)
2020 Audit Plan Proposed Modifications
Limited Contract Compliance
Lenlyn Limited [1]
Concourse Concessions, LLS
McDonalds USA, LLC
Concessions Int’l, INC [1]
Fireworks
Qdoba Restaurant Corporation
E-Z Rent A Car

Operational
Equipment Acquisition, Monitoring & Disposal
Ground Transportation Taxi Cabs
Cash Controls
Outside Services (Professional) [1]
Interlocal Agreement Mapping
Delegation of Authority Compliance [5]

Capital
Service Tunnel Renewal/Replace
Central Terminal Infrastructure Upgrade
North Terminal Utilities Upgrade Phase 1 [1]
AOA Perimeter Fence Line Standards Compliance

Information Technology
Network Password Management
Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
T2 Airport Garage Parking System Replacement [1]
Inventory & Control of Software Assets
Biometrics [4]
Malware Defenses (ICT)
Payment Card Industry (PCI) - Qualified Security Assessor [2]
Criminal Justice Information Services (CJIS) [3]

[1] Due to the COVID-19 Pandemic, these audits will be deferred to the 2021 Audit Plan.
[2] This work will be performed by an outside firm. Internal Audit will provide a summary report to the Audit Committee.
[3] This work will be performed by the Washington State Patrol. Internal Audit will provide a summary report to the Audit Committee.
[4] This is a focused analysis, not an audit; accordingly, we will issue a Memo.
[5] This is a contingency audit that was approved by the Audit Committee in December of 2019.
2020 AUDIT PLAN STATUS
Audit Title | Type
Cash Controls | Operational
Equipment Acquisition, Monitoring and Disposal | Operational
Network Password Management | IT
McDonald's USA, LLC | Contract Compliance
Service Tunnel Renewal/Replace Project | Operational - Capital
Interlocal Agreement Mapping (Note 1) | Operational
Qdoba Restaurant Corporation | Contract Compliance
E-Z Rent A Car | Contract Compliance
Fireworks | Contract Compliance
AOA Perimeter Fence Line Standards Compliance | Operational - Capital
Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers | IT
Concourse Concessions, LLS | Contract Compliance
Payment Card Industry (PCI)-Qualified Security Assessor | IT
Criminal Justice Information Services (CJIS) | IT
Malware Defenses (ICT only) (Note 2) | IT
Ground Transportation-Taxi Cabs | Operational
Delegation of Authority Compliance (Note 2) | Operational
Biometrics Population | IT
Central Terminal Infrastructure Upgrade | Operational - Capital
Inventory and Control of Software Assets | IT
Outside Services (Professional) | Operational
North Terminal Utilities Upgrade-Phase 1 | Operational - Capital
Lenlyn Limited | Contract Compliance
Concessions Int'l, INC | Contract Compliance
T2 Airport Garage Parking System Replacement | IT

KEY (status by month, Jan-Dec): Complete, In Process, Not Started, Defer to 2021
Note 1: Advisory Services Project added per the Commission's request
Note 2: Contingency audit approved by the Audit Committee in December of 2019
2021 Audits Potential New Audits & Carryover Audits
Limited Contract Compliance
Lenlyn Limited [1]
Concessions Int’l, INC [1]

Operational
Outside Services (Professional) [1]
Rent & Concession Deferral Recovery [2]
Capitalization of Assets [2]

Capital
North Terminal Utilities Upgrade Phase 1 [1]

Information Technology
T2 Airport Garage Parking System Replacement [1]
Malware Defenses (Aviation) [1]

[1] Audits deferred to 2021 from 2020 due to COVID-19 Pandemic.
[2] Potential audits considered for 2021.
Open Issue Follow-Up Status Aging Report as of June 10, 2020
See Appendix A for a detailed listing of outstanding issues aging as of June 10, 2020.
*1 Two issues outstanding more than two years are:
Fishing & Commercial Operations, Manual Billing Process at Risk of Error: To be built in house - Vendor proposals did not support PCI/cloud based.
IT Disaster Recovery Capability (Security Sensitive): Exempt from Public Disclosure per RCW 42.56.420. Issue Not Discussed in Public Session.
*2 Four IT issues do not have Target Dates and are not included in this chart. These issues are in the process of being addressed; however, three are 1-2 years past the Report Date, and one is more than 2 years past the Report Date.
Audits Completed
1) Qdoba Restaurant Corporation
No issues noted (not discussed)
Appendix
A Aging of Outstanding Issues as of June 10, 2020
Appendix A Aging of the Outstanding Issues as of June 10, 2020
Operational, Capital, Information Technology, and Limited Contract Compliance Audits
Type | Audit | Description | Rating | Report Date | Target Date | Days Outstanding (from Report Date) | Months/Years Outstanding (from Report Date) | Days Outstanding (from Target Date) | Months/Years Outstanding (from Target Date)
Operational | Fishing & Commercial Operations | Manual Billing Process at Risk of Error | High | 2/23/2018 | 3/31/2019 | 838 | More than 2 years | 437 | 1-2 years
IT | AVM/F&I Data Centers | Physical Access to Facilities | High | 12/4/2018 | No Date Supplied | 554 | 1-2 years | N/A | N/A
IT | AVM/F&I Data Centers | Protection Against Environmental Factors | High | 12/4/2018 | No Date Supplied | 554 | 1-2 years | N/A | N/A
IT | Security of PII | Security Sensitive | High | 2/26/2019 | 12/31/2019 | 470 | 1-2 years | 162 | 0-6 months
Operational | Marine Maintenance | Fleet and Fuel | High | 6/14/2019 | 12/31/2023 | 362 | 6-12 months | -1299 | Not Due
Operational | Marine Maintenance | Keys and Badges | High | 6/14/2019 | 12/31/2023 | 362 | 6-12 months | -1299 | Not Due
IT | HIPAA Security | Security Sensitive | High | 9/4/2019 | 7/31/2020 | 280 | 6-12 months | -51 | Not Due
IT | HIPAA Security | Security Sensitive | High | 9/4/2019 | 7/31/2020 | 280 | 6-12 months | -51 | Not Due
Operational | Airport Employee Access | Security Sensitive | High | 9/5/2019 | 6/30/2020 | 279 | 6-12 months | -20 | Not Due
IT | Closed Network System Security | Security Sensitive | High | 9/5/2019 | 12/31/2019 | 279 | 6-12 months | 162 | 0-6 months
Operational | Architecture & Engineering | Determine Fair and Reasonable | High | 12/9/2019 | 6/30/2020 | 184 | 6-12 months | -20 | Not Due
Operational | Architecture & Engineering | Management Review Over Max | High | 12/9/2019 | 6/30/2020 | 184 | 6-12 months | -20 | Not Due
Operational | Architecture & Engineering | Contract Accuracy | High | 12/9/2019 | 6/30/2020 | 184 | 6-12 months | -20 | Not Due
IT | IT Disaster Recovery Capability | Security Sensitive | Medium | 11/29/2017 | No Date Supplied | 924 | More than 2 years | N/A | N/A
IT | AVM/F&I Data Centers | Physical Facilities Management | Medium | 12/4/2018 | No Date Supplied | 554 | 1-2 years | N/A | N/A
IT | IT Change Mgmt & Patch Mgmt | Security Sensitive | Medium | 12/4/2018 | 6/30/2019 | 554 | 1-2 years | 346 | 6-12 months
IT | Security of PII | Security Sensitive | Medium | 2/26/2019 | 12/31/2019 | 470 | 1-2 years | 162 | 0-6 months
IT | Security of PII | Security Sensitive | Medium | 2/26/2019 | 3/31/2020 | 470 | 1-2 years | 71 | 0-6 months
Capital | Concourse D Hardstand Holdroom | Audit Clause Restriction | Medium | 9/3/2019 | 12/31/2019 | 281 | 6-12 months | 162 | 0-6 months
Capital | Concourse D Hardstand Holdroom | Designer Error & Omission | Medium | 9/3/2019 | 12/31/2019 | 281 | 6-12 months | 162 | 0-6 months
IT | HIPAA Security | Security Sensitive | Medium | 9/4/2019 | 7/31/2020 | 280 | 6-12 months | -51 | Not Due
IT | HIPAA Security | Security Sensitive | Medium | 9/4/2019 | 7/31/2020 | 280 | 6-12 months | -51 | Not Due
IT | Closed Network System Security | Security Sensitive | Medium | 9/5/2019 | 3/31/2020 | 279 | 6-12 months | 71 | 0-6 months
IT | Closed Network System Security | Security Sensitive | Medium | 9/5/2019 | 3/31/2020 | 279 | 6-12 months | 71 | 0-6 months
IT | Closed Network System Security | Security Sensitive | Medium | 9/5/2019 | 6/30/2020 | 279 | 6-12 months | -20 | Not Due
IT | Closed Network System Security | Security Sensitive | Medium | 9/5/2019 | 12/31/2020 | 279 | 6-12 months | -204 | Not Due
IT | Inventory and Control of HW Assets | Security Sensitive | Medium | 11/12/2019 | 6/30/2023 | 211 | 6-12 months | -1115 | Not Due
Operational | Architecture & Engineering | Governance | Medium | 12/9/2019 | 6/30/2020 | 184 | 6-12 months | -20 | Not Due
Operational | Equipment Monitoring & Disposal | Monitoring of Theft Sensitive Assets | Medium | 3/11/2020 | 6/1/2020 | 91 | 0-6 months | 9 | 0-6 months
IT | Network Password Management | Security Sensitive | Medium | 3/20/2020 | 12/31/2020 | 82 | 0-6 months | -204 | Not Due
IT | Network Password Management | Security Sensitive | Medium | 3/20/2020 | 9/30/2020 | 82 | 0-6 months | -112 | Not Due
IT | Network Password Management | Security Sensitive | Medium | 3/20/2020 | 12/31/2020 | 82 | 0-6 months | -204 | Not Due
Operational | Cash Controls | Seg. of Duties - Fish Term. & Shilshole | Medium | 3/25/2020 | 6/30/2020 | 77 | 0-6 months | -20 | Not Due
Operational | Cash Controls | Procedures - Airport Lost and Found | Medium | 3/25/2020 | 6/30/2020 | 77 | 0-6 months | -20 | Not Due
Operational | Equipment Monitoring & Disposal | Asset Disposal Process | Low | 3/11/2020 | 3/11/2020 | 91 | 0-6 months | 91 | 0-6 months
IT | Network Password Management | Security Sensitive | Low | 3/20/2020 | 12/31/2020 | 82 | 0-6 months | -204 | Not Due