Financial Stewardship Accountability Transparency Item No. 11a_supp Meeting Date: December 9, 2025 2025 Internal Audit Annual Report Glenn Fernandes - Director, Internal Audit December 9, 2025 P69 Commission Chambers 12:00 PM - 5:00 PM Operational Excellence Governance 2025 Audit Committee  Commissioner Ryan Calkins, Committee Chair  Commissioner Hamdi Mohamed, Committee Member  Sarah Holmstrom, Committee Public Member Substitutes  Commissioner Fred Felleman 2 ■ Combined Assurance to Break Down Silos: The governing body, management, and internalaudit have their distinct responsibilities, but all activities need to be aligned with the objectives and collectively grow the value of the organization. ■ Beyond the Three Lines Model: Today's environment of risk bedlam requires us to go a step further. Collaboration is a business imperative and a platform we can use to generate even greater enterprise value. Source: The Institute of Internal Auditors, THE IIA'S THREE LINES MODEL - An Update of the Three Lines of Defense, published in July 2020. 3 2025 Key Initiatives  Information Technology  Cybersecurity  Operations Technology  Capital Delivery  2024 Cyber-Event Recovery 4 2025 Audit Plan Update  13 audit reports were completed in 2025: 5 Performance, 4 Capital Project, 4 Information Technology Reports  Additionally, 10 Limited Contract Compliance Reviews and 2 Capital Project Reviews were completed  Audits identified 8 High Risk, 10 Medium Risk, and 7 Low Risk rated issues for management action  General Contractor/Construction Manager (GC/CM) Projects; real-time auditing, as required by RCW 39.10.385 - 7 projects in process  Audit reports are shared with Audit Committee Members, and for transparency, are also posted to the Port's external facing website [Audit reports can be found at https://www.portseattle.org/page/internal-audit-reports.] 5 2025 AUDIT PLAN STATUS Report Title Type Recovery Effort - Data Integrity - Maritime Banking/Fraud Controls Community Initiatives - ANEW Consultants/Contractor Management Port Management Governance Committees Terminal 91 Berths 6 & 8 Maritime Center at Fishermen's Terminal 2023 Airfield Projects - Contract 2 Widen Arrivals Roadway 1 Recovery Effort - Data Integrity - Construction Management 1 Club at SEA - Pre-Construction Closeout Cost Reconciliation Closed Network System - Satellite Transit System (STS) (AVM) Third-Party Risk Management (ICT & AVM) Access Control Management (AVM) Access Control Management (ICT) Baggage Conveyor System (AVM) 2 New IT Environment - Information Technology General Controls (ITGC) Gate Gourmet, Inc. BF Foods, LLC Concourse Concessions, LLC SSP America SEA, LLC (Ballard Brew Hall) SSP America SEA, LLC (Mi Casa Cantina) SSP America SEA, LLC (Le Grand Comptoir) SSP America SEA, LLC (Camden Food Co.) Sun's, Inc. The Yarrow Group, LLC LaTrelle's Flight Kitchen, LP (Wendy's) 1 Performed as a Review at Management Request 2 Deferred at the request of Management 2 Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Performance Performance Performance Performance Performance Performance - Capital Performance - Capital Performance - Capital Performance - Capital Performance - Capital Performance - Capital IT IT IT IT IT IT Contract Compliance Contract Compliance Contract Compliance Contract Compliance Contract Compliance Contract Compliance Contract Compliance Contract Compliance Contract Compliance Contract Compliance Complete KEY In Process Not Started Deferred 6 Performance Audits  Five Performance completed in 2025  Key Observations Included:  (Consultants/Contractors) On-and off-boarding procedures, between departments are inconsistent and are not well understood.  (Community Initiatives) Deliverables within contracts are modified and changed verbally without evidence of written documentation and appropriate review. Port Mgmt. Governance Committees/TBCD (Governance Committees) No issues noted (TBCD) Procedural Documents did not exist. Additionally, Resolution 2779 covering Promotional Hosting, is approximately 50 years old. Internal policy documents have not been updated in six years. 7 Capital/Construction Audits  Seven GC/CM Projects were being continuously audited as required by RCW 39.10.385  Estimated Spend of $1.5B  Pay applications (billings) from key subcontractors, are reviewed for compliance to contracts  Issues identified by Independent Auditors are generally corrected when identified 8 Capital/Construction Audits  Four Capital/Construction audits were completed in 2025  Projects audited had estimated Capital Spend of $176 million  Two Capital/Construction reviews were completed at management's request  Key Observations from Audits Included:  (T91 Berths 6 & 8) Engineering Construction Management did not obtain sufficient documentation from the contractor to adequately review pay applications for accuracy. This resulted in a net overpayment of $147,377. 9 Information Technology (IT) Audits  Four IT audits were completed in 2025  Focus on critical Information Technology controls (including Cybersecurity controls) and essential Operational Technology Systems  Issues discussed in non-public session 10 2026 Audit Strategy  IT - focus on protecting key systems and networks from emerging risks and evolving threat landscapes  Capital Delivery - focus on Financial, Quality, and Schedule  Complete RCW Required GC/CM Audits  Operational focus on key controls in various business units 11 Questions Glenn Fernandes Director, Internal Audit 12