INTERNAL AUDIT REPORT Operational Audit Recovery Effort - Data Integrity - Maritime August 2024 - August 2025 Issue Date: December 4, 2025 Report No. 2025-24 This report is a matter of public record, and its distribution is not limited. Additionally, in accordance with the Americans with Disabilities Act, this document is available in alternative formats on our website. Recovery Effort - Data Integrity - Maritime TABLE OF CONTENTS Executive Summary ................................................................................................................................................. 3 Background ............................................................................................................................................................. 4 Audit Scope and Methodology ............................................................................................................................... 5 Appendix A: Risk Ratings ......................................................................................................................................... 6 2 Recovery Effort - Data Integrity - Maritime Executive Summary Internal Audit (IA) completed an audit titled Recovery Effort - Data Integrity - Maritime for the period August 2024, through August 2025. Based on internal discussions and scoping decisions, the audit solely focused on Maritime. The audit was performed to gain an overall understanding and to determine whether the Port's processes, specifically related to revenue billing and payroll, operated effectively during and immediately after the cyber event. IA tested the flow and transfer of information from each respective department to Accounting and Financial Reporting (AFR) Billing. The Maritime Division oversees the cruise business, four recreational marinas, Terminal 91, Fishermen's Terminal, various industrial and commercial properties, along with the central harbor portfolio, and conference and event centers. On August 24, 2024, the Port identified system outages consistent with a cyberattack. Incident response processes were initiated, and systems were deliberately taken "off-line." The Port partnered with third parties and federal partners and restored systems, once it was deemed safe. Due to the manual nature of processes within Maritime, the impact of monitoring and accounting for revenue was minimally impacted. For example, prior to the cyberattack, Fishermen's Terminal staff performed daily boat checks to determine what boats are moored. This check is performed twice each day and the information was recorded by hand in a notebook and then entered into the Marina Vessel Management System (MVMS). The manual recording continued, uninterupted, and the information was entered into MVMS once it was restored, several months later. In general, we concluded that Port management's, monitoring, compliance, and internal controls aligned with established policies and procedures. We did not identify any issues that warranted reporting. Glenn Fernandes, CPA Director, Internal Audit Responsible Management Team Stephanie Jones Stebbins, Managing Director Maritime Lisa Lam, Director, Accounting and Financial Reporting Delmas Whittaker, Chief Operating Officer Maritime 3 Recovery Effort - Data Integrity - Maritime Background In August 2024, the Port experienced a widescale cyberattack carried out by a known criminal organization called Rhysida. Unusual and unathorized activity was detected and isolated but the attack impacted Port businesses and hindered many services. The Maritime Division within the Port manages industrial property connected with maritime business, marinas, Fishermen's Terminal, cruise, grain and maritime operations. They are tasked with overseeing the cruise business, four recreational marinas, Terminal 91, Fishermen's Terminal, various industrial and commercial properties, along with the central harbor portfolio and conference and event centers. The table below reflects operating revenues (in 000s) from each Maritime sector as of 2024, 2023, and 2022 (Source: 2024 Annual Comprehensive Financial Report). Maritime Division Cruise Operations Recreational Boating Maritime Portfolio Fishing and Operations Grain Terminal Other Total Maritime Operating Revenues 2024 2023 2022 36,723 17,663 6,875 10,567 4,478 12 76,318 40,372 16,584 6,070 10,451 1,887 (81) 75,283 29,197 14,957 8,608 9,524 4,297 179 66,762 Based on total operating revenues over the past three years, we opted to focus on the following three departments during our audit: Cruise Operations, Recreational Boating, and Fishing and Operations. While each of the departments has its own unique processes and procedures, they all heavily rely on manual controls, such as twice daily boat checks and secondary reviews when reporting revenues. Recordkeeping is primarily captured in Excel before being submitted to AFR and/or PeopleSoft. The manual nature of processes minimized the impact of monitoring and accounting for revenue. However, because PeopleSoft was offline, customer billings were delayed. Payroll processing was also affected. To make sure employees were paid on time, the Port's Payroll team opted to pay employees based on their last paycheck immediately prior to the cyberattack. This occurred for one pay period until an interim process was used that relied on excel spreadsheets to track employee hours. Finally, when systems, including Maximo and PeopleSoft were restored, payroll processes resumed to "normal" operations. However, many corrections and adjustments were identified. These corrections and adjustments were identified when Payroll prepared individual reconciliation statements for each employee. Payments to underpaid employees were made by the middle of November. Employees who received overpayments were contacted individually and given the option to pay back the amount in full or set up repayment plans. As of early 2025, Payroll has been fully back to normal operations. 4 Recovery Effort - Data Integrity - Maritime Audit Scope and Methodology We conducted this performance audit in accordance with Generally Accepted Government Auditing Standards (GAGAS) and The Institute of Internal Auditors' Global Internal Audit Standards. These standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides such a basis. We used a risk-based, judgmental approach to select items for testing. As a result, the findings reflect only the items tested and should not be interpreted as representative of, or extrapolated to, the entire population. The period audited was August 2024, through August 2025 and included the following procedures: Interviews and Process Walkthroughs • Conducted walkthroughs and inquiries with key employees in the selected departments (Cruises, Fishing, and Recreational Boating) to gain an understanding of: o Each department's typical daily operations, as well as their operations post-cyberattack o How revenue is being recorded and billed • Conducted inquiries with the Port's Payroll department to gain an understanding of how Payroll was processed immediately after the cyberattack, as well as how both overpayments and underpayments were resolved • Conducted walkthroughs and inquiries with Marine Maintenance to gain an understanding of how payroll was processed until Maximo was reinstated Document Review • Obtained and reviewed key documents, such as: o Internal Excel workbooks and spreadsheets prepared by each department for AFR o PeopleSoft reports (i.e. Billing Batch Detail Reports, Interface Detail Summary) o Payroll records and pay stubs for selected employees o Listings of over and underpayments to employees Validation and Testing • Billing of Revenue: o Selected two months from the audit period (September 2024 and July 2025) and performed detail testing for each of the three departments selected o Verified that the internally prepared revenue schedules agreed to PeopleSoft o Investigated and inquired about variances • Payroll Processing: o Selected ten hourly Maritime employees and tested five different pay periods for each o Verified and recalculated each employee's paystub to check the mathematical accuracy of total earnings using hours submitted multiplied by hourly rate o Investigated and inquired about variances o Verified that each employee was appropriately included in the listing of over and underpayments 5 Recovery Effort - Data Integrity - Maritime Appendix A: Risk Ratings Observations identified during the audit are assigned a risk rating, as outlined in the table below. Only one of the criteria needs to be met for an observation to be rated High, Medium, or Low. Low rated observations will be evaluated and may or may not be reflected in the final report. Rating High Financial/ Operational Impact Significant Internal Controls Compliance Missing or partial controls Non-compliance with Laws, Port Policies, Contracts Partial controls Medium Low Moderate Minimal Not functioning effectively Functioning as intended but could be enhanced Partial compliance with Laws, Port Policies Contracts Mostly with Laws, Port Policies, Contracts 6 Public High probability for external audit issues and / or negative public perception Moderate probability for external audit issues and / or negative public perception Low probability for external audit issues and/or negative public perception Commission/ Management Requires immediate attention Requires attention Does not require immediate attention