INTERNAL AUDIT REPORT

Operational Audit – Port-wide Payroll Controls
January 2022 – December 2022

Issue Date: June 14, 2023
Report No. 2023-06

TABLE OF CONTENTS

Executive Summary
Background
Audit Scope and Methodology
Schedule of Findings and Recommendations
Appendix A: Risk Ratings
Appendix B: Central Terminal Roof Inspection Cable and Surrounding Condition
Appendix C: Various Red Tags Used at the Port

Executive Summary

Internal Audit (IA) completed an audit of the Port of Seattle (Port)-wide payroll controls for the period January 2022 through December 2022. The audit was performed to evaluate the current payroll process and related internal controls (preventive and detective) to determine if they were operating as intended to manage business risk. The audit scope included: system access controls, segregation of duties, common payroll fraud assessments/testing, and different timekeeping sub-systems used by some business areas, that might increase risk exposure to the Port.

In general, the relevant controls we reviewed in the payroll process were reasonably designed and operating effectively, including controls to identify and correct exceptions from time submissions on the HCM system. However, our audit identified opportunities where internal controls could be enhanced or developed. These opportunities are listed below and discussed in more detail beginning on page 6.

1. (High) The Maximo System used by the Aviation Maintenance Department had generated semi-annual, preventive maintenance work orders for certain retired assets, requiring maintenance staff to spend up to 3 hours for each unnecessary work order over 10 years.

2. (Medium) User access to the Human Capital Management (HCM) Payroll system included five Information and Communication Technology (ICT) personnel with administrative access. Administrative access by certain ICT personnel should be limited to times when such access is necessary to fix problems and should be removed when not required.

Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420

3. (Low) There are currently no hard stops configured in the HCM system to prevent employees from modifying their time after supervisory approval.

We also noted one efficiency opportunity for the Port, which will help streamline timekeeping and payroll sub-processes at the Port. This is discussed in more detail on page 11.

1. Different timekeeping sub-systems were used by business areas. This, coupled with the complexity of Collective Bargaining Agreements’ pay rate structures for represented employees, increases the risk of errors. Manual intervention was needed to continuously validate time data in the various systems, resulting in operational inefficiencies.

We extend our appreciation to Port management and staff for their assistance and cooperation during this audit.

Glenn Fernandes, CPA
Director, Internal Audit

Responsible Management Team

Matt Breed, Chief Information Officer
Stephanie Jones Stebbins, Interim Deputy Executive Director
Rudy Caluza, Director, Accounting Finance and Reporting
Lance Lyttle, Managing Director, Aviation
Katie Gerard, Senior Director, Human Resources
Mike Tasker, Director, Aviation Maintenance
Ed Goodman, Director, ICT Project Engineering
Dan Thomas, Chief Financial Officer

Background

The Port of Seattle (Port) employed approximately 2,530 full-time equivalents (FTEs) for all or part of 2022, including: Interns, Veteran Fellows, Commissioners, Emergency Hires, Regular, Temporary, Full-time, and Part-time workers. Per the Port’s Subclass Responsibility Report, as of 12/31/2022, salaries and benefits of these employees were the Port’s largest operating expense at $317,574,261. This represented roughly 67% of the total operating expenses of $474,793,281.
According to the Association of Certified Fraud Examiners’ 2020 study [1] of over 2,000 fraud cases, payroll fraud (e.g., Ghost Employee scheme, falsified wages, etc.) was one of the most common types of occupational fraud affecting organizations, including governments. The study included approximately 200 payroll fraud cases (9%), with an average loss of $62,000. Payroll fraud occurred at large employers with over 100 employees at more than twice the rate seen at small employers with fewer than 100 employees. Typically, payroll fraud lasted for two years before being uncovered. Given the high percentage of the total expenditure spent on salaries and benefits, the Port’s payroll fraud risk could increase if effective internal controls were not functioning as intended.

Payroll Cycle

As shown in the below illustration, the Port’s payroll process involves multiple departments, including Human Resources (HR) and Accounting Finance Reporting (AFR). Additionally, every employee takes part in this process when they record time and receive payment for time worked.

Timekeeping & Payroll Systems

Since 1997, the Port has used the Human Capital Management system (HCM), which is an Application Pillar of the Port’s PeopleSoft Suite, consisting of the following modules: Payroll for North America, Time and Labor, Benefits, ePerformance, Core HR, and Taleo. HCM is used to manage everything from hiring to resignation, and retains all HR, Payroll, and Benefit information. Timekeeping and Payroll systems like HCM keep track of worked hours and calculate wages, withholding taxes and other deductions.

Along with HCM, at least three other systems were being used to track and manage shifts, schedules, attendance, and work orders. These sub-systems are: Maximo (Aviation and Maritime Maintenance Departments), TeleStaff (Fire Department), and PlanIt (Police Department). Only the Maximo system is currently interfaced with HCM to push time data into HCM.

Payroll Processing

The Central Payroll Team (Central Payroll) within the Accounting and Financial Reporting Department (AFR), consisting of one manager and four staff, completes its rigorous process from receipt of timesheet submission to production of the final payroll register within 2.5 days for each bi-weekly pay period, for approximately 2,320 active employees.

Pay periods end on Saturday, and time reports must be submitted to Central Payroll no later than 12:00 p.m., on the following Monday. Between Monday and Wednesday, the Central Payroll Team conducts a process of verifying the submitted time, addressing all system-flagged exceptions, and producing a final confirmed payroll register. Bank uploads for direct deposits and hard copy checks typically occur by close-of-business Wednesday, and direct deposits are available in employees’ personal bank accounts on Friday morning.

Audit Scope and Methodology

We conducted the engagement in accordance with Generally Accepted Government Auditing Standards and the International Standards for the Professional Practice of Internal Auditing. Those standards require that we plan and conduct an engagement to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our engagement objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our engagement objectives.

In some instances, we used non-statistical random sampling methods to determine the samples selected for our audit test work. In those cases, the results of our work cannot be projected to the population as a whole.

We expanded our audit procedures to review certain issues related to Aviation Maintenance’s Maximo work order/time recording system, which were brought to our attention by the Health and Safety Department.
We excluded the Fire Department from pay transaction testing, due to a Rapid Process Improvement Event that had been progressing with the Continuous Process Improvement Team.

The period audited was January 2022 through December 2022. Multiple methodologies were applied to gather and analyze information pertinent to the objective and scope of this audit, including the following:

Interviews & Process Walkthroughs

Interviewed and performed process walkthroughs with over 20 Port managers and staff within AFR, HR Total Rewards, and other departments, including those that were utilizing different timekeeping systems, to gain an understanding of:

* Current timekeeping, payroll, and payment processes.
* Related preventive and detective controls in place.
* Opportunities for improvement in their areas.

Document Review

Reviewed key documents related to payroll processes, including the following:

* Port Policies, departmental policies & procedures, and associated training materials.
* HR’s entire HCM Security Roll Report identifying all Port employees’ user access/security roles, AFR’s Quarterly Security Review Reports for payroll-specific security roles, and role definitions.
* Competitive Bargaining Agreements that specified pay rate schedules.
* Payroll processing – HCM Payroll system-generated reports/registers and related worksheets.
* Payroll liability account journals/reconciliations, payroll bank account reconciliations, and G/L recordings.

Testing

* “Ghost Employee” Tests – Performed multiple comparative analyses of all employees on payroll, against those per the HR current and terminated employee lists, and followed up on unmatched instances.
* Payroll Transaction Test – Randomly selected a sample of 20 employees (mix of non-represented and represented employees) and tested: pay rates, timekeeping accuracy/timeliness, supervisory review/approval, overtime pre-approval, time correction approval and documentation, payroll deductions and tax withholding reporting, G/L recording, payments, and payroll bank account reconciliations.

Observations

* Safeguarding of manual paycheck stocks and a laser printer at Pier 69.
* Pictures of “Red Tag” signs from the Central Terminal roof.

Schedule of Findings and Recommendations

The Maximo System used by the Aviation Maintenance Department had generated semi-annual, preventive maintenance work orders for certain retired assets, requiring maintenance staff to spend up to 3 hours for each unnecessary work order over 10 years.

Internal Audit followed up on a concern related to lifeline systems at the Seattle-Tacoma International Airport (SEA), and certain related time recording matters with Aviation Maintenance Department (AVM), as follows:

Time Recorded for a Red-Tagged Lifeline System

A lifeline system – Sayfglida fall protection cable, located on the Central Terminal (CTE) roof at SEA (Location: ST-TER-MT-PEN; associated Asset No. 71778) – had been marked “Out of Service, DO NOT USE” by physical signs and therefore required no regular maintenance. We sampled some red tags used by other departments, and noted basic information for red tagging – reason, date, and authorized personnel signature – which the physical signs did not have. (See Appendix B for the photos of the physical signs, and Appendix C for various red tags used at the Port.)

Our audit procedures found that the lifeline system had been in the “red-tagged” status for over 10 years. We also noted that the current “Out of Service” physical signs had been placed in April 2021. If an asset was red-tagged, it would be possible to place it in a “Down” status in Maximo.
However, there was an indication that the process of using a “Down” status was not in use. While Maximo users had the ability to use it, they would likely need training on how to use it.

Regular maintenance service tickets for the “CTE roof inspection of Sayfglida fall protection cable” have been auto-created/pushed to work orders in Maximo every six months for over 10 years, and work time has been recorded by carpenters each time (0.5 – 3 full hours). Even after the lifeline system was visibly marked “Out of Service” in April 2021, work orders continued to be auto-generated and work time (0.5 – 1.5 hours) was recorded for safety inspections on a piece of equipment that could not be used. Such work orders waste resources that could have been used elsewhere.

In the relevant work orders for the lifeline system, we noted a lack of documentation, as required by the AVM Work Rules, Section 2.6, as to what was accomplished, and recommend detailed notes explaining what had been done. Without relevant work documentation, as required by the AVM Work Rules, we were unable to determine what work had actually been done or whether related recorded time was supported, valid, or accurate.

Responsibilities for preventive maintenance on lifeline systems have recently been transferred to Health & Safety, which should address the issue for lifeline systems. However, other systems will face a similar problem.

Recommendations:

1. AVM Management should take the Sayfglida fall protection cable asset out of service in the Maximo System. Additionally, the related auto-generated work orders against these retired assets should be cancelled.
2. AVM Management should develop a process to retire out of service assets and reflect them as retired in Maximo on a timely basis. This should prevent the system from auto-generating preventative maintenance work orders for these assets.

Management Response/Action Plan:

1. Completed.
2. Aviation Maintenance leadership has identified dates to share the issue with the team and will then look to assign a process owner. Much of this should fall under the project manager; as part of the onboarding, they should define the assets being disposed of as well. The challenge is with how assets are booked currently, old way, versus new way. It is much easier with how we have booked assets as part of the onboarding process today, but the assets we are replacing today with new assets are hard to deal with. So there is a challenge with defining a deadline. We will continue to work the issue.

Security Sensitive – Exempt from Public Disclosure per RCW 42.56.420

User access to the Human Capital Management (HCM) Payroll system included five Information and Communication Technology (ICT) personnel with administrative access. Administrative access by certain ICT personnel should be limited to times when such access is necessary to fix problems and should be removed when not required.

Segregation of Duties (SOD) is a basic building block of sustainable risk management and internal controls. The principle of SOD is based on shared responsibilities of a key process that disperses the critical functions of that process to more than one person or department. Without this separation in key processes, fraud and error risks are far less manageable. [2]

In Information Technology (IT), SOD is used to allow users the ability to use applications, and to allow IT personnel the ability to implement, configure, update, modify and fix problems within the applications. However, in order to fix problems and issues, Enterprise Resource Planning (ERP) Developers may require administrative access for short periods of time.

We reviewed the Human Resources’ HCM Security Roll Report identifying all Port employees’ user access/security roles, as well as the Accounting Finance and Reporting’s (AFR’s) Quarterly Security Review Reports for payroll-specific security roles, and role definitions.
We noted that, besides the ERP Administrator, four ICT personnel had been provided full-time administrative access to the HCM Payroll system. While this is helpful for timely problem resolution, it also increases the risk of fraud and unintentional errors.

ICT management suggested a compensating control for the Central Payroll Team to run audit tables in PeopleSoft to identify who had changed what information. In response to Internal Audit’s inquiry, AFR Financial Systems & Lean Initiatives has identified and provided a list of about two dozen audit tables that are available for the Central Payroll Team to query against.

Recommendations:

1. ICT should hire an additional ERM Administrator as planned and reduce the number of its personnel with full-time administration access. After hiring an ERP Administrator, and after things stabilize, ICT should develop a check-out system or equivalent for requesting, approving, and documenting administrator access requests by ERM Developers.
2. Central Payroll Team should query certain available HCM audit tables to periodically monitor who made changes to the tables and whether those changes were appropriate.

Management Response/Action Plan:

1. ICT response

We appreciate the work of Internal Audit looking at this item and raising awareness about it. We also very much appreciate the partnership with Internal Audit on this to help us all improve the Port of Seattle.

Questions related to segregation of duties have been raised previously with risk mitigations put in place to address them. However, a decision was made in 2022 to hire an additional PeopleSoft Administrator. That hiring process is underway. The addition of that headcount to the team provides options that were not previously available.

Our team looked at the elevated access of developers on the PeopleSoft team as it applies to multiple system layers.
Once the additional PeopleSoft Administrator is hired and integrated with the team, the intent is to revoke both the ERP Manager and ERP Developers’ elevated access to production database, operating system, and file server levels. The intent is to replace this with access that still allows developers to view but not edit those elements of the system. The ERP Administrators will retain administrative rights given their job duties and the expected separation of work from developers.

Application-level access for the ERP Developers and the ERP Manager are expected to initially stay as is. An audit recommendation was that Central Payroll utilize available audit tables for periodic monitoring of changes. We agree with that to help mitigate risks and recommend that practice whether developers have access or not. There are also already controls in place where developers do not push their own code to production.

Once the additional PeopleSoft Administrator is hired and integrated into the team, application-level access will be relooked at to see if additional changes can be made while balancing the potential impact on production support. If we can reasonably remove the ongoing access, we would like to do so and will absolutely consider the idea of time limited access for developers.

2. AFR response

We agree. Central Payroll Administration has already implemented an audit report to monitor changes to the tables for appropriateness. Any changes performed outside of Payroll Administration are identified and reviewed, especially changes that affect deductions and earning code tables, and a report is generated and reviewed daily.

There are currently no hard stops configured in the HCM system to prevent employees from modifying their time after supervisory approval.

Preventive controls attempt to prevent or deter undesirable acts from occurring. They are proactive, designed to prevent a loss, an error, or an omission.
Proper approval by authorized personnel is a key preventive control in the timekeeping and payroll processes to establish the accuracy and completeness of the submitted time for payments. Employees should not be able to approve or modify their own time after supervisory approval.

However, any employee time changes after supervisory approval do not affect time & leave balances in the payroll system. Any change would only result in a difference in balance reflected on payroll check stubs and the HCM summary page. According to Central Payroll management, reprocessing the changed time requires Central Payroll’s approval after obtaining authorization and related support from the employee’s department. Otherwise, the changed time by an employee would not impact payroll payments.

Central Payroll management was not aware of any particular reasons why hard stops had not been configured into the HCM system. The Team is currently looking into a solution by locking down timesheets for not only the previous pay periods but also the current pay period that is being processed.

Recommendation:

Accounting Financial and Reporting should implement hard stop configurations into the HCM system to prevent employees from modifying their time after supervisory approval.

Management Response/Action Plan:

We agree. It is noteworthy that once Central Payroll Administration pulls and processes time entered and approved by departments for payment, subsequent changes to time sheets do not affect the pay processed and a solid detailed audit record supporting these payments is maintained. Nevertheless, this is a good internal control recommendation to mitigate any record disparities. Steps are underway with ICT PeopleSoft developers to make the system change to lock down approved timesheets once Payroll Administration pulls and processes them. This is currently being tested and scheduled to move to production by 3rd Quarter 2023.

Different timekeeping sub-systems were used by business areas. This, coupled with the complexity of Collective Bargaining Agreements’ pay rate structures for represented employees, increases the risk of errors. Manual intervention was needed to continuously validate time data in the various systems, resulting in operational inefficiencies.

An efficiency opportunity is where controls are functioning as intended; however, a modification would make the process more efficient. We have identified such an opportunity, which will help streamline timekeeping and payroll sub-processes at the Port.

Along with the PeopleSoft HCM system, three other systems were internally used by certain departments to track shifts, schedules, time & attendance, and/or to manage work orders. These systems are: Maximo, used by the Aviation Maintenance (AVM) and the Marine Maintenance (MM) Departments; TeleStaff, used by the Fire Department; and PlanIt, used by the Police Department. Maximo is the only system that is currently interfaced with HCM, which eliminates the need for manual entry.

The following two tables capture the dynamics and complexity faced by the Port with timekeeping and payroll processes:

Table 1 - 2022 FTE Breakdown Highlighting Departments with various Scheduling/Timekeeping Systems
[Source: HRIS query summary of Port employees during all or part of 2022, IA process walkthroughs with departments, and Labor Relations' information on Collective Bargaining Agreements.]

Table 2 – Time Entry Flow to HCM by Department/Employee Type
[Source: Internal Audit’s process walkthroughs with departments, and the Port’s process narratives that have been updated for the Port’s financial statement audits.]

All salaried (non-represented) employees across departments, as well as represented employees from the Police Department, enter their time directly into HCM. Both AVM’s and MM’s employees schedule/record their time in Maximo, and the time data of represented employees is pushed to HCM via an integration process.
Fire Department employees use the TeleStaff scheduling system, which was customized by Kronos. The department’s Time Administrator individually enters represented employees’ time into HCM.

Most of the Time Administrators and managers we interviewed expressed some level of frustration about the significant amount of time spent each pay period to validate and correct time data for accuracy. They also described the complexity of the Collective Bargaining Agreements’ (CBA) pay rate structures for represented employees and the time-consuming process to finalize and reflect the approved pay rates in their time-keeping systems. This is because the current process involves multiple stakeholders in Port processes (i.e., Labor Relations, HR Total Rewards, AFR Central Payroll, and Legal). Retroactive adjustments are common because of the prolonged negotiation process, contract signing, uploading of new pay rates into HCM, and departments’ own time-keeping systems (if used).

The Central Payroll Team processed approximately 2,000 corrections/adjustments per pay period in 2022, which were requested after the time submission cut-off. Opportunity may exist to analyze data to identify correction patterns (e.g., types of corrections, departments, causes, etc.), and utilize the analysis for communication/education/training to departments.

The Fire Department’s Rapid Process Improvement is currently underway with the Port’s Continuous Process Improvement’s (CPI) Team.

Recommendations:

Port of Seattle management should:

1. Reduce the number of timekeeping sub-systems.
2. Continue regular meetings with the Payroll Manager to discuss, clarify, and resolve issues timely.
3. Utilize available HCM system-generated reports to proactively analyze, identify, and resolve corrections and error patterns, such as types of corrections, departments, causes, etc.
4. Increase timekeeping and approval training/education/communication to department management and staff.
5. Continue CPI’s Rapid Process Improvement efforts to streamline the time validation and correction processes taken by the above-mentioned departments.

Management Response/Action Plan:

We agree.

1. Standardization and a single timekeeping sub-system into HCM would be the long-term solution for the Port. The Port has 26 collective bargaining agreements in place, many with detailed complex pay provisions. For the more complex, such as the Police and Fire departments, separate timekeeping systems at the department level are necessary to support, track time, and implement the pay provisions. The Port is exploring other timekeeping solutions that would be flexible and adaptable to these varying and complex timekeeping requirements, and that would support a practical interface with the Port’s centralized payroll processing system HCM.

2. Recurring meetings with central Payroll Administration and key departments are continuing for the purpose of bringing visibility to and discussing pay issues, and specific Payroll staff aligned with specific labor agreements are assigned to departments to be a main point of contact for payroll support. It is important to note that employees in departments enter their time worked, the department time administrators validate the time entered for propriety, and the managers in those departments knowledgeable of approved work review and approve for payment. The Port’s central payroll administration operations process such approved time from Port departments for payment.

3. The HCM system is able to generate a report to identify adjustments; however, not the reason for the corrections. The Port’s central Payroll Administration provides a standardized correction form for departments to request and submit timesheet adjustments, which will be modified to include a field to provide a reason for the adjustment requests.
Central Payroll Administration will enter the reason code into HCM and in the Main General Adjustment (GA) spreadsheet upon processing the requested corrections and adjustments. This will help track, analyze, and identify root cause of the issues and provide the departments with the opportunity to avoid reoccurrence.

4. Central Payroll Administration is currently working to produce formal tutorials and training documentation that will be available centrally through the Port’s Learning Management System (LMS). All new timekeepers and approvers must complete the class before security access to transact in HCM is granted. Existing time administrators and approvers will be required to take a refresher course every two years. In addition, the Port’s Payroll site on Compass is being enhanced to provide a central resource for information most asked by departments.

5. The Office of Strategic Initiatives, Continuous Process Improvement (CPI), is spearheading an effort to streamline the time validation/correction process for the Fire Department. CPI has captured the current state with Port department timekeeping administrators and identified key pain points in the process. CPI has been working with Payroll Administration, Human Resources, Labor Relations, and Fire Department on this initiative and this effort will continue through 2023. As of this date, the following process improvements have been implemented:

   a. An issues log has been created in Payroll Administration to track pay error, root cause, corrective action, and date of resolution.
   b. Departments have been set up to separately run queries to view and confirm their pay changes. This allows departments to confirm that the Personal Action (PA) submitted have been processed.
   c. Approvers of time and pay in the departments have been given View Only access to timesheets as current reports used to approve time entered are difficult to read.

Appendix A: Risk Ratings

Findings identified during the audit are assigned a risk rating, as outlined in the table below. Only one of the criteria needs to be met for a finding to be rated High, Medium, or Low. Findings rated Low will be evaluated and may or may not be reflected in the final report.

| Rating | Financial Stewardship | Internal Controls | Compliance | Public | Commission/Management |
|--------|-----------------------|-------------------|------------|--------|------------------------|
| High | Significant | Missing or not followed | Non-compliance with Laws, Port Policies, Contracts | High probability for external audit issues and/or negative public perception | Requires immediate attention |
| Medium | Moderate | Partial controls; Not functioning effectively | Partial compliance with Laws, Port Policies, Contracts | Moderate probability for external audit issues and/or negative public perception | Requires attention |
| Low | Minimal | Functioning as intended but could be enhanced | Mostly complies with Laws, Port Policies, Contracts | Low probability for external audit issues and/or negative public perception | Does not require immediate attention |

Efficiency Opportunity: An efficiency opportunity is where controls are functioning as intended; however, a modification would make the process more efficient.

Appendix B: Central Terminal Roof Inspection Cable and Surrounding Condition

Appendix C: Various Red Tags Used at the Port

[1] Association of Certified Fraud Examiners, Report to the Nations – 2020 Global Study on Occupational Fraud and Abuse.
[2] https://us.aicpa.org/interestareas/informationtechnology/resources/value-strategy-through-segregation-of-duties