►
From YouTube: January 26, 2016 Audit
Description
Minneapolis Audit Committee Meeting
A
Good
morning,
I'm
going
to
call
to
order
this
meeting
of
the
Minneapolis
Audit
Committee
for
Tuesday
January
26th.
My
name
is
Lynn
I,
palmisano
and
I'm.
The
chair
of
this
committee
with
me
on
the
dais,
are
the
following
committee:
members
councilmember
John
Quincy
park
and
recreation
Oh
Commissioner
tad
a
committee
member
tab
is
running
late,
but
will
be
here
in
vice
chair
mark
o/s
and
members
that
nail
please
let
the
record
reflect
that
we
have
a
quorum.
Colleagues,
we
have
a
very
full
agenda.
A
B
A
Been
moved
and
seconded
to
adapt
the
agenda
I'll
fave,
all
those
in
favor
aye
opposed
the
eyes.
Have
it
in
the
agenda
is
adopted
before
we
move
on
to
today's
presentation.
We
need
to
accept
the
minutes
from
our
last
meeting,
which
was
on
October
20th
2015
I'll
move
adoption
of
those
minutes,
all
those
in
favor
aye
opposed
the
eyes.
Have
it
knows
minutes
are
adopted.
Colleagues
in
a
the
next
item
on
our
agenda
is
an
addendum
to
the
records
management.
A
C
The
the
audit
team
decided
to
perform
some
additional
testing
based
on
one
of
the
findings
in
the
records
management
audit
that
we
present
it
at
the
October
meeting
and
so
I
wanted
to
quickly
go
over
the
result
of
that.
The
the
objective
of
this
test
was
to
understand
the
access
controls
around
peoplesoft
HR,
and
so
the
original,
the
original
finding
had
mists
quantified
the
the
number
of
employees,
and
so
we
looked
at
it
a
different
way
to
get
a
better
sense
of
what
was
really
going
on
with
that,
and
so
in.
C
The
approach
that
we
took
was
looking
at
all
employees
that
had
terminated
their
employment
with
the
city
from
january,
first
to
late
November
of
2015,
and
then
we
compared
their
date
of
termination
to
when
their
access
to
PeopleSoft
HR
was
cut
off
the
challenge
here,
and
some
of
the
results
aren't
as
conclusive
as
we'd
like
them.
To
be.
Is
that
the
control
that
HR
has
in
place-
and
we
can
see
that
it's
is
happening-
changes
someone's
access
to
just
self-service?
Only
that's
that's
the
goal.
C
When
an
employee
leaves
the
city,
we
allow
them
30
days
to
go
into
peoplesoft
HR
and
look
at
their
personal
information.
It
might
be
about
their
retirement
funds,
it
might
be
about
their
benefits
might
be
about
their
paycheck.
It's
called
self
service
and
the
idea
is
after
30
days
and
we
cut
that
off
when,
when
we
try
to
go
back
and
audit
that
we
can't,
we
can't
see
what
types
of
access
they
had
before,
that
we
can
just
see
their
last
level
of
access.
C
So
it's
hard
to
tell
what
their
access
was
after
they
terminated
until
unless
they
were
not
terminated.
When
we
pulled
the
data
when
we
pulled
the
data,
all
of
the
terminated
employees
accounts
were
locked
after
that
30
day
period.
What
we
did
find
there
was
over
1300
terminations
this
year.
The
little
over
a
thousand
the
security
profiles
remained
unlocked
for
that
self-service
over
those
30
days.
C
C
Another
thing
is
that
we're
currently
not
using
logging
when
we're
making
some
of
these
changes
and
that's
why
we
can't
tell
what
level
of
access
that
someone
had
prior
to
their
the
final
access
that
they
have
recorded
in
the
system
and
so
I
wanted
to
wanted
to
actually
draw
this
out,
because
it
might
help
to
explain
what's
going
on.
C
Is
this
microphone
work
over
here?
Okay,
so,
as
you
can
see
here,
we
have
a
little
chronological
display,
the
first
Chevron
being
the
last
date
of
employment
and
hear
what
the
goal
is
is
to
limit
their
HR
profile
to
that
self
service
and
then
the
next
Chevron
is
this
HR
profile
lock.
So
it's
we
can
tell
that
HR
has
a
process
to
go
in
and
look
for
profiles
that
have
hit
that
30
day,
mark
that
let
self-service
mark
30
days
after
termination
and
then
completely
lock
that
profile
down.
C
C
What
we're
seeing
with
the
with
the
data
that
we
looked
at
this
year
is
that
teams
within
the
city
aren't
great
at
always
getting
this
information
termination
information
into
the
system
or
two
HR
so
what's
happening,
is
we'd
like
to
see
a
day
30
that
account
locked,
but
this
might
be
day
30,
let's
just
say
day,
30
plus
for
examples
sake.
Someone
might
have
gone
in
and
realized.
Oh,
you
know
we
have
this
employee
that
is
left
the
city
now
we're
going
to
enter
their
termination
date.
C
So
then
it
goes
back
to
here
and
the
HR
control
will
catch
that.
But
what
the
gap
here
is
that
we're
not
consistently
getting
that
termination
date
or
that
information
either
the
department
can
do
it
themselves.
Some
departments
do
themselves
or
some
departments
have
each
other,
do
it
in
a
timely
fashion
and
that's
why
we're
seeing
the
results
that
we're
seeing?
D
Tuttle
is
eric
is
I
was
trying
to
understand,
is
in
reading
into
and
I
couldn't.
So
this
is
helpful
to
me.
Is
there
a
way
to
fix
that?
Is
there
a
way
through
creating
some
kind
of
protocol
about
fixing
that
second
date
about
how
many
days
out
that
could
occur?
Rosette,
not
reasonable.
In
this
case,
the.
C
C
B
C
Counsel
or
chair
Palmisano
Commissioner
to
have
there's
a
potential
for
that,
because
we
can
see
a
weakness
in
the
control
there.
There's
there's
a
potential
for
an
opportunity
for
that
to
happen.
We'd
have
to
do
some
specific
testing
and
audit
work
to
determine
around
payroll
to
determine
whether
or
not
people
were
paid
beyond
their
last
date
of
employment.
A
C
Had
several
recommendations
for
HR
really
starting
from
not
allowing
access
to
the
system
at
all
after
the
30
days,
ranging
to
if
we're
going
to
remain
allowing
this
access?
Let's
put
some
more
controls
in
place
in
HR,
was
they've
already
worked
on
several
of
these
recommendations.
The
only
one
that
they
didn't
agree
with
was
one
of
the
recommendations
was
to
to
have
the
portal
so
with
HR,
peoplesoft,
HR
and
PeopleSoft
finance.
There's
a
web
portal
that
you
can
access
that,
and
so
they
don't
have
to
go
through
the
city's
Network
to
get
onto
those.
C
One
of
the
recommendations
was
for
that
portal
to
be
self
service
access.
Only
like
you
couldn't
have
elevated
access.
If
you
were
an
HR
supervisor
or
manager
or
director,
you
couldn't
use
the
portal
to
do
your
work
at
home.
You
would
have
to
use
your
laptop
and
VPN
in
and
go
through
the
network.
They
didn't
agree
with
that
recommendation,
but
all
the
rest
that
they
did
agree
with.
B
A
We
go
through
the
audit
work
plan
to
prioritize
a
little
bit
more
analysis
into
this,
but
are
there
any
other
questions
from
the
committee
em
on
this?
One?
With
that
item
may
I
have
a
motion
to
receive
this
audit
addendum
report
and
direct
staff
to
publish
this
addendum
great
second,
a
second
all
those
in
favor
aye
opposed.
E
A
C
This
going
to
go
back,
this
audit
came
about
when
we
were
working
on
the
records
management
audit,
which
is
one
of
the
large
audits
we
did
last
year.
We
because
of
the
scope
of
it.
We
didn't
get
into
a
detailed
analysis
with
a
need
within
any
department
about
their
records.
In
with
with
working
with
HR,
the
department
did
have
an
appetite
for
us
to
help
them
get
an
understanding
of
personnel
files,
which
of
which
were
decentralized
a
number
of
years
ago
in
the
city
to
see
whether
or
not
those
personnel
files
were
maintained
adequately.
C
We
felt
that
that
was
important
as
well
was
something
that
we
couldn't
cover
in
the
records
management
audit
because
of
some
scope,
limitations
and
resource
limitations.
So
we
thought
that
this
would
be
a
good
audit,
a
somewhat
quick
audit
to
get
done
this
or
in
2015.
There
were
this
up
and
I'll
note.
C
This
audit
did
include
the
park
and
rec
board
commissioner
tabs
request,
so
the
park
board
does
have
some
independent
HR
functions,
and
so
there
is,
we
did
a
separate
testing
of
the
park
board
and
the
city,
and
so
the
findings
are
separate
as
well.
So
we
had
three
findings
for
the
city,
the
first
one
being
existence
in
completeness
of
personnel
and
medical
files.
C
We
noted
that
81
out
of
the
107
files,
there
was
some
document
that
was
missing,
so
the
HR
has
a
very
long
laundry
list
of
things
that
could
end
up
in
someone's
personnel
file
or
medical
file.
We
asked
them
to
identify
some
of
the
key
pieces.
Are
the
critical
pieces
of
information
for
our
testing
because
we
didn't
want
to
test
for
all
of
them.
These
might
have
ranged
from
an
applica
signed
application
and
offer
letter,
there's
a
lot
of
components
and
they're.
C
Not
all
of
these
things
were
critical
to
the
personnel
file
being
unusable
if
they're
just
pieces
of
information
in
there
that
weren't
available
and
some
of
them
rightfully
so
we've
moved
to
Neoga
of
the
new,
recruiting
and
hiring
system
for
some
new
employees.
We
noticed
that
some
of
that
information
was
in
there.
It
was
still
electronic,
and
so
you
know
we
have
some
commentary
on
that
that
I'll
talk
about
at
the
end
of
these
findings.
C
The
second
finding
is
around
accessibility
in
separation
of
personnel
file,
so
for
all
the
departments
that
we
tested,
we
looked
into
where
their
files
were
kept,
that
they
were
in
locked
cabinets
and
that
the
medical
files
were
separate
from
the
personnel
files.
One
thing
that
we
noted,
when
departments
will
archive
their
personnel
files
and
a
number
of
years
after
an
employee
leaves
the
city,
so
those
will
go
to
HR
and
they'll
hold
them
for
a
while
and
then
they'll
send
them
off
for
a
longer-term
storage.
C
If
necessary,
we
wanted
to
make
sure
that
those
archive
files
were
secure
as
well.
They
are
within
the
HR
department,
in
a
storage
room
and
the
storage
room
is
used
for
some
other
things.
Well,
there's
other
things
that
are
stored
there.
So
we
got
the
key
logs
from
NBC
to
get
a
sense
of
how
many
people
have
potentially
have
access
to
that
room
where
these
files
were
on
cabinets,
but
on
unlocked
cabinet
so
accessible
to
anyone
that
could
get
in
the
room.
C
C
So
HR
had
done
some
work
into
the
accuracy
of
I
nines,
but
wanted
us
to
look
into
how
well
we
thought
the
i9
representatives
throughout
the
city
understood
the
process
and
the
risks
and
the
ramifications
of
not
performing
I
nines
appropriately,
so
we
created
a
questionnaire
and
for
the
city
of
Minneapolis.
We
facilitated
those
questions
with
with
a
certain
number
of
i9
reps
and
then
the
park
board.
They
did
that
for
us
and
gave
those
results
back
to
us.
C
There
was
somewhat
similar
in
that
the
reps
probably
need
some
updated
understanding
of
why
we
do
I
nines
how
quickly
we
need
to
do
them.
What
some
of
the
ramifications
of
not
doing
them
at
all
or
not
doing
them
in
a
timely
fashion
are,
and
we
noticed,
a
direct
correlation
between
people
that
do
them
more
often
and
an
understanding
of
why
and
how
we
do
them
in
the
importance
there
were.
There
were
many
more
i9
reps
in
Park
and
Rec,
probably
because
they
have
a
lot
more
locations
that
they
work
in
I.
C
Think
anyone
who
was
a
potential
that
hiring
supervisor
could
have
been
at
I,
nine
rep
or
in
the
city
there's
there's
far
fewer
I
think
there
was
about
it
if
I'm
correct,
and
so
this
can
be
fixed
pretty
easily
with
some
some
training
communication
and
maybe
some
realignment
of
who
facilitates
the
i9
process.
It
is
an
important
process,
a
couple
commentaries
that
came
out
of
this
work.
C
The
first
one
was
around
electronic
files
and
we
noticed
and
will
continue
to
notice
that
we're
going
to
have
more
electronic
documentation
of
things
that
are
going
to
end
up
in
the
personnel
files
and
the
medical
files,
and
so
we
mentioned
HR
that
they
should
start
to
consider
how
to
handle
this
at
this
time.
It's
it's
sort
of
unknown,
but
anyone
who
should
have
access
to
those
someone's
personnel
file
should
also
have
equal
access
to
any
electronic
documents
that
we
don't
manually
print
out.
Input
in
those
vials.
C
The
other
one
due
to
the
noticing
how
many
keys
were
made
for
that
that
door
in
the
HR
department
we'd
recommend
that
the
city
do
a
physical
access
review
for
doors
that
still
have
keys,
not
electronic
badges
to
maybe
get
a
quick
sense
of
how
many
are
out
there
and
is
there
a
need
to
rekey
some
of
the
doors
in
the
city?
Are
the
controls
adequate
about
getting
keys
back
from
terminated
employees
either
back
to
two
and
then
be
or
to
the
department?
C
A
Do
you
have
a
question
from
any
other
questions
from
the
committee?
I've
had
the
opportunity
to
speak,
you
know
through
agenda
setting
and
that
sort
of
thing
with
our
director
of
HR
and
I
know
that
the
purview
of
this
committee
is
not
to
direct
a
work
of
our
enterprise
departments.
You
appreciate
the
conversations
that
we've
had
in
this
I.
Welcome
it.
If
someone
from
HR
mr.
A
Ciampa,
who
I
see
here
in
the
audience,
wants
to
comment
on
some
of
the
work
already
being
done
to
mitigate
these
things,
I
welcome
that
if
you
wanted
to
just
come
up
and
then
I
also
know,
we
have
Theresa
sheikha
in
the
audience.
If
you'd
like
to
you
know,
comment
on
some
of
these
I
know
that
a
lot
of
this
was
useful.
A
F
Yes,
thank
you.
I'm
bill
champa
from
human
resources,
I'm
a
manager
and
I'm
here
representing
a
chief
HR
officer,
patients,
Ferguson
and
so
first
of
all,
I
want
to
thank
the
committee
and
I
want
to
thank
will
Tetzel.
This
is
a
audit
that
we
actually
asked
for
as
he
mentioned,
and
so
this
is
very
important.
Information
to
us.
F
Patients
first
and
has
been
with
the
city
for
two
years,
and
this
has
been
a
big
priority
since
she's
been
here
and
we
were
we've
been
working
on
some
of
these
and
this
reaffirmed
a
lot
of
what
we
already
thought
we
knew,
but
this
was
very
reaffirming
to
us
and
quite
helpful,
so
a
couple
of
quick
things
of
what
what
we've
been
doing.
The
access
to
the
room.
First
of
all,
I,
will
tell
you
that
that's
a
room,
a
storage
room
that
not
many
people
in
HR
even
know
exists.
F
That
said,
there's
the
key
access
and
there's
that
problem,
we've
already
remedied
that
or
the
process
of
changing
that.
So
the
only
two
people
have
access
to
that
room:
two
trained
people,
in
addition,
we're
working
longer
term
on
the
card
access.
So
we
know
exactly
who
goes
in
and
out
of
that
room
and
can
audit
that
on
an
annual
basis.
So
we're
working
on
that
we're
also
working
on
locked
file,
cabinets
in
in
that
room
and
I
think
the
biggest
the
biggest
piece
that
this
report
reaffirmed
in
that
I.
F
Think
many
of
your
questions
address
is
really
the
responsibility
out
in
our
departments.
We
have
a
couple
of
different
key
personnel.
This
process
is
largely
decentralized
them.
The
maintenance
of
personnel,
medical
files,
so
educating
those
folks,
training,
those
folks
and
then
holding
them
accountable,
is
extremely
important
and
we're
working
on
all
three
of
those.
We
have
started.
A
E
Commissioner
tab
committee
members
I
appreciate
your
allowing
me
to
come
up.
I
appreciated
that
Commissioner
tab
invited
us
to
be
a
part
of
this.
It
doesn't
hurt
to
be
checked
on
and
we
are
separate
from
the
city.
You
know
we
work
with
them
an
HR
on
some
things.
Our
file
room
and
the
I-9
process
is
separate.
We
have
the
luxury
of
having
much
smaller
amounts
of
data,
and
it's
in
one
spot.
I
can
say
that
the
security,
what
wasn't
mentioned
is
all
the
doors.
E
In
fact,
two
of
them
we
have
an
IT
that
we
have
smart
cards
so
that
can
be
turned
off
instantly,
which
is
nice
that
we
can
control
who
has
access.
We
do
phi.
Our
filing
system
is
different
and
we
started
about
eight
years
ago
the
League
of
myth.
So
cities
recommends
we
have
separate
files
and
it's
it's
more
efficient
for
us
and
I
know.
The
city
probably
can't
do
that,
but
when
a
supervisor
wants
to
come
in
because
our
people
move
around,
they
bid
and
they
move
around
and
they
see
the
performance.
E
All
we
have
to
do
is,
as
a
small
HR
department
pull
out
that
performance
file.
We
don't
have
to
go
through
the
whole
personnel
file
to
pull
it
out.
We
find
it
really
efficient
as
far
the
I
9's
to
go
back
to
our
personnel
files.
We've
had
neoga
of
much
longer
than
the
city
did,
which
is
the
electric
electronic
hiring
process,
so
ours
applications
were
electronic.
Much
sooner
than
the
city
was
so
I
think
that
that
kind
of
got
reflected
in
the
audit.
We
didn't
have
them
their
electronic,
whereas
the
city
wasn't
for
the
i9.
E
We
are
looking
to
go
back
to
e-verify.
We
had
verified
many
years
ago
and
it
was
in
conflict
with
the
city.
They
had
a
stopped
because
of
the
judges
or
something
was
coming
on,
and
we
just
we
had
to
stop
it,
but
we're
going
back
to
what
we
found.
We
can
do
it
separate
from
the
city
in
the
city's
doing
it,
we
will
retrain
our
supervisors.
That
was
one
of
the
recommendations.
E
A
You
thank
you
for
your
interest
in
for
seeking
out
internal
audit
to
do
this
specific
audit.
You
know
this
is
a
healthy
process.
We
learn
things
and
a
great
thing
is
as
soon
as
we
do.
Our
departments
take
immediate
action
to
to
fortify
and
correct
our
processes
so
I'm
glad
about
that
super.
Thank
you.
A
A
Opposed
the
eyes
have
it
and
report
will
be
received
in
the
staff
will
publish
it
next
on
our
agenda.
Is
the
internal
audit
department's
annual
report
for
2015
summarizing
our
2015
audit
plan
and
those
results
also
client,
satisfaction,
surveys
and
staff,
editing
and
budgeting
request
updates.
Mr.
Tuttle
thank.
C
You,
madam
chair,
the
the
ordinance
for
the
city,
requires
that
internal
audit
publish
and
enter
report,
but
not
what
was
in
it
so
who
gave
a
shot
appreciate
any
feedback
for
information
that
you
guys
would
like
to
see
in
there
or
would
expect
to
see
in
there.
I'll
give
you
some
highlights.
You
receive
the
report.
C
We
had
six
projects
that
we
completed
this
year,
two
audits
in
for
consultations.
Out
of
those
we
had
15
findings
or
out
of
the
two
audits
we
had
15
findings,
so
a
consultation
won't
have
findings
per
se.
Those
findings
consisted
of
33
recommendations,
so
a
finding
really
talks
about
a
risk
that
needs
to
be
addressed
and
there
might
be
multiple
recommendations
within
that
binding
mm-hmm.
C
Oui
oui
when
I
joined
a
little
over
a
year
ago,
the
prior
audit
team
had
about
24
audit
findings
that
were
still
outstanding,
so
we
decided
that
we
should
work
on
closing
those
outs.
We've
closed
out,
21
of
those
in
2015,
some
of
which
were
folded
into
some
findings
and
recommendations
that
we
had
in
some
of
our
current
bodies
of
work.
Some
of
them
were
folded
into
some
of
the
state
auditor
findings
that
the
finance
department
is
working
on
so
rather
than
sort
of
double
dip.
C
On
some
of
that
work,
we
found
that
there
was
some
parallels
between
issues
that
the
auditor
had
seen
in
the
past
and
some
of
the
things
that
are
currently
being
worked
on
here
in
the
future.
So
we
made
a
note
to
aggregate
those
and
close
them
out
together.
Mm-Hmm,
as
I
mentioned,
the
audits
done
in
2015
produced
14
findings.
When
we
issue
an
audit
report,
management
will
respond
to
that
report.
C
Sometimes
those
responses
will
include
a
remediation
plan
and
end
dates
and
such
sometimes
they
don't
because
they
need
to
go
back
and
figure
out
exactly
how
to
do
that.
So
we'll
be
working
here
in
short,
ordered
with
these
14
findings
in
the
departments
that
they're
related
to
to
understand
what
the
remediation
plans
are
get
some
goals
in
there
for
dates
and
then
build
out
our
spreadsheet.
So
we
can
start
tracking
those
you'll
hear
much
more
about
that
in
them.
In
the
next
meeting
in
March.
C
Lastly,
I
wanted
to
talk
about
client
satisfaction,
surveys
I,
I
pinged
a
couple
pure
city
auditor's
to
find
out
how
they
were
serving
their
clients
and
got
a
few
examples
of
surveys
and
then
took
the
questions
on
there
that
I
thought
or
applicable
to
us.
We
tried
to
keep
them
pretty
general,
so
it
wasn't.
We
didn't
elicit
emotional
responses,
most
people
don't
enjoy
being
audited,
and
so
we
didn't
want
to.
Let
people
take
that
out
on
us,
but
rather
how?
How
well
are
we
doing
what
we
should
be
doing
from
it?
C
The
survey
results
came
in
at
an
average
of
eighty-two
percent,
which
I
think
is
a
decent
balance
too
high
and
I
would
question
whether
or
not
we're
being
too
easy
on
people
or
not
digging
deep
enough
into
some
of
the
real
issues
too
low,
and
we're
probably
not
doing
our
job
well
enough
for
communicating
well
enough
for
creating
hostile
environments
so
on
and
so
forth.
So
and
82
is
a
good
spot
to
be
there.
In
that
satisfaction,
survey.
A
A
G
And
I
was
wondering
what
bothered
me
about
the
eighty-two
percent
and
it's
I
just
curious
about
the
individual,
the
four
components
of
that.
Where
are
we
stronger?
Where
are
we
you
know?
Usually
what
my
experience
has
been
is
when
you
get
to
the
recommendations,
part
that
goes
you
know,
sort
of
lower
would
drag
the
aggregate
down.
Is
there
or
would
you
say,
82
represents
the
client
satisfaction
across
the
four
items
that
you
looked
at.
Your
ask
for
yeah.
C
I'll
tell
you
how
we
calculated
these
and
then
speak
to
that
madam
chair
and
councilman
voice,
so
as
to
not
skew
the
results
we
we
took.
We
created
a
score
for
each
project
because
some
of
the
projects
might
have
ten
respondents.
Some
might
have
one
or
two,
and
so
we
didn't
want
those
tend
to
over
skew
the
score.
So
each
each
project
that
we
have
gets
its
individual
score
and
it's
based
on
those
five
components
in
looking
at
those
five
components
in
aggregate
there's
a
little
shift
towards
some.
C
G
C
A
Mr.
Tetzel
I
just
want
to
say
this
is
exactly
what
I'd
hoped
for
when
we
imagined
a
fully
functional
audit
team
a
couple
years
ago,
we've
cleaned
up
old
findings,
we've
you
know,
I
I,
hope
people
are
all
pleased
with
that.
We've
we've
got
a
feedback
loop,
a
productive
feedback
loop
and
that's
really
important
and
about
our
working
relationship
is
an
internal
audit
group
with
clients
around
the
enterprise.
Are
there
any
thoughts
or
questions
from
others
may
have
a
motion
to
receive
and
file
the
2015
internal
audit
annual
report?
A
A
I'm
also
pleased
that
our
last
item
under
new
business
today
is
the
2016
audit
plan.
Part
of
our
role
as
a
committee
is
to
review
and
approve
a
yearly
audit
plan
that
guides
the
work
of
our
audit
department
through
the
rest
of
the
year.
So,
mr.
Tetzel,
could
you
go
forward
with
what
we
will
do
this
year?
Thank.
C
You,
madam
chair
mm-hmm,
the
the
process
to
come
to
our
audit
plan
was
similar
to
last
year.
We
conduct
risk
assessment
meetings
with
departments
and
divisional
leaders.
We
solicit
information
from
Council
and
from
the
mayor's
office,
and
we
just
got
information
from
the
work
that
we
do
in
the
experiences
we
have
and
the
meetings
that
we
have
throughout
the
year.
So
it's
it's
a
continual
process
and
I
want
to
note
that
that
again,
the
audit
plan
is
a
point
in
time.
We
always
try
to
stay.
C
A
pretty
is
appraised
as
we
can
on
emerging
risks
and
if
something
comes
up
that
is
more
important
or
more
pressing
than
something.
That's
on
the
plan
we
like
to
exercise
our
right
to
to
reprioritize
and
change
that
and-
and
my
job
is
to
is-
to
communicate
that
to
the
Audit
Committee.
If
there's
something
that
comes
up
that
I,
that
I
don't
agree
with,
or
that
I
would
like
the
committee's
opinion
on
that
all
wait
till
the
next
meeting.
Otherwise
I'll
typically
run
it
by
the
chair
and
make
some
of
those
changes
as
they
occur.
C
The
2015
plan
changed
dramatically.
As
was
expected.
We
didn't
get
to
all
the
departments
before
we
put
the
plan
out,
so
we
met
with
Public
Works
and
see
ped
over
the
summer
and
those
meetings
drove
some
pretty
significant
changes
in
the
plan.
The
2016
audit
plan
consists
of
14
projects.
Four
of
those
are
carryover
projects
from
last
year
and
I'll
talk
about
those
as
well.
There's
eight
audits,
five
consultations
and
one
program
audit,
and
that
program
out
is
a
carryover
from
the
prior
year.
C
So
I'll
go
through
the
projects
on
the
list
and
then
you
can
either
interrupter.
We
can
talk
about
questions
at
the
end.
These
are
in
alphabetical
order,
they're
not
prioritized
in
order
of
risk
or
importance,
but
the
2016
ones
are
first
and
then
the
carryover
ones
are
the
last
four,
so
they're,
not
mixed
in
together.
The
first
project
is
an
audit
of
the
accounts
payable
processes
here,
and
the
objective
is
to
evaluate
key
processes
and
controls
around
payment,
timeliness,
accuracy
and
fraud.
C
C
The
third
project
is
around
IT
projects
and
management.
This
is
a
consultation,
and
the
objective
of
this
consultation
is
to
determine
if
the
city
has
adequate
project
management
processes
and
tools
to
guide
system.
Implementations.
I
want
to
note
here
right
now
we're
experiencing
a
lot
of
system
implementations
of
the
city
rightfully,
so
the
the
management
of
those
projects
doesn't
solely
lie
on
the
IT
department.
Certain
departments
are
all
over
the
spectrum
in
how
engaged
they
are
in
in
a
project
implementation,
and
so
this
isn't
specifically
focused
on
the
ITP
mo.
C
C
The
police
department
uses
the
license
plate
reader
software
and
there
is
some
legislation
out
there
that
it
will
require
a
biannual
review
of
this.
The
first
audit
or
binding
will
audit
sorry.
The
first
audit
will
be
due
in
2017,
and
so
the
police
department
wanted
us
to
come
in
and
look
at
that
license
plate
reader
program
and
based
on
some
of
the
language
in
that
legislation,
give
the
city
and
opinion
of
anything
that
they
need
to
improve
to
prepare
themselves
for
these.
For
this
audit.
C
If
the
audit
goes
well
and
there
aren't,
any
recommendations
will
probably
look
to
to
post
this
as
the
first.
The
first
required
audit
of
the
system,
so
it'll
be
it'll,
be
similar
to
what
we
would
do
in
the
next
steps,
but
this
is
really
a
proactive
approach
to
making
sure
that
that
the
controls
and
processes
in
place
around
this
are
adequate.
C
The
next
project
on
the
audit
plan
is
on
the
park
and
rec
board.
It's
around
worker
safety,
and
this
is
a
this-
is
an
audit,
and
the
objective
of
that
is
to
determine
if
the
parking
right
board
has
practices
and
procedures
in
place
to
both
prevent
injuries
and
adequately
address
injuries
that
do
happen.
The
park
board
has
has
done
quite
a
bit
of
work
around
this
as
of
late
and
they've
asked
us
to
come
in
and
help
them
get
an
understanding
of
how
adequate
those
processes
are.
C
The
next
project
on
the
plan
is
off
street
parking
operator,
and
this
is
an
audit
with
an
objective
to
evaluate
the
service
level
agreements
in
city
and
vendors
adherence
to
contractual
requirements,
as
you
all
probably
are
aware
of
in
October
of
2015,
we
continue
to
work
under
ABM
to
operate
the
off
street
parking
in
the
city.
The
contract
is
somewhat
different
than
it
has
been
in
the
past.
C
The
next
project
on
the
list
is
a
peoplesoft
finance
access
audit,
similar
to
the
work
that
I
presented
first
year.
In
the
meeting,
we've
done
some
pretty
significant
access
testing
on
the
HR
peoplesoft
module.
We
want
to
do
the
same
thing
on
the
finance
peoplesoft
module
part
of
that
being
that
the
city
doesn't
have
an
enterprise-wide
approach
to
monitor,
system
access
and
so
we're
going
to
hit
some
of
these
big
systems
and
then
work
with
with
departments
or
divisions
to
to
see
if
we
can
improve
our
access
monitoring
with
visiting.
C
The
next
project
is
peoplesoft
web
portal
security,
and
this
is
an
audit
and
the
objective
to
determine
the
adequacy
of
security
controls
for
the
peoplesoft
web
portal.
So
if
you'll
remember,
we,
we
talked
about
the
HR
access
to
people's
off
there's.
There's
a
web
portal
for
people
saw
finance
and
PeopleSoft
HR,
where
an
employee
can
access
that
system
remotely
not
through
the
federated
network,
and
so
we
want
to
look
at
some
of
this.
The
security
controls
that
we
have
on
that
web
portal
to
make
sure
that
they're
adequate
enough
to
prevent
any
malicious
activity.
C
The
next
project
is
a
police
body,
camera
pre
requirement
review
so
similar
to
the
license
plate
reader
right
now,
there's
pending
legislation
of
a
try
annual
audit
of
body
camera
processes
around
the
data
that's
collected
there.
So
as
we
get
a
better
understanding
of
the
language
and
where
that's
landing,
the
police
department
again
asked
us
to
come
in
similarly
to
the
body
camera
pilot
program,
consultation
that
we
did
last
year
help
them
understand
any
gaps
or
opportunities
that
they
have
in
adhering
to
the
tri-annual
audit
requirements
going
forward.
G
C
Fix
that
sorry
about
them,
the
last
of
the
2016
projects,
transportation
management
organization-
this
isn't
audit
around
third
party
governance,
which
I'll
talk
about
in
my
outer
update
and
this
audit,
the
objective
will
be
looking
into
some
grant
compliance,
but
not
limited
to
that.
There's
an
organization
called
move
Minneapolis
under
the
TMO
that
will
be
giving
some
audit
work
around
the
last
four
projects
I'll
go
through
a
little
bit
quicker
because
you've
heard
about
them
before
a
CPL
own
life
cycle
were
in
the
fieldwork
phase.
Of
that
it's
a
very
large
audit.
C
I
would
anticipate
that
coming
to
the
mayo
meeting
Elms,
which
is
enterprise,
land
management
system
implementation,
this
sort
of
ad
hoc
consulting
that
we
do
on
that.
That
I
think
that
is
slated
for
an
October
implementation
of
October
2016
implementation.
There
there's
the
NCR,
neighborhood
programming
and
support
program
audit
that
we've
out
sourced
that
should
come
to
the
March
audit
committee
meeting
they're
wrapping
up
some
final
pieces
of
that
report
and,
lastly,
police
records
management
system
implementation.
C
This
was
something
that
was
on
the
plan
for
last
year,
but
it's
the
bulk
of
the
work
is,
will
happen.
This
year
lives
in
contract
negotiations
now
so
we'll
plug
in
a
little
bit
later
in
the
year
to
to
help
the
police
department
understand
some
of
the
configuration
considerations,
then
they're
making
and
just
generally
address
some
of
the
risks
of
such
a
large
scale
system
implementation
that
touches
so
many
other
systems
within
it.
C
D
You,
madam
chair,
just
one
quick
question:
mr.
Tetzel,
concerning
the
scope
of
the
civil
rights
contract,
compliance
audit,
just
a
scoping
question:
it
says:
review
the
the
execution,
consistency
and
accuracy
of
the
respective
processes
I
take
it
you're.
Just
the
scope
of
your
audit
is
just
to
look
at
how
the
contract
is
the
solicitation
process
and
the
award
process
you're
not
following
it
all
the
way
through
to
the
end,
to
see
if
what
was
contracted
for
was
actually
provided
or
we're.
Not.
Madam.
C
H
Madam
chair
members,
my
name
is
Tim
homestead
I
work
with
backboard
consultants.
We
provide
the
IT
audit
services
for
the
city
of
Minneapolis
I'm
just
wanted
to
talk
about
how
we
completed
the
IT
audit
risk
assessment
in
alignment
and
coordination
will
Tetzel
and
his
team.
We
took
the
approach
very
similar
to
2
l's
operational
out
of
staff,
where
we
interviewed
key
leaders,
key
stakeholders
and
key
project
managers
to
identify
projects
and
scoped.
For
this
year,
we
based
the
analysis
on
inherent
risk.
I
H
H
A
C
Did
want
to
mention
that,
although
it's
a
challenge,
we
had
a
huge
amount
of
potential
projects
for
this
year,
or
so
it
really
speaks
volumes
to
how
forthcoming
department
heads
didn't
and
divisional
leaders
were
in
our
risk
assessment
process,
because
there's
a
still
a
really
high
demand
for
the
services
and
the
value
that
we
can
provide
to
the
city.
So
the
challenge
being
balancing
what
people
ask
for
with
what
we
independently
think
the
city
needs
from
an
audit
perspective,
but
that's
a
good
problem.
We
have
from
my
family.
A
Super
here
this
is
the
end,
then,
of
the
presentation
I'm
on
it
super
with
acknowledgement.
This
is
a
guide
and
we're
constantly
assessing
risks
and
there's
a
lot
that
you're
looking
at
may
have
a
motion
to
receive
and
file.
This
2016
annual
audit
plan
super
all
those
in
favor,
please
say:
aye
aye
opposed
the
eyes,
have
it
and
that
report
will
be
received
and
I'll
direct
staff
to
publish
it.
I
also
have
from
your
earlier
presentation
mr.
Tetzel
I
I
want
to
make
a
staff
direction
in
regards
to
the
2016
audit
plan.
A
Thank
you
for
this
audit
plan.
It
this
plan
and
the
items
on
it
vary
a
lot
in
in
size
and
in
scope.
I
like
that
most
of
them
were
were
ones
that
were
requested
you
not
all
of
them.
Some
are
on
the
leading
edge
of
policy
like
data
privacy
standards
and
the
like
I
think
that's
going
to
be
really
informative
and
help
us
to
really
say
on
top
of
those
things.
A
Some
is
on
all
the
flux
of
multiple
IT
system,
implementations
going
on
which
we
all
feel
the
pain
of
around
the
enterprise
and
from
our
customer
service.
Endpoint
from
the
public
that
we
serve,
I
really
appreciate
that
in
it,
in
light
of
the
human
resources,
personnel
file,
maintenance
and
audit
report,
and
some
of
the
things
that
came
up
in
that
I'd
like
to
make
a
motion
to
direct
staff
that,
within
the
scope
of
the
2016
work
plan,
could
you
analyze
the
enterprise
practices
for
employees
that
terminate
employment
with
the
city?
A
Could
you
report
back
on
this
plan
update?
You
know
how
that
might
get
into
this
2016
plan
at
your
next
at
our
next
scheduled
audit
committee
meeting
I'm
curious
what
policy
issues
could
be
put
in
place
given
best
practices,
research,
I'm
curious,
what
our
recommendations
and
methods
that
could
help
us
drive
a
better
accountability
to
be
really
diligent
when
an
employee
leaves
the
city
for
us
to
be
very
specific.
It
seems
like
in
part
that
accountability
isn't
really
with
HR,
but
it's
with
the
individual
departments.
A
That's
hard
to
make
consistent,
but
I
know
there's
some
things
out
there
that
we
could
do
to
make
a
pretty
to
help
drive
accountability,
to
make
an
impact
fairly
quickly.
Here
so
I'd
like
to
put
make
that
motion
to
try
and
incorporate
an
analysis
of
that
within
this
year's
audit
plan.
Could
I
have
a
second
super,
a
motion
on
this
all
in
favor,
please
say:
aye
aye
opposed
Thank
You.
Mr.
C
C
C
You
have
asked
in
the
past
for
an
update
on
the
state
auditor
findings
and
what
we
do
and
what
we've
what
we've
done
here
is
we
don't
I
want
to
be
clear
on
what's
getting
presented
here.
Audit
does
not
go
in
and
validate
the
remediation
of
the
state
auditor
findings.
Rather
we
just
corroborate
with
the
finance
department,
specifically
the
controller
on
their
progress
today
and
then
keep
you
guys
appraised
of
what
that
is.
Happily,
there's
really
just
two
things
that
are
outstanding.
C
One
is
around
loan,
see
documentation,
that's
going
to
require
a
system
implementation,
and
so
that's
why
you
see
in
August
of
2017
date.
The
min
system
which
are
currently
using
is
getting
replaced
and
it's
something
that
we're
helping
them
look
at
helping
IT
gather
some
minimum
requirements
on
in
the
work
that
we're
doing
and
and
the
other
one
being
the
prompt
payment
of
invoices
and
they're
continually
working
on
that.
C
I
will
say,
but
by
by
June
I,
think
we
hope
to
see
that
finding
drop
off
of
the
audits
or
the
state
auditor's
report
in
meeting
with
with
AP
and
our
risk
assessment
process.
We
got
a
better
understanding
of.
Why
we're.
Why
we're
seeing
these
late
payments
on
the
state
auditor's
report
or
their
opinion
of
it?
And
it's
not
that
the
invoice
doesn't
get
to
AP
timely.
It
said
it
doesn't
get
back.
C
Ap
sends
it
up
for
approval
encoding
that
sometimes
it
doesn't
get
back
to
them
and
enough
time
for
them
to
payment
to
pay
it.
So
they
won't
pay
it
until
it's
approved
by
the
appropriate
person
in
the
city,
and
sometimes
those
approvals
can
take
a
while,
because
either
the
invoice
isn't
clear
and
it
gets
potentially
misrouted
or
there's
a
lot
of
information
that
the
person
on
their
needs
to
check
off
to
make
sure
that
we
are
paying
it.
C
C
Sometimes
we
don't
get
a
clean
invoice
so
making
sure
that
when
we
get
findings
like
this
from
the
state
that
that
those
two
dates
they're
comparing
are
from
that
clean
invoice
date,
not
just
the
invoice
date
that
comes
from
a
from
a
vendor
I
mean
you
could
put
any
invoice
that
you
wanted
on
till
you
could
put
it
already
a
year
passed
and
once
we
get
it,
it's
already
overdue.
So
hopefully
that
will
help
out
a
little
bit.
I
C
Mentioned
before,
but
I'll
bring
it
up
again.
There's
there's
three
of
the
24
findings
from
the
prior
audit
team
left
open
we're
currently
working
on
those
and
getting
traction
on
those
and
the
two
audits
from
20
15
produced
those
14
findings
again
working
with
those
departments
and
leaders
on
their
remediation
plans
and
dates
and
we'll
have
once
we
get
that
solidified.
That
will
be
much
more
transparent
to
myself
and
the
Audit
Committee.
And
then
we
will
stay
appraised
of
the
progress
on
those
and
report
to
you
that
at
each
meeting.
C
One
of
the
things
that
I
mentioned
last
year
was
this
idea
of
third-party
governance,
and
so
I
wanted
to
get
back
to
it,
because
we're
solidifying
this
more
and
more
in
the
audit
department,
I'll
first
explain
what
I
mean
by
third-party
governance.
A
third
party
could
be
a
vendor.
It
could
be
a
partner,
a
strategic
partner.
It
could
be
a
grant
sub-recipient
any
entity
that
we
contract
with
or
work
through,
to
do
to
provide
services
or
do
something
on
behalf
of
the
city.
C
One
we
put
together
this
this
illustration
to
help
understand
how
we're
going
to
approach
this
work,
and
if
you
remember
in
some
of
our
earlier
discussions,
we
talked
about
this
three
lines
of
defense:
the
internal
audit
mall
three
lines
of
defense.
We
take
that
same
approach
with
third-party
governance
and
trying
to
illustrate
how
or
visualize
what
this
looks
like.
So
the
first
line
of
defense
for
the
city
is
really
the
contract,
execution
or
the
grant
execution
and
that
vendor
risk
management.
This
happens
with
the
city
employees
who
deal
directly
with
these
third
parties.
C
It
usually
lives
in
the
department's.
The
second
line
of
defense
are
functions
of
the
enterprise
that
help
facilitate
that
process,
so
contract
management,
finance
management,
grant
management,
I,
t
security
management,
the
City
Attorney's.
So
there's
there's
a
lot
of
functions
that
happen
within
the
city
to
to
help
that
first
line
of
defense,
when
they
both
arrange
for
a
contract
to
be
executed,
but
in
the
facilitation
of
the
continual
facilitation
of
that
again,
we
see
yourselves
as
that
third
line
of
defense,
but
differently
from
the
models
that
you've
seen
before.
C
A
You
I
just
want
to
jump
in
here
and
say
yeah.
This
is
the
speaks
to
one
of
the
audits,
a
fairly
small
audit
on
our
2016
work
plan
it.
It
is
important-
and
we
have
seen
in
the
past
when
we've
worked
with
partners
that
didn't
have
the
kinds
of
checks
and
balances
that
we
expect
from
from
a
city
relationship.
A
C
You
manager,
a
few
things
that
we're
doing
in
in
this
regard
to
third
party
governance,
we're
building
out
some
templates
for
departments
to
use,
so
they
can
sort
of
plot
their
third
parties
and
help
get
a
visual
understanding
of
where
those
high-risk
ones
are
where
they
should
be
focusing
some
of
their
activities.
We're
also
developing
some
sort
of
core
audit
procedures.
C
So,
if
we're
doing
an
audit
of
an
area-
and
it
happens
to
be
something
where
there's
a
third
party
involved-
we
can
pull
some
of
these
perceived
standard
procedures
out
and
execute
them
where
they
make
sense.
I
get
some
of
this
work
and
sort
of
get
that
coverage.
You
know
push
this
theme
through
some
of
the
work
that
we're
already
doing
so
we're
putting
together
some
of
those
sort
of
standard,
auto
procedures
that
we
can
plug
and
play
into
some
of
the
audit
work
that
we're
going
to
pull
off
this
year
and
then
accounts
payable.
C
The
accounts
payable
audit
on
the
audit
plan
is
also,
if
you
think
about
it,
a
second
line
of
defense
here
in
the
third
party
governance
work.
So
we're
going
to
look
at
them
and
get
an
understanding
of
some
of
the
how
they're
managing
some
of
that
third-party
risk
that
they
own
from
an
accounts
payable
perspective.
This.
This
is
a
big
effort,
indels
it'll
roll
out
sort
of
slowly,
but
we
want
to
start
a
little
bit
stronger
this
year
in
and
getting
departments
involved.
A
Great
questions
or
comments
on
this
part
nope
may
have
a
motion
trees,
even
file.
The
update
from
the
internal
auditor
and.
G
A
Those
in
favor,
please
say
aye
aye
opposed
the
eyes.
Have
it
in
this
report
will
be
received
and
filed.
The
next
item
on
our
agenda
is
the
performance
review
of
our
internal
auditor.
Well,
Tetzel.
The
committee
will
adjourn
to
room
321,
that's
the
weber
pond
room
and
for
those
on
the
dais,
that's
off
to
your
right
for
that
performance,
review
and
we'll
be
looking
to
have
a
closed
session
on
that.
Thank
you.