Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
City of Minneapolis, MN / 2019 Minneapolis City Council and Committee Meetings / 19 Aug 2019
City of Minneapolis, MN / 2019 Minneapolis City Council and Committee Meetings / 19 Aug 2019
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: August 19, 2019 Audit Committee

Description

Minneapolis Audit Committee Meeting

https://lims.minneapolismn.gov

A

I remember seeing that video.

B

Good morning welcome to our regularly scheduled audit committee. My name is Lenny Palmisano I'm, the chair of this committee, I'm joined by members, David Fisher, Scott, Neil and councilmember Jeremy Schrader. We are a quorum of this committee and are authorized to conduct the city's business. I want to welcome. Welcome back you get lasso, eight she's returned after medical family leave and we're thrilled to have you back and I will point out before you the agenda. We are accepting the minutes of June 10th.

B

We have an audit plan update, including one IT consult report to consider and publish. Today. We also have our regular report of the internal auditor and then announcements. After this we will be a journey willoughby's, which is essentially functionally continuing this meeting to September 11th, so that we can also receive the police off duty work- audit report that isn't quite done at this time. So that's the agenda before you may have a move to adopt the minutes.

A

All.

B

Those in favor, please signify by saying aye aye. All those opposed that carries. May I also have a motion to accept the minutes that are before you from June 10th. Okay, all those in favor, please signify by saying aye aye opposed that carries next, we'll go through our well the way it looks on it.

B

This is a little bit different than it has been in the past, but we will start with our new business, which is the draft IT analytics hub console report before you and here to guide us through that today is our director ginger Bigby, welcome.

C

Thank You chair Palmisano audit committee members, I'd like to introduce our IT and cybersecurity audit can Sultan Sam butterman from Baker Tilly who completed the IT analytics hub, consult she'll present. The report then we'd like to invite up arrow Kilson, who is IT director of data and analytics services to speak about management responses. Sam.

D

Perfect, so just a brief summary for you, you know. Data and information at the city of Minneapolis is a really valuable asset and and really this audit was conducted in accordance with the IT data and analytics services team and really formed, which was really formed to help aid departments and the understanding using of data and and really making an accessible across departments and across the enterprise to help drive efficiencies. And so after the team was formed.

D

The IT analytics hub has matured over the past two years to help drive informed data making decisions and, as that analytics hub, has continued to mature.

D

There was a request for audit consultation that came in which kind of leads to the scope and approach that internal audit took to work with the ite analytics hub team and really kind of the two primary objective of the consultation was to first look at data governance and provide kind of best practices, recommendations around policies, standards processes to really help support initiatives than the I to data data strategy that was created when this group was formed.

D

The second kind of portion of the scope that we looked at was IT analytics hub access management, so really looking at logical access controls around the analytics hub to understand how they're operating today and kind of value-added recommendations there, which really reads leads into you, know for kind of overall recommendations or high-level observations that we had as the result of the consultation.

D

So the first results our recommendation with that the city should work to formally develop a data, governance, Charter and really creation of a dated governance charter helps communicate the value of data governance to business users. It really provides direction and control over the data and information so that you that have access to it can trust and rely on it and really kind of what you see on the screen.

D

Now, with all the different benefits that data governance can help drive, but it really clearly defines people access inventory of data content, quality security, so really creating governing principles and controls that help drive data governments, as it relates to information and information security.

B

Mis butterman, we do have a data governance workgroup in your work with the city. Do you have any conversations with that workgroup so.

D

We did talk with the IT data and analytics hub team and had discussion about the working group and some of the initiatives that they're trying to drive and really I think. This recommendation is to work to create kind of a formal data governance policy that maybe some of those informal initiatives or goals that they've taken on really solidifying them in some sort of a governing document. That will help formalize and communicate the importance of those initiatives that they're taking on and.

B

Also, do you tend to see in your work in through consulting that other cities? Other municipalities have taken on a policy whether it be in an ordinance or just a more of an internal policy and municipal level policy. Yes,.

D

Chair Paula, Paula Sano, that's a that's a good question and I think as it relates to the IT analytics table or the analytics hub in general.

D

I think creating an internal policy I think is a good starting point and then I think, as it relates to other municipalities that that I've worked with typically is an internally driven policy, and then it also correlate to the IT governance policy so kind of having two separate ones, one related to data governance and one related to IT governance, but but really in a very city by city, as as it relates to, if it's formalized in in the definition of an ordinance or it's just something, that's internally governed. Thank you. Thank you.

D

So that was really. The first recommendation was, is really that formal creation of a data governance Charter to help communicate the value.

D

The second recommendation that you know we had based on the result of our conversation with management, was working to develop a data classification policy and really a data classification policies. Primary purpose is to ensure that information is handled or managed with the threat that it poses to the organization and based on our conversations with the IT analytics hub group. You know we do understand that.

D

There's the Minnesota government data practices acts which which the city is in compliance with and really you know, kind of building upon that through the creation of a formalized data classification policy. So the first step would be to ensure compliance and alignment with the Practices Act, but then, above and beyond, you know, performing a risk assessment of the data and information collected by the analytics hub and really an initial assessment should be performed on each related data set to assign an associated level of risk, which will really help manage things above and beyond.

D

Just the baseline data Practices Act, but but go in to date, taking a risk-based approach and how to classify information and data. And then, after the risk assessment is performed, you know really the creation of a risk management plan based on that risk assessment. And again this is specific to information that's collected as part of as part of the analytics hub. So really taking a three pronged approach to creation of a data classification policy.

D

You know working through the Practices Act, which we have shown on the screen here and then up and then building upon that through the creation of risk and risk through the through the creation of a risk assessment process and assigning risks, and then creation of a risk management plan for each associated risk.

D

The third recommendation that we had as a result of the consultation was to work to gather more enterprise support through the following methods.

D

So the first item on here was operationalizing the enterprise data strategy, so creating an enterprise data strategy statement to create a roadmap for how to obtain handle, manage and store data through the key pillars defined within the existing data strategy, which are listed here so so really taking making the data data governance policy for how we should manage information, creating a data classification policy for how to classify it and then creating a data strategy to communicate to business users of the analytics hub. You know what those three different approaches are.

D

The second way to establish or gain enterprise support is the creation of a working group and data stewards. So we previously mentioned the the one working group that exists, but I think, above and beyond that.

D

Creating a working group to a stab to establish any high priority or high rule is high risk related data issues and then second, would be the creation or assignment of data stewards, so defining a data steward across each business department to help ensure that the quality and the accuracy of the information coming from individual departments is complete and accurate as it's being passed off to the analytics hub and I.

D

Think part of that as well in my discussion with with the stakeholder group, was understanding that those folks that serve and those data stewardship roles really need education and training to evaluate the quality and the accuracy of the information that's being passed to the analytics hub, so making sure that those people have a chance to develop. Those skill sets.

D

The third way that we identified to establish enterprise support was the creation of a champion story so, based on my discussion, the analytics hub has, in certain departments, really helped in driving data, make make data made decisions, and so creation of a champion story of the department who's really been able to leverage the analytics hub to its full potential, to create a one-pager summary to share with other departments on here's a way to leverage and really drive value through the analytics hub.

D

Because, based on some of our initial discussion, it sounds like there may be some departments within the city that are more heavily relying on it and some that maybe aren't relying on it at all, so creating kind of a one-pager summary to provide to other departments to help understand what the analytics hub can do was another recommendation that we had here.

D

The last recommendation was related to some of those logical access, internal controls. So, as part of our work with the analytics hub, we looked at kind of logical access controls so who has information contained within it? The analytics hub is it appropriate, and how is that access reviewed and as a result of that, we had kind of some more detailed kind of recommendations so for access requests a lot of time, users that are being granted access to the information.

D

The request is just done, informally through an email, so so really kind of creating a formalized approach to requesting that access, so that it's documented appropriately through a service ticket will just help ensure that least privileged access is followed.

D

The second recommendation that we had in relation to logical access controls was transfers. So right now when transfers happen throughout the city, the analytics hub team is just notified kind of on an ad-hoc basis. There's not really a timeliness aspect associated with it. Nor is there necessarily a requirement for that. So the recommendation would be that employee transfers are part of kind of the overall transfer process within the city when it comes to logical access to ensure that these privileged access is being followed.

D

I think the risk that we see here organizationally is that oftentimes we have folks transferring between lots of depart and then over time they get more and more privileges as they transfer and so really following that that best practice of lease privileged access to ensure that users don't have access to data that they don't. They don't need as part of their job requirements.

D

Ms.

B

Butterman I'm not sure how to put that into context. One piece is that one of the ways we can be less siloed as an enterprises, and we have people working in different departments. You know bringing that transfer of skill or transfer of knowledge and knowing how something works moving to a different department and maybe seeing how some cross-pollination of data would be more valuable. I appreciate that, yes, the least privileged access piece is is important, but how often does that happen?

B

Do you have a sense of how often people are transferring within the city to different departments? I do.

D

Not have insight into how often the the that people are transferring within departments I. Think overall, though, I think it's a risk that it should be noted and I see what you're saying as it relates to you know: keeping things siloed versus working organizationally across the enterprise I think the in informing the analytics hub that someone is moving department areas I think is key to determine whether they do need access to that debt or not. There may be instances where someone does need to retain those privileges but I think oftentimes.

D

What we can see happen or a risk that we do see is that over time, more and more privileges are granted with no revoking of privileges that they don't need. So just ensuring that you know we are following the best practice of least privileged access and then, if additional, if additional approvals or additional access is needed, we can always request that information.

D

But I think this helps ensure that when we think about data classification, that we don't have individuals who maybe have access to restricted or confidential information, that in a new role, don't need that so sent anymore. Sure. Okay, thanks yep.

B

And then actually, if I may, since we have pause, mr. Fisher has some questions as well. Good.

A

About this IT stuff, I'm miss bottom, and thank you for being here today with respect to the discussion about transfers. If you also made recommendations concerning employees or a leading city, employment and their how they are terminated from access, correct.

D

Chair Paula, Paula, Sano and committee member Fischer, we did review that as part of our review of logical access controls. We felt that though the D provisioning and termination process, as it related to the IT analytics hub, was being done in accordance with best practices, so as it relates to when an employee is terminated, it's part of the overall D provisioning process to ensure that their access is removed.

D

The analytics hub, as opposed to some of these other recommendations that we have here, it's maybe more of an ad hoc request or something that's happening not in accordance with like an enterprise driven process, I see.

A

Thank you. If I may, a couple of other questions, you've indicated the recommendation of our public creation of a champion story and just do departments have the option of whether you use the analytics hub or not to populate it or to receive data from it. Correct.

D

And I believe as when aro speaks, he'll speak in more detail to this as well, but my understanding of the analytics hub is that departments can and use or not use it as much as they would like, which is why we had the recommendation of the creation of a champion story, because in my discussion we found that there are some departments like I. Think the police department is one of those that really leverages the analytic hub to create data.

D

That's usable that can help just drive decision making skills and then there's other departments at the cities who have chosen not to use the analytics up at all.

D

So there is no requirement that departments have to be using the analytics hub and that's why we had the recommendation of the creation of a champion story, because, based on the information that I've received, it sounded, like some departments, may not understand kind of the value or the results that can that can occur from from the utilization of it and so creation of a champion story or selecting a department or group to highlight and kind of outline. This was the year.

D

This is the problem: here's how the analytics hook help solved it and kind of creating a one-pager or summary we're hoping would help would help garner enterprise support for some of those groups that aren't currently using the analytics up today.

A

And do you see this is an issue that should be better addressed, I mean obviously you're. Creating the champion story would would help so you're indicating perhaps that this is an analytic tool, there's not being best utilized to the benefit of the departments that are ignoring it.

A

Would that be a pretty collision I.

D

Think that there is the opportunity for departments, enterprise-wide tomorr, fully utilize, the IT analytics hub I, think. Currently, it is on a department by department basis who is choosing to utilize. It I think there is a lot of value in leveraging a tool that we have a specific department and a team built up around it and that I think of best practice recommendation what it would be that it is used enterprise-wide. However, I think we need to get this I think that's.

D

The relation of this recommendation is to kind of gather that Enterprise support to provide site into how it's used, what its utilized for and how it can help those departments that aren't utilizing it now. I think the other thing to take into consideration is there may be some departments that have legacy ways of how they're populating reports or data or information that they don't want to have to go through the process of kind of recreating it in a different tool.

D

But I think there is more value, the more departments that are using the analytics hub, because it helps with the cross sharing of data and then also helps to create kind of a streamlined process. For how information is being collected. The security surrounding the information in the analytics hub, as well as how that information can be utilized for cross event across departmental reporting.

A

And you find, in your examination that there's any training that is the animal the IT group provides for the use of the analytical analytics hub, I. Think.

D

That would be part of the secondary recommendation here: the creation of working groups and data stewards so to provide that training. I think there are instances when training has been requested by the analytics hub team for a different department and they've been able to fulfill that request. I, don't know if there's a training, that's provided enterprise-wide on an ongoing basis by any means, but I think the creation of as well data stewards.

D

So having that identified person within these Associated, Department or business line could help to kind of provide insight or clarity into maybe some of those common questions that end-users have okay.

A

Well, thank you very much.

D

So continuing on to the last portion of recommendation, 4 was user access reviews so a best practice we have as part of IT general controls is that a user access review is performed on a lease an annual basis.

D

Currently there is no user access review, that's being performed on the IT analytics hub, so the recommendation would create a formalized user access review process and again this goes in in combination with the provisioning and de-provisioning and transfer control to two and sure that users don't have access beyond stated job responsibilities and so I think in correlation to creating a data governance policy, creating a data classification policy.

D

These logical access controls tie really nicely into those other recommendations which will help ensure that you know end users can only view information that is related to their job functioning and nothing beyond that. So that was the last recommendation that we had as a result of the IT analytics hub consultation.

D

Is there any other questions that I can answer at this time before arrow comes up to speak to some of the management responses, I'm not seeing.

B

Any thank you for your time. Thank.

D

You to the folks.

B

In welcome.

B

Mr. Cookson, as you come up here, could you help remind us and just kind of set the context for this consult like what was it? We were looking to get out of this specific consult from the perspective of your.

E

Home asan, one of the goals of this, is to take the leads to focus on the governance component, because what we are doing right now is implementing a data strategy which is laying the foundation for the architecture. The skill sets the standards, the policy of maintaining information, consolidating it into our analytics hub and also identifying opportunities for improving data quality once that foundation. Is there the way to make sure that that data strategy is moving forward?

E

Is by creating this data governance, which of course, as you mentioned before, would be under the information governance policies is consider these as work groups. That will create some recommendations for the information policy. Terrific.

B

Thank you. Go.

E

Ahead: okay, so first I wanted to lay out the fact that we are working on a data strategy which is related to data governance that are complementary. You actually will be releasing the broader data strategy when we get to the state of data in autumn, so we'll relay out the all components. What we've done is by assembling the team, creating standards and creating this analytics hub and, among other things, what we're doing is making sure that their standards repeatable.

E

We have structures that can control the access we have tools by which we can identify data quality issues or, and also, first and foremost, bring data together, so that departments can work together. So the analytics hub is just this one: implementation of the broader data strategy. The data strategy, extends also, to any time we're bringing a new application, we're developing an application, we're making sure that the standards of access did quality.

E

The fact that those making sure that the new systems that are coming in adhere to some of our goals that support our analytics and reporting goals. So, as you see here, first we're looking at the data strategy, we've taken an approach of developing a data strategy to create the standards, as I mentioned before our first implementation.

E

Our most notable implementation is through the analytics hub, as well as through working with implementation of new business systems and making sure that there's our sexual standards followed there, but with this analytics hub, people actually have a tangible example of what data means to them, means them and also the opportunities of or an needs for, overall data governance. So by creating this analytics hub, which is a centralized repository of data from business systems across the city. Now we have something tangible to talk about.

E

Instead of just saying we want governance and let's talk about in the abstract, here's a tangible example of this. It is.

E

Part of the overall governance, because of now we can reference the standards and procedures that will be recommended from the IT group, and now we need the department's to come up step up now that we have this platform. How do we use it properly?

E

I should say also the data strategy and some of the components that you see in here would be working not with just IT analytic data, analytic services, but in conjunction with, as I mentioned before, the department's, the city clerk's office and our new newly hired chief information security officer, dia, Abu, chakra who's, a great addition to the city and he'll be working with us with us closely to make sure that the access, the structure, the security groups that we've created will be carried out and he'll continuously work with us and make sure that we're those are resilient and they're continuing to be vital.

E

So what the data strategy and the work that we've done is the hard work that we have to do. That's really the foundational work before we can get some other, really beneficial outcomes that you might see from being data-driven.

E

So as we walk through this and again we'll be walking through, this is just our these first two slides that I'm, showing hourly the base portions a one-pager essentially on those two sides of the Analects.

E

Excuse me the data strategy, and so we lay out what it means why we need it here, the basic area, so the focuses that we look at standards and procedures all the way from the creation of data collection of data through how it's stored, how its accessed, how the tools that we have and the information that we have so people can use that data properly. All the way to some of the things that we would learn out of using the data and then remembering that we can circle back so that we can prove the data.

E

We can also tighten down some access, if need be. So with this in mind as we talk about the data governance strategy and we go through these recommendations. Now we have this actual technical implementation by which we can build the structure that includes the departments and formalizes that and we'll make that recommendation to the information, governance policy committee and it'll be added as part of the policy. So as I mentioned before, when we are looking at the first appreciation of data governments charter, this would be a charter for that workgroup am underneath the governance policy.

E

So we agree with this again. Our mean reaction to response to this overall study is that we've created a technical platform. Now we know we have to make these formalized groups and operationalize our data strategy so that people know how people departments we also are clear to the public, how we're maintaining the information, and then we also are- will be driving, get collaboration with departments, understanding that the information is important to us and it needs to be kept at a higher standard.

E

With the start of a nation to the creation of data classification policy and risk, this again is one of the examples of what we have the platform's. We have the tools to monitor or to track and classify the information. This will be in conjunction with our chief information security officer from a security classification and also that the city clerk's for data practices so we're pulling together a a structure.

E

A data structure will elute, we will be classifying it and documenting it, and there'll be a central repository by which you can identify information that is perhaps secure.

E

Perhaps what the data means, but it will also be able to pull all of those different disciplines together and so that we have a better control of a better understanding of what our information is, where it is and who has access to it so that any of our policies and procedures in order to maintain or gangrene and grant access to some information again with, in conjunction with the city clerk and our chief information security officer, we have a much higher level of confidence that that can be implemented consistently.

E

There they established the enterprise support through working groups and data strategy. We are in the process of working with some of the groups to work along with data.

E

The way that most information, actually all of the information that comes into the analytics hub, is turret engagement with the departments they have a data, need they have a reporting need, so we work along with them, add their information into the analytics hubs, so that's accessible both to them and to a broader audience within the city and also, as part of the console, occasionally identify some information that shouldn't be necessarily available to the rest of the of the user base.

E

So we have this structure now we just need to bring the departments in order to play a part with that. So we have started with pilots on formalizing their the department's roles, particularly the police department. Public works around the mobility activities that you've seen recently and then also with cpad, particularly with the development services department, so working with these departments to implement the standards, and it's important that the people within the departments are collecting information are the ones you know most about it.

E

So we work with them to make sure that we identify the standards so by the recommendation for this audit is now we need to formalize it and make all of these things much more visible to people describe the groups discard the roles, make it clear to what the individual departments to the individual departments, the roles that they need to put forward and then also what are the benefits and what are the responsibilities of the people that might be in the role say, for example, stewards or or what is the impact to point about before of departments and other departments who actually want to be using each other's departments we're all in this together?

E

Obviously, if you wanna be data-driven, there needs to be some sharing of information, and then we need to each of the efforts of adding information will actually be just additive. We're building in that central place we're not making in sets of data marts throughout the city, we're working together in that central place to therefore weaken centralized stairs. We can centralize the governance, we can centralize the security and we can look at the information in the context of other departments. Therefore, data quality improves.

B

Mr. Cookson, a question are coming from mr. Neal. Thank.

F

You, madam chair mr. Cookson, it seems that the the classification of the data is a pretty important staff, ending it process and I'm wondering how that's done now and how you envision that happening in the future. Is it self classified by whoever creates the data or is there? Is there somebody else? That's that's getting involved in that process to sort of classify it from the outside.

E

Chair Paul, Masson, Kuhn limiter. You know that actually is an example of the broader effort that we have and the description of going from the data strategy into governance we've created. We have the skill set and we've created the discipline and as we review the data within our group in conjunction with the city clerks who are identifying those those classifications for each of these things, also adding in as I mentioned before, a new chief information security officer.

E

So, but what you hear is that these things are being done within the heads of the small group of people. We now need to kind of bring it out and bring it to more of the light of day and operationalize it. So it's not just this small group of people who are implementing, so the standards are being enforced, they're just not documented, and there isn't a and there isn't a formal way that we would say.

E

First, you need to the department needs to offer a representative data steward and we work through with them to identify the different categories. But again they might have an idea that something should be classified as such, but there's a state law and also some industry standards that we would might say. Otherwise. Thank you. What should have arrived.

E

Thank you part of the conversation when it relates to the strength and logical axis control. We were mentioning about transfers, there's been a good process when somebody enters the city or exits. The city of removing the access to this information. Part of the reason that we went to the analytics hub is to centralize the security from the data of that people have access to before. There were a lot of tools.

E

There are a lot of repositories and it was scattered throughout and the perhaps of different level of rigor about accessing and removing access to the datasets, but going together to that single analytics hub, we now have there's a single place: we've created a standardized structure of security groups, so that's people leave. They can be added or be removed, as people come in they're, given only that which they need if they move from one department to another.

E

Again, most of the analytes hub is available to everyone, but there are those data sets that are not that shouldn't be available to them just because of the nature of the information. So, by creating these standards now we have something to attach these documented structures and governance to we can easily enforce it. So again, it's an example of with the data strategy.

E

We can say that we want to formalize access control and in conjunction with the chief information security officer, but instead of us having to say that we can do this a couple of years from now. We actually have it in place, and now we can formalize it, and we can implement immediately keeps the attention if people can see direct impact for what they're doing, by applying it immediately with the analytics hub, which again it's just a portion of the overall data strategy, but it is one that will impact the most.

E

The most number of people are the greatest number of people.

B

Thank you, I'm, not seeing any other current questions or comments from my colleagues. I want to thank you for this. We've had state of data reports over the past couple of years, and we have this small but very mighty IT and data and analytics team led by you, mr. Tupman.

B

It's really important, because what movement, what miss butterman said at the very beginning, is critical, that the data of our city is a big asset and nobody gets to begin from start to lay this foundation from the beginning before there is all of this information. It's always going to be a retrofit of sorts and helping us get appropriate controls over it and and to have control over it so that we can direct it for the better for the betterment of all the city services we provide it.

B

This is the hard part of that, so I really appreciate you and your team, and your availing yourselves or working on this consult with Baker Tilly. So thanks.

E

For bubbling, I would like to add speaking of the team, to thank Pam health who's, a bigger it was a very significant part of the creation and implementation of the data strategy, and this report so great asset to the city. Superb,.

B

Thank you, ma'am thanks for your time with no further questions about this specific consult, I'm going to make a motion to both receive and file the report and direct staff to publish the report. Lest there be any concerns from my colleagues, can I have a motion for.

F

That.

B

You may kiss thank you all those in favor, please signify by saying aye aye opposed that carries, and this council rotation report has received and filed and also published next we'll go through the auditor update with director baby.

C

Thank You Tara, Palmisano, Audit Committee members of to thank miss Bart Ehrman and mr. Kosan for presenting the IT analytics hub, consult report. I wanted to add two comments on that. It was a consultation because the analytics analytics hub has only been around a couple of years and it's still under development. So we thought waiting in now was an easier opportunity to make some minor course corrections before a program is fully developed and fully implemented. Then you come in and do an audit it's hard to to redo things from the beginning.

C

So we really appreciate the analytics hub, inviting us in for the consult. I also wanted to speak to committee member Neal's question about data classification. As a reminder, we had a records management audit in 2015. One of the findings was coming up with the formal data classification methodology that audit issue is still open and it's due to be remediated December of 2020. So this all kind of works together with our enterprise data, governance approach, committees and work groups.

C

I think that the city is coming together to get a handle on this, so I'm excited about what lies ahead. For 2020.

C

Okay for our audit work and process, our big audit right now under way is the police off duty audit, the off-duty work at it. So we are analyzing police off duty, work, policies and procedures, looking at processes and internal controls and analyzing raw data to see where we can offer the most value.

C

We are finishing field work this week, we're beginning to vet issues with management. We expect the report to be ready in two to three weeks and we have a journey audit committee sessions, September 11th, to present that final report, because off-duty work is not managed by the city.

C

We needed time to interview management, really understand all the disparate processes and understand what's working well, where we might have some process improvements, so the police making themselves available and all the precincts we really appreciate their time and for a time we had only two people and the on the audit team to get through this work.

C

So we appreciate everyone hanging in there and I will be wrapping up this week for the off-duty work, more specifically we're looking at policies and procedures and oversight and monitoring under governance for processes that would include how site coordinators coordinate, off-duty work, how the city approves sites for off-duty work, which officers are approved to work at which sites how data might be collected and aggregated, how our systems are working for these processes and efficient use of city resources such as use of squad cars for off-duty work.

C

The data analysis is obtaining raw data that is available and analyzing it, and how? What might we better be able to leverage that for informed decision-making going forward, we're also doing benchmarking? So we've worked with approximately ten law enforcement agencies around the country, who have been so kind as to answer a short survey, provide us copies of their policies and procedures, so we're creating a summary of all of that work that will also be in the report.

C

Are there any questions on this audit in progress.

C

The park board enterprise risk assessment, consultation is in progress. We provided training in spring, they needed the summer off because that's their really busy time. So we have the first work group scheduled in September and then the first pilots scheduled in September. The work group is designed to do a mock run, in effect we're going to get together with the eight subject matter. Experts, the first pilot in September will be information technology, so we'll do a mock run of that pilot. Make sure everyone's clear on their roles and responsibilities then conduct the pilot.

C

As a reminder, the enterprise risk assessment is area by area. What are the risks to delivering services within this function? Then? What are your controls to mitigate that risk?

C

How are we allocating resources wherever we find that there are gaps or remediation needed, then there would be a management action plan, so this subject matter, expert team is going to be tasked with monitoring that management action plan and assigning the action plans to appropriate management, in effect that they're building out a second line of defense, where the first line of defense are the frontline managers and the people carrying out the day-to-day activities.

B

Director baby, can you tell me who will you be working with specifically at the park board for these different who are part of these pilot programs and maybe what's a little bit about the difference between the functional difference between the workshop and the first pilot.

C

Sure, chair Palmisano audit committee members, Jennifer Ringgold, is the deputy superintendent at the park board. Who is spearheading this initiative? She has identified eight subject: man sorry-sorry subject matter experts across the park board, which includes the Park Police these eight subject matter. Experts from various departments will conduct all of the assessments and all the functional areas so that as they learn, they can implement the same process and have some consistency throughout the first workshop is a mock trial.

C

Run of the first pilot, so will will pretend to go through the first pilot and work out any kinks so that when we do do the first pilot a couple weeks later, we'll be working with the actual information technology managers.

C

An information technology is the first pilot. The second pilot is going to be the aquatics and Ice Arena Department, and that will probably follow in October, depending on how the the first one goes in September. Then internal audit will then pull back unless there is a need for us to continue helping with the pilots and park board. Subject matter. Expert team will continue doing this for all of the park board functions in 2020.

C

I'd like to introduce a common Aled, a internal auditor who will speak on the status of the contract, amendments on it.

G

Madam chair for the community members, my name is Colin I'm, a member of one of the foreman of the team. I would like to provide an object on the entire amendment audits. The objective of this audit is to ensure key control in the city environment processes, properly design and operating if effectively to mitigate operational compliance and fraud. Risk we've issue the scope memo in June and we are in process of conducting walkthrough with procurement and IT, analytic, hot and the field work will start this week.

B

Thank you. Many questions or concerns I would.

G

Like now, what you told we get four more updates. Thank you. Thank.

B

You Miss lasso, head.

H

Thank you come on good morning, everyone chair, Palmisano community members, I just wanted to provide a quick update on the citywide grant management audits. We completed phase one back in June I think the report was present presented at the June. Are the committee meeting? We are in the process of kicking off phase two which will have a focus on see ped, so we'll be reviewing grant management processes and controls at CPD, and we are hoping to start this audit by the end of the month or the first first week of September.

H

So that's just a quick update on the grant management audit for now and we'll have more updates at the next Audit Committee meeting. So I'll turn it over to ginger for more updates and then I'll come back for professional.

B

Stuff before you go just young question, can you clarify the need for the Phase two for the CPA audit sure.

H

Palmisano committee members, when we first started the grant management audit, we had selected two city departments to review and sip ed was one of them, but due to some scheduling conflict we had to postpone the department and because his City such a big Department for the city. We wanted to take time to really review their processes and we issued the first report and we'll go back in with UC. But now. Thank you. You're welcome.

C

Thank you. You get going onto our continuous monitoring slide. We have three processes that were actively involved with continuous monitoring, so there's some risk based on either prior audit work or emerging risks we're following up usually for a period of a year or so. If a sufficient progress is not made, then this area could end up become going on the audit plan again or if sufficient progress has been made.

C

We would just continue to monitor more informally through our annual enterprise risk assessment, so neighborhood and Community Relations we're still looking for that strong financial policy, that's communicated to the neighborhood each Neighborhood Association that receives funds. It's in progress NCR is changing their audit process and their financial policies. So we have one more meeting with them. This fall to see how that's going and that will determine whether they're on the audit plan again for 2020 data management, governance and privacy I.

C

We I just spoke about a prior 2015 audit that still has open audit issues, so we're monitoring for to make sure that the issues are on track to be remediated, and that includes privacy. So privacy has been working with City, Council and other city departments on developing principles.

C

The information security officer is working on a framework for information security, building out their risk management, so we're just keeping a pulse on all of that activity: finance, internal controls, that's internal controls over financial reporting finance has been working very hard to build out an internal control program they're on track to complete all of their control testing by the end of October. So right now we meet with them quarterly and we expect that to be completed by the end of the year.

C

The financial internal controls, if you're interested, would include accounts payable, accounts, receivable cash procurement, debt, capital management. What are the key controls over those processes and that's what this team would be testing and monitoring?

C

We have special projects, so we had been reporting on enterprise complaint management. That's still progressing, we're calling that a special project, because internal audit is a key player in that process. We most recently met with the city coordinator and we're looking at a single way to report complaints. We have very different needs from internal audit to city attorney and HR, where most of the complaints lie.

C

So how can we capture all of the data that all of us need in one reporting process we're also accessing the tool that we currently have improving access so that we can build out its capability?

C

One new special project is a special request by C ped, the C ped living cities program that they're going to be sending us over some documents about how C ped might contribute to a living city's program. That will be a revolving line of credit for the north side, they'll be sending over a documentation to internal audit where we'll review internal controls, financial management, conflicts of interest, ensuring that city, employee roles are appropriate for this program are.

C

There any other questions on that part of the update I.

C

Don't.

B

See any no okay.

C

Thank you I'd like to call up our other IT audit and cyber security consultant Tim McClaren from a wild card. We put him in a bit of a difficult spot to talk about security issue follow-up, because security reports as a reminder are non-public. So we're not supposed to specifically say what the security issue was, but Tim will provide us an update as best as he can on the progress of management of remediation of those issues. Tim.

B

Welcome mr. McClory morning.

I

Yeah, so we've been working with traffic and parking services to go through all their audit issues and closed them, and our relationship with them have been very positive. They've been very receptive to going through the issues and it's also exciting, because in closing one issue we found other issues that we could also close, so they have real impact of their security and their ability to ward off any malicious actors that could be on the network. So yeah it's been pretty fun, so you have a few more issues. We need to close.

I

There's no reason for us to think that we wouldn't get them closed on time, because we've been had a good working relationship with them so far, so so yeah I think that's all I've got so.

B

I do want to remind my colleagues that a very general nature of mr. McClaren's update is because that 2018 audit report, the Public Works traffic systems, was not in public, so the number of issues the severity all of those things couldn't can't really be discussed here on the dais. But it sounds like you're here to assure us that the management team is making adequate progress to resolve. All of the issues. Is that correct? That is.

I

Correct and.

B

You'll also help us make sure that any identity and any identified security concerns will be certainly remediated before these issues formally get closed right. That.

I

Is correct any.

B

Very general questions or comments from my colleagues, mr. Warsaw. No sorry councilman were sunny. What's.

J

The timeline to close out the the ongoing issues.

I

Chair amazon, moe, neighbor, worse ami I, believe end of November is the date that we have set with them.

I

Any other questions.

B

Third, thank you thank you for being here.

I

All right, thank you very much for having thank.

C

You Tim Tim, is also here were having some pre-planning discussions with police management on the body, worn camera and automated license plate reader, biennial audits that are coming up. This fall, so Ken attend will be kicking us off. With that I'd like to introduce internal auditor, Travis comm, who will speak to audit issue, follow up.

K

Welcome Thomas are members of the committee I'm just kind of simply follow up on the other issues, so we do have three other non public art reports that we still have open issues. I was still working through meeting and they're all making sure the remediate effectively through they have PeopleSoft webs Porter security, audit, water treatment and distribution. A key audit, as well as a peace information, security, IT audit I mean this kind of overview of our stats. The past couple months since I last met. We currently have 21 open audio issues.

K

Two of them I would touch on in a second here. We, how do we open them for some different circumstances, Cameron I kind of touched on that in a second and then we have an overdue odd issue from the police information security. Audit I was again I have a lot of specifics, but we believe they're all working through mediated I'm, just kind of reading on documentation that there is something in place that we can review and we've been in contact with management on that class as well.

K

We have 16 that was so entirely us and we may be able to close two sons. Last audit committee two eyes met, so they reopen other issues and the previously marked as valuation progress, but up on the view, discussion really opened them for the first ones, return to duty, MPD third party audit, so we're trying to do it, determination, and that was because a new process, so it's put in place and they kind of want to make sure it's effective and sustainable.

K

So we'll come back in and review it once it's kind of it and incomplete that way, as well as the police body, worn cameras is one outstanding issue: the mobile video access that, with the documentation and information we see, we felt pretty savvy better to retest as part of the upcoming pls audit body on camera coming up and next about months here as well there, and then this next two slides here, this kind of big detail, the ones that are open as well as validation, progress and the due dates and kind of what we're tracking as well and now like to turn over to your arm.

K

Yes, a lot for the state auditor findings.

H

Madam chair committee, members I'd like now to provide a brief update on the state auditors, 2008 financial audit. Please note that they've been offered the opportunity to present their important they'll, be here at the October 21st artists committee meeting to present the findings, but I just wanted to provide a summary and this audience was completed for the city, the park board and the Municipal Building Commission.

H

So just to give you a summary of their findings for the city, they have two new findings and one that was previously identified and not yet resolved and for the park board. There's one new finding and one that remain unresolved from last year and from the Municipal Building Commission, one new finding was identified and, as I said, I just wanted to provide a brief summary they'll, be here in October to present a full report.

H

So there are any questions at this time.

B

It looks like on our printed agenda that the state auditor Julie blaha will also be here for that yeah great I, don't see any questions. Okay, it's so.

H

I'd like to provide some administrative updates now and the first one is related to our department self-assessment.

H

So we are peer to peer review, so we've completed the first step, which is the self-assessment so basically making sure that our practices aligned with standards and the next step will be to update our policy and procedures and then have a peer review in 2020. So we think we on track to get the policy updated and have the peer of John 2020, and the next thing I wanted to talk about.

H

Is our training we've been keeping up to date with our trainings just to maintain our CPD requirements and also keep abreast of all the new developments in the industry and our department, members of attended trainings from aisaka, the IIA and the association of certified for examiner's, and we had our q2 training back in in june in the leaf and in terms of upcoming items, as I mentioned, the state auditors will be here in october to present their report and the police of duty are.

H

The report will be presented at the inn on September 11th, any questions all right. Thank you and now turn it over to ginger to complete our presentation.

C

Thank you. You get a chair, Palmisano audit committee members. We have two new audits we'd like to add to the audit plan. So I'll go right back to the beginning of the presentation.

C

Thank you, okay. The first audit we'd like to add is an a citywide giftcard audit. This will include the few departments that handle gift cards within the city. We are also going to conduct a survey of all city departments and functions boards and commissions that might handle gift cards, so we can be aware of those departments that may be handling gift cards and but not purchasing through the city, and then we expect to be able to pretty quickly wrap up this gift card audit and report, hopefully by the October 21st audit committee meeting.

B

There may be so all city departments will be included. Yes,.

C

Share Palmisano audit committee members, not that many departments handle gift cards, so the purpose of the survey is to find out if some departments are handling gift cards and we're not aware we're aware of just a few, and will this include the perk board. Yes, this will include the park board. They don't handle many gift cards, but they do handle some and they've already contributed management assistance to this process.

B

Are there any questions? Mr. Fisher Thank.

A

You, chair mamasan, no biggie remind me what gift card is Thank.

C

You, chair Palmisano out a committee member Fisher, a gift card is a card that is worth cash. It could be a target it's generally purchased from a particular vendor. So, for example, Target used with the Health Department as an incentive for an agreed upon process such as the health department's use of gift cards to incentivize attendance at training or health awareness clinics.

C

There could be various reasons for the gift card: youth, violence, prevention, cleaning, lead from your homes that sort of thing, so it has to be approved by the city or it could be approved by a grant, so grant funds could be used in some cases to purchase gift cards if it specifically says so in the grant. Also, we we also received gifts, gift cards from other organizations, so, for example, the Health Department receives some gift cards purchased through Hennepin County Hennepin County gives us the gift card, so now we're stewards of the gift cards.

C

We have to make sure that we have good controls over handling the gift cards in those cases and that we can track them appropriately.

C

Thank you.

F

And also just to clarify, does the city itself so the.

C

Way it would work a chair, Palmisano audit committee, member Neal, for example. The health department could contact the controller Lyle Hodges who would approve. If the purpose is appropriate, he would approve purchase of the gift cards, then a check could be issued or the check could be written out to target.

C

If you're going to purchase a certain number of gift cards from Target, then an employee would go to Target and purchase those gift cards for that purpose and they should be stored in a safe under proper, lock and key limited access to the gift cards, and then they should be appropriately tracked. Also, when gift cards are dispensed, there needs to be a signed form that the recipient received that gift card for the state of purpose. So there's a lot of documentation needed to ensure appropriate controls are in place.

B

Director baik VA, like how you have it on here, but just reviewing the effectiveness of these policies and making sure we have internal controls for them. I'm happy to to make that motion to approve adding this as an audit to our 2019 audit plan. I'll entertain a second Thank You councilmember Warsaw me seconded it all in favor, please signify by saying aye aye opposed that carries. Thank.

C

You our second audit that we would like to the add to the audit plan is an information technology, cyber security risk assessment. It would be an audit to assess the maturity and readiness of our cyber security program. We've met with IT deputy chief information serve both cousins and the new deputy, sorry chief information security officer, dia Abu chakra.

C

They they have a lot of work in progress, they're building out their risk management function as well, so we we determined that spring 2020 would probably be a good time for audit to come in and assess the maturity and readiness of the program. That's under development right now, I'm.

B

Happy to move to add that to next year's audit plan, any questions or thoughts.

B

Although sorry Ali will make the motion ISM 1 when I second, that councilmember Schrader. Second to that motion, all those in favor, please signify by saying aye aye opposed that carries.

C

Thank you and chair Palmisano audit can may be members. The last thing I'd like to draw your attention to is the appendix, at the very back of your handout.

C

And the appendix is just a full listing of the current audit plan for 2019 and 2020, so there are two that have the word ad in red. Those are for the two audits that you just approved: one change to the left for the water network, integration, consultation we've been working with the water management team. They have that in progress, but there are delaying the implementation of their new program. So we it looks like quarter to 2020 will be a better time for that consultation as they prepare implementation of their their new program.

B

Okay, I believe this audit plan is appropriately very ambitious and you've had some limited resources this past year. So I really appreciate how thoughtful you and your department has been at planning your work and making sure that it's always the most relevant and the most timely I think this is thanks to our heart citizen members, mr. Fisher mr. Neal, who have helped us get this level of rigor in detail in terms of what we expect from the audit Department, and you have you've- certainly responded to this. Are there any questions or thoughts about this plan?

B

I'm not seeing any I'll move to receive and file this update, as this update report and the work plan within it from our internal audit Department all those in favor, please signify by saying aye aye opposed that carries the committee members. Are there any announcements or anything that you'd like to add today? I will note that, as a reminder, the police off duty work. Audit report was not done, but it did seem like as soon as it was done. It would be most timely to get that into the public space.

B

So as soon as it is ready, we do believe September 11th M is is an appropriate date to shoot. For so I will adjourn us to the September 11th meeting at 10:00 a.m. here in Council, Chambers I know we won't have everybody here, but I appreciate those that can make it for the purpose of receiving the police off duty work audit report. We also might add a couple of other items at that time. I think you mentioned one earlier in your audit report. So until then thank you.

B

We are adjourned.