►
From YouTube: August 19, 2019 Audit Committee
Description
Minneapolis Audit Committee Meeting
https://lims.minneapolismn.gov
B
Good
morning
welcome
to
our
regularly
scheduled
audit
committee.
My
name
is
Lenny
Palmisano
I'm,
the
chair
of
this
committee,
I'm
joined
by
members,
David
Fisher,
Scott,
Neil
and
councilmember
Jeremy
Schrader.
We
are
a
quorum
of
this
committee
and
are
authorized
to
conduct
the
city's
business.
I
want
to
welcome.
Welcome
back
you
get
lasso,
eight
she's
returned
after
medical
family
leave
and
we're
thrilled
to
have
you
back
and
I
will
point
out
before
you
the
agenda.
We
are
accepting
the
minutes
of
June
10th.
B
We
have
an
audit
plan
update,
including
one
IT
consult
report
to
consider
and
publish.
Today.
We
also
have
our
regular
report
of
the
internal
auditor
and
then
announcements.
After
this
we
will
be
a
journey
willoughby's,
which
is
essentially
functionally
continuing
this
meeting
to
September
11th,
so
that
we
can
also
receive
the
police
off
duty
work-
audit
report
that
isn't
quite
done
at
this
time.
So
that's
the
agenda
before
you
may
have
a
move
to
adopt
the
minutes.
A
B
Those
in
favor,
please
signify
by
saying
aye
aye.
All
those
opposed
that
carries.
May
I
also
have
a
motion
to
accept
the
minutes
that
are
before
you
from
June
10th.
Okay,
all
those
in
favor,
please
signify
by
saying
aye
aye
opposed
that
carries
next,
we'll
go
through
our
well
the
way
it
looks
on
it.
C
Thank
You
chair
Palmisano
audit
committee
members,
I'd
like
to
introduce
our
IT
and
cybersecurity
audit
can
Sultan
Sam
butterman
from
Baker
Tilly
who
completed
the
IT
analytics
hub,
consult
she'll
present.
The
report
then
we'd
like
to
invite
up
arrow
Kilson,
who
is
IT
director
of
data
and
analytics
services
to
speak
about
management
responses.
Sam.
D
Perfect,
so
just
a
brief
summary
for
you,
you
know.
Data
and
information
at
the
city
of
Minneapolis
is
a
really
valuable
asset
and
and
really
this
audit
was
conducted
in
accordance
with
the
IT
data
and
analytics
services
team
and
really
formed,
which
was
really
formed
to
help
aid
departments
and
the
understanding
using
of
data
and
and
really
making
an
accessible
across
departments
and
across
the
enterprise
to
help
drive
efficiencies.
And
so
after
the
team
was
formed.
D
So
the
first
results
our
recommendation
with
that
the
city
should
work
to
formally
develop
a
data,
governance,
Charter
and
really
creation
of
a
dated
governance
charter
helps
communicate
the
value
of
data
governance
to
business
users.
It
really
provides
direction
and
control
over
the
data
and
information
so
that
you
that
have
access
to
it
can
trust
and
rely
on
it
and
really
kind
of
what
you
see
on
the
screen.
B
D
We
did
talk
with
the
IT
data
and
analytics
hub
team
and
had
discussion
about
the
working
group
and
some
of
the
initiatives
that
they're
trying
to
drive
and
really
I
think.
This
recommendation
is
to
work
to
create
kind
of
a
formal
data
governance
policy
that
maybe
some
of
those
informal
initiatives
or
goals
that
they've
taken
on
really
solidifying
them
in
some
sort
of
a
governing
document.
That
will
help
formalize
and
communicate
the
importance
of
those
initiatives
that
they're
taking
on
and.
B
D
I
think
creating
an
internal
policy
I
think
is
a
good
starting
point
and
then
I
think,
as
it
relates
to
other
municipalities
that
that
I've
worked
with
typically
is
an
internally
driven
policy,
and
then
it
also
correlate
to
the
IT
governance
policy
so
kind
of
having
two
separate
ones,
one
related
to
data
governance
and
one
related
to
IT
governance,
but
but
really
in
a
very
city
by
city,
as
as
it
relates
to,
if
it's
formalized
in
in
the
definition
of
an
ordinance
or
it's
just
something,
that's
internally
governed.
Thank
you.
Thank
you.
D
D
The
second
recommendation
that
you
know
we
had
based
on
the
result
of
our
conversation
with
management,
was
working
to
develop
a
data
classification
policy
and
really
a
data
classification
policies.
Primary
purpose
is
to
ensure
that
information
is
handled
or
managed
with
the
threat
that
it
poses
to
the
organization
and
based
on
our
conversations
with
the
IT
analytics
hub
group.
You
know
we
do
understand
that.
D
There's
the
Minnesota
government
data
practices
acts
which
which
the
city
is
in
compliance
with
and
really
you
know,
kind
of
building
upon
that
through
the
creation
of
a
formalized
data
classification
policy.
So
the
first
step
would
be
to
ensure
compliance
and
alignment
with
the
Practices
Act,
but
then,
above
and
beyond,
you
know,
performing
a
risk
assessment
of
the
data
and
information
collected
by
the
analytics
hub
and
really
an
initial
assessment
should
be
performed
on
each
related
data
set
to
assign
an
associated
level
of
risk,
which
will
really
help
manage
things
above
and
beyond.
D
Just
the
baseline
data
Practices
Act,
but
but
go
in
to
date,
taking
a
risk-based
approach
and
how
to
classify
information
and
data.
And
then,
after
the
risk
assessment
is
performed,
you
know
really
the
creation
of
a
risk
management
plan
based
on
that
risk
assessment.
And
again
this
is
specific
to
information
that's
collected
as
part
of
as
part
of
the
analytics
hub.
So
really
taking
a
three
pronged
approach
to
creation
of
a
data
classification
policy.
D
So
the
first
item
on
here
was
operationalizing
the
enterprise
data
strategy,
so
creating
an
enterprise
data
strategy
statement
to
create
a
roadmap
for
how
to
obtain
handle,
manage
and
store
data
through
the
key
pillars
defined
within
the
existing
data
strategy,
which
are
listed
here
so
so
really
taking
making
the
data
data
governance
policy
for
how
we
should
manage
information,
creating
a
data
classification
policy
for
how
to
classify
it
and
then
creating
a
data
strategy
to
communicate
to
business
users
of
the
analytics
hub.
You
know
what
those
three
different
approaches
are.
D
D
Think
part
of
that
as
well
in
my
discussion
with
with
the
stakeholder
group,
was
understanding
that
those
folks
that
serve
and
those
data
stewardship
roles
really
need
education
and
training
to
evaluate
the
quality
and
the
accuracy
of
the
information
that's
being
passed
to
the
analytics
hub,
so
making
sure
that
those
people
have
a
chance
to
develop.
Those
skill
sets.
D
The
last
recommendation
was
related
to
some
of
those
logical
access,
internal
controls.
So,
as
part
of
our
work
with
the
analytics
hub,
we
looked
at
kind
of
logical
access
controls
so
who
has
information
contained
within
it?
The
analytics
hub
is
it
appropriate,
and
how
is
that
access
reviewed
and
as
a
result
of
that,
we
had
kind
of
some
more
detailed
kind
of
recommendations
so
for
access
requests
a
lot
of
time,
users
that
are
being
granted
access
to
the
information.
D
The
second
recommendation
that
we
had
in
relation
to
logical
access
controls
was
transfers.
So
right
now
when
transfers
happen
throughout
the
city,
the
analytics
hub
team
is
just
notified
kind
of
on
an
ad-hoc
basis.
There's
not
really
a
timeliness
aspect
associated
with
it.
Nor
is
there
necessarily
a
requirement
for
that.
So
the
recommendation
would
be
that
employee
transfers
are
part
of
kind
of
the
overall
transfer
process
within
the
city
when
it
comes
to
logical
access
to
ensure
that
these
privileged
access
is
being
followed.
D
I
think
the
risk
that
we
see
here
organizationally
is
that
oftentimes
we
have
folks
transferring
between
lots
of
depart
and
then
over
time
they
get
more
and
more
privileges
as
they
transfer
and
so
really
following
that
that
best
practice
of
lease
privileged
access
to
ensure
that
users
don't
have
access
to
data
that
they
don't.
They
don't
need
as
part
of
their
job
requirements.
D
B
Butterman
I'm
not
sure
how
to
put
that
into
context.
One
piece
is
that
one
of
the
ways
we
can
be
less
siloed
as
an
enterprises,
and
we
have
people
working
in
different
departments.
You
know
bringing
that
transfer
of
skill
or
transfer
of
knowledge
and
knowing
how
something
works
moving
to
a
different
department
and
maybe
seeing
how
some
cross-pollination
of
data
would
be
more
valuable.
I
appreciate
that,
yes,
the
least
privileged
access
piece
is
is
important,
but
how
often
does
that
happen?
B
D
Not
have
insight
into
how
often
the
the
that
people
are
transferring
within
departments
I.
Think
overall,
though,
I
think
it's
a
risk
that
it
should
be
noted
and
I
see
what
you're
saying
as
it
relates
to
you
know:
keeping
things
siloed
versus
working
organizationally
across
the
enterprise
I
think
the
in
informing
the
analytics
hub
that
someone
is
moving
department
areas
I
think
is
key
to
determine
whether
they
do
need
access
to
that
debt
or
not.
There
may
be
instances
where
someone
does
need
to
retain
those
privileges
but
I
think
oftentimes.
D
What
we
can
see
happen
or
a
risk
that
we
do
see
is
that
over
time,
more
and
more
privileges
are
granted
with
no
revoking
of
privileges
that
they
don't
need.
So
just
ensuring
that
you
know
we
are
following
the
best
practice
of
least
privileged
access
and
then,
if
additional,
if
additional
approvals
or
additional
access
is
needed,
we
can
always
request
that
information.
D
A
D
Chair
Paula,
Paula,
Sano
and
committee
member
Fischer,
we
did
review
that
as
part
of
our
review
of
logical
access
controls.
We
felt
that
though
the
D
provisioning
and
termination
process,
as
it
related
to
the
IT
analytics
hub,
was
being
done
in
accordance
with
best
practices,
so
as
it
relates
to
when
an
employee
is
terminated,
it's
part
of
the
overall
D
provisioning
process
to
ensure
that
their
access
is
removed.
A
D
And
I
believe
as
when
aro
speaks,
he'll
speak
in
more
detail
to
this
as
well,
but
my
understanding
of
the
analytics
hub
is
that
departments
can
and
use
or
not
use
it
as
much
as
they
would
like,
which
is
why
we
had
the
recommendation
of
the
creation
of
a
champion
story,
because
in
my
discussion
we
found
that
there
are
some
departments
like
I.
Think
the
police
department
is
one
of
those
that
really
leverages
the
analytic
hub
to
create
data.
D
So
there
is
no
requirement
that
departments
have
to
be
using
the
analytics
hub
and
that's
why
we
had
the
recommendation
of
the
creation
of
a
champion
story,
because,
based
on
the
information
that
I've
received,
it
sounded,
like
some
departments,
may
not
understand
kind
of
the
value
or
the
results
that
can
that
can
occur
from
from
the
utilization
of
it
and
so
creation
of
a
champion
story
or
selecting
a
department
or
group
to
highlight
and
kind
of
outline.
This
was
the
year.
A
D
Think
that
there
is
the
opportunity
for
departments,
enterprise-wide
tomorr,
fully
utilize,
the
IT
analytics
hub
I,
think.
Currently,
it
is
on
a
department
by
department
basis
who
is
choosing
to
utilize.
It
I
think
there
is
a
lot
of
value
in
leveraging
a
tool
that
we
have
a
specific
department
and
a
team
built
up
around
it
and
that
I
think
of
best
practice
recommendation
what
it
would
be
that
it
is
used
enterprise-wide.
However,
I
think
we
need
to
get
this
I
think
that's.
D
The
relation
of
this
recommendation
is
to
kind
of
gather
that
Enterprise
support
to
provide
site
into
how
it's
used,
what
its
utilized
for
and
how
it
can
help
those
departments
that
aren't
utilizing
it
now.
I
think
the
other
thing
to
take
into
consideration
is
there
may
be
some
departments
that
have
legacy
ways
of
how
they're
populating
reports
or
data
or
information
that
they
don't
want
to
have
to
go
through
the
process
of
kind
of
recreating
it
in
a
different
tool.
D
But
I
think
there
is
more
value,
the
more
departments
that
are
using
the
analytics
hub,
because
it
helps
with
the
cross
sharing
of
data
and
then
also
helps
to
create
kind
of
a
streamlined
process.
For
how
information
is
being
collected.
The
security
surrounding
the
information
in
the
analytics
hub,
as
well
as
how
that
information
can
be
utilized
for
cross
event
across
departmental
reporting.
A
D
That
would
be
part
of
the
secondary
recommendation
here:
the
creation
of
working
groups
and
data
stewards
so
to
provide
that
training.
I
think
there
are
instances
when
training
has
been
requested
by
the
analytics
hub
team
for
a
different
department
and
they've
been
able
to
fulfill
that
request.
I,
don't
know
if
there's
a
training,
that's
provided
enterprise-wide
on
an
ongoing
basis
by
any
means,
but
I
think
the
creation
of
as
well
data
stewards.
D
These
logical
access
controls
tie
really
nicely
into
those
other
recommendations
which
will
help
ensure
that
you
know
end
users
can
only
view
information
that
is
related
to
their
job
functioning
and
nothing
beyond
that.
So
that
was
the
last
recommendation
that
we
had
as
a
result
of
the
IT
analytics
hub
consultation.
B
E
Home
asan,
one
of
the
goals
of
this,
is
to
take
the
leads
to
focus
on
the
governance
component,
because
what
we
are
doing
right
now
is
implementing
a
data
strategy
which
is
laying
the
foundation
for
the
architecture.
The
skill
sets
the
standards,
the
policy
of
maintaining
information,
consolidating
it
into
our
analytics
hub
and
also
identifying
opportunities
for
improving
data
quality
once
that
foundation.
Is
there
the
way
to
make
sure
that
that
data
strategy
is
moving
forward?
E
E
Ahead:
okay,
so
first
I
wanted
to
lay
out
the
fact
that
we
are
working
on
a
data
strategy
which
is
related
to
data
governance
that
are
complementary.
You
actually
will
be
releasing
the
broader
data
strategy
when
we
get
to
the
state
of
data
in
autumn,
so
we'll
relay
out
the
all
components.
What
we've
done
is
by
assembling
the
team,
creating
standards
and
creating
this
analytics
hub
and,
among
other
things,
what
we're
doing
is
making
sure
that
their
standards
repeatable.
E
We
have
structures
that
can
control
the
access
we
have
tools
by
which
we
can
identify
data
quality
issues
or,
and
also,
first
and
foremost,
bring
data
together,
so
that
departments
can
work
together.
So
the
analytics
hub
is
just
this
one:
implementation
of
the
broader
data
strategy.
The
data
strategy,
extends
also,
to
any
time
we're
bringing
a
new
application,
we're
developing
an
application,
we're
making
sure
that
the
standards
of
access
did
quality.
E
The
fact
that
those
making
sure
that
the
new
systems
that
are
coming
in
adhere
to
some
of
our
goals
that
support
our
analytics
and
reporting
goals.
So,
as
you
see
here,
first
we're
looking
at
the
data
strategy,
we've
taken
an
approach
of
developing
a
data
strategy
to
create
the
standards,
as
I
mentioned
before
our
first
implementation.
E
Our
most
notable
implementation
is
through
the
analytics
hub,
as
well
as
through
working
with
implementation
of
new
business
systems
and
making
sure
that
there's
our
sexual
standards
followed
there,
but
with
this
analytics
hub,
people
actually
have
a
tangible
example
of
what
data
means
to
them,
means
them
and
also
the
opportunities
of
or
an
needs
for,
overall
data
governance.
So
by
creating
this
analytics
hub,
which
is
a
centralized
repository
of
data
from
business
systems
across
the
city.
Now
we
have
something
tangible
to
talk
about.
E
E
E
E
Excuse
me
the
data
strategy,
and
so
we
lay
out
what
it
means
why
we
need
it
here,
the
basic
area,
so
the
focuses
that
we
look
at
standards
and
procedures
all
the
way
from
the
creation
of
data
collection
of
data
through
how
it's
stored,
how
its
accessed,
how
the
tools
that
we
have
and
the
information
that
we
have
so
people
can
use
that
data
properly.
All
the
way
to
some
of
the
things
that
we
would
learn
out
of
using
the
data
and
then
remembering
that
we
can
circle
back
so
that
we
can
prove
the
data.
E
We
can
also
tighten
down
some
access,
if
need
be.
So
with
this
in
mind
as
we
talk
about
the
data
governance
strategy
and
we
go
through
these
recommendations.
Now
we
have
this
actual
technical
implementation
by
which
we
can
build
the
structure
that
includes
the
departments
and
formalizes
that
and
we'll
make
that
recommendation
to
the
information,
governance
policy
committee
and
it'll
be
added
as
part
of
the
policy.
So
as
I
mentioned
before,
when
we
are
looking
at
the
first
appreciation
of
data
governments
charter,
this
would
be
a
charter
for
that
workgroup
am
underneath
the
governance
policy.
E
So
we
agree
with
this
again.
Our
mean
reaction
to
response
to
this
overall
study
is
that
we've
created
a
technical
platform.
Now
we
know
we
have
to
make
these
formalized
groups
and
operationalize
our
data
strategy
so
that
people
know
how
people
departments
we
also
are
clear
to
the
public,
how
we're
maintaining
the
information,
and
then
we
also
are-
will
be
driving,
get
collaboration
with
departments,
understanding
that
the
information
is
important
to
us
and
it
needs
to
be
kept
at
a
higher
standard.
E
With
the
start
of
a
nation
to
the
creation
of
data
classification
policy
and
risk,
this
again
is
one
of
the
examples
of
what
we
have
the
platform's.
We
have
the
tools
to
monitor
or
to
track
and
classify
the
information.
This
will
be
in
conjunction
with
our
chief
information
security
officer
from
a
security
classification
and
also
that
the
city
clerk's
for
data
practices
so
we're
pulling
together
a
a
structure.
E
E
So
we
have
this
structure
now
we
just
need
to
bring
the
departments
in
order
to
play
a
part
with
that.
So
we
have
started
with
pilots
on
formalizing
their
the
department's
roles,
particularly
the
police
department.
Public
works
around
the
mobility
activities
that
you've
seen
recently
and
then
also
with
cpad,
particularly
with
the
development
services
department,
so
working
with
these
departments
to
implement
the
standards,
and
it's
important
that
the
people
within
the
departments
are
collecting
information
are
the
ones
you
know
most
about
it.
E
Obviously,
if
you
wanna
be
data-driven,
there
needs
to
be
some
sharing
of
information,
and
then
we
need
to
each
of
the
efforts
of
adding
information
will
actually
be
just
additive.
We're
building
in
that
central
place
we're
not
making
in
sets
of
data
marts
throughout
the
city,
we're
working
together
in
that
central
place
to
therefore
weaken
centralized
stairs.
We
can
centralize
the
governance,
we
can
centralize
the
security
and
we
can
look
at
the
information
in
the
context
of
other
departments.
Therefore,
data
quality
improves.
F
You,
madam
chair
mr.
Cookson,
it
seems
that
the
the
classification
of
the
data
is
a
pretty
important
staff,
ending
it
process
and
I'm
wondering
how
that's
done
now
and
how
you
envision
that
happening
in
the
future.
Is
it
self
classified
by
whoever
creates
the
data
or
is
there?
Is
there
somebody
else?
That's
that's
getting
involved
in
that
process
to
sort
of
classify
it
from
the
outside.
E
Chair
Paul,
Masson,
Kuhn
limiter.
You
know
that
actually
is
an
example
of
the
broader
effort
that
we
have
and
the
description
of
going
from
the
data
strategy
into
governance
we've
created.
We
have
the
skill
set
and
we've
created
the
discipline
and
as
we
review
the
data
within
our
group
in
conjunction
with
the
city
clerks
who
are
identifying
those
those
classifications
for
each
of
these
things,
also
adding
in
as
I
mentioned
before,
a
new
chief
information
security
officer.
E
So,
but
what
you
hear
is
that
these
things
are
being
done
within
the
heads
of
the
small
group
of
people.
We
now
need
to
kind
of
bring
it
out
and
bring
it
to
more
of
the
light
of
day
and
operationalize
it.
So
it's
not
just
this
small
group
of
people
who
are
implementing,
so
the
standards
are
being
enforced,
they're
just
not
documented,
and
there
isn't
a
and
there
isn't
a
formal
way
that
we
would
say.
E
First,
you
need
to
the
department
needs
to
offer
a
representative
data
steward
and
we
work
through
with
them
to
identify
the
different
categories.
But
again
they
might
have
an
idea
that
something
should
be
classified
as
such,
but
there's
a
state
law
and
also
some
industry
standards
that
we
would
might
say.
Otherwise.
Thank
you.
What
should
have
arrived.
E
Thank
you
part
of
the
conversation
when
it
relates
to
the
strength
and
logical
axis
control.
We
were
mentioning
about
transfers,
there's
been
a
good
process
when
somebody
enters
the
city
or
exits.
The
city
of
removing
the
access
to
this
information.
Part
of
the
reason
that
we
went
to
the
analytics
hub
is
to
centralize
the
security
from
the
data
of
that
people
have
access
to
before.
There
were
a
lot
of
tools.
E
There
are
a
lot
of
repositories
and
it
was
scattered
throughout
and
the
perhaps
of
different
level
of
rigor
about
accessing
and
removing
access
to
the
datasets,
but
going
together
to
that
single
analytics
hub,
we
now
have
there's
a
single
place:
we've
created
a
standardized
structure
of
security
groups,
so
that's
people
leave.
They
can
be
added
or
be
removed,
as
people
come
in
they're,
given
only
that
which
they
need
if
they
move
from
one
department
to
another.
E
Again,
most
of
the
analytes
hub
is
available
to
everyone,
but
there
are
those
data
sets
that
are
not
that
shouldn't
be
available
to
them
just
because
of
the
nature
of
the
information.
So,
by
creating
these
standards
now
we
have
something
to
attach
these
documented
structures
and
governance
to
we
can
easily
enforce
it.
So
again,
it's
an
example
of
with
the
data
strategy.
E
We
can
say
that
we
want
to
formalize
access
control
and
in
conjunction
with
the
chief
information
security
officer,
but
instead
of
us
having
to
say
that
we
can
do
this
a
couple
of
years
from
now.
We
actually
have
it
in
place,
and
now
we
can
formalize
it,
and
we
can
implement
immediately
keeps
the
attention
if
people
can
see
direct
impact
for
what
they're
doing,
by
applying
it
immediately
with
the
analytics
hub,
which
again
it's
just
a
portion
of
the
overall
data
strategy,
but
it
is
one
that
will
impact
the
most.
B
B
It's
really
important,
because
what
movement,
what
miss
butterman
said
at
the
very
beginning,
is
critical,
that
the
data
of
our
city
is
a
big
asset
and
nobody
gets
to
begin
from
start
to
lay
this
foundation
from
the
beginning
before
there
is
all
of
this
information.
It's
always
going
to
be
a
retrofit
of
sorts
and
helping
us
get
appropriate
controls
over
it
and
and
to
have
control
over
it
so
that
we
can
direct
it
for
the
better
for
the
betterment
of
all
the
city
services
we
provide
it.
B
E
B
F
C
Thank
You
Tara,
Palmisano,
Audit
Committee
members
of
to
thank
miss
Bart
Ehrman
and
mr.
Kosan
for
presenting
the
IT
analytics
hub,
consult
report.
I
wanted
to
add
two
comments
on
that.
It
was
a
consultation
because
the
analytics
analytics
hub
has
only
been
around
a
couple
of
years
and
it's
still
under
development.
So
we
thought
waiting
in
now
was
an
easier
opportunity
to
make
some
minor
course
corrections
before
a
program
is
fully
developed
and
fully
implemented.
Then
you
come
in
and
do
an
audit
it's
hard
to
to
redo
things
from
the
beginning.
C
So
we
really
appreciate
the
analytics
hub,
inviting
us
in
for
the
consult.
I
also
wanted
to
speak
to
committee
member
Neal's
question
about
data
classification.
As
a
reminder,
we
had
a
records
management
audit
in
2015.
One
of
the
findings
was
coming
up
with
the
formal
data
classification
methodology
that
audit
issue
is
still
open
and
it's
due
to
be
remediated
December
of
2020.
So
this
all
kind
of
works
together
with
our
enterprise
data,
governance
approach,
committees
and
work
groups.
C
C
Okay
for
our
audit
work
and
process,
our
big
audit
right
now
under
way
is
the
police
off
duty
audit,
the
off-duty
work
at
it.
So
we
are
analyzing
police
off
duty,
work,
policies
and
procedures,
looking
at
processes
and
internal
controls
and
analyzing
raw
data
to
see
where
we
can
offer
the
most
value.
C
C
The
data
analysis
is
obtaining
raw
data
that
is
available
and
analyzing
it,
and
how?
What
might
we
better
be
able
to
leverage
that
for
informed
decision-making
going
forward,
we're
also
doing
benchmarking?
So
we've
worked
with
approximately
ten
law
enforcement
agencies
around
the
country,
who
have
been
so
kind
as
to
answer
a
short
survey,
provide
us
copies
of
their
policies
and
procedures,
so
we're
creating
a
summary
of
all
of
that
work
that
will
also
be
in
the
report.
C
The
park
board
enterprise
risk
assessment,
consultation
is
in
progress.
We
provided
training
in
spring,
they
needed
the
summer
off
because
that's
their
really
busy
time.
So
we
have
the
first
work
group
scheduled
in
September
and
then
the
first
pilots
scheduled
in
September.
The
work
group
is
designed
to
do
a
mock
run,
in
effect
we're
going
to
get
together
with
the
eight
subject
matter.
Experts,
the
first
pilot
in
September
will
be
information
technology,
so
we'll
do
a
mock
run
of
that
pilot.
Make
sure
everyone's
clear
on
their
roles
and
responsibilities
then
conduct
the
pilot.
C
C
Sure,
chair
Palmisano
audit
committee
members,
Jennifer
Ringgold,
is
the
deputy
superintendent
at
the
park
board.
Who
is
spearheading
this
initiative?
She
has
identified
eight
subject:
man
sorry-sorry
subject
matter
experts
across
the
park
board,
which
includes
the
Park
Police
these
eight
subject
matter.
Experts
from
various
departments
will
conduct
all
of
the
assessments
and
all
the
functional
areas
so
that
as
they
learn,
they
can
implement
the
same
process
and
have
some
consistency
throughout
the
first
workshop
is
a
mock
trial.
C
An
information
technology
is
the
first
pilot.
The
second
pilot
is
going
to
be
the
aquatics
and
Ice
Arena
Department,
and
that
will
probably
follow
in
October,
depending
on
how
the
the
first
one
goes
in
September.
Then
internal
audit
will
then
pull
back
unless
there
is
a
need
for
us
to
continue
helping
with
the
pilots
and
park
board.
Subject
matter.
Expert
team
will
continue
doing
this
for
all
of
the
park
board
functions
in
2020.
G
Madam
chair
for
the
community
members,
my
name
is
Colin
I'm,
a
member
of
one
of
the
foreman
of
the
team.
I
would
like
to
provide
an
object
on
the
entire
amendment
audits.
The
objective
of
this
audit
is
to
ensure
key
control
in
the
city
environment
processes,
properly
design
and
operating
if
effectively
to
mitigate
operational
compliance
and
fraud.
Risk
we've
issue
the
scope
memo
in
June
and
we
are
in
process
of
conducting
walkthrough
with
procurement
and
IT,
analytic,
hot
and
the
field
work
will
start
this
week.
H
Thank
you
come
on
good
morning,
everyone
chair,
Palmisano
community
members,
I
just
wanted
to
provide
a
quick
update
on
the
citywide
grant
management
audits.
We
completed
phase
one
back
in
June
I
think
the
report
was
present
presented
at
the
June.
Are
the
committee
meeting?
We
are
in
the
process
of
kicking
off
phase
two
which
will
have
a
focus
on
see
ped,
so
we'll
be
reviewing
grant
management
processes
and
controls
at
CPD,
and
we
are
hoping
to
start
this
audit
by
the
end
of
the
month
or
the
first
first
week
of
September.
H
H
Palmisano
committee
members,
when
we
first
started
the
grant
management
audit,
we
had
selected
two
city
departments
to
review
and
sip
ed
was
one
of
them,
but
due
to
some
scheduling
conflict
we
had
to
postpone
the
department
and
because
his
City
such
a
big
Department
for
the
city.
We
wanted
to
take
time
to
really
review
their
processes
and
we
issued
the
first
report
and
we'll
go
back
in
with
UC.
But
now.
Thank
you.
You're
welcome.
C
Thank
you.
You
get
going
onto
our
continuous
monitoring
slide.
We
have
three
processes
that
were
actively
involved
with
continuous
monitoring,
so
there's
some
risk
based
on
either
prior
audit
work
or
emerging
risks
we're
following
up
usually
for
a
period
of
a
year
or
so.
If
a
sufficient
progress
is
not
made,
then
this
area
could
end
up
become
going
on
the
audit
plan
again
or
if
sufficient
progress
has
been
made.
C
We
would
just
continue
to
monitor
more
informally
through
our
annual
enterprise
risk
assessment,
so
neighborhood
and
Community
Relations
we're
still
looking
for
that
strong
financial
policy,
that's
communicated
to
the
neighborhood
each
Neighborhood
Association
that
receives
funds.
It's
in
progress
NCR
is
changing
their
audit
process
and
their
financial
policies.
So
we
have
one
more
meeting
with
them.
This
fall
to
see
how
that's
going
and
that
will
determine
whether
they're
on
the
audit
plan
again
for
2020
data
management,
governance
and
privacy
I.
C
C
The
information
security
officer
is
working
on
a
framework
for
information
security,
building
out
their
risk
management,
so
we're
just
keeping
a
pulse
on
all
of
that
activity:
finance,
internal
controls,
that's
internal
controls
over
financial
reporting
finance
has
been
working
very
hard
to
build
out
an
internal
control
program
they're
on
track
to
complete
all
of
their
control
testing
by
the
end
of
October.
So
right
now
we
meet
with
them
quarterly
and
we
expect
that
to
be
completed
by
the
end
of
the
year.
C
C
We
have
special
projects,
so
we
had
been
reporting
on
enterprise
complaint
management.
That's
still
progressing,
we're
calling
that
a
special
project,
because
internal
audit
is
a
key
player
in
that
process.
We
most
recently
met
with
the
city
coordinator
and
we're
looking
at
a
single
way
to
report
complaints.
We
have
very
different
needs
from
internal
audit
to
city
attorney
and
HR,
where
most
of
the
complaints
lie.
C
One
new
special
project
is
a
special
request
by
C
ped,
the
C
ped
living
cities
program
that
they're
going
to
be
sending
us
over
some
documents
about
how
C
ped
might
contribute
to
a
living
city's
program.
That
will
be
a
revolving
line
of
credit
for
the
north
side,
they'll
be
sending
over
a
documentation
to
internal
audit
where
we'll
review
internal
controls,
financial
management,
conflicts
of
interest,
ensuring
that
city,
employee
roles
are
appropriate
for
this
program
are.
C
C
Thank
you
I'd
like
to
call
up
our
other
IT
audit
and
cyber
security
consultant
Tim
McClaren
from
a
wild
card.
We
put
him
in
a
bit
of
a
difficult
spot
to
talk
about
security
issue
follow-up,
because
security
reports
as
a
reminder
are
non-public.
So
we're
not
supposed
to
specifically
say
what
the
security
issue
was,
but
Tim
will
provide
us
an
update
as
best
as
he
can
on
the
progress
of
management
of
remediation
of
those
issues.
Tim.
I
Yeah,
so
we've
been
working
with
traffic
and
parking
services
to
go
through
all
their
audit
issues
and
closed
them,
and
our
relationship
with
them
have
been
very
positive.
They've
been
very
receptive
to
going
through
the
issues
and
it's
also
exciting,
because
in
closing
one
issue
we
found
other
issues
that
we
could
also
close,
so
they
have
real
impact
of
their
security
and
their
ability
to
ward
off
any
malicious
actors
that
could
be
on
the
network.
So
yeah
it's
been
pretty
fun,
so
you
have
a
few
more
issues.
We
need
to
close.
B
I
do
want
to
remind
my
colleagues
that
a
very
general
nature
of
mr.
McClaren's
update
is
because
that
2018
audit
report,
the
Public
Works
traffic
systems,
was
not
in
public,
so
the
number
of
issues
the
severity
all
of
those
things
couldn't
can't
really
be
discussed
here
on
the
dais.
But
it
sounds
like
you're
here
to
assure
us
that
the
management
team
is
making
adequate
progress
to
resolve.
All
of
the
issues.
Is
that
correct?
That
is.
B
B
C
You
Tim
Tim,
is
also
here
were
having
some
pre-planning
discussions
with
police
management
on
the
body,
worn
camera
and
automated
license
plate
reader,
biennial
audits
that
are
coming
up.
This
fall,
so
Ken
attend
will
be
kicking
us
off.
With
that
I'd
like
to
introduce
internal
auditor,
Travis
comm,
who
will
speak
to
audit
issue,
follow
up.
K
Welcome
Thomas
are
members
of
the
committee
I'm
just
kind
of
simply
follow
up
on
the
other
issues,
so
we
do
have
three
other
non
public
art
reports
that
we
still
have
open
issues.
I
was
still
working
through
meeting
and
they're
all
making
sure
the
remediate
effectively
through
they
have
PeopleSoft
webs
Porter
security,
audit,
water
treatment
and
distribution.
A
key
audit,
as
well
as
a
peace
information,
security,
IT
audit
I
mean
this
kind
of
overview
of
our
stats.
The
past
couple
months
since
I
last
met.
We
currently
have
21
open
audio
issues.
K
Two
of
them
I
would
touch
on
in
a
second
here.
We,
how
do
we
open
them
for
some
different
circumstances,
Cameron
I
kind
of
touched
on
that
in
a
second
and
then
we
have
an
overdue
odd
issue
from
the
police
information
security.
Audit
I
was
again
I
have
a
lot
of
specifics,
but
we
believe
they're
all
working
through
mediated
I'm,
just
kind
of
reading
on
documentation
that
there
is
something
in
place
that
we
can
review
and
we've
been
in
contact
with
management
on
that
class
as
well.
K
We
have
16
that
was
so
entirely
us
and
we
may
be
able
to
close
two
sons.
Last
audit
committee
two
eyes
met,
so
they
reopen
other
issues
and
the
previously
marked
as
valuation
progress,
but
up
on
the
view,
discussion
really
opened
them
for
the
first
ones,
return
to
duty,
MPD
third
party
audit,
so
we're
trying
to
do
it,
determination,
and
that
was
because
a
new
process,
so
it's
put
in
place
and
they
kind
of
want
to
make
sure
it's
effective
and
sustainable.
H
Madam
chair
committee,
members
I'd
like
now
to
provide
a
brief
update
on
the
state
auditors,
2008
financial
audit.
Please
note
that
they've
been
offered
the
opportunity
to
present
their
important
they'll,
be
here
at
the
October
21st
artists
committee
meeting
to
present
the
findings,
but
I
just
wanted
to
provide
a
summary
and
this
audience
was
completed
for
the
city,
the
park
board
and
the
Municipal
Building
Commission.
H
So
just
to
give
you
a
summary
of
their
findings
for
the
city,
they
have
two
new
findings
and
one
that
was
previously
identified
and
not
yet
resolved
and
for
the
park
board.
There's
one
new
finding
and
one
that
remain
unresolved
from
last
year
and
from
the
Municipal
Building
Commission,
one
new
finding
was
identified
and,
as
I
said,
I
just
wanted
to
provide
a
brief
summary
they'll,
be
here
in
October
to
present
a
full
report.
B
H
So
we
are
peer
to
peer
review,
so
we've
completed
the
first
step,
which
is
the
self-assessment
so
basically
making
sure
that
our
practices
aligned
with
standards
and
the
next
step
will
be
to
update
our
policy
and
procedures
and
then
have
a
peer
review
in
2020.
So
we
think
we
on
track
to
get
the
policy
updated
and
have
the
peer
of
John
2020,
and
the
next
thing
I
wanted
to
talk
about.
H
C
C
Thank
you,
okay.
The
first
audit
we'd
like
to
add
is
an
a
citywide
giftcard
audit.
This
will
include
the
few
departments
that
handle
gift
cards
within
the
city.
We
are
also
going
to
conduct
a
survey
of
all
city
departments
and
functions
boards
and
commissions
that
might
handle
gift
cards,
so
we
can
be
aware
of
those
departments
that
may
be
handling
gift
cards
and
but
not
purchasing
through
the
city,
and
then
we
expect
to
be
able
to
pretty
quickly
wrap
up
this
gift
card
audit
and
report,
hopefully
by
the
October
21st
audit
committee
meeting.
C
Share
Palmisano
audit
committee
members,
not
that
many
departments
handle
gift
cards,
so
the
purpose
of
the
survey
is
to
find
out
if
some
departments
are
handling
gift
cards
and
we're
not
aware
we're
aware
of
just
a
few,
and
will
this
include
the
perk
board.
Yes,
this
will
include
the
park
board.
They
don't
handle
many
gift
cards,
but
they
do
handle
some
and
they've
already
contributed
management
assistance
to
this
process.
C
You,
chair
Palmisano
out
a
committee
member
Fisher,
a
gift
card
is
a
card
that
is
worth
cash.
It
could
be
a
target
it's
generally
purchased
from
a
particular
vendor.
So,
for
example,
Target
used
with
the
Health
Department
as
an
incentive
for
an
agreed
upon
process
such
as
the
health
department's
use
of
gift
cards
to
incentivize
attendance
at
training
or
health
awareness
clinics.
C
There
could
be
various
reasons
for
the
gift
card:
youth,
violence,
prevention,
cleaning,
lead
from
your
homes
that
sort
of
thing,
so
it
has
to
be
approved
by
the
city
or
it
could
be
approved
by
a
grant,
so
grant
funds
could
be
used
in
some
cases
to
purchase
gift
cards
if
it
specifically
says
so
in
the
grant.
Also,
we
we
also
received
gifts,
gift
cards
from
other
organizations,
so,
for
example,
the
Health
Department
receives
some
gift
cards
purchased
through
Hennepin
County
Hennepin
County
gives
us
the
gift
card,
so
now
we're
stewards
of
the
gift
cards.
C
Way
it
would
work
a
chair,
Palmisano
audit
committee,
member
Neal,
for
example.
The
health
department
could
contact
the
controller
Lyle
Hodges
who
would
approve.
If
the
purpose
is
appropriate,
he
would
approve
purchase
of
the
gift
cards,
then
a
check
could
be
issued
or
the
check
could
be
written
out
to
target.
C
If
you're
going
to
purchase
a
certain
number
of
gift
cards
from
Target,
then
an
employee
would
go
to
Target
and
purchase
those
gift
cards
for
that
purpose
and
they
should
be
stored
in
a
safe
under
proper,
lock
and
key
limited
access
to
the
gift
cards,
and
then
they
should
be
appropriately
tracked.
Also,
when
gift
cards
are
dispensed,
there
needs
to
be
a
signed
form
that
the
recipient
received
that
gift
card
for
the
state
of
purpose.
So
there's
a
lot
of
documentation
needed
to
ensure
appropriate
controls
are
in
place.
B
Director
baik
VA,
like
how
you
have
it
on
here,
but
just
reviewing
the
effectiveness
of
these
policies
and
making
sure
we
have
internal
controls
for
them.
I'm
happy
to
to
make
that
motion
to
approve
adding
this
as
an
audit
to
our
2019
audit
plan.
I'll
entertain
a
second
Thank
You
councilmember
Warsaw
me
seconded
it
all
in
favor,
please
signify
by
saying
aye
aye
opposed
that
carries.
Thank.
C
You
our
second
audit
that
we
would
like
to
the
add
to
the
audit
plan
is
an
information
technology,
cyber
security
risk
assessment.
It
would
be
an
audit
to
assess
the
maturity
and
readiness
of
our
cyber
security
program.
We've
met
with
IT
deputy
chief
information
serve
both
cousins
and
the
new
deputy,
sorry
chief
information
security
officer,
dia
Abu
chakra.
C
B
C
C
And
the
appendix
is
just
a
full
listing
of
the
current
audit
plan
for
2019
and
2020,
so
there
are
two
that
have
the
word
ad
in
red.
Those
are
for
the
two
audits
that
you
just
approved:
one
change
to
the
left
for
the
water
network,
integration,
consultation
we've
been
working
with
the
water
management
team.
They
have
that
in
progress,
but
there
are
delaying
the
implementation
of
their
new
program.
So
we
it
looks
like
quarter
to
2020
will
be
a
better
time
for
that
consultation
as
they
prepare
implementation
of
their
their
new
program.
B
Okay,
I
believe
this
audit
plan
is
appropriately
very
ambitious
and
you've
had
some
limited
resources
this
past
year.
So
I
really
appreciate
how
thoughtful
you
and
your
department
has
been
at
planning
your
work
and
making
sure
that
it's
always
the
most
relevant
and
the
most
timely
I
think
this
is
thanks
to
our
heart
citizen
members,
mr.
Fisher
mr.
Neal,
who
have
helped
us
get
this
level
of
rigor
in
detail
in
terms
of
what
we
expect
from
the
audit
Department,
and
you
have
you've-
certainly
responded
to
this.
Are
there
any
questions
or
thoughts
about
this
plan?
B
I'm
not
seeing
any
I'll
move
to
receive
and
file
this
update,
as
this
update
report
and
the
work
plan
within
it
from
our
internal
audit
Department
all
those
in
favor,
please
signify
by
saying
aye
aye
opposed
that
carries
the
committee
members.
Are
there
any
announcements
or
anything
that
you'd
like
to
add
today?
I
will
note
that,
as
a
reminder,
the
police
off
duty
work.
Audit
report
was
not
done,
but
it
did
seem
like
as
soon
as
it
was
done.
It
would
be
most
timely
to
get
that
into
the
public
space.
B
So
as
soon
as
it
is
ready,
we
do
believe
September
11th
M
is
is
an
appropriate
date
to
shoot.
For
so
I
will
adjourn
us
to
the
September
11th
meeting
at
10:00
a.m.
here
in
Council,
Chambers
I
know
we
won't
have
everybody
here,
but
I
appreciate
those
that
can
make
it
for
the
purpose
of
receiving
the
police
off
duty
work
audit
report.
We
also
might
add
a
couple
of
other
items
at
that
time.
I
think
you
mentioned
one
earlier
in
your
audit
report.
So
until
then
thank
you.