►
From YouTube: January 13, 2020 Audit Committee
Description
Minneapolis Audit Committee Meeting
https://lims.minneapolismn.gov
A
Good
afternoon,
you'll
notice
that
I
am
NOT
going
to
use
the
gavel
to
call
this
meeting
to
order,
and
the
reason
is
because
we
have
a
very
unexpected,
very
sick
fourth
member
of
committee
here
today
to
get
quorum,
so
he
won't
be
able
to
be
with
us.
We
hope
he
feels
well
soon,
but
we
are
going
to
because
this
is
our
audit
directors
last
meeting
run
through
this
meeting
and
just
not
take
any
formal
actions
as
a
committee.
A
What
we
will
then
do
at
our
next
scheduled
meeting
on
February
10th
is
the
three
of
us
as
well
as
council.
Member
were
Sami,
who
had
intended
to
be
here
today,
except
he's
dealing
with
food
poisoning
will
be
equipped
to
do
the
formal
actions
as
a
quorum
of
this
committee
of
everything
we
were
going
to
do
here
today.
A
It
will
mean
one
strange
thing,
which
is:
we
would
be
looking
to
approve
the
consultation
of
the
sexual
assault
kits
evaluation,
and
we
will
also
be
hearing
that
report
on
February
10th,
but
I
think
that
that
this
is
the
best
way
to
proceed,
and
this
is
natural.
It's
been
a
few
months
already
that
work
had
what
work
will
have
begun
to
when
it
ends
and
I
think
that's
most
appropriate
and
it
also
honors
everybody's
time.
That's
here
today,
and
so
let's
go
ahead
and
proceed.
You'll
see
the
agenda
before
you
and
these.
A
This
will
guide
our
informal
conversation
today.
You'll
also
see
meeting
minutes
from
our
last
October
21st
meeting,
also
before
you
were
available
to
the
public,
is
just
to
cover
off
and
formalize
the
closed
session
meeting
that
we
have
every
year
and
this
was
to
do
a
formal
evaluation
of
our
internal
auditor
and
so
that
letter
is
available
on
limbs
or
at
the
request
of
anybody
of
committee.
We're
very
pleased
with
our
internal
audit
directors
performance
model
a
little
bit
more
to
say
at
the
announcements
part
after
we're
done
with
the
rest
of
this.
A
B
Thank
You
chair
Palmisano
audit
committee
members,
we'll
start
with
the
biennial
automated
license
plate
reader
audit
and
the
body
worn
camera
biennial
audit.
Our
IT
audit
consultant
is
not
here.
He
was
not
able
to
reschedule
on
short
notice.
We
did
not
participate
in
that
audit.
The
IT
audit
consultant
performed
this
independently
to
comply
with
the
statute
and
the
best
Barratt
possible.
So
he
prepared
the
slides,
I
will
read
through
them
and
then
we
still
have
commander
glam,
B
and
Granger.
They
do
have
to
step
out
shortly.
B
The
primary
objective
of
the
engagement
for
the
automated
license
plate
reader
audit
and
please
excuse
my
reading
some
of
the
slides.
Today
we
evaluated
the
police
automated
license
plate
reader
policies,
procedures
and
processes
to
ensure
internal
controls
are
in
place
in
compliance
with
statute
Minnesota
statute.
Thirteen
point
eight
to
four,
primarily
the
auditor
reviewed,
examined
and
assessed
the
policies
and
procedures
for
operation
of
the
license
plate
reader
automated
license
plate
reader
processes
to
determine
if
there
are
any
opportunities
opportunities
for
improvement,
to
support
compliance
efforts.
B
Let's
skip
through
the
definitions
here
on
the
audit
scope,
it
shows
some
additional
statutes
that
come
into
play
and
you
can
read
in
more
detail
in
your
if,
in
your
audit
report
and
I'll
skip
through
to
the
highlights
of
the
audit,
the
methodology
included
frameworks
from
the
AICPA
Isacc
COBIT
and
the
infrastructure
library
for
information
technology
and
then
the
planning
phase
field
work.
They
reporting
phase
that's
pretty
standard
and
then
we're
getting
into
some
of
the
objectives
that
were
tested
directly
and
the
automated
license
plate.
B
Reader
audit
number
one
that
actually
had
an
issue
audit
discovered
that
there
was
not
a
defined
standard
operating
procedures
in
place.
The
implementation
of
standard
operating
procedures
related
to
automated
license
plate
reader
handling
of
data
and
processes
will
allow
for
efficient
and
consistent
operations.
B
Management
response,
which
is
owned
by
commander
girl,
occur
and
Lieutenant
Rugal
said
that
they
would
be
in
the
process
of
creating
a
draft
standard
operating
procedures,
it's
being
developed
to
facilitate
the
handling
of
their
license
plate
reader
operations.
Our
IT
auditor
confirmed
that
this
has
been
completed.
B
Issue
number
two.
There
are
currently
no
controls
in
place
to
determine
if
the
license
plate
reader
system
has
been
compromised
by
a
malicious
actor.
Mpd
is
not
actively
monitoring
for
unauthorized
users,
so
the
management
response-
and
this
has
not
been
addressed.
This
is
in
progress,
IT
and
the
City
Clerk's
office
are
working
to
establish
a
department-wide
incident
response
plan
to
supplement
their
detection
capabilities
and,
as
you'll
recall,
from
our
prior
data
governance
and
IT
and
cybersecurity
work.
B
Another
control
objective
was
establishing
policy
that
addresses
the
mandates
associated
with
the
statute.
The
policy
is
defined
as
oh.
This
is
the
MPD
policy
for
automated
license
plate
reader
and
was
last
updated,
July
2015.
It
is
important
that
policies
are
reviewed
periodically
and
updated.
After
reviewing
the
policy
and
comparing
its
contents
to
the
mandate,
there
were
no
recommendations.
We
are
in
compliance.
B
Another
control,
objective
police,
automated
license
plate
reader
system
data
collected,
should
be
limited
to
license
plate
numbers
date.
Time.
Location
of
collected
data
on
vehicles
and
pictures
are
limited
to
license
plates
vehicles
and
areas
surrounding
the
vehicle.
After
testing
select
sample
of
the
evidence,
audit
determined
that
we
comply
with
policy.
B
No
exceptions
were
noted.
Data
classification
license
plate
reader
data
is
automatically
classified
as
non
public.
Access
to
data
is
limited
to
police
personnel
system
access
to
license
plate.
Readers
is
limited
to
officers
that
have
been
trained
at
and
have
been
granted
permissions
upon
analysis.
The
auditor
evaluated
who
has
been
trained
to
use
the
system
relative
to
who
has
access
auditor
determined
that
a
police
has
limited
access
to
the
system
and
administrative
functions.
No
exceptions
were
noted.
Joy.
B
Were
in
compliance,
yeah
I
reviewed
that
with
the
IT
auditor
this
morning,
just
to
confirm
that
we
do
call
out
any
exceptions
that
were
noted.
Another
control
license
plate
reader
data
is
only
matched
with
internal
databases
license
plate.
Reader
data
is
not
collected
from
or
placed
into
a
centralized
repository.
B
The
information
center
is
that
suit
security
information
center
strategic
information
center
is
that
commander
glam
P
is
a
commander.
Girl
occurs.
Team.
Okay,
commander
girl
occurs
team.
The
strategic
information
center
has
created
user
roles
which
allow
for
personnel
to
perform
their
role
within
the
Information
Center.
Without
granting
excessive
access
upon
review,
the
auditor
evaluated
the
license
plate
reader
usage
data
to
determine
if
the
six
system
access
is
limited.
The
auditor
observed
that
defined
roles
within
the
system
and
associated
those
with
roles
with
the
accounts.
No
exceptions
were
noted.
B
That
a
destruction,
the
police,
configured
the
license
plate
reader
system
to
automatically
destroy
collected,
license
plate
reader
data
after
period
of
60
days,
the
auditor
validated
that
the
tools
Doody
delete
the
data,
the
handling
of
chapter
5
B
deletion
of
data
has
not
been
formalized
at
time
of
the
audit.
The
creation
of
the
standard
operating
procedures
addresses
handling
these
requests.
No
further
risk
is
noted.
This
was
fixed
during
the
engagement.
B
Another
audit
objective
license
plate
reader
requests
to
the
strategic
information
center
are
made
via
email,
phone
and
office
drop,
an
office
drop
ins,
sorry,
police
personnel
and
other
government
agencies
submit
requests
that
can
include
dates,
license-plate
numbers
and
case
numbers
upon
review
of
a
sample
of
requests
from
internal
officers
and
external
agencies.
The
agencies
sharing
requests
in
fulfilment.
The
auditor
observed
that
the
strategic
information
center
does
not
explicitly
state
how
the
receiving
agency
is
expected
to
handle
the
data.
C
B
Have
that
at
my
fingertips,
but
we
have
the
auditor
online,
so
we
can
ask
that
question
quickly
and
I
can.
If
it's
okay,
chair
Palmisano
committee
member
Fischer
I'll
go
on
to
the
next
one
and
then
Travis
can.
Let
me
know
when
he
has
an
answer
to
that
question.
Usually,
sampling
is
not
strictly
random.
You
take
a
more
thoughtful
approach
missing
an
extreme
analysis.
You
try
to
identify
anomalies
in
the
data
and
then
you
do
a
random
sample
of
what's
left
over,
but
I
would
have.
A
B
This
is
our
first
report,
where
our
team
didn't
actually
participate
in
the
testing,
but
we
do
have
someone
here
that
participated.
Ryan
Patrick.
He
helped
with
the
video
footage
to
review
his
team.
We
usually
use
them
every
two
years
for
video
footage
review.
So
if
there
are
any
questions
around
that,
mr.
Patrick
would
probably
be
able
to
answer
that.
B
Do
we
have
an
answer?
All
random
okay,
chair
Palmisano
committee,
member
Fischer,
all
of
the
samples
were
random.
In
this
example,
welcome
I
write
another
control
objective,
the
license
plate
reader
software
logs
maintain
maintain
the
time
data
was
collected,
total
number
of
vehicle
plates
recorded
number
of
vehicle
plates
recorded
that
are
associated
with
crimes
or
investigative
data
and
location
data
was
recorded.
The
strategic
Information
Center
provided
the
license
plate
reader
data
over
the
retention
period
that
confirms
they
log
appropriate
data.
No
exceptions
were
noted
in
testing
this
control.
B
A
Thank
you,
commanders,
Granger
and
glam
T
for
being
present
with
us
today.
I
know
you
have
to
leave
shortly
and
this
shouldn't
take
long,
because
this
is
the
state-level
body-worn
camera
audit
report
and
we
do
such
a
more
thorough
job
internally.
Now,
thanks
to
the
great
work
of
Commander,
Granger
and
others
that
have
been
pulled
into
that
effort,
so
go
ahead.
Thank.
B
You,
the
primary
objective
of
the
body,
worn
camera
by
nanak
biennial
audit
engagement,
was
to
come
conduct.
The
biennial
review
of
the
minneapolis
police
department,
use
of
body-worn
cameras,
the
auditor
it
evaluated
the
police
policies,
procedures
and
processes
around
body,
worn
cameras
to
ensure
internal
controls
are
in
place
in
compliance
with
Minnesota
statute
3.8
to
5.
B
B
Overall,
with
both
biennial
audits,
MPD
is
compliant
with
minnesota
statutes
and
for
both,
the
biennial
audits
of
one
page
summary
will
be
sent
to
the
state
legislators
confirming
compliance.
The
auditor
identified
four
areas
of
improvement,
which
include
access,
removal
for
separated
personnel,
standard
operating
procedures,
cohesive
handling,
a
failed
equipment
and
citywide
incident
response
policy.
B
The
first
control
that
was
tested.
The
auditor
observed
that
removal
of
access
to
the
system
after
police
personnel
have
been
terminated,
may
take
an
extended
amount
of
time.
Auditor
determined
that
it
took
an
average
of
38
days
to
remove
access
for
the
sample
of
users,
reviewed
management,
response
notification
from
human
resources
of
a
person.
Separation
can
come
three
to
four
months
early
or
it
can
be
immediate.
Please
now
use
a
calendar
notification
system
to
create
automated
reminders
of
separation.
B
Issue
number
two:
the
records
information
unit,
while
working
with
the
records
information
union
administrators,
the
auditor
discovered
that
there
is
not
a
defined
standard
operating
procedures
in
place.
The
implementation
of
standard
operating
procedures
will
facilitate
the
proper
release
and
sharing
of
body-worn
camera
and
data
standard
operating
procedures
will
allow
for
efficient
and
consistent
operations.
It
also
facilitates
future
body,
more
camera
audits
and
offer
protection
from
potential
liability.
B
B
Issue
number
three
handling
of
failed
equipment.
The
auditor
conducted
interviews
with
police
supervisors
and
noted
that
supervisors
handled
failed
equipment
differently.
So
we're
talking
about
body,
more
cameras
that
might
be
broken
or
malfunctioning
places.
Current
of
management
response
police
are
currently
developing
a
spare
camera
program.
Police
will
provide
spare
cameras
to
officers
along
with
training
for
personnel
on
how
to
provision
cameras
for
use.
In
these
cases,
police
expect
the
spare
cameras
and
training
to
be
available
by
January,
1st
and
I'm,
going
to
check
with
commander
Granby
no.
E
B
B
However,
auditor
observed
that,
while
there
are
measures
in
place
for
breach
detection,
there
is
no
cohesive
plan
for
a
response
to
breach
management's
response
polices.
Working
police
are
working
with
information
technology
and
the
City
Clerk's
office
to
establish
a
department-wide
incident
response
plan
to
supplement
their
detection
capabilities.
Police
are
actively
working
to
establish
more
formalized
processes
and
city.
It
will
take
the
lead
on
the
incident
response
plan,
and
this
is
a
big
part
of
cybersecurity
and
the
IT
approach.
Thank.
D
Constant
air,
Palmisano
and
customer
Schrader,
it
matter
of
fact,
commander
Granger
now
we're
talking
about
it
today.
We
hope
to
have
it
in
place
by
March
1st.
So
it's
right
on
the
edge
we
had
something
in
place.
Where
did
he
go
by
December
31st,
but
it
was
essentially
going
to
be
a
self-service
and
we
were
never
quite
comfortable
with
allowing
somebody
to
come
in
drop
off
a
malfunctioning
camera
and
pick
one
up
and
go
it
it
just
we're
never
comfortable
with
that
aspect
of
it.
D
We've
since
come
up
with
a
way
to
have
coverage
where
approximately
21
hours
a
day,
we
will
have
personnel
available
to
physically
swap
those
cameras
and
the
whole
key
is
because
these
cameras
are
assigned
to
an
officer.
It
creates
an
absolute
nightmare
for
the
auditors
when
you
don't
have
that
name
associated
with
the
camera.
This
plan,
we've
put
in
place
will
now
make
sure
that
that
camera
is
always
reassigned
to
the
officer
rather
than
you're
just
saying
unassigned
again,
it's
just
a
nightmare.
D
I've
had
to
go
back
and
try
and
figure
out
who's
running
this
camera
who's,
making
these
videos.
So
this
will
take
care
of
it.
It's
just
a
matter
of
getting
some
equipment
in
and
we're
gonna
do
it
in
conjunction
with
the
next
generation
of
body.
Cameras
is
coming
out,
we'll
get
new
equipment
in
and
we're
gonna
move
forward.
So
we
are
pretty
confident
by
March.
First
we'll
have
that
in
place.
Okay,.
F
C
B
Palmisano
committee
member
fisher,
it
has
to
cover
citywide
risks,
but
it's
primarily
driven
by
the
City
Clerk's
office
and
IT,
and
in
fact
audit
will
be
reviewing
that
in
quarter
one
when
we
have
our
IT
cybersecurity
governance
review,
it's
a
consultation
this
year
and
then
it
will
be
an
audit
the
following
year,
so
with
the
new
city
suite
and
IT,
and
they
are
making
that
a
top
priority.
Cybersecurity
risks
continue
to
increase
so
Incident
Response
is
a
big
part
of
that.
B
A
Yeah
I
am
I,
also
have
a
couple
questions:
I'm,
sorry,
but
commander
clampy.
Thank
you
back
just
first,
going
back
to
councilmember
Schrader's
point
I
with
this
camera
program,
I
get
that
we
need
to
have
a
consistent
process
for
all
precincts,
but
I
also
believe
the
I've
heard
when
we've
been
working
on
how
we
measure
body
camera
compliance
that
at
times
it
seems
that
there
has
been
like
two
different
cameras
assigned
to
one
individual,
so
I
think.
Could
you
could
you
help
me
understand
that?
How
do
we?
A
D
Chair
Palmisano,
that's
correct,
it's
somewhat
informal,
so
we
can,
you
know
essentially,
if
somebody's
not
working
in
their
cameras
sitting
there
and
you
need
a
camera
we
can.
We
can
do
that.
We
do
have
spare
cameras
that
we've
given
to
people,
so
they
would
have
to
assigned
to
their
name.
It's
just
not
formalized.
This
is
gonna
formalize
it
and
take
away
kind
of
those
I.
Don't
want
to
use
the
word
loophole
because
it's
not
a
loophole.
It's
just
an
alternate
way
of
doing
it.
We're
gonna,
formalize
it
and
say
no
you're
gonna.
A
Thank
you
and
then
issue
number
four.
Do
they
does
this
issue
mean
this
wild
card
mean
unauthorized
access
and
data
exfiltration?
Does
that
mean
when
I
read
this
slide,
I?
Think
of
somebody
like
maliciously
hacking
into
either
axons
cloud,
because
we
don't
store
this
data
ourselves.
We
pay
for
axon
to
store
it
right
or
to
hacking
into
a
camera
and
like
kind
of
being
able
to
see
whatever
might
be
getting
recorded
on
that
camera.
D
Community,
chair,
Palmisano,
I
think
you're
correct
is
anywhere
there
could
be
a
breach,
whether
it
be
the
software
or
the
hardware.
I
know
with
the
new
IT
security
director.
They
taken
a
very
aggressive
approach
to
looking
at
these
things,
and
it's
very
welcomed
in
our
part,
so
I
think
anywhere.
There's
an
opportunity
to
have
that
cyber
break-in,
whether
it
be
to
the
back-end
system
at
axon
or
to
our
physical
cameras.
That
is
the
plan
for
and
then
taking
it
even
further
with
the
LPR
and
all
of
our
systems.
I
think
that's
the
plan
anywhere.
C
B
Regarding
the
review
of
the
written
policy,
police
has
an
established
policy
that
addresses
the
mandates
associated
with
the
statute.
The
policy
is
defined
as
4-2
to
3
in
the
police
department,
the
auditor
reviewed
the
policy
and
compared
its
contents
to
the
mandate
and
did
not
find
any
issue,
so
it
is
in
compliance.
B
Data
classification
data
collected
by
body-worn
cameras
automatically
has
the
designation
of
nonpublic
for
data
to
be
released
to
the
public.
A
request
must
be
made
and
content
is
reviewed
by
the
records
information
unit.
The
auditor
evaluated
a
sample
of
data
collected
by
the
body-worn
camera
system
and
examine
the
process
for
sharing
data
with
other
agencies
and
releasing
data
to
the
public.
The
body
worn
camera
data
is
assigned
a
category
which
automatically
defines
its
retention
characteristics.
B
Police
have
also
put
in
place
supervisor
review
review
processes
to
evaluate
a
sample
of
data
to
verify
classification.
This
review
process
reduces
risk,
the
data
will
be
purged
from
the
system
and
uncertainly
and
no
exceptions
were
noted
and
I
did
have
a
quick
question
for
commander
Granger.
Do
you
randomly
test
periodically
data
classification
of
the
video
footage
in
your
auditing.
G
B
G
B
Data
maintenance
and
destruction
data
has
an
automated
retention
period
that
ranges
from
a
minimum
of
one
year
and
up
to
seven
years
and
a
common
retention
problem
is
that
when
we
know
what
the
data
destruction
timeframe
is,
we
don't
go
and
destroy
the
data,
so
we
put
the
city
at
additional
liability
additional
risk
when
we
don't
destroy
data
when
it
should
be
destroyed.
So
it's
important
to
have
a
system
in
place
to
manage
data
destruction.
B
Police
has
defined
a
category
of
significant
events
which
are
maintained
for
at
least
seven
years
and
must
be
manually
deleted
upon
analysis.
There
were
1113
samples
of
recorded
data
that
were
selected
randomly
the
sample
selection
was
focused
on
high-risk
categories.
There
were
now
no
data
destruction,
exceptions
noted.
B
Public
data
requests
handling
and
redaction
the
records
information
unit
receives
requests
via
email
or
walk-ins,
similar
to
the
license
plate
reader
data
to
release
body,
worn
camera
camera
data
to
the
public.
The
record
information
unit
processes,
these
requests
by
validating
that
the
individual
making
the
request
is
authorized
to
receive
the
data
footage
is
then
appropriately
redacted.
The
software
would
be
auditor
determined
that
the
software
was
able
to
obfuscate,
both
video
and
audio
and
create
a
new
file
that
preserves
the
initial
copy.
The
new
file
is
then
shared
with
the
requester.
B
Data
access
and
security
access
is
granted
by
written
permission
from
commander
of
technology
and
Support
Services
Division.
There
are
roles
based
access
controls
in
place
that
limit
access
to
data
by
the
job.
The
roles
defined
within
the
portal
are
fine-tuned
and
restrictive.
The
number
of
administrators
within
the
system
have
been
limited,
and
this
is
the
system
that
handles
body-worn
camera
footage.
We
observed
that
removal
of
access
to
the
system
after
personnel
have
been
terminated
may
take
an
extended
amount
of
time
and
that
issue
was
identified
at
the
beginning
of
the
report.
B
Body-Worn
camera
use
in
the
event
of
equipment
failure,
supervisors
advised
their
officers
to
report
the
issue
to
the
technology
unit.
This
again
is
a
repeat
of
issue
number
two,
so
I'm
going
to
skip
that
body-worn
camera
procurement,
body-worn
camera,
has
procurement
processes
in
place
that
integrate
the
requirements
associated
with
the
Minnesota
statute.
There
have
not
been
any
major
procurements
that
fall
within
the
audit
period,
which
was
basically
two
years
since
the
prior
biennial
audit
and
that
wraps
it
up
for
the
two
biennial
audits.
Are
there
any
questions?
Thank.
A
B
Okay,
we
have
the
contract
amendments,
audit
phase,
one
and
before
I
introduce
the
auditor
to
speak
on
this
audit
I
wanted
to
thank
finance
and
procurement
for
their
involvement
in
this
audit.
This
was
a
broader
based
audit
that
looked
at
the
control
environment
over
changes
to
contracts
of
contract
amendments,
any
types
of
changes
to
contracts.
During
this
audit,
one
particular
area
of
contract
changes
are
under
construction
contracts.
B
There
are
a
lot
more
complex
and
a
very
high-dollar
tracks,
so
that
has
actually
spun
off
to
another
audit
that
is
in
progress
and
I
will
speak
more
on
that
specifically
construction
audits,
a
little
bit
later.
So
this
contract
amendments
on
audit
is
just
big
picture:
risk
and
control
environment
for
contract
amendments
and
I'd
like
to
introduce
auditor
Travis
clampy.
The
lead
auditor
from
Baker
Tilly
is
not
here
today.
E
Palmisano
and
was
of
the
committee,
so
this
we
connected
a
view
of
the
contract,
change
among
processes
and
based
most
of
you,
Internet
related.
The
change
in
amend
processes
and
procedures
are
hockey.
We
designed
this
this
efficiently
mitigate
risk
of
fraud,
waste
and
abuse,
I'm
first
going
to
go
in
lesson
background
and
then
some
and
then
the
scoping
approach
and
the
results
of
this
review.
E
I'm
citizens,
law
definition,
so
contract
amendments
or
in
an
agreed-upon
change
to
contract,
price
terms
or
scope
of
services
such
as
atom,
removing
work,
I'm
changing
the
terms
or
duration
of
the
contract
and
I
was
attractive.
Big,
be
mentioned.
We
construction
contracts
were
specifically
called
out
of
this
review
and
they
would
be
covered,
maybe
cover
more
Duff
in
the
construction
contracts.
Are
they
there's
two
broad
types
of
contracts
is
procurement
contracts
and
then
not
procurement
contracts.
Chemical
contracts
are
good
for
goods
and
services
that
are
sourced
through
the
procurement
division
and
system.
E
Procurement,
bio
is
worthless.
The
department
staff
his
first
bids
execute
them
in
mint
contracts
and
throughout
the
whole
process.
Examples
include
professional
services
contracts
such
as
RFPs
Master
contracts
and
buying
services
contracts.
The
pricing
contracts
form
of
contracting
construction
contracts.
The
other
aspect
is
also
non
procurement
contracts,
so
use
are
not
source
procurement,
I'm,
the
original
within
a
department
or
function
responsible
for
the
contract
and
they
uploaded
into
the
procurement
system
for
the
to
facility
signatures
and
payment
throughout
the
process.
Examples
include
real
estate
transactions,
revenue
contracts,
grant
agreements
memos
ever
understanding
indirect
powered
agreements.
E
So
with
this
agenda
process
for
procurement
contracts,
so
the
department
contract
manager,
we
notified
the
commit
I'm
gonna
memory
is
requested
for
time
extension
increasing
funds
or
for
the
change
of
scope
of
work.
I'm,
the
buyer
we've
used.
They
requested
my
men
to
determine
if
POC
the
permanent
review
committee,
approval
or
council
approval
is
required,
depending
on
the
terms
of
the
contract
and
the
type
and
recording
activities
to
facilitate
committee
and
council
review,
otherwise
about
reviews
and
approves
our
contract
in
my
met
and
facilitates
department.
E
Collaboration
improvers
in
the
procurement
system,
as
in
the
final,
is
audited
for
signatures,
and
then
the
contract
order
is
increased
or
adjusted
as
well
as
appropriate
in
the
system.
So
the
POC,
the
permit
review
committee,
was
established
by
the
City
Council
to
review
our
request
for
proposals
for
professional
services
contracts
over
175,000.
They
were
reviewed
by
the
committee
prior
to
the
issuance
to
fight
for
uniformity
in
format
and
journal
conditions
and
to
ensure
conformity
with
the
city,
ordinances
policies
and
civil
rights
course.
E
The
torment
must
obtain
PRC
approval
to
waiver
from
the
RFP
process
prior
to
requesting
our
City
Council
approval
for
the
moment,
and
then
the
contract
amendment
or
the
the
trust
world
changed
has
changed
over
years
and
throughout
the
swab
of
this
audit,
there's
three
different
time
periods
that
were
evaluated
with
the
foreign
thrust
force.
We
that
this
applies
to
with
the
most
we
should
change
occurring
a
journey
first,
when
eighteen
for
the
raising
from
a
hundred
thousand
two
hundred
seventy
five
thousand.
E
So
now,
procurement
contracts
to
cement
contracts,
not
sourcing
the
human
division
department,
contract
managers
worked
with
the
State
Attorney's
Office
and
obtains
constant,
prove,
Oh,
firmly
action,
plan,
approval
and
insurance,
and
other
documents
is
needed.
The
final
amendment,
the
final
amendment
document,
is
a
imported
into
the
procurement
system
for
approvers
and
electronic
signatures
for
Part
A
Minneapolis
party
migration
board
Parker
contracts.
The
process
for
amending
point
for
contract
is
similar.
E
Contract
process
superseded
appointments
and
they
worked
with
the
was
a
to
they
work
with
the
board
attorney
but
utilized
a
city
cop
or
city's
Civil
Rights
requirements.
However,
the
requirement
is
one
hundred
thousand
dollars
for
all
that
competitive
bid
threshold
and
then
months
ago,
Building
Commission,
the
city
procurement
assist
embassy
with
buying
services,
but
not
with
non-governmental
professional
services
contracts.
They
may
need
you
guys
had
it
been
County
work,
human
processes
for
some
contracts
I'm.
E
However,
the
city
facilitates
payments
for
NBC
and,
as
such,
contract
information
is
uploaded
into
this
and
stored
with
your
city
procurement
system.
So
the
scope
and
approach
just
go:
oh,
let's
go
for
this
included
a
review,
an
assessment
of
the
design,
opt-in,
effectiveness
of
controllers,
you
from
contracts
from
contract
amendments
taking
place
from
Germany
1st
2015
through
June,
1st
2019,
I'm
governance,
contract
change
and
a
moment
processes
and
data
availability
and
reporting
were
tested,
and
this
is
kind
of
a
quick
diagram
of
what
was
in
scope
I'm.
E
So
in
scope
and
out
of
scope
for
this
review.
Subacute
contracts
on
our
gimmick
contracts
were
in
scope
with
this
one,
our
construction
contract
to
be
covered
in
the
construction
audit.
The
procurement
system
overall
is
also
being
covered
in
a
permit
system,
post
and
limitation,
user
access
management
and
workflow
review,
as
currently
in
planning
stage
and
then
park
board
contracts.
Also
seeking
additional
coverage
through
the
office
of
the
state
auditor
agreed
upon
procedures
for
contract
compliance
and
then
grant
agreements
we
didn't
well.
E
I'm,
so
a
re
okay,
no
review,
but
human
and
non-human
contract
amendment
data
for
the
puritan
scope
in
order
1485
unique
contracts
with
amendments.
During
the
time
period
we've
judged
my
theory
started
81
contracts
to
review
that
covered
each
of
the
three
competitive
bidding
stress
wards
and
then
also
come
from
the
following
categories
so
below
the
applicable
competitive
bidding
threshold,
175,000
I'm
Emily,
resulting
in
total
contract
change
above
the
threshold
and
below
2
million
and
a
members
over
2
million
dollars
and
amendments
resulting
and
the
largest
total
contract
value
change.
E
As
part
of
that
81
in-depth
review
and
as
well
as
for
data
data
availability
reporting,
we
assess
the
availability,
completeness
and
accuracy
of
documentation
and
reporting
of
contract
changes
and
amendments.
As
we
saw
through
this
audit,
two
issues
were
identified
and
the
first
being
changes
in
the
key
contract.
Amendment
procedures
were
not
formally
logged,
which
is
weird
as
moderate,
and
an
oversight
and
monitoring
of
some
city
contract
change
causes
knee
strengthening,
also
a
moderate
issue.
E
So
for
this
first
one
is
going
to
be
covered
in
kind
of
three
separate
parts
here:
kind
of
for
the
responsible
function,
so,
first
for
the
cumulative
vision
for
key
motivation
policies
and
seizures
for
managing
contracts
and
changes.
I'm
making
on
the
department's
internet
pages
I'm
keep
as
you
just
haven't,
updated
reflect
changes
with
the
new
procurement
system
implementation.
E
Every
training
team
who
ever
cleared
management
logs
in
are
available
to
indicate
nature
and
timing
of
key
changes.
Some
fire
keys
procedures
not
much
be
pertain,
maybe
plow
nested
on
some
paper
pages.
Yet,
for
example,
general
agreement
form
contract
versions
from
fire.
Us
identify
the
bottom
of
sub
page
within
the
contract
within
the
intranet
site.
A
link
for
help
on
the
standard
contract
forming
page
includes
references
to
some
staff.
We
have
been
separated
from
the
city
for
several
years.
E
Our
management
continues
to
update
documentation,
as
well
as
a
part
of
the
change
of
the
system
at
creative
ability
2019.
So
the
May
procurement
management
response
in
October
2015,
the
city
conducted
procurement
to
pursue
tech,
not
options
for
creating
a
digital
purchasing
portal
for
sourcing
of
products
and
services.
Procurement
implemented
an
electronic
system
for
sourcing
a
contract
management
in
February
19.
E
This
major
system
changed
significant
reduced
paper,
copies,
reduce
approval
and
processing
time
and
implemented
an
electronic
signature
process,
as
it
was
a
major
overhaul
of
procurement
and
contracting
processes,
which
also
required
many
changes
within
the
documents
and
the
procedure
documents.
The
system
has
been
used
to
nine
months.
This
audit
was
performed,
but
humans
stood
in
the
process
of
making
final
updates.
As
to
the
internal
and
external
websites,
reference'
was
given
to
updating
external
documents.
First,
it's
create
a
positive
experience
for
suppliers
updates
to
the
documents
are
necessary
as
minor
enhancements.
E
Improvements
are
made
to
the
system
based
on
input
from
both
internal
and
external
users.
Current
versions
of
various
documents
will
provide
to
the
internal
audit
team
procurement
will
continue
to
develop
update
these
procedural
documents
whenever
process
or
procedure
changes
are
made.
I'm
working
with
the
IT
department
procurement
will
develop
a
mechanism
to
save
an
outdated
procedures
on
the
website
and
the
target
remediation
for
this
project
is
the
summer
31st
2020
as
well
under
issue
1
I,
was
degree
for
the
neighborhood
and
communications
on
some
of
their
specific
contracts.
E
Uncie
are
responsible
for
amendments
associated
with
neighborhood
we've,
an
amazing
revitalization
program
or
NRP
contracts
on
these
contracts
of
funding,
a
with
the
city's
neighborhood
associations,
third-party
vendors
and
departments
and
jurisdictions
to
help
implement
neighborhood
products
and
programs
and
see
our
staff
have
institutional
knowledge
in
managing
and
running
these
contracts.
However,
the
key
this
process
and
procedures
as
part
of
this
process
enough
documented
an
nco
management
response
with
the
management
to
ensure
keen
on
procurement.
Contract
procedures
are
documented.
Leave
you
updated
periodically
management.
E
We
do
develop
especially
to
formally
track
key
procedural
changes
with
the
effective
dates
and
approval
suffered
them
via
ask
to
begin
using
spreadsheets
for
any
contract
and
monitoring
activities
that
are
currently
performed
on
people
and
the
target
mediation
need
for.
This
is
September
30th,
2020
and
then
the
third
part
of
this
issue,
I'm
linked
to
the
Minneapolis
Park
and
Recreation
Board,
to
meet
the
park
board,
has
a
separate
elected
partner
board.
E
There
is
a
governing
body
for
this
tablet
or
the
establishment
super
tenant
Authority
the
park
will
maintain
its
financial
policies
and
procedures
manual
that
outline
contract
amendment
procedure
specific
to
the
park
board.
These
tupid
documents
have
not
been
revised
recently
and
do
not
reflect
city
changes
in
their
competitive
sourcing
volume.
Its
brush
rules
and
processes,
specifically
maestro
mentions
$100,000
threshold.
That
was
changed,
whether
it
so
far
was
a
hundred
thousand
dollar
threshold
or
the
city's
now
175
thousand
competitive
threshold.
E
Poor
management
response
management
will
ensure
keen
on
procurement
contract
besiegers
are
documented,
reviewed
and
updated
periodically
management
we
develop
a
specially
to
former
each
key
procedural
changes
with
the
effective
dates
and
approver
staff
will
be
asked
to
you.
Spreadsheets
as
well
and
update
that,
and
just
for
this
one,
the
target
remediation
date
is
September,
30th
2020,
as
well
now
for
the
second
issue:
issue:
2
oversight,
monitoring
of
subsidy
contract
receipt
processes
in
each
strengthening
for
this
one,
a
couple
of
different
aspects
were
identified:
potential
department
by
passive
commit
controls.
E
Some
contract
changes
may
be
submitted
to
approval
I'm.
Joking,
like
to
the
Ways
and
Means
Committee
of
the
city,
comments
apply
to
procurement
management
review.
It
is
possible
for
Department
staff
to
act
moments
either
through
the
agenda
through
limbs,
without
procurement
approval
by
passing
the
procurement
control
that
might
meant
I'm
Sarah
procurement
resources
do
review
the
Ways
and
Means
agenda
for
submission
for
in
search
for
amendments
bypass
the
procurement
control
environment.
E
However,
this
review
is
conducted
during
the
Ways
and
Means
Committee
agenda-setting
processes
and,
as
such
staff
has
a
short
timeframe
to
review
and
affirm
anything
on
the
agenda
throughout
this
process.
I'm
increasing
the
risk
are
inappropriate.
Changes
may
be
reviewed
and
approved
by
the
City
Council.
E
E
However,
key
outcomes
such
as
over
always
also
the
view
are
not
included
in
the
log
I'm,
including
including
aspects
such
as
key
outcomes,
a
more
data
in
the
log
Rifai
data
for
high-level
trending
analysis
and
data-driven
decision-making
thought
the
whole
process
I'm,
not
procurement,
contracts,
not
review.
My
contract
changes
are
not
centrally
managed,
instead
Henry
within
appointments,
which
may
result
in
good
manual
and
consistent
processes
in
managing
voting.
A
floating
contract
amendment
specifically
non
procurement
contracts
and
associated
amendments
are
not
fully
integrated
into
the
procurement
system.
E
I'm,
specifically,
the
human
system
is
not
being
used
for
professional
service
contracts
resulting
in
manual
and
are
sufficient
processes
and
a
weaker
overall
controller
volume
it
to
those
entities
with
contracts
that
you
go
through
procurement,
but
also
impact
city
residents,
management
response.
So
for
the
first
part
in
the
overall
assessment
of
procurement,
risk
and
controls,
fairness
management
was
completed,
collaborative
track
process
risk
assessment,
with
input
from
impact
stakeholders
to
ensure
key
risk
and
the
mitigating
primary
controls
are
monitored.
E
Expectations
for
marching
those
controls
are
also
be
documented,
and
then
the
potential
department
by
tokuma
controls,
wins
enhancements
have
been
discussed
with
the
city,
collective
human.
How
the
quest
will
be
prioritized
as
many
other
system
enhancements
are
needed:
management
in
the
cities,
clerk
office
or
an
agreement
that
says
this
is
a
priority,
but
changes
were
not
likely
to
occur
in
2020
due
to
the
higher
was
prioritized
changes
that
must
be
implemented
before
limbs
can
be
updated
for
PRC
review.
E
The
results
of
analysis
management
were
enhanced,
the
PRC
tracking,
especially
to
include
a
few
key
fields
reflecting
khomeini
activities
and
outcomes
that
can
be
used
for
analysis
and
then
a
decentralized
contract
processes.
City
ordinance
regulates
the
extent
of
contract
responsibilities
of
city
procurement
office
regarding
boards.
E
Under
the
ordinance,
the
human
is
not
responsible
for
the
sourcing
of
professional
technical
services
for
point
board
or
the
embassy
or
ins
requires
that
those
purchases
manage
on
the
state
statutes
to
be
completely
sourced
by
the
city
procurement
and
that
is
currently
being
accomplished
as
in
compliance
with
applicable
parliaments,
and
then
they
target
remediation
date.
For
this
overall
issue
is
December
31st
2020.
B
A
A
Improvement
is
a
part
of
what
we
should
do
here,
I'm
glad
that
this
was
completed
and
that
we're
willing
to
share
it
and
we're
all
eager
to
just
keep
on
doing
the
work
so
that
we
can
get
to
that
next
easier
place,
because
we
want
it
to
be
easier
to
do
business
here
at
the
city
and
to
do
these
kinds
of
procurement
transactions
is,
is
critical
to
meet
some
of
the
needs
and
interests
that
we
have
in
getting
services
from
our
target
market.
I.
A
B
B
That
we'll
talk
about
is
the
construction
contract
changes
specifically,
so
we
have
a
specialist
from
Baker
Tilly
that
does
this
full-time
test
construction
contracts
across
the
country
and
we've
already
had
some
initial
discussions
with
Public
Works
about
how
that
might
look
for
us
and
what
is
the
best
value-add
approach
without
slowing
down
the
construction
process?
So
we've
come
to
come
to
an
agreement
and
everybody's
excited
to
get
that
going.
So
we
actually
have
another
meeting
on
Wednesday
this
week.
For
that.
A
Yes,
thank
you.
So
what
we
would
have
done
today
is
to
formally
endorse
and
set
up
a
special
project
that
is
in
progress
by
by
request
and
suggestion,
and
collaboration
between
the
police
department
and
internal
audit.
I
do
anticipate
that
February
10th
is
when
we
will
hear
all
about
that
in
a
wrap-up
kind
of
way,
but
director
Bigby
you've
been
leading
this
effort.
Did
you
want
to
share
anything
about
it?
Right
now
sure.
B
Chair
Palmisano
audit
committee
members,
we
kicked
this
off
January,
sorry
December
10th,
but
we
really
got
to
work
the
first
week
of
January,
so
our
team
has
been
hard
at
work.
Looking
at
the
inventory,
let
me
read
from
the
scope
memo,
so
I
can
tell
you
exactly
what
we've
agreed
agreed
to
do
in
this
special
project.
B
So
three
key
points
for
this
special
project:
we're
going
to
verify
the
count
of
all
untested
sexual
assault,
evidence
kits
for
which
Minneapolis
Police
are
responsible,
given
that
they
found
a
lot
of
kits
the
summer
that
they
suspected
were
untested.
More
research
had
to
be
done
and
they
came
up
with
about
1700.
So
we
want
to
validate
that
count.
We
want
to
review
the
internal
controls
around
the
sexual
assault,
evidence
kit
handling.
How
do
we
take
in
the
kits?
B
Do
we
meet
the
10-day,
a
10-day
notification
so
once
we're
notified
that
there's
a
kit
you
have
ten
days
to
pick
it
up
once
you
have
the
kit,
you
have
60
days
to
get
it
to
BCA
for
testing
if
it
needs
to
be
tested,
so
we
want
to
make
sure
we
have
good
process
and
process
this
in
place
to
do
that
now,
then.
Finally,
we
want
to
look
at
this
backlog
of
sexual
assault.
Evidence
kits
that
may
need
to
be
tested.
B
What
is
the
plan
to
get
these
tested
and
what
controls
do
we
have
around
that?
So
we're
actually
wrapping
up?
We
finished
the
inventory
count
today.
We
still
have
to
do
some
analysis
and
get
all
of
our
data
together.
So
we
won't
report
any
final
numbers
till
we
do
our
quality
checks
by
next
week.
We
should
be
able
to
wrap
everything
up.
We
think
that
we
have
pretty
good
processes
in
place
the
police
department,
especially
under
the
direction
of
Lieutenant
Darcy
horn
and
the
Hennepin
County
eternity.
That's
leading
this
initiative
is
Christina.
B
Warren
she's
been
working.
They
both
have
been
working
very
closely
with
us
and
we've
walked
through
their
processes.
We
offered
some
very
minor
suggestions
on
prioritizing
how
to
handle
their
spreadsheets
for
prioritizing
work
and
sharing
spreadsheets,
but
they
have
come
up
with
their
own
risk,
ranking
and
prioritization.
That
looks
good.
We
didn't
find
any
need
for
improvement
there.
So
we'll
wrap
all
this
up
and
summarize
that
in
a
memo
by
the
end
of
January
and
share
it
with
management,
get
any
of
their
feedback,
and
it
will
be
ready
for
audit
committee
on
February
10th.
B
Welcome
that
it
was
hard
work,
doing
the
inventory
count.
I
think
traversing
komlin
have
participated
in
that
and
after
the
first
or
second
day,
I
came
down
with
the
flu,
so
we
borrowed
a
finance
person
from
internal
controls
to
help
with
the
inventory
count
so
that
that
was
a
painstaking
process
and
it
was
very
worth
it,
and
we
also
like
to
thank
lead
from
police
for
his
time.
He
had
to
be
side
by
side
with
us
that
we
were
never
unattended
in
the
cooler.
C
B
Council,
chair
Palmisano
committee,
member
Fischer,
so
some
other
seals
are
broken.
Some
are
broken
accidentally
because
one
side
is
sealed.
The
other
side
is
not
some
had
already
been
tested
and
brought
back
the
because
the
processes
were
more
inconsistent
with
the
older
kits.
So
we
are
noting
what
we
observe
and
then
often
it
takes
talking
to
number
of
subject
matter
experts
to
find
out
what
actually
happened
with
this
box
over
the
last
30
years.
B
So
we
are
counting
kits
that
appear
to
be
untested
and
we're
counting
kits
that
appear
to
be
tested
or
are
restricted,
we're
counting
everything
and
we're
matching
that
up
with
the
police
list.
That
only
counts
some
portions
of
that.
So
we're
going
to
turn
over
a
comprehensive
inventory
to
the
police
when
we're
done
and
then
we'll
also
make
sure
our
counts
match
up
with
theirs
for
what
we
think
are
untested.
Now,
when
you
have
1700
starting
it
doesn't
mean
that
all
those
1700
are
untested
and
should
have
been
tested.
B
It
means
we
can't
tell
by
visually
looking
at
the
physical
box.
So
then
you
have
to
do
additional
research
in
the
pimp
system
in
capers.
Looking
at
supplements-
and
that's
where
the
head
of
account
attorney
is
extremely
valuable
in
doing
that
additional
research,
then
that
research
determines
yes,
this
kit
needs
to
be
tested
or
no
it's
restricted
or
for
some
other
reason
it
would
not
be
tested
then,
so
only
a
sub
portion
of
that
1700
will
actually
go
to
the
BCA,
the
Bureau
of
Criminal
Apprehension
for
the
testing
and
they
are
dude.
B
That's
a
weekly
iteration,
so
about
20
kits
per
week,
are
getting
picked
up
on
average
and
being
sent
to
BCA.
So
it's
a
continually
working
process,
then
that
will
continue
until
that
backlog
has
been
worked
completely.
Meanwhile,
you
have
new
kits
coming
in
to
have
to
be
handled
properly,
so
they
already
have
a
process
in
place.
Now
the
the
sixth,
the
10-day
notification
and
the
60-day
has
to
get
to
BCA.
B
So
we
validated
that
everything
on
hand
that
has
been
collected
more
recently
is
following
the
current
process,
this
design
answer
and
then
in
February
10th
we're
going
to
try
to
get
miss
Christina,
Warren,
and/or,
lieutenant
Darci
here
to
answer
any
additional
questions
on.
What's
happened
in
the
past
and
clarify
any
of
that.
B
H
You
Japanese
arrow
for
the
committee
members
I'm,
going
to
give
you
brief
update
on
the
community
planning
and
economy
development
support,
grant
management
project.
The
objective
of
C
parent
management
audit
is
to
assess
the
control
environment
for
managing
grants
at
dissipate.
Department
the
plan
is
completed
and
the
field
work
is
in
progress
at
the
end
30%
of
the
award
is
completed.
H
A
B
Seeing
any
the
construction
contact
contracts
audit
are,
as
I
mentioned
before,
our
Baker
Tilley
audit
expert
will
be
coming
in
and
working
with,
Public
Works
and
see
ped.
Primarily,
we
haven't
had
the
kickoff
meeting
with
C
ped
yet
because
the
the
sample
selection
has
not
been
made,
so
he
should
be
doing
that
this
week,
we've
already
started
some
discussions
with
Public
Works.
We
also
have
already
talked
with
park
board
and
we
will
be
including
construction
contracts
with
park
board
and
we
have
spoken
with
finance
and
will
be
including
any
finance
managed
construction
contracts.
B
I'm
on
the
next
project,
okay,
I'll,
go
on
if
I
don't
see
any
questions:
the
procurement
system,
post,
implementation,
workflow
and
user
access
management,
IT
audit
is
being
led
by
Baker
Tilley.
This
audit
objective
is
to
review
the
design
and
effectiveness
of
controls
around
procurement,
automated
workflows
and
user
access
management.
If
controls
are
weak,
the
risk
of
error
or
fraud
may
not
be
appropriately
mitigated
and
users
may
circumvent
processes
or
create
their
own
work.
Arounds.
B
After
talking
with
procurement
management,
we
agreed
that
a
workflow
analysis
would
be
included
in
this
review
and
not
just
user
access
management
review.
We
think
that
will
add
the
best
value
in
this
review.
The
planning
discussions
are
completed
and
the
scope
memo
draft
was
in
progress.
Then
the
holidays
happened,
so
I
expect
that
scope
memo
will
be
issued
shortly.
B
The
park
board
grant
management
audit
we've
collected
some
policies
and
procedures.
We
do
have
to
put
that
on
hold
momentarily
because
we
do
have
a
small
team,
so
we
want
to
get
the
sexual-assault
evidence.
Kit
done
the
construction
contract
audit,
some
of
our
higher
priority
reviews
and
then
we'll
be
ready
to
kick
off
this
review.
B
The
annual
enterprise
risk
assessment,
we
have
completed
our
conversations
and
we're
working
with
Baker
Tilley
to
prioritize
our
projects
and
have
a
report
ready
for
you
by
February
10th.
Last
year's
report
came
out
in
February,
so
we'll
try
to
keep
the
same
cadence.
We
already
have
a
pretty
full
audit
program,
so
audit
plan.
We
will
probably
suggest
to
add
a
few
audits
to
the
audit
plan
and
then
have
a
number
of
prioritized
projects
from
which
to
choose
once
that
plan
gets
completed.
H
H
The
city
clerk
office
expect
to
present
nest
city
state
of
DLL
holy
committee
and
applaud
2020.
We
will
be
working
with
neighborhood
and
community
relations
and
see
our
department.
The
NCO
department
is
working
now
with
finance
department
to
improve
financial
policy
requirement
and
oversight
of
the
new
neighborhood
spending
of
city
reimbursed
fund
I.
C
B
To
clarify
they
have
an
inventory
of
controls,
chair
Palmisano
and
committee
member
Fischer.
Not
all
of
the
controls
are
key
controls,
so
the
objective
is
to
test
key
controls,
for
example
a
bank
reconciliation.
Well,
you
might
have
three
secondary
controls
around
bank
reconciliations,
but
it
you
have
to
at
least
test
the
key
control
you
wouldn't
want
to
test
secondary
controls.
Unless
you
have
the
resources
available
and
you
have
already
finished
all
the
key
controls,
so
I
think
at
this
time,
financed
with
two
people.
They
might
have
three
now
on
internal
controls.
C
C
B
You
chair
Palmisano
committee,
member
Fischer
management
is
still
responsible
for
them,
but
to
go
in
and
test
by
a
quality
assurance
function
like
the
internal
control
team.
It
doesn't
make
sense
because
you
might
have
three
secondary
controls
and
if
they
fail,
you
would
still
have
a
primary
control
that
would
work
so
that
primary
control
has
to
be
did
it.
The
secondary
controls
offer
additional
assurance
so
they're
good
to
identify
and
make
sure
that
they
are
working
appropriately.
B
One
reason
why
we're
doing
continuous
monitoring
is
because
finance
of
internal
controls
finances
building
out
that
function
and
that
had
been
as
prior
state
auditor
finding.
So
they
worked
very
hard
to
identify
their
controls.
They
have
a
very
good
understanding
of
risks
and
controls.
We're
very
happy
with
the
framework
that
they
have
set
up,
but
it
takes
time
to
get
that
all
running
and
operating
effectively.
B
E
Choco
Misano
committee
member
Fischer,
just
an
update
as
of
the
otic
issues
eastern
us,
a
December,
9th
2019
I'm
here,
21
open
audit
issues
at
the
time,
including
those
two
new
ones
from
the
contract
members
audit
one.
Those
to
consider
we
opened
two
were
considered
overdue
11
about
issues
in
progress
as
well
as
we
had
closed
eight
since
the
October
audit
committee,
when
eight
more
other
issues
are
expected
to
be
closed
by
March
31st
frame
20
with
the
update.
E
So
we
continue
to
make
good
progress
and
work
with
management
throughout
process
I'm,
just
an
update
on
a
non-public
post,
Auto
issues.
The
public
works
traffic
signal
system
audit,
which
was
a
non
public
published
August
27
2018,
has
been
completely
closed.
Our
public
works
traffic
staff
work
with
internal
audit
to
ensure
all
identified
other
issues
having
successfully
remediated
and
report
is
considered
forwards
with
other.
It
are
the
audit
issues
mediated.
E
We
do
have
two
more
non
public
audit
issues,
reports
that
have
issues
in
that
we're
following
up
on
our
PeopleSoft
web
portal,
security,
IT
audit,
as
well
as
a
police
information
security,
IT
audit
I'm
an
easy
way
to
against
some
security
issues,
and
we
continue
to
work
with
management
feel
this
process
on
them
to
also
working
on
to
overdue
other
issues.
Following
up
on
me,
asian
efforts
with
management,
one
is
a
non
public
audit
issue
from
the
police
information
security
audit,
as
well
as
the
other,
was
a
AG
contract
management.
E
Audit
and
we've
been
working
with
management
on
a
remediation
plan.
I'm
stopped
for
that
one
and
we
have
to
be
closed
out
by
the
end
of
march
and
on
march,
twenty
twenty
and
then
here
again
it's
just
kind
of
a
teacher
of
our
the
public.
I'm
open
other
issues
as
well
as
he
overdue,
and
we
open
ones
as
well
as
just
the
regular
state
auditor
update
I'm
finding
some
who
presented
at
the
October
audit
committees
as
well.
B
Alright,
our
IT
and
cybersecurity
risk
November,
18th
RIT,
our
internal
audit
staff
and
the
chief
information
security
officer
and
the
privacy
director
I
believe,
is
his
title,
attended
the
cyber
threats
in
the
public
sector
and
that
was
hosted
by
met,
can't
counsel
and
it
was
presented
by
the
FBI,
the
US
Attorney's
Office
and
the
cyber
security
and
infrastructure
security
agency,
and
they
provided
updates
and
tips
on
collaboration
between
the
private
sector,
federal
agencies
and
local
government
on
how
to
better
protect
ourselves
from
cyber
security
risk.
It
was
very
beneficial
we
enjoyed
that
in.
B
B
Upcoming,
our
next
audit
committee
meeting
is
February
10th
and
internal
audit.
Redbook
professional
peer
review
has
been
scheduled
for
the
fourth
quarter
2020.
This
will
be
the
first
ever
peer
review
for
the
city's
internal
audit
department.
So
it's
I
think
it's
a
big
deal
and
I'll
mute
municipalities
strive
to
have
their
peer
review
and
once
you
do
pass
peer
review,
you
have
the
peer
review
every
three
to
five
years,
depending
on
who
does
the
peer
review
in
which
book
you're
complying
with.
A
One
moment
mr.
Fisher.
A
Think
everybody
by
now
has
heard
that
director,
Big
B
is
leaving
our
city,
and
this
is
this
will
be
her
last.
This
is
not
an
official
meeting,
but
if
it
was,
this
would
have
been
her
last
audit
meeting
director,
Big
B
I,
think
I
speak
for
every
member
of
the
Audit
Committee,
even
those
not
present
today
when
I
say
that
we
are
sad
to
see
you
go
while
this
came
as
a
bit
of
a
surprise
to
everyone.
A
While
building
out
an
ambitious
and
impressive
work
plan
you
usually
get
one
or
the
other
and
the
other
suffers,
but
you've
you've
had
an
opportunity.
You
you've
really
done
great
work
in
doing
both
of
those
things,
so
we
are
sad
to
see
director
big,
believe
us,
but
we're
very
appreciative
of
her
efforts,
leading
this
department
and
her
commitment
to
the
city,
and
we
wish
you
the
best
as
you
go
through
this
big
transition.
Thank
you.
B
Thank
You,
chair
Palmisano
and
audit
committee
members
and
I
really
appreciate
your
support
for
the
internal
audit
function.
It
has
been
a
pleasure
working
here
and
we
really
appreciate
your
interest
in
our
department
in
all
of
our
activities
and
I
did
want
to
mention.
Our
advisory
services
are,
I
think
add
a
lot
of
value
to
the
city.
So
a
couple
of
other
things
that
just
recently
came
up
are
commenting
or
attending
a
session
where
somebody
in
the
city
is
prevented,
presenting
something
on
internal
controls.
So
NCR
is
coming
up
in
a
couple
of
weeks.
B
G
A
Mm-Hmm,
that
is
absolutely
the
kind
of
audit
Department
that
we
we
need
in
is
particularly
effective
here
at
our
city,
with
that
I'm
pleased
to
announce
that
in
the
interim,
but
we
undergo
inappropriate
and
throw
a
search
for
director.
Bigby's
successor
I
have
asked
mr.
Ryan
Patrick
to
serve
our
city
and
our
department
as
interim
director,
and
he
has
accepted
mr.
Patrick.
Mr.
Patrick
brings
important
audit
credentials
and
a
legal
background
to
his
work.
He
has
a
terrific
reputation,
both
within
and
across
our
city,
from
his
work
in
the
legal
rights
center
in
Minneapolis.
A
He's
done
a
lot
of
work
in
Washington
DC
in
civil
rights
and
for
the
past
nine
years
he's
worked
in
our
Civil
Rights
Department,
so
I
know
how
highly
director,
Korbel
and
OPC
our
director
Jafar
regard
him.
In
fact,
they
they
both
had
been
sitting
here
for
quite
some
time
too
enthusiastically
here
in
support
of
you,
mr.
Patrick
and
I'm
thrilled
to
share
they
have
been
so
supportive
of
this
idea.
A
They've
both
been
waiting
a
long
time
here
and
director
Korbel
had
had
to
go
out
just
a
couple
minutes
ago,
but
thank
you,
director,
Jafar
for
putting
mr.
Patrick
on
loan
from
your
department
and
Thank
You
mr.
Patrick,
for
accepting
this
this
role
as
interim
and
sitting
here
and
really
being
involved
in
the
transition.
Thank
you.