From YouTube: February 8, 2021 Audit Committee
B
Good morning, welcome to the regular meeting of the Audit Committee for February 8th, 2021. I'm Lenny Palmisano, and I chair this committee. As we begin, I will note for the record that this meeting has remote participation by members of our Audit Committee and city staff as authorized under Minnesota Statute, Section 13D.021, due to the declared local public health emergency.
B
The city will be recording and posting this meeting to the city's website and YouTube channel as a means of increasing public access and transparency. Audit Committee meetings are public and subject to Minnesota Open Meeting Law. At this time I will ask the clerk to call the roll, so we can verify a quorum for this meeting. I will note we have a new clerk, or we have another seasoned clerk with us, as Irene Casper, our longtime clerk for this committee, has retired. We have Peggy Menchek. Welcome, Peggy. Thank.
A
C
C
B
Record reflect that we have a quorum. Colleagues, in recognition of February as Black History Month, Fire Chief Brian Tyner challenged council members to open each public meeting with a historical fact tied to Black History Month. So in that spirit, on this day in Black history, in 1944, Harry McAlpin became the first Black reporter allowed into a White House press conference. Having served as a navy workers correspondent and later a reporter for the National Negro Press Association and Atlanta Daily World, McAlpin was invited to cover the White House, starting with a press conference with President Franklin
B
Roosevelt. Roosevelt himself had extended the invitation for McAlpin to attend the press conference. However, the White House Press Correspondents Association, which is not a government agency, didn't want him there, didn't want to admit him to their club, and tried to block his entry into the press conference. The head of the association even attempted to bribe McAlpin not to attend the press conference, offering to give him credentials and membership into the association if he declined to attend the presidential press conference, but McAlpin refused to be bullied out of this opportunity and chose the press conference anyway.
B
At the end of that conference, he approached President Roosevelt. Roosevelt, in front of the entire press corps, shook McAlpin's hand and said to him, "Harry, I'm glad you're here." McAlpin's appearance at the press conference, being the first Black reporter allowed in the press pool inside the White House, was so notable that the New York Times captured the event for its February 9th edition that year. Throughout his time in Washington, DC, covering the presidential beat, he was never permitted membership in the Correspondents Association, nor was he permitted to attend their annual dinners.
B
Nevertheless, due to his hard work and excellent reporting, three years later in 1947, the Negro Newspaper Publishers Association and a handful of African-American correspondents were given press credentials by the congressional press galleries, as well as the US State Department. McAlpin pioneered the way for other Black reporters and news correspondents to join the ranks of the nation's top-ranked journalists.
B
B
A
B
A
B
C
B
A
B
New item number three, which is the 2021 enterprise risk assessment, published as item number four on the agenda today, and I will turn this over to Director Patrick. Welcome.
F
Thank you, Chair Palmisano, and I will be presenting first the narrative for the 2021 risk-based assessment covering activities in 2020 and what we anticipate for the year to come. I have a PowerPoint, should be queued up for this. Yep, that's it. So if we can just happen to the first slide. So first I'll talk about our approach and methodology, essentially how we conducted the risk assessment. Next I'll talk about the summary of the results.
F
So we align our annual enterprise risk assessment with the Institute of Internal Auditors' professional practices frameworks. We're conducting this in compliance with generally accepted auditing standards, and part of that is considering all the key strategic risks to all city departments. This is an enterprise risk assessment, and it's important to note that we define risk broadly.
F
F
One project, if you recall, we met with local government auditors on a regular basis and also surveyed audit departments around the country to hear about how they were impacted by COVID and how their cities were and how they were incorporating it into their risk assessment, and that helped us inform these conversations we had in the surveys we sent to the enterprise.
F
We also look at trends in the industry of internal auditing. We attend a lot of continuing education events that talk about current topics. We think about external events that are happening both in the city and around the world, and prior audit work that we did. So all those things inform how we go about conducting our risk assessment.
F
Primarily, the big thing that we do in the risk assessment is interview key department staff. We use a survey for the entire enterprise, but it's those interviews that really are kind of the gold for this project. Of course, looking at budgets and those types of activities is important, but department heads and those working in the departments are really the people who know what's going on. They are the process owners, they are experiencing the impact of what's been occurring, and they know what their strategies are moving forward.
F
So we did. We did conduct a number of, significant number of interviews with department heads and staff.
F
Let's move to the next line. How do we then use those interviews to inform how we're going to go about doing audit work? But we think about risk, and that's any event that might impact the ability of a department to achieve its goals.
F
F
You know, a significant control failure in a department, how that might impact both that department and the city enterprise. Then the other important thing to note, particularly over the past year, is velocity, and that is how quickly is the situation changing, either the probability, the impact, the work that's going on in the department. When things are in a state of rapid change or flux, that can certainly increase the likelihood and impact that something might have.
F
So it's really important, particularly over the past year, as it's been so tumultuous, to think about velocity when we're planning what might mitigate risks. So you might think of a key risk to a department, something, a control failure, might go wrong. But when we speak with department heads and we look at the work that departments are doing, if they're taking risk mitigation strategies, particularly conducting risk assessments, they have their own internal controls team.
F
They have plans in place to reduce the probability event, that will significantly drop them down on the probability scale, and that's pretty important. When we're planning audit work, we can look at the activities the department's doing, validate that they're occurring, and that might make them less of a candidate for future audit work. And it's important that those departments are kind of working on their own risk assessments as the process owners throughout the year.
F
Let's move to the next slide. So this is our 2021 enterprise risk assessment heat map. So, if you see on the scale on the left, you have probability, so as something moves from the bottom of the scale to the top, we think there's, it's a higher likelihood that an adverse event might occur. And then on the bottom you have impact, and so this is kind of how we think about the enterprise as a whole.
F
So when we're thinking about audit planning, we want to think about basing our coverage on where people stand on this risk assessment heat map. As things are in the upper right-hand corner and departments are in the upper right-hand corner, we may want to devote more audit attention to those entities. Things that are closer to the lower left-hand corner and in the middle, we want to provide enterprise coverage.
F
There are a lot of risks that they can't control. Obviously, we need to provide them with attention and support, but there are a lot of things that put them at risk of loss of life, that create significant reputational risks and harms for the city, a possibility of compliance failures that have significant impacts on the city functions.
F
So the second bullet point. These are items that have moved closer to that upper right-hand corner, and I'll explain why. The City Clerk's Office: one of the things that they're primarily responsible for is data management, data requests. They play a key role in data governance in the city, as does IT. Over the past year, and this is something we saw in our COVID phase one and then again in our COVID phase
F
Two, as people spread out across the city working from home, working remotely, data spread out as well, and access to data systems spread out. At the same time, they are frequently bombarded. Anytime there's a major city event, they're bombarded with a lot of requests, and there's a lot of data that people want access to. So keeping them functioning and healthy with the risk assessment, along with recognition of the current challenges they're facing and the things that have changed over the past year, elevates them into a higher category.
F
911 experienced, and emergency communications in general experienced, a significant amount of impact over the last year during the civil unrest, and in conversations with them, that I'll kind of discuss a little bit later on, noting that technology in that field is changing, and trying to keep up with the demands and perhaps modernization and changes to their work, it elevated them to a higher probability category. Human Resources.
F
Also in the past year, we've really seen a big impact on city staffing from one thing to the next: everyone moving to remote work being one thing, the impacts of COVID on the city staff, early retirement, and I'll talk about that generally. But Human Resources being the key business partner dealing with employee relations, they need their systems functioning well, in a healthy state, because they are dealing with a lot of unique challenges that have been presented in the last year.
F
So on to bullet point three. Finance: we've been in a lot of discussions with Finance. Finance, for two reasons, has moved down. One is that they have significant audit coverage, both between our work and the work of the state auditor. They do receive a fair amount of attention and audit coverage, and though that work continues via following up on open audit issues and whatnot, but also they have an internal controls team, and in the past year, they've hired a risk manager.
F
In that sense, the risk, the impact is still there, but because they take these steps, they are less likely to experience that risk. Parks is similar. They underwent in the past year, and continue to work on, a very comprehensive risk assessment, an annual enterprise risk assessment, so they've taken on some of this work on their own, and by doing that risk assessment on their own, as the process owners close to the work, they can take steps to actually mitigate some of those risks.
F
F
It's not to say they haven't faced significant challenges over the past year. They certainly have, and it's worth recognizing, but it's also worth recognizing the good work that they're doing, and work that we'd like to see across the enterprise in risk identification.
F
Emergency Management has also been undergoing a fair amount of work over the past year related to tabletopping, working with each department on COOP plans, and undertaking a lot of activities to lower the risk that they're not going to be able to successfully respond to an event. That reduces their probability some. But I would note they're still quite high on the scale, because an impact on Emergency Management would be significant. They're just recognizing and kind of trained to deal with risk management in a way that not every department is. So.
B
If I could just interject here for a moment, Committee Member Fisher has joined the call, or the meeting here, as well. I wanted to make that note, and Committee Member Fisher, if you could just verbalize your presence, so we can have it for the record recorded.
E
G
Want to assure the committee, I've been on at least a few and have tried to vote since the beginning of the meeting and apparently was not audible.
B
That's all right, Mr. Fisher, we can hear you now and have noted your attendance. Ms. Johnston has a question or comment.
E
Yes, thank you, Chair Palmisano. I was just wondering if Director Patrick could say a few more words about how the folks get on the heat map and where they, how that occurs. It sounds like it's through conversations with departments, but is there any sort of other factors that come into play?
F
Yes, absolutely, and that's one of the situations where it's worth noting both trends in the industry. So, for example, IT doesn't necessarily come out in a conversation with them, the velocity, and the velocity that impacts both the probability and seriousness of an event occurring. So, even though that might not be part of a conversation, just by the fact that we're attending trainings and paying attention to trends in the industry, it might cause us to elevate them on the heat map, and then also beyond that.
F
Looking at world events, so looking at how key events that are occurring around the city may be impacting departments, that might elevate their risks. So part of it is that, in industry trends, the kind of field of auditing as it's developing, prior audit coverage, and response to open audit issues.
F
F
Yeah, that's what I'd say. We also take into account department size and budgets and stuff like that, so you may want to devote, in some instances, attention to departments with, you know, larger budgets or more financial transactions, possibly. But it's worth noting that smaller departments can have a massive impact on the city as well. When we're thinking beyond financial and compliance risks, and we're thinking about both operational, cyber security and reputational harm, it's possible that even smaller departments can have a very big impact on how the city functions.
G
F
And thank you, Mr. Fisher. That's a great question. They actually moved up compared to prior years, so they moved up to a higher tier, and I think you're absolutely right in that some of their work does tie directly to the police department.
F
I would say in that instance, it's certainly worth working with Civil Rights, because they moved up higher on the probability and the potential impact scale. Would say the police, as they work with Civil Rights, might create more of the risk events that impact Civil Rights, and so some of our work with police ties directly to their work.
F
If you think about the body camera auditing system that we discussed last year, moving into this year, and follow-up work that we might be doing with them in the future, I think some of the police-related consultation work does tie directly to civil rights
F
Related work, and we'd certainly keep them in mind as a key partner in that. They are, and perhaps velocity would be a good thing to mention for them as well, because they are adding a bunch of new employees per the last year's budget, and they do have that new auditing structure in place, which is a new function for Civil Rights. So I take your point.
F
I think it's absolutely worth taking into consideration, and we had a great conversation with the interim director of Civil Rights, Frank Reed, and prior conversation before Director Corbil left, specifically about the things that they were facing. I think I take your point, and we will take that into consideration as we continue to adjust and think about the audit plan.
A
Thank you, Chair Palmisano and Director Patrick. Did want to follow up on kind of this line of questioning on the heat map. The department with the most, probably like the highest probability of the biggest impact, is the police department. It'd be helpful for me to learn a little bit more about how it got there. You talked a little bit about, I think, first, to start out with, is that normal for every city, just because of the line of work that they do, or is there
A
F
Council members, trade- this is something we are seeing nationally, so that it's pretty common for public safety organizations to be higher tier than many others. This isn't perhaps out of step with what you might see nationally as an entity that experiences both, you know, high impact and high probability.
F
I think it's worth noting in Minneapolis the significant events that have occurred over the last year and the kind of ongoing flux with the department. They couldn't necessarily move up higher in the scale than they already were before, but they are experiencing a lot of events, and involved in a lot of events, that create risk
F
Currently, so you'll hear less of me talking about police in this presentation than you might think, given their position in the heat map, but I'd call back to our July risk assessment, where we came up with 20-plus projects specifically related to addressing risks in the police department, and so we use some of that to inform our audit work moving forward, and that's why they have, I believe, four additional items for audit on the audit plan as it stands currently, and I didn't recommend removing any of those audits.
F
So I did rely some on the work that we did last year to inform our work moving forward, but they did merit a specific department risk assessment, and we did it rapidly back last year. So that's why you might not hear me talk about them as much, despite the fact that they do occupy that category.
A
Thank you. I, you know, on that, I think I was a little surprised seeing how many audits that are happening for the department. I kind of expected to see them move down a little bit, especially to your comment about, like, that
A
You take into account, like, how much the department is doing on its own, and in light of what other departments have done, is, could you talk a little bit more about either what you'd like to see in MPD if they were going to address some of these issues, or what kind of things you look at, or kind of what's done in other cities to kind of alleviate some of that risk?
F
So there, what we would consider inherent risks. There is inherent risk in every operation, just based on the nature of work. Some activities have very low inherent risk. It's just normal operating business. They carry that. Some have very high inherent, I mean, police have a very high inherent risk in general. And when you take risk management strategies, undertake risk management strategies, you can lower the probability of that risk, but it never actually goes away. What's left over after that is kind of the residual risk.
F
So you would like to see, in departments that have high risk, a concrete plan of the risks that they're facing, them taking steps that are generally accepted kind of in the field to recognize and address those risks.
F
You see IT having a cyber security specialist and a chief information security officer. It's an important position, because they're specifically doing a lot of that kind of work. So what I'd like to, I mean, what we would like to see in police is certainly the continuous and ongoing identification efforts to suss out where they're experiencing problems, and then plans in place to address those problems.
F
So when we were undertaking our risk assessment last year, when we were working specifically with the police department, a lot of the projects that you saw identified on that were areas where we, in conversations, didn't necessarily see that kind of identification and readiness to act on it.
F
It's a fine balancing act between resources and skill sets, and I think it's important to think about having audit in those conversations, at least at the beginning, as departments are doing their own risk assessments. So we plan, just like we spend a significant amount of time with Finance and working with them on the risk assessment work that they're doing.
A
F
So I'm gonna summarize three key takeaways that we got from these conversations and looking at all the information that we received. And there, the city is facing some significant challenges right now, and audit can certainly help with these strategies. But it's going to take some significant work to really identify how we can be supportive, so that we are laser-beam focused on providing that type of coverage, because we're a small department but, at the same time, can have a pretty big impact on how these operations play out.
F
So, in discussions with department heads, you often see staffing concerns as one of the chief concerns year after year, that people express their concern with resources, having adequate staff, being able to hire for the positions they need. But one of the things that we heard this year that was different, it was different in nature
F
To what we've heard in past years, specifically related to staffing, was that employee burnout and retention kind of scored off the charts with every person we talked to, and in talking to our key partners, this really brought a lot of concerns to them. They knew that they had fewer employees because people were retiring and leaving the city. They knew that employees were being tasked with doing more work.
F
The last year has involved a lot of rapid change, responses to crisis events, in events that really impacted the health and well-being of employees, their mental health and their physical health. I mean, it has been a very stressful year for government employees, and department heads are worried that their employees are burning out and also potentially leaving the city. So retention is a big concern, and burnout is a really big concern. And how is this tied to risk? Well, it elevates kind of your operational and compliance risks.
F
It impacts many of these risk categories. So just from a health and safety perspective, if employees are burned out and working more hours, if they're driving around in their car or they're required to make fast decisions, that might elevate the likelihood that they present a health and safety risk. Exposure to coronavirus elevates health and safety risks.
F
We also worry about kind of an institutional knowledge drain. So if senior employees are leaving the city via early retirement, and people are leaving the city taking other job opportunities because they're burned out at the city, you might see an institutional knowledge drain, where we have operations that go on in the city on a day-to-day basis that are very important
F
But, as you've seen in past audit projects, may lack the kind of policy and procedure documents so that the next person stepping into that role can take it up and act on it immediately. So that institutional knowledge drain can really elevate operations, operational risks, because we can't perform critical operations without the knowledge that we need to do them, and compliance risks. If people are less seasoned and don't have the same information that their predecessor might have, we may be, you know, in jeopardy of potential non-compliance.
F
Obviously, burnout affects errors and judgments, so people's work may not be of the same quality that you'd want it to be. They may be having trouble completing projects. And then reputational harm: as employees burn out and experience problems, leaving the city could cause reputational harm to the city.
F
So this is not just supported by conversations. In the multiple conversations I had with our HR director, this information is supported by data. They have a significant amount of data that we'll be discussing as we do our project planning related to employee mental health and burnout. So this is reflected in the types of things they're seeing through surveys, requests and separations. It's just an important thing to recognize.
F
This is a hard subject to address, and I've been working directly with our HR director on figuring out exactly how audit can be supportive of this. Could it be related to hiring, employee support? But this is a risk that we have to address. It's just a tricky one to do so. So over the next month, I plan to continue to work with our HR director and other city leadership to figure out how audit can be supportive of the enterprise in our work.
F
So I would expect one more addition to the audit plan that you won't see necessarily on here to come between now and our next meeting, as we continue those conversations.
G
Yes, Director Patrick, in addition to the burnout issue, which I consider to be fairly significant, all of us are, of course, at the end of our rope here. What about the, I think you referred to this in your audit plan coming up, but what about the use of technology, cell phones, computers, etc., that we're relying on employees to use at home?
G
I, for instance, I'm using my personal computer, my personal phone for these contacts, and obviously the city is secure enough that I can't get in very easily, but I'm worried about other employees of the city, if they're both using their own equipment for communication and then overlapped with this idea of burnout and risk.
G
F
I think, as I discuss the next slide, I will definitely discuss what you're talking about, and I will tie it back to the first item identified. That's an astute observation, and you're absolutely right. This is something that we've seen. So our second key finding, first part, was interesting in that for those departments that could transition to remote work, most reported that it went well, that they initially had some speed bumps in getting the system set up,
F
Getting people used to meeting remotely, access to technology and the things that they needed. Surprising, it went surprisingly well for a lot of people, and people seem to like some of the work-from-home opportunities. So that was an interesting result. We did just didn't hear for those departments that went to work remotely, but that the specific transition to remote work was the biggest impact they had.
F
F
So our city's cell phone policy, the enterprise cell phone policy, is rather old, and, you know, this is something that could be looked at every year, because we're all walking around at this point with supercomputers in our pockets that we couldn't have imagined 20 years ago, the power that they had. And as people went to work remotely, their mobile phone, their personal device, became significantly more important and used as they work. So you're absolutely right.
F
F
The mobile phone issue is a significant one. We have both department-issued cell phones, so departments may have their own policies on how they issue and use cell phones, and then we also have employees using their personal phones, and that creates, you know, some significant cyber security risks, and it also creates some interesting risks when it comes to the storage and maintenance of data, like I mentioned earlier in the presentation with the Clerk's Office. It's
F
I think we can understand pretty easily the risks associated with cyber security and uncontrolled devices, but also thinking about how we may have data now spread out across cell phones. That is potentially public data that could be accessed. People might request it, but now it's spread across a much wider network. So I think this presents some interesting risks, both in terms of cyber security and in terms of governance and adequate policy related to covering cell phones.
F
So people need constant access to their work. When they are struggling to access the files they need, and having to use other technology, and using technology like the web platforms we use to meet and stuff, it does tie back to issue one. When employees are struggling to use the new technology, that increases burnout. They might have to work harder to do the basic things that were pretty simple in their office but now is significantly more complex as they move to the work-from-home environment.
F
F
So I think the two are related. Someone's stressed out and burned out and struggling to use government-provided, city-provided technology. They may just turn to an easier-to-use device or, like you see in bullet point three, these, you know, free software applications, and shadow systems is what they refer to them as, that are outside of IT
F
Control. If you think about kind of the free services that one could get on the internet a decade ago, access to email, basic stuff for free, versus what you can get right now, signing up for a Google Drive account with cloud storage and access to very powerful analytics software for free, employees may be turning to systems to share files, to do their work, that they've created accounts for, that are completely outside of IT control, and this just presents some significant risks.
F
Like I mentioned, with access to data and governance risks, you also have the risk that, for example, an employee is using, maintains the account to one of these that contains a large amount of data that the city needs. They leave the enterprise and they take their password with them, or they change their password and delete the information.
F
We could lose a significant work product if people are using these systems outside of IT control, and, at the same time, it's very hard to control, as people need to complete their work and are experiencing this stress, may turn to these systems, and it's time to evaluate how this is proliferated across the city. And of course, I mean, this elevates our cyber security risks. It elevates our compliance risks.
F
If people are asking for government data and it's stored in a disparate number of systems spread across the city, we may not be able to comply accurately with data requests. And it increases operational risk: when these systems fail or aren't supported, someone leaves, our operations might be disrupted significantly, and IT is not supporting those systems, so they can't necessarily help out with that.
B
I will just add, as you go to key finding three, that it was interesting, in a yearly review, in an annual review with our tax assessor department just late last week, Council Member Fletcher and I were in that conversation, and our assessor, Rebecca Malmquist, said that, you know, before the pandemic,
B
They had come to the conclusion that they would never be able to work in a distributed environment, that they would need to work in the office, and then, within a week, you know, were operating remotely and have been operating remotely given the pandemic. So that switch speaks to what you're saying, right, and how quickly some of these changes happened and some of the workarounds that people came up with in order to do their job effectively.
G
B
Yeah, Council Member Fletcher has a question or comment.
D
Thank you, Chair Palmisano. I appreciated the note at the end, Mr. Patrick, about this being something that existed as a risk before the pandemic. I think working from home has given people an occasion to explore new tools, and feel a little more permission to explore new tools, because they're problem solving for this new work environment, but it had been an ongoing conversation that I'd been having with IT,
D
with a couple of IT directors now, about the extent to which people weren't being given adequate tools to do the jobs they were trying to do, that our IT infrastructure wasn't keeping up with people's expectations of what it should be able to do, and therefore people were finding all kinds of creative workarounds.
D
I think this was also a theme of the communications audit, that we saw a proliferation of social media accounts that ostensibly represent the city in some form, but aren't centrally controlled, wouldn't necessarily have an administrative password available to IT if the employee who had set up the, that account left. So, so I think that, you know, there are significant risks associated with the slow movement of technology that have led people to seek alternative systems that are resulting, as Mr. Fisher fears, in data being stored in other cloud apps.
D
I know, just casually, a lot of city employees who can't sort of make heads or tails out of a consistent use of a fairly confusing implementation of a lot of Microsoft tools are just falling back on Google Docs, if that's what they're comfortable with, and obviously that, that exists on a server that's not administered by IT, and that was happening before everybody started working from home. You know, it's,
D
it's certainly something that I think we run the risk of: if we don't provide tools and training to help people use the systems that we set up, that have the kinds of safeguards and the kinds of storage, the kinds of data retention policies that we need to enforce, that, that people are gonna find workarounds and, and ways to do their job.
D
So I, I think in general, I, I would caution against over-interpreting this as a work-from-home problem, because I, I think there's maybe a broader problem of IT not keeping up with people's expectations of what we should be able to do with our technology infrastructure, both phones and data management generally, and we have an opportunity to catch up and limit that risk.
F
And I, I think a couple of, that, that raises a, a great point. I think kind of one key thing from the world of auditing is, if you're auditing a process and you see someone working and they're not necessarily following the policy, but what you observe is that person's process that they're, they're following is far more effective and efficient than what's documented.
F
F
People can't be non-compliant with the Data Practices Act, maintaining documents and whatnot in safe and secure ways, but as we, as we look at this issue and look at employees of cell phones and whatnot, it's important, yes, to recognize that if people are, are seeking out these tools, it's likely for some purpose.
F
And I think tied to the work from home more closely is employee use of cell phones. I mean, a lot of the stuff was happening prior. You're absolutely correct that these, these issues were happening long before everyone started to work from home, and the policies in those arenas may be a bit outdated and need, need updating.
F
E
Thank you to your problems. I don't know, and I think that Director Patrick just re-raised the issue that I was going to raise, which is we really do need to revisit the policies associated with this, and there may be specific things that we have to do, that maybe are a little less convenient, to maintain the security of the data and the devices and etc. and so forth. It may be that we have to move away from, you know, having personal devices, but the policy piece of it,
E
I think maybe hasn't, as I think Director Patrick mentioned earlier, hasn't kept up with the technology, and I just think we should reiterate the importance of, of that piece of this. So that's all, just a comment. Thank you.
E
B
F
I think absolutely, and it's, it's hard to keep pace with the rate of technology changes, but that's why it's important to have a good governance structure in place, because you're not, you're going to be able to update policy so quickly that you're keeping up with the rate at which technology changes. But if you have a very good structure and foundation for how you think about data governance, access to data and, and how you use systems, it can, it can bolster it even as, as technology changes.
F
There are no more questions, I'll move on to the next slide. So, key finding three: in conversations with department heads, we noted that there is some significantly aged infrastructure in key areas that really limit their functionality and presents both security risks.
F
It presents compliance risks and cyber security risks. So this outdated technology, that is outdated to the point of where it's unsupported by the vendors and systems that we're using, it just poses significant risks, and, and that aged infrastructure is, the risk is compounded in areas related to emergency management, also thinking about emergency communications. If there's, if there's significantly old equipment that is no longer working effectively and systems not working effectively in the realm of emergency management, if there's a crisis, it, it can have a profound impact on how we're able to respond to that crisis.
F
F
F
It's important to really recognize a couple of key points that affect how we do our work. One, obviously, is audit resources. We had a hundred employees, we could work with every department constantly and be running as many audits as we needed to, as we, as many as we wanted to, but, you know, we're a department in the city and we need to use our staff effectively and our resources for contractors effectively to hit those high-risk areas.
F
So, as we plan, while we may, you know, want to think about how we do work in the future, it's important to really recognize our resources and, and use those in an effective way. It's also important to think about prior audit coverage. We want to provide broad coverage to the entire city, right? We support the entire enterprise, so working in areas that we don't normally work in and, and making sure that everyone gets.
F
F
F
F
So, recommendations for related audits. So one, we need to address the control environment related to employee retention and burnout. So there's, the environment is, is currently experiencing profound impacts, and we need to look at the related controls that might help reduce the probability that it gets to a catastrophic state. Our key business partner in this is first going to be human resources, although I would say that this is an enterprise-wide issue.
F
So that's, we're taking some additional time to really hone in on exactly how we can be supportive of this, and credit to Director Ferguson. We've, we've had a number of great conversations, and I, I do anticipate having something on the plan in the very near future, after we really hammer out what that might be. To the next slide. So, second recommendation: we need to conduct a review of the processing controls related to work-related mobile phone usage.
F
I say work related, not work mobile phones, because we are using both personal and work-issued cell phones. We need to, we need to look back into that process: what current policy exists, how they're being used. This is just absolutely relevant right now and needs to be addressed. So our key business partner in this will likely be IT, and with the support of the city clerk.
F
We also need to review the processing controls related to departments' use of third-party software and applications. These are the shadow systems that I, I discussed in, in my prior presentation. Recognizing how they're impacting city work right now, it's, it's time that we review the processing controls related to those. Again, our key business partner is going to be IT, with support of the city clerk. Move the next slide. And the final recommendation is to work with the Minneapolis Emergency Communications Center to conduct an assessment of their system
F
architecture. We'll likely need a vendor to help with this. This is a pretty specialized field, but we certainly have a knowledge of the process of how to carry out this, but given its critical nature and impact on the enterprise, we'll likely use a vendor to assist with this, and our key business partner would be the Emergency Communications Center. Move to the next line.
F
So we also have two required additions to the audit plan. The first is, there was a court order, court agreement, that, part of the court order, the city agreed to use internal audit or independent audit to look at DVS systems, so the department of vehicle services systems, access and breach investigations.
F
So, specifically, access to the department of motor vehicles driver's license lookup, personal information lookup. There's significant rules related to how that's used, and in the past the city has been sued a number of times related to improper access to the DVS system, and, as part of this, this agreement, internal audit agreed to conduct an, an audit related to the process and controls the city implements for access to the system, as well as an audit of the investigative process used by the city to address DVS access violations.
F
So this is something that's required to be carried out this year and we intend to start that project shortly. The next is the biennial body-worn camera and automated license plate reader audit. So this is in compliance with state laws regarding BWCs and ALPRs. This is something you've seen in the past. They can vary in scope. I know not.
F
B
Director Patrick, I just wanted to mention, for my colleagues that might not know as much about, if you could go back one slide. The first bullet point on the previous slide: this is the first time that a judge has written into an order work for our audit department. So this is not something that this committee took a vote to decide to put on the work plan.
B
This is something that comes from a judge, and I think, as I worked with the city attorney on what that would mean for our city enterprise, that it really speaks to the role of internal audit in our city, and it certainly is, I think, an endorsement of the good work that our audit team has done in the past.
B
A
Sure bob tony I wanted to follow up on that. Like, I definitely think that that is remarkable, to say that the, to have a judge say the audit committee should be the one in charge, but I also don't want it lost that it also points to wanting to have, you know, more outside look, like a third party, and really the reasons for this committee looking at a department.
A
I think I am a little concerned that that was one of those issues, but I do, you know, definitely agree with you that this is the role of that committee, but I do think we need to keep an eye on that, just to make sure that we are asking departments to make those changes before being ordered by a court.
B
F
I was not able to find past examples of that, that happening, but I do think it's a recognition that internal audit is an important partner in assessing these types of issues, and, and I look forward to the opportunity to work on something that came about in a pretty unique way. So we're recommending four items be put on hold for the time being, so I don't, rather than remove them from the audit plan, as I think they're, I think they all have valuable components to them, just recognizing resources and what we need to address in the next six to eight months.
F
I think it's important that they be placed on hold for now. As we see how work progresses over the next year, we can, we can consider re-looking at some of these, but I think at least the GIS governance and IT general controls and some of the security incident event monitoring, some of this will be somewhat addressed in our, in our broader governance conversations, but it's, I,
F
I think we should leave them on the plan as on hold, but perhaps wait until we complete some of these other key risk projects before we address those. Move to the next slide.
F
Trying to hit every department in the enterprise every year in one big chunk doesn't necessarily make for the most in-depth opportunities to work with department heads. You get a lot of information and hear a lot of priorities, but it's a bit more of a drinking-from-a-fire-hose situation than is necessarily helpful for us.
F
This will keep us more agile if new issues are popping up. As long as we're in the room and having more opportunities to meet with people, we'll be hearing about these things closer to real time, and I think it will just make for a more in-depth, a conversation, and then, at the same time, when we're working with groups like that throughout the year, we can promote the idea of a department risk assessment.
F
So again, the park board did an excellent job on their, their department risk assessment. It's a comprehensive plan, and this is an activity that, with appropriate resources, departments might want to undertake themselves. When they're identifying their risks and creating their own risk assessments, we can validate their work and make sure that they're doing it appropriately, and we can rely on some of that information as we do our planning, but it really does, that exercise gets departments to think about risk and controls in a way that you might not in your normal.
F
But we will continue to provide the annual summary. So we can move to the next slide.
B
I just want to comment on that and see if maybe Mr. Fisher, who's been here on the audit committee for a while here with me, had any questions or concerns about that. I think this makes great sense, given both the size, the small size of our audit department and being able to do that work, and the idea of being able to be more thorough, thorough on a rolling basis, and also given that we've taken on as a committee the practice of, of having this audit plan be something organic that changes over time.
B
G
G
Palmisano, thank you for, for that comment. I've been one that has usually questioned our auditor, director of audit, whether staffing is at an appropriate level to meet the needs of the city. A year ago, I know that we had advocated for a new FTE and information technology audit manager, for instance. I don't believe that position has ever been filled, and now we're in a hiring freeze.
G
I certainly think that, Director Patrick, you are taking an appropriate approach: do this as best you can with the resources you have. But we do have to recognize, as an audit committee, that there are many risks in what the city is doing right now. There's a lot of pressure, and those risks need to be moderated as you go forward. I think you're doing that, taking a recruited.
G
To this, at the same time, we have to recognize that in the future, we're going to have to try to staff up in order to meet the demands of the city.
F
If I may add, the enterprise risk assessment is something that, it's very important, I think, for the people with institutional knowledge in the department, are my staff who have significant institutional knowledge. It really helps with the risk assessment when you do understand the enterprise and the operations taking place, so having both those relationships with department heads and people working in departments, that you're getting real feedback, is incredibly beneficial. So this is not, even though we do have money for, for vendors to help work with this,
F
this is, this is an area where it really requires kind of the personal touch of city staff, and it's, it is a lot of work to do well. That's why I want to encourage departments to undertake some of it themselves, because, yeah, with four people, it's very challenging to get into the level of depth that one might want for the enterprise risk assessment.
F
So, moving on. I'm sorry, did I cut somebody up? Moving on to the next slide. This is our proposed, this is part of our proposed 2021 audit plan. It's, it's spread across several slides, because it's very ambitious. So, first thing, noting that we have two audits currently in place.
F
There are two projects currently in place: the field training officer program special project, that we, you'll get an update on that a bit later in the meeting, and, you know, primarily we're focused on the risk assessment today, but you'll have a fair amount of updates, and then we're beginning and moving into field work on the city attorney post-lawsuit process improvement projects. So those are both in progress now. We're also going to be starting the mentioned.
F
F
The larger, a project that's going to take a significant amount of time that was on the audit plan. We'd also like to start the directed activity data analysis from past meetings. Then, quarter two projects: you'll see data governance and personal work, personal and work-issued cell phone policies and controls. So that policies and controls related to cell phones is, is the new add. Data governance has been on the plan, but the two are tied closely together.
F
The consultation on data governance of the city with IT and the city clerk's office is really critical, and I think we have a lot of work right now that is going to dovetail nicely with one another, and that is certainly true for those two. In quarter three, you know, we wanted to start kind of some of the look back at how cities complied with their own COOP plans and how COOP plans worked effectively in our COVID phase 3 project, and I think, some of, when we initially thought we'd start
F
that project was based on an, perhaps a naive idea that the pandemic would be winding down at this point. But we know that's certainly not the case, and it's
F
obviously longer before it makes sense to really look back at how those things played out and do, do comprehensive audit work related to it. But also in quarter three, we'd like to begin our project, a new one, related to the 911 architecture analysis. That's a new add. Go to the next slide.
F
So, also quarter three: third-party software systems using controls. That is an add we would like to do at that point, along with the biennial body-worn camera and ALPR audit. We do, we do have our resources available to us for, for contractors, and I imagine they'll be helping out with the last three projects that I mentioned. Is, it does involve a fair amount of cyber or IT knowledge, and, like you mentioned, Mr. Fisher, we don't, we don't have an IT auditor currently on staff, but we can,
F
we can hire a consultant for those. And then the remainder of the projects: affordable housing, equity and post-hire to separation process. I moved this one back again, because the data related to employee separation in the police department right now is, I don't know if the last year reflects what would normally happen in the police department, and looking at the reasons why people were separating the last year compared to three years ago compared to what might be the case two years from now,
F
it may not be the most illustrative example, but perhaps in quarter four, we can begin that with a bit more normal of a data set. It's good that we're, I think we took a bite out of this issue in looking at the field training officer program, so I didn't want to abandon this, this concept altogether.
F
The field training officer program is, like, the one of the last important parts of the hiring process, but also the person's an employee at that point, so that was not covered in the phase one project but would have been covered in phase two. So we've taken a smaller bite out of that project, but plan to continue to address it. And then also revenue and collections.
F
Things have been definitely challenging over the past year, as things have gone remote. So it's going to be worthwhile to hold off on that for the moment, and hopefully things resume a more normal pace and we can look back both at how it occurred and the controls related to whatever new environment that we're facing. If there's one thing I've learned in the past years, just expect the unexpected.
F
So what we're facing moving forward, and maybe have a bit better understanding of what the, what the world is going to look like moving forward after that. And then again, we have these projects on hold. I would note that this is a, a very ambitious audit plan. I don't, I, it's possible that we don't get to all these projects this year.
F
We need to devote the attention and time to them to make them very quality projects, and while I have dates on, on these, quarters specifically, I think it's worth noting that we will continue to try and hit those target goals, while recognizing the fact that audit work has been a bit more challenging to conduct in the current environment. We have a lot going on around the city, so those are, those are, you know, dates
F
we would like to begin these process, these projects, but we will have to address that as resources and, and risk events necessitate. The other, yeah, so that, that is the proposed audit plan. It's a bit different. In prior quarters, or prior audit meetings, what we were doing was redlining the audit plan and adding and removing, but just based on, on one plan. Given that we've just performed the enterprise risk assessment,
F
what I've provided is a clean copy of the audit plan. It has, I, I've described what's being placed on hold and what's being added, but rather than redlining the old plan, starting afresh with this new, new audit plan as proposed.
B
Thank you, Director. So this is, this is also the whole 2021 risk-based integrated audit plan part of the presentation, right? So this would be, I would invite any more discussion as people might have it, but then I would be looking to both receive and file the enterprise risk assessment and then also approve this audit plan. Are there any other questions or comments or discussion from the committee members?
G
F
Chair Palmisano and Committee Member Fisher, yes, we are, part of our audit work, and you'll see this later in the auditor update, we are always working on our continuous monitoring projects, so the sexual assault kit project has been in continuous monitoring and you'll get an update on that, and we're always working to try and close open audit issues. So that is an ongoing business function for us and you'll continue to get those at every meeting. I mean it.
F
B
B
B
F
I do, and we will roll right into the auditor update and go to the next slide.
F
So again, the contents of this presentation will be, we'll discuss our completed and in-progress audit work right now, and I'll also kind of describe the other activities going on in the background, because there are other projects that, that audit is working on right now that do impact staff time and are worth, worth noting, but provide brief updates on the field training officer special project and the post-lawsuits process improvement.
F
So, one more, sorry, one more after this, we have a lot of header slides. So again, in June, we performed our police-related risk assessment and modified our plan to include projects specifically related to the police department, and the field training officer program ranked high in the list of potential projects.
F
It's, again, that first opportunity where someone's riding around with a field training officer in the field, new, new officer in training, potentially ready to hit the streets, and then also the events of last summer increase scrutiny of the FTO program, leading to a greater interest in it. We can move ahead a slide. So we agreed upon procedures.
F
I think one of the biggest chunks of this process is all the interviews that we're conducting. There's a lot of documentation, but really talking to the people who are involved in the program, both the sergeant, lieutenant working in the, the training unit, the officers themselves who are out doing field training, the sergeants, and then the, the officers in training. So the FTOs and the officers in training, doing in-depth interviews using a random selection process has been extremely beneficial. People have been very forthcoming and we've learned a lot from those meetings.
F
I think we will have, continue to have these follow-up discussions with management as we complete our field work section and finish reviewing data, but I would note the project is, is running well. We've, we've received a lot of participation and it should be an interesting report when it's completed. Move to the next one, and keep going. So this one, the post-lawsuits process improvement, was on, on our plan again, and this is specifically reviewing when the city faces a judgment,
F
either a settlement, loses, loses in court, whatever it might be, what insight do we glean from that, and how do we use successful, unsuccessful settlements to address control gaps and prevent future similar incidents from occurring? So are we, as a city, effectively mitigating risk using the data that we're continuously getting based on lawsuits? And our scope is, again, reviewing the documentation.
F
It's a significant amount of it, and then looking at the processes in place to ensure that the departments themselves are, are taking lawsuits into consideration in modifying their controls and policies, and then verifying how departments are responding to that information, and selecting lawsuits to determine, we need, we need to trace, after a lawsuit, trying to trace what happened in response to that lawsuit.
F
So our scope memo is completed. We've been holding planning meetings with the city attorney. It's been well received, they've been very receptive. Our final scope memo is out and we are sending our initial document requests this week and beginning field work, so that project is currently underway.
F
So there are, there are a couple of other audit-related items that I think are worth noting right now. One is the, we've been working on the after-action review related to last summer's civil unrest, so we've been working, selecting a vendor, getting them prepared.
F
I would note the next step in that, the, the approval of the contract, is pending for Wednesday, so that, that work should begin shortly. But that's, you know, necessitated staff time in the background to complete that, along with our normal audit issue follow-ups and whatnot. So that is the other big project that audit will be tangentially involved in. A vendor is doing that. It's a truly outside independent look, but we, serving as a contract manager, will be helping kind of make sure that that process happens efficiently and effectively.
F
I
Thank you, Chair Palmisano, members of the committee. So here's just a brief prior audit issue, kind of, we always do. So just to note, we have seven that are open, nine that we marked as overdue, and then twelve that we're currently validating progress. But I like to point out that we have seven that we were able to close out since our last audit committee, and then we're kind of touching the details on a couple slides here. For the next slide here, I, I, I'm trying to better, for some of these older audit issues, kind of direct them to the right resource or the right function, for ish, or instance, a number of them were IT related, so kind of, instead of being related to, I'm under finance or police department, kind of making sure that we're talking the right people in IT to kind of get the updates and make sure that they are being worked on kind of appropriately. On the next slide,
I
here, here's just a summary of the seven that were able to close out since the last audit committee. Six of them were in finance. We've been working closely with Lori Johnson and her team to kind of get these, making sure that we're making progress on them. So the first one was related to MPD third-party audit, and then the last ones were more recent ones from our payroll audit issues and their grant management and gift card audits in 2019. And then on
I
the next slide here is just kind of a regular open, overdue audit issue detail. So we've been continuing to discuss with IT specifically a number of these, as well as with the, kind of the police department on kind of these open status, open audit issues, as well as kind of making sure that these overdue ones are being kind of remediated. Like to point out that you can,
I
we expect a number of these to be kind of close to being able to be closed, or kind of immediately before the next audit committee, as we continue to kind of discuss with them on what needs to be done. And the next slide here is just kind of a regular validation-in-progress ones that we've also, ones that were absolutely received. Report and listening to finishing our work and kind of making sure that they're closed out. And then on the next slide,
I
it's just kind of, we do have two yet, two audit reports that non-public that we do have open audit issues for, related to IT issues, that, as I said, we've kind of been working with IT closely on some of these to make sure that, and we kind of anticipate before the next audit committee a number of these to be updated due dates or kind of good to close out, continuing as we continue to move along on our work and throughout these.
I
J
J
J
H
Good morning chaired members. I was asked today to speak about our current auditing of neighborhood organizations and how we assess your risk factors. So some of those risk factors are staff and board turnover, previous auditing issues, reimbursements that the neighborhood organizations submit to the City of Minneapolis and we deny for inappropriate charges,
H
community feedback, both with community members, board members and staff of organization, and then what we've instituted in the last year and a half, year and a half, two years, is actually, is an internal risk assessment by all of the NCR neighborhood specialists, our contracted third-party auditors, as well as the internal auditors department. Next slide, please.
H
So when a neighborhood request for reimbursements, they're reviewed by Bob Cooper and dfd's team and then the neighborhood specialist assigned to that, to that neighborhood. We, if we have questions or something seems out of the ordinary, we ask for descriptions of the reimbursements, and then, if it doesn't seem to align with previous expenditures or requests, we request additional verification.
H
It should be noted that about 95 of all reimbursements requests are, are continuing, they're the same as, as previous requests, because it's, it's a kind of a static operation by neighborhoods. Next slide, please.
H
So all of our requests have to be in line with state NRP law, City of Minneapolis ordinances, program descriptions, legal opinions, contract terms, and then again, previous reimbursement requests. NCR also provides training to staff and boards on what is an acceptable expenditure, and then, on top of the city, the city of reviews, each board has an expectation that they would actually, they would take a look at their expenditures to make sure that they're in line, in their, there's no malfeasance that go along with that.
B
H
H
H
How is the information being distributed to community members, and then really to, to use what we learn to see if there's actually any risk factors, and again, 95 of the time there are no issues. It's a lack of communication or a lack of transparency within the neighborhood that we ultimately advise them to correct.
B
J
Next slide, please. ness is a sexual assault examination kit update. Between November 2019 and December 2020, 268 kits were tested by BCA out of 1758 identified kits to be tested or for further as evaluation, so research. Recently, the testing has increased due to the second scientist added to the project, and the MPD management, with the grants they've received, is working with BCA to add more scientists to increase the pace of the testing.
J
B
B
Seeing any questions about this right now? I do want to mention that I think the dates on the previous slide were off by, just by a year, just a mistake on the slide, not about the work. I'm not seeing any questions or comments. Mr a lady.
F
Sir think, just a couple of things to note. In an interesting twist, Commander, then Lieutenant, Horn, who you may remember from our prior sexual assault kit work, has been moved to the training unit and is now Commander Horn, and we will be working closely with her as the FTO project winds up.
F
So she just can't escape the auditors, but she's been great to work with, and I look forward to continuing that work as we close out the FTO special project. With that, that is the auditor update that we've created. Again, my team, thank them so much. They've done a lot of great work over the last quarter and I'm very thankful for their assistance, thankful for the audit committee and all the thoughtful questions you've had today as we incorporate that into our ongoing risk analysis.
B
B
B
I did want to point out, and I've put a link in the meeting chat to our Charter Commission. You know, if you go to our city website and look up our calendar and see the work lately of the Charter Commission, they've been up to quite a lot, and one of the new subcommittees of the Charter Commission has been about having a number of conversations across the city enterprise about government restructuring in their current, in their most recent draft of potential changes to the city charter on government restructuring.
B
Just last week they published a draft two, and I wanted just to mention that here, because it does bring audit into a charter committee, or sorry, a charter department, and really flushes out audit in a new way in our city, and there's a lot of unknowns yet. This is a very preliminary draft and the timeline on which the Charter Commission is considering.
B
This is, they've basically outlined all of February for drafting and changes to what people, what the kinds of feedback that they've been getting from people, both internally and externally, outside the city enterprise.
B
It does relate to audit in a lot of ways. I'm going to ask if they would be willing to speak directly with our director of internal audit about it, because they haven't yet. So again, there's a lot of unknowns, but I think that maybe this could stimulate some conversation about it, probably offline, amongst members of our audit committee. Director Patrick, was there anything you wanted to mention about the Charter Commission's efforts, as it relates to audit thus far?
F
I'm happy to be involved in the discussions. It, you know, I'm getting up to speed on it. I think audit has a lot to provide input on related to it, and I'm excited about the opportunity to look at how audit can provide more comprehensive coverage to the City of Minneapolis. I think again, it's very preliminary. I anticipate this being a fair amount of work for us just to really understand it and provide the kind of quality input that you need on this project, but again, excited about the opportunity.
B
Yeah, thank you. I wanted to clue in my other committee members at the beginning of that discussion, instead of as things continue to move on in drafting with the Charter Commission. So thank you. Seeing no further business before us and without any objections, I will ask the clerk to receive and file those announcements and also declare this meeting adjourned.