►
From YouTube: February 7, 2022 Audit Committee
Description
Additional information at:
https://lims.minneapolismn.gov
B
I'm
going
to
welcome
the
new
members
of
this
audit
committee,
specifically
our
new
park,
commissioner
kathia
bene
as
well
as
my
new
council
colleagues,
council
members,
payne,
chug,
thai
and
koski.
At
this
time.
I
will
ask
the
clerk
to
please
call
the
role
so
that
we
can
verify
a
quorum
for
this
meeting.
C
B
B
B
Could
I
have
a
motion
to
adopt
that
agenda
accordingly,
so
moved?
Second,
thank
you
that
was
moved
by
committee
member
fisher
and
seconded
by
council
member
payne
I'll.
Ask
the
clerk
to
call
the
roll
on
that
motion
to
adopt.
C
B
D
D
B
There
are
six
eyes
thank
you
next,
we'll
move
on
to
new
business
and
take
items
five
and
six
first,
due
to
a
scheduling
conflict
for
our
city
clerk.
Colleagues,
as
you
know,
the
committee
structure
has
changed
pursuant
to
our
recent
election
last
november,
and
now
the
structure
of
audit
committee
will
end
up
living
in
charter.
B
There
are
several
changes
forthcoming
and
we
know
that
we'll
be
doing
there's
a
lot
of
work
to
be
done
till
we
structurally
get
to
that
point
with
us
to
help
give
us
a
report
and
ground
us
in
that
is
our
city
clerk,
casey
carl,
to
help
us
understand
how
we
will
be
recon
reconstituting,
reconstructing
the
independent
audit
committee.
Mr
clerk,
thank
you
for
being
here
and
thank
you
for
presenting.
E
To
us
absolutely
thank
you,
madam
chair
and
good
morning
to
the
committee
members.
As
noted,
my
name
is
casey
carl.
I
have
the
privilege
of
serving
as
the
city's
clerk.
The
first
item
I'm
bringing
to
committee
today
is
a
proposed
directive
to
your
auditor
that
would
align
with
the
directive
that
was
issued
to
both
the
auditor
and
me
by
the
city
council
this
past
december,
which,
as
your
chair
noted,
was
the
result
of
the
voter
approved
change
in
government
structure.
E
So
this
is
essentially
elevating
the
role
of
the
audit
committee
and
its
independent
nature
within
the
city's
constitution.
The
charter
is
simple,
essentially
functioning
as
a
constitution,
it's
codified
under
article
4
in
section
4.2
g.
E
The
amendment
also
prescribes
that
not
more
than
half
of
the
audit
committee's
members
may
be
council
members
or
individuals
who
have
ever
served
as
members
of
the
city
council.
So
to
be
brief,
and
just
say,
the
the
proposal
here
is
to
direct
your
auditor
in
conjunction
with
work,
I
noted
was
already
being
done
to
examine
how
legislative
departments
and
legislative
audit
functions
are
configured
in
select
peer
jurisdictions
given
by
the
council
last
year.
E
We
wanted
to
include
an
examination
of
how
audit
committees
in
those
jurisdictions
also
are
formed
and
created
and
operate
so
that
we
could
glean
any
insights
or
ideas
that
might
be
relevant
to
our
work
here
in
minneapolis,
in
creating
a
new
structure
for
the
independent
audit
committee
and
its
operation
going
forward,
I'm
happy
to
respond
to
questions.
Otherwise.
I
would
defer
any
additional
comments
to
mr
patrick
that
he
may
have
as
well.
F
Thank
you,
chair
palmisano,
and
thank
you,
mr
carl,
I'm
looking
forward
to
undertaking
this
work.
What
we
have
before
us
right
now
is
a
real
opportunity,
and
I
am
absolutely
capable
and
willing
to
take
on
this
staff
of
direction.
G
F
Yes,
vice
chair
fisher,
we
have
been
doing
some
work
in
the
background,
as
this
was
also
a
staff
direction
that
was
provided
by
council
to
the
clerk's
office
and
and
other
city
members.
So
we
have
been
doing
some
work,
this
isn't
out
of
the
blue
and
that
will
allow
us
to
kind
of
hit
the
ground
running
with
the
staff
direction.
From
an
audit
perspective,.
F
G
Thank
you
very
much.
Okay,
I'm
satisfied.
B
Thanks
are
there
any
other
questions
from
my
fellow
committee
members
or
others
on
the
call,
I'm
not
seeing
anyone
in
queue
I'll
just
reiterate
that
these
things
seemed
most
important
to
appropriately
give
direction
from
this
committee
to
our
auditor
and
it
kind
of
separates.
There
was
another
staff
direction
given
at
council
late
last
year,
and
this
one
most
appropriately
comes
from
this
committee
to
ask
the
auditor
for
some
recommendations,
so
that
suggested
staff
direction
is
printed
on
the
agenda
today,
and
could
I
entertain
a
motion
accordingly
for
the
direction
that's
on
the
agenda.
B
Thank
you.
It
was
moved
by
committee
member
fisher
and
seconded
by
committee.
Member
singleton.
I
think,
let's
see
I'll,
ask
the
clerk
to
please
call
the
role
on
committee
member
fisher's
motion
to
direct
city
clerk
and
internal
auditor
to
research
and
report
back
recommendations
to
restructure
the
audit
committee
consistent
with
the
changes
made
under
charter
amendment
number
184
recommendations
should
be
reported
back
early
enough
to
enable
the
audit
committee
to
evaluate
and
submit
its
recommendations
for
informed
policy
making
by
the
city
council
in
revising
applicable
sections
of
the
municipal
cold
code.
B
E
Thank
you
again,
madam
chair,
similar
to
the
previous
item
restructuring
the
audit
committee,
the
voter
approval
of
charter,
amendment
number
184,
elevated
and
expanded
the
position
of
internal
auditor
now
retitled
city
auditor.
That
position
assumes
a
primary
responsibility
not
only
for
the
continued
function
of
internal
audit,
but
also
for
expanded
functions
tied
to
legislative
post,
audit
reports,
policy,
research
and
analysis,
work
consultation,
as
well
as
support
for
the
council's
legislative
oversight,
functions
in
evaluating
the
performance
of
the
city's
enterprise.
E
The
proposal
I've
put
before
the
committee
with
your
approval,
madam
chair,
is
to
direct
the
clerk
in
consultation
with
the
city's
human
resources
department
to
complete
the
work
and
to
incorporate
any
feedback
or
recommendations
from
this
body
in
that
work.
Obviously,
the
work
of
creating
the
actual
position,
which
includes
the
necessary
grading
classification,
compensation
and
related
matters,
is
something
for
the
city
council
to
do,
however,
because
this
body
is
the
appointing
authority
for
that
new,
elevated
and
expanded
position.
E
I
wanted
to
begin
with
the
directive
from
this
body
and
would
also
obviously
want
to
collaborate
with
the
committee
as
we
proceed
with
the
work
of
reconstituting
the
important
position
of
city
auditor
within
the
city
enterprise.
I'm
happy
to
respond
to
questions
madam
chair,
but
request
the
committee's
favorable
action
on
this
request.
B
I'm
not
seeing
any
right
now.
Are
we
ready
to
make
a
motion
accordingly.
G
I
will
move
here
comes
now.
I
will
move
the
city
audit,
reclassification
motion.
I
B
C
B
F
Thank
you,
chair,
palmisano
and
good
morning,
audit
committee
members,
I'm
going
to
be
talking
through
the
2022
enterprise
risk
assessment
today
before
I
do
so.
I'd
like
to
just
formally
thank
my
team.
F
If
you
recall
from
the
last
meeting
we're
operating
down
one
staff
member,
so
travis,
comm
and
common
alley
day
really
helped
with
this.
A
small
team
of
three
people
conducting
an
enterprise
assessment
is
a
pretty
massive
undertaking
and
they
stepped
up
and
did
an
outstanding
job.
I
note
that
we're
in
the
process
of
hiring
two
more
staff
and
we're
in
the
final
phases
of
that
so
hopefully
we'll
have
more
hands
on
the
work
in
the
very
near
future.
F
F
What
we
are
doing
during
the
risk
assessment
is
our
independent
assessment
of
how
our
processes
at
the
city
control
and
prevent
risk
events
from
occurring.
We
use
that
to
identify
the
audible
programs
within
the
city
and
the
risk
areas
we
experience,
and
this
is
what
allows
us
to
efficiently
deploy
our
audit
resources.
The
work
that
audit
does
is
based
on
risk.
Everything
that
we
do
is
centered
around
risk
and
adding
value
back
to
the
city
by
making
sure
that
these
processes
that
prevent
risk
are
functioning
in
a
healthy
manner.
F
The
next
slide,
the
framework
we
use
comes
from
the
in
internal
auditors
professional
practices
framework.
That's
that's
issued
by
the
institute
of
internal
auditors.
It's
an
internationally
accredited
standard.
We
consider
key
strategic
operational
compliance,
financial
I.t
risks,
fraud
and
others.
So
these
are
the
major
categories.
F
If
you
look
in
the
report,
you'll
see
definitions
for
each
of
those,
but
obviously
each
are
critically
important
and
and
we're
using
those
key
categories
as
we're
assessing
risk.
The
way
we
carry
this
out
is
a
combination
of
interviews,
surveys,
industry,
research
and
prior
audit
findings.
We
did
a
massive
number
of
interviews
for
this
project.
We
sent
an
enterprise-wide
survey
to
identify
risks
that
we
might
not
get
out
of
interviews
and
to
also
supplement
our
information
that
we
got
from
interviews
and
then
also
there's
a
lot
of
industry
research.
F
We
include
all
city
of
minneapolis
programs,
along
with
the
park
and
recreation
board.
We
consider
the
budget
of
the
program,
the
nature
of
the
activity
and
prior
audit
coverage.
We
want
to
make
sure
we're
providing
enterprise
coverage
so
that
each
program
is
getting
some
level
of
attention
from
audit.
F
Obviously,
that's
not
possible
with
the
size
of
the
staff
to
hit
every
program
within
a
year
or
a
couple
year
period,
but
we
want
to
make
sure
that
we're
providing
broad
coverage
for
the
entire
city
and
we
rate,
risks
in
terms
of
likelihood
severity
and
velocity
likelihood
being
the
the
probability
of
an
event
happening
severity.
How
much
of
an
impact
would
it
have
on
the
city
if
it
were
to
occur
and
velocity?
F
How
quickly
is
the
nature
of
the
risk
changing
over
time
and
as
things
as
we
write
things
higher
a
high
likelihood
high
severity
high
velocity
event?
That's
something
that
deserves
audit
attention,
whereas
things
on
on
the
lower
ends
of
the
spectrum
we
may
want
to
cover,
because
we
provide
that
enterprise
coverage,
but
not
as
regularly
when
we're
planning
our
audit
plan.
We
do
consider
mitigation
efforts.
F
So
if
we
work
with
the
department-
and
we
see
that
they
have
strong
internal
control
processes,
a
risk
management
team
things
like
that,
then
we
are
less
likely
to
need
to
do
as
much
audit
work,
because
that
department
is
doing
a
lot
to
reduce
the
inherent
risk
and
the
keeping
things
at
a
healthy
level.
And
of
course,
we
can't
eliminate
risk.
F
F
F
Look
at
those
objectives
and
making
sure
make
sure
that
they're
doing
their
own
activities
to
mitigate
risks
and
monitoring
outcomes,
making
sure
their
own
programs
are
functioning
in
a
healthy
way.
So
it's
our
goal
to
foster
that
internal
risk
assessment
process
and
we
will
consult
with
departments
like
we
did
with
the
park
board
on
performing
their
own
internal
risk
assessments
as
they're
they're,
directly
connected
to
the
work
and
oftentimes
of
the
best
understanding
of
the
things
that
they're
likely
to
experience.
F
So
that
will
be
an
ongoing
goal.
As
long
as
audit
exists
is
to
foster
those
internal
risk
assessment
programs,
I
will
pause
for
any
questions
about
the
methodology.
Otherwise,
I'll
move
right
into
key
findings.
B
G
Thank
you
chairman.
A
direct,
accurate
risk
is
a
term
that's
used
throughout
the
report,
and
I
appreciate
the
advanced
nature
of
the
assessment
that
you'll
be
doing
as
you're
aware.
I'm
sure
that
risk
comes
in
different
forms.
There
is
what
I
call
the
smoldering
type
of
risk.
That
is
something
that's
kind
of,
but
suddenly
blows
up.
There's
are
sudden
types
of
risk,
that
is
those
that
aren't
anticipated
and
are
new
and
then
there's
basically
something
the
catastrophic
crisis.
F
Yes,
vice
chair
fisher,
we
do
look
at
those
those
types
of
risk.
I
would
say
the
smoldering
risk.
That's
always
present.
We
would
call
that
kind
of
a
high
probability,
perhaps
low
severity
event.
The
kind
of
second
category
that
you
talked
about,
something
that
pops
up
and
and
something
that
we
weren't
necessarily
anticipating,
could
be
a
high
velocity
event.
F
F
Anything
that
would
be
could
potentially
prevent
a
department
or
a
program
from
achieving
its
goals,
but
we're
considering
those
those
different
types
of
events,
all
the
way
from
things
that
are
a
relatively
stable
risk
environment,
even
though
a
high
amount
of
risk
occurs
versus
things
that
are
new
and
emerging,
and
that's
where
those
conversations
with
department
heads
as
well
as
industry.
Research
is
really
important
as
we're
thinking
about
things
like
supply,
chain
disruptions
and
things
of
that
nature.
I
F
Thank
you
for
the
good
question,
commissioner
ebene
I'll
I'll
talk
briefly
about
audit
structure
and
it's
pretty
unique
in
the
city.
We
sit
outside
of
the
normal
organizational
chart
and
report
directly
to
the
audit
committee.
So
our
work
flows
through
the
audit
committee.
The
audit
committee
provides
direction
and
then
we
do
our
assessments,
knowing
that
we
don't
report
up
through
the
normal
chain
of
command.
F
That
gives
us
the
independence
to
report
back
on,
perhaps
unpopular
audit
findings
and
and
keep
the
legitimacy
of
the
organization
intact,
because
we
aren't,
we
aren't
concerned
about
the
same
normal
reporting
requirements.
So
if
you
look
at
the
city,
organizational
chart,
you'll
see
us
kind
of
off
on
the
side.
We
don't
report
directly
to
council,
we
report
to
this
disappointed
body
and
and
that's
how
that's,
how
work
flows
up
and
and
staff
directions
are
given.
I
I
think
that's
that's
what
I
wanted
to
know.
Thank
you
so
much.
G
Thank
you,
chair
pop
style
director.
Just
one
last
question
does
do
the
assessments.
This
is
probably
more
of
the
action
plan,
so
I
might
be
getting
together
myself
a
bit,
but
do
the
assessments
that
are
being
done
on
risk
working
with
the
individual
departments
include
an
assessment
of
training
of
individuals
and
how
to
monitor
and
implement
risk
management
practices.
F
Thank
you
vice
chair
fischer,
I
training.
I
would
look
at
as
a
one
type
of
control
within
a
department,
so
effective
training
is
a
control
that
reduces
the
risk
of
let's
say,
operational
non-compliance.
F
Bad
training
means
that
people
don't
follow
policies
or
aren't
aware
of
them.
So
I
would
consider
that
a
control
and
as
we're
doing
our
enterprise
risk
assessment.
We
are
looking
around
the
city
and
looking
at
areas
where
there
are
risks
and
then
in
an
audit
we
would
probably
evaluate
whether
their
controls
were
functioning
in
a
healthy
manner.
So
we
might
not
assess
the
training
program
within
the
risk
assessment,
but
if
we
were
to
deem
it
relevant
to
a
high
risk
area,
then
training
would
be
a
thing
we
might
audit.
F
D
Thank
you,
madam
chair,
and
a
question
for
you,
director,
patrick,
how
does
audit
and
the
open
data
practices
law
intersect,
especially
when
it
comes
to
your
independence
and
access
to
data
necessary
to
conduct
your
assessments.
F
Do
you
mean
how
do
we
receive
data?
I
can
say
that
our
audit
reports
are
published.
We,
unless
there
is
a
security
reason
for
us
to
not
not
publish
something
we
didn't
bought
it
last
year,
a
review
of
emergency
communications,
risk
assessment
and
infrastructure
analysis
that
contain
non-public
information
and
therefore,
that
report
isn't
isn't
published
everything
else
that
we
do
is
published.
We
that
that's
an
important
part
of
our
own
audit
standards
is
to
make
sure
that
our
our
findings
are
publicly
accessible
and
that
people
are
aware
of
what
we're
doing
for.
D
F
Understood
committee
member
payne,
we
in
in
our
ordinance
and
in
charter,
have
free
full
and
unrestricted
access
to
information
necessary
to
conduct
our
audits.
It
doesn't
mean
that
we
generally
have
blanket
access
to
everything,
but
if
we
are
performing
audit
testing
or
doing
audit
work
as
it
relates
to
our
normal
business,
we
would
have
free,
full
and
unrestricted
access
to
that
information,
and
that
includes
people
places
and
things.
H
Thank
you,
chair,
promisano,
director,
patrick,
are
the
results
of
the
risk
assessment,
shared
citywide
with
other
departments,
and
I
guess
I'm
thinking
particularly
for
risks
that
are
identified,
that
don't
necessarily
make
it
into
the
annual
work
plan.
Are
those
just
the
fact
that
there
are
certain
areas
of
high
risks
that
that
the
department
doesn't
have
time
to
take
on
in
that
year?
Is
that
information
conveyed
across
the
enterprise.
F
Committee,
member
singleton,
that
information
is
conveyed,
so
we'll
do
some
follow-up
check-ins.
After
the
risk
assessments
published,
it
will
we'll
communicate
back
with
the
parties
who
who
are
specifically
identified
and
people
who
the
risk
assessment
I'll
note,
not
every
item
on
the
risk
assessment
leads
to
an
audit
or
a
consultation.
There
are
areas
that
we
just
cannot
cover,
based
on
our
workload
and
and
other
things
that
are
happening
at
the
city,
and
so
we
do
convey
that
information
back.
F
We
don't
publish
necessarily
every
risk
that
we've
heard
from
every
party,
but
we
do
regularly
communicate
with
the
relevant
oddities
and
and
those
around
the
city.
What
what
we
would
consider
a
healthy
risk
environment-
it's
not
our
job
per
se
to
control
risk
that
that's
really
up
to
management
and
so
giving
them
feedback
on
where
we
see
risk
is
important.
I
Thank
you
one
more
follow-up
question,
just
as
I
sort
of
frame
this
all
in
my
mind,
so
the
the
risk
assessment
model
for
audit
isn't
isn't
something
I
was
sort
of
prepared
to
to
really
know
about.
Before
joining
this
committee,
it
seems
that
it's
mostly
been,
I
think,
often
a
financial
or
a
model,
but
that
that
I
think
this
is
a
very
interesting
model
for
this.
Does
the
city
also
have
a
risk
management
department
and
is
that
a
separate
function
here
completely.
F
Committee,
member
of
any
that
we
actually
an
internal
audit,
don't
we
do
some
financial
testing
and
we
do
financial
controls
testing,
but
our
our
mission
as
internal
audit
is
less
focus
on
finance,
but
more
so
focus
on
the
entirety
of
the
enterprise.
So
most
of
the
audits,
we
do
don't
involve
financial
controls,
testing
part
of
the
reason
for
that
is
we.
The
state
auditor,
does
review
our
financial
statements
for
compliance
and
and
things
related
to
appropriate
grant
management
in
some
aspects,
as
they
pertain
to
state
and
federal
grants.
F
So
there
there
is
financial
tests
that
are
occurring
at
the
state
level
for
the
city.
When
we
do
work
with
finance
and
other
departments,
we
do
our
own
testing
and
risks
there
are
are
identified.
We
do
have
two
two
teams
within
finance
that
are
relevant
to
your
question.
One
is
we
have
an
internal
controls
team
that
is
regularly
reviewing
and
testing
key
controls
in
in
financial
in
in
finance
and
how
the
city
allocates
resources.
Spends
money
receives
funds.
F
So
there
is
that,
and
there
is
a
we
have
a
risk
manager
within
finance
as
well
who's
looking
also
at
risks,
particularly
as
they
pertain
to
finance,
but
also
has
some
some
broader
authority.
We
don't
have
a
risk
assessment
committee,
yet
I
understand
that
that's
a
possibility
in
the
future
and
audit
would
have
some
role
to
play
in
that.
F
But
perhaps
the
reason
you
don't
see
finance
pop
up
as
frequently
on
our
audit
plan,
as
you
might
in
some
other
jurisdictions,
is
because
we
do
have
a
internal
controls
team
that
we
regularly
work
with
and
a
risk
manager.
You
don't
see
that
in
in
every
department
and
so
departments
who
don't
have
their
own
teams
like
that,
may
be
more
prone
to
risk
because
again,
those
are
control
processes
within
the
department
that
help
lower
inherent
risk
to
a
healthy
level.
B
And
thank
you
for
asking
that
question.
That's
an
important
grounding
for
everybody
on
this
team,
and
it
didn't
occur
to
me
that
that
wasn't
something
that
we,
you
know
that
we
were
all
grounded
in
just
yet,
but
that's
an
important
distinction
and
what
is
one
of
the
things
that
makes
our
internal
audit
work
in
the
past,
maybe
a
little
different
and
important,
and
as
we
move
into
the
future
with
also
a
legislative
audit
function,
I
think
it's
really
interesting
as
to
the
places
this
can
go.
B
All
right,
mr
patrick,
were
you
done
with
that
presentation?
Oh
no,
you
were
yep
you're
at
the
slide.
Go
ahead.
F
We're
getting
to
the
good
stuff
now
the
key
findings
and
thank
you,
everybody
for
the
excellent
questions.
Sometimes
the
concept
of
risk
assessment,
I'm
familiar
with
it
at
this
point
and
forget
to
cover
it
in
the
reasons
for
it
in
more
detail,
and
I
I
really
appreciate
those
clarifying
questions
so
now
we'll
move
on
to
key
findings
and
I'll
note
again
that
not
every
risk
we
heard
is
covered
in
the
key
findings.
These
are.
F
These
are
some
of
the
the
highest
highest
risk
things
that
we
perceive
at
the
city
and
some
with
with
little
control.
So
I'll
talk
through
the
key
findings
and
I'll
talk
through
some
other
risks
that
you
don't
necessarily
see
detailed
in
here
and
the
reasons
why
they're
not
detailed,
and
then
this
will
inform
you'll,
see
throughout
the
audits
that
we
are
recommending
for
the
2022
rolling
audit
plan.
F
So
just
broad
categories,
you
can
see
the
first,
the
first
one
being
cyber
security
risks
I'll
talk
through
the
conversations
in
more
detail,
but
I
think
everybody
is
keenly
aware
of
the
cyber
security
risks.
Local
governments
are
facing
the
next
three
kind
of
fall
into
a
similar
bucket
and
I'll
talk
about
why,
during
that
part,
but
they
have
to
do
with
staffing,
employee
wellness
and
employee
retention.
F
Next,
we'll
talk
about
some
of
the
grant
funds
and,
as
it
relates
to
the
pandemic,
we'll
talk,
finally
about
policy
frameworks
and
then
we'll
touch
briefly
on
the
regulatory
and
political
environment
move
to
the
next
slide.
Okay,
cyber
security,
regular
ransomware
attacks
are
on
the
rise.
This
is
no
secret.
That
municipalities
are
one
of
the
biggest
targets
for
ransomware
attacks
and
they
have
a
severe
significant
impact.
F
They
can
take
down
city
services
for
long
periods
of
time,
expose
non-public
and
confidential
data
and
just
damage
the
city's
reputation
and
that's
beyond
just
the
cost.
The
significant
costs
that
occur
when
ransomware
attacks
manage
to
hit
a
municipality
once
a
attack
hits
it
takes
significant
efforts
to
mitigate
the
damage,
and
it
takes
a
large
amount
of
time
to
to
remedy
that.
F
So
we
have
two
proposed
engagements
specifically
to
target
I.t
I.t
processing
controls
generally
as
they
relate
to
ransomware,
but
also
just
in
general,
cyber
security
attacks.
F
One
flows
from
the
infrastructure
assessment
that
we
did
with
mecc
last
year,
and
it
is
a
something
that
came
up
during
that,
but
a
spin-off
that
we
thought
was
critically
important
and
that's
mecc
has
a
variety
of
partners
outside
of
the
city
that
access
the
mecc's,
mec
minneapolis
immunity,
emergency
communications
center,
I'm
going
to
try
and
avoid
using
acronyms
my
apologies
already.
The
emergency
communication
center
has
a
variety
of
other
relationships
with
government
entities
who
cannot
access
the
system
and
they're
not
unique.
In
that
respect.
There
are.
F
There
are
systems
throughout
the
city
where
third
parties
have
access
the
thing
we
would
like
to
test
in
this.
This
consultation
is
looking
at
those
areas
where
there
are
third-party
access
to
the
emergency
communication
system
to
ensure
that
there's
sufficient
security
in
place
so
that
it
doesn't
increase
the
likelihood
of
our
our
ransomware
or
other
cybersecurity
attacks.
We
obviously
have
more
control
over
the
things
that
we
do
internally.
F
Allowing
third
party
access
does
expose
us
potentially
to
more
risk,
and
internal
audit
will
assess
what
types
of
risks
are
involved
in
that
and
whether
the
city
is
appropriately
controlling
those
risks
to
a
healthy
level.
That
is
one
proposed
engagement.
The
second
is
a
more
direct
response
to
potential
ransomware
and
cybersecurity
attacks
and
that's
to
look
at
our
continuity
of
operations,
plans
to
stop
making
sure
that
they
are
established
by
departments,
they're,
updated,
they're,
consistent
with
industry,
best
practices
to
mitigate
the
effects
of
a
ransomware
attack.
F
That
is
the
kind
of
the
cyber
security
portion?
I'm
happy
to
answer
any
questions
about
that
I'll
note
that
we've
had
great
participation
and
cooperation
with
our
it
team.
They
they
provided
a
lot
of
input
on
this
and
looking
forward
to
working
with
them
on
this
absolutely
critical
subject.
F
Vice
chair
fischer,
we
we
noted
an
increase
in
attacks,
not
successful
attacks
over
the
last
several
years.
So
from
a
velocity
standpoint,
I
would
say
that
the
the
nature
of
this
risk
is
changing
rapidly
and
that's
that's
been
true
in
the
I.t
sector
in
general,
it's
not
necessarily
unique
to
the
city
of
minneapolis,
but
perhaps
because
of
our
higher
profile
as
a
city
in
in
recent
years
and
and
other
other
things
we
we
have
become
targeted
more
regularly
than
we
were
in
the
past.
F
So
if
you'll
note
from
the
2021
risk
assessment,
we
listed
this
as
one
of
our
top
risks
and
I
will
say
that
the
the
risk
has
become
a
reality
in
some
regards
and
it's
still
ongoing
in
a
significant
way
and
that's
why
we're
bringing
it
back
with
some
focused
targeted
audit
work,
we're
facing
staffing
and
resourcing
challenges.
F
We
spoke
with
a
number
of
departments
that
were
operating
at
75
capacity
and
lower
some
had
had
fewer
retention
issues,
but
every
party
we
spoke
with
across
the
enterprise
responded
to
this
in
one
way
or
another:
the
likelihood
that
employees
are
leaving
the
city
at
an
accelerated
rate
having
a
harder
time
recruiting
and
that
burnout
issues
are
impacting
all
city
staff
and
these
significantly
complicated
department
capabilities.
F
We've
had
difficulties
in
recruiting
and
hiring
and
key
parties
at
the
city
identified
this,
as
potentially
reputational
damages
we've
experienced
as
an
employer
the
past
couple
of
years.
We
know
what
events
have
occurred
and
and
we've
we
understand
the
challenges
that
staff
are
facing
and
so
hiring
when
your
reputation
is
somewhat
damaged.
We
we've
heard
from
some
departments
that
they're
getting
fewer
than
50
of
the
number
of
applicants.
They
were
for
similar
positions
several
years
ago
and
again
hiring
people
when
there's
an
understanding
of
an
increased
workload.
F
It
just
compounds
the
problem,
one
of
the
biggest
there
are
a
variety
of
things
associated
with
retention
issues
that
it's
a
bigger
deal
when
a
long-term
employee
leaves
the
city.
F
We
know
that
early
retirement
incentives
allowed
some
people
to
leave
and
retire
earlier
than
possible,
but
employees
in
general
take
key
knowledge
with
them
when
they
leave
and
when
people
are
leaving
at
an
accelerated
rate
and
you're
having
drop-offs
in
departments
having
chunks
of
people,
leaving
departments
you're
having
whole
knowledge
sectors
in
the
city
that
are
leaving
when
they
go
and
making
sure
that
we're
not
experiencing
such
a
severe
knowledge
gap
is
a
really
important
thing.
F
Shots
have
been
fired
at
city
vehicles,
city
employees
have
been
assaulted
and
threatened,
and
it's
not
the
normal
city
departments
that
have
experienced
this
in
the
past.
It's
people
who
weren't
were
doing
a
job.
This
was
not
a
feature
of
their
job.
At
all,
they've
been
asked
to
do
something
different
from
the
norm
and
they're
engaging
in
activities
that
are
well
outside
of
what
their
normal
job
responsibilities
might
have
been
in
the
past,
even
though
it
does
somewhat
square
with
their
their
work.
F
But
now
they're
they're,
experiencing
significant
safety
concerns
that
further
leads
to
mental
stress
burnout
and
a
desire,
perhaps
not
to
work
at
the
city,
and
so
that's
just
kind
of
exacerbating
an
already
existing
problem.
But
that
was
reported
from
from
a
variety
of
different
departments
who,
in
the
past,
did
not
necessarily
see
this
as
a
large,
a
large
risk
for
them.
F
We
are
proposing
two
engagements
related
to
to
these
critical
issues.
One
is
a
hiring
and
promotion
process
audit,
specifically
to
look
at
the
process
and
controls
related
to
hiring
and
promotion,
ensuring
they're
operating
efficiently
and
sufficiently
to
attract
and
retain
staff.
So
this
is
a
big
project.
There's
no
doubt
that
this
is
a
big
one,
but
one
of
the
issues
we
heard
during
the
risk
assessment
concerned
both
equity
and
hiring
and
challenges
in
the
duration
and
ways
hiring
took
place.
F
If
we
can't
hire
employees
in
an
efficient
manner,
manner,
they're
likely
to
opt
out
of
the
hiring
process,
we
may
not
get
them
and
promotions
and
job
class
changes,
and
things
like
that
to
respond
to
new
duties
and
whatnot
are
related
and
really
important
to
keeping
staff
engaged
and
feeling
feeling
respected
at
the
city.
So
we
think,
based
on
the
retention
that
we're
experiencing
at
the
city,
then
knowing
full
well
that
we
need
to
do
a
fair
amount
of
hiring.
F
And
the
second
is
an
organizational
culture
risk
assessment,
so
it's
an
in-depth
risk
analysis
of
workplace
culture
as
it
relates
to
employer
retention
and
well-being.
So
this
directly
addresses
the
issue
of
retention
and
employee
burnout.
This
is
a
common
thing,
that's
popping
up
in
the
field
of
audit,
and
there
are
a
number
of
frameworks
that
we've
explored
for
doing
this.
So
this
isn't.
This
is
a
new
thing
we've
invented.
F
This
is
something
that's
happening
in
municipalities
across
the
country,
seeing
value
being
added
back
when
we
we
actually
understand
the
full
full
environment
in
which
employees
are
experiencing
burnout
stress
why
they're
leaving
internal
audit
is
uniquely
positioned
to
do
that
type
of
analysis.
F
D
F
Committee,
member
payne,
there
are
organizational
best
practices
and
frameworks,
absolutely
that
we
do
benchmarking
depending
on
the
project.
We
do
some
more
benchmarking
than
other,
and
this
would
be
an
instance
where,
yes,
benchmarking
would
be
an
important
thing
in
industry.
Best
practices
would
be
key
for
us,
both
industry,
best
practices
in
the
in
the
field
of
organizational
culture,
audits
and
risk
assessments,
but
also
in
organizational
health
and
structure.
F
We
we
think
this
is
a
pretty
pretty
unique
project.
It's
not
something
that
audit
here
has
engaged
in
necessarily
in
the
past,
but
one
that
the
field
has
really
grown,
and
we
think
there's
enough
support
and
resources
to
do
this
in
a
in
a
really
impactful
way.
B
Thank
you,
committee
member
fisher.
G
Thank
you
for
sure,
pump,
saddle
director,
patrick.
I
read
this
part
of
your
report
with
kind
of
a
rising
concern.
I
guess-
and
I
have
to
ask
this-
you
mentioned
that
you
feel
that
there's
enough
support
to
adding
warrant
to
the
audit
plan-
and
I
have
asked
how
widespread
is
the
belief
that
this
is
a
concern.
Have
you
found
this
to
be
a
general
response
from
departments
across
city
government,
or
is
this
more
localized
to
a
certain
type
or
grouping
of
departments.
F
Vice
chair
fisher,
we
found
this
concern
shared
widely
across
the
enterprise.
There
were
very
few
incidents
where
concern
wasn't
expressed
about
our
current
employees,
well-being
and
retention.
This
was
a
this
was
a
common
feature
of
our
conversations.
F
F
A
risk
assessment
would
allow
us
to
identify
what
specific
issues
we're
facing
in
a
much
greater
depth
and
what
control
processes
exist
and
then
work
with
the
enterprise
to
help
potentially
remediate
some
of
those
as
they
design
their
own
new
control
processes.
If
there
aren't
aren't
ones
currently
in
place.
G
F
Thank
you
committee,
our
vice
chair
fisher,
that
I
am
bolstered
by
the
fact
that
the
our
professional
organization
that
we
we
follow
and
and
the
field
of
auditing
has
come
up
with
some
pretty
good
techniques
for
doing
this
type
of
work.
So
we're
not
going
to
be
walking
into
this
blind
per
se,
but
you're
right.
It's
a
it's
a
massive
undertaking.
I
expect
this
project
will
take
more
time
than
than
a
more
part
and
parcel
audit
project
that
we
might
engage
in
otherwise.
I
Thank
you,
chair
palmisano,
just
a
quick
question.
I
see
the
park
board
is
part
participating
perhaps
on
the
second
item,
but
not
the
first
is
that,
at
the
request
of
the
park
board
our
level
of
involvement,
if
you
could
clarify,
thank
you.
F
Thank
you
committee,
member
of
na.
We
discuss
this
with
park
board.
We
can
always
include
park
board
in
our
work
and
we'll
reach
out
to
them
as
we
design
our
project
to
see
if
they'd
like
to
be
engaged
in
it.
Our
primary
findings,
during
our
risk
assessment
related
to
hiring
and
promotions,
came
more
so
from
from
the
city
enterprise,
but
can
also
explore
that
subject
with
the
park
board.
F
B
Thank
you.
I
was
just
wondering
director,
patrick
if
you
could
speak
just
briefly
to,
and
I
understand
that
our
hr
department
has
tried
to
do
something
similar
in
the
past,
but
you
mentioned
in
your
earlier
comments
that
this
would
take
more
of
an
audit
lens
to
that
work.
And
can
you
help
me
understand-
or
maybe
you
have
to
get
into
it-
to
even
see
more,
what's
been
done
in
the
past
by
hr,
but
how
those
two
approaches
would
be
different.
F
Thank
you,
chair
palmisano.
We
will
work
directly
with
hr
on
this
project
and
they'll
they'll
be
a
great
partner
on
this.
I
think
audit
has
a
different.
Your
correct
audit
has
a
different
lens
to
look
through
these
things.
What
we're
looking
at
are
the
risks
mirrored
with
currently
existing
control
processes,
so
we're
not
necessarily
testing
in
a
risk
assessment,
whether
those
controls
are
functioning
effectively.
What
we're
looking
for
is
kind
of
a
catalog
of
what's
occurring
and
where
it's
not
happening,
hr
we're
not
primarily
concerned
necessarily
with
what
hr
is
doing,
but
more
also.
F
What
is
the
enterprise
doing?
What
are
department
leaders
and
managers
and
middle
management
doing
across
the
enterprise
to
promote
a
healthy
workplace
culture?
So
I
see
this
as
adding
to
the
work
that
hr
has
done,
not
redoing
the
work
and,
I
think
they'll
in
my
conversations
with
them.
I
think
they'll
see
value
arise
from
this
as
it
helps
them
work
across
the
enterprise.
F
So
the
third
kind
of
piece
related
to
employee
engagement,
it's
a
bit
of
a
tangent,
but
I
think
very
important
for
understanding,
employee
concerns
and
it's
related
to
internal
investigations.
So
this
came
up
also
in
multiple
different
areas,
and
it
was
the
various
pathways
for
internal
complaints
and
investigations
to
arise
in
the
city.
It
seems
that
there
are
quite
a
number
of
different
ways.
A
complaint
could
be
resolved
if
I'm
an
employee
filing
a
complaint
about
another
employee,
an
ethics
claim
an
hr
claim,
a
fraud,
waste
or
abuse
claim
they're.
F
Just
so
many
different
avenues.
One
can
take
to
actually
do
that
where
the
issue
arises
is
when
there
are
inconsistent
standards
and
outcomes,
it
impacts
employees,
confidence
in
the
system,
so
knowing
that
one
case
took
its
path
through
this
certain
process
versus
another
case,
there
involve
a
similar
set
of
facts
with
significantly
different
outcomes.
It
does
not
give
employees
the
sense
of
internal
fairness
that
one
might
want
out
of
an
investigative
system,
and
so
as
we're
thinking
about
employee
stress,
with
their
level
of
engagement
with
the
city.
F
Considering
that
employee
complaints
are
an
important
part
of
that,
we
think
it's
important
also
to
have
make
sure
that
controls
are.
Investigations
are
a
critical
control
for
the
city.
They
help
prevent
future
misconduct
and,
if
they're
not
potentially
happening
in
a
way,
that's
that's
efficient
or
consistent
or
beneficial.
Then
we
are
missing
a
real
opportunity
to
improve
both
employee
morale
and
and
the
way
we
function
as
a
city.
F
During
the
pandemic,
there
was
a
significant
increase
in
grant
and
external
funds
for
the
city.
A
lot
of
money
flowed
into
the
city
in
a
short
period
of
time
and
absolutely
necessary
during
during
such
a
crisis.
For
that
to
happen,
we
needed
to
respond
rapidly
to
an
ever
shifting
environment,
but,
as
we
know,
this
increase
in
funds
and
perhaps
using
funds
and
managing
them
in
ways
that
are
different
because
of
that
rapid
response.
F
It
does
create
additional
risks
to
the
city's
finance
and
procurement
processes,
and
we
do
know
this
rapid
increase
in
funds.
Asthma,
add
more
risk
to
grant
management,
knowing
that
grants
have
significant
requirements
attached
to
them
for
reporting
and
managing
those
grants.
If
you
don't
manage
those
properly
and
report
them
properly,
it
can
be
a
significant
blow
to
the
city,
and
it's
we
did
hear
during
risk
assessment
conversations
that
some
departments
don't
follow
the
city's
normal
ground
management
process.
We
have
a
grant
management
team
that
lives
in
finance
and
procurement.
F
F
So
we
do
have
one
proposed
engagement
for
this,
and
that
is
looking
specifically
at
department
managed
grants.
So
these
are
grants
that
are
managed
outside
of
the
grant
management
team.
They
may
receive
some
level
of
support
or
they
may
be
doing
their
own
reporting
to
determine
whether
or
not
those
grants
managed
outside
of
the
system
have
adequate
controls
to
ensure
compliance
managed
effectively
and
are
reported
effectively.
F
B
Mr
patrick,
would
that
then
include
the
american
relief
program
allocations
to,
or
is
that
done,
all
through
finance.
F
Finance
has
taken
a
role
in
reporting
and
grant
management
in
that
sense,
so
it's
likely
that
that
would
not
necessarily
be
with
the
scope
of
this
project.
D
F
A
committee
member
payne:
this
would
be
funds
that
come
externally
that
carry
reporting
requirements
and
management
requirements.
So
no
matter
the
source.
G
F
Vice
chair
fischer,
recalling
a
past
audit,
we
did
talk
some
about
centralization,
of
grant
management
processes
so
that
that
has
come
up
in
audit
before
I'm
not
equipped
right
now
to
speak
about
the
current
appetite
for
centralization.
But
I
think
this
project
will
hit
on
some
similar
themes
and
explore
the
effectiveness
of
a
non-centralized
grant
management
system.
G
Well,
thank
you.
I
hope
that
we
kind
of
keep
that
in
mind.
I'm
sure
it's
a
city
council,
determination
of
how
that
might
be
handled,
but
I
appreciate
it
if
you
kind
of
kept
that-
and
you
know
back
your
mind
as
you
move
through
this
process-
absolutely.
F
Next
I'll
talk
about
enterprise
policy
and
move
to
the
next
slide,
so
this
both
comes
from
this
risk
arose
both
from
conversations
with
parties
inside
the
city
and
also
recent
audits.
F
If
you
think
just
about
our
mobile
device
management
audit,
we
noted
policies
that
hadn't
been
reviewed
since
2003
and
and
other
related
audits
have
found
similar
issues
with
routinely
reviewing
policies
making
sure
that
policies
are
in
harmony
with
one
another,
so
that
two
enterprise
policies
don't
conflict
and
and
in
general,
a
consistent
approach
to
policy
creation,
both
at
the
department
level
and
up.
But
what
specifically
we're
talking
about
here
is
less
a
review
of
all
the
policies,
but
more
so
looking
at
a
policy
framework,
that's
widely
implemented.
F
There
are
different
ways
in
which
one
can
implement
a
policy
making
in
a
policy
framework
and
the
city
clerk's
office
is
in
engaged
in
helping
establish
something
like
this,
and
so
this
would
be
consulting
with
the
city
clerk's
office
as
they
build
out
a
policy
framework
making
sure
that
since
audit
will
be
policies,
are
such
a
critical
part
of
audit
work
that
we
are
helping
them
as
they
develop.
F
This
policy
and
policy
framework
and
implement
it
at
an
enterprise
level
move
to
the
next
line,
and
so
the
engagement
we've
had
a
kind
of
placeholder
item
on
the
audit
plan
for
the
past
year
or
so
related
to
an
information
governance,
consultation.
F
It's
been
a
lot
of
things
have
come
up
in
the
past
couple
of
years
that
have
slowed
that
project
down,
but
it's
now
very
much
picking
up
steam
again
and
I
think
implementation
of
question
one
is
also
playing
a
role
in
why
this
is
important
to
do
now.
We
want
to
focus
our
attention,
because
this
is
such
a
broad
project
on
on
pretty
much
one
area
as
it
relates
both
to
policy,
but
also
to
I.t
related
issues
and
that's
information
governance.
F
How
do
we
establish
policies
specifically
as
they
relate
to
information
governance
in
the
city?
How
do
we
maintain
data?
How
do
we
release
data
information,
governance
really
really
important
thing
right
now
and
therefore
critical
that
we
provide
some
assistance
on
this
on
this
issue
as
we
create
and
maintain
data
a
massive
amount
on
a
daily
basis.
I
I
think
it's
just
really
interesting
to
me
and
it's
it's
also
an
interesting
place
to
start,
and
I
understand
why
you're
starting
there.
Perhaps
this
is
obvious,
but
oftentimes
policies
that
are
have
a
regulatory
basis.
The
the
regulatory
requirements
build
into
themselves
of
policy
review
cycles,
and
things
like
that.
So
I
think
that
that's
a
really
it's
a
nice
grounding.
I
think,
for
this
type
of
thing,
essentially
a
policy
on
policy,
but
I
just
wanted
to
throw
that
out
there.
Thank
you.
F
Absolutely
committee
member
of
na-
that
is
that
is
certainly
the
case
and
making
sure
that
those
types
of
things
are
happening:
the
routine
review
revisions,
harmonizing
policies
across
departments.
This
is
these
are
the
types
of
things
we're
hoping
to
address
and
I
should
say
the
city
clerk
is
hoping
to
address.
We
are
providing
a
consultation
and
assistance
to
them
as
they
do
it
using
our
unique
audit
lens,
because
we
audit
policy
on
a
regular
basis,
we're
uniquely
positioned
to
provide
that
assistance.
B
F
G
F
Sheriff
fisher
that
I'll
do
a
little
decoding
of
auditor
speak.
The
immature
environment
to
which
I
referred
was
that
we
people
lacked
the
capacity
to
do
the
type
of
work
to
implement
that
project
at
that
time,
both
internal
audit
resources
and
resources
around
the
city
to
really
make
that
project
stick,
so
the
environment
wasn't
mature
to
allow
us
to
contribute
to
to
that
work
in
a
meaningful
way.
F
Now
really
feels
like
a
we're
in
a
different
state
and
and
ready
to
take
that
on
to
chair
palmisano's
point,
we
did
have
some
regular
reporting
back
to
the
committee
from
the
city
clerk's
office
in
the
past,
and
perhaps
it
would
be
beneficial
to
to
have
another
presentation,
that
kind
of
recaptures
some
of
that
knowledge
from
from
prior
audit
findings
and
our
consultation
and
connect
with
the
city
clerk,
that's
something
we
do
as
we.
We
launch
this
project.
F
F
F
We
completed
some
of
those
projects
prior
to
the
beginning
of
the
state
department
of
human
rights
and
the
federal
department
of
justice
investigations
of
the
minneapolis
police
department,
but
we
don't.
We
pause
some
of
our
mpd
audit
work
because
we
didn't
want
to
conflict
with
what
those
investigations
were
covering.
F
We
saw
our
operations
touching
on
a
number
of
different
things
and
therefore
are
us
doing
work
and
then
being
preempted
by
those
bodies
would
lead
to
confusion
and,
frankly,
a
stress
on
audit
resources
that
perhaps
we
couldn't
bear
we're
a
small
team
required
to
provide
enterprise
coverage.
F
F
We
have
resources
in
the
future
to
continue
doing
law
enforcement
audits
and,
as
we
see
the
results
of
the
department
of
justice
and
minnesota
department
of
human
rights
reports
coming
out,
we'll
use
those
to
fuel
our
risk
assessment
and
do
further
law
enforcement.
Audit
work
in
the
future,
that
is,
that,
will
not
go
away.
G
G
It
gives
me
some
concern,
so
I
have
to
express
this
and
I
think
it
should
be
expressed
in
old
media
that
the
process
is
getting
in
the
way
of
progress
and
I'm
hoping
that
we
keep
an
eye
as
as
city
council
speaking
as
a
citizen
now
as
the
city
council,
we're
monitoring
whether
we're
spending
too
much
time
on
investigation
and
too
little
time
on
trying
to
find
solutions.
G
I
can
tell
you
I
don't
like
getting
up
in
the
morning
and
seeing
the
headline
on
the
start.
You
calling
off
the
police
department
one
more
time
this
week
and
having
a
feeling
that
nothing
really
is
being
done
to
address
some
of
the
issues
that
it
concerns
us
so
I'll,
express
that
and
leave
it
for
a
comment
for
anyone
who
will
thanks.
G
J
Thank
you,
terry
palmisano.
I
just
wanted
to
open
up
the
conversation,
possibly
reintroducing
the
past
work
that
I
know
has
been
done
around
kordina,
police,
accountability,
accountability,
auditor
and
team.
I
think
it's
time
that
we
bring
this
back
into
the
equation
when
we're
talking
about
this
department.
J
I
hear
committee
member
fisher's
words,
but
I
think
that
we
need
to
continue
this
work,
and
this
would
be
a
way
for
us
to
do
this.
This
structure
and
team
would
create
the
proper
checks
and
balances
with
the
police,
mayor
and
city
council,
and
I
just
wanted
to
open
up
that
conversation
again
and
see
if
there'd
be
an
appetite
to
work
with
you,
director,
ryan,
patrick,
on
this
in
the
coming
weeks
and
and
to
so
that
we
could
move
swiftly.
F
Committee,
member
koski,
I'm
happy
to
work
with
you
on
on
that.
That
is
something
that's
been
discussed
in
the
past.
As
audit
is
uniquely
situated,
I'm
happy
to
take
staff
direction
or
anything
that
you
deem
necessary
for
for
our
office
to
either
add
that
to
our
current
question,
one
implementation,
research
that
we
have
going
on.
That's
one
possibility-
or
it
can
be
its
own
independent
item.
D
Thank
you,
madam
chair.
I
just
wanted
to
echo
committee
member
koski
in
supporting
the
unique
position
that
audit
is
in
with
its
independence
and
access
to
data
as
being
a
potentially
effective
means
of
of
police
oversight,
and
I'm
signed
me
up
to
work
on
that
and
investigate
that
as
a
process
going
forward.
B
Thank
you,
committee
member
singleton.
H
Thank
you,
chair,
palmisano,
director,
patrick
earlier.
You
mentioned
that
the
finance
department,
for
example,
has
its
own
internal
risk
assessment
structures
in
place
that
help
to
mitigate
and
identify
risks
does
npd
have
any
any
sort
of
official
structures
within.
I
know
it
has
an
internal
affairs
department,
but
I
view
that
as
being
a
pretty
different
department.
F
Committee,
member
singleton,
that's
a
great
question:
there
is
a
quality
assurance
unit
that
existed
and
we've
had
some
past
reports
from
the
commander
who
led
that
division.
It
was
specifically
related
to
body
worn
camera
compliance.
That
was,
that
was
the
majority
of
the
work
they
were
doing
as
far
as
new
structures
or
structures
that
look
broader.
I
have
a
take
a
more
broad
approach
to
assessing
risk
in
the
police
department.
F
I'm
not
aware
of
a
current
program
that
exists,
but
that
would
be
worth
checking
in
with
mtd
about
what
they're,
what
they're
doing
in
that
that
area,
I'm
happy
to
reach
out.
B
Thank
you,
it's
great
to
see
some
a
new
city
council
and
others
that
have
a
lot
of
energy
around
this
again.
It's
something
that
we've
worked
on
a
lot
in
the
past,
but
maybe
it's
time
to
revisit
so
go
ahead.
Mr
patrick.
F
Thank
you,
chair
palmisano,
with
that
I'll
move
to
the
next
point
here
and
that's
back
on
one
slide
back
yeah.
Sorry,
we,
we
talked
a
lot
about
bullet
point,
one
I'll
go
through
the
rest.
No
one
of
the
things
that
came
up
during
the
risk
assessment
was
heightened.
Political
tensions
that
could
create
an
unstable
regulatory
environment.
F
Parties
noted
that
at
the
state
and
federal
level
there
was
perhaps
a
greater
attention
being
paid
to
the
city
of
minneapolis
and
perhaps
a
negative
way
than
there
was
in
the
past,
depending
on
the
constitution
or
the
the
com.
How
the
state
and
federal
government
is
composed.
We
could
see
potential
legislative
impacts
on
how
the
city
operates.
F
I
don't
I
don't
have
any
specifics,
but
it
is
worth
noting
that
we
have
a
number
of
elections
coming
up
at
the
state
and
federal
level,
and
it's
worth
being
aware
of
the
fact
that
that
could
create
this
unstable
regulatory
environment
where
we're
dealing
with
new
things
that
we
don't
necessarily
have
a
handle
on
right.
This
minute,
there's
no
audit
project
associated
with
that.
Again,
it's
a
risk
we
identified,
and
it's
worth
worth
being
aware
of
and
keeping
track
of.
F
The
third
is
supply
chain
issues.
We
we
had
discussions
about
this.
They
could
impact
procurement
fleet
management,
normal
operations.
Some
departments
did
report
that
they
had
a
harder
time
getting
supplies
getting
getting
things
that
they
needed
to
do
their
jobs
or
those
supplies
were
more
expensive
than
they
were
in
years
past,
which
can
certainly
impact
budgets.
F
They
reported
currently
that
they
were,
they
were
fine
in
their
their
operations.
It
wasn't
wasn't
detracting
from
it
now,
but
if
these
problems
continue
to
occur,
it
might
be
worth
looking
at
audit
projects
in
the
future
related
to
it
and
then
obviously,
the
ongoing
thing
that
we're
all
continuously
aware
of
is
that
related
to
the
kovic
19
pandemic,
noting
that
remote
work
is
still
occurring
and
will
continue
to
occur
for
the
foreseeable
future.
F
In
some
extent,
while
others
are
other
departments
and
and
employees
are
returning
to
work
in
the
near
future,
once
we
had
risks
related
to
changing
to
the
remote
environment,
we
have
risks
related
to
returning
to
the
in-person
environment.
F
We
have
on
our
audit
plan
the
general
placeholder
of
covent
phase
three
projects,
a
lot
of
the
work
that
we're
doing
does
touch
on
the
impacts
of
covet
on
our
environment,
but
we
will.
We
will
continue
to
do
consultations
and
some
work
with
departments
related
to
these
issues,
specifically
coveted
related
issues
as
they
arise.
B
I
do
want
to
just
quickly
mention
something
tangible.
You
mentioned
the
supply
chain
issues,
and
I
want
to
point
to
one
way:
we've
felt
pain,
points
about
that
all
over
the
city
have
actually
been
in
in
simple
things
like
fixing
street
lights
that
are
out
that
are
ours,
particularly
park,
parkway
street
lights,
that
that
supply
chain
issues
have
just
had
a
really
elongated
impact
on
getting
some
of
our
basic
infrastructure
maintained.
F
Yes,
terry
palmisano,
that's
that's
something
that
came
up
and
and
absolutely
it's
those
types
of
things
that
are
that
are
notable
and
making
sure
that
we
have
good
continuity
of
operations,
plans
that
deal
with
what
what
if
we
do,
have
further
supply
chain
issues
or
can't
get
the
things
we
need
that's
worth
exploring
in
the
future
from
our
assessment
during
the
risk
assessment,
the
departments
we're
we're
managing
now,
but
that
might
be
something
to
explore
further
down
the
road
if
these
issues
continue
to
occur,.
F
F
Yeah,
oh
I
yes
chair,
palmisano
I'll
just
talk
about
it
briefly
and
then
I
know
the
the
step
for
this
is
to
receive
and
file
the
report
and
then
there's
another
item
to
actually
adopt
the
plan.
But
I
just
wanted
to
talk
through
some
of
the
basic
highlights
and
what
we've
done
this
year
for
the
playing
cause.
There
are
some
other
additions
and
subtractions
that
that
we're
proposing
super
thanks.
So
just
noting
that
the
communication
spend
audit
is
ongoing,
it's
in
the
final
reporting
phases.
F
It's
almost
done
that
the
work
is
providing
a
lot
of
value
back
so
in
april,
we'll
have
a
more
well
the
lengthy
discussion
about
the
results
of
that
report.
We
do
need
to
add
the
park
police
body,
worn
camera
and
license
plate
reader
audit
to
the
agenda
to
the
plan.
That
is
a
biennial
requirement
from
state
law.
F
If
you
recall
the
past
year,
we
did
the
minneapolis
police
department,
bwc
alpr
audit.
This
is
the
the
same
service
but
providing
it
to
the
park.
Please
you
could
you
will
note,
on
this
plan,
you'll
see
all
the
the
audits
that
I
I
spoke
to
completed
a
lot
of
the
audit
work
we
had
from
last
year
and
therefore
you
don't
see
a
lot
of
carryover
items
from
from
from
the
prior
year.
I
know
one
thing
is:
we
did
take
the
date
off
of
the
audit
plan.
F
We
in
past
years
had
like
a
quarter
where
those
projects
would
start
very
rarely
did
that
actually
align
with
when
project
started
and
to
give
our
ourselves
more
flexibility
to
address
things
as
needs
arise.
I
don't
think
the
data
is
relevant.
This
is
a
2022
annual
plan,
so
these
projects
were
are
likely
as
we
can
to
be
completed
in
this
coming
year.
Then
the
last
thing
it
does
is
allows
us
to
work
with
department.
F
F
That's
that's
really
what
drives
when
when
projects
occur
and
are
our
own
needs
and
assessments
of
when
these
need
to
happen
so
yeah,
you
will
see
that
the
projects
on
the
plan
that
we
intend
to
complete
in
2022
there's
another
slide
that
follows
this
is
this
is
about
half
of
the
plan.
F
You
could
just
show
the
next
slide
then
see
yeah
the
one,
a
couple
of
carryover
items,
the
coven
19
related
consultation
project.
So
that's
a
general
allows
us
to
work
with
various
departments
on
those
consultations
and
then
the
other
carryover
item
is
the
third
party
software
systems
use
and
controls.
F
So
that
is
something
that
we
spoke
to
last
year,
that
is
departments
using
software
that
they
didn't
obtain
through
it
to
complete
their
objectives
for
good
reasons,
sometimes,
but
not
always
using
the
best
controls
and
and
could
expose
us
to
risk
and
loss
of
data.
So
that's
a
carryover
item
and
we
would
like
to
address
that
in
the
coming
year.
If
we
can.
B
All
right
seeing
no
further
questions
or
comments
from
committee
members
and
without
objection
I
will
direct
the
clerk
to
receive
and
file
this
item.
This
all
culminates
into
the
next
item
of
our
agenda
this
morning
for
your
consideration,
which
is
our
2022
annual
risk-based
internal
audit
plan.
We
have,
as
you
know,
a
very
small
team
here
to
resource
and
help
review.
All
of
that
work
that
you
just
heard
about
so
next
up
on
our
agenda
today
is
our
plan
for
this
year.
F
I
can
speak
to
it
specifically
this.
This
just
mirrors
the
last
few
slides
of
the
presentation
you
saw.
These
are
the
plan.
This
is
the
2022
plan
as
it
stands
this
would.
By
adopting
this
plan,
it
gives
us
the
authority
to
conduct
this
and
and
again
that
freefall
and
unrestricted
access
to
data,
because
we're
doing
audit
work
as
attached
to
these
projects,
but
we
do
our
work
at
the
consent
of
the
audit
committee.
B
Thank
you.
Are
there
any
further
questions
or
comments
from
my
colleagues
on
this?
B
G
F
Yes,
vice
chair
fisher,
there
are
two
projects
currently
on
hold
one
related
to
affordable
housing.
That
has
been
on
the
plan
for
some
time
that
that
risk
is
a
a
large
one
that
currently
exists
at
the
city.
I
think
implementation
of
question
one
the
use
of
additional
resources.
We
saw
this
environment
as
changing
rapidly
and
therefore
capturing
at
a
moment
in
time
for
an
audit
might
not
be
appropriate
at
the
moment.
F
We
would
like
to
add
it
to
this
year's
plan
and
if
we
both
get
through
audits,
that
we
need
to
that,
we
identified
as
high
risk
for
the
our
current
year
and
have
the
space
to
do
so
with
our
addition
of
additional
staff
and
and
what
we
can
do,
or
we
strike
projects
from
the
plan
because
we
don't
feel
they're
an
appropriate
use
of
resources.
These
would
be
the
first
that
would
jump
back
onto
the
plan.
F
The
second
is
revenue
and
collections
again
because
of
the
way
kovid
has
has
created
some
remote
revenue
and
collections
and
new
means
of
collecting
revenue,
as
well
as
perhaps
placing
strains
on
old
means
of
collecting
revenue.
We
did
see
this
as
an
important
item,
but
again
the
the
environment
is
changing
rapidly
as
we
go
back
to
work
in
the
office
and
it's
just
been
a
challenging
moving
target
to
assess.
But
that
would
be
something
that
would
pop
onto
the
audit
plan
if
we
were
to
strike
something
else
and
move
it
up.
B
C
B
F
Thank
you,
chair,
paul
masano.
I
just
want
to
provide
a
brief
update
on
work
and
flight,
open
audit
issues
and
a
follow-up
to
any
continuous
monitoring
that
we
have
ongoing,
move
to
the
next
slide.
So,
first
we'll
talk
about
completed
and
in
progress,
work,
we'll
talk
about
prior
audit
issue,
follow-up
and
then
again
continuous
monitoring
move
to
the
next
slide.
F
One
more
our
communications
financial
audit
is
ongoing
for
commit
new
committee
members.
We
were
looking
at
how
the
city
tracks
spending
for
communications
activities
and
develop
an
accurate
enterprise
spend
much
like
other
departments.
We
have
a
communications
department,
but
we
have
decentralized
communications
activities
occurring
at
the
city.
F
Given
the
importance
of
rapid
and
effective
communication
to
the
community
and
all
that's
occurred
over
the
past
few
years,
we
thought
it
a
good
idea
to
have
a
catalog
of
how
we're
how
we're
spending
and
whether
or
not
we're
spending
things
using
our
best
practices
so
that
field
work
is
underway.
F
We
mid-february
will
have
a
completed
report,
so
we
are
very
close
to
having
a
completed
report
that
will
come
to
the
april
audit
committee
meeting.
More
importantly,
we'll
have
it
back
to
the
audit
client
so
that
they
can
get
that
information
and
use
it
as
we
continue
these
government
structure
questions.
F
Our
second
ongoing
project
is
the
office
of
police
contact
review
body,
worn
camera
audit
process.
This
was
a
special
project
to
assist
the
office
of
police
conduct
review.
They
had
a
mandate
for
a
body,
worn
camera
audited
process,
we're
covering
the
first
risk
assessment
through
the
completed
audit.
This
has
been
a
challenge,
as
management
and
staff
have
changed,
and
processes
have
changed
in
the
opcr.
F
Move
into
our
audit
issue
follow-up.
So
if
you
recall
at
the
beginning
of
last
year,
I
don't
remember
what
the
sum
total
of
the
number
of
open
audit
issues
were,
but
it
was
a
lot
higher
than
what
we
have
now.
We
have
five
issues
open
that
aren't
due.
We
have
seven
overdue
audit
issues,
and
then
we
have
three:
three
of
those
issues
are
being
validated
currently,
so
management
is
sp.
Excuse
me.
F
These
reports
have
one
or
more
audit
issues
open
overdue
or
invalidation.
So,
looking
back
at
the
2019
pims
report,
the
off
duty,
audit
contracts,
amendment
audit,
the
park
board,
grant
administration
process
audit
and
the
mobile
device
audit
we
complete
at
the
end
of
last
year.
We
can
have
the
next
slide
actually
has
these
in
detail,
so
the
police
off
duty
on
it.
F
If
you
recall
at
the
last
meeting,
we
talked
about
how
there
is
a
current
procurement
for
new
technology
that
would
help
manage
this
and
likely
remediate
some
of
these
issues,
but
that
process
will
take
time.
I'd
also
note
that
there's
been
both
for
this
and
other
police
related
audit
items,
a
lot
of
turnover
and
and
changes
in
command
staff.
I
wanted
to
potentially
bring
someone
here
to
talk
about
this,
but
those
changes
don't
necessarily
allow
for
that.
F
At
the
moment,
I
would
expect,
in
april
we'll
have
a
have
more
of
an
update,
as
as
command
staff
gets
their
feet
underneath
them
and
knows
where
they're
at
on
that
project.
So
I
don't
see
the
the
procurement
for
the
new
technology
enhancements
being
delayed.
However,
the
people
who
are
in
charge
of
monitoring
that
may
change
over
the
next
year
and
have
changed
currently.
B
If
I
may,
mr
patrick,
I
did
just
want
to
notice
that
I
have
been
invited
to
and
been
part
of
some
all
that
my
schedule
a
lot
will
allow,
but
not
all
of
the
technology
enhancement
briefings
of
different
vendors
that
might
help
to
satisfy.
You
know
a
new
approach
to
off
duty.
One
of
the
complications
there
is
that
many
of
the
different
products
out
there
to
help
a
city
the
size
of
ours
manage
off
duty
have
very
different
attributes
that
they're
offering
with
it.
B
So
I
do
think
that
these
will
probably
all
be
at
least
issues
number
one
and
two
on
the
police
off
duty
will
be
remediated
together.
When
that
specific
scope
is
chosen
and
then
it
will
go
through
counsel
for
the
rfp.
I
believe
and
we'll
see
more
of
this,
but
at
this
point
in
time
I
guess
I
would
just
offer
that
that
work
continues
and
I've.
F
And
thank
you
chair
palmisano.
I
see
a
technology
solutions
as
hopefully
being
able
to
remediate
one
and
three
they're
they're,
pretty
directly
related
oversight
and
monitoring
will
obviously
be
easier
with
technology
enhancements
and
policy
will
likely
be
tied
to
that
technology.
F
So
it's
it's
a
bit
of
a
package
deal
and
the
fact
that
this
this
system's
procurement
is
is
in
progress
is
a
very
good
sign.
That's
right.
F
And
finally,
I'll
talk
a
bit
about
our
continuous
monitoring,
particularly
the
sexual
assault,
examination
kit,
testing,
so
some
history
for
the
newer
audit
committee
members
and
people
who
weren't
familiar
with
the
project
back
in
2015,
the
bca
did
a
survey
of
untested
sexual
assault,
examination
kits
and
in
2019
the
police
department
found
the
number
of
untested
kits
were
greater
than
17
000
in
in
residing
in
the
city.
B
F
F
Me
thank
you
for
the
corrections
1700
out
of
those
kits
not
there
are
restricted
and
unrestricted
kits
unrestricted
kits
for
testing
restricted,
kits,
have
a
restriction
on
them
for
a
variety
of
reasons
why
they
wouldn't
be
tested
at
the
end
of
the
day
about
1
000,
exactly
1,
368
kits
would
be
tested.
F
Mpd
and
the
mayor
requested
internal
audit
consult
with
the
police
department
to
examine
this
process,
and
internal
audit
did
a
number
of
process
improvements
were
made.
You
can
look
back
at
some
of
the
past
auditor
updates
and
I
can
walk
through
it
with
anybody
who's
interested
at
a
later
date.
What
progress
they
made
on
that
front,
but
primarily
at
this
point
we've
been
monitoring
the
backlog
of
kids
and
next
slide,
happy
to
report
that
all
of
the
backlog
kits
are
now
taken
to
the
bca,
so
they
have
been
moved
from
mpd
to
the
bca's
hands.
F
If
you
look
at
the
progress
over
over
time,
this
is
a
they've
significantly
ramped
up
their
their
testing
capabilities
and
therefore
kits
are
flowing
out
at
them
are
being
tested
at
a
at
a
healthy
rate,
and
we
should
complete
this
project.
I
think
earlier
than
the
earlier
anticipated
timeline,
because
they've
hired
more
staff
and
put
more
resources
towards
it.
B
If
I
may,
mr
patrick,
on
the
previous
slide,
I
just
want
to
make
clear
that
the
difficulty
isn't
about
literally
getting
kits
to
the
bca,
but
there's
a
process
for
that,
and
they
have
to
be
able
to
store,
along
with
every
other
cities,
on
tested
resources
and
then
test
them
within.
Is
it
a
certain
amount
of
time
after
they
get
to
the
bca,
or
can
you
help
explain
that
first
bullet
point
in
a
little
bit
more
detail
as
to
what
that
means.
F
Yes,
chair
palmisano
there
is,
there
are
time
benchmarks
for
getting
the
kit
to
the
bca
and
testing
requirements
that
weren't
being
met
for
a
variety
of
reasons.
I'd
I'd
encourage
people
to
look
at
the
report.
For
for
that
detail,
there
were
difficulties
at
a
number
of
different
steps
in
that
process.
Why
kids
weren't
going
to
the
bca
when
they
should
have
moved
faster
and
then,
when
the
kits
were
tested
at
the
bca?
F
Some
of
this
was
staffing
resources.
You
had
kind
of
a
funnel
bottleneck
process
in
certain
areas.
So
again
I'd
refer
back
to
the
report.
It's
been
a
bit
since
I
refreshed
my
memory
on
it.
I'd
say
one
of
the
auditors
on
my
staff
has
been
doing
the
continuous
monitoring
of
the
project,
unfortunately
he's
out
of
the
office
today.
So
I
I
can't
call
on
him,
but
yeah
we
we've
made
a
city,
has
made
a
lot
of
progress
on
this.
B
B
That
is
a
state
law
that
helps
to
centralize
some
of
the
tracking
on
these
kits
across
different
jurisdictions,
and
I
think
that
that's
a
huge
improvement
for
how
survivors
are
able
to
get
these
things
tested
and
hopefully
find
justice
through
through
this
kind
of
data,
collection
and
testing.
So
thank
you.
F
That
concludes
the
auditor
update.
I'm
happy
to
answer
any
remaining
questions.
What
one
thing
I'd
note
is
that
we
were
to
have
a
field
training
officer
update
at
this
meeting,
based
on
their
consultation
from
last
year.
Commander
horn,
who
was
our
point
of
contact
and
a
great
partner
to
work
with,
was
very
engaged
with
audit
and
creating
these.
These
changes
has
retired
and
we
are
now
we'll
need
to
reconnect
with
new
people.
The
the
there's
been
like
most
of
command
staff.
There's
been
some
turnover
in
that
area.
B
B
Not
seeing
any
so
seeing
no
further
business
before
us.
Thank
you.
Thank
you
for
all
this
presenting
done
today.
Thank
you
to
my
colleagues
for
considering
this
large
body
of
work
without
objection,
I
will
declare
this
meeting
adjourned.
Thank
you.
Everyone.