►
From YouTube: Audit Committee - May 29, 2019 (1 of 2)
Description
Audit Committee meeting - May 29, 2019 - Audio Stream
Agenda and background materials can be found at http://www.ottawa.ca/agendas.
A
A
C
A
Thank
you
very
much.
Three
agenda
items
today.
Item
number
one
consolidated
financial
statements:
Lizzy
toffee
now
see
that
I
think
that
I
will
do
me
to
it
that
we
have
guests
from
Ernst
and
Young,
who
will
have
a
presentation
and
from
our
staff
we'll
have
a
presentation.
Let's,
let's
hold
this
item
item
number
two.
The
sinking
fund
financial
statement
did
any.
There
is
no
presentation
on
that,
and
there
are
no
speakers.
A
A
D
Okay,
Thank
You
mr.
chair
I
will
present
the
financial
statements
for
the
year
ended:
December,
31st
2018.
We
also
have
Ernst
and
Young
with
us
today,
Susie
jean
jean
yak,
the
ey
partner
responsible
for
this
audit
and
the
audit
manager.
Lisa
go
Dane
they're
here
they
are
here
to
present
the
results
of
the
audit
after
I've
made
my
presentation,
Sivaji
Ernst,
&,
Young
Kimo,
presently,
a
total
of
vilification,
digital
finance
e.
At
a
conclusion,
the
map
presentation
suitable
any
fiscal
Scotty.
Are
they
sound
doom
industries.
D
So
the
city's
financial
status
remains
strong.
We
are
reporting
a
surplus
for
the
year,
ended
December,
31st
2018
of
609
million,
which
is
different
from
the
19
million
surplus
reported
at
the
end
of
2018
for
budget
purposes.
Financial
statements
are
reported
based
on
Canadian
public
sector
accrual
accounting
standards,
whereas
the
budget
is
reported
on
a
modified
cash
basis.
D
Their
surplus
is
higher
on
an
accrual
basis
because
it
recognizes
the
revenue
that
are
not
included
on
a
cash
or
budget
basis,
such
as
assets
contributed
from
developers
and
the
share
of
earnings
from
hydro,
also
on
an
accrual
basis.
Expenses
include
the
annual
depreciation
of
the
historical
cost
of
assets,
which
tends
to
be
lower
cost
than
what
is
contributed
to
capital
annually
on
a
budget
basis
to
replace
these
assets.
D
The
city's
overall
accumulated
surplus
increased
by
613
million
in
2018.
Most
of
that
increase
is
due
to
the
annual
surplus
overall
net
debt
has
increased,
but
so
has
the
value
of
non-financial
assets.
This
reflects
the
increased
investment
in
capital.
Our
net
debt
is
2.2
billion,
but
this
is
offset
by
total
non-financial
assets
of
16
billion.
This
represents
the
amount
to
service
future
generations
and
includes
our
tangible
capital
assets
and
reserves.
D
Less
future
liabilities
accounts
receivable
increased
merely
due
to
receivables
from
the
federal
and
provincial
levels
of
government
for
public
transfer,
public
transit
infrastructure
funding
PTF
and
at
the
combined
water/wastewater
funding
investment
in
government
business
enterprise
represents
the
net
assets
for
hydro
Ottawa,
which
we
report
on
a
financial
statements
on
an
equity
basis.
The
city
received
dividends
from
hydro
Ottawa
in
the
amount
of
22
million
in
2018
related
to
results
from
2017
operations.
D
On
the
liability
side,
we
had
an
increase
in
accounts
payable
and
accrued
liabilities,
which
included
additional
payables
for
Confederation
line,
as
well
as
additional
accruals
for
brownfields
relating
to
the
Zippy
development
on
the
Ottawa
River
deferred
revenue
primarily
includes
the
development
charges
collected,
but
not
spent.
It's
not
spent
yet
on
projects
that
were
intended
to
fund
in
2018.
There
was
an
increase
in
the
collection
of
development
charges
and
a
decrease
in
the
development
charge
transfers
to
projects
which
resulted
in
an
overall
increase
in
the
development
charge,
deferred
revenue.
D
So
employee
future
benefits
increased
this
year.
These
liabilities
represent
benefits,
earned
but
not
payable
until
future
years.
The
amount
payable
in
the
current
year
is
budgeted
for
each
year
and
changes
primarily
because
of
changes
in
actuarial
assumptions
and
legislation.
This
future
liability
is
an
estimation
and
may
or
may
not
reflect
the
actual
amounts
that
could
be
paid
in
that
future.
The
most
significant
changes
include:
post
retirement
and
post
employment
benefits
the
increase
by
39
million
dollars,
mainly
due
to
an
increase
in
long
term,
disability
claims
and
post
retirement
benefits.
D
D
When
you
look
at
the
debt
level
compared
to
the
total
costs
of
the
city's
gross
assets,
it
represents
eight
point:
nine
percent
of
those
assets-
that's
the
equivalent
of
a
thirty
five
thousand
dollar
mortgage
on
a
four
hundred
thousand
dollar
home
principal
and
interest
payments
are
restricted
in
two
ways.
Council
has
established
specific
targets
for
debt
and
whereby
principal
and
interest
payments
for
tax
and
rate
supported
debt
are
not
to
exceed
a
combined
target
of
eight
point.
Five
percent
of
the
city's
own
source
revenue
in
2018.
This
percentage
was
five
point.
D
Nine
six
percent,
the
provincial
measure,
looks
at
the
cost
of
debt
issued
including
mortgages
as
a
percentage
of
own
source
revenues,
and
that
limit
is
25
percent
in
2018.
This
measure
is
calculated
at
eight
point,
two
percent,
as
far
which
is
far
below
the
provincial
limit
compared
to
other
large
municipalities.
Ottawa
continues
to
have
one
the
lowest
total
debt
per
capita,
the
overall
value
of
the
assets
based
on
cost
increased
by
nine
hundred
and
eighty
eight
million
in
2018.
The
most
significant
construction
projects
contributed
to
the
increase
is
the
Confederation
Line
stage
one.
D
This
is
reported
under
assets
under
control
in
assets
under
construction.
It
was
a
four
the
value
about
one
hundred
fifty
six
million
Confederation
line,
Stage
two
also
reported
in
assets
under
construction
of
123
million
roads,
222
million
water
wastewater
infrastructure,
294
million
and
I
just
want
to
state
that
the
roads
number
also
includes
things
like
bridges
and
culverts.
So
it's
not
just
roads.
We
classify
other
assets
within
that
category,
as
you
can
see
from
the
chart,
water
and
wastewater
infrastructure
makes
up
20%
of
the
total,
tangible
capital
asset
net
book
value.
A
E
Thank
you
very
much
mr.
chair,
so
I'm
going
to
present
as
a
partner
on
the
audit
for
the
City
of
Ottawa
I'm,
going
to
present
our
audit
results
related
to
the
financial
statements
at
a
high
level.
We
are
substantially
complete
the
audit
we
do
completely
consider.
We
do
continue
our
procedures
until
June
12th,
which
is
the
date
when
Council
will
actually
approve
the
financial
statements.
So
we
will
inform
the
committee
if
anything
is
identified
in
that
period
we
have
you'll
see
in
the
financial
statements
our
draft
audit
opinion,
which
is
an
unmodified
opinion.
E
We
have
a
clean
audit
opinion
in
those
financial
statements
at
this
point
in
time
it
has
changed
in
its
structure.
If
you
look
at
it
so
that
the
actual
audit
report,
the
opinion
now
comes
first
and
then
the
basis
of
opinion
and
then
management
and
the
auditor's
responsibilities.
So
if
you
look
at
it,
it
has
changed
and
just
wanted
to.
Let
you
know
that
so
moving
into
our
presentation.
E
So
the
areas
of
audit
emphasis
are
generally
a
lot
of
the
larger
line
items
on
the
financial
statements
as
well
as
those
areas
where
there
are
significant
estimates.
The
first
is
the
revenue
recognition.
This
is
a
very
significant
line
item
at
4.1
billion
in
total
revenue.
We
look
at
different
types
of
revenue.
E
Investments
in
financial
instruments
is
another
area,
focus
they're
very
significant
at
the
city
at
approximately
1.2
billion,
so
we
do
confirm
that
the
investments
exist
with
the
custodian.
We
look
at
the
market
value
of
those
investments,
as
well
as
the
carrying
value
of
them,
and
we
look
at
whether
there
are
any
impairments
that
we
will
require
would
would
would
be
required
to
be
recognized
on
the
financial
statements
and
we
didn't
identify
any
issues.
E
Another
area
of
focus
is
employee
future
benefits.
There
are
a
lot
of
assumptions
in
employee
future
benefits
and
we
have
we
obtained
the
actuarial
valuation
from
the
cities
actually
actuaries,
and
we
actually
have
insight
in-house
actuaries
as
well
that
review
the
actuarial
valuation.
We
look
at
the
specific
assumptions
around
the
OC
Transpo
pension
plan,
the
CEO
SF,
so
superannuation
fund,
post
employment
and
retirement
benefits,
as
well
as
the
WSIB
accrual.
We
did
identify
two
differences
which
were
not
adjusted
on
the
financial
statements
are
corrected.
E
They
both
relate
to
issues
that
were
identified
in
prior
years
and
continue
in
the
current
year.
The
first
relates
to
the
superannuation
fund,
where
the
city
is
not
accruing.
The
cost
of
indexation
of
that
plan,
which
is
approximately
this
estimated
at
fifteen
point
five
million,
resulting
in
an
understatement
of
the
liability,
and
the
second
is
related
to
a
pre-existing
plan,
provision
of
approximately
6.5
million,
which
should
be
an
increase
to
the
liability
and
should
have
been
taken
in
a
prior
year,
but
is
being
amortized
into
the
liability
over
the
expected
average
remaining
service
life.
E
E
Other
area
focuses
tangible
capital
assets,
as
Isabel
mentioned.
These
are
a
significant
asset
on
the
financial
statements
at
16
billion
dollars.
So
we
do
do
a
fair
amount
of
work
around
additions,
disposals
amortization.
We
do
an
extensive
data,
analytic
program
with
all
of
the
data
from
the
city's
financial
statements
related
to
the
tangible
capital
assets,
and
we
also
review
significant
agreements.
In
this
case,
we
focused
on
the
Ottawa
light
rail
transit
agreement
and
how
the
costs
and
related
transfer
payments
and
commitments
were
recorded
in
the
financial
statements.
E
As
a
result
of
our
work,
we
did
identify
a
couple
of
differences
in
this
area
as
well,
both
again
related
to
prior
years
that
are
flowing
through
the
statements
in
the
current
year.
One
related
to
an
overstatement
of
the
depreciation
expense
in
the
current
year,
resulting
in
an
understatement
of
the
annual
surplus
of
15.5
million
and
the
second
related
to
an
overstatement
of
the
tangible
capital
asset
balance
of
approximately
13.5
million,
which
is
being
amortized.
It's
a
delayed
amortization,
so
it
is
resulting
in
an
understatement
of
the
annual
surplus.
By
about
point,
4
million.
E
We
focus
also
on
commitments
and
the
disclosure
related
to
commitments.
We
look
at
the
existence,
completeness
and
valuation
of
those
commitments
and
specifically
related
to
the
note
disclosure
in
the
financial
statements
and
we
focus
on
the
net
long-term
debt,
which
is
also
a
significant
balance
in
the
city's
financial
statements.
We
confirm
the
debt
the
occurrence
of
the
repayments.
We
verify
the
completeness
of
the
principal
and
the
related
disclosure,
as
well
as
the
interest
expense.
We
did
identify
a
difference
that
was
also
existed
in
the
prior
year.
E
Financial
statements
exist
again
in
the
current
year,
which
is
the
netting
of
225
million
of
long-term
receivable
with
long-term
debt.
We
would
generally
expect
this
to
be
shown
gross,
but
the
city
has
shown
at
net,
because
the
substance
of
the
transaction
is
that
these
two,
the
receivable
and
the
payable
mimic
each
other
in
their
payment
streams
and
are
expected
to
be
received
and
repaid
on
on
a
direct
essentially
directly
as
one
comes
in
the
other
goes
out
it.
The
same
is
done
with
the
interest,
income
and
expense
related
to
that
transaction.
E
It
does
result
in
an
understatement
of
total
financial
liabilities,
but
also
an
understatement
of
total
financial
assets.
So
the
net
impact
is
nil
on
the
net
debt
and
no
impact
on
the
annual
surplus
and
minimal
impact
on
the
city's
debt
service
ratio
in
the
final
area.
I
won't
go
into
a
lot
of
detail.
E
There
were
a
couple
of
other
myths
and
uncorrupted
differences
that
were
identified
primarily
related
to
payables
that
were
recorded
just
in
the
wrong
year,
so
essentially
a
cutoff
issue
which
results
in
an
overall
understatement
of
the
annual
or
surplus
of
approximately
4.4
million.
All
other
differences
were
corrected
by
management.
There
were
five
new
accounting
standards
implemented
by
the
city
this
year
and
we
were
comfortable.
E
F
E
F
F
D
For
this
cos,
f-fine
it
fund
itself
funds
55%
of
the
indexation,
the
city
annually.
We
put
in
our
budget
the
remaining
45%
to
bring
it
up
to
100%,
that's
approved
every
year
as
part
of
the
budget.
At
any
point
in
time,
Council
could
decide
not
to
supplement
that
amount,
and
so
that's
why
we
don't
show
it
as
a
future
commitment.
Okay,.
G
G
The
one
thing
that
I
noted
was
in
terms
of
as
people
move
on
to
retirement
the
the
expense
of
long-term
disabilities
and,
of
course,
if
there's
any
major
changes
coming
up
due
to
pressures
from
provincially
we're
going
to
have
more
of
that.
Is
this
something
that's
just
sort
of
getting
more
out
of
control
that,
in
terms
of
the
the
costs
of
actually
laying
people
off.
D
Are
you
responding
to
the
future
benefits
and
liability
yeah
that
that
is
an
amount
that
increases
with
each
of
the
claims?
So,
for
example,
you
WSIB
and
Ltd
for
those
claims
we
add
additional
liability
for
future
claims,
there's
an
actuarial
assumption
and
estimation
done
for
those
future
claims
every
year.
Those
claims
are
increasing
and
that's
what's
reflected
what
that's
what's
reflected
in
those
increases.
So.
D
H
Thank
you,
Thank
You,
mr.
chair
and
just
follow-up
on
the
council's
Kavanagh.
So
I
almost
I
asked
the
same
question
daily
about
the
unfunded
liability.
Are
we
in
in
compared
to
other
municipality
of
our
size?
Are
we
have
enough
funding
forceful
for
that
fire
for
the
unfunded,
because
one
thing
becomes
heaven
I'll
touch
on
and
I
think
it's
not
just
in
all
municipalities
cross
everywhere.
There
is
more,
you
know
more
you
paying
sometimes
more
than
but
you
have.
D
So
then
we
completed
a
full
review
of
our
reserves
and
the
unfunded
benefits
liability
was
one
of
them.
M&Amp;P
came
in
and
looked
at
our
risk
using
a
risk
management
framework.
Looking
at
what
is
how
much
do
you
want
to
put
us
out?
You
don't
want
to
put
a
hundred
percent
of
that
liability,
because
it
is
just
an
estimate.
D
You
want
to
put
away
a
reasonable
amount,
and
so,
in
those
years,
when
you
are
short
in
your
budget,
you
could
draw
down
on
those
reserves
and
the
they
recommended
that
we
maintain
I
believe
it
was
around
twelve
percent
of
the
overall
liability
as
a
reserve
and
the
remain
would
reign.
There
would
be
unfunded
and
that
was
based
on
best
practices.
Okay,.
H
So
it,
and
so
we're
still
followed
the
best
practice
without
the
other
question
is
about
the
22
million
dollar.
You
talk
about
the
the
endowment
from
hydro
investment.
You
said,
22
million.
Is
that
a
set
number
or
I
thought
the
number
was
anything
over.
20
million
can
go
back
to
the
operation
because
some
some
of
our
card
put
something
to
that
perspective
to
be
spent
if
it's
over
20
million,
but
in
me,
is
when
you
mention
22.
Is
there
a
set
number
in
your
mind
so.
D
That's
it's
actually
I
rounded
up
it's
twenty
one
point:
nine
million
and
that's
what
we
would
have
received
in
20:18,
reflecting
2017
operations,
anything
over
the
20
million,
but
in
our
financial
statements
we
report
the
full
21.9
and
then
but
anything
over
and
above
the
20
million.
That's
what
we
would
use
for.
Yeah
and
Marian
can
answer
at
the
row.
So
counselor.
I
There's
two
things
with
Hydra:
one
is
the
endowment
fund
and
that's
where
your
200
million
reference
is
to
and
we
earn
six
and
a
half
percent
on
that
fund,
but
that's
not
part
of
what
they
that's
just
part
of
normal
operations.
What
they're
referring
to
is
the
actual
dividend
itself
and
we
budget
every
year,
20
million
for
the
dividend,
and
last
year
we
received
21.9.
So
that's
the
reference
so
there's
there's
actually
two
sources
of
funding
coming
in
from
one
directly
from
hydro
and
one
from
when
we
basically
cashed
in
the
debt
several
years
ago.
I
J
A
Thank
you
very
much.
I
have
a
couple
of
questions
and,
and
it
picks
up
on
counselor,
Cavanaugh's
and
counsel
else,
Antares
questions
with
respect
to
future
liabilities
and
pension
and
health
I
see
on
our
report
on
page
26,
page
29,
I,
believe
health
care
inflation
rate
is
currently
at
2%
and
future
5.9
percent.
D
That
this
is
these
are
amounts
that
are
developed
by
our
actuaries
immerser,
conducts
a
review
every
three
years
and
provides
these
estimates.
There's
three
inflation
estimates
there's
one
for
overall
inflation,
which
is
at
2%,
there's
a
salary
increase
estimate
of
one
point:
nine,
nine
to
two
point:
five:
the
five
point:
nine
was
actually
graded
down
to
four
percent
and
that's
the
one
related
to
inflation
rate
related
specifically
to
health
care,
so
they
have
an
inflation
rate
associated
with
the
healthcare
costs
and
it
was
at
five
point:
nine.
A
A
E
Do
in
the
city
engages
actuaries
to
do
the
evaluation,
and
then
you
I,
as
part
of
our
audit
process,
has
internal
actuaries
as
well.
That
review
the
city's
actuaries
valuation
and
particular
look
at
the
assumptions
and
make
sure
they're
reasonable
and
resulting
in
an
appropriate
liability
on
the
financial
statements.
A
Since
the
close
of
these,
since
the
closes
these
financial
statements,
there
was
a
significant
accident
and-
and
we
were
served
with
a
notice
of
lawsuit
yesterday-
and
the
provincial
government,
which
is
a
funder
of
the
City
of
Ottawa,
has
has
said
that
there
there
would
be
cuts
and
then
they
reversed.
How
does
this
enter?
How
do
these
events
enter
into
your
report
with
respect
to
subsequent
events
and
future
liabilities?
Are
you
able
to
to
provide
us
assurance
that
you
you
are
that
these
are
accounted
for
and
reported
on.
E
So
the
event
happened
after
the
UN,
so
it
is
a
subsequent
event.
We
look
at
whether
it
is
determinable
and
whether
an
estimate
can
actually
be
made
at
this
point
in
time.
We
wouldn't,
as
we
wouldn't
accrue
in
the
2017
financial
statements,
because
the
event
took
place.
Sorry
in
the
2018
financial
statements,
because
the
event
took
place
in
2019,
but
it
is
something
that
is
caught
up
in
your
general
disclosure
related
to
your
contingent
legal
liabilities
and
I.
E
E
G
Thank
you,
I
have
a
question
in
terms
of
the
surplus
for
most
people
out
there.
They
look
at
the
numbers
and
they
see
that
in
2018
we
have
a
higher
annual
surplus
and
wonder.
You
know
why
we
didn't
spend
more
money
on
on
programs
etc,
and
one
of
the
biggest
factors
that
we
saw
in
terms
of
what
we
expect
will
see
more
spending
on
is
winter
maintenance
it's
a
beautiful
day
outside
today,
but
we
know
all
know
how
much
work
and
and
how
much
effort
it
took
this
winter
on
winter
maintenance.
D
Yes,
so
there's
a
difference
between
what
we
budget
and
what
we
report
in
terms
of
our
financial
statements.
Financial
statements
are
reported
on
an
accrual
basis,
and
it
includes
non-cash
items
so
for
I
would
give
an
example
contributed
capital
developers
put
in
assets
on
behalf
of
the
city.
That's
considered
contributed
capital,
it
shows
us
as
a
number
within
our
surplus,
but
it's
not
money
that
actually
came
over
to
the
city
that
we
have
to
spend,
and
so
what
that's?
G
Thank
you,
I'm
used
to
school
board
where
a
surplus
meant
that
we
have
our
enrollment
went
up
and
it's
always
hard
to
predict,
and
you
know
it's
one
of
those
things
that
we
we
don't
know
in
advance
and
we
just
have
to
budget
as
close
as
possible.
So
so
it's
a
little
different
here,
but
but
in
terms
of
overall
spending,
it
looks
like
that.
We,
you
know
we
could
have
spent
a
bit
more
like
on
our
programming,
because
that's
a
significant
difference,
almost
50%
more
from
the
year
before
it
was,
it
was
I.
G
D
When
I
just
need
some
clarification,
when
you
say
50%
more,
you
talk
about
the
462
million
versus
the
609
again,
those
are
mostly
non-cash
of
reflections.
The
the
surpluses
were
like
on
a
cash
basis.
The
surpluses
were
fairly
consistent
between
2017
and
2018,
so
it
would
have
been
additional,
contributed
capital
and
changes
in
depreciation
and
those
non-cash
items.
Okay,
so
in.
A
Budget
is
done
on
a
cash
basis,
while
the
the
financial
statements
are
done
on
an
accrual
basis,
and
thus,
the
and
and
in
in
your
report,
there's
a
reconciliation
of
those
yes,
which
perhaps
we
could.
We
could
talk
about
with
any
any
interested
member
of
counsel.
How
that
copy
of
that?
Oh,
thank
you
so
making.
A
Thank
you
seeing
no
further
questions.
The
report
recommendation
is
that
the
Audit
Committee
recommend
Council
approved
the
draft
2018
City
of
Ottawa
consolidated
financial
statements.
Is
that
carried
carried?
Thank
you
very
much,
and
thank
you
very
much
for
your
free
report
and
for
your
service
on
to
item.
Excuse
me
on
to
item
number
three
and
the
office
of
the
Auditor
General
report
on
audit
follow-ups,
and
while
they
are
while
are
the
Auditor
General
is,
is
taking
a
seat.
I
will
ask
the
vice
chairman
to
introduce
a
motion.
Please.
A
Thank
you
for
sharing
that
Carrie
Carrie.
Thank
you.
So
the
Auditor
General
is
going
to
present
a
report
on
six
audits,
six
audit
follow-ups
that
he
and
his
office
have
completed
and
in
discussion.
We
will
stop
at
the
end
of
each
audit
for
questions
by
members
of
the
committee,
and
that
is
because
for
continuity
and
efficiency,
and
because,
as
I've
said
before,
we
will
be
revolving
into
into
a
closed
session,
and
so
I
will
leave
that
to
the
artery
general.
Please
I.
B
B
B
I'm
joined
at
the
table
by
the
two
deputy
Auditor
General's,
Sonya,
Brennan
and
ed
minor
Illya.
Do
verification
that
eyelash
wanna
be
sure
ed
minor,
a
Madame
Sonja
Brennan
I'd,
also
like
at
this
time
to
I,
know
be
going
in
in-camera
at
the
end,
but
I
didn't
want
to
go
any
further
without
thanking
the
efforts
put
into
these
into
this
work
by
the
staff.
The
the
management
and
the
staff
provide
time
to
us
when
we
do
the
audits
and
then,
of
course,
the
provide
time
to
us
again
later
when
we
do
the
the
follow
ups.
B
So
mr.
chair
I
would
like
to
to
reiterate
the
the
process
that
we
go
through
in
the
field
work,
whether
we're
doing
an
audit
or
whether
we're
doing
a
follow-up.
We
always
kick
off
our
our
project
with
a
meeting
with
staff,
and
then
we
provide
debriefings
throughout
the
course
of
our
work
and
they
can
be
they
can
be
anytime,
and
once
we've
completed
our
work,
we
debrief
the
management
of
the
area
under
audit
or
under
follow-up.
B
We
and
we
indicate
our
findings.
We
prepare
a
draft
report,
it's
sent
to
a
staff
for
fact
review
and
that
that
can
take
four
to
five
weeks,
depending
on
the
complexity
of
the
of
the
area
under
review.
And
then
we
prepare
a
final
report
where
we
require
management
comments
and
once
again,
that
can
take
another
four
to
five
weeks.
Now
that
time
period
can
change
depending
on
activities
within
the
area
under
review,
and
there
are,
there
have
been
instances
where,
for
example,
an
activity
like
the
flood.
B
B
So
the
standards
also
indicate
that
the
timing
and
scope
of
both
audits
and
follow-ups
or
at
the
discretion
of
the
Auditor
General
but
I,
can
assure
you
that
that
before
we
do
any
work,
we
absolutely
make
sure
that
we
provide
adequate
notice
before
we
go
in
and
we
ensure
that
we're
not
going
to
that.
We're
going
to
minimize
the
effect
on
the
operations
of
the
the
area
under
review.
B
So
Michelle
appraises
now
the
processes
the
verification
can
park
at
f--
as
the
lake
at
faso,
la
planificación
de
travis,
related
a
elective,
let
abysmal
the
report,
a
finalement
of
has
the
suivi
larezo.
Also
do
a
poor
marino,
say
the
discreet
a
lease
we
V.
There
are
four
phases
in
in
our
audit
process.
The
planning
phase
the
fielding
fieldwork
phase
before
we,
where
we
actually
go
in
and
do
the
work.
B
The
reporting
phase,
where
we
developed
a
draft
report
and
a
final
report,
and
we
present
that
to
the
council
in
our
annual
report,
as
we
did
last
month
and
then
the
follow-up
phase
and,
of
course,
today
we're
presenting
reports
from
that
final
phase.
So
we
conduct
follow-up
reports
on
all
audits
and,
as
I
indicated,
we
generally
wait
to
three
years
after
an
auto
report
is
completed,
to
provide
ample
time
for
the
management
to
implement
the
recommendations
and
the
follow-up
really
closes
the
circle.
B
B
We
present
an
audit
report
and
then
management
promises
to
counsel
in
that
out
report
that
they're
going
to
implement
those
recommendations
within
a
certain
time
period,
and
then
we
do
this
follow-up
to
check
on
the
promises
that
were
made
to
to
counsel,
and
we
report
back
to
committee
and
counsel
with
the
with
the
the
progress
on
that
implementation,
leras
or
the
suivi.
The
verification
permit,
the
beautiful
guru,
the
verification
general,
the
very
FINA
program,
complete
paladin,
actual
survey,
they
project
the
verification.
B
B
So
when
we
did
those
three
audits
in,
I
T
we
brought
in
outside
experts
to
help
us
to
perform
that
audit,
and
we
indicated
that
to
you
when
we
provided
the
reports,
and
it's
no
surprise
that
that
we
brought
in
experts
from
KPMG
to
assist
us
in
the
the
follow-up
to
those
audits
to
ensure
that
we
had
acknowledged
experts.
Looking
at
that
area
of
expertise.
B
Looking
at
that's
a
subject
area,
the
final
item
will
be
provided
in
camera
when
we
presented
that
audit
a
couple
of
years
ago,
that
audit
was
was
presented
in
camera
and
there
will
be
no.
There
was
no
reporting
out
and
other
than
indicating
the
progress
on
the
recommendation.
So
far
on
that
audit
everything
will
be
presented
in
camera.
B
So
saluted
I
can
use
agave,
it's
say,
Claire
the
direction
of
Sargassum
respect
a
and
the
process.
The
verification
and
I
can
confirm
to
our
committee
that
management
continues
to
be
committed
to
the
audit
process
and
you'll
see
that
there
has
been
some
progress
on
implementation
of
the
recommendations
in
all
of
the
reports
that
that
were
providing
here,
Sankranthi
spore,
so
they
recommend
a
she
also
completed.
A
third
set
for
Sunday
recognize
Sharon
santanico.
B
Mr.
chair
50,
56
percent
of
the
the
recommendations
from
the
six
audit
reports
of
representing
today
are
complete
and
37
percent
of
the
recommendations
are
in
process
parameter,
mala
verification.
The
Persian
the
lecturer
at
MIT
is
eight.
They
can
tell,
though,
the
gestural
implement
a
tool,
a
recommendation
or
don't
pour
new
in
the
public
who
the
who
know
the
ideas,
so
no
verification.
K
Morning
sure
the
first
report
that
were
giving
the
results
of
our
follow-up
on
is
the
audit
we
did
of
the
automated
meter
reading
project
that
audit
can
conclude
for
recommendations
and
we
found
that
all
of
them
had
been
fully
implemented.
So
we
have
no
real
further
detail
comments,
although
we
willing
to
entertain
any
questions,
should
there
be
any
gave.
L
Good
morning,
mr.
chair,
the
original
audit
of
accounts
payable
was
an
independent
assessment
of
the
control
framework
in
place
for
the
processing
of
City
payables.
In
this
audit
opportunities
were
identified.
Opportunities
were
identified
in
the
use
of
potential
use
for
more
automation,
with
the
technology
already
available,
to
drive
greater
process
efficiency
and
to
maximize
potential
cost
savings.
We
also
identified
areas
where
there
were
specific
controls
that
we
felt
should
be
strengthened
in
this
process.
L
Seven
recommendations
were
made
in
our
report
in
the
follow-up
you'll
see
that
we
concluded
to
were
fully
complete
three
partially
complete
one
not
started,
and
one
no
longer
applicable.
With
respect
to
the
three
partially
completed
recommendations.
The
audit
we
recommended
that
for
a
key
control
where
enhanced
system
access
is
granted.
So
this
is
within
the
financial
system,
si
P
there
is
ability
for
users
to
have
what's
called
enhanced
system,
there's
a
risk
with
this
type
of
access
in
the
granting
process.
So
there
are
specific
controls
around
it.
L
Where
there's
a
check
to
make
sure
the
conflict
is
within
a
sort
of
a
risk,
tolerance
and
then
it's
it
appropriately
approved.
We
had
recommended
that
when
this
occurs,
there's
a
procedure
written
and
that
it's
documented
that
this
has
been
done
by
the
employee
responsible.
What
we
found
in
our
testing
is
that
the
documentation
wasn't
consistently
kept,
so
there
was
no
way
to
assure
whether
or
not
the
actual
control
would
be
carried
out
every
time.
L
So
in
summary,
there
wasn't
really
assurance
that
the
penalties
were
being
recorded
or
tracked
and
really
the
the
reasoning
behind.
That
was
that
you
know
if
we're
tracking
those
expenses
management
can
see
that
they're
incurring
charges
that
are
unnecessary
and
they
can
take
actions
to
prevent
that
from
occurring
again
and
and
third
item
that
was
partially
complete.
The
original
audit
recommended
that
the
city
leverage
existing
technology
to
automate
monitoring
of
potential
discounts,
so
another
potential
for
cost
savings
on
invoice
payments.
L
The
system
enhancements
they
were
deferred
and
they'll,
be
addressed
with
a
new
solution.
So
the
existing
solution,
where
this
was
to
take
place,
is
being
replaced.
A
management's
indicated
that
will
occur
sometime
in
2020,
so
they've
deferred
that
particular
action
and
we'll
we'll
look
to
address
it
in
the
with
a
new
solution.
L
In
terms
of
the
item
that
we've
assessed
has
not
started.
We
had
we'd
recommended
and
management
agree
that
a
control
related
to
fraud
risk
and
this
control
is
around
the
ability
to
change
sensitive
what
we
call
vendor
master
information.
So,
within
the
financial
system,
there's
a
database
of
the
vendor
information,
so
vendors
name,
address
and
banking
information,
so
the
ability
to
change
this
information
has
to
be
carefully
controlled
and
with
appropriate
approvals,
we
had
recommended
that
the
they
embed
the
control
right
in
the
system,
so
there's
no
bypass.
L
It's
it's
right
right
in
the
system
and
the
the
user
or
the
administrator
can't
can't
change
the
information
without
appropriate
approval,
and
that
approval
involves
seeing
that
there's
adequate
documentation
for
that
changes
were
made
to
the
process,
but
we
didn't
they
didn't
they
weren't,
specifically
the
same
as
what
we
we'd
recommended.
In
our
opinion,
they
didn't
address
that
that
area
of
risk
management
is
indicated
that
again
with
the
new
solution
that
they
would
that
they
would
address
this
particular
item
with
that
implementation.
L
L
That
means
what
we
had
found
that
there
was
there
was
no
way
to
to
prevent
or
detect
a
situation
when
a
vendor
when
an
invoice
from
a
vendor
was
paid
with
a
p-card.
If
that
vendor
also
emailed
the
invoice
directly
to
accounts
payable,
it
could
be
processed
again
and
paid
without
necessarily
being
noticed.
L
This
was
a
weakness
in
the
control
area
that
that
was
already
known
by
accounts
payable
they'd
indicated
that
they're
looking
on
a
way
to
to
resolve
the
issue
and
automate
the
information
so
that
they
could
they
could
analyze
and
detect
whether
or
not
there
are
any
duplicates
paid.
Through
this
method,
we
recommended
that
they
notify
purchasing
card
users
of
this
risk.
L
We're
not
sure
that
people
knew
that
this
was
a
possible
risk
to
let
them
know
that
they
were
responsible
to
put
in
a
process
to
make
sure
that
they
prevented
duplicate
payments
that
could
occur
through
this
method.
We
have
seen
that
that
notification
has
been
done
so,
as
you
you've
heard
there,
a
number
of
actions
incomplete
and
some
of
which
will
be
addressed
by
solution
replacing
the
existing
technology
in
in
approximately
a
year's
time.
So
I
can
answer
any
questions.
If
you
have
any
so.
F
L
It's
the
responsibility
of
the
cardholder,
so
each
business
area
has
people
responsible
for
the
purchasing
cards
and
then
they
may
have
say
more
other
people
who
are
processing
payments
through
the
system.
So
if
one
doesn't
see
the
other
and
an
invoice
is
sent
twice
or
pay,
it
could
be
paid
two
times.
F
F
Well,
do
we
agree
that
it
doesn't
make
sense
that
the
cardholder
does
not,
like
you
know,
Kevin
while
he's
here
he's
got
people
that
have
a
credit
card
to
go
out
and
get
you
know
what
they
have
to
buy
plywood
to
fix
something.
Why
should
they
be
responsible?
Make
sure
that
the
the
building
supply
company
doesn't
send
an
invoice
in
through
finance
I'm,
not
following?
Why
wouldn't
we
make
a
recommendation
that
accounts
payable
takes
responsibility
for
that?
The.
L
It's
within
the
business
process
they've
set
up,
who
has
responsibility
to
pay
invoices
or
control
and
monitor
purchasing
cards,
so
really
the
the
recommendation
that
we
made
isn't
specific
to
who
exactly
carries
it
out,
but
each
business
unit,
the
that
responsibility
and
they
all
do
they
need
to
look
at
what
they're
doing
and
make
sure
that
between
the
nut,
the
different
people
who
approve
payments
that
they
have
something
in
place
that
will
will
detect
these
things.
We
didn't
specify
that
it
was
the
purchasing
card
holders
because
it
may
not.
L
M
Mr.
chair,
it's
the
responsibility
of
the
person
making
the
purchase,
whether
they're,
paying
with
a
purchasing
card
or
approving
an
invoice
to
make
sure
that
they
are
only
approving
that
invoice
once
and
that
the
invoice
is
correct
and
they've
received
the
goods
and
they're
to
the
satisfaction
in
the
city
and
so
whether
that's
being
received
by
an
invoice
through
accounts
payable.
That
would
then
be
workflow
to
the
user
or
with
the
purchasing
card
directly.
It's
that
individual,
that's
responsible
for
ensuring
the
correctness
of
the
payment.
F
So
if
it
comes
in,
let's
use
that
scenario
I
drew
them
and
I
hope
Kevin
doesn't
mind,
we'll
use
them
as
an
example.
If
he
makes
a
purchase
on
the
card,
he's
obviously
responsible
to
make
sure
that
the
proper
documentation
of
that
purchase
with
the
card
is
submitted
for
approval,
but
if
they
send
an
invoice
they
be,
and
let's
say,
cash-
wait
because
they're
out
of
business,
okay,
cash
weigh
sends
an
invoice
to
the
City
of
Ottawa.
F
M
M
F
M
F
M
Mr.
charity,
the
account
to
capture
the
late
fees
was
created.
The
finding
was
around
the
communication
around
how
that
information
is
coded
in
the
system.
That
communication
has
been
updated
as
part
of
the
contract
administration
policy
and
associated
training
that
was
developed
in
response
to
the
audit
of
Road
services,
where
we
go
through
the
responsibilities
of
invoice,
receipt
and
approval
and
the
associated
components.
But.
M
That's
right:
this
is
ongoing
training,
that's
going
to
be
provided
regularly.
We
are
providing
this
this
training
across
the
corporation.
In
addition,
as
a
result
of
changes
made
to
the
construction
act,
which
are
implementing
a
prompt
payment
regime
and
associated
penalties,
we
are
working
with
our
high
volume
invoice
approvers
to
ensure
that
they
have
a
process
to
pay
their
invoices
in
accordance
with
the
legislation
and
not
incur
late
fees.
B
B
M
The
contract
administration
policy
was
finalized
in
December
of
last
year
and
the
training
is
being
implemented
throughout
this
year,
beginning
with
Road
services
and
then
across
the
corporation,
so
not
everybody's
at
each
other.
Not
everyone
has
received
the
training
yet,
but
the
policy
is
in
place
which
governs
all
contracts.
F
Okay,
not
everybody
is
trained.
Yet,
what's
the
timeline
to
get
everybody
trained
and
on
important
issues
such
as
late
fees,
would
it
not
make
sense
to
send
some
sort
of
a
memo
out
as
well
so
that
they
know
the
ones
that
are
using
it?
I
think
you
said
the
high-volume
users
are
being
trained
first
or
no.
That.
M
That
is
correct
in
it
well,
in
accordance
with
the
construction
act
changes.
So
what
I
would
say
is
that,
as
part
of
the
contract
Paul
that
contract
administration
policy
update,
communication
was
sent
out
across
the
corporation,
including
through
management
updates,
to
make
sure
that
those
people
that
are
responsible
for
administering
contracts
understand
their
roles
and
responsibilities.
M
In
addition,
we
have
an
another
layer
of
training
which
goes
through
not
only
invoice
approval
processes,
but
also
dealing
with
supplier
performance
and
in
general
contract
administration,
which
we
are
rolling
out
as
an
enhanced
level
of
training
over
and
above
the
policy.
So
the
communication
has
been
forwarded
across
okay.
Thank.
F
You
so
my
last
question
and
is
on
the
I
believe
two
of
the
six
recommendations.
At
the
time
of
your
follow
up.
Mr.
auto
general
I
believe
two
of
the
six
recommendations
were
done
and
when
I
read
the
report,
it
says
they're
following
up
on
the
other
four,
but
isn't
that
typically,
the
response
of
the
original
audit
I'm
a
little
concerned
that
that's
what
you're
getting
at
the
follow-up
stage,
because
shouldn't
everything
basically
be
implemented
by
the
time
you
do
the
follow
up
as
a
not
the
expectation.
B
Mr.
chair,
when
we
decide
to
to
do
our
follow
ups,
we
look
at
the
the
management
comments
from
the
original
audit
where
they
indicated
when
they
would
be
implementing
the
the
solutions
to
the
recommendations
and
that's
why
we
give
two
to
three
years
generally
before
we
go
in
to
do
that
work.
This
audit
was
presented
in
2015
and
we
did
our
work
in
the
late
summer
and
fall
of
2000
and
and
18,
and
this
was
what
we
found
that
some
of
the
items
hadn't
been
completed.
Thank.
F
M
Mr.
chair,
following
the
audit,
there
were
two
unexpected
changes
in
the
technology
marketplace,
both
on
how
si
P
administers
its
payment
modules
and
a
notice
to
the
city
that
the
mark
view
system
would
be
discontinued
effect
at
the
end
of
this
year,
and
so
we
determined
it
would
not
be
in
the
city's
best
interest
to
invest
in
configuration.
Changes
to
software,
we
know
need
to
be
replaced.
So
we
have
taken
the
recommendations
and
made
these
key
business
requirements
of
the
new
source
to
pay
solution
which
is
to
be
implemented
in
q1
of
2020.
C
C
So,
are
you
saying
that
you're
not
based
on
the
recommendation,
you
have
three
partially
your
43%
working
on
them
and
then
there
is
a
recommendation
as
I
understood
that
it's
going
to
be
pushed
to
2020
and
that's
because
what?
If,
because
that
the
software
is
you're
not
going
to
spend
you're,
not
going
to
put
resources
to
reconfigure
what
we
have
right
now?
Are
we
implementing
something
in
you
in
2020.
M
C
My
second
that
lead
for
my
next
question
was
we
are
we
comparing
year
after
year,
because
this
audit
done
in
2015
I
know
we
have
follow-up
in
2018,
but
are
we
making
sure
that
the
numbers
are
decreasing
not
increasing
by
making
sure
we're
not
double
paying
the
payment
and
adding
some
other
process
to
make
sure
to
cross
our
eyes
and
making
sure
we're
not
doubling
and
paying
over
payment
for
the
unpaid
bills?
That's.
M
C
M
So
this
recommendation
had
to
do
with
the
automation
of
the
vendor
master
maintenance
controls
how
vendor
master
information
is
maintained
in
the
new
solution
may
be
different
than
how
it
is
currently
maintained
in
core
si
P,
and
so
as
a
result.
This
is
also
a
recommendation
be
addressed
as
part
of
the
new
tool
in.
C
H
L
L
That
was
over
a
period
of
one
year.
Duplicate
payments
are
not
not
uncommon,
but
certainly
we
want
to
ensure,
as
does
accounts
payable,
that
that
the
city
prevents
them
is
the
better
approach,
because
it
there's
cost
and
time
and
effort
after
the
fact
once
you've
done
it
to
to
then
recover
that
cost
and
investigate
those
those
payments.
It's
always
better
to
have
good
controls
in
place
at
the
front
end
to
prevent
them
from
happening,
but
there's
also
a
duplicate
payment
check
analysis.
H
You
know
it's
a
good
measure
and
obviously
doesn't
matter
what
the
amount
is
is
still
City
taxpayers
money
we
need
to
protect,
but
at
the
same
time
it's
good
sometimes
to
put
it
into
perspective,
because
obviously
the
city
do
a
lot
of
payment
out.
So
in
a
real
life,
that's
a
very,
very
small
percentage
if
we're
gonna
put
it
in
a
percentage
perspective.
H
Now,
because
what
we
hear
is
the
other
way
around
people
complain
how
the
city
quickly
too
charge
them
delay
payment
or
something
to
their
soul,
elect
you
know
how
much
you
collect
from
the
other
side
of
this
world,
like
in
overpayment
from
resident
or
delay
payment,
I
should
say
well.
People
are
delay
in
payment.
How
much
we
collect
a
year.
M
So
mr.
chair,
the
the
city
has
a
prompt
payment
opportunity
as
well.
In
2015,
the
the
city's
achievement
rate
was
45%
and
we
were
we
received
around
four
hundred
and
eighty
thousand
since
that
time,
we've
taken
an
opportunity
to
apply
a
more
strategic
perspective
to
how
we
monitor
prompt
payment
opportunities,
have
an
increase
that
achievement
rate
to
over
90
percent
and
1.2
million
dollars.
Okay,.
J
J
How
many
invoices
are
issued
each
year,
but
I
can
I
can
well
imagine
they're
in
the
thousands
right
in
the
initial
audit
we
I
noticed
it
cost
us
almost
well
over
$8
in
to
issue
an
invoice,
and
that's
indicated
as
one
of
the
second
highest
costs
in
the
province
and
I'm.
Just
wondering
who
do
we
compare
to
and
why
is
it
so
expensive
to
issue
an
invoice.
M
So
mr.
chair,
to
answer
your
first
question,
the
city
processes
around
300,000
invoices
a
year
if
I
understand
correctly,
that
the
cost
is
with
a
payment
by
cheque,
not
the
receipt
of
the
invoice.
We've
actually
gone
through
a
process
to
eliminate
check
payments
for
trade
payable
vendors,
and
this
was
completed
at
the
end
of
2017.
But.
M
M
M
J
You
for
that
my
next
question
and
it
relates
to
recommendation
1
on
on
the
audit
and
it's
the
city,
was
to
formalize
the
requirement
to
retain
documentation
and
we
find
that
the
Auditor
General
has
determined
that
documentation
is
not
always
retained
and
documentation.
We
need
in
order
to
track
everything,
we
need
the
documents.
So
if
the
documents
are
not
being
retained
as
per
the
recommendation
of
the
city,
audit
of
the
Auditor
General
and
management
has
responded
that
they
need
this
and
they
accept
this
recommendation
when
we
don't,
when
staff
do
not
retain
the
documentation.
J
D
This
was
related
to
a
specific
process
where,
when
we
were
assigning
a
delegation
of
duties
or
assigning
roles
and
responsibilities
to
an
individual
or
a
user,
to
make
sure
that
there's
segregation
of
duties
and
there's
a
report,
that's
gets
printed
by
ASAP
to
see
if
there's
any
conflicts
and
that's
the
report
that
was
not
retained.
So
there
they
went
through
the
entire
process,
got
approvals
from
the
supervisor
that
they
had
Authority
for
those
roles
and
responsibilities,
but
the
documentation
which
it
was
a
cess
AP
report,
and
that
was
just
two
incidents.
D
B
When,
when
we
find
that
there
are
processes
that
has
been
put
in
place
to
solve
a
particularly
if
it
isn't
being
followed
and
we
bring
it
to
their
attention
and
management,
corrects
their
process
to
make
sure
that
their
corrects
what
is
can
corrects
to
practices
so
that
they
follow
policy
and
procedures,
then
we're
satisfied
with
that.
Okay,.
G
You
very
much
I
really
appreciate
that
this
has
been
done.
I
see
this
is
sort
of
the
nuts
and
bolts
of
what
we
you
know
what
we
do
accounts
payable.
It's
you
know
it's
our
everyday
business
and
for
most
people
would
be
kind
of
boring,
but
it's
really
important
and
I'm
glad
that
it's
being
looked
at.
My
question
is
in
regards
to
how
we
compare
with
other
municipalities.
Is
this
something
that's
an
an
issue
for
other
municipalities
or
others
doing
better?
G
G
B
Chair
through
you
to
the
councillor,
there
was
a
there's,
a
practice
that
exists
in
the
in
in
the
province
called
the
Ontario
Municipal
benchmarking
index
and
some
participating
municipalities
submit
data
which
allows
them
to
compare
their
costs
or
their
activities.
Their
efficiency
against
other
municipalities
and
the
City
of
Ottawa
participated
in
that
project
for
a
number
of
years,
and
it's
my
understanding
that
that
that
we
no
longer
participate
in
some
areas.
Is
that
correct,
yep.
I
We
took
a
pause
on
it,
the
amount
of
effort
to
compile
the
data
and
submit
it
year
after
year
after
year
was
significant,
and
so
we
came
forward
to
Council
and
said
these
are
the
things
we're
going
to
stop
doing
for
a
while
until
we
get
ourselves
organized.
So
that's
the
reason
why
we
no
longer
participate
in
Army.
G
I
Was
it
was
most
of
the
municipalities
in
Ontario?
Unfortunately,
when
you're
the
second
largest
city,
you
don't
really
compare
with
almost
everybody
other
than
Toronto,
which
is
four
times
our
size,
and
then
your
next
is
basically
Hamilton,
which
is
half
our
size.
So
it's
it
becomes
problematic
to
compare
yourself
just
given
your
size,
but
it
was
an
initiative
that
at
least
the
the
significant
portion
of
municipalities
in
Ontario
participated
in
okay.
G
M
G
Thank
you,
I,
agree
that
you
know
comparing
ourselves
in
Ontario
was
not
very
effective.
It'd
be
more
useful
to
compare
ourselves
nationally,
because
there
are
other
cities
that
are
of
comparison
to
to
us,
and
you
know
not
trying
to
create
a
competition
between
municipalities,
but
it's
good
to
know
what
other
people
do
because
it.
You
know
this
is
everyday
stuff,
and
you
know
why
reinvent
the
wheel,
if
others
have
found
ways
to
prevent
some
of
the
concerns
we
have.
Thank
you
thank.
A
You
to
councillor
Cavanaugh
and
and
colleagues
just
a
couple
of
questions.
Mr.
McDonald,
with
back
to
the
sensitive
vendor
field,
just
want
to
point
out
first
a
comment
and
then
two
questions.
The
recommendation
by
the
Auditor
General
was
made
in
2015,
and
here
we
are
in
2019
and
and
we
are
looking
to
change
to
the
source
to
pay
in
2020,
but
nothing
has
been
done
in
that
in
that
period.
A
So
my
disappointment
that
in
four
years,
apparently,
nothing
has
been
done
on
that.
You
just
mentioned
that
other
municipalities
and
the
federal
government
are
implementing
source
to
pay,
and
that's
that's
new
information.
I
hadn't
seen
that
in
the
documentation,
my
question
was:
how
have
we
made
sure
that
source
to
pay
is
going?
Is
it
is
it
a?
Is
it
a
module
of
SA
P
is
source
to
pay
a
module
of
sa
P,
or
is
it
separate
so.
M
Mr.
chair,
the
the
source
to
pay
solution
that
the
city
has
selected
is
a
module
of
SA,
P.
Okay
and
it's
with
the
elimination
of
mark
view.
It's
provided
an
opportunity
for
the
city
to
look
at
how
to
integrate,
streamline
and
automate
a
number
of
the
tasks
that
are
being
completed,
completed
by
finance
procurement
and
accounts
payable,
which
are
currently
managed
in
fragmented
and
siloed
systems.
And
so
there
really
is
an
opportunity
to
improve
the
process
and
automation.
A
M
So
in
selecting
the
the
solution,
we
did
go
through
a
detailed
business
case,
analysis
and
market
assessment
to
ensure
that
a
solution
we
would
ultimately
select
would
meet
our
business
requirements.
We've
also
engaged
a
system
integrator
which
is
currently
taking
those
business
requirements,
including
the
audit
recommendations
and
designing
the
solution
to
be
configured
for
the
city,
which
is
on
which
is
underway.
Right
now
was.
A
So
there's
documentation
with
respect
to
the
risks
and
the
benefits
of
the
source,
to
pay
so
loose,
that's
correct
and
it
forms
part
of
the
business
case.
Okay.
My
second
question
is:
you
spoke
about
training,
with
respect
to
questions,
around
penalties
and
late
payments
and
that's
important
to
track
and
to
reduce
and
to
to
correct
errors,
and
you
spoke
about
training.
But
how
have
you
addressed
the
issues
of
ensuring
while
employees
have
been
trained?
What
process
is
in
place
to
ensure
that
the
procedures
are
being
followed
and
that
the
training
has
been
implemented?
M
So
mr.
chair,
the
contract
administration
is
a
departmental
responsibility.
Is
the
person
managing
the
contract
that's
responsible
to
ensure
that
they
are
adhering
to
the
policy?
That
being
said,
we
are
continuing
to
partner
with
the
groups
at
the
various
operational
departments
in
terms
of
training,
as
well
as
with
the
implementation
or
vendor
performance
management
program.
M
There
are
a
number
of
reviews
that
supply
Services
is
undertaking
to
make
sure
that
the
key
activities
associated
with
managing
vendor
performance
are
being
undertaken,
such
as
a
completion
of
expectations,
a
final
evaluation
and
review
of
any
non
performing
contractors
to
ensure
that
there
isn't
any
larger
issues
that
needs
to
be
addressed.
You're.
A
M
Mr.
chair
Accounts
Payable
would
not
be
in
a
position
to
identify
that
the
invoice
is
correct.
It
would
needs
to
be
the
person
that
is
receiving
the
goods
and
services
to
validate
that
they
have
received
the
goods
and
services
and
that
it
is
in
coordinates
with
the
contract
and
that
the
rates
are
correct.
Accounts
payable
is
responsible
for
administering
the
payment
process
following
that
approval
and
that.
A
Payment
process
is
separate,
it
is
there's,
there's
the
original
peel
or
order
of
goods
and
services.
But
the
issue
that
we're
dealing
with
is
because
of
a
system
breakdown
or
an
error
which
happens
that
there
is
additional
costs
incurred
by
the
city
by
the
taxpayers
of
our
city,
and
that
is
what
we
want
to
reduce
and
so
I'd
like
to
know.
A
B
K
Mr.
chair,
the
next
dot
have
we
followed
up,
was
the
2014
audit
of
winter
operations,
capacity,
planning
and
performance
measurement?
We
found
17
of
the
20
audits
had
been
fully
implemented
and
three
were
had
been
partially
implemented.
One
of
the
recommendations
that
was
partially
implemented
related
to
the
mix
of
internal
versus
external
resources
that
are
used
in
in
in
winter
operations.
K
As
you
recall,
the
city
had
KPMG
conduct
a
winter
operations
review
in
2016
and
in
that
review,
KPMG
assessed
some
of
the
costs
and
benefits
and
efficiencies
of
outsourcing
management
is
now
in
the
process
of
assessing
the
staff
levels
and
the
equipment
at
their
various
City
yards
and
their
plan
is
a
shift
staff
and
equipment
between
the
yards
as
they
require
balancing
to
make
sure
it's
based
on
their
workload.
Management
wants
to
get
this
done
first
and
then
they're
going
to
consider
adjusting
the
mix
of
internal
and
external
resources
as
such.
K
K
The
recommendations
were
to
enhance
monthly
financial
reporting
by
providing
information
and
commentary
on
key
cost
drivers
and
to
improve
reporting
on
key
performance
indicators
that
go
beyond
financial
information.
We
found
that
management
had
reviewed
the
feasibility
of
enhancing
the
KPI
reporting
and
they
expected
to
produce
a
revised
Road
services
dashboard
at
the
end
of
this
month
in
June
of
2019.
As
we
conducted
our
work
in
January
of
this
year,
both
management
and
the
OAG
assessed.
This
recommendation
is
being
partially
completed.
G
Thank
you
very
much,
I
think
it's
really
important
that
we
we
look
at
this,
especially
going
forward
when
we're
looking
at.
You
know
updating
our
whole
operations
for
for
winter
maintenance.
So
I
really
appreciate
this
report.
One
of
the
concerns
we
I
really
appreciate.
Actually
recommendation
number
two
about
regards
to
climate
change,
because
that's
probably
the
key
thing
that
is
in
terms
of
what
we're
looking
at
going
forward
in
terms
of
what
we
find
as
as
an
issue
we
had
like
a
horrendous
winter
I,
don't
know
what
else
I
can
call
it,
and
it
was.
B
Chair
through
you
to
the
counselor,
a
prudent
manager
is
regularly
looking
at
the
risks
that
they
face
in
the
area
under
their
authority
and
in
the
same
way
that
we
look
at
at
the
the
risks
in
an
area.
When
we
go
in
to
look
at
what
errors
we're
going
to
focus
on
in
an
audit,
we
would
expect
of
the
prudent
manager
would
be
doing
the
the
same
thing
and
when
there
are
Changez,
prudent
manager
would
include
and
corporate
changes
into
their
activities
to
to
address
those
and
and
I
think.
K
Mr.
chair
I'll
make
a
few
remarks
and
then
I'll
hand
it
over
to
mr.
Levesque.
We
have
two
initiatives
underway
right
now.
As
you
may
be
aware,
councillor
chair
Blaye
directed
the
department
to
do
a
service
delivery
review
before
this
coming
winter
and
that's
underway.
Right
now,
and
then
we
will
be
gearing
up
for
our
maintenance
quality
standard
review
that
councillor
Cavanaugh
has
just
mentioned.
O
Just
to
build
on
what
mr.
Wylie
had
conveyed
mr.
chair
is
part
of
the
service
delivery
review,
we'll
be
assessing
our
resources,
equipment,
contract
of
services
and
beats
to
ensure
that
we
have
a
consistent
service
delivery
and
deployment
model
going
for
it.
So
that'll
be
a
big
part
of
what
we're
doing
this
year
and
looking
at
how
we
deploy
as
far
as
managing
these
different
weather
events
that
we
experience.
G
C
Thank
you.
Probably
you
answered
my
question,
but
I
have
a
I'm.
Looking
at
the
recommendation
and
that's
been
I
know
this
audit
is
follow-up
from
2014
we've
done.
We
have
20
of
them.
We
have
28
recommendation
17
completed
the
partially
completed
that
the
three
partially
not
completed.
Do
you
have
a
timeline
for
those
and
how
those
are
going
to
be
impacted
by
the
service
review
that
we
transported
from
committee,
a
Transportation
Committee.
We
asked
you
to
come
back
for
us
with
a
review
by
20
by
the
end
of
2019
for
our
service
delivery
model.
O
So,
just
to
address
the
the
recommendation.
Mr.
chair,
with
regards
to
the
the
KPIs
and
performance
measures,
we've
spent
a
lot
of
time,
putting
together
new
business
processes,
as
well
as
reporting
mechanisms
to
collect
the
data
with
regards
to
our
winter
operations,
in
addition
to
investing
in
technology
such
as
GPS,
so
that
we
can
shock
our
performance
with
regards
to
our
operation.
So
we
have
spent
quite
a
bit
of
time
putting
those
things
in
place
so
that
this
winter
going
forward.
O
The
final
step
will
be
to
put
the
dashboard
in
place
that
we
have
all
the
data
readily
available
that
meets
the
recommendations
that
we
agreed
to
at
the
Auditor
General.
The
the
other
component
was
around
the
optimal
mix
of
internal
and
external
resources.
Really
that's
been
something
that
we've
had
in
place
within
each
area
throughout
the
city.
As
far
as
assessing
that
at
an
area
level.
O
Right
now,
as
I
mentioned
previously,
we're
looking
at
bringing
together
a
consistent
process
where
we
look
at
all
of
our
resources,
equipment
and
beats
and
making
sure
that
we
have
a
consistent
deployment
model
and
service
delivery
model.
And,
as
you
mentioned,
that's
something
that
will
be
finalized
by
the
end
of
this
year
in
2019.
So.
C
O
C
C
But
again
winter
is
not
giving
us
any
mercy
and
I
know
that
we
have
challenged
with
weather
and
snow
and
I
know
that
consistently
across
the
city,
we
don't
have
consistent,
beats
I'm,
just
wondering
why
the
delay
and
why
we're
still
not
implementing
those,
because
you
know
if
these
things
needed
for
our
operation,
to
improve
the
safety
on
our
road
and
to
making
sure
our
technologies
implemented.
Why
it's
taking
us
that
long,
it's
20!
This
is
started
in
2014,
I!
Think.
K
Is
mr.
Levesque
pointed
out,
there
was
quite
a
bit
of
work
in
in
technology
upgrades
installing
all
that
in
the
equipment
and
other
business
processes
that
have
all
accumulated
to
this
year,
and
it
won't
to
answer
your
first
question
that
won't
impact
our
service
delivery
review.
That's
under
right.
That
won't
be
impacted.
In
fact,
I
think
the
the
the
the
things
we're
putting
in
place
for
this
winter
will
actually
enhance
the
service
Dilber
review
because
we'll
have
full
visibility.
The
operation
through
our
dashboard.
That's.
C
Exactly
what
I'm
trying
to
get
to
so
yeah?
So
that's
I'm
happy
to
hear
that,
because
I
want
to
make
sure
that
we
are
not
starting
something
new
at
the
end
of
the
year
and
then
we're
going
to
go
back
from
square
one
to
say.
Okay,
we
should
have
follow
this
recommendation
because
we
need
to
be
ahead.
Not
behind.
That's
that's
my
point.
K
J
Thank
You,
chair
I,
guess
my
question
is
actually
a
good
follow-up,
I.
Think
to
all
my
colleagues
questions
the
first
one
is
specifically
and
what
we're
talking
about
quality
of
standards
and
and
trying
to
implement
better
service
delivery.
Going
back
to
2014
recommendation
number
four
was
that
we
assess
the
cost,
benefits
and
efficiencies
of
outsourcing
and
establishing
an
optimal
mix
of
internal
and
external
sources
that
would
have
given
us.
If
we
had
done
this
back
in
2014,
this
would
given
it
would
have
given
us
some
valuable
information
as
we're
moving
forward,
but
number
four.
J
J
O
So
it
is
partially
complete
and
through
our
work
with
the
the
Auditor
General
mr.
chair,
we
did
say
this
is
an
ongoing
process
and
something
that
is
a
part
of
our
operation.
So
when
we
look
at
contracts
when
they
expire,
that's
the
time
that
we
take
that
business
case
approach
and
do
that
cost-benefit
analysis
us
to
okay.
How
do
we
move
forward?
Is
it
with
internal
resources?
Or
do
we
looked
at
a
contracted
services
for
that
activity?
O
So
it's
something
that
I
know
when
we
work
with
the
a
the
Auditor
General
that
we
explained
to
them
that
really
it's
it's
an
ongoing
process
and
it's
something
that
should
be
a
part
of
the
operation
on
an
annual
basis
as
contracts
expire.
Then
we
look.
Do
that
analysis
and
look
at
the
cost.
Benefits
of
internal
resources
versus
contracted
services
are.
J
K
Chair
I
think
there's
two
things
that
the
councillors
speaking
to
to
just
build
on
what
mr.
Levesque
said
regarding
taking
a
look
at
contracts
as
they
come
up.
We
did
just
have
a
large
contract
maintenance
of
the
174
that
came
up.
We
did
a
complete
business
case
on
it
and
it
was
determined
that
it
was
better
to
be
contracted
out,
so
that
was
retained.
K
The
standards
review
will
be
coming
up
in
the
future
and
that's
where
we'll
have
a
closer
look
at
our
maintenance
quality
standards
and
if
there
are
improvements
or
adjustments
to
be
made
on
maintenance
quality
standards,
the
work
we're
doing
this
winter.
Although
we're
not
changing
the
standards,
we're
still
going
to
be
working
towards
our
council
approved
standards.
K
J
Okay,
thank
you
on
recommendation,
ten
in
2014
it
was
recommended
through
the
Auditor
General
that
there
would
be
enhanced
monthly
financial
reporting,
giving
commentary
and
the
performance
associated
cost
drivers.
This
would
be
like
monthly
Lane
kilometer
costs
impact
a
monthly
precipitation
all
the
things
that
were
apparently
measuring
right
now,
because
it
impacts
service
delivery
management.
At
that
time
agreed
with
this
recommendation,
it
was
passed
by
City
Council.
Yet
there
was
a
corporate
alignment
in
2016
and
basically
abandoned
what
this
was
going
to
do.
J
O
O
With
within
our
operation,
no,
so
that's
something,
even
though
the
audit
happened
in
2014,
as
I
had
mentioned
previously,
there
was
quite
a
bit
of
work
that
needed
to
be
done
to
get
the
business
processes
in
place
to
get
the
system,
mechanisms
and
reporting
mechanisms
in
place
so
that
we
could
obtain
that
data
in
order
to
pull
it
together
in
a
dashboard
format.
That's
centralized
and
how's
all
the
information
that
we
can
view
it
kind
of
more
broadly
and
in
a
dashboard
type
format.
Well,.
J
O
O
J
So,
okay
and
I
just
had
one
question
about
the
salt
truck
deliveries.
I
know
that
we've
you've
notified
I've
told
staff
not
to
to
tell
the
salt
trucks
that
they're
going
to
be
measured
and
I.
Guess
we've
been
told
that
staff
are
not
doing
that.
How
do
we
know
that
staff
aren't
notifying
them?
Is
there
some
way
to
verify
whether
or
not
you
know
the
salt
truck
just
comes
in
without
knowing
and
when
it's
going
to
be
measured.
O
So
mr.
chair,
those
expectations
are
obviously
clearly
instructed
to
staff
at
the
beginning
of
every
year.
In
addition
to
what
our
standard
operating
procedures
are
for
actually
receiving
salt
and
in
the
case,
what
we
do
do
weighing
other
salt
trucks,
that's
how
all
outlined
in
kind
of
the
expectations
and
the
orientation
we
do
with
staff
at
the
beginning
of
the
winter
season.
Obviously
referencing
the
standard
operating
procedures
that
we
had
put
in
place,
but.
O
The
I
think
there's
a
miscommunication
within
kind
of
our
our
audit
with
the
Auditor
General
I
know
that
point
was
raised,
but
then
we
had
come
back
and
we
said
that
wasn't
an
issue
within
our
operation,
where
we
actually
had
staff
notifying
the
the
truck
drivers.
We
were
going
to
be
weighing
that
day.
We
did
do
clarification.
O
We
did
follow
up
once
that
was
brought
to
our
attention
and
I
believe
when
I
read
when
you
read
through
the
audit,
you
can
see
that
that
wasn't
actually
happening
within
the
operation.
However,
we
did
take
it
seriously
and
said
that
we
do
need
to
have
expectations
clearly
that
laid
out
for
staff
and
we
do
need
a
standard
operating
procedure
which
we
have
put
together
and.
K
Chair,
the
all
operating
standard
procedures
are
given
to
staff
and
they're
trained
on
them,
and
I
will
add
that
the
Auditor
General
wants
to
elaborate
the
the
whole
process
of
weighing
salt
trucks
coming
in
was
honored
by
the
Auditor,
General,
stuff
and
I.
Think
they
were
fairly
satisfied.
Yeah
I
would
add,
we
we
did.
We
tested
a
couple
of
salt
truck
wings.
I
mean
the
extent
we
could.
We
can
certainly
tell
the
drivers
of
the
salt
trucks
didn't
know
they
were
going
to
be
weighed.
B
G
I
just
wanted
to
talk
about
parked
cars
because
it's
mentioned
a
few
times
and
the
recommendations,
and
it's
one
of
those
ongoing
things
with
people
scrambling
to
get
their
cars
off
the
road,
but
I
wanted
to
know
how
much
of
a
cost
it
does
that
put
on
our
system
when,
when
those
cars
are
in
the
way,
is
that
really
slow
like
because
it's
mentioned
a
couple
of
times
and
the
recommendations?
Is
this
a
really
big
big
problem
in
terms
of
costs.
K
Sure
it's
hard
to
qualify
or
quantify.
It
is
definitely
an
impediment
to
our
plowing
operations
in
order
to
rectify
it.
We've
been
working
with
their
bylaw
partners,
but
we've
also
implemented,
as
your
fart,
probably
aware,
one-sided
parking
for
problematic
areas
and
that's
something
that
we've
started
a
couple
years
back
and
we're
continuing
to
improve
to
expand
upon.
As
as
we
go
forward.
K
G
You
I
know
it
would
the
amount
of
snow
we
got
this
winter.
The
the
problem
is
where
to
put
the
snow,
and
so
every
time
there's
things
in
the
way
these
are.
These
are
major
major
problems.
I
just
wanted
to
know
in
terms
of
cost
saving,
because
it's
asking
for
efficiencies.
How
do
you
see
that
that's
possible
with
with
winters
like
we
had
last
year
this
past
year,
the
how
in
terms
of
finding
any
kind
of
efficiencies
Joe.
A
O
A
O
A
One
more
with
respect
to
again
Vice
Chair
me
and
about
recommendation
17
in
the
salt
trucks.
I'll
just
bring
to
your
attention
that
the
recommendation
was
that
winter
operations
ensure
that
all
operation
technicians
do
not
notify
delivery
trucks
in
advance
that
they
will
be
weighed
and
I
recognize.
You
said
that
it,
you
didn't
observe
that,
but
you
did
agree
with
the
recommendations.
K
A
B
Commercial
depositors
will
repeal
a
lemon
tea
committee,
poor
poor
lady,
near
to
us
suivi
in
the
Vltava,
a
vacant
expound
on
amount
technology
in
fellatio.
So
thus
we'd
like
governor
mas
de
te
caps
or
another
recommendation
also
completa
may
rest
assured
a
certain
known,
but
the
sector
are
associated.
L
Thank
you,
IT
governance
is
a
formal
framework,
provides
structured
organizations
to
ensure
that
the
IT
investments
that
are
made
in
the
operations
support
the
businesses
objectives.
Essentially,
it
ensures
that
the
organization
is
aligning
its
IT
strategy
and
operations
with
the
organization's
strategy
and
objectives,
and
it's
in
an
integral
part
of
the
overall
governance
of
the
city
operations.
It's
as
you've
heard
in
many
times
and
and
no
technology
touches
almost
every
every
operation
of
the
city.
In
the
original
audit,
we
examined
how
the
existing
practices
at
the
city
compared
to
leading
practices
and
standards.
L
Measurable
objectives
were
lacking
among
managers
and
the
CIOs
annual
performance
evaluations,
such
as
successfully
implementing
projects
on
time
or
within
budget.
We
also
found,
at
the
time
of
the
audit
that
the
extent
of
turnover
at
the
CIO
position
had
been
substantial
for
a
number
of
years,
affecting
the
the
important
leadership
that
is
is
fundamental
to
good,
good
IT
governance.
L
L
L
So
some
good
progress
had
been
made
and
a
number
of
key
activities
had
been
completed,
although
there
were
still
a
number
of
areas,
important
areas
that
require
further
remediation,
IPS
has
established
visible
linkages
between
IT
services
and
the
city's
broad
objectives,
both
through
a
new
intake
process,
as
well
as
the
I
TS
strategic
work
plan
covering
the
period
from
2018
to
2020.
We
found
that,
although
the
IITs
scorecard
had
been
discontinued,
it
was
replaced
with
a
different
mechanism
called
the
client
dashboard.
L
The
dashboard
at
the
time
of
our
work
is
still
in
a
pilot
phase
and
still
needs
to
be
fully
implemented
in
considering
the
area
around
performance
measurement
objectives
and
key
results.
Metrics
and
I'll
refer
to
these
as
okrs.
These
were
introduced
in
the
I
TS
strategic
work
plan,
where
each
branch
responsible
is
responsible
for
developing
key
results
that
align
to
the
I
TS
objectives
and
that
directly
support
the
strategic
directive
of
the
corporation.
L
It
was
also
recommended
in
the
original
audit
that
objectives
for
the
CIO
be
measurable.
The
CIO
had
completed
his
last
performance,
evaluation
and
performance
objectives
were
outlined
by
the
oak
that
were
just
mentioned.
However,
again,
the
some
of
the
risks
and
the
actions
that
were
in
the
original
audit
report
were
not
included,
and
thus,
as
we
see
not
completed,
although
the
CIO
has
focused
on
many
key
strategic
points
to
further
the
the
city's
IT
organization
is
important.
That
high-risk
items
requiring
remediation
be
a
continued
focus.
L
In
our
original
audit,
we
outlined
that
the
extent
of
turnover
at
the
CIO
position
has
been
substantial.
This
is
continued
in
since
2012
June
there
have
been
another
seven
individuals,
either
in
a
full-time
or
acting
role.
In
this
position,
the
original
audit
recommended
that
the
recruitment
of
an
experienced
and
appropriately
qualified
CIO
be
expedited.
At
that
time
there
was
a
I
believe,
a
temporary
CIO
in
the
position,
and
that
had
followed
a
period
of
turnover.
L
We
noted
that
the
most
recent
full-time
CIO
was
appointed
in
July
2016.
There
was
no
internal
or
external
search
that
held
for
the
fulfilment
of
this
position.
The
selection
of
an
appropriate
candidate
for
the
critical
CIO
position
is
one
that
should
not
be
be
made
lightly
and
we
felt
that
it
did
not
align
with
our
recommendation.
J
You,
chair
I,
don't
think
we
really
have
to
overstate
the
importance
of
information
technology
in
our
world
today
we
had
an
incident
not
that
long
ago
and
we're
hearing
continually
about
breaches
in
government
and
companies
that
is
costing
everybody
a
lot
of
money.
I
am
concerned
about
the
number
of
CIOs
that
we've
had
over
the
past
several
years
and
I'm
just
wondering
at
why?
Why
the
why
the
high
turnover
number
one
I
guess
is
what
I'm
saying
and
the
other
question
I
have
is
why
there
was
no
external
or
internal
search
for
a
CIO.
I
All
the
temp
temp
to
that
counselor,
so
we
have
had
a
succession
of
CIOs
in
the
City
of
Ottawa,
our
prior
cio
prior
to
mr.
Carlucci,
taking
on
the
acting
assignment
was
one
of
our
longest
serving.
He
was
here
for
26
months.
It,
strong,
IT
leadership
skills
are
a
commodity.
That's
sought
by
many
corporations.
It's
it's
actually
fairly
rare.
We
were
fortunate
to
have
mr.
Bashir
for
26
months
and
I
can
tell
you,
after
doing
a
worldwide
search,
the
city
of
Seattle,
basically
poached
him
from
us
to
become
their
chief
technology
officer
and
I.
I
Think
we
benefited
greatly
from
his
employment
with
the
city
of
Ottawa
and
mr.
Carlucci
is
continuing
on
with
the
same
work
plan,
with
the
same
objectives
that
mr.
Bashir
had
in
place.
I
can't
help
that
technology
is
an
industry
where
there's
a
high
turnover
in
and
especially
at
the
senior
leadership
level.
The
City
of
Ottawa
by
comparison
doesn't
pay,
perhaps
as
well
as
private
sector,
does
and
I'm
certain
mr.
Bashir's,
making
a
heck
of
a
lot
more
money
in
Seattle
than
he
was
here.
So
it's
hard
for
us
to
keep
them
in
place.
I
But
what
we've
done
in
interim,
though,
is
when
mr.
Bashir
came
in
was
he
made
certain
that
he
had
a
management
team
in
place?
That
was
there
if
the
in
the
event
that
he
would
leave
his
position,
that
that
management
team
would
be
able
to
continue
on
that
they
wouldn't
be
journalist.
The
development
of
the
okay.
Ours
is
one
of
the
prime
tools
to
make
certain
that
happens
because
those
okay,
ours
are
for
a
three-year
period,
and
so
they
continually
work
on
those
they
continually
evaluate
their
progress
toward
them.
I
J
A
J
I
Your
job
description,
which
identifies
your
the
qualifications,
we're
looking
for
is
in
at
the
senior
leadership
level,
is
more
or
less
a
guideline.
What
you're
really
looking
for
is
someone
who's
going
to
fit
into
your
organization
and
be
able
to
make
effective
change.
Mr.
Bashir
was
a
known
entity.
He
had
been
working
for
the
city
as
the
director
of
economic
development.
The
city
manager
knew
him
very
well
knew
his
capabilities.
He
was
the
right
person
at
that
time
to
make
that
significant
change
in
IT.
So
will
we
change
the
criteria?
I?
I
Just
a
brief
update
on
that,
when
the
decision
was
made
that
with
my
departure,
that
the
corporate
services
department
is
actually
going
to
be
split
into
two
and
combined
with
service
innovation
and
performance
development,
and
there
will
be
a
new
GM
in
place,
the
decision
was
made
by
the
city
manager
that,
when
only
when
the
new
GM
is
in
place,
will
the
search
for
a
new
CIO
begin,
because
that
person
needs
to
be
involved
in
that
decision-making
process.
We
are
in
the
process
right
now
of
hiring
a
new
GM
of
the
innovative
client
services
department.
I
J
We
discussing
I,
don't
know
the
correct
amount
of
the
proper
amount
of
authority
and
compensation
to
attract
the
best
candidates.
I.
We
don't
really
want
to
have
a.
We
continue
to
have
a
revolving
door
so
give
them
they.
Given
the
I,
guess
the
circumstances
out
there
right
now,
it's
it
might
be
in
our
best
interest
to
try
to
do
something
to
we
always.
I
Look
at
that
as
part
of
when
we're
trying
to
attract
talent,
but
I
can
say
that,
and
this
speaks
to
the
issue
of
succession
planning
in
this
organization.
In
2016,
when
I
inherited
the
IT
department,
I
can
tell
you
there
was
a
total
of
zero
employees
who
would
have
stepped
forward
to
be
the
CIO
I
can
tell
you
I
had
my
choice
of
candidates
for
the
acting
position.
I
There
are
a
number
of
internal
candidates
who
are
now
interested
because
of
the
succession
planning
we've
done
to
make
certain
that
they
have
the
skills
to
be
able
to
step
forward.
That
would
be
interested
in
the
position,
but,
yes,
counselor.
We
always
look
at
the
compensation.
Unfortunately,
we're
public
sector
there's
limits
on
what
we
can
do.
But,
yes,
if
we
had
an
external
candidate
who
had
a
compensation
requirement,
that
was
above
what
we
are
able
to
provide,
we
would-
and
that
was
the
person
we
thought
was
the
best
fit.
Q
You
mr.
chair,
so
two
issues
I
want
to
ask
a
few
questions
on
on
this
particular
IT
governance.
Follow-Up
audit:
first
I'll
follow
on
to
councilor
man's
issue
around
the
role
of
the
CIO
I
I.
Think
as
a
city
I
would
like
to
see
us
aspire
to
have
someone
in
that
role
for
more
than
twenty
six
months,
I
come
from
this
world
in
a
past
life
I
understand
it's
a
very
unique
skill
set.
The
ability
to
pay
is
is
tough
in
this
setting.
Q
But
having
said
that,
from
a
governance
perspective,
I
have
some
very
serious
concerns
around
the
seemingly
short
stay
of
that
position
and
I
think
that
we
need
to
be
addressing
those
concerns
as
we
move
forward
with
this
plan.
Whatever
it
may
look
like
addressing
some
of
the
other
items
that
were
raised
as
outstanding
I'm
curious.
If
staff
can
circle
back
or
provide
comments
as
to
where
they're
at
on
the
outstanding
items
and
we've
addressed
the
CIO
one
but
the
others,
and
whether
that's
being
reflected
in
the
IT
roadmap
or
where
that
report
will
come
back.
N
Thank
You
chair
with
respect
to
that
question,
as
the
CIO
I
have
taken
ownership
of
these
audits.
They
are
very
important
that
we
complete
them.
We've
put
a
lot
of
work
into
those
particular
audits
with
regards
to
the
the
Governance
three
of
the
ones
that
are
partial,
relate
to
the
CIO
there's
two
additional
ones
that
are
partial
and
as
part
of
the
rating
with
the
OIG.
If
you're,
not
a
hundred
percent,
you
don't
get
a
complete.
You
basically
get
a
not
complete.
N
We
put
a
lot
of
work
into
place
with
that
and
we
feel
that
I've
put
the
right
resources
into
it.
When
I
found
out
about
the
audits
I
quickly
got
myself
up
to
speed
on
all
three
audits:
I
ensure
that
they
were
as
part
of
our
work
plan.
After
the
auditor
left
in
2018,
they
were
still
part
of
our
work
plan
in
2018.
They
are
part
of
our
work
plan
in
2019.
I
have
the
right
resources
that
they
are
dedicated
to
those
particular
resources.
I
met
with
my
management
team,
I
told
them.
N
This
is
a
top
priority
if
Chris
Fulton
as
the
manager
of
security
or
bad
give
us
the
manager
of
Technology
Solutions
comes
to
you
with
regards
to
some
of
the
audit
work.
We
have
to
make
this
a
top
priority,
because
we
all
agree
that
we
want
to
get
it
completed
in
the
management
team
as
a
whole
was
behind
me
for
that,
for
that
support.
So
I
have
a
lot
of
confidence
that
the
two
remaining
items
with
regards
to
the
risk
management
and
moving
upwards.
Q
I
I
The
remaining
three
revolve
around
the
issue
of
the
CIO,
his
qualifications
and
his
his
performance
objectives
and
had
the
succession
planning
and
unfortunately,
I
can't
say
that
we
agree
with
the
auditors
conclusions
on
those,
so
the
city
manager,
as
part
of
his
role,
will
be
looking
at
just
exactly
what
you
said.
Counselor
sides
around:
what
is
the
appropriate
structure
to
have
in
place
and
do
we
want
to
consider
a
CTO
versus
a
CIO
and
all
of
those
weathers
at
the
senior
leadership
table,
etc.
B
C
C
Thanks
and
just
to
confirm
that
I
have
spoken
with
the
city
manager
about
the
IT
subcommittee
playing
an
active
role
in
making
sure
that
the
items
that
have
been
identified
by
the
auditor
continue
to
be
followed
up.
So
we
don't
need
to
necessarily
wait
for.
The
auditor
will
be
seeking
answers
from
staff
about
their
progress
at
IT
subcommittee
as
well.
I'm
keen
for
us
to
be
a
part
of
a
productive
part
of
the
conversation.
G
Thank
you
I'm
quite
aware
that
there's
a
overall
shortage
of
IT
expertise
out
there
very
much
and
I'm
wondering
about
our
counterparts
in
other
cities
again.
This
is
this
is
obviously
something
that
they're
probably
dealing
with.
Do.
We
have
any
information
about
that
in
terms
of
comparing
ourselves
in
terms
of
their
ability
to
hold
on
to
IT
experts,
because
I'm
sure
that
they're,
it's
probably
a
common
problem,
since
it's
an
industry-wide
situation.
Mr.
G
That's
interesting
because
I
was
I
was
thinking
in
terms
of
raising
it
with
FCM.
In
terms
of
you
know,
this
is
this
is
something
that
we
have
to
look
at
in
the
future,
because,
obviously
it's
not
just
getting
the
the
person
now
a
CIO,
but
also
just
in
terms
of
you
know,
next
steps
of
making
sure
we
have
replacements
and
we
train
people
up
for
these
positions.
G
B
J
You
just
a
follow-up
to
what
councillor
Cavanaugh
was
asking
the
technology,
as
we
know,
is
evolving
so
rapidly
it's
hard
to
keep
up
with
of
its
reading
an
article
on
the
weekend
about
the
bad
guys
you
we
cannot
in
any
way
keep
up
with
the
bad
guys
with
the
role
of
CIO,
is
their
ongoing
expertise
and
training
and
communications
with
I.
Don't
know
experts
in
the
field
about
the
you
know:
the
risks
the
where
the
breaches
could
possibly
happen.
P
Yeah,
that's
one
of
the
the
major
challenges
that
we
face
is
keeping
up
with
the
evolving
threats.
They're
they're
becoming
more
sophisticated,
as
you
mentioned,
and
more
tailored
and
targeted
to
us.
They
do
their
research
before
they.
They
basically
try
and
attack
us.
So
yeah.
It's
been
a
constant
stay
in
touch
with
industry
trends.
We
subscribe
to
a
number
of
services
so
that
we're
aware
of
the
evolving
threats.
We
have
strong
partnerships
with
CGI
our
managed
security
service
provider
and
with
Microsoft
we
rely
heavily
on
their
threat
intelligence.
F
You
mr.
chair
mr.
Ahlers
general,
when
you
look,
this
is
a
theme
in
your
audit
and
and
the
follow-up
is
the
the
role
of
the
CIO
and
and
how
critical
it's
been
that
we
haven't
had
a
steady
cio
is
part
of
your
review.
Did
you
see
if
there
was
any
exit
interviews
done
as
a
normal
practice
with
senior
managers,
especially
there
should
have
been
some
sort
of
an
exit
interview
done?
Was
there
any
theme
in
those
under
interviews
as
to
why
we're
losing.
B
F
I
I
Prior
to
that,
we
had
a
number.
We
had
two
CIOs
who
actually
retired
and
I
can
say
that
the
most
successful
CEOs
we've
had
in
the
corporation
have
actually
been
the
internal
ones.
Every
time
we've
brought
in
someone
from
the
outside,
it's
been
a
struggle
because
the
culture
at
the
City
of
Ottawa
is
is
different
than
the
private
sector
and
it's
different
than
the
federal
government.
I
I
I
So
one
of
the
tools
that
he
was
able
to
implement
it's
a
at
a
very
cost.
Effective
price
was
a
online
platform
called
Pluralsight.
Where
don't
have
the
latest
numbers
of
how
many
hours
of
training
we've
taken,
but
I've
I
recall
for
2018,
it
was
well
over
2000
hours
of
training,
so
staff
can
go
on
they
we
find
they
go
on
in
evenings
and
weekends.
They
can
go
online
and
get
training
on
I.t
areas
that
are
evolving.
There's
thousands
of
training
items
on
that
platform.
I
In
addition
to
that,
we
looked
at
all
of
the
staff
and
looked
at
where
they
wanted
to
progress
and
came
up
with
learning
and
development
plans
for
them.
We
have
defined
a
number
of
areas
where
we
require
certifications
and
we've
outlined
to
staff.
If
you
want
to
go
and
get
a
certification
in
this
particular
area,
we're
willing
to
pay
for
in
most
cases,
it
requires
a
fee
to
take
the
exam,
but
for
the
training
beforehand.
So
we've
established,
certifications,
we've
also,
and
one
of
the
most
I
think
beneficial
things
that
mr.
I
Bashir
was
able
to
do
and
we're
continuing
with
is
we
have
connections
with
major
technology
companies
in
the
rest
of
Canada
and
the
United
States,
and
we've
been
able
to
bring
our
employees
to
those
areas,
for
example
believe
it
was
Microsoft.
We
were
able
to
bring
two
employees
two
of
our
management
team
and
they
were
able
to
basically
shadow
some
of
the
executives
in
that
high-tech
company
for
a
week
to
learn
how
they're
doing
things.
So
it's
not
only
is
it
is
it
course
learning,
but
it's
online
learning,
it's
shadowing.
I
C
We
have
some
of
our
employees
who
have
had
the
opportunity
to
learn
new
skills
on
working
with
some
of
our
biggest
vendors
and
who
even
have
the
opportunity
now
to
talk
to
other
municipalities,
about
some
of
the
work
that
they've
been
doing
and
to
try
to
lead
the
way
or
to
talk
to
other
municipalities
about
the
cost
savings
that
they've
been
able
to
find.
We
don't
rely
in
a
situation
where
staff
have
learned
to
do
it
themselves
as
much
on
consulting
dollars,
which
are
very
expensive.
I
Absolutely
correct
counselor
we
were
able
to
in
2017,
we
came
forward
with
a
report
that
basically
reduced
our
consulting
budget
and
transferred
those
dollars
into
compensation
and
basically
a
you
cut,
a
hundred
percent
of
your
consulting,
and
you
only
need
a
third
of
it
for
staff,
because
that's
basically
what
consultants
cost
versus
a
staff
person.
But
in
addition
to
that
I
can
say
we
are
seen
as
leaders
in
a
lot
of
areas
around
that.
A
prime
example
of
that
is
when
we
upgraded
from
our
sa
P
platform
last
year.
I
We
did
that
completely
with
our
own
resources.
That's
almost
unheard
of
in
the
industry,
and
we
did
it
because
staff
were
able
to
have
the
appropriate
training
beforehand.
We
only
use
the
consultants
basically
to
come
up
with
an
overall
plan
and
guide
us,
but
it
was
staff
who
did
the
work,
and
that
is
something
that
I
think
the
City
of
Ottawa
should
be
pretty
proud
of,
because
it
basically
saved
us
hundreds
of
thousands
of
dollars
and
that's.
A
A
I
just
want
to
point
out,
while
you
mentioned
fit
and
leadership,
and
a
change
agent
as
as
important
characteristics
of
of
a
new
permanent
CIO
and
I
recognize
that
I
think
what
you've
heard
from
others
is
that
there
are
some
some
skills
and
education
and
experience
that
are
that
are
important
and
you've
mentioned
that
you're
developing
those
skills
within
within
our
internal
candidates
and
and
that
is
an
important
source
of
of
recruitment
and
retention
of
recruitment
for
the
new
CIO.
And
so,
if
I
simply
wanted
to
emphasize
that
mr.
Agee
did
you
want
to
mr.
B
To
say
that
I
think
it's
I
think
it's
excellent,
that
these,
that
the
that
the
penny
has
dropped
and
that
a
change
has
has
come
about
the
the
the
two
individuals
that
were
brought
in
to
do
the
original
audits
and
to
do
the
follow-up
audits
were
struck
by
the
lack
of
certifications
in
some
areas
and
I.
Think
it's
it's.
It's
excellent
that
the
that
IT
has
changed
their
approach
and
is
has
begun
to
to
encourage
certifications,
because
that's
one
area
where
they
were
certainly
lacking,
and
maybe
that
contributed
to
to
some
of
these,
to
turnover.
B
A
I
appreciate
that
and
I
recognize
in
your
assessment.
It
is
an
incomplete
recommendation
and
you
have
used
the
word
certification.
There
is
independent
certification
and
I'm
sure
the
our
senior
leadership
management
team
has
made
note
of
that
and
and
that
there
will
be
further
discussion
on
on
this,
and
that
is
if
there's
no
other
questions
on
to
you,
mr.
Artur
general,
with
the
I
audit
of
IT
risk.
A
L
You
so
as
we
we
just
spent
the
last
little
while
talking
about
technology
is
critically
important
and
it's
it's
an
integral
part
of
the
operations
of
the
city
and
with
that
technology
comes
risk,
and
we
found-
and
this
is
with
any
organization
and
including
municipalities
that
there's
an
inherent
risk
relating
to
IT
in
virtually
every
activity
and
function
at
the
city
based
on
our
audit
and
2015.
Our
assessment
indicator
a
low
level
of
maturity
in
most
city
departments
for
IT
risk
management.
L
We
found
this
to
be
mainly
due
to
governance
and
leadership
issues
such
as
high
CEO
turnover,
as
well
as
the
authority,
the
scope
and
the
span
of
the
CIO
across
the
organization.
At
the
time
of
our
audit,
the
city
had
not
developed
a
standalone
IT
risk
management
framework
with
governance,
including
clear
responsibilities
and
accountabilities
for
city
management
that
would
be
capable
to
support
amateur
risk
culture
in
our
original
audit
as
well.
L
L
This
is
a
significant
risk,
as
there
weren't
still
are
several
departmental
IT
groups
which
operate
fully
or
in
part
independently
from
IT
s.
In
addition
to
these
independent
IT
groups,
there
were
a
number
of
examples
at
that
time,
where
business
lines
had
acquired
third-party
applications
or
leveraged
cloud-based
solutions
for
their
business
without
its's
involvement,
the
risk
to
the
city,
to
the
extent
these
applications
or
solutions
were,
would
access,
city,
computers,
use,
city
networks
or
otherwise.
L
Connect
to
the
city
infrastructure
presents
significant
risk
if
unmonitored,
unchecked
or
unknown,
without
a
complete,
documented
and
comprehensive
inventory
of
all
IT
components
and
applications
that
rely
on
the
city's
IT
infrastructure.
It
is
not
possible
to
build
a
risk
register
that
identifies
all
these
risks
and
would
identify
potential
requirements
for
corrective
action
as
well.
L
L
L
We
found
that
policies
for
governance
had
been
aligned
with
the
goals
of
the
city's
enterprise
risk
management
framework,
but
the
annual
risk
validation
process,
which
is
a
key
process
in
the
IT
risk
management
framework,
was
still
being
developed
at
the
time
of
the
audit.
It
had
originally
been
expected
to
be
complete
at
the
end
of
2016
in
the
updates
shown
in
our
report.
It
was
then
updated
to
be
completed
at
the
end
of
2018,
but
remains
incomplete
roles
and
responsibilities
have
become
more
clearly
defined
with
the
introduction
of
the
IT
risk
management
framework.
L
In
our
report,
we
suggest
that
the
potential
issues
with
this
process
they
that
it
needs
to
be
revisited
and
ensure
that
there's
clarity
and
consistency
across
the
different
policies.
One
example
of
this
was
with
respect
to
an
issue
identified
where
there
was
going
to
be
private
resident
information
that
would
be
stored
out
of
country.
L
We
further
identified
that
some
resources
continue
to
lack
formal
risk
training
to
assist
with
performing
risk
assessment
responsibilities.
We
also
found
that
the
IT
inventory
universe
has
not
been
completed,
and
this
would
serve
to
support
the
identification
of
potential
IT
risks.
This
was
due
in
at
the
end
of
2017
for
the
identification
of
IT
risks
for
existing
technology
at
the
city.
An
attempt
was
made
across
to
service
areas
out
of
53,
to
to
assess
risks
of
an
existing
technology
in
place.
J
Thank
you.
Given
the
discussion
we
had
previous
to
this
presentation
by
the
Audit
Committee,
we
talked
about
training
and
I.
I
came
away
from
that
discussion,
feeling
that
we
had
been
doing
a
good
job
training
and
ensuring
that
our
staff
are
up
on
the
latest
ways
of
mitigating
risk,
but
I'm
just
wondering
I'm
a
little
disturbed
by
these
recommended.
These
findings
from
the
Auditor
General's
report
is
that
the
the
training
is
not
there.
The
knowledge
is
not
there.
P
P
Every
single
person
within
my
branch
has
technical
certifications
in
security
field
and
in
risk
where
the
Auditor
General
is
referring
to
individuals
not
having
expertise
in
risk
assessments
is
on
the
BSS
side
in
one
of
our
processes.
Doing
validations
of
risks
we've
since
recognized
that,
as
as
a
inconsistency
have.
P
Yes,
that
we're
addressing
so
those
be
SSS
risk,
they
call
themselves
risk
practitioners,
don't
do
any
identification
of
risk
all
risk.
Technical
and
technical
security
risk
is
being
assessed
by
a
member
of
my
team
that
has
the
proper
training
and
that's
that's
the
way
that
it
works
right
now,
with
with
all
the
assessments
that
happen
and.
I
We
were
using
in
order
to
advance
this
objective,
the
skill
set
or
the
the
talents
of
our
business
support
services
units
in
each
department,
but
we
were
very
careful
that
those
people
were
actually
not
responsible
for
identifying
and
mitigating
risks.
That's
actually
always
done
under
the
supervision
of
somebody
who
is
an
accredited
risk
practitioner
so
that
we're
having
we
have
confidence
in
the
results
that
are
coming
out.
You
can.
J
Call
me
naive,
but
this
this
audit
was
brought
down
four
years
ago
and
we're
still
working
on
this,
and
that
worries
me.
Why
is
it
taking?
Why
is
it
taking
so
long
to
do
this,
I
mean
a
hacker,
can
take
I,
don't
know
it's
it's
minutes
to
breach
our
system,
get
word
we're
still
working
on
this
for
years
later,
I
I
think
that
this
is
unacceptable.
P
P
Have
to
have
it
a
hundred
percent
done
so
in
order
to
get
a
complete
on
on
these
recommendations
for
risk
management,
we
have
to
be
a
hundred
percent
done
so
when,
at
the
time
of
this
follow
up,
what
we're
saying
is
75
percent
of
the
deliverables
leading
to
completion
of
all
of
the
recommendations
for
this
report
were
complete.
The
reason
why
we
weren't
getting
a
hundred
percent
done
on
some
of
them
was
as
a
result
of
two
items.
P
In
particular,
one
was
the
inconsistencies
on
the
approval
authority
and
the
other
one
was
the
annual
validation
process
or
exercise
that
validation
process
was
finalized
in
late
2018
after
this
assessment,
and
it
was
unable
to
assess
at
the
time
because
we
hadn't
actually
gone
through
one
of
the
execution
of
that
process,
which
is
actually
planned
for
q4
of
this
year.
So
you
know
we
have
done
significant
foundational
work
to
satisfy
this
audit.
P
A
couple
of
those
things
in
particular
are
the
well
established
technology
security,
risk
management,
governance
structure
that
we
have
in
place
that
has
been
utilized
to
to
accept,
approve,
reject,
deny
risks,
technology
and
technology
security
risks
at
the
city.
We
also
have,
as
was
mentioned
earlier,
a
framework
that
has
been
developed
by
certified
risk
practitioners
and
that
governs
how
we
do
our
risk.
P
We
have
supporting
processes
that
actually
feed
into
our
risk
register
system
that's
been
put
in
place
and
that
risk
register
system
has
been
the
actually
the
biggest
thing
for
us
in
managing
our
risks.
It's
fully
automated.
It
takes
input
from
our
risk.
Assessments
templates
automatically
loads
it
into
the
database.
It
alerts
us
when
action
items
are
due,
which
is
something
that
we
never
had
before.
That
in
itself
is,
is
a
huge
benefit
for
us
to
effectively
manage
risk
here
at
the
city.
J
P
N
Additional
item
that
I'd,
like
that,
if
that's
okay,
mr.
chair,
is
I've
met
with
their
technology
solutions
manager
once
we
found
out
the
status
of
these
audits
and
what
we're
going
to
be
doing
is
we're
going
to
be
assigned
in
an
internal
project
manager
to
help
finalize
a
lot
of
these
items.
So
a
lot
of
work
has
been
done,
we're
saying
75%,
but
in
some
areas
it
might
even
be
more
than
75%,
as
mr.
Fulton
alluded
to.
N
You
know,
with
regards
to
the
exceptions,
the
validations
and
then
the
misunderstanding
of
the
other
training
with
regards
to
BSS.
It
gave
us
an
incomplete
on
all
of
our
items,
but
a
lot
of
work
has
been
done.
Security
is
very
important
NIT
as
the
CIO.
That's
one
of
the
things
that
we
talk
about
on
a
bi-weekly
basis
of
management
meetings,
team
we've
had
our
okrs,
which
is
our
work
plan.
We
review
it
monthly
and
one
of
the
things
that
we
do
is
we
don't
work
in
silos
previously
before
2016?
N
You
know
the
applications
did
their
work
security
that
their
work,
another
areas
of
the
work
we
work
very
closely
well
together
and
we
will
reallocate
the
appropriate
resources
just
as
we're
doing
with
regards
to
the
technology
solutions.
Manager.
I'm
asking
give
me
a
PM
to
help
me
finish
these
audits
and
I'm.
Confident
if
we
put
that
in
place
with
the
hard
work
that
we've
already
done,
and
we
take
security
really
really
very
seriously
at
the
at
our
department,
we
will
get
these
completed
by
q4
2019.
Q
Thank
You
mr.
chair,
putting
into
context
that
this
audit
was
done,
I
believe
it's
2015
and
we're
now
doing
the
follow
up
the
I
teen
landscape.
Obviously,
the
risk
landscape
has
grown
tremendously
over
that
period
of
time.
Of
course,
as
taxpayers
continue
to
demand
services
in
more
digital
and
other
ways.
How
how
are
you
addressing
that
changing
risk
landscape,
and
is
that
reflected,
as
you've
mentioned,
the
new
risk
assessment
systems
that
you've
put
in
place.
P
As
all
new
projects
and
initiate
initiatives
are
run
through
technology,
solutions
on
intake
were
involved
right
from
the
beginning,
so
every
single
change,
major
change
that
takes
place.
A
member
of
my
staff
with
the
client
focus
area,
looks
at
reviews
assesses
that
change,
depending
on
the
risk
approach
that
we
take
with
that
certain
change,
meaning.
How
big
is
it
is
it
is
it
bigger
than
a
breadbox?
Is
it
small?
We
have
different
assessment
methodologies
that
we
use
with
each
one
of
those
circumstances
that
information
is
is
now
rolled
up
into
our
risk
register.
P
If
there
is
any
area
that
we
feel
that
isn't
being
properly
mitigated,
that's
where
we
engage
the
technical
security
risk
management,
governance
structure
and
ask
for
their
approval.
That's
where
we're
now
involving
them.
There
was
an
inconsistency
for
a
while,
where
we
weren't
properly
utilizing
that,
but
that's
now
been
addressed
within
our
processes,
and
we
are
updating
the
framework
to
reflect
that
and
that
framework
will
go
up
for
approval
very
shortly
to
the
tsrm
for
approval.
Does.
Q
Q
One
other
maybe
more
point
of
clarification
because
I
think
I
missed.
You
were
referring
to
the
risk,
validation
process
and
then
further
the
evaluation
process
and
a
comment
that
in
the
past
there
was
a
gap
there
in
that,
some
of
that
the
validation
or
excuse
me,
a
validation
process
was
stopping
at
the
CIO,
so
not
getting
the
level
attention
that
necessarily
needed.
So
what
is
the
the
measure
that's
been
put
in
place
now
right.
P
P
So
that's
the
hierarchy,
and
we
took
a
quite
a
bit
of
an
effort
to
properly
define
that
within
our
exemption
process.
That
has
now
just
been
incorporated
into
our
risk
management
framework
and,
like
I
mentioned
earlier,
that
will
be
going
to
approval
for
tsrm
to
approve
it.
We've
been
operating
ever
since
the
gap
was
identified
by
the
auditor
we
modified.
Our
processes
to
now
include
the
tsrm
with
all
major
high-risk
approvals.
P
Q
H
H
Managing
security,
but
I
mean
we
heard
from
some
of
the
colleague.
The
hacker
can
can
always
be
one
step
ahead.
Is
it
because
it's
lack
of
investment
like
all
what
we're
talking
here
is
about
management
risk,
but
not
stopping.
So
is
it
fair
to
say
we're
not
investing
enough?
Neither
any
level
of
government
in
Canada
actually
spent
enough
on
them.
N
You
chair,
we
invest
in
technology
security
solutions.
We
look
at
world-class
solutions
that
are
put
in
place.
Our
budget
has
actually
increased
from
2017
to
2019.
We
put
a
bigger
emphasis
on
that
for
us
that
is
money
well
spent.
We
do
look
at
as
I
mentioned
the
the
best
in
breed
we've
put
in
significant
improvements
in
having
those
solutions
available
for
us
that
can
help
us
with
regards
to
some
of
these
risks
that
are
out
there.
P
And
in
just
add
that
we
do
employ
industry
best
solutions
in
a
number
of
our
defense
layers,
so
we
have
what's
called
depth
and
defense
many
layers.
If
one
layer
doesn't
catch
it,
the
other
layer
world
will
pick
it
up
and
like
I
mentioned,
we
have
a
lot
of,
or
there
are
all
industry
best
solutions
in
a
number
of
areas.
We
don't
like
to
discuss
on
a
public
forum
what
those
particular
defense
mechanisms
are,
but
we
do
have
a
lot
of
industry
best
practices
once
I
understand.
H
Where
you're
going
with
this,
but
my
question
is
if
other
level
who
you
depend
on
for
for
their
filter
for
their
assistance,
they're
not
making
enough
investment
in
that
field,
so
that
mean
you're
going
to
be
short
on
your
end
as
well.
That's
that's
what
I'm
trying
to
connect
it,
because
we
hear
time
and
time
again,
Canada
is
one
of
the
lower
spending
country.
One
comes
through
cyber
security.
P
As
Saad
mentioned,
or
Sandro
mentioned
earlier,
we've
we
have
increased
our
budget
I
think
it
was.
Was
it
25
percent
we
calculated
over
the
past
two
years
to
help
with
making
sure
we're
monitoring
our
technology
ecosystem
properly
and
meaning
everything
that
that
IT
looks
after
on
behalf
of
the
city.
P
So
we
have
strong
partnerships
with
CGI,
as
mentioned
earlier,
and
in
Microsoft
now,
with
the
office
365
program,
were
we
were
taking
advantage
of
a
number
of
very
key
security
components
from
that
whole
contract
that
we've
taken
in
on
with
Microsoft
and
one
another
one
that
I
should
mention
that's
very,
very
important
with
the
recent
wire
transfer
fraud
that
was
presented
not
too
long
ago.
Our
branch
was
commended
for
our
incident
response
plans
and
we
also
have,
as
a
part
of
that
implemented
a
cyber
security
awareness,
training
program,
corporate-wide
and
I
just
took
the
numbers.
P
G
You
under
recommendation
number
four:
it
talks
about.
You
know
working
with
the
different
departments
and
there's
obviously
big
differences
in
each
department.
Is
it
possible-
or
maybe
it's
already
in
effect
or
hopefully
it
is?
This
is
having
department
by
department
having
lieutenants
in
each
department
where
you
have
an
IT
person
who
is
the
go-to
person
in
each
department,
so
that
you're,
you
know
you
can
all
meet
together
and
and
and
talk
because
of
the
the
differences
there's.
G
P
Yeah,
that's
a
good
question.
We
have
reps
that
focus
on
all
the
different
client
groups
and
service
areas
throughout
the
city.
Technology
solutions
intake
has
as
a
rep
that
deals
with
the
key
stakeholders
within
each
one
of
those
those
areas
we
like
I,
mentioned
earlier,
that
corporate
wide
training
program
that
is
corporate
wide,
not
just
IT
as
well.
So
we
maintain
a
strong
relationship
with
with
all
those
different
service
areas,
and
that
was
a
challenge
for
us
too
to
go
in
and
gather
the
risk
information
from
those
areas
and
incorporated
into
our
risk
register.
But.
I
Console
if
I
could
add
something
with
respect
to
the
training,
one
of
the
things
that
mr.
Bashir
was
very
conscious
of
the
fact
is,
we
do
have
what
we
refer
to
as
federated
partners,
the
IT,
the
major
IT
groups
in
the
other
departments
that
operate
their
own
systems
that
are
just
their
own
systems.
He
wanted
those
people
to
be
as
up-to-date
as
our
IT
people,
so
our
Pluralsight
are
our
online
training
platform.
I
He
bought
licenses
so
that
all
of
those
members
in
the
federated
partners
could
also
participate
in
online
training
to
keep
their
skills
up
to
date.
So
there
is
an
understanding
that
the
role
that
IT
plays
is
also
has
to
influence
what
our
federated
partners
do
as
they
set
the
standards,
but
we
want
to
make
certain
that
they're
up
to
speed
and
have
the
skill
sets
and
know
what's
going
on
in
IT
on
a
regular
basis.
I
G
Very
helpful
but
I'm
wondering
if
it's
necessary
to
even
actually
have
an
employee
who's
from
your
department
regularly
working
inside
these
departments
not
just
overseeing
but
but
actually
going
in
there
to
work
on
the
culture
changes.
And
it
is
an
opportunity
and
training
is
really
important
and
that
we
keep
training
them
up.
But
if
we're
talking
about
the
Secession
planning
and
building
up,
not
just
for
the
CIO
but
just
in
terms
of
generally
I
hope
that
we'll
take
that
as
an
opportunity.
A
J
B
A
And
how
does
that?
How
does
that
impact
future
risk
and
I?
Just
like
a
comment?
First
from
the
Auditor
General,
with
respect
to
the
work
that
you've
done
on
IT
risk
management
in
terms
of
a
centralized,
focused
IT
service
department
versus
a
decentralized
and
and
the
Business
Service,
the
BSS
departments
within
each
segment
of
city,
ops,.
B
There
are
certainly
issues
that
we
will
talk
about
in
in-camera
specifically,
but
we
have
talked
about
a
central
authority
with
responsibility
for
overall
IT
issues
in
an
organization
with
17,000
people
for
billion
dollar
budget.
It
isn't
rare
to
have
other
groups
in
you
know
another
in
other
departments,
with
a
requirement
for
a
strong
IT
presence.
B
I
mean
that
that
model
exists
in
many
organizations,
but
you
are
you're
correct
without
without
a
single
overriding
authority
over
IT,
that
itself
presents
some
risks
and
when,
when
there
are
problems
in
the
identification
of
risk
and
the
management
of
those
risks,
as
we
have
we
identified
in
this
particular
initial
audit
report
and
in
the
follow-up
its
it
makes
much
more
complicated
when
you
have
a
federated
partners.
I
think
is
that
the
term
that
that
IT
uses,
where
you
have
limited
limited
control
over
what
what
they
can
do
so
it
there's.
B
P
Thank
you.
Mr.
chair,
we
have
developed
the
ite
risk
management
framework
which
states
that
technology
and
technology
security
risk
is
owned
by
the
CIO
for
all
of
the
city.
So
what
is
that
central
authority?
We
have
been
working
with
what
we
do
call
our
technology
partners
to
ensure
that
they
are
following
the
same
practices.
We
are
with
NIT,
we've
been
working
with
them
on
developing
their
SCADA
standards
and
on
developing
vulnerability
and
penetration
testing
plans
of
their
environments,
similar
to
practices
that
we
do
within
our
own
environment
and.
A
Thank
you
for
that,
but
in
and
and
I
acknowledge
it,
but
in
reading
the
report,
mr.
Fulton
and
mr.
Carlucci
I'm
not
convinced
that
the
IT
s
Department
has
a
good
handle
on
all
the
risks
within
all
the
departments.
I
think
I'm,
not
the
the
incomplete
recommendations
indicate
that
and
I
think
as
you
choose
to
mitigate
or
to
accept
risks
or
to
find
the
resources
to
reduce
the
risks
or
to
eliminate
the
risks
as
much
as
possible.
A
You
need
to
have
a
good
inventory
of
those
risks,
and
that
is
what
has
not
been
completed
or
there's
no
evidence,
and
you
have
said
mr.
Fulton,
that
unless
you
would
get
a
hundred
percent,
you
know
we
have
an
incomplete.
It's
not
like
we're
at
95
percent
or
just
on
the
cusp.
There
is
a
not
all
the
recommendations
are
are
technical.
A
Many
are
cultural
change.
Leadership
change,
not
that
there's
not
leadership
here.
I
acknowledge
that
you
we've
talked
about
the
CIO
turnover,
but
the
the
vision
and
and
the
the
leadership
to
mitigate
those
risks
and
I
hope
that
that
is
the
message
that
you
are
receiving
here.
For
example,
you
refer
to
penetration,
testing
and
and
in
reading
the
report
in
the
original
report,
you
know
how
that
is
done
and
how
efficient
that
is
and
who
you've
employed
to
do
that.
A
Penetration
testing
is
not
clear,
not
to
me
and
I,
don't
know
if
it
is
clear
to
other
members
of
this
committee
so
that
you
can
properly
evaluate
and
mitigate
or
accept
those
risks,
and
so
I'd
like
to
see
change
on
that
and
and
I
guess.
My
question
is
now
to
the
Auditor
General,
the
0
of
8,
on
on
the
recommendations,
mister
auditor
general,
that
you
know
they're,
serious
and
and
they're
not
complete.
A
B
B
What
we
would
be
prepared
to
do
in
this
circumstances,
because
of
the
the
importance
of
the
function
and
and
the
areas
left
undone
we
would
be
prepared
to
when
we
go
in
to
do
a
follow
up
of
a
remote-access,
which
is
another
audit
report
that
that
was
done
on
the
follow-up
is
just
is
just
coming
due.
We
would
follow
up
the
balance
of
the
recommendations
that
that
we
we
now
raid
as
as
incomplete,
and
then,
when
we
report
back
with
the
the
follow-up
on
remote
access,
we
would
also
report
back
on
the
the.
B
A
N
You
mr.
chair,
absolutely,
this
is
a
top
priority
for
the
IT
management
team,
as
well
as
for
myself,
I
am
taking
ownership
of
these
audits
I.
One
of
the
other
items
that
I
did
do
was
I
reached
out
to
the
OIG
to
ask
if
I
can
have
a
meeting
to
get
a
status,
because
I
was
very
new
to
this,
and
they
granted
that
meeting
with
me
and
at
that
time,
I
expressed
that
I'd
be
very
interested
in
a
follow
up
on
the
follow
up.
N
So
I
would
take
that
as
well,
because
just
to
show
the
committee,
this
is
very
important
to
us.
We
have
made
a
lot
of
work
and
we
want
to
prove
it
that
we
have
done
this
work,
and
you
will
see
that
the
the
recommendations
that
have
been
provided,
I
think
are
very
good,
some
very
good
recommendations
and
we
always
want
to
improve
ourselves
to
try
to
be
even
a
better
organization
than
we
already
are
so
I'm
very
comfortable
that
the
work
will
be
completed
this
year.
N
I
will
make
sure
that
the
resources
are
available
in
order
for
us
to
complete
it,
as
I
mentioned
I'm
going
to
get
an
internal
IT
project
manager
to
help
with
that,
to
kind
of
just
keep
the
lines
going,
keeping
that
profile
for
us
and
as
I
mentioned,
we
also
talked
about
it
at
our
managing
and
monthly
meetings,
and
this
will
be
one
of
the
topics
that
we'll
talk
about
as
well.
Thank.
A
B
Chair
the
the
final
audit
of
the
the
final
follow-up
of
the
three
follow-ups
that
we
did
is
the
audit
of
IT
security
incident
handling
in
response,
and
just
overall
we
can
say
that
we
assessed
six
of
the
11
recommendations
is
fully
implemented
with
four
partially
implemented
and
one
that
we
were
unable
to
assess
and
our
presentation
will
be
in
camera
and
it's
the
appropriate
thing
kits
the
appropriate
time
for
us
to
go.
In-Camera
Thank.
A
J
Do
Thank
You
chair
this
is
a
verbal
direction.
I
would
like
to
direct
the
city
manager's
office
to
provide
the
audit
committee
with
digital
copies
of
the
audit
recommendation
tracking
report
that
is
currently
maintained
by
the
city
manager's
office
and
I'd
like
to
receive
this
document
by
the
end
of
the
business
day
today
or
at
the
end
of
this
week,
whichever
you
can,
whatever
you
can
deliver
through.
J
F
A
J
Complete,
therefore,
be
it
resolved
that
the
Audit
Committee
direct
city
staff
to
provide
an
update
on
all
auditory,
kiman
Dacians
heard
here
today,
which
are
considered
partially
complete
by
the
Auditor
General
at
the
next
Audit
Committee.
So
let
we'd
like
to
what
the
intent
of
this
is
to
get
an
update
on
the
work
that
has
been
going
to
be
taking
place
on
these
recommendations
before
the
next
meeting.
Okay,.
A
J
J
H
A
H
C
A
C
F
H
I'm
not
going
to
have
a
sale,
but
I
mean
follow
up
on
a
follow
up.
We
already
have
this
follow
up
and
I
think
eventually
the
Auditor
General
will
come
back
with
the
summary
of
all.
Your
audit
am
I
correct
that
you
will
be
coming
back
to
tell
us
what's
been
standing
and
what's
need
to
be
complete,
we
don't
want
to
waste
more
staff
time
when
we
need
other
auditor
to
take
place,
then
go
back
and
follow
up
on
a
follow-up,
so
we
heard
today
and
staff
agree
some
of
the
this
has
not
been
completed.
H
B
Understanding,
I
guess,
there's
two
things
that
I
to
comments
I'll
make
one
is
what
we
said
that
we
would
do
because
of
the
importance
of
the
IT
in
completes.
We
would
in
when
we're
doing
another
follow
up
likely
in
late
2019
early
2020.
We
would
also
follow
up
on
further
follow
up
on
the
implementation
of
those
incomplete,
so
that
would
be
the
IT
and
completes
sorry.
My
understanding
of
what
was
just
read
was
that
staff
would
come
back
to
to
let
the
committee
know
their
status
of
on
the
in
completes.
B
H
P
All
of
the
audit
deliverables
that
our
old
standing
are
still
a
part
of
our
ok,
our,
which
is
our
objective
and
key
results.
That's
a
part
of
a
work
plan.
We
can
present
those
to
the
IT
subcommittee,
the
status
on
the
completion
of
those,
so
that
can
be
accomplished
through
that
mechanism.
If
need
be,
we
will
definitely
welcome
the
opportunity
to
go
through
a
second
follow-up
to
prove
that
to
this
committee
and
IT
subcommittee,
that
we
will
get
full
completion
by
the
end
of
this
year
by.
F
You
mr.
chair
I
agree
with
counselor
Ellis.
In
theory
this
may
be
a
bit,
especially
if
you're
talking
about
all
the
different
audit
follow-ups
today
to
be
asking
for
that
before
the
next
meeting.
What
I'd
like
to
suggest,
maybe
as
an
amendment
to
to
your
motion
counselor,
is
a
Eve
asks
you've
given
direction
to
mr.
box
to
get
back
to
you
with
the
list
of
incomplete
recommendations.
F
J
That
boat
yeah
I
like
that,
but
at
the
same
time
many
of
these
recommendations
are
four
or
five
years
past
due
I
think
we
it's
just
incumbent
on
us
to
keep
on
top
of
this
and
figure
out.
They
we've
heard
a
lot
of
promises
here
today.
I
think
that
six
audits
going
to
six
departments
to
get
an
update
on
the
progress
they're
making
on
the
promises
that
they
made
today
to
complete
the
tasks
of
the
recommendations.
Is
it
asking
a
lot?
It's.
F
Wouldn't
they
be
the
ones
to
be
doing
the
the
the
follow-up
on.
What's
the
remaining
work,
because
it's
going
to
be
part
of
their
work
plan,
it
shouldn't
be
part
of
the
audit
committees
work
plan.
We
we've
shown
the
recommendation,
so
the
AG
provides
the
recommendations
and
observations
of
what
he
finds
it
sent
up
to
the
departments
and
the
the
various
oversight
committees
to
follow
up
past.
The
follow-ups
is
that
fair
assessment
like
this.
J
A
A
B
J
A
A
J
Sorry
that,
in
accordance
with
the
procedure,
bylaw
20
19-8,
the
Audit
Committee
revolve
in-camera
pursuant
to
subsection
13
1a.
The
security
of
the
property
of
the
city
based
upon
the
rationale
set
out
in
the
legal
implications
section
of
the
report,
titled
office
of
the
Auditor
General
report
on
audit
follow-ups
and
detailed
audit
follow-ups
report
in
order
to
receive
from
the
Auditor
General
the
follow-up
to
the
2015
audit
of
information
technology
security
incident
handling
and
response.