3. COUNCIL AUDIT WORKING GROUP - MANDATE, MEMBERSHIP AND 2005 AUDIT RECOMMENDATIONS - QUARTERLY ACTION STATUS REPORT
COMMITTEE RECOMMENDATIONS
That Council:
1. Approve the changes with respect to implementation for the following 2005 Audit recommendations, and related May 2006 Council Motions, as outlined in Document 1, specifically:
a) Procurement Audit recommendation no. 13
b) Management Control Framework recommendation no. 4
c) Internet Usage recommendation nos. 7(h), 10, 13 and 15
2. Receive for information the ongoing status tracking report as of March 9, 2007, as outlined in Document 2; and
3. Approve the mandate and membership for the Council Audit Working Group, as outlined in Document 3.
RECOMMENDATIONS OF THE COMMITTEE
That Council:
1. Approve the changes affecting the implementation of the following 2005 audit recommendations, and the related May 2006 Council motions, as set out in Document 1:
a) Recommendation no. 13 on the procurement audit
b) Recommendation no. 4 on the management control framework
c) Recommendation nos. 7(h), 12, 13 and 15 on Internet usage
2. Receive, for information, the status tracking report on ongoing measures dated March 9, 2007, as set out in Document 2; and
3. Approve the mandate and membership of the Council Audit Working Group, as set out in Document 3.
DOCUMENTATION
1. Council Audit Working Group’s report dated 4 April 2007 (ACS2007-CMR-OCM-0002).
2. Extract of Draft Minute, 1 May 2007.
Report to: Corporate Services and Economic Development Committee and Council
4 April 2007
Submitted by: Council Audit Working Group
Contact Person: Kent Kirkpatrick, City Manager
(613) 580-2424 x 25657, kent.kirkpatrick@ottawa.ca
REPORT RECOMMENDATIONS
That the Corporate Services and Economic Development Committee recommend Council:
1. Approve the changes with respect to implementation for the following 2005 Audit recommendations, and related May 2006 Council Motions, as outlined in Document 1, specifically:
a) Procurement Audit recommendation no. 13
b) Management Control Framework recommendation no. 4
c) Internet Usage recommendation nos. 7(h), 10, 13 and 15
2. Receive for information the ongoing status tracking report as of March 9, 2007, as outlined in Document 2; and
3. Approve the mandate and membership for the Council Audit Working Group, as outlined in Document 3.
RECOMMENDATIONS OF THE REPORT
That the Corporate Services and Economic Development Committee recommend that Council:
1. Approve the changes affecting the implementation of the following 2005 audit recommendations, and the related May 2006 Council motions, as set out in Document 1:
a) Recommendation no. 13 on the procurement audit
b) Recommendation no. 4 on the management control framework
c) Recommendation nos. 7(h), 12, 13 and 15 on Internet usage
2. Receive, for information, the status tracking report on ongoing measures dated March 9, 2007, as set out in Document 2; and
3. Approve the mandate and membership of the Council Audit Working Group, as set out in Document 3.
BACKGROUND
On May 24, 2006, City Council considered the City’s Auditor General 2005 Annual Report and 2005 Detailed Audit Reports (ACS2006-OAG-BVG-0001). Included in the 2005 Annual Report were the following audit reports:
In conjunction with consideration of the Annual Report and audit recommendations, City Council also passed the following two Motions:
That a special committee be established which would include four members of Council and Senior Management Team to ensure implementation of Council approved recommendations and that Councillors Glenn Brooks, Gord Hunter, Jacques Legendre and Rick Chiarelli be appointed to that special committee.
CARRIED
That the Special Committee report to the Corporate Services and Economic Development Committee on any issues raised.
CARRIED
Since the establishment of this Council/Management Audit Working Group in May 2006, the group has been meeting on an as-needed basis with the City Manager, the Auditor General and City staff as required.
The Corporate Services and Economic Development Committee and City Council, at their meetings of October 17 and October 24, 2006, respectively, considered and approved the first quarterly report on the 2005 audit recommendations action status as well as an adjustment to implementation of recommendations for the 2005 Procurement Process audit.
The purpose of this report is to provide the Corporate Services and Economic Development Committee and Council with the following:
DISCUSSION
The CAWG was created to oversee the implementation of the audit recommendations and provide a body for discussion with the Auditor General, selected members of Council and senior management to further discuss the audit recommendations under dispute or where circumstances may have changed.
When considering the total number of recommendations coming forward from the Auditor General through his audit reports, it should be noted that there were an overwhelming number of recommendations supported by management that are being implemented on an ongoing basis. In looking at the overall picture, the number of recommendations that require further discussion by the CAWG represents a very small percentage.
The primary focus of the CAWG has been to receive additional background information from the 2005 audit recommendations where the Auditor General and management had differing opinions, and to formulate recommendations for decision by CSEDC and Council on the disputed item. These management responses have been the subject of discussions between the Auditor General, the City Manager and the CAWG. In most cases, consensus has been achieved on revisions to the implementation of the audit recommendations; in other cases further discussion and analysis is required. A workplan has now been developed to resolve all outstanding issues and the issues should be resolved by the end of May 2007. In addition to the 2005 outstanding audit recommendations, CSEDC recently referred to the CAWG, for approval, the implementation of the Deloitte Consulting recommendations from the City of Ottawa Branch-by-Branch Overtime Review Final Report. These recommendations are to be completed by June 1, 2007, and reported back to CSEDC and Council no later than June 30, 2007, confirming the completion of the implementation of all the recommendations. However, a first review of the workplan indicates that staff will not be finished with the implementation of some of the recommendations until 2008.
The October 2006 audit status report to Council dealt with the Procurement audit, approving a change in the proposed level of delegated authority from the City Manager to the Deputy City Manager for recommendation 13. However, further discussion was required with respect to the proposed limit of 100K on all Standing Offers. During a CAWG meeting held on January 29, 2007, the CAWG and the Auditor General agreed to the recommended revisions whereby there would be no limit to standing offers for IT SAP resources with the approval of the CCSO. However, Standing Offers for engineering contracts would be limited to $100K.
Discussion of, and consensus on, amendments to the implementation of the recommendations at issue for the Internet Usage and Management Control Framework audits were achieved at a meeting of the CAWG held on March 6, 2007.
For recommendation 4 in the Management Control Framework audit, the CAWG and the Auditor General agreed to the recommended revisions whereby management agreed to develop a new corporate integrated risk management policy or modify the existing policy, develop a template that would be used to capture the 3-5 most significant risks for each branch and how those risks are addressed, and develop a course to be offered in the latter part of 2008 on risk management relating to the application of these concepts. This will be done in conjunction with the branch business plans and the corporate contingency plans. It is estimated the cost of the policy development, training material development and delivery will be approximately $150,000, which will be included as a budget pressure for 2008.
For the Internet Usage audit, recommendation 7(h), the Auditor General agreed that enabling system logging on all devices would be cost-prohibitive from both a system performance and a storage space perspective. It was therefore agreed that IT would address the recommendation using a phased-in approach, enabling system logging for select devices based on a report recently completed by Allstream.
For recommendation 10, the CAWG and the Auditor General agreed to the recommended revisions, on the grounds that it would be impractical to forbid staff from using non-City resources to process City data and assets. It was agreed that the existing communications protocols and the three layers of existing security are adequate to protect the City from virus threats.
For recommendation 13, the parties agreed to the recommended revisions whereby management has agreed to implement the Information Technology Infrastructure Library framework, which will ensure that roles and responsibilities within the ITS branch are clearly documented.
For recommendation 15, the parties agreed to the recommended revisions, on the grounds that an enterprise-wide e-mail encryption solution would not be practical to impose on external partners, as there are not any national/international standards. Instead, management will continue to communicate to staff that sensitive information should not be transmitted via the City’s e-mail system, and management will be developing a managed Secure File Sharing service, planned for mid-2007, which will allow clients to securely exchange information and data.
Management continues to implement the 2005 audit recommendations within the agreed upon timelines and resources. An updated status tracking report of all ongoing recommendations, including the responses that require resolution, is attached in Document 2.
As outlined in the May 24, 2006 Council Motion, the CAWG was established and the membership named as follows: Councillors Brooks, Chiarelli, Hunter and Legendre. The May 24 motion also referenced the Senior Management Team, which is represented by the City Manager and the appropriate Department Heads and/or Directors depending on the issue under discussion. The Auditor General is not considered a member of the CAWG but attends meetings as required.
The CAWG recommends that the Corporate Services and Economic Development Committee and Council approve its mandate as outlined in Document 3. At this time, it has requested that its mandate focus on the implementation of the audit recommendations and issues requiring resolution. Further revisions or an expanded mandate may be subject to the mid-term 2006-2010 Governance report that will be brought forward at a later date.
With respect to membership, the CAWG believed that a staggered membership of two members serving for two years and two members serving for four years would be beneficial. Members of the CAWG were canvassed and recommend that CSEDC and Council approve the following:
Councillor: Appointment Term
Gord Hunter: May 24, 2006 to May 31, 2008 (2 year term)
Glenn Brooks: May 24, 2006 to May 31, 2008 (2 year term)
Jacques Legendre: May 24, 2006 to November 2010 (4 year term)
Rick Chiarelli: May 24, 2006 to November 2010 (4 year term)
Prior to the expiration of the two-year term, members of Council will be canvassed to determine who might be interested in serving on this working group.
It is anticipated that following the election of November 2010, membership for all four positions will be recommended through the standard Nominating Committee process.
CONSULTATION
The Auditor General has not been involved in the status tracking process on an ongoing basis, but upon request, participated in the discussion and agreement to the revised implementation for the recommendations outlined in Document 1. If requested, the Auditor General will review and provide further comment on the content of the status tracking documents at a future date, noting the desire not to interfere with the completion of the 2006 audit plan at this time.
Consultation was held with the applicable Department Heads as part of drafting this report. Consultation will continue as part of the ongoing discussions related to the implementation surrounding some of the audit recommendations.
Public consultation is not applicable and was not conducted as part of this report. Members of the public may address the Corporate Services and Economic Development Committee during its consideration of the report.
FINANCIAL IMPLICATIONS
Estimated 2008 costs associated with the proposed revised implementation of the Management Control Framework recommendation No. 4 are $150K for policy development, training material development and delivery. Funds are not available within the City’s existing budget, and will be brought forward as a one-time pressure in the 2008 Draft Operating Budget.
Costs associated with the revised implementation of the Internet Usage recommendation Nos. 7(h), 10, 13 and 15 can be accommodated within Information Technology Services existing budget envelope.
There are no financial implications associated with the remaining report recommendations.
SUPPORTING DOCUMENTATION
Document 1: 2005 Audit Recommendations and Management Comments – Requested revisions with respect to implementation of recommendations for the Procurement Process, Management Control Framework and Internet Usage audits. (Attached to the report.)
Document 2: Status tracking as of March 9, 2006. (Document issued separately and is on file with the City Clerk.)
Document 3: CAWG mandate and membership. (Attached to the report.)
DISPOSITION
The applicable Department Head and staff will continue to work on the implementation of the audit recommendations as noted.
The Council Audit Working Group and the City Manager will continue to work with the Auditor General on the resolution and implementation of recommendations that are subject to further discussion.
Document 1
Recommendation No. 1
1. Approve the changes with respect to implementation for the Procurement audit recommendation no. 13, the Management Control Framework audit recommendation no. 4, and the Internet Usage audit recommendation nos. 7(h), 10, 13 and 15, and related May 2006 Council Motions, as outlined in Document 1;
Procurement Audit Rec. 13
Audit Recommendation: Supply Management ensure that all Standing Offer Agreements have an original maximum cap for call-up of $100,000 with the total value of amendments not to exceed a further $50,000, or 50% of the original call-up, without the approval of the City Manager.
Action Required Based on Dept. Head Action Plan: Standing Offers are reviewed in relation to the good or service required and the needs of the city client. The majority of standing offer call-ups are restricted in $$ to the 100k limit, although exceptions do make sense on occasion. Amendments to standing offer call-ups, which exceed 50% of the original approved call-up, will require approval of the City Manager.
Comments (Risks, issues regarding implementation): Management agrees that there should be a 50% cap on amendments to call-ups but recognizes that in the case of PWS & Infrastructure Services, there are instances where there may be the need to exceed these limits. These exceptions require the City Manager's approval. Also recommend continuing to seek Level 2 management approval for amendments (as in recommendation #3).
Related Council Motion: No
Status Update / Request for Approval of revised Implementation: Complete. Council approval on 25 October 2006 dealt with the second half of the recommendation, which deals with approval of amendments. At its 29 January 2007 meeting, CAWG dealt with the remaining piece and recommended approval of no limit to standing offers for IT SAP resources with the approval of the CCSO. Standing offers for engineering contracts would have a limit of 100K.
Management Control Framework Audit Rec. 4
Audit Recommendation: That the CCPR Officer introduce integrated risk management within the City, as part of the planning and performance management cycle. This would include such activities as:
a) development of an integrated risk management policy;
b) development of tools and approaches for risk management; and,
c) provision of risk management training.
Comments (Risks, issues regarding implementation): Although Management agrees with the Auditor General’s recommendation in principle, we do not believe it would be practical to implement this recommendation at this time. The cost/benefit of implementing a full blown, organization-wide risk management initiative is not clear, nor is it clear that this is a widely accepted best practice in municipal governance. To our knowledge, in the few cases where Canadian municipalities have experimented with them, implementation has not been successful. Our priority at this point, from a management control framework perspective, is on rolling out the planning framework and developing and implementing the performance measurement and reporting framework, throughout the organization over the next 2-3 years. Nonetheless, certain steps we are taking to enhance the Corporate planning process, such as the presentation of a comprehensive environmental scan, which will identify risks to be considered in developing the City Corporate Plan and Departmental Business plans, will address this issue. We also developed an estimate of the cost involved in implementing an integrated risk framework on a Corporate-wide basis and included this activity for consideration by Council in the 2007 budget submission.
Related Council Motion: No
Status Update / Request for Approval of revised Implementation: Ongoing. A business case for the potential implementation of an integrated risk management framework was completed in January 2007. Staff recommendation remains deferring implementation of such a framework to focus on other priorities. CAWG considered the business case at its 6 March 2007 meeting. As a result, CPPRO will undertake the following to address the Auditor General’s recommendation:
a) modify the existing risk management policy or develop a new Corporate integrated risk management policy by 2008;
b) introduce into its guidance for the preparation of branch business plans, a section that outlines the potential risks to the achievement of the branch objectives;
c) develop a template that can be used to capture the 3-5 most significant risks for each branch and how those risks are addressed – this will be integrated with the branch business plan templates and will be made available in 2008 for the 2009 business planning cycle;
d) develop a course to be offered in the latter part of 2008 on risk management relating to the application of these concepts and the use of the template. This course will be offered to management staff involved in the evaluation of risk as part of the business planning process.
We estimate the cost of policy development, training material development and delivery is $150K, which we will include as a budget pressure for 2008.
Internet Usage Audit Rec. 7 h)
Audit Recommendation: That IT Services enable system logging on all devices.
Action Required Based on Dept. Head Action Plan: Over the course of 2007/2008 ITS will procure a system log server and selectively identify devices to feed log data to it based on a recently approved workplan.
Comments (Risks, issues regarding implementation): Management does not agree with this recommendation. Industry best practices do not support full logging on all devices at all times due to the high cost. IT Services implements additional logging and alerting on a selective basis, such as with certain high-risk devices or where there is a concern with a particular device. As part of the Enterprise Security Review project initiated in Q1 2005, IT Services has contracted a third party security company to perform a detailed review of logging and monitoring processes and systems, including an assessment of the cost impact of these recommendations. The review will be completed in Q1 2006. If additional logging is required, a budget pressure will be identified in the 2007 budget. IT Services has implemented alerting for device failure on all servers and network devices. IT Services has updated all firewalls to receive a synchronized time from NRC.
Related Council Motion: No
Status Update / Request for Approval of revised Implementation: Ongoing. As a result of discussions at the March 6 meeting of CAWG and subsequent discussions with the Auditor General, the following 2007 work plan was deemed acceptable:
March 2007 Updated Work Plan for 2007 -
Q3-Q4: Procure a system-logging server to act as the repository for log data.
Q4: Adjust levels of logging on network devices and begin feeding log data to the system-logging server.
2008
Q1-Q2: Evaluate and procure available log auditing and analysis tools. Both in-house and outsourced solutions will be evaluated.
Q2-Q3: Develop formal log analysis and auditing procedures.
Q4: Implement formal log analysis and auditing procedures.
Internet Usage Audit Rec. 10
Audit Recommendation: That IT Services ensure the policy prohibit the use of non-City approved computing resources for processing City data and assets.
Action Required Based on Dept. Head Action Plan: To further formalize the existing approval process for non-City devices, IT Security has drafted a procedure for assessing and safely utilizing non-city assets on the City network with the approval of IT Security. No further action is required.
Comments (Risks, issues regarding implementation): Management does not agree with this recommendation. Such restrictions would prohibit the use of web-mail from home computers. However, the Responsible Computing Policy does stress employee obligations to safeguard electronic information whether being processed at a City facility or not.
Related Council Motion: No
Status Update / Request for Approval of revised Implementation: Complete. CAWG dealt with this item at its 6 March 2007 meeting. As a result, it was agreed that the Responsible Computing Policy would be updated to reflect prohibition of non-City assets connecting to network and the requirement to protect City information assets when accessed via web-mail.
Internet Usage Audit Rec. 13
Audit Recommendation: That IT Services:
a) review organization roles and responsibilities with accompanying agreements, such as Service Level Agreements (SLAs).
b) clearly define roles / responsibilities and define processes to ensure control implementation and monitoring is covered.
Action Required Based on Dept. Head Action Plan:
a) IT Services has reviewed existing roles and responsibilities and believes they are clearly defined and effective.
b) Organizational control mechanisms are already fully implemented and maintained across the entire branch.
Comments (Risks, issues regarding implementation): Management disagrees with these recommendations. IT Services has reviewed existing organizational roles and responsibilities, and believes that these roles and responsibilities are clearly delineated and effective. Separation of duties and other organizational control mechanisms are fully implemented and maintained across the entire branch.
Related Council Motion: No
Status Update / Request for Approval of revised Implementation: Ongoing. CAWG dealt with this item at its 6 March 2007 meeting. As a result, it was agreed that:
a) over the course of 2007/2008, ITS will perform a review of the 2003 IM/IT Security Strategy in order to confirm governance, roles and responsibilities. As well, ITS is adopting the Information Technology Infrastructure Library (ITIL) framework for Information Technology Services, which includes establishing documented operational level agreements (OLAs) between service providers within an organization. The ITIL framework will be phased in over the course of 2008/2009.
b) over the course of 2007/2008, ITS will perform a review of the 2003 IM/IT Security Strategy in order to confirm governance, roles and responsibilities.
Internet Usage Audit Rec. 15
Audit Recommendation: That IT Services identify tools for encryption of sensitive e-mail content.
Action Required Based on Dept. Head Action Plan: Management disagrees with this recommendation. The revised Computing Policy stipulates that sensitive information should not be transmitted via e-mail. An enterprise wide e-mail encryption solution would be for internal use only and would not be compatible with external partners.
Comments (Risks, issues regarding implementation): Management disagrees with this recommendation. The revised Responsible Computing Policy, section 7.1, as approved by City management in September 2005 stipulates that sensitive information is not to be transmitted via the corporate e-mail system. An enterprise wide e-mail encryption solution would be for internal use only and would not necessarily be compatible with external partners, as there is no national or international standard for e-mail encryption. Should an enterprise-wide e-mail encryption solution be required, it is estimated to cost $100,000 and require 2 FTEs (or equivalent) to administer. A budget pressure would be identified for the 2007 budget.
Related Council Motion: No
Status Update / Request for Approval of revised Implementation: CAWG dealt with this item at its 6 March 2007 meeting. The ITS Branch is evaluating a secure file exchange service that can be used with City business partners to exchange sensitive documents. It is anticipated that this service will be available in Q4 2007-Q1 2008.
· Review the audit status tracking report as required, to ensure that staff have implemented the approved audit recommendations. Submit quarterly the status report to CSEDC and Council for information.
· Approve the workplan for resolving recommendations under dispute.
· Receive additional background information on disputed items, from both staff and the Auditor General, when there is a disagreement between the two parties. Formulate recommendations (in terms of direction to staff) for decision by CSECD and Council on the disputed item.
· Receive background information when a recommendation has changed since the approved audit recommendations (i.e. staff cannot implement the recommendation or a change in resources is required to implement) and direct staff on next steps.
· Undertake any additional or ad hoc work or oversight role as directed by the CSEDC and City Council.
· Ensure that the committee membership rotates by changing the membership by two councillors every two years, with the revised membership approved by the CSEDC and/or Nominating Committee and Council.
Gord Hunter: May 24, 2006 to May 31, 2008 (2 year term)
Glenn Brooks: May 24, 2006 to May 31, 2008 (2 year term)
Jacques Legendre: May 24, 2006 to November 2010 (4 year term)
Rick Chiarelli: May 24, 2006 to November 2010 (4 year term)
· Meetings will be held as required.
Corporate Services and Economic Development Committee Report 7
Extract of Draft Minutes 8 - 1 May 2007
COUNCIL AUDIT WORKING GROUP - MANDATE, MEMBERSHIP AND 2005 AUDIT RECOMMENDATIONS - QUARTERLY ACTION STATUS REPORT
ACS2007-CMR-OCM-0002 City-wide
Responding to questions from Councillor El-Chantiry with respect to the recommendations on internet usage, Mr. Kirkpatrick explained part of the role of the Council Audit Working Group (CAWG) was to work with staff and the Auditor General, in areas where there was disagreement, to come up with solutions for recommendation to the Corporate Services and Economic Development Committee. He indicated staff had registered disagreement with the Auditor General’s recommendations with respect to internet usage because they felt the recommendations did not give sufficient recognition to access controls and internet monitoring tools that were in place.
In response to a further question from Councillor El-Chantiry, Councillor Chiarelli confirmed that the Council members of the CAWG had met and were generally of the opinion that staff did not raise strong enough objections to the Auditor General’s 2005 recommendations with respect to internet usage because some of the solutions would have been far more expensive to implement than what could ever be justified in terms of the return. Furthermore, as directors of the corporation, he did not believe Council wanted to restrict access to the internet such that it would result in reduced productivity.
Following this brief exchange, the Committee approved the report recommendations.
That the Corporate Services and Economic Development Committee recommend Council:
1. Approve the changes with respect to implementation for the following 2005 Audit recommendations, and related May 2006 Council Motions, as outlined in Document 1, specifically:
a) Procurement Audit recommendation no. 13
b) Management Control Framework recommendation no. 4
c) Internet Usage recommendation nos. 7(h), 10, 13 and 15
2. Receive for information the ongoing status tracking report as of March 9, 2007, as outlined in Document 2; and
3. Approve the mandate and membership for the Council Audit Working Group, as outlined in Document 3.
CARRIED