Audit Committee Meeting - February 23, 2026
Welcome to the regular meeting of the audit committee for February 23rd, 2026.
I am Elliot Payne and I am the chair of this committee.
I want to offer a friendly reminder to all members, staff, and the public that these meetings are broadcast live to enable greater public participation.
These broadcasts include real-time captioning as a further method to increase the accessibility of our proceedings to the community.
Therefore, all speakers need to be mindful of the rate of their speech so that our captioners can fully capture and transcribe all comments for the broadcast.
We ask all speakers to moderate the speed and clarity of their comments.
At this time, I will ask the clerk to call the roll so that we can verify a quorum for this meeting.
Committee member Chungtai.
Present.
Engelhardt is absent.
Host Bine.
Present.
Omar is absent.
Williams, present.
Vice Chair Singleton.
Present.
Chair Payne.
Present.
There are five members present.
Let the record reflect that we have a quorum.
Colleagues, our agenda is before us. May I have a motion to adopt the agenda?
So moved.
Second.
All those in favor say aye.
Aye.
Opposed say nay.
The ayes have it, and the agenda is adopted.
Next we have the acceptance of minutes from our when was our last meeting, Mr. Clerk?
We are accepting two pairs of minutes from our December 8th, 2025, and our organizational meeting of January 26th, 2026.
Excellent.
May I have that motion?
So moved.
Second.
All those in favor say aye.
Aye.
Opposed say nay.
Ayes have it.
And the minutes are accepted.
We have one, two, three, four, five items in new business today.
And we will begin with item number three, which has to do with our biannual body-worn camera audit report.
And I will welcome up Mr. Puja.
Welcome.
Thank you.
Good morning, Chair Payne and the members of the audit committee.
My name is Darthapoodel, and I'm the director of internal audit.
Our office recently completed the state mandated biennial audit of the MPD's body-worn camera program.
This audit ensures MPD follows state requirements on how BWC data are collected, stored, used, and deleted.
This is the overview of the presentation.
I'm going to present about the background, audit and objectives, scope and methodology, conclusion and results, observations, recommendations, and the management action plans.
Minnesota statute requires law enforcement agencies that use body-worn cameras to arrange for an independent biennial audit to determine whether state statute requirements are met.
The MPD engaged the independent office of city auditor to perform this audit, which was designed to ensure MPD maintains the highest standards of transparency and data integrity.
In the past, we contracted an external uh vendor to perform this audit.
However, now with the auditors who have expertise in reviewing the body-worn cameras as well as the IT audit, we decided to bring this audit in-house.
So the objective of this audit was to assess compliance with regulations and review relevant policies, procedures, and security controls as required by Minnesota Statute 13.825 sub nine.
So the review focused on BWC requirements to verify if the BWC data are collected and classified appropriately.
Data are retained according to the state statute requirements.
The data is shared appropriately with other agencies.
There are written procedures in place to govern access to non-public recordings.
And on the issue, uh agency issued BWC are used to document officer activities and that MPD personnel are adhering to BWC policy and procedures.
So our scope covered uh related activities from January 1st, 2023 to December 31st, 2024.
As a methods, uh we met with MPD to gain an understanding of the BWC program.
We also requested received and reviewed relevant documentations such as their policy manuals, any associated SOPs with it.
Additionally, we also obtained direct access to Axon Evidence.com, which houses all the body-worn camera footage, to perform an independent review of the video and associated data.
And the key risk areas, at least from this audit's perspective, is the compliance piece, which we're trying to make sure they follow the state statute as well as the operational piece where like how their process works.
So overall conclusion, we determined that MPD complied with state regulations related to body-worn camera use.
However, although MPD complied with legal requirements, we developed three recommendations to help MPD further align with best practices that we'll cover on the following slides.
So those three recommendations are related to MPD should establish a process for independent third-party review assessment reports.
MPD should further develop and formally approve existing BWC SOPs and MPD should update password configuration requirements.
So the first observation is related to independent third party assessment report review.
MPD should establish a process for independent third-party review as of assessment reports.
So when we're talking about the assessment reports, specifically we're talking about the SOC 2 and SOC 3 reports.
So the SOC 2 reports includes detailed information on the effectiveness of controls related to security, availability, process integrity, confidentiality, and privacy.
It is intended for those with a deeper understanding of the internal workings of these controls.
So this report is made available from Axon, the service provider, for review.
However, these reviews are not currently being performed.
So at least I want to uh let the R community know.
So this is like enterprise-wide issue, so it's not specific to MPD based on the resources that IT have and also the departments, uh sometimes these are not done, and from audits perspective, we'd like the departments to do at least on an annual basis.
So we so that's what we recommend.
So we could recommend that MPD management define a process to periodically request review and document SOC2 or equivalent assurance reports, including documenting roles and responsibilities for performing these reviews.
So the next um recommendation is related to standard operating procedures.
So standard operating procedures meet statute requirements.
However, there is further uh needs for the development.
So when we look at the written procedures, it adequately captures what needs to be done, but we also want to focus on how it's done as well so that we can train any new employees and retrain some of the existing employees as well.
And in addition to that, we also reviewed the body-worn camera activation review SOP, which is one of the specific SOPs used by the implementation unit, and it describes the activation review process, including staff roles, review steps, and the use of tools such as Tableau and Smartsheet.
However, this uh SOP was recently developed, so hadn't had a chance to go through that uh formal approval process from MPD management.
So basically, we're recommending to formally approve those SOP as well.
So the third um observe um basic and recommendation is related to the password configuration requirements.
So when we looked at the Axon uh system, um the Evidence.com, um, the right now the application is configured to require a minimum six um characters length, but based on the uh best uh industry practices, it's required to have at least eight characters long, and we when we reviewed the system, we have the ability to set that to at least 10.
Uh so it's a quick fix as well.
Uh so we're recommending to increase that length from six to at least eight.
As for the management action plan, um, the observations and recommendations made by audit are suggestions to strengthen the BWC program.
And since MPD is compliant with the state statute, these are more suggestions and not required.
But uh we encourage MPD to adopt uh our recommendation to strengthen the BWC program and meet uh best practices standards as well.
And we did have conversation with the MPD in that regard, and they recognize the need for it and they have said at least uh they'll work on resolving some of these issues in future.
Uh uh any questions.
Thank you for that report.
Any questions?
Uh member hosebine.
Thank you, Chair Payne.
Um I appreciate the executive summary that you had good cooperation through this.
I just wanted to check.
So the body of activities that were reviewed were a two-year period ending December 31st, 2024.
Yes.
Um, do you think anything that you saw would potentially warrant a double check more soon, especially the last two months or the last year, that would warrant just a quicker refresh on some of these um reviews.
So based on um, so normally the scope-wise uh how we choose is so we don't miss any of the years.
So that that was the reason we selected the time when the last body-worn camera reviews were performed, and what was the scope of that?
We just select the two years after that.
So that was one of the reasons why we selected for the period that were not covered by the earlier review.
Uh but um we will be reviewing those uh in the next um biennial audit.
Okay.
But from uh training perspective, uh policy and procedures, so we do do review those um on a current basis because those are the ones that they'll be using.
But so from SOPs and policy and procedures, we do review uh on like a current practices, but from the footage and testing standpoint, we do look at the um all the evidence based on the scope.
Yeah, and I saw that you recommended moving to uh annual uh third-party assessment with MPD too.
So that'll help with that delay and um kind of what you can cover versus what would be within the two years.
So thank you.
Any other questions?
I just had a quick question on the third party assessment.
Is this something that has happened at least sometime in the past, but we just aren't leveraging it routinely, or is this something that has not been done yet?
I'm not aware of that happening in the past.
But Axon does have, so we did validate uh when we went to the Axon website, so that report is available uh for us to review.
And also in addition to that, right now the IT department is uh because most of the time SOC2 report is more for the in a private industry to make sure so uh IT is working with GovRAMP, which is more tailored towards federal, state, and local government as well.
So it's like a similar process.
So right now they're in conversation to make all the vendors to go through that assessment process as well.
So it's so that it's more um up to date because SOC2, it's performed annually, but once we go through that GovRAMP, it's on monthly basis.
So that if something is wrong or something is inadequate in the system, we'll know within a month versus in annual basis.
So IT is working on those aspects of the assessment as well.
So we just need to make sure we do that in the future.
Great.
Seeing no further questions or comments, I will direct the clerk to receive and file that report.
Thank you, Mr. Pujal.
Next, we have item number four, which is receiving and filing a report on the MPD biannual automated license plate reader ALPR audit.
And Mr. Pooja.
Thank you, Chair Payne and the members of the audit committee.
Similar to body-worn camera, we also performed and completed the state mandated biennial audit of the Minneapolis departments.
As well, and this ensures this audit ensures MPD follows state requirements on how ALPR data are collected, stored, used, and deleted.
Similar to body-worn camera, as an overview, I'm gonna briefly talk about the background audit objectives, scope and methods, conclusion and results, observation recommendations, and management action plan.
So automated license plate reader technology may be used to support a wide range of public safety activities, including revoked/suspended driver interdiction, stolen vehicle recovery, enforcement of traffic regulations, apprehension of individuals subject to an outstanding warrant, and criminal and terrorist investigations and interdictions.
ALPR devices enable police officers to recognize and take immediate actions against vehicles and persons who are subject to investigative detention or arrest.
The data collected by ALPRs can also provide investigative leads to identify unknown vehicles to gather data about known suspect vehicles and to locate potential suspects, witnesses or victims in the vicinity of a crime scene.
So Minnesota state statute required law enforcement agencies that use ALPR to arrange an independent biennial audit to determine whether state statute requirements are met.
So as a result, MPD engaged the independent Office of City Auditor to perform this audit, which was designed to ensure the highest standards of transparency and data integrity.
So the audit objective of this audit was to assess compliance with regulations and review relevant policies, procedures, and security controls as required by Minnesota statute 13.824 sub six.
So in terms of scope and method, this review focused on LPR requirements to verify if LPR data are collected, classified, and used appropriately.
The LPR data are destroyed according to the requirements of the statute.
LPR data are logged accurately, and there are written procedures in place to make sure when we're authorizing the access of data and also making sure the MPD personnel are adhering to LPR policies and procedures. Our scope covered related activities from January 1st, 2023 to December 31st, 2024.
Similar to BWC, we met with MPD to understand the LPR program process and practices, reviewed the relevant policies, procedures, and documentations.
And in this one, we obtained access to inside LPR, which is the system they use for the housing LPR data to independently review the LPR information.
And again, here similar to BWC, the key risk areas that we covered is primarily the compliance risk and also the operational side of it.
So the conclusion is that we determined that MPD complied with state regulation uh related to ALPR use.
Uh although they complied with the legal requirements, we developed two recommendations that we'll cover in the upcoming slides.
Uh so the first one is again similar to the um BWC audit as well, um establish the process for independent third-party review assessment reports.
And uh the next one is MPD should further develop and formally approve existing ALPR SOPs.
So the first issue is exactly the same as the BWC, um, first issue number one as well.
Uh MPD does not have a documented process to um periodically evaluate third party service provider performance for the automated license plate reader system.
As a result, assessment reports have not been requested or reviewed as a part of the ongoing vendor oversight.
So basically, we uh recommend MPD to do that in future.
And the second one is similar as well regarding the standard uh operating procedures.
So standard uh operating procedures meet the statute uh requirements but need further development and then uh approval as well, specifically related to system access, data retention, deletion, and the periodic access reviews.
Uh as a result, we recommend MPD management to further develop and formally approve procedures related to those key areas.
Um again uh observations and recommendations made by audit are suggestions to strengthen the LPR program. Since the MPD is compliant with the state statute, management actions are not required.
However, we encourage MPD to adopt the recommendation to strengthen the program and meet uh best practices, and also I would like to quickly thank um Ryan Franson uh who led both of these audits.
He's one of the community safety auditors as well as Ella Kings.
Uh, she's the senior auditor, uh, who focused on the IT portion of it.
So I'd like to formally thank them for this audit, performing both these audits.
Now I stand for any questions.
Thank you for that presentation.
Are there any questions from members?
Vice Chair Singleton.
Uh thank you for this audit.
Um I had a couple of questions related to how I guess I'll start with um is um license plate reader data shared with other agencies, um, both locally and federally.
And and I guess preliminarily, was that within the scope of this audit?
Uh yes.
So basically, there have so there are certain requirements that we need to meet if that happens, but yeah, we do review those portions as well.
And were you able to I guess um second part of my question is there's been a lot in the news recently about um uh the service provider Flock or the software provider.
Yes.
Um is that something that MPD uses and to my knowledge, MPD doesn't use Flock system.
And did you see any concerns within the audit around how LPR data might be shared with with federal agencies?
Uh at least uh from my perspective, we didn't see any issues related to how MPD is using the ALPR system.
Okay, thank you.
I was uh leading reading through the statutes, and it looks like an outside agency would have to make a request.
Yes.
Uh do we know of any requests from outside agencies as a part of this audit?
Uh we did select the scope was uh from 2023 and 2024.
So I don't think, was there any specific requests?
Uh and then the other part of the statute, uh it looks like the retention schedule is 60 days, and I know that um there has been some interest uh from like organizations like ACLU in terms of a lot of the federal activity that's happened uh during metro surge around uh what our retention schedules were as it related to potential potentially using some of that video footage as evidence and a civil case.
Uh do we know if our retention schedule?
Because uh the audit report says we retain within statute, but do we know if we're retaining for 60 days or retaining for some shorter period of time?
So for ALPR, so it's unless it's uh part of any investigation, so it all the data is uh deleted after 60 days.
Okay.
So we retain up to 60 days after that, it's deleted.
We'd be validated that.
Would that be true also for like the stationary traffic cameras?
Uh so the stationary traffic cameras are not part of the ALPR.
Okay.
Uh strictly for all the dash cam and what they consider is a stationary ALPR system.
But for this uh scope of the purposes, so any traffic cameras are not considered ALPR.
Okay.
Yeah.
Thank you.
See, oh uh member Williams.
Thank you.
Can you just remind me of the um the scope period of this audit date-wise?
Uh so uh January 1st, 2023 to um December 31st, 2024.
Thank you.
Seeing no other questions or comments, I'll direct the clerk to receive and file this report.
I will also direct staff to publish this report and the previous report and direct the city clerk to transmit the both of those reports to the appropriate agencies.
Thank you.
Next, we have item number five, which is receiving and filing a report on the 2026 enterprise-wide risk assessment.
Uh, I will once again invite our audit team up to present on this report.
All right, good morning, Chair Payne.
Good morning, audit committee.
Uh we are excited to present to you uh some work that we've been uh doing over the last several months uh to develop the 2026 enterprise wide risk assessment as well as the audit plan uh and strategic plan for our office.
This first presentation aligns with the report uh on your agenda that will cover some of the high points related to the enterprise wide risk assessment.
Uh in this presentation, I will cover the background and methodology of the work that we did.
We will cover some progress made on uh risks that we had identified in 2025, and then we will discuss risks needing special attention in 2026.
Uh and finally we will close things out with a bit of a discussion on enterprise risk management, which is something that our office has discussed with the audit committee as well as the city council in the past.
So for this particular report, we uh surveyed about 120 individuals across the city, uh, mostly elected leaders, appointed leaders, uh, and other uh key staff members throughout the organization.
We met with management uh and staff across the city holding nearly 30 meetings with city officials to gather their input.
We reviewed various budgets and considered prior risk assessments such as uh last year's and the year before.
Uh we also looked at risk assessments from other cities uh and different reports.
We want to make sure that we are providing uh and following our own best practices uh and industry standards, and so we do regularly look at similar reports from cities uh outside of Minnesota as well.
Uh and then we looked at current industry trends and those best practices I mentioned.
As far as progress made on risks that our office identified in 2025, uh the first few here focus on uh some actual work and changes that happened within our office.
Um we completed four audit reports, five advisory memos in 2025.
Uh we anticipate this work to increase significantly now that we have an investment in our office that I'll cover here in a moment.
Uh we were able to work with the administration to close 28 audit issues in 2025.
We provide updates at each audit committee meeting on those closed issues, and when we get into our auditor update at the end of this meeting, we will talk about a few more closed issues that the administration has taken care of.
Uh in 2025, we had the good fortune of council investing in the Office of City Auditor.
We were able to increase our um actual staffing size from eight FTEs to 14 FTEs.
Uh I will provide a little bit more information on that in the auditor update as well, but that is uh a great investment in oversight and accountability for the city of Minneapolis.
And we have started building some momentum towards building out an enterprise risk management body or group or function, excuse me, as the city council continues to consider some recommendations in that area.
The administration has streamlined the communications department.
We've seen this over the last several months being beneficial in the emergency response and the communications related to the emergency response with Operation Metro surge.
And then we've also seen some progress with the IT department planning for AI policies in addition to basic guidelines.
So the risks needing special attention in 2026.
You'll notice based on the report, but also this presentation that we came at it a little bit differently this year.
Rather than looking at risks from your standard, operational, financial, reputational, those risks that all audit standards kind of outline.
We decided to focus on four key risks that we heard throughout our conversations.
We received feedback throughout our surveys.
The first being budgetary risks, there are significant financial risks to the city that will impact service delivery.
It will impact the cost of borrowing, and it will impact property tax obligations of residents and businesses.
We'll get into this a little bit more in the next few slides.
The second risk that is needing special attention this year is related to federal operations and safety of employees and citizens and residents within the city itself.
Federal actions increase the risk to resident safety, legal exposure to the city, and financial deficit.
The third risk is contract oversight, lack of universal policy and inconsistent oversight, exposes the city to significant risk of contract fraud, waste and abuse.
And finally, risks related to city culture and trust, unmanaged organizational culture risk can undermine employee morale and diminish public trust.
Alright, so getting into the first risk, and keep in mind these are risks.
These are things that were identified by the folks that we interviewed, by the surveys that we completed, and there are some significant budgetary risks, as many of you are aware of that have been exacerbated recently by Operation Metro surge.
These risks will affect residents, businesses, and core services.
It could lead to higher borrowing costs, staffing shortages, and service reductions.
And the city needs to really start working and considering what it will look like with this change to our revenue, but also to our expenses as they've increased significantly over the last five or six weeks.
Without new revenue, it will be difficult to sustain the services that residents expect.
New revenue in this case may be supported by funding that the city requests from the state legislature.
Additionally, the city should be prepared to readjust tax levy expectations in future years.
Specifically, the budgetary impacts of recent federal actions.
These significant and unplanned financial impacts have been quite noticeable in our city.
Event cancellations, declining visitor traffic, all affects the revenue of the city as we do have a city sales tax.
Five million dollars of unplanned and unbudgeted overtime, and this number continues to grow.
Although there is an active drawdown in federal agents in the city, there is a projected 1.5 million dollar cost per week of overtime and expenses.
This is all on top of the estimated 203 million dollars that has been estimated to impact the overall community.
The last bullet item here is the preliminary impact assessment and relief needs overview that came out of the emergency operations department.
We were able to loan one of our auditors to that office over the last five or six weeks, and they actually put a significant amount of time into building out that report, and there is some great information about the costs of the city in that report.
So that can be found through the link on the slide here.
As far as recommendations related to budget, the recommendations that we've developed for this risk assessment are not ones that we will track like we normally do with audit recommendations.
These are things to be aware of, things to take into uh deliberation, strategic planning, but we do recommend that regular risk reviews and budget planning is done to reflect different scenarios.
I think that uh adopting an enterprise risk management posture goes along with this.
We think that the finance department should update its forecasts over the next several years.
Uh on page 60 of the budget book.
They have some projected forecasts for maximum tax levies for the next several years.
I believe that those should all be reviewed, updated, and communication should start being developed to provide to residents to understand the real impacts of uh the potential need for increasing revenue.
The city should prioritize core services, set guardrails for any cuts that would occur, and clearly communicate the possibility of property tax increases.
The city should inventory grant dependencies and at-risk positions and prepare contingency staffing plans, and the city should increase stakeholder engagement in the budget process, including structured input from the parks board.
So we talked a bit about the uh federal operations as it's related to budget, but it is such a risk to the city that it gets its own category as well.
Uh Operation Metro Surge certainly introduced unprecedented disruptions to regular city operations.
Uh actions have confirmed earlier concerns that our office shared in the 2025 risk assessment, but it's also introduced new risks about compliance finance and safety of employees and residents.
Um our risk assessment discussions for the 2026 risk assessment started in November and December.
Uh, and so while we were going through some of these conversations, in fact, Mr. Poodjall and I were sitting in a risk assessment conversation when uh we first learned of increased federal presence and the the death of Renee Good and things rapidly changed from there.
And so the overall response that we got related to this risk assessment changed from general city operations to very hyper focused operations just in the period of time that we were developing this work.
Um I do want to point out that the greatest challenge is that uncertainty.
We've learned in the last couple weeks that there is a drawdown in the federal presence, and that's good news as it's related to safety of residents, but also the city's budget.
Um I do want to note though that recent recognition, such as the city's Nobel Peace Prize nomination, does offer hope for improving public perception, and at the same time, these risks remain significant.
Departments are navigating complex federal directives that increase compliance challenges and additional litigation exposure.
So as far as resident employee safety, we've talked about this a little bit, and we elaborate more in the report, but certainly large gatherings, emotionally charged interactions, dynamic scenes.
They raise the likelihood of injuries and service delays.
Residents, especially in neighborhoods with that heavy federal activity reporting have reported heightened fear and anxiety.
Some residents avoid public spaces, businesses, services, which reduces their access to care and food and employment.
And as I noted, the report that the city recently published has impact has identified these to be about 203 million dollars in actual costs to the community.
Operation Metro Surge has also led to additional litigation and compliance risk.
Minneapolis has joined lawsuits against the federal government, challenging both grant conditions and contesting the federal surge.
The city is facing litigation threats and various federal investigations.
Resources have been diverted to respond to litigation and inquiries.
And one of the recommendations that we'll cover here is, if possible, moving some funding to the city attorney's office to help with some of this litigation work.
The city's incident response.
One thing that I do want to talk about, and I'm happy to answer questions about when I'm done with this presentation.
The Office of City Auditor, like so many people in the city, has felt hopeless helpless, sorry, over the last several weeks because our work is typically retrospective.
We look back at response.
So while things have been unfolding, we have tried to pull in as much information as possible.
We have tried to get into a position where if a request is later made for our office to review any city actions related to Operation Metro Surge, we'd be in good position to do that.
And as such, we have uh assessed generally the city's response and thought quite highly of the communications and the emergency response.
We think the emergency operations department has done a fine job, and the uh the JIC has also done a nice job of communicating both with city staff and residents.
The reason I bring this up is because this past summer we had recommendations to improve the communication flow when there was an ICE activity in June of 2025, and the city did uh integrate the legislative department in their communications channels, and that helped with ensuring that people in the legislative department were on the same page with the administration.
Recommendations related to federal operations and safety.
I'm not going to read through all of these, but the city is actively doing most of them.
Just to touch on a few.
This is not new to the audit committee as we've looked at specific contracts over the last year and also made general comments about the city's contract oversight.
The decentralized contract management that the city operates under does create risk of errors and misuse.
The city has made efforts to improve contract oversight through staff training.
The city attorney's office has trained well over a hundred individuals across the city in contract management, but training only goes so far if there's not policy that goes along with it.
And so we recommend that those standard policies be created by the administration for contract oversight.
We also think that a cross-departmental team to provide contract oversight support should be built.
This is similar to a governance team of sorts, one that can help build out contract oversight policy, one that can answer questions.
We have some departments, such as Public Works that do many, many contracts a year and do a great job of managing those.
And we have others, such as the Office of City Auditor that may have one or two contracts a year, and these smaller offices certainly have less support in that contract management and oversight.
We do think that those capacity checks and additional training to ensure vendors can meet city requirements.
We as a city try to make the barriers to entry for our vendors as low as possible because we want local vendors helping with our city works, but that does come with risks that we need to mitigate.
And then finally, strengthening reporting mechanisms to make it easy to report concerns of wrongdoing or fraud.
This is something that our office will take to the administration, make it easier within our websites and our different uh communication channels for residents and staff to report wrongdoing.
All right, the last of four risks that we're highlighting this year are related to culture and trust.
Keep in mind these are things that we heard from those uh leaders we've interviewed, those staff members and key personnel that we received survey responses from.
And some of the things that we heard are that there are communication gaps that exist between the council and the administration, as well as departments, that there are unclear roles, responsibilities, and sometimes that unclear communication can lead to duplication of efforts, operational drag, departments operating in silos, which is a theme we heard regularly, loss of experienced staff, and an inconsistent messaging that could erode public trust and confidence.
In this area, the recommendations that we have are to uh have the administration, the council, any leaders throughout the city help define roles and responsibilities and expectations through enterprise-wide policies.
Now we're aware that there is some work that is being done to create a process for developing tracking, updating enterprise-wide policies, and so we want to also acknowledge the good work that's been started in this area.
Uh, we recommend that continue and that those policies get documented.
We think that standardizing internal and external communication practices would be beneficial.
One thing that we heard from respondents was that individuals don't know who is allowed to talk to the media and who's not.
Individuals don't know who has the authority to disseminate information outside of the city and who does not.
And we see that as a risk to the city.
We think there should be standard processes and delegated authorities for various communications.
We think that there should be joint training for elected officials and staff.
Of course, this is something that's been ongoing, something that's been going since the first week of this particular term, and I think that should continue.
We think that there should be standard uh excuse me, there should be a standing governance oversight committee.
The administration right now does not seem to have a governance committee.
Of course, everybody is welcome to operate their organizations as they see fit, but I do think that having an enterprise risk management posture along with a governance committee certainly helps with tone at the top, it helps with policy making, it helps with decision making, and it certainly will help with communication as well.
And then finally, we think that there should be quarterly departmental reports that are offered to the city council.
I think some of this communication is being built into the 2026 session here, and these are again things that we've heard through our conversations, and we wanted to make sure to highlight them.
Alright, so in conclusion, with the risk assessment, managing those four risks can help certainly reduce costs, certainly help improve service delivery to residents, but it does take a coordinated effort across leadership departments and elected offices.
All of these risks are interconnected, as you saw between budget and the federal operations, and culture and trust.
I mean, they are all interrelated, and that is why risk management is so important, as I promised.
The biggest recommendation to come from our office on this risk assessment is that the city should bolster its risk management posture.
Enterprise risk management can help in all of the things that we've discussed.
The Office of City Auditor or Internal Audit in general is one of three legs of a stool when you consider risk management.
The image on the screen here is something that is regularly referred to by our office, but also audit shops across the country.
The IIA, which is one of the governing bodies of the audit standards that we follow, does a good job of talking about risk management.
The USGAO also has what's colloquially known as the Green Book.
And we've talked about this with the audit committee in the past.
So an effective ERM framework should align risks with responsible staff, continuously monitor and adapt controls, improve early detection and escalation of issues, and break down those information silos that we've talked about.
The city should dedicate that risk management staff.
This is something that we talked about and that there was some momentum in 2025 with.
Alright, so that brings me to the end of the risk assessment presentation and I can take questions related to this before we move on to the audit plan.
Any questions or comments from members?
Um, on the, for me, on the, uh, recommendation for culture and trust around creating a standing governance committee, uh, I'm assuming your intention for that recommendation is for the administration to create that committee, not like a city council committee, correct?
That's correct.
Uh, and then I'm wondering how, you know, we have, uh, the, for instance, the permanent review committee.
Just this last cycle there was some discussion on city council around suspending the PRC during the duration of Metro Surge.
That actually did not pass city council.
We as a body agreed that we think we should have those controls in place.
But then last year we also adopted the, uh, policy, the guide to the city's enterprise policy framework, formally as city council.
But the rub is, uh, in all of the discussion around this, is around the authority of council versus the administration, and I think this is where, at least in my conversations around culture as a risk, is we constantly get in the way of each other when it comes to that separation of power.
And I think that it's not just that the admin needs to set up a committee.
I mean, I, I'm kind of maybe meandering a little bit here, but just to say we already have the permanent review committee as, uh, a governance body.
Uh, there's the policy review group as a separate body that's discussed in the policy framework.
Is the recommendation to consolidate those under one oversight and governance committee?
That's question one.
And then question two is, I think that that wouldn't go far enough just for the administration to have that consolidated single point of reference.
I think there needs to be an integration and alignment with the city council, and I'm just wondering how you, how you think about that.
Yeah, I, I think you are right, Chair Payne.
I think that, um, combining the two committees may be expanding the scope beyond what one committee should do.
I think that the, the policy, uh, framework that is, has been adopted in 2025 and that's going to move forward in 2026, honestly, I think that's a great start towards addressing some of the risks, uh, and concerns that we had coming out of this risk assessment.
Um, I think that, um, more connection between the council and the administration top leadership would be valuable.
Um, I do think that if there were opportunities for the mayor's office and legislative leadership to meet and connect and discuss strategic priorities, um, that would be incredibly valuable, because that could lead the work of a governance team within the administration.
But I also think that once, uh, or if a governance team like that is, is fully operational, there should be ties to the city council.
So to your concerns about, um, you know, the, the, maybe the misunderstanding about roles, uh, I think that those all can be documented, developed, and then agreed upon, and so that there isn't duplication of efforts.
And quite frankly, I think the legislative department's done a good job of trying to reach out and set up these, um, these conversations to get the ball rolling.
So again, I want to, I want to mention these are risks.
I think that many of them are already, the safeguards are being developed, they're in the works.
Um, but it, I guess if, if it were up to me, the structure I would see or like to see is a governance committee within the administration that has a similar structure as a policy committee that would have ties directly into the council, and then, um, the internal controls, enterprise risk management, that group, that team, would be led by an individual responsible and held responsible for ensuring internal controls and a posture of risk management exists in this city, and that individual is responsible for holding department heads and others responsible for ensuring that there are safeguards, risk assessments, things of that nature.
This will take time, and it is something that I know that the council has reached out to me again recently to start those conversations as far as the enterprise risk management piece goes, and our office is happy to have those conversations because I think that having that ERM partner in the administration that can help hold people responsible for the audit findings that we have will ensure that the work is valuable and honestly to ensure that our recommendations are followed through on.
Excellent.
Member Hosman.
Thank you, Chair Payne.
Thank you, Mr. Timmerman, for this.
And it feels like the ERM piece is kind of the green underneath all of this.
Sure.
And I just while I think it is critical that you have these four buckets of risks needing special attention, the ERM that now is kind of at the back of this presentation report, it impacts all of this.
And I just don't want the administration and others to lose track of that, because I think a lot of those things that we've been seeing even before Operation Metro Surge are just going to continue to get amplified, which is what you've covered here beautifully.
And had we had that, so much of these other pieces would have, I think, really fallen into place a lot easier.
And then I wanted to.
If folks don't feel like they have that support, they're gonna continue to leave or continue to not know the right thing to do.
Just from any of your reviews or your team's reviews, at this current time with kind of heightened work, emotional work, people getting frustrated, potentially with resources not getting to the community.
I know that's been a big kind of as a committee member on this uh board, the aid that is being offered is not necessarily being easily transferred to those that are most needing it.
How do we ensure that it's not just the manager of that department or that manager of that person that's helping support that frustration to the right path, and then just not saying, sure, let's just get it out as fast as we can, which is also kind of personally my urge right now, too.
Um, and I just think that that's gonna be critical for this year, in addition to these kind of open items, but having that management level training of support of how that um ends up kind of playing out here and kind of the flexibility that might need with other heightened risks that come up as we kind of see what this looks like in two to four to six to four years.
I don't know.
Um so anyway, thank you for that.
I um I just yeah, the ERM piece really feels like the baseline to a lot of this.
Um, and if it doesn't get prioritized, we're gonna see more fractures in this.
Yeah, uh Chair Payne and uh committee member Hosbin, the I I really like the way that you put that, and I now wish we would have called that green square enterprise risk management in next year.
I think we will, um, which is nice to have this partnership.
So my plan this year is to distribute this to administration leaders uh as well as city council members.
Uh as you probably noticed, and I will talk a little bit more about with the audit plan, we separated the audit plan and the risk assessment this year for a very specific reason, and that is we wanted the risk assessment to be something that could be held in hand and used while leaders go through their strategic planning, their budget planning, and they don't have to answer all of these questions.
They don't have to address all of these recommendations, but they have to be aware of them.
These are risks to the city that we should be building safeguards against.
Um, and so to your uh your question about managers having the right decision-making authority or or the right people getting the the funds to the right organizations.
I think that those are those types of risks that need to be considered on an annual basis so we can proactively answer those questions rather than be so reactionary in nature.
Member Williams?
Uh thank you.
I was gonna ask this question on six, but I'm gonna ask it now, and I'm comfortable if you want to wait until six.
I completely understand the proactive nature of creating the special needs as well as the strategic plan.
But the concern I have is the reactive nature that is sometimes needed.
An example of this: 120 days ago, if I would have asked you to create these four boxes.
Something tells me it wouldn't have looked like this.
And I understand one of the challenges that any audit group has is that you said it earlier is that you audit things that have already happened.
But I am curious about your opinion and and maybe approach on something unexpected were to happen in 40 days.
How does this plan as well as the audit and strategic plan adjust quick enough so that we're not talking about it in two years about all the things that we should have done, but we are coming up with an actionable plan as soon as we can to protect the city on something else that could happen as well.
Uh sure, Chair Payne and uh committee member Williams, that's that's a really great question.
And it is often a feeling of being between a rock and a hard place when it comes to audit.
We do have the good fortune of being able to provide advisory services, and those advisory services, in my opinion, are incredibly important to be built into governing bodies, to be built into enterprise risk management committees and to be built into policymaking committees.
Um, and so all of those committees, when they are forming, when they are uh even considering um in individual policy, audit should have a seat at that table because audit can look at things through a uh a lens of risk and provide recommendations in live time.
And so audit does have the ability in those situations to be um be live-time help, to be proactive help in that way.
As far as looking at, I mean, your assessment on this 40 days from now versus 120 days ago, I mean it's spot on.
And that's why the enterprise risk management recommendation is the key.
That's why it is the conclusion to this year's risk uh assessment, because that is the that is the foundation for uh the city to be able to uh respond, react, but in a manner that is prepared.
Uh, I do think that based on our observations over the last five, six weeks, the emergency operations division as well as communications and and others across the city um have done a job that um they weren't expecting.
And I do think that they demonstrated some good um preparation for responding to that.
Um but to answer your question specifically about audit, I think we just need to continue to offer our services in live time for those advisory services.
When we get to the audit plan, you'll see we did build in some time for that.
Um, and we also need for others, including folks on the audit committee, to remind those uh those bodies, those committees, those decision making um leaders that they should be talking with audit.
They should be thinking about risk, and if they're not doing that, they should be asking audit to be thinking about risk, and that's a service we can offer.
Yeah, I would add um building off of the advisory services component.
Uh, after the Lake Street raid in June, that after action review had a number of recommendations, including strengthening the separation ordinance and including some operational changes to how communications happened.
And we passed that separation ordinance strength, the strengthened separation ordinance in December of last year, and when Metro Surge was stood up, we certainly learned from the June incident and the lack of communication and had much better communication between council members and um and our emergency operations and the joint information center, which is the component of emergency operations that we most tied into.
So I think part of it is just understanding what the risk assessment scope is and then also being having systems structures and resources in place for other aspects of our audit capacity so that we can be much more responsive.
So, and I think the advisory services is actually a reflection of that.
So yeah.
Thank you.
Uh not seeing anyone else with comments or questions.
I will uh direct the clerk to receive and file this report and direct staff to publish the report, and we will take up item number six, which is receiving and filing of the 2026 audit and strategic plan for approval.
And I will once again have Mr. Timmerman present on that item.
All right, thank you, Chair Payne Audit Committee.
Um, the audit plan and strategic plan this year.
Um, we will uh cover what's different about it.
We will talk about the purpose and the background.
We'll get into those audits that we are proposing for 2026, and then we will cover the new strategic plan, which the office has not uh formalized in the past.
So, what is different?
And this is all in the audit plan report uh in the executive summary, but as I mentioned, we separated out the enterprise-wide risk assessment because we want that to be a document that leaders can use in their decision making, but we also want the audit plan to be a document that you as the audit committee can use, the city council can use, and other leaders can use to know what's coming up this year.
We included our updated mission, vision, and values.
Uh, I know I've shared these in the past.
We're also going to uh share them and attach them to the RCA with the auditor updates uh with this uh audit committee meeting so they get into the uh the public record.
Um we prioritize work by considering risk capacity and optimization of auditor hours.
We developed preliminary objective questions for each audit, uh which will help get the audit rolling more quickly, as well as the preliminary scope for each audit.
And we also added strategic priorities, which we'll get to.
Alright, so as I mentioned, we included in our report this year our updated mission, vision, and values.
Um, in the last year, we updated all of these.
We developed a vision statement, which we had not had in the past, and we documented the values that lead our work each and every day.
Uh independence and objectivity, of course, are the guiding principles that we safeguard closely, but it's important that we also uh document the values in which we uh want to bring into all of our work.
The audit plan informs the audit committee, the council, administration, and members of the public of our planned activities for the upcoming year.
The city ordinance and professional auditing standards require this work.
It is designed this year to be flexible as new risks may emerge.
Uh so committee member Williams, we are trying to maintain some hours to be flexible, as you noted.
Uh and then also the uh the plan is intended to be flexible.
So if something does come up, we can bring changes to you uh and update the audit plan throughout the year.
All right, so the purpose and background of the audit plan, the as I mentioned, the uh city ordinances require the uh Office of City Auditor to follow two sets of govern of auditing standards.
One is the government auditing standards, and one is the global internal audit standards.
These standards require strict adherence to ensure accountability, transparency, and quality in all engagements.
They also require planning, which the audit plan does for 2026.
This is the first year that we've looked at or considered resource utilization.
It is standard in many government audit shops to calculate based on a 70% resource utilization rate, which means that of your auditors, you uh start with the assumption that 70% of the 2,080 hours is auditable hours.
This year, because of some of the strategic priorities that we have, because half of our staff is new within the last three months, and we have two more staff that we'll be bringing on in the coming three months that we've developed this calculation based on a 50% utilization rate.
These are estimates, these are things that are adjusted throughout the year, and you'll see that when we get to the audit plan, we've indicated how many hours we think each audit will take, which we also need to be flexible with.
All right, so as far as the audit plan goes, we'll start with those that are in progress.
Um the body worn camera audits, those are effectively done, maybe a few hours left here just to wrap things up as far as getting things attached to the RCA, things of that nature.
Um we've got the after action reviews of the death of Alison Lucher, the shooting of Davis Maturi.
Um we believe that this work uh will use a few hundred more hours uh internally as well as more time uh from our contracted uh law firm that's helping with this work.
We've got the NSD contract management and contractor oversight audit.
This is in the works.
Um, this is scoped for 2020 to 2025.
Again, with any audit where we're looking at contracts or vendor payments, uh we are going to create and reiterate recommendations for contract oversight for the enterprise as a whole.
Um, and so we expect there to be some recommendations for enterprise-wide policy and oversight changes that come from this particular review.
Uh, a new audit that we will begin, and we've uh actually started some of the preliminary work is uh reviewing the behavioral crisis response program.
Uh is the contractor meeting requirements that are outlined in the contract with the city, is the city providing effective oversight.
Um, so this one is uh one that is owned by the fire department.
Uh Meet Minneapolis, we're going to take a look at the contract and the relationships with Meet Minneapolis.
It's been many years since this uh organization, quasi-governmental organization was audited.
So we will be taking a look at that.
They have certain key performance indicators there to meet, so we will use those as audit criteria.
Um we will ensure that they have effective internal controls and that those are being followed.
Uh ShotSpotter was one that the uh city council had requested.
That is one that is in the works uh right now as well.
Um that is looking at the placement of sensors based on uh objective shooting data rather than demographic factors.
Um we want to be able to develop a an opinion or a conclusion about the effective level of policing in specific neighborhoods related to the placement of those.
We'll look at average response time and uh effectively make an assessment on the benefits of that program overall.
Body worn camera.
So we heard about MPD's body worn camera program today.
We presented one for Parks police also has to you last year, and we'll be presenting one again this year.
So those body worn camera audits we'll see pretty regularly since they are required.
The management of after action reviews.
Data governance has been a hot topic.
It came up quite a bit in our risk assessments.
Keep in mind our risk assessment informs our audit plan.
Data governance: is the city efficiently, or sorry, sufficiently managing the data that it creates?
What does ownership of data look like?
And what does training in this area look like?
So as you can imagine, the city creates data with every meeting, every word that we speak in public, every camera that we have, and so there really does need to be a robust overview of the city's data governance.
Continuity of operations, this is one that I think any organization should audit regularly, certainly with some of the things that have occurred in the last five or six weeks.
Citywide fleet management.
Does the city have effective design controls and processes in place to manage its vehicles?
This is one that the Office of City Auditor did uh years ago, but I think that it is an important one, especially as technology has developed as far as GPS tracking and the efficiency of vehicles as well.
We have an IT auditor, which we are blessed to have.
I think many organizations find it difficult to staff an IT auditor.
And so we are going to be inventorying the software across the city, something that we'll work closely with IT, and then we will start doing access audits.
Of course, we want to make sure that only the right people access the right systems.
And this inventory will also help us develop future IT audits down the road.
With the City Council's investment in the Office of City Auditor, we committed to developing a program evaluation process or report that is similar to what the office of the legislative auditor at the state level has.
These will be deeper dives into programs, units, or functions within the city.
They will act as uh half educational report for the audit committee in the city council and half audit report where there are recommendations associated with each program.
To get that work started, we have selected three programs to evaluate this year.
One is the misconduct complaints intake in the police department.
Another is the ethics board policies implementation and oversight.
I think it is important that not only we ensure that staff are following all of those requirements, but that the ethics board itself is making sure that those are relevant, updated, and aligning with the work that is continuously changing throughout the city.
And then the last program evaluation will be the permitting process within CPAD from a resident requesting an application all the way until the certificate of occupancy is granted.
So we have a lot of work this year.
I am hopeful that we will be able to effectively implement our resources.
And as I mentioned, we did save some time for that ad hoc fraud, waste, and abuse investigations, on-demand advisory services.
1,200 hours is certainly not enough for all of this, but it is the placeholder, and then we adjust as we need to.
So again, this is intended to be a flexible and fluid plan.
Hopefully, it is a realistic plan for 2026.
All right, so then getting into the strategic plan.
As I mentioned, we have not uh developed or communicated a strategic plan in the past, but I think that it's really important for our office to continue the momentum that we've created over the last year.
Um the first item on that strategic plan is to complete our organizational right sizing.
Um we need to ensure that all of our recently hired team members are fully integrated and equipped to succeed.
We need to operationalize our quality assurance and training manager, who I would like to welcome today, Jessica Peterson, who's joined us.
She will be joining the Office of City Auditor's leadership team, developing our quality review program as well as helping build out our audit manual.
This role is paramount to us meeting audit standards.
Um, and Jessica will be helping us invite the association of local government auditors in 2026 to audit our shop.
As I've shared with some of you in the past, we have spent a lot of time strategically this last year in 2025 getting the shop into a place where we will be meeting professional audit standards across the board, and any recommendations that we receive from that review, we will share with the audit committee.
We will adjust our practices because it is important that the auditor gets audited and that the auditor follows up on recommendations we receive.
The second item on our strategic plan is to strengthen auditor resources.
We want to develop that audit manual I mentioned that will guide auditor work.
It will assist in ensuring we're also meeting professional requirements.
We're going to refresh all of our audit work papers, our presentation templates, our reports.
We've done a good job of updating a number of these templates, especially the public-facing ones over the last year, but it has been kind of a building effect, and so now we want to finalize these, get them as templates within our own work.
We want to implement a structured quality review process to create actionable feedback for auditors, and we want to promote certifications and participation in conferences and trainings so we can maintain cutting edge expertise.
The third item on our strategic plan is to uphold professional standards.
We want to maintain the highest standard of audit quality and compliance.
That's that quality review function I mentioned.
As I said, we're going to engage ALGA to perform a peer review of our work, and we're going to expand internal training opportunities.
We're all required to get give or take 40 hours of CPE a year, and having the quality review, or sorry, quality assurance manager on board, we're going to actually be able to perform some training in-house, which will be a cost savings to our office.
And then the fourth item, enhancing independence.
This is something you've heard me talk a lot about over the last year.
We've done a great job enhancing independence in 2025.
We're going to continue that momentum in 2026 to further strengthen our organizational autonomy.
We will recommend revisions to the city code to further clarify independence and align with professional standards.
When we wrote the audit committee rules that you approved at your organizational meeting uh last month, there were some items that I identified that could be strengthened within city code.
So we will work through those.
Um and then we're also going to collaborate with the city attorney, IGR, and state legislators to secure uh necessary authority for our office to get subpoena authority.
Uh there does need to be some uh state legislation that occurs, but um there is a path to get there, and I think having that subpoena authority will certainly help us down the road.
The last item on our strategic plan is to advance non-audit projects.
Um we've talked about a few of those already, but we want to enterprise uh finalize our enterprise-wide workforce optimization and comparative benchmarking study to provide city leaders with information to enhance strategic and budget planning.
That's a study that um we brought on a vendor um called 65th North Group to help with to look at five sister cities to determine um are our staffing resources in the right places, might we learn something from other cities?
Um, so really more of a study with some soft recommendations, but that should be released at our April audit committee meeting.
Um we want to develop an auditable universe of all units and programs and divisions across the enterprise.
I mentioned this with software systems, but we also want to do this uh to develop a full universe of auditable functions in the city that will help inform our audit plans going forward.
Uh and then, as I mentioned, that centralized inventory of software.
All right.
So that's a lot.
I feel like I'm losing my voice.
Um, but as I transition to taking questions, I do want to note the back page of the audit plan.
I took the liberty of uh using white space because uh I needed to offer some gratitude.
Um, I think that the staff in the Office of City Auditor has done an amazing job in the last year.
I think that we have been responsive to some requests from the audit committee, some requests from the city council, um, and I think that with pleasure they've taken on some very difficult work.
Every day they demonstrate integrity, professionalism, and a commitment to excellence.
Um I also want to express my gratitude to the audit committee, to the council, to leadership across the city.
Uh I do think that uh just in the year that I've been here, there has been some real acknowledgement that the audit function was asked to step up.
The audit function in 2021 was asked to become more visible, and voters through the charter change in 2021 built the Office of City Auditor and created the city auditor position.
And so over the last year and over the next year, uh we will continue to try to elevate the function of the Office of City Auditor.
But I do think that with your support, with the council support, with staff support, um, we're well on our way.
So thank you for your support.
All right, that is it for the audit plan.
Hopefully, I can answer any questions you have about that.
Any questions from members?
Well, I I will just say uh much gratitude to you.
I mean, your very first day you were in council chambers and the family of Alice and Lucia were demanding justice, and I mean you stepped completely into that space, and you know, we're waiting with great anticipation for the conclusion of that investigation.
But the fact that you were able to just move so adeptly through just many, many challenges throughout the last year.
It's it's just much gratitude to you for that.
So thank you.
Thank you.
Uh, Chair.
And seeing no other questions or comments, I will direct the clerk to uh receive and file that report.
Uh and may I have a motion to approve the 2026 audit plan.
So moved.
Second.
All those in favor say aye.
Aye.
Opposed say nay.
The ayes have it, and that carries.
And last is the report of the city auditor, and I will again welcome Mr. Timmerman.
All right.
Thank you, Chair Payne and audit committee.
I will try to be quick through these first few slides because we've talked about a number of these things.
But as is our tradition, we we'd like to provide you an update of the work in progress, what we've done since we last met.
And so we will cover completed and in-progress audit work.
We will uh just quickly highlight uh fraud, waste, and abuse investigations.
As you know, those are um things that we normally just share the number of of uh reviews we're working on because of the sensitivity of those.
Uh, and then we will talk about those prior audit issues and findings that have been closed.
Uh finally we'll close it out with some personnel updates.
Uh, I introduced Jessica, but I'd like to introduce two other uh new auditors as well.
So we'll do that at the end, and then uh I'll just get some documents in the public record that I want to make sure are available to the public.
All right.
So completed work.
We talked about MPD body worn camera audits.
So we also talked about ALPR audit.
We're just gonna keep going.
Uh we also talked about the risk assessment and the strategic audit plan.
Other progress or in progress work I I briefly talked about, but we will uh just quickly highlight these to make sure that I didn't miss anything.
Uh NSD, we're doing that contract management audit I mentioned.
The objective of that is to review the NSD contract process, including administration, management, reporting, oversight, and monitoring to ensure that controls are established and operating effectively.
This is currently in the field work stage.
We're getting good cooperation from NSD.
Um, do we have an estimate June?
April.
Uh we're looking at April for a release of this particular report.
Uh the parks body worn camera audit.
We just sent out the uh the kickoff notice for that, I believe last week.
So that one uh now that we've done a couple of these, we'll go rather quickly.
Um the after-action reviews, these um, I do hope that um we will have them wrapped up.
Our plan is to have them presented at the April, either audit committee or some other structure of a committee.
Um I know that there's significant interest both by the public and the city council in these uh reviews, so uh we may uh work with the clerk in the attorney's office to combine committee meetings with the city council, but more to come on that.
So please know it will either be at the April 20th audit committee or sometime around then.
ShotSpotter, we talked about that's to analyze the effectiveness of that program.
We are in the planning stages, we've reached out to notify on that audit as well.
Uh Meet Minneapolis, we are doing preliminary background research in this particular audit.
And uh we talked a little bit about the 65th North Group contractor that we're working with on the workforce optimization and comparative benchmarking review.
That too will be presented in April.
So I will warn you we will have a very heavy April audit committee meeting, which is another reason that possibly splitting out uh those after action reviews into a separate meeting might make sense.
So uh as I mentioned, we'll we'll share more once logistics are sorted out.
All right, I will hand it over to Siddhartha Pudyal, our internal audit director, who will cover uh the last couple items, and then I will close out with uh some staffing and budget updates.
No, Chair Payne and the members of the audit committee.
So right now we have uh two open investigations that we're working on right now.
And regarding some of the prior audit issues, uh we have right now seven open audit issues, which is so they're still not being remediated, and the entity um completion date has not been expired.
So anytime it's not due yet, we put that in that bucket as open audit issues.
Uh there are like 204 of them are overdue, which is beyond that we received in our office, and we're right now basically going through all the supporting documents and their memos to validate whether they have been completed or not.
So since the last audit committee meeting, we have closed two of the issues, and majority of these overdue issues, and the plan was to complete some of these MPD open audit issues related to fleet management as well, but due to the events that had been going on in the city.
But the plan was to do that.
But since with the drawdown of the ICE officers, so hopefully we'll be able to follow up with them to close some of these out.
Because some of the open issues were related to MPD who were involved in that, and NCR who are involved finance.
So because of that, they wanted to prioritize that work first.
And we agreed with them as well.
But we have been in constant touch regarding some of these open issues.
So we'll be closing more in the upcoming uh audit committee meeting.
So the couple of our audit issues that we closed.
If the first one is related to 2022 hiring and promotion process audit, uh it was related to appeals, grievance, and other concerns.
So right now we just have like one left uh regarding this audit, which will I'll cover in the next few slides.
And the next one that we closed was 2023 revenue and collection phase one uh related to issue number two, which was oversight and monitoring.
So right now uh these are the list of all the reports with uh at least one open audit issues.
Um, and uh per the recommendation of the audit committee.
Uh we have started um highlighting all those open audit issues in detail so you can see the audit uh and the issue number and the title and the issue rating and um and the issue due date as well.
So any time it's overdue, we just put those at the status, anything validation in progress.
We also put that in the status and um and anything that has not due yet, so we just put that tentative um time or date that's they are due as well.
So uh quickly going through some of these open audit issues.
So the there are three open issues related to 2019 MPD off duty work, and MPD did provide that their update at the December 8th audit committee meeting.
So as they made aware about some of these issues, so some of them is like are like technology related where in which like they're trying to actively resolve uh some of these issues and some of these like policy requirements and oversight and monitoring.
They will be working as well.
Uh so there is one open issue related to 2021 uh personnel work issued mobile device policies and controls audit.
Uh so we've been working with the management uh to close that one issue with the data related to data governance as well.
So related to 2022 hiring and promotion process audit.
So there's only one open issue right now related to job studies and class maintenance studies.
Uh so right now, so the HR is trying to implement that new process.
So for us, so basically we're just gonna observe what's that completion would be at least at the end of the Q1 2026, and based on what they have implemented, uh, most likely either in April or June audit committee, we should be able to close this one out and uh remove this uh as a project, right?
As an audit, um, so we'll be able to close all the issues related to this audit.
Um related to 2023 revenue and collection phase one audit, we have two open issues.
Uh issue number five, asset safeguarding and security, and also the mail handling.
So some of these are partially completed.
So basically, we're just waiting on that last portion of the pieces of the issue so that we can completely close them out.
But management is working on completing these two issues right now.
So the next one is related to 2023 sexual assault examination kit special project follow-up audit.
And these uh two issues are non-public, so we won't be able to discuss that in public.
But the management did uh provide that update uh in June 2nd, 2025 audit committee meeting, but um we'll be following up with this issue and also um so because these two issues and the MPD property management uh and evidence audit, those two issues are uh like us in the same vein.
So um we still have seven open issues related to these, but we'll be working with management to resolve uh some of these issues as well.
Uh so the next one is 2023 P card spending audit.
Um so there's only one open issue.
Uh we're just waiting.
Uh we know some of those work has already been done, but basically we're just waiting for management to provide the official um memo that we normally require the management to complete as well as the supporting documents, but we know for fact uh so this work has been almost completed as well.
So basically we're just waiting on uh some of that supporting documents for us to close this one out.
And the next one is the 2024 MPD fleet management audit.
So right now we have uh nine open issues uh open right now, and at least based on our conversation uh with uh one of the commanders who is responsible on working some of these.
So there are already some of the uh issues that has already been closed, but we haven't received the appropriate supporting documents to officially close them out, but we'll be working with them in near future so that we can close some of these out for the next audit committee meeting.
So the next one is related to 2024 NCR city funding to neighborhood organizational audit.
Um so there is only one issue left for this one related to NCR risk assessment, uh, but we are working uh with them to close this one out.
So the due date for this one was um uh January 31st, 2026.
So um because of what they were prioritizing, uh, we were not able to close this one out, but we'll be working with them to resolve this issue as well.
And the next one is um the MPRB revenue and collection audit.
So this is the audit report um was issued during the December audit committee meeting, and right now we have seven open issues.
Um, and most of these for most of these issues, um, the completion tentative completion uh date is June, either June 30th, 2026 and December 31st, 2026.
Uh for issue number two policy and procedures, uh, because for most of these issues, there are two-part um management action plan, one from the finance department and another one from the IT department.
So for the issue number two policy and procedures, the IT's um tentative timeline was by end of the year 2025, which we already validated, and they have already completed their piece, but we're still waiting on management uh finance department to complete their portion of the management action plan, which is not due until June 30th, 2026.
So once they do that, we'll close this issue as a whole at that time.
So that's why even those half of the work is complete, we will still keep that open.
And now I'd like to any questions before.
Thank you, Chair Payne.
Uh, just a comment um for the 24 overdue um items, and you've related to this.
Um, I know April sounds like a big meeting.
Um, and I think whatever folks have needed to do to get through the last eight weeks or more is what they need to do.
So I understand like deprioritizing some of this, but if we could either via the meeting or otherwise just get a more um list by list update of some of those, um that would be really helpful either at the um April meeting or after that, just because several of these are still kind of in that bucket of 2019 and yeah, kind of some some older ones that I think would be helpful just to get more of a insight, and then once again, how can we as the committee help move those forward as well?
Um but yes, no expectation today after what has happened to have that move forward, but I think that shouldn't be a continuous trend as we try to work through those.
So thank you for that.
Thank you.
Seeing no other questions, all right.
All right, Chair Payne Audit Committee.
Um, just to close things out here, I wanted to provide a couple administrative updates.
Uh, I introduced Jessica Peterson.
I'd like to also introduce my Myra Hagley, who joins us from the City of Atlanta as an internal auditor two.
She has hit the ground running and is already um taking on efforts leading an audit project.
Remind me which audit project you're starting.
Oh, Meet Minneapolis.
The Meet Minneapolis audit project.
So thank you, Myra, for um being ready to go.
Um, Stephen Kolfa also joined us recently as an auditor one.
Uh, he joins us from the private sector, has already been pulled into a number of audits, and so I am excited to have them both on board.
Um, quickly, as far as budget goes, I alluded to this, but formally I wanted to share that the um the 2026 budget did fund 14 FTEs for the Office of City Auditor.
Um if you remember, we were uh looking for 15 FTEs, and so I am incredibly grateful that we got as close as we did.
I'm grateful to the audit chair for his work in this area as well as uh the city council and their support of our work.
Uh the vacancies that we currently have are the director of special review and advisory services.
So this was budgeted, but we had to go back to the city council because of the um of the specific classification of this position.
So the council just, I believe last week approved that, so it should be getting posted within the next week or two.
Um, and then our last position uh is in development right now.
It's an auditor three lead worker position.
It will act as a lead worker over um supporting both of the divisions in the office.
Um the final budget update is that our contractor working on the after action reviews um because of the uh significant amount of time that this um this review has taken.
We do need to request some additional funding.
So we will be doing that with the um city council in the next cycle.
That would be um out of our existing 2026 budget.
Uh, and as I mentioned, with this work, it will be presented in April.
Um I will not go into these documents too much because you've got sorry, you've got paper versions.
I also shared them at our last uh organizational meeting.
Um, but I do want to get them into public record, it makes it a lot easier to link to them on our website.
Um, and so we've got the one-pager which is on the screen.
Uh, we will have the organizational chart as well as our mission, vision, and value statement that those will all get attached to the RCA after this meeting.
Um, just to wrap things up, I wanted to provide a uh a final reminder about email communications.
The clerk's office is advised that we uh email just to city email addresses, so personal email addresses for audit committee members.
Um although we occasionally still send you things just to make sure you get them.
Uh please just make it uh a habit to check that @minneapolismn.gov email that you have.
Um then also as we always remind you, please don't reply all.
We want to avoid any serial meetings.
All right, that is it.
That was uh enough for one day, I think.
But if you have any questions related to the auditor updates, we'll stand for those now.
Not seeing any.
So thank you for that presentation.
Thank you.
Uh I'll ask the clerk to file that report and seeing no further business to come before us, and without objection, I declare this meeting adjourned.
Discussion Breakdown
Summary
The Audit Committee met on February 23, 2026, to review compliance audits for police technology, discuss enterprise-wide risks, and approve the annual audit plan. Presentations highlighted regulatory adherence with recommendations for improvement, and members engaged in detailed discussions on future oversight priorities.
Consent Calendar
- Unanimously adopted the meeting agenda.
- Accepted minutes from the December 8, 2025, meeting and the January 26, 2026, organizational meeting.
Discussion Items
- Biannual Body-Worn Camera Audit Report: Director of Internal Audit Siddhartha Pudyal presented findings that the Minneapolis Police Department (MPD) complied with state regulations. The audit office recommended establishing a process for independent third-party review of SOC reports, formally approving existing standard operating procedures (SOPs), and updating password configuration requirements to at least eight characters.
- Automated License Plate Reader Audit Report: Mr. Pudyal reported similar compliance by MPD and echoed recommendations for third-party review and SOP formalization. Committee members inquired about data sharing practices and retention schedules.
- 2026 Enterprise-Wide Risk Assessment: City Auditor Mr. Timmerman identified four key risks: budgetary impacts from federal operations (e.g., Operation Metro Surge), safety concerns, contract oversight gaps, and city culture and trust issues. He emphasized the need for enhanced enterprise risk management and proactive safeguards.
- 2026 Audit and Strategic Plan: Mr. Timmerman outlined planned audits for the year, including evaluations of the behavioral crisis response program, Meet Minneapolis, and ShotSpotter technology. Strategic priorities focused on organizational right-sizing, upholding professional standards, and enhancing independence, including seeking subpoena authority.
Key Outcomes
- Received and filed the body-worn camera and automated license plate reader audit reports.
- Received and filed the enterprise-wide risk assessment report.
- Approved the 2026 audit and strategic plan.
- Closed two prior audit issues from the 2022 hiring process and 2023 revenue collection audits.