Scope limitation

Given current funding, a formal risk assessment for site selection and future planned sites has not been completed. As such, we are not able to conclude on the sufficiency of the security threat/vulnerability/risk assessments (TRVA) control.

Overall assessment

Overall, our assessment of Security Incident Prevention and Mitigation at the City is one of No Major Concerns. We identified areas where one significant internal control weakness was noted, which is reported in the Private and confidential package.

A total of four findings have been identified surrounding the Resource Allocation and Incident Monitoring area, and two considerations for improvement have been provided as well.

Management comments

In the absence of a centralized corporate security division, a single responsible party does not currently exist. A report to council dealing with the results of 5 facility security risk assessments, and a security master plan is anticipated later in the year. Administration will be seeking council direction, including the option to establish a centralized corporate security division.

Management agrees with the recommendations and has provided specific action plans in the Detailed Observations section; however, pending the outcome of the aforementioned report to council, a responsible party is not identified for some management action plans at this time.

(Additional details provided in ‘Appendix A - Security Incident Prevention and Mitigation Internal Audit Report’)