• Our visits included knowledge assessment of staff, site profile discussion, site tour, open Q&A session with supervisors and guards, review of demonstration of safety or security components including observation of physical infrastructure, duress buttons, cameras, radios, locks, lights to assess whether they were functioning at the time of visit.

• Reviewed security service provider contracts and performance terms and nature of protection services available.

• Assessed management's oversight/governance process over the security vendor.

• Reviewed City documentation to determine if legislative requirements are incorporated into H&S documentation and procedures.

• Reviewed and analyzed incident management mechanisms including event reporting protocols.

• Reviewed practices in place for evacuation drills.

Scope limitation

Given current funding, a formal risk assessment for site selection and future planned sites has not been completed. As such we are not able to conclude on the sufficiency of the security threat/vulnerability/risk assessments (TRVA) control.

Overall assessment

Overall our assessment of Security Incident Prevention and Mitigation at the City is one of​ ​No Major Concerns. We identified areas where one significant internal control ​weakness was noted which is reported in the Private and confidential package.

A total of ​four findings​ have been identified surrounding the Resource Allocation and Incident Monitoring area whereas t​ wo considerations for improvement​ have been provided as well.

Management comments

In the absence of a centralized corporate security division, a single responsible party does not currently exist. A report to council dealing with the results of 5 facility security risk assessments, and a security master plan is anticipated later in the year. Administration will be seeking council direction, including the option to establish a centralized corporate security division.

Management agrees with the recommendations, and has provided specific action plans in the Detailed Observations section, however, pending the outcome of the aforementioned report to council, a responsible party is not identified for some management action plans at this time.

(Additional details provided in ‘Appendix A - Security Incident Prevention and Mitigation Internal Audit Report’)