Audit and Finance Committee Meeting Transcript – 11/18/2020 Title: City of Austin Channel: 6 - COAUS Recorded On: 11/18/2020 6:00:00 AM Original Air Date: 11/18/2020 Transcript Generated by SnapStream Please note that the following transcript is for reference purposes and does not constitute the official record of actions taken during the meeting. For the official record of actions of the meeting, please refer to the Approved Minutes. >> Tovo: chair, i serve on visit austin with the mayor. I'll be leaving as well. I thought i would go for a bit and then come back. I didn't realize that one of our other colleagues was also leaving. That would leave you without a quorum. >> alter: i think councilmember pool is here so we should be fine. >> tovo: okay. With just two? >> alter: no, because councilmember pool and flannigan and i are staying and you and mayor adler are leaving. >> flannigan: i plan on attending visit austin as well. >> alter: all right. Let's get started and maybe we'll take a few of the things that we have to vote on quickly first if you're going to go quickly. Good morning, my name is alison alter, chair of the audit and finance committee. It is 9:32 a.m. And i'm going to call this meeting to order with all members on the virtual dais. I'm going to entertain a motion to approve the minutes? Mayor adler, seconded by councilmember flannigan. With no objections that motion is approved. I am wondering if we should take up four and five quickly so we can make sure we have the votes on those. Number 4 is the 2021 audit and finance committee meeting schedule. Is there any update we need, ms. Stokes? >> sorry, i was muted. Just a quick update. I think the version that was posted in backup reflects this, but it shows november 9th, was a tuesday and it should be november 10th, which is a wednesday. The other thing is around the summer break time we may want to adjust the meetings but i'd like to get something on the calendar now to make sure we hold space for audits that may be coming out at that time. >> alter: thank you. Do i have a motion to approve the calendar? Councilmember pool makes that motion. Seconded by mayor adler. Thank you. If we can jump to item 5 on the bylaws. >> yes. Stephanie is actually in city hall right now in the clerk's department so we're going to go ahead and get her and let her know that her item is coming up. >> alter: so the remainder that we have on the agenda, we have future items. Does anyone want to raise any future items at this point? I'm not sure how quickly we'll get stephanie down here. Okay. We may have a future update regarding facilities and also on the small minority business program in the near future. The other two items that we have on the agenda are the software licenses audit, which we will need to take a vote on, as well as the overview of the audit process, which we can do after folks leave. Is stephanie on yet? >> she's on the way. Should be here in just a couple of minutes. >> alter: okay. Why don't we go ahead with the software licenses audit and if one of you at least can stay for us to be able to vote on those bylaws quickly at the end of that, that would be great or we can pause if she comes on to do that. >> great. So this is our software licensing audit which is managed by patrick johnson and kelsey thompson is the lead and she will be presenting today. So kelsey. >> good morning, committee. My screen is black here. I don't know if you can see me or not. From my view it's black. You can't see me? I'm not quite sure why that's happening. Apologies. I'll just push onward. >> alter: we can see the screen, but not you. >> that will be fine. Good morning, my name is kelsey thompson. I was the auditor in charge for the software licenses audit. Our objective was to review if the city is is managing software licenses to minimize cost as well as maintain compliance with applicable requirements. Next slide, please. So software is a significant piece of the city's i.t. Spending with every department using software licenses to accomplish their mission and there are several phases to managing software licenses effectively from strategically planning what software licenses you need to disposing of software licenses you no longer use. And this is how we thought about what managing software licenses means throughout this project. Next slide, please. We found that the city could identify ways to save money and improve the compliance of its software licenses if the city had an inventory and citywide management of software licenses. Next slide, please. So throughout the project we used the government accountability offices or goa's leading practices to understand or compare to how the city is managing software licenses. And we found that the city has not implemented these leading practices. And i'll go through each of these in detail in the following slides. Next slide, please. The next of the gao's leading practices is centralized management. However, the city's management of software licenses is decentralized. Ctm is the city's primary i.t. Department and ctm manages some licenses while others are managed by departments with some departments managing licenses for other departments outside of ctm. Also there is no centralized compliance monitoring function so how departments monitor compliance and security of software licenses depends on which department is managing the software license. And lastly, there is no centralized way to prevent employees from using free and unmanaged software, which puts the city's data at risk if it is not under a formal license agreement. Next slide, please. The next of the gao's leading practices are to have a software inventory and track and maintain that inventory. The city does not have a software inventory and does not know how much they have or how much it costs. We have a project that will include software licenses and staff project to be completed in 2004 and 25. Next slide, please. City departments often make the decision about how many office 365 licenses they need and that is often outside their control. A system to analyze license usage data would allow the city to better assess the need for all software licenses, including office 365 and potentially identify opportunities to save money. Next slide, please. The last of the gao's leading practice is to provide sufficient training regarding software license management. And there are also no citywide policies, guidance or training specific to managing software licenses. As a result it is not always clear to departments who has what responsibility for managing software licenses. Next slide, please. To address these issues, we recommend that the city's chief information officer continue working with city departments and continue their efforts to develop an inventory and include software license counts and associated costs in that inventory. It is consistent with GAO's practices. Next slide, please. Thank you. And we are happy to take any questions. >> Alter: Thank you. Before we move to management for their response, I just wanted to note for those who are dipping into the meeting for today that the audit and finance committee has determined that as a city we can make improvements in our I.T., in our technology area, and we've asked the auditor to do a series of different reports looking into this area. And this is one of several that we are using to improve our approach to technology. And one of the reasons that [9:41:44 AM] we asked the auditor to do her broader overview and what the auditor does is that, you know, when we go in and we find this stuff, we're going in thinking that we have a challenge and we want to have the device and the input from auditor to be able to address challenges. So as we go through this process I think that broader perspective on how the audit and finance committee works and what the auditor's role is is important to keep in mind to assess as we hear things back. Mr. Stewart, would you like to provide management response, please? >> Definitely. Thank you for the opportunity. It was great working with Kelsey and team to get here. We wholeheartedly agree with the assessment. We agree we need to do quite a bit better. The good thing of what was in the audit is we are already moving down a path of the system of record where we would keep our software licensing so how we [9:42:45 AM] manage it. That came from a previous audit that came from the hardware that knows what hardware we have so that our security team can know what's out there to help protect us that we know what we have out there. We'll roll into that as well as part of our program. It's programmed into that as we get our hardware in, we'll get -- we already know how we're going to income and what system we're going to do that. It's already in place, so we're on board with that. The audit did spell out some of the challenges we have where it's the chief information officer's responsibility to do this for the city of Austin, but that person doesn't have the access or authority right now in the way that we are decentralized. So it does call out that decentralized manner. We'll have to work with departments on finding a solution to that so we can all make sure that [9:43:47 AM] everybody's inventories are in the same place and centrally managed but we think we can get there. >> Alter: Thank you. Colleagues, do folks have any questions or comments at this time? So I have two short ones hopefully. One is do you envision that the authority that's mentioned in here going to ctm is sufficient for you to be able to manage the challenge that has been laid out in this? Because I understand that part of the problem is the authority has to be clarified through various I.T. Committees. Is that sufficient or do we need to be taking additional steps? >> I think we can do that through our steering committee headed by deputy city manager and Arellano. I think we can clarify part [9:44:47 AM] of the phrasing there that the responsibility is well laid out, but the authority part of it we can work on. But in the meantime we can get a whole lot done even without that being any more clarified than it is today. >> Alter: Can you please clarify the asset management system is going to take until 2024, 2025 to implement? >> Sure. That's the entirety of the program. So I.T. Assets, we want to start with hardware. We're already starting that process. We'll have significant numbers of hardware in the next few months, then we're going to move on to software. So we're going to have software assets into the system I would think the next calendar year. The majority we can find will be in there. I.T. Includes data and when he we start talking about [9:45:49 AM] data sets, that becomes complex. Take your data and classify as an asset and track it as an asset. It's a bit loftier. But our primary goals of hardware and software, we're going to get that done quickly in the next year and we're going to find more and more software. There's thousands of pieces of software. We want to identify those meaningful to us so it's a lot of expenditure, for example, that we're managing those very, very well and we don't want to spend too much effort and money and resources on software that isn't going to really provide that value. So it's the entirety of the project that will take several years to get our hardware and software is not going to take very long at all. >>. >> Alter: Mr. Flannigan? >> Flannigan: I'm interested in ctm and the departments requesting license. It's awkward, Mr. Stewart, [9:46:50 AM] to have you here answering when I think departments are likely more on the hook for asking for these they didn't need. But there is kind of a missing voice at the manager level to talk about how we're going to navigate that relationship. You know, if we're going to give ctm authority, then that's kind of a manager level conversation to say what does that look like? If a department is going to ask for 100 licenses, is ctm going to say justify your licenses? Because I don't think that's how it's been working in the past. We've been supporting departments instead of overseeing their requests. So I'm interested in that and wanted to note that for folks who -- especially if there is any media story about oh, the I.T. Department has this huge issue. Well, it's more of a distributeive problem than just a problem in I.T. To the auditor, was there any -- as you did your research on this one narrow channel, the office 365 [9:47:51 AM] channels, obviously there's more than that, was there any indication this is an equal problem or were there outliers that showed that maybe one or two departments were the larger offenders in asking for more than they needed? >> I wouldn't say that we found it was an outlier. We kind of looked at the framework of the entire system and noted these larger issues at that level and zeroed in on the office 365 licenses because it is so large and kept our review there. I don't believe we really have the information to answer that at this time because we focused on the systemic issues. >> Flannigan: I don't know that it's particularly actionable information because I.T. Is already going about fixing this problem, so I'm encouraged by that, but I do think there's a conversation to be had with cmo at the table, the city manager's office, to talk about how the managers navigate the [9:48:52 AM] relationship shift between departments and ctm. >> And I will just note to the extent that I can in open session that that relationship and the broader -- broader issues between ctm and the city manager's office are shifting and are -- we have a robust governance structure in place that is moving forward to make sure that we are in a position to address our technology and our cyber -- and our cyber needs for the city. Does anyone else have any questions that they want to raise at this point in time? So thank you, auditor's office, miss Thompson, and thank you, Mr. Stewart, for being here. We will be, you know, having these ongoing discussions about our technology and how we can improve. It is one of those areas [9:49:54 AM] where we all agree we can drive further effectiveness and I think we now have some better systems and leadership in place that's going to help us to get there. Did you have a question before I ask -- or we kind of back on -- >> [Inaudible] >> Alter: I will entertain a motion to accept this audit. Councilmember tovo makes the motion, seconded by councilmember Flannigan. All in favor raise your hand. It's unanimous on the virtual dais. Thank you. We're going to skip to item number 5, if the clerk's office is available. >> Yes, hi chair, this is Stephanie from the city clerk's office. [9:50:54 AM] Sorry I was not in here earlier. I am here to present additional by law changes for the parks and recreation board and for the mayor's committee for people with disabilities. For the pard board, they are just simply changing the name of their committee and on the revised agenda -- revised backup it shows this better that they are changing the land facilities and program committee to the financial committee and updating some of those responsibilities there. I believe the director Mcneely is on the line if you have questions about that one. And then for -- excuse me, the mayor's committee for people with disabilities, they are just making a few updates that are pretty standard. It looks like the bylaws may not have been updated for a long time so updates are simple and standard correcting details about members and -- let me look at this list again quickly. [9:51:55 AM] Quorums, some duties, the department that it's assigned to and those are all outlined in the attachment and I'm here if you have questions for that. >> Alter: Thank you. So the -- the by law changes are as she outlined. Does anyone have any questions for staff? Okay. I'll entertain a motion to pass the bylaws. Councilmember pool. I have a second from mayor Adler. All those in favor? It's unanimous on the virtual dais. So thank you. I'm now going to move and invite Ms. Stokes to speak. We asked -- we requested kind of an overview from the audit team sort of what the auditor's office does, and in particular to share some of the resources that are available online once you understand what the [9:52:56 AM] auditor's office does. There are a wealth of resources available, you know, for folks who are trying to understand some of the history on different projects or challenges, and I want to really encourage people to take advantage of this wealth of resources. We often forget we're not the first council or first councilmembers to ask these questions and there really is a lot of very useful information that the auditor's office has produced over the years and it's interesting to see how recommendations have been presented and where they've had successes as well. Ms. Stokes, if you would like to begin, that would be great. Thank you. >> Okay. I'll unmute and share my screen myself. Just so I can also demo some of the available resources. Should be pulling up. But the first thing is, [9:53:59 AM] we, I appreciate -- I'm corrie stokes. I appreciate the opportunity to share some information about what we do and how it works. The very first thing on this slide is our mission, so this comes straight out of city code and can you all see my slides? >> Alter: We can't see your slides yet, I don't think. >> Okay. I can fix that. I just know it. But the very first thing comes straight out of code our mission to promote transparent accountability and -- >> Excuse me. It seems that we're not yet having you share the presentation through webex. Awesome. >> It was just a -- it was going slow. You all can see that okay? >> Yes. Thanks. >> Great. So our mission, transparency, accountability, continues improvement. That's what we're focused on. [9:54:59 AM] My office was established -- there we go -- in -- well, my office has existed since the 1800's, but established as an independent office reporting to council in the early '90s. That was done through charter, so that's a vote of the people says we want who group to report to the city council and provide oversight of city management. Our job is to do performance audits. We do some special request projects for council and do investigations of [inaudible] And we've been doing all of those things for a long time. I'll talk more about each of those and what that means, but one of the things that comes up frequently how is our office different from other functions in the city that might look at continuous improvement and process. An important part of city management is doing process improvement. There's an office of performance management. They do work focused on processes and how to improve them. There are groups throughout the city, internal audit [9:56:00 AM] folks throughout the city, particularly in our enterprise department and all of those, they don't negate the work they do, they compliment the work. The idea is that looking at maybe in our work we're not looking at specific processes, we're really taking a topic area and saying what are the highest gross areas and what could be adjusted in a process -- more detailed process improvement work you might dissect a specific process within a department or within a division of a department. So I don't know if that was super clear, but the idea is that we do our work at a higher level or a citywide level or try to do that versus that kind of a more detailed process level which city management does every day. So within my office I have 27 staff. They all come from diverse backgrounds and experience. We have people coming with a law background, a business background, journalism, [9:57:01 AM] accounting, pretty much you name it. My own background is in urban studies followed by public policy. So we have a lot of different perspectives and I think that helps us do our work. The -- one of the key things about our office and the way that we're set up, and again, this is required in charter, we follow audit standards and investigative standards. So the audit standards are adopt by the government accountability office. That's basically the federal, the federal city auditor. The federal legislative auditor. And those standards address, you know, are we independent to do the work, do we have safeguards in place to meet our objective, are the staff qualified, and we have good evidence to support our work and do we have [inaudible] In place to make sure all reports are public, and there's also things that I think is an important piece about how we collaborate [9:58:03 AM] with management when we issue a report, we have to allow for their feedback, incorporate their feedback both as we make changes to drafts and then in the final report we incorporate response. As an example you saw in the software licenses earlier. Quality control, that's just making sure we do all of the above. So specific to audits, we recently presented our approved -- got your approval for our audit plan for fiscal year 21. I won't spend too much time on this suns we talked about the last meeting. The idea is come up with audits, we look at external audits, customer survey, audit ideas through our website, your input, input from city management, input from our own staff, passed audits or future audits where there have been [9:59:03 AM] recurring issues or an area that we identified but didn't have time to look at that might end up on the audit plan. So once we identify our audit poppic, we have preliminary objectives and they are very high level. They might say go look at how this department does this task, but we can't look at that entire thing in an efficient manner. So we zero in. What we try to do is spend some time identifying what's the biggest deal and look into that and make sure it's being handled as efficiently and effectively as possible. We conduct field work. So an example there, awhile ago we were looking at street repairs, so field work was us going out into the field looking at repairs that had happened and determining whether or not that repair was completed, timely, was completed to the standards that are required, and so that's the kind of [10:00:03 AM] thing, sometimes field work is data males, sometime it's talking to people, just depending on the analysis, the field work and that's why it's in quotes. When we're done with summarize findings in a report. That includes recommendations. This is a collaborative process. We do work with management over the area to make sure their concerns are reflected and to make sure everything that we're saying is accurate and that they have -- they are able to respond to the recommendations and formulate a plan to address this. So we also do follow-up. We follow up on the most critical recommendations until they have been implemented. So we keep checking back and I'll show you something in a meant that reflects that work. We do that, we consider all of the recommendations, but given confined of resource constraints and priority, we zero in on the most important ones. So classes, these are short projects to help council with decision-making, give [10:01:05 AM] design to quickly answer questions. Usually the processes that we have a sponsor and co-sponsor for those. Sometimes we have more than one co-sponsor. Recent examples are here, but usually those are looking at maybe a, you know, look in more depth at this data or summarize this information and a lot of times they actually involve in both of these involve looking at how other cities do something. So in terms of citizen initiatives that looked at the processes in place to get things on the ballot through a citizen initiative in other Texas cities. So that's often a way to get information about how other people are doing a similar task. Our investigation, so as I mentioned earlier we investigate fraud, waste or abuse. Stealing city assets, using city resource for non-city purposes, circumventing processes, personal gains. There are a bunch of things [10:02:05 AM] we look at from that fraud, waste and abuse angle. We run a hotline. There's a phone number for it. You can report things on line. Everything we get, and la month we did our annual report on investigation, but as you know, everything we get we triage through on pro ISES to make sure this is within our jurisdiction, if not, let's get it to the right place and if we have a case, we will investigate fully. So just in terms of our reports or people asking for information from us, our reports are public for the most part. There are a few confidential reports. For example, I.T. Security or infrastructure, reports on those are confidential under state law. So the reports themselves are public, and generally the supporting documentation like audit work papers, there is an exception in the public information act so we request that exemption to keep that part confidential so the final report is [10:03:07 AM] public. We present reports to this committee. We also have special requests and investigation reports. Those are released to the city council and then to the public so those don't come come through the committee but are certainly shared with council. We always say we'll discuss any report after we released he it. So if a reporter or interested party asks about something before it's finalized, we don't discuss it except to say that yes, we are doing that work, basically. So we can talk about kind of the scope and what we're doing, but not the results of the work until after it's released. So the last piece, these are some resources related to our audits. Audit reports, investigative reports. I want to switch over, hopefully I can do this. I'm going to stop sharing and switch over. Before I do that because I probably won't come back to this slide, we are on social [10:04:08 AM] media, we have several Facebook, Twitter, Instagram. This website for the audit and finance committee is a key resource because there's backup for all the items that come to the committee that get posted with the agenda. I'm going to try to stop sharing. There's a stop button, so hopefully that works. I ask still see you all, so that's good. >> Alter: Thank you. Do any of the question members have questions for Ms. Stokes? >> I do have one other thing I want to show you all. I have to switch to a different screen. >> Alter: I'm sorry. I misunderstood. >> That's okay. But I'm happy to answer questions while I do that. Ms. Pool. >> Pool: I just had a [10:05:09 AM] thank you to city auditor and staff and also for putting this presentation up on our agenda. When I had my pre-meeting briefing with corrie, I mentioned that this was helpful for the community too and I plan to amplify it through the various different feeds that I've got like minus letter and that sort of thing. So any opportunity we have to explain city processes to folks and this is one of the really fundamental ones to take advantage of and this is a really good presentation to send out to the community far and wide so thanks so much. >> I appreciate that. We want to get the word out there too. We want more people to know that we exist, to read our work and to better understand city processes through that work. >> Pool: There's a lot of really helpful links that are embedded in that presentation too. People can just geek out on [10:06:11 AM] on. Thanks so much. >> That is the goal. Excellent. The other thing I wanted to show you all here, hopefully you can see this, audit reports page. So this is -- page up just a little bit. This is the audit report and basically it's a list of audit reports by most recent. So by tomorrow you should see the software licenses reported in order by date. If you are looking for something specific, it's sometimes hard to find them this way. If you know a report exists, you can go here and find it. But there are -- we have some other tools to help you find something if you don't know this got released October or this just happened, et cetera. Also here are investigative reports, there's a link there. They are all available there. We have a brand-new practice or brand-new I guess we're debuting pod casts so we have pod casts on Spotify, soon on iTunes as well, and those are just a short [10:07:11 AM] audio recording of an interview with usually the lead on the audit to provide audit or investigation to provide information. So we're checking out if that's a format that you like. And then the recent recommendations. This link actually goes out to the Austin data portal and the Austin data portal has tons of great information that the open data portal, I should say, but this one goes straight to our list of recommendations. So there is some kind of general information up at the top about what's in here, but these are basically every recommendation that we've issued since 2014 is in this data set. So you can -- lots of things you can do with that. You can filter it, export it to excel to look at it, but what to show as example as to what it will have is, you know, the recommendation itself and then kind of a priority for our office, but [10:08:13 AM] then whether or not it's been implemented or not. And so if I was looking only for audits of Austin water, I could Felter for that. If I were looking for recommendations related to a certain topic, I could do a key word search. There's a lot in here and I'm slowly paging through, but you can see if I pull, you know, Austin water is what I'm on now, I look over and I can see, okay, a lot of those are verified and there's this outstanding one and you can drill down and find more information. That ties directly to the audit I was mentioning before about street repairs, most have been fully implemented, a few that haven't. While we summarize that work periodically, this is a way to go and see, you know, is that recommendation I was worried about or that area I was concerned about, has it been addressed. So that is all I have. [10:09:13 AM] I think I stopped sharing glad. >> Alter: Thank you so much. I appreciate the time putting that together. I think the public needs to understand out the auditor's office fits into the broader scheme of the city and there's work being done on multiple levels and the auditor's office reports to the council and is focused in on questions that council has identified where we need to pay particular attention above and beyond what management is already doing on a day-to-day basis, and these reports serve as an important record, but also really help us to see, you know, what changes have been made as well. And I think the data is there. We've worked very hard as a city to be transparent and to make this information available to the public, so [10:10:13 AM] please take advantage of these resources to learn more about different pieces of the city, but know that, you know, we're going into these reports thinking that there's a challenge that we want to have more information about so that we can address it in most cases. So thank you very much, Ms. Stokes. Does anyone have anything else they want to discuss for future business or anything? If not, then it is 10:10 A.M. And I am going to adjourn at a record speed this audit and finance committee meeting. Thank you very much. Take care.