City agencies still not sharing risks with city’s IT agency

Some city agencies are still not formally sharing critical information technology risks they encounter with Technology Services and other agencies, leaving the city exposed to cyberthreats and vulnerabilities, according to a new follow-up report from Denver Auditor Timothy M. O’Brien, CPA.

“If city agencies are not required to let Technology Services know about risks, Technology Services can’t effectively respond to cyberthreats, like data breaches or system failures,” said Auditor O’Brien.

Our 2024 audit about information technology risk management identified this core issue and recommended Technology Services take steps to address the concern. Since then, Technology Services cooperated with some agencies, like the Mayor’s Office and Denver Public Library. But a new approved memorandum of understanding between agencies involving information-exchange agreements has still not been created.

Our follow-up report found Technology Services developed a process for a citywide information technology risk assessment and it updated its information technology risk management policy. But Technology Services did not document either the process or the policy, as we recommended.

And while staff completed some new trainings, the trainings were not specific to information technology risk management policies and procedures.

We also recommended Technology Services include the percentage of city employees who had completed cybersecurity training as a metric in the annual performance evaluation for agency leaders. This was not implemented.

But Technology Services did designate an agency leader responsible for developing and implementing a comprehensive, citywide information technology risk assessment.

“Technology Services recognizes information technology risk management is important, and it made improvements since our initial audit. I hope it will follow through on finalizing information-exchange agreements to strengthen cybersecurity citywide,” said Auditor O’Brien.

Read the Follow-Up Report

Read the Audit

You can find more information about the Auditor and recent audits on our website.

About the Auditor’s Office

Denver’s Auditor is publicly elected and answers to the voters. The role of the Auditor is to help minimize risks, improve internal controls, maximize efficiencies, and strengthen accountability.

About Auditor O’Brien

Denver Auditor Timothy M. O’Brien, CPA, has more than 40 years of auditing and accounting experience. Auditor O’Brien strives to bring greater clarity, transparency, and accountability to Denver’s city government for its residents. Elected in 2015 — and reelected in 2019 and 2023 — Timothy O’Brien is distinguished from his predecessors as a professional auditor.
