Citywide Social Media Usage Follow-up Report May 2015 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor
The Auditor of the City and County of Denver is independently elected by the citizens of Denver. He is responsible for examining and evaluating the operations of City agencies for the purpose of ensuring the proper and efficient use of City resources and providing other audit services and information to City Council, the Mayor and the public to improve all aspects of Denver s government. He also chairs the City s Audit Committee. The Audit Committee is chaired by the Auditor and consists of seven members. The Audit Committee assists the Auditor in his oversight responsibilities of the integrity of the City s finances and operations, including the integrity of the City s financial statements. The Audit Committee is structured in a manner that ensures the independent oversight of City operations, thereby enhancing citizen confidence and avoiding any appearance of a conflict of interest. Audit Committee Dennis Gallagher, Chair Maurice Goodgaine Leslie Mitchell Rudolfo Payan Robert Bishop Jeffrey Hart Timothy O Brien, Vice-Chair Audit Management Kip Memmott, Director, MA, CGAP, CRMA John Carlson, Deputy Director, JD, MBA, CIA, CGAP, CRMA Audrey Donovan, Deputy Director, CIA, CGAP, CRMA Audit Staff Marcus Garrett, Audit Supervisor, CIA, CGAP, CRMA You can obtain copies of this report by contacting us at: Office of the Auditor 201 West Colfax Avenue, Department 705 Denver CO, 80202 (720) 913-5000 Fax (720) 913-5247 Or download and view an electronic copy by visiting our website at: www.denvergov.org/auditor Report number A2013-009
City and County of Denver 201 West Colfax Avenue, Department 705 Denver, Colorado 80202 720-913-5000 FAX 720-913-5247 www.denvergov.org/auditor Dennis J. Gallagher Auditor May 14, 2015 Janice Sinden, Chief of Staff Mayor s Office City and County of Denver Re: Audit Follow-Up Report Dear Ms. Sinden: In keeping with professional auditing standards and the Audit Services Division s policy, as authorized by D.R.M.C. 20-276, our Division has a responsibility to monitor and follow-up on audit recommendations to ensure audit findings are being addressed and to aid us in planning future audits. This report is to inform you that we have completed our follow-up effort for the Citywide Social Media Usage audit issued November 21, 2013. Our review determined that the City has implemented the majority of the recommendations made in the audit report. Auditors determined that most of the risk associated with the audit team s initial findings have been fully mitigated. Our Division may revisit the status of outstanding recommendations in future audits to ensure appropriate corrective action is taken. For your reference, this report includes a Highlights page that provides background and summary information on the original audit and the completed follow-up effort. Following the Highlights page is a detailed implementation status update for each recommendation. This concludes audit follow-up work related to this audit. I would like to express our sincere appreciation to you and to Department personnel who assisted us throughout the audit and follow-up process. If you have any questions, please feel free to contact me at 720-913-5029 or Marcus Garrett, Internal Audit Supervisor, at 720-913-5086. Sincerely, KRM/mg Kip Memmott, MA, CGAP, CRMA Director of Audit Services cc: Honorable Michael Hancock, Mayor Honorable Members of City Council Members of Audit Committee Ms. Cary Kennedy, Deputy Mayor, Chief Financial Officer To promote open, accountable, efficient and effective government by performing impartial reviews and other audit services that provide objective and useful information to improve decision making by management and the people. We will monitor and report on recommendations and progress towards their implementation.
Mr. David P. Edinger, Chief Performance Officer Ms. Beth Machann, Controller Mr. Scott Martinez, City Attorney Ms. Janna Young, City Council Executive Staff Director Mr. L. Michael Henry, Executive Director, Board of Ethics Ms. Rowena Alegria, Director of Communications Mr. Alena Gouveia, Manager of IT Governance To promote open, accountable, efficient and effective government by performing impartial reviews and other audit services that provide objective and useful information to improve decision making by management and the people. We will monitor and report on recommendations and progress towards their implementation.
City and County of Denver Office of the Auditor Audit Services Division REPORT HIGHLIGHTS Citywide Social Media Usage Follow-up Report: April 2015 The City has implemented the majority of recommendations made in the November 2013 audit report. Background Social media or social networking, as defined by the City, includes networking sites that offer multiple ways to connect to registered users through status updates, instant messaging, blogs, or photo and video sharing. The City is officially represented only on Facebook at the City and County of Denver page. Links to individual City agencies social media accounts are located at the top of the Denvergov.org homepage in the drop-down menu labeled Connect Denver. Three entities have a potentially greater role to play with respect to social media: Communications, Technology Services, and the City Attorney s Office. The City and County of Denver has begun developing official guidelines for the administration of social media. Purpose The purpose of this audit was to assess the effectiveness of Citywide social media guidance or policy, specifically regarding strategy, business objectives, governance structure, and the administration of social media throughout the City. Highlights from Original Audit The City should develop social media governance to provide structure and guidance and reduce risk associated with social media. Such governance should also provide City agencies with some autonomy to act quickly and to conform their social media usage to their specific needs. In the past, the City lacks an overall strategy and related business objectives for social media use throughout the City, without which it is difficult to assess the effectiveness of social media usage. In addition, the City s ability to proactively identify and address key risks of social media including information security risks and legal risks is inhibited by the lack of broad guidance for social media and by the City s highly decentralized structure related to social media usage. Although some decentralization is necessary to ensure that timely social media engagement is not impeded by an overly bureaucratized structure, the City would benefit from greater Citywide guidance and oversight to adequately address the social media issues that have befallen the City and other organizations. Additionally, City agencies should make greater efforts to develop internal guidance, to monitor the effectiveness of social media use, and to ensure that social media administrators training needs are met. Findings at Follow-up In collaboration with agencies from around the City, Communications developed an official social media policy on September 2014 that provides guidance to agencies and departments and establishes a governance framework around the use of social media. For a complete copy of this report, visit www.denvergov.org/auditor Audit Contact Person: Marcus Garrett 720.913.5086 marcus.garrett@denvergov.org
Recommendations: Status of Implementation Recommendation Auditee Action Status Finding: Social Media Governance Should Be Further Developed to Address Key Risks While Allowing Some Agency Autonomy 1.1 The City needs to clarify and formalize its social media strategy and business objectives, and because of its unique position, the Mayor s Office of Communications should take the lead role in this effort. 1.2 The Mayor s Office of Communications should ensure that it gathers feedback and input from agencies including Technology Services and the City Attorney s Office, as well as all independent City agencies, including the City Council, the Clerk and Recorder s Office, and the Auditor s Office, to develop a Citywide social media strategy and business objectives. 1.3 The Mayor s Office of Communications should ensure that the Citywide strategy that is developed conforms with both the social media business objectives and other core Citywide business objectives. The Mayor s Office of Communications agrees that a formal social media strategy was necessary to meet the City s business objectives. The Mayor s Office of Communications developed a strategy that provided guidance to agencies and departments and a governance framework around the use of social media. The strategy referenced in Recommendation 1.1 was a collaborative exercise, and the Mayor s Office of Communications met with agencies and departments under the executive direction of the Mayor. This collaborative exercise included the independent agencies noted. The business objectives for all forms of communication were key drivers in the development of the City s social media strategy. Page 1 Office of the Auditor
Recommendations: Status of Implementation Recommendation Auditee Action Status 1.4 The Mayor s Office of Communications should lead the development of Citywide social media policies and procedures to address the risks associated with inadequate guidance, such as ensuring that key areas of social media usage are performed the same way, and to complement the development of a social media strategy and business objectives. The Mayor s Office of Communications should involve representatives from various City entities, including the Mayor s Office of Communications, Technology Services, the City Attorney s Office, and key social media users within the City. 1.5 The policies and procedures Communications should be limited in scope, generally maintaining the decentralized approach of allowing agencies to quickly respond to situations as determined by their business needs. The social media policy was created based on interviews with City agencies and departments, and a review of new techniques and strategies by other government entities. The City s social media policies and procedures conform to Recommendation 1.5. City and County of Denver Page 2
Recommendations: Status of Implementation Recommendation Auditee Action Status 1.6 The policies and procedures Communications should ensure the creation and maintenance of a complete and accurate social media site inventory. In addition, a single complete and accurate list of social media administrators is necessary for determining who has access to City social media sites, and for disabling access when those individuals leave City service. Since these are operational activities rather than policy decisions, Technology Services should be named the lead agency responsible for the social media inventories. 1.7 The policies and procedures Communications should address relevant information security and access control issues, and should name Technology Services as the lead agency for the ensuring that appropriate security is maintained. 1.8 The policies and procedures Communications should specifically require that Technology Services be included as an administrator on all social media sites, if allowed by the site, to ensure that no City social media sites are lost due to inadequate access controls. The City s updated social media policy states that Technology Services will maintain an inventory and the Division will continue to work to establish a final inventory. Technology Services will assume responsibility for ensuring that current information security principles are applied to the City s use of social media, and will also perform periodic risk assessments on these activities. Technology Services should have administrative access to all City social media sites to ensure adequate access controls. This requirement will be included in the strategic documents that will be promulgated to City agencies and departments using social media. Agree/Not Agree/Not Page 3 Office of the Auditor
Recommendations: Status of Implementation Recommendation Auditee Action Status 1.9 The policies and procedures Communications should require that no City funds be collected through social media sites to avoid potential loss of the payment card industry (PCI) compliance. Instead social media sites should only link to the City s website, which is in compliance with PCI standards. 1.10 The policies and procedures Communications should provide clarification regarding relevant legal issues, including but not limited to when deleting public comments is allowed, how to maintain appropriately the privacy of citizens who use City social media sites, and the requirements of social media records management for open records purposes. The City Attorney s Office should be the lead agency developing guidelines to address relevant legal risks of social media use. The City s social media policy includes that City funds should not be collected through payment applications on social media sites, and that any fund collection through social media be limited to links to approved City payment sites. The City s social media policy includes requirements for a uniform privacy policy across all City sites as well as compliance with records retention requirements and the Colorado Open Records Act (CORA). City and County of Denver Page 4
Recommendations: Status of Implementation Recommendation Auditee Action Status 1.11 The policies and procedures Communications should clarify how social media coordination will occur in the event of an emergency, including which agency is the lead voice for the City in specific emergencies, and how social media use should be coordinated with the City website usage. The group developing the policies and procedures should consider the City s records management policy, access controls policy, and data classification policy when developing social media guidance. 1.12 To ensure that agencies are developing and formalizing guidance for their social media administrators, the Mayor s Office of Communications should require (or request from independent agencies) formal social media guidance to developed by all agencies using social media, and serve as the repository for this guidance. 1.13 The Mayor s Office of Communications should support the agencies development of internal guidance by answering questions about best practice or referring agencies to Technology Services and the City Attorney s Office when necessary. The policies and procedures will include a list of types of communications, and the designated lead agency for each. As the citywide process around social media matures, this list will be expanded. The City s draft social media policy includes a requirement that all agencies and departments create an annual social media strategy that will be reviewed by Communications. The Mayor s Office of Communications, Technology Services, and the City Attorney s Office will continue to provide guidance to agencies and departments based on new techniques and strategies, advances in social media technology, and relevant legal guidance. Agree/Not Page 5 Office of the Auditor
Recommendations: Status of Implementation Recommendation Auditee Action Status 1.14 The Mayor s Office of Communications should assist agencies in meeting their training needs by referring them to existing social media trainings or by periodically setting aside time at its monthly meeting with City communications and marketing personnel for presentations that address agencies social media training needs. 1.15 The Mayor s Office of Communications should support sharing best practices by periodically setting aside time at its monthly meeting with City communications and marketing personnel to discuss and analyze best practices for measuring social media effectiveness. The City will continue to designate time in its monthly marketing and communications meetings to discuss social media issues and advice around new techniques and strategies. The Mayor s Office of Communications has designated time in its monthly marketing and communications meetings to discuss social media issues and advice around new techniques and strategies. City and County of Denver Page 6
Conclusion We found that the City has implemented the majority of recommendations and adequately mitigated the risk identified during the original audit. The Audit Services Division may revisit the status of outstanding recommendations in future audits to ensure appropriate corrective action is taken. On behalf of the citizens of the City and County of Denver, we thank staff and leadership from the various Departments for their cooperation during our follow-up effort and their dedicated public service. Page 7 Office of the Auditor