City Council's current operations could increase risks of cyberattacks, according to a new audit report from the Denver Auditor's Office released Thursday.
The audit found issues with how City Council tracks technology equipment, how the city makes sure staff take cybersecurity training and how offices track credit card usage.
"The council is within the city's firewall," Auditor Tim O'Brien said in a statement Thursday. "Although they are an independent agency not subject to executive orders, they are sharing the citywide resources and have equal responsibility to protect those public resources. Governments don't run without technology."
O'Brien's office also found issues with City Council's city credit cards. The report reviewed 94 transactions and found 14 donations to local nonprofits, while city rules do not allow donations with a purchase card.
Under new city rules, City Councilmembers were supposed to disable purchase cards a month before Election Day during election years. While no outgoing Councilmembers overspent their allocated funding before the election, six offices used their purchase cards within the election time limit.
City Council agreed with all 14 recommendations from the Auditor's Office. These recommendations include things like creating clearer policies around tracking technology, cybersecurity efforts and donations to nonprofits.
In a statement Thursday, City Council spokesperson Robert Austin said that Council has added a human resources manager, a communications specialist and a fiscal administrator in the past two years to address some of the identified issues.
"We welcome the opportunity to further refine and strengthen the few internal processes identified in the audit," he wrote.
Council President Jamie Torres pointed to the effects of the pandemic on issues with tracking technology citywide.
"One of the experiences we all had was the pandemic, being in office at home, and then coming back into the office," Torres said. "I know, for my office in particular, all of my team got rid of their central processing unit and operated just with a laptop. That happened across 13 offices differently."
Partially, the issues come from the fact that City Council operates differently from the rest of the city and cannot discipline employees for failing to take certain technology training courses like on cybersecurity.
"I will say that our relationship with technology services is really strong," Torres said. "We start off with the use policies and the same things that any city employee starts off with when they're issued a technology or an ability to log into the systems. But it's then up to us to make sure that we're also making that consistent among our teams."
Editor's note: This story has been updated with comments from Denver City Council spokesperson Robert Austin.
