Halifax Regional Police have again provided incorrect information to the Board of Police Commissioners about IT security. But this time they didn’t mean to, according to the auditor general.
Auditor general Evangeline Colman-Sadd’s office made 12 recommendations for the police to strengthen their information technology (IT) security systems in a scathing 2021 report. Colman-Sadd found the police had previously lied to the board about progress in implementing recommendations from a past external audit.
Colman-Sadd tabled a follow-up report at council’s Audit and Finance Committee on Thursday. The auditor general found that 11 of her 12 recommendations from 2021 were complete, 92%. Colman-Sadd called that implementation rate “excellent,” and said it “demonstrates a commitment to correcting known issues.”
But Colman-Sadd marked one recommendation incomplete: that HRP should “finalize and implement its draft information technology security policies. This should include detailed guidance on how the policies will be applied to Halifax Regional Police information technology operations.”
“The [policies] that we specifically talked about during the audit have been completed but there are still some others that need to be finalized,” Colman-Sadd told the committee.
Police believed their work was done
In an April 2022 report to the Board of Police Commissioners, the police said that recommendation was complete.
“This update will be the final update related to the public recommendations, as they have now been completed,” Chief Dan Kinsella wrote in a memo to the board.
Kinsella’s report also leaves out the 12th recommendation. That recommendation was that HRP “should develop and implement operating procedures to maintain its systems, including patch management, change management, and backup.” That one is complete, according to Colman-Sadd.
Police spokesperson Const. John MacLeod told the Halifax Examiner in an email that the last recommendation was linked to one of the in-camera recommendations. And, “for the purpose of reporting, it was simply included with the in-camera recommendations.”
MacLeod pointed to Colman-Sadd’s comments during the meeting on the other recommendation, writing that “the policies that were specifically talked about during the audit have been completed.”
Colman-Sadd said it was a misunderstanding of her original recommendation.
“They truly believed that was accurate when they made that statement,” Colman-Sadd said in an interview.
Colman-Sadd said the audit listed a few policies that needed to be completed as examples, and police took those examples to be a complete list of the work they needed to do.
“They just simply didn’t realize that we recommended to do all of them as opposed to those individual ones,” Colman-Sadd said.
Police now understand they have more work to do, Colman-Sadd said.
“I didn’t have any concerns after talking to them that there was any effort to mislead or anything like that. They genuinely believed that it was done,” she said.
Permits and inspections recommendations incomplete
Colman-Sadd also followed up on her office’s September 2020 audit of Building Permits and Inspections.
That report found the municipality had no clear timeline for the approval of building permits and inspections and its records were inaccurate, as the Examiner reported at the time. The report made three recommendations.
“None of those three were complete at the time we did our follow-up work, which is disappointing,” Colman-Sadd said.
Mayor Mike Savage called that “concerning.”
Chief administrative officer Cathie O’Toole said she was “somewhat alarmed” at the findings, and followed up with the department. O’Toole said staff didn’t properly fill out a form properly to self-assess their performance, and management didn’t review their work.
O’Toole said her office used to track the status of auditor general recommendations. That stopped under former CAO Jacques Dubé. That tracking will now start again, O’Toole said.
The big take-away from the AG report is this …” O’Toole said her office used to track the status of auditor general recommendations. That stopped under former CAO Jacques Dubé. ”
Surely the council was responsible for ensuring the CAO tracked any recommendations. I suggest the AG audit the failure of council to ensure the CAO was managing issues raised by her reports.
I love the image description for the police station.