Item - 2021.AU8.5

Tracking Status

  • City Council adopted this item on April 7, 2021 without amendments and without debate.
  • This item was considered by Audit Committee on February 16, 2021 and was adopted with amendments. It will be considered by City Council on April 7, 2021.

AU8.5 - Auditor General's Follow-Up of the Outstanding Recommendations - Status Update

Decision Type:
ACTION
Status:
Adopted on Consent
Wards:
All

City Council Decision

City Council on April 7 and 8, 2021, adopted the following:

 

1.  City Council request the Chief Information Security Officer to report to the May 31, 2021 meeting of the Audit Committee on the implementation status of all outstanding cybersecurity-related audit recommendations, including:

 

a.  high priority recommendations where there are still significant risks;

 

b.  risks being faced by the City of Toronto as a result of not implementing audit recommendations;

 

c.  a risk assessment identifying the impact of the risks after considering any current vulnerabilities;

 

d.  any other security risks being faced as a result of the changing cyber threat landscape; and

 

e.  short-, medium-, and long-term plans identifying what needs to be done to reduce the risk level for the City of Toronto in an expedited fashion.

 

2.  City Council request the Chief Information Security Officer to report to the General Government and Licensing Committee on a biannual basis regarding the City-wide cybersecurity program, including:

 

a.  the status of all outstanding audit recommendations that have not been implemented to date, including any increase to the City's cybersecurity risk profile;


b.  projects, initiatives, procurement, and operations where cybersecurity requirements or directives were not included in the process;


c.  embedding "cybersecurity by design" principles to support the City's modernization efforts; and


d.  any additional supports required to address cybersecurity risks in an expedited manner.

 

3.  City Council request the Auditor General to report on the implementation status of cybersecurity-related audit recommendations in the Auditor General's status report on outstanding recommendations to the Audit Committee.

 

4.  City Council request the Auditor General to provide regular status updates to the Audit Committee on the progress of management's implementation of the Auditor General's recommendations and, unless there are specific requests for special updates, City Council no longer require the City Manager to provide regular status updates to the Audit Committee, as outlined in Item 2020.AU5.11 headed "Management Update on the Implementation Status of Outstanding Auditor General Recommendations (City-Wide)".

 

5.  City Council direct that Confidential Attachment 1 to the report (February 4, 2021) from the Auditor General remain confidential in its entirety, as it contains information on the security of property belonging to the City of Toronto, information explicitly supplied in confidence to the City of Toronto which, if disclosed, could reasonably be expected to impact the safety and security of the City and its services, labour relations or employee negotiations, and litigation or potential litigation that affects the City of Toronto.

 

Confidential Attachment 1 to the report (February 4, 2021) from the Auditor General remains confidential in its entirety in accordance with the provisions of the City of Toronto Act, 2006, as it contains information on the security of property belonging to the City of Toronto, information explicitly supplied in confidence to the City of Toronto which, if disclosed, could reasonably be expected to impact the safety and security of the City and its services, labour relations or employee negotiations, and litigation or potential litigation that affects the City of Toronto.

Confidential Attachment - The security of property belonging to the City of Toronto, information explicitly supplied in confidence to the City of Toronto which, if disclosed, could reasonably be expected to impact the safety and security of the City and its services, labour relations or employee negotiations, and litigation or potential litigation that affects the City of Toronto.

Background Information (Committee)

(February 4, 2021) Report from the Auditor General on Auditor General's Follow-Up of the Outstanding Recommendations - Status Update
https://www.toronto.ca/legdocs/mmis/2021/au/bgrd/backgroundfile-163332.pdf
Attachment 1 - City Divisions, Agencies and Corporations - Public High Priority Recommendations - Fully Implemented (Status Not Verified by the Auditor General)
https://www.toronto.ca/legdocs/mmis/2021/au/bgrd/backgroundfile-163333.pdf
Attachment 2 - City Divisions, Agencies and Corporations - Public High Priority Recommendations - Not Fully Implemented (Status Not Verified by the Auditor General)
https://www.toronto.ca/legdocs/mmis/2021/au/bgrd/backgroundfile-163334.pdf
Attachment 3 - City Agencies and Corporations - High Priority No Longer Applicable Recommendations (Status Not Verified by the Auditor General)
https://www.toronto.ca/legdocs/mmis/2021/au/bgrd/backgroundfile-163335.pdf
Confidential Attachment 1 - City Divisions, Agencies and Corporations - High Priority Recommendations - Fully Implemented and Not Fully Implemented (Status Not Verified by the Auditor General)

AU8.5 - Auditor General's Follow-Up of the Outstanding Recommendations - Status Update

Decision Type:
ACTION
Status:
Amended
Wards:
All

Confidential Attachment - The security of property belonging to the City of Toronto, information explicitly supplied in confidence to the City of Toronto which, if disclosed, could reasonably be expected to impact the safety and security of the City and its services, labour relations or employee negotiations, and litigation or potential litigation that affects the City of Toronto.

Committee Recommendations

The Audit Committee recommends that:

 

1.  City Council request the Chief Information Security Officer to report to the May 31, 2021 meeting of the Audit Committee on the implementation status of all outstanding cybersecurity-related audit recommendations, including:

 

a.  high priority recommendations where there are still significant risks;

 

b.  risks being faced by the City of Toronto as a result of not implementing audit recommendations;

 

c.  a risk assessment identifying the impact of the risks after considering any current vulnerabilities;

 

d.  any other security risks being faced as a result of the changing cyber threat landscape; and

 

e.  short-, medium-, and long-term plans identifying what needs to be done to reduce the risk level for the City of Toronto in an expedited fashion.

 

2.  City Council request the Chief Information Security Officer to report to the General Government and Licensing Committee on a biannual basis regarding the City-wide cybersecurity program, including:

 

a.  the status of all outstanding audit recommendations that have not been implemented to date, including any increase to the City's cybersecurity risk profile;


b.  projects, initiatives, procurement, and operations where cybersecurity requirements or directives were not included in the process;


c.  embedding "cybersecurity by design" principles to support the City's modernization efforts; and


d.  any additional supports required to address cybersecurity risks in an expedited manner.

 

3.  City Council request the Auditor General to report on the implementation status of cybersecurity-related audit recommendations in the Auditor General's status report on outstanding recommendations to the Audit Committee.

 

4.  City Council request the Auditor General to provide regular status updates to the Audit Committee on the progress of management's implementation of the Auditor General's recommendations and, unless there are specific requests for special updates, City Council no longer require the City Manager to provide regular status updates to the Audit Committee, as outlined in Item 2020.AU5.11 headed "Management Update on the Implementation Status of Outstanding Auditor General Recommendations (City-Wide)".

 

5.  City Council direct that Confidential Attachment 1 to the report (February 4, 2021) from the Auditor General remain confidential in its entirety, as it contains information on the security of property belonging to the City of Toronto, information explicitly supplied in confidence to the City of Toronto which, if disclosed, could reasonably be expected to impact the safety and security of the City and its services, labour relations or employee negotiations, and litigation or potential litigation that affects the City of Toronto.

Decision Advice and Other Information

The Audit Committee recessed its public session to meet in closed session to consider this item, as it relates to the security of property belonging to the City of Toronto, information explicitly supplied in confidence to the City of Toronto which, if disclosed, could reasonably be expected to impact the safety and security of the City and its services, labour relations or employee negotiations, and litigation or potential litigation that affects the City of Toronto.

Origin

(February 4, 2021) Report from the Auditor General

Summary

The Auditor General reviews the implementation status of recommendations made through her audit and investigation reports. The results of the review are reported to City Council through the Audit Committee.

 

The Auditor General's follow-up work was impacted by the COVID-19 pandemic. In 2020, we deferred our follow-up work that was in progress to enable City divisions and its agencies and corporations to focus on the delivery of essential services. However, the City divisions and its agencies and corporations, where possible, did continue to work on the implementation of recommendations to realize savings and operational efficiencies.

 

During this time, our Office implemented a new audit management technology solution. As an extension of the new system, we integrated continuous tracking of the implementation status of the recommendations included in the audit and investigation reports. This solution will provide more efficient tracking of the outstanding recommendations to management and reporting to the Audit Committee on management actions to implement these recommendations.

 

As of January 8, 2021, there were 748 outstanding recommendations issued between September 2005 and February 2020. Management reported that 233 (31 per cent) recommendations were fully implemented and three recommendations were no longer applicable. The Auditor General has not verified the management reported status; however, this work is now underway. The results of our review will be submitted to the May 31, 2021 Audit Committee meeting.

 

The purpose of this report is to update the Audit Committee and Council on management actions and plans to implement the outstanding audit and investigation recommendations.

 

Table 1 provides an overview of the status of outstanding audit and investigation recommendations for City divisions, agencies and corporations as reported by management as of January 8, 2021.

 

Table 1 - Status of Outstanding Audit and Investigation Recommendations as Reported by Management as of January 8, 2021 (Status Not Verified by the Auditor General)

 

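| Service Area | High Priority Recs.: FI | High Priority Recs.: NFI | High Priority Recs.: N/A | Other Recs.: FI | Other Recs.: NFI | Other Recs.: N/A | Total Outstanding Recs.: FI | Total Outstanding Recs.: NFI | Total Outstanding Recs.: N/A | Total |
|---|---|---|---|---|---|---|---|---|---|---|
| City Divisions | 68 | 179 | 0 | 116 | 199 | 0 | 184 (33%) | 378 (67%) | 0 | 562 |
| Agencies and Corporations | 31 | 46 | 1 | 18 | 88 | 2 | 49 (26%) | 134 (72%) | 3 (2%) | 186 |
| Grand Total | 99 (13%) | 225 (30%) | 1 | 134 (18%) | 287 (38%) | 2 (1%) | 233 (31%) | 512 (68%) | 3 (1%) | 748 |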

 

Recommendations that involve a significant amount of savings, health and safety, or risks to the City's reputation are considered high priority. In addition, recommendations that remain outstanding for over five years are also considered high priority.

 

The 99 (13 per cent) high priority fully implemented recommendations are included in Attachment 1, unless confidential; the one high priority no longer applicable recommendation is included in Attachment 3; and all confidential recommendations are included in Confidential Attachment 1.

 

The 225 (30 per cent) high priority not fully implemented recommendations, together with management comments, action plans and implementation due dates, are included in Attachment 2, unless confidential. The confidential high priority not fully implemented recommendations are included in Confidential Attachment 1.

Background Information

(February 4, 2021) Report from the Auditor General on Auditor General's Follow-Up of the Outstanding Recommendations - Status Update
https://www.toronto.ca/legdocs/mmis/2021/au/bgrd/backgroundfile-163332.pdf
Attachment 1 - City Divisions, Agencies and Corporations - Public High Priority Recommendations - Fully Implemented (Status Not Verified by the Auditor General)
https://www.toronto.ca/legdocs/mmis/2021/au/bgrd/backgroundfile-163333.pdf
Attachment 2 - City Divisions, Agencies and Corporations - Public High Priority Recommendations - Not Fully Implemented (Status Not Verified by the Auditor General)
https://www.toronto.ca/legdocs/mmis/2021/au/bgrd/backgroundfile-163334.pdf
Attachment 3 - City Agencies and Corporations - High Priority No Longer Applicable Recommendations (Status Not Verified by the Auditor General)
https://www.toronto.ca/legdocs/mmis/2021/au/bgrd/backgroundfile-163335.pdf
Confidential Attachment 1 - City Divisions, Agencies and Corporations - High Priority Recommendations - Fully Implemented and Not Fully Implemented (Status Not Verified by the Auditor General)

Motions

Motion to Amend Item (Additional) moved by Councillor Stephen Holyday (Carried)

That:

 

1.  City Council request the Chief Information Security Officer to report to the May 31, 2021 meeting of the Audit Committee on the implementation status of all outstanding cybersecurity-related audit recommendations, including:

 

a.  high priority recommendations where there are still significant risks;

 

b.  risks being faced by the City of Toronto as a result of not implementing audit recommendations;

 

c.  a risk assessment identifying the impact of the risks after considering any current vulnerabilities;

 

d.  any other security risks being faced as a result of the changing cyber threat landscape; and

 

e.  short-, medium-, and long-term plans identifying what needs to be done to reduce the risk level for the City of Toronto in an expedited fashion.

 

2.  City Council request the Chief Information Security Officer to report to the General Government and Licensing Committee on a biannual basis regarding the City-wide cybersecurity program, including:

 

a.  the status of all outstanding audit recommendations that have not been implemented to date, including any increase to the City's cybersecurity risk profile;


b.  projects, initiatives, procurement, and operations where cybersecurity requirements or directives were not included in the process;


c.  embedding "cybersecurity by design" principles to support the City's modernization efforts; and


d.  any additional supports required to address cybersecurity risks in an expedited manner.

 

3.  City Council request the Auditor General to report on the implementation status of cybersecurity-related audit recommendations in the Auditor General's status report on outstanding recommendations to the Audit Committee.

 

4.  City Council request the Auditor General to provide regular status updates to the Audit Committee on the progress of management's implementation of the Auditor General's recommendations and, unless there are specific requests for special updates, City Council no longer require the City Manager to provide regular status updates to the Audit Committee, as outlined in Item 2020.AU5.11.


Motion to Adopt Item as Amended moved by Councillor Stephen Holyday (Carried)
Source: Toronto City Clerk at www.toronto.ca/council