Audit Report

Download PDF

Safety and Security of City Facilities

The audit had three objectives:

  1. To determine whether the city has clearly defined roles and responsibilities related to safety and security;
  2. To examine whether the city has effective practices to ensure the safety and security of city facilities and its employees and the public; and
  3. To determine whether HSS Inc. is providing safety and security services in compliance with the city’s contract and in alignment with leading practices

The responsibility for ensuring city facility safety and security for employees and the public lies with multiple city agencies, including the Department of General Services and the Department of Finance, as well as with contracted security services.

Existing practices are driven by different city executive orders and policies, some of which are outdated. Additionally, while some city agencies have emphasized a need for better facility safety and security practices, many initiatives are in reaction to a specific incident and are not supported by a risk, or needs, assessment.

In our first citywide audit of city facility safety and security, we identified an overall lack of citywide strategic planning around the safety and security of city facilities.

The City and County of Denver Has Not Sufficiently Prioritized the Safety and Security of City Facilities

  • The city lacks clearly defined roles and responsibilities for ensuring sufficient safety and security.
  • The city’s lack of prioritization of safety and security has resulted in a fragmented approach.

Existing Safety and Security Initiatives for City Facilities Are Not Adequate

  • The city lacks a formal approach to performing and evaluating vulnerability assessments.
  • The city is not adequately educating employees on evacuation and drill procedures.
  • The city’s policies and procedures for access and badging and for its employee notification system do not align with leading practices.

The City Is Not Always Receiving Security Services in Alignment with Contractual Requirements or Leading Security Practices

  • The Department of General Services’ contract administration practices are insufficient to ensure effective oversight of the city’s contracted security services.
  • Requirements in the city’s security services contract do not always clearly define performance measures.

1.1 Develop Strategic Plan – The Mayor’s Office should develop a strategic plan for ensuring safety and security of city facilities. This strategic plan should define the city’s mission, long-term goals, and approaches to monitor progress in addressing challenges and opportunities related to its mission as well as provide context for decisions made and consider risks. Progress should be measurable and objective-based. Additionally, the plan should include a timeline for periodic review based on leading practices.

Agency Response: Agree, Implementation Date – Jan. 14, 2021

1.2 Define Roles and Responsibilities – The Mayor’s Office should work with the Department of General Services, the Department of Finance, the Department of Public Safety, and the Office of Emergency Management and Homeland Security, at minimum, to define specific roles and responsibilities related to city facility safety and security.

Agency Response: Agree, Implementation Date – Jan. 14, 2021

1.3 Update Executive Orders – After implementing Recommendation 1.2, the Mayor’s Office should work with the Department of General Services, the Department of Finance, the Department of Public Safety, and the Office of Emergency Management and Homeland Security to update executive orders 6, 65, and 85 — or to create a new executive order — to include defined roles and responsibilities and designated authority to those charged with city facility safety and security and to align with current and leading practices.

Agency Response: Agree, Implementation Date – May 14, 2021

2.1 Prioritize and Plan Vulnerability Assessments – The Department of General Services should prioritize the completion of citywide facility vulnerability assessments either through a contract or by developing an assessment in line with leading practices, such as the Interagency Security Committee standards.

As part of this prioritization, General Services should develop a timeline for completing all city facility assessments, including assessments of leased facilities that house city employees.

Agency Response: Agree, Implementation Date – Jan. 14, 2021

2.2 Document Implementation Rationale – The Department of General Services and other affected agencies should document rationale for deciding whether to implement safety or security initiatives based on a formal vulnerability, or needs, assessment.

Agency Response: Agree, Implementation Date – Jan. 14, 2021

2.3 Amend Executive Order No. 65 – In conjunction with Recommendation 1.3, the Department of General Services and the Department of Finance should work with the Mayor’s Office to amend Executive Order No. 65 to clarify that additional procedures or related safety standards exist apart from the executive order itself. The Department of Finance’s Risk Management Office should communicate to those responsible for implementing and adhering to the executive order that these additional safety standards and procedures exist.

Agency Response: Agree, Implementation Date – Aug. 12, 2021

2.4 Document Roles and Responsibilities for Emergency Response Team – In conjunction with Recommendation 1.2, the Department of General Services and the Department of Finance should work with the Mayor’s Office to identify an agency responsible for implementing the emergency response team, and they should develop and document specific roles and responsibilities for those responsible for implementation.

Agency Response: Agree, Implementation Date – Jan. 14, 2021

2.5 Implement Policies and Procedures for Emergency Response Team – Following the implementation of Recommendation 2.4, the agency responsible for implementing the emergency response team should then develop and implement policies and procedures on how to do that, including tracking the existence of emergency coordinators for each agency and verifying training attendance. These policies and procedures should include noncity buildings that house city employees (i.e., leased spaces).

Agency Response: Agree, Implementation Date – April 14, 2021

2.6 Implement Certification Program – The Denver Fire Department should develop and implement a certification program for those charged with evacuation and emergency training.

Agency Response: Agree, Implementation Date – Jan. 14, 2021

2.7 Ensure Certification – Following the implementation of Recommendation 2.6, the Denver Fire Department should ensure those responsible for evacuation and emergency training are certified as required by the Building and Fire Code for the City and County of Denver.

Agency Response: Agree, Implementation Date – Jan. 14, 2021

2.8 Review and Approve Emergency Procedures Guides – The Denver Fire Department should review and approve building emergency procedures guides as required by the International Fire Code to ensure contents are consistent with the code and with department expectations. The fire department should retain documentation of this review and approval process.

Agency Response: Agree, Implementation Date – Jan. 14, 2021

2.9 Track Fire Drill Data – The Denver Fire Department should track data and results related to fire drills to identify trends and inform future training needs.

Agency Response: Agree, Implementation Date – Jan. 14, 2021

2.10 Develop Employee Evacuation and Emergency Procedures Training – Following implementation of Recommendation 2.4, the agency responsible for implementing the emergency response team should work with the Office of Human Resources and the Denver Fire Department to develop citywide employee training related to evacuation and emergency procedures. The training should communicate information consistent with emergency procedures guides and the city’s new standard response protocols. Additionally, as required by the International Fire Code, this training should be required upon employment and annually thereafter. Documentation of this training requirement should be included either in an executive order or through Career Services Rules.

Agency Response: Agree, Implementation Date – Aug. 12, 2021

2.11 Centralize Identity, Credential, and Access Management – In conjunction with Recommendation 1.2, the Mayor’s Office should work with agencies implementing identity, credential, and access management systems to identify an agency or agencies responsible for citywide identity, credential, and access management. Responsibility for identity management, credential management, and access management should be given to an agency or agencies to satisfy the purpose of each program consistent with federal guidance.

Agency Response: Agree, Implementation Date – Jan. 14, 2021

2.12 Update Executive Order No. 6 – In conjunction with Recommendation 1.3 and following the implementation of Recommendation 2.11, the Mayor’s Office should work with responsible agencies to update Executive Order No. 6 to document roles and responsibilities and authority associated with identity, credential, and access management.

Agency Response: Agree, Implementation Date – May 14, 2021

2.13 Assess Existing Identity, Credential, and Access Management – In conjunction with Recommendation 2.1, the completion of citywide vulnerability assessments should include a review of existing identity, credential, and access management systems and processes to ensure they align with leading practices. Responsible city agencies should subsequently make changes based on identified vulnerabilities.

Agency Response: Agree, Implementation Date – Jan. 14, 2021

2.14 Develop Policies and Procedures for Identity, Credential, and Access Management – Following implementation of recommendations 2.11, 2.12, and 2.13, responsible agencies should develop and implement policies and procedures for identity, credential, and access management. The policies and procedures should include a periodic review of existing access and permissions to ensure individuals are afforded appropriate access and to ensure individuals no longer working for the city no longer have access or permissions.

Agency Response: Agree, Implementation Date – May 14, 2021

2.15 Define Outcomes and Target Goals – The Department of General Services, in conjunction with the Employee Notification System Governance Committee, should define its intended outcomes and target goals for assessing whether the employee notification system is effective and achieving its intended purpose.

Agency Response: Agree, Implementation Date – Jan. 14, 2021

2.16 Develop Contact Information Policies and Procedures – The Department of General Services, in conjunction with the Employee Notification System Governance Committee, should work with the Office of Human Resources to develop and implement policies and procedures to ensure Workday contact information for all new city employees and vendors — including contractors, on-call employees, and volunteers — is as complete and accurate as possible.

Agency Response: Agree, Implementation Date – Jan. 14, 2021

2.17 Ensure Accurate Contact Information – The Department of General Services, in conjunction with the Employee Notification System Governance Committee, should continue to work with the Office of Human Resources to ensure existing employees’ and vendors’ contact information — including those of contractors, on-call employees, and volunteers — is as complete and accurate as possible.

Agency Response: Agree, Implementation Date – Jan. 14, 2021

3.1 Develop and Implement Contract Monitoring Program – The Department of General Services should develop and implement a contract monitoring program and function to monitor the effectiveness

of contracted security services. The program should reflect performance and contract monitoring guidelines established in Executive Order No. 8 and align with leading practices for performance and contract monitoring.

Agency Response: Agree, Implementation Date – Oct. 16, 2020

3.2 Assess and Update Post Orders – The Department of General Services’ Denver Security Office should coordinate with the city’s contracted security services to ensure all post orders outlining required duties for contracted security guards reflect the city’s current operational security expectations and align with leading practices.

Agency Response: Agree, Implementation Date – Oct. 16, 2020

3.3 Develop Well-Defined Contract Performance Measures – The executive director of the Department of General Services should ensure any future city contract for security services includes well-defined performance measures that align with leading practices for performance monitoring in order to monitor the effectiveness of these services in accordance with Executive Order No. 8.

Agency Response: Agree, Implementation Date – Oct. 16, 2020

The objective of our audit of the safety and security of city facilities was to determine the overall effectiveness of the City and County of Denver’s safety and security practices. I am pleased to present the results of this audit.

The audit revealed the city has not sufficiently prioritized city facility safety and security and that existing initiatives are not adequate. Additionally, the audit found the city is not always receiving security services in alignment with the city’s contract or leading security practices. Because of their sensitive nature, some of the details for the weaknesses we identified were reported confidentially to the city agencies involved.

By implementing recommendations for developing a citywide strategic plan, updating city regulations, and implementing stronger policies and contract monitoring, the city will be better equipped to ensure the safety and security of city facilities and its employees and the public.

This performance audit is authorized pursuant to the City and County of Denver Charter, Article V, Part 2, Section 1, “General Powers and Duties of Auditor.” We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

We extend our appreciation to the personnel in the Mayor’s Office, the Department of General Services, the Department of Finance, the Office of Emergency Management and Homeland Security, the Department of Public Safety, and the Office of Human Resources who assisted and cooperated with us during the audit — especially considering each agency’s involvement with the COVID-19 crisis. For any questions, please feel free to contact me at 720-913-5000.

Follow-up report

A follow-up report is forthcoming. 

Audit Team: Dawn Wiseman, Kharis Eppstein, Shaun Wyson, Darrell Finke, Daniel Summers, Megan Kelly

Methodological Support: Samuel Gallaher, William Morales