Information Technology Risk Management Follow-Up

Photo illustration showing a pointed finger tapping one of a series of holographic locks.

The Technology Services agency fully implemented two recommendations made in the original audit report. However, Technology Services partially implemented three recommendations, and it has not taken steps to address the risks two other recommendations had sought to resolve.

While only two recommendations were fully implemented, we did find Technology Services has made some progress. This includes the implementation of its 2025 citywide IT risk assessment survey, an updated risk management policy, use of a third-party training platform for training employees, use of a single source of record for its risk management program, as well as automated reminders to employees and their managers for delinquent training completion.

Green circle icon with 2 fully implemented, blue circle icon with 3 partially implemented, red circle icon with 2 not implemented.

Remaining Risks

The recommendations Technology Services did not fully implement present several lingering risks. Among them, the agency has not:

  • Established a risk assessment procedure for performing risk assessments.
  • Developed an internal risk management training program.
  • Defined roles and responsibilities for citywide risk management.
  • Established partnerships with independent agencies to share data about potential risks.
  • Implemented acceptable use agreement and cybersecurity awareness training completion percentages in leadership performance evaluations.

Auditor's Letter

January 8, 2026

In keeping with generally accepted government auditing standards and Auditor’s Office policy, as authorized by city ordinance, we have a responsibility to monitor and follow up on audit recommendations to ensure city agencies address audit findings through appropriate corrective action and to aid us in planning future audits.

In June 2024, we audited Information Technology risk management and found risks of having an incomplete understanding of potential technology risks and vulnerabilities across the city. Technology Services agreed to implement all seven of our recommendations.

We recently followed up and found Technology Services fully implemented two recommendations, partially implemented three, and did not implement two recommendations.

Although Technology Services has made notable progress, it did not fully address the risks associated with our original findings. Consequently, we may revisit these risk areas in future audits to ensure the city takes appropriate corrective action.

We appreciate the leaders and team members at Technology Services who shared their time and knowledge with us throughout the audit and the follow-up process. Please contact me at 720-913-5000 with any questions.

Denver Auditor's Office

Auditor's Signature
Timothy O'Brien, CPA

Timothy O'Brien Official Headshot

AUDITOR TIMOTHY O'BRIEN, CPA
Denver Auditor

Denver Auditor's Office

201 W. Colfax Ave. #705 Denver, CO 80202
Emailauditor@denvergov.org
Call: 720-913-5000
Follow us on Facebook     Connect with us on Twitter

Auditors Office Logos for Footer: Denver Auditor, Denver Labor

Back to top