On Wednesday, April 16, the Audit and Finance Standing Committee meeting got updates on audit implementation, and the police IT audit is still lagging.

Before the news of the meeting, as we’re in the middle of a subscriber drive (read about it here), I’d just like to take a moment to say that once the newspaper launches, these after-meeting stories will be behind a paywall. To be clear, you’re not going to miss anything important if you only read the paper. These post-meeting stories are where the deep dives and op-ed-y type stuff will mainly live, whereas the paper will be a more traditional news report. Usually.

Now, on the Audit and Finance Committee meeting and the Police’s IT audit.

To kick things off before giving his presentation to the committee, Halifax’s auditor general, Andrew Atherton, gave an administrative update when he told councillors that his office didn’t have the personnel required to do more than say whether or not their recommendations were 100% complete. If something is listed as incomplete, it may not have been started at all or it may be at 99.9% complete, but progress updates are the purview of HRM’s management, not his office.

With that caveat out of the way, he informed councillors that the recommendations on how the city buys and sells real estate are 5 of 7 complete. The recommendations from Halifax Water’s Supervisory Control And Data Acquisition System (SCADA) audit (read: IT security audit) are about half complete. The building permits audit recommendations are now complete, and the police IT audit recommendations are still not complete.

Just for a bit of background, the police IT audit first started in 2016 when the city got a consultant report about the police’s IT security. In 2018, the AG of the day, Evangaline Coleman-Sadd, wrote to the Board of Police Commissioners that her office was going to delay the police IT audit because the consultant’s “report covered many of the areas we planned to examine in our audit and identified serious security deficiencies.” Then in 2019, HRP’s then chief information security officer, Andrew Kozma, told the Board of Police Commissioners they had completed 10 of the recommendations and started 40 of the 66 recommendations in the 2016 audit.

The AG’s office eventually got around to auditing the police’s IT security and found that in 2019 the HRP had lied to the Board of Police Commissioners when they said they’d completed 40 of 66 recommendations because Coleman-Sadd’s office found that the HRP had actually only done five of the 40 things they claimed to have finished in 2019.

The bulk of this meeting was an in-camera portion so that councillors could ask questions that can't be asked in public. Maybe questions like “how can it be that almost a decade after it was first identified as an issue, the Halifax Regional Police still haven’t fixed their IT issues?” Which can’t be answered publicly because police incompetence creates existential security issues for the HRM. That’s also why police have the Board of Police Commissioners as an extra oversight body.

After the in-camera portion of the meeting, Atherton told the committee that being down two employees is delaying audits. Councillor Kathryn Morse asked if the AG’s planned Facility/ Infrastructure Management and Maintenance audit would include some hard numbers on just how bad Halifax’s infrastructure deficit is. The good news is that it will, but the bad news is that he doesn’t know how quickly his office will be able to get to the single most critical audit in their docket due to staffing shortages.