Magdy Mossaad ushers in a new era for the city’s internal audit process
For the first time in decades, the city’s internal auditor has a posse.
When he hired two employees last fall, Magdy Mossaad, brand new director of the city of Minneapolis’ brand new Internal Audit Department, made history.
At least since the 1980s, the city’s self-auditing had been done by one man.
You plugged a parking meter? He made sure your quarter made it safely into the city’s coffer. Paid to get your car out of the impound lot? He made sure the clerk didn’t pocket your cash. Your elected official is claiming mileage and parking fees? He made sure it was legit.
Other cities of a comparable size — places like Portland, Atlanta and Seattle — have as many as 15 professionals in their internal audit departments.
Now, in March 2011, Minneapolis has three.
Some attention, it seems, is finally returning to a function that for a long time was lost in the bureaucratic shuffle.
“It simply got to be a forgotten job,” says Mark Oyaas. “I like to say it got parked in a funny spot: on the M floor behind a big, gray desk.”
Oyaas is one of three private-sector representatives on the new Audit Committee, which Mossaad’s staff now reports to. The Audit Committee was created in late 2009, in direct response to the problem of Minneapolis’ short-staffed audit crew. In addition to the three private-sector members, the committee includes three city council members.
“It wasn’t forgotten,” clarified Carol Becker, a current member on the Board of Estimate, which used to oversee internal auditing. Becker has long fought for a more robust audit process. “It was just under-resourced. What could be done was really limited.”
The Mossaad era
At any rate, times have changed. Bob Bjorklund, the former director of internal audit, retired in late 2009 after more than 20 years on the job. After a stormy transition period — one that left an eight-month auditor vacancy and almost resulted in the elimination of the Board of Estimate altogether — the slate is cleared. We’re in a new era: the Mossaad era.
“Pretty much square one,” said Oyaas. “We are starting from scratch. City Hall’s getting three really well-trained eyes on the thing.”
Oyaas got the Audit Committee gig thanks to the Minneapolis Parks and Recreation Board, which was allowed one appointment to the committee. He is a managing partner with the public affairs consulting group Neerland & Oyaas.
The other two private-sector appointments come from the mayor and the city council, respectively.
Mossaad, an Egyptian native, took the job in June 2010, after a 10-year run as a senior auditor at Rochester’s Mayo Clinic. By November, he needed to present two things to the Audit Committee: a comprehensive “risk profile” — essentially identifying and ranking every conceivable threat factor for the city — and a three-year plan to address those factors. The plan would go into effect immediately, in December 2010.
It was a sensationally complex task.
And Mossaad, meanwhile, had yet to find a place to live locally. He was commuting back and forth from his home in Rochester, occasionally crashing at the apartment of his son, a third-year music student at the University of Minnesota. Six months later, he still is.
The heat map
So what has Mossaad been up to since last summer? Mostly bringing in experts.
Mossaad had never worked in city government before.
“Internal audit as a profession is the same wherever you work — in government, in not-for-profit, in business,” Mossaad says. “… However, every industry has its own special challenges. So you need to beef up your experience.”
In July, he contracted KPMG, one of the world’s largest audit and consulting firms, which boasts a specialty in government, to get a head start on the initial risk assessment. Then in October, he hired his two senior internal auditors: Jacob L. Claeys, a former lead auditor for the city of Denver, and Ginger Bigbie, who comes from Florida-based Shands Health Care.
Within a few months, the team had its “Heat Map,” a color-coded chart prioritizing threats to the city.
The biggest risk, in the red zone both for “major impact” and “almost certain likelihood,” is in the city’s information systems: the city’s computer network, its databases and all of the private information that flows through each. IT, Mossaad says, is “always the top priority in any industry.”
Another red risk is cash handling — the huge amounts of actual currency generated from parking meters and parking lots. Mossaad is pleased with the city’s new “smart meters,” which allow motorists to pay with credit cards, as they will reduce the amount of cash requiring hand delivery to the city.
On the low end of the heat map, in a mild green zone (“moderate impact,” “possible likelihood”), is expense reimbursement.
The middle orange and yellow zones are the most cluttered, home to threat categories such as the impound lot, grant administration, pension fund accounting and utility billing.
The 2011 audit plan calls for a number of protective measures: 800 hours to assess the controls in place for purchasing and accounts payable, 700 hours to review vendor and contract management, and 300 hours to “determine whether controls over cash collection, accounting and deposit of funds are appropriate.”
For his efforts, Mossaad will be paid $97,201 annually.
As for IT concerns, Mossaad says the Audit Committee has approved a project to hire “professional hackers” this year to come in and test information systems.
“We expected the first two or three projects to go slow,” Mossaad says. “It’s something new to the city. It’s also new to us, as a team. We’re trying to build the process and prototype it.”
The pace has raised a few eyebrows. But Becker is pleased that things are changing for the better.
“In an era of cut, cut, cut, this is one of the few places that actually added resources,” she said. “It’s not cool, it’s not sexy. But they’re the people that keep you out of trouble, that keep you off the front page.”