DENVER – The Denver Botanic Gardens needs to improve safety and security at public events, better screen and train volunteers who handle cash or have contact with children, and increase its safeguards over information technology operations and security, according to a new audit from Denver Auditor Timothy M. O’Brien, CPA.
“This audit identified some flaws in how the Gardens ensures a safe environment at its special events and some security and information system weaknesses which need to be fixed,” Auditor O’Brien said. “I hope by pointing out flaws now, the Gardens will act quickly to make improvements and make sure the thousands of visitors every year continue to have positive experiences at one of Denver’s most beloved attractions.”
The City of Denver owns the majority of the land and buildings at the Botanic Gardens’ York Street location. The city leases the property at the Chatfield Farms wildlife and native plant refuge and working farm. The city also has an agreement with the Gardens that requires, among other things, the city to pay for the water, insurance, utilities and other operational costs. This agreement specifies that the Auditor has authority to audit the Gardens and assess any risks to the city’s reputational or financial interests.
Volunteer, Safety and Security Policies Lacking
In addition to its horticulture and conservation-related work, the Gardens also hosts public and private events, including the Blossoms of Light at the York Street location and the Pumpkin Festival at the Chatfield Farms location. Our audit found the Gardens cannot prove it conducted background checks for all ongoing volunteers involved in high-risk activities involving children or cash handling at these events and others. The audit also found inconsistent safety and security policies at both Gardens locations. This, in combination with certain event characteristics, the use of volunteers throughout the organization and the significant growth in the use of special event volunteers, could add up to a greater comprehensive concern, potentially impacting the public.
“Volunteers receive inconsistent training, and many volunteers do not undergo background checks before they interact with children, families and the public at special events,” Auditor O’Brien said. “While we observed volunteers behaving properly, we want to make sure there is no opportunity for future bad actors to join the exemplary team at the Gardens and put visitors and the city at risk.”
Ongoing volunteers must pass background checks, maintain active memberships and pay a volunteer fee. However, the Gardens exercises less oversight over special event volunteers. These volunteers can simply show up the day of the event to help. The Gardens also did not have complete records to prove all ongoing volunteers had passed the required background checks. As a result, the Gardens might be using inaccurate data or incomplete information to assign volunteers to jobs with inherently higher risk, such as those involving children or cash handling.
In 2017, the Gardens reported more than 2,600 ongoing and special events volunteers, compared to 262 official staff. In 2017, the Gardens reported more than 1.3 million guests. Many of the Gardens’ events are geared toward children and families. Although legal guardians and parents are ultimately responsible for supervision of their children, volunteers at events do typically oversee children’s activities. Volunteers are involved with every department and function at the Gardens.
The audit team surveyed other public botanic gardens and other Denver cultural institutions and found the wide range of volunteer responsibilities without background checks is not common. The team found half the peer locations surveyed require background checks for all volunteers, regardless of role or length of service. In other cultural facilities where volunteers are not vetted, their roles are more limited. For example, five of the six institutions surveyed do not allow volunteers to handle cash.
The combination of the Gardens’ frequent hosting of public events and heavy reliance on volunteers poses a risk to the organization due to inconsistent safety and security practices.
Inconsistencies in Oversight of Public Events Put Guests and City at Risk
Overall, the Gardens’ oversight of public events at Chatfield appears to be less rigorous than at York Street. The audit team observed staff and volunteers without uniforms, name tags or some sort of official identification at the Chatfield location over two nights of testing. They also observed violations of smoking and alcohol policies by both visitors and a food vendor. In addition, the team spotted two visitors drinking alcoholic beverages. Chatfield management says the size of the site makes it difficult to enforce rules related to smoking and alcohol.
One example of the potential risk associated with underdeveloped safety and security programs at public events is an alleged assault that took place at Chatfield’s haunted Corn Maze in October 2017. According to a woman who was a guest at the event, a masked individual presenting himself as part of the event physically assaulted her. According to the Gardens’ staff, event personnel handled the incident according to protocol. However, the incident still garnered unflattering press coverage and created a risk of reputational harm for the city.
The Gardens’ lack of a formal risk management plan and gaps in safety, security, training, planning and oversight could impact the Gardens’ ability to prevent future similar incidents, affecting public safety, the Gardens’ reputation, and by extension, the city’s.
Working to Maintain Neighborhood Relationships
The audit also found that while the Gardens has greatly improved efforts to maintain a good relationship with the neighborhood around the York Street location, it could do more to clarify expectations and encourage proactive efforts involving sound and traffic management.
Both the Gardens and an advisory committee made up of members of surrounding neighborhood groups agree the Gardens has made great strides toward building a positive relationship over the past several years. Committee representatives speak highly of the Gardens’ current management and their responsiveness to neighborhood concerns. For example, the Gardens introduced a ticket cap and offered a ride-sharing promotion through Lyft for the 2017 Blossoms of Light event to help manage traffic at night in the neighborhood.
However, the expectations regarding noise and crowd size from major events are unclear, and we could not determine whether the Gardens complies with the neighborhood agreement. The neighborhood groups believe the agreement to limit major events includes crowd size, while the Gardens asserts it applies only to amplified sound.
Critical Safeguards Missing for Information Technology Protection
The audit also found issues with critical safeguards over information systems and physical access to restricted areas. Basic controls over information technology systems at the Gardens are lacking, leading to potentially unauthorized activities. For example, physical access to storage areas for servers, networking and routing data was insecure. The Gardens uses electronic key fobs to control access for some secure areas. However, nobody is monitoring the use of these key fobs to track who is getting into the rooms. Another secure server room uses traditional keys and was unlocked when the audit team tested the door. The audit found the Gardens needs to establish accountability over electronic key distribution, management and access, as well as better monitoring of physical key distribution for restricted areas.
A lack of secure policies and procedures for information technology controls could jeopardize the confidentiality, integrity and availability of the entire organization’s information systems. The underlying cause for two overarching risk areas we identified — a lack of basic information technology controls and deficient segregation of duties — stems from a lack of technical expertise by those who lead the Gardens’ IT department.
Certain Governance Policies Unclear and Lax
Finally, the audit team identified room for improvement in the Botanic Gardens Board of Trustees’ governance practices. There was not enough clarity regarding attendance requirements for the board members. There were also gaps in the board’s conflict of interest policies and documentation. The Gardens could also improve two specific practices to demonstrate transparency and accountability.
The Botanic Gardens agreed to all 25 of the audit’s recommendations and is well on its way to implementing the changes.
“The Botanic Gardens has work to do to improve critical gaps in the safety and security of its facilities,” Auditor O’Brien said. “I am pleased Gardens officials were willing to work with us and hear our concerns. I look forward to checking back in to see their progress and improvements in the future.”