720-913-5000 auditor@denvergov.org

Audit Report

Denver Botanic Gardens

The audit had two objectives: 1) To examine the financial relationship between the City and County of Denver (City) and the Denver Botanic Gardens (Gardens) and identify areas in need of improvement related to select financial processes and controls; and 2) To review the effectiveness of the Gardens’ management of select operations and activities, including the Gardens’ Foundation’s Board of Trustees, IT-related infrastructure, planning and implementation of special events, and its volunteer program.


Flaws in how the Gardens ensure a safe environment at its special events and some security and information system weaknesses have an impact on reputation and operations. By identifying these risks, the Gardens can act quickly to make improvements to ensure that the thousands of visitors continue to have positive experiences at one of Denver’s most beloved attractions.

The City of Denver owns the land and buildings at the Botanic Gardens’ York Street location. The city leases the property at the Chatfield Farms wildlife and native plant refuge and working farm. The city also has an agreement with the Gardens for the city to pay for the water, insurance, utilities and other operational costs.

In our first audit of the Denver Botanic Gardens (Gardens), we identified a variety of controls and processes that are insufficient or could be improved.

FINDING 1: The Gardens’ Management of Safety, Security, Public Events, and Volunteers Should Be Improved
-Safety and security policies are inconsistent across locations.
-Planning, training, and staffing for events is inconsistent.
-The Gardens could be more proactive in anticipating and mitigating its effects on nearby residents.
-The Gardens does not keep accurate records on its volunteers and could not demonstrate that its ongoing volunteers had passed background checks.

FINDING 2: The Gardens Lacks Critical Safeguards over IT Systems, Segregation of Duties, and Physical Access to Restricted Areas
-The Gardens lacks policies and procedures for key IT controls such as granting individual access to information systems.
-The Gardens has not adequately protected its IT infrastructure against physical and environmental risks.
-The Gardens is unprepared to continue business operations in the event of a disaster and does not properly segregate duties for sensitive tasks.
-Control of door key access is insufficient.

FINDING 3: The Board of Trustees’ Attendance, Conflict of Interest Documentation, and Governance Practices Need Improvement
-Board and committee meeting attendance rates do not meet bylaw expectations.
-The board could not provide complete conflict of interest documentation for years reviewed.
-The board does not follow certain best practices, such as conducting regular self-evaluations.

1.1 The Gardens should develop risk management plans for key programs that are critical to its operations such as the special events program. This plan should (1) comprehensively identify program risks, (2) assess risks for likelihood, impact, and interaction, and (3) develop response strategies and policies and procedures appropriate to its risk tolerance.
Agency Response: Agree, Implementation Date – December 31, 2018

1.2 The Gardens should fully develop its safety and security program to ensure that it aligns with operational risks. At a minimum, this process should include (1) assessing the emergency procedures in place for York Street and Chatfield and ensuring they follow recommended Occupational Safety and Health Administration guidelines, including training, (2) reviewing the adequacy of the current number of permanent security staff at both locations and their qualifications and taking action as needed, (3) developing safety and security policies and procedures for public events at York Street and Chatfield that include criteria for when to develop a safety and security plan and cash management plan, and (4) establishing a monitoring and evaluation function to ensure consistent application of safety and security policies and procedures.
Agency Response: Agree, Implementation Date – October 31, 2018

1.3 The Gardens should work with the Neighborhood Advisory Committee to revise the large event agreement, or formally document clarification on the agreement. These revisions should specify which events are subject to the agreement, include a reporting mechanism that will enable the Neighborhood Advisory Committee to measure compliance, and provide guidance for how the Gardens should measure sound and event size.
Agency Response: Agree, Implementation Date – December 31, 2018

1.4 The Gardens should consult with the City’s Department of Environmental Health’s Community Noise Program to ensure its method for measuring sound is consistent with City practices and appropriately accounts for event setup, such as the number of speakers and speaker angle, elevation, and location. The Gardens should consider periodically reassessing its method for measuring sound and consider including this consultation and resulting methodology in its reports to the Neighborhood Advisory Committee to promote transparency and demonstrate compliance with the City’s noise ordinances.
Agency Response: Agree, Implementation Date – September 30, 2018

1.5 The Gardens should develop and implement procedures that outline how volunteer services personnel should document compliance with volunteer requirements within its systems of record. The procedures should include measures to ensure accuracy of information in Volgistics as well as a process for periodic review of the accuracy of the data.
Agency Response: Agree, Implementation Date – October 31, 2018

1.6 The Gardens should strengthen its current background check policy to ensure it includes the process for reviewing and approving volunteer background check results and requires retention of documentation, outside of Choice Screening, to demonstrate background checks were completed as required by policy.
Agency Response: Agree, Implementation Date – December 31, 2018

1.7 The Gardens should develop a risk management plan for programs critical to its operations, such as the management of ongoing and special event volunteers. This plan should (1) comprehensively identify program risks, (2) assess risks for likelihood, impact, and interaction, and (3) develop response strategies and policies and procedures appropriate to its risk tolerance.
Agency Response: Agree, Implementation Date – December 31, 2018

1.8 The Gardens should evaluate the importance of requiring an active membership and a volunteer fee for ongoing volunteers. If the Gardens determines these are critical elements, it should develop policies and procedures to ensure the requirements are consistently implemented. At a minimum, these policies should include its method of documenting compliance and developing criteria for awarding a scholarship and documenting this decision.
Agency Response: Agree, Implementation Date – December 31, 2018

1.9 After establishing criteria for awarding a scholarship, the Gardens should advertise this information on its website alongside the volunteer program requirements to prevent potential limitations in the diversity of its volunteer pool.
Agency Response: Agree, Implementation Date – December 31, 2018


2.1 Create IT Policies Based on National Standards—The Gardens should work with a qualified third party to adopt an IT control framework, such as the one outlined by the National Institute of Standards and Technology, and develop and implement IT control policies in compliance with the adopted framework to address the five control areas outlined above, as soon as possible.
Agency Response: Agree, Implementation Date – December 31, 2018

2.2 Tighten Management of Key Fobs—Executive management at the Gardens should work with the Operations department and IT department to establish accountability over electronic key distribution, management, and access, including regular monitoring of access alerts, as soon as possible. Additionally, the responsible department should periodically review access over electronic keys.
Agency Response: Agree, Implementation Date – July 31, 2018

2.3 Establish Server Room Policy—After implementation of recommendation 2.2, the responsible department should implement IT controls, as soon as possible, based on a nationally recognized standard such as the National Institute of Standards and Technology’s 800-53 standard to ensure that the data and infrastructure are properly protected from physical and environmental threats.
Agency Response: Agree, Implementation Date – December 31, 2018

2.4 Implement Continuity Planning Policy—The Gardens should adopt an IT control framework, such as the one outlined by the National Institute of Standards and Technology, and develop and implement IT control policies in compliance with the adopted framework to address continuity planning. The policy should include the frequency for plan review and the approval process.
Agency Response: Agree, Implementation Date – December 31, 2018

2.5 Create Business Continuity and Disaster Recovery Plans—The Gardens should implement a business continuity and disaster recovery plan for its information systems, data, and relevant personnel as soon as possible.
Agency Response: Agree, Implementation Date – December 31, 2018

2.6 Re-evaluate Data Retention Strategy—The Gardens should find an appropriate location for its data and information systems to ensure continuity of operations as soon as possible.
Agency Response: Agree, Implementation Date – December 31, 2018

2.7 Establish Segregation of Duties Policy for User Provisioning—The Gardens should develop and implement policies and procedures that address segregation of duties from a user provisioning perspective as soon as possible.
Agency Response: Agree, Implementation Date – December 31, 2018

2.8 Evaluate Segregation of Duties for Business Processes—The Gardens should (1) conduct a comprehensive evaluation of internal controls including a segregation of duties assessment to identify incompatible work responsibilities of all staff and volunteers and (2) develop and document compensating or other controls to minimize risks that result from the identified incompatible work responsibilities. These controls should include measurable criteria and documentation requirements and periodic monitoring by management.
Agency Response: Agree, Implementation Date – December 31, 2018

2.9 Physical Key Management and Control Ownership—The Gardens Operations and IT departments should work together to identify the department and positions responsible for door key distribution, management, and access.
Agency Response: Agree, Implementation Date – July 31, 2018

2.10 Door Key Management Internal Controls—After implementation of recommendation 2.9, the responsible department should document and implement appropriate internal controls based on a nationally recognized standard, such as the National Institute of Standards and Technology’s 800-53 standard, to ensure that the data and infrastructure are properly protected.
Agency Response: Agree, Implementation Date – October 31, 2018


3.1 Assess and Enforce Board and Committee Attendance—The Board of Trustees should assess the level of board and committee meeting attendance required to promote board engagement and revise its bylaws or other governing documents accordingly. In addition, the board should actively enforce its attendance requirement and ensure all communications regarding attendance requirements are consistent to ensure board members demonstrate their duty of care.
Agency Response: Agree, Implementation Date – September 30, 2018

3.2 Track Attendance Rates—The Board of Trustees should develop a method for analyzing and monitoring overall board and committee member attendance rates, including keeping an accurate, up-to-date roster of current board members, to identify and address patterns of low attendance.
Agency Response: Agree, Implementation Date – August 31, 2018

3.3 Develop Conflict of Interest Document Retention Policy—The Board of Trustees should develop and implement a document retention policy for the board’s conflict of interest disclosure statements.
Agency Response: Agree, Implementation Date – September 30, 2018

3.4 Revise Conflict of Interest Policy—The Board of Trustees should revise its current conflict of interest policy to include steps to enforce the requirement for each active board member to sign a conflict of interest disclosure statement annually.
Agency Response: Agree, Implementation Date – September 30, 2018

3.5 Document Governance and Nominating Committee Meetings—The Board of Trustees should revise its bylaws to require the Governance and Nominating Committee to document meeting minutes to include, at minimum, committee members in attendance, overall themes of the discussion, and decisions made.
Agency Response: Agree, Implementation Date – September 30, 2018

3.6 Conduct Board Self-Evaluation—The Board of Trustees should revise its bylaws to include a requirement that the board conduct a self-evaluation on a regular basis and clearly define the frequency with which this evaluation should occur.
Agency Response: Agree, Implementation Date – September 30, 2018


Audit Team: Katja E.V. Freeman, Kevin Sear, Emily Owens, Kharis Eppstein, Chatherine Lyles, Ronald Keller, Brian Cheli, Shannon Dale, Thomas Hardcastle