Data Governance

This pre-audit report highlights and ranks risks related to how the City of Tulsa governs and manages its data across departments and systems. Data governance plays an important role in delivering services, protecting sensitive information, meeting legal requirements, and providing reliable information to residents and decision-makers.

This report is an early step in the audit process. The Audit Manager will use it to inform the scope and narrow the focus of the upcoming audit plan, prioritizing the areas of highest risk and greatest opportunity for improvement. It is not a list of audit findings, but rather the issues most worth testing in the full audit.

This pre-audit report was created based on information gathering from:

• Interviews with internal stakeholders across City Departments, including:

  • Internal Audit

  • IT Leadership and Security

  • City Clerk/Records & Archives

  • Legal

  • Mayor's Office

  • City Council Administration & a City Councilor

  • Fire

  • Police

  • Water & Sewer

  • Development Services

  • Human Resources

  • Planning & Performance

  • Municipal Court

• Interviews and focus groups with City Data Stewards, including two multi-participant focus groups and multiple individual steward interviews

• Interviews with external stakeholders (local nonprofit sector and local media)

• Survey of external stakeholders with 43 respondents from local non profit sector, local media, and community members

• Resident feedback via the City Auditor web form

• Community feedback across the City Auditor's social media platforms including Instagram, Facebook, LinkedIn, and Reddit

• A review of peer-city Data Governance and Information Governance audits for comparison and validation

Top Questions to Consider when Determining Audit Scope:

1. Is the City effectively managing the full lifecycle of its records?

   Are records retention, legal holds, and disposition/destruction practices consistently defined, implemented, and auditable across City systems and departments?

   
   

   Cited most often by: Legal, City Clerk, City Council, Planning & Performance, Human Resources, Internal Audit

   
   

2. Is there a clear and enforceable data governance structure operating citywide?

   Are data governance decision rights, roles, standards, and enforcement mechanisms clearly defined and consistently applied across the City?

   
   

   Cited most often by: IT, Legal, City Clerk, Mayor's Office, City Council, Internal Audit

   
   

3. Does the City have the organizational capacity to carry out its data governance responsibilities effectively?

   Does the City have sufficient capacity, staffing, training, and role clarity to execute data governance, security, and disclosure responsibilities consistently and on time?

   
   

   Cited most often by: Legal, City Clerk, Fire, Water & Sewer, Human Resources, City Council

   
   

4. Does the City have sufficient visibility into its data assets and systems to manage risk and support transparency?

   Does the City maintain an authoritative inventory of systems, data assets, owners, and data flows sufficient to support security, retention, and transparency controls?

   
   

   Cited most often by: IT, Water & Sewer, Fire, Planning & Performance, Internal Audit, Data Stewards

   
   

5. Are public meeting records published in a consistent and usable manner that supports transparency and oversight?

   Are public meeting calendars, agendas, minutes, and attachments standardized, timely, and published in machine-readable formats the support transparency and oversight?

   
   

   Cited most often by: Media, City Council, City Clerk, Data Stewards, Internal Audit, External Survey

   
   

6. Is emergency response performance data accessible in ways that support accountability while protecting sensitive information?

   Are de-identified 911/dispatch and emergency response performance analytics accessible and usable for oversight, quality improvement, and public accountability while protecting sensitive information?

   
   

   Cited most often by: City Council, Police, Fire, IT

   
   

7. Is the City's open records process managed in a consistent and coordinated manner across departments?

   Is the open records request intake, routing, tracking, and response workflow unified and consistently managed across departments to meet statutory requirements and requester needs?

   
   

   Cited most often by: Police, City Clerk, City Council, Data Stewards, Nonprofit, Media
   

8. Are open records fees applied consistently and transparently to ensure equitable access?

   Are open records fee estimated and fee rule-rule interpretations applied consistently and transparently in ways that ensure equitable access for requesters?

   
   

   Cited most often by: Community Member/Citizen, Legal, City Clerk, Media, External Survey, Social Media

   
   

9. Are disclosure controls sufficient to manage high-volume multimedia records accurately and securely?

   Are controls for high-volume video/audio redaction and disclosure sufficient to ensure timely, accurate releases and prevent inadvertent disclosure of sensitive information?

   
   

   Cited most often by: Police, Legal, Data Stewards, Media

   
   

10. Is information about capital projects and service requests accessible and transparent to the public?

    Is there a transparent, queryable view of capital improvement and service request pipelines (e.g., Capital Improvement Program, 311, work orders) that supports accountability, coordination, and resident updates?

    
    

    Cited most often by: City Council, Planning & Performance, Development Services, IT

    
    

11. Are data classification and sensitivity standards consistently applied across the City?

    Are data classification and sensitivity standards (e.g., Personally Identifiable Information, Criminal Justice Information Services, Human Resources) operationalized citywide to enable consistent protection and safe sharing?

    
    

    Cited most often by: IT, Legal, City Clerk, Planning & Performance, Data Stewards, Municipal Court

    
    

12. Is data protected during system migrations and modernization efforts?

    Are controls for system migrations and data conversions designed and executed to prevent data loss, corruption, misconfiguration, or unintended disclosure during modernization efforts?

    
    

    Cited most often by: Police, Municipal Court, IT, Data Stewards

    
    

13. Can external users reliably find and access City data?

    Can external users reliably discover what data exists, where it resides, and how to access it without relying on informal relationships or trial-and-error investigation?

    
    

    Cited most often by: Nonprofit, City Clerk, City Council, Data Stewards, Media, External Survey

    
    

14. Are data governance practices consistent enough across departments to prevent high-risk gaps?

    Are data governance controls and maturity consistent enough across departments to prevent high-risk gaps where practices lag behind enterprise expectations?

    
    

    Cited most often by: Mayor's Office, Development Services, Human Resources, Fire, Water & Sewer, City Clerk

    
    

15. Is the City proactively publishing high-value information to reduce barriers to access?

    Is the City proactively publishing high-value, non-sensitive datasets and information in ways that reduce request burden and support transparency and informed decision-making?

    
    

    Cited most often by: City Clerk, City Council, Fire, Planning & Performance, Development Services, IT

    
    

16. Do City systems produce reliable and timely data to support operational and policy decisions?

    Do the City's systems interoperate sufficiently—and are reconciliations/controls strong enough—to produce reliable, timely data for operational and policy decisions?

    
    

    Cited most often by: Fire, Water & Sewer, City Council, Planning & Performance, IT, Development Services

    
    

17. Are data definitions and documentation standardized to ensure consistent interpretation?

    Are common definitions, metadata standards, and data dictionaries maintained so stakeholders interpret data consistently and can trace it to authoritative sources?

    
    

    Cited most often by: External Survey, Data Stewards, IT, City Council, Social Media

    
    

18. Are financial and performance reports clear, contextualized, and usable for decision-making?

    Are budget, financial, and performance reports consistently decision-ready (clear definitions, context, and outcome linkage) for Council, leadership, and the public?

    
    

    Cited most often by: City Council, Internal Audit, Mayor's Office

    
    

19. Are third-party systems governed in ways that adequately manage data risk?

    Do vendor and third-party systems have standardized governance requirements (security, audit rights, retention, access, and exit/portability) to manage data risk throughout the lifecycle?

    
    

    Cited most often by: IT, Legal, Planning & Performance, Water & Sewer, Municipal Court, Police

    
    

20. Are surveillance technologies governed with appropriate controls for retention, access, and transparency?

    Are governance, retention, access, disclosure, and transparency controls for surveillance technology data (e.g., Automated License Plate Reader, Flock) clearly defined and effectively monitored?

    
    

    Cited most often by: Social Media, Police, Legal, IT

    
    
    
    

Our review shows that data governance risks may potentially occur where records management, security requirements, and public transparency responsibilities overlap. Key areas for early audit focus might include records retention and legal holds. Consistency in handling open records requests, protection of sensitive information, and maintaining a clear inventory of the City's data systems.

Ensuring that the City of Tulsa maintains strong data governance practices can reduce risk, ease administrative burden, strengthen compliance, and build public trust—while helping City leaders make better, more informed decisions.