Denver auditors commended the Denver Zoo Conservation Alliance for maintaining low information technology risks and minimizing the potential for cybersecurity attacks, according to a new report released by Denver Auditor Timothy O’Brien on Thursday.

With only minor process and policy enhancements identified in the audit’s findings, zoo officials were praised for their efforts.

“It’s not often we complete audits where an auditee is doing nearly all the right things,” O’Brien said in a statement. “I applaud the zoo and their IT team for establishing and maintaining a culture where IT protections are taken seriously in policy and in practice. They are setting a quality standard that other Denver agencies and IT teams should follow.”

Auditors evaluated 882 pieces of IT equipment and found that only 13 of them (1.3%) were considered “outdated” infrastructure, which had already been identified by zoo IT personnel prior to the audit.

Industry experts caution that outdated IT equipment and software can pose significant risks, including compromised security, loss of innovation and reduced productivity.

One of the key successes, auditors said, is that the Denver Zoo’s culture fosters a top-to-bottom and bottom-to-top understanding of funding, which enables the replacement of outdated infrastructure — a challenge often faced by other organizations.

“At the Denver Zoo, we found no evidence that its budget requests for outdated infrastructure were rejected,” Nicholas Jimroglou of the audit team said.

Computers and mobile devices at the Denver Zoo are replaced every five years to ensure that the hardware can support the latest operating system and networking equipment.

Auditors found that 300 of the 303 pieces of networking equipment are still supported by the vendor and are receiving security updates as they approach their end-of-life. The remaining three of the 303 pieces of networking equipment are not connected to the network.

Other recommendations included reconciling the organization’s equipment and software inventory — which Denver Zoo officials were aware of — but had not accomplished by the time of the audit.

“We agree with the recommendation and are conducting a comprehensive audit of all legacy hardware to ensure enrollment in our endpoint management system,” wrote Denver Zoo IT desktop support specialist Nick Weaver in the organization’s formal response. “Devices found to be incompatible with our endpoint management system will be replaced.”

Weaver estimated the process would be completed by the end of September.

“With a complete and accurate inventory, the zoo can better manage and identify the IT equipment that may put the zoo at risk for cyberattacks,” O’Brien said.

Zoo officials also agreed with the auditor’s recommendation to update their policies and procedures surrounding outdated technology infrastructure to prevent knowledge loss with employee turnover.

“This is the best implementation schedule that I’ve seen in my entire time on the Audit Committee, which means that wherever you were before the recommendations, you’ve been doing a really good job, and you’ve really taken this seriously,” wrote Jack Blumenthal, committee vice chairman.