2023-04-26 Policy & Services Committee Agendas

POLICY AND SERVICES COMMITTEE
Special Meeting
Wednesday, April 26, 2023
Community Meeting Room & Hybrid
Meeting Location Changed
7:00 PM

Pursuant to AB 361 Palo Alto City Council meetings will be held as “hybrid” meetings with the option to attend by teleconference/video conference or in person. To maximize public safety while still maintaining transparency and public access, members of the public can choose to participate from home or attend in person. Information on how the public may observe and participate in the meeting is located at the end of the agenda. Masks are strongly encouraged if attending in person.

The meeting will be broadcast on Cable TV Channel 26, live on YouTube https://www.youtube.com/c/cityofpaloalto, and streamed to Midpen Media Center https://midpenmedia.org.

VIRTUAL PARTICIPATION
CLICK HERE TO JOIN (https://cityofpaloalto.zoom.us/j/94618744621)
Meeting ID: 946 1874 4621    Phone: 1(669)900‐6833

PUBLIC COMMENTS
Public comments will be accepted both in person and via Zoom for up to three minutes or an amount of time determined by the Chair. All requests to speak will be taken until 5 minutes after the staff’s presentation. Written public comments can be submitted in advance to city.council@CityofPaloAlto.org and will be provided to the Council and available for inspection on the City’s website. Please clearly indicate which agenda item you are referencing in your subject line.

PowerPoints, videos, or other media to be presented during public comment are accepted only by email to city.clerk@CityofPaloAlto.org at least 24 hours prior to the meeting. Once received, the Clerk will have them shared at public comment for the specified item. To uphold strong cybersecurity management practices, USB’s or other physical electronic storage devices are not accepted.

CALL TO ORDER

PUBLIC COMMENT
Members of the public may speak to any item NOT on the agenda.

ACTION ITEMS
1. Office of the City Auditor Presentation of the Remote and Flexible Work Study Report
2. Office of the City Auditor Presentation of the Electronic Payment Process and Controls Audit Report
3. City Council Referral to Discuss and Recommend Council Protocols on International Travel and other City Council referrals related to the City Council Procedures and Protocols.

FUTURE MEETINGS AND AGENDAS
Members of the public may not speak to the item(s)

ADJOURNMENT

PUBLIC COMMENT INSTRUCTIONS
Members of the Public may provide public comments to teleconference meetings via email, teleconference, or by phone.
1. Written public comments may be submitted by email to city.council@cityofpaloalto.org.
2. For in person public comments please complete a speaker request card located on the table at the entrance to the Council Chambers and deliver it to the Clerk prior to discussion of the item.
3. Spoken public comments using a computer or smart phone will be accepted through the teleconference meeting. To address the Council, click on the link below to access a Zoom‐based meeting. Please read the following instructions carefully. You may download the Zoom client or connect to the meeting in‐browser. If using your browser, make sure you are using a current, up‐to‐date browser: Chrome 30, Firefox 27, Microsoft Edge 12, Safari 7. Certain functionality may be disabled in older browsers including Internet Explorer. Or download the Zoom application onto your smart phone from the Apple App Store or Google Play Store and enter in the Meeting ID below. You may be asked to enter an email address and name. We request that you identify yourself by name as this will be visible online and will be used to notify you that it is your turn to speak. When you wish to speak on an Agenda Item, click on “raise hand.” The Clerk will activate and unmute speakers in turn. Speakers will be notified shortly before they are called to speak.
When called, please limit your remarks to the time limit allotted. A timer will be shown on the computer to help keep track of your comments.
4. Spoken public comments using a phone use the telephone number listed below. When you wish to speak on an agenda item hit *9 on your phone so we know that you wish to speak. You will be asked to provide your first and last name before addressing the Council. You will be advised how long you have to speak. When called please limit your remarks to the agenda item and time limit allotted.

CLICK HERE TO JOIN    Meeting ID: 946‐1874‐4621   Phone: 1‐669‐900‐6833

Americans with Disability Act (ADA)
It is the policy of the City of Palo Alto to offer its public programs, services and meetings in a manner that is readily accessible to all. Persons with disabilities who require materials in an appropriate alternative format or who require auxiliary aids to access City meetings, programs, or services may contact the City’s ADA Coordinator at (650) 329‐2550 (voice) or by emailing ada@cityofpaloalto.org. Requests for assistance or accommodations must be submitted at least 24 hours in advance of the meeting, program, or service.

Regular Meeting April 26, 2023
Materials related to an item on this agenda submitted to the Board after distribution of the agenda packet are available for public inspection at www.CityofPaloAlto.org.

Policy & Services Committee
Staff Report

From: Adriane McCoy, Interim City Auditor
Meeting Date: April 26, 2023
Report #: 2302-1019

TITLE
Office of the City Auditor Presentation of the Remote and Flexible Work Study Report

BACKGROUND
Baker Tilly, in its capacity serving as the Office of the City Auditor (OCA), performed a citywide risk assessment that assessed a wide range of risk areas, including strategic, financial, operational, compliance, technological, and reputation risks. The purpose of the assessment was to identify and prioritize risks to develop the annual audit plan. During the FY2022 risk assessment [1] (ID#13914), the OCA identified recruitment and retention challenges and need for a study of remote positions which affect recruitment and retention as many people prefer remote positions.

DISCUSSION
The objectives of the review were to:
1) Evaluate the alignment of remote and flexible work policy and procedure to best practices.
2) Identify position eligibility criteria for remote and flexible work schedules.

Through conversations with the Human Resources management staff, analysis of current applicable remote work policies, and market research, Baker Tilly created a framework for the implementation of a remote and flexible work study program. This framework includes the use of a criteria tool and two potential options for the implementation of the framework. The tool can be used to objectively evaluate City positions for remote and flexible work eligibility. The report provides market trend research to inform future implementation for this recommended framework and optional surveys to distribute to City employees for assistance in the determination of remote and flexible work eligibility.

[1] City Council Staff Report April 4, 2022 https://www.cityofpaloalto.org/files/assets/public/agendas-minutes-reports/agendas-minutes/city-council-agendas-minutes/2022/20220404/20220404pccsmamendedlinked1.pdf

FISCAL/RESOURCE IMPACT
The Office of the City Auditor worked primarily with Human Resources Department and engaged with additional stakeholders, including the City Manager’s Office and the City Attorney’s Office, as necessary. The timeline for implementation of corrective action plans is identified within the attached report.

ATTACHMENTS
• Attachment A: Remote and Flexible Work Study Report

City of Palo Alto
Office of the City Auditor
FY21/22 Remote and Flexible Work Study
March 14, 2023

Executive Summary

Purpose of the Audit
The purpose of this audit was to:
1) Evaluate the alignment of remote and flexible work policy and procedure to best practices
2) Identify position eligibility criteria for remote and flexible work schedules

Report Highlights

Category/Theme: Remote Work Policy
Page #: Pg. 6
Recommendation: The City should revise the current policy to strengthen its teleworking risk mitigation and further clarify the remote work arrangement between its employees and departments. The City should also implement a periodic review of its telework policy in annual intervals to ensure content is current and still meeting department needs.

Category/Theme: Remote Work Procedures
Page #: Pg. 7
Recommendation: The City should revise the current agreement form to include a more robust list of employee obligations to improve the clarity of responsibilities for remote workers and their departments. The City should also ensure that the agreement form reflects the content of the current teleworking policy.

Category/Theme: Position Eligibility
Page #: Pg. 7
Recommendation: We recommend the development of a standardized criteria for position remote and flex work eligibility. All positions should be evaluated for full remote, partial remote/flex schedule, and ineligible remote work. Once position eligibility is determined, the City should follow existing policy to review individual employee eligibility for all eligible positions.

Opportunities

Category/Theme: Remote Work Best Practices
Page #: Pg. 8
Recommendation: We provide context to consider for future implementation of a remote and flexible work policy to remain current and competitive in the hiring market and considerations for executing a position eligibility assessment. Summarized by:
- Early Covid-19 Pandemic Workforce Response
- Sustaining Remote Workforce Responses
- Future Workforce Challenges

Category/Theme: Position Eligibility Framework
Page #: Pg. 9-11
Recommendation: We recommend a six-step framework for position eligibility implementation:
- Creation of a framework
- Creation of a communication plan
- Selection of pilot departments
- Pilot department evaluation with two approaches
- Modification of the implementation plan
- Implementation of position evaluation

Table of Contents
Executive Summary
Purpose of the Audit
Report Highlights
Objective
Background
Scope
Methodology
Compliance Statement
Organizational Strengths
Category/Theme
Analysis on the Future of Remote Work
Appendices
Appendix A: Sample Policy Modifications
DEFINITIONS
POLICY
PROCEDURE
ELIGIBILITY
CONDITIONS
Information Security and Protection
Ad Hoc Arrangements
Exceptions
Appendix B: Hybrid Work Agreement Form
Appendix C: Position Eligibility Criteria
Appendix D: Management Response

Introduction

Objective
The purpose of this audit was to:
1) Evaluate the alignment of remote and flexible work policy and procedure to best practices.
2) Identify position eligibility criteria for remote and flexible work schedules.

Background
The City of Palo Alto’s Human Resources Department states they "strive to recruit, develop, and retain a diverse, well-qualified and professional workforce that reflects the high standards of the community we serve." The department’s key responsibilities are: Employment Recruitment & Selection, Employee Benefit Administration, Employee Training & Development, Employee and Labor Relations, Compensation & Classification Administration, Risk Management, Safety and Workers Compensation and Volunteer Administration.

As part of the FY2022-2023 Audit Plan approved by the City Council, a Remote and Flexible Work Study audit was authorized. Through conversations with the Human Resources management staff, analysis of current applicable remote work policies, and market research, Baker Tilly created a framework for the implementation of a remote and Flexible Work Study Program. This framework includes the use of a criteria tool and two potential options for the implementation of the framework. The tool can be used to objectively evaluate City positions for remote and flexible work eligibility. The report provides market trend research to inform future implementation for this recommended framework and optional surveys to distribute to City employees for assistance in the determination of remote and flexible work eligibility. More details on this framework are included in the Methodology and Detailed Testing Results section.

Scope
The scope of this engagement includes remote work policies, procedures, and eligibility effective as of June, 2021.

Methodology
The Baker Tilly team conducted the following audit activities to meet the engagement objectives:
• Interviewed Human Resources staff to understand the current state, benefits, and barriers of remote work,
• Reviewed relevant policies and procedures,
• Identified industry-relevant criteria to be used for evaluation,
• Researched best practices, as well as remote work trends and challenges.

Compliance Statement
This audit activity was conducted from May 2022 to July 2022 in accordance with generally accepted government auditing standards, except for the requirement of an external peer review [1]. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

[1] Government auditing standards require an external peer review at least once every three (3) years. The last peer review of the Palo Alto Office of the City Auditor was conducted in 2017. The Palo Alto City Council approved a contract from October 2020 through June 2022 with Baker Tilly US, LLP (Baker Tilly) and appointed Kyle O’Rourke, Senior Consulting Manager in Baker Tilly's Public Sector practice, as City Auditor. Given the transition in the City Audit office, a peer review was not conducted in 2020 and will be conducted after the third year of Baker Tilly’s contract.

Organizational Strengths
During this audit activity, we observed certain strengths of the City. Key strengths include:
- Dedicated Human Resources staff committed to the organization.
- A commitment to providing excellent service delivery in the community while balancing the needs and safety of City employees.
- Staff awareness regarding the ever-changing landscape of the remote work environment in a post-covid workplace.

The Office of the City Auditor greatly appreciates the support of the Human Resources Department in conducting this audit activity. Thank you!

Testing Results
During our assessment, we identified three key documents of improvement for Palo Alto to implement related to remote work practices. The areas assessed, results of each assessment, and our recommendations for improvement are shown below.
Policy and procedure criteria were based upon Society for Human Resources best practice documents:
• SHRM Telecommuting Policy and Procedure
• SHRM Short Term Telecommuting Agreement
• International Public Management – Human Resources Association remote work best practices

Category/Theme: Remote Work Policy
Document name: 2-38/HRD Remote Work Policy
Finding #: 1
Finding: The City last updated the Remote Work policy in June of 2021 in consultation with City management, modifying the original to accommodate telework modification required as a result of the COVID-19 pandemic. The City's Remote Work Policy is missing components that will strengthen and clarify the remote work arrangement between employees, their departments, and the City. Some components were recommended by Human Resources during the most recent revisions, but discussions with City management resulted in their omission from the final policy. The current policy leaves the City susceptible to holding employees accountable for attendance and performance issues, City property inventory discrepancies, and dependent care responsibilities.
Recommendation: The City should revise the current policy to strengthen its teleworking risk mitigation and further clarify the remote work arrangement between its employees and departments. The City should also implement a periodic review of its telework policy in annual intervals to ensure content is current with best practices and meets department needs. A sample policy revision, based upon The Society for Human Resources Management and the International Public Management – Human Resources Association best practices and sample policies, is provided in Appendix A.

Category/Theme: Remote Work Procedures
Document name: Hybrid Work Agreement Form (FY23)
Finding #: 2
Finding: The City's Hybrid Work Agreement Form omits obligations of a remote worker that, if present, would better define employee responsibilities and commitments. As is, the form leaves the City susceptible to employee attendance and performance issues, unclear accountability standards with regard to City property and policy, and an inability to modify the remote work agreement as needed. The City last updated the teleworking agreement form in June 2021, modifying the original to accommodate remote work modification required as a result of the COVID-19 pandemic. However, the revised form does not comprehensively reflect components of the City’s teleworking policy. The Society for Human Resources Management, with a thorough sample agreement form for teleworking, frames content that addresses these common remote work risks.
Recommendation: The City should revise the current agreement form to include a more robust list of employee obligations to improve the clarity of responsibilities for remote workers and their departments. The City should also ensure that the agreement form reflects the content of the current teleworking policy. A sample revision of the form is provided in Appendix B.

Category/Theme: Remote Work Position Eligibility
Document name: n/a
Finding #: 3
Finding: The City does not have a standardized approach to determine position eligibility for remote or flex work schedules. Department directors approve eligibility on a case-by-case basis as employees request it, with a strong consideration of department norms and supervisor preferences. This creates inconsistent eligibility across departments for positions with similar essential duties. Department requirement of in-person work when essential job duties do not require the position to be on-site or in the office damages the City’s ability to retain employees and attract new talent.
Recommendation: The City should develop standardized criteria for position remote and flex work eligibility. All positions should be evaluated for full remote, partial remote/flex schedule, and ineligible remote work. Once position eligibility is determined, the City should follow existing policy to review individual employee eligibility for all eligible positions.
Sample criteria are provided in Appendix C.

Analysis on the Future of Remote Work

This section provides market and industry context to consider for future implementation to remain current and competitive in the hiring market and considerations for executing a position eligibility assessment.

2 Public Sector Telework Trends During the Coronavirus Pandemic | IPMA-HR
3 Public Sector Telework Trends During the Coronavirus Pandemic | IPMA-HR
4 Quick Steps to Prepare a Remote Work Policy for Your Local Government | icma.org
5 The Future of Remote Work in the Public Sector - Government Technology Insider

Remote Work Best Practices and Research

Governments and public sector organizations have continued to leverage remote work as a necessary alternative to traditional in-person work. Forecast trends predict public sector reliance on remote work will continue and likely expand. Standardized implementation of remote work will allow the City of Palo Alto to remain competitive as well as modernize and expand the quality services its residents expect.

Early Covid-19 Pandemic Workforce Response

Prior to the Covid-19 Pandemic and government issued shutdowns, remote work was uncommon within the public sector. The U.S. Bureau of Labor Statistics 2019 National Compensation Survey found flexible workplace benefits were available to 4 percent of state and local government workers and 5 percent of management level positions. An International Public Management Association for Human Resources (IPMA-HR) survey of local government members found that 70 percent of public sector organizations did not have established remote work programs in early 2020 when the Pandemic began.

During Covid, among the 30 percent of public sector organizations surveyed by IPMA-HR which already had remote work programs, the percentage of remote workers increased to 63 percent after closures began.
Among organizations that did not have established programs, survey participants reported an average of 1 percent of their workforce worked remotely before the Pandemic. Their share of remote workers grew to 41 percent by April 2020, representing an increase of 4,000 percent and indicating industry-wide adoption of remote work flexibility.2

Sustaining Remote Workforce Responses

IPMA-HR reports 69 percent of the respondents at public sector organizations that already had established remote work policies prior to February 2020 reported plans to continue allowing more remote work after reopening their offices. Maintained remote work programs were lower, at 45 percent, among survey respondents whose organizations lacked remote work programs prior to the Covid-19 Pandemic.3

Currently, local government policies and approaches address primarily four areas: 1) Employee eligibility for remote work, 2) Necessary forms and policy development, 3) Accessing communication channels, and 4) IT practices, procedures, and security.4

Government Technology Insider notes that investments made to enhance and maintain network architecture are needed for continued support of remote work. Services, such as streamlined support tickets and an IT service desk, are important to support remote end-users. Additionally, agencies should establish a business continuity plan (BCP) to train workers on secure network practices while remotely working.5

The reported ability to work remotely varies widely depending on the industry. Government, public administration, and military organizations fall in the middle of this list with 46 percent of workers reporting most daily job functions can be performed remotely. According to the FlexJobs online trends database, the State of California has the most remote job listings of any state.
In terms of remote worker populations, the City of Palo Alto is among the top five cities in the State, with 9.3% of their total working population remote. Neighboring cities Mountain View, Sunnyvale, and Redwood also make this list of the top 50 California cities for remote work, with 6.2 percent, 5.3 percent, and 4.6 percent remote populations, respectively.6

6 Remote Job Market Map - Trends, Companies, & Facts by State | FlexJobs
7 Amid public sector hiring challenges, researchers highlight telework, flexibility as path forward - American City and County
8 Public Sector Remote Work Challenges - Exisor, California Transportation Commission, 2021, “Effects of COVID-19-Related Telework Policies on the Transportation System”
9 Work remotely – Employees | telework.govops.ca.gov

Future Workforce Challenges

As the public sector rebounds from the demands incurred from the Covid-19 Pandemic, hiring challenges, vacancies, and burnout are impeding return to pre-pandemic workforce levels. Approximately 90 percent of jobs lost in the private sector have returned as of April 2022, while only 53 percent of jobs lost have returned for the public sector. Pandemic job loss and pre-pandemic hiring challenges have made quality talent recruiting and succession planning the highest priority staffing challenges government organizations face.7 Burnout and stress have caused 44 percent of public sector employees to experience decline in mental-emotional health. In California, other remote work challenges include public sector work culture, high paper dependencies, and cybersecurity concerns according to the California Transportation Commission.8

Remote work is likely preceding a future of public service performed by a network of workers across integrated geographies, making “remoteability” a key metric for a public sector organization’s success. Addressing motivation and the intrinsic value of public sector work is one strategy to retain devoted public servants.
Increasing resources through benefits and salary to match the increased demands placed on large City and County employees will further encourage public sector participation.

We anticipate California will continue various resources, programs, and benefits that enable employers and local governments to support their remote work segments. The California Government’s “telework.govops.ca.gov” is one resource providing best practices and helpful tips for governments like Palo Alto. We encourage use of these resources and others to achieve ideal remoteability.9

Position Eligibility Framework

Below is a sample framework to consider implementing for evaluating position eligibility for remote work and modifying the position eligibility in context of the remote work policy at the City of Palo Alto:

1. Human Resources makes a framework for position eligibility assessment deployment
   a. HR evaluates the positions first and solicits director feedback on potential eligible positions
   b. HR collaborates with department directors to evaluate eligibility for all positions
2. Human Resources creates a communication plan for the evaluation framework
3. Human Resources selects pilot departments to evaluate position eligibility
4. Human Resources runs the pilot department evaluation
5. Human Resources modifies implementation plan using lessons learned from the pilot
6. Human Resources implements position evaluation with remaining departments

1. Creation of framework

a. Human Resources evaluates the positions first to eliminate positions for department review that are ineligible to work remotely
The benefits of this method: Creates a top-down efficient approach using the knowledge and expertise of the Human Resources staff and reducing the volume of department position review.
The negatives of this method: Reduced position review transparency for department leadership and employees

b. Department directors review all positions
The benefits of this method: Illustrates to employees the desire to intimately understand positions when determining eligibility. Increases the volume of positions for department directors and employees to review.
The negatives of this method: Increased review and implementation time-frame

2. Creation of a communication plan

Change management plan standards suggest the use of comprehensive and clear communications to all affected parties. Human Resources will need to identify the target audience for each communication and the intended purpose/goal of the communication. The City may consider a communication approach as follows:
- Notify all City employees of the position review. In the notification, state the pilot departments, phased approach for additional department position reviews, roles and responsibility for Human Resources, department supervisors, and employees.
- Provide regular updates during executive team meetings
- Provide updates to department directors of when phases are complete and next steps
- Provide written communication to all employee participants at each phase. Hold a townhall meeting introducing the project, communicating the purpose, approach and outcome
- Communicate position eligibility to the executive team and directors when all positions are evaluated

The methods and delivery for the communication plan should also be outlined, considering a formalized message to staff and informal channels. Human Resources should be prepared for the responses they will receive to the communication plan – both negative and positive – and appropriate response channels. Human Resources should be clear and repeatedly communicate throughout the process that the assessment is to determine position eligibility to equitably apply consideration across the City. Individuals who hold eligible positions should continue to be assessed for approval and continued eligibility per the City’s policy.

3. Selection of pilot departments

When selecting the two departments for the pilot, consider the following:
- A department that performs administrative functions for the City (e.g. Legal, City Clerk and Information Technology)
- A department that has positions performing some elements of fieldwork/operations
- Departments that are collaborative in nature and willing to adapt to changes in City policy
- Departments that are well respected within the City as they will serve as advocates for the future rollout of the Remote and Flexible Work program
- Departments with a high volume of hard-to-fill positions or key positions with a high vacancy rate

Running the pilot
- Human Resources should consider the length of the pilot program, any changing needs of the community and potential changes in service delivery requiring a stop or pause to the pilot, and any changing needs of the department that may require a stop or pause.
- Develop a re-start plan to continue the pilot to keep staff engaged and invested in the pilot program.

Feedback from piloted departments should be solicited and factored into future implementation for improved deployment. The pilot should be self-evaluated by all participants and ‘lessons learned’ documented when providing feedback to Human Resources. The feedback provided in this phase will inform steps 5 and 6.

4. Pilot department evaluation

Human Resources outlines the approach needed for the evaluation of the pilot department program. Steps may include:
- Department director meeting:
  o Kick-off
  o Project timeline/purpose
  o Confirm approach and scope
- Employee kick-off meeting
  o Kick-off
  o Project timeline/purpose
  o Confirm approach and scope

The approach will differ depending on whether Human Resources will provide the first assessment of positions or initiate preliminary assessment at the employee level.

1a Approach. Human Resources evaluates positions using essential duties from the job descriptions and designates positions ineligible to work remotely. Human Resources reviews the assessment with department directors. For all remaining positions, employees self-evaluate their position eligibility, directors review the self-assessment and Human Resources analyzes the responses to find an average question score for each position. Human Resources should review all results with Managers/Directors for their input and approval of the results.

1b Approach. All employees self-evaluate their position eligibility, directors review the self-assessment and Human Resources analyzes the responses to find an average question score for each position. Human Resources should review all results with Managers/Directors for their input and approval of the results.

From this analysis, Human Resources can designate positions as eligible for options of fully remote, flexible hours/day schedules, or ineligible for remote work. All results of the analysis should be shared with both Directors and Employees and include any next steps.

For Directors, considerations for next steps to accommodate employee requests going forward:
- Technology needs
- Scheduling needs
- Ebbs and flows of services in their department

For Employees, considerations for next steps going forward:
- A review of essential duties for similar positions would result in an equitable approach amongst all employees and improve program deployment

5. Modification of the implementation plan

Using the feedback received in Phase 3, Human Resources should adjust the implementation plan. Considerations of adjustments should include the ability to adapt the plan to a changing environment within the City (e.g. at different times of the year different needs may arise where staff may need a more frequent presence in the office)

6. Implementation of position evaluation

Human Resources will need to prioritize the remaining City departments.
Considerations on prioritizing should include:
- High turnover or high vacancy rate departments
- Departments with a balance of administrative and non-administrative functions
- Seasonality of work and City milestones (e.g. budget planning, Capital infrastructure planning, high volumes of outdoor functions for summer and spring activities)

Consider developing a phased deployment. A potential implementation approach includes:
- Phase 1: common positions across all departments (e.g. administrative assistants, Directors, etc.)
- Phase 2: Departments with common functionality (e.g. operations and fieldwork functions)
- Phase 3: Departments with common functionality (e.g. administrative and internal shared services positions).

As mentioned in Phase 2, elements of a change management plan can assist Human Resources in this implementation. In addition to the communication plan, a Change Management Approach implementation strategy includes a training plan, business systems plan and resistance plan. Having a plan to address any resistance from employees will assist with a successful program. A possible tool to consider is a Resistance Assessment Survey. This survey identifies areas of possible resistance, and provides a space for rating (1-5 from strongly disagree to strongly agree). Human Resources could deploy this survey and aggregate the scores as they did for the evaluation tool to find pockets of resistance and approval.

Appendices

Appendix A: Sample Policy Modifications

SHRM Telecommuting Policy and Procedure

Blue highlighted text indicates content recommended to include in City Policy

Objective

Telecommuting allows employees to work at home, on the road or in a satellite location for all or part of their workweek. [Organization Name] considers telecommuting to be a viable, flexible work option when both the employee and the job are suited to such an arrangement. Telecommuting may be appropriate for some employees and jobs but not for others.
Telecommuting is not an entitlement, it is not a companywide benefit, and it in no way changes the terms and conditions of employment with [Organization Name].

Procedures

Telecommuting can be informal, such as working from home for a short-term project or on the road during business travel, or a formal, set schedule of working away from the office as described below. Either an employee or a supervisor can suggest telecommuting as a possible work arrangement.

Any telecommuting arrangement made will be on a trial basis for the first three months and may be discontinued at will and at any time at the request of either the telecommuter or the organization. Every effort will be made to provide 30 days’ notice of such change to accommodate commuting, child care and other issues that may arise from the termination of a telecommuting arrangement. There may be instances, however, when no notice is possible.

Eligibility

Individuals requesting formal telecommuting arrangements must be employed with [Organization Name] for a minimum of 12 months of continuous, regular employment and must have a satisfactory performance record.

Before entering into any telecommuting agreement, the employee and manager, with the assistance of the human resource department, will evaluate the suitability of such an arrangement, reviewing the following areas:
⎯ Employee suitability. The employee and manager will assess the needs and work habits of the employee, compared to traits customarily recognized as appropriate for successful telecommuters.
⎯ Job responsibilities. The employee and manager will discuss the job responsibilities and determine if the job is appropriate for a telecommuting arrangement.
⎯ Equipment needs, workspace design considerations and scheduling issues. The employee and manager will review the physical workspace needs and the appropriate location for the telework.
⎯ Tax and other legal implications.
The employee must determine any tax or legal implications under IRS, state and local government laws, and/or restrictions of working out of a home-based office. Responsibility for fulfilling all obligations in this area rests solely with the employee.

If the employee and manager agree, and the human resource department concurs, a draft telecommuting agreement will be prepared and signed by all parties, and a three-month trial period will commence.

Evaluation of telecommuter performance during the trial period will include regular interaction by phone and e-mail between the employee and the manager, and weekly face-to-face meetings to discuss work progress and problems. At the end of the trial period, the employee and manager will each complete an evaluation of the arrangement and make recommendations for continuance or modifications. Evaluation of telecommuter performance beyond the trial period will be consistent with that received by employees working at the office in both content and frequency but will focus on work output and completion of objectives rather than on time-based performance.

An appropriate level of communication between the telecommuter and supervisor will be agreed to as part of the discussion process and will be more formal during the trial period. After conclusion of the trial period, the manager and telecommuter will communicate at a level consistent with employees working at the office or in a manner and frequency that is appropriate for the job and the individuals involved.

Equipment

On a case-by-case basis, [Organization Name] will determine, with information supplied by the employee and the supervisor, the appropriate equipment needs (including hardware, software, modems, phone and data lines and other office equipment) for each telecommuting arrangement. The human resource and information system departments will serve as resources in this matter. Equipment supplied by the organization will be maintained by the organization.
Equipment supplied by the employee, if deemed appropriate by the organization, will be maintained by the employee. [Organization Name] accepts no responsibility for damage or repairs to employee-owned equipment. [Organization Name] reserves the right to make determinations as to appropriate equipment, subject to change at any time. Equipment supplied by the organization is to be used for business purposes only. The telecommuter must sign an inventory of all [Organization Name] property received and agree to take appropriate action to protect the items from damage or theft. Upon termination of employment, all company property will be returned to the company, unless other arrangements have been made.

[Organization Name] will supply the employee with appropriate office supplies (pens, paper, etc.) as deemed necessary. [Organization Name] will also reimburse the employee for business-related expenses, such as phone calls and shipping costs, that are reasonably incurred in carrying out the employee’s job.

The employee will establish an appropriate work environment within his or her home for work purposes. [Organization Name] will not be responsible for costs associated with the setup of the employee’s home office, such as remodeling, furniture or lighting, nor for repairs or modifications to the home office space.

Security

Consistent with the organization’s expectations of information security for employees working at the office, telecommuting employees will be expected to ensure the protection of proprietary company and customer information accessible from their home office. Steps include the use of locked file cabinets and desks, regular password maintenance, and any other measures appropriate for the job and the environment.

Safety

Employees are expected to maintain their home workspace in a safe manner, free from safety hazards. [Organization Name] will provide each telecommuter with a safety checklist that must be completed at least twice per year.
Injuries sustained by the employee in a home office location and in conjunction with his or her regular work duties are normally covered by the company’s workers’ compensation policy. Telecommuting employees are responsible for notifying the employer of such injuries as soon as practicable. The employee is liable for any injuries sustained by visitors to his or her home worksite.

Telecommuting is not designed to be a replacement for appropriate child care. Although an individual employee’s schedule may be modified to accommodate child care needs, the focus of the arrangement must remain on job performance and meeting business demands. Prospective telecommuters are encouraged to discuss expectations of telecommuting with family members prior to entering a trial period.

Time Worked

Telecommuting employees who are not exempt from the overtime requirements of the Fair Labor Standards Act will be required to accurately record all hours worked using [Organization Name]’s time-keeping system. Hours worked in excess of those scheduled per day and per workweek require the advance approval of the telecommuter’s supervisor. Failure to comply with this requirement may result in the immediate termination of the telecommuting agreement.

Ad Hoc Arrangements

Temporary telecommuting arrangements may be approved for circumstances such as inclement weather, special projects or business travel. These arrangements are approved on an as-needed basis only, with no expectation of ongoing continuance.

Other informal, short-term arrangements may be made for employees on family or medical leave to the extent practical for the employee and the organization and with the consent of the employee’s health care provider, if appropriate.

All informal telecommuting arrangements are made on a case-by-case basis, focusing first on the business needs of the organization.
POLICY AND PROCEDURE 2-38/HRD
Revised: June 2021

Blue highlighted text indicates content recommended to include from SHRM policy. Green highlighted text indicates Baker Tilly language based upon review of current state and federal reimbursement requirements. Baker Tilly does not provide legal advice. We recommend the City consult with their employment law counsel prior to any sample form or policy adoption.

REMOTE WORK POLICY

PURPOSE

The purpose of this Policy is to provide guidance for administering remote work.

DEFINITIONS

Remote Work is the practice of working from an alternative worksite on either a voluntary (Remote Work Arrangement) or assigned (Remote Work Assignment) on a regular basis.

Occasional remote work is when an employee is approved to work remotely on an infrequent or project basis. Occasional remote work does not require a formal remote work agreement.

Remote Work Agreement is the formal agreement between a supervisor and an employee which defines the employee’s regular remote work schedule and details any City-owned resources the employee will use in the alternative worksite.

Alternative Worksite is a location where the employee works other than at a City facility.

POLICY

It is the policy of the City of Palo Alto to allow and/or assign employees to work remotely when it is consistent with the City’s operational needs. When the employee and their position are eligible and well-suited for remote work, Department Directors are strongly encouraged to allow remote work.

Remote work can be advantageous to the employee, department and the community. Research and numerous sources have identified that remote work:
• Reduces air pollutants and decreases traffic, parking congestion and overcrowding of public transportation.
• Improves the City’s ability to maintain services during an emergency when the regular worksite is inaccessible.
• Enhances the ability to recruit and retain quality employees, improves job satisfaction, supports work-life balance, and may increase productivity.

While remote work is typically a voluntary arrangement, the City may require work to be performed remotely based on operational needs or in emergency circumstances. Remote work is a service delivery model that can be used to meet operational needs, and is not to be viewed as an entitlement, reward or benefit.

All City employees who are working remotely on a regular basis must have an approved Remote Work Agreement under this Policy. Occasional Remote Work must be documented and approved in advance by the employee’s supervisor, but no formal Remote Work Agreement is required.

Remote work does not alter duties, obligations, responsibilities and conditions of employment for the employee who is approved and/or assigned to work remotely. Employees working remotely remain obligated to comply with all City rules, regulations, policies, procedures, and state and federal laws.

Remote Work is not designed to be a replacement for appropriate child care. Although an individual employee’s schedule may be modified to accommodate child care needs, the focus of the arrangement must remain on job performance and meeting business demands. Prospective remote workers are encouraged to discuss expectations of remote work with family members prior to entering a trial period.

PROCEDURE

All employees must have a Remote Work Agreement in order to work remotely on a regular basis.

Any Remote Work arrangement made will be on a trial basis for the first three months and may be discontinued at will and at any time at the request of either the telecommuter or the organization. Every effort will be made to provide 30 days’ notice of such change to accommodate commuting, child care and other issues that may arise from the termination of a remote work arrangement. There may be instances, however, when no notice is possible.
Evaluation of telecommuter performance during the trial period will include regular interaction by phone and e-mail between the employee and the manager, with recommended bi-weekly meetings to discuss work progress and problems. At the end of the trial period, the employee and manager will each complete an evaluation of the arrangement and make recommendations for continuance or modifications. Evaluation of telecommuter performance beyond the trial period will be consistent with that received by employees working at the office in both content and frequency but will focus on work output and completion of objectives rather than on time-based performance.

An appropriate level of communication between the telecommuter and supervisor will be agreed to as part of the discussion process and will be more formal during the trial period. After conclusion of the trial period, the manager and telecommuter will communicate at a level consistent with employees working at the office or in a manner and frequency that is appropriate for the job and the individuals involved.

Remote Work Request Initiated by Employee (Remote Work Arrangements)

Employees who believe they may be eligible for Remote Work as defined in this Policy must first discuss their desire to work remotely with their direct supervisor. At that time, the supervisor and employee can discuss eligibility, schedule, equipment needs, work hours, and other items that are part of the Remote Work Agreement and this Policy. The employee must then submit the Remote Work Agreement to their supervisor for approval.

If the supervisor approves the Remote Work Agreement, they will submit the agreement to the Department Director or designee for consideration. The Department Director or designee will either approve, deny, or modify the agreement. A copy of the final signed agreement must be provided to the employee, their supervisor, and submitted to Human Resources.
Should an employee’s remote work request be denied, the decision is final and not subject to the grievance procedure or any other appeal. The employee may request to meet with the Human Resources Director or their designee to discuss their denial.

As part of an employee’s annual performance appraisal, the Remote Work Agreement should be evaluated by the employee and supervisor to determine if the arrangement is successful and if it should continue. The Remote Work Agreement should be updated with any changes and submitted for approval by the Department Director or designee.

The Department Director or designee can suspend or cancel the Remote Work Agreement with at least five business days’ written notice when possible. In the event operational necessity does not allow for five business days’ notice, the Department Director or designee may suspend or cancel the Remote Work Agreement with less notice. General considerations for terminating the agreement include, but are not limited to, operational need, performance, conduct, safety, and violation of the Remote Work Policy and other City policies. Termination of the agreement is administrative and not considered discipline. The decision is not subject to the grievance procedure nor can it be appealed.

Remote Work Required by the City (Remote Work Assignment)

If operational needs require remote work for continuity of City services, or in cases of emergency, managers and the Department Director will evaluate each position for remote work. The requirement to perform work remotely will be assigned in consultation with the City Manager’s Office and Human Resources. Employees assigned to work remotely must complete a Remote Work Agreement. Remote Work Assignments may be discontinued at any time at the sole discretion of the City pursuant to the procedures outlined above.

ELIGIBILITY

Not all positions or employees are eligible for remote work.
When determining whether an employee requesting remote work is eligible, employees must meet both the position eligibility criteria and performance eligibility criteria. When a position is being required to work remotely due to operational necessity and continuity of service or emergency circumstances, City management will evaluate the eligibility of the position and follow any local, state or federal guidance.

Individuals requesting Remote Work arrangements must maintain a satisfactory performance record.

*** Eligibility requirements may need to be revised based on the final outcome of the Remote and Flexible Work Study ***

Position Based Eligibility: Criteria for establishing eligibility of a position:
⎯ In-person interaction or physical presence on a daily basis is not essential to the performance of job duties and may be scheduled or conducted virtually to permit Remote Work.
⎯ Some or all the job duties are able to be performed from an alternative worksite without diminishing the quality and timeliness of the work.
⎯ Appropriate equipment must be available or can be made available in the alternative worksite to perform job duties and assigned tasks.
⎯ Remote Work must not unduly disrupt or create problems for projects, staff, the community or other stakeholders.
⎯ When performed remotely, job duties can be completed in compliance with all applicable IT, Security, Privacy and Confidentiality policies and procedures.

Performance Based Eligibility: Criteria for establishing eligibility of an employee:
⎯ Employee is adaptable, with a proven ability to work independently.
⎯ Employee demonstrates good time-management skills by completing quality assignments on time.
⎯ Employee communicates information efficiently with leadership, coworkers, support staff and customers.
⎯ Employee sets appropriate priorities, changes priorities as needed, and maintains a suitable workspace.
⎯ Employee possesses computer and other necessary skills sufficient to work independently at an alternate worksite.

CONDITIONS

Schedule and Work Hours: The actual time worked by the employee, as established by the Remote Work Agreement, must be accurately recorded on the timesheet.
⎯ Employees’ FLSA status as exempt or non-exempt will not be altered as a result of the employee working remotely.
⎯ The number of hours worked by the employee will not change because the employee is working at an alternative worksite.
⎯ Employees eligible for overtime may work overtime only when directed to do so and approved in advance by the supervisor.
⎯ Employees must obtain approval to use vacation, sick, or other leave in the same manner as departmental employees who do not work remotely.
⎯ Employees working remotely will maintain accessibility via email, phone, or as otherwise agreed to by their supervisor during agreed upon work hours.
⎯ Employees must follow all regular timecoding requirements.

Employees working at an alternate worksite may be required to report to a City facility on a remote workday. Supervisors should give at least 24 hours’ notice of this change, unless an unforeseeable immediate need should arise. An employee who is required to report to a City facility instead of their alternative worksite is not eligible for travel reimbursement. When an employee is required to report to a City Facility on the same day, then travel time to the City facility shall be considered hours worked.

Occasional requests by employees to change their schedule should be accommodated by the supervisor if possible. Occasional changes (such as working remotely on a different day in the same week) do not constitute a change in the underlying agreement. A permanent schedule change would require an employee to resubmit an approved Remote Work Agreement.

Remote Worksite & Equipment

It is the responsibility of the employee to create a safe and ergonomically suitable environment for work.
Employees shall make all reasonable efforts to ensure their remote work area meets the ergonomic standards of the City. Upon request, the City will provide an ergonomic evaluation for the employee’s alternative worksite. Employees working remotely must work in an environment that allows them to perform their duties safely and efficiently. Employees are responsible for ensuring their work areas comply with health and safety requirements. Employees are covered by workers’ compensation laws when performing work duties at their designated alternate locations during their regular work hours. Employees who suffer a work-related injury or illness while remote working must notify their supervisor and complete any required forms immediately in accordance with the City’s Workers’ Compensation Policy.

In order to work remotely, employees and supervisors must identify the equipment, software, and supplies required to successfully work at an alternate location. The employee will not be eligible for Remote Work if the required equipment is not available. IT will serve as a resource to assist employees and supervisors in determining appropriate equipment needs. The remote worker must sign an inventory of all City property received and agree to take appropriate action to protect the items from damage or theft.

City Equipment: Any equipment and software shall remain the property of the City and is limited to use for purposes relating to City business only. Employees working remotely must keep City-owned equipment in good working order, report any problems or malfunctions immediately, and must promptly return equipment upon completion or termination of their Remote Work Agreement, or separation from the City.
Basic office supplies that normally are available at the City worksite for the employee's use (e.g., pens, binders, notepads, Post-its, etc., but not including printer ink cartridges) may be used at the employee’s remote worksite in accordance with the same policies that govern their use at the City worksite. Employees working remotely will not be reimbursed for additional office supplies unless approval to purchase supplies is given in advance. City issued supplies must be used for City work purposes only. Any other costs may be incurred only with prior approval by the Department Director.

City-issued laptops or other required computer equipment and repairs will be provided based on need and availability. To ensure hardware and software security, all software used for remote work must be approved by the department and IT before installation. Networking can only be established using compatible hardware and software. All remote work must be done through the City VPN or approved applications.

Personal Equipment: When not provided by the City, employees under a Remote Work Agreement are expected to use personal office equipment including, but not limited to, furniture, seating, internet access, scanners, calculators, ink cartridges, etc., used while working remotely. Employees working remotely are responsible for the maintenance and repair of their office equipment and are required to install and maintain personal office equipment at no expense to the City. The employee is responsible for ensuring that software used on non-City premises is compatible with City standards.

Business-related Expenses: Employees voluntarily working remotely are responsible for all business expenses incurred. Should the City require employees to work remotely, the City will supply the employee with “necessary” and “reasonable” expenses¹⁰. Employees may not incur expenses before receiving written approval from a department supervisor.
Information Security and Protection

Remote workers, like all City employees, are expected to protect confidential, proprietary, and business information from unauthorized or accidental access, destruction, or disclosure. Employees may not disclose confidential or private files, records, materials, or information, and may not allow access to City networks or databases to anyone who is not authorized to have access. Employees who work remotely shall comply with the City’s Information Security Policy, Information Security Standards, Information Privacy Policy and ensure the protection of the City’s protected information.

Ad Hoc Arrangements

Temporary remote work arrangements may be approved for circumstances such as inclement weather, special projects or business travel. These arrangements are approved on an as-needed basis only, with no expectation of ongoing continuance. Other informal, short-term arrangements may be made for employees on family or medical leave to the extent practical for the employee and the organization and with the consent of the employee’s health care provider, if appropriate. All informal remote work arrangements are made on a case-by-case basis, focusing first on the business needs of the organization.

Exceptions

The City is not liable for loss or destruction of the employee’s home or personal property while working remotely. The City is not liable for injury to the employee that occurs outside of remote work hours or while not conducting City work. The City is not liable for injury to the employee’s family members, visitors, or invitees within or around the remote worker’s home.

¹⁰ California Labor Code 2802

Appendix B: Hybrid Work Agreement Form

Baker Tilly does not provide legal advice. We recommend the City consult with their employment law counsel prior to any sample form or policy adoption.

Hybrid Work Agreement

Sample teleworking agreement modified from the SHRM and other industry samples.
Blue text indicates added content from SHRM template.

Definition

For purposes of this agreement, “telework” means an agreed-upon regular, modified work location outside of City premises or standard work location (e.g., home office, community workspace, etc.).

Employee Information

Name: ____________________ Hire date: ____________________
Employee ID: ____________________
Job title: ____________________
Department: ____________________
Supervisor’s Title: ____________________
Is your supervisor the Department Director (Y/N): ____________________
Department Director’s email address: ____________________
FLSA status: Exempt / Nonexempt

This telework agreement will begin and end on the following dates:
Start date: _______________ End date: _______________
Primary work location: ____________________

Employee Telework Schedule - Mark “X” where applicable

Day | Remote Work | Onsite Work | Remote/Onsite Combination | Regular Day Off
Monday | | | |
Tuesday | | | |
Wednesday | | | |
Thursday | | | |
Friday | | | |
Saturday | | | |
Sunday | | | |

The employee agrees to the following conditions:

The employee will remain accessible and productive during scheduled work hours. Nonexempt employees will record all hours worked and meal periods taken in accordance with regular timekeeping practices. Nonexempt employees will obtain supervisor approval prior to working unscheduled overtime hours. The employee will report to the employer’s work location as necessary upon directive from his or her supervisor and notify the supervisor in advance of work location modifications. The employee will communicate regularly with his or her supervisor and co-workers, with a cadence and format established by the supervisor.
The employee will comply with all City rules, policies, practices and instructions that would apply if the employee were working at the employer’s work location. The employee will maintain satisfactory performance standards. The employee will make arrangements for regular dependent care and understands that telework is not a substitute for dependent care. In pandemic or natural disaster circumstances, exceptions may be made for employees with caregiving responsibilities. The employee will maintain a safe and secure work environment at all times. The employee will allow the employer to have access to the telework location for purposes of assessing safety and security, upon reasonable notice by the City. The employee will report work-related injuries to his or her supervisor as soon as practicable.

City will provide the following equipment: ____________________

The employee will provide the following equipment: ____________________

The employee agrees that City equipment will not be used by anyone other than the employee and only for business-related work. The employee will not make any changes to security or administrative settings on City equipment. The employee agrees to promptly install all technology security upgrades to ensure network security. The employee understands that all tools and resources provided by the City shall remain the property of the City at all times. The employee agrees to protect City tools and resources from theft or damage and to report theft or damage to his or her supervisor immediately. The employee agrees to comply with City’s policies and expectations regarding information security. The employee will be expected to ensure the protection of confidential and customer information accessible from their home offices.
The employee understands that telework is a privilege, subject to position eligibility and performance review requirements. The employee understands that remote eligibility may be revoked based upon performance reviews, non-compliance with this agreement and/or position essential duty modifications.

Palo Alto will reimburse employee for the following expenses: ____________________

Employee will submit expense reports with attached receipts in accordance with City expense reimbursement policy. The employee understands that all terms and conditions of employment with the City remain unchanged, except those specifically addressed in this agreement. The employee understands that management retains the right to modify this agreement on a temporary or permanent basis for any reason at any time. The employee agrees to return City equipment and documents within five days of termination of employment.

Employee signature: ____________________ Date: ____________________
Manager signature: ____________________ Date: ____________________
Human resources signature: ____________________ Date: ____________________

Hybrid Work Agreement Form (FY23)

All workers who are assigned to Telework, including those who partially Telework, should complete this form. Telework minimizes the number of employees at City facilities, while allowing essential work to continue. By submitting this Telework Agreement you acknowledge and agree to the following: While on this telework arrangement, you are expected to fully engage in your job and to work in a manner that is safe, efficient and responsible. Telework requires that you take extra care to remain in close communication with your supervisor and co-workers. When you telework, you have the same responsibilities as when you work at your normal worksite.
Responsibilities include being immediately available during work time, following work policies and protocols; protecting the confidentiality of sensitive data; maintaining a safe work area and reporting any injury; protecting government property; and reporting your absences accurately. In addition, if you are in a classification that allows for overtime or comp time you are required to obtain prior approval from your supervisor. If you have any questions regarding telework arrangements please contact HR at (650)329-2376 or HR@CityofPaloAlto.org.

Appendix C: Position Eligibility Criteria Key

Appendix D: Management Response

Summary Statement: The Palo Alto City Administration thanks the City Auditor’s Office for their work on this important and timely topic. As requested by the Administration, this study provides an independent perspective on one of the most widely discussed and rapidly evolving contemporary workplace issues. The study affirms that the City’s efforts, initiated pre-pandemic, continue to reflect a progressive and balanced approach to ensuring worker productivity in delivering services to the community while continuing to model an “employer of choice.” This will continue to guide and inform future decision making and strategic opportunities for revision of hybrid working practices.

Recommendation | Responsible Department(s) | Agree, Partially Agree, or Do Not Agree and Target Date and Corrective Action Plan

Finding 1: Remote Work Policy

The City should revise the current policy to strengthen its teleworking risk mitigation and further clarify the remote work arrangement between its employees and departments. The City should also implement a periodic review of its telework policy in annual intervals to ensure content is current with best practices and meets department needs.
A sample policy revision, based upon The Society for Human Resources Management and the International Public Management – Human Resources Association best practices and sample policies, is provided in Appendix A.

Responsible Department(s): Human Resources
Concurrence: Partially agree
Target Date: March 2023
Completion Date: To be determined during the OCA’s follow-up review
Action Plan: Currently the City’s policy includes Position Based and Performance Based Eligibility criteria for the Department Director to consider their employee’s request for a hybrid work schedule. City equipment is tracked by the Information Technology department; therefore, incorporating an additional equipment tracking component into the hybrid work policy would be duplicative and could lead to confusing and contradictory practices. In regards to excluding employees on probation, the City did not include this provision as providing hybrid work as an option may offer flexibility candidates are seeking. The City’s policy update has been updated to reflect the workforce transition to “hybrid work”, now titled the Hybrid Work Policy, and will be reviewed periodically or at minimum, annually as recommended.

Finding 2: Remote Work Procedures

The City should revise the current agreement form to include a more robust list of employee obligations to improve the clarity of responsibilities for remote workers and their departments. The City should also ensure that the agreement form reflects the content of the current teleworking policy. A sample revision of the form is provided in Appendix B.

Responsible Department(s): Human Resources
Concurrence: Partially Agree
Target Date: March 2023
Completion Date: To be determined during the OCA’s follow-up review
Action Plan: The City provides regular and consistent training to supervisors and managers on how to effectively communicate performance feedback, use progressive discipline, targeted development plans, and leave of absence tracking to ensure efficient and effective delivery of City services.
Changes to the Hybrid Policy and agreement form that infer disciplinary results or actions would detract from the City’s established performance management processes and cause meet and discuss obligations with the City’s different impacted labor groups. Authority of managers and supervisors is clearly articulated in the City’s merit rules to document expectations of an employee to perform their assigned tasks. An employee performing their assigned tasks remotely does not impact the supervisor’s responsibility to complete the performance management process. The City closely reviewed sample documents from the Society for Human Resources Management in developing the revision to the Remote Work Policy and Agreement form currently utilized. The City’s Hybrid Work agreement form has been updated to reference the Hybrid Work policy and include a link.

Finding 3: Remote Work Position Eligibility

The City should develop standardized criteria for position remote and flex work eligibility. All positions should be evaluated for full remote, partial remote/flex schedule, and ineligible remote work. Once position eligibility is determined, the City should follow existing policy to review individual employee eligibility for all eligible positions. A sample criteria is provided in Appendix C.

Responsible Department(s): Human Resources
Concurrence: Partially Agree
Target Date: February 2023
Completion Date: February 28, 2023
Action Plan: The Hybrid Work Policy clearly outlines and distinguishes the difference between position eligibility and employee eligibility creating a two-step process for approving hybrid work. Fully remote is not articulated as an option going forward as no longer mandated by public health conditions, except as a special exemption authorized by the City Manager’s Office.
A survey tool such as discussed during the audit, using criteria tailored to City operational requirements, will be placed on the HR website as a resource that can be incorporated into future use by supervisors and managers when reviewing a new position for hybrid work eligibility.

Opportunities

We provide context to consider for future implementation of a remote and flexible work policy to remain current and competitive in the hiring market and considerations for executing a position eligibility assessment. Summarized by:
- Early Covid-19 Pandemic Workforce Response
- Sustaining Remote Workforce Responses
- Future Workforce Challenges

We recommend a six-step framework for position eligibility implementation:
- Creation of a framework
- Creation of a communication plan
- Selection of pilot departments
- Pilot department evaluation with two approaches
- Modification of the implementation plan
- Implementation of position evaluation

Responsible Department(s): Human Resources
The process outlined above was very similar to that utilized prior to the pandemic to test the revised changes to an earlier version of the City’s policy. Two city divisions were selected to pilot the new policy with surveys of employees being conducted at the beginning, middle, and end of the pilot process. This feedback was then incorporated into the final version of the policy adopted in June 2021. We believe it is consistent with existing practice to follow this similar framework if/when significant additional changes are needed to the framework of the hybrid work policy. An additional pilot is not necessary to accomplish the minor updates being pursued at this time. However, the critical position assessment suggested can be used when new positions are submitted for Annual Budget in support of providing flexible work options.

Policy & Services Committee Staff Report

From: Adriane McCoy, Interim City Auditor
Meeting Date: April 26, 2023
Report #: 2302-1020

TITLE

Office of the City Auditor Presentation of the Electronic Payment Process and Controls Audit Report

BACKGROUND

In 2021, the City of Palo Alto (City) was subject to multiple attempts to misdirect wire payments. Given the importance of the topic, the Office of the City Auditor (OCA) obtained an approval to start a recommended audit activity, Wire Payment Process and Controls Review project, in February 2022¹ (ID#13891) before finalizing the FY2022-2023 Audit Plan that included the Wire Payment Process and Controls Review project and was subsequently approved by the City Council in April 2022² (ID#13914).

DISCUSSION

The objectives of the review were to:
1) Determine whether adequate controls are in place and working effectively to ensure that all disbursements are valid and properly processed in compliance with City’s policies and procedures
2) Determine whether end user security awareness training is sufficient to prevent erroneous payments

The original scope to review wire payments was changed to review electronic payments that include both wire and Automated Clearing House (ACH) payments due to the similar risks against ACH payments. The OCA’s review included the ACH and wire disbursement processes by the Accounts Payable and Treasury teams, banking information addition and modification, and the user security awareness training to evaluate the design of internal controls.
Additionally, the OCA’s testing was conducted by reviewing the selected disbursement transactions to determine whether the controls are operating effectively. The attached report summarizes the analysis, audit findings, and recommendations.

¹ City Council Staff Report February 7, 2022 https://www.cityofpaloalto.org/files/assets/public/agendas-minutes-reports/agendas-minutes/city-council-agendas-minutes/2022/20220207/20220207pccsm-revised-final.pdf
² City Council Staff Report April 4, 2022 https://www.cityofpaloalto.org/files/assets/public/agendas-minutes-reports/agendas-minutes/city-council-agendas-minutes/2022/20220404/20220404pccsmamendedlinked1.pdf

FISCAL/RESOURCE IMPACT

The Office of the City Auditor worked primarily with Administrative Services Department and engaged with additional stakeholders, including the City Manager’s Office and the City Attorney’s Office, as necessary. The timeline for implementation of corrective action plans is identified within the attached report.

ATTACHMENTS

• Attachment A: Report on Electronic Payment Process and Controls

City of Palo Alto City Auditor’s Office
Electronic Payment Process and Controls
March 14, 2023

Executive Summary

Purpose of the Audit

Baker Tilly US, LLP (Baker Tilly), in its capacity serving as the Office of the City Auditor (OCA) for the City of Palo Alto (the City), conducted an audit of the electronic payment process and controls based on the approved Task Order 4.12. The objectives of this review were to:
1) Determine whether adequate controls are in place and working effectively to ensure that all electronic payments are valid and properly processed in compliance with City’s policies and procedures.
2) Determine whether end user security awareness training is sufficient to prevent erroneous payments caused by phishing.
Report Highlights

Finding 1: Electronic Payment Instructions (Page 11)

In August 2021, management implemented an internal control by formalizing the existing verbal verification process of all new electronic payment instructions and modifications. This is an important control to prevent wire and ACH fraud, as noted in the Best Practices section of this report. However, the City’s Policy and Procedures 1-06/ASD, Payment Procedures, has not been revised to include the new requirement.

The OCA reviewed the supporting documents and approvals for two wire templates and 10 randomly selected vendors for ACH and noted that the control activity performed is not documented to evidence a review of changes made to vendor records. This review is not currently included in the policy. An independent person who did not enter the information in the system should review the vendor record added or changed in the system using the supporting documents for validity and accuracy. The review should be evidenced as defined in the policy. In the absence of control activities and requirements defined in the policy, the City cannot ensure that key internal controls are implemented properly and operate effectively.

Key Recommendations

The Administrative Services Division (ASD) management should review and update the City’s Policy and Procedures 1-06/ASD, Payment Procedures, to ensure that an adequate internal control system is in place to mitigate a risk of potential loss resulting from wire and ACH frauds. The control activities and requirements should be clearly defined and communicated to employees to ensure that controls are implemented properly and executed effectively. The ASD management should also train the appropriate employees on the required control activities to ensure that they execute the controls properly.

Finding 2: ACH Payments (Page 12)

There are three employees in the ADP AP team.
The OCA noted that all three AP team members have access to post invoices and process payments in the SAP ERP system and in the bank online portal. The access allows the employees to update the vendor records in the SAP ERP system as well. Because of this lack of segregation of duties issue, effective operation of mitigating controls is important to ensure that all electronic payments are valid and properly processed. The mitigating control currently in place is dual authentication of ACH payment batches and bank transactions in the bank online portal.

For one of 25 ACH payments reviewed, the actual ACH bank account number used for this payment was different from the ACH bank account number shown on the vendor invoice. This discrepancy was not identified during the payment process, and the payment was made to an incorrect account. The control to prevent erroneous payments did not operate effectively for this payment although there was no financial loss and all supporting documents and approvals were well documented. The quality and effectiveness of independent reviews are especially crucial due to the existing segregation of duties issue, where all AP team members have the same system access.

The ACH payments are made from the bank online portal. The OCA determined that the application control requiring dual authorization was in place. However, as the City currently does not require the employees to save the reports that are available in the bank portal only for a month, the audit trails evidencing that the dual authorization control is working effectively are not maintained. Although the mitigating controls such as secondary approver, dual authorization, and bank account reconciliation are in place, ineffective execution of any of the key mitigating controls may lead to invalid and/or inaccurate AP ACH payments.
Key Recommendations

The ASD management should review segregation of duties among creating/updating vendor records, processing vendor invoices, and processing payments and evaluate risks associated with conflicts. The ASD management should work with IT management to identify the ways to improve segregation of duties and mitigate risks. Until the segregation of duties conflicts are resolved, the ASD management should strengthen mitigating controls over the AP payment process by ensuring that the controls are designed to mitigate risks adequately and operating effectively. The City’s Policy and Procedures 1-06/ASD, Payment Procedures should be updated to clearly define the controls and communicate to the employees.

Table of Contents

Executive Summary ... 2
  Purpose of the Audit ... 2
  Report Highlights ... 2
Introduction ... 5
  Objective ... 5
  Background ... 5
  Scope ... 6
  Methodology ... 7
  Compliance Statement ... 7
  Organizational Strengths ... 7
Detailed Analysis ... 8
  Policies and Procedures ... 8
  User Security Awareness Training ... 8
  Best Practices ... 9
Audit Results ... 11
  Finding 1: Electronic Payment Instructions ... 11
  Recommendation ... 11
  Finding 2: ACH Payments ... 12
  Recommendation ... 13
Appendices ... 14
  Appendix A: Electronic Payments Process and Controls ... 15
  Appendix B: Management Response ... 16

Introduction

¹ ACH Costs are a Fraction of Check Costs for Businesses, AFP Survey Shows | Nacha; 2022 AFP Payments Cost Benchmarking Survey (afponline.org)

Objective

The objectives of this review were to:
1) Determine whether adequate controls are in place and working effectively to ensure that all electronic payments are valid and properly processed in compliance with City’s policies and procedures.
2) Determine whether end user security awareness training is sufficient to prevent erroneous payments caused by phishing.

Background

The City disburses its funds using electronic payments and paper checks. Electronic payments consist of wire transfers and the Automated Clearing House (ACH) payments. During the period between September 1, 2021, and March 15, 2022, the City recorded 3.8K disbursement transactions totaling $430M in the general ledger cash account. The charts below show the following:
• Wire transfers are only 4% of all disbursement transactions but 29% of total disbursement amount.
• ACH payments processed by the Accounts Payable (AP) team for vendors and employees are just 1% of all disbursement transactions, due to weekly batch processing, but 11% of total disbursement amount.

ACH payments cost much less than checks, according to the 2022 Payment Cost Benchmarking Survey¹.
The cost of initiating a wire payment can vary widely and is generally higher than that of a check. Similarly, the City’s average costs per unit, not including staff time and processing costs, are approximately $0.22, $0.07, and $4.02 for checks, ACH, and wires, respectively, based on the OCA’s calculation using the estimated monthly unit volume shown in the existing banking and merchant services agreement 2.

[Chart 1-A: Payment Methods by Transaction; Chart 1-B: Payment Methods by Amount]
¹ ACH payments are processed in batches from one bank to another through the Automated Clearing House (ACH) system and are often used for payroll, vendor payments, recurring payments, etc.
² Wire payments are electronic interbank payments made through a wire system such as FedWire and are typically used for higher value, lower volume, time-sensitive transactions.
³ Automatic Withdrawals include automatic bank transfers to the City’s three zero balance accounts and other charges withdrawn, such as bank and credit card fees, based on agreements.

Footnote 2: Attachment A US Bank and Elavon Contract Extension Agreement and Related Documents (cityofpaloalto.org)
Footnote 3: 2021_IC3Report.pdf by Internet Crime Complaint Center (IC3) - IC3 receives complaints on cyber crimes from the American public and tracks the trends and threats.
Footnote 4: Suspected Business Email Compromise Ringleader Busted (bankinfosecurity.com)

Electronic payments are a more secure method of payment than checks, as paper checks are more susceptible to physical loss and check fraud such as forgery and theft. However, no payment method is completely secure.
According to the FBI’s 2021 Internet Crime Report 3, Business Email Compromise (BEC)/Email Account Compromise (EAC) “is a sophisticated scam targeting both business and individual performing transfers of funds” and “is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.” The FBI’s report states that BEC schemes are among the top incidents reported in 2021 and resulted in almost 20K complaints with losses of nearly $2.4B in total (an increase from approximately $1.8B in 2019). The report also shows that California had the most victims and losses (67K and $1.2B, respectively) among all states, American territories, and the District of Columbia. There was a significant arrest in May 2021 when Interpol received intelligence from private sector partners including Unit 42 at Palo Alto Networks 4, but the threat of BEC remains.

In June 2021, the City became a victim of a BEC scam, resulting in a wire payment of approximately $43K to a fraudster. This incident was identified in late July 2021 when the legitimate vendor inquired about a payment it never received from the City. City management subsequently reviewed the wire and ACH payments and vendor record changes made between June 2021 and August 2021 and noted no other similar incident. Management also formalized an internal control to verbally confirm new and modified banking information with the payee to prevent similar incidents. In August 2021, this control prevented a loss from a similar scheme called Vendor Impersonation Fraud, which is often used against public sector entities because their contracting information is a public record.

Scope

The original scope, a review of wire payments, was expanded to cover electronic payments, including both wire and ACH payments, because ACH payments face similar risks.
The OCA’s review included the ACH and wire disbursement processes performed by the AP and Treasury teams, the addition and modification of banking information, and the user security awareness training, in order to evaluate the design of internal controls. Additionally, the OCA tested selected transactions processed between September 1, 2021, and March 15, 2022, to determine whether the controls are operating effectively. The OCA reviewed City employees’ access to the bank online portal during this audit. For access to the City’s SAP ERP system, however, the OCA relied on the results of its recent assessment of segregation of duties in that system (Task Order 4.3). A review of cybersecurity risks is covered in a separate cybersecurity audit that is already underway (Task Order 4.14).

Footnote 5: Government auditing standards require an external peer review at least once every three (3) years. The last peer review of the Palo Alto Office of the City Auditor was conducted in 2017. The Palo Alto City Council approved a contract from October 2020 through June 2022 with Baker Tilly US, LLP (Baker Tilly) and appointed Kyle O’Rourke, Senior Consulting Manager in Baker Tilly's Public Sector practice, as City Auditor. Given the transition in the City Audit office, a peer review was not conducted in 2020 and will be conducted after the third year of Baker Tilly’s contract.

Methodology

To achieve the audit objectives, the OCA performed the following procedures:
• Reviewed the policies and procedures related to the ACH and wire payment processing.
• Interviewed the appropriate individuals within the Administrative Services Division (ASD), including the Treasury (for wires), Accounts Payable (for ACH payments), and General Ledger teams, to discuss the process and controls for electronic payments, including vendor record creation and modification.
• Reviewed the approvals and supporting documents for randomly selected samples of electronic payments as well as new and modified vendor records.
• Reviewed the access and controls related to the bank online portal.
• Interviewed the key process owners of the electronic payment processes to understand the security awareness training they received.
• Inquired with the Information Technology Department and the Human Resources Department regarding the user security awareness training the City offers to employees.
• Reviewed employees’ completion status for the latest user security awareness training the City provided.
• Identified the best practices related to electronic payment processing to mitigate risks of wire and ACH fraud.

Compliance Statement

This audit activity was conducted from March 2022 to July 2022 in accordance with generally accepted government auditing standards, except for the requirement of an external peer review 5. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Organizational Strengths

During this audit activity, we observed certain strengths of the City. Key strengths include:
• Approvals of payments are well documented using e-signature software called DocuSign.
• Supporting documents are consistent and well organized.
• The staff members are devoted and professional and were responsive to the OCA’s questions and requests.

The Office of the City Auditor greatly appreciates the support of the Administrative Services Department in conducting this audit activity. Thank you!

Detailed Analysis

Policies and Procedures

The City has the Policy and Procedures 1-06/ ASD, Payment Procedures (Revised: February 2007).
The Policy Statement of this policy is that the “functionality of Accounts Payable is to ensure that all payment requests are properly authorized, accurately recorded and promptly disbursed in accordance with City policies and contractual terms.” The City’s nine-page Policy and Procedures include the sections shown in the box on this page. The policy does not include the following related processes and controls:
• A verbal verification process of all new electronic payment instructions and modifications that was formalized in August 2021
• The controls and requirements for ACH payments, including vendor record creation and modification
• The controls and requirements for wire payments, including the creation and modification of wire templates for recurring payments and the situations where free-form (non-recurring) wire payments are used
• The processes and controls for the bank online portal

There is also a six-page document titled “Internal Controls on Cash Disbursement Cycle” that was updated in May 2021. This Cash Disbursement document contains sections similar to those in the City’s policy but provides additional descriptions of procedures for payment requests and ACH payments. The OCA documented an overview of the wire and ACH processes and controls, based on the understanding obtained during this audit (Appendix A).

User Security Awareness Training

The City required all City employees to complete a cybersecurity awareness training by November 25, 2020. This was the latest training provided by the Information Technology (IT) and Human Resources (HR) departments, using a well-established, leading vendor that provides a large library of security awareness training content as well as a simulated phishing campaign tool. The training was delivered through the City’s learning system managed by HR. The employees’ completion status generated from the City’s learning system shows that over 98% of all employees completed the training by December 31, 2020.
Although all 10 ASD employees who process electronic payments completed this training, some of them did not complete it by the due date set by HR. The City does not require those 10 ASD employees to receive additional fraud training courses that are more directly related to AP and cash disbursement. According to the AP and Treasury teams, they share news and articles related to fraud incidents among team members and have taken fraud-related training courses on their own.

[Box: Policy and Procedures 1-06/ ASD* Payment Procedures, Contents]
A. Purchasing Authorization
B. Change Order Process
C. Routine Accounts Payable Payment Process
D. Department Approvals
E. Accounts Payable Editing and Posting
F. Check Printing, Reversal and Re-issuance, and Wire Transfer
G. Year-end Accruals
H. Reconciliations
I. Quarterly sales tax reporting
* Administrative Services Department

[Table 1: 2020 Security Awareness Training Completed in 2020-2022]

Best Practices

As people increasingly conduct business online and communicate digitally, fraud attempts such as phishing are growing. Electronic payments are susceptible to fraud schemes because the transactions are fast and irrevocable. Fraudsters gather information on target organizations, take advantage of a weak internal control system, and take money from victims using compromised or impersonated methods. Therefore, an effective internal control system is key to protecting an organization from becoming a victim of fraud schemes. Through research on wire and ACH fraud and the best practices to prevent it, the OCA compiled the following best practices.

Practices to guard against wire and ACH fraud
• Educate and train employees on fraud schemes to ensure they recognize red flags and take appropriate actions such as:
o Do not click on links and attachments in an unsolicited e-mail or text message or respond to them before verifying the legitimacy.
o Cautiously inspect the e-mail address, URL, and spelling in a message to identify a slightly modified address/URL.
o Be watchful if there is a sense of urgency.
o Do not use “reply” for e-mail communication. Instead, use “forward” and add the correct e-mail address.
• Implement a verbal verification process that uses a phone number used previously or obtained independently from the information provided in the current request.
o Conduct an internet search or compare against reputable databases.
o Do not call a phone number provided with a request.
o Use a script to verify both the existing account information and the information to be changed.
• Process payments using dual control (two people authorization).
• Work with the IT department to ensure that appropriate cybersecurity controls are implemented.
• Review the insurance policy for appropriate coverage of financial losses due to cybersecurity fraud.
• Periodically review all control procedures to keep them current and relevant to current threats.

Audit Results

Finding 1: Electronic Payment Instructions

In August 2021, the ASD management implemented an internal control by formalizing the existing verbal verification process of all new electronic payment instructions and modifications. The formalized verification process involves the following steps:
1) Calling a phone number independently obtained from sources such as the signed original instructions and the company website
2) Confirming the banking and relevant information
3) Writing down on the new or modified instructions the name of the individual who confirmed, the date, the information verified, and the initials of the staff member who performed the verification.

This is an important control to prevent wire and ACH fraud, as noted in the Best Practices section of this report. However, the City’s Policy and Procedures 1-06/ ASD, Payment Procedures, has not been revised to include the new requirement.
Between September 1, 2021, and March 15, 2022, ASD had two new or modified wire templates (the payee banking information stored in the bank online portal) for the payees with recurring wire payments. ASD also added or changed records for 2,057 vendors, 32 of which had new or modified ACH banking information. The OCA reviewed the supporting documents and approvals for two wire templates and 10 randomly selected vendors for ACH and noted the following:
• The City receives requests to update various payee information such as tax number, payment method, and name. Under the current practice, not all changes require documentation of the verbal verification performed. Only the verbal verification of changes to the banking information is documented, which should be defined in the policy.
• The AP Senior Accountant runs a "display changes to vendor" report and reviews the banking changes listed in the report prior to approving a weekly ACH batch. However, a supervisory review of changes made in the system is not documented, nor is a report used for a supervisory review included in the ACH payment packet that the AP Senior Accountant signs off on. Therefore, the control activity performed is not documented to evidence a review of changes made to vendor records. This review is not currently included in the policy.

An independent person who did not enter the information in the system should review each vendor record added or changed in the system against the supporting documents for validity and accuracy. The review should be evidenced as defined in the policy. In the absence of control activities and requirements defined in the policy, the City cannot ensure that key internal controls are implemented properly and operate effectively.
Recommendation

The ASD management should review and update the City’s Policy and Procedures 1-06/ ASD, Payment Procedures, to ensure that an adequate internal control system is in place to mitigate a risk of potential loss resulting from wire and ACH frauds. The control activities and requirements should be clearly defined and communicated to employees to ensure that controls are implemented properly and executed effectively. The ASD management should also train the appropriate employees on the required control activities to ensure that they execute the controls properly. Additionally, the ASD management should implement a mechanism (such as periodic meetings, training, e-mail communications, etc.) that is a little more proactive than the current practice to keep appropriate employees informed on wire and ACH fraud schemes and trends in addition to the user security awareness training provided by the City.

Finding 2: ACH Payments

There are three employees in the ASD AP team. The OCA noted that all three AP team members have access to post invoices and process payments in the SAP ERP system and in the bank online portal. The access allows the employees to update the vendor records in the SAP ERP system as well. The AP segregation of duties issue was reported in the ERP Planning: Separation of Duties audit report dated October 17, 2018. Recently, the SAP Functionality and Internal Control Assessment revealed that:
1) “Process Vendor Invoices” and “AP Payments” are two of the three processes with the most conflicts out of 12 business processes that are part of the SAP Finance and Accounting (FI) module
2) “AP Payments and Process Vendor Invoices” is one of the top 10 SAP FI conflicts.

Because of the existing conflicts, effective operation of mitigating controls is important to ensure that all electronic payments are valid and properly processed.
The mitigating control currently in place is dual authentication of ACH payment batches and bank transactions in the bank online portal. Between September 1, 2021, and March 15, 2022, the ASD AP team processed 31 weekly ACH batches totaling approximately $45M. The OCA reviewed approvals for 10 ACH batches and the supporting documents for 25 individual ACH payments selected from those 10 batches. Each ACH batch payment packet is signed by the following three individuals using DocuSign:
• Preparer (AP Account Specialist), who creates the batch file in the SAP ERP system, assembles a payment packet containing the supporting documents approved by the applicable departments for the batch, and uploads the batch file to the bank online portal
• First Approver (AP Senior Accountant), who reviews and approves a payment packet and approves the uploaded batch file in the bank online portal
• Second Approver (Treasury Manager), who reviews and approves a payment packet

The OCA then compared the bank information in the SAP ERP system to the bank information shown in the supporting documents. For one of 25 ACH payments reviewed, the actual ACH bank account number used for the payment was different from the ACH bank account number shown on the vendor invoice. This discrepancy was not identified during the payment process, and the payment was made to an incorrect account. There was no financial loss since the bank returned the payment that was made to the closed account, and the City was able to issue a check to the vendor. However, if the wrong account had not been closed, the error would have gone unnoticed without the vendor’s notification. The control to prevent erroneous payments did not operate effectively for this payment although all supporting documents and approvals were well documented. The quality and effectiveness of independent reviews are especially crucial due to the segregation of duties issue as noted above.
The ineffective execution of internal control (a thorough review to detect errors and irregularities) may result in erroneous payments, financial loss, and/or inefficient use of resources.

The ACH payments are made from the bank online portal. Access to this account is limited, but all three AP team members can initiate and approve ACH payment batches. According to the Manager of Treasury, Debt, Investment, he set the dual authorization requirement in the account settings in the bank online portal around October 2018 so that the same individual cannot approve a transaction he/she initiated. The OCA determined that the application control requiring dual authorization is currently in place. The names of the individuals who initiated and approved each ACH batch are listed in the ACH Audit Report and ACH Daily Batch Detail. However, these audit trails are available in the portal only for a month unless a report is generated and saved offline by a user. As the City currently does not require employees to save the reports, the audit trails evidencing that the dual authorization control is working effectively are not maintained. It took a week for the City to receive the information after submitting a request to the bank’s customer service department. Audit trails are detailed records of financial transactions and are used to verify and track transactions. It is necessary for the City to maintain a complete audit trail to be able to trace back any irregularities and investigate them when they happen.

Although mitigating controls such as secondary approver, dual authorization, and bank account reconciliation are in place, ineffective execution of any of the key mitigating controls may lead to invalid and/or inaccurate AP ACH payments.

Recommendation

The ASD management should review segregation of duties among creating/updating vendor records, processing vendor invoices, and processing payments and evaluate risks associated with conflicts.
The ASD management should work with IT to identify ways to improve segregation of duties and mitigate risks. Until the segregation of duties conflicts are resolved, the ASD management should strengthen mitigating controls over the AP payment process by ensuring that the controls are designed to mitigate risks adequately and are operating effectively. The City’s Policy and Procedures 1-06/ ASD, Payment Procedures should be updated to clearly define the controls and communicate them to employees.

Appendices

Appendix A: Electronic Payments Process and Controls

Appendix B: Management Response

[Table columns: Recommendation; Responsible Department(s); Agree, Partially Agree, or Do Not Agree and Target Date and Corrective Action Plan]

Finding: Electronic Payment Instructions

Recommendation: The ASD management should review and update the City’s Policy and Procedures 1-06/ ASD, Payment Procedures, to ensure that an adequate internal control system is in place to mitigate a risk of potential loss resulting from wire and ACH frauds. The control activities and requirements should be clearly defined and communicated to employees to ensure that controls are implemented properly and executed effectively.
Responsible Department(s): Administrative Services
Concurrence: Agree
Target Date: February 2023
Completion Date: February 22, 2023
Action Plan: ASD has drafted revisions to Policy and Procedures 1-06/ASD, Payment Procedures to align the policy document with staff’s current practices for electronic payments through ACH and wire transfer. Controls already in practice and added to the updated policy include:

ACH Payments
• AP staff verbally confirms bank information on the ACH enrollment form by calling an independently obtained phone number from the company website and/or master vendor record in SAP.
• ACH batches are signed by three individuals before the batch is processed: preparer (A/P Accounting Specialist); first approver (A/P Senior Accountant); and second approver (Manager, Treasury, Debt & Investments).
Wire Transfers
• The Manager, Treasury, Debt & Investments, confirms bank information from the ACH enrollment form by calling an independently obtained phone number from the company website and/or master vendor record in SAP.
• Wire transactions are entered in U.S. Bank’s online portal. The wire is initiated by the Manager, Treasury, Debt & Investments; a second approval is required to execute the wire.

The revised policy was distributed to City employees in February 2023.

Recommendation: The ASD management should also train the appropriate employees on the required control activities to ensure that they execute the controls properly. Additionally, the ASD management should implement a mechanism (such as periodic meetings, training, e-mail communications, etc.) that is a little more proactive than the current practice to keep appropriate employees informed on wire and ACH fraud schemes and trends in addition to the user security awareness training provided by the City.
Responsible Department(s): Administrative Services
Concurrence: Partially Agree
Target Date: March 2023
Completion Date: To be determined during the OCA’s follow-up review
Action Plan: Key ASD employees (Finance Manager; AP Senior Accountant; Manager, Treasury, Debt & Investments; and Assistant Director, ASD) stay current on control environment and activities through continuing education requirements, government association training opportunities, and news articles on the subject. ASD staff are members of the Government Finance Officers Association and the California Society of Municipal Finance Officers and have access to email distribution lists and discussion groups on these topics.
As discussed in Management’s Response, Policy and Procedures 1-06/ASD, Payment Procedures has been revised to the City’s practice of verbally confirming payment information through contact information that is independently obtained through the company’s website or the vendor record in SAP; this is a control activity best practice implemented by staff as a result of cybersecurity and control environment training. In addition, the City requires cyber security training biennially. Key ASD Staff will continue to actively pursue training opportunities to remain informed of new control environment practices, fraud schemes, and user security awareness.

Finding: ACH Payments

Recommendation: The ASD management should review segregation of duties among creating/updating vendor records, processing vendor invoices, and processing payments and evaluate risks associated with conflicts. The ASD management should work with IT to identify the ways to improve segregation of duties and mitigate risks.
Responsible Department(s): Administrative Services
Concurrence: Partially Agree
Target Date: March 2023
Completion Date: To be determined during the OCA’s follow-up review
Action Plan: As noted previously, ASD has revised Policy and Procedures 1-06/ASD, Payment Procedures to describe mitigating controls that ASD has in place over ACH and wire payments. ASD is aware of the system configuration in the ERP and has implemented internal controls to mitigate the risk the system configuration could present. Staff continually reviews segregation of duties and the internal control structure that is in place with the goal of maximizing use of staff resource and balancing with risk mitigation. Staff agrees that a technology solution to improve segregation of duties is ideal. As part of phase two of the ERP upgrade, staff will evaluate the cost benefit of system configuration modifications.
Recommendation: Until the segregation of duties conflicts in the City’s ERP system are resolved, the ASD management should strengthen mitigating controls over the AP payment process by ensuring that the controls are designed to mitigate risks adequately and operating effectively. The City’s Policy and Procedures 1-06/ ASD, Payment Procedures should be updated to clearly define the controls and communicate to the employees.
Responsible Department(s): Administrative Services
Concurrence: Partially Agree
Target Date: February 2023
Completion Date: February 22, 2023
Action Plan: Staff agrees that updates to the City’s Policy and Procedures 1-06/ASD, Payment Procedures will provide clear communication to employees and memorialize the control practices already in place. As listed below, segregation of duties and mitigating control practices exist in the ACH and wire payment process, and updates to 1-06/ASD, Payment Procedures, will ensure clear definition of these controls. Staff believes that the following controls are designed to mitigate risk effectively and operate effectively:
• Verbally confirm vendor banking information through independently obtained contact information and/or the master vendor record in SAP.
• Invoices cannot be parked and posted by the same AP employee. In addition, invoices cannot be parked and processed by the same AP employee.
• Although all three AP employees can post and process ACH batch payments, this control risk is mitigated by requiring three approvers to process the payment. The third approver, Manager, Treasury, Debt & Investments, has no authorization to park, post, or process payments. Independent review of all ACH payments is done by verifying the vendor, dollar amount, and authorized signature(s).
• The AP Senior Accountant reviews banking changes made in the SAP system before approving ACH batch. Documentation of these banking changes began in May 2022.
• The ACH batch cannot be uploaded and approved by the same person in the City’s bank online portal (U.S. Bank).
• AP staff do not have authority to enter goods receipts in SAP (MIGO). Goods receipt is required for all PO related payments.

Policy & Services Committee Staff Report

From: City Manager
Report Type: ACTION ITEMS
Lead Department: City Manager
Meeting Date: April 26, 2023
Report #: 2304-1249

TITLE

City Council Referral to Discuss and Recommend Council Protocols on International Travel and other City Council referrals related to the City Council Procedures and Protocols.

RECOMMENDATION

Staff recommends that the Policy and Services Committee discuss the referral from the City Council related to City Council international travel and make a recommendation to the Council for inclusion in the City Council Procedures and Protocols Handbook. If time allows, the Committee can also discuss any other referral related to the City Council Procedures and Protocols Handbook.

BACKGROUND AND ANALYSIS

The City Council discussed the City Council Procedures and Protocols Handbook on January 30 and March 20, 2023 and referred a few discussion topics to the Policy and Services Committee. The referrals included the following:
1. Procedures Section 1.1: Annual Organization of City Council
2. Procedures Section 5.1a(4): Video Participation for Public Comment. As an alternative, staff included text in the revised Handbook to simply note that if feasible this will be implemented. If Council is not satisfied with this clause, this text can be deleted and the item fully evaluated at committee.
3. Procedures Section 8.2: Censure language was referred to committee for review.
4. Protocols Section 2.2: Refrain from Lobbying Board and Commission Members.
5. Protocols Section 2.8: The Role of Council Liaison to Boards or Commissions. Council recommended involving the Board/Commission Chairs in this process.
6. Protocols Section 4: International Travel
7. Protocols Section 4.1: Miscellaneous Expenditures.
Council referral for the committee to discuss the establishment of appropriate parameters for Council discretionary expenditures and whether to allocate $2,000 annually from the Council contingency fund for each Council member to decide its purpose.

These topics will be scheduled throughout the year at the Committee to balance workload. The first topic highlighted for Committee discussion is Councilmember international travel. If time allows, the Committee can discuss any of the other referral topics listed above.

Regarding Council member international travel, the Council asked the Committee to consider this topic, especially the following sub-questions:
• Should Councilmember international travel be approved for reimbursement?
• Should certain international travel expenses for the Mayor or Councilmembers related to Sister Cities be covered by the City?

Additionally, Neighbors Abroad, the nonprofit organization that engages with the City’s Sister Cities on behalf of the City of Palo Alto, has raised a question related to expenses for Sister/Sibling City visits. Often when Palo Alto has a delegation visiting a Sister/Sibling City, the Sister/Sibling City will arrange for expenses to be covered for the delegation’s airport transportation to the actual Sister/Sibling City (not the flight itself) and sometimes for other expenses throughout the visit (such as meals or hotel stay). When delegations visit Palo Alto, the City and Neighbors Abroad typically only fund expenses related to organized meals and will sometimes arrange for travel to and from meetings in and around Palo Alto. Historically, most Sister/Sibling Cities have not asked about reciprocity for their visits (asking Palo Alto to cover a comparable amount of expenses during delegation visits to Palo Alto).
However, this topic has come up more recently, and discussion of international travel protocols provides an opportunity to clarify expectations of City expenditures for Sister/Sibling City delegation visits to Palo Alto. The Committee may wish to consider recommending the establishment of clear expectations around what expenses will be covered by Palo Alto for visiting Sister/Sibling City delegations, at what frequency they will be covered (e.g., annually or every 5 years), and which delegates will be covered (e.g., a number but not the entire delegation). The expenses in question include hotel/lodging and transportation, but discussion could extend to meals and other expenses. The Committee can recommend a policy to the City Council for the Handbook that includes what to cover and a source of funds for those expenses.

FISCAL/RESOURCE IMPACT

Depending on the recommendations from the Policy and Services Committee, there could be the need to increase the City Council travel budget. Staff will be able to assess the costs based on the Committee recommendation. Currently the Council also has a $125,000 annual contingent account that could be recommended for these ad hoc purposes.

STAKEHOLDER ENGAGEMENT

The City Council began this discussion related to the travel section of the Handbook on March 20, 2023. Staff reached out to Neighbors Abroad since that time. No additional engagement has been done to date.

ENVIRONMENTAL REVIEW

This is not a project.

APPROVED BY: Chantal Cotton Gaines, Deputy City Manager