SUMMARY MINUTES
Policy & Services Committee Regular Meeting
October 12, 2021
The Policy and Services Committee of the City of Palo Alto met on this date in virtual teleconference at 7:00 P.M.
Present: Kou (Chair), Stone, Tanaka
Absent: None
Oral Communications
None
Agenda Items
1. Review and Approve a Task Order for the Office of the City Auditor to Conduct the Utility Work Order Process and Accounting Review.
City Auditor Kyle O’Rourke reported that the Utility Work Order Process and Accounting Review is a project that was approved as part of the Audit Plan. The objectives of the audit are to identify high-risk subprocesses in the work order process, document and evaluate the processes and controls in place to ensure proper recording of costs, and perform tests to determine the accuracy of attributed costs for a sample of completed work orders. The utility work order process is a significant component of how utilities operates. Staff recommended that the Policy and Services Committee (Committee) forward the Utility Work Order and Accounting Review Task Order to City Council (Council) as a Consent Calendar item.
Public Comments: None
Committee Member Stone inquired if the interviews will be in-person.
Mr. O’Rourke answered that all interviews will be conducted virtually.
Committee Member Stone wanted to understand the on-site fieldwork in comparison to doing everything virtually.
Mr. O’Rourke mentioned that if the system is complex, it is beneficial to be in person.
Committee Member Stone asked whether, if Staff is visiting Palo Alto (City), Staff is required to stay at a Palo Alto hotel.
Mr. O’Rourke could not recall there being a specific requirement.
Committee Member Stone requested further information on comparing the process and controls against best practices.
Mr.
O’Rourke disclosed that the processes and controls are compared against industry best practices and industry standards.
Committee Member Tanaka noticed that the agenda states that the start time for the meeting is 7:00 P.M.
Chair Kou confirmed that the start time is 7:00 P.M. She asked if Staff is allowed access into the utility’s system or if reports are provided.
Mr. O’Rourke explained that it can be done either way, but for this specific audit he was not sure.
Chair Kou mentioned that the price of the task is listed as $84,900, of which $81,400 is for the utility work order and process review and $3,500 is for reimbursable expenses.
Mr. O’Rourke clarified that he did not anticipate visiting the City. If there are a lot of paper documents, then he would be required to come to the City and review those documents. The City can choose to eliminate the travel budget altogether, which would result in cost savings to the City, or those funds could be used for other audit activities.
MOTION: Chair Kou moved, seconded by Committee Member Stone to recommend the City Council approve the Office of the City Auditor’s Utility Work Order Process & Accounting Review Task Order on the Consent Calendar.
MOTION PASSED: 3-0
2. Office of the City Auditor Presentation of the IT Risk Management Assessment Report.
Baker Tilly’s Atit Shah introduced himself to the Policy and Services Committee (Committee). He mentioned that he provided quality assurance for the project.
Baker Tilly’s Stacey Gill served as the project manager for this project.
City Auditor Kyle O’Rourke expressed appreciation to Palo Alto (City) Information Technology (IT) Director and the City Manager’s Office for their help on the audit. He mentioned that the risk ratings in Appendix A are not necessarily intended to indicate an internal control weakness or operating effectiveness.
He emphasized that the audit is not a cybersecurity assessment or review. Staff is planning to recommend additional IT audits and cybersecurity audit work. He cautioned the Committee on asking questions about the redacted information because the information contains internal controls that should not be published publicly. If the audit is approved by Council, that approval accepts the action plan highlighted in Appendix D.
Ms. Gill stated that IT risk management encompasses all the processes, policies, tools, and methods to manage and mitigate IT-related risks. Management of IT risks can be done on an operational level as well as on a holistic level. The holistic approach evaluates activities that are being done to actively understand what IT risks exist for the City and to assess and respond to those risks. The IT risk framework included setting context, risk identification and assessment, risk analysis and business impact evaluation, risk response, and risk reporting and communication. The objectives for the audit included understanding the key risk areas within the IT governance strategy and risk management environment, evaluating the adequacy of the IT risk management framework and key internal controls, and offering recommendations for improvement. For the audit, Staff identified the Control Objectives for Information Technologies (COBIT) 5 framework and it will be used for future implementation of the risk management program. Staff reviewed background information and interviewed key personnel to understand the City’s IT risk management strategy. Then testing and analysis were conducted to determine if the design mitigates key risks and then Staff identified opportunities for improvement. The first recommendation that Staff provided was that the City establish a risk appetite and tolerance when developing strategy and implement proactive IT risk management processes. The second recommendation was to develop a risk register and risk assessment process.
The third recommendation was to use standard criteria to measure the likelihood, impact frequency, and magnitude of the risk scenarios from a top-down and bottom-up approach. The fourth recommendation was to plan and implement a mitigation approach to avoid, share, transfer, or accept any risks identified in the risk appetite. The fifth recommendation was to monitor risks and report timely and accurate risk information to decision-makers and stakeholders.
Mr. Shah clarified that Staff is not saying that communication is not happening. Staff recommends that a formal process be established to communicate what is happening with key stakeholders and decision-makers.
Public Comments: None
Committee Member Stone inquired if the five steps listed in the risk management workflow are formal IT risk management.
Ms. Gill confirmed that is correct.
Committee Member Stone asked if Staff will be working with Mr. O’Rourke to develop criteria for the City to use to rank risks.
Mr. Shah answered that it depends upon what the City’s risk appetite is and then based on that, Staff will work with the City to develop a criteria matrix.
Committee Member Stone wanted to know if the budget includes periodic re-evaluation.
Ms. Gill stated that the City’s IT Department monitors ongoing risks.
Chair Kou asked who will develop the risk management workflow steps.
Mr. O’Rourke answered that the City’s IT Department will be creating those. An outside consultant will formalize the process and conduct the first documentation of the risk assessment.
IT Director Darren Numoto answered that is correct.
Chair Kou inquired how the redacted information is being handled if an outside consultant is doing the work.
Mr. Numoto explained that Staff would follow the City’s existing procurement process for outside consultants.
City Attorney Molly Stump confirmed that the information is protected through the contractual relationship with the vendor.
Chair Kou wanted to know how many frameworks there are and why COBIT 5 was chosen.
Mr. Shah explained that COBIT 5 is a full risk management framework that is geared towards IT.
Chair Kou remarked that Mr. Numoto and his team have done very well through the Coronavirus Pandemic. She agreed that there is a need to formalize and identify the risks as well as to protect the public and their information.
Committee Member Tanaka announced that overall the audit and the recommendation make sense. He requested further clarification on how the City determines what work is done in-house and what work is outsourced. He mentioned that many government agencies are moving to a cloud database which is cheaper and easier to secure.
Mr. Shah mentioned that transitioning to a cloud would require a significant investment by the City.
Mr. Numoto commented that the City is using the cloud for certain workloads and will continue to increase that as needed. Even if the City moved to the cloud full time, the City would still need to manage the infrastructure, and that requires folks who have a certain skill set.
Committee Member Tanaka asked what percentage of the workload is on-premise versus in the cloud.
Mr. Numoto disclosed that there is a high percentage of internal services on-premise.
Committee Member Tanaka indicated that using the cloud will reduce Staff time.
Mr. Numoto restated that there is a significant cost because a cloud is consumption-based and there must be cost management.
Committee Member Tanaka inquired if using the cloud would increase security.
Mr. Numoto explained that the City does have backup solutions that are stored offsite. He emphasized that there are costs associated with backups and other services.
Committee Member Tanaka appreciated Staff’s response but mentioned that the federal government, and other agencies, are moving to the cloud. He encouraged Staff to explore the pros and cons of using a cloud. Concerning the audit report, he asked if any analysis was done on what type of work should be done in-house versus outsourced.
Ms. Gill answered that type of analysis was not within the scope of the audit.
Committee Member Tanaka asked how the audit compares to other cities.
Mr. Shah answered that the City’s IT risk management is similar to other cities the size of Palo Alto. He mentioned that the City’s status as a high-technology City draws hackers to the area.
MOTION: Chair Kou moved, seconded by Committee Member Stone to recommend the City Council approve the IT Risk Management Report on the Consent Calendar.
MOTION PASSED: 3-0
3. Review and Approval of the Office of the City Auditor (OCA) Annual Report.
City Auditor Kyle O’Rourke reported that the scope of the work conducted by the OCA included the Citywide risk assessment, preparation of the annual audit plan, financial audit tasks, execution of the annual plan, preparation of quarterly reports and annual status reports, and evaluation and benchmarking. For Fiscal Year (FY) 2021, the OCA completed the first Citywide risk assessment, which was approved in March 2021 by City Council (Council), and the FY 2022 Citywide risk assessment is pending kick-off. The Annual Audit Plan was approved by Council in March of 2021. Concerning the financial audit, the final FY 2020 audit reports were approved. Council approved a 1-year contract extension due to extraordinary circumstances and the FY 2021 financial audit is underway. A Request for Proposal (RFP) has been issued to recruit financial auditors for the coming 3-year period with an option to extend beyond the 3-years.
Concerning the execution of the Audit Plan, 10 task orders have been approved, and nine audit activities are currently in progress. Concerning periodic reporting, Staff continues to monitor the Fraud/Waste/Abuse Hotline, deliver quarterly reports, and attend City meetings. Concerning the Fraud, Waste and Abuse Hotline, Staff received and closed one report in the first quarter. The OCA reviewed prior findings made from audits conducted in 2018 to the present. Staff discovered 37 findings that were still pending action. Of the 37 findings, Staff was able to close out 24 of them, and there are plans in place to close out the remaining 13 findings in the coming years. Through the FY 2022 risk assessment process, Staff will re-evaluate audit priorities and determine whether investment management, application lifecycle management, Phase 2 of Systems and Applications and Data Processing (SAP) functionality and internal controls, and the Wastewater Treatment Plant Agreement are still top priorities. In the coming months, OCA will be requesting feedback on how the OCA is doing through the annual review process. Staff recommended that the Policy and Services Committee (Committee) forward the Office of the City Auditor’s Annual Report to Council for the Consent Calendar.
Public Comment: None
Committee Member Stone inquired if the process to track and compare overtime in various departments has provided any benefit to the City regarding lowering overtime costs.
Mr. O’Rourke clarified that the recommendation was to improve the reporting and control process. Staff verified and validated that those controls were implemented as intended.
City Manager Ed Shikada noted that it is difficult to generalize trends in overtime costs. He mentioned that there are legitimate reasons why overtime is higher than it was in previous years.
Committee Member Stone wanted to know what the end goal is for the Overtime Audit.
City Manager Shikada explained that the Overtime Audit was established in the context of the Enterprise Resource Planning (ERP) System that was being developed at the time. The City decided to move in a different direction with the ERP.
Committee Member Stone recalled that the City’s Municipal Code penalizes the user of a gas-powered leaf blower and not the property owner. He asked what the process is if the City were to modify that section of the code so that the property owner receives a citation.
Planning and Transportation Director John Lait commented that the code can be amended but it would require direction from the Council. Staff would have to do more analysis to determine if it is feasible for the homeowner to be responsible.
Committee Member Stone encouraged Staff to explore how to modify the City’s Municipal Code so that the homeowner is penalized rather than the owner of the leaf blower. He predicted that citing a property owner would deter folks from using gas-powered leaf blowers. He mentioned that many residents are frustrated with the lack of enforcement regarding leaf blowers. He suggested that Council discuss whether code enforcement should continue to address leaf blowers or whether it should be community service officers. He emphasized that eliminating gas-powered leaf blowers will greatly help the City reduce its greenhouse gas (GHG) emissions.
Deputy City Manager Chantal Cotton Gaines mentioned that Staff is continuing to educate the community on the ramifications of gas-powered leaf blowers and lawnmowers.
Committee Member Stone appreciated Staff’s work on the issue, but he predicted that even with a robust education and communication program, the problem will not diminish until proper enforcement happens.
Committee Member Tanaka requested that Staff provide more details on benchmarking.
Mr. O’Rourke explained that Task 6, evaluation and benchmarking, is peer review benchmarking of the OCA.
Committee Member Tanaka asked if benchmarking is done that compares the City to other jurisdictions.
Mr. O’Rourke answered yes, Tasks 4.9 and 4.10 do that type of benchmarking.
Committee Member Tanaka encouraged Staff to do benchmarking as much as possible against other jurisdictions. He appreciated that the City Manager is releasing Net Promoter Scores (NPS) and encouraged Staff to use that data to compare the City to other jurisdictions.
Mr. O’Rourke confirmed that Staff will use NPS in future reports.
Committee Member Tanaka emphasized that customer feedback is very important and it is better to hear the feedback in real-time. He mentioned that with the fluctuation of commodities in utilities, some utilities will use hedging, and he inquired if Staff will be making recommendations regarding that.
Mr. O’Rourke confirmed that there are currently no planned activities regarding hedging, but it can be considered for the coming year’s Audit Plan.
Committee Member Tanaka commented that he did not agree with Committee Member Stone’s recommendation to penalize homeowners when it comes to gas-powered leaf blowers. He predicted that many homeowners are not home when their gardeners come. He asked how the Council can help the OCA become more effective and where Staff needs more support.
Mr. O’Rourke answered that Staff needs help with the next risk assessment process and would also like the Council to provide feedback on future audit activities and to forward any independent research of what other jurisdictions are doing to the OCA.
Committee Member Tanaka wanted to better understand crime trends and enforcement of the City’s existing ordinances.
Chair Kou remarked that when an audit is closed, Staff continues to monitor the corrective actions.
Mr. O’Rourke answered that is correct.
Chair Kou asked whether, for the non-profit agreement risk management review, the fieldwork is being conducted in person.
Mr. O’Rourke disclosed that work is being done remotely.
Chair Kou understood that the City Auditor’s Office is talking with City Staff rather than talking with the non-profits themselves.
Mr. O’Rourke confirmed that is correct.
Chair Kou inquired if Staff will be reaching out to community stakeholders, businesses, and residents for feedback on the code enforcement items.
Mr. O’Rourke explained that typically there is no interaction with the public, but rather looking at the practices and procedures that are implemented by City Staff to remediate any audit recommendations.
MOTION: Council Member Stone moved, seconded by Council Member Tanaka to recommend the City Council approve the Office of the City Auditor (OCA) Annual Report on the Consent Calendar.
MOTION PASSED: 3-0
Future Meetings and Agendas
Deputy City Manager Chantal Cotton Gaines announced that the items pending for the meetings for November and December 2021 included priority setting for the annual City Council retreat, the Legislative Guidelines, and an update on the Protocols and Procedures document. The pending items also included a quarterly update on the race and equity work, the Community Ambassador Program, and affordable housing funding. She asked if the Policy and Services Committee (Committee) is interested in starting the meetings at 6:00 P.M.
Committee Member Tanaka commented that he wished to leave the start time at 7:00 P.M.
Chair Kou did not mind a start time of 6:00 P.M.
City Manager Ed Shikada noted that a 7:00 P.M. start time guarantees a 12-hour day for Staff.
Committee Member Stone remarked that if it is easier for Staff, he supported a 6:00 P.M. start time.
Adjournment: The meeting was adjourned at 8:32 P.M.