Staff Report 11952

City of Palo Alto (ID # 11952)
Policy and Services Committee Staff Report

Report Type: Adjournment
Meeting Date: 2/9/2021

Summary Title: Approval of the FY21 Audit Plan and Related Reports

Title: Discussion and Recommendation to the City Council to Accept the City Auditor’s Risk Assessment Report, Annual Audit Plan, and Quarterly Status Report

From: City Manager
Lead Department: City Auditor

Recommendation

The City Auditor recommends that the Policy and Services Committee take the following actions and forward the corresponding reports to the City Council for consent:

• Accept the Fiscal Year 2021 Risk Assessment Report and Recommend City Council Approval
• Accept the Fiscal Year 2021 Audit Plan Report and Recommend City Council Approval
• Approve the following Task Orders, identified in the Audit Plan Report
  o Construction Project Controls
  o Asset Capitalization
  o Assessment of SAP Functionality and Internal Controls
  o IT Risk Management
  o Investment Management
  o Power Purchase Agreements
  o Economic Recovery Advisory
• Accept the City Auditor’s Office Quarterly Status Report covering October – December 2020

Background

In its capacity serving as the City Auditor function, and in accordance with Baker Tilly’s agreement with the City (Task #2 of the agreement), Baker Tilly performed a citywide risk assessment. The purpose of the assessment was to identify and prioritize risks in order to develop the annual audit plan (Task #1). During the risk assessment, Baker Tilly assessed a wide range of risk areas, including strategic, financial, operational, compliance, technological, and reputation risks. The risk matrix is included as an appendix to the report. Baker Tilly will provide a presentation to the Committee to discuss the results of the Risk Assessment and is asking that the Committee recommend acceptance of the report by City Council.
The Palo Alto Municipal Code (Section 2.08.130) requires the City Auditor to prepare and submit an annual audit plan to the City Council for review and approval. The audit plan is normally submitted to the City Council at the beginning of the fiscal year. Given the timing of onboarding Baker Tilly to serve as the City Audit Function, the risk assessment and audit planning process spanned October 2020 through January 2021, the middle of fiscal year 2021. As a result, Baker Tilly has sought to identify audit activities across an 18-month horizon (through FY22). Baker Tilly plans to present on the audit plan and is asking that the Committee recommend approval of the audit plan report by City Council, which will prompt finalization of the corresponding Task Orders by Baker Tilly and the Policy & Services Committee Chair.

Lastly, Baker Tilly is required to report quarterly to the Policy & Services Committee on a variety of topics, generally including progress to plan (Task #5). Baker Tilly intends to present on status and is asking that the Committee accept the Quarterly Report covering October – December 2020.

Respectfully submitted,
Kyle O’Rourke
City Auditor and Senior Manager, Baker Tilly

Attachments:
• Attachment A: City Auditor's Office - Risk Assessment Report (FINAL DRAFT)
• Attachment B: City Auditor's Office - FY21 Audit Plan (FINAL DRAFT)

City of Palo Alto
City Auditor’s Office
FY21/22 Annual Risk Assessment
January 15, 2021

Table of Contents
Introduction
Detailed Risk Analysis
Risk Assessment Results
Appendices

Introduction

Overview

According to City Ordinance, the mission of the City Auditor’s Office is to promote honest, efficient, effective, economical, and fully accountable and transparent city government. To fulfill this mission, the Office conducts performance audits and performs nonaudit services of any city department, program, service, or activity as approved by the city council (Section 2.08.130).

In its capacity serving as the City Auditor function, and in accordance with Baker Tilly’s agreement with the City (Task #2 of the agreement), Baker Tilly performed a citywide risk assessment. The purpose of the assessment was to identify and prioritize risks in order to develop the annual audit plan (Task #1). During the risk assessment, we assessed a wide range of risk areas, including strategic, financial, operational, compliance, technological, and reputation risks. Please see Appendix A for the Baker Tilly Risk Framework that helped to promote a thorough consideration of risks.

This report outlines our analysis of risk, and includes a quantitative scoring of risk based on the likelihood of occurrence and potential impact to the City. The results of the risk assessment informed the development of the annual audit plan. The risk assessment involved collaboration with City Council and executive leadership across the organization.
In conducting the 2021 risk assessment, we:
- Developed a detailed understanding of the City’s environment, business functions, and organizational objectives
- Met with members of senior management and the executive leadership team representing the major operations and administrative functions of the City
- Reviewed key documentation such as the capital plan, annual budget, organizational charts, financial statements, and prior financial and City Auditor reports
- Evaluated interview results and considered industry factors, including current economic factors related to the COVID-19 pandemic, to identify areas of risk to the City

Organizational Strengths

Through the risk assessment, we observed certain strengths of the City. Key strengths include:
- Commitment to public service
- High value on efficient and effective government
- Focus on long term strategy
- Dedicated and highly professional management and staff
- Demonstrated history of innovation and commitment to sustainability, including implementation of the Palo Alto Climate Action Plan

Additionally, Baker Tilly commends the City for its response to COVID-19. In particular, we greatly admire all efforts taken to support the health and wellbeing of Palo Alto citizens and Stanford students, as well as the support of essential workers during this time of heightened risk.

Key Risk Areas Identified

Baker Tilly performed interviews with members of City Council and the Executive Leadership Team. During these interviews, Baker Tilly asked participants what they view to be the top five risks facing the City overall, regardless of whether it is specific to their area of focus/department or not.
The following is a list of risk themes identified in those interviews:
- Financial Performance and Economic Recovery
- Information Technology & Cybersecurity
- Strategic Workforce Planning
- Organizational Governance
- Compliance and Legal Risks

Financial Performance
- Revenue Generation – Although the City has many sources of revenue, some of which are healthy and stable, the City also relies on economically sensitive revenues such as sales tax and transient occupancy tax. Palo Alto has been a hub for large technology businesses, which bring in visitors to hotels, restaurants, and retail. These visitors and daytime population help feed the sales and transient occupancy taxes. The COVID-19 pandemic has highlighted weaknesses in the reliability of this revenue structure.

Information Technology
- Cybersecurity – Ransomware and malware attacks are growing threats facing all municipal governments. These cyberattacks may result in significant financial losses, costly service disruption, and loss of information. The City faces similar threats on a daily basis and seeks to ensure that its information security practices and controls mitigate these risks.

Strategic Workforce Planning
- Employee Recruitment & Retention – Attracting and retaining high-performing employees is a complex challenge facing the City. Recent legislation such as the Public Employee Pension Reform Act of 2013 (PEPRA) made public employment less attractive in the State of California as retirement benefits became less generous. In addition, the City’s high cost of living limits the applicant pool as many employees and prospective employees commute long distances to work for the City.
- Employee Turnover – The City faces potential risk of employee turnover in a variety of critical positions due to retirement eligibility, perceived or actual lack of upward mobility, and competitiveness of compensation and benefits in comparison to the cost of living.
Employee turnover for any reason creates gaps in institutional knowledge. Succession planning, documenting standard operating procedures and cross training are key considerations for entities facing this dynamic.

Governance
- Intergovernmental Relations & Governance – The City of Palo Alto collaborates with a network of institutions at the national, state, and local level. Operating in an environment where there are numerous stakeholders and key partners can strain the governance system and impair achievement of organizational objectives.

Compliance Environment
- Regulatory Environment – Palo Alto has a complex regulatory compliance environment, in which the City must comply with numerous laws and regulations, local ordinances, contracts and grant agreements, and policies and procedures. Failure to track and update relevant regulations may lead to external audit findings, fines, reputational harm and other negative outcomes.

Detailed Risk Analysis

Function Descriptions and Key Risks

When identifying risks throughout the organization, Baker Tilly considered each department throughout the City of Palo Alto and risks associated with those operational or functional areas. Below is an overview of each department and their key risks.

Administrative Services Department
The Administrative Services Department provides financial and analytical support to the City. Departmental functions include finance and accounting, purchasing, administration, budget, real estate, and others.
Key Risks
- Tax Revenue & Economic Recovery
- Asset Management
- Investment Management

City Clerk’s Office
The City Clerk serves as a liaison between the public and City Council. Office functions include public records requests, elections registration, public hearings, City Council compliance, and others.
Key Risks
- Public Records Requests
- Records Management

Communications Office
The Communications Office is housed under the City Manager’s Office and is the primary correspondent between the City and the public. The department oversees media relations and internal and external communications of the City.
Key Risks
- External Affairs
- Social Media Management
- Internal Communications

Community Services Department
The Community Services Department offers a variety of services administered through the following divisions: Community Services Administration, Office of Human Services, Palo Alto Art Center, Palo Alto Children’s Theatre, Palo Alto Junior Museum & Zoo, the Public Art Program, Open Space, Parks, & Palo Alto Baylands Golf Links, and Recreation Services.
Key Risks
- Contract Monitoring
- Background Check Procedures

Emergency Services Department
The Office of Emergency Services is designed to prevent, prepare for, and recover from various hazards. The Office is responsible for overseeing various risk management programs.
Key Risks
- Disaster Response

Fire Department
The Fire Department oversees emergency response such as ambulance transports and fire response/rescue, emergency protection services such as fire prevention, and hazardous materials planning. The department highlights safeguarding the community and compassionate care.
Key Risks
- Recruitment and Retention
- Compliance with SB 201

Human Resources Department
The Human Resources Department is responsible for recruiting, developing, and retaining a well-qualified and professional workforce. The department ensures compliance with relevant labor laws, adheres to record keeping practices, and serves as a strategic partner for executive decision making.
Key Risks
- High Cost Claims
- Records Management
- Workforce and Succession Planning

Information Technology
The Information Technology Department provides innovative technology solutions that support City departments.
The department oversees IT project management, operations, enterprise systems, and security services.
Key Risks
- Cyber Security
- Database/Data Management
- Disaster Preparedness and Recovery

Library Department
The Library Department operates five libraries throughout the City, each offering unique resources. The Library provides educational programming, multi-cultural events, and large and diverse book, information and technology resources.
Key Risks
- Inventory Management
- Recourse Demand
- Events and Programming

Planning Department
The Planning Department supports the City in land use development, planning, transportation, housing and environmental policies, and plans and programs that “maintain and enhance the City as a safe, vital, and attractive community”.
Key Risks
- Long Term Planning
- Code Enforcement

Police Department
Palo Alto’s Police Department oversees technical services such as dispatch and record management, field services such as patrol and emergency response, and animal control. The Police Department also places a high value on community relations.
Key Risks
- Employee/Officer Overtime
- Officer Conduct and Use of Force Policies
- Recruitment and Retention

Public Works
The Public Works Department is broken into four divisions: Engineering, Airport, Public Services, and Environmental Services. The divisions are responsible for a variety of tasks including design and implementation of capital projects, maintenance of City-owned and leased structures, and management of the solid waste programs.
Key Risks
- Construction Project Management
- Facilities Management
- Fleet Management
- Water Quality Control

Office of Transportation
The Office of Transportation works to enhance quality of life and improve the safety of the users of all modes of transportation. The office oversees a variety of large-scale capital projects including rail grade separations.
Key Risks
- Contract Management
- Safety Improvement Projects
- Traffic Operations

Utilities Department
The Utilities Department owns and operates electric, gas, water, wastewater and fiber optic services to the City. The City purchases all its power from external sources. The mission of the department is to “provide safe, reliable, environmentally sustainable and cost effective services.”
Key Risks
- Workforce and Succession Planning
- Contract Management of Purchased Power
- Capital Program Management
- Work Order and Asset Management

Detailed Function Analysis

In order to comprehensively assess risk, Baker Tilly drew upon subject matter experts in key risk areas. The following subsections provide additional analysis of those key risk areas, which include:
- Financial Management
- Information Technology
- Construction Management and Planning
- Utilities

Note that the following subsections are written to provide insight into key risks. The purpose of this analysis is to inform the overall risk assessment and scoring, not to draw conclusions or identify audit findings.

Financial Management

Overview of Credit and Debt

The City of Palo Alto possesses strong socioeconomic characteristics and is supported by a large tax base. The City is rated Aaa / AAA by Moody’s Investors Service and S&P Global Ratings, respectively. These ratings are the highest possible credit ratings that a city can be assigned by both Moody’s and S&P. The City’s largest source of tax revenue is property tax. Property tax revenue is generally considered a more stable source of revenue than other forms of taxation. According to the City’s unaudited 2020 Comprehensive Annual Financial Report (CAFR), the City’s next most significant tax revenue sources in the general fund are sales tax (14%) and transient occupancy tax (9%). As of fiscal year-end 2020, the City had a relatively low debt burden and healthy, though declining, fund balances.
The initial impact of the current economic downturn caused by COVID-19 has caused some sources of revenue to decline significantly. Steps to mitigate challenges posed by declines in revenue are discussed in more detail in the sections below. Table 1 shows the City’s largest general fund revenues and expenditures for fiscal years 2018 through 2020 audited financials.

General Fund Largest Revenues and Expenditures ($000s)

| Revenue Source | 2020 Year-End Result | 2019 Year-End Result | 2018 Year-End Result | Percent Year-Over-Year Change 2020-2019 | Percent Year-Over-Year Change 2019-2018 |
|---|---|---|---|---|---|
| Property Tax | 51,089 | 47,327 | 42,839 | 7.9% | 10.5% |
| Sales Tax | 30,563 | 36,508 | 31,091 | -16.3% | 17.4% |
| Utility User Tax | 16,140 | 16,402 | 15,414 | -1.6% | 6.4% |
| Transient Occupancy Tax | 18,553 | 25,649 | 24,937 | -27.7% | 2.9% |
| Charges for Services | 24,127 | 27,346 | 26,824 | -11.8% | 1.9% |
| Rental Income | 15,964 | 16,338 | 15,896 | -2.3% | 2.8% |

| Expenditures | 2020 Year-End Result | 2019 Year-End Result | 2018 Year-End Result | Percent Year-Over-Year Change 2020-2019 | Percent Year-Over-Year Change 2019-2018 |
|---|---|---|---|---|---|
| Public Works | 13,577 | 13,757 | 14,569 | -1.3% | -5.6% |
| Planning & Dev. Services* | 19,269 | 19,681 | 20,061 | -2.1% | -1.9% |
| Police | 45,679 | 42,854 | 40,326 | 6.6% | 6.3% |
| Fire | 36,440 | 33,489 | 33,522 | 8.8% | -0.1% |
| Community Services | 29,603 | 28,903 | 27,122 | 2.4% | 6.6% |
| Non-Departmental | 9,255 | 11,769 | 5,973 | -21.4% | 97.0% |

*In FY20, the Development Services Department was combined with the Planning and Community Environment Department to form the Planning and Development Services Department.

High-level Credit and Debt Risks

Cities with high debt burdens, low fund balances, and/or reduced cash balances are more susceptible to facing challenges during economic downturns. Maintaining healthy fund balances, managing outstanding debt levels, and implementing debt policies are prudent practices to help ensure future financial health. Reliance on volatile or economically sensitive revenues can also create budgetary stress during economic downturns. If certain sources of revenue are dedicated to pay for day-to-day operations or pay debt service on outstanding bonds, it is a conservative practice to provide sufficient coverage in the event revenues decline.

Credit and Debt Risks Specific to Palo Alto

The City’s 2021 adopted budget estimates that sales tax will decline by 40.3% while transient occupancy tax is estimated to decline 49.2%. Industry sources such as S&P and HVS Global Hospitality Services estimate that the hospitality industry will not return to 2019 revenue levels until sometime between 2023 and 2025. This estimate suggests that transient occupancy tax could sustain significantly lower revenues for the next three to five years. It is also our understanding that 70% of transient occupancy tax is leveraged to pay debt service on outstanding bonds. With significant declines to transient occupancy tax, pressure on paying debt service may create a need to cut spending in other areas of the City’s operations to free up funds needed to pay debt service.

Using unaudited data from the 2020 CAFR, the City’s available general fund balance as a percentage of operating revenues was approximately 31.3%. The City’s available cash balance as a percentage of operating revenues was 27.8%. These metrics are important to the rating agencies, and the City’s calculated results are considered healthy ratios. However, these ratios have declined year-over-year from 37.5% and 30.6%, respectively.

The City currently estimates a $39 million loss in general fund revenues for fiscal year 2021, as detailed in the City’s adopted budget. The full extent of the negative financial impact caused by COVID-19 remains to be seen; however, it has been partially captured in the City’s unaudited 2020 financials through June. The City has implemented citywide cost containment measures, which include hiring freezes among other action items, which will help to mitigate the impact of this estimated reduction in revenues.

General Fund Revenue and Expense Analysis

Baker Tilly analyzed key revenue sources and summarized that analysis in the table below.

Columns: Revenues; Comments/Drivers; Strengths; Limitations

- Property Tax: Palo Alto's main revenue source in the General fund is property tax, accounting for approx. 27% of total revenues in 2019-2020. The top type of property tax revenue is that from "secured" property tax which means the asset is of sufficient value to guarantee property tax is levied and if unpaid, can be satisfied from sale of realty. Turnovers and title changes can be beneficial to the increase in property tax revenue as it allows for a reassessment on AV. Long-term leases are also an area that can trigger new AV when the terms expire. Property tax in lieu of vehicle license fees is the second highest type of property tax revenue for the City. This is money from the State to replace a decrease in the VLF rate in 2004. Property tax revenue has proven to be stable. Prop 13 caps the property tax at 1% of AV. Prop 8 allows an assessor to reduce a property's assessed value to the lesser of the market value or the assessed value. California residents and local officials have little control over the distribution of property tax revenue to local governments as that is controlled by the State.
- Sales Tax: Sales tax is the second largest revenue stream for the General Fund accounting for approx. 16% of total revenues in 2019-2020 with an expected decrease to 12% for the 2020-2021 budget. Units can impose an additional rate added to the base of the state rate (called a District Tax). The City has strayed away from imposing additional rates added to the base (District Tax) because of its regressive nature. The 2020-2021 budget is expecting a $10M decrease in revenues from 2019-2020.
- Charges For Services: Charges for services accounted for approx. 12% of revenues in 2019-2020. Some of the larger revenue sources within this category are Stanford fire service fees, paramedic service fees, plan-checking fees and green fees. Charges for services fees are typically controlled at the local level so can be reevaluated on a regular basis to cover costs of services. In the past 2-3 years, the City has transitioned its golf course to a contract with a third party.
- Transient Occupancy Tax: This includes hotel taxes. Palo Alto's current rate is 15.5%. Currently no cap. Any increased rate requires voter approval.
- Utility Users Tax: Rate imposed on the use of utility services including telephones. Tax and use of revenue is determined by the local agency. Any increased rate requires voter approval.

Baker Tilly analyzed key expense categories and summarized that analysis in the table below.

Columns: Expenses; Comments/Drivers; Strengths; Limitations

- Police: Police department expenses accounted for approx. 23% of expenses in 2019-2020. Some of the top spending categories are field services, technical services, investigations, and crime prevention. Police are essential for public safety and expense reductions can be limited.
- Fire: Fire department expenses accounted for approx. 19% of expenses in 2019-2020. Some of the top spending categories are emergency response and administration. Fire is essential for public safety and expense reductions can be limited.
- Community Services: Community services expenses accounted for approx. 15% of expenses in 2019-2020. Some of the top spending categories were open space – parks & golf, arts & sciences and recreation and Cubberley. Reductions of expenses do not typically affect public safety.
- Public Works: Public works expenses accounted for approx. 9% of expenses in 2019-2020. Some of the top spending categories are structures and grounds, trees and streets.
- Development Services: Development services expenses accounted for approx. 6% of expenses in 2019-2020. Some of the top spending categories are building, fire and administration.

Enterprise Fund Revenue Analysis

Baker Tilly analyzed key revenue sources and summarized that analysis in the table below.

Columns: Utility; Revenue Source; Comments/Drivers; Strengths; Limitations

- Electric: Net Sales, Connection charges. The main source of revenue for Electric is user fees assessed to commercial, industrial and residential customers. Have the ability to raise rates at discretion of the governing body.
- Fiber: Net Sales. The main source of revenue for Fiber is from commercial leases and a lease to the City. A feasibility study is currently underway to expand this service to residential areas. Have the ability to raise rates at discretion of the governing body. A recent rate increase was approved.
- Gas: Net Sales, Connection charges. The main source of revenue for Gas is user fees assessed to commercial, industrial and residential customers. Have the ability to raise rates at discretion of the governing body. A recent rate increase was approved.
- WW Collection: Net Sales. The main source of revenue for WW Collection is user fees assessed to commercial, industrial and residential customers.
- WW Treatment: Net Sales. The main source of revenue for WW Treatment is user fees assessed to the following areas: Mountain View, Los Altos, East Palo Alto and Stanford.
- Water: Net Sales, Connection charges. The main source of revenue for Water is user fees assessed to commercial, industrial and residential customers. Have the ability to raise rates at discretion of the governing body.
- Airport: From Other Agencies, Hangar Fees. The main source of revenue for the Airport is state grants. A large increase in budgeted revenues from state grants is expected based on the 2020-2021 budget at $17M compared to $5.5M in 2019-2020. Relying on state grants for a majority of revenue could pose financial risk if funding is not available.
- Refuse: Net Sales. The main source of revenue for Refuse is user fees assessed to commercial, industrial and residential customers. Have the ability to raise rates at discretion of the governing body.
- Stormwater: Net Sales. The main source of revenue for Stormwater is user fees assessed to commercial, industrial and residential customers. Have the ability to raise rates at discretion of the governing body. A recent rate increase was approved.

Enterprise Fund Expense Analysis

Baker Tilly analyzed key expense categories and summarized that analysis in the table below.

Columns: Utility; Expenses; Comments/Drivers; Strengths; Limitations

- Electric: Resource Management, Administration and Capital Projects. Resource management represented 63% of expenses in 2019-2020. A majority of the capital project expense in 2019-2020 was spent on electric system improvements. Utility rates can be adjusted to account for increases in expenses. Capital projects can often be large expenses that can only be delayed for so long if needed.
- Fiber: Capital Projects, O&M and Planning Market/Contracts. The capital project expense is focused on design/construction. If services are extended to residential areas, an increase in operating expenses would be expected in future years. Utility rates can be adjusted to account for increases in expenses. Capital projects can often be large expenses that can only be delayed for so long if needed.
- Gas: Resource Management, Administration and Capital Projects. The capital project expense is focused on system improvements. Resource management includes gas transportation. Utility rates can be adjusted to account for increases in expenses. Capital projects can often be large expenses that can only be delayed for so long if needed.
- WW Collection: O&M, Capital Projects and Administration. O&M accounted for approx. 63% of expenses in 2019-2020. The capital project expense is mainly for system improvements. Utility rates can be adjusted to account for increases in expenses. Capital projects can often be large expenses that can only be delayed for so long if needed.
- WW Treatment: Capital Projects and Treatment Operations. Capital project expense for treatment was $4M in 2019-2020 but increases to $32M for 2020-2021 budget. Utility rates can be adjusted to account for increases in expenses. Capital projects can often be large expenses that can only be delayed for so long if needed.
- Water: Resource Management, O&M and Capital Projects. Water supply resources is the largest expense item accounting for $20M of the $43M spent in 2019-2020. Improvements are underway for a water quality control plant. Utility rates can be adjusted to account for increases in expenses. Capital projects can often be large expenses that can only be delayed for so long if needed. If state loans do not support control plant, will have to issue additional debt which will exceed normal debt cap.
- Airport: Capital Projects and Administration. Airport capital expenses in 2019-2020 were approx. 79% of total expenses. This number increases to 92% for the 2020-2021 budget. Rates can be adjusted to account for increases in expenses. Capital projects can often be large expenses that can only be delayed for so long if needed.
- Refuse: Refuse Collections and haulings account for $23.5M of the $35.5M expenses in 2019-2020. Landfill expenses, street sweeping and offsite disposal are other expenses in this category. Utility rates can be adjusted to account for increases in expenses.
- Stormwater: Storm Drainage. In-house storm drainage maintenance is the largest expense in this category. Utility rates can be adjusted to account for increases in expenses.

Information Technology

Overview of Information Technology Department

The Palo Alto Municipal Code requires the IT Department to provide leadership to the City Council and management on alignment of technology with City initiatives, policies, and strategic objectives and to direct and manage interdepartmental technology governance.
In July 2018, the IT Department published its FY19-21 IT Strategy, which identifies five major goals to support its mission: (1) Smart City services and capabilities, (2) Customer service, (3) Infrastructure, (4) Cybersecurity, and (5) Data governance.

The Information Technology department is organized into 5 functional groups to better provide support to the organization. According to the Palo Alto Information Technology Department’s October 2020 organizational chart, there are currently 33 positions in the department organized across the following functional areas:
- IT Security Services provides centralized guidance and leadership in the development of policies and procedures, legal compliance, risk management activities, disaster recovery activities and security audits.
- IT Operations provides enterprise architecture support, service desk support for end users, infrastructure support for the City’s operations, server housing, software support, technical training and asset management.
- IT Enterprise Systems provides systems governance and roadmap planning, system administration support and maintenance, system integration, business intelligence system management, master data management, system security and system change management.
- IT Program Management Office (PMO) provides strategic planning and alignment, project and program resource management, project risk management, performance measurement, data management, project life cycle management, system development life cycle (SDLC) management, and IT solution research, evaluation, and recommendation.
- Office of the Chief Information Officer (CIO) provides strategic planning, financial management, contract management, communications, workforce development, department administration and data analytics.

Refer to the Risk Matrix in Appendix B for additional information on each risk area.

Construction Management and Planning

Overview of Construction and Planning Activities

Many of the capital construction projects are managed by the City of Palo Alto Public Works Department. The Department is comprised of four divisions as follows:
- Engineering Services – Plans, designs and manages construction and renovations of City-owned facilities, parks and infrastructure
- Public Services – Performs preventive maintenance and repair of City-owned and leased buildings, streets, sidewalks, storm drains, traffic signs and markings
- Environmental Services – Operates and maintains the Regional Water Quality Control Plant and manages the City’s solid waste programs
- Airport Operations – Operates and maintains the Palo Alto Airport

The current strategic plan includes several initiatives, including ongoing construction on the waste water treatment plant and the $235 million Capital Improvement (Infrastructure) Plan introduced in 2014. The projects included in the Capital Improvement (Infrastructure) Plan are some of the largest construction projects the City has managed.

High-level Construction and Planning Risks

Construction projects are inherently risky. They can be highly visible, complex undertakings that require significant financial commitments. In addition, municipalities such as the City of Palo Alto are required to be good stewards of public funds.
Risks common to all municipalities include:
- Reputational damage related to projects the public considers unsuccessful
- Preconstruction planning risks such as:
  - Failure to acquire adequate right of way and subsequent restoration
  - Loss of service prevention
  - Proper site condition assessment
- Budget overruns due to excessive change order activity or abusive pricing practices
- Schedule delays due to poor or improper project management
- Fraud and/or abuse related to:
  - Bid and award
  - Price fixing
  - Materials substitutions

Construction and Planning Risks

The City of Palo Alto Public Works is currently working through the Capital Improvement (Infrastructure) Plan introduced in 2014. This is a $235 million plan that includes ten major capital projects ranging in value from $57 million to $2 million as well as dozens of other smaller maintenance and improvement projects. Examples of potential risks specific to the City of Palo Alto include:
- Inconsistent application of project controls – The City of Palo Alto Public Works has over 25 professionals that work on capital construction projects. Public Works has a construction administration manual; however, failure to consistently adhere to the operations manual could result in project impacts such as budget overruns and delays.
- Project controls not operating as intended – The recently completed Fire Station No. 3 project was delayed by approximately one year and experienced budget overruns. This could indicate ineffective project controls, or controls that are not operating as intended.
- Ineffective contractor pre-qualification – Public Works performs a contractor pre-qualification process on larger and higher risk projects. Certain projects experience a high degree of turnover by the contractor’s personnel and their subcontractors. This could indicate the pre-qualification process failed to eliminate unqualified contractors.
- Continued impacts from COVID-19 – Continued impacts include schedule delays and rising project costs. These could be related to labor and materials shortages, additional job site closures and abusive change order pricing practices from contractors.

Utilities

Overview of Palo Alto Utilities

The City of Palo Alto has five separate service lines, each a separate utility: electric, gas, water, sewer and fiber. The City purchases all power and does not conduct any generation activities.

High-level Utility Risks

The Utilities Department faces many risks that are common in the public utility industry. Example risks include:
- Cost allocations – The City hires staff who work across utilities, including gas, water, and wastewater, meaning that their time and expenses are associated with multiple different lines. Additionally, other facilities and resources are shared across departments and across services. This introduces a level of complexity with regard to cost allocations and derivations of customer rates.
- Feasibility study for fiber to the home – The City of Palo Alto is considering offering fiber optic as a service line to residents and commercial customers. This requires a significant effort in studying the feasibility of such a project, as well as challenging assumptions that are being made in initial analyses. Palo Alto will require consultations with outside fiber experts to ensure that all considerations are thoroughly captured.
- Electric utility purchases all power for resale – The monitoring of contracts for compliance with state and local requirements or goals for renewable or carbon neutral sources is a risk specific to the State of California and the City. Managing the cost of these contracts is also a risk for the City.
- AMI project on horizon – Palo Alto is moving towards an implementation of AMI technology for meter reading. AMI will allow the City to conduct meter readings with more efficiency and accuracy.
The costs associated with such an implementation are significant. Any such implementation effort may run into unexpected challenges and barriers. Additionally, redeploying current meter readers is also a challenge.
- Shut-offs during COVID-19 – As a practice, the City of Palo Alto does not currently shut off utilities for those who are regularly missing payments. This includes both commercial and residential customers. The City maintains financial reserves that fluctuate over time but attempts to keep them above 70 days. Continued non-payment of bills by customers will reduce financial reserves.
- Work Order and Asset Management – For any operations and maintenance, a proper work order system is vital to the operations of the utility. Modern day technology and automation can improve the work order process and reduce the number of steps required from employees.
- Rate recovery – Palo Alto owns and operates its own utilities. However, the City purchases all of its electric, water, and gas from other sources. The City must set its rates according to the cost to purchase power, water, and gas as well as all O&M and capital costs associated with administering the utilities. For example, the City purchases water from a different source than its neighbors and subsequently has higher water rates.

Risk Assessment Results

Risk Assessment Approach

Baker Tilly’s risk assessment approach consists of the following phases:

Risk Assessment Phase
Planning – The Planning phase entailed working with Palo Alto to determine the appropriate approach to plan and perform the risk assessment.
Information Gathering – In the Information Gathering phase of the risk assessment, we began identifying risks through interviews with City Council and the Executive Leadership Team (ELT) and review of critical documents such as the budget and financial statements.
Analysis – The Analysis phase included analyzing and prioritizing risks and correlating these risks to potential internal audit activities with input from Palo Alto’s Internal Audit management.
Reporting – The Reporting phase included developing this report that summarizes the objectives, scope, approach, and results of the risk assessment.

In considering the results of the risk assessment, there are some important points to keep in mind: The risk assessment process primarily measures inherent risk, before any internal controls or management plans are applied. Palo Alto has plans, processes, and/or controls in place to mitigate many or all of the identified risks. We did not intend to assess Palo Alto’s response to these risks, although we gathered some understanding of risk mitigation approaches through our interviews.

The risk assessment results on the following page summarize the top risks to Palo Alto. The risks are ranked based on potential impact and inherent likelihood of occurrence. We are not highlighting these areas as “problems.” Rather, due to the nature of Palo Alto as a city, the state in which it resides, current state and federal affairs, and observations raised by interview participants, our assessment indicates that these risk areas warrant the organization’s attention.

Risk Assessment Scoring Methodology

Baker Tilly scored each risk based on the likelihood of an adverse event occurring and the corresponding impact. “Likelihood” considers, in the absence of control and risk mitigation efforts, the relative possibility of adverse events occurring. If a related risk event were to occur, “Impact” considers implications of the adverse event relative to strategy, finance, reputation, and operations. The use of the consultants’ judgment was necessary at times to score risks.

Likelihood of an Adverse Event

Likelihood Definitions

| Likelihood | Scale | General |
|---|---|---|
| Very Likely | 5 | Weekly (50+ occurrences annually) |
| Likely | 4 | Monthly (10-50 occurrences annually) |
| Somewhat Likely | 3 | Annually (>10 occurrences annually) |
| Unlikely | 2 | Once every 2 years |
| Rare | 1 | Less than once every 2 years |

Impact of an Adverse Event

Baker Tilly considered many risks and potential adverse events – refer to Appendix B for the complete risk matrix. As part of the analysis, Baker Tilly considered risks related to major projects and initiatives as well as risks associated with specific functional areas of the organization. The table below shows the scoring methodology for major initiatives and projects:

Impact - Major Initiatives

| Impact | Scale | Financial |
|---|---|---|
| High | 5 | $50M+ |
| Elevated | 4 | $25M - $49.99M |
| Moderate | 3 | $10M - $2.99M |
| Minor | 2 | $5M - $9.99M |
| Insignificant | 1 | <$5M |

The table below shows the scoring methodology for function specific risks as well as general organization wide risks:

Impact Definitions - General

| Impact | Scale | Financial | General |
|---|---|---|---|
| High | 5 | Event causes a $100k or greater impact to revenue, expense, or net revenue | Very significant and long term impact to revenue, profit, brand/company image, and/or people |
| Elevated | 4 | Event causes a $50k - $100k impact to revenue, expense, or net revenue | Significant and sustained impact to revenue, profit, brand/company image, and/or people |
| Moderate | 3 | Event causes a $25k - $50k impact to revenue, expense, or net revenue | Moderate and short-term impact to revenue, profit, brand/company image, and/or people |
| Minor | 2 | Event causes a $5k - $25k impact to revenue, expense, or net revenue | Moderately low impact to revenue, profit, and/or brand/company image which can be overcome w/in 1 year |
| Insignificant | 1 | Event causes less than $5k impact to revenue, expense, or net revenue | Low impact to revenue, profit, and/or brand/company image which can be overcome within one quarter of occurrence |

Overall Risk Scoring

Following the scoring of likelihood and impact, each risk is assigned an overall score based on the methodology outlined in The Internal Auditor’s Guide to Risk Assessment by Rick Wright Jr. Red represents high risk, yellow represents moderate, and green represents low.

| Impact \ Likelihood | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| 5 | 30 | 38 | 44 | 48 | 50 |
| 4 | 20 | 28 | 36 | 42 | 46 |
| 3 | 12 | 18 | 26 | 34 | 40 |
| 2 | 6 | 10 | 16 | 24 | 32 |
| 1 | 2 | 3 | 8 | 14 | 22 |

Risk Assessment Results

The risk assessment results below present the risks identified, as well as their relative potential overall risk rating. The risks are ordered from highest risk to the lowest, and are grouped into high, moderate, and low risk categories based on the methodology summarized on the prior page. Note that this is a representative list of risks and does not contain all risks outlined in the Risk Matrix. Refer to Appendix B to review the full Risk Matrix including risk details and likelihood and impact scoring.

High Risks Moderate Risks Low Risks COVID-19 Response ADA Compliance Upgrade Financial Planning & Budgeting Renewable Standards Portfolio Public Safety Building Construction Investments, Debt, & Cash Management Fiber to Home Vendor Master File Management Tax Revenue & Economic Recovery Ransomware Gas Main Replacements Digital Marketing Real Estate and Property Management Use of Force and Officer Conduct Secondary Treatment Upgrades Human Services Contract Monitoring ERP System Upgrade Gas Main Replacements Children’s Theater Asset Management Accounts Receivable Race & Equity Initiative Library Events High Cost Claims & Litigation IT Architecture and Deployment Credit & Debt Urban Forestry Database and Data Management IT Disaster Recovery & Preparedness Ambulance Service College Terrace Market Long-Term Planning Public Works – Fleet Management Hazardous Materials Response Print & Mail Services Workforce & Succession Planning IT End-User Support & Perceptions IT Strategy & Governance External Affairs Wastewater Treatment Plant Operations Public Works – Engineering Services IT Host Intrusion and Malware Defense Airport
Operations AMI Project (utilities) Public Works – Facilities IT Information Security Labor Environment Utility Rates Public-Private Partnerships IT Operations & Monitoring Organizational Culture IT Organization and Architecture Airport Noise Pollution Purchase Power Contract Management Social Media Management Current Planning Background Check Procedures Ethics Employee Offboarding & Separation Disaster Response Records Management Organizational Governance Utilities Work Order & Asset Management

The following graph shows the distribution of overall risk scoring. Note that we do not necessarily seek a normal distribution but do consider distribution to evaluate the effectiveness of our scoring methodology, which has been right-sized to the City.

[Figure: Overall Risk Scoring Distribution. Bar chart by category (Low, Low-Moderate, Moderate, High-Moderate, High) with values 26, 37, 48, 27, 10.]

Appendices

Appendix A: Risk Framework

Baker Tilly’s risk framework below provides a strategic and structured view of risks in an organization, as well as the interdependencies between risks at multiple levels. It helps to promote a thorough methodology to the consideration of risk and serves as a valuable tool when facilitating discussions of risks throughout an organization.

Environmental – factors external to the organization
Citizen Demands Reputation Regulatory Economy Legal Technologies

Strategy – planning and decision making
Business Model Strategic Change Investments Planning and Budgeting Governmental Relations Financial Compliance Management Shareholder Relations Liquidity & Credit

Organization – attributes of Metra and departments
Governance Empowerment Communication Values Authority Performance Management Ethics and Code of Conduct Change Readiness Compliance Monitoring Organizational Structure Resource Allocation Safety & Occupational Hazards Leadership Skills and Training Succession Planning

Processes and Operations – functional effectiveness and policies and procedures
Quality Process Alignment Contracts Efficiency Accounting Procurement Performance Payroll Fraud Sourcing Human Resources Forecasting Continuity Information Systems Vendor Management

Information – records and knowledge
Data Integrity Financial Information Knowledge Management Access & Availability Financial Reporting Retention Security Regulatory Reporting Privacy

Infrastructure – facilities and systems
Capacity Maintenance Availability Reliability Facilities Utilities

Appendix B: Risk Matrix

For purposes of scoring risks based on likelihood and impact, Baker Tilly categorized risks in the following manner:
- Environment, Strategy, and Governance – Generally speaking, these risks affect the entire organization rather than a specific department or function.
- Major Projects and Initiatives – These are risks related to on-going projects and initiatives; generally speaking, the duration of the project lasts only as long as the project itself (i.e., they are not inherent to the organization).
- Function Specific Risks – These risks are inherent to a function with no timetable for completion.

Risk Matrix - Environment, Strategy, and Governance Risks (Risks 1-9)

The following table summarizes risks related to Environment, Strategy, and Governance:

Columns: Risk ID; Functional Area; Risk Title; Municipal Code Reference; Risk Detail (From documents provided, audit reports, interviews); Likelihood (1-5); Impact (1-5); Score; Risk Areas

Risk 1: Org Wide Ethics
Municipal Code Reference: Title 2 - Administrative Code, Part 7 Ethics in Contracting; Title 2 - Administrative Code, Chapter 2.09 Conflict of Interest for Designated Positions
Ethics is mentioned directly in the City Code as it pertains to purchasing/contracting. The City Code intends to prevent conflicts of interest in the purchasing process and requires employees to withdraw from participation in a purchasing or contracting activity where a real or perceived conflict exists. Additionally, the City has adopted a Conflict of Interest Code in accordance with the CA Political Reform Act. The City of Palo Alto has a Fraud, Waste, and Abuse Hotline in place and corresponding administrative policy. The objective of the Hotline is to encourage anonymous reporting of potential instances of fraud, waste, and abuse. The Hotline is monitored by a committee consisting of 3 members - the City Manager, City Auditor, and City Attorney.
Examples of Potential Risks:
>Instance of fraud, waste, or abuse involving a City employee or contractor engaged by the City
>Conflict of interest in the purchasing process whereby a City employee improperly influences a City purchasing decision
Likelihood: 1; Impact: 5; Score: 30
Risk Areas: Financial, Legal & Compliance, Reputation

Risk 2: Org Wide Governance
Municipal Code Reference: Charter of the City of Palo Alto, Article III. Council; Charter of the City of Palo Alto, Article III. Council, Section 9
The City of Palo Alto is governed first and foremost by its citizens. The citizens of Palo Alto elect seven members of City Council, who in turn elect the Mayor and Vice Mayor. The City Council is the governing body of the City and is responsible for all legislation.
The Council also sets the strategic direction and priorities of the City. It approves the budget, adopts ordinances and resolutions, and functions as a board of appeals. The City Council also appoints the City Manager, City Attorney, City Clerk, and City Auditor. The City Council has committees including the Policy & Services Committee and the Finance Committee. The City Council also appoints members to Boards and Commissions including the Human Relations Commission, the Utilities Advisory Commission, and the Public Art Commission. The Executive Leadership Team is the administrative function of the City and is made up of leaders from different departments across the City. The Executive Leadership Team is led by the City Manager.
Examples of Potential Risks:
>Acting outside the bounds of delegated authority
>Misuse and abuse of authority for personal gain
>Conflicts of interest in appointees by City Council
>Non-compliance with the City Charter
Likelihood: 2; Impact: 4; Score: 28
Risk Areas: Strategic, Operational, Legal & Compliance, Reputation, Political & Economic

Risk 3: Org Wide Labor Environment
City of Palo Alto employees are represented by seven unions and collective bargaining agreements. Palo Alto must maintain ongoing negotiations, handle disputes, and keep conflicts from becoming larger, more costly issues.
Labor contracts include:
>International Association of Fire Fighters (IAFF)
>Management and Professional Personnel and Council Appointees (MGMT)
>Fire Chief's Association (FCA)
>Palo Alto Peace Officers' Association (PAPOA)
>Palo Alto Police Management Association (PAPMA)
>Service Employees International Union (SEIU)
>Utilities Management and Professional Association of Palo Alto (UMPAPA)
The City also adheres to other compensation plans including:
>Limited Hourly Employees Compensation Plan
Examples of Potential Risks:
>Non-Compliance with California Labor Code
>Long-term financial pressures, including unfunded pension liabilities
>Agreement oversight and administrative burden
>Service disruptions due to extended contract negotiations
Likelihood: 3; Impact: 3; Score: 26
Risk Areas: Operational, Financial, Legal & Compliance, Reputation, Political & Economic

Risk 4: Org Wide Financial Planning and Budgeting
Municipal Code Reference: Title 2 - Administrative Code, Chapter 2.28 Fiscal Procedures
The adopted budget is released annually in August. The preparation of the budget begins in September of the prior year. The Office of Management and Budget (OMB) in the Administrative Services Department develops the operating and capital budgets. The OMB works with senior management and the City Manager to develop budgets accordingly. Per the Capital Budget for FY21, there are six sources that inform the budget:
>The City Council’s top priorities and other City Council directives, such as the 2014 Infrastructure Plan
>Organizational financial status and budgetary guidelines
>Service level and infrastructure prioritization, as identified by the City Manager
>Community input (e.g. Infrastructure Blue Ribbon Commission)
>The City’s policies regarding land use and community design, transportation, housing, natural environment, business, and economics, as outlined in the Comprehensive Plan.
Examples of Potential Risks:
>Disagreement among City leadership and/or City Council regarding budgetary priorities
>Non-compliance with City Code
>Long-term financial pressures, including unfunded pension liabilities
Likelihood: 2; Impact: 4; Score: 28
Risk Areas: Strategic, Operational, Financial

Risk 5: Org Wide Public-Private Partnerships
Palo Alto partners with private organizations and non-profits. In particular, the City has established partnerships with non-profits in the administration of senior services, the animal shelter, urban forestry, local history museum, suicide prevention activities, the Zoo, and others.
Examples of Potential Risks:
>Reputational damage done to the City based on actions of a partner
>Financial impact of any inefficiencies
>Agreement oversight and administrative burden
Likelihood: 3; Impact: 3; Score: 26
Risk Areas: Strategic, Operational, Financial, Reputation

Risk 6: Org Wide Compliance and Regulatory Environment
Palo Alto has numerous laws and regulations, ordinances, and policies and procedures that the organization and its employees must abide by. These laws are promulgated at the Federal, State, and Local level.
Examples of Potential Risks:
>Failure to track and update relevant regulations may lead to external audit findings, fines, and other punitive measures by federal and state agencies
>Changing regulations may add complexity to operations and strategic planning
>Non-compliance leading to enforcement action
Likelihood: 3; Impact: 2; Score: 16
Risk Areas: Legal & Compliance, Political & Economic

Risk 7: Org Wide Employee Retention & Succession Planning
Municipal Code Reference: Title 2 - Administrative Code, Chapter 2.36 Personnel Procedures
Many factors impact employee recruitment and retention within the City. The Public Employee Pension Reform Act of 2013 (PEPRA) ultimately made public employment less attractive in the State. The new benefits structure lowered retirement benefits to State employees.
Palo Alto and the surrounding area have a high cost of living. For many employees, it is difficult to afford to live in or near Palo Alto, and many employees commute great distances to work for the City. For certain positions, it is difficult to recruit candidates, as there are other employment options in more affordable communities. This is especially difficult for those employees with skills in high demand, such as linemen and other employees in the trades.
Examples of Potential Risks:
>Lack of succession planning or cross training may result in knowledge loss after employee separations
>High levels of turnover may result in expensive hiring/training
>Inability to recruit for key positions
>Inability to hire qualified candidates due to greater competition from other companies/communities
Likelihood: 4; Impact: 3; Score: 34
Risk Areas: Strategic, Operational, Financial

Risk 8: Org Wide Stanford University
Palo Alto provides Stanford University with a variety of services, including, but not limited to: police, fire, ambulance, disaster preparedness, land use, and utilities. Stanford directly and indirectly serves as a revenue source for the City. Stanford University is the largest source of property taxes within the City, with $5.5M in taxable assets for the City. The City and Stanford also partner on various community issues, relationships and projects. Stanford Medical and Stanford University are the first and third largest employers in Palo Alto, respectively. Palo Alto is responsible for providing services to students, faculty, staff and visitors of the University every day, as well as providing increased services for special events held by or at Stanford University every year.
Examples of Potential Risks:
>Reliance on revenue generation directly and indirectly tied to Stanford University
>Shared blame or reputational impact for instances that occur on or by Stanford persons or property, and City services are involved
Likelihood: 1; Impact: 4; Score: 20
Risk Areas: Financial, Reputation, Political & Economic

Risk 9: Org Wide Organizational Culture
Culture is the system of values, beliefs and behaviors that shape how things get done within an organization. Culture risk results from potential misalignments between the values and beliefs of an organization and day to day operations.
Examples of Potential Risks:
>Acceptance of deviations from policies and procedures
>Culture of long hours leading to employee dissatisfaction
>Lack of ethical tone at the top
Likelihood: 3; Impact: 3; Score: 26
Risk Areas: Operational, Reputation, Political & Economic

Risk Matrix - Major Projects & Initiatives (Risks 10-40)

The following table summarizes risks related to Major Projects and Initiatives:

Columns: Risk ID; Functional Area; Risk Title; Risk Detail (From documents provided, audit reports, interviews); Likelihood (1-5); Impact (1-5); Score; Risk Areas

Risk 10: City Wide COVID-19 Response
Palo Alto has operated under emergency response orders since March 2020. Mitigation and control of COVID-19 is imperative for citizen and employee safety and continued operation of City services.
COVID-19 has created additional needs and hurdles for the City, including:
>In 50% of medical response calls, the patient has at least one symptom of COVID
>Increased demand for public services
>Transition to a completely virtual environment
>More centralized need for internal and external communications
>Browning-out of fire services
>Discontinued shuttle services
Examples of Potential Risks:
>Inability to meet citizens’ demands given current financial and operational constraints
>Transition of communications and operations to normal operational status
>Health and safety of citizens and employees
Likelihood: 5; Impact: 5; Score: 50
Risk Areas: Strategic, Operational, Financial, Legal & Compliance, Reputation, Political & Economic

Risk 11: Uplift Local Program Parking Revenue
The City has closed or partially closed several streets to allow restaurants and patrons more space for socially distanced outdoor dining. The City has also removed parking meters and garage parking fees during this time. The City implemented the Uplift Local Program to help support the economy and local businesses, residents and visitors.
Examples of Potential Risks:
>Loss of revenues from closure or suspending parking meter and parking garage fees
>Logistics for reopening of closed streets
>Resistance from businesses and vendors on reopening streets and stopping outdoor dining and shopping
Likelihood: 5; Impact: 1; Score: 22
Risk Areas: Operational, Financial, Legal & Compliance, Reputation, Political & Economic

Risk 12: Administrative Services ERP System Upgrade
The City of Palo Alto is currently undergoing an upgrade of the ERP system. This includes two phases of efforts. The first phase is upgrading to a new version of SAP. The second phase focuses on process improvement through use of the upgraded system.
Examples of Potential Risks:
>Unforeseen barriers in implementation requiring change orders that delay the process and increase overall expenses
>Strain on capacity associated with the level of attention required by ERP implementation
>Data loss during system upgrade or subsequent efforts
>System downtime leading to stoppage in the ability to provide services
Likelihood: 3; Impact: 4; Score: 36
Risk Areas: Operational, Financial, Legal & Compliance, IT, Reputational

Risk 13: Legal Foothills Park
In November 2020, the City Council voted to open Foothills Park to non-residents. This decision came after years of discussion and consideration.
Examples of Potential Risks:
>Reputational risks associated with those of dissenting opinions regarding restricted access to the park
>Operation of the park given opening to non-citizens
Likelihood: 3; Impact: 3; Score: 26
Risk Areas: Legal & Compliance, Reputation, Political & Economic

Risk 14: Public Safety Public Safety Building Construction
The City approved the FY21-FY25 Capital Improvement Plan, which includes construction of the Public Safety Building. The total project budget is $118M, of which $106.6M is budgeted from FY21-FY25. Justification for the project was included in the 2014 Council approved Infrastructure Plan, which was preceded by a recommendation by the Infrastructure Blue Ribbon Commission report in 2011.
Examples of Potential Risks:
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
Likelihood: 3; Impact: 5; Score: 44
Risk Areas: Operational, Financial

Risk 15: Public Works Newell Road/San Francisquito Creek Bridge Replacement
The City approved the FY21-FY25 Capital Improvement Plan, which includes the continued replacement of the Newell Road/San Francisquito Creek Bridge.
The total project budget is $16.2M, of which $12.4M is budgeted from FY21-FY25. Removal of the existing bridge is a necessary element of the San Francisquito Creek Joint Powers Authority (JPA) comprehensive flood management program.
Examples of Potential Risks:
>Availability of funding to complete the project
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
Likelihood: 2; Impact: 3; Score: 18
Risk Areas: Operational, Financial, Legal & Compliance, Reputation

Risk 16: Public Works Fire Station 4 Replacement
The City approved the FY21-FY25 Capital Improvement Plan, which includes construction of Fire Station 4. The total project budget is $10.2M, all of which is budgeted from FY21-FY25. This project provides funding to replace Fire Station #4 at the corner of Middlefield Road and East Meadow Drive. The replacement facility will be based on the prior Replacement Study and Needs Assessment prepared in 2005.
Examples of Potential Risks:
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
Likelihood: 2; Impact: 3; Score: 18
Risk Areas: Operational, Financial, Legal & Compliance, Reputation

Risk 17: Public Works Street Maintenance
The City approved the FY21-FY25 Capital Improvement Plan, which includes the continued upkeep and repair of various City streets. The total project budget is $24.8M, all of which is budgeted from FY21-FY25. This project provides funding for annual resurfacing, slurry sealing, crack sealing, and reconstruction of various City streets.
Using Pavement Maintenance Management Systems (PMMS) and Metropolitan Transportation Agency's StreetSaver software, streets determined to be below the pavement condition index (PCI) standard minimum of 60 are to be repaired. The City Council established a goal of achieving an average City wide PCI of 85, and intends to bring all City streets to a PCI of 85 or greater.
Examples of Potential Risks:
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
Likelihood: 2; Impact: 3; Score: 18
Risk Areas: Operational, Financial, Legal & Compliance, Reputation

Risk 18: Office of Transportation Railroad Grade Separation and Safety Improvements
The City approved the FY21-FY25 Capital Improvement Plan, which includes the construction and upkeep of safety measures at railroad crossings. The total project budget is $13M, of which $9.3M is budgeted from FY21-FY25. Connecting Palo Alto is a community-based process to advance the railroad grade crossing circulation study and context sensitive solutions study envisioned by the City Council.
Examples of Potential Risks:
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
Likelihood: 2; Impact: 3; Score: 18
Risk Areas: Operational, Financial, Legal & Compliance, Reputation

Risk 19: Administration Capital Improvement Fund Administration
The City approved the FY21-FY25 Capital Improvement Plan, which includes the building of administrative reserves for costs associated with salary and benefits for CIP projects.
The total project budget is $12.8M, all of which is budgeted from FY21-FY25. Administrative costs associated with the completion of CIP projects are capitalized and are added to the total costs of projects.
Examples of Potential Risks:
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
Likelihood (1-5): 2; Impact (1-5): 3; Score: 18; Risk Areas: Operational, Financial, Legal & Compliance, Reputation

Risk ID: 20; Functional Area: Public Works; Risk Title: Airport Apron Reconstruction
Risk Detail: The City approved the FY21-FY25 Capital Improvement Plan, which includes the repaving of airport pathways. The total project budget is $44.6M, of which $19.4M is budgeted from FY21-FY25. The project includes the total re-pavement of airport runways, taxiways and pavement surfaces critical to airport safety. Average pavement condition index (PCI) for the airport was 36, below the industry standard minimum of 60, and below the City's goal of a PCI of 85. A PCI of 36 indicated a need for full pavement reconstruction.
Examples of Potential Risks:
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
Likelihood (1-5): 2; Impact (1-5): 3; Score: 18; Risk Areas: Operational, Financial, Legal & Compliance, Reputation

Risk ID: 21; Functional Area: Utilities; Risk Title: Electric Customer Connections
Risk Detail: The City approved the FY21-FY25 Capital Improvement Plan, which includes the installation of services, transformers and meters for new customers. The total project budget is $13.5M, all of which is budgeted from FY21-FY25. During a typical year, over 200 electric services are installed or upgraded in the City.
Examples of Potential Risks:
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
Likelihood (1-5): 2; Impact (1-5): 3; Score: 18; Risk Areas: Operational, Financial, Legal & Compliance, Reputation

Risk ID: 22; Functional Area: Utilities; Risk Title: Electrical Systems Improvement
Risk Detail: The City approved the FY21-FY25 Capital Improvement Plan, which includes improvements to the Electrical Distribution System. The total project budget is $12.6M, all of which is budgeted from FY21-FY25. Typical activities include: increasing system capacity for load growth, replacing deteriorated capital facilities, reconfiguring/adding to the system to improve service reliability, repairing and replacing storm damaged equipment, and making general improvements to the system.
Examples of Potential Risks:
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
Likelihood (1-5): 2; Impact (1-5): 3; Score: 18; Risk Areas: Operational, Financial, Legal & Compliance, Reputation

Risk ID: 23; Functional Area: Utilities; Risk Title: Smart Grid Technology Installation
Risk Detail: The City approved the FY21-FY25 Capital Improvement Plan, which includes building a smart grid. The total project budget is $19.4M, of which $19M is budgeted from FY21-FY25. Smart grid technology, including the Smart Grid Road Map, leads to operational cost savings and energy conservation.
Examples of Potential Risks:
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
Likelihood (1-5): 2; Impact (1-5): 3; Score: 18; Risk Areas: Operational, Financial, Legal & Compliance, Reputation

Risk ID: 24; Functional Area: Utilities; Risk Title: Renewable Portfolio Standard (RPS)
Risk Detail: The City of Palo Alto has ambitious goals to become a greener City. The State of California also has ambitious goals as it pertains to limiting greenhouse gas emissions by adopting renewable energy sources. As stated on the City's website, "in 2018, California adopted one of the most aggressive Renewable Portfolio Standard (RPS) policies in the country, requiring that all utilities in the state supply 60% of their retail electric sales from eligible renewable energy resources by 2030 and putting the state on a path to 100% fossil-fuel free electricity by 2045." The City adopted a similar plan in 2002 and committed to providing customers a carbon neutral electricity supply in 2013. Today, all of Palo Alto's energy comes from renewable sources.
Examples of Potential Risks:
>Failure to maintain 100% renewable energy sources leading to reputation risks
>Increased cost of renewable power due to economic/political changes
Likelihood (1-5): 1; Impact (1-5): 3; Score: 12; Risk Areas: Strategic, Financial, Reputation, Political & Economic

Risk ID: 25; Functional Area: Utilities; Risk Title: Fiber To The Home
Risk Detail: The City has been exploring the possibility of providing the option for residents to connect to a fiber optic network for faster internet. This would involve expanding the current fiber optic network and formalizing a new utility function. Interest in the service has been rising and the Utilities Department has been exploring the possibility of implementing a larger fiber optic network. The City has engaged a consultant to perform a feasibility study.
Examples of Potential Risks:
>Financial loss associated with learning curve of new service
>Resources associated with operating the new service
>Risk of misalignment with broader City strategy
Likelihood (1-5): 2; Impact (1-5): 4; Score: 28; Risk Areas: Operational, Financial, Legal & Compliance, Reputation

Risk ID: 26; Functional Area: Utilities; Risk Title: Water Tank Seismic Upgrade and Rehabilitation
Risk Detail: The City approved the FY21-FY25 Capital Improvement Plan, which includes upgrades and repairs to the water tank seismic system. The total project budget is $15.6M, of which $12M is budgeted from FY21-FY25. Work at the reservoir sites will also include the installation of: new seismic shut off valves between the reservoirs and valve vaults, new plug valves, piping and pipe supports in the valve vaults, and recoating of the interior and exterior reservoir walls.
Examples of Potential Risks:
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
Likelihood (1-5): 2; Impact (1-5): 3; Score: 18; Risk Areas: Operational, Financial, Legal & Compliance, Reputation

Risk ID: 27; Functional Area: Utilities; Risk Title: Water Main Replacement
Risk Detail: The project will fund the design and replacement of structurally deficient water mains and appurtenances in Fiscal Years 2024 and 2026. Mains are selected by researching the maintenance history of the system and identifying those that are undersized, corroded, and subject to breaks.
Water main replacements total $21.8M and include four projects:
> Project 27: 9,150 linear feet, at $2.5M
> Project 28: 14,985 linear feet, at $9.1M
> Project 29: 13,425 linear feet, at $9.4M
> Project 30: 13,025 linear feet, $.85M
Examples of Potential Risks:
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
Likelihood (1-5): 2; Impact (1-5): 3; Score: 18; Risk Areas: Operational, Financial, Legal & Compliance, Reputation

Risk ID: 28; Functional Area: Utilities; Risk Title: Gas Main Replacements
Risk Detail: The City is replacing gas mains that may be leaking, inadequately-sized, and/or structurally deficient based on the City's Distribution Integrity Management Plan's mathematical model. The model is used to evaluate risks presented by PVC and steel facilities located within business districts that have been assigned the highest probability and consequence scores. The project will target replacing PVC mains and services located in business districts and steel mains and services with ineffective corrosion protection, also known as cathodic protection. Targeted streets will be coordinated with the Public Works Street Maintenance Program to complete replacement before streets are paved.
Gas main replacements total $29.6M and include three projects:
> Project 23: 21,700 linear feet, at $7.6M
> Project 24: 33,050 linear feet, at $11M
> Project 25: 31,260 linear feet, at $11M
Examples of Potential Risks:
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
Likelihood (1-5): 2; Impact (1-5): 4; Score: 28; Risk Areas: Operational, Financial, Legal & Compliance, Reputation

Risk ID: 29; Functional Area: Public Works; Risk Title: RWQCP Plant Repair, Retrofit and Equipment Replacement
Risk Detail: This project provides funding for the assessment, repair, and retrofit of the Regional Water Quality Control Plant's (RWQCP) concrete and metal structures; the replacement of necessary RWQCP equipment and ancillary facilities to maintain treatment reliability and existing infrastructure; and the replacement of large diameter flow meters built into the wastewater treatment system on sewers, pipes, and water lines. The budget from FY21-FY25 is $21.5M.
Examples of Potential Risks:
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
Likelihood (1-5): 2; Impact (1-5): 3; Score: 18; Risk Areas: Operational, Financial, Legal & Compliance, Reputation

Risk ID: 30; Functional Area: Public Works; Risk Title: Primary Sediment Tank Rehabilitation
Risk Detail: The four primary concrete sediment tanks are in need of new protective coatings and replacement of worn rotating parts and aging power distribution equipment. The tanks, installed in 1972, are 220 feet long by 41 feet wide by 14 feet deep each and remove settleable solids and floatable grease with mechanical and electrical equipment.
Recoating is necessary for the structural integrity of the concrete. The budget from FY21-FY25 is $21.7M.
Examples of Potential Risks:
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
Likelihood (1-5): 2; Impact (1-5): 3; Score: 18; Risk Areas: Operational, Financial, Legal & Compliance, Reputation

Risk ID: 31; Functional Area: Public Works; Risk Title: Secondary Treatment Upgrades
Risk Detail: Upgrades to the Secondary Treatment process at the Regional Water Quality Control Plant (RWQCP). The existing Secondary Treatment process has two main components: the Fixed Film Reactors (FFR) and the Activated Sludge (AS) Process. This project includes the reconfiguration of the aeration basins, modification of the AS Process, and the elimination of the FFRs. Justification of the project was identified in the Long Range Facilities Plan accepted by Council in 2012. The components of the Secondary Treatment process are between 35 and 45 years old and show signs of wear and structural weakness. The budget from FY21-FY25 is $31.3M.
Examples of Potential Risks:
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
Likelihood (1-5): 2; Impact (1-5): 4; Score: 28; Risk Areas: Operational, Financial, Legal & Compliance, Reputation

Risk ID: 32; Functional Area: Utilities; Risk Title: Water Tank Seismic Upgrade and Rehabilitation
Risk Detail: The City approved the FY21-FY25 Capital Improvement Plan, which includes upgrades and repairs to the water tank seismic system. The total project budget is $15.6M, of which $12M is budgeted from FY21-FY25.
Work at the reservoir sites will also include the installation of: new seismic shut off valves between the reservoirs and valve vaults, new plug valves, piping and pipe supports in the valve vaults, and recoating of the interior and exterior reservoir walls.
Examples of Potential Risks:
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
Likelihood (1-5): 2; Impact (1-5): 3; Score: 18; Risk Areas: Operational, Financial, Legal & Compliance, Reputation

Risk ID: 33; Functional Area: Utilities; Risk Title: Water Main Replacement
Risk Detail: The project will fund the design and replacement of structurally deficient water mains and appurtenances in Fiscal Years 2024 and 2026. Mains are selected by researching the maintenance history of the system and identifying those that are undersized, corroded, and subject to breaks. Water main replacements total $21.8M and include four projects:
> Project 27: 9,150 linear feet, at $2.5M
> Project 28: 14,985 linear feet, at $9.1M
> Project 29: 13,425 linear feet, at $9.4M
> Project 30: 13,025 linear feet, $.85M
Examples of Potential Risks:
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
Likelihood (1-5): 2; Impact (1-5): 3; Score: 18; Risk Areas: Operational, Financial, Legal & Compliance, Reputation

Risk ID: 34; Functional Area: Public Works; Risk Title: Scheduled Vehicle and Equipment Replacement
Risk Detail: The ongoing replacement of City fleet vehicles and equipment is prescribed by the City's policy on vehicle replacement, which includes guidelines based on age, mileage accumulation, and obsolescence.
Timely replacement of vehicles lowers maintenance costs, helps to maintain or even increase the productivity of client departments, and allows the City to take advantage of new technology. The largest vehicle replacement costs are scheduled for FY23 and FY25 at $3.4M and $3.1M respectively. The FY21 budget includes $1.4M in budgeted expenses.
Examples of Potential Risks:
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Justification for change orders or changes in delivery schedules
Likelihood (1-5): 2; Impact (1-5): 3; Score: 18; Risk Areas: Operational, Financial, Legal & Compliance, Reputation

Risk ID: 35; Functional Area: Utilities; Risk Title: Gas Main Replacements
Risk Detail: The City is replacing gas mains that may be leaking, inadequately-sized, and/or structurally deficient based on the City's Distribution Integrity Management Plan's mathematical model. The model is used to evaluate risks presented by PVC and steel facilities located within business districts that have been assigned the highest probability and consequence scores. The project will target replacing PVC mains and services located in business districts and steel mains and services with ineffective corrosion protection, also known as cathodic protection. Targeted streets will be coordinated with the Public Works Street Maintenance Program to complete replacement before streets are paved.
Gas main replacements total $29.6M and include three projects:
> Project 23: 21,700 linear feet, at $7.6M
> Project 24: 33,050 linear feet, at $11M
> Project 25: 31,260 linear feet, at $11M
Examples of Potential Risks:
>Design and operating effectiveness of internal controls over various financial aspects of the construction project
>Adherence to construction contract terms and conditions
>Mathematical accuracy of project related costs
>Justification for change orders or changes in delivery schedules
Likelihood (1-5): 2; Impact (1-5): 4; Score: 28; Risk Areas: Operational, Financial, Legal & Compliance, Reputation

Risk ID: 36; Functional Area: Public Works; Risk Title: ADA Compliance Upgrade
Risk Detail: According to Palo Alto's ADA Transition Plan, the ADA Transition "project identifies potential noncompliant items and other physical barriers at City buildings, parking lots, and recreational facilities. The work to be performed under this contract includes the evaluation of site and program accessibility compliance to provide the basis for identification, prioritization, budgeting, and implementation of plans, as well as an updated plan and database which will be used in continuing efforts to comply with accessibility requirements as established by the ADA and State of California Building Code (CBC) accessibility provisions." This will be a multi-decade project to upgrade City-owned properties to align with ADA requirements.
Examples of Potential Risks:
>Unforeseen costs associated with a multi-decade project, consuming greater Capital Improvement funds than expected
>Changes in ADA regulations during the course of the project, requiring changes to the existing plan
Likelihood (1-5): 2; Impact (1-5): 5; Score: 38; Risk Areas: Operational, Financial, Legal & Compliance, Reputation

Risk ID: 37; Functional Area: City Wide; Risk Title: Sustainability and Climate Action Plan
Risk Detail: Palo Alto's goal is to reduce our greenhouse gas emissions 80 percent below 1990 levels by 2030.
In early 2020, the City launched an update to the Sustainability and Climate Action Plan (S/CAP) to help meet our sustainability goals, including our goal of reducing GHG emissions 80 percent below 1990 levels by 2030. The plan includes goals and key actions in seven areas: Energy, Mobility, Electric Vehicles, Water, Climate Adaptation and Sea Level Rise, Natural Environment, and Zero Waste.
Examples of Potential Risks:
>Reputational risk of not achieving stated goals
>Costs associated with marginal improvements in greenhouse gas emission reductions
Likelihood (1-5): 2; Impact (1-5): 3; Score: 18; Risk Areas: Operational, Financial, Reputation

Risk ID: 38; Functional Area: City Wide; Risk Title: Noise Pollution
Risk Detail: Palo Alto is impacted by three arrival routes into San Francisco International Airport (SFO). These routes have had an ongoing negative health impact on our community, which has intensified due to the implementation of the Federal Aviation Administration’s NextGEN Initiative. The City is committed to working with our citizens, Congress, the Federal Aviation Administration (FAA), SFO, SFO’s Community Roundtable, neighboring city and county agencies, regional airports, noise groups, and all stakeholders associated with air traffic in Silicon Valley to find solutions which restore the quality of life of our community.
Examples of Potential Risks:
>Health and safety risk associated with noise pollution.
>Property value reductions
>Community trust and engagement
Likelihood (1-5): 3; Impact (1-5): 3; Score: 26; Risk Areas: Financial, Legal & Compliance, Reputation

Risk ID: 39; Functional Area: City Wide; Risk Title: College Terrace Market
Risk Detail: The PC ordinance (5069), and the associated Restrictive Covenant, require that a grocery store must be in continuous operation. If the grocery store ceases operations, a new grocery operator must be found. There is a six-month grace period for the property owner to find a new grocery tenant.
Starting on February 13, 2020, daily fines of $2,157/day began to be assessed against the property owner for its failure to have a grocery store in operation. This requirement for the continuous operation of a grocery store was established by PC Ordinance 5069 and was further amended by a restrictive covenant put in place in 2015.
Examples of Potential Risks:
>Inability to identify and retain a tenant
>Reputational risk associated with requiring a grocery store
Likelihood (1-5): 2; Impact (1-5): 2; Score: 10; Risk Areas: Legal & Compliance, Reputation

Risk ID: 40; Functional Area: City Wide; Risk Title: Race & Equity Initiative
Risk Detail: In June 2020, the City Council adopted a resolution affirming that Black lives matter and committed to address systemic racism and bias, and honored the lives of George Floyd, Breonna Taylor, Ahmaud Arbery, and others that have fallen victim to violence at the hands of authorities. The City Council also approved the Race & Equity Framework and action plan and a series of actions including reviewing policing practices, making changes to use-of-force policies to reduce the potential for violence, and engaging the community in ongoing, thoughtful dialogue and leadership.
Examples of Potential Risks:
>Inaction causing reputational damage
>Improper use of force
Likelihood (1-5): 2; Impact (1-5): 4; Score: 28; Risk Areas: Financial, Legal & Compliance, Reputation

Risk Matrix - Function Specific Risks (Risks 41-148)

The following table summarizes Function Specific Risks:
Columns: Risk ID, Functional Area, Risk Title, Municipal Code Reference, Risk Detail (From documents provided, audit reports, interviews), Likelihood (1-5), Impact (1-5), Score, Risk Areas

Risk ID: 41; Functional Area: Administrative Services; Risk Title: P-Card Program
Municipal Code Reference: 2.08.150 Department of Administrative Services; 2.30.240 Designated Employees' Use of Petty Cash, P-Card, or Other Credit Card
Risk Detail: The City of Palo Alto uses P-Cards throughout the organization to leverage purchasing power and improve purchasing processes. The organization has hundreds of P-Cards assigned to individuals throughout the City. P-Cards can be requested through purchasing and require supervisor approval for use.
Transactions have a threshold of $10k.
Examples of Potential Risks:
>Personal expenditures on City P-Cards for items that could be interpreted as business expenses
>Circumventing policy, such as splitting transactions to fall below the $10K threshold
>Information technology purchases that do not allow for proper IT oversight or governance
Likelihood (1-5): 4; Impact (1-5): 2; Score: 24; Risk Areas: Financial, Legal & Compliance

Risk ID: 42; Functional Area: Administrative Services; Risk Title: Vendor Master File
Municipal Code Reference: 2.08.150 Department of Administrative Services
Risk Detail: At the City of Palo Alto, duties pertaining to changes to the Vendor Master File are segregated such that one individual cannot both process payments and modify the Vendor Master File.
Examples of Potential Risks:
>Accounts Payable changing payment information to a personal bank account routing number
>Erroneous Vendor data leading to improper payments
Likelihood (1-5): 1; Impact (1-5): 3; Score: 12; Risk Areas: Financial, Reputation

Risk ID: 43; Functional Area: Administrative Services; Risk Title: Print and Mail Services
Municipal Code Reference: 2.08.150 Department of Administrative Services
Risk Detail: The City of Palo Alto operates a print and mail services department, managing the mailing of all utility bills, acting as a central receiving area in City Hall, and also completing any printing services. The print services division handles printing of Council packets for City Council members.
Examples of Potential Risks:
>Financial and operational opportunity costs of running in-house mail services department compared to outsourcing the function
Likelihood (1-5): 2; Impact (1-5): 2; Score: 10; Risk Areas: Strategic, Operational, Financial

Risk ID: 44; Functional Area: Administrative Services; Risk Title: Real Estate and Property Management
Municipal Code Reference: 2.08.150 Department of Administrative Services
Risk Detail: The City of Palo Alto handles many different real estate and property agreements such as easements, rights of way, leases, tie back agreements, and more. The Real Property team provides expertise on real estate matters and partners with client departments on specific real estate needs.
Examples in which the Real Property team coordinates with client departments include leases at the Cubberley Community Center and hangar space at the airport.
Examples of Potential Risks:
>Inadequate technology to manage lease agreements
>Lack of capacity to manage and ensure accuracy in real estate agreements
>Revenue collection errors
>Failure to properly implement GASB 87
Likelihood (1-5): 4; Impact (1-5): 4; Score: 42; Risk Areas: Operational, Financial, Legal & Compliance

Risk ID: 45; Functional Area: Attorney; Risk Title: Claims & Claim Reserves
Municipal Code Reference: 2.28.240 Settlement of Claims and Actions; 2.08.120 Office and Duties of the City Attorney; State of California Tort Claims Act
Risk Detail: As provided in Section 935.4 of the Government Code of California, the City Attorney is designated to perform the functions of the City Council relative to claims and actions against the City or any of its officers or employees under the provisions of Division 3.6 of the Government Code. The City may be liable for a variety of claims including:
>Torts Claims
>Law Claims
>Labor and Employment Claims
>Contract Claims
Risk to the City is mitigated through the City's membership in the Authority for California Cities Excess Liability (ACCEL) pool, through which the City insures itself.
Examples of Potential Risks:
>Property damage resulting from City actions
>Motorist injuries due to an interaction with a Palo Alto staff member acting within scope of her/his employment
>An employee suffers an injury while performing their job duties
Likelihood (1-5): 3; Impact (1-5): 3; Score: 26; Risk Areas: Legal & Compliance

Risk ID: 46; Functional Area: Clerk; Risk Title: Elections
Municipal Code Reference: Chapter 2.40 Municipal Elections
Risk Detail: The City Clerk is the local Filing Officer for the State of California. All local campaign Committees are required to file Campaign Statements with the City Clerk. The City Clerk maintains regulations and forms under the State of California Fair Political Practices Commission.
Examples of Potential Risks:
>Non-compliance with regulatory requirements
Likelihood (1-5): 1; Impact (1-5): 2; Score: 6; Risk Areas: Reputation

Risk ID: 47; Functional Area: Clerk; Risk Title: Public Records Requests
Municipal Code Reference: 2.08.110 Office and Duties of the City Clerk; 2.08.300 Books and records. (Ord. 4274 § 1 (part), 1995)
Risk Detail: The City receives upwards of 400 requests for information every year. Public records requests come in a variety of ways: written, in person, online and over the phone. Compliance with the Freedom of Information Act (FOIA) and state and local jurisdiction dictates the availability of requests and outlines the procedures for providing documents to the public.
Examples of Potential Risks:
>Incoming requests are decentralized, leaving possibility for requests to go unfulfilled
>Fulfilling of requests is centralized, burdening the department and causing inefficiencies
>Noncompliance with applicable laws
Likelihood (1-5): 2; Impact (1-5): 2; Score: 10; Risk Areas: Financial, Legal & Compliance, Reputation

Risk ID: 48; Functional Area: Clerk; Risk Title: Records Management
Municipal Code Reference: 2.08.110 Office and Duties of the City Clerk; 2.08.300 Books and records. (Ord. 4274 § 1 (part), 1995)
Risk Detail: The City Clerk is the Records Manager for the City and is responsible for maintaining the City's Records Retention Schedule and for providing departments with guidance on policies and best practices of records management. The City Clerk's Office records official actions and legislation of the municipal government and retains other legal and historical records. The City Clerk manages the proper maintenance and disposition of City records and information according to statute, and helps to preserve City history. Formalized Standard Operating Procedures (SOPs) communicate the correct way of carrying out records management activities. SOPs help the organization operate efficiently, maintain consistency, and communicate clearly.
The City Clerk does not have current SOPs detailing records management and retention practices. A modern/centralized records management system may increase efficiency and offer functionality such as analytics and reporting capability. Without a centralized repository, employees use paper based files and multiple online platforms. The City of Palo Alto operates on a decentralized records management process.
Examples of Potential Risks:
>Damage to documents from improper storage
>Inability for documents and information to be accurately recorded and sourced for public information requests, and the public is given inaccurate information about the availability of documents
>Institutional knowledge is lost when employees retire or leave the department
>Records are destroyed prematurely or stored longer than legally necessary
Likelihood (1-5): 4; Impact (1-5): 2; Score: 24; Risk Areas: Operational, Legal & Compliance, Reputation

Risk ID: 49; Functional Area: Communications; Risk Title: External Affairs
Risk Detail: Relations with the media and general public are primarily handled by the Communications Office. The City of Palo Alto works to inform the media in a timely and accurate manner, including through a monthly newsletter, press releases, interviews, news releases to 400 media contacts, and statements on behalf of departments and the City. Requests for information from media are decentralized, with the majority of responses for comments and communication coming from the Communications Department. Multiple channels are used by the City to build relationships and inform the citizens of Palo Alto and surrounding communities.
The City works to engage stakeholders and provide a positive public perception by:
>Communicating through its multiple platforms
>Hosting community service events
>Maintaining open and transparent government
Examples of Potential Risks:
>False or misleading information is published by the City
>Conflicting statements made by City officials
>Lack of internal controls for managing media requests
Likelihood (1-5): 2; Impact (1-5): 2; Score: 10; Risk Areas: Strategic, Legal & Compliance, Reputation, Political & Economic

Risk ID: 50; Functional Area: Communications; Risk Title: Social Media Management
Municipal Code Reference: Brown Act (California Government Code Section 54950 et seq.)
Risk Detail: Social media accounts are handled and managed by separate, decentralized departments. Content published by these accounts is not generated from a central office, but is monitored by the Communications Office. Additionally, elected officials' social media posts may be considered public record and may be subject to State law. The majority of instances include the use of personal platforms to promote City agenda, issues and positions.
Examples of Potential Risks:
>False or misleading information is published by City owned accounts
>Conflicting information is provided by multiple City owned accounts
>Lack of internal controls for publishing content on City owned accounts
>Publishing of inappropriate or inaccurate content
>Inaccurately holding and/or managing public information for records management
Likelihood (1-5): 3; Impact (1-5): 3; Score: 26; Risk Areas: Strategic, Legal & Compliance, Reputation, Political & Economic

Risk ID: 51; Functional Area: Communications; Risk Title: Digital Marketing
Risk Detail: Digital platforms, such as websites, social media, online platforms, blog posts (Palo Alto Connect) and digital newsletters are used to disperse information and inform community members and City employees. Additionally, these platforms are used to advertise City services and events.
Examples of Potential Risks:
>False and/or misleading information is published by the City
>Publishing of inappropriate or inaccurate content
Likelihood (1-5): 1; Impact (1-5): 3; Score: 12; Risk Areas: Strategic, Legal & Compliance, Reputation, Political & Economic

Risk ID: 52; Functional Area: Communications; Risk Title: Internal Communications
Municipal Code Reference: 18.79.010 Purposes
Risk Detail: Communications oversees formal internal communications, including creation and/or review of Citywide emails, internal newsletters and communications. A centralized place of issuance for organization wide communication including City Manager and department head presentations and reporting.
Examples of Potential Risks:
>Conflicting information is provided to City Employees
>Internal communications are improperly published to the community
Likelihood (1-5): 2; Impact (1-5): 1; Score: 4; Risk Areas: Operational

Risk ID: 53; Functional Area: Communications; Risk Title: Website
Risk Detail: The City's website and affiliated websites are maintained and updated in conjunction with the Communications Office and the Information Technology Department. Both departments work with the website host to update information and publish new webpages. Additionally, individual departments have access to back-end website publishing.
Examples of Potential Risks:
>Lack of internal controls for website access
>Publishing of inappropriate or inaccurate content
Likelihood (1-5): 2; Impact (1-5): 3; Score: 18; Risk Areas: Legal & Compliance, Reputation, IT

Risk ID: 54; Functional Area: Community Services; Risk Title: Contract Monitoring
Municipal Code Reference: 2.30 Contracts and Purchasing Procedures
Risk Detail: Community Services relies on third-party contractors to manage the zoo, deliver recreational services (i.e. swimming pool, athletic fields, the golf course), and provide arts and theatre programs. As a result, Community Services oversees dozens of contracts and independent contractors.
Examples of Potential Risks:
>Overpayments due to contract complexity
>Reputational risk associated with actions of a 3rd party
>Failure to adhere to contract terms including scope of work and other critical provisions
>Failure to monitor vendor performance
Likelihood (1-5): 4; Impact (1-5): 4; Score: 42
Risk Areas: Strategic, Operational, Financial, Legal & Compliance, Reputation

Risk ID: 55
Functional Area: Community Services
Risk Title: Background Check Procedures
Municipal Code Reference: 2.08.210 Department of community services.
Risk Detail: Community Services offers a variety of programs where workers may come into contact with children. The following is a non-inclusive list of screening practices the City uses: local criminal record check, state criminal record check, FBI criminal record check, employment reference checks, and personal reference checks.
Examples of Potential Risks:
>Hiring of unqualified individuals
>Employing an individual that should be ineligible for employment involving interactions with children
Likelihood (1-5): 3; Impact (1-5): 3; Score: 26
Risk Areas: Operational, Legal & Compliance, Reputation

Risk ID: 56
Functional Area: Community Services
Risk Title: Human Services
Municipal Code Reference: 2.08.210 Department of community services.
Risk Detail: The Office of Human Services provides services and works toward enhancing the quality of life in Palo Alto in a variety of ways. Services relate to the following areas:
>Children Resources
>Family Resources
>Tenant/Landlord
>Human Services Grants
>Emerging Needs Funds
Examples of Potential Risks:
>Resources are expended on services that are not of sufficient benefit to the community
>Ineligible program participation
>Fraud/waste/abuse of public funds
Likelihood (1-5): 1; Impact (1-5): 3; Score: 12
Risk Areas: Operational, Financial, Legal & Compliance, Reputation

Risk ID: 57
Functional Area: Community Services
Risk Title: Palo Alto Art Center
Municipal Code Reference: 2.08.210 Department of community services.; 2.18 Public Art Commission
Risk Detail: The Palo Alto Art Center has a partnership with the Palo Alto Art Center (PAAC) Foundation Board.
Successful fundraising efforts of the PAAC Foundation are necessary, in addition to City funds, to sustain the Art Center. The Art Center measures its progress based on the following priorities:
>Community Engagement
>Financial Sustainability
>Leadership capacity
Examples of Potential Risks:
>Resources are expended on services that are not of sufficient benefit to the community
>Employing an individual that should be ineligible for employment involving interactions with children
Likelihood (1-5): 1; Impact (1-5): 2; Score: 6
Risk Areas: Strategic, Financial, Legal & Compliance, Reputation

Risk ID: 58
Functional Area: Community Services
Risk Title: Children's Theatre
Municipal Code Reference: 2.08.210 Department of community services.
Risk Detail: Palo Alto's Children's Theatre serves more than 57,000 community members each year with theatrical productions and programs for youth ages 3 through high school. Performing arts education opportunities include onsite classes, camps, and production experiences, as well as theatrical Outreach Productions (grades 3-5) and Dance in Schools classes (grades K-2) in all twelve PAUSD Elementary Schools. Children's Theatre offers a variety of programs where workers may come into contact with children.
Examples of Potential Risks:
>Resources are expended on services that are not of sufficient benefit to the community
>Employing an individual that should be ineligible for employment involving interactions with children
Likelihood (1-5): 1; Impact (1-5): 3; Score: 12
Risk Areas: Strategic, Financial, Legal & Compliance, Reputation

Risk ID: 59
Functional Area: Community Services
Risk Title: Junior Museum & Zoo
Municipal Code Reference: 2.08.210 Department of community services.
Risk Detail: The Palo Alto Junior Museum & Zoo has a partnership with the Friends of Palo Alto Junior Museum & Zoo. Successful fundraising efforts of Friends of Palo Alto Junior Museum & Zoo are necessary, in addition to City funds, to sustain the museum and zoo. The JMZ is owned and operated by the City of Palo Alto and admission is free.
The JMZ hosts more than 17,000 local students annually from schools, science camps, and field trips. In total, the JMZ has approximately 180,000 visitors per year. The City is exploring potential opportunities to relinquish day-to-day operations responsibilities to Friends of Palo Alto Junior Museum & Zoo. These discussions are still at an early stage.
Examples of Potential Risks:
>Resources are expended on services that are not of sufficient benefit to the community
>Transferring operating responsibilities to a non-profit may result in a legal challenge from existing City employees
>Failure to properly manage the JMZ may result in negative publicity and reputational damage
Likelihood (1-5): 1; Impact (1-5): 2; Score: 6
Risk Areas: Strategic, Financial, Legal & Compliance, Reputation

Risk ID: 60
Functional Area: Community Services
Risk Title: Public Art Program
Municipal Code Reference: Chapter 2.26; 15.61.110 Public Art Fund; 2.26.070 Public Art for Municipal Projects; 2.26.030 Duties of the Public Art Commission
Risk Detail: The Public Art Program operates in accordance with Chapter 2.26 of Palo Alto Municipal Code to provide opportunities for the placement of permanent and temporary site-specific public art projects in municipal projects across Palo Alto. Additionally, the Program oversees the implementation of the Ordinance requirement to incorporate public art in private development projects. The Public Art Commission (PAC) reviews and advises the Public Art Program on selection, placement, and care of public art throughout the City of Palo Alto. The City collection of public art is comprised of approximately 100 permanently sited works and approximately 200 portable works of art in a diverse range of media. All works are commissioned and acquired through a public process.
Examples of Potential Risks:
>Resources are expended on services that are not of sufficient benefit to the community
Likelihood (1-5): 1; Impact (1-5): 2; Score: 6
Risk Areas: Strategic, Financial

Risk ID: 61
Functional Area: Community Services
Risk Title: Open Space, Parks, & Baylands Golf Links
Risk Detail: The City of Palo Alto has almost 4,000 acres of open space to explore, recreate and relax in.
Park Services handles the maintenance of 162 developed acres of urban parklands. Individual parks range in size from under two acres to large community parks such as Rinconada Park, Mitchell Park, and Greer Park. Besides maintaining urban parks, Parks Services handles landscape maintenance of libraries, community centers, business districts and utility sub-stations. Troon, previously OB Sports, manages the Baylands Golf Links. According to the contract, Troon is responsible for course maintenance, leases a cafe from the City, and manages a pro shop. The City receives a percentage of revenue from the pro shop. This approach to golf course management is new to the City within the past few years. The City has a contract with Brightview for maintenance and landscaping services on other open space and parks land.
Examples of Potential Risks:
>Resources are expended on services that are not of sufficient benefit to the community
>3rd party management of City resources, such as the golf course
Likelihood (1-5): 1; Impact (1-5): 3; Score: 12
Risk Areas: Strategic, Legal & Compliance, Reputation

Risk ID: 62
Functional Area: Community Services
Risk Title: Recreation Services
Risk Detail: Recreation Services has a focus on youth wellbeing. Facilities include the historic Lucie Stern Community Center, Mitchell Park Community Center, Cubberley Community Center, and Rinconada Pool. Recreation Services also coordinates a variety of recreation programs including middle school athletics, the Teen Center, Palo Alto Youth Leadership programs, year-round Life-Long Learning classes, adult sports leagues, dynamic summer camp and aquatics program.
Examples of Potential Risks:
>Resources are expended on services that are not of sufficient benefit to the community
>Employing an individual that should be ineligible for employment involving interactions with children
>Improper payment for services (e.g., a referee)
Likelihood (1-5): 2; Impact (1-5): 3; Score: 18
Risk Areas: Strategic, Financial, Legal & Compliance, Reputation

Risk ID: 63
Functional Area: Emergency Services
Risk Title: Emergency Volunteer Coverage
Municipal Code Reference: Palo Alto Municipal Code (PAMC) Sec. 2.12.070; 2.08.185 Office of Emergency Services.
Risk Detail: In the case of emergency, the Office of Emergency Services may enlist the assistance of the community through a volunteer network. The mission of the Palo Alto Emergency Services Volunteers (ESV) is to: 1) provide supplemental resources to the professional first responders of the City and surrounding communities and 2) facilitate means for neighbors to help neighbors (including business and other entities). Emergency Service Volunteers are oftentimes geographically concentrated in some, but not all, neighborhoods.
Examples of Potential Risks:
>Lack of volunteer participation across the City/concentration of volunteers leading to inconsistent emergency response depending on location
Likelihood (1-5): 2; Impact (1-5): 3; Score: 18
Risk Areas: Strategic, Operational, Financial, Legal & Compliance, Reputation, Political & Economic

Risk ID: 64
Functional Area: Emergency Services
Risk Title: Disaster Response
Municipal Code Reference: 2.08.185 Office of Emergency Services.
Risk Detail: The mission of the Office of Emergency Services is to prevent, prepare for, mitigate, respond to, and recover from all hazards. This involves:
>Executing a training plan for designated staff
>Maintaining emergency management facilities, critical infrastructure, and essential equipment
>Coordinating with private sector, non-governmental organizations to promote continuity of operations
>Maintaining disaster plans for the City
The City has developed many resources and has placed them on the website: www.cityofpaloalto.org/thira.
Examples of Potential Risks:
>Inadequate response to an emergency such as an earthquake, fire, urban flood, or active shooter situation may result in injury, loss of life, financial hardship, and reputational damage to the City and its employees
Likelihood (1-5): 1; Impact (1-5): 5; Score: 30
Risk Areas: Strategic, Operational, Financial, Legal & Compliance, Reputation, Political & Economic

Risk ID: 65
Functional Area: Finance
Risk Title: Tax Revenue
Municipal Code Reference: 2.08.150 Department of Administrative Services
Risk Detail: The City of Palo Alto's largest sources of revenue include property taxes, sales taxes, and transient occupancy taxes. Palo Alto has been a hub for large technology businesses which bring in visitors to hotels, restaurants, and retail. These visitors and daytime population help feed the sales and transient occupancy taxes. Palo Alto property values have also risen over the last few decades, driving an increase in property tax revenue.
Examples of Potential Risks:
>Large businesses moving to other locations or decreasing the focus on in-person interactions at headquarters lowers the daytime population and visitors
>Decreasing real estate values due to external factors decreases City revenues from property taxes
Likelihood (1-5): 3; Impact (1-5): 5; Score: 44
Risk Areas: Strategic, Financial, Political & Economic

Risk ID: 66
Functional Area: Finance
Risk Title: Accounts Payable
Municipal Code Reference: 2.08.150 Department of Administrative Services
Risk Detail: The Accounts Payable division handles payment of vendor invoices, p-card transactions, and other payments. The Accounts Payable department issues payments in a number of manners, including ACH and Checks. Accounts Payable is managed in SAP and any paper invoices are inputted into the system.
Examples of Potential Risks:
>Late payment of invoices in the event invoices are not inputted into SAP
>Invoices entered into the system with incorrect information, such as dates miskeyed
Likelihood (1-5): 4; Impact (1-5): 2; Score: 24
Risk Areas: Financial, Legal & Compliance

Risk ID: 67
Functional Area: Finance
Risk Title: Credit & Debt
Municipal Code Reference: 2.08.150 Department of Administrative Services
Risk Detail: Palo Alto's credit rating is currently AAA, the highest rating a municipality can receive. This is due in large part to high fund balances and low debt burdens. Healthy fund balances and low reliance on debt equip the City to face economic hardships or other external factors outside the City's control.
Examples of Potential Risks:
>Sustained decreasing revenues may require the City to diminish fund balances and rely more heavily on debt
>Operational inefficiencies may result from sustained economic prosperity, leaving the City vulnerable to inefficient uses of debt and fund balances during times of economic hardship
Likelihood (1-5): 2; Impact (1-5): 4; Score: 28
Risk Areas: Financial, Reputation, Political & Economic

Risk ID: 68
Functional Area: Finance
Risk Title: Proposition 13
Municipal Code Reference: 2.08.150 Department of Administrative Services
Risk Detail: Proposition 13, or "The Peoples Amendment to Control Taxation", caps property tax rates according to a percentage of the property value or the Consumer Product Index. This proposition limits the amount that residents can be taxed on their property in the midst of rising property values, while also limiting the ability of the City to collect revenue at a rate in pace with the Palo Alto real estate market.
Examples of Potential Risks:
>Lost revenue for the City to fund City services with Prop 13 in place
>High taxation on residents due to increased property values, especially long term Palo Alto residents, in the absence of Prop 13
Likelihood (1-5): 1; Impact (1-5): 3; Score: 12
Risk Areas: Financial, Reputation, Political & Economic

Risk ID: 69
Functional Area: Finance
Risk Title: Investments, Debt, and Cash Management
Municipal Code Reference: 2.08.150 Department of Administrative Services; 2.28.140 Depositories and Investments
Risk Detail: Palo Alto manages its investment, debt, and cash portfolio through a single internal investment manager.
This investment manager maintains the City's investment portfolio subject to the investment policy, including limits on holdings of various financial products. Maintaining an internal investments manager allows the City of Palo Alto to avoid commissions/fees. In addition, the investment manager also performs cash management and cash flow modeling, executes wire transactions, serves as the bank custodian, and performs a daily cash flow reconciliation.
Examples of Potential Risks:
>Financial opportunity cost from an optimized portfolio managed by an outsourced firm
>Operational inefficiencies due to lack of economies of scale in comparison to an outsourced firm
>Fraud/misuse/abuse risk associated with lacking or failed internal controls in regards to investments
>Noncompliance with the investment policy
>Overreliance on one individual to manage City investments
Likelihood (1-5): 2; Impact (1-5): 5; Score: 38
Risk Areas: Strategic, Financial, Legal & Compliance

Risk ID: 70
Functional Area: Finance
Risk Title: Procurement
Municipal Code Reference: 2.08.150 Department of Administrative Services; 2.30.040 Centralized Purchasing
Risk Detail: Palo Alto has detailed policies and procedures in place for purchasing and procurement. The process includes internal controls to ensure that the organization is protected against fraud, misuse and abuse in the purchasing process. If any areas within the purchasing process are missing controls, it opens an opportunity for unethical, fraudulent, or erroneous activities. If the purchasing process has too many controls, the City may be missing opportunities for cost savings and operational efficiencies.
Examples of Potential Risks:
>Burdensome internal controls slowing the purchasing process down, discouraging good vendors from bidding on projects
>Lack of internal purchasing controls, opening opportunities for fraud, misuse and abuse
Likelihood (1-5): 4; Impact (1-5): 2; Score: 24
Risk Areas: Operational, Financial, Legal & Compliance

Risk ID: 71
Functional Area: Finance
Risk Title: Grants Management
Municipal Code Reference: 2.08.150 Department of Administrative Services
Risk Detail: Grants Management includes the pursuit of grants, the tracking of outstanding grant decisions, reporting, and managing any awards and associated reporting and spending deadlines. The City of Palo Alto does not have a centralized Grant Management Function. Rather, each department pursues grant opportunities applicable to a specific program or the department as a whole and manages the grant in accordance with the grant agreement and applicable law. The Administrative Services Department prepares pertinent financial reports including the Schedule of Expenditures of Federal Awards (SEFA).
Examples of Potential Risks:
>Missed grant reporting deadlines
>Use of grant funding on ineligible expenses
>Missed grant opportunities due to inaction or delays in application writing
Likelihood (1-5): 3; Impact (1-5): 2; Score: 16
Risk Areas: Operational, Financial, Legal & Compliance

Risk ID: 72
Functional Area: Finance
Risk Title: Asset Management
Municipal Code Reference: 2.08.150 Department of Administrative Services
Risk Detail: The City manages assets to ensure that all assets are properly accounted for both operationally and financially. Asset management is important to the accounting function as well to ensure that depreciation on all assets is being properly tracked and applied as well as classification of various assets.
Examples of Potential Risks:
>Misclassification of assets, hampering the ability to properly account for depreciation and other accounting requirements
>Lack of internal controls in managing and accounting for assets
Likelihood (1-5): 4; Impact (1-5): 4; Score: 42
Risk Areas: Operational, Financial

Risk ID: 73
Functional Area: Finance
Risk Title: Accounts Receivable
Municipal Code Reference: 2.08.150 Department of Administrative Services
Risk Detail: The Revenue Collection and General Accounting teams manage the City's accounts receivable function.
This function ensures that bills are timely, accurate and include adequate information for those paying the City. Additionally, this function manages what payments are expected, any overdue payments, and any necessary collections. Note that this function is not responsible for utility billing.
Examples of Potential Risks:
>Outstanding balances for extended periods of time
>Redirected payments to personal accounts
Likelihood (1-5): 3; Impact (1-5): 4; Score: 36
Risk Areas: Operational, Financial, Legal & Compliance

Risk ID: 74
Functional Area: Finance
Risk Title: Payroll
Municipal Code Reference: 2.08.150 Department of Administrative Services
Risk Detail: Payroll ensures that all City employees are paid on time and with accuracy. Segregation of duties between employees who process payroll and those with access to the employee master file is an important consideration for any organization.
Examples of Potential Risks:
>Errors in paychecks, including over or under payments
>Not accounting for updates to qualifying events such as marriage or new children
Likelihood (1-5): 4; Impact (1-5): 2; Score: 24
Risk Areas: Operational, Financial, Legal & Compliance

Risk ID: 75
Functional Area: Finance
Risk Title: General Accounting
Municipal Code Reference: 2.08.150 Department of Administrative Services
Risk Detail: Palo Alto's accountants ensure that the City has accurate financial information with which to make decisions and to report to the public. The accounting function ensures that the financial statements reflect the true operations and financial state of the City.
Examples of Potential Risks:
>Misstatement on financial statements
>Lack of internal controls to catch accounting errors
Likelihood (1-5): 3; Impact (1-5): 3; Score: 26
Risk Areas: Strategic, Operational, Financial, Legal & Compliance

Risk ID: 76
Functional Area: Fire
Risk Title: Ambulance Service
Municipal Code Reference: State of California Senate Bill 201; 2.08.180 Fire department.
Risk Detail: The Fire Department operates an ambulance transfer service. The EMS Director oversees equipment, staffing, training, and all other activities associated with this ambulance function.
The City is implementing an Ambulance Subscription Fee Program. The program will be voluntary and proposes to waive the insurance co-pay participants would otherwise be charged when transported to the hospital by ambulance.
Examples of Potential Risks:
>Compliance with EMS Act, including Section 201 and service level requirements
>Proper billing and collection of subscription fees
Likelihood (1-5): 2; Impact (1-5): 4; Score: 28
Risk Areas: Operational, Financial, Legal & Compliance, Reputation

Risk ID: 77
Functional Area: Fire
Risk Title: Hazardous Materials Response
Municipal Code Reference: 2.08.180 Fire department.
Risk Detail: Palo Alto's Hazardous Materials Team responds to calls involving hazardous materials.
Examples of Potential Risks:
>Staff capacity, training, and certification
Likelihood (1-5): 2; Impact (1-5): 4; Score: 28
Risk Areas: Operational, Legal & Compliance

Risk ID: 78
Functional Area: Fire
Risk Title: Palo Alto Foothills & Fire Risk
Municipal Code Reference: 2.08.180 Fire department.
Risk Detail: The City includes land west of Highway 280, including Foothills Park. This area is served by Fire Station 8. When Fire Station 8 is not staffed, the City is heavily reliant on mutual aid.
Examples of Potential Risks:
>Lack of staffing to respond to emergencies in the Foothills Park area
Likelihood (1-5): 2; Impact (1-5): 4; Score: 28
Risk Areas: Operational, Legal & Compliance, Reputation

Risk ID: 79
Functional Area: Fire
Risk Title: EMT / Paramedics
Municipal Code Reference: 2.08.180 Fire department.
Risk Detail: The majority of City of Palo Alto Firefighters are also certified as either EMTs or Paramedics. Palo Alto offers training for firefighters to be certified as EMTs. Paramedics and EMTs both respond to medical/rescue and fire calls. Paramedics are trained to perform additional medical services that EMTs are not certified to perform, including starting IVs, administering medication and beginning intubation. According to NFPA safety standards and best practices, two paramedics and two EMT or BLS trained individuals should be on scene for every event.
Examples of Potential Risks:
>Improper staffing of firetruck and ambulance units
Likelihood (1-5): 1; Impact (1-5): 1; Score: 2
Risk Areas: Operational, Legal & Compliance, Reputation

Risk ID: 80
Functional Area: Human Resources
Risk Title: Contract Employees
Municipal Code Reference: State of California Assembly Bill (AB) 5
Risk Detail: State of California Assembly Bill (AB) 5 requires the application of the "ABC test" to determine if workers in California are employees or independent contractors. Under the ABC test, a worker is considered an employee and not an independent contractor, unless the hiring entity satisfies all three of the following conditions:
1. The worker is free from the control and direction of the hiring entity in connection with the performance of the work, both under the contract for the performance of the work and in fact;
2. The worker performs work that is outside the usual course of the hiring entity’s business; and
3. The worker is customarily engaged in an independently established trade, occupation, or business of the same nature as that involved in the work performed.
Some City departments rely on third-party contractors to deliver services. For example, Community Services relies on third-party contractors to manage the golf course, deliver recreational services (i.e. swimming pool, athletic fields) and provide arts and theatre programs. The City uses a variety of methods to mitigate risk in this area including management-level trainings led by the City Attorney and detailed reviews by Procurement. The City relies on a variety of "flags" such as previous employees trying to work as contractors. In these cases, the City can share the contract with CalPERS for review.
Examples of Potential Risks:
>Litigation against the City for improper employment practices
Likelihood (1-5): 3; Impact (1-5): 2; Score: 16
Risk Areas: Strategic, Operational, Financial, Legal & Compliance

Risk ID: 81
Functional Area: Human Resources
Risk Title: Employee Separation and Offboarding
Risk Detail: The City adheres to a detailed offboarding process including a formalized employee termination checklist. Departmental management, Human Resources, and IT coordinate to gather necessary paperwork, update IT permissions and access rights, discuss knowledge transfer, schedule and conduct an exit interview, and recover city-owned assets. This process is not supported in SAP. Instead, it involves multiple workflows and manual communications.
Examples of Potential Risks:
>Payroll fraud
>Compliance with relevant laws and regulations regarding employee separation
>Ongoing, improper physical or business/information systems access
Likelihood (1-5): 3; Impact (1-5): 3; Score: 26
Risk Areas: Strategic, Operational, Financial, Legal & Compliance, Reputation

Risk ID: 82
Functional Area: Human Resources
Risk Title: High Cost Claims
Municipal Code Reference: 2.08.160 Department of human resources.
Risk Detail: Managing high-cost claimants, including individuals suspected of "gaming the system", is critical for controlling benefits costs. Staffing models should plan for high-cost scenarios such as employees with chronic illnesses and sick leave abuse. High cost claims include both expensive chronic medical conditions and acute conditions. Major cost drivers include:
>Cardiovascular disease
>Pulmonary conditions
>Neurological conditions
Examples of Potential Risks:
>Public safety employees may place a significant financial burden on the City given the dangerous nature of the role
Likelihood (1-5): 4; Impact (1-5): 4; Score: 42
Risk Areas: Financial, Legal & Compliance

Risk ID: 83
Functional Area: Human Resources
Risk Title: Hiring
Municipal Code Reference: 2.08.160 Department of human resources.
Risk Detail: The Human Resources Department oversees the hiring process. The hiring process starts with departments submitting a requisition to fill a vacancy.
Upon receipt of approval from the Budget Office, Human Resources goes through a planning process with the department to identify urgency, develop a timeline, and agree on a process. Most positions are governed by merit rule and require public posting. At this stage, the City details position requirements including whether exams are necessary. Human Resources completes an initial review to eliminate candidates that fail to meet minimum requirements. Screening processes (i.e. phone, paper-based) differ depending on the position. Interview processes are structured and questions require sign-off from Human Resources. Human Resources works with departments to conduct a job analysis and author interview questions tied to job duties. To score interviews, the City uses a scoring matrix. Human Resources has plans to promote diversity, for example, blind resume reviews. To address issues related to diversity, the City focuses on job outreach to encourage diverse candidate pools.
Examples of Potential Risks:
>Hiring of unqualified individuals
>Employing an individual that should be ineligible for employment
>Litigation due to an illegal interview question
>Implicit bias in the hiring process
Likelihood (1-5): 3; Impact (1-5): 3; Score: 26

Risk ID: 84
Functional Area: Human Resources
Risk Title: Onboarding Employee Set-up
Municipal Code Reference: 2.08.160 Department of human resources.
Risk Detail: The City relies on NEOGOV HR Software to assist with the onboarding process and Checkr to assist with the background check process. Before the implementation of the NEOGOV onboarding module, the onboarding process was more paper-based. Once an employee is selected for hiring, their information is transferred from the applicant tracking system to the onboarding system. The City leverages the onboarding tool to ensure candidates receive benefits, payroll, and tax documents along with critical policies and procedures. The NEOGOV system allows the City to share paperwork with new employees before their first day and eliminate the step of creating applicant packets.
Human Resources oversees a two-day onboarding training with new employees. In the past, the City conducted this training monthly, thus allowing for a natural cohort structure. Employees would receive a tour, meet key employees, meet their union representative, and attend a variety of trainings reviewing policies and other key information. Since COVID-19, the City has shifted to an on-demand hiring approach instead of the cohort model.
Examples of Potential Risks:
>New hires do not understand critical policies and procedures
>New hires do not gain access to important employment documents in a timely manner
Likelihood (1-5): 3; Impact (1-5): 2; Score: 16
Risk Areas: Strategic, Operational, Legal & Compliance

Risk ID: 85
Functional Area: Human Resources
Risk Title: Performance Management
Municipal Code Reference: 2.08.160 Department of human resources.
Risk Detail: The performance management process is predominantly manual. The City has not transitioned to an automated process that would assist with critical steps such as notifying supervisors and employees about upcoming evaluation deadlines. Performance evaluations for non-union, management employees are less structured and involve greater discretion to determine merit-based increases. Departments conduct these reviews on the anniversary of the employee’s first day to determine if an employee moves to the next step.
Examples of Potential Risks:
>Failure to eliminate unconscious bias from the performance appraisal process may increase the risk of litigation against the City based on the Lilly Ledbetter Act (2009) and/or the State of California Fair Pay Act (2016)
>Failure to accurately track and recognize employee performance may lead to reduced engagement, especially among high-performers
>Failure to recognize employee performance may result in unwanted turnover of high-performers
Likelihood (1-5): 3; Impact (1-5): 2; Score: 16
Risk Areas: Strategic, Operational, Financial, Legal & Compliance, Reputation, Political & Economic, IT

Risk ID: 86
Functional Area: Human Resources
Risk Title: Records Management
Municipal Code Reference: 2.08.160 Department of human resources.; CA Labor Code Section 226 - Record Keeping Requirements
Risk Detail: Human Resources lacks a centralized repository for employee records. As a result, tracking employee data is oftentimes cumbersome. Within the past three years, Human Resources started converting files in an effort to go paperless. Due to issues with the vendor partner, the department has been unable to complete this transition. Completing this transition would enhance the department's ability to store, retrieve, and archive information. In addition, it is unclear whether the department has policy language detailing proper handling of personally identifiable information (PII). This topic is covered through annual trainings.
Examples of Potential Risks:
>Failure to establish clear record keeping guidelines increases the likelihood the City will be noncompliant with state and federal record keeping requirements such as USCIS, the EEOC, and numerous federal employment acts (such as ERISA, ADA, FMLA and OSHA)
>Increased difficulty responding to various legal actions and unemployment claims
Likelihood (1-5): 3; Impact (1-5): 3; Score: 26
Risk Areas: Legal & Compliance

Risk ID: 87
Functional Area: Human Resources
Risk Title: Standard Operating Procedures
Municipal Code Reference: 2.08.160 Department of human resources.
Risk Detail: Formalized SOPs are a critical tool as they communicate the correct way of carrying out HR activities.
SOPs help the organization operate efficiently, maintain consistency, and communicate clearly.
Examples of Potential Risks:
>A lack of standard operating procedures detailing appropriate HR practices
>A lack of standard operating procedures may result in loss of institutional knowledge if an employee leaves the organization
>A lack of standard operating procedures related to employee safety may result in preventable injury claims
Likelihood (1-5): 2; Impact (1-5): 3; Score: 18
Risk Areas: Strategic, Operational, Financial, Legal & Compliance

Risk ID: 88
Functional Area: Human Resources
Risk Title: Succession Planning
Municipal Code Reference: 2.08.160 Department of human resources.
Risk Detail: The City used to conduct "people-focused" succession planning exercises and is considering a transition to a more "skill-focused" approach. This process may include:
>Determining current and short-term departmental needs
>Compiling critical skillsets
>Analyzing the current in-house talent pool
>Assessing risk of turnover for critical positions
Examples of Potential Risks:
>Successors may lack readiness
>Loss of institutional knowledge
>Costs associated with recruiting a replacement
Likelihood (1-5): 3; Impact (1-5): 3; Score: 26
Risk Areas: Strategic

Risk ID: 89
Functional Area: Human Resources
Risk Title: Systems and Technology
Municipal Code Reference: 2.08.160 Department of human resources.
Risk Detail: The City does not have a centralized Human Resources Information System (HRIS). Instead, Human Resources relies on multiple systems and software, especially the finance system powered by SAP. Due to system limitations, Human Resources is required to conduct critical processes manually. These processes include adjusting hazard pay and bilingual worker pay. In addition, Human Resources experiences challenges coordinating with the pension system and making salary adjustments when certain employee types are promoted.
Examples of Potential Risks:
>Human error due to manual processes
>Inaccurate calculation of employee compensation and pension balance
Likelihood (1-5): 3; Impact (1-5): 3; Score: 26

Risk ID: 90
Functional Area: Human Resources
Risk Title: Staffing Levels
Municipal Code Reference: 2.08.160 Department of human resources.
Risk Detail: Multiple departments within the City expressed challenges with staffing levels. Hiring limitations in response to COVID-19 worsened these existing challenges.
Examples of Potential Risks:
>Relying on unqualified employees to perform critical tasks due to an unfilled vacancy
>Non-compliance with state and federal laws due to capacity limitations
>Reductions in service quality due to capacity limitations
Likelihood (1-5): 3; Impact (1-5): 3; Score: 26

Risk ID: 91
Functional Area: Human Resources
Risk Title: Class and Comp
Municipal Code Reference: 2.08.160 Department of human resources.
Risk Detail: Due to COVID-19, cost of living adjustments (COLA) and merit-based increases are frozen for non-union, management-level employees. For unionized employees, the City has contractual obligations to adhere to agreed upon pay structures and step advancements. In the case of union employees, classification and compensation are determined through market analysis based on agreed upon comparable firms. In some instances, agreeing upon these comparable firms has been an obstacle.
Examples of Potential Risks:
>Choosing an inappropriate market sample may result in noncompetitive salary ranges
>Noncompetitive salary ranges on the high end may result in an increased financial burden on the City
>Noncompetitive salary ranges on the low end may result in difficulties with recruitment and retention
Likelihood (1-5): 3; Impact (1-5): 3; Score: 26

Risk ID: 92
Functional Area: Information Technology
Risk Title: Application Management
Municipal Code Reference: 2.08.240 Department of information technology.
This area focuses on the management of the organization's business applications – how they are developed, procured, modified and managed as well as how application security is performed and the role of the IT department in managing an application.
Examples of Potential Risks:
>Inability to implement application changes and provide application support in a timely manner due to critical staff shortage or turn-over
>Disruption of core business functions due to application downtime
>Shared or generically named and/or shared among a group of users, the lack of accountability may result in inappropriate activity
Likelihood: 4 | Impact: 3 | Score: 34 | Risk Areas: Operational, IT

93 | Information Technology | Architecture and Deployment | 2.08.240 Department of information technology.
This area focuses on the architecture and deployment of the organization’s information technology. In-scope elements include:
>The network architecture and deployed technology that is used to provide intra-site, inter-site connectivity and Internet connectivity
>The organization’s server and storage infrastructure
>The computer hardware that is deployed for end-users
Examples of Potential Risks:
>Poor or unreliable IT service delivery that may result in customer dissatisfaction
Likelihood: 3 | Impact: 4 | Score: 36 | Risk Areas: Strategic, Operational, IT

94 | Information Technology | Asset Management | 2.08.240 Department of information technology.
This area focuses on the IT department’s asset management practices. In-scope activities include the following:
>Tracking information technology assets from procurement through disposal.
>Reusing and decommissioning information technology assets
>Ensuring information technology assets have an assigned owner, who is a stakeholder in the asset’s protection
>Ensuring information technology assets are properly maintained to maximize their useful life
>Tracking software usage and ensuring that vendors’ software license agreements are followed
Examples of Potential Risks:
>Inadequate security management of untracked IT assets
>Lack of asset longevity and usefulness of assets
>Data loss due to unsecured assets
Likelihood: 4 | Impact: 3 | Score: 34 | Risk Areas: Strategic, Operational, Financial, IT

95 | Information Technology | Change Management | 2.08.240 Department of information technology.
This area focuses on the IT department’s practices for controlling changes to the IT environment. In-scope activities include the following:
>Management of infrastructure hardware, software and configuration changes
>Management of host system software and configuration changes
>Management of normal and emergency changes
>Application release management
>Delineation of the activities that are controlled by change management versus help desk request ticketing
Examples of Potential Risks:
>Inappropriate, unauthorized, under-planned and/or under-tested system changes may be implemented that negatively impact agency operations and/or reputation
>Lack of management's approval prior to moving changes into production may result in disruptions in business operations.
>Lack of a formal documented change management process may result in the inconsistent application of changes.
>Lack of segregation of duties between environments related to development, testing and production can result in inappropriate changes that may disrupt operations
Likelihood: 3 | Impact: 3 | Score: 26 | Risk Areas: Strategic, Operational, IT

96 | Information Technology | Compliance Management | 2.08.240 Department of information technology.
This area focuses on the IT department’s practices for complying with IT-related contract requirements, governmental regulations (e.g., HIPAA Security Rule) and industry standards (e.g., PCI Data Security Standard). In-scope are the following activities:
>Compliance program development and maintenance
>Compliance program monitoring and reporting
Examples of Potential Risks:
>Poor compliance management practices may result in regulatory fines and oversight stemming from non-compliance.
>Inability to manage compliance requirements may result in increased operating expenses (e.g., payment card transaction costs).
>Legal costs and ramifications that damage reputation and hinder business operations
Likelihood: 3 | Impact: 3 | Score: 26 | Risk Areas: Legal & Compliance, IT

97 | Information Technology | Database and Data Management | 2.08.240 Department of information technology.
This area focuses on the IT department’s practices for managing digital information.
In-scope activities include the following:
>Classifying the information that is received, processed, transmitted and stored by the work staff
>Protecting digital information from the following security losses: confidentiality, integrity and availability
>Controlling access to digital information via file share and database management controls
>Performing procedures to backup stored information
>Ensuring backed up information is recoverable
Examples of Potential Risks:
>Loss of data availability or usage
>Lack of classification of the information that is received, processed, transmitted and stored by the work staff may result in inappropriate access
>Inadequate data security may lead to reputational harm if customer/citizen information is accessible to malicious individuals
Likelihood: 4 | Impact: 4 | Score: 42 | Risk Areas: Operational, IT

98 | Information Technology | Disaster Recovery Preparedness and Testing | 2.08.240 Department of information technology.
This area focuses on the IT department’s preparations and testing for disaster recovery (DR).
In-scope activities include the following:
>Disaster recovery strategy and alignment with the organization’s business continuity plans
>Disaster recovery plan preparation
>Disaster recovery testing
Examples of Potential Risks:
>Inability to establish a formal disaster recovery team that has the authority to declare a disaster and does not have defined roles during an event may result in financial penalties for service level misses
>Inadequate disaster recovery preparedness may result in a disruption of essential process and service delivery thus preventing business continuity
>Lack of restoration testing may result in false assurance that your organization has functional backups to restore operations in the event of an emergency
Likelihood: 3 | Impact: 4 | Score: 36 | Risk Areas: Strategic, Operational, Reputational, IT

99 | Information Technology | End-User Support and Perceptions | 2.08.240 Department of information technology.
This area focuses on the IT department’s scope and approach for providing end-user support as well as the perceptions that end-users have regarding IT service delivery. In-scope activities include the following:
>End-user request intake
>Help Desk triaging of end-user requests and problems
>Help Desk request tracking and reporting
>End-user notification of request handling progress and completion
>Requesting and receiving end-user feedback on completed or abandoned service requests
Examples of Potential Risks:
>Loss of end-user sponsorship and partnership in IT initiatives
>Inefficient help desk processes related to request in-take, triaging, tracking and reporting may result in end-user dissatisfaction
Likelihood: 3 | Impact: 4 | Score: 36 | Risk Areas: Operational, Reputational, IT

100 | Information Technology | Host Intrusion and Malware Defense | 2.08.240 Department of information technology.
This area focuses on the IT department’s practices for protecting network connected computers, telephones, printers and infrastructure hardware devices from intrusive activity and malicious software exploitation.
In-scope activities include the following:
>Intrusion detection and prevention deployment, operation, and monitoring
>Malware defense deployment, operation (e.g., signature updating), and monitoring for hosts and applications (e.g., spam email)
Examples of Potential Risks:
>Loss of system/application availability and integrity
>Possible data breach and hijacking (ransomware) of organization data
>Lack of intrusion detection and protection controls may result in the untimely identification of an attack
Likelihood: 3 | Impact: 4 | Score: 36 | Risk Areas: Strategic, Operational, Financial, Legal & Compliance, Reputational, IT

101 | Information Technology | Information Security | 2.08.240 Department of information technology.
This area focuses on the IT department’s practice of information security. Information security programs are developed to protect an organization’s information systems and information from plausible threats and vulnerability exploitation that could result in one or more losses of security: confidentiality, integrity, availability, authenticity and/or non-repudiation. Programs should address the following:
>Policy development and enforcement
>Identity and access management
>Threat identification and management
>Vulnerability identification and management
>Security roles and responsibilities
>Security training and awareness for IT and non-IT personnel
Examples of Potential Risks:
>Increased probability that the systems and data within the systems are not adequately protected from technical and malicious threats.
>Lack of security awareness training may result in internal employees exposing the organization to security threats.
>Lack of vulnerability monitoring may result in untimely threat identification and a lag in response time
Likelihood: 3 | Impact: 4 | Score: 36 | Risk Areas: Strategic, Operational, Financial, Legal & Compliance, Reputational, IT

102 | Information Technology | Mobile Device Management | 2.08.240 Department of information technology.
This area focuses on the IT department’s management of mobile devices. In-scope activities include the following:
>Authorization to use mobile devices
>Mobile device provisioning, monitoring, support and de-provisioning
>Mobile device incident response
Examples of Potential Risks:
>Unauthorized device access due to compromised security PINs
>Unauthorized access by installed mobile applications to stored email, text messages, media and data
>Unauthorized user access to stored email, text messages, media and data as well as network applications via VPN
>Lack of mobile device monitoring may result in the untimely identification of an incident
Likelihood: 4 | Impact: 3 | Score: 34 | Risk Areas: Operational, IT

103 | Information Technology | Operations and Monitoring | 2.08.240 Department of information technology.
This area focuses on the IT department’s practices for operating, monitoring and maintaining the computer systems and supporting infrastructure that are used by the work staff. In-scope activities include the following:
>Capacity management
>Hardware and software maintenance
Examples of Potential Risks:
>Increased costs due to insufficient planning and forecasting
>Disruption of business processes and service delivery
>Financial penalties for service level misses
Likelihood: 3 | Impact: 4 | Score: 36 | Risk Areas: Operational, IT

104 | Information Technology | Organizational Architecture | 2.08.240 Department of information technology.
This area focuses on the organization of the IT department, its placement within the organization and its approach to staffing.
Examples of Potential Risks:
>A decentralized IT Department may result in inefficient operations by resulting in shadow IT.
>Unaligned organizational structure may result in inefficient service delivery resulting in increased operating costs and potential service disruption
>Lack of cross-training to backfill critical job roles and tasks may result in inadequate staffing
>Lack of professional development for staff may result in the inability to recruit and retain qualified talent
Likelihood: 3 | Impact: 4 | Score: 36 | Risk Areas: Strategic, Operational, IT

105 | Information Technology | Physical and Environmental Controls | 2.08.240 Department of information technology.
This area focuses on IT physical and environmental safeguards that are deployed to protect the organization’s application systems and information. In scope activities include the following:
>Deployment and monitoring of physical access controls that protect IT assets
>Deployment and monitoring of environmental controls that protect IT assets
Examples of Potential Risks:
>Inappropriate or unauthorized physical access to data centers, server rooms, wiring closets, or facilities containing end-user IT hardware
>Inappropriate or unauthorized physical access to IT hardware
>IT hardware and/or infrastructure loss due to poor environmental controls
Likelihood: 3 | Impact: 3 | Score: 26 | Risk Areas: Strategic, Operational, Legal & Compliance, IT

106 | Information Technology | Problem Management and Incident Response | 2.08.240 Department of information technology.
This area focuses on the IT department’s practices for managing problems and incidents.
In scope are the following activities:
>The method(s) by which IT problems are reported and resolved
>Problem tracking, reporting and communication
>Incident response preparation and response testing
>Incident identification, triaging, containment, eradication and recovery
Examples of Potential Risks:
>Loss of IT asset confidentiality, integrity and availability
>Inability to properly identify the root cause of an incident thus preventing the ability to implement the appropriate corrective controls to reduce the risk of future incidents
Likelihood: 3 | Impact: 4 | Score: 36 | Risk Areas: Strategic, Operational, Reputational, IT

107 | Information Technology | Procurement and Service Provider Management | 2.08.240 Department of information technology.
This area focuses on the IT department’s practices for procuring hardware, software, facilities and services as well as managing the contracted service providers. In scope are the following activities:
>Procurement strategy
>Vendor and service provider due diligence and performance monitoring
Examples of Potential Risks:
>Insufficient oversight of procurement strategy and methods could result in the failure to optimize the cost and effectiveness of IT asset and service purchases
>Insufficient oversight of service provider contract performance could result in the non-timely detection of product/service delivery problems
>Insufficient oversight of service provider activity and security controls could cause security problems including a data breach
Likelihood: 3 | Impact: 3 | Score: 26 | Risk Areas: Strategic, Operational, Financial, Legal & Compliance, Reputational, IT

108 | Information Technology | Project Management | 2.08.240 Department of information technology.
This area focuses on the IT department’s project management practices.
In-scope activities include:
>Initiating, planning, executing, controlling, and closing projects
>Managing projects’ scope, milestones, quality and budget
>Ensuring projects are adequately staffed
>Reporting project progress and issues on a recurring basis to management and stakeholders
Examples of Potential Risks:
>Poor project deliverable quality
>Project cost overruns and late project completion
>Inadequate project management may lead to fines due to unmet project milestones or non-compliance
Likelihood: 2 | Impact: 3 | Score: 18 | Risk Areas: Operational, IT

109 | Information Technology | Risk Management | 2.08.240 Department of information technology.
This area focuses on the IT department’s risk management practices. In-scope activities include IT risk identification, triaging, treatment, tracking and management reporting.
Examples of Potential Risks:
>Reputational damage
>Monetary loss and penalties
>Inadequate risk identification may lead to unmitigated threats to the organization
Likelihood: 4 | Impact: 3 | Score: 34 | Risk Areas: Strategic, Operational, Reputational, IT

110 | Information Technology | Strategy and Governance | 2.08.240 Department of information technology.
This area focuses on IT strategy and governance practices.
In-scope activities include the following:
>Development, maintenance and approval of an IT strategic plan that is aligned with the organization's business strategy
>Development and execution of tactical IT plans that are aligned to the IT strategy
>Development, maintenance and approval of an IT operating budget
>Recurring performance and risk reporting to Executive Management and the Board of Directors
>Oversight of IT operation and resource consumption by Executive Management and the Board of Directors
Examples of Potential Risks:
>Executive management and the Board of Directors are unaware of IT risks and their severity
>IT service delivery is misaligned with the organization and/or over-spends and under-delivers
Likelihood: 2 | Impact: 4 | Score: 28 | Risk Areas: Strategic, Operational, Reputational, IT

111 | Information Technology | Ransomware | 2.08.240 Department of information technology.
Governments are subject to cybersecurity threats, including but not limited to hacking, malware, and ransomware. These crimes are becoming more common and costly for local governments to detect and deter.
Examples of Potential Risks:
>Financial loss as a result of a cyber attacker demanding a monetary payment in exchange for organization data.
>Service delivery disruption as a result of organizational data being held ransom thus preventing employee access to essential data.
Likelihood: 2 | Impact: 5 | Score: 38 | Risk Areas: Reputational, IT

112 | Information Technology | IT Roadmap | 2.08.240 Department of information technology.
As a best practice, an IT Department's 1-3 year strategic roadmap is recommended to specifically align with the City's strategic goals. Failure to implement a documented roadmap may result in an insufficient use of limited resources and the inability of the department to support the overall business operations of the City.
This can reveal itself when operations tend to be more reactive in nature. Proactive measures such as a roadmap will support alignment of network security, replacing aging applications with new systems, hardware and software and technical items with the business goals of the City.
Examples of Potential Risks:
>Absence of a formal IT Capital Plan approach has limited the transparency into the IT Capital Plan budget and misses the opportunity to facilitate a cohesive, City-wide IT investment strategy
Likelihood: 3 | Impact: 4 | Score: 36 | Risk Areas: Strategic, Legal & Compliance, Reputational, IT

113 | Information Technology | Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) | 2.08.240 Department of information technology.
As a best practice, the City can benefit from a BCP which includes a DRP that is communicated to all staff. There is a lack of awareness across several functions on whether or not the City has a formal BCP and DRP. Failure to establish a plan leaves the potential for an interruption in services and the inability for all parties to know their roles, responsibilities and sequence of operations in the instance of an identified disaster.
Examples of Potential Risks:
>Less effective and timely recovery from disaster events resulting in increased disruption of business operations or service delivery, increased expenditures for system recovery and potentially reputational damage
Likelihood: 2 | Impact: 4 | Score: 28 | Risk Areas: Strategic, Financial, IT

114 | Library | Events | 2.08.230 Department of libraries.
Throughout the year, the library hosts many events, holiday parties and seminars. These events are interactive, often involving food, music and performances. Events are hosted by the library in conjunction with external non-profits, community agencies, faith based organizations and individual persons and groups. The library also works with internal departments such as Police and Fire to host events. Events are designed to be educational and to help engage the community.
Examples of Potential Risks:
>Health and safety for gatherings of large groups of individuals
>Culturally insensitive events
Likelihood: 1 | Impact: 3 | Score: 12 | Risk Areas: Strategic, Legal & Compliance, Reputation

115 | Library | Library Programs | 2.08.230 Department of libraries.
Palo Alto's library offers hundreds of adult, children and family programs and services. These programs and services are open to any member of the community or library card holder. These programs include:
>Book Clubs
>ESL Classes
>Writers workshops and contests
>Arts and Crafts
>Story Times
Library-offered programs and services are traditionally in person and virtual. Programs may require pre-registration, while others are readily available online, to be used at any time.
Examples of Potential Risks:
>Program demand
Likelihood: 1 | Impact: 3 | Score: 12 | Risk Areas: Strategic, Financial, Legal & Compliance, Reputation

116 | Library | Locations Management | 2.08.230 Department of libraries.
Palo Alto has 5 library branches spaced throughout the City. Each library has unique services and function, and is situated near other City services. The placement and special function of each library is to best serve the local community surrounding the library. Individuals are able to use any library, and may request books from another library be transferred to their chosen community library for reservation and check-out. Additionally, books may be returned to any library or book-drop, regardless of where the book was originally checked-out.
Examples of Potential Risks:
>Internal management of book returns and logistics is inefficient, and books are temporarily or permanently lost
>Balance of staff and service offerings
Likelihood: 2 | Impact: 1 | Score: 4 | Risk Areas: Strategic, Operational, Financial, Reputational

117 | Library | Inventory Management | 2.08.230 Department of libraries.
The largest business of the library involves the management of the book inventory (check-in and check-out). An inherent risk to lending is the ability to recoup and collect items loaned. The City does not charge late fees for book rentals, but does impose fines and fees for replacement of books that are 42 days late. Laptops and other library collection items are subject to late fees and replacement costs.
Examples of Potential Risks:
>Book return process and inventory management
Likelihood: 3 | Impact: 2 | Score: 16 | Risk Areas: Financial

118 | Library | Privacy | 2.08.230 Department of libraries.
Privacy is a concern for both the City and its citizens. Holding and storing of personal information safely, even for minimal periods of time, is essential. The library collects personal information from residents when evaluating citizen requests for a library card; no information is retained by any of the City's libraries.
Examples of Potential Risks:
>Users do not log off when using the library computers/hardware
>Private information regarding uses of libraries and its services is stored improperly
Likelihood: 3 | Impact: 1 | Score: 8 | Risk Areas: Legal & Compliance, Reputation, IT

119 | Planning | Development Services | 2.08.220 Department of planning and development services
Development Services includes the Development Center, Plan Review Services, and the Inspection program. Permits are filed in person at City Hall or through the new Online Permit Services System. Permits and inspections are mandated before construction and/or remodeling for a variety of projects.
Examples of Potential Risks:
>Individuals and businesses do not request permits or inspections before initiating projects
>Delays or backlogs in providing permitting and inspection services
Likelihood: 4 | Impact: 3 | Score: 34 | Risk Areas: Operational, Financial, Legal & Compliance, Reputation

120 | Planning | Historic Preservation | 2.08.220 Department of planning and development services; 18.12.140 Historical Review and Incentives; 18.10.130 Historical Review and Incentives
The City of Palo Alto looks to preserve and protect its culturally, historically and architecturally significant places in order to create a vibrant and sustainable community that fully reflects Palo Alto’s diverse past. The City of Palo Alto’s Historic Preservation Program began in 1979 and currently boasts four National Register Districts and hundreds of individually significant resources.
Examples of Potential Risks:
>Cultural significance of historic homes and architecturally significant places increases reputational risk related to preservation
>Process efficiency and customer service
Likelihood: 1 | Impact: 2 | Score: 6 | Risk Areas: Financial, Legal & Compliance, Reputation, Political & Economic

121 | Planning | Code Enforcement | 2.08.220 Department of planning and development services
The Code Enforcement Division of the Department of Planning & Development Services is responsible for enforcement of property maintenance, zoning, and building codes throughout Palo Alto.
Examples of Potential Risks:
>High volume of development and/or renovations without adequate capacity to enforce all codes
>Inability to respond to all complaints made by community members
Likelihood: 3 | Impact: 2 | Score: 16 | Risk Areas: Operational, Legal & Compliance, Reputation

122 | Planning | Building Division | 2.08.220 Department of planning and development services
The City of Palo Alto Building Division serves as a resource for homeowners, businesses, designers and contractors.
The goal is to help customers build safe, healthy and sustainable buildings that comply with applicable codes and regulations.
Examples of Potential Risks:
>Volume of requests due to high demand for new builds and renovation, leading to lower quality of advice or inability to answer all incoming questions
Likelihood: 3 | Impact: 2 | Score: 16 | Risk Areas: Operational, Legal & Compliance, Reputation

123 | Planning | Current Planning | 2.08.220 Department of planning and development services
For anyone desiring to build in Palo Alto, they will first need to receive a building permit. The planning function will provide building permits based on the function's broader Comprehensive Plan 2030, compliance with the California Environmental Quality Act (CEQA), Plan Review (a fully outsourced service) and other codes and regulations. There is also an Architecture Review Board that consults on the decision for new proposals. All of these factors are considered when making decisions regarding proposals and requests.
Examples of Potential Risks:
>Disagreement over interpretation of current codes and regulations increasing the amount of discretion necessary in decision making
>High quantities of new building proposals required for review, putting pressure on existing staff and lowering overall quality
Likelihood: 4 | Impact: 3 | Score: 34 | Risk Areas: Strategic, Operational, Financial, Legal & Compliance, Reputation

124 | Planning | Long Term Planning | 2.08.220 Department of planning and development services; Chapter 16.65 CITYWIDE AFFORDABLE HOUSING REQUIREMENTS; Chapter 19.04 PLANNING COMMISSION
The Long Range Planning division within the Department of Planning & Development Services guides and develops visioning and implementation programs for the City's community development policies and programs.
Division areas of focus include:
>Affordable housing
>Housing planning and policies
>Land Use and zoning
>Weatherization
>Comprehensive Planning
>Community Block Grants
Examples of Potential Risks:
>Unforeseen changes in economic or political conditions leading to required changes and inability to forecast future circumstances
Likelihood: 4 | Impact: 4 | Score: 42 | Risk Areas: Strategic, Operational, Financial, Legal & Compliance, Reputation, Political & Economic

125 | Police | Overtime | 2.08.170 Police department.
Unpaid overtime claims are the largest category of complaints filed under California's wage and hours laws. Palo Alto police officers frequently work overtime. A common issue is having step based officers working dispatch during times of need.
Examples of Potential Risks:
>Increased stress and fatigue among officers
>Increased financial burden on the City as officers are paid at a higher rate
Likelihood: 4 | Impact: 2 | Score: 24 | Risk Areas: Strategic, Operational, Financial, Legal & Compliance, Reputation, Political & Economic, IT

126 | Police | Dispatch | 2.08.170 Police department.
The City of Palo Alto uses the dispatch function within the Police Department in order to dispatch for multiple functions, including police calls, Stanford matters, utilities, fire, and others. This dispatching service provides a conduit from citizens to City public safety and emergency services.
Examples of Potential Risks:
>Mishandling of emergency calls from the public could lead to unfavorable views of City Police and other services
>Multiple services addressed by dispatch may raise the risk for errors or bottlenecks in dispatching processes
>Inaccurate allocation of dispatch related costs to other departments or organizations
Likelihood: 3 | Impact: 2 | Score: 16 | Risk Areas: Operational, Reputation

127 | Police | Staffing Levels | 2.08.170 Police department.
As of November 2020, nine employees are eligible for retirement and the City recently offered a retirement incentive. In addition, PD is also experiencing attrition among line-level officers, some of whom make lateral moves to work in other communities. Due to hiring constraints, turnover typically results in prolonged position vacancies.
Examples of Potential Risks:
>Costs associated with position vacancy including lost productivity, overtime paid to officers, and training costs
Likelihood: 3 | Impact: 3 | Score: 26 | Risk Areas: Strategic, Operational, Financial, Legal & Compliance, Reputation, Political & Economic, IT

128 | Police | Onboarding/Training | 2.08.170 Police department.
Officers are required to reach a minimum of 32 hours of ongoing professional training every 24 months. Officer training is integrated into officers’ schedules throughout the year. Trainings are both in-person and virtual, and can be in both group and individual settings. Additionally, training and onboarding of a new officer recruit can take upwards of 18 months.
Examples of Potential Risks:
>Noncompliance with training requirements
>Inadequately trained personnel resulting in improper handling of public safety matters
Likelihood: 2 | Impact: 2 | Score: 10 | Risk Areas: Operational, Legal & Compliance, Reputation

129 | Police | Use of Force and Officer Conduct | 2.08.170 Police department.
The Independent Police Auditor has the authority to review and assess for objectivity, thoroughness, and appropriateness of disposition citizen complaint investigations of misconduct and internal affairs investigations associated with the Police Department and makes recommendations to the Police Chief. Loss of trust in law enforcement is a common externality. Research shows that perceived legitimacy of law enforcement is critical to effective law enforcement. High profile officer-involved interactions carry with them a variety of risks.
Examples of Potential Risks:
>Litigation due to perceived or actual misconduct may result in legal action and expensive settlements
>Reputational harm from improper use of force
Likelihood: 2 | Impact: 5 | Score: 38 | Risk Areas: Operational, Financial, Reputation

130 | Police | Records Management | 2.08.170 Police department.
Law enforcement records management systems are a valuable source of information essential to the investigative, arrest, and judicial processes. Failure to manage records can affect the successful prosecution of criminal violators, resulting in liability or loss of public confidence. The City of Palo Alto Police Department relies on Sun Ridge Systems, Inc. to manage its police records.
Examples of Potential Risks:
>Mismanagement of records, resulting in non-compliance with federal and/or State standards
>Insufficient record retainage for important, highly visible cases
Likelihood: 2 | Impact: 3 | Score: 18 | Risk Areas: Strategic, Operational, Financial, Legal & Compliance, Reputation, Political & Economic, IT

131 | Public Works | Engineering Services | 12.04.030 Public Works; 2.30.100 Public Works Contracts; 2.30.300 Public Works Contracts; 2.08.190 Department of Public Works
The Engineering Services Division designs and constructs City-owned facilities, streets, sidewalks, storm drains and parks infrastructure; provides engineering support to City Departments and the private development community for construction in the public right of way. The City oversees approximately 400,000 square feet of City-owned facilities including multiple community centers and libraries. Usage and maintenance patterns differ for each of these facilities. For example, the City leases space within the Cubberley Community Center to a variety of long-term leases.
Examples of Potential Risks: >Lack of funding may cause some capital projects to be significantly delayed and risk cost over-run from lack of continuous activities (i.e. start-up/shut-down operations) >Unfavorable contract terms resulting in unexpected expenses 2 4 28 Strategic Operational Financial Legal & Compliance Reputation Political & Economic IT

132 Public Works Airport 2.30.100 Public works contract. The Airport Division operates and maintains the Palo Alto Airport, the 3rd busiest airport in the Bay Area. The Air Traffic Control Tower is operated by the Federal Aviation Administration. The Airport generates revenues through tie-down fees and hangar rentals. The fee schedule is updated periodically. The Airport Division is overseeing a multi-phase apron reconstruction project. Construction began in 2018 and is expected to be complete in 2021. Construction of Phase I was completed in June 2018. Construction of Phase II began in December 2018 and was completed in January 2020. Examples of Potential Risks: >Unfavorable contract terms may result in unexpected expenses >Failure to reconcile contractor invoices may result in overpayments >Poor project planning may result in expensive change orders >Improper billing or management of fees for service >Impact of repayment plan established by Airport to the General Fund causing impacts on airport operations 2 4 28 Strategic Operational Financial Legal & Compliance

133 Public Works Public Services - Fleet 2.30.100 Public works contract. The Public Services Division maintains the City’s fleet. Due to spending restrictions because of the COVID-19 pandemic, the City has limited fleet maintenance efforts as a cost savings measure. The City maintains a pool of vehicles that may be used for City business.
Examples of Potential Risks: >An ageing fleet may result in increased maintenance costs >Lack of funding stability may harm the City's ability to maintain and replace vehicles >Charges to user departments may not sufficiently cover the City's full fleet costs >Policies and procedures that fail to clearly define replacement criteria may result in inefficient replacement methods 3 4 36 Strategic Operational Financial Legal & Compliance Reputation

134 Public Works Environmental Services 2.30.100 Public works contract. The Environmental Services division operates and maintains the Regional Water Quality Control Plant; maintains a Pretreatment Program for control of industrial and commercial dischargers; provides pollution prevention information and programs to residents and businesses; manages the City’s solid waste programs. Environmental Services helps implement Zero Waste Palo Alto's mission, to help the community virtually eliminate waste being buried or burned. This effort involves garbage collection and sorting, recycling, and composting. Environmental Services contracts out these waste collection and sorting services. Examples of Potential Risks: >Failure to detect non-compliant industrial dischargers may result in preventable pollution >Failure to achieve Zero Waste goals may harm the City's reputation 2 3 18 Strategic Operational Financial Legal & Compliance Reputation

135 Public Works Building Deconstruction 2.30.100 Public works contract. As part of an ongoing effort to reduce waste in Palo Alto, City Council approved a Deconstruction Ordinance. The goal is for building materials to be reused or recycled, so workers will have to disassemble structures instead of wrecking buildings. Two of the largest components of landfill waste are food waste and construction and demolition (C&D) related materials. C&D materials represent more than 40% of Palo Alto debris that gets disposed in landfills.
Examples of Potential Risks: >This ordinance may place a financial burden on residential, commercial, and industrial property owners interested in demolishing a building >The City may weaken its reputation as "business-friendly" >Property owners may avoid needed upgrades to circumvent additional costs 2 2 10 Financial Reputation Political & Economic

136 Public Works Public Services - Facilities The City must prioritize capital projects based on a variety of factors. The 2011 Blue Ribbon Commission (IBCR) report highlighted conclusions the City uses to assist with project prioritization and funding models. Key conclusions include: >The City underfunded its infrastructure maintenance in the amount of over $2 million per year. >The City permitted the infrastructure underfunding to accumulate, building a backlog of "catch-up" needs totaling over $40 million. >Five major City-owned facilities fell below current standards of safety, capacity, and functionality. Examples of Potential Risks: >Inadequate preventative maintenance resulting in long-term financial burden of managing emergency maintenance needs >Failure to adhere to an infrastructure management system may hinder the City's ability to track the condition and use of all City infrastructure >Failure to effectively maintain City-owned facilities may result in more costly long-term repairs and replacement in the future 2 4 28 Operational Financial

137 Public Works Urban Forestry The Public Works Urban Forestry Section maintains nearly 66,000 trees of Palo Alto’s urban forest.
The urban forest provides a variety of benefits including: >Reduce the effects of urban density >Increase property values >Assist with storm water mitigation >Remove air pollutants >Assist with greenhouse gas sequestration The City has established an Urban Forest Master Plan, which was adopted in February 2019. The “Implementation Plan” includes planning for: >Budget need >Inter-departmental collaboration >Municipal Code updates >Monitoring Examples of Potential Risks: >Risks associated with contract management 1 3 12 Operational Legal & Compliance Reputation

138 Public Works Wastewater Treatment Plant Operations The City operates the Regional Water Quality Control Plant (RWQCP), which cleans and treats wastewater before it is discharged to San Francisco Bay. The plant is owned and operated by the City of Palo Alto, and it treats wastewater for the communities of Los Altos, Los Altos Hills, Mountain View, Palo Alto, Stanford University and the East Palo Alto Sanitary District. There is an agreement in place to allocate costs to each community. Examples of Potential Risks: >Accuracy of cost allocation to each community >Compliance with applicable environmental laws 3 4 36 Operational Financial Legal & Compliance

139 Transportation Contract Management 2.08.260 Office of transportation. The Office of Transportation relies on contracted services for a variety of areas including construction, parking enforcement, and permitting. Noteworthy contractors include Serco and Duncan Solutions. The Serco contract is three years, in an amount not-to-exceed $2,322,285 for residential preferential parking enforcement services. The Duncan Solution contract is $627,000 over a five-year term to develop, implement, support and maintain a parking permit and citation management system.
Examples of Potential Risks: >Unfavorable contract terms resulting in unexpected expenses >Contract compliance and cost control issues >Failure to reconcile contractor invoices may result in overpayments 3 2 16 Operational Financial Legal & Compliance

140 Transportation Safety Improvement Projects and Traffic Operations 2.08.260 Office of transportation. The Office of Transportation works to enhance quality of life and improve the safety of the users of all modes of transportation. To achieve these goals, the Office manages safety improvement projects, collects transportation data, sets speed limits, follows signage and striping best practices, and implements traffic control measures. Examples of Potential Risks: >Improper roadway safety and operations decisions may result in preventable roadway incidents with legal ramifications for the City >Failure to obtain community support for a project may result in expensive change orders and reputational harm 2 4 28 Strategic Financial Legal & Compliance Reputation

141 Utilities Workforce & Succession Planning 2.08.200 Department of Utilities With Palo Alto's high cost of living, the City has had trouble recruiting and retaining positions such as lineman and operations crew as there are other organizations (such as investor-owned utilities) in more affordable areas that are also in need of these positions. These employees can oftentimes make the same or higher salaries at other organizations with lower costs of living. This creates an issue for the City in regards to recruiting and retaining positions in high demand such as linemen.
Examples of Potential Risks: >Sustained high vacancy of positions decrease the ability for Palo Alto to maintain pace of capital improvements and maintenance >High turnover of employees increases personnel expenses associated with onboarding and training >Difficulty hiring high-quality employees in these types of positions 4 4 42 Operational Financial Reputation Political & Economic

142 Utilities AMI Project 2.08.200 Department of Utilities Palo Alto is moving towards an implementation of AMI technology for meter reading. AMI will allow for the City to conduct meter readings with more efficiency and accuracy. The costs associated with such an implementation are significant. Any implementation with such an effort may run into unexpected challenges and barriers to implementation. Additionally, redeploying current meter readers is also a challenge. Examples of Potential Risks: >Customers desiring to opt out of AMI technology may introduce additional challenges in creating efficient meter reading processes >Implementation of AMI can introduce financial risks for unexpected challenges 3 4 36 Strategic Operational Financial IT

143 Utilities Utility Bill Collections 2.08.200 Department of Utilities As a practice, the City of Palo Alto does not currently shut off utilities for those who are regularly missing payments. This includes both commercial and residential customers. The City maintains financial reserves that fluctuate over time, but attempt to remain above 70 days. Continued customers who do not pay their bills will reduce financial reserves.
Examples of Potential Risks: >Continued practices of no water shut offs may encourage late payments or missed payments >The City may not have the option to complete water shut offs during times like COVID-19, or may not want to complete shut offs due to reputational risk 3 2 16 Financial Legal & Compliance Reputation Political & Economic

144 Utilities Customer Service 2.08.200 Department of Utilities The City of Palo Alto Utilities Customer Service supports the Utilities mission to provide safe, reliable, environmentally sustainable and cost effective services. Customer Services supports residential and commercial customers with questions about the Utilities services: electric, fiber optics, natural gas, water, and wastewater. Customer Services helps customers pay their bill, start new services, and access rebates. Examples of Potential Risks: >Negative customer interactions reflect poorly upon the City >COVID-19 and other emergency utility disconnection moratoriums cause a financial burden for the City >Improper handling of customer accounts 3 2 16 Operational Reputation

145 Utilities Rates 2.08.200 Department of Utilities Palo Alto owns and operates its own utilities. However, the City purchases all of its electric, water, and gas from other sources. The City must set its rates according to the cost to purchase power, water, and gas as well all O&M and capital costs associated with administering the utilities. For example, the City purchases water from a different source than its neighbors and subsequently has higher water rates.
Examples of Potential Risks: >Competitive rates in neighboring communities may provide incentive for any prospective residents to choose neighboring communities >Rising rates may indicate operational inefficiencies that contribute to a greater cost of service >Compliance with regulatory requirements in the rate setting process >Reputational risk associated with rate setting >Delay in cost recovery after provider's cost increase >Allocation of costs across utilities 3 4 36 Strategic Operational Financial Reputation

146 Utilities Purchase Power Contract Management 2.08.200 Department of Utilities The City purchases all of their power from external sources, without any generation operations of their own. This requires a greater effort in monitoring these Purchase Power Agreements. Monitoring these agreements is important both from a compliance standpoint, ensuring that state and local requirements are being met, as well as a financial standpoint, ensuring that costs are reasonable. Examples of Potential Risks: >The cost of purchased power exceeding the cost of generating power >Noncompliance with purchase power agreements 3 4 36 Strategic Financial Legal & Compliance

147 Utilities Work Order & Asset Management 2.08.200 Department of Utilities For any operations and maintenance, a proper work order system is vital to the operations of the utility. Modern day technology and automation can improve the work order process and reduce the number of steps required from employees.
Examples of Potential Risks: >Implementation of an automated work order system can be costly and disruptive >Lack of an automated work order system can create efficiency issues and opportunities for human error >Improper use of the work order system resulting in improper classification of assets 3 3 26 Operational IT

148 Utilities Rebates and Programs 2.08.200 Department of Utilities The City offers both residential and commercial utility customers rebates and programs to assist with efficiency and cost savings. In particular, both residential and commercial customers can take advantage of city resources to learn more about solar energy. The City also offers tips and tricks regarding energy efficiency. For residential customers, you can receive landscape rebates, rebates for outdoor surveys, home water surveys, EV rebates, heat pump water heater rebates, permeable pavement rebates just to name a few. Commercial customers also can receive water rebates and other business specific rebates. Commercial can also take advantage of the fiber program, renewable energy program and others. Examples of Potential Risks: >Decreased consumption impacting rates >Rebates and programs become cost inefficient, producing less benefits than inputs required to run the program 1 2 6 Operational Financial Reputation

City of Palo Alto City Auditor’s Office FY21/22 Annual Audit Plan January 15, 2021

FY2021/2022 Audit Plan

Overview

Introduction

The purpose of the City Audit function is “to ensure that city management is using its financial, physical, and informational resources effectively, efficiently, economically, ethically, and equitably, and in compliance with laws, regulations, contract and grant requirements, and city policies and procedures” (City of Palo Alto Contract No, C21179340). The Palo Alto Municipal Code (Section 2.08.130) requires the City Auditor prepare and submit an annual audit plan to the City Council for review and approval.
The audit plan is normally submitted to the City Council at the beginning of the fiscal year. Given the timing of onboarding Baker Tilly to serve as the City Audit Function, the risk assessment and audit planning process spanned October 2020 through January 2021, the middle of Fiscal Year 2021. As a result, Baker Tilly has sought to identify audit activities across an 18-month horizon (through FY22). Note that Baker Tilly will seek approval of contract task orders iteratively during that timeframe in order to remain agile and accommodate changes to the plan as time passes.

Note that this report addresses Task #2 of the Baker Tilly agreement. Other activities are addressed in separate Task Orders corresponding to the tasks in the Baker Tilly agreement. For example, the City Auditor performs follow up on audit findings and recommendations, as outlined in Task #5.

Conformance with Local Ordinances and Standards

According to City Ordinance, the mission of City Auditor’s Office is to “promote honest, efficient, effective, economical, and fully accountable and transparent city government. To fulfill this mission, the office of the city auditor conducts performance audits and performs nonaudit services of any city department, program, service, or activity as approved by the city council.” (Section 2.08.130).

Palo Alto City Charter Article IV Sec.
12 requires the City Auditor to:
– Conduct audits in accordance with a schedule approved by the City Council and may conduct unscheduled audits from time to time
– Conducts audits of financial transactions of the City

Palo Alto Municipal Code Section 2.08.130 requires the City Auditor to:
– Prepare an annual audit plan for city council approval
– Identify the preliminary objectives of each audit to be performed, reflecting the purpose of the engagement and a preliminary description of the areas that may be addressed

Audit Activity Types

The Office of the City Auditor will conduct performance audits and perform financial/operational analyses of any City department, program, service, or activity as approved by the City Council (City of Palo Alto Contract No, C21179340).

Performance Audits

According to the Government Auditing Standards (GAO-18-568G, Section 1.21 and 1.22, page 10-12), performance audits provide objective analysis, findings, and conclusions to assist management and those charged with governance and oversight with, among other things, improving program performance and operations, reducing costs, facilitating decision making by parties responsible for overseeing or initiating corrective action, and contributing to public accountability. Performance audits may include the following four (4) audit objectives.
– Program effectiveness and results
– Internal control design and effectiveness
– Compliance with laws, regulations, and policies
– Prospective analysis

Audit Planning Considerations

While maintaining its independence and objectivity in accordance with standards, the City Auditor considers a variety of matters when developing the Annual Audit Plan, including but not limited to:
– Risk assessment – Baker Tilly performed a risk assessment and summarized the results in a separate report (Task #2). Generally speaking, audit activities target high(er) risk areas. Note that Key Risks are outlined on the following page.
– Ability to add value – audit seeks to add value through independent and objective analysis.
– City Council – the City Auditor reports to the City Council and seeks input on audit priorities.
– Coverage and Prior Audits – the City Auditor considers prior audits conducted by the City Auditor’s Office, the financial audit, and other audit and consulting reports recently issued.
– “Ripeness” and On-Going Initiatives – certain risk areas may be addressed through operational activities, which could mean they are not ripe for audit to add value.
– Scheduling – the City Auditor takes into consideration the timing of an audit and other on-going initiatives that directly relate. Putting an undue burden on City staff may exacerbate the risk at hand or other interrelated risks.

Key Risks

Baker Tilly performed a citywide risk assessment to plan for FY21 and FY22 audit activities and documented the detailed results in a separate Risk Assessment Report. In summary, we identified the following key risks for each function:

Function Key Risks
Administrative Services • Tax Revenue & Economic Recovery • Asset Management • Investment Management
Information Technology • Cyber Security • Database/Data Management • Disaster Preparedness and Recovery
City Clerk’s Office • Public Records Requests • Records Management
Library Department • Inventory Management • Recourse Demand • Events and Programming
Communication’s Office • External Affairs • Social Media Management • Internal Communications
Planning Department • Long Term Planning • Code Enforcement
Community Services Department • Contract Monitoring • Background Check Procedures
Police Department • Employee/Officer Overtime • Officer Conduct and Use of Force Policies • Recruitment and retention
Emergency Services Department • Disaster Response
Public Works • Construction Project Management • Facilities Management • Fleet Management • Water Quality Control
Fire Department • Recruitment and
Retention • Compliance with SB 201
Office of Transportation • Contract Management • Safety Improvement Projects • Traffic Operations
Human Resources Department • High Cost Claims • Records Management • Workforce and Succession Planning
Utilities Department • Workforce and Succession Planning • Contract Management of Purchased Power • Capital Program Management • Work Order and Asset Management

Refer to the Risk Assessment Report for more information about the risk assessment methodology and results of the risk assessment.

Proposed Audit Activities for FY2021-2022

Included in the tables below are the proposed audit activities for the remainder of FY2021 and FY2022. Each audit activity corresponds to a risk rated as High or Moderate in the Risk Assessment Report and was selected based on other factors outlined on page 3. The preliminary audit objectives are described for each audit listed. These objectives and scope of each audit activity will be further defined based on the result of a project planning risk assessment process performed at the beginning of each activity.

Audits are planned in three overall phases – note that the timing may differ slightly for each audit activity:
– Phase I – Activities projected to start in March 2021 and end by June 2021
– Phase II – Activities projected to start in May 2021 and end by December 2021
– Phase III – Activities projected to start in January 2022 and end by June 2022

Amendments to the proposed audit plan will be proposed either as needed or after conducting a follow-up risk assessment and updating the audit plan, as needed, at the onset of FY22. Amendments may be proposed in response to changes in the City’s environment such as organizational structure, operations, risks, systems, and controls. Please note that the City Auditor will actively manage project and overall budgets and workload in its execution of the workplan.
For each audit activity, a task order is submitted to the City Council for approval before the work is commenced. We have prepared and attached to this report multiple task orders that correspond to audit activities we have prioritized (e.g., those in Phase I). Those audit activities are marked with an “X” in the ‘Seeking Approval’ column of the table below, and the Task Orders are included in the Appendix.

Phase I Activities

Seeking Approval Function Project Title Audit Objectives Timeline Estimated Hours FY21 Cost FY22 Cost Total Cost

X Public Works Construction Project Controls Assessment • Identify key processes and controls in the construction project management program. • Assess the control environment and make recommendations for improvement. March – June 310 $61,400 $61,400

X Administrative Services Asset Capitalization Audit • Evaluate process of capturing construction work in progress. • Document and evaluate key processes and controls related to categorizing and recording capital project costs. • Assess compliance with financial policies and relevant accounting standards. March – June 180 $38,600 $38,600

X Information Technology Assessment of SAP Functionality and Internal Controls (FY21) • Participate as an advisor to the project steering committee for Phase 2 of the ERP system upgrade. • Evaluate internal control design as system configuration is analyzed. March – June 100 $23,050 $23,050

X Information Technology IT Risk Management Assessment • Identify key risks and controls within the IT function – including IT governance and IT security. • Evaluate the adequacy of the control environment and offer recommendations for improvement. March – June 350 $61,550 $61,550

X Administrative Services Investment Management Review • Determine whether adequate controls are in place and operating effectively to ensure that investments are managed in accordance with the investment management and other relevant policies.
• Assess the organizational structure and operations of the investment portfolio management function against best practice. TBD 400 $82,500 $82,500

X Utilities Power Purchase Agreement Review • Evaluate the process for evaluating and entering into power purchase agreements. • Assess the effectiveness of internal controls in the management of the power purchase agreements and accuracy and compliance of billings. TBD 375 $74,875 $74,875

TBD Ad Hoc Requests TBD TBD TBD $14,640 $14,640

Phase I Sub Total 1,715 $356,615 $356,615

Phase II Activities

Seeking Approval Function Project Title Audit Objectives (preliminary objectives for audits not currently subject to approval) Timeline Estimated Hours FY21 Cost FY22 Cost Total Cost

X Administrative Services Economic Recovery Advisory • Review the City’s long-term financial planning model and offer recommendations for improvement. • Identify and evaluate key revenue source categories that present long term risk to the City's financial sustainability and perform scenario analysis. • Offer ad hoc advisory assistance during the FY22 budget process. March - December 400 $8,462 $76,153 $84,615

Planning Building Permit & Inspection Process Review • Identify highest impact area to focus the assessment (e.g., specific permit type(s), specific sub-processes, etc.). • Document corresponding process(es) and evaluate for efficiency and effectiveness. • Benchmark operational performance against industry practices and established standards. May – September 360 $12,548 $71,102 $83,650

Citywide Nonprofit Agreements Risk Management Review • Evaluate controls in place to ensure that nonprofit organizations are properly vetted prior to selection and monitored through the life of an agreement. • Assess the performance monitoring process against the best practice. • Follow up on relevant audit findings from past audit work.
May – September 400 $12,375 $70,125 $82,500

Phase II Sub Total 1,160 $33,385 $217,380 $250,765

Phase III Activities

Seeking Approval Function Project Title Preliminary Audit Objectives Timeline Estimated Hours FY21 Cost FY22 Cost Total Cost

Information Technology Assessment of SAP Functionality and Internal Controls (FY22) • Participate as an advisor to the project steering committee for Phase 2 of the ERP system upgrade. • Evaluate internal control design as system configuration is analyzed. June – April 200 $45,900 $45,900

Information Technology Application Lifecycle Management Audit • Determine whether adequate controls are in place and working effectively to ensure that application systems are properly implemented and maintained. • Assess the maturity level of application management against the IT framework and standards. December – April 340 $65,950 $65,950

Public Works Wastewater Treatment Plant Agreement Audit • Evaluate whether direct and indirect costs incurred by the City are properly allocated to the operation of the Wastewater Treatment Plant. • Review whether costs are properly allocated to the various parties to the Wastewater Treatment Plant Agreement. December – April 400 $82,500 $82,500

Utilities Work Order Process and Accounting Review • Perform an initial assessment to identify high risk subprocesses in the work order process (e.g., labor, materials, specific utility). • Document and evaluate the processes and controls in place to ensure proper recording of costs. • Perform tests to determine the accuracy of attributed costs for a sample of completed work orders. June – December 400 $84,900 $84,900

Construction Audit – Public Safety Building Public Works TBD TBD TBD $82,500 $82,500

TBD TBD / Ad Hoc Requests TBD TBD TBD $20,870 $20,870

Phase III Sub Total 2,100 $382,620 $382,620

City Auditor – Budget Overview

The following is a reconciliation between the audit plan above and the City Audit budget.
Note that the annual budgets agree to the annual budget in the Baker Tilly agreement (Task #4).

Budget Item Amount
FY21 Cost $390,000.00
FY22 Cost $600,000.00
Total Cost $990,000.00
Total Budget - Task 4 $990,000.00
Net $ -

Appendix: Task Orders

*Note that certain items are subject to change pending Council discussion and approval.

Audit Activity 4.1 – Construction Project Controls Assessment

PROFESSIONAL SERVICES TASK ORDER
TASK ORDER FY21-004.1

Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below.

CONTRACT NO. OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE)
1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE):
1B. TASK ORDER NO.: FY21-004.1
2. CONSULTANT NAME: Baker Tilly US, LLP
3. PERIOD OF PERFORMANCE: START: March 1, 2021 COMPLETION: June 30, 2021
4. TOTAL TASK ORDER PRICE: $61,400
BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT $TBD
5. BUDGET CODE_______________ COST CENTER________________ COST ELEMENT______________ WBS/CIP__________ PHASE__________
6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Lydia Kou, Chair of the City Council’s Policy and Services Committee
7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE:
• SERVICES AND DELIVERABLES TO BE PROVIDED
• SCHEDULE OF PERFORMANCE
• MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable)
• REIMBURSABLE EXPENSES, if any (with “not to exceed” amount)
8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A

I hereby authorize the performance of the work described in this Task Order.
APPROVED: CITY OF PALO ALTO
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________

I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant.

APPROVED: COMPANY NAME: ______________________
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________

Attachment A

DESCRIPTION OF SCOPE OF SERVICES

Introduction

Attachment A, the Description of Scope of Services, contains the following four (4) elements:
• Services and Deliverables To Be Provided
• Schedule of Performance
• Maximum Compensation Amount and Rate Schedule (As Applicable)
• Reimbursable Expenses, if any (With “Not To Exceed” Amount)

Services & Deliverables

Baker Tilly’s approach to conducting the Construction Controls Assessment involves four (3) primary steps:
• Step 1: Audit Planning
• Step 2: Control review and analysis
• Step 3: Reporting

Step 1 – Audit Planning

This step consists of the tasks performed to adequately plan the work necessary to address the overall audit objective and to solidify mutual understanding of the audit scope, objectives, audit process, and timing between stakeholders and auditors.
Tasks include: • Gather information to understand the environment under review o Understand the organizational structure and objectives o Review the City code, regulations, and other standards and expectations o Review prior audit results, as applicable o Review additional documentation and conduct interviews as necessary • Assess the audit risk • Write an audit planning memo and audit program o Refine audit objectives and scope o Identify the audit procedures to be performed and the evidence to be obtained and examined • Announce the initiation of the audit and conduct kick-off meeting with key stakeholders o Discuss audit objectives, scope, audit process, timing, resources, and expectations o Discuss documentation and interview requests for the audit Step 2 – Controls review and analysis During this step we will assess the adequacy of the City’s controls and whether documented controls have been implemented and are functioning as intended. We will focus on the following areas: • Construction contracts • Prime contractor bid and award • Contract administration • Schedule management • Communication and document control • Contractor billing review and approval • Change management • Allowance and contingency management • Verification of completed work • Project closeout activities Step 3 – Reporting In Step 3, the project team will perform tasks necessary to finalize audit working papers, prepare and review a draft report with the stakeholders, and submit a final audit report.
Tasks include: • Develop findings, conclusions, and recommendations based on the supporting evidence gathered • Validate findings with the appropriate individuals and discuss the root cause of the identified findings • Complete supervisory review of working papers and a draft audit report • Distribute a draft audit report and conduct a closing meeting with key stakeholders o Discuss the audit results, findings, conclusions, and recommendations o Discuss management responses • Obtain written management responses and finalize a report • Review report with members of City Council and/or the appropriate Council Committee • Present the final report to the City Council and/or appropriate Council Committee Deliverables: The following deliverable will be prepared as part of this engagement: • Project controls assessment which will include the construction contract risk/opportunity register Schedule of Performance Anticipated Start Date: March 1, 2021 Anticipated End Date: June 30, 2021 Maximum Compensation Amount and Rate Schedule The not-to-exceed maximum for this Task is $61,400. The not-to-exceed budget is based on an estimate of 310 total project hours, of which 10 are estimated to be completed by the City Auditor. Reimbursable Expenses We plan to complete all work remotely, including all interviews and documentation review. If at any point the City and Baker Tilly mutually determine it will be beneficial to perform a portion of the work on-site, we will submit an estimate of our reimbursable expenses for the City’s approval prior to traveling to Palo Alto. Audit Activity 4.2 – Asset Capitalization Audit PROFESSIONAL SERVICES TASK ORDER TASK ORDER FY21-004.2 Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference.
The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below. CONTRACT NO. OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE) 1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): 1B. TASK ORDER NO.: FY21-004.2 2. CONSULTANT NAME: Baker Tilly US, LLP 3. PERIOD OF PERFORMANCE: START: March 1, 2021 COMPLETION: June 30, 2021 4. TOTAL TASK ORDER PRICE: $38,600 BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT $TBD 5. BUDGET CODE_______________ COST CENTER________________ COST ELEMENT______________ WBS/CIP__________ PHASE__________ 6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Lydia Kou, Chair of the City Council’s Policy and Services Committee 7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE: • SERVICES AND DELIVERABLES TO BE PROVIDED • SCHEDULE OF PERFORMANCE • MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable) • REIMBURSABLE EXPENSES, if any (with “not to exceed” amount) 8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A I hereby authorize the performance of the work described in this Task Order. APPROVED: CITY OF PALO ALTO BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant.
APPROVED: COMPANY NAME: ______________________ BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ Attachment A DESCRIPTION OF SCOPE OF SERVICES Introduction Attachment A, the Description of Scope of Services, contains the following four (4) elements: • Services and Deliverables To Be Provided • Schedule of Performance • Maximum Compensation Amount and Rate Schedule (As Applicable) • Reimbursable Expenses, if any (With “Not To Exceed” Amount) Services & Deliverables Baker Tilly’s approach to conducting a limited scope audit of asset capitalization involves three (3) primary steps: • Step 1: Audit Planning • Step 2: Control Review and Testing • Step 3: Reporting Step 1 – Audit Planning This step consists of the tasks performed to adequately plan the work necessary to address the overall audit objective and to solidify mutual understanding of the audit scope, objectives, audit process, and timing between stakeholders and auditors.
Tasks include: • Gather information to understand the environment under review o Understand the organizational structure and objectives o Review the City code, regulations, and other standards and expectations o Review prior audit results, as applicable o Review additional documentation and conduct interviews as necessary • Assess the audit risk • Write an audit planning memo and audit program o Refine audit objectives and scope o Identify the audit procedures to be performed and the evidence to be obtained and examined • Announce the initiation of the audit and conduct kick-off meeting with key stakeholders o Discuss audit objectives, scope, audit process, timing, resources, and expectations o Discuss documentation and interview requests for the audit Step 2 – Control Review and Testing This step involves executing the procedures in the audit program to gather information, interview individuals, and analyze the data and information to obtain sufficient evidence to address the audit objectives. The preliminary audit objective is to: (1) Evaluate process to capture construction work in progress, expensing or capitalizing items in accordance with accounting standards; (2) Determine whether adequate controls are in place and working effectively to ensure that assets are properly categorized and recorded in accordance with the accounting policy; (3) Assess the design of the internal controls against the best practice.
Procedures include: • Interview the appropriate individuals to understand the process, the information system used, and the internal controls related to asset capitalization • Review policies and procedures as well as the regulations and standards to identify the criteria to be used for evaluation of control design and effectiveness • Perform test procedures including observation of controls (such as application controls) and review of selected documents (such as supporting documents for the recorded transactions) • Compare the process and controls against the best practices Step 3 – Reporting In Step 3, the project team will perform tasks necessary to finalize audit working papers, prepare and review a draft report with the stakeholders, and submit a final audit report. Tasks include: • Develop findings, conclusions, and recommendations based on the supporting evidence gathered • Validate findings with the appropriate individuals and discuss the root cause of the identified findings • Complete supervisory review of working papers and a draft audit report • Distribute a draft audit report and conduct a closing meeting with key stakeholders o Discuss the audit results, findings, conclusions, and recommendations o Discuss management responses • Obtain written management responses and finalize a report • Review report with members of City Council and/or the appropriate Council Committee • Present the final report to the City Council and/or appropriate Council Committee Deliverables: The following deliverable will be prepared as part of this engagement: • Audit Report Schedule of Performance Anticipated Start Date: March 1, 2021 Anticipated End Date: June 30, 2021 Maximum Compensation Amount and Rate Schedule The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this Task is $38,600. The not-to-exceed budget is based on an estimate of 180 total project hours, of which 10 are estimated to be completed by the City Auditor.
Reimbursable Expenses We plan to complete all work remotely, including all interviews and documentation review. If at any point the City and Baker Tilly mutually determine it will be beneficial to perform a portion of the work on-site, we will submit an estimate of our reimbursable expenses for the City’s approval prior to traveling to Palo Alto. Audit Activity 4.3 – Assessment of SAP Functionality & Internal Controls PROFESSIONAL SERVICES TASK ORDER TASK ORDER FY21-004.3 Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below. CONTRACT NO. OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE) 1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): 1B. TASK ORDER NO.: FY21-001 2. CONSULTANT NAME: Baker Tilly US, LLP 3. PERIOD OF PERFORMANCE: START: March 1, 2021 COMPLETION: June 30, 2021 4. TOTAL TASK ORDER PRICE: $23,050 BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT $TBD 5. BUDGET CODE_______________ COST CENTER________________ COST ELEMENT______________ WBS/CIP__________ PHASE__________ 6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Lydia Kou, Chair of the City Council’s Policy and Services Committee 7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE: • SERVICES AND DELIVERABLES TO BE PROVIDED • SCHEDULE OF PERFORMANCE • MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable) • REIMBURSABLE EXPENSES, if any (with “not to exceed” amount) 8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A I hereby authorize the performance of the work described in this Task Order.
APPROVED: CITY OF PALO ALTO BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant. APPROVED: COMPANY NAME: ______________________ BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ Attachment A DESCRIPTION OF SCOPE OF SERVICES Introduction Attachment A, the Description of Scope of Services, contains the following four (4) elements: • Services and Deliverables To Be Provided • Schedule of Performance • Maximum Compensation Amount and Rate Schedule (As Applicable) • Reimbursable Expenses, if any (With “Not To Exceed” Amount) Services & Deliverables Baker Tilly’s approach to conducting a limited scope Assessment of SAP Functionality and Internal Controls (FY21) involves three (3) primary steps: • Step 1: Audit Planning • Step 2: Control Review and Testing • Step 3: Reporting Step 1 – Audit Planning This step consists of the tasks performed to adequately plan the work necessary to address the overall audit objective and to solidify mutual understanding of the audit scope, objectives, audit process, and timing between stakeholders and auditors.
Tasks include: • Gather information to understand the environment under review o Understand the organizational structure and objectives o Review the City code, regulations, and other standards and expectations o Review prior audit results, as applicable o Review additional documentation and conduct interviews as necessary • Assess the audit risk • Write an audit planning memo and audit program o Refine audit objectives and scope o Identify the audit procedures to be performed and the evidence to be obtained and examined • Announce the initiation of the audit and conduct kick-off meeting with key stakeholders o Discuss audit objectives, scope, audit process, timing, resources, and expectations o Discuss documentation and interview requests for the audit Step 2 – Control Review and Testing This step involves executing the procedures in the audit program to gather information, interview individuals, and analyze the data and information to obtain sufficient evidence to address the audit objectives. The preliminary audit objective is to determine whether controls and segregation of duties are properly designed and in place for the upgraded ERP system. Procedures include, but are not limited to: • Interview the appropriate information technology (IT) personnel to understand the internal controls and segregation of duties considered during the SAP system upgrade project • Interview the appropriate users to understand the process and the internal controls changed as a result of prior audit findings and the SAP upgrade • Perform test procedures including observation of controls (such as application controls) and review of selected documents (such as user access reports) Note that the nature and extent of testing and control review will be dependent on the project delivery schedule.
Step 3 – Reporting In Step 3, the project team will perform tasks necessary to finalize audit working papers, prepare and review a draft report with the stakeholders, and submit a final audit report. Tasks include: • Develop findings, conclusions, and recommendations based on the supporting evidence gathered • Validate findings with the appropriate individuals and discuss the root cause of the identified findings • Complete supervisory review of working papers and a draft audit report • Distribute a draft audit report and conduct a closing meeting with key stakeholders o Discuss the audit results, findings, conclusions, and recommendations o Discuss management responses • Obtain written management responses and finalize a report • Review report with members of City Council and/or the appropriate Council Committee • Present the final report to the City Council and/or appropriate Council Committee Deliverables: The following deliverable will be prepared as part of this engagement: • Audit Report Schedule of Performance Anticipated Start Date: March 1, 2021 Anticipated End Date: June 30, 2021 Maximum Compensation Amount and Rate Schedule The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this Task is $23,050. The not-to-exceed budget is based on an estimate of 100 total project hours, of which 10 are estimated to be completed by the City Auditor. Reimbursable Expenses We plan to complete all work remotely, including all interviews and documentation review. If at any point the City and Baker Tilly mutually determine it will be beneficial to perform a portion of the work on-site, we will submit an estimate of our reimbursable expenses for the City’s approval prior to traveling to Palo Alto.
Audit Activity 4.4 – IT Risk Management Assessment PROFESSIONAL SERVICES TASK ORDER TASK ORDER FY21-004.4 Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below. CONTRACT NO. OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE) 1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): 1B. TASK ORDER NO.: FY21-004.4 2. CONSULTANT NAME: Baker Tilly US, LLP 3. PERIOD OF PERFORMANCE: START: March 1, 2021 COMPLETION: June 30, 2021 4. TOTAL TASK ORDER PRICE: $61,550 BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT $TBD 5. BUDGET CODE_______________ COST CENTER________________ COST ELEMENT______________ WBS/CIP__________ PHASE__________ 6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Lydia Kou, Chair of the City Council’s Policy and Services Committee 7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE: • SERVICES AND DELIVERABLES TO BE PROVIDED • SCHEDULE OF PERFORMANCE • MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable) • REIMBURSABLE EXPENSES, if any (with “not to exceed” amount) 8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A I hereby authorize the performance of the work described in this Task Order. APPROVED: CITY OF PALO ALTO BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant.
APPROVED: COMPANY NAME: ______________________ BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ Attachment A DESCRIPTION OF SCOPE OF SERVICES Introduction Attachment A, the Description of Scope of Services, contains the following four (4) elements: • Services and Deliverables To Be Provided • Schedule of Performance • Maximum Compensation Amount and Rate Schedule (As Applicable) • Reimbursable Expenses, if any (With “Not To Exceed” Amount) Services & Deliverables Baker Tilly’s approach to conducting the IT Risk Management Assessment involves three (3) primary steps: • Step 1: Audit Planning • Step 2: Control Testing and Review • Step 3: Reporting Step 1 – Audit Planning This step includes those tasks necessary to solidify mutual understanding of the assessment scope, objectives, deliverables, and timing as well as ensuring that appropriate client and consultant resources are available and well-coordinated.
Tasks include: • Gather information to understand the environment under review o Understand the organizational structure and objectives o Review the City code, regulations, and other standards and expectations o Review prior audit results, as applicable o Review additional documentation and conduct interviews as necessary • Assess the audit risk • Write an audit planning memo and audit program o Refine audit objectives and scope o Identify the audit procedures to be performed and the evidence to be obtained and examined • Announce the initiation of the audit and conduct a kick-off meeting with key stakeholders o Discuss audit objectives, scope, audit process, timing, resources, and expectations o Discuss documentation and interview requests for the audit Step 2 – Control Testing and Review This step involves gathering information, through various means, that will enable the project team to understand Palo Alto’s IT Risk Management and Governance strategy. Tasks include: • Request and review background information – the project team will develop an information request(s) in order to obtain an understanding of the Risk Management and Governance strategy within the City of Palo Alto. The request will include, but not be limited to: o Organizational Strategic plan(s) o Organizational Governance Documents o IT Risk Management Strategy o IT Strategic Roadmaps o Organizational Security and Privacy Policies o System-level Security and Privacy Policies o Operational policies and procedures o Consulting reports o Security Baselines and Cybersecurity frameworks o Other relevant information and reports • Conduct interviews with IT management to gain understanding of Palo Alto’s: o Risk Management Strategy to gain an understanding of the organization’s priorities, constraints, risk tolerances, and assumptions that are established and used to support operational risk decisions.
o Risk Assessment Process to gain an understanding of how Palo Alto identifies its cybersecurity risks to its organizational operations (including mission, functions, image and reputation) o Organization security baselines and frameworks o Continuous Monitoring strategy • Conduct research into key risks in order to identify relevant information to assess risks • Test design and implementation of controls related to assessment objectives to determine whether controls are adequately designed and implemented to support the IT Risk Management Strategy • Compare the current IT risk management process against an appropriate IT governance framework Step 3 – Reporting In Step 3, the project team will perform tasks necessary to finalize audit working papers, prepare and review a draft report with the stakeholders, and submit a final audit report. Tasks include: • Develop findings, conclusions, and recommendations based on the supporting evidence gathered • Validate findings with the appropriate individuals and discuss the root cause of the identified findings • Complete supervisory review of working papers and a draft audit report • Distribute a draft audit report and conduct a closing meeting with key stakeholders o Discuss the audit results, findings, conclusions, and recommendations o Discuss management responses • Obtain written management responses and finalize a report • Review report with members of City Council and/or the appropriate Council Committee • Present the final report to the City Council and/or appropriate Council Committee Deliverables: The following deliverables will be prepared as part of this engagement: • Audit Report Schedule of Performance Anticipated Start Date: March 1, 2021 Anticipated End Date: June 30, 2021 Maximum Compensation Amount and Rate Schedule The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this Task is $61,550.
The not-to-exceed budget is based on an estimate of 350 total project hours, of which 20 are estimated to be completed by the City Auditor. Reimbursable Expenses We plan to complete all work remotely, including all interviews and documentation review. If at any point the City and Baker Tilly mutually determine it will be beneficial to perform a portion of the work on-site, we will submit an estimate of our reimbursable expenses for the City’s approval prior to traveling to Palo Alto. Audit Activity 4.5 – Investment Management Review PROFESSIONAL SERVICES TASK ORDER TASK ORDER FY21-004.5 Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below. CONTRACT NO. OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE) 1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): 1B. TASK ORDER NO.: FY21-001 2. CONSULTANT NAME: Baker Tilly US, LLP 3. PERIOD OF PERFORMANCE: START: March 1, 2021 COMPLETION: June 30, 2021 4. TOTAL TASK ORDER PRICE: $82,500 BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT $TBD 5. BUDGET CODE_______________ COST CENTER________________ COST ELEMENT______________ WBS/CIP__________ PHASE__________ 6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Lydia Kou, Chair of the City Council’s Policy and Services Committee 7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE: • SERVICES AND DELIVERABLES TO BE PROVIDED • SCHEDULE OF PERFORMANCE • MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable) • REIMBURSABLE EXPENSES, if any (with “not to exceed” amount) 8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A I hereby authorize the performance of the work described in this Task Order.
APPROVED: CITY OF PALO ALTO BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant. APPROVED: COMPANY NAME: ______________________ BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ Attachment A DESCRIPTION OF SCOPE OF SERVICES Introduction Attachment A, the Description of Scope of Services, contains the following four (4) elements: • Services and Deliverables To Be Provided • Schedule of Performance • Maximum Compensation Amount and Rate Schedule (As Applicable) • Reimbursable Expenses, if any (With “Not To Exceed” Amount) Services & Deliverables Baker Tilly’s approach to conducting a Review of Investment Management involves three (3) primary steps: • Step 1: Audit Planning • Step 2: Control Review and Testing • Step 3: Reporting Step 1 – Audit Planning This step consists of the tasks performed to adequately plan the work necessary to address the overall audit objective and to solidify mutual understanding of the audit scope, objectives, audit process, and timing between stakeholders and auditors.
Tasks include: • Gather information to understand the environment under review o Understand the organizational structure and objectives o Review the City code, regulations, and other standards and expectations o Review prior audit results, as applicable o Review additional documentation and conduct interviews as necessary • Assess the audit risk • Write an audit planning memo and audit program o Refine audit objectives and scope o Identify the audit procedures to be performed and the evidence to be obtained and examined • Announce the initiation of the audit and conduct kick-off meeting with key stakeholders o Discuss audit objectives, scope, audit process, timing, resources, and expectations o Discuss documentation and interview requests for the audit Step 2 – Control Review and Testing This step involves executing the procedures in the audit program to gather information, interview individuals, and analyze the data and information to obtain sufficient evidence to address the audit objectives. The preliminary audit objective is to: (1) Determine whether adequate controls are in place and working effectively to ensure that investments are properly managed in accordance with the investment policy; (2) Assess the efficiency and the effectiveness of the investment portfolio management against the best practice.
Procedures include, but are not limited to: • Interview the appropriate individuals to understand the process, the information system used, and the internal controls related to investment management • Review policies and procedures as well as the regulations and standards to identify the criteria to be used for evaluation of control design and effectiveness • Perform test procedures including observation of controls (such as application controls) and review of selected documents (such as supporting documents for the recorded transactions) • Compare the process, controls, and organization against the best practices Step 3 – Reporting In Step 3, the project team will perform tasks necessary to finalize audit working papers, prepare and review a draft report with the stakeholders, and submit a final audit report. Tasks include: • Develop findings, conclusions, and recommendations based on the supporting evidence gathered • Validate findings with the appropriate individuals and discuss the root cause of the identified findings • Complete supervisory review of working papers and a draft audit report • Distribute a draft audit report and conduct a closing meeting with key stakeholders o Discuss the audit results, findings, conclusions, and recommendations o Discuss management responses • Obtain written management responses and finalize a report • Review report with members of City Council and/or the appropriate Council Committee Deliverables: The following deliverable will be prepared as part of this engagement: • Audit Report Schedule of Performance Anticipated Start Date: March 1, 2021 Anticipated End Date: June 30, 2021 Maximum Compensation Amount and Rate Schedule The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this Task is $82,500. The not-to-exceed budget is based on an estimate of 400 total project hours, of which 20 are estimated to be completed by the City Auditor.
Reimbursable Expenses We plan to complete all work remotely, including all interviews and documentation review. If at any point the City and Baker Tilly mutually determine it will be beneficial to perform a portion of the work on-site, we will submit an estimate of our reimbursable expenses for the City’s approval prior to traveling to Palo Alto. Audit Activity 4.6 – Power Purchase Agreement Review PROFESSIONAL SERVICES TASK ORDER TASK ORDER FY21-004.6 Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below. CONTRACT NO. OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE) 1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): 1B. TASK ORDER NO.: FY21-001 2. CONSULTANT NAME: Baker Tilly US, LLP 3. PERIOD OF PERFORMANCE: START: March 1, 2021 COMPLETION: June 30, 2021 4. TOTAL TASK ORDER PRICE: $74,875 BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT $TBD 5. BUDGET CODE_______________ COST CENTER________________ COST ELEMENT______________ WBS/CIP__________ PHASE__________ 6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Alison Cormack, Chair of the City Council’s Policy and Services Committee 7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE: • SERVICES AND DELIVERABLES TO BE PROVIDED • SCHEDULE OF PERFORMANCE • MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable) • REIMBURSABLE EXPENSES, if any (with “not to exceed” amount) 8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A I hereby authorize the performance of the work described in this Task Order.
APPROVED: CITY OF PALO ALTO BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant. APPROVED: COMPANY NAME: ______________________ BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ Attachment A DESCRIPTION OF SCOPE OF SERVICES Introduction Attachment A, the Description of Scope of Services, contains the following four (4) elements: • Services and Deliverables To Be Provided • Schedule of Performance • Maximum Compensation Amount and Rate Schedule (As Applicable) • Reimbursable Expenses, if any (With “Not To Exceed” Amount) Services & Deliverables Baker Tilly’s approach to conducting the Power Purchase Contracts Review involves three (3) primary steps: • Step 1: Audit Planning • Step 2: Control Review and Testing • Step 3: Reporting Step 1 – Audit Planning This step consists of the tasks performed to adequately plan the work necessary to address the overall audit objective and to solidify mutual understanding of the audit scope, objectives, audit process, and timing between stakeholders and auditors.
Tasks include:
• Gather information to understand the environment under review
  o Understand the organizational structure and objectives
  o Review the City code, regulations, and other standards and expectations
  o Review prior audit results, as appropriate
  o Review additional documentation and conduct interviews as necessary
• Assess the audit risk
• Write an audit planning memo and audit program
  o Refine audit objectives and scope
  o Identify the audit procedures to be performed and the evidence to be obtained and examined
• Announce the initiation of the audit and conduct a kick-off meeting with key stakeholders
  o Discuss audit objectives, scope, audit process, timing, resources, and expectations
  o Discuss documentation and interview requests for the audit

Step 2 – Control Review and Testing
This step involves gathering information, through various means, that will enable the project team to understand the current work order process. Tasks include:
• Request and review background information – the project team will develop an information request(s) in order to obtain various background information from the City.
  The request will include, but not be limited to:
  o Organizational charts
  o Contact information for key process owners
  o Active power purchase agreements (PPA)
  o Policy and procedures documentation related to procuring and managing PPAs and related billings/invoice processing
• Conduct interviews with key process owners and management
  o Interviews aimed at understanding the processes surrounding PPAs and related billings/invoice processing
• Perform risk assessment, analysis and testing
  o Identify initial control or process gaps
  o Quantify and analyze PPA spend by contract
  o Perform testing of key controls
  o Review contract billings for accuracy and contract compliance
  o Benchmark active PPA terms and conditions against other Baker Tilly client PPAs
  o Compare current state to industry best practices

Step 3 – Reporting
In Step 3, the project team will perform tasks necessary to finalize audit working papers, prepare and review a draft report with the stakeholders, and submit a final audit report.
Tasks include:
• Develop findings, conclusions, and recommendations based on the supporting evidence gathered
• Validate findings with the appropriate individuals and discuss the root cause of the identified findings
• Complete supervisory review of working papers and a draft audit report
• Distribute a draft audit report and conduct a closing meeting with key stakeholders
  o Discuss the audit results, findings, conclusions, and recommendations
  o Discuss management responses
• Obtain written management responses and finalize a report
• Review report with members of City Council and/or the appropriate Council Committee
• Present the final report to the City Council and/or appropriate Council Committee

Deliverables:
The following deliverables will be prepared as part of this engagement:
• Audit Report

Schedule of Performance
Anticipated Start Date: March 1, 2021
Anticipated End Date: June 30, 2021

Maximum Compensation Amount and Rate Schedule
The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this Task is $74,875. The not-to-exceed budget is based on an estimate of 375 total project hours, of which 10 are estimated to be completed by the City Auditor.

Reimbursable Expenses
We plan to complete all work remotely, including all interviews and documentation review. If at any point the City and Baker Tilly mutually determine it will be beneficial to perform a portion of the work on-site, we will submit an estimate of our reimbursable expenses for the City’s approval prior to traveling to Palo Alto.

Audit Activity 4.7 – Economic Recovery Advisory
PROFESSIONAL SERVICES TASK ORDER
TASK ORDER FY21-004.7
Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference.
The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below.
CONTRACT NO. OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE)
1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE):
1B. TASK ORDER NO.: FY21-004.7
2. CONSULTANT NAME: Baker Tilly US, LLP
3. PERIOD OF PERFORMANCE: START: March 1, 2021 COMPLETION: December 31, 2021
4. TOTAL TASK ORDER PRICE: $84,615
BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT $TBD
5. BUDGET CODE_______________ COST CENTER________________ COST ELEMENT______________ WBS/CIP__________ PHASE__________
6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Lydia Kou, Chair of the City Council’s Policy and Services Committee
7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE:
• SERVICES AND DELIVERABLES TO BE PROVIDED
• SCHEDULE OF PERFORMANCE
• MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable)
• REIMBURSABLE EXPENSES, if any (with “not to exceed” amount)
8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A
I hereby authorize the performance of the work described in this Task Order.
APPROVED: CITY OF PALO ALTO
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________
I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant.
APPROVED: COMPANY NAME: ______________________
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________

Attachment A
DESCRIPTION OF SCOPE OF SERVICES

Introduction
Attachment A, the Description of Scope of Services, contains the following four (4) elements:
• Services and Deliverables To Be Provided
• Schedule of Performance
• Maximum Compensation Amount and Rate Schedule (As Applicable)
• Reimbursable Expenses, if any (With “Not To Exceed” Amount)

Services & Deliverables
Baker Tilly’s approach to conducting the Economic Recovery Advisory project involves four (4) primary steps:
• Step 1: Project Planning & Management
• Step 2: Information Gathering
• Step 3: Analysis
• Step 4: Reporting

Step 1 – Audit Planning
This step consists of the tasks performed to adequately plan the work necessary to address the overall audit objective and to solidify mutual understanding of the audit scope, objectives, audit process, and timing between stakeholders and auditors.
Tasks include:
• Gather information to understand the environment under review
  o Understand the organizational structure and objectives
  o Review the City code, regulations, and other standards and expectations
  o Review prior audit results, as applicable
  o Review additional documentation and conduct interviews as necessary
• Assess the audit risk
• Write an audit planning memo and audit program
  o Refine audit objectives and scope
  o Identify the audit procedures to be performed and the evidence to be obtained and examined
• Announce the initiation of the audit and conduct a kick-off meeting with key stakeholders
  o Discuss audit objectives, scope, audit process, timing, resources, and expectations
  o Discuss documentation and interview requests for the audit

Step 2 – Information Gathering
This step involves gathering information, through various means, that will enable the project team to understand the various risks facing the City. Tasks include:
• Request and review background information – the project team will develop an information request(s) in order to obtain various background information from the City. The request will include, but not be limited to:
  o Financial reports, including the past five years' City Budgets and Comprehensive Annual Financial Report (CAFR), especially major revenue sources including:
    • Net sales
    • Property tax
    • Sales tax
    • Utility user tax
    • Transient occupancy tax
    • Documentary transfer tax
    • Charges for services
    • Permits and licenses
    • Rental income
    • Other
  o Existing financial and revenue planning projections
  o Other relevant information and reports
• Conduct up to twelve (12) interviews with City Council and management
  o Information gathering and assessment interviews, aimed at understanding City functions and identifying revenue and expense risks, will be conducted with City Council members as well as department and division
• Conduct research to identify relevant information to assess risks.
  The following items may be relevant depending on the revenue source or expense type.
  o Diversity and distribution of each revenue source
    • Economic base by NAICS code
    • Major contributors to each source
    • Geographic location/concentration
    • Office and industrial rental vacancies
    • Transient occupancy
    • Property values
    • Property turnover (sales)
    • Student enrollment
    • Household income
    • Unemployment rate
    • Employment and number of jobs
    • Sales tax base per capita
    • Property tax base per capita
    • Other
  o Projected economic trends

Step 3 – Analysis
In Step 3, the project team will analyze each revenue source. The analysis, which will focus on a subset of high-risk revenue sources, will include the following:
• Historical trends
• Distribution of revenue sources by revenue type:
  o Source(s)
  o Concentration/distribution of revenue received to identify:
    • Largest payors
    • Geographic location
  o Historical relationship between economic factors and other relevant factors to revenue amounts
  o Perform a sensitivity analysis to determine the range of likely variability based on relevant drivers of sensitivity
  o Comparison of per-capita revenues by type to other similar cities
• Review analysis with City staff
• Modify analysis incorporating City staff recommendations as appropriate

Step 4 – Reporting
In Step 4, the project team will perform tasks necessary to finalize audit working papers, prepare and review a draft report with the stakeholders, and submit a final audit report.
Tasks include:
• Develop findings, conclusions, and recommendations based on the supporting evidence gathered
• Validate findings with the appropriate individuals and discuss the root cause of the identified findings
• Complete supervisory review of working papers and a draft audit report
• Distribute a draft audit report and conduct a closing meeting with key stakeholders
  o Discuss the audit results, findings, conclusions, and recommendations
  o Discuss management responses
• Obtain written management responses and finalize a report
• Review report with members of City Council and/or the appropriate Council Committee
• Present the final report to the City Council and/or appropriate Council Committee

*Note – Baker Tilly has budgeted to provide ad hoc, as-needed assistance to the City and City Council during the budgeting process. The nature and extent of that work will be determined through discussion with Council.

Deliverables:
The following deliverables will be prepared as part of this engagement:
• Final Report

Schedule of Performance
Anticipated Start Date: March 1, 2021
Anticipated End Date: December 31, 2021

Maximum Compensation Amount and Rate Schedule
The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this Task is $84,615. The not-to-exceed budget is based on an estimate of 400 total project hours, of which 20 are estimated to be completed by the City Auditor.

Reimbursable Expenses
We plan to complete all work remotely, including all interviews and documentation review. If at any point the City and Baker Tilly mutually determine it will be beneficial to perform a portion of the work on-site, we will submit an estimate of our reimbursable expenses for the City’s approval prior to traveling to Palo Alto.