Staff Report 2301-0827
2. Approval of Office of City Auditor FY2023 Task Orders Presentation

Policy & Services Committee Staff Report

From: Chantal Gaines, Deputy City Manager
Lead Department: City Auditor
Meeting Date: February 28, 2023
Report #: 2301-0827

TITLE
Approval of Office of City Auditor FY2023 Task Orders

RECOMMENDATION
The City Auditor recommends that the Policy & Services Committee recommend City Council approval for the following Task Orders, identified in the Audit Plan Report:
1) FY23-Task 01 – Citywide Risk Assessment
2) FY23-Task 02 – Annual Audit Plan
3) Task 04.12 – Wire Payment Process and Controls Review (Extension)
4) Task 04.13 – Remote and Flexible Work Study (Extension)
5) Task 04.14 – Cybersecurity Assessment (Extension)
6) Task 04.15 – Wastewater Treatment Facility Agreement (Extension)
7) Task 04.19 – Disaster Recovery Preparedness
8) Task 04.20 – Procurement Process Review

DISCUSSION
In accordance with our agreement with the City, Baker Tilly is required to conduct recurring activities each year. Those recurring activities include the following tasks outlined in our agreement:
• Task 1: Citywide Risk Assessment
• Task 2: Preparation of Annual Audit Plan
• Task 4: Execute Council approved Annual Audit Plan (Attachment B)

The Office of the City Auditor (OCA) is seeking approval from the Policy & Services Committee of the Task Orders that correspond to the Tasks outlined above, and a recommendation to forward these task orders to the City Council for approval. The Task Orders provide the contractual authority to begin this work in the new Fiscal Year 2023. An excerpt from the contract outlining these tasks is below for ease of reference.

Task 1. Beginning with year 1 and continuing at a minimum every other year thereafter, prepare a citywide risk assessment following the same review and approval requirements described in Task 2. The risk assessment process will be the primary determinant of subsequent audit activity.

Task 2. Prepare an annual audit plan for review by the City Manager and appropriate City Council committee(s), and approval by the City Council, that identifies preliminary objectives of each audit to be performed, the schedule for each audit, and the estimated not-to-exceed resources and costs for each audit. The City Auditor shall consult with the City Attorney as necessary when developing audit plans. The annual audit plan will be largely based on the risk assessment required in Task 1.

Task 4. Execute Annual Audit Plan: Conduct a minimum number of internal audits in accordance with each approved annual audit plan based on the risk assessments. Each internal audit will commence only upon the City’s approval of a Task Order (which may be at the task or sub-task level) as required by this Agreement. Each internal audit requires the preparation of a written report for review by the City Manager, City Attorney and appropriate Council committee, and review/approval by the City Council as required.

Task 4 Details. The details of the task orders (4 extensions and 2 new) are as follows:

04.12 Wire Payment Process and Controls Review (Extension)
This task order, with a period of performance from January 10, 2022, to June 30, 2022, was signed at the end of February 2022, and the review commenced in March 2022. Although the fieldwork was completed in May 2022, the report process took longer than expected, and there was then a transition period in early FY23 until the interim City Auditor was appointed. OCA requests that the period of performance be extended to March 31, 2023. The total not-to-exceed budget remains the same, although the costs incurred after June 30, 2022, will be charged against the FY2023 budget (instead of the FY2022 budget).

04.13 Remote and Flexible Work Study (Extension)
This task order, with a period of performance from March 1, 2022, to December 31, 2022, was signed in mid-April 2022, and the review commenced in late April 2022. Although the fieldwork was completed in September 2022, the management response process is taking longer than expected. OCA requests that the period of performance be extended to March 30, 2023. The total not-to-exceed budget remains the same.

04.14 Cybersecurity Assessment (Extension)
This task order, with a period of performance from March 1, 2022, to December 31, 2022, was signed in mid-April 2022, and the review commenced in April 2022. Although the fieldwork was completed in November 2022, the management response process is taking longer than expected. OCA requests that the period of performance be extended to April 30, 2023. The total not-to-exceed budget remains the same.

04.15 Wastewater Treatment Facility Agreement (Extension)
This task order, with a period of performance from March 1, 2022, to December 31, 2022, was signed in mid-April 2022, and the review commenced in June 2022. Although the fieldwork was completed in October 2022, the report process is taking longer than expected. OCA requests that the period of performance be extended to May 31, 2023. The total not-to-exceed budget remains the same.

04.19 Disaster Recovery Preparedness
The preliminary audit objectives include assessing the documentation of the current disaster recovery plan for high-priority applications and supporting infrastructure, to determine the adequacy of the documentation and identify additional documentation requirements.

04.20 Procurement Process Review
The preliminary audit objectives include:
• Determine whether adequate controls are in place and working effectively to ensure that the appropriate vendors are selected properly to achieve desired objectives.
• Identify opportunities to improve the efficiency and effectiveness of the procurement process.

If these task orders are approved unanimously by the Policy & Services Committee, this recommendation will be forwarded to the full City Council for approval on an upcoming consent calendar.
FISCAL/RESOURCE IMPACT
Work recommended in these tasks is within both the approved scope and compensation of the contract with Baker Tilly and funding levels in the FY 2023 Operating Budget for the Office of the City Auditor.

ATTACHMENTS
None.

PROFESSIONAL SERVICES TASK ORDER
TASK ORDER FY23-01 Citywide Risk Assessment

Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below.

CONTRACT NO. C21179340 OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE)
1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): C21179340
1B. TASK ORDER NO.: FY23-01
2. CONSULTANT NAME: Baker Tilly US, LLP
3. PERIOD OF PERFORMANCE: START: March 1, 2023 COMPLETION: June 30, 2023
4. TOTAL TASK ORDER PRICE: $55,000 BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT: TBD
5. BUDGET CODE _______________ COST CENTER ________________ COST ELEMENT ______________ WBS/CIP __________ PHASE __________
6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Greg Tanaka, Chair of the City Council’s Policy and Services Committee
7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE:
   SERVICES AND DELIVERABLES TO BE PROVIDED
   SCHEDULE OF PERFORMANCE
   MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable)
   REIMBURSABLE EXPENSES, if any (with “not to exceed” amount)
8. ATTACHMENTS: A: Task Order Scope of Services; B (if any): N/A

I hereby authorize the performance of the work described in this Task Order.
APPROVED: CITY OF PALO ALTO
BY: ____________________________________
Name __________________________________
Title ___________________________________
Date ___________________________________

I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant.

APPROVED: COMPANY NAME: ______________________
BY: ____________________________________
Name __________________________________
Title ___________________________________
Date ___________________________________

Attachment A
DESCRIPTION OF SCOPE OF SERVICES

Introduction
Attachment A, the Description of Scope of Services, contains the following four (4) elements:
• Services and Deliverables To Be Provided
• Schedule of Performance
• Maximum Compensation Amount and Rate Schedule (As Applicable)
• Reimbursable Expenses, if any (With “Not To Exceed” Amount)

Services & Deliverables
Baker Tilly’s approach to conducting the Citywide Risk Assessment involves four (4) primary steps:
• Step 1: Project Planning & Management
• Step 2: Information Gathering
• Step 3: Analysis
• Step 4: Reporting

Step 1 – Project Planning & Management
This step includes those tasks necessary to solidify mutual understanding of the risk assessment scope, objectives, deliverables, and timing, as well as ensuring that appropriate client and consultant resources are available and well-coordinated. Tasks include:
• Finalize project design – The first project activities will be to:
  o Identify communication channels and reporting relationships and responsibilities of project staff
  o Review and confirm project timelines
  o Review and confirm deliverables
• Arrange logistics/administrative support – Matters to be addressed include schedules for interviews and data collection, contact persons in the departments, any other logistical matters, etc.
• Conduct kick-off meeting with key project stakeholders

Step 2 – Information Gathering
This step involves gathering information, through various means, that will enable the project team to understand the various risks facing the City. Tasks include:
• Request and review background information – the project team will develop an information request(s) in order to obtain various background information from the City. The request will include, but not be limited to:
  o Strategic plan(s)
  o Financial reports, including the most recent City Budget and Comprehensive Annual Financial Report (CAFR)
  o Operational policies and procedures
  o Municipal code
  o Consulting reports
  o Other relevant information and reports
• Conduct interviews with City Council and management
  o Risk assessment interviews, aimed at understanding City functions and identifying risks, will be conducted with City Council members as well as department and division
• Conduct a risk assessment survey, if necessary
• Conduct research into key risks in order to identify relevant information to assess risks

Overall, the project team will consider the following risk types:
• Strategic
• Financial
• Operational
• Technology
• Compliance
• Reputational
• Political

Step 3 – Risk Analysis
In Step 3, the project team will develop a risk matrix consisting of auditable areas (also referred to as an audit or risk universe). The risk matrix will include the following risk categories:
• Environment, Strategy, and Governance – risks that have an organization-wide impact and are not subject to a specific department or function (e.g., ethics)
• Significant Projects and Initiatives – risks associated with large projects (e.g., capital projects, technology implementation) or City initiatives (e.g., employee engagement initiative)
• Function Specific Risks – risks associated with a specific department or function (e.g., procurement policy compliance)

After assembling a risk matrix, the project team will assess the likelihood and impact of potential adverse events in order to quantitatively score each auditable area for purposes of prioritizing audit activities.

Step 4 – Reporting
In Step 4, the project team will finalize the draft Risk Matrix and prepare a draft Risk Assessment Report. The project team will ask for input (general completeness, risk scoring) on the Risk Matrix from key project stakeholders. Upon finalization of the Risk Matrix, the project team will finalize the Risk Assessment Report.

Deliverables:
The following deliverables will be prepared as part of this engagement:
• Risk Matrix
• Risk Assessment Report
• Presentation of Results to City Council (note that this may be combined with presentation of the Task 2 Annual Audit Plan)

Schedule of Performance
Anticipated Start Date: March 1, 2023
Anticipated End Date: June 30, 2023

Maximum Compensation Amount and Rate Schedule
The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below), for this Task is $55,000. The not-to-exceed budget is based on an estimate of 250 total project hours, of which 40 are estimated to be completed by the City Auditor.

Reimbursable Expenses
We plan to complete all work remotely, including all interviews and documentation review. If at any point the City and Baker Tilly mutually determine it will be beneficial to perform a portion of the work on-site, we will submit an estimate of our reimbursable expenses for the City’s approval prior to traveling to Palo Alto.
PROFESSIONAL SERVICES TASK ORDER
TASK ORDER FY23-02 Annual Audit Plan

Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below.

CONTRACT NO. C21179340 OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE)
1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): C21179340
1B. TASK ORDER NO.: FY23-01
2. CONSULTANT NAME: Baker Tilly US, LLP
3. PERIOD OF PERFORMANCE: START: March 1, 2023 COMPLETION: June 30, 2023
4. TOTAL TASK ORDER PRICE: $10,500 BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT: TBD
5. BUDGET CODE _______________ COST CENTER ________________ COST ELEMENT ______________ WBS/CIP __________ PHASE __________
6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Greg Tanaka, Chair of the City Council’s Policy and Services Committee
7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE:
   SERVICES AND DELIVERABLES TO BE PROVIDED
   SCHEDULE OF PERFORMANCE
   MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable)
   REIMBURSABLE EXPENSES, if any (with “not to exceed” amount)
8. ATTACHMENTS: A: Task Order Scope of Services; B (if any): N/A

I hereby authorize the performance of the work described in this Task Order.

APPROVED: CITY OF PALO ALTO
BY: ____________________________________
Name __________________________________
Title ___________________________________
Date ___________________________________

I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant.

APPROVED: COMPANY NAME: ______________________
BY: ____________________________________
Name __________________________________
Title ___________________________________
Date ___________________________________

Attachment A
DESCRIPTION OF SCOPE OF SERVICES

Introduction
Attachment A, the Description of Scope of Services, contains the following four (4) elements:
• Services and Deliverables To Be Provided
• Schedule of Performance
• Maximum Compensation Amount and Rate Schedule (As Applicable)
• Reimbursable Expenses, if any (With “Not To Exceed” Amount)

Services & Deliverables
Baker Tilly’s approach to preparing the Annual Audit Plan involves two (2) primary steps:
• Step 1: Consultation with City Council and Management
• Step 2: Reporting

Step 1 – Consultation with City Council and Management
The Risk Matrix and Risk Assessment Report will serve as the primary drivers of the Annual Audit Plan. The project team will initiate discussions over Risk Assessment results, potential audit activities, and audit coverage with City Council and Management. The purpose of those conversations will be to understand the priorities of City Council and to develop a Draft Annual Audit Plan. The Draft Annual Audit Plan will identify the following components for each audit activity:
• Audit activity type – audit or consulting activity
• Audit objectives and scope
• Anticipated budget – both in terms of hours and budget
• Anticipated timeline

Step 2 – Reporting
The project team will present the Draft Annual Audit Plan to the City Council in order to obtain input on each potential audit activity. Upon refining the plan, the project team will finalize the Annual Audit Plan for presentation to City Council.
Deliverables
The following deliverable will be prepared as part of this engagement:
• Annual Audit Plan

Schedule of Performance
Anticipated Start Date: March 1, 2023
Anticipated End Date: June 30, 2023

Maximum Compensation Amount and Rate Schedule
The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below), for this Task is $10,500. The not-to-exceed budget is based on an estimate of 50 total project hours, of which 10 are estimated to be completed by the City Auditor.

Reimbursable Expenses
We plan to complete all work remotely, including all interviews and documentation review. If at any point the City and Baker Tilly mutually determine it will be beneficial to perform a portion of the work on-site, we will submit an estimate of our reimbursable expenses for the City’s approval prior to traveling to Palo Alto.

PROFESSIONAL SERVICES TASK ORDER
TASK ORDER FY22-4.12

Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below.

CONTRACT NO. C21179340 OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE)
1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): C21179340
1B. TASK ORDER NO.: FY22-004.12
2. CONSULTANT NAME: Baker Tilly US, LLP
3. PERIOD OF PERFORMANCE: START: January 10, 2022 COMPLETION: June 30, 2022 (extended to March 31, 2023)
4. TOTAL TASK ORDER PRICE: $54,550 BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT: Remaining in Task 4 FY22
5. BUDGET CODE _______________ COST CENTER ________________ COST ELEMENT ______________ WBS/CIP __________ PHASE __________
6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Greg Tanaka (replacing Lydia Kou), Chair of the City Council’s Policy and Services Committee
7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE:
   SERVICES AND DELIVERABLES TO BE PROVIDED
   SCHEDULE OF PERFORMANCE
   MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable)
   REIMBURSABLE EXPENSES, if any (with “not to exceed” amount)
8. ATTACHMENTS: A: Task Order Scope of Services; B (if any): N/A

I hereby authorize the performance of the work described in this Task Order.

APPROVED: CITY OF PALO ALTO
BY: ____________________________________
Name __________________________________
Title ___________________________________
Date ___________________________________

I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant.

APPROVED: COMPANY NAME: ______________________
BY: ____________________________________
Name __________________________________
Title ___________________________________
Date ___________________________________

Attachment A
DESCRIPTION OF SCOPE OF SERVICES

Introduction
Attachment A, the Description of Scope of Services, contains the following four (4) elements:
• Services and Deliverables To Be Provided
• Schedule of Performance
• Maximum Compensation Amount and Rate Schedule (As Applicable)
• Reimbursable Expenses, if any (With “Not To Exceed” Amount)

Services & Deliverables
Baker Tilly’s approach to conducting the Work Order Process Review involves three (3) primary steps:
• Step 1: Audit Planning
• Step 2: Process and Control Review
• Step 3: Reporting

Step 1 – Audit Planning
This step consists of the tasks performed to adequately plan the work necessary to address the overall audit objective and to solidify mutual understanding of the audit scope, objectives, audit process, and timing between stakeholders and auditors. Tasks include:
• Gather information to understand the environment under review
  o Understand the organizational structure and objectives
  o Review the City code, regulations, and other standards and expectations
  o Review prior audit results, as applicable
  o Review additional documentation and conduct interviews as necessary
• Assess the audit risk
• Write an audit planning memo and audit program
  o Refine audit objectives and scope
  o Identify the audit procedures to be performed and the evidence to be obtained and examined
• Announce the initiation of the audit and conduct a kick-off meeting with key stakeholders
  o Discuss audit objectives, scope, audit process, timing, resources, and expectations
  o Discuss documentation and interview requests for the audit

Step 2 – Process and Control Review
This step involves executing the procedures in the audit program to gather information, interview individuals, and analyze the data and information to obtain sufficient evidence to address the audit objectives. The preliminary audit objectives are to: (1) Determine whether adequate controls are in place and working effectively to ensure that all disbursements are valid and properly processed in compliance with the City’s policies and procedures; (2) Determine whether end user security awareness training is sufficient to prevent erroneous payments caused by phishing.

Procedures include:
• Interview the appropriate individuals to understand the identified instance of wire fraud
• Interview the appropriate individuals to understand the process, the information system used, and manual and automated controls related to the disbursement process, including vendor record creation and modification
• Interview the appropriate individuals to understand the end user awareness training
• Review policies and procedures as well as the regulations and standards to identify the criteria to be used for evaluation of control design and effectiveness
• Test disbursement transactions and new and modified vendor records, as well as related key internal controls, on a sample basis
• Compare the process and controls against best practices

Step 3 – Reporting
In Step 3, the project team will perform tasks necessary to finalize audit working papers, prepare and review a draft report with the stakeholders, and submit a final audit report. Tasks include:
• Develop findings, conclusions, and recommendations based on the supporting evidence gathered
• Validate findings with the appropriate individuals and discuss the root cause of the identified findings
• Complete supervisory review of working papers and a draft audit report
• Distribute a draft audit report and conduct a closing meeting with key stakeholders
  o Discuss the audit results, findings, conclusions, and recommendations
  o Discuss management responses
• Obtain written management responses and finalize a report
• Review report with members of City Council and/or the appropriate Council Committee
• Present the final report to the City Council and/or appropriate Council Committee

Deliverables:
The following deliverables will be prepared as part of this engagement:
• Audit Report

Schedule of Performance
Anticipated Start Date: January 10, 2022
Anticipated End Date: June 30, 2022 (extended to March 31, 2023)

Maximum Compensation Amount and Rate Schedule
The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below), for this Task is $54,550. The not-to-exceed budget is based on an estimate of 270 total project hours.

Reimbursable Expenses
We plan to complete all work remotely, including all interviews and documentation review. If at any point the City and Baker Tilly mutually determine it will be beneficial to perform a portion of the work on-site, we will submit an estimate of our reimbursable expenses for the City’s approval prior to traveling to Palo Alto.

Audit Activity 4.13 – Remote and Flexible Work Study

PROFESSIONAL SERVICES TASK ORDER
TASK ORDER FY22-004.13

Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below.

CONTRACT NO. C21179340 OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE)
1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE):
1B. TASK ORDER NO.: FY22-004.13
2. CONSULTANT NAME: Baker Tilly US, LLP
3. PERIOD OF PERFORMANCE: START: March 1, 2022 COMPLETION: December 31, 2022 (extended to March 31, 2023)
4. TOTAL TASK ORDER PRICE: $60,000 BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT: $TBD
5. BUDGET CODE _______________ COST CENTER ________________ COST ELEMENT ______________ WBS/CIP __________ PHASE __________
6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Greg Tanaka (replacing Greer Stone), Chair of the City Council’s Policy and Services Committee
7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE:
   SERVICES AND DELIVERABLES TO BE PROVIDED
   SCHEDULE OF PERFORMANCE
   MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable)
   REIMBURSABLE EXPENSES, if any (with “not to exceed” amount)
8. ATTACHMENTS: A: Task Order Scope of Services; B (if any): N/A

I hereby authorize the performance of the work described in this Task Order.

APPROVED: CITY OF PALO ALTO
BY: ____________________________________
Name __________________________________
Title ___________________________________
Date ___________________________________

I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant.
APPROVED: COMPANY NAME: ______________________ BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ Attachment A DESCRIPTION OF SCOPE OF SERVICES Introduction Attachment A, the Description of Scope of Services, contains the following four (4) elements: • Services and Deliverables To Be Provided • Schedule of Performance • Maximum Compensation Amount and Rate Schedule (As Applicable) • Reimbursable Expenses, if any (With “Not To Exceed” Amount) Services & Deliverables Baker Tilly’s approach to conducting the Construction Controls Assessment involves four (3) primary steps: • Step 1: Audit Planning • Step 2: Control review and analysis • Step 3: Reporting Step 1 – Audit Planning This step consists of the tasks performed to adequately plan the work necessary to address the overall audit objective and to solidify mutual understanding of the audit scope, objectives, audit process, and timing between stakeholders and auditors. 
Tasks include: • Gather information to understand the environment under review o Understand the organization structure and objectives o Review the codes, regulations, policies, and other standards and expectations o Review the prior audit results, if any o Review previously conducted employee engagement and satisfaction surveys o Issue an employee survey centered on remote work capabilities o Issue a management survey centered on remote work capabilities o Review additional documentation and conduct interviews as necessary • Assess the audit risk • Write an audit plan and audit program o Define audit objectives and scope o Identify the audit procedures to be performed and the evidence to be obtained • Announce the initiation of the audit and conduct a kick-off meeting with key stakeholders o Discuss audit objectives, scope, audit process, timing, resources, and expectations o Discuss documentation and interview requests for the audit Step 2 – Control Review and Testing This step involves executing the procedures in the audit program to gather information, interview individuals, and analyze the data and information to obtain sufficient evidence to address the audit objectives. The preliminary audit objective is to: (1) Assess employee and management perspectives for long-term remote and flexible work viability and associated challenges; (2) Evaluate positive outcomes and challenges for managing a mixed location workforce; (3) Identify policies, processes, management practices and work culture improvements that may improve the City’s ability to manage a remote workforce. 
Tasks include but are not limited to: • Analyze employee and management surveys to identify management and policy change opportunities and barriers for managing a mixed location workforce • Interview (focus group and/or individual) the Human Resources, employee representatives and management representatives to understand the current state, benefits and barriers to • Review relevant policies and procedures as well as the position eligibility standards for remote work to identify the criteria to be used for evaluation of control design and effectiveness • Research best practices and practices of surrounding communities • Analyze available data to assess current practices impact on recruitment and retention • Validate analysis with Human Resources Step 3 – Reporting In Step 3, the project team will perform tasks necessary to finalize audit working papers and submit a final audit report. Tasks include: • Develop findings, conclusions, and recommendations based on the supporting evidence gathered • Validate findings with the appropriate individuals • Complete the supervisory review of working papers and a draft audit report • Distribute a draft audit report and conduct a closing meeting with key stakeholders o Discuss the audit results, finings, conclusions, and recommendations o Discuss management responses • Obtain written management responses and finalize a report Deliverables: The following deliverable will be prepared as part of this engagement: • Audit Report with remote and flexible work data analysis and best practice recommendation Schedule of Performance Anticipated Start Date: March 1, 2022 Anticipated End Date: December 31, 2022 March 31, 2023 Maximum Compensation Amount and Rate Schedule The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this Task is $60,000. The not-to-exceed budget is based on an estimate of 285 total project hours, of which 16 are estimated to be completed by the City Auditor. 
Reimbursable Expenses
If circumstances allow, Baker Tilly anticipates planning one on-site fieldwork visit. Given this possibility, Baker Tilly could incur reimbursable expenses for this Task. The not-to-exceed maximum for reimbursable expenses for this Task is $5,000. The following summarizes anticipated reimbursable expenses:
• Round-trip Airfare – $1,200
• Rental Car – $600
• Hotel accommodation – $2,500 (8 nights)
• Food and incidentals – $700
Note that, if current restrictions associated with COVID-19 continue, an on-site visit may not be possible. The project team will work with the City to consider circumstances at the time.

Audit Activity 4.14 – Cybersecurity Assessment

PROFESSIONAL SERVICES TASK ORDER
TASK ORDER FY22-004.14
Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below.
CONTRACT NO. C21179340 OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE)
1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE):
1B. TASK ORDER NO.: FY22-004.14
2. CONSULTANT NAME: Baker Tilly US, LLP
3. PERIOD OF PERFORMANCE: START: March 1, 2022; COMPLETION: December 31, 2022 (extended to April 30, 2023)
4. TOTAL TASK ORDER PRICE: $110,000; BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT: $TBD
5. BUDGET CODE ________ COST CENTER ________ COST ELEMENT ________ WBS/CIP ________ PHASE ________
6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Greer Stone / Greg Tanaka, Chair of the City Council’s Policy and Services Committee
7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE: SERVICES AND DELIVERABLES TO BE PROVIDED; SCHEDULE OF PERFORMANCE; MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable); REIMBURSABLE EXPENSES, if any (with “not to exceed” amount)
8. ATTACHMENTS: A: Task Order Scope of Services; B (if any): N/A

I hereby authorize the performance of the work described in this Task Order.
APPROVED: CITY OF PALO ALTO
BY: ________________
Name: ________________
Title: ________________
Date: ________________

I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant.
APPROVED: COMPANY NAME: ________________
BY: ________________
Name: ________________
Title: ________________
Date: ________________

Attachment A
DESCRIPTION OF SCOPE OF SERVICES

Introduction
Attachment A, the Description of Scope of Services, contains the following four (4) elements:
• Services and Deliverables To Be Provided
• Schedule of Performance
• Maximum Compensation Amount and Rate Schedule (As Applicable)
• Reimbursable Expenses, if any (With “Not To Exceed” Amount)

Services & Deliverables

Cybersecurity Maturity Assessment
Baker Tilly’s approach to conducting a cybersecurity assessment and developing a cybersecurity program strategy involves four (4) primary steps:
• Step 1: Assessment Planning and Kick-off
• Step 2: Information Gathering
• Step 3: Cybersecurity Capability Analysis and Recommendations
• Step 4: Reporting

Step 1 – Assessment Planning and Kick-off
This step consists of the tasks performed to adequately plan the work necessary to address the overall assessment objective and to solidify mutual understanding of the assessment scope, objectives, assessment process, and timing between stakeholders and assessors.
Tasks include:
• Baker Tilly will work with the City to finalize the assessment scope and project timeline. Baker Tilly will also provide the City with an initial interview and documentation request list.
• Finally, Baker Tilly will perform a project kick-off discussion with the City to ensure alignment with the project timeline, interview schedule, and deliverables.

Step 2 – Information Gathering
This step involves conducting interviews with identified IT security personnel and key stakeholders to identify security capabilities, processes, and currently implemented technologies. Baker Tilly will also review current IT security policy and procedure documentation, as well as network and infrastructure architecture documents.

Step 3 – Cybersecurity Capability Analysis and Recommendations
This step involves mapping current state security capabilities to the NIST Cybersecurity Framework and evaluating the maturity of current security processes. Baker Tilly will also identify current risks related to weaknesses in the City’s cybersecurity program. Baker Tilly will then review current state capabilities and risks with the City to ensure alignment on Baker Tilly’s initial analysis and identify target state objectives utilizing the Capability Maturity Model (CMMI). Finally, Baker Tilly will take the identified improvement areas and target state maturity objectives to develop our recommendations for the City’s cybersecurity program to meet its target state objectives.

Step 4 – Reporting
The project team will perform tasks necessary to finalize the initial draft cybersecurity assessment report and review a draft report with the stakeholders. Additionally, the team will submit a final assessment report to the City.
Tasks include:
• Develop findings, conclusions, and recommendations based on the supporting evidence gathered
• Validate findings with the appropriate individuals
• Distribute a draft assessment report and conduct a closing meeting with key stakeholders
  o Discuss the assessment results, findings, conclusions, and recommendations
• Obtain written management responses and finalize a report

Deliverables: The following deliverable will be prepared as part of this engagement:
• Cybersecurity Assessment Report and Program Strategy

External Penetration Testing
Baker Tilly will perform external penetration testing on behalf of the City. Baker Tilly’s approach to conducting these security testing activities involves four (4) primary steps:
• Step 1: Assessment Planning and Kick-off
• Step 2: Open-Source Information Gathering and Reconnaissance
• Step 3: External Penetration Testing
• Step 4: Reporting

Step 1 – Assessment Planning and Kick-off
This step consists of the tasks performed to adequately plan the work necessary to address the overall testing objective and to solidify mutual understanding of the testing scope, objectives, testing process, and timing between stakeholders and assessors. Tasks include:
• Baker Tilly will work with the City to finalize the testing scope and project timeline.
• Baker Tilly will perform a project kick-off discussion with the City to ensure alignment with the project timeline, testing approach, and deliverables.
• Baker Tilly will provide the City with an ISP authorization form and Rules of Engagement documents for signature to confirm testing scope and activities.

Step 2 – Open-Source Information Gathering and Reconnaissance
This step involves conducting interviews with identified IT security personnel and key stakeholders to identify security capabilities, processes, and currently implemented technologies.
Baker Tilly will also review current IT security policy and procedure documentation, as well as network and infrastructure architecture documents.

Step 3 – External Penetration Testing
Baker Tilly will conduct external penetration testing on up to 300 active and 208 dormant external IP addresses provided by the City. External penetration testing services include:
• Confirmation of active versus dormant IP addresses;
• Identification of services and service versions running on each active system;
• Automated vulnerability discovery scanning for each active system;
• Penetration attempts on systems identified that have known exploitable vulnerabilities; and
• Deep dive exploitation of any identified exploitable vulnerabilities to gain unauthorized access to internal systems and/or data.

Step 4 – Reporting
The project team will perform tasks necessary to finalize our security testing report and review a draft report with City stakeholders. Additionally, the team will submit a final testing report to the City. Tasks include:
• Develop findings, conclusions, and recommendations based on the supporting evidence gathered
• Validate findings with the appropriate individuals
• Distribute a draft testing report and conduct a closing meeting with key stakeholders
  o Discuss the testing results, findings, conclusions, and recommendations
• Obtain written management responses and finalize a report

Deliverables: The following deliverable will be prepared as part of this engagement:
• External Penetration Testing Report

Schedule of Performance
Anticipated Start Date: March 1, 2022
Anticipated End Date: December 31, 2022 (extended to April 30, 2023)

Maximum Compensation Amount and Rate Schedule
The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below), for this Task is $110,000. The not-to-exceed budget is based on an estimate of 525 total project hours, of which 30 are estimated to be completed by the City Auditor.
Reimbursable Expenses
We plan to complete the audit work remotely, including all interviews and documentation review. However, if the City requests the assessment team to travel on-site for meetings, interviews, or assessment report readouts, these travel-related expenses will be billed in addition to the fees above.

Audit Activity 4.15 – Wastewater Treatment Plant Agreement

PROFESSIONAL SERVICES TASK ORDER
TASK ORDER FY22-004.15
Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below.
CONTRACT NO. C21179340 OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE)
1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE):
1B. TASK ORDER NO.: FY22-004.15
2. CONSULTANT NAME: Baker Tilly US, LLP
3. PERIOD OF PERFORMANCE: START: March 1, 2022; COMPLETION: December 31, 2022 (extended to May 31, 2023)
4. TOTAL TASK ORDER PRICE: $82,500; BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT: $TBD
5. BUDGET CODE ________ COST CENTER ________ COST ELEMENT ________ WBS/CIP ________ PHASE ________
6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Greer Stone / Greg Tanaka, Chair of the City Council’s Policy and Services Committee
7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE: SERVICES AND DELIVERABLES TO BE PROVIDED; SCHEDULE OF PERFORMANCE; MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable); REIMBURSABLE EXPENSES, if any (with “not to exceed” amount)
8. ATTACHMENTS: A: Task Order Scope of Services; B (if any): N/A

I hereby authorize the performance of the work described in this Task Order.
APPROVED: CITY OF PALO ALTO
BY: ________________
Name: ________________
Title: ________________
Date: ________________

I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant.
APPROVED: COMPANY NAME: ________________
BY: ________________
Name: ________________
Title: ________________
Date: ________________

Attachment A
DESCRIPTION OF SCOPE OF SERVICES

Introduction
Attachment A, the Description of Scope of Services, contains the following four (4) elements:
• Services and Deliverables To Be Provided
• Schedule of Performance
• Maximum Compensation Amount and Rate Schedule (As Applicable)
• Reimbursable Expenses, if any (With “Not To Exceed” Amount)

Services & Deliverables
Baker Tilly’s approach to conducting a Wastewater Treatment Plant Agreement Review involves three (3) primary steps:
• Step 1: Audit Planning
• Step 2: Process and Control Review
• Step 3: Reporting

Step 1 – Audit Planning
This step consists of the tasks performed to adequately plan the work necessary to address the overall audit objective and to solidify mutual understanding of the audit scope, objectives, audit process, and timing between stakeholders and auditors.
Tasks include:
• Gather information to understand the environment under review
  o Understand the organizational structure and objectives
  o Review the City code, regulations, and other standards and expectations
  o Review prior audit results, as applicable
  o Review additional documentation and conduct interviews as necessary
• Assess the audit risk
• Write an audit planning memo and audit program
  o Refine audit objectives and scope
  o Identify the audit procedures to be performed and the evidence to be obtained and examined
• Announce the initiation of the audit and conduct a kick-off meeting with key stakeholders
  o Discuss audit objectives, scope, audit process, timing, resources, and expectations
  o Discuss documentation and interview requests for the audit

Step 2 – Process and Control Review
This step involves executing the procedures in the audit program to gather information, interview individuals, and analyze the data and information to obtain sufficient evidence to address the audit objectives. The preliminary audit objective is to: (1) Determine whether adequate controls are in place and working effectively to ensure that costs for treatment plant operations are properly accounted for and allocated; (2) Assess the compliance with contracts and regulations. Procedures include:
• Interview the appropriate individuals to understand the process, the information system used, and internal controls related to accounting and allocation of costs for treatment plant operations.
• Review the contracts, policies and procedures as well as the regulations and standards to identify the criteria to be used for evaluation of compliance and control design and effectiveness
• Review the documents (such as contracts and supporting documents for allocation) for the selected allocation transactions
• Compare the cost accounting and allocation methodology against the requirements

Step 3 – Reporting
In Step 3, the project team will perform tasks necessary to finalize audit working papers, prepare and review a draft report with the stakeholders, and submit a final audit report. Tasks include:
• Develop findings, conclusions, and recommendations based on the supporting evidence gathered
• Validate findings with the appropriate individuals and discuss the root cause of the identified findings
• Complete supervisory review of working papers and a draft audit report
• Distribute a draft audit report and conduct a closing meeting with key stakeholders
  o Discuss the audit results, findings, conclusions, and recommendations
  o Discuss management responses
• Obtain written management responses and finalize a report
• Review report with members of City Council and/or the appropriate Council Committee
• Present the final report to the City Council and/or appropriate Council Committee

Deliverables: The following deliverable will be prepared as part of this engagement:
• Audit Report

Schedule of Performance
Anticipated Start Date: March 1, 2022
Anticipated End Date: December 31, 2022 (extended to May 31, 2023)

Maximum Compensation Amount and Rate Schedule
The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below), for this Task is $82,500. The not-to-exceed budget is based on an estimate of 400 total project hours, of which 20 are estimated to be completed by the City Auditor.

Reimbursable Expenses
If circumstances allow, Baker Tilly anticipates planning one on-site fieldwork week.
Given this possibility, Baker Tilly could incur reimbursable expenses for this Task. The not-to-exceed maximum for reimbursable expenses for this Task is $4,750. The following summarizes anticipated reimbursable expenses (for three team members):
• Round-trip Airfare – $1,500
• Rental Car – $400
• Hotel accommodation – $2,500 (4 nights)
• Food and incidentals – $750
Note that, if current restrictions associated with COVID-19 continue, an on-site visit may not be possible. The project team will work with the City to consider circumstances at the time.

PROFESSIONAL SERVICES TASK ORDER
TASK ORDER FY23-4.19 Disaster Recovery Preparedness
Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below.
CONTRACT NO. C21179340 OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE)
1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE):
1B. TASK ORDER NO.: FY23-4.19
2. CONSULTANT NAME: Baker Tilly US, LLP
3. PERIOD OF PERFORMANCE: START: March 1, 2023; COMPLETION: June 30, 2023
4. TOTAL TASK ORDER PRICE: $87,500; BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT: $TBD
5. BUDGET CODE ________ COST CENTER ________ COST ELEMENT ________ WBS/CIP ________ PHASE ________
6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Greg Tanaka, Chair of the City Council’s Policy and Services Committee
7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE: SERVICES AND DELIVERABLES TO BE PROVIDED; SCHEDULE OF PERFORMANCE; MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable); REIMBURSABLE EXPENSES, if any (with “not to exceed” amount)
8. ATTACHMENTS: A: Task Order Scope of Services; B (if any): N/A

I hereby authorize the performance of the work described in this Task Order.
APPROVED: CITY OF PALO ALTO
BY: ________________
Name: ________________
Title: ________________
Date: ________________

I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant.
APPROVED: COMPANY NAME: ________________
BY: ________________
Name: ________________
Title: ________________
Date: ________________

Attachment A
DESCRIPTION OF SCOPE OF SERVICES

Introduction
Attachment A, the Description of Scope of Services, contains the following four (4) elements:
• Services and Deliverables To Be Provided
• Schedule of Performance
• Maximum Compensation Amount and Rate Schedule (As Applicable)
• Reimbursable Expenses, if any (With “Not To Exceed” Amount)

Services & Deliverables

Disaster Recovery Assessment
Baker Tilly’s approach to conducting a disaster recovery assessment involves four (4) primary steps:
• Step 1: Assessment Planning and Kick-off
• Step 2: Information Gathering
• Step 3: Disaster Recovery Analysis and Recommendations
• Step 4: Reporting

Step 1 – Assessment Planning and Kick-off
This step consists of the tasks performed to adequately plan the work necessary to address the overall assessment objective and to solidify mutual understanding of the assessment scope, objectives, assessment process, and timing between stakeholders and assessors. Tasks include:
• Baker Tilly will work with the City to finalize the assessment scope and project timeline. Baker Tilly will also provide the City with an initial interview and documentation request list.
• Finally, Baker Tilly will perform a project kick-off discussion with the City to ensure alignment with the project timeline, interview schedule, and deliverables.
Step 2 – Information Gathering
This step involves conducting interviews with identified IT security personnel and key stakeholders to gain an understanding of the operating environment and understand the desired outcome of the disaster recovery plan. Baker Tilly will also review current IT disaster recovery policy and procedure documentation, as well as review the current infrastructure in place.

Step 3 – Disaster Recovery Analysis and Recommendations
This step involves assessing the documentation of the current disaster recovery plan for high-priority applications and supporting infrastructure to identify the adequacy of the documentation and identify additional documentation requirements. Baker Tilly will perform a gap assessment between the current disaster recovery capabilities, the desired disaster recovery strategy, and industry best practices. Baker Tilly will develop recommendations to remediate the identified documentation and capability gaps. Baker Tilly will provide recommendations to update the disaster recovery documentation to address the gaps identified.

Step 4 – Reporting
The project team will perform tasks necessary to finalize the initial draft disaster recovery assessment report and review a draft report with the stakeholders. Additionally, the team will submit a final assessment report to the City.
Tasks include:
• Develop findings, conclusions, and recommendations based on the supporting evidence gathered
• Validate findings with the appropriate individuals
• Distribute a draft assessment report and conduct a closing meeting with key stakeholders
  o Discuss the assessment results, findings, conclusions, and recommendations
• Obtain written management responses and finalize a report

Deliverables: The following deliverable will be prepared as part of this engagement:
• Disaster Recovery Assessment Report

Schedule of Performance
Anticipated Start Date: March 1, 2023
Anticipated End Date: June 30, 2023

Maximum Compensation Amount and Rate Schedule
The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below), for this Task is $87,500. The not-to-exceed budget is based on an estimate of 400 total project hours, of which 20 are estimated to be completed by the City Auditor.

Reimbursable Expenses
If circumstances allow, Baker Tilly anticipates planning one on-site fieldwork visit. The maximum compensation amount reflected above will be inclusive of any travel-related expenses. Note that, if current restrictions associated with COVID-19 continue, an on-site visit may not be possible. The project team will work with the City to consider circumstances at the time.

PROFESSIONAL SERVICES TASK ORDER
TASK ORDER FY23-4.20 Procurement Process Review
Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below.
CONTRACT NO. C21179340 OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE)
1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): C21179340
1B. TASK ORDER NO.: FY23-4.20
2. CONSULTANT NAME: Baker Tilly US, LLP
3. PERIOD OF PERFORMANCE: START: March 1, 2023; COMPLETION: September 30, 2023
4. TOTAL TASK ORDER PRICE: $61,550; BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT: TBD
5. BUDGET CODE ________ COST CENTER ________ COST ELEMENT ________ WBS/CIP ________ PHASE ________
6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Greg Tanaka, Chair of the City Council’s Policy and Services Committee
7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE: SERVICES AND DELIVERABLES TO BE PROVIDED; SCHEDULE OF PERFORMANCE; MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable); REIMBURSABLE EXPENSES, if any (with “not to exceed” amount)
8. ATTACHMENTS: A: Task Order Scope of Services; B (if any): N/A

I hereby authorize the performance of the work described in this Task Order.
APPROVED: CITY OF PALO ALTO
BY: ________________
Name: ________________
Title: ________________
Date: ________________

I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant.
APPROVED: COMPANY NAME: ________________
BY: ________________
Name: ________________
Title: ________________
Date: ________________

Attachment A
DESCRIPTION OF SCOPE OF SERVICES

Introduction
Attachment A, the Description of Scope of Services, contains the following four (4) elements:
• Services and Deliverables To Be Provided
• Schedule of Performance
• Maximum Compensation Amount and Rate Schedule (As Applicable)
• Reimbursable Expenses, if any (With “Not To Exceed” Amount)

Services & Deliverables
Baker Tilly’s approach to conducting an internal audit of the Procurement Process involves three (3) primary steps:
• Step 1: Audit Planning
• Step 2: Control Review and Testing
• Step 3: Reporting

Step 1 – Audit Planning
This step consists of the tasks performed to adequately plan the work necessary to address the overall audit objective and to solidify mutual understanding of the audit scope, objectives, audit process, and timing between stakeholders and auditors.
Tasks include:
• Gather information to understand the environment under review
  o Understand the organizational structure and objectives
  o Review the City code, regulations, and other standards and expectations
  o Review prior audit results, as applicable
  o Review additional documentation and conduct interviews as necessary
• Assess the audit risk
• Write an audit planning memo and audit program
  o Refine audit objectives and scope
  o Identify the audit procedures to be performed and the evidence to be obtained and examined
• Announce the initiation of the audit and conduct a kick-off meeting with key stakeholders
  o Discuss audit objectives, scope, audit process, timing, resources, and expectations
  o Discuss documentation and interview requests for the audit

Step 2 – Control Review and Testing
This step involves executing the procedures in the audit program to gather information, interview individuals, and analyze the data and information to obtain sufficient evidence to address the audit objectives. The preliminary audit objective is to: (1) Determine whether adequate controls are in place and working effectively to ensure that the appropriate vendors are selected properly to achieve desired objectives; (2) Identify the opportunities to improve the efficiency and effectiveness of the procurement process. Procedures include, but are not limited to:
• Interview the appropriate individuals to gain an understanding of the organizational structure, processes, and controls related to procurement processes, from the needs assessment and market analysis to contract awarding and administration.
• Review policies and procedures as well as the legislative and regulatory requirements to identify the criteria to be used for evaluation of control design and effectiveness.
• Review the documents (such as contracts and related procurement files and performance reviews) for the selected contracts.
• Analyze the data and information related to procurement, as appropriate.
• Compare the process and controls against best practices.

Step 3 – Reporting
In Step 3, the project team will perform tasks necessary to finalize audit working papers, prepare and review a draft report with the stakeholders, and submit a final audit report. Tasks include:
• Develop findings, conclusions, and recommendations based on the supporting evidence gathered
• Validate findings with the appropriate individuals and discuss the root cause of the identified findings
• Complete supervisory review of working papers and a draft audit report
• Distribute a draft audit report and conduct a closing meeting with key stakeholders
  o Discuss the audit results, findings, conclusions, and recommendations
  o Discuss management responses
• Obtain written management responses and finalize a report
• Review report with members of City Council and/or the appropriate Council Committee

Deliverables: The following deliverable will be prepared as part of this engagement:
• Audit Report

Schedule of Performance
Anticipated Start Date: March 1, 2023
Anticipated End Date: September 30, 2023

Maximum Compensation Amount and Rate Schedule
The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below), for this Task is $61,550. The not-to-exceed budget is based on an estimate of 350 total project hours, of which 20 are estimated to be completed by the City Auditor.

Reimbursable Expenses
We plan to complete all work remotely, including all interviews and documentation review. If at any point the City and Baker Tilly mutually determine it will be beneficial to perform a portion of the work on-site, we will submit an estimate of our reimbursable expenses for the City’s approval prior to traveling to Palo Alto.
City of Palo Alto
Office of the City Auditor
FY22/FY23 Annual Audit Plan
February 15, 2022

FY2022/2023 Audit Plan 2

Overview

Introduction
The purpose of the audit activities performed by the Office of the City Auditor (OCA) for the City of Palo Alto (the City) is “to ensure that city management is using its financial, physical, and informational resources effectively, efficiently, economically, ethically, and equitably, and in compliance with laws, regulations, contract and grant requirements, and city policies and procedures”, according to the Palo Alto Municipal Code (Section 2.08.130). It requires that the City Auditor prepare an annual audit plan for the City Council’s approval at the beginning of each fiscal year.

In accordance with Task #2 of the Baker Tilly agreement (City of Palo Alto Contract No. C21179340), Baker Tilly US, LLP (Baker Tilly) performed the initial risk assessment after having started to serve as OCA in October 2020 and submitted in early 2021 the FY21-FY22 annual audit plan identifying audit activities across an 18-month horizon (through FY22). The OCA updated the initial risk assessment in January 2022, one year after our initial risk assessment. This audit plan for the remainder of FY22 and for FY23 was prepared based on the results of the updated risk assessment. The OCA will seek approval of contract task orders iteratively during that timeframe in order to remain agile and accommodate changes to the plan as time passes.

Other activities are addressed in separate task orders corresponding to the tasks in the Baker Tilly agreement. For example, the City Auditor performs follow-up on audit findings and recommendations, as outlined in Task #5.

Conformance with Local Ordinances and Standards
Section 2.08.130 of the Palo Alto Municipal Code defines the mission of OCA as promoting honest, efficient, effective, economical, and fully accountable and transparent city government.
Audits are to be conducted and nonaudit services provided in accordance with Government Auditing Standards, as established by the Comptroller General of the United States, Governmental Accountability Office. The following duties of the City Auditor exist regarding the plan and scope of internal audits.

Palo Alto City Charter Article IV Sec. 12 requires the City Auditor to perform the following:
– Conduct audits in accordance with a schedule approved by the City Council, and may conduct unscheduled audits from time to time.
– Conduct internal audits of all the fiscal transactions of the City.

Title 2 Administrative Code Section 2.08.130 requires the City Auditor to perform the following:
– Prepare an annual audit plan for city council approval.
– Identify the preliminary objectives of each audit to be performed, reflecting the purpose of the engagement and a preliminary description of the areas that may be addressed.
– Conduct performance audits and perform nonaudit services of any city department, program, service, or activity as approved by the city council.

California Government Code Section 1236 requires all cities that conduct audit activities to conduct their work under the general and specified standards prescribed by the Institute of Internal Auditors (IIA) or the Government Auditing Standards (GAO) issued by the Comptroller General of the United States, as appropriate.

Audit Activity Types
OCA will conduct performance audits and perform financial/operational analyses of any City department, program, service, or activity as approved by the City Council in accordance with the Baker Tilly agreement.
Performance Audits
According to the Government Auditing Standards (GAO-18-568G, Sections 1.21 and 1.22, pages 10-12), performance audits provide objective analysis, findings, and conclusions to assist management and those charged with governance and oversight with, among other things, improving program performance and operations, reducing costs, facilitating decision making by parties responsible for overseeing or initiating corrective action, and contributing to public accountability. Performance audits may include the following four (4) audit objectives:
– Program effectiveness and results
– Internal control design and effectiveness
– Compliance with laws, regulations, and policies
– Prospective analysis

Audit Planning Considerations
While maintaining its independence and objectivity in accordance with standards, the City Auditor considers a variety of matters when developing the Annual Audit Plan, including but not limited to:
– Risk assessment – OCA performed a risk assessment and summarized the results in a separate report (Task #2). Generally speaking, audit activities target high(er) risk areas. The results are shown on the following page.
– Ability to add value – audit seeks to add value through independent and objective analysis.
– City Council – the City Auditor reports to the City Council and seeks input on audit priorities.
– Coverage and Prior Audits – the City Auditor considers prior audits conducted by OCA, the financial audit, and other audit and consulting reports recently issued.
– “Ripeness” and On-Going Initiatives – certain risk areas may be addressed through operational activities, which could mean they are not ripe for audit to add value.
– Scheduling – the City Auditor takes into consideration the timing of an audit and other on-going initiatives that directly relate. Putting an undue burden on City staff may exacerbate the risk at hand or other interrelated risks.
Risk Assessment Results
The OCA performed a citywide risk assessment to plan for FY22 and FY23 audit activities and documented the methodology and the detailed results in a separate Risk Assessment Report. In summary, we identified the following areas rated as High or High-Moderate risks. In determining the audit activities to be performed in FY22 and in FY23, we further reviewed these risks and functional areas and considered the matters listed on the previous page.

Functional Area | Title | Likelihood (1-5) | Impact (1-5) | Score
City Wide | COVID-19 Response | 5 | 5 | 50
Org Wide | Employee Retention & Succession Planning | 5 | 4 | 46
Planning and Development Services | Long Range Planning | 5 | 4 | 46
Information Technology | Disaster Recovery Preparedness and Testing | 3 | 5 | 44
Information Technology | Host Intrusion and Malware Defense | 3 | 5 | 44
Information Technology | Problem Management and Incident Response | 3 | 5 | 44
Transportation | Contract Management | 3 | 5 | 44
Org Wide | Workforce | 4 | 4 | 42
Org Wide | Citywide Risk Management | 4 | 4 | 42
Administrative Services | Procurement | 4 | 4 | 42
Fire | Emergency Medical Service | 4 | 4 | 42
Human Resources | High Cost Claims | 4 | 4 | 42
Human Resources | Workload | 4 | 4 | 42
Information Technology | Mobile Device Management | 5 | 3 | 40
Information Technology | Strategy and Governance | 5 | 3 | 40
Public Works | Secondary Treatment Upgrades | 2 | 5 | 38
Public Works | ADA Compliance Upgrade | 2 | 5 | 38
Administrative Services | Investments, Debt, and Cash Management | 2 | 5 | 38
Information Technology | Information Security | 2 | 5 | 38
Information Technology | Operations and Monitoring | 2 | 5 | 38
Information Technology | Physical and Environmental Controls | 2 | 5 | 38
Information Technology | Ransomware | 2 | 5 | 38
Police | Use of Force and Officer Conduct | 2 | 5 | 38
Org Wide | Governance | 3 | 4 | 36
Org Wide | Organizational Culture | 3 | 4 | 36
Administrative Services | ERP System Upgrade | 3 | 4 | 36
City Wide | Sustainability and Climate Action Plan | 3 | 4 | 36
Administrative Services | Accounts Receivable | 3 | 4 | 36
Fire | Fire Suppression | 3 | 4 | 36
Fire | Fire Prevention - Palo Alto Foothills & Wildland Fire Risk | 3 | 4 | 36
Public Works | Public Services - Fleet | 3 | 4 | 36
Public Works | Wastewater Treatment Plant Operations | 3 | 4 | 36
Public Works | Public Services - Facilities | 3 | 4 | 36
Utilities | AMI (Advanced Metering Infrastructure) Project | 3 | 4 | 36
Utilities | Rates and Rate Adjustments | 3 | 4 | 36

Proposed Audit Activities for FY2022-2023
Included in the tables below are the proposed audit activities for the remainder of FY2022 and FY2023. Each audit activity corresponds to a risk rated as High or Moderate in the Risk Assessment Report and was selected based on the other factors outlined on page 3. The preliminary audit objectives are described for each audit listed. The objectives and scope of each audit activity will be further defined based on the results of a project planning risk assessment process performed at the beginning of each activity. Audits are planned in three overall phases; note that the timing may differ slightly for each audit activity:
– Phase I – Activities projected to start before March 2022 and end by June 2022
– Phase II – Activities projected to start in March 2022 and end by December 2022
– Phase III – Activities projected to start in June 2022 or January 2023 and end by June 2023

Amendments to the proposed audit plan will be proposed either as needed or after conducting the annual risk assessment and updating the audit plan during FY23. Amendments may be proposed in response to changes in the City’s environment such as organizational structure, operations, risks, systems, and controls. Please note that the City Auditor will actively manage projects and overall budgets and workload in its execution of the workplan. For each audit activity, a task order is submitted to the City Council for approval before the work is commenced. We have prepared and attached to this report multiple task orders that correspond to audit activities we have prioritized (e.g., those in Phase I).
Those audit activities are marked with an “X” in the ‘Seeking Approval’ column of the table below, and the Task Orders are included in the Appendix.

Phase I Activities
(Columns: Seeking Approval | Function | Project Title | Audit Objectives | Timeline | Estimated Hours | FY22 Cost | FY23 Cost (*) | Total Cost FY21+22+23)

Economic Recovery Advisory (Task Order 4.7) – Administrative Services – Seeking Approval: no
Audit Objectives:
● Review the City’s long-term financial planning model and offer recommendations for improvement.
● Identify and evaluate key revenue source categories that present long-term risk to the City's financial sustainability.
● Perform scenario analysis and advise in the development of long-term financial projections.
Timeline: March - December 2021 | Estimated Hours: 400 | FY22 Cost: $64,663 | FY23 Cost: – | Total Cost: $64,663

Public Safety Building - Construction Audit (Task Order 4.8) – Public Works – Seeking Approval: no
Audit Objectives:
● Monthly invoice review
● Change order testing
● Contingency and allowance testing
● Lien waiver control
● Compliance with insurance requirements
● Closeout testing
● Verify the City’s implementation and adherence to documented project controls
Timeline: March 2021 - June 2023 | Estimated Hours: 420 | FY22 Cost: $26,633 | FY23 Cost: $26,633 | Total Cost: $51,266

Building Permit & Inspection Process Review (Task Order 4.9) – Planning and Development Services – Seeking Approval: no
Audit Objectives:
● Identify the highest impact area to focus the assessment (e.g., specific permit type(s), specific sub-processes, etc.).
● Document the corresponding process(es) and evaluate for efficiency and effectiveness.
● Benchmark operational performance against industry practices and established standards.
Timeline: April – September 2021 | Estimated Hours: 360 | FY22 Cost: $48,300 | FY23 Cost: – | Total Cost: $48,300

Nonprofit Agreements Risk Management Review (Task Order 4.10) – Citywide – Seeking Approval: no
Audit Objectives:
● Evaluate controls in place to ensure that nonprofit organizations are properly vetted prior to selection and monitored through the life of an agreement.
● Assess the performance monitoring process against best practice.
● Follow up on relevant audit findings from past audit work.
Timeline: May – September 2021 | Estimated Hours: 400 | FY22 Cost: $55,246 | FY23 Cost: – | Total Cost: $55,246

Utility Work Order & Process Review (Task Order 4.11) – Utilities – Seeking Approval: no
Audit Objectives:
● Determine whether adequate controls are in place and working effectively around the work order process
● Assess the work order process against best practices
Timeline: January - December 2022 | Estimated Hours: 400 | FY22 Cost: $81,400 | FY23 Cost: – | Total Cost: $81,400

Wire Payment Process and Controls (Task Order 4.12) – Administrative Services / Information Technology – Seeking Approval: no
Audit Objectives:
● Determine whether adequate controls are in place and working effectively to ensure that all disbursements are valid and properly processed in compliance with the City’s policies and procedures
● Determine whether end user security awareness training is sufficient to prevent erroneous payments caused by phishing
Timeline: February - June 2022 | Estimated Hours: 270 | FY22 Cost: $54,550 | FY23 Cost: – | Total Cost: $54,550

Phase I Sub Total | Estimated Hours: 2,250 | FY22 Cost: $329,792 | FY23 Cost: $26,633 | Total Cost: $355,425
* For the purpose of audit plan preparation, OCA used the FY22 budget amount for FY23

Phase II Activities
(Columns: Seeking Approval | Function | Project Title | Audit Objectives (preliminary objectives for audits not currently subject to approval) | Timeline | Estimated Hours | FY22 Cost | FY23 Cost (*) | Total Cost)

Remote and Flexible Work Study – Human Resources – Seeking Approval: X
Audit Objectives:
● Assess employee and management perspectives for long-term remote and flexible work viability and associated challenges
● Evaluate positive outcomes and challenges for managing a mixed location workforce
● Identify policies, processes, management practices and work culture improvements that may improve the City’s ability to manage a remote workforce
Timeline: March - December 2022 | Estimated Hours: 285 | FY22 Cost: $50,000 | FY23 Cost: $10,000 | Total Cost: $60,000

Cybersecurity Assessment – Information Technology – Seeking Approval: X
Audit Objectives:
● Map current state security capabilities to the NIST Cybersecurity Framework and evaluate the maturity of current security processes
● Identify current risks related to weaknesses in the City’s cybersecurity program
● Identify target state objectives utilizing the Capability Maturity Model (CMMI) and develop recommendations to meet the objectives
Timeline: March - December 2022 | Estimated Hours: 525 | FY22 Cost: $90,000 | FY23 Cost: $20,000 | Total Cost: $110,000

Wastewater Treatment Plant Agreement Audit – Public Works – Seeking Approval: X
Audit Objectives:
● Evaluate whether direct and indirect costs incurred by the City are properly allocated to the operation of the Wastewater Treatment Plant.
● Review whether costs are properly allocated to the various parties to the Wastewater Treatment Plant Agreement.
Timeline: March 2022 - December 2022 | Estimated Hours: 400 | FY22 Cost: $60,000 | FY23 Cost: $2,250 | Total Cost: $62,250

Phase II Sub Total | Estimated Hours: 1,210 | FY22 Cost: $194,000 | FY23 Cost: $38,250 | Total Cost: $232,250
* For the purpose of audit plan preparation, OCA used the FY22 budget amount for FY23

Phase III Activities
(Columns: Seeking Approval | Function | Project Title | Preliminary Audit Objectives | Timeline | Estimated Hours | FY22 Cost | FY23 Cost (*) | Total Cost)

Contract Management - ALPR Technology – Transportation – Seeking Approval: no
Preliminary Audit Objectives:
● Determine whether policies and procedures are implemented effectively to protect the privacy of personal information gathered using ALPR technology for the City's parking management.
● Determine whether the City monitors the vendor's performance to ensure compliance with contract terms and applicable laws and regulations related to data privacy.
Timeline: June 2022 - January 2023 | Estimated Hours: 400 | FY22 Cost: – | FY23 Cost: $82,500 | Total Cost: $82,500

Investment Management – Administrative Services – Seeking Approval: no
Preliminary Audit Objectives:
● Determine whether adequate controls are in place and operating effectively to ensure that investments are managed in accordance with the investment management and other relevant policies.
● Assess the organizational structure and operations of the investment portfolio management function against best practice.
Timeline: June 2022 - January 2023 | Estimated Hours: 350 | FY22 Cost: – | FY23 Cost: $61,550 | Total Cost: $61,550

Disaster Recovery Preparedness – Information Technology – Seeking Approval: no
Preliminary Audit Objectives:
● Determine whether a formal disaster recovery plan exists and aligns with the City's needs for business continuity
● Determine whether the disaster recovery plan is periodically tested and updated to ensure a successful recovery
Timeline: January - June 2023 | Estimated Hours: 400 | FY22 Cost: – | FY23 Cost: $87,500 | Total Cost: $87,500

Procurement Process – Administrative Services – Seeking Approval: no
Preliminary Audit Objectives:
● Determine whether adequate controls are in place and working effectively to ensure that the appropriate vendors are selected properly to achieve desired objectives
● Identify opportunities to improve the efficiency and effectiveness of the procurement process
Timeline: January - June 2023 | Estimated Hours: 350 | FY22 Cost: – | FY23 Cost: $61,550 | Total Cost: $61,550

Long Range Planning – Planning and Development Services – Seeking Approval: no
Preliminary Audit Objectives:
● Review progress against intended goals and identify any gaps
● Determine whether an effective control environment exists for the Long Range Planning group to maintain the City's Comprehensive Plan
● Determine whether adequate controls are in place and working effectively for data analyses
Timeline: January - June 2023 | Estimated Hours: 400 | FY22 Cost: – | FY23 Cost: $82,500 | Total Cost: $82,500

ADA Compliance – Public Works – Seeking Approval: no
Preliminary Audit Objectives:
● Determine whether improvements have been made to make facilities, programs, and services accessible in accordance with the Transition Plan and Self-Evaluation Final Study to ensure compliance with the Americans with Disabilities Act (ADA) of 1990
Timeline: January - June 2023 | Estimated Hours: 350 | FY22 Cost: – | FY23 Cost: $61,550 | Total Cost: $61,550

TBD / Ad Hoc Requests – TBD – Seeking Approval: no
Preliminary Audit Objectives: TBD
Timeline: TBD | Estimated Hours: TBD

Phase III Sub Total | Estimated Hours: 2,300 | FY22 Cost: $0 | FY23 Cost: $458,100 | Total Cost: $458,100
Phase I + II + III TOTAL | Estimated Hours: 5,760 | FY22 Cost: $523,792 | FY23 Cost: $521,983 | Total Cost: $1,045,775
FY22 - FY23 Budget | FY22: $600,000 | FY23: $560,000 | Total: $1,160,000
FY23 Ad Hoc / Contingency | FY22: $76,208 | FY23: $38,017 | Total: $114,225
* For the purpose of audit plan preparation, OCA used the FY22 budget amount for FY23

Appendix: Task Orders

Audit Activity 4.13 – Remote and Flexible Work Study
PROFESSIONAL SERVICES TASK ORDER
TASK ORDER FY22-004.13
Consultant shall perform the Services detailed below in accordance with all the terms and
conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below.

CONTRACT NO. C21179340 OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE)
1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE):
1B. TASK ORDER NO.: FY22-004.13
2. CONSULTANT NAME: Baker Tilly US, LLP
3. PERIOD OF PERFORMANCE: START: March 1, 2022 COMPLETION: December 31, 2022
4. TOTAL TASK ORDER PRICE: $60,000 BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT $TBD
5. BUDGET CODE_______________ COST CENTER________________ COST ELEMENT______________ WBS/CIP__________ PHASE__________
6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Greer Stone, Chair of the City Council’s Policy and Services Committee
7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE:
▪ SERVICES AND DELIVERABLES TO BE PROVIDED
▪ SCHEDULE OF PERFORMANCE
▪ MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable)
▪ REIMBURSABLE EXPENSES, if any (with “not to exceed” amount)
8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A

I hereby authorize the performance of the work described in this Task Order.
APPROVED: CITY OF PALO ALTO
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________

I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant.
APPROVED: COMPANY NAME: ______________________
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________

Attachment A
DESCRIPTION OF SCOPE OF SERVICES

Introduction
Attachment A, the Description of Scope of Services, contains the following four (4) elements:
• Services and Deliverables To Be Provided
• Schedule of Performance
• Maximum Compensation Amount and Rate Schedule (As Applicable)
• Reimbursable Expenses, if any (With “Not To Exceed” Amount)

Services & Deliverables
Baker Tilly’s approach to conducting the Construction Controls Assessment involves three (3) primary steps:
• Step 1: Audit Planning
• Step 2: Control review and analysis
• Step 3: Reporting

Step 1 – Audit Planning
This step consists of the tasks performed to adequately plan the work necessary to address the overall audit objective and to solidify mutual understanding of the audit scope, objectives, audit process, and timing between stakeholders and auditors.
Tasks include:
• Gather information to understand the environment under review
  o Understand the organization structure and objectives
  o Review the codes, regulations, policies, and other standards and expectations
  o Review the prior audit results, if any
  o Review previously conducted employee engagement and satisfaction surveys
  o Issue an employee survey centered on remote work capabilities
  o Issue a management survey centered on remote work capabilities
  o Review additional documentation and conduct interviews as necessary
• Assess the audit risk
• Write an audit plan and audit program
  o Define audit objectives and scope
  o Identify the audit procedures to be performed and the evidence to be obtained
• Announce the initiation of the audit and conduct a kick-off meeting with key stakeholders
  o Discuss audit objectives, scope, audit process, timing, resources, and expectations
  o Discuss documentation and interview requests for the audit

Step 2 – Control Review and Testing
This step involves executing the procedures in the audit program to gather information, interview individuals, and analyze the data and information to obtain sufficient evidence to address the audit objectives. The preliminary audit objectives are to: (1) Assess employee and management perspectives for long-term remote and flexible work viability and associated challenges; (2) Evaluate positive outcomes and challenges for managing a mixed location workforce; (3) Identify policies, processes, management practices and work culture improvements that may improve the City’s ability to manage a remote workforce.

Tasks include but are not limited to:
• Analyze employee and management surveys to identify management and policy change opportunities and barriers for managing a mixed location workforce
• Interview (focus group and/or individual) the Human Resources, employee representatives and management representatives to understand the current state, benefits and barriers to
• Review relevant policies and procedures as well as the position eligibility standards for remote work to identify the criteria to be used for evaluation of control design and effectiveness
• Research best practices and practices of surrounding communities
• Analyze available data to assess the impact of current practices on recruitment and retention
• Validate analysis with Human Resources

Step 3 – Reporting
In Step 3, the project team will perform tasks necessary to finalize audit working papers and submit a final audit report. Tasks include:
• Develop findings, conclusions, and recommendations based on the supporting evidence gathered
• Validate findings with the appropriate individuals
• Complete the supervisory review of working papers and a draft audit report
• Distribute a draft audit report and conduct a closing meeting with key stakeholders
  o Discuss the audit results, findings, conclusions, and recommendations
  o Discuss management responses
• Obtain written management responses and finalize a report

Deliverables:
The following deliverable will be prepared as part of this engagement:
• Audit Report with remote and flexible work data analysis and best practice recommendation

Schedule of Performance
Anticipated Start Date: March 1, 2022
Anticipated End Date: December 31, 2022

Maximum Compensation Amount and Rate Schedule
The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this Task is $60,000. The not-to-exceed budget is based on an estimate of 285 total project hours, of which 16 are estimated to be completed by the City Auditor.
Reimbursable Expenses
If circumstances allow, Baker Tilly anticipates planning one on-site fieldwork visit. Given this possibility, Baker Tilly could incur reimbursable expenses for this Task. The not-to-exceed maximum for reimbursable expenses for this Task is $5,000. The following summarizes anticipated reimbursable expenses:
• Round-trip Airfare – $1,200
• Rental Car - $600
• Hotel accommodation - $2,500 (8 nights)
• Food and incidentals – $700
Note that, if current restrictions associated with COVID-19 continue, an on-site visit may not be possible. The project team will work with the City to consider circumstances at the time.

Audit Activity 4.14 – Cybersecurity Assessment
PROFESSIONAL SERVICES TASK ORDER
TASK ORDER FY22-004.14
Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below.

CONTRACT NO. C21179340 OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE)
1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE):
1B. TASK ORDER NO.: FY22-004.14
2. CONSULTANT NAME: Baker Tilly US, LLP
3. PERIOD OF PERFORMANCE: START: March 1, 2022 COMPLETION: December 31, 2022
4. TOTAL TASK ORDER PRICE: $110,000 BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT $TBD
5. BUDGET CODE_______________ COST CENTER________________ COST ELEMENT______________ WBS/CIP__________ PHASE__________
6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Greer Stone, Chair of the City Council’s Policy and Services Committee
7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE:
▪ SERVICES AND DELIVERABLES TO BE PROVIDED
▪ SCHEDULE OF PERFORMANCE
▪ MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable)
▪ REIMBURSABLE EXPENSES, if any (with “not to exceed” amount)
8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A

I hereby authorize the performance of the work described in this Task Order.
APPROVED: CITY OF PALO ALTO
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________

I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant.
APPROVED: COMPANY NAME: ______________________
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________

Attachment A
DESCRIPTION OF SCOPE OF SERVICES

Introduction
Attachment A, the Description of Scope of Services, contains the following four (4) elements:
• Services and Deliverables To Be Provided
• Schedule of Performance
• Maximum Compensation Amount and Rate Schedule (As Applicable)
• Reimbursable Expenses, if any (With “Not To Exceed” Amount)

Services & Deliverables

Cybersecurity Maturity Assessment
Baker Tilly’s approach to conducting a cybersecurity assessment and developing a cybersecurity program strategy involves four (4) primary steps:
• Step 1: Assessment Planning and Kick-off
• Step 2: Information Gathering
• Step 3: Cybersecurity Capability Analysis and Recommendations
• Step 4: Reporting

Step 1 – Assessment Planning and Kick-off
This step consists of the tasks performed to adequately plan the work necessary to address the overall assessment objective and to solidify mutual understanding of the assessment scope, objectives, assessment process, and timing between stakeholders and assessors.
Tasks include:
• Baker Tilly will work with the City to finalize the assessment scope and project timeline. Baker Tilly will also provide the City with an initial interview and documentation request list.
• Finally, Baker Tilly will perform a project kick-off discussion with the City to ensure alignment with the project timeline, interview schedule, and deliverables.

Step 2 – Information Gathering
This step involves conducting interviews with identified IT security personnel and key stakeholders to identify security capabilities, processes, and currently implemented technologies. Baker Tilly will also review current IT security policy and procedure documentation, as well as network and infrastructure architecture documents.

Step 3 – Cybersecurity Capability Analysis and Recommendations
This step involves mapping current state security capabilities to the NIST Cybersecurity Framework and evaluating the maturity of current security processes. Baker Tilly will also identify current risks related to weaknesses in the City’s cybersecurity program. Baker Tilly will then review current state capabilities and risks with the City to ensure alignment on Baker Tilly’s initial analysis and identify target state objectives utilizing the Capability Maturity Model (CMMI). Finally, Baker Tilly will take the identified improvement areas and target state maturity objectives to develop our recommendations for the City’s cybersecurity program to meet its target state objectives.

Step 4 – Reporting
The project team will perform tasks necessary to finalize the initial draft cybersecurity assessment report and review a draft report with the stakeholders. Additionally, the team will submit a final assessment report to the City.
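The Step 3 mapping described above (current-state capabilities rated per NIST CSF category, a CMMI-style maturity level for each, then target-state objectives and the gaps between them) can be made concrete with a small gap calculator. The following Python is an added example written for this page, not Baker Tilly's or the City's tooling: the five CSF function names and the category identifiers are the real NIST CSF v1.1 labels, while the 1-5 maturity scale, the ratings in SAMPLE_RATINGS and the gap-first ranking are assumptions of the example and not assessment results.

```python
"""NIST CSF maturity-gap analysis, as a small worked example.

The CSF functions and category identifiers are the real NIST CSF v1.1
labels. Everything else is an assumption of this example: the 1-5
CMMI-style maturity scale, the current/target ratings in SAMPLE_RATINGS
(constructed, not the City's results), and the gap-based ranking used to
order the findings.
"""
from __future__ import annotations

from dataclasses import dataclass

# CSF v1.1 functions, in framework order (prefix -> name).
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

# Assumed CMMI-style scale used for both current and target ratings.
MATURITY_LEVELS = {1: "Initial", 2: "Managed", 3: "Defined",
                   4: "Quantitatively Managed", 5: "Optimizing"}


@dataclass(frozen=True)
class Rating:
    """One assessed CSF category: where it is now and where it should be."""
    category: str  # CSF v1.1 category id, e.g. "PR.AC"
    current: int   # assessed maturity on the 1-5 scale
    target: int    # agreed target-state maturity on the same scale

    @property
    def function(self) -> str:
        return FUNCTIONS[self.category.split(".")[0]]

    @property
    def gap(self) -> int:
        # Exceeding the target is not a finding, so the gap floors at 0.
        return max(0, self.target - self.current)


def validate(ratings: list[Rating]) -> None:
    """Reject malformed input before it skews the averages."""
    for r in ratings:
        prefix, _, rest = r.category.partition(".")
        if prefix not in FUNCTIONS or not rest:
            raise ValueError(f"unknown CSF category id: {r.category!r}")
        for label, level in (("current", r.current), ("target", r.target)):
            if level not in MATURITY_LEVELS:
                raise ValueError(f"{r.category}: {label} level {level} is outside 1-5")


def overall_maturity(ratings: list[Rating]) -> float:
    """Mean current maturity across every rated category."""
    validate(ratings)
    return round(sum(r.current for r in ratings) / len(ratings), 2)


def function_summary(ratings: list[Rating]) -> dict[str, dict[str, float]]:
    """Average current, target and gap per CSF function (rated functions only)."""
    validate(ratings)
    by_function: dict[str, list[Rating]] = {}
    for r in ratings:
        by_function.setdefault(r.function, []).append(r)
    summary: dict[str, dict[str, float]] = {}
    for name in FUNCTIONS.values():
        group = by_function.get(name)
        if not group:
            continue  # coverage holes are reported by unrated_functions()
        n = len(group)
        summary[name] = {
            "current": round(sum(r.current for r in group) / n, 2),
            "target": round(sum(r.target for r in group) / n, 2),
            "gap": round(sum(r.gap for r in group) / n, 2),
        }
    return summary


def unrated_functions(ratings: list[Rating]) -> list[str]:
    """CSF functions with no rated category: a coverage hole in the assessment."""
    rated = {r.function for r in ratings}
    return [name for name in FUNCTIONS.values() if name not in rated]


def prioritize(ratings: list[Rating]) -> list[tuple[str, int]]:
    """Categories below target, largest gap first (ties broken by id)."""
    validate(ratings)
    below = [(r.category, r.gap) for r in ratings if r.gap > 0]
    return sorted(below, key=lambda item: (-item[1], item[0]))


# Constructed sample ratings (not real assessment results).
SAMPLE_RATINGS = [
    Rating("ID.AM", 2, 4),  # Asset Management
    Rating("ID.RA", 2, 3),  # Risk Assessment
    Rating("PR.AC", 3, 4),  # Identity Management and Access Control
    Rating("PR.DS", 2, 4),  # Data Security
    Rating("PR.IP", 3, 3),  # Information Protection Processes and Procedures
    Rating("DE.CM", 1, 4),  # Security Continuous Monitoring
    Rating("DE.AE", 2, 3),  # Anomalies and Events
    Rating("RS.RP", 2, 4),  # Response Planning
    Rating("RC.RP", 1, 3),  # Recovery Planning
]

if __name__ == "__main__":
    print(f"overall current maturity: {overall_maturity(SAMPLE_RATINGS)}")
    for name, s in function_summary(SAMPLE_RATINGS).items():
        print(f"{name:<9} current {s['current']:.2f}  target {s['target']:.2f}  gap {s['gap']:.2f}")
    print("priority order:", prioritize(SAMPLE_RATINGS))
    print("unrated functions:", unrated_functions(SAMPLE_RATINGS))
```

Run stand-alone it prints the per-function averages and the ranked list of categories below target. The per-function average is what a program-level report usually shows, so `unrated_functions` is there to flag a function with no rated category at all, a coverage hole that the averages alone would silently hide.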
Tasks include:
• Develop findings, conclusions, and recommendations based on the supporting evidence gathered
• Validate findings with the appropriate individuals
• Distribute a draft assessment report and conduct a closing meeting with key stakeholders
  o Discuss the assessment results, findings, conclusions, and recommendations
• Obtain written management responses and finalize a report

Deliverables:
The following deliverable will be prepared as part of this engagement:
• Cybersecurity Assessment Report and Program Strategy

External Penetration Testing
Baker Tilly will perform external penetration testing on behalf of the City. Baker Tilly’s approach to conducting these security testing activities involves four (4) primary steps:
• Step 1: Assessment Planning and Kick-off
• Step 2: Open-Source Information Gathering and Reconnaissance
• Step 3: External Penetration Testing
• Step 4: Reporting

Step 1 – Assessment Planning and Kick-off
This step consists of the tasks performed to adequately plan the work necessary to address the overall testing objective and to solidify mutual understanding of the testing scope, objectives, testing process, and timing between stakeholders and assessors. Tasks include:
• Baker Tilly will work with the City to finalize the testing scope and project timeline.
• Baker Tilly will perform a project kick-off discussion with the City to ensure alignment with the project timeline, testing approach, and deliverables.
• Baker Tilly will provide the City with an ISP authorization form and Rules of Engagement documents for signature to confirm testing scope and activities.

Step 2 – Open-Source Information Gathering and Reconnaissance
This step involves conducting interviews with identified IT security personnel and key stakeholders to identify security capabilities, processes, and currently implemented technologies. Baker Tilly will also review current IT security policy and procedure documentation, as well as network and infrastructure architecture documents.

Step 3 – External Penetration Testing
Baker Tilly will conduct external penetration testing on up to 300 active and 208 dormant external IP addresses provided by the City. External penetration testing services include:
• Confirmation of active versus dormant IP addresses;
• Identification of services and service versions running on each active system;
• Automated vulnerability discovery scanning for each active system;
• Penetration attempts on systems identified that have known exploitable vulnerabilities; and
• Deep dive exploitation of any identified exploitable vulnerabilities to gain unauthorized access to internal systems and/or data.

Step 4 – Reporting
The project team will perform tasks necessary to finalize our security testing report and review a draft report with City stakeholders. Additionally, the team will submit a final testing report to the City. Tasks include:
• Develop findings, conclusions, and recommendations based on the supporting evidence gathered
• Validate findings with the appropriate individuals
• Distribute a draft testing report and conduct a closing meeting with key stakeholders
  o Discuss the testing results, findings, conclusions, and recommendations
• Obtain written management responses and finalize a report

Deliverables:
The following deliverable will be prepared as part of this engagement:
• External Penetration Testing Report

Schedule of Performance
Anticipated Start Date: March 1, 2022
Anticipated End Date: December 31, 2022

Maximum Compensation Amount and Rate Schedule
The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this Task is $110,000. The not-to-exceed budget is based on an estimate of 525 total project hours, of which 30 are estimated to be completed by the City Auditor.
Reimbursable Expenses
We plan to complete the audit work remotely, including all interviews and documentation review. However, if the City requests the assessment team to travel on-site for meetings, interviews, or assessment report readouts, these travel related expenses will be billed in addition to the fees above.

Audit Activity 4.15 – Wastewater Treatment Plant Agreement
PROFESSIONAL SERVICES TASK ORDER
TASK ORDER FY22-004.15
Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below.

CONTRACT NO. C21179340 OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE)
1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE):
1B. TASK ORDER NO.: FY22-004.14
2. CONSULTANT NAME: Baker Tilly US, LLP
3. PERIOD OF PERFORMANCE: START: March 1, 2022 COMPLETION: December 31, 2022
4. TOTAL TASK ORDER PRICE: $110,000 BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT $TBD
5. BUDGET CODE_______________ COST CENTER________________ COST ELEMENT______________ WBS/CIP__________ PHASE__________
6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Greer Stone, Chair of the City Council’s Policy and Services Committee
7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE:
▪ SERVICES AND DELIVERABLES TO BE PROVIDED
▪ SCHEDULE OF PERFORMANCE
▪ MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable)
▪ REIMBURSABLE EXPENSES, if any (with “not to exceed” amount)
8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A

I hereby authorize the performance of the work described in this Task Order.
APPROVED: CITY OF PALO ALTO
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________

I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant.
APPROVED: COMPANY NAME: ______________________
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________

Attachment A
DESCRIPTION OF SCOPE OF SERVICES

Introduction
Attachment A, the Description of Scope of Services, contains the following four (4) elements:
• Services and Deliverables To Be Provided
• Schedule of Performance
• Maximum Compensation Amount and Rate Schedule (As Applicable)
• Reimbursable Expenses, if any (With “Not To Exceed” Amount)

Services & Deliverables
Baker Tilly’s approach to conducting a Wastewater Treatment Plant Agreement Review involves three (3) primary steps:
• Step 1: Audit Planning
• Step 2: Process and Control Review
• Step 3: Reporting

Step 1 – Audit Planning
This step consists of the tasks performed to adequately plan the work necessary to address the overall audit objective and to solidify mutual understanding of the audit scope, objectives, audit process, and timing between stakeholders and auditors.
Tasks include:
• Gather information to understand the environment under review
  o Understand the organizational structure and objectives
  o Review the City code, regulations, and other standards and expectations
  o Review prior audit results, as applicable
  o Review additional documentation and conduct interviews as necessary
• Assess the audit risk
• Write an audit planning memo and audit program
  o Refine audit objectives and scope
  o Identify the audit procedures to be performed and the evidence to be obtained and examined
• Announce the initiation of the audit and conduct a kick-off meeting with key stakeholders
  o Discuss audit objectives, scope, audit process, timing, resources, and expectations
  o Discuss documentation and interview requests for the audit

Step 2 – Process and Control Review
This step involves executing the procedures in the audit program to gather information, interview individuals, and analyze the data and information to obtain sufficient evidence to address the audit objectives. The preliminary audit objectives are to: (1) Determine whether adequate controls are in place and working effectively to ensure that costs for treatment plant operations are properly accounted for and allocated; (2) Assess the compliance with contracts and regulations.

Procedures include:
• Interview the appropriate individuals to understand the process, the information system used, and internal controls related to accounting and allocation of costs for treatment plant operations.
• Review the contracts, policies and procedures as well as the regulations and standards to identify the criteria to be used for evaluation of compliance and control design and effectiveness
• Review the documents (such as contracts and supporting documents for allocation) for the selected allocation transactions
• Compare the cost accounting and allocation methodology against the requirements

Step 3 – Reporting
In Step 3, the project team will perform tasks necessary to finalize audit working papers, prepare and review a draft report with the stakeholders, and submit a final audit report. Tasks include:
• Develop findings, conclusions, and recommendations based on the supporting evidence gathered
• Validate findings with the appropriate individuals and discuss the root cause of the identified findings
• Complete supervisory review of working papers and a draft audit report
• Distribute a draft audit report and conduct a closing meeting with key stakeholders
  o Discuss the audit results, findings, conclusions, and recommendations
  o Discuss management responses
• Obtain written management responses and finalize a report
• Review the report with members of City Council and/or the appropriate Council Committee
• Present the final report to the City Council and/or the appropriate Council Committee

Deliverables:
The following deliverable will be prepared as part of this engagement:
• Audit Report

Schedule of Performance
Anticipated Start Date: March 1, 2022
Anticipated End Date: December 31, 2022

Maximum Compensation Amount and Rate Schedule
The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this Task is $82,500. The not-to-exceed budget is based on an estimate of 400 total project hours, of which 20 are estimated to be completed by the City Auditor.

Reimbursable Expenses
If circumstances allow, Baker Tilly anticipates planning one on-site fieldwork week. Given this possibility, Baker Tilly could incur reimbursable expenses for this Task.
The not-to-exceed maximum for reimbursable expenses for this Task is $4,750. The following summarizes anticipated reimbursable expenses (for three team members):
• Round-trip Airfare – $1,500
• Rental Car – $400
• Hotel accommodation – $2,500 (4 nights)
• Food and incidentals – $750
Note that, if current restrictions associated with COVID-19 continue, an on-site visit may not be possible. The project team will work with the City to consider circumstances at the time.

City of Palo Alto Office of the City Auditor
Policy & Services Committee Meeting
February 28, 2023

Agenda
1. Present the Utility Work Order Process Review Report
  • Project Background
  • Key Observations/Recommendations
  • Questions & Discussion
2. Task order review/approval
The CAO thanks the Palo Alto Utilities Department for their work on this audit activity – THANK YOU!

Project Background
Objectives for the audit activity include:
• Determine whether adequate controls are in place and working effectively around the work order process
• Assess the work order process against best practices
• Provide recommendations for improvement related to increased controls or process efficiencies

Audit Planning
The OCA performed tasks to adequately plan the work necessary to address the overall audit objective and to solidify mutual understanding of the audit scope, objectives, review process, and timing between stakeholders and auditors.
Process Analysis and Testing
The OCA tested 6 controls on a sample of work orders to determine if controls were operating effectively. In addition, the OCA reviewed the current processes in place and the systems used to identify areas of improved controls and efficiencies.
Recommendations
The OCA identified areas for improvement and drafted a report.

Project Background: Sample Work Order Testing
Key controls tested:
1. All capital work orders require supervisor approval before work can be performed
2. For development services projects, a permit must be reviewed and approved before work can begin
3. For customer work orders, customer payment must be received before work can begin
4. The Supervisor reviews the completed work order and as-built forms for accuracy
5. For electric work orders, the Utility Coordinator completes a checklist to ensure all documents are complete and included in the job packet (control implemented in August 2021)
6. For closed capital work orders, the assets were recorded to an appropriate plant account

Key Observations & Recommendations – Sample Work Order Testing
#1 Observation: Of the 21 sampled work orders that currently require approval, 3 did not have appropriate signature approval on the work order. All 3 were capital work orders.
Recommendation: We recommend that all work orders (including O&M) be approved by someone who has budget responsibility or the ability to approve unbudgeted maintenance work. Approval should be evidenced in writing.
#2 Observation: Of the 25 sampled work orders, 2 did not have a signature showing review of the completed work order. We also noted 3 work orders that had a signature showing a review was performed; however, there were costs which were incorrectly recorded to the wrong work order, indicating the review may not be performed at a detailed enough level and could be improved.
Recommendation: The review performed by the Supervisor should include review of all labor and materials, including 3rd party invoices, to ensure all costs are recorded to the correct work order.

Key Observations & Recommendations – Sample Work Order Testing (continued)
#3 Observation: Because this control was not implemented until August 2021 and only pertains to electric work orders, this control only applied to 5 of the sampled work orders. All 5 work orders had a completed checklist.
Recommendation: We recommend the Utility Coordinator complete a checklist evidencing review of work order completeness for all utilities.
#4 Observation: Costs are capitalized to the asset account on a quarterly basis. As such, only 4 of our sampled capital work orders were closed and recorded to the asset account at the time of our testing. All 4 work orders appeared to be recorded to an appropriate asset account (although not all costs were included, as noted in control number 4 above). Per Palo Alto, the additional costs will be recorded in Q3 FY22.
Recommendation: We recommend work orders be closed and capitalized monthly to prevent a backlog and to ensure depreciation starts immediately when the asset is placed in service.

Key Observations & Recommendations – System Utilization
#5 Observation: Although the water, wastewater, and gas utilities utilize SoGen to track work order progress, the electric utility utilizes SharePoint to share files and track work order status. Scheduling work is often done by the supervisor on a white board. In addition, the operations team has handheld tablets in the field; however, these do not interface with SoGen, and the team has found that it is easier to handwrite all work order information manually on paper forms. These paper forms are then given to the utility coordinator to be entered into SoGen, duplicating the data entry function.
Recommendation: We recommend the electric utility consider evaluating whether SAP has the capability to effectively track work orders, to avoid using side systems. The electric utility should also evaluate whether implementing SoGen, the system used by the water, gas, and wastewater utilities to track work orders, would allow for easier, more accurate work order tracking. A system with the ability to schedule work orders based on priority will also ensure there is not unnecessary downtime or overburdening of worker time. Palo Alto utilities should also consider developing an interface between the handheld devices and SoGen to eliminate duplicate processes and allow stakeholders access to the most up-to-date information as changes are being made in real time.

Key Observations & Recommendations – Design Changes and Recording Assets
#6 Observation: Currently, only major field changes require approval from the engineering supervisor, and that approval is oftentimes provided verbally.
Recommendation: Any design changes should be approved by an engineer or supervisor. Changes in the field are a safety issue for service and could impact other areas that the field crew may not be aware of. All approvals should be evidenced in writing.
#7 Observation: For water, gas, and wastewater, the asset additions and retirements that the Business Analyst provides to the Accountant for recording come from a report out of the SoGen system. These costs are settled to accounts in SAP. The Business Analyst indicated that assets may not have been recorded accurately in the past and that AME should be the system of record when recording asset additions and retirements. If assets are not recorded appropriately, financial and other reporting becomes less reliable.
Recommendation: We recommend that the utilities perform a full system reconciliation of assets in AME and SAP to ensure assets are accurately recorded. Assets in AME and SAP should continue to be reconciled on an annual basis (or cycle counts can be performed monthly, where a certain type of asset is counted each month). This reconciliation should be documented and signed off on.

Key Observations & Recommendations – Asset Reconciliation and KPIs
#8 Observation: Asset reconciliations are performed on a quarterly basis. No review of the reconciliation is performed by a separate individual. In addition, the reconciliation process is very manual, with the accountant manually entering numbers instead of using formulas to add the next period's numbers.
Recommendation: All reconciliations should be performed on a monthly basis to ensure monthly financials are accurate. All reconciliations should be reviewed for accuracy by another individual. This review should be evidenced in writing. In addition, Palo Alto should consider using more formulas in the reconciliation to reduce the risk of errors that can be caused by manually entering numbers.
#9 Observation: The water, wastewater, and gas utilities currently utilize key performance indicators (KPIs) to assist with monitoring their performance around project management and operations. An example of some of the KPIs currently being used is shown in Appendix C. It is our understanding that these same KPIs are currently being developed for the electric utility.
Recommendation: We agree that the electric utility would benefit from developing KPIs similar to those the water, wastewater, and gas utilities currently use. In addition, the utilities may want to consider adding KPIs related to work orders and project management.

Policy & Services Committee action
The City Auditor recommends that the Policy & Services Committee take the following action:
• Review the Utility Work Order Process Review report and corresponding recommendations for improvement and recommend the City Council accept the report.

Policy & Services Committee action
The City Auditor recommends that the Policy & Services Committee take the following actions and forward the corresponding report to City Council for consent:
Approve the following Task Orders:
• FY23-Task 01 – Citywide Risk Assessment
• FY23-Task 02 – Annual Audit Plan
• Task 04.12 – Wire Payment Process and Controls Review (Extension)
• Task 04.13 – Remote and Flexible Work Study (Extension)
• Task 04.14 – Cybersecurity Assessment (Extension)
• Task 04.15 – Wastewater Treatment Facility Agreement (Extension)
• Task 04.19 – Disaster Recovery Preparedness
• Task 04.20 – Procurement Process Review

Questions and answers

Thank you, it was a pleasure working with you!
Amanda Lasinski, (920) 210 7796, Amanda.lasinski@bakertilly.com
Adriane McCoy, (312) 240 2440, Adriane.mccoy@bakertilly.com