The URL can be used to link to this page

Home My WebLink AboutStaff Report 2305-15272 3 0 7 Policy & Services Committee Staff Report From: City Auditor Report Type: ACTION ITEMS Lead Department: City Auditor Meeting Date: June 13, 2023 Report #:2305-1527 TITLE Approval of Office of City Auditor Task Order Change - FY23-01 Citywide Risk Assessment & FY23-02 Annual Audit Plan; CEQA Status – Not a Project RECOMMENDATION The City Auditor recommends that the Policy & Services Committee recommend City Council approve the change to the Task Orders FY23-01 Citywide Risk Assessment and FY23-02 Annual Audit Plan. DISCUSSION The agreement between Baker Tilly and the City requires that each internal audit be commenced only upon the City’s approval of a Task Order. The Office of the City Auditor (OCA) presented Task Order FY23-01 – Citywide Risk Assessment and Task Order FY23-02 – Annual Audit Plan and the task orders were recommended for approval by the Policy & Services Committee on February 28, 2023, and accepted by the City Council during the City Council meeting on March 13, 2023. These task orders with the period of performance from March 1, 2023, to June 30, 2023, have not been signed since they were approved on March 13, 2023. As a result, OCA has not been able to start FY 2023 Risk Assessment and Annual Audit Plan. The OCA requests the period of performance to be extended to October 31, 2023. The total not-to-exceed budget remains the same. FISCAL/RESOURCE IMPACT Work recommended in these task orders is within both the approved scope and compensation of the contract with Baker Tilly and funding levels in the Funding levels in the FY 2023 Operating Budget for the Office of the City Auditor. 2 3 0 7 STAKEHOLDER ENGAGEMENT The Office of the City Auditor will coordinate with the Executive Leadership Team. ENVIRONMENTAL REVIEW Council action on this item is not a project as defined by CEQA because the audit activities do not involve any commitment to any specific project which may result in a potentially significant physical impact on the environment. CEQA Guidelines section 15378(b)(4). ATTACHMENTS Attachment A: TASK ORDER FY23-01 Citywide Risk Assessment (Extension) Attachment B: TASK ORDER FY23-02 Annual Audit Plan (Extension) APPROVED BY: Adriane D. McCoy, City Auditor PROFESSIONAL SERVICES TASK ORDER TASK ORDER FY23-01 Citywide Risk Assessment Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below. CONTRACT NO. C21179340 OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE) 1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): C21179340 1B. TASK O RDER NO.: FY23-01 2. CONSULTANT NAME: Baker Tilly US, LLP 3. PERIOD OF PERFORMANCE: START: March 1, 2023 COMPLETION: June 30 October 31, 2023 4 TOTAL TASK ORDER PRICE: $55,000 BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT: TBD 5. BUDGET CODE_______________ COST CENTER________________ COST ELEMENT______________ WBS/CIP__________ PHASE__________ 6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Greg Tanaka, Chair of the City Council’s Policy and Services Committee 7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE:  SERVICES AND DELIVERABLES TO BE PROVIDED  SCHEDULE OF PERFORMANCE  MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable)  REIMBURSABLE EXPENSES, if any (with “not to exceed” amount) 8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A I hereby authorize the performance of the work described in this Task Order. APPROVED: CITY OF PALO ALTO BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant. APPROVED: COMPANY NAME: ______________________ BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ Attachment A DESCRIPTION OF SCOPE OF SERVICES Introduction Attachment A, the Description of Scope of Services, contains the following four (4) elements: • Services and Deliverables To Be Provided • Schedule of Performance • Maximum Compensation Amount and Rate Schedule (As Applicable) • Reimbursable Expenses, if any (With “Not To Exceed” Amount) Services & Deliverables Baker Tilly’s approach to conducting the Citywide Risk Assessment involves four (4) primary steps: • Step 1: Project Planning & Management • Step 2: Information Gathering • Step 3: Analysis • Step 4: Reporting Step 1 – Project Planning & Management This step includes those tasks necessary to solidify mutual understanding of the risk assessment scope, objectives, deliverables, and timing as well as ensuring that appropriate client and consultant resources are available and well-coordinated. Tasks include: • Finalize project design – The first project activities will be to: o Identify communication channels and reporting relationships and responsibilities of project staff o Review and confirm project timelines o Review and confirm deliverables • Arrange logistics/administrative support – Matters to be addressed include schedules for interviews and data collection, contact persons in the departments, any other logistical matters, etc. • Conduct kick-off meeting with key project stakeholders Step 2 – Information Gathering This step involves gathering information, through various means, that will enable the project team to understand the various risks facing the City. Tasks include: • Request and review background information – the project team will develop an information request(s) in order to obtain various background information from the City. The request will include, but not be limited to: o Strategic plan(s) o Financial reports, including the most recent City Budget and Comprehensive Annual Financial Report (CAFR) o Operational policies and procedures o Municipal code o Consulting reports o Other relevant information and reports • Conduct interviews with City Council and management o Risk assessment interviews, aimed at understanding City functions and identifying risks, will be conducted with City Council members as well as department and division • Conduct a risk assessment survey, if necessary • Conduct research into key risks in order to identify relevant information to assess risks Overall, the project team will consider the following risk types: • Strategic • Financial • Operational • Technology • Compliance • Reputational • Political Step 3 – Risk Analysis In Step 3, the project team will develop a risk matrix consisting of auditable areas (also referred to as an audit or risk universe). The risk matrix will include the following risk categories: • Environment, Strategy, and Governance – risks that have an organization wide impact and are not subject to a specific department or function (e.g., ethics) • Significant Projects and Initiatives – risks associated with large projects (e.g., capital projects, technology implementation) or City initiatives (e.g., employee engagement initiative). • Function Specific Risks – risks associated with a specific department or function (e.g., procurement policy compliance) After assembling a risk matrix, the project team will assess the likelihood and impact of potential adverse events in order to quantitatively score each auditable area for purposes of prioritizing audit activities. Step 4 – Reporting In Step 4, the project team will finalize the draft Risk Matrix and prepare a draft Risk Assessment Report. The project team will ask for input (general completeness, risk scoring) on the Risk Matrix from key project stakeholders. Upon finalization of the Risk Matrix, the project team will finalize the Risk Assessment Report. Deliverables: The following deliverables will be prepared as part of this engagement: • Risk Matrix • Risk Assessment Report • Presentation of Results to City Council (note that this may be combined with presentation of the Task 2 Annual Audit Plan) Schedule of Performance Anticipated Start Date: March 1, 2023 Anticipated End Date: June 30 October 31, 2023 Maximum Compensation Amount and Rate Schedule The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this Task is $55,000. The not-to-exceed budget is based on an estimate of 250 total project hours, of which 40 are estimated to be completed by the City Auditor. Reimbursable Expenses We plan to complete all work remote including all interviews and documentation review. If at any point the City and Baker Tilly mutually determine it will be beneficial to perform a portion of the work on-site, we will submit an estimate of our reimbursable expenses for the City’s approval prior to traveling to Palo Alto. PROFESSIONAL SERVICES TASK ORDER TASK ORDER FY23-02 Annual Audit Plan Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below. CONTRACT NO. C21179340 OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE) 1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): C21179340 1B. TASK O RDER NO.: FY23-01 2. CONSULTANT NAME: Baker Tilly US, LLP 3. PERIOD OF PERFORMANCE: START: March 1, 2023 COMPLETION: June 30 October 31, 2023 4 TOTAL TASK ORDER PRICE: $10,500 BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT: TBD 5. BUDGET CODE_______________ COST CENTER________________ COST ELEMENT______________ WBS/CIP__________ PHASE__________ 6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Greg Tanaka, Chair of the City Council’s Policy and Services Committee 7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE:  SERVICES AND DELIVERABLES TO BE PROVIDED  SCHEDULE OF PERFORMANCE  MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable)  REIMBURSABLE EXPENSES, if any (with “not to exceed” amount) 8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A I hereby authorize the performance of the work described in this Task Order. APPROVED: CITY OF PALO ALTO BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant. APPROVED: COMPANY NAME: ______________________ BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ Attachment A DESCRIPTION OF SCOPE OF SERVICES Introduction Attachment A, the Description of Scope of Services, contains the following four (4) elements: • Services and Deliverables To Be Provided • Schedule of Performance • Maximum Compensation Amount and Rate Schedule (As Applicable) • Reimbursable Expenses, if any (With “Not To Exceed” Amount) Services & Deliverables Baker Tilly’s approach to preparing the Annual Audit Plan involves two (2) primary steps: • Step 1: Consultation with City Council and Management • Step 2: Reporting Step 1 – Consultation with City Council and Management The Risk Matrix and Risk Assessment Report will serve as the primary drivers of the Annual Audit Plan. The project team will initiate discussions over Risk Assessment results, potential audit activities, and audit coverage with City Council and Management. The purpose of those conversations will be to understand the priorities of City Council, and to develop a Draft Annual Audit Plan: The Draft Annual Audit Plan will identify the following components for each audit activity: • Audit activity type – audit or consulting activity • Audit objectives and scope • Anticipated budget – both in terms of hours and budget • Anticipated timeline Step 2 – Reporting The project team will present the Draft Annual Audit Plan to the City Council in order to obtain input on each potential audit activity. Upon refining the plan, the project team will finalize the Annual Audit Plan for presentation to City Council. Deliverables The following deliverable will be prepared as part of this engagement: • Annual Audit Plan Schedule of Performance Anticipated Start Date: March 1, 2023 Anticipated End Date: June 30 October 31, 2023 Maximum Compensation Amount and Rate Schedule The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this Task is $10,500. The not-to-exceed budget is based on an estimate of 50 total project hours, of which 10 are estimated to be completed by the City Auditor. Reimbursable Expenses We plan to complete all work remote including all interviews and documentation review. If at any point the City and Baker Tilly mutually determine it will be beneficial to perform a portion of the work on-site, we will submit an estimate of our reimbursable expenses for the City’s approval prior to traveling to Palo Alto.