Staff Report 2312-2460
CITY OF PALO ALTO
Policy & Services Committee Special Meeting
Tuesday, February 13, 2024 7:00 PM
Agenda Item 1. Approval of Office of City Auditor FY2024 Task 4 Task Orders
Supplemental Memo

Policy & Services Committee Staff Report
From: City Manager
Report Type: ACTION ITEMS
Lead Department: City Auditor
Meeting Date: February 13, 2024
Report #: 2312-2460

TITLE
Approval of Office of City Auditor FY2024 Task 4 Task Orders (CEQA Status - Not a Project)

RECOMMENDATION
The City Auditor recommends that the Policy and Services Committee recommend the City Council approve the following Task 4 Task Orders, identified in the Audit Plan Report:
• TASK ORDER FY24-4.23 Recruitment and Succession Planning
• TASK ORDER FY24-4.24 Grant Management
• TASK ORDER FY24-4.25 Emergency Preparedness
• TASK ORDER FY24-4.26 Utility Billing
• TASK ORDER FY24-4.27 Payment Card Industry Data Security Standard (PCI/DSS)

BACKGROUND
The Task 4, Execute Annual Audit Plan, in the agreement between the City of Palo Alto (City) and Baker Tilly US, LLP (Baker Tilly) [1] states, “Conduct a minimum number of internal audits in accordance with each approved annual audit plan based on the risk assessments. Each internal audit will commence only upon the City’s approval of a Task Order (which may be at the task or sub-task level) as required by this Agreement.
Each internal audit requires the preparation of a written report for review by the City Manager, City Attorney and appropriate Council committee, and review/approval by the City Council as required.”

[1] Baker Tilly US, LLP, Agreement for Professional Services, C21179340; https://www.cityofpaloalto.org/files/assets/public/v/5/agendas-minutes-reports/agendas-minutes/city-council-agendas-minutes/2022/20220509/20220509pccsmamended-linked.pdf

ANALYSIS
The Office of the City Auditor (OCA) is seeking approval from the Policy and Services Committee of the following Task Orders for internal audits listed in the Fiscal Year 2024 audit plan that was approved by the City Council on January 22, 2024 [2]:
• TASK ORDER FY24-4.23 Recruitment and Succession Planning
The preliminary audit objectives include:
o Determine the efficiency and effectiveness of the recruitment and hiring process
o Determine whether a formal succession plan and related policies and procedures are in place
• TASK ORDER FY24-4.24 Grant Management
The preliminary audit objective is to determine whether the City has adequate internal controls to manage the grant lifecycle efficiently and effectively
• TASK ORDER FY24-4.25 Emergency Preparedness
The preliminary audit objective is to determine whether the City is working to prevent wildfire and adequately prepared to respond to wildfire as part of the City’s emergency management plan
• TASK ORDER FY24-4.26 Utility Billing
The preliminary audit objectives include:
o Determine whether the internal controls over the utility billing process are adequate and working effectively to ensure billing is accurate and in compliance with the City's policy and regulations
o Determine whether billing adjustments are properly supported and approved
• TASK ORDER FY24-4.27 Payment Card Industry Data Security Standard (PCI/DSS)
The preliminary audit objective is to determine whether the internal controls over the payment card processing are adequate and working effectively for the City and any third party service provider

[2] City Council, January 22, 2024, Agenda Item #9, SR # 2311-2304 https://cityofpaloalto.primegov.com/Portal/Meeting?meetingTemplateId=13333

FISCAL/RESOURCE IMPACT
Work recommended in these tasks is within both the approved scope and compensation of the agreement with Baker Tilly and funding levels in the Fiscal Year 2024 operating budget for the OCA. Management has expressed a concern that multiple audits will be in progress simultaneously for the duration of this fiscal year. Staff will therefore work with the OCA to sequence audits to minimize conflicts.

STAKEHOLDER ENGAGEMENT
No stakeholder outreach was necessary to create task orders for the tasks described in the signed contract.

ENVIRONMENTAL REVIEW
Council action on this item is not a project as defined by CEQA because the Auditor task orders are administrative activities that will not result in direct or indirect physical changes in the environment. CEQA Guidelines section 15378(b)(5).

ATTACHMENTS
Attachment A: TASK ORDER FY24-4.23 Recruitment and Succession Planning
Attachment B: TASK ORDER FY24-4.24 Grant Management
Attachment C: TASK ORDER FY24-4.25 Emergency Preparedness
Attachment D: TASK ORDER FY24-4.26 Utility Billing
Attachment E: TASK ORDER FY24-4.27 Payment Card Industry Data Security Standard (PCI/DSS)

APPROVED BY: Adriane D. McCoy, City Auditor

PROFESSIONAL SERVICES TASK ORDER
TASK ORDER FY24-4.23 Recruitment and Succession Planning

Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below.

CONTRACT NO. C21179340 OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE)
1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): C21179340
1B. TASK ORDER NO.: FY23-4.23
2. CONSULTANT NAME: Baker Tilly US, LLP
3. PERIOD OF PERFORMANCE: START: January 1, 2024 COMPLETION: June 30, 2024
4. TOTAL TASK ORDER PRICE: $58,890
BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT TBD
5. BUDGET CODE_______________ COST CENTER________________ COST ELEMENT______________ WBS/CIP__________ PHASE__________
6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Lydia Kou, Chair of the City Council’s Policy and Services Committee
7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE:
• SERVICES AND DELIVERABLES TO BE PROVIDED
• SCHEDULE OF PERFORMANCE
• MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable)
• REIMBURSABLE EXPENSES, if any (with “not to exceed” amount)
8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A

I hereby authorize the performance of the work described in this Task Order.
APPROVED: CITY OF PALO ALTO
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________

I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant.
APPROVED: COMPANY NAME: ______________________
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________

Attachment A
DESCRIPTION OF SCOPE OF SERVICES

Introduction
Attachment A, the Description of Scope of Services, contains the following four (4) elements:
• Services and Deliverables To Be Provided
• Schedule of Performance
• Maximum Compensation Amount and Rate Schedule (As Applicable)
• Reimbursable Expenses, if any (With “Not To Exceed” Amount)

Services & Deliverables
Baker Tilly’s approach to conducting an internal audit of Recruitment and Succession Planning involves three (3) primary steps:
• Step 1: Audit Planning
• Step 2: Control Review and Testing
• Step 3: Reporting

Step 1 – Audit Planning
This step consists of the tasks performed to adequately plan the work necessary to address the overall audit objective and to solidify mutual understanding of the audit scope, objectives, audit process, and timing between stakeholders and auditors.
Tasks include:
• Gather information to understand the environment under review
o Understand the organizational structure and objectives
o Review the City code, regulations, and other standards and expectations
o Review prior audit results, as applicable
o Review additional documentation and conduct interviews as necessary
• Assess the audit risk
• Write an audit planning memo and audit program
o Refine audit objectives and scope
o Identify the audit procedures to be performed and the evidence to be obtained and examined
• Announce the initiation of the audit and conduct kick-off meeting with key stakeholders
o Discuss audit objectives, scope, audit process, timing, resources, and expectations
o Discuss documentation and interview requests for the audit

Step 2 – Control Review and Testing
This step involves executing the procedures in the audit program to gather information, interview individuals, and analyze the data and information to obtain sufficient evidence to address the audit objectives. The preliminary audit objective is to (1) determine the efficiency and effectiveness of the recruitment and hiring process; (2) determine whether a formal succession plan and related policies and procedures are in place. Procedures include, but are not limited to:
• Interview the appropriate individuals to gain an understanding of the organizational structure, processes, and controls related to recruitment and succession planning.
• Review policies and procedures as well as the legislative and regulatory requirements to identify the criteria to be used for evaluation of control design and effectiveness.
• Select a sample of the recruitment activities for documentation review
• Review the existing succession plan
• Compare the process and controls against the best practices.

Step 3 – Reporting
In Step 3, the project team will perform tasks necessary to finalize audit working papers, prepare and review a draft report with the stakeholders, and submit a final audit report.
Tasks include:
• Develop findings, conclusions, and recommendations based on the supporting evidence gathered
• Validate findings with the appropriate individuals and discuss the root cause of the identified findings
• Complete supervisory review of working papers and a draft audit report
• Distribute a draft audit report and conduct a closing meeting with key stakeholders
o Discuss the audit results, findings, conclusions, and recommendations
o Discuss management responses
• Obtain written management responses and finalize a report
• Review report with members of City Council and/or the appropriate Council Committee

Deliverables: The following deliverable will be prepared as part of this engagement:
• Audit Report

Schedule of Performance
Anticipated Start Date: January 1, 2024
Anticipated End Date: June 30, 2024

Maximum Compensation Amount and Rate Schedule
The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this Task is $58,890. The not-to-exceed budget is based on an estimate of 290 total project hours, of which 20 are estimated to be completed by the City Auditor.

Reimbursable Expenses
We plan to complete all work remotely, including all interviews and documentation review. If at any point the City and Baker Tilly mutually determine it will be beneficial to perform a portion of the work on-site, we will submit an estimate of our reimbursable expenses for the City’s approval prior to traveling to Palo Alto.

PROFESSIONAL SERVICES TASK ORDER
TASK ORDER FY24-4.24 Grant Management

Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below.

CONTRACT NO. C21179340 OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE)
1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): C21179340
1B. TASK ORDER NO.: FY23-4.24
2. CONSULTANT NAME: Baker Tilly US, LLP
3. PERIOD OF PERFORMANCE: START: January 1, 2024 COMPLETION: June 30, 2024
4. TOTAL TASK ORDER PRICE: $60,330
BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT TBD
5. BUDGET CODE_______________ COST CENTER________________ COST ELEMENT______________ WBS/CIP__________ PHASE__________
6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Lydia Kou, Chair of the City Council’s Policy and Services Committee
7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE:
• SERVICES AND DELIVERABLES TO BE PROVIDED
• SCHEDULE OF PERFORMANCE
• MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable)
• REIMBURSABLE EXPENSES, if any (with “not to exceed” amount)
8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A

I hereby authorize the performance of the work described in this Task Order.
APPROVED: CITY OF PALO ALTO
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________

I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant.
APPROVED: COMPANY NAME: ______________________
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________

Attachment A
DESCRIPTION OF SCOPE OF SERVICES

Introduction
Attachment A, the Description of Scope of Services, contains the following four (4) elements:
• Services and Deliverables To Be Provided
• Schedule of Performance
• Maximum Compensation Amount and Rate Schedule (As Applicable)
• Reimbursable Expenses, if any (With “Not To Exceed” Amount)

Services & Deliverables
Baker Tilly’s approach to conducting an internal audit of Grant Management involves three (3) primary steps:
• Step 1: Audit Planning
• Step 2: Control Review and Testing
• Step 3: Reporting

Step 1 – Audit Planning
This step consists of the tasks performed to adequately plan the work necessary to address the overall audit objective and to solidify mutual understanding of the audit scope, objectives, audit process, and timing between stakeholders and auditors.
Tasks include:
• Gather information to understand the environment under review
o Understand the organizational structure and objectives
o Review the City code, regulations, and other standards and expectations
o Review prior audit results, as applicable
o Review additional documentation and conduct interviews as necessary
• Assess the audit risk
• Write an audit planning memo and audit program
o Refine audit objectives and scope
o Identify the audit procedures to be performed and the evidence to be obtained and examined
• Announce the initiation of the audit and conduct kick-off meeting with key stakeholders
o Discuss audit objectives, scope, audit process, timing, resources, and expectations
o Discuss documentation and interview requests for the audit

Step 2 – Control Review and Testing
This step involves executing the procedures in the audit program to gather information, interview individuals, and analyze the data and information to obtain sufficient evidence to address the audit objectives. The preliminary audit objective is to determine whether the City has adequate internal controls to manage the grant lifecycle efficiently and effectively. Procedures include, but are not limited to:
• Interview the appropriate individuals to gain an understanding of the organizational structure, processes, and controls related to grant management.
• Review policies and procedures as well as the legislative and regulatory requirements to identify the criteria to be used for evaluation of control design and effectiveness.
• Select a sample of grants for documentation review.
• Compare the process and controls against the best practices.

Step 3 – Reporting
In Step 3, the project team will perform tasks necessary to finalize audit working papers, prepare and review a draft report with the stakeholders, and submit a final audit report.
Tasks include:
• Develop findings, conclusions, and recommendations based on the supporting evidence gathered
• Validate findings with the appropriate individuals and discuss the root cause of the identified findings
• Complete supervisory review of working papers and a draft audit report
• Distribute a draft audit report and conduct a closing meeting with key stakeholders
o Discuss the audit results, findings, conclusions, and recommendations
o Discuss management responses
• Obtain written management responses and finalize a report
• Review report with members of City Council and/or the appropriate Council Committee

Deliverables: The following deliverable will be prepared as part of this engagement:
• Audit Report

Schedule of Performance
Anticipated Start Date: January 1, 2024
Anticipated End Date: June 30, 2024

Maximum Compensation Amount and Rate Schedule
The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this Task is $60,330. The not-to-exceed budget is based on an estimate of 315 total project hours, of which 23 are estimated to be completed by the City Auditor.

Reimbursable Expenses
We plan to complete all work remotely, including all interviews and documentation review. If at any point the City and Baker Tilly mutually determine it will be beneficial to perform a portion of the work on-site, we will submit an estimate of our reimbursable expenses for the City’s approval prior to traveling to Palo Alto.

PROFESSIONAL SERVICES TASK ORDER
TASK ORDER FY24-4.25 Emergency Preparedness

Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below.

CONTRACT NO. C21179340 OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE)
1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): C21179340
1B. TASK ORDER NO.: FY23-4.25
2. CONSULTANT NAME: Baker Tilly US, LLP
3. PERIOD OF PERFORMANCE: START: January 1, 2024 COMPLETION: June 30, 2024
4. TOTAL TASK ORDER PRICE: $73,110
BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT TBD
5. BUDGET CODE_______________ COST CENTER________________ COST ELEMENT______________ WBS/CIP__________ PHASE__________
6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Lydia Kou, Chair of the City Council’s Policy and Services Committee
7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE:
• SERVICES AND DELIVERABLES TO BE PROVIDED
• SCHEDULE OF PERFORMANCE
• MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable)
• REIMBURSABLE EXPENSES, if any (with “not to exceed” amount)
8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A

I hereby authorize the performance of the work described in this Task Order.
APPROVED: CITY OF PALO ALTO
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________

I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant.
APPROVED: COMPANY NAME: ______________________
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________

Attachment A
DESCRIPTION OF SCOPE OF SERVICES

Introduction
Attachment A, the Description of Scope of Services, contains the following four (4) elements:
• Services and Deliverables To Be Provided
• Schedule of Performance
• Maximum Compensation Amount and Rate Schedule (As Applicable)
• Reimbursable Expenses, if any (With “Not To Exceed” Amount)

Services & Deliverables
Baker Tilly’s approach to conducting an internal audit of Emergency Preparedness involves three (3) primary steps:
• Step 1: Audit Planning
• Step 2: Control Review and Testing
• Step 3: Reporting

Step 1 – Audit Planning
This step consists of the tasks performed to adequately plan the work necessary to address the overall audit objective and to solidify mutual understanding of the audit scope, objectives, audit process, and timing between stakeholders and auditors.
Tasks include:
• Gather information to understand the environment under review
o Understand the organizational structure and objectives
o Review the City code, regulations, and other standards and expectations
o Review prior audit results, as applicable
o Review additional documentation and conduct interviews as necessary
• Assess the audit risk
• Write an audit planning memo and audit program
o Refine audit objectives and scope
o Identify the audit procedures to be performed and the evidence to be obtained and examined
• Announce the initiation of the audit and conduct kick-off meeting with key stakeholders
o Discuss audit objectives, scope, audit process, timing, resources, and expectations
o Discuss documentation and interview requests for the audit

Step 2 – Control Review and Testing
This step involves executing the procedures in the audit program to gather information, interview individuals, and analyze the data and information to obtain sufficient evidence to address the audit objectives. The preliminary audit objective is to determine whether the City is working to prevent wildfire and adequately prepared to respond to wildfire as part of the City’s emergency management plan. Procedures include, but are not limited to:
• Interview the appropriate individuals in all relevant departments to gain an understanding of the organizational structure, processes, and controls related to wildfire prevention and response as well as the City’s overall emergency preparedness.
• Review policies and procedures as well as the legislative and regulatory requirements to identify the criteria to be used for evaluation of control design and effectiveness.
• Review the existing emergency management plan and other related documents such as prevention activities, training and exercises, equipment, and service contracts.
• Compare the process and controls against the best practices.
Step 3 – Reporting
In Step 3, the project team will perform tasks necessary to finalize audit working papers, prepare and review a draft report with the stakeholders, and submit a final audit report. Tasks include:
• Develop findings, conclusions, and recommendations based on the supporting evidence gathered
• Validate findings with the appropriate individuals and discuss the root cause of the identified findings
• Complete supervisory review of working papers and a draft audit report
• Distribute a draft audit report and conduct a closing meeting with key stakeholders
o Discuss the audit results, findings, conclusions, and recommendations
o Discuss management responses
• Obtain written management responses and finalize a report
• Review report with members of City Council and/or the appropriate Council Committee

Deliverables: The following deliverable will be prepared as part of this engagement:
• Audit Report

Schedule of Performance
Anticipated Start Date: January 1, 2024
Anticipated End Date: June 30, 2024

Maximum Compensation Amount and Rate Schedule
The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this Task is $73,110. The not-to-exceed budget is based on an estimate of 385 total project hours, of which 25 are estimated to be completed by the City Auditor.

Reimbursable Expenses
We plan to complete all work remotely, including all interviews and documentation review. However, during the planning and fieldwork phases of this audit, the City and Baker Tilly may mutually determine it will be beneficial to perform a portion of the work on-site. Given this possibility, Baker Tilly could incur reimbursable expenses for this Task. The not-to-exceed maximum for reimbursable expenses for this Task is $6,500.
The following summarizes anticipated reimbursable expenses:
• Round-trip Airfare – $2,000 (1 round-trip flight x 2 auditors)
• Ground Transportation (car rental or Uber/taxi) - $800
• Hotel accommodation - $3,000 (2 rooms x 4 nights)
• Food and incidentals – $700

PROFESSIONAL SERVICES TASK ORDER
TASK ORDER FY24-4.26 Utility Billing

Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below.

CONTRACT NO. C21179340 OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE)
1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): C21179340
1B. TASK ORDER NO.: FY23-4.26
2. CONSULTANT NAME: Baker Tilly US, LLP
3. PERIOD OF PERFORMANCE: START: January 1, 2024 COMPLETION: June 30, 2024
4. TOTAL TASK ORDER PRICE: $72,010
BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT TBD
5. BUDGET CODE_______________ COST CENTER________________ COST ELEMENT______________ WBS/CIP__________ PHASE__________
6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Lydia Kou, Chair of the City Council’s Policy and Services Committee
7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE:
• SERVICES AND DELIVERABLES TO BE PROVIDED
• SCHEDULE OF PERFORMANCE
• MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable)
• REIMBURSABLE EXPENSES, if any (with “not to exceed” amount)
8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A

I hereby authorize the performance of the work described in this Task Order.
APPROVED: CITY OF PALO ALTO
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________

I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant.
APPROVED: COMPANY NAME: ______________________
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________

Attachment A
DESCRIPTION OF SCOPE OF SERVICES

Introduction
Attachment A, the Description of Scope of Services, contains the following four (4) elements:
• Services and Deliverables To Be Provided
• Schedule of Performance
• Maximum Compensation Amount and Rate Schedule (As Applicable)
• Reimbursable Expenses, if any (With “Not To Exceed” Amount)

Services & Deliverables
Baker Tilly’s approach to conducting an internal audit of Utility Billing involves three (3) primary steps:
• Step 1: Audit Planning
• Step 2: Control Review and Testing
• Step 3: Reporting

Step 1 – Audit Planning
This step consists of the tasks performed to adequately plan the work necessary to address the overall audit objective and to solidify mutual understanding of the audit scope, objectives, audit process, and timing between stakeholders and auditors.
Tasks include:
• Gather information to understand the environment under review
o Understand the organizational structure and objectives
o Review the City code, regulations, and other standards and expectations
o Review prior audit results, as applicable
o Review additional documentation and conduct interviews as necessary
• Assess the audit risk
• Write an audit planning memo and audit program
o Refine audit objectives and scope
o Identify the audit procedures to be performed and the evidence to be obtained and examined
• Announce the initiation of the audit and conduct kick-off meeting with key stakeholders
o Discuss audit objectives, scope, audit process, timing, resources, and expectations
o Discuss documentation and interview requests for the audit

Step 2 – Control Review and Testing
This step involves executing the procedures in the audit program to gather information, interview individuals, and analyze the data and information to obtain sufficient evidence to address the audit objectives. The preliminary audit objective is to (1) determine whether the internal controls over the utility billing process are adequate and working effectively to ensure billing is accurate and in compliance with the City's policy and regulations; (2) determine whether billing adjustments are properly supported and approved. Procedures include, but are not limited to:
• Interview the appropriate individuals to gain an understanding of the organizational structure, processes, and controls related to utility billing.
• Review policies and procedures as well as the legislative and regulatory requirements to identify the criteria to be used for evaluation of control design and effectiveness.
• Select a sample of utility invoices and a sample of billing adjustments for testing.
• Compare the process and controls against the best practices.
Step 3 – Reporting
In Step 3, the project team will perform tasks necessary to finalize audit working papers, prepare and review a draft report with the stakeholders, and submit a final audit report. Tasks include:
• Develop findings, conclusions, and recommendations based on the supporting evidence gathered
• Validate findings with the appropriate individuals and discuss the root cause of the identified findings
• Complete supervisory review of working papers and a draft audit report
• Distribute a draft audit report and conduct a closing meeting with key stakeholders
o Discuss the audit results, findings, conclusions, and recommendations
o Discuss management responses
• Obtain written management responses and finalize a report
• Review report with members of City Council and/or the appropriate Council Committee

Deliverables: The following deliverable will be prepared as part of this engagement:
• Audit Report

Schedule of Performance
Anticipated Start Date: January 1, 2024
Anticipated End Date: June 30, 2024

Maximum Compensation Amount and Rate Schedule
The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this Task is $72,010. The not-to-exceed budget is based on an estimate of 385 total project hours, of which 24 are estimated to be completed by the City Auditor.

Reimbursable Expenses
We plan to complete all work remotely, including all interviews and documentation review. If at any point the City and Baker Tilly mutually determine it will be beneficial to perform a portion of the work on-site, we will submit an estimate of our reimbursable expenses for the City’s approval prior to traveling to Palo Alto.

PROFESSIONAL SERVICES TASK ORDER
TASK ORDER FY24-4.27 Payment Card Industry Data Security Standard (PCI DSS)

Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below.
All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below.

CONTRACT NO. C21179340 OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE)
1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): C21179340
1B. TASK ORDER NO.: FY23-4.27
2. CONSULTANT NAME: Baker Tilly US, LLP
3. PERIOD OF PERFORMANCE: START: January 1, 2024 COMPLETION: June 30, 2024
4. TOTAL TASK ORDER PRICE: $69,680
BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT TBD
5. BUDGET CODE_______________ COST CENTER________________ COST ELEMENT______________ WBS/CIP__________ PHASE__________
6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Lydia Kou, Chair of the City Council’s Policy and Services Committee
7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE:
• SERVICES AND DELIVERABLES TO BE PROVIDED
• SCHEDULE OF PERFORMANCE
• MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable)
• REIMBURSABLE EXPENSES, if any (with “not to exceed” amount)
8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A

I hereby authorize the performance of the work described in this Task Order.
APPROVED: CITY OF PALO ALTO
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________

I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant.
APPROVED: COMPANY NAME: ______________________ BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ Attachment A DESCRIPTION OF SCOPE OF SERVICES Introduction Attachment A, the Description of Scope of Services, contains the following four (4) elements: • Services and Deliverables To Be Provided • Schedule of Performance • Maximum Compensation Amount and Rate Schedule (As Applicable) • Reimbursable Expenses, if any (With “Not To Exceed” Amount) Services & Deliverables Baker Tilly’s approach to conducting an internal audit of Payment Card Industry Data Security Standard (PCI DSS) Compliance involves three (3) primary steps: • Step 1: Audit Planning • Step 2: Control Review and Testing • Step 3: Reporting Step 1 – Audit Planning This step consists of the tasks performed to adequately plan the work necessary to address the overall audit objective and to solidify mutual understanding of the audit scope, objectives, audit process, and timing between stakeholders and auditors. 
Tasks include: • Gather information to understand the environment under review o Understand the organizational structure and objectives o Review the City code, regulations, and other standards and expectations o Review prior audit results, as applicable o Review additional documentation and conduct interviews as necessary • Assess the audit risk • Write an audit planning memo and audit program o Refine audit objectives and scope o Identify the audit procedures to be performed and the evidence to be obtained and examined • Announce the initiation of the audit and conduct kick-off meeting with key stakeholders o Discuss audit objectives, scope, audit process, timing, resources, and expectations o Discuss documentation and interview requests for the audit Step 2 – Control Review and Testing This step involves executing the procedures in the audit program to gather information, interview individuals, and analyze the data and information to obtain sufficient evidence to address the audit objectives. The preliminary audit objective is to determine whether the internal controls over the payment card processing are adequate and working effectively for the City and any third party service provider. Procedures include, but not limited to: • Interview the appropriate individuals to gain an understanding of the organizational structure, processes, and controls related to compliance with PCI/DSS for payment card processing. • Review policies and procedures as well as the legislative and regulatory requirements (including PCI/DSS) to identify the criteria to be used for evaluation of control design and effectiveness. • Review the documentation related to ensuring third party providers’ PCI/DSS compliance • Compare the process and controls against the best practices. Step 3 – Reporting In Step 3, the project team will perform tasks necessary to finalize audit working papers, prepare and review a draft report with the stakeholders, and submit a final audit report. 
Tasks include: • Develop findings, conclusions, and recommendations based on the supporting evidence gathered • Validate findings with the appropriate individuals and discuss the root cause of the identified findings • Complete supervisory review of working papers and a draft audit report • Distribute a draft audit report and conduct a closing meeting with key stakeholders o Discuss the audit results, findings, conclusions, and recommendations o Discuss management responses • Obtain written management responses and finalize a report • Review report with members of City Council and/or the appropriate Council Committee Deliverables: The following deliverable will be prepared as part of this engagement: • Audit Report Schedule of Performance Anticipated Start Date: January 1, 2024 Anticipated End Date: June 30, 2024 Maximum Compensation Amount and Rate Schedule The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this Task is $69,680. The not-to-exceed budget is based on an estimate of 370 total project hours, of which 10 hours are estimated to be completed by the City Auditor. Reimbursable Expenses We plan to complete all work remotely, including all interviews and documentation review. However, during the planning and fieldwork phases of this audit, the City and Baker Tilly may mutually determine it will be beneficial to perform a portion of the work on-site. Given this possibility, Baker Tilly could incur reimbursable expenses for this Task. The not-to-exceed maximum for reimbursable expenses for this Task is $6,500. The following summarizes anticipated reimbursable expenses: • Round-trip Airfare – $2,000 (1 round-trip flight x 2 auditors) • Ground Transportation (car rental or Uber/taxi) - $800 • Hotel accommodation - $3,000 (2 rooms x 4 nights) • Food and incidentals – $700 The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity.
In specific circumstances, the services of a professional should be sought. © 2020 Baker Tilly US, LLP
Memo
To: City Clerk, City of Palo Alto
From: Chiemi Perry, Manager, Baker Tilly US, LLP
c.c. Ed Shikada, City Manager
Date: February 8, 2024
Subject: Supplemental Memo for Staff Report #2312-2460
Changes to the task order dates in the attachments to Staff Report #2312-2460 for the Agenda Item #1 of the Policies and Services Committee on February 13, 2024
The following five task orders prepared based on the FY2024 Audit Plan have the task order end dates of June 30, 2024, and were attached to Staff Report #2312-2460 when it was submitted on February 1, 2024:
TASK ORDER FY24-4.23 Recruitment and Succession Planning
TASK ORDER FY24-4.24 Grant Management
TASK ORDER FY24-4.25 Emergency Preparedness
TASK ORDER FY24-4.26 Utility Billing
TASK ORDER FY24-4.27 Payment Card Industry Data Security Standard (PCI/DSS)
Due to the departure of the City Auditor, Adriane D. McCoy, this week, there will be a delay in starting new audits as no new audit will be commenced until a new City Auditor is appointed. To be able to resume internal audit activities as soon as a new City Auditor is appointed, Baker Tilly is not withdrawing a request for approval of the task orders for the audits listed in the FY2024 Audit Plan approved by the City Council in January 2024. However, the delay necessitates an adjustment to the planned audit timeline. Therefore, we are submitting the task orders with new task order dates. The following changes were made to all five task orders originally attached to the Staff Report #2312-2460:
Page of a task order | Section Title | Change from | Change to
1 | 3. PERIOD OF PERFORMANCE | START: January 1, 2024 | START: March 1, 2024
1 | 3. PERIOD OF PERFORMANCE | COMPLETION: June 30, 2024 | COMPLETION: December 31, 2024
3 | Schedule of Performance | Anticipated Start Date: January 1, 2024 | Anticipated Start Date: March 1, 2024
3 | Schedule of Performance | Anticipated End Date: June 30, 2024 | Anticipated End Date: December 31, 2024
The changes listed above are the only changes made. No other changes were made since the City Clerk published the meeting packet on the City’s website.
PROFESSIONAL SERVICES TASK ORDER TASK ORDER FY24-4.23 Recruitment and Succession Planning Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below. CONTRACT NO. C21179340 OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE) 1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): C21179340 1B. TASK ORDER NO.: FY23-4.23 2. CONSULTANT NAME: Baker Tilly US, LLP 3. PERIOD OF PERFORMANCE: START: March 1, 2024 COMPLETION: December 31, 2024 4. TOTAL TASK ORDER PRICE: $58,890 BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT TBD 5. BUDGET CODE_______________ COST CENTER________________ COST ELEMENT______________ WBS/CIP__________ PHASE__________ 6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Lydia Kou, Chair of the City Council’s Policy and Services Committee 7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE: SERVICES AND DELIVERABLES TO BE PROVIDED SCHEDULE OF PERFORMANCE MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable) REIMBURSABLE EXPENSES, if any (with “not to exceed” amount) 8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A I hereby authorize the performance of the work described in this Task Order.
APPROVED: CITY OF PALO ALTO BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant. APPROVED: COMPANY NAME: ______________________ BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ Attachment A DESCRIPTION OF SCOPE OF SERVICES Introduction Attachment A, the Description of Scope of Services, contains the following four (4) elements: Services and Deliverables To Be Provided Schedule of Performance Maximum Compensation Amount and Rate Schedule (As Applicable) Reimbursable Expenses, if any (With “Not To Exceed” Amount) Services & Deliverables Baker Tilly’s approach to conducting an internal audit of Recruitment and Succession Planning involves three (3) primary steps: Step 1: Audit Planning Step 2: Control Review and Testing Step 3: Reporting Step 1 – Audit Planning This step consists of the tasks performed to adequately plan the work necessary to address the overall audit objective and to solidify mutual understanding of the audit scope, objectives, audit process, and timing between stakeholders and auditors. 
Tasks include: Gather information to understand the environment under review o Understand the organizational structure and objectives o Review the City code, regulations, and other standards and expectations o Review prior audit results, as applicable o Review additional documentation and conduct interviews as necessary Assess the audit risk Write an audit planning memo and audit program o Refine audit objectives and scope o Identify the audit procedures to be performed and the evidence to be obtained and examined Announce the initiation of the audit and conduct kick-off meeting with key stakeholders o Discuss audit objectives, scope, audit process, timing, resources, and expectations o Discuss documentation and interview requests for the audit Step 2 – Control Review and Testing This step involves executing the procedures in the audit program to gather information, interview individuals, and analyze the data and information to obtain sufficient evidence to address the audit objectives. The preliminary audit objective is to (1) determine the efficiency and effectiveness of the recruitment and hiring process; (2) determine whether a formal succession plan and related policies and procedures are in place. Procedures include, but not limited to: Interview the appropriate individuals to gain an understanding of the organizational structure, processes, and controls related to recruitment and succession planning. Review policies and procedures as well as the legislative and regulatory requirements to identify the criteria to be used for evaluation of control design and effectiveness. Select a sample of the recruitment activities for documentation review Review the existing succession plan Compare the process and controls against the best practices. Step 3 – Reporting In Step 3, the project team will perform tasks necessary to finalize audit working papers, prepare and review a draft report with the stakeholders, and submit a final audit report. 
Tasks include: Develop findings, conclusions, and recommendations based on the supporting evidence gathered Validate findings with the appropriate individuals and discuss the root cause of the identified findings Complete supervisory review of working papers and a draft audit report Distribute a draft audit report and conduct a closing meeting with key stakeholders o Discuss the audit results, findings, conclusions, and recommendations o Discuss management responses Obtain written management responses and finalize a report Review report with members of City Council and/or the appropriate Council Committee Deliverables: The following deliverable will be prepared as part of this engagement: Audit Report Schedule of Performance Anticipated Start Date: March 1, 2024 Anticipated End Date: December 31, 2024 Maximum Compensation Amount and Rate Schedule The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this Task is $58,890. The not-to-exceed budget is based on an estimate of 290 total project hours, of which 20 are estimated to be completed by the City Auditor. Reimbursable Expenses We plan to complete all work remotely, including all interviews and documentation review. If at any point the City and Baker Tilly mutually determine it will be beneficial to perform a portion of the work on-site, we will submit an estimate of our reimbursable expenses for the City’s approval prior to traveling to Palo Alto.
PROFESSIONAL SERVICES TASK ORDER TASK ORDER FY24-4.24 Grant Management Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below. CONTRACT NO. C21179340 OR PURCHASE ORDER REQUISITION NO.
(AS APPLICABLE) 1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): C21179340 1B. TASK ORDER NO.: FY23-4.24 2. CONSULTANT NAME: Baker Tilly US, LLP 3. PERIOD OF PERFORMANCE: START: March 1, 2024 COMPLETION: December 31, 2024 4. TOTAL TASK ORDER PRICE: $60,330 BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT TBD 5. BUDGET CODE_______________ COST CENTER________________ COST ELEMENT______________ WBS/CIP__________ PHASE__________ 6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Lydia Kou, Chair of the City Council’s Policy and Services Committee 7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE: SERVICES AND DELIVERABLES TO BE PROVIDED SCHEDULE OF PERFORMANCE MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable) REIMBURSABLE EXPENSES, if any (with “not to exceed” amount) 8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A I hereby authorize the performance of the work described in this Task Order. APPROVED: CITY OF PALO ALTO BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant.
APPROVED: COMPANY NAME: ______________________ BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ Attachment A DESCRIPTION OF SCOPE OF SERVICES Introduction Attachment A, the Description of Scope of Services, contains the following four (4) elements: Services and Deliverables To Be Provided Schedule of Performance Maximum Compensation Amount and Rate Schedule (As Applicable) Reimbursable Expenses, if any (With “Not To Exceed” Amount) Services & Deliverables Baker Tilly’s approach to conducting an internal audit of Grant Management involves three (3) primary steps: Step 1: Audit Planning Step 2: Control Review and Testing Step 3: Reporting Step 1 – Audit Planning This step consists of the tasks performed to adequately plan the work necessary to address the overall audit objective and to solidify mutual understanding of the audit scope, objectives, audit process, and timing between stakeholders and auditors. 
Tasks include: Gather information to understand the environment under review o Understand the organizational structure and objectives o Review the City code, regulations, and other standards and expectations o Review prior audit results, as applicable o Review additional documentation and conduct interviews as necessary Assess the audit risk Write an audit planning memo and audit program o Refine audit objectives and scope o Identify the audit procedures to be performed and the evidence to be obtained and examined Announce the initiation of the audit and conduct kick-off meeting with key stakeholders o Discuss audit objectives, scope, audit process, timing, resources, and expectations o Discuss documentation and interview requests for the audit Step 2 – Control Review and Testing This step involves executing the procedures in the audit program to gather information, interview individuals, and analyze the data and information to obtain sufficient evidence to address the audit objectives. The preliminary audit objective is to determine whether the City has adequate internal controls to manage the grant lifecycle efficiently and effectively. Procedures include, but not limited to: Interview the appropriate individuals to gain an understanding of the organizational structure, processes, and controls related to grant management. Review policies and procedures as well as the legislative and regulatory requirements to identify the criteria to be used for evaluation of control design and effectiveness. Select a sample of grants for documentation review. Compare the process and controls against the best practices. Step 3 – Reporting In Step 3, the project team will perform tasks necessary to finalize audit working papers, prepare and review a draft report with the stakeholders, and submit a final audit report. 
Tasks include: Develop findings, conclusions, and recommendations based on the supporting evidence gathered Validate findings with the appropriate individuals and discuss the root cause of the identified findings Complete supervisory review of working papers and a draft audit report Distribute a draft audit report and conduct a closing meeting with key stakeholders o Discuss the audit results, findings, conclusions, and recommendations o Discuss management responses Obtain written management responses and finalize a report Review report with members of City Council and/or the appropriate Council Committee Deliverables: The following deliverable will be prepared as part of this engagement: Audit Report Schedule of Performance Anticipated Start Date: March 1, 2024 Anticipated End Date: December 31, 2024 Maximum Compensation Amount and Rate Schedule The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this Task is $60,330. The not-to-exceed budget is based on an estimate of 315 total project hours, of which 23 are estimated to be completed by the City Auditor. Reimbursable Expenses We plan to complete all work remotely, including all interviews and documentation review. If at any point the City and Baker Tilly mutually determine it will be beneficial to perform a portion of the work on-site, we will submit an estimate of our reimbursable expenses for the City’s approval prior to traveling to Palo Alto.
PROFESSIONAL SERVICES TASK ORDER TASK ORDER FY24-4.25 Emergency Preparedness Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below. CONTRACT NO. C21179340 OR PURCHASE ORDER REQUISITION NO.
(AS APPLICABLE) 1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): C21179340 1B. TASK ORDER NO.: FY23-4.25 2. CONSULTANT NAME: Baker Tilly US, LLP 3. PERIOD OF PERFORMANCE: START: March 1, 2024 COMPLETION: December 31, 2024 4. TOTAL TASK ORDER PRICE: $73,110 BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT TBD 5. BUDGET CODE_______________ COST CENTER________________ COST ELEMENT______________ WBS/CIP__________ PHASE__________ 6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Lydia Kou, Chair of the City Council’s Policy and Services Committee 7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE: SERVICES AND DELIVERABLES TO BE PROVIDED SCHEDULE OF PERFORMANCE MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable) REIMBURSABLE EXPENSES, if any (with “not to exceed” amount) 8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A I hereby authorize the performance of the work described in this Task Order. APPROVED: CITY OF PALO ALTO BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant.
APPROVED: COMPANY NAME: ______________________ BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ Attachment A DESCRIPTION OF SCOPE OF SERVICES Introduction Attachment A, the Description of Scope of Services, contains the following four (4) elements: Services and Deliverables To Be Provided Schedule of Performance Maximum Compensation Amount and Rate Schedule (As Applicable) Reimbursable Expenses, if any (With “Not To Exceed” Amount) Services & Deliverables Baker Tilly’s approach to conducting an internal audit of Emergency Preparedness involves three (3) primary steps: Step 1: Audit Planning Step 2: Control Review and Testing Step 3: Reporting Step 1 – Audit Planning This step consists of the tasks performed to adequately plan the work necessary to address the overall audit objective and to solidify mutual understanding of the audit scope, objectives, audit process, and timing between stakeholders and auditors. 
Tasks include: Gather information to understand the environment under review o Understand the organizational structure and objectives o Review the City code, regulations, and other standards and expectations o Review prior audit results, as applicable o Review additional documentation and conduct interviews as necessary Assess the audit risk Write an audit planning memo and audit program o Refine audit objectives and scope o Identify the audit procedures to be performed and the evidence to be obtained and examined Announce the initiation of the audit and conduct kick-off meeting with key stakeholders o Discuss audit objectives, scope, audit process, timing, resources, and expectations o Discuss documentation and interview requests for the audit Step 2 – Control Review and Testing This step involves executing the procedures in the audit program to gather information, interview individuals, and analyze the data and information to obtain sufficient evidence to address the audit objectives. The preliminary audit objective is to determine whether the City is working to prevent wildfire and adequately prepared to respond to wildfire as part of the City’s emergency management plan. Procedures include, but not limited to: Interview the appropriate individuals in all relevant departments to gain an understanding of the organizational structure, processes, and controls related to wildfire prevention and response as well as the City’s overall emergency preparedness. Review policies and procedures as well as the legislative and regulatory requirements to identify the criteria to be used for evaluation of control design and effectiveness. Review the existing emergency management plan and other related documents such as prevention activities, training and exercises, equipment, and service contracts. Compare the process and controls against the best practices. 
Step 3 – Reporting In Step 3, the project team will perform tasks necessary to finalize audit working papers, prepare and review a draft report with the stakeholders, and submit a final audit report. Tasks include: Develop findings, conclusions, and recommendations based on the supporting evidence gathered Validate findings with the appropriate individuals and discuss the root cause of the identified findings Complete supervisory review of working papers and a draft audit report Distribute a draft audit report and conduct a closing meeting with key stakeholders o Discuss the audit results, findings, conclusions, and recommendations o Discuss management responses Obtain written management responses and finalize a report Review report with members of City Council and/or the appropriate Council Committee Deliverables: The following deliverable will be prepared as part of this engagement: Audit Report Schedule of Performance Anticipated Start Date: March 1, 2024 Anticipated End Date: December 31, 2024 Maximum Compensation Amount and Rate Schedule The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this Task is $73,110. The not-to-exceed budget is based on an estimate of 385 total project hours, of which 25 are estimated to be completed by the City Auditor. Reimbursable Expenses We plan to complete all work remotely, including all interviews and documentation review. However, during the planning and fieldwork phases of this audit, the City and Baker Tilly may mutually determine it will be beneficial to perform a portion of the work on-site. Given this possibility, Baker Tilly could incur reimbursable expenses for this Task. The not-to-exceed maximum for reimbursable expenses for this Task is $6,500.
The following summarizes anticipated reimbursable expenses: Round-trip Airfare – $2,000 (1 round-trip flight x 2 auditors) Ground Transportation (car rental or Uber/taxi) - $800 Hotel accommodation - $3,000 (2 rooms x 4 nights) Food and incidentals – $700
PROFESSIONAL SERVICES TASK ORDER TASK ORDER FY24-4.26 Utility Billing Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below. CONTRACT NO. C21179340 OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE) 1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): C21179340 1B. TASK ORDER NO.: FY23-4.26 2. CONSULTANT NAME: Baker Tilly US, LLP 3. PERIOD OF PERFORMANCE: START: March 1, 2024 COMPLETION: December 31, 2024 4. TOTAL TASK ORDER PRICE: $72,010 BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT TBD 5. BUDGET CODE_______________ COST CENTER________________ COST ELEMENT______________ WBS/CIP__________ PHASE__________ 6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Lydia Kou, Chair of the City Council’s Policy and Services Committee 7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE: SERVICES AND DELIVERABLES TO BE PROVIDED SCHEDULE OF PERFORMANCE MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable) REIMBURSABLE EXPENSES, if any (with “not to exceed” amount) 8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A I hereby authorize the performance of the work described in this Task Order.
APPROVED: CITY OF PALO ALTO BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant. APPROVED: COMPANY NAME: ______________________ BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ Attachment A DESCRIPTION OF SCOPE OF SERVICES Introduction Attachment A, the Description of Scope of Services, contains the following four (4) elements: Services and Deliverables To Be Provided Schedule of Performance Maximum Compensation Amount and Rate Schedule (As Applicable) Reimbursable Expenses, if any (With “Not To Exceed” Amount) Services & Deliverables Baker Tilly’s approach to conducting an internal audit of Utility Billing involves three (3) primary steps: Step 1: Audit Planning Step 2: Control Review and Testing Step 3: Reporting Step 1 – Audit Planning This step consists of the tasks performed to adequately plan the work necessary to address the overall audit objective and to solidify mutual understanding of the audit scope, objectives, audit process, and timing between stakeholders and auditors. 
Tasks include: Gather information to understand the environment under review o Understand the organizational structure and objectives o Review the City code, regulations, and other standards and expectations o Review prior audit results, as applicable o Review additional documentation and conduct interviews as necessary Assess the audit risk Write an audit planning memo and audit program o Refine audit objectives and scope o Identify the audit procedures to be performed and the evidence to be obtained and examined Announce the initiation of the audit and conduct kick-off meeting with key stakeholders o Discuss audit objectives, scope, audit process, timing, resources, and expectations o Discuss documentation and interview requests for the audit Step 2 – Control Review and Testing This step involves executing the procedures in the audit program to gather information, interview individuals, and analyze the data and information to obtain sufficient evidence to address the audit objectives. The preliminary audit objective is to (1) determine whether the internal controls over the utility billing process are adequate and working effectively to ensure billing is accurate and in compliance with the City's policy and regulations; (2) determine whether billing adjustments are properly supported and approved. Procedures include, but not limited to: Interview the appropriate individuals to gain an understanding of the organizational structure, processes, and controls related to utility billing. Review policies and procedures as well as the legislative and regulatory requirements to identify the criteria to be used for evaluation of control design and effectiveness. Select a sample of utility invoices and a sample of billing adjustments for testing. Compare the process and controls against the best practices. 
Step 3 – Reporting In Step 3, the project team will perform tasks necessary to finalize audit working papers, prepare and review a draft report with the stakeholders, and submit a final audit report. Tasks include: Develop findings, conclusions, and recommendations based on the supporting evidence gathered Validate findings with the appropriate individuals and discuss the root cause of the identified findings Complete supervisory review of working papers and a draft audit report Distribute a draft audit report and conduct a closing meeting with key stakeholders o Discuss the audit results, findings, conclusions, and recommendations o Discuss management responses Obtain written management responses and finalize a report Review report with members of City Council and/or the appropriate Council Committee Deliverables: The following deliverable will be prepared as part of this engagement: Audit Report Schedule of Performance Anticipated Start Date: March 1, 2024 Anticipated End Date: December 31, 2024 Maximum Compensation Amount and Rate Schedule The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this Task is $72,010. The not-to-exceed budget is based on an estimate of 385 total project hours, of which 24 are estimated to be completed by the City Auditor. Reimbursable Expenses We plan to complete all work remotely, including all interviews and documentation review. If at any point the City and Baker Tilly mutually determine it will be beneficial to perform a portion of the work on-site, we will submit an estimate of our reimbursable expenses for the City’s approval prior to traveling to Palo Alto.
PROFESSIONAL SERVICES TASK ORDER TASK ORDER FY24-4.27 Payment Card Industry Data Security Standard (PCI DSS) Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below.
All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below.

CONTRACT NO. C21179340 OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE)
1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): C21179340
1B. TASK ORDER NO.: FY23-4.27
2. CONSULTANT NAME: Baker Tilly US, LLP
3. PERIOD OF PERFORMANCE: START: March 1, 2024 COMPLETION: December 31, 2024
4. TOTAL TASK ORDER PRICE: $69,680
   BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT: TBD
5. BUDGET CODE_______________ COST CENTER________________ COST ELEMENT______________ WBS/CIP__________ PHASE__________
6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Lydia Kou, Chair of the City Council’s Policy and Services Committee
7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE:
   • SERVICES AND DELIVERABLES TO BE PROVIDED
   • SCHEDULE OF PERFORMANCE
   • MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable)
   • REIMBURSABLE EXPENSES, if any (with “not to exceed” amount)
8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A

I hereby authorize the performance of the work described in this Task Order.
APPROVED: CITY OF PALO ALTO
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________

I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant.
APPROVED: COMPANY NAME: ______________________
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________

Attachment A
DESCRIPTION OF SCOPE OF SERVICES

Introduction
Attachment A, the Description of Scope of Services, contains the following four (4) elements:
• Services and Deliverables To Be Provided
• Schedule of Performance
• Maximum Compensation Amount and Rate Schedule (As Applicable)
• Reimbursable Expenses, if any (With “Not To Exceed” Amount)

Services & Deliverables
Baker Tilly’s approach to conducting an internal audit of Payment Card Industry Data Security Standard (PCI DSS) Compliance involves three (3) primary steps:
• Step 1: Audit Planning
• Step 2: Control Review and Testing
• Step 3: Reporting

Step 1 – Audit Planning
This step consists of the tasks performed to adequately plan the work necessary to address the overall audit objective and to solidify mutual understanding of the audit scope, objectives, audit process, and timing between stakeholders and auditors.
Tasks include:
• Gather information to understand the environment under review
  o Understand the organizational structure and objectives
  o Review the City code, regulations, and other standards and expectations
  o Review prior audit results, as applicable
  o Review additional documentation and conduct interviews as necessary
• Assess the audit risk
• Write an audit planning memo and audit program
  o Refine audit objectives and scope
  o Identify the audit procedures to be performed and the evidence to be obtained and examined
• Announce the initiation of the audit and conduct kick-off meeting with key stakeholders
  o Discuss audit objectives, scope, audit process, timing, resources, and expectations
  o Discuss documentation and interview requests for the audit

Step 2 – Control Review and Testing
This step involves executing the procedures in the audit program to gather information, interview individuals, and analyze the data and information to obtain sufficient evidence to address the audit objectives. The preliminary audit objective is to determine whether the internal controls over the payment card processing are adequate and working effectively for the City and any third party service provider.
Procedures include, but are not limited to:
• Interview the appropriate individuals to gain an understanding of the organizational structure, processes, and controls related to compliance with PCI/DSS for payment card processing.
• Review policies and procedures as well as the legislative and regulatory requirements (including PCI/DSS) to identify the criteria to be used for evaluation of control design and effectiveness.
• Review the documentation related to ensuring third party providers’ PCI/DSS compliance.
• Compare the process and controls against the best practices.

Step 3 – Reporting
In Step 3, the project team will perform tasks necessary to finalize audit working papers, prepare and review a draft report with the stakeholders, and submit a final audit report.
Tasks include:
• Develop findings, conclusions, and recommendations based on the supporting evidence gathered
• Validate findings with the appropriate individuals and discuss the root cause of the identified findings
• Complete supervisory review of working papers and a draft audit report
• Distribute a draft audit report and conduct a closing meeting with key stakeholders
  o Discuss the audit results, findings, conclusions, and recommendations
  o Discuss management responses
• Obtain written management responses and finalize a report
• Review report with members of City Council and/or the appropriate Council Committee

Deliverables:
The following deliverable will be prepared as part of this engagement:
• Audit Report

Schedule of Performance
Anticipated Start Date: March 1, 2024
Anticipated End Date: December 31, 2024

Maximum Compensation Amount and Rate Schedule
The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this Task is $69,680. The not-to-exceed budget is based on an estimate of 370 total project hours, of which 10 hours are estimated to be completed by the City Auditor.

Reimbursable Expenses
We plan to complete all work remotely, including all interviews and documentation review. However, during the planning and fieldwork phases of this audit, the City and Baker Tilly may mutually determine it will be beneficial to perform a portion of the work on-site. Given this possibility, Baker Tilly could incur reimbursable expenses for this Task. The not-to-exceed maximum for reimbursable expenses for this Task is $6,500. The following summarizes anticipated reimbursable expenses:
• Round-trip Airfare – $2,000 (1 round-trip flight x 2 auditors)
• Ground Transportation (car rental or Uber/taxi) – $800
• Hotel accommodation – $3,000 (2 rooms x 4 nights)
• Food and incidentals – $700