Loading...
The URL can be used to link to this page
Your browser does not support the video tag.
Home
My WebLink
About
Staff Report 2411-3841
CITY OF PALO ALTO Policy & Services Committee Special Meeting Tuesday, December 10, 2024 7:00 PM Agenda Item 5.Approval of Office of the City Auditor Annual Risk Assessment and FY2025 Audit Plan Late Packet Report, Staff Presentation Policy & Services Committee Staff Report Report Type: ACTION ITEMS Lead Department: City Auditor Meeting Date: December 10, 2024 Report #:2411-3841 TITLE Approval of Office of the City Auditor Annual Risk Assessment and FY2025 Audit Plan This report will be a late packet report published on December 5, 2025. 5 6 0 3 Policy & Services Committee Staff Report From: City Manager Report Type: ACTION ITEMS Lead Department: City Auditor Meeting Date: December 10, 2024 Report #:2410-3553 TITLE Recommend City Council Approve the Office of the City Auditor Risk Assessment and FY 2025 Audit Plan and Corresponding Task Orders RECOMMENDATION The City Auditor recommends that the Policy and Services Committee recommend the City Council approve the following reports: 1. Fiscal Year 2024 Risk Assessment Report 2. Fiscal Year 2025 Audit Plan Report BACKGROUND The Palo Alto Municipal Code (Section 2.08.1301) requires the City auditor prepare and submit an annual audit plan to the City Council for review and approval. In its capacity serving as the City Auditor function, and in accordance with Baker Tilly’s agreement with the City, Baker Tilly performed a citywide risk assessment (Task 1 of the agreement2). The purpose of the assessment was to identify and prioritize risks to develop the annual audit plan (Task 2). During the risk assessment, Baker Tilly assessed a wide range of risk areas, including strategic, financial, technological, human capitol, operational, reputational, economic, and including compliance risk categories. ANALYSIS Baker Tilly, serving as the City Auditor, interviewed City Council members and executive leadership across all departments within the City regarding risks to the City and individual departments. Baker Tilly analyzed the results of these interviews and other data and information gathered from industry associations and publications. Identified risks were scored 1 https://codelibrary.amlegal.com/codes/paloalto/latest/paloalto_ca/0-0-0-60361 2 https://www.cityofpaloalto.org/files/assets/public/v/1/agendas-minutes-reports/reports/city-manager-reports- cmrs/year-archive/2020-2/id-11624.pdf?t=64761.15 5 6 0 3 and ranked based on likelihood and impact. The FY2025 Audit Plan was prepared based on the results of the FY2023 risk assessment survey conducted in the fall of 2023 and the FY2024 risk assessment interviews conducted in summer of 2024 and informed by current business factors such as other planned assessments and studies to ensure efficient allocation of City resources. FISCAL/RESOURCE IMPACT STAKEHOLDER ENGAGEMENT ENVIRONMENTAL REVIEW ATTACHMENTS APPROVED BY: 1 6 2 8 6 November 20, 2024 City of Palo Alto Office of the City Auditor FY2024 Annual Risk Assessment Contents Baker Tilly Advisory Group, LP and Baker Tilly US, LLP, trading as Baker Tilly, operate under an alternative practice structure and are members of the global network of Baker Tilly International Ltd., the members of which are separate and independent legal entities. Baker Tilly US, LLP is a licensed CPA firm that provides assurance services to its clients. Baker Tilly Advisory Group, LP and its subsidiary entities provide tax and consulting services to their clients and are not licensed CPA firms. INTRODUCTION...............................................................................................................1 RISK ASSESSMENT APPROACH...................................................................................2 RISK ASSESSMENT RESULTS......................................................................................3 APPENDICES...................................................................................................................9 1 Introduction Overview According to City Ordinance of the City of Palo Alto (the City), the mission of the Office of the City Auditor (OCA) is to promote honest, efficient, effective, economical, and fully accountable and transparent city government. To fulfill this mission, the OCA conducts performance audits and performs financial/operational analyses of city departments, programs, services, or activities as approved by the City Council. (Section 2.08.130). In its capacity serving as the City Auditor function, and in accordance with Baker Tilly’s agreement with the City (Task #1 of the agreement), Baker Tilly Advisory Group, LP (Baker Tilly) conducted the fiscal year (FY) 2024 citywide risk assessment in order to develop the FY2025 annual audit plan (Task #2). The California Government Code Section 1236 requires all cities that conduct audit activities to conduct their work under the general and specified standards prescribed by the Institute of Internal Auditors (IIA) or the Government Auditing Standards (GAO) issued by the Comptroller General of the United States, as appropriate. According to the IIA Standard 2010, the head of internal audit function “must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals” and consider the input of senior management and a governing board. The purpose of the risk assessment is to develop an internal audit plan that assigns internal audit resources to the activities that add the most value to the City. The risk assessment process involves identifying, measuring, and prioritizing risks associated with the audit universe (list of specific departments, functions, processes, programs, etc. that can be subject to an audit). Risk is defined as “the possibility of an event or condition occurring that will have an impact on the ability of an organization to achieve its objectives.”1 Our risk assessment involved collaboration with City Council and executive leadership from 14 main departments across the organization. This report summarizes our risk assessment methodology, analysis, and results. The FY2025 annual audit plan is based on the results of this risk assessment. Through the risk assessment, we observed certain strengths of the City. Key strengths include: Commitment to public service High value on efficient and effective government Focus on long term strategy Dedicated and highly professional management and staff Demonstrated history of innovation and commitment to sustainability Risk Assessment Process Considerations The starting point of internal auditing is to conduct a risk assessment that is the basis for determining the internal audit activities. However, it is not a one-size-fits-all process. The scope and complexity of the risk assessment are affected by various factors such as the maturity level of the internal audit function’s products and services, the organization’s enterprise risk management efforts, coordination with other monitoring and risk management functions, and the stakeholders’ expectations. As every organization is subject to a changing environment, the results of the annual risk assessment represent the information considered at the time of the assessment. In addition to the annual macro-level risk assessment, the internal audit function is required to perform an engagement-level risk assessment when starting each audit listed in the approved audit plan. The IIA Standard 2200 states, “Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations. The plan must consider the organization’s strategies, objectives, and risks relevant to the engagement.” 1 Rick A. Wright Jr., CIA, “The Internal Auditor’s Guide to Risk Assessment” The Institute of Internal Auditors Research Foundation (IIARF), 2018 2 Risk Assessment Approach Baker Tilly’s risk assessment approach consisted of four phases as illustrated in the graphic below. 2024 RISK ASSESSMENT PHASES Planning Scheduled the interviews with City Council members and Executive Leadership Team (ELT) members. Information Gathering Analyzed key documents such as City Council Priorities and the progress report, the budget documents, the annual comprehensive financial report, departmental strategic plans, employee turnover, the information on the City’s website and other relevant documents. Interviewed all available City Council Members and ELT members (24 individuals) to identify the events and conditions that may affect the achievement of objectives. Updated the risk assessment matrix with the information gathered. Analysis Scored the auditable units (listed in Appendix A) in the risk assessment matrix based on the likelihood and the impact2 of potential adverse events. o Each of the auditable units received scores for various risk factors related to the likelihood or impact (defined in Appendix B). o Risk factor scores were summed to create a single score for the auditable unit. Identified potential internal audit activities for the auditable units with high risk scores. Reporting Summarized the approach and results of the risk assessment Baker Tilly conducted an initial comprehensive risk assessment in FY2021 by interviewing all Council Members and Executive Leadership Team (ELT) members to create a risk assessment matrix. For the FY2022 risk assessment, Baker Tilly surveyed all ELT members and some additional members of management and conducted interviews with available Council Members as well as key ELT members representing areas of perceived high risk (e.g., Information Technology, Human Resources). For the third year risk assessment, all Council Members and ELT members were interviewed, 51 managers were surveyed, and the risk assessment matrix was redeveloped for a comprehensive picture of the risk landscape, which will be continuously improved. For FY2024, Baker Tilly met with all available City Council and ELT members (24 individuals in total). These interviews focused on identifying strategic and operational strengths, weaknesses, opportunities, and threats. Our risk assessment primarily measured inherent risk (the risk without mitigating controls/factors) for each risk factor although we also considered specific risks based on the City’s processes, controls, and other factors we learned through internal audit activities. Using the information gathered, we identified risks and determined the likelihood and impact of the risks. 2 Likelihood is the possibility that an event will occur. Impact is the extent to which an event might affect an organization. 3 Risk Assessment Results Department Descriptions and Key Risk Areas When identifying risk areas throughout the City, Baker Tilly considered each department and associated risks. Based on the concerns described by interviewees, departments’ functions, and their inherent risks, Baker Tilly identified the auditable risk areas for each department. Below is an overview of the City’s departments and their key risk areas. Administrative Services The Administrative Services Department provides financial and analytical support to the City. Departmental functions include finance and accounting, purchasing, administration, budget, real estate, and others. Key Risk Areas Purchasing Card Program Procurement Process Property Management Contract & Consultant Oversight City Attorney’s Office The City Attorney’s Office provides legal services to the City, including providing legal advice and training to City leaders, negotiating on behalf of the City, drafting contracts and other legal documents, investigating claims, and defending the City in litigation Key Risk Areas Identification of Legal Risks Contracts & Legal Documents City Clerk’s Office The City Clerk serves as a liaison between the public and City Council. Office functions include Public Records Act requests, public hearings, local elections, board and commission recruitments, record management, and others. Key Risk Areas Election Administration Record Retention & Management Council Meeting Management City Manager’s Office The City Manager’s Office provides leadership to the City departments and is responsible for facilitating City Council legislative actions, managing special interdepartmental projects, and more. The Communications Office is housed under the City Manager’s Office and is the primary correspondent between the City and the public. Key Risk Areas Citywide Risk Management Government Efficiency Economic Development Strategic Planning Office of Transportation The Office of Transportation works to enhance quality of life and improve the safety of the users of all modes of transportation. The Office is responsible for sustainable transportation systems, managing parking, and oversees the City’s traffic and transportation capital improvement projects. Key Risk Areas Intersection Safety Improvements Federal Railroad Administration (FRA) Quiet Zone Transit-Related Growth Community Services Department The Community Services Departments offers a variety of services administered through the following three divisions and the Office of Human Services: Arts and Sciences; Open Spaces, Parks, and Golf; and Recreation. Key Risk Areas Human Services Resource Allocation Process (HSRAP) Junior Museum and Zoo (JMZ) Operation Equipment & Materials Management 4 Fire The Fire Department oversees emergency response such as ambulance transports and fire response/rescue, emergency protection services such as fire prevention, and hazardous materials planning. The department highlights safeguarding the community and compassionate care. Key Risk Areas Emergency Preparedness (Foothills Fire Master Plan) Staffing Fleet Electrification Human Resources The Human Resources (HR) Department is responsible for recruiting, developing, and retaining a well-qualified and professional workforce. The Department ensures compliance with relevant labor laws, adheres to record keeping practices, and serves as a strategic partner for executive decision making. Key Risk Areas Recruitment Succession Planning HR Strategy & Risk Management Workplace Safety Information Technology The Information Technology Department's provides innovative technology solutions that support City departments. The department oversees IT project management, operations, enterprise systems, and security services. Key Risk Areas - PCI/DSS Compliance - AMI Implementation - ERP Upgrade - Adoption & Integration of New Tech Library The Library Department operates five libraries throughout the City, each offering unique resources. The Library provides educational programming, multi-cultural events, and large and diverse book, information and technology resources. Key Risk Areas Operations Events and Programming Volunteer Engagement Office of Emergency Services The Office of Emergency Services is designed to prevent, prepare for, and recover from various hazards. The Office is responsible for overseeing various risk management programs. Key Risk Areas Emergency Preparedness (Foothills Fire Mitigation Program; Evacuation Plans, COOPs, Interlocal Agreements) Training Compliance Planning and Development Services The Planning Department supports the City in land use development, planning, transportation, housing and environmental policies, and plans and programs that “maintain and enhance the City as a safe, vital, and attractive community”. Key Risk Areas Building Permit & Inspection Processes Building Permit & Inspection Fees Zoning Ordinance Code Enforcement Long Range Planning RHNA Affordable Housing Mandate Police The Police Department oversees technical services such as dispatch and record management, field services such as patrol and emergency response, and animal control. The Police Department also places a high value on community relations. Key Risk Areas Crime Reduction Psychiatric Emergency Response Team (PERT) Program Safety and Wellness Training 5 Overall Risk Scoring Distribution Baker Tilly structured the audit universe based on the department/division/program from the budget document and management’s feedback, which resulted in 96 auditable units (Appendix A). We scored them based on the information gathered for each risk factor related to the likelihood, impact, or fraud. Appendix B lists the risk factors, definitions, and scoring method. The maximum score for an auditable unit is 30. The following chart shows the distribution of overall risk scoring. Baker Tilly rated the auditable units as follows: High Risk – Scores 14 and above Moderate Risk – Scores more than 9 and less than 14 Low Risk – Scores below 9 Listed in the following pages are the auditable units with a score over 12 (out of 30) based on our scoring. The list includes 28 functions rated as high risk (with a score between 14 and 30) and 17 functions rated as moderate risk (with a score between 12 and 14). Items in grey text, were part of the FY2024 Audit Plan. In determining the audit activities to be performed in FY2025, we further evaluated specific risks and functional Public Works The Public Works Department is broken into four divisions: Engineering, Airport, Public Services, and Environmental Services. The Divisions are responsible for a variety of tasks including design and implementation of capital projects, maintenance of City-owned and leased structures, and management of the solid waste programs. Key Risk Areas Wastewater Treatment Capital Program The Americans with Disabilities Act (ADA) Compliance Flood Protection Capital Project Airport Operations Utilities The Utilities Department owns and operates electric, gas, water, wastewater and fiber optic services to the City. The City purchases all their power from external sources. The mission of the Department is to “provide safe, reliable, environmentally sustainable and cost effective services.” Key Risk Areas Power Purchase Agreements Utility Billing Fiber Optics Billing & Rates Rate Setting and Adjustment Utility Asset Management 7 24 44 18 3 Score ≤ 5 5 - 10 10 - 15 15 - 20 > 20 Overall Risk Score Distribution 6 areas and considered risk-based priorities as well as other factors such as requirements by law or regulation, timing of activities, special projects, and requests from City Council and management. The proposed audit plan will be included in a separate FY2025 Annual Audit Plan Report. 7 8 9 Appendix A: Resumes Appendices 10 Appendix A: Audit Universe City Attorney’s Office Administration Consultation and Advisory Litigation and Dispute Resolution Official and Administration Duties City Clerk’s Office Administration Administrative Citations Council Support Services Election/Conflict of Interest Legislative Records Management City Manager’s Office Administration and City Management Economic Development Public Communication Administrative Services Department Accounting Administration Office of Management and Budget Printing and Mailing Purchasing Real Estate Treasury/Revenue Collection/Warehouse Community Services Department Administration and Human Services Animal Shelter Aquatics Arts and Sciences Open Space, Parks and Golf Recreation and Cubberley Fire Department Administration Emergency Response Environmental Safety Management Records and Information Management Training and Personnel Human Resources Department Administration, Employee Org Development and HR Systems Benefits and Compensation Employee and Labor Relations Recruitment Risk Management, Safety, Workers’ Compensation Information Technology Department Enterprise Systems Office of the CIO Operations Project Services Library Department Administration Collection and Technical Services Public Services Office of Emergency Services Emergency Services Office of Transportation Administration Parking Districts Programs Special Revenue Funds Planning and Development Services Department Administration 11 Building Development Services Planning and Transportation Special Districts Police Department Administration Animal Control Field Services Investigations and Crime Prevention Services Law Enforcement Services Parking Services Police Personnel Selection Technical Services Traffic Services Department of Public Works Administration Airport Engineering Services Refuse Storm Drainage Streets Structures and Grounds Sustainability Trees Vehicle Replacement and Maintenance Wastewater Treatment Utilities Department Electric Administration Electric Customer Service Electric Demand Side Management Electric Engineering (Operating) Electric Operations and Maintenance Electric Resource Management Fiber Optics Administration Fiber Optics Customer Service Fiber Optic Operations and Maintenance Gas Administration Gas Customer Service Gas Demand Side Management Gas Engineering (Operating) Gas Operations and Maintenance Gas Resource Management Wastewater Collection Administration Wastewater Collection Customer Service Wastewater Collection Engineering (Operating) Wastewater Collection Operations and Maintenance Water Administration Water Customer Service Water Engineering (Operating) Water Operations and Maintenance Water Resource Management 12 Appendix B: Risk Factor Definition F D W M A e E M S M 3 C R E N s E M S M I 3 A O G T t E M S M I 3 1 C A g 5 4 3 2 1 2 P P P t d 5 4 3 2 1 R C M s 5 r 2 M C R 5 3 e 1 p 1 S C 5 3 1 3 1 F C m 5 3 1 1 1 H * F I H L H O H 1 6 3 0 6 November 20, 2024 City of Palo Alto Office of the City Auditor FY2025 Annual Audit Plan Contents Baker Tilly Advisory Group, LP and Baker Tilly US, LLP, trading as Baker Tilly, operate under an alternative practice structure and are members of the global network of Baker Tilly International Ltd., the members of which are separate and independent legal entities. Baker Tilly US, LLP is a licensed CPA firm that provides assurance services to its clients. Baker Tilly Advisory Group, LP and its subsidiary entities provide tax and consulting services to their clients and are not licensed CPA firms. INTRODUCTION...............................................................................................................1 RISK ASSESSMENT RESULTS......................................................................................3 PROPOSED AUDIT PROJECTS FOR FY2024................................................................4 APPENDICES...................................................................................................................6 1 Introduction Introduction The purpose of the audit activities performed by Baker Tilly Advisory Group, LP (Baker Tilly) as the outsourced Office of the City Auditor (OCA) for the City of Palo Alto (the City) is “to ensure that city management is using its financial, physical, and informational resources effectively, efficiently, economically, ethically, and equitably, and in compliance with laws, regulations, contract and grant requirements, and city policies and procedures”, according to the Palo Alto Municipal Code (Section 2.08.130). It requires the City Auditor to prepare an annual audit plan for the City Council’s approval. Conformance with Local Ordinances and Standards Section 2.08.130 of the Palo Alto Municipal Code defines that the mission of the OCA is to promote honest, efficient, effective, economical, and fully accountable and transparent city government. Audits are to be conducted and non-audit services provided in accordance with Government Auditing Standards, as established by the Comptroller General of the United States, Governmental Accountability Office. The following duties of the City Auditor exist regarding the plan and scope of internal audits. Palo Alto City Charter Article IV Sec. 12 requires the City Auditor to perform the following: –Conduct audits in accordance with a schedule approved by the City Council and may conduct unscheduled audits from time to time. –Conducts internal audits of all the fiscal transactions of the City. Title 2 Administrative Code Section 2.08.130 requires the City Auditor to perform the following: –Prepare an annual audit plan for City Council approval. –Identify the preliminary objectives of each audit to be performed, reflecting the purpose of the engagement and a preliminary description of the areas that may be addressed. –Conduct performance audits and perform non-audit services of any City department, program, service, or activity as approved by the City Council. California Government Code Section 1236 requires all cities that conduct audit activities to conduct their work under the general and specified standards prescribed by the Institute of Internal Auditors (IIA) or the Government Auditing Standards (GAO) issued by the Comptroller General of the United States, as appropriate. Audit Activity Type The OCA will conduct performance audits and perform financial/operational analyses of any City department, program, service, or activity as approved by the City Council in accordance with the Baker Tilly agreement. Performance Audits According to the Government Auditing Standards (GAO-18-568G, Section 1.21 and 1.22, page 10-12), performance audits provide objective analysis, findings, and conclusions to assist management and those charged with governance and oversight with, among other things, improving program performance and operations, reducing costs, facilitating decision making by parties responsible for overseeing or initiating corrective action, and contributing to public accountability. Performance audits may include the following four (4) audit objectives: –Program effectiveness and results 2 INTRODUCTION –Internal control design and effectiveness –Compliance with laws, regulations, and policies –Prospective analysis Audit Planning Considerations While maintaining its independence and objectivity in accordance with standards, the City Auditor considers a variety of matters when developing the Annual Audit Plan, including but not limited to: –Risk Assessment – the OCA performed a risk assessment and summarized the results in a separate report (Task #2). Generally speaking, audit activities target high(er) risk areas. The results are shown on the following page. –Ability to Add Value – audit seeks to add value through independent and objective analysis. –City Council – the City Auditor reports to the City Council and seeks input on audit priorities. –Coverage and Prior Audits – the City Auditor considers prior audits conducted by the OCA, the financial audit, and other audit and consulting reports recently issued. –“Ripeness” and On-Going Initiatives – certain risk areas may be addressed through operational activities, which could mean they are not ripe for audit to add value. –Scheduling – the City Auditor takes into consideration the timing of an audit and other on-going initiatives that directly relate. Putting an undue burden on City staff may exacerbate the risk at hand or other interrelated risks. 3 Risk Assessment Results The OCA performed a citywide risk assessment to plan for FY2025 audit activities and documented the methodology and the detailed results in a separate Risk Assessment Report. In summary, we identified the following areas rated as High or Moderate risks. Items in grey were included in the FY2024 Annual Audit Plan. In determining the audit activities to be performed in FY2025, we further reviewed these risks and functional areas and considered the matters listed in the previous page. 4 PROPOSED PROJECTS FOR FY2025 Proposed Projects for FY2025 Summary The proposed audits, special projects and follow-up project for FY2025 are listed on the next page. The projects were selected from the auditable units that were rated as High or Moderate in the results of our risk assessment and selected based on some factors such as risk rating, the pervasiveness of the processes or controls, the audit coverage, the timing of projects, and the value-adding activities that help the City enhance the ability to manage risks, strengthen accountability, and improve efficiency and effectiveness. The preliminary audit objectives are described for each audit listed. These objectives and scope will be further defined based on the result of the engagement level risk assessment performed at the beginning of each audit. Amendments to this audit plan may need to be proposed during FY2025 in response to changes in the City’s environment such as organizational structure, operations, risks, systems, and controls. For each audit, a task order is submitted to the City Council for approval before an audit commences. We prepared six task orders which are included in the Appendix. The OCA is seeking approval from the City Council to begin all six audits in January 2025. 5 Proposed Audit Plan for FY2025 6 Appendix A: Resumes Appendices 7 PROFESSIONAL SERVICES TASK ORDER Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below. CONTRACT NO. C21179340 OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE) 1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): C21179340 1B. TASK O RDER NO.: FY25-4.29 2. CONSULTANT NAME: Baker Tilly Advisory Group, LP 3. PERIOD OF PERFORMANCE: START: January 1, 2025 COMPLETION: June 30, 2025 4. TOTAL TASK ORDER PRICE: $95,670 BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT TBD 5. BUDGET CODE_______________ COST CENTER________________ COST ELEMENT______________ WBS/CIP__________ PHASE__________ 6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Lydia Kou, Chair of the City Council’s Policy and Services Committee 7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE: SERVICES AND DELIVERABLES TO BE PROVIDED SCHEDULE OF PERFORMANCE MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable) REIMBURSABLE EXPENSES, if any (with “not to exceed” amount) 8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A I hereby authorize the performance of the work described in this Task Order. APPROVED: CITY OF PALO ALTO BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant. APPROVED: COMPANY NAME: Baker Tilly Advisory Group, LP BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ 8 Attachment A Introduction Services and Deliverables To Be Provided Schedule of Performance Maximum Compensation Amount and Rate Schedule (As Applicable) Reimbursable Expenses, if any (With “Not To Exceed” Amount) Services & Deliverables Step 1: Audit Planning Step 2: Fieldwork and Testing Step 3: Reporting Step 1 – Audit Planning Gather information to understand the environment under review o Understand the environment under assessment o Assess the City code, regulations, and other standards and expectations o Assess prior audit results, as applicable o Assess additional documentation and conduct interviews as necessary Assess the audit risk Prepare an audit planning memo and audit program o Refine audit objectives and scope o Identify the audit procedures to be performed and the evidence to be obtained and examined Announce the initiation of the audit and kick-off meeting with key stakeholders o Discuss audit objectives, scope, audit process, timing, resources, and expectations o Discuss documentation and interview requests for the audit Step 2 – Fieldwork and Testing Interviewing the appropriate individuals to gain an understanding of the organizational structure, processes, and controls related to the Purchasing Card Program 9 Analyze policies and procedures as well as the legislative and regulatory requirements to identify the criteria to be used for evaluation of control design and effectiveness Select a sample of P-Card transactions to assess Compare processes and controls against best practices Step 3 – Reporting In Step 3, the project team will perform tasks necessary to finalize audit working papers, prepare and review a draft report with stakeholders, and submit a final report for management response. Tasks include: Developing findings, conclusions, and recommendations based on the supporting evidence gathered Validating findings with appropriate individuals and discuss the root cause of the identified findings Complete supervisory review of working papers and a draft audit report Distribute a draft audit report and conduct a closing meeting with key stakeholders o Discuss the audit results, findings, conclusions, and recommendations o Discuss management responses Obtain written management responses and finalize a report Review report with members of City Council and/or the appropriate Council Committee Deliverables: The following deliverables will be prepared as part of this engagement: Audit Report Policy & Services Committee Audit Report Presentation Schedule of Performance Anticipated Start Date: January 1, 2025 Anticipated End Date: June 30, 2025 Maximum Compensation Amount and Rate Schedule The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this Task is $95,670. The not-to-exceed budget is based on an estimate of 500 total project hours, of which a minimum of 50 are estimated to be completed by the City Auditor. Reimbursable Expenses We plan to complete all work remote including all interviews and documentation review. However, during the planning and fieldwork phases of this audit, the City and Baker Tilly may mutually determine it will be beneficial to perform a portion of the work on-site. Given this possibility, Baker Tilly could incur expenses for this Task. The not-to-exceed maximum for reimbursable expenses for this Task is $6,500. The following summarizes anticipated reimbursable expenses: Round-trip Airfare – $2,000 (1 round trip flight x 2 auditors) Ground transportation – $800 (car rental or Uber/taxi) 10 Hotel accommodation – $3,000 (2 rooms x 4 nights) Food & Incidentals – $2,100 PROFESSIONAL SERVICES TASK ORDER TASK ORDER FY25-4.30 Building Permit and Inspection Fees Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below. CONTRACT NO. C21179340 OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE) 1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): C21179340 1B. TASK ORDER NO.: FY25-4.30 2. CONSULTANT NAME: Baker Tilly Advisory Group, LP 3. PERIOD OF PERFORMANCE: START: January 1, 2025 COMPLETION: June 30, 2025 4. TOTAL TASK ORDER PRICE: $95,670 BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT TBD 5. BUDGET CODE_______________ COST CENTER________________ COST ELEMENT______________ WBS/CIP__________ PHASE__________ 6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Lydia Kou, Chair of the City Council’s Policy and Services Committee 7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE: SERVICES AND DELIVERABLES TO BE PROVIDED SCHEDULE OF PERFORMANCE MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable) REIMBURSABLE EXPENSES, if any (with “not to exceed” amount) 8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A I hereby authorize the performance of the work described in this Task Order. APPROVED: CITY OF PALO ALTO BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant. APPROVED: COMPANY NAME: Baker Tilly Advisory Group, LP BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ 11 Attachment A Introduction Services and Deliverables To Be Provided Schedule of Performance Maximum Compensation Amount and Rate Schedule (As Applicable) Reimbursable Expenses, if any (With “Not To Exceed” Amount) Services & Deliverables Step 1: Audit Planning Step 2: Fieldwork and Testing Step 3: Reporting Step 1 – Audit Planning Gather information to understand the environment under review o Understand the environment under assessment o Assess the City code, regulations, and other standards and expectations o Assess prior audit results, as applicable o Assess additional documentation and conduct interviews as necessary Assess the audit risk Prepare an audit planning memo and audit program o Refine audit objectives and scope o Identify the audit procedures to be performed and the evidence to be obtained and examined Announce the initiation of the audit and kick-off meeting with key stakeholders o Discuss audit objectives, scope, audit process, timing, resources, and expectations o Discuss documentation and interview requests for the audit Step 2 – Fieldwork and Testing Interviewing the appropriate individuals to gain an understanding of the organizational structure, processes, and controls related to the Development Services Program 12 Analyze policies and procedures as well as the legislative and regulatory requirements to identify the criteria to be used for evaluation of control design and effectiveness Select a sample of Building Permit and Inspection Fee transactions to assess Compare processes and controls against best practices Step 3 – Reporting In Step 3, the project team will perform tasks necessary to finalize audit working papers, prepare and review a draft report with stakeholders, and submit a final report for management response. Tasks include: Developing findings, conclusions, and recommendations based on the supporting evidence gathered Validating findings with appropriate individuals and discuss the root cause of the identified findings Complete supervisory review of working papers and a draft audit report Distribute a draft audit report and conduct a closing meeting with key stakeholders o Discuss the audit results, findings, conclusions, and recommendations o Discuss management responses Obtain written management responses and finalize a report Review report with members of City Council and/or the appropriate Council Committee Deliverables: The following deliverables will be prepared as part of this engagement: Audit Report Policy & Services Committee Audit Report Presentation Schedule of Performance Anticipated Start Date: January 1, 2025 Anticipated End Date: June 30, 2025 Maximum Compensation Amount and Rate Schedule The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this Task is $95,670. The not-to-exceed budget is based on an estimate of 500 total project hours, of which a minimum of 50 are estimated to be completed by the City Auditor. Reimbursable Expenses We plan to complete all work remote including all interviews and documentation review. However, during the planning and fieldwork phases of this audit, the City and Baker Tilly may mutually determine it will be beneficial to perform a portion of the work on-site. Given this possibility, Baker Tilly could incur expenses for this Task. The not-to-exceed maximum for reimbursable expenses for this Task is $6,500. The following summarizes anticipated reimbursable expenses: Round-trip Airfare – $2,000 (1 round trip flight x 2 auditors) Ground transportation – $800 (car rental or Uber/taxi) 13 Hotel accommodation – $3,000 (2 rooms x 4 nights) Food & Incidentals – $2,100 PROFESSIONAL SERVICES TASK ORDER TASK ORDER FY25-4.31 Junior Museum and Zoo Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below. CONTRACT NO. C21179340 OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE) 1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): C21179340 1B. TASK ORDER NO.: FY25-4.31 2. CONSULTANT NAME: Baker Tilly Advisory Group, LP 3. PERIOD OF PERFORMANCE: START: January 1, 2025 COMPLETION: June 30, 2025 4. TOTAL TASK ORDER PRICE: $89,900 BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT TBD 5. BUDGET CODE_______________ COST CENTER________________ COST ELEMENT______________ WBS/CIP__________ PHASE__________ 6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Lydia Kou, Chair of the City Council’s Policy and Services Committee 7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE: SERVICES AND DELIVERABLES TO BE PROVIDED SCHEDULE OF PERFORMANCE MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable) REIMBURSABLE EXPENSES, if any (with “not to exceed” amount) 8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A I hereby authorize the performance of the work described in this Task Order. APPROVED: CITY OF PALO ALTO BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant. APPROVED: COMPANY NAME: Baker Tilly Advisory Group, LP BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ 14 Attachment A Introduction Services and Deliverables To Be Provided Schedule of Performance Maximum Compensation Amount and Rate Schedule (As Applicable) Reimbursable Expenses, if any (With “Not To Exceed” Amount) Services & Deliverables Step 1: Audit Planning Step 2: Fieldwork and Testing Step 3: Reporting Step 1 – Audit Planning Gather information to understand the environment under review o Understand the environment under assessment o Assess the City code, regulations, and other standards and expectations o Assess prior audit results, as applicable o Assess additional documentation and conduct interviews as necessary Assess the audit risk Prepare an audit planning memo and audit program o Refine audit objectives and scope o Identify the audit procedures to be performed and the evidence to be obtained and examined Announce the initiation of the audit and kick-off meeting with key stakeholders o Discuss audit objectives, scope, audit process, timing, resources, and expectations o Discuss documentation and interview requests for the audit Step 2 – Fieldwork and Testing Interviewing the appropriate individuals to gain an understanding of the organizational structure, processes, and controls related to the Junior Museum and Zoo Analyze policies and procedures as well as the program mission and objectives to identify the criteria to be used for evaluation of control design and effectiveness Compare processes and controls against best practices 15 Step 3 – Reporting In Step 3, the project team will perform tasks necessary to finalize audit working papers, prepare and review a draft report with stakeholders, and submit a final report for management response. Tasks include: Developing findings, conclusions, and recommendations based on the supporting evidence gathered Validating findings with appropriate individuals and discuss the root cause of the identified findings Complete supervisory review of working papers and a draft audit report Distribute a draft audit report and conduct a closing meeting with key stakeholders o Discuss the audit results, findings, conclusions, and recommendations o Discuss management responses Obtain written management responses and finalize a report Review report with members of City Council and/or the appropriate Council Committee Deliverables: The following deliverables will be prepared as part of this engagement: Audit Report Policy & Services Committee Audit Report Presentation Schedule of Performance Anticipated Start Date: January 1, 2025 Anticipated End Date: June 30, 2025 Maximum Compensation Amount and Rate Schedule The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this Task is $89,900. The not-to-exceed budget is based on an estimate of 500 total project hours, of which a minimum of 40 are estimated to be completed by the City Auditor. Reimbursable Expenses We plan to complete all work remote including all interviews and documentation review. However, during the planning and fieldwork phases of this audit, the City and Baker Tilly may mutually determine it will be beneficial to perform a portion of the work on-site. Given this possibility, Baker Tilly could incur expenses for this Task. The not-to-exceed maximum for reimbursable expenses for this Task is $6,500. The following summarizes anticipated reimbursable expenses: Round-trip Airfare – $2,000 (1 round trip flight x 2 auditors) Ground transportation – $800 (car rental or Uber/taxi) Hotel accommodation – $3,000 (2 rooms x 4 nights) Food & Incidentals – $2,100 16 PROFESSIONAL SERVICES TASK ORDER TASK ORDER FY25-4.32 CSD Equipment and Materials Inventory Management Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below. CONTRACT NO. C21179340 OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE) 1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): C21179340 1B. TASK ORDER NO.: FY25-4.32 2. CONSULTANT NAME: Baker Tilly Advisory Group, LP 3. PERIOD OF PERFORMANCE: START: January 1, 2025 COMPLETION: June 30, 2025 4. TOTAL TASK ORDER PRICE: $89,900 BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT TBD 5. BUDGET CODE_______________ COST CENTER________________ COST ELEMENT______________ WBS/CIP__________ PHASE__________ 6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Lydia Kou, Chair of the City Council’s Policy and Services Committee 7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE: SERVICES AND DELIVERABLES TO BE PROVIDED SCHEDULE OF PERFORMANCE MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable) REIMBURSABLE EXPENSES, if any (with “not to exceed” amount) 8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A I hereby authorize the performance of the work described in this Task Order. APPROVED: CITY OF PALO ALTO BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant. APPROVED: COMPANY NAME: Baker Tilly Advisory Group, LP BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ 17 Attachment A Introduction Services and Deliverables To Be Provided Schedule of Performance Maximum Compensation Amount and Rate Schedule (As Applicable) Reimbursable Expenses, if any (With “Not To Exceed” Amount) Services & Deliverables Step 1: Audit Planning Step 2: Fieldwork and Testing Step 3: Reporting Step 1 – Audit Planning Gather information to understand the environment under review o Understand the environment under assessment o Assess the City code, regulations, and other standards and expectations o Assess prior audit results, as applicable o Assess additional documentation and conduct interviews as necessary Assess the audit risk Prepare an audit planning memo and audit program o Refine audit objectives and scope o Identify the audit procedures to be performed and the evidence to be obtained and examined Announce the initiation of the audit and kick-off meeting with key stakeholders o Discuss audit objectives, scope, audit process, timing, resources, and expectations o Discuss documentation and interview requests for the audit Step 2 – Fieldwork and Testing Interviewing the appropriate individuals to gain an understanding of the equipment and materials inventory management system Analyze policies and procedures related to equipment and material management and procurement to identify the criteria to be used for evaluation of control design and effectiveness Compare processes and controls against best practices 18 Step 3 – Reporting In Step 3, the project team will perform tasks necessary to finalize audit working papers, prepare and review a draft report with stakeholders, and submit a final report for management response. Tasks include: Developing findings, conclusions, and recommendations based on the supporting evidence gathered Validating findings with appropriate individuals and discuss the root cause of the identified findings Complete supervisory review of working papers and a draft audit report Distribute a draft audit report and conduct a closing meeting with key stakeholders o Discuss the audit results, findings, conclusions, and recommendations o Discuss management responses Obtain written management responses and finalize a report Review report with members of City Council and/or the appropriate Council Committee Deliverables: The following deliverables will be prepared as part of this engagement: Audit Report Policy & Services Committee Audit Report Presentation Schedule of Performance Anticipated Start Date: January 1, 2025 Anticipated End Date: June 30, 2025 Maximum Compensation Amount and Rate Schedule The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this Task is $89,900. The not-to-exceed budget is based on an estimate of 500 total project hours, of which a minimum of 40 are estimated to be completed by the City Auditor. Reimbursable Expenses We plan to complete all work remote including all interviews and documentation review. However, during the planning and fieldwork phases of this audit, the City and Baker Tilly may mutually determine it will be beneficial to perform a portion of the work on-site. Given this possibility, Baker Tilly could incur expenses for this Task. The not-to-exceed maximum for reimbursable expenses for this Task is $6,500. The following summarizes anticipated reimbursable expenses: Round-trip Airfare – $2,000 (1 round trip flight x 2 auditors) Ground transportation – $800 (car rental or Uber/taxi) Hotel accommodation – $3,000 (2 rooms x 4 nights) Food & Incidentals – $2,100 19 PROFESSIONAL SERVICES TASK ORDER TASK ORDER FY25-4.33 Public Safety Staffing Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below. CONTRACT NO. C21179340 OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE) 1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): C21179340 1B. TASK ORDER NO.: FY25-4.33 2. CONSULTANT NAME: Baker Tilly Advisory Group, LP 3. PERIOD OF PERFORMANCE: START: January 1, 2025 COMPLETION: June 30, 2025 4. TOTAL TASK ORDER PRICE: $95,670 BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT TBD 5. BUDGET CODE_______________ COST CENTER________________ COST ELEMENT______________ WBS/CIP__________ PHASE__________ 6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Lydia Kou, Chair of the City Council’s Policy and Services Committee 7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE: SERVICES AND DELIVERABLES TO BE PROVIDED SCHEDULE OF PERFORMANCE MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable) REIMBURSABLE EXPENSES, if any (with “not to exceed” amount) 8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A I hereby authorize the performance of the work described in this Task Order. APPROVED: CITY OF PALO ALTO BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant. APPROVED: COMPANY NAME: Baker Tilly Advisory Group, LP BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ 20 Attachment A Introduction Services and Deliverables To Be Provided Schedule of Performance Maximum Compensation Amount and Rate Schedule (As Applicable) Reimbursable Expenses, if any (With “Not To Exceed” Amount) Services & Deliverables Step 1: Audit Planning Step 2: Fieldwork and Testing Step 3: Reporting Step 1 – Audit Planning Gather information to understand the environment under review o Understand the environment under assessment o Assess the City code, regulations, and other standards and expectations o Assess prior audit results, as applicable o Assess additional documentation and conduct interviews as necessary Assess the audit risk Prepare an audit planning memo and audit program o Refine audit objectives and scope o Identify the audit procedures to be performed and the evidence to be obtained and examined Announce the initiation of the audit and kick-off meeting with key stakeholders o Discuss audit objectives, scope, audit process, timing, resources, and expectations o Discuss documentation and interview requests for the audit Step 2 – Fieldwork and Testing Interviewing the appropriate individuals to gain an understanding of the organizational structures, processes, and controls related to staffing and use of overtime including plans and systems used Analyze policies and procedures related to Public Safety staffing to identify the criteria to be used for evaluation of control design and effectiveness 21 Analyze Public Safety performance metrics to determine if staffing levels enable desired performance outcomes Compare performance processes and controls against best practices Step 3 – Reporting In Step 3, the project team will perform tasks necessary to finalize audit working papers, prepare and review a draft report with stakeholders, and submit a final report for management response. Tasks include: Developing findings, conclusions, and recommendations based on the supporting evidence gathered Validating findings with appropriate individuals and discuss the root cause of the identified findings Complete supervisory review of working papers and a draft audit report Distribute a draft audit report and conduct a closing meeting with key stakeholders o Discuss the audit results, findings, conclusions, and recommendations o Discuss management responses Obtain written management responses and finalize a report Review report with members of City Council and/or the appropriate Council Committee Deliverables: The following deliverables will be prepared as part of this engagement: Audit Report Policy & Services Committee Audit Report Presentation Schedule of Performance Anticipated Start Date: January 1, 2025 Anticipated End Date: June 30, 2025 Maximum Compensation Amount and Rate Schedule The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this Task is $95,670. The not-to-exceed budget is based on an estimate of 500 total project hours, of which a minimum of 50 are estimated to be completed by the City Auditor. Reimbursable Expenses We plan to complete all work remote including all interviews and documentation review. However, during the planning and fieldwork phases of this audit, the City and Baker Tilly may mutually determine it will be beneficial to perform a portion of the work on-site. Given this possibility, Baker Tilly could incur expenses for this Task. The not-to-exceed maximum for reimbursable expenses for this Task is $6,500. The following summarizes anticipated reimbursable expenses: Round-trip Airfare – $2,000 (1 round trip flight x 2 auditors) Ground transportation – $800 (car rental or Uber/taxi) Hotel accommodation – $3,000 (2 rooms x 4 nights) 22 Food & Incidentals – $2,100 PROFESSIONAL SERVICES TASK ORDER TASK ORDER FY25-4.34 Follow-Up Audit Activities Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below. CONTRACT NO. C21179340 OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE) 1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): C21179340 1B. TASK ORDER NO.: FY25-4.34 2. CONSULTANT NAME: Baker Tilly Advisory Group, LP 3. PERIOD OF PERFORMANCE: START: January 1, 2025 COMPLETION: June 30, 2025 4. TOTAL TASK ORDER PRICE: $59,390 BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT TBD 5. BUDGET CODE_______________ COST CENTER________________ COST ELEMENT______________ WBS/CIP__________ PHASE__________ 6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Lydia Kou, Chair of the City Council’s Policy and Services Committee 7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE: SERVICES AND DELIVERABLES TO BE PROVIDED SCHEDULE OF PERFORMANCE MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable) REIMBURSABLE EXPENSES, if any (with “not to exceed” amount) 8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A I hereby authorize the performance of the work described in this Task Order. APPROVED: CITY OF PALO ALTO BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant. APPROVED: COMPANY NAME: Baker Tilly Advisory Group, LP BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ 23 Attachment A Introduction Services and Deliverables To Be Provided Schedule of Performance Maximum Compensation Amount and Rate Schedule (As Applicable) Reimbursable Expenses, if any (With “Not To Exceed” Amount) Services & Deliverables Track and monitor progress on all audit recommendations Obtain sufficient evidence to support conclusions regarding the status of audit recommendations Annually report on the status of recommendations Deliverables: Annual Status of Audit Recommendations Report Policy & Services Committee Report Presentation Schedule of Performance Maximum Compensation Amount and Rate Schedule Baker Tilly US, LLP, trading as Baker Tilly, is a member of the global network of Baker Tilly International Ltd., the members of which are separate and independent legal entities. © 2023 Baker Tilly US, LLP. City of Palo Alto Office of the City Auditor (OCA) Policy & Services Committee Meeting Citywide Risk Assessment & FY25 Audit Plan December 10, 2024 2 Risk Assessment Overview P R E S E N TAT I O N •Annual activities required for the OCA: o Task 1 – Citywide Risk Assessment o Task 2 – Annual Audit Plan •FY24 Risk Assessment (June 2024 through October 2024): o Interviews with City Council and Executive Leadership Team (ELT) members o Analyzed documents and data •FY25 Annual Audit Plan (January 2025 through June 2025): 3 Risk assessment considerations R I S K AS S E S S M E N T M E T H O D O L O G Y In f o r m a t i o n G a t h e r i n g •Interviews •Information requests Financial reports Budget documents Strategic Plan Prior audits Policies Org. Chart Data •Strategic •Financial •Technology •Human Capital •Operational •Reputational •Market •Regulatory •Likelihood •Impact •Total risk rating 4 Risk Analysis R I S K AS S E S S M E N T M E T H O D O L O G Y 24 SWOT Interviews with City Council members and Executive Leadership Team •Strengths •Weaknesses •Opportunities •Threats Strategic – threats to organizational prosperity and longevity Financial – financial processes and systems Market (Economic) Reputational Technological - Human Capital Operational Regulatory Compliance – policies, guidelines, governing bodies Strategic – organizational prosperity and longevity Financial – financial processes, systems, and transactions Market (Economic) – market conditions – costs, labor, etc. Reputational – organizational perception and credibility Technological – IT performance necessary for business operations Human Capital – personnel knowledge, skills, and resources Operational – HR, Supply Chain, Customer Services, Payroll, etc. 5 Risk Factors – Impact and Likelihood R I S K AS S E S S M E N T M E T H O D O L O G Y Impact (effect on organization) •Magnitude - Budget expenditure of department/function area •Customer/Resident Experience – health, safety, customer satisfaction •Organizational Goals – City Council Priorities Likelihood (probability of risk occurring •Complexity – difficulty performing process or function •Policies & Procedures – present, up-to-date •Regulatory Compliance – existence of and compliance with regulations •Monitoring – monitoring activities and known deficiencies •Specific Risks – current conditions and significance Fraud – consider the functions susceptibility to fraud 6 Audit Universe (example) R I S K AS S E S S M E N T M E T H O D O L O G Y City Attorney’s Office Administration Consultation and Advisory Litigation and Dispute Resolution Official and Administration Duties City Clerk’s Office Administration Administrative Citations Council Support Services Election / Conflict of Interest Legislative Reports Management City Manager’s Office Administration & City Management Economic Development Public Communication Office of Transportation Administration Parking Districts Programs Information Technology Office of the CIO Enterprise Systems Operations Project Services Community Services Administration & Human Services Arts and Sciences Open Spaces, Parks & Golf Recreation 7 Top 28 Risk Areas R I S K AS S E S S M E N T R E S U LT S For Total Risk Score: low risk (Green) < 9; 9 ≤ moderate risk (Yellow) < 14; 14 ≤ high risk (Red) 8 Top 28 Risk Areas R I S K AS S E S S M E N T R E S U LT S For Total Risk Score: low risk (Green) < 9; 9 ≤ moderate risk (Yellow) < 14; 14 ≤ high risk (Red) 9 Top 28 Risk Areas R I S K AS S E S S M E N T R E S U LT S For Total Risk Score: low risk (Green) < 9; 9 ≤ moderate risk (Yellow) < 14; 14 ≤ high risk (Red) 10 FY25 Proposed Audits R I S K AS S E S S M E N T R E S U LT S Department Audit Area Administrative Services Purchasing Card Program Planning & Development Services Building & Permit Inspection Fees Community Services Junior Museum & Zoo Operation Community Services Equipment & Materials Inventory Management Fire & Police Public Safety Staffing & Overtime Citywide Follow-up on Corrective Actions Questions? 12 Follow-up Activities R I S K AS S E S S M E N T R E S U LT S Department Audit Area Public Works Construction Project Controls Administrative Services Asset Capitalization Information Technology IT Risk Management Utilities Power Purchase Agreement Administrative Services Economic Recovery Advisory Planning and Development Services Building Permitting Process Community Services Nonprofit Agreements Utilities Work Order Process Administrative Services Electronic Payment Process and Controls Human Resources Remote and Flexible Work Study 13 Follow-up Activities R I S K AS S E S S M E N T R E S U LT S Department Audit Area Information Technology Cybersecurity Public Works Wastewater Treatment Plant Agreement Transportation Contract Management – ALPR Technology Administrative Services Investment Management Information Technology Disaster Recovery Preparedness Administrative Services Procurement Process