Loading...
The URL can be used to link to this page
Your browser does not support the video tag.
Home
My WebLink
About
Staff Report 2507-5006
CITY OF PALO ALTO Policy & Services Committee Special Meeting Tuesday, August 12, 2025 6:00 PM Agenda Item 2.Office of the City Auditor Presentation of the Purchasing Card Audit Report Supplemental Report Added, Presentation 7 8 6 9 Policy & Services Committee Staff Report From: City Manager Report Type: ACTION ITEMS Lead Department: City Auditor Meeting Date: August 12, 2025 Report #:2507-5006 TITLE Office of the City Auditor Presentation of the Purchasing Card Audit Report RECOMMENDATION The Office of the City Auditor recommends the Policy & Services Committee accept the results of the Purchasing Card Audit Report. BACKGROUND Baker Tilly Advisory, in its capacity serving as the Office of the City Auditor (OCA), performed a citywide risk assessment that evaluated a wide range of risk areas, including strategic, financial, operational, compliance, technological, and reputational risks. The purpose of the assessment was to identify and prioritize risks to develop the annual audit plan. During the FY23 risk assessment, the OCA identified purchasing card processes as a potential area of risk and was originally included in the FY24 Audit Plan but was deferred to prioritize other audit projects. The audit was reintroduced and included as part the FY25 Audit Plan. ANALYSIS The objective of the Purchasing Card (P-Card) Audit was to: Determine whether P-Cards are used appropriately in compliance with the City’s policies and pertinent laws and regulations. Evaluate the administration of the P-Card Program for adequate internal controls to safeguard the City from fraud, waste, and abuse. The City’s P-Card Program is intended to streamline and simplify the Purchasing and Accounts Payable (AP) functions by eliminating steps for low dollar purchases below $10,000. The Program is administered by the Administrative Services Department (ASD), but P-cards are used by all City departments. The P-Card is a tool that can reduce transaction costs, facilitate timely acquisition of materials and supplies, automate data flow for accounting purposes and offer 7 8 6 9 flexible controls to help ensure proper usage. OCA assessed P-Card transactions from FY2023 through the first 6 months of FY2025, interviewed key program administrative staff and users, analyzed policies, procedures and internal controls governing the program, and assessed the overall efficiency and effectiveness of the program’s oversight functions, as well as, the program itself. Audit findings and recommendations focused on the following areas for improvement: While the City’s P-Card Program demonstrates strong internal controls and sampled purchases are in line with procurement policies, user compliance with program policies and procedures could be improved. Some P-Card Program oversight and administrative functions are not consistently completed and documented. Also, more efficient review processes could save staff time. OCA made an additional observation that the City may be able to increase operational efficiencies and save staff time by increasing P-Card spending limits which have not been updated since 2016. As this observation is outside of ASD’s direct control it is not a finding since it would most likely require amending the municipal code to increase the maximum threshold at which designated employees are authorized to make purchases to $15,000 from $10,0001. The attached report summarizes OCA’s analysis, audit findings, and recommendations. FISCAL/RESOURCE IMPACT The timeline and resource needs for implementation of management’s corrective action plans are identified by management within the attached report. STAKEHOLDER ENGAGEMENT The OCA worked with and would like to thank the Administrative Services Department for their assistance in conducting this audit. In particular, we would like to thank the Purchasing Card Program and Accounts Payable staff for their thorough review and collaboration on this audit. ENVIRONMENTAL REVIEW Council action on this item is not a project as defined by CEQA because contracting for auditing services is an organizational or administrative activity that will not result in direct or indirect physical changes in the environment. CEQA Guidelines section 15378(b)(5). ATTACHMENTS 1 Municipal Code Section 2.30.230 Designated Employee Purchases of $10,000 or Less https://codelibrary.amlegal.com/codes/paloalto/latest/paloalto_ca/0-0-0-61903 7 8 6 9 Attachment A: Purchasing Card Program Audit APPROVED BY: Kate Murdock, City Auditor 1 + July 29, 2025 City of Palo Alto Office of the City Auditor Purchasing Card Program Audit Baker Tilly Advisory Group, LP and Baker Tilly US, LLP, trading as Baker Tilly, operate under an alternative practice structure and are members of the global network of Baker Tilly International Ltd., the members of which are separate and independent legal entities. Baker Tilly US, LLP is a licensed CPA firm that provides assurance services to its clients. Baker Tilly Advisory Group, LP and its subsidiary entities provide tax and consulting services to their clients and are not licensed CPA firms. Contents Executive Summary ............................................................................................................................ 1 Purpose of the Audit ........................................................................................................................... 1 Report Highlights ................................................................................................................................ 1 Introduction ........................................................................................................................................ 4 Detailed Analysis ................................................................................................................................. 6 Audit Results ....................................................................................................................................... 9 Appendix A: ....................................................................................................................................... 22 1 Executive Summary Purpose of the Audit Baker Tilly Advisory Group, LP (Baker Tilly), in its capacity serving as the Office of the City Auditor (OCA) for the City of Palo Alto (the City), conducted a Purchasing Card (P-Card) Program Audit based on approved Task Order 4.29 as part of the City’s FY25 Audit Plan. The objective of this audit was to: • Determine whether P-Cards are used appropriately in compliance with the City’s policies and pertinent laws and regulations. • Evaluate the administration of the P-Card Program for adequate internal controls to safeguard the City from fraud, waste, and abuse. Report Highlights Finding 1: (Page 9) Overall, the City's P-Card program demonstrates strong internal controls and adherence to procurement policies, however, user compliance with policy requirements could be improved. The OCA confirmed that all P-Card expenses analyzed complied with the "General Guidance for Use" section of the P-Card Guidebook (Guidebook), ensuring purchases were not personal and directly supported City operations. However, OCA noted that some P-Card purchases were not documented as required by City policy and could not confirm timeliness of approver review in the system due to system reporting limitations. The OCA noted that while the City does have a Guidebook and training videos, the City does not have an established, ongoing training program for P-Card users. However, prior to 2020 and staffing reductions due to the COVID pandemic, staff stated that in-person trainings were held monthly. Administrative staff and department leaders agree that regular, recurring formal training is important and will help improve compliance with program requirements and are currently working to formalize training. Key Recommendations To further strengthen compliance with P-Card program guidelines, we recommend that management enhance cardholder and approver training on specific documentation requirements. We also recommend exploring system enhancements for approval timestamps by collaborating with the City’s P-Card system vendor, to explore adding timestamp functionality to the system for approver actions and automating system notifications of non-compliance to users. 2 EXECUTIVE SUMMARY Management should consider the merits of implementing clearly defined, tiered consequences for P-Card policy non-adherence vs. the cost of implementing such measures. Finding 2: (Page 14) Some P-Card Program oversight and administrative functions are not consistently completed and documented; more efficient review processes could save staff time. The OCA noted three areas for improvement in program oversight and administration: the post-audit process, tracking and documenting P-Card misuse, and documenting approved exceptions to P-Card spending limits. The OCA noted that the post-audit process is not always completed due to staffing shortages, and the process can be overly time-consuming. In addition, Accounts Payable's (AP) post-audit of P-Card transactions focuses on all software/hardware purchases and transactions over $1,000. Approximately 88% of transactions are not reviewed which may limit the effectiveness of the post-audit activity to identify areas of concern. A statistically significant sampling process, encompassing all transaction sizes, may provide a more accurate and complete picture of compliance while also taking less staff time. AP notifies relevant departments and P-Card administrators of discrepancies like missing documentation or policy violations, with common infractions including purchase splitting and unauthorized acquisitions. However, the current manual tracking system for P-Card misuse is inconsistent and incomplete, lacking specific dates, categorized infraction types, and documented resolutions, which hinders effective policy enforcement and the identification of misuse trends. Finally, the City's process for documenting P-Card spending limit increases, which relies on a "P-Card Credit Limit Request Form," lacks formal documentation for different types of exceptions to purchase limits and the OCA found some instances where evidence of approvals could not be located. Key Recommendations To strengthen the P-Card internal control environment and potentially realize cost savings through a more efficient post-audit process, we recommend that AP consider adopting a multi-faceted strategy centered on consistent operations and statistically valid sampling. This means shifting from the current review methods to a statistically random sampling methodology, with the precise sample size calculated monthly to ensure findings accurately represent all transactions. We recommend that the P-Card Administrator ensure all instances of misuse are formally and comprehensively tracked including the type of infraction, infraction date, and resulting resolution. We recommend formalizing and standardizing the P-Card limit exception process. The "P-Card Program Credit Limit Request Form" should be revised to include 3 EXECUTIVE SUMMARY fields for all types of card limit exceptions, ensuring consistent documentation of the rationale and approver concurrence. Additional Observation: (Page 18) As part of our assessment, we also looked at the overall objectives of the P-Card Program to assess its effectiveness and efficiency in aiding departmental staff to procure items. We identified potential cost savings the City could achieve by raising the P-Card transaction limits versus continuing to use purchase orders to procure items with certain dollar thresholds. The City's current procurement procedures, particularly for lower-value transactions exceeding the micro-purchase threshold, create significant administrative burdens and consume substantial staff time due to council approval and solicitation requirements. This inefficiency is exacerbated by an unchanged P-Card limit since 2016, despite inflation. Raising the P-Card limit, potentially aligning with the anticipated federal micro-purchase threshold increase to $15,000, could save thousands of staff hours currently spent processing purchase orders within the $10,000 to $15,000 range. Such a change could potentially streamline operations, reduce incentives for purchase splitting, and prevent delays in acquiring essential goods and services, reallocating resources to more strategic initiatives. 4 Introduction Objective Determine whether P-Cards are used appropriately in compliance with the City’s policies, pertinent laws, regulations and evaluate the administration of the P- Card Program for adequate internal controls to safeguard the City from fraud, waste, and abuse. Background The City’s P-Card Program is intended to streamline and simplify the Purchasing and AP functions by eliminating steps for low dollar purchases below $10,000. The P-Card is a tool that reduces transaction costs, facilitates timely acquisition of materials and supplies, automates data flow for accounting purposes and offers flexible controls to help ensure proper usage. Managed by a designated Agency Program Administrator in the Purchasing Department, the program provides designated employees with City-issued credit cards to facilitate timely and cost-effective purchases, reducing the administrative burden associated with traditional purchase orders. Each cardholder is assigned a monthly credit limit of $15,000 and is required to follow established purchasing policies and procedures, including documentation, reconciliation, and supervisory approval of transactions. The program aims to improve operational efficiency while maintaining strong internal controls to ensure responsible spending of public funds. The P-Card program is governed by the City’s Procurement Card Guidebook. This document outlines roles and responsibilities, allowable and restricted purchases, and monitoring requirements. Regular oversight and audits are key to ensuring the program’s integrity and alignment with the City’s financial and ethical standards. Scope The OCA obtained purchase card transactions from FY 2023 to FY 2024 and assessed P-Card transaction approvals and internal controls for managing the P-Card Program across all applicable departments. Methodology To achieve the audit objectives, the OCA performed the following procedures: • Interviewed the appropriate individuals to gain an understanding of the organizational structure, processes, and controls related to the P-Card Program. • Analyzed policies and procedures as well as legislative and regulatory requirements to identify criteria to evaluate control design and effectiveness. • Judgmentally selected a sample of P-Card users, transactions, and misuse log from FY2023, FY2024, and the first half of FY2025 to determine if P-Card use is in compliance with pertinent laws and regulations, City policies, and procedures, if the P-Card Program is 5 INTRODUCTION 1 Government auditing standards require an external peer review at least once every three (3) years. The last peer review of the Palo Alto Office of the City Auditor was conducted in 2017. The Palo Alto City Council approved a contract with Baker Tilly U.S, LLP for internal audit services for October 2020 through June 2022 with an extension through June 2025. City Council appointed Kate Murdock, Audit Manager in Baker Tilly’s Risk Advisory practice, as City Auditor in May 2024. As a result of transitions in the Audit Office and peer review delays due to the COVID pandemic, an external peer review is targeted for 2025. It should be noted that Baker Tilly’s most recent firmwide peer review was completed in November 2024 with a rating of “Pass”. The scope of that peer review includes projects completed under government auditing standards. effectively administered to users, and if P-Card activity is adequately audited and reviewed by the Administrative Services Department (ASD). • Completed audit report of findings, conclusions, and recommendations based on the supporting evidence gathered. Compliance Statement This audit activity was conducted from January 2025 to June 2025 in accordance with generally accepted government auditing standards, except for the requirement of an external peer review1. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings, observations, and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings, observations, and conclusions based on our audit objectives. Organizational Strengths During this audit activity, we observed a strong spirit of collaboration and a clear dedication to continuous improvement among the ASD leadership – particularly within the P-Card Program and AP teams. Their efforts reflect a shared commitment to providing the City with accurate, reliable information to support informed decision-making. The OCA appreciates the support of the ASD in conducting this audit activity. Thank you! 6 Detailed Analysis P-Card Program Management Criteria and City Code Procurement Card Guidebook The City’s Procurement Card Guidebook, version 15, updated November 2024, governs the Program and serves as a comprehensive resource for the City's P-Card users. The P-Card itself is a MasterCard issued by JPMorgan/Chase, designed to streamline purchasing and AP by eliminating steps and reducing transaction costs for purchases $10,000 and under. The program operates under guiding principles of transparency, accountability, integrity, consistency, efficiency, and manageability, and is intended to complement existing procurement processes rather than bypass them. The Guidebook outlines processes for using P-Cards, details permissible and prohibited purchases, and specifies the record-keeping and reconciliation requirements for each billing cycle. It emphasizes that cardholders are committing City funds and are responsible for all charges made to their card, with misuse potentially leading to disciplinary action. The Guidebook also defines the responsibilities of various participants in the P-Card Program, including Cardholders, Account Group Managers, Approvers/Level Managers, AP staff, the Agency Program Administrator (APA), and the system vendor. It details card limits, such as a $10,000 maximum for a single purchase, no more than 10 daily transactions, and a $15,000 maximum in a 30-day cycle, which can be temporarily increased via departmental request and approval from the APA. Palo Alto Municipal Code The current P-Card purchasing authority and maximum for single purchases is based on established purchasing limits detailed in Palo Alto’s Municipal Code. “Chapter 2.30 Contracts and Purchasing Procedures” of the Palo Alto Municipal Code states the following: 2.30.230 Designated employee purchases of $10,000.00 or less. Employees authorized, in writing, by their department heads may award and sign contracts for the purchase of goods and the procurement of general services, where the contract price does not exceed $10,000.00 and the contract term does not exceed one year. All purchases and procurements shall be made in accordance with the contracting procedures and requirements contained in this chapter and in the purchasing manual. The written authorizations of department heads shall be kept on file by the Procurement Officer. 2.30.240 Designated employees’ use of petty cash, P-card or other credit card. Employees designated in writing by their department heads, including by completed P-card authorization request form, may make purchases by using petty cash or make payments by using a city P-card or other credit card. All purchases shall be made in accordance with the contracting procedures and requirements contained in this chapter and in the purchasing manual. The written authorizations of department heads shall be kept on file by the Procurement Officer. 7 Program Environment The OCA conducted a comprehensive analysis of P-Card transaction data spanning from July 1, 2022, to December 31, 2024, alongside cardholder data from July 1, 2023, to January 29, 2025. Our analysis identified a total of 42 unique departmental divisions participating in the P-Card Program. The transaction amount totaled $9,033,155.92 in FY2023, $9,515,758.87 in FY2024, and $ 4,604,414.13 in the first half of FY2025 revealing a total transaction amount of $23,153,328.92 across 44,705 purchase line items. Over the two-and-a-half-year period the OCA examined, the departments with the highest P-Card usage in terms of transaction amount were PWD Public Services – FAC, which led with $3,927,234.77, followed by PWD Env. Services - WQCP ($2,201,246.41) and IT ($1,636,975.63). Table 1: Top 10 Departments by Transaction Amount Department Total Amount PWD Public Services - FAC $3,927,234.77 PWD Env. Services - WQCP $2,201,246.41 IT $1,636,975.63 CSD Open Space, Parks, & Golf $1,323,946.17 Utilities Electric Operations $1,295,651.97 Police Department $1,190,825.79 Utilities WGW $1,134,320.06 PWD Public Services $1,061,659.67 Fire Administration $979,260.20 CSD JMZ & Interpretive $797,260.14 Note: Dataset 07/01/2022 - 12/31/24 Regarding the number of transactions, PWD Public Services - FAC was the most active with 5,659 purchase line items, with Utilities WGW closely behind at 5,022. CSD JMZ & Interpretive (3,350 line items), Police Department (2,764 purchase line items), and CSD Recreation (2,299 line items) also demonstrated high transaction volumes. Table 2: Top 10 Departments by Number of Transactions Department Number of Purchase Line Items PWD Public Services - FAC 5,658 Utilities WGW 5,022 CSD JMZ & Interpretive 3,350 Police Department 2,764 CSD Recreation 2,299 PWD Env. Services - WQCP 2,275 Utilities Electric Operations 1,969 CSD Open Space, Parks, & Golf 1,898 CSD Children's & Community Theatre 1592 IT 1559 Note: Dataset 07/01/2022 - 12/31/24 8 The OCA’s analysis of cardholders’ data revealed there were 254 current active cardholders across 42 unique departmental divisions as of the end of January 2025. The Police Department had the most cardholders (34), followed by Fire Administration (20) and PWD Env. Services - WQCP (16). Table 3: Top 10 Departments by Current Active Cardholders Department Number of Active Cardholders Police Department 34 Fire Administration 20 PWD Env. Services - WQCP 16 PWD Public Services - FAC 15 CSD Open Space, Parks, & Golf 12 CSD JMZ & Interpretive 10 CSD Recreation 10 PWD Env. Services - WP 10 Utilities Electric Operations 10 Utilities WGW 10 Note: Data as of 1/29/25 Currently, AP conducts comprehensive post-audits of P-Card transactions to ensure adherence to established P-Card guidelines, focusing on those valued at $1,000 or more. To better understand the coverage of post-audit review, the OCA performed a distribution analysis across all transactions in the scope period. After removing all $0.00 and negative dollar amount transactions from the data set which represented returns or voided transactions, the purchase line item population for the distribution analysis went from 44,705 line items to 43,588. The distribution analysis shows that 77.66% (33,852 line items) were less than $500.00 and 9.92% (4,325 line items) were between $500.00 and $999.99, indicating that most transactions from the scope period would not be subject to comprehensive post-audits. Table 4: Purchase Line Item Distribution by Dollar Amount Distribution Subgroup Number of Purchase Line Items Percentage of Purchase Line Items $0-499.99 33,851 77.66% $500-999.99 4,325 9.92% $1,000-4,999.99 4,520 10.37% $5,000-9,999.99 881 2.02% $10,000+ 10 0.02% Note: Dataset 07/01/2022 - 12/31/24 9 Audit Results Finding 1: Overall, the City's P-Card Program demonstrates strong internal controls and adherence to procurement policies, however, user compliance with policy requirements could be improved. The City’s P-Card program, utilizing a MasterCard credit card issued by JPMorgan/Chase, serves as a streamlined procurement and payment tool. The purpose of the program is to reduce transaction costs, facilitate the timely acquisition of materials and supplies, and automate data flow for enhanced accounting efficiency, all while providing flexible controls to ensure proper usage. Designed as an alternative to traditional methods such as petty cash, check requests, and low-dollar purchase orders, the P-Card Program is intended to complement, not bypass, established procurement and payment procedures. Program requirements include adherence to spending limits and policy guidelines, diligent record-keeping and reconciliation, thorough review and approval, and consistent program administration and oversight. There are several key roles involved in the P-Card process: • Cardholder • Approver • AP • Agency Program Administrator (APA) • JPMorgan/Chase The City has a Procurement Card Guidebook that establishes the purpose, policies, procedures, and responsibilities for cardholders and approvers. This policy requires that: • Cardholders upload receipts to SmartData daily and/or weekly. • Cardholders assign their purchases, on a daily or weekly basis, to the correct cost centers/GL accounts, • Approvers review and authorize cardholder purchases, ensuring compliance and correct accounting by the 5th of every month. The OCA tested a sample of 39 transactions made between July 7, 2022, and December 31, 2024, for adherence to the City’s Guidebook. The OCA selected a representative sample of transactions. Cardholder purchases consistently align with the Guidebook, demonstrating that expenditures are directly supportive of City operations and are not personal in nature. The OCA examined expense descriptions and receipts to ensure purchases were not personal in nature and directly support City operations, in compliance with allowable card uses cited in the "General Guidance for Use" section of the Guidebook, and there were 10 2 City of Palo Alto, Procurement Card Guidebook: Travel upgrades and business travel meals are not allowed. The card cannot be used for certain event-related food (e.g., retirement parties, holiday events), alcoholic beverages, or consultant meals. Prohibited items also extend to bottled drinking water, pesticides (with limited exceptions), foam foodware, and specific antibacterial soaps. Furthermore, using the P-Card for purchases with existing City contracts, gift cards for employees, safety shoes for certain staff, or Amazon Prime memberships is not permitted. Small appliances for employee-only spaces are generally restricted without an Assistant City Manager's approval. IT software and hardware purchases are allowed but require approval before purchase. no exceptions. This section explicitly prohibits personal purchases, cash advances, and unauthorized travel/entertainment expenses. Specific restrictions include the purchase of safety products (i.e. glasses, hard-hats, earplugs, insect repellent), personal items, fuel for personal vehicles, and payments to the City itself.2 It is important to note that the ultimate determination of whether purchases are authorized, appropriate, and correctly allocated rests with cardholders and designated approvers, and department leadership. Some P-Card purchases were not documented as required by City policy. Based on our P-Card transaction testing, we found strong internal controls and compliance with P-Card policies with respect to documenting purchases. For all transactions tested, the OCA noted that receipts were uploaded documenting transactions and GL cost centers were assigned for each purchase. However, some required documentation was missing. Out of 39 transactions reviewed, 35 were fully compliant, demonstrating that most purchases were properly documented, assigned to general ledger cost centers, and reviewed by designated approvers. This reflects positively on the overall management of the P-Card Program. However, there were three transactions (10%) that did not have the Guidebook-specified documentation required. The Guidebook states food purchases must have a separate sheet of paper uploaded, along with the receipt, which specifies the business purpose of the meal and a list of participants. OCA found two instances where a separate sheet of paper detailing the business purpose and list of participants was not provided, however, most of this information was provided in the vendor p-card system. The Guidebook states when making IT software or hardware purchases, an email must be sent to the City’s Help Desk stating the specific request to purchase the IT related item. If IT Management approves (via email) the purchase, the P-card user is required to attach a copy of the approving email along with the purchase receipt when submitting supporting documentation for 11 processing. OCA found two instances of IT purchases that where the email documenting IT Management approval was not provided. However, AP staff noted that approvals documented in the JP Morgan Chase were performed by IT Management. The City may want to revisit the Guidebook and determine if the existing requirements are still relevant or if less labor-intensive documentation is sufficient, such as leaving comments in JP Morgan Chase as opposed to submitting separate paperwork. These exceptions, while few, pose a risk of non-compliance with policies and make it difficult for reviewers to timely confirm purchases. Such policies are in place to prevent any potential fraud, waste and abuse, which was not found. These exceptions also highlight the need for continued training to ensure users understand the importance of documentation and adherence to policy. All tested P-Card transactions showed system-generated evidence of approver review, however, the timeliness of review could not be verified. Per the Guidebook, in addition to reviewing a cardholder’s transactions, ensuring the cardholder has uploaded sales receipts and any supporting documentation for each purchase, and that each transaction has a cost center account assignment, approvers must also ensure all cardholder transactions are approved in the system by the 5th of the month. For all transactions tested, the OCA noted that every transaction had system-generated evidence of review by an approver confirming required review. However, the system does not provide timestamps, making it impossible to verify whether approvals occurred within the required timeframe. Program administration staff stated that they have to routinely send reminders to p-card approvers when approvals have not been submitted timely. This, in turn, creates process delays with monthly review responsibilities potentially resulting in lost time and may limit staff time for other Accounts Payable activities. The City does not have an established, ongoing training program for P-Card Program users. The Guidebook states that the APA is responsible for facilitating training for the P-Card Program. When a department submits an application for a new cardholder, the potential cardholder is required to complete mandatory training. Once training is completed, the cardholder can self-register for a system login. As part of the new account process, the City also requires each user to sign the P-Card Cardholder User Agreement via the system. 12 Program administration stated that while users are provided with the Guidebook and have to sign a user agreement via the vendor system website in order to initiate use of their card, they frequently have to explain the program parameters to users suggesting that actual review of the Guidebook may be limited. While the City has training materials and user agreements in place, evidence that activities were completed could not be provided by the APA or the system vendor. The Guidebook also notes that training may be required because of improper or flagrant violation of P-Card authorized use, loss of receipts, or failure to complete monthly transaction processing by designated deadlines. This mandatory refresher course would involve both the cardholder and the approving official. However, program administrators indicated this training does not typically happen. While all program stakeholders, including cardholders, approvers, and AP, can access a step-by-step guide and training video on the Purchasing Resource Library to assist with uploading receipts, cost center coding, reviewing, and approving P-Card transactions, it is not clear how often this resource is accessed. Administrative staff stated the need for regular, recurring training to eliminate confusion and to reduce time spent responding to individual inquiries. P-Card Program leaders of departments with high P-Card utilization corroborated this need, expressing a desire to develop a formal, recurring training program. In addition, our analysis of AP’s monthly reconciliation process and the APA’s P-Card misuse tracker showed instances of non-compliance with the P-Card policy. According to the APA, apart from the initial training provided when a card is issued, some ad hoc departmental training, and the recently created training videos, there is no structured training program for P-Card users. The APA stated that this lack of training has led to frequent policy-related questions and potential misuse of cards. The primary source of guidance for program stakeholders is the lengthy Guidebook, which administrators said does not appear to be read thoroughly. A lack of adequate P-Card training may result in incomplete receipt uploading, incorrect cost center coding, and hinder the effective review and approval of transactions. This can lead to operational inefficiencies, increased errors, and heightened financial and compliance risks for the City. Departmental personnel also reported concerns regarding recurring instances of inadequate purchase review, budget overruns, and the use of P-Cards as a matter of convenience rather than adhering to established procurement channels. While staff expressed a desire for a regular, formalized P-Card training program to mitigate these issues, staff also said that since there are no consequences for violating the policy, there is little to deter repeat offences. This absence of corrective measures could impact effective policy enforcement and compliance. 13 The APA did note that in the past, some limited training sessions have been conducted for new employees, but a more comprehensive approach is needed. There are plans to develop computer-based training modules to educate employees on P-Card policies and procedures. Additionally, annual refresher courses are planned to ensure ongoing compliance and to keep users updated on any policy changes. These planned initiatives aim to improve user understanding and reduce instances of misuse, which are currently a concern due to the lack of formal repercussions for policy violations. Recommendation Strengthen Compliance: To further strengthen compliance with P-Card program guidelines, we recommend that management enhance cardholder and approver training on specific documentation requirements which may include providing targeted training and quick reference guides or checklists. In addition, management may want to consider a form(s) for documenting purchases such as food, fuel reimbursement, and IT purchases to simplify documentation procedures for users and approvers. However, management will need to determine if this will create efficiencies and enhance compliance or add unneeded steps. We also recommend exploring system enhancements for approval timestamps by collaborating with City’s P-Card system vendor, to explore adding timestamp functionality to the system for approver actions and automating system notifications of non-compliance to users. Finally, management should consider the merits of implementing clearly defined consequences for non-adherence against the time and resources necessary to do so. Such a system could range from written warnings and remedial training for minor first offenses to temporary suspension of cardholder or approval privileges for repeat issues, and potentially permanent expulsion from the P-Card Program. If the City were to adopt a system of disciplinary action for non-adherence, management would need to formalize this tiered policy in the Guidebook, communicate it clearly to all approvers, apply consequences consistently, and document all violations in collaboration with Human Resources. Training: We recommend that the City continue working to establish and implement a formal, structured, and ongoing P-Card training program for all stakeholders, including cardholders, approvers, and AP personnel. This program should continue to mandate initial training for all new P- Card applicants, requiring completion of the JP Morgan-administered training as outlined in the Guidebook, and ensure that all completed training is documented and tracked. A comprehensive curriculum should be developed, expanding beyond current guides to explicitly cover appropriate use, prohibited purchases, spending limits, limit 14 increase procedures, consequences for misuse, and detailed documentation. Finally, regular, periodic refresher training for all active P-Card users and approving officials should be required to ensure ongoing compliance and policy awareness. Management Response Responsible Department(s): Administrative Services Department Concurrence: Agree Target Date: November 2025 Action Plan: ASD will resume in person and hybrid training while continuing to pursue technology-based training solutions such as automated classes, videos, and tests. This will include disseminating reference guides and checklists. The in-person training will focus on allowable transactions, non- permissible transactions, approval process, required supporting documents for transactions, and due dates. The training will be required for all new P-Card holders and approvers. Technology solutions will be explored for refresher trainings. ASD will evaluate adding a form for documenting purchases such as food, fuel reimbursement, and IT purchases. This evaluation will determine if the form creates efficiencies or adds unneeded steps. If the former, then a form will be added to the process. Adding timestamp information will be explored with the P-Card system vendor along with notifications to users for non- compliance. ASD will implement a system of consequences for non-compliance. Such a system might include an escalation of consequences after a certain number of infractions. The ultimate consequence would be removing P-Cards from users. This will include mandatory training for repeat infractions. Additional resources will be provided to those with infractions to ensure their understanding of the rules. Finding 2: Some P-Card Program oversight and administrative functions are not consistently completed and documented; more efficient review AP and the APA are tasked with the oversight and administration of the P-Card Program. AP staff is responsible for ensuring that cardholder activity is documented, supported, and authorized, and verifying that cardholders and approvers adhere to program policies. To maintain compliance with P-Card policies and procedures, AP staff conducts post-audits and actively monitors P-Card activity. The APA holds comprehensive authority and responsibility for the P-Card Program's operation, including closely monitoring it and acting as the primary liaison between the City and JPMorgan/Chase. The APA is also responsible for managing procurement card 15 processes could save staff time. administration, including card activation, issuance, assisting in developing citywide policies and procedures, overseeing program activity, and maintaining and tracking credit limits for cardholders’ authorized limits. We found that AP's mandated monthly post-audits may be hampered by staffing shortages and high transaction volume, which undermines the effectiveness of these reviews. Additionally, current methods for tracking and documenting P-Card misuse are inconsistent, hindering management's ability to identify patterns and enforce policy effectively. Furthermore, our analysis revealed a lack of adequate documentation for approved exceptions to P-Card spending limits. This indicates a need for more formal and transparent procedures in this area. Overall, these findings highlight opportunities to enhance the P-Card Program's controls and administrative efficiency. The post audit process is not always completed due to staffing shortages and is overly time-consuming. More efficient review processes could save staff time. AP is responsible for conducting comprehensive post-audits of P-Card transactions to ensure adherence to established P-Card guidelines. Their current review protocol mandates a monthly examination of all P-Card transactions valued at $1,000 or more, as well as all software and hardware acquisitions. Additionally, AP performs ad-hoc spot checks on transactions that may indicate potential cost-splitting or appear unusual. Through interviews with AP and ASD leadership, the OCA learned that timely review is often a challenge for staff due to staffing capacity and the volume of transactions eligible for review. The OCA selected three months from the scope period and requested the post audit reviews conducted to assess the process. AP was able to provide evidence for 2 of the 3 selected months, stating that review for the third month was not completed due to staffing shortages. This indicates that while the post-audit review process is established, it is not always completed which may compromise the purpose of the review. The OCA also performed a deeper analysis of the most recent month within the scope period, December 2024. During that post audit review, AP reviewed 203 of the 1,310 purchase line items made. This represented approximately 15% of the total number of purchases made that month and 73% of the total dollar amount. Of the 203 transactions, 164 (approximately 12% of the total number) exceeded the $1,000 threshold for required review. The post audit review documentation indicated that of 61 transactions, approximately 30 reviewed required additional follow-up with cardholders, approvers, or department leadership. Of those 61, 10 transactions were identified as cost-splitting violations. While this represents less than 1% of the total transactions for the time period, it still represents a policy violation. 16 According to AP staff, post audit can take anywhere from 3 minutes to an hour per transaction, depending on the level of review needed. This highlights the labor-intensive nature of the process. This time commitment, especially when coupled with staffing shortages, directly contributes to the inability to achieve comprehensive review coverage directly impacts control effectiveness and efficiency. Further, the high follow-up rate, combined with the limited review coverage, could mean there are issues present within the unreviewed 88% of transactions and a new approach to post audit review may be needed. It is often assumed that only large-value transactions present a significant risk of misuse or error. However, this assumption may be misleading. In practice, individuals may be more inclined to commit smaller, seemingly insignificant infractions, under the perception that such transactions are less likely to be selected for review and therefore less likely to be detected. This is another instance where staff could incorporate the use of Excel data analytics tools to identify spending trends over time that may require further investigation. For instance, PivotTables and COUNTIF functions can be effectively utilized to quantify transaction volumes per employee or per vendor. A high frequency of small-value transactions by a single employee, or a notable volume of transactions consistently falling just below the $1,000 review threshold, could indicate a need for more in-depth scrutiny. (See Appendix A) A statistically significant sampling, encompassing all transaction sizes, may provide a more accurate and complete picture of compliance. While formal internal guidance for transaction sampling may not be established, our analysis suggests that a comprehensive approach to sampling would involve examining all transactions, rather than a select subset. This would promote a more complete and robust review. For example, if AP were to conduct a random sample and applied a 95% confidence level with a +/- 10% margin of error rate to the 1,310 purchase line item population, this confidence level would require a testing sample of 90. In addition, there are other data analytic procedures AP may be able to administer to identify trends and issues such as split transactions. There is potential for use of these analytics to further save staff time and increase the rigor or AP’s review. (See Appendix A) The current process for tracking and documenting P-Card misuse is inadequate and lacks comprehensive and consistent record-keeping. Upon identifying discrepancies such as missing documentation or policy violations, AP initiates communication with the relevant department and formally notifies Purchasing and the AP Administrator, who are responsible for overseeing instances of P-Card misuse. Common infractions include purchase splitting and the acquisition of unauthorized appliances. The current tracking process for these issues is manual, relying on a log. 17 The OCA assessed the P-Card Misuse tracker to identify recurring themes and evaluate the resolution process. Our analysis revealed that instances of misuse are not consistently or comprehensively documented. While the tracker dates back to 2022, the tracking system frequently lacks specific dates for when misuse occurred and does not categorize the types of infractions, such as cost splitting or unauthorized purchases. Additionally, the types of program misuse (e.g., cost splitting, professional services, safety equipment) are not categorized, hindering clear tracking of infraction types. Furthermore, the outcomes of investigations and their resolutions are not formally documented within the tracker. The existing P-Card misuse tracking process has several significant limitations. Since all instances of misuse are not formally and completely documented, management could be left with an incomplete understanding of policy violations. Without the outcomes of investigations and their resolutions being consistently recorded, it may hinder management’s ability to identify common themes in P-Card misuse, effectively analyze the resolution process, and pinpoint trends related to specific departments or staff. This may in turn undermine effective policy enforcement and the deterrence of repeat offenses. There is a lack of adequate documentation to evidence approved exceptions to P-Card spending limitations. Currently, the City utilizes the “P-Card Credit Limit Request Form” to document the request, review, and approval of card spending limitation increases. In order to gain an understanding of processes for approved exceptions to card spending limitations, the OCA examined three transactions that exceeded the $10,000 card limit. The sample documentation provided for these transactions did not include evidence of a completed request form or an email from the cardholder’s approver to the P-Card administrator documenting the approver’s concurrence with the exception rationale and/or justification, as required by the Guidebook. The APA provided support for one of these transactions showing that an exception to exceed the single purchase limit was granted, however the approval lacked formal documentation. No documentation was readily available for the other two selected transactions. It should also be noted that while the "P-Card Program Credit Limit Request Form" includes a comments section that could detail other types of card limit exceptions (single purchase transaction limits, number of daily transactions limits, daily spending limits), the language of the form only explicitly documents the request and approval of exceptions to the monthly spending limit of $15,000. 18 Recommendation Post Audit: To strengthen the P-Card internal control environment, enhance compliance assurance, and mitigate associated risks, we recommend that AP should implement a multi-faceted approach focusing on operational consistency and statistically valid sampling. AP should transition from the current review approach and volume to a statistically random sampling methodology, implementing a sampling strategy designed to achieve a desired confidence level, thereby providing a high degree of assurance that the sample findings are representative of the entire population. The precise sample size should be dynamically calculated each month based on the actual transaction volume. Misuse Tracking: The OCA recommends that the P-Card Administrator ensure all instances of misuse are formally and comprehensively tracked including a categorization of infraction types, infraction dates, and the resolution of each instance of misuse. By maintaining a complete misuse tracker, the P-Card Administrator will be better equipped to identify repeat offenders and allow make informed decisions regarding appropriate repercussions, such as mandatory training or, if warranted, the suspension or revocation of P- Card user access. In cases where repeat offenses are observed within a specific department, management should consider implementing department-wide training to reinforce awareness of City policies and procedures. Oversight of Card Limit Exceptions: We recommend formalizing and standardizing the P-Card limit exception process. The existing "P-Card Program Credit Limit Request Form" should be revised to explicitly include fields for requesting and documenting approval for all types of card limit exceptions, not just monthly spending limits. The revised form, or an equally formal documented process, should be consistently used for all exceptions, clearly stating the rationale and evidence of the approver’s agreement. The APA and other relevant stakeholders must consistently follow this formalized process to document and retain all limit exception approvals. Management Response Responsible Department(s): Concurrence: Agree Target Date: November 2025 Action Plan: Post Audit AP will implement a new, multi-faceted review criteria to capture a more statistically random sampling of P-card transactions. Misuse Tracking ASD will add to the current misuse tracker to include infraction types, infraction dates, and resolution. This information will be used to focus additional training where repeat offenses are identified. 19 Oversight of Card Limit Exceptions ASD will standardize the P-Card limit exception process with a revised form that includes fields for requesting and documenting. The form will include a section for the rationale for the increase. It should be noted that P-Card exception increases are currently very limited and only 10 out of 254 cards are in place currently. These exceptions have been documented on the existing form. The existing form will be evaluated for use as a single form with all exceptions or possibly a separate form for single limit exceptions approvals will be created based on what incorporates best into workflow. Additional Observation: The City may be able to increase operational efficiencies and save staff time by increasing P-Card spending limits The City's current procurement procedures impose a significant administrative burden, especially for lower-value transactions exceeding the micro-purchase threshold. Requirements for council approval and solicitation for each purchase order consume considerable staff time, driving up processing costs and diverting resources from more strategic procurement initiatives. This highlights an opportunity to streamline these processes. By optimizing procedures for these transactions, the City can achieve substantial efficiency gains and reallocate valuable staff resources to essential responsibilities. According to ASD management, the current procedure for obtaining approvals and completing solicitations for each purchase order (PO) requires, on average, approximately 10 hours of staff time. This represents a significant investment of staff and managements’ time. The City’s P-Card limit has not been increased since 2016. Since that time, inflation has continued to increase the costs of goods. If the City were to raise the purchasing limit, there could be substantial time saved in preparing POs. The OCA performed an analysis of recent fiscal years and found that in FY2023, the City processed 59 POs ranging from $10,000 to $12,000. At an estimated 10 hours per PO of staff time, raising the threshold to $12,000 and reducing the number of POs by 59 would save an estimated 590 hours of staff time. An additional 41 POs between $12,000 and $15,000 were processed which if eliminated could save an estimated 410 hours. FY 2024 projections showed 70 POs in the $10,000 to $12,000 range, equating to 700 hours, and 60 POs in the $12,000 to $15,000 range, totaling 600 hours. The increase in the number of POs at these dollar thresholds year over year is also an indicator that more goods that used to be procured through a simple P-Card transaction may be shifting to the PO process due to inflation. 20 These figures highlight a recurring and considerable investment of time in the procurement process for these specific PO value ranges. By reviewing and potentially streamlining the approval and solicitation procedures for these categories of purchases, the City could realize substantial cumulative time savings, allowing staff to reallocate their efforts to other critical municipal functions. Concurrently, a prevalent issue associated with lower limits is the incentive for cardholders to split legitimate purchases into multiple, smaller transactions to circumvent established single transaction limits. This behavior undermines internal controls and complicates effective monitoring and reconciliation. Furthermore, essential goods and services exceeding the lower limits may experience procurement delays as employees await approvals through more formal channels, potentially impacting mission-critical activities or operational responsiveness. The OCA reviewed a proposed amendment to the Federal Acquisition Regulation (FAR) concerning the inflation adjustment of acquisition-related thresholds. This amendment indicates that the micro-purchase threshold, as defined in FAR 2.101, is projected to increase from $10,000 to $15,000. Given the anticipated increase of the federal micro-purchase limit to $15,000 in October 2025, the City should also evaluate its current P-Card purchase limit and consider adjusting it to align with this inflationary change. Consideration: With consideration given to the official increase of the federal micro-purchase limit to $15,000 in October 2025, the City should consider increasing the single purchase card limit from $10,000 to $15,000 and the monthly purchase power from $15,000 to $20,000. Increasing these card limits may enable the City to realize significant time savings. Based on historical data, this change could save the City approximately 1,000 to 12,000 staff hours on average per fiscal year when processing transactions within the $10,000-$15,000 range. Further, increased card limits may also potentially discourage cost splitting and reduce administrative processing. 21 Appendices 22 Appendix A: Basic Excel Analytics for P-Card Transaction Review The following basic analytics can be performed in Excel by the AP team to enhance oversight of P-Card transactions. These techniques rely on standard Excel functions and features such as Pivot Tables, Conditional Formatting, and built-in formulas: • Transaction Volume and Spend by Cardholder Use Pivot Tables to group transactions by cardholder and calculate the total number of transactions and total spend. This helps identify high-use individuals and potential misuse. • Vendor Spend Analysis Group transactions by vendor using a Pivot Table to determine total spend per vendor. This can help evaluate vendor concentration and opportunities for negotiated pricing or consolidated purchasing. • Weekend and Holiday Transactions Use the WEEKDAY() function to identify transactions occurring on weekends. Flag transactions that fall on known holidays for further review. • Duplicate Transactions Check Use COUNTIFS() or Conditional Formatting to flag potential duplicates based on identical transaction dates, amounts, vendors, and cardholders. • Split Purchases Sort by cardholder, vendor, and date to identify multiple transactions that may have been used to circumvent single-transaction thresholds. • Threshold Breach Detection Apply Conditional Formatting to highlight transactions exceeding predefined dollar thresholds (e.g., $2,500), which may require additional documentation or approval. • Inactive or Terminated Cardholder Usage Use VLOOKUP() or XLOOKUP() to compare cardholder names against a current employee roster and identify activity associated with terminated employees. • High-Risk Keyword Search Use the SEARCH() function to flag keywords in the transaction description that may indicate unallowable purchases (e.g., “gift card,” “alcohol,” “Amazon,” “electronics,” etc.). • Self-Approval Detection Compare cardholder and approver names using an IF() statement to detect instances where cardholders may be approving their own transactions. • Trend Analysis Over Time Use Pivot Tables and line charts to analyze monthly or quarterly spend trends. This can help detect unusual spikes or seasonal patterns in card usage. Baker Tilly Advisory Group, LP and Baker Tilly US, LLP, trading as Baker Tilly, are members of the global network of Baker Tilly International Ltd., the members of which are separate and independent legal entities. Baker Tilly US, LLP is a licensed CPA firm that provides assurance services to its clients. Baker Tilly Advisory Group, LP and its subsidiary entities provide tax and consulting services to their clients and are not licensed CPA firms. City of Palo AltoOffice of the City Auditor (OCA) Policy & Services Committee Meeting Purchasing Card Program Audit , August 12, 2025 Presenter: Nick Martinez, Senior Auditor, Manager, Baker Tilly 2 Audit Objectives •Determine whether P-Cards are used appropriately in compliance with the City’s policies and pertinent laws and regulations. •Evaluate the administration of the P-Card Program for adequate internal controls to safeguard the City from fraud, waste, and abuse. 3 Background City’s P-Card Program: Provides designated employees with City-issued credit cards to make purchases of $10,000 and under Allows cardholders a monthly credit limit of $15,000 Aims to simplify the purchasing process and reduce administrative costs Governed by the City’s Procurement Card Guidebook, which details roles, regulations, and procedures for documenting, reconciling and approving purchases 4 Finding 1: Policy Adherence & Training Finding Overall, the City's P-Card program demonstrates strong internal controls and adherence to procurement policies, however, user compliance with policy requirements could be improved. All P-Card purchases followed the program’s guidelines, ensuring they were for official city use and not personal. Some purchases lacked proper documentation, and due to system limitations, timeliness of approval could not be verified. The City currently lacks a formal, ongoing training for P-Card users, but staff are currently working to establish a new program. 5 Finding 1: Policy Adherence & Training Recommendation We recommend the City: •Enhance cardholder and approver training on specific documentation requirements. •Explore system enhancements for approval timestamps by collaborating with the City’s P- Card system vendor. •Explore adding timestamp functionality to the system for approver actions and automating non-compliance system notifications to users. •Consider the merits of implementing clearly defined consequences for non-adherence against the time and resources necessary to do so. •Continue working to establish and implement formal, ongoing P-Card training program. 6 Finding 2: Oversight and Administrative Gaps Finding Some P-Card Program oversight and administrative functions are not consistently completed and documented; more efficient review processes could save staff time. Post-audit process is not always completed due to staffing shortages and the process can be overly time-consuming. The manual system for tracking P-Card misuse is inconsistent and incomplete, making it difficult to enforce the policy and identify trends. The City's process for increasing P-Card limits lacks formal documentation for exceptions, and some approvals were missing. 7 Finding 2: Oversight and Administrative Gaps Recommendation We recommend the City: •Implement a new post-audit process using a statistically valid random sampling methodology to ensure efficient and accurate review of transactions. •Consistently and comprehensively track all instances of misuse, including the date, type of infraction, and resolution. •Formalize and standardize the P-Card limit exception process by revising the "P-Card Credit Limit Request Form" to include fields for documenting the rationale and approval for all types of exceptions. 8 Additional Observations Finding The City may be able to increase operational efficiencies and save staff time by increasing p-card spending limits Limits have not been increased since 2016 and the federal micro-purchase threshold is anticipated to increase to $15,000 in October 2025 Staff estimate each purchase order requires approximately 10 hours of staff time to process from start to finish OCA analysis estimates raising the p-card limit could have diverted approximately 94 purchase orders to p-cards in FY24 saving 940 staff hours Raising the p-card limit to $15,000 could save hundreds of staff hours, streamline operations, and prevent delays Questions? Baker Tilly Advisory Group, LP and Baker Tilly US, LLP, trading as Baker Tilly, operate under an alternative practice structure and are members of the global network of Baker Tilly International Ltd., the members of which are separate and independent legal entities. Baker Tilly US, LLP is a licensed CPA firm that provides assurance services to its clients. Baker Tilly Advisory Group, LP and its subsidiary entities provide tax and consulting services to their clients and are not licensed CPA firms. The name Baker Tilly and its associated logo is used under license from Baker Tilly International limited. The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought. © 2024 Baker Tilly Advisory Group, LP