The URL can be used to link to this page

Home My WebLink AboutStaff Report 13891 City of Palo Alto (ID # 13891) City Council Staff Report Meeting Date: 2/7/2022 Report Type: Consent Calendar City of Palo Alto Page 1 Title: Policy and Services Committee Recommends Approval of the Office of the City Auditor's Task Order to Perform a Wire Payment Process and Controls Review From: City Manager Lead Department: City Auditor Recommendation The Policy and Services Committee recommends that the City Council approve the Office of the City Auditor’s Wire Payment Process and Controls Audit Activity Task Order. Discussion In accordance with Baker Tilly's agreement with the City, the Office of the City Auditor is required to conduct audit activities each year. The forthcoming audit plan, to be presented to Policy & Services Committee in February of 2022, will include a recommended audit activity, Wire Payment Process and Controls Review project. Given the importance of the topic, and that the City has been subject to multiple attempts to misdirect wire payments, the City Auditor recommends that the City begin the work at an earlier date. Preliminary audit objectives include: • Determine whether adequate controls are in place and working effectively to ensure that all disbursements are valid and properly processed in compliance with City’s policies and procedures • Determine whether end user security awareness training is sufficient to prevent erroneous payments The Policy & Services Committee unanimously approved the task order at the December 14, 2021 meeting (ID # 13838). Timeline, Resource Impact, Policy Implications (If Applicable) The budget for each Task Order noted above aligns to the previously approved budget for the Office of the City Auditor, the agreement with Baker Tilly, and will be included in City of Palo Alto Page 2 the Audit Plan for 2022, scheduled for review in February 2022. Thus, there is no additional resource impact associated with this item. Stakeholder Engagement The Office of the City Auditor will coordinate with the Administrative Services Department, as well as with the Office of the City Attorney and the Office of the City Manager. Environmental Review Environmental review is not applicable to this activity. Attachments: • Task Order 4.12 - Wire Payment Process and Controls Audit Activity PROFESSIONAL SERVICES TASK ORDER TASK ORDER FY22-004.12 Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below. CONTRACT NO. OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE) 1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): 1B. TASK O RDER NO.: FY22-004.12 2. CONSULTANT NAME: Baker Tilly US, LLP 3. PERIOD OF PERFORMANCE: START: January 10, 2022 COMPLETION: June 30, 2022 4 TOTAL TASK ORDER PRICE: $54,550 BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT: Remaining in Task 4 FY22: 5. BUDGET CODE_______________ COST CENTER________________ COST ELEMENT______________ WBS/CIP__________ PHASE__________ 6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Lydia Kou, Chair of the City Council’s Policy and Services Committee 7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE:  SERVICES AND DELIVERABLES TO BE PROVIDED  SCHEDULE OF PERFORMANCE  MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable)  REIMBURSABLE EXPENSES, if any (with “not to exceed” amount) 8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A I hereby authorize the performance of the work described in this Task Order. APPROVED: CITY OF PALO ALTO BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant. APPROVED: COMPANY NAME: ______________________ BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ Attachment A DESCRIPTION OF SCOPE OF SERVICES Introduction Attachment A, the Description of Scope of Services, contains the following four (4) elements:  Services and Deliverables To Be Provided  Schedule of Performance  Maximum Compensation Amount and Rate Schedule (As Applicable)  Reimbursable Expenses, if any (With “Not To Exceed” Amount) Services & Deliverables Baker Tilly’s approach to conducting the Work Order Process Review involves three (3) primary steps:  Step 1: Audit Planning  Step 2: Process and Control Review  Step 3: Reporting Step 1 – Audit Planning This step consists of the tasks performed to adequately plan the work necessary to address the overall audit objective and to solidify mutual understanding of the audit scope, objectives, audit process, and timing between stakeholders and auditors. Tasks include:  Gather information to understand the environment under review o Understand the organizational structure and objectives o Review the City code, regulations, and other standards and expectations o Review prior audit results, as applicable o Review additional documentation and conduct interviews as necessary  Assess the audit risk  Write an audit planning memo and audit program o Refine audit objectives and scope o Identify the audit procedures to be performed and the evidence to be obtained and examined  Announce the initiation of the audit and conduct kick-off meeting with key stakeholders o Discuss audit objectives, scope, audit process, timing, resources, and expectations o Discuss documentation and interview requests for the audit Step 2 – Process and Control Review This step involves executing the procedures in the audit program to gather information, interview individuals, and analyze the data and information to obtain sufficient evidence to address the audit objectives. The preliminary audit objective is to: (1) Determine whether adequate controls are in place and working effectively to ensure that all disbursements are valid and properly processed in compliance with City’s policies and procedures; (2) Determine whether end user security awareness training is sufficient to prevent erroneous payments caused by phishing. Procedures include:  Interview the appropriate individuals to understand the identified instance of wire fraud  Interview the appropriate individuals to understand the process, the information system used, and manual and automated controls related to the disbursement process including vendor record creation and modification  Interview the appropriate individuals to understand the end user awareness training  Review policies and procedures as well as the regulations and standards to identify the criteria to be used for evaluation of control design and effectiveness  Test disbursement transactions and new and modified vendor records as well as related key internal controls on a sample basis  Compare the process and controls against the best practices Step 3 – Reporting In Step 3, the project team will perform tasks necessary to finalize audit working papers, prepare and review a draft report with the stakeholders, and submit a final audit report. Tasks include:  Develop findings, conclusions, and recommendations based on the supporting evidence gathered  Validate findings with the appropriate individuals and discuss the root cause of the identified findings  Complete supervisory review of working papers and a draft audit report  Distribute a draft audit report and conduct a closing meeting with key stakeholders o Discuss the audit results, finings, conclusions, and recommendations o Discuss management responses  Obtain written management responses and finalize a report  Review report with members of City Council and/or the appropriate Council Committee  Present the final report to the City Council and/or appropriate Council Committee Deliverables: The following deliverables will be prepared as part of this engagement:  Audit Report Schedule of Performance Anticipated Start Date: January 10, 2022 Anticipated End Date: June 30, 2022 Maximum Compensation Amount and Rate Schedule The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this Task is $54,550. The not-to-exceed budget is based on an estimate of 240 total project hours. Reimbursable Expenses We plan to complete all work remote including all interviews and documentation review. If at any point the City and Baker Tilly mutually determine it will be beneficial to perform a portion of the work on-site, we will submit an estimate of our reimbursable expenses for the City’s approval prior to traveling to Palo Alto.