HomeMy WebLinkAboutStaff Report 2306-159825.Approval of Office of City Auditor Task Order Change - FY23-01 Citywide Risk Assessment
& FY23-02 Annual Audit Plan; CEQA Status – Not a Project Late Packet Report
2
4
4
1
City Council
Staff Report
From: City Manager
Report Type: CONSENT CALENDAR
Lead Department: City Auditor
Meeting Date: June 19, 2023
Report #:2306-1598
TITLE
Approval of Office of City Auditor Task Order Change - FY23-01 Citywide Risk Assessment & FY23-
02 Annual Audit Plan; CEQA Status – Not a Project
RECOMMENDATION
The Policy and Services Committee and City Auditor recommend that the City Council approve
the change to the Task Orders FY23-01 Citywide Risk Assessment and FY23-02 Annual Audit Plan
to expend the period of performance.
ANALYSIS
The agreement between Baker Tilly and the City requires that each internal audit be commenced
only upon the City’s approval of a Task Order.
The Office of the City Auditor (OCA) presented Task Order FY23-01 – Citywide Risk Assessment
and Task Order FY23-02 – Annual Audit Plan and the task orders were recommended for approval
by the Policy & Services Committee on February 28, 2023 (CMR 2301-08271), and accepted by
the City Council during the City Council meeting on March 13, 2023.
These task orders with the period of performance from March 1, 2023, to June 30, 2023, have
not been signed since they were approved on March 13, 2023 (CMR 2302-10212). As a result,
OCA has not started FY 2023 Risk Assessment and Annual Audit Plan. The OCA requests the period
of performance to be extended to October 31, 2023. The total not-to-exceed budget remains the
same.
Baker Tilly presented the attached modified task order during the Policy & Service Committee
1 2/28/2023 Policy & Services Committee, Agenda Item #2, FY 2023 City Auditor Task Orders,
https://recordsportal.paloalto.gov/WebLink/DocView.aspx?id=52154&dbid=0&repo=PaloAlto
2 3/13/23 City Council, Agenda Item #AA1, FY 2023 City Auditor Task Orders,
https://recordsportal.paloalto.gov/WebLink/DocView.aspx?id=82302&dbid=0&repo=PaloAlto&cr=1
2
4
4
1
meeting on June 13, 2023 (CMR 2305-15273), where a motion to approve the task order change
was passed (3-0).
FISCAL/RESOURCE IMPACT
STAKEHOLDER ENGAGEMENT
ENVIRONMENTAL REVIEW
ATTACHMENTS
APPROVED BY:
3 6/13/23 Policy and Services Committee, FY23-010 Citywide Risk Assessment and FY23-02 Annual Audit Plan:
https://cityofpaloalto.primegov.com/Portal/viewer?id=2307&type=0
PROFESSIONAL SERVICES TASK ORDER
TASK ORDER FY23-01 Citywide Risk Assessment
Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the
Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this
Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical
and supporting personnel required by this Task Order as described below.
CONTRACT NO. C21179340
OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE)
1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): C21179340
1B. TASK O RDER NO.: FY23-01
2. CONSULTANT NAME: Baker Tilly US, LLP
3. PERIOD OF PERFORMANCE: START: March 1, 2023 COMPLETION: June 30 October 31, 2023
4 TOTAL TASK ORDER PRICE: $55,000
BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT: TBD
5. BUDGET CODE_______________
COST CENTER________________
COST ELEMENT______________
WBS/CIP__________
PHASE__________
6. CITY PROJECT MANAGER’S NAME & DEPARTMENT:
Greg Tanaka, Chair of the City Council’s Policy and Services Committee
7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A)
MUST INCLUDE:
SERVICES AND DELIVERABLES TO BE PROVIDED
SCHEDULE OF PERFORMANCE
MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable)
REIMBURSABLE EXPENSES, if any (with “not to exceed” amount)
8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A
I hereby authorize the performance of the
work described in this Task Order.
APPROVED:
CITY OF PALO ALTO
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________
this Task Order and warrant that I have
authority to sign on behalf of Consultant.
APPROVED:
COMPANY NAME: ______________________
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________
Attachment A
DESCRIPTION OF SCOPE OF SERVICES
Introduction
Attachment A, the Description of Scope of Services, contains the following four (4) elements:
• Services and Deliverables To Be Provided
• Schedule of Performance
• Maximum Compensation Amount and Rate Schedule (As Applicable)
• Reimbursable Expenses, if any (With “Not To Exceed” Amount)
Services & Deliverables
Baker Tilly’s approach to conducting the Citywide Risk Assessment involves four (4) primary
steps:
• Step 1: Project Planning & Management
• Step 2: Information Gathering
• Step 3: Analysis
• Step 4: Reporting
Step 1 – Project Planning & Management
This step includes those tasks necessary to solidify mutual understanding of the risk
assessment scope, objectives, deliverables, and timing as well as ensuring that appropriate
client and consultant resources are available and well-coordinated. Tasks include:
• Finalize project design – The first project activities will be to:
o Identify communication channels and reporting relationships and
responsibilities of project staff
o Review and confirm project timelines
o Review and confirm deliverables
• Arrange logistics/administrative support – Matters to be addressed include schedules
for interviews and data collection, contact persons in the departments, any other
logistical matters, etc.
• Conduct kick-off meeting with key project stakeholders
Step 2 – Information Gathering
This step involves gathering information, through various means, that will enable the project
team to understand the various risks facing the City. Tasks include:
• Request and review background information – the project team will develop an
information request(s) in order to obtain various background information from the
City. The request will include, but not be limited to:
o Strategic plan(s)
o Financial reports, including the most recent City Budget and Comprehensive
Annual Financial Report (CAFR)
o Operational policies and procedures
o Municipal code
o Consulting reports
o Other relevant information and reports
• Conduct interviews with City Council and management
o Risk assessment interviews, aimed at understanding City functions and
identifying risks, will be conducted with City Council members as well as
department and division
• Conduct a risk assessment survey, if necessary
• Conduct research into key risks in order to identify relevant information to assess
risks
Overall, the project team will consider the following risk types:
• Strategic
• Financial
• Operational
• Technology
• Compliance
• Reputational
• Political
Step 3 – Risk Analysis
In Step 3, the project team will develop a risk matrix consisting of auditable areas (also
referred to as an audit or risk universe). The risk matrix will include the following risk
categories:
• Environment, Strategy, and Governance – risks that have an organization wide impact
and are not subject to a specific department or function (e.g., ethics)
• Significant Projects and Initiatives – risks associated with large projects (e.g., capital
projects, technology implementation) or City initiatives (e.g., employee engagement
initiative).
• Function Specific Risks – risks associated with a specific department or function
(e.g., procurement policy compliance)
After assembling a risk matrix, the project team will assess the likelihood and impact of
potential adverse events in order to quantitatively score each auditable area for purposes of
prioritizing audit activities.
Step 4 – Reporting
In Step 4, the project team will finalize the draft Risk Matrix and prepare a draft Risk
Assessment Report. The project team will ask for input (general completeness, risk scoring)
on the Risk Matrix from key project stakeholders. Upon finalization of the Risk Matrix, the
project team will finalize the Risk Assessment Report.
Deliverables:
The following deliverables will be prepared as part of this engagement:
• Risk Matrix
• Risk Assessment Report
• Presentation of Results to City Council (note that this may be combined with
presentation of the Task 2 Annual Audit Plan)
Schedule of Performance
Anticipated Start Date: March 1, 2023
Anticipated End Date: June 30 October 31, 2023
Maximum Compensation Amount and Rate Schedule
The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this
Task is $55,000. The not-to-exceed budget is based on an estimate of 250 total project hours, of
which 40 are estimated to be completed by the City Auditor.
Reimbursable Expenses
We plan to complete all work remote including all interviews and documentation review. If at
any point the City and Baker Tilly mutually determine it will be beneficial to perform a portion
of the work on-site, we will submit an estimate of our reimbursable expenses for the City’s
approval prior to traveling to Palo Alto.
PROFESSIONAL SERVICES TASK ORDER
TASK ORDER FY23-02 Annual Audit Plan
Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the
Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this
Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical
and supporting personnel required by this Task Order as described below.
CONTRACT NO. C21179340
OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE)
1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): C21179340
1B. TASK O RDER NO.: FY23-01
2. CONSULTANT NAME: Baker Tilly US, LLP
3. PERIOD OF PERFORMANCE: START: March 1, 2023 COMPLETION: June 30 October 31, 2023
4 TOTAL TASK ORDER PRICE: $10,500
BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT: TBD
5. BUDGET CODE_______________
COST CENTER________________
COST ELEMENT______________
WBS/CIP__________
PHASE__________
6. CITY PROJECT MANAGER’S NAME & DEPARTMENT:
Greg Tanaka, Chair of the City Council’s Policy and Services Committee
7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A)
MUST INCLUDE:
SERVICES AND DELIVERABLES TO BE PROVIDED
SCHEDULE OF PERFORMANCE
MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable)
REIMBURSABLE EXPENSES, if any (with “not to exceed” amount)
8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A
I hereby authorize the performance of the
work described in this Task Order.
APPROVED:
CITY OF PALO ALTO
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________
this Task Order and warrant that I have
authority to sign on behalf of Consultant.
APPROVED:
COMPANY NAME: ______________________
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________
Attachment A
DESCRIPTION OF SCOPE OF SERVICES
Introduction
Attachment A, the Description of Scope of Services, contains the following four (4) elements:
• Services and Deliverables To Be Provided
• Schedule of Performance
• Maximum Compensation Amount and Rate Schedule (As Applicable)
• Reimbursable Expenses, if any (With “Not To Exceed” Amount)
Services & Deliverables
Baker Tilly’s approach to preparing the Annual Audit Plan involves two (2) primary steps:
• Step 1: Consultation with City Council and Management
• Step 2: Reporting
Step 1 – Consultation with City Council and Management
The Risk Matrix and Risk Assessment Report will serve as the primary drivers of the Annual
Audit Plan. The project team will initiate discussions over Risk Assessment results, potential
audit activities, and audit coverage with City Council and Management. The purpose of those
conversations will be to understand the priorities of City Council, and to develop a Draft
Annual Audit Plan:
The Draft Annual Audit Plan will identify the following components for each audit activity:
• Audit activity type – audit or consulting activity
• Audit objectives and scope
• Anticipated budget – both in terms of hours and budget
• Anticipated timeline
Step 2 – Reporting
The project team will present the Draft Annual Audit Plan to the City Council in order to
obtain input on each potential audit activity. Upon refining the plan, the project team will
finalize the Annual Audit Plan for presentation to City Council.
Deliverables
The following deliverable will be prepared as part of this engagement:
• Annual Audit Plan
Schedule of Performance
Anticipated Start Date: March 1, 2023
Anticipated End Date: June 30 October 31, 2023
Maximum Compensation Amount and Rate Schedule
The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this
Task is $10,500. The not-to-exceed budget is based on an estimate of 50 total project hours, of
which 10 are estimated to be completed by the City Auditor.
Reimbursable Expenses
We plan to complete all work remote including all interviews and documentation review. If at
any point the City and Baker Tilly mutually determine it will be beneficial to perform a portion
of the work on-site, we will submit an estimate of our reimbursable expenses for the City’s
approval prior to traveling to Palo Alto.