CITY OF PALO ALTO
CITY COUNCIL
Special Meeting
Monday, January 22, 2024
Council Chambers & Hybrid
5:30 PM
Agenda Item
9. Approval of Office of City Auditor Risk Assessment and Audit Plan (CEQA Status - Not a Project)
City Council
Staff Report
From: City Manager
Report Type: CONSENT CALENDAR
Lead Department: City Auditor
Meeting Date: January 22, 2024
Report #:2311-2304
TITLE
Approval of Office of City Auditor Risk Assessment and Audit Plan (CEQA Status - Not a Project)
RECOMMENDATION
The Policy and Services Committee and City Auditor recommend that City Council approve the
following reports:
1) Fiscal Year 2023/24 Risk Assessment Report
2) Fiscal Year 2023/24 Audit Plan Report
3) Task Orders identified in the Audit Plan Report
o TASK ORDER FY24-4.21 Purchasing Card Program
o TASK ORDER FY24-4.22 ADA Compliance Review
o TASK ORDER FY24-5 Various Reporting & City Hotline (Modified)
EXECUTIVE SUMMARY
Baker Tilly interviewed City Council members and executive leadership across 14 departments
within the City. In addition, selected directors and managers were asked to complete a survey
that provided their view of top risk areas to their departments and the City as a whole. Baker
Tilly analyzed the results of the survey and other data and information gathered.
The risk assessment involved scoring and ranking the 97 auditable units to identify the audit
areas with high to moderate risks. The FY2023/24 Audit Plan was prepared based on the results
of the risk assessment, conversations with leadership, and other matters.
BACKGROUND
The Palo Alto Municipal Code (Section 2.08.130)¹ requires the City Auditor to prepare and
submit an annual audit plan to the City Council for review and approval. In its capacity serving
as the City Auditor function, and in accordance with Baker Tilly’s agreement with the City²,
Baker Tilly performed a citywide risk assessment (Task 2 of the agreement). The purpose of the
assessment was to identify and prioritize risks in order to develop the annual audit plan (Task
1). During the risk assessment, Baker Tilly assessed a wide range of risk areas, including
strategic, financial, technology, human capital, operational, reputational, economic, and
compliance risk categories.
¹ https://codelibrary.amlegal.com/codes/paloalto/latest/paloalto_ca/0-0-0-60361
During the Policy and Services Committee meeting on December 12, 2023³, the council
members approved the attached Risk Assessment Report and Audit Plan Report.
MOTION: Chair Tanaka moved, seconded by Mayor Kou, to approve the Office of the City
Auditor Risk Assessment Report and FY2024 Audit Plan Report and recommend the City
Council accept the following reports:
1) Fiscal Year 2023/24 Risk Assessment Report
2) Fiscal Year 2023/24 Audit Plan Report
3) Task Orders identified in the Audit Plan Report
o TASK ORDER FY24-4.21 Purchasing Card Program
o TASK ORDER FY24-4.22 ADA Compliance Review
o TASK ORDER FY24-5 Various Reporting & City Hotline (Modified)
MOTION PASSED: 2-0
ANALYSIS
For Baker Tilly to execute the approved audit plan, the Task Orders will need to be signed by
the Policy & Services Committee Chair upon approval of the audit plan by City Council. Per the
contract with Baker Tilly, the P&S Chair is authorized to sign task orders that follow the
approved annual audit workplan.
Furthermore, one of the OCA’s responsibilities is to follow up on management’s corrective
actions. The follow-up activities require periodic inquiries with management on outstanding
corrective actions and verifying implementation of the corrective actions as well as testing of
the effectiveness of the implemented controls. As Task 5 of Baker Tilly’s agreement with the
City includes the OCA’s annual report on the status of recommendations made in completed
audits, the estimated costs for the follow-up activities on recommendations need to be
allocated to the Task 5 budget. Therefore, modified TASK ORDER FY24-5 Various Reporting &
City Hotline has been prepared to transfer the amount for the estimated costs of $30,592 for
the follow-up activities (as shown as a line item in the Proposed Audit Plan for FY2024) from
Task 4 to Task 5.
² https://www.cityofpaloalto.org/files/assets/public/v/1/agendas-minutes-reports/reports/city-manager-reports-cmrs/year-archive/2020-2/id-11624.pdf?t=64761.15
³ https://cityofpaloalto.primegov.com/Portal/Meeting?meetingTemplateId=12186
FISCAL/RESOURCE IMPACT
The timeline for the risk assessment and the audit plan is to complete within FY2024. The proposed
audits in the audit plan are within the contract amount for FY2024. Specifically, below is a
summary of the financial impacts of the task orders seeking approval, all estimated to be completed
by June 30, 2024:
•TASK ORDER FY24-4.21 Purchasing Card Program in the amount of $76,540
•TASK ORDER FY24-4.22 ADA Compliance Review in the amount of $73,110
•TASK ORDER FY24-5 Various Reporting & City Hotline (Modified) revised from $90,000 to a
not-to-exceed total of $120,592
STAKEHOLDER ENGAGEMENT
The Office of the City Auditor worked with Executive Leaders from 14 departments across the
City and engaged the City Council.
ENVIRONMENTAL REVIEW
Environmental review is not applicable to this activity.
ATTACHMENTS
Attachment A: OCA – FY2023/24 Risk Assessment Report
Attachment B: OCA – FY2023/24 Annual Audit Plan Report
APPROVED BY:
Adriane D. McCoy, City Auditor
December 12, 2023
City of Palo Alto
Office of the City Auditor
FY2023 Annual Risk Assessment
Contents
INTRODUCTION ............................................................................................................. 1
RISK ASSESSMENT APPROACH ................................................................................. 2
SURVEY RESULTS ........................................................................................................ 3
RISK ASSESSMENT RESULTS ..................................................................................... 5
APPENDICES ................................................................................................................. 9
Baker Tilly US, LLP, trading as Baker Tilly, is an independent member of Baker Tilly International. Baker Tilly International Limited is an English company. Baker
Tilly International provides no professional services to clients. Each member firm is a separate and independent legal entity, and each describes itself as such.
Baker Tilly US, LLP is not Baker Tilly International’s agent and does not have the authority to bind Baker Tilly International or act on Baker Tilly International’s
behalf. None of Baker Tilly International, Baker Tilly US, LLP nor any of the other member firms of Baker Tilly International has any liability for each other’s acts
or omissions. The name Baker Tilly and its associated logo is used under license from Baker Tilly International Limited.
Introduction
Overview
According to the City Ordinance of the City of Palo Alto (the City), the mission of the Office of the City Auditor (OCA)
is to promote honest, efficient, effective, economical, and fully accountable and transparent city government. To
fulfill this mission, the OCA conducts performance audits and performs financial/operational analyses of
city departments, programs, services, or activities as approved by the City Council (Section 2.08.130). In its
capacity serving as the City Auditor function, and in accordance with Baker Tilly’s agreement with the City (Task
#1 of the agreement), Baker Tilly US, LLP (Baker Tilly) conducted the fiscal year (FY) 2023 citywide risk
assessment in order to develop the FY2024 annual audit plan (Task #2).
The California Government Code Section 1236 requires all cities that conduct audit activities to conduct their
work under the general and specified standards prescribed by the Institute of Internal Auditors (IIA) or the
Government Auditing Standards (GAO) issued by the Comptroller General of the United States, as appropriate.
According to the IIA Standard 2010, the head of internal audit function “must establish a risk-based plan to
determine the priorities of the internal audit activity, consistent with the organization’s goals” and consider the
input of senior management and a governing board.
The purpose of the risk assessment is to develop an internal audit plan that assigns internal audit resources to
the activities that add the most value to the City. The risk assessment process involves identifying, measuring,
and prioritizing risks associated with the audit universe (list of specific departments, functions, processes,
programs, etc. that can be subject to an audit). Risk is defined as “the possibility of an event or condition
occurring that will have an impact on the ability of an organization to achieve its objectives.”¹
Our risk assessment involved collaboration with City Council and executive leadership from 14 main
departments across the organization. This report summarizes our risk assessment methodology, analysis, and
results. The FY2024 annual audit plan is based on the results of this risk assessment.
Through the risk assessment, we observed certain strengths of the City. Key strengths include:
• Commitment to public service
• High value on efficient and effective government
• Focus on long term strategy
• Dedicated and highly professional management and staff
• Demonstrated history of innovation and commitment to sustainability
Risk Assessment Process Considerations
The starting point of internal auditing is to conduct a risk assessment, which is the basis for determining the
internal audit activities. However, it is not a one-size-fits-all process. The scope and complexity of a risk
assessment are affected by various factors such as the maturity level of the internal audit function’s products
and services, the organization’s enterprise risk management efforts, coordination with other monitoring and risk
management functions, and the stakeholders’ expectations. As every organization is subject to a changing
environment, the results of the annual risk assessment represent the information considered at the time of the
assessment.
In addition to the annual macro-level risk assessment, the internal audit function is required to perform an
engagement-level risk assessment when starting each audit listed in the approved audit plan. The IIA Standard
2200 states, “Internal auditors must develop and document a plan for each engagement, including the
engagement’s objectives, scope, timing, and resource allocations. The plan must consider the organization’s
strategies, objectives, and risks relevant to the engagement.”
¹ Rick A. Wright Jr., CIA, “The Internal Auditor’s Guide to Risk Assessment,” The Institute of Internal Auditors Research Foundation (IIARF),
2018
Risk Assessment Approach
Baker Tilly’s risk assessment approach consisted of four phases as outlined below.
2023 RISK ASSESSMENT PHASES
Planning
• Prepared risk assessment survey questions and the online survey tool.
• Scheduled the interviews with City Council members and Executive Leadership Team (ELT) members.
Information Gathering
• Reviewed key documents such as the City Council Priorities and the progress report, the budget documents,
the annual comprehensive financial report, departmental strategic plans, employee turnover, the information on
the City’s website and other relevant documents.
• Distributed a link to the online survey to the selected 51 managers. The survey responses were downloaded
into an Excel spreadsheet.
• Interviewed all City Council Members and ELT members (25 individuals) to identify the events and conditions
that may affect the achievement of objectives.
• Updated the risk assessment matrix with the information gathered.
Analysis
• Analyzed the survey responses.
• Scored the auditable units (listed in Appendix A) in the risk assessment matrix based on the likelihood and
the impact² of potential adverse events.
o Each of the auditable units received scores for various risk factors related to the likelihood or impact
(defined in Appendix B).
o Risk factor scores were summed to create a single score for the auditable unit.
• Identified potential internal audit activities for the auditable units with high risk scores.
Reporting
• Summarized the approach and results of the risk assessment.
Baker Tilly conducted an initial comprehensive risk assessment in FY2021 by interviewing all Council Members
and Executive Leadership Team (ELT) members to create a risk assessment matrix. For the FY2022 risk
assessment, Baker Tilly surveyed all ELT members and some additional members of management and conducted
interviews with available Council Members as well as key ELT members representing areas of perceived high
risk (e.g., Information Technology, Human Resources). For the third-year risk assessment, all Council Members
and ELT members were interviewed, the selected 51 managers were surveyed, and the risk assessment matrix
was redeveloped to give a comprehensive picture of the risk landscape, which will be continuously improved.
Our risk assessment primarily measured inherent risk (the risk without mitigating controls/factors) for each risk
factor although we also considered specific risks based on the City’s processes, controls, and other factors we
learned through internal audit activities. Using the information gathered, we identified risks and determined the
likelihood and impact of the risks.
² Likelihood is the possibility that an event will occur. Impact is the extent to which an event might affect an organization.
Survey Results
The Baker Tilly team conducted an online risk assessment survey to gather management’s insights for all City
departments and received 47 responses (92% response rate). The survey questions are listed in Appendix C.
Changes over the past 12 months
All organizations are subject to changing environments that can influence risk to organizations. The COSO³
Internal Control – Integrated Framework⁴ highlights the influence of change in one of the 17 principles. Principle
9 states, “the organization identifies and assesses changes that could significantly impact the system of internal
control.” The survey participants were asked to select all significant changes for their team or department during
the last 12 months.
Policies and Procedures
Policies and procedures provide a roadmap for daily operations to ensure compliance with laws and regulations,
give guidance for decision-making, and establish the standards and internal controls.
The survey participants were also asked to select the current state of the policies and procedures necessary to
perform their job responsibilities.
³ The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is sponsored jointly by five major professional
associations headquartered in the United States: the American Accounting Association (AAA), the American Institute of Certified Public
Accountants (AICPA), Financial Executives International (FEI), the Institute of Internal Auditors (IIA), and the Institute of Management
Accountants (IMA). https://www.coso.org/
⁴ Internal Control – Integrated Framework provides principles-based guidance for designing and implementing effective internal controls.
This framework has become the most widely used internal control framework in the U.S. https://www.coso.org/guidance-on-ic
Changes for team or department # of Responses
New/additional staff 33
Unfilled positions 28
Change in workload 23
New software 19
Change in organizational structure 17
New workflows or business processes 13
New or significant changes in information technology systems 13
Change in compliance requirements (due to changes in policies/contracts/laws/regulations) 11
New vendors and contractors 11
Significant changes in processes or controls 7
Workforce reduction 7
Increased undesirable performance or instances (such as injuries/complaints/customer dissatisfaction/etc.) 6
Change in goals/objectives/performance measures 6
Change in culture 3
Other 4
Barriers to meeting goals and objectives in FY2024
The COSO Enterprise Risk Management—Integrating with Strategy and Performance⁵ provides insight into the
links between strategy, risk, and performance through 20 principles. Principle 10 states, “the organization
identifies risk that impacts the performance of strategy and business objectives.”
The survey participants were asked about their team/department’s periodic reporting on significant goals and
compliance requirements to monitor performance. The pie chart shows the results.
The survey participants were also asked what can possibly prevent their team/department from meeting its
goals and objectives in 2024. The results are summarized below.
Top risk areas selected by the survey participants
The survey participants were asked to select and rank the top five risk areas from the 31 risk areas listed in the
survey. Based on the number of selections and the rankings given, the top 15 risk areas were identified.
For the risks they selected:
• 59.6% of the participants think the City management is aware of the risk, but more efforts are needed to help
mitigate the risks.
• 34.0% of the participants think the City management is aware of the risks and has implemented activities to
help mitigate the risks.
• 6.4% of the participants think the City management is either not aware of the risks or has not developed
sufficient activities to help mitigate the risks.
⁵ Enterprise Risk Management—Integrating with Strategy and Performance addresses the need for organizations to improve their approach
to managing risk to meet the demands of an evolving business environment. https://www.coso.org/guidance-erm
Rank Risk Area
1 Citizen Demands
2 Succession Planning
3 Economy
4 Human Capital Management
5 Human Resources
6 Procurement/Sourcing
7 Security
8 Regulatory
9 Reputation
10 Resource Allocation
11 Efficiency
12 Document Retention
13 Leadership and Authority
14 Technologies
15 Strategic Change
Risk Assessment Results
Department Descriptions and Key Risk Areas
When identifying risk areas throughout the City, Baker Tilly considered each department and associated risks.
Based on the concerns described by interviewees and survey respondents, departments’ functions, and their
inherent risks, Baker Tilly identified the auditable risk areas for each department. Below is an overview of the
City’s departments and their key risk areas.
Administrative Services
The Administrative Services Department provides financial and
analytical support to the City. Departmental functions include
finance and accounting, purchasing, administration, budget, real
estate, and others.
Key Risk Areas
Purchasing card program
Vendor master file
Property management
Grant management
City Attorney’s Office
The City Attorney’s Office provides legal services to the City,
including providing legal advice and training to City leaders,
negotiating on behalf of the City, drafting contracts and other
legal documents, investigating claims, and defending the City in
litigation.
Key Risk Areas
Identification of legal risks
Contracts and legal documents
City Clerk’s Office
The City Clerk serves as a liaison between the public and City
Council. Office functions include Public Records Act requests,
public hearings, local elections, board and commission
recruitments, record management, and others.
Key Risk Areas
Election administration
Record management
Council meeting management
City Manager’s Office
The City Manager’s Office provides leadership to the City
departments and is responsible for facilitating City Council
legislative actions, managing special interdepartmental projects,
and more. The Communications Office is housed under the City
Manager’s Office and is the primary correspondent between the
City and the public.
Key Risk Areas
Citywide risk management
Economic development
Office of Transportation
The Office of Transportation works to enhance quality of life and
improve the safety of the users of all modes of transportation.
The Office is responsible for sustainable transportation systems,
manages parking, and oversees the City’s traffic and
transportation capital improvement projects.
Key Risk Areas
Intersection safety improvements
Federal Railroad Administration (FRA) Quiet Zone
Parking permit revenue
Community Services Department
The Community Services Department offers a variety of
services administered through the following three divisions and
the Office of Human Services: Arts and Sciences; Open Spaces,
Parks, and Golf; and Recreation.
Key Risk Areas
Human Services Resource Allocation Process (HSRAP)
Junior Museum and Zoo (JMZ) Operation
Contract management
Fire
The Fire Department oversees emergency response such as
ambulance transports and fire response/rescue, emergency
protection services such as fire prevention, and hazardous
materials planning. The department highlights safeguarding the
community and compassionate care.
Key Risk Areas
Emergency Preparedness (Foothills Fire Master Plan)
Safety and Wellness
Human Resources
The Human Resources Department is responsible for recruiting,
developing, and retaining a well-qualified and professional
workforce. The Department ensures compliance with relevant
labor laws, adheres to record keeping practices, and serves as a
strategic partner for executive decision making.
Key Risk Areas
Recruitment
Succession Planning
HR Strategy & Risk Management
Workplace Safety
Information Technology
The Information Technology Department provides innovative
technology solutions that support City departments. The
department oversees IT project management, operations,
enterprise systems, and security services.
Key Risk Areas
PCI/DSS Compliance
AMI Implementation
ERP Upgrade
Library
The Library Department operates five libraries throughout the
City, each offering unique resources. The Library provides
educational programming, multi-cultural events, and large and
diverse book, information and technology resources.
Key Risk Areas
Operations
Events and Programming
Office of Emergency Services
The Office of Emergency Services is designed to prevent,
prepare for, and recover from various hazards. The Office is
responsible for overseeing various risk management programs.
Key Risk Areas
Emergency preparedness (Foothills Fire Mitigation Program)
Planning and Development Services
The Planning Department supports the City in land use
development, planning, transportation, housing and
environmental policies, and plans and programs that “maintain
and enhance the City as a safe, vital, and attractive community”.
Key Risk Areas
Building Permit & Inspection
Zoning Ordinance
Code Enforcement
Long Range Planning
Police
Palo Alto’s Police Department oversees technical services such
as dispatch and record management, field services such as
patrol and emergency response, and animal control. The Police
Department also places a high value on community relations.
Key Risk Areas
Crime Reduction
Psychiatric Emergency Response Team (PERT) Program
Safety and Wellness
Training
Public Works
The Public Works Department is broken into four divisions:
Engineering, Airport, Public Services, and Environmental
Services. The Divisions are responsible for a variety of tasks
including design and implementation of capital projects,
maintenance of City-owned and leased structures, and
management of the solid waste programs.
Key Risk Areas
Wastewater treatment capital program
The Americans with Disabilities Act (ADA) compliance
Flood protection capital project
Airport Operations
Utilities
The Utilities Department owns and operates electric, gas, water,
wastewater and fiber optic services for the City. The City
purchases all of its power from external sources. The mission of
the Department is to “provide safe, reliable, environmentally
sustainable and cost effective services.”
Key Risk Areas
Power Purchase Agreements
Utility Billing
Rate Setting and Adjustment
Utility Asset Management
Overall Risk Scoring Distribution
Baker Tilly structured the audit universe based on the department/division/program from the budget document
and management’s feedback, which resulted in 96 auditable units (Appendix A). We scored them based on the
information gathered for each risk factor related to the likelihood, impact, or fraud. Appendix B lists the risk
factors, definitions, and scoring method. The maximum score for an auditable unit is 30. The following table
shows the distribution of overall risk scores across the auditable units (values recovered from the report’s chart):
Score | # of auditable units
≤ 5 | 7
5 - 10 | 26
10 - 15 | 43
15 - 20 | 16
> 20 | 4
Baker Tilly rated the auditable units as follows:
High Risk – Scores 14 and above
Moderate Risk – Scores more than 9 and less than 14
Low Risk – Scores below 9
Listed on the following page are the auditable units with a score over 13 (out of 30) based on our scoring. The list
includes 27 functions rated as high risk (with a score between 14 and 30) and 13 functions rated as moderate
risk (with a score between 13 and 14). In determining the audit activities to be performed in FY2024, we further
reviewed specific risks and functional areas and considered risk-based priorities as well as other factors such as
requirements by law or regulation, timing of activities, special projects, and requests from City Council and
management. The proposed audit plan will be included in a separate FY2024 Annual Audit Plan Report.
Department | Function | Risk Area | Total Risk Score
Planning and Development Services | Building | Building Permit & Inspection Process | 22.8
Public Works | Wastewater Treatment | Wastewater Treatment Capital Program | 22.4
Planning and Development Services | Development Services | Building Permit & Inspection Process | 20.5
Public Works | Structures and Grounds | ADA Compliance / Flood protection capital project | 20.0
Administrative Services | Purchasing | Purchasing Card Program / Vendor Master File | 18.6
Police | Field Services | Psychiatric Emergency Response Team (PERT) Program | 18.2
Utilities | Electric Administration | Power Purchase Agreement | 18.2
Community Services | Administration and Human Services | Human Services Resource Allocation Process (HSRAP) | 18.0
Community Services | Arts and Sciences | Junior Museum and Zoo (JMZ) Operation | 18.0
Community Services | Recreation and Cubberley | Contract Management | 18.0
Police | Technical Services | 911 Operations | 17.2
Community Services | Animal Shelter | Contract Management | 16.9
Fire | Emergency Response | Emergency Preparedness (Foothills Fire Master Plan) | 15.8
City Manager | Administration and City Management | Citywide Risk Management | 15.6
Fire | Administration | Safety and Wellness | 15.6
Planning and Development Services | Planning and Transportation | Code Enforcement | 15.4
Office of Transportation | Programs | Intersection safety improvements | 15.4
Utilities | Electric Engineering (Operating) | Utility Asset Management | 15.3
Public Works | Airport | Airport Operations | 15.1
Human Resources | Administration, Employee Org Development and HR Systems | HR Strategy / Succession Planning | 15.1
Police | Police Personnel Selection | Recruitment and retention | 14.9
Administrative Services | Treasury / Revenue Collection / Warehouse | Investment Management | 14.9
Administrative Services | Real Estate | Property Management | 14.7
Public Works | Engineering Services | Animal Shelter Renovation | 14.3
Community Services | Open Space, Parks and Golf | Emergency Preparedness (Foothills Fire Master Plan) | 14.1
Information Technology | Operations | PCI/DSS Compliance | 14.1
Administrative Services | Accounting | Grant Management | 14.0
Office of Emergency Services | Emergency Services | Emergency preparedness (Foothills Fire Mitigation Program) | 13.9
Utilities | Electric Customer Service | Utility Billing | 13.9
Information Technology | Project Services | AMI Implementation | 13.8
Library | Administration | Business Operations (Donations and grants; Inventory Management; Fines, Purchasing, etc.) | 13.8
Human Resources | Risk Mgmt., Safety, Workers' Compensation | HR Risk Management / Workplace Safety | 13.8
Police | Law Enforcement Services | Evidence | 13.8
Utilities | Water Customer Service | Utility Billing | 13.6
City Manager | Economic Development | Economic Development | 13.4
Human Resources | Recruitment | Recruitment Process | 13.3
Utilities | Electric Resource Management | Rate setting and adjustments | 13.2
Public Works | Administration | Safety and Wellness | 13.0
Utilities | Gas Customer Service | Utility Billing | 13.0
Utilities | Fiber Optics Customer Service | Utility Billing | 13.0
Appendices
Appendix A: Audit Universe
City Attorney’s Office
Administration
Consultation and Advisory
Litigation and Dispute Resolution
Official and Administration Duties
City Clerk’s Office
Administration
Administrative Citations
Council Support Services
Election/Conflict of Interest
Legislative Records Management
City Manager’s Office
Administration and City Management
Economic Development
Public Communication
Administrative Services Department
Accounting
Administration
Office of Management and Budget
Printing and Mailing
Purchasing
Real Estate
Treasury/Revenue Collection/Warehouse
Community Services Department
Administration and Human Services
Animal Shelter
Aquatics
Arts and Sciences
Open Space, Parks and Golf
Recreation and Cubberley
Fire Department
Administration
Emergency Response
Environmental Safety Management
Records and Information Management
Training and Personnel
Human Resources Department
Administration, Employee Org Development and HR Systems
Benefits and Compensation
Employee and Labor Relations
Recruitment
Risk Management, Safety, Workers’ Compensation
Information Technology Department
Enterprise Systems
Office of the CIO
Operations
Project Services
Library Department
Administration
Collection and Technical Services
Public Services
Office of Emergency Services
Emergency Services
Office of Transportation
Administration
Parking Districts
Programs
Special Revenue Funds
Planning and Development Services Department
Administration
Building
Development Services
Planning and Transportation
Special Districts
Police Department
Administration
Animal Control
Field Services
Investigations and Crime Prevention Services
Law Enforcement Services
Parking Services
Police Personnel Selection
Technical Services
Traffic Services
Department of Public Works
Administration
Airport
Engineering Services
Refuse
Storm Drainage
Streets
Structures and Grounds
Sustainability
Trees
Vehicle Replacement and Maintenance
Wastewater Treatment
Utilities Department
Electric Administration
Electric Customer Service
Electric Demand Side Management
Electric Engineering (Operating)
Electric Operations and Maintenance
Electric Resource Management
Fiber Optics Administration
Fiber Optics Customer Service
Fiber Optic Operations and Maintenance
Gas Administration
Gas Customer Service
Gas Demand Side Management
Gas Engineering (Operating)
Gas Operations and Maintenance
Gas Resource Management
Wastewater Collection Administration
Wastewater Collection Customer Service
Wastewater Collection Engineering (Operating)
Wastewater Collection Operations and Maintenance
Water Administration
Water Customer Service
Water Engineering (Operating)
Water Operations and Maintenance
Water Resource Management
Appendix B: Risk Factor Definition

Impact Factors (the effect on the organization)
HIGHEST TOTAL SCORE FOR IMPACT: 5

Magnitude (weight 30%)
A measure of materiality based on pervasiveness or volume of dollars or transactions. Scores are based on the budgeted expenditure amount.
Extreme - 5: $50M or more
Material - 4: $10M or more; less than $50M
Significant - 3: $3M or more; less than $10M
Moderate - 2: $1M or more; less than $3M

Customer / Resident Experience (weight 35%)
Negative experience by customers and residents, such as perceived or actual safety concerns and unsatisfactory services, impacts negatively on the reputation / credibility of the organization.
Extreme - 5: Direct impact on health and safety
Material - 4: Direct impact on transparency
Significant - 3: Direct impact on customer satisfaction/City's reputation
Moderate - 2: Indirect impact on customer satisfaction/City's reputation
Inconsequential - 1: Immaterial impact on reputation / credibility

Achievement of Organizational Goals (weight 35%)
The greater the effect that a department or process has on the organization meeting strategic objectives and goals, the greater the related risks.
Extreme - 5: Directly relates to the City Council Priorities
Material - 4: Supports the function/process directly related to the City Council Priorities
Significant - 3: Has performance/workload measures related to City Council Priorities
Moderate - 2: Somewhat relates to the City Council Priorities
Inconsequential - 1: Does not relate to the City Council Priorities

Impact factor weights total: 100%

Likelihood Factors (the probability of the risk occurring)
HIGHEST TOTAL SCORE FOR LIKELIHOOD: 5

Complexity (weight 25%)
A measure of the difficulty in performing a process or function. As a process or function becomes more complex, the greater the opportunity for errors.
5 - Very high complexity
4 - High complexity
3 - Medium complexity
2 - Low complexity
1 - Very low complexity

Policies and Procedures (weight 10%)
Policies and Procedures are a complete set of written instructions that guide personnel in the successful execution of their duties and the duties of the office for which they work. If the policies and procedures are adequate and up-to-date, the risk is lower.
5 - No or little written P&P
4 - Some written P&P
3 - Basic P&P requiring improvements
2 - Adequate but outdated P&P

Regulatory Compliance (weight 25%)
Measures the existence of, and potential noncompliance with, government regulations and other applicable laws, standards, and policies/procedures.
5 - Requirements to meet more than a few laws/regulations and professional standards specific to the division's responsibilities

Monitoring (weight 10%)
Consider the existence of monitoring activities, including the results of last audits by Internal Auditor, External Auditor, Regulators, etc. and other known deficiencies.
5 - Overall, there is no mechanism to monitor the status of performance goals/compliance requirements
3 - For only some of the significant performance goals/compliance requirements, there is a periodic reporting process to ensure performance goals/compliance requirements are met
1 - For all significant performance goals/compliance requirements, there is a periodic reporting process to ensure performance goals/compliance requirements are met

Specific Risks (weight 30%)
Consider the existence of specific risk events/conditions and their significance.
5 - Identified risk event(s)/condition(s) seem to significantly affect the likelihood
3 - Identified risk event(s)/condition(s) seem to have some impact on the likelihood
1 - No or very minor risk event(s)/condition(s) have been identified

Likelihood factor weights total: 100%

Other Risk Factor
HIGHEST TOTAL SCORE FOR OTHER: 5

Fraud Schemes (weight 100%)
Consider the susceptibility to fraud, which is the opportunity for employees/vendors/customers/fraudsters to misappropriate resources or defraud the organization.*
5 - High Risk
3 - Moderate Risk
1 - Low Risk

HIGHEST TOTAL SCORE: 30

* Considered fraud schemes listed in the Fraud Tree provided in the “Occupational Fraud 2022: A Report to the Nations” by the Association of Certified Fraud Examiners. Also considered are cyber fraud schemes.
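The weighting scheme in Appendix B, carried through as an added worked example that is not part of the report: each factor group is combined as a weighted average on the 1-5 scale, and the three group scores are then combined as impact × likelihood + fraud. That combination rule, the function names, and the sample unit scores are assumptions of this example; the rule is chosen because it reproduces the report's stated maximum of 30, but the report itself does not spell out how the groups are combined.

```python
"""Weighted risk scoring for auditable units, built from the factor weights
in Appendix B of the Risk Assessment Report.

Added example, not the report's own code. ASSUMPTION: the three group scores
combine as total = impact * likelihood + fraud. That reproduces the report's
"HIGHEST TOTAL SCORE 30" (5 * 5 + 5) but is not a formula the report states.
"""
from dataclasses import dataclass

# Factor weights from Appendix B, grouped as the report groups them.
IMPACT_WEIGHTS = {
    "magnitude": 0.30,
    "customer_resident_experience": 0.35,
    "achievement_of_organizational_goals": 0.35,
}
LIKELIHOOD_WEIGHTS = {
    "complexity": 0.25,
    "policies_and_procedures": 0.10,
    "regulatory_compliance": 0.25,
    "monitoring": 0.10,
    "specific_risks": 0.30,
}
OTHER_WEIGHTS = {"fraud_schemes": 1.00}

MAX_FACTOR_SCORE = 5


def _check_weights(weights):
    """Each group's weights must total 100%, as the report's table shows."""
    total = sum(weights.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"factor weights must total 100%, got {total:.0%}")


def weighted_group_score(scores, weights):
    """Weighted average of one factor group on the 1-5 scale.

    Every factor in the group must be scored. A missing factor is an error
    rather than a silent zero, because an unscored factor would quietly
    lower a unit's risk and push it out of the audit plan.
    """
    _check_weights(weights)
    missing = set(weights) - set(scores)
    extra = set(scores) - set(weights)
    if missing or extra:
        raise ValueError(
            f"missing factors {sorted(missing)}, unknown factors {sorted(extra)}")
    for name, value in scores.items():
        if not 1 <= value <= MAX_FACTOR_SCORE:
            raise ValueError(f"{name}: score {value} outside 1..{MAX_FACTOR_SCORE}")
    return round(sum(weights[name] * scores[name] for name in weights), 2)


@dataclass
class RiskScore:
    impact: float
    likelihood: float
    other: float
    total: float


def score_unit(impact, likelihood, other):
    """Score one auditable unit from its three factor-group score dicts.

    ASSUMPTION (not stated in the report): total = impact * likelihood + other.
    All factors at 5 gives 5 * 5 + 5 = 30, the report's highest total score.
    """
    imp = weighted_group_score(impact, IMPACT_WEIGHTS)
    like = weighted_group_score(likelihood, LIKELIHOOD_WEIGHTS)
    oth = weighted_group_score(other, OTHER_WEIGHTS)
    return RiskScore(imp, like, oth, round(imp * like + oth, 1))


def rank_units(units):
    """Return (name, RiskScore) pairs sorted highest risk first."""
    scored = [(name, score_unit(**factors)) for name, factors in units.items()]
    return sorted(scored, key=lambda pair: pair[1].total, reverse=True)


# Constructed sample inputs; these are NOT the report's actual factor scores.
SAMPLE_UNITS = {
    "Unit A (constructed)": {
        "impact": {"magnitude": 4, "customer_resident_experience": 3,
                   "achievement_of_organizational_goals": 5},
        "likelihood": {"complexity": 3, "policies_and_procedures": 2,
                       "regulatory_compliance": 5, "monitoring": 3,
                       "specific_risks": 3},
        "other": {"fraud_schemes": 3},
    },
    "Unit B (constructed)": {
        "impact": {"magnitude": 5, "customer_resident_experience": 5,
                   "achievement_of_organizational_goals": 5},
        "likelihood": {"complexity": 5, "policies_and_procedures": 5,
                       "regulatory_compliance": 5, "monitoring": 5,
                       "specific_risks": 5},
        "other": {"fraud_schemes": 5},
    },
}

if __name__ == "__main__":
    for name, rs in rank_units(SAMPLE_UNITS):
        print(f"{name}: impact {rs.impact}, likelihood {rs.likelihood}, "
              f"fraud {rs.other}, total {rs.total}")
```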
Appendix C: Survey Questions
The Office of City Auditor is conducting the 2023 Risk Assessment to identify and prioritize risks in order to
update the annual audit plan. As part of our 2023 Risk Assessment, we are conducting a survey. This survey is
used primarily to collect information related to changes in operations, emerging issues and risks the City faces,
and to gather your perspective on key risks faced by your department. Your candid responses would be greatly
appreciated to assess the risks that prevent the City of Palo Alto from achieving its mission, goals, and
objectives.
Questions 1-7 remain the same for both options.
1. Please provide your name, title, department, and email address:
Name
Title
Department
o City Council
o City Attorney
o City Manager’s Office – Other than Transportation
o City Manager’s Office – Transportation
o Administrative Services
o City Clerk’s Office
o Community Services
o Emergency Services
o Fire
o Human Resources
o Information Technology
o Library
o Planning
o Police
o Public Works
o Utilities
Email address
2. Describe any significant changes for your team or department during last 12 months. Select all that
apply.
New software
New workflows or business processes
Significant changes in processes or controls
New or significant changes in information technology systems
Change in organizational structure
Change in culture
Workforce reduction
Unfilled positions
New/additional staff
New vendors and contractors
Change in workload
Change in compliance requirements (due to changes in policies, contracts, laws, or regulations)
Change in goals, objectives, or performance measures
Increased undesirable performance or instances (such as injuries, complaints, customer dissatisfaction,
etc.)
Change in any risks previously identified for your team/department
Other (please specify)
3. Describe the complexity of the key processes in your team or department:
Complexity is a measure of the difficulty in performing a process or function. As a process or function
becomes more complex, the greater the opportunity for errors.
Very high complexity
High complexity
Medium complexity
Low complexity
Very low complexity
Please provide any comment related to complexity, if any.
4. Are there adequate and up-to-date documented policies and procedures to perform your job
responsibilities?
Yes, documented policies and procedures are adequate and up-to-date
Documented policies and procedures are adequate but not updated regularly
Documented policies and procedures need improvement
No – Please describe how the responsibilities and requirements are communicated in a clear and
consistent manner.
5. Please select the compliance requirements with applicable Federal/State/Local laws and regulations
and professional standards (e.g. CEQA, NERC, OSHA, EMT licensure/certification) for each of the
divisions/functions of your department listed below:
More than a few laws/regulations and/or professional standards specific to the division's responsibilities
need to be met
One or two laws/regulations and/or professional standards specific to the division's responsibilities need
to be met
No requirement to meet any laws/regulations or professional standards specific to the division's
responsibilities
6. Describe what can possibly prevent your team/department from meeting its goals and objectives in
2024. Select all that apply.
Financial constraints
Staffing constraints
Limited skills, knowledge, experience, training
Technology issue
Inefficiency in process and/or communication
Ambiguity in roles and responsibilities
Lack of, or ineffective, internal controls
Community pressure
State/Federal regulations
Other (please specify)
7. Describe the activities to monitor the achievement of the goals in your team or department:
Example – Periodic reporting, periodic meetings, spot checks by management, periodic audits by external
organizations such as consultants and the Federal government, etc.
For all significant performance goals/compliance requirements, there is a periodic reporting process to
ensure performance goals/compliance requirements are met
For only some of significant performance goals/compliance requirements, there is a periodic reporting
process to ensure performance goals/compliance requirements are met
Overall, there is no mechanism to monitor the status of performance goals/compliance requirements
Please provide comments related to monitoring the achievement of your department’s goals, if any.
To help us identify potential risks, please list your team/department’s Strengths, Weaknesses,
Opportunities, and Threats (SWOT) for achieving its missions, goals, and objectives. Typically,
strengths and weaknesses are internal aspects of team/department/organization, while opportunities
and threats are found externally.
8. Describe up to three STRENGTHS of your team or department:
Strengths refer to the resources or capabilities that help the team/department accomplish its mission and
serve the public. These can be things like competitive advantages, available resources, engaged
community, strong balance sheet, utilized technology and so on.
9. Describe up to three WEAKNESSES of your team or department:
Weaknesses refer to the areas where the team/department needs to improve to accomplish its mission.
These can include things like deficiencies in resources and capabilities, inefficient use of available
technologies, barriers or inability to collaborate among different departments, lack of effective
communication, mission or direction, high levels of debt, financial or human resources constraints and so
on.
10. Describe up to three OPPORTUNITIES for your team or department:
Opportunities are any area where the team/department can grow. They are often related to the
organization’s strengths. Outside factors that affect the organization in a favorable way can include things
like offering more products or services to citizens, lower costs through new technology and so on.
11. Describe up to three THREATS for your team or department:
Threats include the local or national economy, laws and regulations and any other external issue that can
harm or affect the team/department successfully meeting goals. Common threats include things like rising
costs for housing/living, increasing competition, tight labor supply, billing rates and so on.
12. Using the bulleted list within the risk framework below, please select what you consider to be the top
five enterprise risks to the City of Palo Alto.
Environmental (factors external to the organization)
• Reputation - The opinions and perceptions of the public and customers toward the organization.
• Regulatory - Laws and standards, which the organization must comply with in its operations.
• Citizen Demands - The effect that current citizens demands have on the decisions made by management for aligning tactical
plans with the business strategy and the allocation of resources.
• Economy - The effect that current external conditions have on the decisions made by management for aligning tactical plans
with the business strategy and the allocation of resources.
• Legal - The potential for an unforeseen event to cause civil or criminal litigation for the organization or its elected leaders,
directors, officers, and employees.
• Technologies - The evolution of technology both within and outside of the organization’s industry.
Strategy (planning and decision-making)
• Strategic Change - The ability of the organization to modify its processes in order to either align with its current strategy and
business model or to achieve a different strategic goal.
• Investments - The portfolio of both intangible and tangible investments held by the organization, and the implications of these
assets on the resources, financial viability, and operations of the organization. This includes the effect on liquidity, that is, the ability
of current assets to meet current liabilities when due.
• Planning and Budgeting - Details of the organization’s goals and the financial management necessary to achieving those
goals.
• Financial - The goals of the organization in terms of the structure of its assets and liabilities, including the financing capability
based on its credit worthiness, the ability to receive credit and the use of credit lines to achieve its business objectives.
• Inter-government Relations - The relationship of the organization with other government agencies that have regulatory and
oversight responsibilities and shared services or citizens.
• Compliance Management - The continuous monitoring of the organization’s ability to operate within regulatory requirements
and community standards.
• Resource Allocation – The process for assigning and managing assets that support the organization's strategic goals.
Organization (attributes of departments)
• Governance - The role, composition, and major activities of the governing body of the organization in providing direction and
oversight for the organization.
• Empowerment and Values - The ability of senior members of the organization to effectively delegate power or authority to
other members of the organization.
• Communication - The methods of communication commonly used in the organization and the effectiveness of this
communication on the operations of the organization.
• Ethics and Code of Conduct - The set of rules outlining the ethical practices expected of management and employees of the
organization.
• Leadership and Authority - The members of the organization who hold power and their ability to exercise this power
effectively.
• Organizational Structure - The configuration of units and workflows to align the behavior of the units to the higher-level goals
of the organization.
• Succession Planning - The planning and processes to ensure that there are highly qualified people in key leadership
positions today and in the future.
• Human Capital Management - The set of practices an organization uses for recruiting, managing, developing, and optimizing
employees, including performance management (The process of creating expectations for performance, monitoring progress,
and measuring the results) and training (The ability for employees to gain and develop necessary tools to ensure effective
operations).
• Safety - The organization strives to provide a safe working environment by effectively mitigating the risks to the safety of its
employees.
Process and Operations (functional effectiveness and policies and procedures)
• Contracts - Contracts are adequately structured to address and mitigate risks.
• Efficiency - Processes are up-to-date and efficient, resulting in efficient operations and output.
• Accounting - The timely and accurate tracking of the financial position of the organization.
• Payroll - The policies, processes, and systems in place to ensure that employee compensation is reliable, timely, and
accurate.
• Fraud - The organization uses internal controls to prevent and/or detect fraud.
• Procurement/Sourcing – The ability to acquire the necessary goods and services for operation and the process of vetting,
selecting and managing suppliers, vendors and contractors.
• Human Resources - The knowledge, skills and experiences, and resources among personnel, which allow for the execution
of the organization’s business plan and achievement of its critical success factors.
• Information Systems - The facilities, systems, and connectivity in place to support data processing.
• Vendor Management - The need for the organization to continuously monitor the quality and reliability of vendors it uses in
the course of its business.
• Change Management - Management adapts appropriately to the evolution of the processes and operations of the
organization.
Information (data governance)
• Data Integrity - Data used for making management decisions, recording information, and reporting financial activity is
accurate, complete, and reliable.
• Access - The right to view or manipulate data is carefully granted and monitored to prevent the mishandling of data.
• Retention - The policies used by the organization to determine document retention in terms of the form of documents, how
these documents are stored, and for how long these should be maintained.
• Availability - Relevant critical information is available when needed in order to maintain the organization’s critical operations
and processes, including when a disaster or unplanned disruption occurs.
• Privacy - Organization policies are in place to ensure the correct treatment of sensitive information held by the organization.
• Security – Any event that could result in the compromise of organizational data (i.e., unauthorized use, loss, damage,
disclosure or modification of organizational data).
13. Please use the click and drag feature to rank the five enterprise risks that you selected into a priority
order, with #1 being the highest.
14. Please describe why you selected them as the top five risks.
15. How well does the City of Palo Alto manage activities to mitigate these risks?
Well – the City management is aware of the risk and has implemented activities to help mitigate this risk
Somewhat well – the City management is aware of this risk, but more effort/activities are needed to help
mitigate this risk
Not well – the City management is either not aware of this risk or hasn’t developed sufficient activities to
help mitigate this risk
16. Are there any other risks that could affect operations that were not included in the risk framework?
17. Please list any potential internal audit activities you recommend based on the risks you identified.
The projects can be consultative/advisory in nature, or provide assurance:
Internal Audit – an objective examination of evidence for the purpose of providing an independent
assessment on governance, risk management, and control processes for the organization.
Advisory and related client service activities, the nature and scope of which are intended to add value
and improve an organization’s governance, risk management, and control processes without the
internal auditor assuming management responsibility.
December 12, 2023
City of Palo Alto
Office of the City Auditor
FY2024 Annual Audit Plan
Contents
Baker Tilly US, LLP, trading as Baker Tilly, is an independent member of Baker Tilly International. Baker Tilly International Limited is an English company. Baker
Tilly International provides no professional services to clients. Each member firm is a separate and independent legal entity, and each describes itself as such.
Baker Tilly US, LLP is not Baker Tilly International’s agent and does not have the authority to bind Baker Tilly International or act on Baker Tilly International’s
behalf. None of Baker Tilly International, Baker Tilly US, LLP nor any of the other member firms of Baker Tilly International has any liability for each other’s acts
or omissions. The name Baker Tilly and its associated logo is used under license from Baker Tilly International Limited.
INTRODUCTION ............................................................................................................. 1
RISK ASSESSMENT RESULTS ..................................................................................... 3
PROPOSED AUDIT PROJECTS FOR FY2024 .............................................................. 4
APPENDICES ................................................................................................................. 6
Introduction
The purpose of the audit activities performed by the Office of the City Auditor (OCA) for the City of Palo Alto (the
City) is “to ensure that city management is using its financial, physical, and informational resources effectively,
efficiently, economically, ethically, and equitably, and in compliance with laws, regulations, contract and grant
requirements, and city policies and procedures”, according to the Palo Alto Municipal Code (Section 2.08.130).
It requires the City Auditor prepare an annual audit plan for the City Council’s approval at the beginning of each
fiscal year.
In accordance with Task #1 and Task #2 of the Baker Tilly agreement (City of Palo Alto Contract No.
C21179340), Baker Tilly US, LLP (Baker Tilly) performed the initial risk assessment after having started to serve
as the OCA in October 2020 and submitted in early 2021 the FY21-FY22 annual audit plan. For the second
year, the OCA updated the initial risk assessment and submitted the FY22-FY23 audit plan. This report includes
the proposed FY23-FY24 audit plan.
Task #4 of the agreement requires execution of the approved annual audit plans and preparation of a task
order for each project listed in the plan. The OCA will seek approval of contract task orders iteratively during
FY24 in order to remain agile and accommodate changes to the plan as time passes.
Conformance with Local Ordinances and Standards
Section 2.08.130 of the Palo Alto Municipal Code defines that the mission of the OCA is to promote honest,
efficient, effective, economical, and fully accountable and transparent city government. Audits are to be
conducted and nonaudit services provided in accordance with Government Auditing Standards, as established
by the Comptroller General of the United States, Government Accountability Office.
The following duties of the City Auditor exist regarding the plan and scope of internal audits.
Palo Alto City Charter
Article IV Sec. 12 requires the City Auditor to perform the following:
– Conduct audits in accordance with a schedule approved by the City Council, and may conduct
unscheduled audits from time to time.
– Conduct internal audits of all the fiscal transactions of the City.
Title 2 Administrative Code
Section 2.08.130 requires the City Auditor to perform the following:
– Prepare an annual audit plan for city council approval.
– Identify the preliminary objectives of each audit to be performed, reflecting the purpose of the
engagement and a preliminary description of the areas that may be addressed.
– Conduct performance audits and perform nonaudit services of any city department, program, service,
or activity as approved by the city council.
California Government Code
Section 1236 requires all cities that conduct audit activities to conduct their work under the general and
specified standards prescribed by the Institute of Internal Auditors (IIA) or the Government Auditing
Standards (GAO) issued by the Comptroller General of the United States, as appropriate.
Audit Activity Type
The OCA will conduct performance audits and perform financial/operational analyses of any City department,
program, service, or activity as approved by the City Council in accordance with the Baker Tilly agreement.
Performance Audits
According to the Government Auditing Standards (GAO-18-568G, Sections 1.21 and 1.22, pages 10-12),
performance audits provide objective analysis, findings, and conclusions to assist management and those
charged with governance and oversight with, among other things, improving program performance and
operations, reducing costs, facilitating decision making by parties responsible for overseeing or initiating
corrective action, and contributing to public accountability. Performance audits may include the following four
(4) audit objectives:
– Program effectiveness and results
– Internal control design and effectiveness
– Compliance with laws, regulations, and policies
– Prospective analysis
Audit Planning Considerations
While maintaining its independence and objectivity in accordance with standards, the City Auditor considers a
variety of matters when developing the Annual Audit Plan, including but not limited to:
– Risk assessment – the OCA performed a risk assessment and summarized the results in a separate
report (Task #2). Generally speaking, audit activities target higher-risk areas. The results are shown on
the following page.
– Ability to add value – audit seeks to add value through independent and objective analysis.
– City Council – the City Auditor reports to the City Council and seeks input on audit priorities.
– Coverage and Prior Audits – the City Auditor considers prior audits conducted by the OCA, the financial
audit, and other audit and consulting reports recently issued.
– “Ripeness” and On-Going Initiatives – certain risk areas may be addressed through operational
activities, which could mean they are not ripe for audit to add value.
– Scheduling – the City Auditor takes into consideration the timing of an audit and other on-going
initiatives that directly relate. Putting an undue burden on City staff may exacerbate the risk at hand or
other interrelated risks.
Risk Assessment Results
The OCA performed a citywide risk assessment to plan for FY2024 audit activities and documented the
methodology and the detailed results in a separate Risk Assessment Report. In summary, we identified the
following areas rated as High or Moderate risks. In determining the audit activities to be performed in FY2024,
we further reviewed these risks and functional areas and considered the matters listed in the previous page.
Department | Function | Risk Area | Total Risk Score
Planning and Development Services | Building | Building Permit & Inspection Process | 22.8
Public Works | Wastewater Treatment | Wastewater Treatment Capital Program | 22.4
Planning and Development Services | Development Services | Building Permit & Inspection Process | 20.5
Public Works | Structures and Grounds | ADA Compliance / Flood protection capital project | 20.0
Administrative Services | Purchasing | Purchasing Card Program / Vendor Master File | 18.6
Police | Field Services | Psychiatric Emergency Response Team (PERT) Program | 18.2
Utilities | Electric Administration | Power Purchase Agreement | 18.2
Community Services | Administration and Human Services | Human Services Resource Allocation Process (HSRAP) | 18.0
Community Services | Arts and Sciences | Junior Museum and Zoo (JMZ) Operation | 18.0
Community Services | Recreation and Cubberley | Contract Management | 18.0
Police | Technical Services | 911 Operations | 17.2
Community Services | Animal Shelter | Contract Management | 16.9
Fire | Emergency Response | Emergency Preparedness (Foothills Fire Master Plan) | 15.8
City Manager | Administration and City Management | Citywide Risk Management | 15.6
Fire | Administration | Safety and Wellness | 15.6
Planning and Development Services | Planning and Transportation | Code Enforcement | 15.4
Office of Transportation | Programs | Intersection safety improvements | 15.4
Utilities | Electric Engineering (Operating) | Utility Asset Management | 15.3
Public Works | Airport | Airport Operations | 15.1
Human Resources | Administration, Employee Org Development and HR Systems | HR Strategy / Succession Planning | 15.1
Police | Police Personnel Selection | Recruitment and retention | 14.9
Administrative Services | Treasury / Revenue Collection / Warehouse | Investment Management | 14.9
Administrative Services | Real Estate | Property Management | 14.7
Public Works | Engineering Services | Animal Shelter Renovation | 14.3
Community Services | Open Space, Parks and Golf | Emergency Preparedness (Foothills Fire Master Plan) | 14.1
Information Technology | Operations | PCI/DSS Compliance | 14.1
Administrative Services | Accounting | Grant Management | 14.0
Office of Emergency Services | Emergency Services | Emergency preparedness (Foothills Fire Mitigation Program) | 13.9
Utilities | Electric Customer Service | Utility Billing | 13.9
Information Technology | Project Services | AMI Implementation | 13.8
Library | Administration | Business Operations (Donations and grants; Inventory Management; Fines, Purchasing, etc.) | 13.8
Human Resources | Risk Mgmt., Safety, Workers' Compensation | HR Risk Management / Workplace Safety | 13.8
Police | Law Enforcement Services | Evidence | 13.8
Utilities | Water Customer Service | Utility Billing | 13.6
City Manager | Economic Development | Economic Development | 13.4
Human Resources | Recruitment | Recruitment Process | 13.3
Utilities | Electric Resource Management | Rate setting and adjustments | 13.2
Public Works | Administration | Safety and Wellness | 13.0
Utilities | Gas Customer Service | Utility Billing | 13.0
Utilities | Fiber Optics Customer Service | Utility Billing | 13.0
Proposed Audit Projects for FY2024
Summary
The proposed audits and follow-up project for FY2024 are listed on the next page. The projects were selected
from the auditable units that were rated as High or Moderate in the results of our risk assessment, based on
factors such as risk rating, the pervasiveness of the process or control, the audit coverage, the timing of
projects, and the value-adding activities that help the City enhance its ability to manage risks, strengthen
accountability, and improve efficiency and effectiveness.
The preliminary audit objectives are described for each audit listed. These objectives and scope will be further
defined based on the result of the engagement-level risk assessment performed at the beginning of each audit.
Amendments to this audit plan may need to be proposed during FY2024 in response to changes in the City’s
environment such as organizational structure, operations, risks, systems, and controls.
For each audit, a task order is submitted to the City Council for approval before an audit is commenced. We
prepared three task orders, which are included in the Appendix. The OCA is seeking approval from the City Council
for three projects that are projected to start in January 2024. Those audits are marked “X” in the Seeking
Approval column.
Proposed Audit Plan for FY2024
Columns: Seeking Approval | Function | Project Title | Audit Objectives | Timeline | FY24 Estimated Hours | FY24 Cost. Projects marked “X” are those for which approval is being sought.

Public Works | Public Safety Building - Construction Audit (Task Order 4.8)
Audit objectives:
– Monthly invoice review
– Change order testing
– Contingency and allowance testing
– Lien waiver control
– Compliance with insurance requirements
– Closeout testing
– Verify the City’s implementation and adherence to documented project controls
Timeline: March 2021 - March 2024 | FY24 estimated hours: 87 | FY24 cost: $19,734

X | Administrative Services | Purchasing Card Program
Audit objectives:
– Determine whether procurement cards are used appropriately in compliance with the City's policy and pertinent laws and regulations
– Evaluate the administration of the Purchasing Card Program for adequate internal controls to safeguard the City from fraud, waste, and abuse
Timeline: January - June 2024 | FY24 estimated hours: 415 | FY24 cost: $76,540

X | Public Works | ADA Compliance
Audit objective: Determine whether improvements have been made to make facilities, programs, and services accessible in accordance with the Transition Plan and Self-Evaluation Final Study to ensure compliance with the Americans with Disabilities Act (ADA) of 1990
Timeline: January - June 2024 | FY24 estimated hours: 385 | FY24 cost: $73,110

Human Resources | Recruitment and Succession Planning
Audit objectives:
– Determine the efficiency and effectiveness of the recruitment and hiring process
– Determine whether a formal succession plan and related policies and procedures are in place
Timeline: January - June 2024 | FY24 estimated hours: 290 | FY24 cost: $58,890

Citywide | Grant Management
Audit objective: Determine whether the City has adequate internal controls to efficiently and effectively manage the grant lifecycle
Timeline: January - June 2024 | FY24 estimated hours: 315 | FY24 cost: $60,330

Multiple departments | Emergency Preparedness
Audit objective: Determine whether the City is working to prevent wildfire and is adequately prepared to respond to wildfire
Timeline: January - June 2024 | FY24 estimated hours: 385 | FY24 cost: $73,110

Utilities | Utility Billing
Audit objectives:
– Determine whether the internal controls over the utility billing process are adequate and working effectively to ensure billing is accurate and in compliance with the City's policy and regulations
– Determine whether billing adjustments are properly supported and approved
Timeline: January - June 2024 | FY24 estimated hours: 385 | FY24 cost: $72,010

Information Technology | Payment Card Industry Data Security Standard (PCI DSS)
Audit objective: Determine whether the internal controls over the payment card processing are adequate and working effectively for the City and any third party service provider
Timeline: January - June 2024 | FY24 estimated hours: 370 | FY24 cost: $69,680

X | Citywide | Follow-up on Corrective Actions
Audit objective: Follow up on previous OCA audit reports to ensure corrective actions included in management responses in each audit report are completed [This activity will be performed under Task 5 (an annual report on the status of recommendations made in completed audits)]
Timeline: December 2023 - June 2024 | FY24 estimated hours: 140 | FY24 cost: $30,592

TBD | Ad Hoc Requests | TBD | TBD | FY24 estimated hours: TBD | FY24 cost: $0

FY24 total: 2,772 estimated hours | $533,996
FY23 - FY24 Budget: $534,250
FY24 Ad Hoc / Contingency: $254
Appendices
Appendix A: Resumes
PROFESSIONAL SERVICES TASK ORDER
TASK ORDER FY24-4.21 Purchasing Card Program
Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the
Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated
into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional,
technical and supporting personnel required by this Task Order as described below.
CONTRACT NO. C21179340
OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE)
1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): C21179340
1B. TASK ORDER NO.: FY23-4.22
2. CONSULTANT NAME: Baker Tilly US, LLP
3. PERIOD OF PERFORMANCE: START: January 1, 2024 COMPLETION: June 30, 2024
4. TOTAL TASK ORDER PRICE: $69,940
BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT TBD
5. BUDGET CODE_______________
COST CENTER________________
COST ELEMENT______________
WBS/CIP__________
PHASE__________
6. CITY PROJECT MANAGER’S NAME & DEPARTMENT:
Greg Tanaka, Chair of the City Council’s Policy and Services Committee
7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A)
MUST INCLUDE:
SERVICES AND DELIVERABLES TO BE PROVIDED
SCHEDULE OF PERFORMANCE
MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable)
REIMBURSABLE EXPENSES, if any (with “not to exceed” amount)
8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A
I hereby authorize the performance of the
work described in this Task Order.
APPROVED:
CITY OF PALO ALTO
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________
I hereby acknowledge receipt and acceptance of
this Task Order and warrant that I have authority to
sign on behalf of Consultant.
APPROVED:
COMPANY NAME: ______________________
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________
Attachment A
DESCRIPTION OF SCOPE OF SERVICES
Introduction
Attachment A, the Description of Scope of Services, contains the following four (4) elements:
Services and Deliverables To Be Provided
Schedule of Performance
Maximum Compensation Amount and Rate Schedule (As Applicable)
Reimbursable Expenses, if any (With “Not To Exceed” Amount)
Services & Deliverables
Baker Tilly’s approach to conducting an internal audit of Purchasing Card Program involves
three (3) primary steps:
Step 1: Audit Planning
Step 2: Control Review and Testing
Step 3: Reporting
Step 1 – Audit Planning
This step consists of the tasks performed to adequately plan the work necessary to address
the overall audit objective and to solidify mutual understanding of the audit scope,
objectives, audit process, and timing between stakeholders and auditors. Tasks include:
Gather information to understand the environment under review
o Understand the organizational structure and objectives
o Review the City code, regulations, and other standards and expectations
o Review prior audit results, as applicable
o Review additional documentation and conduct interviews as necessary
Assess the audit risk
Write an audit planning memo and audit program
o Refine audit objectives and scope
o Identify the audit procedures to be performed and the evidence to be obtained
and examined
Announce the initiation of the audit and conduct kick-off meeting with key
stakeholders
o Discuss audit objectives, scope, audit process, timing, resources, and
expectations
o Discuss documentation and interview requests for the audit
Step 2 – Control Review and Testing
This step involves executing the procedures in the audit program to gather information,
interview individuals, and analyze the data and information to obtain sufficient evidence to
address the audit objectives. The preliminary audit objectives are to (1) determine whether
procurement cards are used appropriately in compliance with the City's policy and pertinent
laws and regulations; and (2) evaluate the administration of the Purchasing Card Program for
adequate internal controls to safeguard the City from fraud, waste, and abuse. Procedures
include, but are not limited to:
Interview the appropriate individuals to gain an understanding of the organizational
structure, processes, and controls related to the Purchasing Card Program.
Review policies and procedures as well as the legislative and regulatory requirements
to identify the criteria to be used for evaluation of control design and effectiveness.
Select a sample of the P-Card transactions
Compare the process and controls against the best practices.
Step 3 – Reporting
In Step 3, the project team will perform tasks necessary to finalize audit working papers,
prepare and review a draft report with the stakeholders, and submit a final audit report. Tasks
include:
Develop findings, conclusions, and recommendations based on the supporting
evidence gathered
Validate findings with the appropriate individuals and discuss the root cause of the
identified findings
Complete supervisory review of working papers and a draft audit report
Distribute a draft audit report and conduct a closing meeting with key stakeholders
o Discuss the audit results, findings, conclusions, and recommendations
o Discuss management responses
Obtain written management responses and finalize a report
Review report with members of City Council and/or the appropriate Council
Committee
Deliverables:
The following deliverable will be prepared as part of this engagement:
Audit Report
Schedule of Performance
Anticipated Start Date: January 1, 2024
Anticipated End Date: June 30, 2024
Maximum Compensation Amount and Rate Schedule
The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this
Task is $69,940. The not-to-exceed budget is based on an estimate of 375 total project hours, of
which 15 are estimated to be completed by the City Auditor.
Reimbursable Expenses
We plan to complete all work remotely, including all interviews and documentation review.
However, during the planning and fieldwork phases of this audit, the City and Baker Tilly may
mutually determine it will be beneficial to perform a portion of the work on-site. Given this
possibility, Baker Tilly could incur reimbursable expenses for this Task.
The not-to-exceed maximum for reimbursable expenses for this Task is $6,500.
The following summarizes anticipated reimbursable expenses:
Round-trip Airfare – $2,000 (1 round-trip flight x 2 auditors)
Ground Transportation (car rental or Uber/taxi) - $800
Hotel accommodation - $3,000 (2 rooms x 4 nights)
Food and incidentals – $2,100
PROFESSIONAL SERVICES TASK ORDER
TASK ORDER FY24-4.22 ADA Compliance Review
Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the
Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated
into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional,
technical and supporting personnel required by this Task Order as described below.
CONTRACT NO. C21179340
OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE)
1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): C21179340
1B. TASK ORDER NO.: FY23-4.23
2. CONSULTANT NAME: Baker Tilly US, LLP
3. PERIOD OF PERFORMANCE: START: January 1, 2024 COMPLETION: June 30, 2024
4. TOTAL TASK ORDER PRICE: $73,110
BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT TBD
5. BUDGET CODE_______________
COST CENTER________________
COST ELEMENT______________
WBS/CIP__________
PHASE__________
6. CITY PROJECT MANAGER’S NAME & DEPARTMENT:
Greg Tanaka, Chair of the City Council’s Policy and Services Committee
7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A)
MUST INCLUDE:
SERVICES AND DELIVERABLES TO BE PROVIDED
SCHEDULE OF PERFORMANCE
MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable)
REIMBURSABLE EXPENSES, if any (with “not to exceed” amount)
8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A
I hereby authorize the performance of the
work described in this Task Order.
APPROVED:
CITY OF PALO ALTO
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________
I hereby acknowledge receipt and acceptance of
this Task Order and warrant that I have authority to
sign on behalf of Consultant.
APPROVED:
COMPANY NAME: ______________________
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________
Attachment A
DESCRIPTION OF SCOPE OF SERVICES
Introduction
Attachment A, the Description of Scope of Services, contains the following four (4) elements:
Services and Deliverables To Be Provided
Schedule of Performance
Maximum Compensation Amount and Rate Schedule (As Applicable)
Reimbursable Expenses, if any (With “Not To Exceed” Amount)
Services & Deliverables
Baker Tilly’s approach to conducting an internal audit of ADA (Americans with Disabilities Act)
Compliance involves three (3) primary steps:
Step 1: Audit Planning
Step 2: Control Review and Testing
Step 3: Reporting
Step 1 – Audit Planning
This step consists of the tasks performed to adequately plan the work necessary to address
the overall audit objective and to solidify mutual understanding of the audit scope,
objectives, audit process, and timing between stakeholders and auditors. Tasks include:
Gather information to understand the environment under review
o Understand the organizational structure and objectives
o Review the City code, regulations, and other standards and expectations
o Review prior audit results, as applicable
o Review additional documentation and conduct interviews as necessary
Assess the audit risk
Write an audit planning memo and audit program
o Refine audit objectives and scope
o Identify the audit procedures to be performed and the evidence to be obtained
and examined
Announce the initiation of the audit and conduct kick-off meeting with key
stakeholders
o Discuss audit objectives, scope, audit process, timing, resources, and
expectations
o Discuss documentation and interview requests for the audit
Step 2 – Control Review and Testing
This step involves executing the procedures in the audit program to gather information,
interview individuals, and analyze the data and information to obtain sufficient evidence to
address the audit objectives. The preliminary audit objective is to determine whether
improvements have been made to make facilities, programs, and services accessible in
accordance with the Transition Plan and Self-Evaluation Final Study to ensure compliance
with the Americans with Disabilities Act (ADA) of 1990. Specifically, we will determine
whether (1) necessary remediation work, projects, or programs are included in the annual
capital budget to meet the ADA Transition Plan Schedules; (2) the progress of the
remediation efforts and any change in laws and regulations are assessed periodically to
ensure continued improvements in ADA compliance; (3) the City monitors the contractor’s
compliance with the contractual requirements to ensure that the City receives necessary
services. Procedures include, but are not limited to:
Interview the appropriate individuals to gain an understanding of the organizational
structure, processes, and controls related to the ADA compliance efforts.
Review policies and procedures as well as the legislative and regulatory requirements
to identify the criteria to be used for evaluation of control design and effectiveness.
Review the relevant documents such as ADA Transition Plan, ADA Self-Evaluation
Report, the Transition Plan Schedule, progress assessment reports, and the contract
with the consultants.
Compare the process and controls against the best practices.
Step 3 – Reporting
In Step 3, the project team will perform tasks necessary to finalize audit working papers,
prepare and review a draft report with the stakeholders, and submit a final audit report. Tasks
include:
Develop findings, conclusions, and recommendations based on the supporting
evidence gathered
Validate findings with the appropriate individuals and discuss the root cause of the
identified findings
Complete supervisory review of working papers and a draft audit report
Distribute a draft audit report and conduct a closing meeting with key stakeholders
o Discuss the audit results, findings, conclusions, and recommendations
o Discuss management responses
Obtain written management responses and finalize a report
Review report with members of City Council and/or the appropriate Council
Committee
Deliverables:
The following deliverable will be prepared as part of this engagement:
Audit Report
Schedule of Performance
Anticipated Start Date: January 1, 2024
Anticipated End Date: June 30, 2024
Maximum Compensation Amount and Rate Schedule
The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this
Task is $73,110. The not-to-exceed budget is based on an estimate of 385 total project hours, of
which 15 are estimated to be completed by the City Auditor.
Reimbursable Expenses
We plan to complete all work remotely, including all interviews and documentation review.
However, during the planning and fieldwork phases of this audit, the City and Baker Tilly may
mutually determine it will be beneficial to perform a portion of the work on-site. Given this
possibility, Baker Tilly could incur reimbursable expenses for this Task.
The not-to-exceed maximum for reimbursable expenses for this Task is $6,500.
The following summarizes anticipated reimbursable expenses:
Round-trip Airfare – $2,000 (1 round-trip flight x 2 auditors)
Ground Transportation (car rental or Uber/taxi) - $800
Hotel accommodation - $3,000 (2 rooms x 4 nights)
Food and incidentals – $2,100
PROFESSIONAL SERVICES TASK ORDER
TASK ORDER FY24-05 Various Reporting & City Hotline (Modified)
Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the
Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this
Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical
and supporting personnel required by this Task Order as described below.
CONTRACT NO. C21179340
OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE)
1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): C21179340
1B. TASK ORDER NO.: FY24-05
2. CONSULTANT NAME: Baker Tilly US, LLP
3. PERIOD OF PERFORMANCE: START: July 1, 2023 COMPLETION: June 30, 2024
4. TOTAL TASK ORDER PRICE: $120,592 90,000
BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT TBD
5. BUDGET CODE_______________
COST CENTER________________
COST ELEMENT______________
WBS/CIP__________
PHASE__________
6. CITY PROJECT MANAGER’S NAME & DEPARTMENT:
Greg Tanaka, Chair of the City Council’s Policy and Services Committee
7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A)
MUST INCLUDE:
SERVICES AND DELIVERABLES TO BE PROVIDED
SCHEDULE OF PERFORMANCE
MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable)
REIMBURSABLE EXPENSES, if any (with “not to exceed” amount)
8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A
I hereby authorize the performance of the
work described in this Task Order.
APPROVED:
CITY OF PALO ALTO
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________
I hereby acknowledge receipt and acceptance of
this Task Order and warrant that I have authority to
sign on behalf of Consultant.
APPROVED:
COMPANY NAME: ______________________
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________
Attachment A
DESCRIPTION OF SCOPE OF SERVICES
Introduction
Attachment A, the Description of Scope of Services, contains the following four (4) elements:
Services and Deliverables To Be Provided
Schedule of Performance
Maximum Compensation Amount and Rate Schedule (As Applicable)
Reimbursable Expenses, if any (With “Not To Exceed” Amount)
Services & Deliverables
Baker Tilly will provide the following services in Task 5:
Quarterly Reports
Annual Status Report
Provision of the City Hotline
Office Administrative Functions, including quarterly follow-up activities and testing of
corrective actions for the completed audits
Deliverables:
Legislative documents will be prepared to present the financial statements and reports
prepared by an external auditor to the Finance Committee
Quarterly Reports (4 in FY24)
Annual Status Report
Schedule of Performance
Anticipated Start Date: July 1, 2023
Anticipated End Date: June 30, 2024
Maximum Compensation Amount and Rate Schedule
The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this
Task is $120,592 90,000. The not-to-exceed budget is based on an estimate of 440 300 total
project hours, of which 170 are estimated to be completed by the City Auditor.
Reimbursable Expenses
Baker Tilly anticipates several site visits by the City Auditor throughout FY2024, with one
on-site fieldwork week planned. Given this possibility, Baker Tilly could incur reimbursable
expenses for this Task.
The not-to-exceed maximum for reimbursable expenses for this Task is $19,500 19,000.
The following summarizes anticipated reimbursable expenses:
Round-trip Airfare – $6,000 (6 round-trip flights)
Ground Transportation (car rental or Uber/taxi) - $2,400
Hotel accommodation - $9,000 (24 nights)
Food and incidentals – $2,100 1,600