CITY OF PALO ALTO
CITY COUNCIL
Special Meeting
Monday, September 23, 2024
Council Chambers & Hybrid
5:30 PM
Agenda Item
7. Approval of Two Audits as Recommended by the Policy & Services Committee: Public
Safety Construction Audit and Parking Permit Technology Contracts Audit
City Council
Staff Report
From: City Manager
Report Type: CONSENT CALENDAR
Lead Department: City Auditor
Meeting Date: September 23, 2024
Report #:2409-3430
TITLE
Approval of Two Audits as Recommended by the Policy & Services Committee: Public Safety
Construction Audit and Parking Permit Technology Contracts Audit
RECOMMENDATION
The Policy & Services Committee and Office of the City Auditor recommend City Council
approve the results of two audits:
1) Public Safety Construction Audit (Attachment A, P&S Committee recommended approval on
June 11, 2024) and
2) Parking Permit Technology Contracts Audit (Attachment B, P&S Committee recommended
approval on August 13, 2024).
EXECUTIVE SUMMARY
Public Safety Building Construction Audit
Baker Tilly Advisory Group, LP (Baker Tilly), in its capacity serving as the Office of the City
Auditor (OCA) for the City of Palo Alto (the City) performed construction audit services on the
Public Safety Building project. The objectives of this audit were to verify that billings to the City
from the Architect, Engineer, Inspector of Record, Construction Manager, Contractor, and
Waterproofing Inspector were compliant with the terms of the applicable contracts.
The new Public Safety Building will house the Police Department, 911 Emergency Dispatch
Center, the Emergency Operations Center, the Office of Emergency Services, and the
administration needs of the Fire Department. The Public Safety Building is part of the Capital
Improvement (Infrastructure) Plan introduced in 2014. Non-compliance with contract terms
related to project billings can result in cost overruns that impact the overall project budget. The
audit found no material billing errors and did not recommend any additional actions.
Parking Permit Technology Contracts Management Audit
Baker Tilly Advisory Group, LP (Baker Tilly), in its capacity serving as the Office of the City
Auditor (OCA) for the City of Palo Alto (the City) performed an audit of the parking permit
technology contract management process and controls based on the approved Task Order 4.16
in alignment with the FY 2022 citywide risk assessment and audit plan. The objectives of this
review were to: 1) Determine whether adequate policies and procedures are implemented
effectively to protect the privacy of personal information gathered using parking permit
technology for the City’s parking management. 2) Determine whether the City monitors the
parking permit vendor’s performance to ensure compliance with contract terms and applicable
laws and regulations related to data privacy. The audit noted areas for improving policies and
procedures related to how the City and its parking technology system third-party providers
manage data privacy security. The attached report summarizes the analysis, audit findings, and
recommendations.
FISCAL/RESOURCE IMPACT
For the Parking Permit Technology Contract Management audit, the OCA worked primarily with
the Office of Transportation and the Information Technology Department, as well as additional
stakeholders, including the City Manager’s Office and the City Attorney’s Office, as necessary.
The timeline for implementation of corrective action plans is identified within the attached
report. The necessary resources to implement these recommendations will be dependent on
the policy revisions approved upon completion of the review of IT policies and procedures.
ENVIRONMENTAL REVIEW
Council action on this item is not a project as defined by CEQA because the audit activities do
not involve any commitment to any specific project which may result in a potentially significant
physical impact on the environment. CEQA Guidelines section 15378(b)(4).
ATTACHMENTS
Attachment A: Public Safety Building Construction Audit Report, May 21, 2024
Attachment B: Parking Permit Technology Contracts Audit, August 1, 2024
APPROVED BY:
Kate Murdock, City Auditor
May 21, 2024
City of Palo Alto
Office of the City Auditor
Public Safety Building Construction
Audit Report
Contents
Baker Tilly US, LLP, trading as Baker Tilly, is an independent member of Baker Tilly International. Baker Tilly International Limited is an English company. Baker
Tilly International provides no professional services to clients. Each member firm is a separate and independent legal entity, and each describes itself as such.
Baker Tilly US, LLP is not Baker Tilly International’s agent and does not have the authority to bind Baker Tilly International or act on Baker Tilly International’s
behalf. None of Baker Tilly International, Baker Tilly US, LLP nor any of the other member firms of Baker Tilly International has any liability for each other’s acts
or omissions. The name Baker Tilly and its associated logo is used under license from Baker Tilly International Limited.
Executive Summary, p. 1
Introduction, p. 2
Audit Results, p. 4
Appendices, p. 5
Executive Summary
Purpose of the Audit
Baker Tilly US, LLP (Baker Tilly), in its capacity serving as the Office of the City Auditor (OCA) for the
City of Palo Alto (the City) performed construction audit services on the Public Safety Building project.
The objectives of this audit were to verify that billings to the City from the Architect, Engineer,
Inspector of Record, Construction Manager, Contractor, and Waterproofing Inspector were compliant
with the terms of the applicable contracts.
Report Highlights
Baker Tilly reviewed documentation provided by the Public Works Department for each of the
selected scopes on a monthly basis through March 2024 and found project billings were compliant
with the terms of the respective contracts. The billings, change orders, and additional services related
to each scope had the proper supporting documentation and authorizations. During the audit, we
identified several immaterial billing errors (see Finding 1 and Appendix A); however, these are
considered minor when compared to the overall value of the costs reviewed. The results of this audit
indicate the City’s implemented controls with respect to the review and approval of project billings are
operating as intended.
Introduction
Objective: The objectives of this audit were to verify billings from the Architect, Engineer, Inspector of Record, Construction Manager, Contractor, and Waterproofing Inspector were contractually compliant, adequately supported, and authorized by the City.
Background: The new Public Safety Building will house the Police Department, 911 Emergency Dispatch Center, the Emergency Operations Center, the Office of Emergency Services, and the administration needs of the Fire Department. The Public Safety Building is part of the Capital Improvement (Infrastructure) Plan introduced in 2014. Non-compliance with contract terms related to project billings can result in cost overruns that impact the overall project budget.
Scope: Our testing scope encompassed billings and cost documentation provided by the Public Works Department through March 2024. This included the Swinerton Builders payment application dated December 31, 2023, and billings for the other scopes through February 2024. At that time, billings reviewed for each of the contract scopes subject to audit were as follows:
Scope | Contractor | Invoiced Amount
Architect | Ross Drulis Cusenbery (RDC) | $9,497,850 [1]
Engineer | Romig Engineers | $92,976
Inspector of Record | 4Leaf, Inc. | $546,534
Construction Manager | Nova Partners, Inc. | $9,264,427 [2]
Contractor | Swinerton Builders | $86,888,316
Waterproofing Inspector | Consolidated Engineering Laboratories (CEL) | $106,317
Total | | $106,396,420
[1] Invoiced amount includes design and construction administration services for the California Avenue Garage project.
[2] Invoiced amount includes project development and construction management services for the Fire Station No. 3 and California Avenue Garage projects.
Methodology and Analysis: To achieve the audit objectives, Baker Tilly performed the following procedures and analysis:
• Inspected the contract to identify the key terms related to project billings for each scope subject to audit
• Analyzed billings for each scope subject to audit on a monthly basis as follows:
  o Created control schedules for billings and payment applications
  o Footed and recalculated amounts billed to test for mathematical accuracy
  o Rolled forward previous billed amounts to ensure reported totals were accurate
  o Verified lien waivers were collected where applicable
  o Verified monthly invoices were submitted with a description of services performed and the applicable charges (identification of personnel, hours worked, hourly rates, and reimbursable expense)
  o Where applicable, verified hourly rates reconciled to agreed upon rates
  o Where applicable, reconciled support for reimbursable expenses to third party cost support
  o Verified aggregate billings did not exceed contractual limitations
  o Verified billings and payment applications had the appropriate authorizations
• Analyzed change orders, amendments, and additional services in scope as follows:
  o Reconciled the amounts reflected on change orders to supporting documentation
  o Verified the change order costs were contractually compliant and reconciled to agreed upon rates where applicable
  o Recalculated any markups and insurance amounts to ensure the applicable rates adhered to the contract terms
  o Verified change orders and additional services had the required authorization
• Communicated the testing results to the Public Works Department on a monthly basis:
  o Verified any identified billing errors were corrected (see Appendix A)
  o Requested additional documentation as necessary to complete testing
[3] Government auditing standards require an external peer review at least once every three (3) years. The last peer review of the Palo Alto Office of the City Auditor was conducted in 2017. The Palo Alto City Council approved a contract from October 2020 through June 2022 with Baker Tilly US, LLP (Baker Tilly) and appointed Kyle O'Rourke, Senior Consulting Manager in Baker Tilly's Public Sector practice, as City Auditor. Given the transition in the City Audit office, a peer review was not conducted in 2020 and will be conducted after the third year of Baker Tilly's contract.
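The monthly billing tests listed in the Methodology above, as an added example that is not part of the audit report or the auditor's own tooling: a small Python checker that foots each invoice, compares billed rates to the agreed rate schedule, rolls the prior cumulative forward and tests the contract limit. The billed and agreed rates in the samples are the ones quoted in Appendix A (AI 002 and 003); the hour counts, invoice numbers and the contract limit are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

CENT = Decimal("0.01")


@dataclass(frozen=True)
class LineItem:
    position: str           # labor classification as named in the contract rate schedule
    hours: Decimal
    billed_rate: Decimal
    billed_amount: Decimal  # line extension as printed on the invoice


@dataclass(frozen=True)
class Invoice:
    contractor: str
    number: str
    lines: tuple
    reported_total: Decimal
    previously_billed: Decimal  # cumulative-to-date figure the invoice carries forward


def check_invoice(inv, agreed_rates, prior_cumulative, contract_limit):
    """Run the monthly billing tests on one invoice.

    Returns a list of (test, detail, amount) tuples; an empty list means the
    invoice passed. The tests mirror the audit procedures: foot and recalculate
    each line, compare billed rates to the agreed schedule, roll the prior
    cumulative forward, and confirm aggregate billings stay within the limit.
    """
    issues = []
    footed = Decimal(0)
    for ln in inv.lines:
        footed += ln.billed_amount
        # Mathematical accuracy: hours x billed rate must equal the printed extension
        extension = (ln.hours * ln.billed_rate).quantize(CENT)
        if extension != ln.billed_amount:
            issues.append(("footing", f"{ln.position}: {ln.hours} h x {ln.billed_rate} is "
                           f"{extension}, invoice shows {ln.billed_amount}",
                           extension - ln.billed_amount))
        # Rate compliance: every position must be billed at its agreed rate
        agreed = agreed_rates.get(ln.position)
        if agreed is None:
            issues.append(("unknown_position",
                           f"{ln.position} is not in the agreed rate schedule", Decimal(0)))
        elif ln.billed_rate != agreed:
            overcharge = ((ln.billed_rate - agreed) * ln.hours).quantize(CENT)
            issues.append(("rate", f"{ln.position} billed at {ln.billed_rate}, "
                           f"agreed rate {agreed}", overcharge))
    # Footing: the lines must add up to the invoice total
    if footed != inv.reported_total:
        issues.append(("total", f"lines foot to {footed}, invoice shows {inv.reported_total}",
                       footed - inv.reported_total))
    # Roll-forward: the carried cumulative must match what was actually billed before
    if inv.previously_billed != prior_cumulative:
        issues.append(("rollforward", f"invoice carries {inv.previously_billed}, "
                       f"records show {prior_cumulative}",
                       inv.previously_billed - prior_cumulative))
    # Contract limit: aggregate billings may not exceed the not-to-exceed amount
    cumulative = prior_cumulative + inv.reported_total
    if cumulative > contract_limit:
        issues.append(("limit", f"cumulative {cumulative} exceeds contract limit {contract_limit}",
                       cumulative - contract_limit))
    return issues


def overcharge_total(issues):
    """Sum of rate overcharges, the figure reported per issue in Appendix A."""
    return sum((amt for test, _, amt in issues if test == "rate"), Decimal(0))


# Constructed sample invoices. Rates are the ones quoted in Appendix A (AI 002 and 003);
# hour counts, invoice numbers and the contract limit are assumed for illustration.
NOVA_RATES = {"Estimator": Decimal("160.00")}
NOVA_INVOICE = Invoice("Nova Partners", "SAMPLE-NOVA-1",
                       (LineItem("Estimator", Decimal("465"), Decimal("175.00"), Decimal("81375.00")),),
                       Decimal("81375.00"), Decimal("0.00"))

CEL_RATES = {"Waterproof Inspector": Decimal("96.90"),
             "Overtime": Decimal("142.50"), "Double Time": Decimal("190.00")}
CEL_INVOICE = Invoice("Consolidated Engineering Laboratories", "SAMPLE-CEL-1",
                      (LineItem("Overtime", Decimal("8"), Decimal("161.25"), Decimal("1290.00")),
                       LineItem("Double Time", Decimal("10"), Decimal("215.00"), Decimal("2150.00"))),
                      Decimal("3440.00"), Decimal("0.00"))

CLEAN_INVOICE = Invoice("Consolidated Engineering Laboratories", "SAMPLE-CEL-2",
                        (LineItem("Waterproof Inspector", Decimal("40"), Decimal("96.90"), Decimal("3876.00")),),
                        Decimal("3876.00"), Decimal("3440.00"))


def run_samples():
    """Apply the checks to the samples and return the headline results."""
    nova = check_invoice(NOVA_INVOICE, NOVA_RATES, Decimal("0.00"), Decimal("1000000.00"))
    cel = check_invoice(CEL_INVOICE, CEL_RATES, Decimal("0.00"), Decimal("1000000.00"))
    clean = check_invoice(CLEAN_INVOICE, CEL_RATES, Decimal("3440.00"), Decimal("1000000.00"))
    # Same clean invoice, but against a limit that the cumulative billing now exceeds
    capped = check_invoice(CLEAN_INVOICE, CEL_RATES, Decimal("3440.00"), Decimal("7000.00"))
    return {
        "nova_overcharge": str(overcharge_total(nova)),            # "6975.00"
        "cel_overcharge": str(overcharge_total(cel)),              # "400.00"
        "clean_issue_count": len(clean),                           # 0
        "limit_flagged": any(t == "limit" for t, _, _ in capped),  # True
    }


if __name__ == "__main__":
    for key, value in run_samples().items():
        print(f"{key}: {value}")
```

The 465 estimator hours are chosen so the sample reproduces the $6,975 overcharge of AI 002; any other hour count produces a different, equally valid figure.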
Compliance Statement: This audit activity was conducted from March 2021 to March 2024 in accordance with generally accepted government auditing standards, except for the requirement of an external peer review [3]. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
Organizational Strengths: During this audit activity, we observed that the controls implemented by the City related to the review of billings and change orders were operating as intended. This is evidenced based on the low occurrence of findings and immaterial values thereof. All parties were accommodating during the audit process and were forthcoming with answers to questions and requests for additional documentation.
The Office of the City Auditor greatly appreciates the support of the Public Works Department in
conducting this audit activity.
Thank you!
Audit Results
Finding 1: Immaterial billing errors
Baker Tilly identified nine billing errors totaling $10,122 throughout the audit engagement. These errors were mostly related to labor billing rate errors where the contractor in question billed for services at rates that were not compliant with the agreed upon rates. Each of the identified errors was resolved on a subsequent billing from the applicable contractor. See Appendix A for additional detail related to the specific billing errors identified.
Recommendation: No additional action is required. All billing errors have been resolved. In addition, the errors in question occurred during the early months of our audit and the occurrence of findings decreased as the audit progressed.
Recommended follow-up activities: As of the report date the project was not yet complete. Baker Tilly recommends performing a closeout audit upon final completion of the project. The current substantial completion is anticipated on July 31, 2024. The closeout audit would kick off in August 2024 and conclude upon receipt of the documentation required to complete closeout testing. The primary objectives of the closeout audit would include:
• Analyze billings and change orders for the selected audit scopes received by the Public Works Department from March 2024 through project completion (Swinerton payment applications subsequent to December 31, 2023, and billings from the other selected scopes subsequent to February 2024).
• Verify the allowances included in the construction contract are reconciled and closed out per the contract terms
• Verify final lien waivers are collected from subcontractors
• Confirm final amounts paid to each contractor in the scope of the audit do not exceed the contractual limitations
Appendices
Appendix A: Public Safety Building – Construction Audit Issues Log
The following audit issues totaling $10,122 were identified during monthly testing. Each of these issues was communicated to the Public Works Department when identified. All audit issues have been resolved.
AI No. 001 | AI Date 9/23/2021 | Response Date 11/15/2021 | Status Closed | Amount $356.77
Audit Issue: Swinerton Builders - COR #25 which was included in Change Order #4 included a duplicate charge for equipment markup totaling $356.77 (see RFI #7).
Result: Public Works provided Change Order #8 reflecting the credit. Baker Tilly reviewed Change Order #8 and confirmed credit.
AI No. 002 | AI Date 10/15/2021 | Response Date 1/12/2022 | Status Closed | Amount $6,975.00
Audit Issue: Nova Partners - Invoices from June 2017 to December 2017 billed an Estimator at a rate of $175 per hour rather than the agreed-upon rate of $160 per hour. This resulted in a billing rate overcharge totaling $6,975 (see RFI #1).
Result: Public Works provided Invoice #104376 reflecting the credit. Baker Tilly reviewed Invoice #104376 and confirmed credit.
AI No. 003 | AI Date 3/16/2022 | Response Date 4/13/2022 | Status Closed | Amount $400.00
Audit Issue: Consolidated Engineering Laboratories - Invoice #191863 billed overtime at a rate of $161.25 and double-time at a rate of $215.00 rather than the agreed upon rates of $142.50 for overtime and $190 for double time. This resulted in a billing rate overcharge totaling $400 (see RFI #24).
Result: Public Works provided Invoice #195679 reflecting the credit. Baker Tilly reviewed Invoice #195679 and confirmed credit.
AI No. 004 | AI Date 4/21/2022 | Response Date 5/31/2023 | Status Closed | Amount $473.40
Audit Issue: Romig Engineers - Invoice #27139 and #28131 billed the position "Engineering Technician Prevailing Wage" at a rate of $150 per hour rather than the agreed-upon rate of $144 per hour. This resulted in a billing rate overcharge totaling $473.40 (see RFI #27).
Result: Public Works provided Invoice #31394 and #31569 reflecting the credit. Baker Tilly reviewed Invoice #31394 and #31569 and confirmed credit.
AI No. 005 | AI Date 4/21/2022 | Response Date 5/31/2023 | Status Closed | Amount $63.00
Audit Issue: Romig Engineers - Invoice #28131 billed overtime at a rate of $225 rather than the agreed upon rate of $216. This resulted in a billing rate overcharge totaling $63.00 (see RFI #28).
Result: Public Works provided Invoice #31569 reflecting the credit. Baker Tilly reviewed Invoice #31569 and confirmed credit.
AI No. 006 | AI Date 4/21/2022 | Response Date 5/31/2023 | Status Closed | Amount $333.00
Audit Issue: Romig Engineers - Invoice #27784B billed the position "Engineering Technician Prevailing Wage" at a rate of $150 per hour rather than the agreed-upon rate of $144 per hour. Overtime was also billed at a rate of $225 rather than the agreed upon rate of $216. This resulted in a billing rate overcharge totaling $333.00 (see RFI #26).
Result: Public Works provided Invoice #31394 reflecting the credit. Baker Tilly reviewed Invoice #31394 and confirmed credit.
AI No. 007 | AI Date 6/27/2022 | Response Date 7/26/2022 | Status Closed | Amount $310.59
Audit Issue: Consolidated Engineering Laboratories (CEL) Invoice #196433 billed the position "Waterproof Inspector" at a rate of $99.28 per hour rather than the agreed-upon rate of $96.90 per hour. This resulted in a billing rate overcharge totaling $310.59 (see RFI #31).
Result: Public Works provided Invoice #198423 reflecting the credit. Baker Tilly reviewed Invoice #198423 and confirmed credit.
AI No. 008 | AI Date 7/26/2022 | Response Date 7/26/2022 | Status Closed | Amount $166.60
Audit Issue: Consolidated Engineering Laboratories (CEL) Invoice #197348 billed the position "Waterproof Inspector" at a rate of $99.28 per hour rather than the agreed-upon rate of $96.90 per hour. This resulted in a billing rate overcharge totaling $166.60 (see RFI #35).
Result: Public Works provided Invoice #198423 reflecting the credit. Baker Tilly reviewed Invoice #198423 and confirmed credit.
AI No. 009 | AI Date 7/28/2023 | Response Date 8/29/2023 | Status Closed | Amount $1,043.64
Audit Issue: 4 Leaf, Inc - Invoice #J3909W billed time for Traci Craton at $169.95 per hour rather than the agreed-upon rate of $54 per hour. This resulted in a billing rate overcharge totaling $1,043.64 (see RFI #42).
Result: Public Works provided Invoice #J309X-REV reflecting the correct rates. Baker Tilly reviewed Invoice #J309X-REV and confirmed.
August 1, 2024
City of Palo Alto
Office of City Auditor
Parking Permit Technology Contracts Audit
Contents
Executive Summary, p. 1
  Purpose of the Audit, p. 1
  Report Highlights, p. 1
Introduction, p. 5
Detailed Analysis, p. 11
  Best Practices, p. 12
Audit Results, p. 13
Executive Summary
Purpose of the Audit
Baker Tilly US, LLP (Baker Tilly), in its capacity serving as the Office of the City Auditor (OCA) for the
City of Palo Alto (the City), conducted an audit of the parking permit technology systems contract
management process and controls based on the approved Task Order 4.16. The objectives of this
review were to:
1) Determine whether adequate policies and procedures are implemented effectively to protect the
privacy of personal information gathered using parking permit technology for the City’s parking
management.
2) Determine whether the City monitors the vendor’s performance to ensure compliance with
contract terms and applicable laws and regulations related to data privacy.
Report Highlights
Finding 1: Data Privacy Improvements
The City lacks a data privacy program owner and policies, procedures and
associated training requirements have not been regularly updated.
Key Recommendation
We recommend the City designate a data privacy program owner to coordinate a
uniform approach to data privacy management between the City Attorney, Chief
Information Officer, and Director of Human Resources.
Finding 2: Lack of Personal Identifiable Information (PII) Procedures
The City does not have Personal Identifiable Information (PII) procedures for
personal information that is managed or collected. Additionally, there are no
procedures related to masked or de-identified personal information.
Key Recommendation
We recommend that the City establish procedures for managing and collecting
Personal Identifiable Information (PII). These procedures should include:
classification of information, retention of PII, access control, data masking, and data
restoration and backup.
Finding 3: Records and Information Management Policy Enhancements
The City's Records and Information Management Policy does not address essential
elements related to information collection consent, management protocols for
personally identifiable information (PII), and comprehensive guidelines governing
data retention, maintenance, and destruction.
Key Recommendation
We recommend the City annually review and approve its Records and Information
Management Policy to ensure it aligns with best practices and relevant laws.
Finding 3: Lack of User Access Listing and Reviews
The City could not provide a user access listing for individuals who have access to
Personal Identifiable Information (PII) and there are no individuals that are
considered data security owners. Additionally, there is no evidence that access
reviews are being performed periodically by data security owners and confirmed with
the IT Department.
Key Recommendation
We recommend that the City establish a list of individuals who have access to
add, edit, or delete Personal Identifiable Information (PII).
Finding 4: Inadequate Breach of Contract Terms and Conditions with Third-Party Vendor
There is a section called "Data Security Breach Notification Act" within the City's
Data Privacy Policy, however, there is no specific mention of breaches related to
third-party vendors.
Key Recommendation
We recommend that the City's Data Privacy Policy explicitly cover breaches that
occur at third-party vendors. The policy should specifically emphasize that vendors
are required to adhere to and uphold the data privacy and security standards set by
the City.
Finding 5: Inadequate Vendor Performance Assessment
There is no formal vendor performance assessment in place within the
Transportation Department.
Key Recommendation
We recommend that the Transportation Department establish a formal vendor
performance assessment for all third-party vendors.
Finding 6: Absence of Third-Party Agreement Requirements
The City’s third-party license plate reading provider agreement does not formally
define the minimum requirements and vendor expectations related to the workflows
that process PII data.
Key Recommendation
The City should implement internal controls to ensure that all third-party providers
and agreements are in alignment with Palo Alto's maximum risk appetite and risk
posture.
Introduction
Objective: The objectives of this review were to:
1) Determine whether adequate policies and procedures are implemented effectively to protect the privacy of personal information gathered using parking permit technology for the City's parking management.
2) Determine whether the City monitors the vendor's performance to ensure compliance with contract terms and applicable laws and regulations related to data privacy.
Background: During the FY2022 risk assessment, the Baker Tilly team identified the following inherent risks and noted the contract management as a high-risk area:
• Contract compliance and cost control issues
• Noncompliance with applicable data privacy laws
The summary of the information provided in the FY2022 operating and capital budget
documents prepared by the City of Palo Alto (the City) is as follows:
Systems Involved
• Permitting System, City of Palo Alto
• Processing System, Duncan Solutions
• Automated License Plate Reader, ComSonics
Risk Consideration
Based on the currently available information, we have identified the following risks
associated with management of the Office of Transportation:
• Data Privacy
• Contract Management
• Safety Improvement Projects
• Traffic Operations
Personally Identifiable Information (PII)
According to the National Institute of Standards and Technology (NIST), the definition
of personally identifiable information (PII) is: "Information that can be used to
distinguish or trace an individual’s identity—such as name, social security number,
biometric data records—either alone or when combined with other personal or
identifying information that is linked or linkable to a specific individual (e.g., date and
place of birth, mother’s maiden name, etc.)."
It is crucial for the City to define their posture as it relates to data privacy and PII
because this will allow the City to ensure that all providers are complying with the
City’s standards.
Data Security Owner
Each data security owner (the City, Duncan Solutions, and ComSonics) is
responsible for the classification, protection, storage, use, and quality of data
processed related to parking permitting and enforcement operations.
Data Life Cycle
At a high level, the data life cycle involves the suggested steps below, followed by Palo Alto's current, related practices:
1. Data Collection: Data should be gathered in standardized formats, so it can be accessible and manageable later in the cycle.
• Palo Alto customers apply for permits online, which includes PII and PCI.
2. Data Storage: Policies should be established related to the storage of data.
• Data is stored in the City's permitting system, Duncan Solutions' processing system, and the ComSonics system.
3. Data Maintenance: Data should be made usable and available for the appropriate person(s).
• Palo Alto's customer application data is used to generate permits.
4. Data Usage: Data is used for making decisions.
• Verification of active permits is performed by scanning license plate numbers into the parking permit system and validating against Duncan Solutions' processing system, which pulls from the City's permitting system.
5. Data Cleaning: When data is no longer useful, data should be deleted, purged, destroyed, or archived.
• Palo Alto customers' permits that are inactive or expired should be purged based on the City's records retention schedule.
Scope: The scope of this audit was to review the parking permit technology systems contract management. The OCA reviewed the City of Palo Alto's policies and procedures related to Privacy Management, Data Management and Collection, Data Security, 3rd Party C&C Agreements, Surveillance Policy, and Incident Management in relation to the use of the parking permit technology and to ensure that the City maintains all necessary policies and that they are up to date. In addition to the policies and procedures, the OCA reviewed the City's vendor performance monitoring.
Methodology:
1. In order to address our audit objective (1), we performed the following procedures:
• Interviewed the appropriate individuals to understand the process, the information system used, and internal controls related to the gathering of personal information collected by the parking permit technology systems.
• Reviewed the contracts, policies, and procedures as well as the regulations and standards to identify the criteria to be used for evaluation of compliance and control design and effectiveness.
• Reviewed the documents (such as contracts and supporting documents for allocation) for selected samples.
• Compared privacy control against the California Consumer Privacy Act of 2018 and other best practices.
2. In order to address our audit objective (2), we performed the following procedures:
• Interviewed the appropriate individuals to understand the process and internal controls over compliance with contracts, regulations, and vendor monitoring.
• Reviewed agreements between Palo Alto and Duncan Solutions to identify compliance requirements.
• Identified the monitoring activities performed by management to ensure the compliance.
• Reviewed the relevant documents to evaluate the effectiveness of compliance monitoring activities.
Compliance Statement: This audit activity was conducted from February 2023 to December 2023 in accordance with generally accepted government auditing standards, except for the requirement of an external peer review [1]. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
[1] Government auditing standards require an external peer review at least once every three (3) years. The last peer review of the Palo Alto Office of the City Auditor was conducted in 2017. The Palo Alto City Council approved a contract with Baker Tilly U.S, LLP for internal audit services for October 2020 through June 2022 with an extension through June 2025. City Council appointed Kate Murdock, Audit Manager in Baker Tilly's Risk Advisory practice, as City Auditor in May 2024. As a result of transitions in the Audit Office and peer review delays due to the COVID pandemic, an external peer review is targeted for 2025. It should be noted that Baker Tilly's most recent firmwide peer review was completed in October 2021 with a rating of "Pass". The scope of that peer review includes projects completed under government auditing standards. A report on the next firmwide peer review should be available later in 2024.
Organizational Strengths: During this audit activity, we observed certain strengths of the City. Key strengths include:
• Transportation Department was responsive and helpful.
• All involved departments provided responses to all requested items.
• Knowledge and expertise of third-party providers.
The Office of the City Auditor greatly appreciates the support of the Information
Technology, Human Resources, and Transportation Departments in conducting this audit
activity.
Thank you!
Detailed Analysis
[2] California Consumer Privacy Act of 2018, Section 1798.185 - Codes Display Text (ca.gov)
[3] Chapter 3 – Rights of the data subject - General Data Protection Regulation (GDPR) (gdpr-info.eu)
[4] A complete guide to business Records Retention | Iron Mountain United States
Policies and Procedures: The City has the Data Privacy Policy (Revised: April 2019). The Policy Statement of this policy is "this Data Privacy Policy describes the data privacy requirements and procedures for the protection of personal data and personal information of individuals (the "Data") created, collected, processed, received, stored, and transmitted by the City of Palo Alto (the "City")."
The City's Data Privacy Policy includes User Data Collected, Stored, Processed, and Shared; Information Security and Data Protection; Data Security Breach Notification Act; Third-Party Data Access Control; Information Disclosure; California Privacy Rights; Protecting Children's Privacy Online; and City of Palo Alto Utilities ("CPAU") Data Privacy. The policy does not include the following related best practices:
• Guidance on the measures in place to secure and protect PII from unauthorized access, disclosure, alteration, and destruction. This may include encryption, access controls, and regular security audits. [2]
• A clear definition of Data Subject Rights that outlines the rights of individuals regarding their personal information. [3]
The City has the Records and Information Management Policy (Revised: July
2000). The policy statement of this policy is that it “was developed to ensure
the efficient retention and protection of information and to assure the
availability of information to the public in accordance with the State of California
Public Records Act.”
The City’s Records and Information Management Policy includes Roles and
Responsibilities and a Compliance Requirements section. The policy does not
include the following related best practices4:
•A formal definition of record categories or types of data that guides how
data is retained.
•A procedure for destroying or disposing of records once they have
reached the end of their retention period.
•A procedure for exceptions and legal holds as records may be exempt
from regular retention periods.
•Guidance on individuals that have access to the various types of
records.
•Guidance on any training programs or awareness campaigns that are
related to record retention.
•Guidance on the monitoring of record retention activity and
consequences of non-compliance.
There is also a Data Retention Schedule that supplements the Records and
Information Management Policy. The retention schedule identifies which
records are permanently retained as well as department-specific retention of
records.
Best Practices
As organizations and businesses move online and communicate digitally, the risk of data breaches and/or private information leaks is higher than ever. Personally identifiable information (PII) can be used for targeted attacks, social engineering attacks, identity theft, and more. Effective and up-to-date policies and procedures are integral to protecting the City from breaches of PII.
Through researching standards related to PII, data privacy, and records management & retention, the OCA compiled the following list of best practices according to the California Consumer Privacy Act (CCPA), the Information Systems Audit and Control Association (ISACA), and the National Institute of Standards and Technology (NIST).
•Educate and train employees on a consistent basis on topics related to PII, data privacy, security, incident management, and cybersecurity.
•Obtain explicit and informed consent from individuals before collecting their personal information.
•Specify the purposes for which personal data are collected at the time of data collection.
•Protect personal data by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data.
•Conduct periodic data audits and/or risk assessments to identify vulnerabilities, compliance gaps, and areas for improvement.
•Review policies and procedures on an annual basis to ensure accuracy and that all information is up to date.
•Ensure that all policies and procedures related to PII, data privacy, and security are available to City employees and external users.
The vendor contract owner should be responsible for identifying, monitoring, and reporting to Executive Leadership on quantitative and qualitative key performance indicators, including but not limited to the following:
•Quality - error resolution
•Delivery - availability
•Innovation - proposed improvements
•Risk - breaches and non-compliance
•Cost - price increases and scope limitations
•Customer Service - complaint resolution and communication
Audit Results
Finding 1: Data Privacy Improvements
The City lacks an identified citywide data privacy program owner, and policies, procedures, and associated training requirements have not been updated recently.
Recommendation
We recommend the City designate a data privacy program owner to coordinate a uniform approach to data privacy management among the City Attorney, Chief Information Officer, and Director of Human Resources. Based on best practices, the data privacy program owner’s responsibilities should include the following:
•Annual review and update of data privacy policies and procedures in alignment with the California Consumer Privacy Act of 2018. Reviews should be appropriately documented.
•Annual data privacy trainings held with all departments. The City might also consider the use of a Certified Information Privacy Professional (CIPP) to ensure compliance with data privacy laws, regulations, and best practices. Training compliance should be tracked and monitored, with metrics such as completion rate, assessment scores, feedback, and survey responses reported to management quarterly. Every employee is expected to take privacy management training.
•Ensure data privacy requirements and changes are annually incorporated into the City’s Record and Information Retention Policy so records containing personal identifiable information are properly secured. Additionally, documented procedures for data destruction should be aligned with legal requirements,
Management Response
Responsible Department(s): Information Technology
Concurrence: Agree
Target Date: CY Q4 2024
Action Plan: While the City does not have a designated data privacy program owner, the Data Privacy Policy provides oversight for the shared responsibility amongst the roles and departments, though staff agree with the policy review and updates. A project to update all IT policies has been initiated and this policy will be reviewed as part of this project, specifically in alignment with NIST regulations. This initiative has been started in alignment with the Cybersecurity Audit, recently completed in FY 2023, that recommended review of Outdated Policy and Standards Documentation. Although cybersecurity training is already offered and required citywide, to provide privacy training opportunities, a newly procured security training platform will provide training related to data protection, compliance with privacy laws and regulations, and best practices related to data privacy.
Finding 2: Lack of Personal Identifiable Information (PII) Procedures
The City does not have specific Personal Identifiable Information (PII) procedures for personal information that is managed or collected in the parking permit systems. In addition, there are no procedures or guidelines regarding whether, or which, information should be de-identified to protect information privacy.
Recommendation
We recommend that, when implementing a system such as the parking permit systems, the City document procedures related to Personal Identifiable Information (PII) for managing or collecting personal data in that system. Procedures for PII data should cover how to classify sensitive and non-sensitive information, which PII is necessary to retain, access control, data masking (what type of data is redacted or replaced), contract terms to manage vendor relationships where PII is referenced or shared, and the handling of data that is backed up or restored. Once established, the procedures should be easily accessible to program staff.
Management Response
Responsible Department(s): Information Technology
Concurrence: Partially Agree
Target Date: CY Q4 2024
Action Plan: Procedures on handling PII are included and maintained as part of the Information Privacy policy provided for review. In addition, a Surveillance Policy is also maintained and reported on annually for new technologies implemented prospectively. Specifically, parking permit data is limited to parking permit program and collections staffing. More specificity regarding PII handling can be added and identified in these policies, which are already under review.
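As an added illustration of the classification and data masking that the Finding 2 recommendation calls for, the following Python is example code written for this page; it is not the City's procedure, the audit's, or any vendor's code. It takes one constructed parking permit record, keeps the non-sensitive fields, redacts name and address, partially masks e-mail and phone, and replaces the license plate with a keyed pseudonym so records can still be linked without exposing the plate. The field names, the class assigned to each field, and the key are assumptions.

```python
import hashlib
import hmac
import re

# Hypothetical field classification for a parking permit record. The field
# names and the handling class of each field are assumptions for this example.
KEEP = {"permit_id", "zone", "permit_type", "issued"}   # non-sensitive, kept as-is
REDACT = {"name", "address"}                             # sensitive, value removed
MASK = {"email", "phone"}                                # sensitive, partially shown
PSEUDONYMIZE = {"license_plate"}                         # sensitive, replaced by keyed token


def pseudonymize_plate(plate: str, key: bytes) -> str:
    """Replace a plate with a stable token that still allows linking records.

    A plain SHA-256 of the plate would be reversible by brute force (the plate
    space is small), so the token is an HMAC under a key stored apart from the
    de-identified data. Normalising case and spacing keeps the token stable
    across data-entry variants of the same plate.
    """
    canonical = re.sub(r"[\s-]", "", plate).upper()
    digest = hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()
    return "PLATE-" + digest[:12]


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the domain."""
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain


def mask_phone(phone: str) -> str:
    """Keep only the last four digits."""
    digits = re.sub(r"\D", "", phone)
    return "***-***-" + digits[-4:]


def deidentify(record: dict, key: bytes) -> dict:
    """Return a copy of the record with every field handled per its class.

    A field that is not classified raises instead of passing through, so a
    new column added to an export cannot leak silently (fail closed).
    """
    out = {}
    for field, value in record.items():
        if field in KEEP:
            out[field] = value
        elif field in PSEUDONYMIZE:
            out[field] = pseudonymize_plate(value, key)
        elif field in MASK:
            out[field] = mask_email(value) if field == "email" else mask_phone(value)
        elif field in REDACT:
            out[field] = "[REDACTED]"
        else:
            raise ValueError(f"unclassified field {field!r}: refusing to export")
    return out


# Constructed sample record; not real data.
SAMPLE = {
    "permit_id": "RPP-2023-0417",
    "zone": "Downtown",
    "permit_type": "Resident",
    "issued": "2023-08-01",
    "name": "Jane Example",
    "address": "123 Example Ave",
    "email": "jane@example.org",
    "phone": "(650) 555-0142",
    "license_plate": "8abc 123",
}

if __name__ == "__main__":
    # Assumed key; in practice it lives in a secrets store, never beside the export.
    demo_key = b"example-key-kept-outside-the-export"
    for field, value in deidentify(SAMPLE, demo_key).items():
        print(f"{field:14} {value}")
```

The keyed HMAC is the point of the plate handling: plates form a small space, so an unkeyed hash could be brute-forced back to the plate by anyone holding the export. The fail-closed branch is what makes the classification a control rather than documentation; a new column has to be classified before the export can run.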
Finding 3: Lack of User Access Listing and Reviews
The City did not provide a user access listing for individuals who have access to Personal Identifiable Information (PII) in the parking permit systems, and there is no designation of the data security owner(s). Additionally, there is no evidence that access reviews are being performed periodically.
Recommendation
We recommend that the City establish a list of individuals who have access to add, edit, or delete Personal Identifiable Information (PII). The identified data security owners in each department should review user access rights annually.
Management Response
Responsible Department(s): Information Technology
Concurrence: Agree
Target Date: CY Q4 2024
Action Plan: Vendors are required to supply role-based access control to manage user access levels, and those permissions/restrictions are established upon user set-up. Staff will evaluate updates to centralized process requirements in the review of data privacy policy and procedures, including the feasibility of developing reports that will be shared with the appropriate staff to validate that only authorized staff have access to PII across many software platforms.
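To show what the access listing and annual review in Finding 3 look like in practice, here is an added Python example (not part of the audit, and not the City's or any vendor's tooling) that reconciles a constructed user export from a permit system against a constructed HR roster. It produces the list of accounts that can add, edit, or delete PII and flags the exceptions a data security owner has to decide on: accounts with no active employee behind them, write access held outside the permit program, and accounts with no recent login. The role names, department names, CSV columns, and the 90-day threshold are assumptions.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date

# Assumed role and department names; the real ones come from the vendor's
# role model and the HR system.
PII_WRITE_ROLES = {"permit_admin", "permit_clerk"}        # roles that can add/edit/delete PII
PROGRAM_DEPARTMENTS = {"Transportation", "Revenue Collections"}  # may hold write access
STALE_DAYS = 90                                            # assumed inactivity threshold


@dataclass
class Account:
    username: str
    role: str
    last_login: date


@dataclass
class Employee:
    username: str
    department: str
    active: bool


def parse_accounts(csv_text: str) -> list:
    """Parse a vendor user export with columns username,role,last_login (ISO date)."""
    return [
        Account(r["username"], r["role"], date.fromisoformat(r["last_login"]))
        for r in csv.DictReader(io.StringIO(csv_text))
    ]


def parse_roster(csv_text: str) -> list:
    """Parse an HR roster with columns username,department,status."""
    return [
        Employee(r["username"], r["department"], r["status"] == "active")
        for r in csv.DictReader(io.StringIO(csv_text))
    ]


def review_access(accounts: list, roster: list, review_date: date) -> tuple:
    """Return (pii_writers, exceptions).

    pii_writers is the listing the finding asks for: usernames able to add,
    edit or delete PII. exceptions are (username, reason) pairs for the data
    security owner to resolve; they are findings, not automatic removals.
    """
    active = {e.username: e for e in roster if e.active}
    writers, exceptions, seen = [], [], set()
    for a in accounts:
        if a.username in seen:
            exceptions.append((a.username, "duplicate account entry in export"))
        seen.add(a.username)
        emp = active.get(a.username)
        if emp is None:
            exceptions.append((a.username, "no active employee in HR roster; disable or justify"))
        if a.role in PII_WRITE_ROLES:
            writers.append(a.username)
            if emp is not None and emp.department not in PROGRAM_DEPARTMENTS:
                exceptions.append((a.username, f"PII write access held outside the permit program ({emp.department})"))
        if (review_date - a.last_login).days > STALE_DAYS:
            exceptions.append((a.username, f"no login in more than {STALE_DAYS} days; confirm still required"))
    return sorted(writers), exceptions


# Constructed sample inputs; not real accounts or employees.
ACCOUNTS_CSV = """\
username,role,last_login
asmith,permit_admin,2024-03-15
bjones,permit_clerk,2024-03-20
cwu,viewer,2023-11-02
dlee,permit_clerk,2024-03-18
vendor_support,permit_admin,2024-02-01
"""

ROSTER_CSV = """\
username,department,status
asmith,Transportation,active
bjones,Transportation,active
cwu,Transportation,active
dlee,Library,active
evans,Transportation,terminated
"""


def run_sample() -> tuple:
    """Run the review over the constructed inputs as of an assumed review date."""
    return review_access(parse_accounts(ACCOUNTS_CSV), parse_roster(ROSTER_CSV), date(2024, 3, 31))


if __name__ == "__main__":
    writers, exceptions = run_sample()
    print("Accounts able to add/edit/delete PII:", ", ".join(writers))
    for user, reason in exceptions:
        print(f"REVIEW {user}: {reason}")
```

Run against the sample, the review lists four write-capable accounts and raises three exceptions: the vendor support login has no employee behind it, one clerk account sits in a department outside the program, and one viewer has not logged in for months. Joining the vendor export to the HR roster is what turns a static user list into a review; the export alone cannot tell you that an account belongs to someone who left.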
Finding 4: Inadequate Breach of Contract with Third-Party Vendor
There is a section called "Data Security Breach Notification Act" within the City's Data Privacy Policy; however, there is no specific mention of breaches at third-party vendors.
Recommendation
We recommend that the City's Data Privacy Policy explicitly cover breaches that occur at third-party vendors. The policy should specifically emphasize that vendors are required to adhere to and uphold the data privacy and security standards set by the City. Additionally, the policy should specify that third-party vendors must follow the City's data classifications and requirements. The City's data breach response plan should identify a key point of contact, define approved communication methods, set the maximum timeframe within which an incident must be communicated to the City, and state the minimum key information that must be provided.
Management Response
Responsible Department(s): Information Technology
Concurrence: Partially Agree
Target Date: CY Q4 2024
Action Plan: All vendors are required to agree to the City's Cybersecurity Terms and Conditions, which require notification of a security breach; this is evidenced by the ALPR contract approved in 2021, which included these terms. Specific updates to specify response plan expectations in the policy will be reviewed as part of the project to update all IT policies, as staff agreed the policy is in need of review and update.
Finding 5: Inadequate Vendor Performance Assessment
The City does not have a formal process to ensure on-going vendor compliance with the Vendor Information Security Assessment (VISA) Questionnaire through the full term of the parking permit systems contracts.
Recommendation
We recommend that the Transportation Department establish a formal vendor performance assessment for all third-party vendors. This assessment would help evaluate potential risks, identify the benefits of working with a vendor, and confirm that the vendor is fulfilling the terms of the contract while delivering value in the relationship. Specific tests that can be performed during a third-party assessment are performance tests, delivery tests, customer service tests, cybersecurity tests, and compliance tests.
Management Response
Responsible Department(s): Information Technology, Office of Transportation, Administrative Services
Concurrence: Partially Agree
Target Date: Q4 CY 2024
Action Plan: The Office of Transportation is responsible for contract management and has an informal process to ensure service providers are meeting the scope of services described within. A more formal process to ensure continued compliance with cyber security requirements through the term of the contract will be reviewed among Administrative Services, Office of Transportation, and Information Technology to determine an appropriate procedure. Staff is reviewing this in alignment with the IT risk management process which was recommended as part of the Risk Management Assessment completed by Baker Tilly previously.
Finding 6: Absence of Third-Party Agreement Requirements
The City’s third-party license plate reading provider agreement does not formally define the minimum requirements and vendor expectations related to the workflows that process PII data.
Recommendation
The City should implement internal controls to ensure that all third-party providers and agreements are in alignment with Palo Alto's maximum risk appetite and risk posture in the following areas:
•Contractual language for the management of third parties that have access to City PII data.
•Duly executed contracts are in place with third parties managing, or that have access to, workflows related to PII data.
•Third-party companies responsible for, or that have access to, workflows related to PII are appropriately risk ranked in order to assess exposure to privacy data leakage.
•Self-assessment of third-party vendors is managed and reviewed to ensure performance is satisfactory.
Management Response
Responsible Department(s): Information Technology & Administrative Services
Concurrence: Partially Agree
Target Date: Q4 CY 2024
Action Plan: The City currently has a procurement process that involves the requesting department, legal review, and consultation with stakeholders such as Information Technology or Human Resources. This process will be detailed in the nearly completed Procurement Audit. Standard contract templates that are in alignment with the City’s risk tolerance levels are used when possible; when changes or alternative contract documents are necessary, they are reviewed by these parties in depth to ensure general compliance with risk exposure. As such, this continues to be a living process as both service providers and industry standard practices evolve; staff agree that as more technology contracts are required for the delivery of services, clarity in risk tolerance and alignment with contract terms will continue to be adjusted.