2018-06-21 Policy & Services Committee Agenda Packet

Policy and Services Committee

MATERIALS RELATED TO AN ITEM ON THIS AGENDA SUBMITTED TO THE CITY COUNCIL AFTER DISTRIBUTION OF THE AGENDA PACKET ARE AVAILABLE FOR PUBLIC INSPECTION IN THE CITY CLERK’S OFFICE AT PALO ALTO CITY HALL, 250 HAMILTON AVE. DURING NORMAL BUSINESS HOURS.

Thursday, June 21, 2018
Special Meeting
Community Meeting Room
6:00 PM

Agenda posted according to PAMC Section 2.04.070. Supporting materials are available in the Council Chambers on the Thursday 12 days preceding the meeting.

PUBLIC COMMENT
Members of the public may speak to agendized items. If you wish to address the Committee on any issue that is on this agenda, please complete a speaker request card located on the table at the entrance to the Council Chambers/Community Meeting Room, and deliver it to the Clerk prior to discussion of the item. You are not required to give your name on the speaker card in order to speak to the Committee, but it is very helpful.

Call to Order

Oral Communications
Members of the public may speak to any item NOT on the agenda.
Action Items

1. Policy and Services Committee Recommend the City Council Accept the Green Purchasing Audit Status Update
2. Policy and Services Committee Recommend the City Council Accept the Status Update on the Audit of Parking Funds and Approve Consolidation of Residential Parking Funds
3. Policy and Services Committee Recommend the City Council Accept the Status Update of the Community Services Department Fee Schedule Audit
4. Policy and Services Committee Recommend the City Council Accept the Status Update on the Cross Bore Inspection Contract Audit
5. Policy and Services Committee Recommend the City Council Accept the Status Update on the Accuracy of Water Meter Billing Audit
6. Auditor's Office Quarterly Report as of March 31, 2018
7. Policy and Services Committee Recommends the City Council Accept the ERP Planning: Information Technology and Data Governance Audit

REVISED

Future Meetings and Agendas

Adjournment

AMERICANS WITH DISABILITY ACT (ADA)
Persons with disabilities who require auxiliary aids or services in using City facilities, services or programs or who would like information on the City’s compliance with the Americans with Disabilities Act (ADA) of 1990, may contact (650) 329-2550 (Voice) 24 hours in advance.
City of Palo Alto (ID # 8900)
Policy and Services Committee Staff Report

Report Type: Action Items
Meeting Date: 6/21/2018

Summary Title: Green Purchasing Audit Update

Title: Staff Recommendation That the Policy and Services Committee Recommend the City Council Accept the Green Purchasing Audit Status Update

From: City Manager
Lead Department: Public Works

Recommendation
Staff recommends that City Council accept the attached Status of the City Auditor’s Green Purchasing Program Audit Recommendations.

Executive Summary
Staff has completed or made progress on seven of the eight Auditor’s recommendations. This report summarizes the progress made to date.

Background
In April 2017, the City Auditor’s Office issued an audit on the City’s Green Purchasing Program. The purpose of the audit was to determine whether the City of Palo Alto complies with applicable green purchasing requirements in its purchases. The audit report presented one finding with a total of eight recommendations and 17 tasks. Staff from Public Works, Administrative Services, Utilities and IT have worked together to address the recommendations. Details are covered in Attachment A – Green Purchasing Audit Matrix Spring 2018.

Attachments:
· May 2 2018 Green Purchasing Spring 2018 Audit Final

STATUS OF AUDIT RECOMMENDATIONS
GREEN PURCHASING PRACTICES – ISSUED 4/13/17

The City Manager has agreed to take the following actions in response to the audit recommendations in this report. The City Manager will report progress on implementation six months after the Council accepts the audit report, and every six months thereafter until all recommendations have been implemented.

Finding: The City does not always comply with applicable green purchasing requirements in purchases

Recommendation 1. The City Manager’s Office should clearly define the department(s) responsible for implementing green purchasing policies, determine if additional staffing and funding is needed to implement the policies, and provide the responsible department(s) with the authority to implement green purchasing across the City. The responsible department(s) should then:
Responsible Department(s): ASD/CMO
Original Target Date and Response: Concurrence: Agree. Target Date: August 1, 2017. Action Plan: Staff will prepare a document identifying the responsibilities, funding, and staffing needs as suggested.
Status: In progress.
Implementation Update and Expected Completion Date: March 2018 Management Update: Roles, responsibilities and staffing needs were drafted by PWD, CMO and ASD. Funds for a 0.5 contract position have been requested as part of the FY 2019 budget and were not approved because of a federal lawsuit regarding contracted staff which may also pertain to City contracted staff. The issue is under review in the Attorney’s Office. When a decision is made, the Green Purchasing Team will reconsider how best to increase staffing levels.

Recommendation 2. Consult with the Attorney’s Office to align the Municipal Code as needed with green purchasing policies.
Responsible Department(s): ASD/Attorney
Original Target Date and Response: Concurrence: Agree. Target Date (see related Action Plan targets below): a) September 15, 2017 b) September 15, 2018. Action Plan: a) Determine which parts of municipal code, if any, need to be revised to reflect City policies. b) Revise municipal code as needed.
Status: Complete
Implementation Update and Expected Completion Date: March 2018 Management Update: On April 26, 2018 the Attorney’s Office confirmed that no revisions to the Municipal Code are necessary.

Recommendation 3. Write and distribute consolidated procedures to implement green purchasing policies, including the 10 different areas in the EPP Policy and update existing policies and procedures to reflect current requirements, including recycled paper and p-card guidance.
Responsible Department(s): CMO/ASD/PWD
Original Target Date and Response: Concurrence: Agree. Target Date (see related Action Plan targets below): a) July 1, 2017 b) September 1, 2017 c) April 22, 2018 d) Ongoing. Action Plan: a) Short term (12-18 months): Identify funding and/or staff to implement. This could be via consultant services or Office of Sustainability staff. b) P-Card: Confirm proposed revisions to P-Card guidelines, and integrate into PCard Guidelines, training, and approval process. c) Revise Recycled Paper Policy and procedures and develop an integrated City-wide paper reduction and recycled-content paper procurement plan. d) Draft/implement/revise policies and procedures as needed.
Status: In progress.
Implementation Update and Expected Completion Date: March 2018 Management Update:
3a) Staff requested a 0.5 contracted position for FY19 to help implement Green Purchasing Program which was not approved. See Status Update in Recommendation #1.
3b) Completed. Staff revised P-Card Guidelines to reflect procurement requirements relating to zero waste, pollution prevention and other environmental policies.
3c) Completed. Staff have updated the Procurement of Recycled Paper and Recycled Paper Products Policy as suggested and renamed it the Paper Reduction and Procurement of Environmentally Preferable Paper Products Policy. This policy is currently under review by the CMO before it is added to the online policy manual.
3d) The paper policy (see #3c) and two fleet procurement policies (see #8) were revised.

Recommendation 4. Educate staff on green purchasing policies and procedures through various means, which could include citywide emails, p-card and other training, department staff meetings, and new employee orientations.
Responsible Department(s): ASD, CMO, PWD
Original Target Date and Response: Concurrence: Agree. Target Date: Ongoing as milestones in this document are achieved. Action Plan: Ongoing as milestones in this document are achieved.
Status: In progress.
Implementation Update and Expected Completion Date: March 2018 Management Update: Some outreach has already been done, and outreach will be an ongoing task. Efforts to date include:
· Don’t Sprint to Print email campaign from Zero Waste group;
· PCard guidelines and training have been revised to reflect prohibited purchases;
· Purchasing is developing educational material in the City’s “Comearound” self-training tool which will be completed by July 1, 2018;
· Provided training to IT staff on April 24, 2018 about City policy to purchase EPEAT Certified products (Electronic Product Environmental Assessment Tool)
Discussion about additional education and outreach beyond what has already been done will begin after FY2019 budget approval when potential contracted staff availability has been determined.

Recommendation 5. Evaluate the quality, performance, and cost of 40 percent postconsumer fiber paper towels, monitor the janitorial contractor’s use of cleaning supplies and paper products to ensure compliance with the green purchasing contract requirements, and evaluate the feasibility of including other green products such as Green Seal certified soap and green can liners in the next janitorial contract, as appropriate.
Responsible Department(s): PWD/Facilities
Original Target Date and Response: Concurrence: Agree. Target Date (see related Action Plan targets below): a) April 22, 2018 (see 3c) b) Ongoing c) September 1, 2017. Action Plan: a) Include evaluation of custodial paper products under 3c. b) Continue to monitor custodial contractor’s use of Green Seal products. c) Analyze more environmentally preferable options for trashcan liners.
Status: In Progress
Implementation Update and Expected Completion Date: March 2018 Management Update:
5a) In progress. City’s custodial contractor is now using Green Seal certified toilet paper and 100% recycled content toilet seat covers throughout City facilities, and hand towels are now 20% post-consumer content. Higher content paper towels will need to be considered for the FY 2020 budget as costs of higher recycled content paper towels are $23,000 higher than what is currently purchased.
5b) Ongoing. Two types of hand soaps are currently used – one is Green Seal Certified and the other is Eco Logo Certified.
5c) In progress. Trash can liners with 70% post-consumer recycle content were evaluated and deemed acceptable. These liners meet EPA standard for recycle content. The cost to changeover to these liners is $8,000 annually with the City’s custodial contractor. The request for additional funding for these liners was approved at the first phase of the FY 2019 budget process, and if approved by Council will be used as standard practice as soon as the contractor can transition them in beginning July 2018.

Recommendation 6. Evaluate if the new e-procurement system and proposed enterprise resource planning system or other specialized software can help with tracking and reporting green purchases. As part of the planned transition of the Annual Performance Report to the City Manager’s Office, determine what green purchasing performance measures to track and report on, such as the number and percentage of green products purchased and their environmental benefits. The Sustainable Procurement Playbook for Cities provides potential criteria for what to track.
Responsible Department(s): ASD/PWD
Original Target Date and Response: Concurrence: Agree. Target Date (see related Action Plan targets below): a) December 1, 2017 b) September 1, 2018. Action Plan: a) Form City-wide stakeholder committee to recommend green purchasing performance measures for ERP system to track number and percentage of green products purchased. If ERP system cannot achieve this, consider other options. b) Identify best indicators to track environmental performance for select contracts and services (e.g., less GHG, waste reduction).
Status: In progress.
Implementation Update and Expected Completion Date: March 2018 Management Update:
6a) A committee was formed and recommended ERP specifications were submitted to ASD in fall 2017. Interviews with ERP candidates occurred in late January. A decision on the ERP contractor will occur by summer 2018 (ASD is lead).
6b) Discussion will begin in summer 2018, but the ability to implement additional measures beyond what is currently done may be contingent on staffing availability given that a 0.5 contracted position was not approved. It is time intensive to create, educate, monitor and report environmental impact indicators, and so this task would need to be prioritized while factoring in other department responsibilities.

Recommendation 7. To the extent possible, require vendors to provide data on the amounts of green products and services that the City purchases from them annually.
Responsible Department(s): ASD/PWD
Original Target Date and Response: Concurrence: Agree. Target Date (see related Action Plan targets below): a) September 1, 2017 b) Ongoing. Action Plan: a) Identify selected services and goods requiring vendor data and specify data needed. b) Monitor and enforce data collection.
Status: Discussion will begin after FY2019 budget is determined.
Implementation Update and Expected Completion Date: March 2018 Management Update:
7a) This is related to item 6b. Discussion will begin in summer 2018, but the extent to which staff can implement additional measures beyond what is currently done may be contingent on:
· when contracts expire (the opportunity to add new requirements),
· staffing availability (see 6b).

Recommendation 8. Develop and implement a process to formally document the assessment and suitability of battery-electric and plug-in hybrid vehicles and an evaluation of the cost effectiveness as part of the fleet replacement capital improvement plan budget process. The assessment should consider lifecycle costs and environmental impacts in addition to the initial cost of the vehicle.
Responsible Department(s): PWD/Fleet by
Original Target Date and Response: Concurrence: Agree. Target Date: Sept 30, 2017. Action Plan: a) Establish a process to formally document the suitability of battery electric and plug-in hybrid vehicles within the design and planning process of capital replacements. b) Conduct an evaluation of the cost effectiveness of battery electric and plug-in hybrid vehicles in coordination with the budget office and the Chief Sustainability Officer. This will include life cycle costs and environmental impacts.
Status: Completed.
Implementation Update and Expected Completion Date: March 2018 Management Update: A Fleet Procurement Policy was revised and includes auditor recommendations. Tasks 8a and 8b were addressed in the policy revision.
City of Palo Alto (ID # 9325)
Policy and Services Committee Staff Report

Report Type: Action Items
Meeting Date: 6/21/2018

Summary Title: Parking Funds Audit Status Update and Fund Consolidation

Title: Staff Recommendation That the Policy and Services Committee Recommend the City Council Accept the Status Update on the Audit of Parking Funds and Approve Consolidation of Residential Parking Funds

From: City Manager
Lead Department: Planning and Community Environment

Recommended Motion
Staff recommends that the Policy and Services Committee recommend that the City Council:
a.) accept the attached Status of Audit Recommendations regarding the Audit of Parking Funds, and;
b.) approve the consolidation of residential parking programs into a single non-revenue neutral fund.

Background
In December 2015, the City Auditor’s Office issued an audit of parking funds (Staff report 6404). The purpose of the audit was to determine if the City’s parking in‐lieu and parking permit fees are collected, accounted for, and used in accordance with applicable laws, regulations, policies, and governing documents.

Staff members from Planning and Community Environment, Administrative Services, Public Works, the City Attorney’s Office, Police, and Community Services have jointly worked to address the recommendations. To ensure the continuity of improvements, a workgroup was formed consisting of staff from these departments. This group meets at least quarterly to create high level procedures that establish roles and responsibilities for budgeting and parking fund management.

Staff reported on audit status to the Policy and Services Committee in November 2017. At that time, of the eight recommendations identified in the audit, five had been completed, two required ongoing work (recommendations 2.1 and 2.2), and one (recommendation 1.5) was expected to be complete when the new downtown parking garage is constructed.

Discussion
With the workgroup’s successful completion of the Fiscal Year 2019 proposed parking budgets, recommendations 2.1 and 2.2 are now considered complete. The workgroup will continue to pursue the remaining recommendation (recommendation 1.5): creating necessary procedures to ensure appropriations, funding sources, and capital expenses are accurately and completely tracked during the life of each new parking garage CIP project. The role of the workgroup and the status of these audit recommendations are covered in more detail in Attachment A.

The staff recommendation also includes a change to the manner in which staff administers the RPP fund. The parking audit recommended and staff implemented separate accounts for each RPP. This change, however, has resulted in additional administrative challenges that have complicated implementation of this audit objective. Alternatively, staff requests approval to combine these RPP accounts and to do so in a manner that allows Council to track data for each individual district. The City Auditor has reviewed and supports this recommended change. This fund will not be revenue neutral so that the city can adjust parking permit rates based on city policy to discourage employees from parking in residential neighborhoods.
Attachments:
· Audit status update parking funds June 2018

City of Palo Alto (ID # 9340)
Policy and Services Committee Staff Report

Report Type: Action Items
Meeting Date: 6/21/2018

Summary Title: CSD Fee Schedule Audit and Status Updates

Title: Staff Recommendation That the Policy and Services Committee Recommend the City Council Accept the Status Update of the Community Services Department Fee Schedule Audit

From: City Manager
Lead Department: Community Services

Recommendation
Staff recommends the Policy and Services Committee recommend that the City Council accept the attached Status of Audit Recommendations resulting from the City Auditor’s Community Services Department Fee Schedule Audit.

Background
The City Auditor’s Office issued an audit, the Community Services Department (CSD) Fee Schedule Audit on February 14, 2017. The full audit report can be found here: https://www.cityofpaloalto.org/civicax/filebank/documents/55243.

The audit objective was to determine if department fees cover the cost of services to ensure:
· Financial sustainability of CSD programs;
· Customers pay the appropriate share of service costs, including direct costs and the indirect cost rate related to the service;
· City programs are subsidized in accordance with the City’s cost recovery policy and that the financial impact of subsidies on total cost recovery is clear.

The City Auditor made three recommendations to strengthen the department’s cost recovery procedures and processes for monitoring program costs. The key recommendations were:
1. The City Manager’s Office should coordinate with the City Attorney’s Office and the Administrative Services Department to revise the City’s cost recovery policy and Questica budget system procedures to clarify which fees are not subject to laws limiting fees to cost recovery.
2. CSD should create a procedure to implement the City’s User Fee Cost Recovery Level Policy and incorporate relevant and useful elements from its existing “Class Cost Recovery Policy,” which can then be rescinded.
3. CSD should work with the Administrative Services Department (ASD) and the Information Technology Department to configure SAP or include a requirement for the proposed new enterprise resource planning system to align cost centers with CSD programs.

Discussion
The status of the two open audit recommendations is included in Attachment A. Recommendation #3 has already been implemented. The City Manager’s Office, Administrative Services Department, and Community Services Department anticipate that the remaining two recommendations should be completed by November 2018.

Attachments:
· Attachment A: Status Update

Attachment A

STATUS OF AUDIT RECOMMENDATIONS
FEE SCHEDULE AUDIT – ISSUED 2/4/17

The City Manager has agreed to take the following actions in response to the audit recommendations in this report. The City Manager will report progress on implementation six months after the Council accepts the audit report, and every six months thereafter until all recommendations have been implemented.

Finding: Most Community Services Department (CSD) programs recover costs consistent with City policy; however, CSD does not consistently apply its cost recovery policies and procedures

Recommendation 1. The City Manager’s Office should coordinate with the City Attorney’s Office and the Administrative Services Department to revise the City’s cost recovery policy and Questica budget system procedures to clarify which fees are not subject to laws that limit fees to cost recovery; modify the cost recovery categories to allow for fees that recover more than costs, based on market rates; and configure the Questica budget system to support setting fees to recover more than 100 percent of costs when appropriate.
Responsible Department(s): ASD
Original Target Date and Response: Concurrence: Agree. Target Date: 6/30/2017. Action Plan: ASD staff will coordinate with the CMO, City Attorney and departments to revise and implement the recommendations.
Status: Not started
Implementation Update and Expected Completion Date:
June 2018 Management Update: No change, ASD anticipates it will update this policy by Fall 2018. Expected Completion Date: November 2018.
November 2017 Management Update: ASD and the CMO expect to begin the policy and procedure update shortly and will likely complete this recommendation by Fall 2018.

Recommendation 3. CSD should work with ASD and the Information Technology Department to configure SAP or include a requirement for the proposed new enterprise resource planning system to align cost centers with CSD programs.
Responsible Department(s): CSD
Original Target Date and Response: Concurrence: Agree. Target Date: 7/1/2018. Action Plan: While we will begin working on this in earnest, realistically, we anticipate that we will not fully implement this recommendation for at least two budget cycles. We are currently working with ASD to better align CSD’s Cost Centers in SAP with our individual lines of business. We expect we will complete much of this recommendation by 7/1/2017 but that there will be additional clean up in the next budget year.
Status: In Progress
Implementation Update and Expected Completion Date:
June 2018 Management Update: No change. Staff have identified several clean-up items to further improve cost center alignment to programs. Staff will complete these clean-up actions over the next several months. Expected Completion Date: November 2018.
November 2017 Management Update: CSD has worked with Budget Office staff to better align cost centers with CSD programs. Staff have already updated cost centers for the Children’s Theatre and Human Services and are in the process of updating Recreation, Teen Programs, and Cubberley. Staff have also reviewed CSD staff assignments to ensure that positions are assigned to the appropriate cost centers. Staff anticipates that this review of staff and budget by program should be substantially complete this fall but will likely require clean-up at the beginning of FY 2019. Expected Completion date: 11/1/18

City of Palo Alto (ID # 9349)
Policy and Services Committee Staff Report

Report Type: Action Items
Meeting Date: 6/21/2018

Summary Title: Status Update of Audit Recommendations for Cross Bore Inspection Contract Audit

Title: Staff Recommendation That the Policy and Services Committee Recommend the City Council Accept the Status Update on the Cross Bore Inspection Contract Audit

From: City Manager
Lead Department: Utilities

Recommendation
Staff recommends the Policy and Services Committee recommend that the City Council accept the attached Status of Audit Recommendations for the Cross Bore Inspection Contract Audit.

Background
The City Auditor’s Office previously issued an audit with objectives to determine whether Hydromax USA, LLC, (Hydromax) met its contract requirements for inspecting City sewer pipelines to rule out cross bores and whether the City exercised appropriate contract oversight. This will be the first update since the audit was presented to Council on June 1, 2017. (https://www.cityofpaloalto.org/civicax/filebank/documents/60898)

Staff provided an update to the Utility Advisory Commission (UAC) on January 18, 2018.
(https://www.cityofpaloalto.org/civicax/filebank/documents/62828)

Based on lessons learned from the initial Hydromax investigation, staff recommends that subsequent inspections be phased, with the highest risk laterals inspected first. Staff intends to issue a request for proposal (RFP) for phase 2 of the Cross-Bore Safety Program by end of calendar year 2018 which will address high risk laterals that were not completed previously. The RFP will address the auditor’s recommendation to prioritize a list of sewer pipelines to inspect and incorporate applicable industry standard National Association of Sewer Service Companies (NASSCO) guidelines into the contract specifications.

Since the audit, two Operations staff members have been NASSCO certified for CCTV video inspection. The certification enables the operators to identify defects in a pipeline system with standardized codes and ratings.

Staff has requested additional budget of $1,000,000 in FY 2019 to fund the first year of the phase 2 contract.

Attachments:
· Cross Bore Inspection_June 2018 Final 5-31-18

STATUS OF AUDIT RECOMMENDATIONS
UTILITIES DEPARTMENT: CROSS BORE INSPECTION CONTRACT AUDIT ISSUED 6/1/17
6055040

The City Manager has agreed to take the following actions in response to the audit recommendations in this report. The City Manager will report progress on implementation six months after the Council accepts the audit report, and every six months thereafter until all recommendations have been implemented.

Finding: 1. Hydromax inspected 10,791 (60 percent) of 18,028 laterals and could not complete nearly half of its attempted inspections because of adverse conditions in sewer lines.

Recommendation 1.1. Identify sewer pipelines that Hydromax did not fully inspect or attempt to inspect. Prioritize these sewer pipelines for inspection under a future contract(s). To the extent possible, based on past experience, predict potential inspection challenges, such as poor pipeline conditions, that may hinder future inspections. Disclose these challenges in future contract solicitations.
Responsible Department(s): Utilities
Original Target Date and Response: Concurrence: Agree. Target Date: Late 2018. Action Plan: Staff will review a previously generated prioritization list based on assessment of risk for property classifications, review inventory of parcels that do not have an associated lateral, and develop a final prioritization list and cost estimates based on experience and data from the original crossbore contract. Implementation of next phase will proceed based on available funding.
Current Status: In Progress
Implementation Update and Expected Completion Date: June 2018 Management Update: Utilities Engineering performed a risk analysis of the laterals staff identified as not completed during the initial cross-bore project, to prioritize future inspection and predict potential inspection challenges. The prioritization was based on criteria such as occupancy rates, installation of safety devices, service material, age of service, and distance from gas service. Phase 2 priority categories include high occupancy properties, gas services without excess flow valves, separation distance between sanitary sewer lateral and gas service, and polyethylene (PE) material. Staff expects to issue the RFP for Phase 2 of the crossbore safety inspection program, which will include the risk analysis findings, in summer 2018. Staff has requested additional budget of $1,000,000 in FY 2019 to fund the contract. Expected Completion Date: Q2 of FY 2019

Finding: 2. City oversight and NASSCO contracting guidelines can help ensure accurate, complete, and cost effective future inspections.

Recommendation 2.1. Identify missing data in its laterals database by comparing it with independent databases such as Hydromax inspection data. Update its laterals database to ensure it can effectively serve to track inspection progress.
Responsible Department(s): Utilities
Original Target Date and Response: Concurrence: Agree. Target Date: Mid 2018. Action Plan: Staff will utilize existing data to review and update the City’s GIS to reflect missing active City-owned laterals. This will be done in conjunction with the inventory of parcels referenced in Finding 1.1.
Current Status: In Progress
Implementation Update and Expected Completion Date: June 2018 Management Update: Staff is in the process of reconciling and updating the lateral information in the GIS database, to identify missing laterals. The lateral database will be updated prior to issuance of the RFP for Phase 2 of the project. Common sewer laterals are shared by more than one parcel, thus there is not a one to one ratio of laterals to premises. Staff has started a preliminary review of the various scenarios related to parcels without sanitary sewer laterals and has updated GIS with the two latest capital improvement projects. Staff is working on identifying a dedicated resource to complete the reconciliation process between City mapping data on GIS and Hydromax findings. Expected Completion Date: Q2 of FY 2019

Recommendation 2.2. Incorporate relevant and useful provisions from NASSCO’s contract template, such as linear foot pricing and prior verification of inspector certifications, in future sewer inspection contracts. Consult with the Administrative Services Department’s purchasing staff and the City Attorney’s Office to determine if City can enforce NASSCO template provisions that it plans to incorporate.
Responsible Department(s): Utilities
Original Target Date and Response: Concurrence: Agree. Target Date: Mid to Late 2018. Action Plan: Staff will review the NASSCO contract template and look for provisions to incorporate in a future City contract, as applicable.
Current Status: In Progress
Implementation Update and Expected Completion Date: June 2018 Management Update: Utilities Engineering is in the process of reviewing and adopting applicable National Association of Sewer Service Companies (NASSCO) standards which are appropriate for the City. These include industry standards for the rehabilitation of underground pipelines and continued acceptance and growth of trenchless technologies. Staff has started reviewing the NASSCO contract templates and will incorporate applicable NASSCO standards that can be applied to a future contract. Expected Completion Date: Q2 of FY 2019

Recommendation 2.3. Identify gaps in staff expertise needed to monitor and facilitate field inspections and to review and track inspection data. Develop a training and certification plan for field staff who should have the expertise to help meet the City’s inspection goals and objectives.
Responsible Department(s): Utilities
Original Target Date and Response: Concurrence: Agree. Target Date: Late 2018 to Start of future contract. Action Plan: Staff will continue to review staffing gaps for office and field personnel. If gaps are identified and are not resolved by training, additional expertise will be identified within the City or via contract.
Current Status: In Progress
Implementation Update and Expected Completion Date: June 2018 Management Update: Currently two Operations Staff members are NASSCO certified for CCTV inspection. Staff is working on identifying a dedicated resource for the GIS and database analysis experience.
Expected Completion Date: On-going

City of Palo Alto (ID # 9352)
Policy and Services Committee Staff Report
Report Type: Action Items
Meeting Date: 6/21/2018

Summary Title: Status Update for Audit Recommendations for Accuracy of Water Metering Billing Audit
Title: Staff Recommendation That the Policy and Services Committee Recommend the City Council Accept the Status Update on the Accuracy of Water Meter Billing Audit
From: City Manager
Lead Department: Utilities

Recommendation
Staff recommends the Policy and Services Committee recommend that the Council accept the attached Status of Audit Recommendations for the Accuracy of Water Meter Billing Audit.

Background
The City Auditor’s Office previously issued an audit with objectives to determine if the water utility customers were accurately billed for the water meter type, size, and related adjustments. This will be the first update since the audit was presented to Council on August 22, 2017. (https://www.cityofpaloalto.org/civicax/filebank/documents/62279)

The Utilities and Administrative Services Departments have completed four of the eleven recommendations. The recommendations and actions taken for completion are listed in the attached document (Attachment A).

Recommendation 1.3 is in progress. Staff expects to issue a request for proposal (RFP) in August 2018 to conduct a field audit of the metered services in the City; this field audit will capture all meter sizes, including the recommended 2” and above meters.

Due to staffing constraints, Utilities has not been able to conduct the water cost of service study for finding 1.4 regarding fixed meter charges. Staff expects to issue a water cost of service RFP by end of calendar year 2018.

For recommendation 2.1, staff will review and update existing policies and procedures to inform Council of significant infrastructure changes. Two of the recommendations, 2.2 and 2.3, are related to electronic water meters.
Utilities is awaiting adoption of an American Water Works Association (AWWA) standard for electronic meters. The public comment period on the proposed new standards closed on April 29, 2018. Final publication of the standard may take several months. Staff will notify Council if Utilities adopts the new electromagnetic and ultrasonic water meter standards.

For recommendations 3.1 and 3.2, the Administrative Services Division is currently working on incorporating the nuances of the Sole Source process into Purchasing’s Policy and Procedures. Training is currently being conducted on an as-needed basis. Formal training will be conducted once the Policy and Procedures have been updated.

Attachments:
Water Meter Billing_June 2018 Final 5-31-18

STATUS OF AUDIT RECOMMENDATIONS
ACCURACY OF UTILITY WATER METER BILLING AUDIT – ISSUED 8/16/17
6055039 PAGE 1

The City Manager has agreed to take the following actions in response to the audit recommendations in this report. The City Manager will report progress on implementation six months after the Council accepts the audit report, and every six months thereafter until all recommendations have been implemented.

Table columns: Recommendation; Responsible Department(s); Original Target Date and Response; Current Status; Implementation Update and Expected Completion Date

Finding 1: CPAU has not adequately prevented, detected, nor corrected water meter billing errors. We recommend that CPAU:

1.1. Correct the billing errors identified.
Responsible Department(s): Utilities
Concurrence: Agree
Target Date: November 2017
Action Plan: Utilities staff is confirming the specific addresses and errors cited in the audit. Staff will then take immediate actions to rectify the overcharge situation by contacting the customers and updating their accounts with the correct meter charge as well as reconciling the incorrect charges for the past three years.
For the undercharge or backbill scenario, staff plans to recommend Council approval to modify current meter billing policy and eliminate mandated customer backbilling for utility-caused metering errors under certain circumstances.
Current Status: Completed
June 2018 Management Update: In August 2017, staff notified 258 customers by letter of the water meter billing error. 125 customers were overcharged. Staff updated the customer accounts with the correct meter charges. The customer accounts were credited with the overcharged amounts. 133 customers were undercharged. Staff updated the customer accounts with the correct meter charges. Council approved an amendment to Utility Rule and Regulation 11 “Billings, Adjustments, and Payments of Bills” which allows Utilities to waive undercharges of up to $500 per incident, subject to the three year retroactive billing adjustment period. The undercharges for the 133 customers were waived because the City was responsible for the billing error.
Staff Report: https://www.cityofpaloalto.org/civicax/filebank/documents/64141
Status: Completed

1.2. Investigate each of the 123 water meters that do not match the meter purchasing record, determine if a record or billing correction is required, and correct accordingly.
Responsible Department(s): Utilities
Concurrence: Agree
Target Date: November, 2017
Action Plan: Staff has completed an initial inspection of the 123 meters in the field. Staff will need to conduct further investigation on a few of the accounts to confirm meter type, pipe connection size, and dial register. Thus far, staff has confirmed 84 water meters did not match the meter or billing record. Staff will take the necessary actions to rectify the overcharges and undercharges.
Current Status: Completed
June 2018 Management Update: All 123 meters were field inspected and customer accounts have been adjusted accordingly. There were 70 undercharges, 6 overcharges, and 47 non-billing errors such as incorrect meter size description. The undercharges and overcharges have been rectified under finding 1.1.
Status: Completed

1.3. Review and correct the meter record errors identified for meter sizes larger than 2 inches.
Responsible Department(s): Utilities
Concurrence: Agree
Target Date: December 2018
Action Plan: In preparation for the new CIS Utility billing system and potential advanced meter deployment, staff will consider an in-house or contract service audit of the three metered services (electric, gas, water). Staff will also review and update as needed roles and responsibilities for key staff involved in ensuring meter accuracy, including procurement, inventory, testing, installation, and billing records management.
Current Status: In progress
June 2018 Management Update: Staff will be issuing an RFP for contract services to conduct a field audit of 74,000 meters. One of the requirements is verification of service connection size for 2” or greater water meters.
Expected Completion Date: June 2019

1.4. Explore options for addressing equity when making changes to customer meter size rates and establish a policy and process for determining, documenting, and notifying customers of changes to their meter size and, if appropriate, the rate change associated with the new meter size.
Responsible Department(s): Utilities
Concurrence: Agree
Target Date: July 2018
Action Plan: The audit’s questioning of utility practices regarding changes to meter sizes is based on a unique situation that occurred 22 years ago and does not reflect current policy or process. The situation arising out of Southgate was a unique case and staff does not agree that this or other meter replacement practices raise equity issues. With regard to differential rates for different meter sizes, staff is currently reviewing policy options for addressing this issue going forward, and will develop options such as consolidating the fixed rate for 5/8” and 1” meters for consideration by the City Council.
Current Status: In Progress
June 2018 Management Update: Due to staffing changes, the Utilities Department was not able to engage with a consultant to begin the water cost of service study in FY 2018. Staff expects to issue an RFP in the first half of FY 2019. Options to consolidate the fixed rates for 5/8” and 1” meters will be considered. The study results and staff recommendation will be brought forth for Council review when completed.
Expected Completion Date: April 2019

1.5. With the understanding that CPAU will be migrating to a new ERP system:
a. Implement a temporary monitoring or reporting system to identify record discrepancies that may result in billing errors and correct as discrepancies are identified.
b. Ensure the new ERP system will have automated controls in place to prevent such discrepancies and identify them if they do occur.
Responsible Department(s): Utilities
Concurrence: Agree
Target Date: December 2019
Action Plan:
a. Staff has established a monthly reconciliation report to monitor and identify inconsistent billing and meter attributes which will ensure comprehensive detection of potential error sources across inventory, meter change activity, and billing databases.
b.
Elimination of redundant manual entry has already been identified as a system requirement for the new CIS system. Staff will monitor the ongoing procurement for a new customer information system and enterprise resource planning system to ensure system requirements continue to prioritize minimizing manual entry through integration across databases and automated data entry.
Current Status: Completed with Alternate Implementation Plan
June 2018 Management Update:
a. Staff has been running a monthly reconciliation report since August 2017 to monitor and identify inconsistent or incorrect meter billing data. To date, staff has identified five non-billing data discrepancies and one incorrect billing type. Since these errors were corrected in a timely manner, no billing adjustment was required. Status: Completed
b. Elimination of redundant manual entry in SAP will require a large customization effort which will be resource intensive and costly. Since the City is in the process of upgrading or replacing the ERP and CIS systems, customization of the existing system is not a good return on investment. Elimination of redundant entries and reduction of manual entries are key criteria in the ERP and CIS system evaluation process. Expected Completion Date: February 2021

Finding 2: CPAU has installed 1,178 water eMeters throughout the City; however, there are no testing standards, and the accuracy, performance, and reliability of these meters are uncertain. We recommend that CPAU:

2.1. Develop a policy and procedure to transparently report significant, systemic, infrastructure changes to Council and update any CPAU Rules and Regulations that may be outdated to current practice or affected by policy changes.
Responsible Department(s): Utilities
Concurrence: Agree
Target Date: Immediately
Action Plan: Major infrastructure changes are presented to Council for approval. However, standards are technical documents that provide the general conditions and specifications for the construction of the Water Gas and Wastewater System. Updates to standards are subject to multiple levels of professional review including engineering, procurement and legal. Updated standards will be communicated to Council as informational when substantive.
Current Status: In Progress
June 2018 Management Update: The Utilities Department will inform Council when technical standards are substantive. Since August 2017, the department has not updated the technical standards for electric, gas or water. American Water Works Association (AWWA) has drafted new standards for electromagnetic and ultrasonic type water meters. The public comment period on the proposed new standards closed on April 29, 2018. Final publication of the standard may take several months. Staff will notify Council if Utilities adopts the new electromagnetic and ultrasonic water meter standards. Staff will review and update existing policies and procedures if applicable.
Expected Completion Date: June 2019

2.2. Seek direction and approval from Council before proceeding further with the future installation of eMeters or any electronic meters.
Responsible Department(s): Utilities
Concurrence: Agree
Target Date: Ongoing
Action Plan: Procurement and installation of e-meters will remain suspended until adoption of an AWWA standard for testing and the availability of independent test resources (either in-house or contracted). It is expected that a final standard for testing of E-meters will be available at the end of 2017. The new standards are not expected to change the accuracy requirements from those expected of the positive displacement meter with the exception that there will likely be an extended range of accuracy for low flows. It should be noted the E-Meters is a specific product line, and mechanical meters may also have electronic components.
Current Status: In Progress
June 2018 Management Update: American Water Works Association (AWWA) has drafted new standards for electromagnetic and ultrasonic type water meters. The public comment period on the proposed new standards closed on April 29, 2018. Final publication of the standard may take several months. Staff will notify Council if Utilities adopts the new electromagnetic and ultrasonic water meter standards or seeks to install additional eMeters.
Expected Completion Date: June 2019

2.3. Determine if the 1,178 installed eMeters should be uninstalled and replaced with the original displacement meter and if billing adjustments are required.
Responsible Department(s): Utilities
Concurrence: Agree
Target Date: July 2018
Action Plan: All customers with e-meters installed will be immediately notified of this audit, and that additional information will be provided as available. For eMeter testing, staff will send a sampling of eMeters to independent testing companies to determine if they are performing per manufacturer specification, and based on these results will determine next steps. In addition, the Water Meter Shop has staffing challenges and does not currently have the resources required to undertake this replacement project. At this time, staff will continue to monitor the meter reads for irregularities of both the installed positive displacement and eMeters as part of the billing exception process. Staff is also developing a customer plan for addressing any accuracy concerns with the e-meters already installed.
Current Status: In Progress
June 2018 Management Update: The Utilities department sent letters to the 1,178 residents with installed eMeters.
In response, 55 customers requested their meters to be exchanged. A couple of credit adjustments were required for the eMeter exchanges. As of June 2018, the City has 1,122 eMeters installed. Status: Completed
Staff hired a contractor to test a sampling of eMeters. The contractor tested the eMeters under four different scenarios. Overall, the testing results measured correctly within the manufacturer’s specifications and guidelines of +/- 1.5%. After AWWA publishes the final standards for electromagnetic and ultrasonic type meters, staff will meet with other water agencies to determine the pros and cons of these meters. Staff will make a determination in 2019 on whether to standardize displacement and/or ultrasonic type meters.
Expected Completion Date: June 2019

Finding 3: Purchase of water eMeters did not meet purchasing policy and eMeter expenditures were not monitored. We recommend that ASD Purchasing Division:

3.1. ASD Purchasing to clarify its purchasing policy and procedures for new and renewals of product standardization.
Responsible Department(s): ASD
Concurrence: Agree
Target Date: December 2017
Action Plan: Staff will update the policy and coordinate with stakeholders to ensure the policy is clear and easy to follow. Staff will then finalize the policy and disseminate to departments.
Current Status: In Progress
June 2018 Management Update: This is in the queue for development to update Purchasing’s Policy and Procedures. Purchasing has the “Solicitation Plan Checklist” already and the nuances of the process are currently being written. The current Exemption Form addresses the “Standardization” process in the P&P. The “How To” and step-by-step self-learning tool regarding standardization are in development.
Expected Completion Date: Q4 of FY18

3.2.
ASD Purchasing to retrain appropriate ASD and CPAU staff on Purchasing policies and procedures, and completion of required forms.
Responsible Department(s): ASD
Concurrence: Agree
Target Date: January 2018
Action Plan: In conjunction with 3.1 staff will provide training.
Current Status: In Progress
June 2018 Management Update: Training is being done on an as needed basis. Purchasing will conduct formal training once item 3.1 is complete.
Expected Completion Date: Q2 of FY19

3.3. ASD Purchasing to determine roles and responsibilities and develop a procedure for tracking Sole Source purchases to prevent the overspending of approved amounts.
Responsible Department(s): ASD
Concurrence: Agree
Target Date: March 2018
Action Plan: The SAP system does not currently provide an automated check on sole source spending. Staff will evaluate whether the system can be configured to allow for this. If not, staff will implement manual procedures to track sole source spending.
Current Status: Complete with Alternative Implementation
June 2018 Management Update: Purchasing staff is tracking through a manual spreadsheet-type process, which is complete. The department is in development on how to track sole source purchases and spend within the current ERP system (SAP), if possible, and in the future replacement RFP.
Expected Completion Date: Manual tracking is complete. Automation tracking is expected to be complete in 2021 as part of the new ERP.

CITY OF PALO ALTO OFFICE OF THE CITY AUDITOR
June 12, 2018
The Honorable City Council
Palo Alto, California

Auditor's Office Quarterly Report as of March 31, 2018

RECOMMENDATION
The City Auditor’s Office recommends the Policy and Services Committee review and recommend to the City Council acceptance of the Auditor’s Office Quarterly Report as of March 31, 2018.

SUMMARY OF RESULTS
In accordance with the Municipal Code, the City Auditor prepares an annual work plan and issues quarterly reports to the City Council describing the status and progress towards completion of the work plan.
This report provides the City Council with an update on the third quarter for FY 2018.

Respectfully submitted,
Harriet Richardson
City Auditor

ATTACHMENTS:
Attachment A: Auditor's Office Quarterly Report as of March 31, 2018 (PDF)

Department Head: Harriet Richardson, City Auditor

Quarterly Report as of March 31, 2018
Office of the City Auditor
“Promoting honest, efficient, effective, economical, and fully accountable and transparent city government.”

Attachment A PAGE 2

Fiscal Year (FY) 2018 Third Quarter Update (January – March 2018)

Overview
The audit function is essential to the City of Palo Alto’s public accountability. The mission of the Office of the City Auditor, as mandated by the City Charter and Municipal Code, is to promote honest, efficient, effective, economical, and fully accountable and transparent city government. We conduct performance audits and reviews to provide the City Council and City management with information and evaluations regarding how effectively and efficiently resources are used; the adequacy of internal control systems; and compliance with policies, procedures, and regulatory requirements. Taking appropriate action on our audit recommendations helps the City reduce risks and protect its good reputation.

Activity Highlights
Engaged our consultant, MuniServices, to conduct a study session for the City Council on March 26, 2018, regarding sales taxes and their trends.
City Auditor Harriet Richardson accepted an invitation and went to Ohlone Elementary School to give a presentation on the activities and responsibilities of the Office of the City Auditor as part of the students’ “Volcanic City” project for learning how the City of Palo Alto operates.
Received notification from the Association of Local Government Auditors that our audit, Accuracy of Utility Meter Billing, will receive a Distinguished Audit Award at the May 2018 annual conference.
Audit and Project Work
Below is a summary of our audit and project work for the third quarter of FY 2018:

Title: Enterprise Resource Planning (ERP) Planning Audit: Data and System Governance and Security
Objective(s): Evaluate the adequacy of data and system governance and security in the current SAP system and make recommendations to ensure that identified deficiencies are corrected for the new ERP system.
Start Date: 05/17
End Date: 06/18
Status: In Process
Results/Comments: The audit is in the report writing phase, and we expect to complete the audit in mid-2018.

Title: ERP Planning Audit: Data Reliability and Integrity
Objective(s): Evaluate the integrity and reliability of data in the current SAP system and make recommendations to ensure that identified deficiencies are corrected prior to transferring data to the new ERP system.
Start Date: 05/17
End Date: 06/18
Status: In Process
Results/Comments: This will be a series of reports that focus on different aspects of data reliability or specific data sets. Our first two audits are data standardization and the human resources/payroll data set. These audits are currently in the report writing phase, and we expect to complete them by mid-2018, with more audits to follow.

Title: ERP Planning Audit: Separation of Duties
Objective(s): Evaluate the adequacy of separation of duties for various activities in the current SAP system and make recommendations to ensure that identified deficiencies are corrected for the new ERP system.
Start Date: 05/17
End Date: 06/18
Status: In Process
Results/Comments: The audit is in the report writing phase, and we expect to complete in mid-2018.

Title: Code Enforcement Audit
Objective(s): Evaluate the timeliness and effectiveness of code enforcement actions, the effectiveness of communication with the public, and the accuracy and completeness of code enforcement case tracking for decision making purposes. We conducted a resident survey to help inform our audit recommendations, as described below.
Start Date: 05/17
End Date: 06/18
Status: In Process
Results/Comments: The audit is in the report writing phase. We expect to complete the audit in mid-2018.

Title: Mobile Device Inventory and Security
Objective(s): Determine if the City accurately inventories and securely manages city-owned mobile devices, including laptops, tablets, cell/smart phones, and radios.
Start Date: 03/18
End Date: 10/18
Status: In Process
Results/Comments: The audit is in the planning phase. We expect to complete the audit in late 2018.

Title: Business Registry
Objective(s): Evaluate the rules and processes used to establish the business registry and make recommendations to help clean up the data and ensure accuracy in the future.
Start Date: 02/18
End Date: 06/18
Status: In Process
Results/Comments: The audit is in the report writing phase. We expect to complete the report in mid-2018.

Title: ERP Nonaudit Service
Objective(s): Provide advisory services to the Department of Information Technology regarding its planning of a new ERP system.
Start Date: 09/16
Status: Ongoing
Results/Comments: We attended 13 tactical team meetings during the third quarter of FY 2018 and provided verbal and written advice based on our technical expertise and best practice information readily available to us. Our interaction with the tactical team was limited due to their participation in vendor demonstrations and other due diligence activities. We did not issue a memo this quarter because the fundamental issues we communicated in our previous memos continue to be our main concerns.

Title: Custom Citizen Survey
Objective(s): Conduct a citizen survey, separate from the annual National Citizen Survey™, to obtain resident opinions about code enforcement activities and the built environment.
Start Date: 06/17
End Date: 01/18
Status: Completed
Results/Comments: The National Research Center mailed the survey to 3,000 residents. We compiled the results into a report and presented them at the annual Council retreat on February 3, 2018.
Title: National Citizen Survey™
Objective(s): Obtain resident opinions about the community and services provided by the City of Palo Alto and benchmark our results against other jurisdictions.
Start Date: 06/17
End Date: 01/18
Status: Completed
Results/Comments: The National Research Center has mailed the survey to 3,000 residents. We received the results, did some analysis of the results, and prepared an executive summary. We presented the results at the annual Council retreat on February 3, 2018. We are currently reviewing the questions to identify ones that can be deleted in the 2018 survey to potentially increase the response rate.

Title: Annual Performance Report
Objective(s): Provides citywide information for key areas, including spending, staffing, workload, and performance
Start Date: 08/17
End Date: 01/18
Status: Completed
Results/Comments: Departments provided data, which we compiled into the annual report and presented at the annual Council retreat on February 3, 2018.

Title: Citizen Centric Report
Objective(s): Provides City and community information, performance results, and summary revenue and expenditure data in an easy-to-read four-page format.
Start Date: 12/17
End Date: 01/18
Status: Completed
Results/Comments: We collected and compiled data into the report, which we presented at the annual Council retreat on February 3, 2018.

Other Monitoring and Administrative Assignments
Below is a summary of other assignments as of March 31, 2018:

Title: City Auditor Advisory Roles
Objective(s): Provide guidance and advice to key governance committees within the City.
Status: Ongoing
Results/Comments: The City Auditor serves as an advisor to the Utilities Risk Oversight Committee and Information Security Steering Committee. We are also serving as an advisor for the strategic and technical planning groups for planning the new ERP system (see comment in the Audit and Project Work section above).
Title: Sales and Use Tax Allocation Reviews
Objective(s):
1) Identify businesses that do business in Palo Alto that may have underreported or misallocated their sales and use tax and submit inquiries to the state for review and tax reallocation.
2) Monitor sales taxes received from the Stanford University Medical Center Project and notify Stanford of any differences between their reported taxes and state sales tax information, in accordance with the development agreement.
3) Provide Quarterly Status Updates and Sales Tax Digest Summaries for Council review.
Status: Ongoing
Results/Comments:
1) Total sales and use tax recoveries for the third quarter of FY 2018 were $0 from our inquiries and $41,592 from the vendor’s inquiries, for a total of $41,592 for the quarter and $313,120 for the fiscal year-to-date. Due to processing delays at the State Board of Equalization, 39 potential misallocations are waiting to be researched and processed: 15 from our office and 24 from the vendor.
2) We receive calendar-year sales tax information for the Stanford Medicine development project about six months after the end of the calendar year. We will report the 2017 sales tax information for this project in our June 2018 quarterly report. The City has received $2,896,941 for calendar years 2011 through 2016 as a result of this agreement.
3) Quarterly sales tax reports are published on the Office of the City Auditor website at www.cityofpaloalto.org/gov/depts/aud/reports/default.asp.

Status of Audit Recommendations
Sixty-four recommendations were open at the beginning of the third quarter of FY 2018, and 11 were closed. One status report that was due in the third quarter of FY 2018 is scheduled to be presented to the Policy and Services Committee in June 2018, but we have already verified the implementation of two recommendations for that audit.
One status report is past due, and five other status reports are due during the fourth quarter of FY 2018. Below is a summary of the open audit recommendations as of March 31, 2018:

Audit Title and Report Date: Citywide Cash Handling and Travel Expense, Issued 09/15/10
Due Date: Due – 09/18
Prior Status Report Dates: 03/21/18, 08/22/17, 11/10/15, 09/23/14, 09/10/13, 10/22/12, 04/19/11
Recommendations: 11
Open: 1
Implemented during quarter: 0
Summary of Open Recommendations:
Review practice of reimbursing employee meals when not in a travel status and report the amounts as income to employees to conform to Internal Revenue Service requirements (ASD)

Audit Title and Report Date: Inventory Management, Issued 02/18/14
Due Date: Due – 05/18
Prior Status Report Dates: 11/02/17, 09/23/14
Recommendations: 14
Open: 4
Implemented during quarter: 0
Summary of Open Recommendations:
• Implement City’s inventory management policies and procedures (ASD/UTL/PWD/IT)
• Update and enforce inventory count policies and procedures to ensure consistent and accurate inventory records (ASD)
• Identify, formalize, and communicate inventory management goals and objectives to City departments (ASD)
• Ensure staff identify and use key SAP inventory management reports and appropriately configure and update SAP parameters that affect inventory levels (ASD/IT)

Audit Title and Report Date: Utility Meters: Procurement, Inventory, and Retirement, Issued 03/10/15
Due Date: Due – 05/18
Prior Status Report Dates: 11/02/17
Recommendations: 15
Open: 1
Implemented during quarter: 0
Summary of Open Recommendations:
• Correct purchase order documents to accurately reflect engineering specifications (ASD)
NOTE: Two recommendations were closed because they were deemed to be no longer relevant.
Parking Funds (Issued 12/15/15)
Due date: 05/18
Prior status report dates: 11/14/17
Recommendations: 8; Open: 3; Implemented during quarter: 0
Summary of open recommendations:
• Develop policies and procedures to clarify roles and responsibilities and ensure accurate calculation and reporting of parking-in-lieu fees (PCE, ASD, PWD, CLK)
• Establish policies and procedures to clarify roles and responsibilities for parking programs and parking permit funds (ASD/PCE/PWD/POL)
• Identify financial and performance data required for effective evaluation of parking program (PCE/ASD/POL)

Disability Rates and Workers’ Compensation (Issued 05/10/16)
Due date: 08/18
Prior status report dates: 02/13/18
Recommendations: 15; Open: 8; Implemented during quarter: 7
Summary of open recommendations:
• Update the safety manual/supplemental tools (HR)
• Review departmental procedures and safety requirements to ensure they align with citywide policies and procedures (HR)
• Identify and provide industry-specific ergonomics and general wellness training opportunities (HR)
• Address the disability leave benefits incorrectly reported as compensation to CalPERS (HR)
• Review claims that had differences in additional city benefits and correct any errors identified (HR)
• Determine optimal structure, update tools and procedures, and allocate sufficient and skilled resources to ensure accuracy of benefit eligibility and work status of injured employees (HR)
• Ensure that data for managing disability leave is accurately captured through SAP time reporting (HR)
• Identify useful performance measures and establish procedures to ensure reliable reporting (HR)

Cable Franchise and Public, Education, and Government (PEG) Fees (Issued 06/14/16)
Due date: 09/18
Prior status report dates: 03/21/18, 08/22/17
Recommendations: 9; Open: 6; Implemented during quarter: 0
Summary of open recommendations:
• Assess ongoing need for PEG fees; place fees in restricted account until decisions are made about use of fees (CMO/ATTY/ASD/IT)
• Determine whether to allocate unrestricted funds, instead of PEG fees, to subsidize the Media Center’s operations. (CMO/ATTY/ASD/IT)
• Send letters to cable companies to demand payment of underpaid franchise and PEG fees (CMO/ATTY/ASD/IT)
• Develop criteria for assessing the accuracy of future cable franchise and PEG fee payments and require more detail with payment remittances (ASD)
• Assign responsibility for the cable communications program and provide effective oversight of the program (CMO/CLK)
• Draft an ordinance to update the Palo Alto Municipal Code based on clarified assignment of responsibility (CMO/ASD/ATTY/CLK)

Community Services Department (CSD): Fee Schedule Audit (Issued 02/14/17)
Due date: 05/18
Prior status report dates: 11/14/17
Recommendations: 3; Open: 2; Implemented during quarter: 0
Summary of open recommendations:
• Revise City’s cost recovery policy to align with relevant laws and reconfigure the Questica budget system to support fees that recover more than 100 percent of costs (ASD)
• Configure SAP or the new ERP system to align cost centers with CSD programs (CSD)

Continuous Monitoring: Payments (Issued 04/13/17)
Due date: 09/18
Prior status report dates: 03/21/18
Recommendations: 7; Open: 5; Implemented during quarter: 2
Summary of open recommendations:
• Build a continuous monitoring process into the new ERP system to identify potential duplicate invoices and seek recovery of duplicate payments (ASD)
• Update invoice processing policies and procedures to facilitate identification of duplicate payments (ASD)
• Update policies and procedures to clarify guidance for creation of vendor master records and develop standardized coding vendor records (ASD)
• Build a continuous monitoring process into the new ERP system to identify duplicate, incomplete, or unused vendor records (ASD)
• Clean vendor master file before merging data into new ERP system (ASD)

Green Purchasing Practices (Issued 04/13/17)
Due date: Scheduled for 06/18
Prior status report dates: None
Recommendations: 8; Open: 6; Implemented during quarter: 2
Summary of open recommendations:
• Clearly define department(s) responsible for implementing green purchasing policies and determine if additional staffing and funding are needed to implement the policies (ASD/CMO)
• Develop consolidated procedures to implement green purchasing policies (CMO/ASD/PWD)
• Educate City staff on green purchasing policies (ASD)
• Evaluate if new e-procurement system or other technology solution can help with tracking and reporting green purchases and establish appropriate green purchasing performance measures (ASD/PWD)
• Require vendors to provide data on amounts of green products and services that City purchases from them (ASD/PWD)

Utilities Department: Cross Bore Inspection Contract (Issued 06/01/17)
Due date: Past Due
Prior status report dates: None
Recommendations: 4; Open: 4; Implemented during quarter: 0
Summary of open recommendations:
• Prioritize uninspected sewer pipelines for inspection and disclose potential inspection challenges in future contract solicitations (UTL)
• Identify and update missing data in laterals database (UTL)
• Incorporate relevant provisions from National Association of Sewer Service Companies’ contract template in future sewer inspection contracts (UTL)
• Identify gaps in staff expertise and develop a training and certification plan for field staff who will monitor field inspections (UTL)

Accuracy of Water Meter Billing (Issued 08/16/17)
Due date: 05/18
Prior status report dates: None
Recommendations: 11; Open: 11; Implemented during quarter: 0
Summary of open recommendations:
• Correct billing errors identified (UTL)
• Investigate 123 other meter records with discrepancies and correct as necessary (UTL)
• Review and correct meter records for meters larger than 2 inches (UTL)
• Explore options for addressing equity in meter size rates (UTL)
• Until new ERP system is implemented, implement a temporary monitoring or reporting system to identify and correct discrepancies that may result in billing errors and ensure new ERP system has controls to prevent and identify such discrepancies (UTL)
• Develop a policy and procedures to report significant, systemic infrastructure changes to Council and update City of Palo Alto Utilities’ (CPAU) Rules and Regulations as needed (UTL)
• Seek direction from Council before proceeding with installing additional electronic meters (UTL)
• Determine if installed eMeters should be replaced and if billing adjustments are required (UTL)
• Clarify purchasing policy and procedures for product standardization and sole source (ASD)
• Retrain staff on purchasing policies and procedures and completion of required forms (ASD)
• Determine roles and responsibilities and develop a procedure for tracking sole source purchases to avoid overspending approved amounts (ASD)

Continuous Monitoring: Overtime (Issued 09/06/17)
Due date: 10/18
Prior status report dates: None
Recommendations: 2; Open: 2; Implemented during quarter: 0
Summary of open recommendations:
• Explore potential of developing a continuous monitoring process for overtime (ASD)
• Form a work group to design standardized overtime management processes in the new ERP environment (ASD)

Open Recommendations by Audit Issuance Date
(Fiscal year; audit title; number of open recommendations)

FY 2011
• Citywide Cash Handling and Travel Expense: 1 of 11
FY 2014
• Inventory Management: 4 of 14
FY 2015
• Utility Meters: Procurement, Inventory, and Retirement: 1 of 15
FY 2016
• Parking Funds: 3 of 8
• Disability Rates and Workers’ Compensation: 8 of 15
• Cable Franchise and Public, Education, and Government (PEG) Fees: 6 of 9
FY 2017
• Community Services Department: Fee Schedule: 2 of 3
• Continuous Monitoring: Payments: 5 of 7
• Green Purchasing Practices: 6 of 8
• Utilities Department: Cross Bore Inspection Contract: 4 of 4
FY 2018
• Accuracy of Water Meter Billing: 11 of 11
• Continuous Monitoring: Overtime: 2 of 2

Fraud, Waste, and Abuse Hotline Administration

The hotline review committee, composed of the City Auditor, the City Attorney, and the City Manager, or their designees, meets as needed to review hotline-related activities. No complaints were received during the third quarter of FY 2018. All prior-year complaints have been closed. The chart below summarizes the status of complaints received in each fiscal year since the hotline was implemented.

[Charts: Number of Implemented Recommendations by Quarter (Q1 to Q4); Number of Open Recommendations (FY 18, FY 17, Prior Fiscal Years); Status of Complaints Received by Fiscal Year (FY 2013 to FY 2018; Closed Complaints, Open Complaints)]

CITY OF PALO ALTO OFFICE OF THE CITY AUDITOR
June 21, 2018
The Honorable City Council
Palo Alto, California

Staff Recommends the Policy and Services Committee review and recommend to the City Council acceptance of the ERP Planning: Information Technology and Data Governance Audit

In accordance with the Fiscal Year 2018 Annual Audit Work Plan, the Office of the City Auditor has completed the ERP Planning: Information Technology and Data Governance audit. The audit report presents two findings and four recommendations. The Office of the City Auditor recommends that the Policy and Services Committee review and recommend to the City Council acceptance of the ERP Planning: Information Technology and Data Governance audit.
Respectfully submitted,
Harriet Richardson
City Auditor

ATTACHMENTS:
• Attachment A: Final Report_061318 (DOCX)

Department Head: Harriet Richardson, City Auditor

ERP Planning: Information Technology and Data Governance
June 13, 2018
Office of the City Auditor
Harriet Richardson, City Auditor
Steve Hendrickson, Management Specialist
Houman Boussina, Senior Performance Auditor

Office of the City Auditor ● 250 Hamilton Avenue, 7th Floor ● Palo Alto, CA 94301 ● 650.329.2667
Copies of the full report are available on the Office of the City Auditor website at: https://www.cityofpaloalto.org/gov/depts/aud/reports/performance/default.asp

OFFICE OF THE CITY AUDITOR
EXECUTIVE SUMMARY
ERP Planning: Information Technology and Data Governance
June 13, 2018

PURPOSE OF THE AUDIT

The purpose of this audit was to determine if the City has:
• Information technology (IT) governance policies and procedures to align City IT systems with City goals and objectives.
• Data governance policies and procedures to maintain confidentiality, integrity, availability, and usefulness of the City's data.

The audit also assessed whether IT or data governance changes need to be made to prepare for future IT systems.

CONCLUSION

The City does not have a sufficient IT or data governance structure, including policies and procedures that clearly define roles and responsibilities. It is essential for the City to develop IT and data governance processes prior to implementing a new ERP system to ensure that implementation and ongoing operation of the system are successful, in alignment with City goals and objectives, and that existing data are accurate, consistent, and complete before being migrated into the new system.
REPORT HIGHLIGHTS

Finding 1: (Page 6)
The City does not have a mature information technology (IT) governance structure to ensure that the City’s IT systems, including the new ERP system, fully align with departments’ operational goals and objectives, prevent project cost overruns, and protect against unauthorized access to confidential information.

Finding 2: (Page 14)
The City has important data that are not sufficiently accurate, consistent, and complete, which creates a risk of operational failures, financial losses, and legal claims. This can cause decision makers and the public to draw inaccurate conclusions from the data and will present challenges in the City's migration to the future ERP system.

Key Recommendations:
• Assign roles and responsibilities for IT and data governance to ensure that governance covers all key aspects of the City’s information systems and data management.
• Adopt industry standard frameworks, such as COBIT for IT governance overall and the Data Management Association’s Data Management Body of Knowledge, for data governance.

TABLE OF CONTENTS

Objective
Background
Scope
Methodology
Finding 1: Better information technology governance can help ensure that information technology systems, including the new ERP system, support City goals and objectives
    Finding 1 Recommendations
Finding 2: Better data governance will lead to better data in the new ERP system
    Finding 2 Recommendations
Appendix 1: Industry Standard Information Technology and Data Governance Frameworks
Appendix 2: Summary of Information Technology Governance Components and City Status
Appendix 3: Summary of Data Governance Components and City Status
Appendix 4: City Manager’s Response

ABBREVIATIONS

ASD: Administrative Services Department
DAMA: Data Management Association
DMBOK: Data Management Body of Knowledge
GTAG: Global Technology Audit Guide
ISO: International Organization for Standardization
IIA: Institute of Internal Auditors
IEC: International Electrotechnical Commission
IT: Information Technology
NIST: National Institute of Standards and Technology
SOD: Segregation of Duties

INTRODUCTION

Objective

The purpose of this audit was to determine if the City has a citywide:
• Information technology (IT) governance structure, including policies and procedures to align City IT systems with City goals and objectives.
• Data governance structure, including policies and procedures to maintain confidentiality, integrity, availability, and usefulness of the City's data.

The audit also assessed whether IT or data governance changes need to be made to prepare for future IT systems, including the City’s new ERP system.
Background

Information Technology Governance Defined

IT governance is the leadership, organizational structures, policies, and processes to ensure that IT supports the organization’s strategies and objectives within budgetary and staffing constraints. Data governance is a subset of IT governance. It focuses on data management overall by providing the guidance necessary to manage data as an asset, including its availability, usability, integrity, and security. Governance activities are broad and set the stage for more specific management and operational activities. For example, project governance is another subset of IT governance that establishes governance structures and management responsibilities for individual projects, such as projects for acquiring and implementing new IT systems. Finding 1 discusses selected governance activities recommended by The Institute of Internal Auditors (The IIA) and by ISACA, an international body that publishes IT best practices and sets standards for information technology. [1]

[1] ISACA previously stood for Information Systems Audit and Control Association, but the organization now calls itself ISACA.

Data governance and security

Data is the representation of text, numbers, graphics, images, sound, or video. It is the foundation of information and informed decisions and actions. Data quality is synonymous with information quality, since poor data quality results in inaccurate information and poor business performance. Data governance requires authority and oversight of data management. Effective data security policies and procedures ensure that the right people can use and update data in the right way, and that all inappropriate access and change is restricted. [2]

Master data provides information and context about key business elements such as employees and vendors (e.g., connected electronic records in the ERP system that uniquely identify an employee and provide identifying, payroll, and benefits information that does not change often). Business transactions, such as vendor and employee payments, require accurate, consistent, and complete master data.

Roles and responsibilities

The Palo Alto Municipal Code requires the IT Department to provide leadership to the City Council and management on alignment of technology with City initiatives, policies, and strategic objectives and to direct and manage interdepartmental technology governance. The IT Department has established a goal to maintain and mature an IT governance process to ensure alignment between technology priorities, project risks, City goals, and available funds.

ERP Planning and Risks

In 2014, the City hired Plante Moran, a consulting firm, to evaluate the City’s current Enterprise Resource Planning (ERP) environment and provide an updated vision of the City’s ERP needs. The ERP is business management software and technology that integrates key business activities of the City, such as purchasing, inventory, utilities, accounting, payroll, and information technology. In its report, Plante Moran recommended that the City replace the existing ERP system (SAP) that has been in place since 2003. As part of this effort, the IT Department gathered business requirements from each City department and issued a Request for Proposal (RFP), with a goal of selecting a new ERP system for the City by April 2018. The IT Department has planned a phased process to migrate the City’s business data and processes into a new ERP system. The migration process is expected to be completed by June 2022.
ERP risks may prevent the City from realizing the anticipated benefits of an ERP system once it is implemented. Risk areas include:
• Insufficient project management and program governance
• Poor data quality
• Inefficient or ineffective interfaces with other systems
• Incompatibility with business processes
• Underused software functionality
• Ineffective access controls/security
• Insufficient technical infrastructure

The risks involved with acquiring and implementing a new ERP system were the impetus for us to initiate this IT governance audit.

[2] Data Management Association, The Data Management Body of Knowledge, Technics Publications, LLC, New Jersey, 2010, available for purchase at https://dama.org/content/body-knowledge

Scope

While we assessed the City’s information technology and data governance activities and controls that apply to current IT systems, including the current SAP system and other applications that may be migrated or interfaced with the new ERP system, we considered IT governance as it relates to the City as a whole. We focused on Citywide IT and data governance rather than more specific project governance and management activities.

Methodology

To accomplish our objective, we:
• Identified and reviewed applicable standards for IT and data governance (see Appendix 1) including:
    o Global Technology Audit Guide (GTAG) 17: Auditing IT Governance, a publication from The Institute of Internal Auditors that covers the IT governance needed to support organizational strategies and objectives. [3]
    o COBIT 5, an ISACA online publication that provides a comprehensive IT governance and management framework. It provides globally accepted principles, practices, analytical tools and models to help increase the trust in, and value from, information systems. [4]
    o Data Management Body of Knowledge (DMBOK), a Data Management Association (DAMA) publication that provides a data governance and management framework to ensure high-quality data, which is the foundation for information and informed decisions and actions. [5]
• Conducted a risk assessment to identify and prioritize risks associated with IT and data governance.
• Created and administered to all City departments a questionnaire to understand the City’s data governance activities. We separately administered an IT governance survey to the IT Department and a modified data governance survey to reflect the department’s responsibilities and expertise in these areas.

To assess the overall sufficiency of the City’s IT and data governance processes, we converted the responses to a numeric rating based on a simplified application of the COBIT Self-assessment Guide, which provides a framework to rate the maturity of business processes. [6] Exhibit 1 provides an overview of the COBIT process capability levels, which show the evolution of a business process, from incomplete to optimized. Exhibit 2 shows the nine process attributes used to determine process capability levels.

[3] The Institute of Internal Auditors (IIA), Global Technology Audit Guide (GTAG) 17: Auditing IT Governance, 2018, available for purchase at https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG17.aspx.
[4] ISACA, COBIT 5: A Business Framework for the Governance and Management of Enterprise IT, available for purchase at http://www.isaca.org/cobit/pages/default.aspx.
[5] Data Management Association (DAMA), Data Management Body of Knowledge (DMBOK), available for purchase at https://dama.org/content/body-knowledge.
[6] ISACA, COBIT 5 Self-assessment Guide: Using COBIT 5, available for purchase at http://www.isaca.org/cobit/pages/default.aspx

EXHIBIT 1
Process Capability Levels

0 = Incomplete: The process is not implemented or fails to achieve its process purpose. At this level, there is little or no evidence of any systematic achievement of the process purpose.
1 = Performed: The implemented process achieves its process purpose.
2 = Managed: The performed process is now implemented in a managed fashion (planned, monitored and adjusted) and its work products are appropriately established, controlled and maintained.
3 = Established: The managed process is now implemented using a defined process that is capable of achieving its process outcomes.
4 = Predictable: The established process now operates within defined limits to achieve its process outcomes.
5 = Optimizing: The predictable process is continuously improved to meet relevant current and projected business goals.

SOURCE: ISACA, Self-assessment Guide: Using COBIT® 5, 2013

EXHIBIT 2
Process Attributes

SOURCE: ISACA, Self-assessment Guide: Using COBIT® 5, 2013

Compliance with government auditing standards

We conducted this performance audit of information technology and data governance in accordance with our FY 2017 Annual Audit Work Plan and generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

We would like to thank City management and staff for their time, cooperation, and assistance during the audit process.
Finding 1

Better information technology governance can help ensure that IT systems, including the new ERP system, support City goals and objectives

Summary

The City does not have a mature information technology (IT) governance structure, including policies and procedures to ensure that its IT systems, including the new ERP system, will align with departments’ operational goals and objectives; prevent unexpected and excessive project costs associated with poor ERP planning, budgeting, and execution; and protect against unauthorized access to confidential information. It is essential for the City to develop IT governance processes prior to implementing a new ERP system to ensure that roles and responsibilities are understood and to achieve success in the implementation and ongoing operation of the new system.

Existing information technology governance processes not mature or complete

The Palo Alto Municipal Code requires the IT Department to direct and manage interdepartmental technology governance. While the IT Department has implemented some governance processes, their focus is on project governance, or ensuring that individual IT Department projects meet their intended goals. The processes are not sufficient to ensure that the overall portfolio of IT Department projects and activities support all departments’ business goals and objectives.

We compared the IT Department's responses to our questionnaire to the COBIT 5 process capability model, and developed maturity ratings for the IT Department’s governance processes. The results show that IT does not have sufficient policies and procedures or clearly assigned and defined roles and responsibilities for the following governance components on a citywide basis.
There is no clear:
• Assignment of governance roles and responsibilities
• Alignment of IT with City departments’ priorities
• Definition of IT staffing and funding
• Identification and mitigation of IT risks
• Measurement and monitoring of outcomes

The sections below discuss gaps between the City’s existing IT governance and COBIT standards (see Appendix 2). IT governance can help ensure that the City selects and implements its new ERP to better align with departments’ operational goals and objectives and prevent unexpected and excessive project costs associated with poor ERP planning, budgeting, and execution.

The City has not adopted an information technology governance framework

Although the IT Department is responsible for information technology governance, IT governance is managed within the IT Department instead of on a citywide level. The processes the IT Department has are not sufficient or complete, based on our comparison with the COBIT IT governance and management framework. The City has not adopted an industry-recognized framework, such as COBIT, or rated its information technology governance processes using such standards to identify gaps and risks in its governance practices.

The IT Department has a goal in the City’s operating budget book to maintain and mature an IT governance model but does not include any performance metrics to show progress or whether a model has been developed and implemented. The IT Department has not created IT governance policies and procedures to ensure governance activities consistently address all departments’ IT needs on an ongoing basis. COBIT sets forth standards to ensure that IT activities align with entitywide business unit goals and objectives and support development of IT policies and procedures, assignment of roles and responsibilities, and the adoption of performance metrics to measure success.
Governance roles and responsibilities not clearly or sufficiently assigned

COBIT standards call for allocating governance responsibility, authority, and accountability. Applying the standards can help ensure that communication and reporting mechanisms provide the appropriate information for oversight and decision making.

The IT Department has defined IT roles and responsibilities for its staff, created workplans to manage its projects, and currently leads various committees to manage the City’s systems and security. However, the City does not have sufficiently defined and clearly assigned governance roles citywide, nor specific policies and procedures, to ensure ongoing alignment of IT services and systems with departments’ goals and objectives. For example, in our 2017 audit of Continuous Monitoring: Overtime, we found that the City’s public safety departments could not connect their stand-alone scheduling systems to SAP. This required staff to enter their time in two different systems and manually reconcile the entries to identify inconsistencies between the systems.

Governance should ensure information technology supports all departments’ goals and objectives

In 2012, the IT Department created a dedicated IT governance and planning manager position who reported to the IT Department director and an IT Governance Review Board (board). The board included staff from various City departments. The IT Department took these steps to ensure proper planning and prioritization of IT activities, create partnerships between departments and IT for inclusive decision making, and increase project visibility to better prepare for project impacts. However, the City no longer staffs the IT governance and planning manager position, and there is no process to comprehensively manage all of the City’s information systems to align specifically with departments’ goals and objectives.
The board meetings now only include IT management staff, and governance responsibilities are assigned to a senior technologist who reports to the manager of the IT Project Services Division. The senior technologist meets with selected department contacts to discuss their needs, and the manager meets with staff in the Administrative Services, Utilities, and Public Works Departments to identify operational concerns in SAP and to manage SAP projects on an ongoing basis. The City also has an SAP steering committee and project management office with representatives from some City departments who meet to provide oversight of projects and issues specific to SAP.

Although the IT Department currently includes staff from all departments in the limited process to select and implement the City’s new ERP system, the specific and limited nature of this inclusiveness does not represent an ongoing governance process. Governance should be embedded in the enterprise and continually identify and engage with the enterprise’s stakeholders to clearly understand, document, and address their business requirements.

Governance must be properly staffed and funded

The IT Department follows the City’s standard budget processes to staff and fund its operations and systems. It also has internal staff development plans to provide and track training to develop staff and support the City’s IT systems. Governance standards call for the availability of adequate and sufficient IT-related capabilities, including funding, staffing, process, and technology, to support enterprise objectives and ensure optimal use of the IT systems’ capabilities.
For example, having sufficient and well-trained staff to support City staff in how to use the new ERP system, remain current on existing and future system capabilities, and improve business processes based on system features and capabilities would ensure a long-term and successful implementation of the new ERP system.

Past City Auditor’s Office audits identified numerous examples of implemented information systems that had not been leveraged. For example, the 2014 Inventory Management Audit identified that although the City had implemented the SAP inventory system, ASD staff were not aware of important, out-of-the-box functions such as reports on dead stock and inventory turnover. Staff in City departments did not have an understanding of the system configuration or access to staff with technical expertise and time to optimize the system to better align with its business needs.

Increased City department involvement needed to address information security risks

The IT Department has completed several internal and external information security risk assessments and has adopted security policies and procedures. In 2015, Coalfire Systems, Inc. (Coalfire), a consultant, issued an information security risk assessment report that identified 232 risks covering 15 operational areas (e.g., IT policies, data privacy) in the City. The IT Department has identified and tracked the status of the risks over time, including priority, actions, and decisions to accept risks. However, the IT Department has emphasized the confidentiality of the Coalfire report and has not shared details or sufficiently explained these risks to City departments and stakeholders who should have been included in the decision making process to address the risks.
The IT Department’s chief information security officer organizes and leads an Information Security Steering Committee (committee) to inform departments about security matters and initiatives. [7] The committee met in June 2015 to discuss Coalfire’s findings, but the IT Department did not provide the report or documentation of its risk management decisions or recommendations to the committee and did not include committee members in a meaningful, informed decision making process to address the security risks. Governance standards call for an understanding of the enterprise’s tolerance for risk and say that this should be properly communicated citywide, but this has not been done. As of March 2018, the IT Department had decided to accept 115 (44 percent) of the 263 risks identified in the Coalfire report.

[7] The ISSC generally meets quarterly at City Hall and includes representatives from each City department.

IT Department risk management document contains errors and may be misleading

In response to our concerns about broader information security governance activities, the IT Department provided documentation of its decisions and actions to address the Coalfire report findings. Although specific risk management actions are beyond the scope of this governance audit, we noted items in the document that raise concerns about its validity and usefulness in addressing the large number of security risks in the Coalfire report, including information and physical security risks in the City. For example, in response to Coalfire’s observation that a segregation of duties (SOD) analysis is not formally performed on a periodic basis, the response shows the City’s disposition as: “Per SOD Policy this is completed.” The same SOD policy is referenced as the remedy for an observation that only one individual understands how to maintain and manage the City’s Geographic Information System.
The City’s only formal SOD policy addresses the IT Department’s own system administrator responsibilities and not segregation of duties among the various City business processes, which was the context of the Coalfire report finding.

Better governance needed to address unresolved security vulnerabilities

The City’s IT Department has prioritized security, but there are unresolved, long-standing security vulnerabilities that will require a citywide effort to address. For example, our office has informed the IT department and senior management of ongoing concerns about unsecured, personally identifiable information in the City’s shared-access network drives. These drives are unorganized and contain thousands of folders and files that are not governed by any policies or procedures. This report omits further details pertaining to the security vulnerabilities to avoid inappropriate access and dissemination of sensitive or confidential information. We have provided City management a separate, confidential report with details and recommendations to address the security vulnerabilities.

Knowledge of City’s data is a prerequisite to effective security

A recent ISACA announcement states that before you can secure your data, you have to know your data, including what data you have, where you have it, why you have it, and how you are using it. A good governance framework not only covers data visibility, intelligence and insight, but also provides strategic direction for security activities to ensure that cybersecurity objectives, such as effective risk and resource management, are achieved. Finding 2 discusses the need for better citywide data governance.

No metrics to show whether information systems meet citywide business goals and objectives

The IT Department has developed key performance indicators, such as service work order counts and response times, costs by City department, computer counts, and user login counts.
It also participates in the City’s budgeting and performance reporting processes that show overall user satisfaction, service desk requests resolved, and workload metrics. However, IT has not established metrics that provide information regarding whether information systems meet departments’ business goals and objectives. Governance standards include sample metrics such as:

• Percent of management roles with clearly defined accountabilities for IT decisions
• Percent of IT services where expected benefits are realized
• Percent of enterprise goals and requirements supported by IT strategic goals
• Level of business executive awareness
• Understanding of IT innovation possibilities

Plante Moran identified governance concerns

Plante Moran reported challenges that can be addressed through implementing COBIT or other industry-recognized governance standards. Plante Moran’s survey of City staff identified:

• Inefficiencies due to redundant data entry, manual processes and unused system functionality
• Unrealized benefits from current City SAP investments
• Heavy reliance on IT and outside consultants for SAP enhancement requests
• Limited reporting capabilities
• Lack of an intuitive user interface
• Limited ongoing training available
• SAP complexities frustrate users and discourage use of current systems to satisfy business needs
• Loss of SAP institutional knowledge due to staff attrition

Models of information technology governance policies and procedures are available from other jurisdictions

Other cities and public sector agencies have implemented IT governance policies and procedures.
For example, Portland, OR, has a Technology Project Intake policy that requires maintaining a citywide enterprise IT perspective, in which the Technology Oversight Committee places importance on understanding customer business needs as they relate to technology and providing IT management with greater visibility of its customers’ plans and priorities; and Modesto, CA, has an IT Steering Committee Charter that requires the committee to oversee IT strategic alignment and investment priorities. We also identified several universities that have IT governance policies and procedures.

Recommendations

To ensure the successful implementation of the new ERP system, we recommend that the City Manager place emphasis on developing and implementing a strong, citywide IT governance structure prior to implementing a new ERP system by implementing the following recommendations:

1.1. Assign roles and responsibilities for IT governance (e.g., “chief governance officer”) to an existing City position that reports or could potentially report directly to the City Manager or the Chief Information Officer. The roles and responsibilities should include:

• Ensuring that City departments and stakeholders who are the users of the City’s information systems are included in governance processes and decision making, including decisions to address security risks.
• Ensuring that there is a process to validate the accuracy and completeness of key IT reports that are used in decision making or reporting (e.g., the City’s document that shows decisions on addressing risks identified in the Coalfire report; decisions regarding departmental roles and responsibilities for the new ERP system).
• Ensuring that governance covers all key aspects of the City’s information systems (e.g., ensuring that the IT Department has policies and procedures to address the use, organization, security, and access rights for the City’s network drive).

1.2. Adopt an industry standard IT Governance framework, such as COBIT, and a process assessment and rating or maturity model, such as the COBIT 5 process assessment model. Create a plan to achieve a process capability model of 3 (i.e., “established”) or higher for:

• IT staffing and funding
• IT governance roles and responsibilities
• Aligning IT with departments' priorities
• Measuring and monitoring IT governance outcomes
• Identifying and mitigating IT risks

Finding 2

Better citywide data governance will lead to better data in the new ERP system

Summary

The City has not assigned data governance roles and responsibilities to ensure that its data is available, usable, accurate, and consistent. Most City departments do not have sufficient governance processes to ensure that their data is reliable, secure, and useful. The City has important data that is not sufficiently accurate, consistent, and complete, which creates a risk of operational failures, financial losses, and legal claims. This can cause decision makers and the public to draw inaccurate conclusions from the data and will present challenges in the City's migration to the future ERP system. It is essential for the City to develop data governance processes prior to implementing a new ERP system to ensure that data is accurate, consistent, and complete before being migrated into the new system.

Limited and poor quality data has adversely impacted the City

Data and the information created from data are widely recognized as organizational assets that need the partnership of business leadership and technical expertise to effectively manage. Accurate data and information are needed for decision making, operations, and public transparency.
Although City departments, rather than the IT Department, are considered the data owners, departments generally do not have sufficient data governance processes to provide reliable, secure, and useful information. Past City Auditor’s Office reports provide a broad, yet consistent perspective of ongoing, negative outcomes associated with insufficient data governance roles, responsibilities, and processes for the following areas (see Appendix 3):

• Data Integrity refers to the accuracy, consistency and completeness of city data. Our 2017 Continuous Monitoring Audit: Payments identified that almost 41,000 (94 percent) of the City’s 43,642 active vendor records in SAP are unused, duplicates, inconsistent, and/or incomplete, which increased the risk of duplicate, erroneous, and fraudulent payments, as well as incorrectly reported tax information.
• Data Inventory is a comprehensive list of system data, including descriptions and interrelationships of data items that underlie a particular business process. Our 2015 Utility Meter Audit: Procurement, Inventory, and Retirement identified incomplete, inaccurate, inconsistent, and irreconcilable information in the City’s data inventory of utility meters. SAP’s capabilities were not fully used to support and coordinate the meter workflow process and its data, which resulted in customer billing errors. The Utilities Department subsequently identified some of these errors, and we identified others and cited them in our audit, Accuracy of Water Meter Billing.
• Data Migration is the transfer of data between systems. Our 2013 Employee Health Benefits Administration Audit identified incomplete City retiree data in SAP because it had not been migrated from the City’s legacy Lawson system. This resulted in using time consuming manual processes and Excel spreadsheets to track retiree health benefits and the City’s payment obligations.
• Data Security and Access exists to prevent unauthorized access, use, and change of city data. Our 2011 SAP Security Audit identified improperly secured super user accounts that allowed unrestricted access to the City’s data. SAP logs lacked sufficient information to effectively assess the vulnerabilities.
• Legal Compliance is the aspect of data governance that ensures that managing and disclosing city data complies with data security and access laws. Our 2012 Special Advisory Memorandum identified a significant SAP security vulnerability that allowed certain individuals with SAP access to view employee personal information that they did not have a business need to know. Under state law, the combination of name and social security number is “personal information.” Agencies must notify individuals if their personal information is acquired by an unauthorized person in a way that amounts to a security breach under the law.8
  8 See citation in California Civil Code, available at http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.29.
• Availability means the city’s data is easily available for its intended purpose. In our 2016 Disability Rates and Workers' Compensation Audit, we found that the data necessary for disability leave management had not been captured through SAP time reporting. We also found that Human Resources Department staff did not have online access to workers’ compensation claims data maintained by a third-party provider.
• Usability is the aspect of data governance that ensures the data readily meets users’ requirements. Our 2011 SAP Security Audit discussed limitations on our SAP access and that an important, free auditing tool in SAP had not been configured, tested, or provided to us. The audit explained that ASD, at the time responsible for the IT function, did not view the Auditor’s Office access as high priority.
The Palo Alto Municipal Code provides that the Office of the City Auditor will have unrestricted access to obtain sufficient and appropriate evidence to conduct audits.

Most City departments do not have data policies and procedures

Most City departments do not have sufficient data governance processes to provide reliable, secure, and useful information. We compared the departments’ responses to our questionnaire to the criteria in the COBIT 5 process capability model and developed maturity ratings for citywide governance processes. The results show that the City does not have sufficient data governance policies and procedures or clearly assigned and defined roles and responsibilities for data inventory, integrity, migration, security & access, legal compliance, availability, and usability.

The City has not adopted a data governance framework

The City has not assigned data governance roles and responsibilities to ensure that its data is available, usable, accurate, and consistent. Achieving long-term data quality is more feasible when people throughout the organization understand the value of high-quality data and the negative impact of poor-quality data. Establishing clear roles and responsibilities for ensuring high quality data is essential to achieve this.

The IT Department has adopted an information security framework, assigned security roles and responsibilities, and created security policies and procedures. However, these do not address Citywide data governance, which should include a citywide approach to data and information that has been adopted as a set of policies and procedures that encompass the full lifecycle of data, from planning to creating/acquiring through use and disposal. This includes establishing decision-making authority and standards regarding data security, data inventories, content and records management, data quality control, data access, and data sharing, as well as ongoing compliance monitoring of all of the above.
Regular monitoring of data quality helps to catch and fix issues before they cause major problems.

Using the DAMA-DMBOK or a similar framework can help ensure that the City makes informed data governance decisions and implements relevant and useful data management processes. A process maturity framework such as the COBIT Self-assessment Guide can help the City rate and monitor its data governance processes in conjunction with the use of DAMA-DMBOK or a similar framework.

Plante Moran identified data concerns

Plante Moran, the City’s consultant for the new ERP and Utility Billing Planning systems, stated in its November 2014 Enterprise Resource Planning System Evaluation report that the City’s installation of its current SAP system uses a process that perpetuates data errors in the system and continues to cause data integrity issues.9 Plante Moran identified examples of data reliability, access, reporting, and usability limitations in the current SAP system and recommended that the City establish a governance structure to successfully select, implement, and maintain the new ERP system. The City has implemented a project governance structure to select and implement the new ERP system but not a broad IT or data governance framework (see Finding 2) to address the City’s data integrity challenges that could carry over into the new ERP system.

Security policies and procedures not available to staff

The IT Department has adopted data security standards and internal security policies and procedures for the City that are published by the International Organization of Standardization (ISO) and International Electrotechnical Commission (IEC). It also engaged private-sector security experts to assess security vulnerabilities.
In response to our concerns about the lack of access to and visibility of the City’s security policies and procedures, the IT Department published them on the City’s intranet in December 2017 to inform all City staff of the adopted standards and acceptable secure practices. In addition, the City has adopted the proprietary ISO/IEC 27000 security standard. However, this standard cannot be openly distributed, shared, or incorporated into the City’s policies and procedures without specific permission and licensing.10 The IT Department purchases additional copies of the ISO/IEC 27000 standard as needed and prepares work products, such as presentations, that are based on the standard. The IT Department has not assessed whether the City’s security policies and procedures meet the ISO/IEC 27000 standard (i.e., to identify any gaps between the City’s policies and procedures and relevant controls in ISO/IEC 27000).

9 Plante Moran’s report is available at http://www.cityofpaloalto.org/civicax/filebank/documents/51141
10 ISO/IEC 2700 is described at https://www.iso.org/isoiec-27001-information-security.html

National Institute of Standards and Technology (NIST) security standards are comprehensive and appropriate for the City

A more appropriate standard for citywide adoption would be the National Institute of Standards and Technology (NIST) security standards because they are designed for the government sector, are not copyrighted, and are readily accessible, without charge, on the internet.11 NIST SP 800-53 is a comprehensive control framework that provides 276 controls; ISO/IEC 27000 addresses only 196 of those controls. For example, NIST control “AC-22” requires specific steps to ensure that publicly accessible information is appropriate (e.g., does not include information protected under the Privacy Act), but ISO/IEC 27000 does not address this issue.
Although there is no specific requirement for local governments to use NIST standards, a May 2017 presidential executive order requires federal executive departments and agencies to use the more comprehensive NIST cybersecurity framework to manage cybersecurity risks. A previous external financial audit firm recommended that the City adopt and implement the NIST SP 800-53 control framework, which NIST designed for the federal government but also recommended to state, local, and tribal governments, as well as private sector organizations.

11 The NIST security standards are available at https://csrc.nist.gov/CSRC/media//Publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf

Data governance policies and procedures from other jurisdictions

Other cities and public sector agencies, such as the cities of Portland and Modesto, have implemented citywide data governance policies and procedures. For example, Modesto has a data governance charter, a data governance board that oversees the charter, and data governance committees to address citywide, initiative-specific data issues and requirements. Modesto’s procedures include a data checklist to help verify data quality, usability, and security. At the federal level, the Office of Management and Budget has formally chartered the Data Standards Committee as an advisory body to focus on clarifying existing data element definitions and identifying needs for new standards.

Recommendations

To ensure the successful implementation of the new ERP system, we recommend that the City Manager place emphasis on developing and implementing a strong citywide data governance structure prior to implementing a new ERP system by implementing the following recommendations:

2.1. Assign roles and responsibilities for data governance (e.g., a “chief data governance officer”) to an existing position that reports or could potentially report directly to the City Manager or the Chief Information Officer.

2.2. Adopt an industry standard data governance framework, such as the DAMA-DMBOK, and a process maturity model, such as the COBIT 5 process assessment model. Create a plan to achieve a process capability model of 3 (i.e., “established”) or higher for:

• Inventory
• Integrity
• Migration
• Security & Access
• Legal Compliance
• Availability
• Usability

APPENDIX 1 – Industry Standard IT and Data Governance Frameworks

Framework: Global Technology Audit Guide (GTAG) 17: Auditing IT Governance
Description and Reference: An Institute of Internal Auditors (IIA) online publication that covers the IT governance needed to support organizational strategies and objectives. Available for purchase at: https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG17.aspx

Framework: COBIT 5: A Business Framework for the Governance and Management of Enterprise IT
Description and Reference: An ISACA online publication that provides a comprehensive IT governance and management framework to create optimal value from IT. Available for purchase at: http://www.isaca.org/cobit/pages/default.aspx

Framework: Data Management Association, The Data Management Body of Knowledge
Description and Reference: Data Management Body of Knowledge, a Data Management Association publication that provides a data management framework. Available for purchase at: https://dama.org/content/body-knowledge

Framework: National Institute of Standards and Technology (NIST) Special Publication 800-53: Security and Privacy Controls for Information Systems and Organizations
Description and Reference: U.S. Federal Government publication containing a comprehensive catalog of technical and nontechnical security and privacy controls designed for the government sector.
Available at: https://csrc.nist.gov/CSRC/media//Publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf

APPENDIX 2 - Summary of Information Technology Governance Components and City Status

Component of IT Governance: Assign IT Governance Roles & Responsibilities
Status: IT governance and planning position no longer staffed and IT Governance Review Board no longer includes departments. No citywide IT governance policies and procedures or roles and responsibilities.

Component of IT Governance: Align IT with Departments' Priorities
Status: Senior technologist informally meets with departments. Various project management committees. No citywide IT alignment policies and procedures or roles and responsibilities.

Component of IT Governance: Establish IT Staffing & Funding
Status: IT Department follows City’s budget and staffing processes. No citywide IT system-specific staffing policies and procedures or roles and responsibilities.

Component of IT Governance: Identify and Mitigate IT Risks
Status: IT Department has completed internal and external information security assessments and adopted security policies and procedures. No citywide information system risk assessments to more broadly identify information system security, operational, financial, health and safety, and reputational risks.

Component of IT Governance: Measure & Monitor IT Governance Outcomes
Status: The IT Department has developed Key Performance Indicators such as service work order counts, costs by City department, computer counts, and user login counts. No IT metrics that provide information regarding whether information systems meet departments’ business goals and objectives.

APPENDIX 3 – Summary of Data Governance Components and City Status

Key Component of Data Governance: Inventory: The City should have created a comprehensive list of system data which includes descriptions and interrelationships of data items.
Status of City Practices: Some departments have limited data inventories. No citywide policies and procedures, standards, or roles and responsibilities exist outlining the City’s policies on creating data inventories.

Key Component of Data Governance: Integrity: Calls for the City to maintain accurate and complete city data
Status of City Practices: Some systems have limited preventive measures to ensure integrity. Some departments periodically review selected data to ensure it continues to be accurate and complete. No citywide policies and procedures, standards, or roles and responsibilities define the City’s measures to maintain the integrity of its data.

Key Component of Data Governance: Migration: That aspect of data governance in which city departments properly plan for the transfer of data between systems.
Status of City Practices: Some departments have planned data migration for selected projects. No citywide policies and procedures, standards, or roles and responsibilities describing to City departments’ best practices for migrating data between systems.

Key Component of Data Governance: Security & Access: Refers to steps the City should take to prevent the unauthorized access, use and change of city data.
Status of City Practices: IT Department has information security roles and responsibilities and policies and procedures. City uses a basic access control process for SAP. However, security policies and procedures are not available citywide and no citywide standard for access controls for departments’ information systems.

Key Component of Data Governance: Legal Compliance: Ensures that the handling and disclosure of city data follow state and federal laws.
Status of City Practices: IT Department and Utilities Department have legal compliance policies and procedures. No citywide legal compliance policies and procedures, standards, or roles and responsibilities.

Key Component of Data Governance: Availability: Means that city data is readily available.
Status of City Practices: No citywide data availability policies and procedures or roles and responsibilities have been established.

Key Component of Data Governance: Usability: Ensures that the data meets the users’ requirements.
Status of City Practices: No citywide data usability policies and procedures or roles and responsibilities have been established.
APPENDIX 4 – City Manager’s Response

The City Manager has agreed to take the following actions in response to the audit recommendations in this report. The City Manager will report progress on implementation six months after the Council accepts the audit report, and every six months thereafter until all recommendations have been implemented.

Recommendation | Responsible Department(s) | Agree, Partially Agree, or Do Not Agree and Target Date and Corrective Action Plan | To be completed 6 months after Council acceptance and every 6 months thereafter until all recommendations are implemented: Current Status | Implementation Update and Expected Completion Date

Finding 1: Better information technology governance can help ensure that IT systems, including the new ERP system, support City goals, and objectives

To ensure the successful implementation of the new ERP system, we recommend that the City Manager place emphasis on developing and implementing a strong, citywide IT governance structure prior to implementing a new ERP system by implementing the following recommendations:

Recommendation: 1.1. Assign roles and responsibilities for IT governance (e.g., “chief governance officer”) to an existing City position that reports or could potentially report directly to the City Manager or the Chief Information Officer. The roles and responsibilities should include:
• Ensuring that City departments and stakeholders who are the users of the City’s information systems are included in governance processes and decision making, including decisions to address security risks.
• Ensuring that there is a process to validate the accuracy and completeness of key IT reports that are used in decision making or reporting (e.g., the City’s document that shows decisions on addressing risks identified in the Coalfire report; decisions regarding departmental roles and responsibilities for the new ERP system).
• Ensuring that governance covers all key aspects of the City’s information systems (e.g., ensuring that the IT Department has policies and procedures to address the use, organization, security, and access rights for the City’s network drive).
Responsible Department(s): Information Technology
Agree, Partially Agree, or Do Not Agree: Agree.
Target Date: December 31, 2019
Corrective Action Plan: The IT Department implemented IT Governance citywide in 2012 and since then it has been rightsized to reflect the evolving needs of the City. The roles and responsibilities for a leader in IT governance have already been assigned to an individual who reports to the Chief Information Officer (CIO). The IT Department agrees that work is required to address gaps in our city IT governance processes today including leadership roles, communications, reporting, and decision-making.

Recommendation: 1.2. Adopt an industry standard IT Governance framework, such as COBIT, and a process assessment and rating or maturity model, such as the COBIT 5 process assessment model. Create a plan to achieve a process capability model of 3 (i.e., “established”) or higher for:
• IT staffing and funding
• IT governance roles and responsibilities
• Aligning IT with departments' priorities
• Measuring and monitoring IT governance outcomes
• Identifying and mitigating IT risks
Responsible Department(s): Information Technology
Agree, Partially Agree, or Do Not Agree: Agree.
Target Date: December 31, 2019
Corrective Action Plan: IT Department agrees to identify and adopt an appropriate, rightsized, industry-recognized, IT governance framework. The IT Department working with the City Manager’s Office will determine the appropriate level of IT Governance maturity required for enabling organizational success.

Finding 2: Better citywide data governance will lead to better data in the new ERP system

To ensure the successful implementation of the new ERP system, we recommend that the City Manager place emphasis on developing and implementing a strong citywide data governance structure prior to implementing a new ERP system by implementing the following recommendations:

Recommendation: 2.1. Assign roles and responsibilities for data governance (e.g., a “chief data governance officer”) to an existing position that reports or could potentially report directly to the City Manager or the Chief Information Officer.
Responsible Department(s): Information Technology
Agree, Partially Agree, or Do Not Agree: Agree.
Target date: July 1, 2019
Corrective Action Plan: In January 2017, the IT Department hired a qualified data analyst with responsibility for citywide data governance. The role currently reports up through the Chief Information Officer (CIO). The IT Department agrees to request elevation of this role from City Council to a more senior classification to reflect the increased responsibilities expected as a result of implementing an industry-standard data governance framework.

Recommendation: 2.2. Adopt an industry standard data governance framework, such as the DAMA-DMBOK, and a process maturity model, such as the COBIT 5 process assessment model. Create a plan to achieve a process capability model of 3 (i.e., “established”) or higher for:
• Inventory
• Integrity
• Migration
• Security & Access
• Legal Compliance
• Availability
• Usability
Responsible Department(s): Information Technology
Agree, Partially Agree, or Do Not Agree: Agree
Target date: December 31, 2019
Corrective Action: The IT data lead will work to implement the citywide data strategy that is currently being developed and is part of the FY19-21 IT strategy. Adoption of a standard data governance framework was already identified as a goal in this plan. IT Department agrees to identify and adopt an appropriate, rightsized, industry-recognized, data governance framework. The IT Department working with the City Manager’s Office will determine the appropriate level of data governance maturity required for enabling organizational success.