The URL can be used to link to this page

Home My WebLink About2023-12-12 Policy & Services Committee Agenda PacketPOLICY AND SERVICES COMMITTEE Regular Meeting Tuesday, December 12, 2023 Council Chambers & Hybrid 7:00 PM Pursuant to AB 361 Palo Alto City Council meetings will be held as “hybrid” meetings with the option to attend by teleconference/video conference or in person. To maximize public safety while still maintaining transparency and public access, members of the public can choose to participate from home or attend in person. Information on how the public may observe and participate in the meeting is located at the end of the agenda. Masks are strongly encouraged if attending in person. The meeting will be broadcast on Cable TV Channel 26, live on YouTube https://www.youtube.com/c/cityofpaloalto, a n d s t r e a m e d t o M i d p e n M e d i a Center https://midpenmedia.org. VIRTUAL PARTICIPATION CLICK HERE TO JOIN (https://cityofpaloalto.zoom.us/j/94618744621) Meeting ID: 946 1874 4621 Phone: 1(669)900‐6833 PUBLIC COMMENTS Public comments will be accepted both in person and via Zoom for up to three minutes or an amount of time determined by the Chair. All requests to speak will be taken until 5 minutes after the staff’s presentation. Written public comments can be submitted in advance to city.council@CityofPaloAlto.org and will be provided to the Council and available for inspection on the City’s website. Please clearly indicate which agenda item you are referencing in your subject line. PowerPoints, videos, or other media to be presented during public comment are accepted only by email to city.clerk@CityofPaloAlto.org at least 24 hours prior to the meeting. Once received, the Clerk will have them shared at public comment for the specified item. To uphold strong cybersecurity management practices, USB’s or other physical electronic storage devices are not accepted. CALL TO ORDER PUBLIC COMMENT Members of the public may speak to any item NOT on the agenda. ACTION ITEMS 1.Discussion regarding State and Federal Legislative Advocacy and Discussion and Recommendation on the Annual Legislative Guidelines and Legislative Platform 2.2024 City Council Priority Setting Process Discussion and Recommendations 3.Approval of Office of City Auditor Risk Assessment and Audit Plan (CEQA Status ‐ Not a Project) Late Packet Report 4.Office of City Auditor Presentation of the Wastewater Treatment Plant Agreement Audit Report; CEQA Status ‐ Not a Project Late Packet Report 5.Office eport; 3. 4. 5. CEQA Srt Approval of Office of City Auditor Risk Assessment and Audit Plan (CEQA Status ‐ Not a Project) Office of City Auditor Presentation of the Wastewater Treatment Plant Agreement Audit Report; CEQA Status ‐ Not a Project Office of the City Auditor Presentation of the Investment Management Audit Report; CEQA Status ‐ Not a Project FUTURE MEETINGS AND AGENDAS Members of the public may not speak to the item(s) ADJOURNMENT PUBLIC COMMENT INSTRUCTIONS Members of the Public may provide public comments to teleconference meetings via email, teleconference, or by phone. 1. Written public comments may be submitted by email to city.council@cityofpaloalto.org. 2. For in person public comments please complete a speaker request card located on the table at the entrance to the Council Chambers and deliver it to the Clerk prior to discussion of the item. 3. Spoken public comments using a computer or smart phone will be accepted through the teleconference meeting. To address the Council, click on the link below to access a Zoom‐based meeting. Please read the following instructions carefully. You may download the Zoom client or connect to the meeting in‐ browser. If using your browser, make sure you are using a current, up‐to‐date browser: Chrome 30 , Firefox 27 , Microsoft Edge 12 , Safari 7 . Certain functionality may be disabled in older browsers including Internet Explorer. Or download the Zoom application onto your smart phone from the Apple App Store or Google Play Store and enter in the Meeting ID below. You may be asked to enter an email address and name. We request that you identify yourself by name as this will be visible online and will be used to notify you that it is your turn to speak. When you wish to speak on an Agenda Item, click on “raise hand.” The Clerk will activate and unmute speakers in turn. Speakers will be notified shortly before they are called to speak. When called, please limit your remarks to the time limit allotted. A timer will be shown on the computer to help keep track of your comments. 4. Spoken public comments using a phone use the telephone number listed below. When you wish to speak on an agenda item hit *9 on your phone so we know that you wish to speak. You will be asked to provide your first and last name before addressing the Council. You will be advised how long you have to speak. When called please limit your remarks to the agenda item and time limit allotted. CLICK HERE TO JOIN Meeting ID: 946‐1874‐4621 Phone: 1‐669‐900‐6833 Americans with Disability Act (ADA) It is the policy of the City of Palo Alto to offer its public programs, services and meetings in a manner that is readily accessible to all. Persons with disabilities who require materials in an appropriate alternative format or who require auxiliary aids to access City meetings, programs, or services may contact the City’s ADA Coordinator at (650) 329‐2550 (voice) or by emailing ada@cityofpaloalto.org. Requests for assistance or accommodations must be submitted at least 24 hours in advance of the meeting, program, or service. 1 Regular Meeting December 12, 2023 Materials submitted after distribution of the agenda packet are available for public inspection at www.cityofpaloalto.org/agendas POLICY AND SERVICES COMMITTEERegular MeetingTuesday, December 12, 2023Council Chambers & Hybrid7:00 PMPursuant to AB 361 Palo Alto City Council meetings will be held as “hybrid” meetings with theoption to attend by teleconference/video conference or in person. To maximize public safetywhile still maintaining transparency and public access, members of the public can choose toparticipate from home or attend in person. Information on how the public may observe andparticipate in the meeting is located at the end of the agenda. Masks are strongly encouraged ifattending in person. The meeting will be broadcast on Cable TV Channel 26, live onYouTube https://www.youtube.com/c/cityofpaloalto, a n d s t r e a m e d t o M i d p e n M e d i aCenter https://midpenmedia.org.VIRTUAL PARTICIPATION CLICK HERE TO JOIN (https://cityofpaloalto.zoom.us/j/94618744621)Meeting ID: 946 1874 4621 Phone: 1(669)900‐6833PUBLIC COMMENTSPublic comments will be accepted both in person and via Zoom for up to three minutes or anamount of time determined by the Chair. All requests to speak will be taken until 5 minutesafter the staff’s presentation. Written public comments can be submitted in advance tocity.council@CityofPaloAlto.org and will be provided to the Council and available for inspectionon the City’s website. Please clearly indicate which agenda item you are referencing in yoursubject line. PowerPoints, videos, or other media to be presented during public comment are accepted only by email to city.clerk@CityofPaloAlto.org at least 24 hours prior to the meeting. Once received, the Clerk will have them shared at public comment for the specified item. To uphold strong cybersecurity management practices, USB’s or other physical electronic storage devices are not accepted. CALL TO ORDER PUBLIC COMMENT Members of the public may speak to any item NOT on the agenda. ACTION ITEMS 1.Discussion regarding State and Federal Legislative Advocacy and Discussion and Recommendation on the Annual Legislative Guidelines and Legislative Platform 2.2024 City Council Priority Setting Process Discussion and Recommendations 3.Approval of Office of City Auditor Risk Assessment and Audit Plan (CEQA Status ‐ Not a Project) Late Packet Report 4.Office of City Auditor Presentation of the Wastewater Treatment Plant Agreement Audit Report; CEQA Status ‐ Not a Project Late Packet Report 5.Office of the City Auditor Presentation of the Investment Management Audit Report; CEQA Status ‐ Not a Project Late Packet Report FUTURE MEETINGS AND AGENDAS Members of the public may not speak to the item(s) ADJOURNMENT 1.Written public comments may be submitted by email to city.council@cityofpaloalto.org. 2.For in person public comments please complete a speaker request card located on the table at the entrance to the Council Chambers and deliver it to the Clerk prior to discussion of the item. 3.Spoken public comments using a computer or smart phone will be accepted through the teleconference meeting. To address the Council, click on the link below to access a Zoom‐based meeting. Please read the following instructions carefully. You may download the Zoom client or connect to the meeting in‐ browser. If using your browser, make sure you are using a current, up‐to‐date browser: Chrome 30 , Firefox 27 , Microsoft Edge 12 , Safari 7 . Certain functionality may be disabled in older browsers including Internet Explorer. Or download the Zoom application onto your smart phone from the Apple App Store or Google Play Store and enter in the Meeting ID below. You may be asked to enter an email address and name. We request that you identify yourself by name as this will be visible online and will be used to notify you that it is your turn to speak. When you wish to speak on an Agenda Item, click on “raise hand.” The Clerk will activate and unmute speakers in turn. Speakers will be notified shortly before they are called to speak. When called, please limit your remarks to the time limit allotted. A timer will be shown on the computer to help keep track of your comments. 4. Spoken public comments using a phone use the telephone number listed below. When you wish to speak on an agenda item hit *9 on your phone so we know that you wish to speak. You will be asked to provide your first and last name before addressing the Council. You will be advised how long you have to speak. When called please limit your remarks to the agenda item and time limit allotted. CLICK HERE TO JOIN Meeting ID: 946‐1874‐4621 Phone: 1‐669‐900‐6833 Americans with Disability Act (ADA) It is the policy of the City of Palo Alto to offer its public programs, services and meetings in a manner that is readily accessible to all. Persons with disabilities who require materials in an appropriate alternative format or who require auxiliary aids to access City meetings, programs, or services may contact the City’s ADA Coordinator at (650) 329‐2550 (voice) or by emailing ada@cityofpaloalto.org. Requests for assistance or accommodations must be submitted at least 24 hours in advance of the meeting, program, or service. 2 Regular Meeting December 12, 2023 Materials submitted after distribution of the agenda packet are available for public inspection at www.cityofpaloalto.org/agendas POLICY AND SERVICES COMMITTEERegular MeetingTuesday, December 12, 2023Council Chambers & Hybrid7:00 PMPursuant to AB 361 Palo Alto City Council meetings will be held as “hybrid” meetings with theoption to attend by teleconference/video conference or in person. To maximize public safetywhile still maintaining transparency and public access, members of the public can choose toparticipate from home or attend in person. Information on how the public may observe andparticipate in the meeting is located at the end of the agenda. Masks are strongly encouraged ifattending in person. The meeting will be broadcast on Cable TV Channel 26, live onYouTube https://www.youtube.com/c/cityofpaloalto, a n d s t r e a m e d t o M i d p e n M e d i aCenter https://midpenmedia.org.VIRTUAL PARTICIPATION CLICK HERE TO JOIN (https://cityofpaloalto.zoom.us/j/94618744621)Meeting ID: 946 1874 4621 Phone: 1(669)900‐6833PUBLIC COMMENTSPublic comments will be accepted both in person and via Zoom for up to three minutes or anamount of time determined by the Chair. All requests to speak will be taken until 5 minutesafter the staff’s presentation. Written public comments can be submitted in advance tocity.council@CityofPaloAlto.org and will be provided to the Council and available for inspectionon the City’s website. Please clearly indicate which agenda item you are referencing in yoursubject line.PowerPoints, videos, or other media to be presented during public comment are accepted onlyby email to city.clerk@CityofPaloAlto.org at least 24 hours prior to the meeting. Once received,the Clerk will have them shared at public comment for the specified item. To uphold strongcybersecurity management practices, USB’s or other physical electronic storage devices are notaccepted.CALL TO ORDERPUBLIC COMMENT Members of the public may speak to any item NOT on the agenda. ACTION ITEMS1.Discussion regarding State and Federal Legislative Advocacy and Discussion andRecommendation on the Annual Legislative Guidelines and Legislative Platform2.2024 City Council Priority Setting Process Discussion and Recommendations3.Approval of Office of City Auditor Risk Assessment and Audit Plan (CEQA Status ‐ Not aProject) Late Packet Report4.Office of City Auditor Presentation of the Wastewater Treatment Plant Agreement AuditReport; CEQA Status ‐ Not a Project Late Packet Report5.Office of the City Auditor Presentation of the Investment Management Audit Report;CEQA Statis ‐ Not a Project Late Packet Report3.Approval of Office of City Auditor Risk Assessment and Audit Plan (CEQA Status ‐ Not aProject) 4.Office of City Auditor Presentation of the Wastewater Treatment Plant Agreement AuditReport; CEQA Status ‐ Not a Project5.Office of the City Auditor Presentation of the Investment Management Audit Report;CEQA Status ‐ Not a ProjectFUTURE MEETINGS AND AGENDASMembers of the public may not speak to the item(s) ADJOURNMENT PUBLIC COMMENT INSTRUCTIONS Members of the Public may provide public comments to teleconference meetings via email, teleconference, or by phone. 1.Written public comments may be submitted by email to city.council@cityofpaloalto.org. 2.For in person public comments please complete a speaker request card located on the table at the entrance to the Council Chambers and deliver it to the Clerk prior to discussion of the item. 3.Spoken public comments using a computer or smart phone will be accepted through the teleconference meeting. To address the Council, click on the link below to access a Zoom‐based meeting. Please read the following instructions carefully. You may download the Zoom client or connect to the meeting in‐ browser. If using your browser, make sure you are using a current, up‐to‐date browser: Chrome 30 , Firefox 27 , Microsoft Edge 12 , Safari 7 . Certain functionality may be disabled in older browsers including Internet Explorer. Or download the Zoom application onto your smart phone from the Apple App Store or Google Play Store and enter in the Meeting ID below. You may be asked to enter an email address and name. We request that you identify yourself by name as this will be visible online and will be used to notify you that it is your turn to speak. When you wish to speak on an Agenda Item, click on “raise hand.” The Clerk will activate and unmute speakers in turn. Speakers will be notified shortly before they are called to speak. When called, please limit your remarks to the time limit allotted. A timer will be shown on the computer to help keep track of your comments. 4.Spoken public comments using a phone use the telephone number listed below. When you wish to speak on an agenda item hit *9 on your phone so we know that you wish to speak. You will be asked to provide your first and last name before addressing the Council. You will be advised how long you have to speak. When called please limit your remarks to the agenda item and time limit allotted. CLICK HERE TO JOIN Meeting ID: 946‐1874‐4621 Phone: 1‐669‐900‐6833 Americans with Disability Act (ADA) It is the policy of the City of Palo Alto to offer its public programs, services and meetings in a manner that is readily accessible to all. Persons with disabilities who require materials in an appropriate alternative format or who require auxiliary aids to access City meetings, programs, or services may contact the City’s ADA Coordinator at (650) 329‐2550 (voice) or by emailing ada@cityofpaloalto.org. Requests for assistance or accommodations must be submitted at least 24 hours in advance of the meeting, program, or service. 3 Regular Meeting December 12, 2023 Materials submitted after distribution of the agenda packet are available for public inspection at ww.cityofpaloalto.org/agendas Policy & Services Committee Staff Report From: Chantal Gaines, Deputy City Manager Meeting Date: December 12, 2023 Report #: 2309-2059 TITLE Discussion regarding State and Federal Legislative Advocacy and Discussion and Recommendation on the Annual Legislative Guidelines and Legislative Platform BACKGROUND Staff recommends that the Policy & Services Committee recommend that City Council approve the 2024 Federal and State Legislative Guidelines / Legislative Platform (Attachment A). ANALYSIS As part of the City’s state and federal legislative advocacy program, staff and the City’s contracted federal and state advocates work to identify and analyze potentially impactful legislation and communicate the City’s public advocacy positions to legislators. The program is guided by the Advocacy Process Manual, last approved by City Council on January 13, 2020 (CMR #10772). In addition to the Manual, the City maintains a City Council-approved set of legislative guidelines that provide additional City Council policy direction to staff and the City’s state and federal legislative advocates. The legislative guidelines are used by staff in consultation with the Mayor to respond to bills and other issues that emerge throughout the year. They allow for efficiency in the fast-paced legislative environment. The guidelines were last discussed at the Policy & Services Committee in October 20221 and subsequently at City Council during discussions of the contract for federal and state advocacy. Legislative Guidelines The Legislative Guidelines enhance and add content to the City Council’s overarching priorities; they do not supplant them. The guidelines provide direction to staff and the City’s legislative advocates on issues that are both (a) important to the City Council, and (b) likely to become a legislative issue in 2024. The guidelines are not rank ordered and are intentionally reasonably 1 October 11, 2022 Policy and Services Agenda: Item 1: https://recordsportal.paloalto.gov/Weblink/DocView.aspx?id=8496 Item 1 Item 1 Staff Report Packet Pg. 4 broad rather than specifically narrow to allow for a flexible and quick response. Further, the guidelines are not proactive instructions; they act as a means by which staff and advocates can respond to federal and state government action, without returning to the City Council each time a bill is introduced or amended. The draft 2024 guidelines are a compilation of the current, approved guidelines, City Council’s 2023 priorities, and policy issues staff and the City’s legislative advocates have heard interest in. Attachment A is an updated Legislative Guidelines with feedback from the City Council Legislative Matters Ad Hoc Committee. The recommendation from the Policy and Services Committee will be taken to the full City Council in January 2024 for discussion and adoption. Legislative Update The City’s legislative advocates in Sacramento and Washington, D.C. (Townsend Public Affairs) will be present to provide advocacy updates and information about the coming weeks and months in Sacramento and D.C. if there are questions from the Committee. FISCAL/RESOURCE IMPACT There is no additional funding needed for this report. The City Council budgets annually for the legislative advocacy services and these efforts are led by staff in the City Manager’s Office with stakeholder support across departments on key issues. ENVIRONMENTAL REVIEW The City’s legislative advocacy activities are not a project under section 15378(b)(25) of the California Environmental Quality Act Guidelines (administrative activities that will not result in direct or indirect physical changes in the environment). ATTACHMENTS Attachment A: 2024 Draft Legislative Guidelines Item 1 Item 1 Staff Report Packet Pg. 5 The City of Palo Alto’s 20243 Federal and State Legislative Guidelines Page 1 of 5 These Guidelines reflect and activate the City Council’s priorities; they do not supplant them. They work to guide staff and the City’s legislative advocates on issues that are important to the City Council, and likely to become a legislative issue. These Guidelines are not rank- ordered and are meant to allow for a flexible and quick response by staff and advocates, without the need to return to the City Council to seek guidance. The Guidelines work in conjunction with the City Council-approved Advocacy Process Manual and the City Council action to do “Strategic Weighing in on Issues of Interest” (June 22, 2021 CMR 12344; Minutes). The City Council’s annual priorities are also guidance for the City’s legislative platform. The below Foundational Principles represent the ideals that form the core of the City’s policy agenda. The Legislative Guidelines all rise from and strengthen four foundational principles: 1.Promote Local Fiscal Sustainability: Support measures that promote fiscal stability, predictability, financial independence, and preserve the City’s revenue base and maximum control over local government budgeting. Also Pprotect local revenue sources and prevent unfunded mandates. 2.Support Funding Opportunities: Protect, seek, and increase funding for programs, projects, and services; pursue grants. Seek opportunities that allow the City to compete for regional, state and federal funding. Support funding for programs including, but not limited to, economic development, infrastructure investment, housing, transportation projects (such as road improvements, rail grade separations, bicycle and pedestrian safety, multi-modal transportation systems and transit- oriented development), air quality, water quality and local water reliability, parks and recreation, historic preservation, natural resources, hazard mitigation, public safety and public health. 3.Preserve Local Control: Preserve and protect the City’s powers, duties, and discretion to enact and engage in local processes and policy making concerning local affairs and oppose efforts and legislation from state and regional bodies that preempt local authority. Advocate for longer lead times for implementation of new legislation that impacts Palo Alto. Protect and increase local government discretion. Oppose items that preempt or reduce the authority or ability of local government to determine how to effectively operate local programs, services, activities, and governance. 4.Protect the health and safety of the community: Support policies and funding that enrich the quality of life for the Palo Alto community with services that provide for a safe, fulfilling, and vibrant life. Support policies that promote equity. Item 1 Attachment A - 2024 Draft Legislative Guidelines Packet Pg. 6 The City of Palo Alto’s 20243 Federal and State Legislative Guidelines Page 2 of 5 The Legislative Guidelines create the framework for organizing the City’s policy interests, while guiding staff and contracted lobbyists in their advocacy efforts on behalf of the City. The items below provide direction for the City’s efforts when addressing reasonable government actions. Transportation The City supports government action that: • Deters single occupancy drivers and alleviates local traffic congestion • Supports local and regional public transportation • Regulates technology that diverts traffic into residential neighborhoods • Provides funding for rail grade separations, rail efficiency improvements, and other means of reducing the local impacts of regional transportation systems • Streamlines funding between the state, federal, and local governments that help reduce the amount of time and resources it takes to fund and complete transportation projects. • Sustains local, regional, and state funding sources for the development and maintenance of transportation and does not condition receipt of funds on non -transportation related factors • Supports expansion and/or maintaining of public transit options throughout Palo Alto, especially funding for transit • Supports state legislation that maximizes local control related to land use requirements near transit (especially if it impacts the City’s approach to planning for complete communities) Climate and Environment The City supports government action that: • Reduces GHG emissions and supports progress toward GHG reduction and carbon neutrality goals • Reduces airplane noise, health impacts, and/or airplane emissions • Promotes residential, commercial, and vehicle electrification programs • Promotes workforce development to provide increased workforce needed for electrification and grid modernization • Promotes the use of renewable resources, water conservation, and the flexible use of existing resources Item 1 Attachment A - 2024 Draft Legislative Guidelines Packet Pg. 7 The City of Palo Alto’s 20243 Federal and State Legislative Guidelines Page 3 of 5 • Continues sSupports for a statewide ban on polystyrene containers and packaging materials • Provides opportunities for staff, in partnership to work with the San Francisquito Creek Joint Powers Authority and other regional stakeholders, to advance in efforts to improve the creek’s watershed and floodplain • Supports efforts to protect local communities from sea level rise and other impacts of climate change • Supports proper disposal responsible processing of recyclables once removed from Palo Alto and other communities, including promoting processing facilities and recyclables markets within the United States • Strengthen and modernize the State and Local electric grids • Supports the protection of our natural environment, including open space, trees/tree canopy, and biodiversity Financial The City supports government action that: • Supports the long-term stability of CalPERS and the ability of local governments to mitigate and manage with flexibility its pension obligations • Protects the funding sources and levels of City services for the sustainable delivery of City services • Provides for COVID-19 related expenses and revenue losses • Supports the continued deductibility of tax-exempt municipal bonds and the restoration of Advance Refunding of Tax-Exempt Municipal Bonds • Supports the lowering or maintaining of voter thresholds for local revenue measures • Supports maximum flexibility for local government in contracting and contract negotiations • Supports efforts to attract and retain resources for current and future smaller businesses in Palo Alto • Preserves local discretion in the assessment, collection, and usage of development fees Governance, Transparency, and Human ResourcesPublic Employment The City supports government action that: • Preserves local government’s ability to manage its own employment issues, including, but not limited to hiring, evaluating, disciplining, and/or terminating and negotiating collective bargaining agreements with employees’ representatives • Supports reasonable regulatory efforts surrounding policies regarding cybersecurity, drones, shared mobility services, returning to Obama-era net neutrality regulations, and smart city initiatives Item 1 Attachment A - 2024 Draft Legislative Guidelines Packet Pg. 8 The City of Palo Alto’s 20243 Federal and State Legislative Guidelines Page 4 of 5 • Protects individual privacy and allows the City to safeguard customer information • Maintain existing records collection and retention requirements • Promote teleconferencing flexibilities under the Ralph M. Brown Act • Allows the City to support the collaborative work of regional partners, trade associations, other local governments and organizations, and Joint Powers Authorities • Provides for the equal treatment of all individuals Technology The City supports government action that: • Supports reasonable regulatory efforts surrounding policies regarding cybersecurity, drones, shared mobility services, returning to Obama-era net neutrality regulations, and smart city initiatives Housing The City supports government action that: • Supports reasonable housing policies that recognize local autonomy to maintain the local public process and preserve local government’s ability to determine land use policies and development standards • Provides funding for (a) affordable housing, (b) homelessness, and (c) infrastructure (such as parks, utilities, roads, and transit) required to support the increased housing production and keep pace with local development goals • Promotes the development and enhancement of safe and affordable housing and accessible housing within the City for all economic segments of the population • Promotes funding and tax incentives for the identification, acquisition, maintenance, adaptive reuse, and restoration of historic sites and vacant structures • Fosters reasonable ratios between jobs and housing • Supports the development and implementation of efficient and environmentally sustainable land use and building practices • Supports the provision of greater lead times (extended effective dates of state legislation) for local jurisdictions to implement state legislation which offers Palo Alto the opportunity to apply new land use and housing requirements within the local context PolicePublic Safety The City supports government action that: • Supports efforts which seek to modify policing services, including but not limited to alternative public safety models and funding to address community mental health issues, expansion of requirements regarding police data and rules regarding prior Item 1 Attachment A - 2024 Draft Legislative Guidelines Packet Pg. 9 The City of Palo Alto’s 20243 Federal and State Legislative Guidelines Page 5 of 5 employment information transparency, and expansion of data and communications including radio encryption. • Provides for greater public safety support resources especially related to organized retail theft operations • Reduces weapons-related violence via the enactment of common-sense firearm reforms • Enhances fire and emergency training and response capabilities. Mitigate fire safety risks. Advocate for funding and policy to mitigate wildfire risks and funding for fire services in general • Updates, implements, and refines processes, services, and programs affecting the City. This includes, but is not limited to, public safety reform efforts and streamlining reporting mandates • Support legislation that would address ongoing safety concerns and help prevent acts of violence motivated by hate, including improving data collection and reporting Other The City supports government action that: • Updates, implements, and refines processes, services, and programs affecting the City. This includes, but is not limited to, public safety reform efforts and streamlining reporting mandates • Protects individual privacy and allows the City to safeguard customer information • Provides for the equal treatment of all individuals • Allows the City to support the collaborative work of regional partners, trade associations, other local governments and organizations, and Joint Powers Authorities Item 1 Attachment A - 2024 Draft Legislative Guidelines Packet Pg. 10 3 6 0 1 Policy & Services Committee Staff Report From: City Manager Report Type: ACTION ITEMS Lead Department: City Manager Meeting Date: December 12, 2023 Report #:2311-2280 TITLE 2024 City Council Priority Setting Process Discussion and Recommendations RECOMMENDATION Staff recommends that the Policy and Services Committee discuss and forward for Council approval of a modified priority setting session as outlined in Option 3 for the 2024 Annual Retreat, tentatively scheduled for January 29, 2024 and suspension of the Council Protocols and procedures for the annual retreat to support this. BACKGROUND In October 20121, the City Council approved Priority Setting Guidelines and outlined the role for the Policy & Services Committee in this process. Per the Guidelines (Attachment A), a priority is defined as a topic that will receive particular, unusual and significant attention during the year. Additionally, there is a goal of no more than three priorities per year, generally with a three- year term. The 2023 Priorities, as selected at the City Council’s Annual Retreat on January 28, 20232 are: •Economic Recovery and Transition •Climate Change and the Natural Environment: Protection and Adaptation •Housing for Social and Economic Balance •Community Health and Safety Additionally, in November 20223, the Council adopted value statements to aid in future retreats and priority setting processes: 1 City Council Meeting 10/1/2012 https://www.cityofpaloalto.org/files/assets/public/v/1/agendas-minutes- reports/reports/city-manager-reports-cmrs/year-archive/2012/mini-packet-3156.pdf 2 City Council Retreat 1/28/2023 https://cityofpaloalto.primegov.com/Portal/Meeting?meetingTemplateId=1492 3 City Council Meeting Minutes 11/07/2022 https://www.cityofpaloalto.org/files/assets/public/v/2/agendas- minutes-reports/agendas-minutes/city-council-agendas-minutes/2022/20221107/20221107amccsm.pdf Item 2 Item 2 Staff Report Packet Pg. 11 3 6 0 1 1. We will make decisions that balance revenues and expenses, now and in the future. 2. We will make decisions that are environmentally sustainable, now and in the future. 3. We will integrate equity into our decisions, considering how decisions affect people differently based on their identity or circumstances. 4. We will make decisions that create a healthy, safe and welcoming community for all. 5. We will safeguard public trust through transparent practices and open communication. 6. We embrace innovation. As set forth in the Priority Setting Guidelines, “If needed, the Policy and Services Committee, each year at its December meeting, shall make recommendations about the process that will be used at the Annual Retreat paying particular attention to the number of priorities suggested by Council members. The recommended process is to be forwarded to Council for adoption in advance of the Council retreat.” This report outlines various retreat process options for the Policy & Services Committee to discuss and consider. ANALYSIS The Priority Setting Guidelines define the meaning of a Council priority and lay out the purpose, process, and general parameters for the Council’s annual priority-setting process. Consistent with these guidelines, staff has reached out to the Council to identify their recommendations for 2024 priorities to be considered by the Council. That information is due back to the Council in mid-January for consideration prior to the retreat. In response to feedback from the 2023 goal-setting process and subsequent discussions, staff is recommending the Policy & Services Committee consider modifications to the 2024 Council Annual Retreat to shift discussion towards longer-term strategic issues and initiatives. 2024 represents a unique year for discussion of Council priorities and strategies to advance them, given no Council turnover from the prior year and extensive ongoing efforts on several priorities. Staff has outlined three options for consideration: Option 1 Continue with the Council-adopted, traditional process for establishing annual Priorities, which includes a) community survey feedback, b) suggestions from individual council members, c) public comment, and the generation of new 2024 Priorities. The retreat would use the current four Priorities as a baseline discussion at the January retreat and explore additional Priorities not contemplated among the Priorities as codified. Option 2 Engage in a traditional strategic planning process that includes inputs from a variety of stakeholders that provides for the development of a mission and vision statement, development of a list of strategic priorities (similar to the current goal-setting process), Item 2 Item 2 Staff Report Packet Pg. 12 3 6 0 1 development of a dashboard of measurable initiatives (similar to the current City goals dashboard) linked to the city work plan. Typical strategic plans take a longer horizon (5-20 years). These work sessions are typically spread over two or more meetings and include extensive public outreach and engagement activities. Should the Council choose to recommend this option, staff recommends rescheduling the planned January retreat to allow for a longer planning period and a more extended work session for the Council. Option 3 th. FISCAL/RESOURCE IMPACT STAKEHOLDER ENGAGEMENT Item 2 Item 2 Staff Report Packet Pg. 13 3 6 0 1 be provided with individual Councilmember suggestions for annual priorities received by December 1st. The public will also have an opportunity to provide feedback during the Council retreat, as well as send direct emails to Council. ENVIRONMENTAL REVIEW ATTACHMENTS APPROVED BY: Item 2 Item 2 Staff Report Packet Pg. 14 City Council Protocols and Procedures Handbook 33 Any questions received after 5 p.m. on the Wednesday before the meeting may be responded to via e-mail, or alternatively, will be responded to at the Council meeting. (c)Staff will not engage in “dialogues” with individual Council members regarding questions; however, follow-up questions to initial questions will be responded to at the Council meeting. (d)Staff will give highest priority to responding prior to the Council meeting via e-mail only on items on the Consent Agenda. Questions which address the policy aspects of the item on the Council agenda will not be responded to prior to the meeting, although Staff welcomes such questions in advance of the meeting in order to prepare for the Council and public discussion. Technical and clarifying questions on non-Consent Calendar items will be responded to as time permits. (e)If the staff will be responding to a Council members Consent Agenda question at the meeting rather responding to the question via e-mail, Staff will inform the Council member as early as possible after receipt of the question(s). (f)Questions and all staff-prepared responses will be forwarded to all Council members as well as posted online for public review of Council agenda questions and staff responses. Staff will include the name of the Council member posing the questions in the “subject” field of the e-mail response. (g)Copies of all Council member agenda questions and staff responses will be emailed to the Council p and posted publicly on the meeting agenda. If staff responses are not released until the meeting date, they will be provided in printed form at the dais. * * * SECTION 7 – COUNCIL VALUES AND ANNUAL COUNCIL PRIORITIES (a)Council Values In November 2022, the Council adopted a set of values as described here: The Palo Alto City Council holds these values to help guide decisions that: 1)Balance revenues and expenses, now and in the future. 2)Are environmentally sustainable. 3)Integrate equity into our decisions, considering how decisions affect people differently based on their identity or circumstances. 4)Make decisions that create a healthy, safe and welcoming community for all. 5)Safeguard public trust through transparent practices and open communication. 6)Embrace innovation. ATTACHMENT AItem 2 Attachment A - Priority Setting Guidelines Packet Pg. 15 City Council Protocols and Procedures Handbook 34 (b) Annual Council Priorities Priorities Background and Definition The City Council adopted its first Council priorities in 1986. Each year the City Council reviews its priorities at its Annual Council Retreat. On October 1, 2012 the City Council formally adopted the definition of a Council priority, and the Council’s process and guidelines for selection of priorities. There is a goal of no more than three to four priorities per year and priorities generally have a two- to three-year time limit. Council can identify two to three specific objectives within a priority. A Council priority is defined as a topic that will receive particular, unusual and significant attention during the year. This varies from a Council value which is defined as an enduring goal and intention to guide the work of the City Council. The values (shared above) allow the City Council to maintain these enduring intentions while also selecting annual priorities that reflect shorter- term projects and goals. Purpose The establishment of Council priorities will assist the Council and staff to better allot and utilize time for discussion and decision making. Process In advance of the annual Council Retreat, staff will solicit input from the City Council on the priorities to be reviewed and considered for the following year. 1) Council members may submit up to three priorities. 2) Priorities should be submitted no later than December 1. 3) As applicable, the City Manager will contact newly elected officials for their input by December 1. 4) The City Manager and the City Clerk will solicit for the public to share proposed priorities prior to the Council retreat. The Policy and Services Committee shall recommend to the Council which suggestions if any shall be considered at the City Council retreat. 5) Staff will collect and organize the recommended priorities into a list for Council consideration and provide to Council in the packet for the City Council retreat. 6) If needed, the Policy and Services Committee, each year at its December meeting, shall make recommendations about the process that will be used at the Annual Retreat paying particular attention to the number of priorities suggested by Council members. The recommended process is to be forwarded to Council for adoption in advance of the Council retreat. * * * ATTACHMENT AItem 2 Attachment A - Priority Setting Guidelines Packet Pg. 16 Policy & Services Committee Staff Report Report Type: ACTION ITEMS Lead Department: City Auditor Meeting Date: December 12, 2023 Report #:2311-2306 TITLE Approval of Office of City Auditor Risk Assessment and Audit Plan (CEQA Status - Not a Project) BACKGROUND This will be a late packet report released no later than December 7, 2023. Item 3 Item 3 Staff Report Packet Pg. 17 Policy & Services Committee Staff Report Report Type: ACTION ITEMS Lead Department: City Auditor Meeting Date: December 12, 2023 Report #:2311-2307 TITLE Office of City Auditor Presentation of the Wastewater Treatment Plant Agreement Audit Report; CEQA Status - Not a Project BACKGROUND This will be a late packet report released no later than December 7, 2023. Item 4 Item 4 Staff Report Packet Pg. 18 Policy & Services Committee Staff Report Report Type: ACTION ITEMS Lead Department: City Auditor Meeting Date: December 12, 2023 Report #:2311-2308 TITLE Office of the City Auditor Presentation of the Investment Management Audit Report; CEQA Status - Not a Project BACKGROUND This will be a late packet report released no later than December 7, 2023. Item 5 Item 5 Staff Report Packet Pg. 19 3 3 9 7 Policy & Services Committee Staff Report From: City Manager Report Type: ACTION ITEMS Lead Department: City Auditor Meeting Date: December 12, 2023 Report #:2310-2174 TITLE Approval of Office of City Auditor Risk Assessment and Audit Plan (CEQA Status - Not a Project) RECOMMENDATION The City Auditor recommends that the Policy and Services Committee recommend City Council approve the following reports: 1) Fiscal Year 2023/24 Risk Assessment Report 2) Fiscal Year 2023/24 Audit Plan Report 3) Task Orders identified in the Audit Plan Report o TASK ORDER FY24-4.21 Purchasing Card Program o TASK ORDER FY24-4.22 ADA Compliance Review o TASK ORDER FY24-5 Various Reporting & City Hotline (Modified) EXECUTIVE SUMMARY Baker Tilly interviewed City Council members and executive leadership across 14 departments within the City. In addition, selected directors and managers were asked to complete a survey that provided their view of top risk areas to their departments and the City as a whole. Baker Tilly analyzed the results of the survey and other data and information gathered. The risk assessment involved scoring and ranking the 97 auditable units to identify the audit areas with high to moderate risks. The FY2023/24 Audit Plan was prepared based on the results of the risk assessment, conversations with leadership, and other matters. BACKGROUND The Palo Alto Municipal Code (Section 2.08.1301) requires the City Auditor prepare and submit an annual audit plan to the City Council for review and approval. In its capacity serving as the 1 https://codelibrary.amlegal.com/codes/paloalto/latest/paloalto_ca/0-0-0-60361 Item 3 Item 3 Late Packet Report Packet Pg. 20 3 3 9 7 City Auditor function, and in accordance with Baker Tilly’s agreement with the City2, Baker Tilly performed a citywide risk assessment (Task 2 of the agreement). The purpose of the assessment was to identify and prioritize risks in order to develop the annual audit plan (Task 1). During the risk assessment, Baker Tilly assessed a wide range of risk areas, including strategic, financial, technology, human capital, operational, reputational, economic, and compliance risk categories. ANALYSIS FISCAL/RESOURCE IMPACT STAKEHOLDER ENGAGEMENT ENVIRONMENTAL REVIEW 2 https://www.cityofpaloalto.org/files/assets/public/v/1/agendas-minutes-reports/reports/city-manager-reports- cmrs/year-archive/2020-2/id-11624.pdf?t=64761.15 Item 3 Item 3 Late Packet Report Packet Pg. 21 3 3 9 7 ATTACHMENTS Late Packet Attachment A: OCA – F2023 Risk Assessment Report Late Packet Attachment B: OCA – FY2024 Annual Audit Plan APPROVED BY: Adriane D. McCoy, City Auditor Item 3 Item 3 Late Packet Report Packet Pg. 22 1 December 12, 2023 City of Palo Alto Office of the City Auditor FY2023 Annual Risk Assessment Item 3 Late Packet Attachment A - OCA - F2023 Risk Assessment Report Packet Pg. 23 Contents Baker Tilly US, LLP, trading as Baker Tilly, is an independent member of Baker Tilly International. Baker Tilly International Limited is an English company. Baker Tilly International provides no professional services to clients. Each member firm is a separate and independent legal entity, and each describes itself as such. Baker Tilly US, LLP is not Baker Tilly International’s agent and does not have the authority to bind Baker Tilly International or act on Baker Tilly International’s behalf. None of Baker Tilly International, Baker Tilly US, LLP nor any of the other member firms of Baker Tilly International has any liability for each other’s acts or omissions. The name Baker Tilly and its associated logo is used under license from Baker Tilly International Limited. INTRODUCTION ............................................................................................................. 1 RISK ASSESSMENT APPROACH ................................................................................. 2 SURVEY RESULTS ........................................................................................................ 3 RISK ASSESSMENT RESULTS ..................................................................................... 5 APPENDICES ................................................................................................................. 9 Item 3 Late Packet Attachment A - OCA - F2023 Risk Assessment Report Packet Pg. 24 1 Introduction Overview According to City Ordinance of the City of Palo Alto (the City), the mission of the Office of the City Auditor (OCA) is to promote honest, efficient, effective, economical, and fully accountable and transparent city government. To fulfill this mission, the OCA conducts performance audits and performs financial/operational analyses of city departments, programs, services, or activities as approved by the City Council. (Section 2.08.130). In its capacity serving as the City Auditor function, and in accordance with Baker Tilly’s agreement with the City (Task #1 of the agreement), Baker Tilly US, LLP (Baker Tilly) conducted the fiscal year(FY) 2023 citywide risk assessment in order to develop the FY2024 annual audit plan (Task #2). The California Government Code Section 1236 requires all cities that conduct audit activities to conduct their work under the general and specified standards prescribed by the Institute of Internal Auditors (IIA) or the Government Auditing Standards (GAO) issued by the Comptroller General of the United States, as appropriate. According to the IIA Standard 2010, the head of internal audit function “must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals” and consider the input of senior management and a governing board. The purpose of the risk assessment is to develop an internal audit plan that assigns internal audit resources to the activities that add the most value to the City. The risk assessment process involves identifying, measuring, and prioritizing risks associated with the audit universe (list of specific departments, functions, processes, programs, etc. that can be subject to an audit). Risk is defined as “the possibility of an event or condition occurring that will have an impact on the ability of an organization to achieve its objectives.”1 Our risk assessment involved collaboration with City Council and executive leadership from 14 main departments across the organization. This report summarizes our risk assessment methodology, analysis, and results. The FY2024 annual audit plan is based on the results of this risk assessment. Through the risk assessment, we observed certain strengths of the City. Key strengths include: Commitment to public service High value on efficient and effective government Focus on long term strategy Dedicated and highly professional management and staff Demonstrated history of innovation and commitment to sustainability Risk Assessment Process Considerations The starting point of the internal auditing is to conduct a risk assessment that is the basis for determining the internal audit activities. However, it is not a one-size-fits-all process. The scope and complexity of risk assessment are affected by various factors such as the maturity level of the internal audit function’s products and services, the organization’s enterprise risk management efforts, coordination with other monitoring and risk management functions, and the stakeholders’ expectations. As every organization is subject to changing environment, the results of the annual risk assessment represent the information considered at the time of the assessment. In addition to the annual macro-level risk assessment, the internal audit function is required to perform an engagement-level risk assessment when starting each audit listed in the approved audit plan. The IIA Standard 2200 states, “Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations. The plan must consider the organization’s strategies, objectives, and risks relevant to the engagement.” 1 Rick A. Wright Jr., CIA, “The Internal Auditor’s Guide to Risk Assessment” The Institute of Internal Auditors Research Foundation (IIARF), 2018 Item 3 Late Packet Attachment A - OCA - F2023 Risk Assessment Report Packet Pg. 25 2 Risk Assessment Approach Baker Tilly’s risk assessment approach consisted of four phases as illustrated in the graphic below. 2023 RISK ASSESSMENT PHASES Planning  Prepared risk assessment survey questions and the online survey tool.  Scheduled the interviews with City Council members and Executive Leadership Team (ELT) members. Information Gathering  Reviewed the key documents such as City Council Priorities and the progress report, the budget documents, the annual comprehensive financial report, departmental strategic plans, employee turnover, the information on the City’s website and other relevant documents.  Distributed a link to the online survey to the selected 51 managers. The survey responses were downloaded in Excel spreadsheet.  Interviewed all City Council Members and ELT members (25 individuals) to identify the events and conditions that may affect the achievement of objectives.  Updated the risk assessment matrix with the information gathered. Analysis  Analyzed the survey responses.  Scored the auditable units (listed in Appendix A) in the risk assessment matrix based on the likelihood and the impact2 of potential adverse events. o Each of the auditable units received scores for various risk factors related to the likelihood or impact (defined in Appendix B). o Risk factor scores were summed to create a single score for the auditable unit.  Identified potential internal audit activities for the auditable units with high risk scores. Reporting  Summarized the approach and results of the risk assessment Baker Tilly conducted an initial comprehensive risk assessment in FY2021 by interviewing all Council Members and Executive Leadership Team (ELT) members to create a risk assessment matrix. For the FY2022 risk assessment, surveyed all ELT members and some additional members of management and conducted interviews with available Council Members as well as key ELT members representing areas of perceived high risk (e.g., Information Technology, Human Resources). For the third year risk assessment, all Council Members and ELT members were interviewed, the selected 51 managers were surveyed, and the risk assessment matrix was redeveloped for a comprehensive picture of the risk landscape, which will be continuously improved. Our risk assessment primarily measured inherent risk (the risk without mitigating controls/factors) for each risk factor although we also considered specific risks based on the City’s processes, controls, and other factors we learned through internal audit activities. Using the information gathered, we identified risks and determined the likelihood and impact of the risks. 2 Likelihood is the possibility that an event will occur. Impact is the extent to which an event might affect an organization. Item 3 Late Packet Attachment A - OCA - F2023 Risk Assessment Report Packet Pg. 26 3 Survey Results Baker Tilly team conducted an online risk assessment survey to gather management’s insights for all City departments and received 47 responses (92% response rate). The survey questions are listed in Appendix C. Changes over the past 12 months All organizations are subject to changing environments that can influence risk to organizations. The COSO 3 Internal Control – Integrated Framework4 highlights the influence of change in one of the 17 principles. Principle 9 states, “the organization identifies and assesses changes that could significantly impact the system of internal control.” The survey participants were asked to select all significant changes for their team or department during last 12 months. Policies and Procedures Policies and procedures provide a roadmap for daily operations to ensure compliance with laws and regulations, give guidance for decision-making, and establish the standards and internal controls. The survey participants were also asked to select the current state of the policies and procedures necessary to perform their job responsibilities. 3 The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is sponsored jointly by five major professional associations headquartered in the United States: the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Internal Auditors (IIA), and Institute of Management Accountants (IMA). https://www.coso.org/ 4 Internal Control – Integrated Framework provides principles-based guidance for designing and implementing effective internal controls. This framework has become the most widely used internal control framework in the U.S. https://www.coso.org/guidance-on-ic Changes for team or department # of Response New/additional staff 33 Unfilled positions 28 Change in workload 23 New software 19 Change in organizational structure 17 New workflows or business processes 13 New or significant changes in information technology systems 13 Change in compliance requirements (due to changes in policies/contracts/laws/regulations) 11 New vendors and contractors 11 Significant changes in processes or controls 7 Workforce reduction 7 Increased undesirable performance or instances (such as injuries/complaints/customer dissatisfaction/etc.) 6 Change in goals/objectives/performance measures 6 Change in culture 3 Other 4 Item 3 Late Packet Attachment A - OCA - F2023 Risk Assessment Report Packet Pg. 27 4 SURVEY RESULTS Barriers to meeting goals and objectives in FY2024 The COSO Enterprise Risk Management—Integrating with Strategy and Performance5 provides insight into the links between strategy, risk, and performance through 20 principles. Principle 10 states, “the organization identifies risk that impacts the performance of strategy and business objectives.” The survey participants were asked about their team/department’s periodic reporting on significant goals and compliance requirements to monitor the performance. The pie chart shows the results. The survey participants were also asked what can possibly prevent their team/department from meeting its goals and objectives in 2024. The results are summarized below. Top risk areas selected by the survey participants The survey participants were asked to select and rank the top five risk areas from 31 risk areas listed in the survey. Based on the number of selection and the ranking given by them, the top 15 risk areas were identified. For the risks they selected:  59.6% of the participants think the City management is aware of the risk, but more efforts are needed to help mitigate the risks.  34.0% of the participants think the City management is aware of the risks and has implemented activities to help mitigate the risks.  6.4% of the participants think the City management is either not aware of the risks or have not developed sufficient activities to help mitigate the risks. 5 Enterprise Risk Management—Integrating with Strategy and Performance addresses the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment. https://www.coso.org/guidance-erm Rank Risk Area 1 Citizen Demands 2 Succession Planning 3 Economy 4 Human Capital Management 5 Human Resources 6 Procurement/Sourcing 7 Security 8 Regulatory 9 Reputation 10 Resource Allocation 11 Efficiency 12 Document Retention 13 Leadership and Authority 14 Technologies 15 Strategic Change Item 3 Late Packet Attachment A - OCA - F2023 Risk Assessment Report Packet Pg. 28 5 RISK ASSESSMENT RESULTS Risk Assessment Results Department Descriptions and Key Risk Areas When identifying risk areas throughout the City, Baker Tilly considered each department and associated risks. Based on the concerns described by interviewees and survey respondents, departments’ functions, and their inherent risks, Baker Tilly identified the auditable risk areas for each department. Below is an overview of the City’s departments and their key risk areas. Administrative Services The Administrative Services Department provides financial and analytical support to the City. Departmental functions include finance and accounting, purchasing, administration, budget, real estate, and others. Key Risk Areas Purchasing card program Vendor master file Property management Grant management City Attorney’s Office The City Attorney’s Office provides legal services to the City, including providing legal advice and training to City leaders, negotiating on behalf of the City, drafting contracts and other legal documents, investigating claims, and defending the City in litigation Key Risk Areas Identification of legal risks Contracts and legal documents City Clerk’s Office The City Clerk serves as a liaison between the public and City Council. Office functions include Public Records Act requests, public hearings, local elections, board and commission recruitments, record management, and others. Key Risk Areas Election administration Record management Council meeting management City Manager’s Office The City Manager’s Office provides leadership to the City departments and is responsible for facilitating City Council legislative actions, managing special interdepartmental projects, and more. The Communications Office is housed under the City Manager’s Office and is the primary correspondent between the City and the public. Key Risk Areas Citywide risk management Economic development Office of Transportation The Office of Transportation works to enhance quality of life and improve the safety of the users of all modes of transportation. The Office is responsible for sustainable transportation systems, manage parking, and oversees the City’s traffic and transportation capital improvement projects. Key Risk Areas Intersection safety improvements Federal Railroad Administration (FRA) Quiet Zone Parking permit revenue Community Services Department The Community Services Departments offers a variety of services administered through the following three divisions and the Office of Human Services: Arts and Sciences; Open Spaces, Parks, and Golf; and Recreation. Key Risk Areas Human Services Resource Allocation Process (HSRAP) Junior Museum and Zoo (JMZ) Operation Contract management Item 3 Late Packet Attachment A - OCA - F2023 Risk Assessment Report Packet Pg. 29 6 RISK ASSESSMENT RESULTS Fire The Fire Department oversees emergency response such as ambulance transports and fire response/rescue, emergency protection services such as fire prevention, and hazardous materials planning. The department highlights safeguarding the community and compassionate care. Key Risk Areas Emergency Preparedness (Foothills Fire Master Plan) Safety and Wellness Human Resources The Human Resources Department is responsible for recruiting, developing, and retaining a well-qualified and professional workforce. The Department ensures compliance with relevant labor laws, adheres to record keeping practices, and serves as a strategic partner for executive decision making. Key Risk Areas Recruitment Succession Planning HR Strategy & Risk Management Workplace Safety Information Technology The Information Technology Department's provides innovative technology solutions that support City departments. The department oversees IT project management, operations, enterprise systems, and security services. Key Risk Areas - PCI/DSS Compliance - AMI Implementation - ERP Upgrade Library The Library Department operates five libraries throughout the City, each offering unique resources. The Library provides educational programming, multi-cultural events, and large and diverse book, information and technology resources. Key Risk Areas Operations Events and Programming Office of Emergency Services The Office of Emergency Services is designed to prevent, prepare for, and recover from various hazards. The Office is responsible for overseeing various risk management programs. Key Risk Areas Emergency preparedness (Foothills Fire Mitigation Program) Planning and Development Services The Planning Department supports the City in land use development, planning, transportation, housing and environmental policies, and plans and programs that “maintain and enhance the City as a safe, vital, and attractive community”. Key Risk Areas Building Permit & Inspection Zoning Ordinance Code Enforcement Long Range Planning Police Palo Alto’s Police Department oversees technical services such as dispatch and record management, field services such as patrol and emergency response, and animal control. The Police Department also places a high value on community relations. Key Risk Areas Crime Reduction Psychiatric Emergency Response Team (PERT) Program Safety and Wellness Training Public Works The Public Works Department is broken into four divisions: Engineering, Airport, Public Services, and Environmental Services. The Divisions are responsible for a variety of tasks Key Risk Areas Wastewater treatment capital program Item 3 Late Packet Attachment A - OCA - F2023 Risk Assessment Report Packet Pg. 30 7 RISK ASSESSMENT RESULTS Overall Risk Scoring Distribution Baker Tilly structured the audit universe based on the department/division/program from the budget document and management’s feedback, which resulted in 96 auditable units (Appendix A). We scored them based on the information gathered for each risk factor related to the likelihood, impact, or fraud. Appendix B lists the risk factors, definitions, and scoring method. The maximum score for an auditable unit is 30. The following chart shows the distribution of overall risk scoring. Baker Tilly rated the auditable units as follows:  High Risk – Scores 14 and above  Moderate Risk – Scores more than 9 and less than 14  Low Risk – Scores below 9 Listed in the following page are the auditable units with a score over 13 (out of 30) based on our scoring. The list includes 27 functions rated as high risk (with a score between 14 and 30) and 13 functions rated as moderate risk (with a score between 13 and 14). In determining the audit activities to be performed in FY2024, we further review specific risks and functional areas and consider risk-based priorities as well as other factors such as requirements by law or regulation, timing of activities, special projects, and requests from City Council and management. The proposed audit plan will be included in a separate FY2024 Annual Audit Plan Report. 7 26 43 16 4 SCORE ≤ 5 5 - 10 10 - 15 15 - 20 > 20 including design and implementation of capital projects, maintenance of City-owned and leased structures, and management of the solid waste programs. The Americans with Disabilities Act (ADA) compliance Flood protection capital project Airport Operations Utilities The Utilities Department owns and operates electric, gas, water, wastewater and fiber optic services to the City. The City purchases all their power from external sources. The mission of the Department is to “provide safe, reliable, environmentally sustainable and cost effective services.” Key Risk Areas Power Purchase Agreements Utility Billing Rate Setting and Adjustment Utility Asset Management Item 3 Late Packet Attachment A - OCA - F2023 Risk Assessment Report Packet Pg. 31 8 Department Function Risk Area Total Risk Score Planning and Development Services Building Building Permit & Inspection Process 22.8 Public Works Wastewater Treatment Wasterwater Treatment Capital Program 22.4 Planning and Development Services Development Services Building Permit & Inspection Process 20.5 Public Works Structures and Grounds ADA Compliance / Flood protection capital project 20.0 Administrative Services Purchasing Purchasing Card Program / Vendor Master File 18.6 Police Field Services Psychiatric Emergency Response Team (PERT) Program 18.2 Utilities Electric Administration Power Purchase Agreement 18.2 Community Services Administration and Human Services Human Services Resource Allocation Process (HSRAP) 18.0 Community Services Arts and Sciences Junior Museum and Zoo (JMZ) Operation 18.0 Community Services Recreation and Cubberley Contract Management 18.0 Police Technical Services 911 Operations 17.2 Community Services Animal Shelter Contract Management 16.9 Fire Emergency Response Emergency Preparedness (Foothills Fire Master Plan) 15.8 City Manager Administration and City Management Citywide Risk Management 15.6 Fire Administration Safety and Wellness 15.6 Planning and Development Services Planning and Transportation Code Enforcement 15.4 Office of Transportation Programs Intersection safety improvements 15.4 Utilities Electric Engineering (Operating) Utility Asset Management 15.3 Public Works Airport Airport Operations 15.1 Human Resources Administration, Employee Org Development and HR Systems HR Strategy / Succession Planning 15.1 Police Police Personnel Selection Recruitment and retention 14.9 Administrative Services Treasury / Revenue Collection / Warehouse Investment Management 14.9 Administrative Services Real Estate Property Management 14.7 Public Works Engineering Services Animal Shelter Renovation 14.3 Community Services Open Space, Parks and Golf Emergency Preparedness (Foothills Fire Master Plan) 14.1 Information Technology Operations PCI/DSS Compliance 14.1 Administrative Services Accounting Grant Management 14.0 Office of Emergency Services Emergency Services Emergency preparedness (Foothills Fire Mitigation Program) 13.9 Utilities Electric Customer Service Utility Billing 13.9 Information Technology Project Services AMI Implementation 13.8 Library Administration Business Operations (Donations and grants; Inventory Management; Fines, Purchasing, etc.)13.8 Human Resources Risk Mgmt., Safety, Workers' Compensation HR Risk Management / Workplace Safety 13.8 Police Law Enforcement Services Evidence 13.8 Utilities Water Customer Service Utility Billing 13.6 City Manager Economic Development Economic Development 13.4 Human Resources Recruitment Recruitment Process 13.3 Utilities Electric Resource Management Rate setting and adjustments 13.2 Public Works Administration Safety and Wellness 13.0 Utilities Gas Customer Service Utility Billing 13.0 Utilities Fiber Optics Customer Service Utility Billing 13.0 Item 3 Late Packet Attachment A - OCA - F2023 Risk Assessment Report Packet Pg. 32 9 Appendix A: Resumes Appendices Item 3 Late Packet Attachment A - OCA - F2023 Risk Assessment Report Packet Pg. 33 10 Appendix A: Audit Universe City Attorney’s Office Administration Consultation and Advisory Litigation and Dispute Resolution Official and Administration Duties City Clerk’s Office Administration Administrative Citations Council Support Services Election/Conflict of Interest Legislative Records Management City Manager’s Office Administration and City Management Economic Development Public Communication Administrative Services Department Accounting Administration Office of Management and Budget Printing and Mailing Purchasing Real Estate Treasury/Revenue Collection/Warehouse Community Services Department Administration and Human Services Animal Shelter Aquatics Arts and Sciences Open Space, Parks and Golf Recreation and Cubberley Fire Department Administration Emergency Response Environmental Safety Management Records and Information Management Training and Personnel Human Resources Department Administration, Employee Org Development and HR Systems Benefits and Compensation Employee and Labor Relations Recruitment Risk Management, Safety, Workers’ Compensation Information Technology Department Enterprise Systems Office of the CIO Operations Project Services Library Department Administration Collection and Technical Services Public Services Office of Emergency Services Emergency Services Office of Transportation Administration Parking Districts Programs Special Revenue Funds Planning and Development Services Department Administration Item 3 Late Packet Attachment A - OCA - F2023 Risk Assessment Report Packet Pg. 34 11 Building Development Services Planning and Transportation Special Districts Police Department Administration Animal Control Field Services Investigations and Crime Prevention Services Law Enforcement Services Parking Services Police Personnel Selection Technical Services Traffic Services Department of Public Works Administration Airport Engineering Services Refuse Storm Drainage Streets Structures and Grounds Sustainability Trees Vehicle Replacement and Maintenance Wastewater Treatment Utilities Department Electric Administration Electric Customer Service Electric Demand Side Management Electric Engineering (Operating) Electric Operations and Maintenance Electric Resource Management Fiber Optics Administration Fiber Optics Customer Service Fiber Optic Operations and Maintenance Gas Administration Gas Customer Service Gas Demand Side Management Gas Engineering (Operating) Gas Operations and Maintenance Gas Resource Management Wastewater Collection Administration Wastewater Collection Customer Service Wastewater Collection Engineering (Operating) Wastewater Collection Operations and Maintenance Water Administration Water Customer Service Water Engineering (Operating) Water Operations and Maintenance Water Resource Management Item 3 Late Packet Attachment A - OCA - F2023 Risk Assessment Report Packet Pg. 35 12 Appendix B: Risk Factor Definition Factor Definition Weight Magnitude A measure of materiality based on pervasiveness or volume of dollars or transactions; Scores based on the budgeted expenditure amount Extreme - 5: $50M or more Material - 4: $10M or more; Less than $50M Significant - 3: $3M or more; Less than $10M Moderate - 2: $1M or more; Less than 3M 30% Customer / Resident Experience Negative experience by customers and residents, such as perceived or actual safety concerns and unsatisfactory services, impacts negatively on the reputation / credibility of the organization Extreme - 5: Direct impact on health and safety Material - 4: Direct impact on transparency Significant - 3: Direct impact on customer satisfaction/City's reputation Moderate - 2: Indirect impact on customer satisfaction/City's reputation Inconsequential - 1: Immaterial impact on reputation / credibility 35% Achievement of Organizational Goals The greater the effect that a department or process has on the organization meeting strategic objectives and goals, the greater the related risks Extreme - 5: Directly relates to the City Council Priorities Material - 4: Supports the function/process directly related to the City Council Priorities Significant - 3: Has performance/workload measures related to City Council Priorities Moderate - 2: Somewhat relates to the City Council Priorities Inconsequential - 1: Does not relate to City's City Council Priorities 35% 100% Complexity A measure of the difficulty in performing a process or function. As a process or function becomes more complex, the greater the opportunity for errors 5 - Very high complexity 4 - High complexity 3 - Medium complexity 2 - Low complexity 1 - Very low complexity 25% Policies and Procedures Policies and Procedures are a complete set of written instructions that guide personnel in the successful execution of their duties and the duties of the office for which they work. If the policies and procedures are adequate and up-to- date, a risk is lower 5 - No or little written P&P 4 - Some written P&P 3 - Basic P&P requiring improvements 2 - Adequate but outdated P&P 10% Regulatory Compliance Measures the existence of and potential noncompliance with, government regulations and other applicable laws, standards, and policies/procedures 5 - Requirements to meet more than a few laws/regulations and professional standards specific to the division's responsibilities 25% Monitoring Consider the existence of monitoring activities, including the results of last audits by Internal Auditor, External Auditor, Regulators, etc. and other known deficiencies 5 - Overall, there is no mechanism to monitor the status of performance goals/compliance requirements 3 - For only some of significant performance goals/compliance requirements, there is a periodic reporting process to ensure performance goals/compliance requirements are met 1 - For all significant performance goals/compliance requirements, there is a periodic reporting process to ensure performance goals/compliance requirements are met 10% Specific Risks Consider the existence of specific risk events/conditions and their significance 5 - Identified risk event(s)/condition(s) seem to significantly affect the likelihood 3 - Identified risk event(s)/condition(s) seem to have some impact on the likelihood 1 - No or very minor risk event(s)/condition(s) have been identified 30% 100% Fraud Schemes Consider the susceptibility to fraud, which is the opportunity for employees/vendors/customers/fraudsters to misappropriate resources or defraud the organization* 5 - High Risk 3 - Moderate Risk 1 - Low Risk 100% 100% HIGHEST TOTAL SCORE 30 * Considered fraud schemes listed in the Fraud Tree provided in the “Occupational Fraud 2022: A report to the Nations” by Association of Certified Fraud Examiners. Also considered are cyber fraud schemes. Impact Factors (the effect on the organization) HIGHEST TOTAL SCORE FOR IMPACT: 5 Likelihood Factors (the probability of the risk occurring) HIGHEST TOTAL SCORE FOR LIKELIHOOD: 5 Other Risk Factor HIGHEST TOTAL SCORE FOR OTHER: 5 Item 3 Late Packet Attachment A - OCA - F2023 Risk Assessment Report Packet Pg. 36 13 Appendix C: Survey Questions The Office of City Auditor is conducting the 2023 Risk Assessment to identify and prioritize risks in order to update the annual audit plan. As part of our 2023 Risk Assessment, we are conducting a survey. This survey is used primarily to collect information related to changes in operations, emerging issues and risks the City faces, and to gather your perspective on key risks faced by your department. Your candid responses would be greatly appreciated to assess the risks that prevent the City of Palo Alto from achieving its mission, goals, and objectives. Questions 1-7 remain the same for both options. 1. Please provide your name, title, department, and email address:  Name  Title  Department o City Council o City Attorney o City Manager’s Office – Other than Transportation o City Manager’s Office – Transportation o Administrative Services o City Clerk’s Office o Community Services o Emergency Services o Fire o Human Resources o Information Technology o Library o Planning o Police o Public works o Utilities  Email address 2. Describe any significant changes for your team or department during last 12 months. Select all that apply.  New software  New workflows or business processes  Significant changes in processes or controls  New or significant changes in information technology systems  Change in organizational structure  Change in culture  Workforce reduction  Unfilled positions  New/additional staff  New vendors and contractors  Change in workload  Change in compliance requirements (due to changes in policies, contracts, laws, or regulations)  Change in goals, objectives, or performance measures  Increased undesirable performance or instances (such as injuries, complaints, customer dissatisfaction, etc.)  Change in any risks previously identified for your team/department Item 3 Late Packet Attachment A - OCA - F2023 Risk Assessment Report Packet Pg. 37 14  Other (please specify) 3. Describe the complexity of the key processes in your team or department: Complexity is a measure of the difficulty in performing a process or function. As a process or function becomes more complex, the greater the opportunity for errors.  Very high complexity  High complexity  Medium complexity  Low complexity  Very low complexity Please provide any comment related to complexity, if any. 4. Are there adequate and up-to-date documented policies and procedures to perform your job responsibilities?  Yes, documented policies and procedures are adequate and up-to-date  Documented policies and procedures are adequate but not updated regularly  Documented policies and procedures need improvement No – Please describe how the responsibilities and requirements are communicated in a clear and consistent manner. 5. Please select the compliance requirements with applicable Federal/State/Local laws and regulations and professional standards (e.g. CEQA, NERC, OSHA, EMT licensure/certification) for each of divisions/functions of your department listed below:  More than a few laws/regulations and/or professional standards specific to the division's responsibilities need to be met  One or two laws/regulations and/or professional standards specific to the division's responsibilities need to be met  No requirement to meet any laws/regulations or professional standards specific to the division's responsibilities 6. Describe what can possibly prevent your team/department from meeting its goals and objectives in 2024. Select all that apply.  Financial constraints  Staffing constraints  Limited skills, knowledge, experience, training  Technology issue  Inefficiency in process and/or communication  Ambiguity in roles and responsibilities  Lack of, or ineffective, internal controls  Community pressure  State/Federal regulations  Other (please specify) 7. Describe the activities to monitor the achievement of the goals in your team or department: Example – Periodic reporting, periodic meetings, spot checks by management, periodic audits by external organizations such as consultants and the Federal government, etc.  For all significant performance goals/compliance requirements, there is a periodic reporting process to ensure performance goals/compliance requirements are met  For only some of significant performance goals/compliance requirements, there is a periodic reporting process to ensure performance goals/compliance requirements are met  Overall, there is no mechanism to monitor the status of performance goals/compliance requirements Item 3 Late Packet Attachment A - OCA - F2023 Risk Assessment Report Packet Pg. 38 15 Please provide comments related to monitoring the achievement of your department’s goals, if any. To help us identify potential risks, please list your team/department’s Strengths, Weaknesses, Opportunities, and Threats (SWOT) for achieving its missions, goals, and objectives. Typically, strengths and weaknesses are internal aspects of team/department/organization, while opportunities and threats are found externally. 8. Describe up to three STRENGTHS of your team or department: Strengths refer to the resources or capabilities that help the team/department accomplish its mission and serve the public. These can be things like competitive advantages, available resources, engaged community, strong balance sheet, utilized technology and so on. 9. Describe up to three WEAKNESSES of your team or department: Weaknesses refer to the areas where the team/department needs to improve to accomplish its mission. These can include things like deficiencies in resources and capabilities, inefficient use of available technologies, barriers or inability to collaborate among different departments, lack of effective communication, mission or direction, high levels of debt, financial or human resources constraints and so on. 10. Describe up to three OPPORTUNITIES for your team or department: Opportunities are any area where the team/department can grow. They are often related to the organization’s strengths. Outside factors that affect the organization in a favorable way can include things like; offering more products or services to citizens, lower costs through new technology and so on. 11. Describe up to three THREATS for your team or department: Threats include the local or national economy, laws and regulations and any other external issue that can harm or affect the team/department successfully meeting goals. Common threats include things like rising costs for housing/living, increasing competition, tight labor supply, billing rates and so on. 12. Using the bulleted list within the risk framework below, please select what you consider to be the top five enterprise risks to the City of Palo Alto. Environmental (factors external to the organization) • Reputation - The opinions and perceptions of the public and customers toward the organization. • Regulatory - Laws and standards, which the organization must comply with in its operations. • Citizen Demands - The effect that current citizens demands have on the decisions made by management for aligning tactical plans with the business strategy and the allocation of resources. • Economy - The effect that current external conditions have on the decisions made by management for aligning tactical plans with the business strategy and the allocation of resources. • Legal - The potential for an unforeseen event to cause civil or criminal litigation for the organization or its elected leaders, directors, officers, and employees. • Technologies - The evolution of technology both within and outside of the organization’s industry. Strategy (planning and decision-making) • Strategic Change - The ability of the organization to modify its processes in order to either align with its current strategy and business model or to achieve a different strategic goal. • Investments - The portfolio of both intangible and tangible investments held by the organization, and the implications of these assets on the resources, financial viability, and operations of the organization. The effect on liquidity the ability of current assets to meet current liabilities when due. • Planning and Budgeting - Details of the organization’s goals and the financial management necessary to achieving those goals. • Financial - The goals of the organization in terms of the structure of its assets and liabilities, including the financing capability based on its credit worthiness, the ability to receive credit and the use of credit lines to achieve its business objectives. • Inter-government Relations - The relationship of the organization with other government agencies that have regulatory and oversight responsibilities and shared services or citizens. Item 3 Late Packet Attachment A - OCA - F2023 Risk Assessment Report Packet Pg. 39 16 • Compliance Management - The continuous monitoring of the organization’s ability to operate within regulatory requirements and community standards. • Resource Allocation – The process for assigning and managing assets that support the organizations strategic goals. Organization (attributes of departments) • Governance - The role, composition, and major activities of the governing body of the organization in providing direction and oversight for the organization • Empowerment and Values - The ability of senior members of the organization to effectively delegate power or authority to other members of the organization. • Communication - The methods of communication commonly used in the organization and the effectiveness of this communication on the operations of the organization. • Ethics and Code of Conduct - The set of rules outlining the ethical practices expected of management and employees of the organization. • Leadership and Authority - The members of the organization who hold power and their ability to exercise this power effectively. • Organizational Structure - The configuration of units and workflows to align the behavior of the units to the higher-level goals of the organization. • Succession Planning - The planning and processes to ensure that there are highly qualified people in key leadership positions today and in the future. • Human Capital Management - The set of practices an organization uses for recruiting, managing, developing, and optimizing employees, including performance management (The process of creating expectations for performance, monitoring progress, and measuring the results) and training (The ability for employees to gain and develop necessary tools to ensure effective operations). • Safety - The organization strives to provide a safe working environment by effectively mitigating the risks to the safety of its employees. Process and Operations (functional effectiveness and policies and procedures) Externa • Contracts - Contracts are adequately structured to address and mitigate risks. • Efficiency - Processes are up-to-date and efficient, resulting in efficient operations and output. • Accounting - The timely and accurate tracking of the financial position of the organization. • Payroll - The policies, processes, and systems in place to ensure that employee compensation is reliable, timely, and accurate. • Fraud - The organization uses internal controls to prevent and/or detect fraud. • Procurement/Sourcing – The ability to acquire the necessary goods and services for operation and the process of vetting, selecting and managing supplier, vendors and contractors. • Human Resources - The knowledge, skills and experiences, and resources among personnel, which allow for the execution of the organization’s business plan and achievement of its critical success factors. • Information Systems - The facilities, systems, and connectivity in place to support data processing. • Vendor Management - The need for the organization to continuously monitor the quality and reliability of vendors it uses in the course of its business. • Change Management - Management adapts appropriately to the evolution of the processes and operations of the organization. Information (data governance) • Data Integrity - Data used for making management decisions, recording information, and reporting financial activity is accurate, complete, and reliable. • Access - The right to view or manipulate data is carefully granted and monitored to prevent the mishandling of data • Retention - The policies used by the organization to determine document retention in terms of the form of documents, how these documents are stored, and for how long these should be maintained. • Availability - Relevant critical information is available when needed in order to maintain the organization’s critical operations and processes, including when a disaster or unplanned disruption occurs • Privacy - Organization policies are in place to ensure the correct treatment of sensitive information held by the organization. • Security – Any event that could result in the compromise of organizational data. (I.e. unauthorized use, loss, damage, disclosure or modification of organizational data). Item 3 Late Packet Attachment A - OCA - F2023 Risk Assessment Report Packet Pg. 40 17 13. Please use the click and drag feature to rank the five enterprise risks that you selected into a priority order, with #1 being the highest. 14. Please describe why you selected them as the top five risks. 15. How well does the City of Palo Alto manage activities to mitigate these risks?  Well – the City management is aware of the risk and has implemented activities to help mitigate this risk  Somewhat well – the City management is aware of this risk, but more effort/activities are needed to help mitigate this risk  Not well – the City management is either not aware of this risk or hasn’t developed sufficient activities to help mitigate this risk 16. Are there any other risks that could affect operations that were not included in the risk framework? 17. Please list any potential internal audit activities you recommend based on the risks you identified. The projects can be consultative/advisory in nature, or provide assurance:  Internal Audit – an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization.  Advisory and related client service activities, the nature and scope of which are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Item 3 Late Packet Attachment A - OCA - F2023 Risk Assessment Report Packet Pg. 41 1 December 12, 2023 City of Palo Alto Office of the City Auditor FY2024 Annual Audit Plan Item 3 Late Packet Attachment B - OCA - FY2024 Annual Audit Plan Packet Pg. 42 Contents Baker Tilly US, LLP, trading as Baker Tilly, is an independent member of Baker Tilly International. Baker Tilly International Limited is an English company. Baker Tilly International provides no professional services to clients. Each member firm is a separate and independent legal entity, and each describes itself as such. Baker Tilly US, LLP is not Baker Tilly International’s agent and does not have the authority to bind Baker Tilly International or act on Baker Tilly International’s behalf. None of Baker Tilly International, Baker Tilly US, LLP nor any of the other member firms of Baker Tilly International has any liability for each other’s acts or omissions. The name Baker Tilly and its associated logo is used under license from Baker Tilly International Limited. INTRODUCTION ............................................................................................................. 1 RISK ASSESSMENT RESULTS ..................................................................................... 3 PROPOSED AUDIT PROJECTS FOR FY2024 .............................................................. 4 APPENDICES ................................................................................................................. 6 Item 3 Late Packet Attachment B - OCA - FY2024 Annual Audit Plan Packet Pg. 43 1 Introduction Introduction The purpose of the audit activities performed by the Office of the City Auditor (OCA) for the City of Palo Alto (the City) is “to ensure that city management is using its financial, physical, and informational resources effectively, efficiently, economically, ethically, and equitably, and in compliance with laws, regulations, contract and grant requirements, and city policies and procedures”, according to the Palo Alto Municipal Code (Section 2.08.130). It requires the City Auditor prepare an annual audit plan for the City Council’s approval at the beginning of each fiscal year. In accordance with the Task #1 and Task #2 of the Baker Tilly agreement (City of Palo Alto Contract No, C21179340), Baker Tilly US, LLP (Baker Tilly) performed the initial risk assessment after having started to serve as the OCA in October 2020 and submitted in early 2021 the FY21-FY22 annual audit plan. For the second year, the OCA updated the initial risk assessment and submitted the FY22-FY23 audit plan. This report includes the proposed FY23-FY24 audit plan. The Task #4 of the agreement requires execution of the approved annual audit plans and preparation of a task order for each project listed in the plan. The OCA will seek approval of contract task orders iteratively during FY24 in order to remain agile and accommodate changes to the plan as time passes. Conformance with Local Ordinances and Standards Section 2.08.130 of the Palo Alto Municipal Code defines that the mission of the OCA is to promote honest, efficient, effective, economical, and fully accountable and transparent city government. Audits are to be conducted and nonaudit services provided in accordance with Government Auditing Standards, as established by the Comptroller General of the United States, Governmental Accountability Office. The following duties of the City Auditor exist regarding the plan and scope of internal audits. Palo Alto City Charter Article IV Sec. 12 requires the City Auditor to perform the following: – Conduct audits in accordance with a schedule approved by the City Council and may conduct unscheduled audits from time to time. – Conducts internal audits of all the fiscal transactions of the City. Title 2 Administrative Code Section 2.08.130 requires the City Auditor to perform the following: – Prepare an annual audit plan for city council approval. – Identify the preliminary objectives of each audit to be performed, reflecting the purpose of the engagement and a preliminary description of the areas that may be addressed. – Conduct performance audits and perform nonaudit services of any city department, program, service, or activity as approved by the city council. California Government Code Section 1236 requires all cities that conduct audit activities to conduct their work under the general and specified standards prescribed by the Institute of Internal Auditors (IIA) or the Government Auditing Standards (GAO) issued by the Comptroller General of the United States, as appropriate. Item 3 Late Packet Attachment B - OCA - FY2024 Annual Audit Plan Packet Pg. 44 2 INTRODUCTION Audit Activity Type The OCA will conduct performance audits and perform financial/operational analyses of any City department, program, service, or activity as approved by the City Council in accordance with the Baker Tilly agreement. Performance Audits According to the Government Auditing Standards (GAO-18-568G, Section 1.21 and 1.22, page 10-12), performance audits provide objective analysis, findings, and conclusions to assist management and those charged with governance and oversight with, among other things, improving program performance and operations, reducing costs, facilitating decision making by parties responsible for overseeing or initiating corrective action, and contributing to public accountability. Performance audits may include the following four (4) audit objectives: – Program effectiveness and results – Internal control design and effectiveness – Compliance with laws, regulations, and policies – Prospective analysis Audit Planning Considerations While maintaining its independence and objectivity in accordance with standards, the City Auditor considers a variety of matters when developing the Annual Audit Plan, including but not limited to: – Risk assessment – the OCA performed a risk assessment and summarized the results in a separate report (Task #2). Generally speaking, audit activities target high(er) risk areas. The results are shown the following page. – Ability to add value – audit seeks to add value through independent and objective analysis. – City Council – the City Auditor reports to the City Council and seeks input on audit priorities. – Coverage and Prior Audits – the City Auditor considers prior audits conducted by the OCA, the financial audit, and other audit and consulting reports recently issued. – “Ripeness” and On-Going Initiatives – certain risk areas may be addressed through operational activities, which could mean they are not be ripe for audit to add value. – Scheduling – the City Auditor takes into consideration the timing of an audit and other on-going initiatives that directly relate. Putting an undue burden on City staff may exacerbate the risk at hand or other interrelated risks. Item 3 Late Packet Attachment B - OCA - FY2024 Annual Audit Plan Packet Pg. 45 3 Risk Assessment Results The OCA performed a citywide risk assessment to plan for FY2024 audit activities and documented the methodology and the detailed results in a separate Risk Assessment Report. In summary, we identified the following areas rated as High or Moderate risks. In determining the audit activities to be performed in FY2024, we further reviewed these risks and functional areas and considered the matters listed in the previous page. Department Function Risk Area Total Risk Score Planning and Development Services Building Building Permit & Inspection Process 22.8 Public Works Wastewater Treatment Wasterwater Treatment Capital Program 22.4 Planning and Development Services Development Services Building Permit & Inspection Process 20.5 Public Works Structures and Grounds ADA Compliance / Flood protection capital project 20.0 Administrative Services Purchasing Purchasing Card Program / Vendor Master File 18.6 Police Field Services Psychiatric Emergency Response Team (PERT) Program 18.2 Utilities Electric Administration Power Purchase Agreement 18.2 Community Services Administration and Human Services Human Services Resource Allocation Process (HSRAP) 18.0 Community Services Arts and Sciences Junior Museum and Zoo (JMZ) Operation 18.0 Community Services Recreation and Cubberley Contract Management 18.0 Police Technical Services 911 Operations 17.2 Community Services Animal Shelter Contract Management 16.9 Fire Emergency Response Emergency Preparedness (Foothills Fire Master Plan) 15.8 City Manager Administration and City Management Citywide Risk Management 15.6 Fire Administration Safety and Wellness 15.6 Planning and Development Services Planning and Transportation Code Enforcement 15.4 Office of Transportation Programs Intersection safety improvements 15.4 Utilities Electric Engineering (Operating) Utility Asset Management 15.3 Public Works Airport Airport Operations 15.1 Human Resources Administration, Employee Org Development and HR Systems HR Strategy / Succession Planning 15.1 Police Police Personnel Selection Recruitment and retention 14.9 Administrative Services Treasury / Revenue Collection / Warehouse Investment Management 14.9 Administrative Services Real Estate Property Management 14.7 Public Works Engineering Services Animal Shelter Renovation 14.3 Community Services Open Space, Parks and Golf Emergency Preparedness (Foothills Fire Master Plan) 14.1 Information Technology Operations PCI/DSS Compliance 14.1 Administrative Services Accounting Grant Management 14.0 Office of Emergency Services Emergency Services Emergency preparedness (Foothills Fire Mitigation Program) 13.9 Utilities Electric Customer Service Utility Billing 13.9 Information Technology Project Services AMI Implementation 13.8 Library Administration Business Operations (Donations and grants; Inventory Management; Fines, Purchasing, etc.)13.8 Human Resources Risk Mgmt., Safety, Workers' Compensation HR Risk Management / Workplace Safety 13.8 Police Law Enforcement Services Evidence 13.8 Utilities Water Customer Service Utility Billing 13.6 City Manager Economic Development Economic Development 13.4 Human Resources Recruitment Recruitment Process 13.3 Utilities Electric Resource Management Rate setting and adjustments 13.2 Public Works Administration Safety and Wellness 13.0 Utilities Gas Customer Service Utility Billing 13.0 Utilities Fiber Optics Customer Service Utility Billing 13.0 Item 3 Late Packet Attachment B - OCA - FY2024 Annual Audit Plan Packet Pg. 46 4 PROPOSED AUDIT PROJECTS FOR FY2024 Proposed Audit Projects for FY2024 Summary The proposed audits and follow-up project for FY2024 are listed in the next page. The projects were selected from the auditable units that were rated as High or Moderate in the results of our risk assessment and selected based on some factors such as risk rating, the pervasiveness of the process or control, the audit coverage, the timing of projects, and the value-adding activities that help the City enhance the ability to manage risks, strengthen accountability, and improve efficiency and effectiveness. The preliminary audit objectives are described for each audit listed. These objectives and scope will be further defined based on the result of the engagement level risk assessment performed at the beginning of each audit. Amendments to this audit plans may need to be proposed during FY2024 in response to changes in the City’s environment such as organizational structure, operations, risks, systems, and controls. For each audit, a task order is submitted to the City Council for approval before an audit is commenced. We prepared three task orders which are included in Appendix. The OCA is seeking approval from the City Council for three project that are projected to start in January 2024. Those audits are marked “X” in the Seeking Approval column. Item 3 Late Packet Attachment B - OCA - FY2024 Annual Audit Plan Packet Pg. 47 5 Proposed Audit Plan for FY2024 Seeking Approval Function Project Title Audit Objectives Timeline FY24 Estimated Hours FY24 Cost Public Works Public Safety Building - Construction Audit (Task Order 4.8) ? Monthly invoice review ? Change order testing ? Contingency and allowance testing ? Lien waiver control ? Compliance with insurance requirements ? Closeout testing ? Verify the City’s implementation and adherence to documented project controls March 2021 - March 2024 87 $19,734 X Administrative Services Purchasing Card Program ? Determine whether procurement cards are used appropriately in compliance with the City's policy and pertinent laws and regulations ? Evaluate the administration of the Purchasing Card Program for adequate internal controls to safeguard the City from fraud, waste, and abuse January - June 2024 415 $76,540 X Public Works ADA Compliance Determine whether improvements have been made to make facilities, programs, and services accessible in accordance with the Transition Plan and Self-Evaluation Final Study to ensure compliance with the Americans with Disabilities Act (ADA) of 1990 January - June 2024 385 $73,110 Human Resources Recruitment and Succession Planning ? Determine the efficiency and effectiveness of the recruitment and hiring process ? Determine whether a formal succession plan and related policies proceudres are in place January - June 2024 290 $58,890 Citywide Grant Management Determine whether the City has adequate interal controls to efficiently and effectively manage the grant lifecycle January - June 2024 315 $60,330 Multiple departments Emergency Preparedness Determine whether the City if working to prevent wildfire and adequately prepared to respond to wildfire January - June 2024 385 $73,110 Utilities Utility Billing ? Determine whether the internal controls over the utility billing process are adequate and working effectively to ensure billing is accurate and in compliance with the City's policy and regulations. ? Determine whether billing adjustments are properly supported and approved January - June 2024 385 $72,010 Information Technology Payment Card Industry Data Security Standard (PCI DSS) Determine whether the internal controls over the payment card processing are adequate and working effectively for the City and any thrid party service providor January - June 2024 370 $69,680 X Citywide Follow-up on Corrective Actions Follow up on previous OCA audit reports to ensure corrective actions included in management responses in each audit report are completed [This activity will be performed under Task 5 (an annual report on the status of recommendations made in completed audits)] December 2023 - June 2024 140 $30,592 TBD Ad Hoc Requests TBD TBD TBD $0 2,772 $533,996 $534,250 $254 FY23 - FY24 Budget FY24 Ad Hoc / Contingency FY24 Item 3 Late Packet Attachment B - OCA - FY2024 Annual Audit Plan Packet Pg. 48 6 Appendix A: Resumes Appendices Item 3 Late Packet Attachment B - OCA - FY2024 Annual Audit Plan Packet Pg. 49 7 PROFESSIONAL SERVICES TASK ORDER TASK ORDER FY24-4.21 Purchasing Card Program Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referencedFY24 in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below. CONTRACT NO. C21179340 OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE) 1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): C21179340 1B. TASK O RDER NO.: FY23-4.22 2. CONSULTANT NAME: Baker Tilly US, LLP 3. PERIOD OF PERFORMANCE: START: January 1, 2024 COMPLETION: June 30, 2024 4 TOTAL TASK ORDER PRICE: $69,940 BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT TBD 5. BUDGET CODE_______________ COST CENTER________________ COST ELEMENT______________ WBS/CIP__________ PHASE__________ 6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Greg Tanaka, Chair of the City Council’s Policy and Services Committee 7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE:  SERVICES AND DELIVERABLES TO BE PROVIDED  SCHEDULE OF PERFORMANCE  MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable)  REIMBURSABLE EXPENSES, if any (with “not to exceed” amount) 8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A I hereby authorize the performance of the work described in this Task Order. APPROVED: CITY OF PALO ALTO BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant. APPROVED: COMPANY NAME: ______________________ BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ Item 3 Late Packet Attachment B - OCA - FY2024 Annual Audit Plan Packet Pg. 50 8 Attachment A DESCRIPTION OF SCOPE OF SERVICES Introduction Attachment A, the Description of Scope of Services, contains the following four (4) elements:  Services and Deliverables To Be Provided  Schedule of Performance  Maximum Compensation Amount and Rate Schedule (As Applicable)  Reimbursable Expenses, if any (With “Not To Exceed” Amount) Services & Deliverables Baker Tilly’s approach to conducting an internal audit of Purchasing Card Program involves three (3) primary steps:  Step 1: Audit Planning  Step 2: Control Review and Testing  Step 3: Reporting Step 1 – Audit Planning This step consists of the tasks performed to adequately plan the work necessary to address the overall audit objective and to solidify mutual understanding of the audit scope, objectives, audit process, and timing between stakeholders and auditors. Tasks include:  Gather information to understand the environment under review o Understand the organizational structure and objectives o Review the City code, regulations, and other standards and expectations o Review prior audit results, as applicable o Review additional documentation and conduct interviews as necessary  Assess the audit risk  Write an audit planning memo and audit program o Refine audit objectives and scope o Identify the audit procedures to be performed and the evidence to be obtained and examined  Announce the initiation of the audit and conduct kick-off meeting with key stakeholders o Discuss audit objectives, scope, audit process, timing, resources, and expectations o Discuss documentation and interview requests for the audit Item 3 Late Packet Attachment B - OCA - FY2024 Annual Audit Plan Packet Pg. 51 9 Step 2 – Control Review and Testing This step involves executing the procedures in the audit program to gather information, interview individuals, and analyze the data and information to obtain sufficient evidence to address the audit objectives. The preliminary audit objective is to determine whether (1) Determine whether procurement cards are used appropriately in compliance with the City's policy and pertinent laws and regulations; (2) Evaluate the administration of the Purchasing Card Program for adequate internal controls to safeguard the City from fraud, waste, and abuse. Procedures include, but not limited to:  Interview the appropriate individuals to gain an understanding of the organizational structure, processes, and controls related to the Purchasing Card Program.  Review policies and procedures as well as the legislative and regulatory requirements to identify the criteria to be used for evaluation of control design and effectiveness.  Select a sample of the P-Card transactions  Compare the process and controls against the best practices. Step 3 – Reporting In Step 3, the project team will perform tasks necessary to finalize audit working papers, prepare and review a draft report with the stakeholders, and submit a final audit report. Tasks include:  Develop findings, conclusions, and recommendations based on the supporting evidence gathered  Validate findings with the appropriate individuals and discuss the root cause of the identified findings  Complete supervisory review of working papers and a draft audit report  Distribute a draft audit report and conduct a closing meeting with key stakeholders o Discuss the audit results, finings, conclusions, and recommendations o Discuss management responses  Obtain written management responses and finalize a report  Review report with members of City Council and/or the appropriate Council Committee Deliverables: The following deliverable will be prepared as part of this engagement:  Audit Report Schedule of Performance Anticipated Start Date: January 1, 2024 Anticipated End Date: June 30, 2024 Item 3 Late Packet Attachment B - OCA - FY2024 Annual Audit Plan Packet Pg. 52 10 Maximum Compensation Amount and Rate Schedule The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this Task is $69,940. The not-to-exceed budget is based on an estimate of 375 total project hours, of which 15 are estimated to be completed by the City Auditor. Reimbursable Expenses We plan to complete all work remote including all interviews and documentation review. However, during the planning and fieldwork phases of this audit, the City and Baker Tilly may mutually determine it will be beneficial to perform a portion of the work on-site. Given this possibility, Baker Tilly could incur reimbursable expenses for this Task. The not-to-exceed maximum for reimbursable expenses for this Task is $6,500. The following summarizes anticipated reimbursable expenses:  Round-trip Airfare – $2,000 (1 round trip flights x 2 auditors)  Ground Transportation (car rental or Uber/taxi) - $800  Hotel accommodation - $3,000 (2 rooms x 4 nights)  Food and incidentals – $700 Item 3 Late Packet Attachment B - OCA - FY2024 Annual Audit Plan Packet Pg. 53 11 PROFESSIONAL SERVICES TASK ORDER TASK ORDER FY24-4.22 ADA Compliance Review Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced FY24 in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below. CONTRACT NO. C21179340 OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE) 1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): C21179340 1B. TASK O RDER NO.: FY23-4.23 2. CONSULTANT NAME: Baker Tilly US, LLP 3. PERIOD OF PERFORMANCE: START: January 1, 2024 COMPLETION: June 30, 2024 4 TOTAL TASK ORDER PRICE: $73,110 BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT TBD 5. BUDGET CODE_______________ COST CENTER________________ COST ELEMENT______________ WBS/CIP__________ PHASE__________ 6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Greg Tanaka, Chair of the City Council’s Policy and Services Committee 7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE:  SERVICES AND DELIVERABLES TO BE PROVIDED  SCHEDULE OF PERFORMANCE  MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable)  REIMBURSABLE EXPENSES, if any (with “not to exceed” amount) 8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A I hereby authorize the performance of the work described in this Task Order. APPROVED: CITY OF PALO ALTO BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant. APPROVED: COMPANY NAME: ______________________ BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ Item 3 Late Packet Attachment B - OCA - FY2024 Annual Audit Plan Packet Pg. 54 12 Attachment A DESCRIPTION OF SCOPE OF SERVICES Introduction Attachment A, the Description of Scope of Services, contains the following four (4) elements:  Services and Deliverables To Be Provided  Schedule of Performance  Maximum Compensation Amount and Rate Schedule (As Applicable)  Reimbursable Expenses, if any (With “Not To Exceed” Amount) Services & Deliverables Baker Tilly’s approach to conducting an internal audit of ADA (Americans Disabilities Act) Compliance involves three (3) primary steps:  Step 1: Audit Planning  Step 2: Control Review and Testing  Step 3: Reporting Step 1 – Audit Planning This step consists of the tasks performed to adequately plan the work necessary to address the overall audit objective and to solidify mutual understanding of the audit scope, objectives, audit process, and timing between stakeholders and auditors. Tasks include:  Gather information to understand the environment under review o Understand the organizational structure and objectives o Review the City code, regulations, and other standards and expectations o Review prior audit results, as applicable o Review additional documentation and conduct interviews as necessary  Assess the audit risk  Write an audit planning memo and audit program o Refine audit objectives and scope o Identify the audit procedures to be performed and the evidence to be obtained and examined  Announce the initiation of the audit and conduct kick-off meeting with key stakeholders o Discuss audit objectives, scope, audit process, timing, resources, and expectations o Discuss documentation and interview requests for the audit Item 3 Late Packet Attachment B - OCA - FY2024 Annual Audit Plan Packet Pg. 55 13 Step 2 – Control Review and Testing This step involves executing the procedures in the audit program to gather information, interview individuals, and analyze the data and information to obtain sufficient evidence to address the audit objectives. The preliminary audit objective is to determine whether improvements have been made to make facilities, programs, and services accessible in accordance with the Transition Plan and Self-Evaluation Final Study to ensure compliance with the Americans with Disabilities Act (ADA) of 1990. Specifically, we will determine whether (1) necessary remediation work, projects, or programs are included in the annual capital budget to meet the ADA Transition Plan Schedules; (2) the progress of the remediation efforts and any change in laws and regulations are assessed periodically to ensure continued improvements in ADA compliance; (3) the City monitors the contractor’s compliance with the contractual requirements to ensure that the City receives necessary services. Procedures include, but not limited to:  Interview the appropriate individuals to gain an understanding of the organizational structure, processes, and controls related to the ADA compliance efforts.  Review policies and procedures as well as the legislative and regulatory requirements to identify the criteria to be used for evaluation of control design and effectiveness.  Review the relevant documents such as ADA Transition Plan, ADA Self-Evaluation Report, the Transition Plan Schedule, progress assessment reports, and the contract with the consultants.  Compare the process and controls against the best practices. Step 3 – Reporting In Step 3, the project team will perform tasks necessary to finalize audit working papers, prepare and review a draft report with the stakeholders, and submit a final audit report. Tasks include:  Develop findings, conclusions, and recommendations based on the supporting evidence gathered  Validate findings with the appropriate individuals and discuss the root cause of the identified findings  Complete supervisory review of working papers and a draft audit report  Distribute a draft audit report and conduct a closing meeting with key stakeholders o Discuss the audit results, finings, conclusions, and recommendations o Discuss management responses  Obtain written management responses and finalize a report  Review report with members of City Council and/or the appropriate Council Committee Deliverables: The following deliverable will be prepared as part of this engagement:  Audit Report Item 3 Late Packet Attachment B - OCA - FY2024 Annual Audit Plan Packet Pg. 56 14 Schedule of Performance Anticipated Start Date: January 1, 2024 Anticipated End Date: June 30, 2024 Maximum Compensation Amount and Rate Schedule The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this Task is $73,110. The not-to-exceed budget is based on an estimate of 385 total project hours, of which 15 are estimated to be completed by the City Auditor. Reimbursable Expenses We plan to complete all work remote including all interviews and documentation review. However, during the planning and fieldwork phases of this audit, the City and Baker Tilly may mutually determine it will be beneficial to perform a portion of the work on-site. Given this possibility, Baker Tilly could incur reimbursable expenses for this Task. The not-to-exceed maximum for reimbursable expenses for this Task is $6,500. The following summarizes anticipated reimbursable expenses:  Round-trip Airfare – $2,000 (1 round trip flights x 2 auditors)  Ground Transportation (car rental or Uber/taxi) - $800  Hotel accommodation - $3,000 (2 rooms x 4 nights)  Food and incidentals – $700 Item 3 Late Packet Attachment B - OCA - FY2024 Annual Audit Plan Packet Pg. 57 15 PROFESSIONAL SERVICES TASK ORDER TASK ORDER FY24-05 Various Reporting & City Hotline (Modified) Consultant shall perform the Services detailed below in accordance with all the terms and conditions of the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional, technical and supporting personnel required by this Task Order as described below. CONTRACT NO. C21179340 OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE) 1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): C21179340 1B. TASK O RDER NO.: FY24-05 2. CONSULTANT NAME: Baker Tilly US, LLP 3. PERIOD OF PERFORMANCE: START: July 1, 2023 COMPLETION: June 30, 2024 4 TOTAL TASK ORDER PRICE: $120,592 90,000 BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT TBD 5. BUDGET CODE_______________ COST CENTER________________ COST ELEMENT______________ WBS/CIP__________ PHASE__________ 6. CITY PROJECT MANAGER’S NAME & DEPARTMENT: Greg Tanaka, Chair of the City Council’s Policy and Services Committee 7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A) MUST INCLUDE:  SERVICES AND DELIVERABLES TO BE PROVIDED  SCHEDULE OF PERFORMANCE  MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable)  REIMBURSABLE EXPENSES, if any (with “not to exceed” amount) 8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A I hereby authorize the performance of the work described in this Task Order. APPROVED: CITY OF PALO ALTO BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ I hereby acknowledge receipt and acceptance of this Task Order and warrant that I have authority to sign on behalf of Consultant. APPROVED: COMPANY NAME: ______________________ BY:____________________________________ Name __________________________________ Title___________________________________ Date ___________________________________ Item 3 Late Packet Attachment B - OCA - FY2024 Annual Audit Plan Packet Pg. 58 16 Attachment A DESCRIPTION OF SCOPE OF SERVICES Introduction Attachment A, the Description of Scope of Services, contains the following four (4) elements:  Services and Deliverables To Be Provided  Schedule of Performance  Maximum Compensation Amount and Rate Schedule (As Applicable)  Reimbursable Expenses, if any (With “Not To Exceed” Amount) Services & Deliverables Baker Tilly will provide the following services in Task 5:  Quarterly Reports  Annual Status Report  Provision of the City Hotline  Office Administrative Functions, including quarterly follow-up activities and testing of corrective actions for the completed audits Deliverables: Legislative documents will be prepared to present the financial statements and reports prepared by an external auditor to the Finance Committee  Quarterly Reports (4 in FY24)  Annual Status Report Schedule of Performance Anticipated Start Date: July 1, 2023 Anticipated End Date: June 30, 2024 Maximum Compensation Amount and Rate Schedule The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this Task is $120,592 90,000. The not-to-exceed budget is based on an estimate of 440 300 total project hours, of which 170 are estimated to be completed by the City Auditor. Reimbursable Expenses Baker Tilly anticipates several site visits by the City Auditor throughout FY2024 planning one on-site fieldwork week. Given this possibility, Baker Tilly could incur reimbursable expenses for this Task. Item 3 Late Packet Attachment B - OCA - FY2024 Annual Audit Plan Packet Pg. 59 17 The not-to-exceed maximum for reimbursable expenses for this Task is $19,500 19,000. The following summarizes anticipated reimbursable expenses:  Round-trip Airfare – $6,000 (6 round trip flights)  Ground Transportation (car rental or Uber/taxi) - $2,400  Hotel accommodation - $9,000 (24 nights)  Food and incidentals – $2,100 1,600 Item 3 Late Packet Attachment B - OCA - FY2024 Annual Audit Plan Packet Pg. 60 3 4 1 3 Policy & Services Committee Staff Report From: City Manager Report Type: ACTION ITEMS Lead Department: City Auditor Meeting Date: December 12, 2023 Report #:2310-2182 TITLE Office of City Auditor Presentation of the Wastewater Treatment Plant Agreement Audit Report; CEQA Status - Not a Project RECOMMENDATION The City Auditor recommends that the Policy and Services Committee recommend the City Council approve the Wastewater Treatment Plant Agreement Audit Report. BACKGROUND Baker Tilly, in its capacity serving as the Office of the City Auditor (OCA), performed a citywide risk assessment that assessed a wide range of risk areas, including strategic, financial, operational, compliance, technological, and reputation risks. The purpose of the assessment was to identify and prioritize risks to develop the annual audit plan. During the FY2022 risk assessment (ID#13914)1, the OCA identified risks associated with wastewater treatment plant operations. ANALYSIS The objectives of this review were to: 1) Determine whether adequate controls are in place and working effectively to ensure that costs related to the wastewater treatment plant are properly accounted for and allocated. 2) Determine whether adequate controls are in place and working effectively to ensure the compliance with contracts and regulations. The OCA interviewed City employees and reviewed 39 Regional Water Quality Control Plant (RWQCP) contracts and amendments the City manages. The OCA also reviewed the transactions 1 https://www.cityofpaloalto.org/files/assets/public/v/8/agendas-minutes-reports/agendas-minutes/city-council- agendas-minutes/2022/20220404/20220404pccsmamendedlinked1.pdf Item 4 Item 4 Late Packet Report Packet Pg. 61 3 4 1 3 and documents in our audit period (from July 1, 2020, to May 30, 2022) for control testing, such as billing and compliance monitoring activities. FISCAL/RESOURCE IMPACT STAKEHOLDER ENGAGEMENT ENVIRONMENTAL REVIEW ATTACHMENTS APPROVED BY: Item 4 Item 4 Late Packet Report Packet Pg. 62 1 December 12, 2023 City of Palo Alto Office of the City Auditor Wastewater Treatment Plant Agreement Audit Item 4 Late Packet Attachment A - OCA - Wastewater Treatment Plant Agreement Packet Pg. 63 Contents Baker Tilly US, LLP, trading as Baker Tilly, is an independent member of Baker Tilly International. Baker Tilly International Limited is an English company. Baker Tilly International provides no professional services to clients. Each member firm is a separate and independent legal entity, and each describes itself as such. Baker Tilly US, LLP is not Baker Tilly International’s agent and does not have the authority to bind Baker Tilly International or act on Baker Tilly International’s behalf. None of Baker Tilly International, Baker Tilly US, LLP nor any of the other member firms of Baker Tilly International has any liability for each other’s acts or omissions. The name Baker Tilly and its associated logo is used under license from Baker Tilly International Limited. EXECUTIVE SUMMARY ................................................................................................. 1 INTRODUCTION ............................................................................................................. 3 DETAILED ANALYSIS ................................................................................................... 6 AUDIT RESULTS ............................................................................................................ 8 APPENDICES ............................................................................................................... 12 Item 4 Late Packet Attachment A - OCA - Wastewater Treatment Plant Agreement Packet Pg. 64 1 Executive Summary Purpose of the Audit Baker Tilly US, LLP (Baker Tilly), in its capacity serving as the Office of the City Auditor (OCA) for the City of Palo Alto (the City), conducted a Wastewater Treatment Plant Agreement Audit based on the approved Task Order 4.15. The objectives of this review were to: 1) Determine whether adequate controls are in place and working effectively to ensure that costs related to the wastewater treatment plant are properly accounted for and allocated. 2) Determine whether adequate controls are in place and working effectively to ensure the compliance with contracts and regulations. Report Highlights Finding 1: Invoice and Payment Due Dates (Page 8) The OCA judgmentally selected eight invoices from the FY21 and FY22 quarterly/annual invoices sent to five partner agencies to include diverse samples and reconciled the invoices and supporting documents as well as the payment information against the billing and payment requirements in the agreements. Six invoices were sent to the partner agencies eight days to two and a half months late, and one payment was received more than 100 days late due to incomplete supporting documents sent to the partner agency. Each agreement with a partner agency includes billing and payment requirements as summarized in Table 1 in the Detailed Analysis section. The languages and requirements differ among the Regional Water Quality Control Plant (RWQCP) agreements, especially for amendments including additional capital project costs. The variety and inconsistency of billing and payment requirements among multiple agreements may cause the agencies to be susceptible to noncompliance, errors, slower cash inflows, and inefficiency. Key Recommendations The City’s management should evaluate all billing and payment requirements in the existing contracts to determine whether there is any reason preventing the agencies from making the requirements and language in the RWQCP contracts more consistent. . If there is no reason, management should standardize billing and payment requirements for all RWQCP contracts in order to improve the efficiency of billing and monitoring of payments and ensure compliance with the requirements. Additionally, the City’s management should formalize the internal controls and processes to ensure timely submission of invoices with adequate supporting documents and partner agencies’ compliance with payment requirements. Finding 2: Industrial Waste Surveys (Page 9) The City has the Industrial Waste Pretreatment Program (IWPP) in which the City’s staff members perform permitting, monitoring, and enforcing Industrial Waste Discharge Permits for the entire RWQCP service area (except for the City of Mountain View operating portion of the IWPP). The agreements require the partner agencies to update the industrial waste survey (IWS) and provide the update annually to the City. However, the City currently does not receive the surveys. The surveys are updated informally by discussing new facilities during quarterly coordination meetings or receiving e-mail Item 4 Late Packet Attachment A - OCA - Wastewater Treatment Plant Agreement Packet Pg. 65 2 EXECUTIVE SUMMARY updates on auto and dental facility lists. For some partner agencies, the IWS is not routinely requested or required in the agreement. As the City’s RWQCP management meets with partner agencies periodically to discuss the IWS-related items, this process is being used in place of requiring formal IWS updates from each partner agency. Without submitting annual IWS updates to the City, the partner agencies are non- compliant with this requirement in the agreements. Key Recommendations The City’s Public Works management should obtain the necessary IWS updates from all partner agencies to ensure compliance with pretreatment laws, regulations, and discharge permits until the contracts are amended. Management should evaluate the adequacy of the current informal survey update practice for effective administration and operation of the IWPP and either enforce the current agreement requirements or amend the language in the contract as necessary to refine the partner agencies’ responsibilities. Finding 3: Compliance Monitoring (Page 10) The OCA noted that the timeliness of payments from the partner agencies is not being monitored even though some contracts include a delinquent payment clause that requires interest to be accrued on the unpaid balance. For other requirements in contracts, individual requirements are monitored and performed by different individuals. However, there are currently no policies and procedures to formalize the compliance monitoring processes for RWQCP contracts and no centralized monitoring mechanism to ensure all contract requirements are executed as intended. As listed in the Scope section of this report, RWQCP has 39 contracts and amendments with several partner agencies. Keeping track of agreement requirements and monitoring compliance with them are necessary for successful construction, operation, and maintenance of RWQCP due to various reasons such as:  The billing and payment requirements differing among agreements and vary based on the type of costs.  An addendum being added for a new project with different debt service billing and payment requirements.  Compliance with regulations and permits that is essential to carry out RWQCP’s mission.  Cost allocation depending on capacity rights, certain cost and wastewater data, debt service schedules, and other allocation methods that are described and updated in the contracts for each type of cost and revenue. It is important to identify compliance issues and resolve them in a timely manner. Without policies and procedures and a formal monitoring mechanism, the City cannot ensure that all contract requirements are met to successfully construct, operate, and maintain RWQCP or collect interest penalties that are due to the City. Key Recommendations The City’s management should establish RWQCP policies and procedures to implement a formal monitoring mechanism that will ensure contract requirements are met. Roles and responsibilities and the expectations of various City departments should be clearly defined. When an issue or a potential issue is identified, appropriate actions should be taken in a timely manner. The policies and procedures should provide guidelines for appropriate actions such as communication/escalation and contract amendments. Item 4 Late Packet Attachment A - OCA - Wastewater Treatment Plant Agreement Packet Pg. 66 3 Introduction 1 https://www.cityofpaloalto.org/files/assets/public/agendas-minutes-reports/agendas-minutes/finance- committee/2022/20221129/20221129pfcsm-linked.pdf Objective The objectives of this review were to: 1) Determine whether adequate controls are in place and working effectively to ensure that costs related to the wastewater treatment plant are properly accounted for and allocated. 2) Determine whether adequate controls are in place and working effectively to ensure the compliance with contracts and regulations. Background The “Basic Agreement Between the City of Palo Alto, the City of Mountain View and the City of Los Altos for Acquisition, Construction and Maintenance of a Joint Sewer System” (Basic Agreement) was executed in 1968. As the City of Palo Alto (the City) is the owner of the joint sewer system and the Administrator of the Basic Agreement, its Public Works department is responsible for operations and capital projects of the Regional Water Quality Control Plant (RWQCP) that treats wastewater before it is discharged to San Francisco Bay. The Basic Agreement has been amended in the following years, which included the Addendum No. Eight to the Basic Agreement that extended the contract term to December 31, 2060. These three communities are entitled to use the proportion of the capacity of the joint sewer system based on the capacity rights defined in the contracts. The costs of acquisition, construction, maintenance, and operations as well as revenue from services and sales are shared in proportion as specifically described for each cost category and each project in the contracts. The City also entered into separate agreements with the East Palo Alto Sanitary District, the Town of Los Altos Hills, and Stanford to share the City’s proportionate share of the cost and use. The costs of operating and maintenance and major capital improvement projects are paid by each community based on allocation formula and schedules described in the contracts. As the Administrator of the Basic Agreement as well as three separate agreements, the City sends bills to the five communities noted above in advance on a quarterly basis. The billing amount is based on the estimated annual costs of the operation and maintenance. The City adjusts one of the quarterly bills in the subsequent year to offset the difference between the billed amounts and actual costs. The Basic Agreement requires that the City’s independent auditor conduct an audit of the RWQCP financial statements each year to express an opinion on the fair presentation of the net expenditures and quarterly billings in accordance with the financial reporting provisions of the Basic Agreement. The audited RWQCP Financial Statements for the year ended June 30, 20221, shows the following percentages used to allocate costs and revenues: Item 4 Late Packet Attachment A - OCA - Wastewater Treatment Plant Agreement Packet Pg. 67 4 INTRODUCTION The agreements and subsequent amendments include the following to be used for allocation of the costs of capital improvement projects: Scope The OCA reviewed the following 39 RWQCP contracts and amendments the City manages:  Basic Agreement, Supplementals, and subsequent Addendums No. One through No. Ten  First Amended and Restated Contract No. C059999 Between the City of Palo Alto and the City of Mountain View for Implementation and Operation of the SWRCB Water Recycling Project (June 18, 2007) and subsequent Amendment No. 1  Agreement Between the City of Palo Alto and the Town of Los Altos Hills for Sewage Transportation, Treatment and Disposal (March 18, 1968) and subsequent Amendments No. 1 through No. 7  Contract No. C869 Between the City of Palo Alto and the Board of Trustees of the Leland Stanford Junior University (November 30, 1956) and subsequent Amendments No. One through No. Seven  Second Amended and Restated Agreement Between the City of Palo Alto and the East Palo Alto Sanitary District for Wastewater Treatment and District Outfall (May 17, 2021) City of Mountain View 40.22% City of Los Altos 11.58% City of Palo Alto 32.37% 48.20% East Palo Alto Sanitary District 7.29% Stanford University 6.19% Town of Los Altos Hills 2.35% Maintenance and Operation Costs & Joint System Revenue Source: Note 2 - Summary of Significant Accounting Policies City of Palo Alto Regional Water Quality Control Plant Independent Auditor's Report and Financial Statements For the Year Ended June 30, 2022 City of Mountain View 37.89% City of Los Altos 9.47% City of Palo Alto 38.16% 52.64% East Palo Alto Sanitary District 7.64% Stanford University 5.26% Town of Los Altos Hills 1.58% Debt Services Expenditures This table does not apply to the Refunding 1990 Series A Bonds Source: EXHIBIT H - Annual Average Flow Capacity Rights Second Restated and Amended Agreement Between the City of Palo Alto and the East Palo Alto Sanitary District for Wastewater Treatment and District Outfall Item 4 Late Packet Attachment A - OCA - Wastewater Treatment Plant Agreement Packet Pg. 68 5 INTRODUCTION 2 Government auditing standards require an external peer review at least once every three (3) years. The last peer review of the Palo Alto Office of the City Auditor was conducted in 2017. The Palo Alto City Council approved a contract from October 2020 through June 2022 with Baker Tilly US, LLP (Baker Tilly) and appointed Kyle O’Rourke, Senior Consulting Manager in Baker Tilly's Public Sector practice, as City Auditor. Given the transition in the City Audit office, a peer review was not conducted in 2020 and will be conducted after the third year of Baker Tilly’s contract.  Partnership Agreement to Advance Resilient Water Reuse Programs in Santa Clara County between the City of Palo Alto, the City of Mountain View, and the Santa Clara Valley Water District (Valley Water Agreement) (December 10, 2019)  Effluent Transfer Agreement Between the City of Palo Alto and City of Los Altos (June 7, 2021) The OCA reviewed the transactions and documents in our audit period (from July 1, 2020, to May 30, 2022) for control testing. Methodology To achieve the audit objectives, the OCA performed the following procedures:  Interviewed the appropriate City employees to understand the roles and responsibilities and processes related to the contract administration.  Reviewed the contracts to identify the contract requirements to be tested for the City’s compliance monitoring activities.  Reviewed the documents (such as supporting documents for billing, reports, and meeting minutes) showing cost allocations and compliance monitoring activities. Compliance Statement This audit activity was conducted from June 2022 to October 2022 in accordance with generally accepted government auditing standards, except for the requirement of an external peer review2. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Organizational Strengths During this audit activity, we observed that invoices to partner agencies are itemized and accompanied by cost allocation calculations based on a flow report and schedules, which makes it easier for each partner agency to confirm the rates. The Office of the City Auditor greatly appreciates the support of the Public Works Department and Administrative Services Department in conducting this audit activity. Thank you! Item 4 Late Packet Attachment A - OCA - Wastewater Treatment Plant Agreement Packet Pg. 69 6 Detailed Analysis RWQCP Contracts The Basic Agreement was originally signed in October 1968 and has been amended 10 times (as of June 2022). It requires that the City act as the Administrator to administer the contract. The significant sections of the Basic Agreement include:  Design, ownership, and capacity rights of the joint system  Acquisition and construction of the joint system  Sharing of the costs of acquisition and construction, reconstruction, and maintenance and operation  Payment of the costs  Revenue from services and sales of wastewater for reuse The Supplementals to the Basic Agreement and separate agreements with other partner agencies include the requirements pertaining to:  Pretreatment program to comply with federal, state, or local regulations and applicable discharge permits  Capital projects and financing (The major projects planned are listed in Appendix A.) The audited RWQCP Financial Statements for the year ended June 30, 2022¹, lists the following bonds and loans financing RWQCP capital projects: o 1999 Utility Revenue Refunding Bonds (1999 Wastewater Treatment New Project & Refunding of 1990 Series A Bonds) o 2009 State Water Resource Loan o 2017 State Water Resource Loan The OCA reviewed the requirements in 39 RWQCP agreements and amendments within the audit scope (see the Scope section of this report) and summarized the various requirements related to billings and payments in Table 1 in the following page. Power and Duties of the Administrator* a) Supervise and administer the contract between the parties for the operation and maintenance of the Joint System. b) Maintain and operate the Joint System and preserve it is good repair and working order, all in accordance with recognized sound engineering practice. c) Maintain records of all revenues and expenditures incurred in connection with operation and maintenance of the Joint System. The accounting system shall be based on “Uniform System of Accounts for Waste Water Utilities” as published by the Water Pollution Control Federation. d) Arrange for an independent annual audit of the accounts of the Joint System. e) Measure and keep accurate records of the measurements of sewage flow. * Paragraph 11, “Basic Agreement Between the City of Palo Alto, the City of Mountain View and the City of Los Altos for Acquisition, Construction and Maintenance of a Joint Sewer System” executed October 10, 1968 Item 4 Late Packet Attachment A - OCA - Wastewater Treatment Plant Agreement Packet Pg. 70 7 DETAILED ANALYSIS Table 1: Requirements for Billing and Payments Partner Agency Contract Requirements Bill Amount Billing Due Date Payment Due De Ture-up* Billing (*Offset of the difference between the billed amounts and actual costs Interest on the excess/deficit payments over/under actual costs Interest on delinquent payments City of Mountain View One-fourth of proportionate share of the cost of maintenance and operation as estimated by February 15th July October (debt payment) January April (debt payment) [Dates are not specified] Maintenance and Operation • August 15 • November 15 • February 14 • May 15 Project Costs • 30 business days of receipt of the quarterly billing statement • 10 business days of receipt of the quarterly billing statement for Ultra-Violet Treatment Project October Yes No City of Los Altos One-fourth of proportionate share of the cost of maintenance and operation as estimated by February 15th July October (debt payment) January April (debt payment) [Dates are not specified] Maintenance and Operation • August 15 • November 15 • February 15 • May 15 Project Costs • 30 business days of receipt of a quarterly billing statement • 10 business days of receipt of a quarterly billing statement for Ultra-Violet Treatment Project October Yes No East Palo Alto Sanitary District One-fourth of proportionate share of the cost of maintenance and operation as estimated by July 1 July 31 October 31 January 31 May 1 [“Not later than thirty (30) days after July 1, October 1, January 1, and April 1, of each year”] Maintenance and Operation Later of: • August 15 /November 15 /February 15 /May 16, or • 25 business days of receipt of a quarterly billing statement Project Costs • 30 business days of receipt of a quarterly billing statement • 10 business days of receipt of the quarterly billing statement for Ultraviolet Disinfection Facility Project • October to reflect the actual costs for immediately prior fiscal year • April to reflect the estimated costs to be incurred between April 1 and July adjusted the actual costs for the first three quarters of fiscal year prior to April 1 Yes Yes Stanford University Based on the schedule of payments August 1st Bond • December 1 Project Costs • 30 business days of receipt of an annual billing statement for Ultra-Violet Treatment Project and Outfall Project and the Primary Sedimentation Tank Rehabilitation Project • 10 business days of receipt of an annual billing statement Upon completion of the project and certification of the costs No Yes Town of Los Altos Hills Based on the schedule of payments August 1st Bond • December 1 Project Costs • 30 business days of receipt of an annual billing statement for Ultra-Violet Treatment Project and Outfall Project and the Primary Sedimentation Tank Rehabilitation Project • 10 business days of receipt of an annual billing statement Upon completion of the project and certification of the costs No Yes Item 4 Late Packet Attachment A - OCA - Wastewater Treatment Plant Agreement Packet Pg. 71 8 Audit Results Finding 1: Invoice and Payment Due Dates The City sends invoices on a quarterly basis to three partner agencies (City of Mountain View, City of Los Altos, and the East Palo Alto Sanitary District) and on an annual basis to two partner agencies (Stanford University and Town of Los Altos Hills). Out of 26 invoices the City sent to these five partner agencies, The OCA judgmentally selected eight invoices to include at least one invoice prepared for each quarter in our audit period and at least one invoice for each partner agency and reviewed the invoices and supporting documents as well as the payment information against the billing and payment requirements in the agreements. The review of eight invoices revealed the following:  Two invoices that are required to be sent annually on or before August 1st were dated October 15, 2021, and October 16, 2022, respectively.  Two quarterly invoices were sent in January and another two quarterly invoices were sent in July as required by the Basic Agreement. However, they were dated about eight to nineteen days later than management’s intended invoice dates, January 1st and July 1st respectively. The agreements require payments by February 14th and August 15th for a January invoice and a July invoice, respectively.  One payment that was required to be deposited by August 15th was received on October 28th, which was over 100 days late due to incomplete supporting documents sent to the partner agency. Each agreement with a partner agency includes billing and payment requirements as summarized in Table 1 in the Detailed Analysis section. The languages and requirements differ among RWQCP’s agreements, especially for amendments including additional capital project costs. Some agreements require a payment within 30 business days of receipt of an invoice while others require a payment within 10 business days. Billing due dates also differ among the agreements. Billing for three partner agencies is due quarterly in January, April, July, and October while billing for two partner agencies is due once a year in August. The variety and inconsistency of billing and payment requirements among multiple agreements may cause the agencies to be susceptible to noncompliance, errors, slower cash inflows, and inefficiency. Recommendation The City’s management should evaluate all billing and payment requirements in the existing contracts to determine whether there is any reason preventing the agencies from making the requirements and language in the RWQCP contracts more consistent. If there is no reason, management should standardize billing and payment requirements for all RWQCP contracts in order to improve the efficiency of billing and monitoring of payments and ensure compliance with the requirements. Item 4 Late Packet Attachment A - OCA - Wastewater Treatment Plant Agreement Packet Pg. 72 9 AUDIT RESULTS Additionally, the City’s management should formalize the internal controls and processes to ensure timely submission of invoices with adequate supporting documents and partner agencies’ compliance with payment requirements. Management Response Responsible Department(s): Public Works Department; Administrative Services Department Concurrence: Agree Target Date: July 25, 2025 Action Plan: The City agrees that it would be beneficial to make billing practices consistent between agencies. The City has made changes to improve the clarity of quarterly and annual bills by including the due date and potential late fees. The City will modify existing partner agreements as other updates are made to clarify the billing frequency and ensure standardization amongst all the partners, with a target date of July 2025 based on current capital project schedules. Finding 2: Industrial Waste Surveys The City has the Industrial Waste Pretreatment Program (IWPP) in which the City’s staff members perform permitting, monitoring, and enforcing Industrial Waste Discharge Permits for the entire RWQCP service area (except for the City of Mountain View operating portion of the IWPP). The contracts with partner agencies describe the Sewer Use Ordinance that is as stringent as the Federal Pretreatment Regulations and enforced via permits. The costs of the program are shared among the partner agencies and included in their quarterly or annual invoices. The contracts require the partner agencies to update the industrial waste survey (IWS) and provide the update annually to the City. However, the City currently does not receive the surveys. The RWQCP management explains that the City does not have all FY21 survey updates because the Pretreatment Program Manager in the beginning of FY21 who would have requested and received the survey updates via email is no longer employed by the City. Currently, the surveys are updated informally as follows:  For two partner agencies, new facilities are discussed during quarterly coordination meetings.  For one partner agency, e-mail updates on auto and dental facility lists are received.  For one partner agency, the IWS is not currently routinely requested although the staff is working on improving the practice.  One partner agency is not required to update the IWS in the agreement. As the City’s RWQCP management meets with partner agencies periodically to discuss the IWS-related items, this process is being used in place of requiring formal IWS updates from each partner agency. Item 4 Late Packet Attachment A - OCA - Wastewater Treatment Plant Agreement Packet Pg. 73 10 AUDIT RESULTS Without submitting annual IWS updates to the City, the partner agencies are non-compliant with this requirement in the agreements. Recommendation The City’s Public Works management should obtain the necessary IWS updates from all partner agencies to ensure compliance with pretreatment laws, regulations, and discharge permits until the contracts are amended. Management should evaluate the adequacy of the current informal survey update practice for effective administration and operation of the IWPP and either enforce the current agreement requirements or amend the language in the contract as necessary to refine the partner agencies’ responsibilities. Management Response Responsible Department(s): Public Works Department Concurrence: Agree Target Date: September 2024 Action Plan: The City agrees that the City should obtain necessary Industrial Waste Survey updates from all partner agencies in a more formalized way. Starting in FY25, the City will send out formal requests to all Partner Agencies to review and approve/edit the Industrial Waste Surveys for their jurisdictions. This requirement will be evaluated for any needed revisions whenever as the Partner Agreements are reopened for other reasons. Finding 3: Compliance Monitoring The OCA noted that the timeliness of payments from the partner agencies is not being monitored even though some contracts include a delinquent payment clause that requires interest to be accrued on the unpaid balance. For other requirements in contracts, individual requirements are monitored and performed by different individuals. However, there are currently no policies and procedures to formalize the compliance monitoring processes for RWQCP contracts and no centralized monitoring mechanism to ensure all contract requirements are executed as intended. The RWQCP operations, finances, and staff (over 55 staff members) are overseen by the Water Quality Control Plant Manager in the Water Quality Control Plant group of the City’s Public Works Department who also works with the Industrial Waste Pretreatment Program (IWPP) staff members and the accounting team of the Administrative Services Department. As listed in the Scope section of this report, RWQCP has 39 contracts and amendments with several partner agencies. Keeping track of agreement requirements and monitoring compliance with them are necessary for successful construction, operation, and maintenance of RWQCP due to the following:  Some contracts are old and have multiple amendments. Item 4 Late Packet Attachment A - OCA - Wastewater Treatment Plant Agreement Packet Pg. 74 11 AUDIT RESULTS 3 “The mission of the Regional Water Quality Control Plant (RWQCP) is to protect San Francisco Bay by cleaning and treating wastewater before it is discharged to San Francisco Bay.” https://cleanbay.org/our-programs/regional-water-quality- control-plant/#RWQCP  The billing and payment requirements differ among agreements and vary based on the type of costs.  An addendum continues to be added for a new project with different debt service billing and payment requirements.  Compliance with regulations and permits as described in the agreements is essential to carry out RWQCP’s mission3.  Cost allocation depends on capacity rights, certain cost and wastewater data, debt service schedules, and other allocation methods described and updated in the agreements for each type of costs and revenue. It is important to identify compliance issues and resolve them in a timely manner. Without policies and procedure and a formal monitoring mechanism, the City cannot ensure that all contract requirements are met to successfully construct, operate, and maintain RWQCP or collect interest penalties that are due to the City. Recommendation The City’s management should establish RWQCP policies and procedures to implement a formal monitoring mechanism that will ensure contract requirements are met. Roles and responsibilities of various City departments, functions, and employees and the expectations should be clearly defined. To implement a monitoring mechanism, the City’s Public Works management should assign specific requirements to be monitored or performed to the appropriate staff members or teams, if necessary, and have an individual responsible for overall compliance verify compliance with all requirements periodically. When an issue or a potential issue is identified, appropriate actions should be taken in a timely manner. The policies and procedures should provide guidelines for appropriate actions such as communication/escalation and contract amendments. Management Response Responsible Department(s): Public Works Department Concurrence: Agree Target Date: December 31, 2023 Action Plan: The City has drafted an internal Standard Operating Procedure to formally monitor tracking and receipt of payments from partner agencies and will complete reviews and distribution. Item 4 Late Packet Attachment A - OCA - Wastewater Treatment Plant Agreement Packet Pg. 75 12 AUDIT RESULTS Appendix A: Resumes Appendices Item 4 Late Packet Attachment A - OCA - Wastewater Treatment Plant Agreement Packet Pg. 76 13 Appendix A: Summary of FY23-FY27 Capital Budget in Wastewater Treatment Fund According to the City of Palo Alto Fiscal Year 2023 Adopted Capital Budget4,  Six agencies using RWQCP serve 250,000 residents.  Expenditures of approximately $289.0M are programmed for the Wastewater Treatment Fund, which is 53 % of the City’s 2023-2027 Capital Improvement Program Projects ($193.2M are allocated in FY2023).  The costs are recovered from the Palo Alto Wastewater Collection Fund and five partner agencies.  Total ten projects are programmed: A. Buildings and Facilities 1. New Laboratory and Environmental Services Building (Fiscal Year 2023: $2.6 million; 5- Year CIP: $23.7 million). 2. Plant Master Plan (Fiscal Year 2023: $0.2 million; 5-Year CIP: $2.1 million) B. System Improvements 1. Plant Repair, Retrofit, and Equipment Replacement (Fiscal Year 2023: $ 10.5million; 5- Year CIP: $26.2 million) 2. Advanced Water Purification Facility (Fiscal Year 2023: $17.1 million; 5-Year CIP: $17.1 million) 3. Headworks Facility Replacement (Fiscal Year 2023: $4.8 million; 5-Year CIP: $48.8 million) 4. Horizontal Levee Pilot (Fiscal Year 2023: $0.2 million; 5-Year CIP $0.7 million) 5. Joint Intercepting Sewer Rehabilitation (5-year CIP $12.6 million) 6. Outfall Line Construction (Fiscal Year 2023: $10.6 million; 5-Year CIP: $10.6 million) 7. Primary Sedimentation Tank Rehabilitation (Fiscal Year 2023: $2.6 million; 5-Year CIP: $2.6 million) 8. Secondary Treatment Upgrades (Fiscal Year 2023: $144.7 million; 5-Year CIP: $144.7 million) 4 https://www.cityofpaloalto.org/files/assets/public/administrative-services/city-budgets/fy2023-city-budget/adopted- fy23/capital-budget_final-4-online-version.pdf Item 4 Late Packet Attachment A - OCA - Wastewater Treatment Plant Agreement Packet Pg. 77 14 Appendix B: Management Response Findings and Recommendation Responsible Department(s) Agree, Partially Agree, or Do Not Agree and Target Date and Corrective Action Plan Finding 1: Invoice and Payment Due Dates The City’s management should evaluate all billing and payment requirements in the existing contracts to determine whether there is any reason preventing the agencies from making the requirements and language in the RWQCP contracts more consistent. If there is no reason, management should standardize billing and payment requirements for all RWQCP contracts in order to improve the efficiency of billing and monitoring of payments and ensure compliance with the requirements. Additionally, the City’s management should formalize the internal controls and processes to ensure timely submission of invoices with adequate supporting documents and partner agencies’ compliance with payment requirements Public Works / Administrative Services Concurrence: Agree Target Date: July 2025 Action Plan: The City agrees that it would be beneficial to make billing practices consistent between agencies. The City has made changes to improve the clarity of quarterly and annual bills by including the due date and potential late fees. The City will modify existing partner agreements as other updates are made to clarify the billing frequency and ensure standardization amongst all the partners, with a target date of July 2025 based on current capital project schedules. Finding 2: Industrial Waste Surveys The City’s Public Works management should obtain the necessary IWS updates from all partner agencies to ensure compliance with pretreatment laws, regulations, and discharge permits until the contracts are amended. Management should evaluate the adequacy of the current informal survey update practice for effective administration and operation of the IWPP and either enforce the current agreement requirements or amend the language in the contract as necessary to refine the partner agencies’ responsibilities. Public Works Concurrence: Agree Target Date: September 2024 Action Plan: The City agrees that the City should obtain necessary Industrial Waste Survey updates from all partner agencies in a more formalized way. Starting in FY25, the City will send out formal requests to all Partner Agencies to review and approve/edit the Industrial Waste Surveys for their jurisdictions. Finding 3: Compliance Monitoring The City’s management should establish RWQCP policies and procedures to implement a formal monitoring mechanism that will ensure contract requirements are met. Roles and responsibilities of various City departments, functions, and employees and the expectations should be clearly defined. To implement a monitoring mechanism, the City’s Public Works management should assign specific requirements to be monitored or Public Works Concurrence: Agree Target Date: December 31, 2023 Action Plan: Item 4 Late Packet Attachment A - OCA - Wastewater Treatment Plant Agreement Packet Pg. 78 15 Findings and Recommendation Responsible Department(s) Agree, Partially Agree, or Do Not Agree and Target Date and Corrective Action Plan performed to the appropriate staff members or teams, if necessary, and have an individual responsible for overall compliance verify compliance with all requirements periodically. When an issue or a potential issue is identified, appropriate actions should be taken in a timely manner. The policies and procedures should provide guidelines for appropriate actions such as communication/escalation and contract amendments. The City has drafted an internal Standard Operating Procedure to formally monitor tracking and receipt of payments from partner agencies and will complete reviews and distribution. Item 4 Late Packet Attachment A - OCA - Wastewater Treatment Plant Agreement Packet Pg. 79 3 4 1 7 Policy & Services Committee Staff Report From: City Auditor Report Type: ACTION ITEMS Lead Department: City Auditor Meeting Date: December 12, 2023 Report #:2310-2183 TITLE Office of the City Auditor Presentation of the Investment Management Audit Report; CEQA Status - Not a Project RECOMMENDATION The City Auditor recommends that the Policy and Services Committee recommend the City Council approve the Investment Management Audit Report. BACKGROUND Baker Tilly, in its capacity serving as the Office of the City Auditor (OCA), performed a citywide risk assessment that assessed a wide range of risk areas, including strategic, financial, operational, compliance, technological, and reputation risks. The purpose of the assessment was to identify and prioritize risks to develop the annual audit plan. During the FY2022 risk assessment (ID#13914)1, the OCA identified risks associated with Investment Management. ANALYSIS The objectives of this review were to: 1) Determine whether adequate controls are in place and working effectively to ensure that investments are properly managed in accordance with the investment policy. 2) Assess the efficiency and the effectiveness of the investment portfolio management against the best practice. 1 https://www.cityofpaloalto.org/files/assets/public/v/8/agendas-minutes-reports/agendas-minutes/city-council- agendas-minutes/2022/20220404/20220404pccsmamendedlinked1.pdf Item 5 Item 5 Late Packet Report Packet Pg. 80 3 4 1 7 The OCA evaluated the processes and controls that safeguard the City’s investment of pooled idle cash to which the City’s Investment Policy is applied to and tested the selected controls by reviewing a sample of investment activities between July 1, 2020, to March 26, 2023. FISCAL/RESOURCE IMPACT STAKEHOLDER ENGAGEMENT ENVIRONMENTAL REVIEW ATTACHMENTS APPROVED BY: Item 5 Item 5 Late Packet Report Packet Pg. 81 1 December 12, 2023 City of Palo Alto Office of the City Auditor Investment Management Audit Item 5 Late Packet Attachment A - OCA - Investment Management Packet Pg. 82 Contents Baker Tilly US, LLP, trading as Baker Tilly, is an independent member of Baker Tilly International. Baker Tilly International Limited is an English company. Baker Tilly International provides no professional services to clients. Each member firm is a separate and independent legal entity, and each describes itself as such. Baker Tilly US, LLP is not Baker Tilly International’s agent and does not have the authority to bind Baker Tilly International or act on Baker Tilly International’s behalf. None of Baker Tilly International, Baker Tilly US, LLP nor any of the other member firms of Baker Tilly International has any liability for each other’s acts or omissions. The name Baker Tilly and its associated logo is used under license from Baker Tilly International Limited. EXECUTIVE SUMMARY ................................................................................................. 1 INTRODUCTION ............................................................................................................. 3 DETAILED ANALYSIS ................................................................................................... 6 AUDIT RESULTS .......................................................................................................... 10 APPENDICES ............................................................................................................... 16 Item 5 Late Packet Attachment A - OCA - Investment Management Packet Pg. 83 1 Executive Summary Purpose of the Audit Baker Tilly US, LLP (Baker Tilly), in its capacity serving as the Office of the City Auditor (OCA) for the City of Palo Alto (the City), conducted an Investment Management Audit based on the approved Task Order 4.17. The objectives of this review were to: 1) Determine whether adequate controls are in place and working effectively to ensure that investments are properly managed in accordance with the investment policy. 2) Assess the efficiency and the effectiveness of the investment portfolio management against the best practice. Report Highlights Finding 1: Segregation of duties and oversight of investment activities (Page 10) The City’s Administrative Services Department (ASD)’s Treasury Division includes the investment function. The day-to-day operations of the investment function are performed by the Manager of Treasury, Debt, Investment (Manager). The Assistant Director of ASD (Assistant Director) oversees the function and has delegated the responsibility for managing the investment program to the Manager and authorized him to enter into the investment within the parameters set in the City’s Investment Policy. The Manager performs all tasks to manage the investment program as well as initiating wire transactions among all responsibilities of the Treasury Division. While an approval is required prior to sales of investments, formal independent reviews of investment purchase decisions prior to purchases are not in place. When the Manager is out of office, there is no backup personnel to buy/sell securities. The limited staffing of the Treasury Division and untimely authorization of investment activities cause a concern for the inadequate segregation of duties in the investment function even through there are some segregations of duties: the purchased investments are required to be delivered to the City’s safekeeping custodian and recorded in the City’s accounting system by the Accounting team. Without adequate segregation of duties, the City has a higher risk of not preventing and detecting errors and fraudulent transactions in a timely manner. As mitigating controls, increased monitoring and oversight of the investment function are required. Key Recommendations The City should implement a formal process for a review and approval of investment activities by the Assistant Director and, if required, the Director prior to placing an order to buy or sell securities. Approvals should be documented. Additionally, the City should reassess the City’s Investment Policy to ensure that the City will comply with the requirement to perform a monthly performance review described in the City’s Investment Policy and address Section 53607 of California Government Code that requires submission of a monthly report of investment transactions to the City Council. Furthermore, the City should continue the efforts to adjust the staffing of the investment function to assign responsibilities to ensure adequate internal controls are in place for prevention of the loss of public funds arising from errors, imprudent actions, and fraud. Item 5 Late Packet Attachment A - OCA - Investment Management Packet Pg. 84 2 EXECUTIVE SUMMARY Finding 2: Supporting documents for investment activities (Page 13) The OCA reviewed 58 out of 850 investment activities from July 1, 2020, to March 26, 2023, and noted inadequate or lack of supporting documents related to the following:  Manager’s investment decisions  Quotations from authorized brokers and dealers  Qualification of brokers and dealers  Broker’s acknowledgement of the applicable California Government Code sections and the City’s Investment Policy Adequate supporting documents for investment decisions and transactions are important for transparency and accountability. The supporting documents provide the necessary information to demonstrate the validity, accuracy, and compliance to the approvers of the decisions and transactions and the oversight functions such as auditors and an oversight committee. Key Recommendations The City’s ASD should implement a procedure to assemble and maintain adequate supporting documents such as the cash flow forecasts and evaluation of quotations for each investment decision and transaction to enable the approvers to review and approve them prior to purchases/sales and to allow the oversight functions to evaluate the validity, accuracy, and compliance when needed. Additionally, the City should update the City’s Investment Policy to require the brokers and dealers who wish to sell and buy securities to the City to provide documentation showing their financial condition and relevant registration. The City should also require them to certify in writing that they reviewed the applicable California Government Code sections and the City’s Investment Policy. An annual review should be also conducted to maintain the List of Authorized Brokers and Dealers with the recent status. Item 5 Late Packet Attachment A - OCA - Investment Management Packet Pg. 85 3 Introduction 1 Section 53600.3: https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=53600.3.&lawCode=GOV Objective The objectives of this review were to: 1) Determine whether adequate controls are in place and working effectively to ensure that investments are properly managed in accordance with the investment policy. 2) Assess the efficiency and the effectiveness of the investment portfolio management against the best practice. Background The City of Palo Alto (City) invests idle cash pooled from all sources and all funds in accordance with the California Government Code and the City’s Investment Policy. California Government Code states that trustees who are governing bodies or individuals authorized to make investment decisions on behalf of local agencies investing public funds are subject to the prudent investor standard that requires a trustee to act with care, skill, prudence, and diligence under the circumstances then prevailing that a prudent person acting in a like capacity and familiarity with those matters would use in the conduct of funds of a like character and with like aims, to safeguard the principal and maintain the liquidity needs of the agency.1 The City follows the prudent investor standard and defines the following investment objectives in the City’s Investment Policy: 1. Ensure the safety of the public funds 2. Maintain the liquidity to meet the City’s financial obligations 3. Achieve a reasonable yield on the City’s investment portfolio The City’s Administrative Services Department (ASD) is responsible for cash management and investment activities. The Assistant Director of ASD who is authorized to make all investment transactions and responsible for managing the investment program oversees the activities while the Manager of Treasury, Debt, Investment (Manager) performs the day-to-day responsibilities, including purchasing and selling securities, recording investment transactions, maintaining the cash flow forecast, revenue analysis, and revenue projection spreadsheets. The Note 3 in the City’s Annual Comprehensive Financial Report (ACFR) as of June 30, 2022, shows that cash and investments available for operations were $553M as shown in Table 1: Table 1 – Cash and Investment Classification (in thousands) Source: page 64, Note 3, City of Palo Alto FY2022 Annual Comprehensive Financial Report Item 5 Late Packet Attachment A - OCA - Investment Management Packet Pg. 86 4 INTRODUCTION The City’s investment Policy describes limitations on types, maturity periods, and amounts of investments in accordance with the Section 53601 of the California Government Code. These limitations are summarized in the Note 3 in the City’s ACFR as of June 30, 2022 (Table 2 below). The ASD’s goals and key performance measures in the FY2023 Adopted Operating Budget include the following investment-related goal and key performance measure: The ASD submits a quarterly report to the City Council that provides the information on the City’s investment portfolio (Appendix A) as required by the Section 53646 of the California Government Code. Table 2 – Investments Authorized by the Investment Policy and Debt and Trust Agreements Source: page 65, Note 3, City of Palo Alto FY2022 Annual Comprehensive Financial Report See the footnotes at https://www.cityofpaloalto.org/files/assets/public/v/1/administrative-services/financial-reporting/comprehensive-annual-financial- reports-cafr/current-2011-cafrs/2022-acfr-final/city-of-palo-alto-acfr-fy2022-final-secured-2.pdf Goal: Ensure public funds and assets are invested prudently and are well-managed. Objectives: • Ensure sufficient cash is always available to meet current expenditures. • Maintain a reasonable rate of return on investments while prioritizing the safety and liquidity needs. • Invest in sound Environmental, Social, and Governance (ESG) securities, which include green and sustainable bonds, when available and appropriate, in alignment with the Investment Policy. Key Performance Measure: FY2020 Actuals FY2021 Actual FY2022 Estimated FY2023 Adopted Budget Annual percentage yield on investments 2.22% 1.72% 1.70% 1.80% Source: page 208, City of Palo Alto FY2023 Adopted Operating Budget Item 5 Late Packet Attachment A - OCA - Investment Management Packet Pg. 87 5 INTRODUCTION 2 The Investment Policy does not cover funds held by the California Public Employees Retirement System (CalPERS), the California Employers’ Retiree Benefit Trust (CERBT), Deferred Compensation program (ICMA, Hartford), the Authority for California Cities Excess Liability (ACCEL), and the Public Agency Retirement Services (PARS) Section 115 IRREVOCABLE Trust. 3 Judgmental sampling is a non-statistical sampling that involves selecting a sample based on auditors’ experience, knowledge, and professional judgment and is appropriate when auditors do not need to draw conclusions about the population. 4 Government auditing standards require an external peer review at least once every three (3) years. The last peer review of the Palo Alto Office of the City Auditor was conducted in 2017. The Palo Alto City Council approved a contract from October 2020 through June 2022 with Baker Tilly US, LLP (Baker Tilly) and appointed Kyle O’Rourke, Senior Consulting Manager in Baker Tilly's Public Sector practice, as City Auditor. Given the transition in the City Audit office, a peer review was not conducted in 2020 and will be conducted after the third year of Baker Tilly’s contract. Scope The OCA evaluated the processes and controls that safeguard the City’s investment of pooled idle cash to which the City’s Investment Policy is applied to2 and tested the selected controls by reviewing a sample of investment activities between July 1, 2020, to March 26, 2023 (audit period). Methodology To achieve the audit objectives, the OCA performed the following procedures:  Reviewed the pertinent laws, policies, and guidelines related to investments.  Gathered the City’s financial and management reports related to investments.  Interviewed the appropriate individuals to understand the roles and responsibilities, processes, and controls related to investment activities.  Judgmentally3 selected a sample of investments purchased and sold during our audit period in order to cover all three fiscal years in our audit period, all brokers used, all types of investments, and all approval workflow types.  Reviewed supporting documents for controls performed and approvals for the selected investment activities.  Used the California Debt and Investment Advisory Commission (CDIAC) and the Government Finance Officers Association (GFOA) as best practices. Compliance Statement This audit activity was conducted from March 2023 to June 2023 in accordance with generally accepted government auditing standards, except for the requirement of an external peer review4. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Organizational Strengths During this audit activity, we observed that the dedicated Manager of Treasury, Debt, Investment maintained the detailed spreadsheets to monitor the cash flow forecast and keep track of the compliance with the investment restrictions. We also observed the adequate supporting documents maintained by the detail- oriented Accounting team who posts the investment transactions in the City’s accounting system and reconciles the transactions. The Office of the City Auditor greatly appreciates the support of the Treasury and Accounting Divisions of the Administrative Services Department in conducting this audit activity. Thank you! Item 5 Late Packet Attachment A - OCA - Investment Management Packet Pg. 88 6 Detailed Analysis Investment Policy The City’s Investment Policy describes the following internal controls over the City’s investment activities: Roles and Responsibilities  The Director of ASD/Chief Financial Officer (Treasurer) o Must approve any sale of securities from the City’s portfolio  The Assistant Director of ASD o Is charged with the responsibility to manage the investment portfolio o Needs to approve a transfer more than total of $10 million a day from the City’s general account to any one financial institution  Manager and Analyst o Are directed and supervised by Assistant Director of ASD o Prepare the quarterly report and record investment transactions (type of investment, amount, yield, and maturity)  Custodian o All securities (with a few exceptions listed in the City’s Investment Policy) must be delivered to the City’s safekeeping custodian List of Authorized and Prohibited Investments  The investments authorized by Section 53601 of California Government Code are reflected in the City’s Investment Policy List of Authorized Brokers and Dealers  Brokers and dealers meeting the City’s two requirements must be approved by the Assistant Director before they are added to the City’s List of Authorized Brokers and Dealers  Brokers and Dealers will be removed from the list if a history of problems is developed Reporting  On a monthly basis, the ASD reviews performance against the City’s Investment Policy  On a quarterly basis, the ASD reports investment activities, including the portfolio’s performance and compliance with the City’s Investment Policy to the City Council, as well as a detailed list of all securities and the City’s ability to meet expenditure requirements over the next six months Policy Review  Annually, the ASD presents a proposed investment policy to the City Council during the annual budget process The Appendix B is the flowchart showing the current processes and controls in place. Item 5 Late Packet Attachment A - OCA - Investment Management Packet Pg. 89 7 DETAILED ANALYSIS 5 https://www.treasurer.ca.gov/cdiac/LAIG/guideline.pdf 6 For example, the Investment Advisory Committee is mentioned in the investment polices of City of San Diego and City of Burbank; The Investment Committee is mentioned in the investment policies of City of Riverside and City of Beverly Hills. Best Practices and Benchmarking The California Debt and Investment Advisory Commission (CDIAC) provides guidance to local governments in California to improve the public finance practice. The CDIAC’s publication, Local Agency Investment Guidelines 5, includes the following recommendations. The Annual Investment Policy Although the California Government Code does not specify the elements of an investment policy for local governments other than counties, it should include at least the following elements required of counties:  List of authorized investments with percentages by type of security and the maximum terms  The manner of calculating and apportioning the authorized costs of investing, etc.  Limits on the receipt of honoraria, gifts, and gratuities  Criteria for selecting brokers and dealers  A requirement that the treasurer provide an investment report Reporting The treasurer or designated official should provide the local government’s legislative body a quarterly investment report that provides the status of the current investment portfolio. The quarterly investment report should include the following:  A listing of individual securities held at the end of the reporting period by authorized investment category  Average life and final maturity of all investments listed  Coupon, discount, or earnings rate  Par value, amortized book value and market value  Percentage of the portfolio represented by each investment category  A description of the funds, investments, and programs managed by contracted parties  A statement of compliance with the investment policy or an explanation for non-compliance  A statement of the local agency’s ability to meet its pool’s expenditure requirements for the next six months In addition to a quarterly investment report required by California Government Code 53646, the treasurer should submit a monthly report of investment transactions to the legislative body even though the California Government Code 53607 does not specify the contents of the monthly report of transactions. Treasury Oversight Committee Local governments should consider whether an oversight committee is appropriate. Some cities6 have treasury oversight committees even though the law does not require them to have such a committee. The more discretion the Item 5 Late Packet Attachment A - OCA - Investment Management Packet Pg. 90 8 DETAILED ANALYSIS 7 https://www.gfoa.org/materials/investment-policy 8 https://www.gfoa.org/materials/government-relationships-with-securities-dealers 9 https://gfoaorg.cdn.prismic.io/gfoaorg/76b137b8-17e3-42bd-ae9f-7f7be8be50bd_GFOA_sample_investment_policy.pdf 10 Based on the “Revenues broken down by City”, California State Controller’s Office https://cities.bythenumbers.sco.ca.gov/#!/year/2021/revenue/0/entity_name treasurer has in making investment decisions, the greater the need for oversight procedures. The role of the oversight committee should be clearly specified. The Government Finance Officers Association (GFOA) Investment Policy Best Practices recommends that the investment policy include the following elements7: A. Scope and investment objectives B. Roles, responsibilities, and standards of care – “Standards of care should include language on prudence……. due diligence, ethics and conflicts of interest, delegation and authority, and knowledge and qualifications.” C. Suitable and authorized investments D. Investment diversification E. Safekeeping, custody, and internal controls – “Develop guidelines to enhance the separation of duties and reduce the risk of fraud.” F. Authorized financial institutions, depositories, and broker/dealers – See the additional information provided by the GFOA below. G. Risks and performance standards H. Reporting and disclosure standards The GFOA provides recommendations pertaining to selecting securities dealers for an approved vendor list in its website8 and includes the following in its Sample Investment Policy9: “All financial institutions and broker/dealers who desire to become qualified for investment transactions must supply the following as appropriate:  Audited financial statements demonstrating compliance with state and federal capital adequacy guidelines  Proof of Financial Industry Regulatory Authority (FINRA) certification (not applicable to Certificate of Deposit counterparties)  Proof of state registration  Completed broker/dealer questionnaire (not applicable to Certificate of Deposit counterparties)  Certification of having read and understood and agreeing to comply with the [entity's] investment policy.  Evidence of adequate insurance coverage. An annual review of the financial condition and registration of all qualified financial institutions and broker/dealers will be conducted by the investment officer.” The OCA compared the City’s Investment Policy as well as the investment policies of the six California cities that have relatively similar revenue amounts as the City10 to the GFOA Sample Investment Policy (using the elements A through H listed above) for the benchmarking purpose (see Table 1 below). The GFOA states that its Sample Investment Policy is presented as a model to help entities customize a Item 5 Late Packet Attachment A - OCA - Investment Management Packet Pg. 91 9 DETAILED ANALYSIS policy to fit their needs, constraints, and capabilities, not to supplant an existing policy. Table 1: Comparison of Investment Policies GFOA Recommended Elements Investment Policy for the City of: Palo Alto Sacramento San Diego Riverside Burbank Berkeley Beverly Hills A. Scope & objectives √ √ √ √ √ √ √ B. Roles & standards of care ▲ Note 1 √ √ √ √ √ √ C. Authorized investments √ √ √ √ √ √ √ D. Investment diversification ▲ Note 2 √ ▲ ▲ √ √ ▲ E. Safekeeping & internal controls ▲ Note 3 √ √ √ √ √ √ F. Authorized broker/dealers ▲ Note 4 ▲ ▲ √ √ √ √ G. Riks & performance standards ▲ Note 5 √ √ ▲ √ √ ▲ H. Reporting standards ▲ Note 6 ▲ ▲ ▲ ▲ ▲ √ √ = All elements are covered in the policy ▲ = One or more elements are not covered Note 1: Ethics and conflicts of interest is not discussed while other cities include a section Note 2: Although dollar and/or percentage limits on securities are listed, an overall diversification strategy/approach is not discussed. Note 3: Although safekeeping and custody are discussed, some requirements related to "Delivery Versus Payment" and internal controls are not discussed. Note 4: Although a list of authorized broker/dealers are maintained, the information and documentation required from them for authorization are limited. Note 5: The benchmark(s) to be used for the portfolio performance measurement is not established. Note 6: Two reporting requirements by California Government Code are not clearly addressed. Item 5 Late Packet Attachment A - OCA - Investment Management Packet Pg. 92 10 Audit Results 11 The trade date is the day a trader/investor place an order to buy or sell a security. 12 According to the data provided by the management, during FY21, there were 18 settlement netting (totaling $24.3M purchase settlement) that were processed without approval and, during FY22, there were14 settlement netting (totaling $11.6M). Finding 1: Segregation of duties and oversight of investment activities The City’s Administrative Services Department (ASD)’s Treasury Division includes the investment function. The day-to-day operations of the investment function are performed by the Manager of Treasury, Debt, Investment (Manager). The Assistant Director of ASD (Assistant Director) oversees the function and has delegated the responsibility for managing the investment program to the Manager and authorized him to enter into the investment within the parameters set in the City’s Investment Policy. The Manager also enters the investment transactions in the City’s investment management software, maintains the cash flow forecast, revenue analysis, and revenue projection spreadsheets, and executes wire transactions. At the time of this audit in FY2023, there was no Senior Management Analyst who performed any of these tasks under supervision of the Manager. The OCA reviewed 58 out of 850 investment activities from July 1, 2020, to March 26, 2023, and noted the following:  None of purchased investments (45 of 58 investment activities reviewed) had the evidence of approval by the Assistant Director or other authorized personnel prior to the trade dates11.  Although the Assistant Director can check the reasonableness of investment activities using cash flow spreadsheets at the time the Manager notifies the custodian bank and the Assistant Director of an investment purchase (within a day or so of a purchase), there is no evidence of a review because a response from the Assistant Director is expected only when there is a question or an issue, which did not happen for the 45 purchased investments that were reviewed (or for the remaining investments in the audit period).  The Manager prepares the final paperwork for each purchase (Memorandum) that requires a signature by the Assistant Director for securities under five years and by both the Assistant Director and the Director of ASD for securities over five years. The memorandums for all 45 purchased investments we reviewed were signed by the required authorized personnel four to 170 days (average 65 days) after the trade dates.  Wire transfers to the custodian bank initiated by the Manager are approved by the Assistant Director after an order to buy a security is placed. However, three of 45 purchased investments we reviewed did not have any approval because there were no outgoing wire transfers for these purchases due to settlement netting12 that nets incoming security maturity and interest earnings against a security purchase. As an independent review of a wire transaction is the only documented review the City has formally implemented in the Item 5 Late Packet Attachment A - OCA - Investment Management Packet Pg. 93 11 AUDIT RESULTS investment purchasing process, there was no independent review of these three purchased investments until the memorandums were signed 11 to 130 days (average 72 days) after the trade dates.  The proposed sale of investments made by the Manager in July 2022 was approved by a designee of the Director of ASD on July 7, 2022. The detailed listing of the sold investments shows 13 securities totaling $10.7M (par value) were sold with a net gain of $3.5K on July 12, 13, and 14, 2022, which was accurately reported in a quarterly report (Investment Activity Report for the Fourth Quarter, Fiscal Year 2022). However, the approval e-mail dated July 7, 2022, from a designee of the Director of ASD listed only five of 13 securities sold. According to the Manger, changes had to be made to the approved list of proposed securities to be sold due to the daily changes in market values of securities. The Manager sent e-mails to update a designee of the Director of ASD and the Director of ASD on July 7, 8, and 13, but there was no documentation of the final approval. Additionally, a monthly review of performance has not been performed by the ASD as described in the City’s Investment Policy for many years, according to the Manager. The City does not have other oversight mechanism such as an investment advisory committee. Another reporting requirement is submission of a monthly report of investment transactions to the legislative body, which is required by Section 53607 of the California Government Code. However, this reporting requirement is not mentioned in the City’s Investment Policy. As described above, the Manager performs all tasks to manage the investment program as well as initiating wire transactions among all responsibilities of the Treasury Division. While an approval is required prior to sales of investments, formal independent reviews of investment purchase decisions prior to purchases are not in place. When the Manager is out of office, there is no backup personnel to buy/sell securities. The limited staffing of the Treasury Division and untimely authorization of investment activities cause a concern for inadequate segregation of duties in the investment function even through there are some segregations of duties: the purchased investments are required to be delivered to the City’s safekeeping custodian and recorded in the City’s accounting system by the Accounting team. Segregation of duties is a key internal control that disperses responsibilities of a process to more than one individual. Without adequate segregation of duties, the City has a higher risk of not preventing and detecting errors and fraudulent transactions in a timely manner. As mitigating controls, increased monitoring and oversight of the investment function are required. According to the Assistant Director, the efforts to assign more employees to perform some of the cash management function tasks currently performed by the Manager were initiated at the end of our fieldwork of this audit. Recommendation The City should implement a formal process for a review and approval of investment activities by the Assistant Director and, if required, the Director Item 5 Late Packet Attachment A - OCA - Investment Management Packet Pg. 94 12 AUDIT RESULTS prior to placing an order to buy or sell securities. Approvals should be documented. Additionally, the City should reassess the City’s Investment Policy to ensure that the City will:  Comply with the requirement to perform a monthly performance review described in the City’s Investment Policy. The City can take this opportunity to assess the suitability of an investment advisory committee to execute a monthly performance review to ensure appropriate investment decisions are made in compliance with the laws, regulations, and the City’s Investment Policy.  Address the Section 53607 of the California Government Code that requires submission of a monthly report of investment transactions to the City Council. Furthermore, the City should continue the efforts to adjust the staffing of the investment function to assign responsibilities to ensure adequate internal controls are in place for prevention of the loss of public funds arising from errors, imprudent actions, and fraud. The new staff members should receive adequate training and a procedure manual to perform their job responsibilities, and succession planning should be reviewed and updated for the key positions. Management Response Responsible Department(s): Administrative Services Department Concurrence: Agree Target Date: February 2024 Action Plan: The City agrees that a formal process for review and approval of investment activities by the Assistant Director will provide oversight of investment activities and transactions. A workplan has been developed for the team and will be amended to include clear approval processes for the purchase or sale of securities in advance of the transaction, however, staff does anticipate some authority to continue to be granted for real time transactions within approved guidelines and limits. Expected implementation is targeted for January 2024. The City concurs with the City Auditor’s recommendation that a monthly informational report of investment transactions be made available to the City Council, as required by California Government Code section 53607, and will implement this practice in January 2024. The City agrees with segregation of duties in this function will provide adequate internal controls, additional oversight, and back fill for these activities when the key staff is on leave. A workplan for this was provided in early 2023 and under the guidance of an Assistant Director, has continuously worked on transitioning certain duties to ASD’s analytical staff and administrative support staff. The workplan will be reviewed and amended to ensure documented adequate training and a procedure manual Item 5 Late Packet Attachment A - OCA - Investment Management Packet Pg. 95 13 AUDIT RESULTS 13 The General Investment Guidelines in the City’s Investment Policy states, “This rule will not apply to new issues, which are purchased at market no more than three (3) working days before pricing, as well as to LAIF, City of Palo Alto bonds, money market accounts and mutual funds, all of which shall be evaluated separately.” for job responsibilities is available to other ASD staff. The targeted completion and transition of these duties is targeted for February 2024. The analyst assigned to the Treasury Division has been tasked with creating a desk manual for certain treasury tasks. While full completion of this manual is not targeted for February 2024, it is continuously being worked on as the analyst increases exposure and knowledge of treasury operations. Finding 2: Supporting documents for investment activities The Manager maintains the cash flow forecast and revenue projection spreadsheets to monitor the City’s cash needs and make investment decisions. According to the Manager, when the City needs to purchase or sell securities, the Manager verbally communicates the City’s requirements and needs to the brokers/dealers who are listed on the City’s List of Authorized Brokers and Dealers (List) approved by the Assistant Director. The City’s Investment Policy requires brokers and dealers to meet two conditions before they can be added to the List. The Manager reviews the information e-mailed by authorized brokers/dealers and decides a security to purchase/sell. After a purchase/sale of a security, the Manager enters the trade information in the investment management software and prepares a Memorandum that will be approved by the Assistant Director and, if necessary, the Director. The OCA reviewed 58 out of 850 investment activities from July 1, 2020, to March 26, 2023, and noted the following:  The printouts of the spreadsheets or the versions of the spreadsheets that supported the Manager’s investment decisions for the purchased investments (45 of 58 investment activities reviewed) are not available as they were not included in the supporting documents for the wire payments or in the Memorandums.  The General Investment Guidelines in the City’s Investment Policy encourages the City to obtain three or more quotations on the purchase or sale of comparable securities13 and take the higher yield on purchase or higher price on sale whenever possible. However, no multiple quotations were obtained for any of the 45 purchased investments we reviewed. In the supporting documents for eight of 45 investment purchases we reviewed, a standard language “Not required to obtain three or more quotations” was included. For the remaining investment purchases we reviewed, a standard language, “No comparable security offering maturing within 30 days of the one purchased were available” was included. There were no other documents such as evaluation of securities and the information obtained from the authorized brokers and dealers to support the unavailability of a comparable security.  The OCA verified that the brokers and dealers associated with the selected investment activities were listed in the List of Authorized Item 5 Late Packet Attachment A - OCA - Investment Management Packet Pg. 96 14 AUDIT RESULTS Brokers and Dealers. During our audit period, there were two changes to the List: The List dated 10/27/2020 had a new broker; The List dated 11/16/2022 also had a new broker. Both changes were approved by the Assistant Director. However, there were no supporting documents showing that new brokers and dealers met the City’s criteria. Additionally, the two requirements in the City’s Investment Policy do not address Section 53601.5 of the California Government Code regarding authorized brokers and dealers. Furthermore, there was no documentation showing the broker’s acknowledgement of the applicable California Government Code sections and the City’s Investment Policy. Adequate supporting documents for investment decisions and transactions are important for transparency and accountability. The supporting documents provide the necessary information to demonstrate the validity, accuracy, and compliance to the approvers of the decisions and transactions and the oversight functions such as auditors and an oversight committee. Recommendation The City’s ASD should implement a procedure to assemble and maintain adequate supporting documents such as the cash flow forecast and evaluation of quotations for each investment decision and transaction to enable the approvers to review and approve them prior to purchases/sales and to allow the oversight functions to evaluate the validity, accuracy, and compliance when needed. The City should update the City’s Investment Policy to require the brokers and dealers who wish to sell and buy securities to the City to provide documentation showing their financial condition and relevant registration. The City should also require them to certify in writing that they reviewed the applicable California Government Code sections and the City’s Investment Policy. An annual review should be also conducted to maintain the List of Authorized Brokers and Dealers with the recent status. Management Response Responsible Department(s): Administrative Services Department Concurrence: Agree Target Date: January and June 2024 Action Plan: The City agrees that the evaluation of investment options that are available at the time of purchase should be performed and documented before an investment is purchased. Investment offerings are received by the Manager via email and can be attached to investment paperwork as documentation. Furthermore, a workplan to formalize review and oversight of investment activities has been developed outlining expectations for routine reviews of cash flow and investment status. Expected implementation of this workplan is targeted for January 2024. The City agrees that the Investment Policy should be updated to include the requirements that brokers and dealers who wish to buy or sell securities with the City must provide documentation of their financial condition and relevant Item 5 Late Packet Attachment A - OCA - Investment Management Packet Pg. 97 15 AUDIT RESULTS registration. ASD staff will consider these updates in the next Investment Policy review by the City Council in June 2024. Item 5 Late Packet Attachment A - OCA - Investment Management Packet Pg. 98 16 Appendix A: Resumes Appendices Item 5 Late Packet Attachment A - OCA - Investment Management Packet Pg. 99 17 Appendix A: City of Palo Alto Investment Portfolio The following information on the City’s investment portfolio was reported in the Investment Activity Report for the Second Quarter, Fiscal Year 2023. Item 5 Late Packet Attachment A - OCA - Investment Management Packet Pg. 100 18 Appendix B: Palo Alto Investment Management Processes and Controls City of Palo Alto ASD Investment Function Ad m i n i s t r a t i v e Se r v i c e s D e p t . Ac c o u n t i n g D i v i s i o n M a n a g e r o f T r e a s u r y D i v i s i o n A s s i s t a n t D i r e c t o r o f A S D SAP FI Recording of Investment Transactions Start (during budget process) Monitor the City’s cash flow Invest? YesNo Annually, prepare a Proposed Statement of Investment Policy Obtain an approval by the Council Approved Investment Policy Authorize Treasury Manager to enter into investments within parameters specified by the Policy Maintain Cash flow and daily investment spreadsheets Account for investments in financial statements (ACFR) Independent auditor provides reasonable assurance about the financial statements Report to Council Quarterly, prepare a report on investment activity, portfolio’s performance, etc. Approve updates to the list of acceptable dealers Verbally communicate to the dealers the City’s requirements and needs Daily, review the options received from brokers via email SymPro Enter the trade information Place the information on the investment in a temporary shared folder Respond to an email on an exception basis Email paperwork with coversheet to custodian and Assistant Director Prepare wire paperwork Review and approve a quarterly report in the One Meeting system Upload and submit a quarterly report in the One Meeting system US Bank Portal Initiate a wire transaction Send the wire paperwork via Docusign to the approver of the transaction Check the reasonableness of investment activities using cash flow spreadsheet Memo for trade tickets to formalize paperwork Approve a memo via Docusign Suggest dealers to be added to/ removed from the approved list Investment over 5 years? Director of ASD Approve a memo via Docusign Yes Save the approved memo and supporting documents in the shared drive No Monthly reconciliation against SymPro Approve wire paperwork via Docusign Daily reconciliation against a daily bank statement, cash flow spreadsheet, and SymPro US Bank Portal Approve a wire transaction Wire payment Receive an automatic e-mail notification Review by Director, City Manager, and City Attorney Journal Entries Prepared monthly and annually Sell before maturity?No Propose investment to be sold before maturity Yes Approve sales of investments before maturity Approve sales of investments before maturity Contact a Broker to buy/sell the investment No Investment action needed. Monthly Review performance against the Investment Policy Is Incoming $ larger than purchase $ on the settlement day? No Yes Supporting documents (cash flow projection and evaluation of quotations): • are not assembled • are not submitted for approval • No supporting documents for qualifications • No broker’s acknowledgement of the applicable California Government Code sections and the City’s Investment Policy This is not a control as the evidence of review and approval is not maintained Receive the netted amount There is no approval of the transaction • This report is not prepared and reviewed as required by the policy • Advisory or oversight committee does not exist Formulas are used to meet various requirements listed in the Investment Policy. End Start Reporting Monthly Report of Investment Transactions This report is included in the Quarterly Report Needs ImprovementKey Control Untimely Item 5 Late Packet Attachment A - OCA - Investment Management Packet Pg. 101 19 Appendix C: Management Response Findings and Recommendation Responsible Department(s) Agree, Partially Agree, or Do Not Agree and Target Date and Corrective Action Plan Fining 1: Segregation of duties and oversight of investment activities The City should implement a formal process for a review and approval of investment activities by the Assistant Director and, if required, the Director prior to placing an order to buy or sell securities. Approvals should be documented. Additionally, the City should reassess the City’s Investment Policy to ensure that the City will:  Comply with the requirement to perform a monthly performance review described in the City’s Investment Policy. The City can take this opportunity to assess the suitability of an investment advisory committee to execute a monthly performance review to ensure appropriate investment decisions are made in compliance with the laws, regulations, and the City’s Investment Policy.  Address the Section 53607 of the California Government Code that requires submission of a monthly report of investment transactions to the City Council. Administrative Services Concurrence: Agree Target Date: February 2024 Action Plan: The City agrees that a formal process for review and approval of investment activities by the Assistant Director will provide oversight of investment activities and transactions. A workplan has been developed for the team and will be amended to include clear approval processes for the purchase or sale of securities in advance of the transaction, however, staff does anticipate some authority to continue to be granted for real time transactions within approved guidelines and limits. Expected implementation of this is targeted to be completed in January 2024. The City concurs with the City Auditor’s recommendation that a monthly informational report of investment transactions be made available to the City Council, as required by California Government Code section 53607. The City should continue the efforts to adjust the staffing of the investment function to assign responsibilities to ensure adequate internal controls are in place for prevention of the loss of public funds arising from errors, imprudent actions, and fraud. The new staff members should receive adequate training and a procedure manual to perform their job responsibilities, and succession planning should be reviewed and updated for the key positions. Administrative Services Concurrence: Agree Target Date: February 2024 Action Plan: The City agrees with segregation of duties in this function will provide adequate internal controls, additional oversight, and back fill for these activities when the key staff is on leave. A workplan for this was provided in early 2023 and under the guidance of an Assistant Director, has continuously worked on transitioning certain duties to ASD’s analytical staff and administrative support staff. The workplan will be reviewed and amended to ensure documented adequate training and a procedure manual for job responsibilities is available to Item 5 Late Packet Attachment A - OCA - Investment Management Packet Pg. 102 20 Findings and Recommendation Responsible Department(s) Agree, Partially Agree, or Do Not Agree and Target Date and Corrective Action Plan other ASD staff. The targeted completion and transition of these duties is targeted for February 2024. The analyst assigned to the Treasury Division has been tasked with creating a desk manual for certain treasury tasks. While full completion of this manual is not targeted for February 2024, it is continuously being worked on as the analyst increases exposure and knowledge of treasury operations. Finding 2: Supporting documents for investment activities The City’s ASD should implement a procedure to assemble and maintain adequate supporting documents such as the cash flow forecast and evaluation of quotations for each investment decision and transaction to enable the approvers to review and approve them prior to purchases/sales and to allow the oversight functions to evaluate the validity, accuracy, and compliance when needed Administrative Services Concurrence: Agree Target Date: January 2024 Action Plan: The City agrees that the evaluation of investment options that are available at the time of purchase should be performed and documented before an investment is purchased. Investment offerings are received by the Manager via email and can be attached to investment paperwork as documentation. Furthermore, a workplan to formalize review and oversight of investment activities has been developed outlining expectations for routine reviews of cash flow and investment status. Expected implementation of this workplan is targeted for January 2024. The City should update the City’s Investment Policy to require the brokers and dealers who wish to sell and buy securities to the City to provide documentation showing their financial condition and relevant registration. The City should also require them to certify in writing that they reviewed the applicable California Government Code sections and the City’s Investment Policy. An annual review should be also conducted to maintain the List of Authorized Brokers and Dealers with the recent status. Administrative Services Concurrence: Agree Target Date: June 2024 Action Plan: The City agrees that the Investment Policy should be updated to include the requirements that brokers and dealers who wish to buy or sell securities with the City must provide documentation of their financial condition and relevant registration. ASD staff will consider these updates in the next Investment Policy review by the City Council in June 2024. Item 5 Late Packet Attachment A - OCA - Investment Management Packet Pg. 103