CITY OF PALO ALTO
Policy & Services Committee
Special Meeting
Tuesday, March 10, 2026
6:00 PM
Agenda Item
AA1. Recommend Approval of New Task Order 4.42 - Flock Safety Assessment for Inclusion in
the City Auditor's FY 2026 Audit Plan and Amend FY 2026 Task Order budgets to
Support this New Task Order with a Net Zero Financial Impact; CEQA – Not a project
New Item Added, At Places Memo Added
Policy & Services Committee
Staff Report
From: City Manager
Report Type: ACTION ITEMS
Lead Department: City Auditor
Meeting Date: March 10, 2026
Report #: 2603-6084
TITLE
Recommend Approval of New Task Order 4.42 - Flock Safety Assessment for Inclusion in the
City Auditor's FY 2026 Audit Plan and Amend FY 2026 Task Order budgets to Support this New
Task Order with a Net Zero Financial Impact; CEQA – Not a project
RECOMMENDATION
The Office of the City Auditor recommends the Policy & Services Committee (P&S) recommend
City Council approve a new Task Order 4.42 - Flock Safety Assessment for inclusion in the City
Auditor's FY 2026 Audit Plan.
The Office of the City Auditor recommends P&S approve the following actions to fund the
proposed new task order:
•
• Task Order 4.40 – Contract Solicitation
and Authority Levels Advisory Project which was reported to P&S in
• Task 6 – Evaluation & Benchmarking
Task Order 4.42 – Flock Safety Assessment Total $30,000
BACKGROUND
The City entered into a three-year contract¹ with Flock Safety in 2023 for Automated License
Plate Recognition (ALPR) implementation services to install and maintain twenty ALPR cameras
at locations identified by the Palo Alto Police Department. Ten additional cameras were added
via a contract amendment² in 2024.
¹ City Council, April 3, 2023; Agenda Item #: 11; Staff Report #: 2301-0741,
https://recordsportal.paloalto.gov/WebLink/DocView.aspx?id=82232&dbid=0&repo=PaloAlto&searchid=98d1813d-4a86-41b4-a85b-8035a8722846
The City has requested the City Auditor conduct an assessment of Flock Safety given recent
concerns about the security of the City’s data within Flock Safety’s system.
The City outsourced its City Auditor function to Baker Tilly in 2020³. Through the process of
reviewing the City’s request for Flock Safety assessment services, Baker Tilly identified that
Flock Safety became a client of the firm in 2024. Baker Tilly provided Flock Safety with ISO
27001, 27701, 42001, 27017, 27018 Certifications audit services and SOC 2 Type II Examination
services in 2025. ISO/IEC 27001:2022 certification is a globally recognized standard that
establishes requirements for implementing, maintaining and continually improving an agency’s
information security management system, Privacy and AI. SOC 2 Type II examinations provide
assurance that a company’s system adheres to criteria prescribed by the AICPA related to
security, availability, processing integrity, confidentiality and privacy as selected by the client.
The proposed Flock Safety Assessment, conducted by the City Auditor’s Office, would look at
Flock Safety’s operational controls that interface with and/or impact Flock’s client-facing
policies, procedures and security controls as they relate to the processes for roll-out and
control of user settings around data sharing in alignment with the City of Palo Alto’s contract.
ANALYSIS
The objectives of this assessment are to review Flock’s system for the appropriate policies,
procedures and controls to ensure City information and data is secure and confidential.
Assessment areas include, but are not limited to, the following:
• IT Security/Governance – compliance with customer regulatory and data privacy
requirements
• Source Code Review – process for introducing system releases/updates
• System Infrastructure – assess Flock cloud environment for security and monitoring
• Access Management – expected controls and data security including access
management policies and procedures
• System Interfaces – assess internal/external systems interface and security
• Change/Configuration Management – assess processes for developing, implementing,
and testing changes to the Flock ALPR system as well as access controls for monitoring
system changes to ensure appropriate authorization
² City Council, December 2, 2024; Agenda Item #: 11; Staff Report #: 2408-3360,
https://recordsportal.paloalto.gov/WebLink/DocView.aspx?id=83107&dbid=0&repo=PaloAlto&searchid=7b6b82d0-6e91-40f8-819c-f028c5036c77
³ City Council, September 28, 2020; Agenda Item #: 11; Staff Report #: 11624,
https://recordsportal.paloalto.gov/WebLink/DocView.aspx?id=80939&dbid=0&repo=PaloAlto&searchid=835258ae-7722-4c0b-985b-ec3289ab3b3c
Please see the attached Task Order and Scope of Work for a full list of audit activities proposed
for this assessment.
In addition, both the City of Palo Alto and Flock Safety will need to agree to a
conflict-of-interest waiver in order for work on this task order to proceed because Baker Tilly provides
services to both the City and Flock. The City Attorney’s Office is currently reviewing this waiver.
Please note that the City and Flock Safety are served by independent teams at Baker Tilly.
FISCAL/RESOURCE IMPACT
The proposed engagement will have a net zero impact on the City Auditor’s contracted budget
for FY 2026 as we will be using unspent funds and funds specifically earmarked for ad hoc
projects such as this.
STAKEHOLDER ENGAGEMENT
The City Auditor consulted with the Palo Alto Police Department and City Manager’s Office as
well as representatives from Flock Safety to discuss the parameters of the project.
ENVIRONMENTAL REVIEW
Council action on this item is not a project as defined by CEQA because the audit activities do
not involve any commitment to any specific project which may result in a potentially significant
physical impact on the environment. CEQA Guidelines section 15378(b)(4).
ATTACHMENTS
Attachment A: Task Order 4.42 Flock Safety Assessment & Scope of Work
APPROVED BY:
Kate Murdock, City Auditor
PROFESSIONAL SERVICES TASK ORDER
Consultant shall perform the Services detailed below in accordance with all the terms and conditions of
the Agreement referenced in Item 1A below. All exhibits referenced in Item 8 below are incorporated into
this Task Order by this reference. The Consultant shall furnish the necessary facilities, professional,
technical and supporting personnel required by this Task Order as described below.
CONTRACT NO. C21179340
OR PURCHASE ORDER REQUISITION NO. (AS APPLICABLE)
1A. MASTER AGREEMENT NO. (MAY BE SAME AS CONTRACT / P.O. NO. ABOVE): C21179340
1B. TASK ORDER NO.: FY26-4.42
2. CONSULTANT NAME: Baker Tilly Advisory Group, LP
3. PERIOD OF PERFORMANCE: START: March 1, 2026 COMPLETION: June 30, 2026
4. TOTAL TASK ORDER PRICE: $30,000
BALANCE REMAINING IN MASTER AGREEMENT/CONTRACT TBD
5. BUDGET CODE_______________ COST CENTER________________ COST
ELEMENT______________ WBS/CIP__________ PHASE__________
6. CITY PROJECT MANAGER’S NAME & DEPARTMENT:
Chair of the City Council’s Policy and Services Committee
7. DESCRIPTION OF SCOPE OF SERVICES (Attachment A)
MUST INCLUDE:
SERVICES AND DELIVERABLES TO BE PROVIDED
SCHEDULE OF PERFORMANCE
MAXIMUM COMPENSATION AMOUNT AND RATE SCHEDULE (as applicable)
REIMBURSABLE EXPENSES, if any (with “not to exceed” amount)
8. ATTACHMENTS: A: Task Order Scope of Services B (if any): N/A
I hereby authorize the performance of the work
described in this Task Order.
APPROVED:
CITY OF PALO ALTO
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________
I hereby acknowledge receipt and acceptance of
this Task Order and warrant that I have authority
to sign on behalf of Consultant.
APPROVED:
COMPANY NAME: Baker Tilly Advisory Group, LP
BY:____________________________________
Name __________________________________
Title___________________________________
Date ___________________________________
Attachment A
Introduction
Services and Deliverables To Be Provided
Schedule of Performance
Maximum Compensation Amount and Rate Schedule (As Applicable)
Reimbursable Expenses, if any (With “Not To Exceed” Amount)
Services & Deliverables
Step 1: Assessment Planning
Step 2: Fieldwork and Testing
Step 3: Reporting
Step 1 – Assessment Planning
Gather information to understand the environment under review
o Understand the environment under assessment
o Assess the City code, regulations, and other standards and expectations
o Assess prior audit results, as applicable
o Assess additional documentation and conduct interviews as necessary
Prepare an assessment program
o Refine assessment objectives and scope
o Identify the procedures to be performed and the evidence to be obtained and examined
Announce the initiation of the assessment and kick-off meeting with key stakeholders
o Discuss assessment objectives, scope, process, timing, resources, and expectations
o Discuss documentation and interview requests for the audit
Step 2 – Fieldwork and Testing
a. Assess how the Flock ALPR cloud environment is secured and monitored to protect Palo Alto
data
4. Access Management (Application and Database Layers)
a. Assess User Access Management process
b. Assess Vendor Access Management process
c. Assess User Access Review process
d. Assess User activity monitoring
i. Potentially test a sample of data entries that may have been impacted by the enabling
of the global license plate search feature, to see if any of the data was accessed
during the time period that the feature was enabled.
5. System Interfaces
a. Assess security controls around internal/external systems that may interface with the Flock
ALPR system (e.g., data encryption, data transferred between systems, monitoring of activity,
controls to prevent data leakage, etc.)
6. Change/Configuration Management
a. Assess process for requesting, developing, implementing, and testing changes to the Flock
ALPR system features and/or configurations.
b. Assess controls for monitoring and reviewing system configuration changes, to ensure they
are authorized.
c. Assess whether any system alerts are sent out to authorized individuals, if changes are made
to the system, including changes to configurations.
d. Assess process for communication to Flock ALPR System customers of any new
releases/features and/or functionality changes (e.g., Release Notes).
Step 3 – Reporting
In Step 3, the project team will perform tasks necessary to finalize audit working papers, prepare and
review a draft report with stakeholders, and submit a final report for management response. Tasks include:
Developing findings, conclusions, and recommendations based on the supporting evidence
gathered
Validating findings with appropriate individuals and discussing the root cause of the identified
findings
Complete supervisory review of working papers and a draft audit report
Distribute a draft audit report and conduct a closing meeting with key stakeholders
o Discuss the audit results, findings, conclusions, and recommendations
o Discuss management responses
Obtain written management responses and finalize a report
Review report with members of City Council and/or the appropriate Council Committee
Deliverables:
The following deliverables will be prepared as part of this engagement:
Audit Report
Policy & Services Committee Audit Report Presentation
Schedule of Performance
Anticipated Start Date: March 1, 2026
Anticipated End Date: June 30, 2026
Maximum Compensation Amount and Rate Schedule
The not-to-exceed maximum, inclusive of reimbursable expenses (as summarized below) for this Task is $30,000.
The not-to-exceed budget is based on an estimate of 105 total project hours, of which a minimum of 5 are estimated
to be completed by the City Auditor.
We plan to complete all fieldwork steps for this audit remotely and do not anticipate any on-site work.
Policy & Services Committee
At Places Memo
From: Kate Murdock, City Auditor
Meeting Date: March 10, 2026
Item Number: AA1
Report #: 2603-6107
TITLE
The Office of the City Auditor Recommends the Policy & Services Committee Remove from
Consideration Agenda Item AA1 - Approval of New Task Order 4.42 - Flock Safety Assessment
for Inclusion in the City Auditor's FY 2026 Audit Plan
RECOMMENDATION
The Office of the City Auditor recommends the Policy and Services Committee (P&S) remove
from consideration Agenda Item AA1 – “Recommend Approval of New Task Order 4.42 – Flock
Safety Assessment for Inclusion in the City Auditor’s FY 2026 Audit Plan and Amend FY 2026
Task Order budgets to Support this New Task Order with a Net Zero Impact”.
BACKGROUND
Upon further consideration and following the firm’s standard process, Baker Tilly has
completed its conflict-of-interest check. Baker Tilly has concluded that it is appropriate for the
firm to recuse itself from this assessment to avoid any potential appearance or concern that
this might impair our independence and/or compromise our ability to effectively conduct this
assessment with the full confidence of the public’s trust.
The Office of the City Auditor thinks the engagement for the City to review Flock Safety as a
vendor is important. As the City and vendor coordinate to set the scope for the review, Baker
Tilly can assist as needed by recommending specific firms that would be qualified to perform
this work. In addition, Baker Tilly will commit the previously identified funds, in the amount of
$30,000, for the proposed assessment from the City Auditor’s contracted budget to retain such
services if desired.
APPROVED BY:
Kate Murdock, City Auditor