The URL can be used to link to this page

Home My WebLink AboutFinance Committee - September 24, 2020CITY OF NEWPORT BEACH FINANCE COMMITTEE MEETING WILL BE HELD VIA ZOOM. PLEASE SEE SPECIAL NOTICE REGARDING COVID-19 FOR PUBLIC COMMENT INFORMATION. AGENDA - FinalThursday, September 24, 2020 - 3:00 PM Finance Committee Members: Will O'Neill, Chair / Mayor Brad Avery, Mayor Pro Tem Joy Brenner, Council Member William Collopy, Committee Member John Reed, Committee Member Joe Stapleton, Committee Member Larry Tucker, Committee Member Staff Members: Grace K. Leung, City Manager Dan Matusiewicz, Finance Director / Treasurer Steve Montano, Deputy Director, Finance Marlene Burns, Administrative Specialist to the Finance Director SPECIAL NOTICE REGARDING COVID-19 On March 4, 2020, Governor Newsom proclaimed a State of Emergency in California as a result of the threat of COVID-19. On March 12, 2020, Governor Newsom issued Executive Order N-25-20, which allows Finance Committee Members to attend Finance Commission meetings by electronic means. Please be advised that to minimize the spread of COVID-19, Finance Committee Members may attend this meeting either electronically or telephonically. Also, please be advised that on March 17, 2020, Governor Newsom issued Executive Order N-29-20, which allows for the public to participate in any meeting of the Finance Committee telephonically or by other electronic means. Given the health risks associated with COVID-19, the City of Newport Beach will conduct this meeting via Zoom. As a member of the public, if you would like to participate in this meeting, you can participate via the following options: 1. You can submit your questions and comments in writing for the FInance Committee's consideration by sending them to Dan Matusiewicz, Finance Director, at dmatusiewicz@newportbeachca.gov. To give the Finance Committee adequate time to review your questions and comments, please submit your written comments by Wednesday, September 23, 2020, at 5 p.m. All emails will be made part of the record. 2. You can connect with a computer by joining through Zoom. Use the link below to register for the meeting using a valid email address. You will receive a confirmation email allowing you to join the meeting: https://zoom.us/webinar/register/WN_qoYKPZnfT0O3bqHU26oLTA. 3. Or you may connect by Phone/Audio Only by calling: 669-900-9128. The meeting ID is 935 7850 0383# 4. Attendees must raise their hand in the Zoom module if they would like to speak. If attending by phone, press *9 to raise hand. Please know that it is important for the City to allow public participation at this meeting. While the City does not expect there to be any changes to the above process for participating in this meeting, if there is a change, the City will post the information as soon as possible to the City’s website. The City of Newport Beach thanks you in advance for continuing to take precautions to prevent the spread of the COVID 19 virus. The Finance Committee meeting is subject to the Ralph M. Brown Act. Among other things, the Brown Act requires that the Finance Committee agenda be posted at least seventy-two (72) hours in advance of each regular meeting and that the public be allowed to comment on agenda items before the Committee and items not on the agenda but are within the subject matter jurisdiction of the Finance Committee. The Chair may limit public comments to a reasonable amount of time, generally three (3) minutes per person. I. CALL MEETING TO ORDER II. ROLL CALL September 24, 2020 Page 2 Finance Committee Meeting III.PUBLIC COMMENTS Public comments are invited on agenda and non-agenda items generally considered to be within the subject matter jurisdiction of the Finance Committee. Speakers must limit comments to three (3) minutes. Before speaking, we invite, but do not require, you to state your name for the record. The Finance Committee has the discretion to extend or shorten the speakers’ time limit on agenda or non-agenda items, provided the time limit adjustment is applied equally to all speakers. As a courtesy, please turn cell phones off or set them in the silent mode. IV.CONSENT CALENDAR MINUTES OF JUNE 4, 2020A. Recommended Action: Approve and file. DRAFT MINUTES 06042020 V.CURRENT BUSINESS INVESTMENT PERFORMANCE REVIEWA. Summary: Staff and/or one or more investment advisors will describe the performance of the City's investment portfolio. Recommended Action: Receive and file. STAFF REPORT ATTACHMENT A ATTACHMENT B ANNUAL INVESTMENT POLICY REVIEW AND UPDATEB. Summary: In furtherance of Section K-2 of Council Policy F-1, Statement of Investment Policy (the Policy), the Finance Department has completed an annual review of the Policy to ensure its consistency with the overall objectives of preservation of principal, liquidity and return, and its relevance to current law and financial and economic trends. Staff is proposing no modifications to the Policy at this time as recommended by Chandler Asset Management and supported by the City’s Finance Director/Treasurer. Recommended Action: Receive and file. STAFF REPORT ATTACHMENT A September 24, 2020 Page 3 Finance Committee Meeting FIRE STATION 2 - BOND AUTHORIZATION RECOMMENDATIONC. Summary: On May 12, 2020, the City Council reviewed the Adopted Fiscal Year 2019-20 Capital Improvement Program Budget. There was a unanimous straw vote to support evaluating financing for the Lido Fire Station 2 Project. This report describes the contours of a financing plan and its conformance to the City’s Debt Policy. Recommended Action: Receive and file. STAFF REPORT ATTACHMENT A ATTACHMENT B INTERNAL AUDIT PLAN UPDATED. Summary: This update summarizes all internal audit activities to date including the findings of the Enterprise Risk Assessment and the Internal Controls Review report. Working in collaboration with City management, Moss Adams prepared a recommended internal audit program for Fiscal Year 2020-21 that focuses on addressing priorities from the risk assessment and internal controls review. Recommended Action: Review and discuss the reports and provide recommendations for City Manager consideration. STAFF REPORT ATTACHMENT A ATTACHMENT B ATTACHMENT C ATTACHMENT D WORK PLAN REVIEWE. Summary: Staff will review with the Committee the agenda topics scheduled for the remainder of the calendar year. Recommended Action: Receive and file. ATTACHMENT A September 24, 2020 Page 4 Finance Committee Meeting VI.FINANCE COMMITTEE ANNOUNCEMENTS ON MATTERS WHICH MEMBERS WOULD LIKE PLACED ON A FUTURE AGENDA FOR DISCUSSION, ACTION OR REPORT (NON-DISCUSSION ITEM) VII.ADJOURNMENT Finance Committee Meeting Minutes June 4, 2020 Page 1 of 5 CITY OF NEWPORT BEACH FINANCE COMMITTEE JUNE 4, 2020 MEETING MINUTES I. CALL MEETING TO ORDER The meeting was called to order at 3:03 p.m. via teleconference. II. ROLL CALL PRESENT: Mayor /Chair Will O’Neill, Council Member Diane Dixon, Committee Member William Collopy, Committee Member John Reed (attending remotely), Committee Member Joe Stapleton, Committee Member Larry Tucker (attending remotely) ABSENT: Council Member Joy Brenner STAFF PRESENT: City Manager Grace Leung, Finance Director/Treasurer Dan Matusiewicz, Deputy Director/Finance Steve Montano, Budget Analyst Amy Lewis, and Senior Pool Lifeguard Caitlin McCourt MEMBERS OF THE PUBLIC: Jim Mosher and Phillip Bettencourt III. PUBLIC COMMENTS Jim Mosher reported the Planning Commission will be meeting to consider a Mixed-Use project by the airport and will be paying the City $6-$7 million for building rights. He commented that the net cost to the City in perpetuity would be approximately $620,000 per year. Mr. Mosher reported he requested review of the Moss-Adams Risk Assessment but was advised it would not be made public. He commented while he understands some items in the report may be for internal users only, the public should be able to understand the clear idea of the risk for the City. IV. CONSENT CALENDAR MINUTES OF MAY 21, 2020 Recommended Action: Approve and file. MOTION: Chair O’Neill moved to approve the minutes, seconded by Committee Member Collopy. The motion carried 6 ayes – 0 noes, 1 absence (Brenner). V. CURRENT BUSINESS A. RECOMMENDATION FY 2020-21 BUDGET Summary: Make final recommendation to the City Council on the City Manager's Proposed FY 2020-21 Operating and CIP Budgets. Recommended Action: Review, discuss, and make a recommendation to the City Council regarding the City Manager's Proposed FY 2020-21 Budget. Finance Committee Meeting Minutes June 4, 2020 Page 2 of 5 Chair O’Neill provided opening remarks and noted one of the primary functions of the Finance Committee is to make a recommendation to the City Council on the budget proposed by the City Manager. He commented the current proposed budget has gone through several iterations due to the current financial crisis and was discussed during the joint Finance Committee-City Council meeting over Memorial Day weekend. He thanked the City Manager and Finance Director for clarifying the fund transfer issue during the discussion. In response to Chair O’Neill’s inquiry, Finance Director/Treasurer Matusiewicz reported there would be minor changes to the FY 2020-21 Proposed Budget for the Capital Improvement Projects (CIP). He explained that carry forward balances from encumbered CIP projects will not be known until closer to the fiscal year-end. Adjustments will be made at that time. Additionally, he noted there is a position amendment that has a zero-dollar impact to the budget. In response to Committee Member Collopy’s inquiry, Finance Director/Treasurer Matusiewicz reported Property Tax Revenue is projected to be on target, Sales Tax Revenue is projected to have a $6 million shortfall and Transient Occupancy Tax (TOT) currently has a $5 million shortfall for the current budget. Finance Director/Treasurer Matusiewicz advised May and June TOT payments have not been received. In response to Chair O’Neill, Finance Director/Treasurer Matusiewicz clarified when looking at collections to date, May and June TOT payments still need to be added to the total. He also clarified Property Tax Revenue is on target and there has only been a small increase in delinquencies. He explained it will be difficult to determine Sales Tax Revenues. City Manager Grace Leung interjected and commented it will be difficult to determine the shortfall until the clean-up payment is received in August. In response to Chair O’Neill’s inquiry, City Manager Leung responded that any budget surplus can be used to plug the revenue shortfall . Chair O’Neill recommended reviewing the budget in September once the August numbers are received. In response to Committee Member Tucker, Finance Director/Treasurer Matusiewicz confirmed the $35 million annual payments to Unfunded Pension Liabilities remains in the budget. He also confirmed there is an additional $5 million in the budget to address increases to our unfunded pension liabilities that may result from the next CalPERS experience study that reviews actual experience of the system in relation to the current actuarial assumptions. Committee Member Tucker suggested City Council review the policy for how much Contingency Reserve is used before covering shortfalls in other categories. In response to Committee Member Tucker’s request, Finance Director/Treasurer Matusiewicz agreed to prepare a schedule of incoming and outgoing transfers for the Finance Committee. In response to Council Member Diane Dixon’s inquiry, City Manager reported General Fund Reserves currently stand at $52 million. Finance Director/Treasurer Matusiewicz clarified General Fund would only be drawn down if necessary. Council Member Dixon commented the City has been conservative in terms of financial management and has strong General Fund Reserves going into the FY 2020-21 Proposed Budget. In response to Council Member Dixon’s inquiry, Finance Director/Treasurer Matusiewicz explained the plan was to draw $2.1 million from General Fund Reserves but the amount could be more or less. Council Member Dixon stated for the record and for any residents who are observing the meeting, the City has solid financial security and has the funds available to absorb the shortfall. Committee Member Stapleton thanked the staff for their efforts during these unusual times. He applauded the efforts of the City in exercising conservative fiscal practices in the last few years which will help it get through the crisis. Finance Committee Meeting Minutes June 4, 2020 Page 3 of 5 In response to Committee Member Reed’s inquiry, Finance Director/Treasurer Matusiewicz explained staff will be reviewing the budget regularly and could potentially propose cuts on the expenses side to make up some financial ground. City Manager Leung explained the tiers were developed so they could be replenished. The Contingency Fund would be replenished first, then the CIP, and then last, long-term funds. City Manager Leung reported the City is currently on an annualized budgeting system and the Executive Team is being convened to review the impact of service reductions for the City. In response to Council Member Dixon’s inquiry, City Manager Leung confirmed step increases and cost of living increases will continue moving forward as the City is contractually obligated in those areas. Chair O’Neill opened public comments. Mr. Mosher commented the process and budget itself is confusing including what the Finance Committee is doing today. He referenced page 13 of the staff report, which states per Council Resolution 2018-71, the Finance Committee is responsible for reviewing and recommending the operating portion of the City Manager’s proposed budget excluding the proposed budget revisions. He is interpreting this as the Finance Committee is making recommendations regarding the budget that has been published on the City’s website and completely ignoring revisions that might be made to it. He stated it may be difficult or meaningless to make that recommendation because revisions to the published budget are quite large. Mr. Mosher referenced page 12 of the staff report, which states the FY 2020-21 Proposed Budget is balanced and feels the statement references the entire budget. He explained the definition of a balanced budget, in particular as related to a governmental agency, is one where revenues are equal or exceed expenses and the proposed budget has substantially larger expenses than revenue. He commented declaring the budget balanced is confusing to the public. Philip Bettencourt inquired if budget refinements have impacted the Housing Element budget assumptions and any consultant contract commitments due to the delay in the kick-off process for the Housing Element Advisory Update Committee. In response to Mr. Bettencourt’s inquiry, Chair O’Neill confirmed the City will be able to meet its budgetary contractual obligations. In response to Mr. Mosher’s comments, Finance Director/Treasurer Matusiewicz explained that all appropriations in the Capital Improvement Budget for projects currently underway and remaining unexpended as of June 30, 2020, as approved by the City Council in prior years, will be appropriated (carried forward) to the 2020-21 Fiscal Year. Funding for these prior year projects are held in reserves. This may seem to inflate the budget relative to revenues that are expected in FY 2020-21, but there are sufficient funds in reserves to cover prior year projects. In response to Mr. Mosher’s comments, Chair O’Neill acknowledged there is not a budget checklist this year, and explained it is normally used for policy decisions at the City Council level. City Manager Leung explained that in-lieu of the budget checklist there will be proposed budget revisions, but will not include changes in service levels or resources. Chair O’Neill closed public comments. MOTION: Council Member Dixon moved, and Committee Member Collopy seconded, to recommend the proposed budget to the City Council as prepared by staff. The motion carried 6 ayes – 0 noes, 1 absence (Brenner) Finance Committee Meeting Minutes June 4, 2020 Page 4 of 5 In response to Committee Member Collopy’s inquiry, City Manager Leung explained any projects removed from the budget would need to be appropriated by City Council action if funding were to become available. B. WORK PLAN REVIEW Summary: Staff will review with the Committee the agenda topics scheduled for the remainder of the calendar year. Recommended Action: Receive and file. Finance Director/Treasurer Matusiewicz recommended a Finance Committee meeting in mid- to late July. Chair O’Neill reminded the Finance Committee their terms of service expire on June 30, 2020, and explained an item needs to be placed on the City Council agenda to initiate the appointment/reappointment process. He advised once the Finance Committee members are confirmed, the Finance Committee can then set up meetings. Chair O’Neill opened public comments. Committee Member Tucker recommended a review of resolutions established for the Finance Committee for process review. He also recommended monitoring methods to maximize revenues and minimize expenses. He expressed concern City funding will not be available to execute Development Agreements when the Housing Element Update is received due to the financial crisis. Last, he recommended a review of the Facilities Financial Plan (FFP) to which Chair O’Neill agreed. Chair O’Neill closed public comments. Chair O’Neill thanked the Finance Committee and staff for their service. There was no further action taken on this item. VI. FINANCE COMMITTEE ANNOUNCEMENTS ON MATTERS WHICH MEMBERS WOULD LIKE PLACED ON A FUTURE AGENDA FOR DISCUSSION, ACTION OR REPORT (NON-DISCUSSION ITEM) None VII. ADJOURNMENT The Finance Committee adjourned at 3:47 p.m. until the next regular meeting of the Finance Committee. Filed with these minutes are copies of all materials distributed at the meeting. The agenda for the Regular Meeting was posted on June 1, 2020, 1:51 at p.m., in the binder and on the City Hall Electronic Board located in the entrance of the Council Chambers at 100 Civic Center Drive. Attest: Finance Committee Meeting Minutes June 4, 2020 Page 5 of 5 ___________________________________ _____________________ Will O’Neill, Chair Date Finance Committee September 24, 2020, Finance Committee Agenda Comments These comments on an item on the Newport Beach City Council Finance Committee agenda are submitted by: Jim Mosher ( jimmosher@yahoo.com ), 2210 Private Road, Newport Beach 92660 (949-548-6229) Item IV.A. MINUTES OF JUNE 4, 2020 Changes to the draft minutes passages shown in italics are suggested in strikeout underline format. The page numbers are those of the minutes (add four to obtain the agenda packet page numbers). Page 1, Item III, paragraph 1: “Jim Mosher reported the Planning Commission will be meeting to consider a Mixed-Use project by the airport and which will be paying the City $6-$7 million for building rights.” Page 2, paragraph 1, sentence 2: “He commented the current proposed budget has gone through several iterations due to the current financial crisis and was discussed during the joint Finance Committee-City Council meeting over after Memorial Day weekend.” Page 2, paragraph 6, sentence 2: “In response to Committee Member Tucker, Finance Director/Treasurer Matusiewicz confirmed the $35 million annual payments payment to Unfunded Pension Liabilities remains in the budget.” Page 2, paragraph 8, sentence 2: “Finance Director/Treasurer Matusiewicz clarified the General Fund would only be drawn down if necessary.” Page 4, paragraph 4 before Item VI, sentence 3: “He expressed concern City funding will not be available to execute Development Agreements when the Housing Element Update is received due to the financial crisis.” [Others may understand this sentence as written, but I do not. And since I don’t understand its intent, I am unable to offer a revision. At minimum, “due to the financial crisis” probably belongs at the beginning rather than the end. That said, I don’t know what “City funding” is needed to “execute” DA’s or why receipt of the HEU would affect it.] From: Sent: To: Cc: Subject: Larry Tucker Thursday, September 24, 2020 12:19 PM Burns, Marlene O'Neill, William; Matusiewicz, Dan; Tucker, Larry Suggested Edits to Finance Committee Minutes of June 4, 2020 [EXTERNAL EMAIL] DO NOT CLICK links or attachments unless you recognize the sender and know the content is safe. Hi Marlene, At the middle of Page 4 of the minutes I would re-word the paragraph as follows: “Committee Member Tucker recommended a review of the Resolution establishing the Finance Committee to evaluate whether to recommend a change to the Resolution to be more consistent with the manner in which the Finance Committee operates. He also suggest the Finance Committee have a discussion about maximizing revenues and minimizing costs as its founding Resolution contemplates. He expressed concern that the focus on encouraging more housing could mean less revenue being generated from Development Agreements. Lastly, he recommended a review of the future sources of funding the Facilities Financial Plan to which Chair O’Neill agreed.” Thanks. Larry CITY OF NEWPORT BEACH FINANCE COMMITTEE STAFF REPORT Agenda Item No. 5A September 24, 2020 TO: HONORABLE CHAIR AND MEMBERS OF THE COMMITTEE FROM: Finance Department Dan Matusiewicz, Finance Director 949-644-3123 or danm@newportbeachca.gov SUBJECT: INVESTMENT PERFORMANCE REVIEW EXECUTIVE SUMMARY This memorandum provides an overview of the structure and the performance of the City’s investment portfolio. As guided by the City’s investment policy objectives, the City strives to maintain a portfolio emphasizing safety and liquidity while earning a market rate of return commensurate with the City’s risk tolerance and investment restrictions imposed by the California Government Code. The City has complied with all the limiting parameters of both the California Government Code and the City’s Investment Policy Statement while earning a rate of return comparable to the City’s established benchmarks, the Intercontinental Exchange Bank of America Merrill Lynch (ICE BAML) 1-3 Year US Treasuries Index and the ICE BAML 1-3 Year US Corporate / Government Rated AAA-A Index. DISCUSSION Investment Portfolio Overview The City’s strategy continues to focus on identifying value from high quality, marketable securities among the full range of investment options, ensuring the portfolio continues to be well diversified. As of June 30, 2020, the City’s entire investment portfolio totaled over $315 million. These investments are pooled assets of the City Newport Beach, which includes the general fund, special revenue funds, internal service funds, enterprise funds (i.e., water and wastewater), as well as various other funds. Investment Performance Review September 24, 2020 Page 2 Liquidity Portfolios The City uses a number of accounts and carve-out portfolios to accomplish its investment objectives. For liquidity, the City uses a combination of demand deposit accounts (DDA), the Local Agency Investment Fund (LAIF), and a targeted-maturities portfolio to provide sufficient liquidity to meet its day-to-day cash flows. Municipal deposits in DDAs are 110 percent collateralized by bank assets, and the City receives a compensating balance credit that can only be used to offset banking fees but does not produce income beyond bank fees. The average compensating balance credit for Fiscal Year ended June 30, 2020, amounted to approximately 0.5%, while LAIF produced an income return of approximately 2.1% during the Fiscal Year. Because of the current disparity in earnings potential between our DDA accounts and LAIF, only the bare minimums are maintained in the DDA accounts. Funds needed to meet specific cash flows can be invested at a rate higher than LAIF are accounted for in our targeted-maturities portfolio. As of June 30, 2020, this targeted-maturities portfolio held about $9 million in securities and provided an income return for the Fiscal Year of approximately 2.2%. Yield-to-maturity at cost, a forward-looking measure, was about 1.2%. Short-Term Portfolio The City’s core investment portfolio of about $209 million is actively managed in accordance with the California Government Code and the City’s investment policy. The investments are held by a custody bank and are registered in the City’s name. The City accounts for and monitors the portfolio independently of the investment advisors, by a direct feed from the custody bank and the use of third-party analytical software. The City’s core portfolio finished the twelve months ending June 30, 2020, with an income return of 2.2%. Performance Benchmarking The City’s investment policy statement identifies the City investment objectives. The objectives are to preserve principal and liquidity while earning a market rate of return commensurate with the City’s investment risk tolerance, liquidity needs, and significant constraints imposed by the California Government Code 53601 as to the type and quantity of securities that may be purchased by local agencies. “Total return” is the accepted industry standard measure for comparing portfolio performance to established benchmarks. Total return benchmarks provide valuable information to those charged with governance of the investment portfolio by: • Communicating a transparent risk profile and related investment strategy; • Managing expectations of risk and return; and • Providing relative variances that can be used to identify decisions made regarding portfolio durations, sector weighting, credit quality and maturity structure. Investment Performance Review September 24, 2020 Page 3 The City uses total return to measure performance and risk against its benchmarks. Total return is made up of both income return and unrealized gains and losses due to changing interest rate environments. The market value of bonds moves inversely to the direction of interest rates. As interest rates decrease, the market value of bonds held in the portfolio increases because they are paying a higher interest rate than comparable bonds in the market. As illustrated in the chart below, the City’s core portfolio’s income return was about 2.2%. As interest rates trended downward, price return turned positive lifting the total return up to about 4.4% even though the unrealized gains were not realized. The core portfolio currently follows a short-term bond strategy. This portfolio aims to find value and maximize yield within the high-quality fixed income market within the duration range of the City’s strategic benchmarks. The City uses the ICE BAML 1-3 Year US Treasuries Index as one benchmark. The City also uses a second benchmark, the ICE BAML 1-3 Year U.S. Corporate / Government Rated AAA-A Index, which is more reflective of the portfolio’s risk and return characteristics. The use of two benchmarks provides a means to evaluate the added value high-quality corporate bonds bring to the portfolio. Investment Performance Review September 24, 2020 Page 4 As demonstrated in the table below, the City’s investment portfolio was positioned shorter in duration than its benchmarks and outperformed the ICE BAML 1-3 Year US Treasuries Index by 29.6 basis points (bps). Total return on the portfolio for Fiscal Year 2018-19 and Fiscal Year 2019-20 was comparable at 4.1% and 4.4%, respectively. Similar total returns between the two Fiscal Years is reasonable given interest rates declined during both Fiscal Years. Bond prices move inversely to interest rates, and both Fiscal Years featured price returns of about 2%. The following chart of two-year Treasury yields illustrates the decline in interest rates during the two Fiscal Years. Nominal Yields on Two Year Treasuries from July 2018 through June 2020 (Source: U.S. Department of the Treasury) Investment Performance Review September 24, 2020 Page 5 Uncertainties and concerns about foreign economies led to the Federal Reserve deciding on July 2019 to reduce the federal funds target rate range. Chair Powell noted during a July 2019 press conference that the rate reduction was “intended to insure against downside risks from weak global growth and trade policy uncertainty, to help offset the effects these factors are currently having on the economy, and to promote a faster return of inflation to our symmetric 2 percent objective.” Reductions to the federal funds target rate range continued. March 2020’s cumulative 1.50% decrease left the federal funds target rate range at 0.00% to 0.25%, where the rate range remained through the end of Fiscal Year 2019-20. If low interest rates continue, future total returns from fixed income portfolios may be muted. Future income returns will decrease as money from coupons, maturities, sales, and new money is reinvested into a low interest rate environment. Positive returns related to the changes in price will likely have a lessor impact than those realized over the last six months. Bond prices increase as interest rates decrease and interest rates are unlikely to move materially lower from their current levels. Interest rates are close to zero and the Federal Reserve appears unlikely to implement negative interest rates in the United States. Consequently, both the City’s future income return and future price return likely will be lower than during Fiscal Year 2019-20. PORTFOLIO CHARACTERISTICS LOOKING FORWARD While total return is an excellent benchmarking measure it does not always provide intuitive information regarding what the portfolio is earning on a cash basis since the total return measure assumes all unrealized gains and losses are ultimately realized at a particular date. This difference is especially magnified in a changing interest rate environment and when the duration of the portfolio is longer than the benchmark. As of June 30, 2020, the City’s net unrealized gains on the short-term investment portfolio were nearly $7 million. Overall, this is neutral news. The City will be earning lower bond yields as maturing investments and earnings are reinvested. The short-term portfolio’s yield to maturity (YTM) at market value at June 30, 2020, declined to about 0.3% from 2.0% from a year earlier. The upside is the City will have more latitude in its cash flow forecasting. Liquidating securities prior to their maturity date may result in realized gains that would otherwise have been unrealized by holding a security to maturity. That is not to say that the City automatically sells securities when unrealized gains arise. The City deploys an active investment strategy. Before investments are sold, various factors are considered, such as the difference in yield between the market and the City’s portfolio. This is the primary difference between an active versus a passive investment strategy, which simply follows the attributes of a given benchmark. Currently, the City’s strategies have served the City well in the current economic environment. Investment Performance Review September 24, 2020 Page 6 Prepared by: Submitted by: /s/Jeremiah Lim /s/Dan Matusiewicz Jeremiah Lim Dan Matusiewicz Accountant Finance Director Attachments: A. Financial Markets Overview B. Treasury Report – Month Ended June 30, 2020 ATTACHMENT A FINANCIAL MARKETS OVERVIEW Financial Markets Overview Fiscal Year 2019-20 saw a downward trajectory for interest rates. At the start of July 2019, 2-year Treasuries had a yield of 1.78% and gradually decreased to 1.42% by mid- February 2020. With the onset of the COVID-19 pandemic and the associated forced shutdowns of large portions of the global economy, 2-year Treasuries fell rapidly to a yield of 0.23% at the end of March 2020 – an 87% decline from the beginning of the fiscal year. Declines continued, albeit at a lessor pace through the fiscal year’s end, with 2-year Treasuries yielding 0.16% at the end of the fiscal year. Yields on 2-year Treasuries have not moved materially since, ending August 2020 at 0.14%. Nominal Yields on Two Year Treasuries (Source: U.S. Department of the Treasury) The Federal Reserve’s (Fed) federal funds rate range followed a similar trend. July 2019 began with a federal funds rate range of 2.25% - 2.50%. Subsequently, three separate rate cuts by the Fed of 0.25% were implemented during August, September, and October 2019, resulting in a federal funds rate range of 1.50% - 1.75% at the end of October 2019. The Fed lowered the federal funds rate citing potential slower economic growth in the US and abroad. Press conference comments during October 2019 by Jerome Powell, chair of the Federal Reserve cited the US economy remains vibrant but risks remain abroad, such as trade disputes with China and uncertainty related to the United Kingdom leaving the European Union, making rate reductions appropriate. To quote Chair Powell, “Overall, we continue to see sustained expansion of economic activity, a strong labor market, and inflation near our symmetric 2 percent objective as most likely. While this has been our outlook for quite some time, our views about the path of interest rates that will best achieve these outcomes have changed significantly over the past year. As mentioned, weakness in global growth and trade developments have weighed on the economy and pose ongoing risks. These factors, in conjunction with muted inflation pressures, have led the Fed to lower their assessment of the appropriate level of the federal funds rate over the past year. Responding to a question during the same October 2019 press conference, Chair Powell indicated potentially increasing interest rates for calendar year 2020 if the phase- one U.S. – China trade deal was finished and the USMCA trade deal was ratified. Impacts from COVID-19 caused calendar year 2020’s economy and interest rates to deviate significantly from expectations. COVID19’s impact on the economy led to rapid decreases in the federal funds target rate range. Economic threats from COVID19 resulted in the Federal Reserve’s Federal Open Market Committee holding two unscheduled meetings in March 2020, during which the committee reduced the federal funds target rate range a total of 1.50% to a range of 0.00% - 0.25%. During a press conference on March 15, 2020 Chair Powell stated, “we expect to maintain the rate at this level until we’re confident that the economy has weathered recent events and is on track to achieve our maximum employment and price stability goals.” Rates will likely remain low an extended period of time as COVID-19 has significantly affected the economy. Chair Powell noted during a July 29, 2020 press conference that, “the current economic downturn is the most severe in our lifetimes. It will take a while to get back to the levels of economic activity and employment that prevailed at the beginning of the year, and it will take continued support from both monetary and fiscal policy to achieve that.” Thankfully, the economy is recovering, with Chair Powell noting during the same July 29, 2020 press conference that, “job gains have reversed about a third of the job losses from March and April, and consumer spending has reversed about a half of the drop… [T]hose were sooner and stronger than we expected… Nonetheless, on balance, it looks like the data are pointing to a slowing in the pace of the recovery. But I want to stress, it’s… too early to say both how large that is and how sustained it will be.” Information from the Bureau of Economic Analysis and the Bureau of Labor Statistics helps illustrate the economy over the last few months. The Bureau of Economic Analysis (BEA) released new estimates of gross domestic product (GDP) toward the end of August 2020. BEA’s “second” estimate is that in the second calendar quarter of 2020 real GDP fell 31.7 percent annualized, following a 5.0 percent decrease in the first calendar quarter. BEA commented that, “The decline in second quarter GDP reflected the response to COVID-19.” Widespread decreases across the economy contributed to 31.7 percent real GDP decline. Only federal government spending and reduced imports contributed positively to real GDP during the second calendar quarter of 2020. Percent Change of Real GDP from Preceding Calendar Quarter (Source: U.S. Bureau of Economic Analysis) (Seasonally adjusted annualized rates) The Bureau of Labor Statistics (BLS) released August 2020’s employment data in September. BLS reported that, “Total nonfarm payroll employment rose by 1.4 million in August, and the unemployment rate fell to 8.4 percent…These improvements in the labor market reflect the continued resumption of economic activity that had been curtailed due to the coronavirus (COVID-19) pandemic and efforts to contain it.’ In August, an increase in government employment largely reflected temporary hiring for the 2020 Census. Notable job gains also occurred in retail trade, in professional and business services, in leisure and hospitality, and in education and health services. Seasonally Adjusted Unemployment Rate (Source: U.S. Bureau of Labor Statistics) Seasonally Adjusted Monthly Change of Non-Farm Payroll (Source: U.S. Bureau of Labor Statistics) ATTACHMENT B TREASURY REPORT – MONTH ENDED JUNE 30, 2020 CITY OF Newport BeachAmortized UnrealizedMarketAccrued Market Value % YTM @ YTM @Operating PortfoliosCostGains/(Loss)ValueInterest Plus Accrued Total Cost Market NotesLiquidity PortfolioDemand Deposit Accounts11,256,784$ -$ 11,256,784$ -$ 11,256,784$ 3.69% 0.20% 0.20% (1) Local Agency Investment Fund74,499,640 - 74,499,640 - 74,499,640 24.40% 1.36% 1.41% (2) Targeted-Maturities Portfolio9,306,811 11,624 9,318,435 40,996 9,359,431 3.07% 1.17% 0.34%Short-Term PortfolioCash Equivalents214,604 - 214,604 165 214,769 0.07% 0.07% 0.07%Marketable Securities202,045,679 6,967,766 209,013,445 975,291 209,988,736 68.78% 2.22% 0.31%TOTAL OPERATING FUNDS297,323,518$ 6,979,390$ 304,302,908$ 1,016,452$ 305,319,360$ 100.00%Bond Fund Portfolios2010 Civic Center COPs6,551,417$ -$ 6,551,417$ -$ 6,551,417$ 62.36% 0.01% 0.01%Assessment Districts3,952,840604 3,953,444 1,124 3,954,568 37.64% 0.07% 0.02%TOTAL BOND FUNDS WITH FISCAL AGENT 10,504,256$ 604$ 10,504,861$ 1,124$ 10,505,985$ 100.00%TOTAL CASH & INVESTMENTS307,827,774$ 6,979,995$ 314,807,769$ 1,017,576$ 315,825,344$ Notes:(1) Yield offsets bank fees(2) LAIF's yield is available quarterlyPortfoliosJune 30, 2020For the Month Ended TREASURER'S REPORT4%24%3%< 1%69%Composition of Operating PortfolioJune 30, 2020Demand DepositAccountsLocal Agency InvestmentFundTargeted‐MaturitiesPortfolioCash EquivalentsMarketable Securities4%6%13%< 1%77%Composition of Operating PortfolioJune 30, 2019Demand Deposit AccountsLocal Agency InvestmentFundTargeted‐MaturitiesPortfolioCash EquivalentsMarketable Securities CITY OF Newport BeachSecurity Type Par Value Original CostAmortized CostUnrealized Gain/(Loss) Market ValueAccrued InterestMarket Value Plus Accrued% of PortfolioYTM @ CostYTM @ MarketCash Equivalents- 214,604 214,604 - 214,604 165 214,769 0.10% 0.07% 0.07%Marketable SecuritiesAgency85,080,000 85,592,963 85,492,337 3,375,505 88,867,843 397,256 89,265,099 42.47% 2.15% 0.28%U.S. Government55,575,000 54,912,940 55,303,064 1,797,188 57,100,252 206,853 57,307,105 27.29% 1.96% 0.18%Corporate Notes41,480,000 41,370,481 41,450,759 1,487,677 42,938,436 310,278 43,248,714 20.52% 2.81% 0.48%Asset-Backed Securities12,104,443 12,131,541 12,119,188 195,321 12,314,509 10,385 12,324,894 5.89% 2.02% 0.60%Supranational5,680,000 5,685,140 5,680,331 41,435 5,721,765 35,332 5,757,098 2.73% 1.97% 0.14%Municipal Bonds2,000,000 2,000,000 2,000,000 70,640 2,070,640 15,187 2,085,827 0.99% 2.01% 1.02%Total Marketable Securities201,919,443 201,693,064 202,045,679 6,967,766 209,013,445 975,291 209,988,736 99.90% 2.22% 0.31%GRAND TOTAL201,919,443 201,907,668 202,260,283 6,967,766 209,228,049 975,456 210,203,505 100.00% 2.22% 0.31%*Periods greater than one year are annualizedShort-Term Portfolio by Security Typefor the Month EndedJune 30, 2020Prior Month Current MonthCurrent Fiscal Yearto DatePrior Fiscal Year Trailing Year Trailing 3 Years*Income Return0.178% 0.175% 2.200% 2.014% 2.200% 1.913%Price Return0.138%‐0.042% 2.161% 2.127% 2.161% 1.096%Total Return = Income Return + Price Return0.316% 0.133% 4.361% 4.141% 4.361% 2.969%1‐3 yr Treasury Index Total Return0.065% 0.026% 4.065% 3.962% 4.065% 2.683%1‐3 yr Gov./Corp Index Total Return0.217% 0.118% 4.176% 4.158% 4.176% 2.826%‐0.500%0.000%0.500%1.000%1.500%2.000%2.500%3.000%3.500%4.000%4.500%5.000%Rate of ReturnPerformance History Cumulative Returns from the Beginning of the Trailing YearPeriod BeginPeriod EndTotal ReturnIncome ReturnPrice Return07/01/201907/31/20190.015%0.180%-0.165%07/01/201908/31/20190.847%0.363%0.484%07/01/201909/30/20190.747%0.546%0.202%07/01/201910/31/20191.121%0.730%0.391%07/01/201911/30/20191.108%0.913%0.194%07/01/201912/31/20191.301%1.097%0.205%07/01/201901/31/20201.883%1.278%0.604%07/01/201902/29/20202.724%1.456%1.268%07/01/201903/31/20203.361%1.657%1.704%07/01/201904/30/20203.894%1.832%2.062%07/01/201905/31/20204.223%2.017%2.205%07/01/201906/30/20204.361%2.200%2.161%07/01/2019------------Cumulative Returns from the Beginning of the Trailing YearShort-Term Portfolio's Cumulative Returns During Trailing Year07/01/2019 - 06/30/2020 Index: ICE BofA 1-3 Year US Treasury Index.Index Comparison SummaryIndex Comparison DurationIndex Comparison Credit RatingIndex Comparison Market SectorComparison of Short-Term Portfolio with 1-3 Year U.S.Treasuries Index06/01/2020 - 06/30/2020 CITY OF Newport Beach BOND MARKET OVERVIEWFor the Month Ended June 30, 2020 DISCLAIMER: This report is provided for informational purposes only and should not be construed as specific investment or legal advice. The information contained herein was obtained from sources believed to be reliable as of the date of publication, but may become outdated or superseded at any time without notice. This report may contain forecasts and forward‐looking statements which are inherently limited and should not be relied upon as an indicator of future results. Past performance is not indicative of future results.  On a month‐over‐month basis, retail sales rose 7.5% in June, following an 18.2% increase in May and 14.7% decline in April.  The Federal Open Market Committee (FOMC) kept monetary policy unchanged.  The federal funds target rate the range remained at 0%‐0.25%.  U.S. nonfarm payrolls in June increased 4,800,000. SummaryRisk MetricValueCash0.01MMFund214,769.05Fixed Income209,988,735.65Duration1.755Convexity-0.227WAL1.874Years to Final Maturity1.979Years to Effective Maturity1.874Yield0.313Book Yield2.218Avg Credit RatingAA/Aa2/AACredit RatingSecurity TypeDurationMarket SectorIssuer ConcentrationRisk Summary of Short-Term Portfolio06/01/2020 - 06/30/2020 CITY OF Newport BeachStatusPolicy NameRules Compliant Rules Violating RulesCompliantStatement of Investment Policy29290StatusRule BasisRule RequirementsRule LimitActualCompliantConcentrationBankers Acceptance Concentration40.00%0.00%CompliantConcentrationBankers Acceptances Rated Below (LT) A / A2 (ST) A-1/P-10.00%0.00%CompliantConcentrationCD30.00%0.00%CompliantConcentrationCommercial Paper25.00%2.19%CompliantConcentrationCorp Rated Below A- / A30.00%0.00%CompliantConcentrationCP and CDs Rated Below A/A2 or A1/P10.00%0.00%CompliantConcentrationIssuer Concentration Except for Agency, Repo, FDIC5.00%2.19%CompliantConcentrationMax Concentration of Corps (%)30.00%21.73%CompliantConcentrationMax Concentration of Funds Assets10.00%0.01%CompliantConcentrationMax Concentration of MBS and ABS20.00%5.61%CompliantConcentrationMax Concentration of MMF20.00%0.14%CompliantConcentrationMax Concentration of Munis (%)30.00%0.95%CompliantConcentrationMax Concentration of Supranationals20.00%2.62%CompliantConcentrationMax Issuer Concentration of Corporate Bonds (%)5.00%1.94%CompliantConcentrationMax Issuer Concentration of Supranationals10.00%1.05%CompliantConcentrationMinimum Credit Rating for MBS of AAA0.00%0.00%CompliantConcentrationMinimum Issuer Size for CD's - In Billions10Unavailable(1)CompliantConcentrationMinimum Issuer Size for CP's - In Millions500Unavailable(1)CompliantConcentrationMinimum Rating for Supranational Securities AA0.00%0.00%CompliantConcentrationMunis Rated Below A/A20.00%0.00%CompliantConcentrationRepos10.00%0.00%CompliantConcentrationSupranational is in USD0.00%0.00%CompliantMaturityMax Effective Maturity for Repos (in Years)0.080.000CompliantMaturityMax Final Maturity (from Settle) for Munis5.004.296CompliantMaturityMax Final Maturity for CP (in Years)0.740.517CompliantMaturityMax Final Maturity From Settle Date (in Years)5.004.964CompliantMaturityMax Final Maturity From Settle for Corp Excl CD5.004.858CompliantMaturityMax Maturity CD2.000.000CompliantMaturityMax Maturity of Bankers Acceptances0.490.000I verify that this investment portfolio is in conformity with California laws and the City's Investment Policy. /S/ Dan MatusiewiczDan MatusiewiczFinance Director(1) The city's financial advisors have verified compliance based on the data available to them. That data may be for a month(s) prior to this treasury report.Short-Term & Targeted-Maturities Portfolios Compliance Statusfor the Month EndedJune 30, 2020 CITY OF Newport BeachBook Value15,968,269.91 9,306,811.45Accrued Balance54,182.92 40,995.97Book Value + Accrued16,022,452.83 9,347,807.41Net Unrealized Gain/Loss18,607.66 11,623.84Market Value + Accrued16,041,060.49 9,359,431.26Begin Date 06/01/2020End Date 06/30/2020Net Amortization/Accretion Income(984.06)Interest Income11,338.65Dividend Income0.00Foreign Tax Withheld Expense0.00Misc Income0.00Allowance Expense0.00Income Subtotal11,338.65Net Realized Gain/Loss0.00Net Holding Gain/Loss(6,983.82)Impairment Loss0.00Net Gain/Loss(6,983.82)Expense0.00Net Income3,370.77Transfers In/Out(6,685,000.00)Change in Unrealized Gain/Loss0.00Values are provided by Clearwater Analytics.Income StatementTargeted-Maturities Portfolio Financialsfor the Month EndedJune 30, 2020Balance Sheet05/31/2020 06/30/2020 CEReceivableSTSummary * Grouped by: General Ledger Grouping. * Groups Sorted by: General Ledger Grouping.General Ledger Grouping,AccountIdentifier,DescriptionOriginal Units,Factorized UnitsCurrency,Security TypeBS Class,Trade DateSettle Date,Amort TargetDateMaturity Date,Accrued InterestBook Value,Net Unrealized Gain/LossMarket ValueCECNB-Chandler Ultra Short-Term38141W315GOLDMAN:FS TRS O ADM91,143.0791,143.07USDMMFUNDCE------------0.0091,143.070.0091,143.07CECNB-Chandler Ultra Short-Term458140AQ3INTEL CORP415,000.00415,000.00USDCORPCE05/22/202005/27/202007/29/202007/29/20204,292.94415,638.1846.57415,684.75CECNB-Chandler Ultra Short-Term458140AQ3INTEL CORP315,000.00315,000.00USDCORPCE05/26/202005/28/202007/29/202007/29/20203,258.50315,489.3730.38315,519.75CECNB-Chandler Ultra Short-Term808513AD7CHARLES SCHWAB CORP265,000.00265,000.00USDCORPCE06/04/202006/08/202007/22/202007/22/20205,208.35265,617.21-34.21265,583.00CECNB-Chandler Ultra Short-Term------1,086,143.071,086,143.07USD---CE------------12,759.801,087,887.8242.751,087,930.57General Ledger Grouping,AccountIdentifier,DescriptionOriginal Units,Factorized UnitsCurrency,Security TypeBS Class,Trade DateSettle Date,Amort TargetDateMaturity Date,Accrued InterestBook Value,Net Unrealized Gain/LossMarket ValueReceivableCNB-Chandler Ultra Short-TermCCYUSDReceivable3.003.00USDCASHRCV------------0.003.000.003.00ReceivableCNB-Chandler Ultra Short-TermCCYUSDReceivable3.003.00USDCASHRCV------------0.003.000.003.00General Ledger Grouping,AccountIdentifier,DescriptionOriginal Units,Factorized UnitsCurrency,Security TypeBS Class,Trade DateSettle Date,Amort TargetDateMaturity Date,Accrued InterestBook Value,Net Unrealized Gain/LossMarket ValueSTCNB-Chandler Ultra Short-Term40428HPV8HSBC USA INC2,000,000.002,000,000.00USDCORPST01/27/202001/29/202008/07/202008/07/202022,000.002,001,916.712,563.292,004,480.00STCNB-Chandler Ultra Short-Term46625HNX4JPMORGAN CHASE & CO1,420,000.001,420,000.00USDCORPST01/13/202001/15/202009/29/202010/29/20206,236.171,422,319.744,922.261,427,242.00STCNB-Chandler Ultra Short-Term62479LHB4MUFG Bank Ltd. (New York Branch)1,800,000.001,800,000.00USDCPST02/03/202002/04/202008/11/202008/11/20200.001,796,617.503,042.301,799,659.80STCNB-Chandler Ultra Short-Term62479LHU2MUFG Bank Ltd. (New York Branch)3,000,000.003,000,000.00USDCPST04/29/202004/29/202008/28/202008/28/20200.002,998,066.671,053.252,999,119.92STCNB-Chandler Ultra Short-Term------8,220,000.008,220,000.00USD---ST------------28,236.178,218,920.6211,581.108,230,501.72General Ledger Grouping,AccountIdentifier,DescriptionOriginal Units,Factorized UnitsCurrency,Security TypeBS Class,Trade DateSettle Date,Amort TargetDateMaturity Date,Accrued InterestBook Value,Net Unrealized Gain/LossMarket Value---CNB-Chandler Ultra Short-Term------9,306,146.079,306,146.07USD------------------40,995.979,306,811.4511,623.849,318,435.29GAAP GL Balance Sheet by Lot (Targeted-Maturities Portfolio)As of 06/30/2020 * Does not Lock Down. * Weighted by: Absolute Value of Principal. * MMF transactions are collapsed. * The Transaction Detail/Trading Activity reports provide our most up-to-date transactional details. As such, these reports are subject to change even after the other reports on the website have been locked down. While these reports can be useful tools in understanding recent activity,due to their dynamic nature we do not recommend using them for booking journal entries or reconciliation.AccountIdentifier DescriptionCurrent Units Currency Transaction Type Trade Date Settle Date FinalMaturityPricePrincipal Accrued InterestAmountCNB-Chandler UltraShort-Term17275RAX0 CISCO SYSTEMS INC-440,000.00 USD Maturity06/15/2020 06/15/2020 06/15/2020 100.000-440,000.000.00440,000.00CNB-Chandler UltraShort-Term38141W315 GOLDMAN:FS TRS O ADM28,991.06 USD Buy------06/30/2020 1.00028,991.060.00-28,991.06CNB-Chandler UltraShort-Term38141W315 GOLDMAN:FS TRS O ADM-3,670,748.14 USD Sell------06/30/2020 1.000 -3,670,748.140.003,670,748.14CNB-Chandler UltraShort-Term437076BQ4 HOME DEPOT INC-1,500,000.00 USD Maturity06/05/2020 06/05/2020 06/05/2020 100.000 -1,500,000.000.001,500,000.00CNB-Chandler UltraShort-Term808513AD7 CHARLES SCHWAB CORP265,000.00 USD Buy06/04/2020 06/08/2020 07/22/2020 100.488266,293.204,454.94-270,748.14CNB-Chandler UltraShort-Term912828XU9 UNITED STATES TREASURY-1,345,000.00 USD Maturity06/15/2020 06/15/2020 06/15/2020 100.000 -1,345,000.000.001,345,000.00CNB-Chandler UltraShort-Term-------6,661,757.08 USD ---------06/22/2020--- -6,660,463.884,454.946,656,008.94GAAP Trading Activity (Targeted-Maturities Portfolio)06/01/2020 - 06/30/2020 CITY OF Newport BeachBook Value205,639,662.42 202,260,282.62Accrued Balance1,222,522.81 975,455.87Book Value + Accrued206,862,185.23 203,235,738.49Net Unrealized Gain/Loss7,059,950.76 6,967,766.22Market Value + Accrued213,922,135.99 210,203,504.71Begin Date 06/01/2020End Date 06/30/2020Net Amortization/Accretion Income1,382.13Interest Income372,171.16Dividend Income0.00Foreign Tax Withheld Expense0.00Misc Income0.00Allowance Expense0.00Income Subtotal372,171.16Net Realized Gain/Loss(0.03)Net Holding Gain/Loss(92,184.55)Impairment Loss0.00Net Gain/Loss(92,184.58)Expense0.00Net Income281,368.72Transfers In/Out(4,000,000.00)Change in Unrealized Gain/Loss0.00Values are provided by Clearwater Analytics.05/31/2020 06/30/2020Short-Term Portfolio Financialsfor the Month EndedJune 30, 2020Balance SheetIncome Statement CEMSGeneral Ledger Grouping,AccountIdentifier,DescriptionOriginal Units,Factorized UnitsCurrency,Security TypeBS Class,Trade DateSettle Date,Amort TargetDateMaturity Date,Accrued InterestBook Value,Net Unrealized Gain/LossMarket ValueCECNB-Chandler60934N104FEDERATED HRMS GV O INST214,469.04214,469.04USDMMFUNDCE------------165.32214,469.040.00214,469.04CECNB-PFM60934N104FEDERATED HRMS GV O INST134.69134.69USDMMFUNDCE------------0.00134.690.00134.69CECNB-PFMCCYUSDReceivable0.010.01USDCASHRCV------------0.000.010.000.01CE---------214,603.74214,603.74USD------------------165.32214,603.740.00214,603.74General Ledger Grouping,AccountIdentifier,DescriptionOriginal Units,Factorized UnitsCurrency,Security TypeBS Class,Trade DateSettle Date,Amort TargetDateMaturity Date,Accrued InterestBook Value,Net Unrealized Gain/LossMarket ValueMSCNB-Chandler02007HAC5ALLYA 2017-2 A3700,000.0010,468.50USDABSLT03/21/201703/29/201707/15/202008/16/20218.2810,468.405.3710,473.77MSCNB-Chandler02007YAC8ALLYA 2017-5 A3675,000.00180,369.87USDABSLT11/14/201711/22/201702/15/202103/15/2022159.53180,367.91641.70181,009.61MSCNB-Chandler02665WBF7AMERICAN HONDA FINANCE CORP2,000,000.002,000,000.00USDCORPLT06/28/201806/29/201807/12/202107/12/202115,491.671,969,966.4152,553.592,022,520.00MSCNB-Chandler02665WCP4AMERICAN HONDA FINANCE CORP500,000.00500,000.00USDCORPLT10/03/201810/10/201812/10/202112/10/2021984.38499,880.1819,274.82519,155.00MSCNB-Chandler02665WCT6AMERICAN HONDA FINANCE CORP500,000.00500,000.00USDCORPLT01/13/202001/15/202001/12/202401/12/20248,332.64525,238.4519,406.55544,645.00MSCNB-Chandler037833AK6APPLE INC1,000,000.001,000,000.00USDCORPLT04/11/201904/15/201905/03/202305/03/20233,866.67991,828.2465,241.761,057,070.00MSCNB-Chandler05531FAZ6TRUIST FINANCIAL CORP450,000.00450,000.00USDCORPST10/23/201710/26/201702/01/202102/01/20214,031.25449,960.963,855.04453,816.00MSCNB-Chandler06406FAA1BANK OF NEW YORK MELLON CORP1,500,000.001,500,000.00USDCORPST09/05/201709/07/201703/15/202104/15/20217,916.671,505,355.1617,519.841,522,875.00MSCNB-Chandler06406FAD5BANK OF NEW YORK MELLON CORP1,000,000.001,000,000.00USDCORPLT03/27/201903/29/201908/16/202308/16/20238,250.00982,750.5962,549.411,045,300.00MSCNB-Chandler084670BR8BERKSHIRE HATHAWAY INC1,000,000.001,000,000.00USDCORPLT12/20/201812/24/201803/15/202303/15/20238,097.22983,458.8875,581.121,059,040.00MSCNB-Chandler09247XAH4BLACKROCK INC1,000,000.001,000,000.00USDCORPST04/27/201804/30/201805/24/202105/24/20214,368.061,010,740.5222,709.481,033,450.00MSCNB-Chandler14913Q2A6CATERPILLAR FINANCIAL SERVICES CORP645,000.00645,000.00USDCORPST09/05/201709/07/201709/04/202009/04/20203,878.06644,967.701,760.90646,728.60MSCNB-Chandler24422ETF6JOHN DEERE CAPITAL CORP500,000.00500,000.00USDCORPST03/20/201803/22/201801/08/202101/08/20216,127.08499,027.966,582.04505,610.00MSCNB-Chandler24422EUA5JOHN DEERE CAPITAL CORP1,500,000.001,500,000.00USDCORPLT07/24/201807/26/201801/06/202301/06/202319,687.501,475,648.05105,651.951,581,300.00MSCNB-Chandler3130A0F70FEDERAL HOME LOAN BANKS4,000,000.004,000,000.00USDAGCY BONDLT12/21/201812/24/201812/08/202312/08/20238,625.004,069,914.30345,005.704,414,920.00MSCNB-Chandler3130A3KM5FEDERAL HOME LOAN BANKS1,750,000.001,750,000.00USDAGCY BONDLT08/27/201808/28/201812/09/202212/09/20222,673.611,737,748.53104,371.471,842,120.00MSCNB-Chandler3130A3KM5FEDERAL HOME LOAN BANKS1,255,000.001,255,000.00USDAGCY BONDLT10/17/201910/18/201912/09/202212/09/20221,917.361,281,207.6439,855.561,321,063.20MSCNB-Chandler3130A3UQ5FEDERAL HOME LOAN BANKS4,000,000.004,000,000.00USDAGCY BONDST01/17/201801/18/201812/11/202012/11/20204,166.673,994,300.1636,459.844,030,760.00MSCNB-Chandler3130A7PH2FEDERAL HOME LOAN BANKS4,000,000.004,000,000.00USDAGCY BONDLT03/03/202003/04/202003/08/202403/08/202423,541.674,148,572.7968,747.214,217,320.00MSCNB-Chandler3130AAB49FEDERAL HOME LOAN BANKS2,000,000.002,000,000.00USDAGCY BONDLT08/22/201908/23/201912/10/202112/10/20212,187.502,006,675.8040,084.202,046,760.00MSCNB-Chandler3130ADRG9FEDERAL HOME LOAN BANKS4,800,000.004,800,000.00USDAGCY BONDLT01/18/201901/22/201903/10/202303/10/202340,700.004,800,441.00299,799.005,100,240.00MSCNB-Chandler3130AEBM1FEDERAL HOME LOAN BANKS1,750,000.001,750,000.00USDAGCY BONDLT06/13/201806/15/201806/10/202206/10/20222,807.291,746,976.6986,813.311,833,790.00MSCNB-Chandler3130AEBM1FEDERAL HOME LOAN BANKS1,250,000.001,250,000.00USDAGCY BONDLT07/24/201807/25/201806/10/202206/10/20222,005.211,246,853.3662,996.641,309,850.00GAAP GL Balance Sheet by Lot (Short-Term Portfolio)As of 06/30/2020 General Ledger Grouping,AccountIdentifier,DescriptionOriginal Units,Factorized UnitsCurrency,Security TypeBS Class,Trade DateSettle Date,Amort TargetDateMaturity Date,Accrued InterestBook Value,Net Unrealized Gain/LossMarket ValueMSCNB-Chandler3130AF5B9FEDERAL HOME LOAN BANKS650,000.00650,000.00USDAGCY BONDLT10/22/201810/23/201810/12/202110/12/20214,279.17649,579.2823,820.72673,400.00MSCNB-Chandler3130AFE78FEDERAL HOME LOAN BANKS2,500,000.002,500,000.00USDAGCY BONDLT12/20/201812/21/201812/09/202212/09/20224,583.332,513,689.41151,160.592,664,850.00MSCNB-Chandler313376C94FEDERAL HOME LOAN BANKS5,000,000.005,000,000.00USDAGCY BONDLT01/30/202001/31/202012/10/202112/10/20217,656.255,085,126.2386,673.775,171,800.00MSCNB-Chandler313378CR0FEDERAL HOME LOAN BANKS1,300,000.001,300,000.00USDAGCY BONDLT09/15/201709/19/201703/11/202203/11/20228,937.501,309,420.7333,557.271,342,978.00MSCNB-Chandler313378JP7FEDERAL HOME LOAN BANKS4,000,000.004,000,000.00USDAGCY BONDLT08/29/201908/30/201909/10/202109/10/202129,291.674,037,769.7461,430.264,099,200.00MSCNB-Chandler3133834G3FEDERAL HOME LOAN BANKS1,900,000.001,900,000.00USDAGCY BONDLT05/20/201905/21/201906/09/202306/09/20232,467.361,892,230.57109,932.432,002,163.00MSCNB-Chandler3133834G3FEDERAL HOME LOAN BANKS2,000,000.002,000,000.00USDAGCY BONDLT06/10/201906/11/201906/09/202306/09/20232,597.222,007,243.47100,296.532,107,540.00MSCNB-Chandler313383WD9FEDERAL HOME LOAN BANKS3,750,000.003,750,000.00USDAGCY BONDLT09/25/201809/26/201809/09/202209/09/202236,458.333,758,974.08226,375.923,985,350.00MSCNB-Chandler313383YJ4FEDERAL HOME LOAN BANKS1,600,000.001,600,000.00USDAGCY BONDLT04/05/201904/08/201909/08/202309/08/202316,950.001,648,978.81107,325.191,756,304.00MSCNB-Chandler313383ZU8FEDERAL HOME LOAN BANKS2,400,000.002,400,000.00USDAGCY BONDLT11/28/201811/29/201809/10/202109/10/202122,200.002,401,344.6276,847.382,478,192.00MSCNB-Chandler3133EJ3B3FEDERAL FARM CREDIT BANKS FUNDING CORP4,000,000.004,000,000.00USDAGCY BONDLT12/26/201812/27/201812/17/202112/17/20214,355.564,005,588.69145,891.314,151,480.00MSCNB-Chandler3133EJT74FEDERAL FARM CREDIT BANKS FUNDING CORP4,000,000.004,000,000.00USDAGCY BONDLT12/11/201812/12/201811/15/202111/15/202115,588.894,009,593.58146,766.424,156,360.00MSCNB-Chandler3133EKHN9FEDERAL FARM CREDIT BANKS FUNDING CORP2,500,000.002,500,000.00USDAGCY BONDLT05/02/201905/03/201910/18/202210/18/202211,811.812,497,585.01120,114.992,617,700.00MSCNB-Chandler3133EKMX1FEDERAL FARM CREDIT BANKS FUNDING CORP2,000,000.002,000,000.00USDAGCY BONDLT07/30/201907/31/201902/23/202402/23/202415,857.782,022,407.51114,432.492,136,840.00MSCNB-Chandler3133EKSN7FEDERAL FARM CREDIT BANKS FUNDING CORP4,000,000.004,000,000.00USDAGCY BONDLT06/21/201906/26/201906/26/202306/26/2023983.333,985,982.16190,297.844,176,280.00MSCNB-Chandler3133EKUA2FEDERAL FARM CREDIT BANKS FUNDING CORP4,000,000.004,000,000.00USDAGCY BONDLT07/23/201907/24/201902/01/202302/01/202330,833.333,997,892.63162,427.374,160,320.00MSCNB-Chandler3133EKZK5FEDERAL FARM CREDIT BANKS FUNDING CORP2,000,000.002,000,000.00USDAGCY BONDLT08/09/201908/14/201908/14/202308/14/202312,177.781,997,972.9681,487.042,079,460.00MSCNB-Chandler3133ELNW0FEDERAL FARM CREDIT BANKS FUNDING CORP2,290,000.002,290,000.00USDAGCY BONDLT02/19/202002/21/202002/21/202302/21/202311,990.692,290,242.4269,281.982,359,524.40MSCNB-Chandler3135G0S38FEDERAL NATIONAL MORTGAGE ASSOCIATION1,600,000.001,600,000.00USDAGCY BONDLT09/27/201709/28/201701/05/202201/05/202215,644.441,602,296.3041,543.701,643,840.00MSCNB-Chandler3135G0T60FEDERAL NATIONAL MORTGAGE ASSOCIATION700,000.00700,000.00USDAGCY BONDST08/02/201708/03/201707/30/202007/30/20204,404.17699,959.09817.91700,777.00MSCNB-Chandler3135G0T60FEDERAL NATIONAL MORTGAGE ASSOCIATION2,095,000.002,095,000.00USDAGCY BONDST08/30/201708/31/201707/30/202007/30/202013,181.042,094,992.572,332.882,097,325.45MSCNB-Chandler3135G0T94FEDERAL NATIONAL MORTGAGE ASSOCIATION1,600,000.001,600,000.00USDAGCY BONDLT10/04/201810/05/201801/19/202301/19/202317,100.001,571,954.25118,333.751,690,288.00MSCNB-Chandler3135G0W33FEDERAL NATIONAL MORTGAGE ASSOCIATION4,390,000.004,390,000.00USDAGCY BONDLT09/05/201909/06/201909/06/202209/06/202219,282.474,378,822.81120,224.794,499,047.60MSCNB-Chandler369550BE7GENERAL DYNAMICS CORP2,000,000.002,000,000.00USDCORPST06/07/201806/11/201805/11/202105/11/20218,333.331,997,725.6048,454.402,046,180.00MSCNB-Chandler40428HPV8HSBC USA INC1,460,000.001,460,000.00USDCORPST12/13/201912/17/201908/07/202008/07/202016,060.001,461,115.052,155.351,463,270.40MSCNB-Chandler43811BAC8HAROT 2017-2 A3875,000.00147,952.65USDABSLT06/20/201706/27/201712/15/202008/16/2021110.47147,951.31406.00148,357.32MSCNB-Chandler43813FAC7HAROT 2017-4 A3485,000.00133,053.01USDABSLT11/22/201711/29/201703/21/202111/22/202175.77133,049.97614.14133,664.11MSCNB-Chandler43813RAC1HAROT 2020-1 A31,770,000.001,770,000.00USDABSLT02/19/202002/26/202008/21/202304/22/2024791.581,769,698.8443,198.351,812,897.19MSCNB-Chandler43814TAC6HAROT 2017-1 A3400,000.0030,653.15USDABSLT03/21/201703/28/201709/21/202007/21/202114.6530,653.0446.8330,699.88MSCNB-Chandler43814UAG4HAROT 2018-2 A3750,000.00562,057.60USDABSLT05/22/201805/30/201809/15/202105/18/2022610.93562,110.397,765.88569,876.28MSCNB-Chandler43814WAB1HAROT 2019-1 A21,870,000.00741,889.44USDABSLT02/19/201902/27/201912/18/202009/20/2021736.74741,879.513,857.89745,737.40GAAP GL Balance Sheet by Lot (Short-Term Portfolio)As of 06/30/2020 General Ledger Grouping,AccountIdentifier,DescriptionOriginal Units,Factorized UnitsCurrency,Security TypeBS Class,Trade DateSettle Date,Amort TargetDateMaturity Date,Accrued InterestBook Value,Net Unrealized Gain/LossMarket ValueMSCNB-Chandler43815HAC1HAROT 2018-3 A3670,000.00537,438.41USDABSLT08/21/201808/28/201801/21/202208/22/2022440.40537,415.559,447.38546,862.93MSCNB-Chandler43815NAC8HAROT 2019-3 A31,570,000.001,570,000.00USDABSLT08/20/201908/27/201901/15/202308/15/20231,242.041,569,990.9532,281.811,602,272.76MSCNB-Chandler44931PAD8HART 2017-A A3380,000.0021,919.31USDABSLT03/22/201703/29/201708/15/202008/16/202117.1521,919.2417.2821,936.52MSCNB-Chandler44932GAD7HART 2017-B A3735,000.00194,523.25USDABSLT08/09/201708/16/201701/15/202101/18/2022153.03194,519.66573.54195,093.20MSCNB-Chandler44932HAG8IBM CREDIT LLC700,000.00700,000.00USDCORPST02/22/201802/26/201802/05/202102/05/20217,523.06699,335.0910,891.91710,227.00MSCNB-Chandler4581X0CD8INTER-AMERICAN DEVELOPMENT BANK1,700,000.001,700,000.00USDSUPRANATIONALST10/02/201710/10/201711/09/202011/09/20205,218.061,701,866.018,860.991,710,727.00MSCNB-Chandler45905UP32INTERNATIONAL BANK FOR RECONSTRUCTIONAND DEVELOPM1,730,000.001,730,000.00USDSUPRANATIONALST09/12/201709/19/201709/12/202009/12/20208,176.601,729,718.996,906.911,736,625.90MSCNB-Chandler45950KCM0INTERNATIONAL FINANCE CORP1,250,000.001,250,000.00USDSUPRANATIONALST01/18/201801/25/201801/25/202101/25/202112,187.501,249,287.2814,275.221,263,562.50MSCNB-Chandler45950KCM0INTERNATIONAL FINANCE CORP1,000,000.001,000,000.00USDSUPRANATIONALST01/24/201801/26/201801/25/202101/25/20219,750.00999,458.5311,391.471,010,850.00MSCNB-Chandler46625HRT9JPMORGAN CHASE & CO1,500,000.001,500,000.00USDCORPST09/07/201809/11/201806/07/202106/07/20212,400.001,488,542.5737,032.431,525,575.00MSCNB-Chandler477870AC3JDOT 2019-B A3810,000.00810,000.00USDABSLT07/16/201907/24/201902/15/202312/15/2023795.60809,892.8314,801.63824,694.45MSCNB-Chandler47788BAD6JDOT 2017-B A3250,000.0030,193.61USDABSLT07/11/201707/18/201711/15/202010/15/202124.4230,193.4257.4930,250.91MSCNB-Chandler47789JAB2JDOT 2019 A21,380,000.00475,823.30USDABSLT03/05/201903/13/201912/15/202012/15/2021602.71475,818.292,170.58477,988.86MSCNB-Chandler47789KAC7JDOT 2020 A31,285,000.001,285,000.00USDABSLT03/04/202003/11/202009/15/202308/15/2024628.221,284,930.8910,946.771,295,877.65MSCNB-Chandler649791PP9NEW YORK ST2,000,000.002,000,000.00USDMUNILT10/29/201910/30/201902/15/202402/15/202415,186.672,000,000.0070,640.002,070,640.00MSCNB-Chandler65479JAD5NAROT 2019-C A31,675,000.001,675,000.00USDABSLT10/16/201910/23/201908/15/202307/15/20241,436.781,674,932.9646,662.021,721,594.98MSCNB-Chandler68389XBB0ORACLE CORP2,000,000.002,000,000.00USDCORPLT06/07/201806/11/201805/15/202205/15/20226,388.891,975,800.1792,159.832,067,960.00MSCNB-Chandler69353REY0PNC BANK NA1,000,000.001,000,000.00USDCORPLT11/17/201711/21/201711/09/202112/09/20211,558.331,001,959.2726,850.731,028,810.00MSCNB-Chandler69353RFB9PNC BANK NA750,000.00750,000.00USDCORPLT12/27/201712/29/201701/17/202202/17/20227,328.13750,698.1926,279.31776,977.50MSCNB-Chandler69353RFB9PNC BANK NA485,000.00485,000.00USDCORPLT07/19/201807/23/201802/17/202202/17/20224,738.85479,577.5022,867.95502,445.45MSCNB-Chandler69353RFB9PNC BANK NA500,000.00500,000.00USDCORPLT07/19/201807/23/201802/17/202202/17/20224,885.42494,580.4923,404.51517,985.00MSCNB-Chandler69371RN93PACCAR FINANCIAL CORP1,000,000.001,000,000.00USDCORPST02/26/201802/28/201803/01/202103/01/20219,333.331,000,472.4515,557.551,016,030.00MSCNB-Chandler69371RP42PACCAR FINANCIAL CORP2,105,000.002,105,000.00USDCORPLT08/06/201808/09/201808/09/202108/09/202126,154.632,104,752.1561,524.402,166,276.55MSCNB-Chandler69371RQ41PACCAR FINANCIAL CORP1,000,000.001,000,000.00USDCORPLT10/31/201911/07/201902/07/202302/07/20237,600.00999,950.7334,999.271,034,950.00MSCNB-Chandler74005PBA1PRAXAIR INC2,000,000.002,000,000.00USDCORPLT05/15/201805/17/201802/15/202202/15/202218,511.111,974,503.5775,536.432,050,040.00MSCNB-Chandler808513AW5CHARLES SCHWAB CORP885,000.00885,000.00USDCORPST05/17/201805/22/201805/21/202105/21/20213,195.83884,991.6720,442.98905,434.65MSCNB-Chandler808513AW5CHARLES SCHWAB CORP1,500,000.001,500,000.00USDCORPST05/29/201805/31/201804/21/202105/21/20215,416.671,503,047.8431,587.161,534,635.00MSCNB-Chandler857477AS2STATE STREET CORP600,000.00600,000.00USDCORPST10/04/201610/07/201608/18/202008/18/20205,652.50600,726.05977.95601,704.00MSCNB-Chandler857477AS2STATE STREET CORP400,000.00400,000.00USDCORPST05/22/201705/25/201708/18/202008/18/20203,768.33400,340.15795.85401,136.00MSCNB-Chandler857477AS2STATE STREET CORP1,000,000.001,000,000.00USDCORPST02/12/201802/14/201808/18/202008/18/20209,420.83999,993.632,846.371,002,840.00MSCNB-Chandler89231PAD0TAOT 2018-D A31,315,000.001,315,000.00USDABSLT08/29/201908/30/201906/15/202203/15/20231,858.531,330,301.9218,625.601,348,927.53GAAP GL Balance Sheet by Lot (Short-Term Portfolio)As of 06/30/2020 General Ledger Grouping,AccountIdentifier,DescriptionOriginal Units,Factorized UnitsCurrency,Security TypeBS Class,Trade DateSettle Date,Amort TargetDateMaturity Date,Accrued InterestBook Value,Net Unrealized Gain/LossMarket ValueMSCNB-Chandler89236TEL5TOYOTA MOTOR CREDIT CORP1,000,000.001,000,000.00USDCORPLT09/07/201809/11/201801/11/202301/11/202312,750.00984,827.3165,672.691,050,500.00MSCNB-Chandler89236TFS9TOYOTA MOTOR CREDIT CORP1,000,000.001,000,000.00USDCORPLT06/14/201906/18/201901/08/202401/08/202416,098.611,031,669.6251,940.381,083,610.00MSCNB-Chandler89238KAD4TAOT 2017-D A3540,000.00232,862.52USDABSLT11/07/201711/15/201704/15/202101/18/2022199.74232,859.211,382.18234,241.39MSCNB-Chandler89239AAB9TAOT 2019-A A2A1,150,000.00380,238.82USDABSLT02/05/201902/13/201911/15/202010/15/2021478.26380,233.371,819.04382,052.41MSCNB-Chandler91159HHP8U.S. BANCORP1,000,000.001,000,000.00USDCORPLT01/24/201801/26/201801/24/202201/24/202211,447.92998,496.9034,423.101,032,920.00MSCNB-Chandler91159HHV5U.S. BANCORP1,000,000.001,000,000.00USDCORPLT03/28/201903/29/201901/05/202402/05/202413,687.501,019,069.5973,930.411,093,000.00MSCNB-Chandler91159HHV5U.S. BANCORP1,000,000.001,000,000.00USDCORPLT06/14/201906/18/201901/05/202402/05/202413,687.501,030,754.3762,245.631,093,000.00MSCNB-Chandler9128282P4UNITED STATES TREASURY5,000,000.005,000,000.00USDUS GOVLT12/23/201912/24/201907/31/202207/31/202239,148.355,019,794.28157,555.725,177,350.00MSCNB-Chandler912828F96UNITED STATES TREASURY2,000,000.002,000,000.00USDUS GOVLT02/02/201802/05/201810/31/202110/31/20216,739.131,987,993.9060,766.102,048,760.00MSCNB-Chandler912828H86UNITED STATES TREASURY1,800,000.001,800,000.00USDUS GOVLT08/15/201708/16/201701/31/202201/31/202211,274.731,792,555.7944,920.211,837,476.00MSCNB-Chandler912828L24UNITED STATES TREASURY2,800,000.002,800,000.00USDUS GOVLT09/18/201809/20/201808/31/202208/31/202217,547.552,739,116.00164,036.002,903,152.00MSCNB-Chandler912828L65UNITED STATES TREASURY2,250,000.002,250,000.00USDUS GOVST12/28/201612/29/201609/30/202009/30/20207,776.642,247,826.938,855.572,256,682.50MSCNB-Chandler912828L65UNITED STATES TREASURY275,000.00275,000.00USDUS GOVST03/15/201703/17/201709/30/202009/30/2020950.48274,668.821,147.93275,816.75MSCNB-Chandler912828L99UNITED STATES TREASURY3,000,000.003,000,000.00USDUS GOVST11/01/201711/03/201710/31/202010/31/20206,949.732,996,206.3515,583.653,011,790.00MSCNB-Chandler912828M80UNITED STATES TREASURY2,000,000.002,000,000.00USDUS GOVLT11/05/201911/06/201911/30/202211/30/20223,387.982,016,589.2971,450.712,088,040.00MSCNB-Chandler912828M80UNITED STATES TREASURY2,000,000.002,000,000.00USDUS GOVLT12/11/201912/12/201911/30/202211/30/20223,387.982,015,909.0172,130.992,088,040.00MSCNB-Chandler912828R28UNITED STATES TREASURY4,000,000.004,000,000.00USDUS GOVLT12/04/201912/05/201904/30/202304/30/202310,951.094,003,019.33160,100.674,163,120.00MSCNB-Chandler912828R69UNITED STATES TREASURY2,400,000.002,400,000.00USDUS GOVLT04/11/201904/15/201905/31/202305/31/20233,303.282,354,361.16146,702.842,501,064.00MSCNB-Chandler912828S27UNITED STATES TREASURY600,000.00600,000.00USDUS GOVST06/28/201706/29/201706/30/202106/30/202118.34596,695.528,950.48605,646.00MSCNB-Chandler912828S27UNITED STATES TREASURY3,400,000.003,400,000.00USDUS GOVST01/17/201801/18/201806/30/202106/30/2021103.943,363,368.0168,625.993,431,994.00MSCNB-Chandler912828T34UNITED STATES TREASURY1,000,000.001,000,000.00USDUS GOVLT07/25/201707/26/201709/30/202109/30/20212,827.87992,009.3719,870.631,011,880.00MSCNB-Chandler912828U65UNITED STATES TREASURY1,750,000.001,750,000.00USDUS GOVLT10/19/201710/20/201711/30/202111/30/20212,593.921,746,748.2242,294.281,789,042.50MSCNB-Chandler912828V72UNITED STATES TREASURY1,800,000.001,800,000.00USDUS GOVLT12/15/201712/18/201701/31/202201/31/202214,093.411,793,352.3554,815.651,848,168.00MSCNB-Chandler912828W55UNITED STATES TREASURY1,000,000.001,000,000.00USDUS GOVLT10/20/201710/23/201702/28/202202/28/20226,266.98998,685.0529,514.951,028,200.00MSCNB-Chandler912828W55UNITED STATES TREASURY2,000,000.002,000,000.00USDUS GOVLT12/11/201712/12/201702/28/202202/28/202212,533.971,993,039.9063,360.102,056,400.00MSCNB-Chandler912828W89UNITED STATES TREASURY3,000,000.003,000,000.00USDUS GOVLT12/26/201712/28/201703/31/202203/31/202214,139.342,983,199.58105,750.423,088,950.00MSCNB-Chandler912828XW5UNITED STATES TREASURY1,500,000.001,500,000.00USDUS GOVLT04/24/201804/25/201806/30/202206/30/202271.331,470,379.4076,840.601,547,220.00MSCNB-Chandler912828XW5UNITED STATES TREASURY2,000,000.002,000,000.00USDUS GOVLT09/07/201809/10/201806/30/202206/30/202295.111,959,314.93103,645.072,062,960.00MSCNB-Chandler912828YA2UNITED STATES TREASURY5,000,000.005,000,000.00USDUS GOVLT12/24/201912/26/201908/15/202208/15/202228,228.024,980,610.88160,789.125,141,400.00MSCNB-Chandler912828YK0UNITED STATES TREASURY5,000,000.005,000,000.00USDUS GOVLT01/16/202001/17/202010/15/202210/15/202214,463.804,977,620.02159,479.985,137,100.00MSCNB-Chandler92826CAB8VISA INC1,000,000.001,000,000.00USDCORPST12/28/201601/03/201712/14/202012/14/20201,038.89999,771.476,818.531,006,590.00GAAP GL Balance Sheet by Lot (Short-Term Portfolio)As of 06/30/2020 Summary * Grouped by: General Ledger Grouping. * Groups Sorted by: General Ledger Grouping.General Ledger Grouping,AccountIdentifier,DescriptionOriginal Units,Factorized UnitsCurrency,Security TypeBS Class,Trade DateSettle Date,Amort TargetDateMaturity Date,Accrued InterestBook Value,Net Unrealized Gain/LossMarket ValueMSCNB-Chandler92826CAC6VISA INC1,000,000.001,000,000.00USDCORPLT12/20/201812/24/201812/14/202212/14/20221,322.22988,772.1267,317.881,056,090.00MSCNB-Chandler931142EK5WALMART INC2,000,000.002,000,000.00USDCORPLT04/29/201904/30/201905/26/202306/26/2023944.442,040,462.46138,277.542,178,740.00MSCNB-Chandler------209,100,000.00201,919,443.45USD------------------975,290.55202,045,678.886,967,766.22209,013,445.10General Ledger Grouping,AccountIdentifier,DescriptionOriginal Units,Factorized UnitsCurrency,Security TypeBS Class,Trade DateSettle Date,Amort TargetDateMaturity Date,Accrued InterestBook Value,Net Unrealized Gain/LossMarket Value------------209,314,603.74202,134,047.19USD------------------975,455.87202,260,282.626,967,766.22209,228,048.84GAAP GL Balance Sheet by Lot (Short-Term Portfolio)As of 06/30/2020 * Does not Lock Down. * Weighted by: Absolute Value of Principal. * MMF transactions are collapsed. * The Transaction Detail/Trading Activity reports provide our most up-to-date transactional details. As such, these reports are subject to change even after the other reports on the website have been locked down. While these reports can be useful tools in understanding recent activity,due to their dynamic nature we do not recommend using them for booking journal entries or reconciliation.AccountIdentifier DescriptionCurrent Units Currency Transaction Type Trade Date Settle Date FinalMaturityPricePrincipal Accrued InterestAmountCNB-Chandler02007HAC5 ALLYA 2017-2 A3-21,343.15 USD Principal Paydown 06/15/2020 06/15/2020 08/16/2021----21,343.150.0021,343.15CNB-Chandler02007YAC8 ALLYA 2017-5 A3-27,640.35 USD Principal Paydown 06/15/2020 06/15/2020 03/15/2022----27,640.350.0027,640.35CNB-Chandler313383HU8 FEDERAL HOME LOAN BANKS-750,000.00 USD Maturity06/12/2020 06/12/2020 06/12/2020 100.000-750,000.000.00750,000.00CNB-Chandler43811BAC8 HAROT 2017-2 A3-31,881.33 USD Principal Paydown 06/15/2020 06/15/2020 08/16/2021----31,881.330.0031,881.33CNB-Chandler43813FAC7 HAROT 2017-4 A3-20,801.53 USD Principal Paydown 06/21/2020 06/21/2020 11/22/2021----20,801.530.0020,801.53CNB-Chandler43814TAC6 HAROT 2017-1 A3-11,560.80 USD Principal Paydown 06/21/2020 06/21/2020 07/21/2021----11,560.800.0011,560.80CNB-Chandler43814UAG4 HAROT 2018-2 A3-49,464.50 USD Principal Paydown 06/18/2020 06/18/2020 05/18/2022----49,464.500.0049,464.50CNB-Chandler43814WAB1 HAROT 2019-1 A2-141,137.67 USD Principal Paydown 06/18/2020 06/18/2020 09/20/2021----141,137.670.00141,137.67CNB-Chandler43815HAC1 HAROT 2018-3 A3-41,108.23 USD Principal Paydown 06/21/2020 06/21/2020 08/22/2022----41,108.230.0041,108.23CNB-Chandler44931PAD8 HART 2017-A A3-16,741.33 USD Principal Paydown 06/15/2020 06/15/2020 08/16/2021----16,741.330.0016,741.33CNB-Chandler44932GAD7 HART 2017-B A3-37,848.95 USD Principal Paydown 06/15/2020 06/15/2020 01/18/2022----37,848.950.0037,848.95CNB-Chandler47788BAD6 JDOT 2017-B A3-8,131.98 USD Principal Paydown 06/15/2020 06/15/2020 10/15/2021----8,131.980.008,131.98CNB-Chandler47789JAB2 JDOT 2019 A2-83,326.78 USD Principal Paydown 06/15/2020 06/15/2020 10/15/2021----83,326.780.0083,326.78CNB-Chandler60934N104 FEDERATED HRMS GV O INST2,040,263.09 USD Buy------06/30/2020 1.0002,040,263.090.00 -2,040,263.09CNB-Chandler60934N104 FEDERATED HRMS GV O INST-4,000,000.00 USD Sell06/25/2020 06/25/2020 06/30/2020 1.000 -4,000,000.000.004,000,000.00CNB-Chandler89238KAD4 TAOT 2017-D A3-29,225.31 USD Principal Paydown 06/15/2020 06/15/2020 01/18/2022----29,225.310.0029,225.31CNB-Chandler89239AAB9 TAOT 2019-A A2A-76,000.59 USD Principal Paydown 06/15/2020 06/15/2020 10/15/2021----76,000.580.0076,000.58CNB-Chandler-------3,305,949.43 USD ---------08/09/2020--- -3,305,949.400.003,305,949.40GAAP Trading Activity (Short-Term Portfolio)06/01/2020 - 06/30/2020 CITY OF Newport Beach GLOSSARY OF TERMS  Accrued Interest ‐ The interest that has accumulated on a bond since the last interest payment up to, but not including, the settlement date. Accrued interest occurs as a result of the difference in timing of cash flows and the measurement of these cash flows.  Amortized Cost ‐ The amount at which an investment is acquired, adjusted for accretion, amortization, and collection of cash.  Book Yield ‐The measure of a bond’s recurring realized investment income that combines both the bond’s coupon return plus it amortization.  Average Credit Rating ‐ The average credit worthiness of a portfolio, weighted in proportion to the dollar amount that is invested in the portfolio.  Convexity ‐ The relationship between bond prices and bond yields that demonstrates how the duration of a bond changes as the interest rate changes.  Credit Rating ‐ An assessment of the credit worthiness of an entity with respect to a particular financial obligation. The credit rating is inversely related to the possibility of debt default.  Duration ‐ A measure of the exposure to interest rate risk and sensitivity to price fluctuation of fixed‐income investments. Duration is expressed as a number of years.  Income Return ‐ The percentage of the total return generated by the income from interest or dividends.  Original Cost ‐ The original cost of an asset takes into consideration all of the costs that can be attributed to its purchase and to putting the asset to use.  Par Value ‐ The face value of a bond. Par value is important for a bond or fixed‐income instrument because it determines its maturity value as well as the dollar value of coupon payments.  Price Return ‐ The percentage of the total return generated by capital appreciation due to changes in the market price of an asset.  Short‐Term Portfolio ‐ The city’s investment portfolio whose securities’ average maturity is between 1 and 5 years.  Targeted‐Maturities Portfolio ‐ The city’s investment portfolio whose securities’ average maturity is between 0 and 3 years.  Total Return ‐ The actual rate of return of an investment over a given evaluation period. Total return is the combination of income and price return.  Unrealized Gains/(Loss) ‐ A profitable/(losing) position that has yet to be cashed in. The actual gain/(loss) is not realized until the position is closed. A position with an unrealized gain may eventually turn into a position with an unrealized loss, as the market fluctuates and vice versa.  Weighted Average Life (WAL) ‐ The average number of years for which each dollar of unpaid principal on an investment remains outstanding, weighted by the size of each principal payout.  Yield ‐ The income return on an investment. This refers to the interest or dividends received from a security and is expressed as a percentage based on the investment's cost and its current market value.  Yield to Maturity at Cost (YTM @ Cost) ‐ The internal rate of return of a security given the amortized price as of the report date and future expected cash flows.  Yield to Maturity at Market (YTM @ Market) ‐ The internal rate of return of a security given the market price as of the report date and future expected cash flows.  Years to Effective Maturity – The average time it takes for securities in a portfolio to mature, taking into account the possibility that any of the bonds might be called back to the issuer.  Years to Final Maturity ‐ The average time it takes for securities in a portfolio to mature, weighted in proportion to the dollar amount that is invested in the portfolio. Weighted average maturity measures the sensitivity of fixed‐income portfolios to interest rate changes. 1 CITY OF NEWPORT BEACH FINANCE COMMITTEE STAFF REPORT Agenda Item No. 5B September 24, 2020 TO: HONORABLE CHAIRMAN AND MEMBERS OF THE COMMITTEE FROM: Finance Department Dan Matusiewicz, Finance Director 949-644-3123 or danm@newportbeachca.gov SUBJECT: ANNUAL INVESTMENT POLICY REVIEW AND UPDATE DISCUSSION: In furtherance of Section K-2 of Council Policy F-1, Statement of Investment Policy (the Policy), the Finance Department has completed an annual review of the Policy to ensure its consistency with the overall objectives of preservation of principal, liquidity and return, and its relevance to current law and financial and economic trends. The investment of City funds is governed by California Code (Sections 53600-53610) that prescribe the investment vehicles in which local agencies are permitted to invest available funds. Staff, working with the City’s investment advisor, Chandler Asset Management (Chandler), has completed a comprehensive review of the Policy including compliance with relevant sections of the Government Code, as well as, incorporating best investment practices. Staff is proposing no modifications to the Policy at this time as recommended by Chandler Asset Management and supported by the City’s Finance Director/Treasurer. RECOMMENDATION: Receive and file. Prepared by: Submitted by: /s/Steve Montano /s/Dan Matusiewicz Steve Montano Dan Matusiewicz Deputy Finance Director Finance Director Annual Investment Policy Review and Update September 24, 2020 Page 2 of 2 Attachment: A. Council Policy F-1, Statement of Investment Policy ATTACHMENT A COUNCIL POLICY F-1, STATEMENT OF INVESTMENT POLICY STATEMENT OF INVESTMENT POLICY PT TRPC)cF- F-1 The City Council has adopted this Investment Policy (the Policy) in order to establish the scope of the investment policy, investment objectives, standards of care, authorized investments, investment parameters, reporting, investment policy compliance and adoption, and the safekeeping and custody of assets. This Policy is organized in the following sections: A. Scope of Investment Policy 1. Pooling of Funds 2. Funds Included in the Policy 3. Funds Excluded from the Policy B. Investment Objectives 1. Safety 2. Liquidity 3. Yield C. Standards of Care 1. Prudence 2. Ethics and Conflicts of Interest 3. Delegation of Authority 4. Internal Controls D. Banking Services E. Broker/ Dealers F. Safekeeping and Custody of Assets G. Authorized Investments 1. Investments Specifically Permitted 2. Investments Specifically Not Permitted 3. Exceptions to Prohibited and Restricted Investments H. Investment Parameters 1. Diversification 2. Maximum Maturities 3. Credit Quality 4. Competitive Transactions I. Portfolio Performance J. Reporting K. Investment Policy Compliance and Adoption 1. Compliance 2. Adoption 1 F-1 A. SCOPE OF INVESTMENT POLICY 1. Pooling of Funds All cash shall be pooled for investment purposes. The investment income derived from the pooled investment shall be allocated to the contributing funds, net of all banking and investing expenses, based upon the proportion of the respective average balances relative to the total pooled balance. Investment income shall be distributed to the individual funds not less than annually. 2. Funds Included in the Policy The provisions of this Policy shall apply to all financial assets of the City as accounted for in the City's Comprehensive Annual Financial Report, including; a) General Fund b) Special Revenue Funds c) Capital Project Funds d) Enterprise Funds e) Internal Service Funds 0 Trust and Agency Funds g) Permanent Endowment Funds h) Any new fund created unless specifically exempted If the City invests funds on behalf of another agency and, if that agency does not have its own investment policy, this Policy shall govern the agency's investments. 3. Funds Excluded from this Policy Bond Proceeds - Investment of bond proceeds will be made in accordance with applicable bond indentures. B. INVESTMENT OBJECTIVES The City's funds shall be invested in accordance with all applicable City policies and codes, State statutes, and Federal regulations, and in a manner designed to accomplish the following objectives, which are listed in priority order: 1. Safety Preservation of principal is the foremost objective of the investment program. Investments of the City shall be undertaken in a manner that seeks to ensure the preservation of capital in the overall portfolio. The objective shall be to mitigate credit risk and interest rate risk. To attain this objective, the City shall diversify its investments by investing funds among 2 F-1 several financial institutions and a variety of securities offering independent returns. a) Credit Risk The City shall minimize credit risk, the risk of loss due to the failure of the security issuer or backer, by: Limiting investments in securities that have higher credit risks, pre -qualifying the financial institutions, broker/dealers, intermediaries, and advisors with which the City will do business Diversifying the investment portfolio so as to minimize the impact any one industry/ investment class can have on the portfolio b) Interest Rate Risk To minimize the negative impact of material changes in the market value of securities in the portfolio, the City shall: Structure the investment portfolio so that securities mature concurrent with cash needs to meet anticipated demands, thereby avoiding the need to sell securities on the open market prior to maturity Invest in securities of varying maturities 2. Liquidity The City's investment portfolio shall remain sufficiently liquid to enable the City to meet all operating requirements which might be reasonably anticipated without requiring a sale of securities. Since all possible cash demands cannot be anticipated, the portfolio should consist largely of securities with active secondary or resale markets. A portion of the portfolio also may be placed in money market mutual funds or LAIF which offer same-day liquidity for short-term funds. 3. Yield The City's investment portfolio shall be designed with the objective of attaining a benchmark rate of return throughout budgetary and economic cycles, commensurate with the City's investment risk constraints and the liquidity characteristics of the portfolio. Return on investment is of secondary importance compared to the safety and liquidity objectives described above. The core of investments is limited to relatively low risk securities in anticipation of earning a fair return relative to the risk being assumed. 3 F-1 C. STANDARDS OF CARE 1. Prudence The standard of prudence to be used for managing the City's investment program is California Government Code Section 53600.3, the prudent investor standard, which states that "when investing, reinvesting, purchasing, acquiring, exchanging, selling, or managing public funds, a trustee shall act with care, skill, prudence, and diligence under the circumstances then prevailing, including, but not limited to, the general economic conditions and the anticipated needs of the agency, that a prudent person acting in a like capacity and familiarity with those matters would use in the conduct of funds of a like character and with like aims, to safeguard the principal and maintain the liquidity needs of the agency." The City's overall investment program shall be designed and managed with a degree of professionalism that is worthy of the public trust. The City recognizes that no investment is totally without risk and that the investment activities of the City are a matter of public record. Accordingly, the City recognizes that occasional measured losses may occur in a diversified portfolio and shall be considered within the context of the overall portfolio's return, provided that adequate diversification has been implemented and that the sale of a security is in the best long-term interest of the City. The Finance Director and authorized investment personnel acting in accordance with established procedures and exercising due diligence shall be relieved of personal responsibility for an individual security's credit risk or market price changes, provided that deviations from expectations are reported in a timely fashion to the City Council and appropriate action is taken to control adverse developments. 2. Ethics and Conflicts of Interest Elected officials and employees involved in the investment process shall refrain from personal business activity that could conflict with proper execution of the City's investment program or could impair or create the appearance of an impairment of their ability to make impartial investment decisions. Employees and investment officials shall subordinate their personal investment transactions to those of the City. In addition, City Council members, the City Manager, and the Finance Director shall file a Statement of Economic Interests each year as required by California Government Code Section 87203 and regulations of the Fair Political Practices Commission. 4 F-1 3. Delegation of Authority Authority to manage the City's investment program is derived from the Charter of the City of Newport Beach section 605 (j). The Finance Director shall assume the title of and act as City Treasurer and with the approval of the City Manager appoint deputies annually as necessary to act under the provisions of any law requiring or permitting action by the City Treasurer. The Finance Director may then delegate the authority to conduct investment transactions and to manage the operation of the investment portfolio to other specifically authorized staff members. No person may engage in an investment transaction except as expressly provided under the terms of this Policy. The City may engage the support services of outside investment advisors with respect to its investment program, so long as it can be demonstrated that these services produce a net financial advantage or necessary financial protection of the City's financial resources. Such companies must be registered under the Investment Advisors Act of 1940, be well-established and exceptionally reputable. Members of the staff of such companies who will have primary responsibility for managing the City's investments must have a working familiarity with the special requirements and constraints of investing municipal funds in general and this City's funds in particular. These firms must insure that the portion of the portfolio under their management complies with various concentration and other constraints specified herein, and contractually agree to conform to all provisions of governing law and the collateralization and other requirements of this Policy. Selection and retention of broker/ dealers by investment advisors shall be at their sole discretion and dependent upon selection and retention criteria as stated in the Uniform Application for Investment Advisor Registration and related Amendments (SEC Form ADV 2A). 4. Internal Controls The Finance Director is responsible for establishing and maintaining a system of internal controls. The internal controls shall be designed to prevent losses of public funds arising from fraud, employee error, and misrepresentation by third parties, unanticipated changes in financial markets, or imprudent action by City employees and officers. The internal structure shall be designed to provide reasonable assurance that these objectives are met. The concept of reasonable assurance recognizes that (1) the cost of a control should not exceed the benefits likely to be derived, and 2) the valuation of costs and benefits requires estimates and judgments by management. 5 F-1 D. BANKING SERVICES Banking services for the City shall be provided by FDIC insured banks approved to provide depository and other banking services. To be eligible, a bank shall qualify as a depository of public funds in the State of California as defined in California Government Code Section 53630.5 and shall secure deposits in excess of FDIC insurance coverage in accordance with California Government Code Section 53652. E. BROKER/ DEALERS In the event that an investment advisor is not used to purchase securities, the City will select broker/dealers on the basis of their expertise in public cash management and their ability to provide service to the City's account. Each approved broker/dealer must possess an authorizing certificate from the California Commissioner of Corporations as required by Section 25210 of the California Corporations Code. To be eligible, a firm must meet at least one of the following criteria: 1. Be recognized as Primary Dealers by the Federal Reserve Bank of New York or have a primary dealer within their holding company structure, or 2. Report voluntarily to the Federal Reserve Bank of New York, or 3. Qualify under Securities and Exchange Commission (SEC) Rule 15c3-1 Uniform Net Capital Rule). F. SAFEKEEPING AND CUSTODY OF ASSETS The Finance Director shall select one or more banks to provide safekeeping and custodial services for the City. A Safekeeping Agreement approved by the City shall be executed with each custodian bank prior to utilizing that bank's safekeeping services. Custodian banks will be selected on the basis of their ability to provide services for the City's account and the competitive pricing of their safekeeping related services. The purchase and sale of securities and repurchase agreement transactions shall be settled on a delivery versus payment basis. All securities shall be perfected in the name of the City. Sufficient evidence to title shall be consistent with modern investment, banking and commercial practices. All investment securities, except non-negotiable Certificates of Deposit, Money Market Funds and local government investment pools, purchased by the City will 0 F-1 be delivered by book entry and will be held in third -party safekeeping by a City approved custodian bank, its correspondent bank or its Depository Trust Company (DTC) participant account. All Fed wireable book entry securities owned by the City shall be held in the Federal Reserve system in a customer account for the custodian bank which will name the City as "customer." All DTC eligible securities shall be held in the custodian bank's DTC participant account and the custodian bank shall provide evidence that the securities are held for the City as "customer." G. AUTHORIZED INVESTMENTS All investments and deposits of the City shall be made in accordance with California Government Code Sections 16429.1, 53600-53609 and 53630-53686. Any revisions or extensions of these code sections will be assumed to be part of this Policy immediately upon being enacted. The City has further restricted the eligible types of securities and transactions. The foregoing list of authorized securities and transactions shall be strictly interpreted. Any deviation from this list must be pre - approved by resolution of the City Council. In the event an apparent discrepancy is found between this Policy and the Government Code, the more restrictive parameter(s) will take precedence. Where this section specifies a percentage limitation or minimum credit rating for a particular security type, that percentage or credit rating minimum is applicable only at the date of purchase. 1. Investments Specifically Permitted a) United States Treasury bills, notes, or bonds with a final maturity not exceeding five years from the date of trade settlement. There is no limitation as to the percentage of the City's portfolio that may be invested in this category. b) Federal Instrumentality (government-sponsored enterprise) debentures, discount notes, callable and step-up securities, with a final maturity not exceeding five years from the date of trade settlement. There is no limitation as to the percentage of the portfolio that can be invested in this category. c) Federal Agency Obligations for which the full faith and credit of the United States are pledged for the payment of principal and interest and which have a final maturity not exceeding five years from the 7 F-1 date of trade settlement. There is no limitation as to the percentage of the portfolio that can be invested in this category. d) Mortgage-backed Securities, Collateralized Mortgage Obligation CMO) and Asset-backed Securities from issuers not defined in sections (a),(b), and c) of this Section are limited to bonds with a final maturity not exceeding five years from the date of trade settlement. The security itself shall be rated at least "AAA" or the equivalent by a Nationally Recognized Statistical Rating Organization ("NRSRO"). No more than five percent (5%) of the City's total portfolio shall be invested in any one issuer of mortgage- backed and asset-backed securities listed above, and the aggregate investment in mortgage-backed and asset-backed securities shall not exceed twenty percent (20%) of the City's total portfolio. e) Medium -Term Notes issued by corporations organized and operating within the United States or by depository institutions licensed by the United States or any state and operating within the United States, with a final maturity not exceeding five years from the date of trade settlement, and rated in at least the "A" category or the equivalent by an NRSRO. No more than five percent (5%) of the City's total portfolio shall be invested in any one issuer of medium- term notes, and the aggregate investment in medium-term notes shall not exceed thirty percent (30%) of the City's total portfolio. f) Municipal Bonds: including bonds issued by the City of Newport Beach, including bonds payable solely out of the revenues from a revenue-producing property owned, controlled, or operated by the City or by a department, board, agency, or authority of the City. State of California registered warrants or treasury notes or bonds, including bonds payable solely out of the revenues from a revenue- producing property owned, controlled, or operated by the state or by a department, board, agency, or authority of the state. Registered treasury notes or bonds of any of the other 49 states in addition to California, including bonds payable solely out of the revenues from a revenue producing property owned, controlled, or operated by a state or by a department, board, agency, or authority of any of the other 49 states, in addition to California. Bonds, notes, warrants, or other evidences of indebtedness of a local F-1 agency within California, including bonds payable solely out of the revenues from a revenue-producing property owned, controlled, or operated by the local agency, or by a department, board, agency, or authority of the local agency. In addition, these securities must be rated in at least the "A" category or the equivalent by a NRSRO with maturities not exceeding five years from the date of trade settlement. No more than five percent 5%) of the City's total portfolio shall be invested in any one municipal issuer. In addition, the aggregate investment in municipal bonds may not exceed thirty percent (30%) of the portfolio. g) Non-negotiable Certificates of Deposit and savings deposits with a maturity not exceeding two years from the date of trade settlement, in FDIC insured state or nationally chartered banks or savings banks that qualify as a depository of public funds in the State of California as defined in California Government Code Section53630.5. Deposits exceeding the FDIC insured amount shall be secured pursuant to California Government Code Section 53652. No one issuer shall exceed more than five percent (5%) of the portfolio, and investment in negotiable and nonnegotiable certificates of deposit shall be limited to thirty percent (30%) of the portfolio combined. h) Negotiable Certificates of Deposit only with a nationally or state - chartered bank, a savings association or a federal association (as defined by Section 5102 of the Financial Code), a state or federal credit union, or by a federally licensed or state -licensed branch of a foreign bank whose senior long-term debt is rated in at least the A" category, or the equivalent, or short-term debt is rated at least A-1" or the equivalent by an NRSRO and having assets in excess of 10 billion, so as to ensure security and a large, well- established secondary market. Ease of subsequent marketability should be further ascertained prior to initial investment by examining currently quoted bids by primary dealers and the acceptability of the issuer by these dealers. No one issuer shall exceed more than five percent (5%) of the portfolio, and maturity shall not exceed two years. Investment in negotiable and non- negotiable certificates of deposit shall be limited to thirty percent (30%) of the portfolio combined. i) Prime Commercial Paper with a maturity not exceeding 270 days from the date of trade settlement that is rated "A-1", or the equivalent, by an NRSRO. The entity that issues the commercial A F-1 paper shall meet all of the following conditions in either sub- paragraph i. or sub -paragraph ii. below: i The entity shall (1) be organized and operating in the United States as a general corporation, (2) have total assets in excess of $500,000,000 and (3) have debt other than commercial paper, if any, that is rated in at least the "A" category or the equivalent by an NRSRO. ii The entity shall (1) be organized within the United States as special purpose corporation, trust, or limited liability company, (2) have program wide credit enhancements, including, but not limited to, over collateralization, letters of credit or surety bond and (3) have commercial paper that is rated at least "A-1" or the equivalent, by an NRSRO. R No more than five percent (5%) of the City's total portfolio shall be invested in the commercial paper of any one issuer, and the aggregate investment in commercial paper shall not exceed twenty-five percent (25%) of the City's total portfolio. j) Eligible Banker's Acceptances with a maturity not exceeding 180 days from the date of trade settlement, drawn on and accepted by a commercial bank whose senior long-term debt is rated in at least the A" category or the equivalent by an NRSRO at the time of purchase. Banker's Acceptances shall be rated at least "A-1", or the equivalent at the time of purchase by an NRSRO. If the bank has senior debt outstanding, it must be rated in at least the "A" category or the equivalent by an NRSRO. The aggregate investment in banker's acceptances shall not exceed forty percent (40%) of the City's total portfolio, and no more than five percent (5%) of the City's total portfolio shall be invested in banker's acceptances of any one bank. k) Repurchase Agreements and Reverse Repurchase Agreements with a final termination date not exceeding 30 days collateralized by U.S. Treasury obligations or Federal Instrumentality securities listed in items 1 and 2 above with the maturity of the collateral not exceeding ten years. For the purpose of this section, the term collateral shall mean purchased securities under the terms of the City's approved Master Repurchase Agreement. The purchased securities shall have a minimum market value including accrued interest of onehundred and two percent (102%) of the dollar value of the funds borrowed. Collateral shall be held in the City's custodian bank, as safekeeping agent, and the market value of the collateral securities shall be marked -to -the -market daily. 10 F-1 Repurchase Agreements and Reverse Repurchase Agreements shall be entered into only with broker/ dealers and who are recognized as Primary Dealers with the Federal Reserve Bank of New York, or with firms that have a Primary Dealer within their holding company structure. Primary Dealers approved as Repurchase Agreement counterparties shall have a short-term credit rating of at least "A-1" or the equivalent and a long-term credit rating of at least "A" or the equivalent. Repurchase agreement counterparties shall execute a City approved Master Repurchase Agreement with the City. The Finance Director shall maintain a copy of the City's approved Master Repurchase Agreement and a list of the broker/ dealers who have executed same. In addition, the City must own assets for more than 30 days before they can be used as collateral for a reverse repurchase agreement. No more than ten percent (10%) of the portfolio can be involved in reverse repurchase agreements. 1) State of California's Local Agency Investment Fund (LAIF pursuant to California Government Code Section 16429.1. m) County Investment Funds: Los Angeles County provides a service similar to LAIF for municipal and other government entities outside of Los Angeles County, including the City. Investment in this pool is intended to be used as a temporary repository for short-term funds used for liquidity purposes. The Finance Director shall maintain on file appropriate information concerning the county pool's current investment policies, practices, and performance, as well as its requirements for participation, including, but not limited to, limitations on deposits or withdrawals and the composition of the portfolio. At no time shall more than five percent (5%) of the City's total investment portfolio be placed in this pool. n) Mutual Funds and Money Market Mutual Funds registered under the Investment Company Act of 1940, provided that: 11 F-1 i MUTUAL FUNDS that invest in the securities and obligations as authorized under California Government Code, Section 53601 (a) to (k) and (m) to (q) inclusive and that meet either of the following criteria: 1) Attained the highest ranking or the highest letter and numerical rating provided by not less than two (2) NRSROs; or 2) Have retained an investment adviser registered or exempt from registration with the Securities and Exchange Commission with not less than five years' experience investing in the securities and obligations authorized by California Government Code, Section 53601 and with assets under management in excess of $500 million. 3) No more than 10% of the total portfolio may be invested in shares of any one mutual fund. ii. MONEY MARKET MUTUAL FUNDS registered with the Securities and Exchange Commission under the Investment Company Act of 1940 and issued by diversified management companies and meet either of the following criteria: 1) Have attained the highest ranking or the highest letter and numerical rating provided by not less than two (2) NRSROs; or 2) Have retained an investment adviser registered or exempt from registration with the Securities and Exchange Commission with not less than five years' experience managing money market mutual funds with assets under management in excess of $500 million. 3) No more than 20% of the total portfolio may be invested in Money Market Mutual Funds. d No more than 20% of the total portfolio maybe invested in these securities. 12 F-1 o) Supranationals which are United States dollar denominated senior unsecured unsubordinated obligations issued or unconditionally guaranteed by the International Bank for Reconstruction and Development (IBRD), International Finance Corporation (IFC), or Inter -American Development Bank (IADB), with a maximum remaining maturity of five years or less, and eligible for purchase and sale within the United States. Investments under this paragraph shall be rated in the "AA" category, its equivalent, or better by at least one NRSRO. No more than ten percent (10%) of the City's total portfolio shall be invested in any one issuer of supranational obligations. Purchases of supranational obligations shall not exceed twenty percent (20%) of the investment portfolio of the City. 2. Investments Specifically Not Permitted Any security type or structure not specifically approved by this policy is hereby prohibited. Security types, which are thereby prohibited include, but are not limited to: "exotic" derivative structures such as range notes, dual index notes, inverse floating rate notes, leveraged or de -leveraged floating rate notes, interest only strips that are derived from a pool of mortgages and any security that could result in zero interest accrual if held to maturity, or any other complex variable or structured note with an unusually high degree of volatility risk. The City shall not invest funds with the Orange County Pool. 3. Exceptions to Prohibited and Restricted Investments The City shall not be required to sell securities prohibited or restricted in this policy, or any future policies, or prohibited or restricted by new State regulations, if purchased prior to their prohibition and/or restriction. Insofar as these securities provided no notable credit risk to the City, holding of these securities until maturity is approved. At maturity or liquidation, such monies shall be reinvested as provided by this policy. 13 F-1 H. INVESTMENT PARAMETERS 1. Diversification The City shall diversify its investments to avoid incurring unreasonable risks inherent in over -investing in specific instruments, individual financial institutions or maturities. As such, no more than five percent (5%) of the City's portfolio may be invested in the instruments of any one issuer, except governmental issuers, supranationals, investment pools, mutual funds and money market funds, or unless otherwise specified in this investment policy. This restriction does not apply to any type of Federal Instrumentality or Federal Agency Security listed in Sections G1 (b) and G1 (c) above. Nevertheless, the asset allocation in the investment portfolio should be flexible depending upon the outlook for the economy, the securities markets and the City's anticipated cash flow needs. 2. Maximum Maturities To the extent possible, investments shall be matched with anticipated cash flow requirements and known future liabilities. The City will not invest in securities maturing more than five years from the date of trade settlement, unless the City Council has by resolution granted authority to make such an investment at least three months prior to the date of investment. 3. Credit Quality Each investment manager will monitor the credit quality of the securities in their respective portfolio. In the event a security held by the City is the subject of a rating downgrade which brings it below accepted minimums specified herein, or the security is placed on negative credit watch, where downgrade could result in a rate drop below acceptable levels, the investment advisor who purchased the security will immediately notify the Finance Director. The City shall not be required to immediately sell such securities. The course of action to be followed will then be decided on a case by case basis, considering such factors as the reason for the rate drop, prognosis for recovery or further drop, and market price of the security. The City Council will be advised of the situation and intended course of action. 4. Competitive Transactions Investment advisors shall make best effort to price investment transactions on a competitive basis with broker/ dealers selected consistent with their practices disclosed in form ADV 2A filed with the SEC. Where possible, at least three broker/ dealers shall be contacted for each transaction and their bid or offering prices shall be recorded. If there is no other readily available competitive offering, the investment advisor shall make their best efforts to document quotations for comparable or alternative securities. If qualitative 14 F-1 characteristics of a transaction, including, but not limited to, complexity of the transaction, or sector expertise of the broker, prevent a competitive selection process, investment advisors shall use brokerage selection practices as described above. I. PORTFOLIO PERFORMANCE The investment portfolio shall be designed to attain a market rate of return throughout budgetary and economic cycles, taking into account prevailing market conditions, risk constraints for eligible securities, and cash flow requirements. The performance of the City's investments shall be compared to the total return of a benchmark that most closely corresponds to the portfolio's duration, universe of allowable securities, risk profile, and other relevant characteristics. When comparing the performance of the City's portfolio, its rate of return will be computed consistent with Global Investment Performance Standards (GIPS). J. REPORTING Monthly, the Finance Director shall produce a treasury report of the investment portfolio balances, transactions, risk characteristics, earnings, and performance results of the City's investment portfolio available to City Council and the public on the City's Website. The report shall include the following information: 1. Investment type, issuer, date of maturity, par value and dollar amount invested in all securities, and investments and monies held by the City; 2. A description of the funds, investments and programs; 3. A market value as of the date of the report (or the most recent valuation as to assets not valued monthly) and the source of the valuation; 4. A statement of compliance with this Policy or an explanation for non- compliance K. INVESTMENT POLICY COMPLIANCE AND ADOPTION 1. Compliance Any deviation from the policy shall be reported to Finance Committee as soon as practical, but no later than the next scheduled Finance Committee meeting. Upon recommendation of the Finance Committee, the Finance Director shall review deviations from policy with the City Council. 2. Adoption The Finance Director shall review the Investment Policy with the Finance Committee at least annually to ensure its consistency with the overall 15 F-1 objectives of preservation of principal, liquidity and return, and its relevance to current law and financial and economic trends. The Finance Director shall review the Investment Policy with City Council at a public meeting if there are changes recommended to the Investment Policy. This Policy was endorsed and adopted by the City Council of the City of Newport Beach on September 8, 2015. It replaces any previous investment policy or investment procedures of the City. Adopted - April 6,1959 Amended - November 9,1970 Amended - February 11, 1974 Amended - February 9,1981 Amended - October 27,1986 Rewritten - October 22, 1990 Amended - January 28,1991 Amended - January 24,1994 Amended - January 9,1995 Amended - April 22,1996 Corrected - January 27,1997 Amended - February 24,1997 Amended - May 26,1998 Reaffirmed - March 22,1999 Reaffirmed - March 14, 2000 Amended & Reaffirmed - May 8, 2001 Amended & Reaffirmed - April 23, 2002 Amended & Reaffirmed - April 8, 2003 Amended & Reaffirmed - April 13, 2004 Amended & Reaffirmed - September 13, 2005 Amended - August 11, 2009 Amended & Reaffirmed - August 10, 2010 Amended & Reaffirmed - September 28, 2010 Reaffirmed - June 28, 2011 Amended & Reaffirmed - October 9, 2012 Amended - August 13, 2013 Amended - September 8, 2015 Amended - March 28, 2017 Amended - January 28, 2020 T: F-1 Glossary of Investment Terms AGENCIES. Shorthand market terminology for any obligation issued by a government- sponsored entity (GSE), or a federally related institution. Most obligations of GSEs are not guaranteed by the full faith and credit of the US government. Examples are: FFCB. The Federal Farm Credit Bank System provides credit and liquidity in the agricultural industry. FFCB issues discount notes and bonds. FHLB. The Federal Home Loan Bank provides credit and liquidity in the housing market. FHLB issues discount notes and bonds. FHLMC. Like FHLB, the Federal Home Loan Mortgage Corporation provides credit and liquidity in the housing market. FHLMC, also called "FreddieMac" issues discount notes, bonds and mortgage pass-through securities. FNMA. Like FHLB and FreddieMac, the Federal National Mortgage Association was established to provide credit and liquidity in the housing market. FNMA, also known as "FannieMae," issues discount notes, bonds and mortgage pass- through securities. GNMA. The Government National Mortgage Association, known as "GinnieMae," issues mortgage pass-through securities, which are guaranteed by the full faith and credit of the US Government. PEFCO. The Private Export Funding Corporation assists exporters. Obligations of PEFCO are not guaranteed by the full faith and credit of the US government. TVA. The Tennessee Valley Authority provides flood control and power and promotes development in portions of the Tennessee, Ohio, and Mississippi River valleys. TVA currently issues discount notes and bonds. ASKED. The price at which a seller offers to sell a security. ASSET BACKED SECURITIES. Securities supported by pools of installment loans or leases or by pools of revolving lines of credit. AVERAGE LIFE. In mortgage -related investments, including CMOs, the average time to expected receipt of principal payments, weighted by the amount of principal expected. BANKER'S ACCEPTANCE. A money market instrument created to facilitate international trade transactions. It is highly liquid and safe because the risk of the trade transaction is transferred to the bank which "accepts" the obligation to pay the investor. BENCHMARK. A comparison security or portfolio. A performance benchmark is a partial market index, which reflects the mix of securities allowed under a specific investment policy. BID. The price at which a buyer offers to buy a security. 17 F-1 BROKER. A broker brings buyers and sellers together for a transaction for which the broker receives a commission. A broker does not sell securities from his own position. CALLABLE. A callable security gives the issuer the option to call it from the investor prior to its maturity. The main cause of a call is a decline in interest rates. If interest rates decline since an issuer issues securities, it will likely call its current securities and reissue them at a lower rate of interest. Callable securities have reinvestment risk as the investor may receive its principal back when interest rates are lower than when the investment was initially made. CERTIFICATE OF DEPOSIT (CD). A time deposit with a specific maturity evidenced by a certificate. Large denomination CDs may be marketable. CERTIFICATE OF DEPOSIT ACCOUNT REGISTRY SYSTEM (CDARS). A private placement service that allows local agencies to purchase more than $250,000 in CDs from a single financial institution (must be a participating institution of CDARS) while still maintaining FDIC insurance coverage. CDARS is currently the only entity providing this service. CDARS facilitates the trading of deposits between the California institution and other participating institutions in amounts that are less than $250, 000 each, so that FDIC coverage is maintained. COLLATERAL. Securities or cash pledged by a borrower to secure repayment of a loan or repurchase agreement. Also, securities pledged by a financial institution to secure deposits of public monies. COLLATERALIZED MORTGAGE OBLIGATIONS (CMO). Classes of bonds that redistribute the cash flows of mortgage securities (and whole loans) to create securities that have different levels of prepayment risk, as compared to the underlying mortgage securities. COMMERCIAL PAPER. The short-term unsecured debt of corporations. COST YIELD. The annual income from an investment divided by the purchase cost. Because it does not give effect to premiums and discounts which may have been included in the purchase cost, it is an incomplete measure of return. COUPON. The rate of return at which interest is paid on a bond. CREDIT RISK. The risk that principal and/or interest on an investment will not be paid in a timely manner due to changes in the condition of the issuer. CURRENT YIELD. The annual income from an investment divided by the current market value. Since the mathematical calculation relies on the current market value rather than the investor's cost, current yield is unrelated to the actual return the investor M2 F-1 will earn if the security is held to maturity. DEALER. A dealer acts as a principal in security transactions, selling securities from and buying securities for his own position. DEBENTURE. A bond secured only by the general credit of the issuer. DELIVERY VS. PAYMENT (DVP). A securities industry procedure whereby payment for a security must be made at the time the security is delivered to the purchaser's agent. DERIVATIVE. Any security that has principal and/or interest payments which are subject to uncertainty (but not for reasons of default or credit risk) as to timing and/or amount, or any security which represents a component of another security which has been separated from other components ("Stripped" coupons and principal). A derivative is also defined as a financial instrument the value of which is totally or partially derived from the value of another instrument, interest rate, or index. DISCOUNT. The difference between the par value of a bond and the cost of the bond, when the cost is below par. Some short-term securities, such as T-bills and banker's acceptances, are known as discount securities. They sell at a discount from par, and return the par value to the investor at maturity without additional interest. Other securities, which have fixed coupons, trade at a discount when the coupon rate is lower than the current market rate for securities of that maturity and/or quality. DIVERSIFICATION. Dividing investment funds among a variety of investments to avoid excessive exposure to any one source of risk. DURATION. The weighted average time to maturity of a bond where the weights are the present values of the future cash flows. Duration measures the price sensitivity of a bond to changes in interest rates. (See modified duration). FEDERAL FUNDS RATE. The rate of interest charged by banks for short-term loans to other banks. The Federal Reserve Bank through open -market operations establishes it. FEDERAL OPEN MARKET COMMITTEE. A committee of the Federal Reserve Board that establishes monetary policy and executes it through temporary and permanent changes to the supply of bank reserves. LEVERAGE. Borrowing funds in order to invest in securities that have the potential to pay earnings at a rate higher than the cost of borrowing. LIQUIDITY. The speed and ease with which an asset can be converted to cash. 19 F-1 LOCAL AGENCY INVESTMENT FUND (LAIF). A voluntary investment fund open to government entities and certain non-profit organizations in California that is managed by the State Treasurer's Office. LOCAL GOVERNMENT INVESTMENT POOL. Investment pools that range from the State Treasurer's Office Local Agency Investment Fund (LAIF) to county pools, to Joint Powers Authorities (JPAs). These funds are not subject to the same SEC rules applicable to money market mutual funds. MAKE WHOLE CALL. A type of call provision on a bond that allows the issuer to pay off the remaining debt early. Unlike a call option, with a make whole call provision, the issuer makes a lump sum payment that equals the net present value (NPV) of future coupon payments that will not be paid because of the call. With this type of call, an investor is compensated, or "made whole." MARGIN. The difference between the market value of a security and the loan a broker makes using that security as collateral. MARKET RISK. The risk that the value of securities will fluctuate with changes in overall market conditions or interest rates. MARKET VALUE. The price at which a security can be traded. MARKING TO MARKET. The process of posting current market values for securities in a portfolio. MATURITY. The final date upon which the principal of a security becomes due and payable. MEDIUM TERM NOTES. Unsecured, investment-grade senior debt securities of major corporations which are sold in relatively small amounts on either a continuous or an intermittent basis. MTNs are highly flexible debt instruments that can be structured to respond to market opportunities or to investor preferences. MODIFIED DURATION. The percent change in price for a 100 basis point change in yields. Modified duration is the best single measure of a portfolio's or security's exposure to market risk. MONEY MARKET. The market in which short-term debt instruments (T-bills, discount notes, commercial paper, and banker's acceptances) are issued and traded. MORTGAGE PASS-THROUGH SECURITIES. A securitized participation in the interest and principal cash flows from a specified pool of mortgages. Principal and interest payments made on the mortgages are passed through to the holder of the security. 20 F-1 MUNICIPAL SECURITIES. Securities issued by state and local agencies to finance capital and operating expenses. MUTUAL FUND. An entity which pools the funds of investors and invests those funds in a set of securities which is specifically defined in the fund's prospectus. Mutual funds can be invested in various types of domestic and/or international stocks, bonds, and money market instruments, as set forth in the individual fund's prospectus. For most large, institutional investors, the costs associated with investing in mutual funds are higher than the investor can obtain through an individually managed portfolio. NATIONALLY RECOGNIZED STATISTICAL RATING ORGANIZATION (NRSRO). A credit rating agency that the Securities and Exchange Commission in the United States uses for regulatory purposes. Credit rating agencies provide assessments of an investment's risk. The issuers of investments, especially debt securities, pay credit rating agencies to provide them with ratings. The three most prominent NRSROs are Fitch, S&P, and Moody's. NEGOTIABLE CD. A short-term debt instrument that pays interest and is issued by a bank, savings or federal association, state or federal credit union, or state -licensed branch of a foreign bank. Negotiable CDs are traded in a secondary market. PREMIUM. The difference between the par value of a bond and the cost of the bond, when the cost is above par. PREPAYMENT SPEED. A measure of how quickly principal is repaid to investors in mortgage securities. PREPAYMENT WINDOW. The time period over which principal repayments will be received on mortgage securities at a specified prepayment speed. PRIMARY DEALER. A financial institution (1) that is a trading counterparty with the Federal Reserve in its execution of market operations to carry out U.S. monetary policy, and 2) that participates for statistical reporting purposes in compiling data on activity in the U.S. Government securities market. PRUDENT PERSON (PRUDENT INVESTOR) RULE. A standard of responsibility which applies to fiduciaries. In California, the rule is stated as "Investments shall be managed with the care, skill, prudence and diligence, under the circumstances then prevailing, that a prudent person, acting in a like capacity and familiar with such matters, would use in the conduct of an enterprise of like character and with like aims to accomplish similar purposes." REALIZED YIELD. The change in value of the portfolio due to interest received and interest earned and realized gains and losses. It does not give effect to changes in market 21 F-1 value on securities, which have not been sold from the portfolio. REGIONAL DEALER. A financial intermediary that buys and sells securities for the benefit of its customers without maintaining substantial inventories of securities and that is not a primary dealer. REPURCHASE AGREEMENT. Short-term purchases of securities with a simultaneous agreement to sell the securities back at a higher price. From the seller's point of view, the same transaction is a reverse repurchase agreement. SAFEKEEPING. A service to bank customers whereby securities are held by the bank in the customer's name. STRUCTURED NOTE. A complex, fixed income instrument, which pays interest, based on a formula tied to other interest rates, commodities or indices. Examples include inverse floating rate notes which have coupons that increase when other interest rates are falling, and which fall when other interest rates are rising, and "dual index floaters," which pay interest based on the relationship between two other interest rates - for example, the yield on the ten-year Treasury note minus the Libor rate. Issuers of such notes lock in a reduced cost of borrowing by purchasing interest rate swap agreements. SUPRANATIONAL. A Supranational is a multi -national organization whereby member states transcend national boundaries or interests to share in the decision making to promote economic development in the member countries. TOTAL RATE OF RETURN. A measure of a portfolio's performance over time. It is the internal rate of return, which equates the beginning value of the portfolio with the ending value; it includes interest earnings, realized and unrealized gains, and losses in the portfolio. U.S. TREASURY OBLIGATIONS. Securities issued by the U.S. Treasury and backed by the full faith and credit of the United States. Treasuries are considered to have no credit risk, and are the benchmark for interest rates on all other securities in the US and overseas. The Treasury issues both discounted securities and fixed coupon notes and bonds. TREASURY BILLS. All securities issued with initial maturities of one year or less are issued as discounted instruments, and are called Treasury bills. The Treasury currently issues three- and six-month T-bills at regular weekly auctions. It also issues "cash management" bills as needed to smooth out cash flows. TREASURY NOTES. All securities issued with initial maturities of two to ten years are called Treasury notes, and pay interest semi-annually. 22 F-1 TREASURY BONDS. All securities issued with initial maturities greater than ten years are called Treasury bonds. Like Treasury notes, they pay interest semi-annually. VOLATILITY. The rate at which security prices change with changes in general economic conditions or the general level of interest rates. YIELD TO MATURITY. The annualized internal rate of return on an investment which equates the expected cash flows from the investment to its cost. 23 CITY OF NEWPORT BEACH FINANCE COMMITTEE STAFF REPORT Agenda Item No. 5C September 24, 2020 TO: HONORABLE CHAIR AND MEMBERS OF THE COMMITTEE FROM: Finance Department Dan Matusiewicz, Finance Director (949) 644-3123 or danm@newportbeachca.gov SUBJECT: FIRE STATION NO. 2 FINANCING – BOND AUTHORIZATION AND RECOMMENDATION SUMMARY: On May 12, 2020, the City Council reviewed the Adopted Fiscal Year 2019-20 Capital Improvement Program Budget. There was a unanimous straw vote to support evaluating financing for the Lido Fire Station 2 Project. This report describes the contours of a financing plan and its conformance to the City’s Debt Policy. RECOMMENDATION: Discuss and recommend financing proposal for City Council consideration. DISCUSSION: The current Lido Fire Station No. 2, located on 32nd Street, was constructed in 1952 and has required frequent maintenance and repairs. While the existing structure is functional, it is too small and no longer meets the operational needs of the Fire Department and community. In lieu of trying to construct and relocate the fire station to a temporary facility, and then demolish and reconstruct a new fire station on the existing property, the City purchased a 17,693-square-foot property located at 2807 Newport Boulevard where the new Fire Station No. 2 facility will be constructed. The Lido Fire Station No. 2 project is currently included as a planned project within the City’s Facilities Financing Plan and the Fiscal Year 2020-21 CIP Budget. A conceptual Lido Fire Station No. 2 Financing September 24, 2020 Page 2 design for the replacement of Fire Station No. 2 was developed with input from the Fire Department and the community. The concept design shows an 11,068-square-foot fire station that includes: • 4,316-square-foot apparatus bay with three doors; • Secure medical storage room; • Twelve dorm rooms; • 30-person locker turnout; • Improved kitchen, day room and fitness areas; • Extractor room and wash down areas for contaminated clothing and gear; • On-site parking for fire personnel; and • A separate on-site public restroom facility. Project Cost Estimate The estimated fire station facility project cost (design, construction, incidentals) is $9,564,500 and itemized below (not including the recent land purchase). The overall estimated Fire Station facility budget is as follows: Project Design (Architect, Geotechnical, Survey) $ 525,800 Incidentals (Construction Management, Utilities, FF&E, Testing) $ 500,000 Alerting System $ 150,000 Facility Construction Estimate (09/9/19) $ 7,194,200 New Traffic Signal (Balboa Blvd/28th Street) $ 325,000 Design Contingency (10-percent) $ 869,500 Estimated Overall Project Cost $ 9,564,500 On May 12, 2020, the City Council reviewed the Adopted Fiscal Year 2019-20 Capital Improvement Program Budget. Mayor O’Neill proposed moving forward with Lido Fire Station 2 project but on a finance term of at least 10 years. With Council Member Muldoon recusing himself, there was a unanimous straw vote to support evaluating financing for the Lido Fire Station 2 Project. Proposed Financing The City proposes to issue certificates of participation (bonds) to finance project costs and costs related to the issuance of the bonds. The bonds will be structured with a 10-year term or final maturity of July 1, 2030. Though the term of the bonds may be considered less than the useful life of the project, the accelerated repayment conforms to the City’s Debt Policy by reducing the debt burden and total borrowing costs. Annual debt service payments are level and also conform with the Debt Policy. Current market rates estimate annual repayment is approximately $995,000 for total debt service of approximately $9,950,000. To provide a cost ceiling for the Resolution to authorize Lido Fire Station No. 2 Financing September 24, 2020 Page 3 bonds, as required by the Debt Policy, we assume a 2% maximum true interest cost, which would equate to a maximum annual debt service of 1,073,700. Other structuring elements are market driven: the bonds assume serial, current interest bonds and premium coupons (i.e. the coupon rate is greater than the yield rate). All help improve the cost effectiveness of the borrowing as well as conform to the Debt Policy. The City’s Debt Policy recommends an optional par call provision no later than 10 years. Because the term of the bonds is 10 years, the market standard 10-year call option does not apply. To maximize repayment flexibility, a shorter call provision may be considered. No additional funding is needed for a reserve or capitalized interest. The City benefits from the highest lease credit ratings (Aa1/AA+/AA+), so the municipal market will not require a debt service reserve fund. In line with the Debt Policy, there will be no capitalized interest to defer debt service until project completion. This is accomplished by the lease-lease-back structure, whereby the City will lease-back from the Newport Beach Public Facilities Corporation the Corona Del Mar Fire Station and the Santa Ana Heights Fire Station properties to effectuate lease payments securing the bonds. In accordance with the Debt Policy, please see the attachments to this Staff Report an independent analysis of all financing scenarios considered with respect to this financing including the specific recommendation for the bonds as well as the draft resolution authorizing sale of bonds and proposed parameters staff is authorized to negotiate when the bonds are priced. Prepared by: Submitted by: /s/Steve Montano /s/Dan Matusiewicz Steve Montano Dan Matusiewicz Deputy Finance Director Finance Director Attachments: A – Municipal Advisor’s Analysis of Financing Scenarios B – Draft Resolution Authorizing Sale of Bonds ATTACHMENT A MUNICIPAL ADVISOR’S ANALYSIS OF FINANCIAL SCENARIOS 2054 University Avenue, Suite 300 │ Berkeley, CA 94704 │ Main 510-839-8200 │ Fax 510-208-8282 1451 Quail Street, Suite 200 │ Newport Beach, CA 92660 │ Main 949-346-4900 │ Fax 510-208-8282 5901 W. Century Boulevard, Suite 750 │ Los Angeles, CA 90045 │ Main 310-348-2901 │ Fax 510-208-8282 A Limited Liability Company Date: September 16, 2020 To: Dan Matusiewicz, Finance Director, City of Newport Beach From: Mark Young and Larry Lom, KNN Public Finance Re: Financing Scenario Analyses for the Certificates of Participation 2020A (Lido Fire Station Project) The City of Newport Beach will issue certificates of participation (bonds) to finance its Lido Fire Station project of $9,500,000. KNN Public Finance, as Municipal Advisor, has analyzed various financing scenarios to help evaluate costs and options available to the City. The following discussion details the approach and analyses undertaken. Initial Analysis of Financing Scenarios Upon the City’s request, our initial analysis as of May 2020 included four scenarios for different financing terms: 10, 15, 20 and 30 years. Other assumptions, such as project size, costs of issuance and level debt service structure, were the same across scenarios. The objective was to evaluate borrowing costs and debt burden in terms of annual debt service payments. A summary of the results is provided in the table below; please see Exhibit A for an expanded table. Financing Scenarios 10-Year 15-Year 20-Year 30-Year Par Amount 8,530,000.00 8,475,000.00 8,500,000.00 9,060,000.00 Premium 1,191,500.75 1,245,224.85 1,218,807.10 663,771.55 Total Sources 9,721,500.75 9,720,224.85 9,718,807.10 9,723,771.55 Project Fund 9,500,000.00 9,500,000.00 9,500,000.00 9,500,000.00 Cost of Issuance 167,750.00 167,750.00 167,750.00 167,750.00 Underwriter's Discount 51,180.00 50,850.00 51,000.00 54,360.00 Rounding Proceeds 2,570.75 1,624.85 57.10 1,661.55 Total Uses 9,721,500.75 9,720,224.85 9,718,807.10 9,723,771.55 True Interest Cost (TIC)1.563% 2.180% 2.598% 2.887% Average Coupon 4.000% 4.000% 4.000% 3.352% Total Debt Service 10,516,000 11,433,600 12,511,600 14,579,600 Maximum Annual Debt Service 1,053,200 764,800 628,600 488,550 Average Annual Debt Service 1,051,600 762,240 625,580 485,987 As illustrated, total borrowing costs increase as the term of the debt becomes longer. Estimated total debt service was $10.5 million for a 10-year borrowing and $14.5 million for a 30-year borrowing. The debt burden, however, declined with longer term debt. Annual debt service was $1 million for a 10- year borrowing and $490,000 for a 30-year borrowing. Therefore, a recommended financing scenario Financing Scenario Analyses for COPs (Lido Fire Station Project) | pg. 2 would need to balance the City’s desire to keep total borrowing costs low and the capacity of the General Fund to make annual debt service payments. For example, borrowing long to reduce annual debt service pressure on the General Fund may be desirable as the costs for long term bonds are at historic lows and the interest rate difference (or spread) along the yield curve has narrowed. Many of the other structuring elements of the bonds are market driven and thus achieve cost effectiveness. For example, we assume across scenarios: serial and term bonds; semi-annual current interest; premium coupons (i.e. the coupon rate is greater than the yield rate); and a 10-year par call where applicable. Also, we assume no additional funding for a debt service reserve fund or capitalized interest. The City benefits from the highest lease credit ratings (Aa1/AA+/AA+), so the municipal market will not require a debt service reserve fund. In line with the Debt Policy, there will be no capitalized interest to defer debt service until project completion. This is accomplished by the lease- lease-back structure, whereby the City will lease-back from the Newport Beach Public Facilities Corporation the Corona Del Mar Fire Station and the Santa Ana Heights Fire Station properties to effectuate lease payments securing the bonds. All help improve the cost effectiveness of the borrowing. Updated Analysis of Financing Scenarios We updated our analysis in August 2020 by eliminating the 30-year term scenario. We also updated the scenarios for current market rates and assumed one rating to reduce cost of issuance by approximately $20,000. The City has historically issued bonds with all three ratings from Moody’s, S&P and Fitch. However, because the financing is relatively small, being under $10 million in par, one rating will be sufficient to market bonds. We assume S&P only because they have an explicit policy of not penalizing the credit for no reserve funds and they are well received by investors. This rating approach was recommended in several underwriter proposals and reconfirmed by the selected underwriter, Stifel, Nicolaus & Company, Inc. A summary of the results is provided in the table below; please see Exhibit B for an expanded table. Financing Scenarios 10-Year 15-Year 20-Year Par Amount 8,185,000.00 7,950,000.00 7,920,000.00 Premium 1,500,326.05 1,731,980.25 1,764,010.55 Total Sources 9,685,326.05 9,681,980.25 9,684,010.55 Project Fund 9,500,000.00 9,500,000.00 9,500,000.00 Cost of Issuance 146,800.00 146,800.00 146,800.00 Underwriter's Discount 36,014.00 34,980.00 34,848.00 Rounding Proceeds 2,512.05 200.25 2,362.55 Total Uses 9,685,326.05 9,681,980.25 9,684,010.55 True Interest Cost (TIC)0.621% 1.245% 1.802% Average Coupon 4.000% 4.000% 4.000% Total Debt Service 9,958,938 10,586,150 11,499,160 Maximum Annual Debt Service 998,400 708,400 578,560 Average Annual Debt Service 995,894 705,743 574,958 Financing Scenario Analyses for COPs (Lido Fire Station Project) | pg. 3 After reviewing and discussing the various financing scenarios, the City ultimately decided to proceed with the 10-year term financing or final maturity of July 1, 2030. At the time of the analysis, annual debt service is approximately $995,000 for total debt service of approximately $9,950,000. Though the term of the bonds may be considered less than the useful life of the project, the accelerated repayment conforms to the City’s Debt Policy by reducing the total borrowing costs. Method of Sale The City has experience selling bonds through a public negotiated sale as well as a privately placed negotiated sale. We recommended a public negotiated sale because of the small size of the bonds, historically low market rates, and active retail account participation in the current market. We believe the public offering will maximize retail participation to drive borrowing costs lower. The ultimate decision by the City to use a 10-year term further positions the bonds as a “retail” product. We solicited 23 underwriters through a formal RFP process and received five responses. Stifel, Nicolaus & Company, Inc. was selected to sell the bonds based on the high quality of their proposal and their significant experience in the municipal market, particularly with certificates of participation and lease revenue bonds. Financing Scenario Analyses for COPs (Lido Fire Station Project) | pg. 4 Exhibit A Financing Scenarios 10-Year 15-Year 20-Year 30-Year Par Amount 8,530,000.00 8,475,000.00 8,500,000.00 9,060,000.00 Premium 1,191,500.75 1,245,224.85 1,218,807.10 663,771.55 Total Sources 9,721,500.75 9,720,224.85 9,718,807.10 9,723,771.55 Project Fund 9,500,000.00 9,500,000.00 9,500,000.00 9,500,000.00 Cost of Issuance 167,750.00 167,750.00 167,750.00 167,750.00 Underwriter's Discount 51,180.00 50,850.00 51,000.00 54,360.00 Rounding Proceeds 2,570.75 1,624.85 57.10 1,661.55 Total Uses 9,721,500.75 9,720,224.85 9,718,807.10 9,723,771.55 Cost of Issuance Breakout (est.) 10-Year 15-Year 20-Year 30-Year Bond and Disclosure Counsel 60,000 60,000 60,000 60,000 Financial Advisor 40,000 40,000 40,000 40,000 Moody's Rating Agency 23,000 23,000 23,000 23,000 S&P Rating Agency 20,750 20,750 20,750 20,750 Title Insurer Company 9,000 9,000 9,000 9,000 Trustee 7,500 7,500 7,500 7,500 Printer 2,500 2,500 2,500 2,500 Contingency 5,000 5,000 5,000 5,000 Total 167,750 167,750 167,750 167,750 *Additional Fitch rating is $21,000 Arbitrage Yield 1.463% 1.867% 2.097% 2.728% True Interest Cost (TIC)1.563% 2.180% 2.598% 2.887% Average Coupon 4.000% 4.000% 4.000% 3.352% Total Debt Service 10,516,000 11,433,600 12,511,600 14,579,600 Maximum Annual Debt Service 1,053,200 764,800 628,600 488,550 Average Annual Debt Service 1,051,600 762,240 625,580 485,987 Annual Debt Service Schedules 10-Year 15-Year 20-Year 30-Year 11/1/2021 1,051,200 764,000 620,000 485,950 11/1/2022 1,052,800 762,000 623,800 484,350 11/1/2023 1,053,200 764,400 627,000 487,550 11/1/2024 1,052,400 761,000 624,600 485,350 11/1/2025 1,050,400 762,000 626,800 487,950 11/1/2026 1,052,200 762,200 628,400 485,150 11/1/2027 1,052,600 761,600 624,400 487,150 11/1/2028 1,051,600 760,200 625,000 483,750 11/1/2029 1,049,200 763,000 625,000 485,150 11/1/2030 1,050,400 759,800 624,400 486,150 11/1/2031 0 760,800 628,200 486,750 11/1/2032 0 760,800 626,200 486,950 11/1/2033 0 764,800 628,600 486,750 11/1/2034 0 762,600 625,200 486,150 11/1/2035 0 764,400 626,200 485,150 11/1/2036 0 0 626,400 483,750 11/1/2037 0 0 625,800 486,950 11/1/2038 0 0 624,400 484,550 11/1/2039 0 0 627,200 486,750 11/1/2040 0 0 624,000 488,350 11/1/2041 0 0 0 484,350 11/1/2042 0 0 0 488,550 11/1/2043 0 0 0 487,300 11/1/2044 0 0 0 485,750 11/1/2045 0 0 0 483,900 11/1/2046 0 0 0 486,750 11/1/2047 0 0 0 484,150 11/1/2048 0 0 0 486,250 11/1/2049 0 0 0 487,900 11/1/2050 0 0 0 484,100 Financing Scenario Analyses for COPs (Lido Fire Station Project) | pg. 5 Exhibit B Financing Scenarios 10-Year 15-Year 20-Year Par Amount 8,185,000.00 7,950,000.00 7,920,000.00 Premium 1,500,326.05 1,731,980.25 1,764,010.55 Total Sources 9,685,326.05 9,681,980.25 9,684,010.55 Project Fund 9,500,000.00 9,500,000.00 9,500,000.00 Cost of Issuance 146,800.00 146,800.00 146,800.00 Underwriter's Discount 36,014.00 34,980.00 34,848.00 Rounding Proceeds 2,512.05 200.25 2,362.55 Total Uses 9,685,326.05 9,681,980.25 9,684,010.55 Cost of Issuance Breakout (est.) 10-Year 15-Year 20-Year Bond and Disclosure Counsel 75,000 75,000 75,000 Financial Advisor 32,500 32,500 32,500 S&P Rating Agency 16,750 16,750 16,750 Title Insurer Company 9,000 9,000 9,000 Trustee 3,550 3,550 3,550 Printer 2,500 2,500 2,500 DAC 2,500 2,500 2,500 Contingency 5,000 5,000 5,000 Total 146,800 146,800 146,800 Arbitrage Yield 0.547% 0.880% 1.121% True Interest Cost (TIC)0.621% 1.245% 1.802% Average Coupon 4.000% 4.000% 4.000% Total Debt Service 9,958,938 10,586,150 11,499,160 Maximum Annual Debt Service 998,400 708,400 578,560 Average Annual Debt Service 995,894 705,743 574,958 Annual Debt Service Schedules 10-Year 15-Year 20-Year 7/1/2021 995,538 704,350 578,560 7/1/2022 996,200 703,200 577,000 7/1/2023 998,200 707,000 576,000 7/1/2024 994,000 705,000 574,600 7/1/2025 993,800 707,400 572,800 7/1/2026 997,400 704,000 575,600 7/1/2027 994,600 705,000 572,800 7/1/2028 995,600 705,200 574,600 7/1/2029 995,200 704,600 575,800 7/1/2030 998,400 708,200 576,400 7/1/2031 0 705,800 576,400 7/1/2032 0 707,600 575,800 7/1/2033 0 708,400 574,600 7/1/2034 0 703,200 572,800 7/1/2035 0 707,200 575,400 7/1/2036 0 0 572,200 7/1/2037 0 0 573,400 7/1/2038 0 0 573,800 7/1/2039 0 0 573,400 7/1/2040 0 0 577,200 ATTACHMENT B DRAFT RESOLUTION AUTHORIZING SALE OF BONDS Stradling Yocca Carlson & Rauth Draft of 09/17/20 -1- 4847-6943-1237v3/022459-0033 RESOLUTION NO. _______ A RESOLUTION OF THE CITY COUNCIL OF THE CITY OF NEWPORT BEACH AUTHORIZING THE PREPARATION, SALE AND DELIVERY OF NOT TO EXCEED $10,000,000 PRINCIPAL AMOUNT OF CERTIFICATES OF PARTICIPATION, SERIES 2020A (LIDO FIRE STATION PROJECT) AND APPROVING CERTAIN DOCUMENTS AND AUTHORIZING CERTAIN ACTIONS IN CONNECTION THEREWITH WHEREAS, the City of Newport Beach (the “City”) and the Newport Beach Public Facilities Corporation (the “Corporation”) desire to enter into a Site Lease dated as of November 1, 2020 (the “Site Lease”) and a Lease/Purchase Agreement, dated as of November 1, 2020 (the “Lease”), whereby the City, as agent of the Corporation, shall cause the acquisition, improvement and equipping of a new Lido Fire Station, as described therein (the “Project”), and the City has agreed to lease the Leased Premises (defined below) from the Corporation, the forms of which have been presented to this City Council at the meeting of which the Resolution has been adopted; and WHEREAS, in order to finance the Project, the City and the Corporation desire to authorize the sale of the City of Newport Beach Certificates of Participation 2020A (Lido Fire Station Project) (the “Certificates”) evidencing fractional interests in the Lease Payments made by the City under the Lease; and WHEREAS, Section 5450 et seq. of the California Government Code (the “Government Code”) provides statutory authority for pledging collateral for the payment of principal or prepayment price of, and interest on, any agreement, including certificates of participation, and the Government Code creates a continuing perfected security interest which shall attach immediately to such collateral irrespective of whether the parties to the pledge document have notice of the pledge and without the need for any physical delivery, recordation, filing or further act, and, therefore, the City and the Corporation hereby warrant and represent that pursuant to the Lease, the Trust Agreement, to be dated as of November 1, 2020, by and among The Bank of New York Mellon Trust Company, N.A., as trustee (the “Trustee”), the City and the Corporation (the “Trust Agreement”), and the Government Code, the Trustee will have a first priority perfected security interest in the Lease Payments described in the Lease represented by the Certificates pursuant to the Government Code. WHEREAS, the City Council desires to consent to the assignment of certain of the Corporation's rights, title and interest in and to the Site Lease and the Lease Agreement, including the right to receive such lease payments from the City, to the Trustee pursuant to an Assignment Agreement, between the Corporation and the Trustee, to be dated as of November 1, 2020 (the “Assignment Agreement”), the form of which together with the form of the Trust Agreement have been presented to this City Council at the meeting at which this Resolution has been adopted; and WHEREAS, the City Council desires to approve the form of a Purchase Agreement (the “Purchase Agreement”), by and among the Corporation, the City and Stifel, Nicolaus & Company, Incorporated (the “Purchaser”), pursuant to which the Purchaser will agree to buy the Certificates on -2- 4847-6943-1237v3/022459-0033 the terms and conditions set forth therein, the form of which has been presented to this City Council at the meeting at which this Resolution has been adopted; WHEREAS, the City Council desires to approve the form of a Preliminary Official Statement relating to the Certificates (the “Preliminary Official Statement”) to be distributed to potential investors, for the purposes of facilitating the sale of the Certificates at the lowest feasible interest rate, the form of which has been presented to this City Council at the meeting at which this Resolution has been adopted; and WHEREAS, the City Council desires to approve the form of a Continuing Disclosure Agreement (the “Disclosure Agreement”) between the City and Digital Assurance Certification, LLC, the form of which has been presented to this City Council at the meeting at which the Resolution has been adopted; WHEREAS, the City Council desires to approve the form of an Agency Agreement between the City and the Corporation, the form of which has been presented to this City Council at the meeting at which the Resolution has been adopted; and WHEREAS, in compliance with SB 450, the City has obtained from KNN Public Finance, LLC, the City’s municipal advisor, the required good faith estimates and such estimates are disclosed and set forth in Exhibit A attached hereto. NOW, THEREFORE, BE IT RESOLVED by the City Council of the City of Newport Beach that: Section 1. Each of the foregoing recitals is true and correct. The City Council hereby finds and determines that the total rental to be paid under the Lease Agreement does not exceed the fair rental value of the leased property identified in Exhibit A to the Lease (collectively, the “Leased Premises”). Section 2. This City Council hereby consents to the preparation, sale and delivery of the Certificates in an aggregate amount of not to exceed $10,000,000 in accordance with the terms and provisions of the Trust Agreement, to pay the costs of the Project and to pay all associated costs in connection therewith. The proceeds of the Certificates shall be expended to finance the costs of the Project and to provide for a reserve fund, if any, and the costs of the preparation, sale and delivery of the Certificates. Section 3. The Bank of New York Mellon Trust Company, N.A. is hereby appointed as Trustee on behalf of the owners of the Certificates, with the duties and powers of such Trustee as set forth in the Trust Agreement. Section 4. The forms of the Site Lease, the Lease Agreement, the Trust Agreement, the Disclosure Agreement, the Agency Agreement and the Assignment Agreement presented at this meeting are hereby approved. Each of the Mayor, the City Manager, the Finance Director and the City Clerk is hereby authorized for and in the name of the City to execute the Site Lease, the Lease Agreement, the Disclosure Agreement, the Agency Agreement and the Trust Agreement in substantially the forms hereby approved, with such additions thereto and changes therein as are recommended or approved by Stradling Yocca Carlson & Rauth, a Professional Corporation, as Special Counsel to the City (“Special Counsel”), or the City Attorney and the officer or officers -3- 4847-6943-1237v3/022459-0033 executing the same. Approval of such changes shall be conclusively evidenced by the execution and delivery of the foregoing documents by one or more of the authorized officers. The Mayor, the City Manager, the Finance Director and the City Clerk each is hereby authorized to execute, acknowledge and deliver any and all documents required to consummate the transactions contemplated by the Site Lease, the Lease Agreement, the Disclosure Agreement, the Trust Agreement, the Agency Agreement and the Assignment Agreement. Section 5. The form of the Purchase Agreement presented at this meeting and the sale of the Certificates pursuant thereto are hereby approved, and each of the Mayor, the City Manager and the Finance Director is hereby authorized to evidence the City's acceptance of the terms and provisions of the Purchase Agreement by executing and delivering the Purchase Agreement in the form presented to the City at this meeting, with such additions thereto and changes therein as are recommended or approved by Special Counsel or the City Attorney and the officers executing the same. Approval of such additions and changes shall be conclusively evidenced by the execution and delivery of the Purchase Agreement; provided, however, that the Purchase Agreement shall be signed only if (a) the aggregate principal amount of the Certificates does not exceed $10,000,000, (b) the aggregate true interest cost of the Certificates does not exceed 2.0% per annum; (c) the interest rate with respect to the Certificates does not exceed 4.0% per annum; and (d) an underwriting discount for the purchase of the Certificates does not exceed 0.5% of the principal amount of the Certificates. The City Manager or the Finance Director, or their designees, are authorized to reject any terms presented by the Purchaser if determined not to be in the best interest of the City. Section 6. The form of the Certificates as set forth in the Trust Agreement (as the Trust Agreement may be modified pursuant to Section 4 hereof) are hereby approved. Section 7. In addition to the parameters relating to the Certificates set forth in Sections 1 and 5 of this Resolution, the Certificates shall mature no later than July 1, 2030 and may be subject to all or certain of the proposed prepayment provisions relating to the Certificates set forth in Exhibit B of this Resolution, as determined by the City Manager or the Finance Director. Section 8. Based on current market conditions, KNN Public Finance, LLC, the City’s Municipal Advisor, has projected maximum annual debt service with respect to the Certificates to be $1,073,700 and estimated the costs of delivery of the Certificates to be in the amount provided in Exhibit A under the subheading “Finance Charge of the Certificates.” Section 9. The form of the Preliminary Official Statement presented at this meeting is hereby approved, and the Preliminary Official Statement may be distributed to prospective purchasers in the form so approved, together with such additions thereto and changes therein as are determined necessary by the Finance Director, or his designee, to make such Preliminary Official Statement final as of its date for purposes of Rule 15c2-12 of the Securities and Exchange Commission. Each of the Mayor, the City Manager and the Finance Director is hereby authorized to execute a final Official Statement in the form of the Preliminary Official Statement, together with such changes as are determined necessary by the Finance Director, or his designee, and the officer executing the same to make such Official Statement complete and accurate as of its date. The Purchaser is further authorized to distribute the final Official Statement for the Certificates to the purchasers thereof upon its execution by an officer of the City as described above. The City Manager, the Finance Director and their written designees are hereby authorized and directed to take whatever steps are necessary to comply with the requirements of Rule 15c2-12 applicable to the Certificates following their execution and delivery. -4- 4847-6943-1237v3/022459-0033 Section 10. The Mayor, the City Manager, the Finance Director and the City Clerk are hereby authorized, jointly and severally, to do any and all things and to execute and deliver any and all documents which they may deem necessary and advisable in order to consummate the sale and delivery of the Certificates and otherwise effectuate the purposes of this Resolution (including but not limited to the execution and delivery of any consents or agreements to remove encumbrances to title with respect to the Leased Premises and to substitute, remove or add property to the Leased Premises that is determined by the City Manager to be in the best interests of the City) and such actions previously taken by such officers are hereby ratified and confirmed. In the event the Mayor is unavailable or unable to execute and deliver any of the above-referenced documents, any other member of the City Council may validly execute and deliver such document, and, in the event the City Clerk is unavailable or unable to execute and deliver any of the above-referenced documents, any deputy clerk may validly execute and deliver such document in her place. Section 11. In connection with the execution and delivery of the Certificates, the City has engaged Stradling Yocca Carlson & Rauth, a Professional Corporation, to act as Special Counsel and Disclosure Counsel to the City, Stifel, Nicolaus & Company, Incorporated to act as the underwriter and KNN Public Finance, LLC, to act as Municipal Advisor to the City. Section 12. If any section, subsection, sentence, clause or phrase of this Resolution is, for any reason, held to be invalid or unconstitutional, such decision shall not affect the validity or constitutionality of the remaining portions of this Resolution. The City Council hereby declares that it would have passed this Resolution, and each section, subsection, sentence, clause or phrase hereof, irrespective of the fact that any one or more sections, subsections, sentences, clauses or phrases be declared invalid or unconstitutional. Section 13. The City Council finds the adoption of this resolution is not subject to the California Environmental Quality Act (“CEQA”) pursuant to Sections 15060(c)(2) (the activity will not result in a direct or reasonably foreseeable indirect physical change in the environment) and 15060(c)(3) (the activity is not a project as defined in Section 15378) of the CEQA Guidelines, California Code of Regulations, Title 14, Division 6, Chapter 3, because it has no potential for resulting in physical change to the environment, directly or indirectly. Section 14. This Resolution shall take effect immediately upon its adoption by the City Council, and the City Clerk shall certify the vote adopting the Resolution. ADOPTED, SIGNED AND APPROVED this ___ day of _____, 2020. -5- 4847-6943-1237v3/022459-0033 Mayor of the City of Newport Beach ATTEST: City Clerk of the City of Newport Beach -6- 4847-6943-1237v3/022459-0033 APPROVED AS TO FORM: OFFICE OF THE CITY ATTORNEY: By: Aaron C. Harp, City Attorney -7- 4847-6943-1237v3/022459-0033 STATE OF CALIFORNIA ) ) ss. COUNTY OF ORANGE ) I hereby certify that the foregoing Resolution was duly and regularly adopted by the City Council of the City of Newport Beach at a regular meeting thereof held on the ___ day of _____, 2020, by the following vote: AYES: COUNCIL MEMBERS: NOES: COUNCIL MEMBERS: ABSENT: COUNCIL MEMBERS: ABSTAIN: COUNCIL MEMBERS: City Clerk of the City of Newport Beach -8- 4847-6943-1237v3/022459-0033 EXHIBIT A GOOD FAITH ESTIMATES The good faith estimates set forth herein are provided with respect to the Certificates in accordance with California Government Code Section 5852.1. Such good faith estimates have been provided to the City by KNN Public Finance, LLC, the City’s Municipal Advisor (the “Municipal Advisor”). Principal Amount. The Municipal Advisor has informed the City that, based on the City’s financing plan and current market conditions, its good faith estimate of the aggregate principal amount of the Certificates to be sold is $8,185,000 (the “Estimated Principal Amounts”). True Interest Cost of the Certificates. The Municipal Advisor has informed the City that, assuming that the respective Estimated Principal Amounts of the Certificates are sold, and based on market interest rates prevailing at the time of preparation of such estimate, its good faith estimate of the true interest cost of the Certificates, which means the rate necessary to discount the amounts payable on the respective principal and interest payment dates to the purchase price received for the Certificates, is 0.62%. Finance Charge of the Certificates. The Municipal Advisor has informed the City that, assuming that the Estimated Principal Amounts of the Certificates are sold, and based on market interest rates prevailing at the time of preparation of such estimate, its good faith estimate of the finance charge for the Certificates, which means the sum of all fees and charges paid to third parties (or costs associated with the Certificates), is $185,326. Amount of Proceeds to be Received. The Municipal Advisor has informed the City that, assuming that the Estimated Principal Amounts of the Certificates are sold, and based on market interest rates prevailing at the time of preparation of such estimate, its good faith estimate of the amount of proceeds expected to be received by the City for sale of the Certificates, less the finance charge of the Certificates, as estimated above, and any capitalized interest on the Certificates paid or funded with proceeds of the Certificates, is $9,500,000. Total Payment Amount. The Municipal Advisor has informed the City that, assuming that the Estimated Principal Amounts of the Certificates are sold, and based on market interest rates prevailing at the time of preparation of such estimate, its good faith estimate of the total payment amount, which means the sum total of all payments the City will make to pay debt service on the Certificates, plus the finance charge for the Certificates, as described above, not paid with the respective proceeds of the Certificates, calculated to the final maturity of the Certificates, is $9,958,938 and the annual cost to administer the Certificates, not paid with proceeds of the Certificates is $3,750. The foregoing estimates constitute good faith estimates only and are based on market conditions prevailing at the time of preparation of such estimates on August 24, 2020. The actual principal amount of the Certificates issued and sold, the true interest cost thereof, the finance charges thereof, the amount of proceeds received therefrom and total payment amount with respect thereto may differ from such good faith estimates due to (a) the actual date of the sale of the Certificates being different than the date assumed for purposes of such estimates, (b) the actual principal amount -9- 4847-6943-1237v3/022459-0033 of Certificates sold being different from the respective Estimated Principal Amounts, (c) the actual amortization of the Certificates being different than the amortization assumed for purposes of such estimates, (d) the actual market interest rates at the time of sale of the Certificates being different than those estimated for purposes of such estimates, (e) other market conditions, or (f) alterations in the City’s financing plan, or a combination of such factors. The actual date of sale of the Certificates and the actual principal amount of Certificates sold will be determined by the City based on various factors. The actual interest rates borne by the Certificates will depend on market interest rates at the time of sale thereof. The actual amortization of the Certificates will also depend, in part, on market interest rates at the time of sale thereof. Market interest rates are affected by economic and other factors beyond the control of the City. -10- 4847-6943-1237v3/022459-0033 EXHIBIT B PREPAYMENT PROVISIONS [Pursuant to the City’s Debt Management Policy, it should be noted that the below optional prepayment provision provides for a call at par less than ten years after the delivery of the Certificates.] Extraordinary Prepayment from Net Proceeds. The 2020 Certificates are subject to prepayment prior to their respective maturity dates on any date, in whole or in part, from Net Proceeds which the Trustee deposits in the Prepayment Fund as provided in the Lease Agreement at least 45 days prior to the date fixed for prepayment and credited toward the prepayment made by the City pursuant to the Lease Agreement, at a prepayment price equal to the principal amount thereof together with the accrued interest to the date fixed for prepayment, without premium. For extraordinary prepayment of 2020 Certificates pursuant to the Trust Agreement, the Trustee will select 2020 Certificates for prepayment so that the Net Proceeds will be applied to prepay a proportionate amount of 2020 Certificates and Additional Certificates based on the Outstanding principal amount and by lot within any maturity or sinking account prepayment. The Trustee will promptly notify the City and the Corporation in writing of the 2020 Certificates so selected for prepayment by mailing to the City and the Corporation copies of the notice of prepayment provided for in the Trust Agreement. The City will provide the Trustee with a revised sinking fund schedule upon any prepayments. “Net Proceeds” means any proceeds of any insurance, performance bonds or taking by eminent domain or condemnation paid with respect to the Leased Premises remaining after payment therefrom of any expenses (including attorneys’ fees) incurred in the collection thereof. [Optional Prepayment. The 2020 Certificates maturing on or after July 1, 20__ are subject to prepayment prior to maturity in whole or in part on any date on or after July 1, 20__ at the option of the City, in the event the City exercises its option under the Lease Agreement to prepay all or a portion of the principal component of the Lease Payments (in integral multiples of $5,000), at the prepayment price equal to the principal component to be prepaid, plus accrued interest to the date fixed for prepayment, without premium. In the event the City gives notice to the Trustee of its intention to exercise such option, but fails to deposit with the Trustee on or prior to the prepayment date an amount equal to the prepayment price, the City will continue to pay the Lease Payments as if no such notice had been given.] Mandatory Sinking Account Prepayment. The 2020 Certificates maturing July 1, 20__ (the “20__ Term 2020 Certificates”) will be subject to prepayment in part by lot, on July 1, 20__ in each of the following years from sinking account payments as set forth below at a prepayment price equal to the principal amount thereof to be prepaid, without premium; provided, however, that if some but not all of the 20__ Term 2020 Certificates have been prepaid pursuant to an optional or extraordinary prepayment, the total amount of all future sinking account payments will be reduced by the aggregate principal amount of the 20__ Term 2020 Certificates so prepaid in such manner as selected by the City. In addition, in lieu of prepayment thereof, the 20__ Term 2020 Certificates may be purchased by the City and tendered to the Trustee pursuant to the provisions of the Trust Agreement. -11- 4847-6943-1237v3/022459-0033 Mandatory Prepayment Date (July 1) Sinking Account Prepayment $ * * Final Maturity The 2020 Certificates maturing November 1, 20__ (the “20__ Term 2020 Certificates”) will be subject to prepayment in part by lot, on November 1 in each of the following years from sinking account payments as set forth below at a prepayment price equal to the principal amount thereof to be prepaid, without premium; provided, however, that if some but not all of the 20__ Term 2020 Certificates have been prepaid pursuant to an optional or extraordinary prepayment, the total amount of all future sinking account payments will be reduced by the aggregate principal amount of the 2046 Term 2020 Certificates so prepaid in such manner as selected by the City. In addition, in lieu of prepayment thereof, the 20__ Term 2020 Certificates may be purchased by the City and tendered to the Trustee pursuant to the provisions of the Trust Agreement. Mandatory Prepayment Date (July 1) Sinking Account Prepayment $ * * Final Maturity If prior to one of the mandatory prepayment dates specified above the City purchases any 20__ Term 2020 Certificates or 20__ Term 2020 Certificates, then at least 45 days prior to the prepayment date the City will notify the Trustee as to the principal amount purchased, and the amount of 2020 Certificates so purchased will be credited at the time of purchase, to the extent of the full principal amount thereof, to reduce the upcoming sinking account payment for the applicable maturity of the 2020 Certificates so purchased. All 2020 Certificates purchased pursuant to the Trust Agreement shall be cancelled pursuant to the Trust Agreement. CITY OF NEWPORT BEACH FINANCE COMMITTEE STAFF REPORT Agenda Item No. 5D September 24, 2020 TO: HONORABLE CHAIRMAN AND MEMBERS OF THE COMMITTEE FROM: Finance Department Dan Matusiewicz, Finance Director and City Treasurer 949-644-3123, dmatusiewicz@newportbeachca.gov SUBJECT: INTERNAL AUDIT PLAN UPDATE SUMMARY: In the spirit of continuous improvement, with support and direction from the City Manager’s office, the Finance Department has been charged to develop a comprehensive internal audit program. This report summarizes all internal audit activities to date including the findings of the Enterprise Risk Assessment and the Internal Controls Review report. Working in collaboration with City management, Moss Adams prepared a recommended internal audit program for Fiscal Year 2020-21 that focuses on addressing priorities from the risk assessment and internal controls review. RECOMMENDED ACTION: Review and discuss the reports and provide recommendations for City Manager consideration. DISCUSSION: Background While the City has managed a great many financial statement and compliance audits over the years, the City has never had a robust internal audit program. The program was initiated with an enterprise risk assessment and enterprise internal control review. These processes serve as the primary building block to inform and develop internal audit work programs to further assess and test internal controls, conduct performance audits, and provide consulting services when appropriate. Each year, an internal audit work program will be defined to guide internal audit activities for the upcoming fiscal year. Internal Audit Program Update September 24, 2020 Page 2 Current Progress Moss Adams completed an enterprise risk assessment and enterprise internal controls review and leveraged the results from these two bodies of work to prepare a recommended internal audit program for FY 2020-21. These three documents are attached to this staff report and all three were reviewed in detail by City management. An overview of each document is provided below. Fiscal Year 2020-21 Internal Audit Program Moss Adams translated the results of the enterprise risk assessment and internal controls review into an internal audit program. The goals of internal audit programs are to reduce risks, strengthen controls and compliance, and enhance performance. Working in collaboration with City management, Moss Adams prepared a recommended internal audit program for Fiscal Year 2020-21. The program focuses on addressing priorities from the risk assessment and internal controls review and includes the following projects: • Policy Inventory and Implementation Plan • Procurement Operational Review and Internal Controls Testing • Inventory Management Internal Controls Testing Enterprise Risk Assessment Moss Adams conducted an enterprise risk assessment in order to provide the City’s leadership with a means to identify and assess key risks to the City’s ability to achieve its defined objectives and operate effectively. As part of the assessment, Moss Adams conducted planning activities, completed fieldwork and data collection, analyzed the results of their fieldwork, and prepared the results of their analysis in a report. The process involved the assessment of risks related to 18 categories such as strategy, governance, staffing, finance and systems, and operations. Moss Adams assigned an overall risk level for each category. Risk levels reflect an evaluation of likelihood of a negative event, impact of a negative event, risk trajectory, and risk preparedness. In addition, mitigating actions were identified to reduce risks, and these actions translate directly into recommended internal audit activities. The highest risk categories include: • High: o Procurement and Contracting • Moderate to High: o External Risk o Organizational Structure and Staffing o Information Technology o Planning and Strategy o Risk Programs Internal Audit Program Update September 24, 2020 Page 3 The remaining twelve categories were rated as either moderate risk (seven) or low to moderate risk (five). Internal Controls Review Moss Adams conducted an enterprise internal controls review in order to determine the general adequacy of internal controls and identify areas warranting more in-depth review in the future. As part of the assessment, Moss Adams conducted planning activities, completed fieldwork and data collection, analyzed the results of their fieldwork, and prepared the results of their analysis in a report. Moss Adams reviewed the City’s fiscal internal controls for design and performed limited testing in key areas to determine if the controls were designed effectively. Specific areas of focus included: • Purchasing and Contract Management • Cash Receipts, Billing and Collections, and Accounts Receivable • Accounts Payable and Disbursements • Fixed Assets Management • Inventory Management • Financial Reporting • Budgeting • Payroll • Information Technology • Overall Control Environment To gain an understanding of the processes and controls in place in various departments, Moss Adams performed interviews with key personnel and performed procedures that included: • Identifying control objectives • Reviewing policies and procedures • Performing control walk-throughs and/or testing limited samples • Assessing whether controls would prevent/detect errors or asset misappropriation • Comparing the current environment to best practices • Providing recommendations regarding opportunities for improvement In addition, for each improvement opportunity, Moss Adams assessed risk levels of the likelihood and impact of occurrence of a negative event. The City has internal controls in place for many functions. Key controls with exception conditions are reported in the document. Priority areas for improvement include: • Purchasing and Contract Management Internal Audit Program Update September 24, 2020 Page 4 • Information Technology • Cash Handling • Accounts Payable • Police Property and Evidence • Inventory Management Management concurs with most findings and recommendations contained within the Internal Controls Review Report and has respectfully submitted responses to provide greater context and clarity to certain sections of the report in Attachment D. Prepared and Submitted by: /a/ Steve Montano _____________________________ Steve Montano Deputy Finance Director Attachments: A. Fiscal Year 2020-21 Internal Audit Program Presentation B. Enterprise Risk Assessment Final Report C. Internal Controls Review Final Report D. Management Response to Moss Adams Internal Controls Review ATTACHMENT A FISCAL YEAR 2020-21 INTERNAL AUDIT PROGRAM PRESENATION City of Newport Beach FY 20-21 Internal Audit Program September 24, 2020 Overview I.Introduction II.Internal Audit Program Components III.Enterprise Risk Assessment Overview IV.Internal Controls Review Overview V.Potential FY 20-21 Internal Audit Projects VI.Recommended FY 20-21 Internal Audit Plan 2 3 I. Introduction •The City retained Moss Adams LLP to serve as the designated Internal Auditor and conduct projects addressing: ◦Risks ◦Internal controls ◦Compliance ◦Performance ◦Best practices •Work is being performed under relevant industry standards 4 II. Internal Audit Program – Multi-Year Focus Internal Audit Plan Risks Internal Controls Compliance Performance Accounting and financial reporting, asset management, capital programs, compliance, economics and funding, fraud, governance, human resources, internal controls, maintenance and operations, management, operations and service delivery, organization and staffing, processes and procedures, procurement, public safety, risk management, and technologyFunctions Components PlanCity Internal Audit Annual 5 III. Risk Assessment Purpose and Process •Purpose: Provide City leadership with a means to identify and assess key risks to the City’s ability to achieve its defined objectives and operate effectively. •Process: Assessed 18 categories through document review, interviews, employee survey, and comparison to best practices. Review results with management. 6 III. Risk Factors 7 III. Risk Assessment Results 8 IV. Internal Controls Review Purpose and Process •Purpose: Determine the general adequacy of internal controls across the City and identify areas warranting more in-depth review in the future. •Process: Reviewed the City’s fiscal internal controls for design and performed limited testing in 10 key areas to determine if the controls were designed effectively. Performed assessment through document review, interviews, limited testing, and comparison to best practices. Reviewed results with management. 9 IV. Review Activities •Identify control objectives •Review policies and procedures •Perform control walk-throughs and/or testing limited samples •Assess whether controls would prevent/detect errors or asset misappropriation •Compare the current environment to best practices •Provide recommendations regarding opportunities for improvement 10 IV. Internal Controls Review Results Key Controls # of High Risk Control Issues* # of High-High Risk Control Issues** Total Control Issues Purchasing and Contract Mgmt.4 1 9 Cash,Billing, Collections, and AR 3 3 9 AP and Disbursements 1 1 6 Fixed Asset Management 3 1 4 Inventory Management 1 4 5 Financial Reporting 1 4 Budgeting 1 2 Payroll 2 1 3 Information Technology 3 6 Overall Control Environment 1 7 * High likelihood of occurrence; ** High likelihood and impact of occurrence 11 V. Potential FY 20-21 Internal Audit Projects •Procurement Operational Review and Internal Controls Testing •Inventory Management Internal Controls Testing •IT Operational Review and Internal Controls Testing •Cash Handling Internal Controls Testing •Accounts Payable Internal Controls Testing •Police Property and Evidence Internal Controls Testing •Policy Inventory and Implementation Plan •Finance Customer Service Operational Review •Key Performance Indicator Development •Business Continuity and Disaster Planning Assessment •Resource Sharing and Cross-Training Assessment 12 V. Recommended FY 20-21 Internal Audit Projects 1.Policy Inventory and Implementation Plan: Perform an inventory of fiscal policies to determine gaps and prepare a prioritized implementation plan. 2.Procurement Operational Review and Internal Controls Testing: Assess policies and procedures, workflow processes, and throughput, and test internal controls. 3.Inventory Management Internal Controls Testing: Assess tracking and control of inventory on hand that is expensed when purchased, such as office supplies, tires, safety equipment, and goods sold. 4.Program Management and Internal Audit Plan: Manage program, provide status reports, attend meetings, and prepare FY 21-22 internal audit plan. The material appearing in this presentation is for informational purposes only and is not legal or accounting advice. Communication of this information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials may have been prepared by professionals, they should not be used as a substitute for professional services. If legal, accounting, or other professional advice is required, the services of a professional should be sought. 13 ATTACHMENT B ENTERPRISE RISK ASSESSMENT FINAL REPORT THIS REPORT IS INTENDED FOR THE INTERNAL USE OF THE CITY OF NEWPORT BEACH, AND MAY NOT BE PROVIDED TO, USED, OR RELIED UPON BY ANY THIRD PARTIES. Proprietary & Confidential FINAL REPORT City of Newport Beach ENTERPRISE RISK ASSESSMENT September 16, 2020 Moss Adams LLP 999 Third Avenue, Suite 2800 Seattle, WA 98104 (206) 302-6500 Enterprise Risk Assessment Report FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Table of Contents Executive Summary 1 A. Project Scope and Methodology 1 Impacts of COVID-19 1 Risk Assessment Framework 2 B. Risk Assessment Results 3 Project Scope and Methodology 4 A. Scope 4 B. Methodology 4 Employee Survey 5 Risk Assessment Framework 7 Risk Assessment Results 9 A. High-Risk Categories 9 Procurement and Contracting 9 B. Moderate to High-Risk Categories 11 External Risk 11 Organization Structure and Staffing 15 Information Technology 17 Planning and Strategy 21 Risk Programs 23 C. Moderate-Risk Categories 25 Human Capital and Resources 25 Management and Leadership 30 Operations and Service Delivery 31 Accounting and Financial Reporting 33 Ethics, Fraud, Waste, and Abuse 35 Governance 37 Funding and Economics 39 Table of Contents – Continued Enterprise Risk Assessment Report FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY D. Low to Moderate-Risk Categories 41 Reputation and Public Perception 41 Policies and Procedures 43 Compliance 44 Public Safety 45 Infrastructure and Asset Management 48 Employee Survey Results 50 A. Survey Respondent Profile 50 Percent of Respondents by Years of Tenure 50 Percent of Respondents by Department 50 B. Overall Perceived Risk Ratings 51 Enterprise Risk Assessment Report | 1 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY EXECUTIVE SUMMARY The City of Newport Beach (City, Newport Beach) is located in Orange County, California (the County), and serves a population of approximately 90,000 residents. The City provides a full range of municipal services, including but not limited to: community development, fire, harbor management, library, recreation and senior services, police, public works, and utilities. Moss Adams LLP (Moss Adams, we) serves as the outsourced internal auditor for the City and we report to the City Manager, who oversees our work. As part of developing the internal audit work plan for the coming year, Moss Adams conducted an enterprise risk assessment in order to provide the City’s leadership with a means to identify and assess key risks to the City’s ability to achieve its defined objectives and operate effectively. As part of the assessment, we conducted planning activities, completed fieldwork and data collection, analyzed the results of our fieldwork, and prepared the results of our analysis in this report. The enterprise risk assessment process reflects a specific point in time: the risk assessment phase, which was conducted from February 2020 through April 2020. Both the overall risk ratings and trajectory levels are directly connected to this timing. This engagement was performed in accordance with Standards for Consulting Services established by the American Institute of Certified Public Accountants. Accordingly, we provide no opinion, attestation, or other form of assurance with respect to our work or the information upon which our work is based. This report was developed based on information from our interviews and analysis of sample documentation. The procedures we performed do not constitute an examination in accordance with generally accepted auditing standards or attestation standards. The majority of the research and analysis for this report took place prior to the impacts of the COVID- 19 crisis being experienced by City staff and residents. As such, this report presents a mostly pre- COVID-19 risk profile for the City. The rapidly changing situation—which is still developing at the time this report was issued—will affect many areas of the City’s operations. While the impacts of the pandemic are still unfolding, City leadership reported in June 2020 that the primary impacts have been related to funding and staffing. The City activated the Emergency Operations Center and a cross-section of staff from all departments to respond to the pandemic. A steep decline in tourism and retail sales, due to state-mandated orders, including beach closures, impacted the City’s revenues, requiring significant budget revisions to achieve a balanced budget and impacting long-term financial forecasts. There are major ongoing employee impacts: closure of City buildings has shifted the City’s workforce to almost all remote; public-facing programs were suspended; events were canceled; and public spaces were closed or limited to the public. The City has mounted a small business relief grant program with more than 300 recipients. We anticipate that the pandemic will continue to have impacts for some time on overall City management, including funding and economics, human resources, risk programs, emergency operations, economic development, library and recreation programs, and information technology. Enterprise Risk Assessment Report | 2 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY The process to identify and assess risks considers both internal and external factors. As part of this risk assessment, Moss Adams used a variety of techniques, both qualitative and quantitative, to identify external and internal factors that contribute to risk. The enterprise risk assessment process leveraged the Enterprise Risk Management (ERM) framework, as defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and embraced by the Institute of Internal Auditors (IIA). For each of the risk factor categories, Moss Adams assigned an overall risk level. These risk levels are intended to provide the City with a means of prioritizing mitigation efforts. Definitions of each level for overall risk, impact, likelihood, and preparedness are explained in the table below. Low Low to Moderate Moderate Moderate to High High Overall Risk Level A minor threat to the organization. Ordinary risks that should be addressed during the next review cycle. Risks that should be addressed as soon as reasonably possible. Serious risks that should be addressed expeditiously. Significant risks that should be addressed immediately. Impact Negligible impact. Minor impact on time, cost, or quality. Notable impact on time, cost, or quality. Substantial impact on time, cost, or quality. Threatens the success and/or future of the organization. Likelihood Unlikely to occur with current risk conditions. May occur with current risk conditions. Likely to occur with current risk conditions. Very likely to occur with current risk conditions. Almost certain to occur with current risk conditions. Preparedness Minimal risk preparedness activity. Preliminary risk preparedness efforts have been initiated, though few, if any, are implemented. Deliberate risk preparedness efforts are under way; important gaps remain. Preparedness efforts are well established, documented, and stable. Risk preparedness activities are robust and likely to be sustained. In addition, we also assessed risk relative to risk trajectory, which is the anticipated direction of the risk level given the current risk conditions. Trajectory was rated as decreasing, flat, or increasing. As part of this enterprise risk assessment, Moss Adams identified and evaluated risk conditions within 18 categories that cover strategy and governance, staffing, finance and systems, and operations. The summary results of the risk assessment are provided in the table below, with risk categories listed in order of overall risk rating, from highest to lowest. Enterprise Risk Assessment Report | 3 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY RISK CATEGORY IMPACT LIKELIHOOD PREPAREDNESS TRAJECTORY High Risk Procurement and Contracting  High High Moderate Increasing Moderate to High Risk External Risk  High High Moderate to High Increasing Organizational Structure and Staffing  High Moderate to High Moderate Increasing Information Technology  High Moderate Moderate to High Increasing Planning and Strategy  Moderate to High Moderate Moderate Flat Risk Programs  Moderate to High Moderate to High Moderate Flat Moderate Risk Human Capital and Resources  Moderate to High Moderate Moderate Increasing Management and Leadership  Moderate Moderate Low Flat Operations and Service Delivery  Moderate Moderate Moderate Increasing Accounting and Financial Reporting  Moderate Low to Moderate Moderate Flat Ethics, Fraud, Waste, and Abuse  Moderate Low to Moderate Moderate Flat Governance  Moderate to High Low to Moderate Moderate Flat Funding and Economics  High Low to Moderate Moderate to High Flat Low to Moderate Risk Reputation and Public Perception  Moderate to High Low Moderate Flat Policies and Procedures  Low to Moderate Moderate Moderate Decreasing Compliance  Moderate Low Moderate Flat Public Safety  Moderate to High Low Moderate to High Flat Infrastructure and Asset Management  Moderate Low to Moderate Moderate Decreasing Enterprise Risk Assessment Report | 4 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY PROJECT SCOPE AND METHODOLOGY The City engaged Moss Adams to conduct an independent enterprise risk assessment to evaluate the City’s overarching areas of risk. In order to assess the overall risk level of the City across a number of risk categories, the process followed conventional Enterprise Risk Management (ERM) methodology, as defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and embraced by the Institute of Internal Auditors (IIA). This assessment was conducted under the oversight of the City Manager. The Moss Adams team evaluated 18 categories of risk that collectively comprise operations across the organization. This risk assessment reflects an evaluation of current levels of risk relative to factors that include likelihood of occurrence of a negative event, impact of a negative event, level of preparedness in terms of mitigating negative events, and risk trajectory given the current risk conditions. Using this information, the City can identify the most important areas of risk and prioritize management of these risks. All City departments were included in the risk assessment process. This assessment includes information provided by Finance Committee members, senior leadership, managers, supervisors, and staff. The enterprise risk assessment process reflects a specific point in time: February 2020 through April 2020. Both the overall risk ratings and trajectory levels are directly connected to this timing. The enterprise risk assessment process consists of four phases: 1) planning, 2) fact finding, 3) analysis, and 4) reporting. Planning included requesting documents and identifying which individuals to interview and include in the survey process. Fact finding encompassed document review, analysis of existing data, interviews, and an online survey sent to City employees. Analysis included assessment of the level of uncertainty associated with each risk factor. Reporting entailed the development of draft and final deliverables, along with follow-up discussions with management and presentation to key stakeholders. The activities and goals for each phase are described in detail below. PLANNING We began planning our assessment by requesting a standard set of documents from the City, including (but not limited to) prior risk assessments, audits, public website documents, and financial reports. We used these documents to identify the first round of individuals to interview and additional document needs based on business process/functional areas. Enterprise Risk Assessment Report | 5 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY FACT FINDING Fact finding encompassed analyzing received documents, interviewing select employees and select City Council members, and soliciting additional employee feedback via an online survey. During this phase, we gathered information in order to gain a clear understanding of the City and the way it operates to achieve its goals and purpose. ANALYSIS With the information collected and compiled, we performed a risk assessment that includes a comprehensive review and analysis of the various categories of risks. This analysis included assessing current risk conditions and trajectory, the level of preparedness efforts to mitigate risks, and the probability and potential impact a negative event may have on the City’s ability to achieve its mission, vision, and strategic goals. REPORTING During this phase, we developed a draft report to engage in review and discussion with senior leadership. Based on feedback, we finalized the report for delivery to the City Manager and presentation to the Finance Committee. The enterprise risk assessment process relied heavily on evidence obtained from City employees. By design, the assessment process required access to all senior leadership and many department and division managers. Input was obtained from employees from all departments, through a combination of interviews and an online questionnaire; full disclosure of information has been assumed in this process. Distribution of a risk assessment survey offered staff the opportunity to identify perceived strengths and weaknesses of the City, and provided us with an additional data point to consider during our assessment of potential opportunities for improvement and areas of specific vulnerability. The survey posed a variety of statements for each risk category to employees, including rating scale questions and open-ended questions. Additional questions, including the rating of each category’s overall risk level, were posed only to management-level employees (identified by title, including: managers; supervisors; superintendents; administrators; assistant/deputy leadership positions; and leadership positions). The confidential survey was distributed to 585 full-time employees (FTEs) and was open for submission between March 9, 2020 and March 16, 2020. An internal email to inform employees of the upcoming survey was sent by the City prior to distribution of the survey via the research platform. Out of all the employees invited to take the survey, 88 individuals submitted responses – a participation rate of 15%. This rate is low for public-sector organizations and likely due to the impacts of COVID-19 during the time of the survey. Survey responses are noted in each section. Respondent demographics and overall risk ratings are included in Section IV of this report. Enterprise Risk Assessment Report | 6 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Given the low survey response rate, it is important to note that the survey results were not the sole or primary source of information for our overall assessment or recommendations. The staff survey rating was excluded from our risk assessment rating calculations. Instead, survey results provided additional context and point of comparison to understand staff sentiment and outlook on these issues. In general, staff risk ratings were lower than the risk assessment rating generated by the Moss Adams team, which is usually the case, notably for Procurement and Contracting, Information Technology, Planning and Strategy, and Risk Programs. However, we are cautious to draw specific conclusions due to the low survey response rate. RISK AREA MOSS ADAMS RISK ASSESSMENT RATING STAFF SURVEY RESULT RATINGS Procurement and Contracting High Low to Moderate External Risks Moderate to High N/A Organizational Structure and Staffing Moderate to High Moderate Information Technology Moderate to High Low to Moderate Planning and Strategy Moderate to High Low to Moderate Risk Programs Moderate to High Low to Moderate Human Capital and Resources Moderate Low to Moderate Management and Leadership Moderate Low to Moderate Operations and Service Delivery Moderate N/A Accounting and Financial Reporting Moderate Low to Moderate Ethics, Fraud, Waste, and Abuse Moderate Low to Moderate Governance Moderate Moderate Funding and Economics Moderate Low Reputation and Public Perception Low to Moderate Low to Moderate Policies and Procedures Low to Moderate Low Compliance Low to Moderate Low to Moderate Public Safety Low to Moderate Low Infrastructure and Asset Management Low to Moderate Low to Moderate Enterprise Risk Assessment Report | 7 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY The process to identify and assess risks considers both internal and external factors. As part of this risk assessment, Moss Adams used a variety of techniques, both qualitative and quantitative, to identify external and internal factors that contribute to risk. Risk assessments involve a dynamic and iterative process to identify and analyze risks to the City’s ability to achieve its objectives, forming a basis for determining how risks should be managed. For each of the 18 risk categories assessed, our risk assessment includes an overview of the risk condition at the City, including the current risk level, likelihood, impact, preparedness, and trajectory. In addition, risk mitigation identifies potential strategies to reduce overall risk for each category, and residual risk represents the probable risk exposure after risk mitigation efforts have been implemented. The elements provided below make up the risk assessment framework, which are industry standards and defined by COSO’s ERM methodology. RISK LEVEL Level of uncertainty that could impair functions and processes, in the absence of any actions taken to alter either the risk’s likelihood or impact. • Low • Low to Moderate • Moderate • Moderate to High • High LIKELIHOOD Qualitative assessment of the probability of a negative event occurring, given the current risk conditions. • Low • Low to Moderate • Moderate • Moderate to High • High IMPACT Level of potential impact of a negative event on strategy, people, operations, systems, and resources. • Low • Low to Moderate • Moderate • Moderate to High • High PREPAREDNESS Level of preparedness through activities and resources to manage risks and minimize and limit potential losses. • Low • Low to Moderate • Moderate • Moderate to High • High TRAJECTORY Trajectory of the risk level, given the current risk conditions. • Decreasing • Flat • Increasing RISK MITIGATION Potential strategies for reducing risk. Enterprise Risk Assessment Report | 8 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY RESIDUAL RISK Possible remaining exposure after known risks have been mitigated through specific actions. Enterprise Risk Assessment Report | 9 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY RISK ASSESSMENT RESULTS Overall Risk Level High Impact Likelihood Preparedness Trajectory High High Moderate Increasing Residual Risk Low to Moderate Suggested Risk Mitigation •Conduct a procurement efficiency study, including a workload analysis of the procurement function to determine if there is sufficient capacity and backup to adequately manage this function. •Prioritize the development of a comprehensive set of procurement policies and procedures, including contract management. •Assess the procurement and contract management processes for opportunities to improve efficiency and streamline communication, including leveraging technology to provide status updates and implement system workflows. Risk Areas Risks associated with purchasing processes (e.g., specifications development, bidding, selection) and contract administration (e.g., compliance with terms and conditions, payments, change orders) for goods, services, and capital programs. Scope Procurement and contracting includes purchasing processes (e.g., purchase orders, bidding, selection) and contract administration (e.g., compliance with terms and conditions, payments, change orders) for goods and services. The City’s purchasing function primarily resides within the Finance Department, with some exceptions. The positions involved in purchasing activities primarily consist of a dedicated purchasing agent, who is supported by a senior buyer and a senior fiscal clerk for the City’s central warehouse. A part-time fiscal specialist in the Financial Planning division also processes purchase orders. Public Works has historically had a dedicated buyer for auto parts for fleet maintenance. Public Works also performs, in partnership with Finance, much of the contract procurement related to capital projects. The Deputy Director of Finance is responsible for providing oversight of purchasing activities. The Institute for Public Procurement says that for procurement “...to operate effectively, it is imperative in those [procurement] systems that there be central leadership to provide direction and cohesion.” Best practice is to position procurement processes under the authority of a dedicated procurement position in order to support independence and good checks and balances. Purchasing requests may be initiated by any City employee with access to MUNIS, the City’s enterprise resource planning (ERP) system. The system workflows route purchases through the first Enterprise Risk Assessment Report | 10 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY layer of approvals (at department level) based on the dollar amount and assigned approval roles within MUNIS. A limited group of City employees have permission settings in MUNIS that allow them to convert a purchase requisition into a purchase order. This group includes the Purchasing Agent, the Senior Buyer, the Senior Fiscal Clerk, and a fiscal specialist in Financial Planning. The shift to using workflow approvals in MUNIS has streamlined processes and strengthened internal controls over purchasing activities; however, the volume of purchases continues to increase, which is creating workload challenges for purchasing roles. For example, the number of purchase orders issued by Purchasing increased 128.6% in fiscal year 2018-19 compared to the previous year. The City’s approach to contract management is spread between the City Attorney’s Office (CAO), the Purchasing group, and individual departments. The City Attorney’s office is the primary owner of the contracting drafting process. The assigned contract representative in each department is typically responsible for completing contract worksheets (based on service/work type) on the City’s intranet to trigger the CAO’s creation of a new draft contract based on standardized templates. The purchasing agent is responsible for overseeing the formal bidding and RFP processes for contracts, as well as contract negotiations. The CAO uses the CityLaw system to track contracts while drafting them in conjunction with the departments, until the point that final contracts are printed. The CAO works in collaboration with the HR Department to manage insurance requirements with the City’s broker, based on service types. Once a contract is executed, the information is entered into MUNIS by Finance. Individual departments are then responsible for active contract management during the life cycle of the contract (such as managing budget information and conformance with contract terms and conditions). Public Works engages in capital project procurement activities in cooperation with the Finance Department. The majority of managers who were interviewed reported procurement (including both purchasing and contracting) as a significant pain point and raised concerns about risks to operational effectiveness and efficiency. Staff reported in interviews and the employee survey that central purchasing has often become a bottleneck for procurement processes due to increasing volumes. The transition to the MUNIS system, while bringing positive impacts, also changed the purchasing workflows and demands on central purchasing resources. When there is a new system implementation, it is critical that the new process be assessed in terms of understanding the impact on staffing capacity, otherwise the City faces an increased risk of operational challenges to meeting business needs. The quality of the support for procurement and contracting is reportedly high, with 72% of survey respondents noting that customer service was excellent or good. Q: How would you rate the quality of the internal customer service provided to staff by the procurement and contracting team? 24%48%21%7% Excellent Good Average Poor Terrible Enterprise Risk Assessment Report | 11 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Overall Risk Level Moderate to High Impact Likelihood Preparedness Trajectory High High Moderate to High Increasing Residual Risk Moderate Suggested Risk Mitigation • Continue efforts to implement the City’s Housing Action Plan. • Explore strategies for supporting coordinated government relations activities. • Develop a framework to assess sea level rise vulnerabilities specific to the City, and support the implementation of adaptation strategies in coordination with other local governments. • Develop and implement cross training for key positions, such as the Emergency Services Coordinator. • Continue to participate in regional resilience and preparedness programs, initiatives, and planning. • Identify and begin to capture data on indicators for key external risk factors to establish a baseline for the City. • Conduct an analysis of Assembly Bill 5 risks, including contractual relationships; classification of workers; definitions of "usual course of business"; and short-term employment policies. Risk Areas Risks associated with events outside of an organization’s control. Scope External risks typically include economic trends, natural disasters, climate change, political lobbying and legislative changes, and interagency relations. The City has multiple external risk factors (described in more detail later in this report) that are primarily outside the City’s control. Examples include natural disasters, climate change, political lobbying and changes, and macroeconomic changes such as interest rates and industry shifts. Organizations typically cannot influence the likelihood of these events. Mitigating these risks requires a different approach from the other risk categories identified in this risk assessment. The approach for mitigating external risk factors should include risk identification and subsequent scenario analysis/testing to determine if the City has the necessary resources to mitigate the impact of an external risk event. Legal and Regulatory Changes While the City is subject to many laws and regulations (see the Compliance section of this report); mandates from the State often have significant impacts on the City. For example, as a result of a housing shortage, California’s housing costs have been rising consistently over the last few decades. Enterprise Risk Assessment Report | 12 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY High housing costs make it difficult for many Californians to find housing that is affordable and meets their needs. As part of State activities to address this issue, the proposed Regional Housing Needs Assessment (RHNA) will mandate that the City plan for 4,832 dwelling units between the October 2021-2029 period. Staff report that these requirements have provoked significant concerns from community members about how the City will retain the character of the community and manage the increased infrastructure need to support these additional units. In response to the RHNA, the City has designed the Housing Action Plan with the four objectives: 1) facilitating compliance with mandated deadlines and requirements; 2) appealing to reduce the City’s RHNA number; 3) focusing the General Plan update on housing; and 4) collaborating regionally. In 2019, Assembly Bill 5 (AB 5) became law in California, focusing on how independent contractors are defined and setting new requirements for providing employee benefits. It included a method for determining whether a given worker is an independent contractor or statutory employee under the California Labor Code. Although the impact of AB 5 on public employers appears limited, AB 5 does apply to public agencies. Public agencies like the City should evaluate potential AB 5 impacts on both operations and policy, as misclassifying employees as independent contractors carries potentially significant consequences for employers. Affordable Housing Aside from the challenges posed by RHNA, access to stable and affordable housing within the City and the greater region is an increasingly difficult challenge. Data from the U.S. Census shows that both owner and rental costs within the City are significantly higher than the surrounding County average and the U.S. national average. For example, the City’s median monthly housing ownership costs are 88.2% higher than the County average, and the median monthly rental costs (rent plus cost of utilities) in the City is 22.4% higher than the County average and over twice as much as the U.S. national average as shown in the table below. 2018 HOUSING STATISTICS Newport Beach Orange County U.S. Average % diff. from County % diff. from U.S. Value of owner-occupied housing $1,787,300 $652,900 $204,900 173.7% 772% Monthly owner costs (with mortgage) $4,000 + $2,702 $1,558 -- -- Monthly owner costs (without mortgage) $1,169 $621 $490 88.2% 139% Gross rent – median $2,175 $1,777 $1,023 22.4% 113% Source: U.S. Census Bureau, 2020 This lack of affordable housing increases risks to the City relative to recruiting and retaining employees. Multiple department heads noted that many of their employees live outside the City due to housing costs and have extremely long commutes, which presents risks to both employee retention and operational stability. Enterprise Risk Assessment Report | 13 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Air Traffic John Wayne Airport (JWA) is owned and operated by Orange County. JWA currently handles approximately 10.5 million passengers annually and 126 commercial flights per day. The airport is located along the northern boundary of the City, and residential and commercial properties are located directly below the airport’s primary departure pattern for commercial and general aviation aircraft. While the City does not have jurisdiction to control the airport, the presence of the aviation activity presents a major challenge for the City in terms of preserving the quality of life for residents. In 1985, the City, the County, the Airport Working Group (AWG), and Stop Polluting Our Newport (SPON) entered into a Settlement Agreement to resolve litigation related to JWA. The agreement has been amended multiple times, most recently in late 2015 with approval of the tenth supplemental stipulation, which included new calibration of noise monitors. The agreement will next be open for negotiation in the 2025-2026 fiscal year. To help mitigate potential impacts to residents, the City actively manages the relationship with JWA by designating a Deputy City Manager as the primary liaison and running an Aviation Committee to provide additional input and guidance on implementing the Newport Beach City Council Airport Policy. Interagency Relations As with all local governments, the City is dependent on collaborative relationships with multiple agencies at the local, state, and federal levels to provide services—notably public safety, transportation, disaster preparedness, natural resource management, and public utilities. The City’s utility environment is particularly complex, with key relationships with the Municipal Water District of Orange County, Orange County Sanitation District, State Department of Health and County Health, State Water Quality Control Board, Coast Guard, the Orange County Sheriff Department, Department of Fish and Wildlife Army Corps of Engineers, Coastal Commission, and JWA, among others. Within the past several years, the City separated the Utility and Public Works divisions into separate departments. A primary motivation for this change was to help elevate the utility function and give more visibility to the interagency work taking place in relation to this critical work. As noted in the Organization and Staffing section, the government relations function is decentralized, with some aspects of this work managed by staff in the CMO, City Attorney, Community Development, Public Works, and Utilities departments. While a decentralized model can be effective, without effective internal coordination it increases risks related to inconsistent messaging and redundant workloads. Ground Traffic The Orange County area consistently ranks on national worst traffic lists, and the congestion the City experiences is reflective of this reality. Tourist-heavy areas with limited infrastructure due to geography—most prominently the Balboa Peninsula—are especially vulnerable to traffic congestion. Staff report that traffic concerns are a primary quality of life issue for both employees and residents. The City’s Public Works’ Transportation Division is actively involved in traffic management, with a focus on implementing solutions that a majority of residents agree on. Enterprise Risk Assessment Report | 14 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Natural Disasters The City is susceptible to various natural hazards including drought, earthquakes, extreme heat, tsunamis and floods, wildfire, and other environmental shifts related to climate change. Potentially the most likely hazard is an earthquake on any of the three faults that extend through or are located near the City. An earthquake under or near the City has the potential to cause extensive damage due to ground shaking, fault rupture, liquefaction, earthquake-induced slope instability, and inundation due to catastrophic failure of the City’s water storage reservoirs. Other potential secondary effects of such an earthquake include urban fires ignited by damaged appliances, rupture of gas mains, fallen electrical lines, and the release of hazardous materials as a result of broken storage containers. The City has developed a strong set of disaster preparedness practices (see the Risk Program section for more details). Many individuals are involved in emergency response and public safety activities, such as the Emergency Operations Center. The City’s Fire Department is responsible for supporting public-facing programs such as the community emergency response teams. As noted in the Risk Program section of this report, the position of Emergency Services Coordinator plays a critical role, with responsibilities for day-to-day liaison, coordination, communication, training, and administrative support across the City. This position is essential for the City’s preparation efforts against all emergencies, including natural disasters, making cross-training key to sufficient backup. Climate Change Climate change is a complex issue that imposes multiple challenges on public agencies, which include defining how climate change relates to existing scopes of work and how to develop a plan to address climate change. While climate change itself is not a distinct hazard, the effects of it can exacerbate hazards and risks. These include increasing average temperatures, more heat waves and extreme heat days, more extreme weather, rising sea levels, worsening air pollution, and more vector-borne diseases. These changing conditions can have devastating effects on the regional economy, urban infrastructure, public health, recreation, tourism, agriculture, and the environment. Given the City’s coastal location and reliance on waterways, issues related to sea level change will be particularly impactful. Increasing temperatures will melt ice sheets and glaciers and cause thermal expansion of ocean water, both of which will increase the volume of water in the oceans. The U.S. Department of the Interior projects that average sea levels along the Southern California coast will rise on average by more than one foot by 2050 and by four to five feet by 2100. Scientists warn that sea level rise will likely be punctuated by episodic flood events as high tides and stronger and more frequent storm surges coincide, putting shoreline property and ecosystems at risk prior to 2050. Enterprise Risk Assessment Report | 15 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Overall Risk Level Moderate to High Impact Likelihood Preparedness Trajectory High Moderate to High Moderate Increasing Residual Risk Moderate Suggested Risk Mitigation • Perform a workload assessment and determine workload measures for City staff to better define workload challenges. • Create a prioritized list of workload challenges, and determine if acute pain points can be addressed through outsourcing or cross training. • Review decentralized functions to determine if efficiencies can be gained through increased coordination or centralized guidance, oversight, and training. Risk Areas Risks associated with how personnel is organized, as well as staffing levels and skills. Scope An entity’s organizational structure provides the framework to plan, execute, control and monitor its activities. Organization and staffing encompasses hierarchy, chain of command, span of control, and staffing levels. Staffing includes specific positions, counts, and capacity. A relevant organizational structure includes defining key areas of authority and responsibility and establishing appropriate lines of reporting. The City’s organizational structure consists of twelve departments: City Manager’s Office, Community Development, Finance, Fire, Harbor, Human Resources, Library Services, Police, Public Works, Recreation and Senior Services, and Utilities, in addition to the City Clerk and City Attorney’s offices. As of January 2020, the City has 973 active employees on staff including 585 FTEs and 388 part-time employees. With a few exceptions (for example, Public Works), managers’ spans of control are within normal ranges of four to eight direct employees. As part of the City’s strategy to manage unfunded pension liability, leadership has adopted a conservative approach to expanding staffing levels. As a result, some positions have stretched to fill multiple job functions and some teams are experiencing high workloads. While having a high- performing team of flexible employees, who can handle multiple functions, is a strength for the City, several critical functions would benefit from support through cross training of designated backups. Specifically, during interviews, the following functions were identified as needing additional workload analysis: • Cybersecurity • Payroll • Harbor code enforcement • Planning (if the City is going to revise the General Plan) • Public records Enterprise Risk Assessment Report | 16 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY • Purchasing • Real estate • Utility billing • Emergency preparedness Excessive workloads can result in employees working in a reactive mode rather than being proactive and operating strategically. These conditions can increase the risk of burnout, employee turnover, and loss of institutional knowledge, as well as increases service delivery challenges like the risk of errors and poor customer service. This can be particularly true for functions that have a high impact on multiple departments (like Purchasing) or the customer experience (like Utility Billing). Approximately two thirds of surveyed staff reported the opinion that the City is understaffed. Q: How would you rate the current staffing levels across the City as a whole? Q: How would you rate the current staffing levels within your department? Like most cities, Newport Beach has a number of functions that are decentralized. Some notable examples include external communications (see the Reputation and Public Perception section for more details), graphic design, government relations, and a few finance functions. While decentralized functions can provide operational benefits, they typically require enhanced coordination to achieve service efficiency and sometimes result in duplication of efforts. 5%22%56%11%6% Excellent Good Average Poor Terrible 5%29%41%22%3% Excellent Good Average Poor Terrible Enterprise Risk Assessment Report | 17 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Overall Risk Level Moderate to High Impact Likelihood Preparedness Trajectory High Moderate Moderate to High Increasing Residual Risk Moderate Suggested Risk Mitigation • Pursue opportunities to increase utilization/optimization of current systems. • Develop a succession plan for the IT Manager position. • Continue to enhance IT governance processes, while documenting and distributing supporting policies and procedures. • Continue work to improve penetration testing results. • Pursue collaboration opportunities with state and local government agencies to strengthen cybersecurity resilience, such as shared service agreements for cyber defensive tools, cybersecurity awareness training, and other ways to pool resources. • Identify and assess strategies to meet the need for increased cybersecurity readiness. Risk Areas Risks associated with information technology, cybersecurity, and data. Scope Information technology risks include the design, development, implementation, administration, operations, and maintenance of information systems including change management and the system development life cycle. Also includes risks to infrastructure, system performance, data architecture and management, integration, backup, security, and controls. The IT function at the City resides within the City Manager’s Office, with the IT Manager reporting to the Assistant City Manager. The IT Manager oversees three teams: IT Operations, IT Applications; and the GIS function. Similar to other local governments, the City’s use of IT has rapidly grown over the years, with departments being responsible for driving IT purchasing. The IT governance process is relatively new, without an official documented policy in place. Technology has become part of the backbone of local government operations, as the integration of systems evolves and reliance on technology continues to increase. The IT group has reportedly been successful due to the talented individuals who staff the department. The IT Manager has been with the City for almost 30 years, so there is an increased need to implement succession planning for this critical function. A growing number of local governments have recognized the need for a dedicated senior leadership position in IT, such as a Chief Technology Officer, as the role of technology becomes increasingly critical for core operations and delivery of essential services to citizens. Cities are facing digital disruption as they integrate emerging technologies (such as artificial intelligence, “smart” cities; and the Internet of Things) with the rapidly changing cybersecurity landscape. Enterprise Risk Assessment Report | 18 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY IT Systems As part of its daily operations, the City utilizes a wide range of enterprise and department-specific applications. The primary enterprise systems include Tyler Munis (finance, purchasing), NeoGov (recruiting/onboarding), Microsoft Office 365 (administration), SysAid (IT ticketing), and PerformancePro (performance evaluations). IT is also in the process of replacing several major applications, including the Integrated Library System (ILS) and Land Management System (LMS). In general, staff report that they feel well supported by the current IT systems and hardware. Q: How would you rate the quality of the information technology systems that you currently have (software, applications, programs, etc.) and use in your role? Q: How would you rate the quality of the information technology hardware that you currently have (computers, phones, etc.) and use in your role? However, there are several prominent opportunities for improvement. Some of the most commonly noted issues from staff include improving systems support for the procurement process (see the Procurement and Contracting section) and ensuring that existing systems are fully utilized. For example, the IT Division has documented multiple functions within the Tyler Munis platform that are currently not being used. In addition, IT staff noted several processes that are currently manual— including time-off requests and employee expense, petty cash, and travel authorizations—and could be automated within the City’s existing systems. Automation could increase staff efficiency, as well as improve consistency and internal controls. IT Governance IT governance plays an important role in local governments to optimize technology purchases, systems integration, and access to information to support decision making. While the City lacks a documented IT governance policy, it recently implemented a more centralized governance process. Within this context, decisions regarding IT purchases are supposed to be made in partnership between IT and the individual departments. This model is supported by centralized funding through the IT Internal Service Fund (ISF). The ISF chargeback methodology is based on multiple factors in line with industry standards: 10% charged to divisions based on the number of FTEs, 65% charged based on the number of devices, and 25% charged based on the number of support tickets. 19%61%16%4% Excellent Good Average Poor Terrible 21%57%17%5% Excellent Good Average Poor Terrible Enterprise Risk Assessment Report | 19 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Following best practice, the City operates with a standardized four-year replacement schedule for end user computing equipment. The City also collects comprehensive replacement costs for software, hardware (PCs, devices, phones, printers), network, data center, and library/fire equipment. IT Staffing The IT function employs 15.5 FTEs across Operations, Applications, and GIS. This is a lean staffing structure given the size of the City. In particular, the City is working with a ratio of one IT support technician/specialist (first level of response) to approximately 325 employees. Industry standards commonly recommend ratios ranging between 1:150 and 1:250, depending on the complexity of the IT environment. In addition, staff report that the workload for IT staff is increasing. For example, it was recently suggested that all security camera management should be centralized in IT, without considering potential impacts to the IT capacity. The City would benefit from establishing a shared and consistent process to prioritize new potential IT work, in order to ensure sufficient IT staff support for new initiatives. Interviewed and surveyed staff reported that the IT function provides excellent or good internal customer service. Q: How would you rate the quality of the internal customer service provided to staff by the IT team? Data Storage The IT function has taken significant measures to ensure that data is securely stored and recoverable. The City is currently operating with 99% server virtualization and uses Veeam backup and replication solutions, which are stored on a local backup appliance. In addition to on-site backups, the City uploads all mission critical data—database exports, source code, and payroll data—to Amazon Web Services. The City retains one year of backups for all systems. The IT Division is also currently evaluating the iLand Disaster Recovery cloud solution and has plans to implement the product in 2020. The iLand cloud backup solution project would include backup and restoration procedures. Cybersecurity Almost every civic function across a modern city is facilitated, housed, or carried out on digital systems; consequently, any threat that compromises these systems presents a significant area of risk. The City does not currently employ a dedicated cybersecurity staff position. As risks related to cybersecurity continue to grow, it will be critical to ensure that adequate attention is paid to cybersecurity. The IT function completed its first IT penetration test in 2019. As this process was new to the City, it uncovered significant opportunities to improve security. City leadership reports that IT was highly responsive to resolving the identified issues and has successfully addressed all critical and high-priority problems. IT is planning to conduct a second penetration test in 2020 to track progress and plans to integrate penetration testing into regularly scheduled activities. 51%38%9%2% Excellent Good Average Poor Terrible Enterprise Risk Assessment Report | 20 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY In terms of user training, IT performs phishing tests each quarter, holds annual staff trainings, and sends out a weekly newsletter to all employees. Staff report that they have successfully reduced the phishing test failure rates from 9% to below 3%. Over 60% of surveyed staff reported they were extremely or very prepared to identify, report, or manage a cybersecurity threat. Q: How prepared do you feel to identify, report, or manage a cybersecurity threat? Cybersecurity threats and incidents continue to emerge in local government, and they can result in extensive costs beyond the initial amount of money demanded by attackers. For instance, the City of Atlanta spent more than $2.6 million on emergency efforts to recover from a ransomware attack in 2018, and the 2019 ransomware attack on the City of Baltimore caused at least $18 million in damages. A coordinated ransomware attack hit more than 20 local governments in Texas in 2019. Once activated, ransomware programs effectively lock out city employees, preventing them from accessing key systems, servers, and data—often rendering computers unusable unless a ransom or other demand set by the attackers is met. Other schemes can result in city employees or citizens unknowingly transferring funds into fraudulent accounts, exposure of citizens’ credit card and personal data, outages of 911 dispatch systems, digital police evidence lost, traffic light outages, and compromised water quality. This shift in focus by cybercriminals to public-sector organizations comes after a deliberate shift in the private sector to make more of the necessary investments to secure their systems after suffering from cyberattacks. In the wake of the COVID-19 pandemic, cities have experienced spikes in malicious activity, including targeted phishing attacks and other attempts to confuse city staff who are already under increased pressure. Some governments are increasing their use of outsourced resources, including cybersecurity risk assessments, audit log analysis, and threat management and monitoring. 24%36%33%4%3% Extremely prepared Very prepared Moderately prepared Slightly prepared Not prepared at all Enterprise Risk Assessment Report | 21 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Overall Risk Level Moderate to High Impact Likelihood Preparedness Trajectory Moderate to High Moderate Moderate Flat Residual Risk Low to Moderate Suggested Risk Mitigation • Establish a three to five-year strategic plan that identifies major City goals and activities. • Implement a basic performance measurement strategy that is aligned with the City’s strategic plan. • Based on the City’s strategic goals, establish annual operating plans (and related measurements) for each department. • Ensure sufficient resources are available to support the General Plan update process. Risk Areas Risks related to organizational planning activities. Scope Planning activities include operational and strategic planning, including both short-term and long-range planning. A comprehensive planning framework builds upon strategic goals, and dives into the next layer of planning which looks at strategic objectives for not only the enterprise, but sets objectives for departments, divisions, programs, and individual roles. In alignment with the City’s Fiscal Sustainability Plan, the City’s primary focus for planning activities has been to achieve long-range financial stability. For example, the City maintains and reviews a Long-Range Financial Forecast each year as part of the regular budget process. The City has also prioritized activities like instituting an aggressive payment schedule for the unfunded liability pension and establishing multiple reserve funds (like the Facilities Financial Planning Reserve and Equipment Replacement Fund) to ensure that significant anticipated expenditures will be adequately provided for in the future. In addition, the Public Works and Community Development teams are highly involved in planning activities. More specifically, Public Works oversees a robust CIP process (see Capital Program Section) to plan for the provision of public improvements, special projects, and ongoing maintenance initiatives, in addition to maintaining documents like the Water Master Plan. Community Development is in charge of maintaining the City’s General Plan—a tool to help the City make land use and public investment decisions. The General Plan was last updated in 2006. The City had planned to embark on revisions to the Plan in 2019, but recent mandates from the Regional Housing Needs Assessment have shifted the priority of this planning process. The majority of surveyed staff (77%) rated the quality of organizational planning as excellent or good. Enterprise Risk Assessment Report | 22 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Q: How would you rate the quality of organizational planning (strategic planning, annual operations planning, financial planning, etc.) that happens at the City? Despite these areas of strength, the City has historically not had a strategic planning culture. Strategic plans serve as valuable tools to clarify the mission, vision, and direction of the City. Without the continuity provided by a plan to guide decision making over a multi-year period, there is a risk that work can become diluted, priorities can be unclear or change, and staff can be left to work in a highly reactive (rather than proactive) environment as they attempt to respond to multiple new and uncoordinated requests from the City Council. Within this context, management report that it can be challenging to make sound decisions around what work they should or should not prioritize. Without a strategic plan and associated goals, it is extremely challenging to implement successful performance measurement to track the City’s progress over time. The City’s Fiscal Sustainability Plan states that the City will “implement a Performance Measurement/Management Strategy as part of an ongoing effort to ensure high-quality and efficient performance.” However, this work has not yet begun. By setting strategic objectives for the City as a whole, leadership will be better able to identify critical success factors and associated performance measurement criteria. While some departments have developed annual work plans (for example, the IT function), this is not a standard practice throughout the City. Staff report that the City values agility and does not have a culture of planning, with multiple employees noting that strategic or annual operating plans would hinder the City’s ability to respond to incoming issues. As such, the City will need to incorporate change management practices into any planning initiatives to ensure adequate buy-in from staff at all levels within the organization. 21%56%16%7% Excellent Good Average Poor Terrible Enterprise Risk Assessment Report | 23 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Overall Risk Level Moderate to High Impact Likelihood Preparedness Trajectory Moderate to High Moderate to High Moderate Flat Residual Risk Moderate Suggested Risk Mitigation • Evaluate options to enhance security and access to City employee work spaces. • Conduct an assessment of employee safety and health programs at the City. • Coordinate risk management functions across the City to develop and deliver a cohesive emergency management program. • Update the Local Hazard Mitigation Plan (last published in 2016) on schedule with FEMA requirements • Develop and implement cross training for the Emergency Services Coordinator position. Risk Areas Risks associated with the organization’s formal/structured risk management programs, such as employee health and safety programs, operational risk management programs, and incident response and emergency management efforts. Scope Risk programs include administration of the general liability, workers’ compensation, safety, disability management and property programs. Risk efforts also include contract/insurance certificate review, insurance procurement, emergency preparedness programs, and continuity of operations planning. Risk and Safety Management Risk management functions and related activities are distributed across different positions within the City; there is no dedicated enterprise risk management program. Risk management activities can be found within the HR Department, which focuses primarily on insurance programs and is responsible for running a Safety Committee. In the Police Department, the Emergency Services Coordinator supports emergency management. Within the Fire Department, individuals support disaster response planning and community programs. Most of these individual functions have skilled staff supporting them; however, the City would benefit from more formally coordinating its current activities into a cohesive risk management program designed to identify potential events that may affect the City and protect and minimize risks to the City’s property, services, and employees. Surveyed employees noted concerns with security at times, particularly around the unsecured nature of City Hall. We observed that the City has no controlled access points to employee work areas in City Hall, with only intermittent “Employees Only” signs indicating where public-spaces end. While there are many admirable aspects about the new building, the open floor concept combined with the lack of controlled entry points can increase the risk of unauthorized or unwelcome persons walking into City work areas. Only a few employees reported participating in some safety-related trainings in the last few years, indicating the City should provide additional training for safety and emergency Enterprise Risk Assessment Report | 24 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY management. Almost 40% of survey respondents noted that they have felt physically unsafe at work within the past two years. Q: In the last two years, have you experienced an incident or experience where you’ve felt physically at risk or unsafe while working at the City? Workers' Compensation and Insurance The risk management function is responsible for processing and monitoring all CAL/OSHA activity. While 50% of survey respondents rated the workers' compensation program as average, 40% gave it a rating of excellent or good. Q: How would you rate the workers' compensation program and processes? Emergency Management The City’s Emergency Management Program was created by Municipal Ordinance 2.20.060, which designates the City Manager as the Director of Emergency Services and gives them the power to designate an Assistant Director of Emergency Services. The Emergency Management Program staff consists of: (1) an Emergency Council that consists of the Mayor who shall be Chairman (in his/her absence, the Mayor Pro Tem), remaining members of City Council, and other officers and employees of Newport Beach; (2) an Emergency Services Coordinator who oversees the City’s Emergency Management Program; and (3) a Life Safety Specialist who is responsible for the City’s community preparedness. The Emergency Services Coordinator and Life Safety Specialist work under the direction of the Police and Fire Departments, respectively The City has engaged in suitable planning efforts around emergency management—including development of the Emergency Operations Plan, a Local Hazard Mitigation Plan, a Public Education Program, and a Community Emergency Response Team (CERT) Program. In addition, the City has established the Employee Emergency Response Team (ERT) Program, which consists of employees who are responsible for receiving training in CPR and first aid and serving as Safety Officers in the event of an emergency. Activation of the Emergency Operations Center (EOC) in response to the COVID-19 pandemic provided the City with the opportunity to test out operations and identify operations for improvement. 61%39% No Yes 7%33%50%7%3% Excellent Good Average Poor Terrible Enterprise Risk Assessment Report | 25 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY There are many individuals involved in the activation and running of the EOC, and emergency management activities are not dependent upon one person. However, the Emergency Services Coordinator is a key position, filled by a person who has extensive institutional knowledge. There is no formalized backup for the full scope of this position. Risk exposure due to loss of institutional knowledge could be mitigated through cross training for this position. Overall Risk Level Moderate Impact Likelihood Preparedness Trajectory Moderate to High Moderate Moderate Increasing Residual Risk Low to Moderate Suggested Risk Mitigation • Institute consistent performance evaluations that incorporate annual employee growth and development plans. • Develop succession plans for key positions. • Evaluate compensation levels for operational cost sustainability and retention. Risk Areas Risks associated with recruiting, workforce development, labor and employee relations, employee management and benefits, and succession planning. Scope Human capital and resource practices can span functions that include hiring, orientation, training, evaluating, counseling, career planning, compensation and benefits, labor negotiation, employee relations, retirement and succession planning. These practices can house the policies that define an organization’s expected levels of professionalism and competence. The Human Resources Department at the City has 12.25 budgeted FTEs in the 2019–2020 fiscal years. The positions consist of an HR Director, HR Manager (2), HR Specialist II (4), HR Senior Analyst (2), HR Analyst, Assistant (2), and Student Aide. HR appears to be adequately staffed; the ratio of HR FTE to Citywide FTEs is 1:72, which is well below the standard best practice maximum ratio of 1:100. The City collaborates with 11 bargaining units, in addition to the non-represented executive group. In general, staff report that they feel adequately supported by the HR team, with the majority of survey respondents noting the quality of internal customer service provided by HR as excellent or good. However, the range of responses indicates that there may be opportunities for improvement. Enterprise Risk Assessment Report | 26 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Q: How would you rate the quality of internal customer service provided to staff by the HR Department? Recruiting Like many other public agencies, the City is experiencing some challenges with recruiting high-quality talent. Some of the challenges are external, like the high cost of living in the area, and some are related to internal processes or policies. For example, staff report that the City’s decision to offer police testing only once a quarter has created a barrier to hiring sworn officers. Another commonly noted issue is a comparatively high retirement contribution paid by City employees. Staff contribute between 12% and 14% of their salary to retirement, resulting in reduced net income. Staff report that these levels are significantly higher when compared to other local agencies. As of January 2020, the City had 45 vacant full- and part-time positions, 28 of which are within public safety. When asked to rate the effectiveness and efficiency of the City’s recruitment processes and support, survey respondents reported a wide range of opinions: Q: How would you rate the effectiveness and efficiency of the City’s recruitment processes and support? Performance Management The City uses the PerformancePro system to administer basic performance appraisals where all staff are rated in four or five general categories: attitude and customer relations, communication, job knowledge/skills, productivity, and supervision/management (for supervisors only). In alignment with best practice, the system is online (rather than being paper-based). However, the evaluations are done on a rolling basis, rather than on a regular annual calendar, which can decrease the likelihood that all staff receive appraisals on time. In addition, individual career goals and career growth plans are not integrated into the performance evaluation process. There are no formal opportunities to provide upstream or 360 evaluations, so management does not receive feedback from the staff that they supervise. While a majority of survey respondents rated the effectiveness of the performance evaluation process as very or moderately effective (69%), almost a third rated the process as only slightly effective or not effective at all. 19%39%25%12%5% Excellent Good Average Poor Terrible 18%29%29%18%6% Excellent Good Average Poor Terrible Enterprise Risk Assessment Report | 27 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Q: How would you rate the effectiveness of the current performance evaluation/appraisal process? As noted in the Management section of this report, accountability is a commonly cited performance management challenge. The majority of survey respondents (59%) reported that non-supervisory staff are only moderately held accountable for their actions. While respondents reported that supervisory staff are held accountable more frequently than non-supervisory staff, almost 30% of respondents felt they were only slightly or not at all consistently held accountable. Q: How consistently are non-supervisory employees held accountable for their actions? Q: How consistently do you feel managers are held accountable for their actions? Retention In general, the City has a strong track record of retaining employees. Within the past three years, the City’s turnover rate for FTEs has ranged between 8.5% and 9.4%—well below the average turnover rate for local government agencies, which typically falls between 19% and 20%. While there is variation depending on specific departments/divisions, staff generally report that there is a positive work environment within their immediate team. This is reflected in the responses to survey questions about the City’s efforts to establish a welcoming workplace culture: 33%36%19%13% Extremely effective Very effective Moderately effective Slightly effective Not effective at all 6%18%59%5%12% Extremely consistently Very consistently Moderately consistently Slightly consistently Not at all consistent 10%36%25%13%16% Extremely consistently Very consistently Moderately consistently Slightly consistently Not at all consistent Enterprise Risk Assessment Report | 28 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Q: How well has the City established a welcoming workplace culture? Apart from the retirement system-related concerns, interviewed and surveyed staff generally reported satisfaction with the City’s compensation and benefits. In particular, benefits like the City’s health programs were reported to be especially well received. Of concern, however, is that over half (54%) of the City's FTEs were at the highest step in their pay grade, which is based on position. There are between zero to eight steps in each pay grade (except for Police, which has 11 steps). The high concentration of employees at the highest pay step of their pay grade indicates that the City may have an increased risk that employees have hit a ceiling when it comes to career advancement compensation increases. For example, in the Utilities Department, out of the 44 FTEs (or 86%) are at pay grade step eight. A large percentage of employees at the high end of a pay scale also translates into a high cost workforce. Q: How would you rate the adequacy of the City’s compensation and benefits? The HR Department reported that a primary focus of their retention strategy is to provide high-quality training opportunities to staff. This effort is reflected in the large majority of survey respondents (66%) who noted that their access to the training and professional development resources they need to grow their career was excellent or good. Q: How would you rate your access to the training and professional development resources you need to grow your career? The City does not provide an annual employee engagement survey to track trends over time or gather employee feedback. However, the HR Department does offer focused surveys related to specific functions like workers' compensation, onboarding, and in-house trainings. 11%37%32%15%5% Extremely Well Very Well Moderately Well Slightly Well Not Well At All 11%46%33%8%3% Excellent Good Average Poor Terrible 22%44%26%4%4% Excellent Good Average Poor Terrible Enterprise Risk Assessment Report | 29 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Succession Planning In general, the public sector is experiencing significant challenges associated with an aging workforce reaching retirement eligibility. Approximately 28.4% of the FTEs at the City were eligible to retire in March 2020.1 The table below presents the number of FTEs by department who are eligible for retirement as a percentage of the total number of FTEs. Public Works has the highest percentage of eligible employees, with 60.8% of total FTEs (a count of 45 positions) eligible to retire. DEPARTMENT % OF FTES ELIGIBLE TO RETIRE City Attorney 0.0% City Clerk 25.0% City Manager 37.5% Community Development 32.4% Finance 45.8% Fire 24.5% Harbor 0.0% Human Resources 10.0% Library Services 40.6% Police 16.2% Public Works 60.8% Recreation & Senior Services 20.6% Utilities 27.3% Total 28.4% The City has not yet institutionalized succession planning efforts across departments. The HR Department has identified the need to perform additional work to ensure that there are strong career paths and ladders within all departments—a key factor for effective succession planning. Without a deliberate, institutionalized program for effective knowledge management and transfer, a significant amount of institutional knowledge and technical expertise citywide is at increased risk of being lost. 1 Calculated using CALPERS criteria of age 50 with five years of service credit before 1/1/2013, or age of 52 with five years of service credit. Enterprise Risk Assessment Report | 30 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Overall Risk Level Moderate Impact Likelihood Preparedness Trajectory Moderate Moderate Low Flat Residual Risk Low to Moderate Suggested Risk Mitigation • Provide additional management training focusing on leadership, change management, and communication. • Develop a cascading communication framework to improve internal communication. Risk Areas Programs and activities related to organizational leadership, management practices, leadership strategic activities, and operating styles. Scope Management's philosophy and operating style affect the way an organization is managed, including the kinds of risks accepted. The attitude and daily operating style of top management affect the extent to which actions are aligned with risk philosophy and appetite. A collaborative management team that is able to communicate and make decisions through an enterprise leadership lens is a critical component to operational effectiveness. Staff report that the City’s leadership collaboration has improved greatly in recent years. Many noted that the new City Hall building has helped to break down silos and increase communication. Several examples of positive team-work were also noted, including the effective use of the Drought Response Task Force. When asked about the ability of senior leadership to collaborate, 75% of survey respondents provided a positive rating. Q: How well do you feel that the senior leadership team at the City works together? However, City leadership reports that there are opportunities to improve enterprise decision making, which is decision making that focuses on what is best for the City as a whole, rather than what is best for an individual department. Through interviews, it was apparent that many managers use a fairly hands-off management approach. While this approach can work well with high-performing and diligent staff who are tightly aligned around the same goal, it is less effective when it is necessary to implement change or accomplish activities that may be in the City's best interest but not viewed as such from a 25%50%25% Extremely well Very well Moderately well Slightly well Not well at all Enterprise Risk Assessment Report | 31 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY departmental perspective. Staff noted multiple examples of positive changes and new initiatives that were ultimately abandoned by managers, because they were unable to get staff buy-in and unwilling to hold staff responsible to embracing change. This creates risks, as staff are not being held accountable for adopting changes that could positively impact City operations (see the Human Capital and Resources Performance Management section of this report for more details). Internal communication within the City, which starts at the management team level, was noted to be inconsistent. In particular, there is a perception that a wide gap in knowledge exists between what is shared at the director level and what is communicated to staff. This is exacerbated by a lack of positions focused on internal communications. Over 45% of surveyed staff reported that quality of leadership communication was average, poor, or terrible. Q: How would you rate the quality of the communication you receive from leadership? Overall Risk Level Moderate Impact Likelihood Preparedness Trajectory Moderate Moderate Moderate Increasing Residual Risk Low Suggested Risk Mitigation • Perform an operational review of customer-facing functions within the Finance Department. • Continue work to streamline and digitize permitting processes within the Community Development Department. • Implement key performance indicators and targets, as well as an annual resident engagement surveys, to track and evaluate service levels over time. Risk Areas Risks associated with programs/service delivery and quality, resident expectations, and resource allocation. Scope Day-to-day operations across the organization, and efficient and effective delivery of the City’s programs and services in alignment with the City’s strategic goals, vision, and mission. 22%33%33%10%2% Excellent Good Average Poor Terrible Enterprise Risk Assessment Report | 32 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY At the most fundamental level, the City’s mission is to direct the efficient and effective delivery of municipal services. The City provides a full range of services to residents, including: • Community Development (Planning, Building Permits and Plans, Code Enforcement) • Finance (Utility Billing, Permits and Licenses) • Fire • General Services (City Maintenance) • Harbor • Library • Police • Public Information • Public Works • Recreation and Senior Services • Utilities Over 90% of survey respondents reported that the City’s overall ability to deliver core services to the public in an effective manner was excellent or good. Q: How would you rate the City’s overall ability to deliver core services to the public in an effective manner? Strong customer service is a key factor to effectively deliver services. “Excellent Service” is one of the City's core values and is defined as “providing thorough, efficient and effective service with a courteous and professional attitude. It also means being informed, timely, and open to complaints and requests.”2 Interviewed staff commonly noted that providing quality customer service was a goal shared throughout the organization. However, several areas were noted as opportunities to improve customer experiences, including, but not limited to: • Utility Billing (Finance Department): As part of the transition to using Tyler Munis to support utility billing, the City has been uncovering billing errors. Given that the City is currently undergoing a significant sewer rate increase, it is especially important that billing issues are proactively resolved. • Permitting (Community Development): Most notably, the City is working toward moving aspects of the permitting process online to improve the customer service experience. 2 City of Newport Beach Core Values: https://www.newportbeachca.gov/government/departments/city-manager-s-office/core-values 48%45%7% Excellent Good Average Poor Terrible Enterprise Risk Assessment Report | 33 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY In addition, the City does not utilize key performance indicators measure service levels or outcomes (see the Planning and Strategy section) or conduct resident satisfaction/engagement surveys (see the Reputation and Public Perception section). Overall Risk Level Moderate Impact Likelihood Preparedness Trajectory Moderate Low to Moderate Moderate Flat Residual Risk Low to Moderate Suggested Risk Mitigation • In collaboration with departments, develop and provide regular training on internal reporting related to financial performance and budget status. • Continue to refine processes to ensure efficient and effective use of Tyler Munis. Risk Areas Risks associated with fiscal controls, budgeting, ongoing information tracking and management, revenue capture, and transaction processing. Financial reporting areas including those fundamental to planning, budgeting, pricing, evaluating vendor performance, assessing partnerships, and a range of other operational and strategic activities. Scope The role of accounting and financial functions in risk mitigation is focused on record keeping and compliance through recording, classifying, summarizing, and reporting financial transactions. Financial reporting includes deliverables such audited annual financial statements. Reliable financial information is fundamental to planning, budgeting, pricing, evaluating vendor performance, assessing partnerships, and a range of other operational and strategic activities. The City has a centralized Finance Department, with some roles embedded in other departments and divisions, including a Fiscal Manager position embedded in both Police and Public Works, a Fiscal Clerk position in Fire and Recreation and Senior Services, an Auto Parts Buyer in Public Works, and a Budget Analyst in Recreation and Senior Services. Out of the 30 employees in the Finance Department in March 2020, six were part-time positions, representing 20% of the Department’s employees. The average tenure of FTEs in Finance is 13.2 years. Similar to other departments in the City, the hierarchy of the Finance Department is relatively flat, and there are limited career paths for long-time employees. In general, staff report that the quality and timeliness of financial reporting is above average. Enterprise Risk Assessment Report | 34 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Q: How useful is the financial reporting information that you receive/have access to on a regular basis? Q: How would you rate the timeliness of the financial information you receive (e.g., reports, response time to requests, etc.)? In terms of the working relationship between the Finance team and other City departments, staff report a wide range of experiences. In particular, staff noted that there are opportunities to improve communication with the Public Works and Fire Departments. Q: How would you rate the level of internal customer service provided by the Finance Department? The City uses Tyler Munis as its main financial system. Staff noted that the adoption of this new system has been primarily positive, although there are still some procedural issues that are in the process of being resolved. For example, as noted in the Operations and Service Delivery section, the City has been uncovering utility billing errors. Given the City is currently undergoing a significant sewer rate increase, it is especially important that billing issues be proactively resolved. 25%33%25%8%8% Extremely useful Very useful Moderately useful Slightly useful Not at all useful 18%55%18%9% Excellent Good Average Poor Terrible 20%46%27%4% Excellent Good Average Poor Terrible Enterprise Risk Assessment Report | 35 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Overall Risk Level Moderate Impact Likelihood Preparedness Trajectory Moderate Low to Moderate Moderate Flat Residual Risk Low to Moderate Suggested Risk Mitigation • Develop a whistleblower policy. • Provide additional training and/or communications related to retaliation protections and management reporting responsibility. Risk Areas Risks associated with the prevention, detection, and correction activities undertaken to minimize or prevent fraud (intentional), waste (inefficiency), or abuse (mistakes) that result in unnecessary costs to the organization. Scope Fraud, waste, and abuse programs, as well as ethics policies, are designed to protect the ethical and fiscal integrity of the organization and its employees, stakeholders, and the general public. City employees have a duty to use funds economically, efficiently, effectively, and ethically. When employees do not honor this obligation, it could result in instances of fraud, waste, or abuse. Employees are also expected to behave ethically and respectfully. All City employees share the common purpose of serving the public in an ethical and transparent manner. One of the City’s core values is integrity, defined as “being honest, reliable, respectful, ethical, fair, and authentic.” As part of this work, the City has established a set of tools, policies, and trainings to prevent unethical behavior and fraud, waste, and abuse (FWA). Within this context, FWA is defined as follows: • Fraud: A dishonest and deliberate course of action that results in obtaining money, property, or an advantage to which employees or an official committing the action would not normally be entitled. • Waste: The needless, careless, or extravagant expenditure of funds, incurring of unnecessary expenses, or mismanagement of resources or property. • Abuse: The intentional, wrongful, or improper use or destruction of resources, or seriously improper practice that does not involve prosecutable fraud. In accordance with best practices, the City operates an ethics hotline that provides a mechanism for employees to anonymously report potential instances of FWA. The City has also provided several administrative and Council policies including Prevention, Reporting and Investigation of Fraud, Waste, and Abuse; Discrimination and Harassment Prevention; Council Conflict of Interest Procedures; and City Travel Policy Statement. The City does not have a whistleblower policy. It is a best practice for ethics hotline reports to go to the internal audit function. Enterprise Risk Assessment Report | 36 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY The City provides FWA training to all new employees, which includes an overview of the City’s policy, employee responsibilities, and answers to other FAQs. In addition, in alignment with legal requirements, the City provides workplace harassment prevention training to all employees every two years. This training is apparently effective, as the majority of survey respondents (70%) were confident that they would know what actions to take if they were to become aware of unethical or fraudulent activity. Q: Do you know what action(s) to take if you were to become aware of unethical or fraudulent activity? Additional training around retaliation protections and management responsibility may be useful, as survey respondents reported a range of opinions when asked about their confidence that they would be protected if reporting an issue and their confidence that management would stop wrongdoings if reported. In particular, several interviewed and surveyed staff noted that they did not trust their manager to handle confidential issues or had experienced retaliation in the past. Q: What are the chances that you would be protected from retaliation if you reported wrongdoing? Q: What are the chances that management above you would make efforts to stop wrongdoing if you reported it? 75%25%5% Yes - I know what I would do first Maybe - I would have to research a bit No, not really sure 31%39%17%8%5% Definitely will Probably will Might or might not Probably will not Definitely will not 47%34%12%5%2% Definitely will Probably will Might or might not Probably will not Definitely will not Enterprise Risk Assessment Report | 37 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Overall Risk Level Moderate Impact Likelihood Preparedness Trajectory Moderate to High Low to Moderate Moderate Flat Residual Risk Low to Moderate Suggested Risk Mitigation • Establish a three to five-year strategic plan that identifies major City goals and activities (see the Planning and Strategy section). • Consider revisiting the mission and charter of committees to ensure they are effectively providing support to City operations. • Establish annual work plans with measurable goals for each committee. These work plans should align with and support the City’s overall strategic plan. Risk Areas Risks associated with the governance processes, including strategic direction, ongoing oversight, ethics and values, control environment, policy management, enterprise performance management, and defined roles, responsibilities, and authority. Scope Governance is a process of overseeing an organization’s management of risk and control processes and is ultimately the responsibility of leadership. Management is responsible for identifying and managing risks. City residents elect officials to provide community leadership and govern the administration of public services. The City operates under a council-manager form of government, directed by a seven-member City Council. Council elections take place every other year, with Council members serving staggered four-year terms. The Council has established a Council Policy Manual to define bylaws and procedures related to Council operations and Council-level policies. In terms of leadership continuity, the Council has a healthy mix of tenure end dates, with three council members coming up for re-election in 2020 and three members serving their final term through 2022. The City Manager was appointed in September 2018. Based on a sample of the last ten regular City Council meetings, meetings ranged in length from one to eight hours, with an average meeting length of four and a half hours. Staff report that the relationship between the Council and City management is generally positive. The majority of surveyed staff rated the effectiveness of Council governance (67%) and quality of strategic direction (60%) as excellent or good. However, as noted in the Planning and Strategy section, the Council can occasionally operate at more of a tactical level rather than a strategic level, focusing on immediate actions items rather than setting long-term strategic goals. This contributes to a reactive environment, where staff priorities can quickly change depending on the Council’s interests. Enterprise Risk Assessment Report | 38 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Q: How would you rate the effectiveness of the oversight and governance provided by the Council? Q: How would you rate the quality of the strategic direction provided by the Council? The City has established multiple boards, commissions, and committees to assist and advise the Council on issues, including the following: Boards and Commissions • Board of Library Trustees • Building and Fire Board of Appeals • City Arts Commission • Civil Service Board • Harbor Commission • Parks, Beaches and Recreation Commission • Planning Commission Council Committees • Affordable Housing Task Force • Homeless Task Force • Public Facilities Corporation Council/Citizens’ Ad Hoc Committees • Aviation Committee • General Plan Update Steering Committee • Housing Element Update Advisory Committee • Library Lecture Hall Design Committee Citizens’ Advisory Committees • Balboa Village Advisory Committee • Environmental Quality Affairs Committee • Finance Committee • Newport Coast Advisory Committee • Water Quality/Coastal Tidelands Committee 20%47%31% Excellent Good Average Poor Terrible 21%39%28%4%8% Excellent Good Average Poor Terrible Enterprise Risk Assessment Report | 39 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY These groups provide many critical functions to support the City, and offer an opportunity for residents to engage with and have an impact on their local government. However, staff report that several of the committees do not have well-defined or well-understood missions and scopes—which can lead to frustrations for both staff and group members. Given that a high level of staff time is required to support each body, it may be helpful to revisit the charter and/or mission of each committee to ensure they are effectively providing needed support to the City. In addition, each committee should operate with a well-defined annual work plan that outlines measurable goals and milestones. Q: How would you rate the effectiveness of the committees and commissions that support the City? Overall Risk Level Moderate Impact Likelihood Preparedness Trajectory High Low to Moderate Moderate to High Flat Residual Risk Low to Moderate Suggested Risk Mitigation • Continue to pursue the City’s initiatives for long-term financial stability. Risk Areas Risks associated with revenue sources (rates, fees, grants, and taxes), funding levels, cash management, liquidity, expenditure rates and commitments, debt management, and inter-organizational business. Scope The funding and economics factors that impact the organization’s ability to maintain operations and deliver programs and services. Whether within the City’s realm of influence (or outside of their control), funding and economic factors impact the City’s long-term fiscal stability as well as its ability to mitigate the negative impacts of extraordinary risk, such as regional changes and national economic volatility. Funding Sources In general, the City has a strong financial foundation. The City reports that its General Fund revenues were approximately $230 million during FY 2018-19. The top three individual revenue sources are property taxes, sales taxes and sales tax in lieu, and Transient Occupancy Taxes (TOT). Together, 11%37%32%16%4% Extremely effective Very effective Moderately effective Slightly effective Not effective at all Enterprise Risk Assessment Report | 40 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY these three sources represent 75% of all General Fund revenues. Over the past 10 years, assessed property valuation increased an average annual rate of 4.7%, representing a 6.8% increase over a 20-year period. Proportion of City Taxes in 2019 by Type The rating agencies Fitch, Moody's, and Standard & Poor's have all assigned the City the highest quality credit rating of AAA. Moody’s reaffirmed their AAA ratings in 2019. CalPERS Like nearly all California cities and other public agencies, the City provides retirement programs to its employees through the California Public Employees Retirement System (CalPERS). The City has separate CalPERS accounts for its Safety Employees (sworn police and fire employees) and its Miscellaneous Employees (all other non-safety employees). Employees contribute a percentage of their pay toward retirement costs (11% to 14%), and the City must pay the remaining required amount, as determined by CalPERS actuaries. In July 2011, the City Council passed Resolution No. 2011-55 establishing a Compensation Philosophy, which included a goal that employees share 50/50 in the cost of retirement benefits. The labor contracts adopted since 2012 provide for employees paying the full member contribution, with employees contributing additional amounts toward retirement benefits, up to the amount allowed by state law. In 2018 (latest data available), the market value of the City’s CalPERS assets grew at a faster rate than the accrued pension liability, increasing the funded ratio to 66.9%. 59%20%13%7% Property Tax Sales Tax Transient Occupancy Tax All Other Taxes Enterprise Risk Assessment Report | 41 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Overall Risk Level Low to Moderate Impact Likelihood Preparedness Trajectory Moderate to High Low Moderate Flat Residual Risk Low Suggested Risk Mitigation • Consider implementing a resident engagement survey to track public perception over time. • Update the crises communication policy. Provide related training to all relevant staff. • Implement policies and procedures to ensure that communication is coordinated and performed in the best interest of the City as a whole. This will require executive leadership sponsorship and/or buy-in. Risk Areas Risks associated with the City’s reputation and the public’s perception of the organization, including its competency (financial performance, safety and security, responsiveness), transparency (openness and integrity), and guardianship (demonstrating care and consideration). 63.8% 66.0% 66.9% 62.0% 62.5% 63.0% 63.5% 64.0% 64.5% 65.0% 65.5% 66.0% 66.5% 67.0% 67.5% $0 $200 $400 $600 $800 $1,000 $1,200 2016 2017 2018MillionsFunded Pension Liability Ratio Accrued Liability Market Value of Assets Funded Ratio Enterprise Risk Assessment Report | 42 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Scope The reputation of an organization refers to how a broad group of stakeholders perceives the accumulated decisions, actions, and behaviors of the people within an organization. This social judgement is influenced both directly and indirectly by interactions with employees, with programs and services, and by commentary in the public domain (e.g., news stories, press release, social media). As a local government entity, the City’s reputation and relationship with its residents is the heart of its success. The operations of a local government like the City are complex and multi-faceted and impact the lives of residents, either directly or indirectly, every single day. In general, staff report that the City has built a positive relationship with members of the public. As noted in the External Environment section, homelessness/affordable housing and issues related to John Wayne Airport continue to be at the forefront of public discussion. Q: What kind of reputation do you think the City has within the community? Multiple interviewed employees noted that the City strives to be highly responsive to community needs. For example, one major impetus behind the creation of the Harbor Department was to help manage community issues related to living near or owning property on local waterways. In fact, 13% of survey respondents indicate that the City may be too responsiveness to citizen feedback. Q: How would you rate the City’s responsiveness to citizen feedback? In terms of formal opportunities to provide feedback, the City holds frequent public meetings that are reportedly well attended by residents. In addition, some departments collect customer service data. For example, the Community Development Department regularly solicits feedback via short paper surveys. However, the City does not conduct a regular resident engagement/satisfaction survey. Without this type of measurement tool, the City must rely on anecdotal (and potentially non- representative) evidence to track public perception over time. The City’s external communication function is decentralized. Through this model, staff in a variety of departments—including the CMO, Police, Fire, Library, and Recreation Departments—communicate directly with the public via various social media accounts, websites, publications, and reports. Decentralized communication can be an effective way to ensure engagement with specific departments. However, it can increase risks if external communications are not adequately coordinated (which can result in inconsistent messaging to the public), or inefficiencies if it results in 27%62%10%1% Excellent Good Average Poor Terrible 13%21%62%4% Far too responsive Slightly too responsive Appropriate level of responsiveness Slightly too unresponsive Far too unresponsive Enterprise Risk Assessment Report | 43 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY redundant staffing or work (which increases costs to the City). The City has taken steps to ensure coordination of social media posts by using a centralized posting application (Buffer). However, staff report that there has been a lack of executive buy-in on any additional coordination efforts. In terms of policies and procedures, the City’s crises communication policy is out of date. In addition, the City does not operate with any specific strategy, policy, or procedure to guide how the various decentralized communication roles are meant to work together. Without these types of guiding documents, the City is at a higher risk of miscommunicating to the public and operating without a clear and consistent voice. Overall Risk Level Low to Moderate Impact Likelihood Preparedness Trajectory Low to Moderate Moderate Moderate Decreasing Residual Risk Low Suggested Risk Mitigation • Inventory, review, and prioritize revisions to outdated policies and procedures and development of missing policies and procedures. • For out-of-date policies and procedures, update documentation with standardized templates and current information. Provide adequate training and communication on new processes. • Post centralized policies and procedures in a searchable format. • Institutionalize a simple and ongoing review and update process for all City policies and procedures. Risk Areas Programs and activities related to governing, administrative, and operational policies and procedures of the organization, including the comprehensiveness of coverage and documentation; their relevance and applicability of content; and the effectiveness and efficiency of their use. Risk Areas Policies and procedures play a critical role in providing the guidance required to ensure all functions operate efficiently, effectively, safely, and consistently across the organization. A policy establishes what should be done, and procedures effect the policy. Policies and procedures also play an important role in protecting against the loss of institutional knowledge. The City operates with a fairly comprehensive set of Council-level and administrative policies. However, multiple staff reported that specific operational policies and procedures were lacking or out of date. For example, staff noted that many basic procurement and financial processes (like how to process an invoice) are not documented or performed consistently. Given the wide range of responses on the survey, it is likely that the City has both gaps and strong pockets of operational policies, depending on the department and/or division. Enterprise Risk Assessment Report | 44 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Q: How would you rate the defined and documented operational policies and procedures in your department? The City does not follow a standard review process for policies and procedures, so they are currently updated on an ad hoc basis. As a result, some policies (like the crises communication policy) have not been updated within the past ten years. Notably, the Employee Policy Manual was last updated in 2010. As a general rule, City policies and procedures documentation should be reviewed every one to three years. A lack of up-to-date documented policies and procedures often results in reduced efficiency and effectiveness. In addition, a lack of documentation to guide operations can cause communication and accountability challenges due to a lack of defined responsibilities. A key component to effectively adopting updated policies and procedures is ensuring that they are communicated and accessible to staff. Currently, documentation is stored on the internal network drive. (Note: Documents that require archiving are stored on Laserfishe, and legislative packages are managed through Granicus.) Policies and procedures should be stored centrally in a searchable format; when new versions are published, alerts should be communicated and training should be provided. Overall Risk Level Low to Moderate Impact Likelihood Preparedness Trajectory Moderate Low Moderate Flat Residual Risk Low Suggested Risk Mitigation • Review grant management procedures to ensure sufficient controls are in place. • Review compliance-focused training within each department to ensure employees are receiving adequate guidance. Risk Areas Risks associated with compliance with laws, regulations, and other requirements. Scope Risks organizations face when they are unable to follow internal policies, government laws, and regulations, and may be subjected to legal penalties and financial fines. 16%51%29%2%2% Excellent Good Average Poor Terrible Enterprise Risk Assessment Report | 45 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Overseeing proactive compliance throughout the City depends primarily on individual departments. Internal and external auditors reactively evaluate compliance. Proactive compliance is characterized by employees being aware of requirements and actively operating to comply with them. Performed effectively, proactive compliance prevents issues from occurring before they become problematic. Reactive compliance involves ongoing monitoring, testing, and reporting. Staff reported that the City Attorney’s Office and the City Clerk are the primary points of contact for important issues their departments face in terms of regulatory compliance in dealing with the City Council, the Brown Act, and Conflicts of Interest. In addition, Police, Fire, and Utilities all noted significant reporting requirements related to their respective areas of work. In terms of grants—which are typically a large source of compliance reporting—staff report that the City has relatively low grant activities and, thus, requires low grant management capacity. However, grant management is a decentralized function within the City, which presents risks to the City if individual departments are not consistently utilizing appropriate controls. In the most recent single audit report (issued June 30, 2019), the City’s financial auditors reported that in their opinion, the City complied in all material respects with the types of compliance requirements that could have a direct and material effect on each of its major federal programs for the fiscal year ending June 30, 2019. The audit found no material weaknesses or significant deficiencies in the financial reporting internal controls that were in scope for the audit. When asked about the chances of the City experiencing any compliance issues (including late or missed reporting, noncompliance with safety requirements, or a breach of contracts), almost 80% of survey respondents rated the probability as low or low to moderate. What do you feel are the chances that the City will experience any issue with compliance within the next year? Overall Risk Level Low to Moderate Impact Likelihood Preparedness Trajectory Moderate to High Low Moderate to High Flat Residual Risk Low to Moderate 29%50%14%7% Low Low to Moderate Moderate Moderate to High High Enterprise Risk Assessment Report | 46 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Suggested Risk Mitigation • Continue to enhance emergency services to provide effective wildfire response. Consistent training of the City's fire response personnel is one activity included in this effort. • Ensure the City continues to be able to competitively recruit to fill vacancies, and explore methods to increase resources dedicated to providing public safety recruiting and HR support. • Update the Local Natural Hazards Mitigation Plan as scheduled in 2020-2021. Risk Areas Risks associated with public safety services, including level of services, funding, and community issues. Scope Public safety includes emergency services such as law enforcement, fire, dispatch, and community disaster response programs. Public safety operations in the City are somewhat unique. The City has approximately 7.2 million visitors a year, significant traffic congestion, and high housing costs, which collectively contribute to long shifts and long commutes. The community has high expectations for service, particularly response times. The majority of survey respondents (90%) rate the perception of overall safety in the community as either Excellent or Good. Q: How would you rate the overall feeling of safety in the community? Police The City’s Police Department is divided into four divisions, including: Office of the Chief of Police, Support Services Division, Patrol and Traffic Division, and Detective Division. The Support Services Division includes Dispatch, Records, Fiscal, Fleet, Personnel, and Training. The Police Department has 219 employees with an average tenure of 11.3 years. The average tenure of police officers is 8.2 years, and the median tenure is 6.5 years. Similar to many local agencies, recruiting is one of the primary challenges facing the Police Department (see the Human Capital and Resources section for more details). Given the highly demanding nature of working in public safety, Police Department leadership has placed a significant focus on programs designed to support and retain officers. This initiative includes efforts related to physical and mental health, peer support, and a career shadowing program. The Police Chief restructured the Department to a nimbler model to address crime through a specialized crime suppression unit model. Total crimes in the City have fallen consistently over the last three years. The most common crimes in the City are reportedly theft and drug abuse violations. 41%49%7%3%1% Excellent Good Average Poor Terrible Enterprise Risk Assessment Report | 47 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Like many other west coast cities, homelessness is a significant public safety concern for the City. Most solutions for homelessness and drug addiction are provided by the County, non-profit organizations, and regional agencies, but City police officers play a coordinating role. Fire The City’s Fire Department is divided into five divisions, including Administration, Fire Operations, Emergency Medical Services, Fire Prevention, and Lifeguard Operations. Services delivered by the Department include advanced life support provided by paramedic/firefighters, basic life support provided by EMT/firefighters and EMT/lifeguards, fire and building inspections, fire suppression, ocean rescue, underwater search and rescue, Community Emergency Response Team Program, and public education on City beaches and in local schools. The Department is responsible for eight fire stations, three lifeguard offices on the beach, and 38 lifeguard towers. The Fire Department had 182 part-time lifeguards in March 2020, who are excluded from this analysis. The average tenure of all other employees was 15.6 years. Southern California faces challenges with wildfire hazards from increased development in the wildland-urban interface, which has produced a significant increase in threats to life and property from fires. The City will likely continue to have to plan for increased threats from wildfires and prepare for how the Fire Department will likely be impacted. 4,532 4,251 4,129 3,559 3,823 3,544 3,584 3,765 0 1,000 2,000 3,000 4,000 5,000 6,000 7,000 8,000 9,000 2016 2017 2018 2019 City Crime Statistics Part I Offenses Part II Offenses Enterprise Risk Assessment Report | 48 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Overall Risk Level Low to Moderate Impact Likelihood Preparedness Trajectory Moderate Low to Moderate Moderate Decreasing Residual Risk Low Suggested Risk Mitigation • Continue to proactively address asset maintenance and update the Facilities Financial Plan. • Conduct annual reviews of water storage basins and dams in the City in accordance with California Division of Dam Safety guidelines. • Continue to work to strengthen and/or replace sections of the water distribution network that have been identified as most vulnerable due to their age or location in areas susceptible to ground failure. Risk Areas Risks associated with the ongoing maintenance, management, tracking, reporting, accountability, accounting, and physical safeguarding of assets, including the City’s infrastructure and capital assets. Scope Asset management includes the supply, deployment, and maintenance of the organization’s resources; it includes physical or logical access to data and locations (offices, warehouses, etc.). Asset management includes the connected strategies, processes, people, and technology that make up the foundation of enabling the organization to meet service levels and minimize the overall cost of asset ownership. Capital improvement and infrastructure programs are a critical component of asset management. The City’s major infrastructure systems consist of a broad range of capital assets including land, buildings, machinery and equipment, park facilities, road improvements, storm drains, piers, oil wells, sound walls, an 800-MHz radio communications system, parking pay stations and meters, and bridges. The City’s infrastructure includes maintaining 400 miles of streets, 5,971 streetlights, 808 traffic signals, 65 parks, 300.88 miles of water mains, 203.00 miles of sanitary sewers, and 95.35 miles of storm sewers. The City has one police station, eight fire stations; one lifeguard headquarters, 15 community centers (including leased property), and one aquatic center. Real property assets are managed through the Community Development Department’s Real Property Program. The Department is also responsible for the Community Development Block Grant Program that allocates federal funds to special programs and capital improvements. The City has created and maintained a Facilities Financial Plan (FFP), which is a comprehensive master facilities replacement schedule that projects the timing of construction of facility projects, forecasts the schedule of any planned debt issuance, includes all relevant revenue sources and expenditures on a yearly, project-by-project basis, and determines the long-term “level funding” annual budget commitment that is required to support the program. Employees report that the City’s Enterprise Risk Assessment Report | 49 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY assets are in relatively good condition. The City has continued to invest in infrastructure and continues to follow the Facilities Master Plan. Water service in the City is provided by the City, the Irvine Ranch Water District, and the Mesa Consolidated Water District. Each of these agencies maintains a capital improvement program. Many water districts in the region are in the process of replacing old cast iron pipes with more ductile iron pipes, which will be more resilient in the long term. Storm drainage systems in the City are provided and maintained by the City, Orange County, and local community associations. In general, the County is responsible for maintaining the regional flood control system, while the City is responsible for local improvements. Each of these agencies maintains master and capital improvement plans. They all are required to conform to regional, state, and federal regulatory requirements, including those controlling the discharge from municipal storm sewer systems to protect the environmental quality of surface waters. Enterprise Risk Assessment Report | 50 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY EMPLOYEE SURVEY RESULTS3 3 Data in this section is reported as a percent of total responses; the values may not total to 100% due to rounding. 11% 2% 14% 14% 26% 15% 14% 11% 15% 19% 20% 39% Tenure in Position Tenure with City Less than 1 1 to 2 3 to 5 6 to 10 11 to 15 More than 15 22.7% 13.6% 10.2% 10.2% 10.2% 9.1% 8.0% 5.7% 3.4% 2.3% 2.3% 1.1% 1.1% Public Works Community Development Fire Library Recreation & Senior Services Finance Utilities Information Technology City Clerk City Attorney Police City Manager Human Resources Enterprise Risk Assessment Report | 51 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Risk Category: Accounting and Financial Reporting Risk Category: Compliance Risk Category: Ethics, Fraud, Waste, and Abuse Risk Category: External Risks Not surveyed. Risk Category: Funding and Economics 29%43%21%7% Low Low to Moderate Moderate Moderate to High High 29%50%14%7% Low Low to Moderate Moderate Moderate to High High 20%33%27%13%7% Low Low to Moderate Moderate Moderate to High High 41%41%12%6% Low Low to Moderate Moderate Moderate to High High Enterprise Risk Assessment Report | 52 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Risk Category: Governance Risk Category: Human Capital and Resources Risk Category: Information Technology Risk Category: Infrastructure and Asset Management Risk Category: Management and Leadership 20%25%30%20%5% Low Low to Moderate Moderate Moderate to High High 24%47%18%12% Low Low to Moderate Moderate Moderate to High High 27%33%20%7%13% Low Low to Moderate Moderate Moderate to High High 33%27%33%7% Low Low to Moderate Moderate Moderate to High High 16%53%32% Low Low to Moderate Moderate Moderate to High High Enterprise Risk Assessment Report | 53 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Risk Category: Operations and Service Delivery Risk Category: Organization and Staffing Risk Category: Planning and Strategy Risk Category: Policies and Procedures Risk Category: Procurement and Contracting 11%44%33%11% Low Low to Moderate Moderate Moderate to High High 33%39%28% Low Low to Moderate Moderate Moderate to High High 21%26%42%11% Low Low to Moderate Moderate Moderate to High High 40%40%13%7% Low Low to Moderate Moderate Moderate to High High 31%38%8%15%8% Low Low to Moderate Moderate Moderate to High High Enterprise Risk Assessment Report | 54 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Risk Category: Public Safety Risk Category: Reputation and Public Perception Risk Category: Risk Programs 47%40%7%7% Low Low to Moderate Moderate Moderate to High High 32%42%21%5% Low Low to Moderate Moderate Moderate to High High 21%43%21%14% Low Low to Moderate Moderate Moderate to High High ATTACHMENT C INTERNAL CONTROLS REVIEW FINAL REPORT This report is intended for the internal use of City of Newport Beach, and may not be provided to, used, or relied upon by any third parties. Proprietary & Confidential FINAL REPORT City of Newport Beach ENTERPRISE INTERNAL CONTROLS REVIEW September 16, 2020 Moss Adams LLP 999 Third Avenue, Suite 2800 Seattle, WA 98104 (206) 302-6500 Enterprise Internal Controls Review Report FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY Table of Contents Executive Summary 1 Scope and Methodology 4 Internal Controls Review Results 8 A. Purchasing and Contract Management 8 B. Cash Receipts, Billing and Collections, and Accounts Receivable 16 C. Accounts Payable and Disbursements 25 D. Fixed Assets Management 29 E. Central Warehouse and Automotive Inventory Management 32 F. Financial Reporting 37 G. Budgeting 40 H. Payroll 42 I. Information Technology (IT) 46 J. Overall Control Environment 49 Enterprise Internal Controls Review Report | 1 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY EXECUTIVE SUMMARY The City of Newport Beach (the City) asked its internal auditor, Moss Adams, to review its internal controls environment. This internal controls review took place between April and August 2020, and focused on assessing controls over all significant fiscal processes throughout the City. The review of internal controls was completed under the consultancy standards of the American Institute of Certified Public Accountants (AICPA). As such, this work was not an audit of internal controls that resulted in a formal opinion or other form of assurance. Moss Adams reviewed the City’s fiscal internal controls for design and performed limited testing in key areas to determine if the controls were designed effectively. Specific areas where fiscal practices were reviewed included: • Purchasing and Contract Management • Cash Receipts, Billing and Collections, and Accounts Receivable • Accounts Payable and Disbursements • Fixed Assets Management • Central Warehouse and Automotive Inventory Management • Financial Reporting • Budgeting • Payroll • Information Technology • Overall Control Environment The City has internal controls in place for many functions. Some examples of commendable activities include: • Purchasing and Contract Management: ○ At the time of the review, the City had 2.25 full-time equivalents (FTEs) dedicated to the Purchasing Unit within the Finance Department. With these limited resources, the City has been able to process a high level of purchase orders (POs), averaging 1,650 per year for the last two years. A large portion of these were above the $25,000 threshold requiring Purchasing to conduct formal procurement efforts, including issuing RFPs. ○ Workflows are set up in MUNIS to ensure that all purchases are properly approved based on defined dollar thresholds. ○ The City typically utilizes internal contract templates, rather than relying on contract templates provided by vendors. There are a variety of contract templates based on the type of services/goods being procured. This helps to reduce the risks related to entering into new contracts, as the City’s templates have already been fully vetted by Legal. • Accounts Payable and Disbursements: A new/improved weekly check batch monitoring and review process was implemented in June 2020, which, if implemented consistently and adequately documented, would appear to serve as a solid monitoring and internal control process over the A/P weekly check batch. • Inventory Management: Based on interviews, Central Warehouse and Automotive inventory (collectively referred to as “inventory” throughout this report) is managed through a first-in-first-out Enterprise Internal Controls Review Report | 2 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY process to prevent inventory spoilage. However, we were unable to confirm these controls during this review. • Financial Reporting: Journal entries tested had separate preparers and reviewers, and there was a basic year-end checklist in place that had been completed in recent years to track the year-end financial close process. • Budgeting: Budget to actual reporting is presented to the City Council on a regular basis, and budget amendments tested were prepared, reviewed, and documented. • Payroll: The system is set up to prevent employee timecards from being submitted without approval. An “audit” process has been implemented whereby an accountant outside of the payroll function performs an audit/reconciliation of each payroll run. • Information Technology: A process had been developed to identify stale (inactive) Windows user accounts and perform research and deactivation monthly, thereby mitigating the risk of terminated employee accounts not being deactivated timely upon termination. The IT Department has implemented SysAid (IT ticket workflow tool) to allow for the submission of IT tickets and track related resolution. • Overall Control Environment: A process was developed to facilitate meetings between the Finance and IT departments to assess systems access on a regular basis. The City appears to have an engaged and active governance board structure. Similar to most cities, there are opportunities to strengthen policies, procedures, systems, and controls. Gaps were identified in some of the areas reviewed. The primary conclusion from this review is the City has an opportunity to improve internal controls, strengthen processes, and document procedures. Suggested priorities to address over the next 6 to 12 months include, but are not limited to: • Evaluate the current purchasing thresholds and required due diligence for each threshold to determine whether they are reasonable and necessary. Determine whether simplified acquisition procurement procedures could be established to address the high volume of purchases requiring the formal RFP process. Identify training and tools that could be developed to aid departments in taking on more of the purchasing responsibilities and workload. • Perform a full process assessment focused on the procurement function to further identify gaps in internal controls and improvement opportunities, as well as opportunities for increased efficiencies. • Perform a full process assessment of the cash handling function to further identify gaps in internal controls and opportunities for improved controls. This assessment should include a detailed evaluation of each department handling cash to ensure the City’s assets are adequately controlled. • Implement A/R reconciliation procedures and overall monitoring to ensure that City A/R is identified, recorded, and properly controlled. • Develop and enforce daily reconciliation procedures for cash handling at each site responsible for collecting payments. • Implement additional internal controls over the Cashiering Unit to ensure that the reconciliations performed on collections each day include the reconciliation of individual drawers, at the end of each shift, to the underlying transaction listing (i.e., a system or manual list total detailing collections during the shift) and that the related deposit packets are adequately secured at all times. Enterprise Internal Controls Review Report | 3 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY • Evaluate the systems access levels for all significant fiscal functions, including purchasing, A/P, payroll, etc., and identify which individuals warrant edit access based on their current roles. All other edit access levels should be removed immediately to prevent unauthorized or inappropriate changes/transactions. • Evaluate the fixed asset (i.e., assets above the City’s capitalization threshold) management activities and consider implementing improvements for the next physical inventory performed. Focus on ensuring asset records are accurate and complete. • Implement controls over the asset disposal process to prevent assets from being misappropriated during the disposal process. • Perform a full assessment of inventory management to further identify control gaps and assist in the development of recommendations to address those gaps. Also assess any significant inventory loss or misappropriation that has occurred in the past, given the significant control gaps identified during this review. • Address the segregation of duties issues identified during this review related to Central Warehouse and Automotive Warehouse inventory management, and segregate duties wherever possible. In those areas that cannot be immediately segregated, mitigating controls, including external reviews, should be implemented. • During the next physical inventory performed over the City’s inventory, ensure that an individual outside of the person responsible for inventory management is involved and that “blind” inventory counts are performed. • Develop and implement a process for performing penetration testing on the City’s network/systems. • Initiate the process of inventorying all policies and procedures across the City, performing a gap analysis of the current coverage and controls and developing a formalized work plan and timeline for addressing all gaps identified. Enterprise Internal Controls Review Report | 4 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY SCOPE AND METHODOLOGY The scope of our review included a high-level evaluation of key internal controls throughout the City to determine the general adequacy of internal controls and identify areas warranting more in-depth review in the future. To gain an understanding of the processes and controls in place at various departments across the City, we interviewed personnel who are involved with the City’s fiscal processes. Personnel from the following departments/sites were included: • Finance Department, including Budget, Accounting, Accounts Payable, Revenue, and Purchasing Units • Revenue Division of the Finance Department • City Attorney’s Office (CAO) • Central Warehouse and Automotive Warehouse (functional units of the Finance Department) • Information Technology Department The procedures performed to assess the City’s enterprise fiscal processes and procedures during the internal controls review included the following: • Identifying control objectives over the City’s fiscal procedures and controls that would satisfy each control objective. • Reviewing policies and procedures (P&Ps) created by the various departments and citywide P&Ps to assess whether adequate policies and procedures are documented, current, and being utilized for each key fiscal function. • Performing control walkthroughs and/or testing limited samples in selected key areas, including, but not limited to, the following: ○ Purchasing and Contract Management: − Evaluated purchasing data, including reports on POs processed, open POs, RFPs, sole source purchases, etc. − Judgmentally selected a sample of POs processed to test for compliance with specific policy requirements (e.g., timelines, approvals, and support) and assessed the support for adequate documentation of due diligence performed (e.g., RFP and quotes). − Performed a walkthrough of a sole source purchase to evaluate the level of documentation and approval required. − Obtained the link to contract templates and evaluated the overall structure and segregation of contract types. − Obtained purchasing and contract data to assess whether dates related to the purchasing and contracting processes were tracked (allowing for the assessment of efficiency opportunities). ○ Cash Receipts, Billing and Collections, and Accounts Receivable: − Obtained the support for one month of A/R reconciliations performed between sub- ledger/systems at the department level and MUNIS. Evaluated the adequacy of any reconciliation processes documented and the overall completeness of available reports. Enterprise Internal Controls Review Report | 5 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY − Evaluated the support for one quarter of the Revenue Auditor’s review/audit process to assess the adequacy of the control. − Evaluated reports available to support cash receipt, billing and collection, and A/R activity monitoring that was being performed. − Assessed the daily cash receipts log (or other form of tracking) maintained by departments, and assessed the completeness of information recorded and the change in custody documentation required at the time of deposit to the Treasury. ○ Accounts Payable and Disbursements − Evaluated the new weekly check batch review process for adequacy and controls. − Performed a walkthrough of the weekly A/P process by selecting the first batch processed in May 2020 and obtaining all supporting documentation for assessment. − Selected a sample of payments processed and evaluated for appropriate segregation of duties. − Assessed vendor change reports, including selecting a small sample of changes to tie to the underlying supporting documentation and evaluating the individuals who entered and approved the change for proper control. ○ Fixed Assets Management: − Obtained and reviewed the fixed asset listing and vehicle tracking report. − Reviewed the documentation of the PO reviews that occur to identify miscoding. − Assessed the results of the most recent fixed asset inventory. ○ Central Warehouse and Automotive Inventory Management: − Requested the physical inventory count documentation for a specific period to assess the adequacy of the inventory count process and the related documentation. − Obtained and reviewed the Perpetual Inventory Report for the Central Warehouse and the Parts List from Automotive, as of June 30, 2020, to assess the total quantity and amount of inventory reported as on-hand at fiscal year-end. ○ Financial Reporting − Assessed select financial reports, chart of accounts, and year-end close checklist. − Reviewed systems access reports for key system functions. − Tested a sample of journal entries for proper segregation of duties between preparer and poster. − Assessed the completeness and adequacy of the May 2020 account reconciliation and financial reporting documentation. ○ Budgeting: − Assessed the final approved FY 2020 budget. − Reviewed a sample of FY 2020 City Council reporting packages to evaluate for budget- to-actual report presentation and amendment approvals. − For February 2020, reviewed budget-to-actual reports, selected specific budget overages identified to determine whether follow-up occurred, and selected budget amendment requests to evaluate for proper documentation, processing, and approval. Enterprise Internal Controls Review Report | 6 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY ○ Payroll: − Selected a sample of three terminations to evaluate for the timeliness of Personnel Action Form (PAF) submission, the date of the final paycheck, and the date that systems access cancellation was requested and processed. − Reviewed systems access reports for HR and payroll-related functions in MUNIS and assessed for adequate segregation of duties. − Performed a walkthrough of one pay period to assess whether payroll reports were reconciled, reviews/approvals were documented, and adequate support was on file for the payroll run. ○ Information Technology: − Obtained and assessed systems access reports for various MUNIS functions. − Reviewed a report of inactive accounts to assess whether stale system accounts were being researched and deactivated timely. − Assessed documentation for internal system report monitoring and oversight. ○ Overall Control Environment: − Assessed the content of the Finance Committee and City Council meeting packets for coverage of City fiscal operations and controls. − Analyzed the citywide workflow setup structure, overall communication of roles and responsibilities, and segregation of duties for key financial functions. • Assessing whether the controls in place would prevent or detect errors or the misappropriation of City assets. • Comparing current processes, policies and procedures, and functions to best practices to identify opportunities for improvement. • Providing recommendations regarding key controls that need to be implemented or improved. To best share the results of the internal controls review, the matrix provided in Section III is organized by: • Control objectives • Control issues • Corresponding recommendations • Likelihood of occurrence • Impact of occurrence Likelihood of occurrence is defined as the probability of a negative event occurring. Impact of occurrence is defined as the level of significance should a negative event occur. Risk levels of low, moderate, or high were used to rate the likelihood of occurrence and impact of occurrence for each finding. Beyond those controls that have been reported within this report as a control issue, additional controls were reviewed without exception. It should be noted that many controls were reviewed multiple times in relevant, separate department reviews, but not all controls or departments were reviewed. Departments were selected to provide a broad understanding of the City’s overall control environment. Key controls with exception conditions are reported in this document. Enterprise Internal Controls Review Report | 7 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY Due to the COVID-19 pandemic, which was occurring at the time of this internal controls review, we were unable to perform certain planned procedures as we were unable to go onsite to physically observe the inventory on-hand; physically test the completeness, existence, and accuracy of fixed assets recorded; or perform surprise cash counts at a variety of cash receipt sites. The City should consider including these additional onsite procedures during a future follow-up review. Enterprise Internal Controls Review Report | 8 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY INTERNAL CONTROLS REVIEW RESULTS CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE 1 Purchase Requests are not approved and processed until the required level of due diligence (e.g., information quotes, bids, etc.) is performed to ensure that a fair price is obtained for all City purchases. For purchases of goods, equipment, or materials between $3,000 and $10,000, Administrative Procedure F5 requires three informal bids to be attached to the Purchase Requisition Form. For purchases related to professional services under $25,000, Administrative Procedure F14 requires three letter proposals/quotes. During our testing of five City purchases, we identified one materials purchase for $10,000 and one professional services purchase for $4,625 that were not supported by any informal bids or quotes, and there was not adequate documentation of the non- compliance (e.g., sole source justification, etc.). Although the City’s Administrative Procedures require some form of informal bid/quote for purchases that fall below a certain threshold, it did not appear that these requirements were being adhered to and enforced. The City should decide whether informal bids/quotes are required for these lower-dollar purchases. If not, then the revised requirements proposed should be presented to and approved by the City Council, and if approved, the Administrative Procedures should be updated accordingly. If the City elects to maintain the current due diligence requirements, then the Purchasing Unit should not approve any Purchase Requisition Forms or contract requests that do not have the required supporting documentation to show that adequate due diligence, in compliance with City Administrative Procedures, was performed. The training provided by the Purchasing Unit, which covers the overall procurement process, should be tailored to cover all key related aspects of the City’s Administrative Procedures, including details on how to obtain and document required bids/quotes. Consider developing a one-page form for employees to use to document informal bids obtained via phone, online, etc. to streamline the process and promote compliance. High Moderate 2 Thresholds for required due diligence (e.g., The City’s current procurement thresholds are conservative and well below The City should evaluate the current procurement thresholds to determine whether they are sufficient to support an efficient, yet controlled, procurement High High Enterprise Internal Controls Review Report | 9 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE bids, RFP, etc.) of purchases are established. The defined thresholds balance controls and efficiencies in the procurement function. best practice recommendations. The City’s established threshold for when a purchase must go through a formal RFP is $25,000, and the Purchasing Unit must lead the procurement effort for purchases above this threshold. This threshold is significantly lower than the simplified acquisition threshold allowed for under 2CFR (Code of Federal Regulations) Section 200.88, which is currently $150,000. At the time of this review, the City had 71 POs open that exceeded the $25,000 threshold, and 41 of these were under $50,000. RFPs open at the time of this review had been in process (from date of request through current) for an average of 111 days. A significant portion of the City’s current procurement resources are spent managing the RFP process. process. Alternative due diligence requirements can be established, which could reduce the number of purchases that are required to go through the time- consuming full RFP process, yet still provide control over the procurement function and ensure that the City is receiving fair and reasonable prices for goods/services. The City should consider developing simplified- acquisition thresholds for smaller purchases and presenting the proposed thresholds to the City Manager for approval. Simplified-acquisition methods of procurement, such as obtaining and documenting informal quotes (verbal, online, etc.) or a Request for Quotation (RFQ), allow departments requesting purchases to take responsibility for performing due diligence independently, rather than relying on the Purchasing Unit to conduct procurement efforts. The City should consider adjusting the section of the Administrative Procedures covering due diligence requirements to provide more detailed guidance for employees at the department level and developing templates, such as standard RFQ templates or forms, for adequately documenting informal quotes. Training should then be provided to departments requesting purchases to allow for the departments themselves to assume more responsibility and accountability. Reducing the workload that the current thresholds place on the Purchasing Unit would allow for current resources to focus their efforts more on other value- adding functions, such as identifying opportunities for better pricing options across the City, streamlining and improving the RFP process, developing training for employees, and performing trend analysis to identify unusual activity or opportunities for improvement. Enterprise Internal Controls Review Report | 10 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE 3 Comprehensive P&Ps are documented to cover purchasing exceptions, including sole source procurement, emergency purchases, and blanket purchase orders (BPOs). The City does not have comprehensive P&Ps guiding the various exceptions to the general purchasing requirements. Administrative Procedure F5, Purchasing Procedures for Goods, Equipment, and Materials, provides only limited guidance on sole source, emergency, and BPO purchases, and it does not provide details on the specific circumstances that justify the use of each, documentation and approval requirements, and other key information to guide the appropriate use of these types of procurement. The Administrative Procedures should be updated to provide more comprehensive guidance for requesting purchases outside of the standard purchasing process. Specifically, the procedures should be updated to adequately address sole source procurement, emergency purchase, and BPOs. Sole Source: The following information should be included in the City’s guidance on sole source procurement: ● The specific circumstances/situations that would qualify a purchase as “sole source”. ● The required documentation (e.g., the form) to support a sole source purchase request, including the description of which specific sole source criteria a purchase request meets and why. ● The required approvals for a sole source purchase request and the responsibility of the approver. Emergency Purchases: The emergency purchase procedures should include what types of circumstances, along with examples, qualify as an emergency purchase (i.e., why it warrants approval outside of the standard PO process), the approvals required, the timelines for submitting the purchasing request after-the-fact, and the justification documentation required. BPOs: The procedures for BPOs should address those circumstances in which the use of a BPO would be justified/appropriate and the requirements for establishing a BPO, including documentation required, estimating the total value, due diligence requirements, and approvals. BPOs can be more susceptible to risk given they allow for routine purchases to be processed without repetitive approvals; therefore, it is important to ensure that routine monitoring is in place. High Moderate Enterprise Internal Controls Review Report | 11 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE Monitoring controls should be established to ensure that BPO activity is assessed regularly. 4 P&Ps are established to guide the processing of returns (e.g., returning goods, tracking credits, etc.). City P&Ps do not currently address how the return of goods purchased should be processed or how the related refund or vendor credit should be recorded and tracked. Documented P&Ps should be developed to guide the process for returning goods. The P&Ps should address how, and to whom, returns should be reported, what documentation must be submitted, how credits and refunds should be tracked, and who is accountable for ensuring the goods are returned and the City’s refund/credit has been obtained and controlled. Moderate Low 5 Purchasing activity is monitored on a regular basis and the reviews, as well as follow-up performed, are documented. Based on interviews performed, the Purchasing Unit performs a variety of purchasing activity reviews to identify potential unusual activity, long-outstanding POs, and invoices/payments that do not have a corresponding PO or contract. However, there are no documented procedures around what reviews will be performed, who is responsible for performing these reviews and how often, and what follow-up actions are required for potential issues identified. In addition, the reviews that are currently performed are not documented. There is currently no formal monitoring process in place to identify purchasing trends, by department or Monitoring purchasing activity provides vital internal controls over the City’s purchasing function and helps to identify potential problems or inappropriate activity in a timely manner. Monitoring activities for the purchasing function should be formalized and documented, including: ● What trend analysis will be performed, such as purchases by department, requestor, and type of purchase, and how often and by whom the analysis will be performed. ● Monitoring purchasing activity by month in comparison to prior year purchases (refer to the “Budget” section below). ● Monitoring for split-purchases (e.g., attempts to split several purchases with the same vendor into smaller purchases to circumvent the formal RFP process). This activity should include assessing purchases by department, vendor, and citywide to identify potential split-purchasing activity and opportunities for combining purchases across departments, with the same vendor, for potential price savings. High Moderate Enterprise Internal Controls Review Report | 12 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE requester, or potential split- purchases. ● Open PO report monitoring and procedures to address long-outstanding POs that meet a defined threshold of time elapsed. ● How invoices/payments requested or processed that do not tie to a corresponding PO or contract are to be addressed and by whom. ● Follow-up research or resolution that must occur for each of the reviews performed and related documentation requirements. The monitoring results should be documented, and someone independent of the Purchasing Unit should review them on a regular basis to help ensure that any problems or inappropriate activity can be identified and addressed in a timely manner. 6 Contract management is performed consistently to ensure that all contract terms and conditions are complied with, goods/services are delivered in compliance with contract specifications, contractor invoices are appropriate, and contracts are properly closed out. There is not a centralized contract management function within the City. Rather, various aspects of contract compliance are managed by various departments throughout the City. This structure increases the risk that contract non-compliance will not be identified timely and that departments will not be aware of their responsibilities for managing contracts that they enter into. Training is conducted for employees responsible for contract management; however, it is limited to purchasing and receiving Given the volume of large contracts that are entered into by the City, the City should consider establishing a contract monitoring program to mitigate the risks related to the decentralized structure. A contract monitoring program may include: ● Defining contract management P&Ps that include all aspects of the contract monitoring program, as described below. ● Training for the various departments throughout the City that play a key role in monitoring contracts. For instance, individual departments that enter into contracts for goods or services are typically responsible for monitoring the actual performance of services or delivery of goods. It is key for them to understand the specific contract terms, conditions, deliverables, and timelines to supplement the training they receive on the purchasing aspects of contract management. ● Defining the role that various individuals fulfill in the review, approval, and payment of invoices that Moderate Moderate Enterprise Internal Controls Review Report | 13 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE and does not cover contract monitoring and compliance. The most recent training was provided in April 2019. There is not a process in place to consistently verify contract compliance, such as spot checks, contract audits, or another form of overall monitoring of contract performance. are related to City contracts. Defining the specific responsibilities of user departments, purchasing, accounts payable, legal, etc. is important to ensure individuals involved understand what they are accountable for in order to perform effective reviews. ● Developing a process for performing contract reviews, such as spot checks or contract audits. These reviews could include testing a sample of contracts, on a regular basis, and performing the following: ○ Comparing current contract performance against the contracted requirements/milestones to ensure contract performance is within the negotiated timeline. ○ Comparing current expenditures, invoices, and payments to the contract budget and amounts to ensure expensed amounts are in compliance with the contract. ○ Comparing vendor invoices to the contract to ensure the expenses appear reasonable, are accurate, and are properly supported by any required documentation per the contract. ○ Performing follow-up of any issues identified in these reviews and the related corrective actions. 7 Contracts with City vendors are prepared, reviewed, signed, and finalized timely following the procurement process (e.g., RFP process is Based on interviews performed, there are delays in contract execution following the RFP and vendor/contractor selection process. The City Attorney’s Office (CAO) has developed detailed contract worksheets for departments requesting Delays in processing and finalizing contracts with selected City vendors resulted in delays in City contractors being able to provide the related goods/services to the City, as well as time-consuming back-and-forths between Purchasing, the department obtaining the related goods/services, and the CAO. The Purchasing Unit should consider putting more responsibility back on the departments during the RFP process and providing increased training on how to Moderate Moderate Enterprise Internal Controls Review Report | 14 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE completed, if required, and the vendor/contractor is selected). Scope of work, contract fees, and timelines are fully vetted during the RFP and award process, aiding in the timely execution of related contracts. a contract to obtain all information (scope of work, fees, timing, etc.) that is needed for the CAO to execute a contract. However, departments do not always complete the worksheets adequately. At times, details on the scope of work, fees, and timing are lacking, as they were not fully vetted during the RFP process. This results in time-consuming back-and- forths to obtain the details needed for the contract and, ultimately, leads to inefficiencies in the execution of a contract. Given the lack of data available for tracking the dates contracts are awarded, when contract templates are initially submitted/requested, CAO response date, contract draft and approval date, and final execution date, we were unable to provide data to quantify the delays that are occurring. effectively complete all required steps. Specifically, if departments provided more information during the RFP preparation, issuance, and evaluation process, including the scope of work (specifics of the goods/services being procured), the expected timeline for completion/delivery, and the details of the fees and payment terms, then the contracting process could be completed more efficiently. Given the City’s intranet provides contract templates, worksheets, and examples to aid departments in providing the information needed to execute a City contract, and departments are not effectively utilizing these resources, consideration should be given as to why these available resources are not being used properly. The City should consider developing and implementing contract-specific training for departments to walk them through the process of utilizing these resources, and providing a Contract Request Checklist that departments can utilize to verify that they are completing all required steps and conveying all information upfront. Departments should then be held accountable for attending training and fulfilling their roles in the RFP and contracting process. 8 The purchase request and PO issuance process The City processes, on average, approximately 1,650 POs each year. Based on interviews, the process is inefficient and at The City’s procurement function would benefit from a full process assessment to further identify where bottlenecks are occurring and identify workflow improvements that could add efficiencies. Many of the current, cumbersome processes are handled by the High Moderate Enterprise Internal Controls Review Report | 15 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE is efficient and well-controlled. times, there are long delays in getting a PO issued. While a portion of these delays is due to the time it takes for vendors to deliver on the goods/services requested and the invoice/payment process to be completed, there are inefficiencies in the current purchasing process that contribute to extended delays. Based on the data available, we were unable to determine the exact points in the process that are resulting in delays; however, budget transfers, incomplete purchase request documentation, volume of purchases requiring the RFP process, and other factors appeared to be contributing to the extended processing times. Purchasing Unit, which creates risk given that a lot of resources are spent on back-and-forth manual processes, rather than focusing on controlling, monitoring, and managing the overall procurement function. In addition, with so much time and effort being spent on the various inefficient aspects of the current purchasing process, there is an increased risk of inappropriate purchasing activity not being identified. The assessment of the procurement function should include a focus on identifying opportunities for increased efficiencies, automation, and internal controls. 9 If adequate budget is not available in a line item (i.e., the specific object code category selected) to cover a requested purchase entered into MUNIS, then The current process for addressing situations where a requested purchase results in a negative balance on the budget line-item (object code category) charged is cumbersome as MUNIS forces a “hard-stop” The responsibility for managing a department’s budget, down to the line-item level, should rest with the department that manages the budget. Users entering purchasing requests should be responsible for initiating a budget transfer request, prior to entering a Purchase Request Form or contract request into MUNIS, to prevent the stall that occurs from the hard stop in MUNIS and the additional time spent by Purchasing to fix them. If departments are proactively Moderate Low Enterprise Internal Controls Review Report | 16 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE the system will automatically initiate the budget transfer request process prior to the request being sent through the workflow for approval. and delays the purchasing process. If a purchase is entered into MUNIS that exceeds the available budget in the line item selected, Purchasing must manually initiate a budget transfer prior to continuing with the approval process. The Purchasing Unit identifies the negative balance and “hard stop” in MUNIS and then goes in to work past the hard stop. This results in a stall in the process and the Purchasing Unit having to make budget decisions in order to allow the department to proceed with the purchase. managing their budget-to-actual reports on a monthly basis, expected overages should be addressed during that process, including identifying what transfers need to be processed. Consider changing the existing workflow, which requires Purchasing to make the transfer, to automatically send hard stops to the Budget Unit to work through with the requesting Department. CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE 10 Cash Management P&Ps are documented and implemented to guide all aspects of the cash handling process. Comprehensive and current Cash Management P&Ps are not documented, approved, and implemented. There has been some guidance provided to employees; however, it is in the form of memos covering Given the City has a variety of cash receipting sites, it is important that documented P&Ps are utilized to manage these activities to ensure that City assets are properly protected and risks are minimized. Specifically, the City should develop and implement citywide, as well as department-specific, P&Ps that include, at a minimum, the following: High Moderate Enterprise Internal Controls Review Report | 17 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE some areas of cash management and a draft policy that has not been finalized and does not include all cash management components. Department-specific P&Ps for cash handling are not consistently documented or verified for adequacy and compliance with citywide requirements and overall internal controls. ● Procedures for receiving cash, via in-person, online, or mail payments, including how to handle cash, issue receipts, secure payments, and perform reconciliations. ● Details of how individual departments must prepare deposits, the frequency in which deposits must be made to the Treasury, and responsibilities for deposit preparation, documentation, review, and approval. ● Procedures followed by the Cashiering Unit for collecting in-person, mail, online, and department deposits, documenting payments and deposits, issuing receipts, and recording in the system what documentation is required for department deposits to show the change in custody of the funds, end-of shift/day reconciliation process, including documentation, reviews, and approvals, and cash security controls. The City would benefit from a cash handling assessment/audit that can be leveraged to develop and document P&Ps to support the processes and any recommended improvements. 11 A full cash handling assessment has been performed to ensure that all cash collection sites are properly controlled and that City assets are properly protected and reported. During this review, we did not perform a detailed assessment or audit of each cash handling site, and we were unable to determine if adequate cash receipt controls and daily reconciliations are performed for each department that handles cash. This review identified that there are a variety of sites, The City would benefit from a more in-depth cash handling assessment. The assessment should include: ● Identifying all sites that handle cash. ● Obtaining an understanding of each site’s processes, controls, and management of cash receipts, and evaluating each for adequacy and opportunities for improved controls. ● Identifying control gaps that present a risk of misappropriation, and developing recommendations for addressing the gaps and mitigating the associated risk. High High Enterprise Internal Controls Review Report | 18 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE with varying levels of controls, that manage the cash receipts process and a full assessment of each site’s processes, controls, and management has not been performed. The decentralized nature of City business results in a variety of individuals performing cash receipting, depositing, and reconciling functions, and this creates an increased risk of cash being misappropriated and not being identified. ● Performing surprise cash counts at each cash handling location to check for selected controls, performing a cash count and reconciliation to the system balances at the time, and testing petty cash or base fund counts, if applicable. ● Evaluating and testing each department’s process for reconciling cash receipts to the underlying system or manual receipts. ● Evaluating and testing the processes for department deposits to the Cashiering Unit and then the Cashiering Unit deposits to the bank. ● Testing samples related to cash receipts, deposits, reconciliations, and recording to assess for compliance with select internal controls and evaluate the processes for risk. ● Evaluating the bank reconciliation process for adequacy, proper controls, timely resolution of variances, and maintenance of the outstanding checklist. 12 Cash receipts trend analysis are performed for all cash handling sites to identify any unusual trends or potentially inappropriate activity timely. Based on interviews performed, it does not appear that regular trend analysis is performed to evaluate for unusual or inappropriate cash receipt trends. While some form of cash receipt monitoring may be occurring throughout the City, there is not adequate documentation showing that sufficient trend analysis is performed on cash receipt data that would allow for the early identification of activity requiring follow-up. The City should establish a process for performing regular trend analysis on cash receipts across all departments. The analysis should be performed by someone independent of the departments that are handling the cash receipts. Trend analysis should include assessment of: ● Cash receipts, by department, by month. ● Cash receipts, by department and citywide by month and year-to-date in comparison with prior year totals. ● Cash deposits reported to the Cashiering Unit on a weekly basis to identify fluctuations or indications that a department may be holding onto deposits, increasing the risk of misappropriation. Moderate Moderate Enterprise Internal Controls Review Report | 19 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE 13 Billing and Collection P&Ps are documented and implemented to specifically address how each source of City A/R will be billed collected, monitored, and written-off. The City has various revenue sources that result in A/R, including utility services, tax assessments, and business licenses. As of June 30, 2019, the City reported approximately $12,000,000 in A/R from the various sources. P&Ps to guide each type of A/R, including how A/R will be established, billed, collected, monitored, and adjusted/written-off are not in place. Therefore, each department that is responsible for A/R billing and collections may be doing it differently, and there is a risk that the overall A/R functions are not properly controlled and monitored. Given the City has a variety of revenue sources that result in A/R and the need for billing and collections, it is important that there are documented P&Ps that manage these activities. Specifically, the City should develop and implement citywide and department- specific P&Ps that include, at a minimum, the following: ● A citywide A/R P&P that address aspects of A/R, billing, and collections that are applicable to all the various sources of A/R. The citywide P&P should cover things such as what departments are responsible for monitoring A/R, the requirements for managing billing and collections of A/R, reporting requirements, assessing past-due accounts, and requesting, approving, and processing related A/R adjustments/write-offs. Monitoring controls should be documented to oversee the department A/R management functions and verify the accuracy of balances reported, ensure oversight of adjustments/write- offs, and reconcile activity on a regular basis. ● For each department that is responsible for managing A/R, a department-specific P&P covering their specific processes for overseeing and controlling the A/R, billing, and collections functions should be developed and implemented. Department-specific P&Ps should address the specifics of how A/R is established, what systems are used and the related reports that will be used, who is responsible for each aspect of the process, and what reviews/approvals are in place. Each department-specific P&P should reference and comply with the citywide P&P; however, they should include an adequate level of detail to aid departments in properly managing and controlling City A/R within their respective departments. Moderate Moderate Enterprise Internal Controls Review Report | 20 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE 14 Adequate reconciliation controls are in place to ensure that all A/R across various City departments is properly captured and reported. Based on information obtained during interviews, there is a risk that not all City A/R is identified, reconciled, and reported. There are several departments across the City whose activities give rise to the establishment of A/R. Some departments utilize MUNIS for managing A/R, while others use a department-specific system. In addition, many departments have a separate system for the underlying activity that gives rise to the A/R, such as a system for recording utility meter reading data and Community Plus, which is used to process business licensing, alarms, etc. Data from these systems is used to calculate customer bill amounts, which are recorded as City-A/R until collected. There are not reconciliation procedures in place to ensure that all external systems are fully reconciled to the related activity or balances reported in MUNIS, verifying that all activity and balances were The City should establish a full reconciliation process that is performed both by individual departments responsible for managing A/R and by the Finance Department on a monthly basis. A full assessment should be performed to identify each activity or source of City-A/R across all of the relevant departments. A listing should be made to identify each department, whether there are activities that result in City-A/R, and how each will be reconciled. This will help to ensure that all City-A/R is identified and subjected to routine reconciliation and monitoring procedures. Each source of A/R should be reconciled, and the reconciliation process, at a minimum, should include the following: ● Completeness checks to ensure that the activity recorded in any system (e.g., systems such as utility meter reading or Community Plus) is properly captured and included in the related billing and collections process. These checks should include verifying all activity (amounts, usage, units, etc.) are properly transferred, and the review should be confirmed by someone outside of the individuals responsible for overseeing the process. ● Reconciling the billing and collection activity, including a process for ensuring the beginning balance plus new activity/billings less payments received, equals the ending balance of A/R reported. ● Reconciling the A/R monitoring schedule and system used by each department to the actual activity and/or balances reported in MUNIS at month-end. ● Researching and resolving any variances identified. High Moderate Enterprise Internal Controls Review Report | 21 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE properly captured and reported. Given each source of A/R is unique and the reconciliation activities will vary depending on the underlying systems and processes in place, it is key that overarching reconciliation procedures are developed and implemented in a customized manner to each A/R source. 15 A/R activity and balances are monitored consistently and timely to ensure that collection efforts are adequate, City assets are protected, and A/R is reported accurately and written-off, when appropriate. Aged accounts are assessed regularly and uncollectible accounts are written-off and removed from the billing and collection reports. Each source of A/R is established, recorded, and monitored differently, resulting in a high risk that error or inappropriate activity will not be identified. It does not appear that all A/R balances are billed for and collected in a consistent manner and A/R aging and other reporting and monitoring is performed by all departments or by the Cashiering Unit of the Revenue Division for all sources of A/R. A/R assessments to determine whether write-offs are warranted are only fully performed for department A/R at year-end, and it is unclear if the year-end adjustment accounted for a full detailed analysis of all aged balances. It appears that the City applied an approach that allowed for all A/R over 90 days. The fiscal year ending June 30, 2020 The City should establish consistent monitoring procedures and controls for City A/R. Each source of A/R should be identified, billed for, and collected in a consistent and well-controlled manner, monitored adequately, including A/R billing and collections and A/R aging, and evaluated for whether it needs to be written off based on pre-determined criteria. Specifically, the following should be considered in the establishment of monitoring procedures: ● All sources of A/R should require a defined billing and collection process that is monitored for compliance and adequacy regularly. Regular reporting, including A/R aging, should be produced and reviewed, and aged A/R over a set threshold (e.g., 90 or 120 days) should be evaluated to determine whether additional follow-up is required, whether the related services should be cancelled or revoked, and whether a write-off is warranted. ● A/R write-offs and adjustments should be performed in a way that ensures the underlying criteria is documented and applied consistently to prevent claims of unfair treatment and erroneous adjustments that cannot be identified. Write- offs/adjustments should be documented consistently and reviewed and approved appropriately. Documentation of write- offs/adjustments should be maintained and monitored by an independent department/function (e.g., Revenue Auditor) on a routine basis. High Moderate Enterprise Internal Controls Review Report | 22 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE write-off recorded was approximately $500,000; however, we were unable to determine whether this was an accurate reflection of the total that should be deemed as uncollectible. Finally, many of the A/R aging reports received included A/R balances that were established five or more years ago and had not been written off and removed from the aging reports. ● To ensure that A/R balances are not overstated, a full analysis of all City A/R recorded should be performed on a regular and consistent basis, based on preset criteria for each source of A/R, rather than performing one overall assessment and write-off at year-end. For those accounts that are written off, a documented process for follow-up should occur, including assessing what actions should occur due to unpaid accounts. This may include cancelling service for a customer, revoking a license/permit, or other action. ● On a regular basis, A/R accounts should be assessed, and old uncollectible accounts should be removed from the sub-ledgers or systems used to track A/R. Accounts that are deemed uncollectible should be removed from the billing and collections system to prevent adequate oversight from being performed of true A/R aging reports that are still being pursued and possibly collected upon. 16 Payment and deposit collections processed at the Cashiering Unit are reconciled on a daily basis, by drawer/cashier, and the reconciliation includes tying the total amounts on- hand, by payment type, to an underlying system report or manual log total. Based on interviews performed with Cashiering Unit personnel, there are daily reconciliations in place to reconcile beginning balances for each drawer, and in total, to the ending balance on-hand and placed in deposit packets. Individual drawers are counted, the base funds are subtracted out of the total for deposit, and the remaining funds are placed in a deposit bag for processing. There are no In order to ensure that payments and deposits collected at the Cashiering Unit are properly controlled and accounted for and all cash collected is deposited to a City bank account, a thorough and controlled reconciliation by drawer must be performed daily. The City should perform a full process analysis to overhaul the cash receipt and deposit process at the Cashiering Unit to provide for adequate controls over the City’s assets. A well-controlled cashiering function should include, at a minimum, the following: ● Cashiers are assigned individual drawers and base funds are verified and signed for at the beginning of each shift. ● All payments processed, including deposits from departments, are documented immediately upon High High Enterprise Internal Controls Review Report | 23 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE procedures in place to reconcile payments collected to an underlying system report or payment log to ensure that the total amount collected throughout the day, less the drawers base fund, ties to the amount being deposited. Individual cash drawers are used for each cashier; however, at the end of their shift, there is not a formal process for performing a drawer reconciliation and cash count to account for all funds before leaving. Based on interviews, reconciliations are performed in total, not by drawer, variances are typically not identified, and adjustments are not posted until a weekly reconciliation process. It is difficult or impossible to determine the cause of variances. receipt, collections are counted, and a formal receipt (system generated or manual) is issued prior to the individual making the payment or deposit leaving. ● A detailed reconciliation by drawer is performed at the end of each shift, including reconciling the beginning base fund, plus receipts recorded in the system or manual receipts, to the ending balance on-hand. This should be performed by payment type (cash, checks, and credit card transactions) and variances should be researched and resolved prior to the cashier leaving for the day. ● The count and reconciliation process for each drawer should be verified and signed off on by a second individual, and deposits should be secured appropriately until the full deposit is processed at the end of the day. ● A full end-of-day reconciliation of all drawer deposits to the system totals or manual receipt totals for the day by payment type and preferably by revenue source. This reconciliation should be documented and reviewed, and all variances should be researched and resolved immediately. ● The full day’s deposit, once reconciled, should be documented and stored in a safe until the deposit is picked up by an armored service or physically taken to the bank for processing. 17 Payments collected are properly protected until deposited at the bank. Based on interviews performed, adequate controls are not in place to ensure that all payments collected are properly secured until they are deposited. During the recommended full cash handling assessment, the processes for controlling payments should be analyzed. However, the City should implement immediate corrective actions to ensure that payments collected are properly protected and prevent misappropriation of City assets. Specific actions should include: High High Enterprise Internal Controls Review Report | 24 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE Specifically, it was unclear as to whether individual sites are restrictively endorsing checks upon receipt and whether the payments are secured in a locked drawer or safe until deposit to treasury. In addition, the Cashiering Unit drawer deposits, which include all of the individual payments processed and the remote deposits collected, at the end of each shift, are placed in a basket within the Cashiering Unit, rather than immediately being placed in a secured safe or locked drawer. Based on interviews, the Cashiering Unit is secured and access is restricted to only their employees, which helps to mitigate the related risk. These control gaps create the risk that payments collected could be stolen, and it would be impossible to identify who took the funds or when the funds went missing. ● Communication should be sent out to all cash handling departments that checks received must be restrictively endorsed immediately upon receipt. ● All departments should be physically assessed to identify an adequate means of securing payments upon receipt (e.g., a safe, locked office and drawer), and individuals responsible for monitoring these controls at each department should be identified. ● The Cashiering Unit should not keep cash/payment deposits in an open area throughout the day. A process should be developed immediately to require that deposits (bags of payments) be properly secured immediately after a cashier’s shift. ● Access to the physical areas where cash is stored should be assessed to ensure that the areas are properly secured. 18 Surprise cash audits are performed on a regular basis and We were unable to obtain documentation of any surprise cash audits or counts performed by the Surprise cash audits are an effective internal control for addressing the risks that arise due to the decentralized nature of cash receipts throughout the City. A documented process for performing surprise Moderate Moderate Enterprise Internal Controls Review Report | 25 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE include auditing the controls in place at each cash collection department on a rotating basis. Finance Department or the Revenue Auditor. Although these may be occurring at some level, they may not be sufficient, and they are not documented in order to allow for an assessment of their adequacy. cash audits should be developed and implemented and should include, at a minimum, the following: ● Defining who will perform the audits and at what intervals and what the basis will be for rotating departments audited to ensure full coverage each year. ● The specific procedures for performing a reconciliation of the sites base fund, plus receipts reported in the system or on manual receipts, compared to the amount of payments on-hand by payment type. ● Control checks, such as confirming a sign notifying customers/citizens of who to contact if a physical receipt is not received, verifying that checks are restrictively endorsed, checking the physical security of cash on-hand, etc. ● Requirements for documenting the results of each audit and ensuring that any deficiencies identified are communicated, addressed, and followed up in a timely manner. CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE 19 The City has adequate controls in place to protect cardholder data and to ensure compliance with Payment Card Industry (PCI) The City has not established a formal policy and process for monitoring PCI compliance. Best practices suggest that formal security procedures should be documented and implemented, systems should be designed appropriate to control cardholder information, and a systematic and continuous monitoring program should be in place to identify and manage process and system weaknesses where PCI could be exploited. Moderate Moderate Enterprise Internal Controls Review Report | 26 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE Data Security Standards, which are applicable to all organizations that store, process, or transmit cardholder data. 20 Adequate internal controls are in place to ensure the integrity of the vendor master file. Both A/P and Purchasing employees have systems access in MUNIS to process vendor changes; however, A/P is primarily responsible for entering new vendors and processing vendor changes (e.g., vendor name, address, and contract information). Although workflows are established to require approvals of vendor additions/changes, this presents a significant segregation of duties risk. Independent reviews of the vendor master file and related system change/edit reports are not performed regularly. Current practice is to require a W-9 at vendor setup; however, based on interviews performed, a new W-9 is not always required when vendor changes are requested. Best practices in internal controls recommend that access to add new vendors or process vendor changes should be restricted to individuals outside of the A/P function. Segregating duties between vendor file maintenance and payment processing is important to maintaining internal controls over the disbursement process. Allowing access to both functions creates the risk of the same person having access to set up a new vendor and process a fraudulent payment to that vendor. The City should restrict systems access and responsibilities related to maintaining the vendor master listing to individuals independent of the A/P function. To ensure adequate monitoring of the vendor master files, reports should be run from MUNIS on a regular (defined) basis, and reviewed by someone independent of the A/P function, and the results of these reviews should be documented and maintained. Reports monitored should include, at a minimum: ● The vendor master listing, in detail, along with the last activity date for each active vendor. ● All vendor additions and changes processed during the period, along with the name/ID of the employee who processed the change/addition and approved the change/addition. High High Enterprise Internal Controls Review Report | 27 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE A W-9 should be required and verified whenever a change is processed to a vendor’s name, address, or EIN. The independent review described above should include selecting a small sample of vendor additions and changes and ensuring that a completed W-9 is on file to support the addition/change. 21 All vendors, prior to becoming an approved City vendor, are checked for suspension and debarment. Accountability for performing this check is defined, and the results of the verification is documented to support new vendor setup. Based on interviews, vendors that are selected through the formal RFP process are typically checked for suspension and debarment. However, this check is not being performed for all new vendors, responsibility for performing this check is not defined, and the results are not consistently documented and maintained to support new vendor setup. The CFR, as well as best practices, require that a formal process be in place to ensure vendors are not suspended or debarred prior to conducting business with them. The recommended threshold is $25,000 of combined total vendor purchases. A formal policy should be established and address, at a minimum: ● The threshold for when a suspension and debarment check must be performed. ● Responsibility for performing this check and when in the procurement process the check must occur. ● Documentation required to support that the check was performed and how/where the documentation will be maintained to support new vendor setup. ● A reverification process for confirming that vendors used for longer than a specified period (e.g., one year) are reconfirmed and the results of the review are documented. Moderate Low 22 Vendor payment activity is monitored on a regular basis, and the results of the review are assessed and documented. Vendor payment activity is not being monitored on a regular basis by someone independent of the A/P function. A formal monitoring process for reviewing and assessing payment/disbursement activity should be developed and documented. The A/P monitoring process should include, at a minimum, the following: ● Total disbursements, by vendor, citywide and by department. Moderate Low Enterprise Internal Controls Review Report | 28 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE ● Total disbursements, by department and by month, and comparing to the same month of activity in prior year. The reviews should be documented and any unusual trends or activity should be researched. 23 The A/P process includes adequate controls, including reviews, approvals, and reconciliations to ensure that all payments are properly approved and supported and appear appropriate. A final review is performed and documented, ensuring that all invoices approved for payment pre- processing tie to the actual disbursements processed. Prior to June 2020, the review and approval process of A/P weekly check batches was not adequate to ensure that the final disbursements processed tied to those that were initially approved pre- processing. As a result, during our walkthrough of the first A/P check batch processed in May 2020, we were unable to reconcile the reports utilized to tie out the pre-processing approved totals to the final processed disbursements, and there was no documentation that a review had been performed internally by someone independent of the A/P function. A new process for monitoring and reviewing weekly check batch activity was implemented in June 2020 to address the control gaps identified during this review. However, the process has not been The new process for monitoring and reviewing weekly check batch activity should be documented in a P&P and include, at a minimum, the following: ● Specifications as to what reports will be reviewed and approved by whom and when. ● The specific supporting documentation (e.g., vendor invoices or other payment support) that must be included to support the pre-processing check batch review process. ● The reconciliation process between the pre- processing approved totals (number of invoices and total amount) to the final disbursements processed on the final check register, including how variances will be researched and addressed. ● The comparison of the actual physical checks to the final check register. ● The documentation that will be maintained to support the review and approval process for each A/P weekly check batch. ● The requirement that final printed signed checks not be returned to the A/P Department. ● The new process should be reviewed as part of a future project to assess the adequacy of the controls and documentation. Moderate Low Enterprise Internal Controls Review Report | 29 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE documented in a P&P, and the process was not verified during this review. 24 After printing A/P checks, the physical checks are not returned to the A/P Department, and are mailed out by an individual independent of the A/P function. Based on interviews, the physical signed checks are returned to the A/P Department prior to being mailed out to vendors. This creates the risk that a check could be misappropriated. Physical, signed checks should not be returned to the A/P Department after printing/signing. They should be given to a person that is independent from the A/P function for a final comparison to the final check register, matched to any mailing support, and mailed. High Low CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE 25 Comprehensive Fixed Asset P&Ps covering fixed asset management are available to employees, and all employees assigned responsibility for tagging, safeguarding, accounting for, and inventorying Detailed fixed asset P&Ps do not exist, and personnel responsible for fixed asset management do not receive regular training. Comprehensive fixed asset management P&Ps should be developed, and personnel assigned responsibility for tagging, safeguarding, accounting for, and inventorying fixed assets should be trained accordingly. The fixed asset P&Ps should cover areas such as: ● Purchasing and G/L coding ● Documentation requirements and asset tagging ● Fixed asset recording ● Safeguarding ● Fixed asset custodian responsibilities ● Inventory process High Moderate Enterprise Internal Controls Review Report | 30 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE fixed assets have been trained. ● Disposals 26 Fleet fixed assets are adequately tracked utilizing the City’s fixed asset module in MUNIS. Fleet purchases are not recorded as fixed assets in the MUNIS system upon purchase. Rather, they are expensed in MUNIS, tracked manually in an Excel spreadsheet, and entered into Fleet Focus within the department. This results in a manual process for tracking asset balances, additions, disposals, and the related depreciation. On a regular basis, Finance is reconciling related fixed assets recorded in MUNIS to the Fleet Focus asset listing. We obtained the reports from these two systems, and were unable to determine if they reconciled. PO reports are also reviewed in detail, line- by-line, to identify potential vehicles that should be capitalized. Based on the documentation available and the manual processes involved, it appears there is a risk that vehicle purchases and disposals may not be identified and recorded timely. Given that the MUNIS fixed asset module is not currently being utilized to track fleet purchases, there is an increased risk of misappropriation of assets or incomplete fixed asset records. To ensure that fleet assets are monitored adequately and are recorded timely, the full reconciliation process between MUNIS and Fleet Focus should be performed regularly, at set periods (e.g., monthly or quarterly), and the reconciliation should be documented. System reports should be run on the same date, and any variances between the two systems should be identified and researched. The City should assess this process to determine whether there is a more efficient and effective way to identify vehicle additions upon initial purchase, thus reducing the need for a manual reconciliation process to identify variances. While there are benefits to utilizing Fleet Focus for tracking fleet asset activity, it requires the assets be entered individually, upon purchase, into the MUNIS system for asset tracking. Adjustments could still be processed at specified points throughout the year to account for increases or decreases in value, based on Fleet Focus reports. High Moderate Enterprise Internal Controls Review Report | 31 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE 27 An annual full physical fixed asset inventory is performed. The inventory process is well-controlled, performed by individuals outside of the asset custodians, and the results are adequately documented. The documentation provided to support the quarterly/yearly physical fixed asset inventory process did not appear to be complete or show that an effective inventory was performed for each department. Based on interviews performed, the inventory process is likely performed by the asset custodian for each department, and formal instructions for how the inventory is to be performed are not documented to ensure that the process is complete and effective. Not all departments perform a thorough inventory, resulting in asset disposals that are not identified until years after the fact. Department directors are ultimately responsible for these inventories; however, the related responsibilities are not documented and the reviews/approvals are not maintained. The fixed asset inventory process should be evaluated and improved. The current process in place may not be effective and does not appear to be well-controlled. The following should be considered: ● If the physical inventory process is going to be performed on a rotating basis (e.g., quarterly covering different department assets), then a reconciliation of the assets inventoried each quarter compared to the year-end listing should be performed and documented to ensure that all assets were accounted for during the quarterly inventories. ● Physical inventory instructions should be developed and provided to all individuals responsible for performing inventory counts. ● Instructions should include requirements for verifying the details of each asset, the tab number assigned, and the condition, as well as the requirement for assessing the assigned listing for completeness or untagged assets within their assigned department. ● Physical inventory counts should always be performed by individuals that are not custodians of the assets (e.g., not the individuals who are responsible for maintaining those assets). ● The result of each department’s physical inventory should be documented, approved by the department director, and assessed for training needs. For instance, if disposals or asset purchases were not reported until year-end, then the department personnel should receive training on what should be done when these transactions are processed and they should be held accountable for complying. High Moderate Enterprise Internal Controls Review Report | 32 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE ● All variances identified should be thoroughly researched, resolved, and documented. 28 Fixed asset disposals, surplus, and transfers are reported timely and documented and processed consistently. Based on interviews performed, it was determined that departments are not consistently reporting fixed asset disposals, assets for surplus, and asset transfers. At times, departments are just disposing of assets without following any formal process for documenting and processing the disposal. This results in assets being identified as being disposed of several years after the fact. Assets are not consistently reported to the Central Warehouse as surplus to be available for use by other departments or auctioned off for the benefit of the City. Controlling the fixed asset disposal process is vital to ensuring that City assets cannot be misappropriated, such as being taken home by employees or sold by individuals rather than being auctioned for the benefit of the City. Enhanced fixed asset inventory processes will aid in identifying instances of unreported disposals more timely. Given that so much responsibility is put back on the departments who have the asset rather than deploying a centralized asset management process, training should be provided to all asset custodians on their responsibilities related to disposing of assets, reporting surplus assets, and transferring assets. All assets being disposed of or moved from an assigned department should be immediately reported to the Central Warehouse for tracking and processing. A formal Disposal/Transfer form should be utilized, and all surplus property should be tracked. Any non-compliance with these processes should be tracked by the Central Warehouse, and department directors should be held accountable for ensuring their departments appropriately track and report assets. High High CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE 29 The City’s inventory management Given the significant internal control issues identified during this high-level review, The City should consider performing a full assessment of the inventory management function at all sites that handle inventory on behalf of the City. Given the High High Enterprise Internal Controls Review Report | 33 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE function has been fully assessed to identify internal control gaps and opportunities for improvement. there is a significant risk that inventory could be misappropriated and that it would not be identified. The overall inventory management function is not well-controlled and adequate independent monitoring is not in place. A full outside assessment of the inventory management function, including the Central Warehouse, Automotive Warehouse, and other departments that maintain inventory, has not been performed. control gaps identified, detailed testing should be performed to quantify any inventory misappropriation or errors that have occurred over the past several years. Each area of inventory management should be fully assessed, including the procedures for purchasing, receiving, logging, using, reconciling, reporting, and inventorying. Significant control improvements should be implemented to protect the City’s investment in inventory and mitigate the related risks, including public scrutiny that can occur if inventory is not properly controlled. 30 Inventory at the various departments (outside of the Central and Automotive Warehouses) is adequately tracked and monitored. Based on interviews, there is a lack of understanding of how inventory at other departments, such as Utilities and Police, are maintained and controlled. Consistent, independent monitoring and oversight is likely not in place over these other inventory locations. The City should identify all departments across the City that maintain some level of internal inventory on- hand to support daily operations. Formal procedures and monitoring should be in place to ensure that these smaller inventories, managed by individual departments, receive an adequate level of control to prevent misappropriation. High Low 31 Adequate segregation of duties is in place over the inventory function at the Central and Based on interviews performed, there are very limited, if any, segregation of duties in place over inventory management. The same individuals are assigned sole responsibility, at times, for purchasing, A full assessment of segregation of duties over inventory management functions should be performed for the Central Warehouse and Automotive Warehouse. Duties should be adequately segregated between existing personnel, and where needed, mitigating controls should be implemented to address High High Enterprise Internal Controls Review Report | 34 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE Automotive Warehouses. receiving, counting, and reconciling inventory, creating a significant risk that inventory could be stolen and not identified or an individual could be accused of stealing inventory and there would be no way of verifying whether the claim was justified. Historically, all aspects of inventory management at the Automotive Warehouse have been performed by one individual. any remaining risks. The following actions should be considered: ● Responsibilities for and access to purchasing inventory and receiving the inventory should be segregated to separate employees. If this is not always possible, then inventory received should be subsequently verified by an individual independent from the original purchaser. ● Inventory physical counts should be conducted and verified by someone independent of the inventory management function. Those individuals responsible for managing the daily activity of inventory should not be the ones designated to perform the physical inventory counts, compare those counts to system totals, and research and report inventory adjustments as warranted. ● Spot checks comparing inventory on-hand to system inventory totals should be performed by someone independent of the inventory management functions on a regular basis. All reviews should be documented, and variances should be researched and addressed in a timely manner. ● The physical security of both warehouses should be physically assessed to ensure that access is restricted to individuals who warrant access for their job responsibilities. ● Access to adjust inventory levels (e.g., record inventory corrections, increases/decreases, etc.) should be appropriately restricted and related activity should be independently monitored on a regular basis. 32 Automotive inventory is managed through Automotive inventory is managed on a separate system, which is Fleet A full assessment of the Automotive inventory management process is needed to fully identify control and process improvements that would address the High High Enterprise Internal Controls Review Report | 35 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE a controlled system on a perpetual basis, and the system integrates with MUNIS. Focus (Asset Works). However, this system does not integrate with MUNIS, and there are not monitoring and reconciliation controls in place to ensure that the systems reconcile and that inventory adjustments are appropriate. Automotive parts are not barcoded, and given the nature of the related assets, it is important to track inventory down to the specific vehicle. This tracking is a manual process, which both requires individuals to write down usage on a log and then an individual with access to Fleet Focus to process the transactions when time permits. There are no independent reconciliations or verifications to ensure that all usage activity is correctly coded to corresponding vehicles, the related expenses are correctly charged to individual departments, and the activity recorded is complete and based on maintenance/repairs that actually occurred. significant deficiencies identified. At a minimum, the recommended controls should be considered and implemented immediately where possible, until such time that a full assessment can be performed. In addition, the following should be considered: ● Although Fleet Focus and MUNIS do not integrate, regular system reconciliations should still be occurring to assess the reasonableness of the amounts reported in the department’s perpetual inventory system. ● An assessment of the manual processes of recording inventory usage should be assessed to determine if automation is possible. At a minimum, a formal documentation of usage process (e.g., consistent form or template) should be utilized, and a daily reconciliation of usage reported on the forms/templates should be reconciled to the system entries each day. These reconciliations should be documented, variances should be researched timely, and an independent review should occur. Enterprise Internal Controls Review Report | 36 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE 33 The physical inventory process is documented and well-controlled to ensure that all inventory is verified/counted on at least an annual basis by someone outside of the person responsible for the daily management of the inventory. Variances in inventory levels are researched and addressed timely. The City’s physical inventory process is not adequately controlled, and as a result, the results of the inventory are likely not reliable. As noted above, the same individuals who manage the inventory at the Central and Automotive Warehouses on a daily basis are the ones who are responsible for performing the physical inventory counts of that inventory. Inventory results are reported to the Finance Department for any adjustments that need to be posted to the general ledger. However, there are no independent verifications of the inventory counts reported. Historically, the variances identified have been extremely minimal, which raises a red flag that the counts may not be accurately or fully performed. For example, the Central Warehouse system inventory report included 102 pages with 1,022 different line items of inventory on-hand at the time of the physical count. However, the variances A full physical inventory count should be performed, at least one time per year, for the Central and Automotive Warehouses. Counts should include a “blind count” of inventory levels utilizing a listing of all potential inventory types and identification information, without the current system inventory balances included. This “blind count” approach allows for an independent count of the units on-hand without any bias or reliance on the system totals. After the count is performed, the inventory on-hand system reports should be run and a full comparison of inventory count results to on-hand system totals should be performed. All variances should be researched immediately. Inventory counts should always be performed by someone independent of the person who is assigned inventory management responsibility. Typically, the individual assigned to perform the independent count is someone in the Finance Department or an auditor. All inventory counts performed should be properly documented, and the results should be reviewed and approved by upper management. High High Enterprise Internal Controls Review Report | 37 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE identified and corresponding adjustments posted were only 16 line items totally approximately $16,000. There are thousands of inventory units on-hand, and given the current lack of controls, the minimal year- end adjustments seem unusual. CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE 34 Financial Reporting P&Ps are documented, and the City is actively utilizing the P&Ps to guide the financial reporting function. Comprehensive checklists or other control tools are in place to guide the month-end and year-end close processes. There are no citywide P&Ps covering financial reporting, including month-end and year-end close, journal entry processing, chart of account maintenance, producing, reviewing and approving financial reports, and required monitoring and oversight. In addition, Finance does not have a monthly close checklist, or similar tool, to track all tasks that must be completed at month-end close, the responsibility for performing and reviewing each required tasks, and the The financial reporting function for the City is key to ensuring that accurate, reliable, and timely financial information is available for decision-makers. Comprehensive Financial Reporting P&Ps should be developed to ensure that all key roles, responsibilities, and requirements are well-defined. These P&Ps should, at a minimum, cover the following: ● Month-end and year-end close procedures, including tasks that must be completed for each account, department, or function, the assigned preparer and reviewer, the underlying support required for each reconciliation or adjustment, and the timeline for completion. ● Journal entry processing, including how to prepare, review, and approve entries, who has the authority and responsibility for each of these functions, and the supporting documentation required. High Moderate Enterprise Internal Controls Review Report | 38 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE timeline/due dates for each. There is a year-end close checklist; however, it may not be adequate as it currently only shows each account and a deadline. ● Chart of accounts establishment, updates, and maintenance, including the defined structure for use. ● Financial reports prepared, timelines for completion, accuracy checks and reasonableness assessment procedures, approval requirements, and presentation formats. ● Monitoring and oversight roles and responsibilities for key financial reporting activities to promote proactive monitoring, identify unusual or problematic activity timely, and ensure errors are identified. In order to ensure that a complete and accurate month-end close process is completed each month, which is best practice to ensure the timely production of financial reports, a month-end checklist should be developed and implemented. The checklist should cover required reconciliations, journal entries expected, and other closings tasks, with the designated preparer responsible for the task and the assigned reviewer’s role and designation, and the timeline to ensure a timely close process occurs. The current year-end checklist should be enhanced to ensure there are detailed tasks assigned to promote accountability, ensure errors are identified, and deliver year-end financial statements on time. 35 Trend analysis on key financial activity and indicators is performed on a regular basis. Unusual or unexpected trends The City did not provide any documentation of consistent trend analysis performed each month, quarter, or year to monitor financial results and activity, such as assessing month-to-month activity, prior year monthly activity to current year, year- Financial reporting trend analysis performed on a routine basis can help to identify unusual trends, errors, or poor performance timely. The City should develop a set of key financial reporting trend analyses to be performed each month to allow for regular oversight and monitoring. Some key trend analysis and report monitoring that may provide value to the City include: Moderate Moderate Enterprise Internal Controls Review Report | 39 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE are identified and researched timely. to-date activity and balances in comparison with prior year, department comparisons by month/year- to-date, or other key trend analysis. While some of these financial analysis may be performed informally or on an ad-hoc basis, there was not a consistent analysis and follow- up/research process in place to timely identify unusual activity, indicators of errors or poor performance, etc. ● Revenue and expense analysis month-to-month, by department, and current-year month to the same month in prior-month. ● Year-to-date revenue and expense analysis, by department and citywide, compared to the same year-to-date information from prior-year. ● Specific expenses as a percentage of related revenue, year-to-date, by department. ● Budget to actual, by department, in comparison with prior year actual (month over month and year- to-date). ● Account balances for balance sheet accounts, by department, in comparison with prior year. ● Other key financial performance indicators compared on a monthly basis and assessed over time. 36 Monthly financial reports are prepared and reviewed. Departments receive timely financial reports and are actively involved in performance monitoring. Currently, there are not defined financial reports that are prepared, reviewed, and distributed to departments on a monthly basis. Financial reporting to the City Council occurs a few times throughout the year; however, there are not monthly financial reporting packets included each month for ongoing oversight. Monthly financial reporting is vital for ensuring that senior management, department leadership, Finance Committee, and City Council have timely information for decision-making and addressing performance issues, expense overruns, downturn in revenues, etc. The City should define which financial reports are valuable to produce, review, and distribute on a monthly basis. All individuals responsible for oversight of departments or functions should be actively involved with reviewing financial reporting information. A monthly financial reporting packet should be prepared for, and submitted to, the Finance Committee and City Council. Moderate Moderate 37 Accounts are reconciled on a monthly basis and adjustments are Monthly bank reconciliations were provided and To ensure monthly financial reporting can be performed accurately and timely, Finance should identify all balance sheet accounts that would benefit Moderate Moderate Enterprise Internal Controls Review Report | 40 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE posted timely to reflect current activity and balances. appeared to be completed timely following month-end. However, other month-end close reconciliations, journal entries and other close procedures were not documented. It appears a full month-end reconciliation and close process is not consistently occurring. Most month-end entries are posted based on data- dumps from other sub- ledgers or systems, rather than based on a full reconciliation and assessment of variances. Multiple departments interviewed mentioned that the only full reconciliation and adjustment is typically occurring at year-end. from being reconciled and adjusted monthly, rather than waiting until year-end. All month-end account reconciliations should be added to the month-end close checklist and any significant variances should be researched immediately. While recording month-end entries based on data- dumps from sub-ledgers and other systems does help to prevent material year-end entries, they do not promote the identification of errors or activity warranting research. Reconciliations from the prior month’s ending balance, adding in additions, subtracting known uses, and comparing to the current month ending balance helps to ensure variances are resolved timely, prior to the close of the month. Full reconciliations allow for account activity to be monitored real-time, rather than relying on year-end analysis. CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE 38 Budget P&Ps are documented, and the City is actively utilizing the P&Ps There is only one Council- level policy related to the budget, which focuses on the City’s philosophy and organization of the budget and long-term planning, and The City should develop administrative Budget P&Ps that cover all key aspects of the budget function including: ● The budget preparation process, including timing, department involvement in the development High Low Enterprise Internal Controls Review Report | 41 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE to guide budget- related activities. only has limited reference to the budget process and monitoring. There are no administrative citywide P&Ps covering the budget process, including budget development, approval, amendments, transfers, and monitoring. phase, Council input process, required reviews and approvals, and presenting budgets in a meaningful way to the City Council. ● Budget monitoring, including budget-to-actual reporting, use and responsibilities, required reviews, justification for budget overages, and anticipating changes throughout the year. ● Budget amendment and transfer processing, including what documentation and approvals are required and the responsibilities for each key process. Comprehensive P&Ps covering the budget function help to ensure the budget is utilized effectively as a City management tool. Detailed procedures guiding users on how to manage their budget, including how to monitor budget-to-actual activity proactively and request amendments and transfers on the front-end, rather than waiting until a Purchase Request results in a budget overage, helps to promote accountability down to the department level and can result in efficiency gains by proactively looking forward and anticipating expenses rather than responding to overages as they occur. 39 Budget-to-actual reporting is reviewed, proactively responded to, and approved on a regular basis, ensuring the budget is adequately monitored throughout the The City currently has budget monitoring and trend analysis reports available, and they appear to be produced on a regular basis. However, there is limited documentation available to show that these reports are being reviewed (e.g., by the specific department, finance, etc.). It is also up to the department (users) to The City has great reports and tools available to aid in budget monitoring across the City. In order to ensure that the available budget reports are utilized effectively by the City, it is important to determine and document how each available report should be used, the timing in which they will be produced, who is responsible for reviewing them, and what follow-up activity should be performed based on the results reported. The City should evaluate the budget monitoring tools and reports that are available, determine which reports are valuable to the budget monitoring process, and include these components when the City develops Budget Moderate Moderate Enterprise Internal Controls Review Report | 42 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE year and shortages/ overages are identified timely. utilize the reports and monitor them; however, there are no formal requirements documented stating who must monitor these report at the department-level, how often the monitoring should occur, and how the monitoring should be documented. Budget to actual reports and trend analysis reports are available to show year-to- date variances and spending trends for each department; however, it was unclear if these reports are being utilized effectively and if unusual activity and expected overages are being researched and responded to timely. P&Ps. Budget personnel could provide training and guidance to those individuals responsible throughout the City on how to effectively use tools and respond to reports. For instance: ● Budget-to-Actual Reports should be used to proactively assess when budget overages are expected and initiate the amendment process as soon as possible. This would help to prevent delays that occur during procurement or A/P processes throughout the year. All significant variances should be researched and responded to in a timely manner. ● Trend Analysis Reports have available trend data could be beneficial if used effectively. Monitoring trends, such as spikes in use by department, unexpected budget overages, unexpected spending trends, or other unusual trends, can be an early warning sign that something is wrong. The trend analysis could also be used to monitor prior year usage, by month and by department, to current year for unexpected changes in spending. Monitoring these trends can identify red flags that should be addressed in a timely manner. CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE 40 Terminations are reported on or before the termination date. During our analysis of three terminations, we found that systems access is not requested and cancelled The process for reporting employee terminations should be evaluated to include the IT Department in the initial notification of an employee’s last date of employment with the City. The IT Department should High Moderate Enterprise Internal Controls Review Report | 43 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE The related PAFs are submitted to HR immediately once the termination is known, and systems access is cancelled on the final date of employment or immediately after. timely upon termination. Specifically, we found: ● Two instances where the termination date was 5/22/20, an IT ticket was submitted 5/28/20 (six days later). One of the tickets showed a closed date of 8/3/20 (over two months after being submitted) and one was still “pending” as of the date of our request 8/3/20. ● One instance where the termination date was 1/3/30, an IT ticket was submitted 1/9/20 (six days later) and the ticket showed a closed date of 1/16/20 (13 days after termination). be responsible for ensuring that systems access is appropriately cancelled on, or immediately following, an employee’s termination date. An assessment of the IT process for cancelling access should be performed to determine why delays are occurring after they are notified of the termination. 41 Systems access to key functions of the HR and payroll modules within MUNIS are properly restricted to only allow for those employees who warrant edit access to have access. Access is restricted in a way Based on our analysis of MUNIS system access reports, it appears that access may not be adequately restricted for key HR and payroll functions. Specifically, the following access levels create potential risks for inappropriate activity: ● Payroll role (four users): Has update access for employee accruals, Systems access controls over all HR and payroll related functions in MUNIS are key to ensuring that inappropriate or erroneous changes are not processed. In general, in the absence of other mitigating controls, the following segregation of duties, enforced through systems access restrictions, should be in place: ● Payroll personnel should have access to processing time adjustments and payroll corrections, and all functions related to processing payroll runs. However, they should not have access to the employee master file, including new employee setup, pay rate adjustments, accrual High High Enterprise Internal Controls Review Report | 44 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE that ensures adequate segregation of duties between HR and payroll functions. Systems access reports and change reports are reviewed on a regular basis. employee pay, and employee direct deposits. ● HR role (15 users): Has update access to payroll runs and payroll super- user ● IT Admin role (seven users): Appears to have update access to all HR and payroll functions. While this review did not include a detailed assessment of each access level and what these permissions allow these users to do, the levels identified above potentially create risk; however, further evaluation would be needed to determine the level of risk. These risks are increased given that there are no documented access reviews or change report reviews performed for key payroll and HR functions. rate changes or related balance updates, or direct deposit changes. ● HR personnel should have access to setting up all new employees and related information, including pay rates, demographics, direct deposit information, and accrual rates. They should also have access to perform pay rate changes, accrual rate changes or balance updates, and direct deposit and demographic updates. However, they should not have access to any payroll processing or time adjustment functions. ● IT Admin roles should be properly restricted to employees who need access to make regular system updates. This should be very limited, and it is most likely not necessary for seven users to have this level of access, if any. If access cannot be restricted in a way that represents adequate segregation of duties in these areas, then there needs to be regular, documented monitoring in place to mitigate the resulting risk. Monitoring controls should be developed, including a full review of a “change report” showing all new employees set up and all employee changes (specifically to pay rates and accruals of leave) processed along with the user who entered and approved each change. In addition, systems access reports to these functions should be fully reviewed, unwarranted access should be removed, and the reports should be reviewed/monitored on a regular basis. A sample of employee additions and pay rate changes should be verified to supporting documentation as part of these reviews. These monitoring activities should be performed by someone independent of the related HR and payroll functions, and the reviews should be documented. Enterprise Internal Controls Review Report | 45 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE 42 Monitoring controls are in place over the payroll function. Based on interviews performed, there is not adequate monitoring in place over payroll-related activity. Monitoring controls over payroll activity should be developed and implemented. Monitoring can identify potential inappropriate or erroneous activity. Monitoring controls over payroll activity should include, at a minimum, the following: ● Accrual activity including assessing paid time off (PTO) use and accruals, by employee. ● Total gross payroll, by employee, over a period of time. ● Timecard adjustments, by employee and by timecard editor. ● Overtime paid, by employee, over a period of time. Monitoring activities should be performed by someone independent of the payroll function, and all reviews, and any follow-up performed, should be documented and maintained. High Moderate 43 Payroll processed each pay period is reviewed by someone independent of the payroll function. The review includes a reconciliation of the pre-processing approved reports and the final disbursements processed. A process is in place where the Payroll Department saves all payroll processing reports to a file, summarizes the data from those reports, and provides the summary along with the final payroll system report to an accountant, who is outside the payroll function, to “audit” the payroll run. However, for the pay period tested, we were unable to reconcile the reports provided, as the reconciliation performed by the accountant was not fully The payroll audit and reconciliation process should be assessed and improvements should be implemented. In order to ensure that the audit/reconciliation is effective as an internal control, the following should be in place: ● All pre-processing payroll report and final payroll register reviews/approvals should be documented and verification that these reviews/approvals occurred should be performed. ● The accountant should tie all totals reported to the underlying system-generated payroll reports. ● The full reconciliation process, including reconciling time reported to time paid, pre- processing reports to the final payroll register, and the analysis of any variances or adjustments, Moderate Moderate Enterprise Internal Controls Review Report | 46 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE documented, and it was unclear during interviews whether the accountant is tying all summary totals to the underlying system- generated reports to ensure the information being reconciled/audited is accurate. should be documented and the documentation should be maintained with the payroll run support. CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE 44 The City has a mature IT governance function in place that is supported by P&Ps. Currently, the City does not have a formal IT Governance Committee or designated body. A formal IT Governance Policy is not documented and implemented. The City should consider implementing an IT governance body in order to determine the best framework for governance, as well as determine how best to invest in IT. An IT Governance Policy should be developed, specifically to address how decisions are made, who has authority to make decisions, who is held accountable, and how the results of these decisions are measured and monitored. Moderate Moderate 45 The City has a dedicated IT security and cybersecurity position or function, and the roles and responsibilities are clearly defined. While the City does have IT security practices in place, it does not appear that the responsibility for overall IT security, including cybersecurity, is defined. IT security P&Ps are not in place to ensure that the risks in this area are The City should consider implementing an IT Security policy/function in accordance with ISO 17799, "Information Technology - Code of Practice for Information Security Management." This policy/function should aim to ensure that the City has a comprehensive security policy, organization security, asset classification and control, access controls, system development and maintenance, and business Moderate Moderate Enterprise Internal Controls Review Report | 47 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE proactively managed, prevented, and addressed. continuity in order to adequately reduce security infrastructure risk. 46 The City has a formal IT disaster recovery plan in place that is tested regularly and supported by P&Ps. The City does not have a documented IT disaster recovery plan. The City should document and implement a disaster recovery plan that, at a minimum, addresses a structured approach for how quickly and in what manner the City can resume work after an unplanned event. This is an essential part of business continuity. It will help the City to resolve data loss and recover system functionality so that it can perform as seamlessly as possible in the aftermath of an event, even if it operates at a minimal level. Once developed, the disaster recovery plan should be tested on at least an annual basis, and the results of the testing should be documented. High High 47 Mobile and remote access policies and monitoring controls are in place to ensure that City information is protected. A documented Mobile Access Policy is not in place to document the requirements and controls surrounding accessing City email and other information on personal cell phones or tablets. In addition, a documented Remote Access policy for users accessing the City’s network remotely is not in place. A formal monitoring application for employee mobile access and remote access is not utilized. Without documented policies, and a comprehensive monitoring program in place, over mobile and remote access, the risk of data breaches is increased, and it is more difficult to hold employees responsible for ensuring City information is protected and secured. The City should document formal Mobile Access and Remote Access Policies, and develop a formal monitoring program over the access of City information on mobile devices and through remote logins. Mobile access should be controlled through verification of user authentication, implemented security patches regularly, encryption use, frequent backups, etc. Policies should address the limitations of remote access use and guidelines for employees to reference to ensure proper use and protection of City information. Moderate Moderate 48 Systems access to all City systems is well-controlled and The City has implemented ad-hoc meetings between the Finance and IT Regular reviews of systems access reports are key in providing control over City assets, systems, and information. The current ad-hoc Finance/IT meetings High High Enterprise Internal Controls Review Report | 48 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE monitoring activities occur regularly and the results are documented. Departments to review systems access levels assigned to employees. However, the reports reviewed, access levels researched or adjusted, and overall outcome of these meetings is not formally documented. Therefore, we are unable to determine whether they are effective in controlling systems access risks. There are varying levels of IT reporting performed; however, there is not a recurring reporting and review process to monitor system activity. should be formalized to define the frequency of occurrence, the reports that will be reviewed, and related roles and responsibilities. Finance should ensure that finance roles are clearly defined and that user responsibilities tie to the user access levels assigned. A matrix of segregation of duties for key financial functions, such as purchasing, A/P, payroll, and cash receipts, should be developed and utilized for comparison to the systems access reports during these meetings. The results of these meetings should be documented, and the documentation should be maintained to support the monitoring process. The IT Department should develop system activity reporting that is provided to City management on a regular basis (at least quarterly). Reporting may include active directory reports, automatic system-log- out checks, system penetration testing results, and other key system and access reports. These reports should be discussed within the ad-hoc meetings to assess the impact of the results and ensure that any unusual activity is addressed in a timely manner. 49 Penetration testing is performed to evaluate the City’s ability to protect its network, applications and users. The City’s IT Department does not perform penetration testing on an regular (annual) basis, and policies around how these tests will be performed, how often and by whom, and how the results will be communicated and addressed are not documented in City P&Ps. Penetration testing helps the City manage vulnerabilities, avoid the costs related to potential network downtimes, and develop confidence among the various City stakeholders that the City’s systems are properly protected and that vulnerabilities are identified and addressed timely. The City should develop a process for performing penetration testing on, at a minimum, an annual basis. A formal City P&P should be documented addressing how the testing will be performed, how often and by whom, and how the results will be addressed and reported. The policy should then be implemented and the results should be documented. High High Enterprise Internal Controls Review Report | 49 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE 50 Adequate Grant Management P&Ps are in place, training is provided to those responsible for grant management, and regular assessments of grant activity are occurring. Grant revenues account for over $20 million in City revenue. While this is not a large portion of City revenue (approximately 7-8%), there are risks related to non- compliance. Grants management was not included in the scope of this project; however, based on limited interview information obtained, the City could benefit from an assessment in this area. The City should assess whether Grant Management P&Ps are in place, and whether those City employees responsible for managing grant funds are adequately trained in managing grants and the related compliance requirements. Given the limited funding that comes from grants, there is an increased risk of a lack of adequate oversight, monitoring, and training. Grants are managed in a decentralized manner, resulting in most of the compliance aspects falling on various City departments, with varying levels of grant knowledge or compliance controls. Moderate Low 51 The City has an effective Conflict of Interest (COI) Policy in place, and employees are required to submit COI confirmations on an annual basis. While the City has various policies and Administrative Procedures that address COIs, there is not a comprehensive COI P&P in place to guide how COIs should be reported and monitored. The current Administrative Procedure F5 for Purchasing Goods, Equipment, and Material does not reference what constitutes a potential reportable COI. The City should consider combining all current COI policies and Administrative Procedures to allow for one comprehensive policy covering all aspects of the COI process. The overall COI reporting function should be assessed for adequacy, and related guidance should cover, at a minimum, the following: What constitutes a potential COI, specifically addressing the procurement and contracting functions. What employees are required to do if a potential COI is identified. An annual reporting process for potential COIs, including how information will be reported, who will track reported COIs, and what controls will be implemented to address reportable conditions. Moderate Low 52 A process for tracking and The City does not currently have a process in place to Implement a finding, tracking, and monitoring system/tool. Tracking should include all findings Moderate Moderate Enterprise Internal Controls Review Report | 50 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE monitoring all outstanding audit findings and the related resolution of findings is in place. track all audit (external, internal, or other) findings and the related resolution of findings. Outstanding findings are not actively monitored and reported on to ensure that resolution occurs timely. reported from any mechanism, including those reported from external audit, internal audit, or department or program-specific compliance, grant, or other audits or reviews. Outstanding findings should be assigned planned resolution dates and an owner (employee taking responsibility for resolution). The report should be assessed and updated regularly to ensure the timely resolution of outstanding findings. Consider developing a regular report that is presented to the Finance Committee and City Council to report the current status and resolution of all outstanding audit findings. This is typically an internal audit function. 53 Employees in key control functions, such as procurement, A/P, payroll, cash receipts, etc., are required to have a backup cross- trained to perform their role and to take PTO, allowing for the opportunity for others to perform the role. A policy is not in place to require PTO to be utilized and to ensure mandatory rotation of key functions within the City. A formal process is not established to ensure that all key financial functions have adequate cross- training established and that key roles are performed by separate individuals at times throughout each year. Sole-contributor risks relate to having one person solely responsible for, and knowledgeable of, performing key functions of City control and operations. If a sole contributor is out or leaves the City, others would not be able to step in and perform the function effectively. It also creates the risk that inappropriate activity, such as fraud, could continue to occur for extended periods without being identified. The City should establish a policy that identifies all key financial functions within the City, the primary individual responsible for the function, the assigned backup individuals that are cross-trained to perform the function, and a mandatory rotation of duties process. Those responsible for key functions should be required to take PTO throughout the year and allow for their assigned and trained backup complete the functions. Moderate Moderate 54 Designation of approval authority, for key approval functions, such as approving The current processes established to delegate approval authority to another individual is informal. Workflows The City should develop and document a formal process for delegating approval authority for key forms, transactions, etc. Delegation of authority should always be established in writing, including the person to which the authority is being delegated, the type of Moderate Low Enterprise Internal Controls Review Report | 51 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE timecards and purchases, is documented, controlled, and reassessed regularly. established in MUNIS allow for an approver to forward a document/transaction requiring their approval to another designated individual. However, there is no documented process for how the approval authority must be documented, controlled, and reassessed for reasonableness on a regular basis. approval authority being delegated, and the period of time for which the delegation will be applicable. Individuals should be responsible for assessing delegations on a regular basis to ensure they are still appropriate and applicable. Examples of situations warranting delegation may include timecard approvals, purchase requests, financial reports, and budget amendments. While delegating approval authority is important to ensure that bottlenecks do not occur when an individual approver is out, it is important to ensure that the process is formalized and re-evaluated on a regular basis to maintain the integrity of the approval process and ensure accountability and responsibility is clearly defined and known. 55 Comprehensive up-to-date P&Ps are documented for all City functions. Employees are aware of which policies apply to each key function within the City and have adequate procedures to refer to in order to ensure compliance. There are limited P&Ps available to support the key functions evaluated in this review. The lack of comprehensive and enforced P&Ps over key risk areas resulted in many of the control findings. Without adequate P&Ps, roles and responsibilities are not fully defined, accountability is difficult to monitor, and controls may not be in place or may not be functioning appropriately to protect City assets and promote accurate financial reporting. An inventory of all existing P&Ps across all major City functions and departments should be performed. Once all P&Ps are accumulated and inventoried, an analysis should be performed to identify all P&P gaps (e.g., significant areas/functions that are not supported by adequate P&Ps or supported by out-of-date P&Ps), potential control or performance risks, etc. The results of the gap analysis should be utilized to develop a detailed, prioritized work plan to get the City’s P&Ps drafted/updated, reflect current practices, systems and resources, and incorporate adequate internal controls to promote accountability, identify errors or red flags timely, ensure accurate financial reporting, and operate in an efficient, effective, and consistent manner across all City departments and functions. Regular monitoring and oversight procedures should be built into each P&P to ensure compliance. High Moderate 56 All key functions are supported by adequate While some functions are covered by formalized training (for example, A full analysis of all City functions should be performed to identify those functions most in need of a formalized training program. Consider conducting an employee Moderate Moderate Enterprise Internal Controls Review Report | 52 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE employee training. Employees are trained on a regular basis for the functions that they are involved with and responsible for. procurement), there are many functions across the City that are not supported by routine training programs. A lack of training can result in inconsistencies in performance and a lack of clarity in related roles and responsibilities. survey to identify areas that are most susceptible to a lack of clarity and understanding by the individuals responsible for the function. Training for all employees involved in the areas covered by the new P&Ps (once established) should be developed to ensure that employees understand their roles and responsibilities. A training program should be implemented that includes training of all new hires on functions they will be involved with, and annual training updates should be established for existing employees to provide a refresher and communicate any changes to processes, systems, roles and responsibilities, and controls. ATTACHMENT D MANAGEMENT RESPONSE TO MOSS ADAMS INTERNAL CONTROLS REVIEW Finance Department CITY OF NEWPORT BEACH 100 Civic Center Drive Newport Beach, California 92660 949 644-3126 | 949 644-3339 FAX newportbeachca.gov/finance City of Newport Beach Management Response To Findings Relating to the Moss Adams LLP Internal Controls Review Report (September 16, 2020) September 16, 2020 Management concurs with most findings at a high level as well as the areas identified that have greatest opportunities for improvement. Management also wishes to acknowledge the cost of control procedures should not outweigh the benefit derived from procedures therefore, management must carefully balance the perceived operational risk against available resources and the ultimate cost of any given control procedure. We respectfully submit the following responses to provide greater context and clarity to certain sections of the report. Cash Receipts, Billing and Collections, and Accounts Receivable 10. Comprehensive and current Cash Management P&Ps are not documented, approved, and implemented. There has been some guidance provided to employees; however, it is in the form of memos covering some areas of cash management and a draft policy that has not been finalized and does not include all cash management components. Department-specific P&Ps for cash handling are not consistently documented or verified for adequacy and compliance with citywide requirements and overall internal controls. While not formalized as City Administrative Procedures, management has developed numerous narrative documents that guide the procedures for receiving revenues, daily closing and balancing, processing petty cash requests and many other revenue collection tasks. These documents provide Finance Department staff with specific guidance for such things as managing cash drawers, mail-in payments, preparing a bank deposit, receipting wire transfers and other electronic fund transfers, processing direct deposits, and cash handling procedures. In addition, other departments have cash handling procedures (Library, RSS, Police, Fire, Parking, Public Works, Harbor and CDD). This narrative is updated every year. Management concurs that these documents should be formalized as City administrative procedures and implemented Citywide. 13. The City has various revenue sources that result in A/R, including utility services, tax assessments, and business licenses. As of June 30, 2019, the City reported approximately $12,000,000 in A/R from the various sources. P&Ps to guide each type of A/R, including how A/R will be established, billed, collected, monitored, and adjusted/written-off are not in place. Therefore, each department that is responsible for A/R billing and collections may be doing it differently, and there is a risk that the overall A/R functions are not properly controlled and monitored. The accounts receivable balances that are derived from customer billing systems should be distinguished from accrued revenues (e.g. large intergovernmental tax remittances that are accrued back to match the economic period in which the tax originated). For example, at year end, General Fund accrued revenues totaled $10 million whereas A/R derived from billing systems generally range from $2 million to $6 million, not the $12 million referenced above. It is true that specialty billing systems like alarm, medical, mooring, slip rentals and the like have propagated over the years. Remote and outsourced billing activity is challenging to monitor and control. Management concurs that the City could benefit from tightening up the procedure over these disparate systems. 14. Based on information obtained during interviews, there is a risk that not all City A/R is identified, reconciled, and reported. There are several departments across the City whose activities give rise to the establishment of A/R. Some departments utilize MUNIS for managing A/R, while others use a department-specific system. In addition, many departments have a separate system for the underlying activity that gives rise to the A/R, such as a system for recording utility meter reading data and Community Plus, which is used to process business licensing, alarms, etc. Data from these systems is used to calculate customer bill amounts, which are recorded as City-A/R until collected. There are not reconciliation procedures in place to ensure that all external systems are fully reconciled to the related activity or balances reported in MUNIS, verifying that all activity and balances were properly captured and reported. The Finance Department consolidates and processes payment receipts from disparate pay points throughout the City that utilize approximately 20 different software systems for Library, Parking, Marina, Police Department (parking fines, animal control fees), Recreation operations, among others. In addition, the City has several internally developed and maintained web portals that accept payments online. Management concurs with the findings and recognizes that a decentralized approach to cash receipting and reconciliation would be effective with solid policies and procedures to guide staff actions. This would require departments to more fully participate in reconciling activity from their native software systems. 15. It does not appear that all A/R balances are billed for and collected in a consistent manner and A/R aging and other reporting and monitoring is performed by all departments or by the Revenue Department for all sources of A/R. A/R assessments to determine if write-offs are warranted are only fully performed for department A/R at year-end, and it is unclear if the year-end adjustment accounted for a full detailed analysis of all aged balances. It appears that the City applied an approach of allowing for all A/R over 90 days. The fiscal year ending June 30, 2020 write-off recorded was approximately $500,000; however, we were unable to determine if this was an accurate reflection of the total that should be deemed as uncollectible. Finally, many of the A/R aging reports received included A/R balances that were established five or more years ago and had not been written off and removed from the aging reports. The Finance Department has a clearly defined process to track collectible debt and sharing aged A/R reports with departments for their review. The Revenue Division maintains a draft policy/procedure for write-offs and has always produced aging reports. The Finance Department maintains and utilizes an informal Write- Off/Collections policy and procedure document. Management concurs that this document should be formalized as a City administrative procedure and implemented Citywide. Historically, the City has used collection agents and jointly pursued collections but would write-off receivables that are greater than 3 years old on an annual basis. As we transitioned from our legacy ERP system to our current ERP we are changing our collection agent and write-off procedures. For inactive accounts where the City has no on-going relationship with the customer (closed utility billing accounts, jail booking fees, damage to City property etc.) these balances are sent to collections after they have aged over 90 days past due, typically 120 days past the originally billing. This process is intended to occur monthly to allow the collection agent to pursue relatively fresh delinquencies. Of the $468,050 that was written off in FY 19- 20, over 80% were associated with jail booking fees, police and fire emergency response and damage to City property. Intergovernmental receivables related to cooperative projects and grants are obviously not sent to collections but may be active for several years until a given grant or project has been completed. 16. Based on interviews performed with Cashiering Unit personnel, there are daily reconciliations in place to reconcile beginning balances for each drawer, and in total, to the ending balance on-hand and placed in deposit packets. Individual drawers are counted, the base funds are subtracted out of the total for deposit, and the remaining funds are placed in a deposit bag for processing. There are no procedures in place to reconcile payments collected to an underlying system report or payment log to ensure that the total amount collected throughout the day, less the drawers base fund, ties to the amount being deposited. Individual cash drawers are used for each cashier; however, at the end of their shift, there is not a formal process for performing a drawer reconciliation and cash count to account for all funds before leaving. Based on interviews, reconciliations are performed in total, not by drawer, variances are typically not identified, and adjustments are not posted until a weekly reconciliation process. It is difficult or impossible to determine the cause of variances. Daily reconciliations of each drawer are done at the beginning and end of each day. Cashiers are assigned a different individual cash drawer daily - ensuring the daily drawer count reconciles to each cashier’s activity for the day. Cash collected during the day is deposited and reconciled with the finance system at the end of the day. The procedures are specified in the cash narrative and cash handling procedural documents that are currently used to guide staff actions for properly processing cash receipts and posting revenues into the finance system. Management concurs that these guiding documents should be formalized as a City administrative procedure and implemented Citywide. 23. Prior to June 2020, the review and approval process of AP weekly check batches was not adequate to ensure that the final disbursements processed tied to those that were initially approved pre-processing. As a result, during our walk-through of the first AP check batch processed in May 2020, we were unable to reconcile the reports utilized to tie out the pre-processing approved totals to the final processed disbursements, and there was no documentation that a review had been performed internally by someone independent of the A/P function. The Accounts Payable Batch Total Form is used to compare the total number of invoices, and amount of each batch. The number of invoices and total amounts is also compared with the cash disbursement total, prior to posting the final cash disbursement journal and providing the physical checks to Accounts Payable. The comparison of actual physical checks to the final check register is also completed by comparing the checks to the cash disbursement journal prior to its posting. Management concurs that the development of a formal policy/procedure to document this current practice would provide greater transparency and clarity. Payroll 42. Based on interviews performed, there is not adequate monitoring in place over payroll- related activity. Substantial monitoring of payroll activity is undertaken during each payroll cycle. Adjustments to timecards are reviewed each pay period by the Payroll Processor. Audit reports of changes made by Timecard Processors are run each pay period. The Payroll Processor audits each employee in the payroll warrant and communicates any changes to the departmental Timecard. Management concurs that the development of a formal policy/procedure to document this current practice would provide greater transparency and clarity to current practice. 43. A process is in place where the Payroll Department saves all payroll processing reports to a file, summarizes the data from those reports, and provides the summary along with the final payroll system report to an Accountant, who is outside the payroll function, to “audit” the payroll run. However, for the pay period tested, we were unable to reconcile the reports provided, the reconciliation performed by the Accountant was not fully documented, and it was unclear during interviews whether the Accountant is tying all summary totals to the underlying system generated reports to ensure the information being reconciled/audited is accurate. While management has developed a process for the handling and review of payroll processing reports by HR, Accounting, and the Payroll unit; management concurs that a formal policy/procedure would make the process more transparent and easier to follow. Respectfully Submitted, Dan Matusiewicz Finance Director/Treasurer, City of Newport Beach City of Newport Beach FY 20-21 Internal Audit Program September 24, 2020 Overview I.Introduction II.Internal Audit Program Components III.Enterprise Risk Assessment Overview IV.Internal Controls Review Overview V.Potential FY 20-21 Internal Audit Projects VI.Recommended FY 20-21 Internal Audit Plan 2 3 I. Introduction •The City retained Moss Adams LLP to serve as the designated Internal Auditor and conduct projects addressing: ◦Risks ◦Internal controls ◦Compliance ◦Performance ◦Best practices •Work is being performed under relevant industry standards 4 II. Internal Audit Program –Multi-Year Focus Internal Audit Plan Risks Internal Controls Compliance Performance Accounting and financial reporting, asset management, capital programs, compliance, economics and funding, fraud, governance, human resources, internal controls, maintenance and operations, management, operations and service delivery, organization and staffing, processes and procedures, procurement, public safety, risk management, and technologyFunctions Components PlanCity Internal Audit Annual 5 III. Risk Assessment Purpose and Process •Purpose: Provide City leadership with a means to identify and assess key risks to the City’s ability to achieve its defined objectives and operate effectively. •Process: Assessed 18 categories through document review, interviews, employee survey, and comparison to best practices. Review results with management. 6 III. Risk Factors 7 III. Risk Assessment Results 8 IV. Internal Controls Review Purpose and Process •Purpose: Determine the general adequacy of internal controls across the City and identify areas warranting more in-depth review in the future. •Process: Reviewed the City’s fiscal internal controls for design and performed limited testing in 10 key areas to determine if the controls were designed effectively. Performed assessment through document review, interviews, limited testing, and comparison to best practices. Reviewed results with management. 9 IV. Review Activities •Identify control objectives •Review policies and procedures •Perform control walk-throughs and/or testing limited samples •Assess whether controls would prevent/detect errors or asset misappropriation •Compare the current environment to best practices •Provide recommendations regarding opportunities for improvement 10 IV. Internal Controls Review Results Key Controls # of High Risk Control Issues* # of High-High Risk Control Issues** Total Control Issues Purchasing and Contract Mgmt.4 1 9 Cash,Billing, Collections, and AR 3 3 9 AP and Disbursements 1 1 6 Fixed Asset Management 3 1 4 Inventory Management 1 4 5 Financial Reporting 1 4 Budgeting 1 2 Payroll 2 1 3 Information Technology 3 6 Overall Control Environment 1 7 * High likelihood of occurrence; ** High likelihood and impact of occurrence 11 V. Potential FY 20-21 Internal Audit Projects •Procurement Operational Review and Internal Controls Testing •Inventory Management Internal Controls Testing •IT Operational Review and Internal Controls Testing •Cash Handling Internal Controls Testing •Accounts Payable Internal Controls Testing •Police Property and Evidence Internal Controls Testing •Policy Inventory and Implementation Plan •Finance Customer Service Operational Review •Key Performance Indicator Development •Business Continuity and Disaster Planning Assessment •Resource Sharing and Cross-Training Assessment 12 V. Recommended FY 20-21 Internal Audit Projects 1.Policy Inventory and Implementation Plan: Perform an inventory of fiscal policies to determine gaps and prepare a prioritized implementation plan. 2.Procurement Operational Review and Internal Controls Testing: Assess policies and procedures, workflow processes, and throughput, and test internal controls. 3.Inventory Management Internal Controls Testing: Assess tracking and control of inventory on hand that is expensed when purchased, such as office supplies, tires, safety equipment, and goods sold. 4.Program Management and Internal Audit Plan: Manage program, provide status reports, attend meetings, and prepare FY 21-22 internal audit plan. The material appearing in this presentation is for informational purposes only and is not legal or accounting advice. Communication of this information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials may have been prepared by professionals, they should not be used as a substitute for professional services. If legal, accounting, or other professional advice is required, the services of a professional should be sought. 13 THIS REPORT IS INTENDED FOR THE INTERNAL USE OF THE CITY OF NEWPORT BEACH, AND MAY NOT BE PROVIDED TO, USED, OR RELIED UPON BY ANY THIRD PARTIES. Proprietary & Confidential FINAL REPORT City of Newport Beach ENTERPRISE RISK ASSESSMENT September 16, 2020 Moss Adams LLP 999 Third Avenue, Suite 2800 Seattle, WA 98104 (206) 302-6500 Enterprise Risk Assessment Report FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Table of Contents Executive Summary 1 A. Project Scope and Methodology 1 Impacts of COVID-19 1 Risk Assessment Framework 2 B. Risk Assessment Results 3 Project Scope and Methodology 4 A. Scope 4 B. Methodology 4 Employee Survey 5 Risk Assessment Framework 7 Risk Assessment Results 9 A. High-Risk Categories 9 Procurement and Contracting 9 B. Moderate to High-Risk Categories 11 External Risk 11 Organization Structure and Staffing 15 Information Technology 17 Planning and Strategy 21 Risk Programs 23 C. Moderate-Risk Categories 25 Human Capital and Resources 25 Management and Leadership 30 Operations and Service Delivery 31 Accounting and Financial Reporting 33 Ethics, Fraud, Waste, and Abuse 35 Governance 37 Funding and Economics 39 Table of Contents – Continued Enterprise Risk Assessment Report FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY D. Low to Moderate-Risk Categories 41 Reputation and Public Perception 41 Policies and Procedures 43 Compliance 44 Public Safety 45 Infrastructure and Asset Management 48 Employee Survey Results 50 A. Survey Respondent Profile 50 Percent of Respondents by Years of Tenure 50 Percent of Respondents by Department 50 B. Overall Perceived Risk Ratings 51 Enterprise Risk Assessment Report | 1 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY EXECUTIVE SUMMARY The City of Newport Beach (City, Newport Beach) is located in Orange County, California (the County), and serves a population of approximately 90,000 residents. The City provides a full range of municipal services, including but not limited to: community development, fire, harbor management, library, recreation and senior services, police, public works, and utilities. Moss Adams LLP (Moss Adams, we) serves as the outsourced internal auditor for the City and we report to the City Manager, who oversees our work. As part of developing the internal audit work plan for the coming year, Moss Adams conducted an enterprise risk assessment in order to provide the City’s leadership with a means to identify and assess key risks to the City’s ability to achieve its defined objectives and operate effectively. As part of the assessment, we conducted planning activities, completed fieldwork and data collection, analyzed the results of our fieldwork, and prepared the results of our analysis in this report. The enterprise risk assessment process reflects a specific point in time: the risk assessment phase, which was conducted from February 2020 through April 2020. Both the overall risk ratings and trajectory levels are directly connected to this timing. This engagement was performed in accordance with Standards for Consulting Services established by the American Institute of Certified Public Accountants. Accordingly, we provide no opinion, attestation, or other form of assurance with respect to our work or the information upon which our work is based. This report was developed based on information from our interviews and analysis of sample documentation. The procedures we performed do not constitute an examination in accordance with generally accepted auditing standards or attestation standards. The majority of the research and analysis for this report took place prior to the impacts of the COVID- 19 crisis being experienced by City staff and residents. As such, this report presents a mostly pre- COVID-19 risk profile for the City. The rapidly changing situation—which is still developing at the time this report was issued—will affect many areas of the City’s operations. While the impacts of the pandemic are still unfolding, City leadership reported in June 2020 that the primary impacts have been related to funding and staffing. The City activated the Emergency Operations Center and a cross-section of staff from all departments to respond to the pandemic. A steep decline in tourism and retail sales, due to state-mandated orders, including beach closures, impacted the City’s revenues, requiring significant budget revisions to achieve a balanced budget and impacting long-term financial forecasts. There are major ongoing employee impacts: closure of City buildings has shifted the City’s workforce to almost all remote; public-facing programs were suspended; events were canceled; and public spaces were closed or limited to the public. The City has mounted a small business relief grant program with more than 300 recipients. We anticipate that the pandemic will continue to have impacts for some time on overall City management, including funding and economics, human resources, risk programs, emergency operations, economic development, library and recreation programs, and information technology. Enterprise Risk Assessment Report | 2 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY The process to identify and assess risks considers both internal and external factors. As part of this risk assessment, Moss Adams used a variety of techniques, both qualitative and quantitative, to identify external and internal factors that contribute to risk. The enterprise risk assessment process leveraged the Enterprise Risk Management (ERM) framework, as defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and embraced by the Institute of Internal Auditors (IIA). For each of the risk factor categories, Moss Adams assigned an overall risk level. These risk levels are intended to provide the City with a means of prioritizing mitigation efforts. Definitions of each level for overall risk, impact, likelihood, and preparedness are explained in the table below. Low Low to Moderate Moderate Moderate to High High Overall Risk Level A minor threat to the organization. Ordinary risks that should be addressed during the next review cycle. Risks that should be addressed as soon as reasonably possible. Serious risks that should be addressed expeditiously. Significant risks that should be addressed immediately. Impact Negligible impact. Minor impact on time, cost, or quality. Notable impact on time, cost, or quality. Substantial impact on time, cost, or quality. Threatens the success and/or future of the organization. Likelihood Unlikely to occur with current risk conditions. May occur with current risk conditions. Likely to occur with current risk conditions. Very likely to occur with current risk conditions. Almost certain to occur with current risk conditions. Preparedness Minimal risk preparedness activity. Preliminary risk preparedness efforts have been initiated, though few, if any, are implemented. Deliberate risk preparedness efforts are under way; important gaps remain. Preparedness efforts are well established, documented, and stable. Risk preparedness activities are robust and likely to be sustained. In addition, we also assessed risk relative to risk trajectory, which is the anticipated direction of the risk level given the current risk conditions. Trajectory was rated as decreasing, flat, or increasing. As part of this enterprise risk assessment, Moss Adams identified and evaluated risk conditions within 18 categories that cover strategy and governance, staffing, finance and systems, and operations. The summary results of the risk assessment are provided in the table below, with risk categories listed in order of overall risk rating, from highest to lowest. Enterprise Risk Assessment Report | 3 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY RISK CATEGORY IMPACT LIKELIHOOD PREPAREDNESS TRAJECTORY High Risk Procurement and Contracting  High High Moderate Increasing Moderate to High Risk External Risk  High High Moderate to High Increasing Organizational Structure and Staffing  High Moderate to High Moderate Increasing Information Technology  High Moderate Moderate to High Increasing Planning and Strategy  Moderate to High Moderate Moderate Flat Risk Programs  Moderate to High Moderate to High Moderate Flat Moderate Risk Human Capital and Resources  Moderate to High Moderate Moderate Increasing Management and Leadership  Moderate Moderate Low Flat Operations and Service Delivery  Moderate Moderate Moderate Increasing Accounting and Financial Reporting  Moderate Low to Moderate Moderate Flat Ethics, Fraud, Waste, and Abuse  Moderate Low to Moderate Moderate Flat Governance  Moderate to High Low to Moderate Moderate Flat Funding and Economics  High Low to Moderate Moderate to High Flat Low to Moderate Risk Reputation and Public Perception  Moderate to High Low Moderate Flat Policies and Procedures  Low to Moderate Moderate Moderate Decreasing Compliance  Moderate Low Moderate Flat Public Safety  Moderate to High Low Moderate to High Flat Infrastructure and Asset Management  Moderate Low to Moderate Moderate Decreasing Enterprise Risk Assessment Report | 4 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY PROJECT SCOPE AND METHODOLOGY The City engaged Moss Adams to conduct an independent enterprise risk assessment to evaluate the City’s overarching areas of risk. In order to assess the overall risk level of the City across a number of risk categories, the process followed conventional Enterprise Risk Management (ERM) methodology, as defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and embraced by the Institute of Internal Auditors (IIA). This assessment was conducted under the oversight of the City Manager. The Moss Adams team evaluated 18 categories of risk that collectively comprise operations across the organization. This risk assessment reflects an evaluation of current levels of risk relative to factors that include likelihood of occurrence of a negative event, impact of a negative event, level of preparedness in terms of mitigating negative events, and risk trajectory given the current risk conditions. Using this information, the City can identify the most important areas of risk and prioritize management of these risks. All City departments were included in the risk assessment process. This assessment includes information provided by Finance Committee members, senior leadership, managers, supervisors, and staff. The enterprise risk assessment process reflects a specific point in time: February 2020 through April 2020. Both the overall risk ratings and trajectory levels are directly connected to this timing. The enterprise risk assessment process consists of four phases: 1) planning, 2) fact finding, 3) analysis, and 4) reporting. Planning included requesting documents and identifying which individuals to interview and include in the survey process. Fact finding encompassed document review, analysis of existing data, interviews, and an online survey sent to City employees. Analysis included assessment of the level of uncertainty associated with each risk factor. Reporting entailed the development of draft and final deliverables, along with follow-up discussions with management and presentation to key stakeholders. The activities and goals for each phase are described in detail below. PLANNING We began planning our assessment by requesting a standard set of documents from the City, including (but not limited to) prior risk assessments, audits, public website documents, and financial reports. We used these documents to identify the first round of individuals to interview and additional document needs based on business process/functional areas. Enterprise Risk Assessment Report | 5 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY FACT FINDING Fact finding encompassed analyzing received documents, interviewing select employees and select City Council members, and soliciting additional employee feedback via an online survey. During this phase, we gathered information in order to gain a clear understanding of the City and the way it operates to achieve its goals and purpose. ANALYSIS With the information collected and compiled, we performed a risk assessment that includes a comprehensive review and analysis of the various categories of risks. This analysis included assessing current risk conditions and trajectory, the level of preparedness efforts to mitigate risks, and the probability and potential impact a negative event may have on the City’s ability to achieve its mission, vision, and strategic goals. REPORTING During this phase, we developed a draft report to engage in review and discussion with senior leadership. Based on feedback, we finalized the report for delivery to the City Manager and presentation to the Finance Committee. The enterprise risk assessment process relied heavily on evidence obtained from City employees. By design, the assessment process required access to all senior leadership and many department and division managers. Input was obtained from employees from all departments, through a combination of interviews and an online questionnaire; full disclosure of information has been assumed in this process. Distribution of a risk assessment survey offered staff the opportunity to identify perceived strengths and weaknesses of the City, and provided us with an additional data point to consider during our assessment of potential opportunities for improvement and areas of specific vulnerability. The survey posed a variety of statements for each risk category to employees, including rating scale questions and open-ended questions. Additional questions, including the rating of each category’s overall risk level, were posed only to management-level employees (identified by title, including: managers; supervisors; superintendents; administrators; assistant/deputy leadership positions; and leadership positions). The confidential survey was distributed to 585 full-time employees (FTEs) and was open for submission between March 9, 2020 and March 16, 2020. An internal email to inform employees of the upcoming survey was sent by the City prior to distribution of the survey via the research platform. Out of all the employees invited to take the survey, 88 individuals submitted responses – a participation rate of 15%. This rate is low for public-sector organizations and likely due to the impacts of COVID-19 during the time of the survey. Survey responses are noted in each section. Respondent demographics and overall risk ratings are included in Section IV of this report. Enterprise Risk Assessment Report | 6 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Given the low survey response rate, it is important to note that the survey results were not the sole or primary source of information for our overall assessment or recommendations. The staff survey rating was excluded from our risk assessment rating calculations. Instead, survey results provided additional context and point of comparison to understand staff sentiment and outlook on these issues. In general, staff risk ratings were lower than the risk assessment rating generated by the Moss Adams team, which is usually the case, notably for Procurement and Contracting, Information Technology, Planning and Strategy, and Risk Programs. However, we are cautious to draw specific conclusions due to the low survey response rate. RISK AREA MOSS ADAMS RISK ASSESSMENT RATING STAFF SURVEY RESULT RATINGS Procurement and Contracting High Low to Moderate External Risks Moderate to High N/A Organizational Structure and Staffing Moderate to High Moderate Information Technology Moderate to High Low to Moderate Planning and Strategy Moderate to High Low to Moderate Risk Programs Moderate to High Low to Moderate Human Capital and Resources Moderate Low to Moderate Management and Leadership Moderate Low to Moderate Operations and Service Delivery Moderate N/A Accounting and Financial Reporting Moderate Low to Moderate Ethics, Fraud, Waste, and Abuse Moderate Low to Moderate Governance Moderate Moderate Funding and Economics Moderate Low Reputation and Public Perception Low to Moderate Low to Moderate Policies and Procedures Low to Moderate Low Compliance Low to Moderate Low to Moderate Public Safety Low to Moderate Low Infrastructure and Asset Management Low to Moderate Low to Moderate Enterprise Risk Assessment Report | 7 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY The process to identify and assess risks considers both internal and external factors. As part of this risk assessment, Moss Adams used a variety of techniques, both qualitative and quantitative, to identify external and internal factors that contribute to risk. Risk assessments involve a dynamic and iterative process to identify and analyze risks to the City’s ability to achieve its objectives, forming a basis for determining how risks should be managed. For each of the 18 risk categories assessed, our risk assessment includes an overview of the risk condition at the City, including the current risk level, likelihood, impact, preparedness, and trajectory. In addition, risk mitigation identifies potential strategies to reduce overall risk for each category, and residual risk represents the probable risk exposure after risk mitigation efforts have been implemented. The elements provided below make up the risk assessment framework, which are industry standards and defined by COSO’s ERM methodology. RISK LEVEL Level of uncertainty that could impair functions and processes, in the absence of any actions taken to alter either the risk’s likelihood or impact. • Low • Low to Moderate • Moderate • Moderate to High • High LIKELIHOOD Qualitative assessment of the probability of a negative event occurring, given the current risk conditions. • Low • Low to Moderate • Moderate • Moderate to High • High IMPACT Level of potential impact of a negative event on strategy, people, operations, systems, and resources. • Low • Low to Moderate • Moderate • Moderate to High • High PREPAREDNESS Level of preparedness through activities and resources to manage risks and minimize and limit potential losses. • Low • Low to Moderate • Moderate • Moderate to High • High TRAJECTORY Trajectory of the risk level, given the current risk conditions. • Decreasing • Flat • Increasing RISK MITIGATION Potential strategies for reducing risk. Enterprise Risk Assessment Report | 8 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY RESIDUAL RISK Possible remaining exposure after known risks have been mitigated through specific actions. Enterprise Risk Assessment Report | 9 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY RISK ASSESSMENT RESULTS Overall Risk Level High Impact Likelihood Preparedness Trajectory High High Moderate Increasing Residual Risk Low to Moderate Suggested Risk Mitigation • Conduct a procurement efficiency study, including a workload analysis of the procurement function to determine if there is sufficient capacity and backup to adequately manage this function. • Prioritize the development of a comprehensive set of procurement policies and procedures, including contract management. • Assess the procurement and contract management processes for opportunities to improve efficiency and streamline communication, including leveraging technology to provide status updates and implement system workflows. Risk Areas Risks associated with purchasing processes (e.g., specifications development, bidding, selection) and contract administration (e.g., compliance with terms and conditions, payments, change orders) for goods, services, and capital programs. Scope Procurement and contracting includes purchasing processes (e.g., purchase orders, bidding, selection) and contract administration (e.g., compliance with terms and conditions, payments, change orders) for goods and services. The City’s purchasing function primarily resides within the Finance Department, with some exceptions. The positions involved in purchasing activities primarily consist of a dedicated purchasing agent, who is supported by a senior buyer and a senior fiscal clerk for the City’s central warehouse. A part-time fiscal specialist in the Financial Planning division also processes purchase orders. Public Works has historically had a dedicated buyer for auto parts for fleet maintenance. Public Works also performs, in partnership with Finance, much of the contract procurement related to capital projects. The Deputy Director of Finance is responsible for providing oversight of purchasing activities. The Institute for Public Procurement says that for procurement “...to operate effectively, it is imperative in those [procurement] systems that there be central leadership to provide direction and cohesion.” Best practice is to position procurement processes under the authority of a dedicated procurement position in order to support independence and good checks and balances. Purchasing requests may be initiated by any City employee with access to MUNIS, the City’s enterprise resource planning (ERP) system. The system workflows route purchases through the first Enterprise Risk Assessment Report | 10 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY layer of approvals (at department level) based on the dollar amount and assigned approval roles within MUNIS. A limited group of City employees have permission settings in MUNIS that allow them to convert a purchase requisition into a purchase order. This group includes the Purchasing Agent, the Senior Buyer, the Senior Fiscal Clerk, and a fiscal specialist in Financial Planning. The shift to using workflow approvals in MUNIS has streamlined processes and strengthened internal controls over purchasing activities; however, the volume of purchases continues to increase, which is creating workload challenges for purchasing roles. For example, the number of purchase orders issued by Purchasing increased 128.6% in fiscal year 2018-19 compared to the previous year. The City’s approach to contract management is spread between the City Attorney’s Office (CAO), the Purchasing group, and individual departments. The City Attorney’s office is the primary owner of the contracting drafting process. The assigned contract representative in each department is typically responsible for completing contract worksheets (based on service/work type) on the City’s intranet to trigger the CAO’s creation of a new draft contract based on standardized templates. The purchasing agent is responsible for overseeing the formal bidding and RFP processes for contracts, as well as contract negotiations. The CAO uses the CityLaw system to track contracts while drafting them in conjunction with the departments, until the point that final contracts are printed. The CAO works in collaboration with the HR Department to manage insurance requirements with the City’s broker, based on service types. Once a contract is executed, the information is entered into MUNIS by Finance. Individual departments are then responsible for active contract management during the life cycle of the contract (such as managing budget information and conformance with contract terms and conditions). Public Works engages in capital project procurement activities in cooperation with the Finance Department. The majority of managers who were interviewed reported procurement (including both purchasing and contracting) as a significant pain point and raised concerns about risks to operational effectiveness and efficiency. Staff reported in interviews and the employee survey that central purchasing has often become a bottleneck for procurement processes due to increasing volumes. The transition to the MUNIS system, while bringing positive impacts, also changed the purchasing workflows and demands on central purchasing resources. When there is a new system implementation, it is critical that the new process be assessed in terms of understanding the impact on staffing capacity, otherwise the City faces an increased risk of operational challenges to meeting business needs. The quality of the support for procurement and contracting is reportedly high, with 72% of survey respondents noting that customer service was excellent or good. Q: How would you rate the quality of the internal customer service provided to staff by the procurement and contracting team? 24%48%21%7% Excellent Good Average Poor Terrible Enterprise Risk Assessment Report | 11 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Overall Risk Level Moderate to High Impact Likelihood Preparedness Trajectory High High Moderate to High Increasing Residual Risk Moderate Suggested Risk Mitigation • Continue efforts to implement the City’s Housing Action Plan. • Explore strategies for supporting coordinated government relations activities. • Develop a framework to assess sea level rise vulnerabilities specific to the City, and support the implementation of adaptation strategies in coordination with other local governments. • Develop and implement cross training for key positions, such as the Emergency Services Coordinator. • Continue to participate in regional resilience and preparedness programs, initiatives, and planning. • Identify and begin to capture data on indicators for key external risk factors to establish a baseline for the City. • Conduct an analysis of Assembly Bill 5 risks, including contractual relationships; classification of workers; definitions of "usual course of business"; and short-term employment policies. Risk Areas Risks associated with events outside of an organization’s control. Scope External risks typically include economic trends, natural disasters, climate change, political lobbying and legislative changes, and interagency relations. The City has multiple external risk factors (described in more detail later in this report) that are primarily outside the City’s control. Examples include natural disasters, climate change, political lobbying and changes, and macroeconomic changes such as interest rates and industry shifts. Organizations typically cannot influence the likelihood of these events. Mitigating these risks requires a different approach from the other risk categories identified in this risk assessment. The approach for mitigating external risk factors should include risk identification and subsequent scenario analysis/testing to determine if the City has the necessary resources to mitigate the impact of an external risk event. Legal and Regulatory Changes While the City is subject to many laws and regulations (see the Compliance section of this report); mandates from the State often have significant impacts on the City. For example, as a result of a housing shortage, California’s housing costs have been rising consistently over the last few decades. Enterprise Risk Assessment Report | 12 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY High housing costs make it difficult for many Californians to find housing that is affordable and meets their needs. As part of State activities to address this issue, the proposed Regional Housing Needs Assessment (RHNA) will mandate that the City plan for 4,832 dwelling units between the October 2021-2029 period. Staff report that these requirements have provoked significant concerns from community members about how the City will retain the character of the community and manage the increased infrastructure need to support these additional units. In response to the RHNA, the City has designed the Housing Action Plan with the four objectives: 1) facilitating compliance with mandated deadlines and requirements; 2) appealing to reduce the City’s RHNA number; 3) focusing the General Plan update on housing; and 4) collaborating regionally. In 2019, Assembly Bill 5 (AB 5) became law in California, focusing on how independent contractors are defined and setting new requirements for providing employee benefits. It included a method for determining whether a given worker is an independent contractor or statutory employee under the California Labor Code. Although the impact of AB 5 on public employers appears limited, AB 5 does apply to public agencies. Public agencies like the City should evaluate potential AB 5 impacts on both operations and policy, as misclassifying employees as independent contractors carries potentially significant consequences for employers. Affordable Housing Aside from the challenges posed by RHNA, access to stable and affordable housing within the City and the greater region is an increasingly difficult challenge. Data from the U.S. Census shows that both owner and rental costs within the City are significantly higher than the surrounding County average and the U.S. national average. For example, the City’s median monthly housing ownership costs are 88.2% higher than the County average, and the median monthly rental costs (rent plus cost of utilities) in the City is 22.4% higher than the County average and over twice as much as the U.S. national average as shown in the table below. 2018 HOUSING STATISTICS Newport Beach Orange County U.S. Average % diff. from County % diff. from U.S. Value of owner-occupied housing $1,787,300 $652,900 $204,900 173.7% 772% Monthly owner costs (with mortgage) $4,000 + $2,702 $1,558 -- -- Monthly owner costs (without mortgage) $1,169 $621 $490 88.2% 139% Gross rent – median $2,175 $1,777 $1,023 22.4% 113% Source: U.S. Census Bureau, 2020 This lack of affordable housing increases risks to the City relative to recruiting and retaining employees. Multiple department heads noted that many of their employees live outside the City due to housing costs and have extremely long commutes, which presents risks to both employee retention and operational stability. Enterprise Risk Assessment Report | 13 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Air Traffic John Wayne Airport (JWA) is owned and operated by Orange County. JWA currently handles approximately 10.5 million passengers annually and 126 commercial flights per day. The airport is located along the northern boundary of the City, and residential and commercial properties are located directly below the airport’s primary departure pattern for commercial and general aviation aircraft. While the City does not have jurisdiction to control the airport, the presence of the aviation activity presents a major challenge for the City in terms of preserving the quality of life for residents. In 1985, the City, the County, the Airport Working Group (AWG), and Stop Polluting Our Newport (SPON) entered into a Settlement Agreement to resolve litigation related to JWA. The agreement has been amended multiple times, most recently in late 2015 with approval of the tenth supplemental stipulation, which included new calibration of noise monitors. The agreement will next be open for negotiation in the 2025-2026 fiscal year. To help mitigate potential impacts to residents, the City actively manages the relationship with JWA by designating a Deputy City Manager as the primary liaison and running an Aviation Committee to provide additional input and guidance on implementing the Newport Beach City Council Airport Policy. Interagency Relations As with all local governments, the City is dependent on collaborative relationships with multiple agencies at the local, state, and federal levels to provide services—notably public safety, transportation, disaster preparedness, natural resource management, and public utilities. The City’s utility environment is particularly complex, with key relationships with the Municipal Water District of Orange County, Orange County Sanitation District, State Department of Health and County Health, State Water Quality Control Board, Coast Guard, the Orange County Sheriff Department, Department of Fish and Wildlife Army Corps of Engineers, Coastal Commission, and JWA, among others. Within the past several years, the City separated the Utility and Public Works divisions into separate departments. A primary motivation for this change was to help elevate the utility function and give more visibility to the interagency work taking place in relation to this critical work. As noted in the Organization and Staffing section, the government relations function is decentralized, with some aspects of this work managed by staff in the CMO, City Attorney, Community Development, Public Works, and Utilities departments. While a decentralized model can be effective, without effective internal coordination it increases risks related to inconsistent messaging and redundant workloads. Ground Traffic The Orange County area consistently ranks on national worst traffic lists, and the congestion the City experiences is reflective of this reality. Tourist-heavy areas with limited infrastructure due to geography—most prominently the Balboa Peninsula—are especially vulnerable to traffic congestion. Staff report that traffic concerns are a primary quality of life issue for both employees and residents. The City’s Public Works’ Transportation Division is actively involved in traffic management, with a focus on implementing solutions that a majority of residents agree on. Enterprise Risk Assessment Report | 14 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Natural Disasters The City is susceptible to various natural hazards including drought, earthquakes, extreme heat, tsunamis and floods, wildfire, and other environmental shifts related to climate change. Potentially the most likely hazard is an earthquake on any of the three faults that extend through or are located near the City. An earthquake under or near the City has the potential to cause extensive damage due to ground shaking, fault rupture, liquefaction, earthquake-induced slope instability, and inundation due to catastrophic failure of the City’s water storage reservoirs. Other potential secondary effects of such an earthquake include urban fires ignited by damaged appliances, rupture of gas mains, fallen electrical lines, and the release of hazardous materials as a result of broken storage containers. The City has developed a strong set of disaster preparedness practices (see the Risk Program section for more details). Many individuals are involved in emergency response and public safety activities, such as the Emergency Operations Center. The City’s Fire Department is responsible for supporting public-facing programs such as the community emergency response teams. As noted in the Risk Program section of this report, the position of Emergency Services Coordinator plays a critical role, with responsibilities for day-to-day liaison, coordination, communication, training, and administrative support across the City. This position is essential for the City’s preparation efforts against all emergencies, including natural disasters, making cross-training key to sufficient backup. Climate Change Climate change is a complex issue that imposes multiple challenges on public agencies, which include defining how climate change relates to existing scopes of work and how to develop a plan to address climate change. While climate change itself is not a distinct hazard, the effects of it can exacerbate hazards and risks. These include increasing average temperatures, more heat waves and extreme heat days, more extreme weather, rising sea levels, worsening air pollution, and more vector-borne diseases. These changing conditions can have devastating effects on the regional economy, urban infrastructure, public health, recreation, tourism, agriculture, and the environment. Given the City’s coastal location and reliance on waterways, issues related to sea level change will be particularly impactful. Increasing temperatures will melt ice sheets and glaciers and cause thermal expansion of ocean water, both of which will increase the volume of water in the oceans. The U.S. Department of the Interior projects that average sea levels along the Southern California coast will rise on average by more than one foot by 2050 and by four to five feet by 2100. Scientists warn that sea level rise will likely be punctuated by episodic flood events as high tides and stronger and more frequent storm surges coincide, putting shoreline property and ecosystems at risk prior to 2050. Enterprise Risk Assessment Report | 15 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Overall Risk Level Moderate to High Impact Likelihood Preparedness Trajectory High Moderate to High Moderate Increasing Residual Risk Moderate Suggested Risk Mitigation • Perform a workload assessment and determine workload measures for City staff to better define workload challenges. • Create a prioritized list of workload challenges, and determine if acute pain points can be addressed through outsourcing or cross training. • Review decentralized functions to determine if efficiencies can be gained through increased coordination or centralized guidance, oversight, and training. Risk Areas Risks associated with how personnel is organized, as well as staffing levels and skills. Scope An entity’s organizational structure provides the framework to plan, execute, control and monitor its activities. Organization and staffing encompasses hierarchy, chain of command, span of control, and staffing levels. Staffing includes specific positions, counts, and capacity. A relevant organizational structure includes defining key areas of authority and responsibility and establishing appropriate lines of reporting. The City’s organizational structure consists of twelve departments: City Manager’s Office, Community Development, Finance, Fire, Harbor, Human Resources, Library Services, Police, Public Works, Recreation and Senior Services, and Utilities, in addition to the City Clerk and City Attorney’s offices. As of January 2020, the City has 973 active employees on staff including 585 FTEs and 388 part-time employees. With a few exceptions (for example, Public Works), managers’ spans of control are within normal ranges of four to eight direct employees. As part of the City’s strategy to manage unfunded pension liability, leadership has adopted a conservative approach to expanding staffing levels. As a result, some positions have stretched to fill multiple job functions and some teams are experiencing high workloads. While having a high- performing team of flexible employees, who can handle multiple functions, is a strength for the City, several critical functions would benefit from support through cross training of designated backups. Specifically, during interviews, the following functions were identified as needing additional workload analysis: • Cybersecurity • Payroll • Harbor code enforcement • Planning (if the City is going to revise the General Plan) • Public records Enterprise Risk Assessment Report | 16 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY • Purchasing • Real estate • Utility billing • Emergency preparedness Excessive workloads can result in employees working in a reactive mode rather than being proactive and operating strategically. These conditions can increase the risk of burnout, employee turnover, and loss of institutional knowledge, as well as increases service delivery challenges like the risk of errors and poor customer service. This can be particularly true for functions that have a high impact on multiple departments (like Purchasing) or the customer experience (like Utility Billing). Approximately two thirds of surveyed staff reported the opinion that the City is understaffed. Q: How would you rate the current staffing levels across the City as a whole? Q: How would you rate the current staffing levels within your department? Like most cities, Newport Beach has a number of functions that are decentralized. Some notable examples include external communications (see the Reputation and Public Perception section for more details), graphic design, government relations, and a few finance functions. While decentralized functions can provide operational benefits, they typically require enhanced coordination to achieve service efficiency and sometimes result in duplication of efforts. 5%22%56%11%6% Excellent Good Average Poor Terrible 5%29%41%22%3% Excellent Good Average Poor Terrible Enterprise Risk Assessment Report | 17 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Overall Risk Level Moderate to High Impact Likelihood Preparedness Trajectory High Moderate Moderate to High Increasing Residual Risk Moderate Suggested Risk Mitigation • Pursue opportunities to increase utilization/optimization of current systems. • Develop a succession plan for the IT Manager position. • Continue to enhance IT governance processes, while documenting and distributing supporting policies and procedures. • Continue work to improve penetration testing results. • Pursue collaboration opportunities with state and local government agencies to strengthen cybersecurity resilience, such as shared service agreements for cyber defensive tools, cybersecurity awareness training, and other ways to pool resources. • Identify and assess strategies to meet the need for increased cybersecurity readiness. Risk Areas Risks associated with information technology, cybersecurity, and data. Scope Information technology risks include the design, development, implementation, administration, operations, and maintenance of information systems including change management and the system development life cycle. Also includes risks to infrastructure, system performance, data architecture and management, integration, backup, security, and controls. The IT function at the City resides within the City Manager’s Office, with the IT Manager reporting to the Assistant City Manager. The IT Manager oversees three teams: IT Operations, IT Applications; and the GIS function. Similar to other local governments, the City’s use of IT has rapidly grown over the years, with departments being responsible for driving IT purchasing. The IT governance process is relatively new, without an official documented policy in place. Technology has become part of the backbone of local government operations, as the integration of systems evolves and reliance on technology continues to increase. The IT group has reportedly been successful due to the talented individuals who staff the department. The IT Manager has been with the City for almost 30 years, so there is an increased need to implement succession planning for this critical function. A growing number of local governments have recognized the need for a dedicated senior leadership position in IT, such as a Chief Technology Officer, as the role of technology becomes increasingly critical for core operations and delivery of essential services to citizens. Cities are facing digital disruption as they integrate emerging technologies (such as artificial intelligence, “smart” cities; and the Internet of Things) with the rapidly changing cybersecurity landscape. Enterprise Risk Assessment Report | 18 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY IT Systems As part of its daily operations, the City utilizes a wide range of enterprise and department-specific applications. The primary enterprise systems include Tyler Munis (finance, purchasing), NeoGov (recruiting/onboarding), Microsoft Office 365 (administration), SysAid (IT ticketing), and PerformancePro (performance evaluations). IT is also in the process of replacing several major applications, including the Integrated Library System (ILS) and Land Management System (LMS). In general, staff report that they feel well supported by the current IT systems and hardware. Q: How would you rate the quality of the information technology systems that you currently have (software, applications, programs, etc.) and use in your role? Q: How would you rate the quality of the information technology hardware that you currently have (computers, phones, etc.) and use in your role? However, there are several prominent opportunities for improvement. Some of the most commonly noted issues from staff include improving systems support for the procurement process (see the Procurement and Contracting section) and ensuring that existing systems are fully utilized. For example, the IT Division has documented multiple functions within the Tyler Munis platform that are currently not being used. In addition, IT staff noted several processes that are currently manual— including time-off requests and employee expense, petty cash, and travel authorizations—and could be automated within the City’s existing systems. Automation could increase staff efficiency, as well as improve consistency and internal controls. IT Governance IT governance plays an important role in local governments to optimize technology purchases, systems integration, and access to information to support decision making. While the City lacks a documented IT governance policy, it recently implemented a more centralized governance process. Within this context, decisions regarding IT purchases are supposed to be made in partnership between IT and the individual departments. This model is supported by centralized funding through the IT Internal Service Fund (ISF). The ISF chargeback methodology is based on multiple factors in line with industry standards: 10% charged to divisions based on the number of FTEs, 65% charged based on the number of devices, and 25% charged based on the number of support tickets. 19%61%16%4% Excellent Good Average Poor Terrible 21%57%17%5% Excellent Good Average Poor Terrible Enterprise Risk Assessment Report | 19 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Following best practice, the City operates with a standardized four-year replacement schedule for end user computing equipment. The City also collects comprehensive replacement costs for software, hardware (PCs, devices, phones, printers), network, data center, and library/fire equipment. IT Staffing The IT function employs 15.5 FTEs across Operations, Applications, and GIS. This is a lean staffing structure given the size of the City. In particular, the City is working with a ratio of one IT support technician/specialist (first level of response) to approximately 325 employees. Industry standards commonly recommend ratios ranging between 1:150 and 1:250, depending on the complexity of the IT environment. In addition, staff report that the workload for IT staff is increasing. For example, it was recently suggested that all security camera management should be centralized in IT, without considering potential impacts to the IT capacity. The City would benefit from establishing a shared and consistent process to prioritize new potential IT work, in order to ensure sufficient IT staff support for new initiatives. Interviewed and surveyed staff reported that the IT function provides excellent or good internal customer service. Q: How would you rate the quality of the internal customer service provided to staff by the IT team? Data Storage The IT function has taken significant measures to ensure that data is securely stored and recoverable. The City is currently operating with 99% server virtualization and uses Veeam backup and replication solutions, which are stored on a local backup appliance. In addition to on-site backups, the City uploads all mission critical data—database exports, source code, and payroll data—to Amazon Web Services. The City retains one year of backups for all systems. The IT Division is also currently evaluating the iLand Disaster Recovery cloud solution and has plans to implement the product in 2020. The iLand cloud backup solution project would include backup and restoration procedures. Cybersecurity Almost every civic function across a modern city is facilitated, housed, or carried out on digital systems; consequently, any threat that compromises these systems presents a significant area of risk. The City does not currently employ a dedicated cybersecurity staff position. As risks related to cybersecurity continue to grow, it will be critical to ensure that adequate attention is paid to cybersecurity. The IT function completed its first IT penetration test in 2019. As this process was new to the City, it uncovered significant opportunities to improve security. City leadership reports that IT was highly responsive to resolving the identified issues and has successfully addressed all critical and high-priority problems. IT is planning to conduct a second penetration test in 2020 to track progress and plans to integrate penetration testing into regularly scheduled activities. 51%38%9%2% Excellent Good Average Poor Terrible Enterprise Risk Assessment Report | 20 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY In terms of user training, IT performs phishing tests each quarter, holds annual staff trainings, and sends out a weekly newsletter to all employees. Staff report that they have successfully reduced the phishing test failure rates from 9% to below 3%. Over 60% of surveyed staff reported they were extremely or very prepared to identify, report, or manage a cybersecurity threat. Q: How prepared do you feel to identify, report, or manage a cybersecurity threat? Cybersecurity threats and incidents continue to emerge in local government, and they can result in extensive costs beyond the initial amount of money demanded by attackers. For instance, the City of Atlanta spent more than $2.6 million on emergency efforts to recover from a ransomware attack in 2018, and the 2019 ransomware attack on the City of Baltimore caused at least $18 million in damages. A coordinated ransomware attack hit more than 20 local governments in Texas in 2019. Once activated, ransomware programs effectively lock out city employees, preventing them from accessing key systems, servers, and data—often rendering computers unusable unless a ransom or other demand set by the attackers is met. Other schemes can result in city employees or citizens unknowingly transferring funds into fraudulent accounts, exposure of citizens’ credit card and personal data, outages of 911 dispatch systems, digital police evidence lost, traffic light outages, and compromised water quality. This shift in focus by cybercriminals to public-sector organizations comes after a deliberate shift in the private sector to make more of the necessary investments to secure their systems after suffering from cyberattacks. In the wake of the COVID-19 pandemic, cities have experienced spikes in malicious activity, including targeted phishing attacks and other attempts to confuse city staff who are already under increased pressure. Some governments are increasing their use of outsourced resources, including cybersecurity risk assessments, audit log analysis, and threat management and monitoring. 24%36%33%4%3% Extremely prepared Very prepared Moderately prepared Slightly prepared Not prepared at all Enterprise Risk Assessment Report | 21 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Overall Risk Level Moderate to High Impact Likelihood Preparedness Trajectory Moderate to High Moderate Moderate Flat Residual Risk Low to Moderate Suggested Risk Mitigation • Establish a three to five-year strategic plan that identifies major City goals and activities. • Implement a basic performance measurement strategy that is aligned with the City’s strategic plan. • Based on the City’s strategic goals, establish annual operating plans (and related measurements) for each department. • Ensure sufficient resources are available to support the General Plan update process. Risk Areas Risks related to organizational planning activities. Scope Planning activities include operational and strategic planning, including both short-term and long-range planning. A comprehensive planning framework builds upon strategic goals, and dives into the next layer of planning which looks at strategic objectives for not only the enterprise, but sets objectives for departments, divisions, programs, and individual roles. In alignment with the City’s Fiscal Sustainability Plan, the City’s primary focus for planning activities has been to achieve long-range financial stability. For example, the City maintains and reviews a Long-Range Financial Forecast each year as part of the regular budget process. The City has also prioritized activities like instituting an aggressive payment schedule for the unfunded liability pension and establishing multiple reserve funds (like the Facilities Financial Planning Reserve and Equipment Replacement Fund) to ensure that significant anticipated expenditures will be adequately provided for in the future. In addition, the Public Works and Community Development teams are highly involved in planning activities. More specifically, Public Works oversees a robust CIP process (see Capital Program Section) to plan for the provision of public improvements, special projects, and ongoing maintenance initiatives, in addition to maintaining documents like the Water Master Plan. Community Development is in charge of maintaining the City’s General Plan—a tool to help the City make land use and public investment decisions. The General Plan was last updated in 2006. The City had planned to embark on revisions to the Plan in 2019, but recent mandates from the Regional Housing Needs Assessment have shifted the priority of this planning process. The majority of surveyed staff (77%) rated the quality of organizational planning as excellent or good. Enterprise Risk Assessment Report | 22 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Q: How would you rate the quality of organizational planning (strategic planning, annual operations planning, financial planning, etc.) that happens at the City? Despite these areas of strength, the City has historically not had a strategic planning culture. Strategic plans serve as valuable tools to clarify the mission, vision, and direction of the City. Without the continuity provided by a plan to guide decision making over a multi-year period, there is a risk that work can become diluted, priorities can be unclear or change, and staff can be left to work in a highly reactive (rather than proactive) environment as they attempt to respond to multiple new and uncoordinated requests from the City Council. Within this context, management report that it can be challenging to make sound decisions around what work they should or should not prioritize. Without a strategic plan and associated goals, it is extremely challenging to implement successful performance measurement to track the City’s progress over time. The City’s Fiscal Sustainability Plan states that the City will “implement a Performance Measurement/Management Strategy as part of an ongoing effort to ensure high-quality and efficient performance.” However, this work has not yet begun. By setting strategic objectives for the City as a whole, leadership will be better able to identify critical success factors and associated performance measurement criteria. While some departments have developed annual work plans (for example, the IT function), this is not a standard practice throughout the City. Staff report that the City values agility and does not have a culture of planning, with multiple employees noting that strategic or annual operating plans would hinder the City’s ability to respond to incoming issues. As such, the City will need to incorporate change management practices into any planning initiatives to ensure adequate buy-in from staff at all levels within the organization. 21%56%16%7% Excellent Good Average Poor Terrible Enterprise Risk Assessment Report | 23 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Overall Risk Level Moderate to High Impact Likelihood Preparedness Trajectory Moderate to High Moderate to High Moderate Flat Residual Risk Moderate Suggested Risk Mitigation • Evaluate options to enhance security and access to City employee work spaces. • Conduct an assessment of employee safety and health programs at the City. • Coordinate risk management functions across the City to develop and deliver a cohesive emergency management program. • Update the Local Hazard Mitigation Plan (last published in 2016) on schedule with FEMA requirements • Develop and implement cross training for the Emergency Services Coordinator position. Risk Areas Risks associated with the organization’s formal/structured risk management programs, such as employee health and safety programs, operational risk management programs, and incident response and emergency management efforts. Scope Risk programs include administration of the general liability, workers’ compensation, safety, disability management and property programs. Risk efforts also include contract/insurance certificate review, insurance procurement, emergency preparedness programs, and continuity of operations planning. Risk and Safety Management Risk management functions and related activities are distributed across different positions within the City; there is no dedicated enterprise risk management program. Risk management activities can be found within the HR Department, which focuses primarily on insurance programs and is responsible for running a Safety Committee. In the Police Department, the Emergency Services Coordinator supports emergency management. Within the Fire Department, individuals support disaster response planning and community programs. Most of these individual functions have skilled staff supporting them; however, the City would benefit from more formally coordinating its current activities into a cohesive risk management program designed to identify potential events that may affect the City and protect and minimize risks to the City’s property, services, and employees. Surveyed employees noted concerns with security at times, particularly around the unsecured nature of City Hall. We observed that the City has no controlled access points to employee work areas in City Hall, with only intermittent “Employees Only” signs indicating where public-spaces end. While there are many admirable aspects about the new building, the open floor concept combined with the lack of controlled entry points can increase the risk of unauthorized or unwelcome persons walking into City work areas. Only a few employees reported participating in some safety-related trainings in the last few years, indicating the City should provide additional training for safety and emergency Enterprise Risk Assessment Report | 24 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY management. Almost 40% of survey respondents noted that they have felt physically unsafe at work within the past two years. Q: In the last two years, have you experienced an incident or experience where you’ve felt physically at risk or unsafe while working at the City? Workers' Compensation and Insurance The risk management function is responsible for processing and monitoring all CAL/OSHA activity. While 50% of survey respondents rated the workers' compensation program as average, 40% gave it a rating of excellent or good. Q: How would you rate the workers' compensation program and processes? Emergency Management The City’s Emergency Management Program was created by Municipal Ordinance 2.20.060, which designates the City Manager as the Director of Emergency Services and gives them the power to designate an Assistant Director of Emergency Services. The Emergency Management Program staff consists of: (1) an Emergency Council that consists of the Mayor who shall be Chairman (in his/her absence, the Mayor Pro Tem), remaining members of City Council, and other officers and employees of Newport Beach; (2) an Emergency Services Coordinator who oversees the City’s Emergency Management Program; and (3) a Life Safety Specialist who is responsible for the City’s community preparedness. The Emergency Services Coordinator and Life Safety Specialist work under the direction of the Police and Fire Departments, respectively The City has engaged in suitable planning efforts around emergency management—including development of the Emergency Operations Plan, a Local Hazard Mitigation Plan, a Public Education Program, and a Community Emergency Response Team (CERT) Program. In addition, the City has established the Employee Emergency Response Team (ERT) Program, which consists of employees who are responsible for receiving training in CPR and first aid and serving as Safety Officers in the event of an emergency. Activation of the Emergency Operations Center (EOC) in response to the COVID-19 pandemic provided the City with the opportunity to test out operations and identify operations for improvement. 61%39% No Yes 7%33%50%7%3% Excellent Good Average Poor Terrible Enterprise Risk Assessment Report | 25 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY There are many individuals involved in the activation and running of the EOC, and emergency management activities are not dependent upon one person. However, the Emergency Services Coordinator is a key position, filled by a person who has extensive institutional knowledge. There is no formalized backup for the full scope of this position. Risk exposure due to loss of institutional knowledge could be mitigated through cross training for this position. Overall Risk Level Moderate Impact Likelihood Preparedness Trajectory Moderate to High Moderate Moderate Increasing Residual Risk Low to Moderate Suggested Risk Mitigation • Institute consistent performance evaluations that incorporate annual employee growth and development plans. • Develop succession plans for key positions. • Evaluate compensation levels for operational cost sustainability and retention. Risk Areas Risks associated with recruiting, workforce development, labor and employee relations, employee management and benefits, and succession planning. Scope Human capital and resource practices can span functions that include hiring, orientation, training, evaluating, counseling, career planning, compensation and benefits, labor negotiation, employee relations, retirement and succession planning. These practices can house the policies that define an organization’s expected levels of professionalism and competence. The Human Resources Department at the City has 12.25 budgeted FTEs in the 2019–2020 fiscal years. The positions consist of an HR Director, HR Manager (2), HR Specialist II (4), HR Senior Analyst (2), HR Analyst, Assistant (2), and Student Aide. HR appears to be adequately staffed; the ratio of HR FTE to Citywide FTEs is 1:72, which is well below the standard best practice maximum ratio of 1:100. The City collaborates with 11 bargaining units, in addition to the non-represented executive group. In general, staff report that they feel adequately supported by the HR team, with the majority of survey respondents noting the quality of internal customer service provided by HR as excellent or good. However, the range of responses indicates that there may be opportunities for improvement. Enterprise Risk Assessment Report | 26 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Q: How would you rate the quality of internal customer service provided to staff by the HR Department? Recruiting Like many other public agencies, the City is experiencing some challenges with recruiting high-quality talent. Some of the challenges are external, like the high cost of living in the area, and some are related to internal processes or policies. For example, staff report that the City’s decision to offer police testing only once a quarter has created a barrier to hiring sworn officers. Another commonly noted issue is a comparatively high retirement contribution paid by City employees. Staff contribute between 12% and 14% of their salary to retirement, resulting in reduced net income. Staff report that these levels are significantly higher when compared to other local agencies. As of January 2020, the City had 45 vacant full- and part-time positions, 28 of which are within public safety. When asked to rate the effectiveness and efficiency of the City’s recruitment processes and support, survey respondents reported a wide range of opinions: Q: How would you rate the effectiveness and efficiency of the City’s recruitment processes and support? Performance Management The City uses the PerformancePro system to administer basic performance appraisals where all staff are rated in four or five general categories: attitude and customer relations, communication, job knowledge/skills, productivity, and supervision/management (for supervisors only). In alignment with best practice, the system is online (rather than being paper-based). However, the evaluations are done on a rolling basis, rather than on a regular annual calendar, which can decrease the likelihood that all staff receive appraisals on time. In addition, individual career goals and career growth plans are not integrated into the performance evaluation process. There are no formal opportunities to provide upstream or 360 evaluations, so management does not receive feedback from the staff that they supervise. While a majority of survey respondents rated the effectiveness of the performance evaluation process as very or moderately effective (69%), almost a third rated the process as only slightly effective or not effective at all. 19%39%25%12%5% Excellent Good Average Poor Terrible 18%29%29%18%6% Excellent Good Average Poor Terrible Enterprise Risk Assessment Report | 27 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Q: How would you rate the effectiveness of the current performance evaluation/appraisal process? As noted in the Management section of this report, accountability is a commonly cited performance management challenge. The majority of survey respondents (59%) reported that non-supervisory staff are only moderately held accountable for their actions. While respondents reported that supervisory staff are held accountable more frequently than non-supervisory staff, almost 30% of respondents felt they were only slightly or not at all consistently held accountable. Q: How consistently are non-supervisory employees held accountable for their actions? Q: How consistently do you feel managers are held accountable for their actions? Retention In general, the City has a strong track record of retaining employees. Within the past three years, the City’s turnover rate for FTEs has ranged between 8.5% and 9.4%—well below the average turnover rate for local government agencies, which typically falls between 19% and 20%. While there is variation depending on specific departments/divisions, staff generally report that there is a positive work environment within their immediate team. This is reflected in the responses to survey questions about the City’s efforts to establish a welcoming workplace culture: 33%36%19%13% Extremely effective Very effective Moderately effective Slightly effective Not effective at all 6%18%59%5%12% Extremely consistently Very consistently Moderately consistently Slightly consistently Not at all consistent 10%36%25%13%16% Extremely consistently Very consistently Moderately consistently Slightly consistently Not at all consistent Enterprise Risk Assessment Report | 28 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Q: How well has the City established a welcoming workplace culture? Apart from the retirement system-related concerns, interviewed and surveyed staff generally reported satisfaction with the City’s compensation and benefits. In particular, benefits like the City’s health programs were reported to be especially well received. Of concern, however, is that over half (54%) of the City's FTEs were at the highest step in their pay grade, which is based on position. There are between zero to eight steps in each pay grade (except for Police, which has 11 steps). The high concentration of employees at the highest pay step of their pay grade indicates that the City may have an increased risk that employees have hit a ceiling when it comes to career advancement compensation increases. For example, in the Utilities Department, out of the 44 FTEs (or 86%) are at pay grade step eight. A large percentage of employees at the high end of a pay scale also translates into a high cost workforce. Q: How would you rate the adequacy of the City’s compensation and benefits? The HR Department reported that a primary focus of their retention strategy is to provide high-quality training opportunities to staff. This effort is reflected in the large majority of survey respondents (66%) who noted that their access to the training and professional development resources they need to grow their career was excellent or good. Q: How would you rate your access to the training and professional development resources you need to grow your career? The City does not provide an annual employee engagement survey to track trends over time or gather employee feedback. However, the HR Department does offer focused surveys related to specific functions like workers' compensation, onboarding, and in-house trainings. 11%37%32%15%5% Extremely Well Very Well Moderately Well Slightly Well Not Well At All 11%46%33%8%3% Excellent Good Average Poor Terrible 22%44%26%4%4% Excellent Good Average Poor Terrible Enterprise Risk Assessment Report | 29 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Succession Planning In general, the public sector is experiencing significant challenges associated with an aging workforce reaching retirement eligibility. Approximately 28.4% of the FTEs at the City were eligible to retire in March 2020.1 The table below presents the number of FTEs by department who are eligible for retirement as a percentage of the total number of FTEs. Public Works has the highest percentage of eligible employees, with 60.8% of total FTEs (a count of 45 positions) eligible to retire. DEPARTMENT % OF FTES ELIGIBLE TO RETIRE City Attorney 0.0% City Clerk 25.0% City Manager 37.5% Community Development 32.4% Finance 45.8% Fire 24.5% Harbor 0.0% Human Resources 10.0% Library Services 40.6% Police 16.2% Public Works 60.8% Recreation & Senior Services 20.6% Utilities 27.3% Total 28.4% The City has not yet institutionalized succession planning efforts across departments. The HR Department has identified the need to perform additional work to ensure that there are strong career paths and ladders within all departments—a key factor for effective succession planning. Without a deliberate, institutionalized program for effective knowledge management and transfer, a significant amount of institutional knowledge and technical expertise citywide is at increased risk of being lost. 1 Calculated using CALPERS criteria of age 50 with five years of service credit before 1/1/2013, or age of 52 with five years of service credit. Enterprise Risk Assessment Report | 30 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Overall Risk Level Moderate Impact Likelihood Preparedness Trajectory Moderate Moderate Low Flat Residual Risk Low to Moderate Suggested Risk Mitigation • Provide additional management training focusing on leadership, change management, and communication. • Develop a cascading communication framework to improve internal communication. Risk Areas Programs and activities related to organizational leadership, management practices, leadership strategic activities, and operating styles. Scope Management's philosophy and operating style affect the way an organization is managed, including the kinds of risks accepted. The attitude and daily operating style of top management affect the extent to which actions are aligned with risk philosophy and appetite. A collaborative management team that is able to communicate and make decisions through an enterprise leadership lens is a critical component to operational effectiveness. Staff report that the City’s leadership collaboration has improved greatly in recent years. Many noted that the new City Hall building has helped to break down silos and increase communication. Several examples of positive team-work were also noted, including the effective use of the Drought Response Task Force. When asked about the ability of senior leadership to collaborate, 75% of survey respondents provided a positive rating. Q: How well do you feel that the senior leadership team at the City works together? However, City leadership reports that there are opportunities to improve enterprise decision making, which is decision making that focuses on what is best for the City as a whole, rather than what is best for an individual department. Through interviews, it was apparent that many managers use a fairly hands-off management approach. While this approach can work well with high-performing and diligent staff who are tightly aligned around the same goal, it is less effective when it is necessary to implement change or accomplish activities that may be in the City's best interest but not viewed as such from a 25%50%25% Extremely well Very well Moderately well Slightly well Not well at all Enterprise Risk Assessment Report | 31 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY departmental perspective. Staff noted multiple examples of positive changes and new initiatives that were ultimately abandoned by managers, because they were unable to get staff buy-in and unwilling to hold staff responsible to embracing change. This creates risks, as staff are not being held accountable for adopting changes that could positively impact City operations (see the Human Capital and Resources Performance Management section of this report for more details). Internal communication within the City, which starts at the management team level, was noted to be inconsistent. In particular, there is a perception that a wide gap in knowledge exists between what is shared at the director level and what is communicated to staff. This is exacerbated by a lack of positions focused on internal communications. Over 45% of surveyed staff reported that quality of leadership communication was average, poor, or terrible. Q: How would you rate the quality of the communication you receive from leadership? Overall Risk Level Moderate Impact Likelihood Preparedness Trajectory Moderate Moderate Moderate Increasing Residual Risk Low Suggested Risk Mitigation • Perform an operational review of customer-facing functions within the Finance Department. • Continue work to streamline and digitize permitting processes within the Community Development Department. • Implement key performance indicators and targets, as well as an annual resident engagement surveys, to track and evaluate service levels over time. Risk Areas Risks associated with programs/service delivery and quality, resident expectations, and resource allocation. Scope Day-to-day operations across the organization, and efficient and effective delivery of the City’s programs and services in alignment with the City’s strategic goals, vision, and mission. 22%33%33%10%2% Excellent Good Average Poor Terrible Enterprise Risk Assessment Report | 32 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY At the most fundamental level, the City’s mission is to direct the efficient and effective delivery of municipal services. The City provides a full range of services to residents, including: • Community Development (Planning, Building Permits and Plans, Code Enforcement) • Finance (Utility Billing, Permits and Licenses) • Fire • General Services (City Maintenance) • Harbor • Library • Police • Public Information • Public Works • Recreation and Senior Services • Utilities Over 90% of survey respondents reported that the City’s overall ability to deliver core services to the public in an effective manner was excellent or good. Q: How would you rate the City’s overall ability to deliver core services to the public in an effective manner? Strong customer service is a key factor to effectively deliver services. “Excellent Service” is one of the City's core values and is defined as “providing thorough, efficient and effective service with a courteous and professional attitude. It also means being informed, timely, and open to complaints and requests.”2 Interviewed staff commonly noted that providing quality customer service was a goal shared throughout the organization. However, several areas were noted as opportunities to improve customer experiences, including, but not limited to: • Utility Billing (Finance Department): As part of the transition to using Tyler Munis to support utility billing, the City has been uncovering billing errors. Given that the City is currently undergoing a significant sewer rate increase, it is especially important that billing issues are proactively resolved. • Permitting (Community Development): Most notably, the City is working toward moving aspects of the permitting process online to improve the customer service experience. 2 City of Newport Beach Core Values: https://www.newportbeachca.gov/government/departments/city-manager-s-office/core-values 48%45%7% Excellent Good Average Poor Terrible Enterprise Risk Assessment Report | 33 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY In addition, the City does not utilize key performance indicators measure service levels or outcomes (see the Planning and Strategy section) or conduct resident satisfaction/engagement surveys (see the Reputation and Public Perception section). Overall Risk Level Moderate Impact Likelihood Preparedness Trajectory Moderate Low to Moderate Moderate Flat Residual Risk Low to Moderate Suggested Risk Mitigation • In collaboration with departments, develop and provide regular training on internal reporting related to financial performance and budget status. • Continue to refine processes to ensure efficient and effective use of Tyler Munis. Risk Areas Risks associated with fiscal controls, budgeting, ongoing information tracking and management, revenue capture, and transaction processing. Financial reporting areas including those fundamental to planning, budgeting, pricing, evaluating vendor performance, assessing partnerships, and a range of other operational and strategic activities. Scope The role of accounting and financial functions in risk mitigation is focused on record keeping and compliance through recording, classifying, summarizing, and reporting financial transactions. Financial reporting includes deliverables such audited annual financial statements. Reliable financial information is fundamental to planning, budgeting, pricing, evaluating vendor performance, assessing partnerships, and a range of other operational and strategic activities. The City has a centralized Finance Department, with some roles embedded in other departments and divisions, including a Fiscal Manager position embedded in both Police and Public Works, a Fiscal Clerk position in Fire and Recreation and Senior Services, an Auto Parts Buyer in Public Works, and a Budget Analyst in Recreation and Senior Services. Out of the 30 employees in the Finance Department in March 2020, six were part-time positions, representing 20% of the Department’s employees. The average tenure of FTEs in Finance is 13.2 years. Similar to other departments in the City, the hierarchy of the Finance Department is relatively flat, and there are limited career paths for long-time employees. In general, staff report that the quality and timeliness of financial reporting is above average. Enterprise Risk Assessment Report | 34 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Q: How useful is the financial reporting information that you receive/have access to on a regular basis? Q: How would you rate the timeliness of the financial information you receive (e.g., reports, response time to requests, etc.)? In terms of the working relationship between the Finance team and other City departments, staff report a wide range of experiences. In particular, staff noted that there are opportunities to improve communication with the Public Works and Fire Departments. Q: How would you rate the level of internal customer service provided by the Finance Department? The City uses Tyler Munis as its main financial system. Staff noted that the adoption of this new system has been primarily positive, although there are still some procedural issues that are in the process of being resolved. For example, as noted in the Operations and Service Delivery section, the City has been uncovering utility billing errors. Given the City is currently undergoing a significant sewer rate increase, it is especially important that billing issues be proactively resolved. 25%33%25%8%8% Extremely useful Very useful Moderately useful Slightly useful Not at all useful 18%55%18%9% Excellent Good Average Poor Terrible 20%46%27%4% Excellent Good Average Poor Terrible Enterprise Risk Assessment Report | 35 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Overall Risk Level Moderate Impact Likelihood Preparedness Trajectory Moderate Low to Moderate Moderate Flat Residual Risk Low to Moderate Suggested Risk Mitigation • Develop a whistleblower policy. • Provide additional training and/or communications related to retaliation protections and management reporting responsibility. Risk Areas Risks associated with the prevention, detection, and correction activities undertaken to minimize or prevent fraud (intentional), waste (inefficiency), or abuse (mistakes) that result in unnecessary costs to the organization. Scope Fraud, waste, and abuse programs, as well as ethics policies, are designed to protect the ethical and fiscal integrity of the organization and its employees, stakeholders, and the general public. City employees have a duty to use funds economically, efficiently, effectively, and ethically. When employees do not honor this obligation, it could result in instances of fraud, waste, or abuse. Employees are also expected to behave ethically and respectfully. All City employees share the common purpose of serving the public in an ethical and transparent manner. One of the City’s core values is integrity, defined as “being honest, reliable, respectful, ethical, fair, and authentic.” As part of this work, the City has established a set of tools, policies, and trainings to prevent unethical behavior and fraud, waste, and abuse (FWA). Within this context, FWA is defined as follows: • Fraud: A dishonest and deliberate course of action that results in obtaining money, property, or an advantage to which employees or an official committing the action would not normally be entitled. • Waste: The needless, careless, or extravagant expenditure of funds, incurring of unnecessary expenses, or mismanagement of resources or property. • Abuse: The intentional, wrongful, or improper use or destruction of resources, or seriously improper practice that does not involve prosecutable fraud. In accordance with best practices, the City operates an ethics hotline that provides a mechanism for employees to anonymously report potential instances of FWA. The City has also provided several administrative and Council policies including Prevention, Reporting and Investigation of Fraud, Waste, and Abuse; Discrimination and Harassment Prevention; Council Conflict of Interest Procedures; and City Travel Policy Statement. The City does not have a whistleblower policy. It is a best practice for ethics hotline reports to go to the internal audit function. Enterprise Risk Assessment Report | 36 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY The City provides FWA training to all new employees, which includes an overview of the City’s policy, employee responsibilities, and answers to other FAQs. In addition, in alignment with legal requirements, the City provides workplace harassment prevention training to all employees every two years. This training is apparently effective, as the majority of survey respondents (70%) were confident that they would know what actions to take if they were to become aware of unethical or fraudulent activity. Q: Do you know what action(s) to take if you were to become aware of unethical or fraudulent activity? Additional training around retaliation protections and management responsibility may be useful, as survey respondents reported a range of opinions when asked about their confidence that they would be protected if reporting an issue and their confidence that management would stop wrongdoings if reported. In particular, several interviewed and surveyed staff noted that they did not trust their manager to handle confidential issues or had experienced retaliation in the past. Q: What are the chances that you would be protected from retaliation if you reported wrongdoing? Q: What are the chances that management above you would make efforts to stop wrongdoing if you reported it? 75%25%5% Yes - I know what I would do first Maybe - I would have to research a bit No, not really sure 31%39%17%8%5% Definitely will Probably will Might or might not Probably will not Definitely will not 47%34%12%5%2% Definitely will Probably will Might or might not Probably will not Definitely will not Enterprise Risk Assessment Report | 37 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Overall Risk Level Moderate Impact Likelihood Preparedness Trajectory Moderate to High Low to Moderate Moderate Flat Residual Risk Low to Moderate Suggested Risk Mitigation • Establish a three to five-year strategic plan that identifies major City goals and activities (see the Planning and Strategy section). • Consider revisiting the mission and charter of committees to ensure they are effectively providing support to City operations. • Establish annual work plans with measurable goals for each committee. These work plans should align with and support the City’s overall strategic plan. Risk Areas Risks associated with the governance processes, including strategic direction, ongoing oversight, ethics and values, control environment, policy management, enterprise performance management, and defined roles, responsibilities, and authority. Scope Governance is a process of overseeing an organization’s management of risk and control processes and is ultimately the responsibility of leadership. Management is responsible for identifying and managing risks. City residents elect officials to provide community leadership and govern the administration of public services. The City operates under a council-manager form of government, directed by a seven-member City Council. Council elections take place every other year, with Council members serving staggered four-year terms. The Council has established a Council Policy Manual to define bylaws and procedures related to Council operations and Council-level policies. In terms of leadership continuity, the Council has a healthy mix of tenure end dates, with three council members coming up for re-election in 2020 and three members serving their final term through 2022. The City Manager was appointed in September 2018. Based on a sample of the last ten regular City Council meetings, meetings ranged in length from one to eight hours, with an average meeting length of four and a half hours. Staff report that the relationship between the Council and City management is generally positive. The majority of surveyed staff rated the effectiveness of Council governance (67%) and quality of strategic direction (60%) as excellent or good. However, as noted in the Planning and Strategy section, the Council can occasionally operate at more of a tactical level rather than a strategic level, focusing on immediate actions items rather than setting long-term strategic goals. This contributes to a reactive environment, where staff priorities can quickly change depending on the Council’s interests. Enterprise Risk Assessment Report | 38 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Q: How would you rate the effectiveness of the oversight and governance provided by the Council? Q: How would you rate the quality of the strategic direction provided by the Council? The City has established multiple boards, commissions, and committees to assist and advise the Council on issues, including the following: Boards and Commissions • Board of Library Trustees • Building and Fire Board of Appeals • City Arts Commission • Civil Service Board • Harbor Commission • Parks, Beaches and Recreation Commission • Planning Commission Council Committees • Affordable Housing Task Force • Homeless Task Force • Public Facilities Corporation Council/Citizens’ Ad Hoc Committees • Aviation Committee • General Plan Update Steering Committee • Housing Element Update Advisory Committee • Library Lecture Hall Design Committee Citizens’ Advisory Committees • Balboa Village Advisory Committee • Environmental Quality Affairs Committee • Finance Committee • Newport Coast Advisory Committee • Water Quality/Coastal Tidelands Committee 20%47%31% Excellent Good Average Poor Terrible 21%39%28%4%8% Excellent Good Average Poor Terrible Enterprise Risk Assessment Report | 39 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY These groups provide many critical functions to support the City, and offer an opportunity for residents to engage with and have an impact on their local government. However, staff report that several of the committees do not have well-defined or well-understood missions and scopes—which can lead to frustrations for both staff and group members. Given that a high level of staff time is required to support each body, it may be helpful to revisit the charter and/or mission of each committee to ensure they are effectively providing needed support to the City. In addition, each committee should operate with a well-defined annual work plan that outlines measurable goals and milestones. Q: How would you rate the effectiveness of the committees and commissions that support the City? Overall Risk Level Moderate Impact Likelihood Preparedness Trajectory High Low to Moderate Moderate to High Flat Residual Risk Low to Moderate Suggested Risk Mitigation • Continue to pursue the City’s initiatives for long-term financial stability. Risk Areas Risks associated with revenue sources (rates, fees, grants, and taxes), funding levels, cash management, liquidity, expenditure rates and commitments, debt management, and inter-organizational business. Scope The funding and economics factors that impact the organization’s ability to maintain operations and deliver programs and services. Whether within the City’s realm of influence (or outside of their control), funding and economic factors impact the City’s long-term fiscal stability as well as its ability to mitigate the negative impacts of extraordinary risk, such as regional changes and national economic volatility. Funding Sources In general, the City has a strong financial foundation. The City reports that its General Fund revenues were approximately $230 million during FY 2018-19. The top three individual revenue sources are property taxes, sales taxes and sales tax in lieu, and Transient Occupancy Taxes (TOT). Together, 11%37%32%16%4% Extremely effective Very effective Moderately effective Slightly effective Not effective at all Enterprise Risk Assessment Report | 40 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY these three sources represent 75% of all General Fund revenues. Over the past 10 years, assessed property valuation increased an average annual rate of 4.7%, representing a 6.8% increase over a 20-year period. Proportion of City Taxes in 2019 by Type The rating agencies Fitch, Moody's, and Standard & Poor's have all assigned the City the highest quality credit rating of AAA. Moody’s reaffirmed their AAA ratings in 2019. CalPERS Like nearly all California cities and other public agencies, the City provides retirement programs to its employees through the California Public Employees Retirement System (CalPERS). The City has separate CalPERS accounts for its Safety Employees (sworn police and fire employees) and its Miscellaneous Employees (all other non-safety employees). Employees contribute a percentage of their pay toward retirement costs (11% to 14%), and the City must pay the remaining required amount, as determined by CalPERS actuaries. In July 2011, the City Council passed Resolution No. 2011-55 establishing a Compensation Philosophy, which included a goal that employees share 50/50 in the cost of retirement benefits. The labor contracts adopted since 2012 provide for employees paying the full member contribution, with employees contributing additional amounts toward retirement benefits, up to the amount allowed by state law. In 2018 (latest data available), the market value of the City’s CalPERS assets grew at a faster rate than the accrued pension liability, increasing the funded ratio to 66.9%. 59%20%13%7% Property Tax Sales Tax Transient Occupancy Tax All Other Taxes Enterprise Risk Assessment Report | 41 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Overall Risk Level Low to Moderate Impact Likelihood Preparedness Trajectory Moderate to High Low Moderate Flat Residual Risk Low Suggested Risk Mitigation • Consider implementing a resident engagement survey to track public perception over time. • Update the crises communication policy. Provide related training to all relevant staff. • Implement policies and procedures to ensure that communication is coordinated and performed in the best interest of the City as a whole. This will require executive leadership sponsorship and/or buy-in. Risk Areas Risks associated with the City’s reputation and the public’s perception of the organization, including its competency (financial performance, safety and security, responsiveness), transparency (openness and integrity), and guardianship (demonstrating care and consideration). 63.8% 66.0% 66.9% 62.0% 62.5% 63.0% 63.5% 64.0% 64.5% 65.0% 65.5% 66.0% 66.5% 67.0% 67.5% $0 $200 $400 $600 $800 $1,000 $1,200 2016 2017 2018MillionsFunded Pension Liability Ratio Accrued Liability Market Value of Assets Funded Ratio Enterprise Risk Assessment Report | 42 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Scope The reputation of an organization refers to how a broad group of stakeholders perceives the accumulated decisions, actions, and behaviors of the people within an organization. This social judgement is influenced both directly and indirectly by interactions with employees, with programs and services, and by commentary in the public domain (e.g., news stories, press release, social media). As a local government entity, the City’s reputation and relationship with its residents is the heart of its success. The operations of a local government like the City are complex and multi-faceted and impact the lives of residents, either directly or indirectly, every single day. In general, staff report that the City has built a positive relationship with members of the public. As noted in the External Environment section, homelessness/affordable housing and issues related to John Wayne Airport continue to be at the forefront of public discussion. Q: What kind of reputation do you think the City has within the community? Multiple interviewed employees noted that the City strives to be highly responsive to community needs. For example, one major impetus behind the creation of the Harbor Department was to help manage community issues related to living near or owning property on local waterways. In fact, 13% of survey respondents indicate that the City may be too responsiveness to citizen feedback. Q: How would you rate the City’s responsiveness to citizen feedback? In terms of formal opportunities to provide feedback, the City holds frequent public meetings that are reportedly well attended by residents. In addition, some departments collect customer service data. For example, the Community Development Department regularly solicits feedback via short paper surveys. However, the City does not conduct a regular resident engagement/satisfaction survey. Without this type of measurement tool, the City must rely on anecdotal (and potentially non- representative) evidence to track public perception over time. The City’s external communication function is decentralized. Through this model, staff in a variety of departments—including the CMO, Police, Fire, Library, and Recreation Departments—communicate directly with the public via various social media accounts, websites, publications, and reports. Decentralized communication can be an effective way to ensure engagement with specific departments. However, it can increase risks if external communications are not adequately coordinated (which can result in inconsistent messaging to the public), or inefficiencies if it results in 27%62%10%1% Excellent Good Average Poor Terrible 13%21%62%4% Far too responsive Slightly too responsive Appropriate level of responsiveness Slightly too unresponsive Far too unresponsive Enterprise Risk Assessment Report | 43 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY redundant staffing or work (which increases costs to the City). The City has taken steps to ensure coordination of social media posts by using a centralized posting application (Buffer). However, staff report that there has been a lack of executive buy-in on any additional coordination efforts. In terms of policies and procedures, the City’s crises communication policy is out of date. In addition, the City does not operate with any specific strategy, policy, or procedure to guide how the various decentralized communication roles are meant to work together. Without these types of guiding documents, the City is at a higher risk of miscommunicating to the public and operating without a clear and consistent voice. Overall Risk Level Low to Moderate Impact Likelihood Preparedness Trajectory Low to Moderate Moderate Moderate Decreasing Residual Risk Low Suggested Risk Mitigation • Inventory, review, and prioritize revisions to outdated policies and procedures and development of missing policies and procedures. • For out-of-date policies and procedures, update documentation with standardized templates and current information. Provide adequate training and communication on new processes. • Post centralized policies and procedures in a searchable format. • Institutionalize a simple and ongoing review and update process for all City policies and procedures. Risk Areas Programs and activities related to governing, administrative, and operational policies and procedures of the organization, including the comprehensiveness of coverage and documentation; their relevance and applicability of content; and the effectiveness and efficiency of their use. Risk Areas Policies and procedures play a critical role in providing the guidance required to ensure all functions operate efficiently, effectively, safely, and consistently across the organization. A policy establishes what should be done, and procedures effect the policy. Policies and procedures also play an important role in protecting against the loss of institutional knowledge. The City operates with a fairly comprehensive set of Council-level and administrative policies. However, multiple staff reported that specific operational policies and procedures were lacking or out of date. For example, staff noted that many basic procurement and financial processes (like how to process an invoice) are not documented or performed consistently. Given the wide range of responses on the survey, it is likely that the City has both gaps and strong pockets of operational policies, depending on the department and/or division. Enterprise Risk Assessment Report | 44 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Q: How would you rate the defined and documented operational policies and procedures in your department? The City does not follow a standard review process for policies and procedures, so they are currently updated on an ad hoc basis. As a result, some policies (like the crises communication policy) have not been updated within the past ten years. Notably, the Employee Policy Manual was last updated in 2010. As a general rule, City policies and procedures documentation should be reviewed every one to three years. A lack of up-to-date documented policies and procedures often results in reduced efficiency and effectiveness. In addition, a lack of documentation to guide operations can cause communication and accountability challenges due to a lack of defined responsibilities. A key component to effectively adopting updated policies and procedures is ensuring that they are communicated and accessible to staff. Currently, documentation is stored on the internal network drive. (Note: Documents that require archiving are stored on Laserfishe, and legislative packages are managed through Granicus.) Policies and procedures should be stored centrally in a searchable format; when new versions are published, alerts should be communicated and training should be provided. Overall Risk Level Low to Moderate Impact Likelihood Preparedness Trajectory Moderate Low Moderate Flat Residual Risk Low Suggested Risk Mitigation • Review grant management procedures to ensure sufficient controls are in place. • Review compliance-focused training within each department to ensure employees are receiving adequate guidance. Risk Areas Risks associated with compliance with laws, regulations, and other requirements. Scope Risks organizations face when they are unable to follow internal policies, government laws, and regulations, and may be subjected to legal penalties and financial fines. 16%51%29%2%2% Excellent Good Average Poor Terrible Enterprise Risk Assessment Report | 45 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Overseeing proactive compliance throughout the City depends primarily on individual departments. Internal and external auditors reactively evaluate compliance. Proactive compliance is characterized by employees being aware of requirements and actively operating to comply with them. Performed effectively, proactive compliance prevents issues from occurring before they become problematic. Reactive compliance involves ongoing monitoring, testing, and reporting. Staff reported that the City Attorney’s Office and the City Clerk are the primary points of contact for important issues their departments face in terms of regulatory compliance in dealing with the City Council, the Brown Act, and Conflicts of Interest. In addition, Police, Fire, and Utilities all noted significant reporting requirements related to their respective areas of work. In terms of grants—which are typically a large source of compliance reporting—staff report that the City has relatively low grant activities and, thus, requires low grant management capacity. However, grant management is a decentralized function within the City, which presents risks to the City if individual departments are not consistently utilizing appropriate controls. In the most recent single audit report (issued June 30, 2019), the City’s financial auditors reported that in their opinion, the City complied in all material respects with the types of compliance requirements that could have a direct and material effect on each of its major federal programs for the fiscal year ending June 30, 2019. The audit found no material weaknesses or significant deficiencies in the financial reporting internal controls that were in scope for the audit. When asked about the chances of the City experiencing any compliance issues (including late or missed reporting, noncompliance with safety requirements, or a breach of contracts), almost 80% of survey respondents rated the probability as low or low to moderate. What do you feel are the chances that the City will experience any issue with compliance within the next year? Overall Risk Level Low to Moderate Impact Likelihood Preparedness Trajectory Moderate to High Low Moderate to High Flat Residual Risk Low to Moderate 29%50%14%7% Low Low to Moderate Moderate Moderate to High High Enterprise Risk Assessment Report | 46 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Suggested Risk Mitigation • Continue to enhance emergency services to provide effective wildfire response. Consistent training of the City's fire response personnel is one activity included in this effort. • Ensure the City continues to be able to competitively recruit to fill vacancies, and explore methods to increase resources dedicated to providing public safety recruiting and HR support. • Update the Local Natural Hazards Mitigation Plan as scheduled in 2020-2021. Risk Areas Risks associated with public safety services, including level of services, funding, and community issues. Scope Public safety includes emergency services such as law enforcement, fire, dispatch, and community disaster response programs. Public safety operations in the City are somewhat unique. The City has approximately 7.2 million visitors a year, significant traffic congestion, and high housing costs, which collectively contribute to long shifts and long commutes. The community has high expectations for service, particularly response times. The majority of survey respondents (90%) rate the perception of overall safety in the community as either Excellent or Good. Q: How would you rate the overall feeling of safety in the community? Police The City’s Police Department is divided into four divisions, including: Office of the Chief of Police, Support Services Division, Patrol and Traffic Division, and Detective Division. The Support Services Division includes Dispatch, Records, Fiscal, Fleet, Personnel, and Training. The Police Department has 219 employees with an average tenure of 11.3 years. The average tenure of police officers is 8.2 years, and the median tenure is 6.5 years. Similar to many local agencies, recruiting is one of the primary challenges facing the Police Department (see the Human Capital and Resources section for more details). Given the highly demanding nature of working in public safety, Police Department leadership has placed a significant focus on programs designed to support and retain officers. This initiative includes efforts related to physical and mental health, peer support, and a career shadowing program. The Police Chief restructured the Department to a nimbler model to address crime through a specialized crime suppression unit model. Total crimes in the City have fallen consistently over the last three years. The most common crimes in the City are reportedly theft and drug abuse violations. 41%49%7%3%1% Excellent Good Average Poor Terrible Enterprise Risk Assessment Report | 47 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Like many other west coast cities, homelessness is a significant public safety concern for the City. Most solutions for homelessness and drug addiction are provided by the County, non-profit organizations, and regional agencies, but City police officers play a coordinating role. Fire The City’s Fire Department is divided into five divisions, including Administration, Fire Operations, Emergency Medical Services, Fire Prevention, and Lifeguard Operations. Services delivered by the Department include advanced life support provided by paramedic/firefighters, basic life support provided by EMT/firefighters and EMT/lifeguards, fire and building inspections, fire suppression, ocean rescue, underwater search and rescue, Community Emergency Response Team Program, and public education on City beaches and in local schools. The Department is responsible for eight fire stations, three lifeguard offices on the beach, and 38 lifeguard towers. The Fire Department had 182 part-time lifeguards in March 2020, who are excluded from this analysis. The average tenure of all other employees was 15.6 years. Southern California faces challenges with wildfire hazards from increased development in the wildland-urban interface, which has produced a significant increase in threats to life and property from fires. The City will likely continue to have to plan for increased threats from wildfires and prepare for how the Fire Department will likely be impacted. 4,532 4,251 4,129 3,559 3,823 3,544 3,584 3,765 0 1,000 2,000 3,000 4,000 5,000 6,000 7,000 8,000 9,000 2016 2017 2018 2019 City Crime Statistics Part I Offenses Part II Offenses Enterprise Risk Assessment Report | 48 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Overall Risk Level Low to Moderate Impact Likelihood Preparedness Trajectory Moderate Low to Moderate Moderate Decreasing Residual Risk Low Suggested Risk Mitigation • Continue to proactively address asset maintenance and update the Facilities Financial Plan. • Conduct annual reviews of water storage basins and dams in the City in accordance with California Division of Dam Safety guidelines. • Continue to work to strengthen and/or replace sections of the water distribution network that have been identified as most vulnerable due to their age or location in areas susceptible to ground failure. Risk Areas Risks associated with the ongoing maintenance, management, tracking, reporting, accountability, accounting, and physical safeguarding of assets, including the City’s infrastructure and capital assets. Scope Asset management includes the supply, deployment, and maintenance of the organization’s resources; it includes physical or logical access to data and locations (offices, warehouses, etc.). Asset management includes the connected strategies, processes, people, and technology that make up the foundation of enabling the organization to meet service levels and minimize the overall cost of asset ownership. Capital improvement and infrastructure programs are a critical component of asset management. The City’s major infrastructure systems consist of a broad range of capital assets including land, buildings, machinery and equipment, park facilities, road improvements, storm drains, piers, oil wells, sound walls, an 800-MHz radio communications system, parking pay stations and meters, and bridges. The City’s infrastructure includes maintaining 400 miles of streets, 5,971 streetlights, 808 traffic signals, 65 parks, 300.88 miles of water mains, 203.00 miles of sanitary sewers, and 95.35 miles of storm sewers. The City has one police station, eight fire stations; one lifeguard headquarters, 15 community centers (including leased property), and one aquatic center. Real property assets are managed through the Community Development Department’s Real Property Program. The Department is also responsible for the Community Development Block Grant Program that allocates federal funds to special programs and capital improvements. The City has created and maintained a Facilities Financial Plan (FFP), which is a comprehensive master facilities replacement schedule that projects the timing of construction of facility projects, forecasts the schedule of any planned debt issuance, includes all relevant revenue sources and expenditures on a yearly, project-by-project basis, and determines the long-term “level funding” annual budget commitment that is required to support the program. Employees report that the City’s Enterprise Risk Assessment Report | 49 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY assets are in relatively good condition. The City has continued to invest in infrastructure and continues to follow the Facilities Master Plan. Water service in the City is provided by the City, the Irvine Ranch Water District, and the Mesa Consolidated Water District. Each of these agencies maintains a capital improvement program. Many water districts in the region are in the process of replacing old cast iron pipes with more ductile iron pipes, which will be more resilient in the long term. Storm drainage systems in the City are provided and maintained by the City, Orange County, and local community associations. In general, the County is responsible for maintaining the regional flood control system, while the City is responsible for local improvements. Each of these agencies maintains master and capital improvement plans. They all are required to conform to regional, state, and federal regulatory requirements, including those controlling the discharge from municipal storm sewer systems to protect the environmental quality of surface waters. Enterprise Risk Assessment Report | 50 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY EMPLOYEE SURVEY RESULTS3 3 Data in this section is reported as a percent of total responses; the values may not total to 100% due to rounding. 11% 2% 14% 14% 26% 15% 14% 11% 15% 19% 20% 39% Tenure in Position Tenure with City Less than 1 1 to 2 3 to 5 6 to 10 11 to 15 More than 15 22.7% 13.6% 10.2% 10.2% 10.2% 9.1% 8.0% 5.7% 3.4% 2.3% 2.3% 1.1% 1.1% Public Works Community Development Fire Library Recreation & Senior Services Finance Utilities Information Technology City Clerk City Attorney Police City Manager Human Resources Enterprise Risk Assessment Report | 51 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Risk Category: Accounting and Financial Reporting Risk Category: Compliance Risk Category: Ethics, Fraud, Waste, and Abuse Risk Category: External Risks Not surveyed. Risk Category: Funding and Economics 29%43%21%7% Low Low to Moderate Moderate Moderate to High High 29%50%14%7% Low Low to Moderate Moderate Moderate to High High 20%33%27%13%7% Low Low to Moderate Moderate Moderate to High High 41%41%12%6% Low Low to Moderate Moderate Moderate to High High Enterprise Risk Assessment Report | 52 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Risk Category: Governance Risk Category: Human Capital and Resources Risk Category: Information Technology Risk Category: Infrastructure and Asset Management Risk Category: Management and Leadership 20%25%30%20%5% Low Low to Moderate Moderate Moderate to High High 24%47%18%12% Low Low to Moderate Moderate Moderate to High High 27%33%20%7%13% Low Low to Moderate Moderate Moderate to High High 33%27%33%7% Low Low to Moderate Moderate Moderate to High High 16%53%32% Low Low to Moderate Moderate Moderate to High High Enterprise Risk Assessment Report | 53 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Risk Category: Operations and Service Delivery Risk Category: Organization and Staffing Risk Category: Planning and Strategy Risk Category: Policies and Procedures Risk Category: Procurement and Contracting 11%44%33%11% Low Low to Moderate Moderate Moderate to High High 33%39%28% Low Low to Moderate Moderate Moderate to High High 21%26%42%11% Low Low to Moderate Moderate Moderate to High High 40%40%13%7% Low Low to Moderate Moderate Moderate to High High 31%38%8%15%8% Low Low to Moderate Moderate Moderate to High High Enterprise Risk Assessment Report | 54 FOR INTERNAL USE OF THE CITY OF NEWPORT BEACH ONLY Risk Category: Public Safety Risk Category: Reputation and Public Perception Risk Category: Risk Programs 47%40%7%7% Low Low to Moderate Moderate Moderate to High High 32%42%21%5% Low Low to Moderate Moderate Moderate to High High 21%43%21%14% Low Low to Moderate Moderate Moderate to High High This report is intended for the internal use of City of Newport Beach, and may not be provided to, used, or relied upon by any third parties. Proprietary & Confidential FINAL REPORT City of Newport Beach ENTERPRISE INTERNAL CONTROLS REVIEW September 16, 2020 Moss Adams LLP 999 Third Avenue, Suite 2800 Seattle, WA 98104 (206) 302-6500 Enterprise Internal Controls Review Report FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY Table of Contents Executive Summary 1 Scope and Methodology 4 Internal Controls Review Results 8 A. Purchasing and Contract Management 8 B. Cash Receipts, Billing and Collections, and Accounts Receivable 16 C. Accounts Payable and Disbursements 25 D. Fixed Assets Management 29 E. Central Warehouse and Automotive Inventory Management 32 F. Financial Reporting 37 G. Budgeting 40 H. Payroll 42 I. Information Technology (IT) 46 J. Overall Control Environment 49 Enterprise Internal Controls Review Report | 1 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY EXECUTIVE SUMMARY The City of Newport Beach (the City) asked its internal auditor, Moss Adams, to review its internal controls environment. This internal controls review took place between April and August 2020, and focused on assessing controls over all significant fiscal processes throughout the City. The review of internal controls was completed under the consultancy standards of the American Institute of Certified Public Accountants (AICPA). As such, this work was not an audit of internal controls that resulted in a formal opinion or other form of assurance. Moss Adams reviewed the City’s fiscal internal controls for design and performed limited testing in key areas to determine if the controls were designed effectively. Specific areas where fiscal practices were reviewed included: • Purchasing and Contract Management • Cash Receipts, Billing and Collections, and Accounts Receivable • Accounts Payable and Disbursements • Fixed Assets Management • Central Warehouse and Automotive Inventory Management • Financial Reporting • Budgeting • Payroll • Information Technology • Overall Control Environment The City has internal controls in place for many functions. Some examples of commendable activities include: • Purchasing and Contract Management: ○ At the time of the review, the City had 2.25 full-time equivalents (FTEs) dedicated to the Purchasing Unit within the Finance Department. With these limited resources, the City has been able to process a high level of purchase orders (POs), averaging 1,650 per year for the last two years. A large portion of these were above the $25,000 threshold requiring Purchasing to conduct formal procurement efforts, including issuing RFPs. ○ Workflows are set up in MUNIS to ensure that all purchases are properly approved based on defined dollar thresholds. ○ The City typically utilizes internal contract templates, rather than relying on contract templates provided by vendors. There are a variety of contract templates based on the type of services/goods being procured. This helps to reduce the risks related to entering into new contracts, as the City’s templates have already been fully vetted by Legal. • Accounts Payable and Disbursements: A new/improved weekly check batch monitoring and review process was implemented in June 2020, which, if implemented consistently and adequately documented, would appear to serve as a solid monitoring and internal control process over the A/P weekly check batch. • Inventory Management: Based on interviews, Central Warehouse and Automotive inventory (collectively referred to as “inventory” throughout this report) is managed through a first-in-first-out Enterprise Internal Controls Review Report | 2 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY process to prevent inventory spoilage. However, we were unable to confirm these controls during this review. • Financial Reporting: Journal entries tested had separate preparers and reviewers, and there was a basic year-end checklist in place that had been completed in recent years to track the year-end financial close process. • Budgeting: Budget to actual reporting is presented to the City Council on a regular basis, and budget amendments tested were prepared, reviewed, and documented. • Payroll: The system is set up to prevent employee timecards from being submitted without approval. An “audit” process has been implemented whereby an accountant outside of the payroll function performs an audit/reconciliation of each payroll run. • Information Technology: A process had been developed to identify stale (inactive) Windows user accounts and perform research and deactivation monthly, thereby mitigating the risk of terminated employee accounts not being deactivated timely upon termination. The IT Department has implemented SysAid (IT ticket workflow tool) to allow for the submission of IT tickets and track related resolution. • Overall Control Environment: A process was developed to facilitate meetings between the Finance and IT departments to assess systems access on a regular basis. The City appears to have an engaged and active governance board structure. Similar to most cities, there are opportunities to strengthen policies, procedures, systems, and controls. Gaps were identified in some of the areas reviewed. The primary conclusion from this review is the City has an opportunity to improve internal controls, strengthen processes, and document procedures. Suggested priorities to address over the next 6 to 12 months include, but are not limited to: • Evaluate the current purchasing thresholds and required due diligence for each threshold to determine whether they are reasonable and necessary. Determine whether simplified acquisition procurement procedures could be established to address the high volume of purchases requiring the formal RFP process. Identify training and tools that could be developed to aid departments in taking on more of the purchasing responsibilities and workload. • Perform a full process assessment focused on the procurement function to further identify gaps in internal controls and improvement opportunities, as well as opportunities for increased efficiencies. • Perform a full process assessment of the cash handling function to further identify gaps in internal controls and opportunities for improved controls. This assessment should include a detailed evaluation of each department handling cash to ensure the City’s assets are adequately controlled. • Implement A/R reconciliation procedures and overall monitoring to ensure that City A/R is identified, recorded, and properly controlled. • Develop and enforce daily reconciliation procedures for cash handling at each site responsible for collecting payments. • Implement additional internal controls over the Cashiering Unit to ensure that the reconciliations performed on collections each day include the reconciliation of individual drawers, at the end of each shift, to the underlying transaction listing (i.e., a system or manual list total detailing collections during the shift) and that the related deposit packets are adequately secured at all times. Enterprise Internal Controls Review Report | 3 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY • Evaluate the systems access levels for all significant fiscal functions, including purchasing, A/P, payroll, etc., and identify which individuals warrant edit access based on their current roles. All other edit access levels should be removed immediately to prevent unauthorized or inappropriate changes/transactions. • Evaluate the fixed asset (i.e., assets above the City’s capitalization threshold) management activities and consider implementing improvements for the next physical inventory performed. Focus on ensuring asset records are accurate and complete. • Implement controls over the asset disposal process to prevent assets from being misappropriated during the disposal process. • Perform a full assessment of inventory management to further identify control gaps and assist in the development of recommendations to address those gaps. Also assess any significant inventory loss or misappropriation that has occurred in the past, given the significant control gaps identified during this review. • Address the segregation of duties issues identified during this review related to Central Warehouse and Automotive Warehouse inventory management, and segregate duties wherever possible. In those areas that cannot be immediately segregated, mitigating controls, including external reviews, should be implemented. • During the next physical inventory performed over the City’s inventory, ensure that an individual outside of the person responsible for inventory management is involved and that “blind” inventory counts are performed. • Develop and implement a process for performing penetration testing on the City’s network/systems. • Initiate the process of inventorying all policies and procedures across the City, performing a gap analysis of the current coverage and controls and developing a formalized work plan and timeline for addressing all gaps identified. Enterprise Internal Controls Review Report | 4 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY SCOPE AND METHODOLOGY The scope of our review included a high-level evaluation of key internal controls throughout the City to determine the general adequacy of internal controls and identify areas warranting more in-depth review in the future. To gain an understanding of the processes and controls in place at various departments across the City, we interviewed personnel who are involved with the City’s fiscal processes. Personnel from the following departments/sites were included: • Finance Department, including Budget, Accounting, Accounts Payable, Revenue, and Purchasing Units • Revenue Division of the Finance Department • City Attorney’s Office (CAO) • Central Warehouse and Automotive Warehouse (functional units of the Finance Department) • Information Technology Department The procedures performed to assess the City’s enterprise fiscal processes and procedures during the internal controls review included the following: • Identifying control objectives over the City’s fiscal procedures and controls that would satisfy each control objective. • Reviewing policies and procedures (P&Ps) created by the various departments and citywide P&Ps to assess whether adequate policies and procedures are documented, current, and being utilized for each key fiscal function. • Performing control walkthroughs and/or testing limited samples in selected key areas, including, but not limited to, the following: ○ Purchasing and Contract Management: − Evaluated purchasing data, including reports on POs processed, open POs, RFPs, sole source purchases, etc. − Judgmentally selected a sample of POs processed to test for compliance with specific policy requirements (e.g., timelines, approvals, and support) and assessed the support for adequate documentation of due diligence performed (e.g., RFP and quotes). − Performed a walkthrough of a sole source purchase to evaluate the level of documentation and approval required. − Obtained the link to contract templates and evaluated the overall structure and segregation of contract types. − Obtained purchasing and contract data to assess whether dates related to the purchasing and contracting processes were tracked (allowing for the assessment of efficiency opportunities). ○ Cash Receipts, Billing and Collections, and Accounts Receivable: − Obtained the support for one month of A/R reconciliations performed between sub- ledger/systems at the department level and MUNIS. Evaluated the adequacy of any reconciliation processes documented and the overall completeness of available reports. Enterprise Internal Controls Review Report | 5 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY − Evaluated the support for one quarter of the Revenue Auditor’s review/audit process to assess the adequacy of the control. − Evaluated reports available to support cash receipt, billing and collection, and A/R activity monitoring that was being performed. − Assessed the daily cash receipts log (or other form of tracking) maintained by departments, and assessed the completeness of information recorded and the change in custody documentation required at the time of deposit to the Treasury. ○ Accounts Payable and Disbursements − Evaluated the new weekly check batch review process for adequacy and controls. − Performed a walkthrough of the weekly A/P process by selecting the first batch processed in May 2020 and obtaining all supporting documentation for assessment. − Selected a sample of payments processed and evaluated for appropriate segregation of duties. − Assessed vendor change reports, including selecting a small sample of changes to tie to the underlying supporting documentation and evaluating the individuals who entered and approved the change for proper control. ○ Fixed Assets Management: − Obtained and reviewed the fixed asset listing and vehicle tracking report. − Reviewed the documentation of the PO reviews that occur to identify miscoding. − Assessed the results of the most recent fixed asset inventory. ○ Central Warehouse and Automotive Inventory Management: − Requested the physical inventory count documentation for a specific period to assess the adequacy of the inventory count process and the related documentation. − Obtained and reviewed the Perpetual Inventory Report for the Central Warehouse and the Parts List from Automotive, as of June 30, 2020, to assess the total quantity and amount of inventory reported as on-hand at fiscal year-end. ○ Financial Reporting − Assessed select financial reports, chart of accounts, and year-end close checklist. − Reviewed systems access reports for key system functions. − Tested a sample of journal entries for proper segregation of duties between preparer and poster. − Assessed the completeness and adequacy of the May 2020 account reconciliation and financial reporting documentation. ○ Budgeting: − Assessed the final approved FY 2020 budget. − Reviewed a sample of FY 2020 City Council reporting packages to evaluate for budget- to-actual report presentation and amendment approvals. − For February 2020, reviewed budget-to-actual reports, selected specific budget overages identified to determine whether follow-up occurred, and selected budget amendment requests to evaluate for proper documentation, processing, and approval. Enterprise Internal Controls Review Report | 6 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY ○ Payroll: − Selected a sample of three terminations to evaluate for the timeliness of Personnel Action Form (PAF) submission, the date of the final paycheck, and the date that systems access cancellation was requested and processed. − Reviewed systems access reports for HR and payroll-related functions in MUNIS and assessed for adequate segregation of duties. − Performed a walkthrough of one pay period to assess whether payroll reports were reconciled, reviews/approvals were documented, and adequate support was on file for the payroll run. ○ Information Technology: − Obtained and assessed systems access reports for various MUNIS functions. − Reviewed a report of inactive accounts to assess whether stale system accounts were being researched and deactivated timely. − Assessed documentation for internal system report monitoring and oversight. ○ Overall Control Environment: − Assessed the content of the Finance Committee and City Council meeting packets for coverage of City fiscal operations and controls. − Analyzed the citywide workflow setup structure, overall communication of roles and responsibilities, and segregation of duties for key financial functions. • Assessing whether the controls in place would prevent or detect errors or the misappropriation of City assets. • Comparing current processes, policies and procedures, and functions to best practices to identify opportunities for improvement. • Providing recommendations regarding key controls that need to be implemented or improved. To best share the results of the internal controls review, the matrix provided in Section III is organized by: • Control objectives • Control issues • Corresponding recommendations • Likelihood of occurrence • Impact of occurrence Likelihood of occurrence is defined as the probability of a negative event occurring. Impact of occurrence is defined as the level of significance should a negative event occur. Risk levels of low, moderate, or high were used to rate the likelihood of occurrence and impact of occurrence for each finding. Beyond those controls that have been reported within this report as a control issue, additional controls were reviewed without exception. It should be noted that many controls were reviewed multiple times in relevant, separate department reviews, but not all controls or departments were reviewed. Departments were selected to provide a broad understanding of the City’s overall control environment. Key controls with exception conditions are reported in this document. Enterprise Internal Controls Review Report | 7 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY Due to the COVID-19 pandemic, which was occurring at the time of this internal controls review, we were unable to perform certain planned procedures as we were unable to go onsite to physically observe the inventory on-hand; physically test the completeness, existence, and accuracy of fixed assets recorded; or perform surprise cash counts at a variety of cash receipt sites. The City should consider including these additional onsite procedures during a future follow-up review. Enterprise Internal Controls Review Report | 8 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY INTERNAL CONTROLS REVIEW RESULTS CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE 1 Purchase Requests are not approved and processed until the required level of due diligence (e.g., information quotes, bids, etc.) is performed to ensure that a fair price is obtained for all City purchases. For purchases of goods, equipment, or materials between $3,000 and $10,000, Administrative Procedure F5 requires three informal bids to be attached to the Purchase Requisition Form. For purchases related to professional services under $25,000, Administrative Procedure F14 requires three letter proposals/quotes. During our testing of five City purchases, we identified one materials purchase for $10,000 and one professional services purchase for $4,625 that were not supported by any informal bids or quotes, and there was not adequate documentation of the non- compliance (e.g., sole source justification, etc.). Although the City’s Administrative Procedures require some form of informal bid/quote for purchases that fall below a certain threshold, it did not appear that these requirements were being adhered to and enforced. The City should decide whether informal bids/quotes are required for these lower-dollar purchases. If not, then the revised requirements proposed should be presented to and approved by the City Council, and if approved, the Administrative Procedures should be updated accordingly. If the City elects to maintain the current due diligence requirements, then the Purchasing Unit should not approve any Purchase Requisition Forms or contract requests that do not have the required supporting documentation to show that adequate due diligence, in compliance with City Administrative Procedures, was performed. The training provided by the Purchasing Unit, which covers the overall procurement process, should be tailored to cover all key related aspects of the City’s Administrative Procedures, including details on how to obtain and document required bids/quotes. Consider developing a one-page form for employees to use to document informal bids obtained via phone, online, etc. to streamline the process and promote compliance. High Moderate 2 Thresholds for required due diligence (e.g., The City’s current procurement thresholds are conservative and well below The City should evaluate the current procurement thresholds to determine whether they are sufficient to support an efficient, yet controlled, procurement High High Enterprise Internal Controls Review Report | 9 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE bids, RFP, etc.) of purchases are established. The defined thresholds balance controls and efficiencies in the procurement function. best practice recommendations. The City’s established threshold for when a purchase must go through a formal RFP is $25,000, and the Purchasing Unit must lead the procurement effort for purchases above this threshold. This threshold is significantly lower than the simplified acquisition threshold allowed for under 2CFR (Code of Federal Regulations) Section 200.88, which is currently $150,000. At the time of this review, the City had 71 POs open that exceeded the $25,000 threshold, and 41 of these were under $50,000. RFPs open at the time of this review had been in process (from date of request through current) for an average of 111 days. A significant portion of the City’s current procurement resources are spent managing the RFP process. process. Alternative due diligence requirements can be established, which could reduce the number of purchases that are required to go through the time- consuming full RFP process, yet still provide control over the procurement function and ensure that the City is receiving fair and reasonable prices for goods/services. The City should consider developing simplified- acquisition thresholds for smaller purchases and presenting the proposed thresholds to the City Manager for approval. Simplified-acquisition methods of procurement, such as obtaining and documenting informal quotes (verbal, online, etc.) or a Request for Quotation (RFQ), allow departments requesting purchases to take responsibility for performing due diligence independently, rather than relying on the Purchasing Unit to conduct procurement efforts. The City should consider adjusting the section of the Administrative Procedures covering due diligence requirements to provide more detailed guidance for employees at the department level and developing templates, such as standard RFQ templates or forms, for adequately documenting informal quotes. Training should then be provided to departments requesting purchases to allow for the departments themselves to assume more responsibility and accountability. Reducing the workload that the current thresholds place on the Purchasing Unit would allow for current resources to focus their efforts more on other value- adding functions, such as identifying opportunities for better pricing options across the City, streamlining and improving the RFP process, developing training for employees, and performing trend analysis to identify unusual activity or opportunities for improvement. Enterprise Internal Controls Review Report | 10 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE 3 Comprehensive P&Ps are documented to cover purchasing exceptions, including sole source procurement, emergency purchases, and blanket purchase orders (BPOs). The City does not have comprehensive P&Ps guiding the various exceptions to the general purchasing requirements. Administrative Procedure F5, Purchasing Procedures for Goods, Equipment, and Materials, provides only limited guidance on sole source, emergency, and BPO purchases, and it does not provide details on the specific circumstances that justify the use of each, documentation and approval requirements, and other key information to guide the appropriate use of these types of procurement. The Administrative Procedures should be updated to provide more comprehensive guidance for requesting purchases outside of the standard purchasing process. Specifically, the procedures should be updated to adequately address sole source procurement, emergency purchase, and BPOs. Sole Source: The following information should be included in the City’s guidance on sole source procurement: ● The specific circumstances/situations that would qualify a purchase as “sole source”. ● The required documentation (e.g., the form) to support a sole source purchase request, including the description of which specific sole source criteria a purchase request meets and why. ● The required approvals for a sole source purchase request and the responsibility of the approver. Emergency Purchases: The emergency purchase procedures should include what types of circumstances, along with examples, qualify as an emergency purchase (i.e., why it warrants approval outside of the standard PO process), the approvals required, the timelines for submitting the purchasing request after-the-fact, and the justification documentation required. BPOs: The procedures for BPOs should address those circumstances in which the use of a BPO would be justified/appropriate and the requirements for establishing a BPO, including documentation required, estimating the total value, due diligence requirements, and approvals. BPOs can be more susceptible to risk given they allow for routine purchases to be processed without repetitive approvals; therefore, it is important to ensure that routine monitoring is in place. High Moderate Enterprise Internal Controls Review Report | 11 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE Monitoring controls should be established to ensure that BPO activity is assessed regularly. 4 P&Ps are established to guide the processing of returns (e.g., returning goods, tracking credits, etc.). City P&Ps do not currently address how the return of goods purchased should be processed or how the related refund or vendor credit should be recorded and tracked. Documented P&Ps should be developed to guide the process for returning goods. The P&Ps should address how, and to whom, returns should be reported, what documentation must be submitted, how credits and refunds should be tracked, and who is accountable for ensuring the goods are returned and the City’s refund/credit has been obtained and controlled. Moderate Low 5 Purchasing activity is monitored on a regular basis and the reviews, as well as follow-up performed, are documented. Based on interviews performed, the Purchasing Unit performs a variety of purchasing activity reviews to identify potential unusual activity, long-outstanding POs, and invoices/payments that do not have a corresponding PO or contract. However, there are no documented procedures around what reviews will be performed, who is responsible for performing these reviews and how often, and what follow-up actions are required for potential issues identified. In addition, the reviews that are currently performed are not documented. There is currently no formal monitoring process in place to identify purchasing trends, by department or Monitoring purchasing activity provides vital internal controls over the City’s purchasing function and helps to identify potential problems or inappropriate activity in a timely manner. Monitoring activities for the purchasing function should be formalized and documented, including: ● What trend analysis will be performed, such as purchases by department, requestor, and type of purchase, and how often and by whom the analysis will be performed. ● Monitoring purchasing activity by month in comparison to prior year purchases (refer to the “Budget” section below). ● Monitoring for split-purchases (e.g., attempts to split several purchases with the same vendor into smaller purchases to circumvent the formal RFP process). This activity should include assessing purchases by department, vendor, and citywide to identify potential split-purchasing activity and opportunities for combining purchases across departments, with the same vendor, for potential price savings. High Moderate Enterprise Internal Controls Review Report | 12 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE requester, or potential split- purchases. ● Open PO report monitoring and procedures to address long-outstanding POs that meet a defined threshold of time elapsed. ● How invoices/payments requested or processed that do not tie to a corresponding PO or contract are to be addressed and by whom. ● Follow-up research or resolution that must occur for each of the reviews performed and related documentation requirements. The monitoring results should be documented, and someone independent of the Purchasing Unit should review them on a regular basis to help ensure that any problems or inappropriate activity can be identified and addressed in a timely manner. 6 Contract management is performed consistently to ensure that all contract terms and conditions are complied with, goods/services are delivered in compliance with contract specifications, contractor invoices are appropriate, and contracts are properly closed out. There is not a centralized contract management function within the City. Rather, various aspects of contract compliance are managed by various departments throughout the City. This structure increases the risk that contract non-compliance will not be identified timely and that departments will not be aware of their responsibilities for managing contracts that they enter into. Training is conducted for employees responsible for contract management; however, it is limited to purchasing and receiving Given the volume of large contracts that are entered into by the City, the City should consider establishing a contract monitoring program to mitigate the risks related to the decentralized structure. A contract monitoring program may include: ● Defining contract management P&Ps that include all aspects of the contract monitoring program, as described below. ● Training for the various departments throughout the City that play a key role in monitoring contracts. For instance, individual departments that enter into contracts for goods or services are typically responsible for monitoring the actual performance of services or delivery of goods. It is key for them to understand the specific contract terms, conditions, deliverables, and timelines to supplement the training they receive on the purchasing aspects of contract management. ● Defining the role that various individuals fulfill in the review, approval, and payment of invoices that Moderate Moderate Enterprise Internal Controls Review Report | 13 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE and does not cover contract monitoring and compliance. The most recent training was provided in April 2019. There is not a process in place to consistently verify contract compliance, such as spot checks, contract audits, or another form of overall monitoring of contract performance. are related to City contracts. Defining the specific responsibilities of user departments, purchasing, accounts payable, legal, etc. is important to ensure individuals involved understand what they are accountable for in order to perform effective reviews. ● Developing a process for performing contract reviews, such as spot checks or contract audits. These reviews could include testing a sample of contracts, on a regular basis, and performing the following: ○ Comparing current contract performance against the contracted requirements/milestones to ensure contract performance is within the negotiated timeline. ○ Comparing current expenditures, invoices, and payments to the contract budget and amounts to ensure expensed amounts are in compliance with the contract. ○ Comparing vendor invoices to the contract to ensure the expenses appear reasonable, are accurate, and are properly supported by any required documentation per the contract. ○ Performing follow-up of any issues identified in these reviews and the related corrective actions. 7 Contracts with City vendors are prepared, reviewed, signed, and finalized timely following the procurement process (e.g., RFP process is Based on interviews performed, there are delays in contract execution following the RFP and vendor/contractor selection process. The City Attorney’s Office (CAO) has developed detailed contract worksheets for departments requesting Delays in processing and finalizing contracts with selected City vendors resulted in delays in City contractors being able to provide the related goods/services to the City, as well as time-consuming back-and-forths between Purchasing, the department obtaining the related goods/services, and the CAO. The Purchasing Unit should consider putting more responsibility back on the departments during the RFP process and providing increased training on how to Moderate Moderate Enterprise Internal Controls Review Report | 14 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE completed, if required, and the vendor/contractor is selected). Scope of work, contract fees, and timelines are fully vetted during the RFP and award process, aiding in the timely execution of related contracts. a contract to obtain all information (scope of work, fees, timing, etc.) that is needed for the CAO to execute a contract. However, departments do not always complete the worksheets adequately. At times, details on the scope of work, fees, and timing are lacking, as they were not fully vetted during the RFP process. This results in time-consuming back-and- forths to obtain the details needed for the contract and, ultimately, leads to inefficiencies in the execution of a contract. Given the lack of data available for tracking the dates contracts are awarded, when contract templates are initially submitted/requested, CAO response date, contract draft and approval date, and final execution date, we were unable to provide data to quantify the delays that are occurring. effectively complete all required steps. Specifically, if departments provided more information during the RFP preparation, issuance, and evaluation process, including the scope of work (specifics of the goods/services being procured), the expected timeline for completion/delivery, and the details of the fees and payment terms, then the contracting process could be completed more efficiently. Given the City’s intranet provides contract templates, worksheets, and examples to aid departments in providing the information needed to execute a City contract, and departments are not effectively utilizing these resources, consideration should be given as to why these available resources are not being used properly. The City should consider developing and implementing contract-specific training for departments to walk them through the process of utilizing these resources, and providing a Contract Request Checklist that departments can utilize to verify that they are completing all required steps and conveying all information upfront. Departments should then be held accountable for attending training and fulfilling their roles in the RFP and contracting process. 8 The purchase request and PO issuance process The City processes, on average, approximately 1,650 POs each year. Based on interviews, the process is inefficient and at The City’s procurement function would benefit from a full process assessment to further identify where bottlenecks are occurring and identify workflow improvements that could add efficiencies. Many of the current, cumbersome processes are handled by the High Moderate Enterprise Internal Controls Review Report | 15 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE is efficient and well-controlled. times, there are long delays in getting a PO issued. While a portion of these delays is due to the time it takes for vendors to deliver on the goods/services requested and the invoice/payment process to be completed, there are inefficiencies in the current purchasing process that contribute to extended delays. Based on the data available, we were unable to determine the exact points in the process that are resulting in delays; however, budget transfers, incomplete purchase request documentation, volume of purchases requiring the RFP process, and other factors appeared to be contributing to the extended processing times. Purchasing Unit, which creates risk given that a lot of resources are spent on back-and-forth manual processes, rather than focusing on controlling, monitoring, and managing the overall procurement function. In addition, with so much time and effort being spent on the various inefficient aspects of the current purchasing process, there is an increased risk of inappropriate purchasing activity not being identified. The assessment of the procurement function should include a focus on identifying opportunities for increased efficiencies, automation, and internal controls. 9 If adequate budget is not available in a line item (i.e., the specific object code category selected) to cover a requested purchase entered into MUNIS, then The current process for addressing situations where a requested purchase results in a negative balance on the budget line-item (object code category) charged is cumbersome as MUNIS forces a “hard-stop” The responsibility for managing a department’s budget, down to the line-item level, should rest with the department that manages the budget. Users entering purchasing requests should be responsible for initiating a budget transfer request, prior to entering a Purchase Request Form or contract request into MUNIS, to prevent the stall that occurs from the hard stop in MUNIS and the additional time spent by Purchasing to fix them. If departments are proactively Moderate Low Enterprise Internal Controls Review Report | 16 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE the system will automatically initiate the budget transfer request process prior to the request being sent through the workflow for approval. and delays the purchasing process. If a purchase is entered into MUNIS that exceeds the available budget in the line item selected, Purchasing must manually initiate a budget transfer prior to continuing with the approval process. The Purchasing Unit identifies the negative balance and “hard stop” in MUNIS and then goes in to work past the hard stop. This results in a stall in the process and the Purchasing Unit having to make budget decisions in order to allow the department to proceed with the purchase. managing their budget-to-actual reports on a monthly basis, expected overages should be addressed during that process, including identifying what transfers need to be processed. Consider changing the existing workflow, which requires Purchasing to make the transfer, to automatically send hard stops to the Budget Unit to work through with the requesting Department. CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE 10 Cash Management P&Ps are documented and implemented to guide all aspects of the cash handling process. Comprehensive and current Cash Management P&Ps are not documented, approved, and implemented. There has been some guidance provided to employees; however, it is in the form of memos covering Given the City has a variety of cash receipting sites, it is important that documented P&Ps are utilized to manage these activities to ensure that City assets are properly protected and risks are minimized. Specifically, the City should develop and implement citywide, as well as department-specific, P&Ps that include, at a minimum, the following: High Moderate Enterprise Internal Controls Review Report | 17 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE some areas of cash management and a draft policy that has not been finalized and does not include all cash management components. Department-specific P&Ps for cash handling are not consistently documented or verified for adequacy and compliance with citywide requirements and overall internal controls. ● Procedures for receiving cash, via in-person, online, or mail payments, including how to handle cash, issue receipts, secure payments, and perform reconciliations. ● Details of how individual departments must prepare deposits, the frequency in which deposits must be made to the Treasury, and responsibilities for deposit preparation, documentation, review, and approval. ● Procedures followed by the Cashiering Unit for collecting in-person, mail, online, and department deposits, documenting payments and deposits, issuing receipts, and recording in the system what documentation is required for department deposits to show the change in custody of the funds, end-of shift/day reconciliation process, including documentation, reviews, and approvals, and cash security controls. The City would benefit from a cash handling assessment/audit that can be leveraged to develop and document P&Ps to support the processes and any recommended improvements. 11 A full cash handling assessment has been performed to ensure that all cash collection sites are properly controlled and that City assets are properly protected and reported. During this review, we did not perform a detailed assessment or audit of each cash handling site, and we were unable to determine if adequate cash receipt controls and daily reconciliations are performed for each department that handles cash. This review identified that there are a variety of sites, The City would benefit from a more in-depth cash handling assessment. The assessment should include: ● Identifying all sites that handle cash. ● Obtaining an understanding of each site’s processes, controls, and management of cash receipts, and evaluating each for adequacy and opportunities for improved controls. ● Identifying control gaps that present a risk of misappropriation, and developing recommendations for addressing the gaps and mitigating the associated risk. High High Enterprise Internal Controls Review Report | 18 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE with varying levels of controls, that manage the cash receipts process and a full assessment of each site’s processes, controls, and management has not been performed. The decentralized nature of City business results in a variety of individuals performing cash receipting, depositing, and reconciling functions, and this creates an increased risk of cash being misappropriated and not being identified. ● Performing surprise cash counts at each cash handling location to check for selected controls, performing a cash count and reconciliation to the system balances at the time, and testing petty cash or base fund counts, if applicable. ● Evaluating and testing each department’s process for reconciling cash receipts to the underlying system or manual receipts. ● Evaluating and testing the processes for department deposits to the Cashiering Unit and then the Cashiering Unit deposits to the bank. ● Testing samples related to cash receipts, deposits, reconciliations, and recording to assess for compliance with select internal controls and evaluate the processes for risk. ● Evaluating the bank reconciliation process for adequacy, proper controls, timely resolution of variances, and maintenance of the outstanding checklist. 12 Cash receipts trend analysis are performed for all cash handling sites to identify any unusual trends or potentially inappropriate activity timely. Based on interviews performed, it does not appear that regular trend analysis is performed to evaluate for unusual or inappropriate cash receipt trends. While some form of cash receipt monitoring may be occurring throughout the City, there is not adequate documentation showing that sufficient trend analysis is performed on cash receipt data that would allow for the early identification of activity requiring follow-up. The City should establish a process for performing regular trend analysis on cash receipts across all departments. The analysis should be performed by someone independent of the departments that are handling the cash receipts. Trend analysis should include assessment of: ● Cash receipts, by department, by month. ● Cash receipts, by department and citywide by month and year-to-date in comparison with prior year totals. ● Cash deposits reported to the Cashiering Unit on a weekly basis to identify fluctuations or indications that a department may be holding onto deposits, increasing the risk of misappropriation. Moderate Moderate Enterprise Internal Controls Review Report | 19 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE 13 Billing and Collection P&Ps are documented and implemented to specifically address how each source of City A/R will be billed collected, monitored, and written-off. The City has various revenue sources that result in A/R, including utility services, tax assessments, and business licenses. As of June 30, 2019, the City reported approximately $12,000,000 in A/R from the various sources. P&Ps to guide each type of A/R, including how A/R will be established, billed, collected, monitored, and adjusted/written-off are not in place. Therefore, each department that is responsible for A/R billing and collections may be doing it differently, and there is a risk that the overall A/R functions are not properly controlled and monitored. Given the City has a variety of revenue sources that result in A/R and the need for billing and collections, it is important that there are documented P&Ps that manage these activities. Specifically, the City should develop and implement citywide and department- specific P&Ps that include, at a minimum, the following: ● A citywide A/R P&P that address aspects of A/R, billing, and collections that are applicable to all the various sources of A/R. The citywide P&P should cover things such as what departments are responsible for monitoring A/R, the requirements for managing billing and collections of A/R, reporting requirements, assessing past-due accounts, and requesting, approving, and processing related A/R adjustments/write-offs. Monitoring controls should be documented to oversee the department A/R management functions and verify the accuracy of balances reported, ensure oversight of adjustments/write- offs, and reconcile activity on a regular basis. ● For each department that is responsible for managing A/R, a department-specific P&P covering their specific processes for overseeing and controlling the A/R, billing, and collections functions should be developed and implemented. Department-specific P&Ps should address the specifics of how A/R is established, what systems are used and the related reports that will be used, who is responsible for each aspect of the process, and what reviews/approvals are in place. Each department-specific P&P should reference and comply with the citywide P&P; however, they should include an adequate level of detail to aid departments in properly managing and controlling City A/R within their respective departments. Moderate Moderate Enterprise Internal Controls Review Report | 20 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE 14 Adequate reconciliation controls are in place to ensure that all A/R across various City departments is properly captured and reported. Based on information obtained during interviews, there is a risk that not all City A/R is identified, reconciled, and reported. There are several departments across the City whose activities give rise to the establishment of A/R. Some departments utilize MUNIS for managing A/R, while others use a department-specific system. In addition, many departments have a separate system for the underlying activity that gives rise to the A/R, such as a system for recording utility meter reading data and Community Plus, which is used to process business licensing, alarms, etc. Data from these systems is used to calculate customer bill amounts, which are recorded as City-A/R until collected. There are not reconciliation procedures in place to ensure that all external systems are fully reconciled to the related activity or balances reported in MUNIS, verifying that all activity and balances were The City should establish a full reconciliation process that is performed both by individual departments responsible for managing A/R and by the Finance Department on a monthly basis. A full assessment should be performed to identify each activity or source of City-A/R across all of the relevant departments. A listing should be made to identify each department, whether there are activities that result in City-A/R, and how each will be reconciled. This will help to ensure that all City-A/R is identified and subjected to routine reconciliation and monitoring procedures. Each source of A/R should be reconciled, and the reconciliation process, at a minimum, should include the following: ● Completeness checks to ensure that the activity recorded in any system (e.g., systems such as utility meter reading or Community Plus) is properly captured and included in the related billing and collections process. These checks should include verifying all activity (amounts, usage, units, etc.) are properly transferred, and the review should be confirmed by someone outside of the individuals responsible for overseeing the process. ● Reconciling the billing and collection activity, including a process for ensuring the beginning balance plus new activity/billings less payments received, equals the ending balance of A/R reported. ● Reconciling the A/R monitoring schedule and system used by each department to the actual activity and/or balances reported in MUNIS at month-end. ● Researching and resolving any variances identified. High Moderate Enterprise Internal Controls Review Report | 21 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE properly captured and reported. Given each source of A/R is unique and the reconciliation activities will vary depending on the underlying systems and processes in place, it is key that overarching reconciliation procedures are developed and implemented in a customized manner to each A/R source. 15 A/R activity and balances are monitored consistently and timely to ensure that collection efforts are adequate, City assets are protected, and A/R is reported accurately and written-off, when appropriate. Aged accounts are assessed regularly and uncollectible accounts are written-off and removed from the billing and collection reports. Each source of A/R is established, recorded, and monitored differently, resulting in a high risk that error or inappropriate activity will not be identified. It does not appear that all A/R balances are billed for and collected in a consistent manner and A/R aging and other reporting and monitoring is performed by all departments or by the Cashiering Unit of the Revenue Division for all sources of A/R. A/R assessments to determine whether write-offs are warranted are only fully performed for department A/R at year-end, and it is unclear if the year-end adjustment accounted for a full detailed analysis of all aged balances. It appears that the City applied an approach that allowed for all A/R over 90 days. The fiscal year ending June 30, 2020 The City should establish consistent monitoring procedures and controls for City A/R. Each source of A/R should be identified, billed for, and collected in a consistent and well-controlled manner, monitored adequately, including A/R billing and collections and A/R aging, and evaluated for whether it needs to be written off based on pre-determined criteria. Specifically, the following should be considered in the establishment of monitoring procedures: ● All sources of A/R should require a defined billing and collection process that is monitored for compliance and adequacy regularly. Regular reporting, including A/R aging, should be produced and reviewed, and aged A/R over a set threshold (e.g., 90 or 120 days) should be evaluated to determine whether additional follow-up is required, whether the related services should be cancelled or revoked, and whether a write-off is warranted. ● A/R write-offs and adjustments should be performed in a way that ensures the underlying criteria is documented and applied consistently to prevent claims of unfair treatment and erroneous adjustments that cannot be identified. Write- offs/adjustments should be documented consistently and reviewed and approved appropriately. Documentation of write- offs/adjustments should be maintained and monitored by an independent department/function (e.g., Revenue Auditor) on a routine basis. High Moderate Enterprise Internal Controls Review Report | 22 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE write-off recorded was approximately $500,000; however, we were unable to determine whether this was an accurate reflection of the total that should be deemed as uncollectible. Finally, many of the A/R aging reports received included A/R balances that were established five or more years ago and had not been written off and removed from the aging reports. ● To ensure that A/R balances are not overstated, a full analysis of all City A/R recorded should be performed on a regular and consistent basis, based on preset criteria for each source of A/R, rather than performing one overall assessment and write-off at year-end. For those accounts that are written off, a documented process for follow-up should occur, including assessing what actions should occur due to unpaid accounts. This may include cancelling service for a customer, revoking a license/permit, or other action. ● On a regular basis, A/R accounts should be assessed, and old uncollectible accounts should be removed from the sub-ledgers or systems used to track A/R. Accounts that are deemed uncollectible should be removed from the billing and collections system to prevent adequate oversight from being performed of true A/R aging reports that are still being pursued and possibly collected upon. 16 Payment and deposit collections processed at the Cashiering Unit are reconciled on a daily basis, by drawer/cashier, and the reconciliation includes tying the total amounts on- hand, by payment type, to an underlying system report or manual log total. Based on interviews performed with Cashiering Unit personnel, there are daily reconciliations in place to reconcile beginning balances for each drawer, and in total, to the ending balance on-hand and placed in deposit packets. Individual drawers are counted, the base funds are subtracted out of the total for deposit, and the remaining funds are placed in a deposit bag for processing. There are no In order to ensure that payments and deposits collected at the Cashiering Unit are properly controlled and accounted for and all cash collected is deposited to a City bank account, a thorough and controlled reconciliation by drawer must be performed daily. The City should perform a full process analysis to overhaul the cash receipt and deposit process at the Cashiering Unit to provide for adequate controls over the City’s assets. A well-controlled cashiering function should include, at a minimum, the following: ● Cashiers are assigned individual drawers and base funds are verified and signed for at the beginning of each shift. ● All payments processed, including deposits from departments, are documented immediately upon High High Enterprise Internal Controls Review Report | 23 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE procedures in place to reconcile payments collected to an underlying system report or payment log to ensure that the total amount collected throughout the day, less the drawers base fund, ties to the amount being deposited. Individual cash drawers are used for each cashier; however, at the end of their shift, there is not a formal process for performing a drawer reconciliation and cash count to account for all funds before leaving. Based on interviews, reconciliations are performed in total, not by drawer, variances are typically not identified, and adjustments are not posted until a weekly reconciliation process. It is difficult or impossible to determine the cause of variances. receipt, collections are counted, and a formal receipt (system generated or manual) is issued prior to the individual making the payment or deposit leaving. ● A detailed reconciliation by drawer is performed at the end of each shift, including reconciling the beginning base fund, plus receipts recorded in the system or manual receipts, to the ending balance on-hand. This should be performed by payment type (cash, checks, and credit card transactions) and variances should be researched and resolved prior to the cashier leaving for the day. ● The count and reconciliation process for each drawer should be verified and signed off on by a second individual, and deposits should be secured appropriately until the full deposit is processed at the end of the day. ● A full end-of-day reconciliation of all drawer deposits to the system totals or manual receipt totals for the day by payment type and preferably by revenue source. This reconciliation should be documented and reviewed, and all variances should be researched and resolved immediately. ● The full day’s deposit, once reconciled, should be documented and stored in a safe until the deposit is picked up by an armored service or physically taken to the bank for processing. 17 Payments collected are properly protected until deposited at the bank. Based on interviews performed, adequate controls are not in place to ensure that all payments collected are properly secured until they are deposited. During the recommended full cash handling assessment, the processes for controlling payments should be analyzed. However, the City should implement immediate corrective actions to ensure that payments collected are properly protected and prevent misappropriation of City assets. Specific actions should include: High High Enterprise Internal Controls Review Report | 24 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE Specifically, it was unclear as to whether individual sites are restrictively endorsing checks upon receipt and whether the payments are secured in a locked drawer or safe until deposit to treasury. In addition, the Cashiering Unit drawer deposits, which include all of the individual payments processed and the remote deposits collected, at the end of each shift, are placed in a basket within the Cashiering Unit, rather than immediately being placed in a secured safe or locked drawer. Based on interviews, the Cashiering Unit is secured and access is restricted to only their employees, which helps to mitigate the related risk. These control gaps create the risk that payments collected could be stolen, and it would be impossible to identify who took the funds or when the funds went missing. ● Communication should be sent out to all cash handling departments that checks received must be restrictively endorsed immediately upon receipt. ● All departments should be physically assessed to identify an adequate means of securing payments upon receipt (e.g., a safe, locked office and drawer), and individuals responsible for monitoring these controls at each department should be identified. ● The Cashiering Unit should not keep cash/payment deposits in an open area throughout the day. A process should be developed immediately to require that deposits (bags of payments) be properly secured immediately after a cashier’s shift. ● Access to the physical areas where cash is stored should be assessed to ensure that the areas are properly secured. 18 Surprise cash audits are performed on a regular basis and We were unable to obtain documentation of any surprise cash audits or counts performed by the Surprise cash audits are an effective internal control for addressing the risks that arise due to the decentralized nature of cash receipts throughout the City. A documented process for performing surprise Moderate Moderate Enterprise Internal Controls Review Report | 25 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE include auditing the controls in place at each cash collection department on a rotating basis. Finance Department or the Revenue Auditor. Although these may be occurring at some level, they may not be sufficient, and they are not documented in order to allow for an assessment of their adequacy. cash audits should be developed and implemented and should include, at a minimum, the following: ● Defining who will perform the audits and at what intervals and what the basis will be for rotating departments audited to ensure full coverage each year. ● The specific procedures for performing a reconciliation of the sites base fund, plus receipts reported in the system or on manual receipts, compared to the amount of payments on-hand by payment type. ● Control checks, such as confirming a sign notifying customers/citizens of who to contact if a physical receipt is not received, verifying that checks are restrictively endorsed, checking the physical security of cash on-hand, etc. ● Requirements for documenting the results of each audit and ensuring that any deficiencies identified are communicated, addressed, and followed up in a timely manner. CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE 19 The City has adequate controls in place to protect cardholder data and to ensure compliance with Payment Card Industry (PCI) The City has not established a formal policy and process for monitoring PCI compliance. Best practices suggest that formal security procedures should be documented and implemented, systems should be designed appropriate to control cardholder information, and a systematic and continuous monitoring program should be in place to identify and manage process and system weaknesses where PCI could be exploited. Moderate Moderate Enterprise Internal Controls Review Report | 26 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE Data Security Standards, which are applicable to all organizations that store, process, or transmit cardholder data. 20 Adequate internal controls are in place to ensure the integrity of the vendor master file. Both A/P and Purchasing employees have systems access in MUNIS to process vendor changes; however, A/P is primarily responsible for entering new vendors and processing vendor changes (e.g., vendor name, address, and contract information). Although workflows are established to require approvals of vendor additions/changes, this presents a significant segregation of duties risk. Independent reviews of the vendor master file and related system change/edit reports are not performed regularly. Current practice is to require a W-9 at vendor setup; however, based on interviews performed, a new W-9 is not always required when vendor changes are requested. Best practices in internal controls recommend that access to add new vendors or process vendor changes should be restricted to individuals outside of the A/P function. Segregating duties between vendor file maintenance and payment processing is important to maintaining internal controls over the disbursement process. Allowing access to both functions creates the risk of the same person having access to set up a new vendor and process a fraudulent payment to that vendor. The City should restrict systems access and responsibilities related to maintaining the vendor master listing to individuals independent of the A/P function. To ensure adequate monitoring of the vendor master files, reports should be run from MUNIS on a regular (defined) basis, and reviewed by someone independent of the A/P function, and the results of these reviews should be documented and maintained. Reports monitored should include, at a minimum: ● The vendor master listing, in detail, along with the last activity date for each active vendor. ● All vendor additions and changes processed during the period, along with the name/ID of the employee who processed the change/addition and approved the change/addition. High High Enterprise Internal Controls Review Report | 27 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE A W-9 should be required and verified whenever a change is processed to a vendor’s name, address, or EIN. The independent review described above should include selecting a small sample of vendor additions and changes and ensuring that a completed W-9 is on file to support the addition/change. 21 All vendors, prior to becoming an approved City vendor, are checked for suspension and debarment. Accountability for performing this check is defined, and the results of the verification is documented to support new vendor setup. Based on interviews, vendors that are selected through the formal RFP process are typically checked for suspension and debarment. However, this check is not being performed for all new vendors, responsibility for performing this check is not defined, and the results are not consistently documented and maintained to support new vendor setup. The CFR, as well as best practices, require that a formal process be in place to ensure vendors are not suspended or debarred prior to conducting business with them. The recommended threshold is $25,000 of combined total vendor purchases. A formal policy should be established and address, at a minimum: ● The threshold for when a suspension and debarment check must be performed. ● Responsibility for performing this check and when in the procurement process the check must occur. ● Documentation required to support that the check was performed and how/where the documentation will be maintained to support new vendor setup. ● A reverification process for confirming that vendors used for longer than a specified period (e.g., one year) are reconfirmed and the results of the review are documented. Moderate Low 22 Vendor payment activity is monitored on a regular basis, and the results of the review are assessed and documented. Vendor payment activity is not being monitored on a regular basis by someone independent of the A/P function. A formal monitoring process for reviewing and assessing payment/disbursement activity should be developed and documented. The A/P monitoring process should include, at a minimum, the following: ● Total disbursements, by vendor, citywide and by department. Moderate Low Enterprise Internal Controls Review Report | 28 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE ● Total disbursements, by department and by month, and comparing to the same month of activity in prior year. The reviews should be documented and any unusual trends or activity should be researched. 23 The A/P process includes adequate controls, including reviews, approvals, and reconciliations to ensure that all payments are properly approved and supported and appear appropriate. A final review is performed and documented, ensuring that all invoices approved for payment pre- processing tie to the actual disbursements processed. Prior to June 2020, the review and approval process of A/P weekly check batches was not adequate to ensure that the final disbursements processed tied to those that were initially approved pre- processing. As a result, during our walkthrough of the first A/P check batch processed in May 2020, we were unable to reconcile the reports utilized to tie out the pre-processing approved totals to the final processed disbursements, and there was no documentation that a review had been performed internally by someone independent of the A/P function. A new process for monitoring and reviewing weekly check batch activity was implemented in June 2020 to address the control gaps identified during this review. However, the process has not been The new process for monitoring and reviewing weekly check batch activity should be documented in a P&P and include, at a minimum, the following: ● Specifications as to what reports will be reviewed and approved by whom and when. ● The specific supporting documentation (e.g., vendor invoices or other payment support) that must be included to support the pre-processing check batch review process. ● The reconciliation process between the pre- processing approved totals (number of invoices and total amount) to the final disbursements processed on the final check register, including how variances will be researched and addressed. ● The comparison of the actual physical checks to the final check register. ● The documentation that will be maintained to support the review and approval process for each A/P weekly check batch. ● The requirement that final printed signed checks not be returned to the A/P Department. ● The new process should be reviewed as part of a future project to assess the adequacy of the controls and documentation. Moderate Low Enterprise Internal Controls Review Report | 29 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE documented in a P&P, and the process was not verified during this review. 24 After printing A/P checks, the physical checks are not returned to the A/P Department, and are mailed out by an individual independent of the A/P function. Based on interviews, the physical signed checks are returned to the A/P Department prior to being mailed out to vendors. This creates the risk that a check could be misappropriated. Physical, signed checks should not be returned to the A/P Department after printing/signing. They should be given to a person that is independent from the A/P function for a final comparison to the final check register, matched to any mailing support, and mailed. High Low CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE 25 Comprehensive Fixed Asset P&Ps covering fixed asset management are available to employees, and all employees assigned responsibility for tagging, safeguarding, accounting for, and inventorying Detailed fixed asset P&Ps do not exist, and personnel responsible for fixed asset management do not receive regular training. Comprehensive fixed asset management P&Ps should be developed, and personnel assigned responsibility for tagging, safeguarding, accounting for, and inventorying fixed assets should be trained accordingly. The fixed asset P&Ps should cover areas such as: ● Purchasing and G/L coding ● Documentation requirements and asset tagging ● Fixed asset recording ● Safeguarding ● Fixed asset custodian responsibilities ● Inventory process High Moderate Enterprise Internal Controls Review Report | 30 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE fixed assets have been trained. ● Disposals 26 Fleet fixed assets are adequately tracked utilizing the City’s fixed asset module in MUNIS. Fleet purchases are not recorded as fixed assets in the MUNIS system upon purchase. Rather, they are expensed in MUNIS, tracked manually in an Excel spreadsheet, and entered into Fleet Focus within the department. This results in a manual process for tracking asset balances, additions, disposals, and the related depreciation. On a regular basis, Finance is reconciling related fixed assets recorded in MUNIS to the Fleet Focus asset listing. We obtained the reports from these two systems, and were unable to determine if they reconciled. PO reports are also reviewed in detail, line- by-line, to identify potential vehicles that should be capitalized. Based on the documentation available and the manual processes involved, it appears there is a risk that vehicle purchases and disposals may not be identified and recorded timely. Given that the MUNIS fixed asset module is not currently being utilized to track fleet purchases, there is an increased risk of misappropriation of assets or incomplete fixed asset records. To ensure that fleet assets are monitored adequately and are recorded timely, the full reconciliation process between MUNIS and Fleet Focus should be performed regularly, at set periods (e.g., monthly or quarterly), and the reconciliation should be documented. System reports should be run on the same date, and any variances between the two systems should be identified and researched. The City should assess this process to determine whether there is a more efficient and effective way to identify vehicle additions upon initial purchase, thus reducing the need for a manual reconciliation process to identify variances. While there are benefits to utilizing Fleet Focus for tracking fleet asset activity, it requires the assets be entered individually, upon purchase, into the MUNIS system for asset tracking. Adjustments could still be processed at specified points throughout the year to account for increases or decreases in value, based on Fleet Focus reports. High Moderate Enterprise Internal Controls Review Report | 31 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE 27 An annual full physical fixed asset inventory is performed. The inventory process is well-controlled, performed by individuals outside of the asset custodians, and the results are adequately documented. The documentation provided to support the quarterly/yearly physical fixed asset inventory process did not appear to be complete or show that an effective inventory was performed for each department. Based on interviews performed, the inventory process is likely performed by the asset custodian for each department, and formal instructions for how the inventory is to be performed are not documented to ensure that the process is complete and effective. Not all departments perform a thorough inventory, resulting in asset disposals that are not identified until years after the fact. Department directors are ultimately responsible for these inventories; however, the related responsibilities are not documented and the reviews/approvals are not maintained. The fixed asset inventory process should be evaluated and improved. The current process in place may not be effective and does not appear to be well-controlled. The following should be considered: ● If the physical inventory process is going to be performed on a rotating basis (e.g., quarterly covering different department assets), then a reconciliation of the assets inventoried each quarter compared to the year-end listing should be performed and documented to ensure that all assets were accounted for during the quarterly inventories. ● Physical inventory instructions should be developed and provided to all individuals responsible for performing inventory counts. ● Instructions should include requirements for verifying the details of each asset, the tab number assigned, and the condition, as well as the requirement for assessing the assigned listing for completeness or untagged assets within their assigned department. ● Physical inventory counts should always be performed by individuals that are not custodians of the assets (e.g., not the individuals who are responsible for maintaining those assets). ● The result of each department’s physical inventory should be documented, approved by the department director, and assessed for training needs. For instance, if disposals or asset purchases were not reported until year-end, then the department personnel should receive training on what should be done when these transactions are processed and they should be held accountable for complying. High Moderate Enterprise Internal Controls Review Report | 32 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE ● All variances identified should be thoroughly researched, resolved, and documented. 28 Fixed asset disposals, surplus, and transfers are reported timely and documented and processed consistently. Based on interviews performed, it was determined that departments are not consistently reporting fixed asset disposals, assets for surplus, and asset transfers. At times, departments are just disposing of assets without following any formal process for documenting and processing the disposal. This results in assets being identified as being disposed of several years after the fact. Assets are not consistently reported to the Central Warehouse as surplus to be available for use by other departments or auctioned off for the benefit of the City. Controlling the fixed asset disposal process is vital to ensuring that City assets cannot be misappropriated, such as being taken home by employees or sold by individuals rather than being auctioned for the benefit of the City. Enhanced fixed asset inventory processes will aid in identifying instances of unreported disposals more timely. Given that so much responsibility is put back on the departments who have the asset rather than deploying a centralized asset management process, training should be provided to all asset custodians on their responsibilities related to disposing of assets, reporting surplus assets, and transferring assets. All assets being disposed of or moved from an assigned department should be immediately reported to the Central Warehouse for tracking and processing. A formal Disposal/Transfer form should be utilized, and all surplus property should be tracked. Any non-compliance with these processes should be tracked by the Central Warehouse, and department directors should be held accountable for ensuring their departments appropriately track and report assets. High High CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE 29 The City’s inventory management Given the significant internal control issues identified during this high-level review, The City should consider performing a full assessment of the inventory management function at all sites that handle inventory on behalf of the City. Given the High High Enterprise Internal Controls Review Report | 33 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE function has been fully assessed to identify internal control gaps and opportunities for improvement. there is a significant risk that inventory could be misappropriated and that it would not be identified. The overall inventory management function is not well-controlled and adequate independent monitoring is not in place. A full outside assessment of the inventory management function, including the Central Warehouse, Automotive Warehouse, and other departments that maintain inventory, has not been performed. control gaps identified, detailed testing should be performed to quantify any inventory misappropriation or errors that have occurred over the past several years. Each area of inventory management should be fully assessed, including the procedures for purchasing, receiving, logging, using, reconciling, reporting, and inventorying. Significant control improvements should be implemented to protect the City’s investment in inventory and mitigate the related risks, including public scrutiny that can occur if inventory is not properly controlled. 30 Inventory at the various departments (outside of the Central and Automotive Warehouses) is adequately tracked and monitored. Based on interviews, there is a lack of understanding of how inventory at other departments, such as Utilities and Police, are maintained and controlled. Consistent, independent monitoring and oversight is likely not in place over these other inventory locations. The City should identify all departments across the City that maintain some level of internal inventory on- hand to support daily operations. Formal procedures and monitoring should be in place to ensure that these smaller inventories, managed by individual departments, receive an adequate level of control to prevent misappropriation. High Low 31 Adequate segregation of duties is in place over the inventory function at the Central and Based on interviews performed, there are very limited, if any, segregation of duties in place over inventory management. The same individuals are assigned sole responsibility, at times, for purchasing, A full assessment of segregation of duties over inventory management functions should be performed for the Central Warehouse and Automotive Warehouse. Duties should be adequately segregated between existing personnel, and where needed, mitigating controls should be implemented to address High High Enterprise Internal Controls Review Report | 34 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE Automotive Warehouses. receiving, counting, and reconciling inventory, creating a significant risk that inventory could be stolen and not identified or an individual could be accused of stealing inventory and there would be no way of verifying whether the claim was justified. Historically, all aspects of inventory management at the Automotive Warehouse have been performed by one individual. any remaining risks. The following actions should be considered: ● Responsibilities for and access to purchasing inventory and receiving the inventory should be segregated to separate employees. If this is not always possible, then inventory received should be subsequently verified by an individual independent from the original purchaser. ● Inventory physical counts should be conducted and verified by someone independent of the inventory management function. Those individuals responsible for managing the daily activity of inventory should not be the ones designated to perform the physical inventory counts, compare those counts to system totals, and research and report inventory adjustments as warranted. ● Spot checks comparing inventory on-hand to system inventory totals should be performed by someone independent of the inventory management functions on a regular basis. All reviews should be documented, and variances should be researched and addressed in a timely manner. ● The physical security of both warehouses should be physically assessed to ensure that access is restricted to individuals who warrant access for their job responsibilities. ● Access to adjust inventory levels (e.g., record inventory corrections, increases/decreases, etc.) should be appropriately restricted and related activity should be independently monitored on a regular basis. 32 Automotive inventory is managed through Automotive inventory is managed on a separate system, which is Fleet A full assessment of the Automotive inventory management process is needed to fully identify control and process improvements that would address the High High Enterprise Internal Controls Review Report | 35 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE a controlled system on a perpetual basis, and the system integrates with MUNIS. Focus (Asset Works). However, this system does not integrate with MUNIS, and there are not monitoring and reconciliation controls in place to ensure that the systems reconcile and that inventory adjustments are appropriate. Automotive parts are not barcoded, and given the nature of the related assets, it is important to track inventory down to the specific vehicle. This tracking is a manual process, which both requires individuals to write down usage on a log and then an individual with access to Fleet Focus to process the transactions when time permits. There are no independent reconciliations or verifications to ensure that all usage activity is correctly coded to corresponding vehicles, the related expenses are correctly charged to individual departments, and the activity recorded is complete and based on maintenance/repairs that actually occurred. significant deficiencies identified. At a minimum, the recommended controls should be considered and implemented immediately where possible, until such time that a full assessment can be performed. In addition, the following should be considered: ● Although Fleet Focus and MUNIS do not integrate, regular system reconciliations should still be occurring to assess the reasonableness of the amounts reported in the department’s perpetual inventory system. ● An assessment of the manual processes of recording inventory usage should be assessed to determine if automation is possible. At a minimum, a formal documentation of usage process (e.g., consistent form or template) should be utilized, and a daily reconciliation of usage reported on the forms/templates should be reconciled to the system entries each day. These reconciliations should be documented, variances should be researched timely, and an independent review should occur. Enterprise Internal Controls Review Report | 36 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE 33 The physical inventory process is documented and well-controlled to ensure that all inventory is verified/counted on at least an annual basis by someone outside of the person responsible for the daily management of the inventory. Variances in inventory levels are researched and addressed timely. The City’s physical inventory process is not adequately controlled, and as a result, the results of the inventory are likely not reliable. As noted above, the same individuals who manage the inventory at the Central and Automotive Warehouses on a daily basis are the ones who are responsible for performing the physical inventory counts of that inventory. Inventory results are reported to the Finance Department for any adjustments that need to be posted to the general ledger. However, there are no independent verifications of the inventory counts reported. Historically, the variances identified have been extremely minimal, which raises a red flag that the counts may not be accurately or fully performed. For example, the Central Warehouse system inventory report included 102 pages with 1,022 different line items of inventory on-hand at the time of the physical count. However, the variances A full physical inventory count should be performed, at least one time per year, for the Central and Automotive Warehouses. Counts should include a “blind count” of inventory levels utilizing a listing of all potential inventory types and identification information, without the current system inventory balances included. This “blind count” approach allows for an independent count of the units on-hand without any bias or reliance on the system totals. After the count is performed, the inventory on-hand system reports should be run and a full comparison of inventory count results to on-hand system totals should be performed. All variances should be researched immediately. Inventory counts should always be performed by someone independent of the person who is assigned inventory management responsibility. Typically, the individual assigned to perform the independent count is someone in the Finance Department or an auditor. All inventory counts performed should be properly documented, and the results should be reviewed and approved by upper management. High High Enterprise Internal Controls Review Report | 37 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE identified and corresponding adjustments posted were only 16 line items totally approximately $16,000. There are thousands of inventory units on-hand, and given the current lack of controls, the minimal year- end adjustments seem unusual. CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE 34 Financial Reporting P&Ps are documented, and the City is actively utilizing the P&Ps to guide the financial reporting function. Comprehensive checklists or other control tools are in place to guide the month-end and year-end close processes. There are no citywide P&Ps covering financial reporting, including month-end and year-end close, journal entry processing, chart of account maintenance, producing, reviewing and approving financial reports, and required monitoring and oversight. In addition, Finance does not have a monthly close checklist, or similar tool, to track all tasks that must be completed at month-end close, the responsibility for performing and reviewing each required tasks, and the The financial reporting function for the City is key to ensuring that accurate, reliable, and timely financial information is available for decision-makers. Comprehensive Financial Reporting P&Ps should be developed to ensure that all key roles, responsibilities, and requirements are well-defined. These P&Ps should, at a minimum, cover the following: ● Month-end and year-end close procedures, including tasks that must be completed for each account, department, or function, the assigned preparer and reviewer, the underlying support required for each reconciliation or adjustment, and the timeline for completion. ● Journal entry processing, including how to prepare, review, and approve entries, who has the authority and responsibility for each of these functions, and the supporting documentation required. High Moderate Enterprise Internal Controls Review Report | 38 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE timeline/due dates for each. There is a year-end close checklist; however, it may not be adequate as it currently only shows each account and a deadline. ● Chart of accounts establishment, updates, and maintenance, including the defined structure for use. ● Financial reports prepared, timelines for completion, accuracy checks and reasonableness assessment procedures, approval requirements, and presentation formats. ● Monitoring and oversight roles and responsibilities for key financial reporting activities to promote proactive monitoring, identify unusual or problematic activity timely, and ensure errors are identified. In order to ensure that a complete and accurate month-end close process is completed each month, which is best practice to ensure the timely production of financial reports, a month-end checklist should be developed and implemented. The checklist should cover required reconciliations, journal entries expected, and other closings tasks, with the designated preparer responsible for the task and the assigned reviewer’s role and designation, and the timeline to ensure a timely close process occurs. The current year-end checklist should be enhanced to ensure there are detailed tasks assigned to promote accountability, ensure errors are identified, and deliver year-end financial statements on time. 35 Trend analysis on key financial activity and indicators is performed on a regular basis. Unusual or unexpected trends The City did not provide any documentation of consistent trend analysis performed each month, quarter, or year to monitor financial results and activity, such as assessing month-to-month activity, prior year monthly activity to current year, year- Financial reporting trend analysis performed on a routine basis can help to identify unusual trends, errors, or poor performance timely. The City should develop a set of key financial reporting trend analyses to be performed each month to allow for regular oversight and monitoring. Some key trend analysis and report monitoring that may provide value to the City include: Moderate Moderate Enterprise Internal Controls Review Report | 39 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE are identified and researched timely. to-date activity and balances in comparison with prior year, department comparisons by month/year- to-date, or other key trend analysis. While some of these financial analysis may be performed informally or on an ad-hoc basis, there was not a consistent analysis and follow- up/research process in place to timely identify unusual activity, indicators of errors or poor performance, etc. ● Revenue and expense analysis month-to-month, by department, and current-year month to the same month in prior-month. ● Year-to-date revenue and expense analysis, by department and citywide, compared to the same year-to-date information from prior-year. ● Specific expenses as a percentage of related revenue, year-to-date, by department. ● Budget to actual, by department, in comparison with prior year actual (month over month and year- to-date). ● Account balances for balance sheet accounts, by department, in comparison with prior year. ● Other key financial performance indicators compared on a monthly basis and assessed over time. 36 Monthly financial reports are prepared and reviewed. Departments receive timely financial reports and are actively involved in performance monitoring. Currently, there are not defined financial reports that are prepared, reviewed, and distributed to departments on a monthly basis. Financial reporting to the City Council occurs a few times throughout the year; however, there are not monthly financial reporting packets included each month for ongoing oversight. Monthly financial reporting is vital for ensuring that senior management, department leadership, Finance Committee, and City Council have timely information for decision-making and addressing performance issues, expense overruns, downturn in revenues, etc. The City should define which financial reports are valuable to produce, review, and distribute on a monthly basis. All individuals responsible for oversight of departments or functions should be actively involved with reviewing financial reporting information. A monthly financial reporting packet should be prepared for, and submitted to, the Finance Committee and City Council. Moderate Moderate 37 Accounts are reconciled on a monthly basis and adjustments are Monthly bank reconciliations were provided and To ensure monthly financial reporting can be performed accurately and timely, Finance should identify all balance sheet accounts that would benefit Moderate Moderate Enterprise Internal Controls Review Report | 40 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE posted timely to reflect current activity and balances. appeared to be completed timely following month-end. However, other month-end close reconciliations, journal entries and other close procedures were not documented. It appears a full month-end reconciliation and close process is not consistently occurring. Most month-end entries are posted based on data- dumps from other sub- ledgers or systems, rather than based on a full reconciliation and assessment of variances. Multiple departments interviewed mentioned that the only full reconciliation and adjustment is typically occurring at year-end. from being reconciled and adjusted monthly, rather than waiting until year-end. All month-end account reconciliations should be added to the month-end close checklist and any significant variances should be researched immediately. While recording month-end entries based on data- dumps from sub-ledgers and other systems does help to prevent material year-end entries, they do not promote the identification of errors or activity warranting research. Reconciliations from the prior month’s ending balance, adding in additions, subtracting known uses, and comparing to the current month ending balance helps to ensure variances are resolved timely, prior to the close of the month. Full reconciliations allow for account activity to be monitored real-time, rather than relying on year-end analysis. CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE 38 Budget P&Ps are documented, and the City is actively utilizing the P&Ps There is only one Council- level policy related to the budget, which focuses on the City’s philosophy and organization of the budget and long-term planning, and The City should develop administrative Budget P&Ps that cover all key aspects of the budget function including: ● The budget preparation process, including timing, department involvement in the development High Low Enterprise Internal Controls Review Report | 41 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE to guide budget- related activities. only has limited reference to the budget process and monitoring. There are no administrative citywide P&Ps covering the budget process, including budget development, approval, amendments, transfers, and monitoring. phase, Council input process, required reviews and approvals, and presenting budgets in a meaningful way to the City Council. ● Budget monitoring, including budget-to-actual reporting, use and responsibilities, required reviews, justification for budget overages, and anticipating changes throughout the year. ● Budget amendment and transfer processing, including what documentation and approvals are required and the responsibilities for each key process. Comprehensive P&Ps covering the budget function help to ensure the budget is utilized effectively as a City management tool. Detailed procedures guiding users on how to manage their budget, including how to monitor budget-to-actual activity proactively and request amendments and transfers on the front-end, rather than waiting until a Purchase Request results in a budget overage, helps to promote accountability down to the department level and can result in efficiency gains by proactively looking forward and anticipating expenses rather than responding to overages as they occur. 39 Budget-to-actual reporting is reviewed, proactively responded to, and approved on a regular basis, ensuring the budget is adequately monitored throughout the The City currently has budget monitoring and trend analysis reports available, and they appear to be produced on a regular basis. However, there is limited documentation available to show that these reports are being reviewed (e.g., by the specific department, finance, etc.). It is also up to the department (users) to The City has great reports and tools available to aid in budget monitoring across the City. In order to ensure that the available budget reports are utilized effectively by the City, it is important to determine and document how each available report should be used, the timing in which they will be produced, who is responsible for reviewing them, and what follow-up activity should be performed based on the results reported. The City should evaluate the budget monitoring tools and reports that are available, determine which reports are valuable to the budget monitoring process, and include these components when the City develops Budget Moderate Moderate Enterprise Internal Controls Review Report | 42 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE year and shortages/ overages are identified timely. utilize the reports and monitor them; however, there are no formal requirements documented stating who must monitor these report at the department-level, how often the monitoring should occur, and how the monitoring should be documented. Budget to actual reports and trend analysis reports are available to show year-to- date variances and spending trends for each department; however, it was unclear if these reports are being utilized effectively and if unusual activity and expected overages are being researched and responded to timely. P&Ps. Budget personnel could provide training and guidance to those individuals responsible throughout the City on how to effectively use tools and respond to reports. For instance: ● Budget-to-Actual Reports should be used to proactively assess when budget overages are expected and initiate the amendment process as soon as possible. This would help to prevent delays that occur during procurement or A/P processes throughout the year. All significant variances should be researched and responded to in a timely manner. ● Trend Analysis Reports have available trend data could be beneficial if used effectively. Monitoring trends, such as spikes in use by department, unexpected budget overages, unexpected spending trends, or other unusual trends, can be an early warning sign that something is wrong. The trend analysis could also be used to monitor prior year usage, by month and by department, to current year for unexpected changes in spending. Monitoring these trends can identify red flags that should be addressed in a timely manner. CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE 40 Terminations are reported on or before the termination date. During our analysis of three terminations, we found that systems access is not requested and cancelled The process for reporting employee terminations should be evaluated to include the IT Department in the initial notification of an employee’s last date of employment with the City. The IT Department should High Moderate Enterprise Internal Controls Review Report | 43 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE The related PAFs are submitted to HR immediately once the termination is known, and systems access is cancelled on the final date of employment or immediately after. timely upon termination. Specifically, we found: ● Two instances where the termination date was 5/22/20, an IT ticket was submitted 5/28/20 (six days later). One of the tickets showed a closed date of 8/3/20 (over two months after being submitted) and one was still “pending” as of the date of our request 8/3/20. ● One instance where the termination date was 1/3/30, an IT ticket was submitted 1/9/20 (six days later) and the ticket showed a closed date of 1/16/20 (13 days after termination). be responsible for ensuring that systems access is appropriately cancelled on, or immediately following, an employee’s termination date. An assessment of the IT process for cancelling access should be performed to determine why delays are occurring after they are notified of the termination. 41 Systems access to key functions of the HR and payroll modules within MUNIS are properly restricted to only allow for those employees who warrant edit access to have access. Access is restricted in a way Based on our analysis of MUNIS system access reports, it appears that access may not be adequately restricted for key HR and payroll functions. Specifically, the following access levels create potential risks for inappropriate activity: ● Payroll role (four users): Has update access for employee accruals, Systems access controls over all HR and payroll related functions in MUNIS are key to ensuring that inappropriate or erroneous changes are not processed. In general, in the absence of other mitigating controls, the following segregation of duties, enforced through systems access restrictions, should be in place: ● Payroll personnel should have access to processing time adjustments and payroll corrections, and all functions related to processing payroll runs. However, they should not have access to the employee master file, including new employee setup, pay rate adjustments, accrual High High Enterprise Internal Controls Review Report | 44 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE that ensures adequate segregation of duties between HR and payroll functions. Systems access reports and change reports are reviewed on a regular basis. employee pay, and employee direct deposits. ● HR role (15 users): Has update access to payroll runs and payroll super- user ● IT Admin role (seven users): Appears to have update access to all HR and payroll functions. While this review did not include a detailed assessment of each access level and what these permissions allow these users to do, the levels identified above potentially create risk; however, further evaluation would be needed to determine the level of risk. These risks are increased given that there are no documented access reviews or change report reviews performed for key payroll and HR functions. rate changes or related balance updates, or direct deposit changes. ● HR personnel should have access to setting up all new employees and related information, including pay rates, demographics, direct deposit information, and accrual rates. They should also have access to perform pay rate changes, accrual rate changes or balance updates, and direct deposit and demographic updates. However, they should not have access to any payroll processing or time adjustment functions. ● IT Admin roles should be properly restricted to employees who need access to make regular system updates. This should be very limited, and it is most likely not necessary for seven users to have this level of access, if any. If access cannot be restricted in a way that represents adequate segregation of duties in these areas, then there needs to be regular, documented monitoring in place to mitigate the resulting risk. Monitoring controls should be developed, including a full review of a “change report” showing all new employees set up and all employee changes (specifically to pay rates and accruals of leave) processed along with the user who entered and approved each change. In addition, systems access reports to these functions should be fully reviewed, unwarranted access should be removed, and the reports should be reviewed/monitored on a regular basis. A sample of employee additions and pay rate changes should be verified to supporting documentation as part of these reviews. These monitoring activities should be performed by someone independent of the related HR and payroll functions, and the reviews should be documented. Enterprise Internal Controls Review Report | 45 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE 42 Monitoring controls are in place over the payroll function. Based on interviews performed, there is not adequate monitoring in place over payroll-related activity. Monitoring controls over payroll activity should be developed and implemented. Monitoring can identify potential inappropriate or erroneous activity. Monitoring controls over payroll activity should include, at a minimum, the following: ● Accrual activity including assessing paid time off (PTO) use and accruals, by employee. ● Total gross payroll, by employee, over a period of time. ● Timecard adjustments, by employee and by timecard editor. ● Overtime paid, by employee, over a period of time. Monitoring activities should be performed by someone independent of the payroll function, and all reviews, and any follow-up performed, should be documented and maintained. High Moderate 43 Payroll processed each pay period is reviewed by someone independent of the payroll function. The review includes a reconciliation of the pre-processing approved reports and the final disbursements processed. A process is in place where the Payroll Department saves all payroll processing reports to a file, summarizes the data from those reports, and provides the summary along with the final payroll system report to an accountant, who is outside the payroll function, to “audit” the payroll run. However, for the pay period tested, we were unable to reconcile the reports provided, as the reconciliation performed by the accountant was not fully The payroll audit and reconciliation process should be assessed and improvements should be implemented. In order to ensure that the audit/reconciliation is effective as an internal control, the following should be in place: ● All pre-processing payroll report and final payroll register reviews/approvals should be documented and verification that these reviews/approvals occurred should be performed. ● The accountant should tie all totals reported to the underlying system-generated payroll reports. ● The full reconciliation process, including reconciling time reported to time paid, pre- processing reports to the final payroll register, and the analysis of any variances or adjustments, Moderate Moderate Enterprise Internal Controls Review Report | 46 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE documented, and it was unclear during interviews whether the accountant is tying all summary totals to the underlying system- generated reports to ensure the information being reconciled/audited is accurate. should be documented and the documentation should be maintained with the payroll run support. CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE 44 The City has a mature IT governance function in place that is supported by P&Ps. Currently, the City does not have a formal IT Governance Committee or designated body. A formal IT Governance Policy is not documented and implemented. The City should consider implementing an IT governance body in order to determine the best framework for governance, as well as determine how best to invest in IT. An IT Governance Policy should be developed, specifically to address how decisions are made, who has authority to make decisions, who is held accountable, and how the results of these decisions are measured and monitored. Moderate Moderate 45 The City has a dedicated IT security and cybersecurity position or function, and the roles and responsibilities are clearly defined. While the City does have IT security practices in place, it does not appear that the responsibility for overall IT security, including cybersecurity, is defined. IT security P&Ps are not in place to ensure that the risks in this area are The City should consider implementing an IT Security policy/function in accordance with ISO 17799, "Information Technology - Code of Practice for Information Security Management." This policy/function should aim to ensure that the City has a comprehensive security policy, organization security, asset classification and control, access controls, system development and maintenance, and business Moderate Moderate Enterprise Internal Controls Review Report | 47 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE proactively managed, prevented, and addressed. continuity in order to adequately reduce security infrastructure risk. 46 The City has a formal IT disaster recovery plan in place that is tested regularly and supported by P&Ps. The City does not have a documented IT disaster recovery plan. The City should document and implement a disaster recovery plan that, at a minimum, addresses a structured approach for how quickly and in what manner the City can resume work after an unplanned event. This is an essential part of business continuity. It will help the City to resolve data loss and recover system functionality so that it can perform as seamlessly as possible in the aftermath of an event, even if it operates at a minimal level. Once developed, the disaster recovery plan should be tested on at least an annual basis, and the results of the testing should be documented. High High 47 Mobile and remote access policies and monitoring controls are in place to ensure that City information is protected. A documented Mobile Access Policy is not in place to document the requirements and controls surrounding accessing City email and other information on personal cell phones or tablets. In addition, a documented Remote Access policy for users accessing the City’s network remotely is not in place. A formal monitoring application for employee mobile access and remote access is not utilized. Without documented policies, and a comprehensive monitoring program in place, over mobile and remote access, the risk of data breaches is increased, and it is more difficult to hold employees responsible for ensuring City information is protected and secured. The City should document formal Mobile Access and Remote Access Policies, and develop a formal monitoring program over the access of City information on mobile devices and through remote logins. Mobile access should be controlled through verification of user authentication, implemented security patches regularly, encryption use, frequent backups, etc. Policies should address the limitations of remote access use and guidelines for employees to reference to ensure proper use and protection of City information. Moderate Moderate 48 Systems access to all City systems is well-controlled and The City has implemented ad-hoc meetings between the Finance and IT Regular reviews of systems access reports are key in providing control over City assets, systems, and information. The current ad-hoc Finance/IT meetings High High Enterprise Internal Controls Review Report | 48 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE monitoring activities occur regularly and the results are documented. Departments to review systems access levels assigned to employees. However, the reports reviewed, access levels researched or adjusted, and overall outcome of these meetings is not formally documented. Therefore, we are unable to determine whether they are effective in controlling systems access risks. There are varying levels of IT reporting performed; however, there is not a recurring reporting and review process to monitor system activity. should be formalized to define the frequency of occurrence, the reports that will be reviewed, and related roles and responsibilities. Finance should ensure that finance roles are clearly defined and that user responsibilities tie to the user access levels assigned. A matrix of segregation of duties for key financial functions, such as purchasing, A/P, payroll, and cash receipts, should be developed and utilized for comparison to the systems access reports during these meetings. The results of these meetings should be documented, and the documentation should be maintained to support the monitoring process. The IT Department should develop system activity reporting that is provided to City management on a regular basis (at least quarterly). Reporting may include active directory reports, automatic system-log- out checks, system penetration testing results, and other key system and access reports. These reports should be discussed within the ad-hoc meetings to assess the impact of the results and ensure that any unusual activity is addressed in a timely manner. 49 Penetration testing is performed to evaluate the City’s ability to protect its network, applications and users. The City’s IT Department does not perform penetration testing on an regular (annual) basis, and policies around how these tests will be performed, how often and by whom, and how the results will be communicated and addressed are not documented in City P&Ps. Penetration testing helps the City manage vulnerabilities, avoid the costs related to potential network downtimes, and develop confidence among the various City stakeholders that the City’s systems are properly protected and that vulnerabilities are identified and addressed timely. The City should develop a process for performing penetration testing on, at a minimum, an annual basis. A formal City P&P should be documented addressing how the testing will be performed, how often and by whom, and how the results will be addressed and reported. The policy should then be implemented and the results should be documented. High High Enterprise Internal Controls Review Report | 49 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE 50 Adequate Grant Management P&Ps are in place, training is provided to those responsible for grant management, and regular assessments of grant activity are occurring. Grant revenues account for over $20 million in City revenue. While this is not a large portion of City revenue (approximately 7-8%), there are risks related to non- compliance. Grants management was not included in the scope of this project; however, based on limited interview information obtained, the City could benefit from an assessment in this area. The City should assess whether Grant Management P&Ps are in place, and whether those City employees responsible for managing grant funds are adequately trained in managing grants and the related compliance requirements. Given the limited funding that comes from grants, there is an increased risk of a lack of adequate oversight, monitoring, and training. Grants are managed in a decentralized manner, resulting in most of the compliance aspects falling on various City departments, with varying levels of grant knowledge or compliance controls. Moderate Low 51 The City has an effective Conflict of Interest (COI) Policy in place, and employees are required to submit COI confirmations on an annual basis. While the City has various policies and Administrative Procedures that address COIs, there is not a comprehensive COI P&P in place to guide how COIs should be reported and monitored. The current Administrative Procedure F5 for Purchasing Goods, Equipment, and Material does not reference what constitutes a potential reportable COI. The City should consider combining all current COI policies and Administrative Procedures to allow for one comprehensive policy covering all aspects of the COI process. The overall COI reporting function should be assessed for adequacy, and related guidance should cover, at a minimum, the following: What constitutes a potential COI, specifically addressing the procurement and contracting functions. What employees are required to do if a potential COI is identified. An annual reporting process for potential COIs, including how information will be reported, who will track reported COIs, and what controls will be implemented to address reportable conditions. Moderate Low 52 A process for tracking and The City does not currently have a process in place to Implement a finding, tracking, and monitoring system/tool. Tracking should include all findings Moderate Moderate Enterprise Internal Controls Review Report | 50 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE monitoring all outstanding audit findings and the related resolution of findings is in place. track all audit (external, internal, or other) findings and the related resolution of findings. Outstanding findings are not actively monitored and reported on to ensure that resolution occurs timely. reported from any mechanism, including those reported from external audit, internal audit, or department or program-specific compliance, grant, or other audits or reviews. Outstanding findings should be assigned planned resolution dates and an owner (employee taking responsibility for resolution). The report should be assessed and updated regularly to ensure the timely resolution of outstanding findings. Consider developing a regular report that is presented to the Finance Committee and City Council to report the current status and resolution of all outstanding audit findings. This is typically an internal audit function. 53 Employees in key control functions, such as procurement, A/P, payroll, cash receipts, etc., are required to have a backup cross- trained to perform their role and to take PTO, allowing for the opportunity for others to perform the role. A policy is not in place to require PTO to be utilized and to ensure mandatory rotation of key functions within the City. A formal process is not established to ensure that all key financial functions have adequate cross- training established and that key roles are performed by separate individuals at times throughout each year. Sole-contributor risks relate to having one person solely responsible for, and knowledgeable of, performing key functions of City control and operations. If a sole contributor is out or leaves the City, others would not be able to step in and perform the function effectively. It also creates the risk that inappropriate activity, such as fraud, could continue to occur for extended periods without being identified. The City should establish a policy that identifies all key financial functions within the City, the primary individual responsible for the function, the assigned backup individuals that are cross-trained to perform the function, and a mandatory rotation of duties process. Those responsible for key functions should be required to take PTO throughout the year and allow for their assigned and trained backup complete the functions. Moderate Moderate 54 Designation of approval authority, for key approval functions, such as approving The current processes established to delegate approval authority to another individual is informal. Workflows The City should develop and document a formal process for delegating approval authority for key forms, transactions, etc. Delegation of authority should always be established in writing, including the person to which the authority is being delegated, the type of Moderate Low Enterprise Internal Controls Review Report | 51 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE timecards and purchases, is documented, controlled, and reassessed regularly. established in MUNIS allow for an approver to forward a document/transaction requiring their approval to another designated individual. However, there is no documented process for how the approval authority must be documented, controlled, and reassessed for reasonableness on a regular basis. approval authority being delegated, and the period of time for which the delegation will be applicable. Individuals should be responsible for assessing delegations on a regular basis to ensure they are still appropriate and applicable. Examples of situations warranting delegation may include timecard approvals, purchase requests, financial reports, and budget amendments. While delegating approval authority is important to ensure that bottlenecks do not occur when an individual approver is out, it is important to ensure that the process is formalized and re-evaluated on a regular basis to maintain the integrity of the approval process and ensure accountability and responsibility is clearly defined and known. 55 Comprehensive up-to-date P&Ps are documented for all City functions. Employees are aware of which policies apply to each key function within the City and have adequate procedures to refer to in order to ensure compliance. There are limited P&Ps available to support the key functions evaluated in this review. The lack of comprehensive and enforced P&Ps over key risk areas resulted in many of the control findings. Without adequate P&Ps, roles and responsibilities are not fully defined, accountability is difficult to monitor, and controls may not be in place or may not be functioning appropriately to protect City assets and promote accurate financial reporting. An inventory of all existing P&Ps across all major City functions and departments should be performed. Once all P&Ps are accumulated and inventoried, an analysis should be performed to identify all P&P gaps (e.g., significant areas/functions that are not supported by adequate P&Ps or supported by out-of-date P&Ps), potential control or performance risks, etc. The results of the gap analysis should be utilized to develop a detailed, prioritized work plan to get the City’s P&Ps drafted/updated, reflect current practices, systems and resources, and incorporate adequate internal controls to promote accountability, identify errors or red flags timely, ensure accurate financial reporting, and operate in an efficient, effective, and consistent manner across all City departments and functions. Regular monitoring and oversight procedures should be built into each P&P to ensure compliance. High Moderate 56 All key functions are supported by adequate While some functions are covered by formalized training (for example, A full analysis of all City functions should be performed to identify those functions most in need of a formalized training program. Consider conducting an employee Moderate Moderate Enterprise Internal Controls Review Report | 52 FOR INTERNAL USE OF CITY OF NEWPORT BEACH ONLY CONTROL OBJECTIVE CONTROL ISSUE RECOMMENDATION LIKELIHOOD OF OCCURRENCE IMPACT OF OCCURRENCE employee training. Employees are trained on a regular basis for the functions that they are involved with and responsible for. procurement), there are many functions across the City that are not supported by routine training programs. A lack of training can result in inconsistencies in performance and a lack of clarity in related roles and responsibilities. survey to identify areas that are most susceptible to a lack of clarity and understanding by the individuals responsible for the function. Training for all employees involved in the areas covered by the new P&Ps (once established) should be developed to ensure that employees understand their roles and responsibilities. A training program should be implemented that includes training of all new hires on functions they will be involved with, and annual training updates should be established for existing employees to provide a refresher and communicate any changes to processes, systems, roles and responsibilities, and controls. 9/17/20 Scheduled Date Agenda Title Agenda Description Dark Dark Thursday, September 24, 2020 Investment Performance Review Staff and/or one or more investment advisors will describe the performance of the City's investment portfolio. Annual Investment Policy Review and Update In furtherance of Section K-2 of Council Policy F-1, Statement of Investment Policy (the Policy), the Finance Department has completed an annual review of the Policy to ensure its consistency with the overall objectives of preservation of principal, liquidity and return, and its relevance to current law and financial and economic trends. Staff is proposing no modifications to the Policy at this time as recommended by Chandler Asset Management and supported by the City’s Finance Director/Treasurer. Fire Station 2 - Bond Authorization Recommendation On May 12, 2020, the City Council reviewed the Adopted Fiscal Year 2019-20 Capital Improvement Program Budget. There was a unanimous straw vote to support evaluating financing for the Lido Fire Station 2 Project. This report describes the contours of a financing plan and its conformance to the City’s Debt Policy. Internal Audit Plan Update This update summarizes all internal audit activities to date including the findings of the Enterprise Risk Assessment and the Internal Controls Review report. Working in collaboration with City management, Moss Adams prepared a recommended internal audit program for Fiscal Year 2020-21 that focuses on addressing priorities from the risk assessment and internal controls review. Work Plan Review Staff will review with the Committee the agenda topics scheduled for the remainder of the calendar year. Thursday, November 19, 2020 CalPERS Update Staff will present the latest actuarial valuation changes to actuarial assumptions, a review of investment returns, the potential impact of future rates, and the results of employee cost sharing. Fiscal Year 2019-20 and Fiscal Year 2020-21 Financial Updates Staff will provide a fiscal year ending June 30, 2020 and first quarter FY 2020- 21 budget performance update. Work Plan Review Staff will review with the Committee the agenda topics scheduled for the remainder of the calendar year. City of Newport Beach Finance Committee Work Plan 2021 November September July August I:\Users\FIN\Shared\Admin\Finance Committee\WORK PLAN\2021\2021 FC Workplan 1