OIG No. 23-26: Insurance Certificate Tracking System Process Review
Joseph M. Centorino, Inspector General
TO: Honorable Mayor and Members of the City Commission
FROM: Joseph Centorino, Inspector General
DATE: December 21, 2023
PROJECT: Insurance Certificate Tracking System Process Review
OIG No. 23-26
The City of Miami Beach Office of the Inspector General (OIG) examined the performance of the
City's Insurance Certificate Tracking System process, including the usage of Exigis, LLC (Exigis)
software, to determine whether the associated risk exposure due to insufficient insurance
coverage was minimized. Testing was performed to determine whether sampled vendor
Certificates of Insurance (COIs) evaluations were aligned with the insurance coverage
requirements approved in the executed contracts/agreements, and the parameters uploaded into
the Exigis system. To a lesser extent, the Risk Management Minimum Insurance Requirements
of some written contracts/agreements were spot-checked to determine the sufficiency of required
vendor insurance coverage.
INTRODUCTION
The Commission Memorandum related to City Resolution No. 2018-30244 states: The City has
over 1,500 agreements (contracts, purchase orders, permits, and leases), most having insurance
requirements that apply to the type of goods and services provided through the agreement. The
Procurement Department works closely with Risk Management in a continuing effort to maintain
vendor/contractor compliance on existing contracts. The Administration is seeking the most
efficient and effective methodology to perform certificate of insurance tracking. Rather than add
additional staffing to perform this necessary work, as many agencies do, the Administration
believes greater efficiencies can be gained by contracting these services to industry experts in
the field of insurance compliance.
On December 13, 2017, the City Commission approved the issuance of Invitation to Negotiate
(ITN) No. 2018-003-JC for Insurance Certificate Tracking System and Related Services, which
was issued on December 18, 2017. The City received five proposals, but only two met the ITN
minimum requirements.
On March 7, 2018, the Mayor and City Commission accepted the recommendation of the City
Manager pursuant to ITN No. 2018-003-JC for the Insurance Certificate Tracking System and
Related Services and authorized the Administration to enter into simultaneous negotiation, with
Exigis as the top-ranked proposer and Compliance Hub as the second highest ranked proposer.
The City Manager was authorized to select the successful proposer based on the best overall
terms and services to be provided to the City, and, upon conclusion of successful negotiations by
the Administration, to execute an agreement with the selected proposer.
Afterward, the City entered into a Master Customer Agreement (Agreement) with Exigis on July
14, 2018, to provide the City with its RiskWorks and rm.Compliance and rm.Reports application
modules and to perform annual related support services. According to the Exigis website,
https://exigis.com, (1) RiskWorks is a risk management Operating System highly configurable
Risk Insurance and Treasury solutions suite. (2) rm.Compliance is a service-supported insurance
compliance program designed to centralize the administration and automate the request, follow-
up, processing, auditing, and annual tracking of third-party Certificates of Insurance,
endorsements, contracts, and other related supporting documents. rm.Compliance is vendor
compliance software that ensures risk managers have a unified dashboard to easily monitor
activity, progress, and real-time insurance compliance activities across the organization. (3)
rm.Reports delivers custom reporting and analysis, real-time process metrics, analysis and
trending, and flexible formatting and distribution rules, making accessing and sharing information
easier.
The initial term of services was for three years, but the Agreement may be renewed for two
successive one-year terms by mutual written agreement of the parties. The scope of services
provides for the request, follow-up, processing, evaluation, and maintenance of third-party
insurance documents and contemplates the performance of up to 1,200 Active Third-Party
Compliance Evaluations per annum for a base monthly rate of $2,425.00. Exhibit A Statement of
Services, included in the Agreement, states as follows:
If during the Term of Services Customer requires Consultant to expand the scope of
services and perform additional Insurance Compliance Evaluations in excess of the
annual base allocation of 1,200 additional project fees will be calculated and assessed
at the following fixed rate:
• $25.00 per Account Compliance Evaluation, in excess of 1,200 assessed annually.
On August 13, 2021, the City renewed the Agreement terms for one additional year, with
conditions and pricing pursuant to the ITN No. 2018-003-JC for the insurance tracking system.
On December 22, 2021, the City Manager approved a 3% rate increase retroactive to October
1, 2021. The base rate increased from $2,425.00 to $2,497.75, and the price per evaluation in
excess of 1,200 annually increased from $25.00 to $25.75.
As part of the last renewal term, the contractor requested an 8.6% price increase in the monthly
fee on August 13, 2022. The City Human Resources Department Risk Management Division
determined that, although the 8.6% rate increase request is more than the 3% allowed in the
Agreement, the percentage increase was fair and reasonable, given the actual inflation increase
since the Agreement's inception. In response, on September 14, 2022, the City Commission
approved an 8.6% rate increase, effective October 1, 2022, and the monthly base rate increased
from $2,497.75 to $2,712.56.
In sum, the City has paid Exigis a total of $163,161.16 for its services as of August 9, 2023. This
total only includes monthly base rate fees charged, as Exigis has not billed the City for any
accounts serviced in excess of 1,200 annually through August 2023.
Since the Agreement was set to expire on August 13, 2023, the Mayor and City Commission
approved issuing Request for Qualifications (RFQ) 2023-009-WG for the insurance certificate
compliance system and related services, which was issued on February 2, 2023. On March 29,
2023, a sole proposal to the RFQ was received from Exigis. The Evaluation Committee appointed
by the City Manager determined that Exigis was qualified and should be considered for
negotiations.
BACKGROUND
As part of the initial configuration of the software, City staff provided the Exigis Implementation
Team with a list of contracts/agreements and the requirement list by type (beachfront
concessions, film, fireworks, etc.) to be uploaded into the system.
Upon request, the Exigis Account Manager sent the OIG Auditor a November 4, 2022, email
containing the Excel spreadsheets uploaded by the Exigis Implementation Team and labeled,
2018-09-19 Vendor Upload List - BEACHFRONT, PARKS, SIDEWALK, TENANTS,
PROCUREMENT.xlsx and 2018-08-30 EXIGIS City of Miami Beach - Compliance Rules.xlsx.
These Excel spreadsheets were the ones previously uploaded into the software to create the
initial vendor profiles. After the initial setup, any new vendor profile creation or modification to an
existing vendor profile was the responsibility of the City.
The Exigis Account Manager also explained to the OIG Auditor that Exigis staff members do not read
contracts or update or modify parameters unless required by the City and, as a normal practice,
do not contact the insurance companies to validate the accuracy of the COIs. Exigis does, however,
reach out to insurance agents/brokers by automatic email notifications when there are
non-compliant terms.
OVERALL OPINION
This audit focused primarily on examining the insurance tracking process and determining the
sufficiency of insurance coverage maintained by sampled vendors. The associated testing by the
OIG Auditor identified the following deficiencies requiring corrective action:
1. Misalignment between Exigis system parameters and insurance requirements in 20 of 21
OIG sampled contracts/agreements.
2. Minimum insurance coverage required by risk management was not satisfied by insurance
provisions in some tested contracts/agreements.
3. No documented methodology or process has been followed to confirm that vendors
maintain the required insurance coverage throughout the term of their
contract/agreements.
4. Outdated Exigis user list with unrevoked system access for 81 terminated employees as
of November 3, 2022.
5. The lack of a centralized listing of all City agreements hinders the determination of those
requiring insurance coverage.
6. Uncertainty exists in identifying city staff responsible for the Exigis RiskWorks software
administration including ownership of the data.
7. No evidence was provided of documented Standard Operating Procedures concerning
evaluating vendor-maintained insurance coverage, setting insurance parameters, and
follow-up on non-compliant results.
SCOPE, OBJECTIVES, AND METHODOLOGY
The scope of this audit is to verify compliance with selected terms in the Exigis Agreement, verify
the sufficiency of the established internal controls, determine whether sampled insurance
evaluations comply with the corresponding contracts/agreements and Risk Management
Minimum Insurance Requirements, and evaluate whether designated City staff is adequately
monitoring the established process so that the City's risk exposure is minimized.
The audit methodology included the following:
• Reviewed applicable provisions of the sampled vendor contracts/agreements, and related
departmental Standard Operating Procedures.
• Interviewed and made staff inquiries to understand the internal controls, assess control
risk, and plan audit procedures.
• Performed substantive testing consistent with the audit objectives, including, but not
limited to, examination of applicable transactions and records.
• Drew conclusions based on the testing results, made corresponding recommendations,
and obtained auditee responses and corrective action plans.
• Performed other audit procedures as deemed necessary.
FINDINGS, RECOMMENDATIONS, AND RESPONSES
1. MISALIGNMENT BETWEEN EXIGIS SYSTEM PARAMETERS AND INSURANCE
REQUIREMENTS IN 20 of 21 OIG SAMPLED CONTRACTS/AGREEMENTS.
Exigis created the vendor profiles in 2018 during the initial configuration phase of the
system based on the information provided by the City, while City staff created all
subsequent vendor profiles. At a minimum, the insurance provisions in the executed
contracts/agreements need to be aligned with the parameters in the Exigis system. If not,
the maintained insurance coverage may unknowingly be deficient which could increase
the City's risk exposure and potential for loss.
The OIG Auditor selected a sample of 21 contracts/agreements to determine whether the
required insurance coverage terms were aligned with the Exigis system parameters. The
sample included contracts/agreements selected from the following City
departments/divisions: Procurement, Public Works, Human Resources, Facilities and
Fleet Management, Capital Improvement Projects, Housing and Community Services,
Asset Management, Parking, City Manager, Parks and Recreation, and Tourism and
Culture Development. Each related COI and any available supporting documentation were
examined with the City Risk Manager to reach a consensus as to the stated deficiencies.
The results were as follows:
1. 305 Consulting Engineers, LLC - Procurement - Public Works Administration -
Exigis evaluation #118498 [1]
• Exigis parameters are not aligned with the contract/agreement:
The Commercial General Liability Insurance parameter is
$500,000, but the Commercial General Liability required in the
contract/agreement is not less than $1,000,000.
The Automobile Liability insurance coverage parameter is
$100,000, but the Automobile Liability required in the
contract/agreement is $500,000.
There is no evidence of waiver for the changes in coverage.
There are two contracts/agreements, but Exigis evaluated only
agreement #18-141-02.
Agreement #20-096-02 for Professional Architectural and
Engineering Services in Specialized Categories "As-Needed"
pursuant to a request for Qualifications discipline: Structural
Engineering was not evaluated for compliance in Exigis. Article 11
of agreement #20-096-02 stated that insurance requirements will
be determined on a project-by-project basis at the time of
Consultant Service Order "CSO." The OIG Auditor searched the
Munis system, the City's enterprise resource planning system, and did
not find the CSO; instead, the search found Option A - Professional services
(non-construction) and Option B - Professional services
(non-construction) insurance requirements.
2. 3FM Engineering, Inc. - Procurement - Public Works Administration - Exigis
evaluation #112875
• Exigis parameters are not aligned with the contract/agreement:
The Commercial General Liability Insurance parameter is
$500,000, but the Commercial General Liability required in the
contract/agreement is not less than $1,000,000.
The Automobile Liability insurance coverage parameter is
$100,000, but the Automobile Liability required in the
contract/agreement is $500,000.
There was no evidence of a waiver for the change in coverage.
Exigis parameters were aligned with Appendix D instead of the
contract/agreement.
The contract/agreement is not aligned with Appendix D of the RFQ-
2018-141-ND.
3. Smith and Wollensky (Concession) - Tenant - Various - Exigis evaluation
#27832
• Exigis parameters are not aligned with the contract/agreement:
The parameters do not include Business Interruption insurance as
required in the contract/agreement; however, the Exigis Agreement
does not include verification of the Business Interruption parameter.
Consequently, the scope of the Exigis Agreement may have to be
expanded to include Business Interruption insurance and other
similar types of insurance coverage.
[1] The software automatically assigns the Exigis evaluation number. Every time Exigis evaluates a new Certificate
of Insurance, the system assigns a new evaluation number.
4. Smith and Wollensky (Lease) - Tenant - Various - Exigis evaluation #101372
• Exigis parameters are not aligned with the contract/agreement:
The parameters do not include Business Interruption insurance as
required in the contract/agreement; however, the Exigis Agreement
does not include verification of the Business Interruption parameter.
Consequently, the scope of the Exigis Agreement may have to be
expanded to include Business Interruption insurance and other
similar types of insurance coverage.
The Commercial Liability parameter per occurrence is $1,000,000,
but the contract/agreement requires no less than $2,000,000.
5. Benevate Inc. - Procurement - Capital Improvement Program - Exigis evaluation
#107065
• Exigis parameters are not aligned with the contract/agreement.
The parameters do not include the required Cyber Liability
insurance provision in the contract/agreement.
6. COM Smith Inc. - Procurement - Capital Improvement Program - Exigis evaluation
#101392
• The contract/agreement stated that the insurance requirement would be
determined on a project-by-project basis at the time of the Consultant
Service Order.
• No related Consultant Service Orders were present in the related Exigis
file, making the OIG Auditor unable to determine whether the parameters
in Exigis were correct and whether the COI was compliant.
• The vendor might have different parameters (project by project), but there
was only one vendor profile on Exigis.
7. Penrod (Concession) - Tenant - Various - Exigis evaluation #116301
• Exigis parameters are not aligned with the contract/agreement:
The parameters do not include Liquor Liability insurance in the
minimum amount of $1,000,000 as required by the
contract/agreement.
8. Penrod (Restaurant) - Tenant - Various - Exigis evaluation #116303
• Exigis parameters are not aligned with the contract/agreement:
The parameters do not include Liquor Liability and Property
Damage coverage, not less than $1,000,000, as the
contract/agreement requires.
9. Miami Beach Watersport Center, Inc. - Tenant - Various - Exigis evaluation
#103481
• Exigis parameters are not aligned with the contract/agreement:
The Commercial Liability Insurance parameter is $1,000,000 per
occurrence, but the aggregate Liability Insurance required in the
contract/agreement is $3,000,000.
The parameters do not include Automobile Insurance coverage with
no less than $1,000,000 limits.
10. Lincoln Place LLC- Tenant - Various - Exigis evaluation #79345
• Exigis parameters are not aligned with the contract/agreement:
The parameter for Commercial General Liability is $1,000,000 per
occurrence, but the Liability Insurance requirement in the
contract/agreement is not less than $25,000,000 per occurrence.
The parameters do not include Automobile Insurance coverage of
$25,000,000, Garage Keeper Liability of $5,000,000, Business
Interruption Liability of $100,000, and Proceeds of Casualty
Insurance of $1,000,000. The parameters do not include Business
Interruption insurance as required in the contract/agreement;
however, the Exigis Agreement does not include verification of the
Business Interruption parameter. Consequently, the scope of the
Exigis Agreement may have to be expanded to include Business
Interruption insurance and other similar types of insurance
coverage, which may also impact the corresponding fees due.
11. AGC Electric Inc. - Procurement - Fleet Management - Exigis evaluation #116236
• The certification of contract/agreement stated that "The contractor shall file
Insurance Certificates, as required, which must be signed by a Registered
Insurance Agent licensed in the State of Florida, and approved by the City
of Miami Beach Risk Manager, prior to delivery of supplies and/or
commencement of any service/work by Contractor." However, the OIG
Auditor could not find evidence in Exigis indicating advance approval by
the City Risk Manager.
• The parameters were created based on ITB 2018-077-WG Appendix F's
insurance requirement.
• It was evaluated as compliant; however, the COI does not include
Automobile Liability.
12. AGC Electric Inc. - Procurement - Property Management - Exigis evaluation
#116235
• The contract/agreement does not include insurance requirements.
• The parameters were created based on ITB 2018-124-WG Appendix F's
insurance requirement.
• It was evaluated as compliant; however, the COI does not include
Automobile Liability.
13. AGC Electric Inc. - Procurement - Public Works Streets Division - Exigis
evaluation #116234
• The OIG Auditor could not locate a contract/agreement; however, the
Procurement Department software has a Notice of Award of Contract
Pursuant to Bid (ITB) No. 2022-094-AY. The Notice of Award does not list
insurance requirements, so the parameters were created based on ITB
2022-094-AY Appendix D insurance requirements.
• It was evaluated as compliant; however, the COI does not include
Automobile Liability or Installation Floater Insurance.
14. AGC Electric Inc. - Procurement - Property Management - Exigis evaluation
#116233
• The certification of the contract/agreement states as follows: The contractor
shall file Insurance Certificates, as required, which must be signed by a
Registered Insurance Agent licensed in the State of Florida, and approved
by the City of Miami Beach Risk Manager, prior to delivery of supplies
and/or commencement of any service/work by Contractor. However, the
OIG Auditor did not find evidence indicating prior approval by the City Risk
Manager in Exigis. The parameters were created based on ITB 2019-011-ND
Appendix F's insurance requirements.
• It was evaluated as compliant; however, the COI does not include
Automobile Liability.
15. Beach Towing Services, Inc. - Other - Parking Administration - Exigis evaluation
#107084
• Exigis parameters are not aligned with the contract/agreement:
The Garage Keeper Liability insurance parameter is $1,000,000 per
occurrence, but the aggregate required in the contract/agreement
is $2,000,000.
The insurance coverage was evaluated as compliant; however, the
COI included less Garage Keeper Coverage than the
contract/agreement required.
16. Young Musicians Unite, Inc. - Other - City Manager - Exigis evaluation #114990
• The contract/agreement is not aligned with the Risk Management Minimum
Insurance Requirements.
The Exigis parameter selected was Type 2-2020; however, it should
have been Type 7B for professional services that only require
professional liability coverage.
Although Worker's Compensation insurance should not have been
required for Type 7B, the executed contract/agreement requirement
is less than the State minimum requirement for workers'
compensation for more than four employees. A waiver approved by
Risk Management should be required for an entity with less than
four employees.
17. Greater Miami Convention & Visitor Bureau, Inc. - Other - Tourism and Culture
Development - Exigis evaluation #104728
• The contract/agreement is not aligned with the Type 7A minimum
requirement:
The Exigis parameter selected was Type 7; however, it should have
been Type 7A. Type 7 is for Professional Services (non-construction)
>$100 - $1M (million), while Type 7A is for
Professional Services (non-construction) >$1M. Section 3.1 of the
Agreement, City's Contribution/Fee/Funding, stated that "...The
GMCVB shall be entitled to receive an annual Incentive Fee, in an
amount not to exceed $2,000,000..."
18. Holocaust Memorial - Tenant - Various - Exigis evaluation #58129
• Exigis parameters are not aligned with the contract/agreement:
The Commercial Liability Insurance parameter is $1,000,000, but
the aggregate Liability Insurance required in the
contract/agreement is $3,000,000.
19. Infoquest Information Services, LTD - Procurement - Human Resources - Exigis
evaluation #110621
• Exigis parameters are not aligned with the contract/agreement:
The parameter for Professional Liability insurance is $100,000, but
the contract/agreement requires $1,000,000.
20. Professional Course Management II LTD - Procurement - Parks and Recreation
- Exigis evaluation #115061
• Exigis parameters are not aligned with the contract/agreement:
The parameters for Crime Liability do not specify an amount;
however, the contract/agreement requires $1,000,000.
The Commercial Liability Insurance parameter is $1,000,000, but
the aggregate Liability Insurance required in the
contract/agreement is $2,000,000.
21. Sobe Cats - Tenants - Various - Exigis evaluation #120839
No deficiencies related to this test were noted, but differences were found when
comparing the insurance provisions in the contract/agreement with the Risk
Management Minimum Insurance Requirements (see finding #2).
Testing determined that 20 of 21 sampled contracts/agreements contained some terms
not fully aligned with the corresponding Exigis parameters. Although Exigis properly
indicated that insurance coverage for all sampled vendors was compliant with the stated
parameters created by City staff, the corresponding vendor-maintained insurance
coverage may not be fully compliant due to these identified deficiencies.
Recommendation(s):
The profiles of the 20 sampled Exigis vendors with noncompliant insurance
parameters identified above should be revised by City staff to mirror the insurance
requirements of the associated contracts/agreements. Given the high percentage of
sampled contracts/agreements containing deficiencies (20/21 = 95.24%), the OIG strongly
recommends that Risk Management Division staff review all other City
contracts/agreements, including those executed prospectively, to determine whether the
listed insurance parameters are sufficient. If deficient, the necessary corrections should
be promptly made.
It is also recommended that the Risk Management Division develop an alternate
procedure for any contract/agreement with an insurance requirement not verified by Exigis
(e.g., Business Interruption insurance) to determine whether pertinent vendors are
compliant through an Umbrella Package or another policy.
City of Miami Beach Administration Response:
Comments are provided in their entirety following this report.
2. MINIMUM INSURANCE COVERAGE REQUIRED BY RISK MANAGEMENT WAS NOT
SATISFIED BY INSURANCE PROVISIONS IN SOME TESTED
CONTRACTS/AGREEMENTS.
The City Human Resource Department website, Insurance - City of Miami Beach
(miamibeachfl.gov), states as follows:
In order to protect the interest of the City of Miami Beach, certain insurance
requirements have been set in place and shall be provided by all, Leases,
Contractors, Vendors and other persons or organizations who use or provide
services to the City. The purpose of this is to obtain assurances that the
supplier, vendor or other party will have the financial capacity (insurance
funds) to back up the promise or commitments made in the event of a claim.
All vendors, contractors and other parties using the City's facilities shall, at
their own expense, procure and maintain current policies of insurance that
protect its own interest and the interest of the City against actions arising out
of or resulting from their actions.
Contractual Insurance Guide
Given the wide range of goods and services acquired by the City of Miami
Beach in the fulfillment of our mission, tremendous opportunity exists for
vendors to do business with the City. The minimum levels of insurance that
a vendor is required to maintain throughout the term of the contract are listed
in the insurance requirements attached below:
The insurance requirements are listed by value of contract and type of service
that will be provided. Based on the criteria of the project, please use the
appropriate type of contract from the provided list.
Disclaimer: The risk management division holds the right to tailor its
requirements based on the specifications and potential exposures.
Certificates of Insurance Guide
Please see the certificate of insurance guide below. With this guide, you will
be able to see all the requirements that the City of Miami Beach needs in
order to be able to approve COI's (Certificates of Insurance).
Disclaimer: This is only a guide. The risk management division holds the right
to tailor its requirements based on the specifications and potential exposures.
[Figure: three linked elements. Minimum Requirements: approved by Risk Management; there are currently 10 different types. Agreement: insurance requirements should be aligned with the Minimum Requirements; can have more requirements but not less. Exigis Parameters: the vendor's parameters should mirror the agreement.]
The Risk Management Minimum Insurance Requirements were most recently updated in
2020 and include the Insurance Requirement Chart (see Exhibit 1 located at the end of
this report), insurance required language for all types on the chart (types 1 through 10),
and quick tips with the updated thresholds for Insurance Requirements.
At a minimum, the required insurance coverage in the executed contracts/agreements
needs to be aligned with the Risk Management Minimum Insurance Requirements to
sufficiently protect the City. If not, all subsequent analysis may be incorrect because it is
based on the insurance provisions in the contract/agreement. Also, deficient executed
contracts/agreements are difficult to amend, as each party is required to agree to the
changes for any revised terms to be enforceable.
Although the OIG Auditor did not perform direct testing comparing the Risk Management
Minimum Insurance Requirements with the terms in the 21 sampled contracts/agreements
in finding #1, randomly conducted spot checks did identify some differences.
For example, the Risk Management Minimum Insurance Requirements for Type 5 Leases
require Commercial General Liability of $1,000,000 per occurrence and $2,000,000
general aggregate; however, the executed contracts/agreements of Smith and Wollensky
(Concession), Penrod (Concession), Penrod (Restaurant), and Sobe Cats require
$1,000,000 per occurrence.
Type 5 also requires Workers' Compensation and Liquor Liability of $1,000,000. The OIG
Auditor determined that Penrod (Restaurant) and the Holocaust Memorial
contracts/agreements did not include workers' compensation, and while the Smith and
Wollensky (Restaurant) contract/agreement included Liquor Liability Insurance, it did not
specify the amount required.
The Risk Management Minimum Insurance Requirements for Type 2A Goods, Services
& Maintenance (For Concessions Only) require Umbrella Liability insurance of not less
than $4,000,000; however, the contract/agreement of Professional Course Management
II LTD does not include it.
Furthermore, inquiries determined that the Risk Management Division is typically not
consulted prior to the execution of contracts/agreements to determine the sufficiency of
stated insurance coverage terms. As such, any existing deficiencies would not be
identified by the City in a timely manner and would be more difficult to revise.
Recommendation(s):
The Risk Management Minimum Insurance Requirements, the insurance provisions in the
executed contracts/agreements, and the parameters in the Exigis system should be
aligned. Furthermore, the vendor-maintained insurance coverage should, at a minimum,
satisfy the stated requirements during the terms of the contracts/agreements. If not, the
City's related risk exposure is increased.
Risk Management Division staff should be required to approve the form of all future
contracts/agreements in the approval queue before their execution to verify the alignment
of the stated terms with the required insurance coverage. Also, the City should contact
associated vendors to try to amend any existing contracts/agreements containing
materially deficient insurance coverage provisions.
City of Miami Beach Administration Response:
Comments are provided in their entirety following this report.
3. NO DOCUMENTED METHODOLOGY OR PROCESS HAS BEEN FOLLOWED TO
CONFIRM THAT VENDORS MAINTAIN THE REQUIRED INSURANCE COVERAGE
THROUGHOUT THE TERM OF THEIR CONTRACTS/AGREEMENTS.
Vendors are required to maintain the insurance coverage specified in executed
contracts/agreements for the designated term. However, Exigis only evaluates the COis
submitted by vendors with the parameters uploaded into its system by City staff at the time
of submittal.
Title XXXVII Insurance Chapter 627 Section 627.4133(1)(a), Florida Statutes, states as
follows:
An insurer issuing a policy providing coverage for workers' compensation
and employer's liability insurance, property, casualty, except mortgage
guaranty, surety, or marine insurance, other than motor vehicle insurance
subject to s. 627.728, shall give the first-named insured at least 45 days
advance written notice of nonrenewal or of the renewal premium. If the
policy is not to be renewed, the written notice shall state the reason or
reasons why the policy is not to be renewed. This requirement applies only
if the insured has furnished all of the necessary information to enable the
insurer to develop the renewal premium prior to the expiration date of the
policy to be renewed.
Therefore, the City and Exigis are not notified when a vendor cancels or changes
the previously submitted policy, as only the first-named insurer is informed of the
change, not the policyholder or second-named insurer (City).
No evidence was provided to the OIG Auditor indicating the existence of an established
methodology or process to verify that the vendor maintains the required insurance
coverage for the entire designated period. If the vendor reduces or eliminates the
maintained insurance coverage after Exigis has approved it, the City would be unaware
of its increased risk exposure and potential for loss.
Recommendation(s):
Risk Management Division staff should document a methodology or process to determine
whether each approved vendor insurance policy continues to satisfy the designated
requirements during the remaining term of the contract/agreement. At a minimum, Risk
Management Division staff should periodically examine the vendor's insurance coverage
and document the results. Vendors should be promptly notified of any identified
deficiencies, and available disciplinary actions should be enforced against repetitive non-
compliant vendors or those entities that do not timely correct the identified deficiency.
City of Miami Beach Administration Response:
Comments are provided in their entirety following this report.
4. OUTDATED EXIGIS USER LIST WITH UNREVOKED SYSTEM ACCESS FOR 81
TERMINATED EMPLOYEES AS OF NOVEMBER 3, 2022.
On November 3, 2022, the Exigis Account Manager provided the OIG Auditor with the
requested City of Miami Beach Users Report, which indicated 240 total active users,
containing the following User Roles and the corresponding number of assigned
individuals: Admin Access (1 individual), Compliance Administrator (33 individuals), and
View Only Access (206 individuals). The Admin Access User Role provides complete
control and authority to the Exigis portal; while Compliance Administrators can add, edit,
or archive accounts and evaluations; and the View Only Access User Role enables
individuals to view the data, but not to change the data.
The OIG Auditor compared the names of the active users with a November 3, 2022, listing
of employees, to determine whether all were still employed and the access credentials of
each. The corresponding testing determined the following:
a. The Assistant Director of Human Resources (the prior City Risk Manager) is the
only individual assigned the Admin Access User Role.
b. 33 individuals maintained active Compliance Administrator User Roles as
summarized below by City departments/divisions (listed in descending order).
Procurement - 18
Public Works - 5
Risk Management - 3
Building - 1
Code Compliance - 1
Economic Development - 1
Facilities and Fleet Management - 1
Housing and Community Services - 1
Police Patrol - 1
Tourism and Culture Development - 1
c. 206 individuals maintained active View Only Access User Roles as summarized
below by City departments/divisions/organizations (listed in descending order).
Public Works - 35
Parks Administration - 29
Police - 13
Capital Improvement Projects - 9
Finance - 9
Office of the Inspector General - 9
Transportation and Mobility - 9
Environmental and Sustainability - 4
Planning - 3
City Attorney - 2
Code Compliance - 2
Economic Development - 2
Emergency Management - 2
Human Resources - 2
Budget - 8
Housing and Community Services - 8
Building - 7
Facilities and Fleet Management - 7
Parking Administration - 7
City Clerk - 6
Fire - 6
Information Technology - 6
Communications - 5
City Manager - 4
Organizational Development - 2
Procurement - 2
Public Safety - 2
PCM Miami Beach Golf Club - 1
Pension Benefit - 1
Public Works - 1
Risk Management - 1
Sanitation - 1
Tourism and Culture Development - 1
d. OIG staff determined that 81 active users with access to the Exigis system on
November 4, 2022 were assigned to terminated employees, as shown below in
descending order by City departments/divisions/organizations.
Public Works - 19
Parks Administration - 6
Transportation and Mobility - 6
Budget - 4
Fleet Management - 4
Office of the Inspector General - 4
Procurement - 4
Capital Improvement Projects - 3
Communications - 3
Environmental and Sustainability - 3
Police - 3
Building - 2
City Clerk - 2
Finance - 2
Housing and Community Services - 2
Information Technology - 2
Parking Administration - 2
Pension Benefit - 2
City Manager - 1
Code Compliance - 1
Economic Development - 1
Emergency Management - 1
Human Resources - 1
Organizational Development - 1
Public Safety - 1
Tourism and Culture Development - 1
e. Two accounts belong to unknown users.
Recommendation(s):
• The OIG Auditor sent an email to the current City Risk Manager recommending
deactivation of all active access related to terminated employees and to determine
whether the two unknown users need system access. If not already completed,
any active accounts belonging to former employees should be promptly
deactivated.
• A documented process should be created to determine which employees need
access to Exigis and to ensure that the accounts of any individuals separated from
employment are timely deactivated.
• Risk Management Division staff should also examine, at least annually, the Exigis
system User Roles assigned to individuals to determine if any changes are needed
based on the current position and job duties.
City of Miami Beach Administration Response:
Comments are provided in their entirety following this report.
5. THE LACK OF A CENTRALIZED LISTING OF ALL CITY AGREEMENTS HINDERS
THE DETERMINATION OF THOSE REQUIRING INSURANCE COVERAGE.
The June 24, 2020, Virtual Commission Meeting Minutes state the following:
Commissioner Meiner explained that a resident reached out to him that
there were several City contracts that they could not find on the City's
website. They confirm that these were not online, and he thinks what
happened is that if there is a procurement contract, it will be on the website
under Procurement, but if not, it may be on the City Clerk if it came before
the City Commission. He also learned that the Administration does not
have to bring items before the City Commission if it is under a certain
threshold, so it would not be on the website. He suggested having one
repository for these items for transparency and to make it easy for
everyone. City Manager Morales added that Mark Taxis and Alex Denis
think it is a wonderful idea and are working on it.
As of August 9, 2023, the OIG Auditor determined that the City website does not include
all contracts/agreements, as it primarily lists those that went through the procurement
process. Failure to maintain a complete listing of all City contracts/agreements, among
other shortcomings, makes it difficult to identify those requiring insurance and whether
sufficient coverage is maintained. Further complicating matters, the OIG Auditor had
difficulty locating existing City contracts/agreements, as some were found in Laserfiche²,
some were in the Munis system Contract Module, some were on the Procurement website,
and some departments/divisions maintained copies of its contracts in files stored on the
City network drive (F Drive) that can only be accessed by its employees.
Recommendation(s):
The City Manager or her designee should create and adopt a Citywide procedure requiring
departments and divisions to provide copies of all contracts/agreements to the
Procurement Department, including those that did not go through the established
procurement process. Once received, each contract/agreement should be uploaded to the
City website to centralize the related information and to facilitate identification.
City of Miami Beach Administration Response:
Comments are provided in their entirety following this report.
6. UNCERTAINTY EXISTS IN IDENTIFYING CITY STAFF RESPONSIBLE FOR THE
EXIGIS RISKWORKS SOFTWARE ADMINISTRATION INCLUDING OWNERSHIP OF
THE DATA.
During the examination of the Exigis RiskWorks software usage within the City's
operations, the OIG Auditor could not identify the City staff member responsible for the
Exigis software, including ownership³ of the data contained within it. This uncertainty
regarding data ownership may cause inefficiencies in software management,
accountability, maintenance, and decision-making processes, and can potentially lead to
challenges in addressing and rectifying inaccuracies present in the data.
2. Laserfiche is a Software as a Service (SaaS) provider of enterprise content management and business automation
(www.laserfiche.com).
3. This refers to the concept of identifying and assigning responsibility for the control, management, and
accountability of data within an organization or system. As defined in the Federal Information System Controls
Audit Manual (FISCAM), an Owner is a manager or director who has responsibility for a computer resource, such
as a data file or application program.
Tracking tools, such as Exigis, must be accompanied by a process in which its data is
regularly reviewed, and any identified deficiencies are promptly corrected. Inquiries with
various City and Exigis staff by the OIG Auditor, as well as an overview of the duties
performed, resulted in uncertainty regarding the responsible party for the accuracy of the
existing Exigis data and correction of the deficiencies identified in this audit report.
As the Risk Management Division has limited staff, the Procurement Department provided
needed assistance concerning the Insurance Certificate Tracking System process, as its
employees have been performing many related tasks. Despite the associated benefits, it
has resulted in some confusion regarding the responsibilities of each and accountability
for some deficiencies identified in this audit report.
For example, several Procurement Department employees create vendor profiles in Exigis
for City contracts/agreements that went through a competitive solicitation process after
the 2018 initial setup and others below the bid threshold approved by the City Manager.
These employees also annually evaluate the performance of Exigis and recommend the
renewal of the contract through the completion of the vendor evaluation form. They also
negotiated the new rate and requested Exigis staff to update the insurance requirement
types.
Furthermore, the questioned Exigis Account Manager informed the OIG Auditor that her
primary City contact person was a Procurement Department employee. Although
Procurement Department employees appear to the OIG to perform many of the system
administrator duties, questioned department management responded that they didn't see
themselves as the Exigis system administrators.
Conversely, Risk Management Division staff members informed the OIG Auditor that they
were not the system administrators, as they did not create vendor profiles or follow-up on
non-compliant vendors. However, the OIG contends that Risk Management Division
employees are the City's insurance experts, and, at a minimum, need to examine vendor
profiles and make any needed corrections so that Exigis is determining compliance based
on the proper parameters.
Recommendation(s):
The City Manager or her designee should implement an oversight process to monitor the
data within the Insurance Certificate Tracking System, including determining the
corresponding data owner and the duties of each involved department/division, to help
establish accountability and prevent the deficiencies noted in this report from reoccurring.
Otherwise, all the anticipated benefits of contracting with Exigis may not be realized and
the associated City funds may not be well spent.
City of Miami Beach Administration Response:
Comments are provided in their entirety following this report.
7. NO EVIDENCE WAS PROVIDED OF A DOCUMENTED STANDARD OPERATING
PROCEDURE CONCERNING EVALUATING VENDOR-MAINTAINED INSURANCE
COVERAGE, SETTING INSURANCE PARAMETERS, AND FOLLOW-UP OF NON-
COMPLIANT RESULTS.
No evidence was provided to the OIG Auditor indicating the existence and approval of
documented Standard Operating Procedures (SOPs) to provide staff with guidance
regarding insurance certificates process review, including the following:
• Risk Management Minimum Insurance Requirements are satisfied when creating
a new contract/agreement or amending an existing contract/agreement.
• Creation of vendors in Exigis to ensure parameters aligned with the
contract/agreement.
• Proper and complete annual COI documents have been provided by the vendors
to Exigis.
• Process to inform the City Risk Management Division of non-compliant vendors.
• Establish accountability for City departments/divisions that do not routinely check
Exigis to determine the compliance of its vendors.
• Penalties and/or other disciplinary actions are enforced against non-compliant
vendors as authorized by the executed contract/agreement.
Recommendation(s):
The City Administration or its designee should develop and document an oversight
process to better ensure compliance with insurance requirements included in
contracts/agreements and to timely follow-up on non-compliant vendors or be subject to
potential disciplinary actions.
City of Miami Beach Administration Response:
Comments are provided in their entirety following this report.
All management responses received pursuant to City Code Section 2-256(h) are attached to this
final report.
OIG NOTE RE: ADMINISTRATION RESPONSE TO INSURANCE CERTIFICATE TRACKING
SYSTEM PROCESS DRAFT REPORT
The OIG Auditor conducted both an in-person meeting and several phone conversations
during the audit process with the City Risk Management Division Director (RMDD) to
discuss and analyze each deficiency outlined in the findings. A consensus was reached as
to the validity of each deficiency. Furthermore, on September 25, 2023, the OIG proactively
sent the draft report to the RMDD for his advance review and to capture any preliminary
insights or needed corrections. On September 29, 2023, the OIG received an email from
the RMDD stating, "I have reviewed it {the draft report} and there are no changes." With this
confirmation from the City's insurance expert regarding the accuracy of its contents, the
OIG then distributed the draft report to all auditees. All evidence furnished by the City
Administration to refute the identified deficiencies in this audit report, including its
responses, are provided below in their entirety.
It is concerning to the OIG that some responses now provided by the City Administration in
relation to the audit findings seem to downplay or deny the existence of identified
deficiencies, which might mislead readers about their importance. Moreover, some of the
auditee responses contradict the information previously verified on multiple occasions with
the RMDD. One purpose of audit findings is to highlight areas that require attention and
improvement, and it is disconcerting to receive responses at this late date that attempt to
diminish or dismiss these concerns without furnishing sufficient evidence or implementing
corrective action.
This behavior lengthens the audit process, is confusing to the reader, and does not
appropriately address the importance or correction of the identified deficiencies, thereby
diminishing the value of the audit. It is important to note that the OIG can only make
recommendations based on known information, and that management, not the OIG, is
responsible for the establishment of internal controls and any implemented corrective
actions.
The OIG recognizes that it may not be pleasant to point out deficiencies in need of
improvement. The provided auditee responses should either state that management is
willing to accept the associated risks and not implement corrective action or it should offer
a procedure or methodology to rectify the identified issues to contribute to the audit's overall
effectiveness and to foster accountability and continuous improvement. It should not
introduce new evidence that has not been evaluated and is contrary to prior decisions
reached by the City's related subject matter experts who have been consulted with, and
agreed with the findings, at various times during the audit process. It is in the City's and its
residents' best interest for all parties to prospectively work together to ensure that all
deficiencies are appropriately addressed and resolved.
Respectfully submitted,
Deputy Chief Auditor
cc: Alina T. Hudak, City Manager
Eric Carpenter, Deputy City Manager
Mark Taxis, Assistant City Manager
Rickelle Williams, Assistant City Manager
Marla Alpizar, Human Resources Department Director
Sonia Walthour, Human Resources Department Assistant Director
Marc Chevalier, Risk Manager
Alex Denis, Chief Procurement Officer
Frank Amelio, Controller, Exigis, LLC
OFFICE OF THE INSPECTOR GENERAL City of Miami Beach
1130 Washington Avenue, 6th Floor, Miami Beach, FL 33139
Tel: 305.673.7020 • Hotline: 786.897.1111
Email: CityofMiamiBeachOIG@miamibeachfl.gov
Website: www.mbinspectorgeneral.com
Exhibit 1
INSURANCE REQUIREMENTS GUIDELINES
[Table not recoverable from the scanned page. Row groups: Types of Contracts/Agreements, Types of Activities, Value of Contract, Requirement Type, Additional Notes. Legible column headings include One-time purchases of Goods under $100K; General Services, Goods & Maintenance; Professional Services (non-Construction); Construction.]
City of Miami Beach, 1700 Convention Center Drive, Miami Beach, Florida 33139,
www.miamibeachfl.gov Tel: 305-673-7000
TO: Joseph M. Centorino, Inspector General
FROM: City of Miami Beach Administration
(Human Resources Department – Risk Management Division &
Procurement Department)
DATE: November 9, 2023
IN RESPONSE TO: OIG draft report: Insurance Certificate Tracking System Process
Review
1. MISALIGNMENT BETWEEN EXIGIS SYSTEM PARAMETERS AND
INSURANCE REQUIREMENTS IN 20 of 21 OIG SAMPLED
CONTRACTS/AGREEMENTS.
OIG Recommendation(s):
The above deficiencies related to the profile of the 20 sampled Exigis vendors with
noncompliant insurance parameters should be revised by City staff to mirror the
insurance requirements of the associated contracts/agreements. Given the high
percentage of sampled contracts/agreements containing deficiencies (20/21 =
95.24%), the OIG strongly recommends that Risk Management Division staff review
all other City contracts/agreements, including those executed prospectively, to
determine whether the listed insurance parameters are sufficient. If deficient, the
necessary corrections should be promptly made.
It is also recommended that the Risk Management Division develop an alternate
procedure for any contract/agreement with an insurance requirement not verified by
Exigis (e.g., Business Interruption insurance) to determine whether pertinent
vendors are compliant through an Umbrella Package or another policy.
City of Miami Beach Administration Response:
For a response on each item identified as a deficiency, see Attachment A.
There are approximately 1,800 contracts being monitored for insurance compliance
in the EXIGIS system with varying insurance requirements that may or may not have
been recommended by Risk Management. There are occasions when changes to the
insurance requirements are recommended and approved by Risk Management.
This could be a result of the scope of services and potential risk of loss not being fully
understood or known prior to contracts being executed, or because the incorrect
insurance requirements were included in an agreement, or the vendor/contractor is
unable to obtain the required limit or specific coverage. With the limited staffing in
Risk Management, we make every effort to assist departments with the appropriate
insurance requirements prior to agreements being executed. Additionally, the Risk
Management staff works closely with the EXIGIS staff to communicate any changes
in the insurance requirements so that their System can accurately reflect what
coverage and limits need to be monitored for each agreement. Prospectively, Risk
Management continues to update the Insurance Requirement Guide for boilerplate
coverage, limits and language for the various goods and services procured by the
City. This past year, we added an additional staff member to the Risk Management
team that supports City departmental procurement liaisons with the review of
insurance certificates for those agreements not included in EXIGIS.
OIG Response:
While performing testing and analysis during the fieldwork stage of this audit, the
Exigis Account Manager identified a Procurement Department analyst as its City
contact person and the City employee most actively involved in its insurance related
matters. The OIG contends that Risk Management Division employees are the City’s
insurance experts, not Procurement Department staff, so it positively views the City
Administration's decision to designate the Risk Management Division as its primary
liaison with Exigis staff.
2. MINIMUM INSURANCE COVERAGE REQUIRED BY RISK MANAGEMENT WAS
NOT SATISFIED BY INSURANCE PROVISIONS IN SOME TESTED
CONTRACTS/AGREEMENTS.
OIG Recommendation(s):
The Risk Management Minimum Insurance Requirements, the insurance provisions
in the executed contracts/agreements, and the parameters in the Exigis system
should be aligned. Furthermore, the vendor-maintained insurance coverage should,
at a minimum, satisfy the stated requirements during the terms of the
contracts/agreements. If not, the City's related risk exposure is increased.
Risk Management Division staff should be required to approve the form of all future
contracts/agreements in the approval queue before their execution to verify the
alignment of the stated terms with the required insurance coverage. Also, the City
should contact associated vendors to try to amend any existing
contracts/agreements containing materially deficient insurance coverage provisions.
City of Miami Beach Administration Response:
Although general liability for third-party bodily injury and property claims, workers'
compensation claims and professional liability claims are a standard requirement in
most agreements, it is ultimately the responsibility of the vendors/contractors to hold
the City harmless in all claims regardless of insurance being in place. Any and all
claims presented to the City that are the result of contractual goods and services
procured from the vendor/contractor are tendered for handling pursuant to the
Indemnification Clause that is included in every City agreement, as well as purchase
orders for goods that may not require an agreement.
OIG Response:
Regardless of whose responsibility it is to hold the City harmless in all claims and
the insurance provisions in place, the OIG maintains one of the most effective ways
to ensure that it occurs is to include the related terms in all, not just most, prospective
executed contracts/agreements.
3. NO DOCUMENTED METHODOLOGY OR PROCESS HAS BEEN FOLLOWED TO
CONFIRM THAT VENDORS MAINTAIN THE REQUIRED INSURANCE
COVERAGE THROUGHOUT THE TERM OF THEIR
CONTRACTS/AGREEMENTS.
OIG Recommendation(s):
Risk Management Division staff should document a methodology or process to
determine whether each approved vendor insurance policy continues to satisfy the
designated requirements during the remaining term of the contract/agreement. At a
minimum, Risk Management Division staff should periodically examine the vendor's
insurance coverage and document the results. Vendors should be promptly notified
of any identified deficiencies, and available disciplinary actions should be enforced
against repetitive noncompliant vendors or those entities that do not timely correct
the identified deficiency.
City of Miami Beach Administration Response:
There is a documented process for the agreements monitored by EXIGIS, and the
Risk Management staff is in constant communication with EXIGIS whenever a
modification has been made to the insurance requirements so that the System may
reflect the updated requirement. The Risk Management Division also has a Standard
of Operating Procedure (SOP) for monitoring (see Attachment B).
OIG Response:
The SOP outlined in Attachment B is dated 9/30/2023, at which time fieldwork was
being concluded, and after the SOP had been verbally requested by the OIG
Auditor. It is important to note that this SOP appears to be pending approval, as the
provided version is unsigned, raising some concerns whether it has been
implemented. Moreover, the provided SOP does not include a process for verifying
that each approved vendor's insurance policy continues to meet the required
standards in the contract/agreement throughout its term.
4. OUTDATED EXIGIS USER LIST WITH UNREVOKED SYSTEM ACCESS FOR
81 TERMINATED EMPLOYEES AS OF NOVEMBER 3, 2022.
OIG Recommendation(s):
• The OIG Auditor sent an email to the current City Risk Manager
recommending deactivation of all active access related to terminated
employees and to determine whether the two unknown users need system
access. If not already completed, any active accounts belonging to former
employees should be promptly deactivated.
• A documented process should be created to determine which employees
need access to Exigis and to ensure that the accounts of any individuals
separated from employment are timely deactivated.
• Risk Management Division staff should also examine, at least annually, the
Exigis system User Roles assigned to individuals to determine if any changes
are needed based on the current position and job duties.
City of Miami Beach Administration Response:
All inactive users in the EXIGIS system are automatically inactivated and not able
to access the System without a valid City-issued email account. Roles and access
to the EXIGIS system are updated by the City's administrator (Risk Manager) on an
as-needed basis (See Attachment B).
OIG Response:
Following notification from the OIG Auditor, the Risk Management Division team
started terminating active access for former employees. Staff’s prompt actions to
resolve this deficiency are acknowledged and appreciated.
Despite the claims in the above City Administration response, documented and
factual evidence has not been provided to the OIG to ensure that an employee,
whose access to the City network has been revoked, is prevented from accessing
the Exigis system. Exigis is managed through a web interface that is not linked to
the City's Active Directory and thus uses a different username and password from
the ones used to access the City's network. The absence of a clear link to the City's
Active Directory raises questions about whether revoking network access for
former employees actually restricts their access to Exigis.
The unsigned new SOP provided in Attachment B addresses this issue only in the
following section: "Risk Management is the liaison between the insurance tracking
services vendor and the City. The role is to make sure the vendor is responding
timely to department users, assigning and deactivating City users, answering any
inquiries regarding deviation from insurance requirements, and other duties as
necessary."
It lacks comprehensive guidance on crucial aspects of the procedure, such as
determining access to the Insurance Tracking System, specifying the type of access
permissible, outlining the process for access requests, designating approval
authorities, and delineating the steps to be taken at the time of employee
termination. To address these matters, the OIG recommends thoroughly examining
and amending the SOP to include explicit guidance for employees on these and
other important aspects of the policy. If followed thereafter by City staff, this
enhancement will contribute to the overall effectiveness of the City’s access
management processes.
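The user-list comparison described in Finding 4 can be repeated as a periodic access review. The Python below is an added example, not part of the OIG report or of Exigis; the CSV column names, the use of e-mail as the matching key, and the sample rows are constructed assumptions, and only the three role names come from the report.

```python
import csv
import io
from collections import Counter

# Constructed sample export of application users (column names are assumptions,
# not the actual Exigis Users Report layout).
APP_USERS_CSV = """email,role,department
a.admin@example.gov,Admin Access,Human Resources
b.buyer@example.gov,Compliance Administrator,Procurement
c.clerk@example.gov,View Only Access,City Clerk
d.gone@example.gov,Compliance Administrator,Public Works
e.left@example.gov,View Only Access,Public Works
mystery1@example.org,View Only Access,
"""

# Constructed sample HR roster as of the review date.
HR_ROSTER_CSV = """email,status,separation_date
a.admin@example.gov,active,
b.buyer@example.gov,active,
c.clerk@example.gov,active,
d.gone@example.gov,terminated,2022-06-30
e.left@example.gov,terminated,2022-09-15
"""

# Roles the report describes as able to change data in the portal.
WRITE_ROLES = {"Admin Access", "Compliance Administrator"}


def load(text):
    """Parse CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(app_users, hr_roster):
    """Classify every application account against the HR roster.

    An account is 'employed', 'terminated', or 'unknown' (no HR record at all).
    """
    hr = {row["email"].strip().lower(): row for row in hr_roster}
    findings = []
    for user in app_users:
        key = user["email"].strip().lower()
        record = hr.get(key)
        if record is None:
            status = "unknown"
        elif record["status"].strip().lower() == "active":
            status = "employed"
        else:
            status = "terminated"
        findings.append({
            "email": key,
            "role": user["role"],
            "department": user["department"] or "(none)",
            "status": status,
            "can_modify": user["role"] in WRITE_ROLES,
            "separation_date": (record or {}).get("separation_date") or None,
        })
    return findings


def summarize(findings):
    """Build the review output: who to deactivate, who to investigate, and counts."""
    to_deactivate = [f for f in findings if f["status"] == "terminated"]
    to_investigate = [f for f in findings if f["status"] == "unknown"]
    # Highest risk first: terminated accounts that can still change data.
    to_deactivate.sort(key=lambda f: (not f["can_modify"], f["email"]))
    return {
        "deactivate": to_deactivate,
        "investigate": to_investigate,
        "terminated_by_department": Counter(
            f["department"] for f in to_deactivate
        ).most_common(),
        "roles": Counter(f["role"] for f in findings),
    }


def run_review(app_csv=APP_USERS_CSV, hr_csv=HR_ROSTER_CSV):
    """Run the whole review on CSV text and return the summary."""
    return summarize(reconcile(load(app_csv), load(hr_csv)))


if __name__ == "__main__":
    result = run_review()
    for f in result["deactivate"]:
        print("DEACTIVATE ", f["email"], f["role"], f["separation_date"])
    for f in result["investigate"]:
        print("INVESTIGATE", f["email"], f["role"])
    print("Terminated by department:", result["terminated_by_department"])
    print("Accounts per role:", dict(result["roles"]))
```

Because the application keeps its own credentials rather than using the City's directory, the output of such a review is the record that a separated employee's account was actually found and deactivated.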
5. THE LACK OF A CENTRALIZED LISTING OF ALL CITY AGREEMENTS HINDERS
THE DETERMINATION OF THOSE REQUIRING INSURANCE COVERAGE.
OIG Recommendation(s):
The City Manager or her designee should create and adopt a Citywide procedure
requiring departments and divisions to provide copies of all contracts/agreements to
the Procurement Department, including those that did not go through the established
procurement process. Once received, each contract/agreement should be uploaded to
the City website to centralize the related information and to facilitate identification.
City of Miami Beach Administration Response:
All contracts awarded by the Procurement Department are available at the following
link: Home Page - Awarded Contracts (miamibeachfl.gov), or directly at
https://apps.miamibeachfl.gov/ContractAwards/.
Department-generated contracts are not entered into EXIGIS as the majority are low
dollar value with terms of less than one (1) year. City departments have been provided
an insurance matrix (See Attachment C) that provides guidance on the appropriate
level of insurance to be required. In cases where insurance is not required, the vendor
is obligated to indemnify the City.
OIG Response:
The above response does not appropriately address and resolve this finding, which
emphasizes the absence of a centralized repository for all executed City agreements,
not just those awarded through the procurement process. It is important to note that
the initial proposal by then Commissioner and current Mayor Meiner, while not
explicitly tied to the Insurance Tracking System, underscores the need for a unified
platform to enhance transparency and accessibility for all stakeholders.
6. UNCERTAINTY EXISTS IN IDENTIFYING CITY STAFF RESPONSIBLE FOR THE
EXIGIS RISKWORKS SOFTWARE ADMINISTRATION INCLUDING
OWNERSHIP OF THE DATA.
OIG Recommendation(s):
The City Manager or her designee should implement an oversight process to monitor
the data within the Insurance Certificate Tracking System, including determining the
corresponding data owner and the duties of each involved department/division, to
help establish accountability and prevent the deficiencies noted in this report from
reoccurring. Otherwise, all the anticipated benefits of contracting with Exigis may
not be realized and the associated City funds may not be well spent.
City of Miami Beach Administration Response:
Risk Management is the dedicated liaison between EXIGIS and the City. The
Procurement Department plays an integral role in the services provided by EXIGIS,
as most agreements being monitored are executed via the Procurement process.
All contracts that are monitored by EXIGIS are entered by City staff. The services
provided by EXIGIS include notifying vendors 30 days before the expiration of their
insurance coverage(s) and notifying vendors of deficiencies in their submitted
certificates of insurance. Every week, a delinquency report is generated by the
Procurement Department and distributed to departmental procurement liaisons, as
well as senior management. Additionally, delinquent vendors are placed on a
payment hold in MUNIS until they are compliant with their insurance requirements.
No requisitions or change orders may be processed while a vendor is noncompliant.
Although department-generated contracts are not entered into EXIGIS, the
departmental liaisons are responsible for using the insurance guide to insert the
proper requirements in the contracts, or, if insurance is not required, then the vendor
is obligated to indemnify the City via the purchase order issued for the goods and
services rendered.
OIG Response:
As mentioned in the OIG Response related to finding #1, the OIG supports the City
Administration's decision to designate the Risk Management Division as its primary
liaison with Exigis staff.
The OIG Auditor was aware of the weekly courtesy emails sent by the Procurement
Department to all the City Departments with the Exigis - Insurance Non-Compliance
Report related to the Agreements under the Procurement Organizational Unit.
However, the OIG is concerned that this delinquency report lacks the inclusion of
agreements related to other City operations which do not go through the
procurement process, such as those involving Parks and Recreation, Beachfront
Concessions, and Tenants Organizational Units. The existence of a procedure to
monitor insurance non-compliance related to units outside of those included in the
Procurement Organizational Unit remains unknown.
In addition, the City Administration response addresses non-compliant vendors in
which the City may opt not to process requisitions or change orders, as it remits
payments to the associated vendors. However, there are some contracts in which
entities remit monies to the City and the above City Administration response does
not include any disciplinary or corrective actions related to entities' noncompliance
in these scenarios.
7. NO EVIDENCE WAS PROVIDED OF A DOCUMENTED STANDARD
OPERATING PROCEDURE CONCERNING THE EVALUATION OF VENDOR-
MAINTAINED INSURANCE COVERAGE, THE SETTING OF INSURANCE
PARAMETERS, AND FOLLOW-UP ON NONCOMPLIANT RESULTS.
OIG Recommendation(s):
The City Administration or its designee should develop and document an oversight
process to better ensure compliance with insurance requirements included in
contracts/agreements and to timely follow-up on noncompliant vendors or be subject
to potential disciplinary actions.
City of Miami Beach Administration Response:
Risk Management has a Standard of Operating Procedure (SOP) for insurance
tracking processes and recently updated it to reflect the use of EXIGIS, the third-
party vendor that does most tracking of certificates of insurance.
OIG Response:
The SOP outlined in Attachment B is dated 9/30/2023, after the completion of
fieldwork and verbal requests for the document from the OIG Auditor. It is important
to note that the SOP appears to be pending approval, as the provided version is
unsigned, raising some concerns about whether it has been implemented, and its
terms followed.
ENCLOSED ATTACHMENTS
1. ATTACHMENT A – City of Miami Beach Administration Response to Contracts
Identified as Deficient in Finding 1
2. ATTACHMENT B – Risk Management SOP for Exigis
3. ATTACHMENT C – Insurance Guidelines Matrix
ATTACHMENT A:
City of Miami Beach Administration Response to Contracts Identified as Deficient in Finding 1
*** Please note that the comments below in blue are from the City of Miami Beach Administration ("The
Administration") in response to the findings originally published by the OIG.
1. 305 Consulting Engineers, LLC – Procurement - Public Works Administration -
Exigis evaluation #1184981 The Administration has understood that the comments
comingle two separate evaluations and have made the following assumptions based on
the contracts below.
• Exigis parameters are not aligned with the contract/agreement (#18-141-02):
- The Commercial General Liability Insurance parameter is
$500,000, but the Commercial General Liability required in the
contract/agreement is not less than $1,000,000.
Correct for 18-141-02, the Exigis evaluation reflects the solicitation
insurance requirement as approved by HR Risk Management. The
agreement has a scrivener's error and did not reflect the correct
requirements as approved in the solicitation. The Contractor was never
assigned any work under this agreement. The agreement has been
replaced by a new contract and is closed in Munis.
OIG Response: While the OIG Auditor understands that, according to the City
Administration’s response, no specific tasks were assigned under this agreement, it is
important to note that there remains a need for effective control measures. It is
recommended that Risk Management Division employees prospectively evaluate the
alignment of all Exigis parameters with related contract terms to timely identify and correct
any observed deficiencies, including scrivener errors which also occurred in #2 and #19.
- The Automobile Liability insurance coverage parameter is $100,000,
but the Automobile Liability required in the contract/agreement is
$500,000.
On 11/20/2019, the vendor requested to waive the automobile coverage
because 305 Consulting Engineers, LLC does not own or lease any
vehicle and therefore requested to be exempted from Owned Auto
coverage. Emails attached of waiver for 18-141-02.
OIG Response: Despite being informed of the related deficiency in Automobile Liability
coverage at multiple times during the audit process, the City Administration did not make
its contrary claims known to the OIG until the expiration of the 30-working day period
granted by Ordinance No. 2019-4239. Regardless of the lateness of its response, the
effect of which delays and hinders the audit process, the City Administration has not
provided the OIG Auditor with any evidence substantiating its claims prior to the issuance
of this report.
- There is no evidence of waiver for the changes in coverage. Incorrect; see
above.
- There are two contracts/agreements, but Exigis evaluated only
agreement #18-141-02. Correct.
No Exigis evaluation for Contract #20-096-02
Starting this new Agreement for A&E's, the Consultant was given two
choices. Option A – Consultant(s) may submit an insurance certificate with
the maximum limits covering all work under CCNA. These evaluation types
are created in Exigis. Option B – Insurance requirements may be
determined on a project-by-project basis at the time of the CSO. This was
created to accommodate a project with a small scope, and the insurance
requirements are excessive and place unnecessary expenses on the
consultant. In these cases, the insurance requirements and the COIs are
kept in the requisition process. See the Award memo attached.
OIG Response: Despite being informed of this deficiency at multiple times during the audit
process, the City Administration did not make its contrary claims known to the OIG until the
expiration of the 30-working day period granted by Ordinance No. 2019-4239. Regardless of
the lateness of its response, the effect of which delays and hinders the audit process, the City
Administration has not provided the OIG Auditor with any evidence substantiating its claims
prior to the issuance of this report.
- Agreement #20-096-02 for Professional Architectural and Engineering
Services in Specialized Categories "As-Needed" pursuant to a request for
Qualifications discipline: Structural Engineering was not evaluated for
compliance in Exigis 20-096-02 for 305 Engineering because the insurance
requirements were determined for the Service Order Only contract profiles
are created in Exigis. Article 11 of agreement #20-096-02 stated that
insurance requirements will be determined on a project-by-project basis at
the time of Consultant Service Order "CSO." The OIG Auditor searched the
Munis system, the City enterprise resource planning system, and did not find the
CSO; instead, it found Option A - Professional services (non-construction) and
Option B - Professional services (non-construction) insurance requirements.
- In these occasions, the department and Consultant chose Option B, which
means that pursuant to "Article 11 Insurance" of the solicitation one time
services or purchases are not entered in Exigis, as recommended by Risk
Management. See the following CSO Attachments in the Purchase Order
Module linked to Contract 20-096-02 in Munis, which fall under the delegated
authority category in PO 16.02 Competitive Requirements in the Acquisition
of Goods and Services. Procurement only reviews requisitions over $15,000
or $25,000 (as applicable), and these requests did not go through the
Procurement workflow in Munis.
• PO # 20233442 – $8,906.00 (Facilities & Fleet)
• PO # 20233443 - $11,070.00 (Facilities & Fleet)
• PO # 20240572 - $10,041.00 (Facilities & Fleet)
OIG Response: Despite being informed of this deficiency at multiple times during the audit
process, the City Administration did not make its contrary claims known to the OIG until the
expiration of the 30-working day period granted by Ordinance No. 2019-4239. Regardless of
the lateness of its response, the effect of which delays and hinders the audit process, the City
Administration has not provided the OIG Auditor with any evidence substantiating the
existence of the specified CSO attachments prior to the issuance of this report. In instances
where one-time services or purchases are not recorded in the Exigis system, as per Risk
Management Division recommendations, it is essential to delineate the responsible party for
monitoring and ensuring compliance with the CSOs. In addition, the provided SOP lacks a
defined process for addressing these specific cases.
2. 3FM Engineering, Inc. - Procurement - Public Works Administration - Exigis evaluation
#112875
• Exigis parameters are not aligned with the contract/agreement:
- The Commercial General Liability Insurance parameter is
$500,000, but the Commercial General Liability required in the
contract/agreement is not less than $1,000,000. The Automobile Liability
insurance coverage parameter is $100,000, but the Automobile Liability
required in the contract/agreement is $500,000. There was no evidence
of a waiver for the change in coverage. Exigis parameters were aligned
with Appendix D instead of the contract/agreement. The
contract/agreement is not aligned with Appendix D of the RFQ-2018-141-ND.
Correct for 18-141-05, the Exigis evaluation reflects the solicitation
insurance requirement as approved by HR Risk Management. The
agreement has a scrivener's error and did not reflect the correct
requirements as approved in the solicitation. The agreement has been
replaced by a new contract and is "pending to close" in Munis.
OIG Response: While the OIG understands that, according to the City Administration
response, a scrivener’s error may have occurred (similar response in #1 and #19), it was
not identified and/or corrected during the term of the prior agreement. It is recommended
that Risk Management Division employees prospectively evaluate the alignment of all
Exigis parameters with related contract terms to timely identify and correct any observed
deficiencies, including scrivener’s errors.
3. Smith and Wollensky (Concession) - Tenant - Various - Exigis evaluation #27832
• Exigis parameters are not aligned with the contract/agreement:
The parameters do not include Business Interruption insurance as
required in the contract/agreement; however, the Exigis Agreement does
not include verification of the Business Interruption parameter.
Consequently, the scope of the Exigis Agreement may have to be
expanded to include Business Interruption insurance and other similar
types of insurance coverage.
There is an additional certificate of insurance for Business Interruption
coverage in EXIGIS.
4. Smith and Wollensky (Lease) – Tenant - Various - Exigis evaluation #101372
• Exigis parameters are not aligned with the contract/agreement:
- The parameters do not include Business Interruption insurance as
required in the contract/agreement; however, the Exigis Agreement does
not include verification of the Business Interruption parameter.
Consequently, the scope of the Exigis Agreement may have to be
expanded to include Business Interruption insurance and other similar
types of insurance coverage.
- The Commercial Liability parameter per occurrence is $1,000,000, but
the contract/agreement requires no less than $2,000,000. There is an
additional certificate of insurance for the Business Interruption coverage.
Furthermore, the vendor in this case possesses excess coverage that
exceeds the requirements specified in the agreement.
5. Benevate Inc. – Procurement - Capital Improvement Program - Exigis evaluation
#107065 for Agreement 20-131-01
• Exigis parameters are not aligned with the contract/agreement.
- The parameters do not include the required Cyber Liability insurance
provision in the contract/agreement. This is incorrect. The insurance
requirement is in Section 9 of the SAAS Service Agreement. See
attached.
OIG Response: Despite being informed of this deficiency at multiple times during the
audit process, the City Administration did not make its contrary claims known to the OIG
until the expiration of the 30-working day period granted by Ordinance No. 2019-4239.
Regardless of the lateness of its response, which delays and hinders the audit process,
the City Administration has not provided the OIG Auditor with any evidence substantiating
the existence of its claims prior to the issuance of this report. As confirmed on multiple
occasions with the City RMDD, Cyber Liability insurance is required pursuant to Section
9.1 of the related agreement, but it is not included in the vendor's parameters entered in
the Exigis system.
6. CDM Smith Inc. - Procurement - Capital Improvement Program - Exigis evaluation
#101392
• The contract/agreement stated that the insurance requirement would be
determined on a project-by-project basis at the time of the Consultant Service
Order.
• No related Consultant Service Orders were present in the related Exigis file,
making the OIG Auditor unable to determine whether the parameters in Exigis
were correct and whether the COI was compliant.
• The vendor might have different parameters (project by project), but there was
only one vendor profile on Exigis.
Starting this new Agreement for A&E's, the Consultant was given two choices.
Option A – Consultant(s) may submit an insurance certificate with the maximum
limits covering all work under CCNA. These evaluation types are created in
Exigis. Option B – Insurance requirements may be determined on a project-by-
project basis at the time of the CSO. This was created to accommodate a project
with a small scope, and the insurance requirements are excessive and place
unnecessary expenses on the consultant. In these cases, the insurance
requirements and the COIs are kept in the requisition process. See the Award
memo attached. See the following CSO Attachments in the Purchase Order
Module linked to Contract 20-096-16 in Munis.
• PO # 20221883 – $29,189.00 (Public Works)
OIG Response: Despite being informed of this deficiency at multiple times during the
audit process, the City Administration did not make its contrary claims known to the OIG
until the expiration of the 30-working day period granted by Ordinance No. 2019-4239.
Regardless of the lateness of its response, the effect of which delays and hinders the
audit process, the City Administration has not provided the OIG Auditor with any of the
claimed evidence refuting the identified deficiency prior to the issuance of this report.
7. Penrod (Concession) - Tenant - Various - Exigis evaluation #116301
• Exigis parameters are not aligned with the contract/agreement:
- The parameters do not include Liquor Liability insurance in the minimum
amount of $1,000,000 as required by the contract/agreement. OIG's
observation is accurate; this vendor lacks liquor liability coverage for both
agreements. However, it's essential to note that they do have excess
liability coverage amounting to $4 million.
8. Penrod (Restaurant) - Tenant - Various - Exigis evaluation #116303
• Exigis parameters are not aligned with the contract/agreement:
- The parameters do not include Liquor Liability and Property Damage
coverage, not less than $1,000,000, as the contract/agreement requires.
OIG's observation is accurate; this vendor lacks liquor liability coverage
for both agreements. However, it's essential to note that they do have
excess liability coverage amounting to $4 million.
9. Miami Beach Watersport Center, Inc. - Tenant - Various - Exigis evaluation #103481
• Exigis parameters are not aligned with the contract/agreement:
- The Commercial Liability Insurance parameter is $1,000,000 per
occurrence, but the aggregate Liability Insurance required in the
contract/agreement is $3,000,000.
- The parameters do not include Automobile Insurance coverage with no
less than $1,000,000 limits. The certificate of insurance demonstrates a
$5 million aggregate coverage, which exceeds the $3 million aggregate
coverage required in 2018. In 2019 and 2020, they meet the exact
coverage requirements.
10. Lincoln Place LLC - Tenant - Various - Exigis evaluation #79345
• Exigis parameters are not aligned with the contract/agreement:
- The parameter for Commercial General Liability is $1,000,000 per
occurrence, but the Liability Insurance requirement in the
contract/agreement is not less than $25,000,000 per occurrence.
- The parameters do not include Automobile Insurance coverage of
$25,000,000, Garage Keeper Liability of $5,000,000, Business
Interruption Liability of $100,000, and Proceeds of Casualty Insurance of
$1,000,000. The parameters do not include Business Interruption
insurance as required in the contract/agreement; however, the Exigis
Agreement does not include verification of the Business Interruption
parameter. Consequently, the scope of the Exigis Agreement may have
to be expanded to include Business Interruption insurance and other
similar types of insurance coverage, which may also impact the
corresponding fees due. The vendor has maintained the minimum
required commercial general liability coverage, along with
excess/umbrella coverage. Business Income coverage was provided on
a separate certificate of insurance. Garage Keeper Liability coverage
was absent. However, there is no exposure to the City since the vendor
holds umbrella coverage greater than the total liability coverage
requested.
11. AGC Electric Inc. - Procurement - Fleet Management - Exigis evaluation #116236
• The certification of contract/agreement stated that The contractor shall file
Insurance Certificates, as required, which must be signed by a Registered
Insurance Agent licensed in the State of Florida, and approved by the City of
Miami Beach Risk Manager, prior to delivery of supplies and/or commencement
of any service/work by Contractor. However, the OIG Auditor could not find
evidence in Exigis indicating advance approval by the City Risk Manager.
• The parameters were created based on ITB 2018-077-WG Appendix F's
insurance requirement.
• It was evaluated as compliant; however, the COI does not include Automobile
Liability.
Incorrect; check Exigis Evaluation 116236. The COI does indeed have
Automobile Liability coverage.
OIG Response: The OIG Auditor conducted both an in-person meeting and several phone
conversations during the audit process, whereby each deficiency outlined in the findings
was thoroughly discussed and analyzed with the City Risk Management Division Director
(RMDD). A consensus was reached as to the validity of each related finding. On
September 25, 2023, the OIG proactively sent the draft report to the RMDD for his advance
review and to capture any preliminary insights or needed corrections. On September 29,
2023, the OIG received an email from the RMDD stating, "I have reviewed it {the draft
report} and there are no changes." Based on this confirmation, the OIG proceeded to
distribute the draft report to all auditees.
12. AGC Electric Inc. - Procurement - Property Management - Exigis evaluation #116235
• The contract/agreement does not include insurance requirements.
• The parameters were created based on ITB 2018-124-WG Appendix F's
insurance requirement.
• It was evaluated as compliant; however, the COI does not include
Automobile Liability.
Incorrect; check Exigis Evaluation 116235. The COI does indeed have
Automobile Liability coverage.
OIG Response: The OIG Auditor conducted both an in-person meeting and several phone
conversations during the audit process, whereby each deficiency outlined in the findings
was thoroughly discussed and analyzed with the City Risk Management Division Director
(RMDD). A consensus was reached as to the validity of each related finding. On
September 25, 2023, the OIG proactively sent the draft report to the RMDD for his advance
review and to capture any preliminary insights or needed corrections. On September 29,
2023, the OIG received an email from the RMDD stating, "I have reviewed it {the draft
report} and there are no changes." Based on this confirmation, the OIG proceeded to
distribute the draft report to all auditees.
13. AGC Electric Inc. - Procurement - Public Works Streets Division - Exigis evaluation
#116234
• The OIG Auditor could not locate a contract/agreement; however, the
Procurement Department software has a Notice of Award of Contract Pursuant
to Bid (ITB) No. 2022-094-AY. The Notice of Award does not list insurance
requirements, so the parameters were created based on ITB 2022-094-AY
Appendix D insurance requirements.
• It was evaluated as compliant; however, the COI does not include Automobile
Liability or Installation Floater Insurance.
Incorrect; the agreement is available online and in Munis with the applicable
limits. The ITB stipulates, pursuant to Section 0200, Sub-Section 16, Binding
Contract, that the approval of the City Manager's recommendation by the Mayor
and City Commission shall constitute a binding Contract between the City and
the awarded bidder. Attached are the screenshots of Exigis and certificates with
the Automobile Liability and Installation Floater.
OIG Response: Despite being informed of this deficiency at multiple times during the
audit process, the City Administration did not make its contrary claims known to the OIG
until the expiration of the 30-working day period granted by Ordinance No. 2019-4239.
Regardless of the lateness of its response, the effect of which delays and hinders the
audit process, the City Administration has not provided the OIG Auditor with any of the
claimed evidence refuting the identified deficiency prior to the issuance of this report.
14. AGC Electric Inc. - Procurement - Property Management - Exigis evaluation #116233
• The certification of the contract/agreement states as follows: The contractor shall
file Insurance Certificates, as required, which must be signed by a Registered
Insurance Agent licensed in the State of Florida, and approved by the City of
Miami Beach Risk Manager, prior to delivery of supplies and/or commencement
of any service/work by Contractor. However, the OIG Auditor did not find
evidence indicating prior approval by the City Risk Manager in Exigis. The
parameters were created based on ITB 2019-011-ND Appendix F's insurance
requirements.
• It was evaluated as compliant; however, the COI does not include Automobile
Liability.
Incorrect; check Exigis Evaluation 116233. The COI does indeed have
Automobile Liability coverage.
OIG Response: The OIG Auditor conducted both an in-person meeting and several phone
conversations during the audit process, whereby each deficiency outlined in the findings
was thoroughly discussed and analyzed with the City Risk Management Division Director
(RMDD). A consensus was reached as to the validity of each related finding. On
September 25, 2023, the OIG proactively sent the draft report to the RMDD for his advance
review and to capture any preliminary insights or needed corrections. On September 29,
2023, the OIG received an email from the RMDD stating, "I have reviewed it {the draft
report} and there are no changes." Based on this confirmation, the OIG proceeded to
distribute the draft report to all auditees.
15. Beach Towing Services, Inc. – Other - Parking Administration - Exigis evaluation
#107084
• Exigis parameters are not aligned with the contract/agreement:
- The Garage Keeper Liability insurance parameter is $1,000,000 per
occurrence, but the aggregate required in the contract/agreement is
$2,000,000.
- The insurance coverage was evaluated as compliant; however, the COI
included less Garage Keeper Coverage than the contract/agreement
required. OIG's observation is accurate; the Garage Keeper Liability
insurance was lower than the amount specified in the agreement. Exigis
marked it as compliant because there is a waiver of insurance
requirements on 6/29/2020 and while it lacks specific information about
the type of coverage waived, this is likely why it was marked as compliant.
16. Young Musicians Unite, Inc. – Other - City Manager - Exigis evaluation #114990
• The contract/agreement is not aligned with the Risk Management Minimum
Insurance Requirements.
- The Exigis parameter selected was Type 2-2020; however, it should have
been Type 7B for professional services that only require professional
liability coverage.
- Although Worker's Compensation insurance should not have been
required for Type 7B, the executed contract/agreement requirement is
less than the State minimum requirement for workers' compensation for
more than four employees. A waiver approved by Risk Management
should be required for an entity with less than four employees.
This is a grant agreement, usually with a short term and such
agreements/contracts should not have been entered into Exigis.
OIG Response: The OIG Auditor conducted both an in-person meeting and several phone
conversations during the audit process, whereby each deficiency outlined in the findings
was thoroughly discussed and analyzed with the City Risk Management Division Director
(RMDD). A consensus was reached as to the validity of each related finding. On
September 25, 2023, the OIG proactively sent the draft report to the RMDD for his advance
review and to capture any preliminary insights or needed corrections. On September 29,
2023, the OIG received an email from the RMDD stating, "I have reviewed it {the draft
report} and there are no changes." Based on this confirmation, the OIG proceeded to
distribute the draft report to all auditees.
Regardless of whether the agreement/contract should have been entered into the Exigis
system, the grantee should always maintain the appropriate insurance coverage to satisfy
all designated criteria.
17. Greater Miami Convention & Visitor Bureau, Inc. – Other - Tourism and Culture
Development - Exigis evaluation #104728
• The contract/agreement is not aligned with the Type 7A minimum requirement:
- The Exigis parameter selected was Type 7; however, it should have been
Type 7A. Type 7 is for Professional Services (non-construction) >$100
- $1M (million), while Type 7A is for Professional Services (non-construction)
>$1M. Section 3.1 of the Agreement City's
Contribution/Fee/Funding stated that …The GMCVB shall be entitled to
receive an annual Incentive Fee, in an amount not to exceed
$2,000,000…
The vendor provides adequate insurance limits consistent with the
requirement.
OIG Response: The OIG Auditor conducted both an in-person meeting and several phone
conversations during the audit process, whereby each deficiency outlined in the findings
was thoroughly discussed and analyzed with the City Risk Management Division Director
(RMDD). A consensus was reached as to the validity of each related finding. On
September 25, 2023, the OIG proactively sent the draft report to the RMDD for his advance
review and to capture any preliminary insights or needed corrections. On September 29,
2023, the OIG received an email from the RMDD stating, "I have reviewed it {the draft
report} and there are no changes." Based on this confirmation, the OIG proceeded to
distribute the draft report to all auditees.
Regardless of whether the vendor maintains the appropriate insurance limits, the finding
focuses on the differences between the parameters in the Exigis system and the related
terms in the executed agreement. Without proper alignment between the two, the likelihood
is increased that associated vendors may not maintain the required insurance coverage.
18. Holocaust Memorial - Tenant - Various - Exigis evaluation #58129
• Exigis parameters are not aligned with the contract/agreement:
- The Commercial Liability Insurance parameter is $1,000,000, but the
aggregate Liability Insurance required in the contract/agreement is
$3,000,000.
The vendor in this case holds more liability coverage than we requested
and possesses excess/umbrella coverage.
OIG Response: The OIG Auditor conducted both an in-person meeting and several phone
conversations during the audit process, whereby each deficiency outlined in the findings
was thoroughly discussed and analyzed with the City Risk Management Division Director
(RMDD). A consensus was reached as to the validity of each related finding. Furthermore,
on September 25, 2023, the OIG proactively sent the draft report to the RMDD for his
advance review and to capture any preliminary insights or needed corrections. On
September 29, 2023, the OIG received an email from the RMDD stating, "I have reviewed
it {the draft report} and there are no changes." Based on this confirmation, the OIG
proceeded to distribute the draft report to all auditees.
Regardless of whether the vendor maintains the appropriate insurance limits, the finding
focuses on the differences between the parameters in the Exigis system and the related
terms in the executed agreement. Without proper alignment between the two, the likelihood
is increased that associated vendors may not maintain the required insurance coverage.
19. Infoquest Information Services, LTD - Procurement - Human Resources - Exigis
evaluation #110621
• Exigis parameters are not aligned with the contract/agreement:
- The parameter for Professional Liability insurance is $100,000, but the
contract/agreement requires $1,000,000.
Contract 2022-015-02 does require $1,000,000, and the vendor has
provided a $1,000,000 coverage as requested. The number in Exigis is
missing a zero inadvertently; however, the vendor is in compliance.
OIG Response: While the OIG understands that, according to the City Administration
response, a scrivener’s error may have occurred (similar response in #1 and #2 above), it
was not identified and/or corrected. Regardless of whether the vendor maintains the
appropriate insurance limits, the finding focuses on the differences between the
parameters in the Exigis system and the related terms in the executed agreement. Without
proper alignment between the two, the likelihood is increased that associated vendors may
not maintain the required insurance coverage. It is recommended that Risk Management
Division employees prospectively evaluate the alignment of all Exigis parameters with
related contract terms to timely identify and correct any observed deficiencies, including
scrivener’s errors.
20. Professional Course Management II LTD – Procurement - Parks and Recreation
- Exigis evaluation #115061
• Exigis parameters are not aligned with the contract/agreement:
- The parameters for Crime Liability do not specify an amount; however,
the contract/agreement requires $1,000,000. The parameters for the
Crime Liability are not specified in the Exigis profile for contract
18-186-01; however, the vendor provided the required coverage.
- The Commercial Liability Insurance parameter is $1,000,000, but the
aggregate Liability Insurance required in the contract/agreement is
$2,000,000. The Commercial General Liability is aligned with the
contract for $1,000,000.00, and the Certificate of Insurance complies.
OIG Response: Article 20 of the Agreement stated that the Commercial General Liability
Insurance on an occurrence basis, including products and completed operations, property
damage, bodily injury, and personal & advertising injury with limits of less than $1,000,000
per occurrence, and $2,000,000 general aggregate, but the Exigis parameters for this
agreement do not mention the $2,000,000 general aggregate.
ATTACHMENT B – Risk Management SOP for Exigis
MIAMIBEACH
HUMAN RESOURCES DEPARTMENT
STANDARD OPERATING PROCEDURE
DATE ISSUED: 9-30-2023
DATE UPDATED:
Page: 1 of 3
SEQUENCE NUMBER: N/A
SUBJECT: Insurance Compliance by Third Parties Conducting Business with City
RESPONSIBLE DIVISION: Risk Management
I. PURPOSE:
The Risk Management Office will establish and maintain insurance requirements for third
parties conducting business with the City by contract, resolution, or ordinance. It is critical
to make sure the correct insurance is required in each agreement, and that monitoring of
the insurance throughout the life of the agreements is maintained. This function is
necessary for transferring a potential loss away from the City.
II. SCOPE:
The Office of Risk Management will manage the insurance compliance function, including
the services provided by the third-party vendor to track the insurance coverage in
agreements. Currently, the insurance tracking services vendor is EXIGIS.
Risk Management is the liaison between the insurance tracking services vendor and the
City. The role is to make sure the vendor is responding timely to department users,
assigning and deactivating City users, answering any inquiries regarding deviation from
insurance requirements, and other duties as necessary.
Risk Management has developed a standard insurance requirement guideline (Exhibit "A")
that is provided to Procurement and all other departments for use when developing a
solicitation for goods and services. Departments can seek guidance from Risk
Management if they are not sure what insurance requirements to use in their solicitation.
Additionally, training sessions are held biannually with city departments on insurance
requirement monitoring.
III. PROCEDURE:
Procurement Agreements
The majority of agreements for the City which are competitively bid are managed by the
Procurement Department. Following are the steps once Procurement has received a
request to advertise a scope for goods and services on behalf of departments:
• Procurement will contact Risk Management after scope development for the
solicitation.
• Risk Management will provide Procurement with insurance requirements relevant
to the scope of work.
• Once the selection process is complete, and a contract executed, Procurement will
upload the agreement in the insurance tracking portal along with the corresponding
certificates of insurance for tracking by the vendor, currently EXIGIS.
• EXIGIS will notify vendors/contractors within 30 days before insurance
expirations.
• EXIGIS will advise via email vendors/contractors of any delinquency in renewal
certificates of insurance.
• EXIGIS will continue to follow up with vendors/contractors for 30 days after
expiration or failure to fix delinquency(ies).
• The Procurement Department will run an insurance delinquency report every
week and send it to the corresponding departmental procurement liaisons, and
the City's management team.
• The Procurement Department will place a hold in the MUNIS financial system to
block any pending payments to the vendor/contractor until the delinquency is
cured.
Permits
There are varying types of permits that are issued by the Public Works Department for
easements and right-of-way. Each permit has insurance requirements corresponding to
the type of work. Risk Management has developed a standard template of insurance
requirements for these permits.
The Public Works department is required to collect the appropriate insurance certificates
and keep a record of the valid certificates for the duration of the permit.
Special Events Permits
Special events permits are handled by the Department of Tourism and Culture for events
on public property such as the beach, a street, a park, and other properties requiring
special zoning exemptions. Insurance is required of all permittees and must be
submitted before any permit is issued. The coverage required is General Liability,
Workers' Compensation (if applicable), and Liquor Liability.
The Tourism and Culture department is required to collect the appropriate insurance
certificates and keep a record of the valid certificates for the duration of the permit.
Lease Agreements
Instead of tracking by the third-party vendor, EXIGIS, all executed lease agreements are
provided to the Risk Management Office for monitoring of the insurance requirements.
Risk Management will monitor the insurance requirements and report deficiencies through
the steps described below:
1. Obtain and document lease agreement terms, insurance requirements, and
responsible department representative.
2. Send reminder notice to lessee at least 30 days before insurance expiration.
3. Update the insurance log with the received renewal certificates.
4. Advise the lessee of any deficiencies.
5. Notify the responsible department representative of any delinquency that is not
resolved within 30 days of expiration or notice of deficiency.
Risk Manager Date
Assistant Director, Human Resources Date
Human Resources Director Date
Appendix:
Exhibit "A" – Insurance Requirement Guideline
Attachment C – Insurance Guidelines Matrix
INSURANCE REQUIREMENTS GUIDELINES
REQ. # N/A 1 2 3 4 5 6 7 8 9 10
TYPES OF CONTRACTS/AGREEMENTS
• One-time purchases of Goods under $100K (to include ICAs, PSAs, POs)
• General Services, Goods & Maintenance (Minor work)
• General Services, Goods & Maintenance
• Watercraft Repairs
• Towing & Automotive Repair
• Leases
• Hazardous Waste Removal (including Mold/Asbestos)
• Professional Services (non-Construction)
• Construction
• Construction w/Design Professional Services
• Construction w/o Design Professional Services
TYPES OF ACTIVITIES
• Maintenance and service contracts (not construction), including most routine maintenance such as janitorial service, movers, on-site equipment maintenance agreements, tree maintenance, and other general services.
• Purchase of parts, materials, small equipment; Pest Control; Garbage Pick-Up
• Elevator Repairs; Transportation Services; Armored Truck Services; Security
• Companies that make repairs of City boat & marine equipment
• Towing services and automotive repair of City vehicles and equipment
• For long term use of City-owned property and/or personal property & equipment
• Services for pickup, transportation, and disposal of Environmental risks, including mold abatement, asbestos, hazardous chemicals or waste, and nuclear risks.
• For all professional services (other than design), such as attorneys, accountants, medical professionals, insurance brokers, information technology professionals, etc.
• For Minor Public Works or CIP Projects - repair or remodeling work of facilities.
• For Public Works or CIP projects to include major remodeling of facilities. E&O coverage is required for the design portion of project. Usually a Design Build project
• For Public Works or CIP projects to include major remodeling of facilities. E&O coverage may be provided in a separate contract
VALUE OF CONTRACT
<$50K; >$50K; <$2M; For Concessions Only; >$2M; N/A; N/A; N/A; N/A; >$100K - $1M; >$1M; <$100K; $100K - $500K; $500K & Up; $100K - $500K; $500K & Up
REQUIREMENT TYPE
Type 1; Type 1B; Type 2; Type 2A; Type 2D; Type 3; Type 4; Type 5; Type 6; Type 7; Type 7A; Type 7B; Type 8; Type 9; Type 9A; Type 10
CGL $100K $300K $1M $1M $1M $2M $2M $1M $1M $1M $2M $1M $2M
AL $100K $300K $1M $1M $1M $1M $1M $1M $1M $1M $2M $1M $2M
WC STAT STAT STAT STAT STAT STAT STAT STAT STAT STAT STAT $1M $2M $1M $1M
UMB $4M $5M $10M $2M $10M
LIQ $1M
PL $1M $2M $1M $1M $1M
BLRK
• *REQ (Builders Risk or Installation Floater for project or material value)
• *REQ (Builders Risk or Installation Floater for project or material value)
• *REQ (Builders Risk for project or material value)
• *REQ (Builders Risk or Installation Floater for project or material value)
INSFL
PROP REQ*
GKL $1M $1M
POLL $1M $1M* $1M* $1M*
EMPL
CRIME
WTCFT $1M
ADDITIONAL NOTES
• Vendors shall be required to carry insurance that is applicable by law with regards to their profession but are not required to submit to Risk Management. Some vendors may be required to provide insurance in accordance with recommendations from Risk Management. (See attached guidelines) *ICA/PSA
• For general goods & services with a low loss exposure (contract value usually under $100K); Vendors providing equipment or supplies which do not require installation or maintenance by the vendor, only CGL required.
• For general goods & services with a medium to high loss exposure, including routine maintenance of facilities or grounds; $2M AGGREGATE FOR CGL. UMB required for Transportation Services. $1M LIQ required on Food & Beverage Concession Agreements. $5M UMB required for high loss exposure.
• Provide coverage for City property while in Marine Contractor's care, custody and control.
• Provide coverage against liability for damage to vehicles while in Contractor's care, custody and control
• *Property insurance at full replacement cost w/no coinsurance penalty
• $2M Aggregate for POLL; MCS-90 Endorsement and Sudden & Accidental Pollution endorsement
• Type 7B - Professional Svcs conducted offsite.
• Pollution Liability may be required if scope of svcs presents an exposure.
• $2M Aggregate for Professional Liability. *Pollution Liability may be required if scope of svcs presents an exposure.
• $2M Aggregate for Professional Liability. *Pollution Liability may be required if scope of svcs presents an exposure.
ADDITIONAL REQUIREMENTS RELATING TO EACH COVERAGE
Columns: COVERAGE DESCRIPTION; ADDT'L INSURED; WAIVER OF SUBRO; A.M. BEST RATING
CGL = GENERAL LIABILITY
Fundamental coverage for bodily injury, property damage, and
personal injury arising out of the contractor's activities
X
X
A: VII
AL = AUTOMOBILE LIABILITY
This coverage is important for any work or service involving the
use of motor vehicles, and is a legal requirement for all vehicle
owners. AL coverage includes all Owned, Non-owned and Hired
vehicles.
X
X
A: VII
WC = WORKERS' COMPENSATION & EMPLOYERS LIABILITY
All employers must provide this insurance or be registered as a
Self-Insured entity with the State. This is not required for sole
proprietors or companies that have no employees. The
"Statutory Limits" are required.
X
A: VII
UMB = UMBRELLA LIABILITY (AS BROAD AS GL/AL)
This policy provides protection for catastrophic losses and is
written over the primary GL or AL policy; it provides excess limits
when the primary limits are exhausted, and it provides coverage
against some claims not covered by the underlying GL or AL
policies.
A: VII
PL = PROFESSIONAL LIABILITY (ERRORS & OMISSIONS)
This coverage is for errors in professional judgment or omission
that lead to damages to City or others. Coverage is usually
written on a claims-made basis (instead of occurrence basis). It is
normally required if a Contractor is providing a professional
service regulated by the State (i.e., Insurance Agents, Architects
& Engineers, Doctors, CPAs, Lawyers, etc.); Other professional
services such as computer or software designers, claims
administrators, etc. should also have Professional Liability.
X
A: VII
BLDRK = BUILDER'S RISK
Insurance for property under construction that protects the
interest of both the owner and the contractor (includes
equipment and material to be installed). Coverage is written on
an "All Risk" basis; insurance should cover the full insurable value
of the project; the City must be named as Loss Payee; No
co-insurance penalty provision
X
A: VII
INSFL = INSTALLATION FLOATER
Insurance coverage for projects that do not include new or major
construction; it is usually for improvements, remodeling,
modifications, alterations, conversion or adjustment to existing
buildings/structures, and installation of machinery and
equipment
X
A: VII
PROP = PROPERTY INSURANCE
Property insurance is required when a tenant does
improvements or betterments to a City property. Full
replacement value of the improvements is required and the City
shall be named as Loss Payee on the Property policy; No
co-insurance penalty provision
X
A: VII
GKL = GARAGE LIABILITY
This coverage is used to protect parking lot operators, valet
parking companies, and garage owners against liability for
damage to vehicles that are in their care, custody and control.
The garage keeper that accepts another's property for repair or
keeping becomes a bailee, and the law imposes certain legal
responsibilities on a bailee. These responsibilities are normally
excluded by GL policies.
X
A: VII
POLL = POLLUTION LIABILITY
This coverage is required when there is exposure involving
remediation, asbestos abatement, and other hazardous material
operations; coverage shall be endorsed to include clean-up
X
A: VII
EPL = EMPLOYMENT PRACTICES LIABILITY
Covers wrongful acts arising from the employment process. The
most frequent types of claims covered under EPL include:
wrongful termination, discrimination, sexual harassment, and
retaliation. Cover extends to directors & officers, management
personnel, employees and insureds.
X
A: VII
CRM = CRIME/FIDELITY BOND
Crime insurance provides for employee dishonesty, forgery or
alteration coverage; computer fraud, funds transfer fraud,
kidnap, ransom, extortion, money & securities coverage; money
orders and counterfeit money coverage
X
A: VII
MCL = MARINE CONTRACTORS' LIABILITY
This is another form of bailee liability insurance that protects
marina operators against liability for damage to boats in their
care, custody and control.
X
A: VII
LIQ = LIQUOR LIABILITY
Coverage is for bodily injury or property damage arising out of
the serving or distribution of alcoholic beverages by a party not
engaged in this activity as a business enterprise; coverage may be
included under GL policy.
X
A: VII
WAIVER = WAIVER LETTERS
Waiver letters may be accepted for WC and AL coverage when
the following occurs: For WC, the vendor has 3 or fewer
employees, and is therefore exempt by State law from
providing coverage; and AL, when the vendor does not use any
vehicles for the execution of the scope of services.
DEFINITION OF ADDITIONAL REQUIREMENTS
ADDITIONAL INSURED
Endorsement to the contractor's GL policy that names the City of
Miami Beach as an additional insured for covered claims arising
from the contractor's work or activities on the City's behalf. This
status gives the City direct rights under the contractor's GL policy
and greatly increases our chances of recovery, especially for legal
defense.
WAIVER OF SUBROGATION
This is a waiver of the contractor's rights to recover from the City
any claim payments that the insurer made; especially in WC
policies.
A.M. BEST GUIDE RATING
A rating given to an insurance company affording coverage that
gives the City some confidence that the insurer has the ability to
cover all of its liabilities, including any potential claims.