Notice of the Ordinary meeting of
Audit and Risk Subcommittee
Kōmiti Iti mō te Tātari Kaute me te Tūraru
Date: Tuesday 10 November 2020 Time: 1.30p.m. Location: Council Chamber, Civic House 110 Trafalgar Street, Nelson |
Agenda
Rārangi take
Chairperson Mr John Peters
Members Her Worship the Mayor Rachel Reese
Cr Judene Edgar
Mr John Murray
Cr Rachel Sanson
Quorum 3 Pat Dougherty
Chief Executive
Nelson City Council Disclaimer
Please note that the contents of these Council and Committee agendas have yet to be considered by Council and officer recommendations may be altered or changed by the Council in the process of making the formal Council decision. For enquiries call (03) 5460436
Areas of Responsibility
· Council’s Treasury policies
· Council’s Annual Report
· Audit processes and management of financial risk
· Monitoring organisational risks, including debtors and legal proceedings
· Internal audit
· Health and Safety
· Any matters raised by Audit New Zealand or the Office of the Auditor-General
Powers to Decide
· None
Powers to Recommend to Governance and Finance Committee
· To write off outstanding accounts receivable or remit fees and charges of amounts over the Chief Executive’s delegated authority
· Any matters within the areas of responsibility or such other matters referred to it by the Council
Powers to Recommend to Council
· Adoption of Council’s Annual Report
For the Terms of Reference for the Audit and Risk Subcommittee please refer to document A1437349.
Audit and Risk Subcommittee
10 November 2020
1. Apologies
Nil
2. Confirmation of Order of Business
3.1 Updates to the Interests Register
3.2 Identify any conflicts of interest in the agenda
Document number M14135
Recommendation
That the Audit and Risk Subcommittee 1. Confirms the minutes of the meeting of the Audit and Risk Subcommittee, held on 17 September 2020, as a true and correct record. |
6. Chairperson's Report
7. Key Organisational Risks Report - 01 July to 30 September 2020 12 - 43
Document number R19222
Recommendation
That the Audit and Risk Subcommittee 1. Receives the report Key Organisational Risks Report - 01 July to 30 September 2020 (R19222) and its attachment (A2486951). |
8. Audit NZ - Audit Engagement Letter for the Long Term Plan 2021-31 44 - 62
Document number R21345
Recommendation
That the Audit and Risk Subcommittee 1. Receives the report Audit NZ - Audit Engagement Letter for the Long Term Plan 2021-31 (R21345) and its attachment (A2479185); and 2. Notes the Audit and Risk Subcommittee can provide feedback on the Audit Engagement Letter to Audit NZ if required and that the Mayor will sign the letter once the Subcommittee’s feedback (if any) has been incorporated. |
9. Health, Safety and Wellbeing Report, July to September 2020 63 - 78
Document number R21365
Recommendation
That the Audit and Risk Subcommittee 1. Receives the report Health, Safety and Wellbeing Report, July to September 2020 (R21365) and its attachment (A2488389). |
10. Internal Audit - Quarterly Progress Report to 30 September 2020 79 - 82
Document number R21363
Recommendation
That the Audit and Risk Subcommittee 1. Receives the report Internal Audit - Quarterly Progress Report to 30 September 2020 (R21363) and its attachment (A2483911).
|
11. New and Outstanding Significant Risk Exposures and Control Issues Identified from Internal Audits - 30 September 2020 83 - 87
Document number R21364
Recommendation
That the Audit and Risk Subcommittee 1. Receives the report New and Outstanding Significant Risk Exposures and Control Issues Identified from Internal Audits - 30 September 2020 (R21364) and its attachment (A2482497).
|
12. Internal Audit Self-Assessment - 31 March 2020 88 - 98
Document number R18156
Recommendation
That the Audit and Risk Subcommittee 1. Receives the report Internal Audit Self-Assessment - 31 March 2020 (R18156) and its attachment (A2366767).
|
CONFIDENTIAL Business
Recommendation
That the Audit and Risk Subcommittee
1. Excludes the public from the following parts of the proceedings of this meeting.
2. The general subject of each matter to be considered while the public is excluded, the reason for passing this resolution in relation to each matter and the specific grounds under section 48(1) of the Local Government Official Information and Meetings Act 1987 for the passing of this resolution are as follows:
Item |
General subject of each matter to be considered |
Reason for passing this resolution in relation to each matter |
Particular interests protected (where applicable) |
1 |
Quarterly Update on Legal Proceedings
|
Section 48(1)(a) The public conduct of this matter would be likely to result in disclosure of information for which good reason exists under section 7 |
The withholding of the information is necessary: · Section 7(2)(g) To maintain legal professional privilege |
2 |
Quarterly Update On Debts - 30 September 2020
|
Section 48(1)(a) The public conduct of this matter would be likely to result in disclosure of information for which good reason exists under section 7 |
The withholding of the information is necessary: · Section 7(2)(a) To protect the privacy of natural persons, including that of a deceased person · Section 7(2)(g) To maintain legal professional privilege |
Audit and Risk Subcommittee Minutes - 17 September 2020
Minutes of a meeting of the Audit and Risk Subcommittee
Held in the Council Chamber, Civic House, 110 Trafalgar Street, Nelson
On Thursday 17 September 2020, commencing at 9.04a.m.
Present: Mr J Peters (Chairperson), Her Worship the Mayor R Reese, Mr J Murray, J Edgar and R Sanson
In Attendance: Councillors T Brand and B McGurk, Chief Executive (P Dougherty), Group Manager Corporate Services (N Harrison), Group Manager Strategy and Communications (N McDonald), Governance Adviser (E-J Ruthven) and Governance Support (K McLean)
Apologies : Nil
1. Apologies
There were no apologies.
2. Confirmation of Order of Business
There was no change to the order of business.
3. Interests
There were no updates to the Interests Register, and no interests with items on the agenda were declared.
4. Public Forum
There was no public forum.
5. Confirmation of Minutes
5.1 11 August 2020
Document number M13044, agenda pages 6 - 14 refer.
Resolved AR/2020/044 |
|
|
That the Audit and Risk Subcommittee 1. Confirms the minutes of the meeting of the Audit and Risk Subcommittee, held on 11 August 2020, as a true and correct record. |
Murray/Edgar Carried |
6. Chairperson's Report
There was no Chairperson’s Report.
7. Draft Annual Report 2019/20
Document number R18130, agenda pages 15 - 20 refer.
Group Manager Strategy and Communications, Nicky McDonald, presented the report. Ms McDonald noted that the reference to ‘Council Owned Companies’ on page 190 of the Annual Report should be updated to ‘Council Controlled Organisations’, and added that further changes may come via the audit process. Ms McDonald, along with Group Manager Corporate Services, Nikki Harrison, and Manager Strategy, Mark Tregurtha, answered questions regarding: · The performance measures for, and audit processes of, the Council-Controlled Organisations and Council-Controlled Trading Organisations; · Audit NZ’s fees relating to the audit process; · The financial prudence benchmark, and whether an explanation of how this is measured could be included in the Annual Report; · How Council was tracking against the top four priorities for 2018-28; · Inclusion of the triennium priorities in the Annual Report, alongside the Long Term Plan priorities; and · The impact on Council as an organisation in collating the information required for inclusion in the Annual Report. It was noted that the draft Annual Report 2019/20 would be audited, then presented to Council for adoption following audit, prior to 31 December 2020. |
|
Resolved AR/2020/045 |
|
|
That the Audit, Risk and Finance Subcommittee 1. Receives the report Draft Annual Report 2019/20 (R18130) and its attachment (A2461046). |
Sanson/Edgar Carried |
8. Health & Safety Governance Charter Review
Document number R14815, agenda pages 21 - 32 refer.
Health and Safety Adviser, Malcolm Hughes, presented the report. He answered questions regarding elected member engagement with Council’s Health and Safety Committee, and elected member obligations with regards to site visits. It was noted that changes would be made to the Health and Safety Charter to clarify the expectations of Elected Members with regards to their health and safety obligations through site visits and observation of the Health and Safety Committee meetings, and that it would be presented to the Governance and Finance Committee for approval, subject to signoff by the Chair of the Audit and Risk Subcommittee. |
|
Resolved AR/2020/046 |
|
|
That the Audit and Risk Subcommittee 1. Receives the report Health & Safety Governance Charter Review (R14815) and its attachment (A2288754). |
Murray/Edgar Carried |
|
Recommendation to Governance and Finance Committee AR/2020/047 |
|
|
That the Governance and Finance Committee 1. Approves the revised Health and Safety Governance Charter (A2288754), subject to signoff by the Chair of the Audit and Risk Subcommittee. |
Edgar/Sanson Carried |
9. Exclusion of the Public
Resolved AR/2020/048 |
|
|
That the Audit and Risk Subcommittee 1. Excludes the public from the following parts of the proceedings of this meeting. 2. The general subject of each matter to be considered while the public is excluded, the reason for passing this resolution in relation to each matter and the specific grounds under section 48(1) of the Local Government Official Information and Meetings Act 1987 for the passing of this resolution are as follows: |
Edgar/Sanson Carried |
Item |
General subject of each matter to be considered |
Reason for passing this resolution in relation to each matter |
Particular interests protected (where applicable) |
1 |
Audit and Risk Subcommittee Meeting - Public Excluded Minutes - 11 August 2020 |
Section 48(1)(a) The public conduct of this matter would be likely to result in disclosure of information for which good reason exists under section 7. |
The withholding of the information is necessary: · Section 7(2)(a) To protect the privacy of natural persons, including that of a deceased person · Section 7(2)(g) To maintain legal professional privilege |
The meeting went into confidential session at 9.54am and resumed in public session at 9.55a.m.
The only business transacted in confidential session was to confirm the minutes. In accordance with the Local Government Official Information Meetings Act, no reason for withholding this information from the public exists therefore this business has been recorded in the open minutes.
10. Confirmation of Confidential Minutes – 11 August 2020
Resolved AR/2020/049 |
|
|
That the Audit and Risk Subcommittee 1. Confirms the minutes of part of the meeting of the Audit and Risk Subcommittee, held with the public excluded on 11 August 2020, as a true and correct record. |
Murray/Sanson Carried |
11 Re-admittance of the Public
Resolved AR/2020/050 |
|
|
That the Audit and Risk Subcommittee 1. Re-admits the public to the meeting.
|
Edgar/Sanson Carried |
There being no further business the meeting ended at 9.55a.m.
Confirmed as a correct record of proceedings:
Chairperson Date
Item 7: Key Organisational Risks Report - 01 July to 30 September 2020
|
Audit and Risk Subcommittee 10 November 2020 |
REPORT R19222
Key Organisational Risks Report - 01 July to 30 September 2020
1. Purpose of Report
1.1 To provide information to the Audit and Risk Subcommittee on the key organisational risks through to end of quarter one 2020-21.
2. Recommendation
That the Audit and Risk Subcommittee 1. Receives the report Key Organisational Risks Report - 01 July to 30 September 2020 (R19222) and its attachment (A2486951). |
3. Background
3.1 This report includes information on risks to achieving Council’s priorities for the Long Term Plan 2018-28 (section 5), and the key organisational risks that could impact Council’s wider ability to deliver core functions and services (section 6). Risks related to specific assets, activities, or projects, are reported on a quarterly basis to the relevant Committee, and any significant items are summarised at section 7 of this report. In addition, section 7 provides a brief summary from each Group Manager on emerging risks for their areas of responsibility.
3.2 The attachment to this report describes each risk in more detail, its existing controls and planned risk treatments.
4. Risk Management Practice
4.1 Further configuration of the risk management software was completed during quarter one 2020-21. Final testing of the configuration is scheduled for quarter two, with the implementation to follow. The target is to transition all business unit risks rated high and above by end of December 2020. The focus for quarters three and four will be to transition all medium and low rated risks, work on embedding use of the module to support risk management activity, and decommission the existing set of risk registers. Post-project, a benefits realisation assessment will be reported to the Group Manager Corporate Services.
4.2 During quarter one, a risk identification workshop was held with a small group of managers, with a focus on Council’s ability to achieve its key responsibilities. The main risk areas identified relate to climate change impact, and factors that may affect rates revenue. A draft set of organisational level risks will be discussed by the Senior Leadership Team during quarter two.
4.3 A risk management maturity benchmarking self-assessment was completed during quarter one, and the results have been reported to the Group Manager Corporate Services. Overall, Council was assessed at maturity level two, which is the MBIE recommended minimum maturity level for an organisation of Council’s size and scope of deliverables.
Maturity Level Two – Summary |
Basic risk management practices are documented but there is a lack of detailed guidance and risk management practices are not consistently applied across all business units. Senior business leaders have a high level appreciation of the value of enterprise risk management and promote its adoption. There is some use of evidence-based data to support risk informed decision making and provide assurance that risks are being managed effectively. As a result, overall business performance is somewhat determined by 'chance' and may vary from expected outcomes. Extracted from the MBIE All of Government enterprise risk maturity assessment framework |
There were some elements of maturity level three, and a small number of areas where Council is only partially achieving maturity level two. The gaps will be addressed over the coming year, with the aim of consolidating and strengthening the organisation’s risk management practice at maturity level two. The next risk management maturity benchmarking self-assessment will be scheduled for completion during quarter one 2021-22, with consideration of a target maturity level by end of quarter two 2021-22.
5. Risks to Achieving Council Long Term Plan Top Priorities
5.1 Updated information to the end of quarter one is summarised below, with further detail on the risk areas, their controls and treatments set out in attachment one.
5.2 Priority area Infrastructure (Risk 1). There have been no reported exceptions to the risk controls. Treatments are being incorporated into the relevant draft Activity Management Plans (AMPs) being presented to Council during quarter two 2020-21. The overall consequences and likelihood for this priority area were reviewed with managers from the Infrastructure Group, resulting in some amendments and updates to risk controls. The risk rating remains at High, with no risk movement to report during quarter one 2020-21.
5.3 Priority area Environment (Risk 2). The residual risk rating remains at High, with no risk movement during quarter one 2020-21.
5.4 Priority area City Centre Development (Risk 3). The residual risk rating remains at Medium, with no risk movement during quarter one 2020-21.
5.5 Priority area Lifting Council Performance (Risk 4). Planned treatments continue to progress in most areas. Improvements to procurement processes have been implemented, and are intended to increase officer efficiency in procuring goods and services, and for suppliers, to reduce the time investment needed when submitting proposals for Council work. The risk rating remains at Medium, with no risk movement during quarter one 2020-21.
6. Key Organisational risks
6.1 At the end of quarter one, the known key risk areas for the four Long Term Plan top priorities, and nine key organisational risks, are as summarised in the heat map, and table below. Updates are provided below for the nine key organisational risk areas, with further detail in attachment one.
ID |
Risk Area |
Rating |
Owner |
1 |
Council priority area: Infrastructure |
High |
Group Manager Infrastructure |
2 |
Council priority area: Environment |
High |
Group Manager Environmental Management |
3 |
Council priority area: City Centre Development |
Medium |
Chief Executive |
4 |
Council priority area: Lift Council Performance |
Medium |
Chief Executive |
5 |
Lifeline service failure from natural hazards and similar events |
High |
Group Manager Infrastructure |
6 |
Illness, injury or stress from higher hazard work situations |
Medium |
Group Manager Corporate Services |
7 |
Loss of service performance from ineffective contracts and contract management |
Medium |
Chief Executive |
8 |
Compromise of Council service delivery from information technology failures |
Low |
Group Manager Corporate Services |
9 |
Compromised decision making and public information from incomplete and difficult to access records |
Medium |
Group Manager Strategy and Communications |
10 |
Council work compromised by loss of and difficulties in replacing skilled staff |
Medium |
Manager People and Capability |
11 |
Legal liability and reputation loss from inadequate consideration of the law in decision making |
Medium |
Group Manager Strategy and Communications |
12 |
Loss of public trust in the organisation |
Medium |
Group Manager Strategy and Communications |
13 |
Disruption to Council service delivery due to significant increase in COVID-19 cases |
Medium |
Chief Executive |
6.2 Lifeline service failure from natural hazards and similar events (Risk 5). The overall risk profile was reviewed during quarter one with managers from the Infrastructure Group, who have proposed that more granularity of the risk area will result in better oversight of the risk controls and treatments. This will be explored further through discussion with the Senior Leadership Team as per paragraph 4.2 of this report. The risk rating remains at High, with no risk movement to report during quarter one 2020-21.
6.3 Illness, injury or stress from higher hazard work situations (Risk 6). The outstanding treatment is due for completion in December 2020; as such there was no risk movement during quarter one 2020-21, and so the overall risk rating remains at Medium.
6.4 Loss of service performance from ineffective contracts and contract management (Risk 7). A feasible solution for the contract management system has been identified, and the business case has been approved. Implementation of the contract management system is scheduled to begin during quarter two, and once complete, will be a significant step towards improved visibility of contracts and a reduction in contractual risk. The risk rating remains at Medium, with no risk movement to report during quarter one 2020-21.
6.5 Compromise of Council service delivery from information technology failures (Risk 8). The implementation of multi-factor authentication technology was completed during quarter one. This adds an additional layer of cyber security, to help prevent successful cyber-attacks on Council’s systems. Controls in place are considered effective to maintain the risk rating at Low, and as such no further risk treatments are currently planned. Control effectiveness and the overall risk profile will continue to be monitored and periodically reviewed. The risk rating remains at Low, with no risk movement to report during quarter one 2020-21.
6.6 Compromised decision making and public information from incomplete and difficult to access records (Risk 9). This risk area will require further detailed reviewed in light of the findings from the recent Information Management Maturity audit. Consideration is being given to the feasibility of consolidating the electronic document and records management system, with the current cloud-based Office 365 technology. Options will be explored through the business case process, to be initiated during quarter two. The risk rating remains at Medium, with no risk movement during quarter one 2020-21.
6.7 Council work compromised by loss of and difficulties in replacing skilled staff (Risk 10). Council continues to receive a healthy volume of applications for non-specialist roles, and this is providing reasonable continuity of service delivery. Staff turnover has decreased over the last few years, however the level of short and fixed term recruitment is impacting capacity in the People and Capability team, and so the recruitment programme is being scheduled at a viable pace. Current staff turnover levels have been generally steady within the expected target range. Given the nationwide constraints in highly specialised skills, the Medium risk rating remains tolerable, with no risk movement during quarter one 2020-2-10.
6.8 Legal liability and reputation loss from inadequate consideration of the law in decision making (Risk 11). There are no changes to existing controls or treatments to report. The risk owner remains satisfied that the residual risk is at a tolerable level. The risk rating remains at Medium, with no risk movement during quarter one 2020-2-10.
6.9 Loss of public trust in the organisation (Risk 12). The risk owner remains satisfied that the residual risk is at a tolerable level. The risk rating remains at Medium, with no risk movement during quarter one 2020-21.
6.10 Disruption to Council service delivery due to significant increase in COVID-19 cases (Risk 13). A COVID-19 response readiness group was established during quarter one 2020-21. The group meets on a fortnightly basis with a remit to identify and assign actions that will increase Council’s readiness to respond to an escalation in COVID-19 alert levels, and to ensure controls for the current alert level are effective. The risk rating is Medium, with no risk movement during quarter one 2020-21.
7. Risk Areas for Each Group
7.1 General: Some staff are experiencing increased stress and heightened levels of anxiety associated with the ongoing COVID-19 pandemic. Whilst this is not affecting all staff, the impact is being seen in most parts of the organisation.
7.2 Infrastructure Group: The streamlined exception to our procurement policy approach for construction projects has been extended to remain in place through to the end of June 2022. The aim of this extension is to provide greater surety of work for the local construction sector to aid regional economic recovery following the impact of the ongoing COVID-19 pandemic that has affected all local companies. Pricing for construction work is not showing a significant increase at this stage, and combined with the streamlined procurement approach, the use of an “open book” process is helping to mitigate cost risks at the contract award stage.
7.3 Community Services Group: Risk to viability of events provided by Council or held at Council venues from changes in COVID-19 alert levels, with consequences for revenue or grant funding. The ability of some community groups or organisations to pay leases, fees or loan repayments is being affected due to impacts from COVID-19.
7.4 Environmental Management Group: No new emerging risks to report at this time.
7.5 Strategy and Communications Group: The disruption caused by COVID-19 is becoming more evident in terms of the impact on the Group’s programme of work. Multiple staff are recovering additional time accrued for COVID-19 related work undertaken during the level three and four lockdowns. The effect on the work programme is compounded by business as usual activities and projects that were delayed, that are now being re-established. Personal impacts of the pandemic are also causing ongoing stress for some staff. The size and scope of the Group’s programme of work is being reviewed and may need to be adjusted.
7.6 Corporate Services Group: No new emerging risks to report at this time.
Author: Arlene Akhlaq, Manager Business Improvement
Attachments
Attachment 1: A2486951 - Key organisational risks report Quarter 1 - July to September 2020 ⇩
Item 8: Audit NZ - Audit Engagement Letter for the Long Term Plan 2021-31
|
Audit and Risk Subcommittee 10 November 2020 |
REPORT R21345
Audit NZ - Audit Engagement Letter for the Long Term Plan 2021-31
1. Purpose of Report
1.1 To provide the subcommittee with the Audit Engagement Letter for the audit of the consultation document and Long Term Plan 2021-31 and ask for any feedback before the letter is signed by the Mayor.
2. Recommendation
3. Background
3.1 The Audit Engagement Letter (Attachment 1: A2479186) relates to the audit of the Long Term Plan (LTP) 2021 – 31 and the consultation document.
3.2 The letter sets out the terms of the audit engagement and the respective responsibilities of Council and Audit New Zealand. The letter also outlines the audit scope and objectives, the approach taken to complete the audit, the areas of audit emphasis, the audit logistics and the professional fees.
3.3 Audit NZ has indicated that COVID-19 will be a particular area of focus for this LTP audit and that it will pay more attention to the assumptions that Council has made on climate change.
3.4 The letter is to be signed by the Mayor to confirm the details of the audit match Council’s understanding of the arrangements.
4. Conclusion
4.1 Subcommittee members can provide feedback for Audit NZ prior to the letter being signed.
Author: Nikki Harrison, Group Manager Corporate Services
Attachments
Attachment 1: Audit NZ Engagement Letter for the LTP 2021-31 (A2479185) ⇩
Item 9: Health, Safety and Wellbeing Report, July to September 2020
|
Audit and Risk Subcommittee 10 November 2020 |
REPORT R21365
Health, Safety and Wellbeing Report, July to September 2020
1. Purpose of Report
1.1 To provide the subcommittee with a report on health, safety and wellbeing data collected over the period July to September 2020.
To update the subcommittee on key health and safety risks, including controls and treatments.
2. Summary
2.1 A notable incident for this period was a bus driver assaulted by a passenger after being asked to wear a mask.
2.2 Data on the COVID-19 response is included in the wellbeing section of the attachment and covers the period at alert level two during August and September.
2.3 There has been no change in the assessed risk ratings of key health and safety risks since the previous report.
3. Recommendation
That the Audit and Risk Subcommittee 1. Receives the report Health, Safety and Wellbeing Report, July to September 2020 (R21365) and its attachment (A2488389). |
4. Background
4.1 Elected members, as ‘Officers’ under the Health and Safety at Work Act 2015 (HSWA), are required to undertake due diligence on health and safety matters. Council’s Health and Safety Governance Charter states that Council will receive quarterly reports regarding the implementation of health and safety. Council has delegated the responsibility for health and safety to the Audit and Risk Subcommittee.
4.2 Health, safety and wellbeing performance data reports provide an overview based on key lead and lag indicators. Where a concerning trend is identified more detail is provided in order to better understand issues and implement appropriate controls.
4.3 Reporting on key health and safety risks provides further depth and detail to the health and safety risks reported in the organisational risk report.
5. Discussion
Incidents of note
5.1 A contractor at York Valley Landfill experienced a serious medical event while working and has since returned to work.
5.2 Two significant near miss incidents have been reported by contractors for this period. In August an electrician working at a pump station received an electric shock and was checked at hospital as a precaution. Remedial work has been identified to be carried out in all similar situations to prevent a reoccurrence. In September a motorist ignored the stop paddle at worksite on a road and continued through. No issues were identified with the temporary traffic management at this site. Ensuring effective temporary traffic management by contractors and others working in the road corridor is an ongoing challenge and area of focus for council officers.
5.3 Overcrowding in the foyer of the Council Chamber for a public forum on the first day of the return to alert level one caused some concern. The investigation identified the need for more information regarding the meeting risk assessment to be provided to the security contractor in advance.
Security Incidents
5.4 A significant security incident was when a bus driver was verbally abused and shoved by a passenger after requesting that the passenger wear a mask as was required during alert level two.
5.5 Several of the security incidents reported at CSC and libraries related to customers refusing to comply with contact tracing requirements.
Lead Indicators
5.6 Hazard near miss and incident data in the attachment shows an improvement over the previous reporting periods. Improving hazard and near miss reporting will remain a focus.
5.7 Low numbers of workstation assessments reported will be addressed by a review of the process for requesting, providing and recording workstation assessments. An objective of increasing the number of workstation assessments completed has an expected outcome of reducing the likelihood of pain and injury occurring.
Safe Driving
5.8 ERoad in vehicle monitoring data continues to show a decrease in the rate of overspeed events and no individual drivers had a concerning number of over speed events during this period.
5.9 When the ERoad system was first implemented in 2016 the rate of over speed events was close to 2 per 100km travelled, this is now down to about 0.5 events per 100km.
Staff Wellbeing
5.10 The annual ‘Ask Your Team’ staff survey was completed during this period by 76% of staff invited to participate. Health safety and wellbeing questions in the survey were some of the highest scoring and results were not significantly different from previous years. Results of this survey will be reported in more detail to the Chief Executive Employment Committee.
5.11 Sick leave data continues to show less days taken than the same months in previous years. A decrease in respiratory illness circulating in the general population and Council staff due to COVID-19 controls and the increased working from home have been identified as the cause of this. Ministry of Health data from its weekly flu-tracking survey shows that influenza like symptoms reported nationally is also considerably lower than previous years.
Contractor Health and Safety
5.12 A significant increase in safe work observations (SWOs) or contractor monitoring reported can be attributed to the large number of active projects during this period.
Due Diligence Activities
5.13 Five Councillors attended two safe work observations or safety tours during this period with two councillors attending both.
5.14 The Audit and Risk Subcommittee received a reviewed Health and Safety Governance Charter.
Key Health and Safety Risk Update
5.15 All of Council’s key health and safety risks are assessed to remain as medium risks.
5.16 Where new treatments have been planned or have been implemented as controls since the last report this is indicated by red text in the attachment.
5.17 Where possible timeframes are indicated for treatments.
Author: Malcolm Hughes, Health and Safety Adviser
Attachments
Attachment 1: Health, Safety and Wellbeing Report - July-Sept 2020 (A2488389) ⇩
Item 10: Internal Audit - Quarterly Progress Report to 30 September 2020
|
Audit and Risk Subcommittee 10 November 2020 |
REPORT R21363
Internal Audit - Quarterly Progress Report to 30 September 2020
1. Purpose of Report
1.1 To update the Audit and Risk Subcommittee on the internal audit activity for the quarter to 30 September 2020.
2. Background
2.1 Under Council’s Internal Audit Charter approved by Council on 15 November 2018, the Audit and Risk Subcommittee requires a periodic update on the progress of internal audit activities relative to any current Internal Audit Plan approved by Council.
2.2 The current Internal Audit Plan (the Plan) for the year to 30 June 2021 was approved by the Governance and Finance Committee on 27 August 2020. The Plan provides for two planned audits, with an allowance for a further four unplanned audits. As well, it provides for a contribution towards a data analytics business improvement work programme and further development of the contracts management system.
3. Recommendation
That the Audit and Risk Subcommittee 1. Receives the report Internal Audit - Quarterly Progress Report to 30 September 2020 (R21363) and its attachment (A2483911). |
4. Overview of Progress and of Related Internal Audit Activities
4.1 During the quarter the final audit for 2019-2020 Information Management Maturity, and the first of the two planned audits for 2020-2021 were completed. The latter is currently with management and will be reported on next quarter.
4.2 There has also been good progress on the other business improvement topics included in this year’s and last year’s Plans. The most recent updates are in the attachment (A2483911) Progress of Internal Audits to 30 September 2020.
4.3 While not part of the Plan, we can report that 50 staff have completed or partially completed the new online version of fraud awareness and conflicts of interest training during the period from 5 August 2020 (when it went live) to 30 September 2020. This represents 27% of total invites during that period. Staff are asked to complete within one month of receiving their invitation, and while the number of completions does not appear high, most were for newer staff. A significant proportion of longer serving staff had previously completed similar training in person and, given their competing priorities, we are exercising more flexibility with the requirement for this group to complete the new training within one month. Attendance is being managed by Business Improvement.
4.4 Also outside the Plan, testing of existing internal controls relating to the high (inherent) fraud risks identified in last year’s Fraud Risk Assessment is underway and will be completed by the end of Q2 2020-21.
Author: Lynn Anderson, Internal Audit Analyst
Attachments
Attachment 1: A2483911 - Quarterly Progress Report to 30 September 2020 ⇩
Item 11: New and Outstanding Significant Risk Exposures and Control Issues Identified from Internal Audits - 30 September 2020
|
Audit and Risk Subcommittee 10 November 2020 |
REPORT R21364
New and Outstanding Significant Risk Exposures and Control Issues Identified from Internal Audits - 30 September 2020
1. Purpose of Report
1.1 To update the Subcommittee on new or outstanding risk exposures following internal audits included in any Internal Audit Plan to 30 June 2021.
2. Recommendation
3. Background
3.1 Under section 9.1 of the Internal Audit Charter, the Audit and Risk Subcommittee and the Governance and Finance Committee are to be informed of internal audit results where appropriate.
3.2 Under section 9.4, the Audit and Risk Subcommittee requires a periodic update of any significant risk exposures and control issues identified from internal audits completed.
4. Summary
4.1 The attachment (A2482497), New and Outstanding Significant Risk Exposures and Control Issues Identified from Internal Audits, shows progress relating to four high risks outstanding from the previous report presented to the Audit, and Risk Subcommittee meeting of 11 August 2020.
4.2 There are also two new high risks from the Information Management Maturity audit to report. Since the report was finalised, the Records and Archives, IT, and Business Improvement teams have been working to mitigate these high risks. In particular they will: a) gain a better understanding of the risks associated with new cloud-based systems; b) with senior management, revisit Council’s recordkeeping vision, strategy and related policy to establish whether they best meet business needs; c) align the storage of records in systems outside Objective with Council’s records management framework; and d) complete the information asset register for high value/risk records which commenced in 2019.
4.3 Details of progress in Quarter 1 2020-2021 are shown in red for each action which was previously included in the report to 30 June 2020.
Author: Lynn Anderson, Internal Audit Analyst
Attachments
Attachment 1: A2482497 - New and Outstanding Significant Risk Exposures identified from Internal Audits ⇩
Item 11: New and Outstanding Significant Risk Exposures and Control Issues Identified from Internal Audits - 30 September 2020: Attachment 1
Item 12: Internal Audit Self-Assessment - 31 March 2020
|
Audit and Risk Subcommittee 10 November 2020 |
REPORT R18156
Internal Audit Self-Assessment - 31 March 2020
1. Purpose of Report
1.1 To provide the Audit and Risk Subcommittee with information from the first formal self-assessment undertaken since the internal audit activity was first established in September 2015 (and the first Internal Audit Annual Plan approved by Council in 15 October 2015).
2. Summary
2.1 An internal audit self-assessment has found an overall level of maturity of Level 2, with elements of Level 3. Increased use of data analytics will assist with moving the organisation to Level 3.
2.2 The likely timing for the next self-assessment is 2021/22.
3. Recommendation
That the Audit and Risk Subcommittee 1. Receives the report Internal Audit Self-Assessment - 31 March 2020 (R18156) and its attachment (A2366767). |
4. Background
4.1 The Internal Audit Charter (clauses 10.1 & 10.2) requires that the internal audit activity maintains a quality assurance and improvement programme which includes an evaluation of conformance with the Definition of Internal Auditing and the International Standards for the Professional Practice of Internal Auditing (Standards). Internal audit is to communicate to the Senior Leadership Team and Audit and Risk Subcommittee on matters relating to this programme, including the results of internal and external assessments.
4.2 While one purpose of the assessments is to assess conformance, the other is to help drive improvements to internal audit capability so that it can achieve Council’s objectives for the function.
5. Conformance with Standards and Areas for Improvement
5.1 Internal auditors are required to comply with the Institute of Internal Auditors Standards. The self-assessment found there is general compliance with many of the Standards. In its guidance, the Institute of Internal Auditors indicates that the degree of conformance with the Standards should be realistic in order to be useful in each unique circumstance. To determine that ‘realistic conformance’ in Council’s context, it is firstly necessary to understand the level of maturity of its internal audit function.
5.2 The Institute of Internal Auditors suggests that Level 3 maturity is appropriate for many internal audit functions in local government organisations. Council’s internal audit function is not far removed from this maturity level at Level 2, with elements of Level 3.
[Note, in the extract from the Internal Audit Maturity Model for the Public Sector matrix shown below, the yellow highlighted elements indicate Council’s current maturity, while those highlighted grey reflect partial maturity.]
Overall Maturity Level |
Services & Role of IA |
People Management |
Professional Practices |
Performance Management & Accountability |
Organisational Relationship & Culture |
Governance Structures |
Level 3 – Integrated |
Advisory services Performance/value-for-money audits IA evolves from conducting only traditional IA to integrating as a team player and providing advice on performance and management of risks |
Focus is on team building & competency, and its independence and objectivity Professional qualified staff
|
Quality management framework in place Generally conforms to the Standards IA policies, processes, and procedures are defined, documented and integrated into each other and the organisation’s infrastructure Risk-based audit plans |
Performance measures developed Cost information available and utilised IA management reports produced |
Co-ordination with other review groups Integral component of Management Team |
Management oversight of the IA activity Funding mechanisms |
Level 2 - Infrastructure |
Compliance auditing Audit based principally on management priorities |
Individual professional development Skilled people identified & recruited |
Professional practices & processes framework established Partial conformance with the Standards Key challenge for Level 2 is how to establish and maintain repeatability of processes and thus a repeatable capability Audit Plan based on Management/stakeholder priorities |
IA operating budget IA business plan |
Managing within the IA activity |
Full access to the organisation’s information, assets & people Reporting relationships established |
5.3 In the compliance self-assessment, at the mixed-level maturity of between Level 2 and 3, it was found there is general conformance with many of the Standards, but there are also there are some areas of non-conformance or partial conformance. The attached report Key Areas of Non-Compliance and Improvement with Options for Corrective Actions (A236676) provides a summary of the key areas where improvements could achieve the greatest impact. There is clearly room to improve the proficiency, effectiveness, repeatability and quality of services in order to better meet some Standards.
5.4 The self-assessment identified that internal audit did not have access to some business records since the introduction and use of Office 365 applications. This has since been rectified.
5.5 It is worth noting that the increased use of data analytics for audits and other improved tools and risk controls will reduce the effort required by internal audit for many assignments. This will, over time, allow increased focus on advisory services - which is more closely aligned to Level 3 maturity, and is generally accepted best practice for an internal audit function in the local government context.
5.6 The Internal Audit Charter requires that an assessment of the internal audit activity is performed at least every five years. The next assessment would therefore be due by 2024/25. Given this is the first assessment, the next assessment is proposed for late 2021/22 or thereabouts.
6. Conformance with Code of Ethics
6.1 Internal auditors should be able to demonstrate conformance with the Code of Ethics for the International Professional Practice of Internal Auditing and this is achieved at Council.
Author: Lynn Anderson, Internal Audit Analyst
Attachments
Attachment 1: A2366767 - Internal Audit Quality Assurance - Self-Assessment 31 March 2020 ⇩