Notice of the Ordinary meeting of

Audit and Risk Subcommittee

Kōmiti Iti mō te Tātari Kaute me te Tūraru

 

 

Date:                     Tuesday 10 November 2020

Time:                     1.30p.m.

Location:                Council Chamber, Civic House

110 Trafalgar Street, Nelson

 

Agenda

Rārangi take

Chairperson                 Mr John Peters

Members                     Her Worship the Mayor Rachel Reese

Cr Judene Edgar

Mr John Murray

Cr Rachel Sanson

 

 

 

 

 

 

Quorum  3                                                 Pat Dougherty

Chief Executive

Nelson City Council Disclaimer

Please note that the contents of these Council and Committee agendas have yet to be considered by Council and officer recommendations may be altered or changed by the Council in the process of making the formal Council decision. For enquiries call (03) 5460436


Areas of Responsibility

·   Council’s Treasury policies

·   Council’s Annual Report

·   Audit processes and management of financial risk

·   Monitoring organisational risks, including debtors and legal proceedings

·   Internal audit

·   Health and Safety

·   Any matters raised by Audit New Zealand or the Office of the Auditor-General

Powers to Decide

·   None

Powers to Recommend to Governance and Finance Committee

·   To write off outstanding accounts receivable or remit fees and charges of amounts over the Chief Executive’s delegated authority

·   Any matters within the areas of responsibility or such other matters referred to it by the Council

Powers to Recommend to Council

·   Adoption of Council’s Annual Report

For the Terms of Reference for the Audit and Risk Subcommittee please refer to document A1437349.

 


Audit and Risk Subcommittee

10 November 2020

 

 


 

1.       Apologies

Nil

2.       Confirmation of Order of Business

3.       Interests

3.1      Updates to the Interests Register

3.2      Identify any conflicts of interest in the agenda

4.       Public Forum

5.       Confirmation of Minutes

5.1      17 September 2020

Document number M14135

Recommendation

That the Audit and Risk Subcommittee

1.    Confirms the minutes of the meeting of the Audit and Risk Subcommittee, held on 17 September 2020, as a true and correct record.

  

6.       Chairperson's Report  

7.       Key Organisational Risks Report - 01 July to 30 September 2020

Document number R19222

Recommendation

That the Audit and Risk Subcommittee

1.    Receives the report Key Organisational Risks Report - 01 July to 30 September 2020 (R19222) and its attachment (A2486951).

8.       Audit NZ - Audit Engagement Letter for the Long Term Plan 2021-31

Document number R21345

Recommendation

That the Audit and Risk Subcommittee

1.    Receives the report Audit NZ - Audit Engagement Letter for the Long Term Plan 2021-31 (R21345) and its attachment (A2479185); and

2.    Notes the Audit and Risk Subcommittee can provide feedback on the Audit Engagement Letter to Audit NZ if required and that the Mayor will sign the letter once the Subcommittee’s feedback (if any) has been incorporated.

 

9.       Health, Safety and Wellbeing Report, July to September 2020

Document number R21365

Recommendation

That the Audit and Risk Subcommittee

1.    Receives the report Health, Safety and Wellbeing Report, July to September 2020 (R21365) and its attachment (A2488389).

 

10.     Internal Audit - Quarterly Progress Report to 30 September 2020

Document number R21363

Recommendation

That the Audit and Risk Subcommittee

1.    Receives the report Internal Audit - Quarterly Progress Report to 30 September 2020 (R21363) and its attachment (A2483911).

 

 

11.     New and Outstanding Significant Risk Exposures and Control Issues Identified from Internal Audits - 30 September 2020

Document number R21364

Recommendation

That the Audit and Risk Subcommittee

1.    Receives the report New and Outstanding Significant Risk Exposures and Control Issues Identified from Internal Audits - 30 September 2020 (R21364) and its attachment (A2482497).

 

 

12.     Internal Audit Self-Assessment - 31 March 2020

Document number R18156

Recommendation

That the Audit and Risk Subcommittee

1.    Receives the report Internal Audit Self-Assessment - 31 March 2020 (R18156) and its attachment (A2366767).

 

       

CONFIDENTIAL Business

13.     Exclusion of the Public

Recommendation

That the Audit and Risk Subcommittee

1.       Excludes the public from the following parts of the proceedings of this meeting.

2.       The general subject of each matter to be considered while the public is excluded, the reason for passing this resolution in relation to each matter and the specific grounds under section 48(1) of the Local Government Official Information and Meetings Act 1987 for the passing of this resolution are as follows: 

 

Item | General subject of each matter to be considered | Reason for passing this resolution in relation to each matter | Particular interests protected (where applicable)
1 | Quarterly Update on Legal Proceedings | Section 48(1)(a): The public conduct of this matter would be likely to result in disclosure of information for which good reason exists under section 7 | The withholding of the information is necessary: Section 7(2)(g), to maintain legal professional privilege
2 | Quarterly Update On Debts - 30 September 2020 | Section 48(1)(a): The public conduct of this matter would be likely to result in disclosure of information for which good reason exists under section 7 | The withholding of the information is necessary: Section 7(2)(a), to protect the privacy of natural persons, including that of a deceased person; Section 7(2)(g), to maintain legal professional privilege

 

 

  


Audit and Risk Subcommittee Minutes - 17 September 2020

 

 

 

 

 

 

Minutes of a meeting of the Audit and Risk Subcommittee

Held in the Council Chamber, Civic House, 110 Trafalgar Street, Nelson

On Thursday 17 September 2020, commencing at 9.04a.m.

 

Present:             Mr J Peters (Chairperson), Her Worship the Mayor R Reese, Mr J Murray, J Edgar and R Sanson

In Attendance:    Councillors T Brand and B McGurk, Chief Executive (P Dougherty), Group Manager Corporate Services (N Harrison), Group Manager Strategy and Communications (N McDonald), Governance Adviser (E-J Ruthven) and Governance Support (K McLean)

Apologies:          Nil

 

1.       Apologies

There were no apologies.

2.       Confirmation of Order of Business

There was no change to the order of business.

3.       Interests

There were no updates to the Interests Register, and no interests with items on the agenda were declared.

4.       Public Forum 

There was no public forum.

5.       Confirmation of Minutes

5.1      11 August 2020

Document number M13044, agenda pages 6 - 14 refer.

 

Resolved AR/2020/044

 

That the Audit and Risk Subcommittee

1.    Confirms the minutes of the meeting of the Audit and Risk Subcommittee, held on 11 August 2020, as a true and correct record.

Murray/Edgar                                                                           Carried

6.       Chairperson's Report   

There was no Chairperson’s Report.

7.       Draft Annual Report 2019/20

Document number R18130, agenda pages 15 - 20 refer.

Group Manager Strategy and Communications, Nicky McDonald, presented the report. 

Ms McDonald noted that the reference to ‘Council Owned Companies’ on page 190 of the Annual Report should be updated to ‘Council Controlled Organisations’, and added that further changes may come via the audit process.

Ms McDonald, along with Group Manager Corporate Services, Nikki Harrison, and Manager Strategy, Mark Tregurtha, answered questions regarding:

·    The performance measures for, and audit processes of, the Council-Controlled Organisations and Council-Controlled Trading Organisations;

·    Audit NZ’s fees relating to the audit process;

·    The financial prudence benchmark, and whether an explanation of how this is measured could be included in the Annual Report;

·    How Council was tracking against the top four priorities for 2018-28;

·    Inclusion of the triennium priorities in the Annual Report, alongside the Long Term Plan priorities; and

·    The impact on Council as an organisation in collating the information required for inclusion in the Annual Report.

It was noted that the draft Annual Report 2019/20 would be audited, then presented to Council for adoption following audit, prior to 31 December 2020.

Resolved AR/2020/045

 

That the Audit, Risk and Finance Subcommittee

1.       Receives the report Draft Annual Report 2019/20 (R18130) and its attachment (A2461046).

Sanson/Edgar                                                                          Carried

 

8.       Health & Safety Governance Charter Review

Document number R14815, agenda pages 21 - 32 refer.

Health and Safety Adviser, Malcolm Hughes, presented the report.  He answered questions regarding elected member engagement with Council’s Health and Safety Committee, and elected member obligations with regards to site visits.

It was noted that changes would be made to the Health and Safety Charter to clarify the expectations of Elected Members with regards to their health and safety obligations through site visits and observation of the Health and Safety Committee meetings, and that it would be presented to the Governance and Finance Committee for approval, subject to signoff by the Chair of the Audit and Risk Subcommittee.

Resolved AR/2020/046

 

That the Audit and Risk Subcommittee

1.    Receives the report Health & Safety Governance Charter Review (R14815) and its attachment (A2288754).

Murray/Edgar                                                                           Carried

Recommendation to Governance and Finance Committee AR/2020/047

 

That the Governance and Finance Committee

1.    Approves the revised Health and Safety Governance Charter (A2288754), subject to signoff by the Chair of the Audit and Risk Subcommittee.

Edgar/Sanson                                                                          Carried

       

9.       Exclusion of the Public

Resolved AR/2020/048

 

That the Audit and Risk Subcommittee

1.    Excludes the public from the following parts of the proceedings of this meeting.

2.    The general subject of each matter to be considered while the public is excluded, the reason for passing this resolution in relation to each matter and the specific grounds under section 48(1) of the Local Government Official Information and Meetings Act 1987 for the passing of this resolution are as follows:

Edgar/Sanson                                                                          Carried

 

Item | General subject of each matter to be considered | Reason for passing this resolution in relation to each matter | Particular interests protected (where applicable)
1 | Audit and Risk Subcommittee Meeting - Public Excluded Minutes - 11 August 2020 | Section 48(1)(a): The public conduct of this matter would be likely to result in disclosure of information for which good reason exists under section 7. | The withholding of the information is necessary: Section 7(2)(a), to protect the privacy of natural persons, including that of a deceased person; Section 7(2)(g), to maintain legal professional privilege

The meeting went into confidential session at 9.54a.m. and resumed in public session at 9.55a.m.

The only business transacted in confidential session was to confirm the minutes. In accordance with the Local Government Official Information and Meetings Act, no reason for withholding this information from the public exists; therefore this business has been recorded in the open minutes.

10.     Confirmation of Confidential Minutes – 11 August 2020

Resolved AR/2020/049

 

That the Audit and Risk Subcommittee

1.    Confirms the minutes of part of the meeting of the Audit and Risk Subcommittee, held with the public excluded on 11 August 2020, as a true and correct record.

Murray/Sanson                                                                         Carried

11.     Re-admittance of the Public

Resolved AR/2020/050

 

That the Audit and Risk Subcommittee

1.    Re-admits the public to the meeting.

 

Edgar/Sanson                                                                          Carried

 

 

 

There being no further business the meeting ended at 9.55a.m.

 

Confirmed as a correct record of proceedings:

 

 

 

                                                   Chairperson              Date

        

 


 

Item 7: Key Organisational Risks Report - 01 July to 30 September 2020

 

Audit and Risk Subcommittee

10 November 2020

 

 

REPORT R19222

Key Organisational Risks Report - 01 July to 30 September 2020

     

 

1.       Purpose of Report

1.1      To provide information to the Audit and Risk Subcommittee on the key organisational risks through to end of quarter one 2020-21.   

 

 

 

2.       Recommendation

That the Audit and Risk Subcommittee

1.    Receives the report Key Organisational Risks Report - 01 July to 30 September 2020 (R19222) and its attachment (A2486951).

 

3.       Background

3.1      This report includes information on risks to achieving Council’s priorities for the Long Term Plan 2018-28 (section 5), and the key organisational risks that could impact Council’s wider ability to deliver core functions and services (section 6).  Risks related to specific assets, activities, or projects, are reported on a quarterly basis to the relevant Committee, and any significant items are summarised at section 7 of this report.  In addition, section 7 provides a brief summary from each Group Manager on emerging risks for their areas of responsibility.  

3.2      The attachment to this report describes each risk in more detail, its existing controls and planned risk treatments. 

4.       Risk Management Practice

4.1      Further configuration of the risk management software was completed during quarter one 2020-21.  Final testing of the configuration is scheduled for quarter two, with the implementation to follow.  The target is to transition all business unit risks rated high and above by end of December 2020.  The focus for quarters three and four will be to transition all medium and low rated risks, work on embedding use of the module to support risk management activity, and decommission the existing set of risk registers.  Post-project, a benefits realisation assessment will be reported to the Group Manager Corporate Services.

4.2      During quarter one, a risk identification workshop was held with a small group of managers, with a focus on Council’s ability to achieve its key responsibilities.  The main risk areas identified relate to climate change impact, and factors that may affect rates revenue.  A draft set of organisational level risks will be discussed by the Senior Leadership Team during quarter two.

4.3      A risk management maturity benchmarking self-assessment was completed during quarter one, and the results have been reported to the Group Manager Corporate Services.  Overall, Council was assessed at maturity level two, which is the MBIE recommended minimum maturity level for an organisation of Council’s size and scope of deliverables. 

 

Maturity Level Two – Summary

Basic risk management practices are documented but there is a lack of detailed guidance and risk management practices are not consistently applied across all business units.  Senior business leaders have a high level appreciation of the value of enterprise risk management and promote its adoption.  There is some use of evidence-based data to support risk informed decision making and provide assurance that risks are being managed effectively.  As a result, overall business performance is somewhat determined by 'chance' and may vary from expected outcomes.

Extracted from the MBIE All of Government enterprise risk maturity assessment framework

There were some elements of maturity level three, and a small number of areas where Council is only partially achieving maturity level two.  The gaps will be addressed over the coming year, with the aim of consolidating and strengthening the organisation’s risk management practice at maturity level two.  The next risk management maturity benchmarking self-assessment will be scheduled for completion during quarter one 2021-22, with consideration of a target maturity level by end of quarter two 2021-22. 

5.       Risks to Achieving Council Long Term Plan Top Priorities

5.1      Updated information to the end of quarter one is summarised below, with further detail on the risk areas, their controls and treatments set out in attachment one. 

5.2      Priority area Infrastructure (Risk 1).  There have been no reported exceptions to the risk controls.  Treatments are being incorporated into the relevant draft Activity Management Plans (AMPs) being presented to Council during quarter two 2020-21.  The overall consequences and likelihood for this priority area were reviewed with managers from the Infrastructure Group, resulting in some amendments and updates to risk controls.  The risk rating remains at High, with no risk movement to report during quarter one 2020-21.

5.3      Priority area Environment (Risk 2).  The residual risk rating remains at High, with no risk movement during quarter one 2020-21.

5.4      Priority area City Centre Development (Risk 3).  The residual risk rating remains at Medium, with no risk movement during quarter one 2020-21. 

5.5      Priority area Lifting Council Performance (Risk 4).  Planned treatments continue to progress in most areas.  Improvements to procurement processes have been implemented, and are intended to increase officer efficiency in procuring goods and services, and for suppliers, to reduce the time investment needed when submitting proposals for Council work.  The risk rating remains at Medium, with no risk movement during quarter one 2020-21.

6.       Key Organisational risks

6.1      At the end of quarter one, the known key risk areas for the four Long Term Plan top priorities, and nine key organisational risks, are as summarised in the heat map, and table below.  Updates are provided below for the nine key organisational risk areas, with further detail in attachment one.

 

ID | Risk Area | Rating | Owner
1 | Council priority area: Infrastructure | High | Group Manager Infrastructure
2 | Council priority area: Environment | High | Group Manager Environmental Management
3 | Council priority area: City Centre Development | Medium | Chief Executive
4 | Council priority area: Lift Council Performance | Medium | Chief Executive
5 | Lifeline service failure from natural hazards and similar events | High | Group Manager Infrastructure
6 | Illness, injury or stress from higher hazard work situations | Medium | Group Manager Corporate Services
7 | Loss of service performance from ineffective contracts and contract management | Medium | Chief Executive
8 | Compromise of Council service delivery from information technology failures | Low | Group Manager Corporate Services
9 | Compromised decision making and public information from incomplete and difficult to access records | Medium | Group Manager Strategy and Communications
10 | Council work compromised by loss of and difficulties in replacing skilled staff | Medium | Manager People and Capability
11 | Legal liability and reputation loss from inadequate consideration of the law in decision making | Medium | Group Manager Strategy and Communications
12 | Loss of public trust in the organisation | Medium | Group Manager Strategy and Communications
13 | Disruption to Council service delivery due to significant increase in COVID-19 cases | Medium | Chief Executive

 

6.2      Lifeline service failure from natural hazards and similar events (Risk 5).  The overall risk profile was reviewed during quarter one with managers from the Infrastructure Group, who have proposed that more granularity of the risk area will result in better oversight of the risk controls and treatments.  This will be explored further through discussion with the Senior Leadership Team as per paragraph 4.2 of this report.  The risk rating remains at High, with no risk movement to report during quarter one 2020-21.

6.3      Illness, injury or stress from higher hazard work situations (Risk 6).  The outstanding treatment is due for completion in December 2020; as such there was no risk movement during quarter one 2020-21, and so the overall risk rating remains at Medium.

6.4      Loss of service performance from ineffective contracts and contract management (Risk 7).  A feasible solution for the contract management system has been identified, and the business case has been approved.  Implementation of the contract management system is scheduled to begin during quarter two, and once complete, will be a significant step towards improved visibility of contracts and a reduction in contractual risk.  The risk rating remains at Medium, with no risk movement to report during quarter one 2020-21.     

6.5      Compromise of Council service delivery from information technology failures (Risk 8).   The implementation of multi-factor authentication technology was completed during quarter one.  This adds an additional layer of cyber security, to help prevent successful cyber-attacks on Council’s systems.  Controls in place are considered effective to maintain the risk rating at Low, and as such no further risk treatments are currently planned.  Control effectiveness and the overall risk profile will continue to be monitored and periodically reviewed.  The risk rating remains at Low, with no risk movement to report during quarter one 2020-21. 

6.6      Compromised decision making and public information from incomplete and difficult to access records (Risk 9).  This risk area will require further detailed review in light of the findings from the recent Information Management Maturity audit.  Consideration is being given to the feasibility of consolidating the electronic document and records management system with the current cloud-based Office 365 technology.  Options will be explored through the business case process, to be initiated during quarter two.  The risk rating remains at Medium, with no risk movement during quarter one 2020-21.

 

6.7      Council work compromised by loss of and difficulties in replacing skilled staff (Risk 10).  Council continues to receive a healthy volume of applications for non-specialist roles, and this is providing reasonable continuity of service delivery.  Staff turnover has decreased over the last few years; however, the level of short and fixed term recruitment is impacting capacity in the People and Capability team, and so the recruitment programme is being scheduled at a viable pace.  Current staff turnover levels have been generally steady within the expected target range.  Given the nationwide constraints in highly specialised skills, the Medium risk rating remains tolerable, with no risk movement during quarter one 2020-21.

 

6.8      Legal liability and reputation loss from inadequate consideration of the law in decision making (Risk 11).  There are no changes to existing controls or treatments to report.  The risk owner remains satisfied that the residual risk is at a tolerable level.  The risk rating remains at Medium, with no risk movement during quarter one 2020-21.

6.9      Loss of public trust in the organisation (Risk 12).  The risk owner remains satisfied that the residual risk is at a tolerable level.  The risk rating remains at Medium, with no risk movement during quarter one 2020-21.

6.10    Disruption to Council service delivery due to significant increase in COVID-19 cases (Risk 13).  A COVID-19 response readiness group was established during quarter one 2020-21.  The group meets on a fortnightly basis with a remit to identify and assign actions that will increase Council’s readiness to respond to an escalation in COVID-19 alert levels, and to ensure controls for the current alert level are effective.  The risk rating is Medium, with no risk movement during quarter one 2020-21. 

7.       Risk Areas for Each Group

7.1      General:  Some staff are experiencing increased stress and heightened levels of anxiety associated with the ongoing COVID-19 pandemic.  Whilst this is not affecting all staff, the impact is being seen in most parts of the organisation.

7.2      Infrastructure Group:  The streamlined exception to our procurement policy approach for construction projects has been extended to remain in place through to the end of June 2022.  The aim of this extension is to provide greater surety of work for the local construction sector to aid regional economic recovery following the impact of the ongoing COVID-19 pandemic that has affected all local companies.  Pricing for construction work is not showing a significant increase at this stage, and combined with the streamlined procurement approach, the use of an “open book” process is helping to mitigate cost risks at the contract award stage.

7.3      Community Services Group:  Risk to viability of events provided by Council or held at Council venues from changes in COVID-19 alert levels, with consequences for revenue or grant funding.  The ability of some community groups or organisations to pay leases, fees or loan repayments is being affected due to impacts from COVID-19. 

7.4      Environmental Management Group:  No new emerging risks to report at this time. 

7.5      Strategy and Communications Group:  The disruption caused by COVID-19 is becoming more evident in terms of the impact on the Group’s programme of work.  Multiple staff are recovering additional time accrued for COVID-19 related work undertaken during the level three and four lockdowns.  The effect on the work programme is compounded by business as usual activities and projects that were delayed, that are now being re-established.  Personal impacts of the pandemic are also causing ongoing stress for some staff.  The size and scope of the Group’s programme of work is being reviewed and may need to be adjusted.  

7.6      Corporate Services Group:  No new emerging risks to report at this time.

 

 

Author:          Arlene Akhlaq, Manager Business Improvement

Attachments

Attachment 1:   A2486951 - Key organisational risks report Quarter 1 -  July to September 2020

   


Item 7: Key Organisational Risks Report - 01 July to 30 September 2020: Attachment 1


 




 

Item 8: Audit NZ - Audit Engagement Letter for the Long Term Plan 2021-31

 

Audit and Risk Subcommittee

10 November 2020

 

 

REPORT R21345

Audit NZ - Audit Engagement Letter for the Long Term Plan 2021-31

     

 

1.       Purpose of Report

1.1      To provide the subcommittee with the Audit Engagement Letter for the audit of the consultation document and Long Term Plan 2021-31 and ask for any feedback before the letter is signed by the Mayor.

 

 

 

2.       Recommendation

That the Audit and Risk Subcommittee

1.    Receives the report Audit NZ - Audit Engagement Letter for the Long Term Plan 2021-31 (R21345) and its attachment (A2479185); and

2.    Notes the Audit and Risk Subcommittee can provide feedback on the Audit Engagement Letter to Audit NZ if required and that the Mayor will sign the letter once the Subcommittee’s feedback (if any) has been incorporated.

 

 

3.       Background

3.1      The Audit Engagement Letter (Attachment 1: A2479186) relates to the audit of the Long Term Plan (LTP) 2021 – 31 and the consultation document.

3.2      The letter sets out the terms of the audit engagement and the respective responsibilities of Council and Audit New Zealand. The letter also outlines the audit scope and objectives, the approach taken to complete the audit, the areas of audit emphasis, the audit logistics and the professional fees.

3.3      Audit NZ has indicated that COVID-19 will be a particular area of focus for this LTP audit and that it will pay more attention to the assumptions that Council has made on climate change.

3.4      The letter is to be signed by the Mayor to confirm the details of the audit match Council’s understanding of the arrangements.

4.       Conclusion

4.1      Subcommittee members can provide feedback for Audit NZ prior to the letter being signed.

 

 

Author:          Nikki Harrison, Group Manager Corporate Services

Attachments

Attachment 1:   Audit NZ Engagement Letter for the LTP 2021-31 (A2479185)

   


Item 8: Audit NZ - Audit Engagement Letter for the Long Term Plan 2021-31: Attachment 1



 

Item 9: Health, Safety and Wellbeing Report, July to September 2020

 

Audit and Risk Subcommittee

10 November 2020

 

 

REPORT R21365

Health, Safety and Wellbeing Report, July to September 2020

     

 

1.       Purpose of Report

1.1      To provide the subcommittee with a report on health, safety and wellbeing data collected over the period July to September 2020.

To update the subcommittee on key health and safety risks, including controls and treatments.

 

 

2.       Summary

2.1      A notable incident for this period was a bus driver assaulted by a passenger after being asked to wear a mask.

2.2      Data on the COVID-19 response is included in the wellbeing section of the attachment and covers the period at alert level two during August and September.

2.3      There has been no change in the assessed risk ratings of key health and safety risks since the previous report.

3.       Recommendation

That the Audit and Risk Subcommittee

1.    Receives the report Health, Safety and Wellbeing Report, July to September 2020 (R21365) and its attachment (A2488389).

 

 

4.       Background

4.1      Elected members, as ‘Officers’ under the Health and Safety at Work Act 2015 (HSWA), are required to undertake due diligence on health and safety matters. Council’s Health and Safety Governance Charter states that Council will receive quarterly reports regarding the implementation of health and safety.  Council has delegated the responsibility for health and safety to the Audit and Risk Subcommittee.

4.2      Health, safety and wellbeing performance data reports provide an overview based on key lead and lag indicators. Where a concerning trend is identified more detail is provided in order to better understand issues and implement appropriate controls.

4.3      Reporting on key health and safety risks provides further depth and detail to the health and safety risks reported in the organisational risk report.

5.       Discussion

Incidents of note

5.1      A contractor at York Valley Landfill experienced a serious medical event while working and has since returned to work.

5.2      Two significant near miss incidents have been reported by contractors for this period. In August an electrician working at a pump station received an electric shock and was checked at hospital as a precaution. Remedial work has been identified to be carried out in all similar situations to prevent a reoccurrence. In September a motorist ignored the stop paddle at a worksite on a road and continued through. No issues were identified with the temporary traffic management at this site. Ensuring effective temporary traffic management by contractors and others working in the road corridor is an ongoing challenge and area of focus for council officers.

5.3      Overcrowding in the foyer of the Council Chamber for a public forum on the first day of the return to alert level one caused some concern. The investigation identified the need for more information regarding the meeting risk assessment to be provided to the security contractor in advance.

Security Incidents

5.4      In one significant security incident, a bus driver was verbally abused and shoved by a passenger after requesting that the passenger wear a mask, as was required during alert level two.

5.5      Several of the security incidents reported at CSC and libraries related to customers refusing to comply with contact tracing requirements.

Lead Indicators

5.6      Hazard near miss and incident data in the attachment shows an improvement over the previous reporting periods. Improving hazard and near miss reporting will remain a focus.

5.7      Low numbers of workstation assessments reported will be addressed by a review of the process for requesting, providing and recording workstation assessments. An objective of increasing the number of workstation assessments completed has an expected outcome of reducing the likelihood of pain and injury occurring.

Safe Driving

5.8      ERoad in-vehicle monitoring data continues to show a decrease in the rate of over speed events, and no individual drivers had a concerning number of over speed events during this period.

5.9      When the ERoad system was first implemented in 2016 the rate of over speed events was close to 2 per 100km travelled; this is now down to about 0.5 events per 100km.

Staff Wellbeing

5.10    The annual ‘Ask Your Team’ staff survey was completed during this period by 76% of staff invited to participate. Health, safety and wellbeing questions in the survey were some of the highest scoring and results were not significantly different from previous years. Results of this survey will be reported in more detail to the Chief Executive Employment Committee.

5.11    Sick leave data continues to show fewer days taken than the same months in previous years. A decrease in respiratory illness circulating in the general population and Council staff due to COVID-19 controls and the increased working from home have been identified as the cause of this. Ministry of Health data from its weekly flu-tracking survey shows that influenza-like symptoms reported nationally are also considerably lower than previous years.

Contractor Health and Safety

5.12    A significant increase in safe work observations (SWOs) or contractor monitoring reported can be attributed to the large number of active projects during this period.

Due Diligence Activities

5.13    Five Councillors attended two safe work observations or safety tours during this period with two councillors attending both.

5.14    The Audit and Risk Subcommittee received a reviewed Health and Safety Governance Charter.

Key Health and Safety Risk Update

5.15    All of Council’s key health and safety risks are assessed to remain as medium risks.

5.16    Where new treatments have been planned or have been implemented as controls since the last report this is indicated by red text in the attachment.

5.17    Where possible timeframes are indicated for treatments.

 

 

 

Author:          Malcolm Hughes, Health and Safety Adviser

Attachments

Attachment 1:   Health, Safety and Wellbeing Report - July-Sept 2020 (A2488389)

   


Item 9: Health, Safety and Wellbeing Report, July to September 2020: Attachment 1



 

Item 10: Internal Audit - Quarterly Progress Report to 30 September 2020

 

Audit and Risk Subcommittee

10 November 2020

 

 

REPORT R21363

Internal Audit - Quarterly Progress Report to 30 September 2020

     

 

1.       Purpose of Report

1.1      To update the Audit and Risk Subcommittee on the internal audit activity for the quarter to 30 September 2020.

 

 

 

2.       Background

2.1      Under Council’s Internal Audit Charter approved by Council on 15 November 2018, the Audit and Risk Subcommittee requires a periodic update on the progress of internal audit activities relative to any current Internal Audit Plan approved by Council.

2.2      The current Internal Audit Plan (the Plan) for the year to 30 June 2021 was approved by the Governance and Finance Committee on 27 August 2020. The Plan provides for two planned audits, with an allowance for a further four unplanned audits. As well, it provides for a contribution towards a data analytics business improvement work programme and further development of the contracts management system.

3.       Recommendation

That the Audit and Risk Subcommittee

1.    Receives the report Internal Audit - Quarterly Progress Report to 30 September 2020 (R21363) and its attachment (A2483911).

 

 

4.       Overview of Progress and of Related Internal Audit Activities

4.1      During the quarter the final audit for 2019-2020, Information Management Maturity, and the first of the two planned audits for 2020-2021 were completed. The latter is currently with management and will be reported on next quarter.

4.2      There has also been good progress on the other business improvement topics included in this year’s and last year’s Plans. The most recent updates are in the attachment (A2483911) Progress of Internal Audits to 30 September 2020.

4.3      While not part of the Plan, we can report that 50 staff have completed or partially completed the new online version of fraud awareness and conflicts of interest training during the period from 5 August 2020 (when it went live) to 30 September 2020. This represents 27% of total invites during that period. Staff are asked to complete within one month of receiving their invitation, and while the number of completions does not appear high, most were for newer staff. A significant proportion of longer serving staff had previously completed similar training in person and, given their competing priorities, we are exercising more flexibility with the requirement for this group to complete the new training within one month. Attendance is being managed by Business Improvement.

4.4      Also outside the Plan, testing of existing internal controls relating to the high (inherent) fraud risks identified in last year’s Fraud Risk Assessment is underway and will be completed by the end of Q2 2020-21.

 

Author:          Lynn Anderson, Internal Audit Analyst

Attachments

Attachment 1:   A2483911 - Quarterly Progress Report to 30 September 2020

   


Item 10: Internal Audit - Quarterly Progress Report to 30 September 2020: Attachment 1



 

Item 11: New and Outstanding Significant Risk Exposures and Control Issues Identified from Internal Audits - 30 September 2020

 

Audit and Risk Subcommittee

10 November 2020

 

 

REPORT R21364

New and Outstanding Significant Risk Exposures and Control Issues Identified from Internal Audits - 30 September 2020

     

 

1.       Purpose of Report

1.1      To update the Subcommittee on new or outstanding risk exposures following internal audits included in any Internal Audit Plan to 30 June 2021.

 

 

 

2.       Recommendation

That the Audit and Risk Subcommittee

1.    Receives the report New and Outstanding Significant Risk Exposures and Control Issues Identified from Internal Audits - 30 September 2020 (R21364) and its attachment (A2482497).

 

 

3.       Background

3.1      Under section 9.1 of the Internal Audit Charter, the Audit and Risk Subcommittee and the Governance and Finance Committee are to be informed of internal audit results where appropriate.

3.2      Under section 9.4, the Audit and Risk Subcommittee requires a periodic update of any significant risk exposures and control issues identified from internal audits completed.

4.       Summary

4.1      The attachment (A2482497), New and Outstanding Significant Risk Exposures and Control Issues Identified from Internal Audits, shows progress relating to four high risks outstanding from the previous report presented to the Audit and Risk Subcommittee meeting of 11 August 2020.

4.2      There are also two new high risks from the Information Management Maturity audit to report. Since the report was finalised, the Records and Archives, IT, and Business Improvement teams have been working to mitigate these high risks. In particular they will: a) gain a better understanding of the risks associated with new cloud-based systems; b) with senior management, revisit Council’s recordkeeping vision, strategy and related policy to establish whether they best meet business needs; c) align the storage of records in systems outside Objective with Council’s records management framework; and d) complete the information asset register for high value/risk records which commenced in 2019.

4.3      Details of progress in Quarter 1 2020-2021 are shown in red for each action which was previously included in the report to 30 June 2020.

 

 

Author:          Lynn Anderson, Internal Audit Analyst

Attachments

Attachment 1:   A2482497 - New and Outstanding Significant Risk Exposures identified from Internal Audits

   


Item 11: New and Outstanding Significant Risk Exposures and Control Issues Identified from Internal Audits - 30 September 2020: Attachment 1



 

Item 12: Internal Audit Self-Assessment - 31 March 2020

 

Audit and Risk Subcommittee

10 November 2020

 

 

REPORT R18156

Internal Audit Self-Assessment - 31 March 2020

     

 

1.       Purpose of Report

1.1      To provide the Audit and Risk Subcommittee with information from the first formal self-assessment undertaken since the internal audit activity was first established in September 2015 (and the first Internal Audit Annual Plan approved by Council on 15 October 2015).

 

 

2.       Summary

2.1      An internal audit self-assessment has found an overall level of maturity of Level 2, with elements of Level 3. Increased use of data analytics will assist with moving the organisation to Level 3.

2.2      The likely timing for the next self-assessment is 2021/22.

3.       Recommendation

That the Audit and Risk Subcommittee

1.    Receives the report Internal Audit Self-Assessment - 31 March 2020 (R18156) and its attachment (A2366767).

 

 

4.       Background

4.1      The Internal Audit Charter (clauses 10.1 & 10.2) requires that the internal audit activity maintains a quality assurance and improvement programme which includes an evaluation of conformance with the Definition of Internal Auditing and the International Standards for the Professional Practice of Internal Auditing (Standards). Internal audit is to communicate to the Senior Leadership Team and Audit and Risk Subcommittee on matters relating to this programme, including the results of internal and external assessments.

4.2      While one purpose of the assessments is to assess conformance, the other is to help drive improvements to internal audit capability so that it can achieve Council’s objectives for the function.

5.       Conformance with Standards and Areas for Improvement

5.1      Internal auditors are required to comply with the Institute of Internal Auditors Standards. The self-assessment found there is general compliance with many of the Standards. In its guidance, the Institute of Internal Auditors indicates that the degree of conformance with the Standards should be realistic in order to be useful in each unique circumstance. To determine that ‘realistic conformance’ in Council’s context, it is firstly necessary to understand the level of maturity of its internal audit function.

5.2      The Institute of Internal Auditors suggests that Level 3 maturity is appropriate for many internal audit functions in local government organisations. Council’s internal audit function is not far removed from this maturity level at Level 2, with elements of Level 3.

[Note, in the extract from the Internal Audit Maturity Model for the Public Sector matrix shown below, the yellow highlighted elements indicate Council’s current maturity, while those highlighted grey reflect partial maturity.]


 

Columns: Overall Maturity Level; Services & Role of IA; People Management; Professional Practices; Performance Management & Accountability; Organisational Relationship & Culture; Governance Structures

Level 3 – Integrated

·   Advisory services

·   Performance/value-for-money audits

·   IA evolves from conducting only traditional IA to integrating as a team player and providing advice on performance and management of risks

·   Focus is on team building & competency, and its independence and objectivity

·   Professional qualified staff

·   Quality management framework in place

·   Generally conforms to the Standards

·   IA policies, processes, and procedures are defined, documented and integrated into each other and the organisation’s infrastructure

·   Risk-based audit plans

·   Performance measures developed

·   Cost information available and utilised

·   IA management reports produced

·   Co-ordination with other review groups

·   Integral component of Management Team

·   Management oversight of the IA activity

·   Funding mechanisms

Level 2 - Infrastructure

·   Compliance auditing

·   Audit based principally on management priorities

·   Individual professional development

·   Skilled people identified & recruited

·   Professional practices & processes framework established

·   Partial conformance with the Standards

·   Key challenge for Level 2 is how to establish and maintain repeatability of processes and thus a repeatable capability

·   Audit Plan based on Management/stakeholder priorities

·   IA operating budget

·   IA business plan

·   Managing within the IA activity

·   Full access to the organisation’s information, assets & people

·   Reporting relationships established

 

 


 

5.3      In the compliance self-assessment, at the mixed-level maturity of between Level 2 and 3, it was found there is general conformance with many of the Standards, but there are also some areas of non-conformance or partial conformance. The attached report Key Areas of Non-Compliance and Improvement with Options for Corrective Actions (A236676) provides a summary of the key areas where improvements could achieve the greatest impact. There is clearly room to improve the proficiency, effectiveness, repeatability and quality of services in order to better meet some Standards.

5.4      The self-assessment identified that internal audit did not have access to some business records since the introduction and use of Office 365 applications. This has since been rectified.  

5.5      It is worth noting that the increased use of data analytics for audits and other improved tools and risk controls will reduce the effort required by internal audit for many assignments. This will, over time, allow increased focus on advisory services - which is more closely aligned to Level 3 maturity, and is generally accepted best practice for an internal audit function in the local government context.

5.6      The Internal Audit Charter requires that an assessment of the internal audit activity is performed at least every five years. The next assessment would therefore be due by 2024/25. Given this is the first assessment, the next assessment is proposed for late 2021/22 or thereabouts.

6.       Conformance with Code of Ethics 

6.1      Internal auditors should be able to demonstrate conformance with the Code of Ethics for the International Professional Practice of Internal Auditing and this is achieved at Council.

 

Author:          Lynn Anderson, Internal Audit Analyst

Attachments

Attachment 1:   A2366767 - Internal Audit Quality Assurance - Self-Assessment 31 March 2020

   


Item 12: Internal Audit Self-Assessment - 31 March 2020: Attachment 1
