AUDIT COMMITTEE MEETING 21 NOVEMBER, 2019
ITEM-4 OLG DRAFT DISCUSSION PAPER: A NEW RISK
Written submissions are invited by 31 December 2019.
Feedback received will be considered by the OLG when finalising the new risk management and internal audit framework.
BACKGROUND
As outlined in the Minister's Foreword (page 2 of the Discussion Paper), the OLG has recognised:
Risk is inevitable in any organisation, including local councils. If a council can identify its risks and how they are caused, it is more likely to succeed in managing these risks and achieving its community objectives.
Internal audit is a globally accepted mechanism for ensuring that an organisation has good governance and is managing its risks successfully.
In 2016, the NSW Government made it a requirement under the Local Government Act 1993 that each council have an Audit, Risk and Improvement Committee in place (effective from March 2021). Councils are also required to proactively manage any risks they face under the new guiding principles of the Act.
The government has since been working to develop the regulatory framework that will support the operation of these committees, and the establishment of a risk management framework and internal audit function in each council. This discussion paper details the regulatory requirements and operational framework being proposed.
There will be nine core requirements that councils will be required to comply with when establishing their Audit, Risk and Improvement Committee, risk management framework and internal audit function. These requirements are based on international standards and the experience of Australian and NSW Government public sector agencies who have implemented risk management and internal audit. Most importantly, they reflect the unique needs, structure and resources of NSW local government.
REPORT
The purpose of the discussion paper is to propose how councils should establish and implement:
an Audit, Risk and Improvement Committee (ARIC) as a third line of defence to continuously review and provide independent advice and assurance on council’s first and second lines of defence (s 428A of the Act);
A risk management framework or ERM (which is ISO 31000:2018* compliant) and internal audit function (satisfy the requirements of the IPPF**) to support the work of the Committee; and,
An internal audit function which provides independent assurance that the Council's 1st and 2nd lines of defence are appropriate and working effectively to support the work of the Committee.
The OLG acknowledges in the discussion paper that Councils are at different stages with respect to the establishment and implementation of these governance structures and has proposed the following implementation dates to ensure consistency (page 26 of the paper):
In response to the release of the discussion paper, a gap analysis has been performed which indicates how the current practices in THSC compare to the requirements in the draft discussion paper. The detailed analysis is at Attachment 1, but a summary of the gap analysis indicates:
Function: ARIC
Status: Not in place.
OLG Deadline: March 2021. Full review responsibilities by 2026.
Detail: Council has an Audit Committee which does not satisfy the requirements of the ARIC as outlined in the discussion paper.
Function: Risk Management
Status: Currently implementing ISO 31000:2018.
OLG Deadline: December 2022 – December 2024
Detail: Council's ERM practices were independently reviewed against the relevant standard in 2017, resulting in 25 recommendations. The results of this review and the current actions being undertaken to implement ISO 31000:2018 were reported to the AC in May 2019. Currently 23 of the recommendations have been addressed.
Function: Internal Audit
Status: Internal Audit has been in place since 2005. Best practice concerning the IPPF standards is currently being implemented.
OLG Deadline: December 2022
Detail: In November 2018 the Council's Internal Audit practices were independently reviewed by the IIA against the IPPF standards. This was reported to the AC in November 2018. The function was assessed as operating professionally and generally conforms to the international internal audit standards – this is the highest rating that can be achieved. Overall the maturity was assessed as ‘managed’. It was identified that there was an opportunity to quickly move to ‘optimising’. The review resulted in 11 recommendations. Currently 5 of these recommendations have been implemented.
As outlined, Council’s internal audit function and risk management practices satisfy the majority of requirements identified in the discussion paper and the timeframes identified in the paper are substantially already met. The major impact of the requirements will be to the functions and structure of the Council’s Audit Committee, namely:
Renaming the Audit Committee to be an Audit Risk and Improvement Committee in line with the Act;
Expanding the Committee’s review responsibilities to all of the 10 requirements outlined in s428A of the Act over the period from March 2021 to 2026 (currently 2 are reviewed by the Audit Committee);
Revising the Audit Charter to reflect the model terms of reference (when released);
Modifying the format, location and administration concerning the meeting’s activities;
Reducing the number of members (recommended between 3 and 5);
Councillor participation on the Committee will cease (including the Mayor). The Committee is to be made up of independent members only;
Independent members are to be selected from a prequalification scheme, satisfy the definition of ‘independent’ and be paid;
The Committee will be subject to an external assessment once each Council term.
Each year a self-assessment will be undertaken.
The benefits identified by the OLG of the implementation of the discussion paper’s requirements are:
Expansion of the Audit Committee’s ‘review’ responsibilities allowing the management of relevant and timely independent advice to the Council on all of the Council’s governance requirements outlined in the Act;
Independence in oversight and decision making;
With the implementation of the core requirements, Council’s Audit Committee, risk management and internal audit practices will satisfy the relevant international standards, reflecting best practice in the NSW Government public sector and better practice in the private sector;
Increased likelihood that councils achieve their strategic objectives in the most efficient, effective and economical manner. The OLG has also recognised that a strong and effective risk management and internal audit framework will result in better services for the community, reduced opportunities for fraud and corruption, increased accountability of councils to their communities and a culture of continuous improvement in councils.
Addresses the concerns raised by the NSW Audit Office and the ICAC in Operation Ricco (Botany Bay Council).
Note:
*ISO 31000:2018 refers to the International Standard on Risk Management.
**IPPF refers to the International Professional Practices Framework developed by the IIA.