RECOMMENDATION

3. A New Risk Management and Internal Audit Framework for Local Councils in NSW (106 pages)

AUDIT COMMITTEE MEETING 21 NOVEMBER, 2019

The implementation of the requirements of the paper should strengthen the Councils governance structure, and will ensure that the Councils Risk Management, Internal Audit and Audit Committee practices reflect best practice.

The impact of the discussion paper are summarised in this report and detailed at Attachment 1.

IMPACTS Financial

If the current requirements of the discussion paper are implemented, the payment of the independent members of the Committee and associated compliance costs will have a direct financial effect on budget estimates. This impact will vary dependent on the number of independent members that the Council elect be on the Committee. It is estimated (based on figures indicated in the report), that the direct costs of the Committee will range between

$30,000 (3 members) and $43,000 (5 members). Direct compliance costs are estimated at

$10,000 per year.

Strategic Plan - Hills Future

The implementation of the requirements of the discussion paper will result in a significant extension of the current responsibilities of the Councils Audit Committee allowing the management of relevant and timely independent advice to the Council on all of the Councils governance requirements outlined in the Act. This should ensure that Councils achieve their strategic objectives in the most efficient, effective and economical manner.

A strong and effective risk management and internal audit framework reflecting the

requirements of the discussion paper will result in better services for the community, reduced

opportunities for fraud and corruption, increased accountability of councils to their communities

and a culture of continuous improvement in councils.

AUDIT COMMITTEE MEETING 21 NOVEMBER 2019

Attachment 1 DETAILED GAP ANALYSIS: Comparison of Core Requirements identified in the OLG Discussion paper and Councils current practices. Link: https://www.olg.nsw.gov.au/sites/default/files/A%20new%20risk%20management%20and%20internal%20audit%20framework%20for%20local%20councils%20in%20NSW%20- %20discussion%20paper.pdf No.OLG Proposed RequirementTHSC CompliantProposed Response to Discussion PaperEstimated Additional CostComment/Discussion Core Requirement 1: Appoint an independent Audit, Risk & Improvement Committee. Proposed Implementation Date –By March 2021 1aEach council is to have an independent Audit, Risk and ImprovementCommitteethatreviews allthemattersprescribedinsection428Aofthe LocalGovernment Act

NARIC Charter and LG Act responsibilities will need to be adopted by Council. 1b The Audit, Risk and Improvement Committee is to operate according to terms of reference, based on a modeltermsof reference,andapprovedbythegoverning bodyofthecouncilafterendorsementbythe Committee. The Model Terms of Reference will require each Audit, Risk and Improvement Committee’s terms of reference to: xSet out the committee’s objectives, authority, composition, tenure roles, responsibilities, duties, reporting lines, reporting and administrative arrangements Have clear guidance on key aspects of the committee’s operations

NRequest OLG to provide updated Model Terms of Reference. 1c The Audit, Risk and Improvement Committee is to comprise of three to five independent members who are prequalified via the NSW NCouncillor Membership on the ARIC?Fees to be paid is dependent on the no. of members:

Current Composition: 5 Councillors–no cost

$77$&+0(17

AUDIT COMMITTEE MEETING 21 NOVEMBER 2019

Government’s Prequalification Scheme: Audit and Risk Committee Independent Chairs and Members. The Audit, Risk and Improvement Committee is to be appointed by the governing body of council.

Chair $16,213; Other $6484 for 4 meetings pa. If there are 3 members: est. $29,181; 5 members: $42,149. (will be adjusted for CPI)

3 independents (Voluntary) – no cost 1dAudit, Risk and Improvement Committee members and the Chair are to serve a three to five-year term. A member’s term cannot exceed eight years and the Chair’s term cannot exceed five years

N No terms currently specified. 1eThe Audit, Risk and Improvement Committee is to meet quarterly, with the ability to hold extra meetingsif required. A council’s General Manager and Chief Audit Executive should attend except where excluded by the Committee

Y THSC currently holds quarterly meetings. 1fAudit, Risk and Improvement Committee members are to comply with council’s Code of Conduct and the conduct requirements of the NSW Government’s Prequalification Scheme: Audit and Risk Committee Independent Chairs and Members

PartialThe AC complies with Code of Conduct. Currently, independent members not required to be appointed from the pre-qualification scheme. Note that Councils current independent members will be able to apply to be on the pre- qualification scheme. 1gDisputes between the General Manager and/or the Chief Audit Executive are to be resolved by the Audit, Risk and Improvement Committee. Disputes with the Committee are to be resolved by the governing body of the council.

N Not required to date 1hThe Audit, Risk and Improvement Committee is to provide an annual assurance report to the PartialEst $10k every 4 All AC papers are forwarded to the

AUDIT COMMITTEE MEETING 21 NOVEMBER 2019

governing body of the council and be assessed by an external party at least once each council term as part of council’s quality assurance and improvement program

years. Council after each meeting. The AC has 5 Councillor members including the Mayor. 1iThe General Manager is to nominate a council employee/s to provide secretariat support to the Audit, Risk and Improvement Committee. Minutes are to be recorded for all committee meetings

Y Executive services provide secretarial support. Core Requirement 2: Establish a risk management framework consistent with the current Australian risk management standards Proposed Implementation Dates: - By December 2022 for development of a Framework and appointment of a Risk Management Coordinator. - By 2024 for the risk management framework to be fully implemented throughout council and operating in compliance with regulatory compliance. 2aEach council is to establish a risk management framework that is consistent with current Australian standards for risk management

Y Framework referred to the AC in May 2019 2bThe governing body of the council is to ensure that the council is sufficiently resourced to implement an appropriate and effective risk management framework N Council to ensure operational budget is sufficient to cover resourcing costs to align with the Discussion Paper requirements.

Not currently part of the AC agenda. Current resourcing for risk management is EFT of 1 staff, excluding supervisory responsibility. 2cEach council’s risk management framework is to include the implementation of a risk management policy, risk management plan and risk management process. This includes deciding council’s risk criteria and how risk that falls outside tolerance levels will be treated.

Y 2dEach council is to fully integrate its risk management framework within all of council’s Partial Developing. Referred to the May 2019 AC.

AUDIT COMMITTEE MEETING 21 NOVEMBER 2019

decision-making, operational and integrated planning and reporting processes 2eEach council is to formally assign responsibilities for risk management to the general manager, senior managers and other council staff and to ensure accountability.

Y 2fEach council is to ensure its risk management framework is regularly monitored and reviewed. Y Est cost $10k per termThe Councils Risk Management Framework was reviewed in 2017 by an independent consultant. 2gThe Audit, Risk and Improvement Committee and the council’s internal audit function are to provide independent assurance of risk management activities.

Y Review of risk controls & treatment plans included on Audit Plan. 2hThe general manager is to publish in council’s annual report an attestation certificate indicating whether during the prior financial year, the council was ‘compliant’, ‘non- compliant’or ‘in transition’ against each of the above-mentioned requirements of the council’s risk management framework. Compliance status is to be self-assessed basedpublished in the council’s annual report. A copy of the attestation statement is to also be provided to the Office of Local Government. The Chair of the Audit, Risk and Improvement Committee is to also sign the attestation statement where he/she agrees that it is a true and accurate reflection of the council’s compliance status against statutory requirements.

N Attestation to be documented and reported. Core Requirements 3: Establish an internal audit function mandated by an Internal Audit Charter Proposed Implementation Date – By December 2022

AUDIT COMMITTEE MEETING 21 NOVEMBER 2019

3aEach council is to establish and internal audit functionY Internal Audit function established in 2004 3bThe governing body is to ensure that the council’s internal audit function is sufficiently resourced to carry out its work

Y Council to ensure operational budget is sufficient to cover resourcing costs to align with Discussion Paper requirements. 3cThe governing body of the council is to assign administrative responsibility for internal audit to the general manager and to include this in their employment contract and performance reviews

Y 3dThe Chief Audit Executive is to develop an Internal Audit Charter, based on a model charter, which will guide how internal audit is conducted by the council. The Charter is to be approved by the governing body of the council after endorsement by the Audit, Risk and Improvement Committee. Each council’s Internal Audit Charter is to comply, at a minimum with a Model Internal Audit Charter.

Y OLG to provide Model Charter to be endorsed by the ARIC.Currently use Model OLG Internal Audit Charter. Core Requirements 4:Appoint internal audit personnel and establish reporting lines Proposed Implementation Date – By December 2022 4aThe general manager is to appoint a Chief Audit Executive to oversee the council’s internal audit activities in consultation with the Audit, Risk and Improvement Committee

Y Currently THSC employs a full-time Internal Auditor. The same person will become the CAE (title change only). 4bThe Chief Audit Executive is to report functionally to the Audit, Risk and Improvement Committee and administratively to the general manager and attend all committee meetings

Y

AUDIT COMMITTEE MEETING 21 NOVEMBER 2019

4cThe general manager is to ensure that, if required, council has adequate internal audit personnel to support the Chief Audit Executive. Councils will be able to appoint in-house internal audit personnel or completely or partially outsource their internal audit function to an external provider

Y Currently THSC employs a full-time Internal Auditor who has a budget to outsource part of the internal audit plan. Core Requirement 5: Develop an agreed internal audit work program Proposed Implementation Date – By 2024 5aThe Chief Audit Executive is to develop a four-year strategic plan to guide the council’s longer term internal audits in consultation with the governing body, general manager and senior managers. The strategic plan is to be approved by the Audit, Risk and Improvement Committee.

Y Currently the Audit Plan is for a 4 year period. 5bThe Chief Audit Executive is to develop policies and procedures to guide the operation of the internal audit function, including the performance of internal audits.

Y 5cThe Chief Audit Executive is to ensure performance against the annual and strategic plans can be assessed.

Y Status of Audit Plan and Program assessed at every AC meeting Core Requirement 6: Performance & Reporting of Internal Audits Proposed Implementation Date – By 2024 6aThe Chief Audit Executive is to ensure that the council’s internal audits are performed in accordance with the IPPF and current Australian risk management standards (where applicable), and approved by the Y Current Internal Auditor is member of the Institute of Internal Auditors (IIA). IA was independently reviewed by the IIA in November 2018. The

AUDIT COMMITTEE MEETING 21 NOVEMBER 2019

Audit, Risk and Improvement Committee.results were forwarded and reviewed by the Audit Committee. The IA function was assessed as operating professionally and generally conforms to the IIA standards (which is the highest rating that can be achieved). 6bThe Chief Audit Executive is to develop policies and procedures to guide the operation of the internal audit function, including the performance of internal audits

Y 6cThe Chief Audit Executive is to report internal audit findings and recommendations to the Audit, Risk and Improvement Committee. Each finding is to have a recommended remedial action and a response from the relevant senior manager/s

Y 6dAll internal audit documentation is to remain the property of, and can be accessed by, the audited council, including where internal audit services are performed by an external provider. It can also be accessed by the Audit Risk and Improvement Committee, external auditor and governing body of the council (by resolution).

Y Core Requirement 7: Undertake ongoing monitoring and reporting Proposed Implementation Date – By 2024 7aThe Audit, Risk and Improvement Committee is to be advised at each quarterly meeting of the internal audits undertaken and progress made Y Status report on Audit Plan & Program is presented to every quarterly meeting of AC

AUDIT COMMITTEE MEETING 21 NOVEMBER 2019

implementing corrective actions 7bThe governing body of the council is to be advised after each quarterly meeting of the Audit, Risk and Improvement Committee of the internal audits undertaken and the progress made implementing corrective actions Y OLG need to clarify that this can be reported via inclusion in the ARIC Minutes being provided to council after confirmation by ARIC after the quarterly ARIC meetings

Council receives the Agenda and Minutes of every quarterly AC meeting. 7cThe Audit, Risk and Improvement Committee can raise any concerns with the governing body of the council at any time through the Chair

Y This has not been required as the Chair is the Mayor Core Requirement 8: Establish a quality assurance and improvement program Proposed Implementation Date – By 2024 8aThe Chief Audit Executive is to establish a quality assurance and improvement program which includes ongoing monitoring and periodic self- assessments, an annual review and strategic external review at least once each council term. Annual review 1.Annual internal audit reviewby the Chief Audit Executive – reported to the Audit, Risk and Improvement Committee 2.Annual assurance report by the Audit, Risk and Improvement Committee of the factors the Committee must consider under s428 A of the Local Government Act– reported to the governing body of the council. Strategic review performed at least once every council term Y Estimated to be $10,000 every 4 years

Next external review is due by 2023.

AUDIT COMMITTEE MEETING 21 NOVEMBER 2019

Review by an external assessor on the effectiveness of the Audit, Risk and Improvement Committee and the internal audit function - reported to the Audit, Risk and Improvement Committee and governing body of the council 8bThe general manager is to publish in the council’s annual report an annual attestation certificate indicating whether council has complied with the core requirements for the Audit, Risk and Improvement Committee and the internal audit function. This is in addition to the risk management annual attestation certificate required as part of council’s risk management framework

N Core Requirement 9: Councils can establish shared internal audit arrangements 9aA council can share all or part of its internal audit function with another council/s by either establishing an independent shared arrangement with another council/s of its choosing, or utilising an internal audit function established by a joint or regional organisation of councils that is shared by member councils

NATHSC has a dedicated internal audit function. 9b The core requirements that apply to stand-alone internal audit functions will also apply to shared internal audit functions, with specified exemptions that reflect the unique structure of shared arrangements.

NA 9cThe general manager of each council inNA

AUDIT COMMITTEE MEETING 21 NOVEMBER 2019

any shared arrangement must sign a ‘Shared Internal Audit Arrangement’ that describes the agreed arrangements.

AUDIT COMMITTEE MEETING 21 NOVEMBER 2019