Agenda of Finance Audit & Risk Sub-committee

Meeting of the Finance Audit & Risk Sub-committee

Date: 13 October 2021

Time: 9.00am

Venue:

Council Chamber

Hawke's Bay Regional Council

159 Dalton Street

NAPIER

Agenda

Item Title Page

1. Welcome/Notices/Apologies

2. Conflict of Interest Declarations

3. Confirmation of Minutes of the Finance Audit & Risk Sub-committee meetings held on 4 August 2021 and on 18 August 2021

4. Audit NZ Report on Year ended 30 June 2020 1

5. 2020-21 Annual Report – Draft Non-financial Results 39

6. Roadsafe s17a Review 43

7. Risk Maturity Update 47

8. Annual Enterprise Internal Audit Plan 51

9. Internal Assurance Dashboard - Corrective Actions Status Update 67

Public Excluded

10. Internal Assurance Dashboard - Cyber Security Corrective Actions Status Update 79

11. Confirmation of Public Excluded Minutes of Finance Audit & Risk Sub-committee meetings held on 18 August 2021 and 4 August 2021 81

HAWKE’S BAY REGIONAL COUNCIL

Finance Audit & Risk Sub-committee

13 October 2021

Subject: Audit NZ Report on Year ended 30 June 2020

Reason for Report

1. This report presents the Finance, Audit and Risk Sub-committee with the Auditors findings from the year ended 30 June 2020 audit.

Officers’ Recommendation(s)

2. Council officers recommend that the Sub-committee reviews and accepts the Audit NZ Report on the year ended 30 June 2020 as presented.

Executive Summary

3. The 2020 audit was disrupted by the impacts of Covid-19. The audit process was significantly delayed with the audit opinion eventually being delivered on 24 February 2021.

4. The 2019-20 year also saw significant personnel change within Council’s finance team which impacted on the process and the ability to clear previous audit recommendations. In addition, some outstanding recommendations were not reviewed as part of the audit process, but will be addressed as part of the 2020-21 audit process.

Background /Discussion

5. Each year, following the completion of the audit of Council’s Annual Report the auditors report back to the governing body on any findings from the audit. The report provides commentary on areas where Hawke’s Bay Regional Council is doing well and makes recommendations for improvement.

6. The specific matters identified during the audit are outlined in Section 4, which is on pages 14 to 16 of the report. In this section the auditors explain the issues identified and management have provided a response.

7. The report also comments on the status of previous recommendations raised during audits in prior years. The status of previous recommendations is set out in Attachment 1 on pages 24 to 28 of the report.

Options Assessment

8. The report is provided for information so that Council, as the governing body is aware of the issues identified during the audit process.

9. The Sub-committee can receive the report and can also seek clarification or further explanation where necessary.

Significance and Engagement Policy Assessment

10. This item is not significant in terms of Council’s policy on significance and engagement.

Financial and Resource Implications

11. There are no financial implications. Resourcing requirements are being dealt with through the ongoing management and review of Councils overall staffing and capability requirements.

Decision Making Process

12. Council and its committees are required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:

12.1 The decision does not significantly alter the service provision or affect a strategic asset, nor is it inconsistent with an existing policy or plan.

12.2 The use of the special consultative procedure is not prescribed by legislation.

12.3 The decision is not significant under the criteria contained in Council’s adopted Significance and Engagement Policy.

12.4 The persons affected by this decision are all persons with an interest in the management of Council affairs.

12.5 Given the nature and significance of the issue to be considered and decided, and also the persons likely to be affected by, or have an interest in the decisions made, Council can exercise its discretion and make a decision without consulting directly with the community or others having an interest in the decision.

12.6 Any decision of the sub-committee (in relation to this item) is in accordance with the Terms of Reference and decision-making delegations adopted by Hawke’s Bay Regional Council 25 March 2020, specifically the Finance, Audit and Risk Sub-committee shall have responsibility and authority to:

12.6.1 Confirm that processes are in place to ensure that financial information included in Council’s Annual Report is consistent with the signed financial statements

12.6.2 Confirm the terms of appointment and engagement of external auditors, including the nature and scope of the audit, timetable, and fees

Recommendations

That the Finance, Audit and Risk Sub-committee receives and accepts the “Audit NZ Report on Year ended 30 June 2020” and advises the Corporate and Strategic Committee accordingly.

Authored by:

Ross Franklin

Acting Chief Financial Officer

Approved by:

Jessica Ellerm

Group Manager Corporate Services

Attachment/s

1 ⇩

Audit NZ Report on findings from June 2020 audit

HAWKE’S BAY REGIONAL COUNCIL

Finance Audit & Risk Sub-committee

13 October 2021

Subject: 2020-21 Annual Report – Draft Non-financial Results

Reason for Report

1. This item provides the Finance, Audit and Risk Sub-committee with the non-financial results and highlights for inclusion in the 2020-21 Annual Report.

2. Community Outcomes and Groups of Activities were presented to the Corporate and Strategic Committee (C&S) on 18 August 2021. Feedback from that meeting has been incorporated, including more explanation about the range of interventions being implemented to meet community outcomes. This information is being presented to familiarise the Finance, Audit and Risk Sub-committee with the results.

Background

3. The draft non-financial results, as provided to Audit NZ, are attached as a single document split into:

3.1. Part 1 – Introduction, provides a foreword and framework for the report

3.2. Part 2 – Regional Highlights, provides brief highlights for the year by area and infographics over the last three years of the 2018-28 Long Term Plan

3.3. Part 3 – Community Outcomes, provides results or progress made to date on the achievement of the 23 community outcomes of the Council’s 2017-21 Strategic Plan

3.4. Part 4 – Groups of Activities, reports performance by Council’s groups of activities against the level of service measures and performance targets set in the 2018-28 Long Term Plan.

Community outcomes

4. Under section 23 of schedule 10 of the Local Government Act 2002, the Council must report the results of any measurement undertaken during the year of progress towards the achievement of community outcomes.

5. We use our time-bound strategic goals from our Strategic Plan as community outcome measures. These demonstrate a desire to shift from reporting activity or outputs, to managing for and reporting on outcomes – things that matter to the community. Typically, we do not have full control over the achievement of these outcomes, but have a statutory role in contributing to them being achieved. Where possible, the outcomes align with national targets or an existing Hawke’s Bay strategy or plan.

6. The outcome measures are grouped by our four focus areas: Water, Land, Biodiversity and Infrastructure/Services. The four areas are interconnected and mutually reinforcing meaning that success in one area cannot be at the expense of another. For example, the work we are doing on farms to keep soil on the land directly contributes to water quality and aquatic biodiversity.

7. The status against the target is described as achieved, on-track, underway or off-track. Work is underway to give the outcome measures a baseline and show a timeseries and projected pathway for achievement in future reporting.

Levels of Service

8. The purpose of the non-financial performance measures, as specified in the Local Government Act 2002, is to enable the public to assess the actual versus intended level of service achieved for major aspects of groups of activities. In other words, to demonstrate we have done what we said we would do.

9. We report on the actual performance against targets set in the 2018-28 LTP as achieved, partially achieved, not achieved or not measured. 2020-21 is the third and final year of the 2018-28 LTP. We also include the previous two years’ results, commentary to provide context and more information on the performance result.

10. As per the 2018-28 LTP, we report on seven groups of activities (as opposed to the now six in the 2021-31 LTP) as this pertains to the 2020-21 financial year.

11. The groups of activities are:

11.1. Governance and Partnerships

11.2. Strategic Planning

11.3. Integrated Catchment Management

11.4. Asset Management

11.5. Consents and Compliance

11.6. Emergency Management

11.7. Transport.

Discussion

Aggregated results for community outcomes

12. Of the 23 community outcomes, 1 was achieved, 15 are on-track, 1 is underway and 5 are off-track.

13. Staff analysis suggests the reasons for being off-track generally fall into the following areas:

13.1. aspirational time-bound targets reliant on suites of interventions still to be developed, e.g. highly erodible land under tree cover and restoring prioritised terrestrial ecosystem sites

13.2. results outside our direct control (but important outcomes that we have a statutory role in contributing to) that rely on further action by others, e.g. contaminants from urban and rural environments into waterbodies.

Aggregated results for levels of service performance measures

14. Of the 60 measures, 44 were achieved, 4 were partially achieved, 8 were not achieved and 4 were not measured (or awaiting measure).

15. Staff analysis suggests the reasons for not achieving the targets generally fall into the following areas:

15.1. ambitious targets set by ourselves e.g. planting on highly erodible land, kilometres of riparian margins; compliance monitoring

15.2. results outside our direct control e.g. road toll, preparedness for CDEM events, consent compliance

15.3. continuation of a downward trend e.g. public transport passenger numbers.

16. Commentary has been added to the quantitative results to provide context, and in particular, explain why measures have not been achieved.

17. Where data allows, graphs illustrating trends have been included to give visual context.

Next Steps

18. Following the Annual Report 2020-21 being audited by Audit NZ, the final audited Report and Audit Opinion will be presented to the 8 December 2021 Finance, Audit and Risk Sub-committee for recommendation to the 15 December 2021 Regional Council meeting for adoption.

Decision Making Process

19. Council and its committees are required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:

19.1. as this report is for information only, the decision-making provisions do not apply.

19.2. any decision of the sub-committee (in relation to this item) is in accordance with the Terms of Reference and decision-making delegations adopted by Hawke’s Bay Regional Council 25 March 2020, specifically the Finance, Audit and Risk Sub-committee shall have responsibility and authority to:

19.2.1. Satisfy itself that the financial statements and statements of service performance are supported by adequate management signoff and adequate internal controls and recommend adoption of the Annual Report by Council

19.2.2. Confirm that processes are in place to ensure that financial information included in Council’s Annual Report is consistent with the signed financial statements

19.3. Confirm the terms of appointment and engagement of external auditors, including the nature and scope of the audit, timetable, and fees.

Recommendation

That the Finance, Audit and Risk Sub-committee receives and notes the “2020-21 Annual Report – Draft Non-financial Results” staff report.

Authored by:

Sarah Bell

Team Leader Strategy & Performance

Desiree Cull

Strategy & Governance Manager

Mandy Sharpe

Project Manager

Approved by:

James Palmer

Chief Executive

Attachment/s

1 ⇨

2020-21 Annual Report –Draft Non-financial Results

Under Separate Cover

HAWKE’S BAY REGIONAL COUNCIL

Finance Audit & Risk Sub-committee

13 October 2021

Subject: Roadsafe s17a Review

Reason for Report

1. This agenda item seeks the approval of the Finance, Audit and Risk Sub-committee (FARS) for a Service Delivery Review of Hawke’s Bay Roadsafe functions in accordance with Section 17a of the Local Government Act 2002.

Officers’ Recommendations

2. Council officers recommend that the FARS approves the commissioning of a s17a review of the HB Roadsafe functions led by the Hawke’s Bay Regional Council.

Executive Summary

3. The Roadsafe (Road Safety) function is currently part of the Transport team of the Hawke’s Bay Regional Council. The team plans and delivers a road safety programme for and with all of the Councils of Hawke’s Bay. Governance oversight is provided by the Regional Land Transport Committee with membership from Hawke’s Bay Regional Council, HBRC Maori Committee, Wairoa District Council, Central Hawke’s Bay District Council, Napier City Council, Hastings District Council and Waka Kotahi.

4. Following discussions at the Regional Transport Committee about what effective Governance of the Roadsafe programme might consist of, staff are recommending that a service delivery review of Roadsafe is undertaken in accordance with Section 17a of the Local Government Act 2002.

Background /Discussion

5. The Roadsafe team develops the road safety programme based on identified risks and road safety issues and then delivers that programme in partnership with key partners including the Councils, Waka Kotahi, NZ Police, Iwi, schools and ACC.

6. At its meeting on 11 December 2020, the Regional Transport Committee (RTC) sought advice in relation to their oversight and governance of the Road Safety Programme (RSP), as well as further advice about the effective delivery of their governance obligations for Road Safety.

7. In response to the request for oversight and governance of the Road Safety Programme, a workshop was held on 12 March 2021. The workshop provided an opportunity to discuss the options and preferred approach for the involvement of the Committee in the Road Safety Programme.

8. The outcome from that workshop was agreement that direction setting, oversight and accountability for the RoadSafe programme should sit with the RTC at the Governance level.

9. In response to the question of effective delivery of governance obligations, this report recommends a service delivery review subject to Section 17a of the Local Government Act 2002.

Options Assessment

10. The service delivery review will seek to address:

10.1. The level of understanding and clarity of what the Roadsafe Programme should be achieving in terms of outcomes

10.2. Improvements that could be made in services and or activities being delivered through the Roadsafe Programme

10.3. Adequacy of the current funding for Roadsafe HB to deliver the programme and desired outcomes

10.4. The effectiveness of relationships between the providers of Roadsafe HB and the four other local authorities, community groups and any other service providers

10.5. Any alternative means for service delivery that might exist already or could be developed

10.6. Any efficiency gains that might be available by utilising (or adding to) existing resources within the territorial authorities to deliver the regional road safety programme and

10.7. Any refinements that can be made even if no changes to the service delivery model is proposed.

11. Morrison Low has been approached and asked to submit a proposal for this Review. Morrison Low has proposed Gareth Chaplin, Associate Director Central Government carries out the Review.

12. The methodology proposed by Morrison Low will ensure the report delivers practical outcomes whilst meeting the statutory requirements for a S17a review and will include:

12.1. Project management throughout the project with regular liaison the Group Manager Policy and Regulation

12.2. A review will be undertaken of all relevant information relating to the current service delivery arrangements and will include such things as:

12.2.1. The Regional Land Transport Plan, the Road Safety Programme, Communication Plans

12.2.2. the current structure – governance and delivery

12.2.3. budgets and actuals for the last three years and any other relevant financial information or reports (e.g., monthly, or quarterly reports)

12.2.4. Operational processes/procedures which set out how the Road Safety team functions and operates including the engagement of volunteer and other suppliers/providers

12.2.5. Details of existing contract/s, scope and performance requirements.

12.3. Interview key staff individually to understand what currently works well, any issues and areas for improvements, including representatives of the Regional and Territorial Local Authorities, New Zealand Police Woka Kotahi and ACC

12.4. Develop and agree with the HBRC Group Manager Policy and Regulatory potential service delivery options and assessment criteria, taking into account agreed objectives and identified opportunities for efficiencies and improvements

12.5. Undertake a high‐level assessment of alternative service delivery options against the agreed criteria using Morrison Low’s Section 17a templates to ensure consistency with the legislative requirements

12.6. Facilitate a ‘challenge workshop’ with key stakeholders (to be agreed but likely to include members of HBRC and the TLAs, Waka Kotahi, NZ Police and ACC) to agree the preferred way forward using the high-level assessment as the basis for discission

12.7. Document the review and a recommended way forward in a draft report to be submitted to the Group Manager Policy and Regulation for review and feedback

12.8. Following feedback on the draft report, the final report with a presentation of that report will be provided to the Regional Transport Committee and Council.

Strategic Fit

13. The Roadsafe functions contribute to a sustainable and climate resilient infrastructure. To achieve this strategic vision, it is essential that HBRC, the TLAs, Waka Kotahi, NZ Police and ACC have good working relationships to enable the successful achievement of this goal.

14. There are a range of possible delivery methods available to the Council to achieve the Roadsafe functions. The Service Delivery review will enable the RTC and the Regional Council to decide on the best option to achieve the objectives and targets in a desired timeframe.

Significance and Engagement Policy Assessment

15. The Significance of this proposed review has been determined to be of medium significance, as reflected in the proposed methodology and the intent to undertake wide engagement with all Roadsafe partners and key stakeholders.

Considerations of Tangata Whenua

16. There are no social, cultural, or economic effects on Tangata Whenua as a result of this proposed review, but as discussed above consultation will be undertaken with key stakeholders, some of which have a primary focus on the social, cultural and economic wellbeing of Tangata Whenua in regard to road safety.

Financial and Resource Implications

17. Subject to availability of information and key stakeholders, it is estimated that the Section 17a review will take four to six weeks to complete. A cost estimate has been provided by Morrison Low to complete the Section 17a review in the order of $20,000‐$25,000 excluding GST and disbursements.

18. The cost of completing the review has not been specifically identified or budgeted for in the 2021-22 Annual Plan, however, the cost is anticipated to be met from existing operational budgets.

Consultation

19. As discussed above, consultation will be undertaken with key staff, including representatives of the Territorial Local Authorities, key stakeholders (to be agreed but likely to include members of HBRC and the TLAs, Waka Kotahi, NZ Police and ACC).

Decision Making Process

20. Council and its committees are required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:

20.1. The decision does not significantly alter the service provision or affect a strategic asset, nor is it inconsistent with an existing policy or plan.

20.2. The use of the special consultative procedure is not prescribed by legislation.

20.3. The decision is not significant under the criteria contained in Council’s adopted Significance and Engagement Policy.

20.4. The persons affected by this decision are all partners and key relationships of Roadsafe HB.

20.5. Given the nature and significance of the issue to be considered and decided, and also the persons likely to be affected by, or have an interest in the decisions made, Council can exercise its discretion and make a decision without consulting directly with the community or others having an interest in the decision.

Recommendations

That the Finance, Audit and Risk Sub-committee:

1. Receives and considers the “Roadsafe s17a Review” staff report.

2. Agrees that the decisions to be made are not significant under the criteria contained in Council’s adopted Significance and Engagement Policy, and that Council can exercise its discretion and make decisions on this issue without conferring directly with the community or persons likely to have an interest in the decision.

3. Approves the engagement of Morrison Low to undertake a Service Delivery Review of the Hawke’s Bay Regional Council’s Road Safety function.

Authored by:

Katrina Brunton

Group Manager Policy & Regulation

Jessica Ellerm

Group Manager Corporate Services

Approved by:

James Palmer

Chief Executive

Attachment/s

There are no attachments for this report.

HAWKE’S BAY REGIONAL COUNCIL

Finance Audit & Risk Sub-committee

13 October 2021

Subject: Risk Maturity Update

Reason for Report

1. This item provides the Finance, Audit and Risk Sub-committee (FARS) with an update on Council’s Risk Management Maturity.

Officers’ Recommendations

2. Council Officers recommend that the Sub-committee notes the status of the Council’s risk management maturity deliverables for phases I through III of the risk maturity roadmap, and that implementation of phase IV of the roadmap will be undertaken through two discrete and concurrent projects phased in over the next two years.

Background/Discussion

3. At the FARS meeting on 4 August 2021, it was agreed that staff would review the risk maturity project plan and delivery dates against the risk maturity roadmap. The risk maturity roadmap was endorsed by the Corporate and Strategic Committee at the meeting on 10 June 2020.

4. Since mid-2020 significant progress towards implementation of the risk maturity roadmap has been made. To date the focus of risk maturity has been on ‘creating risk content’, phases I to III of the risk maturity roadmap. Examples of content developed under phases I to III, include:

4.1. A new Council approved and purposely tailored risk policy and framework

4.2. A renewed risk assessment matrix that better aligns to Council’s vision and strategy

4.3. Reset and better centring of identified enterprise risks

4.4. Redesign of enterprise risk reporting that includes supporting risk information with internal and external context

4.5. Development of risk bowties for enterprise risk that are used to: continuously review and improve critical controls, systematically identify risk causes, and provide better understand risk consequences

4.6. Drafting of Council’s risk appetite statement

4.7. A new Council approved internal audit framework

4.8. Development of dashboard reporting to enable proactive tracking of internal audit and control corrective actions

4.9. Development of a Council audit universe to better enable the internal audit programme to shift towards a risk-based approach.

5. With phases I to III of the roadmap nearly complete, focus is shifting to embedding the ‘risk content’ through ‘creation of risk processes’ into the business, phase IV of the roadmap. While phases I to III provided structured enterprise risk reporting to ELT and FARS the reporting is not systematically connected to the operational business. Through embedding risk management processes into the business risk aggregation will be stronger and therefore the ELT and FARS will be provided with more inclusive risk reporting that provides better risk oversight. With this shift of focus on risk maturity to phase IV of the roadmap it was agreed and considered timely for Staff to review the risk maturity project plan to ensure that:

5.1. deliverables for phases I to III of the roadmap are complete, and where deliverables are outstanding action plans are in place to actively close these, and

5.2. the design of the current project plan is ‘right-sized’ and effective to deliver on phase IV of the roadmap embedding ‘risk intelligence’.

6. The review of the risk maturity project plan by Staff found most deliverables for phases I to III of the plan are complete. Three activities remain outstanding for phases I to III and these have been assigned to the Risk and Corporate Compliance Manager to coordinate and close out by December 2021. These activities include:

6.1. Finalising remaining enterprise risk bowties

6.2. Strengthening identification of critical controls using the enterprise risk bowties (being done as continuous improvement), and

6.3. Finalising the risk appetite statement.

7. Phase IV of the roadmap is focussed on embedding risk management into the business. Staffs review found that the current risk maturity project plan needs strengthening to effectively achieve phase IV of the roadmap which aims to embed risk management into:

7.1. The operational business, and

7.2. Governance, strategic planning and strategic project execution activities.

8. Essentially, phase IV requires taking the risk content developed in phases I through III of the risk maturity roadmap and embedding this into business activities in a sustainable way. Therefore, Staff have redesigned the next phase of Council’s risk maturity identifying the need to develop two discrete and concurrent risk maturity projects:

8.1. The first project will focus on embedding structured risk management processes into governance, strategic planning and strategic project execution activities. The Risk Team is working closely with the Strategy and Governance Team to identify key activities to embed risk processes into. On completion of this identification phase a project plan will be developed to support the implementation. Some examples of activities already identified and currently being targeted include:

8.1.1. FY2022-23 Annual plan decision making framework based on risk-based decision making

8.1.2. Linking the new risk assessment matrix to assist with the prioritisation of ICT projects and in key ICT infrastructure reviews

8.1.3. The strategic project framework now contains the risk assessment matrix based on Council’s risk management framework

8.1.4. On commencement of the Climate Change Ambassador the Risk Team will work with the Ambassador to systematically develop an enterprise risk and control view and touch points for climate change using bowtie methodology.

8.2. The second project is focussed on embedding risk management processes and risk-based thinking consistently into the operational business. Using the Council approved Risk Management Framework, the Risk Team is formalising ‘right sized’ risk management system processes for use in the business. In the implementation phase of embedding risk processes into the business the Risk Team is be supported by a Risk Champion that sits within each Group.

9. The Executive Leadership Team (ELT) are supportive and fully commitment to embedding Council’s risk management system and processes. The ELT have carefully considered and balanced available resource against the value a risk management system with structured risk processes provides to an organisation. Each Group Manager has dedicated 0.1 of an FTE to assisting the Risk Team implement an embedded risk management system. With the level of resourcing available it is anticipated that once this project for phase IV of the risk maturity roadmap formally commences implementation will take approximately two years. However, benefits to Council will be progressive over the two-year implementation phase. These benefits will include:

9.1. Team Leaders better prepared to manage risks and identify critical controls resulting in fewer surprises

9.2. A consistent and more efficient way to allocate finite resources

9.3. Decision making that better supports business planning and strategy, and

9.4. Improved visibility of risks in the business that can be aggregated into the enterprise risk reporting to reassure ELT, FARS and other key stakeholders.

Strategic Fit

10. Maturity of the Council’s risk management system contributes towards achieving all strategic goals/vision by protecting the organisation. A mature risk system provides consistent risk intelligent decision making enabling the efficient prioritisation of finite organisational resources to deliver on strategy.

Financial and Resource Implications

11. Maturity of the risk management system is phased to minimise budgetary implications. Some facilitated risk training workshops maybe need to be provided to targeted staff. The 10 Risk Champion FTE from each Group will be managed through current resourcing.

Next Steps

12. The next steps for maturity of the Council’s risk management system include:

12.1. The Risk Team to work with the Strategy and Governance Team to develop a project plan to formalise the use of risk management processes into targeted governance, strategic planning and strategic project execution activities

12.2. The Risk Team to develop a project plan for ELT approval to embed risk management processes and risk-based thinking into the operational business

12.3. ELT to identify within each Group a Risk Champion

12.4. The Risk Team to commence upskilling Risk Champions of risk management philosophies and methodologies.

Recommendations

1. That the Finance, Audit and Risk Sub-committee receives and considers the “Risk Maturity Update” staff report.

2. The Finance, Audit and Risk Sub-committee reports to the Corporate and Strategic Committee that:

2.1. Phases I through III of the Risk Maturity Roadmap are nearing completion, and

2.2. Staff, with full Executive Leadership Team endorsement and commitment, are preparing two discrete project plans to embed risk management processes and risk-based thinking into the business; this being the delivery of phase IV ‘risk intelligence’ of the risk maturity roadmap. The timeframe for implementation of phase IV of the risk maturity roadmap is estimated to be approximately two years.

Authored by:

Helen Marsden

Risk and Corporate Compliance Manager

Approved by:

Jessica Ellerm

Group Manager Corporate Services

Attachment/s

There are no attachments for this report.

HAWKE’S BAY REGIONAL COUNCIL

Finance Audit & Risk Sub-committee

13 October 2021

Subject: Annual Enterprise Internal Audit Plan

Reason for Report

1. This item seeks approval from the Finance, Audit and Risk Sub-committee (FARS), of the FY22 Annual Enterprise Internal Audit Plan that was endorsed by the Executive Leadership Team (ELT) on 28 September 2021, and also provides the status update on the current Enterprise Internal Audit Plan.

Background /Discussion

2. The Internal Audit Framework was adopted by Council on 26 May 2021. This framework requires the Annual Enterprise Internal Audit Plan to be approved by the FARS.

3. Therefore, this item presents the proposed FY22 Annual Enterprise Internal Audit Plan to FARS and seeks FARS approval. The proposed Plan was endorsed by ELT at the ELT meeting on 28 September 2021.

4. In developing the proposed FY22 plan consideration was given to the following:

4.1. Enterprise risks covered by previous internal audits and other enterprise reviews (Attachment 1 – Audit Universe)

4.2. Insights and observations relating to current issues, risks or projects

4.3. Internal audit trends and insights provided by our current internal auditors (see Attachment 2 – Proposed HBRC Internal Audit Plan 2021-22 report by Crowe), and

4.4. Availability of internal resources to:

4.4.1. support each internal audit as these are undertaken in the business, and

4.4.2. respond to audit findings and develop corrective action plans.

5. The FY22 Annual Enterprise Internal Audit Plan proposes the following two audits:

5.1. Fraud Management Framework: This audit will assess the effectiveness of Council’s existing fraud and corruption risk management strategies, policies and procedures in terms of prevention, detection and investigation of fraud. The audit will also provide a clear action plan on how to deal with identified performance gaps. With the recent implementation of TechOne’s financial module (FUSE) the timing is considered right to further strengthen and align Council’s fraud management framework to new TechOne system processes.

5.2. Data Analytics: Currently this audit is a 12-monthly cyclical review that exercises over payroll and payables master and transactional data to identify potentially suspicious relationships, trends and transactions for transactions to 30 June 2021

6. The reason for limiting the proposed 2021-22 Annual Enterprise Internal Audit Plan to two audits is the general observation that ongoing business interruption from Covid19 lockdowns have placed pressure on staff to deliver on their ‘Business as Usual’ (BAU) objectives. Undertaking an internal audit requires staff in the business to be available to support auditors as they gather information and evidence for the audit. On completion of the audit staff are also required to respond to audit findings and then develop corrective action plans. Therefore, undertaking too many internal audits in the current environment may add additional pressure on staff.

7. It is proposed that Crowe will undertake the two audits identified in the Plan. The agreement for Crowe to act as Council’s main internal auditor was extended for a further 12 months to the end of the 2021-22 financial year.

8. Lastly, the FY21 Annual Enterprise Internal Audit Plan was delivered and closed out as per the Annual Enterprise Internal Audit Plan FY21 Status Update.

Strategic Fit

9. Internal audit examines the business and provides independent assurance to Leadership and Governance that risks are being managed, and that business activities are operating in a way that is positively contributing towards achieving Council’s strategic goals and vision by protecting the organisation from unforeseen events.

Financial and Resource Implications

10. There are no financial implications or additional resource requirements resulting from this Annual Enterprise Internal Audit plan that have not already been budgeted for.

Decision Making Process

11. Council and its committees are required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:

11.1. The decision does not significantly alter the service provision or affect a strategic asset, nor is it inconsistent with an existing policy or plan.

11.2. The use of the special consultative procedure is not prescribed by legislation.

11.3. The decision is not significant under the criteria contained in Council’s adopted Significance and Engagement Policy.

11.4. The agenda item is in accordance with the FARS Terms of Reference, specifically:

11.4.1. The purpose of the Finance, Audit and Risk Sub-committee is to report to the Corporate and Strategic Committee to fulfil its responsibilities for (1.3) the independence and adequacy of internal and external audit functions

11.4.2. The Finance, Audit and Risk Sub-committee is delegated by Council to (3.6) review the objectives and scope of the internal audit function, and ensure those objectives are aligned with Council’s overall risk management framework; and (3.7) assess the performance of the internal audit function and ensure that the function is adequately resourced and has appropriate authority and standing within Council.

Recommendations

That the Finance, Audit and Risk Sub-committee:

1. Receives and considers the “Annual Enterprise Internal Audit Plan” staff report.

2. Agrees that the decisions to be made are not significant under the criteria contained in Council’s adopted Significance and Engagement Policy, and that the Sub-committee can exercise its discretion and make decisions on this issue without conferring directly with the community or persons likely to have an interest in the decision in accordance with its Terms of Reference.

3. Approves the 2021-22 Annual Enterprise Internal Audit Plan as proposed.

4. Reports to the Corporate and Strategic Committee that the 2021-22 Annual Enterprise Internal Audit Plan has been approved and will be carried out within budget provisions made in the 2021-22 Annual Plan for this purpose.

Authored by:

Helen Marsden

Risk and Corporate Compliance Manager

Approved by:

Jessica Ellerm

Group Manager Corporate Services

Attachment/s

1 ⇩	Annual Universe Plan
2 ⇩	Crowe Proposed HBRC Internal Audit Plan 2021-22
3 ⇩	FY21 Annual Enterprise Internal Audit Plan Status Update

HAWKE’S BAY REGIONAL COUNCIL

Finance Audit & Risk Sub-committee

13 October 2021

Subject: Internal Assurance Dashboard - Corrective Actions Status Update

Reason for Report

1. This item updates the Finance, Audit and Risk Sub-committee (FARS) on the progress carrying out corrective actions that respond to internal audit findings as previously reported to the FARS, along with a status update on the current Annual Enterprise Internal Assurance plan approved by FARS in August 2020.

Officers’ Recommendation

2. Council officers recommend that the sub-committee considers and notes the internal assurance dashboard corrective action status update, with a view to confirming the adequacy of corrective actions undertaken and reporting as such to the Corporate & Strategic Committee (C&S).

Discussion

3. The purpose of the corrective action status update is to provide oversight to the FARS of open internal assurance findings from previously reported internal assurance reviews. The dashboard tracks progress of the corrective actions against agreed milestones, until the action is closed.

3.1. All on hold actions of the Risk Management Maturity have been rebase lined due to Risk & Corporate Compliance Manager role being vacant.

Financial and Resource Implications

4. There are no financial implications or additional resource requirements resulting from this internal audit programme update.

Decision Making Process

5. Council and its committees are required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:

5.1. The decision does not significantly alter the service provision or affect a strategic asset, nor is it inconsistent with an existing policy or plan.

5.2. The use of the special consultative procedure is not prescribed by legislation.

5.3. The decision is not significant under the criteria contained in Council’s adopted Significance and Engagement Policy.

5.4. The decision is in accordance with the Finance, Audit and Risk Sub-committee Terms of Reference, specifically to report to the Corporate and Strategic Committee to fulfil its responsibilities for:

5.4.1. receiving the internal and external audit report(s) and review actions to be taken by management on significant issues and recommendations raised within the report(s).

5.4.2. Ensuring that recommendations in audit management reports are considered and, if appropriate, actioned by management.

5.4.3. Given the nature and significance of the issue to be considered and decided, and also the persons likely to be affected by, or have an interest in the decisions made, Council can exercise its discretion and make a decision without consulting directly with the community or others having an interest in the decision.

Recommendations

That the Finance, Audit and Risk Sub-committee:

1. Receives and notes the ‘Internal Assurance Dashboard - Corrective Actions Status Update’ staff report and accompanying dashboard.

2. Confirms that management actions undertaken or planned for the future adequately respond to the findings and recommendations of the internal audits.

3. Confirms that the dashboard reports provide adequate information on the progress of corrective actions and the progress of the approved Annual Internal Audit programme.

4. Reports to the Corporate and Strategic Committee, the Sub-committee’s satisfaction that the Internal Assurance Programme Update provides adequate evidence of the adequacy of Council’s internal assurance functions and management actions undertaken or planned respond to findings and recommendations from completed internal audits.

Authored by:

Olivia Giraud-Burrell

Business Analyst

Helen Marsden

Risk and Corporate Compliance Manager

Approved by:

Jessica Ellerm

Group Manager Corporate Services

Attachment/s

1 ⇩

Internal Assurance Dashboard - Corrective Actions Status

HAWKE’S BAY REGIONAL COUNCIL

Finance Audit & Risk Sub-committee

13 October 2021

Subject: Internal Assurance Dashboard - Cyber Security Corrective Actions Status Update

That Hawke’s Bay Regional Council excludes the public from this section of the meeting, being Agenda Item 10 Internal Assurance Dashboard - Cyber Security Corrective Actions Status Update with the general subject of the item to be considered while the public is excluded; the reasons for passing the resolution and the specific grounds under Section 48 (1) of the Local Government Official Information and Meetings Act 1987 for the passing of this resolution being:

GENERAL SUBJECT OF THE ITEM TO BE CONSIDERED

REASON FOR PASSING THIS RESOLUTION

GROUNDS UNDER SECTION 48(1) FOR THE PASSING OF THE RESOLUTION

Internal Assurance Dashboard - Cyber Security Corrective Actions Status Update

7(2)(f)(ii) The withholding of the information is necessary to maintain the effective conduct of public affairs through the protection of such members, officers, employees, and persons from improper pressure or harassment.

s7(2)(j) That the public conduct of this agenda item would be likely to result in the disclosure of information where the withholding of the information is necessary to prevent the disclosure or use of official information for improper gain or improper advantage.

The Council is specified, in the First Schedule to this Act, as a body to which the Act applies.

Authored by:

Olivia Giraud-Burrell

Business Analyst

Helen Marsden

Risk and Corporate Compliance Manager

Approved by:

Jessica Ellerm

Group Manager Corporate Services