Meeting of the Finance Audit & Risk Sub-committee
Date: Tuesday 20 September 2016
Time: 10.00am
Venue: |
Council Chamber Hawke's Bay Regional Council 159 Dalton Street NAPIER |
Agenda
Item Subject Page
1. Welcome/Notices/Apologies
2. Conflict of Interest Declarations
3. Confirmation of Minutes of the Finance Audit & Risk Sub-committee held on 18 May 2016
4. Matters Arising from Minutes of the Finance Audit & Risk Sub-committee held on 18 May 2016
5. Follow-ups from Previous Finance Audit & Risk Sub-committee meetings 3
Decision Items
6. Annual Report Year Ending 30 June 2016 7
7. Internal Audit Programme Proposed for 2016-17 23
8. HB LASS - Proposed Combined Approach to Internal Audits 55
9. Infrastructure Insurance 59
10. Business Continuance Plan 79
Information or Performance Monitoring
11. 2016 Sub-committee Work Programme 119
Decision Items (Public Excluded)
12. Confirmation of the Public Excluded Minutes of the Finance, Audit & Risk Sub-committee Meeting held on 18 May 2016 121
Finance Audit & Risk Sub-committee
Tuesday 20 September 2016
SUBJECT: Follow-ups from Previous Finance Audit & Risk Sub-committee meetings
Reason for Report
1. In order to track items raised at previous meetings that require follow-up, a list of outstanding items is prepared for each meeting. All follow-up items indicate who is responsible for each, when it is expected to be completed and a brief status comment. Once the items have been completed and reported to the Committee they will be removed from the list.
Decision Making Process
2. Council is required to make every decision in accordance with the Local Government Act 2002 (the Act). Staff have assessed the in relation to this item and have concluded that as this report is for information only and no decision is required, the decision making procedures set out in the Act do not apply.
That the Finance, Audit and Risk Sub-committee receives and notes the report “Follow-ups from Previous Finance Audit and Risk Sub-committee Meetings”.
|
Authored by:
Leeanne Hooper Governance & Corporate Administration Manager |
|
Approved by:
Paul Drury Group Manager |
Liz Lambert Chief Executive |
Follow-ups from Previous Finance, Audit & Risk Sub-committee Meetings |
|
|
Finance Audit & Risk Sub-committee
Tuesday 20 September 2016
Subject: Annual Report Year Ending 30 June 2016
Reason for Report
1. This report outlines the issues that Stephen Lucy, Director Audit NZ, proposes to discuss with the Subcommittee in relation to the audit of Hawke’s Bay Regional Council’s (HBRC) financial statements for the year ending 30 June 2016.
Comment
2. At the time of writing this paper there were only a few items to be resolved before Audit NZ would be in a position to complete their audit report. It is therefore anticipated that by the time Stephen Lucy makes his presentation to this meeting, the Annual Report audit would have been finalised.
3. Further, at the time of writing this paper both the Annual Report and associated Audit Report for HBRIC Ltd are still in draft and have yet to be finalised.
4. Appended as Attachment 1 are the issues that Stephen Lucy proposes to discuss with the Subcommittee.
5. The Deloitte’s report that recommends no change in the valuation of HBRC’s investment in Hawke’s Bay Regional Investment Company Ltd (HBRIC Ltd) is appended as Attachment 2. The conclusions of this report are referred to in Stephen Lucy’s paper.
6. At the conclusion of these discussions there will be an opportunity, if required, for Sub‑committee member only discussion with Stephen.
7. The audited Annual Report will be sent to Council for adoption at its meeting on 28 September 2016.
Decision Making Process
8. As this report is for information only and no decision is to be made, the decision making provisions of the Local Government Act 2002 do not apply.
That the Finance Audit and Risk Sub-committee receives and notes the issues provided by Stephen Lucy, Director Audit NZ, for discussion on HBRC’s Annual Report for Year Ending 30 June 2016. |
Authored by:
Paul Drury Group Manager |
|
Approved by:
Liz Lambert Chief Executive |
|
Audit NZ - Issues Paper on Annual Report 2015-16 |
|
|
|
2016 HBRIC Impairment Review - Final |
|
|
Finance Audit & Risk Sub-committee
Tuesday 20 September 2016
Subject: Internal Audit Programme Proposed for 2016-17
Reason for Report
1. To set out a proposed internal audit programme for the Subcommittee to consider, prioritise and approve.
Comment
2. Internal audits commissioned by this Council have, in the past been carried out by Pricewaterhouse Coopers (PWC). Since the inception of the Finance Audit and Risk Subcommittee in June 2015 the following audits have been undertaken by PWC.
2014-15
2.1. Treasury management.
2.2. Payroll.
2.3. Accounts payable.
2015-16
2.4. Business continuity and disaster recovery plan.
2.5. Cyber security risk.
3. The budget for internal audits for 2015-16 was $21,000, with $18,000 of this spent during that year.
4. The budget to cover internal audits for 2016-17 was increased to $30,000 to allow for a more comprehensive programme of audit to be undertaken.
5. Representatives from PWC, John Dixon (Partner), and Sophie Hay (Audit Manager), will attend this meeting to discuss the recommendations for the 2016-17 audit programme. This outline is appended to this paper as Attachment 1.
6. At a meeting of this Sub-committee on 9 November 2015, a number of priority areas for internal audit were set out for further consideration. These were:
6.1. Stakeholder Relationship Management (terms of reference submitted to the Sub‑committee on 9 November 2015; priced at $5,000 - $6,500
6.2. Fraud Prevention Detection Review (terms of reference considered by the Sub‑committee on 9 November 2015); priced at between $9,500 - $11,500.
6.3. Conflicts of Interest both general and procurement
6.4. Information Communication Technology (ICT) General Computer Control
6.5. Rating System
6.6. Health and Safety.
Internal Audit - Taxation Review
7. As part of Council’s internal risk programme, a tax review has been undertaken every three to four years to ensure compliance with our tax obligations. As Council is exempt from income tax, the main focus of this audit review covers GST, FBT and PAYE. These reviews have previously been carried out by Tax Team Ltd who are the local government experts in taxation and are engaged by the majority of councils throughout the country. Tax Team Ltd have recently been sold to PWC but have kept their local government team based in Wellington.
8. The last review was undertaken by Tax Team Ltd in May 2013. There is a separate budget provision in the Corporate Services budget for this three yearly audit. The budget provision for this is $20,000 for the 2016-17 year.
9. PWC will include recommendations for this tax review in Attachment 1.
Decision Making Process
10. Council is required to make a decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements contained in Part 6 Sub Part 1 of the Act in relation to this item and have concluded the following:
10.1. The decision does not significantly alter the service provision or affect a strategic asset.
10.2. The use of the special consultative procedure is not prescribed by legislation.
10.3. The decision does not fall within the definition of Council’s policy on significance.
10.4. The effect of this decision on determining what internal audits should be proceeded with will affect all stakeholders.
10.5. The options available to Council for a programme of internal audit are clearly set out in this paper.
10.6. The decision is not inconsistent with an existing policy or plan.
1. That the Finance Audit and Risk Subcommittee receives and notes the Internal Audit Programme report and advises staff which areas of HBRC business require an internal audit review during the 2016-17 financial year. 2. The Finance Audit and Risk Subcommittee recommends that Council: 2.1. Agrees that the decisions to be made are not significant under the criteria contained in Council’s adopted Significance and Engagement Policy, and can make decisions on this issue without conferring directly with the community and persons likely to be affected by or to have an interest in the decision. 2.2. That consideration be given to the areas of Council business that should be subject to an internal audit and also to consider whether the tax review should proceed for 2016-17. |
Authored by:
Paul Drury Group Manager |
|
Approved by:
Liz Lambert Chief Executive |
|
PWC Report re Internal Audit Programme 2016-17 |
|
|
Finance Audit & Risk Sub-committee
Tuesday 20 September 2016
Subject: HB LASS - Proposed Combined Approach to Internal Audits
Reason for Report
1. This report seeks endorsement by the sub-committee of a joint Hawke’s Bay LASS approach for the provision of internal audit services.
Comment
2. Pricewaterhouse Coopers (PWC) has been providing advice on risk framework and policy, approach to the analysis of risk and the areas in the business that they believe are a priority for internal audit exercises, to the sub-committee, since the latter part of 2015. It is proposed that PWC continues with the provision of internal audit for the financial year 2016-17.
3. This paper therefore sets out options for internal audits commencing year 2017-18.
4. Hawke’s Bay LASS, as part of its agenda to achieve improved Council services more efficiently and at the optimum cost, has been considering a joint approach to the provision of internal audit services. It is considered the merits of a combined internal audit approach would include:
4.1. Councils would have the same provider
4.2. There would be a sharing of knowledge between councils on internal audit requirements and delivery
4.3. There would be economies of scale achieved in both approach and learnings which can be used in each subsequent audit in the participating councils
4.4. Improved access to skills, specifically in the specialist area audits, i.e. non‑traditional financial audits.
5. It is envisaged that if a common internal audit provider was agreed to, that the communication between that provider and the Audit and Risk committees of each council would continue to be retained.
Current Situation
6. There is wide disparity among the five councils forming the Hawke’s Bay LASS in their approach to internal audit. Councils have different providers of internal audit and the development of internal audits are at varying levels of sophistication and delivery.
Options for Future Internal Audit Delivery
7. Option 1: Continue with Current Method for Delivering Internal Audit
7.1. The continuation of Hawke’s Bay councils independently securing differing levels of internal audit services is not considered the most effective and efficient way of undertaking this important risk management process. Opportunities for an improved collegial approach are reduced and opportunities to look at improved cost effectiveness are also reduced if the councils continue to operate independently of each other.
8. Option 2: Creation of an Internal Audit Position for Sharing between Councils
8.1. It is considered that this approach creates key person dependencies - whilst this approach would provide routine financial audits, the skills would need to be outsourced for audits in specialist areas, and there would be reduced opportunity for collegial support for the internal audit staff member.
9. Option 3: Tender for Internal Audit Services from Outside Providers
9.1. This is the preferred option for Hawke’s Bay LASS and it is considered this approach will deliver on all the benefits previously mentioned in this paper concerning a combined approach to internal audit through Hawke’s Bay LASS’s recommended tender process. It is believed this approach has the potential to provide a very high quality outcome at a competitive price for auditing.
9.2. The tender process would acknowledge that the Hawke’s Bay LASS councils recognise that internal audit and risk management are essential responsibilities and wish to appoint an external provider to develop and deliver internal audit work plans that provide independent and objective assurance that the financial and operational controls for Hawke’s Bay LASS councils are efficient, effective, economical and ethical.
10. The approach as outlined in option 3 above has been implemented by Bay of Plenty LASS (BOP LASS) and by five councils from the Waikato LASS. Discussions with BOP LASS and the Waikato LASS have established that the new arrangements provide each council with a degree of flexibility in how they approach their respective internal audit activities. It is also evident that the process has created a number of additional benefits including the collegial nature of this arrangement and some cost efficiencies.
Decision Making Process
11. Council is required to make a decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements contained in Part 6 Sub Part 1 of the Act in relation to this item and have concluded:
11.1. The decision does not significantly alter the service provision or affect a strategic asset.
11.2. The use of the special consultative procedure is not prescribed by legislation.
11.3. The decision does not fall within the definition of Council’s policy on significance.
11.4. All stakeholders are affected by this decision as the expectation is that Council will ensure that internal audit activities are carried out efficiently and effectively.
11.5. Options for future internal audit provision from 2017-18 are clearly set out in this paper.
11.6. The decision is not inconsistent with an existing policy or plan.
1. That the Finance, Audit and Risk Sub-committee receives and notes the “HB LASS Proposed Combined Approach to Internal Audits” report. 2. The Finance, Audit and Risk Sub-committee recommends that Council: 2.1. Agrees that the decisions to be made are not significant under the criteria contained in Council’s adopted Significance and Engagement Policy, and that Council can exercise its discretion under Sections 79(1)(a) and 82(3) of the Local Government Act 2002 and make decisions on this issue without conferring directly with the community. 2.2. Subject to sufficient support from Hawke’s Bay councils, participates in a joint request for proposal for internal audit services from external providers. |
Authored by:
Paul Drury Group Manager |
|
Approved by:
Liz Lambert Chief Executive |
|
Finance Audit & Risk Sub-committee
Tuesday 20 September 2016
Subject: Infrastructure Insurance
Reason for Report
1. The current insurance policy for insurance of HBRC infrastructure assets expires on 30 September 2016. Staff are currently awaiting quotations from insurance broker Aon for renewal of the policy.
2. This paper sets out the process HBRC has used to inform the level of infrastructure asset insurance that it would be prudent for HBRC to seek cover for, and the framework within which that infrastructure insurance is currently provided and is expected to continue.
Background
3. In June 2015, Council received a report on insurance for HBRC infrastructure assets and agreed to take out insurance cover through Aon. The insurance policy entered into was for 15 months from 1 July 2015 to 30 September 2016.
4. The level of insurance was based on a report “Natural Hazard Loss Estimate Analysis for River Management Assets – June 2015” which concluded that a maximum credible earthquake event (> 1 in 2000 year event) will cause between $11 and $59 million worth of damage to HBRC owned assets as set out in the Loss Summary below. The high level of loss is because of the significant concentration of assets on the Heretaunga Plains area and therefore the risk from a significant earthquake of damage to those assets.
Scenario |
ARI (Years) |
Loss Estimate ($m) |
||
Low |
Medium |
High |
||
Earthquake Scenario 1 |
2,100 |
11.0 |
24.1 |
59.0 |
Earthquake Scenario 2 |
110 - 400 |
4.5 |
7.7 |
17.0 |
Earthquake Scenario 3 |
26 – 110 |
2.7 |
4.1 |
7.8 |
Flood Scenario (3 main schemes) |
100 |
16.5 |
||
200 |
27 |
|||
500 |
37.1 |
|||
Volcano |
500 |
4.6 |
||
Tsunami |
500 (50th Percentile) |
9.6 |
||
|
500 (84th Percentile) |
14.4 |
||
|
2,500 (50th Percentile) |
22.4 |
||
|
2,500 (84th Percentile) |
35.5 |
5. Details of the current insurance policy are:
5.1. Insurance is taken out under the Horizons LASS
5.2. Loss estimates are as per the report “Natural Hazard Loss Estimate Analysis for River Management Assets – June 2015”.
5.3. There is a sub-limit for HBRC of 40% of $60m (to provide an additional safety margin over and above the earthquake loss estimate). The overall loss limit for the group (Horizons LASS) policy is $125m.
5.4. Cover includes 2 earthquake events up to the $60m during the period of insurance (with the reinstatement at NIL premium).
5.5. The excess is $1.5m.
5.6. The insurance premium is the equivalent of $144,000 for each 12 month period.
5.7. Optimised replacement cost/modern day equivalent value is the basis of valuation
6. Staff have met with Aon representatives over the past month and have provided the attached dossier of assets for informing insurers and reinsurers of the assets that insurance cover is being sought. Aon representatives are currently in London seeking quotations from insurance companies and will provide details of the outcome of their discussions upon their return. Aon has indicated that the premium is likely to be of a similar price to the current policy, but with some possible adjustment due to exchange rates and inflation.
7. Staff seek resolution from the Committee to recommend to Council that delegation be given to the Interim Chief Executive to enter into an agreement with Aon for insurance of HBRC infrastructure assets for a period of up to 2 years subject to being satisfied with the premium offered.
8. Staff are aware that central government are considering a review of their current policy which is to reimburse 60% of eligible costs to regional authorities above a threshold of 0.002 percent of net capital value of the region (approx. $600,000). Staff are maintaining a watching brief with regard to any potential change in policy and should a change to this policy be made, staff will work with the insurance brokers to determine how HBRC should respond.
9. It should be noted that any response to this possible change in policy will include a review by staff of emergency reserves held by HBRC to cover small events, initial response activity, the excess on any insurance policy, and the replacement of uninsured assets.
Financial and Resource Implications
10. There are no significant financial implications associated with the renewal of the insurance policy as it is expected that the renewed premium will be close to budget provisions.
Decision Making Process
11. Council is required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:
11.1. The decision does not significantly alter the service provision or affect a strategic asset.
11.2. The use of the special consultative procedure is not prescribed by legislation.
11.3. The decision does not fall within the definition of Council’s policy on significance.
11.4. No persons are directly affected by this decision.
11.5. Options have been considered in previous reports to Council.
11.6. The decision is not inconsistent with an existing policy or plan.
11.7. Given the nature and significance of the issue to be considered and decided, and also the persons likely to be affected by, or have an interest in the decisions made, Council can exercise its discretion and make a decision without consulting directly with the community or others having an interest in the decision.
1. That the Finance, Audit and Risk Sub-committee receives and notes the “Infrastructure Insurance” report. 2. The Finance, Audit and Risk Sub-committee recommends that Council: 2.1. Agrees that the decisions to be made are not significant under the criteria contained in Council’s adopted Significance and Engagement Policy, and that Council can exercise its discretion and make decisions on this issue without conferring directly with the community or persons likely to have an interest in the decision. 2.2. Delegates authority to the Interim Chief Executive to enter into an agreement for insuring HBRC infrastructure assets commencing upon expiry of the current policy, for a period of up to 2 years. |
Authored and Authorised by:
Mike Adye Group Manager |
|
|
|
Dossier of HBRC Infrastructure Assets for Insurance Purposes |
|
|
Finance Audit & Risk Sub-committee
Tuesday 20 September 2016
Subject: Business Continuance Plan
Reason for Report
1. This report provides the Sub-committee with HBRC’s Business Continuance Plan for consideration and recommendation to Council for adoption.
Comment
2. At its meeting on 18 May 2016, the Subcommittee received an update on progress on the Business Continuance Plan. This was in response to an audit completed by Pricewaterhouse Coopers (PWC) on Council’s Business Continuance Plan. The results of that Audit were presented to Council on 11 February 2016.
3. The Business Continuance Plan has now been completed and is appended to this paper as Attachment 1 for the Subcommittee to receive and note. It is proposed that this Plan be updated annually and be subject to an internal audit every five years.
4. The main recommendations on the Business Continuance Plan audit as recommended by PWC are set out below with comment as to their resolution.
Responsibility for Business Continuance Plan in the Council:
4.1. This Plan is being completed by all managers in Council that are responsible for aspects of business continuance. Overall responsibility for the compilation of the Plan sits with the Group Manager Corporate Services.
Requirements of the ICT System:
4.2. Each relevant business unit has identified the systems required by them from ICT and have assessed the impacts that the non-availability of these systems would have on their workflows. The Business Continuance Plan sets out the mitigation processes and procedures to solve this.
Business Continuance Plan Exercises to be Implemented
4.3. A schedule of exercises have been completed as part of the Plan. These scenarios will test the integrity of the Plan and the implementation of these exercises will be planned in the near future.
Communicating and Acceptance of Business Continuance Plans
4.4. Human Resources have implemented a change in position descriptions to incorporate, where appropriate, responsibility for understanding and implementing business continuity as it relates to each Council position. The introduction of this policy has been included in staff inductions. Further, to promote awareness of the Business Continuance Plan a web page has been created on the staff intranet to link to the Business Continuance Plan and the policy.
Decision Making Process
5. Council is required to make a decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements contained in Part 6 Sub Part 1 of the Act in relation to this item and have concluded the following:
5.1. The decision does not significantly alter the service provision or affect a strategic asset.
5.2. The use of the special consultative procedure is not prescribed by legislation.
5.3. The decision does not fall within the definition of Council’s policy on significance.
5.4. The decision is not inconsistent with an existing policy or plan.
1. That the Finance, Audit & Risk Subcommittee receives and notes the updated “Business Continuance Plan”. 2. The Finance, Audit and Risk Sub-committee recommends that Council: 2.1. Agrees that the decisions to be made are not significant under the criteria contained in Council’s adopted Significance and Engagement Policy, and that Council can exercise its discretion under Sections 79(1)(a) and 82(3) of the Local Government Act 2002 and make decisions on this issue without conferring directly with the community. 2.2. Endorses the Hawke’s Bay Regional Council Business Continuance Plan. |
Authored by:
Paul Drury Group Manager |
|
Approved by:
Liz Lambert Chief Executive |
|
Business Continuance Plan |
|
|
Finance Audit & Risk Sub-committee
Tuesday 20 September 2016
Subject: 2016 Sub-committee Work Programme
Reason for Report
1. In order to ensure the sub-committee’s ability to effectively and efficiently fulfill its role and responsibilities, an overall suggested work programme is provided following.
Task |
Item |
Scheduled / Status |
Internal Audits |
Processes, policies and procedures around stakeholder communications and relationship management (from risk register) |
2016-17 financial year |
|
Fraud prevention and detection (from risk register) |
2016-17 financial year |
|
Capturing and managing general and procurement related Conflicts of Interest |
· Staff policy considered at 18 May FA&R meeting · Interests Register for Executive staff initiated · Policy on how potential conflicts will be managed or mitigated on the Register of Interests for Elected Representatives and is to be declared on the Register of Interests adopted by Council 31 August 2016. |
|
Cyber security, including future proofing IT systems and IT general computer systems control |
Approved 17Feb16, and reported back to FA&R 18May16 |
|
Rating system – processes involved in striking the rate |
tbc |
|
Health & Safety compliance with policies and procedures |
tbc |
|
Stakeholder relationship management and risks in relation to elected representatives, and how such an audit might be conducted |
tbc |
|
Staff development and succession planning |
tbc |
Risk Assessment & Management |
Routine (6 monthly) reporting on risks to the FA&R Sub-committee |
December FA&R meeting |
|
Review previous 6-month Risk Assessment to note changes / improvements / areas that require attention |
December FA&R meeting |
|
Sub-committee carry out detailed review of individual Group’s Risk Management (as part of the programmed reviews of activities) |
tbc |
Insurance |
Council’s proposed 2017-18 Insurance programme |
tbc |
Annual Report |
Adoption of Audit report 20 September for recommendation to Council |
Auditor scheduled to attend September FA&R meeting |
Decision Making Process
2. As this report is for information only and no decision is to be made, the decision making provisions of the Local Government Act 2002 do not apply.
That the Finance, Audit and Risk Sub-committee receives and notes the “Sub-committee Work Programme” report. |
Authored by:
Leeanne Hooper Governance & Corporate Administration Manager |
|
Approved by:
Paul Drury Group Manager |
|
Finance Audit & Risk Sub-committee
Tuesday 20 September 2016
SUBJECT: Confirmation of Public Excluded Minutes of the Finance, Audit and Risk Sub-committee meeting held 18 May 2016
That the Council excludes the public from this section of the meeting being Confirmation of Public Excluded Minutes Agenda Item 12 with the general subject of the item to be considered while the public is excluded; the reasons for passing the resolution and the specific grounds under Section 48 (1) of the Local Government Official Information and Meetings Act 1987 for the passing of this resolution being:
|
Authored by:
Leeanne Hooper Governance & Corporate Administration Manager |
|
Approved by:
Paul Drury Group Manager |
|