Meeting of the Finance Audit & Risk Sub-committee
Date: Wednesday 12 August 2020
Time: 9.00am
Venue: Council Chamber, Hawke's Bay Regional Council, 159 Dalton Street, NAPIER
Agenda
Item Title Page
1. Welcome/Notices/Apologies
2. Conflict of Interest Declarations
3. Confirmation of Minutes of the Finance Audit & Risk Sub-committee meeting held on 12 February 2020
Decision Items
4. Procurement Policy Amendments to Support the HB Economic Recovery 3
5. Risk Maturity 51
6. Six Monthly Enterprise Risk Management Report 117
7. Annual 2020-21 Internal Audit Work Plan 145
8. 2019-20 Annual Report Audit Plan 163
9. Cyber Security Internal Audit Follow-up 191
10. Data Analytics Internal Audit Report 231
11. Internal Audits Review and Action Plan 247
12. Sub-committee Work Programme August 2020 Update 283
13. Treasury Report to 30 June 2020 (late item to come)
Finance Audit & Risk Sub-committee
Wednesday 12 August 2020
Subject: Procurement Policy Amendments to Support the HB Economic Recovery
Reason for Report
1. This item provides an update on progress implementing the HBRC Procurement Policy and Manual adopted by Council in July 2019. These documents incorporate recommendations made by Crowe Horwath in a 2018 audit report, guidance issued by the Office of the Auditor General and subsequent best practices guidelines and templates issued by the Ministry of Business, Innovation & Employment.
2. Since Council adopted the Procurement Policy in July 2019, factors such as Covid-19, climate change mitigation and the development of a risk framework have emerged that should be reflected in updates to the procurement policy.
3. The report also provides a 2019-20 year-end report of procurement metrics requested by the Finance Audit and Risk Sub-committee.
Officers’ Recommendation(s)
4. Officers recommend councillors review the updated draft Procurement Policy and Manual (attached), and consider the proposed changes as highlighted which include Climate.Smart.Recovery. suggestions made at the Regional Council meeting on 20 May, to strengthen HBRC’s ability to support the region’s economic recovery.
Background / Discussion
5. As a ‘live’ document, the HBRC Procurement Policy is being updated to reflect drivers for change. Since June 2019, when the policy was adopted by Council, a greater emphasis on climate change mitigation, supporting local economic recovery from Covid-19, and alignment with the HBRC development of a risk framework have been requested.
6. On 15 May 2020 a letter was sent to local government CEOs from the Auditor General. Included with the letter was a report with key observations and recommendations to review procurement policy and procedure at a local level. The report noted that while it is not mandatory for HBRC to comply with the Government procurement rules referred to by the OAG, these are known and accepted as best practice and it would be difficult to justify deviating from them. Key references from the report are listed below.
7. Governance and operational – “OAG often sees examples of procurements where the lines between governance and management are blurred. For example, mayors or other elected members might be part of tender evaluation panels. This is not good practice. However, it is entirely appropriate for major procurements to require sign-off by the governing body. In order for elected members to approve procurement decisions when required, they need enough information to make informed decisions.”
7.1. Action – The HBRC procurement manual has been strengthened to include procurement plan and tender recommendation templates for the Tenders Committee for items over $400k not covered by the CEO’s delegated financial authorities, and a probity sign-off checklist to assure informed decisions, keep the organisation ‘safe’ and get best value for money for ratepayers.
8. Conflicts of interest – “Under no circumstances should a procurement process allow council staff or elected members to receive preferential treatment. There are two specific restrictions that apply to elected members under the Local Authorities (Members’ Interests) Act 1968. Under the Act, an elected member cannot:
8.1. enter into contracts with their local authority worth more than $25,000 in a financial year; or
8.2. discuss or vote on matters before their authority in which they have a direct or indirect pecuniary interest, other than an interest in common with the public”
8.3. Action – The above wording has been added to the Procurement Policy under 5.2, with references to Gifts and Inducements (HBRC Policy 18) and Sensitive Expenditure (HBRC Policy 24). This will also be applied to HBRC committee members to ensure consistency.
9. Emergency procurement – No actions are required as this is already covered in the current policy and manual.
10. Capability and capacity – Policy and training. “Councils need to ensure that there are regular internal audits, or other reviews, of procurement activity. The findings from these reviews should be reported to the governing body either directly or through the audit and risk committee. Regular reviews of procurement practice can also help to identify training needs and other risks.”
10.1. Action – As identified in points 19 and 20, training and audit functions for procurement will be developed over the next six months, supported by an internal communications programme. HBRC will be taking part in a national procurement benchmarking survey (Procurement Capability Index) conducted by MBIE in October 2020.
11. Broader Outcomes procurement – The Government Procurement Rules require agencies to “consider, and incorporate where appropriate, broader outcomes when purchasing goods, services or works”. The rules define broader outcomes “as the secondary benefits that are generated from the procurement activity. They can be environmental, social, economic or cultural benefits.”
11.1. Although it is not mandatory for councils to comply with the rules, they are encouraged to do so. Councils that fail to comply with legislative requirements, or to follow best practice in their procurement, will be at risk of legal challenge and additional scrutiny and criticism from stakeholders and other third parties.
11.2. Councils can mitigate some of this risk by engaging with their elected members about their strategic objectives and how they can align these with their intended procurement outcomes. For example, if elected members want to prioritise using local suppliers, or support suppliers that pay a living wage, councils should be exploring ways to build those objectives into procurement policies and processes.
11.3. Action – This is covered by HBRC Procurement Policy principle No. 1, now extended to include Climate.Smart.Recovery., and practical consideration No. 6; policy clauses 5.7 and 5.9 cover local purchasing and fair wages. It is intended that the sustainability criteria used in HBRC evaluation processes be reviewed annually to reflect developments.
Procurement activity reporting 2019-20
12. Procurement reporting to FARS for the period 1 July 2019 to 30 June 2020
12.1. 212 contracts were created
12.2. 15 contracts were awarded with a value of $100k+, 6 contracts were valued at $75k-$100k, and 9 contracts valued at $50k-$75k were awarded
12.3. 150 contracts (70%) were assessed by the contract owners as being low risk, 54 contracts (25%) were assessed as being medium risk, and 8 contracts (3.7%) were assessed as high risk
12.4. Of the 32 contracts with a value greater than $50,000, 9 completed an RFP/RFQ process, 19 considered local suppliers, and 14 confirmed living wage payments
12.5. There are 27 contracts expiring in the next three months that will be subject to post contract evaluation.
13. Procurement information is now available ‘live’ at organisation and group level utilising the Power BI Dashboard. Further levels of drill-down detail are available at group, service and contract manager levels. A demonstration of the reporting database could be provided to the FARS at a future meeting if required.
14. On average, five contracts are being generated across the organisation every week, with the contract being one part of a three-stage (planning, sourcing and managing) process. The contract and deliverables are managed by the individual contract managers.
15. A contract expiring triggers an automated evaluation process with the contract owner, collecting data on the advisability of future use of the supplier based on timeliness, budget performance, meeting specification, health and safety performance, shared HBRC environmental vision, professionalism and any learnings from the project/contract delivery.
Next Steps
16. Procurement monitoring will continue to develop as an iterative process, with the procurement team applying continuous improvement to meet organisational needs.
17. Over the next six months there will be a review to increase the use of ‘All of Government’ contracts, which may provide an opportunity for further cost savings.
18. The development of an ongoing internal procurement training and procurement communications programme.
19. The design and implementation of an internal procurement audit programme in conjunction with the Strategic Risk Framework currently being developed.
20. Continued engagement with the Hawke’s Bay councils to develop and implement a Regional Strategic Procurement Plan (attachment 3). This will include utilising the results of the Procurement Capability Index survey being undertaken in October 2020.
Strategic Fit
21. The development of a centralised procurement and contract management function has assisted HBRC to adopt best procurement practice, to support HBRC strategic goals associated with Climate.Smart.Recovery.
Decision Making Process
22. Council and its committees are required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:
22.1. The decision does not significantly alter the service provision or affect a strategic asset.
22.2. The use of the special consultative procedure is not prescribed by legislation.
22.3. The decision is not significant under the criteria contained in Council’s adopted Significance and Engagement Policy.
22.4. Any decision of the sub-committee is in accordance with the Terms of Reference and decision-making delegations adopted by Hawke’s Bay Regional Council on 25 March 2020, specifically that the Finance, Audit and Risk Sub-committee shall have responsibility and authority to:
22.4.1. Receive the internal and external audit report(s) and review actions to be taken by management on significant issues and recommendations raised within the report(s)
22.4.2. Ensure that recommendations in audit management reports are considered and, if appropriate, actioned by management.
That the Finance, Audit and Risk Sub-committee:
1. Reviews the updated draft Procurement Policy and Manual and accepts the proposed changes as highlighted.
2. Receives and notes the reporting metrics provided for the period 1 July 2019 to 30 June 2020.
3. Recommends that the Corporate and Strategic Committee adopts the Procurement Policy and Manual with amendments as proposed.
Authored by: Mark Heaney, Manager Client Services
Approved by: Jessica Ellerm, Group Manager
Attachment 1: Revised Procurement Policy 2020
Attachment 2: Draft Revised Procurement Manual
Attachment 3: Procurement Development Framework 2020
Finance Audit & Risk Sub-committee
Wednesday 12 August 2020
Subject: Risk Maturity
Reason for Report
1. This item introduces to the Committee the draft risk management policy (attachment 1), the draft risk management framework (attachment 2), and Crowe’s finalised internal audit on HBRC’s enterprise risk management maturity assessment (attachment 3).
Officers’ Recommendation(s)
2. Council Officers recommend that the Finance Audit and Risk Sub-Committee (FARS) members:
2.1. approve both the HBRC Risk Management Policy and Framework as proposed, for recommending to the Corporate & Strategic Committee for adoption
2.2. consider Crowe’s report on HBRC’s enterprise risk management maturity assessment
2.3. note the risk maturity roadmap (attachment 4) as amended to include an internal assurance framework in phase III.
Executive Summary
3. At the Corporate and Strategic (C&S) Committee meeting held on 10 June 2020, external consultant Shash Davé from Ridgbak Consulting presented a high-level risk maturity assessment for HBRC. That assessment highlighted that HBRC’s Risk Management System (RMS) needed to mature to ensure that it remained current and added value to the organisation. At the same meeting, and in response to Shash Davé’s risk maturity assessment, a risk maturity roadmap for HBRC was presented and endorsed by the Committee.
4. As part of the risk maturity roadmap, a risk management policy and a risk management framework were developed. This paper therefore seeks endorsement from the FARS that the scope of these documents adequately addresses the desired risk system maturity. At the time of the C&S meeting on 10 June 2020, Crowe, as part of the FY20 internal audit plan, had commenced but not finalised an internal audit that was to provide a detailed assessment of HBRC RMS maturity. That audit report is now finalised and, as it relates to risk maturity, has been included with this paper. Crowe’s audit report reinforced the need to mature HBRC’s RMS. Crowe’s internal audit report findings and recommendations were reviewed against the risk maturity roadmap. Phase III of the risk maturity roadmap was subsequently updated to include the development of an HBRC internal assurance framework. All other internal audit report recommendations and findings were adequately addressed by the roadmap.
Background
5. All organisations (large and small) are faced with operating in a challenging and rapidly changing world. This changing external business environment brings an increase in uncertainties, and therefore an increase in risks, to organisations as they attempt to effectively set business objectives and efficiently execute on those objectives. Some examples of changes in the external environment include: rapidly changing stakeholder demands and expectations (e.g. social fairness, cultural, environmental, and economic), a changing regulatory/political or legal landscape, increased reliance on third parties, and advancements in technology that may be either a business disruptor or an enabler.
6. By definition, ‘risk’ is uncertainty on objectives. Therefore, acknowledging the rapidly changing world, Council along with the ELT identified the growing importance of a robust and embedded risk management system (RMS). An external consultant, Shash Davé from Ridgbak Consulting, was commissioned to undertake a high-level risk maturity assessment. In addition, as part of the FY20 annual internal audit programme, Crowe undertook an audit to review the design and operating effectiveness of HBRC’s RMS. The maturity assessment undertaken by Shash Davé, along with the audit findings by Crowe, identified the need for HBRC’s risk system to mature so that it becomes formalised, structured and embedded into the business.
7. Acknowledging the need to mature HBRC’s RMS, C&S at the meeting on 10 June 2020 endorsed a four-phased risk maturity roadmap that was developed in conjunction with the external consultant, Shash Davé. This paper covers the execution of components of phases I to III of the risk maturity roadmap, specifically the development of both HBRC’s risk management policy and framework. Several key decisions were required to right-size the formalised RMS for HBRC; these decisions are outlined in the discussion section of this paper. Essentially, the context of the RMS as it applies to HBRC is outlined in the risk management policy, while the scope of the RMS as it applies to HBRC is outlined in the proposed risk management framework.
8. Due to the six-monthly reporting cycle of risks to the FARS, management agreed to fast-track the development of the risk management policy and framework from phase III into phase I. These were formalised so that the proposed risk management policy and framework could be used as the basis to revise HBRC’s enterprise risks. The revised enterprise risks are included in the August 2020 risk report to the FARS. Both the draft risk management policy and framework were ratified by the Executive Leadership Team (ELT) at their meeting held on Monday 29 June 2020, and then workshopped with Councillors at the 15 July 2020 FARS workshop.
9. It is noted that when Shash Davé presented his high-level risk maturity assessment and risk maturity roadmap to the C&S on 10 June 2020, Crowe’s HBRC risk management maturity assessment that formed part of the FY20 internal audit plan was not finalised. That internal audit is now finalised, and it is noted that Crowe, in conjunction with staff, reviewed the audit report findings and recommendations against the risk maturity roadmap. Subject to the inclusion of a requirement to develop an internal assurance framework, the maturity roadmap adequately addresses Crowe’s audit findings. The development of an internal assurance framework has been added to phase III of the roadmap.
10. Crowe’s risk management maturity internal audit is summarised as follows. Crowe used the All-of-Government (AoG) enterprise risk maturity assessment framework as the benchmark for the audit. As part of the audit, Crowe, with input from HBRC’s staff, determined that given HBRC’s size, scale and mandate a minimum maturity level of ‘3’ would need to be attained using the AoG model. It was noted that a maturity level of ‘3’ would only drive a level of compliance rather than ‘value add’, and that HBRC’s risk maturity roadmap that was endorsed by the Corporate and Strategic (C&S) Committee at the meeting on 10 June 2020 would likely take HBRC to a maturity level beyond level ‘3’.
11. The audit report determined that, across all dimensions within the AoG enterprise risk maturity framework, HBRC scored below the minimum threshold of ‘3’. The framework dimensions that noted the largest maturity gaps included:
11.1. Leadership and Direction:
11.1.1. Establishing a long-term vision for risk management to provide a frame that enables continuous improvement
11.1.2. Adequately trained specialist risk resources across the business (e.g. BU Risk Champions) that can assist with embedding a consistent approach to risk identification, risk assessment, risk management and risk escalation
11.2. People and Development
11.2.1. Development of a risk policy that identifies clear risk roles and responsibilities and is supported by adequate training
11.3. Process and Tools
11.3.1. An absence of a formal ‘three lines of defence’ assurance framework that guides the corporate and operational annual internal audit programme and the execution of the individual audits within those programmes.
12. The full risk maturity assessment gaps using the AoG model are outlined in the spider diagram below. Full details for each individual dimension and the specific gaps can be found in the full Crowe internal audit report.
13. Lastly, within the report Crowe outlined specific ‘success factors’ that HBRC will need to maintain throughout the risk maturity journey. These success factors, as detailed on page five of the report, are reproduced below:
13.1. Buy-in and tone at the top. Risk management practices are more effective when they are supported by an appropriate ‘tone at the top’, when senior leaders are actively involved in risk management activities, encourage risk-related conversations and apply risk-based decision-making
13.2. Clear direction should be provided by the Council’s Finance, Audit and Risk Subcommittee (FARS) in line with the responsibilities described in its Terms of Reference (updated in March 2020). FARS should define what risk information it should receive, provide input into the Council’s risk appetite, assist management in risk assessment, etc.
13.3. Risk culture. Improving risk management processes requires the Council not only to have the right processes and tools, but also to embrace a culture of risk awareness and transparency. Every staff member has a role to play and each staff member should be encouraged to actively participate in the Council’s risk management activities – be it risk identification, communication or response
13.4. To support the above point, the Council should support its staff with a relevant risk-related training and awareness programme. The training should cover the roles and responsibilities of staff, and provide an overview of the Council’s risk management framework and processes and available risk management tools.
Discussion
14. The following section outlines the key decisions recommended by the ELT regarding the scope and context of HBRC’s RMS. These decisions are documented in either the proposed risk management policy or framework:
14.1. Enterprise risks will be reviewed by the ELT rather than establishing a separate Executive Risk Committee that focusses solely on risk management. The ELT are required to have a standing item on the ELT agenda to receive HBRC’s enterprise risks at least four times per year
14.2. Each business unit (BU) will appoint a BU Risk Champion to coordinate and oversee that BU’s risk activities. BU Risk Champions are required to attend risk forums to aggregate HBRC’s risks
14.3. The risk vision of HBRC’s RMS be: All HBRC staff take responsibility for owning HBRC’s risks with consistent and transparent risk intelligent decision making
14.4. The frequency of the formal risk reporting continues at least every six months to the FARS while now at least quarterly to the ELT
14.5. The formal identification, analysis and aggregation of risks including the use of ‘bowtie analysis’ be undertaken for all tier one and tier two critical risks
14.6. A three-rating approach be applied for control assessments being: effective, requires improvement or ineffective
14.7. A system exists so that any control corrective actions are monitored and tracked until closed.
14.8. The risk likelihood matrix includes both a quantitative and qualitative criterion (see appendix A of the risk management framework)
14.9. That the risk consequence matrix includes both a quantitative and qualitative criterion (see appendix B of the risk management framework)
14.10. The enterprise risk report will include a risk heatmap to provide a quick snapshot residual risk comparison (see appendix C of the risk management framework)
14.11. A risk escalation scale for reporting increasing risks in real time be adopted (see appendix D of the risks management framework)
14.12. ‘Accepted risks’, those deemed outside of Council’s risk appetite, be reported to the ELT whenever they receive a risk report, and to the FARS at every meeting for the duration that the risk remains an ‘accepted’ risk. This ensures management continually scan for new and cost-effective risk mitigations
14.13. The effectiveness and maturity of the RMS be considered through an annual review of both HBRC’s risk management policy and framework.
Strategic Fit
15. Maturity of HBRC’s risk management system contributes towards achieving all strategic goals/vision. A mature risk system provides consistent risk intelligent decision making enabling the efficient prioritisation of finite organisational resources to deliver on strategy.
Considerations of Tangata Whenua
16. Based on feedback provided at the Corporate and Strategic Committee meeting the inclusion of ‘objects and resources of cultural and heritage meaning and importance’ was specifically added to the risk management framework as a key dimension within the risk consequence matrix. In addition, within the revised suite of risks, under risk 04 ‘Strategic Partnerships’ Tangata Whenua has been specifically detailed.
Financial and Resource Implications
17. Maturity of the risk management system is phased to minimise budgetary implications. Some facilitated workshops will be required to establish the risk appetite with Council.
Next Steps
18. With the FARS endorsement of both the Risk Management Policy and Framework, the Risk and Assurance Lead will develop a detailed RMS implementation project plan. The plan will continue to deliver on the RMS roadmap while embedding into the business the risk practices and processes described by the risk management policy and framework.
Decision Making Process
19. Council and its committees are required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:
19.1. The decision does not significantly alter the service provision or affect a strategic asset, nor is it inconsistent with an existing policy or plan.
19.2. The use of the special consultative procedure is not prescribed by legislation.
19.3. The decision is not significant under the criteria contained in Council’s adopted Significance and Engagement Policy.
19.4. The decision of the sub-committee is in accordance with the Terms of Reference and decision-making delegations adopted by Hawke’s Bay Regional Council on 25 March 2020, specifically that the Finance, Audit and Risk Sub-committee shall have responsibility and authority to:
19.4.1. Review whether Council management has a current and comprehensive risk management framework and associated procedures for effective identification and management of the council’s significant risks in place
19.4.2. Undertake periodic monitoring of corporate risk assessment, and the internal controls instituted in response to such risks
19.4.3. Report on the robustness of risk management systems, processes and practices to the Corporate and Strategic Committee to fulfil its responsibilities.
That the Finance, Audit and Risk Sub-committee:
1. receives and considers the “Risk Maturity” staff report
2. confirms it is comfortable that management actions undertaken or planned for the future adequately respond to the findings and recommendations of the Crowe Internal Audit – Risk Management Maturity Assessment report
3. recommends that the Corporate and Strategic Committee approves both the Risk Management Policy and the Risk Management Framework as being sufficiently robust to manage Council’s significant risks.
Authored by: Helen Marsden, Risk and Assurance Lead
Approved by: Joanne Lawrence, Group Manager Office of the Chief Executive and Chair
Attachment 1: draft Risk Management Policy August 2020
Attachment 2: draft HBRC Risk Management Framework 2020
Attachment 3: 2020 Crowe HBRC Risk Management Maturity Assessment Report
Attachment 4: Path to Risk Maturity Exhibits August 2020
Finance Audit & Risk Sub-committee
Wednesday 12 August 2020
Subject: Six Monthly Enterprise Risk Management Report
Reason for Report
1. This item provides the Finance Audit and Risk Sub-committee (FARS) with the six-monthly update of Council’s enterprise risk profile. The update includes:
1.1. a residual risk rating for each enterprise risk
1.2. control corrective actions
1.3. supporting risk information such as known emerging issues or uncertainties that may impact Council’s risk profile.
Officers’ Recommendation(s)
2. Council Officers recommend that FARS members:
2.1. note the revised enterprise risks, the enterprise risk assessments for the revised risks, and the ‘new look’ risk reporting
2.2. note the control corrective actions that are in progress
2.3. note the supporting risk information.
Executive Summary
3. As part of HBRC’s enterprise risk management system (RMS) maturity, a risk management policy and risk management framework were developed. Using both the risk management policy and framework, the enterprise risks were revised and a ‘new look’ risk report produced. The revised risks and ‘new look’ risk report have been used to present HBRC’s enterprise risks to the FARS for this reporting period.
4. The August 2020 risk report noted that no enterprise risks had a residual risk rating of ‘high’. While the overall control assessment for some enterprise risks has been noted as ‘requires improvement’, controls for enterprise risks were working to a satisfactory level to mitigate any ‘high’ residual risk rating.
5. Seven enterprise risks have an overall control assessment noted as ‘requires improvement’. Of those seven risks, three have been identified as a key focus for corrective actions and resource prioritisation. Those risks are: risk 06 – Core ICT Services, risk 09 – People Capability, and risk 11 – H&S and Wellbeing.
6. The remaining risks that had control assessments noted as ‘requires improvement’ were: risk 01 – Strategic, risk 05 – Information Security, risk 07 – Legal Compliance, and risk 12 – Assets and Infrastructure. However, the control corrective actions for these risks, while important, were not deemed substantive and critical to mitigating HBRC’s residual risk profile.
Background
7. At the Corporate and Strategic (C&S) Committee meeting on 10 June 2020 the RMS maturity roadmap was endorsed. Included in the RMS maturity roadmap was the development of both a single risk management policy and framework. These documents are intended to standardise risk management activities across HBRC, including processes to identify and assess risks and risk controls.
8. Due to the six-monthly reporting cycle of enterprise risks to the FARS falling in August 2020, management agreed to fast-track the development of the risk management policy and framework from phase III to phase I of the RMS maturity roadmap. This was to enable the August 2020 FARS enterprise risk report to contain revised enterprise risks based on a more mature RMS, with guidance from the draft risk management policy and framework. Both the draft risk management policy and framework were ratified by the Executive Leadership Team (ELT) at the ELT meeting on 29 June 2020, and also permitted in principle by members of the FARS at the 15 July 2020 FARS workshop.
9. With both the risk management policy and framework ratified by the ELT and permitted in principle by the FARS, the enterprise risks were revised and a ‘new look’ risk report developed (attachment 1).
10. The ‘new look’ risk report provides supporting risk information, a snapshot comparison of the residual enterprise risks presented through the risk heat map, and a risk summary ‘one-pager’ for each enterprise risk. The risk ‘one-pager’ for each risk contains:
10.1. a risk description
10.2. risk exclusions and assumptions
10.3. risk causes
10.4. an inherent risk assessment and summary
10.5. a high-level control summary
10.6. an overall control assessment and where applicable control corrective actions, and
10.7. a residual risk assessment and summary.
11. It should be noted that the timeframe between completing the ‘final’ draft of both the risk management policy and framework, revising the enterprise risks with the ELT, and developing the risk ‘one-pagers’ was tight; as a result, not all bowties for each enterprise risk were finalised and workshopped. As per the RMS maturity roadmap, each enterprise risk will continue to be mapped using bowtie analysis over the next quarter. The bowtie analysis will strengthen the identified risk causes and risk controls, further enhancing the residual risk assessment and allowing continual improvement of the risk report to FARS for the next six-monthly reporting period.
12. The revised enterprise risks, risk assessments, and risk one-pagers were formally discussed by the ELT at the ELT meeting on 3 August 2020. It is noted that full implementation of the risk management framework requires a structured approach to risk aggregation through designated business unit (BU) Risk Champions. Implementation of the risk aggregation process will occur over the next six months as part of the RMS risk maturity roadmap; therefore, BU Risk Champions have not yet been assigned. Consequently, for this six-monthly report to the FARS, as an interim solution the enterprise risk and control assessments were discussed where applicable with the Tier 3 staff member responsible for the management of that risk. Discussions with Tier 3 staff were held ahead of the risk report being presented to the ELT, to provide bottom-up risk insights and risk-based challenge to the ELT in lieu of the structured risk aggregation process.
Discussion
13. The following section provides staff’s summary of the enterprise risk report that is attached. It is noted that no enterprise risk had a residual risk rating of ‘high’. While the overall control assessment for some enterprise risks has been noted as ‘requires improvement’, the controls for those risks were working at a satisfactory level, so no enterprise risk carried a high residual risk rating.
14. Seven enterprise risks have an overall control assessment noted as ‘requires improvement’. Of those seven risks, three have been identified as a key focus for corrective actions and resource prioritisation: risk 06 – Core ICT Services, risk 09 – People Capability, and risk 11 – H&S and Wellbeing.
15. Reasons for prioritising the control corrective actions for these risks include:
15.1. Risk 06 – Core ICT Services is considered a core corporate competency that provides reliable information for good decision making, process automation, and consistency of output. Therefore, effective ICT is a foundational function that enables an organisation to strive for excellence as it executes its strategy.
15.1.1. The control corrective actions for this include the onboarding of a permanent Chief Information Officer (CIO), and the proactive review of the ICT strategy that risk assesses priorities. The ICT strategy review will be led by the newly appointed CIO once fully on-boarded.
15.2. Risk 09 – People Capability, the control corrective actions identified are key mitigations to this risk. In addition, people capability is a core corporate competency for good decision making and the operational execution of strategy.
15.2.1. The control corrective actions for this risk include implementation of the new ELT structure to strengthen HBRC leadership. A cohesive ELT should reduce the negative impacts of silos and can proactively lead the desired corporate culture.
15.2.2. The recruitment of a People and Culture (P&C) Manager who, using a new P&C strategy, will proactively drive improvement to P&C processes and controls that ensure HBRC maintains the ‘right’ people capacity, competency and culture.
15.3. Risk 11 – H&S and Wellbeing, people safety and wellbeing is one of Council’s core commitments. From the Health and Safety internal audit undertaken in 2018 nine recommendations are still being worked on and therefore H&S remains a key focus area. A full work programme has been developed and additional staff resourcing put in place.
15.3.1. The control corrective actions for this risk are the development of a work plan that will continue to mature HBRC’s H&S system to an agreed and recognised standard. The previous ACC WSMP framework that HBRC used was retired late 2019.
16. In addition to the risk corrective actions prioritised above, the enterprise risk report also identified control improvements for risk 01 – Strategic, risk 05 – Information Security, risk 07 – Legal Compliance, and risk 12 – Assets and Infrastructure. However, the control corrective actions for these risks, while important, were not assessed as substantive and critical to mitigating HBRC’s residual risk profile.
17. The residual risk rating for each enterprise risk took into consideration the supporting risk information outlined in the risk report, specifically the continued uncertainty from the Covid-19 global pandemic and the internal audit close-out reports for data analytics, the risk management system maturity assessment, and the follow-up of actions from previous audits.
Next Steps
18. Risk and Assurance Lead to continue to implement risk maturity actions as guided by the risk management framework that will support the continued improvement of the six-monthly FARS enterprise risk report.
19. The Risk and Assurance Lead to track control corrective action progress.
Decision Making Process
20. Council and its committees are required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:
20.1. The decision does not significantly alter the service provision or affect a strategic asset and is not inconsistent with an existing policy or plan.
20.2. The use of the special consultative procedure is not prescribed by legislation.
20.3. The decision does not fall within the definition of Council’s policy on significance.
20.4. The decision of the sub-committee is in accordance with the Terms of Reference and decision-making delegations adopted by Hawke’s Bay Regional Council 25 March 2020, specifically the Finance, Audit and Risk Sub-committee shall have responsibility and authority to:
20.4.1. review whether Council management has a current and comprehensive risk management framework and associated procedures for effective identification and management of the council’s significant risks in place, and
20.4.2. undertake periodic monitoring of corporate risk assessment, and the internal controls instituted in response to such risks
20.4.3. report the robustness of risk management systems, processes and practices to the Corporate and Strategic Committee to fulfil its responsibilities.
Recommendations
That the Finance, Audit and Risk Sub-committee:
1. receives and considers the “Six Monthly Enterprise Risk Management” staff report
2. confirms its confidence that Council management has undertaken an effective risk identification and risk management process for Council’s significant risks, and that actions taken to date to mature HBRC’s risk management system are in line with Council’s expectations as provided to the 10 June 2020 Corporate and Strategic Committee meeting in the Risk Maturity Roadmap.
Authored by:
Risk and Assurance Lead
Approved by:
Jessica Ellerm, Group Manager
Joanne Lawrence, Group Manager Office of the Chief Executive and Chair
Attachment 1: August 2020 Enterprise Risk Report
Finance Audit & Risk Sub-committee
Wednesday 12 August 2020
Subject: Annual 2020-21 Internal Audit Work Plan
Reason for Report
1. This item presents the proposed Annual Internal Audit Plan for the 2020-21 financial year (FY21) for the Sub-committee’s adoption, along with an overview of other review activities under way across the organisation.
Officers’ Recommendation(s)
2. Council Officers recommend that the Sub-committee adopts the FY21 Annual Audit Plan as proposed by Crowe in Attachment 1 and confirms the direction of travel for management of other types of reviews across the organisation, including LGA s17a reviews.
Background /Discussion
3. Council’s philosophy toward the annual internal audit plan is to select areas of the organisation where councillors seek independent assurance based on perceived organisational risks or opportunities; both of which can drive business improvement. This proactive approach aligns with good business practices of continuous business improvement, risk management and assurance.
4. For the past three years Crowe has been contracted by HBRC to manage the FARS annual internal audit plan. This agreement was based on a three-year contract which contained a further one year right of renewal. HBRC staff have exercised the one year right of renewal and Crowe will manage the annual internal audit plan for FY21.
5. Crowe has prepared a draft FY21 Annual Internal Audit Plan (attachment 1) with consideration of previous internal audits, insights and observations of current risks and issues in the local government sector, coverage across HBRC’s functions and activities, discussions with staff, and available budget.
6. The Crowe plan proposes two internal audits and that 40 hours be retained as audit capacity should a specific risk area arise during the financial year that the FARS seeks specific assurance on.
7. The two reviews recommended by Crowe are:
7.1. People Recruitment, Retention and Wellbeing Review: This audit will assess HBRC’s people recruitment, retention and wellbeing strategies against the Institute of Internal Auditors Guidance for Auditing Business Functions – Human Resources. Note this audit does not review the People and Capability team structure or delivery.
7.2. Data Analytics: currently this audit is a 12-monthly cyclical review exercised over payroll and payables master and transactional data to identify potentially suspicious relationships, trends and transactions, covering transactions to 30 June 2020.
8. In addition to the above reviews supplementary internal audits regularly occur across the organisation in the form of operational audits. Operational audits test the operational effectiveness of HBRC’s codes of practice in areas such as Health and Safety or Quality.
9. It should be noted that under the proposed risk management framework any activities, including audits, that identify high risks are required to be escalated to the Chief Executive and Council, therefore providing some assurance that any supplementary audits with high risk findings in FY21 will be visible to the FARS members.
10. At the FARS workshop on 15 July 2020 staff were asked to consider the inclusion of an audit of the execution of projects to achieve the 24 strategic outcomes in the 2020-21 internal audit programme. There are currently control corrective actions underway to improve the reporting to Council, with better milestone progress and trajectory linkages. A review to ensure that the improved reporting is effective will therefore be included in the 2021-22 annual internal audit plan.
11. Crowe’s proposed internal audit plan for FY21 contains a table that lists the suite of audits that they have undertaken from FY18 to FY20, and other internal audits undertaken by other providers prior to FY18.
Financial and Resource Implications
12. Budget has been provided through the annual plan budget process and provides 220 hours of capacity for Crowe to manage the FY21 annual internal audit plan.
LGA s17a Reviews
13. The Local Government Act requires Council to review the cost effectiveness of its service delivery including options for the governance, funding, and delivery of infrastructure, services, and regulatory functions. There are currently two such reviews under way, being:
13.1. S17a Review of the Works Group – this report is currently being finalised with Management and is expected to be presented to the November 2020 FARS meeting.
13.2. S17a Biosecurity review – this review is currently in progress and a high-level update has been included in the ‘work programme update’ agenda item for this meeting.
14. These reviews will now be overseen, at a high level, by the Risk and Assurance Lead through the proposed “Audit Universe” to be developed as part of Risk Maturity.
Other Review Activities
15. From time to time reviews may be initiated by a Business Unit (BU) or Group for specific purposes. It is intended that all significant reviews, right across the organisation, will be overseen, at a high level, by the Risk and Assurance Lead through the proposed “Audit Universe” to be developed as part of Risk Maturity. A preliminary snapshot of current reviews in progress is attached (attachment 2) for the Sub-committee’s information and feedback.
Decision Making Process
16. Council and its committees are required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:
16.1. The decision does not significantly alter the service provision or affect a strategic asset, nor is it inconsistent with an existing policy or plan.
16.2. The use of the special consultative procedure is not prescribed by legislation.
16.3. The decision is not significant under the criteria contained in Council’s adopted Significance and Engagement Policy.
16.4. The decision of the sub-committee is in accordance with the Terms of Reference and decision-making delegations adopted by Hawke’s Bay Regional Council 25 March 2020, specifically the Finance, Audit and Risk Sub-committee shall have responsibility and authority to:
16.4.1. receive the internal and external audit report(s) and review actions to be taken by management on significant issues and recommendations raised within the report(s)
16.4.2. confirm the terms of appointment and engagement of external auditors, including the nature and scope of the audit, timetable, and fees
16.4.3. report the independence and adequacy of internal and external audit functions to the Corporate and Strategic Committee to fulfil its responsibilities.
That the Finance, Audit and Risk Sub-committee:
1. receives and considers the “Annual 2020-21 Internal Audit Work Plan” staff report
2. adopts the 2020-21 Internal Audit Work Plan as proposed.
Authored by:
Helen Marsden, Risk and Assurance Lead
Approved by:
Jessica Ellerm, Group Manager Corporate Services
Joanne Lawrence, Group Manager Office of the Chief Executive and Chair
Attachment 1: Crowe Proposed 2020-21 HBRC Internal Audit Plan
Attachment 2: HBRC Audit Universe Snapshot 2020-21
Attachment 2: HBRC’s Audit Universe SNAPSHOT 2020-21
RISK NUMBER & NAME | Review(s) | Audit (Internal or External) | Completed 2019/2020
1. Strategic (Decision; Implementation; Delivered) | none | none | Risk Management Maturity Assessment
2. Financial (Market; Liquidity; Credit) | none | Audit NZ – External Financial Audit | none
3. People (Community) and Environmental Health | S17a Biosecurity review; Forestry consenting and regulation review, including sediment erosion control guidelines | none | Water Management Follow-up Internal Audit
4. Strategic Partnerships | none | none | none
5. Information Security (incl cyber) | none | none | Cyber Security Internal Audit
6. Core ICT Services | none | none | none
7. Legal compliance | Privacy Policies review in anticipation of Privacy Act amendments | none | none
8. Business Interruption to HBRC | Covid19 Debrief | none | none
9. People Capability (People Assets) | none | People Recruitment, Retention and Wellbeing Internal Audit | none
10. Fraud | none | Data Analytics Internal Audit | Data Analytics
11. H&S and Wellbeing (worker & public) | none | none | Health & Safety Follow-up Internal Audit
12. Assets and Infrastructure | none | none | none
13. 3rd Party / Contractors | S17a Review of the Works Group | none | Contracts Management Internal Audit; Procurement Follow-up Internal Audit
Miscellaneous (other) | Quality Management System (QMS) interim surveillance audit by Telarc; Civil Defence Covid-19 Response Review | none | none
Finance Audit & Risk Sub-committee
Wednesday 12 August 2020
Subject: 2019-20 Annual Report Audit Plan
Reason for Report
1. This report is to update the Finance, Audit and Risk Subcommittee on the 2019-20 Annual Report Audit Plan.
2. Karen Young, Director, Audit NZ will be in attendance at the meeting to discuss the Audit Plan and respond to any queries.
Background
3. As part of the audit for the Annual Report each year, an audit plan is developed with management for the delivery of the audit of the Annual Report.
4. As per the Terms of Reference, the plan is being presented to the subcommittee as part of its responsibilities to review the scope of the audit and the timetable.
Discussion
5. The 2019-20 Audit Plan is being presented at this meeting due to the cancellation of the Finance, Audit and Risk subcommittee meeting during COVID and receipt of the Audit Plan in May 2020.
6. The plan sets out the approach to the audit and the main risks and issues that Audit NZ will focus on during the audit.
7. This year the following key risks and issues have been highlighted:
7.1. Valuation of investments in HBRIC
7.2. COVID-19 impact on public sector accounting standards
7.3. Revaluation of Infrastructure Assets
7.4. Fair Value of other revalued assets
7.5. Changes in the Group capital structure
7.6. Managed Funds Investments
7.7. Consolidation process
7.8. Adjustments to ensure HBRIC and NPHL results are correctly incorporated into HBRC's group results
7.9. Valuation of investment properties
7.10. The risk of management override of internal controls and fraudulent reporting
7.11. Ethics and integrity.
8. The interim audit of Internal Controls and the pre-final audit have been conducted to date and there are some minor items to review as part of the year end audit.
Next Steps
9. FARS committee members are asked to provide feedback on the Audit Plan to enable its finalisation.
10. Officers will continue to work with Audit NZ to provide the information required for the audit to ensure that the timetable for adoption of the Annual Report is met.
Decision Making Process
11. Staff have assessed the requirements of the Local Government Act 2002 in relation to this item and have concluded that:
11.1. as this report is for information only, the decision making provisions do not apply.
11.2. any decision of the sub-committee (in relation to this item) is in accordance with the Terms of Reference and decision-making delegations adopted by Hawke’s Bay Regional Council 25 March 2020, specifically the Finance, Audit and Risk Sub-committee shall have responsibility and authority to:
11.2.1. Satisfy itself that the financial statements and statements of service performance are supported by adequate management signoff and adequate internal controls and recommend adoption of the Annual Report by Council
11.2.2. Confirm that processes are in place to ensure that financial information included in Council’s Annual Report is consistent with the signed financial statements
11.2.3. Confirm the terms of appointment and engagement of external auditors, including the nature and scope of the audit, timetable, and fees.
That the Finance, Audit and Risk Sub-committee receives and notes the “2019-20 Annual Report Audit Plan” staff report and agrees the Audit Plan as proposed.
Authored by:
Bronda Smith, Chief Financial Officer
Approved by:
Jessica Ellerm, Group Manager
Attachment 1: Draft 2019-20 Annual Report Audit Plan
Finance Audit & Risk Sub-committee
Wednesday 12 August 2020
Subject: Cyber Security Internal Audit Follow-up
Reason for Report
1. This item provides the Sub-committee with an update on the recommendations arising from the Crowe Horwath Cyber Security internal audit report as requested by the 12 February 2020 Finance, Audit and Risk Sub-committee meeting.
Background
2. The Finance, Audit and Risk Sub-committee (FARS) agreed at its meeting on 22 May 2019 as part of the internal audit work programme, to engage Crowe Horwath to conduct an internal audit of Council’s cybersecurity controls.
3. The agreed scope and purpose of the audit was to evaluate the maturity of cybersecurity processes, policies, procedures, governance and other controls.
4. The audit identified four high risk findings, six medium risk findings and two low risk findings.
5. Following a review of findings and recommendations, commentary has been provided in the audit document describing management actions that have been undertaken or that are planned for the future.
6. Key areas for improvement are summarised below and further detail can be found in section 2 of the report.
7. Further reporting will be provided to this sub-committee in the future to provide status updates on the planned management actions outlined in the audit report.
Report Analysis
8. The following comments summarise the management actions and map to the summary of findings in section 1.3 of the attached report.
9. IDENTIFY – Improve management of legacy software risks.
9.1. A project is underway to renew the financial management system.
9.2. The HBRC software inventory has been updated.
9.3. Software dependencies are being documented and their risks assessed.
10. IDENTIFY – Improve the definition of ICT security roles and responsibilities.
10.1. A recent review of the ICT section identified the team and role with primary responsibility for cybersecurity.
10.2. Further work planned includes:
10.2.1. A review of the ICT Policy framework.
10.2.2. Adding a reference to the ICT acceptable use policy in the job description template for all staff.
10.2.3. Developing a RACI matrix for specific cybersecurity roles and responsibilities.
10.2.4. Adding a reference to cybersecurity responsibilities in third party software support contracts.
11. PROTECT – Improve control and review processes for access permissions.
11.1. An annual review of access permissions is performed by Audit NZ to assess access to financial systems.
11.2. The ICT department will perform an annual review of access to other systems that contain confidential data (HR and Regulatory systems) at the same time as the Audit NZ review.
11.3. Third party access to Council systems has been restricted to ‘enable on demand’.
12. DETECT – Improve visibility of alerting systems.
12.1. A central mailbox for alerts has been set up and is actively monitored by key personnel.
12.2. Cybersecurity alerts will be added to the ICT dashboard that is being developed – and is displayed on a screen in the ICT work area.
13. RESPOND AND RECOVER – Develop ICT Disaster Recovery Plans and Incident Management Processes.
13.1. Funding has been requested in the annual plan for the development and implementation of an ICT Disaster Recovery Plan.
13.2. Incident Management processes and templates will be developed.
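One way to make the annual access review in 11.1 to 11.3 mechanical, as an added example that is not HBRC’s or Audit NZ’s procedure: reconcile the system’s account export against the HR and contractor register and list the accounts a reviewer should look at first (leavers still enabled, owners unknown to HR, unused privileged accounts, and third-party accounts left enabled rather than ‘enable on demand’). The record fields, the role names treated as privileged, the 90-day stale-login threshold and all sample records are assumptions constructed for the example.

```python
"""Access-permission review reconciled against the HR / contract register.

Added example, not HBRC's or Audit NZ's procedure. It assumes the review has an
account export from the system and an active-person list from HR, and flags the
accounts a reviewer should look at first. All records are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Roles treated as privileged for the stale-login check (assumed names).
PRIVILEGED = {"FIN_ADMIN", "HR_ADMIN", "SYS_ADMIN"}


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: str                  # HR employee id, or contract id for a third party
    roles: Tuple[str, ...]
    enabled: bool
    last_login: Optional[date]
    third_party: bool = False


@dataclass(frozen=True)
class Person:
    person_id: str
    active: bool                   # still employed / engaged per HR or contract register


def review_access(accounts, people, as_of, stale_days=90):
    """Return {finding type: [usernames]} for:
    leaver              enabled account whose owner is no longer active
    orphan              owner id unknown to HR / the contract register
    stale_privileged    enabled privileged account unused for stale_days
    third_party_enabled third-party account left enabled instead of being
                        disabled until needed ('enable on demand')
    """
    roster = {p.person_id: p for p in people}
    findings = {"leaver": [], "orphan": [], "stale_privileged": [], "third_party_enabled": []}
    for a in accounts:
        owner = roster.get(a.owner_id)
        if owner is None:
            findings["orphan"].append(a.username)
        elif a.enabled and not owner.active:
            findings["leaver"].append(a.username)
        if a.third_party and a.enabled:
            findings["third_party_enabled"].append(a.username)
        if a.enabled and set(a.roles) & PRIVILEGED:
            if a.last_login is None or (as_of - a.last_login).days > stale_days:
                findings["stale_privileged"].append(a.username)
    return findings


# Constructed sample data.
PEOPLE = [
    Person("E100", True),
    Person("E101", False),        # left the organisation
    Person("C900", True),         # support vendor under contract
]
ACCOUNTS = [
    Account("astaff", "E100", ("FIN_ADMIN",), True, date(2020, 6, 28)),
    Account("bstaff", "E101", ("HR_USER",), True, date(2020, 3, 2)),
    Account("svc_legacy", "E999", ("SYS_ADMIN",), True, None),
    Account("vendor_support", "C900", ("SYS_ADMIN",), False, date(2020, 1, 15), third_party=True),
    Account("vendor_other", "C900", ("FIN_USER",), True, date(2020, 6, 30), third_party=True),
]
REVIEW_DATE = date(2020, 6, 30)


if __name__ == "__main__":
    for kind, names in review_access(ACCOUNTS, PEOPLE, REVIEW_DATE).items():
        print(f"{kind}: {names or 'none'}")
```

The output is a work list, not a verdict: an orphan account may be a service account that simply needs an owner recorded, and a disabled third-party account (vendor_support above) is the ‘enable on demand’ state the report describes, so it is not flagged.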
Decision Making Process
14. Staff have assessed the requirements of the Local Government Act 2002 in relation to this item and have concluded that:
14.1. as this report is for information only, the decision making provisions do not apply
14.2. any decision of the sub-committee is in accordance with the Terms of Reference and decision-making delegations adopted by Hawke’s Bay Regional Council 25 March 2020, specifically the Finance, Audit and Risk Sub-committee shall have responsibility and authority to:
14.2.1. Receive the internal and external audit report(s) and review actions to be taken by management on significant issues and recommendations raised within the report(s)
14.2.2. Ensure that recommendations in audit management reports are considered and, if appropriate, actioned by management.
That the Finance, Audit & Risk Sub-committee:
1. receives and considers the “Cyber Security Internal Audit” staff report
2. confirms it is comfortable that management actions undertaken or planned for the future adequately respond to the findings and recommendations of the Crowe Internal Audit – IT Security report.
Authored by:
Andrew Siddles, Acting ICT Manager
Approved by:
Jessica Ellerm, Group Manager
Attachment 1: Hawke's Bay Regional Council Internal Audit - IT Security, August 2019
Finance Audit & Risk Sub-committee
Wednesday 12 August 2020
Subject: Data Analytics Internal Audit Report
Reason for Report
1. To present the internal audit report (attached) for the Data Analytics audit undertaken by Crowe Horwath in late 2019.
Background
2. The Finance, Audit and Risk Sub-committee (FARS) agreed at its meeting on 22 May 2019, as part of the internal audit work programme, to engage Crowe Horwath to conduct an internal audit of Council’s Data Analytics.
3. The agreed scope and purpose of the audit was to review payables and payroll, and master and transactional data for the financial year ended 30 June 2019. This data was then analysed independently by Crowe Horwath for any potential anomalies or suspicious transactions.
4. The report was then provided to staff, along with a separate spreadsheet listing the transactions that required review. These spreadsheets were initially analysed by the Payroll Officer and the Team Leader Finance and then reviewed by the Chief Financial Officer to identify any findings requiring further investigation.
5. This is the third annual Data Analytics audit conducted by Crowe Horwath. The findings of the 2017-18 audit were previously reported to the sub-committee on 12 February 2019. A comparison to previous findings is also provided in the attached analysis.
Discussion
6. It is important to note that when a transaction is identified; it does not necessarily indicate that there is anything suspicious. There are often legitimate business reasons for a transaction being identified, such as different types of payments to a Council (rates credits versus payment for services) by way of pure example. These types of transactions may display in areas such as “duplicate address”, “GST/non-GST transactions”, or “duplicate IRD number” for example.
7. In addition, some transactions are listed purely for review purposes due to their deemed higher risk nature, such as “review of top 50 vendors” as an example. This in itself allows staff to easily assess whether vendors are in line with expectations and would highlight any vendors that may appear erroneous.
8. Given the small size of Hawke’s Bay, there are often times when an employee may share the same address as a vendor, usually a spouse. Transactional processing staff ensure that employee approvals are not allowed where any conflicts exist between an employee and a vendor.
9. Across the Accounts Payable data identified in the report, a review of each vendor and transaction identified has been undertaken. This consisted of blocking vendors where required or recording valid explanations.
10. There were 4 possible duplicate payments identified with 3 payments being genuine payments. There was 1 invoice of $608.00 paid twice which has been refunded. This was an application for a Clean Heat grant that was sent twice by the applicant and processed again in error.
11. In terms of the cross matching of data between payroll and accounts payable all records were reviewed with no issues to note.
12. For the payroll data, all data was reviewed with no issues noted.
2017-18 Comparison
13. The list of duplicates within the supplier master file has decreased substantially. For example, duplicate bank accounts have decreased from 89 to 34. Of these 34, all were legitimate duplicates, such as instances where a vendor has more than one business function (e.g. Hastings District Council).
14. The number of possible duplicate payments decreased from 40 to 4 with one being an actual duplicate which was of a low value.
15. Overall improvement in internal processes is noticeable since the prior data analytics assignment was performed, with additional checks reducing the number of transactions arising within the review. Staff recognize that there is a need to maintain appropriate process to reduce errors and to ensure correct internal controls are used to reduce the risk of fraud or misappropriation.
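The checks paragraphs 6 to 14 describe, as an added example that is not code from the original report or from Crowe Horwath: a small Python script over constructed, fictitious supplier, payroll and payment records that lists bank accounts shared by more than one supplier-master record, employee records matching a vendor on address, bank account or IRD number, and possible duplicate payments. The record shape, the 90-day window and the normalisation of invoice references are assumptions made for the example.

```python
"""Data-analytics tests over payables and payroll data.

Added example, not HBRC's or Crowe's code. It shows the kinds of test the
report describes on constructed, fictitious records.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Party:
    """A supplier-master or payroll-master record (same shape for both)."""
    party_id: str
    name: str
    bank_account: str
    address: str
    ird_number: str


@dataclass(frozen=True)
class Payment:
    vendor_id: str
    invoice_ref: str
    amount: float
    paid_on: date


def normalise(text):
    """Lower-case and collapse punctuation so 'INV-1001' == 'inv 1001'."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def bank_key(account):
    return account.replace("-", "").replace(" ", "")


def duplicate_bank_accounts(vendors):
    """Supplier records sharing a bank account: a review list, since one
    organisation with several business functions is a legitimate duplicate."""
    by_account = defaultdict(list)
    for v in vendors:
        by_account[bank_key(v.bank_account)].append(v.party_id)
    return {acct: ids for acct, ids in by_account.items() if len(ids) > 1}


def employee_vendor_matches(employees, vendors):
    """Payroll records whose address, bank account or IRD number matches a
    vendor; each hit is a conflict to exclude from that employee's approvals."""
    hits = []
    for e in employees:
        for v in vendors:
            reasons = []
            if normalise(e.address) == normalise(v.address):
                reasons.append("address")
            if bank_key(e.bank_account) == bank_key(v.bank_account):
                reasons.append("bank_account")
            if e.ird_number == v.ird_number:
                reasons.append("ird_number")
            if reasons:
                hits.append((e.party_id, v.party_id, tuple(reasons)))
    return hits


def possible_duplicate_payments(payments, window_days=90):
    """Same vendor, amount and (normalised) invoice reference paid more than
    once within window_days. Different invoices at the same price do not match."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p.vendor_id, round(p.amount, 2), normalise(p.invoice_ref))].append(p)
    flagged = []
    for (vendor_id, amount, _), ps in groups.items():
        ps.sort(key=lambda p: p.paid_on)
        if len(ps) > 1 and (ps[-1].paid_on - ps[0].paid_on).days <= window_days:
            flagged.append((vendor_id, amount, [p.paid_on for p in ps]))
    return flagged


# Constructed sample data (fictitious names, accounts and numbers).
VENDORS = [
    Party("V001", "Example DC - Rates", "02-0100-0123456-00", "1 Example Road, Hastings", "011-111-111"),
    Party("V002", "Example DC - Services", "02-0100-0123456-00", "1 Example Road, Hastings", "011-111-111"),
    Party("V003", "Example Fencing Ltd", "03-0200-0654321-00", "14 Sample Street, Napier", "022-222-222"),
]
EMPLOYEES = [
    Party("E100", "A. Staff", "12-3100-0555555-00", "14 Sample Street, Napier", "044-444-444"),
    Party("E101", "B. Staff", "12-3100-0666666-00", "3 Other Road, Taradale", "055-555-555"),
]
PAYMENTS = [
    Payment("V003", "INV-1001", 450.00, date(2019, 9, 3)),
    Payment("V003", "inv 1001", 450.00, date(2019, 9, 17)),  # re-sent invoice keyed in again
    Payment("V003", "INV-1002", 450.00, date(2019, 10, 1)),  # different invoice, same price
]


if __name__ == "__main__":
    print(duplicate_bank_accounts(VENDORS))
    print(employee_vendor_matches(EMPLOYEES, VENDORS))
    print(possible_duplicate_payments(PAYMENTS))
```

Each result is a review list rather than a finding, as paragraph 6 cautions: the shared bank account is the ‘one organisation, several business functions’ case, the address match is the spouse-as-vendor case that approval controls must exclude, and the third V003 payment is not flagged because its invoice reference differs.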
Next Steps
16. A proposed 2020-21 internal audit plan will be presented at the 12 August 2020 FARS meeting. Staff are seeking feedback as to whether this Sub-committee would like to see another data analytics assignment included in that proposal, as Auditors recommend completing a data analytics audit every year.
Decision Making Process
17. Staff have assessed the requirements of the Local Government Act 2002 in relation to this item and have concluded that:
17.1. as this report is for information only, the decision making provisions do not apply
17.2. any decision of the sub-committee is in accordance with the Terms of Reference and decision-making delegations adopted by Hawke’s Bay Regional Council 25 March 2020, specifically the Finance, Audit and Risk Sub-committee shall have responsibility and authority to:
17.2.1. Receive the internal and external audit report(s) and review actions to be taken by management on significant issues and recommendations raised within the report(s)
17.2.2. Ensure that recommendations in audit management reports are considered and, if appropriate, actioned by management.
That the Finance, Audit and Risk Sub-committee receives and notes the “Data Analytics Internal Audit Report”.
Authored by:
Bronda Smith, Chief Financial Officer
Approved by:
Jessica Ellerm, Group Manager
Attachment 1: Data Analytics Report
Finance Audit & Risk Sub-committee
Wednesday 12 August 2020
Subject: Internal Audits Review and Action Plan
Reason for Report
1. This item updates the Finance Audit and Risk Sub-committee (FARS) on Crowe’s final report for the ‘Follow-up Audit’ of previous internal audits. This internal audit was requested by the FARS through the FY20 internal audit plan. Crowe’s full audit report, headed ‘Hawke’s Bay Regional Council Internal Audit – Follow-up Audit’ and dated 25 May 2020, is attached to this paper (attachment 1).
Officers’ Recommendation(s)
2. Council Officers recommend that Finance Audit and Risk Sub-Committee (FARS) members consider Crowe’s internal audit final report and note the staff management comments in response to each internal audit finding contained within the report.
Executive Summary
3. As part of the FY20 internal audit plan Council approved an internal audit to review management actions relating to previous audits. The objective of the audit was to ensure that previously agreed recommendations and actions had been effectively implemented by staff, or, that senior management had specifically accepted the risk of taking no action.
4. Previous audits reviewed as part of this internal audit included:
4.1. Procurement and Purchasing - May 2018
4.2. Contracts Management - May 2018
4.3. Health and Safety - September 2018, and
4.4. Water Management Follow-up - May 2019.
5. Crowe noted in their conclusion that they observed ‘significant improvement in policy and processes across the areas of previous internal audits. The majority of recommendations have been completed, with 32 of the 43 recommendations implemented’.
Discussion
6. As part of the FY20 internal audit plan Council approved an internal audit to review management actions relating to the following prior internal audits:
6.1. Procurement and Purchasing - May 2018
6.2. Contracts Management - May 2018
6.3. Health and Safety - September 2018, and
6.4. Water Management Follow-up - May 2019
7. Crowe were commissioned to undertake the internal audit throughout April and May 2020. The objective of the audit was to ensure agreed recommendations and actions from the listed previous internal audits had been effectively implemented, or, that senior management had specifically accepted the risk of taking no action.
8. Crowe noted in their conclusion that they observed ‘significant improvement in policy and processes across the areas of previous internal audits. The majority of recommendations had been completed, with 32 of the 43 recommendations implemented’. Nine of the remaining 11 outstanding recommendations related to the previous Health and Safety internal audit. Of the original 18 recommendations from the Health and Safety audit, nine of the actions were implemented; the remaining nine outstanding actions require a dedicated Health and Safety resource to sustain the required actions on an ongoing basis. At the time of Crowe’s internal audit report (May 2020) a Senior Health Safety and Wellbeing Advisor had recently been appointed.
9. The total number of outstanding audit actions, broken down by individual audit, is summarised in the sections below. Staff responsible for the overall actions for each individual audit have contributed to the summary update.
Procurement and Purchasing
10. There was one audit action that was rated as ‘high’ in the original audit that is partially implemented and now has a residual rating of ‘medium’. The original finding related to a lack of evidence to support procurement decisions.
11. To fully close out the original audit finding the remaining outstanding action requires an internal monitoring process to ensure the procurement and contract processes comply with the procurement policy and manual. Procurement plan to implement an operational audit process aligned to the proposed HBRC internal assurance framework that is being developed as part of the HBRC risk maturity roadmap. The internal audit structure will leverage off the structure that is used within the quality management system (QMS). The target date to close out this finding is March 2021.
Contract Management
12. There was one audit action that was rated as ‘moderate’ in the original audit and has been partially implemented; the Crowe report now rates that action as ‘medium’. The original finding related to the contract evaluation process.
13. The evaluation of contract performance is currently being reviewed. A template has been partially designed, with good progress made, and is expected to be ready for implementation in October 2020.
Water Management Follow-up
14. No unactioned outstanding internal audit findings were noted.
Health and Safety
15. Of the 18 audit actions reviewed from the September 2018 Health and Safety internal audit, nine were noted as ‘implemented’, five ‘high’ audit actions were noted as ‘partially implemented’, two ‘moderate’ audit actions were noted as ‘partially implemented’, and two ‘moderate’ audit actions were noted as ‘yet to be actioned’.
16. In response to the follow-up Health and Safety audit, the Senior Health Safety and Wellbeing Advisor has provided the update below and has attached to this paper the full Health, Safety and Wellbeing Work Programme for 2019-21 (attachment 2).
16.1. As a result of a combination of the 2018 audit, the June 2020 follow-up audit recommendations, and feedback from the Executive team, the health and safety implementation plan has been reviewed and updated.
16.2. Hawke’s Bay Regional Council will utilise the institutional knowledge of Franz Assenmacher, the external health and safety advisor from Safe On Site, who has been contracted by Council for a considerable number of years to support some of the deliverables related to risk management, updates to Codes of Practice and for work site observations and the on-site auditing of contractors.
16.3. The work programme (attachment 2) will have a priority focus on risk management, incident reporting and investigation, contractor management and increasing the sphere of a robust staff wellbeing strategy.
16.4. In conjunction with the implementation plan, there will be active engagement with Group Managers and staff to ensure that Health Safety and Wellbeing is proactive, well understood, fully embedded and fit for purpose. This will include internal communications, safety campaigns and opportunities for staff to support a prevention approach to health and safety.
16.5. Regular updates on the progress of the health and safety implementation plan will also be provided to the Executive team and a quarterly update given to the Corporate and Strategic Committee as part of the Organisational Performance Report.
16.6. Once the first full 12 months of the implementation plan has been undertaken and embedded, it is proposed that a follow up audit be conducted as independent assurance that Council has responded to the recommendations adequately.
Specific responses to 2018 and 2020 audit recommendations
Formalise Health and Safety Structure
17. An HBRC Strategic Plan, Implementation Plan and Governance Charter were completed and adopted by Council resolution in June 2020.
Health and Safety Reporting
18. The quarterly Organisational Performance Report has matured over time and remains a work in progress, with the health and safety reporting element not currently including lead/lag indicators or Works Group data. The intention is that these elements will become part of future Organisational Performance reports, which will also include a new Health & Safety Reporting Dashboard aligned with Crowe audit recommendations.
Officers Knowledge
19. Health and Safety and Governance-based training was delivered to ELT and Councillors in November 2019 to reinforce their responsibilities under the legislation. A copy of the presentation for this training was sent again at the request of the Finance, Audit and Risk Sub-committee (FARS) in June 2020 and uploaded into Stellar for viewing.
Risk Management
20. The Health and Safety risk register is one which is maintained at the Health & Safety Committee level which is then rolled into the organisation’s risk register. This risk register is reviewed at least six monthly and reported up to the Executive Team and the Finance, Audit and Risk Sub-committee (FARS). The Sub-committee then reports to the Corporate and Strategic Committee which in turn reports to Council. In recognition of the growth of the organisation and the need to improve our risk maturity, the new Risk and Assurance Lead will work alongside the newly established H&S Senior Advisor to support the further development of the health and safety risk management process, looking to complete some bow tie analysis against the organisation’s identified critical risks.
Incident Reporting
21. A review of incident reporting and recording was conducted and concluded in August 2019, to capture more detail when reporting and recording incidents. Since the recruitment of the Senior Advisor Health Safety and Wellbeing there is a renewed emphasis on recording the critical risk involved, the potential consequences, the corrective action proposed, the lessons learnt and any further training required. The Incident Reporting format will also be changed to reflect the Five Whys (or 5 Whys), an iterative interrogative technique used to explore the cause-and-effect relationships underlying a particular problem. Currently the Works Group has a separate reporting form, the Process Improvement & Non-Conformance (PINC) template; the intention is that this will form the basis for collecting incident information across the whole of Hawke’s Bay Regional Council. Health and Safety are currently updating the electronic Nintex version of the Hazard, Injury & Incident form to reflect the Works Group PINC template.
Contractor Management
22. While not classified as ‘high’ in the audit report rating, contractors are a primary focus of the work plan. It is anticipated that a full review of contractor management will be undertaken as a project. This will include identifying all contractors across the organisation, contractor management, contractor pre-qualification and an audit programme. Whilst the project is a large piece of work requiring some consideration of resourcing, some immediate work will be undertaken with the procurement advisors to ensure that all current Hawke’s Bay Regional Council contractors have had inductions, and that all contractors who work with critical risks are included in the on-site observations and this is documented.
Next Steps
23. The Risk and Assurance Lead will track the progress of the 11 outstanding actions noted in Crowe’s ‘Hawke’s Bay Regional Council Internal Audit – Follow-up Audit’, dated 25 May 2020. Going forward, internal audit action tracking will be reported to FARS through a corrective actions dashboard that will form part of the ‘new look’ risk reporting.
Decision Making Process
24. Staff have assessed the requirements of the Local Government Act 2002 in relation to this item and have concluded that:
24.1. as this report is for information only
24.2. any decision of the sub-committee is in accordance with the Terms of Reference and decision-making delegations adopted by Hawke’s Bay Regional Council 25 March 2020, specifically the Finance, Audit and Risk Sub-committee shall have responsibility and authority to:
24.2.1. Receive the internal and external audit report(s) and review actions to be taken by management on significant issues and recommendations raised within the report(s)
24.2.2. Ensure that recommendations in audit management reports are considered and, if appropriate, actioned by management.
Recommendation
That the Finance, Audit and Risk Sub-committee:
1. receives and notes Crowe’s ‘Hawke’s Bay Regional Council Internal Audit – Follow-up Audit’
2. confirms it is comfortable that management actions undertaken or planned for the future adequately respond to the findings and recommendations of the Crowe Internal Audit Follow-up Audit report.
Authored by:
Risk and Assurance Lead
Kirsty McInnes, Senior Advisor Health and Safety
Approved by:
Joanne Lawrence, Group Manager Office of the Chief Executive and Chair
Attachment 1: 2020 Crowe HBRC Internal Audit Follow-up Audit Report
Attachment 2: Health Safety and Wellbeing Work Programme 2019-21
Finance Audit & Risk Sub-committee
Wednesday 12 August 2020
Subject: Sub-committee Work Programme August 2020 Update
Reason for Report
1. In order to ensure the sub-committee’s ability to effectively and efficiently fulfill its role and responsibilities, an overall update on its work programme is provided following.
Task | Item | Scheduled / Status
Internal Audits | Data Analytics | 2020 audit completed – report to 12 August FARS meeting
Internal Audits | Cyber Security follow-up for FARS | Follow-up report on management actions to 12 August FARS meeting
Internal Audits | Risk Management Maturity Assessment | 2020 audit completed – report to 12 August FARS meeting
Internal Audits | Internal Audit Follow-up (Audit of Audits) including Contracts Management, Water Management, Procurement, Health & Safety | Review of management actions completed – report to 12 August FARS meeting
Internal Audits | 2020-21 internal audit plan | To 12 August FARS for adoption
Risk Assessment & Management | Risk Maturity Roadmap | Adopted June 2020. New Policy & Framework to FARS 12 August meeting for adoption. Revised six-monthly Risk Management Report to FARS 12 August meeting
Insurance | Placement of insurance required within timeframes | In June, along with Councils from Hawke’s Bay, Manawatu-Wanganui and Bay of Plenty, HBRC conducted an RFP for insurance brokers. This resulted in the Hawke’s Bay Councils changing insurance brokers for their above-ground insurances to AON NZ Ltd from Marsh. Insurances have been placed for 1 July 2020 to 1 November 2020 with the existing insurers. Prior to 1 November 2020, AON is looking to conduct Insurance Risk Profiling to better inform the insurance placement and to develop an Insurance Maturity programme.
Annual Report | Completion of the Annual Report and its adoption prior to the statutory deadline with an unqualified audit opinion | Work is progressing on the Annual Report. The interim audit has been concluded with nothing reported to management. Auditors are due to be on site in late August / early September to complete the final audit requirements, and the Audit NZ auditor will attend the 12 August FARS meeting.
LGA S17a Efficiency Reviews | Works Group | Review completed and scheduled for Executive Leadership Team presentation ahead of the November FARS meeting
LGA S17a Efficiency Reviews | Biosecurity | Review in the final stages with report drafting underway. Scheduled for Executive Leadership Team presentation ahead of going to FARS.
Decision Making Process
2. Staff have assessed the requirements of the Local Government Act 2002 in relation to this item and have concluded that, as this report is for information only, the decision making provisions do not apply.
Recommendation
That the Finance, Audit and Risk Sub-committee receives and notes the “Sub-committee Work Programme August 2020 Update” staff report.
Authored by:
Leeanne Hooper, Governance Lead
Helen Marsden, Risk and Assurance Lead
Bronda Smith, Chief Financial Officer
Approved by:
Jessica Ellerm, Group Manager