Agenda of Risk & Audit Sub-committee - Wednesday, 10 May 2023

Meeting of the Risk & Audit Sub-committee

Date: 10 May 2023

Time: 9.00am

Venue:

Council Chamber

Hawke's Bay Regional Council

159 Dalton Street

NAPIER

Agenda

Item Title Page

1. Welcome/Karakia/Notices/Apologies

2. Conflict of Interest Declarations

Decision Items

3. Confirmation of the Risk & Audit Sub-committee Terms of Reference 3

4. 2022-2023 Enterprise Internal Audit Plan update and proposed 2023-2024 plan 7

5. Treasury Compliance Report for the period 1 January - 31 March 2023 13

6. Organisational Change Consolidation and Prioritisation Internal Audit findings 17

Information or Performance Monitoring

7. Audit Plan for the 2022-2023 Annual Report 33

Decision Items (Public Excluded)

8. Enterprise Risk Report 35

9. Internal Assurance corrective actions update 37

10. Privacy event 39

Hawke’s Bay Regional Council

Risk & Audit Sub-committee

10 May 2023

Subject: Confirmation of the Risk & Audit Sub-committee Terms of Reference

Reason for Report

1. This item provides the means for the Risk and Audit Sub-committee (RAS) to confirm its Terms of Reference.

Officers’ Recommendations

2. Council officers recommend that the RAS confirms the Terms of Reference as proposed and adopted by the Regional Council on 16 November 2022, for the remainder of this term of Council.

Background /Discussion

3. For the 2019-22 term of Council, the Finance, Audit and Risk Sub-committee was established as a sub-committee of Corporate and Strategic Committee (C&S), with meetings held quarterly to enable recommendations through to the C&S and then on to the Regional Council.

4. This term it was proposed that the Audit and Risk Committee (ARC) be established to report directly to Council and with a reduced meeting cycle of six monthly to reflect the auditing and risk management reporting cycles. By making this a sub-committee of Council instead of C&S, it was intended to streamline decision-making and address the issues items being considered three times, with the final decision being twice removed from the meeting at which the detailed information was presented and considered.

5. The proposed Terms of Reference presented today were amended, from the 2019 version, to clarify the different functions of the RAS and C&S. The C&S will review ongoing financial performance and financial decisions and the role of RAS to manage financial risk, i.e. investment/treasury related risk measures within the Treasury and Investment policies. As well, the RAS will continue to oversee the scope and outcomes of the external audit review of the Annual Report and its findings.

Options Assessment

6. The sub-committee has the options to either confirm the Terms of Reference as adopted by the Regional Council on 16 November 2022 or to agree amendments for recommending an updated Terms of Reference to the Council for adoption.

Decision Making Process

7. Council and its committees are required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:

7.1. Councils are required to (LGA sch.7 cl.19(1)) hold the meetings that are necessary for the good governance of their district or region.

7.2. Councils may appoint (LGA sch.7 cl. 30(1)(a)) the committees, subcommittees, and other subordinate decision-making bodies that they consider appropriate, including joint committees.

7.3. Given the provisions above, the Risk and Audit Sub-committee can exercise its discretion and make these decisions without consulting with the community.

Recommendations

That the Risk and Audit Sub-committee:

1. Receives and considers the Confirmation of the Risk & Audit Sub-committee Terms of Reference staff report.

2. Agrees that the decisions to be made are not significant under the criteria contained in Council’s adopted Significance and Engagement Policy, and that the Sub-committee can exercise its discretion and make the relevant decisions without conferring with the community.

3. Recommends that Hawke’s Bay Regional Council adopts the Terms of Reference for the Risk and Audit Sub-committee as amended as agreed today, 10 May 2023.

4. Reports to the Hawke’s Bay Regional Council that the Terms of Reference for the Risk and Audit Sub-committee was confirmed today, 10 May 2023, as adopted on 16 November 2022.

Authored by:

Leeanne Hooper

Team Leader Governance

Approved by:

Desiree Cull

Strategy & Governance Manager

Susie Young

Group Manager Corporate Services

Attachment/s

1 ⇩

2022-25 Risk and Audit Sub-committee Terms of Reference adopted 16 November 2022

Hawke’s Bay Regional Council

Risk & Audit Sub-committee

10 May 2023

Subject: 2022-2023 Enterprise Internal Audit Plan update and proposed 2023-2024 plan

Reason for Report

1. This item provides the Risk and Audit Sub-committee (RAS) with an update on the 2022-2023 Enterprise Internal Audit Plan and a proposed 2023-2024 Internal Audit Plan.

Background

2. The Internal Audit Framework requires that an Annual Enterprise Internal Audit Plan be adopted by RAS each year for the following financial year.

3. The adopted plan for the 2022-2023 financial year includes:

3.1. Organisational Change Consolidation and Prioritisation internal audit

3.2. Data Analytics internal audit.

4. The Organisational Change Consolidation and Prioritisation internal audit has been completed by the Council’s Internal Auditor Crowe and the audit report is the subject of an item on today’s RAS agenda.

5. The Data Analytics internal audit will commence in July 2023 to enable a full twelve-month analysis. These findings will be presented to the October 2023 RAS.

6. In light of Cyclone Gabrielle, the Executive Leadership Team (ELT) is recommending (ELT meeting of 21 April 2023) that RAS approves the adoption of the Data Analytics Internal Audit for the 2023-2024 Internal Audit Programme along with the additional reviews outlined below:

6.1. Independent review of HBRC Flood Protection and Drainage Schemes performance during Cyclone Gabrielle

6.2. Heretaunga Plains Flood Control Scheme

6.3. Cyclone Gabrielle Flood Report

6.4. HBRC Internal Review – Timeline of Events

6.5. Telemetry Resilience Review

6.6. Hydrometric Review.

7. Council’s Assurance Universe is attached. The Assurance Universe links enterprise reviews or audits undertaken over the past four years to an enterprise risk. Reviews and audits in the Assurance Universe include external audits, enterprise internal audits, business reviews with an enterprise focus, and section 17a reviews.

Financial and Resource Implications

8. The internal audits will be undertaken, as per the approved plan, within the 2023-2024 budgets allocated.

Decision Making Process

9. Council and its committees are required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:

9.1. This agenda item is in accordance with the Sub-committee’s Terms of Reference, specifically:

9.1.1. The purpose of the Risk and Audit Sub-committee is to report to the Corporate and Strategic Committee to fulfil its responsibilities for:
(1.3) the independence and adequacy of internal and external audit functions

9.1.2. The Risk and Audit Sub-committee shall have responsibility and authority to:
(2.5) Confirm the terms of appointment and engagement of external auditors, including the nature and scope of the audit timetable and fees; (2.6) Receive the internal and external audit report(s) and review actions to be taken by management on significant issues and recommendations raised within the report(s); and (2.11) Oversee systematic (LGA s17a) reviews of Council operational activities against Council stated performance criteria to determine efficiency/effectiveness of the delivery of Council services

9.1.3. The Risk and Audit Sub-committee is delegated by Council to:
(3.6) Review the objectives and scope of the internal audit function, and ensure those objectives are aligned with Council’s overall risk management framework; and (3.7) assess the performance of the internal audit function and ensure that the function is adequately resourced and has appropriate authority and standing within Council.

Recommendations

That the Risk and Audit Sub-committee:

1. Receives and considers the 2022-2023 Enterprise Internal Audit Plan update and proposed 2023-2024 plan staff report.

2. Confirms the internal audit plan for the 2022-2023 financial year includes:

2.1. data analytics (as resolved 4 May 2022)

2.2. Organisational Change Consolidation and Prioritisation (as resolved 4 May 2022).

3. Confirms the proposed internal audit plan for the 2023-2024 financial year includes:

3.1. Data Analytics Internal Audit

3.2. Independent review of HBRC Flood Protection and Drainage Schemes’ performance during Cyclone Gabrielle

3.3. Heretaunga Plains Flood Control Scheme

3.4. Cyclone Gabrielle Flood Report

3.5. HBRC Internal Review – Timeline of Events

3.6. Telemetry Resilience Review

3.7. Hydrometric Review.

Authored by:

Olivia Giraud-Burrell

Quality & Assurance Advisor

Helen Marsden

Risk & Corporate Compliance Manager

Approved by:

Susie Young

Group Manager Corporate Services

Attachment/s 1 Assurance Universe as at 1 May 2023

Hawke’s Bay Regional Council

Risk & Audit Sub-committee

10 May 2023

Subject: Treasury Compliance Report for the period 1 January - 31 March 2023

Reason for Report

1. This item provides compliance monitoring of Hawke’s Bay Regional Council (HBRC) Treasury activity and reports the performance of Council’s investment portfolio for the quarter ended 31 March 2023.

Overview of the Quarter – ending 31 March 2023

2. At the end of the quarter to 31 March 2023, HBRC was compliant with all measures in its Treasury policy except for the interest rate risk control limits.

3. As at 31 March 2023 the interest rate risk position was outside policy compliance. We had previously been reporting compliance against the 80% scenario of the current adopted LTP debt forecast for interest rate management purposes. This is due to debt levels being below LTP forecast.

4. Given the sharp increase in debt requirements post-Cyclone Gabrielle, we are now looking to confirm a new debt forecast so that we can update our debt funding strategy and therefore redesign our interest rate strategy accordingly.

5. Cash balances remain adequate and borrowing requirements to date have remained relatively low.

Background

6. Council’s Treasury Policy requires a Treasury Compliance report to be presented quarterly to the Risk and Audit Sub-committee. The policy states that the Treasury Compliance report is to include:

6.1. Treasury exceptions report

6.2. Policy compliance

6.3. Borrowing limit report

6.4. Funding and liquidity report

6.5. Debt maturity profile Interest rate report

6.6. Investment management report

6.7. Treasury investments

6.8. Cost of funds report cash flow and debt forecast report

6.9. Debt and interest rate strategy and commentary

6.10. Counterparty credit report

6.11. Loan advances.

7. The Investment Management report has specific requirements outlined in the Treasury Policy. This requires quarterly reporting on all treasury investments plus annual reporting on all equities and property investments.

8. In addition to the Treasury Policy, Council has a Statement of Investment Policy and Objectives (SIPO) document setting out the parameters required for funds under management for the HBRC Long Term Investment Fund.

9. Since 2018, HBRC has procured treasury advice and services from PriceWaterhouseCoopers (PwC) and their quarterly Treasury Report is attached.

Treasury exceptions report & policy compliance

10. As at 31 March 2023 the interest rate policy parameters did not meet the Treasury policy requirements. Specifically this is due to a higher debt forecast from increased capital expenditure on repairs from cyclone Gabriel. When a new debt forecast is confirmed (incorporating expected debt levels post cyclone) with the debt funding strategy, an interest rate strategy will be designed.

11. Our action to rectify this is to confirm a new debt forecast and transact new interest rate swaps to bring this back in line with the policy.

12. All other metrics remain compliant.

Funding & Liquidity

13. To ensure HBRC has the ability to adequately fund its operations, current policy requires HBRC to maintain a liquid balance of “greater than 10% of existing total external debt”. Current liquidity ratio is 31.83% and therefore meets policy.

14. The following table reports the cash and cash equivalents on 31 March 2023.

31 March 2023	$000
Cash on Call	8,790
Short-term bank deposits	0
Total Cash & and Deposits	8,790

15. To manage HBRC liquidity risk, HBRC retains a Standby Facility with BNZ. This facility provides HBRC with a same day draw-down option, to any amount between $0.3m-$10.0m, and with a seven day minimum draw period.

Debt Management & Interest Rate Report

16. On 31 March 2023 the external debt for the Council was $60.025m (includes $1m of pre-funded debt) and $75.688m including the loan from HBRIC.

17. Since the December 2022 quarter, $10m of short term borrowings were made to assist with the increased cash requirements following Cyclone Gabrielle.

18. The following summarises the year-to-date movements in Council’s debt position.

Summary of HBRC Debt

	HBRC only	HBRC Group
Opening Debt – 1 July 2022 – excl HBRIC Loan	46,725	46,725
New Loans raised	18,450	18,450
Less amounts repaid	(5.150)	(5.150)
Less pre-funded debt	(1,000)	(1,000)
Closing Debt 31 March 2023 (excluding HBRIC loan)	59,025	59,025
Plus opening balance - loan from HBRIC	16,663	-
Total Borrowing as at 31 March 2023	75,688	59,025

19. Council debt maturity profile remains compliant, however, any further short term drawdowns will push the policy limit in the 0-3 year bucket. We intend to look at borrowing a tranche over a 4 year term to alleviate this position while we confirm the updated debt forecast.

20. Please note the total in the infographic above includes our $10m BNZ overdraft in total debt.

21. We currently are forecasting that a further $30m is likely to be required in borrowings through to 30 June 2023.

22. Council interest rate risk position has previously been reported on against the 80% scenario of the debt forecast of the current adopted LTP. Given the increased debt requirements post cyclone Gabrielle this is now assessed against the full LTP forecast until a new debt forecast is confirmed.

23. Due to the movement in how we were assessing the interest rate risk, this has temporarily pushed the lower term buckets out of policy parameters.

24. Our action to rectify this is to confirm our new debt forecast and the transact new interest rate swaps which are currently at favourable levels below 4%.

Managed Funds

25. The LTP budgets an annual return of 5.16% from managed funds. Of this, 3.16% is used to fund activities with 2.0% retained to grow the capital base to enable the future earnings to protect the capital base for future generations (page 33 of LTP – Part 3 – Financial Strategy).

26. Council budgets separately for revenue from directly-held managed funds and those held by HBRIC. HBRIC is required to deliver an overall portfolio return by way of an agreed annual dividend agreed through an annual Statement of Intent. The composition (between revenues from managed funds and other sources such as port dividends is up to the HBRIC board). Council has budgeted to receive $10.5m in dividends from HBRIC within the FY 2022-2023.

27. The Fund performances have improved this quarter with the three portfolios combined gaining $5.53m after fees.

28. The following table summarises the fund balances at the end of this quarter compared with FY22.

	31 March 2022	31 March 2023
Fund Balances HBRC	$000	$000
Fund Balance HBRC	104,449	108,451
Capital Protected Amount HBRC (2% compounded)	114,239	115,961
Current HBRC value below protected amount	(9,790)	(7,510)

Funds Balances (Group + HBRIC)
Long-Term Investment Fund (HBRC)	45,679	47,409
Future Investment Fund (HBRC)	58,770	61,041
Total HBRC	104,449	108,451
Plus HBRIC	43,226	44,815
Total Group Managed Funds	147,675	153,266
Capital Protected Amount (2% compound inflation)	162,720	165,173
Current group value below protected amount	(15,045)	(11,907)

Cost of funds

29. The last 12 months to 31 March 2023, Gross Cost of Funds (COF) was 3% and Net COF was 2.79%.

HBRIC Ltd

30. In accordance with Council Policy, HBRIC Ltd provides separate quarterly updates to the Corporate and Strategic Committee.

Decision Making Process

31. Staff have assessed the requirements of the Local Government Act 2002 in relation to this item and have concluded that, as this report is for information only, the decision-making provisions do not apply.

Recommendation

That the Risk and Audit Sub-committee receives and notes the Treasury Compliance Report for the period 1 January – 31 March 2023.

Authored by:

Jess Bennett

Senior Manager - Finance Recovery

Chris Comber

Chief Financial Officer

Approved by:

Susie Young

Group Manager Corporate Services

Attachment/s

PWC Treasury Compliance Report 31 March 2023

Confidential
Under Separate Cover

Hawke’s Bay Regional Council

Risk & Audit Sub-committee

10 May 2023

Subject: Organisational Change Consolidation and Prioritisation Internal Audit findings

Reason for Report

1. This item provides the Risk and Audit Sub-committee (RAS) with the draft internal audit report on the Organisational Change Consolidation and Prioritisation audit undertaken by Crowe.

Officers’ Recommendations

2. Council officers recommend that the sub-committee considers the planned actions to address the recommendations of the draft Audit report and agrees the medium findings that will be monitored and tracked as corrective actions via the Corrective Actions Dashboard.

Executive Summary

3. The previous Finance, Audit and Risk Sub-committee (now RAS) agreed the Enterprise Internal Audit Plan for 2022-2023 on 10 August 2022, which included this audit.

4. The audit was carried out by Crowe, our Internal Auditor, during the period 31 January – 10 February, interviewing a range of staff, and the draft report was delivered in March 2023.

5. The audit scope covered:

5.1. Opportunities to strengthen decision making to ensure organisational change effectively drives the creation of value while ensuring the organisation is protected from undue risk, e.g. impact on people, compliance, etc, which is sometimes referred to as ‘risk in change’.

5.2. The audit did not cover the strategic decision-making process on each individual organisational change initiative and project management process as that was out of scope.

6. The Executive Leadership Team (ELT) has not reviewed the draft report at this time and it is anticipated that the Strategy & Governance team will be consulted (due to the majority of actions being for the Project Management Office) in the first instance on the findings, recommendations and actions.

Audit findings

7. There were no high priority findings observed. The report noted staff members interviewed had differing interpretations of what a change initiative is. In addition, the organisation has the correct tools to enable good project management going forward. The main themes of the findings for corrective action and improvement, included:

7.1. A Lack of clear definitions relating to change initiatives

7.2. Lack of formal policies relating to change and project management

7.3. Development of a change management methodology

7.4. Project management requirements

7.5. Prioritisation of activities.

Decision Making Process

8. Council and its Committees are required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:

8.1. The decisions associated with this agenda item are in accordance with the Sub-committee’s Terms of Reference, specifically:

8.1.1. The purpose of the Risk and Audit Sub-committee is to report to the Corporate and Strategic Committee to fulfil its responsibilities for (1.3) the independence and adequacy of internal and external audit functions

8.1.2. The Risk and Audit Sub-committee shall have responsibility and authority to (2.6) receive the internal and external audit report(s) and review actions to be taken by management on significant issues and recommendations raised within the report(s)

8.1.3. The Risk and Audit Sub-committee is delegated by Council to (3.5) ensure that recommendations in audit management reports are considered and, if appropriate, actioned by management.

Recommendation

That the Risk and Audit Sub-committee:

1. Receives and notes the Organisational Change Consolidation and Prioritisation Internal Audit findings staff report.

2. Reports to the Corporate and Strategic Committee that the medium priority findings from the Organisational Change Consolidation and Prioritisation Internal Audit report that will be monitored and tracked as corrective actions and reported to the RAS via the Corrective Actions Dashboard are:

2.1. …

2.2. …

2.3. …

Authored by:

Olivia Giraud-Burrell

Quality & Assurance Advisor

Helen Marsden

Risk & Corporate Compliance Manager

Approved by:

Susie Young

Group Manager Corporate Services

Attachment/s

1 ⇩

Organisational Change Consolidation and Prioritisation draft Internal Audit report

Hawke’s Bay Regional Council

Risk & Audit Sub-committee

10 May 2023

Subject: Audit Plan for the 2022-2023 Annual Report

Reason for Report

1. This item provides an update on the timing for the audit of HBRC’s 2022-2023 Annual Report.

Executive Summary

2. The statutory deadline for the adoption of the HBRC Annual Report is 31 October 2023.

3. Our auditors, Ernst & Young (EY), will undertake an interim visit during the week beginning 8 May and will begin the audit in the week beginning 18 September 2023.

4. The Audit Planning Report from EY will follow as a late attachment to the agenda, and representatives from EY will attend the RAS meeting to present their Audit Plan and take questions.

Background /Discussion

5. The audit and adoption of the Annual Report follows timelines set out in the Local Government Act 2002.

5.1. Section 98 (3) states that the annual report of a Council “must be completed and adopted, by resolution, within 4 months after the end of the financial year to which it relates”.

6. Officers have had discussions with our auditors, EY, about audit timing (see table below). This may change as our auditors refine their work plans and resourcing.

Dates	Description
w/b 8 May to w/b 15 May 2023	Audit interim visit will be conducted (4 people onsite for 2 weeks to complete the interim work for HBRC, HBRIC and FoodEast)
w/b 4 Sep to w/b 11 Sep 2023	Audit of HBRIC and FoodEast (2 weeks)
w/b 18 Sep to w/b 16 Oct 2023	Audit of the annual report (2 weeks onsite, remainder from Wellington)

7. Staff have a level of uncertainty that the timing of the audit and the proposed date for adoption can be achieved.

8. A draft Annual Report 2022-2023 will be presented to the Corporate and Strategic Committee on 20 September for review.

Timeline of Annual Report and Summary project management

Financial and Resource Implications

9. Staff do not expect the cost of the audit for 2022-2023 to exceed the budget allocated for the audit programme.

Decision Making Process

10. Staff have assessed the requirements of the Local Government Act 2002 in relation to this item and have concluded that, as this report is for information only, the decision-making provisions do not apply.

Recommendation

That the Risk and Audit Sub-Committee receives and notes the Audit Plan for the 2022-2023 Annual Report.

Authored by:

Sarah Bell

Team Leader Strategy & Performance

Chelsea Spencer

Senior Group Accountant

Approved by:

Chris Comber

Chief Financial Officer

Susie Young

Group Manager Corporate Services

Attachment/s

There are no attachments for this report.