Agenda of Risk and Audit Committee - Thursday, 15 February 2024

Hawke’s Bay Regional Council

Risk and Audit Committee

15 February 2024

Subject: Risk Maturity Refresh

Reason for report

1. This paper provides the Risk and Audit Committee (RAC) with an update on the reset of the approach to risk management within Hawke’s Bay Regional Council.

Executive Summary

2. HBRC is well advanced in adopting a different approach to risk management.

3. The purpose of the change in approach is to improve the quality of risk information and enable a comprehensive understanding of the risk profile of HBRC to feed into executive and governance discussion, planning, decision-making and monitoring.

4. The key concepts that underpin this approach are:

4.1. Defining risk in terms of HBRC’s purpose, what success looks like, and the major areas of uncertainty associated with this.

4.2. Single point accountabilities for each area of success/uncertainty (i.e. risk) at the ELT level, with supporting business leads to develop and maintain the one-page management plans for each area.

4.3. One-page management plans for each area to drive explicit action and decision-making.

4.4. Monthly sentiment surveys completed by the ELT to gauge the overall level of confidence/concern (i.e. risk rating) associated with each area, and the consistency of views across ELT.

4.5. The Enterprise Dashboard used by ELT, Council, and the Risk & Assurance Sub-committee each meeting to focus risk discussion, with two or three one-page management plans to enable deep-dives into specific areas of risk.

5. The role of Council is to enable democratic decision-making and to provide governance over the operations of HBRC. Central to this is the need for an understanding of the key risks faced by the Council and to factor this into Council decision making.

6. The role of the Risk and Audit Committee is to ensure that an effective system of risk management is in place and that this is working effectively.

7. In this regard, there is a distinction between the respective roles of the full Council and the Risk and Audit Committee of Council:

7.1. Full Council: makes effective decisions, and that decision-making takes into account the major areas of risk/uncertainty faced by HBRC (both upside opportunities and downside threats) – i.e. the content of risk management

7.2. Risk and Audit Committee: ensures there is an effective and enduring approach to identify, assess, manage and report on risk/uncertainty, and that this information is used as part of decision-making – i.e. the process of risk management.

Background

8. From a Council workshop on 18 July 2023 and councillors’ feedback, a one-page Enterprise Dashboard was developed, representing the collective view of the Executive Leadership Team and Council as to the risk profile of HBRC, expressed in terms of:

8.1. Purpose: what is most important to HBRC.

8.2. Success: what success looks like, reflecting the strategic priorities per the Long-Term Plan.

8.3. Uncertainty: the major areas of uncertainty (i.e., risk) associated with HBRC’s role and commitments.

9. Subsequent to the workshop with Council, several of the specific areas of success/uncertainty (i.e., risks reflected within the Enterprise Dashboard) have been workshopped and one page management plans developed to provide a simple way to define and describe:

9.1. the underlying risk (i.e., what matters to us).

9.2. the consequences of this (i.e., why this matters) expressed in terms of opportunities and threats.

9.3. the potential causes of this risk (i.e., what needs to be managed).

9.4. activities, controls, and mitigations in place (i.e., how this is managed).

9.5. outcomes and metrics related to this risk (i.e., how this will be monitored as part of wider organizational performance reporting).

9.6. a response plan (i.e., based on the current state, what do we want to do differently going forward).

Discussion

10. The attachment provides:

10.1. a recap on the risk maturity work that has been undertaken to date, including what we are doing in risk maturity, why we are doing the risk maturity work, and why risk maturity matters.

10.2. a summary of current state, including key work completed, emerging themes from the work completed, and insights from the implementation process to date.

10.3. HBRC’s current Enterprise Dashboards which summarise ELT’s sentiment from the December 2023 survey and Council’s sentiment from the January 2024 survey.

10.4. deep dives on two enterprise uncertainty areas, being:

10.4.1. Capability and Capacity of Service Providers and Partners

10.4.2. Health, Safety, Resilience and Wellbeing of People.

11. The two Enterprise Dashboards are based on the sentiment surveys of ELT and of Council whereas the two deep dive one-pagers are workshop assessments that include Tier 3 Managers and other Subject Matter Experts from across the business. The workshop assessments consider controls effectiveness, causes in relation to the internal and external environment, and potential gaps and issues, which is similar to a traditional risk analysis.

Next Steps

12. To further mature risk and continue to embed the new approach to risk management the following activities will occur over the next quarter:

12.1. reconfirm accountabilities for each area across the Executive Leadership Team

12.2. increase visibility of this work through communication and awareness-raising with staff (particularly tier three managers)

12.3. formalise the monthly sentiment survey

12.4. implement a process for monthly update/confirmation of the one-page management plans

12.5. cleanse identified controls for each of the success and uncertainty one pagers and develop an Enterprise control library

12.6. using the Enterprise control library establish a controls assurance programme.

Decision-making process

13. Staff have assessed the requirements of the Local Government Act 2002 in relation to this item and have concluded that, as this report is for information only, the decision-making provisions do not apply.

Recommendation

That the Risk and Audit Committee receives and notes the Risk Maturity Refresh staff report.

Authored by:

Helen Marsden

Risk & Corporate Compliance Manager

Approved by:

Susie Young

Group Manager Corporate Services

Attachment/s

Feburary 2024 Risk update

Under Separate Cover

Hawke’s Bay Regional Council

Risk and Audit Committee

15 February 2024

Subject: Risk Management Policy

Reason for report

1. This item seeks Risk and Audit Committee (RAC) endorsement for the revised Council Risk Management Policy (CD0023) in the form of a recommendation to Council.

Officers’ recommendation

2. Staff recommend that the RAC considers the revised Risk Management Policy (CD0023) and recommends its approval to Council.

Background

3. Council’s Risk Management Policy sets out the boundaries for establishing a Council-specific risk management framework. As part of risk management maturity and under the newly formed Risk and Audit Committee improvements to Council’s risk management practices and processes (framework) were identified. Therefore, Council’s current Risk Management Policy was reviewed to ensure alignment between Council’s new framework. And, also to confirm that under the new Terms of Reference Council’s Risk Management Policy would ensure that the Risk and Audit Committee would fulfil certain obligations.

4. At the 18 October 2023 RAC meeting staff were asked to:

4.1. articulate the culture of risk management in the Policy’s purpose or goal

4.2. link the policy to the risk management framework and strategic plan, and

4.3. provide an accompanying framework that supports the policy based on the new risk methodology.

5. The review of Council’s Risk Management Policy (CD0023) against Council’s new risk management framework did not highlight any material differences. The main changes to Council’s Risk Management Policy (CD0023) relate to the:

5.1. frequency of risk review and reporting

5.2. the inclusion of Councillor’s and Executive Leadership’s requirement to undertake regular sentiment surveys

5.3. the removal of the Risk Champion role that is no longer required under the new risk practices.

6. Council’s Risk Management Policy (CD0023) and therefore Council’s new risk management framework will continue to be benchmarked and aligned to the principles of ISO 31000:2018 Risk Management Standard and the All of Government Risk Maturity Model.

Discussion

Incident Reporting - Risk and Escalation Rating Context

7. At the 18 October 2023 RAC meeting the Committee also requested that management establish an incident escalation scale and report the new scale back to the RAC on how risk events will be reported to RAC.

8. Management then established an incident escalation scale which the Executive Leadership Team (ELT) reviewed and endorsed. ELT recommended in their review that the scale be incorporated into Council’s Risk Management Framework that accompanies Council’s Risk Management Policy (CD0023). Incorporating the incident escalation scale into Council’s Risk Management Policy and Risk Management Framework would provide a consistent approach to that which is applied in the Council’s key Risk-Based Management Systems including Health and Safety Management and Asset Management.

9. As a result, management have included in the Risk Management Framework a separate Incident and Non-conformance Management section (8.1.11 of the Framework). Figure 7 in section 8.1.11 details the new Incident Escalation Scale. In addition, the roles, and responsibilities in Council’s Risk Management Policy have been expanded to include content on incident management.

10. In setting Council’s incident escalation scale management considered and aligned to the Risk and Cause Rating Scale that is set out in the Risk Management Framework under section 8.1.6 Figure 6.

11. RAC will receive High-rated incidents for oversight. High-rated incidents have a wide impact, potential impact or operational disruption and need managing through a large scale CIMS structure. High-rated incidents highlight that immediate improvement is needed and urgent action required. Council Chair, RAC Chair, CE, ELT as well as Group Manager, Team Leader and Management System Advisor are informed at the time and there is ongoing reporting through separate report to the Risk and Audit Committee.

12. In addition to the above, it is expected management will bring to the attention of RAC any systemic issues deemed necessary as a result of thematic analysis of lower level issues.

13. As a result of the new incident escalation criteria there are no new operational risk incidents to report to RAC for this quarter. We have, however, noted a number of breaches in the Treasury Counterparty risk limits, which are presented as part of the Treasury Compliance Reporting agenda item.

Significance and Engagement Policy assessment

14. The significance of this decision is very low according to Council’s policy.

Financial and resource implications

15. Any financial impact in relation to changes to the Risk Management Policy will be managed within approved budgets.

Decision-making process

16. Council and its committees are required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:

16.1. The decisions of the Risk and Audit Committee are in accordance with the Terms of Reference and decision-making delegations adopted by Hawke’s Bay Regional Council 30 August 2023, specifically to provide advice and recommend actions, responses, and changes to the Council about risk management, assurance activities, governance oversight and internal control matters, including external reporting and audit matters. Specifically, this includes:

16.1.1. (1.1) The robustness of Council’s risk management systems, policies, practice, and assurance processes.

16.1.2. (2.1) Review whether Council management has a current and comprehensive risk management framework and associated procedures for effective identification and management of the Council’s significant risks in place.

Recommendations

That the Risk and Audit Committee:

1. Receives and considers the Risk Management Policy staff report.

2. Recommends that Hawke’s Bay Regional Council:

2.1. Agrees that the decisions to be made are not significant under the criteria contained in Council’s adopted Significance and Engagement Policy, and that Council can exercise its discretion and make decisions on this issue without conferring directly with the community or persons likely to have an interest in the decision.

2.2. Approves the revised Risk Management Policy (CD0023) as proposed.

Authored by:

Helen Marsden

Risk & Corporate Compliance Manager

Approved by:

Susie Young

Group Manager Corporate Services

Attachment/s

1 ⇩	CD0023 Risk Management Policy 2024
2	Risk Management Framework 2024		Under Separate Cover

Hawke’s Bay Regional Council

Risk and Audit Committee

15 February 2024

Subject: External Audit Report - Control Findings for the year ended 30 June 2023

Reason for Report

1. This report presents the Audit and Risk Committee with the Ernst & Young (EY) Control Findings report from the year ended 30 June 2023.

2. Representatives from EY will attend the meeting to present their report and take any questions.

Executive Summary

3. The EY Control Findings report (attached) highlights 8 control observations identified (including two additional observations audit have identified since presenting their preliminary report).

4. Corrective actions have been assigned an owner by HBRC and timeline as appropriate.

Background

5. Each year, following the completion of the audit of HBRC’s Annual Report, the auditor’s report back to the governing body on any findings from the audit. The report provides commentary on areas where the auditors identified control matters during their audit procedures, their recommendations for improvement, and HBRC management’s response to these findings.

6. The preliminary EY Audit Close Report was presented to the committee on 18 October 2023.

7. Seven Low-rated and one Medium-rated audit observations were raised for the June 2023 external audit.

8. One of the observations has been deemed as Medium-risk needing significant improvement, ideally within the next 6 months; this relates to the reconciliation of community loans – an ongoing issue that management is aware of. Due to system limitations, HBRC is currently unable to extract a report that details all outstanding loans to support the total community loans balance shown in the financial statements. HBRC has historically calculated a manual estimate using various data extracted from our systems, however, due to the level of estimation involved and the significance of the community loans balance, there is a greater risk that inaccuracies may not be identified.

9. The future of the Sustainable Home’s activity is currently being reviewed as part of the LTP process with these issues in mind and the outcome of this review will steer any action that may be taken.

10. The remaining 7 observations have been deemed as low risk and needing some improvement ideally within the next 6-12 months. Management has no significant concerns about these observations and is comfortable that processes are underway to resolve them.

11. In a year of significant impacts on our transactional and financial position this is seen as a positive result for HBRC.

Decision-making process

12. Council and its committees are required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:

13. Council and its committees are required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:

13.1. The decisions of the Committee are in accordance with the Terms of Reference and decision-making delegations adopted by Hawke’s Bay Regional Council 30 August 2023, specifically the Risk and Audit Committee shall have responsibility and authority to:

13.1.1. (2.8) Receive the internal and external audit report(s) and review actions to be taken by management on significant issues and recommendations raised within the report(s).

13.1.2. (3.5) Ensure that recommendations in audit management reports are considered and, if appropriate, actioned by management.

Recommendations

That the Risk and Audit Committee:

1. Receives and considers the External Audit Report - Control Findings for the year ended 30 June 2023 from Ernst and Young and the staff paper.

2. Agrees that the actions to be taken to address findings are adequate in the circumstances explained.

Authored by:

Chelsea Spencer

Senior Group Accountant

Chris Comber

Chief Financial Officer

Approved by:

Susie Young

Group Manager Corporate Services

Attachment/s

Ernst and Young Report on Control Findings for the year ended 30 June 2023

Under Separate Cover

Hawke’s Bay Regional Council

Risk and Audit Committee

15 February 2024

Subject: Audit Plan for the 2023-2024 Annual Report

Reason for Report

1. This item provides an update on the timing for the audit of HBRC’s 2023-2024 Annual Report.

Executive Summary

2. The statutory deadline for the adoption of the HBRC Annual Report is 31 October 2024.

3. Our auditors, Ernst & Young (EY), are planning to perform an interim visit in the two weeks beginning 8 April and intend to begin the Year End audit in the week commencing 23September 2024.

4. The Audit Planning Report from EY is attached and representatives from EY will attend the meeting to present their Audit Plan and take questions.

Background /Discussion

5. The audit and adoption of the Annual Report follows timelines set out in the Local Government Act 2002.

5.1. Section 98 (3) states that the annual report of a Council “must be completed and adopted, by resolution, within 4 months after the end of the financial year to which it relates”.

6. Officers have had discussions with our auditors, EY, about audit timing (see table below). This may change as our auditors refine their work plans and resourcing.

Dates	Description
w/b 8 April through w/e 19 April 2024	Audit interim visit will be conducted (est 4 people onsite for 2 weeks to complete the interim work for HBRC, HBRIC and FoodEast)
w/b 9 Sep through w/e 20 Sep 2024	Audit of HBRIC and FoodEast (2 weeks)
w/b 23 Sep through w/e 11 Oct 2024	Audit of the annual report (2 weeks onsite, remainder from Wellington)

7. This timing is consistent with the previous year, and although we are yet to develop our internal project plan we intend to follow a similar internal process timeline to that followed last year.

8. A number of key considerations need to be addressed, specifically:

8.1. For infrastructure assets planned to be revalued this year, EY will review the respective valuations for appropriateness. Valuations are usually prepared internally by staff and reviewed by AON valuation services. Given no valuations were undertaken in FY23 due to the significant cyclone damage, HBRC’s Asset Management Group is in the process of developing a detailed project plan for how valuations will be completed in FY24 including determining what level of external involvement may be required and by whom.

Decision-making process

9. Staff have assessed the requirements of the Local Government Act 2002 in relation to this item and have concluded that, as this report is for information only, the decision-making provisions do not apply.

Recommendation

That the Risk and Audit Committee receives and considers the Audit Plan for the 2023-2024 Annual Report.

Authored by:

Chris Comber

Chief Financial Officer

Chelsea Spencer

Senior Group Accountant

Approved by:

Susie Young

Group Manager Corporate Services

Attachment/s

Ernst and Young Audit Plan for the year ending 30 June 2024

Under Separate Cover

Hawke’s Bay Regional Council

Risk and Audit Committee

15 February 2024

Subject: External Audit Report - ISO 9001-2015 certification

Reason for report

1. This item provides the Risk and Audit Committee (RAC) with the external audit report on ISO 9001:2015 Annual Review undertaken by Telarc.

Executive Summary

2. The ISO 9001:2015 Annual Review was carried out in December 2023 in accordance with the 2023-2024 Internal Audit Plan. The scope of the review was to establish the effectiveness of the current Quality Management System (QMS) against the ISO9001:2015 standard and to establish actions to reduce the risk of non-conformance outcomes.

3. The Executive Leadership Team reviewed and agreed the findings at its meeting on 30 January 2024.

4. There were no major non-conformances observed. The report noted that, given that HBRC had been at the centre of the Cyclone Gabrielle recovery efforts, our QMS is operating effectively. We received two minor non-conformances:

4.1. Inconsistencies were identified in the retention of documented information required by HBRC, with respect to job sheet checklists, to the extent necessary to have confidence that the processes have been carried out as planned.

4.2. Non-conformance and corrective action information captured in the Hazmate system is currently not included in the data analysis for the quarterly management review meetings.

5. There were also a small number of opportunities for improvement. All activities assessed were observed to be appropriately controlled. The minor non-conformities will be reviewed at the revalidation of the ISO9001:2015 to be carried out in September/October 2024.

Decision-making process

6. Council and its committees are required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:

7. Council and its committees are required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:

7.1. The decisions of the Committee are in accordance with the Terms of Reference and decision-making delegations adopted by Hawke’s Bay Regional Council 30 August 2023, specifically the Risk and Audit Committee shall have responsibility and authority to:

7.1.1. (2.8) Receive the internal and external audit report(s) and review actions to be taken by management on significant issues and recommendations raised within the report(s).

7.1.2. (3.5) Ensure that recommendations in audit management reports are considered and, if appropriate, actioned by management.

Recommendations

That the Risk and Audit Committee:

1. Receives and considers the External Audit Report - ISO 9001-2015 Annual Review.

2. Confirms that the actions to be taken to address the findings are adequate in the circumstances explained.

Authored by:

Olivia Giraud-Burrell

Quality & Assurance Advisor

Helen Marsden

Risk & Corporate Compliance Manager

Approved by:

Susie Young

Group Manager Corporate Services

Attachment/s

External Audit Report - ISO 9001:2015 Annual Review

Under Separate Cover

Hawke’s Bay Regional Council

Risk and Audit Committee

15 February 2024

Subject: Treasury Compliance Report for the period 30 September - 31 December 2023

Reason for report

1. This item provides compliance monitoring of Hawke’s Bay Regional Council’s (HBRC) Treasury activity and reports the performance of Council’s investment portfolio for the quarter ended 31 December 2023.

Overview of the quarter ending 31 December 2023

2. At the end of the quarter to 31 December 2023, HBRC was compliant with all measures in its Treasury Policy with the exception of the counterparty risk policy during the period.

3. In December 2023, HBRC received a dividend of $3.905m from HBRIC following receipt of the Napier Port dividend of the same value.

4. Cyclone Gabrielle has impacted both cash balances and borrowing requirements, with ongoing additional borrowing required to fund the recovery. Insurance proceeds when received will soften the effects of additional borrowing.

Background

5. Council’s Treasury Policy requires a quarterly Treasury Report to be presented to the Audit and Risk Sub-committee. The policy states that the Treasury Report is to include:

5.1. Treasury exceptions report

5.2. Policy compliance

5.3. Borrowing limit report

5.4. Funding and liquidity report

5.5. Debt maturity profile Interest rate report

5.6. Investment management report**

5.7. Treasury investments*

5.8. Cost of funds report, cash flow and debt forecast report

5.9. Debt and interest rate strategy and commentary

5.10. Counterparty credit report

5.11. Loan advances.

6. The Investment Management report has specific requirements outlined in the Treasury Policy. This requires quarterly reporting on all treasury investments plus annual reporting on all equities and property investments.

7. In addition to the Treasury Policy, Council has a Statement of Investment Policy and Objectives (SIPO) document setting out the parameters required for funds under management for the HBRC Long Term Investment Fund and the Future Investment Fund.

8. Since 2018, HBRC has procured treasury advice and services from PricewaterhouseCoopers (PwC) who provide quarterly Treasury reporting for internal monitoring purposes.

Treasury exceptions report and policy compliance

9. As at 31 December all counterparty exposures were within limits.

10. However, during the quarter to 31 December 2023, there were a number of Investment Limit breaches noted on the Jarden HBRC cash balance as outlined in the table below. (A $15m cash investment limit exists on all our Counterparties).

11. Of all breaches noted between 1/11/2023 to 17/11/2023, only 1 is primarily because of HBRC direct cash management. This was due to excess funds received for recovery-related activities and delays in receiving expected creditor invoices, therefore funds were not required until later in November as expected.

12. Other breaches are related to Recovery Funding received from the Crown held on behalf in the Jarden and BNZ Recovery accounts, i.e. silt and debris. Total recovery funds held during Q2 period ranged from c$70m in October to $45m at the end of the quarter. HBRC mitigated potential risks early on by Jarden managing their funds both across ANZ and Westpac, with remaining funds in the HBRC Recovery Funds account with BNZ. This means these funds are split across 3 main registered NZ banks.

13. Council officers are of the view that the management of the Recovery Funding held on behalf should sit outside our current HBRC Treasury policies because holding these funds is specific and is generally for a short period while programmes of work are executed, i.e. silt and debris, RRA recovery.

14. This remains an on-going issue while HBRC works through the cyclone recovery.

Funding and Liquidity

15. To ensure HBRC has the ability to adequately fund its operations, current policy requires us to maintain a liquid balance of “greater than 10% of existing total external debt”. Current liquidity ratio is 25.03% and therefore meets policy.

16. The following table reports the cash and cash equivalents on 31 December 2023.

31 December 2023	$000
Cash on Call	19,958
Short-term bank deposits	4,300
Total Cash & and Deposits	24,258

17. To manage liquidity risk, HBRC retains a Standby Facility with BNZ. This facility provides HBRC with a same-day draw-down option, to any amount between $0.3-$10.0m, and with a 7-day minimum draw period.

Debt Management

18. On 31 December 2023 the current external debt for the Council group was $103m which includes $4.3m of pre-funded debt ($120.3m including the loan from HBRIC).

19. Since Q4 an additional $4.3m in borrowings were received to pre-fund long-term debt maturing in April 2024.

20. The following summarises the year-to-date movements in Council’s debt position.

Summary of HBRC Debt

	HBRC only $000	HBRC Group $000
Opening Debt – 1 July 2023 – excl HBRIC Loan	84,830	84,830
New Loans raised*	59,500	59,500
Less amounts repaid	(40,648)	(40,648)
Closing Debt 31 December 2023 (excluding HBRIC loan)	103,682	103,682
Plus opening balance - loan from HBRIC	16,663	-
Total Borrowing as at 31 December 2023	120,345	103,682

*Includes pre-funding debt of $4.3m.

21. Council’s debt maturity profile remained compliant, however continued short term drawdowns put pressure on the policy limit in the 0-3 year bucket. This is expected to remain high while we work through the cyclone funding and insurance claims. The infographic below includes our $10m BNZ overdraft in total debt.

Funding summary

22. We have borrowed a further $4.3m in the quarter to 31 December 2023 and staff are forecasting the need for further drawdowns in Q3 to March 2024. However, the timing and values are still to be confirmed and will depend upon the execution of the capital programme planned between now and then.

23. Any insurance or NEMA proceeds will be used to repay the short-term debt which is currently $30m.

24. We have entered into 4 swap rate options during the quarter to mitigate our interest rate risk and alleviate pressure on the short-term buckets.

Managed Funds

25. Total Investment Fund portfolios capital, adjusted for inflation at 31 December 2023, was $6.117m below the inflation-adjusted contribution target. Based on results to date and the value of the protected amount of funds, funds held are not sufficient to deliver the returns required to meet Council’s requirement. No divestments have been made from managed funds this year.

26. Council budgets separately for revenue from directly-held managed funds and those held by HBRIC. HBRIC is required to deliver an overall portfolio return by way of an annual dividend agreed through an annual Statement of Intent. The composition between revenues from managed funds and other sources such as port dividends, is up to the HBRIC board. While the Council budgeted to receive $10.9m in dividends from HBRIC within the FY 2023-2024, Council has received only $3.9m to date due to reduced earnings from the Port. It is anticipated the overall dividend will fall short of the Council budget for the year.

27. The following table summarises the fund balances at the end of each period and the graph illustrates the asset allocations within each fund at 31 December 2023.

	30 June 2023	30 Sept 2023	31 Dec 2023
Fund Balances HBRC	$000	$000	$000
Fund Balance HBRC	110,828	108,038	114,407
Capital Protected Amount HBRC (2% compounded since inception)	116,541	117,124	117,709
Current HBRC value above/(below) capital protected amount	(5,713)	(9,086)	(3,302)
Funds Balances (Group + HBRIC)
Long-Term Investment Fund (HBRC)	48,400	47,164	49,975
Future Investment Fund (HBRC)	62,428	60,874	64,432
Total HBRC	110,828	108,038	114,407
Plus HBRIC Managed Funds (FIF)	45,638	44,415	47,138
Total Group Managed Funds	156,466	152,453	161,545
Capital Protected Amount (2% compound inflation)	165,998	166,828	167,662
Current group value above/(below) protected amount	(9,532)	(14,375)	(6,117)

28. Fund performances continue to be volatile this year and as at 31 December the consolidated portfolio value was up 3.2% on 30 June 2023 (to 30 September portfolio was down 2.57%). Fund performances have been steady this year with all cash returns reinvested.

Cost of funds

29. Rolling 12 months to 31 December 2023, Gross Cost of Funds (COF) was 4.33% and Net COF was 4.26%.

HBRIC Ltd

30. In accordance with Council Policy, HBRIC provides separate quarterly updates to the Corporate and Strategic Committee.

Decision-making process

31. Staff have assessed the requirements of the Local Government Act 2002 in relation to this item and have concluded that, as this report is for information only, the decision-making provisions do not apply.

Recommendation

That the Risk and Audit Committee receives and notes the Treasury Compliance Report for the period 30 September - 31 December 2023.

Authored by:

Jess Bennett

Senior Manager Finance Recovery

Tracey O'Shaughnessy

Treasury & Investments Accountant

Approved by:

Susie Young

Group Manager Corporate Services

Attachment/s

There are no attachments for this report.

Hawke’s Bay Regional Council

Risk and Audit Committee

15 February 2024

Subject: Internal Audit Report - Data Analytics

Reason for report

1. This item presents the internal audit report (attached) for the Data Analytics audit undertaken by Crowe in October 2023.

Executive Summary

2. The Risk and Audit Committee (RAC) agreed at its meeting on 10 May 2023, as part of the internal audit work programme, to engage Crowe to conduct an internal audit of Council’s Data Analytics.

3. This annual review is used primarily for identification of fraud or suspicious transactions across our business. Although backward-looking, it provides management with assurances on processes followed throughout the reporting period.

4. The agreed scope and purpose of the audit was to review payables and payroll, and master and transactional data for the financial year ended 30 June 2023. This data was then analysed independently by Crowe for any potential anomalies or suspicious transactions.

5. The report was then provided to staff, along with separate spreadsheets listing the transactions that required review. These spreadsheets were initially analysed by the Team Leader Payroll and the Team Leader Finance and then reviewed by the Chief Financial Officer to identify any findings requiring further investigation.

6. This is the sixth consecutive annual Data Analytics audit conducted by Crowe. Previous reporting of the findings of the 2021-22 audit was to the Finance, Audit and Risk Sub-committee on 10 August 2022.

7. It is important to note that, when a transaction is identified, it does not necessarily indicate that there is anything suspicious. There are often legitimate business reasons for a transaction being identified, such as different types of payments from a Council (rates credits versus payment for services). These types of transactions may display in areas such as ‘duplicate address’, ‘GST/non-GST transactions’, or ‘duplicate IRD number’.

8. In addition, some transactions are listed purely for review purposes due to their deemed higher risk nature, such as ‘top 50 vendors by amount’. This allows staff to easily assess whether vendors are in line with expectations and would highlight any vendors that may appear erroneous.

9. Given the small size of Hawke’s Bay, there are times when an employee may share the same address as a vendor, usually a spouse. Transactional processing staff ensure that employee approvals are not allowed where any known conflicts exist between an employee and a vendor.

Audit findings

10. The sample transactions this year were significantly higher due to cyclone spend.

11. The report includes three high risk results pertaining to:

11.1. Vendors with multiple purchase orders on same day that would exceed approver's delegation – 149 cases identified this year (33 in 2022). These were all reviewed and found that the final approver (where the approval was escalated) was not included in the data. The data extract will be reviewed for next year. There is also an issue that amendments to purchase orders show as multiple purchase orders.

11.2. Invoices approved by persons over or on their delegated authorities – 622 cases identified this year (40 in 2022). Of the 622 cases identified 603 do have an appropriate approver – and is a data issue to be resolved for next year. Of the remaining 19, 18 had the appropriate delegation at the time of the approval. The remaining case was a known issue at the time and has been raised with our software provider to identify how this occurred.

11.3. Payments to Vendors with an employee master data match approved by the employee – seven records identified this year (compared to one in 2022). All seven relate to the same company and employee. All requisitions were approved by the employee’s team leader or manager.

12. All other findings have been reviewed in detail, and no unusual or unexpected transactions were identified.

Comparison to the last (2022) Audit

13. An improvement has been seen in the vendor details sections which is as expected as we get used to the new system.

14. Records identified relating to purchase order approvals have increased significantly but this is a data issue rather than any underlying problem. The data extraction process will be reviewed ahead of the next audit.

15. There was an expected increase in overtime and allowances this year as a result of the cyclone.

Actions to address findings

16. While reviewing the findings of the audit, corrective action has been taken where needed to remove duplicates and complete any missing details. Staff are also looking at the vendor creation process to increase checks for duplicates before setup of a new vendor is finalised.

17. Staff have also been asked to update their contact details in the system, which most have now done.

18. Finance continues to train users on processes with the financial system, especially the raising of requisitions and purchase orders before goods and services are received. There is also fraud training for staff, which includes reminders about ensuring any situations where a conflict of interest may be perceived are appropriately managed.

Decision-making process

19. Council and its committees are required to make every decision in accordance with the requirements of the Local Government Act 2002 (the Act). Staff have assessed the requirements in relation to this item and have concluded:

19.1. The decisions of the Committee are in accordance with the Terms of Reference and decision-making delegations adopted by Hawke’s Bay Regional Council 30 August 2023, specifically the Risk and Audit Committee shall have responsibility and authority to:

19.1.1. (2.8) Receive the internal and external audit report(s) and review actions to be taken by management on significant issues and recommendations raised within the report(s).

19.1.2. (3.5) Ensure that recommendations in audit management reports are considered and, if appropriate, actioned by management.

Recommendations

That Risk and Audit Committee:

1. Receives and considers the Internal Audit Report - Data Analytics

2. Confirms that the actions taken to address findings are adequate in the circumstances explained.

Authored by:

Olivia Giraud-Burrell

Quality & Assurance Advisor

Chris Comber

Chief Financial Officer

Approved by:

Susie Young

Group Manager Corporate Services

Attachment/s

Crowe October 2023 Internal Audit Data Analytics Report

Under Separate Cover

Hawke’s Bay Regional Council

Risk and Audit Committee

15 February 2024

Subject: Internal Assurance dashboards update

Reason for Report

1. This item updates the Risk and Audit Committee (RAC) on the progress of the following dashboards:

1.1. Internal Assurance Corrective Actions Dashboard outlines progress of the agreed corrective actions (with priority risk ratings medium and high) that respond to findings from enterprise internal assurance reviews that have been previously reported to the RAC.

1.2. Assurance Universe Dashboard provides a clear picture of the audits completed and proposed for the future.

1.3. Assurance Plan for FY 2022-23 and 2023-24 gives the position of the reviews for the last and current financial years.

Discussion

2. The Internal Assurance Corrective Actions Dashboard is attached.

3. The corrective action status update provides oversight to the RAC of the progress of actions taken to address open internal assurance findings, including total issues raised, how many closed and how many remain open. The table below is a summary of the open audits/reviews.

Audit Performed	Review Type	Date	Total Issues raised	Issues Closed	Issues Open	Comments
Regional Assets	Section 17a	March 2020	N/A	0	3	Of the remaining three actions, two are ‘on track’ and one is ‘at risk’.
Risk Management Maturity	Internal Audit	June 2020	11	10	1	One remaining action is ’behind’.
HBRC Talent Management Report	Internal Audit	April 2021	8	6	2	Two remaining actions are ‘behind’.
Hawke’s Bay Road Safety Review	Section 17a	March 2022	8	8	0	All actions are closed.

4. The dashboard gives visibility of:

4.1. open findings of the milestones plus milestones completed and to be completed by the next RAC plus the tracking status since last reported.

4.2. a summary of closed actions since the last RAC report.

5. The Assurance Universe Dashboard is attached. This links enterprise reviews or audits undertaken over the past five years, the current year, and future years to an enterprise risk. Reviews and audits in the Assurance Universe include external audits, enterprise internal audits, business reviews with an enterprise focus, and section 17a reviews.

6. The Assurance Plan for FY 2022-23 and 2023-24 is attached. This gives a status of overflow from 2022-23 approved audits and the current status of FY 2023-24.

Financial and resource implications

7. There are no financial implications or additional resource requirements resulting from this internal audit programme update.

Decision-making process

8. Staff have assessed the requirements of the Local Government Act 2002 in relation to this item and have concluded that, as this report is for information only, the decision-making provisions do not apply.

Recommendations

That the Risk and Audit Committee

1. Receives and notes the Internal Assurance Dashboards update.

2. Confirms that the Internal Assurance Corrective actions update report has provided adequate information on the status of the Internal Assurance Corrective Actions.

Authored by:

Olivia Giraud-Burrell

Quality & Assurance Advisor

Helen Marsden

Risk & Corporate Compliance Manager

Approved by:

Susie Young

Group Manager Corporate Services

Attachment/s

1 ⇩	February 2024 Internal Assurance Dashboard
2 ⇩	January 2024 Assurance Universe
3 ⇩	FY22-23 and 2023-24 Internal Assurance Plan Status - February 2024 update

Hawke’s Bay Regional Council

Risk and Audit Committee

Thursday 15 February 2024

Subject: Confirmation of 18 October 2023 Public Excluded Minutes

That the Risk and Audit Committee excludes the public from this section of the meeting being Confirmation of Public Excluded Minutes Agenda Item 12 with the general subject of the item to be considered while the public is excluded. The reasons for passing the resolution and the specific grounds under Section 48 (1) of the Local Government Official Information and Meetings Act 1987 for the passing of this resolution are:

General subject of the item to be considered

Risk Maturity Refresh

Incident Report

Internal assurance dashboards

Reason for passing this resolution

s7(2)(j) That the public conduct of this agenda item would be likely to result in the disclosure of information where the withholding of the information is necessary to prevent the disclosure or use of official information for improper gain or improper advantage.

s7(2)(e) That the public conduct of this agenda item would be likely to result in the disclosure of information where the withholding of the information is necessary to avoid prejudice to measures that prevent or mitigate loss to members of the public.

Grounds under section 48(1) for the passing of the resolution

Cyber security measures

HB CDEM Group operational response

Cyber security measures

Authored by:

Leeanne Hooper

Team Leader Governance

Approved by:

Desiree Cull

Strategy and Governance Manager