Minutes of a meeting of the Risk and Audit Committee

 

Date:                                    15 February 2024

Time:                                    10.00am

Venue:                                  Council Chamber

Hawke's Bay Regional Council

159 Dalton Street

NAPIER

 

Present:                              Cr X Harding – Chair

Cr T Hokianga (online)

Cr N Kirton

Cr J Mackintosh

S Maloy (independent)

 

In Attendance:                 N Peet – Chief Executive

Cr Di Roadley (online)

S Young – Group Manager Corporate Services

C Comber – Chief Financial Officer

L Hooper – Team Leader Governance

J Bennett – Senior Manager - Finance Recovery

H Marsden – Risk & Corporate Compliance Manager

O Giraud-Burrell – Quality & Assurance Advisor

C Spencer – Senior Group Accountant

A Sofe – Ernst & Young (online)

D Nalder – Efficus Risk Consultant

P Bicknell – Senior Group Accountant

 

 


1.         Welcome/Karakia/Housekeeping/Apologies

The Chair welcomed everyone and Councillor Thompson Hokianga led the group in offering a karakia to open the meeting.

 

2.         Conflict of interest declarations

There were no conflicts of interest declared.

 

3.         Confirmation of Minutes of the Risk and Audit Committee meeting held on 18 October 2023

RAC19/24

Resolution

Minutes of the Risk and Audit Committee meeting held on Tuesday, 12 December 2023, a copy having been circulated prior to the meeting, were taken as read and confirmed as a true and correct record.

Maloy/Mackintosh

CARRIED

 

4.         Risk Maturity Refresh

 

Susie Young introduced the item along with David Nalder and Helen Marsden. Discussions covered:

·    The new framework provides a way to focus on the uncertainties (risks) that are most important to manage in order for Council to achieve its goals and deliver on its purpose and mandate.

·    Extensive engagement across the organisation has agreed concepts, developed dashboards and established accountability (to ELT owner and Risk Lead {manager}) for each of the uncertainties (risks).

·    For risk scoring, sentiment surveys take a snapshot (roughly monthly) of views across the organisation and ELT – of the level of confidence or concern associated with the critical areas of risk on the dashboard.

·    Workshops identified 26 areas of uncertainty (risks) and roughly 209 specific causes/contributing factors. Now working to identify and document the critical controls to create a controls library which will be used to confirm that the controls are fit-for-purpose.

Neil Kirton arrived at 10.15am

·    There is no way to manage risk/uncertainty down to 0 for everything so the risk information is added into the decision-making process to enable Council to make good trade-off decisions within the resources available, e.g. flood protection choices about prioritising work within funds available knowing that there may still be a gap between what Council can do and what the public expects.

·    A programme of work to document key controls and common controls for the Enterprise Control Library is being undertaken over the next 2 months. Staff will then confirm the suite of controls across the organisation within 6 months and begin to test and reverify the controls outside of the quality management system. Controls and assurance processes are being used; however, they are not documented in a single repository to demonstrate to RAC that there are effective and enduring processes in place.

·    Only 4 of the 12 councillors (+ Stephanie) (33%) responded to the January Risk sentiment survey, so it is very difficult to form a realistic view of Council’s confidence/concern ratings because such a small number skews the results. The intent is to undertake the survey with councillors on a regular basis to align with RAC meetings.

·    RAC is initially getting much more detailed information as the new framework is fully embedded. In future, by reviewing the one-page management plans and dashboards, the RAC will monitor that there is an effective and enduring approach to identifying, assessing, managing and reporting on risk/uncertainty, and that it is working effectively.

·    It was reiterated that day-to-day management of risks is operational and the responsibility of the Chief Executive and ELT, while the role of governors (RAC and Council) in risk management is one of governance oversight and monitoring of whether there is an effective risk management framework, processes and controls in place.

·    This approach was deliberately designed to consciously think about all those things that could impact on HBRC and prevent us from delivering on our promises to the community and environment. There is a need to balance the information contained on the 1-page management plans and the detail contained in the supporting documentation.

·    The HBRC risk profile is about managing risks to the organisation and contributes to risk and hazard management across the region, for which there is a 1-page management plan.

RAC20/24

Resolution

That the Risk and Audit Committee receives and notes the Risk Maturity Refresh staff report.

Maloy/Mackintosh

CARRIED

 

6.         External Audit Report - Control Findings for the year ended 30 June 2023

 

Susie Young introduced the item and Ahmed Sofi of Ernst and Young. Discussions covered:

·    Six of the eight control findings have been closed.

·    Sustainable Homes loans being collected through rates – the risk with the reconciliation between the bespoke system and the rates system is nullified by reconciliation at the individual loan level upon settlement.

·    An external review of TechOne is being carried out to verify that the payroll system is accurately calculating employee entitlements.

RAC21/24

Resolutions

That the Risk and Audit Committee:

1.     Receives and considers the External Audit Report - Control Findings for the year ended 30 June 2023 from Ernst and Young and the staff paper.

2.     Agrees that the actions to be taken to address findings are adequate in the circumstances explained.

Kirton/Maloy

CARRIED

 

7.         Audit Plan for the 2023-2024 Annual Report

 

Ahmed Sofi, Ernst and Young, introduced the item and briefly explained the key aspects of the audit from EY’s perspective.

RAC22/24

Resolution

That the Risk and Audit Committee receives and considers the Audit Plan for the 2023-2024 Annual Report.

Mackintosh/Maloy

CARRIED

The meeting adjourned at 11.35am and reconvened at 11.52am

5.         Risk Management Policy

 

Susie Young introduced the item, which provides the Risk Management Policy amended in line with feedback provided at the October 2023 Risk and Audit Committee meeting for adoption, noting the lines of accountability contained in the processes underlying the Policy. Several edits were identified and will be made prior to the Policy being provided to Council for approval. Discussions covered:

·    The policy is the ‘what’ and the dashboard is the ‘how’ we are executing the policy.

·    Suggestion that committee appointees should be made aware of the Risk Management Framework.

·    To create a culture of forward thinking risk analysis, the intent is to leverage the risk profile and dashboards work and supplement that with insights into emerging issues and external environment impacts to generate discussion.

RAC23/24

Resolution

That the Risk and Audit Committee receives and considers the Risk Management Policy staff report.

Maloy/Kirton

CARRIED

 

8.         External Audit Report - ISO 9001-2015 certification

 

Susie Young introduced the item which reports on an external audit of the organisation’s ISO accredited quality management system.

Olivia Giraud-Burrell clarified that the teams of the Council that are ISO accredited include Compliance, Consents, Environmental Science, Environmental Information, Harbourmaster, and Works Group.

A request was made for a one-page (road map) showing what operational quality management or audit systems apply to which groups/teams of the organisation, e.g. Finance is subject to EY Audit.

Note: “All activities assessed during this audit were observed to be appropriately controlled, with sufficient evidence examined to demonstrate the effectiveness of processes sampled.”

RAC24/24

Resolutions

That the Risk and Audit Committee:

1.      Receives and considers the External Audit Report - ISO 9001-2015 Annual Review.

2.      Confirms that the actions to be taken to address the findings are adequate in the circumstances explained.

Harding/Mackintosh

CARRIED

 

9.         Treasury Compliance Report for the period 30 September - 31 December 2023

 

Susie Young and Jess Bennett spoke to the item. Discussions covered:

·    Counter party credit exposure non-compliances resulted from the large amounts of central government funding going through Council’s accounts and will happen again with the last tranche of funding announced for silt removal. Staff suggest this measure is removed as a reporting metric for the time being while Council is receiving central government funding.

·    Current limits were set in the Treasury Policy in the last LTP, which is being reviewed and updated for this 2024-27 LTP, and it is not considered necessary to amend the Policy for this one counter party credit exposure situation.

·    The cost of funds is currently 4.6% – HBRC credit rating process is under way with RFP decision on the provider to be made later this week. Once the provider is in place – hopefully by June – Council should be able to get a lower cost of funds.

RAC25/24

Resolution

That the Risk and Audit Committee receives and notes the Treasury Compliance Report for the period 30 September - 31 December 2023.

Maloy/Kirton

CARRIED

 

10.       Internal Audit Report - Data Analytics

 

Susie Young introduced the item, an audit undertaken every year mainly as a means of identifying mitigations against fraud and/or potential conflicts and as a way to provide assurance that there is good oversight process control over spending, and noted that during a year where nearly $200 million of extra payments were put through Council’s G/L as a result of the cyclone, this is a very good result. Discussions covered:

·    Chris Comber advised that some work will need to be done on the data provided for the audit, to ensure that all of the relevant data is provided, e.g. all the relevant approval fields to prevent the audit picking up items that are not actually unauthorised.

·    There were no unusual findings or issues identified in this audit.

·    New duplicate vendors were identified again this year, and additional checks by the Finance team have been put in place to prevent future duplicates being set up.

RAC26/24

Resolutions

That the Risk and Audit Committee:

1.     Receives and considers the Internal Audit Report - Data Analytics.

2.     Confirms that the actions taken to address findings are adequate in the circumstances explained.

Mackintosh/Maloy

CARRIED

 

11.       Internal Assurance dashboards update

 

Olivia Giraud-Burrell introduced the item, which was taken as read.  Discussions covered:

·    A query in relation to succession planning identified by the 2021 Talent Management audit sought information on when the P&C team will have time to progress developing and implementing best practice for this. Budget has been allocated, however the focus for the P&C team has necessarily been shifted to recruitment with current high staff turnover.

·    The finalised 2024 internal audit programme will be brought to the RAC for consideration once ELT has reviewed the plan, and then flow through to the assurance universe.

·    P&C is 75% of the way through a process to identify, for every single job, what technical skills are required. Following that, the process of identifying technical gaps within teams will be undertaken to assist with recruitment and succession planning.

·    The view was expressed that there are gaps in Council’s s17a reviews as a means of looking at other ways of achieving outcomes, more efficiently and/or cost effectively.

RAC27/24

Resolutions

That the Risk and Audit Committee:

1.      Receives and notes the Internal Assurance Dashboards update.

2.      Confirms that the Internal Assurance Corrective actions update report has provided adequate information on the status of the Internal Assurance Corrective Actions.

Harding/Mackintosh

CARRIED

 

12.       Confirmation of 18 October 2023 Public Excluded Minutes

RAC28/24

That the Risk and Audit Committee excludes the public from this section of the meeting being Confirmation of Public Excluded Minutes Agenda Item 12 with the general subject of the item to be considered while the public is excluded. The reasons for passing the resolution and the specific grounds under Section 48 (1) of the Local Government Official Information and Meetings Act 1987 for the passing of this resolution are:

 

General subject of the item to be considered: Risk Maturity Refresh

Reason for passing this resolution: s7(2)(j) That the public conduct of this agenda item would be likely to result in the disclosure of information where the withholding of the information is necessary to prevent the disclosure or use of official information for improper gain or improper advantage.

Grounds under section 48(1) for the passing of the resolution: Cyber security measures

 

General subject of the item to be considered: Incident Report

Reason for passing this resolution: s7(2)(e) That the public conduct of this agenda item would be likely to result in the disclosure of information where the withholding of the information is necessary to avoid prejudice to measures that prevent or mitigate loss to members of the public.

Grounds under section 48(1) for the passing of the resolution: HB CDEM Group operational response

 

General subject of the item to be considered: Internal assurance dashboards

Reason for passing this resolution: s7(2)(j) That the public conduct of this agenda item would be likely to result in the disclosure of information where the withholding of the information is necessary to prevent the disclosure or use of official information for improper gain or improper advantage.

Grounds under section 48(1) for the passing of the resolution: Cyber security measures

Kirton/Maloy

CARRIED

 

12.       Confirmation of 18 October 2023 Public Excluded Risk and Audit Committee Minutes

RAC29/24

Resolution

Public Excluded Minutes of the Risk and Audit Committee meeting held on Wednesday, 18 October 2023, a copy having been circulated prior to the meeting, were taken as read and confirmed as a true and correct record.

Kirton/Harding

CARRIED

 

Resolution

RAC30/24         That the meeting moves out of Public Excluded session.

Kirton/Maloy

CARRIED

 

The meeting went into public excluded session at 12.51pm and out of public excluded session at 12.53pm

 

Councillor Xan Harding led the group in offering a karakia to close the meeting.

 

Closure:

There being no further business the Chair declared the meeting closed at 12.54pm on Thursday, 15 February 2024.

Signed as a true and correct record.

Date: by Risk & Audit Committee resolution 1 May 2024                        Chair: Stephanie Maloy