Minutes of a meeting of the Risk and Audit Committee
Date: 15 February 2024
Time: 10.00am
Venue: |
Council Chamber Hawke's Bay Regional Council 159 Dalton Street NAPIER |
Present: Cr X Harding – Chair
Cr T Hokianga (online)
Cr N Kirton
Cr J Mackintosh
S Maloy (independent)
In Attendance: N Peet – Chief Executive
Cr Di Roadley (online)
S Young – Group Manager Corporate Services
C Comber – Chief Financial Officer
L Hooper – Team Leader Governance
J Bennett – Senior Manager - Finance Recovery
H Marsden – Risk & Corporate Compliance Manager
O Giraud-Burrell – Quality & Assurance Advisor
C Spencer – Senior Group Accountant
A Sofe – Ernst & Young (online)
D Nalder – Efficus Risk Consultant
P Bicknell – Senior Group Accountant
The Chair welcomed everyone and councillor Thompson Hokianga led the group in offering a karakia to open the meeting.
2. Conflict of interest declarations
There were no conflicts of interest declared.
3. Confirmation of Minutes of the Risk and Audit Committee meeting held on 18 October 2023
Minutes of the Risk and Audit Committee meeting held on Tuesday, 12 December 2023, a copy having been circulated prior to the meeting, were taken as read and confirmed as a true and correct record. CARRIED |
Risk Maturity Refresh |
|
|
Susie Young introduced the item along with David Nalder and Helen Marsden. Discussions covered: · For risk scoring, sentiment surveys take a snapshot (roughly monthly) of views across the organisation and ELT – of the level of confidence or concern associated with the critical areas of risk on the dashboard. · Workshops identified 26 areas of uncertainty (risks) and roughly 209 specific causes/contributing factors. Now working to identify and document the critical controls to create a controls library which will be used to confirm that the controls are fit-for-purpose. Neil Kirton arrived at 10.15am · A programme of work to document key controls and common controls for the Enterprise Control Library is being undertaken over the next 2 of months. Staff will then confirm the suite of controls across the organisation within 6 months and begin to test and reverify the controls outside of the quality management system. Controls and assurance processes are being used however are not documented in a single repository to demonstrate to RAC that there are effective and enduring processes in place. · Only 4 of the 12 councillors (+ Stephanie) (33%) responded to the January Risk sentiment survey so very difficult to form a realistic view of Council’s confidence/concern ratings because such a small number skews the results. The intent is to undertake the survey with councillors on a regular basis to align with RAC meetings. · It was reiterated that day-to-day management of risks is operational and the responsibility of the Chief Executive and ELT, while the role of governors (RAC and Council) in risk management is one of governance oversight and monitoring of whether there is an effective risk management framework, processes and controls in place. · This approach was deliberately designed to consciously think about all those things that could impact on HBRC and prevent us from delivering on our promises to the community and environment. There is a need to balance the information contained on the 1-page management plans and the detail contained in the supporting documentation. · The HBRC risk profile is about managing risks to the organisation and contributes to risk and hazard management across the region, which there’s a 1-page management plan for. |
That the Risk and Audit Committee receives and notes the Risk Maturity Refresh staff report. CARRIED |
External Audit Report - Control Findings for the year ended 30 June 2023 |
|
|
Susie Young introduced the item and Ahmed Sofi of Ernst and Young. Discussions covered: · Six of the eight control findings have been closed · Sustainable Homes loans being collected through rates – the risk with the reconciliation between the bespoke system and the rates system is nullified by reconciliation at the individual loan level upon settlement. · An external review of TechOne is being carried out to verify that the payroll system is accurately calculating employee entitlements. |
That the Risk and Audit Committee: 1. Receives and considers the External Audit Report - Control Findings for the year ended 30 June 2023 from Ernst and Young and the staff paper. 2. Agrees that the actions to be taken to address findings are adequate in the circumstances explained. CARRIED |
Audit Plan for the 2023-2024 Annual Report |
|
|
Ahmed Sofi, Ernst and Young, introduced the item and briefly explained the key aspects of the audit from EY’s perspective. |
That the Risk and Audit Committee receives and considers the Audit Plan for the 2023-2024 Annual Report. CARRIED |
The meeting adjourned at 11.35am and reconvened at 11.52am
Risk Management Policy |
|
|
Susie Young introduced the item, which provides the Risk Management Policy amended in line with feedback provided at the October 2023 Risk and Audit Committee meeting for adoption, noting the lines of accountability contained in the processes underlying the Policy. Several edits were identified and will be made prior to the Policy being provided to Council for approval. Discussions covered: · The policy is the ‘what’ and the dashboard is the ‘how’ we are executing the policy. · Suggestion that committee appointees should be made aware of the Risk Management Framework. · To create a culture of forward thinking risk analysis, the intent is to leverage the risk profile and dashboards work and supplement that with insights into emerging issues and external environment impacts to generate discussion. |
That the Risk and Audit Committee receives and considers the Risk Management Policy staff report. CARRIED |
External Audit Report - ISO 9001-2015 certification |
|
|
Susie Young introduced the item which reports on an external audit of the organisation’s ISO accredited quality management system. Olivia Giraud-Burrell clarified the teams of the Council that are ISO accredited include Compliance, Consents, Environmental Science, Environmental Information, Harbourmaster, and Works Group. A request was made for a one-page (road map) showing what operational quality management or audit systems apply to which groups/teams of the organisation, e.g. Finance is subject to EY Audit |
That the Risk and Audit Committee: 1. Receives and considers the External Audit Report - ISO 9001-2015 Annual Review. 2. Confirms that the actions to be taken to address the findings are adequate in the circumstances explained. CARRIED |
Treasury Compliance Report for the period 30 September - 31 December 2023 |
|
|
Susie Young and Jess Bennett spoke to the item. Discussions covered: · Current limits were set in the Treasury Policy in the last LTP, which is being reviewed and updated for this 2024-27 LTP, and it is not considered necessary to amend the Policy for this one counter party credit exposure situation. · The cost of funds is currently 4.6% – HBRC credit rating process is under way with RFP decision on the provider to be made later this week. Once the provider is in place – hopefully by June – Council should be able to get a lower cost of funds. |
That the Risk and Audit Committee receives and notes the Treasury Compliance Report for the period 30 September - 31 December 2023. CARRIED |
Internal Assurance dashboards update |
|
|
Olivia Giraud-Burrell introduced the item, which was taken as read. Discussions covered: · A query in relation to succession planning identified by the 2021 Talent Management audit sought information on when the P&C team will have time to progress developing and implementing best practice for this. Budget has been allocated, however the focus for the P&C team has necessarily been shifted to recruitment with current high staff turnover. · The finalised 2024 internal audit programme will be brought to the RAC for consideration once ELT has reviewed the plan, and then flow through to the assurance universe. · P&C is 75% of the way through a process to identify, for every single job, what technical skills are required. Following that, the process of identifying technical gaps within teams will be undertaken to assist with recruitment and succession planning. · The view was expressed, that there are gaps in Council’s s17a reviews as a means of looking at other ways of achieving outcomes, more efficiently and/or cost effectively. |
That the Risk and Audit Committee 1. Receives and notes the Internal Assurance Dashboards update. 2. Confirms that the Internal Assurance Corrective actions update report has provided adequate information on the status of the Internal Assurance Corrective Actions. CARRIED |
Confirmation of 18 October 2023 Public Excluded Risk and Audit Committee Minutes |
|
RAC29/24 |
Public Excluded Minutes of the Risk and Audit Committee meeting held on Wednesday, 18 October 2023, a copy having been circulated prior to the meeting, were taken as read and confirmed as a true and correct record. CARRIED |
Resolution
RAC30/24 That the meeting moves out of Public Excluded session.
Kirton/Maloy
CARRIED
The meeting went into public excluded session at 12.51pm and out of public excluded session at 12.53pm
Councillor Xan Harding led the group in offering a karakia to close the meeting.
Closure:
There being no further business the Chair declared the meeting closed at 12.54pm on Thursday, 15 February 2024.
Signed as a true and correct record.
Date: by Risk & Audit Committee resolution 1 May 2024 Chair: Stephanie Maloy