Home › Meetings › Audit and Risk Management Committee — 2020-11-16
Audit and Risk Management Committee — 2020-11-16
2. Update on 2019-2020 audit of Cherish the Environment Foundation as a controlled entity of council
2. Update on 2019-2020 audit of Cherish the Environment Foundation as a controlled entity of council
This is a report concerning an update on Cherish the Environment Foundation Limited (the Foundation), a controlled entity of Ipswich City Council (council), as requested at the last Audit and Risk Management Committee meeting.
Foundation Board Directors and the Chief Executive Officer of council have agreed that the Queensland Audit Office (QAO) undertake the audit of the Foundation for 2019-2020 as a controlled entity of Council.
Recommendation
That the Audit and Risk Management Committee note that the Queensland Audit Office will undertake the audit of Cherish the Environment Foundation as a controlled entity of Ipswich City Council for the 2019-2020 financial year.
DISCUSSION
Rob Jones (Chairperson) queried if there were any ongoing reporting arrangements between Council and Cherish the Environment Foundation and if there were any risks to Council at this time.
Jeff Keech (Chief Financial Officer) advised that there were no formal reporting arrangements in place at this time subject to the new Council determining its desired relationship with the Foundation in the future. CFO noted that no funding was provided to the Foundation last financial year.
David Farmer (Chief Executive Officer) advised that if Council decided to have a relationship with the Foundation it would be formalised with a formal funding agreement established and implemented. CEO advised the current risk to Council is relatively low.
Martin Power (External Member) asked when Council is expected to make its decision and the CFO advised it was expected to be early in 2021.
Mentions: Ipswich
3. Update on implementation of the Conflicts of Interest for Employees Framework
3. Update on implementation of the Conflicts of Interest for Employees Framework
This is a report requested by the Audit and Risk Management Committee providing an update on the Conflicts of Interest for Employees Framework.
Recommendation
That the Audit and Risk Management Committee note the requested update on the implementation of the Conflicts of Interest for Employees Framework.
DISCUSSION
Martin Power (External Member) queried the monitoring process for the data on any employees improperly accessing employee conflict of interest records. Sonia Cooper (General Manager Corporate Services) advised that this would be monitored as noted in the report with oversight by her.
David Farmer (CEO) advised that this was part of a broader issue in the organisation surrounding accessing information that is required for business purposes.
Sonia Cooper (General Manager Corporate Services) advised that a communication campaign had been developed, commenced and would be continuing.
Dr Annette Quayle (External Member) enquired about the role of the Committee with regards to the councillors conflict of interest framework. David Farmer (CEO) advised that the councillors conflict of interest framework was separate and has just been amended in line with revisions to legislation.
Rob Jones (Chairperson) stated that as this paper doesn’t deal with councillors it would be good to have an understanding of what is in place for councillors and how it is managed and that this may be an item for a future meeting.
ACTION: Report on Councillors Conflict of Interest Framework to be provided to a future meeting
4. Update for 2020 Audit Issues relating to Assets
4. Update for 2020 Audit Issues relating to Assets
This is a report concerning the progress in resolving internal control deficiencies identified by the Queensland Audit Office (QAO) during the 2020 audit. The three deficiencies related to assets, specifically untimely reconciliations between the physical asset register and fixed asset register, donated assets and untimely processing of disposals when renewing an asset.
Recommendation
That the report of 5 November 2020 to the Audit and Risk Management Committee by the Principal Financial Accountant regarding the progress in resolving internal control deficiencies relating to assets be received and noted.
DISCUSSION
Rob Jones (Chairperson) queried when the revised accounting policy would be implemented.
Jeff Keech (Chief Financial Officer) advised that the policy will be drafted and submitted to Council prior to Christmas.
5. Queensland Audit Office briefing paper and final management report
5. Queensland Audit Office briefing paper and final management report
This is a report concerning a briefing paper and final management report for Ipswich City Council from the Queensland Audit Office.
Recommendation
That the briefing paper and final management report be received and the contents noted.
Mentions: Ipswich
6. Planned Agenda for the Audit and Risk Management Committee for 2021
6. Planned Agenda for the Audit and Risk Management Committee for 2021
This is a report concerning the proposed structured and planned agenda for the Audit and Risk Management Committee for the period 1 January 2021 to 31 December 2021.
Recommendation
That the 2021 planned agenda for the Audit and Risk Management Committee be adopted.
DISCUSSION
Rob Jones (Chairperson) led a discussion including prior comments received relating to the planned agenda:
· Importance of receiving regular reports on financial information (including budget matters) throughout the year and not only when considering the financial statements. Action will be taken to include the financial report that is submitted to Council on a monthly basis in the Audit and Risk Management Committee reference library in LG Hub.
· For the May 2021 agenda, for the Strategic Risk Deep Dive for rates setting processes, that this be changed to Budget including rates with a presentation on the processes for the preparation of the budget.
· Additional expenditure due to COVID-19 pandemic to be monitored through monthly financial reports.
· Council will consider debt refinancing opportunity.
· Duration of meeting to be changed to 3 hours.
7. Audit and Risk Management Committee Charter
7. Audit and Risk Management Committee Charter
This is a report concerning a review of the Audit and Risk Management Committee Charter. There is only a minor change being proposed to section 8.1.2 and at the bottom of 8 as to removing the indications to the Administrator and the Interim Management Committee.
Recommendation
That the Audit and Risk Management Committee Charter as detailed in Attachment 2 be adopted.
8. Internal Audit Charter Review
8. Internal Audit Charter Review
This is a report concerning a proposed update of the Internal Audit Charter. There is only one proposed change under 10.1.2 to strengthen the protocol for timely finalisation of internal audit reports.
Recommendation
That the proposed Internal Audit Charter as detailed in Attachment 2 be adopted.
9. Audit and Risk Management Committee Self Assessment Results Report
9. Audit and Risk Management Committee Self Assessment Results Report
This is a report concerning the Self-Assessment conducted by the Audit and Risk Management Committee (ARMC) in October 2020.
Recommendation
That the Committee note the outcome of the Audit and Risk Management Committee Self-Assessment and discuss suggestions for improvement and confirm or specify actions to be taken.
Rob Jones (Chairperson) outlined that the overall assessment is that feedback falls into three or four general areas:
· Making sure the agenda is focussed on what is important to the committee and the timing of the committee
· Management input, who is approved to attend
· A desire to be more issues focussed and have trend and risk analysis in that reporting
· Following up on unresolved matters and recommendations from audit ensuring that management are held to account in order to have these resolved. Suggestion that for the important ones, the managers responsible are required to attend audit and discuss the issues.
Rob Jones (Chairperson) queried if the CEO provided a report to council on a regular basis that could also be submitted to the ARMC. He also suggested that the CEO could provide a verbal update during the year on strategy and/or issues or concerns. The CEO advised that a quarterly performance report is provided to council which could be provided to the ARMC. He also advised that in previous roles he has attended the committee to give a verbal update on matters evolving. Rob Jones (Chairperson) suggested that a verbal update by the CEO be provided twice per year in February and August with the February meeting being strategic matters and the August meeting being any other matters. Rob Jones suggested that the quarterly performance report presented to council be uploaded to the ARMC reference library in LG Hub.
Dr Annette Quayle (External Member) advised that the areas of priority focus from her perspective should be ICT, Procurement and internal controls and that she was still not convinced that the internal controls are adequate. Rob Jones advised that earlier in the year a report was provided on these matters and that this needs to be an area of continued focus in 2021.
10. Internal Audit Branch Activities Report for the period 5 August 2020 to 6 November 2020
10. Internal Audit Branch Activities Report for the period 5 August 2020 to 6 November 2020
This is a report concerning the activities of Internal Audit undertaken during the above mentioned period and the current status of these activities.
“The attachment/s to this report are confidential in accordance with section 275(1)(b), (f), (g), (i) of the Local Government Regulation 2012.”
Recommendation
That the report be received and the recommendations in Attachments 3, 4 and 5, be considered finalised and archived.
DISCUSSION
Rob Jones (Chairperson) stated that some information can be included in the LG Hub reference library instead of forming part of the agenda.
Rob Jones suggested that once per year the committee focus on what has been addressed and what needs to be addressed. He stated that cyber security, contract management and tender evaluation are important issues.
Freddy Beck (Chief Audit Executive) advised that he has had good discussions with the General Manager Corporate Services where he raised concerns about the data analytics around cyber security however will be monitoring this.
Martin Power (External Member) raised questions around planned audits one being bushfire management. He stated that this was a high risk to all councils around Australia and queried if council’s program will address the adequacy of managing the risk for back-burning. Freddy Beck advised that Mark Odan (Internal Auditor) is currently looking at whether the level of strategic implementation is adequate.
Martin Power also queried if disaster management was included in the audits and if there was a major bushfire is there a disaster management plan in place.
Councillor Kate Kunzelmann in her role as a member of Local Disaster Management group advised that disaster management is legislated and that council uses multiple partners including SES, QFES, QPS and the Department of Communities and that council’s role in a disaster is to coordinate these groups.
Rob Jones queried the protection of council assets and where this fits into the disaster recovery plan. Graham McGinniskin (Principal Risk and Compliance Specialist) advised that council has a Business Continuity Plan and within this, four response plans. He advised that Council is undertaking a live business continuity plan test on 9 February which will involve all executives and branch managers.
Councillor (Deputy Mayor) Marnie Doyle noted that the organisation had responded very well in response to the COVID-19 Pandemic.
Dr Annette Quayle (External Member) queried the status of contract management reporting and the commentary in the internal audit report referencing ICT systems. Freddy Beck (Chief Audit Executive) advised that he has had discussions with the General Manager Corporate Services regarding addressing performance reporting and that there was a lot of work to be done in this area. The General Manager Corporate Services advised the most recent update should be relied on in the report noting that existing systems were now being used to monitor, manage and report on contracts.
Martin Power (External Member) asked if there was a central contract registers. The General Manager Corporate Services advised that council has been working throughout the year to centralise procurement including all contract registers. Martin queried when the next follow up audit in relation to this should be undertaken. Freddy Beck advised that there was a procurement audit coming up. Rob Jones advised that in the annual plan there is a scheduled deep dive into procurement in May 2021. Sonia Cooper (General Manager Corporate Services) was asked if procurement internal controls were adequate and responded that with much work underway Council was making improvements but could not confidently say that all internal controls are adequate at this point.
Martin Power raised a matter in the report that talked about contracts and people being employed by council as contractors instead of employees. He advised that these matters normally get dealt with by having a clear policy about who is a contractor and who is an employee. Rob Jones suggested that advice on Council’s policy could be provided.
ACTION: Council’s policy on engagement of contractors to be provided to Audit and Risk Management Committee.
11 New Item (Committees) - Presentation on Corporate Services Department Risk Register
Presentation on Corporate Services Department Risk Register
The presentation on the Corporate Services Department Risk Register did not proceed due to available time and was therefore deferred to the meeting scheduled for February 2020.
11. Report - Risk ELT Meeting No. 2020(04) of 10 August 2020
11. Report - Risk ELT Meeting No. 2020(04) of 10 August 2020
This is the report of the Risk ELT Meeting No. 2020(04) of 10 August 2020.
Recommendation
That the report be received and the contents noted.
12. Insurance and Risk Management Update
12. Insurance and Risk Management Update
This is a report concerning Council’s insurance statistics for the period 1 July 2020 to 30 September 2020 and to provide an update on risk management.
Recommendation
A. That the report on Council’s insurance statistics for the period 1 July 2020 to
30 September 2020 be received and the contents noted.
B. That the update on Ipswich City Council’s Enterprise Risk Management be received and the contents noted.
DISCUSSION
Rob Jones (Chairperson) queried whether the Chief Audit Executive provided commentary on risk in the internal audit reports. Freddy Beck (Chief Audit Executive) advised that this hasn’t been undertaken to date but will be in the future.
Annette Quayle (External Member) advised that she can see progress but very much from the top down. She queried what processes are in place to capture those emerging risks that are at the bottom. Graham McGinniskin (Principal Risk and Compliance Specialist) advised that this is a discussion point in all risk committees. Annette stated that a question to all managers should be “what data are you collecting that gives you an opportunity to review things holistically. Who is reviewing, are there themes emerging, what data are you collecting and how does this feed into the process”.
Mentions: Ipswich
13. Governance, Internal Controls and Compliance
13. Governance, Internal Controls and Compliance
Council is progressively maturing and strengthening its governance, internal controls and compliance with the broad range of legislative, policy and procedural obligations upon it.
This report provides an update to the Audit and Risk Management Committee on key governance, internal controls and compliance matters for the past quarter.
Recommendation
That the Audit and Risk Management Committee (ARMC) note initiatives and actions being implemented to mature and strengthen Council’s governance, internal controls and compliance.
DISCUSSION
Martin Power asked what was included in the Information Management Framework. The General Manager Corporate Services and Governance Manager advised that it was an overarching framework aligned to good practice applied in the Queensland Government, that encompassed Council’s policies, administrative directives and procedures in the various domains of information management. Rob Jones asked what was meant by business case in reference to the privacy strategy under consideration and the General Manager Corporate Services advised this was a general reference to the work being undertaken to scope the strategy.
14. ICT Branch Governance and Controls Framework
14. ICT Branch Governance and Controls Framework
This is a report concerning the status and focus areas for development in the Information and Communication Technologies (ICT) governance controls framework.
Recommendation
That the Audit and Risk Management Committee note the key elements of the Information and Communication Technologies governance controls framework and the ongoing focus areas for improvement.
DISCUSSION
Rob Jones (Chairperson) queried the threat level in relation to cyber security as it currently stands. The Chief Information Officer advised that from an external penetration test council’s system is robust. She also advised that in relation to cyber-attacks in the past, the instances were because of an internal staff member. Martin Power queried what would happen if there was a major security risk in the next couple of days and if there was a plan. The Chief Information Officer advised that the external threat is managed but this is not to say that Council could not be impacted by a new ransomware attack. Council has a disaster recovery project underway to further strengthen and plan our disaster recovery responses. All digital backups are securely held in a datacentre in Sydney.
Councillor Kate Kunzelmann left the meeting at 12.20 pm.
Rob Jones (Chairperson) queried how council ensures that they have all the knowledge they need in relation to insurance contracts as they pertain to cyber risks. Rob outlined that this question needs to be considered in the governance framework.
15. Transparency and Integrity Hub Governance and Controls
15. Transparency and Integrity Hub Governance and Controls
This is a report providing an update on the implementation of the Transparency and Integrity Hub (Hub) in line with Council’s resolution on 27 April 2020. The Hub was successfully implemented by Council on 1 July 2020. The direct cost of the implementation of the Hub with the contracted service delivery partner, Redman Solutions, was $189,687. An additional $57,800 was expended in order to undertake necessary due diligence in the implementation of the Hub, including the gathering of advice and the costs of an independent Privacy Impact Assessment (PIA).
Recommendation
That the Audit and Risk Management Committee receive and note the report on the implementation of the Transparency and Integrity Hub in line with Council’s resolution of 27 April 2020 and note that the Hub was successfully implemented on 1 July 2020.
DISCUSSION
Rob Jones (Chairperson) queried the Transparency and Integrity Hub and questioned with the Hub growing, the control or governance processes over the accuracy of data, control process and any sort of intervention in relation to information that may or may not occur. The Chief Information Officer highlighted the governance controls set out in the tabled report. Rob Jones suggested that the Audit and Risk Management Committee revisit this in 6 months’ time.
Dr Annette Quayle (External Member) queried that under the controlled entities on the Transparency and Integrity Hub, Cherish is not included and what the consequences were of council acknowledging this. Cherish is on our list of controlled entities but not included on the data in the hub. The General Manager Corporate Services advised that council was acting on the information contained in the Mayoral Minute regarding the Transparency and Integrity Hub that went to council at that time and that Cherish was not listed.
ACTION: Council to provide a further report on the Hub at the August 2021 meeting.
16. ICT Steering Committee
16. ICT Steering Committee
This report provides an update to the Audit and Risk Management Committee on matters considered by the ICT Steering Committee (ICTSC) during the past quarter that may represent potential material risks relating to the ICT portfolio.
There is a significant ICT portfolio of work being led by the Chief Information Officer, reporting through to the General Manager, Corporate Services (GM, CS). Information Management (IM) is led by the Governance Manager reporting through the Manager, Legal and Governance Branch, to the GM, CS.
The ICTSC provides oversight for the ICT and IM portfolios and has met on a monthly basis since February 2020 and has now commenced meeting every six weeks.
Recommendation
That the Audit and Risk Management Committee receive and note the report on key matters considered by the ICT Steering Committee in the past quarter.
17. Program Management Office Report
17. Program Management Office Report
This is a report concerning the progress on delivery on strategic work identified within the Program of works for the Program Management Office.
“The attachment/s to this report are confidential in accordance with section 275(1)(g) of the Local Government Regulation 2012.”
Recommendation
That the report be received and the contents noted.
18. Nicholas Street Precinct (CBD) Redevelopment Update
18. Nicholas Street Precinct (CBD) Redevelopment Update
This is a report concerning the Nicholas Street Precinct Redevelopment.
In summary the project continues to track on time and on budget. Tulmur Place will officially be opened on the 28 th of November. The new Ipswich Central Library will open on the 7 th of December. The administration building will reach practical completion in March 2021 with Council to occupy the building in June 2021.
Recommendation
That the report be received and the contents noted.
Mentions: Nicholas Street · Tulmur Place · Ipswich
19. People and Culture Strategic Plan Implementation (including update on culture and pulse survey results)
19. People and Culture Strategic Plan Implementation (including update on culture and pulse survey results)
This is a report to the Audit and Risk Management Committee (ARMC) concerning the implementation of the People and Culture Strategic Plan 2019-2021.
Following major recruitment to the People and Culture Branch between February and May 2020, good progress is now being made on the implementation of the People and Culture Strategic Plan 2019-2021, noting that it is a major program of work.
An update by way of report was provided to the ARMC for the August 2020 meeting.
A Project Management Plan has been finalised and is being implemented by the People and Culture Branch. The Program Management Office is supporting and monitoring the implementation and providing a monthly report to the Executive Leadership Team on progress against the Project Management Plan.
A presentation is attached to this report setting out progress in the implementation of the People and Culture Strategic Plan. As requested by the ARMC, this report also includes an update on work underway to enhance council’s workplace culture and the results of employee pulse surveys.
Recommendation
That the Audit and Risk Management Committee note the report and the progress in implementation of the People and Culture Strategic Plan, including an update on work to enhance workplace culture and the results of employee pulse surveys.
DISCUSSION
Rob Jones (Chairperson) asked how risks were determined whether by the Program Management Office or the responsible departments. Advice was provided that the risks were determined by the PMO.
Rob Jones (Chairperson) asked Sonia Cooper (General Manager Corporate Services) for further detail on the workplace culture and the survey work underway. Sonia Cooper responded providing greater detail on the work underway to improve the workplace culture at Council.
20. NEXT MEETING
The next meeting is scheduled for February 2021 at a date yet to be determined.
PROCEDURAL MOTIONS AND FORMAL MATTERS
The meeting commenced at 10.00 am.
A members only session commenced at 1.00 pm.
The meeting closed at 1.35 pm.
Source: Ipswich City Council meeting minutes (CC BY 4.0).