MEETING NOTICE AND AGENDA – 27 May 2020
TO: THE MAYOR AND COUNCILLORS
NOTICE is given that a meeting of the Audit Committee will be held in the Wonnerup Committee Room, Administration Building, Southern Drive, Busselton on Wednesday, 27 May 2020, commencing at 9.00am.
The attendance of Committee Members is respectfully requested.
Statements or decisions made at Council meetings or briefings should not be relied on (or acted upon) by an applicant or any other person or entity until subsequent written notification has been given by or received from the City of Busselton. Without derogating from the generality of the above, approval of planning applications and building permits and acceptance of tenders and quotations will only become effective once written notice to that effect has been given to relevant parties. The City of Busselton expressly disclaims any liability for any loss arising from any person or body relying on any statement or decision made during a Council meeting or briefing.
CHIEF EXECUTIVE OFFICER
21 May 2020
Agenda FOR THE Audit Committee MEETING TO BE HELD ON 27 May 2020
TABLE OF CONTENTS
5. Confirmation Of Minutes
5.1 Minutes of the Audit Committee Meeting held 26 February 2020
That the Minutes of the Audit Committee Meeting held 26 February 2020 be confirmed as a true and correct record.
6. LEADERSHIP Visionary, collaborative, accountable
6.1 Governance systems, process and practices are responsible, ethical and transparent.
Manager Governance and Corporate Services - Sarah Pierson
Director Finance and Corporate Services - Tony Nottle
NATURE OF DECISION
Noting: the item does not require a decision of Council and is simply for information purposes and noting
Attachment A Risk Management Framework
Attachment B Internal Control Review
Attachment C Legislative Compliance LG Act Review
That the Council note the contents of this report and endorse as required by Regulation 17 of the Local Government (Audit) Regulations (1996) the appropriateness and effectiveness of the City’s systems and procedures in relation to:
1. Risk Management
2. Internal Control
3. Legislative Compliance
Regulation 17 of the Local Government (Audit) Regulations (the “Audit Regulations”) requires the Chief Executive Officer to review the appropriateness and effectiveness of a local government’s systems and procedures in relation to risk management, internal control and legislative compliance. The results of the review are to be reported to the Audit Committee for review and deliberation, prior to formal presentation to the Council.
In February 2013, several amendments to the Audit Regulations were made. At this time, a new Regulation number 17 was effected, requiring the CEO to review the appropriateness and effectiveness of a local government’s systems and procedures in relation to risk management, internal control and legislative compliance; with the results of the review to be reported to the Audit Committee.
In order to be compliant with the new review and reporting requirements, the initial review was presented to the Audit Committee on 11 December 2014 and then to the Council on 28 January 2015; with each aspect the subject of a separate report. In accordance with Regulation 17 requirements (at the time) for systems to be reviewed at least once every two calendar years, a second review was presented to the Audit Committee on 26 October 2016 and then to Council at its ordinary meeting on 9 November 2016.
In June 2018 Regulation 17 was amended with the period of review changed to be at least once every 3 financial years. This report is provided in accordance with that amended requirement and covers all aspects of the review (risk management, internal control and legislative compliance).
As per the previous two reviews, this review has been undertaken internally by relevant areas; with overall coordination and oversight by governance. The Department of Local Government, Sport and Cultural Industries (the DLGSC) Local Government Operational Guideline 9 - ‘Audit in Local Government’ - has been used as a reference point, with other more specific tools relevant to each aspect utilised for the assessment. The results of formal audits have also been considered, such as the more recent Office of the Auditor General (OAG) focus audit on creditor master files.
Overall the review concludes that we have appropriate and effective systems and procedures in place to manage risk. This is achieved through our risk management framework and the embedding of risk identification and assessment processes in our planning; through our internal control systems where we have effective decision making processes, appropriate segregation of duties and systems which provide necessary checks and balances; and through the employment of staff who are qualified and skilled in the application of the various pieces of legislation we operate under.
As detailed in all of the guidelines referred to in conducting this review, a local government’s systems and procedures will be implemented, monitored and reviewed. It is acknowledged that reviews vary due to the size and nature of individual local governments.
A more detailed synopsis of the review and its findings in relation to each aspect, noting that there can be overlap between all three, is provided under relevant sub-headings below.
The City’s formal risk management system is outlined in the City’s Risk Management Framework (Attachment A). This framework contains the City’s risk reference tables, the City’s risk tolerance levels, and the City’s risk management processes and procedures. The Risk Management Committee, made up of officers representing each directorate, is responsible for overseeing the implementation of the Risk Management Framework and for championing a risk management culture within the City of Busselton.
Risks are most commonly identified formally at an operational level, either through annual business planning processes or as they arise during the year. Risks may also be identified through organisational processes such as safety inspections or investigations or in the process of planning for significant projects.
All identified risks are assessed to determine a residual risk rating (that is, the risk level taking into account current controls), being either low, medium, high or extreme, dependent on the likelihood of an event occurring resulting in a specific consequence. The consequence of the event is measured in terms of one or more of the following consequence categories:
· Public Health
· Occupational Safety and Health
Risks are formally ‘accepted’ by the relevant Manager / Director, as appropriate to the level of risk. By ‘accepting’ a risk an officer is indicating that the risk is within acceptable tolerance levels once all reasonable and practical treatment options are considered.
Where a risk is not considered acceptable a treatment plan is generally approved and adopted to reduce the risk rating to within acceptable tolerance levels over a period of time. Acceptance of the risk will also be dependent on the effectiveness of the controls in place.
A risk with a rating of medium which has adequate controls will usually be accepted, while a risk with a rating of low will usually be accepted, irrespective of the effectiveness of the controls. High rated risks may be accepted by a Director if they have adequate controls. Alternatively a treatment plan may be put in place to reduce the level of risk, although it should be noted that given the City’s statutory responsibilities in a number of areas, there is sometimes no choice but to ‘accept’ high risks and manage them in the best and most practical and reasonable manner. Extreme rated risks could be accepted by the Senior Management Group where they have adequate controls. The City currently has no extreme risks.
As at 18 May 2020 the City has 95 risks formally captured within its risk management system.
The majority of risks, as shown by the green bars, have been assessed, evaluated and accepted and are now being monitored. Risks are reviewed at least three yearly (timing dependent on risk level), the purpose of the review being to ensure that changing environmental factors have not impacted on the level of risk and that any controls identified continue to be in place and effective.
Risks in the red bars are either previously accepted risks or risks with a treatment plan that are overdue for a formal review; or risks that have been recently identified. The orange bar shows risks with an active treatment plan. The City has currently identified three high level risks:
· Dunsborough Waste site environmental issues – Previously used sites;
· Bushfire; and
· Aviation accident.
In addition the City maintains and reports on a separate hazard profile through its Occupational Safety and Health (OSH) Management System (which is effectively a risk mitigation system). The City’s current hazard risk profile is shown below, with two hazards recorded as high level risks - uneven ground and manual handling.
These hazards are rated as high risk as, due to the nature of the works being undertaken by employees, they have a high likelihood of having what is a relatively minor level consequence.
Risk reports are provided to the Senior Management Group and Managers group regularly detailing the City’s risk profile, the high level risks, and risks that are overdue for review or have treatment plans in place. Included also are the following targets:
· All extreme and high risks are assessed within 14 days; and
· All medium and low risks are assessed within 30 days.
The targets, reported on by Business Unit, are generally met, noting that we have had instances of medium and low risks not being assessed within 30 days. On these occasions, Managers and Directors responsible for these areas are notified.
The effectiveness of the City’s Risk Management systems and processes was assessed using the evaluation sheet attached. The systems and processes were assessed as effective overall, with all system aspects either in place or partially embedded. Areas identified for ongoing focus were:
· Further embedding of formal risk identification and assessment into business processes;
· Increased monitoring of risk controls and escalation of control failures;
· Improved timeliness of risk reviews; and
· Ongoing communication and championing of the Risk Management Framework.
While we continue to encourage and embed use of the City’s formal risk management system and framework, it is acknowledged that City Officers also identify and treat risks using other, less formalised processes. During business planning, for instance, operational risks are identified that have previously, through management practices, had controls put in place to mitigate them, and are managed as core business. Not all of these risks are formally identified and assessed, and are therefore not translated through to the formal risk register; for instance, risks associated with the loss of key personnel and skills. Similarly, project risks are not always formally identified through project planning processes, with this being an area identified for improvement.
In summary, the City’s risk management processes are considered effective and appropriate, taking into account the City’s size, complexity, and level of resources, both dedicated to risk management and more generally. There remains scope for the City to further integrate and mature its risk management system.
Recommended improvement actions are as follows:
· Additional and more regular review of strategic risks through the Strategic Community Plan review process;
· Review of the City’s risk management software system to determine whether there is a more efficient and effective system;
· Provision of more regular refresher training for staff on the City’s risk management framework; and
· Ongoing review of the City’s project planning processes with regards to risk management (review of project management processes is currently in progress).
Review of the City’s systems and procedures in relation to internal control has been undertaken with reference to the Department’s Operational Guideline – Audit in Local Government – and, in more detail, the Local Government Accounting Manual (the Manual); also developed by the Department.
The Local Government Operational Guideline – ‘Audit in Local Government’ - suggests that aspects of an effective internal control framework will ideally include the following:
· Delegation of authority;
· Documented policies and procedures;
· Trained and qualified employees;
· System controls;
· Effective policy and process review;
· Regular internal audits;
· Documentation of risk identification and assessment; and
· Regular liaison with auditor and legal advisors.
The guideline acknowledges that the extent to which internal controls are implemented, monitored and reviewed will be impacted by, amongst others, the size and nature of individual local governments.
The Local Government Accounting Manual further lists a range of key control and monitoring activities which local governments should be reviewing on an ongoing basis. The Manual, like the guideline, also implies that the achievement of regulatory compliance (further discussed under the Legislative Compliance sub-heading) should be viewed as the fundamental goal of an effective internal control system, with further enhancement being ongoing as part of an overall organisational risk management process.
In the absence of any specific guideline as to how the review of internal control is to be undertaken, a review of the City’s performance against each of the listed control and monitoring activities in the Manual has been considered as a reasonable basis for carrying out this review. Attachment B to this report lists each activity, provides a synopsis of the City’s current processes and procedures, and highlights further actions required where identified.
· has a delegations register, reviewed annually, that provides for a well-balanced and effective approach to decision making;
· has well documented policies and procedures across most areas, and has an active program of review to continually improve this;
· employs qualified and experienced staff and invests in training, with 1.5% of gross salaries and wages allocated to a training and development pool;
· has robust systems and internal system controls;
· has an established risk management framework and processes, as outlined under the Risk Management subheading; and
· undertakes regular auditing, with the majority of audits being conducted externally. The City does not currently have internal auditing resources.
Areas identified for particular focus (as against the listed controls and monitoring activities in the Manual) are those below.
Rates/debtors officers are competent for their assigned tasks, adequately trained and supervised.
Employees responsible for rates and / or sundry debtor activities are experienced and have generally been in their roles for a number of years. In order to ensure appropriate succession planning is in place, planning has commenced to ensure staff are more broadly trained in key rating / debtors functions.
All receipts, cash and cheques, deposited on a regular and timely basis.
Reconciliation of daily deposit total to receivable posting and cash sales is prepared and reviewed.
Front counter operations and outstation banking are completed and banked in a timely manner. Deposits are reconciled, reviewed and signed off by supervisory staff, and banked on a daily basis. Notwithstanding this, current processes and procedures documentation in relation to accounting activities is not centrally held in some instances. It is recommended that all areas dealing with cash and banking formally update associated accounting processes and procedures, and that these documents be authorised by the respective Director, with a copy to be provided to the Finance Department.
Personnel responsible for the purchasing, shipping, receiving and payable functions are competent, adequately trained and supervised.
Staff responsible for purchasing and accounts payable functions are fully competent, adequately trained and are supervised as required. Separation of duties measures are implemented widely. A new operational practice to identify/ enforce requirements associated with the addition of a new creditor and amendments to an existing creditor is in the process of being finalised.
The purchasing policy clearly defines who can issue purchase requisitions/orders and to what dollar limit.
Spending limits are set by budget or individual levels of authority. These limits are monitored by the system or manually.
The Council’s adopted Purchasing Policy details dollar thresholds for quotation requirements, but does not define individual purchasing limits (as this is not the intent of the policy). Individual purchasing limits are determined by business need, and are approved by each staff member’s supervisor. Purchasing limits are only established/ updated in the corporate system upon receipt of a valid authorisation request.
The ability to raise purchase requisitions in the system, and the associated value of the same, is controlled by system parameters. Verification of this authority is undertaken by Finance staff (at multiple levels) prior to the associated payment being processed.
While the current processes are working well, there is currently no overarching control documentation detailing the required processes to be undertaken, including the purchasing authorisation limit approval process. As part of this review, it has been identified that an OP should be established for this purpose. Additionally the ability to approve one’s own requisition in the system requires further review.
The accounting policy for when goods should be capitalised is documented and clearly understood by accounting personnel.
Accounting personnel dealing with the capitalisation of assets are fully aware of the applicable standards and associated thresholds (as per significant accounting policies). However, there is currently no endorsed control documentation available for the wider organisation, other than that issued as part of the draft budget compilation process. An Asset Capitalisation Operational Practice and Procedure, which clearly sets out the City’s capitalisation thresholds and associated requirements, is under development.
Management regularly reviews all grant income and monitors compliance with both the terms of grants and Council’s grants policy (including claiming funds on a timely basis).
The expenditure of funding in line with associated grant conditions, and subsequent grant acquittal, is administered by responsible Business Unit staff and management, with various roles providing a degree of oversight (from a financial and a strategic projects focus). To assist in this oversight functionality a centralised and detailed grants register is being developed.
In summary the internal control review has identified several instances whereby the formal documentation/ development planning of associated processes and procedures needs to occur. Outside of this finding however the review has verified that the City’s internal control systems and processes are sound.
As per previous years, when reviewing systems and processes around legislative compliance, officers have considered the outcome of the Annual Statutory Compliance Audit Return, conducted in March 2020. This return was presented to Council at its ordinary meeting held on 11 March 2020 and approved. The high level of statutory compliance noted in the Annual Statutory Compliance Audit Return should give the Council confidence in the internal systems and procedures of the City which are aimed to ensure legislative compliance.
In addition, officers have undertaken a broader longer term review of compliance with the Local Government Act 1995 and associated regulations utilising the format of the older version of the Statutory Compliance Audit Return, which used to include questions in relation to a much larger number of provisions of the Local Government Act and regulations. The results are contained in Attachment C and demonstrate an overall high level of statutory compliance, with only minor issues noted such as the review of two local laws being slightly behind schedule, noting both are currently in the process of being reviewed.
While the City is formed as a statutory body under the Local Government Act 1995, there are a broad range of other State and Federal laws that the City carries out statutory processes under or which otherwise impact on the City’s operations. A small snapshot of some of the other Acts that the City implements or adheres to is provided below:
· Bush Fires Act 1954
· Caravan Parks and Camping Grounds Act 1995
· Cat Act 2011
· Cemeteries Act 1986
· Dog Act 1976
· Emergency Management Act 2005
· Environmental Protection Act 1986
· Public Health Act 2016
· Land Administration Act 1997
· Liquor Control Act 1988
· Litter Act 1979
· Local Government (Miscellaneous Provisions) Act 1960
· Occupational Safety and Health Act 1984
· Planning and Development Act 2005
· Public Interest Disclosure Act 2003
· Rail Safety Act 2010
· State Records Act 2000
· Strata Titles Act 1985
There are a variety of processes and procedures that the City has in place in respect of these pieces of legislation and a variety of ways in which the City ensures that it complies with them. For example, many of the City’s development consent and scheme amendment processes are carried out in accordance with the Planning and Development Act 2005 and the City of Busselton Local Planning Scheme No. 21 which is delegated legislation made under that Act. Those statutory processes are reflected in a number of the City’s business systems which are automated through the City’s information technology systems, including document retention and retrieval process and online applications. Similarly with respect to obligations and responsibilities under the Occupational Safety and Health Act 1984, the City has an OSH management system consisting of many practices and procedures outlining ways in which the City will comply with its obligations.
Further, the City relies on employing qualified staff who are trained in and are aware of these statutory requirements and the requirement for this knowledge is reflected in the position descriptions for those staff, as is their authority to act in accordance with these laws. A similar approach is taken in respect of almost all pieces of legislation that the City has to comply with. For instance the City employs qualified Environmental Health Officers to carry out processes under the Public Health Act 2016 and an OSH and Risk Officer who must be qualified and have sufficient knowledge in respect of the legislative requirements of the Occupational Safety and Health Act 1984.
These are examples of some of the ways in which the City ensures compliance with the requirements and processes of the various other pieces of legislation which it is involved in the implementation of or has to comply with.
While not directly linked to legislative compliance, from a broader governance perspective it is worth noting that the City has, since the last Regulation 17 review in 2016, been involved in two independent reviews of its governance systems – one undertaken by Mr John Woodhouse (engaged by the City) and one as part of an Australian Institute of Company Directors review of local government governance. The City’s governance systems were considered as sound in both reviews; and the City has, since 2017, been actively implementing recommendations aimed at further improving our governance systems.
Ultimately the City relies on a combination of properly structured and configured IT business systems, documented processes and procedures and appropriately qualified, knowledgeable and authorised staff (whose position descriptions reflect the necessary qualifications and skills for their role) to ensure it complies with the many and varied laws impacting on its operations. While officers are comfortable that legislative compliance is being achieved, this review has highlighted the benefits that a central governance / compliance system could bring, enabling a central repository of information and for governance to more easily track delegation usage, returns, policy expiries and potentially even qualifications of key staff. This is something being explored as an improvement initiative, although would require funding.
Regulation 17 of the Local Government (Audit) Regulations states:
“17. CEO to review certain systems and procedures
(1) The CEO is to review the appropriateness and effectiveness of a local government’s systems and procedures in relation to –
(a) risk management; and
(b) internal control; and
(c) legislative compliance.
(2) The review may relate to any or all of the matters referred to in subregulation (1)(a), (b) and (c), but each of those matters is to be the subject of a review not less than once in every 3 financial years.
(3) The CEO is to report to the audit committee the results of that review.”
The City of Busselton Risk Management Policy was adopted by Council on 10 May 2006. It was subsequently reviewed and the updates endorsed by Council on 27 July 2011, 12 August 2015, 12 October 2016 and 12 December 2018.
To provide guidance to local governments in the completion of the review requirements, in September 2013, the Department of Local Government and Communities (the Department) released an updated version of Local Government Operational Guideline 9 – ‘Audit in Local Government’. This guideline includes a section specifically relating to the review, and exemplifies the types of activities that could potentially be undertaken as part of the review process.
There are no financial implications associated with the officer recommendation.
No external stakeholder consultation was required or undertaken in relation to this matter.
An assessment of the potential implications of implementing the officer recommendation has been undertaken using the City’s risk management framework, with risks assessed taking into account any controls already in place. This review of the City’s systems and procedures in relation to risk management, internal control and legislative compliance found no material risks of a medium or greater level.
As an alternative to the proposed recommendation the Council could:
1. request that the CEO provide additional information to demonstrate the appropriateness and effectiveness of the City’s systems in relation to one or more of risk management, internal control or legislative compliance;
2. request the CEO to undertake specific actions in relation to risk management, internal control or legislative compliance.
Overall the review undertaken and documented in this report concludes that we have appropriate and effective systems and procedures in place to manage and mitigate risk; through our risk management framework, through our internal control systems, and through the employment of qualified staff and the implementation of robust internal management systems. While we can continue to enhance our systems and processes, the review has not identified any issues of significance, with recommended improvements instead part of ongoing development and maturation of the City’s systems and processes.
TIMELINE FOR IMPLEMENTATION OF OFFICER RECOMMENDATION
Systems and processes in relation to all aspects of risk management – risk, internal control and legislative compliance – will be monitored on an ongoing basis and improved as part of general business planning and operations.