TENTERFIELD SHIRE COUNCIL (TSC)
DEVELOPMENT OF A STRATEGIC INTERNAL AUDIT PLAN
IAB Job No.1275
DRAFT NOVEMBER 2012
FINAL DECEMBER 2012
TABLE OF CONTENTS
EXECUTIVE SUMMARY
INTRODUCTION
OBJECTIVE
APPROACH AND SCOPE
SUMMARY OF KEY FINDINGS
RECOMMENDATION
ACKNOWLEDGEMENT
ACCOUNTABILITY AND RESPONSIBILITY
DETAILED REPORT
PREPARATION OF THREE YEAR INTERNAL AUDIT PLAN - 1 JULY 2012 TO 30 JUNE 2015
1. HIGH LEVEL RISK REGISTER/ISSUES LOG
SCHEDULE I - HIGH LEVEL RISK REGISTER/ISSUES LOG
2. PREPARATION OF STRATEGIC INTERNAL AUDIT PLAN
SCHEDULE II – DRAFT TSC STRATEGIC INTERNAL AUDIT PLAN
IAB SERVICES The Public Sector Improvement Specialists
EXECUTIVE SUMMARY
INTRODUCTION
As per our recent proposal, we have conducted a high-level review of the Tenterfield Shire Council’s (TSC) current operating environment, including key functions. The field visit was undertaken from 29-31 October 2012 at Council’s Tenterfield administration centre, in the context of developing a new risk-based three (3) Year Strategic Internal Audit Plan for the period 1 July 2012 to 30 June 2015.
OBJECTIVE
The overall objective of the assignment was to review all of Council’s available strategic documentation and develop a three (3) Year Strategic Internal Audit Plan for the period ending 30 June 2015.
APPROACH AND SCOPE
The approach taken has not involved a detailed enterprise-wide risk assessment, but rather a high-level risk review. This draft report should be issued to members of the Audit Review Committee, senior management and other key stakeholders for feedback, after which we will make any amendments, as needed.
A more detailed assessment/evaluation of Council’s risks/issues should be undertaken in due course, as part of Council’s further development of its ERMS (Risk Register) and during the next Strategic Internal Audit Planning cycle. The key steps involved in our review process comprised the following:
An examination of relevant available documentation including Council’s Community Strategic Plan and other IPR documentation, Annual Report, council issue papers and other various documents that we were able to access during the field visit.
Council also advised that, following the release of the 2008 Promoting Better Practice report, the then Department (now Division) of Local Government placed Council on a monitoring program to ensure that the deficiencies identified within the report recommendations would continue to be addressed. This month DLG has issued a comprehensive list of outstanding matters and these have also been considered for potential risk areas within the Strategic Internal Audit Plan.
The information collected from the documentation examined and the limited interviews conducted was analysed, assessed and used to produce a High Level Risk Register/Issues Log and a First Draft of a Strategic Internal Audit Plan for the next three (3) years ending 30 June 2015.
Following Council’s consideration of our draft report, a final report will be fine-tuned and submitted to Council Senior Management for information and the Audit Review Committee to implement the recommended internal audit program.
From the final version of the Strategic Internal Audit Plan, the reviews outlined for the remainder of 2012/2013 (Year 1) could be considered by the Audit Review Committee and a selection made for completion for the year ending 30 June 2013.
SUMMARY OF KEY FINDINGS
We have identified 40 Council risks / issues that were prioritised from an examination of a range of potential risk exposures within Council, given the size and complexity of its operations. These risks are listed in full within Schedule I.
From the initial list in Schedule I, we have prepared a suggested Three Year Strategic Internal Audit Plan (in Schedule II) based on the current status and/or developmental stage of certain projects / activities to ensure that the timing of the reviews can maximise the potential value and assurance provided by the reviews.
Seven (7) risks have been included in the Three Year Strategic Internal Audit Plan (in Schedule II) with two (2) in each of the first two financial years and three (3) in the final year of the program subject to the availability of future funding within the budget.
Economic development and tourism has been identified as a key challenge for Tenterfield and accordingly, specific measured outcomes need to be established to ensure that staff are contracted to these achievements. Although we have included economic development in the final year of the Audit plan, we recommend that Council closely monitor the achievement of the outcomes on a regular basis. This should include establishing clear and objective KPI criteria to measure against the plan outcomes to ensure the ongoing success of these key strategies.
There is also an absence of key IT strategic plans and security of networks, and this risk exposure has been deferred pending further assessment by Manex of the overall strategy for the operating systems and replacement of the current Enterprise Business Application, Authority. This decision by the previous council following a recommendation by staff is currently under review and has not been considered in the three year Internal Audit Plan.
Procurement across all areas of Council has been identified as in need of review given the benefit of centralisation of this role in Corporate Services to more effectively control expenditure across each of the Directorates.
The identification of all legislation under the control of Council is a key risk and we recommend that Council prepares a Legislative Compliance Register to regulate the applicable Acts and Regulations related to staff and across the organisation.
Following a recent discovery of illegal asbestos placement in Council’s recycling area from unknown sources, waste management has already been identified by Council as a potential organisational risk. Council acted promptly to remove all contaminated recycled mulch that was made available free to some householders. It also engaged a specialist waste consultant to prepare a waste management strategy for the consideration of Council at its December 2012 meeting. For this reason waste management has been excluded from the draft Risk Register given the new strategic approach and the increased internal controls available to Council to contain the potential risk exposure.
From the Schedule I risk identification in this report, we recommend that, at a later date, Council finalise its Enterprise Wide Risk Management System (ERMS). This Risk Register will provide a key document that links to the Community Strategic Plan and is monitored regularly to guide Council’s administration.
RECOMMENDATION
From the review work undertaken, we would recommend that the Draft Strategic Internal Audit Plan included in this report be reviewed by Manex and the Audit Review Committee, as soon as practicable.
ACKNOWLEDGEMENT
We would like to acknowledge the assistance provided by the General Manager and Directors within MANEX.
ACCOUNTABILITY AND RESPONSIBILITY
IAB Services takes responsibility for this report, which is prepared on the basis of the limitations set out below.
The matters raised in this report are only those that came to our attention during the course of our review and are not necessarily a comprehensive statement of all the weaknesses that exist or all improvements that might be made. TSC should assess recommendations for improvements for their full commercial and operational impact before they are implemented.
This report is confidential, has been prepared solely for the use of TSC and ownership of the report and any attachments lies with your organisation. It is the responsibility of your organisation to determine if you wish to release this report, in whole or in part. Costs of information requests under any Freedom of Information legislation such as the NSW Government Information (Public Access) Act 2009 or the Commonwealth Freedom of Information Act 1982 or Subpoenas arising from actions taken by individuals or groups as a result of this report will be passed on to your organisation.
No responsibility to any third party is accepted as the report has not been prepared, and is not intended, for any other purpose.
| Contact Persons | Telephone Number | Title |
|---|---|---|
| Shane Boyd | 9261 9107 | Director |
| Ian Melville | 0418969060 | Senior Business Consultant |
DETAILED REPORT
PREPARATION OF THREE YEAR INTERNAL AUDIT PLAN - 1 JULY 2012 TO 30 JUNE 2015
1. HIGH LEVEL RISK REGISTER/ISSUES LOG
EXPLANATORY COMMENTS
As a result of our review of relevant documentation and limited interviews with Council Management, we have identified and recorded in the register attached as Schedule I, a number of significant risks and issues for consideration during our internal audit planning process. This listing of items should not be seen as exhaustive.
By way of explanation, the register provides the following information:
risk/issue reference number
the nature of the risk or issue identified
the functional area to which the item relates
general domain to which the item relates
a suggested mitigation response including controls already in place
an indication as to whether the item has been included in the Draft Strategic Internal Audit Plan.
The first seventeen (17) risks (Risks 1-17) in Schedule I were consolidated into seven (7) groups rated as Moderate. Risks 18-40 have not initially been included in the three-year plan and should be considered for future internal audit reviews.
The register will be provided in soft copy form to the General Manager and can be used in future risk and audit planning activities.
SCHEDULE I - HIGH LEVEL RISK REGISTER/ISSUES LOG
| No | Nature of Issue/Risk Identified | Functional Area | Domain | Current Controls/Suggested Mitigation Response | Rating | Included in Strategic Internal Audit Plan |
|---|---|---|---|---|---|---|
| 1 | Potential for Records information inconsistency; files not retrieved, systems contain incorrect data on applicants and property. | Corporate Services & Community Sustainability | Records Manager | Records Management - registration of all documents, information retrieval and monitoring file movement. Compliance check against State Records Act. | Moderate | Yes |
| 2 | Capture and maintain business records. Potential breaches of State Records Act. | Corporate Services & Community Sustainability | Records Manager | Records management systems, business processes | Moderate | Yes |
| 3 | Fraud and corruption prevention review | Corporate Services & Community Sustainability | Director, Corporate Services & Community Sustainability | Test current policy for assurance as to adequacy of safeguards that are in place and undertake a fraud audit. | Moderate | Yes |
| 4 | Failure of procurement and contract management policies and procedures | Corporate Services & Community Sustainability | Director, Corporate Services & Community Sustainability | Contract administration procedures in place plus authority limits, workflows and approvals | High | Yes |
| 5 | Proper delegations for procurement and contract management | Corporate Services & Community Sustainability | Director, Corporate Services & Community Sustainability | Financial delegations for authorisation of payments need to be current for each responsible officer | High | Yes |
| 6 | Decentralisation of procurement function | Corporate Services & Community Sustainability | Director, Corporate Services & Community Sustainability | Weakening of internal controls through lack of central hub within Council | Moderate | Yes |
| 7 | Undertake a two yearly review of Development Assessment | Environmental Services | Director, Environmental Services | Ensure that the current Development Assessment process is effective and compliant with legislation. | Moderate | Yes |
| 8 | Compliance with the ICAC Development Assessment internal audit tool | Environmental Services | Director, Environmental Services | Benchmark performance against the ratings provided in the ICAC Internal Audit tool | Moderate | Yes |
| 9 | Evaluate S94 Developer Contributions including use of Planning Agreements | Environmental Services | Director, Environmental Services | Review S94 Plan and determine the cost benefit of when and where to use either S94 or S94A contributions plans. | Moderate | Yes |
| 10 | The Register of Developer Contribution Plans should separate contributions from S94 and S64 of the Acts. | Environmental Services | Director, Environmental Services | Ensure transparency and compliance of transactions | Moderate | Yes |
| 11 | Centralise the responsibility for both S64 and S94 to a responsible officer. | Environmental Services | Director, Environmental Services | One officer should have final responsibility for the monitoring of receipts and payments and compliance with the plans. | Moderate | Yes |
| 12 | Development Servicing Plans for levying developers under S64/S94 are not adequate | Engineering Services/Environmental Services | All | S64/S94 plans in place. Review plans, income and expenditure to programs. | Moderate | Yes |
| 13 | Compliance with all legislation and Regulatory responsibilities | Corporate Services & Community Sustainability | Director, Corporate Services & Community Sustainability | Develop or review the Legislative and Regulatory Compliance Register and identify responsibilities for all staff positions to comply. | Moderate | Yes |
| 14 | Non-compliance with industrial relations legislation | Corporate Services & Community Sustainability | Manager HR | Policy and procedures, legislation, workflows | Moderate | Yes |
| 15 | Asset Management sustainable life cycle funding not sufficient for future asset renewal | Corporate Services & Community Sustainability | Director, Corporate Services & Community Sustainability | Review the effectiveness between asset management strategy and financial system | Moderate | Yes |
| 16 | Road maintenance and bridge replacement budgetary funding is inadequate to meet future needs. | Corporate Services & Community Sustainability | Director, Corporate Services & Community Sustainability/Manager Assets | Record Infrastructure gaps as deferred liabilities pending resolution of longer term asset strategies. | Moderate | Yes |
| 17 | Review economic sustainability and tourism and visitation strategy | Corporate Services & Community Sustainability | Director, Corporate Services & Community Sustainability | Review/update plan to ensure that key operational strategies are in place to reach predetermined objectives | Moderate | Yes |
| 18 | Implementation review of IT Strategic Plan for effectiveness and cost strategies | Corporate Services & Community Sustainability | Manager Finance & IT | Health check on the Information Technology Strategic Plan | High | No |
| 19 | Failure to provide secure IT network systems | Corporate Services & Community Sustainability | Manager Finance & IT | Undertake external implementation review of updated system | High | No |
| 20 | Regular updates on technology such as GIS and staff training | Corporate Services & Community Sustainability | Manager Finance & IT | Ensure that staff are suitably trained and operating Best Practice equipment. | Moderate | No |
| 21 | Review the processes for Acquisition and Development within IT management. | Corporate Services & Community Sustainability | Manager Finance & IT | Review the suitability of current procedures to ensure compliance. | Moderate | No |
| 22 | Review of integrated communication devices | Corporate Services & Community Sustainability | Manager Finance & IT | Maximise the use and effectiveness of integrated communication devices | Moderate | No |
| 23 | Evaluate alternatives to the current Enterprise Business Application product Authority | Corporate Services & Community Sustainability | Manager Finance & IT | Provide a second opinion on the availability and cost/benefit of alternate Enterprise Business Application | Moderate | No |
| 24 | Council does not maintain an Enterprise Wide Risk Management System (ERMS) | Corporate Services & Community Sustainability | Manager, Finance & IT | Prepare a customised Register using the identified Risks from this report | Moderate | No |
| 25 | Seek economies of scale savings from sharing resources from partner alliances. | General Manager | ALL | Consider options to share limited staff resources to decrease fixed costs and increase ROI. | Moderate | No |
| 26 | Staff training plan not formalised | Corporate Services & Community Sustainability | Human Resources Manager | Council does not meet its requirements under the LG (State) Award. | Moderate | No |
| 27 | Business Continuity Plan | Manex | All | Review Disaster Recovery Plan/Business Continuity Plan to reflect legislative changes and currency of proposed response strategies. | Moderate | No |
| 28 | Internal controls are not effective | Corporate Services & Community Sustainability | Director, Corporate Services & Community Sustainability | Systems are not in place to report fraudulent or illegal activity | Moderate | No |
| 29 | Failure to provide accurate Payroll and Leave management | Corporate Services & Community Sustainability | Manager Finance & IT | Finance system controls, time sheet approvals | Moderate | No |
| 30 | Ineffective succession planning and knowledge management | Corporate Services & Community Sustainability | Manager HR | Potential loss of corporate knowledge and poor work transition for replacement staff. | Moderate | No |
| 31 | Cash handling | Corporate Services & Community Sustainability | Manager Finance & IT | Procedures in place including cash collection, developer fees and lease payments. | Moderate | No |
| 32 | Properly manage property leasing and rentals | Manex | Corporate | Quarterly reviews | Moderate | No |
| 33 | Water & Sewerage charges not sufficient to provide for full cost recovery | Environmental Services | Director, Environmental Services | Charges reviewed as part of annual Operating plan | Moderate | No |
| 34 | On Site Sewage Management Plans | Environmental Services | Director, Environmental Services | Development of database with risk categorisation; and prioritise the annual inspection program on risk basis. | Moderate | No |
| 35 | Effectiveness of Staff appraisal system | Finance & Corporate Services | Human Resources Manager | Staff pay increase even when ‘failing’ review. Test current system against best industry practice to measure outcomes. | Moderate | No |
| 36 | Non-compliance with policies and procedures by staff and/or councillors | Corporate Services & Community Sustainability | ALL | Policies and procedures reviewed on a regular basis. Code of conduct compliance. Separation of policy and operations. | Moderate | No |
| 37 | Management performance not adequately assessed by KPI criteria | Manex | ALL | Development of SMART KPIs that properly measure the staff performance of Managers. | Moderate | No |
| 38 | Infrastructure not meeting technical specifications/standards | Engineering Services | Director, Engineering Services | Supervisory controls in place. | Moderate | No |
| 39 | Economic development, tourism and visitation strategy | Corporate Services & Community Sustainability | Director, Corporate Services & Community Sustainability | Improve future financial sustainability of the Region. | Moderate | No |
| 40 | Environmental risks for landfill - asbestos. | Environmental Services | Director, Environmental Services | Procedures in place and draft waste strategies developed awaiting Council approval. | Moderate | No |
2. PREPARATION OF STRATEGIC INTERNAL AUDIT PLAN
INTRODUCTION
Internal Audit is defined by the Institute of Internal Auditors (IIA) as “an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations.”
To achieve best practice, development of Council’s Strategic Internal Audit Plan should be consistent with both the DLG’s Internal Audit Guidelines (DLG Guidelines) and the IIA Professional Practices Framework (IIA Standards).
The Internal Audit’s Planning Approach should include all of the following areas mentioned in the Guidelines:
Reliability and integrity of financial and operational information.
Effectiveness and efficiency of operations and resource usage.
Safeguarding of assets.
Compliance with laws, regulations, policies, procedures, and contracts.
Adequacy and effectiveness of the risk management framework.
The Strategic Internal Audit Plan should also be based on the highest identified risk areas and be aligned with Council’s plans and goals. This should result in a risk based internal audit plan that delivers maximum assurance to key stakeholders.
EXPLANATORY COMMENTS
Based on the contents of the preceding risk register/issues log and our discussions with the General Manager and Senior Management, we have prepared a Draft Strategic Internal Audit Plan for your consideration. This is set out in the following Schedule II.
The Plan is presented as a draft, as there may be a need to modify the Plan to reflect possible changes in priorities from a business risk perspective. By necessity, we have not included all audit areas identified on Schedule I. These areas can be carried forward to future audit planning cycles.
The suggested review areas are only briefly described and would be supported by detailed review scopes that would be prepared once the Plan has been approved and as the first planning step for the nominated review area.
We have taken the opportunity, based on our limited knowledge of each review area, to apply a notional risk rating to each item. This can assist with the Management prioritisation process. The scale used is in accordance with the Risk Management Standard ISO 31000 and outlined in the following table.
RISK RATING KEY
Extreme: Extreme risk, immediate action required.
High: High risk, urgent management attention is needed.
Moderate: Moderate risk, management responsibility must be specified.
Low: Low risk, manage by routine procedures.
We have consolidated seventeen (17) areas of individual risks included in Schedule I (Risks 1-17) into the seven (7) categories of Moderate risk-based grouped audits as follows.
Records Management
Fraud and Corruption Prevention Review
Procurement, Contracts and Project Management
Development Assessment and Contribution Plans
Review of compliance with legislation and regulation
Asset Management strategies
Review of Economic sustainability and tourism strategies
SCHEDULE II – DRAFT TSC STRATEGIC INTERNAL AUDIT PLAN
| NO. | AUDITABLE AREAS | 2013-2014 | 2014-2015 | 2015-2016 | RISK RATING | Schedule I cross reference |
|---|---|---|---|---|---|---|
| 1 | Records Management - registration of all documents, information retrieval and monitoring file movement. | | | | Moderate | 1-2 |
| 2 | Fraud and Corruption Prevention policy assessment and audit check. Completed. | | | | Moderate | 3 |
| 3 | Procurement and contract management | | | | Moderate | 4-6 |
| 4 | Development Assessment and Contribution Plans | | | | Moderate | 7-12 |
| 5 | Review the Legislative and Policy Compliance Registers | | | | Moderate | 13-14 |
| 6 | Review of Asset Management strategies and long term financial implications. | | | | Moderate | 15-16 |
| 7 | Review economic sustainability and tourism and visitation strategy | | | | Moderate | 17 |
END OF REPORT