
TENTERFIELD SHIRE COUNCIL (TSC)

DEVELOPMENT OF A STRATEGIC INTERNAL AUDIT PLAN

IAB Job No.1275

DRAFT NOVEMBER 2012

FINAL DECEMBER 2012


TABLE OF CONTENTS

EXECUTIVE SUMMARY
  INTRODUCTION
  OBJECTIVE
  APPROACH AND SCOPE
  SUMMARY OF KEY FINDINGS
  RECOMMENDATION
  ACKNOWLEDGEMENT
  ACCOUNTABILITY AND RESPONSIBILITY

DETAILED REPORT
  PREPARATION OF THREE YEAR INTERNAL AUDIT PLAN - 1 JULY 2012 TO 30 JUNE 2015
  1. HIGH LEVEL RISK REGISTER/ISSUES LOG
  SCHEDULE I - HIGH LEVEL RISK REGISTER/ISSUES LOG
  2. PREPARATION OF STRATEGIC INTERNAL AUDIT PLAN
  SCHEDULE II – DRAFT TSC STRATEGIC INTERNAL AUDIT PLAN

IAB SERVICES The Public Sector Improvement Specialists

EXECUTIVE SUMMARY

INTRODUCTION

As per our recent proposal, we have conducted a high-level review of the Tenterfield Shire Council’s (TSC) current operating environment, including key functions. The field visit was undertaken from 29-31 October 2012 at Council’s Tenterfield administration centre in the context of developing a new risk-based three (3) Year Strategic Internal Audit Plan for the period 1 July 2012 to 30 June 2015.

OBJECTIVE

The overall objective of the assignment was to review all of Council’s available strategic documentation and develop a three (3) Year Strategic Internal Audit Plan for the period ending 30 June 2015.

APPROACH AND SCOPE

The approach taken has not involved a detailed enterprise–wide risk assessment, but rather a high-level risk review. This draft report should be issued to members of the Audit Review Committee and senior management and other key stakeholders for feedback, after which, we will make any amendments, as needed.

A more detailed assessment/evaluation of Council’s risks/issues should be undertaken in due course, as part of Council’s further development of its ERMS (Risk Register) and during the next Strategic Internal Audit Planning cycle.

The key steps involved in our review process comprised the following:

An examination of relevant available documentation including Council’s Community Strategic Plan and other IPR documentation, Annual Report, council issue papers and other various documents that we were able to access during the field visit.

Council also advised that, following the release of the 2008 Promoting Better Practice report, the then Department (now Division) of Local Government placed Council on a monitoring program to ensure that the identified deficiencies within those report recommendations would continue to be addressed. This month DLG has issued a comprehensive list of outstanding matters and these have also been considered for potential risk areas within the Strategic Internal Audit Plan.

The information collected from the documentation examined and the limited interviews conducted was analysed, assessed and used to produce a High Level Risk Register/Issues Log and a First Draft of a Strategic Internal Audit Plan for the next three (3) years ending 30 June 2015.

Following Council’s consideration of our draft report, a final report will be fine-tuned and submitted to Council Senior Management for information and the Audit Review Committee to implement the recommended internal audit program.


From the final version of the Strategic Internal Plan, the reviews outlined for the remainder of 2012/2013 (Year 1) could be considered by the Audit Review Committee and a selection made for completion for the year ending 30 June 2013.

SUMMARY OF KEY FINDINGS

We have identified 40 Council risks / issues that were prioritised from an examination of a range of potential risk exposures within Council, given the size and complexity of its operations. These risks are listed in full within Schedule I.

From the initial list in Schedule I, we have prepared a suggested Three Year Strategic Internal Audit Plan (in Schedule II) based on the current status and/or developmental stage of certain projects / activities to ensure that the timing of the reviews can maximise the potential value and assurance provided by the reviews.

Seven (7) risks have been included in the Three Year Strategic Internal Audit Plan (in Schedule II) with two (2) in each of the first two financial years and three (3) in the final year of the program subject to the availability of future funding within the budget.

Economic development and tourism has been identified as a key challenge for Tenterfield and accordingly, specific measured outcomes need to be established to ensure that staff are contracted to these achievements. Although we have included economic development in the final year of the Audit plan, we recommend that Council closely monitor the achievement of the outcomes on a regular basis. This should include establishing clear and objective KPI criteria to measure against the plan outcomes to ensure the ongoing success of these key strategies.

There is also an absence of key IT strategic plans and security of networks, and this risk exposure has been deferred pending further assessment by Manex of the overall strategy for the operating systems and replacement of the current Enterprise Business Application Authority. This decision by the previous council following a recommendation by staff is currently under review and has not been considered in the three year Internal Audit Plan.

Procurement across all areas of Council has been identified as in need of review given the benefit of centralisation of this role in Corporate Services to more effectively control expenditure across each of the Directorates.

The identification of all legislation under the control of Council is a key risk and we recommend that Council prepares a Legislative Compliance Register to regulate the applicable Acts and Regulations related to staff and across the organisation.

Following a recent discovery of illegal asbestos placement in Council’s recycling area from unknown sources, waste management has already been identified by Council as a potential organisational risk. Council acted promptly to remove all contaminated recycled mulch that was made available free to some householders. It also engaged a specialist waste consultant to prepare a waste management strategy for the consideration of Council at its December 2012 meeting. For this reason waste management has been excluded from the draft Risk Register given the new strategic approach and the increased internal controls available to Council to contain the potential risk exposure.


From the Schedule I risk identification in this report, we recommend that, at a later date, Council finalise its Enterprise Wide Risk Management System (ERMS). This Risk Register will provide a key document that links to the Community Strategic Plan and is monitored regularly to guide Council’s administration.

RECOMMENDATION

From the review work undertaken, we would recommend that the Draft Strategic Internal Audit Plan included in this report be reviewed by Manex and the Audit Review Committee, as soon as practicable.

ACKNOWLEDGEMENT

We would like to acknowledge the assistance provided by the General Manager and Directors within MANEX.

ACCOUNTABILITY AND RESPONSIBILITY

IAB Services takes responsibility for this report, which is prepared on the basis of the limitations set out below.

The matters raised in this report are only those that came to our attention during the course of our review and are not necessarily a comprehensive statement of all the weaknesses that exist or all improvements that might be made. TSC should assess recommendations for improvements for their full commercial and operational impact before they are implemented.

This report is confidential, has been prepared solely for the use of TSC and ownership of the report and any attachments lies with your organisation. It is the responsibility of your organisation to determine if you wish to release this report, in whole or in part. Costs of information requests under any Freedom of Information legislation such as the NSW Government Information (Public Access) Act 2009 or the Commonwealth Freedom of Information Act 1982 or Subpoenas arising from actions taken by individuals or groups as a result of this report will be passed on to your organisation.

No responsibility to any third party is accepted as the report has not been prepared, and is not intended, for any other purpose.

| Contact Persons | Telephone Number | Title |
|---|---|---|
| Shane Boyd | 9261 9107 | Director |
| Ian Melville | 0418969060 | Senior Business Consultant |

DETAILED REPORT

PREPARATION OF THREE YEAR INTERNAL AUDIT PLAN - 1 JULY 2012 TO 30 JUNE 2015

1. HIGH LEVEL RISK REGISTER/ISSUES LOG

EXPLANATORY COMMENTS

As a result of our review of relevant documentation and limited interviews with Council Management, we have identified and recorded in the register attached as Schedule I, a number of significant risks and issues for consideration during our internal audit planning process. This listing of items should not be seen as exhaustive.

By way of explanation, the register provides the following information:

  • risk/issue reference number
  • the nature of the risk or issue identified
  • the functional area to which the item relates
  • general domain to which the item relates
  • a suggested mitigation response including controls already in place
  • an indication as to whether the item has been included in the Draft Strategic Internal Audit Plan.

The first seventeen (17) risks (Risks 1-17) in Schedule I were consolidated into seven (7) groups rated as Moderate. Risks 18-40 have not initially been included in the three-year plan and should be considered for future internal audit reviews.

The register will be provided in soft copy form to the General Manager and can be used in future risk and audit planning activities.


SCHEDULE I - HIGH LEVEL RISK REGISTER/ISSUES LOG

| No | Nature of Issue/Risk Identified | Functional Area | Domain | Current Controls/Suggested Mitigation Response | Rating | Included in Strategic Internal Audit Plan |
|---|---|---|---|---|---|---|
| 1 | Potential for Records information inconsistency; files not retrieved, systems contain incorrect data on applicants and property. | Corporate Services & Community Sustainability | Records Manager | Records Management - registration of all documents, information retrieval and monitoring file movement. Compliance check against State Records Act. | Moderate | Yes |
| 2 | Capture and maintain business records. Potential breaches of State Records Act. | Corporate Services & Community Sustainability | Records Manager | Records management systems, business processes | Moderate | Yes |
| 3 | Fraud and corruption prevention review | Corporate Services & Community Sustainability | Director, Corporate Services & Community Sustainability | Test current policy for assurance as to adequacy of safeguards that are in place and undertake a fraud audit. | Moderate | Yes |
| 4 | Failure of procurement and contract management policies and procedures | Corporate Services & Community Sustainability | Director, Corporate Services & Community Sustainability | Contract administration procedures in place plus authority limits, workflows and approvals | High | Yes |
| 5 | Proper delegations for procurement and contract management | Corporate Services & Community Sustainability | Director, Corporate Services & Community Sustainability | Financial delegations for authorisation of payments need to be current for each responsible officer | High | Yes |
| 6 | Decentralisation of procurement function | Corporate Services & Community Sustainability | Director, Corporate Services & Community Sustainability | Weakening of internal controls through lack of central hub within Council | Moderate | Yes |
| 7 | Undertake a two yearly review of Development Assessment | Environmental Services | Director, Environmental Services | Ensure that the current Development Assessment process is effective and compliant with legislation. | Moderate | Yes |
| 8 | Compliance with the ICAC Development Assessment internal audit tool | Environmental Services | Director, Environmental Services | Benchmark performance the ratings provided in the ICAC Internal Audit tool | Moderate | Yes |
| 9 | Evaluate S94 Developer Contributions including use of Planning Agreements | Environmental Services | Director, Environmental Services | Review S94 Plan and determine cost benefit for determining when to and where to use using either S94 or S94A contributions plans. | Moderate | Yes |
| 10 | The Register of Developer Contribution Plans should separate contributions from S94 and S64 of the Acts. | Environmental Services | Director, Environmental Services | Ensure transparency and compliance of transactions | Moderate | Yes |
| 11 | Centralise the responsibility for both S64 and S94 to a responsible officer. | Environmental Services | Director, Environmental Services | One officer should have final responsibility for the monitoring of receipts and payments and compliance with the plans. | Moderate | Yes |
| 12 | Development Servicing Plans for levying developers under S64/S94 are not adequate | Engineering Services/Environmental Services | | All S64/S94 plans in place. Review plans, income and expenditure to programs. | Moderate | Yes |
| 13 | Compliance with all legislation and Regulatory responsibilities | Corporate Services & Community Sustainability | Director, Corporate Services & Community Sustainability | Develop or review the Legislative and Regulatory Compliance Register and identify responsibilities for all staff positions to comply. | Moderate | Yes |
| 14 | Non compliance with industrial relations legislation | Corporate Services & Community Sustainability | Manager HR | Policy and procedures, legislation, workflows | Moderate | Yes |
| 15 | Asset Management sustainable life cycle funding not sufficient for future asset renewal | Corporate Services & Community Sustainability | Director, Corporate Services & Community Sustainability | Review the effectiveness between asset management strategy and financial system | Moderate | Yes |
| 16 | Road maintenance and bridge replacement budgetary funding is inadequate to meet future needs. | Corporate Services & Community Sustainability | Director, Corporate Services & Community Sustainability/Manager Assets | Record Infrastructure gaps as deferred liabilities pending resolution of longer term asset strategies. | Moderate | Yes |
| 17 | Review economic sustainability and tourism and visitation strategy | Corporate Services & Community Sustainability | Director, Corporate Services & Community Sustainability | Review/update plan to ensure that key operational strategies are in place to reach pre-determined objectives | Moderate | Yes |
| 18 | Implementation review of IT Strategic Plan for effectiveness and cost strategies | Corporate Services & Community Sustainability | Manager Finance & IT | Health check on the Information Technology Strategic Plan | High | No |
| 19 | Failure to provide secure IT network systems | Corporate Services & Community Sustainability | Manager Finance & IT | Undertake external implementation review of updated system | High | No |
| 20 | Regular updates on technology such as GIS and staff training | Corporate Services & Community Sustainability | Manager Finance & IT | Ensure that staff are suitably trained and operating Best Practice equipment. | Moderate | No |
| 21 | Review the processes for Acquisition and Development within IT management. | Corporate Services & Community Sustainability | Manager Finance & IT | Review the suitability of current procedures to ensure compliance. | Moderate | No |
| 22 | Review of integrated communication devices | Corporate Services & Community Sustainability | Manager Finance & IT | Maximise the use and effectiveness of integrated communication devices | Moderate | No |
| 23 | Evaluate alternatives to the current Enterprise Business Application product Authority | Corporate Services & Community Sustainability | Manager Finance & IT | Provide a second opinion on the availability and cost/benefit of alternate Enterprise Business Application | Moderate | No |
| 24 | Council does not maintain an Enterprise Wide Risk Management System (ERMS) | Corporate Services & Community Sustainability | Manager, Finance & IT | Prepare a customised Register using the identified Risks from this report | Moderate | No |
| 25 | Seek economies of scale savings from sharing resources from partner alliances. | General Manager | ALL | Consider options to share limited staff resources to decrease fixed costs and increase ROI. | Moderate | No |
| 26 | Staff training plan not formalised | Corporate Services & Community Sustainability | Human Resources Manager | Council does not meet its requirements under the LG (State) Award. | Moderate | No |
| 27 | Business Continuity Plan | Manex | All | Review Disaster Recovery Plan/Business Continuity Plan to reflect legislative changes and currency of proposed response strategies. | Moderate | No |
| 28 | Internal controls are not effective | Corporate Services & Community Sustainability | Director, Corporate Services & Community Sustainability | Systems are not in place to report fraudulent or illegal activity | Moderate | No |
| 29 | Failure to provide accurate Payroll and Leave management | Corporate Services & Community Sustainability | Manager Finance & IT | Finance system controls, time sheet approvals | Moderate | No |
| 30 | Ineffective succession planning and knowledge management | Corporate Services & Community Sustainability | Manager HR | Potential loss of corporate knowledge and poor work transition for replacement staff. | Moderate | No |
| 31 | Cash handling | Corporate Services & Community Sustainability | Manager Finance & IT | Procedures in place including cash collection, developer fees and lease payments. | Moderate | No |
| 32 | Properly manage property leasing and rentals | Manex | Corporate | Quarterly reviews | Moderate | No |
| 33 | Water & Sewerage charges not sufficient to provide for full cost recovery | Environmental Services | Director, Environmental Services | Charges reviewed as part of annual Operating plan | Moderate | No |
| 34 | On Site Sewage Management Plans | Environmental Services | Director, Environmental Services | Development of database with risk categorisation; and prioritise the annual inspection program on risk basis. | Moderate | No |
| 35 | Effectiveness of Staff appraisal system | Finance & Corporate Services | Human Resources Manager | Staff pay increase even when ‘failing’ review. Test current system against best industry practice to measure outcomes. | Moderate | No |
| 36 | Non compliance with policies and procedures by staff and/or councillors | Corporate Services & Community Sustainability | ALL | Policies and procedures reviewed on a regular basis. Code of conduct compliance. Separation of policy and operations. | Moderate | No |
| 37 | Management performance not adequately assessed by KPI criteria | Manex | ALL | Development of SMART KPIs that properly measure the staff performance of Managers. | Moderate | No |
| 38 | Infrastructure not meeting technical specifications/standards | Engineering Services | Director, Engineering Services | Supervisory controls in place. | Moderate | No |
| 39 | Economic development, tourism and visitation strategy | Corporate Services & Community Sustainability | Director, Corporate Services & Community Sustainability | Improve future financial sustainability of the Region. | Moderate | No |
| 40 | Environmental risks for landfill - asbestos. | Environmental Services | Director, Environmental Services | Procedures in place and draft waste strategies developed awaiting Council approval. | Moderate | No |

2. PREPARATION OF STRATEGIC INTERNAL AUDIT PLAN

INTRODUCTION

Internal Audit is defined by the Institute of Internal Auditors (IIA) as “an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations.”

To achieve best practice, development of Council’s Strategic Internal Audit Plan should be consistent with both the DLG’s Internal Audit Guidelines (DLG Guidelines) and the IIA Professional Practices Framework (IIA Standards).

The Internal Audit’s Planning Approach should include all of the following areas mentioned in the Guidelines:

  • Reliability and integrity of financial and operational information.
  • Effectiveness and efficiency of operations and resource usage.
  • Safeguarding of assets.
  • Compliance with laws, regulations, policies, procedures, and contracts.
  • Adequacy and effectiveness of the risk management framework.

The Strategic Internal Audit Plan should also be based on the highest identified risk areas and be aligned with Council’s plans and goals. This should result in a risk based internal audit plan that delivers maximum assurance to key stakeholders.

EXPLANATORY COMMENTS

Based on the contents of the preceding risk register/issues log and our discussions with the General Manager and Senior Management, we have prepared a Draft Strategic Internal Audit Plan for your consideration. This is set out in the following Schedule II.

The Plan is presented as a draft, as there may be a need to modify the Plan to reflect possible changes in priorities from a business risk perspective. By necessity, we have not included all audit areas identified on Schedule I. These areas can be carried forward to future audit planning cycles.

The suggested review areas are only briefly described and would be supported by detailed review scopes that would be prepared once the Plan has been approved and as the first planning step for the nominated review area.

We have taken the opportunity, based on our limited knowledge of each review area, to apply a notional risk rating to each item. This can assist with the Management prioritisation process. The scale used is in accordance with the Risk Management Standard ISO 31000 and outlined in the following table.

RISK RATING KEY

| Extreme | Extreme risk, immediate action required. |
| High | High risk, urgent management attention is needed. |
| Moderate | Moderate risk, management responsibility must be specified. |
| Low | Low risk, manage by routine procedures. |

We have consolidated seventeen (17) areas of individual risks included in Schedule I (Risks 1-17) into the seven (7) categories of Moderate risk-based grouped audits as follows.


  • Records Management
  • Fraud and Corruption Prevention Review
  • Procurement, Contracts and Project Management
  • Development Assessment and Contribution Plans
  • Review of compliance with legislation and regulation
  • Asset Management strategies
  • Review of Economic sustainability and tourism strategies


SCHEDULE II – DRAFT TSC STRATEGIC INTERNAL AUDIT PLAN

| NO. | AUDITABLE AREAS | 2013-2014 | 2014-2015 | 2015-2016 | RISK RATING | Schedule 1 cross reference |
|---|---|---|---|---|---|---|
| 1 | Records Management - registration of all documents, information retrieval and monitoring file movement. | | | | Moderate | 1-2 |
| 2 | Fraud and Corruption Prevention policy assessment and audit check. Completed. | | | | Moderate | 3 |
| 3 | Procurement and contract management | | | | Moderate | 4-6 |
| 4 | Development Assessment and Contribution Plans | | | | Moderate | 7-12 |
| 5 | Review the Legislative and Policy Compliance Registers | | | | Moderate | 13-14 |
| 6 | Review of Asset Management strategies and long term financial implications. | | | | Moderate | 15-16 |
| 7 | Review economic sustainability and tourism and visitation strategy | | | | Moderate | 17 |

END OF REPORT