Agenda of Internal Audit Advisory Committee Meeting

CONFLICT OF INTERESTS

What is a “Conflict of Interests” - A conflict of interests can be of two types:

Pecuniary - an interest that a person has in a matter because of a reasonable likelihood or expectation of appreciable financial gain or loss to the person or another person with whom the person is associated.

Non-pecuniary – a private or personal interest that a Council official has that does not amount to a pecuniary interest as defined in the Local Government Act (eg. A friendship, membership of an association, society or trade union or involvement or interest in an activity and may include an interest of a financial nature).

Remoteness – a person does not have a pecuniary interest in a matter if the interest is so remote or insignificant that it could not reasonably be regarded as likely to influence any decision the person might make in relation to a matter or if the interest is of a kind specified in Section 448 of the Local Government Act.

Who has a Pecuniary Interest? - a person has a pecuniary interest in a matter if the pecuniary interest is the interest of the person, or another person with whom the person is associated (see below).

Relatives, Partners - a person is taken to have a pecuniary interest in a matter if:

§ The person’s spouse or de facto partner or a relative of the person has a pecuniary interest in the matter, or

§ The person, or a nominee, partners or employer of the person, is a member of a company or other body that has a pecuniary interest in the matter.

N.B. “Relative”, in relation to a person means any of the following:

(a) the parent, grandparent, brother, sister, uncle, aunt, nephew, niece, lineal descends or adopted child of the person or of the person’s spouse;

(b) the spouse or de facto partners of the person or of a person referred to in paragraph (a)

No Interest in the Matter - however, a person is not taken to have a pecuniary interest in a matter:

§ If the person is unaware of the relevant pecuniary interest of the spouse, de facto partner, relative or company or other body, or

§ Just because the person is a member of, or is employed by, the Council.

§ Just because the person is a member of, or a delegate of the Council to, a company or other body that has a pecuniary interest in the matter provided that the person has no beneficial interest in any shares of the company or body.

Disclosure and participation in meetings

§ A Councillor or a member of a Council Committee who has a pecuniary interest in any matter with which the Council is concerned and who is present at a meeting of the Council or Committee at which the matter is being considered must disclose the nature of the interest to the meeting as soon as practicable.

§ The Councillor or member must not be present at, or in sight of, the meeting of the Council or Committee:

(a) at any time during which the matter is being considered or discussed by the Council or Committee, or

(b) at any time during which the Council or Committee is voting on any question in relation to the matter.

No Knowledge - a person does not breach this Clause if the person did not know and could not reasonably be expected to have known that the matter under consideration at the meeting was a matter in which he or she had a pecuniary interest.

Participation in Meetings Despite Pecuniary Interest (S 452 Act)

A Councillor is not prevented from taking part in the consideration or discussion of, or from voting on, any of the matters/questions detailed in Section 452 of the Local Government Act.

Non-pecuniary Interests - Must be disclosed in meetings.

There are a broad range of options available for managing conflicts & the option chosen will depend on an assessment of the circumstances of the matter, the nature of the interest and the significance of the issue being dealt with. Non-pecuniary conflicts of interests must be dealt with in at least one of the following ways:

§ It may be appropriate that no action be taken where the potential for conflict is minimal. However, Councillors should consider providing an explanation of why they consider a conflict does not exist.

§ Limit involvement if practical (eg. Participate in discussion but not in decision making or vice-versa). Care needs to be taken when exercising this option.

§ Remove the source of the conflict (eg. Relinquishing or divesting the personal interest that creates the conflict)

§ Have no involvement by absenting yourself from and not taking part in any debate or voting on the issue as if the provisions in S451 of the Local Government Act apply (particularly if you have a significant non-pecuniary interest)

RECORDING OF VOTING ON PLANNING MATTERS

Clause 375A of the Local Government Act 1993 – Recording of voting on planning matters

(1) In this section, planning decision means a decision made in the exercise of a function of a council under the Environmental Planning and Assessment Act 1979:

(a) including a decision relating to a development application, an environmental planning instrument, a development control plan or a development contribution plan under that Act, but

(b) not including the making of an order under Division 2A of Part 6 of that Act.

(2) The general manager is required to keep a register containing, for each planning decision made at a meeting of the council or a council committee, the names of the councillors who supported the decision and the names of any councillors who opposed (or are taken to have opposed) the decision.

(3) For the purpose of maintaining the register, a division is required to be called whenever a motion for a planning decision is put at a meeting of the council or a council committee.

(4) Each decision recorded in the register is to be described in the register or identified in a manner that enables the description to be obtained from another publicly available document, and is to include the information required by the regulations.

(5) This section extends to a meeting that is closed to the public.

BYRON SHIRE COUNCIL

Staff Reports - Corporate and Community Services 5.1

Staff Reports - Corporate and Community Services

Report No. 5.1 Internal Audit Report February 2015

Directorate: Corporate and Community Services

Report Author: Mark Arnold, Director Corporate and Community Services

File No: I2015/39

Theme: Corporate Management

General Manager’s Office

Summary:

This report has been prepared to allow the Internal Audit Committee to consider the Internal Audit Report – Audit Committee (February 2015) prepared by the Internal Auditor, Grant Thornton.

RECOMMENDATION:

That the Internal Audit Committee recommend to Council:

That Council receive and note the Internal Audit Report – Audit Committee (February 2015) (#E2015/9105) prepared by the Internal Auditor, Grant Thornton.

Attachments:

1 Confidential - Internal Audit Report February 2015 prepared by Grant Thornton, E2015/9105

Report

This report has been prepared to allow the Internal Audit Committee to consider the Internal Audit Report – Audit Committee (February 2015) prepared by the Internal Auditor, Grant Thornton.

A copy of the Internal Audit Report has been included as Attachment 1 to this report.

The Internal Audit Report has been prepared and it includes an update on the following:

· Status of Agreed Actions from Prior Audits

· Status update on the implementation of agreed actions from previous Internal Audit Review Reports.

The Internal Auditor will be available at the meeting to answer any questions associated with the

Report.

Resolution 14-613

Council at its Ordinary meeting held on 11 December 2014 adopted a Committee Recommendation (Resolution14-613) from the Internal Audit Committee meeting held on 13 November 2014 relating to the Internal Audit Report November 2014.

Resolution 14-613 (in part) is reproduced below:

“2. That the lnternal Audit Committee receive a report on the progress of actions 1 and 2 in Audit Review Report -1.1 lT Security at February meeting.

3. That an lT functional structure be provided to the February 2015 Ordinary meeting.”

In accordance with this Resolution the following update and information is provided.

2. That the Internal Audit Committee receive a report on the progress of actions 1 and 2 in Audit Review Report - 1.1 lT Security at February meeting.

Action 1 – IT Security

The following recommendation was made by the Internal Auditor in respect to this action in the related Internal Audit Review:

“An external and internal penetration test should be considered to be performed based on the risk of an external or internal threat.

Management should consider implementing an Intrusion Detection System (IDS). As an example Snort (http://www.snort.org/) is one of the most widely deployed open source network intrusion prevention and detection system. The IDS logs and alerts should be reviewed on a regular basis.

Management should develop and implement an Incident Response plan. The plan should include the following at minimum:

 Definitions of security issues

 How to report a security issue

 Classification of issues – security vulnerability, security incident or security breach

 Escalation processes

 Incident response checklist “

This Action in the November update was shown as completed due to the development of an alternate solution detailed in the IS Strategic Plan, which at that time was in the process of being prepared by an external consultant.

Manager Business Systems and Technology has provided the following additional comments in support of this approach.

The IS Strategic Planning Process has yielded:

· IT Strategic Plan 2015 – 2019 [E2015/5885]

· Establishment of the IT Steering Committee with agreed Charter [E2015/3147 p.1 – p.7]

· Establishment of an agreed IT Improvement Cycle [E2015/3147 Attachments 1 – 4, p.8 – p.10].

A key Strategic Action related to 1.1 IT Security, referenced in the Strategic Plan is item 9.12 Implement Information Security Management System. This system is based on globally recognised standards such as the AS/NZS ISO/IEC 27000-series. This series provides best practice recommendations on information security management, risks and controls within the context of an overall information security management system (ISMS), similar in design to management systems for quality assurance (the ISO 9000 series).

Through the 2700 series, organisations are encouraged to assess their information security risks, and then implement appropriate information security controls according to their needs, using the guidance and suggestions where relevant. Given the dynamic nature of information security, the ISMS concept incorporates continuous feedback and improvement activities, summarised by Deming's "plan-do-check-act" approach, that seek to address changes in the threats, vulnerabilities or impacts of information security incidents. The series includes ISO/IEC 27039, Intrusion detection and protection systems (IDS) as per the recommendation of the audit committee.

It is recommended that Council consider and assess the implementation of an ISMS / IDS, as per agreed IT Improvement Cycle ([E2015/3147 Attachments 1 – 4, p.8 – p.10]), identified in the IT Strategic Plan on the basis of identified risk, priorities and availability of funding.

Action 2 – IT Strategy

The following recommendation was made by the Internal Auditor in respect to this action in the related Internal Audit Review:

“Management should consider updating the current IT Strategic Plan. The strategy should be consistent with the Council’s corporate and business objectives.

The IT Strategic Plan should schedule specific projects, identify appropriate resources and include budgets.

The objectives of the IT Strategic Plan should be measurable so that management can monitor their achievement. “

This Action in the November update was shown as completed due to the development of the IS Strategic Plan, which at that time was in the process of being completed.

Manager Business Systems and Technology has provided the following additional comments in support of this approach

Current major milestone timeline is:

Stage 1: Project Establishment (Complete)

Stage 2: Consultation and Information Gathering (Complete)

Stage 3: Strategy Development (Complete)

· IT Strategic Plan 2015 – 2019 [E2015/5885]

· Establishment of the IT Steering Committee with agreed Charter [E2015/3147 p.1 – p.7]

· Establishment of an agreed IT Improvement Cycle [E2015/3147 Attachments 1 – 4, p.8 – p.10]

Stage 4: Presentation & Closure (Complete)

· IT Strategic Plan 2015 – 2019 presented to Executive Team by Bruno Matalo Wednesday 17 December 2014 [E2014/84739 - Byron Shire Council - IS Strategy 2014 - Exec Presentation]

· IT Steering Committee Charter agreed 21 January 2015 [E2015/3885 - Executive Team Meeting 21/01/2015]

· IT Steering Committee membership agreed:

	Name	Directorate	Position	Committee Role
1	Mark Arnold	CCS	Director Corporate and Community Services	Chair
2	Shannon Burt	SEE	Director Sustainable Environment & Economy	Member
3	Phil Holloway	IS	Director Infrastructure Services	Member
4	Tony Nash	IS	Manager Works	Member
5	Phil Warner	IS	Manager Assets & Major Projects	Member
6	Shannon McKelvey	OD	Exec Manager Organisation Development	Member
7	Philip Pountney	CCS	Manager Business Systems & Technology	Secretary

· IT Steering Committee meetings scheduled, invitations and agenda sent to committee members:

Date

Wed 25 Feb

Wed 20 May

Wed 19 Aug

Wed 18 Nov

3. That an lT functional structure be provided to the February 2015 Ordinary meeting.

The Manager Business Systems and Technology has prepared a revised IT Functional Structure.

The most significant difference between the traditional and proposed Team structure is the introduction of distinct horizontal differentiation. The clear identification of functional areas within the IT Team coupled with closer ties to organisational Governance will assist with:

- understanding of responsibilities and accountabilities (Support, Infrastructure & Development);

- implementation of IT Service Management methods;

- integration with Governance structures; and

- building capacity and capability where this is required within the IT Department.

The proposed IT Team structure to meet the strategies detailed in the IS Strategic Plan 2015 – 2019 includes three key functional areas:

- Customer Service & Support

- Technology & Infrastructure Management

- Business Systems Management

The diagram below highlights these functional areas with an approximation of service responsibilities.

Functional Areas – Approximate Technical Responsibilities with Touch Points Schematic

Financial Implications

There no financial implications associated with this report.

Statutory and Policy Compliance Implications

The performance of the Internal Audit Services is required to be undertaken in accordance with the terms and conditions of Internal Audit Services Contract 2013-0024. These terms and conditions require consideration of the NSW Department of Premier and Cabinet, Division of Local Government, Internal Audit Guidelines and compliance with the associated professional accounting and audit standards.

BYRON SHIRE COUNCIL

Staff Reports - Corporate and Community Services 5.2

Report No. 5.2 Regulatory Enforcement Review

Directorate: Corporate and Community Services

Report Author: Mark Arnold, Director Corporate and Community Services

File No: I2015/40

Theme: Corporate Management

General Manager’s Office

Summary:

Council’s Internal Auditors, Grant Thornton, undertook a Regulatory Enforcement review during December 2014.

This review was part of the adopted Internal Audit Plan for Council.

The purpose of this report is to table the Internal Audit Report on Regulatory Enforcement – December 2014 for consideration by the Internal Audit Committee. A copy of the report is attached at Attachment 1.

The report includes the findings made by Grant Thornton and responses from Management to the findings.

RECOMMENDATION:

1. That the Internal Audit Report on Regulatory Enforcement – December 2014 be noted by Council, including responses and actions detailed by Management.

2. That Management implement the recommendations suggested in the report identified at Attachment 1 (#E2015/9052).

Attachments:

1 Confidential - Internal Audit Report on Regulatory Enforcement December 2014, E2015/9052

Report

Council’s Internal Auditors, Grant Thornton, undertook a Regulatory Enforcement Review during December 2014. This review was part of the adopted Internal Audit Plan for Council.

The report includes the findings made by Grant Thornton and responses from Management to the findings. The report by Grant Thornton provides an overall rating. The Review was given an overall rating of Needs Improvement (per definition meaning: “Control weaknesses were noted which if not addressed, may result in material exposure”).

Further identified in Internal Audit Report on Regulatory Enforcement – December 2014, were the findings, which have been detailed below, along with the associated rating to identify the significance of each finding.

Detailed Findings

1. Swimming Pools Inspections (Rating: High)

2. Onsite Sewerage Management System Inspections (Rating: Moderate)

3. Food Outlet Register (Rating: Moderate)

4. Actioning CRM Tasks (Rating: Moderate)

5. Council Policy and Procedures (Rating: Low)

In regard to the ratings, to define the significance of each finding identified in the report, the following definitions are provided:

Ratings	Definition
Critical	Issue represents a control weakness, which could cause or is causing severe disruption of the process or severe adverse effect on the ability to achieve process objectives.
High	Issue represents a control weakness, which could have or is having major adverse effect on the ability to achieve process objectives.
Moderate	Issue represents a control weakness, which could have or is having significant adverse effect on the ability to achieve process objectives.
Low	Issue represents a minor control weakness, with minimal but reportable impact on the ability to achieve process objectives.
Performance Improvement	Performance improvements are generally associated with control design. Performance improvement observations do not include control weaknesses and, therefore, are not implicitly internal audit findings.

Financial Implications

It is expected that the actions identified will be implemented with existing budgets or with existing or resources included in the draft 2014/2015 Budget.

Statutory and Policy Compliance Implications

This Review was undertaken in accordance with the adopted Internal Audit Strategy and Audit Plan.

BYRON SHIRE COUNCIL

Staff Reports - Corporate and Community Services 5.3

Report No. 5.3 2013/2014 Financial Statements Audit Management Letter

Directorate: Corporate and Community Services

Report Author: James Brickley, Manager Finance

File No: I2015/60

Theme: Corporate Management

Financial Services

Summary:

Council has received an Audit Management Letter from its external auditors, Thomas Noble and Russell relating to the audit of the 2013/2014 financial statements. The Audit Management Letter details four items for Management to consider and provides recommendations to improve internal controls and systems.

Each of the items raised in the audit management letter subject of this report has been itemised for consideration by the Internal Audit Committee.

RECOMMENDATION:

That the comments provided by Management in response to matters raised in the 2013/2014 Financial Statements Audit Management Letter be noted by Council.

Attachments:

1 Confidential - Final Audit Management Letter relating to 2013/2014 Financial Statements received from Thomas Noble and Russell, E2015/8914

Report

Council has received an Audit Management Letter relating to the audit of the 2013/2014 financial statements by its external auditors, Thomas Noble and Russell. Full details of this letter are contained at Confidential Attachment 1 along with comments provided by Management which have been replicated below in this report for the Internal Audit Advisory Committee to consider.

Resulting from the Audit Management Letter subject of this report, there are four matters where audit findings have been identified. Each matter also contains a recommendation for Management to consider, with a view to improving the internal controls and the documentation which supports the Council’s reported financial statements. Indicated in the table below is a priority/risk matrix developed by Thomas Noble and Russell to express an opinion as to the importance of audit matter findings:

Priority Rating	Impact
(H) High	1. Matters which pose a significant business or financial risk to the entity and should be addressed urgently, and/or 2. Matters that have resulted or could potentially result in a modified or qualified audit opinion if not addressed as a matter of urgency by the entity.
(M) Moderate	1. Matters of a systemic nature that pose a moderate business or financial risk to the entity if not addressed within the current financial year. 2. Matters that may escalate to high risk if not addressed promptly. 3. Low risk matters which have been reported to management in the past but have not been satisfactorily resolved or addressed. 4. Items that have been identified by external audit where material inefficiencies are occurring. 5. Matters where regulatory obligations have been identified that do not pose a material, financial or regulation risk to the entity, and/or 6. Matters where there is a scope for fraud and corruption without address by management.
(L) Low	1. Matters that are isolated, non-systemic or procedural in nature, and/or 2. Matters that reflect relatively minor administrative shortcomings and could be addressed in the context of the entity’s overall control environment.

Provided in the table below is a summary of the four matters raised subject to audit findings relating to the 2013/2014 financial statements. A further column is provided against each matter identifying the priority/risk referred to in the table above, assigned to the audit matter finding by Thomas Noble and Russell:

Audit Matter Finding	Risk Rating
Item 2.1 Submission of Crown Land Reporting	M5
Item 3.1 Calculation Errors within the Accounting Asset Registers	L1
Item 4.1 Provision for Long Service Leave Entitlements	L1
Item 5.1 Lack of Supporting Documentation	L1

Management have considered the Audit Management Letter related to the audit of the 2013/2014 financial statements and in respect of the four audit matter findings, offers the following responses to the recommendations provided. It is suggested these will be the basis of responses and have been inserted into the Management Letter to Thomas Noble and Russell as detailed at Confidential Attachment 1:

Item 2.1	Submission of Crown Land Reporting (2013 Repeat Matter)
Risk Rating	M5– Moderate. Matters where regulatory obligations have been identified that do not pose a material, financial or regulatory risk to the entity.
Audit Recommendation	We recommend Council ensure all outstanding yearly reporting to the NSW Department of Trade & Investment – Crown Lands is completed as soon as practicable and ensure that future Crown Land reporting is completed within the required timeframe.
Management Response:	Council is responsible for twenty one different Crown Reserve Trusts. The Crown reporting to the Department of Trade and Investment requires reporting information of a financial matter which is one item of sixteen items that needs to be included into the return submitted for each Reserve Trust. To date the asset information for each Reserve Trust has been compiled for each financial year from 2009/2020 to 2013/2014. Other financial information concerning revenue, expenses and liabilities is still being compiled as Council’s general ledger was for the periods not designed for Crown reporting but is designed for Council financial reporting. It is expected that the Crown reporting will be lodged by 30 June 2015 for the period 2009/2010 to 2013/2014. This time is required given other commitments such as the Fit for the Future response also required by the NSW Government by 30 June 2015 and which will include a significant review of the Long Term Financial Plan.

Item 3.1	Calculation Errors within the Accounting Asset Registers
Risk Rating	L1 – Low, Matters that are isolated, non-systemic or procedural in nature.
Audit Recommendation	We understand that Council is expected to implement enhanced asset management software for in the medium-term that may reduce or eliminate the use of complex spreadsheets. However, as an interim measure, we recommend Council consider the following to reduce the risk of spreadsheet calculation errors: 1) Establishing procedures for checking data including manual testing on a sample basis and built-in checks within spreadsheets; 2) Utilising the locking function in Excel to lock cells which contain formulas to ensure data is not accidentally amended; and 3) Document testing performed for review by Senior Management and the External Auditor.
Management Response:	The adjustment required to building depreciation was $545,200 or 3.7% of overall Council’s incurred depreciation expense for 2013/2014. The recommendations outlined above will be incorporated into Council’s financial statement preparation for the 2014/2015 financial year.

Item 4.1	Provision for Long Service Leave Entitlements
Risk Rating	L1 – Low, Matters that are isolated, non-systemic or procedural in nature.
Audit Recommendation	We recommend Council’s calculation for the provision for long service leave entitlements be discounted where leave balances are not expected to be wholly settled after the end of the annual reporting period.
Management Response:	It is the view of the Manager Finance that the accounting standard for the disclosure of long service leave is flawed in that it potentially allows Council and all reporting entitles to disclose a lower liability then that calculated using nominal values which is the true value at balance date. By virtue of the word discount it means less so the figures currently disclosed in Council’s financial reports are viewed as more representative to the real liability. Council’s liability for long service leave has been reported at nominal values for the last four financial years and has not in any financial year been materially different to the calculation using the discount methodology. However, given this request the liability will be recalculated using the discount methodology which is based on estimated assumptions which may allow Council to report a lesser liability but ultimately it won’t be the correct liability in real nominal terms for the 2014/2015 financial year as it will be discounted.

Item 5.1	Lack of Supporting Documentation
Risk Rating	L1 – Low, Matters that are isolated, non-systemic or procedural in nature.
Audit Recommendation	We recommend Council elevate the priority status of this issue with Civica in order to have the matter rectified as soon as possible.
Management Response:	Ledger account 5101.204 does not only account for GST transactions associated with purchase orders. It holds all GST transactions whether it is GST collected from a receipt for a GST input tax credit from a purchase. At this stage Council is unable to produce a report from Authority that verifies the balance of this account. Before the end of the 2014/2015 financial year, Council will be upgrading to version 6.10 of Authority from the current version 6.5. Reporting of this matter may be addressed in the new version of the software. Council will also contact Ballina and Lismore Councils whom are Authority users to confirm how they perform such a reconciliation given it is assumed they would have the same requirement. It is hoped that a solution to this matter will be in hand by the time the 2014/2015 financial year audit is conducted.

Financial Implications

None associated with this report. It is expected the adoption of the recommendations suggested in this report and their implementation would be met from existing budget allocations.

Statutory and Policy Compliance Implications

In regard to keeping accounting records, Section 412 of the Local Government Act 1993 requires Council to do the following:

(1) A council must keep such accounting records as are necessary to correctly record and explain its financial transactions and its financial position.

(2) In particular, a council must keep its accounting records in a manner and form that facilitate:

(a) the preparation of financial reports that present fairly its financial position and the results of its operations, and

(b) the convenient and proper auditing of those reports.

The issue of an Audit Management Letter provides an independent view on the controls and systems in place surrounding Council’s accounting records.

Venue	Conference Room, Station Street, Mullumbimby
Date	Thursday, 19 February 2015
Time	11.00am