Notice of Meeting

Audit, Risk and Improvement Committee Meeting

An Audit, Risk and Improvement Committee Meeting of Byron Shire Council will be held as follows:

Venue: Conference Room, Station Street, Mullumbimby

Date: Tuesday, 18 February 2025

Time: 9:30 AM
Esmeralda Davis

Director Corporate and Community Services

I2025/91

Distributed 04/02/25


CONFLICT OF INTERESTS

What is a “Conflict of Interests” - A conflict of interests can be of two types:

Pecuniary - an interest that a person has in a matter because of a reasonable likelihood or expectation of appreciable financial gain or loss to the person or another person with whom the person is associated.

Non-pecuniary – a private or personal interest that a Council official has that does not amount to a pecuniary interest as defined in the Code of Conduct for Councillors (e.g. a friendship, membership of an association, society or trade union, or involvement or interest in an activity; it may include an interest of a financial nature).

Remoteness – a person does not have a pecuniary interest in a matter if the interest is so remote or insignificant that it could not reasonably be regarded as likely to influence any decision the person might make in relation to a matter or if the interest is of a kind specified in the Code of Conduct for Councillors.

Who has a Pecuniary Interest? - a person has a pecuniary interest in a matter if the pecuniary interest is the interest of the person, or another person with whom the person is associated (see below).

Relatives, Partners - a person is taken to have a pecuniary interest in a matter if:

· The person’s spouse or de facto partner or a relative of the person has a pecuniary interest in the matter, or

· The person, or a nominee, partner or employer of the person, is a member of a company or other body that has a pecuniary interest in the matter.

N.B. “Relative”, in relation to a person, means any of the following:

(a) the parent, grandparent, brother, sister, uncle, aunt, nephew, niece, lineal descendant or adopted child of the person or of the person’s spouse;

(b) the spouse or de facto partner of the person or of a person referred to in paragraph (a).

No Interest in the Matter - however, a person is not taken to have a pecuniary interest in a matter:

· If the person is unaware of the relevant pecuniary interest of the spouse, de facto partner, relative or company or other body, or

· Just because the person is a member of, or is employed by, the Council, or

· Just because the person is a member of, or a delegate of the Council to, a company or other body that has a pecuniary interest in the matter, provided that the person has no beneficial interest in any shares of the company or body.

Disclosure and participation in meetings

· A Councillor or a member of a Council Committee who has a pecuniary interest in any matter with which the Council is concerned and who is present at a meeting of the Council or Committee at which the matter is being considered must disclose the nature of the interest to the meeting as soon as practicable.

· The Councillor or member must not be present at, or in sight of, the meeting of the Council or Committee:

(a) at any time during which the matter is being considered or discussed by the Council or Committee, or

(b) at any time during which the Council or Committee is voting on any question in relation to the matter.

No Knowledge - a person does not breach this Clause if the person did not know and could not reasonably be expected to have known that the matter under consideration at the meeting was a matter in which he or she had a pecuniary interest.

Non-pecuniary Interests - Must be disclosed in meetings.

There is a broad range of options available for managing conflicts, and the option chosen will depend on an assessment of the circumstances of the matter, the nature of the interest and the significance of the issue being dealt with. Non-pecuniary conflicts of interests must be dealt with in at least one of the following ways:

· It may be appropriate that no action be taken where the potential for conflict is minimal. However, Councillors should consider providing an explanation of why they consider a conflict does not exist.

· Limit involvement if practical (e.g. participate in discussion but not in decision making, or vice-versa). Care needs to be taken when exercising this option.

· Remove the source of the conflict (e.g. relinquishing or divesting the personal interest that creates the conflict).

· Have no involvement by absenting yourself from, and not taking part in, any debate or voting on the issue as per the provisions in the Code of Conduct (particularly if you have a significant non-pecuniary interest).

Committee members are reminded that they should declare and manage all conflicts of interest in respect of any matter on this Agenda, in accordance with the Code of Conduct.

RECORDING OF VOTING ON PLANNING MATTERS

Clause 375A of the Local Government Act 1993 – Recording of voting on planning matters

(1)  In this section, planning decision means a decision made in the exercise of a function of a council under the Environmental Planning and Assessment Act 1979:

(a)  including a decision relating to a development application, an environmental planning instrument, a development control plan or a development contribution plan under that Act, but

(b)  not including the making of an order under that Act.

(2)  The general manager is required to keep a register containing, for each planning decision made at a meeting of the council or a council committee, the names of the councillors who supported the decision and the names of any councillors who opposed (or are taken to have opposed) the decision.

(3)  For the purpose of maintaining the register, a division is required to be called whenever a motion for a planning decision is put at a meeting of the council or a council committee.

(4)  Each decision recorded in the register is to be described in the register or identified in a manner that enables the description to be obtained from another publicly available document and is to include the information required by the regulations.

(5)  This section extends to a meeting that is closed to the public.

OATH AND AFFIRMATION FOR COUNCILLORS

Councillors are reminded of the oath of office or affirmation of office made at or before their first meeting of the council in accordance with Clause 233A of the Local Government Act 1993. This includes undertaking the duties of the office of councillor in the best interests of the people of Byron Shire and the Byron Shire Council and faithfully and impartially carrying out the functions, powers, authorities and discretions vested under the Act or any other Act to the best of one’s ability and judgment.

BYRON SHIRE COUNCIL

BUSINESS OF MEETING

1. Apologies

2. Declarations of Interest – Pecuniary and Non-Pecuniary

3. Minutes from Previous Meetings

3.1 Minutes of the Audit, Risk and Improvement Committee Meeting held 25 November 2024

3.2 Business Arising from meeting held on 25 November 2024

4. Staff Reports

Corporate and Community Services

4.1 Risk Management Improvement Plan 2025 - 2026 & Quarter 2 Risk Report 2024-2025

5. Confidential Reports

Corporate and Community Services

5.1 Confidential - Internal Audit Report Quarter 2 2024-2025 including Water and Sewer Utilities Management Review

5.2 Confidential - 2024 Year End Management Letter

5.3 Confidential - Section 355 Strategic Change Project

6. Late Reports

7. For Information Only

7.1 Confidential - Cyber Security and System Outages Quarterly Update

7.2 Presentation and tour of Byron Bay projects


Minutes from Previous Meetings

Report No. 3.1 Minutes of the Audit, Risk and Improvement Committee Meeting held 25 November 2024

Directorate: Corporate and Community Services

File No: I2024/1668

RECOMMENDATION:

That the minutes of the Audit, Risk and Improvement Committee Meeting held on 25 November 2024 be confirmed.

Attachments:

1 Minutes 25/11/2024 Audit, Risk and Improvement Committee, I2024/1543


Report

The attachment to this report provides the minutes of the Audit, Risk and Improvement Committee Meeting of 25 November 2024.

Report to Council

The minutes of the 25 November 2024 meeting will be reported to Council on 27 February 2025.

Report No. 3.2 Business Arising from meeting held on 25 November 2024

File No: I2025/13

Business Arising from previous meeting held on 25 November 2024:

Subject 1: Management to advise what contractual arrangements are in place with third party suppliers providing assurance over IT security and privacy/confidentiality.

Management Response: The procurement process includes a mandatory step to complete a cyber security assessment for contracts where sensitive Council data is handled by an external party (Cyber Security Vendor Checklist, E2024/95158).

Whilst contracted suppliers who handle sensitive Council data are periodically reviewed for their cyber controls, there is no formal process defined as part of a contract management activity. The standard contract templates also do not explicitly define the ownership of data when managed by the supplier on behalf of Council.

An improvement activity has been initiated to uplift the security of Council data held by third parties. Specifically, the following actions will be undertaken:

· Contract templates will be updated to include reference to responsibility for data management, ownership and right to access for Council data managed by third parties.

· A new “Cyber Vendor Assurance” report template will be developed for use in the contract management activity. Suppliers handling sensitive Council data will have to demonstrate compliance with data security standards which support Council’s statutory and legislative obligations.

These improvements are planned for completion by April 2025.

Subject 2: Consider how recommendations from these Cyber Reports may be captured and reported to the Executive Team and the Audit, Risk and Improvement Committee in a similar manner to internal audit recommendations tracking.

Management Response: Cyber vulnerability assessment reports from the State and Federal Government are currently included as attachments to the ARIC Cyber Security Information Report. Rather than present this raw information, a consolidated summary of identified risks with remediation plans and progress status will be presented. This summary will also include a listing of any other active high-risk cyber issues and related improvement activities. The same format will be presented to the IT Steering Committee.

The new reporting format will be presented at the next ARIC meeting.


Staff Reports - Corporate and Community Services

Report No. 4.1 Risk Management Improvement Plan 2025 - 2026 & Quarter 2 Risk Report 2024-2025

Directorate: Corporate and Community Services

Report Author: Amber Watt, Strategic Risk Coordinator

File No: I2025/69
Summary:

This report presents:

· An overview of the current state of risk management practices at Council against the requirements of the revised OLG Guidelines for Risk Management and Internal Audit.

· The proposed Risk Management Improvement Plan 2025 – 2026, endorsed by the Executive Team on 29 January 2025 (Attachment 1).

· An outline of the action updates of the Strategic and Operational risks in Quarter 2 2024 – 2025 (Attachment 2).

RECOMMENDATION:

That the Audit, Risk and Improvement Committee:

1. Endorses the Risk Management and Improvement Plan 2025 – 2026; and

2. Notes the updates to the status of Strategic and Operational risks.

Attachments:

1 Byron Shire Council Risk Management Improvement Plan 2025 - 2026, E2025/8700

2 Quarter 2 Risk Update 2024 - 2025, E2025/10172

Report

This report evaluates the current state of risk management practices at Council against the requirements of the revised OLG Guidelines for Risk Management and Internal Audit. The updated guidelines were designed to address the growing complexity of risks faced by local government, as well as increasing regulatory demands and expectations for effective risk management.

Council’s enterprise risk management framework provides a strong foundation, and the focus now is on ensuring that risk management is fully integrated into decision-making and operations.

The following report provides details of a proposed risk management improvement plan (Attachment 1) that reflects a best practice approach to risk management, aids in developing a positive risk culture and ensures risk is considered as an integral part of all Council management, operations, functions, and activities.

Current situation:

Council has an Enterprise Risk Management Framework (ERMF) aligned with AS ISO 31000:2018. Details of this framework and progress made in meeting the requirements of the guidelines were reported to the ARIC at the 25 November meeting last year.

Despite the development of the ERMF and access to relevant documents, templates, training and risk resources, stakeholder engagement has been limited. It is acknowledged that risk management is being undertaken already within day-to-day operations, but individual responsibilities and accountabilities need to be improved to effectively manage the risks facing Council.

Quarterly risk register updates and risk initiative reports to the Executive Team offer a snapshot of the existing risk landscape. However, this approach does not fully leverage the strategic and operational leadership needed to ensure Council is meeting its objectives and obligations to the community.

Meeting the requirements:

In October 2024, Council completed a self-assessment against the OLG guidelines through Statewide Mutual, scoring 71.34%. While the framework and tools are in place to effectively manage risk, how well these practices are embedded across the organisation requires attention. This applies specifically to the guideline that “the risk management process should be an integral part of management and decision-making and integrated into the structure, operations, and processes of the organisation”.

Commencing with the 2024-2025 Annual Report, Council’s General Manager will be required to publish an attestation statement indicating whether Council’s risk management framework complies with the prescribed requirements. This requirement is informed by an annual self-assessment conducted by the Strategic Risk Coordinator. It is proposed that the attached improvement plan will provide the necessary information required to demonstrate compliance or the work being undertaken to meet the requirements.

Strategic Considerations

Community Strategic Plan and Operational Plan

CSP Objective 1: Effective Leadership

CSP Strategy 1.1: Enhance trust and accountability through open and transparent leadership

DP Action 1.1.5: Risk Management - Recognise risks and manage them proactively

Code: 1.1.5.1

OP Activity: Embed Council's Enterprise Risk Management Framework to support staff in the identification and management of risks and to drive a successful risk culture

Alignment with ARIC Responsibilities

This report has been prepared to support the committee in fulfilling the following responsibilities as set out in the ARIC Constitution:

5.2. Risk Management

a) Review whether management has in place a risk management framework that complies with current Australian risk management standards.

b) Review whether the risk management framework operates effectively and supports the achievement of Council’s strategic goals and objectives.

c) Review whether management has integrated risk management into decision making processes and operations.

d) Review whether management has taken steps to embed a positive risk management culture.

e) Consider the adequacy of resources provided for risk management and whether employees are able to carry out their risk management responsibilities.

Consultation and Engagement

Risk owners, control owners, mitigating action owners.

Confidential Reports - Corporate and Community Services

Report No. 5.1 Confidential - Internal Audit Report Quarter 2 2024-2025 including Water and Sewer Utilities Management Review

Directorate: Corporate and Community Services

Report Author: Amber Watt, Strategic Risk Coordinator

File No: I2025/53

Summary:

This report presents:

· The Internal Audit Recommendations Status Report for Quarter 2 2024-2025 (Attachment 1).

· The Water & Sewerage Utilities Management Audit Report (Attachment 2). The report documents an overall risk rating of “High”.

· Suggestions from Centium regarding future reporting of quarterly internal audit recommendations (Attachment 3).


RECOMMENDATION:

1. That pursuant to Section 10A(2)(d)i of the Local Government Act, 1993, Council resolves to move into Confidential Session to discuss the report Internal Audit Report Quarter 2 2024-2025.

2. That the reasons for closing the meeting to the public to consider this item be that the report contains:

a) commercial information of a confidential nature that would, if disclosed, prejudice the commercial position of the person who supplied it

3. That on balance it is considered that receipt and discussion of the matter in open Council would be contrary to the public interest, as:

the nature and content of internal audit is for operational purposes.

Attachments:

1 Confidential - Internal Audit Recommendations Q2 2024-2025, E2025/1473

2 Confidential - Water and Sewerage Utilities Management Internal Audit Report, E2025/6832

3 Centium - Example of ARIC Report for Byron Shire Council, E2025/9935

Report No. 5.2 Confidential - 2024 Year End Management Letter

Directorate: Corporate and Community Services

Report Author: James Brickley, Manager Finance

File No: I2025/93

Summary:

Council has received the 2024 Year End Audit Management Letter from the External Auditor, the Audit Office of NSW, relating to the 2023/2024 financial year audit. The Year End Audit Management Letter details three new items for management to consider and provides recommendations to improve internal controls and financial reporting processes.

Each of the audit matters raised in the 2024 Year End Audit Management Letter has been identified in this report for consideration by Council and the Audit, Risk and Improvement Committee.

RECOMMENDATION:

1. That pursuant to Section 10A(2)(f) of the Local Government Act, 1993, Council resolves to move into Confidential Session to discuss the report 2024 Year End Management Letter.

2. That the reasons for closing the meeting to the public to consider this item be that the report contains:

a) matters affecting the security of the council, councillors, council staff or council property

3. That on balance it is considered that receipt and discussion of the matter in open Council would be contrary to the public interest, as:

the nature and content of audit reports is for operational purposes and the report details information about Council systems, controls and processes.

Attachments:

1 Confidential - 2024 Year End Audit Management Letter from Audit Office of NSW, E2025/12451

Report No. 5.3 Confidential - Section 355 Strategic Change Project

Directorate: Corporate and Community Services

Report Author: Geeta Cheema, Manager Social & Cultural Planning

File No: I2025/9

Summary:

In May 2023, a service review (E2023/106222) found that the Section 355 model of governance for community facilities is no longer sustainable. At its 16 November 2023 meeting (I2023/1646), ARIC noted the service review and provided support for a change process to resolve risks. 

The purpose of this report is to present the Section 355 Current State Analysis (E2024/99305) and to discuss the next steps of the Strategic Change Project.

RECOMMENDATION:

1. That pursuant to Section 10A(2)(f) of the Local Government Act, 1993, Council resolves to move into Confidential Session to discuss the report Section 355 Strategic Change Project.

2. That the reasons for closing the meeting to the public to consider this item be that the report contains:

a) matters affecting the security of the council, councillors, council staff or council property

3. That on balance it is considered that receipt and discussion of the matter in open Council would be contrary to the public interest, as:

the report contains information about risks and risk management of a council service.

Attachments:

1 Confidential - Section 355 Committees Service Review Grant Thornton, E2023/106222

2 Confidential - Current State Analysis - Section 355 Strategic Change Project, E2024/99305

For Information Only

Report No. 7.1 Confidential - Cyber Security and System Outages Quarterly Update

Directorate: Corporate and Community Services

Report Author: Colin Baker, Manager Business Systems and Technology

File No: I2025/8

Summary:

This report provides a summary of cyber security activities and online service outages for the reporting period 1 October 2024 to 31 December 2024.

Cyber improvement activities and regular vulnerability scanning of external facing systems are ongoing. A highlight for this period was the progress made on project activities. The latest vulnerability scan rated Council as having “a robust security posture and good attack surface management”.

One cyber security incident occurred during the reporting period. A data breach resulted from a staff error when publishing a confidential attachment contained in a public council report. Personally identifiable information of 31 people was incorrectly exposed to the public for a period of 2 days.

There were no significant online service outages in the reporting period.

Report No. 7.2 Presentation and tour of Byron Bay projects

Directorate: Infrastructure Services

Report Author: Christopher Soulsby, A/ Manager Assets & Major Projects

File No: I2025/10

Summary:

The purpose of this report is to provide information to the committee on the Byron Bay Drainage project prior to a site inspection. This is the largest package of capital works undertaken by Council and it is important that the ARIC understands our project management systems and processes.

Report

The Byron Bay Drainage project will implement the preferred Byron Drainage Strategy. This is a series of works that aims to reduce the risk of flooding in the town centre and near Cowper and Shirley Street.  The preferred strategy is identified in the 2015 Belongil Creek Floodplain Management Plan.

Sandhills Wetlands is the first stage of the Byron Bay Drainage Project.

The design includes approximately 1.8 hectares of wetland and includes:

· Three interconnected wetlands, including open water zones that can manage stormwater and improve water quality.

· A network of shared paths, providing access through, and around, the wetlands.

· Seating along the paths.

The aim is to:

· Create nature-based recreation and cultural education activities.

· Encourage community use of the space.

· Improve access between key sites in Byron Bay and discourage anti-social behaviour in the space.

Once established, the proposed stormwater management system is expected to improve the water quality at:

· Clarkes Beach

· Belongil Creek

· Cumbebin Swamp.

It will also help manage stormwater and flooding in the town centre by adding significant flood storage.

The purpose of the site visit is to give ARIC an introduction to the project management framework and how we manage the following matters:

· WHS registers and procedures

· Materials tracking register

· Aboriginal Cultural Heritage

· Acid sulphate soils

· Dewatering

· Clean water diversion and erosion and sedimentation control

· Construction methodology

· EIS Compliance register

· Variations Register

· Weekly contractors report

· Monthly Project Control Group Meeting (Internal)

· Project updates to Reconstruction Authority

Strategic Considerations

Community Strategic Plan and Operational Plan

CSP Objective 5: Connected Infrastructure

CSP Strategy 5.4: Provide accessible community facilities and open spaces

DP Action 5.4.2: Parks and open spaces - Provide and maintain active and passive recreational community space that is accessible and inclusive for all

Code: 5.4.2.12

OP Activity: Sandhills Wetland Project construction

Alignment with ARIC Responsibilities

This report has been prepared to support the committee in fulfilling the following responsibilities as set out in the ARIC Constitution:

5.1. Compliance

a) Review whether management has in place relevant policies and procedures, and these are periodically reviewed and updated.