Response to Report on Local Government 2017 - new risk management and internal audit framework for NSW councils
Report on Local Government 2017 Auditor-General’s findings:
- Out of a combined 128 councils and 10 county councils:
  - 85 councils (57%) have an Audit, Risk and Improvement Committee (ARIC)
  - 53 do not
- Broken down by location:
  - 32 metro councils have an ARIC - 2 (6%) do not
  - 29 regional councils have an ARIC - 8 (22%) do not
  - 23 rural councils have an ARIC - 34 (60%) do not
  - 1 county council has an ARIC - 9 (90%) do not
- Risk management frameworks (if present) were outdated
- Significant risks were not being managed properly
- 55% of ARICs were not reviewing council’s financial statements

Report on Local Government 2017 Auditor-General’s recommendations:
- OLG mandate internal audit in councils
- OLG update the 2010 Internal Audit Guidelines
- ARICs review the financial statements of councils
- All councils implement a risk management framework
- If a council already has a risk management framework, ensure it includes IT
- Councils early adopt the requirement in s 428A of the Local Government Act to establish an ARIC*

* not required by the LG Act until March 2021 at the earliest

Current status
- OLG is currently finalising a discussion paper proposing a mandatory risk management and internal audit framework
- Being developed in close consultation with:
  - NSW Treasury
  - Department of Finance, Services & Innovation (DFSI)
  - Institute of Internal Auditors (IIA)
  - NSW Audit Office
  - Local Government Internal Audit Network Executive

Regulatory framework based on:
- Existing 2010 Internal Audit Guidelines
- NSW public sector model (TPP 15-03)
- International Professional Practices Framework by the Institute of Internal Auditors (international standards)
- Auditor-General’s recommendation
- ICAC recommendations – Botany Bay and Burwood Council inquiries
- 2013 Local Government Act review
- 2013 Independent Local Government Review Panel Inquiry recommendations
- Unique structure and needs of NSW local government
- Minimising resourcing requirements

Proposed statutory framework
1st layer - existing legislation
- s 8 guiding principles (already commenced):
  - value for money (s 8A)
  - sound financial management (s 8B)
  - sound policies, processes and funding decisions (s 8B)
  - proactive and effective risk management (s 8B and s 8C)
- s 428A each council must have an ARIC (from March 2021 at the earliest)
- s 428B councils can share ARICs

Proposed statutory framework
2nd layer - proposed new regulations
- Will set minimum requirements for ARICs
- Will require councils to have a risk management framework and supporting controls and describe core statutory requirements
- Will require councils to establish an internal audit function and describe core statutory requirements
3rd layer - proposed new statutory guidelines
- Will replace the 2010 Internal Audit Guidelines
- Will provide further practical details and assistance on each of the core statutory requirements for councils

Audit, Risk and Improvement Committees
- Governed by terms of reference
- Supported by secretariat provided by council
- Role and functions:
  - Provides overall direction for internal audit activities
  - Reviews and advises council on all the matters in s 428A:
    - legal compliance
    - risk management
    - internal audit activities
    - fraud and corruption prevention
    - financial management, reports, position and performance
    - external audit
    - service delivery
    - implementation of IP&R plans

Audit, Risk and Improvement Committees
- Membership:
  - 3-5 members
  - Independent of council and meet DFSI prequalification scheme requirements
  - Knowledge, skills and experience requirements
  - Members will have direct and unrestricted access to the general manager, senior managers and council information to fulfil their role
- Meetings:
  - Quarterly meetings, plus extra if required
  - Members can request anyone to attend to provide information
  - General manager, Chief Audit Executive and external auditor attend but have no voting rights

Risk management framework
Key requirements:
- Must comply with Australian and New Zealand ISO risk management standards
- General manager has overall responsibility but can delegate to a senior management group
- Risk Management Coordinator appointed to oversee day-to-day activities and provide specialist skills
- Quarterly monitoring and review of risks
- Annual self-assessment of risk management framework
- ARIC and internal audit function provide independent assurance of risk management activities
- Annual attestation certificate indicating compliance

Internal audit function
Key requirements:
- Independent of council – reports functionally to the ARIC and administratively to the general manager
- Sits within council but is functionally independent, reviewing day-to-day council operations
- Governed by an Internal Audit Charter
- Must be sufficiently resourced
- Complies with international internal audit standards

Internal audit function
- Led by Chief Audit Executive:
  - Manages day-to-day internal audit activities
  - Advises on internal audit findings
  - Supports and advises ARIC
  - Appoints and oversees internal audit personnel (if required)
  - Ensures internal audit activities meet regulatory requirements
  - Must meet independence and knowledge/skills requirements
  - Has unrestricted access to general manager, senior managers and ARIC
- Governed by work plans:
  - Four-year strategic plan
  - Annual work plan

Internal audit function
- Performing internal audits:
  - Undertaken in accordance with council policies and procedures based on international standards
  - Findings reported to Chief Audit Executive, ARIC and governing body
  - Implementation of corrective actions monitored by Chief Audit Executive and reported to ARIC
- Quality assurance program:
  - Assesses performance of the ARIC and internal audit function
  - Annual review and four-year external review
- General manager publishes annual attestation certificate indicating regulatory compliance

Internal audit function
Shared arrangements:
- Shared arrangements will be encouraged:
  - independent sharing arrangement arranged by councils
  - sharing arrangement through JO or ROC
- Councils must share whole IA function (i.e. ARIC, CAE, IA personnel, secretariat)
- IA function operates as individual resource for each council
- GM of each council must sign ‘Shared Internal Audit Agreement’ which outlines agreed arrangements

Next steps
- Discussion paper will be released some time in the future
- Get involved and have your say!