Agenda of Risk & Audit Committee - 26 August 2021

1

MEETING NOTICE

A meeting of the Risk & Audit Committee

will be held via audio visual link on Thursday 26 August 2021 at 6.30 pm

AGENDA

1 ACKNOWLEDGEMENT OF COUNTRY

Bayside Council respects the traditional custodians of the land, elders past, present and emerging, on which this meeting takes place, and acknowledges the Gadigal and Bidjigal Clans of the Eora Nation.

2 APOLOGIES

3 DISCLOSURES OF INTEREST

4 MINUTES OF PREVIOUS MEETINGS

4.1 Minutes of the Risk & Audit Committee Meeting - 27 May 2021 .............. 3

5 REPORTS

External Audit (Chief Financial Officer)

5.1 2020/21 End of Year & Audit Progress Update ....................................... 8

Internal Audit (Internal Auditor)

5.2 Re-submission of Internal Audit Charter with recommendations by the Risk & Audit Committee .......................................................................... 9

5.3 Progress Report on Internal Audit Plan 2021 ........................................ 24

5.4 Draft Strategic Five-Year Internal Audit Plan 2021-2026 ....................... 27

5.5 Extension of current Committee term .................................................... 34

Performance Management (Manager BIOD/Manager POC)

5.6 End Project Report: Print & Post ........................................................... 35

5.7 End Project Report: License Plate Recognition Trial ............................. 48

Risk Management (Manager Governance & Risk)

5.8 Strategic Risk Overview ........................................................................ 66

5.9 CONFIDENTIAL - Risk Management - Quarterly Claims and Risk Review.................................................................................................. 71

Quality Management (Chief Financial Officer)

Nil

Legislative Compliance (Manager Governance & Risk)

Nil

Risk & Audit Committee 26/08/2021

2

6 GENERAL BUSINESS

7 NEXT MEETING Meredith Wallace General Manager

Item 4.1 3


Item No 4.1

Subject Minutes of the Risk & Audit Committee Meeting - 27 May 2021

Report by Fausto Sut, Manager Governance & Risk

File SF20/7567

Officer Recommendation That the Minutes of the Risk & Audit Committee meeting held on 27 May 2021 be confirmed as a true record of proceedings.

Present Jennifer Whitten, Independent External Member Lewis Cook, Independent External Member Catriona Barry, Independent External Member Barry Munns, Independent External Member

Also, present Councillor Liz Barlow Meredith Wallace, General Manager Michael Mamo, Director City Performance Fausto Sut, Manager Governance & Risk Matthew Walker, Chief Financial Officer Rodney Sanjivi, Financial Performance Manager Ray D’Angelo, Coordinator Risk Management Umayal Sivanandan, Internal Auditor Joe Cavagnino, Manager Procurement & Fleet Karen Taylor, Audit Director – Audit Office of NSW Ben Thompson – Manager Business Transformation

The Chairperson opened the meeting in the Yarra Conference Room at 6:30pm.

1 Acknowledgement of Country

The Chairperson affirmed that Bayside Council respects the traditional custodians of the land, elders past, present and emerging, on which this meeting takes place, and acknowledges the Gadigal and Bidjigal Clans of the Eora Nation.

2 Apologies

An apology was received from Councillor Scott Morrissey

3 Disclosures of Interest

There were no disclosures of interest.


Item 4.1 4

4 Minutes of Previous Meetings

4.1 Minutes of the Risk & Audit Committee Meeting - 25 February 2021 Committee Recommendation That the Minutes of the Risk & Audit Committee meeting held on 25 February 2021 be confirmed as a true record of proceedings.

Item Action Responsible

Officer

27/02/20 5.3

Internal Audit to ensure that plan activities ranked high risk as part of the development contribution Audit report are monitored as a priority.

Internal Audit

26/11/20 5.9

Review information provided in Risk and Claims report regarding privacy and confidentiality

Manager Governance & Risk

5 Reports

5.1 End Project Report: Online Rate Payments

Committee Recommendation The Risk & Audit Committee notes this report, and the attached End Project Report.

5.2 iCHRIS Data Governance Review

Committee Recommendation The Risk & Audit Committee notes the iCHRIS Data Governance Review attached.

5.3 Planning Agreements Improvement Programme Update

Committee Recommendation The Risk & Audit Committee notes the report.

5.4 Overview of Councils Long Term Financial Sustainability

Committee Recommendation

1 The Risk & Audit Committee receives and notes the report and presentation from the Chief Financial Officer.


Item 4.1 5

2 The Risk & Audit Committee notes the strong financial performance of Council to date consistent with its responsibilities to follow principles of sound financial management including long term financial sustainability.

3 The Risk & Audit Committee, noting the serious challenges facing Bayside Council in terms of its long-term sustainability, strongly recommends to Council that it take timely and effective action to ensure the continuing sound financial performance of Council in line with its responsibilities under the Local Government Act.

5.5 Audit Office of NSW - Procurement Management in Local Government Report - How does Bayside stack up


1 The Risk & Audit Committee receives and notes the findings and actions.

2 The Risk & Audit Committee notes the commitment that the descriptors identified as needing improvement will be actioned by the Manager of Procurement & Fleet.

5.6 Strategic Risk Overview

Committee Recommendation 1 The Risk & Audit Committee notes the Strategic Risk Register.

2 The Risk & Audit Committee recommends that the Strategic Risk Register be reviewed considering the discussion around Council’s financial health.

5.7 Risk Management - Quarterly Claims and Risk Review

Committee Recommendation The report be received and noted.

5.8 Audit Report - Six-monthly Verification of Internal Audit Recommendations


1 The Risk & Audit Committee receives and notes the draft verification of the implementation of audit recommendations report.

2 That the Risk & Audit Committee notes the proposed revised due dates as outlined in the report.


Item 4.1 6

3 That, in relation to the outstanding internal audit recommendations and future audit recommendations, Council consider:

• risk ratings;

• pragmatic completion dates,

• segregation of recommendations into discrete actions for monitoring purposes;

• the level of reporting including percentage completion of an action;

• allowing Managers to accept residual risks where certain actions are not complete and for other compensating or mitigating controls to be established where appropriate.

5.9 Progress Report on Internal Audit Plan 2020/2021

Committee Recommendation The Risk & Audit Committee notes the progress of the 2020/2021 Internal Audit Plan.

5.10 Draft Internal Audit Charter - Bayside Council


1 The Risk & Audit Committee receives and notes the report on the Internal Audit Charter based on the OLG guidelines.

2 The Risk & Audit Committee notes the areas highlighted in yellow in the draft Internal Audit Charter, which are specific to Bayside Council.

3 That the Council review the Internal Audit Charter on receipt of formal comments by the Chair of the Risk & Audit Committee on behalf of the Committee.

5.11 ICAC Operation Dasha (Canterbury Council) - Relevant recommendations relating to Council policies and processes, reviewed against Bayside and actions to consider.


1 The Risk & Audit Committee receives and notes the ICAC report on Canterbury City Council - Allegations concerning former councillors and other public officials (Operation Dasha).

2 The Risk & Audit Committee notes the actions will be voluntarily considered by Council to address the relevant recommendations in the report.


Item 4.1 7

5.12 System Implementation Review Findings - Audit Office of NSW - TechnologyOne CiA Implementation - BaysideEverywhere Project

Committee Recommendation That the Risk & Audit Committee receives and notes the interim findings, recommendations, and related management responses to the TechnologyOne CiA Implementation management letter.

6 General Business

6.1 LGNSW Awards The General Manager informed the Committee that Council has been short listed for three awards to be presented by Local Government NSW being for the TechnologyOne CiA Implementation, Project 2020, and its change management process.

7 Next Meeting

The next meeting will be held in the Yarra Conference Room at 6.30pm on Thursday, 26 August 2021.

The Chairperson closed the meeting at 8:22pm.

Attachments Nil

Item 5.1 8


Item No 5.1

Subject 2020/21 End of Year & Audit Progress Update

Report by Rodney Sanjivi, Financial Performance Manager

File F21/73

Summary The preparation of Council’s General Purpose Financial Statements for the Year ended 30 June 2021 (“the Statements”) are well underway. The Financial Strategy & Reporting Manager (Rodney Sanjivi) will provide the Risk & Audit Committee with a progress update on the preparation of the Statements, including an update on external audit readiness and timelines. The update will also include a focus on the asset capitalisation process which will be presented by the City Infrastructure team.

Officer Recommendation That the Risk & Audit Committee receives and notes this update.

Background Council is preparing its draft General Purpose Financial Statements for the Year ended 30 June 2021 (“the Statements”) in accordance with the Australian Accounting Standards and Australian Accounting Interpretations, the Local Government Act 1993 (NSW) and Regulations, and the Local Government Code of Accounting Practice and Financial Reporting. The Statements will be subject to audit by the NSW Audit Office during September 2021, in accordance with their Client Engagement Plan. Council expects to maintain its an unqualified audit opinion on its financial statements, provided it addresses some key matters and areas of material concern. Council is committed to addressing these so that an unqualified audit opinion is received. The presentation will include the following topics:

1 Key changes to the Local Government Code of Accounting Practice (“the Code”);

2 Key “End of Financial Year” timeline, processes, and key controls;

3 Key areas of focus, including areas of material uncertainty;

4 Areas of key estimates and judgements;

5 Summary of New Accounting Standards;

6 Audit readiness and timeline; and

7 Summary of asset capitalisation process.

Attachments Nil

Item 5.2 9


Item No 5.2

Subject Re-submission of Internal Audit Charter with recommendations by the Risk & Audit Committee

Report by Umayal Sivanandan, Internal Auditor Fausto Sut, Manager Governance & Risk

File SF20/7567

Summary The draft Internal Audit Charter (“Charter”) was previously endorsed by the Executive Committee and presented to the Risk & Audit Committee meeting on 27 May 2021. At the meeting, following discussion, the Risk & Audit Committee decided to note draft Charter and provide formal comments for consideration and report back. The Committee’s comments have been considered and submitted in the revised version of the Charter as attached. There is one significant diversion of views relating to the structure and reporting lines for the internal audit function between Council management and the Committee, which reflects the reporting lines in the Office of Local Government (OLG) draft Guidelines. This issue was discussed at the previous Risk & Audit Committee meeting. The intent of the current Charter is to reflect and document the existing structure and practice. The fundamental discussion is around the existing organisational structural reporting lines, and it has been suggested that the status quo should remain, and the issue revisited on issue of the final Office of Local Government Guidelines. An alternate approach is to leave the matter in abeyance pending the release of the final Guidelines. Council operations will not be impacted other than the lack of a formalised position and operate leaving a recommendation outstanding from the review by Institute of Internal Auditors (IIA). The amended draft Charter is presented to the Risk & Audit Committee for consideration, and if thought fit, approval.

Officer Recommendation

1 That the Committee note the areas highlighted in blue (in red font) in the draft Internal Audit Charter, which are recommended for approval by the Risk & Audit Committee.

2 That the Committee note the table included in the report outlining the recommendations by the Risk & Audit Committee to the Internal Audit Charter and Managements response/comment to each suggested amendment.

3 That the Committee endorses the amended draft Internal Audit Charter attached to this report.


Item 5.2 10

Background In September 2010, the OLG (formerly Division of Local Government) published its Internal Audit Guidelines, which highly recommended that local councils take progressive steps towards incorporating an internal audit function as a mechanism to assist councils to manage risk and improve efficiency and effectiveness and endorsed Internal Audit as an essential component of a good governance framework for all councils. As part of that new direction to establish a formal Internal Audit function for local government, the OLG provided the industry with Draft Internal Audit Guidelines for comment and included a sample Internal Audit Charter which may be utilised by councils to develop their Internal Audit Charter meeting the local environment. In December 2020, an independent review of the Internal Audit function at Council was undertaken as agreed with the Risk & Audit Committee. The review was conducted by the IIA and identified that an Internal Audit Charter had not been developed by Council. The IIA report further illustrated that the lack of an Internal Audit Charter demonstrated non-compliance with the International Standards for the Professional Practice of Internal Auditing Standard 1000 (Purpose, Authority, Responsibility) and Standard 1100 (Independence & Objectivity) and emphasised the significance of establishing an Internal Audit Charter at the earliest. Council and the Risk & Audit Committee were supported the IIA recommendation that an Internal Audit Charter should be developed and established as soon as possible. Council’s approach was to develop a draft Charter taking into account the Standards and Guidelines noted above except that in terms of reporting lines to effectively document current practice and undertake a more in-depth review on issue of the final OLG Guidelines. At the Risk & Audit Committee meeting on 27 May 2021, Council presented the newly developed draft Internal Audit Charter based on the sample Internal Audit Charter provided in the OLG guidelines, incorporating the recommendations and feedback from the IIA. The Committee noted the draft IA Charter and put forward its views and sort a report back. Subsequently, the Committee formalised its comments. The comments made by the Committee have been considered and incorporated in the amended draft Charter. The table below outlines the comments made by the Risk & Audit Committee to the draft Internal Audit Charter and Managements response/ comment to each recommendation. It will be noted that all comments have been incorporated, other than the primary issue of divergence i.e., the reporting lines of the internal audit function. Effectively the Committee prefers the function report direct to the General Manager as per the draft OLG Guidelines rather than the existing administrative reporting line to the Manager Governance & Risk and dotted line reporting to the General Manager and Risk & Audit Committee. Table – Management response to the comments by the Committee

RISK & AUDIT COMMITTEE COMMENTS & RECOMMENDATIONS COUNCIL RESPONSE

Section 1 - Introduction [IA Charter Page number 4]

▪ Head of Internal Audit should be a Chief Internal Auditor

▪ Reporting line should be to Risk &Audit Committee with

an internal reporting line to GM.

This recommendation has not been incorporated to the draft Charter.


Item 5.2 11


▪ Head of Internal Audit should preferably be the

independent position that has operational leadership over the conduct of the Internal Audit Program (not the Manager Risk & Governance)

This recommendation will be considered and addressed following revised ARIC guidelines by OLG. As mentioned previously (please refer summary), the draft Internal Audit Charter refers to current organisational structures and reporting lines, which will be reviewed on release of the revised guidelines by the OLG and formal changes to the Local Government Act expected in the new term of Council.

[NOTE: It is noted that prior to amalgamation, both former Council’s had the internal audit function placed differently within the organisation. Rockdale, who initially had SSROC perform the function part time, had the contract Internal Auditor report direct to the General Manager. Once the function was brought in-house, the function was transferred to the Manager Executive Services (Mr Sut). The Manager reported direct to the General Manager and the dotted line reporting of the Internal Auditor to the General Manager existed. Botany’s internal audit function reported to a Director. The reporting lines were established as it would be administratively less onerous for the General Manager (given the span of control) if Internal Audit reported direct to a line Manager.

On amalgamation and the creation of the Bayside organisational structure, the Manager Governance & Risk portfolio incorporated the internal audit function, as currently exists. The internal audit function still maintains a strong and direct reporting line to the General Manager for matters related to Internal Audit.

In establishing the current structure several factors were considered including the increased direct reports to the General Manager, the functionality and performance under the then existing arrangements, and the knowledge and experience of the incumbent Manager. By default, the position also took on the nominal title


Item 5.2 12


of Chief Audit Executive for purposes of the IIA review.

Under the current structure and incumbents, the current service arrangement works well, and the function is not inhibited in its objectivity and lines of communication with the General Manager and the Committee.

The draft Internal Audit Charter therefore refers to current organisational structures and reporting lines, which will be reviewed once the revised guidelines are released by the OLG and formal changes to the Local Government Act, expected in the new term of Council].

Section 3 - Role and Authority [IA Charter Page number 4]

▪ Need to include the audit program is risk based This recommendation has been incorporated to the draft IA Charter.

Section 5 - Scope of Work [IA Charter Page number 6]

▪ The scope of services provided by Internal Audit includes

"Any special investigations as directed by the Risk and Audit Committee". This should also include as directed by the GM (i.e., quite appropriate for the GM to direct audit to look at something).

This recommendation has been incorporated to the draft IA Charter.

Section 8 - Reporting Arrangements [IA Charter Page number 7]

▪ "Head of Internal Audit shall submit a report summarising

all audit activities..." Should be "...detailing all audit activities..."


▪ "...the work of Internal Audit is solely for the benefit of

Bayside Council and is not to be...provided to any other person or organisation, except where this is formally authorised by the Risk and Audit Committee." This needs to be discussed i.e., should the GM and Council also be able to authorise release and is appropriate for the Risk & Audit Committee to be able to authorise release.

This recommendation has been incorporated to the draft IA Charter. The amendment to allow release by GM. The intent here is that the work is solely for Bayside Council and not to be relied upon by others.

Section 9 Planning Requirements - [IA Charter Page number 8]

▪ Audit Plan is overseen by Risk and Audit Committee and

cannot be changed without its approval. This recommendation has been incorporated to the draft IA Charter.

Section 10 Contract Audit Resources - [IA Charter Page number 9]

▪ "...the Head of Internal Audit may engage the services of

specialist external audit contractors...". Only needs to say "...specialist contractors...". “ .. 'external' is not necessary and misleading that might



Item 5.2 13


mean external auditors, not internal auditors that are external...”

Section 11 Co-ordination with External Audit - [IA Charter Page number 9]

▪ Discussion required on whether this needs something like

"Whilst acknowledging the different roles, purpose and methodologies of Internal and External Audit and other authorities."


Section 12 Collaboration with Business Transformation - [IA Charter Page number 9]

▪ “...need to point out that IA does not report to or get

instructions from the performance team. IA is not a test team for the performance team and would only test work implemented by the performance team as part of a previously scheduled audit.


Additional wording added “which have been appropriately identified in the internal audit planning process and included in the risk-based Internal Audit Plan”.

Section 13 Quality Assurance & Improvement Program - [IA Charter Page number 9]

▪ Is having an internal quality review every 2 years a bit too

frequent?


Section 13 changed to 3-year internal quality review. [Independent quality review remains unchanged as every 5 years].

Section 15 Review of Internal Audit Charter - [IA Charter Page number 10]

▪ Should probably be an annual review (rather than every 2

years) of the Internal Audit Charter.


▪ "If required...the Head of Internal Audit may approve non-

significant and/or minor editorial amendments that do not change the Charter's substance." Perhaps all should be approved by the ARIC, but if not, then ARIC should be advised at the next meeting. Sometimes minor things have big consequences.


Amended to require reporting to R&AC of any of these types of changes.

It should be noted that this may not be applicable, as we are moving to an annual review.

Attachments Draft Internal Audit Charter-revised with R&AC recommendations ⇩


Item 5.2 – Attachment 1 14

Item 5.3 24


Item No 5.3

Subject Progress Report on Internal Audit Plan 2021


File SF20/7567

Summary The purpose of this report is to provide the Risk & Audit Committee with an update of the progress of the 2020/2021 Internal Audit Plan.

Officer Recommendation That the Risk & Audit Committee notes the progress of the 2020/2021 Internal Audit Plan.

Background Council endorsed a Four-Year Strategic Internal Audit Plan detailing the Audit program for the period FY2020 to FY2024. It is to be noted that the plan is a rolling strategic internal audit program subject to detailed review each year, considering Council’s strategic risk register and the environment in which it operates. Table 1 below provides the progress of the current year’s Internal Audit Program as at 30 July 2021.

TABLE 1: Internal Audit Plan 2020/2021 Progress as at 30 July 2021

Internal Audit Plan 2020/2021

Name of Audit/Work to be completed

Directorate Quarter Status Internal Auditor Comments

1st Bi-annual verification of the implementation of audit recommendations

All Directorates

Q1 Completed Centium/Bayside Council

N/A

Refresh Internal Audit Framework

N/A Q1 & Q2 Completed Grant Thornton/Bayside Council

N/A

Assist in ERM Refresh N/A Q1 & Q2 Completed Bayside Council N/A

2nd Bi-annual verification of the implementation of audit recommendations

All Directorates

Q3 Completed Centium/Bayside Council

N/A

Records Management Audit (Deep Dive)

City Performance

Q3 & Q4 In Progress BDO Draft report received, some additional information requested


Item 5.3 25

Internal Audit Plan 2020/2021

Name of Audit/Work to be completed

Directorate Quarter Status Internal Auditor Comments

including survey. Final management comments to be provided

Audit of Certifications City Life Q3 & Q4 In Progress Bayside Council N/A

Health Check – Children’s Services

City Life Q3 & Q4 In Progress.

Slight delay due to NSW Covid-19 public health order.

Bayside Council Some child-care centres will have to be reviewed/ verified against relevant areas on the checklist.

Annual RMS DRIVES Audit City Life Q4 Not yet commenced.

Delayed due to NSW Covid-19 public health order.

Bayside Council Transport NSW have extended the timeline to councils to complete the RMS Drives compliance audit by 31 August 2021 or later in accordance with public health orders.

The Plan had been on track, however due to NSW Covid-19 public health order enforced, there has been a slight delay in completing the plan on time. However, no significant delays are expected, and no circumstances have arisen that require a change to the adopted Plan. As previously stated, the bulk of the internal audits were scheduled for the final two quarters of the financial year. A final draft report of the Records Management audit is awaiting some additional information prior to finalising management comments. This is expected to be completed in August 2021 and will be reported at the next Risk & Audit Committee meeting. The Audit of Certifications is almost at the draft report stage and will also be reported at the next Risk & Audit Committee meeting. The Health Check in the Children Services area is currently in progress but has been slightly delayed due to NSW Covid-19 public health order as some specific areas pertaining to child-care centres may have to be reviewed/verified against the checklist. The commencement of the Annual RMS DRIVES Audit was scheduled to commence at the end of June and has also been delayed due to NSW Covid-19 public health order from 26 June 2021. In light of the public health orders enforced, Transport NSW have extended the timeline to councils to complete the RMS Drives compliance audit by 31 August 2021 or later in accordance with NSW public health orders.


Item 5.3 26

A risk-based draft Strategic Five-Year Internal Audit Plan (2021-2026) has been completed and will be presented to the Risk & Audit Committee at the meeting on 26th August 2021 for endorsement.

Attachments Nil

Item 5.4 27


Item No 5.4

Subject Draft Strategic Five-Year Internal Audit Plan 2021-2026

Report by Umayal Sivanandan, Internal Auditor

File SF20/7567

Summary The draft Strategic Five-Year Internal Audit Plan (2021-2026) has been developed using the same methodology and approach utilised in previous years and ensuring that the plan is robust and comprehensive. This year the process has drawn from various inputs from key internal and external elements that have influenced the development of the plan. Internal Audit has considered Council’s core vision and corporate objectives to ensure the plan focuses to ensure that they will be achieved. In addition, key corporate deliverables of infrastructure and operational plans and essential services were also considered by council in developing the plan. Further, Internal Audit has also utilised Bayside Council’s recently revised risk register and strategic risks in developing the plan. The risks together with extensive consultation with Senior Managers, Directors and the General Manager contributed to the development of an Audit Universe that assisted in identifying key auditable areas for the development of the Strategic Five-Year Internal Audit Plan. Consultation with the external auditors, local government internal auditor peers, as well as a review of local government audit hotspots further contributed to ensure the audit plan is rigorous. This year the process has taken an extensive, thorough and a Council-wide, fully collaborative approach to ensure that the Strategic Five-Year Internal Audit Plan is a dynamic, robust plan that strives to mitigate risk, support Council in achieving its core vision, corporate goals, and objectives to providing exceptional service to the community.

Officer Recommendation That the Committee approves the draft Strategic Five-Year Internal Audit Plan.

Background In October 2008, the Division of Local Government (former Department of Local Government) published its Internal Audit Guidelines (revision published September 2010), which highly recommended that local councils take progressive steps towards incorporating an internal audit function as a mechanism to assist councils to manage risk and improve efficiency and effectiveness and endorse Internal Audit and a risk-based Internal Audit Plan as an essential component of a good governance framework for all councils. As part of this continued direction, Internal Audit has developed the draft Strategic Five-Year Internal Audit Plan (2021-2026) using the same methodology and approach utilised in


Item 5.4 28

previous years and ensuring that the plan is robust and comprehensive. This year the process has drawn from various inputs from key internal and external elements that have influenced the development of the plan. Council Vision and Corporate Objectives – It is the primary objective of Internal Audit to support management and assist the Council in realising its core vision and corporate goals by focusing on mitigating key risk areas. Internal Audit has taken into consideration Council’s vision and corporate objectives in every step of developing the Strategic Internal Audit Plan this year. Council’s Infrastructure/Operational Plan – Maintaining and restoring vital infrastructure and providing essential services are some of Council’s key objectives. Therefore, the consideration of Council’s capital and operational commitment, its obligations in meeting its corporate deliverables and identifying key areas that may require due focus to achieve these deliverables has been included in the development of the Audit Plan. Risk Management Framework – Bayside Council has recently revised its risk management framework and developed thirteen key Strategic Risks identified by the Executive Leadership. These risks have been presented to the Risk & Audit Committee at the meeting on 27 February 2021. The revitalisation of the risk framework has been an organisation wide collaboration, facilitated by the Risk team and captured within the Pulse system. Internal Audit has utilised the repository of risks within the “Risk Register” in Pulse to assist in the identification of potential key auditable areas that may be included when developing the Audit Universe and consequently the Internal Audit Plan. Review of the previous year’s Four-Year Audit Plan and development of an Audit Universe – A Four-Year Plan was presented and endorsed by the Risk & Audit Committee in November 2020. A review of the previous year’s Four-Year Internal Audit Plan was conducted, to ascertain the relevance of auditable areas identified in the Plan. This year an Audit Universe was also developed utilising the organisation structure to map out key functional and risks areas which assisted in identifying relevant auditable areas in collaboration with Senior Managers and Directors. The Audit Universe was an important preparatory tool in the development of a comprehensive, strategic internal audit plan that involved all levels of management and risk owners. Internal audits that could not be accommodated in the previous year (for reasons that may have been stated in prior Internal Audit progress reports) would have been taken into consideration when developing the revised Audit Plan. [As a result, no audits in the 2020-2021 Internal Audit Plan have been brought forward]. Consultation with the General Manager, Executives and Managers – This year the approach by Internal Audit involved extensive consultation and discussions with Executive Management, Senior Managers, and the General Manager, which has assisted Internal Audit in identifying significant areas that require focus and inclusion in the Internal Audit Plans. Review of the External Auditors’ Management Letter and discussions with the External Auditors – A review of the concerns raised by External Auditors in their Management Letters on elements impacting the control environment (captured in Pulse) was conducted, including discussions with External Auditors in further identifying areas that would benefit from an internal audit review and inclusion into the Internal Audit Plan. Analysis of Local Government Audit ‘Hot Spots’ – Maintaining a holistic approach to risks and pitfalls impacting local government, Internal Audit has reviewed recent publications and


Item 5.4 29

media releases on local government, documentation presented and discussed at Internal Audit conferences and forums with a focus on local government concerns and liaised with other fellow Internal Auditors as well as members of the Local Government Internal Audit Network (LGIAN). The Strategic Internal Audit Plan was primarily developed as a four-year plan to be closely aligned with Council term. However, the number of audits in each year was considered to be possibly challenging to complete and in order to ensure that the plan remains intact but at the same time achievable, a Five-Year Audit Plan was considered as an option instead. The draft Strategic Five-Year Audit Plan has identified approximately ten (10) to twelve (12) audits in each of the years. In developing the plan, audits that required specialised skills and knowledge in the subject matter have been assigned to specialist consultants with specific expertise and experience in the area. Consideration has been given to Internal Audit resourcing which is currently 3 days per week for the Internal Auditor, keeping in mind commitment to training/professional requirements and leave taken. It is proposed that each year, every audit that is scheduled to be completed in the annual plan will be carefully evaluated to assess how Council can obtain maximum benefits by optimising internal audit resources and audit contractors to assist and support the completion of the plan. Audits have also been prioritised accordingly in line with mandatory legislative requirements and ensuring that the timing of audits is suitably agreed with the relevant process owners and available resources, especially in the event of other related audits or projects that may also be conducted in the same year. In the event of any constraints or setbacks in commencing or conducting a review in a particular year, such as the unavailability of staff or significant changes in process and/or structure etc., Internal Audit may select an alternative review to be undertaken as identified in the draft Strategic Five-Year Audit Plan in consultation with Management and the Risk & Audit Committee. It is expected that for any reason if an audit is unable to be completed in the current year, it may be carried forward to the following year’s plan, which may consequently lead to the revision of the Strategic Internal Audit plan.

Attachments DRAFT-The Strategic Five-Year Internal Audit Plan (2021-2026)-Bayside Council-June 2021 ⇩

Item 5.5 34


Item No 5.5

Subject Extension of current Committee term


File SF20/7567

Summary The purpose of this report is to advise of the requirement for an extension of the current term of this existing Committee to December 2021 in line with the extension of the Council term to 4 December 2021. It also outlines the process for the appointment of independent members to the Risk & Audit Committee for the new term of office.

Officer Recommendation That the Risk & Audit Committee notes the requirement for an extension to the existing term of the Committee members and the action to commence the process to seek expressions of interest for the appointment of new independent members to the Risk & Audit Committee.

Background In April 2017 a Risk & Audit Committee was established for the newly amalgamated Bayside Council. This Risk & Audit Committee, being the inaugural committee for Bayside Council, comprised four independent members who served the entire term of this inaugural Committee. The members were appointed through a process that involved seeking expressions of interest from potential applicants that were then subject to extensive review and careful selection based on specific criteria. In accordance with the Risk and Audit Committee Charter, the tenure of the Committee is aligned with the term of Council, which was extended in 2020 to September 2021, due to the Covid-19 pandemic and the postponement of the elections. This now needs to be further extended as the Council election has been postponed to 4 December 2021. In preparedness for the new term of Council, a public process will commence seeking expressions of interest to appoint four independent members to the Risk & Audit Committee. The appointments will be formalised by the new Council in anticipation for a February 2022 meeting of the Committee.

Attachments Nil

Item 5.6 35


Item No 5.6

Subject End Project Report: Print & Post

Report by Ben Thompson, Manager Business Transformation

File SF20/4256

Summary Print & Post is a service provided by Revenue NSW whereby the state government has taken the responsibility for issuing the paper infringement notice to violating vehicle owners. A successful pilot programme was run by Revenue NSW and Burwood Council, with the option for other Councils to opt in occurring late last year. Bayside Council was an early adopter of the service, opting into the programme for the LPR trial. However, there were still 5 client codes related to parking offenses that were yet to opt in. With the success seen in the launch of Print & Post for infringements issued through the LPR solution, the Regulations Unit were well positioned to expand the offering across all parking enforcement client codes. In April 2021, the Executive Committee endorsed the move to Print & Post services for all parking related penalty infringement notices. The work required to support the implementation was undertaken over the course of May, with a ‘Go-Live’ date of 1 June 2021. Over 5000 infringements have been issued since going live on 1 June 2021 with Print & Post (to 26 July 2021). To date the Project Team is unaware of any community complaints related to the move away from leaving physical tickets on vehicles.

Officer Recommendation That the Risk & Audit Committee notes the attached End Project Report.

Project Overview Print & Post is a service provided by Revenue NSW whereby the state government has taken the responsibility for issuing the paper infringement notice to violating vehicle owners. A successful pilot programme was run by Revenue NSW and Burwood Council, with the option for other Councils to opt in occurring late last year. Bayside Council was an early adopter of the service, opting into the programme for the LPR trial. However, there were still 5 client codes related to parking offenses that were yet to opt in. With the success seen in the launch of Print & Post for infringements issued through the LPR solution, the Regulations Unit were well positioned to expand the offering across all parking enforcement client codes.


Item 5.6 36

Image 1: Example Penalty Notice from Revenue NSW

Project Benefits To date, over 5000 infringements have been issued through Revenue NSW’s Print & Post service, with no known complaints received. In addition to the streamlined processes the change has bought, the project has seen a number of benefits provided to Council. A summary of the identified benefits is provided below (for greater detail, please refer to the attached report): a. Reduction in costs associated with manual penalty mail-outs

b. Increase in productivity within the Regulations team

c. Reduction in mailing costs for manual penalty notices

d. Reduction in operating and maintenance costs of thermal handheld printers

e. Increased safety for Parking Officers and Rangers

f. Better Customer Experience – direct messaging from Revenue NSW As Revenue NSW becomes more sophisticated in their communication, the intent is to be able to send a notification electronically to an offending vehicle owner. This will see Council contribute to a completely digital experience, in partnership with the NSW State Government.

Community Feedback During the Burwood Council trial, over 4800 penalty notices were issued through Revenue NSW. Revenue NSW did not receive any written complaints or escalated calls relating to the new delivery method. Information, including images of the infringement, are uploaded to the Service NSW portal for people to see all the evidence related to the offence.


Item 5.6 37

Burwood’s feedback on the trial was also overwhelmingly positive. Burwood did not receive any negative feedback from the community on the change of method. Burwood also found a noticeable reduction in staff confrontation, with staff articulating they felt safer in their working environment. To date there has been no report of complaints from the Bayside Council community. Comments were made by community members seeing PPOs on patrol not leaving tickets on offending vehicles. Information was provided to these residents regarding the new Print & Post programme. Council’s website has also been shared with Customer Experience as a page of interest for community members wanting to know more.

Conclusion The implementation of Print & Post for LPR in December 2020 saw Council become one of the first to adopt the new service. With the expansion to all parking infringements, Council is one of less than 20 Councils currently on-board, with other Councils reportedly eager to also come on board. Bayside Council is recognised as an early adopter of the service, and Revenue NSW have provided comment on the smooth transition that Bayside was able to enjoy. Finally, it should be noted that the project would not have seen the success it has without the change capability that had been built within the Compliance and Certification Business Unit. Through the adoption of LPR, the Manager and Coordinator were eager to continue to streamline processes, and this has bought about the successful implementation of Print & Post.

Attachments End Project Report: Print & Post ⇩

Item 5.7 48


Item No 5.7

Subject End Project Report: License Plate Recognition Trial

Report by Ben Thompson, Manager Business Transformation

File SF20/4256

Summary In October 2020, Council’s Executive Committee approved the implementation of License Plate Recognition (LPR) technology on a trial basis for one Parking Patrol Officer (PPO) vehicle. Bayside Council is viewed as an early adopter of LPR technology, with very few Sydney metropolitan Council’s utilising the technology. With the successful delivery of the LPR Trial, Bayside is at the cutting edge of parking compliance in Australia, with the ability to scale up the technology.

Officer Recommendation That the Risk & Audit Committee notes the attached End Project Report: License Plate Recognition (LPR) Trial.

Project Overview In response to the need for a more efficient and safe approach to managing parking tariffs in the LGA, Bayside Council implemented the LPR system. LPR’s purpose is to provide a modern approach to parking management, delivering efficiency, and increasing productivity, and providing a safe work environment away from verbal abuse and assaults while eliminating the risk of physical violence to our staff. Due to the scale of work required to implement the project across the LGA several small pilot areas were selected to trial the technology and to assess the impact on current business processes. The new Print & Post process through Revenue NSW was also deployed as part of this trial. Print & Post is a service provided by Revenue NSW whereby the state government has taken the responsibility for issuing the paper infringement notice to violating vehicle owners. The pilot area consists of 28 Local and State-owned roads and 14 council owned carparks. Pilot areas selected were identified as hotspots with a high number of offences taking place. Streets selected for the pilot area saw high levels of traffic as well as a high demand for parking spaces. Foreshore car parks were identified as hot spots for offending vehicles and were included in the trial. The demand for parking space in the foreshore carparks over past Summer and Spring months has seen high rates of dangerous and illegal parking. However, the demand is seasonal with a significant drop seen in Autumn and Winter.


Item 5.7 49

The trial has continued to develop with the addition of ‘No Stopping’ tariffs along Vanston Parade, Ida, and Lena Streets, as well as a school zone. This has provided the trial with the opportunity to use the technology in a variety of different traffic situations as well as varying weather and day/ night conditions.

Project Deliverables The rollout of the LPR trial saw a number of deliverables achieved, including:

Deliverable Description

Parking tariff mapping of the trial areas

Detailed mapping now exists of the trial parking zones. This had never been captured by Council prior to this project. With further mapping of the LGA, Council will be able to leverage this data to provide interactive online mapping to our community displaying parking restrictions in high visitation areas.

Residential parking permit data reviewed

The RPS data Council held had never undergone a review. With the implementation of LPR, a review of the data occurred and found that there was significant improvement that could be made. This work has already commenced and will be completed with the RPS renewal period this year.

PinForce improvements deployed

A number of system improvements were made to PinForce Manager and Mobile to enable the deployment of LPR.

Print & Post implementation LPR was the first iteration of Print & Post at Bayside and allowed for the wider rollout to occur month later with no significant impact to service delivery. It has also allowed Officers to remain in the vehicle at all times when issuing infringements.

Delivery of training on LPR to the Regulations Team

Initial training was provided to system champions within the Regulations Team. Following go-live, significant training has been provided to the whole team, to enable a wider user base, and to support future roll outs of LPR.

Improved parking compliance business intelligence reporting

A dashboard is currently in the final stages of development, with the view to deploying the reporting to BaysideIntelligence in the coming month.

Deployment of LPR technology to a Regulations vehicle

The most significant deliverable, the deployment of 2 cameras, a ToughPad and numerous networking infrastructure to a Regulations vehicle has allowed the use of LPR. A long term set up has now been implemented with a built-in stand for the ToughPad now in use.


Item 5.7 50

Project Benefits The rollout of the LPR Trial was based on the fact Council Offers were being placed in situations that posed significant risk to their health and safety. Anecdotal evidence collected from the officers using LPR has found that employee job satisfaction has increased, the risk of physical violence and verbal abuse has decreased to almost zero and physical injury has significantly decreased. In addition to the above, Council has also seen an improvement in compliance coverage across the identified hotspots. During testing, it was demonstrated that the vehicle could electronically check up to 700 cars per hour. Further demonstration in testing showed a 3 hour ‘beat’ on foot took approximately 30 minutes in the vehicle. As LPR operates highspeed infra-red cameras this allowed Council’s Rangers to patrol known evening hotspots along Brighton-Le-Sands and Sandringham. To date, the night patrols had proven troublesome to attain images that were useable for issuing an infringement. With the deployment of LPR, officers can patrol and enforce evening No Stopping restrictions. With the implementation of LPR, image quality has increased significantly, and infringements are now able to be issued. Along with this, officer safety is maintained as they remain in the vehicle at all times allowing Regulations to operate with ‘one out’ – saving additional overtime costs.

Project Learnings With any implementation of new technology, the deployment of LPR was not without issue. However, it should be noted that the project team worked extremely well together to ensure LPR was delivered. Importantly, from the issues experienced, a number of lessons were learned and documented to further support any potential larger scale rollout of LPR in the future. A summary of the lessons learned is provided below: 1 Business Improvement involvement in the Change Advisory Board (CAB) process as

the Change Requestor.

2 Obtain better configuration documentation from the product supplier prior to any work been undertaken.

3 Spent time to understand the prior lessons learned from the product supplier to enable more sophisticated risk mitigation planning.

4 Engage IT early and ensure the product supplier (DCA) has an open channel of communication to IT and Council’s third-party networking and infrastructure partners (iQ3 and Intellitek).

The learnings articulated above, put Council in a strong position to scale up the rollout of LPR into the future. With the knowledge and capability now built within the organisation, the next iteration of any potential LPR rollout should see a much more seamless deployment.


Item 5.7 51

Next Steps With the implementation of the LPR trial, Business Improvement will be monitoring the success of the trail through the collection of data (dashboards), and through the anecdotal information collected from Regulations. To date, both the data and anecdotal information collected, have led the team to believe the trial has been a success. The Business Improvement Team will continue to develop a formal business case that encompasses the effort required for a larger rollout, the cost associated with more LPR technology, options of deployment and a final review of the LPR trial. In addition to the business case, a number of critical activities have been identified to ensure a large-scale rollout is successful: 1. RPS data reliability and validity

a. As stated above, work is currently underway to ensure RPS data is held and maintained to a high standard to allow LPR to exempt permit holders from parking tariffs.

2. LGA Street Sign Mapping

a. A draft RFQ has been developed. This will need to be finalised and sent out to market in order to collect the data required for LPR to work.

Conclusion To August 2021, over 1900 infringements have been issued via the LPR technology representing more than $200,000 in revenue and a 290% Return on Investment against the cost of the equipment and implementation. The deployment of the LPR trial at Bayside Council saw a number of teams come together and deliver a solution that has brought the organisation to the forefront of compliance within local government. The LPR vehicle is now operational each day and is working as expected. While the project to deploy the trial now concludes, the involvement of Business Improvement in the trial and the analysis of the trial continues to ensure future decisions on a wider rollout can be made by the Executive Committee.

Attachments End Project Report: License Plate Recognition Trial ⇩

Item 5.8 66


Item No 5.8

Subject Strategic Risk Overview

Report by Ray D'Angelo, Coordinator Risk Management

File SF21/3579

Duration 30 minutes

Summary The report to the last Risk & Audit Committee outlined the strategic risks and reported on operational risks. This report highlights progress on the integration of the Strategic Risks into Councils Operational Plan and Delivery Program. This report includes an update on the current position of operational risks. The report also highlights emerging risks and issues due to COVID-19 for attention

Officer Recommendation 1 That the Risk & Audit Committee receives and notes the strategic and operational risk

updates and emerging risk comments.

2 That the Risk & Audit Committee notes the movement in risk ratings of two operational risks as detailed in this report.

3 That the Risk & Audit Committee notes the timetable for review of the strategic risks as outlined in attachment 1 to this report.

Strategic Risks Following the comprehensive review of Council’s strategic risks in May 2021, it was agreed to undertake annual reviews in November each year of that register. In the interim strategic leads (i.e. nominated directors) and relevant tasks owners i.e. Managers would undertake their own reviews quarterly. To accommodate this process, allocation of sub risks to Managers and reporting, some minor upgrades are required to PULSE. The Risk Team has been working with the software provider to finalise enhancements to PULSE. This will be implemented shortly and communicated to the Leadership Team. It is expected that the changes will be easily managed. Moreover, the strategic risk tasks covering activities and functions within each strategic risk that have been allocated to each Manager will be articulated with the individual risk owner to ensure there is a clear understanding of the strategic risks, appreciation of their accountability for the management of the tasks and to help them ensure the controls are appropriate. Attachment 1 outlines the plan and timetable for the review of the strategic risks, with a report back in November 2021


Item 5.8 67

Operational Risks The operational risks have been reviewed and updated by each risk owner and will be part of the ongoing risk management program undergoing further assessment with each of the risk owners. The program provides refresher training on the rating of risk, how to articulate risks succinctly and align risks to Council’s risk appetite and the use of the risk matrix. The Table below summarises the operational risks extracted from PULSE and compares them to the last quarter. The risks are presented by reference to the strategic operational risk category. Currently, this data is currently manually extracted but will be automated with the proposed enhancements to PULSE. Table – Operational Risk Ratings Summary

Risk Extreme Very High High Medium Low Summary

Change 3rd Qtr.

4th Qtr.

3rd Qtr.

4th Qtr.

3rd Qtr.

4th Qtr.

3rd Qtr.

4th Qtr.

3rd Qtr.

4th Qtr.

3rd Qtr.

4th Qtr.

Change Management 1 1 1 1 2 2 -

Statutory Obligations 3 3 9 9 11 11 23 23 -

Infrastructure 4 3 4 5 8 8 -

Community 1 1 1 1 -

Personnel 1 1 2 2 3 3 -

Climate & Environment 1 1 1 2 2 -

Business Continuity 1 1 1 1 -

Projects 1 1 2 2 4 4 7 7 -

Safety 1 1 2 2 3 3 -

Data & Information 2 2 9 9 11 11 -

Stakeholders 3 3 5 5 8 8 -

Fraud & Corruption 1 6 6 8 8 14 14 -

Financial 4 4 4 4 8 9 -

Summary NIL 2 2 8 7 34 35 48 49 92 92 -

Table Notes

▪ No change in the number of operational risks reported from last quarter ▪ 2 Very Highs

i. Fraud or corruption arising from Planning Proposals [Note – changes introduced in August to the Local Planning Panel process in dealing with planning proposals pre-exhibition and post exhibition will provide improved controls with this risk]

ii. Renewal of Swinbourne Street Retaining Wall

▪ 7 High Risks i. Gardiner Park Synthetic Fields Project ii. Major Contractor failure following open tender

iii. Developer contributions financial management failures iv. Non-Compliance with legislative and regulatory obligations v. Failures to comply with evidentiary procedures issuing orders

vi. Injury or death arising from Council managed or organised event ▪ Proposed changes in Risk Ratings (2)

i. BCP rating moved from High to Medium due to Council’s pandemic response. Practices, procedures, staffing has been reviewed to ensure services continue to be

delivered safely within Public Health Orders whilst keeping people safe. Active Monitoring continuing.


Item 5.8 68

ii. Occupation of Land without valid agreement has moved from Medium to

Low. a long terms site plans, checks with Compliance on occupation of land.

Identified unauthorised occupation of land results in occupants moving off land

or entering into a valid agreement with Council.

Emerging Risks & Issues Long term, COVID-19 is having a significant impact on Council services with implications for all. Council continues to balance the maintenance of services, and staff and resident safety. Executive management continues to monitor and respond to the changing Public Health Orders. The Executive is also examining the longer-term impacts of COVID on the workforce and the community. Bayside Council as a local government area of concern is a “declared area” under the Gathering & Movement Restrictions Order. All administration staff are working from home with few exceptions (and only for essential services). Council in collaboration with NSW Health has arranged for two vaccination hubs in the Bayside LGA and the community and staff are being encouraged to attend and “get the jab”. Community Life staff have been contacting by phone the elderly in the community to check in and the Mayor facilitated an online community forum to address community issues and concerns. In addition, Council has recently resolved to provide a package of financial relief to residents and businesses. COVID-19 impacts on the following Strategic Risks:

• Strategic Risk 1 - Change Management o Disruption due to social and health issues i.e. Pandemic

• Strategic Risk 2 - Statutory Obligations o Council employees not complying with statutory requirements

• Strategic Risk 3 - Community o Loss of, or reduction in, services due to: lack of funding, skills shortage,

ineffective tendering, contract management, health issues o Failure to effectively manage media and public relations

• Strategic Risk 5 - Personnel o Failure to address pressures of: increased workloads, conflict or grievances,

political pressure, health issue

• Strategic Risk 7 - Business Continuity o Inability to respond to a municipal emergency event

o Failure to plan for a pandemic

• Strategic Risk 9 - Safety o Inadequate or ineffective WHS management systems resulting in unsafe acts

and conditions o Failure to manage contractor work health and safety compliance

o Failure to support employee life, family and work balance

• Strategic Risk 10 - Data & Information o Computer system breakdowns

o Failure of data security measures

• Strategic Risk 11 - Stakeholders o Unaware or unprepared for the impact of negative feedback on social media


Item 5.8 69

o Forums or other events fail to meet community standards

• Strategic Risk 12 - Fraud & Corruption o Inadequate contract and contractor management

• Strategic Risk 13 - Financial o Lack of controls, or controls inadequate for effective financial management

Internal processes are being adapted in light of the introduction of ‘working from home’ arrangements and Business Units continue to monitor risks, review operational practices, and introduce or modify internal controls.

Regular reporting to Risk & Audit Committee Council will continue the practice of reporting quarterly on strategic and operational risks to the Risk & Audit Committee.

Financial Implications Not applicable ☒

Included in existing approved budget ☐

Additional funds required ☐

Community Engagement Not applicable

Procurement Not applicable ☒

Attachments Risk Program Timetable ⇩

Item 5.9 71


Item No 5.9

Subject Confidential - Risk Management - Quarterly Claims and Risk Review

Report by Ray D'Angelo, Coordinator Risk Management

File SF21/3873

Duration 10 minutes

Confidential The matters in this report are confidential, as it is considered that it is in the public interest that they are not disclosed to the public. In accordance with the Code of Conduct, the matters and the information contained within this report must not be discussed with or disclosed to any person who is not a member of the meeting or otherwise authorised.

Agenda of Risk & Audit Committee - 26 August 2021

Documents

Transcript of Agenda of Risk & Audit Committee - 26 August 2021