Chief Executive Officer's Review of Systems and Procedures ...


Ordinary Meeting of Council 16 December 2020

7.1 CHIEF EXECUTIVE OFFICER'S REVIEW OF SYSTEMS AND PROCEDURES - REGULATION 17 AND ENTERPRISE RISK MANAGEMENT INTERNAL AUDIT

Ward: (No Wards) (Governance & Strategy)

Disclosure of Interest: Nil

Authorised Officer: (Chief Executive Officer)

KEY ISSUES

• Under regulation 17 of the Local Government (Audit) Regulations 1996 the Chief Executive Officer (CEO) is to review the appropriateness and effectiveness of the local government’s systems and procedures in relation to risk management, internal control and legislative compliance and provide a report to the Audit Committee with the results of that review.

• As part of the 2019/2020 Internal Audit Program, Deloitte Risk Advisory Pty Ltd (Deloitte) was engaged to undertake this review on behalf of the CEO.

• Deloitte made 9 findings and 17 recommendations. City officers have reviewed and responded to these findings and recommendations, and actions have been identified for implementation.

• At the 16 November 2020 Audit Committee meeting it was recommended this report be provided to Council.

The Audit Committee recommends that the Council notes the findings of the report and the actions for inclusion in the Internal Audit Register (including the priorities identified by the Audit Committee) for monitoring and reporting.

BACKGROUND

Under regulation 17 of the Local Government (Audit) Regulations 1996 the CEO is to review the appropriateness and effectiveness of the local government’s systems and procedures.

Regulation 17 states:

1) The CEO is to review the appropriateness and effectiveness of a local government’s systems and procedures in relation to -

a) risk management; and

b) internal control; and

c) legislative compliance.


2) The review may relate to any or all of the matters referred to in sub-regulation (1)(a), (b) and (c), but each of those matters is to be the subject of a review not less than once in every 3 financial years.

3) The CEO is to report to the Audit Committee the results of that review.

Deloitte was engaged to perform this review on behalf of the CEO. Under regulation 16(c), the Audit Committee now presents to Council the results of that review.

DETAILS

There are no mandatory or minimum requirements for conducting the Regulation 17 CEO review. However, the Department of Local Government, Sport and Cultural Industries Operational Guidelines No.9 (Revised September 2013) provides a useful overview of the issues that should be taken into account when undertaking the Regulation 17 review.

As part of the Strategic Internal Audit Plan 2019-2022, Risk Management and Data Governance – Security were endorsed to be included in the audit program. As the City was selected to participate in the Office of the Auditor General (OAG) - General IT Controls audit in 2019/2020, the proposed Data Governance – Security audit, to be completed by Deloitte was cancelled and replaced with the Risk Management review. To avoid duplication, the risk component of the Regulation 17 review was broadened to include a more thorough deep dive into the City’s Risk Management practices and culture.

As the City was selected to participate in the Office of the Auditor General - IT General Controls audit, IT/System controls were excluded from the Deloitte Regulation 17 and Enterprise Risk Management Internal Audit.

The approach taken by Deloitte included: a review of relevant documents, interviews with key stakeholders, a sample of five internal controls for testing, a rating of the effectiveness of Risk Management, Internal Controls and Legislative Compliance, a review of the City's risk management practices, a survey of risk culture with key stakeholders, and validation of findings with relevant City officers. From the information gathered, the report was then developed outlining the observations, nine key findings, and 17 associated recommendations.


There were 9 main findings of the report, summarised below with the risk rating assigned to each:

Finding 1: Continue to improve the maturity of the City's Risk Management Framework. Risk rating: Medium

Finding 2: Continue to improve risk management communication and reporting. Risk rating: Medium

Finding 3: Continue to integrate effective risk management practices in the City’s operational processes. Risk rating: Medium

Finding 4: Identify and review opportunities to improve the City’s Risk culture. Risk rating: Low

Finding 5: The City should improve training practices to better support employee knowledge and awareness of key requirements. Risk rating: Low

Finding 6: Improve the City’s IT Disaster Recovery Plan and testing. Risk rating: Low

Finding 7: Improve support to the Audit Committee to better support requirements of Guidelines 9. Risk rating: High

Finding 8: Business unit manager authorisation of invoice requisitions should be consistently applied. Risk rating: Medium

Finding 9: The City should maintain a single source of truth for information regarding litigation and claims. Risk rating: Medium

The 17 recommendations made by Deloitte in relation to the above findings, along with the management response and agreed actions, are provided in the attachment to this report.

At a meeting held 16 November 2020, the Audit Committee considered the report prepared by Deloitte on behalf of the CEO.

The Audit Committee, upon advice from Deloitte, modified the officer recommendation to include prioritisation of the recommendations made. The Audit Committee resolution is provided below.


The Audit Committee resolved unanimously to:

1) note the findings of the report;

2) endorse the actions to be included in the Internal Audit Register for monitoring and progress reporting; and

3) prioritise the recommendations of Deloitte Risk Advisory Pty Ltd as follows:

i. Identify and address gaps in reporting to the Audit Committee to support their monitoring function (refer to Finding 7: Recommendation 2)

ii. Define the roles and responsibilities of the Audit and Risk function as well as broader functional responsibilities across the City (refer to Finding 1: Recommendation 2)

• Communicate the roles and responsibilities within this function to the broader organisation

iii. Leverage the PPRisk system to develop an effective and efficient mechanism for Risk Management System reporting (risks, progress of agreed actions, system performance etc.) (Refer to Finding 2: Recommendation 1)

4) submit the report to the December Ordinary Council Meeting for consideration and noting.

Agreed actions to address the three items, as prioritised by the Audit Committee, are supported by City officers.

CONSULTATION

Nil.

ATTACHMENTS

Regulation 17 and Enterprise Risk Management Internal Audit

STRATEGIC IMPLICATIONS

The Internal Audit program is consistent with the City's Strategic Community Plan (2017 - 2027), G2.1 Improve capability and capacity.

STATUTORY IMPLICATIONS

Local Government Act 1995

Local Government (Audit) Regulations 1996

Risk Management Standard ISO AS/NZS 31000: 2009


FINANCIAL IMPLICATIONS

The cost of the audit was $23,700.

VOTING REQUIREMENTS

Simple majority

RECOMMENDATION

The Audit Committee recommends that the Council resolves to:

1) Note the findings of the report.

2) Endorse the actions to be included in the Internal Audit Register for monitoring and progress reporting.

3) Prioritise the recommendations of Deloitte Risk Advisory Pty Ltd as follows:

i. Identify and address gaps in reporting to the Audit Committee to support their monitoring function (refer to Finding 7: Recommendation 2)

ii. Define the roles and responsibilities of the Audit and Risk function as well as broader functional responsibilities across the City (refer to Finding 1: Recommendation 2)

• Communicate the roles and responsibilities within this function to the broader organisation

iii. Leverage the PPRisk system to develop an effective and efficient mechanism for Risk Management System reporting (risks, progress of agreed actions, system performance etc.) (Refer to Finding 2: Recommendation 1)

CARRIED EN BLOC

September 2020

City of Swan
Regulation 17 and Enterprise Risk Management Internal Audits

Version: 1, Version Date: 17/11/2020 Document Set ID: 6053849

© 2020 Deloitte Risk Advisory Pty Ltd

Contents

Executive Summary (page 3)
• Background and Scope
• Our Point of View
• High-Level Summary

Data Insights (page 7)
• Risk Culture Survey Summary
• Risk Culture Survey Comments

Detailed Findings (page 10)
• Finding 1 – Continue to improve the maturity of the City's Risk Management Framework
• Finding 2 – Continue to improve risk management communication and reporting
• Finding 3 – Continue to integrate effective risk management practices in the City’s operational processes
• Finding 4 – Identify and review opportunities to improve the City’s Risk culture
• Finding 5 – The City should improve training practices to better support employee knowledge and awareness of key requirements
• Finding 6 – Improve the City’s IT Disaster Recovery Plan and testing
• Finding 7 – Improve support to the Audit Committee to better support requirements of Guidelines 9
• Finding 8 – Business unit manager authorisation of invoice requisitions should be consistently applied
• Finding 9 – The City should maintain a single source of truth for information regarding litigation and claims
• Opportunity for improvement – Leverage learnings from the Covid-19 response to update the City’s disruption response and recovery documentation

Appendices (page 23)


Executive Summary


Executive Summary – Background and Scope

Background

Regulation 17 of the Local Government (Audit) Regulations 1996 requires the Chief Executive Officer (CEO) of the City of Swan (the City) to undertake reviews of the appropriateness and effectiveness of local government systems and procedures in relation to risk management, internal controls, and legislative compliance not less than once in every three financial years, with results reported to the Audit Committee.

Deloitte Risk Advisory Pty Ltd (Deloitte) was engaged by the City to undertake this review in FY19/20. Deloitte have completed an assessment of the City’s related systems and procedures in consideration of the former Department of Local Government and Communities’ Local Government Operational Guidelines Number 09 - Revised September 2013 (Guidelines 9).

In addition, Deloitte were engaged to complete a deep dive on the City’s Risk Management practices, including a high level review of risk culture, and consideration of ISO 31000 Risk Management: Principles and Guidelines (ISO Standard) requirements. While these were two separate pieces of work, they were conducted concurrently given common elements between the ISO Standard and Guidelines 9 requirements. As such, we have presented our findings and recommendations in one report at the City’s request.

Scope and Approach

To achieve the review objective, we assessed City and Audit Committee practices around Risk Management, Internal Control and Legislative Compliance as per Guidelines 9.

Our approach included:

• Examination of key documentation (Appendix A)

• Interviews with key stakeholders (Appendix B)

• Limited sample testing for internal controls (sample of five for key financial and procurement controls as per Appendix C)

• Determination of whether control design effectiveness across Risk Management, Internal Control and Legislative Compliance is Effective, Partially Effective, or Ineffective in consideration of Guidelines 9 (Appendices D, E and F)

• Review of the City’s risk management practices in consideration of ISO 31000 Risk Management: Principles and Guidelines

• A limited risk culture survey of key stakeholders (Appendix G)

• Validation of survey results and preliminary findings with Manager Governance and Strategy and the Risk and Assurance Officer and other key stakeholders as required

• Development of a report outlining observations and key recommendations (risk ratings are based on the City’s Risk Management Framework).

Limitations

• Our review included assessment of design effectiveness and limited testing of implementation effectiveness. Testing of key financial and procurement internal controls included a sample of five, and testing other elements included a sample of one.

• Where applicable, our work included the FY18/19 and FY19/20 financial years.

Executive Summary – Our Point of View

This report contains 9 findings and 17 associated recommendations generated from two separate but related scopes of work, being Regulation 17 and Risk Management. Regulation 17 itself covers a large number of requirements and recommended practices. Adding Risk Management increases the scope even further. The number of findings and recommendations needs to be considered in this context.

Given the City has a small risk team compared with other local councils, our first and main recommendation is to prioritise these recommendations based on the risk appetite of the Audit Committee.

Regulation 17

While the City has systems and processes in place that review many of the requirements of Regulation 17, some exceptions were identified:

• Some requirements are not consistently applied (e.g. storage of some approval records)

• There are opportunities to improve structured application (i.e. staff training and record keeping)

• Some information is not consistently presented to the Audit Committee in line with local government guidelines.

Risk Management

This review included a detailed focus on risk management to assess the maturity of the City’s risk management system and provide guidance on next steps to continue on their maturity journey. A high level summary of our findings aligned to the risk management framework is presented in Figure 1.

Figure 1 – ISO31000 Risk Management Framework Overview (and alignment to report findings for Regulation 17 and Enterprise Risk Management Internal Audits)

Executive Summary – High-Level Summary

Findings (Figure 1 presents each finding with its Internal Audit Rating):

1. Continue to improve the maturity of the City's Risk Management Framework

2. Continue to improve risk management communication and reporting

3. Continue to integrate effective risk management practices in the City’s operational processes

4. Identify and review opportunities to improve the City’s Risk culture

5. The City should improve training practices to better support employee knowledge and awareness of key requirements

6. Improve the City’s IT Disaster Recovery Plan and testing

7. Improve support to the Audit Committee to better support requirements of Guidelines 9

8. Business unit manager authorisation of invoice requisitions should be consistently applied

9. The City should maintain a single source of truth for information regarding litigation and claims

Opportunity for Improvement

Leverage learnings from the Covid-19 response to update the City’s disruption response and recovery documentation

Positive Observations

• The City applied appropriate delegation of authority and segregation of duties as evidenced through our sample testing

• All interviewed staff are knowledgeable about financial processes for their area, and understand how these processes interact with those run by their peers

• The City has an internal audit plan which is reviewed annually and considers a 3-year horizon. This is in addition to audits from the OAG and an internal controls assurance program undertaken by the Risk and Assurance Officer

• An Audit Committee meeting planner has been recently established to support completion of regular reviews

• The PPRisk system is planned to be implemented in September 2020 to support the City’s risk management maturity journey. Significant planning and risk review is underway in preparation for the rollout

• 79% of invited City staff responded to the Risk Culture Survey which represents higher than expected survey engagement

Survey comments indicated the following positive aspects of the City’s risk practices:

• “Feel strongly that risk is managed appropriately”

• “…manages lower level or operational risks well…”

• “Demonstrated commitment to limiting LTI's in the workplace”

• “…easy for staff to report workplace hazards and OSH incidents … strong investigation process”

• “well sponsored, reinforced and bedded down around safety and a handful of risk types”

Internal Audit Ratings (legend used in Figure 1): Extreme, High, Medium, Low, Positive observations, Opportunity for improvement


Data Insights


Data Insights – Risk Culture Survey Summary

Information is presented below to provide an overview of survey respondents and key messages. Detailed questions and responses are provided in Appendices G and H.

• 79% response rate (27 of 34 invitations) - a higher level of engagement than anticipated

• While 67% of respondents identified themselves as risk owners, only 59% of respondents identified themselves as having specific risk responsibilities. This raises questions around how 4 of 18 people, who feel like they own risks, do not believe they hold specific risk responsibilities, and suggests a need for clearer role definition

• Of the 30% indicating they did not have specific risk responsibilities, 62.5% have been with the City 5+ years. The City would expect people to be aware of and understand their risk responsibilities after this period of employment.

Figure 2 – Role of Risk Culture Survey Respondents (categories: Other, Coordinator, Manager, Executive, No response; respondent counts as extracted from the chart: 3, 16, 4, 3, 1)

Figure 3 – Years working at the City for Risk Culture Survey Respondents (categories: <1 Years, 1-3 Years, 3-5 Years, 5-10 Years, 10+ Years, No Response; respondent counts as extracted from the chart: 1, 4, 6, 6, 9, 1)


Data Insights – Risk Culture Survey Comments

Comments have been extracted from the risk culture survey and thematically grouped below. Some of the more useful comments have been highlighted.


Detailed Findings


Finding 1 – Continue to improve the maturity of the City's Risk Management Framework

Observations:

• We acknowledge the City is presently in a state of transition from a manual risk register to the PPRisk system

• The City has limited resources to co-ordinate both risk and audit activities, and relies on management to manage operational risks. Due to limited delineation between risk and audit functions, they do not both receive appropriate focus

• While the manual registers reviewed provide good oversight of risks, we noted the following:

o The Audit Committee is not presented with the strategic risk register for annual discussion, review, and approval. We understand the risk register will go to the Audit Committee in August and will be ongoing each year

o There are no risk owners documented for the City’s Risks

• Risk Culture Survey results (Appendix H) indicate that only 52% of survey respondents agreed “The City's risk management processes help the City achieve its strategic objectives” (Q18) suggesting that alignment between risk processes and the City’s strategic objectives can be improved.

• The Risk and Assurance Officer’s role is not clearly defined, communicated or understood within the organisation. Information required to effectively discharge the role is not easily accessible or shared (i.e. Business Unit information and documentation relating to operational and strategic risks). Throughout this audit we noted that information required to complete the review was not accessible by or available to the Risk and Assurance Officer

• The City does not report the effectiveness of the risk management system, and monitoring is not effectively applied. For example: KPIs in the City’s Risk Management Framework are not actioned or reported on

• It is understood that “Fraud Action Strategies” for FY19/20 noted in the Internal Audit and Risk Management Progress Report Q4 Apr-Jun 19 have not been completed, and progress reports haven’t been provided.

Increased potential for:

• Failure to appropriately identify and address strategic risks

• Failure to establish a consistently applied and understood enterprise wide risk framework

• Inconsistent and ineffective risk practices increasing exposure to risk events

• Inappropriate decision making based on misalignment between risk practices and strategic objectives.

MEDIUM RATING

Finding 1 cont’d – Continue to improve the maturity of the City's Risk Management Framework

Recommendations:

1. Obtain Audit Committee input to the City’s Strategic Risk Register at least annually

2. Review, document and communicate key roles, responsibilities, accountabilities and authorities relating to risk management (including risk owners) and audit / assurance activities

3. Establish a regular review of risk system effectiveness as per the Risk Management Framework and ISO Standard and provide a summary report to the executive and Audit Committee.

1. Management Response: The Strategic Risk Register was presented to the Audit Committee at its August 2020 meeting. Going forward this item will be included in the Audit Committee Meeting Planner.

Agreed Action: Implemented. No further action required.

2. Management Response: The Risk and Assurance Officer’s role is clearly defined in their position description. During the implementation of the new Risk system, training will be provided to Managers, which will assist in their understanding of this role.

Agreed Action: Review and define the risk, audit and assurance roles and requirements. Develop a Management Practice for the Audit Function to define and articulate the purpose and operating responsibilities of the function within the organisation.

Owner: Manager Governance & Strategy
Due: 31 March 2021

3. Management Response: The City is currently implementing a new system which will allow for the capture of risks and provide a more automated reporting mechanism. This will allow for more regular reporting to both Executive and the Audit Committee.

Agreed Action: City officers will develop, review and refine KPI’s for the risk and audit function. These KPI’s will be reported to the Audit Committee as part of the Annual Year in Review report and will be included in the Audit Committee Meeting Planner.

Owner: Manager Governance & Strategy
Due: 30 June 2021

MEDIUM RATING

Finding 2 – Continue to improve risk management communication and reporting

Observations:

• Upward and downward risk communication between all levels of the City is limited. Survey comments suggest risk communication can be improved through regular communication, sharing learnings from other business units, supporting Managers to provide teams with relevant risk context and opportunity for discussion, and incorporating “easy to digest pieces to bring staff along the journey”

• The City’s risk reporting is not effectively supporting risk culture and effective risk practices. For example:

o Risk related information from BUs is not readily available to the risk team

o While specific risks (i.e. OSH and customer feedback) are included in some meeting agendas (as per the Cascading Meeting Framework), risk management is not

o The Internal Audit and Risk Management Progress Reports for the Audit Committee demonstrate a focus on audit. They are not based on risk priority ratings, and do not include dashboards, key risks/areas, emerging risks, trends, or key changes

o The City does not report on the effectiveness of the risk management system.

Increased potential for:

• Inappropriate decision making and failure to take appropriate action (e.g. prevention or mitigation of risk events) due to gaps in understanding or knowledge

• Failure to support an appropriate risk culture (i.e. a culture based on a collective understanding and supported by effective top-down communication).

Recommendations:

1. Develop a mechanism for risk management reporting which considers:

• Provision of appropriate risk information from across the City to the executive team and Audit Committee

• An effective mechanism for monitoring and reporting on progress of agreed actions

• Separation of risk and audit reporting

2. Consider development of a communication strategy/plan to support risk understanding. For example:

• Discussion of a key risk at each executive meeting to be cascaded down to respective BUs

• Structured sharing of lessons learned

• Regular ‘risk snapshots’ for all City staff (e.g. key risks, lessons learned, recent trends, emerging risks)

1 and 2. Management Response: Once implemented, the new risk system (PPRisk) will provide a mechanism for risk reporting. Risk reporting is provided to the Executive Management Team and Audit Committee on a quarterly basis. Risk and Audit reporting has been separated and was presented in this manner to the August Executive Management Team and Audit Committee meetings.

New risk reports have been developed in PPRisk. These reports provide information on key risks and the management of these risks, changing risks, and lessons learnt. These reports will be made available to all City staff on a quarterly basis to improve risk communication and information.

Agreed Action: City officers will conduct a review to determine key areas of concern that should form part of regular risk reporting (i.e. fraud, safety, litigation, complaints). Based on the review, a process will be established to collect and present the data on a quarterly basis.

Owner: Risk and Assurance Officer
Due Date: 30 June 2021

Agreed Action: Risk reporting to be published on the intranet on a quarterly basis, a communications plan will be prepared to inform the organisation of this improvement.

Owner: Risk and Assurance Officer
Due Date: 31 Dec 2020

MEDIUM RATING

Finding 3 – Continue to integrate effective risk management practices in the City’s operational processes

Observations:

Through interviews and review of documentation, we have identified opportunities for improving the rigour of processes directly relating to management of risks such as legislative compliance, insurable risks, and fraud. For example:

• The City’s Legal Officer supports business unit managers by disseminating information on legislative or regulatory changes to relevant City staff. Managers are also responsible for monitoring and managing change that impacts the business unit

• There is limited process to confirm whether the City has taken appropriate action to maintain compliance of the City’s practices impacted by legislative or regulatory changes

• The risk management function is not included in decision-making for insurance renewals to ensure adequate coverage over insurable risks. However, the Financial Services and Rates business unit, as the responsible business area, works with managers and LGIS to ensure insurance coverage is adequate. This process does not feed back into operational risk registers

• There is no available analysis or reporting of fraud and misconduct events or trends

• The City’s Fraud and corruption control plan is focused on ‘what’ should be done rather than explaining ‘how’ it should be done. The plan does not explain how to report fraud, or how allegations will be handled, investigated and (if proven) remediated. It does not link to other relevant documents which may provide this information.

Increased potential for:

• Inconsistent and ineffective monitoring of risk practices increasing exposure to risk events (i.e. legislative compliance, fraud, insurable risk events)

• Failure to take appropriate action (e.g. prevention or mitigation of risk events)

• Inappropriate decision making based on gaps in understanding or knowledge.

Recommendations:

1. Establish a register identifying City personnel responsible for City practices aligned with legal and regulatory requirements and implement a process for monitoring their progress in reviewing and updating practices to appropriately address legislative or regulatory changes

2. Develop a process for the inclusion of risk information in decision making for insurance renewals

3. Review and update the Fraud and corruption control plan to provide more guidance on specific actions staff need to take should they identify a potential fraudulent action

4. Establish analysis and trend reporting on fraud and misconduct events, and integrate this into the reporting framework noted in Finding 2 Recommendation 1

MEDIUM RATING

Version: 1, Version Date: 17/11/2020Document Set ID: 6053849

Finding 3 – Continue to integrate effective risk management practices in the City’s operational processes (cont’d)

1. Management Response: Given the scale and variety of legislation applicable to Local Government, Business Unit Managers share the accountability for remaining abreast of changes to key legislation affecting the City’s business operations. It is noted that the auditors did not find specific examples of non-compliance.

Agreed Action: Establish a register identifying City personnel responsible for City practices aligned with legal and regulatory requirements and implement a process for monitoring their progress in reviewing and updating practices to appropriately address legislative or regulatory changes.

Owner: Manager Governance and Strategy Due Date: 31 March 2021

2. Management Response: The Financial Services and Rates business unit, as the responsible business area for COS insurance, works with business unit managers and LGIS to ensure insurance coverage is adequate. Insurance coverage is done in consultation with LGIS, based on the City’s and industry exposure to existing and emerging risks.

Agreed Action: The annual insurance renewal report and analysis will be presented to the Audit Committee and has been included in the Audit Committee Meeting Planner.

Owner: Manager Financial Services and Rates Due Date: 30 June 2021

3. Management Response: A review of the City’s approach to managing fraud and corruption was reported to the Audit Committee February 2020 meeting. Where the City’s integrity and conduct controls did not align with the OAG’s better practice principles, strategies to improve internal control have been recommended.

Agreed Action: Review the Fraud and Corruption Plan in line with the recommendations of the February Audit Committee report, implement actions considering finding 3, recommendation 3.

Owner: Manager Governance and Strategy Due Date: 30 June 2021

4. Agreed Action: This action will be addressed through finding 2, recommendation 1.

MEDIUM RATING

Finding 4 – Identify and review opportunities to improve the City’s risk culture

Observations:

• Risk Culture Survey results (Appendix H) indicate opportunities for improved risk culture. For example:

o 19% of respondents agreed “Employees at the City are penalised if they take unacceptable risks, even if their actions generate positive results” (Q14), suggesting there is a greater focus on the outcome than on the process, which may result in staff taking unacceptable risks (especially if they are not penalised for doing so)

o 33% of respondents agreed they are “…incentivised to appropriately manage risks within my area of responsibility” (Q15). We understand that staff are not incentivised to demonstrate appropriate risk behaviour and that risk management and behaviour are not included in periodic staff reviews

o 59% of respondents agreed “Executives/Managers/Team Leaders role-model the right risk and compliance behaviours” (Q17). No respondent disagreed with this statement; however, 41% of respondents answered “neutral”, suggesting there is opportunity for leaders to more clearly demonstrate and model appropriate risk behaviours

o 56% of respondents agreed “The City’s culture encourages staff to readily admit when they have made errors or mistakes; intentionally or unintentionally” (Q20). 15% of respondents disagreed with this statement. This suggests potential for staff to cover up errors, even if accidental.

Note: The risk culture survey was conducted at a high level. It is worth further work to identify some root causes of these issues e.g. misalignment between scorecards/KPIs and risk management, informal recognition / feedback from leaders does not encourage appropriate risk behaviour, people are rewarded for results, rather than the process they took to achieve the results.

Increased potential for:

• Staff misconduct

• Failure to effectively mitigate risks (i.e. if incidents are not reported)

• A poor risk culture demonstrated by mistrust.

Recommendations:

1. Identify opportunities for the City to improve risk culture.

Management Response: A key opportunity for the City to improve its risk culture will be through the implementation of the new performance planning and risk system.

It is anticipated that the new Risk reporting system will help heighten awareness of risk management processes at the City of Swan. Implementation of the new system will include face to face training, which will assist with education and understanding.

Agreed Action: Working with Human Resources – Learning and Development, consider an approach to deliver ongoing risk management training to the appropriate level of City workers.

Owner: Risk and Assurance Officer

Due Date: 30 June 2021

LOW RATING

Finding 5 – The City should improve training practices to better support employee knowledge and awareness of key requirements

Observations:

• While the City’s recruitment process is clearly documented and designed effectively, the City does not have a training matrix to identify role-based training requirements for employees

• There is no training on ethical decision making, and attendance at face-to-face risk training, conducted as part of risk review meetings, is not recorded

• While all but one risk culture survey respondent stated they understand the key risks associated with their role (Question 6), only 41% stated they “…have received appropriate training and support to meet my risk related responsibilities” (Question 8). Survey results also indicate a possible lack of understanding and confusion regarding risk ownership and responsibilities. One survey respondent indicated there was low general awareness of risk management basics, paradigms, and language at all levels within the City

• The City’s Training Completion report demonstrated instances of overdue training and potentially unscheduled training. For example:

o Of 364 employees listed for induction training, 46 with a ‘completed’ status of “FALSE” have due dates expiring more than 3 weeks prior to the report being generated (including due dates from 2014 to 2019), and six have no due date

o Of 774 records listed for code of conduct training, four have a ‘completed’ status of “FALSE” with due dates expiring more than 3 weeks prior to the report being generated (including due dates from 2016 to 2019).

Increased potential for:

• Staff not receiving adequate training to support effective performance and appropriate conduct when working for the City, resulting in ineffective or outdated practices being applied

• Exposing the City to fraud and health and safety risks.

Recommendations:

1. Develop a training matrix to identify training requirements and frequency for all roles across the City

2. Review current processes to capture current risk training

3. Review effectiveness of current mechanisms for monitoring and addressing overdue training

1 and 3. Management Response: This work is currently in progress.

An assessment of the City’s controls against the OAG’s Verifying Employee Identity and Credentials, Fraud Prevention in Local Government identified similar themes to this finding. Management are in the process of implementing actions to address these issues and will consider this recommendation as part of that work.

Agreed Action: Management to address the recommendation as part of the actions agreed in the OAG’s Verifying Employee Identity and Credentials, Fraud Prevention in Local Government and IT General Control audits.

Owner: Manager Human Resources Due Date: 30 June 2021

2. Management Response: New system training and annual risk review are part of education. New starters will be monitored to identify training needs. To be included in Finding 4, recommendation 1.

LOW RATING

Finding 6 – Improve the City’s IT Disaster Recovery Plan and testing

Observations:

We acknowledge that the City was able to respond to the Covid-19 disruption without significant issues. However, through documentation review we have identified the following in regard to the IT disaster recovery plan (DRP):

• The DRP does not include a testing plan. DRP testing is an important aspect of disaster recovery and provides the City an opportunity to test whether response and recovery strategies work and meet the needs of the City

• The DRP does not include a backup review to determine whether backup processes are effective in backing up required data. Data backup should be aligned to the recovery point objectives determined by the City

• Contact details for third parties or City staff are not included in the DRP. Should there be an IT related disruption, there may be time critical aspects for the City to address with key suppliers. If this information is not easily to hand, response and recovery may be delayed

• Recovery processes have not been prioritised to indicate which need to be protected or restored as a priority for the City’s operations and activities

• There is no clear plan for execution documented in the DRP.

Increased potential for:

• Delayed, incomplete, or ineffective response to a disruptive event which involves IT systems, equipment, suppliers, or information.

Recommendations:

1. Review and update the City’s IT DRP to address noted observations

1. Management Response: The City has already commenced reviewing and updating the City's IT Disaster Recovery Plan based on recommendations made in the OAG GCC audit 2020.

Agreed Action: The observations of this audit will also be incorporated into the new DRP.

Owner: Manager Information Services Due Date: 30 June 2021

LOW RATING

HIGH RATING

Finding 7 – Improve support to the Audit Committee to fully adhere to the requirements of Guidelines 9

Observations:

While the Audit Committee considers a large amount of information to support the City’s objectives, there is an opportunity to improve management reporting to better support the Committee’s monitoring role:

• The Audit Committee Terms of Reference (ToR) does not specify Audit Committee practices in regard to monitoring compliance programs (see Appendix F)

• Neither the ToR nor the code of conduct specifies that Audit Committee members must not misuse their position to gain an advantage for themselves

• While an Audit Committee meeting planner has been developed to support reporting to the Audit Committee, the following elements are not reported:

o Analysis/trends relating to complaints, fraud, misconduct, insurance claims, risk treatment actions, or close out of issues (i.e. to provide assurance that adverse trends are identified)

o Key risks facing the City and effectiveness of the risk management system (see also Finding 1)

o Results from BCP and ITDRP testing (see also Finding 6)

o Information to demonstrate adequacy of insurance coverage (e.g. summary of insurance coverage and aggregate claims information to monitor management of insurable risks) (see also Findings 3 and 10)

o Information to confirm the City has taken appropriate action to maintain compliance of the City’s practices impacted by legislative or regulatory changes (see also Finding 3)

o Information to support Audit Committee review of management disclosures in financial reports of the effect of significant compliance issues

Increased potential for:

• Poor decision making if required information is not provided

• Non-compliance or adverse outcomes due to limited oversight.

Recommendations:

1. Review and update the Audit Committee’s Terms of Reference to better align with Guidelines 9

2. Develop an appropriate suite of reports that need to go to the Audit Committee to support the requirements of Guidelines 9, and capture these in the Audit Committee meeting planner.

1. Management Response: The purpose of the Terms of Reference is to set out the roles and responsibilities of the Committee, not to identify what will be reported to the Committee. Items for the Audit Committee are identified through the Audit Committee Meeting Planner.

Agreed Action: Following the implementation of finding 1, recommendation 2, the Audit Committee Terms of Reference will be reviewed and updated.

Owner: Manager Governance and Strategy Due Date: 31 March 2021

2. Management Response: City officers have in the past kept reports to the Audit Committee focussed on key issues, including: implementation of the Audit Plan, the results of internal audits, the major law suits report and the results of any OAG audits. The new risk and audit system implementation will help to automate some additional reporting, which can be made available to the Audit Committee.

Agreed Action: This action will be addressed in Finding 2, recommendation 1.

MEDIUM RATING

Finding 8 – Business unit manager authorisation of invoice requisitions should be consistently applied

Observations:

• All invoice requisitions are required to be authorised by the business unit manager before transactions are posted to the accounting system by the management accounting team

• Testing (Appendix C) identified that tenant lease billings (invoices) have been raised based on the list/file supplied by the Facilities and Assets business unit without manager authorisation.

Increased potential for:

• Incorrect billing or fraudulent activity.

Recommendations:

1. Review and amend the current process so that the same management authorisation process applies to lease requisitions as to all other invoice requisitions before they are presented to Finance.

Management Response: The process in Facilities and Assets business unit has been changed to reflect the corporate invoicing process.

Agreed Action: Implemented. No further action.

Owner: Manager Financial Services & Rates

Finding 9 – The City should maintain a single source of truth for information regarding insurance claims and associated litigation

Observations:

The City has work instructions for Insurance Claim Review (IN-INS-24) which reference the Insurance Register – 19-20 and indicate it is reviewed fortnightly or weekly as needed. Our review of the Insurance Register – 19-20 Insurance Claims Index_JC (the register) demonstrated:

• A list of open claims includes many dating back over 5 years (“combined pl, isr, mv” tab)

• Blank expenditure entry cells in 95 of 134 open and closed incidents for FY19/20 (e.g. public liability, vehicle damage, theft)

• No “insurers claim number” in the 39 open and closed incidents from FY19/20 that had noted expenditure (e.g. relating to vehicle damage, property damage, theft, vandalism). These incidents without claim numbers represent a combined expenditure of ~$84,000.

The City has work instructions for the Major Law Suits Report (IN-INS-19). While the Audit Committee Meeting Agenda (11 February 2020) included detailed information on current major lawsuits, as expected from the above work instruction, we noted the following:

• The information in the Audit Committee Agenda was not reflected in the register

• The register contained limited information in the ‘Major Law Suit’ tab (e.g. reference numbers, key City contacts, case dates, current status, contact details, legal representatives)

• The work instruction does not reference the register.

Note: Neither of the abovementioned work instructions included a document review date or details of the document reviewer.

Increased potential for:

• Poor decision making if relying on inaccurate or incomplete information

• Increased claim costs if claims are not appropriately managed and reported

• Inappropriate insurance coverage if trends are not analysed and reported accurately.

Recommendations:

1. Review current City mechanisms for recording and updating insurance claims and litigation information.

Management Response: Staff changes left the insurance position unfilled and the registers unattended. Recent appointment to the position has given a strong focus on the process of updating systems and data.

Agreed Action: Implemented. No further action.

Owner: Manager Financial Services & Rates

MEDIUM RATING

Opportunity for Improvement – Leverage learnings from the Covid-19 response to update the City’s disruption response and recovery documentation

Observations:

We acknowledge that the City was able to respond to the Covid-19 disruption without significant issues. Through documentation review we have identified the following which present opportunities for improvement in the City’s Business Continuity practices:

• The City has a reactive rather than proactive risk-based approach to disruptive events

• While there is no critical incident management plan as would be expected (see Figure 4), we note elements are included in the incident response checklist in the IM&BCP document

• The business impact analysis (BIA) document was last reviewed in full in 2016. A review of technology impacts and requirements was completed in 2020 in response to Covid-19

• The IM&BCP document does not clarify who should notify the Incident Management Team or how, does not identify who the incident leader is (a critical role for activating the plan and establishing the City’s response), and does not include a process for standing the team down or deactivating the plan.

Recommendations:

1. Conduct annual reviews of BIA and BCP and update documentation as required.

Figure 4 – Disaster response and recovery timeline indicating relevant supporting documentation

Appendices

Appendix A – Documents examined

1. Fraud and corruption control plan
2. General computer controls audit report
3. Risk Management framework
4. Disaster recovery plan August 2017
5. Incident management plan
6. Risk management policy
7. Strategic risk register review - 2020
8. Audit committee terms of reference
9. Business impact analysis Mar 2020
10. Capital works process
11. Internal audit and risk management progress audit report
12. Internal audit and risk management report
13. Asset management policies
14. Risk management regulation 17 audit
15. Strategic asset management planning calendar
16. Strategic internal audit plan
17. Corporate reporting and measurement framework
18. LGPEP results summary
19. Local Government performance excellence program presentation
20. Local Government Performance Excellence Program
21. Quarterly performance review 2019-2020 Quarter 2
22. Strategic community plan
23. Legal status report April 2020
24. Policy and status management practice development and review
25. Provision of legal services email
26. Policy and management practice development and review
27. Public open space and community buildings policy review
28. Policy framework extract
29. Policy and corporate document framework
30. Managers forum 24 Sept 2019 minutes and agenda
31. Meeting agenda template – business unit
32. Cascading meeting framework
33. CEO feedback summary Jan 2020
34. CoS customer satisfaction framework
35. Customer service charter
36. Community wellbeing summaries
37. Operations summary – community wellbeing
38. Planning summary – community wellbeing
39. Stakeholder relations summary
40. City services quarterly report Jul 2019
41. Management practice – managing unreasonable complainant conduct
42. Compliments management policy
43. Complaint handling and management
44. Revised feedback management approach and flowcharts
45. Employee complaints process
46. Workplace enquiries and investigations FAQ’s
47. Just culture framework
48. Council policy – Procurement
49. Calling of public tenders process report
50. Calling of public expressions of interest process report
51. Procure to pay 5k-50k process report
52. Procure to pay 50k-100k process report
53. Procure to pay 100k-150k process report
54. Release of contract process report
55. Panel arrangement quotation under 150k process report
56. Panel arrangement quotation over 150k process report
57. Panel arrangement process report
58. Contract extension process report
59. Training completion spreadsheet
60. Audit process
61. CEO sign off form
62. Councillors code of conduct 2015
63. Disclosure of gifts form

Appendix A – Documents examined (cont’d)

64. Delegations COVID-19 EOI etc.
65. Delegations COVID-19 statutory planning
66. Delegation COVID-19 TRC
67. Guideline - Execution of city documents with JB amendments
68. Hospitality and entertainment (Staff)
69. Notifiable gift form
70. Council policy – Attendance at events (Councillors and CEO)
71. Council policy – Councillors allowance and expenses
72. Risk load asset management draft
73. Compliance Audit Return 2019
74. Temporary process for dealing with legal documents during COVID-19
75. Work instruction – Common Seal
76. Council Policy – Closed circuit television and video surveillance devices management
77. Request for a key – Contractor, Employee and Tenant
78. Request for a replacement access card
79. Request for security access card or alteration
80. Security risk and vulnerability assessment
81. SP&GF framework
82. Performance and development appraisals process report
83. Recruitment – HR engagement process report
84. Audit committee meeting agenda August 2019, February 2020
85. Audit committee meeting minutes October 2019, February 2020
86. Audit committee meeting supplementary agenda February 2020
87. Employee code of conduct
88. Process – Annual financial returns
89. Process – Primary financial returns
90. Disclosure of interest register from 01/01/2015
91. Conflicts of interest register (Employees)
92. Cash handling at leisure centres process report
93. Petty cash float recoups request
94. Request for petty cash < $100 or a cash advance > $100
95. Requesting a float till and petty cash
96. Annual report 2018 -19
97. Trial balance
98. Fraud attempt – Change of supplier details email correspondence
99. City of Swan operations centre – Progress Payment Certificate 7 email correspondence
100. Rescheduling payroll to my new bank account email correspondence
101. AP- Amending supplier details
102. Work instruction – Fraud Prevention & Detection
103. Work instruction – Fraud Detection & Action
104. Insurance register 2019-20
105. Equity network poster
106. Trust fund policy – Trust account notes
107. Credit card register as at 28/04/2020
108. Management practice – Workplace complaints, discrimination, harassment and bullying report
109. Local Government (Audit) Regulations 1996
110. Internal Audit for 2019/20 financial year email correspondence
111. Delegation of authority register
112. Financial delegations summary 01/04/2020
113. Financial delegations Technology One
114. Related party transactions and disclosures by key management personnel (KMP)
115. Delegation of authority register June 2019
116. Work instruction – Month end reporting files
117. Work instruction – Quarterly reporting files
118. Audit committee meeting planner
119. Requesting a corporate credit card process report
120. Requesting a purchasing credit card process report
121. Requesting a nominated corporate credit card process report
122. Operational risk register Feb 18
123. PPLGS risk and control spreadsheet

Appendix A – Documents examined (cont’d)

124. Work instruction – Invoice processing pathway
125. Work instruction – Credit Note Processing – Pathway
126. Work instruction – Debtors aged trial balance report
127. Work instruction – Library and out centre receipting
128. Work instruction – Daily banking, Bpay, Bpoint, Aus post
129. Work instruction – Leisure services receipting
130. Work instruction – Miscellaneous Revenue/Expenditure on Bank Statements
131. Work instruction – Bank reconciliation
132. Authorisation form – Executive managers – External funding
133. Approval process for grants under 5k
134. Signed full assessment panel report
135. SCFS approval process
136. Swan Community Funding Scheme
137. External Grants management manual
138. Insurance claim review process
139. Compilation of major lawsuits for the audit committee
140. Non scheme cover list
141. Scheme cover lists
142. LGIS City insurance cover summary
143. Work instruction – Insurance renewal process
144. PPLGS_Risk 100620 (2020 Major Review Fraud Risks)
145. Op Risk Register Feb 18 – Fraud
146. Full minutes 11 February (Audit Committee – 2020)
147. Disclosure of interests register – From 1 January 2015
148. Disclosure of interests forms (completed), with associated minutes, abridged minutes and annual return
149. City Services Quarterly Report – July 2019 – December 2019 (inc. complaints)
150. CEO feedback summary Feb 2020 and Mar 2020
151. Leadership and Employee Accountabilities v4 Aug 2019
152. Manager new hire checklist
153. City of Swan corporate induction
154. E-Learning module refresher
155. Community Safety BIA
156. Community Safety Business Continuity Management Project Analysis & Design
157. Community Safety BCP

Appendix B – Persons consulted

Name – Position

Tom Carmichael – Contracts and Procurement Officer
Patience Machaka – Senior Management Accountant
Vicky Galvao – Finance and Business Administrator
Tami Cooper – Risk and Assurance Officer
Daniela Krnjic – Coordinator Rating Services
Michelle Evans – Accounting Officer
Gavin McCarren – Acting Coordinator Financial Accounting
Amanda Albrecht – Manager Governance and Strategy
Wayne Sissing – Manager – Human Resources

Appendix C – Internal control results (Finance and Procurement)

Control tested (each control was tested against Sample 1, Sample 2, Sample 3, Sample 4 and Sample 5):

Debtor reconciliations
- Reconciliation is approved by the Senior Accountant
- Amount in the GL is reconciled exactly to Pathways

Rates, fees and charges
- The rates, fees or charges are matched to the annual budget
- The rates, fees and charges are checked by the preparer, coordinator and manager

Revenue recognition
- Invoice requisition is signed by both internal client and business unit manager
- The invoice is accompanied with supporting documentation
Note: Finding 9

Transfer of funds between municipal and trust funds
- The transfer of funds request is prepared by financial accounting
- The transfer is sent via email to the coordinator for approval
- Management accounting team approval is needed
- Journal entry is posted in the correct account

Purchase transactions and tenders
- Purchase orders have coordinator approval
- Evaluation forms have quotations and tenders listed
- Information on evaluation forms is correct

Credit card policy and approval process
- Application is approved by the CEO
- Finance and Business Administrator acknowledges receipt of card in register
- Applicant signs the acceptance of the card

Manual journal entries
- Journals are approved by the management accounting team
- No journals raised by the management accounting team are approved by the preparer

Appendix D: Risk management requirements

The table below details the Risk Management requirements outlined in the Department of Local Government and Communities’ Operational Guidelines Number 09 (Page 18, Appendix 3), and notes whether or not the City has effective practices in place (Effective: Yes / Partial / No).

1. The City has an effective risk management system and material operating risks to the City are appropriately considered. Note: Please refer to Finding 1

2. The City has a current and effective business continuity plan (including disaster recovery) which is tested from time to time. Note: Please refer to Finding 6

3. The City has internal processes for determining and managing material operating risks in accordance with their tolerance for risk, particularly in the following areas:

a – potential non-compliance with legislation, regulations and standards and the City’s policies. Note: Please refer to Finding 3

b – important accounting judgements or estimates that prove to be wrong

c – litigation and claims. Note: Please refer to Finding 10

d – misconduct, fraud and theft. Note: Please refer to Finding 3

e – significant business risks, recognising responsibility for general or specific risk areas, for example, environmental risk, occupational health and safety, and how they are managed by the local government. Note: Please refer to Findings 1 & 2

4. The City obtains regular risk reports, which identify key risks, the status and the effectiveness of the risk management systems, to ensure that identified risks are monitored and new risks are identified, mitigated and reported. Note: Please refer to Finding 2

5. The City assesses the adequacy of processes to manage insurable risks and ensure the adequacy of insurance cover, and if applicable, the level of self-insurance. Note: Please refer to Finding 3

6. The City reviews the effectiveness of their internal control system with management and the internal and external auditors

7. The City assesses whether management has controls in place for unusual types of transactions and/or any potential transactions that might carry more than an acceptable degree of risk

8. The City assesses their procurement framework with a focus on the probity and transparency of policies and procedures/processes and whether these are being applied

9. As required, the City’s risk staff meet periodically with key management, internal and external auditors, and compliance staff, to understand and discuss any changes in their control environment

10. The City ascertains whether fraud and misconduct risks have been identified, analysed, evaluated, have an appropriate treatment plan which has been implemented, communicated, monitored and there is regular reporting and ongoing management of fraud and misconduct risks. Note: Please refer to Finding 3

Version: 1, Version Date: 17/11/2020. Document Set ID: 6053849


© 2020 Deloitte Risk Advisory Pty Ltd (DRAFT)

Appendix E: Internal control requirements

The table below details the internal control requirements outlined in the Department of Local Government and Communities' Operational Guidelines Number 09 (Page 18, Appendix 3), and notes whether or not the City has effectively designed controls. In the extracted table an "o" marks a Partial rating and an "x" a No rating; rows with neither marker and no finding are read as Yes.

| # | Internal control (Operational Guidelines Number 09, Page 18, Appendix 3) | Effective | Note |
|---|---|---|---|
| 1 | Systems, policies and processes to safeguard assets | Yes | |
| 2 | Systems, policies and processes to ensure financial reporting is accurate and reliable | Yes | |
| 3 | Systems, policies and processes to promote compliance with legislation | Partial | See Finding 3 |
| 4 | Systems, policies and processes to support effective and efficient operations | Yes | |
| 5 | Human resource management and practices | Yes | |
| 6 | Delegation of authority | Yes | |
| 7 | Documented policies and procedures and effective policy and process review | Partial | See Findings 4 & 10 |
| 8 | Trained and qualified employees | Partial | See Finding 5 |
| 9 | System controls | Yes | |
| 10 | Regular internal audits | Yes | |
| 11 | Documentation of risk identification and assessment | Partial | See Findings 1 & 2 |
| 12 | Regular liaison with auditor and legal advisors | Yes | |
| 13 | Separation of roles and functions, processing and authorisation | Partial | See Finding 9 |
| 14 | Control of approval of documents, letters and financial records | Partial | See Finding 8 |
| 15 | Comparison of internal data with other or external sources of information | Yes | |
| 16 | Limit of direct physical access to assets and records | Yes | |
| 17 | Control of computer applications and information system standards | Yes | |
| 18 | Limit access to make changes in data files and systems | Yes | |
| 19 | Regular maintenance and review of financial control accounts and trial balances | Yes | |
| 20 | Comparison and analysis of financial results with budgeted amounts | Yes | |
| 21 | The arithmetical accuracy and content of records | Yes | |
| 22 | Report, review and approval of financial payments and reconciliations | Yes | |
| 23 | Comparison of the result of physical cash and inventory counts with accounting records | Yes | |


Appendix F: Legislative compliance requirements

The table below details the legislative compliance requirements outlined in the Department of Local Government and Communities' Operational Guidelines Number 09 (Page 18, Appendix 3). Audit committee practices in regard to monitoring compliance programs typically include the elements listed. In the extracted table an "o" marks a Partial rating and an "x" a No rating; rows with neither marker and no finding are read as Yes.

| # | Legislative compliance practice (Operational Guidelines Number 09, Page 18, Appendix 3) | Effective | Note |
|---|---|---|---|
| 1 | Monitoring compliance with legislation and regulations | No | See Finding 7 |
| 2 | Reviewing the annual Compliance Audit Return and reporting to Council the results of that review | Yes | |
| 3 | Staying informed about how management is monitoring the effectiveness of its compliance and making recommendations for change as necessary | Partial | See Finding 7 |
| 4 | Reviewing whether the local government has procedures for it to receive, retain and treat complaints, including confidential and anonymous employee complaints | No | See Finding 7 |
| 5 | Obtaining assurance that adverse trends are identified and reviewing management's plans to deal with these | No | See Finding 7 |
| 6 | Reviewing management disclosures in financial reports of the effect of significant compliance issues | No | See Finding 7 |
| 7 | Reviewing whether the internal and/or external auditors have regard to compliance and ethics risks in the development of their audit plan and in the conduct of audit projects, and report compliance and ethics issues to the audit and risk committee | Yes | |
| 8 | Considering the internal auditor's role in assessing compliance and ethics risks in their plan | Yes | |
| 9 | Monitoring the local government's compliance frameworks and dealing with relevant external legislation and regulatory requirements | No | See Finding 7 (NB: this also relates to Risk Management requirement 3a in Appendix D, which is rated partially effective; see Finding 3) |
| 10 | Complying with legislative and regulatory requirements imposed on audit and risk committee members, including not misusing their position to gain an advantage for themselves or another or to cause detriment to the local government, and disclosing conflicts of interest | Partial | See Finding 7 |


Appendix G: Risk Culture Survey Questions

A Risk Culture Survey was sent to 34 randomly selected City staff (Team Leaders and above). 27 responses were received. The 20 numbered questions below were presented with the response options Strongly agree, Agree, Neutral, Disagree, Strongly disagree and I don't know. In addition, a free text field was provided for respondents wishing to expand on their answers.

Respondent profile questions (unnumbered):

- How long have you worked for the City?
- Do you have specific responsibilities within the City's risk management program?
- Are you a risk owner?
- What level is your role?

Survey questions:

Q1 I am aware of the objectives of the City's risk management program and my responsibilities
Q2 I know where to access the City's risk management policy
Q3 I have read and understood the City's risk management procedures, particularly how they relate to me and my role
Q4 Senior Management reviews and communicates risk management practices across the City to ensure the City effectively manages risks
Q5 The people I work with have a good understanding of how risks are identified and managed at the City
Q6 I understand the key risks associated with my role
Q7 I have been asked my opinion as to the relevance and accuracy of key risks related to my role
Q8 I have received appropriate training and support to meet my risk related responsibilities
Q9 We assess and learn from risk events and mistakes when they occur at the City
Q10 We actively share good practices to manage risks across the organisation
Q11 I am encouraged to escalate potential risks to my line manager
Q12 Staff feel confident to report risk and compliance concerns without penalty
Q13 The pressure to meet performance targets negatively impacts the way the City manages its risks
Q14 Employees at the City are penalised if they take unacceptable risks, even if their actions generate positive results
Q15 I am incentivised to appropriately manage risks within my area of responsibility
Q16 I am comfortable consulting with others about potential risks in my area of responsibility
Q17 Executives/Managers/Team Leaders role-model the right risk and compliance behaviours
Q18 The City's risk management processes help the City achieve its strategic objectives
Q19 The identification and assessment of risks are taken very seriously by the City's employees
Q20 The City's culture encourages staff to readily admit when they have made errors or mistakes, intentionally or unintentionally


Appendix H: Risk Culture Survey Responses

The chart below represents 27 responses from invitations sent to 34 City staff. The questions are provided in full in Appendix G.*

* Q13 is an inverse question. It shows only 3 negative responses.

[Chart: one stacked horizontal bar per survey question (1 to 20, as listed in Appendix G), showing the share of responses in each category on a 0% to 100% axis. Legend: Strongly agree, Agree, Neutral, Disagree, Strongly Disagree, I Don't Know, No Answer.]


Inherent Limitations

The Services provided are advisory in nature and have not been conducted in accordance with the standards issued by the Australian Auditing and Assurance Standards Board and consequently no opinions or conclusions under these standards are expressed.

Because of the inherent limitations of any internal control structure, it is possible that errors or irregularities may occur and not be detected. The matters raised in this report are only those which came to our attention during the course of performing our procedures and are not necessarily a comprehensive statement of all the weaknesses that exist or improvements that might be made.

Our work is performed on a sample basis; we cannot, in practice, examine every activity and procedure, nor can we be a substitute for management’s responsibility to maintain adequate controls over all levels of operations and their responsibility to prevent and detect irregularities, including fraud.

Any projection of the evaluation of the control procedures to future periods is subject to the risk that the systems may become inadequate because of changes in conditions, or that the degree of compliance with them may deteriorate.

Recommendations and suggestions for improvement should be assessed by management for their full commercial impact before they are implemented.

We believe that the statements made in this report are accurate, but no warranty of completeness, accuracy, or reliability is given in relation to the statements and representations made by, and the information and documentation provided by City of Swan personnel. We have not attempted to verify these sources independently unless otherwise noted within the report.

Confidentiality

This document and the information contained in it is confidential and should not be used or disclosed in any way without our prior consent.

Limitation of Use

This report is prepared solely for the information and internal use of the City of Swan in accordance with our terms of reference dated 13 May 2020, and is not intended to be and should not be used by any other person or entity. No other person or entity is entitled to rely, in any manner, or for any purpose, on this report. We do not accept or assume responsibility to anyone other than the City of Swan for our work, for this report, or for any reliance which may be placed on this report by any party other than the City of Swan.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited ("DTTL"), its global network of member firms, and their related entities (collectively, the "Deloitte organisation"). DTTL (also referred to as "Deloitte Global") and each of its member firms and related entities are legally separate and independent entities, which cannot obligate or bind each other in respect of third parties. DTTL and each DTTL member firm and related entity is liable only for its own acts and omissions, and not those of each other. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.

Deloitte is a leading global provider of audit and assurance, consulting, financial advisory, risk advisory, tax and related services. Our network of member firms in more than 150 countries and territories serves four out of five Fortune Global 500® companies. Learn how Deloitte's approximately 286,000 people make an impact that matters at www.deloitte.com.

Liability limited by a scheme approved under Professional Standards Legislation.

Member of Deloitte Asia Pacific Limited and the Deloitte organisation.

© 2020 Deloitte Risk Advisory Pty Ltd.
