Local government has been described as a ‘place-shaper’ because it plays an important role in meeting the needs of its community. Councils deliver a wide range of services to their local community (local rate payers and residents) as well as to the broader community (visitors) who use their parks, amenities, roads, pools and beaches. For regional councils, economic development is another important role that is predominantly concerned with enhancing the prosperity and wellbeing of people and businesses within the local government area.
Councils work within a myriad of laws and regulatory frameworks. They must not only comply with laws that apply to most other organisations, but often have to comply with and, in some cases, enforce specific laws and regulations. With mounting pressure for Councils to meet the changing legal environment and stakeholder expectations and address a rapidly evolving set of emerging risks, it is fast becoming a game of catch-up. To see some of these challenges, check out our article Most Common Control Weaknesses in Top 10 Local Government Audit Areas. The top 10 audit areas listed are likely to remain high risk for councils in the immediate future, and they are all likely to continue to appear on many Councils’ 3-Year Internal Audit Plans.
The audits of tomorrow
As a leading provider of internal audit services to local government serving over 90 NSW Councils, we wanted to look into our ‘crystal ball’, and with some help from the Auditor-General for New South Wales, predict what the audits of tomorrow could look like…well, at least the higher priority audits over the next 2-3 years! Hopefully, our list can serve as a quick reference guide for Council’s Leadership Team, Chief Audit Executives and members of the Audit and Risk Improvement Committee.
1. Business continuity planning
Many services delivered by Councils are essential to the economic and social well-being of the community—a failure to deliver these could have significant consequences. Whilst we believe an effective business continuity plan is always important, it is not likely we will see an end to COVID-19 cases anytime soon, so it is important that councils have effective business continuity planning to deal with the ‘new normal’. The NSW Auditor-General has also targeted this area over the next 12 months. Does your Council have these policies and practices in place?
- Business Continuity Policy and Framework
- Business continuity planning to deal with a range of plausible disruption scenarios
- A risk assessment including a business impact analysis
- Supporting sub-plans covering specific disruptions e.g. Pandemic Response, IT Disaster Recovery, Data Breach Response Plan
- Formal training of crisis management team
- Regular exercises covering various stages of the plan and sub-plans
- Regular review and update of the plans and disruption risks
2. IT Disaster recovery planning
Most of the activities performed and services delivered by Councils rely on information and communication technology—a failure or extended outage of information systems will disrupt delivery of key services. While IT is already a focus of audit, its significance continues to grow and so does the need for validated policies and practices. The worst time to find out that your disaster recovery plans have gaps and weaknesses in them is when you really, really need them and you need to restore data quickly. Check to see that your council has these policies and practices in place.
- A formal IT Disaster Recovery Plan to outline specific responsibilities and steps in recovering critical business systems
- Alignment between the IT Disaster Recovery Plan and other sub-plans
- A risk assessment of system fail points and mitigating controls
- Identification of critical third party dependencies
- Regular component testing including both tabletop exercises and functional exercises
- Regular review and update of the IT Disaster Recovery Plan
3. Cyber security
According to information technology industry research, Australia is one of the world’s most hacked countries, coming in at equal sixth as a target of “significant” cyber-attacks. In June 2020, Prime Minister Scott Morrison called a snap press conference to warn that Australian Government organisations are under persistent cyber-attack from a state-based actor. There has been an increase in phishing and spear phishing email attempts during the COVID-19 pandemic.
Councils hold very important and often sensitive personal information that, if in the wrong hands, could result in identity theft. Also, some regional councils maintain essential water and sewage infrastructure and even communications infrastructure essential for emergency services. Has your Council:
- Conducted a risk assessment to identify the various cyber threats
- Developed well documented governance protocols, policies and procedures
- Implemented effective ‘layers’ of controls to protect information e.g. password policy
- Developed systems to monitor, detect, contain and respond to attacks and intrusions
- Developed procedures and plans to recover data and systems
4. IT General Controls
IT General Controls (ITGCs) are defined as controls, other than application controls, that relate to the environment within which computer-based application systems are developed, maintained and operated, and are therefore applicable to all business applications. The objective of ITGCs is to ensure the integrity of the data and processes that the applications support. Another area that is currently in the sights of audit, ITGCs will continue to become a more crucial aspect of Council operations. So what are the most common ITGCs that Council should ensure are in place and working effectively?
- Logical access controls over applications, data and supporting infrastructure
- Program change management controls
- Backup and recovery controls
- Computer operation controls
- Data centre physical security controls
- Information technology governance
- System development life cycle controls
5. Management of major projects
One of the most significant areas of expenditure for a typical Council is major infrastructure projects. Small, large, simple or complex, every project has a range of inherent risks. So in order to manage projects to a successful outcome, project managers must understand the risks and mitigate them effectively. Why do projects fail and where are the key challenges?
- Unclear project specifications or requirements
- Poor stakeholder engagement
- Incorrect or unreasonable assumptions across the project – financial, deliverables, scheduling, timing etc.
- Change of scope or requirements – scope creep
- Unforeseen circumstances such as a failure of a contractor, supply chain disruption, severe weather, worksite safety incident, loss of key person or other ‘Acts of God’
- Poor project governance or lack of an effective project management office
Specifically, the NSW Auditor-General has identified road asset maintenance as an audit area in the next 3 years.
6. Third-party vendor risk management
In an attempt to gain greater efficiency and reduce cost, it is common for councils to use third parties. As the extended enterprise grows and Councils rely on more third parties, relationships can become more complex and the ability to manage third-party relationships becomes even more critical. Managing risks that arise from third-party relationships is important for protecting and securing against a wide range of risks. Third parties should be seen as part of council… remember that outsourcing the activity does not outsource the risks. Without comprehensive due diligence, outsourcing could in fact introduce risks that otherwise would not exist, such as exposure to third- or fourth-party networks or devices. So what do the key steps in the third-party risk assessment process include?
- Identifying potential risks inherent in third-party relationships
- Classifying third parties according to their criticality to your activities, systems, networks, and data
- Reviewing service level agreements (SLAs) to ensure that your vendors perform as expected
- Determining the compliance requirements that apply to you and ensuring your vendors meet the same level
- Regularly sending vendors third-party risk assessment questionnaires
- Periodically conducting audits of select vendors, including potential on-site visits, to confirm the answers to their questionnaires
- Continuously monitoring for changes in their environment as well as changes to regulations
7. Long term sustainability, financial planning and budgeting
Local Government is governed by state legislation that requires Councils to prepare a series of plans which describe and forecast future activities. Corporate planning is one of many tools that governments have adopted to improve responsiveness and ensure scarce resources are employed efficiently and effectively. In NSW, the Local Government Amendment (Planning and Reporting) Act (2009) mandated strategic community planning and required Councils to adopt robust financial planning and reporting practices. Councils should ensure:
- Alignment between all elements of the Integrated Planning and Reporting Framework (IPR) – internal plans
- The Community Strategic Plan considers the State Plan and other relevant state and regional plans – external plans
- The IPR process is subject to continuous improvement
- Elected representatives, council officers and the community all play an important role in the process
- The plans, whilst they can be aspirational, are operational and support a delivery program
- Annual and periodic reports are accurate and reflect the current status
In addition, the NSW Auditor-General has identified annual charges, the development assessment process, city deals and the coordination of agencies in precinct planning as audit areas in the next 3 years.
8. Time and attendance management
With more people working from home during COVID-19, there is a higher risk of timesheet and payroll related fraud. There is an increasing need to develop platforms to better monitor the time and attendance of staff. In 2018, the Auditor-General for New South Wales identified 123 control weaknesses related to payroll processes. These are some of the common control weaknesses that will persist without changes to our new working culture:
- No review of changes made to the employee masterfile
- No review of payroll reports and timesheets
- Reconciliations not prepared or reviewed
- Lack of processes in place to reduce excessive leave balances
How much assurance is enough? Our list is not exhaustive and there are many other areas that will be important for some councils to review over the next 3 years.
Unfortunately, even the best environmental scans and our ‘crystal ball’ are not perfect. Council’s Leadership Team and Chief Audit Executives will also need to rely on their deep understanding of their organisation, culture, processes and intuition to foresee audit areas that need more attention over the next 12-36 months. Richard Chambers, president and CEO of The Institute of Internal Auditors once recommended that auditors ‘follow the risk’, that is, if they can’t audit everything, then they had better audit the systems, processes, controls, or risks that can inflict the most damage.
There is an increasing expectation from stakeholders to be able to verify that a council has the appropriate policies and practices in place. For Council Officers: don’t wait until internal audit comes knocking. Start looking closely at your own policies, procedures and risk registers, as Internal Audit will be responsible for testing and providing assurance that controls are working effectively.
How we can help
InConsult is committed to helping organisations better understand the benefits of internal audit. We have extensive experience in internal auditing, risk management, cyber security, crisis management, business continuity, emergency management, disaster management and pandemic planning.
If you would like to know more about our internal auditing services, contact us to discuss your needs.