IPSWICH CITY COUNCIL
AGENDA of the Audit and Risk Management Committee
Held in the Cunningham Room, Ipswich Civic Centre
Corner Nicholas and Limestone Streets
IPSWICH QLD 4305
On Wednesday, 19 August 2020
from 1.00 pm to 3.30 pm
MEMBERS OF THE Audit and Risk Management Committee
External member - Robert Jones (Chairperson)
External member - Martin Power
External member - Annette Quayle
Deputy Mayor Marnie Doyle
Councillor Nicole Jonic
Audit and Risk Management Committee Meeting Agenda |
19 August 2020 |
Audit and Risk Management Committee AGENDA
1.00 pm to 3.30 pm on Wednesday, 19 August 2020
Cunningham Room, Ipswich Civic Centre
| Item No. | Item Title |
| 1 | Report - Audit and Risk Management Committee No. 2020(02) of 20 May 2020 |
| 2 | **Outstanding actions |
| 3 | **Queensland Audit Office Briefing Paper |
| 4 | **Internal Audit Branch Activities Report for the period 11 May 2020 to 5 August 2020 |
| 5 | Report - Risk ELT Meeting No. 2020(03) of 17 June 2020 |
| 6 | **Insurance and Risk Management Update |
| 7 | Maturing and strengthening of Council's governance, internal controls and compliance |
| 8 | **Draft Unaudited 2019-2020 Annual Financial Statements |
| 9 | **2019-2020 Lost and Stolen Items Report |
| 10 | Report on Complaints Management, Information Privacy and Right to Information Compliance |
| 11 | Minutes from the ICT Steering Committees from April to June 2020 |
| 12 | Update on Ipswich CBD Redevelopment Project |
| 13 | ICT Platform Project - Update |
| 14 | People and Culture update - progress of the implementation of the People and Culture Strategic Plan 2019 - 2021 |
| 15 | Protecting the personal information of our customers and employees |
| 16 | Conflicts of Interest for Employees |
| 17 | ICT Branch Governance and Controls Framework |
| 18 | Transparency and Integrity Hub Implementation Report |
| 19 | Next Meeting |
| 20 | General Business |
| 21 | Private Session of Member (if required) |
** Item includes confidential papers
Audit and Risk Management Committee NO. 3
19 August 2020
AGENDA
1. Report - Audit and Risk Management Committee No. 2020(02) of 20 May 2020
This is the report of the Audit and Risk Management Committee No. 2020(02) of 20 May 2020 which was presented to the Council Ordinary Meeting of 26 May 2020.
Recommendation
That the report be received and the contents noted.
2. **Outstanding actions
This is a report concerning the outstanding actions associated with the following committees:
Audit and Risk Management Committee
Risk ELT Committee
Risk – Infrastructure and Environment Committee
Risk – Corporate Services Committee
Risk – Co-ordination and Performance Committee
Risk – Planning and Regulatory Services Committee
Risk – Community, Cultural and Economic Development Committee
Recommendation
That the report be received and the contents noted.
3. **Queensland Audit Office Briefing Paper
This is a report concerning a briefing paper presented by the Queensland Audit Office.
Recommendation
That the report be received and the contents noted.
4. **Internal Audit Branch Activities Report for the period 11 May 2020 to 5 August 2020
This is a report concerning the activities of Internal Audit undertaken during the above mentioned period and the current status of these activities.
Recommendation
That the report be received, considered and the recommendations in Attachments 3, 4 and 5, be considered finalised and archived.
5. Report - Risk ELT Meeting No. 2020(03) of 17 June 2020
This is the report of the Risk ELT Meeting No. 2020(03) of 17 June 2020.
Recommendation
That the report be received and the contents noted.
6. **Insurance and Risk Management Update
This is a report concerning Council’s insurance statistics for the period 1 April 2020 to 30 June 2020 and an update on risk management.
Recommendation
That the report on Council’s insurance statistics for the period 1 April 2020 to 30 June 2020 and the update on risk management be received and the contents noted.
7. Maturing and strengthening of Council's governance, internal controls and compliance
This is a report concerning the maturing and strengthening of Council’s governance, internal controls and compliance. Council is progressively maturing and strengthening its governance, internal controls and compliance with the broad range of legislative, policy and procedural obligations upon it. Council’s investment and focus in these critical areas has been strengthened significantly in recent years.
This report offers an update on current initiatives and actions to mature governance and document and strengthen internal controls.
Recommendation
That the Audit and Risk Management Committee (ARMC) note the actions and initiatives being scoped and implemented to mature and strengthen Council’s governance, internal controls and compliance.
8. **Draft Unaudited 2019-2020 Annual Financial Statements
This is a report concerning the draft unaudited 2019-2020 Annual Financial Statements.
Recommendation
That the draft unaudited 2019-2020 Annual Financial Statements as detailed in Attachment 1 to the report be received and noted.
9. **2019-2020 Lost and Stolen Items Report
This is a report concerning assets/items reported to the Finance Branch as suspected of being stolen during the financial year ended 30 June 2020.
Recommendation
That the report be received and the contents noted.
10. Report on Complaints Management, Information Privacy and Right to Information Compliance
This is a report concerning performance in relation to Council’s legislative compliance in the management of complaints, Right to Information and Information Privacy for the period 1 April 2020 to 30 June 2020 (the Quarter).
Recommendation
That the report on complaints management and Information Privacy and Right to Information compliance for the period 1 April 2020 to 30 June 2020 be received and the contents noted.
11. Minutes from the ICT Steering Committees from April to June 2020
This is a report concerning the minutes from the ICT Steering Committee (ICTSC) meetings held between April and June 2020.
Recommendation
That the Audit and Risk Management Committee (ARMC) note the minutes from the Information and Communication Technologies Steering Committee (ICTSC) meetings held between April and June 2020.
12. Update on Ipswich CBD Redevelopment Project
This is a report concerning the risk management for the Ipswich Central Redevelopment project. At a high level, the construction is progressing well with practical completion achieved for the new library and civic space. The administration building is progressing ahead of schedule and on budget.
The retail components of the project continue to pose a significant risk for Council which is compounded by the current economic impacts of COVID-19.
Recommendation
That the report be received and the contents noted.
13. ICT Platform Project - Update
This is a report concerning the status of the Information and Communication Technologies (ICT) Platform Project to implement a significantly improved technology platform for Ipswich City Council.
Recommendation
That the report concerning the status of the Information and Communication Technologies (ICT) Platform Project to implement a significantly improved technology platform for Ipswich City Council be received and the contents noted.
14. People and Culture update - progress of the implementation of the People and Culture Strategic Plan 2019 - 2021
This is a report concerning progress in the implementation of the People and Culture Strategic Plan 2019-2021.
Recommendation
That the progress in the implementation of the People and Culture Strategic Plan 2019-2021 be noted by the Audit and Risk Management Committee.
15. Protecting the personal information of our customers and employees
This is a report to the Audit and Risk Management Committee providing information on how Ipswich City Council protects the personal information of customers and employees in accordance with the Information Privacy Act 2009.
Recommendation
That the report to the Audit and Risk Management Committee providing information on how Ipswich City Council protects the personal information of customers and employees in accordance with the Information Privacy Act 2009 be noted.
16. Conflicts of Interest for Employees
This is a report concerning Council’s Conflicts of Interest for Employees framework.
Recommendation
That the report be received and the contents noted.
17. ICT Branch Governance and Controls Framework
This is a report concerning the status and focus areas for development in the Information and Communication Technologies (ICT) governance controls framework.
Recommendation
That the Audit and Risk Management Committee note the key elements of the Information and Communication Technologies governance controls framework and the ongoing focus areas for improvement.
18. Transparency and Integrity Hub Implementation Report
This is a report providing an update on the implementation of the Transparency and Integrity Hub (Hub) in line with Council’s resolution on 27 April 2020. The Hub was successfully implemented by Council on 1 July 2020. The direct cost of the implementation of the Hub with the contracted service delivery partner, Redman Solutions, was $189,687. An additional $57,800 was expended in order to undertake necessary due diligence in the implementation of the Hub, including the gathering of advice and the costs of an independent Privacy Impact Assessment (PIA).
Recommendation
That the Audit and Risk Management Committee receive and note the report on the implementation of the Transparency and Integrity Hub in line with Council’s resolution of 27 April 2020 and note that the Hub was successfully implemented on 1 July 2020.
19. NEXT MEETING
The next meeting is scheduled for Wednesday, 7 October 2020.
20. GENERAL BUSINESS
21. PRIVATE SESSION OF MEMBER (IF REQUIRED)
** Item includes confidential papers
and any other items as considered necessary.
ITEM: 1
SUBJECT: Report - Audit and Risk Management Committee No. 2020(02) of 20 May 2020
AUTHOR: Administration Officer
DATE: 10 August 2020
This is the report of the Audit and Risk Management Committee No. 2020(02) of 20 May 2020 which was presented to the Council Ordinary Meeting of 26 May 2020.
That the report be received and the contents noted.
1. Audit and Risk Management Committee Report No. 2020(02) of 20 May 2020
ITEM: 2
SUBJECT: Outstanding actions
AUTHOR: Committee Manager
DATE: 10 August 2020
This is a report concerning the outstanding actions associated with the following committees:
Audit and Risk Management Committee
Risk ELT Committee
Risk – Infrastructure and Environment Committee
Risk – Corporate Services Committee
Risk – Co-ordination and Performance Committee
Risk – Planning and Regulatory Services Committee
Risk – Community, Cultural and Economic Development Committee
That the report be received and the contents noted.
Not applicable
Listening, leading and financial management
This report provides an update as to current outstanding actions associated with the various risk committees operating within council.
This report and its recommendations are consistent with the following legislative provisions:
Not Applicable
Actions exist so that there is a record of matters that council has resolved. The actions exist as a way to ensure these tasks are undertaken.
Not applicable.
Not applicable.
The outstanding actions listing has been compiled as a record of actions still outstanding.
CONFIDENTIAL
1.
Vicki Lukritz
Committee Manager
I concur with the recommendations contained in this report.
Wade Wilson
Manager Executive Services
I concur with the recommendations contained in this report.
Sean Madigan
General Manager - Coordination and Performance
“Together, we proudly enhance the quality of life for our community”
ITEM: 3
SUBJECT: Queensland Audit Office Briefing Paper
AUTHOR: Committee Manager
DATE: 10 August 2020
This is a report concerning a briefing paper presented by the Queensland Audit Office.
That the report be received and the contents noted.
Ipswich City Council
Queensland Audit Office
Listening, leading and financial management
The Queensland Audit Office have presented this paper for the information of the Audit and Risk Management Committee.
This report and its recommendations are consistent with the following legislative provisions:
Not applicable
Not applicable
There are no financial or resource implications.
No consultation has been undertaken in relation to this report.
The Queensland Audit Office have presented a briefing paper for the information of the Audit and Risk Management Committee.
CONFIDENTIAL
1.
Vicki Lukritz
Committee Manager
I concur with the recommendations contained in this report.
Wade Wilson
Manager Executive Services
I concur with the recommendations contained in this report.
Sean Madigan
General Manager - Coordination and Performance
ITEM: 4
SUBJECT: Internal Audit Branch Activities Report for the period 11 May 2020 to 5 August 2020
AUTHOR: Chief Audit Executive
DATE: 5 August 2020
Executive Summary
This is a report concerning the activities of Internal Audit undertaken during the above mentioned period and the current status of these activities.
Recommendation/s
That the report be received, considered and the recommendations in Attachments 3, 4 and 5, be considered finalised and archived.
RELATED PARTIES
Not applicable
Ipswich City Council Strategic Objectives
• We want to be recognised as leaders in good governance and accountability.
• We want our natural environment to be preserved and protected.
• We aim to create a community which has access to jobs and economic opportunities now and in the future.
• We desire a community which is cohesive, vibrant and resilient.
• We wish to achieve a thriving city centre which benefits communities across the city.
Individual internal audits and corrupt conduct investigations will, to a varying degree, support these themes, but the main objective for Internal Audit is to support the organisation in achieving its objectives.
Purpose of Report/Background
The purpose of this report is to keep the Audit and Risk Management Committee (ARMC) informed on a quarterly basis and to report on performance of the Internal Audit Branch:
| Title of section, feedback or report provided in the section below | Included in quarter |
| Report the status of the audits currently under way | Yes |
| Summary of the general activities of the Internal Audit Branch | Yes |
| Finalised recommendations for Audit and Risk Management Committee closure | Yes |
| Report the status of open and overdue audit recommendations from completed audits | Yes |
| Summary of recent internal audits completed and reports issued | Yes |
| Progress of the Annual Internal Audit Plan (every May) | No |
| New Annual Internal Audit Plan including the Strategic Three Year Plan (every May) | No |
| Annual Performance Report and Assertion on Internal Audit Standards (every August) | Yes |
Supplying this information to the Audit and Risk Management Committee is a requirement of the Internal Audit Charter.
Status of audits underway and finalised - Internal Audit Report Register (Attachment 1)
This is a historic register recording the reference number of formal reports produced, audits commenced, report status and date completed for the last number of years.
Internal Audits, Reviews, Projects, Investigations and Activities Update (Attachment 2)
This is a report on audits, reviews, projects and internal audit activities that were conducted during the period or in progress during the above mentioned period of the report.
Audit Recommendations finalised by ARMC (Attachments 3, 4 and 5)
Extracted from the Audit Recommendations System, these reports list all Internal and External Audit recommendations as well as de-identified Investigation/Ad-hoc reports (with management comments and responses) that managers advise have been implemented since the report made to the last Audit and Risk Management Committee meeting. These reports are presented to the Audit and Risk Management Committee prior to the recommendations being finalised and/or archived.
Risk ratings as used by ICC:
| Recommendations Origin | Catastrophic | Major | Moderate | Low | Minimal | Total |
| Internal Audit | | 2 | 7 | 7 | | 16 |
| Ad hoc/Investigation | | | | 1 | | 1 |
Risk ratings as used by QAO:
| Recommendations Origin | Significant Deficiency | Deficiency | Other Matter | Financial reporting - High | Financial reporting - Medium | Financial reporting - Low | Total |
| External Audit | 5 | 2 | 1 | | | 1 | 9 |
Status of open and overdue recommendations (Attachments 6, 7, 8 and 9)
Every month each Department Head is requested to update the status of both the internal, external audit and Investigation/Ad hoc recommendations due for implementation within their area of responsibility. The recommendation statistics and overdue summary (with suggested follow-up actions) as well as the Internal Audit, Investigations/Ad hoc report and External Audit overdue recommendations are attached. The following traffic lights are used with their descriptor:
| Traffic light | Descriptor |
| G (Green) | Under control; reasonable number; low overall risk |
| O (Orange) | Need to monitor; number increasing; moderate overall risk |
| R (Red) | Need to be addressed; number problematic; high overall risk |
The following Departments’ progress towards the implementation of Overdue Internal Audit recommendations is summarised below (All other departments had no recommendations overdue for more than 3 months):
Community, Cultural & Economic Development (traffic light: G)
| Date of Report | Total overdue | Catastrophic | Major | Moderate |
| 7 August 2020 | 1 | 0 | 0 | 0 |
In relation to: Operation of Fleet and Plant (A1819-12), Grants, Sponsorships and Donations (A1920-08), Receipting, Cash Handling & Floats (A1920-16)
Infrastructure and Environment (traffic light: O)
| Date of Report | Total overdue | Catastrophic | Major | Moderate |
| 7 August 2020 | 6 | 0 | 0 | 3 |
In relation to: Credit Cards Framework - Allocation and Use (A1819-05)
Planning and Regulatory Services (traffic light: O)
| Date of Report | Total overdue | Catastrophic | Major | Moderate |
| 6 August 2020 | 3 | 0 | 0 | 2 |
In relation to: Residential Swimming Pools (A1718-16), Penalty Infringement Process (A1819-13), Animal Management Branch – Pound Operations (A1819-15)
Total Internal Audit recommendations overdue for more than 3 months and level of risk:
Minimal and Low not indicated.
Traffic light: O
| Date of Report | Total overdue | Catastrophic | Major | Moderate |
| 6 August 2020 | 10 | 0 | 0 | 7 |
| 11 May 2020 | 5 | 0 | 0 | 3 |
Total Internal Audit recommendations open and level of risk:
Traffic light: O
| Date of Report | Total open | Catastrophic | Major | Moderate |
| 6 August 2020 | 67 | 0 | 9 | 47 |
| 11 May 2020 | 60 | 0 | 6 | 40 |
Total Investigation/Ad Hoc Report recommendations overdue and level of risk:
Minimal and Low not indicated.
Traffic light: G
| Date of Report | Total overdue | Catastrophic | Major | Moderate |
| 6 August 2020 | 1 | 0 | 0 | 1 |
| 11 May 2020 | 3 | 0 | 0 | 2 |
Total Investigation/Ad Hoc Report recommendations open and level of risk:
Traffic light: G
| Date of Report | Total open | Catastrophic | Major | Moderate |
| 6 August 2020 | 3 | 0 | 0 | 3 |
| 11 May 2020 | 3 | 0 | 0 | 2 |
Total External Audit recommendations overdue and level of risk:
Ratings as used by QAO.
Traffic light: G
| Date of Report | Total overdue | Significant Deficiency | Deficiency | Other Matter | Financial reporting - High | Financial reporting - Medium | Financial reporting - Low |
| 6 August 2020 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 11 May 2020 | 1 | 1 | 0 | 0 | 0 | 0 | 0 |
Total External Audit recommendations open and level of risk:
Traffic light: G
| Date of Report | Total open | Significant Deficiency | Deficiency | Other Matter | Financial Reporting - High | Financial Reporting - Medium | Financial Reporting - Low |
| 6 August 2020 | 6 | 1 | 2 | 3 | 0 | 0 | 0 |
| 11 May 2020 | 7 | 3 | 2 | 1 | 0 | 0 | 1 |
Overall Status: G
The total number of overdue recommendations has gone up and the overall number of open recommendations has gone up. This is still a positive result, but managers will need to monitor the open recommendations.
Summary of recent internal audits completed and reports issued in period of the report (Attachment 10, 11, 12, 13, 14 and 15)
Since the previous report to the ARMC, Internal Audit has issued/finalised the following Internal Audit reports/Consulting Tasks and the extracts of the reports containing the audit recommendations, management response and agreed action by date, are attached to enable any further discussion that may be required by the Audit and Risk Management Committee.
| Control Environment Opinion Summary over Areas in Scope of Audits | 5 | 4 | 3 | 2 | 1 |
| Conflicts of Interests (A1920-03) | | P | | | |
| Enterprise Resource Planning (ERP) Observation/Advice (A1920-06) | | P | | | |
| Lakes and Retention Basins (A1920-11) | | P | | | |
| Private Works (A1920-14) | | | | | P |
| Recruitment and Selection (A1920-17) | | | P | | |
| Sports Operations (A1920-19) | | | P | | |
Rating Definitions
| 5 | Indicates unacceptable control environment or critical operating or control problems or extreme exposure. |
| 4 | Indicates unsatisfactory control environment or significant operational, procedural or control deficiencies or high exposure. |
| 3 | Indicates limited control environment or some operational, procedural or control deficiencies, issues or moderate exposure. |
| 2 | Indicates acceptable control environment or minor operational, procedural or control deficiencies, issues or exposure. |
| 1 | Indicates well controlled environment or no or limited unfavourable audit findings, observations or exposure. |
Internal Audit Performance Report and Yearly Assertion Statement to indicate compliance to the International Standards for the Professional Practice of Internal Auditing. (Attachment 16)
Year columns are grouped as History, Current and Expected.
| Key Performance Indicators (KPIs) | 2015/16 | 2016/17 | 2017/18 | 2018/19 | 2019/20 | 2020/21 | 2021/22 |
| Audit Reports Issued / Consulting Tasks | 24 | 24½ | 26½ | ±29½ | 38[1] | ±32½ | ±32½ |
| % audits/jobs completed to plan | 100% | 100% | 100% | 100% | 100%[2] | 95% | 95% |
| Permanent Auditors/Investigators[3] | 3.11 | 3.35 | 2.96 | 3.28 | 4.25[4] | 4.25 | 5[5] |
| Staff utilisation on audit related matters | 90% | 89% | 91% | 90% | 92%[6] | 85% | 85% |
| Average productive hours per auditor | 1537 | 1417 | 1548 | 1536 | 1563[7] | 1500 | 1500 |
| Productive hour cost (current value) | $92 | $94 | $97 | $120 | $115[8] | $120 | $130 |
| Customer satisfaction assessment | 82%[9] | 83% | 92% | 75% | 86%[10] | 75% | 75% |
| Qualified staff | 100% | 100% | 100% | 100% | 100% | 100% | 100% |
• The number of audits is only a guide as the requirements, complexity, size and type differs according to situation.
• As in the case of audits, the number of investigations could be misleading as the complexity, size and support provided by CCC impacts on the resources and outcomes delivered.
• The unit has an integrated risk based approach to internal auditing by focussing on the higher risk areas within Council.
• Because of its size and to avoid unnecessary duplication of effort, the unit is not involved in the yearly external audit but does consider financial aspects in some of its audits for External Audit to rely on.
• Other KPIs have been developed but do not add value to this exercise. For example, a 100% accuracy rate needs to be strived for as far as recommendations are concerned, as it is not acceptable if inaccurate assumptions are made regarding findings.
Financial/RESOURCE IMPLICATIONS
Resources are provided to internal audit through the annual audit plan and budgeting processes. No additional resources were required because of this report. However, circumstances will dictate whether internal audits and investigations have to be outsourced, and management will have to consider the implications of implementing the recommendations in the individual reports.
RISK MANAGEMENT IMPLICATIONS
Each of the individual reports provides a control environment opinion as well as individual risk ratings for individual findings and recommendations. It is important for management to implement the individual recommendations well to either address or diminish the exposure for Council, or explain why it is acceptable to not implement the suggested improvements. As per the corrupt conduct investigation, the findings and risks vary in each situation and are discussed in the confidential reports. That said, the key risks remain that the information is not well presented, not well understood or does not generate an appropriate response.
Legal/Policy Basis
This report and its recommendations are consistent with the following legislative provisions:
Local Government Act 2009
Local Government Regulation 2012
Crime and Corruption Act 2001
COMMUNITY and OTHER CONSULTATION
Internal Audit mostly consults internally to the organisation and its management in conducting the internal audits and finalising the reports. For investigations the appropriate consultations take place as the situation allows and requires.
Conclusion
During the period under review the Internal Audit Branch undertook a number of activities, including as listed in Attachment 2.
During the course of Internal Audit activities, contributions to the improvement of operational procedures, practices and the control environment have been achieved.
Attachments and Confidential Background Papers
1. Internal Audit Register
16. Internal Audit Annual Assertion Statement
CONFIDENTIAL
2.
3.
4.
5.
6.
7. Internal Audit Recommendations overdue for more than 3 months
8. Investigations/Ad-hoc recommendations overdue for more than 3 months
9. External Audit Recommendations overdue for more than 3 months (nil return)
10.
11.
12.
13.
14.
15.
Freddy Beck
Chief Audit Executive
I concur with the recommendations contained in this report.
Freddy Beck
Chief Audit Executive
ITEM: 5
SUBJECT: Report - Risk ELT Meeting No. 2020(03) of 17 June 2020
AUTHOR: Committee Manager
DATE: 10 August 2020
This is the report of the Risk ELT Meeting No. 2020(03) of 17 June 2020.
That the report be received and the contents noted.
1. Risk ELT Meeting Report No. 2020(03) of 17 June 2020
ITEM: 6
SUBJECT: Insurance and Risk Management Update
AUTHOR: Principal Risk and Compliance Specialist
DATE: 4 August 2020
This is a report concerning Council’s insurance statistics for the period 1 April 2020 to 30 June 2020 and an update on risk management.
That the report on Council’s insurance statistics for the period 1 April 2020 to 30 June 2020 and the update on risk management be received and the contents noted.
All members of ELT, Council’s third and fourth level Managers, Principal Risk and Compliance Specialist, Senior Insurance and Risk Officer and the Corporate Governance Manager.
There are no perceived or actual conflict of interest issues regarding this report.
Listening, leading and financial management
To inform the Committee of:
· Corporate Insurance Statistics for the Quarter
· Status of Risk Management
1. Corporate insurance Statistics for the period 1 April 2020 to 30 June 2020
The following tables and graphs provide a high-level summary of insurance claims for the period 1 April 2020 to 30 June 2020 (for more information see attachment 1 and 2):
2. Status of Risk Management
Enterprise Risk Management Program
1. The third ELT Risk Committee was held on 17 June 2020 and the fourth ELT Risk Committee was held on 10 August 2020.
On 17 June 2020 the Committee discussed the new and emerging risks which had previously been identified by PricewaterhouseCoopers (PwC) during their consultation work with Ipswich City Council. The Committee agreed that all identified new and emerging risks were adequately addressed through existing initiatives and being managed through Department Risk Registers.
The risks discussed were:
A. State/Federally funded infrastructure meeting growth demands and social equity;
B. Commercial disputes;
C. Climate Change;
D. Departmental outcomes align with Council strategy;
E. Internal Audit/Ethical Standards; and
F. Policy/Procedure approval.
2. The second Department Risk Advisory Committees for each of the five Departments were held in the second week of June 2020 with the Committee being chaired by the General Manager. The next Department Risk Advisory Committees are scheduled for the second week of September 2020.
3. Peter Tabulo, General Manager of Planning and Regulatory Services will be presenting at today’s committee meeting on how he is managing his departmental risks.
Corporate Risk Register
A review of the Corporate Risk Register was undertaken to review the contents of the register, including the descriptions, causes, impacts, ratings and the development of action plans.
This was the primary area of focus of the ELT Risk Committee meeting for June 2020 (see attachment 3).
Departmental Risk Registers
A review of each Departmental Risk Register is undertaken at the quarterly Department Risk Meetings to review the contents of the register, including the descriptions, causes, impacts, ratings and the development of action plans.
Risk Profile
Due to the COVID-19 Pandemic the CEO at the ELT Risk Committee held on 3 April 2020 suggested that all corporate risks be retained and further discussed once the threat of COVID-19 has stabilised. The CEO requested that a COVID-19 Risk Register be developed with action plans for the risks identified. In consultation with key stakeholders during the COVID-19 Working Groups, a COVID-19 Risk Register was created addressing four (4) key risks. In addition to the register, a further risk was incorporated into the Coordination and Performance Risk Register for Sean Madigan – the Chairperson of the COVID-19 Working Group – to manage.
The COVID-19 Risk Register was presented to the ELT Risk Committee on 10 August 2020 with the recommendation that ELT review the COVID-19 risk register and note the contents of the outstanding actions to be delivered.
Risk Appetite
It is proposed by the Principal Risk and Compliance Specialist to complete a review of Ipswich City Council’s current Risk Appetite Statement in 2020-2021 to develop an in-depth analysis for the nine (9) risk areas currently outlined.
At the next ELT Risk Committee Meeting there will be an agenda item to promote discussion around how Council can look at compiling a Risk Appetite Statement covering these nine (9) risk areas.
Reporting
Work is still progressing with the reporting timeframes and reporting templates.
Implementation of the Risk Management Framework and Training
The risk management training is in the process of being developed by the Learning and Development Team within the People and Culture Branch based on the Framework, Procedure and Administrative Directive and will be rolled out commencing in the third quarter of 2020.
A segment on risk management has been added to the ICC Induction Program for new employees.
Fraud and Corruption Control
Further Fraud and Corruption Training for all Ipswich City Council Staff will be rolled out commencing in the fourth quarter of 2020.
A segment on Fraud and Corruption Awareness has been added to the ICC Induction Program for new employees.
Reporting
Work is still progressing with the reporting timeframes and reporting templates.
Business Continuity Planning
On 23 March 2020 the ELT Risk Committee endorsed the recommendation that, due to the current environment surrounding the COVID-19 Pandemic, the planned development of a business continuity test exercise, which was to be carried out in the first half of 2020, be postponed.
Legal/Policy Basis
In managing risk and insurance for the organisation Council officers perform their duties in keeping with the Local Government Principles of:
· Transparent and effective processes, and decision-making in the public interest;
· Good governance of, and by, local government; and
· Ethical and legal behaviour of Councillors and local government employees.
The following table outlines the relevant legislation and the administrative functions and services provided by the Section:
Relevant Legislation | Corporate Services Section Functions and Services Provided |
Local Government Act 2009; Local Government Regulation 2012; AS/NZS ISO 31000:2018 Risk Management – Principles and Guidelines | Manage and coordinate: · the implementation of Council’s Risk Management Framework · public liability claims from external customers · public liability claims for Councillors and staff · negotiate (within Delegated Authority), on behalf of Council any insurance resolutions · the insurance of Council assets including but not limited to Council buildings, machinery and equipment, park infrastructure, swimming pools, sports centres, club houses, fleet vehicles, etc. · the renewal of Council insurance policies (excluding Workers Compensation) · the provision of expert insurance and risk advice to both external and internal stakeholders · recover costs from damage made by third parties to Council assets |
It is essential that Risk Management is successfully implemented and embedded in the organisation. The management of corporate risks lies with the CEO and all General Managers, whilst the management of departmental risks is the responsibility of the respective General Manager.
The Corporate Governance Section and the Principal Risk and Compliance Specialist can provide the necessary framework, policy, procedures and advice, but successful risk management will only be achieved if senior management takes responsibility for managing the risk and fraud registers, implements appropriate controls and leads the organisation in developing a strong risk management culture.
With the implementation of an Enterprise Risk Management Framework and an increase in the capability of the organisation to manage risk efficiently and effectively, Council has positioned itself to become an exemplar Council in the management of Risk and Insurance.
1. | Corporate Risk Register ⇩ |
CONFIDENTIAL |
2. |
3. |
Graham McGinniskin
Principal Risk and Compliance Specialist
I concur with the recommendations contained in this report.
Angela Harms
Governance Manager
I concur with the recommendations contained in this report.
Tony Dunleavy
Manager Legal and Governance (General Counsel)
I concur with the recommendations contained in this report.
Sonia Cooper
General Manager Corporate Services
“Together, we proudly enhance the quality of life for our community”
ITEM: 7
SUBJECT: Maturing and strengthening of Council's governance, internal controls and compliance
AUTHOR: General Manager Corporate Services
DATE: 11 August 2020
Executive Summary
This is a report concerning the maturing and strengthening of Council’s governance, internal controls and compliance. Council is progressively maturing and strengthening its governance, internal controls and compliance with the broad range of legislative, policy and procedural obligations upon it. Council’s investment and focus in these critical areas has been strengthened significantly in recent years.
This report offers an update on current initiatives and actions to mature governance and document and strengthen internal controls.
Recommendation/s
That the Audit and Risk Management Committee (ARMC) note the actions and initiatives being scoped and implemented to mature and strengthen Council’s governance, internal controls and compliance.
RELATED PARTIES
There are conflicts of interest to declare concerning the matters addressed in this report.
Advance Ipswich Theme
Listening, leading and financial management
Purpose of Report/Background
Purpose
The purpose of this report is to update the ARMC on actions and initiatives that are underway to mature and strengthen Council’s governance, internal controls and compliance following the Business Transformation Program (BTP) that was finalised in May 2020.
Background
Business Transformation Program
The primary objective of the Interim Administrator’s ‘Vision2020’ was transforming the organisation to be an exemplar of good governance that other Councils aim to emulate.
In order to achieve this, the Interim Administrator and Interim Management Committee defined 18 transformational projects looking to improve our processes and governance arrangements. These 18 were then defined under three separate themes: whole of council, finance and reporting, and risk and governance, as set out in the table that follows.
Regular updates on the BTP were provided to the ARMC.
Council has now transitioned from the BTP to embed new strategies, policies, procedures and processes into business as usual operations. However, in some areas where further work is required beyond the closure of the BTP, new strategic projects have been scoped and are now being advanced.
Strategic Projects relevant to governance, internal controls and compliance
In particular, four strategic projects were endorsed to be scoped, prioritised and resourced as necessary including:
1. Strategic maturity of governance
2. Asset management
3. Procurement model implementation
4. People and Culture Strategic Plan implementation
These four projects are key to the strengthening of governance, control and compliance functions of Council. Scoping of these projects is well advanced and the Project Management Plans will soon be considered by the Program Management Steering Committee.
Good Governance Policy and Guide
Going forward, it is vital that Council continues to invest in the maturing and strengthening of its governance, internal controls and compliance if it is to achieve the vision of being an exemplar of good governance.
Council has a Good Governance Policy and Good Governance Guide, adopted by Council on 25 February 2020, which have the following elements:
a) Roles, responsibilities and relationships
b) Organisational planning, monitoring and reporting performance
c) Decision-making
d) Legal and ethical compliance, and
e) Culture and ethics.
Documenting and strengthening of internal controls for each Department’s risks
As part of the maturing of Council’s Enterprise Risk Management Program, risk owners will soon be asked to identify each control implemented as part of the first line of defence (including frameworks, policies, procedures, systems, structures and processes) to mitigate the risk and therefore self-evaluate the effectiveness of each control. Risk Control Reports will be reviewed by Council’s Risk Team to identify areas for strengthening and improvement.
Internal controls framework
An internal controls framework is also being documented using the three lines of defence model and setting out Council’s existing and proposed enablers in the following areas[11]:
1. Vision, plans, strategies and frameworks
2. Policies, procedures and processes
3. Culture, ethics, integrity and behaviour
4. People, capabilities and competencies
5. Organisational design
6. Information management and communication, and
7. Systems, security and data analytics.
An update on the internal controls framework will be provided to the next meeting of ARMC on 7 October 2020.
Legal/Policy Basis
This report and its recommendations are consistent with the following legislative provisions:
Local Government Act 2009
RISK MANAGEMENT IMPLICATIONS
The maturing and strengthening of Council’s governance, internal controls and compliance will better position Council to manage risks in the delivery of its functions and services to the Ipswich community.
Financial/RESOURCE IMPLICATIONS
Work on strengthened governance, internal controls and compliance is being undertaken within existing resources allocated in the 2020-2021 Council budget.
COMMUNITY and OTHER CONSULTATION
Community and other consultation has not been undertaken as part of the preparation of this report.
Conclusion
Council is committed to building on the good work completed through the Business Transformation Program to implement improved governance, internal controls and compliance. Specifically, Council is:
a) Scoping, prioritising and resourcing strategic projects to complete further work on:
a. Governance
b. Asset management
c. Implementation of the procurement model
d. Implementation of the People and Culture Strategic Plan 2019-2021
b) Implementing the Good Governance Policy and Guide approved by Council on 25 February 2020
c) Maturing its Enterprise Risk Management Program working with risk owners to develop and review Risk Control Reports, and
d) Documenting an Internal Controls Framework.
Sonia Cooper
General Manager Corporate Services
I concur with the recommendations contained in this report.
Sonia Cooper
General Manager Corporate Services
ITEM: 8
SUBJECT: Draft Unaudited 2019-2020 Annual Financial Statements
AUTHOR: Principal Financial Accountant
DATE: 10 August 2020
This is a report concerning the draft unaudited 2019-2020 Annual Financial Statements.
That the draft unaudited 2019-2020 Annual Financial Statements as detailed in Attachment 1 to the report be received and noted.
There are no conflicts of interest declared by Council Officers in relation to the matters addressed in this report.
Listening, leading and financial management
Section 212 of the Local Government Regulation 2012 states “Auditing of financial statements by auditor-general:
(1) A local government’s general purpose financial statement and current-year financial sustainability statement for a financial year must be given to the auditor-general for auditing.
(2) Also, a local government’s long-term financial sustainability statement for the financial year must be given to the auditor-general for information.
(3) The financial statements mentioned in subsections (1) and (2) must be given to the auditor-general by a date agreed between the chief executive officer and the auditor-general.
(4) The date agreed under subsection (3) must allow the audit of the financial statements, and the auditor-general’s audit report about the statements, to be completed no later than 4 months after the end of the financial year to which the statements relate”.
Section 211 (1) of the Local Government Regulation 2012 states that “The audit committee of a local government must-
(a) meet at least twice each financial year; and
(b) review each of the following matters-
(iii) a draft of the local government’s financial statements for the preceding financial year before the statements are certified and given to the auditor-general under section 212”
The draft unaudited 2019-2020 Annual Financial Statements are detailed in Attachment 1.
SIGNIFICANT ITEMS:
Asset Revaluation
Revaluations were conducted on land, buildings, other structures and detention basins assets during 2019-2020 by Cardno (QLD) Pty Ltd. The impact of the comprehensive revaluation resulted in an increase of $84.8 million to the property, plant and equipment and asset revaluation surplus. Refer to note 13.
Revaluation results are summarised in the table below.
Asset Class | Increase/(Decrease) | % Movement | Fair Value Measurable |
Land | $23.7m | 12.6% | Level 2 – Observable Inputs |
Buildings | $15.4m | 11.9% | Level 3 – Unobservable Inputs |
Other Structures | $44.3m | 30.1% | Level 3 – Unobservable Inputs |
Detention Basins | $16.7m | 100% | Level 3 – Unobservable Inputs |
Total | $84.8m | | |
A desktop valuation of Council’s roads, bridges and footpath, and flooding and drainage asset classes was performed by Cardno (QLD) Pty Ltd, which resulted in a 1.29% and 0.64% increase respectively. Council assessed the increase as immaterial and did not apply the index. A desktop valuation for artworks was performed by Ross Searle and Associates, which resulted in a 1.2% increase of Council’s artworks; Council assessed this as immaterial and did not apply the index.
Changes in Accounting Policies
Council adopted AASB 15 Revenue from Contracts with Customers, AASB 1058 Income of Not For Profit Entities and AASB 16 Leases using the modified retrospective (cumulative catch-up) method and therefore the comparative information for the year ended 30 June 2019 has not been restated. The impact of adopting AASB 15, AASB 1058 and AASB 16 resulted in a $4.7 million adjustment to the retained earnings at 1 July 2019. AASB 15 and AASB 1058 require recognition of revenue based on when a performance obligation is satisfied. As at 30 June 2020, contract assets of $263,000 (refer to note 14) were recognised for revenue where the performance obligation had already been satisfied, while contract liabilities of $571,000 (refer to note 14) and unearned revenue for rates paid in advance of $4.2 million (refer to note 19) were recognised as liabilities until the performance obligation is satisfied. AASB 16 requires former operating leases to be brought onto the balance sheet. As at 30 June 2020, right of use assets of $5.2 million and lease liabilities of $4.6 million (refer to note 15) were recognised.
Investment Property
In accordance with AASB 140 Investment Property, Council engaged Cardno (QLD) Pty Ltd to value investment properties located in the Ipswich central business district, resulting in a decrease of $2.3 million which was recognised in the Statement of Comprehensive Income. Refer to note 12. Cardno valued the land component of investment properties based on site values per sqm, while the 2 Bell Street Ipswich tower building value was based on the sales range of the site area and current licence fee for tenancies in the tower. Other buildings and structures located on the retail sites have been assessed as commercially obsolete.
Impairment of Capital Works in Progress
Council assessed assets including capital works in progress (CAPEX) for impairment. Council identified CAPEX relating to the reconstruction of the Commercial Hotel (5 Union Place Mall, Ipswich) was impaired by $1.5 million. Refer to note 13.
Financial Impacts from COVID-19 Pandemic
Disclosure note 33 details the significant financial impacts from the COVID-19 Pandemic. Included in the note are details about waived revenue, rates relief and the impact on asset valuations.
Consolidated Statements
2019-2020 financials for the controlled entities of Ipswich City Properties Pty Ltd, Ipswich City Enterprises Pty Ltd and Ipswich City Enterprises Investments Pty Ltd were consolidated with Council financials. Although the financial results were immaterial with only a collective net loss of $344 and equity of $456,000, the comparative reporting period reported material financial results. It is expected that 2019-2020 will be the last year of consolidation because controlled entities are expected to be immaterial in 2020-2021 due to the controlled entities being wound up and deregistered.
This report and its recommendations are consistent with the following legislative provisions:
Local Government Act 2009
Local Government Regulation 2012
Australian Accounting Standards
There are no direct financial or resource implications associated with this report.
No community consultation has been undertaken in relation to this report. Information has been gathered from across a wide cross section of the organisation to assist in the compilation of the draft unaudited 2019-2020 Annual Financial Statements.
That the draft unaudited 2019-2020 Annual Financial Statements as detailed in Attachment 1 to the report be received and noted.
CONFIDENTIAL |
1. |
Barbara Watson
Principal Financial Accountant
I concur with the recommendations contained in this report.
Jeffrey Keech
Manager, Finance
I concur with the recommendations contained in this report.
Sonia Cooper
General Manager Corporate Services
ITEM: 9
SUBJECT: 2019-2020 Lost and Stolen Items Report
AUTHOR: Financial Accountant
DATE: 20 July 2020
This is a report concerning assets/items reported to the Finance Branch as suspected of being stolen during the financial year ended 30 June 2020.
That the report be received and the contents noted.
There are no related parties.
Listening, leading and financial management
Section 307A of the Local Government Regulation 2012 (the Regulation) and Council Procedure FCS-41 require that, where assets and other items are reported to the Finance Branch as being stolen, the following process is to occur. This section also requires that if Council becomes aware that the property is missing and not suspected to have been stolen, then the CEO is required to keep records of the loss where the loss is at least $1,000.
Further, where a loss is considered to be a reportable loss, the Regulation requires that written confirmation of any incident is to be provided to the Minister, Auditor-General and the Officer-in-Charge of the nearest Police Station and where appropriate the Crime and Corruption Commission. A report is also to be furnished to Council’s Audit Committee.
The following report covers the period 1 July 2019 to 30 June 2020. The report is provided for the information of the Audit and Risk Management Committee.
Asset Description | Oracle Asset ID | Date of Incident / Discovery | Date Reported to Police | Police Crime Report No | COST | Written Down Value |
Stihl Brushcutter | P1095982 | 9/01/2020 | 10/01/2020 | QP3082138 | $672 | - |
Laptop, Laptop Bag and Access | Networked Asset | 15/05/2019 | 10/03/2020 | QP2000495327 | $1,571 | - |
Corporate Laptop - Rohan Dowdy | Networked Asset | 29/04/2020 | 1/05/2020 | QP2000896509 | $1,500 approx | $1,000 approx |
Corporate Laptop - Nick Burke | Networked Asset | 29/04/2020 | 1/05/2020 | QP2000896509 | $1,500 approx | $1,000 approx |
Circumstances of the Loss:
Crime Report Number QP3082138
When the Council crew arrived at the work location, they noticed that someone had used a grinder to cut through the brushcutter holding box and had taken the brushcutter. The incident was then reported to the Queensland Police Service (Police).
Crime Report Number QP2000495327
It was found while processing a termination of employment for an employee who had been absent from work for a long period, that they had not returned their laptop. Numerous requests had been made for the return of the asset however they were not actioned by the employee. The employee subsequently claimed that the laptop had been stolen from their possession and reported to the Police. Council has also reported the incident to the Police. Refer to attachment 2.
Crime Report Number QP2000896509
Two laptops assigned to two employees were stolen from the Civic Centre. One was set up to support a meeting and the laptop was missing when the meeting commenced. Another employee noticed that his laptop was missing when he went to take it home. Safe City found supporting footage to imply the laptops were stolen. A Police report was lodged. Refer to attachment 1.
It is noted that one of these laptops has been subsequently recovered by the Police and returned to Council.
This report and its recommendations are consistent with the following legislative provisions:
Local Government Act 2009
Local Government Regulation 2012
Australian Accounting Standards
Council Procedure FCS-41
The risk of portable and attractive items being stolen is always reasonably high; therefore, all Council officers need to ensure reasonable security of these items at all times. Finance also coordinates an annual stocktake of items to ensure the possession and existence of smaller plant and equipment.
The financial implications and loss to Council is the equivalent of the value of the items stolen. Council is also in most cases required to replace these items.
No community consultation has occurred in relation to this report. The finance team have liaised with the relevant sections who have reported the stolen items.
In accordance with the relevant procedure, the Police were informed of the above instances.
CONFIDENTIAL |
1. |
2. |
Dhurga Balasingam
Financial Accountant
I concur with the recommendations contained in this report.
Jeffrey Keech
Manager, Finance
I concur with the recommendations contained in this report.
Sonia Cooper
General Manager Corporate Services
ITEM: 10
SUBJECT: Report on Complaints Management, Information Privacy and Right to Information Compliance
AUTHOR: Integrity and Complaints Manager
DATE: 7 August 2020
Executive Summary
This is a report concerning performance in relation to Council’s legislative compliance in the management of complaints, Right to Information and Information Privacy for the period 1 April 2020 to 30 June 2020 (the Quarter).
Recommendation/s
That the report on complaints management and Information Privacy and Right to Information compliance for the period 1 April 2020 to 30 June 2020 be received and the contents noted.
RELATED PARTIES
There are no conflicts of interest identified and declared in relation to the contents of this report.
Advance Ipswich Theme
Listening, leading and financial management
Purpose of Report/Background
To inform the Audit and Risk Management Committee on the performance of the complaints management, infringement review management, Right to Information and Information Privacy compliance functions for the April to June 2020 quarter.
Complaints management
This quarter saw a notable decrease in complaints received compared to the previous quarter from 211 to 128 overall. A table setting out the number of complaints of each type is set out in the Addendum to this Report.
The drop in complaint numbers is likely indicative of the COVID-19 Pandemic restrictions that were in place at that time, creating a reduction in the delivery of some Council services.
Complaint numbers will continue to be monitored as the objective of an effective complaints management system (CMS) is to drive a reduction in complaints numbers. This reduction occurs when an organisation is made aware of “failings” through captured complaints data and that data is utilised as a driver to implement changes to improve service delivery.
Reporting in the complaints space will evolve with the introduction of the use of the Insights Function of Council’s CRM database used for complaints management, Objective. Work is currently underway with a business analyst in the Coordination and Performance Department to create new reports to the business. Council will move towards including handling times in reports as a measure to improve processes in the complaints management section.
Average handling time of complaint matters for this quarter sits at 6.8 business days which is well below the agreed timeframes of 20 business days. It will be expected that this number will fluctuate based on a variance in the complexity of matters received. Achieving handling times below agreed timeframes can lend itself to a “quantity versus quality” culture with complaint handlers. Quality assurance checks are undertaken on a percentage of matters handled (5 matters per week) to ensure that the error rate in matters remains low.
The continued low numbers of requested reviews (2.34% of all matters handled) are indicative of the efficacy of the responses being provided by the CMU to customers, with this quarter demonstrating a customer satisfaction rate of 97.66% on matters handled in that quarter. This is further supported by no matters being escalated to a stage 3 internal in Quarter 4.
Quality assurance monitoring of different processing stages will continue to be undertaken to ensure the efficacy of the CMU remains and that robust processes continue to be used effectively in complaints management.
Management of Infringement Reviews
According to the data extracted from Council’s Crystal report, Planning and Regulatory Services (PRS) issued the least number of infringements in April 2020 (173) and issued the highest in June 2020 (633).
The decrease in numbers during the April/May period was due to the COVID-19 Pandemic and restrictions imposed by the Commonwealth and State Government seeing a reduction in activity by Council compliance officers. This also resulted in a decrease of review requests that were received.
The significant increase in infringements issued in June was a direct result of ANPR vehicles and compliance officers resuming ordinary activity.
Further detail on the types of infringements is set out in the addendum below.
Management of Right to Information and Information Privacy Applications
All RTI/IP Applications were processed in accordance with legislative requirements, Council Policy and Procedures. The below tables provide details of the management of all RTI/IP Applications for the reporting period.
Three of the RTI Applications received within this reporting period were pending, awaiting payment of application fees to make them compliant Applications.
One external third party consultation was received and one administrative release enquiry was actioned accordingly.
Moving forward, work will be undertaken with the Performance Management team to develop more robust reporting on applications, and data will be utilised to inform Council on improvements to its Publication Scheme.
The efficacy of Application handling is evidenced by no internal or external reviews being undertaken on Applications received in this quarter.
Update on Business Transformation Project TP#6 Complaints Management Framework
The Project was formally closed in May 2020 by the Business Transformation Program Steering Committee. Any remaining deliverables have been transitioned to either business as usual activities or further strategic projects. All but two key deliverables are 100% delivered (Key Deliverables 1 and 2 are 90% implemented).
Follow-up by the Information Commissioner to their 2017-18 Audit Report on Ipswich City Council’s management of Right to Information and Information Privacy
On 16 June 2020 the Office of the Information Commissioner (OIC) advised Council that the follow-up report on Council’s implementation of recommendations made in their 2017-18 audit of Council’s management of Right to Information and Information Privacy was completed.
The report was tabled in the Queensland Parliament on 17 June 2020 and the Council response to the follow up Audit is included as an appendix.
Of the Audit's twelve (12) recommendations the OIC assessed that:
· six (6) of the recommendations have been fully implemented
· two (2) of the recommendations have been partially implemented (Recommendations 2 and 6)
· three (3) of the recommendations are in progress (Recommendations 1, 3 and 11)
· one (1) of the recommendations has had limited progress (Recommendation 8).
Council’s response set out additional action that has been taken both within the audit period, since the audit period and future planned work. A copy of Council’s response is included as an Attachment to this report. The full report is attached as Attachment 3.
Legal/Policy Basis
The following table outlines the relevant legislation and the administrative functions and services provided by the Branch:
RISK MANAGEMENT IMPLICATIONS
The greatest risk to the organisation is the lack of awareness by staff of their responsibilities under Council’s Complaint Management Framework, the Public Records Act 2002, and RTI and IP Acts. All outside staff have attended Public Records Act, RTI Act and IP Act Training delivered by the TP#6 Project Lead. Internal staff have undertaken Office of the Information Commissioner RTI and IP Training and Queensland State Archives Records Challenge Training online via E-Hub. Training in Records, RTI and IP Act obligations and responsibilities is now a component of induction training and will be incorporated into annual refresher training for all staff.
Financial/RESOURCE IMPLICATIONS
There are no financial/resource implications.
COMMUNITY and OTHER CONSULTATION
This report did not require community engagement.
Conclusion
The Governance Section has performed its responsibilities and obligations in relation to maintaining Council’s compliance with the Local Government Act 2009, Local Government Regulation 2012, Right to Information Act 2009 and Information Privacy Act 2009 for the previous Quarter.
Attachments and Confidential Background Papers
1. | Letter to Information Commissioner on Follow Up Audit Report ⇩ |
2. | Attachment to Letter to Information Commissioner on Follow Up Audit Report ⇩ |
3. | Follow up Audit Report ⇩ |
Dianne Nikora
Integrity and Complaints Manager
I concur with the recommendations contained in this report.
Angela Harms
Governance Manager
I concur with the recommendations contained in this report.
Tony Dunleavy
Manager Legal and Governance (General Counsel)
I concur with the recommendations contained in this report.
Sonia Cooper
General Manager Corporate Services
ADDENDUM
Complaints management
 | APR – JUN 2020 QTR 4 | | | | JAN – MAR 2020 QTR 3 | | | |
COMPLAINT TYPE | CLOSED | IN PROGRESS | SUSPENDED | TOTAL | CLOSED | IN PROGRESS | SUSPENDED | TOTAL |
Administrative Action Complaints | 2 | 0 | 0 | 2 | 0 | 2 | 0 | 2 |
Privacy Complaints | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Publication Scheme Complaints | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
General Administration Action Complaints | 102 | 14 | 1 | 117 | 176 | 18 | 0 | 194 |
Ombudsman Direct Referrals Received | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
General - Staff Complaint | 9 | 0 | 0 | 9 | 12 | 1 | 0 | 13 |
Ombudsman Review | 0 | 0 | 0 | 0 | 1 | 1 | 0 | 2 |
Internal Reviews on AACs | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
OIC Reviews | 0 | 0 | 0 | | 0 | 0 | 0 | 0 |
TOTAL NUMBER OF COMPLAINTS RECEIVED | 113 | 14 | 1 | 128 | 189 | 22 | 0 | 211 |
During Quarter 4 the Complaints Management Unit (CMU) of Council received 117 general administrative action complaint matters (Stage 1 reviews). This number comprised complaints on Waste Management, Operational Work Issues, Road Maintenance, Rates, Parking and Animal Management matters.
Of those matters 102 were successfully closed in this quarter, with 14 matters having a due date in the next quarter and still awaiting the finalisation of the investigation and 1 matter suspended waiting for more information from the complainant.
Two matters escalated to a stage 2 review (Administrative Action Complaint), both of which were closed out in that quarter. One was a complex legacy development matter and the other was in regard to a customer seeking a retrospective refund of waste charges incurred when using a refuse centre.
This reporting period showed a slight decrease in General Staff Complaints compared to the last quarter. Of those 9 staff behaviour complaint matters received, all were successfully closed within the quarter period. These matters mainly relate to the behaviour of waste truck drivers while servicing bins, rates related matters, compliance officers who are looking after enforcement notices, animal management officers and parking infringement officers.
When staff behaviour complaint matters are disseminated to the relevant business area for investigation by the CMU a reminder is included that those areas must engage People and Culture if the complaint is substantiated to ensure that behaviours are appropriately recorded on personnel files when required and to ensure that both leaders and staff are provided the appropriate support to work through those matters.
There were no requests for Privacy Complaints or Publication Scheme Complaints received in this quarter. This will be monitored in future reporting periods.
Management of Infringement Reviews
The below table represents the breakdown of the types of infringements issued during Quarter 4:
TYPES OF PINS ISSUED | APR – 20 | MAY – 20 | JUN – 20 |
ANIMAL INFRINGEMENTS | 35 | 11 | 20 |
ANPR INFRINGEMENTS | 0 | 0 | 285 |
LOCAL LAWS INFRINGEMENTS | 14 | 15 | 3 |
OTHER PARKING INFRINGEMENTS | 50 | 157 | 267 |
WARNING INFRINGEMENTS | 74 | 36 | 58 |
TOTAL | 173 | 219 | 633 |
PINS REVIEWED | APRIL 2020 | MAY 2020 | JUNE 2020 |
WAIVED | 102 | 21 | 45 |
UPHELD | 21 | 6 | 16 |
TOTAL PINS REVIEWED | 123 | 27 | 61 |
According to the table and graph above, April recorded the highest number of infringements both waived and upheld, with May recording the lowest numbers.
The below graph depicts the statistics of the different exemption codes that were applied to all approved waived and upheld infringements:
Table of exemption codes for reference:
EXEMPTION CODES | APR-20 | MAY-20 | JUN-20 | TOTAL |
1 | 6 | 3 | 6 | 15 |
2 | 11 | 2 | 3 | 16 |
3 | 1 | 0 | 0 | 1 |
4 | 3 | 0 | 5 | 8 |
6 | 0 | 1 | 0 | 1 |
6 (A) | 11 | 1 | 3 | 15 |
6 (B) | 4 | 1 | 9 | 14 |
6 (F) | 4 | 3 | 0 | 7 |
OWN | 25 | 0 | 10 | 35 |
PPWTD | 11 | 0 | 0 | 11 |
WTHNPI | 26 | 10 | 8 | 44 |
WARN | 0 | 0 | 1 | 1 |
TOTAL | 102 | 21 | 45 | 168 |
Table of definitions for exemption codes for reference:
EXEMPTION CODES | DEFINITION |
1 | Incorrect/Incomplete/Unclear Information – A notice has been issued containing incorrect or incomplete information (e.g. Incorrect vehicle registration number, incorrect name of offender or incorrect offence code) and this has caused the PIN to be invalid or the information recorded on the PIN is so unclear that it cannot be read. |
2 | Medical Certification – A medical certificate or other acceptable supporting documentation including statements from witnesses can be produced confirming that the medical condition or a medical situation at the time of the offence caused or substantially contributed to the offence occurring and that in view of such circumstances, the PIN should be withdrawn. |
3 | Motor Vehicle Breakdown (regulated Parking Offence) - Evidence can be produced to prove a vehicle had a mechanical problem at the time of the parking offence and that the circumstances caused the driver to park illegally. |
4 | People with a Disability (Regulated Parking Offences) – A valid disabled persons parking permit can be produced in instances where the vehicle would not have been issued with a PIN had the permit been affixed to the vehicle. |
5 | Charity Workers (Regulated Parking Offences) – The person to whom the PIN was issued was at the time of the alleged offence undertaking a bona-fide temporary duty on behalf of a charitable organisation and the offence did not involve traffic/pedestrian obstruction or safety related offences (withdrawal of a PIN under this criterion will only be applied to a first offence) |
6 | Extraordinary Circumstances - In a case where an application is not addressed by the abovementioned circumstances, the decision maker may determine that the circumstances are sufficient to warrant the withdrawal of the PIN. |
6 (A) | Extraordinary Circumstances – Instances where a decision to uphold the PIN would be contrary to Council’s Corporate Plan, Vision, Mission and Values. |
6 (B) | Extraordinary Circumstances – Instances where the likelihood of successful prosecution is low. |
6 (D) | Extraordinary Circumstances – The person to whom the infringement notice was issued was involved in an emergency situation at the time of the alleged offence. (Proof of the emergency would be required, e.g. Doctor’s certificate, statutory declaration, oaths acted witness statements) |
6 (F) | Extraordinary Circumstances – Ambiguous, illegible, malfunctioning or damaged signage or devices which would lead to confusion about the requirements. (For malfunction of parking meters, evidence is to include a witness statement or statutory declaration that correct monies were deposited into regulated parking devices) |
7 | Interstate Vehicle or Overseas Driver |
ELECT | Offender has Elected to have the PIN decided in Magistrates Court |
PPWTD | Prosecution Panel Withdrawn |
NO EXEMPTION | PIN has been UPHELD |
OTH | Other Circumstances |
OWN | Owner cannot be located |
SPER | Referred to SPER |
WTHNPI | Withdrawn by Review Team – For new PIN to be considered by Compliance Branch |
WTHNWN | Withdrawn by Management Team |
The following table represents the percentage rate of how many PINS were reviewed over the total number of PINS issued:
ITEMS | JAN-20 | FEB-20 | MAR-20 |
TOTAL PINS REVIEWED | 120 | 1113 | 796 |
TOTAL PINS ISSUED | 1003 | 202 | 149 |
PERCENTAGE RATE | 11.96% | 18.15% | 18.72% |
Furthermore, the CMU also receives CES request jobs where work is undertaken that has not resulted in a review being conducted. Below is the breakdown of the total number of these jobs that were received via the CES portal for Qtr. 4, 2020:
RESOLUTION CODES | GRAND TOTAL |
Ambiguous, illegible, damaged signage | 8 |
Closed as Duplicate | 2 |
Contrary to Council’s vision and values | 16 |
Court election | 1 |
Customer inquiry | 76 |
Customer Satisfied | 4 |
Incorrect/incomplete/unclear information | 16 |
Infringement Review Duplicate | 8 |
Likelihood of prosecution low | 9 |
Medical certification | 17 |
Motor vehicle breakdown (reg parking) | 1 |
No Value | 1 |
People with a disability (reg parking) | 6 |
Prosecution Panel - Withdrawn | 2 |
Referred to SPER | 10 |
Upheld | 42 |
Withdrawn new PIN issued | 54 |
GRAND TOTAL | 273 |
ITEM: 11
SUBJECT: Minutes from the ICT Steering Committees from April to June 2020
AUTHOR: Executive Support and Research Officer
DATE: 18 June 2020
This is a report concerning the minutes from the ICT Steering Committee (ICTSC) meetings held between April and June 2020.
That the Audit and Risk Management Committee (ARMC) note the minutes from the Information and Communication Technologies Steering Committee (ICTSC) meetings held between April and June 2020.
There were no declarations of conflict of interests from members of the ICTSC in relation to the minutes of the ICTSC meetings.
Listening, leading and financial management
It was agreed that the minutes of the ICTSC meetings would be presented to ELT for approval before being presented to the next available ARMC.
This report and its recommendations are consistent with the following legislative provisions:
Local Government Act 2009
There are no risk implications in relation to this report.
There are no financial/resource implications in relation to this report.
The members of the ICTSC were provided the minutes of each meeting for their review at the subsequent meeting.
It is requested that the ARMC note the minutes and actions from the ICTSC meetings as listed in attachments 1-3.
1. ICTSC Minutes from 29 April 2020
2. ICTSC Minutes from 27 May 2020
3. ICTSC Minutes from 24 June 2020
Erin Smith
Executive Support and Research Officer
I concur with the recommendations contained in this report.
Sonia Cooper
General Manager Corporate Services
ITEM: 12
SUBJECT: Update on Ipswich CBD Redevelopment Project
AUTHOR: General Manager - Coordination and Performance
DATE: 10 August 2020
This is a report concerning the risk management for the Ipswich Central Redevelopment project. At a high level, the construction is progressing well with practical completion achieved for the new library and civic space. The administration building is progressing ahead of schedule and on budget.
The retail components of the project continue to pose a significant risk for Council which is compounded by the current economic impacts of COVID-19.
That the report be received and the contents noted.
Ranbury Management Services
Ranbury Property Services
Managing growth and delivering key infrastructure
The purpose of this report is to provide the Audit and Risk Management Committee with an update on the progress of the Ipswich Central Redevelopment project.
The construction aspect of the project is progressing well. The Library and Civic Space reached practical completion in August 2020. The fit out of the Library will now commence with an anticipated opening in late October or early November. The civic space has also reached practical completion with an opening date to coincide with the opening of the new library.
A topping out ceremony was held for the administration building which is progressing ahead of schedule. Anticipated practical completion for the administration building is June / July 2021.
From a financial perspective the project continues to track on budget. At this time, it is anticipated that the contingency fund will be approximately $4 million underspent, however this may change as the project progresses through final construction and into the furniture, fixings and equipment stage.
Negotiations are continuing with a cinema operator as the key anchor tenant for the entertainment venue. Securing a lease with this tenant is a condition precedent to the awarding of the contract variation for Hutchinson Builders to commence construction on the retail assets. The negotiations are progressing well and are expected to be finalised in August 2020.
The economic climate in the retail sector created as a result of the COVID-19 pandemic continues to pose a significant risk to the commercial aspects of the development. From a leasing perspective, tenants are now seeking additional incentives in negotiation and this has the potential to impact the leasing budget as we secure more tenants. The project team will continue to monitor this and report through to the Ipswich Central Redevelopment Committee.
Significant work is also being conducted to develop the operating model and budget for the retail precinct. Mr James Hepburn, Chair of the Retail-Sub Project Steering Committee, is leading this aspect of the project. This is a critical component for the post-construction phase of the Ipswich Central Redevelopment and is critical to understanding the true value of the retail components of the project. Gaining this understanding will enable Council to be fully informed in terms of its decisions regarding the management and potential divestment of these assets.
This report and its recommendations are consistent with the following legislative provisions:
Local Government Act 2009
The budget and timeframes for the construction aspect of the project are progressing in accordance with the adopted budget and published schedule. The risks associated with the construction aspect are being managed effectively as evidenced by the construction being on time and on budget.
The risks created by COVID-19 in the retail sector continue to be significant. There is uncertainty in the market as to what the future will hold; however, the project team remain confident that we will secure tenants for the precinct. We are currently aiming for a September 2021 opening for the retail assets, which we hope will provide time for the pandemic restrictions and concerns to ease. The project team is cognisant of the risks created by the pandemic and will continue to monitor, review and mitigate to the extent possible.
The project is currently meeting the budget approved by Council.
There has not been any consultation conducted in relation to this report.
The construction of the civic projects for the Ipswich Central Redevelopment is progressing well.
The most significant risk associated with the project continues to be the leasing of the retail assets which is further complicated by the economic conditions created by the pandemic.
Sean Madigan
General Manager - Coordination and Performance
I concur with the recommendations contained in this report.
Sean Madigan
General Manager - Coordination and Performance
ITEM: 13
SUBJECT: ICT Platform Project - Update
AUTHOR: Program Manager (Business Improvement)
DATE: 6 August 2020
This is a report concerning the status of the Information and Communication Technologies (ICT) Platform Project to implement a significantly improved technology platform for Ipswich City Council.
That the report concerning the status of the Information and Communication Technologies (ICT) Platform Project to implement a significantly improved technology platform for Ipswich City Council be received and the contents noted.
There was no declaration of conflicts of interest.
Listening, leading and financial management
The purpose of this report is to provide an update on the progress of the ICT Platform Project as well as a copy of the project risk register for the information of the Committee.
In the time since the last update to this Committee (20 May 2020), significant progress has been made by the Project Team on the delivery of Stage 1 (Discovery) of the project. These include:
· Preliminary Findings
A detailed preliminary findings report and accompanying summary presentation (attached) were presented to and accepted by the ICT Steering Committee on 27 May 2020. A number of due diligence and research activities were conducted by the project team, which resulted in the identification of 3 potential solution options to be considered in more detail in the project business case, along with the key considerations that must be taken into account when assessing and evaluating the various solution options. These activities included:
· Examining reports on outcomes and learning from similar projects undertaken by other local government authorities across Australia
· Interviews and meetings with representatives from other councils who have undertaken or are undertaking similar projects
· Reviewing outcomes and learnings from other projects undertaken by ICC
· Researching examples of good governance structures utilised for significant business change projects
· Leveraging and enhancing the good governance and business change approach introduced by the Business Transformation Program
· Consideration of the application of the Best Practice Guide from the recent QAO report to Parliament (Effectiveness of the State Penalties Enforcement Registry ICT Reform) to this project
The most important learning from both past ICC projects and projects being undertaken by other councils, is the fact that this is not an ICT project, but is a significant organisational transformation and therefore the effort required for change management is substantial. The following points will be critical to the success of the project:
· Dedicated and expert change management resources must be allocated to the project for its duration
Mitigation: This has been partially mitigated through the current allocation of an internal change resource, supported by the People and Culture Branch.
· Senior leaders must not only participate in the change but must also lead it, in order to increase its effectiveness and drive results within the organisation
Mitigation: A change strategy has been developed and approved for the project, which incorporates the adoption of PROSCI methodology.
· Change management is a continuous activity – it is a significant component of the actual project implementation but must also be continuous post implementation if Council is to realise true value from the solution implemented
Mitigation: Ensure the change strategy for the project clearly reflects the requirement for ongoing change management.
· Establishment of a Project Advisory Group
Taking into consideration the fact that this is an organisational transformation project, it is important that early business ownership is established. The project team has established a Project Advisory Group consisting of 2-3 representatives from each department across Council. The group will act as an Advisory Group for an initial 6 months after which it will move into a Working Group. A robust Terms of Reference has been established to support this group.
The group has commenced meeting fortnightly, with one of the first tasks assigned to members being to come up with a new project name that better reflects the intent of what we are trying to achieve (i.e. organisational transformation, not an IT project).
· Understanding Required Project Outcomes & Development of Business Case
During the course of delivering Stage 1 of the project, the project team has presented a number of reports to the ICT Steering Committee outlining various options and approaches available for proceeding with the development of the project business case.
A challenge for the team has been ensuring that there is clear consensus and understanding amongst members of the ICT Steering Committee as to why Council is undertaking the Platform Project and what we see as the key organisational outcomes we want to achieve.
As a consequence of discussions arising from the submission of these reports, and in an attempt to address the ‘why’ of undertaking the project, it was agreed that a workshop be held with the members of the ICT Steering Committee. The purpose of the workshop was to clarify the implications of, and add a level of confidence to, any decisions required in order for the project to progress with the development of the business case.
The workshop was held on 30 July 2020 with the following key outcomes being achieved:
· Clear agreement on the reasons for ‘why’ we are embarking on this project
· Project business case
  - Agreement on the solution options to be explored in the business case
  - Decision to proceed with a two-step approach to the delivery of the project business case:
    1. Preliminary Business Case
    2. Detailed Business Case
  - Agreement on the utilisation of the services of a Business Partner to assist with the development of the project business case. One of the advantages of engaging a business partner will be the mitigation of some of the extreme project risks around:
    - Understanding current state & pain points
    - Defining target state
    - Identifying business benefits
    - Capturing project implementation issues & costs
    - Providing access to necessary skills & experience to mitigate gaps in internal knowledge & capability, and to identify likely issues needing to be addressed
This report and its recommendations are consistent with the following legislative provisions:
Local Government Act 2009
As this report is for information only, there are no risks associated with the recommendation. However, high level initial risks have been identified in accordance with the ICC Project Risk Management Manual and are attached to this report.
As this report is for information only, there are no financial/resource implications of the recommendation.
For Stage 1, consultation has been undertaken with:
· CEO
· General Manager, Corporate Services (Project Sponsor)
· ICT Steering Committee members
· Members of the ICT Management Team
· Chief Audit Executive
· Members of the Project Advisory Group
It is intended that a full stakeholder impact assessment will be undertaken as part of the change management activities for the project.
The next step for the Platform Project is to develop the preliminary business case. In keeping with the decision made by the ICT Steering Committee to engage a business partner to assist with this, the project team is working to develop a detailed specification for the engagement along with a supporting strategy for the related procurement activity. Both will be presented to the ICT Steering Committee for approval to proceed.
1. Stage 1 - Summary of Preliminary Findings
2. Project Risk Register - July 2020
Anna Payne
Program Manager (Business Improvement)
I concur with the recommendations contained in this report.
Sonia Cooper
General Manager Corporate Services
ITEM: 14
SUBJECT: People and Culture update - progress of the implementation of the People and Culture Strategic Plan 2019 - 2021
AUTHOR: Business Operations and Employee Relations Manager
DATE: 7 August 2020
This is a report concerning progress in the implementation of the People and Culture Strategic Plan 2019-2021.
That the progress in the implementation of the People and Culture Strategic Plan 2019-2021 be noted by the Audit and Risk Management Committee.
People and Culture Branch
Listening, leading and financial management
- The People and Culture Branch is committed to the implementation of the People and Culture Strategic Plan 2019-2021 in addition to business as usual activities across all teams.
- Progress updates are now in place for all activities, with some items moved in priority based on Executive Leadership Team feedback and resource availability. The majority of actions are on track for delivery.
- The attached presentation is the six (6) month review of the implementation activities against the P&C Strategic Plan.
- In addition, the People and Culture Branch is delivering through the development of new Administrative Directives and Procedures for key employee matters.
This report and its recommendations are consistent with the following legislative provisions:
Not Applicable
The People and Culture Branch leadership and key team members are committed to the implementation of this Strategic Plan. However, the volume of workplace relations matters, the management of requests for organisational change and the need for training and general service reviews impact on the resource availability to meet the requirements.
All projects are able to be funded through the 2020-2021 People and Culture Branch budget.
The strategic plan and implementation actions have been shared with the Executive Leadership Team with regular monthly updates in relation to the progress of initiatives.
The implementation of the plan is an excellent performance target for the Branch. Key milestones have been achieved by the Organisational Development Section and the Workplace Safety and Wellbeing Section in regard to development of training programs and development of new procedures for the workplace. The feedback from the leadership team in regard to the support of People and Culture Business Partners across a range of HR matters remains highly positive and the team is enjoying the welcome approach from all levels of the organisation.
1. People and Culture ARMC update
Nick Sheehan
Business Operations and Employee Relations Manager
I concur with the recommendations contained in this report.
Paula Perry
Manager, People and Culture
I concur with the recommendations contained in this report.
Sonia Cooper
General Manager Corporate Services
ITEM: 15
SUBJECT: Protecting the personal information of our customers and employees
AUTHOR: Governance Manager
DATE: 3 August 2020
Executive Summary
This is a report to the Audit and Risk Management Committee providing information on how Ipswich City Council protects the personal information of customers and employees in accordance with the Information Privacy Act 2009.
Recommendation/s
That the report to the Audit and Risk Management Committee providing information on how Ipswich City Council protects the personal information of customers and employees in accordance with the Information Privacy Act 2009 be noted.
RELATED PARTIES
Not applicable.
Advance Ipswich Theme
Listening, leading and financial management
Purpose of Report/Background
The purpose of this report is to inform the Audit and Risk Management Committee on how Council protects the personal information of customers and employees. It is noted here that information in relation to the security of data contained on Council’s network is not included in this report.
The report will discuss Council’s obligations, under the Information Privacy Act 2009 (IP Act), in relation to personal information and proposed initiatives to increase Council’s personal information culture, capabilities and practices in accordance with the areas outlined below:
1. Information Privacy Act 2009
1.1 What is Personal Information?
1.2 The Rights of Individuals under the IP Act
1.3 Council’s Privacy Protection Obligations under the IP Act
2. How does Council protect personal information?
2.1 Information Privacy Policy and Procedure
2.2 Staff Training and Awareness Campaign
2.3 Privacy Breach Management and Notification
3. Proposed initiatives to improve Council’s personal information culture, capabilities and practices
3.1 Develop a Privacy Strategy
3.2 Inclusion of appropriately skilled privacy representation on Council’s Data Governance and advisory Group and ICT Steering Committee
3.3 Develop a Council-centric Information Privacy training program, “Manager Tool Kit” and communication plan
3.4 Inclusion of Privacy Impact Assessments (PIA) in Council’s project management methodology
3.5 Gap analysis of Policies, Procedures and Work Instructions
1. Information Privacy Act 2009
The IP Act provides for the protection of personal information collected and held by Queensland Government agencies (which includes local governments) and provides rules for what these agencies must and may do with personal information.
1.1 What is personal information?
The IP Act defines personal information as:
“information or an opinion, including information or an opinion forming part of a database, whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.”
1.2 The Rights of Individuals under the IP Act
The IP Act provides individuals with the following rights:
· the right to expect agencies to meet their privacy obligations and protect the personal information of individuals, and to make a complaint to the agency if they do not;
· the right to make a privacy complaint to the Information Commissioner where the individual believes an agency has failed to comply with their privacy obligations and the individual believes the agency has not addressed their initial complaint;
· if mediation is unsuccessful or the Information Commissioner does not believe that resolution of the complaint can be achieved through mediation then the complainant must be given written notice reflecting this decision. The complainant then has the right to ask the Information Commissioner to refer the privacy complaint to be heard by the Queensland Civil and Administrative Tribunal (QCAT);
· the right, for a complainant or respondent to a privacy complaint, to request a written and certified record of a mediated agreement resolving a privacy complaint;
· the right, for a complainant or respondent to a privacy complaint, to file a copy of a certified agreement with QCAT.
1.3 Council’s privacy protection obligations under the IP Act
The IP Act imposes the following privacy protection obligations on Council:
· complying with Information Privacy Principles;
· only transferring personal information outside of Australia in compliance with section 33 (refer Attachment 1) of the IP Act;
· taking the necessary steps to have contracted service providers adhere to the privacy principles where required by section 35 of the IP Act (refer Attachment 1);
· dealing with privacy complaints by individuals in a timely and responsive manner;
· complying with any compliance notice issued by the Information Commissioner;
· complying with the conditions of any public interest approval issued by the Information Commissioner under section 157 of the IP Act (refer Attachment 1).
2. How does Council protect personal information?
Council has adopted policies to ensure compliance with the IP Act. Procedures and Work Instructions are also available to staff, along with training in the obligations under the IP Act. Staff are able to access these resources on Council’s intranet for employees, The WIRE.
Council’s external website has been designed in accordance with the Office of Information Commissioner Guidelines to ensure external parties can easily access information such as:
· Council Policies
· Local Laws
· Works and Projects
· Online Services
· Privacy Statement
· Right to Information
· Lodging a Right to Information (RTI) and IP Application
· Amending Personal Information
· Publication Scheme
Council’s Privacy Statement and Information Digest are accessible on Council’s home page. The Privacy Statement (refer Attachment 2) explains:
· Council’s commitment to respect the privacy and personal information held by Council;
· the definition of Personal Information
· how Council will collect and use personal information
· the conditions (as per the IP Act) under which Council is allowed to disclose personal information
· how Council stores personal information
· accessing your personal information
· how to lodge a complaint about how Council has handled an individual’s personal information.
Council’s Personal Information Digest (refer Attachment 3) summarises in general terms, the kind of information held by Council, and how this information is managed. It assists individuals in finding out what kinds of information Council holds about them, why this information is held, how this information is held and how this information is managed by the agency.
2.1 Information Privacy Policy and Procedure
Council’s Information Privacy Policy (refer Attachment 4) applies to all personal information collected, used and stored by Council in every aspect of its operations and performance. The Policy states all elected representatives and Council officers, regardless of their employment status, (full time, part time, casual, contract or volunteer) are bound by the Principles of the IP Act.
In accordance with the Policy, Councillors and staff must not:
· divulge the personal information of a customer or staff member to third parties outside of Council, for their independent use unless the person to which the information relates has authorised, in writing, for Council to do so, or the disclosure is required or allowed by law.
· make available in the public forum the personal information without the express written permission of the customer and other individuals detailed in any correspondence or collected in any way.
Council’s Information Privacy Procedure (refer Attachment 5) outlines how Council will improve processes relating to public access to personal information, whilst protecting individual privacy and other public interest issues. The Procedure assists councillors and staff to protect the privacy of individuals by taking reasonable steps to ensure that the collection, use, handling, disclosure and disposal of an individual’s personal information complies with relevant legislation. The Procedure states that to ensure legislative compliance councillors and staff will:
· adhere to the privacy principles set out in the IP Act in relation to protection of personal information including use, handling, collection, disclosure and disposal of personal information;
· establish security safeguards for personal information to protect against loss, misuse or modification or disclosure of sensitive or personal information;
· utilise appropriate processes to ensure personal information is correct and up to date and that disclosure is appropriate;
· utilise appropriate and lawful methods for the collection, storage and disposal of documentation containing personal information;
· establish processes for people to amend incorrect personal information;
· utilise collection notices to advise and record why, how and when personal information is to be used and stored for Council purposes;
· offer customer contact and support with council officer for privacy issues;
· provide information to the public on how to gain access to information and types of categories of personal information held by Council;
· follow a documented process for managing privacy breaches and privacy complaints which is available to Council officers and the public;
· utilise complaints to further improve privacy practices;
· maintain tracking data of persons seeking information and utilising data for reporting purposes;
· ensure administrative delegations in relation to information privacy functions are clearly defined and updated along with a clear authorisation process;
· appoint person/s responsible for maintaining systems for recording, tracking and monitoring information privacy applications and review;
· conduct regular training to council staff, including new staff, regarding information privacy processes and principles at Council induction. Formulate a complaints handling process to identify opportunities for improvement and implement performance management tools to monitor effectiveness of right to information privacy functions;
· undertake sufficient search processes and encourage efficient and accurate record keeping systems to avoid unnecessary non-disclosure;
· make qualified decisions regarding applications outside scope of the IP Act and provide notification to applicants regarding refusals or applications for amendments. This includes employing the Public Interest Test to determine public interest or harm issues;
· undertake internal review process ensuring procedures are in place to provide for tracking of timeframes and timely notification to applicants as well as utilising prescribed written notices of results including a statement of reasons, for decisions;
· ensuring proof of identity processes are followed in relation to applications;
· complying with the Office of the Information Commissioner (OIC) where required, in relation to reviewable applications and/or external audits by providing information requested by the OIC, from time to time; and
· compliance with annual reporting requirements identified in the legislation.
2.2 Staff Training and Awareness
All new starters undertake induction training which includes information on an employee’s responsibilities and obligations under the Right to Information Act 2009 (RTI Act) and the IP Act. Council ensures that all staff receive regular training that explains their obligations on the fair collection and handling of personal information in line with all relevant legislation and Council policies.
Council liaises with the OIC to purchase online training modules which are delivered via E-Hub for office based staff. Field workers attend tool box talks, where their obligations under the RTI Act and IP Act in relation to personal information of customers and fellow employees are discussed.
Both the Councillor Code of Conduct and Employee Code of Conduct discuss the misuse of information for personal benefit or the benefit of another or to the detriment of another person and the consequences if such misuse occurs.
2.3 Privacy Breach Management and Notification
A privacy breach occurs when there is a failure to comply with one or more of the privacy principles set out in the IP Act due to:
· a technical problem
· human error
· inadequate policies and training
· a misunderstanding of the law
· a deliberate act
· loss, theft or mistaken disclosure of personal information (for example, a USB flash drive is lost or an email is sent to unintended recipients).
The IP Act does not impose a mandatory obligation on agencies to notify the OIC or affected individuals in the event of a privacy breach. However, agencies are strongly encouraged to notify OIC of a breach.
Council has self-reported two (2) privacy breaches to the OIC since 2017. Council managed the breaches as per the OIC’s Privacy Breach Guidelines and provided the required Privacy Breach Report (the Report) to the OIC. The Report requires Council to respond to the following questions:
· What are the circumstances of the breach?
· What is the type and amount of personal information involved in the breach?
· What action has been taken to contain or control the breach?
· What is the potential harm for the affected individuals?
· Are the affected individuals aware that the breach has occurred?
· Who has been notified about the breach?
· What changes will be implemented to prevent or reduce the risk of a reoccurrence?
Following the OIC review of the Privacy Breach Report for each of the events, the OIC advised Council in writing that:
“Council’s prompt action in investigating the circumstances of the breach once notified is acknowledged. This Office concurs with Council’s evaluation of the breach and considers the steps taken to prevent or reduce the risk of reoccurrence in matters such as this to be satisfactory.”
3. Proposed Initiatives to improve Council’s personal information culture, capabilities and practices?
3.1 Initiative: Develop a Privacy Strategy
In June 2020, Council asked its contracted service provider, Redman Solutions, to provide a Privacy Impact Assessment (PIA) on the Transparency and Integrity Hub (refer Attachment 6). Redman Solutions engaged the specialist privacy consultancy Ground Up Consulting Pty Ltd to conduct the PIA.
Recommendation 1 of the PIA was:
a) Increase visibility of and support for privacy at all executive, management and staffing levels by developing and formalising a privacy strategy.
b) Operationalise the privacy strategy through a comprehensive program of work focused on privacy acculturation, roles and responsibilities, outcomes-based activities, internal consultation pathways and targeted training across a range.
The strategy could include core Council values around privacy (complementary to those set out in Council’s Leadership Charter) and a commitment to adopt a workable structure for privacy management. The structure could include a privacy management framework, privacy maturity model deployed across businesses, a review of the functional location and leadership requirements for a privacy team and privacy resourcing in the short and longer term.
Action: This recommendation of the PIA has been accepted and the General Manager, Corporate Services is considering the timing for implementation in light of other priorities and available resources.
Initiative: Inclusion of appropriately skilled privacy representation on Council’s Data Governance and Advisory Group and ICT Steering Committee
The mandate of the Data Governance and Advisory Group (DGAG) is to provide a critical touch point for decisions relating to operationalising the Hub. DGAG membership comprises senior accountable decision makers, for the purpose of assessing the broader data governance environment at Council and identifying any data projects, programs, proposals and the like that require a degree of oversight.
The objectives of the ICT Steering Committee (ICTSC) are to promote and assure:
Objective | Description
Alignment with Whole of Council Governance | · Ensure that ICT-related processes and decisions have appropriate oversight and transparency; · Compliance with legal, contractual and regulatory requirements is supported; and · Governance requirements for whole of Council are met.
ICT Portfolio Benefits Delivery | · Oversight of ICT-related initiatives, services and assets; and · Reliable and accurate capture and reporting of costs and benefits (forecast, planned and actual).
Risk Optimisation | · ICT-related risks, both individually and collectively at the portfolio level, do not exceed the Council’s risk appetite and risk tolerance; · The impact of ICT risk to Council’s value propositions are identified and managed; and · The potential for compliance failures is minimised.
Resource Optimisation | · Required resources to undertake ICT-related activities are reasonably identified and planned so as to optimise resources across the resource management lifecycle; · Sourcing and assignment of ICT-related resources is undertaken in an efficient manner; and · Resources assigned to ICT-related activities (delivering initiatives and services) represents optimal value-for-money.
Stakeholder Engagement | · Identification of business needs, improvement identification and the development of ICT-related strategies and plans; · Advocates of the ICT strategy, roadmap and execution plans; and · Promote coordinated and collaborative business participation with ICT-related matters.
Ground Up believes “privacy (represented by a person or collective) must have a confirmed “seat at the table” and privacy must be treated as a key consideration before initiatives involving personal information progress beyond early planning stages, and at appropriate junctures thereafter”. This prompted their second recommendation, that Council:
Formally expand the new Data Governance and Advisory Group membership and the ICT Steering Committee membership to include appropriately skilled privacy representation.
Action: This recommendation of the PIA has been accepted and the General Manager, Corporate Services is considering and will direct relevant action to be taken.
3.2 Initiative: Develop a Council-centric Information Privacy training program, “Manager Tool Kit” and communication plan
Governance Section will work with People and Culture Branch to design Ipswich City Council centric information privacy training to be delivered face to face or online via E-Hub. By utilising real Council examples and scenarios in relation to the misuse of personal information and good decision-making, staff will be able to apply the legislative requirements and obligations to real work activities, and be more engaged in the learning process while increasing their information privacy capabilities.
All Level 3 and 4 Managers will be provided with ‘Tool Kit’ resources to continue discussions with staff regarding their obligations under the RTI and IP Acts in relation to information privacy. The intent is that managers will have a regular agenda item regarding legislative compliance on monthly Branch and Section Meeting agendas. Topics provided in the ‘Tool Kit’ will range from RTI and IP, Public Interest Disclosure Act, Local Government Act, Risk and Fraud Management and Identification etc.
An online communication plan will also be prepared and rolled out regarding RTI and IP legislation requirements and obligations for employees, misuse of Council information and breaches of privacy and the possible consequences of a breach.
The Governance Section will be more actively involved in Department and Branch meetings to further promote staff awareness of legislative obligations generally, including the misuse of information.
Staff will also have access to a “one source of truth” intranet site titled Legislative Compliance, hosted by the Legal and Governance Branch. This site will be promoted throughout the organisation as the ‘one stop shop’ as well as identifying who in the Governance Section staff can contact for advice and guidance.
Action: This initiative will be a deliverable of the Strategic Maturity of Corporate Governance Project, which will commence implementation in the first half of August 2020.
3.2 Initiative: Inclusion of Privacy Impact Assessments (PIA) in Council’s project management methodology
A PIA is beneficial for projects that will deliver a new or changed way of handling personal information. Undertaking a PIA allows Council to assess, and where necessary, identify ways in which the obligations set out in the IP Act can be met.
Governance Section will prepare a report for the Executive Leadership Team to discuss the benefits and impacts of including PIAs in Council’s project management methodology. If approved, project management documentation would need to be amended to include the PIA requirement and a training program developed and rolled out to staff responsible for leading projects.
It should be noted that this initiative correlates with Recommendation 3 of the Transparency and Integrity Hub PIA report, which states:
a) Prioritise the review and implementation of the Project Management Office Privacy Threshold Assessment (PTA) process, whereby privacy is treated as a mandatory gate in the project management cycle (triggering a formal PIA where necessary).
b) Conduct specialist training on privacy assessment (PTA and PIA) in project management.
c) Once finalised, implement the PTA process broadly across ICC as a strategic policy matter.
Action: Governance Manager to prepare report through General Manager, Corporate Services to Executive Leadership Team regarding the implementation of the initiative / recommendation.
3.4 Initiative: Gap analysis of RTI and IP Procedures and Administrative Directives and implement recommendations
A gap analysis of current Council procedures and Administrative Directives will be undertaken to identify RTI and IP processes that have not been adequately documented or placed in ProMapp. The Procedures and Administrative Directives identified will then be developed and included in any training programs.
Action: This initiative will be a deliverable of the Strategic Maturity of Corporate Governance Project, which will commence implementation in the first half of August 2020.
Legal/Policy Basis
This report and its recommendations are consistent with the following legislative provisions:
Right to Information Act 2009
Right to Information Regulation 2009
Information Privacy Act 2009
Information Privacy Regulation 2009
Public Records Act 2002
Local Government Act 2009 – section 171(3) use of Information by Councillors
Local Government Act 2009 – section 200(5) use of information by local government employees
Ipswich City Council Code of Conduct for Employees
Councillor Code of Conduct
Complaints Management Policy
Risk Management Implications
Information is at the very heart of Council’s operations. Most service delivery activities, all decision-making and planning activities are founded on collaborative and timely access to information. Quality information management establishes a basis of trust and confidence with customers and employees that Council serves and complies with the Public Records Act 2002, the RTI Act and the IP Act which are the cornerstones of an open, accountable, timely and participatory local government.
Council’s responsibility to protect personal information needs to be a key responsibility for all councillors and staff. The proposed initiatives will promote the growth of a personal information culture for our organisation, improve staff information privacy skills and knowledge and position Council to be considered a best practice organisation that respects and protects an individual’s personal information.
Financial/Resource Implications
Not applicable.
Community and Other Consultation
Not applicable.
Conclusion
Fostering a culture of personal information and providing councillors and staff with the necessary education and resources to understand their obligations under the IP Act to ensure the safety of an individual’s personal information is a continuous process for Council that requires our senior leaders to support current and future RTI Act and IP Act initiatives.
Attachments and Confidential Background Papers
1. Extracts from the Information Privacy Act 2009
2. ICC Privacy Statement
3. ICC Personal Information Digest
4. Information Privacy Policy
5. Information Privacy Procedure
6. Transparency and Integrity Hub Privacy Impact Assessment
Angela Harms
Governance Manager
I concur with the recommendations contained in this report.
Tony Dunleavy
Manager Legal and Governance (General Counsel)
I concur with the recommendations contained in this report.
Sonia Cooper
General Manager Corporate Services
“Together, we proudly enhance the quality of life for our community”
ITEM: 16
SUBJECT: Conflicts of Interest for Employees
AUTHOR: Governance Manager
DATE: 7 August 2020
This is a report concerning Council’s Conflicts of Interest for Employees framework.
That the report be received and the contents noted.
There are no conflicts of interest related to this report.
Listening, leading and financial management
Both the Business Transformation Program and an internal audit of Council’s approach to managing conflicts of interest identified a need for the development of an overarching framework relating to employee conflicts of interest, including a policy and procedure.
Under the Public Sector Ethics Act 1994, conflicts of interest are required to be resolved in the public interest. This requirement has been embedded into Council’s Employee Code of Conduct, and within 16 Council policies and procedures. However, there was no overarching policy that provided a clear statement about managing employee conflicts of interest or the impact on their roles and responsibilities.
The need to address conflicts of interest was recognised as part of the Business Transformation Program (BTP), and incorporated into the Risk Management Project but was not finalised prior to the closure of the BTP. A significant amount of work was undertaken to draft a conflicts of interest policy, however the policy was not finalised prior to the closure of the Business Transformation Program.
Leveraging from the research and work of the BTP Project, a framework, policy and associated components that make up an overall framework for conflicts of interest for employees has now been completed.
The principles that underpin the conflicts of interest for employees framework are included in the Public Sector Ethics Act 1994 and the Local Government Act 2009 including:
· Ensuring decision-making is carried out in the public interest;
· Good governance of and by the local government; and
· Integrity and impartiality.
Council’s framework for managing conflicts of interest for employees includes:
· A ‘Conflicts of Interest for Employees’ policy, which outlines:
- a clear direction for employees with regard to conflicts of interest
- a clear direction on how the organisation will manage conflicts of interest for employees
- roles and responsibilities
· A supporting procedure
· An online form for staff to disclose and update conflicts of interest
· A centralised register of conflicts of interest for employees maintained by Governance Section
· A communication plan to ensure effective messaging for employees.
The components of the framework are compatible with Human Rights Act 2019 requirements and obligations.
The Conflicts of Interest for Employees Policy (refer Attachment 1) was adopted by Council on 28 July 2020.
Next Steps
In accordance with the requirement in Council’s Policy and Procedure Guide that all policies should have a supporting procedure, a draft Conflicts of Interest for Employees – Identifying, Disclosing, Managing and Monitoring Procedure (refer Attachment 2) has been prepared and is in the final stage of approval by the General Manager, Corporate Services.
An organisation-wide communications and training plan has been prepared to ensure staff are aware of their responsibilities, new policy, procedure and online form – with a view to have communications ‘go live’ by end of August 2020.
Governance Section is currently liaising with the various departments responsible for the identified 16 policies and procedures that need to be reviewed and amended to align with the new policy and procedure. It is anticipated this work will be completed prior to the ‘go live’ date of the communication plan.
Opportunities to continue to increase maturity within the organisation with regard to conflicts of interest are being supported, with conflicts of interest included in the scope of the Strategic Maturity of Governance Project. This new project addresses a number of outstanding, however important, governance related outcomes still to be finalised following the closure of the Business Transformation Program.
This report and its recommendations are consistent with the following legislative provisions:
Public Sector Ethics Act 1994
Local Government Act 2009
Conflicts of interest pose a potential reputational and corruption risk to Council. Council’s ‘Conflict of Interest’ framework with supporting policy and procedure places Council and its employees in a strong position to be able to identify, manage and monitor actual, potential and perceived conflicts of interest.
There are minimal financial implications associated with embedding the framework into the organisation; any costs will be absorbed internally through existing resourcing.
The Conflicts of Interest for Employees Policy and supporting draft Procedure have been reviewed internally by key stakeholders from the following areas within Council:
· Corporate Services: Procurement, Risk Management, Corporate Governance, People and Culture, Finance, Legal Services;
· Coordination and Performance: Internal Audit, Performance, Business Transformation Program Risk Management Team members;
· Planning and Regulatory Services;
· Infrastructure and Environment; and
· Community, Cultural and Economic Development.
Feedback received internally has been incorporated into the policy and associated components of the overall framework for conflicts of interest for employees.
Conflicts of interest are required to be resolved in the public interest. Council now has in place an overarching framework, supported by a policy and procedure for the management of conflicts of interest for employees, which ensures Council has the appropriate level of rigour around the management of conflicts of interest for employees.
1. Conflicts of Interest for Employees Policy
2. Draft Conflicts of Interest Employees - Identifying, Disclosing, Managing and Maintaining
Angela Harms
Governance Manager
I concur with the recommendations contained in this report.
Tony Dunleavy
Manager Legal and Governance (General Counsel)
I concur with the recommendations contained in this report.
Sonia Cooper
General Manager Corporate Services
ITEM: 17
SUBJECT: ICT Branch Governance and Controls Framework
AUTHOR: ICT Strategy, Enterprise Architecture and Governance Manager
DATE: 21 July 2020
This is a report concerning the status and focus areas for development in the Information and Communication Technologies (ICT) governance controls framework.
That the Audit and Risk Management Committee note the key elements of the Information and Communication Technologies governance controls framework and the ongoing focus areas for improvement.
ARMC has requested an update on ICT governance, focussing on:
· IT infrastructure and operations (including personal computing, cloud applications and any outsourced IT)
· Security of Data and Software (including access and cyber security)
· System development
· IT Governance
Figure 1 (larger version at Attachment 1) provides an overview of Council’s business applications and technology portfolio. Key aspects of the portfolio to note are:
· 284 different technologies/applications/modules have been identified:
o 93 enterprise applications/modules
o 106 line-of-business applications/modules
o 62 technology and infrastructure components (eg network, servers or storage related)
o 23 different applications in the standard desktop/laptop build (eg Microsoft Word or Adobe PDF reader)
· Of these 284 items, 102 have been identified as critical (Tier 1) to ongoing Council operations.
· There are approximately 220 individual servers, and ~250 terabytes of data storage in the major datacentre (Polaris). The majority of these servers, and all data/databases, are backed up to an off-site facility.
· Council network and infrastructure are protected via a mature suite of technologies (firewalls, proxies, anti-virus, intrusion detection etc). ARMC are advised that while market leading security solutions are in place there have been ongoing issues with the quality of security services and outcomes by the outsourced service provider (DXC Technology). ICT Branch is managing a project to migrate services to a new outsourced provider (Telstra) and expect to complete this migration before 30 November 2020.
· There are +50 systems (subject to further classification and analysis) that may be classified as ‘Recordkeeping Systems’ as per current policy definitions.
· 49 systems have been identified that contain (subject to further classification and analysis) Personally Identifiable Information (PII). For clarity, most legislative obligations for managing ICT systems and data are directly related to systems that manage PII.
· 105 applications or services are hosted, either partially or fully, ‘in the cloud’.
· The corporate network currently spans to 37 discrete sites (buildings, depots, libraries etc) across the greater Ipswich Council region.
· There are currently 1100 laptops/PCs across the network with full remote access available to all laptops.
Figure 1: Council ICT Infrastructure and Systems Overview
The ICT Strategy 2019-2024, developed as a key outcome of Business Transformation Project #x, identified a number of critical gaps in ICT governance and related controls, and two initiatives were framed in the roadmap to address these gaps:
· ICT Steering Committee (ITGOV01)
· Rebuild ICT Governance & Controls Function (ITGOV02)
Figure 2 (larger version at Attachment 2) provides an overview of the governance and controls framework ICT Branch is developing in response to the needs outlined in the ICT Strategy. This framework addresses the full spectrum of ICT Branch functions and considers strategic, tactical and operational perspectives.
Figure 2: ICT Governance and Controls Framework Overview
Figure 3 (larger version at Attachment 3) summarises the main features, current state observations and improvement opportunities for each of the 8 elements of the ICT Governance and Controls Framework.
Figure 3: ICT Governance Framework – Key Observations and Opportunities
In considering and developing the larger suite of ICT controls, ICT Branch is leveraging an open/industry standard framework (COBIT). This framework provides a robust and established suite of 210 ‘practices’ against which ICT functions can frame, evaluate and develop internal controls. Figure 4 (larger version at Attachment 4) provides an overview of this framework and identifies 5 Critical, 7 High and 4 Medium ‘process families’ that are the focus of ongoing improvements within ICT Branch.
Figure 4: ICT Controls Framework – Structure and Priority for Development
Attachment 5 provides a current-state report on the ongoing effort to review/update ICT Branch Directives and Procedures.
Attachment 6 provides an overview of the InfoSec Framework used by ICT Branch to plan for and coordinate end-to-end InfoSec capability alignment and development. The framework considers 75 individual capabilities across 5 categories. Current state assessment identifies and prioritises capabilities for development and currently reports 8 Critical and 25 High capabilities requiring uplift. All Critical and most High have active and funded remediation planned or effort underway. An extended view of the attached InfoSec Framework addresses full responsibility and accountability, including across key outsourced service providers, for InfoSec capability and outcomes.
Internal Audit has recently conducted an audit of Council’s “Cyber and Digital Security” capability. The final report has not been presented; however, a review of the draft findings reflects a strong correlation of capability and gaps as identified in the attached InfoSec Framework.
1. Council ICT Infrastructure and Systems - Overview
2. ICT Governance and Controls Framework - Overview
3. ICT Governance Framework – Key Observations
4. ICT Controls Framework – Structure and Priority for Development
5. ICT Branch Directives and Procedures
6. Council InfoSec Controls Framework
7. Presentation to 19 Aug 2020 ARMC - IT General Control Framework
Rob Stower
ICT Strategy, Enterprise Architecture and Governance Manager
I concur with the recommendations contained in this report.
Sylvia Swalling
Chief Information Officer
I concur with the recommendations contained in this report.
Sonia Cooper
General Manager Corporate Services
ITEM: 18
SUBJECT: Transparency and Integrity Hub Implementation Report
AUTHOR: Chief Information Officer
DATE: 10 August 2020
This is a report providing an update on the implementation of the Transparency and Integrity Hub (Hub) in line with Council’s resolution on 27 April 2020. The Hub was successfully implemented by Council on 1 July 2020. The direct cost of the implementation of the Hub with the contracted service delivery partner, Redman Solutions, was $189,687. An additional $57,800 was expended in order to undertake necessary due diligence in the implementation of the Hub, including the gathering of advice and the costs of an independent Privacy Impact Assessment (PIA).
That the Audit and Risk Management Committee receive and note the report on the implementation of the Transparency and Integrity Hub in line with Council’s resolution of 27 April 2020 and note that the Hub was successfully implemented on 1 July 2020.
There were no declarations of conflicts of interest by decision-makers in the course of implementation of the Transparency and Integrity Hub.
Listening, leading and financial management.
Council resolved at its meeting on 27 April 2020 to enter a new era of transparency and integrity for Ipswich City Council through the implementation of a Transparency and Integrity Hub. Mayor Harding moved a Mayoral Minute detailing the following actions, that Council:
A. Establish and implement the Ipswich City Council Transparency and Integrity Hub, a digital portal that enables the publication of the financial data displayed as contemporary open data (intuitive, interactive, auditable and downloadable by selection) suitable for public consumption. The Transparency and Integrity Hub will enable the underpinning principles and Hub deliverables and will be launched by 1 July 2020.
a. Underpinning Principles
i. Adopt global best practice approach to open and transparent public sector financial management
ii. Demonstrate responsible and transparent governance and decision-making
iii. Enable data-driven decision making and rebuild public and stakeholder trust
b. Hub Deliverables
i. Publish as near to real-time financial data for Ipswich City Council in an open, transparent, interactive portal including, at minimum:
1. Previous five financial years financial data including detailed project income and expenditure financial data for major projects i.e. The Smart City Program
2. Council’s 2020-2021 Budget, once adopted
3. Quarterly financial reporting against the budget
c. Publish detailed income and expenditure financial data for all current and past Council beneficial (controlled) entities enabling comparison over the previous five financial years, including:
i. Ipswich City Developments Pty Ltd (deregistered) ABN 155 142 288
ii. Ipswich City Developments Pty Ltd (deregistered) (former name Ipswich City Developments Enterprises Pty Ltd) ABN 167 100 441
iii. Ipswich City Enterprises Pty Ltd ABN 095 487 086
iv. Ipswich City Enterprises Investments Pty Ltd ABN 127 862 515
v. Ipswich City Properties Pty Ltd (in Members Voluntary Liquidation) ABN 135 760 637
vi. Ipswich Motorsport Park Pty Ltd (deregistered) (former name Ipswich Motorsport Precinct Pty Ltd) ABN 611 160 902
d. Publish all contracts valued $200,000 or more (excluding GST) for a rolling period of five consecutive years. New data will continue to be published monthly (in accordance with the Local Government Regulation 2012) and the information published will be improved in alignment with best practice across Queensland and Australia. The new register will include:
i. Suppliers who tendered a response
ii. Person/company with whom Council has entered into the contract
iii. Contract number
iv. Commencement and end dates
v. Value of the contract (estimated/maximum value)
vi. Purpose of the contract / description of goods and service procured
vii. Approver / Council decision reference (i.e. link to published minutes)
e. Publish all Councillor related expenses, allowances and reimbursements for each month including contextual details of expenses incurred and purpose to enable benchmarking and comparison. Data will be published for the previous five financial years. Where travel costs have been absorbed by specific project costs, these should also be included.
B. Procure, through open tender, a suitable digital platform to enable the delivery of the Transparency and Integrity Hub, ensuring that the platform:
a. Is intuitive and user friendly, easy to maintain, secure and auditable;
b. Enables contemporary open data (intuitive, interactive, auditable and downloadable by selection);
c. Is best of breed software for the task for public sector transparency;
d. Creates efficiencies in financial data reporting;
e. Enables visualisation and context suitable for public consumption;
f. Allows data to be downloaded as CKAN Open Data;
g. Produces data in machine readable format; and
h. Directly integrates with Council systems and solutions for ease of use and rapid adoption.
C. Bring forward a review of Council’s Open Data Policy to ensure alignment with best-practice approaches to publishing financial data.
D. Prepare a report to Council (and for public viewing) on the Smart City Program including detailed project financial data for the past five financial years and the community outcomes delivered.
This motion was carried and the implementation was achieved by a multi-disciplinary Council officer project team led by the Chief Information Officer, Chief Financial Officer and Manager, Procurement with oversight by a newly formed Data Governance Advisory Group and the General Manager, Corporate Services.
The Hub was implemented from 1 July 2020 in line with the resolution of the Council, with information published to the extent considered lawful at that time. The following tactical actions were undertaken to expedite the initiative:
A. Council officers moved to finalise the scope and specifications for an invitation to tender which was open to the market for three weeks from Monday 4 May to Monday 25 May 2020.
a. After an evaluation process, including presentations by shortlisted tenderers, a supplier was approved and awarded a service contract on 4 June 2020.
b. Redman Solutions, a Brisbane based company, in partnership with OpenGov, was the successful supplier awarded the service contract.
B. On and from 4 June 2020 implementation was advanced on an urgent basis using existing available resources and those of Redman Solutions in line with the committed budgetary allocation.
C. Concurrently, Council began further reviewing its policy and procedures to enable all data and information on the Hub to be published in accordance with best-practice privacy, procurement and open data principles.
a. Council’s Open Data Policy was urgently reviewed and submitted to Council for adoption at its ordinary meeting on 30 June 2020.
b. A Data Classification Standard was created and used to document the classification and treatment of datasets published to the Hub.
c. A Data Asset Register was created to document the data assets identified for publication.
d. A Decision Register was created to document actions taken and decisions made by accountable officers and consulted stakeholders.
e. A System Administrator is in place, audit trail functionality is operational and briefing and training of employees in the operation of the Hub has been completed.
f. Council’s process mapping application, Promapp, is being used to create detailed process maps, workflow design and supporting work practices to ensure accountable, effective and efficient Hub administration.
D. Advice was sought, including the commissioning of an independent expert Privacy Impact Assessment. This Privacy Impact Assessment (PIA) from Ms Nicole Stephensen of Ground Up Consulting was received on 30 June 2020 and has in turn been published on the Hub from 1 July 2020.
a. The PIA made nineteen recommendations to Council to further strengthen its governance and achieve best practice in the management of information privacy and to support Council’s implementation of the Hub.
i. These recommendations have been included in a Change Impact Assessment for consideration and action.
ii. Recommendation 19 of the PIA focussed on Council seeking a waiver of its obligations to comply with privacy principles in the public interest. The PIA provided that having regard to Recommendations 13 – 18 of the PIA, and to facilitate the achievement of the objectives of the Hub, Council should consult with the Queensland Office of the Information Commissioner (Privacy Commissioner) on an application under section 157 of the Information Privacy Act 2009 (IP Act) for a waiver in the public interest.
1. It was recommended that the application for a waiver set out the exact nature of the departure from the IPPs, the specific personal information involved, any timeline that applies, matters of the public interest served and any other factors relevant to an application of this type. This request has been formally submitted to the Information Commissioner and is under consideration.
E. Information published to the Hub as at 1 July 2020 includes:
a. The previous five years’ revenue and expenditure financial data against the chart of accounts and the previous five financial years’ financial data including detailed project expenditure for The Smart City Program.
b. Detailed income and expenditure (excluding capital) financial data for current and past Council controlled (beneficial) entities listed above enabling comparison over the previous five financial years.
c. Contracts valued $200,000 or more (excluding GST) for the past five financial years. New data will continue to be published monthly (in accordance with the Local Government Regulation 2012) and the information published will be improved in alignment with best practice across Queensland and Australia.
d. Councillor related expenses, allowances and reimbursements for each month over the previous five financial years. Council has published only what it considers lawful at 1 July 2020 given the information management and governance practices in existence at the time of the historical information being created. In particular, steps have been taken to de-identify any data that could breach an individual person’s privacy.
F. In the publishing of historical information prior to 1 July 2020, Council has acted with particular care and diligence to ensure that it acted lawfully in the circumstances. In particular, in applying the IP Act including the IPPs, Council has acted in line with the PIA and not published information including the names of individuals and / or contextual information that would potentially lead to the identification of individuals. This information was de-identified. However, the process of de-identification has resulted in a loss of data context, making it less consumable for the public and limiting its relevance for re-use, thereby diminishing transparency and integrity.
It should be noted that there were some operational constraints that impacted the ability to fulfil some deliverables to the full extent desired and these include:
1. The real time integration capability of OpenGov is facilitated by Application Programming Interfaces (APIs). However, the dominant data source only has a production environment, which will require a data staging platform to enable the use of APIs to deliver near to real time or actual real time integration. Further digital infrastructure work is in progress to address this issue and achieve this goal.
2. Only expense and revenue data for Council and the controlled (beneficial) entities was published; balance sheet data was not published.
3. Names of suppliers who tendered but were not awarded were not able to be published under the information collection notification controls in place at the time that the data was created.
a. Council is taking steps to change the notification controls to allow this proactive disclosure in the future.
b. Contract end dates are not included as there is only system provision for one date in this data structure.
c. The Approver/Council decision reference and link to published minutes has not been included.
4. Councillor remuneration and superannuation expenses were not included. This privacy decision is now being reviewed in consideration of what information is being published on Council’s corporate website and is therefore in the public domain.
This report and its recommendations are consistent with the following legislative provisions:
Local Government Regulation 2012
Council considered privacy and legal/liability risks in the implementation of the Transparency and Integrity Hub project, and sought expert advice to mitigate and treat these risks to ensure compliance with legislative requirements.
The resolution of Council on 27 April 2020 was that $200,000 be allocated to the implementation of the Hub by 1 July 2020 and then $100,000 for subsequent years. The initial agreed service contract value for implementation of the Hub with Redman Solutions was $150,500. Additional work orders were authorised for work performed by Redman Solutions to meet the implementation deadline, taking the total to $189,687.
In addition to the direct costs of implementation of the Hub with Redman Solutions, in order to ensure that necessary due diligence was undertaken in the very short implementation timeframe, additional expenditure was authorised to a total of $57,800. This included the gathering of advice and the costs of an independent Privacy Impact Assessment (PIA).
Internal stakeholders including the Data Governance Advisory Group, the Mayor and Chief of Staff, Councillors, the Executive Leadership Team, the Finance, Legal and Governance, and Procurement Branches, the ICT Branch, and the three project working groups contributed to the successful delivery of this initiative.
Council has committed to the ongoing development of the Transparency and Integrity Hub, building on the momentum achieved by delivering the initiative by the 1 July 2020 deadline. A forward plan is being developed to ensure that the Hub delivers in full on its promise of proactive disclosure, transparency and integrity with the community it serves.
Sylvia Swalling
Chief Information Officer
I concur with the recommendations contained in this report.
Sonia Cooper
General Manager Corporate Services
“Together, we proudly enhance the quality of life for our community”
[1] This year the actual numbers were 18 audits/projects and 20 investigations/projects (the number of investigations was much larger but has been moderated due to size and complexity, and a lot of work over and above the internal audit effort was done by the CCC, the Office of the Independent Assessor and the Interim Management Committee).
[2] The number is more than the expected 32½, and a number of smaller jobs were calculated as fractions, but it is unrealistic and impractical to claim more than 100%.
[3] Contractor days are included.
[4] Total actual days worked of 952¾ divided by current normal auditor days available of 224.
[5] Only for continuity purposes to have investigators overlap to prepare and for handover of methods and intelligence.
[6] Formula to leave out pure admin and training. Actual productive days 874½ divided by days worked 952¾.
[7] The contractors’ resources and time are included and apportioned. 874½ days divided by 4.25 auditors multiplied by 7.6 hours per normal day.
[8] Does not include all costs, such as overheads for computers, office space etc., but does include the fraud hotline and Audit and Risk Management independent members’ remuneration. $761,000 divided by 874½ divided by 7.6 hours per normal day.
[9] The actual survey done in 2016 as part of the Independent Validation of the Quality Self-Assessment as done by the Institute of Internal Auditors.
[10] Surveys received back after completion of audits.
[11] Enablers adapted from COBIT 5 Enablers for Internal Control – Internal Control Using COBIT 5