Item No.	Item Title	Page No.
1	Confirmation of the Minutes of the Meeting held on 7 October 2020	11
2	Update on 2019-2020 audit of Cherish the Environment Foundation as a controlled entity of council	15
3	Update on implementation of the Conflicts of Interest for Employees Framework	19
4	Update for 2020 Audit Issues relating to Assets	23
5	Queensland Audit Office briefing paper and final management report	28
6	Planned Agenda for the Audit and Risk Management Committee for 2021	45
7	Audit and Risk Management Committee Charter	52
8	Internal Audit Charter Review	76
9	Audit and Risk Management Committee Self Assessment Results Report	105
10	**Internal Audit Branch Activities Report for the period 5 August 2020 to 6 November 2020	114
11	Report - Risk ELT Meeting No. 2020(04) of 10 August 2020	124
12	Insurance and Risk Management Update	131
13	Governance, Internal Controls and Compliance	152
14	ICT Branch Governance and Controls Framework	158
15	Transparency and Integrity Hub Governance and Controls	172
16	ICT Steering Committee	179
17	**Program Management Office Report	209
18	Nicholas Street Precinct (CBD) Redevelopment Update	211
19	People and Culture Strategic Plan Implementation (including update on culture and pulse survey results)	245
20	Next Meeting	-
21	General Business	-
22	Private Session of Member (if required)	-

Audit and Risk Management Committee NO. 5

16 November 2020

AGENDA

DECLARATIONS OF INTEREST IN MATTERS ON THE AGENDA

1. Confirmation of the Minutes of the Meeting held on 7 October 2020

Recommendation

That the Minutes of the Meeting held on 7 October 2020 be confirmed.

2. Update on 2019-2020 audit of Cherish the Environment Foundation as a controlled entity of council

This is a report concerning an update on Cherish the Environment Foundation Limited (the Foundation), a controlled entity of Ipswich City Council (council), as requested at the last Audit and Risk Management Committee meeting.

Foundation Board Directors and the Chief Executive Officer of council have agreed that the Queensland Audit Office (QAO) undertake the audit of the Foundation for 2019-2020 as a controlled entity of council.

Recommendation

That the Audit and Risk Management Committee note that the Queensland Audit Office will undertake the audit of Cherish the Environment Foundation as a controlled entity of Ipswich City Council for the 2019-2020 financial year.

3. Update on implementation of the Conflicts of Interest for Employees Framework

This is a report requested by the Audit and Risk Management Committee providing an update on the Conflicts of Interest for Employees Framework.

Recommendation

That the Audit and Risk Management Committee note the requested update on the implementation of the Conflicts of Interest for Employees Framework.

4. Update for 2020 Audit Issues relating to Assets

This is a report concerning the progress in resolving internal control deficiencies identified by the Queensland Audit Office (QAO) during the 2020 audit. The three deficiencies related to assets, specifically untimely reconciliations between the physical asset register and fixed asset register, donated assets and untimely processing of disposals when renewing an asset.

Recommendation

That the report of 5 November 2020 to the Audit and Risk Management Committee by the Principal Financial Accountant regarding the progress in resolving internal control deficiencies relating to assets be received and noted.

5. Queensland Audit Office briefing paper and final management report

This is a report concerning a briefing paper and final management report for Ipswich City Council from the Queensland Audit Office.

Recommendation

That the briefing paper and final management report be received and the contents noted.

6. Planned Agenda for the Audit and Risk Management Committee for 2021

This is a report concerning the proposed structured and planned agenda for the Audit and Risk Management Committee for the period 1 January 2021 to 31 December 2021.

Recommendation

That the 2021 planned agenda for the Audit and Risk Management Committee be adopted.

7. Audit and Risk Management Committee Charter

This is a report concerning a review of the Audit and Risk Management Committee Charter. There is only a minor change being proposed to section 8.1.2 and at the bottom of 8 as to removing the indications to the Administrator and the Interim Management Committee.

Recommendation

That the Audit and Risk Management Committee Charter as detailed in Attachment 2 be adopted.

8. Internal Audit Charter Review

This is a report concerning a proposed update of the Internal Audit Charter. There is only one proposed change under 10.1.2 to strengthen the protocol for timeous finalisation of internal audit reports.

Recommendation

That the proposed Internal Audit Charter as detailed in Attachment 2 be adopted.

9. Audit and Risk Management Committee Self Assessment Results Report

This is a report concerning the Self-Assessment conducted by the Audit and Risk Management Committee (ARMC) in October 2020.

Recommendation

That the Committee note the outcome of the Audit and Risk Management Committee Self-Assessment and discuss suggestions for improvement and confirm or specify actions to be taken.

10. **Internal Audit Branch Activities Report for the period 5 August 2020 to 6 November 2020

This is a report concerning the activities of Internal Audit undertaken during the above mentioned period and the current status of these activities.

Recommendation

That the report be received and the recommendations in Attachments 3, 4 and 5, be considered finalised and archived.

11. Report - Risk ELT Meeting No. 2020(04) of 10 August 2020

This is the report of the Risk ELT Meeting No. 2020(04) of 10 August 2020.

Recommendation

That the report be received and the contents noted.

12. Insurance and Risk Management Update

This is a report concerning Council’s insurance statistics for the period 1 July 2020 to 30 September 2020 and to provide an update on risk management.

Recommendation

A. That the report on Council’s insurance statistics for the period 1 July 2020 to 30 September 2020 be received and the contents noted.

B. That the update on Ipswich City Council’s Enterprise Risk Management be received and the contents noted.

13. Governance, Internal Controls and Compliance

Council is progressively maturing and strengthening its governance, internal controls and compliance with the broad range of legislative, policy and procedural obligations upon it.

This report provides an update to the Audit and Risk Management Committee on key governance, internal controls and compliance matters for the past quarter.

Recommendation

That the Audit and Risk Management Committee (ARMC) note initiatives and actions being implemented to mature and strengthen Council’s governance, internal controls and compliance.

14. ICT Branch Governance and Controls Framework

This is a report concerning the status and focus areas for development in the Information and Communication Technologies (ICT) governance controls framework.

Recommendation

That the Audit and Risk Management Committee note the key elements of the Information and Communication Technologies governance controls framework and the ongoing focus areas for improvement.

15. Transparency and Integrity Hub Governance and Controls

This is a report providing an update on the implementation of the Transparency and Integrity Hub (Hub) in line with Council’s resolution on 27 April 2020. The Hub was successfully implemented by Council on 1 July 2020. The direct cost of the implementation of the Hub with the contracted service delivery partner, Redman Solutions, was $189,687. An additional $57,800 was expended in order to undertake necessary due diligence in the implementation of the Hub, including the gathering of advice and the costs of an independent Privacy Impact Assessment (PIA).

Recommendation

That the Audit and Risk Management Committee receive and note the report on the implementation of the Transparency and Integrity Hub in line with Council’s resolution of 27 April 2020 and note that the Hub was successfully implemented on 1 July 2020.

16. ICT Steering Committee

This report provides an update to the Audit and Risk Management Committee on matters considered by the ICT Steering Committee (ICTSC) during the past quarter that may represent potential material risks relating to the ICT portfolio.

There is a significant ICT portfolio of work being led by the Chief Information Officer, reporting through to the General Manager, Corporate Services (GM, CS). Information Management (IM) is led by the Governance Manager reporting through the Manager, Legal and Governance Branch, to the GM, CS.

The ICTSC provides oversight for the ICT and IM portfolios and has met on a monthly basis since February 2020 and has now commenced meeting every six weeks.

Recommendation

That the Audit and Risk Management Committee receive and note the report on key matters considered by the ICT Steering Committee in the past quarter.

17. **Program Management Office Report

This is a report concerning the progress on delivery on strategic work identified within the Program of works for the Program Management Office.

Recommendation

That the report be received and the contents noted.

18. Nicholas Street Precinct (CBD) Redevelopment Update

This is a report concerning the Nicholas Street Precinct Redevelopment.

In summary the project continues to track on time and on budget. Tulmur Place will officially be opened on the 28^th of November. The new Ipswich Central Library will open on the 7^th of December. The administration building will reach practical completion in March 2021 with Council to occupy the building in June 2021.

Recommendation

That the report be received and the contents noted.

19. People and Culture Strategic Plan Implementation (including update on culture and pulse survey results)

This is a report to the Audit and Risk Management Committee (ARMC) concerning the implementation of the People and Culture Strategic Plan 2019-2021.

Following major recruitment to the People and Culture Branch between February and May 2020, good progress is now being made on the implementation of the People and Culture Strategic Plan 2019-2021, noting that it is a major program of work.

An update by way of report was provided to the ARMC for the August 2020 meeting.

A Project Management Plan has been finalised and is being implemented by the People and Culture Branch. The Program Management Office is supporting and monitoring the implementation and providing a monthly report to the Executive Leadership Team on progress against the Project Management Plan.

A presentation is attached to this report setting out progress in the implementation of the People and Culture Strategic Plan. As requested by the ARMC, this report also includes an update on work underway to enhance council’s workplace culture and the results of employee pulse surveys.

Recommendation

That the Audit and Risk Management Committee note the report and the progress in implementation of the People and Culture Strategic Plan, including an update on work to enhance workplace culture and the results of employee pulse surveys.

20. NEXT MEETING

The next meeting is scheduled for February 2021 at a time to be determined.

21. GENERAL BUSINESS

22. PRIVATE SESSION OF MEMBER (IF REQUIRED)

** Item includes confidential papers

and any other items as considered necessary.

Audit and Risk Management Committee

Meeting Agenda

16 November

2020

Audit and Risk Management Committee NO. 2020(04)

7 October 2020

Minutes

MEMBER’S ATTENDANCE: Robert Jones (External Member and Chairperson); Martin Power (External Member), Dr Annette Quayle (External Member), Deputy Mayor Marnie Doyle and Councillor Kate Kunzelmann

MEMBER’S APOLOGIES: Nil

OTHER ATTENDANCE: David Farmer (Chief Executive Officer), Steve Greenwood (Advisor to the Minister), Sonia Cooper (General Manager Corporate Services), Jeff Keech (Chief Financial Officer), Jamie Townsend (Ethical Standards Manager), Queensland Audit Office attendees – Patrick Flemming (Assistant Auditor-General Parliamentary Services) and Lisa Fraser (Director)

DECLARATIONS OF INTEREST IN MATTERS ON THE AGENDA

Nil

BUSINESS OUTSTANDING

Nil

1. Confirmation of the Minutes of the Meeting held on 19 August 2020

Recommendation

That the Minutes of the Meeting held on 19 August 2020 be confirmed.

2. QAO Briefing Paper and Closing Report

This is a report concerning a briefing paper and final closing report as at
30 September 2020 submitted by Queensland Audit Office.

“The attachment/s to this report are confidential in accordance with section 275(1)(h) of the Local Government Regulation 2012.”

Recommendation

That the briefing paper and closing report be received and the contents noted.

DISCUSSION

After discussion, the Committee asked that the ICT Platform Project (I-Volve) and other ICT projects be assessed over time using the five (5) factors identified in the Queensland Audit Office (QAO) recent publication on technology projects as referenced in their briefing report.

The committee sought explanation from QAO on the traffic light rating or the internal control environment and specifically the rating for “Control Activities” given that five (5) or six (6) significant deficiencies noted by QAO had been addressed by Council and progress made on the sixth. The committee noted QAO’s response.

The committee had a discussion on the management and treatment of donated assets. Following discussion, the Chairperson requested that the Chief Financial Officer provide clarity on policy and procedures and documentation in relation to Council’s donated assets, particularly the timing of on-maintenance of assets to the next committee meeting.

QAO extended thanks to the General Manager Corporate Services and the Chief Financial Officer for the information provided for this report, considering all the challenges that were faced with the COVID-19 pandemic. QAO noted that the audit was completed on time and within budget. General Manager Corporate Services thanked QAO for their constructive approach throughout the audit.

3. 2019-2020 DRAFT Annual Financial Statements for Controlled Entities

This is a report concerning the draft 2019‑2020 Annual Financial Statements for the following controlled entities of Ipswich City Council (Council):

· Ipswich City Properties Pty Ltd;

· Ipswich City Enterprises Pty Ltd; and

· Ipswich City Enterprises Investments Pty Ltd.

“The attachment/s to this report are confidential in accordance with section 275(1)(h) of the Local Government Regulation 2012.”

Recommendation

That the report be received and the contents noted.

DISCUSSION

The committee sought clarification in relation to the basis of presentation for the subsidiaries, specifically whether the “consistent with the Going Concern basis of presentation” was appropriate.

After discussion and consideration, the committee was comfortable with the proposed presentation.

4. 2019-2020 Annual Financial Statements and 2019-2020 Management Representation Letter

This is a report concerning the 2019-2020 annual financial statements and
2019-2020 management representation letter.

“The attachment/s to this report are confidential in accordance with section 275(1)(h) of the Local Government Regulation 2012.”

Recommendation

A. That the 2019-2020 annual financial statements as detailed in Attachment 1 to the report of the Principal Financial Accountant dated 30 September 2020 be approved for certification by the Mayor and Chief Executive Officer.

B. That the 2019-2020 management representation letter as detailed in Attachment 2 to the report of the Principal Financial Accountant dated 30 September 2020 be approved for certification by the Mayor and Chief Executive Officer.

6. GENERAL BUSINESS

In response to the question, QAO advised that it was ready to commence an audit of Cherish the Environment Foundation as it is in QAO’s view a controlled entity. However QAO is awaiting agreement and advice from the Board of the Foundation.

The Chairperson extended thanks to Members and management and to QAO officers. General Manager Corporate Services made special mention of the expertise and diligence of the Chief Financial Officer and Principal Financial Accountant for their work.

5. NEXT MEETING

The next meeting is scheduled for Wednesday, 18 November 2020.

PROCEDURAL MOTIONS AND FORMAL MATTERS

The meeting commenced at 1.09 pm.

The meeting closed at 2.33 pm.

Audit and Risk Management Committee

Meeting Agenda

16 November

2020

Doc ID No: A6593917

ITEM: 2

SUBJECT: Update on 2019-2020 audit of Cherish the Environment Foundation as a controlled entity of council

AUTHOR: Treasury Accounting Manager

DATE: 6 November 2020

Executive Summary

Recommendation/s

RELATED PARTIES

Jeffrey Keech, Chief Financial Officer has been appointed as one of council’s two Directors on the Board of the Foundation. This potential conflict of interest is being managed by the General Manager, Corporate Services taking a more active and hands on role on financial issues relevant to the Foundation, with support by expert officers in the Finance Branch.

Advance Ipswich Theme

Listening, leading and financial management

Purpose of Report

The purpose of this report is to advise the Committee that through an exchange of letters between Foundation Board Directors and the Chief Executive Officer (CEO) it was agreed that the QAO will complete an audit of the Foundation for the 2019-2020 financial year. Foundation Board Directors did not unanimously agree that the Foundation remained a controlled entity during 2019-2020 but in good faith agreed it best that QAO undertake the audit. Steps have been taken to progress the audit.

Foundation Board Director Shane O’Kane attended a Mayor and Councillor Briefing Session on 5 November 2020 and briefed Councillors on activities and initiatives of the Foundation. Present for the briefing were council appointed Directors Councillor Fechner and Jeffrey Keech, Chief Financial Officer.

BACKGROUND

The Foundation was established in 2011 in conjunction with Pat Rafter’s Cherish the Children Foundation as a company, limited by guarantee. The Foundation is a registered charity with Australian Charities and Not-for-profits Commission.

From the Foundation’s Constitution, its principal objects are:

1) the protection and enhancement of the natural environment; and

2) the provision of information or education, or the carrying on of research, about the natural environment.

Again from its Constitution, the Foundation will pursue its principal objects by:

1) acquiring bushland areas within the local government area of the Ipswich City Council ("Ipswich city"); and

2) managing and protecting bushland areas within Ipswich city; and

3) protecting and enhancing biodiversity within Ipswich city; and

4) improving the quality of water in rivers and streams in and that pass through Ipswich city; and

5) working towards decreasing the quantity of waste generated, and building recycling capacity, in Ipswich city; and

6) increasing local food production and food production capacity, and improving local food linkages and returns for food producers, in Ipswich city; and

7) minimising the impact of carbon emissions from Ipswich city (including by reducing the carbon intensity of energy use in Ipswich city); and

8) promoting education within the community concerning adverse impacts on the environment; and

9) raising community awareness of the impact of carbon emissions and how to minimise or offset their impact; and

10) doing anything that the directors decide is incidental or conducive to achieving the company's principal objects or the subsidiary objects listed in paragraphs (1) to (9) above.

Up until July 2019, the Foundation operated with the primary support of Council, through the provision of officers’ time under an informal agreement between Council and the Foundation, then in more recent years under a formal secondment agreement (under which Council was reimbursed some of its officer’s time).

With the exception of 2019‑2020, Council has provided an annual contribution to the Foundation, which represents $1 per rate assessment from Council’s Enviroplan Separate Charge. Since 2011 these contributions total more than $840,000.

Council has also provided third party guarantees on behalf of the Foundation in relation to their environmental projects and agreed to allow the Foundation to utilise part of the Grandchester conservation estate for offset purposes.

Legal/Policy Basis

This report and its recommendations are consistent with the following legislative provisions:

Local Government Act 2009

RISK MANAGEMENT IMPLICATIONS

By QAO completing the audit of the Foundation for a second consecutive financial year, council will be better informed on governance and financial issues and risks.

Council is presently informing itself and acting on the governance of CTEF and working towards a decision about its ongoing relationship with the Foundation. Council is acting to manage and mitigate governance risks.

Financial/RESOURCE IMPLICATIONS

The Foundation will meet the cost of the QAO audit for 2019-2020. If Council ultimately decides to cease any relationship with the Foundation, the CEO has agreed to meet the costs of the audit, in the amount by which (if any) they exceed the costs of an audit that would have otherwise have been arranged by the Foundation.

COMMUNITY and OTHER CONSULTATION

Consultation continues with the QAO. Foundation Directors will soon publish more information on its activities and initiatives on its website to inform the community.

Conclusion

The Foundation will be audited by QAO as a controlled entity of council.

Council is proceeding with its consideration of its ongoing (if any) relationship with the Foundation.

Paul Mollenhauer

Treasury Accounting Manager

I concur with the recommendations contained in this report.

Sonia Cooper

General Manager Corporate Services

“Together, we proudly enhance the quality of life for our community”

Audit and Risk Management Committee

Meeting Agenda

16 November

2020

Doc ID No: A6588225

ITEM: 3

SUBJECT: Update on implementation of the Conflicts of Interest for Employees Framework

AUTHOR: Governance Manager

DATE: 4 November 2020

Executive Summary

This is a report requested by the Audit and Risk Management Committee providing an update on the Conflicts of Interest for Employees Framework.

Recommendation/s

That the Audit and Risk Management Committee note the requested update on the implementation of the Conflicts of Interest for Employees Framework.

RELATED PARTIES

There are no related parties or conflicts of interest to declare in relation to this report.

Advance Ipswich Theme

Listening, leading and financial management

Purpose of Report/Background

At the August 2020 Audit and Risk Management Committee (ARMC) meeting, management delivered a requested report on the new Framework for managing conflicts of interest for employees in council.

ARMC had noted a number of internal audit recommendations on the development of a standalone framework building on the existing provisions of the Code of Conduct and references in numerous policies and administrative directives.

Council now has a Conflicts of Interest for Employees Framework including a policy, procedure and electronic recording and storage system. A communication plan was developed with initial and planned future communication and reminders. Existing policies and administrative directives, including the Code of Conduct, have been amended to reference the new policy and procedure. Employee onboarding and induction materials have also been amended accordingly.

After receiving and considering the report in August 2020, the ARMC asked for an update at the November 2020 meeting on the implementation of the framework.

This report offers an update to the ARMC on what has gone well with the implementation and a key lesson learned.

WHAT WENT WELL

1) Council is committed to growing a good governance culture within all areas of the organisation. For this reason it was essential for sound change management and communication to be planned with the aim of employees:

· understanding the legislative and ethical reasons for the Framework.

· recognising their obligations, role and responsibilities in identifying, declaring and managing actual, potential or perceived conflicts of interest.

· being able to appropriately identify, declare and manage conflicts of interest

· ensuring their decision-making and actions are fair, unbiased and carried out in the public interest.

2) To ensure ease of declaration and management of a conflict, a new online declaration form submitted via MyCouncil portal was developed. The process of submitting a declaration and managing the declaration via the portal was tested by several staff throughout the organisation who provided positive feedback and believed the process was clearly articulated in the procedure and readily accessible via MyCouncil.

3) The declaring officer and their supervisor provided updates on the monitoring and management of the conflict via MyCouncil.

4) MyCouncil stores data in CES (Customer Engagement System) which produces reports on declaration, monitoring and management of conflicts of interest which are distributed to General Managers. MyCouncil is Council’s formal Register of Conflicts of Interest for Employees.

5) Conflicts of Interest training is now incorporated in Council’s employee induction training.

6) An annual governance training calendar, ongoing communications plan and Manager’s Toolkit, is a deliverable of the Strategic Maturity of Governance (SMoG) Project and is in development to be delivered in early 2021. The Conflicts of Interest training and Manager’s Toolkit will be tailored for internal and external staff. The Toolkit will allow managers to discuss at team meetings a variety of governance subjects eg Right to Information, Public Interest Disclosures, Conflicts of Interest, etc. This will keep the momentum of good governance as a natural discussion and a normal practised behaviour by staff, which in turn will strengthen our good governance culture throughout the organisation.

7) The Project’s Communication Plan focused on ensuring all staff regardless of role, or previous work or life experience, learned of their obligation to identify a conflict of interest and how to declare, monitor and manage the conflict. This is illustrated by the Communication Plan clearly identifying and articulating all of the key stakeholders, key messaging, tactics and a communication schedule.

KEY LESSON LEARNED

The Governance Section has now been managing Conflicts of Interest for Employees, as business as usual for over a month. During this time an information privacy risk was identified. Due to the diligence of Corporate Governance staff ensuring employees’ personal information is appropriately protected, it was identified that the conflicts of interest data stored in CES (Customer Engagement System) was accessible by other CES users. CES users’ access privileges were reviewed and privileges updated accordingly. A monthly report is now prepared for the Corporate Governance Section to review access by CES users to Conflict of Interest data. A procedure has been put in place for Corporate Governance staff to assess why the access occurred. Dependent on the outcome of the assessment People and Culture Branch will be advised of a possible Breach of the Code of Conduct and asked to investigate the matter.

By working in partnership with ICT staff, the risk of misuse or access to another employee’s personal information has been addressed in keeping with Council’s risk appetite and the requirements of IPP 4 of the Information Privacy Act 2009.

This privacy risk illustrates while the best of intentions were to deliver a Project, a Privacy Impact Assessment was not undertaken as part of the implementation. Council is concurrently working to improve employees’ information privacy awareness and privacy controls. We have introduced Privacy Impact Assessments (PIA) for PMO and ICT Projects. However it is now clear that that all projects regardless of size or value need to be undertaking a PIA, identifying potential privacy risks and mitigating them appropriately throughout the life of the project.

Legal/Policy Basis

Council’s Conflicts of Interest for Employees Framework ensures employees identify, declare, monitor, manage and report on actual, potential and perceived employee conflicts of interest in keeping with the requirements and obligations of the following legislation relevant to a local government authority:

Public Sector Ethics Act 1994

Human Rights Act 2019

Local Government Act 2009

Local Government Regulation 2012

RISK MANAGEMENT IMPLICATIONS

Immature governance practices are identified as a corporate risk. The adoption of the Conflicts of Interest of Employees Framework establishes risk management controls for employees and managers to identify, declare, monitor, manage and report on actual, potential and perceived employee conflicts of interest.

Financial/RESOURCE IMPLICATIONS

The adoption, introduction, ongoing management and reporting of the Conflicts of Interest for Employees Framework attracts minimal financial implications which will be absorbed internally through existing organisational resourcing.

COMMUNITY and OTHER CONSULTATION

The Conflicts of Interest for Employees Framework and supporting governance documents were reviewed internally by key stakeholders from the following areas within Council:

• Corporate Services: Procurement, Risk Management, Corporate Governance, People and Culture, Finance, Legal Services;

• Coordination and Performance: Internal Audit, Performance, Business Transformation Program Risk Management Team members;

• Planning and Regulatory Services;

• Infrastructure and Environment; and

• Community, Cultural and Economic Development.

Feedback received internally was incorporated into the policy and associated components of the Conflicts of Interest for Employees Framework.

Conclusion

Conflicts of interest are required to be resolved in the public interest. The recently implemented Conflicts of Interest for Employees Framework ensures Council has the appropriate level of rigour around the management of conflicts of interest for employees. Management will continue to ensure a focus on the ongoing implementation of the Framework.

Angela Harms

Governance Manager

I concur with the recommendations contained in this report.

Tony Dunleavy

Manager Legal and Governance (General Counsel)

I concur with the recommendations contained in this report.

Sonia Cooper

General Manager Corporate Services

“Together, we proudly enhance the quality of life for our community”

Audit and Risk Management Committee

Meeting Agenda

16 November

2020

Doc ID No: A6588855

ITEM: 4

SUBJECT: Update for 2020 Audit Issues relating to Assets

AUTHOR: Principal Financial Accountant

DATE: 5 November 2020

Executive Summary

Recommendation/s

RELATED PARTIES

There are no related parties.

Advance Ipswich Theme

Listening, leading and financial management

Purpose of Report/Background

Set out below is an update in relation to the internal control deficiencies relating to assets raised by the QAO and the detail of progress in resolving these deficiencies.

Untimely reconciliations between physical asset register and fixed asset register.

QAO internal control deficiency 20FR-1. Regular reconciliations are not performed between the fixed asset register (FAR) and physical asset register (PAR) to confirm the completeness and accuracy of these registers for all asset classes.

The focus in relation to the reconciliation for 2020-2021 is on the Roads, Bridges and Footpaths (RBF) asset class as this class is subject to formal revaluation in the financial year.

The PAR and FAR cannot be reconciled at an individual asset level as the FAR assets are networked. In relation to the Roads Bridges and Footpaths, there are mapping tables between the systems, however as the current systems do not contain fully consistent attributes in both systems, then full reconciliation is a more difficult process.

To assist with the reconciliation, Asset Accounting in consultation with Asset Management (Infrastructure and Environment Department) are undertaking a comparison based on project numbers between the FAR’s asset additions and PAR’s closed projects for the past 4.5 years (since the 2016 comprehensive valuation of road, bridges and footpaths), with anomalies to be investigated with Project Managers and Spatial.

A similar comparison will be undertaken in relation to donated assets and Asset Accounting is also monitoring work in progress and requesting outstanding work in progress to be actioned by Project Managers and Spatial to ensure as-constructed drawings are updated into the PAR.

In early November, Finance held a meeting / workshop with IED Infrastructure Managers, Asset Management and Spatial to work through the above approach and identify responsibilities for each stakeholder and address known issues/challenges.

In addition the deficiency is being addressed and monitored as part of the Effective Asset Management Project which will outline the above actions in addition to the next additional stages including:

· Ensuring that processes are aligned that ensure both registers are kept up to date at the same time in more efficient and accurate ways.

· Outlining and scoping the new Asset Management System to ensure alignment and that the requirements of asset management, operations and accounting are included.

Donated assets - Council uses inconsistent ‘on maintenance’ dates for donated assets.

QAO internal control deficiency 20FR-2. Assets may be capitalised from a date that is different to the date that the revenue is recognised. Revenue from donated assets may be recognised in the incorrect period.

Finance, Legal and Planning and Regulatory Services (PRS) Engineering and Compliance Teams have met in October 2020 to discuss and work through the issue raised by QAO and the current processes of Council.

All Departments agreed that assets can only be taken “on maintenance” when the assessment has been completed and signed off by PRS Engineering Section and all documentation required has been provided. Anything before this, for example communication at practical completion, is preliminary and ancillary to the formal acceptance “on maintenance”, which can only occur at the end of the assessment process and formal final communication issued. Otherwise as outlined by QAO and agreed by Legal, there might be questions of liability and responsibility regarding the asset, and potential dispute in respect of Council’s use of bond monies, over the intervening period.

This aligns with the current accounting practices of revenue recognition at the time the final letter accepting the assets “on maintenance” is issued to the developer by the PRS Compliance Team.

Council however, as identified by QAO, have historical practices where for various reasons, “on-maintenance” dates have been dated back to the dates of submission of applications. The PRS Department have commenced reviewing its current processes, policies and timeframes which will require a level of consultation and transition with the development industry. This includes for example the PRS Department needing to work through its processes in relation to current sealing of lots based on partially completed assets and bonding the outstanding requirements.

The Manager of Engineering, Health and Environment (PRS) has reviewed the timeframes for processing “on-maintenance” applications once all documentation has been received and is reasonably comfortable as part of the process review, committing to processing these applications within 20 business days. Ensuring developers submit all the required information consistently in a timely way after practical completion and Council’s timely assessment of the applications as outlined, would substantially reduce the risk around this issue for both developers and Council and eliminate the use of inconsistent on maintenance dates.

Donated Assets and Accounting policy review

In a review of other Queensland Councils’ donated asset policies and planning schemes both Logan City Council and Gold Coast City Council only approve ‘on maintenance’ when both the final package of as-constructed information has to be submitted, inspections passed and approved. Then donated asset revenue and date of acquisition for the donated asset is recognised as at the ‘on maintenance’ date.

An extract of the Gold Coast Council’s policy is below and outlines what is required for assets to be accepted on “on-maintenance”:

Logan City Council’s, Acquisition of Non- Current Assets Policy includes the following section in relation to donated assets:

The Finance team will further review and update Council’s asset accounting policies to reflect the recognition of donated assets clearly.

Untimely processing of disposals when renewing an asset.

QAO internal control deficiency 20FR-3. Lengthy delays between the preparation and provision of the disposal support, and the approval and processing by the Finance.

This deficiency is being address as part of the Effective Asset Management Project.

Legal/Policy Basis

This report and its recommendations are consistent with the following legislative provisions:

Local Government Act 2009

Local Government Regulation 2012

Australian Accounting Standards

RISK MANAGEMENT IMPLICATIONS

The risk in not resolving the deficiencies raised would result in Council incorrectly stating the value of assets in the financial statements, not complying with Australian Accounting Standards and incomplete and inaccurate asset registers for both operational and accounting requirements. As noted by QAO, inconsistent “on-maintenance” date may also raise liability risk and uncertainty in relation to responsibilities for the asset.

Financial/RESOURCE IMPLICATIONS

Reviewing current processes and policies to address the issues raised is currently being undertaken internally by staff. The PAR and FAR reconciliation may require dedicated resources from the Spatial Team to ensure the PAR is fully updated.

COMMUNITY and OTHER CONSULTATION

No community consultation has been undertaken in relation to this report.

Infrastructure and Environment Department (IED) as the owner of the PAR and manager of capital works has been consulted about the deficiencies relating to untimely reconciliations between the PAR and FAR, and untimely processing of disposals when renewing an asset.

PRS Department as the administrator of developer applications and contributed assets has been consulted about this deficiency relating to donated assets

The various department will continue to work together as part of the Efficient Asset Management project to resolve the issues raised and recommendations provided.

Conclusion

The progress in resolving the three internal control deficiencies relating to assets as detailed in this report be received and noted.

Barbara Watson

Principal Financial Accountant

I concur with the recommendations contained in this report.

Jeffrey Keech

Chief Financial Officer

I concur with the recommendations contained in this report.

Sonia Cooper

General Manager Corporate Services

“Together, we proudly enhance the quality of life for our community”

Audit and Risk Management Committee

Meeting Agenda

16 November

2020

Doc ID No: A6557178

ITEM: 8

SUBJECT: Internal Audit Charter Review

AUTHOR: Chief Audit Executive

DATE: 6 November 2020

Executive Summary

Recommendation/s

That the proposed Internal Audit Charter as detailed in Attachment 2 be adopted.

RELATED PARTIES

Not applicable

Advance Ipswich Theme

The intention is for the Internal Audit activity to support all five themes:

· Strengthening our local economy and building prosperity

· Managing growth and delivering key infrastructure

· Caring for the Community

· Caring for the Environment

· Listening, Leading and Financial Management

Individual internal audits and corrupt conduct investigations will to a varying degree support these themes, but the main objective for Internal Audit is to support the organisation in achieving its objectives.

Purpose of Report/Background

The purpose of this activity is to regularly review and update the Internal Audit Charter in line with better practice and The International Professional Practices Framework (IPPF) for Internal Auditors.

Legal/Policy Basis

This report and its recommendations are consistent with the following legislative provisions:

Local Government Act 2009

Local Government Regulation 2012

Crime and Corruption Act 2001

RISK MANAGEMENT IMPLICATIONS

The Internal Audit Charter as a whole guides the activities of internal audit to minimise and control the risks the activity faces. Each of the individual reports provides for a control environment opinion as well as individual risk ratings per individual findings and recommendations. The importance is for management to implement the individual recommendations well to either address or diminish the exposure for Council, or explain why it is acceptable to not implement the suggested improvements. As per the corrupt conduct investigation the findings and risks vary in each situation and are discussed in the confidential reports. Having said that the key risks are still that the information might not be well presented, well understood or do not generate an appropriate response.

Financial/RESOURCE IMPLICATIONS

Resources are provided to internal audit through the annual audit plan and budgeting processes. No additional resources are required because of this report. However situations will dictate if internal audits and investigations have to be outsourced and also management will have to consider the financial implications to implement the recommendations as per the individual reports.

COMMUNITY and OTHER CONSULTATION

Internal Audit mostly consults internally to the organisation and its management in conducting the internal audits and finalising the reports. For investigations the appropriate consultations take place as the situation allows and requires.

For this purpose the members and attendees of the Audit and Risk Management Committee are consulted in updating this charter.

Conclusion

The Internal Audit Charter is an important document to guide internal audit activities and to safeguard Council as a whole.

Attachments and Confidential Background Papers

1.	Current Internal Audit Charter 19 November 2019 ⇩
2.	Proposed Internal Audit Charter November 2020 ⇩

Freddy Beck

Chief Audit Executive

I concur with the recommendations contained in this report.

Freddy Beck

Chief Audit Executive

“Together, we proudly enhance the quality of life for our community”

Audit and Risk Management Committee

Meeting Agenda

16 November

2020

Doc ID No: A6590469

ITEM: 9

SUBJECT: Audit and Risk Management Committee Self Assessment Results Report

AUTHOR: Chief Audit Executive

DATE: 6 November 2020

Executive Summary

This is a report concerning the Self-Assessment conducted by the Audit and Risk Management Committee (ARMC) in October 2020.

Recommendation/s

That the Committee note the outcome of the Audit and Risk Management Committee Self-Assessment and discuss suggestions for improvement and confirm or specify actions to be taken.

RELATED PARTIES

Not applicable

Advance Ipswich Theme

The intention for the Audit and Risk Management Committee (ARMC) is to support all five themes:

· Strengthening our local economy and building prosperity

· Managing growth and delivering key infrastructure

· Caring for the Community

· Caring for the Environment

· Listening, Leading and Financial Management

Individual activities will to a varying degree support these themes, but the main objective for the Committee is to support the organisation in achieving its objectives. The aim is to avoid taking over Council and management roles and to avoid regular reports being presented without strategic or significant focus.

Purpose of Report/Background

It is considered better practice to conduct a regular ARMC Self-Assessment. This has been built into the Charter of the ARMC to be conducted biennially.

The self-assessment helps to identify practical and cost effective improvements to the process and workings of the ARMC. It contributes to the ARMC providing an appropriate level of oversight over the organisation’s governance, risk, controls, including accounting, auditing and reporting responsibilities to maintain a transparent, accountable organisation and customer focussed service.

Legal/Policy Basis

This report and its recommendations are consistent with the following legislative provisions:

Local Government Act 2009

Local Government Regulation 2012

RISK MANAGEMENT IMPLICATIONS

The self-assessment assists in guiding the activities of the ARMC in considering important aspects regarding governance, control and risk activities in helping Council achieve its objectives to an appropriate and effective level.

Financial/RESOURCE IMPLICATIONS

This will be about making adjustments and in many instances no additional resources are required because of this report. However, there will be an impact/cost in the preparation of reports and or presentations and specific circumstances will dictate if matters have to be assessed or investigated and also management will have to consider the financial implications to implement the recommendations generated or supported through the activities of this Committee.

COMMUNITY and OTHER CONSULTATION

For this purpose, the members and attendees of the ARMC were consulted in the self-assessment.

Conclusion

As the average for all questions achieved a 3 or above rating and an overall average performance rating of 3 out of a possible 4, the outcome suggests that there is general agreement of the members that the ARMC is fulfilling its responsibilities.

The following feedback detailed in answering the questionnaires is provided for consideration by the ARMC.

Below is a table to the questions and the suggested improvements from the self-assessment.

	Question	Summary of response	Suggested solution
2	The ARMC helps to establish the right “tone from the top,” which embodies insistence on integrity and accuracy within Council.	This is an essential part of our role and further discussion on how we achieve this could be good.	Have the CEO to do a presentation in regards to the maturity of the tone at the top.
7	The annual planned agenda is well targeted and effective.	Some room for further improvement.	Currently under review.
8	ARMC meetings are well organized, efficient, and effective, occur often enough and are of appropriate length to allow meaningful discussion of relevant issues consistent with the ARMC’s responsibilities.	Agendas have been very full which is challenging given the target time of 2.5 hours. Meetings should be 3 hours.	Consider to extend meetings.
9	The ARMC’s meeting documentation is complete, is received with enough lead time, and includes the right information to allow meaningful discussion.	The challenge is to have the information more succinct and focussed on issues and trends not just historical information and activities. There is a lot of documentation to get through in 5 days. The format is evolving and can continue to be improved.	Members to identify and provide advice which information can be reduced as items are considered at the meetings.
10	Management presentations to the ARMC are at a high level with appropriate detail to avoid overload.	This is mixed, but that might reflect management does not always know what we do and need from them. This is not necessarily a bad thing as I like hearing what they think we want.	Members to indicate what are required during each item if misdirection is detected.
13	The ARMC communications to the Chief Executive/Council about the committee’s deliberations and activity of an appropriate quality and on a timely basis.	The Committee would benefit from more direct input of the Mayor and CEO with the Chair outside the meeting process.	Consider discussion with Mayor and CEO on the matter.
14	The ARMC has considered the overall effectiveness of the internal control and risk management frameworks including reporting and considered key corporate risks.	Some work required. There is a focus on internal control and risk frameworks but reporting from management in these areas needs improvement particularly risk issues and trends. We have focused on this area but this should be an area of additional focus going forward.	Presentations and reports planned for the new year and members needs to press for improvements where identified.
15	There is appropriate consideration of the effectiveness of risk management and internal controls including areas such as Information Systems and Related Technology (IT) within Council.	A lot can be done in this area.	Members to challenge and suggest where improvements can be made when assessing individual areas.
20	The internal audit reporting lines and interaction with the ARMC foster an environment where issues that might involve management will be brought to the attention of the ARMC.	I think we do. But how can we re-assure ourselves that this is the case.	CAE is supported by Charter and linked to the international standards for the professional practice of internal auditors. Also the CAE has meetings with top members of Council, management and others as well as supported through the CCC Liaison role can provide a lot of comfort at the moment to internal audits independent and objective approach.
21	There is appropriate consideration of the internal audit department’s plan, scope of work, independence, resources, ability and performance.	In relation to the annual/3 year rolling plan, the Committee needs appropriate time to consider and discuss.	The plan to be circulated to the ARMC ahead of coming to the committee.
22	There is appropriate consideration of the internal audit’s reports, management’s responses, and improvement actions.	Yes. The challenge is to keep reporting succinct.	The aim is to constantly work on refining and making reports succinct.
24	The ARMC has been sufficiently probing and challenging in its deliberations.	Generally, yes. Better, more focussed reporting will help the Committee to be more effective.	The members to continue to guide management in where reports and presentations hit the mark and where they don’t.
28	What is your overall assessment of the performance of the ARMC?	There is always room for improvement.	This is supported by the concept of continuous consideration and self-assessment processes.
Summary of General Comments (provided by invited participants)			Response
“I think there is merit in getting responsible staff to front the committee on areas where significant risk has been identified or there are concerns that rectification is taking too long and the risk is significant.” “I think dealing with most of the agenda in bulk so you can focus on a few areas more deeply will be of benefit.” “I have concerns in relation to the following three areas: • ICT • Procurement • Project Management” “I find that we are required to re-litigate risks and issues at each step in the governance cycle (as appropriate for the purpose of approvals), but then again to satisfy the ARMC. The need for detail does not seem to be by-exception…….” “I think if the ARMC were to provide the core functions of monitoring and assessing the internal governance controls, proposed treatments etc. that are now in place with the objective to develop and mature Council’s internal governance instruments it would be more right-sized for Council’s needs.” “Very full agendas and also wonders whether management is bringing forward the key issues and items of risk for the ARMC and that once the committee is satisfied, items move off the agenda and are replaced by items of greater issue and risk.”			Set an agenda item for this to occur to address key long outstanding recommendations. Currently combining similar subject matter together in the draft agenda to reduce agenda items. Presentations and reports have been included in the draft 2021 agenda to address these areas. The ARMC has a fundamental obligation to understand the risk and control frameworks within the organisation and to have confidence that risk matters are being appropriately escalated and the control system is operating effectively. There is a number of obligations that the ARMC has in line with its Charter including oversighting risk management including a focus on key strategic risks, the effective operation of the 3 lines of defence and effective assurance and monitoring through internal and external audit. Refer previous comments. The ARMC will continue to implement continuous improvement opportunities including a more focused agenda over time.

Attachments and Confidential Background Papers

1.	ARMC - Self Assessment Summary 6 Nov 2020 ⇩

Freddy Beck

Chief Audit Executive

I concur with the recommendations contained in this report.

Freddy Beck

Chief Audit Executive

“Together, we proudly enhance the quality of life for our community”

Audit and Risk Management Committee

Meeting Agenda

16 November

2020

Doc ID No: A6571794

ITEM: 10

SUBJECT: Internal Audit Branch Activities Report for the period 5 August 2020 to 6 November 2020

AUTHOR: Chief Audit Executive

DATE: 6 November 2020

Executive Summary

This is a report concerning the activities of Internal Audit undertaken during the above mentioned period and the current status of these activities.

Recommendation/s

That the report be received and the recommendations in Attachments 3, 4 and 5, be considered finalised and archived.

RELATED PARTIES

Not applicable

Ipswich City Council Strategic Objectives

· Strengthening our local economy and building prosperity

· Managing growth and delivering key infrastructure

· Caring for the Community

· Caring for the Environment

· Listening, Leading and Financial Management

Individual internal audits and corrupt conduct investigations will, to a varying degree, support these themes, but the main objective for Internal Audit is to support the organisation in achieving its objectives.

Purpose of Report/Background

The purpose of this report is to keep the Audit and Risk Management Committee (ARMC) informed on a quarterly basis and to report on performance of the Internal Audit Branch:

Title of section, feedback or report provided in the section below	Included in quarter
Report the status of the audits currently under way	Yes
Summary of the general activities of the Internal Audit Branch	Yes
Finalised recommendations for Audit and Risk Management Committee closure	Yes
Report the status of open and overdue audit recommendations from completed audits	Yes
Summary of recent internal audits completed and reports issued	Yes
Progress of the Annual Internal Audit Plan (every May)	No
New Annual Internal Audit Plan including the Strategic Three Year Plan (every May)	No
Annual Performance Report and Assertion on Internal Audit Standards (every August)	No

The supply of the information to the Audit and Risk Management Committee, is a requirement of the Internal Audit Charter.

Status of audits underway and finalised - Internal Audit Report Register (Attachment 1)

This is a historic register recording the reference number of formal reports produced, audits commenced, report status and date completed for the last number of years.

Internal Audits, Reviews, Projects, Investigations and Activities Update (Attachment 2)

This is a report on audits, reviews, projects and internal audit activities that were conducted during the period or in progress during the above mentioned period of the report.

Audit Recommendations finalised by ARMC (Attachments 3, 4 and 5)

Extracted from the Audit Recommendations System, these reports list all Internal and External Audit recommendations as well as de-identified Investigation/Ad-hoc reports (with management comments and responses) that managers advise have been implemented since the report made to the last Audit and Risk Management Committee meeting. These reports are presented to the Audit and Risk Management Committee prior to the recommendations being finalised and/or archived.

Recommendations Origin	Risk Ratings							Total
ICC	Catastrophic	Major	Moderate	Low		Minimal
Internal Audit		4	8	3				15
Ad hoc/Investigation			6					6
QAO	Significant Deficiency	Deficiency	Other Matter	Financial reporting
				High	Medium		Low
External Audit	1		3					4
Status of open and overdue recommendations (Attachments 6, 7, 8 and 9)

Every month each Department Head is requested to update the status of both the internal, external audit and Investigation/Ad hoc recommendations due for implementation within their area of responsibility. The recommendation statistics and overdue summary (with suggested follow-up actions) as well as the Internal Audit, Investigations/Ad hoc report and External Audit overdue recommendations are attached. The following traffic lights are used with their descriptor:

Green

Orange

Red

Under control

Reasonable number

Low overall risk

Need to monitor

Number increasing

Moderate overall risk

Need to be addressed

Number problematic

High overall risk

The following Departments’ progress towards the implementation of Overdue Internal Audit recommendations is summarised below (All other departments had no recommendations overdue for more than 3 months):

Community, Cultural & Economic Development					O
Date of Report	Total overdue	Catastrophic	Major	Moderate
6 November 2020	9	0	0	7
In relation to: Grants, Sponsorships and Donations (A1920-08), Receipting, Cash Handling & Floats (A1920-16)

Infrastructure and Environment					R
Date of Report	Total overdue	Catastrophic	Major	Moderate
6 November 2020	13	0	3	8
In relation to: Operation of Fleet and Plant (A1819-12), Grants, Sponsorships and Donations (A1920-08, Retention and Detention Basins (A1920-11), Receipting, Cash Handling & Floats (A1920-16)

Planning and Regulatory Services					O
Date of Report	Total overdue	Catastrophic	Major	Moderate
6 November 2020	1	0	0	1
In relation to: Penalty Infringement Process (A1819-13)

Total Internal Audit recommendations overdue for more than 3 months and level of risk:

Minimal and Low not indicated.

Date of Report	Total overdue	Catastrophic	Major	Moderate	O
6 November 2020	23	0	3	16
6 August 2020	10	0	0	7

Total Internal Audit recommendations open and level of risk:

Date of Report	Total open	Catastrophic	Major	Moderate	O
6 November 2020	108	0	35	64
6 August 2020	67	0	9	47

Total Investigation/Ad Hoc Report recommendations overdue and level of risk:

Minimal and Low not indicated.

Date of Report	Total overdue	Catastrophic	Major	Moderate	G
6 November 2020	0	0	0	0
6 August 2020	1	0	0	1

Total Investigation/Ad Hoc Report recommendations open and level of risk:

Date of Report	Total open	Catastrophic	Major	Moderate	G
6 November 2020	3	0	0	3
6 August 2020	4	0	0	3

Total External Audit recommendations overdue and level of risk:

Ratings as used by QAO.

Date of Report	Total overdue	Significant Deficiency	Deficiency	Other Matter	Financial reporting			G
Date of Report	Total overdue	Significant Deficiency	Deficiency	Other Matter	High	Medium	Low
6 November 2020	2	0	2	0	0	0	0
6 August 2020	1	1	0	0	0	0	0

Total External Audit recommendations open and level of risk:

Date of Report	Total open	Significant Deficiency	Deficiency	Other Matter	Financial Reporting			G
Date of Report	Total open	Significant Deficiency	Deficiency	Other Matter	High	Medium	Low
6 November 2020	2	0	2	0	0	0	0
6 August 2020	6	1	2	3	0	0	0

Overall Status	O
The total number of overdue recommendations have doubled and the overall number of open recommendations have gone up. Some of the recommendations have also not shown any movement. General Managers will need to task someone to monitor and ensure action is taken on the open recommendations.

Summary of recent internal audits completed and reports issued in period of the report (Attachment 10, 11, 12, 13, 14 and 15)

Control Environment Opinion Summary over Areas in Scope of Audits		5	4	3	2	1
Contract Management (A1920-04)				P
Cyber/Digital Security (A1920-05)			P
Tender Evaluation (A1920-20)			P
Workshops (A1920-22)				P
Transformation Program Implementation (A2021-21)					P
Rating Definitions
5	Indicates unacceptable control environment or critical operating or control problems or extreme exposure.
4	Indicates unsatisfactory control environment or significant operational, procedural or control deficiencies or high exposure.
3	Indicates limited control environment or some operational, procedural or control deficiencies, issues or moderate exposure
2	Indicates acceptable control environment or minor operational, procedural or control deficiencies, issues or exposure.
1	Indicates well controlled environment or no or limited unfavourable audit findings, observations or exposure.

Since the previous report to the ARMC, Internal Audit has issued/finalised the following Internal Audit reports/Consulting Tasks and the extracts of the reports containing the audit recommendations, management response and agreed action by date, are attached to enable any further discussion that may be required by the Audit and Risk Management Committee.

Financial/RESOURCE IMPLICATIONS

Resources are provided to internal audit through the annual audit plan and budgeting processes. No additional resources were required because of this report. However situations will dictate if internal audits and investigations have to be outsourced and also management will have to consider their implications to implement the recommendations as per the individual reports.

RISK MANAGEMENT IMPLICATIONS

Each of the individual reports provides for a control environment opinion as well as individual risk ratings per individual findings and recommendations. The importance is for management to implement the individual recommendations well to either address or diminish the exposure for Council, or explain why it is acceptable to not implement the suggested improvements. As per the corrupt conduct investigation, the findings and risks vary in each situation and are discussed in the confidential reports. Having said that the key risks are still if the information is not well presented, well understood or does not generate an appropriate response.

Legal/Policy Basis

This report and its recommendations are consistent with the following legislative provisions:

Local Government Act 2009

Local Government Regulation 2012

Crime and Corruption Act 2001

COMMUNITY and OTHER CONSULTATION

Conclusion

During the period under review the Internal Audit Branch undertook a number of activities, including as listed in Attachment 2.

During the course of Internal Audit activities, contributions to the improvement of operational procedures, practices and the control environment have been achieved.

Attachments and Confidential Background Papers

1.	Internal Audit Register ⇩

	CONFIDENTIAL
2.	Internal Audit Activity Report
3.	Internal Audit Recommendations Implemented
4.	Investigations/Ad-hoc Report Recommendations Implemented
5.	External Audit Recommendations Implemented
6.	Recommendations Statistics and Overdue Summary
7.	Internal Audit Recommendations overdue for more than 3 months
8.	Investigations/Ad-hoc recommendations overdue for more than 3 months
9.	External Audit Recommendations ovedue for more than 3 months (nil return)
10.	Executive summaries of recent internal audit reports
11.	Internal Audit Report No. A1920-04
12.	Internal Audit Report No. A1920-05
13.	Internal Audit Report No. A1920-20
14.	Internal Audit Report No. A1920-22
15.	Internal Audit Report No. A2021-21

Freddy Beck

Chief Audit Executive

I concur with the recommendations contained in this report.

Freddy Beck

Chief Audit Executive

“Together, we proudly enhance the quality of life for our community”

Audit and Risk Management Committee

Meeting Agenda

16 November

2020

Doc ID No: A6552392

ITEM: 12

SUBJECT: Insurance and Risk Management Update

AUTHOR: Principal Risk and Compliance Specialist

DATE: 20 October 2020

Executive Summary

This is a report concerning Council’s insurance statistics for the period 1 July 2020 to 30 September 2020 and to provide an update on risk management.

Recommendation/s

A. That the report on Council’s insurance statistics for the period 1 July 2020 to 30 September 2020 be received and the contents noted.

B. That the update on Ipswich City Council’s Enterprise Risk Management be received and the contents noted.

RELATED PARTIES

All members of ELT, Council’s third and fourth level Managers, Principal Risk and Compliance Specialist, Senior Insurance and Risk Officer and the Corporate Governance Manager.

There are no perceived or actual conflict of interest issues regarding this report.

Advance Ipswich Theme

Listening, leading and financial management

Purpose of Report/Background

To inform the Committee of:

· Corporate insurance Statistics for the third quarter and the 2019-2020 financial year

· Status of Risk Management

1. Corporate insurance Statistics for the period 1 July 2020 to 30 September 2020

The following tables and graphs provide a high-level summary of insurance claims for the period of 1 July 2020 to 30 September 2020:

2. Corporate insurance Statistics for financial periods of 2018-2019 and 2019-2020

The following tables and graphs provide a high-level summary of insurance claims for the financial periods of 2018-2019 and 2019-2020.

Please note: The below statistics will be provided at the end of each financial year to the Audit and Risk Management Committee to provide a high level summary of the changes in insurance statistics throughout the financial year.

For the financial period of 2018-2019 the Risk and Insurance Team received a total of 16 claims which required escalation to Ipswich City Council’s insurer LGM. In the financial period for 2019-2020 the Risk and Insurance Team received a total of 19 claims which required escalation, which is an increase of 3 claims between the two periods.

For the financial year 2018-2019 the Risk and Insurance Team received a total of 74 public liability claims which are categorised into 9 separate categories. In the financial period 2019-2020 the Risk and Insurance Team received a total of 66 claims, which is a decrease of 8 claims between the two periods.

3. Status of Risk Management

Enterprise Risk Management Program

The fourth ELT Risk Committee was held on 10 August 2020. The fifth ELT Risk Committee was not held on 2 October 2020 and has been rescheduled to 4 December 2020.

1. On 10 August 2020 the Committee discussed and reviewed Corporate Risk No. 3 – “immature governance arrangements”. The General Manager, Corporate Services provided an update on the progress of the Strategic Maturity of Governance Project. The CEO advised that he wanted to make sure that this risk becomes more defined so that it does not just capture the governance arrangements which the Corporate Governance Section is completing, but also the organisation’s corporate governance arrangements for Council. The Principal Risk Advisor and Compliance Specialist and Manager Legal and Governance – General Counsel were tasked to redevelop risk No. 3 and to present their findings and recommendations to the next ELT Risk Committee.

2. In relation to emerging risks, the CEO advised that the major risks in respect of the construction of the CBD redevelopment are nearing completion, but we are now more susceptible to the financial and commercial risks affecting the CBD redevelopment. However, the CEO expects that this would only be a short term risk given COVID-19 rather than a long term risk.

3. The General Manager, Infrastructure and Environment provided a verbal update in regard to the liability of abandoned mining structures in the Local Government area. He advised the Committee that an inspection has been completed on a few of the abandoned mining structures around the Ipswich City Council local area and a report generated. He advised that moving forward Ipswich City Council had taken all the necessary preventative measures that Council are able to (i.e. marking off the area, etc.) and that Council needs to correspond with the State Government to identify the future of these structures.

4. Sonia Cooper, General Manager of Corporate Services will be presenting at today’s committee meeting on how she is managing her departmental risks.

At the 4 December 2020 ELT Risk Committee, the risk management team will be tabling proposed reporting templates to the Committee on the movements of the risk registers for both the Department and the Corporate register this year.

Those reports will form a part of the risk management update for the first ARMC meeting in 2021.

Implementation of Control Reporting for Departmental Risk Registers

The Departmental risk registers are severely lacking an accurate reflection of the controls. In order to obtain an accurate reflection of the control measures which are in place to mitigate the Departmental risks, the risk team has implemented a “Risk Control Reporting” process which requires risk owners to identify each control implemented (including frameworks, policy, procedures, work instructions, etc.) to mitigate the risk and thereafter self-evaluate the effectiveness of each control.

Once all the reports have been provided and the departmental risk registers updated, the findings will be presented to the ELT Risk Committee meeting on 4 December 2020.

COVID-19 Business Continuity Planning (BCP) Test Exercise

On 10 August 2020 the Committee endorsed that a BCP test exercise take place in the third quarter of 2020. Due to the COVID-19 outbreak in the Ipswich area and the unavailability of the Emergency Management Section the COVID-19 BCP test exercise had to be postponed.

A BCP live test exercise will now be conducted in the first quarter of 2021.

Fraud and Corruption Control Plan and Fraud and Corruption Control Risk Register review

The Committee endorsed at its meeting on 10 August 2020 the review of the Fraud and Corruption Control Plan and Fraud and Corruption Control Risk Register. The review documents are out with the identified stakeholders for their review and feedback.

The findings will be presented to the ELT Risk Committee meeting on 4 December 2020 for endorsement.

Strategic Maturity of Governance Project

The Corporate Governance Section of the Legal and Governance Branch is currently undertaking a Strategic Maturity of Governance Project (SMoG) to assist in the maturation of Council’s key governance arrangements.

As part of the SMoG project, one of the deliverables for the risk management team is to develop a five (5) year Risk Road Map. The Road Map will be presented to the ELT Risk Committee meeting on 4 December 2020 for endorsement.

Legal/Policy Basis

In managing risk and insurance for the organisation Council officers perform their duties in keeping with the Local Government Principles of:

· Transparent and effective processes, and decision-making in the public interest;

· Good governance of, and by, local government; and

· Ethical and legal behaviour of Councillors and local government employees.

The following table outlines the relevant legislation and the administrative functions and services provided by the Section:

Relevant Legislation

Corporate Services Section

Functions and Services Provided

Local Government Act 2009

Local Government Regulation 2012

AS/NZS ISO 31000:2018 Risk Management – Principles and Guidelines

Manage and coordinate:

· the implementation of Council’s Risk Management Framework

· public liability claims from external customers

· public liability claims for Councillors and staff

· negotiate (within Delegated Authority), on behalf of Council any insurance resolutions

· the insurance of Council assets including but not limited to Council buildings, machinery and equipment, park infrastructure, swimming pools, sports centres, club houses, fleet vehicles, etc.

· the renewal of Council insurance policies (excluding Workers Compensation)

· the provision of expert insurance and risk advice to both external and internal stakeholders

· recover costs from damaged made by third parties to Council assets

RISK MANAGEMENT IMPLICATIONS

It is essential that Risk Management is successfully implemented and embedded in the organisation. The management of corporate risks lies with the CEO and all General Managers whilst the management of departmental risks are the responsibility of the respective General Manager.

The Corporate Governance Section and the Principal Risk and Compliance Specialist can provide the necessary framework, policy, procedures and advice but successful risk management will only be achieved if senior management takes responsibility for managing the risk and fraud registers, implement appropriate controls and lead the organisation in developing a strong risk management culture.

Conclusion

With the implementation of an Enterprise Risk Management Framework and an increase in the capability of the organisation to manage risk efficiently and effectively, Council has positioned itself to build to be an exemplar Council in the management of Risk and Insurance.

Attachments and Confidential Background Papers

1.	Ipswich City Council Corporate Risk Register ⇩
2.	ELT Risk Committee Minutes dated 10 August 2020 ⇩

Graham McGinniskin

Principal Risk and Compliance Specialist

I concur with the recommendations contained in this report.

Angela Harms

Governance Manager

I concur with the recommendations contained in this report.

Tony Dunleavy

Manager Legal and Governance (General Counsel)

I concur with the recommendations contained in this report.

Sonia Cooper

General Manager Corporate Services

“Together, we proudly enhance the quality of life for our community”

Audit and Risk Management Committee

Meeting Agenda

16 November

2020

Doc ID No: A6595347

ITEM: 13

SUBJECT: Governance, Internal Controls and Compliance

AUTHOR: Governance Manager

DATE: 9 November 2020

Executive Summary

Council is progressively maturing and strengthening its governance, internal controls and compliance with the broad range of legislative, policy and procedural obligations upon it.

This report provides an update to the Audit and Risk Management Committee on key governance, internal controls and compliance matters for the past quarter.

Recommendation/s

That the Audit and Risk Management Committee (ARMC) note initiatives and actions being implemented to mature and strengthen Council’s governance, internal controls and compliance.

RELATED PARTIES

There are no conflicts of interest associated with this report.

Advance Ipswich Theme

Listening, leading and financial management

Purpose of Report/Background

The purpose of this report is to update the ARMC on actions and initiatives that are underway to mature and strengthen Council’s governance, internal controls and compliance.

Council is committed to building on the good work completed through the Business Transformation Program to implement improved governance, internal controls and compliance.

Strategic Maturity of Governance Project

The Strategic Maturity of Governance project commenced in early August 2020 after endorsement of the Project Management Plan. Progress on the project is being monitored by the Program Management Office. The Project is being delivered within agreed timeframes and budget. Project risks and issues are being monitored and mitigated appropriately and the work is being delivered using existing budget and workforce.

Work is underway to develop an annual Governance Training Calendar, communications plans, and a manager’s tool box of governance compliance discussion topics.

Governance Checklist

A Governance Checklist has been developed to self-assess the following legislative requirements in relation to:

· The Annual Report

· The Annual Budget

· Planning, Financial Management and Accountability

· Policies, procedures and other matters

· Registers and other records

· Documents and notices that must be published

· Website Publications

The Checklist will be tabled at the December ELT Risk Management Committee for endorsement. The Governance Section will be responsible for tracking and reporting on the self-assessment of the legislative functions listed above.

Policy and Procedure Framework

Council continues to implement the Policy and Procedure Framework developed through the Business Transformation Program by reviewing existing policies and procedures and progressively introducing new or updated policies (through resolutions of Council), administrative directives and procedures.

Office of the Information Commissioner Officer 2017 Audit Recommendations

Corporate Governance Section has continued to finalise the implementation of the below Audit recommendations:

Recommendation	% Complete	Action this Reporting Period
Recommendation 2 - Council to develop and implement an Information Governance Framework and supporting documented policies and procedures to drive right to information and privacy aims	40	Information Management Framework endorsed by CEO. Supporting documents to be identified as deliverable of Information Strategic Planning Project
Recommendation 3 – Council implement performance measures for access to information and privacy principles aligned with its corporate planning and reporting framework.	100	Performance Measures have been included in the 2019/2020 Annual Report and in Quarterly Performance Report.
Recommendation 6 - Council to identify and classify its information assets and ensure it publishes information that is significant, appropriate and accurate.	30	Deliverable of Information Management Strategic Plan project.
Recommendation 8 – Council will review its template documents and manual for application handling and ensure the documents are accurate, up to date and support legislative compliant handling.	100	Completed and reviewed by Legal Section.
Recommendation 11 – Council install physical signs and notices to make people generally aware that it is using cameras to collect personal information, in the vicinity of those notices.	100	Completed over 250 signs now installed.

Information Management Framework

As referenced above, an Information Management Framework (the Framework) was endorsed by the Chief Executive Officer in August 2020. The purpose of the Framework is to identify, define and categorise the various information management activities Council will undertake to:

· drive high quality and legislatively compliant information management across Council

· reinforce the legislative requirements for right to information and information privacy

· promote the economic benefits to be achieved from improved access to and use of information and knowledge

· improve the quality of business decision-making utilising a data driven evidence based approach

· reinforce the governance of information management within Council

· build and promote information maturity and capacity within Council

· facilitate knowledge sharing across Council by making information readily accessible where appropriate

· standardise the management of all forms of Council information, and

· plan and manage digital transformation and capture within service delivery

· advocate for the use of source data in reporting and information sharing.

The endorsement of the Framework also established the Information Management Strategic Planning Project (the Project). The Project will identify the changes needed to build new capability in Council’s information management. Recognise what needs to be done and when; what information management culture we need to foster; what knowledge we need; the scope of information we are managing; and the categories of information such as legislation, on-line databases, registers, etc. The Project will deliver a 5 year road map for Council to develop and adopt the necessary governance documentation to support the Information Management Framework.

Development of a Privacy Strategy

One of the recommendations of the Privacy Impact Assessment undertaken for Council as a key component of the implementation of the Transparency and Integrity Hub, was for Council to develop a Privacy Strategy.

The Corporate Governance Section is now preparing a business case for the development of a Privacy Strategy (the Strategy). The Strategy will include core Council values around privacy (complementary to the legislated Information Privacy Principles and the values set out in Council’s Leadership Charter) and a commitment to adopt a workable structure for privacy management. It is hoped the Business Case will be endorsed and allow for a Project Plan to be developed and delivered throughout 2021.

An audit on collection notices and privacy statements is currently underway for information privacy across Council. This will identify what level of education is required to raise privacy awareness with staff. A new corporate collection notice/privacy statement will be drafted by the RTI/IP officer and any business areas requiring an individual notice, will be required to seek approval from the RTI/IP officer on that notice before use, with all notices kept on file in the RTI/IP space for auditing and quality assurance purposes.

An approach which balances proactive release of information to the public with the meeting of information privacy obligations will support better management of Council’s information assets, with all information requests recorded (including external legislative requests) with the aim of improving Council’s Publication scheme and reducing the number of RTI/IP Applications being made by the public.

A new Administrative Access policy and procedure is in draft that will afford staff the capability and confidence to ensure that any information that is being requested is appropriate to release. Work with staff to continue to ensure compliance with information privacy is maintained and potential breaches negated.

Human Rights Act 2019

The Corporate Governance Section is currently working with Legal Section to coordinate an organisational review of all policies, procedures, administrative directives and local laws to ensure compliance with the Human Rights Act 2009 (HRA). A review of all decision notices is also underway. The review will ensure all decision notices make reference to the HRA requirements and the right of appeal against a decision, if a person believes their human rights have been impacted by the decision. Departments have nominated officers who will be trained in the HRA and therefore be competent in reviewing the documents. Also staff have been nominated as Human Rights Champions, their role is to keep the organisation informed and aware of the HRA and our legislative requirements and obligations

Integrity and Complaints Management

Complaint numbers remain consistent with the previous quarter (130 pieces received per quarter).

The decrease in complaint numbers in quarters 3 and 4 in the 2019/2020 FY are believed to be the result of COVID-19 Pandemic impacts. As services have resumed and accelerated across Council and restrictions were eased, complaint numbers remain at a steady level. This is believed to be indicative of continuing improvements in Council’s customer focussed service delivery and the implementation of process improvements arising from feedback on complaints. An example of this is changes to parking bays for equipment and installation of new signage at the Refuse Centre, arising out of a complaint raised. Efficacy of the complaints handling process by the Complaints Management Unit (CMU) is considered to be evidenced by the review requests on stage one complaints remaining low.

More work will be completed on capturing these improvements through data analysis. With the engagement of the new Customer Contact Centre Coordinator, the Integrity and Complaints Manager will commence working closely with the Customer Experience (CX) team to improve CX thereby reducing complaint numbers moving forward.

Customer facing staff in Library Services, Planning and Regulatory Services (PRS) and the CMU have undertaken training in managing difficult behaviours to meet Council’s commitment under the proposed new Unreasonable Customer Conduct policy. The policy has been endorsed by ELT, a successful councillor briefing session has been held and now that training is complete, the policy will go up to Committee and Council for adoption.

Officers in the CMU undertaking infringement reviews are working closely with the new Manager, Compliance, Office of the General Manager in PRS to raise issues that are identified as not meeting Council’s desired customer experience and, changes are being made in that area as they arise and toolbox talks with staff prevent reoccurrence of issues. The aim is to drive down numbers of infringement reviews that result in the infringement being withdrawn due to staff error.

Work that has been advanced on Council’s Conflicts of Interest for Employees Framework and Enterprise Risk Management Program are the subject of separate reports to the ARMC.

Legal/Policy Basis

This report and its recommendations are consistent with the following legislative provisions:

The following table outlines the relevant legislation and the administrative functions and services provided by the Branch:

Relevant Legislation

Integrity and Governance Team

Administrative Functions and Services Provided

Local Government Act 2009

Local Government Regulation 2012

Human Rights Act 2019

State Penalties Enforcement Act 1999

State Penalties Enforcement Regulation 2014

Withdrawal of Infringement Notice Policy (Council resolution, 27 February 2018)

ALARMS risk rating (Council resolution, 26 April 2007)

Management complaint types:

· Administrative Action Complaints and Internal Reviews

· Privacy Complaints

· Publication Scheme Complaints

· Ombudsman Review of Complaint Management

· Ombudsman Direct Referral of Complaints

· Office of Information Commission (OIC) Complaint Reviews

· Operational i.e. General Department complaints referred to relevant Council Depart./Branch for resolution

· Infringement Reviews

Right to Information Act 2009

Management of Right to Information Applications for:

· access to information that is not administratively available

· internal review of a reviewable decision

Information Privacy Act 2009

Management of Information Privacy Applications:

· for personal information

· to amend personal information or

· to investigate complaints of privacy breaches

· internal review of a reviewable decision

RISK MANAGEMENT IMPLICATIONS

The maturing and strengthening of Council’s governance, internal controls and compliance will better position council to manage risks in the delivery of its functions and services to the Ipswich community.

Financial/RESOURCE IMPLICATIONS

There are no financial implications associated with this report.

COMMUNITY and OTHER CONSULTATION

Community and other consultation has not been undertaken as part of the preparation of this report.

Conclusion

Council is building on the good work completed through the Business Transformation Program to implement improved governance, internal controls and compliance.

Angela Harms

Governance Manager

I concur with the recommendations contained in this report.

Tony Dunleavy

Manager Legal and Governance (General Counsel)

I concur with the recommendations contained in this report.

Sonia Cooper

General Manager Corporate Services

“Together, we proudly enhance the quality of life for our community”

Audit and Risk Management Committee

Meeting Agenda

16 November

2020

Doc ID No: A6575128

ITEM: 14

SUBJECT: ICT Branch Governance and Controls Framework

AUTHOR: ICT Strategy, Enterprise Architecture and Governance Manager

DATE: 29 October 2020

Executive Summary

This is a report concerning the status and focus areas for development in the Information and Communication Technologies (ICT) governance controls framework.

Recommendation/s

That the Audit and Risk Management Committee note the key elements of the Information and Communication Technologies governance controls framework and the ongoing focus areas for improvement.

PURPOSE OF REPORT/BACKGROUND

ARMC has requested an update on ICT governance, focussing on:

· IT infrastructure and operations (including personal computing, cloud applications and any outsourced IT)

· Security of Data and Software (including access and cyber security)

· System development

· IT Governance

Overview of ICT Asset Portfolio

Figure 1 (larger version at Attachment 1) provides an overview of Council’s business applications and technology portfolio. Key aspects of the portfolio to note are:

· 284 different technologies/applications/modules have been identified:

o 93 enterprise applications/modules

o 106 line-of-business applications/modules

o 62 technology and infrastructure components (eg network, servers or storage related)

o 23 different applications in the standard desktop/laptop build (eg Microsoft Word or Adobe PDF reader)

· Of these 284 items, 102 have been identified as critical (Tier 1) to ongoing Council operations.

· There are approximately 220 individual servers, and ~250 terabytes of data storage in the major datacentre (Polaris). The majority of these servers, and all data/databases are backed-up to an off-site facility.

· Council network and infrastructure are protected via a mature suite of technologies (firewalls, proxies, anti-virus, intrusion detection etc). ARMC are advised that while market leading security solutions are in place there have been ongoing issues with the quality of security services and outcomes by the outsourced service provider (DXC Technology). ICT Branch is managing a project to migrate services to a new outsourced provider (Telstra) and expect to complete this migration before 30 November 2020.

· There are +50 systems (subject to further classification and analysis) that may be classified as a ‘Recordkeeping Systems’ as per current policy definitions.

· 49 systems have been identified that contain (subject to further classification and analysis) Personally Identifiable Information (PII). For clarity, most legislative obligations for managing ICT systems and data are directly related to systems that manage PII.

· 105 applications or services are hosted, either partially or fully, ‘in the cloud’.

· The corporate network currently spans to 37 discrete sites (buildings, depots, libraries etc) across the greater Ipswich Council region.

· There are currently 1100 laptops/PCs across the network with full remote access available to all laptops.

Figure 1: Council ICT Infrastructure and Systems Overview

Overview of ICT Governance and Controls Framework

The ICT Strategy 2019-2024 developed as a key outcome of Business Transformation Project #17 identified a number of critical gaps in ICT governance and related controls and two initiatives were framed in the roadmap to address these gaps:

· ICT Steering Committee (ITGOV01)

· Rebuild ICT Governance & Controls Function (ITGOV02)

Figure 2 (larger version at Attachment 2) provides an overview of the governance and controls framework ICT Branch is developing in response to the needs outlined in the ICT Strategy. This framework addresses the full spectrum of ICT Branch functions and considers strategic, tactical and operational perspectives.

Figure 2: ICT Governance and Controls Framework Overview

Figure 3 (larger version at Attachment 3) summarises the main features, current state observations and improvement opportunities for each of the 8 elements of the ICT Governance and Controls Framework.

Figure 3: ICT Governance Framework – Key Observations and Opportunities

In considering and developing the larger suite of ICT controls, ICT Branch is leveraging an open/industry standard framework (CObIT). This framework provides a robust and established suite of 210 ‘practices’ against which ICT functions can frame, evaluate and develop internal controls. Figure 4 (larger version at Attachment 4) provides an overview of this framework and identifies 5 Critical, 7 High and 4 Medium ‘process families’ that are the focus of ongoing improvements within ICT Branch.

Figure 4: ICT Controls Framework – Structure and Priority for Development

Attachment 5 provides a current-state report on the ongoing effort to review/update ICT Branch Directives and Procedures.

Overview of InfoSec Controls Framework

Attachment 6 provides an overview of the InfoSec Framework used by ICT Branch to plan for and coordinate end-to-end InfoSec capability alignment and development. The framework considers 75 individual capabilities across 5 categories. Current state assessment identifies and prioritises capabilities for development and currently reports 8 Critical and 25 High capabilities requiring uplift. All Critical and most High have active and funded remediation planned or effort underway. An extended view of the attached InfoSec Framework addresses full responsibility and accountability, including across key outsourced service providers, for InfoSec capability and outcomes.

Internal Audit has recently conducted an audit of Council’s “Cyber and Digital Security” capability. The final report has been submitted, a management response prepared, authorised and circulated. The findings have a strong correlation with capability and gaps as identified in the attached InfoSec Framework. Work on the accepted recommendations of the audit is being scoped and delivered.

Attachments and Confidential Background Papers

1	Council ICT Infrastructure and Systems - Overview ⇩
2	ICT Governance and Controls Framework - Overview ⇩
3	ICT Governance Framework – Key Observations ⇩
4	ICT Controls Framework – Structure and Priority for Development ⇩
5	ICT Branch Directives and Procedures Summary Report ⇩
6	Council InfoSec Controls Framework ⇩

Rob Stower

ICT Strategy, Enterprise Architecture and Governance Manager

I concur with the recommendations contained in this report.

Sylvia Swalling

Chief Information Officer

I concur with the recommendations contained in this report.

Sonia Cooper

General Manager Corporate Services

“Together, we proudly enhance the quality of life for our community”

Audit and Risk Management Committee

Meeting Agenda

16 November

2020

Doc ID No: A6583041

ITEM: 15

SUBJECT: Transparency and Integrity Hub Governance and Controls

AUTHOR: Chief Information Officer

DATE: 3 November 2020

Executive Summary

Recommendation/s

PURPOSE OF REPORT/BACKGROUND

Council resolved at its meeting on 27 April 2020 to enter a new era of transparency and integrity for Ipswich City Council through the implementation of a Transparency and Integrity Hub. Mayor Harding moved a Mayoral Minute detailing the following actions, that Council:

A. Establish and implement the Ipswich City Council Transparency and Integrity Hub, a digital portal that enables the publication of the financial data displayed as contemporary open data (intuitive, interactive, auditable and downloadable by selection) suitable for public consumption. The Transparency and Integrity Hub will enable the underpinning principles and Hub deliverables and will be launched by 1 July 2020.

a. Underpinning Principles

i. Adopt global best practice approach to open and transparent public sector financial management

ii. Demonstrate responsible and transparent governance and decision-making

iii. Enable data-driven decision making and rebuild public and stakeholder trust

b. Hub Deliverables

i. Publish as near to real-time financial data for Ipswich City Council in an open, transparent, interactive portal including, at minimum:

1. Previous five financial years financial data including detailed project income and expenditure financial data for major projects i.e. The Smart City Program

2. Council’s 2020-2021 Budget, once adopted

3. Quarterly financial reporting against the budget

c. Publish detailed income and expenditure financial data for all current and past Council beneficial (controlled) entities enabling comparison over the previous five financial years, including:

i. Ipswich City Developments Pty Ltd (deregistered) ABN 155 142 288

ii. Ipswich City Developments Pty Ltd (deregistered) (former name Ipswich City Developments Enterprises Pty Ltd) ABN 167 100 441

iii. Ipswich City Enterprises Pty Ltd ABN 095 487 086

iv. Ipswich City Enterprises Investments Pty Ltd ABN 127 862 515

v. Ipswich City Properties Pty Ltd (in Members Voluntary Liquidation) ABN 135 760 637

vi. Ipswich Motorsport Park Pty Ltd (deregistered) (former name Ipswich Motorsport Precinct Pty Ltd) ABN 611 160 902

d. Publish all contracts valued $200,000 or more (excluding GST) for a rolling period of five consecutive years. New data will continue to be published monthly (in accordance with the Local Government Regulation 2012) and the information published will be improved in alignment with best practice across Queensland and Australia. The new register will included:

i. Suppliers who tendered a response

ii. Person/company with whom Council has entered into the contract

iii. Contract number

iv. Commencement and end dates

v. Value of the contract (estimated/maximum value)

vi. Purpose of the contract / description of goods and service procured

vii. Approver / Council decision reference (i.e. link to published minutes)

e. Publish all Councillor related expenses, allowances and reimbursements for each month including contextual details of expenses incurred and purpose to enable benchmarking and comparison. Data will be published for the previous five financial years. Where travel costs have been absorbed by specific project costs, these should also be included.

B. Procure, through open tender, a suitable digital platform to enable the delivery of the Transparency and Integrity Hub, ensuring that the platform:

a. Is intuitive and user friendly, easy to maintain, secure and auditable;

b. Enables contemporary open data (intuitive, interactive, auditable and downloadable by selection);

c. Is best of breed software for the task for public sector transparency;

d. Creates efficiencies in financial data reporting;

e. Enables visualisation and context suitable for public consumption;

f. Allows data to be downloaded as CKAN Open Data;

g. Produces data in machine readable format; and

h. Directly integrates with Council systems and solutions for ease of use rapid adoption.

C. Bring forward a review of Council’s Open Data Policy to ensure alignment with best-practice approaches to publishing financial data.

D. Prepare a report to Council (and for public viewing) on the Smart City Program including detailed project financial data for the past five financial years and the community outcomes delivered.

This motion was carried and the implementation was achieved by a multi-disciplinary Council officer project team led by the Chief Information Officer, Chief Financial Officer and Manager, Procurement with oversight by a newly formed Data Governance Advisory Group and the General Manager, Corporate Services.

The Hub was implemented from 1 July 2020 in line with the resolution of the Council, with information published to the extent considered lawful at that time. The following tactical actions were undertaken to expedite the initiative:

A. Council officers moved to finalise the scope and specifications for an invitation to tender which was open to the market for three weeks from Monday 4 May to Monday 25 May 2020.

a. After an evaluation process, including presentations by shortlisted tenderers, a supplier was approved and awarded a service contract on 4 June 2020.

b. Redman Solutions, a Brisbane based company, in partnership with OpenGov, was the successful supplier awarded the service contract.

B. On and from 4 June 2020 implementation was advanced on an urgent basis using existing available resources and those of Redman Solutions in line with the committed budgetary allocation.

C. Concurrently, Council began further reviewing its policy and procedures to enable all data and information on the Hub to be published in accordance with best-practice privacy, procurement and open data principles.

a. Council’s Open Data Policy was urgently reviewed and submitted to Council for adoption at its ordinary meeting on 30 June 2020.

b. A Data Classification Standard was created and used to document the classification and treatment of datasets published to the Hub.

c. A Data Asset Register was created to document the data assets identified for publication.

d. A Decision Register was created to document actions taken and decisions made by accountable officers and consulted stakeholders.

e. A System Administrator is in place, audit trail functionality is operational and briefing and training of employees in the operation of the Hub has been completed.

f. Council’s process mapping application Promapp, is being used to create detailed process maps, workflow design and supporting work practices to ensure accountable, effective and efficient Hub administration.

g. A Dataload Register has been created to list which Data Steward is responsible for each data load.

h. Data masked is being tracked in a register also. Stipulating the pertaining data file and attributes masked and masking detail.

i. Segregation of duties is in place to add process integrity between data loaders and data owners.

D. Advice was sought, including the commissioning of an independent expert PIA. This PIA by Ms Nicole Stephensen of Ground Up Consulting was received on 30 June 2020 and has in turn been published in full on the Hub from 1 July 2020.

a. The PIA made nineteen recommendations to Council to further strengthen its governance and achieve best practice in the management of information privacy and to support Council’s implementation of the Hub.

i. These recommendations have been included in a Change Impact Assessment for consideration and action.

ii. Recommendation 19 of the PIA focussed on Council seeking a waiver of its obligations to comply with privacy principles in the public interest. The PIA provided that having regard to Recommendations 13 – 18 of the PIA, and to facilitate the achievement of the objectives of the Hub, Council should consult with the Queensland Office of the Information Commissioner (Privacy Commissioner) on an application under section 157 of the Information Privacy Act 2009 (IP Act) for a waiver in the public interest.

1. It was recommended that the application for a waiver set out the exact nature of the departure from the IPPs, the specific personal information involved, any timeline that applies, matters of the public interest served and any other factors relevant to an application of this type. This request was formally submitted to the Information Commissioner in July 2020 and remains under active consideration.

E. Information published to the Hub as at 1 July 2020 includes:

a. The previous five years’ revenue and expenditure financial data against the chart of accounts and the previous five financial years’ financial data including detailed project expenditure for The Smart City Program.

b. Detailed income and expenditure (excluding capital) financial data for current and past Council controlled (beneficial) entities listed above enabling comparison over the previous five financial years.

c. Contracts Awarded $200,000 and above (ex GST) for the past five financial years. New data will continue to be published monthly (in accordance with the Local Government Regulation 2012) and the information published will be improved in alignment with best practice across Queensland and Australia.

d. Councillor related expenses, allowances and reimbursements for each month over the previous five financial years. Council has published only what it considers lawful at 1 July 2020 given the information management and governance practices in existence at the time of the historical information being created. In particular, steps have been taken to de-identify any data that could breach an individual person’s privacy.

F. In the publishing of historical information prior to 1 July 2020, Council has acted with particular care and diligence to ensure that it acted lawfully in the circumstances. In particular, in applying the IP Act including the IPPs, Council has acted in line with the PIA and not published information including the names of individuals and / or contextual information that would potentially lead to the identification of individuals. This information was de-identified. However, the process of de-identification has resulted in a loss of data context, making is less consumable for the public, and limiting its relevance for re-use thereby diminishing transparency and integrity.

It should be noted that there were some operational constraints as at go live that impacted the ability to fulfil some deliverables to the full extent desired and these include:

1. The real time integration capability of OpenGov is facilitated by Application Programming Interfaces (APIs), the dominant data source only has a production environment which will require a data staging platform to enable the use of APIs to deliver near to real time or actual real time integration. Further digital infrastructure work is in progress to address this issue to achieve this goal.

2. Only expense and revenue data for Council and the controlled (beneficial) entities was published, balance sheet data was not published.

3. Names of suppliers who tendered but were not awarded were not able to be published under the information collection notification controls in place at the time that the data was created.

a. Council is taking steps to change the notification controls to allow this proactive disclosure in the future.

b. Contract end dates are not included as there is only system provision for one date in this data structure.

c. The Approver/Council decision reference and link to published minutes has not been included.

Councillor remuneration and superannuation expenses were not included. This privacy decision is now being reviewed to align in consideration of what information is being published on Council’s corporate website and therefore in the public domain.
To achieve greater transparency in procurement and contribute to rebuilding of trust with the Ipswich community, Council is now publishing basic contract details for all awarded contracts and procurements over $10,000 (excluding GST).

Sub-working groups for the Hub will continue to meet as required for targeted project or design work.

Legal/Policy Basis

This report and its recommendations are consistent with the following legislative provisions:

Local Government Regulation 2012

RISK MANAGEMENT IMPLICATIONS

Council considered privacy and legal/liability risks in the implementation of the Transparency and Integrity Hub project, and sought expert advice to mitigate and treat these risks to ensure compliance with legislative requirements.

Financial/RESOURCE IMPLICATIONS

The resolution of Council on 27 April 2020 was that $200,000 be allocated to the implementation of the Hub by 1 July 2020 and then $100,000 for subsequent years. The initial agreed service contract value for implementation of the Hub with Redman Solutions was $150,500. Additional work orders were authorised for work performed by Redman Solutions to meet the implementation deadline taking the total to $189,687.

In addition to the direct costs of implementation of the Hub with Redman Solutions, in order to ensure that necessary due diligence was undertaken in the very short implementation timeframe, additional expenditure was authorised to a total of $57,800. This included the gathering of advice and the costs of an independent PIA.

COMMUNITY and OTHER CONSULTATION

Internal stakeholders including the Data Governance Advisory Group, the Mayor and Chief of Staff, Councillors, the Executive Leadership Team, the Finance, Legal and Governance, and Procurement Branches, the ICT Branch, and the three project working groups contributed to the successful delivery of this initiative.

Conclusion

Council has committed to the ongoing development of the Transparency and Integrity Hub, building on the momentum achieved by delivering the initiative by the 1 July 2020 deadline. A forward plan is being developed to ensure that the Hub delivers in full on its promise of proactive disclosure, transparency and integrity with the community it serves.

Sylvia Swalling

Chief Information Officer

I concur with the recommendations contained in this report.

Sonia Cooper

General Manager Corporate Services

“Together, we proudly enhance the quality of life for our community”

Audit and Risk Management Committee

Meeting Agenda

16 November

2020

Doc ID No: A6575661

ITEM: 16

SUBJECT: ICT Steering Committee

AUTHOR: ICT Governance and Quality Controls Officer

DATE: 29 October 2020

Executive Summary

The ICTSC provides oversight for the ICT and IM portfolios and has met on a monthly basis since February 2020 and has now commenced meeting every six weeks.

Recommendation/s

That the Audit and Risk Management Committee receive and note the report on key matters considered by the ICT Steering Committee in the past quarter.

PURPOSE OF REPORT/BACKGROUND

The report provides a summary of the minutes of the ICTSC meetings held on 29 July, 26 August and 7 October 2020 and identifies any material risks and/or issues that warrant the consideration of this committee.

From the matters discussed at the ICTSC on 29 July, 26 August and 7 October, the following initiative has significant future impact for the organisation:

Agenda Item	Material Risk / Issue
ICT Platform (now iVolve) Project	This project has major strategic and operational impact for the entire organisation. A separate report has been provided on this project. Any material risk and/or issues will be discussed in the Update report on enterprise-wide or strategic projects (Program Management Office Report).

Also at the meeting held 29 July, there were two matters discussed of note from a risk perspective. The following is a brief overview of the same.

Agenda Item	Overview	Outcome
Update on Disaster Recovery Test Deferral	ICTSC noted the deferral of the DR test due to issues arising from the pending transition to a new information security provider.	ICTSC noted the deferral. The DR testing project is proceeding after the successful transition to the new provider, Telstra.
Update on Strategic Directions ICT Structure and Capability Review	This is one of the initiatives from the ICT Strategy 2019-2024. A review has been completed, communicated and the recommendations are being considered for implementation.	ICTSC noted the update.

In the meeting held 26 August, there were 5 initiatives discussed excluding standing agenda and administrative items. The following is a brief overview of the same.

Agenda Item	Overview	Outcome
Draft Ipswich City Council Information Management Policy Framework	Ipswich City Council Information Management Policy Framework and the preparation of an Information Management Strategic Plan.	ICTSC endorsed the Information Management Framework in principle Also endorsed in principle the development of the Information Management Strategic Plan. An action to explain the governance arrangements and hierarchy.
Draft Management Responses to Internal Audit of Digital and Cyber Security	Internal Audit commissioned Deloitte to conduct an audit of Council Digital and Cyber Security capability and controls. The Audit identified 19 recommendations. The report details the management responses to these recommendations.	The ICTSC endorsed Management Responses to the Audit and the actions derived from the same.
ICT Strategy Update	The ICT Strategy presented a roadmap/work plan addressing 25 individual initiatives, reflecting both BAU (OPEX) and CAPEX investment over a 3 year period. This report provides an update to the ICTSC on the progress and outcomes of these 25 items.	The ICTSC received and noted the status and issues across the 25 planned ICT Strategy initiatives.
Microsoft 365	Project to deliver a comprehensive understanding of the technology options, business value and costs for ICC migrating to a platform of Microsoft 365 and associated Microsoft supporting technologies.	The ICTSC endorsed: § Closure of the Telecommunications Delivery project § Closure of Stage 1 of the existing M365 project § Initiation of a new Microsoft 365 Program
ICT Platform (now iVolve) Project	ERP transformation project migrating the ICC process and systems to a new strategic platform. This also includes the structured management of the change journey that the staff will need to embrace.	The ICTSC endorsed the engagement scope for a Business Partner to develop the Preliminary Business Case. The ICTSC endorsed the approach to go to the open market.

From the above initiatives discussed at the ICTSC on 26 August, the following initiatives have some material risk or impact and warrant consideration.

Agenda Item	Material Risk / Issue
Draft Management Responses to Internal Audit of Digital and Cyber Security	While technical responses and controls for cyber-crime are addressed through the InfoSec Framework, not all capabilities are yet at the required level of functional maturity. There are known gaps with some cyber-crime capabilities. These will need to be analysed and reviewed by the Business System Owners for these sites and services. Internal processes to ensure visibility and understanding of effective escalation and collaboration need to be defined and documented to provide clarity and operational context for improvement. There will need to be accountability for data-driven fraud detection which must remain with Business System Owners, with identification of a gap for oversight of sample compliance and/or monitoring reporting.
ICT Strategy Update	At high-level, the material risks and issues to the ICT Strategy initiatives are: § InfoSec, Identity Management and Disaster Recovery. Risk reporting against these initiatives will be provided once project management in in-flight. § Identity Management and Analytics and Business Intelligence are expected to place a material ‘stretch’ on cross-Council operations and capability. At a more granular level, the following initiatives were identified at risk: § Digital/Smart City - has not progressed since it has been deprioritised by Council. § Information Management /Information Governance- where a capability gap may erode the benefit of Analytics and Business Intelligence. § Internet of Things (IoT)- capability is being maintained in stasis with no active development pathway. § Desktop Virtualisation / DaaS - funding is pending options and implications arising from Disaster Recovery.
ICT Platform (now iVolve) Project	Any material risks and/or issues will be discussed in the Update report on enterprise-wide or strategic projects (Program Management Office Report).

In the meeting held 7 October, there were 5 initiatives discussed excluding standing agenda and administrative items. The following is a brief overview of the same.

Agenda Item	Overview	Outcome
ICT Digital Cyber Security Audit - Management Responses FINAL	This is the final management responses to the Deloitte Audit on Council Digital and Cyber Security capability and controls. The draft response in the last meeting has been updated after peer review feedback provided by Gartner.	The ICTSC received and noted the submission of this report.
Treatment Plan for SmartCity IoT Assets	Smart City has been de-prioritised and no project funding stream is available to enable or continue development of the Smart City Blueprint published on 29 Jul 2016. The report provided a review of the nature and current-state condition of ICT/IoT assets and to make recommendations on the future treatment of these assets.	A close-out report will be prepared and published to the Transparency and Integrity Hub. Where areas of Smart City have been operationalised but still carry the banner of Smart City, they will be included in the closeout report and would no longer require updated data sets to be provided to the Transparency and Integrity Hub. The ICTSC received and noted the submission of this report with a recommendation that the report is to be discussed at ELT to determine future steps that might be required
Staff involvement in the delivery of the Information Management Strategic Plan Project and draft IKM Framework Governance Diagram	Explanation of the governance arrangements and hierarchy of framework and policies and other supporting documents, concerning the Information Management Policy Framework and Strategic Plan.	An action to develop a one-pager that describes the relationship between the framework and other governance documents.
iVolve Project - Project Status Report as of 30 September 2020	ERP transformation project migrating the ICC process and systems to a new strategic platform. This also includes the structured management of the change journey that the staff will need to embrace.	The ICTSC received and noted the submission of this report.
Digital Signatures	Provide a Digital Signature ‘capability’ that can be leveraged by any Business application/technology where that technology natively supports Digital Signing as an inbuilt/native feature of that application.	An action to form a Business Reference Group (BRG) to investigate and confirm the benefits to Council and conceptual use cases.

Attachments and Confidential Background Papers

1.	ICTSC Minutes 29 July ⇩
2.	ICTSC Minutes 26 August ⇩
3.	ICTSC Minutes 7 October ⇩

Lakmal Kamalgoda

ICT Governance and Quality Controls Officer

I concur with the recommendations contained in this report.

Rob Stower

ICT Strategy, Enterprise Architecture and Governance Manager

I concur with the recommendations contained in this report.

Sylvia Swalling

Chief Information Officer

I concur with the recommendations contained in this report.

Sonia Cooper

General Manager Corporate Services

“Together, we proudly enhance the quality of life for our community”

Audit and Risk Management Committee

Meeting Agenda

16 November

2020

Doc ID No: A6599245

ITEM: 18

SUBJECT: Nicholas Street Precinct (CBD) Redevelopment Update

AUTHOR: General Manager - Coordination and Performance

DATE: 10 November 2020

Executive Summary

This is a report concerning the Nicholas Street Precinct Redevelopment.

Recommendation/s

That the report be received and the contents noted.

RELATED PARTIES

Ranbury Management Services

Ranbury Property Services

Advance Ipswich Theme

Strengthening our local economy and building prosperity

Purpose of Report/Background

This is a status report on the progress of the civil redevelopment works associated with the Nicholas Street precinct. The Hutchinson Builders’ contract contains five separable portions (SP) which include the administration building, the library, Tulmur Place (the civic space), the car park upgrade and works to the existing lift in the EATS building.

Works to the interior and exterior of the administration building (SP1) continued in October 2020. Practical completion by Hutchinson Builders is anticipated in March 2021 with occupation of the building by council staff likely from June 2021 onwards. As previously reported, practical completion has been achieved for the library (SP2), Tulmur Place (SP3) and the car park (SP4). Installation of fixtures, furnishings and equipment (FF&E) in the library continued during the month. Approved variations to the car park (infrastructure and the replacement of the air extraction fans) are yet to be finalised. Replacement of lighting on levels B3 to B6 of the car park is imminent.

Tulmur Place remains closed to the public due to the EATS streetscape improvement works which are currently underway. This part of the Nicholas Street streetscape will be completed and reopened prior to the opening of Tulmur Place and the Ipswich Central Library. It is currently planned that Tulmur Place will officially be opened on 28 November 2020 and the library will open on 7 December 2020.

Preliminary works on the Commonwealth Hotel continued in October 2020 with construction of the hotel’s western wall commenced in preparation for the re-establishment of the building’s original façade. Practical completion remains 5 March 2021.

Legal/Policy Basis

This report and its recommendations are consistent with the following legislative provisions:

Local Government Act 2009

RISK MANAGEMENT IMPLICATIONS

COVID-19 impacts on Hutchinson Builders construction activities have continued largely unabated. Delivery of the retail redevelopment (excluding Metro A) remains dependent on the execution of the Agreement for Lease (AFL) with the key anchor tenant. As a result of delays to the retail refurbishment commencing, associated works will not be completed until October 2021 if Hutchinson Builders were to commence in early November 2020.

Financial/RESOURCE IMPLICATIONS

The current budget for the CBD’s redevelopment (including the retail project but excluding associated incentives) is $239.1M. At the time of writing, final project expenditure is forecast to meet project budget.

COMMUNITY and OTHER CONSULTATION

No consultation was conducted in the preparation of this report.

Conclusion

The Nicholas Street Precinct redevelopment is progressing well in terms to timeframes and budget.

Attachments and Confidential Background Papers

1.	Nicholas Street Redevelopment Project Report ⇩

Sean Madigan

General Manager - Coordination and Performance

I concur with the recommendations contained in this report.

Sean Madigan

General Manager - Coordination and Performance

“Together, we proudly enhance the quality of life for our community”

Audit and Risk Management Committee

Meeting Agenda

16 November

2020

Doc ID No: A6593861

ITEM: 19

SUBJECT: People and Culture Strategic Plan Implementation (including update on culture and pulse survey results)

AUTHOR: Acting Manager, People and Culture

DATE: 6 November 2020

Executive Summary

This is a report to the Audit and Risk Management Committee (ARMC) concerning the implementation of the People and Culture Strategic Plan 2019-2021.

An update by way of report was provided to the ARMC for the August 2020 meeting.

Recommendation/s

RELATED PARTIES

People and Culture Branch

Advance Ipswich Theme

Listening, leading and financial management

Purpose of Report/Background

In 2018 and 2019, under the leadership of the Interim Management Committee and the Interim Administrator, a Business Transformation Program was implemented including 18 Transformation Projects (TPs). The major deliverable of TP#2 People and Performance, was a People and Culture Strategic Plan 2019-2021 that included seven (7) strategic objectives and 23 initiatives to be delivered over that timeframe.

The seven (7) People and Culture Strategic Objectives are:

1. Build a credible and valued People and Culture Branch

2. Create a values-based culture

3. Develop capable and accountable leadership

4. Drive the effective management of change

5. Develop a capable and responsive workforce

6. Foster an environment where people feel valued and supported

7. Assist our people to stay healthy, safe and protected from harm.

An update by way of report was provided to the ARMC for the August 2020 meeting.

Workplace Culture

While there are many factors that contribute to workplace culture, the People and Culture Strategic Plan contains four initiatives for delivery against the Strategic Objective 2: Create a values based culture:

1. Develop and implement a values and behaviour principles framework

2. Develop and implement a performance framework to create a culture of feedback

3. Review values and behaviour principles framework for ongoing relevance

4. Build and support employee engagement practices.

Key deliverables to date have included:

1. A Leadership Charter setting out the behaviours expected of leaders at all levels aligned to the organisation’s values

2. A performance framework has been developed and considered by the Executive Leadership Team at its July 2020 strategic meeting with further work to finalise and implement the framework underway

3. Design, implementation and analysis of the results of four bi-monthly pulse surveys of Council’s workforce in March, May, July and September 2020.

Vast amounts of academic research exists on the topic of workplace culture. Both the research and experience tells us that workplace culture takes many years to influence as it can be deeply embedded in the norms, values and behaviours in an organisation.

As is the case with many organisations, consistent focus and investment will be required to continue to enhance the workplace culture at Ipswich City Council.

Culture and Pulse Surveys

Ipswich City Council has conducted a range of engagement surveys in the past, including the 2016 Culture Survey, 2019 Culture Survey and 2020 Pulse Surveys. The Culture Surveys were managed by an external service provider and the Pulse Surveys are managed by the People and Culture Organisational Development Section.

The purpose of the engagement surveys are to conduct diagnosis and identify actions that will support organisational effectiveness and change.

The Culture Surveys in 2016 and 2019 utilised the Human Synergistics Organisational Culture Inventory (OCI) and Organisational Effectiveness Inventory (OCE) methodology. The survey aimed to build an understanding and comparison of behavioural styles and provide unique insights into the structures, systems, and skills that affect our culture. Following the 2016 Culture Survey, the Line of Sight Program (LOS) was initiated to drive the identified actions required for culture change. Despite progress and some success in the LOS, the results from the 2016 survey to the 2019 survey did not change significantly. The desired impact in shifting Council culture toward more constructive styles was not realised. Given all that was occurring within Ipswich City Council during these years (2016-2019) this result should not be unexpected.

The bi-monthly 2020 Pulse Surveys were introduced in March 2020 to help gain a timely understanding of employee sentiment across a defined range of organisational characteristics.

The surveys feature:

· three mandatory survey questions requiring a rating using a five point Likert scale, with one of the questions featured in all surveys on organisational advocacy

· one optional free text question for additional comments, that is analysed against six interrelated factors of organisational effectiveness

· high level optional demographic questions.

Pulse Surveys 1 to 4 focused on team effectiveness, leadership, role clarity and performance and the focus for Pulse Survey 5 is on recognition and staff development. The intention of the organisational advocacy question featured in each survey is to identify employee engagement and sentiment over time. Ideally this would be measured against benchmark data for similar organisations, however, LGAQ have advised that at this time, they do not have engagement benchmark information for local government in Queensland.

Response rates have averaged in the high forty per cent range with between 550 and 600 employees responding. Response rates for the outdoor workforce have been lower than indoor workers and efforts have been invested in mobile technology options and paper based surveys.

When analysing the results of the free text survey question it is done against six interrelated factors of organisational effectiveness and change, which include strategy, structure, systems, culture, staff and skills[1]. The research suggests that for an organisation to be successful these internal elements need to align.

Over the first four (4) surveys the feedback has remained relatively consistent with the majority of the themes centred on the culture and structure categories. Feedback points to the following themes and feedback from employees, with varying degrees of sentiment, including the need for:

· greater consistency in demonstrated leadership behaviours across the organisation in managing people and teams

· greater transparency in decision-making and communication from senior leaders

· employee recognition and getting the right resourcing and development in the teams

· enhanced communication and collaboration across the organisation

· more consistent application of flexible working arrangements, and

· more consistent application of new policies for interactions with elected representatives.

The results for the organisational advocacy question ‘I would recommend Ipswich City Council as a place to work to family and friends’ have trended up and then down over the four pulse surveys with feedback indicating employees are less confident recommending branches and departments other than those they work in.

The Executive Leadership Team is working with Branch Managers and Section Leads to act in response to employee feedback with a range of actions underway. An ELT and Branch Manager Workshop is scheduled for 10 December 2020 to discuss and agree opportunities for focus in the new year.

Support for Employees

The People and Culture Branch in Council supports leaders and employees in a range of ways, including through:

· a suite of contemporary policies, administrative directives and procedures

· contemporary pay, leave and benefits

· workplace health, safety and wellbeing programs and initiatives including (but not limited to) i-health initiatives, mental health first aid support network and employee assistance program

· training, learning and development programs and opportunities

· People and Culture Business Partners who work closely with departments

· new resolving workplace grievance administrative directive and procedure

· new investigation and management of disciplinary matters administrative directive and procedure, and

· supporting leaders to address behaviour and conduct that is alleged to be out of step with the Code of Conduct in a timely and effective way, including through disciplinary action.

In recent months, Council has introduced two key Administrative Directives and Procedures for the workforce in regard to Resolving Workplace Grievances and Investigation and Management of Disciplinary Matters. These documents provide clear information for all staff in regard to actions and steps to be followed in the event of a grievance or a disciplinary matter associated with the Code of Conduct.

The People and Culture Branch works closely with Managers and employees to address workplace concerns including interpersonal conflicts, performance management issues or any attendance or health and safety breach matters. Weekly case management meetings are held to keep matters on track, to ensure a consistent approach to managing disciplinary outcomes and to share knowledge with regard to resolution strategies.

The Branch is also working closely with the Program Management Office in the implementation of a Project Management Plan for the delivery of the People and Culture Strategic Plan. The PMO is monitoring and supporting delivery and reporting to the Executive Leadership Team on a weekly basis.

Legal/Policy Basis

This report and its recommendations are consistent with the following legislative provisions:

Local Government Act 2009

RISK MANAGEMENT IMPLICATIONS

No specific risks are identified with this report, it is a report for noting.

Financial/RESOURCE IMPLICATIONS

There are no financial or resource implications arising from this report for noting.

COMMUNITY and OTHER CONSULTATION

People and Culture Branch continues to consult with leaders and employees in the implementation of the People and Culture Strategic Plan.

Conclusion

The People and Culture Branch is focussed on a positive service offering for current and potential employees of Ipswich City Council. The People and Culture Strategic Plan is the blueprint for the key programs across recruitment and selection, organisational development, workplace relations and workplace safety and wellbeing. Feedback from customers of the People and Culture Branch has been positive and the range of new or improved initiatives are being welcomed across the organisation.

Attachments and Confidential Background Papers

1.	People and Culture Strategic Plan Progress ARMC update ⇩

Nick Sheehan

Acting Manager, People and Culture

I concur with the recommendations contained in this report.

Sonia Cooper

General Manager Corporate Services

“Together, we proudly enhance the quality of life for our community”

1.	November 2020 Briefing Paper ⇩
2.	QAO Final Management Letter for Ipswich City Council ⇩

1.	Current Audit and Risk Management Committee Charter 19 November 2019 ⇩
2.	Proposed Audit and Risk Management Committee Charter November 2020 ⇩

	CONFIDENTIAL
1.	PMO Audit and Risk Committee Report - November 2020
2.	iVolve appendix - supplied at the meeting

A. That the report on Council’s insurance statistics for the period 1 July 2020 to 30 September 2020 be received and the contents noted.

Executive Summary

Recommendation/s

RELATED PARTIES

Advance Ipswich Theme

Purpose of Report

Legal/Policy Basis

RISK MANAGEMENT IMPLICATIONS

Financial/RESOURCE IMPLICATIONS

COMMUNITY and OTHER CONSULTATION

Conclusion

Executive Summary

Recommendation/s

RELATED PARTIES

Advance Ipswich Theme

Purpose of Report/Background

Legal/Policy Basis

RISK MANAGEMENT IMPLICATIONS

Financial/RESOURCE IMPLICATIONS

COMMUNITY and OTHER CONSULTATION

Conclusion

Executive Summary

Recommendation/s

RELATED PARTIES

Advance Ipswich Theme

Purpose of Report/Background

Legal/Policy Basis

RISK MANAGEMENT IMPLICATIONS

Financial/RESOURCE IMPLICATIONS

COMMUNITY and OTHER CONSULTATION

Conclusion

Executive Summary

Recommendation/s

RELATED PARTIES

Advance Ipswich Theme

Purpose of Report/Background

Legal/Policy Basis

RISK MANAGEMENT IMPLICATIONS

Financial/RESOURCE IMPLICATIONS

COMMUNITY and OTHER CONSULTATION

Conclusion

Attachments and Confidential Background Papers

Executive Summary

Recommendation/s

RELATED PARTIES

Not applicable

Advance Ipswich Theme

Purpose of Report/Background

Legal/Policy Basis

RISK MANAGEMENT IMPLICATIONS

Financial/RESOURCE IMPLICATIONS

COMMUNITY and OTHER CONSULTATION

Conclusion

Attachments and Confidential Background Papers

Executive Summary

Recommendation/s

RELATED PARTIES

Advance Ipswich Theme

Purpose of Report/Background

Legal/Policy Basis

RISK MANAGEMENT IMPLICATIONS

Financial/RESOURCE IMPLICATIONS

COMMUNITY and OTHER CONSULTATION

Conclusion

Attachments and Confidential Background Papers

Executive Summary

Recommendation/s

RELATED PARTIES

Ipswich City Council Strategic Objectives

Purpose of Report/Background

Financial/RESOURCE IMPLICATIONS

RISK MANAGEMENT IMPLICATIONS

Legal/Policy Basis

COMMUNITY and OTHER CONSULTATION

Conclusion

Attachments and Confidential Background Papers

INTRODUCTION

RECOMMENDATION

Attachments and Confidential Background Papers

Executive Summary