Audit and Risk Committee Chairs Report

Board Paper

Agenda Item 7.3: Audit and Risk Committee Chairs Report

Board

Agenda Item 7.3: Audit and Risk Committee Chairs Report

Board Paper

Agenda Item 7.3: Audit and Risk Committee Chairs Report

Board Agenda

10 August 2017

DRAFT

Meeting date: 10 August 2017 Page 1 of 4

Page 4 of 4 Meeting date: 10 August 2017

Meeting date: 10 August 2017 Page 3 of 4

Board

Agenda Item 7.3

Audit and Risk Committee Chairs Report

Meeting: 10 August 2017

Meeting

The most recent meeting of the Audit and Risk Committee (ARC) was held in Sydney on Thursday 3August2017.

The agenda covered a wide spectrum of items and in many respects marked a number of milestones in the Agencys audit and risk development. Given the extent of the agenda this report is more lengthy than usual. We do acknowledge the significant progress made by the management team in developing the finance and risk functions and whilst there remains much to do to reach a mature level acknowledgment of progress is appropriate.

Items of Business

The Committee considered the following:

The Agencys Risk Management Strategy, Policy and Framework;

The Agencys Risk Management Plan;

Risk Reporting;

The Agencys Fraud Risk Assessment and the draft Fraud Control Plan;

Progress and priorities in the development of the Agencys Finance Function;

A number of the Agencys draft accounting policy statements;

The Agencys draft Strategic Internal Audit Plan;

The Agencys Internal Audit Charter;

A report on Internal Audits completed to date;

An update from the Australian National Audit Office which included their draft Interim Management Letter;

A Finance Report;

An overview of the Agencys achievements in the first year of operation;

An update on the progress against the 2016/17 Work Plan as at 30 June; and

An update on the Board and Advisory Committee calendar for 2018.

With regard to the agenda items we report as follows:

The Agencys Risk Management Strategy, Policy and Framework

An overarching comprehensive risk management framework has been finalised which amongst other things reflects the risk appetite set by the Board. Management has confirmed that the RMSPF complies with relevant regulations and following input and discussion with management is endorsed by the ARC and is recommended to the Board for adoption.

It is recommended as part of an ongoing progamme of improvement that an overarching risk appetite statement be developed to help convey the Agencys strategic risk intent.

The Agencys Risk Management Plan

A toolkit has been developed to aid the role out the RMSP which encompasses migrating existing risks and new risks, incorporates a communication plan and includes training/awareness plans. Clearly the ultimate success will reside in the executive team embracing risk both for protecting the Agency and in delivering on strategic opportunities.ie embracing the development of a risk culture We understand risk is being embedded in executive meetings and throughout the organisation. It is planned that the ARC will monitor the implementation.

Risk Reporting

Draft Risk Reports were tabled and discussed including the nature and type of risk information that should be included. The reports are being designed to reflect the Agencys effectiveness in managing risk and to provide appropriate information particularly on major risks. It is expected that these will develop as the risk function matures. A number of suggestions were made and accepted to improve reporting.

Reporting will include risk management prioritisation, incident analysis, strategic risk improvement initiatives, and emerging risks. Formal reporting will be on a quarterly basis.

Fraud Risk Assessment and the draft Fraud Control Plan

A Fraud risk assessment has been undertaken by management using the new RMSPF. The results of this assessment were used to inform the new Fraud Control Plan. The review found weaknesses in fraud mitigation and control architecture. The draft plan responds to those findings and progress on the implementation of the strategies designed to improve the overall fraud control environment will be monitored by ARC.

The ARC discussed the draft plan, noted the findings of the review and the proposed responses to the identified weaknesses.

Progress and priorities in the development of the Agencys Finance Function

The ARC discussed progress in both prioritising the recommendations in the EY finance assessment report that was delivered in April 2017 and adopted by the management team. and the progress with their implementation. Considerable progress has been made in many areas including improvements in the speed of month end reporting, budget control frameworks, and reporting. Also internal audits of financial reporting and shared services have been conducted.

The ARC noted and was pleased with progress including the on boarding of additional capabilities into the function. There is much more to be done but progress to date has been very encouraging.

The Agencys draft Accounting Policy Statements

The ARC discussed and noted a number of new accounting policies for the Agency. The policies considered were

Capitalisation of Assets;

Consultants and Contractors;

Debtors;

Financial Instruments;

Indemnities, Guarantees & Warranties;

Prepayments;

Reserves; and

Revenue.

The policies will be adopted for the financial accounts for the Fy17 year. At this stage they have not been reviewed by the external auditors.

The Agencys draft Strategic Internal Audit Plan and Audit Charter

The ARC considered and approved the Agencys Internal Audit Plan and Audit Charter. The plan was originally reviewed by the ARC in March 2017 and has been updated to incorporate the committees recommendations. These recommendations included a reordering of some internal review priorities.

Internal Audits completed or in progress by Axiom Associates

Assurance Mapping Audit - The audit identified a number of priority areas to improve the effectiveness of assurance coverage across both operational and oversight business areas including operational risk registers, project management frameworks, the enterprise agreement and workforce plan, deficiencies in procurement and financial reporting processes, IT change management, ISM control compliance and Protective Security Policy Framework compliance. Management has acknowledged these gaps and is developing appropriate plans to manage and rectify them.

Finance Reporting Audit The audit found internal financial reporting to be relatively immature but noted significant progress has been made in developing them. The audit importantly concluded that whilst all identified issues needed to be addressed it was not likely that they would lead to material errors in internal or external financial reporting. Management has accepted the findings and is addressing each of them.

ARC also reviewed the audit topics for FY2018 which include Shared Services (underway), Project Management, Procurement Controls, Business Continuity Management, Internal Budgeting, Contract Management and Cyber Security Maturity.

A mid-year review of the Internal Audit plan will be performed by ARC in December 2017.

The Australian National Audit Office (ANAO) and draft Interim Management Letter

The ANAO has completed its interim audit work and presented its findings to ARC. Their assessment of the risk of material misstatement in the FY17 accounts is rated moderate. Please note that significant or moderate audit findings are reported to Parliament.

No issues were identified in the interim audit work which was not known to management. Having said that, they did note there were a number of matters identified that was in the process of being finalised by management primarily relating to finalisation of accounting policies and related procedures. The ANAO identified the following as areas in interest for the final audit:

1. Accounting for transfer of assets from NEHTA;

2. Supplier expenses and payables;

3. Employee benefits expenses and leave provisions; and

4. Financial Statements preparation process and policies.

The ANAO also confirmed delays to its timetable for completing the final audit. Management has prepared a revised Agency plan for finalising the Accounts and the Annual Report.

Finance Report

An abridged finance report was received on the YTD 31 May 17 results. The report was abridged given the focus of the finance team on preparing for year end. The ARC noted the 31 May reports and also discussed a revised year end audited financial statements delivery timetable. The earlier reported timetable has been amended to reflect delays in the ANAO completing its audit due to issues with their scheduling as mentioned above.

An overview of the Agencys achievements in the first year of operation

The ARC reviewed a report on the Agencys achievements in its first year of operations. The ARC agreed, based on the information in the report that significant progress has been made in the year.

An update on the progress against the 2016/17 Workplan as at 30 June

The ARC reviewed progress against the 2016/17 work plan.

An update on the Board and Advisory Committee calendar for 2018

The agenda and meeting dates for 2018 were discussed and will be finalised at our next meeting.

Minutes

Minutes for the meeting are be