Agenda of Risk and Assurance Committee Meeting

Risk and Assurance Committee Meeting Agenda

11 March 2025

9 Pūrongo | Reports

9.1 Ernst & Young Audit Plan for the year ended 30 June 2025

Kaituhi | Author: Michael Parrish, Manager, Financial Accounting

Kaiwhakamana | Authoriser: Mark de Haast, Group Manager Corporate Services

Te pūtake | Purpose

1 This report provides the Risk and Assurance Committee with Ernst & Young’s Audit Plan, on behalf of the Office of the Auditor General (OAG), for the year ending 30 June 2025.

He whakarāpopoto | EXecutive summary

2 Not required.

Te tuku haepapa | Delegation

3 Risk and Assurance Committee has delegated authority to consider this report under section C.3 of the Governance Structure and Delegations.

· Obtaining from external auditors any information relevant to the Council’s financial statements and assessing whether appropriate action has been taken by management in response to the above.

Taunakitanga | RECOMMENDATIONS

A. That the Risk and Assurance Committee receives and notes the Ernst & Young Audit Plan for the year ending 30 June 2025 attached as Appendix 1 to this report.

Tūāpapa | Background

4 The Council’s Auditors, Ernst & Young (Audit), have been engaged to undertake the audit of the Council’s Annual Report and Summary Annual Report along with compliance with its Debenture Trust Deed, for the year ended 30 June 2025.

5 The Audit Plan is attached as Appendix 1 to this report. This provides an overview of Audit’s focus areas, their risk assessment and their audit approach for the year ended 30 June 2025.

He kōrerorero | Discussion

6 The areas of audit focus are summarised below:

· Property, Plant and Equipment

· Rates setting, invoicing and collection

· Non-financial performance reporting

· Expenditure, procurement and tendering

· Debt facilities and derivatives

· Revenue from grants and subsidies.

Materiality

7 Audit has set their materiality threshold at $4.0 million, being 3% of forecast expenditure for 2024/25. Materiality is broadly defined as the quantum of any misstatements (through error or otherwise), that would likely mislead users of the financial statements. Any identified misstatements impacting on the Council’s operating result by more than $198,000 will be reported to the Committee by way of Audit’s Closing Report on conclusion of their audit

He take | Issues

8 This matter has a low level of significance under the Council’s Significance and Engagement Policy.

Ngā kōwhiringa | Options

9 There are no options to consider.

Mana whenua

10 There are no mana whenua considerations arising from this report.

Panonitanga Āhuarangi me te Taiao | Climate change and Environment

11 There are no climate change considerations within this report.

Ahumoni me ngā rawa | Financial and resourcing

12 As disclosed in the audit proposal letter dated 27 June 2023, the fees for the period ending 30 June 2025 will equate to $255,000. This is before any estimated disbursements and is exclusive of GST.

Tūraru ā-Ture me te Whakahaere | Legal and Organisational Risk

13 There are no legal and organisational risk arising from this report.

Ngā pānga ki ngā kaupapa here | Policy impact

14 There are no policy implications arising from this report.

TE whakawhiti kōrero me te tūhono | Communications & engagement

Te mahere tūhono | Engagement planning

15 An engagement plan is not required for this report.

Whakatairanga | Publicity

16 There are no specific publicity considerations arising from this report.

Ngā āpitihanga | Attachments

1. Ernst & Young Audit Plan for the year ending 30 June 2025 ⇩

Risk and Assurance Committee Meeting Agenda

11 March 2025

9.2 Ernst & Young Control Findings - Progress Update

Kaituhi | Author: Sharon Foss, Manager Risk and Assurance

Kaiwhakamana | Authoriser: Sheryl Gavin, Acting Group Manager Corporate Services

Te pūtake | Purpose

1 This report outlines how audit matters raised as control findings from Ernst and Young (EY) relating to the Annual Report 2023-24 and the corporate planning process for the 2024-34 Long Term Plan will be addressed.

He whakarāpopoto | Executive summary

2 Not required.

Te tuku haepapa | Delegation

3 The Risk and Assurance Committee is authorised to consider this matter according to section C.3 of the Governance Structure and Delegations for the 2022-2025 triennium which state the committee has the delegation to:

· Review and maintain the internal control framework

· Obtain from external auditors any information relevant to Council’s financial statements and assess whether appropriate action has been taken by management in response to the above.

Taunakitanga | RECOMMENDATIONS

A.1 That the Risk and Assurance Committee receives this report and notes the work programme to address the Ernst & Young control findings for the Annual Report 2023-24 and the corporate planning process for the 2024-34 Long Term Plan.

Tūāpapa | Background

4 EY, our external auditors, review our key financial and corporate reporting processes. They audited the Annual Report for the year ending 30 June 2024 and reviewed the Long-Term Plan 2024-34 and Consultation Document development process. While each review shares the same risk ranking reference, e.g. ‘moderate’, EY have applied different descriptives against each rank. The control findings across both reviews have been accepted by this Committee as corrective measures to strengthen the Council corporate planning process.

He kōrerorero | Discussion

5 The EY Annual Report management letter lists four control findings, one ranked moderate risk and three as low risk. EY will review these in the 2024/25 audit to see if they can be closed.

6 The EY Long-term Plan management letter lists six findings highlighting weaknesses in our controls. Three are ranked as moderate risk and three as low risk. Key areas for improvement include the forecasting model, the consultation document development process, Long-term Plan content, and other significant matters for future planning.

7 The Group Manager Corporate Services will report progress updates on EY’s 10 control findings to this Committee and these will be reviewed by EY during the 2024-25 audit. Commentary on each control finding and progress is provided in Appendix 1 to this report.

8 Summary of year-to-date progress is shown in the tables below

Risk	EY #	Part A – Annual Report Control Findings	Status: Feb 2025
Moderate	2.1.1	Accuracy of response and resolution times		In Progress
Low	2.2.1	Aged work in progress review		In Progress
Low	2.2.2	Overhead rate applied to projects.		In Progress
Low	2.2.3	Approval of expenditure		In Progress

Risk	EY #	Part B – LTP 2024-34 Control Findings	Status: Feb 2025
Moderate	2.1.1	Overall project management and timeline		In Progress
Moderate	2.1.2	Identifying consultation issues, developing the right debate, and the readability of the consultation document		In Progress
Moderate	2.1.3	Development of the Infrastructure Strategy and Financial Strategy		In Progress
Low	2.2.1	Approach to financial modelling		In Progress
Low	2.2.2	Development and peer review of asset management plans and ensuring alignment with key strategies and policies		In Progress
Low	2.2.3	Key capital project cost assessment and estimation		In Progress

He take | Issues

9 There are no additional issues arising from this report.

Ngā kōwhiringa | Options

10 There are no options arising from this report.

Mana whenua

11 There are no tangata whenua considerations arising from this report and mana whenua have not been consulted in relation to this report – as it is procedural.

Panonitanga Āhuarangi me te Taiao | Climate change and Environment

12 There are no climate change issues arising from this report.

Ahumoni me ngā rawa | Financial and resourcing

13 There are no financial considerations in addition to those already discussed in this report.

Tūraru ā-Ture me te Whakahaere | Legal and Organisational Risk

14 There are no legal or risk issues from this report. The control findings are corrective measures to strengthen the Council’s corporate planning processes. None of the findings are considered high risk.

Ngā pānga ki ngā kaupapa here | Policy impact

15 There are no policy implications in relation to this report.

Te whakawhiti kōrero me te tūhono | Communications & engagement

Te mahere tūhono | Engagement planning

16 This matter has a low level of significance under the Council’s Significance and Engagement Policy and no engagement is triggered.

Whakatairanga | Publicity

17 This report and appendices will be publicly available through the agenda for the Risk and Assurance Committee meeting.

Ngā āpitihanga | Attachments

1. Appendix 1 - Control Findings ⇩

Risk and Assurance Committee Meeting Agenda

11 March 2025

9.3 FY2024-25 Quarter 2, - Workplace Health, Safety and Wellbeing

Kaituhi | Author: Kelly Newbold, Manager Health Safety and Wellbeing

Kaiwhakamana | Authoriser: Rach Wells, Group Manager People and Capability

Te pūtake | Purpose

1 This report presents the Workplace Health, Safety and Wellbeing report for the period 1 October to 31 December 2024.

He whakarāpopoto | EXecutive summary

2 Not required for this report.

Te tuku haepapa | Delegation

3 The Risk and Assurance Committee has delegated authority to consider this report under the following delegation in the Governance Structure, Section C 1.

o Ensuring that the Council has in place a current and comprehensive risk management framework and making recommendations to the Council on risk mitigations,

o Assisting Elected Members in the discharge of their responsibilities by ensuring compliance procedures are in place for all statutory requirements relating to their role,

o Governance role in regard to the Health, Safety and Wellbeing Policy and Plan.

Taunakitanga | RECOMMENDATIONS

A. That the Risk and Assurance Committee notes the Health and Safety Quarterly Insights Report for the period 1 October to 31 December 2024, attached as Appendix One to this Report.

Tūāpapa | Background

4 The quarterly Health, Safety and Wellbeing Report is intended to provide the Council with insights into initiatives and activities and their progress, as part of the Council’s commitment to providing a safe and healthy place to work. The contents and any subsequent discussions arising from this report can support Officers to meet their due diligence obligations under the Health and Safety at Work Act (HSWA) 2015.

5 The timing of the Health and Safety Quarterly Reports does not prevent an ‘as and when required’ verbal update from the Chief Executive to the Mayor and Council regarding serious or high-profile risk events. Such events would be recorded and retrospectively included in the next available Quarterly Report.

He kōrerorero | Discussion

6 This report provides a summary update on the Health, Safety and Wellbeing activities, and initiatives that are underway or planned to be undertaken during the 2024/2025 financial year, across policies, risk review, audits and assessments.

He take | Issues

7 There are no issues arising from this report.

Ngā kōwhiringa | Options

8 There are no options arising from this report.

Mana whenua

9 There are no mana whenua considerations arising from this report.

Panonitanga Āhuarangi me te Taiao | Climate change and Environment

10 There are no climate change considerations arising from this report.

Ahumoni me ngā rawa | Financial and resourcing

11 There are no financial or resourcing considerations arising from this report.

Tūraru ā-Ture me te Whakahaere | Legal and Organisational Risk

12 There are no legal or organisational risks in addition to those noted in this report.

Ngā pānga ki ngā kaupapa here | Policy impact

13 There are 13 Health, Safety and Wellbeing related policies that are either under review or due to be reviewed in this financial year. Minor progress was planned during Q2 on these reviews due to resourcing constraints, reviews recommence in Q3. The review status is detailed in the below table.

Policy Name	Policy Description	Policy Review Due Date	Review Status
Corporate Policy Statement - Health and Safety	Statement from CEO to outlining Council's approach to H&S and expectations.	N/A	Implementation stage
HR-21 Contractors Health and Safety Management	To set Council expectations of Contractors working on Council sites.	Jan 2025	In progress
HR-13-020 Health and Safety	Outlines Council's approach to managing H&S	Feb 2022	In progress
HR-13-018 Hazard Management	Aims to ensure the safety of Council employees, visitors and contractors required to work on or around its premises.		To be revoked when HR-13-020 H&S Policy Review Complete
HR-13-022 Working Alone or in Isolation	Outlines the H&S responsibilities of the Council, its managers and workers. It applies to those who may be required to work alone or in remote.	May 2020
HR-24 Personal Protective Equipment	To ensure the provision of PPE where required to minimise the risk of harm.	2 year review cycle
HR-030 Incident and Accident Management	To ensure all safety information about accidents, incidents, and near-misses are reported and investigated appropriately	Nov 2019
HR-13-024 Smoke Free Workplace	To provide a smokefree environment that will assist to improve the health status of all those who undertake work for or visit Council workplaces.	Dec 2021
HR-16-034 Care Register	Sets out the guidelines and parameters for the use, maintenance and review of the Care Register.	July 2020	Planned Q3
HR-16-035 Visitors	To ensure a safe environment for visitors at a Council workplace so they remain safe from harm or risk during that visit.	Dec 2021	Planned Q4
HR-16-044 Preventing and Responding to Workplace Bullying	To provide guidance for how to identify, report, address, and help prevent worplace bullying and other undesirable behaviour in our workplace.	Dec 2021	Planned Q3
HR-18 Return to Work	Aims to ensure good communication is established and maintained betrween the Council, employee, treatment provider, and ACC to faciliate a RTW programme	April 2011	Planned Q3
HR-13-015 Rehabilitation Management	Aims to ensure the early, safe and lasting return to work of Council employees following injury or illness.	May 2019	Planned Q4
HR-13-017 Staff Wellness	Provides information regarding the broad range of wellness initiatives offered to employees, encompassing both emotional and physical wellbeing.	Dec 2018	Planned Q3
HR-19 Vehicle User	To clarify the responsibilities of drivers when using Council vehaicles, ensourage and promote safe driving behaviours.	Feb 2023	Planned Q4
HR-19-041 Alcohol in the Workplace	Provides guidance for supplying and consuming alcohol at social events in Council workplaces or at Council-owned or controlled facilities.	May 2024	Planned Q4
HR-26 Drug and Alcohol	To ensure that all workers can work in an environment free of alcohol and drug use or abuse.	Mar 2021	Planned Q4
HR-13-016 Emergency Preparedness	To ensure Council has effective emergency plan to manage emergencies likely to occur across Council worksites.	Dec 2018
HR-16 - Flexible Working Arrangements (FWA)	Policy to provide the process for flexible working arrangements including change in hours and location.	April 2019	In progress

TE whakawhiti kōrero me te tūhono | Communications & engagement

14 Health, Safety and Wellbeing internal communication continues to increase through a range of internal channels.

Te mahere tūhono | Engagement planning

15 An engagement plan is not needed regarding this report.

Whakatairanga | Publicity

16 There are no publicity considerations regarding this report.

Ngā āpitihanga | attachments

Ngā āpitihanga | Attachments

1. Insights Report for the period 1 October to 31 December 2024 ⇩

Risk and Assurance Committee Meeting Agenda

11 March 2025

9.4 Top 10 Organisational Risk Report

Kaituhi | Author: Nienke Itjeshorst, Lead Risk and Assurance Advisor

Kaiwhakamana | Authoriser: Mark de Haast, Group Manager Corporate Services

Te pūtake | Purpose

1 This report provides an update on the Top 10 Organisational Risks currently facing the organisation.

He whakarāpopoto | Executive summary

2 Not required.

Te tuku haepapa | Delegation

3 The Risk and Assurance Committee has delegated authority to consider this matter in line with section C.3 of the Governance Structure and Delegations for the 2022-2025 triennium which state the committee has delegation to:

· Ensure that Council has in place a current and comprehensive risk management framework and making recommendations to the Council on risk mitigation.

Taunakitanga | RECOMMENDATIONS

A. That the Risk and Assurance Committee receives and notes this report, including Appendix 1 to this report.

Tūāpapa | Background

4 The Top 10 Organisational Risks are aimed at setting a clear direction for staff as to what the Senior Leadership Team (SLT) have identified as the highest areas of potential risk for the organisation to being able to successfully achieve its objectives.

5 “Risk” for the management of the council organisation is defined as:

a. the impact of uncertain events that can happen in the future on the planned objectives that SLT wants the organisation to deliver and/or achieve (short, medium and long term), and

b. includes strategic, reputational, regulatory, legal, security, change and operational risks.

6 The current Top 10 Organisational Risks are managed in a risk register in our Enterprise Risk Management software: Camms Risk. It is important to note that these risk listings are:

a. not ranked in order of severity,

b. capped at 10, to provide a clear focus for SLT and this Committee, and

c. not ‘set in stone,” an emerging organisational risk can be brought forward to replace an existing risk when required and/or relevant.

7 Engagement on the organisational risk profile is through on-going conversations with SLT and activity managers about these risks, the controls to prevent or mitigate these risks and status of risk treatments that are underway to implement the controls to achieve the target risk level. These conversations ensure each risk is regularly reviewed providing assurance that the treatments are being conducted to further mitigate the risk.

8 The next table identifies the current Top 10 Organisational Risks.

Risk No.	Risk Title
ORG 1	Loss of life, serious injury or illness due to insufficient Health, Safety and Wellbeing management.
ORG 2	Failure to adequately maintain social licence.
ORG 3	Failure to give effect to Te Tiriti o Waitangi
ORG 4	Inadequate mitigation and adaptation responses to known and future climate change challenges.
ORG 5	Failure to achieve legislative obligations.
ORG 6	Inadequate management of the impacts of central government reform/change.
ORG 7	Inadequate safeguards against digital technology risks.
ORG 8	Failure to prudently manage Council’s financial stability including fraudulent activity.
ORG 9	Failure to maintain business continuity for essential services and inadequate planning and preparedness for emergencies.
ORG 10	Inability to attract and retain sufficient capacity to deliver Council’s objectives.

9 A list of AS/NZ/ISO 3100:2018 Standard: Risk Management – Guidelines definitions is included in the Heatmap Report on the last page.

He kōrerorero | Discussion

10 This report provides an update of the current Top 10 Organisational Risks. The associated Risk Heatmap Report (attached as Appendix 1 to this report), and details how the organisation is treating and mitigating these risks, with progress updates against each of the individual risk treatments.

11 All updates/changes to the Risk Heatmap Report have been highlighted in blue font.

He take | Issues

12 There are no additional issues arising from this report.

Ngā kōwhiringa | Options

13 There are no options to be raised in this report.

Mana whenua

14 There are no mana whenua considerations in addition to those included in Appendix 1 to this report.

Panonitanga Āhuarangi me te Taiao | Climate change and Environment

15 There are no climate change considerations in addition to those included in Appendix 1 to this report.

Ahumoni me ngā rawa | Financial and resourcing

16 There are no financial and resourcing considerations in addition to those included in Appendix 1 to this report.

17 Tūraru ā-Ture me te Whakahaere | Legal and Organisational Risk

There are no further legal and risk considerations arising directly from this report.

Ngā pānga ki ngā kaupapa here | Policy impact

18 There are no further policy considerations arising from this report.

Te whakawhiti kōrero me te tūhono | Communications & engagement

Te mahere tūhono | Engagement planning

19 This matter has a low level of significance under the Council’s Significance and Engagement Policy and no engagement is triggered.

Whakatairanga | Publicity

20 This report and appendices will be publicly available through the agenda for the Risk and Assurance Committee meeting.

Ngā āpitihanga | Attachments

1. Top 10 Organisational Risks Heatmap Report 11 March 2025 ⇩

Risk and Assurance Committee Meeting Agenda

11 March 2025

9.5 Internal Audit Work Programme Update

Kaituhi | Author: Sharon Foss, Manager Risk and Assurance

Kaiwhakamana | Authoriser: Mark de Haast, Group Manager Corporate Services

Te pūtake | Purpose

1 This report gives the Risk and Assurance Committee a progress update on the 2024 Internal Audit work programme together with a summary of the findings for each audit and seeks approval of the internal audit focus through to the close of the triennium.

He whakarāpopoto | Executive summary

2 This report does not require an Executive Summary.

Te tuku haepapa | Delegation

3 The Committee has delegated authority to consider this matter in line with section C.3 of the Governance Structure and Delegations for the 2022 – 2025 triennium which state that the committee has the delegation to:

· Ensure that the Council has in place a current and comprehensive risk management framework and making recommendations to the Council on risk mitigation.

Taunakitanga | RECOMMENDATIONS

A. That the Risk and Assurance Committee receives and notes the progress update on the 2024 Internal Audit work programme.

B. That the Risk and Assurance Committee receives and approves the 2025 internal audit work programme until the end of the triennium.

Tūāpapa | Background

4 Internal audit is line three of the ‘Four Lines of Defence’ model used in the Risk and Assurance workstream.

5 Each of the following four sources of assurance contributes to the overall assurance level and shows their integration into Council business.

First line: Day-to-day risk management and control by those responsible for specific objectives or processes.

Second line: Council oversight to ensure the control framework operates effectively.

Third line: Internal audit providing reasonable assurance of governance, risk management, and controls.

Fourth line: Assurance from external independent bodies like external auditors.

6 The Internal audits are ranked in accordance with NZ Auditing Standards and Council’s external auditors (EY).

High Risk	Matters and/or issues considered to be fundamental to the mitigation of material risk, maintenance of internal control or good corporate governance.
Moderate Risk	Matters and/or issues considered to be of major importance to maintenance of internal control, good corporate governance, or best practice for processes.
Low Risk	A weakness which does not seriously detract from the internal control framework.

7 This Committee has approved the internal audit work programme and received regular updates. Presentation of this update concludes the 2024 internal audit work programme.

8 The internal audit process collects evidence on business effectiveness, with managers and Group Managers (GMs) verifying the findings. The Chief Executive approves the final reports and relevant GM’s then commence work on the audit recommendations. Updates are shared with Ernst & Young as a contribution to their external audits.

He kōrerorero | Discussion

9 Completion of the blue audit entries below concludes the 2024 internal audit work programme.

10 The green audit entries are the 2025 internal audit work programme until the end of this triennium. This focus addresses a problem identified by the Chief Executive: not enough resources to complete audit recommendations. This decision helps reduce the risk of not improving policy and procedure effectiveness, which could affect the organisation both internally and externally.

Risk	#	Assurance Activity (third line of Defence)	Status: Feb 2025
Audit
High	1	Audit Mitigation of Fraud Policy		Completed 2023-24
High	2	Audit Procurement Policy Framework		Completed 2023-24
High	3	Audit Employee Code of Conduct document		Completed February 2025
High	4	Audit Employee Conflict of Interest Declarations
High	5	Audit General Expenses Policy
Moderate	6	Audit Protected Disclosures (Protection of Whistleblowers) Policy
Moderate	7	Audit Receipt of Gifts & Hospitality Policy
Monitor
Moderate	8	Monitor resolution of EY Control Findings		In progress
Assurance Support
Moderate	9	Provide assurance support to Datascape project as requested by GM, Corporate Services (CS).		n/a to date
Moderate	10	Provide assurance support to managers with completion of their audit recommendations as requested by GM, CS		In progress

He take | Issues

Internal Audit Findings

11 Common problems identified in the audits include low awareness of policy requirements, lack of regular communication and training to boost awareness, compliance, and accountability. The audits highlight the need for better training and obligation reminders for employees.

12 Internal audits form part of enterprise risk management and are a continuous improvement tool. Findings from internal audits reflect exact quantification of controls (i.e. pass or fail) and this approach helps continuously improve the Council’s first and second lines of defence.

13 The following table summarises the internal audit findings by way of key themes. These finding and/or themes are considered to be low risk as they do not reflect serious weaknesses in the Council’s overall control framework. Moreso, these findings/and or themes better reflect opportunities to further strengthen and improve the Council’s overall control framework.

Summary of High Level Themes	Code of Conduct	Conflict of Interest	General Expenses	Gifts and Hospitality	Protected Disclosures
Low profile. Not enough compliance reminders	X	X		X	X
Hard to follow	X	X	X		X
Incomplete or inconsistent requirements	X	X	X
No training or Induction		X		X	X
Processes don’t always align with policy requirements	X	X	X	X
Little or no compliance monitoring		X	X	X

Summary of Internal Audit Findings

Code of Conduct Audit

14 The audit identified 20 findings and made 28 recommendations.

15 The Code of Conduct includes all content recommended by the Office of the Auditor General and outlines expected behaviours for employees. However, it has a low profile on HubKap and is not often referenced in messaging to employees.

16 The audit findings are:

16.1 The Code of Conduct is an important guiding document for the Council but it has a low profile within the organisation.

16.2 Requirements of the Code do not always appear easy for employees to identify & follow.

16.3 There are areas of the Code that are out of alignment with current practice or do not show linkages to other parts of the document or other policies.

Conflict of Interest Audit

17 The audit identified 15 findings and made 18 recommendations.

18 Requirements for conflicts of interest not related to procurement are documented in the Code of Conduct. The separation of the procurement from the general conflict of interest declaration form towards the end of 2023 resulted in Council being without a standard conflict declaration form for some time. An old version of the form has now been added back onto HubKap as an interim measure while changes are considered.

19 Increasing the understanding and profile surrounding conflicts of interest would be beneficial for the organisation.

20 The audit findings are:

20.1 The Conflict of Interest guidance on the current process is incomplete.

20.2 Employees are not provided with education or reminders about non-procurement related conflicts.

20.3 Information about non-procurement related conflicts has gaps, can be confusing and is inconsistent in some places.

General Expenses Audit

21 The audit identified 15 findings and made 42 recommendations.

22 The General Expenses Policy is not being followed consistently by employees. Reasons for non-compliance was often due to employees not understanding the requirements or because current processes do not ensure that all Policy requirements are met. Some of these issues may be resolved with the Datascape project. There is an opportunity to carry out additional monitoring to ensure that spending meets Policy requirements.

23 The audit findings are:

23.1 Policy requirements are not followed consistently.

23.2 There are requirements set out in the Policy and related guidance that are not being adhered to due to gaps in the processes currently in place.

23.3 It is not always possible to tell what has been purchased, or why, from the information in MagiQ.

23.4 Monitoring of Policy requirements is limited.

Gifts and Hospitality Audit

24 The audit identified 16 findings and made 22 recommendations.

25 The Receipt of Gifts and Hospitality Policy contains the required rules for the acceptance of gifts in the workplace. However, without regular communication to employees about the Policy’s requirements, it is being overlooked and the rules are not being followed.

26 The audit findings are:

26.1 Policy requirements are not being followed.

26.2 The Policy does not provide an overview of the process to follow to notify and gain permission to accept gifts.

26.3 There is no strong messaging to employees about the need for Policy compliance in order to guard against reputational damage and the perception of impropriety.

26.4 Policy compliance is not being monitored or reported.

Protected Disclosures (Protection of Whistleblowers) Policy Audit

27 The audit identified 7 findings and made 7 recommendations. Note since the internal audit was carried out many of these findings have now been addressed and work already completed by the Legal Team following SLT direction to amend the Corporate Policy to a procedure.

28 The Protected Disclosures (Protection of Whistleblowers) Policy has been replaced by a new procedures document and the formal legal terminology on HubKap has been replaced by plain language which is easier to understand. Further work to increase staff awareness is recommended.

29 The audit findings are:

29.1 No training or education modules are available and staff are not reminded about protected disclosures.

Ngā kōwhiringa | Options

30 There are no options to be raised in this report.

Mana whenua

31 There are no mana whenua considerations arising from this report.

Panonitanga Āhuarangi me te Taiao | Climate change and Environment

32 There are no climate change issues arising from this report.

Ahumoni me ngā rawa | Financial and resourcing

33 There are no further financial and resourcing considerations arising from this report.

Tūraru ā-Ture me te Whakahaere | Legal and Organisational Risk

34 There are no legal or further risk considerations arising from this report. EY as our external audit partner have received copies of the full audit reports.

Ngā pānga ki ngā kaupapa here | Policy impact

35 There are no policy implications arising from this report.

Te whakawhiti kōrero me te tūhono | Communications & engagement

Te mahere tūhono | Engagement planning

36 This matter has a low level of significance under Council’s Significance and Engagement Policy and no engagement is triggered.

Whakatairanga | Publicity

37 This report and appendices will be publicly available through the agenda for the Risk and Assurance Committee meeting.

Ngā āpitihanga | Attachments

Nil

Risk and Assurance Committee Meeting Agenda

11 March 2025

9.6 Legislative Compliance 1 October to 31 December 2024

Kaituhi | Author: Sarah Wattie, General Counsel

Kaiwhakamana | Authoriser: Mark de Haast, Group Manager Corporate Services

Te pūtake | Purpose

1 The purpose of this report is to notify the committee of legislative non-compliance in the second quarter of the financial year, 1 October 2024 to 31 December 2024.

He whakarāpopoto | EXecutive summary

2 An executive summary is not required.

Te tuku haepapa | Delegation

3 The Risk and Assurance Committee has delegated authority to consider this report under section C3 of the Governance Structure and Delegations document for the 2022-2025 triennium. These delegations include:

· ensuring that the Council has in place a current and comprehensive risk management framework and making recommendations to the Council on risk mitigation.

assisting elected members in the discharge of their responsibilities by ensuring compliance procedures are in place for all statutory requirements relating to their role.

Taunakitanga | RECOMMENDATIONS

A. That the Risk and Assurance Committee notes legislative non-compliance for the second quarter of the financial year from 1 October 2024 to 31 December 2024 as outlined in Attachment 1 to this report.

Tūāpapa | Background

4 Local government is governed by a complex statutory framework with the Council responsible for a range of legislative requirements. Legislative compliance is important to the Council carrying out its functions under the Local Government Act 2002 in a fair and effective manner that is accountable to the local community. Failure to achieve Council’s legislative obligations has also been identified as one of the Council’s top 10 risks.

5 Each quarter key Council staff responsible for the Council’s compliance with legal obligations under different Acts are asked to complete a quarterly declaration of known non-compliance with legislative requirements and key assurance areas being privacy, procurement, authorised expenditure, cyber security and Local Government Official Information and Meetings Act 1987 (LGOIMA) requirements.

6 Council staff are asked to report against all applicable legislation. A legislative compliance schedule exists to assist staff in completing this declaration, set out in Attachment 2 to this report. The Council’s external auditors have identified the following legislation and regulations where non-compliance could have a fundamental effect on operations:

· Local Government Act 2002

· Local Authorities (Members’ Interests) Act 1968

· Local Government (Rating) Act 2002

· Local Government (Financial Reporting and Prudence) Regulations 2014

· Building Act 2004

· Resource Management Act 1991.

He kōrerorero | Discussion

7 This section sets out legislative compliance breaches for the second quarter of the financial year, 1 October 2024 to 31 December 2024, against all applicable legislation with risk ratings, corrective actions and status assigned for each breach. It also provides an assurance against key assurance areas outlined above being privacy, procurement, authorised expenditure, cyber security and LGOIMA.

Organisational Risk Levels

8 Organisational risks levels have been assigned to legislative compliance breaches reported to this Committee based on the Council’s organisational risk framework. The risk levels are set out below, noting that the assigned Risk Levels in Attachment 1 account for an assessment of the risk and corrective actions taken together:

Organisational Risk Levels
High	· Matters and/or issues considered to be fundamental to the mitigation of material risk, maintenance of internal control or good corporate governance.
Moderate	· Matters and/or issues considered to be of major importance to maintenance of internal control, good corporate governance, or best practice for processes.
Low	· A weakness which does not seriously detract from the internal control framework.

Key Assurance Areas

9 The Risk and Assurance Committee has requested the following key assurance areas be reported on in additional to legislative compliance:

· Privacy breach: A privacy breach is not meeting the requirements of the Privacy Act 2020 which may include releasing personal information to someone not authorised to receive it or using personal information in an unauthorised way.

· Procurement breach: A procurement or probity breach is a failure to follow the requirements of Council’s procurement policy, which sets out the requirements for our staff to ensure they carry out procurement in a way that is transparent, accountable, impartial and equitable.

· Unauthorised expenditure: Unauthorised expenditure is expenditure that breaches Council’s finance and purchasing policies, such as a staff member spending money without the appropriate financial delegation.

· Cyber security breach: A cyber security breach is a breach of Council’s information security systems which may result in the disclosure of sensitive, personal or commercial information to persons who are not authorised to receive the information, including members of the public.

· Local Government Official Information and Meetings Act 1987 (LGOIMA): A breach of this act relates to failure to meet deadlines or requirements for official information requests, land information memorandum (LIM) requests, and transparency and notification requirements relating to Council, committee and community board meetings.

10 Confidential investigations are not included in this legislative compliance report and will be reported in public excluded where required.

11 Table 1: Assurance against key risk areas

Risk area	Description
Privacy	There were two privacy breaches reported in the period.
Procurement	There were no reported procurement breaches in the period.
Unauthorised expenditure	There was no reported unauthorised expenditure in the period.
Cyber security	There were no reported cyber security breaches in the period.
LGOIMA	There was one reported LGOIMA breach in the period.

12 Legislative compliance breaches for the second quarter of the financial year are set out in Attachment 1 to this report. These include ongoing breaches previously reported to this Committee, where staff are still working on mitigations.

He take | Issues

13 There are no issues for this report.

Ngā kōwhiringa | Options

14 There are no options required for this report.

Mana whenua

15 The Council has a partnership with local iwi and hapū on the Kāpiti Coast District represented by Te Rūnanga O Toa Rangātira, Ngā Hapū o Ōtaki and Āti Awa ki Whakarongotai Charitable Trust.

16 The Council’s accountability to the community on legislative compliance extends to its partnership with iwi and commitments made to reflect the obligations under Te Tiriti o Waitangi, as well as other obligations to Māori, mana whenua and tangata whenua under the Local Government Act 2002, Resource Management Act 1987 and other legislation.

Panonitanga āhuarangi | Climate change

17 There are no climate change implications arising directly from this report.

Ahumoni me ngā rawa | Financial and resourcing

18 There are no financial implications arising directly from this report.

Tūraru ā-Ture me te Whakahaere | Legal and Organisational Risk

19 Except for the issues noted in this report, there are no other legal or risk implications.

Ngā pānga ki ngā kaupapa here | Policy impact

20 There are no policy implications arising directly from this report.

TE whakawhiti kōrero me te tūhono | Communications & engagement

21 This report is for the purpose of providing information only and does not trigger the Council’s Significance and Engagement policy.

Te mahere tūhono | Engagement planning

22 There is no requirement for engagement planning.

Whakatairanga | Publicity

23 There are no additional publicity considerations arising directly from this report.

Ngā āpitihanga | Attachments

1. Legislative Compliance Breaches and Updates 1 October 2024 to 31 December 2024 ⇩

2. Legislative Compliance Schedule ⇩

Risk and Assurance Committee Meeting Agenda

11 March 2025

9.7 Quarterly Treasury Compliance

Kaituhi | Author: Ian Georgeson, Chief Financial Officer

Kaiwhakamana | Authoriser: Sheryl Gavin, Acting Group Manager Corporate Services

TE PŪTAKE | PURPOSE

1 This report provides confirmation to the Risk and Assurance Committee of the Council’s compliance with its Treasury Management Policy (Policy) for the quarter ended 31 December 2024.

HE WHAKARĀPOPOTO | EXECUTIVE SUMMARY

2 An executive summary is not required for this report.

TE TUKU HAEPAPA | DELEGATION

3 The Risk and Assurance Committee (Committee) has the delegation to consider this matter under the section of Part C.3 of the Governance Structure and Delegations 2022-2025 Triennium which states: “This committee is responsible for monitoring the Council’s financial management, financial reporting mechanisms and framework, and risk and assurance function, ensuring the existence of sound internal systems.”

AUNAKITANGA | RECOMMENDATIONS

A. That the Risk and Assurance Committee:

A.1 Receives and notes the “Treasury Dashboard Report” for the December 2024 Quarter, attached as Appendix 1.

A.2 Notes the Council complied with all requirements of the Treasury Management Policy for the quarter ended 31 December 2024.

TŪĀPAPA | BACKGROUND

4 As part of the 2024-34 Long-term Plan process the Council adopted an updated Treasury Management Policy, to apply from July 2024. The objectives of the Policy are to control and manage borrowing costs, investment returns, liquidity requirements, and risks associated with treasury management activity.

5 The Council’s objectives in relation to borrowings are to:

5.1 minimise borrowing costs within approved risk parameters;

5.2 prudently manage the Council’s exposure to interest rate changes;

5.3 ensure sufficient levels of liquidity to meet planned and unforeseen cash requirements;

5.4 ensure that funding risks are managed by maintaining an appropriate spread of maturities;

5.5 prudently manage the Council’s credit exposures; and

5.6 monitor and report on the risk and the performance of debt portfolios against predetermined limits and benchmarks.

HE KŌRERORERO | DISCUSSION

6 The Treasury Dashboard Report for the December 2024 quarter, as at Appendix 1 to this report, provides an economic overview and reports against Policy requirements. The dashboard has been developed with Bancorp, our Treasury advisers, and is in a style consistent with reporting produced for many of their council clients. We are able to tailor the content to meet any specific requirements we may have.

7 Policy compliance is reported as follows:

7.1 Liquidity and funding risk

7.1.1 Overall net debt / revenue within LGFA covenant 285% (page 8)

7.1.2 Spread of debt maturities (page 3)

7.1.3 Liquidity ratio (page 3)

7.2 Interest rate risk

7.2.1 Total fixed rate hedging and spread across maturity bands (page 4)

7.3 Credit risk

7.3.1 Counterparty exposure (page 8)

8 The Council complied with all policy requirements during the quarter.

He take | Issues

9 This report has a low level of significance under the Council’s Significance and Engagement Policy).

Ngā kōwhiringa | Options

10 There are no options to be considered.

Mana whenua

11 There are no mana whenua considerations arising directly from this report.

Panonitanga Āhuarangi me te Taiao | Climate change and Environment

12 There are no climate change considerations within this report.

Ahumoni me ngā rawa | Financial and resourcing

13 There are no financial and resourcing considerations in addition to those already noted in this report.

Tūraru ā-Ture me te Whakahaere | Legal and Organisational Risk

14 There are no legal and risk considerations arising from this report.

Ngā pānga ki ngā kaupapa here | Policy impact

15 There are no policy considerations in addition to those already noted in this report.

TE WHAKAWHITI KŌRERO ME TE TŪHONO | COMMUNICATIONS & ENGAGEMENT

Te mahere tūhono | Engagement planning

16 An engagement plan is not required for this report.

Whakatairanga | Publicity

17 There are no publicity considerations arising from this report.

NGĀ ĀPITIHANGA | ATTACHMENTS

1. The Treasury Dashboard Report for the December 2024 Quarter ⇩

Risk and Assurance Committee Meeting Agenda

11 March 2025

9.8 Forward Work Programme to September 2025

Kaituhi | Author: Jayne Nock, Executive Assistant Group Manager Corporate Services

Kaiwhakamana | Authoriser: Sheryl Gavin, Acting Group Manager Corporate Services

Te pūtake | Purpose

1 This report seeks agreement to the forward work programme for the Risk and Assurance Committee to September 2025.

He whakarāpopoto | EXecutive summary

2 An executive summary is not required for this report.

Te tuku haepapa | Delegation

3 The Risk and Assurance Committee (Committee) has the delegation to consider this matter under the section of Part C.3 of the Governance Structure and Delegations 2022-2025 and set its annual work programme which contains matters relating to the committee’s purpose: “This committee is responsible for monitoring the Council’s financial management, financial reporting mechanisms and framework, and risk and assurance function, ensuring the existence of sound internal systems.”

Taunakitanga | RECOMMENDATIONS

A. That the Risk and Assurance Committee approves its Forward Work Programme to September 2025 as set out in Appendix 1 to this report.

Tūāpapa | Background

4 Under Council’s Standing Orders, the Chief Executive has the responsibility for approving the Committee agenda items, this report provides an opportunity for the Committee to discuss and endorse its work programme going forward which will shape the items to be discussed at future meetings.

He kōrerorero | Discussion

5 The forward work programme for the Risk and Assurance Committee, as developed by the Group Manager Corporate Services, is attached in Appendix 1 to this report.

6 The work programme includes those additional items that were requested by the Committee during their last meeting held in November 2024.

He take | Issues

7 The establishment and presentation of the forward work programme is in accordance with the Office of the Auditor General’s best practice guidance. This approach is used by other councils throughout New Zealand.

8 That same best practice also provides for the Committee to review its forward work programme at each subsequent meeting to ensure it remains relevant and can be adapted as necessary.

Ngā kōwhiringa | Options

9 The Committee can consider and, if necessary, make amendments to the forward work programme attached as Appendix 1 to this report.

Mana whenua

10 Whilst this report does not directly affect mana whenua, any such considerations will be included where appropriate in other reports presented to the Committee as part of the approved work programme.

Panonitanga Āhuarangi me te Taiao | Climate change and Environment

11 There are no climate change considerations for this report.

Ahumoni me ngā rawa | Financial and resourcing

12 There are no additional financial considerations for this report.

Tūraru ā-Ture me te Whakahaere | Legal and Organisational Risk

13 There are no legal considerations or risks for this report.

Ngā pānga ki ngā kaupapa here | Policy impact

14 There is no impact on existing Council policies.

TE whakawhiti kōrero me te tūhono | Communications & engagement

Te mahere tūhono | Engagement planning

15 No engagement planning is required for this report.

Whakatairanga | Publicity

16 The approved forward work programme will be publicised through the publication of the agenda and minutes of this Risk and Assurance meeting.

Ngā āpitihanga | Attachments

1. Forward Work Programme ⇩


RĀRANGI TAKE AGENDA Te Komiti Whakamauru Tūraru \| Risk and Assurance Committee Meeting
I hereby give notice that a Meeting of the Te Komiti Whakamauru Tūraru \| Risk and Assurance Committee will be held on:
Te Rā \| Date:	Tuesday, 11 March 2025
Te Wā \| Time:	9.30am
Te Wāhi \| Location:	Council Chamber Ground Floor, 175 Rimu Road Paraparaumu
Mark de Haast Group Manager Corporate Services

Mr David Shand	Chair
Mayor Janet Holborow	Member
Deputy Mayor Lawrence Kirby	Member
Cr Liz Koh	Member
Cr Jocelyn Prvanov	Member
Cr Glen Cooper	Member
Mr David Cochrane	Member