minutes of the audit committee meeting held 7 june …

MINUTES OF THE AUDIT COMMITTEE MEETING HELD 7 JUNE 2016 AT THE COUNCIL CHAMBER, SHIRE HALL WHICH COMMENCED AT 1.10 PM.

of 8

PRESENT Mr. Homi Burjorjee (Chairperson), Mr. Phil Delahunty, Mr. Brian Keane, Cr Paul Hooper, Cr Fay Hull, Mr. Andrew Evans (arrived 1.20pm), Mr. Don Cole, Mr. Alistair Rowe, Mr. Brad Eade, Mr. John Gavens (arrived 1.20pm , departed 1.50pm). 1. APOLOGIES Nil 2. CONFIRMATION OF MINUTES OF PREVIOUS MEETING

MOVED CR FAY HULL SECONDED MR PHIL DELAHUNTY That the Minutes of the previous Meeting held on 1 March 2016 be confirmed. CARRIED

3. DISCLOSURE OF ANY CONFLICT OF INTEREST Nil disclosed. Mr. Brian Keane did however advise the Audit Committee he works with Mr. Gavens at other councils. 4. MATTERS ARISING FROM THE MINUTES 1 MARCH 2016 4.1 MEETING WITH THE EXTERNAL AUDITOR Background At the meeting held 1 March 2016, the Audit Committee requested an in-camera session with the External Auditor (i.e. without management) to discuss relevant issues and that this session be scheduled for the June meeting. Discussion Council received advice from Crowe Horwath on 31 May 2016 that the person responsible for the external audit and its performance, Mr John Findlay, has recently left the organisation. Crowe Horwath are currently working with the Victorian Auditor General’s Office to transfer responsibility for the external audit from Mr. John Findlay to Mr. John Gavens. An in-camera session was not considered appropriate at this meeting. Mr. Gavens attended the meeting in person. For information 4.1 RISK MANAGEMENT REPORT UPDATE Background At the meeting held 1 March 2016, the Audit Committee requested an update on the Risk Management Report to this meeting. Discussion Council recently introduced a new intranet capability which has been designed around a new “Service Framework”. Consequently, a Risk Management Report was not presented at this meeting as the risk register is currently being aligned with the new Service Framework and its associated business responsibilities. A Risk Management Report will be presented to the September meeting.


of 8

For information 5. EXTERNAL REPORTING 5.1 FINANCIAL REPORT FOR PERIOD ENDED 31 MARCH 2016. Background The Audit Charter requires the Audit Committee to review the financial report presented to Council. Discussion The financial report presented to Council at the meeting held 19 April 2016 was for the period ended 31 March 2016. The report is included as an attachment titled “5.1 Financial Report for period ended 31 March 2016”.

MOVED MR BRIAN KEANE SECONDED CR FAY HULL That the Financial Report for the period 31 March 2016 be received. CARRIED

6. EXTERNAL AUDIT - NIL 6.1 AUDIT STRATEGY FOR THE FINANCIAL YEAR ENDING 30 JUNE 2016 Background The Victorian Auditor General appoints a service provider to undertake the annual financial audit. Mr John Findlay of Crowe Horvath was appointed by the Victorian Auditor-General’s office to undertake the annual financial audit for the year ending 30 June 2016.

Discussion An audit strategy is prepared to communicate to Council the proposed approach to the audit of its Financial Report and Performance Statement for the year ending 30 June 2016. The Audit Act 1994 requires the Auditor-General to form an opinion on Council’s Financial Report and Performance Statement. When undertaking the financial audit, Section 3A of the Audit Act 1994 requires the Auditor-General to also consider the issues of waste, probity and the prudent use of public resources. There are a number of key audit risks relating to the Financial Report identified in the strategy:

Form and contents of the financial report;

Risk of fraud through management override of controls;

Fair value assessment and revaluation of non-current physical assets;

Revenue recognition;

Employee costs and liabilities;

Superannuation funding call;

Local Government Council elections;

Capital works expenditure


of 8

The Performance Statement contains financial and non-financial data. Financial systems are predominantly established to capture financial data. Part of the audit is to review the systems that Council has in place to ensure compliance with legislative requirements. The Audit Strategy is included as an attachment titled, “6.1 Audit Strategy for the financial year ending 30 June 2016” for review by the Audit Committee. Mr John Gavens of Crowe Horwath, as Mr John Findlay’s proposed replacement, presented the Audit Strategy.

MOVED MR BRIAN KEANE SECONDED CR PAUL HOOPER That the Audit Strategy Report for the financial year ending 30 June 2016 be received. CARRIED

6.2 INTERIM MANAGEMENT LETTER FOR THE FINANCIAL YEAR ENDING 30 JUNE 2016 Background The Victorian Auditor General appoints a service provider to undertake the annual financial audit. Mr John Findlay of Crowe Horvath was appointed by the Victorian Auditor-General’s office to undertake the annual financial audit for the year ending 30 June 2016.

Discussion Part of the External Audit Program is for the external auditor to conduct an onsite interim audit. Crowe Horvath was on site in early May 2016. An interim management letter has been received and two recommendations have been made by the auditor; both rated as low risk. Council officers are currently considering the issues raised in the management letter and will implement the relevant recommendations as soon as possible. A copy of the interim management letter is included as an attachment titled “6.2 Interim Management Letter”

MOVED MR BRIAN KEANE SECONDED CR PAUL HOOPER That the Interim Management letter for the financial year ending 30 June 2016 be received. CARRIED

7. INTERNAL AUDIT


of 8

7.1 AUDIT REVIEW OUTCOMES UPDATE. Background Council appointed AFS & Associates from Bendigo as Council’s Internal Auditors. Council has since adopted a number of recommendations made by the Internal Auditor in relation to internal audit reviews. Discussion Action plans have been developed as a result of various internal audit reviews. Additional action plans have also been developed as a result of other audit reviews, including the Victorian Auditor-General. A summary of Audit Outcomes is provided for Audit Committee members and is included as an attachment titled “7.1 Audit Review Update June 2016”.

MOVED MR BRIAN KEANE SECONDED CR FAY HULL That the Audit Review Outcomes Update report be received. CARRIED

7.2 FRAUD PREVENTION AND DETECTION STRATEGIES Background AFS & Associates are Council’s Internal Auditors. Discussion AFS & Associates recently audited Council’s Fraud Prevention & Detections Strategies. The objective of the audit was to identify whether Council has an appropriate fraud prevention and detection framework in place that materially aligns to best practice. The audit concluded that whilst Ararat has a Fraud Prevention Policy, specific fraud risks are not regularly assessed. There is opportunity for Ararat to develop a Fraud Control Plan that will help guide and improve their fraud risk management framework. A Contractor Code of Conduct document should also be developed and then provided to contractors when they are added to any of Council’s Preferred Supplier panels. The final AFS report, which includes Council’s response to the audit, is provided as an attachment titled “7.2 Fraud Prevention and Detection Strategies June 2016”.

MOVED MR PHIL DELAHUNTY SECONDED CR FAY HULL That the Audit Committee recommends that Council receives the Fraud Prevention and Detection Strategies report and that Council:

1 Prepare and adopt a Fraud Control Plan aligned with better practice 2 Review and, if necessary, update the Fraud Prevention Policy 3 Review the Protected Disclosures Policy in line with the timeframe within the

policy 4 Update relevant policies, procedures and volunteer induction process to include an

acknowledgement of Council’s Employee Code of Conduct document


of 8

5 Develop a Contractor Code of Conduct document and provide it to new contractors when they are added to Council’s Preferred Supplier panels.

CARRIED

7.3 HOME AND COMMUNITY CARE & COMMERCIAL SERVICES Background AFS & Associates are Council’s Internal Auditors. Discussion AFS & Associates recently audited Council’s Home & Community Care & Commercial Home Care Services. The objective of the internal audit was to confirm cost monitoring, recoverability and accounting procedures exist over HACC & Commercial Services delivered by Ararat Rural City. The audit concluded that current budgeting and cost allocation practices do not accurately reflect all costs attributable to delivering HACC & Commercial Services as several overhead costs are not included and therefore the fees charged do not recover the full costs. Enhancements may be made through:

improving the fee setting process by tailoring data used to establish hourly fee charged to clients

reviewing costs allocated to the management of HACC & Commercial Services

establishing where responsibility lies for tasks such as fee setting within Carelink relating to HACC & Commercial Services

building budget accountability and monitoring obligations into staff roles

documenting key risks and mitigating controls associated with delivery of these services within Council’s risk register.

The final AFS report, which includes Council’s response to the audit, is provided as an attachment titled “7.3 HACC & Commercial Services Review June 2016”.

MOVED MR BRIAN KEANE SECONDED CR PAUL HOOPER That the Audit Committee recommends that Council receives the Home and Community Care & Commercial Services report and that Council:

1 Updates the Operational Risks Register for HACC Services to include the following:

Deficiencies in budgeting process

Lack of accountability for budget variances

Lack of documented processes around fee setting 2 Develop a procedure to monitor the HACC budget and regularly report results to

the Executive Leadership Group. 3 Review training records to identify HACC employees who have not received


of 8

Induction Training, and undertake induction procedures for those employees. 4 Develop a new procedure to review all on-costs associated with Commercial

Services, which will be invoked during the annual HACC budget setting process. The procedure will consider full cost recovery of all attributable costs, including administrative costs, coordination costs and direct overhead costs.

5 Develop a procedure to review cases where clients cannot afford meals and ensure appropriate financial delegations exist within Council’s Delegations Registers.

6 Develop a procedure to annually review the fees set in Carelink, including consultation with Council’s Manager Corporate Support.

CARRIED

7.4 INTERNAL AUDIT PROGRAM STATUS UPDATE Background AFS & Associates are Council’s Internal Auditors. Discussion AFS & Associates have provided an update on the remaining audit program for 2015/16 as well as the draft scopes for 2016/17. The update is included as an attachment titled “7.4 Internal Audit Program Status June 2016”

MOVED MR BRIAN KEANE SECONDED CR PAUL HOOPER That the Internal Audit Program Status Update report be received. CARRIED

8. OTHER MATTERS

8.1 INTRANET

Background Council has recently introduced a new Intranet. Discussion Mr. Don Cole gave a brief presentation on the Intranet.

For information

8.2 BUSINESS CONTINUITY PLAN UPDATE

Background At the last meeting, the Audit Committee requested that an update of Council’s Business Continuity Plan (BCP) be presented at the June meeting. Discussion


of 8

Council has received a draft BCP from Echelon’s Consultants and Council officers are now reviewing this document to understand the impact it will have on Council’s critical business processes and how these might best be managed within the Service Framework (SF) of the new Intranet system. During the design and development of the draft BCP document, council officers insisted that the document took into account the somewhat rigid structure of the proposed Services Framework. Moreover, the Services Framework has similarly been designed to take into account the requirement for effective BCP management.

In summary, the agreed approach for BCP documentation requires that an analysis be undertaken within each Service to determine all critical inputs to the service. This may include the loss of people, building access, ICT systems, electricity, etc. Special BCP processes, procedures and WIs (work instructions) are then developed to take into account the sudden loss of any of these inputs. These documents are all based on the following theme:

EXAMPLE:

LOSS OF CRITICAL INPUT: Unavailability of ICT systems

Interruption occurs

Mode Time frames Response Responsibility Resources

Wait for return of ICT service

0-1 hours Do nothing All Nil

Initial Response

1-8 hours BCP_SOP_1

Go to paper based system

Contact community

Service Owner 2x mobile phones

4x staff

Community contact list

Progressive Response

> 8 hours BCP_SOP_2

Continue with paper based system

Service Staff 3x mobile phones

6x staff

Community contact list

Recovery Response

ICT systems available

BCP_SOP_3

Restart Service Application

Upload paper based forms into ICT system

Continue to BAU

Service Staff 3x mobile phones

8x staff

Return to BAU

Responsibilities: The Executive leadership Group has recently determined that “BCP” will be established within the SF as a sub-service of the Risk Management Service. The “owner” of this new service will be empowered to deliver consistent BCP processes across the entire organisation. All Service owners are responsible for ensuring they comply with the requirements of the BCP and regularly review impacts associated with the loss of critical service inputs.


of 8

The BCP document will be restructured around the new SF, and a copy presented at the Audit Committee’s September 2016 meeting for comment.

For information 8.3 FUTURE AUDIT COMMITTEE TOPICS During each meeting, the Audit Committee considers items that should be included in the Agenda for the next meeting. Potential items for discussion at the next Audit Committee meeting could include:

External reporting

Review financial report for quarter ended 30 June 2016

Review the financial statements and performance statements for the year ended 30 June 2016 Internal audit

Past Issues – Follow up Review General

Review the Audit Committee Annual Report

Any relevant reports issued by regulatory agencies such as IBAC, Ombudsman and VAGO

Dates for future meetings Tuesday 6 September 2016 at 1pm Tuesday 6 December 2016 at 1pm Tuesday 7 March 2017 at 1pm Tuesday 6 June 2017 at 1pm Meeting closed at 3.10pm

ARARAT RURAL CITY COUNCIL MEETING – TUESDAY 19 APRIL 2016 9 - OFFICERS REPORTS

Page 1025

ITEM 9.3.1 QUARTERLY PERFORMANCE REPORT AS AT 31 MARCH 2016 13038999 ASSETS, FINANCE AND CORPORATE SERVICES

Introduction Council must establish and maintain a budgeting and reporting framework that is consistent with the principles of sound financial management. Discussion Council, at the December 2014 Council meeting, resolved to replace the current monthly and quarterly budgetary control reports with quarterly reports prepared on an accrual basis and in accordance with accounting standards, being:

a Comprehensive Income Statement,

a Statement of Financial Position, and

a Statement of Cash Flows. Council further resolved to receive quarterly reports on the Financial Performance Indicators prepared in accordance with the new Local Government Performance Framework. Key Financial information: Income Statement (Attachment 1) The Income Statement measures how well Council has performed from an operating nature. It reports revenues and expenditure from the activities and functions undertaken, with the net effect being a surplus or deficit. Capital expenditure is excluded from this statement, as it is reflected in the Statement of Financial Position. Attachment 1 shows that Council generated $22.372 million in revenue and $18.712 million in expenses to 31 March 2016. This has resulted in a surplus of $3.660 million for the nine months ended 31 March 2016.

Income Rates and charges account for 54.9% of the total budgeted income for 2015/16. Rates and charges are recognised when the rates have been raised, not when the income has been received. An amount of $15.250 million has been recognised as income for the nine months ended 31 March 2016. User fees account for 5.6% of the total budgeted income for 2015/16 and $1.048 million has been received to 31 March 2016. The majority of this relates to home care services, parking fees, transfer station fees and landfill gate fees reimbursed from Northern Grampians Shire Council. The income generated from the Great Hall at Gum San is less than the same time last year which can be expected as the Alexandra Oval Community and Recreation Centre is now available for hire. Recurrent Operating Grants total $2.956 million to 31 March 2016, including $1.241 million from the Victorian Grants Commission general purpose grants and $0.853 million for the local roads grants. Half the Federal Government funded financial assistance grants administered by the Victorian Grants Commission was paid in 2014/15 which explains the

5.1 Finance Report for period ended 31 March 2016


26

$2.657 million variance from the original budget ($6.326 million) to the current budget ($3.669 million). Non Recurrent Capital Grants total $1.316 million to 31/03/2016, including $0.437 million from the State Government for capital works at the Pomonal Hall & $0.315 million for the Alexandra Gardens/Ararat Outdoor Pool Kiosk & Change Room Development.

Expenses

Employee Costs account for approximately 42% of the total budgeted expenditure for 2015/16. For the nine months ended 31 March 2016 Council has incurred $7.923 million in employee costs, which is approximately 1% less than the budget for this period. There has been a number of vacancies due to resignation and retirement where savings occur from the time they leave to the time their replacement starts. Three new trainees have recently been appointed. Materials and Services account for approximately 29% of the total budgeted expenditure for 2015/16. For the nine months ended 31 March 2016 Council has incurred $5.205 million in materials and services costs. There are a number of projects, including those carried forward from 2014/15 that are expected to be completed before the end of the financial year.

Statement of Financial Position (Attachment 2) The Statement of Financial Position is another name for the Balance Sheet. It is one of the main financial statements and reports Council’s assets, liabilities and equity at a given date, in this case 31 March 2016. Comparative figures have been provided as at 30 June 2015. Council’s current assets have increased by $3.474 million from $16.797 million as at 30 June 2015 to $20.271 million as at 31 March 2016. Cash and cash equivalents, including financial assets, have increased $2.043 million from $13.521 million to $15.564 million and trade and other receivables have increased $1.508 million from $2.22 million as at 30 June 2015 to $3.728 million as at 31 March 2016. These movements are to be expected because Council raises its rates & charges in the first quarter of the year and Council has now received the lump sum rates due 15 February 2016 as well as the instalment due 29 February 2016. Total liabilities have reduced from $6.991 million to $6.375 million, with $1.118 million less in trade liabilities and other payables.



Page 1027

Statement of Cash Flows (Attachment 3) The Statement of Cash Flows shows how changes in the Statement of Financial Position and Income Statement affect Cash and Cash Equivalents, and breaks down the analysis to operating activities, investing activities and financing activities. The Cash and Cash Equivalents at the beginning of the financial year of $13.521 million have increased by $2.043 million to $15.564 million as at 31 March 2016. This movement is because the majority of rates and charges have been received in the second half of the year (i.e February 2016 lump sum payments and the third instalment). Net cash provided used in operating activities was $7.315 million, $5.174 million was used in investing activities and $0.098 million was used in financing activities. Investing activities includes payments for property, plant and equipment, and infrastructure totalling $5.758 million. This included capital road works and capital plant purchases. Based on the information provided by responsible officers and managers the forecast year end result for cash and cash equivalents are in line with budget. Financial Performance Indicators (Attachment 4) The new Local Government Performance Reporting Framework requires Councils to report various performance indicators at the end of each financial year. The relevance of some indicators is limited, as some are based on year end result. Nonetheless, they are always reported as they provide information on trends throughout the year. A full list of financial performance indicators is included in appendix 4. The working capital ratio of 729% at 30/9/2015 is inflated as the total amount of rates & charges raised is included as a current asset; and the $2 million loan for Alexandra Oval Community & Recreation Centre is recognised as a non-current liability.

Indicator 30/9/2015 31/12/2015 31/03/2016

Working capital Measure - Current assets compared to current liabilities. Permissible values in accordance with the Local Government Performance Reporting Framework – 0% to 500% Indicator of the broad objective that sufficient working capital is available to pay bills as and when they fall due. High or increasing level of working capital suggests an improvement in liquidity

729% 630% 483%



Page 1028

Indicator 30/9/2015 31/12/2015 31/03/2016

Loans and borrowings Measure - Loans and borrowings compared to rates. Permissible values in accordance with the Local Government Performance Reporting Framework – 0% to 100% Indicator of the broad objective that the level of interest bearing loans and borrowings should be appropriate to the size and nature of a Council’s activities. Low or decreasing level of loans and borrowings suggests an improvement in the capacity to meet long term obligations

13.37% 13% 13%

Indebtedness Measure - Non-current liabilities compared to own source revenue Permissible values in accordance with the Local Government Performance Reporting Framework – 0% to 100% Indicator of the broad objective that the level of long term liabilities should be appropriate to the size and nature of a Council’s activities. Low or decreasing level of long term liabilities suggests an improvement in the capacity to meet long term obligations

13.92% 13.31% 12.80%

Rates concentration Measure - Rates compared to adjusted underlying revenue Permissible values in accordance with the Local Government Performance Reporting Framework – 0% to 100% Indicator of the broad objective that revenue should be generated from a range of sources. High or increasing range of revenue sources suggests an improvement in stability

91% 79% 72%

Expenditure level Measure - Expenses per property assessment Permissible values in accordance with the Local Government Performance Reporting Framework $0 to $10,000 Indicator of the broad objective that resources should be used efficiently in the delivery of services. Low or decreasing level of expenditure suggests an improvement in organisational efficiency

$3,541 $3,646 $3,512



Page 1029

Indicator 30/9/2015 31/12/2015 31/03/2016

Indicator - Revenue level Measure - Average residential rate per residential property assessment Permissible values in accordance with the Local Government Performance Reporting Framework - $0 to $10,000 Indicator of the broad objective that resources should be used efficiently in the delivery of services. Low or decreasing level of rates suggests an improvement in organisational efficiency

$1,625 $1,745 $1,747

POTENTIAL IMPLICATIONS ARISING FROM THIS ISSUE Council plan reference 5.1 Good governance through leadership 5.5 Sound Financial management Financial and resource implications Council’s financial performance is in line with expectations. Council’s cash position was expected to increase in the third quarter with many ratepayers electing to pay their rates in full due 15 February 2016. Risk implications Council is required to establish and maintain a budgeting and reporting framework that is consistent with the principles of sound financial management and this report assists Council in meeting that requirement. Statutory Implications Section 137 of the Local Government Act 1989 states a Council must establish and maintain a budgeting and reporting framework that is consistent with the principles of sound financial management. Section 138 of the Local Government Act 1989 states at least every 3 months, the Chief Executive Officer must ensure that a statement comparing the budgeted revenue and expenditure for the financial year with the actual revenue and expenditure to date is presented to the Council at a meeting which is open to the public. Community Implications None identified. Environmental Implications None identified. Internal/external consultation The report has been prepared in consultation with relevant department managers and responsible officers. There has been no external consultation.



Page 1030

Options Council can: 1 Receive and adopt the Financial Reports for the period ended 31 March 2016 or 2 Reject the Financial Reports for the period ended 31 March 2016. Attachments Further information regarding this item is provided as an attachment. Conclusion The report for the nine months ended 31 March 2016 has been prepared on an accrual basis and in accordance with accounting practices, including a Comprehensive Income Statement, Statement of Financial Performance and Statement of Cash Flows. Council’s financial performance is in line with budget, with the exception of less income for Operating Grants (recurrent) as part of the Financial Assistance Grants received from the Victorian Grants Commission were received in advance and recognised as income in 2014/15.

MOVED CR G HULL SECONDED CR F HULL That the Comprehensive Income Statement, Statement of Financial Position, Statement of Cash Flows and the Financial Performance Indicators report for the period ended 31 March 2016 be received and adopted. CARRIED 3096/16



Page 1031



Page 1032



Page 1033



Page 1034



Page 1035


Auditing in the Public Interest

18 March 2016 File No.:

Mr A Evans Chief Executive Officer Ararat Rural City Council PO Box 246 ARARAT VIC 3377

Dear Mr Evans

AUDIT STRATEGY 2015–16

As previously advised by VAGO, I have been appointed as the audit service provider for the Auditor-General to assist in the conduct of the audit for the current financial year.

I enclose for your information the audit strategy for the year ending 30 June 2016.

The audit strategy provides an overview of our approach to the annual audit of the financial report of Ararat Rural City Council and will be discussed at the Audit Committee meeting on Tuesday, 7 June 2016.

I have also provided copies of the audit strategy to Mr Paul Hooper, Mayor and Mr Homi Burjorjee, Audit Chairperson.

If you have any queries concerning this audit strategy, please contact one of the following:

John Findlay on 03 5304 5745 [email protected]

Tim Loughnan (VAGO) on 03 8601 7086 [email protected]

I also take this opportunity to thank your executive team and staff for the time they made available to us during planning.

Yours sincerely CROWE HORWATH MELBOURNE

JOHN FINDLAY Partner VAGO Audit Service Provider

6.1 Audit Strategy for the financial year ending 30 June 2016

Ararat Rural City Council Audit Strategy 2015–16

Ararat Rural City Council

Audit Strategy

Year ending 30 June 2016

Our vision is to be a catalyst for continuous improvement in the accountability and performance of the public sector.


1

Contents 1 Purpose of this strategy .............................................................................................. 2

2 Independence ............................................................................................................... 2

3 Audit quality ................................................................................................................. 2

4 Scope of the audit ........................................................................................................ 2

5 Conducting the audit ................................................................................................... 3 5.1 VAGO's approach to the audit ................................................................................................ 3

5.1.1 Audit planning...................................................................................................... 3 5.1.2 Professional scepticism ....................................................................................... 3 5.1.3 Liaising with Internal Audit ................................................................................... 3

5.2 Relevant risks for the audit ..................................................................................................... 4 5.2.1 Identifying and assessing risks of material misstatement ................................... 4 5.2.2 Responding to risks of material misstatement .................................................... 4 5.2.3 Audit risks relating to the performance statement............................................... 6 5.2.4 Risk from fraud, irregularities or regulatory non-compliance .............................. 7 5.2.5 Other areas of audit focus ................................................................................... 7

5.3 Planned audit testing of material components ....................................................................... 7 5.3.1 Overview of audit testing ..................................................................................... 7 5.3.2 Internal controls ................................................................................................... 8 5.3.3 Management representations ............................................................................. 9

5.4 Materiality, audit adjustments and unadjusted differences ..................................................... 9

6 Audit administration .................................................................................................. 10 6.1 Engagement team and how to contact us ............................................................................ 10 6.2 Key milestones ..................................................................................................................... 10 6.3 Audit fee estimate ................................................................................................................. 11 6.4 Occupational Health and Safety obligations ......................................................................... 12 6.5 Client feedback ..................................................................................................................... 12

7 Reports to Parliament ................................................................................................ 12 7.1 Results of financial audits ..................................................................................................... 12 7.2 Performance audits ............................................................................................................... 12 7.3 VAGO annual report 2014–15 – Key audit themes .............................................................. 13

8 Acknowledgments ..................................................................................................... 13

9 Appendix A – Key audit themes ................................................................................ 14



2

1 Purpose of this strategy This strategy sets out our approach to the audit of the financial report and performance statement of Ararat Rural City Council for the year ending 30 June 2016. This document forms the basis for discussion at the Audit Committee meeting of 7 June 2016 and is a key tool for discharging our responsibilities in relation to communicating with those charged with the governance of Ararat Rural City Council.

2 Independence The Auditor-General is an independent officer of the Victorian Parliament, appointed under legislation to examine, on behalf of Parliament and Victorian taxpayers, the management of resources within the public sector. The Auditor-General is not subject to control or direction by either Parliament or the government. In conducting the audit, the Auditor-General, his staff and delegates will comply with all applicable independence requirements of the Australian accounting profession.

3 Audit quality Our audit is performed in accordance with the Australian Auditing Standards. These standards require us to establish and maintain policies and procedures that ensure the quality of the audit service we provide. The engagement leader is the key person responsible for the audit engagement and its performance, and should be the first point of contact if you have any concerns about the quality of this audit engagement.

A key priority for VAGO is to enhance our reputation for quality audits that are rigorous and well supported. To that end, we have created a new Standards and Quality team to focus on continuous improvement activities and quality across all aspects of the office.

4 Scope of the audit The Audit Act 1994 requires the Auditor-General to form an opinion on your financial report and performance statement and provide a copy of the audit reports to you and the Minister for Local Government.

When providing our audit opinion on your financial report:

• your ‘financial report’ includes management prepared financial statements, notes comprising a summary of significant accounting policies and other explanatory information and accountable officer and principal accounting officer declarations

• our ‘audit opinion’ is whether or not the financial report presents fairly, in all material respects, the financial position of the Council as at 30 June 2016 and of its financial performance and its cash flows for the year then ended in accordance with applicable Australian Accounting Standards, and the financial reporting requirements of the Local Government Act 1989.

When undertaking the financial audit, Section 3A of the Audit Act 1994 requires the Auditor-General to also consider the issues of waste, probity and the prudent use of public resources.

For the purposes of providing an audit opinion on your performance statement:

• your performance statement, includes the performance indicators as specified in the Local Government (Planning and Reporting) Regulations 2014

• our opinion is whether or not the performance statement presents fairly, in all material respects, in accordance with the Local Government Act 1989 and associated regulations.



3

5 Conducting the audit

5.1 VAGO's approach to the audit Our overall financial audit approach focuses our attention on areas where there is a greater risk of material misstatement of the financial report. We identify these areas in our audit planning process and then design and perform audit procedures to obtain reasonable assurance about whether the financial report as a whole is free from material misstatement.

5.1.1 Audit planning To plan the audit we had discussions with management and key members of the finance team. We have used these discussions together with other information to develop our understanding of your entity, its environment, its internal control framework and the events, transactions and processes that occurred during the year so far. Our understanding forms the basis for how we identify and assess risks of material misstatement to the financial report, whether by fraud or error, as well as designing appropriate audit responses to those risks.

Audit planning procedures continue throughout the course of the audit until the audit opinion is issued. Should we become aware of any additional significant risks which would impact the audit we will notify the Audit Committee as soon as practical.

5.1.2 Professional scepticism We approach all our audits with a degree of professional scepticism as not only is this required by Australian Auditing Standards, and consequently the Audit Act 1994, it is a key component of delivering an effective public sector audit. ASA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Australian Auditing defines professional scepticism as ‘an attitude that includes a questioning mind, being alert to conditions which may indicate possible misstatement due to error or fraud, and a critical assessment of audit evidence’.

Professional scepticism is particularly relevant in areas that involve management assumptions and/or estimates. It is also critical when evaluating audit evidence to reduce the risk of the auditor:

• overlooking unusual circumstances • over generalising when drawing conclusions from observations • using inappropriate assumptions in determining the nature, timing and extent of evidence gathering

procedures and evaluating the results thereof.

5.1.3 Liaising with Internal Audit Given the nature of the internal audit program and our initial assessment of the work performed, we do not intend to place reliance on the work of internal audit. In forming this view, we considered the following matters:

• emphasis on operational risks rather than financial risks • coverage and sample sizes • timeliness of audit work



4

5.2 Relevant risks for the audit 5.2.1 Identifying and assessing risks of material misstatement Based on our risk assessment procedures we have identified a number of pervasive and specific risks of material misstatement for the audit. Risks which we have assessed as posing a high risk of misstatement are summarised in the following table. We have also highlighted whether we consider the risk is due to fraud or error and whether it involves significant judgement or estimation by management. This information helps us determine our response to the risk which is outlined in Section 5.2.2.

Table: Summary of audit risks relating to the financial report

Risk

Fraud Error Significant judgements

Pervasive (P) or Specific (S)

1 Form and content of financial report P 2 Management override of controls P 3 Revaluation of property, plant and equipment S 4 Revenue recognition S

5 Employee costs and liabilities S 6 Superannuation funding call S 7 Local Government Council elections P

8 Capital works expenditure S

5.2.2 Responding to risks of material misstatement The table below provides additional detail about some of the risks summarised in Section 5.2.1 as well as outlining our audit response to those risks.

Table: Audit risks relating to the financial report

Risk of Material Misstatement Audit area and consequence Audit response Form and content of financial report The financial reporting requirements of the Australian accounting standards and Local Government Act 1989 and Local Government (Planning and Reporting) Regulations 2014 are extensive and require the financial statements to be prepared in accordance with the Local Government Model Financial Report.

Accounting treatments or financial reporting disclosures may be incorrect or insufficient. The financial report may not be in accordance with reporting requirements of the Local Government Model Financial Report.

We will review ‘shell’ accounts and the draft financial report against the Local Government Model Financial Report and the requirements of the Australian accounting standards and the Local Government (Planning and Reporting) Regulations 2014.

Risk of fraud through management override of controls There is a risk of fraud due to management override of controls. While the level of risk of management override of controls will vary from entity to entity, the risk is nevertheless present in all entities.

Assertions, account balances and operating results may be materially misstated.

We will assess the processes in place to prevent and detect fraud. ASA 240 imposes specific audit procedures, including: • Testing the appropriateness of

journal entries and other adjustments made in preparing the financial report

• Reviewing accounting estimates for biases, and

• Reviewing significant unusual transactions

Fair value assessment and revaluation of non-current physical assets Council recorded property, plant, The value of land, buildings and We will:



5

Risk of Material Misstatement Audit area and consequence Audit response equipment and infrastructure assets totalling $162.9 million in its 2014–15 financial report. The majority of council's non-financial assets are carried at fair value. The valuation of non-current physical assets is highly complex, involves management judgement, relies on a valuation expert, and various assumptions underpin the methodology applied to determine fair value. Valuations may be inaccurate due to the judgement and complexities associated with applying AASB 13 Fair Value Measurement.

infrastructure may be materially misstated. The financial report may include a material misstatement if the valuation is not performed in line with appropriate methodology and/or based on sound assumptions and judgements. Fair value measurements and disclosures may be incorrect or insufficient.

• review management's fair value assessment within the context of AASB13

• review the valuer's report of land and buildings to evaluate the appropriateness of the methodology and assumptions adopted and the overall reasonableness of the valuation

• review the appropriateness and accuracy of the adjustments processed.

• assess the adequacy of disclosures with respect to non-financial assets recorded at fair value given the requirements of AASB 13.

Revenue recognition Council's main source of revenue include: • rates and charges (2014–15:

$14.6 million) • user fees (2014–15: $1.5 million) • operating and capital grants

(2014–15: $12.7 million) Application of revenue recognition policies may use assumptions and require the exercise of management judgement. These include: • rates determined by different

categories being applied to valuations of individual properties

• user fees recognised when goods or services have been provided

• an assessment of the recognition criteria for grants in line with accounting standards

Budgetary pressures from rate capping and performance targets may influence the revenue recognition.

Revenue may be materially misstated due to the failure to correctly recognise and measure it in accordance with accounting standards.

We will: • review and assess the systems

and process of capture and recording for each material revenue stream

• test the operating effectiveness of key controls

• perform cut-off procedures • assess whether treatment of

revenue is consistent with AASB 118 Revenue and AASB 1004 Contributions.

Employee costs and liabilities

Employee benefit costs are the largest expense incurred by the Council. Councils are subject to various contracts, awards and enterprise agreements, which may not be adequately represented in the central payroll system

The accuracy of employee expenses and related liabilities may be materially misstated.

We will: • Verify a sample of employee

details included in the employee benefit provisions back to the relevant EBA’s, contracts and awards and the payroll system.

• Review of payroll system to ensure appropriate controls and segregation of duties.

• Review the leave entitlements provisions calculations in accordance with AASB 119 Employee Benefits and review council’s leave management strategy.

Superannuation funding call



6

Risk of Material Misstatement Audit area and consequence Audit response The Local Authorities Superannuation Fund (LASF) is required to be fully funded. LASF monitors its Vested Benefit Index (VBI) on a quarterly basis and has set the shortfall limit at 97%. Where the VBI falls below 97% employers may be required to make top-up contributions. With the current volatility and downward trend in the stock market there is the potential for the VBI to fall below the 97%. The last superannuation funding call in 2011–12, resulted in the Council recognising a superannuation liability of $2.6 million.

There could be a potential cash outflow impacting the financial stability of the Council.

We will: • review the fund position at each

quarter • review disclosures for

consistency with the Local Government Model Financial Report.

• review council's ability to fund a superannuation call, should one be required.

Local Government Council elections The Council is due to hold general elections in October 2016. This is expected to occur soon after the financial statements, performance statement and annual report are finalised and published.

There may be a higher level of scrutiny of the results in the financial statements and the financial position. There may be a higher level of scrutiny of the results and commentary in the performance statement. There may be increased likelihood for unbudgeted operating and capital expenditure. Potential for subsequent events that require disclosing.

We will: • make enquires of management

on any changes occurring in advance of the elections

• review minutes and management reports for large or unusual transactions

• monitor and assess any subsequent events for disclosure requirements.

Capital works expenditure

Capital expenditure is a significant expense incurred by the Council. Budgeted capital worked for 2015-16 is $8.4million.

The occurrence and accuracy of capital expenditure may be materially misstated.

We will: • Verify a sample of capital

expenditure to supporting documentation.

• Ensure capital works approved in line with delegation policies.

• Ensure all capital works expenditure has been capitalised correctly.

5.2.3 Audit risks relating to the performance statement The following table summarises the key audit risks relating to the Performance Statement and our audit procedures in relation to each risk.

Table: Audit risks relating to the Performance Statement

Risk condition Consequence Audit procedure Performance statement The performance statement contains financial and non-financial data. Financial systems are predominantly established to capture financial data. Systems may not capture the non-financial data required to support figures in the performance statement.

The performance statement may not be prepared in accordance with legislative requirements. Incomplete and/or inaccurate data due to inadequate systems may result in material misstatements. A lack of quality assurance over the preparation of the performance statement may also result in material misstatements.

We will: • review the systems in place to

capture the financial and non-financial data

• if no systems are in place, we will determine the adequacy of the records used for compiling performance statement information and the soundness of data compiled



7

Risk condition Consequence Audit procedure • check the calculations and

assess the reasonableness of explanations included in the report of significant variations

• review the performance statement for compliance with legislative requirements.

5.2.4 Risk from fraud, irregularities or regulatory non-compliance The Council, chief executive officer and senior management have responsibility for maintaining internal controls that prevent or detect fraud or error, and assuring regulatory compliance. The Audit Committee and VAGO should be informed by management of any actual or suspected fraud or material errors.

We are not responsible for preventing or detecting fraud. However, we are required to consider the risk of material misstatement due to fraud when performing our risk assessments.

The Audit Act 1994 requires us to notify the Independent Broad-based Anti-corruption Commission (IBAC) where we become aware of any matter that appears to involve corrupt conduct by a public official. If we need to notify IBAC, this will override the existing confidentiality provisions in the Audit Act 1994.

Aside from the required standard risk due to management override of controls (as detailed in Section 5.2.2), we did not identify any further areas of material fraud risk or exposure, or regulatory non-compliance.

5.2.5 Other areas of audit focus In addition to the audit responses to specific financial report risks outlined in Section 5.2.2, we include the following areas of focus in all of our financial statement audits.

Waste, probity and financial prudence In forming an opinion on the financial report, consistent with the Audit Act 1994 Section 3A (2), we consider waste, probity and financial prudence in relation to the management and application of public resources.

If we identify issues relating to waste, probity and financial prudence they will be reported to the governing body and management and may also be included in a report to Parliament.

Accounting policies It is important that those charged with governance understand the accounting policies used by management in the preparation of the financial report.

At this time, we are not aware of any other accounting policy changes or any policies which we would consider inappropriate for the circumstances of the entity.

5.3 Planned audit testing of material components 5.3.1 Overview of audit testing The table below provides an overview of our risk assessment and planned approach for each of your entity's material financial statement components. The planned audit approach, which is based on the most effective balance of internal controls testing and substantive audit procedures, may change to respond to new or emerging risks arising during the audit. Where we have indicated that we plan to place reliance on controls, we need to gather evidence as to their operating effectiveness.

Table: Planned approach



8

Material component 2015-2016 Budget ($ million)

Inherent risk assessment(H/M/L)

Controls reliance (Y/N)

Internal audit reliance (Y/N)

Planned reliance on substantive audit procedures (H/M/L)

Income ($27.7m) Rates and Charges ($15.2m) L Yes No L User Fees ($1.5m) M Yes No L Grants ($10.2m) L Yes No L Other ($0.8m) M Yes No L Expenditure ($25.9m) Employee Benefits ($10.8m) M Yes No L Materials and services ($7.5m) L Yes No L Depreciation ($7.2m) M No No M Other ($0.4m) L Yes No L Assets ($181.0m) Cash and cash equivalents ($7.9m) M Yes No M Receivables ($1.4m) L Yes No L Assets held for resale ($1.2m) M Yes No M Property, Infrastructure, Plant and Equipment ($168.9m) M Yes No M

Investment property ($1.6m) M Yes No M Liabilities ($7.3m) Payables and Trust Funds ($1.6m) L Yes No L Employee Benefits ($2.7m) M No No M Loans and Borrowings ($3.0m) M Yes No M Equity/Capital ($173.9m) Reserves ($97.9m) L No No L Accumulated Surpluses ($76.0 m) L No No L Notes to the accounts Related parties and responsible persons M Yes No M Other note disclosures L No No M Statement of capital works M No No M

5.3.2 Internal controls Internal controls are systems, policies and procedures that help an entity reliably and cost effectively meet its objectives. Sound internal controls enable the delivery of reliable, accurate and timely external and internal reporting.

An entity's governing body is responsible for developing and maintaining its internal control framework to enable:

• preparation of accurate financial records and other information • timely and reliable external and internal reporting • appropriate safeguarding of assets • prevention or detection and correction of errors and other irregularities.

The annual financial audit enables the Auditor-General to form an opinion on an entity’s financial report. An integral part of this, and a requirement of Australian Auditing Standard ASA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment, is to assess the adequacy of an entity’s internal control framework and governance processes related to its financial reporting. While this understanding has a significant impact on our audit strategy, our audit of your financial report is not designed to assess, nor do we provide an opinion on, the effectiveness of internal controls.



9

We focus on the internal controls relating to financial reporting and assess whether your entity has managed the risk that the financial statements will not be complete and accurate. Poor controls diminish management’s ability to achieve the entity’s objectives and comply with relevant legislation. They also increase the risk of fraud.

During our planning procedures we gained an understanding of the following components of internal control:

• control environment • risk assessment procedures • information systems • control activities • monitoring procedures.

Our preliminary assessment of the internal control framework determined that the internal controls are likely to be effective in preventing or detecting and correcting material misstatements in the financial report. As such, we plan to place reliance on the key internal controls relating to the material components in Section 5.3.1 to support our audit opinion.

Sector-wide reviews of internal controls We examine and often test the internal controls operating over the most significant and high-risk balances each year. Other internal controls are assessed each year, but tested less frequently.

Section 16 of the Audit Act 1994 empowers the Auditor-General to report to Parliament on the results of audits, including the results of our reviews of internal controls related to the financial reporting responsibilities of the

The area of focus for reporting to Parliament on the 2016 year is on asset valuations.

We intend to report the results of these reviews in our report to Parliament entitled Local Government: 2015–16 Audit Snapshot scheduled for tabling in November 2016.

5.3.3 Management representations As part of our evidence gathering procedures and consistent with the Australian Auditing Standards, we will request explicit management representations relating to a number of matters. The management representation letter will need to be signed prior to the date of certification of the financial report.

5.4 Materiality, audit adjustments and unadjusted differences

Our audit work is planned to provide reasonable, rather than absolute assurance, that the financial report is free from material misstatement. A matter is considered material if its omission or misstatement could, individually or collectively, influence the economic decisions of users taken on the basis of the financial report.

Assessing materiality is a matter of professional judgement and includes consideration of the nature and amount of the misstatement and our perception of the financial information needs of the users of the financial report. In this context, it is reasonable for us to assume that users:

• have a reasonable knowledge of business, economic activities and accounts • have a willingness to study the information in the financial report with reasonable diligence • understand that financial reports are prepared, presented and audited to levels of materiality • recognise the uncertainties inherent in the measurement of amounts based on the use of estimates,

judgement and the consideration of future events • will make reasonable economic decisions on the basis of the information in the financial report.



10

The concept of materiality is applied in both planning and performing the audit and in evaluating the effect of identified misstatements (and uncorrected misstatements, if any) on the audit of the financial report. When applying planning and performance materiality we will make judgements about the size of misstatements that will be considered material. These judgements provide a basis for:

• determining the nature, timing and extent of risk assessment procedures; • identifying and assessing the risk of material misstatement • determining the nature, timing and extent of further audit procedures.

The materiality determined at the planning stage does not necessarily establish an amount below which uncorrected misstatements, either individually or in aggregate, will be considered as immaterial.

We may identify amounts that we believe should be recorded differently in the financial report. In accordance with ASA 450 Evaluation of Misstatements Identified During the Audit, we shall communicate on a timely basis all misstatements, other than those that are clearly trivial1, accumulated during the audit with the appropriate level of management. Further, to promote better practice in financial reporting and public accountability we will request that all misstatements, other than those that are clearly trivial, are corrected in the financial report.

We will provide management with a summary of all audit identified differences in our closing report.

6 Audit administration

6.1 Engagement team and how to contact us We have structured our team to achieve an appropriate skill and experience mix on the audit. The main team members on this audit include:

Name Position Role Contact Financial audit John Findlay Engagement

leader Client relationship manager. Responsible for the audit engagement and its performance.

[email protected] 5304 5745 or

0400 683 977

Tim Loughnan VAGO Sector Director

Sign audit opinion. Responsible for the direction, supervision and performance of the audit service provider

[email protected] 8601 7086 or 0408 277 917

Kate Richardson

Team Senior Direct and supervise audit team.

[email protected] 5304 5722 0419 342 412

Deb Main Team member Performs audit procedures assigned.

[email protected] 5304 5764 0438 631 702

The VAGO Sector Director will sign the audit opinion.

6.2 Key milestones For an orderly audit and to assist the Council achieve its financial reporting targets, planned audit visits and deliverables have been agreed with management in line with the following important dates.

Table: Key deliverables

1 ‘Clearly trivial’ is not another expression for ‘not material.’ Matters that are clearly trivial will be of a wholly different (smaller) order of magnitude than materiality determined in accordance with ASA 320, and will be matters that are clearly inconsequential, whether taken individually or in aggregate and whether judged by any criteria of size, nature or circumstances. When there is any uncertainty about whether one or more items are clearly trivial, the matter is considered not to be clearly trivial. (ASA 450, paragraph A2.)



11

Deliverable Date Responsibility Before balance date Audit strategy issued 18 March 2016 VAGO Audit strategy circulated and discussed at the audit committee meeting

7 June 2016 VAGO

Interim audit visits • controls testing

2 May 2016

Council/VAGO

Interim audit management letter issued 24 May 2016 VAGO ‘Shell’ accounts submitted to audit for review May 2016 Council Feedback on ‘shell’ accounts Jun 2016 VAGO After balance date Balance sheet reconciliations and year end supporting schedules completed and available for audit

1 August 2016 Council

Complete draft financial report submitted to audit after being subjected to internal quality assurance


Draft performance statement, with supporting schedules, submitted to audit after being subjected to an internal quality assurance


Closing report issued 31 Aug 2016 VAGO Auditor's opinion recommendation to audit committee 31 Aug 2016 VAGO Financial report and performance statement and management representation letter signed

31 Aug 2016 Council

Audit opinion signed 31 Aug 2016 VAGO Final management letter issued 31 Aug 2016 VAGO Annual Report – printer’s proof to be provided to audit Late Aug 2016 Council/VAGO

6.3 Audit fee estimate Section 10 of the Audit Act 1994 requires the Auditor-General to charge an amount which is sufficient to defray the reasonable costs and expenses incurred in conducting an audit of the financial statements and performance statements of an entity.

The estimated audit fee for the year ending 30 June 2016 was determined in light of the expected level and range of resources applied to the audit, commensurate with the audit risks and complexity of the assignment.

Changes to the audit strategy, such as the identification of other significant issues which impact on the nature and extent of planned audit procedures, have the potential to increase the audit fee. Other matters that may have an impact on our fees include:

• key milestones are not met by the agency • agency's accounting records which support the financial report do not meet appropriate standards or not

provided on a timely basis • standard and timeliness of internal audit work do not meet our requirements • limited availability of key agency staff.

We will discuss with management anticipated variations of our fee at the earliest opportunity.

VAGO will advise you directly of the estimated audit fee via a separate audit fee letter. The audit fee will be billed progressively based on work completed.



12

6.4 Occupational Health and Safety obligations VAGO recognises its responsibilities to observe, implement and fulfil its obligations under the Occupational Health and Safety Act 2004 (the Act). Similarly, the Council is required to fulfil the obligations set out by the Act. These include, but are not limited to:

• the requirement that persons other than employees of the employer are not exposed to risks to their health or safety

• maintaining any workplace under its control in a safe and healthy condition • providing equipment and facilities which will maintain the health, safety and welfare of all occupants • having arrangements for the safe use of equipment in place and monitored • having an active process of consulting on occupational health and safety matters in place • ensuring safe and healthy systems of work are in place and monitored.

6.5 Client feedback VAGO is committed to obtaining and responding to feedback received on audits conducted and the recommendations made. This process is facilitated through a Client Feedback Questionnaire to be provided to you after the completion of the audit.

7 Reports to Parliament The Constitution Act 1975 and the Audit Act 1994 provide complete discretion for the Auditor-General to report to Parliament on findings arising from audits VAGO or its service providers' conducts.

The Audit Act 1994 prohibits the Auditor-General from including in an audit report any information that would prejudice any criminal investigation or proceeding, or any IBAC or Victorian Inspectorate investigation. If at any stage prior to the report being published you become aware of any such investigation or proceeding in relation to this audit or associated report to Parliament, please notify us immediately.

7.1 Results of financial audits The results of the annual financial statement audit will be acquitted to Parliament in the Local Government: 2015–16 Snapshot Report scheduled for tabling in November 2016. Adverse references to Council in the proposed report will be subject to the procedural fairness checks as outlined in Section 16 of the Audit Act 1994.

7.2 Performance audits VAGO conducts performance audits to provide independent assurance to Parliament and the community that funds appropriated for particular activities are spent wisely and in accordance with Parliament’s expectations. A performance audit report provides an independent assessment of the area of public sector activity audited and aims to be a catalyst for continuous improvement in the accountability and performance of the public sector.

Our performance audit program is outlined in the Annual Plan posted on the publications section of our website <www.audit.vic.gov.au>.

Currently the Council is not directly involved in a performance audit.

The table below outlines the performance audits planned in consultation with the Public Accounts and Estimates Committee for tabling in 2015–16.

Table: Performance Audits



13

Title Objective Proposed tabling date Audits in Progress Local Government Service Delivery: Recreational facilities

Councils continue to face resource constraints and sustainability issues, particularly smaller councils. State-wide council community satisfaction surveys report recreational facilities as a high priority for communities. This report will include examination of identification of needs, establishment of service levels and standards, and whether specific recreational services are delivered efficiently and economically to achieve intended community outcomes.

23 March 2016

7.3 VAGO annual report 2014–15 – Key audit themes The VAGO annual report for 2014–15 was tabled in Parliament on 7 October 2015. The annual report comprises two volumes. Volume 2 of this report discussed our key themes, which are a summary of the most frequent and significant audit findings from our audit reports over recent years.

The key audit themes are:

• Oversight, monitoring and accountability • Planning for efficient and effective public sector services • Managing risks to financial sustainability • Managing risks to the public sector and community • Procurement and contract management • Measuring and reporting performance • Timely action on recommendations and reviews

Our report also includes a set of self- assessment questions for each theme, developed from the criteria applied to departments and agencies during the audit process. We invite Councils to assess their own operations against the seven audit themes and use this knowledge to improve their efficiency, effectiveness and accountability. The set of self - assessment questions have been outlined in Appendix A.

Our annual report is posted on the Reports and Publications section of our website www.audit.vic.giov.au.

8 Acknowledgments We thank you for the assistance provided by management and staff in particular, the Manager Corporate Support during the planning of our financial audit.



14

9 Appendix A – Key audit themes The following self-assessment questions are extracts from VAGO Annual Report 2014–15 Volume 2 Key Audit Themes. They are grouped against each of the seven key audit themes.

Oversight, monitoring and accountability • Does the entity have oversight mechanisms in place to monitor compliance with relevant legislation? • Do we monitor progress of other area’s / Council’s against the actions and goals in our major plans and

strategies? • How does my Council know the guidance and support we provide to Council staff is meeting the needs of

those staff? • Do we check up on compliance with our internal policies and frameworks?

Planning for efficient and effective public sector services • Are our high-level goals supported by strategies and plans with clear actions and priorities? • Do our plans include targets and indicators to help measure our progress? • Do our plans comply with applicable legislation and clearly link to the relevant statutory and government

policy and objectives? • Does our operational planning reflect an understanding of our capacity and the demand for our services?

Is this understanding informed by a sound evidence base? • Do we refresh our operational plans based on periodic analysis of both good and poor performance

across the system?

Managing risks to financial sustainability • Does my organisation have an appropriate risk management regime in place to assess and monitor

financial sustainability risks? • Are the pricing and funding models applicable to my organisation resulting in financially sustainable

revenue streams? • Is my organisation’s debt at sustainable levels? • Does my organisation have a sound basis upon which to adopt the going concern assumption for financial

reporting purposes? • Does my organisation efficiently manage its cash flows? • Is my organisation maintaining, replacing and renewing its assets as required?

Managing risks to the public sector and community • How does the entity approach compliance with the applicable Risk Management Framework / Standards? • Are our information and communications technology systems secure, with sufficient integrity and capacity

to meet our operating needs? • When we plan a major project or initiative, do we adequately consider the financial risks faced now and in

the future? • What are the risks to the community from our activities and how effectively are we monitoring and

addressing these? • Do our risk management processes prepare us for periods of peak pressure, as well as everyday

operations?

Procurement and contract management • Are our procurement policies and procedures in line with government policy and better practice? • How can we be sure that our purchases and contracts represent value for money? • Will all our procurements meet the public sector standards of honesty and integrity, and stand up to public

scrutiny? • Have we effectively used the incentives and penalties in our contracts?



15

• Do we verify important performance information provided by contractors? • Do we have the necessary assurance over the functions and controls of outsourced service providers?

Measuring and reporting performance • How do we verify the accuracy of the information in our performance reports? • Does the performance information we use cover all the key activities? • Are our indicators relevant to the activity they are intended to measure? • Do our indicators align with our goals and strategy? • Do our performance reports explain performance transparently?

Timely action on recommendations and reviews • Have we done enough to address the problems and issues we already know about? • Do our actions really address the recommendations made to us? • Do we track our actions against internal and external reviews and audits? • Do we have a process to identify and address outstanding or slow-moving actions? • Are our audit committee and management appropriately involved in monitoring progress against

recommendations? • How are reports of progress against recommendations verified?



24 May 2016 File No.:

Mr A Evans Chief Executive Officer Ararat Rural City Council PO Box 246 ARARAT VIC 3377

Dear Mr Evans

INTERIM MANAGEMENT LETTER 2015–16

The purpose of this correspondence is to bring to your attention matters arising from the audit of the financial report of Ararat Rural City Council for the year ending 30 June 2016.

During the interim phase of the audit we observed deficiencies in the design and implementation of internal controls. These are detailed in the attached Interim Management Letter. Prompt attention to these matters will assist you to mitigate the risk of misstatement in the financial statements presented for final audit.

In the prior reporting period we identified control and financial reporting issues, which were agreed to by the Ararat Rural City Council. The status of these prior period issues is detailed in the attachment.

I have also provided copies of the Interim Management Letter to Mr Paul Hooper, Mayor and Mr Homi Burjorjee, Audit Chairperson.

The assistance provided by management and staff during the course of the audit is acknowledged.

If you have any queries concerning this interim management letter, please contact one of the following:

John Findlay on 03 5304 5745 [email protected]

Tim Loughnan (VAGO) on 03 8601 7086 [email protected]

Yours sincerely CROWE HORWATH MELBOURNE

JOHN FINDLAY Partner VAGO Audit Service Provider

6.2 Interim Management Letter

Ararat Rural City Council Interim management letter 2015–16



Interim management letter

Year ending 30 June 2016


2

Contents

1 Executive Summary ..................................................................................................... 3 1.1 Purpose of the management letter ......................................................................................... 3 1.2 Scope of work performed........................................................................................................ 3 1.3 Summary of findings ............................................................................................................... 3 1.4 Management acceptance ....................................................................................................... 4

2 Detailed findings and recommendations ................................................................... 5 2.1 IT Control – Automatic Inactivity Logout ................................................................................. 5 2.2 Internal Audit of Payment Run ................................................................................................ 6

3 Prior period issues ...................................................................................................... 7 3.1 Review of payroll master file audit report ............................................................................... 7



3

1 Executive Summary

1.1 Purpose of the management letter The purpose of this management letter is to bring to your attention matters arising from the interim phase of the financial report audit of the Ararat Rural City Council for the year ending 30 June 2016.

As explained in the audit strategy issued in March 2016, the financial report audit is designed to enable the Auditor-General to express an opinion on the annual financial report and whilst the audit considered internal controls relevant to the preparation of the financial report, the audit does not express an opinion on the effectiveness of those controls.

1.2 Scope of work performed In accordance with our planned audit approach, the interim audit phase included examination of financial processes and systems supporting the following material components of the financial statements:

• Revenue • Expenditure • Payroll • IT Systems • Internal control environment

The work conducted was not a comprehensive audit of all systems and processes and was not designed to uncover all deficiencies, breaches and irregularities in those systems and processes. Inherent limitations in any management process and system of internal control may mean that errors or irregularities might occur and not be detected.

We have scheduled additional audit procedures for these key components during the final audit phase.

1.3 Summary of findings We observed deficiencies in the design and implementation of controls or other significant matters relevant to the financial reporting process during the interim phase of the audit. Prompt attention to these matters will assist the entity to mitigate the risk of misstatement in the financial statements presented for final audit.

The ratings provided in this report reflect our assessment of the likelihood and degree of a misstatement occurring due to the identified deficiency relating to:

• financial reporting, and • effective and efficient operations, including issues of probity, waste and compliance with applicable laws.

Appendix A explains the basis for the criteria used to determine ratings and includes a timetable for corrective action.

1.3.1 Current year findings The following table is a summary of the issues arising from the interim phase of the financial report audit. For further details of each issue, including management's responses, refer to section 2.

Issue reference Description of finding Rating

Extreme High Medium Low 2.1 IT Control – Automatic Inactivity Logout X 2.2 Internal Audit of Payment Run X Total 2



4

1.3.2 Prior year findings The following table is a summary of issues arising from previous audits and the status of remediation activities. For further details of each issue refer to Section 3.

Issue reference Description of finding Risk rating Issues raised Status 3.1 Review of payroll master file audit report Low May 2014 Closed

1.4 Management acceptance All findings have been discussed with management. Action plans have been developed by management to address each recommendation.



5

2 Detailed findings and recommendations This section outlines the observation, implication, recommendation and management comments and action plans for each audit finding.

2.1 IT Control – Automatic Inactivity Logout

Rating: Low

2.1.1 Observation During the review of IT controls, we noted that the automatic inactivity logout occurs after 10 minutes for all employees logged in on the virtual desktops. During this processes we identified two computers located within Finance which are not in use of the virtual desktops and therefore no automatic inactivity logout occurs.

2.1.2 Implication Increased risk of unauthorised personnel being able to access information stored in the IT system.

2.1.3 Recommendation We recommend that the Council review the IT controls surrounding the automatic inactivity logout time for computers not in use for the virtual desktops, to ensure that this control is effective and complies with management’s designated timeframes.

2.1.4 Management comments and action plan

Recommendation accepted: Yes No

Responsible officer: Manager Assets & Information Technology

Implementation date: Will be completed by August 31, 2016 (refer DAFCS).

Management comment and action plan: A “Microsoft policy” change has been implemented within Council’s ICT systems to automatically force a password screen saver to activate after 10 minutes of inactivity.



6

2.2 Internal Audit of Payment Run

Rating: Low

2.2.1 Observation During our review of expenditure controls, we had identified that the completion of “internal audit of payment run” form by a staff member independent of the payment process had ceased to continue following the implementation of the IT expenditure approval process within Open Office.

2.2.2 Implication Increased risk of inaccurate or fraudulent transactions occurring.

2.2.3 Recommendation We recommend that the Council re-evaluates the decision to cease the process of conducting monthly internal audit of payment runs of expenditure approvals with a view to re-instating this internal control process.



Responsible officer: Manager Corporate Support

Implementation date: May 2016

Management comment and action plan: Council will re-evaluate the decision to cease the process of conducting monthly internal audit of payment runs.



7

3 Prior period issues This section outlines the current status of management actions to address the audit recommendation from the prior period audit.

3.1 Review of payroll master file audit report

Rating: Low

Status: Closed

3.1.1 Observation The review of the Payroll Master File Audit Report is one of the most important controls in relation to payroll in deterring and detecting fraudulent alterations that could potentially be made.

In conducting controls testing over payroll, we observed that the Payroll Master File Audit Reports from 1/6/13 to 30/6/13 were checked on 6/8/13. All monthly reports after this date lacked proper evidence that an appropriate review had been completed.

3.1.2 Implication Lack of master file review will reduce the chances that unreasonable or fraudulent alterations to employee payroll details will be detected.

3.1.3 Recommendation Audit master file changes reports should be independently reviewed when prepared to ensure that all changes made to the master file are reasonable. Reviewer should also sign and date the report to indicate that the review has been completed.



Responsible officer: Brady Curran – Manager People & Culture

Implementation date: June 2015

Management comment and action plan: Processes have been implemented to review and sign off on the payroll master file report.

3.1.5 Current status of management action plan

Status: Closed

Audit Comment: During our audit visit held in May 2015, we confirmed that a “payroll audit report” has been created within the system and is being produced on monthly basis which is reviewed in a timely manner by the People and Culture Officer. Audit confirms that the above issue has been satisfactorily addressed.



8

Appendix A – Rating definitions The rating of audit issues in this report reflects our assessment of both the likelihood and consequence of each identified issue in terms of its impacts on:

• the effectiveness and efficiency of operations, including probity, propriety and compliance with applicable laws

• the reliability, accuracy and timeliness of financial reporting.

The rating also assists management in its prioritisation of remedial action.

We may include extreme, high or moderate rated issues in our reports to Parliament on the results of financial statement audits.

Table: Rating definitions and management action

Rating Definition Management action required Extreme The issue represents:

• a control weakness which could cause or is causing severe disruption of the process or severe adverse effect on the ability to achieve process objectives and comply with relevant legislation; or

• a material misstatement in the financial report has occurred.

Requires immediate management intervention with a detailed action plan to be implemented within one month. Requires executive management to correct the material misstatement in the financial report as a matter of urgency to avoid a modified audit opinion.

High The issue represents: • a control weakness which could have or is

having a major adverse effect on the ability to achieve process objectives and comply with relevant legislation; or

• a material misstatement in the financial report that is likely to occur.

Requires prompt management intervention with a detailed action plan implemented within two months. Requires executive management to correct the material misstatement in the financial report to avoid a modified audit opinion.

Medium The issue represents: • a control weakness which could have or is

having a moderate adverse effect on the ability to achieve process objectives and comply with relevant legislation; or

• a misstatement in the financial report that is not material and has occurred.

Requires management intervention with a detailed action plan implemented within three to six months.

Low The issue represents: • a minor control weakness with minimal but

reportable impact on the ability to achieve process objectives and comply with relevant legislation, or

• a misstatement in the financial report that is likely to occur but is not expected to be material, or

• an opportunity to improve an existing process or internal control.

Requires management intervention with a detailed action plan implemented within six to 12 months.


Assets, Finance & Corporate Services (Asset Management)

Council has an asset management system and asset management framework under constant review and development which provides monitoring and reporting functions against Council's assets.

Completed 100%31/05/2016 00:00:00

VAGO End FY 2013 Report

That Council develops and implements comprehensive asset management monitoring, reporting and evaluation systems, and publicly report their progress and performance against plans and strategies, including against capital works budgets.

24/06/2014 00:00:00

Resolution Number 2382

461

Corporate Strategy, Risk & Governance (People & Culture)

An asset review was undertaken of the "Eagles Clubrooms" at Alexandra Oval. Council has resolved to retain this building. Sale of an allotment at Caledonian Court and of the industrial building at Gordon Street has completed the requirement of the rationalisation review. In addition to this, preparation work is underway for the hand back of Rocky Point Hall to the Department of Environment, Land, Water and Planning.

Completed 100%31/10/2016 00:00:00

2015-01 Customer Request Management AND 2015-02 Long Term Financial Planning

Each year Council conduct a formal asset rationalisation review for (at minimum) two assets.

23/06/2015 00:00:00


837

Assets, Finance & Corporate Services (Contracts & Procurement), Corporate Strategy, Risk & Governance (People & Culture)

The Vehicle Policy (A.3.1) has been reviewed and draft revision prepared for consultation prior to adoption.

Completed 100%31/03/2016 00:00:00

2015-05 Fleet Management Audit

Review its vehicle purchasing process to increase consistency of vehicle allocations, and limit cost.

15/09/2015 00:00:00


852

Assets, Finance & Corporate Services (Asset Management), Assets, Finance & Corporate Services (Finance), Council Services (Operational Services)

Council currently has a capital program delivery framework, which meets Council's needs.

Completed 100%30/12/2016 00:00:00

2015-03 Capital Program Delivery Framework

Implement and document a Capital Program Delivery Framework aligning to best practice to effectively manage associated risk;

15/09/2015 00:00:00


854


Detailed road condition data and forward works projections were reported tothe Council Assembly held on 1 March 2016.

Completed 100%30/11/2015 00:00:00


Develop a renewal gap report and a corresponding Forward Works Program report for all Council-owned roads be reported to Council by 30 November 2015

15/09/2015 00:00:00


857

ARCC Report Run by

Tuesday, 31 May 2016 1

Directorate & Business Unit

Officer Update Task ProgressTask Due Audit Reference

Task Council Meeting Date

Resolution Number Task no.

Council Audit Actions Report Pages 3 of Report Run on

7.1 Audit Review Update June 2016


A renewal gap report was presented to an Assembly of Council in March 2016.

Completed 100%30/11/2016 00:00:00


Develop a renewal gap report and a corresponding Forward Works Program report for pathways, kerb & channel, bridges, storm water and buildings asset classes - to be reported to Council by 30 November 2016

15/09/2015 00:00:00


858


Performance measures for Capital Program Delivery are established via Council resolutions and the CEO's annual performance review. The current measure (2015/16) is that at least 85% of the program must be delivered in the current financial year.

Completed 100%30/11/2016 00:00:00


Council establish performance measures for all services involved in Capital Program Delivery

15/09/2015 00:00:00


862

Council Services (Operational Services)

ARCC currently has business processes in place to analyse utilisation and usage of major plant and equipment.

Completed 100%1/12/2016 00:00:00

2015-07 Major plant and equipment

Develop a new business process to regularly analyse utilisation and usage costs of major plant post purchase and to compare the results of this analysis with alternatives such as dry/wet.

8/12/2015 00:00:00


951


Developed and in use . Has been utilised 4 times to date . Completed 100%31/03/2016 00:00:00


Develop a new business process that requires a business case be developed prior to the purchase of all major plant and equipment.

8/12/2015 00:00:00


952


Work has commenced on updating Council's existing Asset Management Strategy document, and this will be reported to Council in November 2015. This document describes a 3-year plan that will upgrade Council’s asset management systems and processes to accurately capture, retain and utilise asset-related data across all asset classes. Processes are being developed to quantify the asset renewal gap, produce forward works programs to close the gap, and submit budget applications to fund such programs.

In Progress 51-99%31/03/2016 00:00:00


That Council, as a priority, develop a strategy for more effectively reducing their asset renewal gaps.

24/06/2014 00:00:00


457


Work is progressing towards the development of a PMO Service which is largely aligned with the PRINCE2 standard. This service will support projects of varying sizes, including those associated with Capital Program Delivery.

In Progress 51-99%31/05/2016 00:00:00


Develop a project management framework (for all) Ararat Rural City Council which is aligned to best practice principles.

24/06/2014 00:00:00


495

ARCC Report Run by






Council Business Pending Report Pages 3 of Report Run on



Documentation reflecting an implementation process is currently under development.

In Progress 0-50%31/10/2016 00:00:00

2015-01 Customer Request Management AND 2015-02 Long Term Financial Planning

Each year Council conduct at least two formal service level reviews to identify efficiency gain opportunities and ultimate budget savings; and

23/06/2015 00:00:00


838


A review has commenced. Opportunities for employees to contribute to council owned vehicles will be considered with the current enterprise agreement negotiation process due for completion in October 2016.

In Progress 0-50%31/05/2016 00:00:00

2015-05 Fleet Management Audit

Review the Auditor’s recommendation regarding employee vehicle contributions.

15/09/2015 00:00:00


853


Work has commenced on developing a PMO Service under the new Service Excellence Framework, which includes a process to establish project contingencies and make reference to the Procurement Policy, which in turn defines delegations for project cost variations.

In Progress 0-50%27/06/2016 00:00:00


Ensure Council’s Project Management Office (PMO) service clearly defines the processes required for establishing project contingencies, and that it makes reference to the Procurement Policy regarding approval of project cost variations

15/09/2015 00:00:00


856


The existing procurement policy will be updated to specifically reference heavy plant disposal.

In Progress 51-99%30/06/2016 00:00:00


Develop a business process that appropriately documents agreed asset disposal processes;

8/12/2015 00:00:00


956

ARCC Report Run by






Council Business Pending Report Pages 3 of Report Run on


31 May 2016 Ref No.: 977276_1

Private and Confidential Homi Burjorjee Audit Committee Chair Ararat Rural City Council PO Box 246 ARARAT VIC 3377 Dear Homi 2016‐01 Fraud Prevention and Detection Strategies We have recently completed our internal audit of the fraud prevention and detection strategies at Ararat Rural City Council. I now present our report for your attention. Yours sincerely

Brad Ead AFS & Associates Pty Ltd

7.2 Fraud Prevention and Detection Strategies June 2016

Contents


2016‐01 Fraud Prevention and Detection Strategies

April 2016


Contents

1 Executive summary.................................................................................................................................. 1

Objective ..................................................................................................................................................... 1

Conclusion ................................................................................................................................................... 1

Areas of strength ......................................................................................................................................... 1

Opportunities for improvement .................................................................................................................. 1

2 Internal audit introduction ..................................................................................................................... 2

Scope ........................................................................................................................................................... 2

Risk rating methodology ............................................................................................................................. 2

Approach ..................................................................................................................................................... 3

3 Detailed observations and recommendations ................................................................................... 4

Background.................................................................................................................................................. 4

Fraud control plan ....................................................................................................................................... 5

Fraud risk assessments ................................................................................................................................ 7

Fraud awareness training and induction ................................................................................................... 10

Monitoring and reporting, and scrutiny by management and audit ........................................................ 11

Pre‐employment screenings ..................................................................................................................... 11

Fuel cards .................................................................................................................................................. 12

Other VAGO recommendations ................................................................................................................ 12

Appendix 1 – Template Fraud Control Plan .............................................................................................. 14

Appendix 2 – Risk rating matrix and likelihood definitions ....................................................................... 20


Internal audit report 2016‐01– Fraud Prevention and Detection Strategies

1. Executive summary

AFS & Associates Pty Ltd April 2016 1

Objective

The objective of the internal audit was to identify whether Council has a fraud prevention and detection framework in place that materially aligns to best practice.

Conclusion

While Ararat has a Fraud Prevention Policy, specific fraud risks are not regularly assessed. There is opportunity for Ararat to develop a Fraud Control Plan that will help guide and improve their fraud risk management framework. The Code of Conduct should be provided to contractors and volunteers before commencing work also.

Areas of strength

Protected disclosure procedures are identified on Ararat's website and detail who a protected disclosure can be made to.

Ararat has a staff Code of Conduct which complies with the Local Government Act 1989 (the Act). Police checks are conducted for all new employees in accordance with the Security Check Policy. Ararat has robust pre‐employment screening processes in place. Fraud Awareness Training is provided within yearly Policy Education training to all Council staff.

Opportunities for improvement

3.2 Ararat does not have a Fraud Control Plan in place. We recommend Ararat develop and adopt a Fraud Control Plan.

Low

3.2 We recommend Ararat review the Fraud Prevention Policy (overdue for review since October 2014).

Low

3.2.1 We recommend Ararat review the Protected Disclosures Policy in line with the timeframe within the policy.

Low

3.2.2 We recommend the Code of Conduct is provided to contractors and volunteers. Low

3.3 We recommend fraud risk assessments are conducted in line with regular risk assessments within Ararat’s risk management framework.

Low

3.7

Controls to monitor the use of Ararat’s fleet petrol cards for private purposes were inadequate. We recommend a reasonableness test is conducted on the fleet cars’ kilometres travelled against the fuel consumed per month. Any large variances will indicate if fuel has been purchased for private use of other vehicles.

Low



2. Internal audit introduction


Scope

The scope of the audit included assessing: whether a Fraud Control Plan is in place if periodic and comprehensive assessments of the entity's fraud risks is occurring documented policies and procedures for dealing with suspected fraud exist including whistle‐blower's

protection (protected disclosures) regular fraud awareness training is occurring a sound ethical culture is supported by the code of conduct dedicated controls for activities with high fraud risk exposure are in place. In addition, we performed a gap analysis against recommendations in VAGO's report Fraud Prevention Strategies in Local Government. Our review was conducted Monday 4 and Tuesday 5 April 2016.

Risk rating methodology

The following is a visual diagram of the residual risk rating that could be given based on our assessment:

Figure 1: Risk rating matrix Ararat’s risk rating matrix which has been used throughout our assessment.

The rating scale definitions are explained in Appendix 2 – Risk rating matrix and likelihood definitions.





Approach

The review was conducted primarily by applying discussion, observation and review techniques. The approach incorporated: discussions with the following staff:

- Director Assets, Finance & Corporate Services - Manager Corporate Support - Manager People & Culture - Director Corporate Strategy, Risk & Governance - Manager, Business Compliance Framework - Chief Executive Officer - Contracts and Procurement Officer

review of policies and procedures surrounding: - fraud prevention - fraud reporting

an assessment of training and awareness undertaken consideration for protected disclosure management a gap‐analysis against recommendations made within the Victorian Auditor‐General's report Fraud

Prevention Strategies in Local Government making reference to IBAC’s A review of integrity frameworks in six Victorian Councils.



3. Detailed observations and recommendations


3.1 Background Fraud is deliberate deception by an individual to secure unfair or unlawful benefits. VAGO conducted a review of fraud management within five local councils during 20121, and made nine recommendations within the audit report. These recommendations related to: the development of a Fraud Control Plan conducting periodic fraud risk assessments providing induction and periodic fraud awareness training to all council staff systematically monitoring and reporting on the effectiveness of fraud control strategies arrangements to ensure ongoing scrutiny by executive management, internal audit and audit

committees of the effectiveness of the fraud control framework establishing effective pre‐employment screening processes effective preventative or compensating controls for account payable systems maintaining accurate and up to date asset registers systematically reviewing all internal control systems to ensure they adequately prevent, deter and

detect major frauds. To minimise the occurrence of fraud within Council, a robust fraud management framework should be implemented to help guide prevention, detection and responses to fraud. The following figure shows the key elements of an effective fraud control framework:

Figure 1: key elements of an effective fraud control framework, taken from VAGO's Fraud Prevention Strategies in Local Government 2012 report

1 Victorian Auditor‐General's Fraud Prevention Strategies in Local Government 2012





We performed an analysis of the current fraud management framework in place at Ararat Rural City Council (Ararat) and the recommendations within the VAGO report.

3.2 Fraud control plan Ararat does not have a Fraud Control Plan in place. Whilst a Fraud Prevention Policy is in place which details the fraud risk assessment and reporting processes as well as identifying controls such as obliging staff to safeguard council assets against theft and misuse, as recommended in the IBAC report2. However its effectiveness is at risk due to the absence of a defined Fraud Control Plan. A Fraud Control Plan sets the strategies to help detect and minimise the impact and occurrence of fraud, including: details of policy reviews fraud risk assessments and how often they are to be completed fraud awareness training induction procedures. An example Fraud Control Plan has been provided in Appendix 1. In developing the Fraud Control Plan, Ararat may consider distributing an IBAC survey to offers to complete to help identify fraud awareness and weaknesses. This is available upon request from IBAC directly. Contact [email protected]. The last time the Fraud Prevention Policy was reviewed was in October 2010. It was due for review in October 2014. We recommend a Fraud Control Plan is drafted and adopted by Council. In addition, when the Fraud Control Plan is adopted, the Fraud Prevention Policy should be reviewed in light of this.

2 Independent broad‐based anti‐corruption commission’ A review of integrity frameworks in six Victorian councils 2015





AFS recommendation

Low We recommend Ararat develop and adopt a Fraud Control Plan aligned with better practice.

Management comment

Owner Comment Completion date Director Corporate Strategy, Risk & Governance

The Executive Leadership Group agrees with this recommendation. Council will develop a Fraud Control Plan aligned with Local Government sector Best Practice and include as an Associated Document to the newly revised and updated Fraud Prevention Policy (C.1.12). Education on both documents will be conducted by the People and Culture team for existing employees and be included as part of the Organisational Induction Process for new employees following Council endorsement at the June 2016 Council Meeting.

28 June 2016

Low We recommend Ararat review the Fraud Prevention Policy.

Management comment

Owner Comment Completion date Director Corporate Strategy, Risk & Governance

The Executive Leadership Group agrees with this recommendation. Current ownership of the Fraud Prevention Policy (C.1.12) is with the Assets, Finances & Corporate Services Directorate. The Corporate Strategy, Risk & Governance Directorate will take ownership and review, amend and place the new policy document up to Council for endorsement at the June 2016 Council Meeting. Education on both the Fraud Prevention Policy and the Fraud Control Plan will be conducted by the People and Culture team for existing employees as a part of employee refresher training and be included as part of the Organisational Induction Process for new employees.

28 June 2016

3.2.1 Protected disclosures Ararat is required by the Protected Disclosure Act 2012 (The Protected Disclosures Act) to have a Protected Disclosures Policy to ensure people are able to make disclosures about improper conduct within the public sector without fear of their identity being compromised.





We reviewed Ararat's Protected Disclosures Policy and found this provided adequate information on how a protected disclosure can be made. This is in accordance with IBAC's Protected Disclosure Procedures: a checklist for entities receiving disclosures. Additionally, a fact page on the Council website exists; ensuring members of the public also have access to information on how to make a protected disclosure. However, the Protected Disclosures Policy was due for review in August 2015. This has not been reviewed since 2013. We recommend the Protected Disclosures Policy is reviewed in line with the timeframe permitted by the policy.

AFS recommendation

Low We recommend Ararat review the Protected Disclosures Policy in line with the timeframe within the policy.

Management comment

Owner Comment Completion date Manager People and Culture

The Executive Leadership Group agrees with this recommendation. The Protected Disclosures Procedure (P.1.21) will be reviewed and communicated to employees by 29 July 2016 as a part of employee intranet implementation and employee policy refresher training in June 2016.

29 July 2016

3.2.2 Code of conduct The Protected Disclosures Act requires Ararat to implement a Code of Conduct for Council staff. IBAC also recommends the staff Code of conduct is published on Ararat’s website. This aims to demonstrate a good culture of governance, making staff accountable to the community. We found no evidence of this on the website; however the Councillor Code of Conduct was available. We reviewed Ararat's Code of Conduct and found it was consistent with the requirements of the Act. The Code of Conduct specifically states that it applies to all employees, while contractors and volunteers are expected to behave in a manner consistent with the principles of the Code of Conduct. We further noted the Code of Conduct is provided for all new staff upon induction, with the exception of volunteers and contractors. Volunteers undertake induction with their Team Leader, which varies depending on the team in which the volunteer is working. We reviewed the Volunteer Staff Training Checklist, new volunteer information and position description for volunteers, and noted the Code of Conduct is not provided in these documents. While contractors undertake inductions with the contract managers covering safety and other matters, not being provided with a Code of Conduct reduces the assurance that contractors understand what constitutes fraudulent behaviour and what action to take in respect of a suspected fraud. IBAC recognise contractors and volunteers as intrinsically linked to an organisation and therefore should behave in alignment with the expected norms. Ararat must ensure that everyone who is expected to comply with the code is explicitly covered by the code. As such Ararat need to provide and obtain acknowledgement of receipt and reading from contractors and volunteers.





AFS recommendation

Low We recommend providing the Code of Conduct to contractors and volunteers as part of induction.

Management comment

Owner Comment Completion date Manager People and Culture

The Executive Leadership Group agrees with this recommendation. As a part of the current review into Council’s Volunteer Management System, the People and Culture team will update relevant policies, procedures and volunteer induction process to include volunteer acknowledgement and understanding of Council’s Employee Code of Conduct by July 29 2016.

29 July 2016

Manager, Assets and Procurement

Council’s Procurement Officer will develop a Contractor Code of Conduct document, and this will be included in the “Contractor Pack”, which is issued to new contractors when they are added to any of Council’s Preferred Supplier Panels.

29 July 2016

3.3 Fraud risk assessments The fraud standard AS 8001 – 2008 Fraud and Corruption Control, recommends a preliminary assessment of fraud and corruption should be completed on order to better scope Ararat’s future fraud control program. The standard also recommends fraud risk assessments should be conducted at least every two years to identify, rate and seek to prevent fraud risk exposures. The fraud and corruption risk assessment should be conducted in accordance with AS/NZS 4360:2004, which follows a seven stage process of risk assessment, the main elements are: Communicate and consult Establish the context Identify risks Analyse risks Evaluate risks Treat risks Monitor and review. Some specific factors that contribute to fraud risks are: Access and override of system controls Data integrity System security Ability to steal/distribute sensitive business information Ability to conceal.





Specific fraud risks include: Accounts payable fraud Payroll Fraud Financial reporting (reporting misleading information) Management estimates (i.e. altering ageing of account receivable, or lowering a liability) Misappropriation of assets (including cash/inventory/plant and equipment and intellectual property) Corruption. Ararat have no master risk register for fraud. No fraud‐specific risk assessments have occurred. Currently, operational risks are held within a separate risk register system than strategic risks. Strategic risk is contained within the Risk Wizard system which is under the responsibility of the Corporate Strategy, Risk and Governance department. Operational risks are to be controlled within the Service Excellence Framework system due to go live in May 2016. Operational risks will be owned by each service provider or department head. Without a specific fraud risk assessment, fraud management strategies may not be targeted at Ararat's weakest fraud risk areas. Potential fraudulent activities may not be adequately detected and prevented. Periodic fraud risk assessments will ensure identification and effective management of all major fraud risk exposures. We recommend a fraud‐specific risk assessment is conducted in line with regular risk assessments. The draft Fraud Control Plan should set out how and when fraud risk assessments are to be completed within each department at Ararat.





AFS recommendation

Low We recommend fraud risk assessments are conducted in line with regular risk assessments within Ararat’s risk management framework.

Management comment

Owner Comment Completion date Manager Business Compliance and Performance

The Executive Leadership Group does not support this recommendation. Council’s new Services Framework requires that each Service Owner considers operational risks across 6 aspects, including:

financial, social, environmental, health & safety, reputation and political Furthermore, all services within the Framework have a Service Sponsor who is responsible for reviewing and approving key elements of each Service, including the correct identification and evaluation of all risks within and to the service. Fraud is primarily a financial risk; however it also impacts Council’s social standing, reputation and political relationships. The classifications within our Service Framework account for each of these important aspects. Finally, any residual risks within the Service Framework that exceed certain threshold within each classification are automatically escalated. For example, high residual Financial Risks are escalated to our Manager, Corporate Support. Beyond that, risks may also be further escalated for consideration by our Risk Manager and then treated as Strategic Risks (i.e. tracked in the Risk Wizard system).

Not applicable

3.4 Fraud awareness training and induction Training at induction and regular refresher training ensures all staff become aware of fraud risk and understands their responsibilities in helping control fraud risk. During induction, all staff receive the Fraud Prevention Policy for review and sign off. When received and signed off, a checklist is completed to keep a record of this.





Policy refresher training occurs yearly. Training was last provided in May 2015, with the next training session due in May 2016. We confirmed the content of the training includes detail of fraud risk and identifiers of fraud. We reviewed the details of the last training session conducted and noted it had been provided to all staff (as evidenced by attendance records), and covered examples of fraud and the need to report instances of fraud. No matters noted.

3.5 Monitoring and reporting, and scrutiny by management and audit Monitoring and reporting on the adequacy of Ararat's fraud control framework ensures evaluation of the framework occurs and drives continual improvement. Ararat’s Fraud Prevention Policy outlines the steps in which employees who suspect fraud have an obligation to report it, by notifying either one of the following: Manager of Corporate Support Manager / Supervisor General Manager of Corporate Services Chief Executive Officer. The policy also outlines the fraud investigation process. There have been no reports of fraud to the executive leadership group, or the audit committee over the past two years. VAGO have recommended that internal audit programs for Councils include review of fraud management and the strategies in place. This review forms part of this. No issues noted.

3.6 Pre‐employment screenings Pre‐employment screenings seek to ensure potential employees are of good character and have no history of not acting in an unethical manner or against behaviours expected within the Code of Conduct. Ararat's Pre‐Employment Check Procedure details the need for all new employees to undertake or provide a recent police check. Working with Children Checks are also required when the position comes into contact with children. The procedure does not note the need for reference checks to be conducted for new employees. We reviewed the last three employee appointments and noted all three had police checks performed, as well as reference checks. No issues noted.





3.7 Fuel cards The purchase of fuel for fleet vehicles at any Council is an area susceptible to potential fraud without sufficient controls in place. One common control is the use of fuel cards. Each fleet vehicle at Ararat has a fuel card attached to the car, no fleet vehicles exist for which a card is not issued. When purchasing fuel for the particular car, the fuel card must be used. The fuel is then charged to Ararat's account which is invoiced monthly. Each time fuel is purchased, the employee must provide the current odometer reading to the petrol station attendant to be entered into the system. If this is not provided, the transaction will not go through. At the end of the month, the Contracts and Procurement Officer receives a report from Fleet Card (the provider of the fuel cards) which details the fuel purchases for each car. The report also details the odometer readings at the time of each purchase. The Contracts and Procurement Officer requests all managers' odometer readings at the end of each month via email. This is then compared to the report from Fleet Card to ensure there are no major discrepancies. The controls to monitor the use of Ararat’s fuel purchased via fleet petrol cards was inadequate, as no evidence of monthly reasonableness test of km’s travelled vs fuel consumption occurs. There is potential for employees to use Ararat’s fuel cards for private vehicles (or unauthorised private purposes) and this to go undetected.

AFS recommendation

Low We recommend a reasonableness test is conducted on the fleet cars’ kilometres travelled against the fuel consumed per month. Any large variances may indicate misuse of fuel cards.

Management comment

Owner Comment Completion date Manager Assets and Procurement

The Executive Leadership Group agrees with this recommendation. As a consequence of this audit report, Council’s Manager Assets and Procurement has developed and implemented a new business procedure to perform a statistical analysis (‘reasonableness test’) of fuel consumed versus kilometres travelled for all fleet vehicles. This process will be executed by Council’s Procurement Officer at least twice yearly.

30 May 2016 No further corrective action required

3.8 Other VAGO recommendations VAGO made a further three recommendations in their Fraud Prevention Strategies in Local Government 2012 report. The recommendations related to purchasing controls, asset registers and systematic reviews of all internal control systems. Our review focused on those recommendations related specifically to the fraud management framework. These additional three recommendations were outside the scope of our review and are addressed in other internal audit reviews.





We reviewed Ararat's procurement function in 2014, and performed a follow up review of recommendations from that report in December 2015. We found all recommendations with the exception of two had been addressed, resulting in a robust procurement framework. A review of Asset Management is tentatively planned to be completed in the 2016/17 financial year. We have already completed a review of Fleet Management, in addition to Major Plant and Equipment, both in 2015. One recommendation within Major Plant and Equipment related to two asset registers held by Ararat. The use of a single register would reduce maintenance of data and enables easier tracking. Please convey our thanks and appreciation to your staff for their assistance and co‐operation during the course of our audit. Please contact Josh Griffin or me if you have any questions. Yours sincerely




Appendix 1 – Template Fraud Control Plan


Ararat Rural City Council does not tolerate fraud or improper conduct by its employees, officers or members, nor the taking of reprisals against those who come forward to disclose such conduct. Council is committed to providing an organisational culture supported by appropriate policies and procedures to prevent fraud and corruption.

Fraud Risk Assessment

Risk Identification

Training

Raising Awareness

Fraud Prevention Policy

Code of Conduct Induction

Protected Disclosures Procedure

Communication of

Intent





Introduction Fraud is the crime of obtaining financial or other benefit by deception, which can have significant impact on Council and the community, potentially reducing the quality of services delivered and adversely affecting Council’s ability to achieve its objectives as set out in the Council Plan. In addition, Council’s financial sustainability may be threatened and reputation damaged. Council is the custodian of significant public funds and assets therefore it is important that the community has assurance that these are adequately protected from fraud. Whilst trust is an essential component of Ararat Rural City Council, this is not sufficient as fraud does happen and often where it is least expected.

Regulatory Framework The Local Government Act 1989 (the Act) requires Council to develop and maintain adequate internal control systems, and to establish both a code of conduct and an audit committee. The Protected Disclosures Act 2012 requires Council to establish written procedures for the handling of any disclosures. The purpose of this Fraud Control Plan is to clearly document Council’s approach to controlling fraud at both strategic and operational levels and the actions and responsibilities for implementation and monitoring of key fraud control measures.

Internal Audit Processes

Audit Committee

Monitoring

Internal Controls

Limiting

Opportunity





Communication of Intent Council’s Fraud Prevention Policy, Staff Code of Conduct and Councilor Code of Conduct are important documents for clearly articulating Council’s objectives and expected outcomes in managing fraud. The Fraud Prevention Policy establishes Council’s attitude and approach to fraud control, while the Staff Code of Conduct and Councilor Code of Conduct set out the high standards of ethical behaviour expected and Council’s commitment to those standards. The Director Corporate Strategy, Risk and Governance is responsible for the Fraud Prevention Policy, which will be reviewed every four years unless required earlier. The Staff Code of Conduct and Councilor Code of Conduct will be reviewed every four years in line with the election of a Council and development of the Council Plan, and are the responsibility of the Director Y. Both the Fraud Prevention Policy and Staff Code of Conduct will be included in the induction program that all new staff members are required to attend on commencing employment with the Council. The Councilor Code of Conduct forms an integral part of the Councilor induction program, to be carried out following each election. As required by legislation, Council’s Protected Disclosures Procedure is available on the Council website. This sets out the procedures for handling any disclosures and subsequent investigation of improper conduct or detrimental actions by any public officer or body, and provides protection to the person making the disclosure.




AFS & Associates Pty Ltd Month & Year 17

The Manager X is responsible for the Protected Disclosures Procedure, which will be reviewed every two years unless required earlier by changes to legislation, systems or procedures.

Raising Awareness Fraud Awareness Training is Council’s method for ensuring that all employees, contractors and volunteers are aware of their responsibilities for fraud control and of the expectations for ethical behaviour in the workplace. Fraud Management Training will be provided to all managers to ensure that they are aware of the additional responsibility as a manager, with regards to fraud control. The Manager X is responsible for development and delivery of fraud training, which will be included in the induction program for all new staff, and delivered across the organisation as refresher training, every two years.

Risk Identification & Limiting Opportunity The Z Committee is responsible for Council’s overall management of risk. The committee comprises the Chief Executive Officer, executive management and all department managers. The committee meets monthly to continually identify, review and manage the Council’s risk exposure as recorded in its risk registers, and reviews Council’s Risk Management Strategy annually. Fraud has been identified as an extreme risk. In order to ensure that all aspects of fraud risk are clearly understood to effectively implement control measures, the committee will undertake an organisational fraud risk assessment as part of its overall risk management strategy. The Director Y is responsible for coordination of the fraud risk assessment however each manager is responsible for the identification of potential exposure to fraud risk in their work area and the development, implementation and monitoring of internal controls (systems, processes and procedures) to minimise the risks.

Monitoring The Audit Committee provides a key role in monitoring Council’s Fraud Control Plan. Any incident of fraud will be reported to the Audit Committee (as per the standard agenda and Annual Audit Activity Plan). Council has a well‐established Audit Committee comprising two Councilors and three independent members. An Audit Committee Charter (based on the Local Government Victoria guidance document Audit Committees: A Guide to Good Practice for Local Government) was adopted by Council in DD MM YYYY, with supporting Audit Committee Guidelines. The committee reviews whole of organisation risk and has determined that rather than appointing a single internal auditor primarily focused on financial risk as has traditionally been the case, specialist auditors determined on the highest organisational risks will be appointed, in line with the Annual Internal Audit Plan.





Internal review of controls (systems, processes and procedures) will be undertaken by Council Officers as identified as reasonable in the fraud risk assessment, and may be selected by the Audit Committee for internal audit as part of the Annual Internal Audit Plan.

Key Fraud Risks

Fraud Risk Internal Controls Monitoring/Review Responsible Officer

Theft of cash Cash handling procedures

Petty cash procedures

Daily receipting reconciliations and bank reconciliation

Annual petty cash audit

Theft/misuse of assets Asset registers Inventory processes

Revaluations Stock takes All Managers

Accounts Payable fraud Creditor procedures NAR procedures

Segregation of duties

Prepayment review

Monthly creditor master file audit

Payroll fraud Payroll procedures including employee master file maintenance

Prepayment review

Monthly creditor master file audit

Procurement fraud Procurement Policy

Procurement Guidelines

Standard documents

Monthly procurement compliance audit

Recruitment fraud Recruitment procedures Referee checks

Qualification confirmation

Misuse of credit card Credit Card Policy

Credit Card Procedures

Duplicate sign off for all transactions





Reference Documents

Document Name Responsible Officer Last Review Next Review Location

Fraud Prevention Policy Internet & intranet

Staff Code of Conduct Intranet

Councillor Code of Conduct Intranet

Protected Disclosures Procedure Internet & intranet

Fraud Awareness (training presentation)

Intranet

Fraud Management (training presentation)

Intranet

Fraud Risk Assessment Intranet

Risk Management Strategy Intranet

Audit Committee Charter Internet & intranet

Audit Committee Guidelines & Annual Audit Activity Plan

Intranet

Procurement Policy Internet & intranet

Procurement Guidelines & standard documents

Continually being developed & improved

Intranet

Standards & Guidelines Australian Standard AS8001‐2008 Fraud and Corruption Control Fraud Control in Australian Government Entities (Australian National Audit Office, 2011) Framework for the Development and Review of Council Staff Codes of Conduct (Local Government

Victoria, 2011) Conflict of Interest: A Guide for Council Staff and A Guide for Councilors (Local Government Victoria,

2011) Audit Committees: A Guide to Good Practice for Local Government (Local Government Victoria, 2011)



Appendix 2 – Risk rating matrix and likelihood definitions


Risk rating matrix

Name Colour Risk Level Description

Extreme Risk

Urgent and immediate action required. Executive management is to be involved in developing a detailed plan for understanding, managing and reducing the Risk. The Executive Management Team will monitor the status of these risks.

High Risk

Senior Management oversight is needed and responsibility given to operational management to apply specific procedures to research the risk, implement specific response procedures and/or monitor the risk. Status of the risks will be monitored by senior management.

Moderate Risk Operational management to apply specific procedures to monitor the risk and to implement specific response procedures. Status is to be monitored by managers.

Low Risk No action required. Managed by routine procedures and is unlikely to need specific application of resources. Status is to be monitored by responsible team members reporting to their managers.





Name Consequence Description

Insignificant 1. Minor injury possible. 2. Able to be rectified using management processes. 3. Financial impact easily manageable within jurisdictional budget.

Minor 1. Serious injury unlikely but minor injury probable. 2. Success measures able to be achieved with some effort. 3. Some reworking of jurisdictional budget required.

Moderate

1. Loss of life unlikely but serious injury possible. 2. Some success measures affected with considerable effort necessary to rectify. 3. Minor reworking of corporate budget or significant reworking of jurisdictional budget

required.

Major 1. Loss of life possible and serious injury probable. 2. Most success measures threatened or one severely affected. 3. Significant reworking of corporate budget, including cuts to items.

Catastrophic 1. Loss of life probable and serious injury inevitable. 2. Event/project/activity would never be carried out again. 3. Financial impact could not be managed within corporate budget.

Name Likelihood Description

(A) Almost certain

The event is expected to occur in most circumstances or at least twice a year.

(B) Likely Expect this event at least annually.

(C) Possible The event might occur at some time over an extended period.

(D) Unlikely The event could occur at some time but is not usually experienced.

(E) Rare The event may occur only in exceptional circumstances.


31 May 2016 Ref No.: 977281_1

Private and Confidential Homi Burjorjee Audit Committee Chair Ararat Rural City Council PO Box 246 ARARAT VIC 3377 Dear Homi 2016‐02 HACC & Commercial Services Review We have recently completed our internal audit of the HACC & Commercial Services at Ararat Rural City Council (Ararat). I now present our report for your attention. Yours sincerely


7.3 HACC & Commercial Services Review June 2016


2016‐02 HACC & Commercial Services Review

May 2016


Contents

1 Executive summary.................................................................................................................................. 1

Objective ..................................................................................................................................................... 1

Conclusion ................................................................................................................................................... 1

Areas of strength ......................................................................................................................................... 1

Opportunities for improvement .................................................................................................................. 1

2 Internal audit introduction ..................................................................................................................... 3

Scope ........................................................................................................................................................... 3

Risk rating methodology ............................................................................................................................. 3

Approach ..................................................................................................................................................... 4

3 Detailed observations and recommendations ................................................................................... 5

Background.................................................................................................................................................. 5

Risk register ................................................................................................................................................. 7

Service agreements ..................................................................................................................................... 8

Budgeting .................................................................................................................................................... 8

Risk management ‐ employees ................................................................................................................. 10

Fee setting ................................................................................................................................................. 12

Cost allocation ........................................................................................................................................... 13

Controls over fee setting ........................................................................................................................... 16

Appendix 1 – Risk rating matrix and likelihood definitions ...................................................................... 16


Internal audit report 2016‐02 HACC & Commercial Services Review


AFS & Associates Pty Ltd May 2016 1

Objective

The objective of the internal audit was to confirm cost monitoring, recoverability and accounting procedures exist over HACC & Commercial Services delivered by Ararat Rural City.

Conclusion

Current budgeting and cost allocation practices do not accurately reflect costs attributable to delivering HACC & Commercial Services. Several overhead costs are not included. The fees charged, therefore, do not recover the full cost. Enhancements may be made through: improving the fee setting process by tailoring data used to establish hourly fee charged to clients reviewing costs allocated to the management of HACC & Commercial Services establishing where responsibility lies for tasks such as fee setting within Carelink relating to HACC &

Commercial Services building budget accountability and monitoring obligations into staff roles documenting key risks and mitigating controls associated with delivery of these services within

Ararat's risk register.

Areas of strength

Staff are aware of deficiencies within the HACC & Commercial Services process and are enthusiastic to implement procedures to improve the process. In particular, we confirmed the following areas of strength from testing performed: Timesheets of staff delivering services were being approved by management. Time inputs from timesheets to Carelink were accurate. Employee files were sufficiently complete and well organised. Compliance with agreement requirements (refer to 3.1 Background for list of organisations

agreements are held with).


3.2

A gap exists in the risk register surrounding risks associated with delivering HACC and Commercial Services. We recommend the risk register is updated to include the risks arising from the following: Deficiencies in budget setting processes. Accountability for budget variances. Lack of documented processes around fee setting.

Low

3.4.1

Accountability for budget variances does not exist and budget variance analysis reporting to executives does not occur over this area. We recommend reporting to executive management is established for budget to actual variance reporting to enable monitoring and minimise the risk of budget overruns.

Low

3.5

Employee inductions were introduced at Ararat in 2010. Employees that commenced prior to 2010 did not receive induction training. We recommend a review of the need for induction training is considered for employees who were employed prior to the introduction of inductions at Ararat.

Low

3.5 We could not find a copy of police checks for two of the five employee files tested. We recommend copies of police checks are kept on all employee files.

Low






3.6.2

Employee on‐costs of 41% (as a mark‐up on hourly rates) has been static since at least the 2008/09 financial year. No justification was given regarding how the original 41% was calculated and who it was approved by. We recommend Ararat review employee on‐costs charged for commercial services annually as part of the budgeting process.

Low

3.6.2

The calculation of service fees for other Commercial Services does not factor in certain indirect costs. We recommend Ararat review the fee setting process for commercially provided services to identify and factor in these costs.

Low

3.7 Budgeting and cost allocation processes do not factor in certain indirect costs. We recommend identification and factoring in of these costs to demonstrate the true cost of providing HACC & Commercial Services.

Low

3.7.2

Meals (under Meals on wheels program) are provided at no cost (cost is worn by Council) where clients cannot afford meals and there are concerns over their nutrition. We were unable to determine whether delegation existed to allow waving of meal/services invoices to clients. We recommend Ararat confirm delegation exists to wave the invoicing of meals.

Low

3.8 Processes surrounding fee setting are not documented and controls are weak. We recommend tightening of controls and documenting the process around fee setting.

Low





Scope

The scope of the internal audit included: Review and report on:

‐ HACC funding agreements ‐ general compliance with agreement requirements ‐ Council’s recoverability rates ‐ costing, including cost inputs ‐ administrative systems in place to ensure the administrative burden to facilitate delivery of HACC

services is minimised ‐ risk management

You requested the following additional scope: ‐ training for new and existing relevant employees that promotes compliance ‐ confirm police checks and working with children’s checks are performed and on file for staff

doing home visits. Our review was conducted on Monday 2 and Tuesday 3 May 2016.

Risk rating methodology

The following is a visual diagram of the residual risk rating that could be given based on our assessment:

Figure 1: Risk rating matrix Ararat’s risk rating matrix which has been used throughout our assessment.

The rating scale definitions are explained in Appendix 1 – Risk rating matrix and likelihood definitions.





Approach

The review was conducted primarily by applying discussion, observation and review techniques and included: review of policies and procedures surrounding:

‐ fee setting ‐ timesheets, including allocation of service charges

an assessment of:

‐ accountability for budget variances ‐ budgets and financial reports related to HACC & Commercial Services, including reports to

management ‐ budget variance reporting and frequency ‐ whether services are provided in accordance with funding program requirements ‐ whether services provided are cost neutral

discussions with the following: ‐ Accountant ‐ Director Assets, Finance & Corporate Services ‐ Director Council Services ‐ Manager Community Development & Client Services





3.1 Background The Ararat municipality has a higher than average level of people with a severe or profound disability. HACC clients aged between 0‐69 in Ararat are more than double the state average1 (410.7 per 1000 population for Ararat vs 196.9 per 1000 population for the state).

Ararat's HACC services include:

general home support services in home respite service – support and assistance to enable carers to have time away from the home personal care – assistance with showering, dressing and grooming delivered meals – hot meals delivered 5 days a week – rural areas frozen meals delivered. Cold meals

delivered on Fridays for weekends property maintenance – installation of rails/minor work on steps, cleaning spouting, small handyman

tasks.

Ararat also has agreements in place with the following organisations on a commercial basis: Grampians Community Health Villa Maria Catholic Homes Southern Cross Care East Grampians Health Services Department of Veterans' Affairs St Laurence Community Services Stawell Regional Health. Per Table 1, revenue from HACC services is attributable to over 70% of total HACC & Commercial Services revenue.

Budget 2013/14 $'000

Actual 2013/14 $'000

Budget 2014/15 $'000

Actual 2014/15 $'000

Budget 2015/16 $'000

Actual 2015/16* $'000

HACC

Revenue 529 723 538 734 621 548

Expenditure (604) (689) (626) (723) (678) (573)

Net (76) 34 (88) 11 (57) (25)

Commercial Services

Revenue 239 268 192 210 261 174

Expenditure (263) (263) (242) (225) (259) (163)

Net (24) 5 (50) (15) 2 11 Table 1: Annual Budgeted and Actual Cost for HACC & Commercial Care Services * Represents April 2016 YTD actual figure. Table 1 illustrates that HACC services derive 70% of total HACC & Commercial Services revenue. Figure 2 (below) shows that over 80% of HACC revenue is sourced from grants, verifying that budgeted revenue amounts may significantly vary once actual funded hours are confirmed.

1 Municipal Public Health and Wellbeing Plan 2013‐2017



3. Detailed observations and recommendations (continued)


* Represents April 2016 YTD actual revenue sources for HACC Services delivered by Ararat Rural City. Figure 1: HACC revenue source

* Represents April 2016 YTD actual revenue sources for Commercial Services delivered by Ararat Rural City. Figure 2: Commercial revenue source: Please note Commercial Services Charges are charged to the relevant organisation that Ararat holds an agreement with, not the client receiving the service.

Figure 3 illustrates that commercial services revenue does not rely heavily on grant revenue and therefore budget figures are less prone to variances. It is essential that processes for ensuring community care services are provided within budget and in accordance with funding requirements are in place.





3.2 Risk register We reviewed Ararat’s risk register for risks that relate to HACC & Commercial Services, noting the following high/extreme risk items: Staff safety within client homes. Decentralised management of staff legal criteria. Out of contract provision of delivered meals. Breach of procurement integrity. Stakeholder relationship strain We confirmed all of the above risks had been reviewed and have mitigating controls seeking to minimise the risk exposure. Our review found the following control weaknesses were not covered within the risk register: Deficiencies in budgeting process – leading to potential budget overruns or shortfall in recoverability

achieved. Lack of accountability for budget variances – leading to undetected and unmanaged budget overruns. Lack of documented processes around fee setting – leading to potential shortfall in recoverability

achieved.

AFS recommendation

Low

We recommend the risk register is updated to include risks associated with the following control weaknesses:

Deficiencies in budgeting process. Lack of accountability for budget variances. Lack of documented processes around fee setting.

Management comment

Owner Comment Completion date Manager Community Development & Client Services

The Executive Leadership Group agrees with this recommendation. Council’s Manager Community Development & Client Services to add the following risks and associated controls to the Operational Risks register for HACC Services: Deficiencies in budgeting process Lack of accountability for budget variances Lack of documented processes around fee setting

30 June 2016





3.3 Service agreements 3.3.1 HACC

Ararat's funding agreement with the Department of Human Services (DHS) commenced on 1 July 2015 and runs for one year. We reviewed the agreement, noting the following requirements: Ararat must obtain accreditation and remain accredited by the Independent Review Body. Funding must only be used for the Services as agreed by the Department. Ararat must warrant that, to the best of its knowledge, no conflict of interest exists. We reviewed Ararat's funding agreement and found through our testing and conversations with the Manager of Community Development & Client Services: accreditation was held from the Independent Review Body funding was used for services agreed upon by the Department no conflict of interests existed.

3.3.2 Commercial HACC services

As outlined in 3.1 Background, Ararat holds agreements with several bodies to provide commercial services. Agreement requirements for commercial services contracts was minimal, with the only on‐going requirement being that Ararat must hold sufficient public liability insurance. There are also no set hours that are required to be delivered. Unlike HACC, commercial services agreements are charged at an hourly rate based on the service provided, with the exception of meals on wheels which is charged per meal.

We confirmed public liability insurance to the value of $400M is retained by Ararat and covers claims associated with delivery of these services.

3.4 Budgeting Budgeting for HACC & Commercial Services delivery enables Council to: encourage planning over the efficient and effective delivery of these services provide a basis for responsibility of achieving budgeted targets and results provide the basis for a control mechanism – to identify, assess and react to deviations from set plans,

and delegate spending to managers to be within budgeted amounts (i.e. budgetary control) evaluate the associated revenue (grants/contracted and own‐sourced) set the level of expenditure and identify cost drivers measure the extent to which provision of the services is subsidised by Council (or a surplus is made)

and make informed decisions about the level of service delivery





* Actual represents April 2016 YTD actual surplus/loss figure. Figure 3: Budget v Actual Surplus/Loss for HACC & Commercial Services

The above graph demonstrates the budget versus actual results for the past five financial years. The Manager of Community Development & Client Services is responsible for preparing the budget. We discussed the process for setting the budget and reviewed workings. The following was noted: A conservative budgeting process exists as actual funded contact hours are not known at the time of

budget setting. A bottom up approach to budgeting exists. Prior year outcomes are used to determine expected contact hours. Hourly rates are set based on average wage costs (refer to 3.6 Fee Setting for further details). Cost of meals are based on full cost recovery approach. The Director of Council Services reviews the budget before being submitted for Council adoption. It was explained the deficit budget position and significant variances to budget have occurred in prior years (albeit favourably) due to the unknown grant allocation and conservative approach at budget time.

3.4.1 Budget variance reporting We sought to confirm whether budget variance reporting and monitoring occurs, and if budget accountability is set for HACC & Commercial Services.

Budget variance reporting allows: evaluation of the performance of the business units timely detection and curtailment of unexpected adverse trends in spending timely requests for additional budget allocation assessment of the accuracy of the budgets and the reasonableness of the budget assumptions and

budget setting process tailoring budgets prepared for future periods identifying certain key risk indicators existing within the business unit.

The Manager of Community Development & Client Services develops budget variance reports every three months. These are not reported to executives, however are for her own use and results are not formally monitored elsewhere (i.e. there is no structured accountability).





The Accountant sends reminders at least every three months for the Manager of Community Development & Client Services to update the HACC & Commercial Services forecasts within Powerbudget (Ararat's overarching budgeting system). The Accountant completes a brief review of the forecast for HACC & Commercial Services, and any significant changes are informally reported upwards (sometimes the CEO, manager or director). Responsibility for monitoring financial performance of HACC & Commercial Service lies with the Manager of Community Development & Client Services, as per her position description. There is opportunity to strengthen accountability however through more formal reporting. Accountability for variances from approved budgets ensures the likelihood of budget overruns are minimised.

AFS recommendation

Low We recommend reporting to executive management is established for budget to actual variance reporting to ensure the risk of budget overruns is minimised.

Management comment


While Council’s Executive Leadership Group accepts this recommendation we also acknowledge that it is impossible for our staff to determine exactly how many service hours they will be asked to deliver during each financial year. Consequently, our processes require that the annual budget for HACC services is determined using a conservative / worse‐case approach to ensure the likelihood of going over‐budget is minor and the financial impact, if it were to occur, is insignificant. This aligns with the auditor’s view that this is a “Low” risk process. Council’s Manager Community Development & Client Services to develop a procedure to monitor the HACC budget and regularly report results to the Executive Leadership Group.

1 July 2016

3.5 Risk management ‐ employees The nature of services provided requires staff to work at a client's home. Adequate employee screening and training is essential in ensuring they are appropriately skilled and suitable for the role. Induction procedures seek to manage OH&S risks, compliance risks and promote the delivery of appropriate levels of service. We reviewed five employee files to confirm the following documents exist: police check signed induction forms qualification certificates.





Our results are tabled below:

Employee Number Police check Induction form Qualifications

35‐04‐2875

1115.65.2895

35‐04‐2660

35‐04‐2830

35‐04‐2740 Table 2: Employee file testing

Employee inductions were introduced at Ararat in 2010. We reviewed the induction process and noted it includes: overview of role and position description instruction on timesheet completion familiarisation with HACC staff manual and associated policies and procedures explanation of personal protective equipment provisions explanation of immunizations and declaration. The tested employees that did not have an induction form on file commenced their employment prior to Ararat introducing an induction process. Ararat may consider delivering inductions to previously employed employees to ensure important components of induction are delivered to all employees, serving as a risk mitigation tool. The Manager of Community Development & Client Services advised that police checks had been obtained for all employees, however a copy of this check for the two employee files as shown in Table 2 could not be located.

AFS recommendation

Low We recommend Ararat consider undertaking induction procedures for employees who were employed prior to the introduction of inductions at Ararat.

Management comment


Council’s Executive Leadership Group accepts this recommendation. Council’s Manager Community Development & Client Services to review Council’s training records to identify HACC employees who have not yet received Induction Training, which will then be delivered by the People & Culture team.

1 July 2016





Low We recommend copies of police checks are retained on all employee files as evidence of having been received and checked for adverse outcomes.

Management comment


The Executive Leadership Group agrees with this recommendation, and since 2013 this process has been in place (see attached of “Crimcheck Application Procedure 2.1.1”). Prior to 2013, police checks were generally not undertaken for new employees when they were engaged by Council. With reference to the two employees identified in table 2 that are missing Police Check documents: 35‐04‐2660 commenced with Council in 1990 35‐04‐2740 commenced with Council in 1993

No action required

3.6 Fee setting

3.6.1 HACC

HACC fees that are charged to clients are set by the DHS in accordance with the agreement. Ararat has no control over the fees set.

3.6.2 Commercial services The Manager of Community Development & Client Services is responsible for setting fees for commercial services. This is calculated by obtaining the average wage cost per hour (based on EBA rates) from the Finance team and adding a standard employee on‐cost of 41% to that amount. The employee on‐cost of 41% is specifically used for commercial services, and is not widely used by Council. The 41% figure has been the same since at least the 2008/09 financial year. No justification was given regarding how the original 41% was calculated and who it was approved by. Opportunities exist to annually review on‐costs as part of the annual budgeting and fee setting process. Furthermore, it could not be demonstrated the calculation of service fees takes into account certain overhead and indirect (but directly attributable) costs such as: administrative costs (i.e. billing, payment processing, HR coordination and payroll) coordination costs, including the Manager of Community Development & Client Service's wage other overhead costs (i.e. rent, electricity, software subscriptions).

Costs directly attributable to the delivery of the service need to be factored into the cost structure, rather than absorbed by Council’s general corporate services overhead. This produces a more cost‐reflective outcome when analysing the true cost of delivering these services. There is scope to improve the hourly fee setting process and cost of service delivery by identifying all directly attributable costs, and factoring them in. This will ensure a more accurate hourly rate can be calculated and decreases the risk of Ararat being exposed financially through unfunded/partially funded service delivery.





AFS recommendation

Low We recommend Ararat review employee on‐costs charged for commercial services annually as part of the fee and budgeting process.

Management comment


The Executive Leadership Group agrees with this recommendation. Council’s Manager Community Development & Client Services to develop a new procedure to review all on‐costs associated with Commercial Services, and this will invoked during the annual HACC budget setting process. The aim of the procedure is to attain full recovery of all directly attributable costs.

1 August 2016

Low

We recommend Ararat review the fee setting process for commercially provided HACC services and consider recovery of directly attributable costs such as: administrative costs coordination costs direct overhead costs as part of the annual fee setting and budget setting

process.

Management comment


The Executive Leadership Group agrees with this recommendation. To be included in the aforementioned (cost recovery) procedure.

As above

3.7 Cost allocation The majority of costs are charged using hours (factoring in fuel costs) as the cost driver, with the exception of meals on wheels which is charged per meal. Costs are charged to the correct general ledger account through Ararat's specific HACC & Commercial Services software, Carelink. Carelink is used to: set rosters complete and process employee timesheets perform client billing There is ambiguity around the "HACC Planning" costs line item within the budget and the chart of accounts, which relates to both HACC & Commercial Services. This is not split between service types according to an appropriate method. Our review of the cost allocation process found that the HACC coordinator salary is proportioned between HACC and Commercial Services based on which program is breaking even, and not allocated using a cost driver (such as hours delivered, EFT split, or dollar spend).





As a result, actual HACC & Commercial Services' net figures did not accurately reflect the cost of delivering each service. Furthermore, several costs are not allocated (as discussed in 3.7.2 Commercial services), such as: administrative costs, including the Manager of Community Development & Client Services' wage overhead costs.

AFS recommendation

Low We recommend Ararat identify directly attributable costs and consider factoring these into cost allocation and fee setting procedures for HACC & Commercial Services.

Management comment


The Executive Leadership Group agrees with this recommendation. To be included in the aforementioned (cost recovery) procedure.

As above

3.7.1 Timesheets Accurate timesheet preparation ensures services are charged correctly and to the right service department. We reviewed five employee timesheets to confirm: timesheets were approved by a Manager and the client confirming hours worked and client serviced hours worked on timesheets matched Carelink, including allocation to relevant service department input of kilometre claims from timesheets to Carelink was accurate. We found: all timesheets were approved by an appropriate delegated authority all timesheets were signed by the client costs were allocated to the correct service department and client no variances existed between hours worked on timesheets and hours charged on Carelink. No issues noted.

3.7.2 Meals on wheels Ararat engaged East Grampians Health Services through a three year contract following a public tender process to prepare meals to be used for the Meals on Wheels program. The following process occurs: Meals are picked up and distributed by volunteers. Cost of meals are invoiced to Ararat monthly from East Grampians Health Services.





The Contracts Department reviews the number of meals invoices against number of meals charged to clients, ensuring they align.

The cost of meals (net of reimbursement through HACC) are charged directly to the client (to enable full cost recovery).

We reviewed revenue and expenditure relating to meals on wheels for the past five financial years:

Actual 2011/12 $'000

Actual 2012/13 $'000

Actual 2013/14 $'000

Actual 2014/15 $'000

Actual 2015/16* $'000

HACC

Revenue ‐ Meals 64 73 80 83 67

Expenditure ‐ Meals (91) (105) (96) (101) (70)

Net (27) (32) (16) (18) (3)

Commercial Services

Revenue ‐ Meals 9 6 4 1 ‐

Expenditure ‐ Meals (10) (6) (4) (1) ‐

Net (1) ‐ ‐ ‐ ‐

Table 3: Annual Cost for HACC & Commercial Care Meals on Wheels

* Represents April 2016 YTD actual figure. Table 3 demonstrates that full cost does not occur for Meals on Wheels provided under HACC. The Manager of Community Development & Client Services advised that where clients cannot afford meals and there are concerns over their nutrition, meals are provided at no cost (cost is worn by Council). We were unable to determine whether delegation existed to allow waving of meal/services invoices to clients.

AFS recommendation

Low We recommend Ararat confirm delegation exists to wave the invoicing of meals.

Management comment


The Executive Leadership Group agrees with this recommendation. Council’s Manager Community Development & Client Services to:

develop a new procedure to review cases where clients cannot afford meals and there are concerns over nutrition, and

ensure appropriate financial delegations exist within Council’s Delegations Registers.

1 August 2016





3.8 Controls over fee setting The Manager of Community Development & Client Services holds the majority of responsibilities for HACC & Commercial Services. This role includes: coordinating services fee setting for commercial services budget setting and reporting. Processes surrounding the fees being set in Carelink are not documented. Our testing of the system found one instance where a client was being charged an incorrect fee. We could not confirm who is responsible for updating these fees. Controls we would expect around fee setting and system input would include:

the finance department checking the costing and fee setting methodology, including assumptions and calculations

appropriate minuted approval of the fees set cross checking of fee inputs into Carelink by a separate employee to ensure they are entered correctly occasional testing and review of invoicing being generated from Carelink data continual (at least quarterly) review of cost recovery levels as determined from budget variance

monitoring.

AFS recommendation

Low We recommend Ararat develop a procedure document outlining where responsibility lies for tasks relating to HACC & Commercial Services, with specific reference to fee setting in Carelink.

Management comment


The Executive Leadership Group agrees with this recommendation. Council’s Manager Community Development & Client Services to develop a new procedure to annually review the fees set in Carelink, including appropriate consultation with Council’s Manager Corporate Support (Finance).

1 August 2016

Please convey our thanks and appreciation to your staff for their assistance and co‐operation during the course of our audit. Please contact Imogen Guidi or me if you have any questions. Yours sincerely






Risk rating matrix

Name Colour Risk Level Description

Extreme Risk

Urgent and immediate action required. Executive management is to be involved in developing a detailed plan for understanding, managing and reducing the Risk. The Executive Management Team will monitor the status of these risks.

High Risk

Senior Management oversight is needed and responsibility given to operational management to apply specific procedures to research the risk, implement specific response procedures and/or monitor the risk. Status of the risks will be monitored by senior management.

Moderate Risk Operational management to apply specific procedures to monitor the risk and to implement specific response procedures. Status is to be monitored by managers.

Low Risk No action required. Managed by routine procedures and is unlikely to need specific application of resources. Status is to be monitored by responsible team members reporting to their managers.





Name Consequence Description

Insignificant 1. Minor injury possible. 2. Able to be rectified using management processes. 3. Financial impact easily manageable within jurisdictional budget.

Minor 1. Serious injury unlikely but minor injury probable. 2. Success measures able to be achieved with some effort. 3. Some reworking of jurisdictional budget required.

Moderate

1. Loss of life unlikely but serious injury possible. 2. Some success measures affected with considerable effort necessary to rectify. 3. Minor reworking of corporate budget or significant reworking of jurisdictional budget

required.

Major 1. Loss of life possible and serious injury probable. 2. Most success measures threatened or one severely affected. 3. Significant reworking of corporate budget, including cuts to items.

Catastrophic 1. Loss of life probable and serious injury inevitable. 2. Event/project/activity would never be carried out again. 3. Financial impact could not be managed within corporate budget.

Name Likelihood Description

(A) Almost certain

The event is expected to occur in most circumstances or at least twice a year.

(B) Likely Expect this event at least annually.

(C) Possible The event might occur at some time over an extended period.

(D) Unlikely The event could occur at some time but is not usually experienced.

(E) Rare The event may occur only in exceptional circumstances.


31 May 2016 Ref No.: 974680_2

Private and Confidential Homi Burjorjee Audit Committee Chairperson Ararat Rural City Council PO Box 246 ARARAT VIC 3377 Dear Homi

Internal Audit Program Status Update I attach internal audit program status update for Ararat Rural City Council. Yours sincerely


7.4 Internal Audit Prgram Status June 2016

Internal Audit Program Status Update


Internal audit program

Topic Timing Status

Year 1 ‐ 1 July 2015 to 30 June 2016

Risk assessment and development of a 3 year IA plan 19 August 2015 Complete

Major Plant and Equipment 12‐13 October 2015 Complete

Procurement (follow up review incl. IBAC recommendations)

7 December 2015 Complete

Fraud Prevention & Detection Strategies 4 ‐ 5 April 2016 Complete

HACC & Commercial Services Review 2‐5 May 2016 Complete

Past Issues – Follow up Review 21 June 2016 Tentative

Year 2 ‐ 1 July 2016 to 30 June 2017

Review of IA Program (off site) 11 July 2016 Tentative

Risk Management Function Including Liability Claims Management

17‐18 October 2016 Tentative

Strategic Planning Processes – Development of Council Plan & Strategic Performance Monitoring

17‐18 January 2017 Tentative

Reputational Risk Management & External Communications

11‐12 April 2017 Tentative

Past Issues – Follow up Review 24 May 2017 Tentative

Year 3 ‐ 1 July 2017 to 30 June 2018

Review of IA Program (off site) Not scheduled

Value Assessment/Monitoring from Council’s Major Strategic Investment Areas

Not scheduled

Business Continuity & Disaster Recovery Planning Not scheduled

Information Technology Systems and Strategy Not scheduled

Past Issues – Follow up Review Not scheduled

Year 4 ‐ 1 July 2018 to 30 June 2019

Asset Management Not scheduled

Council Services (defined, budgeted, cost monitoring, reviews)

Not scheduled

Scope for approaching topics

Topic Timing Scope

Past Issues – Follow up Review 21 June 2016

Review the extent to which action has been taken towards addressing agreed recommendations within Council’s Internal and External Audit Action register. Seek sufficient evidence where deemed necessary.

Review of IA Program (off site) 11 July 2016 In consultation with management, conduct a review of the annual internal audit program and submit for approval to the Audit Advisory Committee.


Internal Audit Program Status Update

AFS & Associates Pty Ltd November 2015 3
