Audits highlight high-risk management issues

Gosford's Council Chambers.

A Central Coast Council staff member manually adjusted a rate payment by $22,000 without appropriate authority, which was identified by the NSW Audit Office in the final audit for the year ending June 30, 2019.

That was one of two instances of manual adjustments made to customer rates accounts which did not comply with Council’s approval guidelines identified by the NSW Audit Office.

The manual adjustment of $22,000 exceeded the approver’s delegation of $1000.

In another instance, the auditors could not obtain supporting documents for the approval of an adjustment of $707.

Management agreed to implement the audit recommendation to review the design and implementation of controls to ensure all adjustments to customer accounts were approved by an appropriate delegated authority.

However, an update dated September 2020 by management said “pressure of work: no update received”.

The item is still overdue, according to a report to the Audit Risk and Management Committee (ARIC) on June 24.

The report is now public.

It lists all the management actions which are overdue and their risk ranking.

The report, called the Implementation of Management Actions Arising From Independent Reviews, forms part of the standard suite of reports presented by the Chief Internal Auditor to the quarterly ordinary meetings of ARIC.

It shows there were 355 management actions to be taken in response to four different audits: internal audits, internal ombudsman, the NSW Audit Office and external consultants.

Of the 355 management actions 30 per cent have been approved for closure; a further nine per cent were either awaiting approval for closure or had not been approved for closure “presumably pending discussion or further”, the Council report stated.

That left a closing balance of 214 actions remaining open with a total of 53 of these actions considered high-risk.

Other findings included two instances where significant contracts valuing more than $20M were not included in Council’s contracts register.

These contracts had purchase orders raised against them.

ARIC was told that implementation of a corporate contract management system was on hold as per a request in March of the then chief operating officer.

The Council report to ARIC said it was incumbent upon management at all levels to ensure controls were effectively mitigating the associated risks and that their systems/processes were operating efficiently and cost-effectively.

“It is worth noting that the number of outstanding actions will fluctuate depending on the finalisation of reports, the number of reviews in train and the number of actions accepted by management,” the report said.

“Likewise, the number of overdue actions will be influenced by the length of time management indicates it will take to address the issues.

“It is important that the focus of the Committee is on the issues identified and the significance of the findings, along with how management intends to address the control weaknesses, rather than on the actual number of issues or the due dates (which are set by management),” the report said.

ARIC was encouraged to use the information in the report and the accompanying tables to identify any specific strategic or operational activities they would like to discuss with management at future meetings in respect of risk mitigation measures and system/process improvements; and/or form a view on the control framework and advise Council and the CEO accordingly.

The ARIC Charter includes: reviewing whether management has adequate internal controls in place, including over external parties such as contractors and advisors; reviewing whether management has in place relevant policies and procedures, and these are periodically reviewed and updated; progressively reviewing whether appropriate processes are in place to assess compliance with policies and procedures; reviewing the annual performance of Council against the key performance indicators documented in the Operational Plan, and providing advice to the CEO on the adequacy of Council’s performance against these indicators; reviewing whether appropriate policies and procedures are in place for the management and exercise of delegations; and reviewing whether management has taken steps to embed a culture which is committed to ethical and lawful behaviour.

ARIC Business Paper, June 24
Website, Central Coast Council