Agenda of Risk and Assurance Committee - Wednesday, 6 March 2024

Risk and Assurance Committee

Membership

Chairperson	Cr Stuart Crosby
Deputy Chairperson (Independent)	Bruce Robertson
Members	Cr Ron Scott Cr Andrew von Dadelszen Cr Te Taru White Cr Kevin Winters
Ex Officio	Chairman Doug Leeder
Quorum	Three members, consisting of half the number of members
Meeting frequency	Quarterly

Purpose

Monitor the effectiveness of Council’s funding and financial policies and frameworks to ensure the Council is managing its finances in an appropriate manner.

Monitor the effectiveness of Council's performance monitoring framework.

Ensure that Council is delivering on agreed outcomes.

Role

· Monitor the effectiveness of Council’s funding and financial policies and Council’s performance monitoring framework (financial and non-financial).

· Review Council’s draft Annual Report prior to Council’s adoption.

· Receive and review external audit letters and management reports.

· Approve and review the internal audit plan and review the annual programme report.

· Approve, review and monitor Council’s risk framework and policy.

· Review the risk register.

· Monitor Council’s legislative compliance and receive reporting on non-compliance matters as part of risk management reporting.

Power to Act

To make all decisions necessary to fulfil the role and scope of the committee subject to the limitations imposed.

Power to Recommend

To Council and/or any standing committee as it deems appropriate.

The Risk and Assurance Committee is not delegated authority to:

· Develop, review or approve strategic policy and strategy.

· Develop, review or approve Council’s Financial Strategy, funding and financial policies and non-financial operational policies and plans.

The Risk and Assurance Committee reports directly to the Regional Council.

Recording of Meetings

Please note the Public section of this meeting is being recorded and streamed live on Bay of Plenty Regional Council’s website in accordance with Council's Live Streaming and Recording of Meetings Protocols which can be viewed on Council’s website. The recording will be archived and made publicly available on Council's website within two working days after the meeting on www.boprc.govt.nz for a period of three years (or as otherwise agreed to by Council).

All care is taken to maintain your privacy; however, as a visitor in the public gallery or as a participant at the meeting, your presence may be recorded. By remaining in the public gallery, it is understood your consent is given if your image is inadvertently broadcast.

Opinions expressed or statements made by individual persons during a meeting are not the opinions or statements of the Bay of Plenty Regional Council. Council accepts no liability for any opinions or statements made during a meeting.

Risk and Assurance Committee 6 March 2024

Recommendations in reports are not to be construed as Council policy until adopted by Council.

Agenda

1. Apologies

2. Public Forum

3. Items not on the Agenda

4. Order of Business

5. Declaration of Conflicts of Interest

6. Public Excluded Business to be Transferred into the Open

7. Minutes

Minutes to be Confirmed

7.1 Risk and Assurance Committee Minutes - 7 December 2023 2

8. Reports

8.1 Chairperson's Report 2

Attachment 1 - Risk and Assurance Work Programme June 2024 - December 2024 2

Attachment 2 - Risk and Assurance Completed Work Programme March 2023 to December 2023 2

8.2 External Audit Engagement Letter: Audit of the Consultation Document and 2024 - 2034 Long-Term Plan 2

Attachment 1 - BOPRC LTP (2024-2034) - Audit Engagement Letter 2

8.3 External Audit Plan 2023/24 2

Attachment 1 - BOPRC Audit Plan 2024 2

8.4 Internal Audit Status Update 2

9. Public Excluded Section

Resolution to exclude the public

Excludes the public from the following parts of the proceedings of this meeting as set out below:

The general subject of each matter to be considered while the public is excluded, the reason for passing this resolution in relation to each matter, and the specific grounds under section 48(1) of the Local Government Official Information and Meetings Act 1987 for the passing of this resolution are as follows:

Item No.	Subject of each matter to be considered	Reason for passing this resolution in relation to each matter	Grounds under Section 48(1) for the passing of this resolution	When the item can be released into the public
9.1	Public Excluded Risk and Assurance Committee Minutes - 7 December 2023	As noted in the relevant Minutes.	As noted in the relevant Minutes.	To remain in public excluded.
9.2	Key Risk Register	Withholding the information is necessary to prevent the disclosure or use of official information for improper gain or improper advantage.	48(1)(a)(i) Section 7 (2)(j).	On the Chief Executive's approval.

Minutes to be Confirmed

9.1 Public Excluded Risk and Assurance Committee Minutes - 7 December 2023

Reports

9.2 Key Risk Register

Attachment 1 - Key risk register - December 2023

10. Public Excluded Business to be Transferred into the Open

11. Readmit the Public

12. Consideration of Items not on the Agenda

Risk and Assurance Committee Minutes

7 December 2023

Risk and Assurance Committee

Open Minutes

Commencing: Thursday 7 December 2023, 9.30am

Venue: Council Chambers, Regional House, 1 Elizabeth Street, Tauranga

Chairperson: Cr Stuart Crosby

Deputy Chairperson: Bruce Robertson (Independent Member)

Members: Cr Ron Scott

Cr Andrew von Dadelszen

Cr Te Taru White

Cr Kevin Winter

In Attendance: Councillors: Cr Matemoana McDonald (via Zoom); Cr Jane Nees (via Zoom)

Staff: Fiona McTavish – Chief Executive; Mat Taylor – General Manager Corporate; Chris Ingle – General Manager, Integrated Catchments; Reuben Fraser – General Manager, Regulatory Services; Steve Groom – Governance Manager; Evaleigh Rautjoki-Williams – Digital Manager (Chief Digital Officer); Steve Slack – Risk & Assurance Manager; Aaron Huggins – Principal Internal Auditor; Mark Lennard – Internal Audit Advisor; Jo Pellew – Rates Manager; Annabel Taylor – Manager, Special Projects; Monique Brooks - Legal and Commercial Manager; Jenny Teeuwen – Committee Advisor

Apologies: Chairman Doug Leeder (Ex Officio)

Committee members and the public were reminded that the public section of the meeting was being livestreamed and recorded and that the recording would be available on the Bay of Plenty Regional Council YouTube channel following the meeting.

Recording link: Risk and Assurance Committee - 7 December 2023 - YouTube

1. Apologies

Resolved

That the Risk and Assurance Committee:

1 Accepts the apology from Chairman Doug Leeder for absence tendered at the meeting.

Crosby/von Dadelszen

CARRIED

2. Order of Business

There was no change to the order of business; however, it was noted that Item 8.3 - Audit Engagement Letter: Audit of the Consultation Document on Long-Term Plan for the period commencing 1 July 2024 – has been withdrawn from the agenda.

3. Declaration of Conflicts of Interest

Bruce Robertson, Independent Member, declared an interest that, as the Independent Member for Tauranga City Council’s (TCC) Strategy, Finance and Risk Committee, he had been engaged to undertake some work for TCC around the development of Tauriko West which would involve a level of consenting with Bay of Plenty Regional Council Toi Moana (BOPRC). Whilst this conflict was not an issue for this agenda, this Committee needed to be mindful of this conflict going forward.

4. Minutes

Minutes to be Confirmed

4.1

Risk and Assurance Committee Minutes - 5 October 2023

Resolved

That the Risk and Assurance Committee:

Confirms the Risk and Assurance Committee Minutes - 5 October 2023 as a true and correct record, subject to the following amendment:

· Item 3.3 – Progress update on the Draft Annual Report for the year ended 30 June 2023 – third bullet point under In Response to Questions, PPS was incorrectly recorded as price per share, this should read perpetual preference shares.

von Dadelszen/White

CARRIED

5. Reports

5.1

Chairperson's Report

Presented by: Mat Taylor – General Manager, Corporate

Key Points

· Noted that the March 2024 – September 2024 work programme may be amended as/if required to address any new government directives.

In Response to Questions

· Requested that a report on BOPRC’s employment practices and associated risks be included in the work programme. A report on this would be considered for a future meeting of this Committee.

9.37am - Cr Nees entered the meeting (via Zoom)

· Discussion occurred on the review of BOPRC’s risk register and when this was likely to occur in the work programme, particularly in view of the risks being identified through the long term plan (LTP) process. The draft LTP and consultation document would be presented to Council at its public meeting on 14 December 2023 for adoption for audit. A risk workshop would then be held to consider BOPRC’s risk register, including the risks that flowed from the delivery of the LTP objectives. This workshop was scheduled for March 2024.

· The scope of how the risks associated with BOPRC’s operational expenditure may be considered by this Committee, would be brought back to the March 2024 meeting, with a view for this to be to discussed, if approved, at the June 2024 meeting following completion of LTP deliberations when the operational expenditure totals would be known.

Resolved

That the Risk and Assurance Committee:

1 Receives the report, Chairperson's Report.

Crosby/Robertson

CARRIED

5.2

Assessment of Bay of Plenty Regional Council's practice in relation to the Ombudsman's "Open for Business" report on the use of workshops

Presented by: Steve Groom – Governance Manager

Key Points

· Provided a brief overview of the Ombudsman’s report.

· 25 ‘expectations’ had resulted from the investigation. BOPRC was currently in full alignment with 16, partially aligned with a further five, and not aligned with four.

In Response to Questions

· Mechanisms were already in place through Standing Orders to note divisions/abstentions when voting. If recording individual votes for every item was made compulsory, this would require an amendment to Standing Orders.

Key Points - Members

· The recording of individual elected members votes for every item was not supported.

Resolved

That the Risk and Assurance Committee:

1 Receives the report, Assessment of Bay of Plenty Regional Council's practice in relation to the Ombudsman's "Open for Business" report on the use of workshops;

2 Endorses the actions identified in section 2.2 of this paper for internal implementation; and

3 Endorses the preparation of a paper for consideration by full Council in February 2024, seeking Council’s endorsement of the proposed ‘Council-owned actions’ in section 2.2 of this paper.

Crosby/White

CARRIED

5.3

Artificial Intelligence Update

Presentation: Artificial Intelligence (AI): Objective ID A4559468

Presented by: Evaleigh Rautjoki-Williams - Digital Manager (Chief Digital Officer)

Key Points

· Provided examples of how BOPRC staff were using artificial intelligence (AI) in everyday work.

· Provided a demonstration of Microsoft Bing Chat. This platform was being promoted for staff to use. Bing Chat was a secure generative AI platform that followed ethical guidelines and protected the organisation’s data. It was part of the organisation’s existing Microsoft licence agreement so did not come at an extra cost.

· Bing Chat would be used for publicly available information only.

· Demonstrated how AI could be used to change the way BOPRC worked and provide real efficiencies, using water meter photos and consent submissions for notifiable consents as examples.

In Response to Questions

· The Bing Chat product protected the organisation’s information i.e. did not save the information and use it to train the AI, whereas other tools e.g. Chat GPT, captured information and stored it within their system.

· A privacy assessment had been undertaken for Bing Chat to ensure it was secure for BOPRC use.

· Acknowledged that this was still an emerging learning space, both for opportunities and risks. Staff were continually monitoring the best practice advice via BOPRC’s vendors as well as other government agencies, and were working collaboratively to share information and how risks were being addressed.

· A staff network had been established to explore emerging AI opportunities and maintain guidelines according to those emerging opportunities. BOPRC would continue to ensure staff had the support they needed to ensure they could utilise these tools safely.

· It was expected that some submissions to BOPRC’s LTP would be generated using an AI tool.

· It was hoped that the use of AI tools would alleviate some of the work pressure on staff working though submissions and other administrative heavy processes.

· Staff effort/time/cost invested in AI had been integrated into business as usual.

· Bing Chat had different settings which could be applied; however, it was recommended that generated content was reviewed to ensure that the information was correct and read as required.

Key Points - Members

· Suggested an update be provided in 12 - 18 months time to track how AI was advancing within the organisation.

Resolved

That the Risk and Assurance Committee:

1 Receives the report, Artificial Intelligence Update.

von Dadelszen/White

CARRIED

5.4

Rates Risk Report - Implementation of the Rates Assessment and Collection Process

Presented by: Jo Pellew – Rates Manager

Annabel Taylor – Manager, Special Projects

In Response to Questions

· The spike in customer queries and long wait times in the first year of rates collection was only for a short period of time (two to three days) and was management quickly – 1,100 queries reduced to 100 within four days. Response times had been much quicker this year.

Resolved

That the Risk and Assurance Committee:

1 Receives the report, Rates Risk Report - Implementation of the Rates Assessment and Collection Process.

Crosby/Winters

CARRIED

5.5

Internal Audit Status Update

Presented by: Aaron Huggins – Principal Internal Auditor

In Response to Questions

· The internal audit programme was currently on track. The programme could be fluid at times and flexibility was needed.

· Currently, there were no particular roadblocks to closing out management actions but this was dependent on the workload of the team responsible and the complexity of the audit actions. Progress/slippage would be reported in status updates going forward.

· The risk management review was a long term project and was currently in progress. This review was an improvement recommendations only project, not an audit.

Resolved

That the Risk and Assurance Committee:

1 Receives the report, Internal Audit Status Update.

Crosby/von Dadelszen

CARRIED

6. Public Excluded Section

Resolved

Resolution to exclude the public

1 Excludes the public from the following parts of the proceedings of this meeting as set out below:

Item No.	Subject of each matter to be considered	Reason for passing this resolution in relation to each matter	Grounds under Section 48(1) for the passing of this resolution	When the item can be released into the public
3.1	Public Excluded Risk and Assurance Committee Minutes - 5 October 2023	As noted in the relevant Minutes.	As noted in the relevant Minutes.	To remain in public excluded.
3.2	Completed Internal Audit Reviews & Overdue Actions Update	Withholding the information is necessary to protect information which is subject to an obligation of confidence or which any person has been or could be compelled to provide under the authority of any enactment, where the making available of the information would be likely to prejudice the supply of similar information, or information from the same source, and it is in the public interest that such information should continue to be supplied.	48(1)(a)(i) Section 7 (2)(c)(i).	On the Chief Executive's approval.
3.3	Key Risk Register	Withholding the information is necessary to prevent the disclosure or use of official information for improper gain or improper advantage.	48(1)(a)(i) Section 7 (2)(j).	On the Chief Executive's approval.
3.4	Flood Implications Work Programme	Withholding the information is necessary to maintain legal professional privilege.	48(1)(a)(i) Section 7 (2)(g).	To remain in public excluded.

Robertson/Scott

CARRIED

10.35am – the meeting adjourned.

11.00am – the meeting reconvened in Public Excluded.

11.40am – the meeting closed.

Confirmed

Cr Stuart Crosby

Chairperson, Risk and Assurance Committee



Report To:	Risk and Assurance Committee
Meeting Date:	6 March 2024
Report Writer:	Mat Taylor, General Manager, Corporate
Report Authoriser:	Mat Taylor, General Manager, Corporate
Purpose:	Update on Risk and Assurance Committee Activities

Chairperson's Report

Executive Summary

This report provides the Committee with an update on Risk and Assurance Committee activities.

Recommendations

That the Risk and Assurance Committee:

1 Receives the report, Chairperson's Report.

1. Introduction

The report shows an updated Risk and Assurance Work Programme for the year ahead, and an updated Risk and Assurance Completed Work Programme.

1.1 Alignment with Strategic Framework

The Way We Work

We continually seek opportunities to innovate and improve.

1.1.1 Community Well-beings Assessment

Dominant Well-Beings Affected

¨ Environmental

¨ Cultural

¨ Social

þ Economic

2. Risk and Assurance Work Programme

Attachment 1 shows the Risk and Assurance Work Programme for 2024. This Work Programme sets out the planned and scheduled reporting to the Risk and Assurance Committee.

The attachment is categorised to identify the broad areas of responsibility for the Committee. Other items may be added by councillors and staff should this be required to respond to issues as they occur throughout the year.

3. Risk and Assurance Completed Work Programme

Attachment 2 shows the Risk and Assurance Completed Work Programme for the 2023 year.

4. Considerations

4.1 Risks and Mitigations

There are no significant risks associated with this matter/subject/project/initiative.

4.2 Climate Change

The matters addressed in this report are of a procedural nature and there is no need to consider climate change impacts.

4.3 Implications for Māori

There are no implications for Māori.

4.4 Financial Implications

This work is being undertaken within the current budget for the Governance Activity of the Long-Term Plan 2021 – 2031.

Attachments

Attachment 1 - Risk and Assurance Work Programme June 2024 - December 2024 ⇩

Attachment 2 - Risk and Assurance Completed Work Programme March 2023 to December 2023 ⇩



Report To:	Risk and Assurance Committee
Meeting Date:	6 March 2024
Report Writer:	Nolene Naude, Financial Accounting Team Lead and Kumaren Perumal, Chief Financial Officer
Report Authoriser:	Mat Taylor, General Manager, Corporate
Purpose:	For the Risk and Assurance Committee to receive the Audit Engagement Letter for the Consultation Document and 2024 – 2034 Long-Term Plan.

External Audit Engagement Letter: Audit of the Consultation Document and 2024 - 2034 Long-Term Plan

Executive Summary

The purpose of this report is to provide the Committee an overview of the key elements of Audit New Zealand’s (Audit NZ) Engagement Letter for the audit of the Bay of Plenty Regional Council’s Consultation Document and 2024 – 2034 Long-Term Plan.

Recommendations

That the Risk and Assurance Committee:

1 Receives the report, External Audit Engagement Letter: Audit of the Consultation Document and 2024 - 2034 Long-Term Plan.

1. Introduction

The Audit Engagement Letter outlines the terms of the audit engagement, the respective responsibilities of Council and the Appointed Auditor, the audit scope and objectives, the audit approach and areas of audit emphasis, logistics and costs. The Engagement Letter confirms Audit NZ as Council’s appointed audit service provider for the audit of the Consultation Document and 2024-2034 Long-Term Plan.

1.1 Legislative Framework

The Local Government Act 2002 requires Council to prepare a Long Term Plan every three years that describes the community outcomes for the region and setting out its priorities over the next 10 years.

1.2 Alignment with Strategic Framework

The Way We Work

We deliver value to our ratepayers and our customers.

1.2.1 Community Well-beings Assessment

Dominant Well-Beings Affected

þ Environmental

þ Cultural

þ Social

þ Economic

The audit undertaken by Audit NZ places focus on Council’s financial and non-financial plans over the next 10 years and promotes all four aspects of community well-being.

2. Audit Engagement Letter

2.1 Audit focus

Audit New Zealand has identified the following areas of audit emphasis:

· Financial strategy and infrastructure strategy;

· Assumptions (with specific focus on climate change assumption); and

· Quality of asset-related forecasting information.

2.2 Audit timing

The key dates in the audit timetable are:

Description	Date
Audit opinion on consultation document required	28 February 2024
Finalised Report to Council on consultation document engagement	19 March 2024
LTP audit begins	4 June 2024
Verbal audit clearance on the LTP	18 June 2024
Audit opinion on adopted LTP	26 June 2024
Finalised Report to Council on LTP	17 July 2024

3. Considerations

3.1 Risks and Mitigations

There are no significant risks associated with this matter.

3.2 Climate Change

The matters addressed in this report are of a procedural nature and there is no need to consider climate change impacts.

3.3 Implications for Māori

There are no direct implications for Māori arising as a result of this report.

3.4 Community Engagement

Engagement with the community is not required as the recommended proposal / decision relates to internal Council matters only.

3.5 Financial Implications

There are no material unbudgeted financial implications and this fits within the allocated budget.

4. Next Steps

The audit of the Long-Term plan will commence in May and staff will continue to work closely with Audit NZ to enable Council to adopt the 2024-2034 Long Term Plan in June 2024.

Attachments

Attachment 1 - BOPRC LTP (2024-2034) - Audit Engagement Letter ⇩



Report To:	Risk and Assurance Committee
Meeting Date:	6 March 2024
Report Writer:	Nolene Naude, Financial Accounting Team Lead and Kumaren Perumal, Chief Financial Officer
Report Authoriser:	Mat Taylor, General Manager, Corporate
Purpose:	For the Risk and Assurance Committee to receive the Audit Plan for the year ending 30 June 2024

External Audit Plan 2023/24

Executive Summary

The purpose of this report is to provide the Committee an overview of the key elements of Audit New Zealand’s (Audit NZ) proposed Audit Plan for the year ending 30 June 2024.

Leon Pieterse (Audit Director) and Warren Goslett (Audit Manager) will attend the Committee meeting to present the Audit Plan and respond to questions from the Committee.

Recommendations

That the Risk and Assurance Committee:

1 Receives the report, External Audit Plan 2023/24.

1. Introduction

The Audit Plan sets out the audit arrangements and discusses the audit risks, issues, audit process, reporting protocols and audit logistics specifically for the year ending 30 June 2024.

1.1 Legislative Framework

The audit of the Bay of Plenty Regional Council is carried out under Section 15 of the Public Audit Act 2001 (the Act) which states that “the Auditor General must from time to time audit the financial statements, accounts, and other information that a public entity is required to have audited.”

1.2 Alignment with Strategic Framework

The Way We Work

We deliver value to our ratepayers and our customers.

1.2.1 Community Well-beings Assessment

Dominant Well-Beings Affected

þ Environmental

þ Cultural

þ Social

þ Economic

The audit undertaken by Audit NZ places focus on Council’s financial and non-financial performance for the year ending 30 June 2024 and promotes all four aspects of community well-being.

2. Audit Plan

Audit NZ’s proposed Audit plan for the audit of the Bay of Plenty Regional Council and Group for the year ending 30 June 2024 is included as an attachment to this report.

2.1 Audit Risks and Issues

Audit NZ has identified the following risks and issues which will be reviewed and tested during the audit:

· Valuation of property, plant and equipment

· The risk of management override of internal controls

· Valuation of the Put Option

· Consolidation of group financial statements

· Recovery from significant weather events

2.2 Group Audit

Audit NZ’s audit approach is to ensure they have sufficient information to issue an opinion on the Council Group, which comprises Council (parent), the Quayside Group and Toi Moana Trust.

The audit plan discusses the areas of focus relating to the audit of the Council Group as a whole.

2.3 Materiality

In performing their audit, Audit NZ will apply the following materiality settings:

Parent Financial Statements Materiality

· Overall materiality $50.5 million

· Specific materiality $9.45 million

· Clearly trivial threshold $472,000

Audit NZ has also identified several measures as material and assessed materiality for planning purposes.

Group Financial Statements Materiality

· Overall materiality $247 million

· Specific materiality $12 million

· Clearly trivial threshold $600,000

2.4 Timetable

In performing their audit, Audit NZ will apply the following materiality settings:

The key dates relating to the 2023/24 external audit are summarised in the table below.

Description	Date
Interim audit in progress	8 July 2024
Final interim report to Councillors issued	9 August 2024
Final audit commences	9 September 2024
Verbal audit clearance	15 October 2024
Audit opinion issued	23 October 2024
Final detailed Report to Council issued	22 November 2024

3. Considerations

3.1 Risks and Mitigations

There are no significant risks associated with the Audit NZ‘s audit plan.

3.2 Climate Change

The matters addressed in this report are of a procedural nature and there is no need to consider climate change impacts.

3.3 Implications for Māori

There are no direct implications for Māori arising as a result of this report.

3.4 Community Engagement

Engagement with the community is not required as the recommended proposal / decision relates to internal Council matters only.

3.5 Financial Implications

There are no material unbudgeted financial implications and this fits within the allocated budget.

4. Next Steps

Staff will begin preparations for the final audit for the year ending 30 June 2024. This will include preparation of year-end guidance for the Council Group.

Attachments

Attachment 1 - BOPRC Audit Plan 2024 ⇩



Report To:	Risk and Assurance Committee
Meeting Date:	6 March 2024
Report Writer:	Aaron Huggins, Principal Internal Auditor
Report Authoriser:	Mat Taylor, General Manager, Corporate
Purpose:	To provide an update on the internal audit programme and the audit plan.

Internal Audit Status Update

Executive Summary

This report provides an update on the status of internal audit activities as at 31 December 2023 and includes:

· The status of internal audit reviews in the current year;

· The status of follow up of internal audit recommendations and management actions to 31 December 2023;

· A summary of overdue management actions, arising from previously completed internal audits.

Recommendations

That the Risk and Assurance Committee:

1 Receives the report, Internal Audit Status Update.

1. Introduction

This report provides an update on internal audit activity undertaken by internal audit staff and external assurance specialists as part of Bay of Plenty Regional Council’s co-sourced internal audit approach. It includes:

· The status of internal audit reviews in the current year;

· The status of follow up of internal audit recommendations and management actions to 31 December 2023;

· A summary of overdue management actions, arising from previously completed internal audits.

1.1 Alignment with Strategic Framework

The Way We Work

We continually seek opportunities to innovate and improve.

2. Internal Audit Work Plan 2023/24 Status

Based on the Internal Audit Work Plan 2023/24 the following table summarises the status of internal audit reviews for 2023/24.

Review	Field work	GM Sponsor	Status	Status of Internal Audit
Review	Field work	GM Sponsor	Status	Planning /Scope	Fieldwork	Draft Report	Mgmt Actions	Final Report
CDEM Administering Authority (2022/23)	BOPRC	Regulatory Services	In Progress	Complete	In Progress (75%)
External partner project management	BOPRC	Chief Executive	In Progress	In Progress (75%)
Focus Catchments	BOPRC	Integrated Catchments	In Progress	Complete
Forecasting & budgeting	BOPRC	Corporate	In Progress	In Progress (75%)
Freshwater management key risk mitigations	BOPRC	Strategy & Science	On Hold
Health & Safety	External	Corporate	In Progress	Complete
Procurement	BOPRC	Corporate	In Progress	Complete
Science management framework	BOPRC	Strategy & Science	In Progress	In Progress (90%)
Sensitive expenditure	BOPRC	Corporate	In Progress	In Progress (90%)

The CDEM Administering Authority review remains outstanding from the 2022/23 Internal Audit Work Plan; this is expected to be completed by the next RAC meeting.

The ‘Freshwater management key risk mitigations’ audit has been placed on hold, due to the uncertainty currently present in this space.

Focus for the quarter has been scoping the audits on the 2023/24 Internal Audit Work Plan.

With the audit scoping process largely completed, focus will shift to audit delivery. This includes appointing an appropriate co-source delivery partner for the Health & Safety review. In addition, the Forecasting & Budgeting review may also be delivered via a co-source partner. Internal Audit remains confident the Internal Audit Work Plan can be delivered on schedule.

Internal audit continues to provide internal assurance and advice to BOPRC teams as required.

3. Internal Audit Follow Up

3.1 Management actions

Internal Audit has reviewed all open management actions as part of the follow up work in the 2023/24 Work Plan.

The following graph highlights the progress made within BOPRC to address open audit actions during the first quarter of the 2023/24 financial year:

Figure 1 Open management actions (1 October 2023 vs 31 December 2023)

The total of actions open as at 31 December 2023 is 58, the majority of these relate to ICT Security (20), RPMP (13), Project Management (7), and BCP (6).

Except for three overdue actions, all actions are proceeding within agreed completion timeframes. A summary of the overdue open management actions is presented in section 4 of this report.

3.2 Improvement actions

At the start of the quarter (1 October 2023) there were 14 open improvement actions (12 Risk Management, and 2 Lab Benefits Realisation); these remained open at the end of the quarter.

The following graph highlights the progress made within BOPRC to address open improvement opportunity actions during the second quarter of the 2023/24 financial year:

Figure 2 Open improvement actions (1 October 2023 vs 31 December 2023)

Improvement actions relate to efficiency/effectiveness gains that typically require longer timeframes to implement; the open improvement actions are within completion timeframes.

4. Overdue management actions

4.1 Progress update

As at 31 December 2023, three management actions are overdue for completion. A summary is presented in Table 1 below:

#	Finding	Due date	Current status
Fraud Risk Assessment (2020/21)
4.1	Separation of duties in Purchase Orders	31/03/22	Project in progress; expected go-live June 2024.
Gravel Extraction (2020/21)
4.1	Regional Gravel Management Plan (RPMP)	30/06/22	Review currently underway; ties to LTP fee update.
ICT Security (2021/22)
2.1	Cryptography	30/11/23	Action plan drafted; cost effective key management systems currently being evaluated.

5. Considerations

5.1 Risks and Mitigations

There are no significant risks associated with this matter/subject/project/initiative.

5.2 Climate Change

The matters addressed in this report are of a procedural nature and there is no need to consider climate change impacts.

5.3 Implications for Māori

No implications identified – matters are of a procedural nature only.

5.4 Community Engagement

Engagement with the community is not required as the recommended proposal / decision [relates to internal Council matters only].

5.5 Financial Implications

There are no material unbudgeted financial implications and this fits within the allocated budget.

6. Next Steps

To note the Internal Audit Status Update.