Board Agenda 10 August 2017

Board Agenda Item 7.3

Audit and Risk Committee Chair’s Report

Meeting: 10 August 2017

1 MEETING

The most recent meeting of the Audit and Risk Committee (ARC) was held in Sydney on Thursday 3 August 2017. The agenda covered a wide spectrum of items and in many respects marked a number of milestones in the Agency’s audit and risk development. Given the extent of the agenda, this report is lengthier than usual. We acknowledge the significant progress made by the management team in developing the finance and risk functions; whilst there remains much to do to reach a mature level, acknowledgment of progress is appropriate.

2 ITEMS OF BUSINESS

The Committee considered the following:

• The Agency’s Risk Management Strategy, Policy and Framework;
• The Agency’s Risk Management Plan;
• Risk Reporting;
• The Agency’s Fraud Risk Assessment and the draft Fraud Control Plan;
• Progress and priorities in the development of the Agency’s Finance Function;
• A number of the Agency’s draft accounting policy statements;
• The Agency’s draft Strategic Internal Audit Plan;
• The Agency’s Internal Audit Charter;
• A report on Internal Audits completed to date;
• An update from the Australian National Audit Office which included their draft Interim Management Letter;
• A Finance Report;
• An overview of the Agency’s achievements in the first year of operation;
• An update on the progress against the 2016/17 Work Plan as at 30 June; and
• An update on the Board and Advisory Committee calendar for 2018.

With regard to the agenda items we report as follows:

The Agency’s Risk Management Strategy, Policy and Framework

An overarching comprehensive risk management framework has been finalised which, amongst other things, reflects the risk appetite set by the Board. Management has confirmed that the RMSPF complies with relevant regulations. Following input and discussion with management, it is endorsed by the ARC and is recommended to the Board for adoption. It is recommended, as part of an ongoing programme of improvement, that an overarching risk appetite statement be developed to help convey the Agency’s strategic risk intent.

The Agency’s Risk Management Plan

A toolkit has been developed to aid the roll out of the RMSP, which encompasses migrating existing risks and new risks, incorporates a communication plan and includes training/awareness plans. Clearly the ultimate success will reside in the executive team embracing risk both for protecting the Agency and in delivering on strategic opportunities, i.e. embracing the development of a risk culture. We understand risk is being embedded in executive meetings and throughout the organisation. It is planned that the ARC will monitor the implementation.

Risk Reporting

Draft Risk Reports were tabled and discussed, including the nature and type of risk information that should be included. The reports are being designed to reflect the Agency’s effectiveness in managing risk and to provide appropriate information, particularly on major risks. It is expected that these will develop as the risk function matures. A number of suggestions were made and accepted to improve reporting. Reporting will include risk management prioritisation, incident analysis, strategic risk improvement initiatives, and emerging risks. Formal reporting will be on a quarterly basis.

Fraud Risk Assessment and the draft Fraud Control Plan

A fraud risk assessment has been undertaken by management using the new RMSPF. The results of this assessment were used to inform the new Fraud Control Plan. The review found weaknesses in fraud mitigation and control architecture. The draft plan responds to those findings, and progress on the implementation of the strategies designed to improve the overall fraud control environment will be monitored by ARC. The ARC discussed the draft plan, noted the findings of the review and the proposed responses to the identified weaknesses.

Progress and priorities in the development of the Agency’s Finance Function

The ARC discussed progress in both prioritising the recommendations in the EY finance assessment report that was delivered in April 2017 and adopted by the management team, and the progress with their implementation. Considerable progress has been made in many areas, including improvements in the speed of month end reporting, budget control frameworks, and reporting. Internal audits of financial reporting and shared services have also been conducted. The ARC noted and was pleased with progress, including the onboarding of additional capabilities into the function. There is much more to be done but progress to date has been very encouraging.

The Agency’s draft Accounting Policy Statements

The ARC discussed and noted a number of new accounting policies for the Agency. The policies considered were:

• Capitalisation of Assets;
• Consultants and Contractors;
• Debtors;
• Financial Instruments;
• Indemnities, Guarantees & Warranties;
• Prepayments;
• Reserves; and
• Revenue.

The policies will be adopted for the financial accounts for the FY17 year. At this stage they have not been reviewed by the external auditors.

The Agency’s draft Strategic Internal Audit Plan and Audit Charter

The ARC considered and approved the Agency’s Internal Audit Plan and Audit Charter. The plan was originally reviewed by the ARC in March 2017 and has been updated to incorporate the committee’s recommendations. These recommendations included a reordering of some internal review priorities.

Internal Audits completed or in progress by Axiom Associates

3 Assurance Mapping Audit – The audit identified a number of priority areas to improve the effectiveness of assurance coverage across both operational and oversight business areas, including operational risk registers, project management frameworks, the enterprise agreement and workforce plan, deficiencies in procurement and financial reporting processes, IT change management, ISM control compliance and Protective Security Policy Framework compliance. Management has acknowledged these gaps and is developing appropriate plans to manage and rectify them.

4 Finance Reporting Audit – The audit found internal financial reporting to be relatively immature but noted significant progress has been made in developing it. The audit importantly concluded that, whilst all identified issues needed to be addressed, it was not likely that they would lead to material errors in internal or external financial reporting. Management has accepted the findings and is addressing each of them.

5 ARC also reviewed the audit topics for FY2018, which include Shared Services (underway), Project Management, Procurement Controls, Business Continuity Management, Internal Budgeting, Contract Management and Cyber Security Maturity. A mid-year review of the Internal Audit plan will be performed by ARC in December 2017.

The Australian National Audit Office (ANAO) and draft Interim Management Letter

The ANAO has completed its interim audit work and presented its findings to ARC. Their assessment of the risk of material misstatement in the FY17 accounts is rated moderate. Please note that significant or moderate audit findings are reported to Parliament. No issues were identified in the interim audit work which were not known to management. Having said that, they did note there were a number of matters identified that were in the process of being finalised by management, primarily relating to finalisation of accounting policies and related procedures. The ANAO identified the following as areas of interest for the final audit:

1. Accounting for transfer of assets from NEHTA;
2. Supplier expenses and payables;
3. Employee benefits expenses and leave provisions; and
4. Financial Statements preparation – process and policies.

The ANAO also confirmed delays to its timetable for completing the final audit. Management has prepared a revised Agency plan for finalising the Accounts and the Annual Report.

Finance Report

An abridged finance report was received on the YTD 31 May 17 results. The report was abridged given the focus of the finance team on preparing for year end. The ARC noted the 31 May reports and also discussed a revised year end audited financial statements delivery timetable. The earlier reported timetable has been amended to reflect delays in the ANAO completing its audit due to issues with their scheduling, as mentioned above.

An overview of the Agency’s achievements in the first year of operation

The ARC reviewed a report on the Agency’s achievements in its first year of operations. The ARC agreed, based on the information in the report, that significant progress has been made in the year.

An update on the progress against the 2016/17 Workplan as at 30 June

The ARC reviewed progress against the 2016/17 work plan.

An update on the Board and Advisory Committee calendar for 2018

The agenda and meeting dates for 2018 were discussed and will be finalised at our next meeting.

6 MINUTES

Minutes for the meeting are being drafted for endorsement at the next meeting; once endorsed they will be published in Boardvantage. The next meeting of the Audit and Risk Committee will be a teleconference scheduled for 31 August to discuss the Agency’s 2016-17 financial statements.

CLEARED BY

Name: Keith Skinner
Position: ARC Chair
