21-26 New risk management and internal audit framework for councils and joint organisations
21-26 / 24 August 2021 / A572161
19-20 A new internal audit and risk management framework for local councils in NSW – release of discussion paper
Who should read this: General Managers / Councillors / Council governance staff / Audit, risk and improvement committee members and internal audit personnel
Council Governance / (02) 4428 4100 / email@example.com
Response to OLG
What’s new or changing
- Sections 428A and 428B of the Local Government Act 1993 (the Act) have been commenced. Under section 428A, all councils (including county councils) and joint organisations are required to have an audit, risk and improvement committee (ARIC). Councils and joint organisations are permitted under section 428B to enter into arrangements with other councils or joint organisations to share ARICs.
- Under the transitional provisions of the Act, all councils (including county councils) and joint organisations must have either appointed an ARIC or entered into an arrangement with another council or joint organisation to share an ARIC before 4 June 2022.
- The Office of Local Government (OLG) will be issuing Guidelines for Risk Management and Internal Audit for Local Councils in NSW to guide the operations of ARICs and to require councils to have a risk management framework and internal audit function to support and inform their operations.
- OLG has issued a draft of the Guidelines for a three-month consultation period. These have been developed based on the feedback received in response to OLG’s New Risk Management and Internal Audit Framework for Local Councils in NSW discussion paper issued in September 2019.
- Councils, ARIC members and internal audit practitioners are encouraged to provide comment on the draft Guidelines.
What this will mean for your council
- As of 4 June 2022, all councils (including county councils) and joint organisations must have an ARIC. As noted above, councils and joint organisations may enter into arrangements to share ARICs.
- Most councils already have an ARIC and will not need to take any further action to comply with section 428A.
- Councils or joint organisations that do not currently have an ARIC should take immediate steps to ensure they have one before 4 June 2022. This may include talking to a neighbouring council or their joint organisation about entering into an arrangement to share an ARIC.
- Under the proposed Guidelines, councils and joint organisations are not required to establish a risk management framework and internal audit function that complies with the Guidelines until 30 June 2024. However, councils and joint organisations should start taking steps to establish a risk management framework and internal audit function or to transition their existing risk management and internal audit arrangements to comply with the Guidelines.
- The proposed Guidelines set out membership requirements for ARICs. Councils and joint organisations are not required to comply with these requirements until June 2027. This will allow councils and joint organisations five years to transition the membership of their existing ARICs to comply with the new requirements.
- The proposed Guidelines are available on OLG’s website. Information about the changes to the original model proposed in the discussion paper is also available on OLG’s website.
- OLG is seeking the views of councils and others on the proposed Guidelines. Councils should inform their ARICs about the draft Guidelines to give ARIC members the opportunity to provide comment or to have input into the council’s comment on the draft Guidelines.
- Submissions may be made to firstname.lastname@example.org, labelled ‘Draft risk management and internal audit guidelines’ and marked to the attention of OLG’s Council Governance Team.
- Submissions should be made before COB 26 November 2021.
- Under section 428A of the Act, councils and joint organisations must appoint an ARIC to keep under review the following aspects of their operations:
  - risk management,
  - fraud control,
  - financial management,
  - implementation of the community strategic plan, delivery program and strategies,
  - service reviews,
  - collection of performance measurement data by the council,
  - any other matters prescribed by the regulations.
- ARICs must also provide information to councils and joint organisations for the purpose of improving their performance.
Where to go for further information