NEWS . LOCAL GOVERNMENT . JULY 2019

July 3, 2019

INSIDE THIS ISSUE


CYBER SECURITY


COUNCIL RECORDKEEPING


COUNCIL PROBITY ADVISORS & AUDITORS


FRAUD & CORRUPTION


BUSINESS CONTINUITY


SAFETY CULTURE


It’s easy to engage us! Centium is listed on LGP218 (Management Consulting & Internal Audit). This allows you to directly engage us based on a quote.


CYBER SECURITY

WILL YOU MAKE THE 31 AUGUST DEADLINE?

Councils process, store and transact a significant amount of “sensitive” data including personally identifiable information, commercially sensitive information and even identifiable health records. These records can be in all formats including electronic, hardcopy and in other forms, such as video. These records may be stored onsite on Council systems or hosted in the cloud. Irrespective of the format of the record, or where it’s stored, it could be susceptible to cyber risk.

Council cyber risk can increase when using innovative solutions such as “Internet of Things” (e.g. Internet connected devices such as sensors), SCADA/IACS systems (e.g. managing water or sewer facilities), community safety facilities (e.g. CCTV cameras), and Building Management Systems (e.g. access control systems, and fire systems).

Centium has had the pleasure of working with Councils for over three decades. Over that time, we’ve helped Councils to understand their current exposure and to apply practical, risk-considered mitigations.

Here are some of the ways we can help you:

  • Conducting a “fresh eyes” assessment or your Council’s cyber security exposure and defences;
  • Running vulnerability scans and penetration tests against your Council’s networks and systems;
  • Helping design controls to improve your Council’s cyber defences and capabilities;
  • Reviewing, preparing and testing Cyber Incident Response Plans for your Council (including Data Breach Notification Procedures);
  • Reviewing and testing your Council’s backup and DR capabilities to ensure records can be recovered within acceptable timeframes;
  • Assessing how susceptible your Council is to data leaks;
  • Reviewing the appropriateness of access assignments to your Council’s systems and identifying possible segregation of duties concerns;
  • Testing your staff’s susceptibility to phishing attacks;
  • Helping specify and design security controls as part of systems development projects or acquisitions;
  • Helping specify contract clauses before entering into a cloud service agreement;
  • Conducting specialist reviews of Tech-1 and Civica ERP systems;
  • Training Council staff and Councillors regarding good cyber security practices;
  • Conducting forensic analysis and investigations following a data or cyber breach;
  • Assisting with disciplinary action, insurance recovery and/or litigation support.

Contact us to find out how Centium can help your Council to assess its cyber security exposure and improve its defences.


COUNCIL RECORDKEEPING

EFFICIENCY GAINS THROUGH GOOD RECORDKEEPING

Councils are obliged to comply with the State Records Act 1998 and the State Records Regulation 1999 including parts 2, 4 and 6 (records management, transfer of control and public access provisions) and parts 3 and 5 (disposal and estray provisions). Councils are also required to comply with General Authority GA39. These apply not just to Council staff, but to Councillors as well.

But apart from just the compliance aspect, good records management and associated workflows can help Councils gain efficiencies in their day to day operations.

Many Councils use distributed recordkeeping systems. They may have an official EDRMS (such as HP-RM/TRIM or Objective), but they also use other business systems to store records. These include things like email systems, property and rating systems, HR and finance systems, DA lodgment and tracking systems, asset management systems, payment systems, cadastral/GIS systems and more. If they are to be used as recordkeeping systems, they should include certain capabilities to ensure that records can be easily identified, secured, retrieved and sentenced, and that their integrity remains intact throughout their retention periods. They also need to offer various metadata capabilities, hence the reason why file servers can’t necessarily be considered official recordkeeping systems.

Don’t forget that social media records too can sometimes be considered official records. There are particular standards concerning the storage, retention and sentencing of social media records.

Centium has worked with many Councils over the decades and has helped in the following ways:

  • Conducting a “fresh eyes” assessment or your Council’s recordkeeping practices against the State Records Act, GA39 and relevant SARA standard
  • Reviewing your Council’s recordkeeping systems;
  • Reviewing specific workflows, such as a DA assessment process, to identify recordkeeping inefficiencies and to help design improvements such as automated workflows and easy access to records;
  • Conducting a detailed review of records access assignments to identify potential segregation of duties issues;
  • Reviewing and testing your Council’s backup and DR capabilities to ensure records can be recovered within acceptable timeframes;
  • Helping specify recordkeeping requirements as part of system development projects or acquisitions;
  • Training Council staff and Councillors regarding good recordkeeping practices

To find out more about how Centium can assist you meet your records management obligations and gain efficiencies, please contact a Centium Practice Lead for an informal chat.

COUNCIL PROBITY ADVISORS & AUDITORS

LEARNINGS FROM THE NSWAO ON THE  MANGAGEMENT OF PROBITY ADVISORS

The NSW Audit Office assessed whether the state’s 40 largest procurers of probity services complied with the requirements of PBD 2013-05 “Engagement of Probity Advisers and Probity Auditors” and whether they ensured value for money from the use of probity practitioners.

The audit found that agencies tend to rely on only a limited number of probity service providers, sometimes using them on a continuous basis, which may threaten the actual or perceived independence of probity practitioners. The audit also found that agencies do not have effective processes to ensure value for money.

Although this audit focused primarily on state government agencies, the report includes many learnings that can be applied by Councils too.

'PBD-2013-05 Engagement of probity advisers and probity auditors' sets out the requirements for NSW Government agencies' use and engagement of probity practitioners. It confirms agencies should routinely take into account probity considerations in their procurement. The Direction also specifies that NSW Government agencies can use probity advisers and probity auditors (probity practitioners) when making decisions on procuring and disposing of assets. One of the key messages it conveys is that agencies should not engage the same probity practitioner on an ongoing basis, and ensure the relationship remains robustly independent.

Within this context, the NSWAO assessed whether sampled agencies:

  • complied with the requirements of ‘PBD-2013-05 Engagement of Probity Advisers and Probity Auditors’
  • effectively ensured they achieved value for money when they used probity practitioners.

Audit Findings

In summary, the NSWAO found instances where each of the participating agencies had not fully complied with the requirements of the NSW Procurement Board Direction ‘PBD-2013-05 Engagement of Probity Advisers and Probity Auditors’ when they engaged probity practitioners. They also found they did not have effective processes to achieve compliance or assure the engagements achieved value for money.

In the sample of engagements selected, they found instances where the participating agencies did not always:

  • document detailed terms of reference
  • ensure the practitioner was sufficiently independent
  • manage probity practitioners' independence and conflict of interest issues transparently
  • provide practitioners with full access to records, people and meetings
  • establish independent reporting lines - reporting was limited to project managers
  • evaluate whether value for money was achieved.

They also found that agencies tend to rely on only a limited number of probity service providers, sometimes using them on a continuous basis, which may threaten the actual or perceived independence of probity practitioners.

Like the NSW Audit Office, we encourage agencies and Councils to regularly cycle their probity advisors and auditors so as to avoid an actual or perceived independence issue. Centium has a very highly regarded team of probity advisors and auditors and we’d be very happy to chat with you about how we can assist with your probity needs. Our team members have held senior positions within some of NSW’s largest Councils and have decades of knowledge to share. To find out more, please contact our Director Ethical Conduct & Investigations, Roy Cottam.


FRAUD & CORRUPTION

ICAC REPORT ON CORRUPTION TRENDS ACROSS NSW

The ICAC released a report earlier this year covering modern factors that contribute to corruption and other serious forms of misconduct. It also highlights emerging trends, hotspots, case studies and notable practices that have been brought to the Commission’s attention.

The report provides a wealth of case studies, lessons learnt and better practice tips. It focusses on whole of government trends; incentives, cues and motivations; speaking up; conflicts of interest; undue influence on decision makers; HR matters; procurement and contract management; regulation and accreditation; as well as a section relating to non-government organisations. Whilst the report is state government focused, Councils can benefit from the learnings.

The full ICAC report can be found here:

Appendix 2 in particular is particularly useful as it sets out various systemic issue categories applying to:

  • Individuals
  • Business units and organisations
  • Organisational processes

The Victorian Auditor-General’s recently published audit report of VIC Councils’ fraud and corruption controls also provides some valuable learnings for NSW Councils. This audit primarily focused on expenditure and processes involving senior council staff and councillors and reviewed fraud and corruption controls and measures relating to: credit card and fuel card use; reimbursements; identifying and managing conflicts of interest; and responding to suspected incidents of fraud and corruption.

Centium has over three decades worth of practical experience helping Councils enhance their fraud and corruption prevention and detection controls. Our specialist Ethical Conduct & Investigations team members have held high profile operational positions including Heads of Governance & Risk, Certified Fraud Examiners, Certified Anti-Money Laundering Specialists, Principal Auditors and Chief Investigators at some of NSW’s largest Councils.

Some of the ways in which we have helped our Council clients improve fraud and corruption controls include:

  • Conducting a “fresh eyes” gap assessment against the ICAC’s recommendations and systemic issue categories;
  • Reviewing your Council’s existing fraud and corruption prevention framework;
  • Conducting a focussed fraud and corruption risk assessment across your Council;
  • Helping design and implement specific fraud and corruption prevention and detection controls;
  • Conducting a detailed review of systems access assignments to identify potential segregation of duties conflicts;
  • Designing bespoke data analytics tools to help identify potential fraudulent transactions;
  • Delivering bespoke fraud and corruption training for Council staff and Councillors;
  • Reviewing and enhancing your Council’s Code of Conduct and retraining staff;
  • Conducting specialist investigations;
  • Assisting with disciplinary action, insurance recovery and/or litigation support.

To find out more, please contact our Director Ethical Conduct & Investigations, Roy Cottam

BUSINESS CONTINUITY

CAN YOU SLEEP AT NIGHT KNOWING THAT ALL WILL BE FINE?

Many NSW Councils already have elements of business continuity plans and associated IT recovery plans. These form part of overall organisational resilience and good risk management.

But how confident are you that your plans are up to date and that the right people know what to do? When was the last time your plan was updated and tested?

Centium has been assisting NSW Councils to enhance and test their business continuity plans, IT recovery plans and overall emergency response plans for decades. We apply practical learnings and better practices from having worked with nearly all Councils over time.

Here are some ways in which we’ve worked with our local government clients in the recent past:

  • Conducting a “fresh eyes” review of existing Business Continuity Plans, IT (Disaster) Recovery Plans, and Emergency Response Plans
  • Refreshing your Business Impact Assessment (which should be reviewed and updated at least every year) to identify changes in your key business processes, critical ICT systems, vital records, Maximum Acceptable Outages, Recovery Point Objectives and continuity risks
  • Updating and unifying Business Continuity Plans, IT (Disaster) Recovery Plans, and Emergency Response Plans
  • Conducting exercises/tests of your Business Continuity Plans, IT (Disaster) Recovery Plans, and Emergency Response Plans
  • Training Council staff to make sure they understand their roles and obligations during a disruptive event or emergency
  • Reviewing, updating and testing Cyber Security Incident Response Plans and Data Breach Response Plans

Contact us to find out more about how we can help your Council with its business continuity and resilience efforts.

SAFETY CULTURE

YOU HAVE A WHS MANAGEMENT SYSTEM, BUT HOW MATURE IS YOUR SAFETY CULTURE?

Most NSW Councils have mature Work Health & Safety (WHS) Management Systems consisting of policies, procedures, Safe Work Method Statements and other elements.

While these are very important, WHS really takes a life of its own when accountability is given to staff and a safety culture is fostered. This approach not only reduces injuries but changes the attitude of staff to workplace safety.

Centium has developed a Safety Culture Methodology and Maturity Model to measure and enhancing safety culture across an agency. It includes nine broad behaviours, or culture actions, that we consider essential to the development of a positive safety culture: Leadership; Communication; Organisational goals and values; Supportive environment; Responsibility; Learning; Trust in people and systems; Resilience; and Engagement.

Click here to find out more about safety culture and how Centium can help measure and improve safety culture across your Council.

Centium has already helped various Councils to baseline their safety culture and to help implement practices to improve capability.

Here are some of the ways in which we can help you:

  • Taking a baseline measure of your Council’s safety culture (to allow comparative measures over time);
  • Conducting a “fresh eyes” review of existing WHS management systems and safety culture;
  • Refreshing your WHS hazard and risk assessments;
  • Training Council staff to make sure they understand their roles and obligations regarding safe work practices;
  • Helping design, implement and measure controls to help enhance your Council’s safety culture.

Contact us to find out more about how we can help your Council to measure and enhance its safety culture and WHS practices.


Our Clients

Top