April 13, 2022, at 12:00 PM

Original link

The meeting is called to order at 12:00 PM; it being noted that the following were in remote attendance: Councillors M. van

Holst, J. Helmer, S. Turner; and L. Higgs.

1.   Disclosures of Pecuniary Interest

That it BE NOTED that no pecuniary interests were disclosed.

2.   Consent

None.

3.   Scheduled Items

None.

4.   Items for Direction

4.1   Internal Audit Follow Up Activities Update Dashboard

2022-04-13 Submission - Internal Audit Follow Up Activities Update Dashboard

That the communication from MNP, with respect to the internal audit follow up activities update dashboard, BE RECEIVED.

Motion Passed

4.2   Draft Internal Audit Plan - Overview for Audit Committee

2022-04-13 Submission - Draft Internal Audit Plan – Overview for Audit Committee

That the following actions be taken with respect to the Draft Internal Audit plan:

a)     the Internal Audit Plan from MNP dated April 13, 2022, BE APPROVED; and

b)     the communication dated April 13, 2022, from MNP, with respect to the draft internal audit plan - overview for Audit Committee, BE RECEIVED.

it being noted that Audit Plan will be revised to reflect timing of Q2 2023 for the Records Management & Retention audit.

Motion Passed

4.3   Internal Audit Charter

2022-04-13 Submission - Internal Audit Charter

That the communication from MNP, with respect to the internal audit charter, BE RECEIVED.

Motion Passed

5.   Deferred Matters/Additional Business

None.

6.   Adjournment

That the meeting BE ADJOURNED.

The meeting adjourned at 1:10 PM.

Motion Passed

Full Transcript

Transcript provided by Lillian Skinner’s London Council Archive. Note: This is an automated speech-to-text transcript and may contain errors. Speaker names are not identified.

View full transcript (1 hour, 20 minutes)

Ms. Westlake Power, could we do a sound check from Council Chambers? Very fine, can you hear me? Yes, sounds good, thank you very much.

You’re welcome. Ms. Morocco, it’s Michael Schultes. Do you know who on your team will be presenting?

Yeah, so I will be presenting my screen, but Jeff and I will be both speaking. Thank you very much. You’re welcome. Okay, I’ll just have the committee members turn on their cameras so I can see if we’ve got Quorum and ready to go, it’s like we do.

Okay, so I’m gonna call the second meeting of the audit committee to order the city of London is committed to making every effort to provide alternate formats and communication supports for council standing or advisory committee meetings and information upon request to make a request for any city service, please contact accessibility at London.ca or 519-661-2489 extension 2425. I’ll start with disclosures of pecuniary interest for any members, okay, seeing none, we don’t have any consent items, we don’t have any scheduled items, and we have three items for direction, and we’re gonna go through those, and what will happen today is we have Philip and Jeff who are going to share the screen and present the items before us today, just so colleagues are aware, item 4.1 is we’ll be receiving, item 4.2 does require approval, and then we’ll receive the communications on that, and item 4.3 is an item 4 receipt, but what we can do is start with 4.1, hand it over to our auditors, and you can take us from there. I anticipate that there’ll be some questions, so we’ll handle those kind of as each section in each section of the agenda, but we’ll start with 4.1, which is the internal audit follow-up activities, and updated dashboard. I’ll turn it over to the both of you.

Thank you very much, and good afternoon, everyone. It’s a pleasure to see you all again. So this is Jeff Rodriguez with MNP. I’ll be leading the conversation, but we’ll soon be looking to fill for support and commentary as we go throughout.

So Phil, if you’re able to share your screen, I believe the first item is the follow-up audit report in dashboard that we’ll be speaking to. So essentially what you have in front of you is one of the key artifacts that we had committed to providing as part of the internal audit outsourcing arrangement with the city. This is a foundational item that is baked into kind of all of the internal audit work that we do across the board, and it’s actually codified within the internal audit charter, which is another item that we’ll be speaking to shortly. But in terms of this particular item, what’s I would say extremely important about the nature of this item is this really speaks to the value that internal audit provides, not only in terms of the traditional audit work that we perform for the city in terms of providing audits around various areas within the plan itself, but this speaks to the continuous control monitoring and follow-up that we do as an outsourced provider and partner with the city.

So essentially what this document really outlines is it provides the internal audit function with the ability to provide a transparent means and mechanism for communication to the audit committee in terms of how well management is doing in terms of not only accepting the audit findings as they’re presented, but also committing to closing them and acting upon them in what we would call a reasonable timeframe. So with each of the internal audits that we will be providing for the city, within those you’ll be noting that we will be asking management to not only confirm the accuracy and validity of the observations and recommendations, but also committing to some timelines in terms of remediating or acting upon them. So this document in front of you, which is really just a two-page overview of what it would look like is really a template of what that follow-up report would look like. And what that essentially does is this tracks a number of items, but the three key things that it tracks is not only the management action item that was committed to by management, but also the dates in terms of when those items are due because based upon the risk ranking that we have for each individual observation, there’ll be a recommendation around the urgency in terms of closing them.

So what we typically do is we’ll say anything that is of a high risk nature, it should be closed within a zero to three month timeframe. Medium risk rated items are closed within three to six months, and then green or low risk items are closed within six to 12 months. So what this does is it really captures that commitment from management in terms of closing within that reasonable timeframe. And what we can do with this is we can report back to the audit committee, because what we’ll be doing subsequent to each audit that we conduct is we will be meeting with management to validate progress and closure against those items within that timeframe.

And what we can commit to and report to the audit committee here is have items been closed within the committed to timeframes, how many have been closed, how many remain open, how many are retargeted because we do understand that sometimes exceptions occur or things happen within the organization where prioritization around previously reported or committed to items might not necessarily be able to be completed with that original timeframe. So what we do is we highlight for the audit committee where items have been retargeted, as well as how many remain open, and we will track that on an ongoing I.E. quarterly basis around what’s being closed, what remains open, how long is it taking to close? So that way we can report to the audit committee management’s commitment and effectiveness and closing items in the recent timeframe, as well as the aging around them, because obviously if something remains open for an extended period of time, then that might warrant some further escalation, maybe some higher risk rankings around them.

But that this really provides to the audit committee that line of sight in terms of how are things being closed and are things remaining open too long, as well as the effectiveness of the closure and commitment from management. That’s my high-level overview on a follow-up report, Phil. Anything to add from your point of view before I turn over any questions or comments? No, Jeff, I think you highlighted everything just for committee members on the subsequent page.

You can kind of see that it provides that the more detailed per audit is how it would definitely be laid out. But I really just wanted to highlight or emphasize what Jeff mentioned, particularly with regards to the aging piece, it’s really an important aspect of things. And it also helps us to highlight if there is something that has been for a long period of time, do we also have to revisit that because maybe again, things have evolved or the recommendation needs to be reconsidered as it might not be, is it still relevant? Is it still hitting the needs or has the situation itself evolved?

So it’s a nice tool to let us keep things in mind, but also consider what makes the most amount of sense to drive that value for the city. And I would just close off on this with saying that this is a key artifact that’s baked within the professional standards being the Institute of Internal Auditors or the IIA’s International Professional Practices Framework, which we like to call the IPPF. This is one of the foundational items that is suggested for all internal audit functions to maintain. And that’s why we’re proposing it to the city.

Okay, thank you to you both. If you do me a favor, stop sharing your screens. I can’t see my committee members when your screen is being shared. And we’ll, I certainly want to see if there are any questions on this.

I see Ms. Higgs first, go ahead. Thank you. So through the chair to Jeff and Phillip, thanks for the presentation.

The overview, I agree, this is very helpful to have a snapshot that shows the aging. And in particular, also the number of times retargeted. So two questions for clarification. On the first chart with the retargeted column, is this going to indicate for us the number of times an item has been retargeted or just if a retargeted item exists?

And I ask that because I think it’s important for us to have awareness. If a recommendation gets retargeted five times, that’s different than if it gets retargeted one time. So that’s my first question. And the second question is on the below table with the aging.

If you can clarify, is this aging from the date of completion of the report? Or is this aging that shows when we are overdue with receiving management responses? So as an example, if management says they will action an item in 12 months, it would be reasonable to see that there are items in the 12 month plus column. But I think what we would be really interested in seeing is when the response is beyond 12 months, the original target date.

So I’ll turn it back to you. Thank you very much. And through the chair, two extremely good questions. So the first of them around the retargeting column, really what that retargeting is intending to do is not only identify for the audit committee, the new retargeted date, but also how many times it’s been retargeted.

Because you’re right, that is a critical component because we’ll have certain audit committees saying, this particular item has been retargeted three to four times. I’m starting to get concerned here. Is there something that we can do to accelerate that? So it will highlight for you both of those items.

And with respect to the second question, that you’re absolutely correct. So that aging really is the aging around how much time has elapsed since it was previously committed to being closed. So if it’s closed within the original committed timeframe, then obviously it doesn’t show up in the aging because it was still within that original milestone. But the aging is really intended to capture anything going outside of the original committed date so that we can target and highlight for that committee how long it’s aged past when it was supposed to be closed.

Thank you. And just through the chair, a follow up question on that second table. I’m wondering if the language might be modified just so that we’re all clear for future committee meetings that this is the aging beyond the original target date of completion, that would be very helpful. Thank you.

Absolutely. We will commit to do that. Phil, if you can make a note of that, I think that’s a great suggestion. Okay.

Other questions or comments from committee members on this first item? If not, we’re gonna receive this. So I look for a mover of receipt. Councilor Van Holst, seconded by Ms.

Higgs. Any further discussion? No? Okay, by hand, all those in favor?

No motion carries. Okay, the next item is the draft internal audit plan. I will note for colleagues, this is for potential approval today. And then of course, receipt of the report.

So I’m gonna turn it over back to MNP and to go through this, and I anticipate there’ll be a number of questions on this one. So, but I’ll let you guys start with a presentation. Thank you very much. Phil, if you wouldn’t mind sharing that PowerPoint presentation that we had prepared.

So for the benefit of the audit committee, we have prepared a very short presentation, really highlighting the overview and context in terms of the process that was followed in developing the internal audit plan. So with that, I will briefly walk the committee through each of the slides that we can obviously dive into the meat of it being the audit plan itself and any questions you might have around those. So in terms of really the objective of this presentation is to provide the audit committee with the high level overview of the three year draft internal audit plan and the process that went into developing it. Obviously, I will highlight for the audit committee and point out that while we are proposing a period of three years for the audit plan, we do understand that baked within the internal auditor is to do at least annually and update to the risk universe and risk assessment.

And coming out of that, there may be changes to the plan over the next three years. So these are in no way static in nature, but are subject to change based on the change in environment and conditions that the city might be subject to over the course of the next three years. But having said that, Phil, if you want to turn to the next slide, I’ll just walk the committee through the process that we followed. It was a very iterative process, which was involving all key members of management and the senior leadership team, as well as various members of the audit committee because we did want to have a full sum and comprehensive review over the landscape of the city itself, as well as the risks and the opportunities being faced by the city.

So in terms of the process that we followed, certainly started out with the review of any key documentation that was made available to us, one of them being the strategic documentation for the city, as well as any previously issued audit reports, because it’s always good to have that historical context in terms of areas that we’re looked at in the past and some of the results and findings that would have been coming out of them, as well as for Google information from, as we mentioned in our last session with the audit committee, we do work with a number of other municipalities and public sector organizations. So really leveraging and utilizing information and lessons learned that we might have garnered from working with those different bodies and helping to use that to inform this audit universe and plan. We spoke, as I mentioned, with various members of the audit committee, including the chair, as well as all the members of the senior leadership team and selected members of management. During these meetings, what we really did was facilitate a risk discussion.

And I know Phil likes to use the term facilitate the discussion because it’s not us to be telling you really what your risks are, it’s to be collaboratively working with you to understand the risk landscape and how that impacts the city. So in terms of that facilitation, it was really driving conversations around what are the risks and opportunities faced by the city? What are the priorities? What are the key intersex?

And where does the city endeavor to go in the next foreseeable future? And leveraging all that information to really develop that risk universe or landscape, as we like to call it, which then led way to prioritization around the risks that were identified, as well as ordering them in terms of magnitude and impact to the city. And really what that helps do is inform the audit plan that you’ll see in front of you in a few moments. Phil, if you want to turn to the next slide.

In developing the audit risk universe, some key, I would say qualitative characteristics or areas that we looked at, obviously, is once we identified all of the areas within the universe itself, understanding which area is auditable versus not, because obviously, you can identify a number of risk areas for an organization, but not all of them may lend themselves effectively or efficiently to an audit. So it’s understanding which are the key auditable units or entities within the city. And also looking at the key priorities, either through senior leadership or through the audit committee. And then, obviously, the results of, as I said earlier, recently conducted into audits, because that helps inform us in terms of what’s been looked at before, what was noted, where was the organization through that evolution and journey, and then finally looking forward in terms of desired state and future landscape, and what major changes are expected in terms of either people, process, or systems, because obviously that impacts your risk universe.

Really, this culminated into development of a risk inventory, which we then later prioritized in terms of what items made more sense to look at within the next three years, as well as what areas should remain in that universe and could be drawn upon from time to time, but would just remain there until it made sense to either look at that area or audit it. In terms of identifying the areas to audit and the nature of the audits themselves, we really focused on three key areas being compliance, because obviously compliance is a major item for any organization, including the city, as well as operationally, because we do understand that the focus of the city is through growth, innovation, evolution. So operations really is the backbone to supporting all of that. And then finally, a concept that I think we’re all pretty much familiar with at this point, because of the focus on it over the last, I would say, decade being value for money.

So in the areas, in the programs and processes being delivered by the city and service delivery models, three key areas to look at our obviously economy, efficiency, and effectiveness. So understanding what areas would really lend themselves to a good value for money audit. Turn it to the next slide. In terms of our understanding of the risk universe and the presentation, we then did develop a three-year audit plan, which is being proposed today to the audit committee, subject to approval from the audit committee.

But it has been socialized with management and we had a lot of collaboration and discussion around the areas of focus and where we landed. I would like to highlight for you that basically we are proposing four to five audits per year, really resulting in at least one audit recorder, which I would say is typical for an internet function in terms of deployment of resources and what makes sense. Because that provides for ongoing assurance and advisory support through the organization. And as I said earlier, it’s subject to change.

This is just as we see the landscape at this current time, but obviously as we do our annual updates and risk assessments, if not more frequently, the risks could change and the opportunities could grow. And we would obviously update and maintain that plan in accordance with that. So with that, that really is the high level overview of the process that we followed and where we landed on the plan. I would say before we jump into the plan itself, Phil led a lot of those facilitation discussions and meetings with individuals.

So Phil, I would love any context or comments you might have around the process itself. I think thank you, Jeff, through the chair. So I think that excellent summary there. The only thing I would just like to communicate to the committee and again, we had the opportunity both Deepak and I to speak with everybody on the committee and you really appreciated the input that you provided.

I also just wanted to communicate with you and really highlight that collaborative process from everybody that we spoke to, management and the committee. So I just wanted to communicate that everyone was absolutely excellent with the openness and value that they, I think they saw in the process and what they shared for us really helped to make the process run smoothly from our part. So again, just wanted to impart that upon you that it was excellent from our process. We don’t always see that.

So I just wanted to make sure that you’re aware of the excellent support that we received throughout the process. Thanks, Phil. And with respect to the plan itself, understanding that it was within the package, we’ll take it as haven’t been read. So with that, we will certainly turn it over to you, Mr.

Chair, for any questions from the committee that we would certainly be happy to respond to. Yes, thank you. And if you could stop sharing your screen again too, that would be very helpful to me. As my colleagues think about asking questions, I actually have a couple.

So maybe the best thing to do is to turn the chair over to Vice Chair Helmer and just say I’m on the speaker’s list. Go ahead, Chair Morgan. So I have two questions related to the internal audit plan. The first one is more for our staff than our auditors.

And then I have some questions. The records, management and retention piece, which is the first in the order of the audits. My understanding is that that would be conducted mainly through the clerks area in that division. There’s also a very important thing they’re doing this year in running an election.

And so my question is, is this going to put any sort of undue pressure or resource constraints on our staff and the clerks department as they do what is a very important job this year in managing the election process, which I know is always a draw on resources in that area. Or should this be something we’re looking at at a different point in the cycle? Who would like to tackle that one? Councillor Helmer, I can take that.

It’s Michael Schultes. And through you to the committee, it would be a challenge. It depends on the requirement for engagement with the audit committee with clerk staff. I don’t know the exact scope of what’s being contemplated, but I can advise that until August 19th, records management staff will be highly engaged in a SharePoint migration project and post August 19th that they will be involved in the follow up work with that, as well as pivoting to primarily elections support.

So it would be a challenge to find time to work with the auditors to provide any input that may be required. And I would suggest that Q2 of 2023 would be far more suitable for availability. And as a follow up to that, more for our auditors, given that particular response, what is the level of risk with this particular item and shuffling it through the schedule as you determined it through your discussions? So before I turn over to Phil, thank you, Mr.

Chair. I would just say, obviously it’s an important area to look at. It’s an area of high topical focus across the board because obviously information and records is key and critical to any organization. The two key areas to look at when we are focusing on records management is around accessibility.

So ability to access information in a timely manner, especially in an environment where you have things like freedom information requests or urgent needs to access information on a daily basis, but also I would say safeguard information. Obviously confidentiality and data privacy is something that’s a key focus with all organizations these days. And so that’s really the impetus for considering that as being one of the initial items to look at. But having said that, and I should have probably pointed out earlier in terms of the three-year audit plan itself, while we believe these are the areas to audit, we are flexible around the timing for each of them.

So even if the audit committee were to approve the plan in terms of the audits to be focused on, we could certainly work with management around the timing and what would be more suitable understanding your operations and the environment you work in, especially in an election period. But that would be my commentary in terms of the importance of that risk, but timing I think is subject to a discussion. But Phil, any points of view from your end? No, thanks, Jeff, through the chair.

I think that everything has, I think that Jeff summarized it. Well, with regards to the risk itself, Jeff highlighted it is a very topical space and it’s becoming more and more complex just due to, obviously, the volume of information that we’re dealing with. With regards to the suggestion as far as timing, we would always want to make sure and work with those that are subject to the audit to make sure that we’re not becoming overly burdensome and whatnot, so that feedback is excellent and we can work to it. But to answer this specific question, I do not feel that adjusting the timing introduces any more or less risk based upon your specific question, Mr.

Chair. Go ahead, Councillor Morgan. Okay, thank you. So I think that’s something we should consider.

I’m gonna wait for other colleagues to weigh in on that, but that’s certainly something that I think could be an adjustment in the plan that might be beneficial given the other work that’s being done. My second question in comments, and I’ll preface this with some comments, but it will lead to a question, is on the value for money audit related to neighborhood decision making. So let me just be transparent about this, is this is something that I’m very passionate about having run on it in 2014, brought it into our strategic planning process, brought it into our multi-year budget, and Council has made some tweaks to it over the years. The challenge I have, so I’m not averse to auditing this area at all, like I think there shouldn’t be too many areas, we’re not open to auditing.

My challenge is with a value for money audit in the way that you’ve defined value for money, I wanna make sure we don’t miss, capture some of the value of the program, and I’ve said this many times over the years. This is not just about the dollars we spend, and the return on investment we get for those dollars, and how it aligns with say our Parks and Rec Master Plan, or the other projects we’re doing in the city, but there is an inherent democratic value in the way that we have structured the program, where anybody of any age can participate in voting, sometimes for the very first time. Members of the community pitch ideas, they engage with each other, they lobby for them, they start thinking about how to improve their neighborhoods, they take ownership over those ideas, and the data bank of ideas, even if they aren’t successful, is something that’s very valuable to the city, I think. And so my question, I guess, is with a value for money audit, and maybe part of the challenge is, and maybe what the audit might determine is, perhaps we haven’t really well defined, what the goals are of the program, and maybe that’s what comes out of this.

So I’m very willing to do the audit, but I certainly don’t want us to lose that the valuable pieces that are non-monetary in nature, that have inherent value in a program like that, that if we only looked at it from a financial and monetary standpoint, I think we would miss something that aligns very well with our strategic plan that I would be concerned about, depending on how the audit’s structured. So I guess that’s more commentary than a specific question, but I would like to hear our auditors’ comments on how you would handle that sort of value for money audit, given that context from my perspective. Just before you respond, I know there’s more than one person on the team, but if we could just keep the response as tight as possible, and if only one person needs to talk about it, that’s perfectly fine. Absolutely, okay.

So why don’t I start off, and if I don’t capture it all, then Phil can jump in, but I fully appreciate the comments from the chair, and I think you’ve really captured the essence of value for money quite well in your commentary, because as I was trying to, I guess I took you later earlier, is the objective of internal audit is not only to provide assurance, i.e. understanding risks, identifying risks, and identifying control effectiveness. It’s also looking for opportunities within the organization in an advisory capacity. So really the way I’m viewing this value for money component is not necessarily, or not only looking at the quantitative, I guess, areas within that program itself, is also looking at qualitative characteristics, and by virtue of the very definition value, what we endeavor to do is not only look at the effectiveness around the program itself, but also looking for opportunities to further enhance that value, whether it’s through more optimization around the outcomes of the program itself, or I would say generating additional value, because we do understand the priority and the nature and the importance of a program like this.

And also, so our intent really is to focus on how can we help the city further optimize that program, to, I would say, garner as much value as possible out of it, if hopefully that answers your question. That’s all the questions I had. Okay, I have Councilor Van Holst, is it okay if he wants to be on the speaker’s list? I’ll put myself on as well, and I’ll turn the chair back over to you.

Councilor Van Holst. Thank you, Mr. Chair. And I’m just following up on your comments about neighborhood decision-making, that I also, applying that for comment, it’s something that I believe that the value of it is substantial enough that, I wouldn’t consider we needed to look at this.

However, I’m also interested in expanding this program substantially. And so, if possible, then I would like our orders to keep in that in mind, moving forward with this, is we’re looking at processes and effectiveness. So, perhaps this can be done with the mind to how we might expand that program as well. And then I would be okay with doing this audit.

My next question was just about your timing of one audit per quarter. Are you actually planning to begin and each audit in about a quarter? Or is it more like you’re gonna be working on a number of them concurrently? And, but you expect to report out on an average of one per quarter.

Go ahead. Yep, go ahead. Phil, did you want to take this? Sure.

Yeah, thanks, Jeff. So again, appreciate the question. Thank you through the chair. It’s an excellent question with regards to the timing.

Again, everything that we would like to put forward. And again, it’s just how the number of audits work. Our goal would be to, again, work with the audited group for those that would be impacted by us going through the process. Our goal would be to, as much as possible, spread things out over the year in order to make sure that we’re not becoming overly burdensome on any group, but we also do want to be respectful of anything that may be happening, as was highlighted a little bit earlier with regards to the records management and retention one.

So our aspiration, again, would be that we would want to spread things out as much as humanly possible, but we do appreciate things that always work on a perfectly quarterly cycle. So we would endeavor to, again, as much as possible, have the functions occurring over a year. However, just by the nature of us also doing five audits within one year, there is going to be overlap in certain quarters. So long-winded answer, I apologize for that, but the goal would be, again, to aspire to have that quarter-by-quarter basis that we were able to report back and make sure that we have a regular cadence with yourself.

However, we’ll reserve some flexibility to make sure that it’s making sense given other things that both management, the Audit Committee and Council have on the docket. Hopefully, that answered your question. Okay, good, thank you very much. And I guess my concern was that there are times when something just comes up and you could be set back two months easily on an audit and then that would make it very difficult to complete in one quarter.

So I looked at a number of these as well. One of the ones I was pleased we’re going to look at creating a safe London for women and girls. That was, but that’s an audit plan, cool. And so that one, I thought was quite important.

However, the last time I’d reached out to our community stakeholders, they were, they seemed quite happy with how things were moving along with that. And perhaps I could ask Mr. Chair, through you, to our staff, how we feel that that particular strategic plan is coming along. I know there’s been updates, but just for purposes of this meeting, a comment about that one.

And if it’s fit into the plan somehow, when it might be a good time for that. Ms. Livingston. Yes, thank you, and through the Chair, I think we feel we’ve made quite significant progress, particularly in delivering on the actions that were noted in the strategic plan.

And there are a number of initiatives underway, ranging from an update to the gender equity framework that Council will see in the few short months, all the way to very specific training on bystander training, the work that’s been done on safe places with community stakeholders, the work that’s being done with Western. So there’s a huge amount of effort across the city. Our feeling about putting this in the pool is that it is a new priority, newish priority for Council. A lot of effort has gone into trying to move substantially forward on actions and making a difference.

And when there are new initiatives, it is always worthwhile to have an understanding of the progress you’re making. So that is why we put it in the pool. My personal feeling and recommendation to our internal auditors, would it be that it be later in the cycle of the audit plan? Because we are just starting to get some momentum, very similar to why we recommended the timing on the ARAO audit to be a bit later in the cycle, because the work is just being done now.

Let’s us get established, and then we can come in and do a check and see whether there’s any course correction or additional work we could be doing. Thank you, Mr. Chair. And Tim is living sin.

That was exactly the kind of comment I was hoping for. So that’s encouraging. And I know that the majority of the audits are more compliance and process versus value for money, save some of the ones in the at the end of the audit pool. Maybe I could just have our auditors comment on that.

How it turned out that they’re mostly compliance and process. Absolutely. Thank you through the chair. Very, very good observation then point.

And obviously, really the reason for that is that in developing the plan and understanding what are a reasonable quantum of audits to conduct. We also, we always have to consider items like compliance as well as process effectiveness, because obviously compliance is something that’s driven by something externally to the organization that requires or necessitates the need to not only comply with, but conform to certain standards and practices and legislation. So understanding that those are key areas that should be looked at to meet external expectations. We also understand the operations are foundational and the backbone to the city.

So things like process is an area that we felt needed to be looked at, at least to develop that baseline, understanding that this is really the first time that we’re auditing the city. So getting that understanding around the key processes that are driving the operations. And then obviously with the room that was left remaining within the plan we wanted to fill it with items like value for money, because that speaks to the, I would say the opportunities piece in terms of how to further strengthen and grow the city. So that was the, I guess the mindset for the, I guess the allocation between the three and hopefully that answers your question.

Thank you very much. So Mr. Chair, I think those are my questions for now. Councillor Helmer.

Thank you. Generally, I think the other plan is going in the right direction as a sort of practical matter. I’d suggest switching the cyber security timing and the timing for the records retention. They’re both compliance process audits.

I’m not sure, but the magnitude of each of those in terms of workload, but it seems like the timing could be flipped and addressed the issue that was identified by the chair and Mr. Shultes earlier in the meeting. So I’d be happy to do that now. If we think that’s necessary.

The other comment I would make is that I’m certainly fine with the neighborhood decision-making program being audited, but the magnitude of that program in terms of dollars is quite small. And I do think there’s value in assessing it, learning from those results. And especially if as Councillor van Hoss is talking about, there’s some idea to scale it up even more. And that could be very informative.

However, later on in the audit plan is a value for money out of around municipal housing development. And this is quite a bit larger in terms of magnitude than the neighborhood decision-making program. And frankly, I think it’s an area where we need to be focusing a lot of attention right now rather than a couple of years from now. And so I also wonder if there’s an opportunity to flip those in terms of the timing, to bring one forward and then to deal with the other one later.

I know that there’s never really a perfect time to do these audits. Generally speaking, it’s a lot of work for people to take it on in their serious areas and everybody is very busy with everything that they’re already doing. But I do think there might be an opportunity there in terms of dealing with a bigger, I would describe it maybe as like a bigger problem first and rather than waiting. My only caution having said that is that, we’ve done a lot of transformation in the organization, organizational structure changes, things like that, in terms of delivery of municipal housing.

And I’m cautious about auditing it right after that change has happened and we’re in the middle of a change. So if there’s a concern from staff that bringing that forward would be difficult, maybe it’s best to leave it for now. I guess that’s a question through the chair to the management team. If we have any concerns about doing municipal housing a bit earlier, if we were to face, flip it with neighborhood decision making.

Okay, and I think that’s a good question to go to Ms. Livingston to start on. So I’ll turn it over to her. Thank you and through the chair.

Yes, we would have a concern about that because we really are just getting the team together and established a new processes in place, HDC transitioned in. So there are a number of pieces that are just beginning to land. So to flip it at this time, if you’re interested in moving it slightly earlier, we can do a review of the ones we would shift around and bring that back to you. But I wouldn’t recommend bringing it into 2022.

Okay, well, based on that answer, I think I’d like to propose that we just switch the cyber security one unless there’s also a big problem with that one, I know IT is an area that is always very busy and they’ve had a number of internal audits recently. And so I don’t know about bringing it forward, but I do think that’s one where we can eventually, again, I think the risk there is like bigger. You know, that’s a big problem that if we focus on it now, if we learn something, sure we can get it in place the better. So I think that’s one where if it’s okay to bring it forward, I would be happy to do that.

Maybe Ms. Barbong has flipped on her camera once again. And let’s go to Ms. Barbong.

Thank you through the chair. So we did consider that. Unfortunately with the number of IT projects that are currently underway that work to accommodate that would bump a number of things during the current year. So the timing was very deliberate next year to ensure that we have the resources to be able to perform that.

So certainly from that perspective, it would not be one that we would suggest the timing to move would be able to not have any impacts. Okay, well, that’s a bit of a pickle. Once you start moving with one thing, it starts to go. So what about the alternative of just having more of them next year and just push one off and have next year be a bit busier?

‘Cause I think that might be better than moving things around or trying to get things around. Through the chair. Certainly. Maybe that’s a question for the audience.

Certainly, thank you through the chair. I have no issues with that. I mean, obviously when we look at the plan overall, we’re looking at it over a three-year horizon, whether we do four, five or even three in one year isn’t of big concern for me, as long as we kind of complete them within that three-year horizon. So we would be happy to take that away with management and figure out how better to straddle the audits across the three years to meet your request for that matter.

I’ll go back to Councilor Homer and Asaka. One of the other things that could be considered is certainly we talked to early on about the length and timing and reporting back on the audits. There’s no harm in starting something and having it take a little longer if you know the audit committee is okay with that to allow for some of these things to be adjusted as well. So I’ll go back to Councilor Homer though.

Well, I think what I’d like to propose then is we just move the records one to the following year. Mr. Schultz has suggested Q2-2023. That would mean three projects happening in that quarter, which is why I was asking about the capacity of the internal audit team to take on all that work at the same time.

But if there’s not a big concern at that point, maybe we should just make that adjustment now. And obviously things could change. We can move things around a little bit within the plan anyway. But if we know we’re not going to do it next year, there’s no reason, or this year, it’s no reason to leave it in the plan for this year to probably make a motion to do that.

Sure. And I think given we’re going to make a motion to prove the overall internal audit plan, I think the approach to this is, are there any committee members who have an objection to when we make that motion, making that adjustment from Q2-2022 to Q2-2023 for the records management and retention piece? If no one has any objections, we’ll just note that when we and Councilor Homer can make the motion to approve the overall audit plan with that change. And we’ll see if there’s any others that other colleagues have too.

I don’t see any objections to that process. So do you have any other questions, Councilor Homer? We’ll go on to other committee members. Other questions about the audit plan?

Ms. Higgs. Thank you through the chair to MNP. Question just more around the process used to develop this three year plan.

And I know that was consultation with management, audit committee and so on. How much weight, if any, did you put in the prior audit plan that was developed by Deloitte? And I guess the reason I ask is in going back to the prior three year plan that we had in front of us, the projects that were slated at that time appear to have changed fairly materially. So you’ve identified either new or different priorities, which is fine, but just wonder if you can walk us through, you know, some of those key changes and how the prior planning process influenced or did not influence the plan that you have for us today.

So through the chair, thank you for that question. So just as a bit of background, we made consideration for both again, the previous audit’s completed as well as that forecasted plan. Excuse me, apologies. I have a little bit of a frog in my throat.

Sorry if I’m coughing. So yes, we did factor them in. You will see again, a bit of a flavor, particularly within the audit pool of a couple of those items that were previously put forward. But again, so I would say that it was a factor that we definitely considered and we wanted to make sure, but we didn’t wanna necessarily be 100% beholden to them.

We had that discussion with management about why were some of these raised, what are the priorities with them? And the other interesting thing I just like to add on is we, there are a few that while they might not be explicitly noted and carried over as audits themselves, there’s flavors of them within a few of them, particularly within a couple of the value for money items as well. So again, apologies for the long winded answer, but we definitely did factor them in, was a talking point with management as we consulted and went through things to gain an understanding of the rationale behind a number of them. And again, we feel that there is value in a few of them, which is why they were kind of held over within the pool or within a couple of the years forward.

But again, just this is what we landed on as going through and through having that consult process. Okay, thank you. Councilor Vanholst. Thank you, Mr.

Chair. So I think our auditors are gonna find that most of what happens in the city here is great in terms of compliance and process. And that, of course, as an audit committee, a lot of what we’re doing is assurance. We know these things are going well, but we need somebody to show us that it is.

Beyond assurance, I think there’s some audits that where the city’s looking to make some changes and hoping that the auditors will provide some value of the direction along those lines. So my questions through you to our staff is that of these items, where do we expect to see some more substantial changes in how things are done or how we approach compliance as opposed to having the audit really be mostly about assurance? That’s where I pause to see if anybody’s gonna flip on their screen to jump in and miss Barbong, you have won the prize, so go ahead. Thank you, through the Chair.

So from a compliance perspective and from an internal audit perspective, where necessarily process changes and other recommendations may come, strictly from a pure compliance perspective is are we doing the things that we should be doing and are we achieving the objectives in which we were expecting to achieve? The value for money component really drives towards more of the can you do it better, can you do it more effective, and is it as efficient as it can be? So certainly the audits themselves may not necessarily drive a change. Those are things that civic administration are, and many of these things are things that have recently been changed and/or have reason to have just been implemented, which is where the audits come in to ensure that we have, what we’re doing is meeting the audit effectiveness, efficiency and economy at the end of the day.

So not withstanding what the audit recommendations may have, if there may be recommendations that may improve changes, but certainly a civic administration is always looking for that all those opportunities and looking for enhancements throughout the process, that the audit itself is not necessarily the driver for that. I believe that answers your question. Councilor Van Walsen. - Thank you.

Oh, Mr. Rodriguez wants to jump in on that too. Yes, thank you through the chair. I just wanted to add further commentary around this everyone’s response in terms of, you know, for all of the audits that we’re conducting, while a number of them would appear to be primarily assurance, I would commit to that in every audit we do, we always seek to drive value as well, and we will always be looking for opportunities for improvement.

So in the audits that we’re conducting, if we do identify opportunities to help further the improvement within the organization, we will certainly note those as well, and not only just the assurance results. Okay, Councilor, are you good or any further questions? Good. Okay, any other members of the committee with questions about the internal audit plan?

Councilor Turner. I’ll just really quickly, I think my colleagues have covered most of this really well. There’s two kind of grant type areas. There’s the neighborhood decision-making and the cape and chirp chip grants.

Is there any opportunity I’d imagine as this goes forward, I was looking towards the audit pool for future, but one of those exposures we’d had a chance to discuss was in how we interact with agencies, boards and commissions, and the chip and cape are certainly parts of that. And a little bit as well with the community, neighborhood decision-making grants, but not as, not to the same degree. What, and those transfers and grants that we do are actually apparently material. Any considerations of, is that something that we’ve touched on before?

And we’re not concerned about them. We are concerned about them, but it’s too much of a muddled environment to really tackle from just kind of curious by its absence. For you, Mr. Chair.

Go ahead. So, thank you for the question through the chair. So, Councillor, I appreciate the question. And I just want to make sure I’m understanding it correctly.

So, again, I know through the various conversations that we’ve had, we were discussing the topic that I’m understanding that you’re talking about is the various agencies, commissions and that relationship, how to make sure that the appropriate processes are in place with that. So, I think that that is interesting in the concept of third-party risk for third-party risk management in that oversight capacity, is obviously a key area, not just for municipalities and the public sector, but throughout all organizations, not just on the process control side, but also the reputational impacts that come from certain things and whatnot. So, I think the point is well taken. And that was one of the things that we considered and why you can see a few of the audits that we particularly wanted to highlight, the ones that you had mentioned with regards to neighborhood decision-making, as well as those two grant processes.

So, what I would just like to highlight is, we are open to, as we go forward, again, looking at not just what we’re proposing, it is not static more than willing to, as we move forward and as we kind of continue to have conversations with Council of the Audit Committee and management as we move forward in our year-to-year work, always looking to touch on those. To the comment about, is it overly muddled? It all really depends upon how we focus and scope the audit, right? It’s what are we trying to understand about that relationship?

And that’s why, again, through the grant ones that you can see there, we’re focusing on how is, how is that relationship flowing with those material grants that you’re kind of highlighting? What controls do we have in place in order to better monitor that, understand how it flows, the processes and how effective it is? So, while maybe the relationships or the governance can be potentially muddled, as you kind of put it, it’s all really about how we scope the audit and what we’re trying to get as far as an outcome. So, I apologize if that didn’t answer your question, but please any other follow-up more than willing to touch on.

That’s for you, Mr. Chair. I appreciate the answer. I think I’m still trying to form the question in my head a little bit too.

But I think that that helps. I mean, as you go forward specifically with Chippen Cape, those are transfers to other agencies, boards and commissions that we provide funding to. And I think as you do those, you might be able to develop a bit of a model to look at other transfers with boards and commissions and agencies throughout the city and those relationships. They’re numerous, there’s lots of exposure and risk as you identified both financially and reputationally.

And there might be a scoped and focused projects that might be able to be taken on. I imagine it would be really hard to take a look at the relationship between the municipality and the police, which would be one of the largest boards so that we provide transfers too. But there might be a component of that relationship that deserves the deeper dive or museums or the Elton House or those kinds of things as we go through them, the Covent Garden Market boards, any of the community improvement plans, which I saw is on a later list, but those kinds of things. So I appreciate there’s so many things to tackle.

So we’ve got to find the priorities. I think Councilor Helmer identified rightly that the materiality of neighborhood decision-making compared to some of the other things is orders magnitude and difference that sits a lot smaller. But it’s not a bad way to kind of get your feet wet and into the intricacies of the workings of the municipality and its relationship with the external bodies. Thanks.

And through the chair, I would just add, I do understand that stakeholder relations and expectations are a key component, especially the way that the agency’s boards and commissions. So perhaps when we’re focusing the detailed scope, we can do it through the lens of perhaps roles or responsibilities or understanding of those roles or responsibilities with the key counterparties and what I would say is as we’re planning each individual audit, there will be a false some discussion around the detailed scope. And we will be sharing those planning documents and discussions with the audit committee as well as management. So perhaps at that time, we can have those further detailed discussions around how to target the scope to meet all of the audit committee’s expectations.

Thank you very much. Any further questions from Cooney minute members? If not, I believe Councilor Helmer was willing to move approval of the internal audit plan, recognizing that we have made an adjustment in it, and that is the records management and retention piece would be moved from Q2 2022 to Q2 2023. And so if you’re still willing to move that, that’s great.

Okay. And I see Councilor Van Hulse is willing to second that. So there’s in the motion that’ll also be, you know, receive the documents. So approval and receive the receipt of the presentation and documents, all those in favor.

Motion chairs. Okay. Thank you. That puts us on to the last item in our items for discussion part of our agenda, which is the internal audit charter.

I’ll let you make some comments on that. And this is an item for receipt. So go ahead. Thank you, Mr.

Chair. And I’m not sure if we need to share it. I assume it’s, it’s taken as red. Just to highlight some key components to it.

The internal audit charter itself is once again, a foundational artifact baked within the standard itself. So it’s codified within the, within the IAS IPPF. It really is that overarching mandate in terms of what is the internal auditor’s role within the organization. What is the purpose for internal audit?

As we all know, it’s to provide that independent objective assurance and advisory support to help maintain and further enhance the governance risk and controls within the organization. So it’s really just codifying that mandate and authority and responsibility on in terms of the authority piece. It really highlights the fact that to remain independent and objective, internal audit does have two different reporting lines. First of all, being the administrative reporting, which we’ve indicated as being the deputy city manager for finance support.

That is really to help navigate us administratively through the organization, but to maintain and sustain the independence and objectivity of the function. We have the functional reporting to the audit committee. So it just really codifies that ultimately we do report to the audit committee in an independent nature. And then really the final components to the charter itself is obviously to maintain maintenance and sustainment of quality assurance, maintaining quality and everything we do in adherence to the professional standards.

So it has commentary in there in terms of the fact that we will be communicating to the audit committee on an annual basis that we do conforms to this professional standards and then outlines the processes we have been placed internally to ensure quality. Those are the really the key components of the charter itself. It is pretty standard in terms of promulgated by the IIA and IPPF. So not many changes made to the baseline version from the standards, but certainly customized to meet the needs of the city.

Councilor Turner. Thank you, Mr. Ojigas. Just recognizing the authority in 3.0 internal audit are authorized to have full and free access to the audit committee.

There’s a formal pathway that we take and that’s you’re working with administration to help prepare your reports and put them on an agenda for us. And I think for 99.9 to full extent of the nines, that’s going to be the pathway. If there were concerns that you had identified in terms of access from administration or otherwise, how do you see actioning the ability to directly access the committee? What would be your mechanisms for doing so to raise those concerns?

As I said, I have full confidence in our administration. I don’t think that would ever be a problem, but I just sleep better at night knowing that there’s a pathway for that. Thank you for the question through the chair. Very good question.

So within the charter itself, obviously we have the regular and quarterly cadence while we’ll be communicating formally to the audit committee, but also within that, there’s the opportunity to communicate more frequently or ad hoc as necessary. So as a matter of practice, what I endeavored to do is have that open and direct dialogue communication with the audit committee, primarily through the audit committee chair. So what I can certainly do is put in place at regular cadence where we are communicating with the audit committee chair outside of the formal meetings to have that just qualitative discussion around how things are going. But certainly if something were to arise where there was an issue that would necessitate that direct communication with the audit committee, I would not hesitate to reach out to the audit committee chair himself or herself and have that conversation.

Our direct reporting line is to yourselves. So we’d hate to have to use it, but if I did need to use it, I would certainly escalate as necessary. That’s very good, Mr. Chair.

Thank you. That’s the answer I was looking for. It’s helpful and it’s a reassuring to note. Yes, and I’ll add to that councilor Turner.

Certainly, I’m open and accessible to our audit auditors and it’s probably appropriate to go through the chair to ensure that the business that we need to be discussing in a public meeting is happening in a public meeting. So certainly they can flag for me the need to put something on the agenda or call a special audit committee meeting in some sort of exceptional circumstance. But I know that members have had the ability to engage with audit committee members are auditors in the development of the plan as well as our staff. And I just want to commit to my ability to be accessible to them should something arise and I would endeavor to follow that process.

So I think an excellent question, Councilor Turner. Any other questions on the internal audit charter? Oh, Ms. Higgs.

Yes, thank you through the chair. Just have two questions. And I believe they would both relate to the annual planning and execution section. The first one, the first point in this heading notes the development of an annual internal audit plan.

And I wondered if it would be beneficial to clarify that we will also be receiving three year rolling audit plans as well, appreciating we only approve them annually. But it’s I think very helpful to have that sightline on what’s happening in year two and three. So that would be a request for a potential amendment if you’re open to that. And the second question I have is when you’re in a transition from a prior audit firm, would there be any language in an internal audit charter that outlines MNP’s obligations in the first transition year as to clarify what you are or are not doing, relating to audit reports that were completed prior to you taking on this engagement.

And maybe that sits outside of an internal audit charter, but I thought that would be important to clarify somewhere. Thank you, through the chair. Very good comment. And in terms of the first comment, we could certainly update the charter to really reflect that it’s an annual three year rolling plan.

I’ll work on the wording for that, but that’s essentially whether they’re so happy to clarify that more. And we will make that change through the charter in terms of the second question or comment. I haven’t typically seen that within charters themselves, but certainly your points well taken. And one of the items we will endeavor to do is set, especially if there’s any items that have been open from past audit reports, we’ll be sure to reflect them in our ongoing followup and monitoring to ensure that there is closure around any previously reported audits.

And we’ll endeavor to do that and make sure that that is captured. But also in any of the areas that we’re auditing, we always look to past audit reports to help inform the planning around that. So we will be sure to leverage and utilize any of the past audit reports in that regard. Okay, thank you.

Ms. Higgs and members of the audit committee, if you’re comfortable, I think given this is an item for receipt and there’s been a commitment to update it. I think we can just bring forward the updated language for receipt at a future audit committee meeting as Mr. Rodriguez has endeavored to make that first update.

So if everybody’s comfortable with that, I think that’s how we can proceed best. That way we can also see the language that lands in the audit charter as well. For the questions, okay. Then as I said, this is an item for receipt.

So I look for a mover to receive this. Councilor Van Halst, Councilor Turner seconded. All those in favor? No motion carries.

Okay, that brings us to the end of the items for direction before I go to the next item. I just want to say to our auditors, thank you for your time today. Thanks for that kind of first go-through of introducing us to some of the documentation, going through the draft internal audit plan. I know this is the start of a multi-year relationship that we will have.

And so thank you for your time today on starting it off on the right foot and answering all of our questions adequately and professionally, we really appreciate your time and look forward to the partnership that we will have over the next few years. With that, item five is deferred matters, additional business, I have none. Does anyone else have any items of additional business? Okay, I’ll look for a motion to adjourn then.

Councilor Turner, Councilor Van Halst, all those in favor of adjournment? No motion carries. Okay, we are adjourned. Thank you very much for your time today.