SWELLENDAM MUNICIPALITY 2015/2016 COMBINED ASSURANCE PLAN

APPROVED BY COUNCIL PER ITEM C20 ON 30 SEPTEMBER 2015
Contents

1 Introduction
2 Objectives
3 Approach
4 Roles and Responsibilities
4.1 Role of Internal in terms of Combined Assurance
4.2 Role of the in terms of Combined Assurance
5 Combined Assurance Plan
5.1 Results - Assurance providers
5.2 Combined assurance plan
1 Introduction

The Combined Assurance Plan (CAP) has been compiled from the risk analysis performed by the Swellendam Municipality, which was facilitated by PricewaterhouseCoopers on 11 and 12 May 2015 for the 2015/2016 financial year. This risk analysis enabled management to assign resource priority efficiently to mitigate the risks to an acceptable level and to identify who is responsible for each risk.

2 Objectives

The objectives of the CAP are mainly to:
- Identify and specify the sources of assurance over the Institution's key risks (risks above the Risk Appetite, currently at 37);
- Provide the Fraud and Risk (FARMCO), the Municipal Manager (MM) and Executive with a framework of the various assurance parties;
- Link risk management activities with assurance activities. This will also assist the MM to review the effectiveness of the Risk System; and
- Provide a basis for identifying any areas of potential assurance gaps.

3 Approach

The Combined Assurance Plan has been designed to highlight the relevant high-risk areas and the assurance to be provided by management, external audit, internal audit and other consultants or service providers in order for the Council to be apprised of the risk management efforts undertaken to manage the risks to an acceptable level.

The risk analyses performed for the 2015/2016 financial year formed the basis for determining the combined assurance plan for the municipality. The combined assurance plan was developed through:
- Analysis of the risk assessment; and
- Discussion and agreement with assurance priority.

4 Role and Responsibilities

4.1 Role of Internal in terms of Combined Assurance

International Standards for the Professional Practice of Internal Auditing (ISPPIA) and its associated Practice Advisories (PA) state that "The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts."
The Swellendam Internal Activity (IAA) has access to the work of other internal and external assurance providers. The IAA will provide assurance over the entire organization, including:
- assurance on the design and adequacy of the risk management processes;
- management of the top risks, including the effectiveness of the controls and other responses;
- verification of the reliability and appropriateness of the risk assessment and reporting of the risk and control status.

In instances where the Head of Internal (CAE) is hiring an assurance provider, the CAE will document engagement expectations in a contract or agreement. The following minimum expectations will be set to ensure that work is adequate and reporting requirements are fulfilled:
- the nature and ownership of deliverables,
- methods / techniques,
- the nature of procedures and data / information to be used,
- progress reports / supervision

The IAA will consider the following to conclude whether to rely on the work of the assurance provider:
- independence and objectivity
- competencies and qualifications
  o verifying appropriate professional experience and qualifications
  o current registration with relevant professional body or institute
  o reputation for competency and integrity in the sector
  o elements of practice to have reasonable assurance that the findings are based on sufficient, reliable, relevant and useful information
- the work of the assurance provider is appropriately planned, supervised, documented and reviewed

When management requires an overall opinion from the CAE, the CAE should understand the nature, scope and extent of the integrated assurance map to consider the work of other assurance providers, and rely on it as appropriate, before presenting an overall opinion on the municipality's governance, risk and control processes. The IA should include reference to other assurance providers where reports rely on such information.
In instances where the municipality does not expect an overall opinion, the CAE can act as the coordinator of assurance providers. The CAE should report on any lack of input by other assurance providers. If the CAE believes that the assurance is inadequate or ineffective, the Municipal Manager and will be advised accordingly.

The IAA will follow up on recommendations made by other assurance providers and should determine whether management has implemented the recommendations or accepted the risk of not taking action.
It should become common practice that internal and external audit rely on the work of the other to increase efficiencies. In this case, sufficient information should be provided to enable the other party to understand the techniques, methods and terminology to facilitate reliance on the work performed.

Planned audit activities of internal and external auditors need to be discussed to ensure that audit coverage is coordinated and duplicate efforts are minimized where possible. Sufficient meetings are to be scheduled during the audit process to ensure coordination of audit work and efficient and timely completion of audit activities and to determine whether observations and recommendations from work performed to date require that the scope of planned work be adjusted.

4.2 Role of the - and Performance in terms of Combined Assurance

The APAC should ensure that a combined assurance model is applied to provide a coordinated approach to all assurance activities. This role emanates in the following primary tasks:
- Ensure that the responsibilities for combined assurance are appropriately reflected in the AC Policy.
- Encourage cooperation between internal and external audit.
- Review coverage and scope between internal and external audit to avoid duplication and allow for possible cost savings from the integration of the two functions.
- Timing of internal audits and the months during the financial period that the audit scope will cover must be aligned.
- Review, provide input and adopt the Combined Assurance Plan (CAP).
- Ensure that the CAP can be clearly linked to the risk assessment.
- Ensure that all high risk areas are included in the plan.
- Review quarterly reports that reflect actual performance by the different assurance providers and compare with the CAP.
- Review corrective action taken when identified risks are not being covered by assurance activities.
5 Combined Assurance Plan

5.1 Results - Assurance providers

Based on the results of the risk assessment and discussions with as well as our experience and understanding of the underlying risk of its occurrence, certain of the risks identified may require additional independent assurance. These have been included in the combined assurance plan in point 5.2 of the report.

The Municipal Manager will ultimately decide on the most appropriate assurance provider for the identified risks. Where internal audit is identified as the most appropriate assurance provider, the must approve the scope of coverage and audit plan. Similarly, if external audit is to be relied upon for assurance, the Municipal Manager should inform them of this reliance to determine from the external auditors whether or not such reliance is appropriate from work performed or to be performed. Executive may be engaged as assurance providers as part of its ongoing activities or part of an identified special project.

5.2 Combined Assurance Plan

The facilitated risk assessment has identified risks which, if they materialize, may have a negative impact on the municipality as a whole. In order to ensure that this exposure is appropriately mitigated, a combined assurance plan has been developed to allocate responsibility and accountability for the risks to Executive, External, Internal, or a combination thereof. Due to the nature of risk management, Executive is ultimately responsible for all risks within the Institution and hence assumes overall responsibility and accountability for all the identified strategic risks.

The Combined Assurance Plan details the Residual Risks above the Risk Appetite of 37, identified during the Risk Assessment process.
Although the mitigation and management of the said risks is the responsibility of management, Internal has used the results of the risk assessment to develop its risk-based plan and accordingly focus its efforts on HIGH risk areas to determine whether actions taken by management to mitigate such risks have achieved the desired outcome.

The combined assurance plan based upon the key business risks is documented below:
Three Line of Defense
1st Line of Defense
2nd Line of Defense
3rd Line of Defense

# Key Risk Description
1 Fleet: Not meeting replacement requirements for ageing fleet (not meeting the requirements of the replacement programme).
2 Records and Archives: Ineffective protection of Collaborator document system from viruses.

Corporate Functions
Independent Third Party Assurance

Current Controls Implemented by
1. Maintenance of vehicles outsourced to private service provider with SLA.
2. Service plan in place for fleet managed by fleet administrator.
3. Inspection forms in place and completed by staff to document state of fleet when using fleet.
4. Satellite tracking system to monitor driving behavior.
5. Review of monthly petrol card usage per vehicle.
1. Daily virus scans by IT service provider.

Risk Performance
KPI that monitors the spending of the Fleet Maintenance Budget
None

Compliance
Internal
External / or- General
Fleet policy (In development progress)
National Archives Act 43 of 1996
ICT Policy
Fleet Review
ITC Review/ Records Review
ICT Risks included in
Other

3 Electricity Distribution & Infrastructure: Failure of equipment due to load shedding
4 Streets and Storm Water Services: Inadequate personnel resources to execute mandate.
5 Electricity Distribution & Infrastructure: Inadequate personnel resources to execute mandate.
6 Electricity Distribution & Infrastructure: Non-compliance to health and safety standards & procedures.

None
1. Use of EPWP funding to employ additional staff
None.
1. Health and Safety.
2. Health and Safety representatives.

None
None
Monthly reporting
Monthly reconciliation
Quarterly report to National Treasury
Annual report
KPI: Limit the vacancy rate to less than 10%
Monthly meetings
Representatives for all the towns
Monthly update of the EPWP reporting system
: Decision and Action to be taken on strategic level
None
: Decision and Action to be taken on strategic level
Occupational Health and Safety Policy.
OHS Act
Occupational Health and Safety Review

7 Electricity Distribution & Infrastructure: Not meeting maintenance requirements (operational and capital maintenance).
8 Streets and Storm Water Services: Not meeting maintenance requirements (operational and capital maintenance).
9 Infrastructure Services: Lack of timely utilisation of Capital expenditure budget

1. Electrical master plan in place.
1. Pavement management system (PMS).
1. Implementation of SDBIP
2. Monitoring of SDBIP.
3. Quarterly reporting on performance targets.
4. Procurement plan in place (SCM).

None
None
Monthly reports
Quarterly reports
Annual reports
Quarterly reports to National Treasury
SDBIP Performance
Monitoring of Budget Expenditure
EPWP system reporting
Municipal Finance Act (MFMA)
Quarterly SDBIP Performance Reviews
Capital Expenditure included in

10 Water and Sewerage Services: Noncompliance to Water and Sanitation related Acts and Regulations (DWS).
11 Streets and Storm Water Services: Noncompliance to health and safety standards and procedures.
12 Water and Sewerage Services: Inadequate personnel resources to execute mandate.
13 Water and Sewerage Services: Noncompliance to health and safety standards and procedures.

1. Updating of the BDS and GDS systems.
2. Monthly monitoring in accordance with SANS 241.
3. Monthly monitoring in accordance with the general authorization for Waste water effluent.
1. Health and Safety.
2. Health and Safety representatives.
3. Monthly OHS staff meetings
1) Training programme in place for process controllers to address skills shortage.
1. Health and safety committee.
2. Health and safety representatives.

Quarterly reports
Water Services Act
Quarterly SDBIP Performance Reviews
Monthly meetings
OHS Act
Occupational Health and Safety Review
Quarterly reports to LGseta.
Skills plan
Quarterly meetings
HIV Policy
Employee Policy Wellness
MSA
Basic Conditions of employment Act.
Municipal Systems Regulation
OHS Act
: Decision and Action to be taken on strategic level
Occupational Health and Safety Review
Performance included in

14 Water and Sewerage Services: Industrial effluent.
15 Water and Sewerage Services: Water losses.
16 Accounting/ Financial Reporting: Implementation of new SCOA requirements.

1. Enforcement of water services By-law.
2. Monthly industrial effluent quality monitoring.
1. Monthly water loss reports
2. Monthly water meter readings.
3. Implementation of recommendations of Water master plan - Water meter audit and water demand management project.
1. No current controls - awaiting further instructions from National Treasury.
2. Attending MSCOA workgroups run by National and Provincial Treasury.
3. Overstrand engagement - they are a pilot site.

Monthly monitoring
Water Services Act
KPI: Limit water loss to 35%
Monthly report to CoGTA
Back to Basics
MFMA
Distribution Losses Review
None
None
Distribution Losses included in
Accounting/ Financial Reporting included in

17 Water and Sewerage Services: Illegal connections of water
18 Electricity Distribution & Infrastructure: Theft of materials i.e. copper, brass and aluminium.

1. Enforcement of water services By-law.
2. Monitoring of consumer databases.
3. Meter readers reporting on unmetered users.
1. 7 days a week security on site.
2. CCTV cameras with monitoring center.
3. Access controls to facilities.
4. Access and approval for the release of copper cables limited to superintendent and manager.
5. Superintendent and manager specify on requisition form the designation of the cable.
6. Stock takes and asset verification performed.
7. Materials stored in a secure storeroom.
8. Requisition forms must be completed and approved by supervisor when taking materials.

KPI: Limit water loss to 35%
Supply and deliver meters within 10 days
None
Credit Control and Debt Collection Policy
MFMA
SCM Policy
Regulation on financial misconduct
PPPFA
Municipal Fiscal Powers and Finance
Distribution Losses Review
Asset Review/ Inspections at Stores and Sites
Distribution Losses included in
Asset / Safeguarding of assets included

19 Electricity Distribution & Infrastructure: Illegal connections.
20 Records and Archives: Ineffective management of Archives of remote offices
21 Water and Sewerage Services: Quality of water (not up to standard).
22 Streets and Storm Water Services: Theft of assets and materials.

1. Electrical by-law in place.
1. Records management policy in place.
2. Office instructions in place.
3. Notices on door at Records Office.
4. Access control to archive rooms in place.
1) Hourly recording and testing of water quality.
2) Independent water quality assessors test the water quality monthly (river and plant).
3) Health department (District) test water quality monthly.
1. 7 days a week security on site.
2. CCTV cameras with monitoring center.
3. Access controls to facilities.

Loss limited to 25%
Variances are monitored and followed up
Monthly reports
Monthly meetings
MFMA
National Archives Act
Distribution Losses Review
Record Review
Monitoring of water
Water Services Act
Quarterly SDBIP Performance Reviews
None
MFMA
Budget and Reporting Regulation
Asset Review/ Inspections at Stores and Sites
Distribution Losses included in
Availability of records/ documents included in
Performance included in
Asset / Safeguarding of assets included

23 Infrastructure Services: Increase in downtime affecting service delivery

4. Tracking systems on vehicles.
5. Asset tagged and documented on asset register.
6. Stock takes and asset verification performed.
7. Control sheets completed by employee and supervisor when materials are taken.
8. Materials stored in a secure storeroom.
9. Requisition forms must be completed and approved by supervisor when taking materials.
10. Petrol card system introduced.

None
None
: Decision and Action to be taken on strategic level