Guidelines for risk management
Risk management is an essential part of a council’s management and internal control framework. It looks at what risks the council may face and the best way to address these risks. Assessment and management of risk is central to determining internal audit activities.
The Office of Local Government developed comprehensive guidelines for risk management and internal audit to assist councils and joint organisations to implement these requirements.
All councils and joint organisations are required under the Local Government Act 1993 to have an audit risk and improvement committee from 4 June 2022. Councils and joint organisations can share audit risk and improvement committees.
Amendments have been made to the Local Government (General) Regulation 2021 to require all councils and joint organisations to have a risk management framework and an internal audit function and to prescribe membership requirements for audit risk and improvement committees. Councils and joint organisations are required to comply with these requirements from 1 July 2024 and, commencing with the 2024/25 annual report, to attest to their compliance with the requirements in their annual reports.
Self assessment checklist
Management of risk is a key element in the delivery of services for councils. The recent creation of Audit and Risk Improvement Committees (ARICs) is a step towards enabling councils to monitor and mitigate financial, governance, service delivery, asset and infrastructure, and other risks. Capturing and assessing risks is a key part of the risk management framework for councils.
This checklist is optional and is provided as a tool to assist councils. It is anticipated that the reporting and improvement measures in the Risk Register will be monitored by councils’ ARICs.
The checklist has the functionality of creating a Risk Register by selecting the responses that may have associated risk. The Risk Register enables a further risk assessment looking at likelihood, consequence, and existing controls.
- Local Government (General) Amendment (Audit, Risk and Improvement Committees) Regulation 2023 (PDF, 180 KB)
- Risk management and internal audit for local government in NSW – Guidelines (PDF, 933 MB)
- Model terms of reference for audit risk and improvement committees (DOCX, 46 KB)
- Example risk management policy (DOC, 19 KB)
- Model internal audit charter (DOCX, 44 KB)
- Attestation and non-compliance statement template (DOCX, 24 KB)
- Council Self Assessment Checklist (XLSX, 97 KB)
Internal audit
Internal audit is an essential component of a good governance framework for all councils. It is a mechanism that a council uses to receive independent assurance that its internal controls and risk management are effective and that it is performing its functions legally, effectively and efficiently, and to receive advice on how it can improve its performance.
Internal controls are any actions taken by a council to manage both the positive and negative impact of risk on the organisation and its community. Management has primary day-to-day responsibility for the design, implementation, and operation of internal controls.
Internal audit operates independently from daily operations. The internal audit function reports to an audit, risk and improvement committee, which provides independent advice to the governing body and the general manager on the council’s performance and governance.
External audit
External audit, or financial audit, is an independent examination and opinion of a council's financial statements, and whether the council is complying with accounting standards, laws and regulations.
The Local Government Act 1993 requires each council to have its annual financial reports externally audited by the NSW Auditor-General so that the community and councillors have access to an independent opinion on their validity. The NSW Audit Office conducts these audits on behalf of the NSW Auditor-General.
Since 2017, the NSW Auditor-General has also reported to the NSW Parliament each year on local government sector wide matters arising from the examination of financial statements of councils and any other issues that the Auditor-General has identified.
- NSW Audit Office – Report on Local Government 2018
- NSW Audit Office – Report on Local Government 2017
- Workforce reform in three amalgamated councils (May 2019)
- Council reporting on service delivery (2018)
- Shared services in local government (2018)
- Fraud Control in Local Councils (June 2018)
- Waste management in local government (2019)
- NSW Audit Office
Fraud and corruption prevention
Councils should have a fraud and corruption control framework which identifies and manages the risk of incidence of fraud or corruption and includes prevention and monitoring strategies.
The Independent Commission Against Corruption (ICAC) is responsible for investigating corruption in the NSW public sector (including in councils) and actively preventing it through advice and assistance. ICAC’s website provides a wide range of useful information about how councils can prevent, identify and manage corruption risks.
Since 2017, fraud prevention by NSW councils has been independently reviewed and reported on by the NSW Audit Office, as part of its external auditing and performance auditing responsibilities for local government. A link to the Audit Office’s report on its performance audit of fraud controls in councils is provided below. The NSW Audit Office has also issued a Better Practice Guide: Fraud Control Improvement Kit (PDF, 1.5 MB) that provides useful guidance to councils when developing their fraud control framework.
Reporting suspected fraud or corruption
You should report suspected fraud or corruption, in the first instance, to your council through a recognised internal reporting mechanism. Your council’s fraud and corruption control policy or procedures should provide guidance on how to report suspected fraud or corruption.
You can also report fraud to the NSW Police and suspected corrupt conduct to the Independent Commission Against Corruption.