
Reports and attestations

Annual Report 2023–24

Report from the Audit and Risk Committee 2023–24

The objective of the Audit and Risk Committee (ARC) is to provide independent assistance to the CEO and Board by monitoring, reviewing and providing advice about our governance processes, risk management and control frameworks, and external accountability obligations.

The committee comprised the following independent members in 2023–24:

  • Michael Coleman – Chair
  • Peter Whitehead – Committee Member
  • Leah Fricke – Committee Member, and
  • Nicola Davis – Committee Member.

The CEO; Director, Legal Service & In-house Counsel (who is also the Chief Audit Executive); Executive Director, Digital Transformation; Director, Finance; Senior Internal Auditor and representatives from the NSW Audit Office attend each meeting. The committee also invites other key Executive staff and external service providers to attend as necessary.

The committee met on eight occasions in 2023–24 and assisted with a range of operational matters, including:

  • Monitoring year one of the Legal Aid NSW Strategic Plan 2023–2028.
  • Reviewing the Strategic Plan Evaluation and Learning Framework.
  • Monitoring the organisation’s financial position, trends, variations, carry forwards and budget compliance.
  • Monitoring compliance with circulars, guidelines and policies from the NSW Treasury, Department of Customer Service (cybersecurity) and Independent Commission Against Corruption (fraud and corruption), and sector-wide performance reports of the NSW Audit Office as applicable.
  • Administering the external examination, law practice declaration and trust money.
  • Auditing the Legal Aid NSW trust account.
  • Completing the engagement closing report and end of financial year reports.
  • Completing the NSW Audit Office’s management letter and Annual Engagement Plan to audit financial statements for the year ending 30 June 2024.
  • Producing statutory financial statements for the year ended 30 June 2024.
  • Compiling the financial acquittal reports for the Australian Government grant funding relating to the Royal Commission into Violence, Abuse, Neglect and Exploitation of People with Disability and the Royal Commission into Defence and Veteran Suicide.
  • Certification of internal controls.
  • Appointment and annual assessment of the performance of ARC members.
  • Recording Board resolutions concerning financial impacts, policy changes and the introduction of initiatives.
  • Review of and compliance with administrative arrangements under the ARC charter, internal audit charter, internal audit manual and ARC reporting cycle.
  • Review of the internal audit function.
  • Audit plan for 2023–24 and monitoring of internal and external audits, including reporting recommendations.
  • Monitoring of internal audit budget.
  • People Matter Employee Survey results, including summary and action planning.
  • Review of Risk Management Framework including risk reporting framework.
  • Enterprise risk maturity assessment and updating of enterprise risk framework and strategic risks.
  • Business continuity and service disruption planning.
  • Reviewing how Legal Aid NSW manages risks arising from inappropriate, unsafe and/or unreasonable client behaviour.
  • Review of crime, family and civil practice area strategic risk profiles.
  • Review of the gifts and benefits policy.
  • Review of the fraud and corruption control framework, public interest disclosures, complaints, investigations and disputes.
  • Review of the legal compliance framework.
  • Monitoring of Project Respect and the associated risk register.
  • Review of work health and safety issues and policies, the strategic action plan and excess recreation leave balances.
  • Review of the wellbeing project board plan and evaluation framework.
  • Progressing our cyber security, including risk maturity assessment under the NSW cyber security policy and the essential eight.
  • Monitoring of the PaTH project.
  • Panel lawyer audits by the Legal Aid NSW Private Lawyer Quality Standards Unit.
  • Reviewing the status of the implementation of ICT projects under the digital transformation project.
  • Monitoring compliance with NSW Treasury’s Outcome Budgeting Framework.

During the year 2023–24, we worked on 10 audits. Four audits were completed, with other audits in an advanced stage of completion but not counted this financial year. Audits at an advanced stage and approaching completion include a cybersecurity recertification audit by the ISO 27001 certifying agency and a review of our information security management system for conformance with ISO 27001 controls and compliance with the NSW Government’s cyber security policy. Completed audits covered:

  • procurement processes and contract management
  • work health and safety including handling vicarious trauma
  • Centrelink access, and
  • access to Transport for NSW (TfNSW) DRIVES.

Performance audits completed

Year       Total audits
2017–18    6
2018–19    5
2019–20    4
2020–21    9
2021–22    9
2022–23    9
2023–24    4

Target for 2024–25: 7

Cherie Pittman
Director, Legal Service & In-house Counsel
Chief Audit Executive
30 June 2024

Internal Audit and Risk Management Attestation Statement for the 2023–24 Financial Year for Legal Aid NSW

I, Monique Hitter, am of the opinion that Legal Aid NSW has internal audit and risk management processes in operation that are, excluding the exemptions or transitional arrangements described below, compliant with the seven (7) Core Requirements set out in the Internal Audit and Risk Management Policy for the General Government Sector, specifically:

Risk Management Framework

Core requirements and status*

1.1 The accountable authority shall accept ultimate responsibility and accountability for risk management in the agency.
    Status: Compliant

1.2 The accountable authority shall establish and maintain a risk management framework that is appropriate for the agency. The accountable authority shall ensure the framework is consistent with AS ISO 31000:2018.
    Status: Compliant

Internal Audit Function

Core requirements and status*

2.1 The accountable authority shall establish and maintain an internal audit function that is appropriate for the agency and fit for purpose.
    Status: Compliant

2.2 The accountable authority shall ensure the internal audit function operates consistent with the International Standards for Professional Practice for Internal Auditing.
    Status: Compliant

2.3 The accountable authority shall ensure the agency has an Internal Audit Charter that is consistent with the content of the ‘model charter’.
    Status: Compliant

Audit and Risk Committee

Core requirements and status*

3.1 The accountable authority shall establish and maintain efficient and effective arrangements for independent Audit and Risk Committee oversight to provide advice and guidance to the Accountable Authority on the agency’s governance processes, risk management and control frameworks and its external accountability obligations.
    Status: Non-Compliant with respect to a) core requirement 3.1.16**, which provides a maximum term of five years for the Chair of the Audit and Risk Committee (ARC) and b) core requirement 3.1.14, which provides a maximum term of eight years for the members of the ARC.

3.2 The accountable authority shall ensure the Audit and Risk Committee has a charter that is consistent with the content of the ‘model charter’.
    Status: Compliant

*For each requirement, please specify whether compliant, non-compliant or in transition.
**Core requirement 3.1.13 as per TPP 15-03.

Membership

The independent chair and members of the Audit and Risk Committee are:

  • Independent Chair, Mr Michael Coleman, 29 June 2016 to 26 September 2025
  • Independent Member, Mr Peter Whitehead, 28 October 2014 to 28 October 2023
  • Independent Member, Ms Leah Fricke, 1 March 2022 to 28 February 2025
  • Independent Member, Ms Nicola Davis, 28 June 2023 to 28 June 2026

Monique Hitter
Chief Executive Officer
13 August 2024

Departures from core requirements

I, Monique Hitter, advise that the internal audit and risk management processes for Legal Aid NSW depart from the following core requirements set out in the Internal Audit and Risk Management Policy for the General Government Sector.

The circumstances giving rise to these departures have been determined by the responsible minister, and Legal Aid NSW has implemented the following practicable alternative measures to meet the core requirements.

Non-compliance

Departure | Reason for departure and description of practicable alternative measures implemented/being implemented

3.1.16 of TPP 20-08

“The chair of the ARC shall be appointed for one (1) term only for a period of at least three (3) years, with a maximum period of five (5) years. The term of appointment for the chair can be extended but any extension shall not cause the total term to exceed five (5) years as a chair of the ARC.”

Mr Michael Coleman is the chair of the ARC, and his maximum term of office of five years expired on 23 June 2021. He has been given three extensions: one in February 2021 to 2 September 2022, the second in November 2022 up to 28 October 2023, and the third in July 2023 up to 26 September 2025.

Legal Aid NSW maintains a practice where a Board member is the chair of the ARC. Legal Aid NSW’s Audit and Risk Committee Charter provides that an exemption from TPP 20-08 3.1.16 should be sought to ensure alignment between Board appointments and appointments to the ARC.

Mr Coleman has been reappointed to the Board in accordance with the Legal Aid Commission Act 1979 for a term up to 26 September 2025.

Mr Coleman is a highly respected member of the Board and has performed outstandingly as chair of the ARC. He has significant expertise and experience as a director and chairman in various organisations. His corporate experience in managing risk and finance would be very difficult to replicate. An exemption from the TPP 20-08 has been approved by the Attorney General to extend Mr Coleman as Chair of the ARC until the expiry of his Board appointment on 26 September 2025.

3.1.14 of TPP 20-08

“Members can be reappointed or extended for further term(s) but the total period of continuous membership on the Committee shall not exceed eight (8) years (inclusive of any term as chair of the Committee).”

Mr Peter Whitehead is a member of the ARC whose maximum term of office, eight years, expired on 28 October 2022. He was given an extension in November 2022 to 28 October 2023.

Mr Whitehead was appointed a member of the ARC from 28 October 2014 to 28 October 2022. Mr Whitehead’s maximum eight-year term expired on 28 October 2022. A ministerial exemption was obtained on 21 November 2022 for extension of his term to 28 October 2023.

Mr Whitehead is a lawyer and the former Public Trustee of NSW. Mr Whitehead was part of the original committee reviewing the role of audit within NSW Government. He has since chaired a number of audit and risk committees, including for the NSW Department of Premier and Cabinet, what was then the Attorney General’s Department, the NSW Crime Commission and the Judicial Commission of NSW. He currently works in the financial services industry.

Mr Whitehead has been reappointed as a member for a term up to 28 October 2023.

These processes, including the practicable alternative measures implemented, demonstrate that Legal Aid NSW has established and maintained frameworks, including systems, processes and procedures for appropriately managing audit and risk within Legal Aid NSW.

Monique Hitter
Chief Executive Officer
13 August 2024

Cyber security annual attestation statement for the 2023–24 financial year for Legal Aid NSW

I, Monique Hitter, CEO of Legal Aid NSW, am of the opinion that Legal Aid NSW has managed cyber security risks in a manner consistent with the mandatory requirements set out in the NSW Government Cyber Security Policy.

Governance is in place to manage the cyber security maturity and initiatives of Legal Aid NSW.

Risks to the information and systems of Legal Aid NSW have been assessed and continue to be reviewed and managed.

There exists a current cyber incident response plan for Legal Aid NSW which has been tested during the reporting period, in addition to creating a specific significant cyber incident response plan which has also been tested during the reporting period.

Legal Aid NSW has an ISO 27001 certified Information Security Management System (ISMS) in place for four offices across Legal Aid:

  • 323 Castlereagh Street, Sydney New South Wales 2000 (Head Office).
  • Level 1, 160 Marsden Street, Parramatta NSW 2150.
  • Level 4, 128 Marsden Street, Parramatta NSW 2150.
  • 73 Church Street, Wollongong NSW 2500.

Legal Aid NSW is doing the following to continuously improve the management of cyber security governance and resilience:

  • maintaining a certified Information Security Management System (ISMS) that aligns to the ISO27001:2013 standard, with the objective of continual information security improvements whilst supporting security policies and objectives
  • completing a multi-year Cyber Security Uplift Program to improve cyber security maturity at Legal Aid NSW, which ended in July 2024
  • developing a Cyber Security Strategy and a new roadmap for Legal Aid NSW’s future Cyber Improvement Program, and
  • managing all cyber security incidents and escalating incidents to Cyber Security NSW as required.

An independent audit of the ISO 27001 Legal Aid NSW Information Security Management System was undertaken during the reporting period by ISO-accredited auditors and found to be adequate.

Monique Hitter
Chief Executive Officer
17 October 2024
