Peer Review of an incomplete draft internal audit will be made public

Published on 09 August 2017


Peer Review of an incomplete draft internal audit has been made public

The KPMG Peer Review of an incomplete draft Internal Audit Report has found it lacking across many fronts.

Following the Finance, Audit & Risk Committee decision to seek a peer review of the incomplete audit report, it was leaked to media.

On Wednesday evening, the peer review was presented by KPMG to the Finance, Audit & Risk Committee during an in-committee session. During this session, Elected Members voted in favour of releasing the report.

However, private details would be redacted and the original report would remain In-Committee.

The report states that a face-to-face interview with the author of the report occurred. However, it also states that working papers supporting the findings of the report were not obtained and therefore KPMG is unable to comment on the validity of the authors audit findings and whether the testing was performed to an acceptable standard. In addition to that, the Executive Summary also notes that there were no findings in relation to sensitive expenditure in the draft audit report. It went on to state that some of the areas deemed to be high or extremely high risk do not have anything to do with sensitive expenditure.

Horowhenua District Council’s Chief Financial Officer Doug Law, says from a professional level he is saddened by the findings. However not surprised given the quality of the initial draft report.

In the report’s conclusions it states:

  • The internal audit report is not supported by appropriate work papers. Therefore, the findings cannot be validated.
  • The internal audit report contains six findings which, after considering better practice, are not normally included in the scope of a sensitive expenditure review.
  • While the word ‘blocked’ was used in the an email to advise councillors about an intended process, we understand from discussions with HDC, this was actually a quarantine and vetting process to protect staff from threatening, abusive emails.
  • That HDC cease quarantining / vetting emails into the domain in order to develop a robust process in order to protect all staff and elected officials health and safety. 
  • Council needs to confirm the contractual obligations to be exercised under the SSA agreement – this is the agreement for the internal audit to be carried out.
  • Council needs to publish the risk matrix and supporting descriptions for future audits/use.

Finance Audit and Risk Committee Independent Chair Philip Jones, appointed by Mayor Michael Feyen earlier this year, welcomed the report.

 “It has been a difficult period, for elected members, Council officers and for the public as well.”

 “KPMG have shone light on the draft report and found it wanting.”

Mr Jones says with regards to the emails the report found this issue was out of scope. That emails were not intended to be blocked, but due to their threatening offensive or abusive nature were quarantined and then vetted. It goes on to say that the authors of the Peer Review have seen emails which could be considered offensive or abusive by a recipient.

KPMG has also adjusted the risk ratings that were in the draft incomplete internal audit report:

  • Issue of Governance by the CE has been moved from Extreme to Low
  • Blocking emails has been moved from Extreme to not able to determine
  • Issues of fleet Management has moved from High to Low.

The Finance Audit & Risk Committee voted for Council to carry out the recommendations of the KPMG Audit report and Council’s Chief Executive David Clapperton will now work with Council Officers to do this.


Questions and answers

The process was introduced with staff safety and undue interference in mind, and continues to this day for the same reasons.

Quarantining involved placing the names of those who had previously emailed unacceptable comments to Council Officers on a list.

There is only one instance where emails from an Elected Member to an external person were quarantined – This was with regards to emails sent from the former Mayor to a representative of a Council Controlled Organisation (CCO) that was in contract negotiations with Council. Only emails sent between the two were quarantined.

Throughout the six-year period that the process has operated, of which three were under David Clapperton as Chief Executive, it has only been applied to nine individuals for varying amounts of time. 

The majority of the emails received were released immediately, as they related to meetings etc. and or were innocuous replies. Only those that contained offensive comments, bad language and photographs caught up in the mail marshal were not.

Every year, Council receives and sends hundreds of thousands of emails – from 1 June 2015 – 1/10/2016 Council received 657, 494 emails. In all, over the period the process has operated about 1300 emails were quarantined – that averages to about 216 a year or about four a week.

As of 9 August 2017 only one person is on the quarantine.


How does HDC’s practice differ from other Councils?

We are not aware of what the exact practises other Councils mention in their electronic messaging policies. However, we are aware of some actions taken by other Councils around emails such as outright blocking, to sending to SPAM.


Why didn’t you block them?

The intention of the process is to safeguard employees but to allow for communications to be maintained – blocking or sending to SPAM would have prevented individuals and elected members on the quarantine list from communicating with Council Officers.


How come no-one knew about the practise?

All Elected members were made aware of the practise during the previous triennium including those two councillors who had their emails quarantined. In hindsight, Council should have included the practise in its Email Usage Policy and made the policy publically available on its website.


Why hasn’t Council said anything about this, since the leak?

Council has a process to follow and it is the duty of Officers to follow that process. We have responded to some media queries. However, the majority of the questions regarding the incomplete internal audit have not been answered because the report is not public – despite it being leaked.


What effect has this issue had on Council?

Council continues to operate as per normal. The issue has taken up the time of several senior Council Officers. However, in general Council’s business as usual activities have continued as is.

The Ombudsman and Privacy Commissioner are investigating?

At the Office of the Ombudsman’s request, Council has provided a number of documents and Council will continue to provide the Office with all of the information they require. With regard to the Privacy Commissioner we are not aware of an investigation. However, we are aware a complaint was laid. Council Officers will work with the Privacy Commissioner’s Office and provide them with all information they request.


Outstanding emails highlighted in the incomplete Internal Audit report

The incomplete report also highlighted quarantining of emails between an employee of a Council Controlled Organisation that was being wound down, and the then Mayor. The reasoning for the quarantining is now qualified privilege. Note: This is the only instance of emails leaving HDC building and from an Elected Member being quarantined.


What about the other emails in the report?

The incomplete audit report makes reference to an email with a Facebook address being included in the quarantine and another address. It is thought both addresses are related to Spam and not quarantining. It also refers to an email address of a contractor of Council, this address was not part of quarantining.


Statement from the Chief Executive

Quarantining emails was always about the safety and wellbeing of my employees. No-one deserves to be treated with the disrespect that has been afforded some Officers of Council by a small minority of people.

I am very proud of my employees who serve our community with dedication, diligence and passion. They deserve the right to feel safe and to work unimpeded by political interference.

We are a democratic organisation and over the years the level of disrespect by a small minority of Elected Members has made it difficult for Council Officers to carry out their roles. I am very pleased to say this situation has improved. Currently, no Elected Member is quarantined – there has been a vast improvement in the quality of the emails and I believe this procedure led to that happening.

We are also a multicultural organisation and as this procedure has been one way that I was able to protect Officers from insulting commentary.

The wellbeing of my employees is paramount – I would do it again in a heartbeat! However, I would ensure the procedure was in Council’s Electronic Email Usage Policy.

I am grateful to Council Officers for continuing to operate and provide service to the residents and ratepayers of Horowhenua during this turbulent time.

I acknowledge the support of Council Officers during this period – It has been humbling!

I want to acknowledge the steadfast support of the majority of Elected Members during what has been an unprecedented attack on my professionalism and integrity – the unfounded allegations have been kicked to touch.

I want to publically thank my partner, who has been put through the mill – she did not sign-up for this.

As I have said to Elected Members, I am here for the long haul and will work with them to help our District grow and prosper so that we can continue to improve the lives of our residents.

David Clapperton

Chief Executive