AGENDA

 

Audit & Risk Committee meeting

Monday, 23 February 2026

I hereby give notice that an Audit & Risk Committee meeting will be held on:

Date: Monday, 23 February 2026

Time: 9:00 am

Location: Tauranga City Council Chambers, L1, 90 Devonport Road, Tauranga

Please note that this meeting will be livestreamed and the recording will be publicly available on Tauranga City Council's website: www.tauranga.govt.nz.

Marty Grenfell

Chief Executive

 


Terms of reference – Audit & Risk Committee

 

 

 

 

Common responsibility and delegations

 

The following common responsibilities and delegations apply to all standing committees.

 

 

Responsibilities of standing committees

·       Establish priorities and guidance on programmes relevant to the Role and Scope of the committee.

·       Provide guidance to staff on the development of investment options to inform the Long Term Plan and Annual Plans.

·       Report to Council on matters of strategic importance.

·       Recommend to Council investment priorities and lead Council considerations of relevant strategic and high significance decisions.

·       Provide guidance to staff on levels of service relevant to the role and scope of the committee.

·       Establish and participate in relevant task forces and working groups.

·       Engage in dialogue with strategic partners, such as Smart Growth partners, to ensure alignment of objectives and implementation of agreed actions.

·       Confirmation of committee minutes.

 

 

Delegations to standing committees

·       To make recommendations to Council outside of the delegated responsibility as agreed by Council relevant to the role and scope of the Committee.

·       To make all decisions necessary to fulfil the role and scope of the Committee subject to the delegations/limitations imposed.

·       To develop and consider, receive submissions on and adopt strategies, policies and plans relevant to the role and scope of the committee, except where these may only be legally adopted by Council.

·       To consider, consult on, hear and make determinations on relevant strategies, policies and bylaws (including adoption of drafts), making recommendations to Council on adoption, rescinding and modification, where these must be legally adopted by Council.

·       To approve relevant submissions to central government, its agencies and other bodies beyond any specific delegation to any particular committee.

·       Engage external parties as required.

 


 

 


 

 

Membership

Chair: Dame Kerry Prendergast

Deputy chair: Cr Steve Morris

Members:

·       Deputy Mayor Jen Scoular

·       Mayor Mahé Drysdale (ex officio)

·       Rohario Murray - Tangata Whenua Representative

Non-voting members: (if any)

Quorum: Half of the members present, where the number of members (including vacancies) is even; and a majority of the members present, where the number of members (including vacancies) is odd.

Meeting frequency: Quarterly

 

Role

The role of the Audit and Risk Committee is:

·       To assist and advise the Council in discharging its responsibility and ownership of health and safety, risk management, internal control, and financial management practices, frameworks and processes to ensure that these are robust and appropriate to safeguard the Council’s staff and its financial and non-financial assets.

Scope

·       Oversee Council’s relationship with the external auditor.

·       Review with the external auditor, before the audit commences, the areas of audit focus and the audit plan.

·       Review with the external auditor, representations required by elected representatives and senior management for the purposes of the audit.

·       Receive and review the external auditor’s report on the audit and management’s responses to any issues raised.

·       Make any recommendations necessary to the Office of the Auditor-General regarding the appointment or re-appointment of an external auditor. 

·       Review and approve an annual internal audit plan, including the integration of that plan with Council’s risk profile, and monitor the implementation of that plan.

·       Review the reports of the internal audit function, in particular considering findings, conclusions, and recommendations and management’s response to such.  Make any recommendations to Council on such as the Committee considers appropriate. 

·       Review, approve and monitor the implementation of Council’s Risk Management Policy, including regular review of the corporate risk register.

·       Review reporting of new or emerging risks as needed.

·       Review the effectiveness of risk management and internal control systems including all material financial, operational, compliance, and other managerial controls.

·       Review the effectiveness of health and safety policies and processes to ensure a healthy and safe workplace for representatives, staff, contractors, visitors and the public.

·       Assist elected representatives and the Chief Executive to discharge their statutory roles as ‘officers’ in terms of the Health and Safety at Work Act 2015.

·       Monitor compliance with laws and regulations as appropriate. 

·       Review and provide advice on policies relevant to the Committee’s role including, but not limited to, policies addressing fraud, protected disclosures, and conflicts of interest.

·       Review and monitor policy and processes to manage responsibilities under the Local Government Official Information and Meetings Act 1987 and the Privacy Act 2020 and any actions from any Office of the Ombudsman's report.

·       Review and monitor current and potential litigation and other legal risks.

Power to Act

·       To make all decisions necessary to fulfil the role, scope and responsibilities of the Committee subject to the limitations imposed.

·       To establish sub-committees, working parties and forums as required.

Power to Recommend

·       To Council and/or any standing committee as it deems appropriate.

 

 


Audit & Risk Committee meeting Agenda

23 February 2026

 

Order of Business

1         Opening karakia

2         Apologies

3         Public forum

4         Acceptance of late items

5         Confidential business to be transferred into the open

6         Change to order of business

7         Confirmation of minutes

7.1          Minutes of the Audit & Risk Committee meeting held on 17 November 2025

8         Declaration of conflicts of interest

9         Business

9.1          Results of 2024/25 Audit by Audit New Zealand

9.2          Business Continuity Policy

9.3          Health, Safety and Wellbeing Quarterly Report: Q2 October to December 2025

9.4          LGOIMA and Privacy Q2 Report for 2025/26

9.5          Status Update on actions from prior Audit & Risk Committee meetings

10      Discussion of late items

11      Public excluded session

11.1        Public Excluded Minutes of the Audit & Risk Committee meeting held on 17 November 2025

11.2        Internal Audit & Assurance - Quarterly Update

11.3        Risk Register - Quarterly Update

11.4        Health, Safety and Wellbeing Quarterly Report: Q2 October to December 2025

11.5        Digital/Cyber Risk Quarterly Report

11.6        Public Excluded Attachment to Item 9.5 - Status Update on actions from prior Audit & Risk Committee meetings

12      Closing karakia

 

 


1           Opening karakia

2           Apologies

3           Public forum 

4           Acceptance of late items

5           Confidential business to be transferred into the open

6           Change to order of business

 



 

7           Confirmation of minutes

7.1         Minutes of the Audit & Risk Committee meeting held on 17 November 2025

File Number:           A19711978

Author:                    Anahera Dinsdale, Governance Advisor

Authoriser:              Sarah Holmes, Team Leader: Governance & CCO Support Services

 

 

Recommendations

That the Minutes of the Audit & Risk Committee meeting held on 17 November 2025 be confirmed as a true and correct record.

 

 

 

Attachments

1.       Minutes of the Audit & Risk Committee meeting held on 17 November 2025 

 

 

 



DRAFT MINUTES

Audit & Risk Committee meeting

Monday, 17 November 2025

 


 

Order of Business

1         Opening karakia

2         Apologies

3         Public forum

4         Acceptance of late items

5         Confidential business to be transferred into the open

6         Change to order of business

7         Confirmation of minutes

7.1          Minutes of the Audit & Risk Committee meeting held on 21 July 2025

8         Declaration of conflicts of interest

9         Business

9.1          Status Update on actions from prior Audit & Risk Committee meetings

9.2          Risk Appetite Report - November 2025

9.4          Policy Review - Risk Management Policy

9.3          Policy Review - Conflicts of Interest Policy

9.5          Policy Review - Privacy Policy

9.6          LGOIMA and Privacy Q1 Report for 2025/26

10      Discussion of late items

11      Public excluded session

11.1        Public Excluded Minutes of the Audit & Risk Committee meeting held on 21 July 2025

11.2        Digital/Cyber Risk Quarterly Report

11.3        Risk Register - Quarterly Update

11.4        Internal Audit & Assurance - Quarterly Update

11.5        Health, Safety and Wellbeing Quarterly Report: Q1 July to September 2025

Confidential Attachment 2     9.1 - Status Update on actions from prior Audit & Risk Committee meetings

Confidential Attachment 2     9.2 - Risk Appetite Report - November 2025

Confidential Attachment 3     9.2 - Risk Appetite Report - November 2025

12      Closing karakia

 

 


 

MINUTES OF Tauranga City Council

Audit & Risk Committee meeting

HELD AT THE Tauranga City Council Chambers, L1 Road, Tauranga

ON Monday, 17 November 2025 AT 9.30am

 

 

MEMBERS PRESENT:

Deputy Mayor Jen Scoular, Cr Steve Morris, Mayor Mahé Drysdale, Tangata Whenua Representative Rohario Murray

ALSO PRESENT

Cr Glen Crowther, Cr Marten Rozeboom, Cr Rod Taylor

IN ATTENDANCE:

Marty Grenfell (Chief Executive), Kathryn Sharplin (Acting COFO), Anahera Dinsdale (Governance Advisor), Caroline Irvin (Governance Advisor)

 

Timestamps are included at the start of each item and signal where the agenda item can be found in the recording of the meeting held on 17 November 2025 at Tauranga City Council’s YouTube Channel.

1           Opening karakia

Tangata Whenua Representative Rohario Murray opened the meeting with a karakia.

 

2           Apologies

Nil

 

3           Public forum

Nil

 

4           Acceptance of late items

Nil

 

5           Confidential business to be transferred into the open

Nil

6           Change to order of business

The Chair advised that item 9.4 – Policy Review – Risk Management Policy would be addressed before item 9.3 – Policy Review – Conflicts of Interest Policy.

 

7           Confirmation of minutes

Timestamp: 6 minutes

7.1         Minutes of the Audit & Risk Committee meeting held on 21 July 2025

Committee Resolution  AR/25/4/1

Moved:       Tangata Whenua Representative Rohario Murray

Seconded:  Deputy Mayor Jen Scoular

That the Minutes of the Audit & Risk Committee meeting held on 21 July 2025 be confirmed as a true and correct record subject to the following corrections:

(a)          Members Present section of minutes – Correct Cr Marten Rozeboom spelling of name.

 

Carried

 

8           Declaration of conflicts of interest

Nil

 

9           Business

Timestamp: 8 minutes

9.1         Status Update on actions from prior Audit & Risk Committee meetings

Staff           Kathryn Sharplin, Acting COFO

 

Committee Resolution  AR/25/4/2

Moved:       Deputy Mayor Jen Scoular

Seconded:  Tangata Whenua Representative Rohario Murray

That the Audit & Risk Committee:

(a)     Receives the report "Status Update on actions from prior Audit & Risk Committee meetings".

(b)     Attachment 2 can be transferred into the open can be released when the full report is reviewed

Carried

 

 

 

 

 

Timestamp: 13 minutes

9.2         Risk Appetite Report - November 2025

Staff           Chris Quest, Manager Risk & Assurance

                   Chris Smith, Risk and Business Continuity Advisor

 

 

Resolution Note:

·             Resolution (b) should reference Attachment 1 not Attachment 2. This was corrected at the meeting.

Committee Recommendation

Moved:       Mayor Mahé Drysdale

Seconded:  Cr Steve Morris

That the Audit & Risk Committee:

(a)     Receives the report "Risk Appetite Report - November 2025".

(b)     Endorses the risk appetite statements as outlined in Attachment 1 of this report.

(c)     Commences a 12-month reporting cycle of Tauranga City Council’s risk against the preliminary risk appetite statements to further define tolerance levels and consequences.

(d)     Attachment 2 to remain in public excluded permanently.

(e)     Attachment 3 to remain in public excluded permanently.

 

 

An amendment was proposed:

 

Moved:       Tangata Whenua Representative Ms Rohario Murray

Seconded:  Deputy Mayor Jen Scoular

 

(f)           That the Environmental risk be moved from moderate to low risk appetite

 

For:                 Deputy Mayor Jen Scoular, Cr Steve Morris and Tangata Whenua Representative Rohario Murray

Against:           Cr Mahé Drysdale

carried 3/1

Committee Resolution  AR/25/4/3

Moved:       Mayor Mahé Drysdale

Seconded:  Cr Steve Morris

That the Audit & Risk Committee:

(a)     Receives the report "Risk Appetite Report - November 2025".

(b)     Endorses the risk appetite statements as outlined in Attachment 1 of this report.

(c)     Commences a 12-month reporting cycle of Tauranga City Council’s risk against the preliminary risk appetite statements to further define tolerance levels and consequences.

(d)     Attachment 2 to remain in public excluded permanently.

(e)     Attachment 3 to remain in public excluded permanently.

(f)      That the Environmental risk be moved from moderate to low risk appetite

Carried

Timestamp: 51 minutes

9.4         Policy Review - Risk Management Policy

Staff           Chris Quest, Manager Risk & Assurance

                   Chris Smith, Risk and Business Continuity Advisor

                   Sharon Herbst, Policy Analyst

 

Actions

·             That staff create a glossary of terms, in particular with how it refers to all associated with TCC and the groupings thereof.

Committee Resolution  AR/25/4/4

Moved:       Cr Steve Morris

Seconded:  Deputy Mayor Jen Scoular

That the Audit & Risk Committee:

(a)     Receives the report "Policy Review - Risk Management Policy".

(b)     Approves and adopts the revised Risk Management Policy incorporating changes provided in the report for the policy to take effect immediately, including:

(i)      updating the definitions of the terms Business Continuity, Council, Tauranga City Council, the Committee, council staff, risk, Enterprise Risk Management System (ERMS), group and division

(ii)      including Te Ao Māori principles in the principles section of the policy in alignment with Tauranga City Council’s Code of Conduct/ Ngā Kawa Arataki

(iii)     updating the responsibilities in the policy for Council, the Committee and the Chief Executive

(iv)    changing the frequency of the review of risk registers from quarterly by department to regularly by each division

(v)     including a description of strategic risks and how they are recorded.

(c)     Delegates to the Acting Chief Operating and Financial Officer - Commercial and General Counsel to make any necessary minor drafting or presentation changes to the Risk Management Policy prior to it being published.

Carried

 

Timestamp: 1 hour

9.3         Policy Review - Conflicts of Interest Policy

Staff           Chris Quest, Manager Risk & Assurance

                   Chris Smith, Risk and Business Continuity Advisor

                   Sharon Herbst, Policy Analyst

Committee Resolution  AR/25/4/5

Moved:       Cr Steve Morris

Seconded:  Tangata Whenua Representative Rohario Murray

That the Audit & Risk Committee:

(a)     Receives the report "Policy Review - Conflicts of Interest Policy".

(b)     Endorses the updated policy (Attachment One).

 

Carried

 

Timestamp: 1 hour and 12 minutes

9.5         Policy Review - Privacy Policy

Staff           Andrew Hough, General Counsel

                   Sharon Powell, Privacy Officer

                   Sharon Herbst, Policy Analyst

Committee Resolution  AR/25/4/6

Moved:       Mayor Mahé Drysdale

Seconded:  Deputy Mayor Jen Scoular

That the Audit & Risk Committee:

(a)     Receives the report "Policy Review - Privacy Policy".

(b)     Endorses the creation of a new Privacy Policy (Attachment One) for the Executive to consider and adopt, which includes:

(i)      a scope that includes all council workers, including the mayor, councillors and persons appointed to council committees

(ii)      applying the Information Privacy Principles (IPPs) and ensuring appropriate systems are in place to manage personal information

(iii)     a commitment to enhancing culturally aligned practices

(iv)    an annually reviewed privacy statement on the council website

(v)     clear roles and responsibilities for privacy officers

(vi)    annual privacy training for workers

(vii)    effective management of privacy breaches.

Carried

 

Timestamp: 1 hour 17 minutes

 

 

 

 

9.6         LGOIMA and Privacy Q1 Report for 2025/26

Staff           Kathryn Norris, Team Leader: Information Requests

Committee Resolution  AR/25/4/7

Moved:       Mayor Mahé Drysdale

Seconded:  Deputy Mayor Jen Scoular

That the Audit & Risk Committee:

(a)     Receives the report " LGOIMA and Privacy Q1 Report for 2025/26".

Carried

 

10         Discussion of late items

Nil

11         Public excluded session

Resolution to exclude the public

Committee Resolution  AR/25/4/8

Moved:       Deputy Mayor Jen Scoular

Seconded:  Tangata Whenua Representative Rohario Murray

That the public be excluded from the following parts of the proceedings of this meeting.

The general subject matter of each matter to be considered while the public is excluded, the reason for passing this resolution in relation to each matter, and the specific grounds under section 48 of the Local Government Official Information and Meetings Act 1987 for the passing of this resolution are as follows:

General subject of each matter to be considered

Reason for passing this resolution in relation to each matter

Ground(s) under section 48 for the passing of this resolution

11.1 - Public Excluded Minutes of the Audit & Risk Committee meeting held on 21 July 2025

s7(2)(a) - The withholding of the information is necessary to protect the privacy of natural persons, including that of deceased natural persons

s7(2)(b)(i) - The withholding of the information is necessary to protect information where the making available of the information would disclose a trade secret

s7(2)(g) - The withholding of the information is necessary to maintain legal professional privilege

s7(2)(h) - The withholding of the information is necessary to enable Council to carry out, without prejudice or disadvantage, commercial activities

s7(2)(i) - The withholding of the information is necessary to enable Council to carry on, without prejudice or disadvantage, negotiations (including commercial and industrial negotiations)

s7(2)(j) - The withholding of the information is necessary to prevent the disclosure or use of official information for improper gain or improper advantage

s48(1)(a) - the public conduct of the relevant part of the proceedings of the meeting would be likely to result in the disclosure of information for which good reason for withholding would exist under section 6 or section 7

11.2 - Digital/Cyber Risk Quarterly Report

s7(2)(a) - The withholding of the information is necessary to protect the privacy of natural persons, including that of deceased natural persons

s7(2)(b)(i) - The withholding of the information is necessary to protect information where the making available of the information would disclose a trade secret

s48(1)(a) - the public conduct of the relevant part of the proceedings of the meeting would be likely to result in the disclosure of information for which good reason for withholding would exist under section 6 or section 7

11.3 - Risk Register - Quarterly Update

s7(2)(j) - The withholding of the information is necessary to prevent the disclosure or use of official information for improper gain or improper advantage

s48(1)(a) - the public conduct of the relevant part of the proceedings of the meeting would be likely to result in the disclosure of information for which good reason for withholding would exist under section 6 or section 7

11.4 - Internal Audit & Assurance - Quarterly Update

s7(2)(j) - The withholding of the information is necessary to prevent the disclosure or use of official information for improper gain or improper advantage

s48(1)(a) - the public conduct of the relevant part of the proceedings of the meeting would be likely to result in the disclosure of information for which good reason for withholding would exist under section 6 or section 7

11.5 - Health, Safety and Wellbeing Quarterly Report: Q1 July to September 2025

s7(2)(a) - The withholding of the information is necessary to protect the privacy of natural persons, including that of deceased natural persons

s48(1)(a) - the public conduct of the relevant part of the proceedings of the meeting would be likely to result in the disclosure of information for which good reason for withholding would exist under section 6 or section 7

Confidential Attachment 2 - 9.1 - Status Update on actions from prior Audit & Risk Committee meetings

s7(2)(j) - The withholding of the information is necessary to prevent the disclosure or use of official information for improper gain or improper advantage

s48(1)(a) the public conduct of the relevant part of the proceedings of the meeting would be likely to result in the disclosure of information for which good reason for withholding would exist under section 6 or section 7

Confidential Attachment 2 - 9.2 - Risk Appetite Report - November 2025

s7(2)(j) - The withholding of the information is necessary to prevent the disclosure or use of official information for improper gain or improper advantage

s48(1)(a) the public conduct of the relevant part of the proceedings of the meeting would be likely to result in the disclosure of information for which good reason for withholding would exist under section 6 or section 7

Confidential Attachment 3 - 9.2 - Risk Appetite Report - November 2025

s7(2)(c)(i) - The withholding of the information is necessary to protect information which is subject to an obligation of confidence or which any person has been or could be compelled to provide under the authority of any enactment, where the making available of the information would be likely to prejudice the supply of similar information, or information from the same source, and it is in the public interest that such information should continue to be supplied

s48(1)(a) the public conduct of the relevant part of the proceedings of the meeting would be likely to result in the disclosure of information for which good reason for withholding would exist under section 6 or section 7

 

Carried

 

12         Closing karakia

Cr Steve Morris closed the meeting with a karakia.

 

 

 

The meeting closed at 11:28am.

 

The minutes of this meeting were confirmed as a true and correct record at the Audit & Risk Committee meeting held on 23 February 2026.

 

 



 

8           Declaration of conflicts of interest

 



 

9           Business

9.1         Results of 2024/25 Audit by Audit New Zealand

File Number:           A19471414

Author:                    Marin Gabric, Team Leader - Financial Accounting and Compliance

Sheree Covell, Manager: Treasury & Financial Processes

Authoriser:              Craig Rice, Chief Operating and Financial Officer

 

 

Purpose of the Report

1.   The purpose of this report is to present Audit New Zealand’s (Audit NZ) findings from the audit of Tauranga City Council for the year ended 30 June 2025. The two Audit NZ reports outline the results of the annual audit and highlight the areas where Council is performing well and those where improvements are recommended.

 

Recommendations

That the Audit & Risk Committee:

(a)     Receives the report "Results of 2024/25 Audit by Audit New Zealand".

(b)     Notes the recommendations from Audit NZ contained within the report to Council.

 

Executive Summary

2.   This report presents Audit New Zealand’s (Audit NZ) findings from the audit on TCC for the year ended 30 June 2025. The two Audit NZ reports outline the results of the annual audit, highlighting areas where Council is performing well and areas where improvements are recommended. While no significant risks require the Committee’s attention, all new matters identified during the audit are summarised in the background section of this report.

3.   While this is a report on the Audit of the 2024/25 financial year, additional information has been added for your consideration. The background section of this report highlights matters that will likely have an impact on the 2025/26 Audit and Annual Report. The attached 2025/26 Audit NZ Audit Plan confirms that these matters will require specific audit focus.

Background

4.   Audit New Zealand has completed its audit of TCC for the year ended 30 June 2025. An unmodified opinion was given for the adoption of the 2025 Annual Report on 29 October 2025. 

5.   The audit report outlines matters identified during the audit, makes recommendations and includes Council comments on these recommendations. An update on matters identified during the previous audit is also provided.

6.   Audit NZ provides recommendations for improvement and prioritises these as urgent, necessary, or beneficial. The report also reviews earlier recommendations and notes whether these have been addressed by Council.

7.   There were six new recommendations made by audit, five of which are deemed medium risk and one low. These recommendations are detailed below.

8.   New Recommendation #1:  One Councillor failed to declare an interest in Council’s Conflict of Interest Register.

9.   During NZ Audit’s review of the Council's Interest Register, NZ Audit identified one instance where a Councillor failed to declare an interest. Council currently reviews the Interest Register six-monthly; Council will now undertake quarterly reviews by Internal Audit/Risk/Democracy.

10.    New Recommendation #2:  The Mayor’s expenditure was not approved in one instance.

11.    The Elected Members’ Expense and Resource Policy requires all the Mayor’s expenditure to be approved by the Deputy Mayor or CEO.

12.    The process has been confirmed with relevant staff and governors and will be followed going forward. In this instance there was verbal approval, which was not documented.

13.    New Recommendation #3: Capitalisation should occur in the correct accounting period to support accurate financial reporting and depreciation calculations. 

14.    A vehicle asset was recorded in July 2024, but the documentation was dated June 2024. Value was $61k. High level checks were done on material WIP balances and adjusted accordingly. This instance was not considered material by Council staff.

15.    New Recommendation #4:  A Journal for fuel allocation was not authorised. 

16.    This has been raised with the team concerned and the process of authorising journals has been noted. 

17.    New Recommendation #5:  Two of Council’s CCOs did not meet their statutory deadline to be audited.

18.    After multiple requests from Council staff to the Office of the Auditor General, and the team at Audit NZ, an auditor was appointed for Te Manawataki o Te Papa Limited and Te Manawataki o Te Papa Charitable Trust. The statutory accounts were audited post adoption. Going forward this will not be an issue. The finance team work closely with the CCOs and note the Annual Reports are being prepared in a timely manner but the market for auditors still remains constrained and beyond the control of Council.   

19.    New Recommendation #6:  City Operations have no Delegated Financial Approval for work conducted by City Care Ltd. 

20.    There is an existing agreement in place between Tauranga City Council and City Care Ltd (CCL) whereby maintenance requests are issued by Council to CCL. When the work has been completed, CCL notifies Council and provides a summary of the work performed, together with costings and photos as evidence of the work performed. The workflow is then closed off by Council staff (Senior Infrastructure Information Specialist). Currently the Senior Infrastructure Information Specialist does not have a Delegated Financial Authority, and no financial approval takes place for City Operations’ work orders. 

21.    Prior Year Recommendations 

22.    There are nine recommendations from prior years, all of which continue to be monitored and worked on.  The detail and Council staff comments are on pages 6-11 of the Audit Management Report.  Staff continue to work on solutions for these recommendations but consider them to be of low risk to the organisation.

23.    Matters for Consideration for 2025/26 Audit & Annual Report:

24.    While the impacts are not fully known, the following matters will likely be of concern to Audit NZ during the preparation of the Audit and Annual Report.

25.    The recent Mauao weather event will incur unbudgeted costs, which will go through a cost recovery process and create potential accounting considerations for Audit NZ to review as part of the 2025/26 Audit.

26.    Mauao landslides will include significant write downs of the holiday park assets and Mount Hot Pools within Bay Venues Ltd accounts for the 2025/26 financial year. There will also be impacts for budgeted revenue and expenses for the remainder of the 2025/26 financial year for both of these venues. The effects of this event have unidentified costs that will also affect the remainder of Council’s Annual Financial Statements.

27.    Revaluations of major infrastructure assets occur on a three-year cycle. In the 2025/26 financial year the items to revalue include Spaces & Places Assets (parks & reserves), Airport Infrastructure and Marine Assets.

Impacts of the revaluations will be presented in the first draft of the 2025/26 Annual Report, which will be presented at the September 2026 City Delivery Committee meeting.

28.    The potential Local Water Done Well (LWDW) transfer to the new entity in 2027 will not have a significant impact on Council’s Annual Report for the 2025/26 financial year. The expectation is that for the 2026/27 financial year, there will be a significant focus and impact on the Annual Report. This is dependent on decisions regarding structure, ownership and guarantees, which will be decided by Council.

29.    The attached 2025/26 audit plan from Audit NZ confirms that these matters will require specific focus during the annual audit.  Outside of these matters the focus continues to be the value and capitalisation of assets as well as the accounting treatment of significant financial transactions.

Statutory Context

30.    The audit report is part of the process of financial accounting and reporting set out under the Local Government Act 2002.

Options Analysis

31. There are no options presented in this report.

Financial Considerations

32.    Audit NZ have indicated there will be some cost overruns from the Audit. These have not been quantified at the time of preparing this document.

Legal Implications / Risks

33.    There are no specific legal implications or risks directly as a result of this report.

Consultation / Engagement

34.    No further consultation or engagement is required in relation to this document.

Significance

35.    The Local Government Act 2002 requires an assessment of the significance of matters, issues, proposals and decisions in this report against Council’s Significance and Engagement Policy. Council acknowledges that in some instances a matter, issue, proposal or decision may have a high degree of importance to individuals, groups, or agencies affected by the report.

36.    This assessment considers the impact and potential consequences for:  

(a)    the current and future social, economic, environmental, or cultural well-being of the district or region

(b)    any persons who are likely to be particularly affected by, or interested in, the decision.

(c)    the capacity of the local authority to perform its role, and the financial and other costs of doing so.

37.    In accordance with the considerations above, criteria and thresholds in the policy, it is considered that the matter is of low significance.

ENGAGEMENT

38.    Taking into consideration the above assessment, that the matter is of low significance, staff are of the opinion that no further engagement is required prior to Council making a decision.

Next Steps

39.    Council will continue to work through Audit NZ’s recommendations for improvement in our processes and reporting.

40.    The impacts of LWDW and the Mauao weather event and asset revaluations will be presented in the 2025/26 Annual Report.

Attachments

1.       2025 Report to Governors on the audit of TCC (Final) - A19717991

2.       2025 Report to Management on the audit of TCC (Final) - A19717993

3.       TCC Audit Plan June 2026 (Final) - A19753969  

 

 



 

9.2         Business Continuity Policy

File Number:           A19580655

Author:                    Sharon Herbst, Policy Analyst

Chris Quest, Manager: Risk & Assurance

Chris Smith, Risk and Business Continuity Advisor

Authoriser:              Craig Rice, General Manager: Chief Operating and Financial Officer

 

 

Purpose of the Report

1.      To approve and adopt a new Business Continuity Policy.

 

Recommendations

That the Audit & Risk Committee:

(a)     Receives the report "Business Continuity Policy".

(b)     Approves and adopts a new Business Continuity Policy to take effect immediately which includes:

(i)      Te Ao Māori principles and council values

(ii)      a commitment to business continuity and a consistent process for all staff

(iii)     governance roles and responsibilities

(iv)    assumptions about continuity and recovery and council actions to support them

(v)     activation criteria and triggers for Business Continuity Plans

(vi)    identification and management of high-impact events.

(c)     Delegates to the Chief Operating and Financial Officer and General Counsel to make any necessary minor drafting or presentation changes to the Business Continuity Policy, prior to it being published.

 

 

 

Executive Summary

2.       The Audit & Risk Committee (the Committee) is asked to approve and adopt a new Business Continuity Policy (the policy) for Tauranga City Council (the council). This policy strengthens organisational resilience by ensuring essential services can continue or recover quickly during disruptions through a structured Business Continuity Management System.

3.       When reviewing policies that have a relevant international standard (such as business continuity and risk management), the council ensures alignment with that standard[1]. The Risk Management Policy, which was revised and approved in November 2025, aligns with the risk standard (ISO 31000). During that review, we identified a gap in meeting the business continuity standard (ISO 22301).

4.       To address this gap, we recommended developing a new Business Continuity Policy that provides the necessary depth and operational clarity to make continuity arrangements actionable, measurable, and embedded across the organisation.

5.       On 19 February 2025, the Committee agreed to include a Business Continuity Policy in its forward work plan to be presented to the Committee in February 2026. This work aligns with the Committee’s Terms of Reference, which include overseeing risk management and the effectiveness of internal control systems[2].

6.       The new policy sets high-level commitments, principles, and governance responsibilities. It is supported by an operational framework that details processes for business impact analysis, threat and risk assessment, continuity planning, testing, and review. Together, these documents embed resilience across the organisation and reflect our decentralised model, where divisions must engage with continuity planning.

7.       The Executive considered the draft policy and framework on 4 February 2026 and recommended the Committee adopt the policy. The Committee is asked to confirm the recommended policy elements and adopt the policy (Attachment One). The framework has been endorsed by the Executive and will guide implementation; it does not require Committee approval. Current budgets are sufficient to support delivery, and any additional resource needs will be addressed through standard planning processes.

8.       There is low to moderate public interest, so no public consultation is planned.

9.       There are no direct financial implications in adopting this policy. 

10.     If approved, staff will finalise the policy, begin implementation of the Business Continuity Management System, and report progress to the Committee.

Background

11.     As a public organisation, the council must be prepared to respond effectively to unplanned events that could impact service delivery, community wellbeing, or organisational viability. During the recent review of the Risk Management Policy, which now aligns with the ISO 31000 risk standard, we identified a gap in meeting the ISO 22301 business continuity standard. To address this, a standalone Business Continuity Policy has been developed to ensure continuity arrangements are actionable, measurable, and embedded across the organisation. This supports our commitment to protecting people, assets, and reputation while maintaining public confidence.

12.     The policy and framework have been developed as complementary documents to guide the council’s approach to resilience and service continuity.

(a)     The policy sets out high-level commitments to business continuity, principles, governance responsibilities, and expectations for maintaining essential services.

(b)     The framework operationalises the policy by detailing the structure, processes, and tools of the Business Continuity Management System. It includes methodologies for business impact analysis, threat and risk assessment, continuity planning, testing, and review. 

13.     On 4 February 2026, the Executive considered the draft policy and framework, endorsed the framework, and recommended that the Committee adopt the policy.

Statutory Context

14.     While the Local Government Act 2002 does not mandate a standalone business continuity policy, structured continuity planning supports prudent management and service resilience, aligning with council’s obligations under the Act. The Civil Defence Emergency Management Act 2002 requires local authorities to plan for the continuation of essential services during and after emergencies. It mandates coordinated emergency management planning, making business continuity a core responsibility for councils.

15.     The Emergency Management Bill, set to replace the Civil Defence Emergency Management Act 2002, will strengthen local accountability, raise minimum standards for emergency planning, and ensure continuity of essential services through a whole-of-society approach.

STRATEGIC ALIGNMENT

16.     This contributes to the promotion or achievement of the following strategic community outcome(s):

Contributes:

·     We are an inclusive city ✓

·     We value, protect and enhance the environment ✓

·     We are a well-planned city that is easy to move around ✓

·     We are a city that supports business and education ✓

·     We are a vibrant city that embraces events ✓

 

17.     Business continuity planning supports these outcomes by ensuring essential services remain available during disruptions: protecting vulnerable communities, safeguarding environmental assets, maintaining transport and infrastructure, enabling business and education continuity, and preserving the city’s cultural vibrancy through resilient event planning.

Options Analysis

18.     The policy (Attachment One) and framework have been developed as complementary documents to guide council’s approach to resilience and service continuity.

19.     The documents have been developed collaboratively by the Risk and Assurance and Policy teams and reviewed by the Emergency Management team. The Risk and Assurance team will support implementation of the policy, while the Executive will endorse the policy and approve the framework. The Committee are asked to confirm their approval of the creation of a new policy (Issue 1), confirm the policy elements to be included in the policy (Issue 2) and adopt the proposed policy (Attachment One).

Issue 1: Adopting a Business Continuity Policy

20.     While business continuity is referenced in the Risk Management Policy, there is currently no standalone document outlining the council’s overarching approach. A dedicated policy would elevate visibility, clarify roles, and support compliance with ISO 22301.

 

Table 1: Options for adopting a Business Continuity Policy

Option 1a: Create and adopt a new business continuity policy (Recommended)

Advantages:

·     Establishes a formal, consistent approach to continuity planning.

·     Aligns with ISO 22301 and best practice.

·     Clarifies roles and responsibilities across the organisation.

Disadvantages:

·     Adds another document to the policy suite.

·     Requires ongoing review and maintenance.

Option 1b: Status quo. Do not develop a new policy and only maintain current references within the risk management policy

Advantages:

·     Keeps policy landscape simpler.

Disadvantages:

·     Increases risk of non-compliance and reduced preparedness for disruptions.

·     Lack of commitment to develop a business continuity policy which represents best practice.

·     May lack operational clarity.

Issue 2: Business Continuity Policy elements

21.     To ensure the policy is comprehensive, practical, and aligned with council values and ISO 22301, the following elements are proposed for inclusion in the policy. The recommended content is designed to reflect strategic commitments, provide operational clarity, and ensure cultural responsiveness.

 

Table 2: Options for defining policy content

Option 2a: Include Te Ao Māori principles and council values (Recommended)

Advantages:

·     Supports culturally safe practice.

·     Supports partnership with tangata whenua and inclusive decision-making.

·     Aligns with Ngā Kawa Arataki/Code of Conduct.

·     Builds trust with communities.

Disadvantages:

·     May require ongoing training and support.

Option 2b: Include a commitment to business continuity and a consistent process for all workers (Recommended)

Advantages:

·     Reinforces organisational resilience.

·     Ensures clarity and consistency across teams.

Disadvantages:

·     May require tailored guidance for different roles.

Option 2c: Include governance roles and responsibilities (Recommended)

Advantages:

·     Clarifies accountability.

·     Supports effective implementation and oversight.

Disadvantages:

·     Adds length and complexity to the policy.

Option 2d: Outline assumptions about continuity and recovery and council actions to support them (Recommended)

Advantages:

·     Sets realistic expectations for service levels during disruption.

·     Supports planning and resource allocation.

Disadvantages:

·     May require regular review as risks and operations evolve.

Option 2e: Include activation criteria and triggers for Business Continuity Plans (Recommended)

Advantages:

·     Ensures clarity during disruptions.

·     Supports timely and structured response.

Disadvantages:

·     May require updates as new risks emerge.

·     Relies on maintenance of Business Continuity Plans.

Option 2f: Include identification and management of high-impact events (Recommended)

Advantages:

·     Strengthens preparedness for critical (or essential) services.

·     Supports targeted planning and testing.

Disadvantages:

·     May require additional coordination across teams.

 

Financial Considerations

22.     Adopting the new policy does not have any financial implications. Implementation will be managed within existing budgets; any additional resource needs will be addressed through standard planning processes.


 

Legal Implications / Risks

23.     There are no significant risks associated with the recommendations to adopt the new policy. The review process reflects best practice guidance consistent with AS/NZS ISO 31000 and AS/NZS ISO 22301, supporting a systematic and integrated approach to managing risk and organisational resilience. Adoption reduces legal and reputational risk by aligning with ISO standards and emergency management obligations.

TE AO MĀORI APPROACH

24.     Application of Te Ao Māori principles in our business continuity approach has been considered in consultation with the Takawaenga Unit. The principles section of the proposed draft policies aligns with the council’s Code of Conduct/Ngā Kawa Arataki. This includes specific examples of how the values guide the approach to business continuity through Whanaungatanga and Collaboration; Manaakitanga and Respect; Whāia te tika and Service; and Pono and Integrity.

25.     These principles guide how we plan for and respond to disruptions in ways that uphold mana, foster collaboration, and support inclusive recovery. Embedding these principles strengthens trust and ensures culturally grounded recovery planning.

CLIMATE IMPACT

26.     While there are no direct impacts resulting from the adoption of this policy, continuity planning supports resilience to climate-related disruptions.

Consultation / Engagement

27.     There is low to moderate public interest and therefore no public consultation or engagement has been undertaken. To ensure our policy remains aligned with best practice, the Risk and Assurance team continues to engage with sector peers, participate in local government forums and working groups, benchmark against other councils, review guidance from oversight bodies, incorporate feedback from internal audits, and monitor legislative and regulatory developments. Internal engagement included review by the Emergency Management team and endorsement by the Executive.

Significance

28.     The Local Government Act 2002 requires an assessment of the significance of matters, issues, proposals and decisions in this report against Council’s Significance and Engagement Policy.  Council acknowledges that in some instances a matter, issue, proposal or decision may have a high degree of importance to individuals, groups, or agencies affected by the report.

29.     In making this assessment, consideration has been given to the likely impact, and likely consequences for:

(a)    the current and future social, economic, environmental, or cultural well-being of the district or region

(b)    any persons who are likely to be particularly affected by, or interested in, the decision.

(c)    the capacity of the local authority to perform its role, and the financial and other costs of doing so.

30.     In accordance with the considerations above, criteria and thresholds in the policy, it is considered that the decision is of low significance.

ENGAGEMENT

31.     Taking into consideration the above assessment, that the decision is of low significance, officers are of the opinion that no further engagement is required prior to the Committee making a decision.

Next Steps

32.     If the Committee decides to adopt the new Business Continuity Policy, it will take effect immediately. The policy will be made available on council’s website, and the framework will be available to staff internally. Implementation will include staff training, testing of continuity plans, and regular reporting to the Committee.

Attachments

1.       Draft Business Continuity Policy - A19688013  

 

 



 

9.3         Health, Safety and Wellbeing Quarterly Report: Q2 October to December 2025

File Number:           A19727917

Author:                    Tracy Benjamin, Health, Safety & Wellness Manager

Authoriser:              Craig Rice, Chief Operating and Financial Officer

 

 

Purpose of the Report

1.       To provide an overview of Health, Safety and Wellbeing activities for the 2025 October to December quarter.

 

Recommendations

That the Audit & Risk Committee:

(a)     Receives the report "Health, Safety and Wellbeing Quarterly Report: Q2 October to December 2025".

 

 

Executive Summary

2.       Health, Safety and Wellbeing – Q2 2025/26: This report provides a summary of health, safety and wellbeing activities and outcomes for the quarter, intended to keep the Audit and Risk Committee informed. The key content this quarter raises awareness of an emerging risk with asbestos and acknowledges the recent landslip event. Whilst the landslip event did not occur within the reporting period, its significance warranted inclusion in this report. Feedback on content or topics that the Committee would like covered is welcome.

3.       Major Event – Mount Maunganui Landslip: A significant landslip occurred on 22 January 2026 at the Mount Maunganui Holiday Park, resulting in six fatalities. Council submitted a WorkSafe notification on the day and continues to fully engage in enquiries.

4.       Emerging Risk – Asbestos Management: An internal review identified improvement opportunities within council’s asbestos management system. A structured programme of work has commenced to strengthen assurance, prioritise high-risk assets for resurveying, and assess digital solutions to improve visibility, communication, and long-term management of asbestos-related risk.

5.       Event Data and Reporting Metrics: Work is nearing completion to refine event categorisation. This will improve accuracy, enable clearer insights into event data, and support more targeted interventions.

 

Attachments

1.       2025_26 Q2_HSW Quarterly Report_PDF - A19712125  

 

 



 

9.4         LGOIMA and Privacy Q2 Report for 2025/26

File Number:           A19768128

Author:                    Sarah Pharo, Administrator: Information Requests

Authoriser:              Craig Rice, Chief Operating and Financial Officer

 

 

Purpose of the Report

1.           The purpose of this report is to update the Committee on Local Government Official Information and Meetings Act 1987 (LGOIMA) and Privacy requests for Q2 of the 2025/26 financial year.

 

Recommendations

That the Audit & Risk Committee:

(a)     Receives the report "LGOIMA and Privacy Q2 Report for 2025/26".

 

 

 

Attachments

1.       Q2 Report LGOIMA and Privacy Requests - Oct-Dec 2025 - A19768115  

 

 



 

9.5         Status Update on actions from prior Audit & Risk Committee meetings

File Number:           A19711970

Author:                    Anahera Dinsdale, Governance Advisor

Authoriser:              Craig Rice, Chief Operating and Financial Officer

 

   

Purpose of the Report

1.       This report provides a status update on actions requested during previous Audit & Risk Committee meetings.

Recommendations

That the Audit & Risk Committee:

(a)  Receives the report "Status Update on actions from prior Audit & Risk Committee meetings".

(b)  Public excluded Attachment  can be transferred into the open once the report that generated this action is released from public excluded.

 

Background

2.       This is a recurring report provided to each Audit & Risk Committee meeting. The next report will be provided to the meeting on 5 May 2026.

3.       The attached update includes all open actions and actions completed since the last report on 17 November 2025. Once reported, completed actions are archived and made available in the Stellar library[3].

Discussion

4.       A summary of outstanding and recently closed actions is provided in the table below:

Status of actions (No. actions):

·     Closed (completed since the last report): 4

·     In progress: 7

·     Pending (waiting on something): 0

·     To be actioned: 0

·     Total actions included in this report: 11

 

5.       The full status update information is provided as:

Attachment 1 (5 actions from public agenda items) and

Attachment 2 (6 actions from public excluded agenda items).

Attachments

1.       Actions from Audit and Risk Committee Open 23 February 2026 - A19771074   

 



 

10         Discussion of late items

 



 

11         Public excluded session

Resolution to exclude the public

Recommendations

That the public be excluded from the following parts of the proceedings of this meeting.

The general subject matter of each matter to be considered while the public is excluded, the reason for passing this resolution in relation to each matter, and the specific grounds under section 48 of the Local Government Official Information and Meetings Act 1987 for the passing of this resolution are as follows:

11.1 - Public Excluded Minutes of the Audit & Risk Committee meeting held on 17 November 2025

Reason for passing this resolution in relation to each matter:

·     s7(2)(a) - The withholding of the information is necessary to protect the privacy of natural persons, including that of deceased natural persons

·     s7(2)(b)(i) - The withholding of the information is necessary to protect information where the making available of the information would disclose a trade secret

·     s7(2)(j) - The withholding of the information is necessary to prevent the disclosure or use of official information for improper gain or improper advantage

Ground(s) under section 48 for the passing of this resolution:

·     s48(1)(a) - the public conduct of the relevant part of the proceedings of the meeting would be likely to result in the disclosure of information for which good reason for withholding would exist under section 6 or section 7

11.2 - Internal Audit & Assurance - Quarterly Update

Reason for passing this resolution in relation to each matter:

·     s7(2)(j) - The withholding of the information is necessary to prevent the disclosure or use of official information for improper gain or improper advantage

Ground(s) under section 48 for the passing of this resolution:

·     s48(1)(a) - the public conduct of the relevant part of the proceedings of the meeting would be likely to result in the disclosure of information for which good reason for withholding would exist under section 6 or section 7

11.3 - Risk Register - Quarterly Update

Reason for passing this resolution in relation to each matter:

·     s7(2)(j) - The withholding of the information is necessary to prevent the disclosure or use of official information for improper gain or improper advantage

Ground(s) under section 48 for the passing of this resolution:

·     s48(1)(a) - the public conduct of the relevant part of the proceedings of the meeting would be likely to result in the disclosure of information for which good reason for withholding would exist under section 6 or section 7

11.4 - Health, Safety and Wellbeing Quarterly Report: Q2 October to December 2025

Reason for passing this resolution in relation to each matter:

·     s7(2)(a) - The withholding of the information is necessary to protect the privacy of natural persons, including that of deceased natural persons

Ground(s) under section 48 for the passing of this resolution:

·     s48(1)(a) - the public conduct of the relevant part of the proceedings of the meeting would be likely to result in the disclosure of information for which good reason for withholding would exist under section 6 or section 7

11.5 - Digital/Cyber Risk Quarterly Report

Reason for passing this resolution in relation to each matter:

·     s7(2)(a) - The withholding of the information is necessary to protect the privacy of natural persons, including that of deceased natural persons

·     s7(2)(b)(i) - The withholding of the information is necessary to protect information where the making available of the information would disclose a trade secret

Ground(s) under section 48 for the passing of this resolution:

·     s48(1)(a) - the public conduct of the relevant part of the proceedings of the meeting would be likely to result in the disclosure of information for which good reason for withholding would exist under section 6 or section 7

11.6 - Public Excluded Attachment to Item 9.5 - Status Update on actions from prior Audit & Risk Committee meetings

Reason for passing this resolution in relation to each matter:

·     s7(2)(j) - The withholding of the information is necessary to prevent the disclosure or use of official information for improper gain or improper advantage

Ground(s) under section 48 for the passing of this resolution:

·     s48(1)(a) - the public conduct of the relevant part of the proceedings of the meeting would be likely to result in the disclosure of information for which good reason for withholding would exist under section 6 or section 7

 

 

 

 

 

 



 

12         Closing karakia



[1] Standards jointly developed by Standards Australia and Standards New Zealand: Risk Standard AS/NZS ISO 31000 and Business Continuity Standard AS/NZS ISO 22301.

[2] The Committee’s Terms of Reference require it to “review, approve and monitor the implementation of Council’s Risk Management Policy,” “review the effectiveness of risk management and internal control systems,” and “review reporting of new or emerging risks.”

[3] Stellar pathway: Council & Committees → Audit & Risk Committee → Requests from Audit & Risk Committee meetings.