Proposed Project Details
Project #1: Covid Based Policy and practice amendments
Risks Touched Upon By Project
- Activation of BCP arrangements
- New or elevated workplace health and safety
- Transparency & Employee management
- Risk Culture
- Fraud
- Public Safety
- Remote administration & IT Support Capacity
- New or elevated cyber security risks
- Privacy & Data Protection
- Managing rapid infrastructure change
- Changes to the control environment
- Regulatory/government enforced changes due to COVID-19
Internal Audit response
Covid-19 policy and practice amendments: Focusing on pandemic-related updates to protocols which need to adapt to the current and medium-term (3-6 mos) realities of the pandemic response and return to normal.
Perspective:
- The prior, current and future pandemic circumstances require modification and enhancement to a wide variety of operating practices and policies to protect personnel and the public and to mitigate risk (legacy, emerging and escalating risks).
- While the project does not cover any one City function or domain in depth, it will provide a broad-based touch over known risk areas and management's response to those changes, thus using limited resources to cover a broad base of potential risk areas.
Project Focus:
We will review management's current, or planned, response to the adaptation of key policy/procedure documents for pandemic-response-related updates in areas such as:
- Business Continuity
- Pandemic Response
- Cyber Risk/Response
- Information Security (Remote access/acceptable use)
- Technology Issue Response/Coordination
- Privacy/Confidentiality
- Various approvals and Decision making authorities
- Local travel control
- Staff safety and cleanliness
- Building/Facilities
- Flexible work policies
- Remote working and enablement
- Other broad policies that protect employees
Approach:
We recognize that such operations are in a state of flux, and our input may be best provided through current state analysis and conversations with management to identify potential considerations as to how to proactively identify and mitigate risks. There will be limited to no testing as part of this project; the focus will instead be on working with management to proactively identify the risks and potential controls from our perspective for management consideration. This should enable management to have a more comprehensive solution.
Reporting:
Our report will differ from the traditional format and be a memo summarizing which areas we covered, whether they were updated or are to be updated, and the key areas of focus we recommended to management for consideration.