Risks and Related Projects Not Covered in the Proposed Plan

COVID-19 Emerging Risks

Risk

• Activation of BCP arrangements Management and governance structures
• New or elevated workplace health and safety IR risks associated with increased use of remote working Risk Internal Audit response
• Transparency & Employee management Protect employees during uncertainty
• Risk Culture Consider impact on risk culture across the organisation
• Fraud Lapse of key fraud controls and management attention

Internal Audit response

• Review of BCP arrangements: Critical analysis of BCP plans for weaknesses and unidentified impacts specific to COVID-19 (supply chain, staff availability, citizen demand). This could include simulation of various contingency scenarios to 'stress test' continuity plans and assess impact on associated process and controls.
• WHS remote worker readiness assessment: Assess the clarity of policies, procedures and effectiveness of communications relating to employee wellbeing and safe working arrangements from an employee perspective. Review the implementation of remote worker and mobility into BCP.
• Employer obligations for remote working: Assess processes and controls to manage impact of increased remote working arrangements and compliance with employment obligations.
• Honouring employees' entitlements: Underpayment of staff remains a hot topic across a number of industries. As the City make choices about their workforce in the time of crisis, it is critical that employees have access to entitlements and are treated with fairness. Internal Audit should focus on reviewing organisations' governance frameworks and processes related to employee entitlement policies in changing times (e.g. additional/special leave management, accuracy of wages, robustness of underlying systems that support one-off choices implemented by organisations, etc)
• Behavioural impacts of COVID-19: Employees will be facing challenges with their day-to-day tasks and decision making due to personal stress; pressure on increased demand or downturn; implications of rapid implementation of a remote workforce; potential acceptance of mistakes and oversight in the current environment; and prioritisation of 'critical activities' impacting compliance, control requirements, customer and/or regulatory obligations. This may have a direct impact on compliance with internal policies and practices, which heightens the risk faced by organisations in key areas as highlighted in this document.
• Project included in proposed plan