INTERNAL AUDIT, RISK & COMPLIANCE SERVICES

Argyll & Bute Council
Internal audit report - IT service desk review
10 June 2009
Report Number 001

This report is CONFIDENTIAL and its circulation and use are restricted – see notice on page 2

ADVISORY

Argyll & Bute Council
Internal audit report – IT service desk review
10 June 2009

Contents

Executive summary ........................................... 3
Internal audit findings to be actioned ...................... 5
Appendix 1 – Objective, scope and approach .................. 15
Appendix 2 – Classification of internal audit findings ...... 16

Distribution

For action:
- Gerry Wilson, IT Infrastructure Services Manager
- Douglas Bailey, IT Production Manager
- Iain Crockett, IT Officer (Service Desk)
- Judy Orr, Head of ICT and Financial Services
- Bruce West, Head of Strategic Finance

For information:
- The Chair and Members, Audit Committee
- Ian Nisbet, Internal Audit Manager

This report has been prepared on the basis set out in our internal audit services contract with Argyll & Bute Council (the client), dated March 2009, in respect of internal audit services, and should be read in conjunction with the contract. This report is for the benefit only of the client and the other parties that we have agreed in writing to treat as addressees of the engagement letter (together the beneficiaries), and has been released to the beneficiaries on the basis that it shall not be copied, referred to or disclosed, in whole or in part, without our prior written consent. Nothing in this report constitutes a valuation or legal advice. We have not verified the reliability or accuracy of any information obtained in the course of our work, other than in the limited circumstances set out in the engagement letter. This report is not suitable to be relied on by any party wishing to acquire rights against KPMG LLP (other than the beneficiaries) for any purpose or in any context. Any party other than the beneficiaries that obtains access to this report or a copy (under the Freedom of Information (Scotland) Act 2002 or otherwise) and chooses to rely on this report (or any part of it) does so at its own risk.

To the fullest extent permitted by law, KPMG LLP does not assume any responsibility and will not accept any liability in respect of this report to any party other than the beneficiaries.

This report is CONFIDENTIAL and its circulation and use are RESTRICTED – see notice on page 2.
© 2009 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved.

Executive summary

Summary of objective and scope

As part of the 2008-09 internal audit plan, as approved by the audit committee of Argyll and Bute Council (“the Council”), an internal audit review of the IT service desk was performed in February and March 2009.

The overall objective of this review was to consider the processes and controls to manage the IT service desk.

The specific objective, scope and approach in respect of this internal audit are detailed in Appendix 1.

Background

The Information and Communication Technology (“ICT”) service desk uses a fault and request logging and monitoring system, ‘HEAT’. The system lies at the heart of the ICT service and is used for fault recording, monitoring and sign-off as well as a central resource for recording all other requests for IT assistance.

All IT staff within ICT and financial services use the system with access also available to all departmental IT staff.

One of the key factors in measuring the success of the service desk and support functions is their ‘time to fix’ IT related problems.

The review considered all aspects of the service desk function, particularly whether the technology is being used effectively to reduce the time taken to resolve IT related problems – the ‘time to fix’. The review also considered how to increase the number of calls closed at the first time of asking.

The review used the IT Infrastructure Library (“ITIL”) framework as a structure and benchmark to compare against the Council’s IT service desk.

Key findings and recommendations

The findings identified during the course of this internal audit are summarised below. A full list of the findings and recommendations is included in this report. The classification of internal audit findings is detailed in Appendix 2.

Number of internal audit findings:
- High: -
- Medium: 5
- Low: 9

During the course of our review, based on the detailed scope of work completed, we identified no significant control weaknesses around the processes and controls to manage the IT service desk. In relation to the comparison against ITIL, a series of performance improvement opportunities have been identified.

These findings and recommendations were discussed with management, who have accepted the findings and have agreed actions to address the recommendations.

Executive summary

Summary of internal audit findings

Each entry gives the reference number, the description of the internal audit finding, its rating (High / Medium / Low) and the target date.

1. Goals and objectives. There are no formalised / published objectives, and Service Level Agreements (‘SLA’s’) for the service desk. Rating: Low. Target date: December 2009.
2. Processes and procedures. Processes and procedures are not all formalised, reviewed and regularly updated. Rating: Medium. Target date: December 2009.
3. Customer support. Customers do not have access to guidelines to enable self-service resolution of IT issues. Rating: Low. Target date: February 2010.
4. Known error database. There is no centralised ‘known error’ database or central knowledge repository. Rating: Medium. Target date: January 2010.
5. Prevention and monitoring. The process of prevention and monitoring is inconsistently applied across individual departments. Rating: Low. Target date: March 2010.
6. User self-service. Users cannot log or track the progress of calls without contacting the helpdesk. Rating: Low. Target date: March 2010.
7. Categorisation / prioritisation / diagnosis. Some calls are being incorrectly categorised and tickets can lack sufficient information to diagnose the problem. Rating: Medium. Target date: September 2009.
8. Escalation. There is a lack of formalised proactive monitoring. Rating: Low. Target date: December 2010.
9. Investigation and diagnosis. There is no formalised investigation and diagnosis process. Rating: Low. Target date: December 2010.
10. Closure and resolution satisfaction. There is a duplication of effort in closing calls and ineffective feedback on user satisfaction. Rating: Medium. Target date: March 2010.
11. Reporting. There is no formalised reporting procedure, leading to inconsistent use of the reporting function. Rating: Low. Target date: March 2010.
12. Risk management. There is no formal linkage with the Council’s risk management process. Rating: Low. Target date: December 2009.
13. Incident grouping. The incident grouping functionality is not fully utilised. Rating: Low. Target date: December 2009.
14. Service desk allocations. The service desk is not being effectively utilised due to escalation of all calls. Rating: Medium. Target date: December 2009.

Internal audit findings to be actioned

1. Goals and objectives
Rating of internal audit finding: Low

Finding(s) and impact

The service desk does not have a customer service catalogue that clearly defines targets and objectives. This has been acknowledged and is currently under development. At present the service level agreements are not published and are not updated on a regular basis. This lack of published information creates a situation where users may not be fully aware of the services provided by IT or the expected response times to resolve their problems.

In addition to limited performance related information, there are no definitions of what a standard or major incident are, other than the escalation times and prioritisation/severity of incidents which are built into the system. This can result in a lack of awareness of a major incident should it occur and no key steps to ensure quick resolution.

Recommendation(s)

1) The service desk should create and publish a detailed service catalogue that clearly defines targets and service level objectives for call resolution.
2) Management should consider developing flow charts to clearly define the routes a standard incident or a major incident should take to ensure these calls are accurately categorised.

Agreed management action(s)

Action: The service desk catalogue will be further developed to include SLAs that are agreed with the user group. Flowcharts will be created for standard and major incidents.
Responsibility: Douglas Bailey
Target Date: December 2009

2. Processes and procedures
Rating of internal audit finding: Medium

Finding(s) and impact

Although the service desk does have some processes and procedures, many of these have not been reviewed/updated regularly and do not cover all aspects of the service desk.

There is a risk that there is an inconsistent approach to the delivery of support to customers. There are key dependencies where only certain staff members can perform procedures, as they are the keepers of this knowledge and it is not fully documented.

Recommendation(s)

Management should develop policies and procedures for all parts of the service desk, including second level support teams. These should also be reviewed and updated on a regular basis.

Agreed management action(s)

Action: Policies and procedures will be developed for all parts of the ICT service desk including second level support teams. These policies will be reviewed annually.
Responsibility: Douglas Bailey
Target Date: December 2009

3. Customer support
Rating of internal audit finding: Low

Finding(s) and impact

No guidance exists at present that allows users to attempt resolution of IT issues before raising a service desk call.

The development of user guidelines would have a number of benefits, including reducing users calling the service desk unnecessarily, or without the full details required to help diagnose the problem. This would then maximise the time spent by the service desk team to identify the cause of the problem and deliver the solution.

Recommendation(s)

Management should develop a user guide to communicate how to use the service desk, details of common faults with quick fixes (i.e. password reset) and guidance on where to get additional information (e.g. MS Office user guides).

Agreed management action(s)

Action: A user guide will be created to communicate how to contact the service desk that will also show the way that faults are categorised.
Responsibility: Iain Crockett
Target Date: February 2010

4. Known error database
Rating of internal audit finding: Medium

Finding(s) and impact

The ICT department currently has no central database of known errors and resolution options. Each team has developed their own way of resolving incidents. These can include using the search function in HEAT for a similar call type, procedural documents or experience.

There is a risk that knowledge is not being shared, there is inconsistent resolution, and/or additional time to fix as information may be difficult to find.

Recommendation(s)

A centrally held ‘known error’ database should be developed to provide the following functionality:
- storage point for all procedural documentation;
- details on how to resolve common or known errors; and
- search facility to identify the appropriate solution to known problems.

Agreed management action(s)

Action: Infrastructure and applications staff will work with the user group to develop a ‘known error’ database for each section.
Responsibility: Iain Crockett
Target Date: January 2010

5. Prevention and monitoring
Rating of internal audit finding: Low

Finding(s) and impact

Monitoring to prevent incidents is performed by each department; however, these are all done in different ways, with some automated and some manually controlled. For example:
- The applications team use an automated monitoring system, Oracle’s built in tool, to monitor and raise ATG (“Automatic Ticket Generator”) tickets; and
- The servers team use various procedures which are not integrated into the ATG system.

This inconsistent approach to monitoring raises the risk that hardware and software incidents may not be identified and therefore resolved in a timely manner.

Recommendation(s)

A consistent approach should be adopted to ensure that all monitoring is automatic, where possible, and results in an ATG ticket being generated to allow a log of all service downtime or unavailability.

Agreed management action(s)

Action: We recognise that there are a number of different systems in use. A solution will be implemented where our research shows it is possible and practical to use an automated alert system.
Responsibility: Iain Crockett
Target Date: March 2010

6. User self-service
Rating of internal audit finding: Low

Finding(s) and impact

A number of inefficiencies were identified when considering the process for user self-service. These included the following points:
- Users logging calls via email do not always have enough information or may give too much information. This results in additional time for the helpdesk to call users back before being able to begin to work on a resolution.
- Users have no way of knowing the progress of their calls without calling the help desk, which results in additional call volume.
- User contact details/locations are not updated regularly. The Council has frequent staff moves between locations, offices, and departments, making it difficult to track down users, which subsequently delays the time to resolve calls.

Recommendation(s)

Management should consider updating and documenting the user self-service process, including the following points:
- Users raise tickets themselves by filling in a few key fields rather than a freeform email. These could be used to either automatically assign the call through the ATG functionality or pass to the service desk to review and allocate.
- Users can review the activity status on their ticket and ensure that all tickets are being actioned in a timely manner.
- A new update process should be implemented to ensure that all user details (telephone number, department, location and IP addresses) are updated on a regular basis.
- The call capture process should be updated to ensure caller details are verified before proceeding with the call.

Agreed management action(s)

Action:
Points 1 & 2 – A review of the service desk software will be undertaken with the vendor to allow this functionality to be incorporated in the product.
Point 3 – The most appropriate means of implementing a new update process will be investigated that captures this information and updates the service desk records.
Point 4 – This will be implemented in the call initiation process.
Responsibility: Douglas Bailey
Target Date: March 2010

7. Categorisation/prioritisation/diagnosis
Rating of internal audit finding: Medium

Finding(s) and impact

We identified from discussions with management that a number of instances exist where calls were categorised incorrectly, resulting in delays before the call is allocated to the correct second level support team. This issue was confirmed to varying degrees in all IT areas reviewed.

The main contributing factor is the lack of accurate and detailed information to be able to categorise calls correctly. In addition, second level support teams often do not have enough information to resolve the issue and have to call back the user for further information, potentially delaying the ‘time to fix’.

Although calls are allocated a severity, this is an automatically generated field based on call category. This may not always be the most appropriate priority, based on other factors (e.g. number of people affected or certain priority calls).

A review of the Service Level Agreements (“SLA’s”) ‘time to fix’ found that some of these are very high for the type of incident (e.g. seven days for a virus attack). There is a potential that tickets are being measured against inappropriate targets, which potentially exposes the business to risk and reduces the efficiency of issue resolution.

Recommendation(s)

Management should consider implementing the following improvements:
- Call categorisations should be reviewed on a regular basis to ensure these are still valid and up to date.
- Call severity and SLA times should be reviewed on a regular basis to ensure they are still valid, the ‘time to fix’ is reasonable and the descriptions are clear and understandable.
- Typical questions to ask for each type of fault could be developed to aid the service desk staff to identify the nature of the incident, to help give the engineers as much information as possible.
- Training could be given to the service desk staff by each of the second level support teams to provide more information on the types of faults they deal with and also the key pieces of information needed to be able to resolve the issue promptly.

Agreed management action(s)

Action:
Points 1 & 2 – Call categories, call severity and SLA times will be reviewed on an annual basis. It is recognised that there are some unrealistic SLA times in the database. All SLA times will be reviewed to ascertain correct SLA ‘time to fix’ values.
Point 3 – These questions will be incorporated in the next release of the new software, including a review of call severity.
Point 4 – Collection of key pieces of data during the first point of contact is very important to providing the correct level of support for users. Second line support will be consulted to identify these key pieces of data; training requirements will be investigated and, where beneficial, will be undertaken.
Responsibility: Douglas Bailey
Target Date: September 2009

8. Escalation
Rating of internal audit finding: Low

Finding(s) and impact

When we considered the performance monitoring process it was confirmed that once a ticket is allocated to a second level support team there is no specific monitoring of the progress by the service desk until it is over its Service Level Agreement (“SLA”) time. This may result in tickets sitting idle until they breach their service level agreement time.

Recommendation(s)

A formalised reporting structure should be established to actively monitor the progress of the second level support teams to ensure they are resolving tickets promptly, prior to SLA limits.

Agreed management action(s)

Action: The reporting structure will be formalised.
Responsibility: Iain Crockett
Target Date: December 2009

9. Investigation and diagnosis
Rating of internal audit finding: Low

Finding(s) and impact

The service desk and second level support team do not have a formalised investigation and diagnosis process. This results in a lack of guidance for the service desk and second level support teams on the steps to diagnose and resolve an issue, as well as any measures that could be taken to prevent reoccurrence.

Recommendation(s)

A formalised investigation and diagnosis process should be developed, including:
- establishing exactly what has gone wrong;
- understanding the chronological order of events;
- confirming the full impact of the incident, including the number and range of users affected;
- identifying any events that could have triggered the incident; and
- knowledge searches for previous occurrences (e.g. in the known error database).

Agreed management action(s)

Action: The informal investigation and diagnosis process will be formalised for business critical incidents.
Responsibility: Douglas Bailey
Target Date: December 2009

10. Closure and resolution satisfaction
Rating of internal audit finding: Medium

Finding(s) and impact

When calls are resolved, the second level support engineer will close their assignment and pass back to the service desk to call the user to ensure their ticket has been resolved satisfactorily. This can lead to delays in final closing of the calls in comparison to when the call was resolved.

If a user is uncontactable (e.g. contact details inaccurate or individual not available) the ticket is left open until they can be contacted, which can result in significant delays in closing tickets.

This can also result in duplication of effort, as the engineer sometimes will call the user to keep them up to date or to test if the solution has worked.

The user satisfaction from the resolution and service received is also gauged by the service desk. However, they do not ask the users to grade the service; they grade based on how positive or negative the user sounds, based on how they reply to the closure call. This does not give constructive or useful feedback. Although user satisfaction is gained from an annual customer satisfaction survey, more timely feedback, direct from the customer, would provide better quality feedback on the service delivered.

Recommendation(s)

Management should consider the following improvements:
- If the second level support engineer has called the user they should close the full call at that time, not just their assignment, saving duplication of effort, limiting the number of times a user is contacted, and streamlining the process.
- If there are multiple assignments on the call this should still be closed by the service desk, who should monitor completion of each assignment.
- If a caller cannot be contacted there should be an automatic incident closure period. For example, after 48 hours the call is closed if the ticket is resolved and the user unavailable.
- The user satisfaction process should be developed further to include calling only a sample of closed calls a day/week and asking the user to rate the service themselves, or sending out a short automated email questionnaire to a sample/all users to gauge user satisfaction.

Agreed management action(s)

Action:
Points 1 & 2 – These have been implemented.
Point 3 – If a caller cannot be contacted at the time when a call is being closed by either line support or the service desk, an automated email will be sent to the call originator and the call will be closed.
Point 4 – An automated user satisfaction survey system will be developed.
Responsibility: Douglas Bailey
Target Date: Point 3 – September 2009; Point 4 – March 2010

11. Reporting
Rating of internal audit finding: Low

Finding(s) and impact

Performance monitoring is informal and ad hoc, with the exception of the reporting performed for ACHA (Argyll Community Housing Association). The new performance measuring tool being implemented, Pyramid, could be further enhanced by developing more appropriate key performance indicators linked to the service desk. Indicators such as ‘time to fix’ have only been recently added. In addition, only certain second level support teams are included within the monitoring.

Although some of these statistics are currently available, they are only monitored on an ad hoc basis, and are not providing information on overall service desk and second level support team performance.

The HEAT system has reporting functionality, but all interviewees seem to use the system in a different way, resulting in inconsistent reporting and the monitoring of different statistics per department.

Recommendation(s)

1. Management should consider the following improvements:
- A more consistent and all-encompassing reporting framework for the service desk (i.e. Pyramid) should be standardised for all ICT reporting requirements;
- Guidance on how to run different report types could help address consistency, and explain functionality.

2. Management should identify the appropriate indicators to be utilised and these should be standardised across all the relevant teams. These could include:
- average number of open tickets;
- how long each team takes to resolve tickets;
- number of open tickets;
- cost per incident;
- number of incidents incorrectly assigned;
- number of incidents per team and percentage of total; and
- incidents resolved by each engineer.

Agreed management action(s)

Action:
Point 1 – The appropriate performance indicators will be adopted and reported via the HEAT system. The department will continue to report on the SOCITM key performance indicators via Pyramid.
Point 2 – Agreed. Performance indicators will be identified.
Responsibility: Gerry Wilson
Target Date: March 2010

12. Risk management
Rating of internal audit finding: Low

Finding(s) and impact

Whilst a risk management framework was evident within the Council, there is no regular monitoring and updating of the risks and challenges facing the incident management service. This creates a situation where the risks impacting the service desk and second level support teams are not captured within the Council’s existing risk management process and therefore do not have clear transparency and visibility of mitigating actions being addressed.

Recommendation(s)

The service desk should ensure the critical risks to the function are communicated and incorporated into the Council’s risk management process to allow its risks to be monitored regularly and tracked via the operational and strategic risk registers. This would allow process improvements to be identified and the consideration of resource utilisation and training requirements to meet users’ needs.

Agreed management action(s)

Action: Ongoing business critical risks are identified. These risks will be included on the departmental operational risk register.
Responsibility: Douglas Bailey
Target Date: December 2009

13. Incident grouping
Rating of internal audit finding: Low

Finding(s) and impact

Management confirmed that the incident grouping functionality is not being used to its full potential. This can result in potentially inefficient logging and closure of tickets, and major incidents not being identified and tracked.

Recommendation(s)

The incident grouping functionality should be used to group similar incidents, and ensure that similar incidents do not clutter the ticket queues. This would then allow the following improvements to be realised:
- the ability to monitor ticket progress and if
