FINAL INTERNAL AUDIT REPORT

Transcription

1 FINAL INTERNAL AUDIT REPORT IT Change Control Processes in Customer Experience (IA /F) Vernon Everitt, Managing Director, Customer Experience, Marketing and Communications Audit Conclusion: Well Controlled and Audit Closed 28 August 2015 Number of issues Priority 1 0 Priority 2 0 Priority 3 0

2 CONTENTS EXECUTIVE SUMMARY... 3 APPENDIX 1 DISTRIBUTION LIST... 6 Audit information Version 1 Draft versions issued 1 Fieldwork started 1 June 2015 Fieldwork completed 7 August 2015 Draft report issued 18 August 2015 Auditor Thomas Mathew Audit Manager Emilija Antevska Director of Internal Audit Clive Walker Page 2

3 EXECUTIVE SUMMARY Introduction and background The Future Ticketing Agreement (FTA) contract that covers the delivery of public transport fare collection systems and services (ie Oyster systems and services) was awarded to Cubic Transportation Systems Ltd (Cubic) in August According to the FTA contract, Cubic is responsible for operating the Oyster systems, including the requirements for change management, configuration management and release management. Cubic has provided a documented framework and associated processes through which these changes are managed. It is important that changes to the Oyster system are undertaken within this framework and that changes made do not adversely impact the Oyster service. TfL must ensure that it has visibility of the changes being made to underlying systems and that it maintains an oversight to ensure the integrity of the systems and enable the smooth running of the Oyster service to its customers. Objective The objective of this audit was to confirm that the technical changes made to the Oyster systems are being undertaken within a robust and effective change management framework, which includes authorisation and validation of change through to testing and final release into the live production environment. Scope The audit focused on the control environment in relation to the following key risk areas: All requests for changes, system maintenance, and supplier maintenance are standardised and are subject to formal change management standards and procedures; Management has established a change control board where changes are reviewed and only approved changes are implemented; Changes are implemented in sequence without interfering with other changes; All changes to service assets and configuration items (including supporting documentation) are adequately maintained; Page 3

4 Changes are planned and tested within a development and test environment before changes are released in a controlled manner into the live/production environment; Management anticipate and manage problems resulting from changes and have back out plans in place; and Emergency changes are implemented in a way that preserves change controls. Summary of findings We carried out a review of all the areas included within the scope of this audit and the following comments summarise our findings. The change management processes are incorporated and delivered within the overall contractual agreement between TfL and Cubic, under the Future Ticketing Agreement (FTA). The change control process is owned and operated by Cubic under their overall IT Service Management obligations to TfL. Roles and responsibilities are clearly identified within the Change process. All changes are subject to formal, standardised and automated change processes using the Service Now Change Management software tool which was implemented in January Prior to this implementation a manual process was in place. The introduction of the Change Management software provides more visibility and control of the technical changes made to the Oyster systems. Changes are recorded within the change control process form (CHG) which is used to identify resources, risk level and impact severity to the Oyster systems prior to the change being subject to approval by the Change Advisory Board (CAB). The CAB has representation from the technical disciplines within Cubic and also the IT Customer Experience Change and Release Manager from TfL, who has full visibility of the changes and provides input and approval as required to enable the changes to be made. The CAB meets at scheduled times and is provided with details of all the changes prior to the meeting to enable a greater level of scrutiny before discussion and approval at the meeting. Changes are sequenced to ensure potential impact on other areas of the Oyster IT infrastructure is established prior to the changes being implemented, Where significant changes to the systems are to be made, Cubic implements a release in accordance with the documented Release Management Policy. The releases are designed, planned, tested and implemented in accordance with the release calendar as agreed with TfL. This includes testing any changes in the integration environment, pre-production environment and then approval utilising the change management process. Page 4

5 As part of the change process, various elements of the Oyster infrastructure are identified so that it is clear which areas will be affected by the change. All changes are tested prior to the CHG being closed; implementation testing and post implementation verification testing is conducted to ensure that there are no adverse impacts on the live Oyster systems as a result of introducing the change. Additionally, a regression plan is developed, prior to the change being introduced, to roll back the systems in the event the change fails. All problems are captured within the issue log and a process is in place to identify, analyse, manage and resolve these incidents. Emergency changes are carried out only when an urgent need arises. The CHG is completed and is available within the Service Now change system and undergoes the same level of scrutiny as a normal change. This type of change requires approval by the Cubic Service Delivery Manager and the Head of Service Strategy and IT. All emergency changes are discussed with the IT Customer Experience Change and Release Manager prior to implementation. The audit did not identify any issues. Conclusion Based on the findings, we have concluded that the IT change control processes in Customer Experience that have been established for the Oyster systems are well controlled. This audit is now closed. We would like to thank all those who were involved in and contributed to this audit. Page 5

6 APPENDIX 1 Distribution list This report was sent to Vernon Everitt, Managing Director Customer Experience Marketing & Communications, by Clive Walker, Director of Internal Audit, and copied to: Shashi Verma Director of Customer Experience Martin Loukes Business Development Manager Letitia Charles Customer Experience Change & Release Manager David Kershaw Revenue System Analyst Tim Carman Customer Technology Architecture Manager Nolan Miskimmin Technical Delivery Manager Clive Brooker Technical Delivery Manager Martyn Loukes as Key Risk Representative Nigel Blore Head of Group Insurance Andrea Clarke Director of TfL Legal Ian Nunn Chief Finance Officer Howard Carter General Counsel Karl Havers EY Page 6