AUDIT REPORT. Service Desk and Problem Management Audit Opinion: Satisfactory. November 14, Report Number: 2014-IT-04

Transcription

1 AUDIT REPORT Service Desk and Problem Management Audit Opinion: Satisfactory November 14, 2014 Report Number: 2014-IT-04

2 Table of Contents: Page Executive Summary Background 1 Audit Objectives and Scope 2 Audit Opinion 3 Appendix Definitions 4 Issue Classifications 5 Distribution 7 Audit Performed By 7

3 Executive Summary Background The Information Technology Infrastructure Library (ITIL) is used by IT Management as a guide for the services provided by IT to the organization. ITIL considers the Service Desk to be the central point of contact between service providers and users/customers on a day-to-day basis. It is also a focal point for reporting Incidents (disruptions or potential disruptions in service availability or quality) and for users making Service Requests (routine requests for services). ITIL defines Problem Management as the process responsible for managing the lifecycle of all Problems, which are the cause of one or more incidents. The primary objectives of problem management are to prevent incidents from happening and to minimize the impact of incidents that cannot be prevented. At Citizens, the Problem Management process is integrated with the Incident Management process. Problem management generally continues after the resolution of the immediate incident by identifying the root cause of the problem ( RCA Root Cause Analysis). RCA is the responsibility of the appropriate Subject Matter Experts within IT. If the RCA determines that a change is required, the normal Change Management process is followed. The Technical Support Center (TSC) provides the Service Desk function within Citizens. The TSC provides first level incident recording, tracking, resolution and escalation primarily by phone for Citizens internal and remote users. Over the past year the TSC has made significant strides in stabilizing and improving the functionality of the software ( ServiceDesk ) which supports the operation of the TSC and the TOC. Additional improvements and functionality are planned for Support and administration of the software is handled by the Software Quality Assurance team. A major current initiative is the development and implementation of standard roles based user access management. The TSC has a staff of 23 persons including a Manager, two Supervisors and twenty support staff, six of which are contractors. As shown below, in a typical month the TSC processes over 2,500 tickets of all types and met its Service Level Agreements approximately 90% of the time for all types of tickets. Technical Support Center (TSC) Tickets P a g e 1

4 Executive Summary The Technical Operations Center (TOC) provides 24/7/365 monitoring of Citizens IT Systems and Services and responding to alerts sent by monitoring systems in real-time. In addition to being responsible for monitoring and responding to system related issues, the TOC provides after-hours and weekend initial handling of TSC Incidents. The TOC is currently located in Tallahassee and is in the process of relocating to Jacksonville as part of the overall relocation of IT. The TOC has a staff of 10 persons including a Supervisor and nine operations staff, six of which are contractors. The relocation recently resulted in the resignation of a supervisor and it is expected that two employees will relocate while all of the contractors will be replaced. As shown below, in a typical month the TOC handles 75 incidents, of which Severity 1 is the most severe and highest priority. There were between two and seven Severity 1 incidents per month. Technical Operations Center (TOC) Incidents Audit Objectives and Scope The objective of this audit was to evaluate the adequacy and effectiveness of Service Desk processes for handling incidents and service requests which impact the business users. In addition, the review was geared to assess the transition of incidents to problems, the use of customer feedback, and the use of performance metrics and reporting. Our scope included a review of the following areas: Service Level Agreements Policies, Procedures and Documentation User Access to ServiceDesk Application Service Desk Operations Escalation Procedures P a g e 2

5 Executive Summary Problem Management Customer Feedback Performance Metrics and Reporting Audit Opinion The overall effectiveness of the processes and controls evaluated during the audit is rated as Satisfactory. Our audit of the Service Desk and Problem Management indicated that the TSC and TOC have competent management and technical personnel. In addition, we noted that adequate service is being provided to the organization and that when comments are made in response to customer satisfaction surveys, they are almost always positive. However, our work also identified seven low risk audit issues which are being addressed by management. In addition, three opportunities for process improvement were noted and discussed with management: Service Level Agreements (SLA's) should be formalized and agreed to by the business. They should be readily accessible by the users through the Citizens Portal. Enhanced reporting should be provided to the business and Service Desk performance should be provided on the Citizens Portal. The History section of ticket screen should include the full text of the appended description and the complete text of the technician notes and resolution. The ITIL Continual Service Improvement (CSI) methodology, which includes trend analysis of performance metrics, benchmarking, and comparison of performance to industry standards, should be applied to the Service Desk. We would like to thank management and staff for their cooperation and professional courtesy throughout the course of this audit. P a g e 3

6 Appendix 1 Definitions Audit Ratings Satisfactory: Critical internal control systems are functioning in an acceptable manner. There may be no or very few minor issues, but their number and severity relative to the size and scope of the operation, entity, or process audited indicate minimal concern. Corrective action to address the issues identified, although not serious, remains an area of focus. Needs Improvement: Internal control systems are not functioning in an acceptable manner and the control environment will require some enhancement before it can be considered as fully effective. The number and severity of issues relative to the size and scope of the operation, entity, or process being audited indicate some significant areas of weakness. Overall exposure (existing or potential) requires corrective action plan with priority. Unsatisfactory: One or more critical control deficiencies exist which would have a significant adverse effect on loss potential, customer satisfaction or management information. Or the number and severity of issues relative to the size and scope of the operation, entity, or process being audited indicate pervasive, systemic, or individually serious weaknesses. As a result the control environment is not considered to be appropriate, or the management of risks reviewed falls outside acceptable parameters, or both. Overall exposure (existing or potential) is unacceptable and requires immediate corrective action plan with highest priority. P a g e 4

7 Appendix 2 Issue Classifications Control Category High Medium Low Financial Controls (Reliability of financial reporting) Operational Controls (Effectiveness and efficiency of operations) Actual or potential financial statement misstatements >USD 5 million Control issue that could have a pervasive impact on control effectiveness in business or financial processes at the business unit level A control issue relating to any fraud committed by any member of senior management or any manager who plays a significant role in the financial reporting process Actual or potential losses >USD 2.5 million Achievement of principal business objectives in jeopardy Customer service failure (e.g., excessive processing backlogs, unit pricing errors, call center non responsiveness for more than a day) impacting 10,000 policyholders or more or negatively impacting a number of key corporate accounts Actual or potential prolonged IT service failure impacts one or more applications and/or one or more business units Actual or potential negative publicity related to an operational control issue An operational control issue relating to any fraud committed by any member of senior management or any manager who plays a significant role in operations Actual or potential financial statement misstatements between USD 2.5 million to 5 million Control issue that could have an important impact on control effectiveness in business or financial processes at the business unit level Actual or potential losses between USD 0.5 to 2.5 million Achievement of principal business objectives may be affected Customer service failure (e.g., processing backlogs, unit pricing errors, call center non responsiveness) impacting 1,000 policyholders to 10,000 or negatively impacting a key corporate account Actual or potential IT service failure impacts more than one application for a short period of time Actual or potential financial statement misstatements below USD 2.5 million Control issue that does not impact on control effectiveness in business or financial processes at the business unit level Actual or potential losses below USD 0.5 million Achievement of principal business objectives not in doubt Customer service failure (e.g., processing backlogs, unit pricing errors, call center non responsiveness) impacting less than 1,000 policyholders Actual or potential IT service failure impacts one application for a short period of time P a g e 5

8 Appendix 2 Control Category High Medium Low Any operational issue leading to death of an employee or customer Any operational issue leading to injury of an employee or customer Compliance Controls (Compliance with applicable laws and regulations) Remediation timeline Actual or potential for public censure, fines or enforcement action (including requirement to take corrective actions) by any regulatory body which could have a significant financial and/or reputational impact on the Group Any risk of loss of license or regulatory approval to do business Areas of non-compliance identified which could ultimately lead to the above outcomes A control issue relating to any fraud committed by any member of senior management which could have an important compliance or regulatory impact Such an issue would be expected to receive immediate attention from senior management, but must not exceed 60 days to remedy. Actual or potential for public censure, fines or enforcement action (including requirement to take corrective action) by any regulatory body Areas of noncompliance identified which could ultimately lead to the above outcomes Such an issue would be expected to receive corrective action from senior management within 1 month, but must be completed within 90 days of final Audit Report date. Actual or potential for non-public action (including routine fines) by any regulatory body Areas of noncompliance identified which could ultimately lead the above outcome Such an issue does not warrant immediate attention but there should be an agreed program for resolution. This would be expected to complete within 3 months, but in every case must not exceed 120 days. P a g e 6

9 Appendix 3 Distribution Addressees Copies Robert Sellers, V.P. - IT Infrastructure and Operations Juan Cocuy, Citizens Audit Committee Chairman Bette Brown, Citizens Audit Committee Member Jim Henderson, Citizens Audit Committee Member Barry Gilway, President/CEO/Executive Director Kelly Booten, Chief - Systems and Operations Curt Overpeck, Chief Information Officer Christine Turner Ashburn, V.P. - Communications, Legislative & External Affairs John Rollins, Chief Risk Officer Dan Sumner, Chief Legal Officer & General Counsel Bruce Meeks, Inspector General Johnson Lambert, LLP (External Auditors) Following Audit Committee Distribution The Honorable Rick Scott, Governor The Honorable Jeff Atwater, Chief Financial Officer The Honorable Pam Bondi, Attorney General The Honorable Adam Putnam, Commissioner of Agriculture The Honorable Andy Gardiner, President of the Senate The Honorable Steve Crisafulli, Speaker of the House of Representatives Audit Performed By Auditor in Charge Audit Director Under the Direction of Gary Sharrock, Senior IT Auditor Karen Wittlinger, Director IT Audit Joe Martins Chief of Internal Audit P a g e 7