INTERNAL AUDIT FINAL REPORT
CNES FINANCE AND CORPORATE RESOURCES DEPARTMENT
CLOUD IT SYSTEMS AND THE CRM SYSTEM
OFFICIAL




AUTHOR / DISTRIBUTION: David Beaton, Director of Finance and Corporate Resources; Internal Audit; Customer Service Manager (for info); Finance Service IT Manager (for info); Highland Council
DRAFT DATE: 29/09/15
REF: WE23/002
FINAL DATE: 28/10/15

Contents
1. INTRODUCTION
2. REVIEW OBJECTIVES
3. SCOPE, METHOD & COVERAGE
4. MAIN FINDINGS
5. CONCLUSION
6. AUDIT OPINION
7. ACTION PLAN

1. INTRODUCTION

The purpose of this report is to record the findings of a recently completed computer audit review of the controls surrounding Comhairle IT systems hosted in the cloud and the Customer Relationship Management (CRM) System.

The CNES has four systems which are externally hosted, namely:
1) The Capita Payments System
2) The SEEMiS Education Management Information System
3) The Interplan Performance Management System
4) The Northgate Social Fund

The provision, licensing, operation and support are controlled by supplier license and support contracts for each system. The Information Commissioner's Office (ICO) Guidance on the Use of Cloud Computing and the government's Communications-Electronics Security Group (CESG) guidance entitled Summary of Cloud Security Principles provide guidance on the assurances a customer should obtain with regard to placing their data in the cloud.

The CRM System supports the CNES Customer Service Strategy of handling all customer interactions related to enquiries, service requests, payments, appointments and bookings through a single customer service function. It went live on 29 October 2009 and since its implementation it has helped to provide a consistent, corporate approach to customer service delivery through that single customer service function. Using the CRM system means all interactions with customers are now recorded in one system, which makes it much easier for staff to track the progress of any ongoing queries. It has also enabled the Comhairle to provide a cost effective 24/7 internet service.

2. REVIEW OBJECTIVES

The objectives of the review were to ensure that:
(i) IT Systems operating within the cloud are in accordance with expected cloud good practice (see 4.1).
(ii) The Customer Relationship Management (CRM) System has the expected application controls in place (see 4.2).

3. SCOPE, METHOD & COVERAGE

The review checked that the Comhairle IT Systems hosted in the cloud:
1) Have all been clearly identified
2) Have all been subject to an internal cloud governance process including a risk assessment
3) Are ISO 27001, or equivalent, certified
4) Are operated by suppliers who have secure physical infrastructure and facilities in place
5) Are operated by suppliers who have adequate HR, data protection and audit arrangements
6) Are supported by adequate service level agreements
7) Have a documented exit process.

In addition the review checked that the CRM System:

1) Has strong user access controls
2) Contains complete and accurate data
3) Has adequate data processing arrangements in place, e.g. for any interfaces
4) Provides sufficient data quality and management reports which are properly verified and distributed
5) Has its electronic audit trails properly configured and monitored
6) Has a signed license and support agreement containing appropriate contract clauses
7) Operates efficiently.

4. MAIN FINDINGS

The main findings of the review, referenced to the above review objectives, are as follows.

4.1 Systems Hosted in the Cloud

This objective was partially achieved.

4.1.1 Comhairle IT Systems hosted in the cloud are expected to follow good practice. Examples of good practice are set out in the Information Commissioner's Office Guidance on the Use of Cloud Computing and the government's Communications-Electronics Security Group (CESG) guidance entitled Summary of Cloud Security Principles. These guidance documents discuss subjects an organisation should consider when placing its data in the cloud. They include ensuring CNES cloud systems:
1) Have all been clearly identified
2) Have all been subject to an internal cloud governance process including a risk assessment
3) Are ISO 27001, or equivalent, certified
4) Are operated by suppliers who have secure physical infrastructure and facilities in place
5) Are operated by suppliers who have adequate HR, data protection and audit arrangements
6) Are supported by adequate service level agreements
7) Have a documented exit process.

With reference to the above, the findings were:

The CNES identified four systems during the review which are externally hosted in the cloud, namely:
(i) The Capita Payments System
(ii) The SEEMiS Education Management Information System
(iii) The Interplan Performance Management System
(iv) The Northgate Social Fund

A member of the Procurement Section reported that CNES contracts are issued with standard terms and conditions. Some suppliers simply accept them whereas others respond with changes. These standard terms and conditions refer to:
- Confidentiality and security of information
- Data protection
- Audit
- Governing law and jurisdiction
- Termination and exit

However, there is not a specific CNES cloud checklist or risk assessment to ensure that all security aspects of cloud systems have been properly considered and are in place.

A check of the various supplier agreements provided for review with regard to numbers 3) to 7) of the above guidance produced the following results:

Capita Payments System. The Capita Agreement and Addendum:
- Did not mention ISO 27001 accreditation, but Capita is known to hold ISO 27001 accreditation
- Refer to a service level agreement
- Contain confidentiality and data protection clauses
- Are in accordance with the laws of Scotland
- Contain a termination clause.

SEEMiS Integrated Education Management System. The Memorandum of Understanding:
- Did not mention ISO 27001, but it is known the supplier is working towards ISO 27001 although it is not yet accredited
- Did not mention a service level agreement, but it is known the supplier is currently producing a service level agreement
- Is in accordance with the laws of Scotland
- Contains a confidentiality clause.

The Interplan Performance Management System. The Comhairle's contract for payment of the Interplan CAM Management Solutions proposal:
- Did not mention a requirement for ISO 27001 accreditation; however it was reported that the system does not contain confidential data
- Is in accordance with the laws of Scotland
- Contains a termination clause.

Northgate Social Fund. The Northgate Social Fund as a Service document:
- States the supplier is accredited to ISO 27001
- Contains confidentiality and data protection clauses
- Contains a documented service level and support clause
- Is in accordance with the laws of England
- Contains a documented termination clause.

Hence the above agreements have some, but not all, of the expected controls/assurances in place. This has to be expected as different cloud providers and cloud services have reached different stages in the development and maturity of their services.

4.2 Customer Relationship Management System

This objective was mainly achieved.

4.2.1 Access Control

The expected access controls are that:
1) There is an approved and documented access control policy and a formal user registration system which provides evidence that all users of the system have been properly approved.
2) Unique usernames are used to ensure staff can be held accountable for their actions and protected from unnecessary investigation in the event of misuse.
3) Passwords are forced to be sufficiently complex and long that they are not easily guessed and can resist brute force attacks.
4) System administration activities are properly documented to ensure that they can be carried out by more than one member of staff.

The actual controls are that:
1) A set of user access groups has been set up and the system administrator sets up users following an email or phone request for access; an email or phone authorisation from the system owner is also required. However there is no documented access control policy for the system administrator to follow. Given the use of phone authorisations, and that the authorisation emails are not always retained, there is not a complete set of documentary evidence to prove that all the requests for access have been properly authorised.
2) Customer services staff members have been allocated unique usernames to access the CRM System. However they share generic usernames to access the Street Lighting System and the IDOX System.
3) Passwords are in place, but they are only forced to be a minimum of 4 characters and there is no enforcement of mixed character types, e.g. upper and lower case. This means that users can create weak passwords.
4) System administration and support is carried out by one key member of staff who has an in-depth knowledge of the system. Although the supplier manuals document some of the system administration processes, not all the in-house system administration procedures are documented, e.g. how user access should be properly authorised and how evidence of authorisation should be retained for the lifetime of the system.

The risks associated with the above findings are:
1) Increased chance of errors in setting up user access, given there is no clearly documented policy.
2) In the event of a user misusing his/her access privileges it is more difficult to hold the user accountable for his/her actions, and other staff who share the generic username could be subjected to an unnecessary and upsetting investigation.
3) Passwords are easy to guess, making it easier for a user's ID to be compromised.
4) The CNES is overly reliant on the knowledge of a single key member of staff.

4.2.2 Data Input

The expected control with regard to data input is that it is complete, accurate and up to date.

The sample data examined was on the whole satisfactory. However, two concerns were identified:
1) The client case history search, in every example checked, shows under the interactions tab that the client is not verified, even though the Customer Services Team Leader stated the client is always verified in the case of council tax queries. Therefore the system is not recording correctly what is actually happening.
2) There is a section for recording notes relating to conversations with customers or members of staff. One example of these notes recorded details of a dispute between staff, which is not in accordance with the guidance issued by the Customer Services Manager. As the data for the notes field can be very varied it can be difficult for staff to enter the correct balance of information, therefore it should be monitored by management.

4.2.3 Interface and Integration Processing

The expected control with regard to interface processing is that control totals are used to verify that the number of records extracted from one system equates to the number of records loaded into the receiving system.

The CRM System receives data from the Corporate Address Gazetteer (CAG) on a monthly basis via a partially automated interface. The data is extracted manually from CAG by a member of staff and loaded automatically via Windows Scheduler into the CRM System. A member of the IT Unit checks that no error message appears in the Windows Scheduler after the load program has run. Therefore the controls are largely as expected. However there is no check within the CRM System to verify the data has loaded correctly.

The CRM System is also integrated with the Council Tax System such that some customer services staff members who are CRM System users can log directly into the Council Tax System without entering a separate username and password. Although their access within the Council Tax System is limited to setting up or stopping direct debits, this means that correct user access control for the Council Tax System depends directly on correct user access control for the CRM System. The Council Tax System Access Control Policy should take this type of access into account, and section 4.2.1 above shows that the CRM System access controls require improvement.

4.2.4 Reports

With regard to CRM System reporting, it was expected that data quality reports would exist to provide assurance that the data entered into the system was complete and correct. In addition it was expected that management reports would exist to report both trends and performance in order to assist the Customer Services Manager and other senior staff with efficient and effective decision making.

Only one report was provided for review, which shows types of interaction and the number of each type of interaction. It was reported that the CRM System reporting module has not been purchased and there is an intention to develop reports using Jaspersoft reporting software, which can take data from one or more data sources and provide easy to read and interactive reports.
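The control-total check that 4.2.3 expects for the monthly CAG to CRM load, written out as an added example (it is not the Comhairle's or the supplier's code): it reconciles the record count of the extract against the count the load program reports and, optionally, a post-load count from the CRM, treats a missing extract as the failure the action plan describes, and produces the text for the administrators' notification email. The extract layout, the loader's console output format and the sample values are assumptions.

```python
"""Control-total check for the monthly CAG -> CRM gazetteer load (added example).
The extract layout (CSV with a header row), the loader's console output format
and the sample values below are constructed assumptions, not the Comhairle's or
the supplier's own formats."""
import csv
import io
import re
from dataclasses import dataclass, field
from typing import Optional

# Lines the (assumed) load program writes to the console; this output is what the
# action plan says is now captured and emailed to the Gazetteer and CRM administrators.
LOADED_RE = re.compile(r"^\s*loaded\s+(\d+)\s+records", re.IGNORECASE)
ERROR_RE = re.compile(r"^\s*(ERROR|FATAL|Exception)\b", re.IGNORECASE)


@dataclass
class LoadCheck:
    extract_present: bool
    extract_records: int = 0
    loader_records: int = 0
    crm_records: Optional[int] = None   # post-load count from the CRM, if available
    loader_errors: list = field(default_factory=list)

    def problems(self) -> list:
        """Every reason the load cannot be signed off; an empty list means the control passed."""
        found = []
        if not self.extract_present:
            # The failure mode named in the action plan: no extract in place for the sync.
            found.append("no gazetteer extract present; a manual extract is needed")
            return found
        if self.loader_errors:
            found.append("load program reported errors: " + "; ".join(self.loader_errors))
        if self.loader_records != self.extract_records:
            found.append(f"control total mismatch: extract {self.extract_records}, "
                         f"loader {self.loader_records}")
        if self.crm_records is not None and self.crm_records != self.extract_records:
            found.append(f"CRM holds {self.crm_records} records, extract had "
                         f"{self.extract_records}")
        return found

    @property
    def ok(self) -> bool:
        return not self.problems()


def count_extract_records(extract_text: Optional[str]):
    """Count data rows in the manually produced extract. Returns (present, count)."""
    if extract_text is None:
        return False, 0
    rows = list(csv.reader(io.StringIO(extract_text)))
    data_rows = [r for r in rows[1:] if any(cell.strip() for cell in r)]
    return True, len(data_rows)


def parse_loader_output(console_output: str):
    """Pull the loaded-record total and any error lines out of the captured console output."""
    loaded, errors = 0, []
    for line in console_output.splitlines():
        m = LOADED_RE.match(line)
        if m:
            loaded += int(m.group(1))
        elif ERROR_RE.match(line):
            errors.append(line.strip())
    return loaded, errors


def check_load(extract_text, console_output, crm_records=None) -> LoadCheck:
    present, n_extract = count_extract_records(extract_text)
    n_loaded, errors = parse_loader_output(console_output)
    return LoadCheck(present, n_extract, n_loaded, crm_records, errors)


def notification(check: LoadCheck, run_label: str) -> str:
    """Text for the email the administrators receive; it is sent on success too,
    so a missing email is itself a signal that the scheduled run did not happen."""
    if check.ok:
        return f"{run_label}: gazetteer load OK, {check.extract_records} records reconciled"
    return f"{run_label}: gazetteer load FAILED\n- " + "\n- ".join(check.problems())


# Constructed sample data.
SAMPLE_EXTRACT = (
    "uprn,address,postcode\n"
    "100000000001,1 Example Street,HS1 0AA\n"
    "100000000002,2 Example Street,HS1 0AA\n"
    "100000000003,3 Example Street,HS1 0AB\n"
)
GOOD_OUTPUT = "Reading extract\nLoaded 3 records\nDone\n"
SHORT_OUTPUT = "Reading extract\nLoaded 2 records\nERROR: row 3 rejected: bad postcode\n"

if __name__ == "__main__":
    print(notification(check_load(SAMPLE_EXTRACT, GOOD_OUTPUT, crm_records=3), "2015-10 run"))
    print(notification(check_load(SAMPLE_EXTRACT, SHORT_OUTPUT), "2015-11 run"))
    print(notification(check_load(None, ""), "2015-12 run"))
```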

4.2.5 Audit Trail

User activities should be clearly identifiable in the audit trail, and the CRM System does have an electronic audit trail which normally identifies the activities a user has carried out. However, the user flguest sometimes appears on the audit trail for starting and closing customer cases and staff do not know who this user is. They think it may be a system user, but this needs to be clarified with the system supplier.

4.2.6 License and Support Agreement

The expected CRM System license and support agreement is that it should comply with the CNES standard contract terms and conditions. However it is accepted that this may not always be possible and exceptions may have to be agreed. The CRM supplier's Master Software License, Service and Support Agreement was found to be broadly as expected. However it is governed by and construed in accordance with the laws of England and Wales as opposed to Scotland. This means that the supplier did not accept the CNES standard contract terms and conditions. In addition it means that it will be more costly to go to court in the event of a serious dispute arising. One CNES lawyer is qualified in both Scottish and English law, but there would be higher travel expenses involved if a CNES lawyer had to attend an English court.

4.2.7 Efficiency

With regard to efficiency, it is expected that full use is made of the system and that the intended benefits identified in the business case to purchase the system will be realised. The Comhairle has made a significant investment in the CRM system. A Customer Service Project report that went to the ICT, Procurement and Asset Management Sub-Committee on 3 December 2007 stated the estimated cost of implementing the Lagan solution amounted to 450K. This 450K cost included 47K of annual support costs over 2 years. Since then another 5 years of annual support costs have been paid at a cost of approximately 22K per year. Hence the CNES has spent approximately 560K implementing and operating the CRM system. The system implementation did receive a 170K contribution from the Modernising Government Fund.

As well as the significant non-cashable improvements made by the system which were identified in the introduction above, a CRM Progress Report to the Policy and Resources Committee dated 13 October 2011 stated it had assisted in making cashable savings of 215K. Hence many of the intended benefits of the system are being realised. In addition the IT Manager has stated he is considering making use of the CRM System to carry out the IT Helpdesk function, which could add further value to the investment.

Part of the vision recorded in the 2008 Customer Service Strategy was that the Comhairle would have the ability to measure the effectiveness of service delivery, given that all customer interactions were being recorded in one place. However the outcomes of these interactions are not being recorded in the system, i.e. if a pothole is reported, this information is passed on to the relevant staff and the outcome of the pothole actually being fixed is not then recorded within the CRM System. Therefore, although the CRM System has successfully pulled together all customer interactions, it cannot currently be used to report their successful resolution. Instead performance is monitored by the use of a sample of customer satisfaction reports and staff knowledge of how the system is operating.

The Comhairle should consider increasing the use of the system so that it can obtain a complete set of performance information.

5. CONCLUSION

The Comhairle has placed four sets of data within the cloud and has signed up to a different agreement for each one. These agreements contain some of the expected cloud controls, but not all. When placing its data within the cloud, the Comhairle needs to be sure that it has carried out, and retained evidence of, the expected checks. If the supplier's cloud service does not meet a cloud service expectation, then the Comhairle should be aware of this and seek to mitigate the risk.

With regard to the CRM System, many of the expected controls were found to be in place. Users must be set up by a system administrator and they are allocated access levels appropriate to their post. Customer interactions are recorded and processed. An electronic audit trail monitors user activity. However a number of improvements are required.

With regard to efficiency, the implementation of the CRM System has assisted in making a significant improvement to the customer services function and many of the benefits have already been realised.

There are eight recommendations in this report, all classified as medium priority. All of the recommendations are due to be implemented by the end of July 2016.

6. AUDIT OPINION

The opinion is based upon, and limited to, the work performed in respect of the subject under review. Internal Audit cannot provide total assurance that control weaknesses or irregularities do not exist.

It is the opinion that Reasonable Assurance can be given, in that whilst the system is broadly reliable, areas of weakness have been identified which put some of the system objectives at risk, and/or there is evidence that the level of non-compliance with some of the controls may put some of the system objectives at risk.

The levels of assurance and their definitions can be found at Appendix 1.

7. ACTION PLAN

The Action Plan contains 8 recommendations as follows:

High priority (major issues that managers need to address as a matter of urgency): 0
Medium priority (important issues that managers should address and will benefit the Organisation if implemented): 8
Low priority (minor issues that are not critical but managers should address): 0
Total recommendations: 8

Each entry below gives the report reference, grade and subject, followed by the findings, the recommendations and the management agreed actions with the responsible officer and target date.

REPORT REF: 4.1.1   GRADE: Medium   Cloud Hosted CNES Systems

FINDING
There is not a specific CNES cloud checklist based on either the ICO or CESG guidance in place to ensure that all security aspects of cloud systems have been properly considered and are either in place, or are known not to be.

RECOMMENDATIONS
1) The IT Unit should produce a checklist, based on the ICO and CESG guidance, to ensure that all security aspects of systems to be hosted in the cloud are considered and evaluated.
2) This checklist should be used by existing CNES cloud system owners and IT Unit staff to ensure they are fully aware of the current security arrangements. If they find any deficiencies they should seek to have them addressed. For example, if a supplier stores CNES personal data and is not ISO 27001 certified, CNES staff should try to address this risk, e.g. by raising this fact at the relevant supplier user group.

MANAGEMENT AGREED ACTIONS (responsible officer, target date)
1) Agreed. A checklist for cloud suppliers will be produced in accordance with CESG guidelines. (IT Manager, 31/07/16)
2) Agreed. The status of our cloud suppliers and their ISO certifications will be checked and we will bring to their attention any risks we encounter. (IT Manager, 31/07/16)

REPORT REF: 4.2.1   GRADE: Medium   CRM - Access Control

FINDINGS
1) There is no access control policy and there is not a complete set of documentary evidence to prove that all the requests for access have been properly authorised.
2) Generic usernames are shared by customer services staff to access the Street Lighting System and the IDOX System.
3) Forced password complexity is weak.
4) System administration procedures are not all documented, meaning there is an over-reliance on one key member of staff.

RECOMMENDATIONS
1) An access control policy should be produced and documentary evidence of all further user access requests retained. An annual review of user access settings should be carried out and evidence that existing user access levels have been verified as correct should be retained.
2) Unique usernames should be used where possible to protect staff from investigation in the event of computer misuse.
3) The supplier should be asked whether forced password complexity can be brought up to the current expected practice.
4) All system administration procedures should be documented.

MANAGEMENT AGREED ACTIONS (responsible officer, target date)
1) Agreed. User Access Control Form has been set up and requires a signature from Authorising Manager. (Business Analyst, Complete)
2) Limited licences for the Uniform and IDOX systems currently prevent unique usernames for each officer accessing these systems. Raised with System Administrators of these systems. (Business Analyst, Complete)
3) Agreed. Password complexity changed to 7 characters, 3 of which must be either upper case, lower case or numbers. (Business Analyst, Complete)
4) Agreed. Cross training and documenting procedures to be addressed. (IT Manager/Business Analyst, 31/07/16)

REPORT REF: 4.2.2   GRADE: Medium   CRM - Data Input

FINDINGS
1) In every example checked the client case history search shows under the interactions tab that the client is not verified, even though the Customer Services Team Leader stated the client is always verified in the case of council tax queries. Therefore the system is not recording correctly what is actually happening.
2) There is a section for recording notes relating to conversations with customers or members of staff. One example of these notes recorded details of a dispute between staff, which is not in accordance with the guidance issued by the Customer Services Manager. As the data for the notes field can be very varied it can be difficult for staff to enter the correct balance of information, therefore it should be monitored by management.

RECOMMENDATIONS
1) The record of the client not being verified should be queried with the supplier. The aim should be to get the system to record what is actually taking place with regard to client verification.
2) Staff should be reminded of the guidance when entering notes. In addition a report of notes should be produced so that it can be reviewed easily and quickly by management to check it is correct.

MANAGEMENT AGREED ACTIONS (responsible officer, target date)
1) Agreed. Verified check box on a case form needs to be marked as confirmation that the client has been verified; all staff have been informed of this. (Customer Services Manager, Complete)
2) Agreed. Customer Service Manager receives an email of all cases so is able to monitor notes; reminder will be issued to all staff to follow guidance previously issued when entering notes. (Customer Services Manager, 31/10/15)

REPORT REF: 4.2.3   GRADE: Medium   CRM - Interface Processing

FINDINGS
1) The CRM System receives data from the Corporate Address Gazetteer (CAG) on a monthly basis via a partially automated interface. The data is extracted manually from CAG by a member of staff and loaded automatically via Windows Scheduler into the CRM System. A member of the IT Unit checks that no error message appears in the Windows Scheduler after the load program has run. However there is no check within the CRM System to verify the data has loaded correctly.
2) The CRM System is also integrated with the Council Tax System such that some customer services staff members who are CRM System users can log directly into the Council Tax System without entering a separate username and password. This means that user access control for the Council Tax System being correct depends directly on user access control for the CRM System being correct, and the Council Tax System Access Control Policy should take this type of access into account.

RECOMMENDATIONS
1) The system administrator should check with the supplier whether there is a facility within the CRM system to verify whether a data load has been carried out successfully.
2) The Council Tax Access Control Policy should include consideration of access control via the CRM System.

MANAGEMENT AGREED ACTIONS (responsible officer, target date)
1) The process is currently run automatically on the first Friday of each month and there is no success/fail feedback from this automatic process. To remedy this situation the following change to the Gazetteer upload process has been implemented. All console output from the Lagan upload application is captured and emailed to the Gazetteer and CRM Administrators. If for any reason this process fails then it will be clearly visible in this email. If for any reason there isn't a DFT Gazetteer extract in place for the Gazetteer sync/upload then the admins will be notified so that a DFT extract can be manually extracted and processed. (Business Support Team, Complete)
2) Review with Council Tax System Administrator. (Business Analyst, 30/11/15)

REPORT REF: 4.2.4   GRADE: Medium   CRM - Reports

FINDING
Only one report was provided for review, which shows types of interaction and the number of each type of interaction. It was reported that the CRM System reporting module has not been purchased and there is an intention to develop reports using Jaspersoft reporting software, which can take data from one or more data sources and provide easy to read and interactive reports.

RECOMMENDATION
A complete list of the required management and data quality reports should be identified and the corresponding Jaspersoft reports should be developed to provide this information and assurance.

MANAGEMENT AGREED ACTION (responsible officer, target date)
Agreed. The executive report that has been produced covers the high level reporting needs currently. Additional reports will be developed using a centralised reporting service, namely Jaspersoft. (Business Support Team, 31/07/16)

REPORT REF: 4.2.5   GRADE: Medium   CRM - Audit Trail

FINDING
User activities should be clearly identifiable in the audit trail. However, the user flguest sometimes appears on the audit trail for starting and closing customer cases and staff do not know who this user is. They think it may be a system user, but this needs to be clarified with the system supplier.

RECOMMENDATION
The system administrator should contact the supplier to obtain an explanation as to why flguest appears on the audit trail.

MANAGEMENT AGREED ACTION (responsible officer, target date)
Agreed. Flguest appears because all the council tax cases have been submitted using webservices. The user that the webservices has been authenticated against to create the case is flguest, which is why it appears in the audit trail. (Business Analyst, Complete)

REPORT REF: 4.2.6   GRADE: Medium   CRM License Agreement

FINDING
The CRM supplier's Master Software License, Service and Support

RECOMMENDATION
If it has not already been done, the supplier should be asked whether

MANAGEMENT AGREED ACTION (responsible officer, target date)
Agreed. Will be discussed in annual (Customer Services, 31/03/16)

REPORT REFS. GRADES FINDINGS RECOMMENDATIONS Agreement is governed by and this Agreement can be amended to construed in accordance with the laws be in accordance with the laws of of England and Wales as opposed to Scotland. Scotland. This means that it will be more costly to go to court in the event of a serious dispute. MANAGEMENT AGREED ACTIONS review IMPLEMENTATION RESPONSIBLE TARGET OFFICERS DATES Manager 4.2.7 Medium CRM - Efficiency The CRM System has made significant improvements and savings with regard to CNES customer services. Part of the vision recorded in the 2008 Customer Service Strategy was that the Comhairle would have the ability to measure the effectiveness of service delivery given that all interactions were being recorded in one place. However the successful results of these interactions are not being recorded in the system. The CNES should consider recording the successful outcomes of customer interactions within the CRM system. This would enable it then to report on performance and provide a complete and documented assurance to both the CNES management and the public that the complete customer services function was operating successfully. Will raise with departmental representatives and Customer Service Steering Group. Departments currently report KPI s separately and use corporate satisfaction surveys. Customer Services Manager 31/07/16 Page 15
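The interface-processing control agreed under 4.2.3 above (confirm the monthly DFT extract is present before the sync/upload, capture the loader's console output, and make any failure visible to the Gazetteer and CRM administrators) can be expressed as a scheduled wrapper script such as the following. This is an added example, not the Comhairle's or the supplier's code; the extract file naming, the "Records loaded: N" success marker and the loader command line are assumptions.

```python
import re
import subprocess
from pathlib import Path
from typing import Optional

# Assumed conventions (hypothetical, not from the report): the monthly extract
# is named like DFT_Gazetteer_2015-10.csv and the Lagan loader prints
# "Records loaded: N" and exits 0 on success.
EXTRACT_NAME = "DFT_Gazetteer_{period}.csv"
SUCCESS_RE = re.compile(r"Records loaded:\s*(\d+)")

def extract_for_period(extract_dir: Path, period: str) -> Optional[Path]:
    """Return the extract for the YYYY-MM period, or None if it is missing or empty."""
    candidate = extract_dir / EXTRACT_NAME.format(period=period)
    if candidate.is_file() and candidate.stat().st_size > 0:
        return candidate
    return None

def assess_load(exit_code: int, console_output: str, min_records: int = 1) -> dict:
    """Classify a load run from its exit code and captured console output.
    A non-zero exit, a missing success marker or a zero record count all
    count as failure, so a silent partial load is never reported as success."""
    match = SUCCESS_RE.search(console_output)
    records = int(match.group(1)) if match else None
    ok = exit_code == 0 and records is not None and records >= min_records
    return {"ok": ok, "exit_code": exit_code, "records": records,
            "output": console_output.strip()}

def run_load(extract: Path, loader_cmd: list) -> dict:
    """Run the loader on the extract, capturing stdout and stderr together."""
    proc = subprocess.run([*loader_cmd, str(extract)], capture_output=True, text=True)
    return assess_load(proc.returncode, proc.stdout + proc.stderr)

def format_report(period: str, result: Optional[dict]) -> str:
    """Text that would be emailed to the Gazetteer and CRM administrators."""
    if result is None:
        return (f"FAILED: no DFT Gazetteer extract found for {period}; "
                "a manual extract is required before the sync/upload can run")
    status = "SUCCESS" if result["ok"] else "FAILED"
    return (f"{status}: Gazetteer load for {period}, exit code {result['exit_code']}, "
            f"records loaded: {result['records']}\n--- console output ---\n"
            f"{result['output']}")

if __name__ == "__main__":  # example run; the paths and loader command are placeholders
    PERIOD, EXTRACTS = "2015-10", Path("C:/Gazetteer/extracts")
    extract = extract_for_period(EXTRACTS, PERIOD)
    result = run_load(extract, ["LaganUpload.exe"]) if extract else None
    print(format_report(PERIOD, result))
```

The report text is what a scheduled task would hand to the mail step, so a missing extract, a loader error and an empty load all reach the administrators as an explicit FAILED message rather than a silent no-op.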

Appendix 1 Internal Audit Opinion

Level | Definition

Full Assurance: There is a sound system of control designed to achieve the system objectives and the controls are being consistently applied.

Substantial Assurance: While there is generally a sound system, there are areas of weakness which put some of the system objectives at risk, and/or there is evidence that the level of non-compliance with some of the controls may put some of the system objectives at risk.

Reasonable Assurance: Whilst the system is broadly reliable, areas of weakness have been identified which put some of the system objectives at risk, and/or there is evidence that the level of non-compliance with some of the controls may put some of the system objectives at risk.

Limited Assurance: Weaknesses in the system of controls are such as to put the system objectives at risk, and/or the level of non-compliance puts the system objectives at risk.

No Assurance: Control is generally weak, leaving the system open to significant error or abuse, and/or significant non-compliance with basic controls leaves the system open to error or abuse.