FINAL INTERNAL AUDIT REPORT




FINAL INTERNAL AUDIT REPORT

IT Change Control Processes in Customer Experience (IA 15 431/F)

Vernon Everitt, Managing Director, Customer Experience, Marketing and Communications

Audit Conclusion: Well Controlled and Audit Closed

28 August 2015

Number of issues
Priority 1: 0
Priority 2: 0
Priority 3: 0

CONTENTS

EXECUTIVE SUMMARY
APPENDIX 1 DISTRIBUTION LIST

Audit information
Version: 1
Draft versions issued: 1
Fieldwork started: 1 June 2015
Fieldwork completed: 7 August 2015
Draft report issued: 18 August 2015
Auditor: Thomas Mathew
Audit Manager: Emilija Antevska
Director of Internal Audit: Clive Walker

EXECUTIVE SUMMARY

Introduction and background

The Future Ticketing Agreement (FTA) contract that covers the delivery of public transport fare collection systems and services (ie Oyster systems and services) was awarded to Cubic Transportation Systems Ltd (Cubic) in August 2010. According to the FTA contract, Cubic is responsible for operating the Oyster systems, including the requirements for change management, configuration management and release management. Cubic has provided a documented framework and associated processes through which these changes are managed.

It is important that changes to the Oyster system are undertaken within this framework and that changes made do not adversely impact the Oyster service. TfL must ensure that it has visibility of the changes being made to underlying systems and that it maintains an oversight to ensure the integrity of the systems and enable the smooth running of the Oyster service to its customers.

Objective

The objective of this audit was to confirm that the technical changes made to the Oyster systems are being undertaken within a robust and effective change management framework, which includes authorisation and validation of change through to testing and final release into the live production environment.

Scope

The audit focused on the control environment in relation to the following key risk areas:

- All requests for changes, system maintenance, and supplier maintenance are standardised and are subject to formal change management standards and procedures;
- Management has established a change control board where changes are reviewed and only approved changes are implemented;
- Changes are implemented in sequence without interfering with other changes;
- All changes to service assets and configuration items (including supporting documentation) are adequately maintained;
- Changes are planned and tested within a development and test environment before changes are released in a controlled manner into the live/production environment;
- Management anticipate and manage problems resulting from changes and have back out plans in place; and
- Emergency changes are implemented in a way that preserves change controls.

Summary of findings

We carried out a review of all the areas included within the scope of this audit and the following comments summarise our findings.

The change management processes are incorporated and delivered within the overall contractual agreement between TfL and Cubic, under the Future Ticketing Agreement (FTA). The change control process is owned and operated by Cubic under their overall IT Service Management obligations to TfL. Roles and responsibilities are clearly identified within the Change process.

All changes are subject to formal, standardised and automated change processes using the Service Now Change Management software tool which was implemented in January 2015. Prior to this implementation a manual process was in place. The introduction of the Change Management software provides more visibility and control of the technical changes made to the Oyster systems.

Changes are recorded within the change control process form (CHG) which is used to identify resources, risk level and impact severity to the Oyster systems prior to the change being subject to approval by the Change Advisory Board (CAB). The CAB has representation from the technical disciplines within Cubic and also the IT Customer Experience Change and Release Manager from TfL, who has full visibility of the changes and provides input and approval as required to enable the changes to be made. The CAB meets at scheduled times and is provided with details of all the changes prior to the meeting to enable a greater level of scrutiny before discussion and approval at the meeting.

Changes are sequenced to ensure potential impact on other areas of the Oyster IT infrastructure is established prior to the changes being implemented.

Where significant changes to the systems are to be made, Cubic implements a release in accordance with the documented Release Management Policy. The releases are designed, planned, tested and implemented in accordance with the release calendar as agreed with TfL. This includes testing any changes in the integration environment, pre-production environment and then approval utilising the change management process.

As part of the change process, various elements of the Oyster infrastructure are identified so that it is clear which areas will be affected by the change.

All changes are tested prior to the CHG being closed; implementation testing and post implementation verification testing is conducted to ensure that there are no adverse impacts on the live Oyster systems as a result of introducing the change. Additionally, a regression plan is developed, prior to the change being introduced, to roll back the systems in the event the change fails. All problems are captured within the issue log and a process is in place to identify, analyse, manage and resolve these incidents.

Emergency changes are carried out only when an urgent need arises. The CHG is completed and is available within the Service Now change system and undergoes the same level of scrutiny as a normal change. This type of change requires approval by the Cubic Service Delivery Manager and the Head of Service Strategy and IT. All emergency changes are discussed with the IT Customer Experience Change and Release Manager prior to implementation.

The audit did not identify any issues.

Conclusion

Based on the findings, we have concluded that the IT change control processes in Customer Experience that have been established for the Oyster systems are well controlled. This audit is now closed.

We would like to thank all those who were involved in and contributed to this audit.

APPENDIX 1

Distribution list

This report was sent to Vernon Everitt, Managing Director Customer Experience Marketing & Communications, by Clive Walker, Director of Internal Audit, and copied to:

Shashi Verma, Director of Customer Experience
Martin Loukes, Business Development Manager
Letitia Charles, Customer Experience Change & Release Manager
David Kershaw, Revenue System Analyst
Tim Carman, Customer Technology Architecture Manager
Nolan Miskimmin, Technical Delivery Manager
Clive Brooker, Technical Delivery Manager
Martyn Loukes as Key Risk Representative
Nigel Blore, Head of Group Insurance
Andrea Clarke, Director of TfL Legal
Ian Nunn, Chief Finance Officer
Howard Carter, General Counsel
Karl Havers, EY