Avon & Somerset Police Authority




Avon & Somerset Police Authority
Internal Audit Report
IT Service Desk
FINAL REPORT

Report Version: Date:
Draft to Management: 19 February 2010
Management Response: 12 May 2010
Final: 13 May 2010

Distribution:
Mark Simmonds, Treasurer, Police Authority
Hannah Watts, Inspections Coordinator, Constabulary

Date of Fieldwork: 11 January to 1 February 2010

This report is prepared on the basis of the limitations at Appendix B.

This report and the work connected therewith are subject to the Terms and Conditions of the engagement letter dated 29 September 2005 between Avon and Somerset Police Authority and Deloitte & Touche LLP (now known as Deloitte LLP). The report is produced solely for the use of Avon and Somerset Police Authority. Its contents should not be quoted or referred to in whole or in part without our prior written consent except as required by law. Deloitte LLP will accept no responsibility to any third party, as the report has not been prepared, and is not intended for any other purpose.

Contents

1. Executive summary
   Background
   Key findings
   Summary evaluation of controls
   Delivery of scope
2. Scope of review
3. Recommendations
   3.1 Incident and problem management
   3.2 Incident classification
   3.3 Governance, roles and responsibilities
   3.4 Incident & Problem Closure
Appendix A - Definitions of audit opinion
Appendix B - Statement of responsibility

1. Executive summary

Background

The IT Service Desk provides the first line of support for all incidents and service requests impacting on the organisation's use of IT. The Police operate in a highly dynamic environment where the availability and successful operation of key IT Systems underpin business critical processes. An effective service management system is therefore vital to ensure that the required high levels of service and support are sustained at all times.

As part of the 2009/10 Internal Audit plan, agreed with the Performance & Audit Committee, we have completed an internal audit of the effectiveness of the IT Service Desk. Further detail of the scope of the audit is included in Section 2 of this report.

The Avon & Somerset Police IT Service Desk, which serves both the Police Authority and Constabulary, is run by Southwest One Technology Services. The Service Desk operates 24/7, acting as the first point of call for all IT related issues. Southwest One are contracted to operate the service desk in line with the Information Technology Infrastructure Library (ITIL) best practice framework.

There are a number of interdependent components which make up an effective IT Service Management system. Under ITIL, these include, but are not limited to, considerations for the effective management of problems and incidents.

Following a directive from the National Police Improvement Agency (NPIA), Southwest One Technology Services recently completed a mandatory self-assessment of its current service management system against core ITIL principles. This assessment identified a number of key areas for improvement, particularly in the area of problem, configuration and release management. A full audit by Her Majesty's Inspectorate of Constabulary (HMIC) is to be completed in 2010/11.

The design and reporting of Southwest One KPIs have not been assessed during the completion of this audit. These have been reviewed as part of a separate audit of Southwest One KPIs within the 2009/10 Internal Audit Plan.

Key findings

As a result of our work, we have concluded that a satisfactory level of assurance can be placed on activities in this area. Whilst an operational framework for IT Service Management has been established, there remain weaknesses in the wider system of internal control which put some of the system's overall objectives at risk.

Although the existing Service Desk is functional in providing users a designated point of contact for IT queries and incident management, inherent limitations within the HEAT Service Desk tool present a major constraint to embedding ITIL aligned processes across the department. Our audit has verified the impact of these limitations and identified some further areas for improvement to operate within the ITIL framework. Specifically, there is currently no problem management process in operation and the relationships between incidents, problems and changes are not being captured. Potential improvements have also been identified in relation to incident ownership and the absence of formal escalation procedures for open incidents, to ensure these operate according to ITIL principles. Our work has also highlighted weaknesses relating to staff training and awareness and the adequacy of performance reporting.

We have raised one high, seven medium and three low priority recommendations. Further details of the high and medium priority recommendations are summarised below:

Avon and Somerset Police Authority - IT Service Desk - May 2010 Page 1

IT Service Management (ITSM) tools do not support ITIL processes (high priority)
The current ITSM software, HEAT is not designed to support ITIL processes. Key weaknesses include the absence of integrated modules for Problem and Change Management and limited functionality for robust Service Level Management. The absence of an ITIL compliant Service Desk tool has been identified by management as a key constraint to implementing ITIL aligned processes within the department.

Lack of incident ownership by Service Desk (medium priority)
Ownership and responsibility for incidents is currently transferred to resolver groups once assigned by the Service Desk. ITIL specifically states Incident Ownership should remain with the Service Desk at all times, regardless of where the incident is referred to during its life.

No Incident Manager role (medium priority)
There is currently no Incident Manager role in operation. The role of Incident Manager, with overarching responsibility for the Incident Management process, is a key element of an ITIL aligned Service Desk.

Formal escalation procedures not in place (medium priority)
Formal escalation procedures have not been defined within the IT Service Desk. Furthermore, all automated escalation alerting within the HEAT IT Service Management (ITSM) tool has been switched off.

Problem management process not implemented (medium priority)
Whilst a documented Problem Management Policy has been in place since September 2008, the process has yet to become embedded within the department. The absence of a dedicated Problem Manager and the inherent limitations of the HEAT tool for supporting this process have been identified as the root causes.

No Problem Manager role (medium priority)
There is not currently a dedicated Problem Manager with a remit to focus on identifying and managing underlying IT problems. This role is a key element of an ITIL aligned service desk.

Incorrect initial classification of incidents (medium priority)
The correct prioritisation of Incidents relies on Service Desk staff correctly assessing the Impact and Urgency at the time the incident is logged. Our testing identified a number of instances where Incidents and Support Requests had been wrongly classified by the Service Desk. We also noted an absence of clear guidance over which systems are classed as Business Critical for the purposes of this assessment.

User satisfaction surveys (medium priority)
Customer satisfaction surveys, generated at call closure, provide a unique means of assessing how the Service Desk is perceived by IT users and therefore focused and timely opportunities for improvement. The results of such surveys are not currently included in monthly performance reporting.

Summary evaluation of controls

Number of findings identified as:

Area                                    Level of Assurance  High risk  Medium risk  Low risk  Control objectives reference
Governance, roles and responsibilities                      0          0            2         1, 2
Incident classification                                     0          1            0         6
Incident and problem management                             1          5            0         7, 8, 10, 12, 13, 15, 16
Incident and problem closure                                0          1            1         17
OVERALL OPINION                                             1          7            3         -

The definitions of summary evaluations and categorisation of recommendations are in Appendix A.

Delivery of scope

We were able to consider all areas indicated in the scope in Section 2 and can confirm that weaknesses have been identified against those objectives referenced above. Details of all of the issues raised in the duration of the audit are summarised on the contents page and full details are provided in Section 3.

We would like to take this opportunity to thank all staff involved for their co-operation during the internal audit.

2. Scope of review

Objective

The objectives of our project were to establish whether:

Governance, roles and responsibilities
1. Formal, ITIL based policies and procedures exist with regards to the handling of incidents and problems including information on their reporting, response and assessment;
2. Roles and responsibilities have been communicated to all staff, to ensure that incident and problem handlers and managers have received an appropriate level of training to successfully implement and maintain ITIL;
3. Service levels for incident response and resolution are implemented and measured in line with the Southwest One contract; and
4. The Service Desk acts as the primary point of contact for all communications in respect of questions, requests, complaints and feedback.

Incident classification
5. Acting as a single point of contact, the service desk logs, monitors and controls all incidents and problems;
6. All incidents and problems are correctly categorised and prioritised before being allocated to appropriate individuals for resolution.

Incident and problem management
7. All incidents and problems logged via the TS Service Desk are assigned an appropriate owner;
8. Incidents and problems are actively and appropriately managed to ensure resolution in line with recognised priority to the business with a focus on restoration of service.
9. Management monitor the status of open incidents to ensure timely resolution;
10. Escalation trigger points have been defined and open calls are escalated to senior management when escalation points are hit; - does not really happen, no formal incident manager or problem manager
11. A Knowledge Management or Known Error database is in place to capture common or recurring issues within the IT environment and make those solutions available to both TS and Force staff, as appropriate;
12. Incidents which cannot be resolved through the Knowledge Management or Known Error database generate problems;
13. Problems are investigated according to their priority to identify an appropriate solution, restore service to users as quickly as possible (if not already done so) and identify the root cause;
14. Short term fixes and long term solutions to problems are included in the Knowledge Management or Known Error Database;
15. A clear link is in place between problem resolution and the change management process; and
16. The Service Desk Management Software is capable and fully utilised to support ITIL based processes.

Incident and problem closure
17. User satisfaction, response time and trend identification reports are generated and reviewed by senior management; and
18. Lessons learned are prepared and reviewed after high priority and statistically significant incidents and problems have been resolved.

This audit did not cover the design and reporting of Southwest One KPIs as these are to be addressed in a separate Southwest One performance audit.

Link to risk register
Constabulary Risk 4.5: Server disruption could impact on internal systems.

Impact of Southwest One
This audit was within the scope of Southwest One.

Locations / Business Units
The work was performed at Avon and Somerset Police Headquarters in Portishead.

Work to be done
Internal Audit Services performed the following steps:
- Made contact prior to commencement of the audit to identify key staff, arrange initial meetings and provided details of documentation to which we required access;
- Recorded how the various systems operate;
- Tested the systems and procedures that are in operation;
- Met with responsible management to discuss the conclusions and proposed recommendations; and
- Produced and issued a draft report, prior to the issue of the final report.

Deliverables
We will produce a report in the standard Internal Audit format, which summarises the results of the project.

Limitation of scope
As limited purpose audit testing will be performed, our findings cannot be relied upon to be representative of the operation of control procedures at any time other than the time of observation of these control practices and in relation to the transactions tested. There are inherent limitations in any internal control system and thus errors or irregularities may occur and not be detected in our work. Projection of evaluations to future periods is subject to the risk that the policies and procedures may become inadequate because of changes in conditions, or that the degree of compliance with those policies and procedures may deteriorate.

Management's responsibilities
Avon & Somerset Police Authority is responsible for establishing and maintaining an effective internal control system. An effective internal control system reduces the likelihood that errors or irregularities will occur and remain undetected; however, it does not eliminate that possibility. There are inherent limitations in any control system and thus errors or irregularities may occur and not be detected.

3. Recommendations

3.1 Incident and problem management

No. Rationale Priority Recommendation Action Plan, Responsibility and

3.1.1 IT Service Management (ITSM) tools do not support ITIL processes

Priority: High

Rationale:
The existence of an ITIL aligned IT Service Management Tool is critical in supporting the effective application of standard ITIL processes across the department. The HEAT IT Service Desk software does not support the implementation of key ITIL processes. The following weaknesses have been identified with the current solution:

No support for integrated problem and change management
HEAT is primarily an Incident tracking tool and does not provide support for integrated problem and change management. Under ITIL, separate problem records within the Service Desk tool should be used to document the root cause analysis and resolution of underlying IT problems. Under this model, incident records are closed once service has been restored, with the underlying problem investigated through a linked problem record. An ITIL aligned Service Desk tool would also include an integrated change management module to ensure that appropriate control procedures and change records are implemented where necessary. Where these processes are not linked in this way, there is an increased risk of changes being implemented in the Live environment without the appropriate change process being followed. Such changes could result in increased system downtime and do not support effective Configuration Management.

Automated escalation triggers disabled
Although HEAT supports the configuration of automated escalation triggers, this functionality is currently disabled. Under ITIL, the level and timescales for management escalation should be defined with respect to SLA targets and then embedded within the service desk software to ensure consistent application for all ongoing incidents and problems.

Basic Service Level Management
The priority of all incidents is initially assigned by HEAT using a basic function of impact and urgency as assessed by the service desk operator when the incident is initially logged. Where the priority of an incident is subsequently changed, constraints within the HEAT tool make it difficult to assess the performance of the incident response against the revised SLA target time. ITIL specifically states that tools with such constraints should not be selected. The inability to re-open closed incident records within HEAT is also considered to be a weakness.

There is a risk that incidents are not correctly reported where system constraints prevent priorities being changed in response to an adjustment of the initial impact assessment. Furthermore, where incident records cannot be re-opened, there is a risk that SLA performance cannot continue to be assessed where the status of the incident has been wrongly changed to service restored / closed.

Recommendation 3.1.1.1:
Since the limitations of the current tool have been acknowledged by SW1 management and an alternative solution, Maximo ITSM, has been identified as a potential replacement, this tool should be implemented as soon as possible in line with the Service Desk's existing plans.

Action plan (3.1.1.1):
A new Service Desk system is being implemented in 2010 with ITIL workflows built into the system. Target date is July 2010. The contractual responsibility for delivery rests with Southwest One Head of ICT, who will be held accountable for delivery by the Retained Head of ICT. SWOne have been unable to meet the originally accepted implementation date of October 2009. The current agreed target is 31 July 2010.

Recommendation 3.1.1.2:
To ensure the replacement tool delivers the improvements expected of it and all functionality is supported, management should ensure that adequate due diligence is performed prior to its implementation.

Action plan (3.1.1.2):
SWOne are contracted to seek agreement of the suitability of new service management tools, prior to introduction. The Retained Head of ICT has met with the system developers on several occasions and has accepted that the system is fit for purpose. Retained Head of ICT. Implemented.

Recommendation 3.1.1.3:
All service delivery staff (including 2nd and 3rd line resolver groups) should be provided with adequate training once the new tool has been implemented.

Action plan (3.1.1.3):
Training of staff is an internal issue for SWOne. SWOne have provided positive assurance that training is planned for all relevant staff. Southwest One Head of ICT has contractual responsibility for delivery and will be held to account by the Retained Head of ICT. Retained Head of IS will check that training has been completed once new product implemented.

3.1.2 Lack of incident ownership by Service Desk

Priority: Medium

Rationale:
ITIL states that incident ownership should remain with the Service Desk at all times, regardless of where the incident is referred to during its life. Under ITIL, the Service desk should retain responsibility for tracking progress to ensure SLA targets are met, keeping users informed and incident closure.

At Avon & Somerset, once cases have been assigned by the Service Desk to a support team, ownership of that incident is deemed to have been transferred to that support team. As such, the Service Desk currently has no ownership of open incidents.

Where incident ownership is not retained by the Service Desk, this significantly limits the ability of management to monitor the effectiveness of the incident management process at an operational level. Specifically, there is a risk that:
- slow-moving incident records are not identified promptly;
- users are dissatisfied with the service as progress updates are not communicated to them; and
- incident closure procedures are not adhered to.

Recommendation 3.1.2.1:
Incident Management procedures should be revised so that the responsibility for managing all incidents resides with the Service Desk under the supervision of a dedicated Incident Manager.

Recommendation 3.1.2.2:
The Service Desk should retain overarching responsibility for tracking progress against SLAs, keeping users informed and for incident closure.

Recommendation 3.1.2.3:
Where it is deemed necessary that only specialist resolver teams liaise with senior users, this should be formalised as part of the local incident management process so that roles and responsibilities are understood.

Action plan:
Single accountability for Incident Management has been assigned to the Service Desk Manager (and documented in their Key Focus Areas which will become part of the Job Description over time) from incident receipt to incident closure. This is supported by an organisational design that is fully within the control of the Service Desk Manager and documented in various job descriptions and roles and responsibilities documents as well as process documents.

Increased detail has been requested in the relevant reported KPIs for Incident Resolution. This detail includes charts of historical data and associated trends. This information will be monitored for positive trends and indications of associated improvements.

Southwest One Head of ICT, who is held to account by Retained Head of ICT. The provision of the services will be monitored over the next 6 months, whilst SWOne improves ITIL-related processes.

3.1.3 No Incident Manager role

Priority: Medium

Rationale:
ITIL identifies the role of Incident Manager as a key element of the Incident Management process. This role does not currently exist within the Service Desk team.

The absence of a dedicated Incident Manager with responsibility for co-ordinating the incident management process increases the risk of noncompliance with approved procedures and an increased number of Incident records breaching agreed Service Levels.

Recommendation 3.1.3.1:
Management should consider assigning a dedicated Incident Manager within the First Line Service Desk to co-ordinate the incident management process. Their responsibilities may include:
- The management and tracking of all ongoing incidents (including close co-ordination of major incidents as part of the major incident process)
- Managing the work of incident management support staff
- Developing and maintaining incident management procedures; and
- Producing management information.

Action plan:
A new Incident Manager role is being introduced into the Service Desk over the next month; target date end June 2010. Southwest One Head of ICT, who will be held to account by Retained Head of ICT. To be reviewed July 2010 to establish that the post has been implemented.

3.1.4 Formal escalation procedures not in place

Priority: Medium

Rationale:
The implementation of robust escalation procedures forms an essential part of the incident management Process. Escalation triggers alert management to the existence of potential SLA breaches, and provide a means for assessing whether additional resources are required. Hierarchical escalation to senior management is also imperative for all critical incidents currently under investigation.

Automated escalation alerting
Escalation procedures have not been defined within the Service Desk. In particular, automated escalation alerts within HEAT have been disabled due to the unmanageable number of escalation emails which it generates.

Senior service management staff confirmed that communication of critical incidents is often informal, with a high level of reliance placed on resolver team managers to inform them of ongoing issues.

The root cause of this issue has been attributed to a lack of functionality within HEAT to specify custom escalation rules for different types of incident. Specifically, it has not been possible to restrict the sending of escalation alerts to certain levels of management in line with the type and severity of the incident.

The absence of pre-agreed escalation rules for incidents increases the risk that SLAs are breached and that incidents are not resolved in a timely manner.

Recommendation 3.1.4.1:
Management should define formal rules governing how problems and incidents are escalated to different levels of management. The agreed target times for escalation and associated escalation paths should then be configured within the Service Desk software.

Action plan (3.1.4.1):
Formal escalation procedures have been written and approved. They will be implemented in line with the Incident Manager role and other Incident Management related processes and functions. Target date end June 2010. Southwest One Head of ICT, who is held to account by Retained Head of ICT. To be reviewed by Retained Head of ICT June 2010.

Recommendation 3.1.4.2:
Management should ensure that any new Service Desk software includes adequate support for integrated service level management so that the required escalation rules can be implemented.

Action plan (3.1.4.2):
Assurance that this functionality exists with Maximo has already been obtained by the Retained Head of ICT. Retained Head of ICT. Implemented.

Recommendation 3.1.4.3:
As part of these escalation procedures, specific hierarchical escalation rules should be implemented to ensure that senior service delivery staff are notified of all critical incidents being investigated. Under ITIL, users should be routinely informed by the Service Desk once an incident has been escalated.

Action plan (3.1.4.3):
Assurance that this functionality exists with Maximo has already been obtained by the Retained Head of ICT. Retained Head of ICT confirmation of implementation is pending release of Maximo.

3.1.5 Absence of problem management process

Rationale:
ITIL defines a problem as the unknown cause of one or more incidents. The problem management process is used to diagnose the root cause of such incidents, and to determine the resolution to the underlying problem.
Whilst a documented Problem Management Policy has been in place since September 2008, the process has yet to become embedded within the department. Key management confirmed that whilst ongoing problems are known locally within the different support teams, these are not routinely documented, and do not follow a standard process.
The absence of documented problem records has been largely attributed to a lack of support for integrated problem management within the HEAT Service Desk tool.
Without an operational problem management framework there is a greatly increased risk that underlying IT problems will continue to cause service outages and disruption to users.

Priority: Medium

Recommendations:
3.1.5.1 Management should establish an operational problem management framework which is both appropriately managed and understood by all staff. Management should also ensure that any new IT Service Management (ITSM) tool fully supports ITIL Problem Management.
3.1.5.2 Management should review how priorities are assigned to problem records and consider formalising separate SLAs for Problem resolution where necessary.

Action Plan and Responsibility:
This is a supporting activity to the Incident Management Process which is currently the focus area for attention. Work will begin on implementing problem management in July 2010 and expected to be completed by end August 2010.
Southwest One Head of ICT, who is held to account by Retained Head of ICT.
31 August 2010

3.1.6 No Problem Manager role

Rationale:
ITIL identifies the role of Problem Manager as a key element of the Problem Management process. Whilst it is acknowledged that this role has recently been allocated, the position has yet to become operational.
The absence of a dedicated Problem Manager increases the risk of non-compliance with approved procedures and increased system downtime caused by known problems.

Priority: Medium

Recommendation:
3.1.6.1 The timely introduction of the Problem Manager role will be a key enabler of this process. This individual needs to be the single point of co-ordination and owner of the Problem Management Process. Key responsibilities should include:
Liaison with Resolver Groups to ensure the swift resolution of all Problems within SLA targets;
Input into the Major Incident Process as appropriate;
Responsibility for maintaining the Known Error Database and associated knowledge bases; and
Responsibility for Problem record closure and major problem reviews.

Action Plan and Responsibility:
Roles and responsibilities for a Problem Manager have been defined and approved. A Problem Manager has been recruited into the Service Management team and a refined role is expected to be implemented in line with the process work above. Target date end Aug 2010.
Southwest One Head of ICT, who is held to account by Retained Head of ICT.
31 August 2010.

3.2 Incident classification

3.2.1 Incorrect initial classification of incidents

Rationale:
The priority of an incident is automatically assigned by HEAT using a basic function of Impact and Urgency as assessed by the Service Desk Analyst when the incident is initially logged. Service Desk staff have access to a high level support matrix to guide them in performing this assessment.
The following issues were noted:
1. The total number of critical incidents per the monthly performance reports for the past 3 months was seen to be significantly less than the reported figures generated directly from HEAT. Testing of a sample of these HEAT records broadly supported the adjusted figures, with the HEAT report containing approximately 60% of incident records which had been wrongly classified by the Service Desk.
2. In assessing the urgency criteria of a reported incident, the guidance in place requires staff to consider whether the affected system is of a business critical nature. The Service Desk does not currently maintain a defined list of systems which have been deemed business critical for the purpose of this assessment.

Priority: Medium

Recommendations:
3.2.1 In order to implement a successful ITIL Service Management system, management should ensure that all Service Desk staff have received adequate training both in generic ITIL concepts, as well as specific training to ensure they understand how these concepts are applied locally.
3.2.2 Specifically, management should ensure Service Desk staff receive adequate training on how to correctly classify incidents. Such training should incorporate practical examples for each priority assignment.

Action Plan and Responsibility:
The Service Desk Manager has been assigned this task (and documented in their Key Focus Areas which will become part of the Job Description over time). This will be a key area in which their performance will be assessed.
This is an on-going task and one that will be supported by a plan to address consistency issues.
Southwest One Head of ICT, who is held to account by Retained Head of ICT.
Now in place.

3.2.1 Incorrect initial classification of incidents (continued)

Rationale:
The absence of clear guidance over business critical systems also increases the possibility of errors being made. Furthermore, inaccurate classification of incidents can complicate the reporting process, as specialist resources are then required to analyse and manually adjust for any discrepancies.

Priority: Medium

Action Plan and Responsibility:
Assurance will be sought from SW1 that this issue has been resolved.
Retained Head of ICT.
30 June 2010

3.3 Governance, roles and responsibilities

3.3.1 No regular review of policies and procedures

Rationale:
Regularly reviewed policies and procedures should be in place to guide the effective operation of the Service Desk.
Whilst ITIL aligned policies for Incident, Problem and Change Management have been drafted, these have not been updated since September 2008. Furthermore, the Incident Management policy remains in draft form, having yet to be approved by Service Delivery Management. In light of our findings, it has also been confirmed that many of the documented procedures have yet to be implemented within the department (e.g. problem management).
Where up to date policies and procedures are not established there is a risk that key elements of the Service Management provision do not operate in line with the expectations of management, leading to sub-optimal working practices.

Priority: Low

Recommendation:
3.3.1.1 Management should review all policies and procedures to ensure they accurately reflect how the developing ITIL Strategy is to be rolled out across the department. Specifically, these policies should be revised following the implementation of Maximo ITSM due to the inevitable impact this change will have on local working practices. Going forward, policies should be reviewed on at least an annual basis to ensure ongoing pertinence.

Action Plan and Responsibility:
This recommendation has been brought to the attention of Southwest One Head of ICT and a response is awaited.
Southwest One Head of ICT, who is held to account by Retained Head of ICT.
31 May 2010.

3.3.2 Lack of ongoing training for Service Desk staff

Rationale:
Sufficient staff training is vital to ensuring that approved Service Management processes are consistently followed.
Whilst approximately 60% of the current Service Desk team have completed a level of ITIL training, no such training has been provided to staff joining the Service Desk within the past 4 years. This will be of increasing importance with the upcoming transition to Maximo and related amendments to business processes to support the new tool.

Priority: Low

Recommendation:
3.3.2.1 In order to implement a successful ITIL Service Management system, management should ensure that all Service Desk staff have received adequate training both in generic ITIL concepts, as well as specific training to ensure they understand how these concepts are applied locally. Specifically, training needs have been identified in relation to ITIL awareness training for more recent members of the Service Desk Team. Management should also ensure that sufficient training is provided to all Service Delivery staff following the implementation of Maximo ITSM.

Action Plan and Responsibility:
This recommendation has been brought to the attention of Southwest One Head of ICT and a response is awaited.
Southwest One Head of ICT, who is held to account by Retained Head of ICT.
31 May 2010.

3.4 Incident & Problem Closure

3.4.1 Use of customer satisfaction surveys

Rationale:
ITIL identifies the use of customer satisfaction surveys as an important measure of Service Desk performance. Automated feedback requests have historically formed part of the incident closure process, with the results of these surveys being reviewed by Service Desk Management using the Survey Monkey tool.
The following issues were noted:
1. User feedback does not feature as a formal Performance Indicator in the monthly reporting packs prepared by Southwest One.
2. No customer satisfaction surveys have been requested since October 2009, when the Survey Monkey tool was disabled.
Customer satisfaction surveys provide a unique means of assessing how the Service Desk is perceived by IT users. Where the results of customer feedback do not form part of the performance reporting framework, there is a risk of this important service metric being overlooked.

Priority: Medium

Recommendations:
3.4.1.1 Management should consider the reimplementation of customer satisfaction surveys as a means of capturing user feedback. In order to allow for adequate comparison, the same proportion of calls should be selected for feedback requests in each reporting period, and all instances of low satisfaction levels should be investigated by Service Desk Management.
3.4.1.2 Management should also consider designating the results of these surveys as a formal Performance Indicator included in the monthly reporting packs presented by Southwest One.

Action Plan and Responsibility:
The Contract with Southwest One requires periodic customer satisfaction surveys but is not prescriptive. The response of the Southwest One Head of ICT to this recommendation is: Providing a survey function is not within the scope of the replacement Service Desk tool; instead we will continue with annual customer surveys, which mirror those carried out within the other partner organisations.
Southwest One Head of ICT, who is held to account by Retained Head of ICT.
30 June 2010

3.4.2 Service catalogue and self-help

Rationale:
The Police intranet provides little information to IT users about the services provided by the Service Desk. Specifically, there is no service catalogue published, and there are no self-help pages available, whereby users can search for common fixes and/or log their own service requests.
The absence of a self-help facility via the Service Desk intranet page increases the volume of incidents and service requests which require manual processing by the Service Desk.
Implementing a comprehensive service catalogue would also go some way to closing the expectations gap which commonly exists between IT users and the IT Service Desk.

Priority: Low

Recommendation:
3.4.2.1 Management should consider publishing a Service Catalogue via the Police Intranet to educate users about the systems and Services supported by the IT Service Desk. This service catalogue should also document the associated support arrangements so that user expectations are appropriately managed.

Action Plan and Responsibility:
Accepted. Maximo self-help functionality is expected to be the ideal mechanism to provide this information.
Southwest One Head of ICT, who is held to account by Retained Head of ICT.
Pending confirmation of Maximo availability.

Recommendation:
3.4.2.2 Management should consider publishing self-help information via the Police Intranet to help users identify and fix common IT problems. The implementation of a real-time service Dashboard would also provide users with an up-to-date view of system availability.

Action Plan and Responsibility:
Accepted. Ideally via Maximo self-help but will pursue temporary arrangements via Intranet.
Southwest One Head of ICT, who is held to account by Retained Head of ICT.
Pending re-launch of new Constabulary Intranet.

Appendix A - Definitions of audit opinion

Management should be aware that our internal audit work was performed according to the Institute of Internal Auditors - UK and Ireland standards which are different from audits performed in accordance with International Standards on Auditing (UK and Ireland) issued by the Auditing Practices Board. Similarly, the assurance gradings provided in our internal audit report are not comparable with the International Standard on Assurance Engagements (ISAE 3000) issued by the International Audit and Assurance Standards Board.

Definitions of assurance levels

Level of Assurance: Low
Description: The system of internal control does not meet minimum acceptable standards overall because control deficiencies exist, which could allow material losses to take place and not be detected.

Level of Assurance: Satisfactory
Description: Whilst there is a basically sound system of internal control, there are weaknesses that put some of the system objectives at risk. The overall system of internal control may meet minimum acceptable standards overall but could be improved.

Level of Assurance: Substantial
Description: Overall the system of internal control meets acceptable standards and provides reasonable, but not absolute, assurance that the process covered is reliable and material losses will be detected in the normal course of business.

Definitions of risk levels

Priority: High
Description: A critical control deficiency, which could allow material losses to take place and not be detected. Such a risk could lead to an adverse impact on the Police Service and expose the Authority and Senior Officers to criticism. Remedial action must be taken urgently.

Priority: Medium
Description: A control deficiency which could allow losses to take place.

Priority: Low
Description: A process improvement opportunity that is not indicative of a control weakness but indicative of an opportunity for improvement in the efficiency or effectiveness of a process.

Appendix B - Statement of responsibility

We take responsibility for this report which is prepared on the basis of the limitations set out below.

The matters raised in this report are only those which came to our attention during the course of our internal audit work and are not necessarily a comprehensive statement of all the weaknesses that exist or all improvements that might be made. Recommendations for improvements should be assessed by you for their full impact before they are implemented. The performance of internal audit work is not and should not be taken as a substitute for management's responsibilities for the application of sound management practices. We emphasise that the responsibility for a sound system of internal controls and the prevention and detection of fraud and other irregularities rests with management and work performed by internal audit should not be relied upon to identify all strengths and weaknesses in internal controls, nor relied upon to identify all circumstances of fraud or irregularity. Auditors, in conducting their work, are required to have regard to the possibility of fraud or irregularities. Even sound systems of internal control can only provide reasonable and not absolute assurance and may not be proof against collusive fraud. Internal audit procedures are designed to focus on areas as identified by management as being of greatest risk and significance and as such we rely on management to provide us full access to their accounting records and transactions for the purposes of our audit work and to ensure the authenticity of these documents. Effective and timely implementation of our recommendations by management is important for the maintenance of a reliable internal control system.

Deloitte LLP
Bristol
May 2010

In this document references to Deloitte are references to Deloitte LLP. Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675. A list of members' names is available for inspection at 2 New Street Square, London EC4A 3BZ, United Kingdom, the firm's principal place of business and registered office. Tel: +44 (0) 20 7936 3000 Fax: +44 (0) 20 7583 1198.

Deloitte LLP is a member firm of Deloitte Touche Tohmatsu ("DTT"). DTT is a Swiss Verein (association), and, as such, neither DTT nor any of its member firms has any liability for each other's acts or omissions. Each member firm is a separate and independent legal entity operating under the names Deloitte, Deloitte & Touche, Deloitte Touche Tohmatsu, or other, related names. The services described herein are provided by the member firms and not by the DTT Verein.

Deloitte LLP is authorised and regulated by the Financial Services Authority.

© 2010 Deloitte LLP. All rights reserved.