FINAL INTERNAL AUDIT REPORT
IT Change Control Processes in Customer Experience (IA 15 431/F)
Vernon Everitt, Managing Director, Customer Experience, Marketing and Communications
Audit Conclusion: Well Controlled and Audit Closed
28 August 2015
Number of issues: Priority 1: 0, Priority 2: 0, Priority 3: 0
CONTENTS
EXECUTIVE SUMMARY
APPENDIX 1 – DISTRIBUTION LIST
Audit information
Version: 1
Draft versions issued: 1
Fieldwork started: 1 June 2015
Fieldwork completed: 7 August 2015
Draft report issued: 18 August 2015
Auditor: Thomas Mathew
Audit Manager: Emilija Antevska
Director of Internal Audit: Clive Walker
EXECUTIVE SUMMARY
Introduction and background
The Future Ticketing Agreement (FTA) contract that covers the delivery of public transport fare collection systems and services (ie Oyster systems and services) was awarded to Cubic Transportation Systems Ltd (Cubic) in August 2010.
According to the FTA contract, Cubic is responsible for operating the Oyster systems, including the requirements for change management, configuration management and release management. Cubic has provided a documented framework and associated processes through which these changes are managed.
It is important that changes to the Oyster system are undertaken within this framework and that changes made do not adversely impact the Oyster service.
TfL must ensure that it has visibility of the changes being made to underlying systems and that it maintains an oversight to ensure the integrity of the systems and enable the smooth running of the Oyster service to its customers.
Objective
The objective of this audit was to confirm that the technical changes made to the Oyster systems are being undertaken within a robust and effective change management framework, which includes authorisation and validation of change through to testing and final release into the live production environment.
Scope
The audit focused on the control environment in relation to the following key risk areas:
All requests for changes, system maintenance, and supplier maintenance are standardised and are subject to formal change management standards and procedures;
Management has established a change control board where changes are reviewed and only approved changes are implemented;
Changes are implemented in sequence without interfering with other changes;
All changes to service assets and configuration items (including supporting documentation) are adequately maintained;
Changes are planned and tested within a development and test environment before changes are released in a controlled manner into the live/production environment;
Management anticipate and manage problems resulting from changes and have back out plans in place; and
Emergency changes are implemented in a way that preserves change controls.
Summary of findings
We carried out a review of all the areas included within the scope of this audit and the following comments summarise our findings.
The change management processes are incorporated and delivered within the overall contractual agreement between TfL and Cubic, under the Future Ticketing Agreement (FTA). The change control process is owned and operated by Cubic under their overall IT Service Management obligations to TfL. Roles and responsibilities are clearly identified within the Change process.
All changes are subject to formal, standardised and automated change processes using the ‘Service Now’ Change Management software tool which was implemented in January 2015. Prior to this implementation a manual process was in place. The introduction of the Change Management software provides more visibility and control of the technical changes made to the Oyster systems.
Changes are recorded within the change control process form (CHG) which is used to identify resources, risk level and impact severity to the Oyster systems prior to the change being subject to approval by the Change Advisory Board (CAB). The CAB has representation from the technical disciplines within Cubic and also the IT Customer Experience Change and Release Manager from TfL, who has full visibility of the changes and provides input and approval as required to enable the changes to be made. The CAB meets at scheduled times and is provided with details of all the changes prior to the meeting to enable a greater level of scrutiny before discussion and approval at the meeting.
Changes are sequenced to ensure potential impact on other areas of the Oyster IT infrastructure is established prior to the changes being implemented.
Where significant changes to the systems are to be made, Cubic implements a release in accordance with the documented Release Management Policy. The releases are designed, planned, tested and implemented in accordance with the release calendar as agreed with TfL. This includes testing any changes in the integration environment, pre-production environment and then approval utilising the change management process.
As part of the change process, various elements of the Oyster infrastructure are identified so that it is clear which areas will be affected by the change. All changes are tested prior to the CHG being closed; implementation testing and post implementation verification testing is conducted to ensure that there are no adverse impacts on the live Oyster systems as a result of introducing the change.
Additionally, a regression plan is developed, prior to the change being introduced, to roll back the systems in the event the change fails. All problems are captured within the issue log and a process is in place to identify, analyse, manage and resolve these incidents.
Emergency changes are carried out only when an urgent need arises. The CHG is completed and is available within the ‘Service Now’ change system and undergoes the same level of scrutiny as a normal change. This type of change requires approval by the Cubic Service Delivery Manager and the Head of Service Strategy and IT. All emergency changes are discussed with the IT Customer Experience Change and Release Manager prior to implementation.
The audit did not identify any issues.
Conclusion
Based on the findings, we have concluded that the IT change control processes in Customer Experience that have been established for the Oyster systems are well controlled.
This audit is now closed.
We would like to thank all those who were involved in and contributed to this audit.
APPENDIX 1 – Distribution list
This report was sent to Vernon Everitt, Managing Director Customer Experience Marketing & Communications, by Clive Walker, Director of Internal Audit, and copied to:
Shashi Verma, Director of Customer Experience
Martin Loukes, Business Development Manager
Letitia Charles, Customer Experience Change & Release Manager
David Kershaw, Revenue System Analyst
Tim Carman, Customer Technology Architecture Manager
Nolan Miskimmin, Technical Delivery Manager
Clive Brooker, Technical Delivery Manager
Martyn Loukes as Key Risk Representative
Nigel Blore, Head of Group Insurance
Andrea Clarke, Director of TfL Legal
Ian Nunn, Chief Finance Officer
Howard Carter, General Counsel
Karl Havers, EY