• No results found

FINAL INTERNAL AUDIT REPORT

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "FINAL INTERNAL AUDIT REPORT"

Copied!
6
0
0

Loading.... (view fulltext now)

Download now ( 6 Page )

Full text

(1)

FINAL INTERNAL AUDIT REPORT

IT Change Control Processes in Customer

Experience (IA 15 431/F)

Vernon Everitt, Managing Director,

Customer Experience, Marketing and

Communications

Audit Conclusion: Well Controlled and

Audit Closed

28 August 2015

Number of issues Priority 1 0 Priority 2 0 Priority 3 0

(2)

CONTENTS

EXECUTIVE SUMMARY ... 3

APPENDIX 1 – DISTRIBUTION LIST ... 6

Audit information

Version 1 Draft versions issued 1

Fieldwork started 1 June 2015 Fieldwork completed 7 August 2015 Draft report issued 18 August 2015

Auditor Thomas Mathew

Audit Manager Emilija Antevska Director of Internal Audit Clive Walker

(3)

Page 3

EXECUTIVE SUMMARY

Introduction and background

The Future Ticketing Agreement (FTA) contract that covers the delivery of public transport fare collection systems and services (ie Oyster systems and services) was awarded to Cubic Transportation Systems Ltd (Cubic) in August 2010.

According to the FTA contract, Cubic is responsible for operating the Oyster systems, including the requirements for change management, configuration management and release management. Cubic has provided a documented framework and associated processes through which these changes are managed.

It is important that changes to the Oyster system are undertaken within this framework and that changes made do not adversely impact the Oyster service.

TfL must ensure that it has visibility of the changes being made to underlying systems and that it maintains an oversight to ensure the integrity of the systems and enable the smooth running of the Oyster service to its customers.

Objective

The objective of this audit was to confirm that the technical changes made to the Oyster systems are being undertaken within a robust and effective change management framework, which includes authorisation and validation of change through to testing and final release into the live production environment.

Scope

The audit focused on the control environment in relation to the following key risk areas:

 All requests for changes, system maintenance, and supplier maintenance are standardised and are subject to formal change management standards and procedures;

 Management has established a change control board where changes are reviewed and only approved changes are implemented;

 Changes are implemented in sequence without interfering with other changes;

 All changes to service assets and configuration items (including supporting documentation) are adequately maintained;

(4)

 Changes are planned and tested within a development and test

environment before changes are released in a controlled manner into the live/production environment;

 Management anticipate and manage problems resulting from changes and have back out plans in place; and

 Emergency changes are implemented in a way that preserves change controls.

Summary of findings

We carried out a review of all the areas included within the scope of this audit and the following comments summarise our findings.

The change management processes are incorporated and delivered within the overall contractual agreement between TfL and Cubic, under the Future

Ticketing Agreement (FTA). The change control process is owned and operated by Cubic under their overall IT Service Management obligations to TfL. Roles and responsibilities are clearly identified within the Change process.

All changes are subject to formal, standardised and automated change processes using the ‘Service Now’ Change Management software tool which was implemented in January 2015. Prior to this implementation a manual process was in place. The introduction of the Change Management software provides more visibility and control of the technical changes made to the Oyster systems.

Changes are recorded within the change control process form (CHG) which is used to identify resources, risk level and impact severity to the Oyster systems prior to the change being subject to approval by the Change Advisory Board (CAB). The CAB has representation from the technical disciplines within Cubic and also the IT Customer Experience Change and Release Manager from TfL, who has full visibility of the changes and provides input and approval as

required to enable the changes to be made. The CAB meets at scheduled times and is provided with details of all the changes prior to the meeting to enable a greater level of scrutiny before discussion and approval at the meeting.

Changes are sequenced to ensure potential impact on other areas of the Oyster IT infrastructure is established prior to the changes being implemented,

Where significant changes to the systems are to be made, Cubic implements a release in accordance with the documented Release Management Policy. The releases are designed, planned, tested and implemented in accordance with the release calendar as agreed with TfL. This includes testing any changes in the integration environment, pre-production environment and then approval utilising the change management process.

(5)

Page 5

As part of the change process, various elements of the Oyster infrastructure are identified so that it is clear which areas will be affected by the change. All

changes are tested prior to the CHG being closed; implementation testing and post implementation verification testing is conducted to ensure that there are no adverse impacts on the live Oyster systems as a result of introducing the

change.

Additionally, a regression plan is developed, prior to the change being

introduced, to roll back the systems in the event the change fails. All problems are captured within the issue log and a process is in place to identify, analyse, manage and resolve these incidents.

Emergency changes are carried out only when an urgent need arises. The CHG is completed and is available within the ‘Service Now’ change system and undergoes the same level of scrutiny as a normal change. This type of change requires approval by the Cubic Service Delivery Manager and the Head of Service Strategy and IT. All emergency changes are discussed with the IT Customer Experience Change and Release Manager prior to implementation.

The audit did not identify any issues.

Conclusion

Based on the findings, we have concluded that the IT change control processes in Customer Experience that have been established for the Oyster systems are well controlled.

This audit is now closed.

We would like to thank all those who were involved in and contributed to this audit.

(6)

APPENDIX 1 – Distribution list

This report was sent to Vernon Everitt, Managing Director Customer Experience Marketing & Communications, by Clive Walker, Director of Internal Audit, and copied to:

Shashi Verma Director of Customer Experience Martin Loukes Business Development Manager

Letitia Charles Customer Experience Change & Release Manager

David Kershaw Revenue System Analyst

Tim Carman Customer Technology Architecture Manager Nolan Miskimmin Technical Delivery Manager

Clive Brooker Technical Delivery Manager Martyn Loukes as Key Risk Representative Nigel Blore Head of Group Insurance Andrea Clarke Director of TfL Legal

Ian Nunn Chief Finance Officer

Howard Carter General Counsel

Karl Havers EY

References

Download now ( PDF - 6 Page - 29.91 KB )

Related documents

Multiscale Biofluidic and Nanobiotechnology Approaches for Treating Sepsis in Extracorporeal Circuits

fresh capturing reagents into the bloodstream at every moment instead of repassing blood through the cap- turing surface matrix multiple times, which may gradually compromise

Estimating the Return to Schooling: Progress on Some Persistent Econometric Problems

Models in even columns include both parents’ education, age and age-squared, indicators for race, family structure at age 14, and region in 1966.. Near College subgroup are those

State Consent, Temporal Jurisdiction, and the Importation of Continuing Circumstances Analysis into International Investment Arbitration

jurisprudence that uses continuing violations to expand temporal jurisdiction. This paper will examine how investment tribunals have incorporated

Defamation, Reputation, and the Myth of Community

The chief focus of this Article has been the complex interaction between defamation, reputation, and community values and ideals. Defamation exists to protect

Private Concerns of Private Plaintiffs: Revisiting a Problematic Defamation Category

A potential objection to the above logic is that it might be thought to challenge other ways in which the public or private nature of speech fixes the degree of

What has the European Convention on Human Rights ever done for the UK?

In light of the above, Helena Kennedy and Philippe Sands, who expressed the minority view in the Commission’s report, were rightfully alarmed about “the real possibility that some

DEPARTMENT OF DEFENSE SURVEY OF HEALTH RELATED BEHAVIORS AMONG ACTIVE DUTY MILITARY PERSONNEL SERVICE PROGRAM OFFERINGS

 Alcohol and Drug Abuse Prevention and Treatment Program (ADAPT) - The ADAPT program focuses on the prevention and treatment of substance abuse, offering substance abuse

Course Outline 16 January There are two sections, both of which meet on Mondays and Wednesdays:

Other readings (not required): Pearson, Neil D., 2002, Risk Budgeting: Portfolio Problem Solving With Value-at-Risk (New York: John Wiley & Sons), Chapters 11, 12, and 13;