Internal Audit Report

IS Service Desk
2012/13
Report ref: C3/6

Report Issued Draft: 20/08/13 Good

Background page 2

Scope page 2

Audit Opinion page 3

Detailed Findings & Action Plan page 4 onwards

Service Desk Questionnaire Results Appendix A

Auditor: Distribution:

J. Fearn Name Job Title

Page 1 of 5
1 Background
1.1 This audit is being undertaken as part of the shared annual audit plan for 2012/13.

1.2 Internal Audit is an assurance function that provides an independent and objective opinion to the Council on the control environment by
evaluating its effectiveness in achieving the Council’s objectives. Internal Audit objectively examines, evaluates and reports on the
adequacy of the control environment as a contribution to the proper, economic, efficient and effective use of resources.

1.3 The following key control objectives (KCOs) are applicable to the audit:
KCO1: The Service Desk is the recognised point of contact to manage, co-ordinate and resolve incidents, provide guidance and
administer network user access.
KCO2: Reported incidents are registered, classified and allocated to relevant technical officers for resolution in a timely manner.
KCO3: Reported incidents are controlled, monitored and closed on completion with appropriate user notification.
KCO4: A procedure exists for the escalation of incidents.
KCO5: Clearance of incidents is monitored to ensure timely completion.
KCO6: Trend analysis and reporting is carried out on the performance of the Service Desk.

2 Audit Scope
2.1 The testing strategy is outlined below which entailed documentation review and discussion with staff.

KCO Test
The Service Desk is the recognised Ensure that the main functions of the Service Desk are in line with the expected control
point of contact to manage, co- Determine that actual fault reporting procedure reflects expected procedure
ordinate and resolve incidents, Determine the view of the Service Desk from a sample of users
provide guidance and administer
network user access.
Reported incidents are registered, Determine from a sample of 20 reported incidents that actual procedure reflects expected
classified and allocated to relevant procedure which is in line with the control
technical officers for resolution in a
timely manner.
Reported incidents are controlled, Determine for a sample of reported incidents that they are monitored and closed and users are
monitored and closed on completion notified when this has happened
with appropriate user notification.
A procedure exists for the escalation Determine that a procedure exists for the escalation of incidents that is appropriate and that is
of incidents. followed in practice

Page 2 of 5
 Clearance of incidents is monitored to Establish that monitoring is in place for a sample of reported incidents enabling their clearance
ensure timely completion. within pre-defined timescales
Trend analysis and reporting is carried Ensure that trend analysis carried out to allow decisions to be made on improving the service
out on the performance of the Service
Desk.

3 Audit Opinion
3.1 A summary of Internal Audit’s opinion levels and their definitions is provided below:

Level Definition
The system of internal control is designed to support the Council’s corporate and service objectives
Significant Level of Assurance
and controls are consistently applied in all the areas reviewed.
There is generally a sound system of control designed to support the Council’s corporate and service
Good Level of Assurance
objectives. However, some improvements to the design or application of controls is required.
Weaknesses are identified in the design or inconsistent application of controls which put the
Partial Level of Assurance
achievement of some of the Council’s corporate and service objectives at risk in the areas reviewed.
There are weaknesses in control, or consistent non-compliance which places corporate and service
No Level of Assurance
objectives at risk in the areas reviewed.
3.2 Based on this report’s findings, Internal Audit have given a Good Level of Assurance on the Internal Control Framework within the
function at the present time. Of the 6 key control areas reviewed, 4 are being fully met; KC’s 1, 4, 5 and 6 listed in paragraph 1.3 above.
KC’s 2 and 3 above are considered to be partly met, the key risks for which are described in section 4 below. Three recommendations
have been made in total graded at priority 2.

3.3 Questionnaires were issued by the Auditor to a sample of sixteen users who had raised Service Desk calls during a one month period in
2012/13, ten (63%) of which were returned. Although 100% were happy with the actual response provided, the percentage of those
respondents who considered their issue to have been resolved within an adequate timescale was 60%. 40% of the total respondents
provided positive comments on the service, whereas 60% provided negative comments; 30% putting forward suggestions for
improvement, all of which are detailed at Appendix A

3.4 Since July 2013 the Service Desk has been hosted in house and this has resulted in significant improvements in monitoring and reporting
arrangements introduced by the Service desk Manager. These improvements have been assessed by Internal Audit as part of this review.

Page 3 of 5
4 Detailed Findings & Action Plan
The audit findings are detailed in this section on an exception basis only for the attention of management, therefore KCO’s with adequate
controls are not included.
Recommendations are prioritised as follows:
Priority 1 - These relate to significant gaps in the Internal Control Framework
Priority 2 - These relate to minor gaps in the Internal Control Framework or significant issues of non-compliance with key controls
Priority 3 - These relate to minor issues of non-compliance with controls.

Officer
Recommendations and
Responsible and
Ref Findings Risk
Management Response
Implementation
Date
KCO2: Reported incidents are registered, classified and allocated to relevant technical officers for resolution in a timely manner

The documented ICT Support Work Procedures indicate those Any officer assuming this
role would be unclear from R1: Priority 2
officers that should be assigning tickets on the system. Sample
procedure review as to their The ICT Support Work
testing identified 5 tickets that had been assigned by the ICT Shared Services
responsibilities, potentially Procedures should be
1. Apprentice ICT Technical Analyst who was not listed in the
updated to accurately reflect
Manager
procedures as being able to undertake this task. It was later causing delay in the call 15/11/13
resolution timeframe. those officers who should
confirmed with the Service Desk Manager that this task is part of
assign tickets on the system.
this officer’s remit.

Page 4 of 5
 Officer
Recommendations and Responsible and
Ref Findings Risk
Management Response Implementation
Date
R2: Priority 2
No efficiency gains could be
The Solutions section of the system, enabling a knowledge base Use of the system’s
achieved in future in terms of ICT Shared Services
to be built up for both users and Technicians is not presently Solutions section should be
2. used; the knowledge base for Technicians having been held
learning from past
explored to enable a
Manager
experiences of fault 15/11/13
separately. knowledge base to be built
resolution
up

KCO3: Reported incidents are controlled, monitored and closed on completion with appropriate user notification.
R3: Priority 2
Preferably an additional
resource should be found to
cover the knowledge gaps
incurred during leave
The ICT Technical Analyst/Applications & Development was
periods of the ICT Technical
noted as having the highest number of outstanding calls whilst on Delays in resolving calls, ICT Shared Services
Analyst/Applications &
3. leave. It is recognised that this officer’s technical skills are unique exacerbated if these are
Development. If this proves
Manager
amongst the team resulting in specific calls being unable to be urgent in nature 15/11/13
impractical, consideration
allocated to any other team member.
should be given to the
possibility of the utilisation of
contacts established through
the North Yorkshire IT
Managers group meetings.

The agreed actions will be subject to a follow up review to establish whether they have been implemented as part of the quarterly performance
monitoring clinic.

Any queries or requests for further information regarding this report should be directed to Internal Audit on 706360 or on 01423 556116.
Internal Audit would like to thank the officers involved for their assistance during this audit.

Page 5 of 5