The audit report summarizes an audit of Denver's IT Service Desk. The audit found that while the IT Service Desk meets customer needs, there are opportunities for improvement such as better managing the third-party support contract, enhancing communication with customers about issue resolution status, updating the internal knowledge base, and increasing awareness of a new web-based support tool. The report provides recommendations in these areas to further enhance the effectiveness of the IT Service Desk.
As per client request we where obliged to provide them with a comprehensive manual for the HelpDesk software I wrote. This document covers the application in detail, providing the users with an in depth functional knowledge of HelpDesk call center software.
As per client request we where obliged to provide them with a comprehensive manual for the HelpDesk software I wrote. This document covers the application in detail, providing the users with an in depth functional knowledge of HelpDesk call center software.
We are a leading global IT services and solutions company providing value propositions to our clients in the areas of banking and financial services to redefine and impact the core of their businesses. Since inception in 2003 we transformed into an integrated portfolio of services and solutions with extensive R&D and leveraged many banks in achieving their business objectives. Our extensive exposure to various core banking applications and processes and IT verticals has been our holistic approach in serving our clients with delight.
Enterprises rely on IT to provide the foundation for business services for maintaining all resources such as cloud instances, serverless infrastructure, network infrastructure, storage, etc.
I held this presentation during the Eurostar 2009 conference in Stockholm. It gives a good impression in how a simulation of a SIT helps you in determining defects during the design stage of your SOA landscape.
The must-have program/project management reporting feature before applying f...Shane Emerson
Learn more about CEC-NG Government Contract Requirements in terms of the technical functional requirements which every contract should abide by concerning the CEC-NG contract.
We are a leading global IT services and solutions company providing value propositions to our clients in the areas of banking and financial services to redefine and impact the core of their businesses. Since inception in 2003 we transformed into an integrated portfolio of services and solutions with extensive R&D and leveraged many banks in achieving their business objectives. Our extensive exposure to various core banking applications and processes and IT verticals has been our holistic approach in serving our clients with delight.
Enterprises rely on IT to provide the foundation for business services for maintaining all resources such as cloud instances, serverless infrastructure, network infrastructure, storage, etc.
I held this presentation during the Eurostar 2009 conference in Stockholm. It gives a good impression in how a simulation of a SIT helps you in determining defects during the design stage of your SOA landscape.
The must-have program/project management reporting feature before applying f...Shane Emerson
Learn more about CEC-NG Government Contract Requirements in terms of the technical functional requirements which every contract should abide by concerning the CEC-NG contract.
Case Study: Turning a Big Ship–Transforming IT Silos into IT Services at the ...Cherwell Software
Starting with 1,100 IT employees, 105,000 end users, IT organization silos, and a lot of incidents and issues, we undertook a major transformation effort centered on Cherwell Service Management (CSM) in 2013. We implemented new incident, request, problem, change and service levels including a service catalog, service portal, dashboards and metrics. The scope of our efforts included not only implementation of CSM, but new processes, organizational roles, and reporting metrics. The session covers our approach, successes, challenges, and lessons learned through this transformation to turn the big ship.
Your Challenge
Service desk managers with immature service desk processes struggle with:
Low business satisfaction.
High cost to resolve incidents and implement requests.
Confused and unhappy end users.
High ticket volumes and a lack of root-cause analysis to reduce recurring issues.
Wasted IT time and wages resolving the same issues time and again.
Ineffective demand planning.
Our Advice
Critical Insight
Don’t be fooled by a tool that’s new. A new service desk tool alone won’t solve the problem. Service desk maturity improvements depend on putting in place the right people and processes to support the technology.
Service desk improvement is an exercise in organizational change. Engage specialists across the IT organization in building the solution, and emphasize how everyone stands to benefit from the initiative.
Organizations are sometimes tempted to track their work under a single ticket type. Unfortunately, the practice obscures the fact that incidents, requests, and projects require radically different amounts of time and resources, and can create the impression that IT is underperforming. Distinguish between incidents, requests, and projects, and design specific processes to support and track the performance of each activity.
Remember, the value of any IT service management (ITSM) tool is a function of the processes it supports and the adoption of those processes. The ITSM tool with the best functionality is worth little if you do not build the right processes, configure the tool to support them, and work to improve tool adoption in your organization.
Impact and Result
Increase business satisfaction.
Reduce recurring issues and ticket volumes.
Reduce average incident resolution time and average request implementation time.
Increase efficiency and lower operating costs.
Enhance demand planning.
Improving Citizen Outcomes with Robotic Process Automation (RPA)AnthonyFungPMPITIL
Pressure, everyone in state and local government feels it — especially since the COVID-19 virus hit. Citizen expectations are rising, software and computer infrastructure are unable to keep up with the surge in transactions, regulations, and oversight but department budgets and staffing levels are stagnant — at best. Do more with less is a recurring mantra. How? Robotic Process Automation (RPA) has the potential to streamline business processes, boost capacity, and transform an agency’s position from reactive to proactive and reduce the backlog of work.
Michel hebert info tech - misa presentationMichel Hébert
AI promises to make it easier to find the content you need to resolve incidents faster, and automate tasks so humans can work more efficiently. We are still in the early stages of the AI adoption cycle, however. As with all transformative technologies, the uses cases are getting ahead of the actual tools at our disposal. This session will map out some early uses for ITSM automation in government, and propose how to proceed in light of the uncertainty surrounding the technology.
Want to learn more about Activity Based Costing or IT Delivery Services Transparency? Would you like to better communicate your Technology Services Catalog or articulate proper chargebacks to the Business Stakeholders?
The business demands Best-in-Class Solutions with a secure and reliable infrastructures with no downtime, and now the CIO can provide a portal view with comprehensive Business Unit Dashboards and custom Data Analytics reporting.
Implementing It Service Excellence For Enhanced Customer Experience Complete ...SlideTeam
This template will help organization in optimizing IT infrastructure by improving service desk and overall enhance customer retention by effective incident handling. As a technology service provider, firm will deliver IT services to end user, prepare service level agreements. The firm will address the current concerns faced by IT department such as high IT infrastructure cost due to outdated software and hardware, delay in delivering services to clients as they are facing issues in handling incidents and managing requests. Firm is also facing issue regarding customer attrition with rise in service failures. The firm will discuss present service delivery gap and will compare their performance to key competitors. The template provides information regarding the key reasons to implement IT service excellence. Firm will develop IT service implementation plan by initiating service plan. It will create help desk and service desk as single point of contact to clients. It will discuss the roles and responsibilities assigned between help desk and service desk in order manage incidents effectively. As technology solution provider, it will manage various vendors on regular basis. Firm will prepare service agreement which is considered as legal document before rendering services to clients. It will be responsibility of both parties to review it on regular basis to ensure that all conditions mentioned in it will be followed. Vital information regarding service period, renewal, devices covered, warranties, limitations are mentioned. Firm will maintain client information system which contains information regarding client onboarding list such as user, domain name, server, antivirus, backups details. It will handle client issue by service maintenance list. Cost associated to each service is also mentioned. The firm manage IT staff performance by assessing them on various key performance parameters. This template will mention cost associated for implementing IT service excellence on functional areas. The overall impact of the successful implementation is mentioned in terms of improved service delivery. https://bit.ly/2YLdMMM
Contact Management is our excellence. We leverage the Contact Management from Automation to Operation; our Business and Application Consultants work collaboratively with the performance management team along with the Customer Operations department, to produce a comprehensive contact management solution that enables our clients to better maintain healthy relationship with their customers and clients.
Social Media is indeed a critical channel, where Customers tend to get their rights through Complaint broadcasting. As a Professional Contact Management and Customer Service Outsourcing Provider, we adopt the Telephony Channel(s) for providing our services, and we also provide an up-to-date Social Media Support Service to Customer, while prompt response and fast resolution are always in mind.
Didier Delanoye en Jasper Kerremans lichten toe hoe de steeds sneller veranderende processen bij hun klanten de aanpak van financiële audits beïnvloeden.
Ze tonen hoe ze daarop antwoorden bieden via de de data-enabled audit methodologie en process mining technieken.
Vertrekkende van enorme volumes aan gegevens, biedt de data-enabled audit methodologie nieuwe inzichten en meer assurance via verbeterde risico-inschattingen, analyses en testing, bijvoorbeeld van journaalboekingen.
Process mining wordt enerzijds ingezet om het functioneren van key controls te bevestigen, en anderzijds om betere inzichten in bedrijfsprocessen te verwerven, bijvoorbeeld door middel van visualisaties en animaties die belangrijke afwijkingen van de verwachte processen blootleggen of efficiëntieverschillen tussen entiteiten tonen.
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamtakuyayamamoto1800
In this slide, we show the simulation example and the way to compile this solver.
In this solver, the Helmholtz equation can be solved by helmholtzFoam. Also, the Helmholtz equation with uniformly dispersed bubbles can be simulated by helmholtzBubbleFoam.
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...informapgpstrackings
Keep tabs on your field staff effortlessly with Informap Technology Centre LLC. Real-time tracking, task assignment, and smart features for efficient management. Request a live demo today!
For more details, visit us : https://informapuae.com/field-staff-tracking/
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxrickgrimesss22
Discover the essential features to incorporate in your Winzo clone app to boost business growth, enhance user engagement, and drive revenue. Learn how to create a compelling gaming experience that stands out in the competitive market.
First Steps with Globus Compute Multi-User EndpointsGlobus
In this presentation we will share our experiences around getting started with the Globus Compute multi-user endpoint. Working with the Pharmacology group at the University of Auckland, we have previously written an application using Globus Compute that can offload computationally expensive steps in the researcher's workflows, which they wish to manage from their familiar Windows environments, onto the NeSI (New Zealand eScience Infrastructure) cluster. Some of the challenges we have encountered were that each researcher had to set up and manage their own single-user globus compute endpoint and that the workloads had varying resource requirements (CPUs, memory and wall time) between different runs. We hope that the multi-user endpoint will help to address these challenges and share an update on our progress here.
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...Juraj Vysvader
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I didn't get rich from it but it did have 63K downloads (powered possible tens of thousands of websites).
Check out the webinar slides to learn more about how XfilesPro transforms Salesforce document management by leveraging its world-class applications. For more details, please connect with sales@xfilespro.com
If you want to watch the on-demand webinar, please click here: https://www.xfilespro.com/webinars/salesforce-document-management-2-0-smarter-faster-better/
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdfJay Das
With the advent of artificial intelligence or AI tools, project management processes are undergoing a transformative shift. By using tools like ChatGPT, and Bard organizations can empower their leaders and managers to plan, execute, and monitor projects more effectively.
Cyaniclab : Software Development Agency Portfolio.pdfCyanic lab
CyanicLab, an offshore custom software development company based in Sweden,India, Finland, is your go-to partner for startup development and innovative web design solutions. Our expert team specializes in crafting cutting-edge software tailored to meet the unique needs of startups and established enterprises alike. From conceptualization to execution, we offer comprehensive services including web and mobile app development, UI/UX design, and ongoing software maintenance. Ready to elevate your business? Contact CyanicLab today and let us propel your vision to success with our top-notch IT solutions.
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns
Unlocking Business Potential: Tailored Technology Solutions by Prosigns
Discover how Prosigns, a leading technology solutions provider, partners with businesses to drive innovation and success. Our presentation showcases our comprehensive range of services, including custom software development, web and mobile app development, AI & ML solutions, blockchain integration, DevOps services, and Microsoft Dynamics 365 support.
Custom Software Development: Prosigns specializes in creating bespoke software solutions that cater to your unique business needs. Our team of experts works closely with you to understand your requirements and deliver tailor-made software that enhances efficiency and drives growth.
Web and Mobile App Development: From responsive websites to intuitive mobile applications, Prosigns develops cutting-edge solutions that engage users and deliver seamless experiences across devices.
AI & ML Solutions: Harnessing the power of Artificial Intelligence and Machine Learning, Prosigns provides smart solutions that automate processes, provide valuable insights, and drive informed decision-making.
Blockchain Integration: Prosigns offers comprehensive blockchain solutions, including development, integration, and consulting services, enabling businesses to leverage blockchain technology for enhanced security, transparency, and efficiency.
DevOps Services: Prosigns' DevOps services streamline development and operations processes, ensuring faster and more reliable software delivery through automation and continuous integration.
Microsoft Dynamics 365 Support: Prosigns provides comprehensive support and maintenance services for Microsoft Dynamics 365, ensuring your system is always up-to-date, secure, and running smoothly.
Learn how our collaborative approach and dedication to excellence help businesses achieve their goals and stay ahead in today's digital landscape. From concept to deployment, Prosigns is your trusted partner for transforming ideas into reality and unlocking the full potential of your business.
Join us on a journey of innovation and growth. Let's partner for success with Prosigns.
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisGlobus
JASMIN is the UK’s high-performance data analysis platform for environmental science, operated by STFC on behalf of the UK Natural Environment Research Council (NERC). In addition to its role in hosting the CEDA Archive (NERC’s long-term repository for climate, atmospheric science & Earth observation data in the UK), JASMIN provides a collaborative platform to a community of around 2,000 scientists in the UK and beyond, providing nearly 400 environmental science projects with working space, compute resources and tools to facilitate their work. High-performance data transfer into and out of JASMIN has always been a key feature, with many scientists bringing model outputs from supercomputers elsewhere in the UK, to analyse against observational or other model data in the CEDA Archive. A growing number of JASMIN users are now realising the benefits of using the Globus service to provide reliable and efficient data movement and other tasks in this and other contexts. Further use cases involve long-distance (intercontinental) transfers to and from JASMIN, and collecting results from a mobile atmospheric radar system, pushing data to JASMIN via a lightweight Globus deployment. We provide details of how Globus fits into our current infrastructure, our experience of the recent migration to GCSv5.4, and of our interest in developing use of the wider ecosystem of Globus services for the benefit of our user community.
Experience our free, in-depth three-part Tendenci Platform Corporate Membership Management workshop series! In Session 1 on May 14th, 2024, we began with an Introduction and Setup, mastering the configuration of your Corporate Membership Module settings to establish membership types, applications, and more. Then, on May 16th, 2024, in Session 2, we focused on binding individual members to a Corporate Membership and Corporate Reps, teaching you how to add individual members and assign Corporate Representatives to manage dues, renewals, and associated members. Finally, on May 28th, 2024, in Session 3, we covered questions and concerns, addressing any queries or issues you may have.
For more Tendenci AMS events, check out www.tendenci.com/events
Large Language Models and the End of ProgrammingMatt Welsh
Talk by Matt Welsh at Craft Conference 2024 on the impact that Large Language Models will have on the future of software development. In this talk, I discuss the ways in which LLMs will impact the software industry, from replacing human software developers with AI, to replacing conventional software with models that perform reasoning, computation, and problem-solving.
Accelerate Enterprise Software Engineering with PlatformlessWSO2
Key takeaways:
Challenges of building platforms and the benefits of platformless.
Key principles of platformless, including API-first, cloud-native middleware, platform engineering, and developer experience.
How Choreo enables the platformless experience.
How key concepts like application architecture, domain-driven design, zero trust, and cell-based architecture are inherently a part of Choreo.
Demo of an end-to-end app built and deployed on Choreo.
Enhancing Research Orchestration Capabilities at ORNL.pdfGlobus
Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Globus
The Earth System Grid Federation (ESGF) is a global network of data servers that archives and distributes the planet’s largest collection of Earth system model output for thousands of climate and environmental scientists worldwide. Many of these petabyte-scale data archives are located in proximity to large high-performance computing (HPC) or cloud computing resources, but the primary workflow for data users consists of transferring data, and applying computations on a different system. As a part of the ESGF 2.0 US project (funded by the United States Department of Energy Office of Science), we developed pre-defined data workflows, which can be run on-demand, capable of applying many data reduction and data analysis to the large ESGF data archives, transferring only the resultant analysis (ex. visualizations, smaller data files). In this talk, we will showcase a few of these workflows, highlighting how Globus Flows can be used for petabyte-scale climate analysis.
Understanding Globus Data Transfers with NetSageGlobus
NetSage is an open privacy-aware network measurement, analysis, and visualization service designed to help end-users visualize and reason about large data transfers. NetSage traditionally has used a combination of passive measurements, including SNMP and flow data, as well as active measurements, mainly perfSONAR, to provide longitudinal network performance data visualization. It has been deployed by dozens of networks world wide, and is supported domestically by the Engagement and Performance Operations Center (EPOC), NSF #2328479. We have recently expanded the NetSage data sources to include logs for Globus data transfers, following the same privacy-preserving approach as for Flow data. Using the logs for the Texas Advanced Computing Center (TACC) as an example, this talk will walk through several different example use cases that NetSage can answer, including: Who is using Globus to share data with my institution, and what kind of performance are they able to achieve? How many transfers has Globus supported for us? Which sites are we sharing the most data with, and how is that changing over time? How is my site using Globus to move data internally, and what kind of performance do we see for those transfers? What percentage of data transfers at my institution used Globus, and how did the overall data transfer performance compare to the Globus users?
1. Office of the Auditor
Audit Services Division
City and County of Denver
Timothy M. O’Brien, CPA
Denver Auditor
AUDIT REPORT
Technology Services
IT Service Desk
April 2016
2. Audit Committee
Timothy M. O’Brien, CPA, Chairman
Rudolfo Payan, Vice Chairman
Jack Blumenthal
Leslie Mitchell
Florine Nath
Charles Scheibe
Ed Scholz
Audit Management
Valerie Walling, CPA, CMC®, Deputy Auditor
Kip Memmott, MA, CGAP, CRMA, Director of Audit Services
Audit Staff
Shannon Kuhn, CISA, Audit Supervisor,
Nick Jimroglou, CISA, Lead Auditor,
Karin Doughty, CISA, Senior Auditor,
Tyler Kahn, Senior Auditor
You can obtain copies of this report by contacting us:
Office of the Auditor
201 West Colfax Avenue, Department 705
Denver CO, 80202
(720) 913-5000 Fax (720) 913-5247
Or download and view an electronic copy by visiting
our website at: www.denvergov.org/auditor
Report number: A2015-020
The Auditor of the City and
County of Denver is
independently elected by
the citizens of Denver. He is
responsible for examining and
evaluating the operations of
City agencies for the purpose
of ensuring the proper and
efficient use of City resources
and providing other audit
services and information
to City Council, the Mayor
and the public to improve
all aspects of Denver’s
government. He also chairs
the City’s Audit Committee.
The Audit Committee is
chaired by the Auditor and
consists of seven members.
The Audit Committee assists
the Auditor in his oversight
responsibilities of the integrity
of the City’s finances and
operations, including the
integrity of the City’s financial
statements. The Audit
Committee is structured in a
manner that ensures the
independent oversight of City
operations, thereby
enhancing citizen
confidence and avoiding
any appearance of a conflict
of interest.
3. April 21, 2016
AUDITOR’S REPORT
We have completed an audit of the IT Service Desk. The purpose of the audit was to determine
the effectiveness of the IT Service Desk and to ensure that it is meeting the needs of the City and
County of Denver’s employees. We assessed the availability of resources, the use of third-party
support, performance metrics, and the tools and technologies used by the IT Service Desk to
carry out its responsibilities.
As described in the attached report, our audit revealed that the IT Service Desk meets the needs
of its customers, however we identified some areas for improvement. Specifically, the IT Service
Desk needs to better adhere to and manage the contract with its third-party support provider,
enhance the process used to notify customers about the progress of issue resolution, update
and secure the internal knowledge base used for issue resolution, and increase customer
awareness of the new, web-based tool SupportNow. Our report includes several
recommendations for addressing these opportunities for enhancement. Through stronger vendor
management and enhanced communications and security, the IT Service Desk will be better
able to meet the growing demands of its customers.
This performance audit is authorized pursuant to the City and County of Denver Charter, Article
V, Part 2, Section 1, General Powers and Duties of Auditor, and was conducted in accordance
with generally accepted government auditing standards. Those standards require that we plan
and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis
for our findings and conclusions based on our audit objectives. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions based on our audit
objectives.
We extend our appreciation to the IT Service Desk and the personnel who assisted and
cooperated with us during the audit.
Denver Auditor’s Office
Timothy M. O’Brien, CPA
City and County of Denver
201 West Colfax Avenue, Dept. 705 • Denver, Colorado 80202
720-913-5000 • Fax 720-913-5253 • www.denvergov.org/auditor
4. Auditor
Highlights
We found that City employees are generally satisfied with
the quality of service provided by the City’s IT Service
Desk. A large percentage of surveyed users indicated that
IT Service Desk technicians are courteous, professional,
and knowledgeable and that their technical issues are
being resolved. However, our audit found opportunities for
further enhancing the IT Service Desk’s operations in four
areas.
• Third-Party Contract Improvements—The contract
between the City and a third-party after-hours
support team is not being monitored on a regular
basis, and the vendor’s IT controls have not been
evaluated for security integrity.
• Communicating with Customers about Resolution
Status—Customers are not always notified when an
issue is escalated to a different IT team for
resolution, which has a negative impact on
customer satisfaction.
• Updating and Securing the Knowledge Base—The
knowledge base that is used internally by the IT
Service Desk to relay potential resolutions to known
problems is not being updated and reviewed on a
regular basis.
• Increasing Customer Awareness of a Web-Based
Tool—A web-based tool was rolled out to
customers in October 2015 to make the IT Service
Desk more efficient. However, the features and
location of the tool were not sufficiently
communicated to City personnel.
REPORT HIGHLIGHTS
For a complete copy of this report, visit www.denvergov.org/auditor
Or contact the Auditor’s Office at 720.913.5000
Technology
Services – IT Service
Desk
April 2016
Scope
The scope of the audit was the
City’s IT Service Desk, which is
administered by Technology
Services and serves the majority of
City employees with technology
related assistance. Our assessment
included a review of policies and
procedures, tools and technologies,
overall performance measures, and
the IT Service Desk’s third party
contract.
Background
The Information Technology (IT)
Service Desk was established to
meet the growing technology
demands of the City’s employees.
The Service Desk seeks to streamline
communication, provide trackable
records to known issues, and resolve
problems for City personnel.
Purpose
The purpose of the audit was to
assess the effectiveness of the City’s
IT Service Desk.
5. TABLE OF CONTENTS
INTRODUCTION & BACKGROUND 1
Purpose of the Service Desk 1
IT Service Desk Personnel 2
Clients & Customers of the IT Service Desk 3
Systems Used by the IT Service Desk 4
Key IT Service Desk Processes 5
SCOPE 7
OBJECTIVE 7
METHODOLOGY 7
FINDING 9
The Information Technology Service Desk Provides Quality IT Support, but Opportunities Exist to
Further Enhance the Process 9
RECOMMENDATIONS 20
AGENCY RESPONSE 22
6. Page 1 Timothy M. O’Brien, CPA
Denver Auditor
INTRODUCTION & BACKGROUND
Purpose of the City’s IT Service Desk
The operations of the City and County of Denver (City) are heavily reliant on a wide variety of
information technology systems, applications, and devices. Although most of this technology is
designed to be user friendly, problems inevitably arise and most City employees do not have the
expertise to resolve them on their own. Thus, the Information Technology (IT) Service Desk was
established to provide City employees with technical assistance, the need for which has grown
over time along with the expanded use of technology to support City functions. The IT Service
Desk provides support to approximately 11,500 City employees, resulting in a ratio of one IT
Service Desk technician per 885 customers. We benchmarked this ratio across five other cities
and counties and noted the ratio of technicians to customers is comparable.
The City uses more than 300 enterprise and business applications, hosted services and a variety
of IT hardware including mobile devices, tablets, laptops, desktops. Although many City
agencies use the same applications, some require specialized software to perform their day-to-
day activities. Supporting these systems and applications—both common and unique—through
the IT Service Desk provides employees with a central point of contact when they encounter
technology issues. Figure 1 demonstrates the most common issues submitted to the IT Service
Desk, including problems related to email, mobile devices, desktop computers, and printers.
Figure 1: Common Issues Submitted to the IT Service Desk from March 27, 2015 to November
5, 2015
Source: Created by Audit Services Division Staff.
608
543
423 418
348
298
258 228 207 177 172 151 150 134 133
0
100
200
300
400
500
600
700
Number
of
Tickets
Request Type
7. Timothy M. O’Brien, CPA Page 2
Denver Auditor
The IT Service Desk serves as a primary source for technology related information within the City
and County. The breadth and depth of knowledge of IT Service Desk technicians ranges from
assisting with general IT related questions, first level troubleshooting of problems, solving known
issues, providing notifications to users of service disruptions, and escalating issues that require
more advanced technical knowledge. The service desk is available twenty-four hours per day,
seven days per week, including holidays. City employees operate the service desk Monday
through Friday from 6:00 a.m. to 6:00 p.m. After business hours, on weekends, and on holidays, a
third-party vendor provides remote service desk support. Figure 2 shows which group provides IT
Service Desk coverage throughout the week.
IT Service Desk Personnel
For 2016, the IT Service Desk was allocated approximately $1.5 million for staffing, resources, and
operations. A portion of the budget supports the salaries of the IT Manager in charge, fourteen
tier one service desk technicians, and four advanced support technicians. The associate level
tier one position requires an associate’s degree in computer science, computer information
systems, business administration, mathematics, or a related field. Additionally, tier one staff must
have two years of experience performing user support. The tier one IT Service Desk technicians
serve as a single point of contact for employees and primarily interface with City employees
through service requests that are made via email, telephone, or a web interface option called
SupportNow. The technicians are trained to actively listen to the customer, obtain key
information, assess the situation, troubleshoot, and deliver a resolution. Each tier one technician
responds to approximately 170 calls, emails, and walk-ins on average each day.
In the event that the solution requires a more comprehensive level of knowledge or expertise,
the tier one technician will refer customer requests to an advanced support technician or to
another team within TS. This process is known as escalation. Education qualifications for
advanced support technicians include a bachelor’s degree in an information technology-
related field, and two years of experience performing user support. Advanced support
personnel serve as the technical resource for business systems and applications, including
support for projects within the system development life cycle, and assisting with the information
technology needs of designated departments and agencies.
IT Service Desk technicians have a range of other duties in addition to responding to service
requests. They are also responsible for remotely installing software upon request by the TS
Licensing Department; performing account maintenance, such as completing IT Service Desk
portions of requests and verifying with customers that resolutions are complete; and interacting
with advanced support technicians and specialized TS teams that may assist in resolving issues.
Figure 2: IT Service Desk and Third Party Vendor Staffing Schedule Coverage
Source: Created by Audit Services Division Staff.
8. Page 3 Timothy M. O’Brien, CPA
Denver Auditor
The advanced support team includes IT systems administrators who are responsible for installing
and configuring operating system hardware and user application environments, and repairing
routine to complex problems with system hardware and software across the TS environment.
According to the IT Service Desk Manager, a common misconception is that the 311 call center
answers IT support calls, when in fact this entity is responsible for helping citizens with questions
about and problems with municipal and non-emergency services.1
After-Hours IT Service Desk Support Personnel
The City has a contract with a third-party vendor to provide after hours, weekend, and holiday
support. The contract provides details about the services that will be performed, the fixed costs,
insurance requirements, record retention policies, City data confidentiality, the hours of
coverage, and Service Level Agreements (SLA). SLAs provide additional details on the
expectations of work to be performed, such as achieving certain response times based on ticket
priority. For example, one of the SLAs specifies that the third-party vendor will respond to a server
outage more quickly than to a password reset request since a server outage is far more severe
and would have a significant impact across the City. Prioritization—both by the City-employed IT
Service Desk personnel and the third-party personnel—is important so that City employees
receive a response and resolution within a reasonable specified timeframe. The SLAs also
provide consistency in service regardless of what day or time an employee is seeking support.
Third-party vendor employees must meet similar IT experience requirements as City IT Service
Desk technicians. These third-party technicians receive on average sixteen tickets per day, and
handle the same variety of issues the IT Service Desk receives. To evaluate the level of service
provided by the third party, IT Service Desk personnel regularly select tickets completed by
outsourced staff for quality evaluations. Results are communicated back to the third party so it
can address issues and ensure that City customers receive consistent and quality service.
Surveys are also used to gauge the level of customer service that is provided. Finally, The Service
Desk and the third party exchange status reports to ensure that all parties are aware of
upcoming maintenance, any known issues, and specific tickets that require follow-up.
IT Service Desk Clients
The IT Service Desk provides support to approximately 11,500 City employees. Agencies that use
the IT Service Desk more frequently than others include the Departments of Human Services,
Safety, Parks and Recreation, Finance, and Public Works. The majority of the City’s agencies rely
on the IT Service Desk for technical support, but some are supported by their own independent
IT support staff. The IT Service Desk provides support to many agencies and departments within
the City and County of Denver with the exception of the following departments: Botanic
Gardens, Denver Art Museum, Denver Convention Center, Denver Health Medical Center,
Denver International Airport, Denver Museum of Nature and Science, Denver Public Library,
Denver Zoo, Denver Health and Hospital Authority, District Attorney, and County Courts. These
agencies rarely contact the IT Service Desk since they have technology support personnel who
1 The 311 Customer Service Center (311 call center) is a comprehensive one-stop resource for anyone seeking information
about nonemergency City services. The 311 call center serves both external and internal customers by providing a quick source
of information or call routing for external callers, which assists internal City agencies with their customer service efforts.
9. Timothy M. O’Brien, CPA Page 4
Denver Auditor
specialize in their unique technology. However, these agencies may occasionally request
Service Desk support. IT Services bills these agencies for services based on a fixed fee.
The IT Service Desk regularly sends out customer satisfaction surveys to receive feedback on their
performance. Our audit work also included a survey of agencies that utilize the IT Service Desk
most; our analysis of the results is included in the findings below.
Systems Used by the IT Service Desk
IT Service Desk technicians use a variety of systems in the course of performing their duties. These
systems help with intake and organization of requests for support and store the information that
technicians use to provide that support.
ServiceNow—The IT Service Desk staff uses a suite of IT service management applications called
ServiceNow, which is designed to provide a comprehensive integrated solution for TS staff and
improve the customer experience. The ServiceNow application is the tool that IT Service Desk
technicians use for entering, tracking, and updating service requests. ServiceNow also has the
functionality to process email requests for service through an auto-ticket generation process,
creating a corresponding ticket for each request. The ServiceNow suite provides a
comprehensive tool for tracking information on users and devices, infrastructure, projects,
changes, and incidents in a single platform.
SupportNow— SupportNow, a module of ServiceNow, is an employee self-service web interface
that allows City employees to enter their own service request into the ServiceNow system.
Introduced in October 2015, SupportNow allows users to look up the status of their existing
tickets, review answers to frequently asked IT questions, and research for any known issues or
incidents affecting the City network. Currently, the SupportNow knowledge base of information
is targeted towards City employees in need of technical assistance, but this feature could be
expanded to provide content that is more technical and would serve as a resource for the
technicians as well.
Cisco Telephone System—The IT Service Desk uses a Cisco telephone system to receive
incoming calls, provide informational messages, and manage call routing and queues. Currently
the service desk has two queues, one for password resets and another for all other calls. The
Cisco supervisor module displays information including which staff members are actively taking
calls, the duration of the calls, hold times, and number of calls abandoned.2 This tool provides
real-time reporting on call statistics to keep management apprised of when call volumes are
increasing. In the event of a widespread issue, the Cisco telephone system’s messaging feature
allows the service desk to record an introductory message that all callers would hear prior to
connecting to a technician informing them that TS is aware of and is working on resolving a
known issue. Additionally, this feature is used in a marketing capacity to communicate the
availability of new tools or support desk functionality.
TS Wiki—Another tool used by the IT Service Desk is the TS Wiki, which is the key knowledge base
for all service desk technicians.3 The TS Wiki contains entries for critical enterprise applications
allowing technicians to research solutions for known issues, or find suggested troubleshooting
questions and procedures. This assists the technicians in finding the necessary information to
2 A call is considered abandoned when a caller ends the call before reaching a technician.
3 A wiki is a website that allows collaborative modification of its content and is accessible through a web browser.
10. Page 5 Timothy M. O’Brien, CPA
Denver Auditor
more quickly resolve an issue and provides consistency of service. In addition, the TS Wiki may
provide detailed contact and on-call information in the event that a technician needs to
escalate an issue. The TS Wiki is a collaborative tool that is managed by TS and shared with IT
Service Desk technicians. TS relies on subject matter experts within the organization to create
and maintain knowledge base entries. When IT Service Desk technicians encounter a new issue
not addressed by the TS Wiki, they may share with IT Service Desk technician’s information about
potential solutions using instant messaging tools. A new resolution is not added to the TS Wiki until
it has been thoroughly tested to ensure the solution is valid.
Key IT Service Desk Processes
There are three methods by which customers may request technical support from the IT Service
Desk: telephone, email, and SupportNow. The majority of customer contacts are initiated by
telephone at 78 percent, while email and SupportNow constitute 16 percent and 6 percent of
contacts, respectively. When a customer experiences an IT-related issue, the customer may call
the IT Service Desk for immediate support. A technician may answer the call immediately or, in
the event that all technicians are already helping other customers, the call will be placed in a
queue while the customer remains on hold. Once the call is answered, the technician creates a
ticket while on the telephone with the customer. All tickets have a corresponding number to
identify the request, which allows technicians to track the request through resolution.
Alternatively, the customer may request assistance from the IT Service Desk using email. Rather
than contacting an individual technician, all IT Service Desk emails are directed to one general
email address, which assigns requests to a similar but separate queue. The system automatically
generates tickets from these emails, assigning the requests numbers. Lastly, a customer may
request assistance through SupportNow, which also generates tickets and adds them to a
separate queue from the email-generated tickets. Technicians are assigned to either work the
telephone lines or respond to the ticketing or SupportNow queue, starting with the oldest tickets
in the queues.4
The subsequent process for responding to telephone calls and tickets is similar. Technicians start
by obtaining or verifying relevant information about the customer, such as telephone number,
employee ID, and computer name, and determining whether the customer has already
contacted the IT Service Desk about the same issue. This prevents more than one ticket being
created for the same issue. After gathering customer information, technicians determine
customer needs by either inquiring about the issue with customers who have called in or reading
the issue described in the ticket as submitted via email or SupportNow. Technicians assign the
ticket a priority and categorize the request based on a specific issue, such as application name
or hardware type. The technician will work to understand the issue, perform the necessary work
to fix the problem, and close out the ticket to indicate that the problem has been resolved.
Approximately 59 percent of the time, problems require more specialized assistance from an
advanced support technician or a specialized team within TS. The advanced support team’s
issue-resolution responsibilities include processing and resolving tickets that have been escalated
to them from the IT Service Desk regarding provisioning resources in accordance with customer
needs, performance management, and system recovery. IT Service Desk technicians also
4 Technicians who work for third party after-hours service desk use the same queues as those used by the IT Service Desk
employees.
11. Timothy M. O’Brien, CPA Page 6
Denver Auditor
escalate tickets to specialized TS teams. These teams are considered the Subject Matter Experts
(SMEs) in a specified area of technology. For example, the telephony SMEs will handle escalated
telephone issues. While there are over 50 specialized TS teams that are capable of responding to
escalated tickets, some of the teams that play a more significant role in this capacity include
Desktop Support, Network Operations, Business Applications, Desktop Architecture, and
Enterprise and Business Applications. Each specialized team is responsible for processing each
issue, and resolving and closing tickets. Figure 3 displays the IT Service Desk process flow.
Figure 3: IT Service Desk Process Flow
Source: Created by Audit Services Division Staff.
12. Page 7 Timothy M. O’Brien, CPA
Denver Auditor
SCOPE
The scope of the audit was the City’s IT Service Desk, which serves the majority of the City and
County of Denver employees with technology related information.
OBJECTIVE
The audit objective was to assess the effectiveness of the City’s IT Service Desk operations. The
audit objective included reviewing: documented policies and procedures, availability of
resources, access controls to the ticketing system and internal knowledge sharing site, ticketing
resolution timeliness, third-party support, performance metrics, and the tools and technologies
used by the IT Service Desk.
METHODOLOGY
We applied various methodologies during the audit process to gather and analyze information
pertinent to the audit scope and to assist with developing and testing the audit objectives. The
methodologies included the following:
• Reviewing relevant audits conducted nationwide and in Canada and comparing
them to baseline best practice standards
• Conducting a survey of 200 users from City agencies that generate high IT Service
Desk traffic to gain an understanding of customer satisfaction with the IT Service Desk
• Evaluating which users have been granted Privileged Access to the ServiceNow
application and knowledge base for appropriateness
• Conducting interviews and walkthroughs with IT Service Desk Tech Leads and
Managers on their understanding of IT Service Desk business processes
• Inspecting the ServiceNow ticketing system to understand the process flow and the
procedure for resolving tickets
• Inspecting the TS Wiki knowledge base to understand the security controls and the
completeness and accuracy of the knowledge shared between IT Service Desk
technicians and subject matter experts
• Consulting best practice standards, including the Information Technology
Infrastructure Library (ITIL) version 3, Federal Information System Controls Audit Manual
(FISCAM), the Government Accountability Office (GAO) Standards for Internal
Control in the Federal Government (the Green Book), and the Project Management
Body of Knowledge (PMBOK)
• Reviewing results from customer satisfaction surveys conducted by the IT Service Desk
• Examining IT Service Desk policies and procedures
13. Timothy M. O’Brien, CPA Page 8
Denver Auditor
• Inspecting contracts, service level agreements, and staffing schedules with third-
party vendors
• Evaluating a sample of tickets opened in 2015 to determine whether they were
resolved appropriately and in a timely manner
• Examining access request tickets opened in 2015 to determine whether they were
approved by appropriate personnel
• Selecting a sample of critical incidents to determine whether notifications are sent to
customers
• Assessing IT Service Desk metrics
• Conducting a benchmarking study of five comparable cities and counties to
determine the staffing ratio for IT Service Desk technicians to city and/or county
employees. We contacted the following cities and counties:
○ City of Seattle, Washington
○ Jefferson County, Colorado
○ City of Albuquerque, New Mexico
○ City and County of Broomfield, Colorado
○ City of Portland, Oregon
14. Page 9 Timothy M. O’Brien, CPA
Denver Auditor
FINDING
The Information Technology Service Desk Provides Quality IT Support,
but Opportunities Exist To Further Enhance its Processes
Based on customer satisfaction data and other analysis, it appears that the City and County of
Denver's (City’s) Information Technology (IT) Service Desk is providing quality customer service,
including during peak times and after hours. However, the audit identified several areas where
Technology Services (TS) can further enhance its customer support operations. First, we found
that TS could provide additional due diligence in selecting and monitoring any vendor that
provides after-hours support. Second, TS could enhance communication between customers
and IT personnel who provide issue resolution. Third, the knowledge base that the IT Service Desk
uses to inform solutions and guide troubleshooting activities is not being routinely reviewed to
ensure that all the information is accurate and current. Finally, TS can enhance the usage of a
new self-service feature for service requests, which could provide a better customer experience
and reduce the demand on the telephone help line, thereby enhancing efficiency. By
addressing these areas, TS will be better positioned to provide accurate, timely, and consistent
resolution of IT issues while continuing to protect the data that resides on the City's network.
The IT Service Desk Provides Quality Support to City Employees
The City’s IT Service Desk is committed to providing outstanding customer service, which they
evaluate through a customer satisfaction survey. Each week, the IT Service Desk sends out
customer satisfaction surveys to thirty randomly selected customers who had an issue resolved
that week. The response rate on the surveys is typically between 5 and 7 percent. Survey
questions ask about the customer’s overall experience;
the technician’s courteousness, professionalism, and
knowledge; and whether the issue was resolved to the
customer’s satisfaction. The audit team reviewed survey
results from responses that were submitted between
May 8, 2015, and December 1, 2015.5 We found that
customers largely responded with positive feedback
about the IT Service Desk. Specifically, 80 percent of
respondents indicated that their technician was
courteous, professional, and knowledgeable and that
their overall experience was very good. Additionally
eighty-nine respondents indicated that the IT Service
Desk resolved their issue. These customer satisfaction surveys are helpful to determine the
effectiveness of the IT Service Desk. Poor customer satisfaction survey results are reviewed by the
Service Manager and then discussed with the technician who handled the issue.
The audit team conducted an additional survey to determine the level of customer satisfaction
of the IT Service Desk customers. We sent the survey to 200 customers residing in agencies that
5 The IT Service Desk began conducting the survey process on May 8, 2015.
Eighty percent of respondents
indicated that their IT Service
Desk technician was courteous,
professional, and knowledgeable
and that their overall experience
was very good.
15. Timothy M. O’Brien, CPA Page 10
Denver Auditor
Table 1: Metrics of IT Service Desk Performance
Performance Measure 2014 Actual 2015 Estimated 2016 Objective
Percent of service desk calls
resolved on first contact
65% 70% 72%
Average call speed to answer
(not to exceed)
60 seconds 45 seconds 43 seconds
Average call abandon rate (not
to exceed)
7% 5% 5%
Customer satisfaction 75% 85% 85%
Source: Mayor’s 2016 Budget
frequently use IT Service Desk. Out of the thirty-one responses we received, thirty respondents
indicated that the IT Service Desk met their expectations.
Survey results are a good indication of how a service desk is performing. The Information
Technology Infrastructure Library (ITIL) is a framework which includes standards of IT components,
including the effectiveness of a service desk. ITIL suggests that customer satisfaction surveys are
helpful for customers to achieve their business objectives6. Poor customer satisfaction surveys
could be an indication that the IT Service Desk is not meeting the demands of its customers and
delivering poor quality. Since the IT Service Desk has received largely positive survey responses,
management can be reasonably assured that the service desk is meeting its business objectives.
Audit work showed that the IT Service Desk maintains high quality customer satisfaction, even
during periods where call volume is high. The customer satisfaction survey results provided by the
IT Service Desk revealed that twenty-six out of thirty respondents who submitted tickets during
high call volumes state the quality of service as “Excellent” or “Very Good.” On average, the IT
Service Desk receives ninety tickets during their peak call time from 8:00 a.m. to 10:00 a.m. Given
this high demand, IT Service Desk management ensures that the service desk is staffed to its
maximum capacity such that customers continue to receive the same high level of support.
The IT Service Desk also uses performance metrics to monitor its performance and ensure a
consistently high level of customer service. Specifically, the IT Service Desk gathers metrics such
as total tickets by agency, method of contact, issue classification, call abandonment, and
excessive hold times. They use this data to identify areas for improvement. Based on
performance trends in 2015, service desk calls resolved on first contact and customer satisfaction
appear to be increasing. Further, average call speed to answer and average call abandon rate
appear to be decreasing. Table 1 includes data regarding these performance metrics and
projections for 2016.
6 ITIL Version 3 – Service Operations, Section 6.2.1
16. Page 11 Timothy M. O’Brien, CPA
Denver Auditor
Metrics like these assist the IT Service Desk manager to help improve the efficient and
effectiveness of the IT Service Desk. For example, the IT Service Desk manager leverages the
features of the Cisco telephone system to direct calls based on technician experience. Calls
about passwords are assigned to service technicians who are less experienced while the more
experienced or lead technicians take calls requiring more knowledge and experience to
resolve. As such, the IT Service Desk is utilizing performance metrics to increase the productivity
of less experienced technicians.
Our audit found opportunities for further enhancing the IT Service Desk’s processes by improving
third-party contract management, notifying customers of ticket status, updating and securing
the knowledge base, and enhancing customer awareness of SupportNow.
Technology Services Can Strengthen Contract Administration Practices for
the Vendor That Provides After-Hours IT Support
City employees have access to IT technical support twenty-four hours per days, seven days per
week. The City employees who staff the IT Service Desk provide support during business hours,
but after-hours support is provided by a third-party vendor. After assessing the contract with the
vendor, the audit team identified several weaknesses that may put the City at risk. First,
Technology Services (TS) has not taken the necessary steps to ensure that the vendor follows
appropriate security practices. Second, TS did not verify that the vendor has the appropriate
data network security or cyber liability insurance. Third, TS has not ensured that the vendor’s
insurance has been kept up to date.
The Vendor for After-Hours IT Support May Not Follow Appropriate Security
Practices
When TS selected the vendor to provide outsourced service desk support after business hours
and on holidays and weekends, they based the decision on multiple criteria including
experience with service desk staff augmentation, company mission and best practices, and
status as a minority/women owned business. TS also took several steps to ensure that City data
accessible by the vendor would be secure. Specifically, the contract requires that the vendor
establish suitable security controls; the IT Service Desk Manager was present on site when third-
party support technicians first began answering calls under the contract; and TS required that all
of the third-party employees undergo background checks and complete Criminal Justice
Information Services (CJIS) security training prior to gaining access to the City’s Safety domain.
Despite these earnest efforts, we determined that the measures did not provide sufficient
assurance, which could have been achieved through a security evaluation of the vendor. We
interviewed TS staff about the vendor selection process, and they were not aware of a security
evaluation being performed as part of the selection process and were unable to identify any
documentation indicating that a security evaluation had been performed.
Furthermore, we discovered that the vendor does not have a Service Organization Controls
(SOC) report, which would provide an acceptable level of assurance.7 A SOC 2 Report,
7 Service Organization Controls (SOC) Reports are issued by an independent Certified Public Accountant. There are three types
of SOC Reports for service organizations: a SOC 1 Report is a report on controls at a service organization relevant to user
17. Timothy M. O’Brien, CPA Page 12
Denver Auditor
specifically, provides information and assurance about the organization’s controls around
security, data confidentiality, integrity, and availability.8 In the absence of a SOC 2 Report, TS
should have considered performing an on-site verification of security practices and a review of
the vendor’s relevant policies. Without a thorough understanding of the security policies and
practices of the third party, there is a risk in granting them access to City data and networks. The
third party indicated that it is planning on issuing a SOC 2 Report by fourth quarter of 2016.
Governments are at risk for data breach through their relationships with vendors. The Federal
Information Systems Controls Manual (FISCAM) addresses this risk specifically:
Governmental and private entities face a range of risks from contractors and
other users with privileged access to their systems, applications and data.
Contractors that provide…services or other users with privileged access to
agency/entity systems, applications, and data can introduce risks to their
information and systems…[and] there are specific risks from…offsite operations.
These risks include a poor patch management process…and inadequate
oversight at an off-site facility.9
To mitigate this risk, FISCAM recommends a variety of control techniques, including reviewing
activities of the third party for compliance with internal policies and procedures, reviewing
reports of operating effectiveness, and ensuring that security requirements are included in the
contracts based on assessment of risk.10
Accordingly, we recommend that TS perform an assessment to ensure that City data and
networks are accessed by the vendor in a secure manner. TS should obtain a copy of the
expected SOC 2 Report and review it for suitability of controls as well as review the
management responses for any exceptions that are noted. Further, TS should perform an annual
review of the vendor’s SOC 2 Reports for the duration of the contract.
Technology Services Has Not Ensured That the Vendor Contract for After-Hours
Support Requires Appropriate IT-Related Insurance
During our review of the third-party vendor contract, we noted that the insurance section did
not contain any provisions requiring data network security or cyber liability insurance. When a
third-party vendor has access to City networks and data, the organization’s Risk Management
team will typically add contract language requiring cyber liability insurance.11 However, the
current contract’s Statement of Work does not clearly specify the access that would be given to
entities’ internal control over financial reporting; a SOC 2 Report is a report on controls at a service organization relevant to
security, availability, processing integrity, confidentiality, or privacy; and a SOC 3 Report is a trust services report for service
organizations.
8 “Service Organization Controls (SOC) Reports for Service Organizations”, AICPA, accessed March 7, 2016,
http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/ServiceOrganization'sManagement.aspx
9 United States Government Accountability Office, GAO-09-232G, “Federal Information Systems Controls Audit Manual
(FISCAM)”, accessed January 28, 2016, pgs. 195-196
10 Ibid., pg. 197.
11 The City’s Risk Management team, which resides in the Department of Finance’s Cash, Risk and Capital unit, evaluates City
contracts for risk and determines the types and amounts of insurance and other risk management controls necessary to protect
City interests.
18. Page 13 Timothy M. O’Brien, CPA
Denver Auditor
the vendor team. Therefore, when performing the risk analysis, the Risk Management team did
not understand the level of access that would be granted and the related risks. Mitigating
factors for this risk include standard contract language specifying that the stated City insurance
requirements are the minimum amount, as well as the vendor obtained data network coverage
for the City. Although the vendor did obtain network security insurance, without contractual
language requiring this insurance the vendor could decide not to renew this insurance in the
future. Cyber liability insurance should be required by the Risk Management team to provide
coverage to the City in the event of a data breach or some other covered event. If a data
breach were to occur through the vendor’s access to City data, the City could face fines and
penalties. According to the International Risk Management Institute:
Cyber and privacy policies cover a business' liability for a data breach in which the firm's
customers' personal information, such as Social Security or credit card numbers, is
exposed or stolen by a hacker or other criminal who has gained access to the firm's
electronic network. The policies cover a variety of expenses associated with data
breaches, including: notification costs, credit monitoring, costs to defend claims by state
regulators, fines and penalties, and loss resulting from identity theft.12
Risk Management has determined that the coverage currently provided by the third-party
vendor through the network security insurance is at acceptable levels, therefore the contract
does not require immediate modifications. However, in the event that the contract with the
vendor is extended or modified, language requiring cyber liability insurance should be added at
that time. The type of Cyber liability insurance that the Risk Management team would like to see
purchased provides coverage for business interruptions, data loss and destruction, computer
fraud, funds transfer loss and cyber extortion.
TS Did Not Ensure That the Vendor for After-Hours Support Has Up-To-Date
Insurance
Audit work examined two key provisions of the contract: the vendor’s security practices that
safeguard City data and systems, and continued insurance coverage requirements. As noted
above, we did not find evidence that a security evaluation was conducted to ensure that the
vendor has designed and implemented appropriate security measures. The original contract
with the vendor included two ACORD insurance certificates, each with a one-year term.
However, we noted that the certificates expired in August 2015, prior to initiation of the audit
work.13, 14
TS, as the contract’s initiating authority, has a responsibility to ensure that contract provisions
continue to be met. For example, TS needs to monitor insurance components of third-party
vendor contracts for continuous compliance and monitor policy effective dates to ensure they
are current. During the course of the audit, we did contact the vendor, who provided updated
insurance certificates. TS likely did not perform this independently because its contract
12 International Risk Management Institute, accessed March 7, 2016, https://www.irmi.com/online/insurance-
glossary/terms/c/cyber-and-privacy-insurance.aspx
13 ACORD (Association for Cooperative Operations Research and Development) is a global nonprofit association working to
improve data quality for the insurance industry. https://www/acord.org/about/pages/default.aspx
14 An ACORD form is an insurance industry standardized form.
19. Timothy M. O’Brien, CPA Page 14
Denver Auditor
administration is informal, and does not allow for more effective contract control and
performance measurement. For example, the organization does not have any personnel serving
in a dedicated contract administration role.
The insurance provisions in City contracts provide coverage to the City if an event occurs that
would be covered under insurance. For example, the Workmen’s Compensation insurance
provides coverage in the event an employee is injured on-the-job. Without adequate insurance
coverage the vendor might not have the resources to cover the liability incurred. This could
result in negotiations or legal actions in order to meet any obligations.
In the absence of a contract administrator we recommend that TS designate a staff member to
monitor and request updated ACORD insurance certificates from the third-party vendor as
needed to ensure that insurance coverage is provided for the duration of the contract as
specified by the contract terms. When the vendor’s SOC 2 Report is issued, TS can review the
report on an annual basis to gain further assurance that the vendor has adequate controls in
place to safeguard City data and networks.
Customers Are Not Informed When a Ticket Is Sent to an Escalation Team
Currently, when a customer submits a request to the IT Service Desk, a ticket is created and the
customer is notified of the ticket number. The customer can then use this ticket number to follow-
up on the status of the resolution. However, for tickets that are escalated to an advanced
support technician or a specialized team within TS, which accounts for approximately 58
percent of all tickets, we found that the customer does not always receive notification. Survey
results conducted by the audit team showed that nine out of thirty-three respondents did not
know that their ticket had been escalated to a different team. It is important for customers to
know when a ticket has been escalated because these issues on average take fifteen days
Figure 4: Average time for the IT Service Desk and Escalated Teams to Close Tickets (in days)
Source: Created by Audit Services Division Staff.
0.9 Days
15 Days
0
2
4
6
8
10
12
14
16
Average
time
(in
days)
to
resolve
an
issue
Agency
IT Service Desk Escalated Teams
20. Page 15 Timothy M. O’Brien, CPA
Denver Auditor
longer to resolve. Figure 4 demonstrates the average time it takes the IT Service Desk to close a
ticket verses other teams within TS once the ticket has been escalated.
Since resolution time can be so much longer, it is important that customer are made aware that
tickets have been escalated. Otherwise they may become frustrated and impatient with the IT
Service Desk, not understanding that the IT Service Desk is no longer the party working to resolve
the issue. Therefore, the tier one technicians should inform customers when a ticket requires
expert troubleshooting or analysis.
Once the escalated teams take on ownership of a ticket, we found that they do not routinely
communicate with customers about the status of their issues. This reduced level of
communication is different from the experience of working with the IT Service Desk. For any
tickets with the IT Service Desk that have been open for three days without resolution,
technicians must follow-up with the customer to update them on the status of the resolution.
Conversely, there are no formal guidelines in place to ensure that customers are receiving
regular updates and target resolution timeframes by an escalated team about the status of their
issue. To establish continuity of service, the IT Service Desk could establish Operational Level
Agreements (OLAs) with the escalated teams regarding acceptable levels of communication
with customers. OLAs serve as guidelines to maintain a consistent delivery approach. They also
establish priorities or benchmarks for service performance. Additionally, they provide a means to
maintain customer communication and feedback to achieve customer satisfaction through to
resolution. Through inquiry with the IT Service Desk Manager, the IT Service Desk and the
escalated teams had agreements in place during prior administrations for customer
communication and timely acknowledgement of tickets. However, this is not the case anymore.
Even though an escalation team’s resolution may take more time, they should be held
accountable to the customer in the same way as the service desk is responsible for a timely
response. This approach to service is supported by ITIL, which specifies that “the continual
service improvement process includes OLAs which are an agreement between an IT Service
Provider and another part of the same organization. An OLA supports the delivery of IT Services
to customers.”15 Therefore, the IT Director should establish formal operational level requirements
between the IT Service Desk and escalated teams, to include expectations surrounding
communication to the client when a ticket has been escalated and providing regular updates
on when resolution may be expected.
The IT Service Desk’s Knowledge Base Contains Out-of-Date Information
and Has Not Been Properly Secured
IT Service Desk Technicians use a knowledge base, called the TS Wiki, for technical information
while resolving the wide variety of IT-related issues encountered by City employees. This internal
website allows users to work collaboratively to edit the content as new issues arise and new
solutions are generated. Using the same body of technical information helps ensure that
Technicians are addressing issues consistently and accurately. Implementing the TS Wiki has
been useful in providing information in a centralized site available to all technicians. Further,
each technician has access to read, update, and create steps for performing tasks,
implementing workarounds, and issuing resolutions throughout the TS Wiki. Subject Matter Experts
15 ITIL Version 3 – Service Operations, Definitions List
21. Timothy M. O’Brien, CPA Page 16
Denver Auditor
(SMEs) are encouraged to create and update content relevant to their respective areas of
expertise and approve content updated by other technicians where appropriate. The result is a
repository of processes and resolutions that are readily available for use by technicians as they
work to resolve tickets. However, we found that this knowledge base is not always accurate and
may pose a security risk.
Information Used To Help Solve Employee IT Issues Is Out of Date
Although the TS Wiki is a convenient and useful tool, which improves technician efficiency, we
found that much of the content in the TS Wiki is out of date. The audit team selected ten
applications with information available on the TS Wiki and contacted the SMEs for each
application to determine whether the information was up-to-date and accurately reflects how
to troubleshoot the application. Out of the ten SMEs contacted, six indicated that the TS Wiki is
out-of-date and does not accurately reflect the current working environment of their respective
applications.
We determined that the Wiki is out of date because TS has not developed a process by which to
maintain and update the content on a regular basis. Best practice in information technology
support emphasizes the importance of providing accurate information to support staff in an
effort to improve issue resolution. Specifically, ITIL explains that it is necessary to provide “first-line
staff with an effective knowledge-base, diagnostic scripts and integrated support tools…, as well
as ongoing training and awareness, so that first-line resolution rates can gradually be
increased.”16
In order to operate to its full potential, the knowledge base should reflect the current operating
environment of the processes and applications contained within the TS Wiki. An out-of-date
knowledge base can result in poor application troubleshooting support and lead to increased
troubleshooting time. Accordingly, TS should develop a process to have SMEs review the TS Wiki,
or other knowledge bases used by the IT Service Desk, on a regular basis to ensure that
information is complete, accurate, and up-to-date.
TS Knowledge Base Is Not Adequately Secured
In addition to determining that some of the information within the TS Wiki is out of date, we also
determined that access to the knowledge base is not appropriately configured. Through our test
work, we concluded that inappropriate access was granted to an employee who did not work
in TS. This individual was able to add, modify, and delete information within the knowledge base.
This individual did not require access to perform his or her job.
The access was granted as a result of human error, as the employee with incorrect access had
the same name as a TS employee, who did require access to the TS Wiki. Best practice in
information technology as provided by ITIL specifies that management should verify every
request for access to an IT service from two perspectives: first, that the user requesting access is
who they say they are, and second, that the person has a legitimate requirement for access to
that service.17
16 Information Technology Infrastructure Library Version 3 – Service Operations, Section 6.2.4.2.
17 ITIL Version 3 – Service Operations, Section 4.5.5.2.
22. Page 17 Timothy M. O’Brien, CPA
Denver Auditor
When seeking to determine how this error was made, we found that TS does not perform
periodic reviews of which users have access to the TS Wiki. If a review of TS Wiki access were
performed, any users with inappropriate access would have been identified and subsequently
removed. Another source of information technology best practices, the Federal Information
System Controls Audit Manual (FISCAM), specifies that security managers should review access
authorizations and discuss any questionable authorizations with resource owners.18
Inappropriate access to the knowledge base by unauthorized personnel can result in a misuse
of data residing on the TS Wiki, which can further lead to incorrect and increased issue resolution
times. By properly confirming access requests as described in ITIL, and implementing a process to
review user access as described in FISCAM, TS Wiki access will operate at a more secure level.
Few City Employees Are Using SupportNow
In October 2015, Technology Services launched a web-based tool called SupportNow that City
employees can use for IT help as an alternative to calling or emailing the IT Service Desk. The
purpose of this tool is to improve the customer experience by adding transparency to the IT
Service Desk process and reduce the volume of calls that are directed to the IT Service Desk.
However, we determined that many customers are not using the SupportNow tool when seeking
IT support.
The audit team conducted a survey of agencies that frequently contact the IT Service Desk to
better understand customer satisfaction. According to the survey results, twenty-two out of thirty-
three respondents indicated that they have not used SupportNow when seeking IT support. We
also looked at data from the IT Service Desk about the number of contacts they received each
month since the deployment of SupportNow by contact type. As shown in Figure 3, from
November 2015 through February 2016, customers most frequently contacted the IT Service Desk
by telephone, and were least likely to use SupportNow. In fact, customers were thirteen times
more likely to call the IT Service Desk than they were to seek support through SupportNow.
Although use of SupportNow appears to be on the rise, most notably in February 2016, it is still
being used significantly less frequently than telephone.
18 FISCAM section AC-3.1.3.
23. Timothy M. O’Brien, CPA Page 18
Denver Auditor
We determined that many employees are not using SupportNow because TS did not effectively
communicate the change to the City. TS has relied on just two formal communications sent to
notify customers about SupportNow. Specifically, in early October 2015, TS sent an initial email
announcement with the release date of SupportNow, explaining some of the new tool’s support
features. Later that month, after SupportNow had been released, a formal communication was
sent out to all City employees, also via email. Until recently, these two emails were the only
methods used to inform the IT Service Desk’s customers about SupportNow and how to access it.
During the course of this audit, we discovered that several months after SupportNow was
introduced the IT Service Desk’s telephone greeting was updated to inform customers about
SupportNow and how to access it, but this message was not added in concurrence with the
launch of the tool.
IT projects such as the launch of a new customer service tool take a lot of time to implement
and often require significant financial and personnel resources. Accordingly, it is important to
communicate and educate customers on the existence of a new tool so that it will be used as
intended. Regardless of how well a project is managed during planning and implementation, if
the intended users are unaware of its existence or are not educated about how to use the end
product, customers will not benefit from the expected features and functionality. Effective
communication to end users during and after a project’s closure is critical to ensure a successful
outcome. This principle is emphasized by the Project Management Body of Knowledge
(PMBOK), which is a recognized standard for project management. PMBOK Section 10.2.2
FIGURE 3: IT Service Desk Contact by Type
Source: Created by Audit Services Division staff.
0
1000
2000
3000
4000
5000
6000
7000
November 2015 December 2015 January 2016 February 2016
Number
of
Tickets
Month
Email
Phone
SupportNow
24. Page 19 Timothy M. O’Brien, CPA
Denver Auditor
recommends that a communications strategy be developed and disseminated using a variety
of methods, such as electronic communications and hard copy document distribution.19
Email communications and telephone messages, like the ones used by Technology Services, do
help to inform customers. However, without a more strategic and robust communications plan,
many customers may miss the communications altogether. In fact, according to the results of
our survey, sixteen out of thirty-three respondents indicated they had no knowledge of
SupportNow. Of those who did pay attention, the communications may not have been sufficient
to change behavior from using telephone or email for requesting IT help to using SupportNow. By
not using SupportNow, customers do not receive the enhanced user experience that allows a
customer to submit a ticket without the need for a lengthy telephone call. If customers are
unaware of this tool, valuable features such as a knowledge base of common answers, ticket
status, technology requests, and no hold times are just a few of the services that will go
underutilized. Finally, since the initial purpose of the tool was to reduce call volume, the IT Service
Desk will continue to receive a large volume of with telephone calls as long as users are not
opting to use SupportNow. Accordingly, Technology Services should develop methods for
increasing the user awareness of SupportNow and develop communication that encourages
customers to use the new tool as a means for getting a quicker response.
19 Project Management Institute, A Guide to the Project Management Body of Knowledge Third Edition, Newton Square, PA,
2004.
25. Timothy M. O’Brien, CPA Page 20
Denver Auditor
RECOMMENDATIONS
1.1 Technology Services should continuously monitor the contract between the IT Service Desk
and the third-party vendor contract for continued compliance with contractual terms,
including verifying that the vendor is maintaining insurance coverage.
Auditee Response: Technology Services will establish a process to periodically review the
contract between the IT Service Desk and the third-party vendor for continued compliance
with contractual terms, including verifying that the vendor is maintaining insurance
coverage. – September 30, 2016
1.2 If the contract with the third-party vendor is renewed, requirements for cyber-liability
insurance should be included in the contract language.
Auditee Response: Technology Services will ensure that requirements for cyber-liability
insurance are included in the contract language during the contract renewal process. -
December 30, 2017
1.3 Technology Services should obtain a copy of the SOC 2 Report from the third-party vendor
upon release and review the report.
Auditee Response: Technology Services will obtain and review a copy of the SOC2 Report or
similar independent audit report from the third-party vendor upon release. – December 31,
2016
1.4 The IT Director should establish formal operational level requirements between the IT Service
Desk and escalated teams, which establish expectations surrounding communication to the
client that a ticket was escalated and providing regular updates on when resolution may be
expected.
Auditee Response: The Director of Service Operations will establish formal operational level
requirements for time to update as well as for providing communication to the client when a
ticket is escalated and regular updates when resolution may be expected. – October 31,
2016
1.5 Technology Services should develop a process to have subject matter experts review the TS
Wiki, and any other knowledge bases used by the IT Service Desk, to ensure that information
is complete, accurate, and up-to date. Additionally, access to the TS Wiki should be
reviewed on a periodic basis in order to monitor access at a more secure level.
Auditee Response: Technology Services has completed the requirements gathering phase of
the Knowledge Base project that will replace the TS Wiki and all other knowledge bases used
by the IT Service Desk. TS will develop a process to have subject matter experts review the
information that populates the new Knowledge Base. In addition, TS will ensure that access
to the new knowledge base is secure and reviewed on a periodic basis. – June 30, 2017
1.6 Technology Services should develop methods for increasing the user awareness of
SupportNow, and develop communication that encourages customers to use the new tool
26. Page 21 Timothy M. O’Brien, CPA
Denver Auditor
as a means for getting a quicker response and making the IT Service Desk function more
effectively.
Auditee Response: Technology Services will create a marketing campaign to increase user
awareness of SupportNow and develop communications that encourage customers to use
the self-service feature as a means for getting quicker response and improving the
effectiveness of the IT Service Desk function. – October 31, 2016