
Page 1: Internal Audit Report - soundtransit.org 180315 IT... · Internal Audit Report . IT Asset Management Audit. Report Number: 2018-03 | Report Date: March 7, 2018 . ... • Agency System

Internal Audit Report

IT Asset Management Audit

Report Number: 2018-03 | Report Date: March 7, 2018


Executive Summary

Audit Report No.: 2018-03 | March 7, 2018

WE AUDITED the current IT Asset Management process to determine whether the division has effective controls in place.

WHAT DID WE FIND? Organizations with effective and efficient processes for IT Asset Management (ITAM) achieve stronger alignment between IT and the business, better management of business risk, prevention of disruption or failure, reduced costs through improved use of resources, and a more stable service environment to support constant business change. The agency's ITAM manages the physical/virtual, financial, and contractual information of each IT asset as it moves through its lifecycle. It is the primary point of accountability for the lifecycle management of IT hardware and software assets throughout the Agency. Sound Transit ITAM is a decentralized process in which each IT business unit is responsible for recording and maintaining its assets and asset information. At the time of the audit, IT capital assets totaled $29.2M, comprising roughly 114 hardware and 49 software assets. The audit concluded that the agency lacks effective IT asset management controls. Asset definitions, staff roles/responsibilities, and configuration attributes are too incomplete to reasonably ensure the integrity of the IT assets.

AUDIT OBJECTIVE was to determine whether the agency has effective controls to ensure:

• Policies and procedures provide a concrete definition of IT assets based on relevant criteria to enable the complete identification of all IT assets

• Roles & responsibilities of staff involved are clearly defined at the process level

• IT asset data attributes are closely aligned with IT lifecycle (including change and configuration) management

The audit examined management controls in place as of December 2017.

Jack Hutchinson, CPA, CIA, CISA Internal Audit Director


Table of Contents

Executive Summary ........ i
Background ........ 1
Audit Objectives ........ 2
Scope and Methodology ........ 2
Conclusion ........ 3
Findings and Recommendations ........ 4
1. Agency IT Asset Management (ITAM) System Lacks Discipline and Controls ........ 4


INTERNAL AUDIT DIVISION AUDIT REPORT

IT Asset Management Audit

1

Background

The IT function falls under the umbrella of Finance & Information Technology (FIT), led by the Chief Information Officer, who formerly reported to the CFO but currently reports to the Deputy CEO. IT plays an important role in Sound Transit operations and is an essential component of the organization's strategy to address the challenges of increasing services and productivity for the benefit of employees, external users, and the public. Sound Transit as an Agency has grown tremendously over the last decade, and the need for a more holistic and proactive approach to managing IT assets with respect to risk, cost, control, governance, compliance, and business performance objectives is ever more present, especially with the ST3 extension. IT has grown from 75 approved full-time positions in 2015 to 81 and 94 roles in 2016 and 2017, respectively. The plan for 2018 is to reach 110 full-time positions. In 2017, IT operated with a total budget of $27M, representing $6.7M in capital projects and $20.7M in operating budget. IT supports the day-to-day operations of the Agency through the maintenance and support of software, hardware, and technology infrastructure. IT provides services in two broad categories of systems:

• Agency System or Corporate System – Administrative systems utilized by internal staff and agency business users

• Transit and Rider Systems – Web systems and data services utilized by ST riders and the public

The agency's IT asset management system oversees the physical/virtual, financial, and contractual information of each IT asset as it moves through its lifecycle. It is the primary point of accountability for the lifecycle management of IT hardware and software assets throughout the Agency. The following table gives a summary of IT capitalized assets.

Asset Type    2015: Count*  Amount        2016: Count*  Amount        2017: Count*  Amount
Hardware      112           $8,043,478    114           $8,203,278    114           $8,203,278
Software      51            $18,460,378   49            $20,992,902   49            $20,992,902
Total         163           $26,503,856   163           $29,196,180   163           $29,196,180

Source: 2015 & 2016 data based on Fixed Asset group support provided. Year 2017 wasn't closed at the time of audit.

*Assets are aggregated in the fixed asset module of the financial system.


Audit Objectives

To determine whether the agency has effective controls to ensure:

• Policies and procedures provide a concrete definition of IT assets based on relevant criteria to enable the complete identification of all IT assets

• Roles & responsibilities of staff involved are clearly defined at the process level

• IT asset data attributes are closely aligned with IT lifecycle (including change and configuration) management

Scope and Methodology

We conducted this performance audit in accordance with Generally Accepted Government Auditing Standards and the International Standards for the Professional Practice of Internal Auditing. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

We gained an understanding of IT Asset Management processes through data analysis, documentation reviews, and personnel interviews. We identified risks in the processes and assessed the management controls in place to mitigate those risks. Based on that assessment, we focused on the fundamentals of an IT asset management system: concrete IT asset definitions, roles & responsibilities of staff, and the alignment of IT asset data attributes with IT lifecycle management. We examined policies, procedures, processes, and records as of December 2017. The scope of the audit was limited to operations directly under the control of IT. As such, operational technology, transit and rider systems, and small and attractive assets are not included in the scope.

To determine whether the agency has effective controls over non-revenue vehicles inventory, operating costs, and utilization, we performed the following procedures:

1. To determine whether the agency has effective controls to ensure that policies and procedures provide a concrete definition of IT assets based on relevant criteria to enable the complete identification of all IT assets, we performed the following procedures:

a. We reviewed all applicable agency policies/procedures, including ones under development, and IT industry best practices (e.g., COBIT, ITIL).

b. We reviewed process-level documentation to identify compliance requirements for IT assets.

c. We performed process walkthroughs to identify IT assets with different process owners.

d. We selected 35 asset purchases totaling $1.4 million to test whether management asset lists are complete. The selection was based on transactions from: 1) capital accounts, 2) non-capital IT vendor purchases, and 3) IT items under $5,000.

2. To determine whether the agency has effective controls to ensure that roles & responsibilities of staff are clearly defined at the process level, we performed the following procedures:


a. We conducted management interviews to identify documentation defining roles & responsibilities.

b. We performed walkthroughs to review the current IT asset processes for completeness, consistency and proper documentation.

3. To determine whether the agency has effective controls to ensure that there is close alignment of IT asset data attributes with IT lifecycle (including change and configuration) management, we performed the following procedures:

a. We reviewed policies/procedures, including ones under development, and IT industry best practices to identify a set of commonly used configuration attributes.

b. We tested the current hardware and software asset configuration attributes against the set of commonly used configuration attributes for completeness.

c. We performed walkthroughs of the current IT change management processes.

Conclusion

The agency lacks effective IT asset management controls. Asset definitions, staff roles/responsibilities, and configuration attributes are too incomplete to reasonably ensure the integrity of the IT assets. See Finding #1.


Findings and Recommendations

1. Agency IT Asset Management (ITAM) System Lacks Discipline and Controls.

An ITAM is a process to gather and maintain a detailed set of information about assets. According to ITIL, a framework of best practices for delivering IT services, an ITAM is necessary to effectively manage assets throughout their lifecycle. A well-functioning ITAM provides information essential in securing IT infrastructure, eliminating waste, making the best use of current resources, and improving efficiency.

Sound Transit ITAM is a decentralized process where each IT business unit is responsible for recording and maintaining assets and asset information. Whether centralized or decentralized, all effective ITAM systems share certain defining features that make the system an indispensable tool. The audit noted that the agency’s current ITAM lacks certain defining features of an effective ITAM, as follows:

Incomplete Asset Inventory Listing

A complete inventory is the foundational building block of any ITAM system and a prerequisite to effective asset controls. IT functions such as lifecycle management and strategic/tactical decisions simply cannot be effective or efficient without knowing the universe of assets. Because the agency's ITAM system is decentralized, completeness is even more critical. However, the audit observed a high degree of incompleteness in the hardware and software listings, as noted below, due to incomplete asset definitions, inconsistent processes, and inaccurate roles & responsibilities around IT asset management.

• 8 assets, or 40% of a sample1 of 20, weren't located in either the hardware or the software inventory listing.

• 4 software assets, or 50% of a sample1 of 8 software assets, weren't found in the business owner inventory listing.

Unlike capital assets for financial reporting purposes, the IT assets that need to be tracked are not determined solely on the basis of purchase amount or number of service years. Whether an IT asset needs to be inventoried and tracked is a question of how the asset functions in the organization's IT landscape and how it is utilized by end users. For example, the make and model of a dedicated firewall need to be tracked so that device-specific vulnerabilities can be identified when they are disclosed, and a productivity software program needs to be tracked to identify the total number of users for licensing fees.

Best practices suggest tailoring IT asset definitions to the specific needs of the organization. While tailored definitions would offer guidance to help the staff who record assets make informed decisions on how to record them correctly and consistently, existing procedures do not provide such definitions. There appears to be a general understanding of which assets are to be tracked, but in the absence of specific guidance, each group has been using its own ad-hoc definitions and processes. An incomplete asset listing is not conducive to effective and efficient asset utilization and optimization. Less than complete information necessitates non-value-add processes (i.e., inefficient use of resources and time) to compensate for the lack of a complete list, and it makes management processes reactive, rather than proactive, to IT risks.

For an IT asset strategy to be successful, the agency needs to clearly define roles and responsibilities in order to direct and guide the staff who undertake the processes and activities. Management has been working on policies and procedures related to IT assets, but they had not been implemented at the time of the audit. Specific guides outlining roles/responsibilities were non-existent for the current roles. Clear definitions of accountability and responsibility are essential for effective asset management. Whatever the structure, centralized or decentralized, IT organizations need to ensure that relevant roles are identified, documented, assigned, and regularly reviewed, taking into account constraints and the size, nature, and needs of the business and its customers, service offerings, and processes.

1 Samples included selections from capital accounts, non-capital IT vendor purchases, and IT purchases under $5,000 as described in the Scope & Methodology section.

Other documents related to ITAM are being developed as well such as process level documentation. However, current processes are inconsistent and there was no documentation available at the time of audit.

Incomplete IT Asset Attributes

Asset or configuration attributes are a set of data points about assets (e.g., serial number) and about how the assets are implemented and maintained (e.g., purchase amount, last patch date). Properly maintained attributes provide up-to-date information on the current asset status, which in turn facilitates effective asset management.

The audit reviewed the attributes currently in use against the configuration attributes that management has put together for future implementation. The review noted that a number of lifecycle management attributes, from acquisition to disposal, are missing. The asset acquisition date, for example, isn't tracked, making it impossible to determine how many assets were purchased in a given past period.

Overall, approximately 80% of the attributes to be implemented in the future aren't tracked currently. Specifically, audit tests noted the following:

• Out of 45 total infrastructure hardware attributes, IT isn't tracking 38 (84%).

• Out of 49 total infrastructure software attributes, IT isn't tracking 40 (82%).

• Out of 49 total software attributes, IT isn't tracking 36 (73%).

o The 13 attributes currently being tracked are not always populated. For example, the "IT Business Owner," "IT Budget Owner," and "ST Dept" attributes were 74%, 77%, and 74% blank, respectively, for software assets in the December 2017 asset listing.

Missing attributes complicate financial, operations and security planning as management struggles with incomplete information. The agency’s ability to make informed decisions becomes more dependent on unstructured institutional knowledge, resulting in inconsistent and fragmented lifecycle management practices. Moreover, without readily available information, staff expends extraneous and often duplicate efforts to seek and compile information that should already exist.


Recommendations: We recommend IT management:

• Design and implement an IT asset management system

The following specific procedures are suggested for management consideration:

o Refine the asset definition to facilitate efficient management practices

o Define IT critical assets

o Identify applicable compliance requirements and include them as attributes

o Define roles and responsibilities of IT business owners

o Formalize ad-hoc practices into specific procedures

o Reconcile asset lists against service manager tickets at regular intervals

o Revisit attributes to ensure continuing relevancy and to identify additional future needs

o Define & document the processes & controls in place for IT asset lifecycle, change/configuration management, asset tracking and reporting, asset identification, etc.
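The two tests behind this finding, checking purchases against the inventory listings for completeness and measuring how often tracked attributes are left blank, and the recommendation to reconcile asset lists at regular intervals, can be automated once the listings are exportable. The script below is an added illustration written for this page; it is not code from the audit report or from Sound Transit. The purchase records, the two listings, the serial-number join key, and the attribute names used as column headers are constructed assumptions for the example.

```python
"""Added example: reconcile purchase records against decentralized asset
listings and measure attribute completeness. All data is constructed."""
from collections import Counter

# Constructed sample: purchase transactions exported from the financial system.
# The serial number is assumed to be recorded at purchase and in every listing.
PURCHASES = [
    {"po": "PO-1001", "description": "Core firewall appliance", "serial": "FW-A1"},
    {"po": "PO-1002", "description": "Hypervisor host", "serial": "HV-77"},
    {"po": "PO-1003", "description": "Backup software licence", "serial": "LIC-BK-3"},
    {"po": "PO-1004", "description": "Storage array", "serial": "SA-12"},
    {"po": "PO-1005", "description": "Project tracking software", "serial": "LIC-PT-9"},
]

# Constructed sample: two listings kept separately by different IT units.
HARDWARE_LISTING = [
    {"serial": "FW-A1", "IT Business Owner": "Network", "IT Budget Owner": "", "ST Dept": "IT"},
    {"serial": "SA-12", "IT Business Owner": "", "IT Budget Owner": "", "ST Dept": ""},
]
SOFTWARE_LISTING = [
    {"serial": "LIC-BK-3", "IT Business Owner": "", "IT Budget Owner": "", "ST Dept": ""},
]

# Attributes the finding singles out as frequently blank.
OWNER_ATTRIBUTES = ("IT Business Owner", "IT Budget Owner", "ST Dept")


def unlisted_purchases(purchases, listings):
    """Return purchases whose serial appears in none of the listings.

    Serials are normalised (trimmed, upper-cased) so that a listing entry
    typed slightly differently does not produce a false 'missing' result.
    """
    known = {
        str(rec.get("serial", "")).strip().upper()
        for listing in listings
        for rec in listing
    }
    return [p for p in purchases if p["serial"].strip().upper() not in known]


def blank_rates(records, attributes):
    """Fraction of records with an empty value for each attribute.

    This is the measure behind the '74% blank' style figures: a column that
    exists in the listing but is rarely filled in is not really tracked.
    """
    if not records:
        return {a: 0.0 for a in attributes}
    blanks = Counter()
    for rec in records:
        for a in attributes:
            if not str(rec.get(a, "")).strip():
                blanks[a] += 1
    return {a: blanks[a] / len(records) for a in attributes}


def untracked_attributes(required, tracked):
    """Attributes in the target set that no listing records at all."""
    missing = sorted(set(required) - set(tracked))
    return missing, len(missing) / len(required) if required else 0.0


def completeness_report(purchases, listings, attributes):
    """Combine the inventory and attribute checks into one periodic report."""
    missing = unlisted_purchases(purchases, listings)
    all_records = [rec for listing in listings for rec in listing]
    return {
        "missing": [p["serial"] for p in missing],
        "missing_pct": 100.0 * len(missing) / len(purchases) if purchases else 0.0,
        "blank_rates": blank_rates(all_records, attributes),
    }


if __name__ == "__main__":
    report = completeness_report(PURCHASES, [HARDWARE_LISTING, SOFTWARE_LISTING], OWNER_ATTRIBUTES)
    print(f"Purchases not in any listing: {report['missing']} ({report['missing_pct']:.0f}%)")
    for attr, rate in report["blank_rates"].items():
        print(f"  {attr!r} blank in {rate:.0%} of records")
```

Run on a schedule against fresh exports, the "missing" list is the reconciliation exception report a decentralized ITAM needs, and the blank-rate table shows which attributes are tracked in name only. The join key is the weak point: if purchases and listings do not share a reliable identifier, reconciliation has to fall back to fuzzy matching on description, which is exactly the non-value-add effort the finding describes.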

Management Response: Management agrees with the finding and seeks to clarify the degree to which controls are lacking. In recognition of issues like those outlined in the report, IT Leadership had already prioritized and initiated a program in March of 2017 to improve Sound Transit's IT Service Delivery practices in alignment with industry standards (ITIL v3 and CoBIT 5). IT Asset Management is only one of the many aspects of this complex, multi-year program. When the audit was conducted, significant progress had been made on the high-level design of core processes, but none of the processes was implemented in production. As such, the future state processes related to IT Asset Management were not ready to be evaluated as production processes. The documentation provided throughout the course of the audit included information on both the current state at the time of audit, as well as the designed future state. In some areas, the report evaluates against planned future state vs. previous accepted practice. Specifically, while management agrees that a full ITIL based IT Service Delivery practice would include a more comprehensive list of asset-specific attributes, that was not the standard at the time of the audit. The amount and quality of the asset attributes tracked had previously been deemed sufficient. This perception is supported by the absence of identified insufficiencies in the number of attributes tracked in previous audits. Going forward, management agrees to implement an expanded list of attributes as identified in the future state design documents. The overarching IT Service Delivery program extends well beyond Asset Management to include all core areas of IT Service Delivery, as Management recognizes that no sustainable, effective solution can be achieved without taking a strategic approach that includes people, process and technology components.

The recommendations contained in this report specific to IT Asset Management will be incorporated into the existing plans as deliverables. The mitigation plan for the findings in the report to be implemented by Management is structured as follows:


Phase 1: Implementation of immediate corrective actions. Following receipt of the report, Sound Transit IT has initiated immediate corrective measures to mitigate the impact of the findings. Such measures include:

• Accelerating the rollout of items pertaining to asset definitions, and assignment roles and responsibilities encompassed in the master IT Service Delivery overhaul project plan

• Communicating the asset definitions, roles and responsibilities to all Service Owners, and facilitate implementation through the change enablement effort that is part of the IT Service Delivery project

• Immediately initiating work on the planned documentation of work-level instructions that reflect the process flow and controls that have been incorporated in the future state design of the IT core Service Delivery processes, as well as all IT Services (in the documented Service Catalog) that impact the quality of IT asset records

• Conducting periodic spot checks on the different records repositories currently used to track IT assets, to ensure data quality issues can be promptly addressed

It is the sense of Management that these corrective actions supported by the findings in this report will adequately mitigate the impact to the agency until the Phase 2 activities have been completed.

Phase 2: Implementation of process and tool improvements and controls. In order to effectively address the core problem that leads to the risks highlighted in the report, Management will structure its mitigation plan based on the following high level milestones:

a. Continue and complete the overhaul of its IT Service Delivery practices. As previously mentioned, IT is currently conducting a complete redesign of its Service Delivery practices, to address structural problems that may be impacting record quality, incorporate proper controls into any activities with an impact on the lifecycle of IT assets, and ensure end-to-end definition of all IT Services and core delivery processes. The effort includes process design, documentation, and change enablement components to facilitate adoption and ensure process stability.

Owner: Chief Information Security Officer (CISO)
Target completion date: Phase 1: December 31, 2018. Phase 2: December 31, 2019

b. Engagement of the Audit Support Service from ST Information Security. IT has engaged the newly-created Audit Support function from Information Security, to provide subject matter expertise in process engineering, control set development, as well as tracking the implementation status of the respective mitigation plan.

Owner: Chief Information Security Officer (CISO)
Target completion date: COMPLETE

c. Addressing record quality issues and consolidating record repositories. Management will roll out a new, enterprise-grade IT Service Management platform (currently undergoing competitive procurement), which will serve as a single record repository for IT assets and support all activities that affect the lifecycle of the assets. The use of an adequate, centralized IT asset repository that is integrated into IT Service Delivery activities will increase record quality, avoid record conflicts, enable IT to collect relevant information on asset attributes, and support lifecycle management activities. As part of the rollout of this platform, a records audit and reconciliation will take place to ensure data quality.

Owner: Chief Information Officer (CIO)
Target completion date: October 31, 2018