Help Desk Internal Control Questionnaire
Submitted 1/24/99 by Anthony Formosa (firstname.lastname@example.org)
Bank Of Valletta p.l.c

A OPERATIONS

A1 How are incoming calls handled?
* Answered promptly
* Is the number of lines available enough
* Politeness and courtesy while handling calls
* Patient in listening to problem
* Focusing attention only on call being attended to
* Logging of problem up to eventual solving of the problem.
A2 Are procedures in place to ensure that all client queries are adequately registered by Help Desk?
A3 Is a logging system used to register requests for service?
A4 Is this process of logging of problems and requests from branches for service adequate?
A5 Do procedures relate to problem receipt, registration and logging, tracking and follow-up, escalation and timely resolution of user problems/requests for service?
A6 Do procedures ensure that client queries which cannot be immediately resolved are appropriately escalated within IT for timely follow-up?
A7 Is the time frame for clearing queries adequate?
A8 Are queries cleared in a timely manner? Are there any long outstanding queries? What action is being taken on these long outstanding queries?
A9 Are procedures in place which assure adequate reporting with regard to customer queries and resolution, response times and trend identification?
A10 Are incoming help requests classified into separate priorities? E.g. Level A (most important) to Level C (least important), taking care of Level A problems within a few hours or at most a day.
A11 What tools/techniques are used to enhance productivity?
A12 Are there sufficient resources (staff, hardware, etc.) to provide for efficient resolution of problems?
A13 Is the number of people at the Help Desk section adequate for the daily needs of the section? Number of personnel at Help Desk?
A14 Are available resources effectively used to resolve problems in the most effective and cost efficient manner possible?
A15 For which of the following tasks is the help desk service responsible?
* providing computing systems
* repairing / adjusting users
* ordering equipment
* user training
* software applications queries
* statistical/management reports
* installing software
* IT hardware inventory
* other (password changes)
A16 Are users of the Help Desk Function required to follow a specific procedure in approaching/contacting Help Desk?
A17 What means are used at the Help Desk in order to solve problems?
* Product instruction manuals
* Reference sources - printed/online
* Expert system
* Call logging / tracking software
* Staff expertise
* Other
A18 Do staff work at the Help Desk:
* exclusively
* on a rotational basis
* while performing other duties
A19 At one time, how many staff:
* only answer phones?
* only resolve problems?
* answer phones and resolve problems?
A20 Approximately, how many calls are received daily?
A21 Approximately, what percentage of calls:
* are solved at the first call?
* require further analysis?
A22 Is the area allocated for Help Desk within ITSD, and the physical arrangement, adequate and sufficient to promote productivity?
A23 Is furniture and equipment adequate and sufficient? Are there enough PCs, printers, and sufficient room to place manuals, working notes, etc.?
A24 Is the area allocated to Help Desk quiet? Is there some form of sound proofing? (The job of help desk is stressful - to help relieve some of the stress, a quiet area should be created.)
A25 Are Help Desk infrastructure requirements adequate?
* Are wireless headsets used rather than hand-held phones (hands need to be free to access manuals or computer keyboards)?
* Is a single telephone number in use for customers to dial?
A26 Are hours of operations adequate? (during normal business hours and outside office hours i.e. Saturdays and afternoon Exchange Bureaux Service)? Mobile Telephone?
A27 Briefly, what do you perceive as the major problem(s) facing the help service, or ways in which service can be improved?
A28 Which are the three most common problems handled daily by Help Desk?
* ATM Problems
* Beam Enquiries
* Cashlink Enquiries
* Diskette Request
* Report Requests
* Hardware Request
* Software Request / Installation
* Statement / Laser Librarian Request
* Hardware Faults
* Network Problems
* Software Problems / Scanning for Virus
* Communication Problems
* Other (state which)
A29 Is it possible to identify regular hardware/software faults? users' processing requirements?

B ADMINISTRATION

B1 Are Bank Personnel policies in force?
* Vacation
* Performance Reviews
* Overtime
B2 Is sufficient personnel documentation available?
* Job descriptions
* Attendance records
* Contract
B3 Are there any indications of personnel problems?
* Correct staffing level
* Excessive overtime
* Excessive lateness/absenteeism
* Staff turnover
B4 Are staff required to have a certain level of expertise before joining the Help Desk?
* Help Desk experience
* IT/computer experience
B5 Are staff at Help Desk properly trained with appropriate expertise? What specific training do staff receive for working at Help Desk?
* Training in systems support
* On the job training
* Telephone Communication skills
* Others
B6 Do staff have good communication skills, customer service experience and an ability to handle stress?
B7 Is management training conscious?
* Training goals, objectives
* Library
* Periodicals
* Course literature

C BACKUPS AND DISASTER RECOVERY PLAN

C1 Are backups effected regularly?
C2 Are backups stored off-site?
C3 Have restoration exercises from the backups been effected?
C4 Is a Contingency Plan in place and is it sufficient to assure continuity of operations?
C5 Is a copy of all necessary documentation held at the off-site location? E.g. reference manuals for all the Bank's systems.
C6 Does the Disaster Recovery Plan take into account maintaining communications with callers and routing problems where necessary to other ITSD personnel?
C7 What happens in the event that telephone lines are not available at Help Desk?

D APPLICATION ACCESS CONTROLS

D1 Will the system prevent users from activating sensitive utility programs/data held?
D2 Will the system prevent unauthorised access to and/or manipulation of data held?
D3 Is sensitive data protected from unauthorised access? i.e. password file encrypted.
D4 Does a review of the user list reveal any personnel who should not have access to the system?
D5 Are any fictitious names used?
D6 Is a user locked out of the system after a set number of unsuccessful attempts? 3 unsuccessful attempts.
D7 Are these attempts logged?
D8 Are passwords echoed on the screen at input stage or any other stage?
D9 Do passwords have to be changed after any length of time? 30 days.
D10 Are password lengths in accordance with normal bank policy? Password length, unique ID and Password.
D11 Are passwords kept secret and not disclosed or written down anywhere?
D12 Is there a facility to extract a print-out of user ids?
D13 What is the maximum number of users that can be created on the system?
D14 Is the system adequate for present and future needs of Help Desk?
D15 Has a review of the user list revealed personnel who have been given more than one user id?
D16 Are rights assigned to users commensurate with their grades and requirements?
D17 When logging transactions does the system record adequate details for audit trail purposes?
D18 If a user logs on and leaves the workstation unattended, does the system automatically lock the PC to prevent other users gaining access?
D19 In the absence of such a feature, what organisational controls are in place to prevent such a situation?
D20 Have all system security features been implemented? If not, are there plans to implement them?
D21 In respect of the number of authorised users on the system, has the Bank complied with the supplier's instructions?
D22 Is the system user friendly and efficient, and is the system flexible to business requirements?
D23 Who designed the system?
D24 Does the system meet the daily needs of the Help Desk Function?
D25 What data types are input into the system?
* Date of Call
* Time of Call
* Call Number
* Branch/Department
* Person Placing Call
* Priority
* Problem Type (Software / Hardware / etc.)
* Problem Description
* Help Desk Staff attending to call
* Problem Status (Open / Escalated / Solved)
* Person to whom problem was escalated
* Date problem was escalated to someone else
* Date problem was solved
* Others (state which)
D26 Are the data entry fields sufficient / enough?
D27 Are there any enhancements / improvements which the user wants to make to the system and which would facilitate his/her daily work?
D28 Does the system provide adequate reporting options to assist Help Desk monitor problem trends? E.g. reports of errors by branch / frequency of a particular problem.
D29 Is the system Year 2000 competent?
D30 Is there adequate / sufficient system documentation?

Audit Area: Help Desk
Columns: Ref. | Internal Control Questionnaire | Technique | Y/N | RCW | W/P Ref | Remarks | Risk Evaluation
Technique:- Observation = obs, Compliance/Substantive Test = Com/Sub, Review = Rev. Discussion = Dis.
Risk Evaluation = H - High, M - Medium, L - Low