Compliance Check of the Compliance Requirements of the IT Services Department

General Audit Information
Coverage: IT Services
Auditor: Sandra Meier
Audit planned date: 2019/08/14
Audit execution date: 2019/08/21
Audit type: Process audit
Audit status: open

Examination of the processes for the implementation of the EU data protection regulation.


Results

The audit was carried out in accordance with the previously communicated audit plan.

The inspection of the server rooms scheduled for the 2nd day of the audit had to be canceled due to time constraints. Therefore, a catch-up date for August 2019 has been scheduled.

All planned aspects were adequately discussed.

Considered aspects of the regulations

  • Context of the organization and interested parties
  • Dealing with risks and opportunities
  • Operational processes of IT service, process landscape, interfaces and ticket system
  • Identification and systemisation of binding commitments
  • Evaluation of performance and improvement
  • Application of operational ticket processes and compliance
  • Training and knowledge of the organization
  • Communication
  • Document control
  • Order processing
  • Work and test equipment
  • Evaluation of service providers / contractors
  • Production / performance
  • CIP issues


Conclusion

As part of the internal audit, the IT service was audited.

Within the scope of the internal audit, numerous positive findings were made. This applies in particular to the team leadership, whose active leadership has a positive impact on the implementation of processes and measures, such as the handling of the ticket system "Easy Redmine". The employees are actively informed and trained by the executives.

Many requirements and processes from the management systems are actively implemented and are easy to understand.

Individual results

Communications

The staff were trained on the change in the process documentation and on how to use the Easy Redmine software (group training of April 10, 2018). The training presented the Easy Redmine process overview and individual company processes. The audited employees are familiar with Easy Redmine.

As an example, the request process was audited.

Based on the message "Contact request personal data" dated 3 May 2018, the process flow in Easy Redmine was verified. The process was easy to follow and met the requirements of the ticket system documentation in the IT service manual. The necessary steps in processing the request were carried out properly.

Further documents viewed:

  • Training certificate Rüdiger Strauß from April 10, 2018 (area related processes / Easy Redmine)
  • Proof of permissions Mr. Rüdiger Strauß

SW-analysis

Summary of strengths, weaknesses and potential for improvement

Positive

  • Active leadership by the team lead
  • Many requirements from the management systems are already being implemented
  • Employees are also trained in documentation and process requirements (e.g., Easy Redmine)
  • Exemplary compliance management in the entire enterprise

Potential for improvement

  • Dealing with risks and opportunities as well as process management must be further developed and systematized.
  • Integration of external consultants (mainly legal advice).





