Assess customer satisfaction.

UCF ID: 00652
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

COSO Enterprise Risk Management (ERM) Integrated Framework (2004), Pg 69; FFIEC IT Examination Handbook – E-Banking, August 2003, Obj 1.5, Obj 4.3; FFIEC IT Examination Handbook – Management, Exam Obj 7.4; FFIEC IT Examination Handbook – Operations, July 2004, Pg 39; CobiT, Version 4.1, ME1.2; The Standard of Good Practice for Information Security, CB1.1.3, CB1.2.3, CB1.3.3, SD3.2.4, SD3.3.4, SD3.4.4; IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005, § 6.2.3; OMB Circular A-123 Management’s Responsibility for Internal Control, § III (Clinger-Cohen Act of 1996); Technology Risk Management Guide for Bank Examiners – OCC Bulletin 98-3, ¶ 36

Sarbanes Oxley Guidance

[Pg 69, COSO Enterprise Risk Management (ERM) Integrated Framework (2004)]

The organization should measure its information technology performance. These measurements should assess how well the information technology supports the organization. [§ III (Clinger-Cohen Act of 1996), OMB Circular A-123 Management’s Responsibility for Internal Control]

Banking and Finance Guidance

[Obj 1.5, Obj 4.3, FFIEC IT Examination Handbook – E-Banking, August 2003]

[Exam Obj 7.4, FFIEC IT Examination Handbook – Management]

Management should review the metrics to assess customer satisfaction. [Pg 39, FFIEC IT Examination Handbook – Operations, July 2004]

US Federal Security Guidance

Bank management should develop and maintain a plan to ensure that key employees and vendors have the expertise and skills to perform necessary functions and that they are properly trained. Management should allocate sufficient resources to hire and train employees and to ensure that adequate back-up exists if a critical person leaves. Training may include technical course work, attendance at industry conferences, participation in industry working groups, as well as time allotment for appropriate staff to keep abreast of important technological and market developments. Training also includes outreach to customers to ensure that a bank's customers understand how to use or access a bank's technology products and services and that they are able to do so in an appropriate and sound manner. [¶ 36, Technology Risk Management Guide for Bank Examiners – OCC Bulletin 98-3]

General Guidance

The organization should define, implement and maintain standard procedures for IT operations and ensure the operations staff is familiar with all operations tasks relevant to them. Operational procedures should cover shift hand over (formal hand over of activity, status updates, operational problems, escalation procedures and reports on current responsibilities) to ensure continuous operations.
The organization should ensure that IT management, working with the business, defines a balanced set of performance objectives, measures, targets and benchmarks, and has them signed off on by the business and other relevant stakeholders. Performance indicators should include:
• Business contribution including, but not limited to, financials
• Performance against the strategic business and IT plan
• Risk and compliance with regulations
• Internal and external user satisfaction
• Key IT processes including development and service delivery
• Future-oriented activities, for example, emerging technology, reusable infrastructure, business and IT personnel skill sets
Processes should be established to collect timely and accurate data to report on progress against targets.
[ME1.2, CobiT, Version 4.1]

The customer-related impact of the loss of availability of the system, products, services, etc., the disclosure of confidential information, and/or the accidental or deliberate manipulation of data should be analyzed for its impact on the organization in terms of loss of customers, damaged reputation, loss of confidence, and possible delayed deliveries. [CB1.1.3, CB1.2.3, CB1.3.3, SD3.2.4, SD3.3.4, SD3.4.4, The Standard of Good Practice for Information Security]

UK and Canadian Guidance

Customer satisfaction should be measured to enable the service provider to compare performance with customer satisfaction targets and previous surveys. The scope and complexity of the survey should be designed so customers can respond easily and without excessive time being required to complete the survey accurately.
After assessing the customer satisfaction levels, if management finds significant variations in customer satisfaction, the reasons should be investigated and understood. Trends or other comparisons should only be made on comparable satisfaction questions and across comparable sampling methods. The document also advises that the results and conclusions of customer satisfaction surveys should be discussed with the customer.
[§ 6.2.3, IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.