Telecommunications Audit Summary

Last Modified Sunday, 17-Aug-1997 17:05:07 PDT

BY
Slemo Warigon
ALL RIGHTS RESERVED; RESTRICT DISTRIBUTION

We completed an audit of the telecommunications function at [organization] in November 1994. The issues discussed here might be helpful to anyone who is currently conducting, or plans to conduct, an operational audit of the telecommunications function.

Text included below is lengthy. Background information is necessary to get a better picture of the audit issues and concerns addressed in the later portions of the text. One can't grasp the enormity of an elephant by looking at its tail alone!

AUDIT OBJECTIVES

The telecommunications function at ETSU was audited to determine the effectiveness and efficiency of operations. Specifically, operational activities were reviewed to determine whether the function implemented proper internal controls to provide reasonable assurance that:

SCOPE OF AUDIT

The audit was conducted in accordance with Generally Accepted Information Systems Auditing Standards. In performing the audit, we used the 1992 edition of "Control Objectives: Controls in an Information Systems Environment - Objectives, Guidelines, and Audit Procedures" issued by the ISACA; the "Telecommunications: Detecting and Preventing Fraud" audit manual published by the IIA; and the SAC's Telecommunications Module published by the IIA. Audit scope included the following:

AN OVERVIEW

Telecommunications is generally defined as the series of mechanical, electrical, and electronic activities that enable people and machines to communicate with each other over distances. The following three types of communications are facilitated by telecommunications:

The audit focused on data communications (email facilities) and telephone operations, and addressed voice technology in those areas that affect the ability of the University to maintain business communications. The audit also examined the management of the communications system. Three University campuses were covered in the audit.

The telecommunications function is part of the Computing, Telecommunications and Information Services (CTIS) Department. Two major assignments associated with this sector are telephone and computing operations.

TELECOMMUNICATIONS ADMINISTRATION

The Telecommunications Coordinator reports to the Assistant VP for Business and Administration on fiscal matters, and to the CTIS Director on all other administrative/operational issues. Telephone responsibilities include moves, adds, changes, bills (incoming and outgoing calls), authorization codes (for use in making long distance and international calls), CDR (call detail recording), and updating telephone books/directories (for XXXX and outside vendors). The University currently has a maintenance contract with the United Telephone of Texas (UTT). UTT is responsible for maintaining the telephone switch for any failures reported. If XXXX personnel are unavailable for installations, UTT will do an installation service order for $55 per hour on the current contract. The maintenance contract with UTT costs the University $40,718 annually.

CHARGES FOR SERVICES

The University administration sets standard fees for the installation of telephones. If a telephone wire is in place, the charge is $67 to install and have a telephone service fully operational. If telecommunications staff pulls a wire, the charge is $134. The reason for the standardization in fees is that in some buildings it is relatively easy to pull wires and in others it is extremely difficult. Departments don't make decisions about the buildings they are in. Hence the general feeling is not to charge a department more because it is in a building that has brick walls (difficult to pull wires).

Procedures in place are as follows: A department will contact the Telecommunications Coordinator to request an add, a move, and/or a change. If the Coordinator can accommodate the user by a software procedure, the user does an interdepartmental (IDT) order, and forwards it to Purchasing for encumbrance. After receipt of the order (signed by all necessary officials), the telecommunications staff (if available), or UTT staff complete the requested task/service. Upon completion of the work, the IDT order is sent to the Fiscal Office for payment from the department's account to the telecommunications income account. All telephone bills, and special charges such as wire, hubs, routers, and repeaters are paid from a telecommunications expense account. These items are needed for installation, and the expenses incurred are ultimately charged to the departments for reimbursement.

TELEPHONE SWITCH

The University purchased a NORTHERN TELECOM SL-1 TELEPHONE SWITCH in 1986 (with cutover in mid 1987). The telephone switch is programmed to block all long distance calls unless an authorization code is entered to override the block. Every employee who needs access to LD service is requested to complete an authorization code form, have it signed by his/her immediate supervisor, and submit it to the Telecommunications Coordinator. The information is then transferred to the mainframe program for chargeback to the departments. The switch is also programmed for LEAST COST ROUTING.

When an authorized person inputs his/her LD code, the switch automatically routes the call to TEXAN (the state's telecommunications systems). Each month the Coordinator, through an in-house developed software program, transfers the CDR information from the switch to the mainframe program. The program then sorts the data and prints the monthly phone bills for distribution to various departments. Each phone bill lists the LD code used, where the calls were made, and when the calls were made. This affords the department heads the opportunity to review the LD charges incurred by their departments. The Fiscal Office is provided with copies of the printed monthly bills so that the office can charge the departments for their equipment and LD usage.

The charges are paid through IDTs and involve crediting the telephone income account. At the beginning of each year, a list of the employees that have authorization codes on file for the individual departments is sent to each department head for verification. Also, each month when the Fiscal Office receives the monthly telephone bill from various commercial telephone companies (for calls not routed through TEXAN), a copy is sent to the Telecommunications Coordinator for verification (this is very important as we will see later). If there is a discrepancy in the bill, the Coordinator notifies the Fiscal Office not to pay the questionable charges, and then contacts the telephone companies to issue credit to the University account for these charges.

DATA COMMUNICATIONS

Data access installations are intricate parts of the telecommunications area. The data network utilizes the same wire the telephone system uses (different pairs). For every existing or added wire, the user has the option to have one telephone and one data device. Depending on the user's preference, the telecommunications area determines where the wires are cross-connected in the wiring closet and whether or not there is a fee involved. Currently, for mainframe/Internet connection through the main campus data switch, there is no charge. However, if the user wants Ethernet or AppleTalk, there is a $75 per port charge to offset the cost of the hubs. The same system of transferring funds from the departments to the telecommunications income account is used if there is a charge. After the wires are connected, the data that runs through them is not a concern of the telecommunications area (responsibility shifts to the using departments). Thus, the user departments are responsible for the integrity and security of the data subject to transmission on the distributed data networks.

Malfunction of network equipment is also reported to the telecommunications area for problem identification and resolution. Currently the telecommunications area has a maintenance contract with Data Applications of Dallas (DAD). A DAD technician checks in with the Coordinator a minimum of 3 times a day for dispatch. It is up to the Coordinator to determine whether telecommunications personnel can be of service, or if the call is to be dispatched to the DAD technician. Each morning the DAD technician gives the Coordinator a readout of the status of the calls (service requests) that are outstanding.

LONG DISTANCE TELEPHONE CHARGES

As noted, our normal LD calls are automatically routed through TEXAN (the state's long distance telecommunications systems). Credit card and other "non-routine" calls (i.e., temporary LD access, international calls, 900 numbers, etc.) are routed through commercial carriers such as the United Telephone, MCI, AT&T, Sprint, and Zero Plus Dialing, Inc. Our private branch exchanges (PBXs) record all outgoing LD calls with the from/to number and date and time, along with the call duration. Billing statements for these LD charges are received monthly from the commercial carriers in an integrated form (single phone bill).

The Telecommunications Coordinator routinely matches these phone bills to the telephone toll tape (from the PBX details) monthly to verify that the charges are legitimately incurred by the University. We noted that the monthly telephone bills routinely contain charges not legitimately incurred by the University. The Coordinator has been very successful in contesting these incorrect/illegitimate charges (we noted 77% and 75% of the long distance charges to the University were in error -- not legitimately incurred by the University -- during the 1992-93 and 1993-94 fiscal years respectively). The Coordinator's efforts in reconciling the LD charges with our in-house maintained records of outgoing calls translated into a net saving of $12,159 from phone bills improperly charged to the University over the last two years alone (most of these charges were buried among legitimate charges, hoping that big customers like us would share the cost of fraud calls without detecting the errors). Pay very close attention to controls exercised in this area -- otherwise your organization will continue to incur substantial losses.

Commercial telephone companies have polished their strategies of burying illegitimate charges among legitimate ones -- hoping that the extensive details will be too daunting or frustrating for anyone to notice the errors (just pay up as charged without reviewing the details if you don't have the time or the patience to do so!).
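
The reconciliation control described above, matching each carrier bill line to a PBX call detail record and contesting whatever has no match, can be sketched as follows. This is an added example, not code from the audit or the University's in-house program; the record layouts, tolerances, and sample calls are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data; the field layout is an assumption, not the switch's CDR format.
CDR = [  # PBX side: (from_number, to_number, start, duration_seconds)
    ("9035550101", "2125550147", "1994-03-02 09:14", 360),
    ("9035550102", "4155550188", "1994-03-02 10:40", 125),
    ("9035550101", "2125550147", "1994-03-09 15:02", 60),
]
BILL = [  # carrier side: (from_number, to_number, start, billed_minutes, charge_usd)
    ("9035550101", "2125550147", "1994-03-02 09:15", 6, 1.50),
    ("9035550102", "4155550188", "1994-03-02 10:40", 3, 0.75),
    ("9035550103", "9005550199", "1994-03-05 23:51", 22, 43.78),  # never left the PBX
    ("9035550101", "2125550147", "1994-03-09 15:02", 14, 3.50),   # duration inflated
]

FMT = "%Y-%m-%d %H:%M"
START_SLACK = timedelta(minutes=2)  # assumed clock drift between PBX and carrier
MINUTE_SLACK = 1                    # assumed allowance for carrier rounding

def reconcile(bill, cdr):
    """Return (accepted, contested); one CDR record can back only one bill line."""
    unused = [(f, t, datetime.strptime(s, FMT), d) for f, t, s, d in cdr]
    accepted, contested = [], []
    for line in bill:
        frm, to, start, minutes, _charge = line
        when = datetime.strptime(start, FMT)
        reason, hit = "no PBX record of this call", None
        for rec in unused:
            if rec[0] == frm and rec[1] == to and abs(rec[2] - when) <= START_SLACK:
                pbx_minutes = -(-rec[3] // 60)  # round PBX seconds up to whole minutes
                if minutes <= pbx_minutes + MINUTE_SLACK:
                    hit = rec
                    break
                reason = f"billed {minutes} min, PBX recorded {pbx_minutes} min"
        if hit:
            unused.remove(hit)  # consumed, so a duplicate bill line cannot reuse it
            accepted.append(line)
        else:
            contested.append((line, reason))
    return accepted, contested

def contested_share(bill, contested):
    # Percentage of billed dollars that has no backing in the PBX records.
    return round(100 * sum(l[4] for l, _ in contested) / sum(l[4] for l in bill), 1)

if __name__ == "__main__":
    for line, why in reconcile(BILL, CDR)[1]:
        print(f"CONTEST ${line[4]:.2f} {line[0]} -> {line[1]} at {line[2]}: {why}")
```

Because each PBX record is consumed when matched, a call billed twice is flagged on its second appearance even though the first copy is legitimate.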

OTHER AUDIT ISSUES AND CONCERNS

We made numerous audit findings -- most of which were resolved informally during the audit, while some were included in the audit report as reportable conditions demanding management's immediate attention (to correct reported deficiencies). Some issues and concerns that generally affect most telecommunications installations based on our audit and research include:

The telecommunications policy should be formally documented and distributed as a part of the University's overall control structure. A clear definition as to responsibility and enforcement of the policy enhances effectiveness. As with other policies and procedures, the telecommunications policy should be reviewed and updated on a regular basis.


For comments or problems, please e-mail
Slemo Warigon lonestar@rain.org
or call (805) 893-3817.
Copyright © 1996 The WariNet Haven