TELECOMMUNICATIONS OPERATIONAL AUDIT PROGRAM

OBJECTIVES

Conduct an operational audit of the Telecommunications department at [Organization] to determine whether:

• departmental goals and objectives are being met,
• resources are being safeguarded,
• applicable laws, regulations, policies, and procedures are being followed, and
• reliable data are being obtained for management decision-making.

SCOPE

• Review policies and procedures.

• Identify operational processes and conduct a "walkthrough" of transactions.

• Analyze operations principally for the three year period ended with fiscal year 199X based on discussions, limited tests of the records and observations.

• Conduct personal interviews with management representatives of user departments selected at random to evaluate customer satisfaction.

BACKGROUND

The Telecommunications function is a part of the Computing, Telecommunications and Information Services (CTIS) department. It originated as a department in [year] under its current director, [name]. The Director reports administratively to the Vice President for Business and Administration, [name]. The annual budget for fiscal year 199X-XX is $1.5 million (Account #XXXX-XXXX). [Name] is currently the Telecommunications Coordinator, and her annual salary is drawn from Designated Funds #XXXX (Telephone Operations).

REVIEW POLICIES AND PROCEDURES

1. Review policies and procedures supporting routing departmental operations. Obtain a thorough understanding of these operations by conducting a "walkthrough" of the main processes:
   • Annual budget
   • Payroll certification
   • Personnel leave reports
   • Policy/procedures manual
   • Vendor payments
   • XXX reconciliation
   • Equipment inventory
   • Record maintenance
   • Job responsibilities
   • Departmental billings
   • Billing formulas
   • Operations reports
   • Work order requests
   • Records retention
2. Scan payroll journals for three years period ended August 31, 199X. Take note of anything unusual, and if necessary expand the scope of review.

3. Scan the leave records for two employees during the three year period ended August 31, 199X. Determine if any comp time was worked, and if so, how it was applied compared with campus policy. Take note of anything unusual, and if necessary expand the scope of review.

4. During the course of this review, take particular note of any activities that involved a former employee who was terminated in 199X. Consider expanding the scope of review if anything unusual is noted.

ANALYZE TELECOMMUNICATIONS OPERATIONS

1. Analyze financial activities for three years period ended August 31, 199X with regard to the following:
   • Compare actual versus budget
   • Note trends from year to year
   • Calculate approximate total of volume activity
   • Compute ratios for comparison to those previous year, other universities, or industry averages.
2. Verify detailed local telephone bills for two months in both fiscal years 199X and 199X based on existing resources. Analyze expenditures for three years to XXX and Cellular One bills by vendor and by year. Consider expanding the review if necessary.

3. Analyze telecommunications charges to departments for three years period ended fiscal year 199X, and verify them on the basis of accuracy, completeness and reasonableness. Compare actual and budgeted amounts. Review journal vouchers from Telecommunications as to purpose and overall propriety.

4. Review contract for telephone maintenance services during the three year period ended with fiscal year 199X. Reconcile contract terms with actual XXX charges for that period of time.

5. Obtain service records of contract maintenance performed and analyze in relation to the contract price paid for the last three fiscal years. Determine if the frequency of service justify the amount paid. Review contract for covered repairs to justify reasonableness. Also, review a sample of service orders, and determine:
   • How prices are computed,
   • How pricing disputes are settled, and
   • How costs are recovered.
6. Obtain long distance bills for two months in both fiscal years 199X and 199X (same as in #2 above), and conduct the following tests:
   • Analyze total long distance charges for each of the two years. Determine total journal voucher billings for the same period of time and account for any differences from actual telephone charges per telephone bills. Evaluate the reasonableness of any over-recoveries. Trace a sample of call summary reports to related journal vouchers and XXX.

   • Trace charges to appropriate accounts on XXX for five departments. Sample departments with both large and small amounts. Determine the reasons for any differences. These amounts will be based on estimates of internal billing reports.

   • Review bills for unusual items (large dollar amounts, 900 numbers, unusual locations, time and weather calls, etc.). Determine how they were handled, and evaluate the appropriateness of that action.
7. Identify five campus departments that use telephone service (4 large and 1 small). Prepare a user survey (10 to 20 questions) to assess the efficiency and effectiveness of telecommunications' services. Personally visit the designated departments, and discuss the questions with a representative of management (business manager or higher) to obtain responses. Evaluate the results and share them with the Director of CTIS.

8. Review agreements for telephone services with on-campus contractors. Scan related billings to determine compliance with the agreements. Determine the reasons for any differences.

9. Summarize statistical operations reports prepared by the director or Telecommunications Coordinator for the three year period ended with fiscal year 199X. Compare the results and note any meaningful trends. Reconcile the volume of operations with related costs.

10. Review the XXX statements for the last three fiscal years. Judgementally select five vendor payments in each year other than for payment of routine telephone bills, and verify that the payments were accurate, complete, and reasonable. Include two small dollar purchase order ($200 to $500) for each year. Use XXX program for vouching vendor payments.

11. Obtain the latest capital equipment inventory listing. Review the listing for accuracy with the Director. Identify any inaccuracies. Consider a physical verification of selected items. Also determine if the listing is accurate and representative of the equipment on hand. Determine the adequacy of control for non-capital equipment. Examine documents supporting the addition/reduction of the capital inventory during the three year period ended as of August 31, 199X, and evaluate the nature of that action.

12. Review equipment purchases and leases during the three year period ended with fiscal year 199X. Compare actual expenditures to the amount budgeted. Verify unit prices for reasonableness. Determine total expenditures and charges to users. Perform additional analysis as deemed appropriate.

13. Obtain network documentation/diagrams and verify their completeness and accuracy.

14. Obtain a listing of all network hardware used by the installation and verify that operating documentation, instructions, etc. are maintained for each hardware component.

15. Obtain documentation supporting hardware switch settings (operators instructions, procedures, etc.). Review the switch settings by observing the physical configuration of the hardware. Evaluate controls over access to these switches and whether documentation is adequate to restore switch settings to normal in the event of accidental or intentional tampering.

16. Obtain a system-generated logical device address listing (configuration listing). Evaluate the extent to which terminal assignments have been logically defined and determine whether these assignments compromise segregation of duties or data security.

17. Obtain a system VTOC of the modules and programs used to support telecommunications services. Determine whether network software is secured from access by authorized personnel, and whether these libraries are adequately protected (OS-WRITE protected).

18. Evaluate the level of logon or dial-up security utilized to gain access to the computer. Note that the use of standardized vendor default logons should be removed from the system once the package has been operationally tested and accepted.

19. Review communications software configuration(s) for the existence of third-party (vendor, field service) logon authorization(s) or access privileges. Determine whether these third-parties have a demonstrated need for such access (remote diagnostic capabilities) or whether vendor default parameters have not been changed since implementation.

20. Obtain messaging routing tables (for store and forward messaging systems) and evaluate whether change controls to messaging software is restricted to the appropriate personnel. (Note: Routing tables usually form the basis for billable charges. Unauthorized changes could result in errors in both message destination and inter-institutional billable charges).

21. Obtain a line or port dedication listing and evaluate the extent to which system and file access have been restricted.

22. Review telecommunications controller documentation and determine whether controller software (i.e., ACT/VTAM-NCP) can be adequately secured by stand alone means or through mainframe software security.

23. Obtain system accountability (USAGE, HISTORY, SECURITY) listings and verify, on a sample basis, that users have been authorized to access the system.

24. Review any security violations/attempts listings and determine corrective actions taken by management.

COMPLETE AUDIT

1. Review work papers and prepare draft report. Submit working papers to the director for review, and clear all review notes.

2. Discuss draft report with responsible personnel, adjust as needed, and issue refined draft report.

3. Ensure management response is received. Issue final audit report with management response included.

4. Place management response in the working papers, and record any data needed for the follow-up or next review.