TELECOMMUNICATIONS OPERATIONAL AUDIT PROGRAM
OBJECTIVES
Conduct an operational audit of the Telecommunications department
at [Organization] to determine whether:
- departmental goals and objectives are being met,
- resources are being safeguarded,
- applicable laws, regulations, policies, and procedures are
being followed, and
- reliable data are being obtained for management decision-making.
SCOPE
- Review policies and procedures.
- Identify operational processes and conduct a "walkthrough"
of transactions.
- Analyze operations principally for the three year period ended
with fiscal year 199X based on discussions, limited tests of the
records and observations.
- Conduct personal interviews with management representatives
of user departments selected at random to evaluate customer satisfaction.
BACKGROUND
The Telecommunications function is a part of the Computing, Telecommunications
and Information Services (CTIS) department. It originated as a
department in [year] under its current director, [name]. The Director
reports administratively to the Vice President for Business and
Administration, [name]. The annual budget for fiscal year 199X-XX
is $1.5 million (Account #XXXX-XXXX). [Name] is currently the
Telecommunications Coordinator, and her annual salary is drawn
from Designated Funds #XXXX (Telephone Operations).
REVIEW POLICIES AND PROCEDURES
- Review policies and procedures supporting routing departmental
operations. Obtain a thorough understanding of these operations
by conducting a "walkthrough" of the main processes:
- Annual budget
- Payroll certification
- Personnel leave reports
- Policy/procedures manual
- Vendor payments
- XXX reconciliation
- Equipment inventory
- Record maintenance
- Job responsibilities
- Departmental billings
- Billing formulas
- Operations reports
- Work order requests
- Records retention
- Scan payroll journals for three years period ended August
31, 199X. Take note of anything unusual, and if necessary expand
the scope of review.
- Scan the leave records for two employees during the three
year period ended August 31, 199X. Determine if any comp time
was worked, and if so, how it was applied compared with campus
policy. Take note of anything unusual, and if necessary expand
the scope of review.
- During the course of this review, take particular note of
any activities that involved a former employee who was terminated
in 199X. Consider expanding the scope of review if anything unusual
is noted.
ANALYZE TELECOMMUNICATIONS OPERATIONS
- Analyze financial activities for three years period ended
August 31, 199X with regard to the following:
- Compare actual versus budget
- Note trends from year to year
- Calculate approximate total of volume activity
- Compute ratios for comparison to those previous year, other
universities, or industry averages.
- Verify detailed local telephone bills for two months in both
fiscal years 199X and 199X based on existing resources. Analyze
expenditures for three years to XXX and Cellular One bills by
vendor and by year. Consider expanding the review if necessary.
- Analyze telecommunications charges to departments for three
years period ended fiscal year 199X, and verify them on the basis
of accuracy, completeness and reasonableness. Compare actual and
budgeted amounts. Review journal vouchers from Telecommunications
as to purpose and overall propriety.
- Review contract for telephone maintenance services during
the three year period ended with fiscal year 199X. Reconcile contract
terms with actual XXX charges for that period of time.
- Obtain service records of contract maintenance performed and
analyze in relation to the contract price paid for the last three
fiscal years. Determine if the frequency of service justify the
amount paid. Review contract for covered repairs to justify reasonableness.
Also, review a sample of service orders, and determine:
- How prices are computed,
- How pricing disputes are settled, and
- How costs are recovered.
- Obtain long distance bills for two months in both fiscal years
199X and 199X (same as in #2 above), and conduct the following
tests:
- Analyze total long distance charges for each of the two years.
Determine total journal voucher billings for the same period of
time and account for any differences from actual telephone charges
per telephone bills. Evaluate the reasonableness of any over-recoveries.
Trace a sample of call summary reports to related journal vouchers
and XXX.
- Trace charges to appropriate accounts on XXX for five departments.
Sample departments with both large and small amounts. Determine
the reasons for any differences. These amounts will be based on
estimates of internal billing reports.
- Review bills for unusual items (large dollar amounts, 900
numbers, unusual locations, time and weather calls, etc.). Determine
how they were handled, and evaluate the appropriateness of that
action.
- Identify five campus departments that use telephone service
(4 large and 1 small). Prepare a user survey (10 to 20 questions)
to assess the efficiency and effectiveness of telecommunications'
services. Personally visit the designated departments, and discuss
the questions with a representative of management (business manager
or higher) to obtain responses. Evaluate the results and share
them with the Director of CTIS.
- Review agreements for telephone services with on-campus contractors.
Scan related billings to determine compliance with the agreements.
Determine the reasons for any differences.
- Summarize statistical operations reports prepared by the director
or Telecommunications Coordinator for the three year period ended
with fiscal year 199X. Compare the results and note any meaningful
trends. Reconcile the volume of operations with related costs.
- Review the XXX statements for the last three fiscal years.
Judgementally select five vendor payments in each year other than
for payment of routine telephone bills, and verify that the payments
were accurate, complete, and reasonable. Include two small dollar
purchase order ($200 to $500) for each year. Use XXX program for
vouching vendor payments.
- Obtain the latest capital equipment inventory listing. Review
the listing for accuracy with the Director. Identify any inaccuracies.
Consider a physical verification of selected items. Also determine
if the listing is accurate and representative of the equipment
on hand. Determine the adequacy of control for non-capital equipment.
Examine documents supporting the addition/reduction of the capital
inventory during the three year period ended as of August 31,
199X, and evaluate the nature of that action.
- Review equipment purchases and leases during the three year
period ended with fiscal year 199X. Compare actual expenditures
to the amount budgeted. Verify unit prices for reasonableness.
Determine total expenditures and charges to users. Perform additional
analysis as deemed appropriate.
- Obtain network documentation/diagrams and verify their completeness
and accuracy.
- Obtain a listing of all network hardware used by the installation
and verify that operating documentation, instructions, etc. are
maintained for each hardware component.
- Obtain documentation supporting hardware switch settings (operators
instructions, procedures, etc.). Review the switch settings by
observing the physical configuration of the hardware. Evaluate
controls over access to these switches and whether documentation
is adequate to restore switch settings to normal in the event
of accidental or intentional tampering.
- Obtain a system-generated logical device address listing (configuration
listing). Evaluate the extent to which terminal assignments have
been logically defined and determine whether these assignments
compromise segregation of duties or data security.
- Obtain a system VTOC of the modules and programs used to support
telecommunications services. Determine whether network software
is secured from access by authorized personnel, and whether these
libraries are adequately protected (OS-WRITE protected).
- Evaluate the level of logon or dial-up security utilized to
gain access to the computer. Note that the use of standardized
vendor default logons should be removed from the system once the
package has been operationally tested and accepted.
- Review communications software configuration(s) for the existence
of third-party (vendor, field service) logon authorization(s)
or access privileges. Determine whether these third-parties have
a demonstrated need for such access (remote diagnostic capabilities)
or whether vendor default parameters have not been changed since
implementation.
- Obtain messaging routing tables (for store and forward messaging
systems) and evaluate whether change controls to messaging software
is restricted to the appropriate personnel. (Note: Routing tables
usually form the basis for billable charges. Unauthorized changes
could result in errors in both message destination and inter-institutional
billable charges).
- Obtain a line or port dedication listing and evaluate the
extent to which system and file access have been restricted.
- Review telecommunications controller documentation and determine
whether controller software (i.e., ACT/VTAM-NCP) can be adequately
secured by stand alone means or through mainframe software security.
- Obtain system accountability (USAGE, HISTORY, SECURITY) listings
and verify, on a sample basis, that users have been authorized
to access the system.
- Review any security violations/attempts listings and determine
corrective actions taken by management.
COMPLETE AUDIT
- Review work papers and prepare draft report. Submit working
papers to the director for review, and clear all review notes.
- Discuss draft report with responsible personnel, adjust as
needed, and issue refined draft report.
- Ensure management response is received. Issue final audit
report with management response included.
- Place management response in the working papers, and record
any data needed for the follow-up or next review.