Conduct an operational audit of the Telecommunications department at [Organization] to determine whether:



The Telecommunications function is a part of the Computing, Telecommunications and Information Services (CTIS) department. It originated as a department in [year] under its current director, [name]. The Director reports administratively to the Vice President for Business and Administration, [name]. The annual budget for fiscal year 199X-XX is $1.5 million (Account #XXXX-XXXX). [Name] is currently the Telecommunications Coordinator, and her annual salary is drawn from Designated Funds #XXXX (Telephone Operations).


  1. Review policies and procedures supporting routing departmental operations. Obtain a thorough understanding of these operations by conducting a "walkthrough" of the main processes:
  2. Scan payroll journals for three years period ended August 31, 199X. Take note of anything unusual, and if necessary expand the scope of review.

  3. Scan the leave records for two employees during the three year period ended August 31, 199X. Determine if any comp time was worked, and if so, how it was applied compared with campus policy. Take note of anything unusual, and if necessary expand the scope of review.

  4. During the course of this review, take particular note of any activities that involved a former employee who was terminated in 199X. Consider expanding the scope of review if anything unusual is noted.


  1. Analyze financial activities for three years period ended August 31, 199X with regard to the following:
  2. Verify detailed local telephone bills for two months in both fiscal years 199X and 199X based on existing resources. Analyze expenditures for three years to XXX and Cellular One bills by vendor and by year. Consider expanding the review if necessary.

  3. Analyze telecommunications charges to departments for three years period ended fiscal year 199X, and verify them on the basis of accuracy, completeness and reasonableness. Compare actual and budgeted amounts. Review journal vouchers from Telecommunications as to purpose and overall propriety.

  4. Review contract for telephone maintenance services during the three year period ended with fiscal year 199X. Reconcile contract terms with actual XXX charges for that period of time.

  5. Obtain service records of contract maintenance performed and analyze in relation to the contract price paid for the last three fiscal years. Determine if the frequency of service justify the amount paid. Review contract for covered repairs to justify reasonableness. Also, review a sample of service orders, and determine:
  6. Obtain long distance bills for two months in both fiscal years 199X and 199X (same as in #2 above), and conduct the following tests:
  7. Identify five campus departments that use telephone service (4 large and 1 small). Prepare a user survey (10 to 20 questions) to assess the efficiency and effectiveness of telecommunications' services. Personally visit the designated departments, and discuss the questions with a representative of management (business manager or higher) to obtain responses. Evaluate the results and share them with the Director of CTIS.

  8. Review agreements for telephone services with on-campus contractors. Scan related billings to determine compliance with the agreements. Determine the reasons for any differences.

  9. Summarize statistical operations reports prepared by the director or Telecommunications Coordinator for the three year period ended with fiscal year 199X. Compare the results and note any meaningful trends. Reconcile the volume of operations with related costs.

  10. Review the XXX statements for the last three fiscal years. Judgementally select five vendor payments in each year other than for payment of routine telephone bills, and verify that the payments were accurate, complete, and reasonable. Include two small dollar purchase order ($200 to $500) for each year. Use XXX program for vouching vendor payments.

  11. Obtain the latest capital equipment inventory listing. Review the listing for accuracy with the Director. Identify any inaccuracies. Consider a physical verification of selected items. Also determine if the listing is accurate and representative of the equipment on hand. Determine the adequacy of control for non-capital equipment. Examine documents supporting the addition/reduction of the capital inventory during the three year period ended as of August 31, 199X, and evaluate the nature of that action.

  12. Review equipment purchases and leases during the three year period ended with fiscal year 199X. Compare actual expenditures to the amount budgeted. Verify unit prices for reasonableness. Determine total expenditures and charges to users. Perform additional analysis as deemed appropriate.

  13. Obtain network documentation/diagrams and verify their completeness and accuracy.

  14. Obtain a listing of all network hardware used by the installation and verify that operating documentation, instructions, etc. are maintained for each hardware component.

  15. Obtain documentation supporting hardware switch settings (operators instructions, procedures, etc.). Review the switch settings by observing the physical configuration of the hardware. Evaluate controls over access to these switches and whether documentation is adequate to restore switch settings to normal in the event of accidental or intentional tampering.

  16. Obtain a system-generated logical device address listing (configuration listing). Evaluate the extent to which terminal assignments have been logically defined and determine whether these assignments compromise segregation of duties or data security.

  17. Obtain a system VTOC of the modules and programs used to support telecommunications services. Determine whether network software is secured from access by authorized personnel, and whether these libraries are adequately protected (OS-WRITE protected).

  18. Evaluate the level of logon or dial-up security utilized to gain access to the computer. Note that the use of standardized vendor default logons should be removed from the system once the package has been operationally tested and accepted.

  19. Review communications software configuration(s) for the existence of third-party (vendor, field service) logon authorization(s) or access privileges. Determine whether these third-parties have a demonstrated need for such access (remote diagnostic capabilities) or whether vendor default parameters have not been changed since implementation.

  20. Obtain messaging routing tables (for store and forward messaging systems) and evaluate whether change controls to messaging software is restricted to the appropriate personnel. (Note: Routing tables usually form the basis for billable charges. Unauthorized changes could result in errors in both message destination and inter-institutional billable charges).

  21. Obtain a line or port dedication listing and evaluate the extent to which system and file access have been restricted.

  22. Review telecommunications controller documentation and determine whether controller software (i.e., ACT/VTAM-NCP) can be adequately secured by stand alone means or through mainframe software security.

  23. Obtain system accountability (USAGE, HISTORY, SECURITY) listings and verify, on a sample basis, that users have been authorized to access the system.

  24. Review any security violations/attempts listings and determine corrective actions taken by management.


  1. Review work papers and prepare draft report. Submit working papers to the director for review, and clear all review notes.

  2. Discuss draft report with responsible personnel, adjust as needed, and issue refined draft report.

  3. Ensure management response is received. Issue final audit report with management response included.

  4. Place management response in the working papers, and record any data needed for the follow-up or next review.