We completed an audit of telecommunications function at [organization] in November 1994. Thus, issues discussed here might be helpful to anyone who is currently conducting or plans to conduct an operational audit of the telecommunications function.

Text included below is lengthy. Background information is necessary to get a better picture of the audit issues and concerns addressed in the later portions of the text. One can't grasp the enormity of an elephant by looking at its tail alone!

• functional goals and objectives were being met
• resources were being safeguarded
• reliable data were being obtained from telecommunications systems, and
• applicable laws, regulations, policies and procedures were being followed internal controls over billings and related processes existed and were being disciplined.

• Reviewed policies and procedures as well as current research publications on good business practices related to telecommunications.

• Identified operational processes and conducted a "walk through" of telecommunications transactions.

• Analyzed operations principally for the two year period ended with fiscal year 1994 (August 31) through use of discussions, comprehensive tests of the records and observations.

• Conducted in-person interviews and user surveys to evaluate customer satisfaction as well as to identify potential areas of improvement.

• people-to-people
• people-to-machine
• machine-to-machine

The audit focused on data communications (email facilities), telephone operations, and addressed voice technology in those areas that affect the ability of the University to maintain business communications. The audit also examined the management of communications system. Three University campuses were covered in the audit.

Telecommunications function is a part of the Computing, Telecommunications and Information Services (CTIS) Department. Two major assignments associated with this sector are telephone and computing operations.

Procedures in place are as follows: A department will contact the Telecommunications Coordinator to request an add, a move, and/or a change. If the Coordinator can accommodate the user by a software procedure, the user does an interdepartmental (IDT) order, and forwards it to Purchasing for encumbrance. After receipt of the order (signed by all necessary officials), the telecommunications staff (if available), or UTT staff complete the requested task/service. Upon completion of the work, the IDT order is sent to the Fiscal Office for payment from the department’s account to the telecommunications income account. All telephone bills, and special charges such as wire, hubs, routers, and repeaters are paid from a telecommunications expense account. These items are needed for installation, and the expenses incurred are ultimately charged to the departments for reimbursement.

When an authorized persons inputs his/her LD code, the switch automatically routes the call to TEXAN (state's telecommunications systems). Each month the Coordinator, through an in-house developed software program, transfers the CDR information from the switch to the mainframe program. The program then sorts the data and prints the monthly phone bills for distribution to various departments. Each phone bill lists the LD code used, where the calls were made, and when the calls were made. This affords the department heads the opportunity to review the LD charges incurred by their departments. The Fiscal Office is provided with copies of the printed monthly bills so that the office can charge the departments for their equipment and LD usage.

The charges are paid through IDT's and involve crediting the telephone income account. At the beginning of each year, a list of the employees that have authorization codes on file for the individual departments is sent to each department head for verification. Also, each month when the Fiscal Office receives the monthly telephone bill from various commercial telephone companies (for calls not routed through TEXAN), a copy is sent to the Telecommunications Coordinator for verification (this is very important as we will see later). If there is a discrepancy in the bill, the Coordinator notifies the Fiscal Office not to pay the questionable charges, and then contacts the telephone companies to issue credit to the University account for these charges.

Malfunction of network equipment is also reported to the telecommunications area for problem identification and resolution. Currently the telecommunications has a maintenance contract with Data Applications of Dallas (DAD). They have a DAD technician who checks in with the Coordinator a minimum of 3 times a day for dispatch. It is up to the Coordinator to determine whether telecommunications personnel can be of service, or if the call is to be dispatched to the DAD technician. Each morning the DAD technician gives the Coordinator a readout of the status of the calls (service requests) that are outstanding.

The Telecommunications Coordinator routinely matches these phone bills to the telephone toll tape (from the PBX details) monthly to verify that the charges are legitimately incurred by the University. We noted that the monthly telephone bills routinely contain charges not legitimately incurred by the University. The Coordinator has been very successful in contesting these incorrect/illegitimate charges (we noted 77% and 75% of the long distance charges to the University were in error -- not legitimately incurred by the University -- during the 1992-93 and 1993-94 fiscal years respectively). The Coordinator's efforts in reconciling the LD charges with our in-house maintained records of outgoing calls translated into a net saving of $12,159 from phone bills improperly charged to the University over the last two years alone (most of these charges were buried among legitimate charges, hoping that big customers like us would share the cost of fraud calls without detecting the errors). Pay very close attention to controls exercised in this area -- otherwise your organization will continue to incur substantial losses.

Commercial telephone companies have polished their strategies of burying illegitimate charges among legitimate ones -- hoping that the extensive details will be daunting or frustrating enough for anyone to notice the errors (just pay up as charged without reviewing the details if you don't have the time or the patience to do so!).

• TELECOMMUNICATIONS SOFTWARE: Auditors should insist that changes and upgrades to the telecommunications software be properly documented. Without proper documentation, proper controls can't be exercised or evaluated (no one will knows what the contractors or the resident technicians are doing to the software and whether the changes/upgrades were properly authorized).

• PASSWORD TABLES: We were unable to obtain records of entries showing who among those with "superuser privileges" accessed the password tables during the last fiscal year. Auditors should be able to obtain such records in order to determine how access to the password tables is restricted and whether such access is actually restricted to those who really need to access the password tables (if those tables are not properly encrypted). Some people with "su" privileges can abuse their access privileges (they are humans, and the temptation to play "digital Gods" by finding passwords and snooping in users' accounts can be too much to resist). Users can also be put in trouble if a disgruntled employee with "su" privileges start sending and receiving "offensive" materials on using their accounts.

• ACCESS STATUS REPORTS: If not in place, auditors need to suggest that status reports of all employees with both telephone and Internet access be submitted to the user departments periodically (say monthly) to enable department heads validate the access capabilities currently provided to employees in their departments. Sometimes terminated employees can still use these access privileges long after they were terminated.

• MONITORING SECURITY VIOLATIONS: Maintaining logs of security violations serves no useful purpose if the logs are not being reviewed continuously and actions taken. Hence procedures should be instituted to ensure that reports of security violations are reviewed and resolved (not to just keep them for the convenience of auditors). Auditors are not paid to do the job of security administrators. Also, if possible, ensure that such procedures provide for automatic suspension of user ID/Code or the disability of terminal, PC, data entry device, etc., after a determined number of security procedure violations such as persistent unsuccessful access attempts. Records of security violations should also be protected from accidental or intentional destruction/alterations.

• NETWORK DATA CLASSIFICATION: Data/information residing on computer networks should be classified (e.g., as sensitive, critical, or otherwise), and have the telecommunications function address how such classification impact network routing or design. This is essentially one of the first steps to ensuring the overall security program mechanism on a relatively open computing network (i.e., distributed data processing environment), and such responsibility should not be left to the departments.

• NETWORK MONITORING MECHANISMS: Adequate information should be maintained about the reporting and surveillance facilities within the network software to enable auditors and network engineers make a determination on whether or not they are adequate to provide audit trail of network activities and to alert management of both actual and potential security violations.

• COMMUNICATIONS SYSTEMS PLAN: Encourage the development of a formal communications plan for standard telecommunications architecture, and ensure that formal approach is taken for the telecommunications systems design and acquisition. Have the telecommunications function conduct formal reviews of communications facilities periodically to assess their delivery of services and user satisfaction. Network optimization studies should also be conducted to ensure a cost-effective facility design.

• DIRECTORY CALLS: Employees frequently make "directory calls" (calls to telephone operators asking them for the phone numbers of people to call). These calls incur charges, and can be easily abused by employees under the pretense that they are asking for the numbers to make "business-related calls". We found that we pay substantial amount for "directory calls" every month. Unless the department heads review all "directory calls" marked on monthly phone bills as "Information" calls, and ask the appropriate employees who made these calls as to the purposes of the calls, there is NO way the University will know whether these calls were proper and valid (i.e., for business purposes). We can only scrutinize employees with patterns of making many "directory calls" every months (we did this several times and questioned the employees; after the questioning, the patterns seemed to stop altogether).

• RESTRICTION OF AUTHORIZATION CODES: We don't restrict the use of LD authorization codes to telephone stations or offices within the campuses. Anyone who has an authorization code or discovers one illegally can use it to make LD calls anywhere on campus and anytime. This has some control weaknesses. Student or temporary workers will get to know the authorization codes of full-time employees while working with them, and will use the codes to make numerous LD calls from anywhere on campus (i.e., dorms, student union center, etc.). We discovered several instances of such abuses, fortunately we placed "calls traceback" and caught most of the perpetrators (they were forced to reimburse the University for personal calls made with the employees' codes).

• CALL-BACK FEATURE: A "call-back" to a specific phone number and re-verification of the user ID is not required at XXXX and we are concerned. Per the CTIS Director, the number of students, faculty and staff that use the telecommunications facilities is a contributing factor for not making use of the call-back feature. Accordingly, the CPU cannot interrogate a dial-up terminal, automatically get its ID, and verify that the terminal calling is the same terminal it says it is calling. If you are in the same shoes with us, you have to get a degree of comfort from compensating controls in this area. Otherwise, raise enough "hell" to get management to act on this matter. Very critical. (Note: Call-back feature can now be easily circumvented by a procedure known as call-forwarding. Strong access controls are needed in this area).

• REMOTE ACCESS: If your networks are configured to allow remote terminal functions (e.g., vendor maintenance or service), verify that vendor field service default parameters have been reviewed formally for DEMONSTRATED NEED (otherwise recommend that they be removed!).

• PERSONAL CALLS: 23% of phone calls we reviewed were found to be personal in nature. These personal calls averaged $13 per call and were mostly made by employees from their phone stations to locations where they were seeking employment positions or chatting with friends on personal matters. Reimbursements for these personal calls were sought by the university.

• THIRD-PARTY CALLS: 18% of calls reviewed for LD charges by commercial carriers (not through TEXAN) were made by third-parties (e.g., individuals outside the University, but somehow the calls got charged to the University). These calls were not paid because the Telecommunications Coordinator had them screened out prior to payment of valid charges.

• TOLL FRAUDS: We noted that 32% of calls reviewed for LD charges by non-TEXAN companies (commercial carriers) were so-called "operator assistance" calls that the United Telephone company failed to block, but billed the University for the same nevertheless. These charges were not paid (were contested vigorously), and they were apparently fraud calls -- generally known as "toll frauds."

• CREDIT CARD CALLS: 27% of calls reviewed were credit card calls that appeared legitimate, but were not actually legitimate upon closer examination (i.e., fraud calls) since they were not identified with our proper series of numbers assigned to all our credit card holders. These calls were not paid.

• "HOT" LINES CALLS: Between February and June 1994, we noted 25 calls that were made to the 900 numbers (porn lines/adult entertainment). All commercial carriers were supposed to automatically block the 900 number calls, but for some reasons failed to do so in these instances. It was their responsibility, but they tried to pass the buck to us. We refused to pay these charges, and they did not contest our refusal to pay.

• TELECOMMUNICATIONS POLICY: One of the 4 formal recommendations we made relative to the telecommunications audit addressed the need for the University to develop and enforce a telecommunications policy detailing the operational rules for telephone, cable, satellite, and computer networks. A policy is needed that will be proactive in protecting access privileges for the use of University's telecommunications system. We recommended that the telecommunications policy should:

  • Delineates permissible (authorized and official) calls and impermissible (unauthorized and unofficial) calls placed on the state's long distance telecommunications systems by furnishing examples of permissible calls. Also, provides department-wide standards to be applied when collecting money from persons making unofficial use of the state's LD telecommunications systems.

  • Stresses the importance of changing access codes as often as possible to safeguard against misuse of employees' access codes by others for unauthorized and unofficial calls. The attitude of "if it ain't broke, don't fix it" should be strongly discouraged. It does not pay to become complacent.

  • Reminds department heads continually of their responsibilities to review telephone bills for propriety and compliance with the University policies and procedures.

  • Delineates disciplinary measures to be taken for all unofficial use of the state's LD telecommunications systems.

The telecommunications policy should be formally documented and distributed as a part of the University's overall control structure. A clear definition as to responsibility and enforcement of the policy enhances effectiveness. As with other policies and procedures, the telecommunications policy should be reviewed and updated on a regular basis.