Telecommunications Audit Summary
Last Modified Sunday, 17-Aug-1997 17:05:07 PDT
BY
Slemo Warigon
ALL RIGHTS RESERVED; RESTRICT DISTRIBUTION
We completed an audit of the telecommunications function at [organization] in November 1994. The issues discussed here may therefore be helpful to anyone who is conducting, or plans to conduct, an operational audit of a telecommunications function.
The text below is lengthy. The background information is necessary to get a full picture of the audit issues and concerns addressed in the later portions of the text. One can't grasp the enormity of an elephant by looking at its tail alone!
AUDIT OBJECTIVES
The telecommunications function at ETSU was audited to determine the effectiveness and efficiency of operations. Specifically, operational activities were reviewed to determine whether the function had implemented proper internal controls to provide reasonable assurance that:
- functional goals and objectives were being met
- resources were being safeguarded
- reliable data were being obtained from telecommunications systems
- applicable laws, regulations, policies and procedures were being followed, and
- internal controls over billings and related processes existed and were being consistently applied.
SCOPE OF AUDIT
The audit was conducted in accordance with Generally Accepted Information Systems Auditing Standards. In performing the audit, we used the 1992 edition of "Control Objectives: Controls in an Information Systems Environment - Objectives, Guidelines, and Audit Procedures" issued by the ISACA; the "Telecommunications: Detecting and Preventing Fraud" audit manual published by the IIA; and the SAC's Telecommunications Module published by the IIA. The audit scope included the following:
- Reviewed policies and procedures as well as current research publications on good business practices related to telecommunications.
- Identified operational processes and conducted a "walk through" of telecommunications transactions.
- Analyzed operations principally for the two-year period ended with fiscal year 1994 (August 31) through discussions, comprehensive tests of the records, and observations.
- Conducted in-person interviews and user surveys to evaluate customer satisfaction as well as to identify potential areas of improvement.
AN OVERVIEW
Telecommunications is generally defined as the series of mechanical, electrical, and electronic activities that enable people and machines to communicate with each other over distances. The following three types of communications are facilitated by telecommunications:
- people-to-people
- people-to-machine
- machine-to-machine
The audit focused on data communications (email facilities) and telephone operations, and addressed voice technology in those areas that affect the ability of the University to maintain business communications. The audit also examined the management of the communications system. Three University campuses were covered in the audit.
The telecommunications function is part of the Computing, Telecommunications and Information Services (CTIS) Department. The two major assignments associated with this sector are telephone and computing operations.
TELECOMMUNICATIONS ADMINISTRATION
The Telecommunications Coordinator reports to the Assistant VP for Business and Administration on fiscal matters, and to the CTIS Director on all other administrative/operational issues. Telephone responsibilities include moves, adds and changes; bills (incoming and outgoing calls); authorization codes (for use in making long distance and international calls); CDR (call detail recording); and updating telephone books/directories (for XXXX and outside vendors). The University currently has a maintenance contract with United Telephone of Texas (UTT). UTT is responsible for maintaining the telephone switch and repairing any failures reported. If XXXX personnel are unavailable for installations, UTT performs the installation service order at $55 per hour under the current contract. The maintenance contract with UTT costs the University $40,718 annually.
CHARGES FOR SERVICES
The University administration sets standard fees for the installation of telephones. If a telephone wire is already in place, the charge is $67 to install and have a telephone service fully operational. If telecommunications staff must pull a wire, the charge is $134. The reason for standardizing the fees is that in some buildings wires are relatively easy to pull and in others extremely difficult. Departments don't decide which buildings they are in, so the general feeling is not to charge a department more because it happens to be in a building with brick walls (where wires are difficult to pull).
The procedures in place are as follows: A department contacts the Telecommunications Coordinator to request an add, a move, and/or a change. If the Coordinator can accommodate the user by a software procedure, the user prepares an interdepartmental (IDT) order and forwards it to Purchasing for encumbrance. After receipt of the order (signed by all necessary officials), the telecommunications staff (if available) or UTT staff complete the requested task/service. Upon completion of the work, the IDT order is sent to the Fiscal Office for payment from the department's account to the telecommunications income account. All telephone bills, and special charges such as wire, hubs, routers, and repeaters, are paid from a telecommunications expense account. These items are needed for installation, and the expenses incurred are ultimately charged back to the departments for reimbursement.
TELEPHONE SWITCH
The University purchased a NORTHERN TELECOM SL-1 TELEPHONE SWITCH in 1986 (with cutover in mid-1987). The telephone switch is programmed to block all long distance calls unless an authorization code is entered to override the block. Every employee who needs access to LD service is required to complete an authorization code form, have it signed by his/her immediate supervisor, and submit it to the Telecommunications Coordinator. The information is then entered into the mainframe program for chargeback to the departments. The switch is also programmed for LEAST COST ROUTING.
When an authorized person enters his/her LD code, the switch automatically routes the call through TEXAN (the state's telecommunications system). Each month the Coordinator, using an in-house developed software program, transfers the CDR information from the switch to the mainframe program. The program then sorts the data and prints the monthly phone bills for distribution to the various departments. Each phone bill lists the LD code used, where the calls were made to, and when the calls were made. This gives the department heads the opportunity to review the LD charges incurred by their departments. The Fiscal Office is provided with copies of the printed monthly bills so that it can charge the departments for their equipment and LD usage.
The charges are paid through IDTs and involve crediting the telephone income account. At the beginning of each year, a list of the employees who have authorization codes on file for each department is sent to the department head for verification. Also, each month when the Fiscal Office receives the monthly telephone bills from the various commercial telephone companies (for calls not routed through TEXAN), a copy is sent to the Telecommunications Coordinator for verification (this is very important, as we will see later). If there is a discrepancy in a bill, the Coordinator notifies the Fiscal Office not to pay the questionable charges, and then contacts the telephone company to issue a credit to the University account for these charges.
DATA COMMUNICATIONS
Data access installations are an integral part of the telecommunications area. The data network utilizes the same wire the telephone system uses (different pairs). For every wire that exists or is added, the user has the option of one telephone and one data device. Depending on the user's preference, the telecommunications staff determines where the wires are cross-connected in the wiring closet and whether or not a fee is involved. Currently there is no charge for a mainframe/Internet connection through the main campus data switch. However, if the user wants Ethernet or AppleTalk, there is a $75 per port charge to offset the cost of the hubs. Where there is a charge, the same system of transferring funds from the departments to the telecommunications income account is used. Once the wires are connected, the data that runs through them is not a concern of the telecommunications area (responsibility shifts to the using departments). Thus the user departments are responsible for the integrity and security of the data transmitted on the distributed data networks.
Malfunctions of network equipment are also reported to the telecommunications area for problem identification and resolution. Currently the telecommunications area has a maintenance contract with Data Applications of Dallas (DAD). DAD provides a technician who checks in with the Coordinator a minimum of three times a day for dispatch. It is up to the Coordinator to determine whether telecommunications personnel can handle the problem, or whether the call is to be dispatched to the DAD technician. Each morning the DAD technician gives the Coordinator a readout of the status of the service requests that are outstanding.
LONG DISTANCE TELEPHONE CHARGES
As noted, our normal LD calls are automatically routed through TEXAN (the state's long distance telecommunications system). Credit card and other "non-routine" calls (i.e., temporary LD access, international calls, 900 numbers, etc.) are routed through commercial carriers such as United Telephone, MCI, AT&T, Sprint, and Zero Plus Dialing, Inc. Our private branch exchanges (PBXs) record all outgoing LD calls with the from/to numbers, the date and time, and the call duration. Billing statements for these LD charges are received monthly from the commercial carriers in integrated form (a single phone bill).
The Telecommunications Coordinator routinely matches these phone bills, month by month, to the telephone toll tape (the PBX call detail records) to verify that the charges were legitimately incurred by the University. We noted that the monthly telephone bills routinely contain charges not legitimately incurred by the University. The Coordinator has been very successful in contesting these incorrect or illegitimate charges: we noted that 77% and 75% of the long distance charges on these bills were in error (not legitimately incurred by the University) during the 1992-93 and 1993-94 fiscal years respectively. The Coordinator's reconciliation of the LD charges against our in-house records of outgoing calls translated into a net saving of $12,159 in phone bills improperly charged to the University over the last two years alone. Most of these charges were buried among legitimate charges, apparently in the hope that big customers like us would absorb the cost of fraudulent calls without detecting the errors. Pay very close attention to the controls exercised in this area; otherwise your organization will continue to incur substantial losses.
Commercial telephone companies have polished their strategy of burying illegitimate charges among legitimate ones, hoping that the sheer volume of detail will be daunting or frustrating enough that no one notices the errors (just pay as charged without reviewing the details, if you don't have the time or the patience to do so!).
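The reconciliation described above can be expressed as a small program. The following Python example is added here as an illustration; it is not the Coordinator's in-house mainframe program and not part of the original audit. The bill and CDR records are constructed, the University calling-card prefix ("4100"), the two-minute clock tolerance and the one-minute duration tolerance are assumptions, and the contest reasons mirror the categories the audit reports (900 numbers, operator-assisted calls, third-party billing, calling cards outside the University's series, and direct-dialed calls with no record on the toll tape).

```python
from datetime import datetime, timedelta

UNIVERSITY_CARD_PREFIX = "4100"   # assumed series for University calling cards (hypothetical)
TIME_TOL = timedelta(minutes=2)   # carrier and PBX clocks drift a little
DURATION_TOL = 60                 # carriers round up to the next whole minute


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed PBX call detail records (the toll tape): authorization code, originating
# station, dialed number, start time and duration in seconds.
CDR = [
    {"code": "1234", "station": "5101", "to": "15125551000", "start": _t("1994-03-02 09:15"), "secs": 240},
    {"code": "1234", "station": "5101", "to": "12145552000", "start": _t("1994-03-02 14:40"), "secs": 65},
    {"code": "2087", "station": "5220", "to": "14155553000", "start": _t("1994-03-03 11:02"), "secs": 900},
    # A TEXAN-routed call: on the toll tape but never on a commercial bill, which is fine.
    {"code": "3311", "station": "5340", "to": "15125550500", "start": _t("1994-03-04 16:30"), "secs": 420},
]

# Constructed commercial-carrier bill lines. "kind" is the carrier's own label for the call;
# "card" is the calling-card number on card calls. Amounts are illustrative.
BILL = [
    {"to": "15125551000", "start": _t("1994-03-02 09:16"), "secs": 300, "amount": 1.20, "kind": "direct", "card": None},
    {"to": "12145552000", "start": _t("1994-03-02 14:40"), "secs": 120, "amount": 0.48, "kind": "direct", "card": None},
    {"to": "14155553000", "start": _t("1994-03-03 11:03"), "secs": 900, "amount": 3.60, "kind": "direct", "card": None},
    {"to": "13125558888", "start": _t("1994-03-04 18:00"), "secs": 240, "amount": 2.40, "kind": "card", "card": "4100007777"},
    {"to": "19005559876", "start": _t("1994-03-05 23:10"), "secs": 600, "amount": 19.95, "kind": "direct", "card": None},
    {"to": "13055554444", "start": _t("1994-03-06 02:30"), "secs": 1800, "amount": 7.20, "kind": "operator", "card": None},
    {"to": "17185556666", "start": _t("1994-03-07 10:00"), "secs": 300, "amount": 2.10, "kind": "third_party", "card": None},
    {"to": "12125557777", "start": _t("1994-03-08 12:00"), "secs": 180, "amount": 1.50, "kind": "card", "card": "9999001234"},
]


def find_cdr_match(line, cdr, used):
    """Index of an unused CDR record to the same number, close in start time and duration."""
    for i, rec in enumerate(cdr):
        if i in used or rec["to"] != line["to"]:
            continue
        if abs(rec["start"] - line["start"]) <= TIME_TOL and abs(rec["secs"] - line["secs"]) <= DURATION_TOL:
            return i
    return None


def reconcile(bill, cdr):
    """Split bill lines into accepted and contested; each contested line carries the reason to cite."""
    used, accepted, contested = set(), [], []
    for line in bill:
        if line["to"].startswith("1900"):
            contested.append((line, "900-number call the carrier was to block"))
        elif line["kind"] == "operator":
            contested.append((line, "operator-assisted call, blocked class"))
        elif line["kind"] == "third_party":
            contested.append((line, "third-party billing, not placed by the University"))
        elif line["kind"] == "card":
            if line["card"].startswith(UNIVERSITY_CARD_PREFIX):
                accepted.append(line)          # card calls are placed off-campus, so no CDR record is expected
            else:
                contested.append((line, "calling card not in University series"))
        else:                                   # direct-dialed: must appear on the PBX toll tape
            i = find_cdr_match(line, cdr, used)
            if i is None:
                contested.append((line, "no matching PBX call detail record"))
            else:
                used.add(i)                     # each CDR record can justify only one billed call
                accepted.append(line)
    return accepted, contested


def summary(bill, cdr):
    """Figures of the kind the audit reported: share of lines in error and dollars disputed."""
    accepted, contested = reconcile(bill, cdr)
    disputed = sum(line["amount"] for line, _ in contested)
    return {"lines": len(bill), "contested": len(contested),
            "error_rate": round(100 * len(contested) / len(bill)), "disputed_amount": round(disputed, 2)}


if __name__ == "__main__":
    for line, reason in reconcile(BILL, CDR)[1]:
        print(f"{line['start']:%Y-%m-%d %H:%M} {line['to']:>13} ${line['amount']:6.2f}  {reason}")
    print(summary(BILL, CDR))
```

Two design points matter in practice: a CDR record is consumed once it justifies a billed call, so a carrier cannot bill the same legitimate call twice against one toll-tape entry, and the duration tolerance is deliberately loose (the carrier rounds up) while the number must match exactly.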
OTHER AUDIT ISSUES AND CONCERNS
We made numerous audit findings -- most of which were resolved informally during the audit, while some were included in the audit report as reportable conditions demanding management's immediate attention (to correct reported deficiencies). Some issues and concerns that generally affect most telecommunications installations based on our audit and research include:
- TELECOMMUNICATIONS SOFTWARE: Auditors should insist that changes and upgrades to the telecommunications software be properly documented. Without proper documentation, proper controls can't be exercised or evaluated (no one will know what the contractors or the resident technicians are doing to the software, or whether the changes/upgrades were properly authorized).
- PASSWORD TABLES: We were unable to obtain records showing who among those with "superuser privileges" accessed the password tables during the last fiscal year. Auditors should be able to obtain such records in order to determine how access to the password tables is restricted and whether such access is actually restricted to those who really need it (especially if those tables are not properly encrypted). Some people with "su" privileges can abuse their access privileges (they are human, and the temptation to play "digital Gods" by finding passwords and snooping in users' accounts can be too much to resist). Users can also be put in trouble if a disgruntled employee with "su" privileges starts sending and receiving "offensive" materials using their accounts.
- ACCESS STATUS REPORTS: If not already in place, auditors need to suggest that status reports of all employees with telephone and Internet access be submitted to the user departments periodically (say monthly) to enable department heads to validate the access capabilities currently provided to employees in their departments. Terminated employees can sometimes still use these access privileges long after they were terminated.
- MONITORING SECURITY VIOLATIONS: Maintaining logs of security violations serves no useful purpose if the logs are not reviewed continuously and acted upon. Hence procedures should be instituted to ensure that reports of security violations are reviewed and resolved (not just kept for the convenience of auditors). Auditors are not paid to do the job of security administrators. Also, if possible, ensure that such procedures provide for automatic suspension of the user ID/code, or disabling of the terminal, PC, data entry device, etc., after a set number of security violations such as persistent unsuccessful access attempts. Records of security violations should also be protected from accidental or intentional destruction or alteration.
- NETWORK DATA CLASSIFICATION: Data/information residing on computer networks should be classified (e.g., as sensitive, critical, or otherwise), and the telecommunications function should address how such classification affects network routing and design. This is one of the first steps in establishing an overall security program on a relatively open computing network (i.e., a distributed data processing environment), and the responsibility should not be left to the departments.
- NETWORK MONITORING MECHANISMS: Adequate information should be maintained about the reporting and surveillance facilities within the network software, to enable auditors and network engineers to determine whether they are adequate to provide an audit trail of network activities and to alert management to both actual and potential security violations.
- COMMUNICATIONS SYSTEMS PLAN: Encourage the development of a formal communications plan for a standard telecommunications architecture, and ensure that a formal approach is taken to telecommunications systems design and acquisition. Have the telecommunications function conduct formal reviews of the communications facilities periodically to assess their delivery of services and user satisfaction. Network optimization studies should also be conducted to ensure a cost-effective facility design.
- DIRECTORY CALLS: Employees frequently make "directory calls" (calls to telephone operators asking for the phone numbers of people to call). These calls incur charges, and can easily be abused by employees under the pretense that they are asking for the numbers in order to make "business-related calls". We found that we pay a substantial amount for "directory calls" every month. Unless the department heads review all "directory calls" marked on the monthly phone bills as "Information" calls, and ask the employees who made them about the purposes of the calls, there is NO way the University will know whether these calls were proper and valid (i.e., for business purposes). We can only scrutinize employees with a pattern of making many "directory calls" every month (we did this several times and questioned the employees; after the questioning, the patterns seemed to stop altogether).
- RESTRICTION OF AUTHORIZATION CODES: We don't restrict the use of LD authorization codes to particular telephone stations or offices within the campuses. Anyone who has an authorization code, or discovers one illegally, can use it to make LD calls from anywhere on campus at any time. This is a control weakness. Student or temporary workers get to know the authorization codes of full-time employees while working with them, and use the codes to make numerous LD calls from anywhere on campus (i.e., dorms, the student union center, etc.). We discovered several instances of such abuse; fortunately we placed call tracebacks and caught most of the perpetrators (they were made to reimburse the University for personal calls made with the employees' codes).
- CALL-BACK FEATURE: A "call-back" to a specific phone number with re-verification of the user ID is not required at XXXX, and we are concerned. Per the CTIS Director, the number of students, faculty and staff who use the telecommunications facilities is a contributing factor in not making use of the call-back feature. Accordingly, the CPU cannot interrogate a dial-up terminal, automatically get its ID, and verify that the terminal calling is the terminal it says it is. If you are in the same shoes as we are, you have to obtain a degree of comfort from compensating controls in this area. Otherwise, raise enough "hell" to get management to act on this matter. Very critical. (Note: the call-back feature can now be easily circumvented through call-forwarding. Strong access controls are needed in this area.)
- REMOTE ACCESS: If your networks are configured to allow remote terminal functions (e.g., vendor maintenance or service), verify that the vendor field service default parameters have been formally reviewed for DEMONSTRATED NEED (otherwise recommend that they be removed!).
- PERSONAL CALLS: 23% of the phone calls we reviewed were found to be personal in nature. These personal calls averaged $13 per call and were mostly made by employees from their phone stations to locations where they were seeking employment or chatting with friends on personal matters. Reimbursement for these personal calls was sought by the University.
- THIRD-PARTY CALLS: 18% of the calls reviewed for LD charges by commercial carriers (not through TEXAN) were made by third parties (e.g., individuals outside the University) but were somehow charged to the University. These calls were not paid, because the Telecommunications Coordinator had them screened out prior to payment of the valid charges.
- TOLL FRAUDS: We noted that 32% of the calls reviewed for LD charges by non-TEXAN companies (commercial carriers) were so-called "operator assistance" calls that United Telephone failed to block, but billed to the University nevertheless. These charges were not paid (they were contested vigorously); they were apparently fraud calls, generally known as "toll fraud."
- CREDIT CARD CALLS: 27% of the calls reviewed were credit card calls that appeared legitimate but were not upon closer examination (i.e., fraud calls), since they were not identified with the proper series of numbers assigned to our credit card holders. These calls were not paid.
- "HOT" LINE CALLS: Between February and June 1994, we noted 25 calls made to 900 numbers (porn lines/adult entertainment). All commercial carriers were supposed to block 900-number calls automatically, but for some reason failed to do so in these instances. It was their responsibility, but they tried to pass the buck to us. We refused to pay these charges, and they did not contest our refusal.
- TELECOMMUNICATIONS POLICY: One of the four formal recommendations we made relative to the telecommunications audit addressed the need for the University to develop and enforce a telecommunications policy detailing the operational rules for telephone, cable, satellite, and computer networks. A policy is needed that will be proactive in protecting access privileges for the use of the University's telecommunications system. We recommended that the telecommunications policy should:
- Delineate permissible (authorized and official) calls and impermissible (unauthorized and unofficial) calls placed on the state's long distance telecommunications system, by furnishing examples of permissible calls. It should also provide department-wide standards to be applied when collecting money from persons making unofficial use of the state's LD telecommunications system.
- Stress the importance of changing access codes as often as possible to safeguard against misuse of employees' access codes by others for unauthorized and unofficial calls. The attitude of "if it ain't broke, don't fix it" should be strongly discouraged. It does not pay to become complacent.
- Remind department heads continually of their responsibility to review telephone bills for propriety and compliance with University policies and procedures.
- Delineate the disciplinary measures to be taken for all unofficial use of the state's LD telecommunications system.
The telecommunications policy should be formally documented and distributed as a part of the University's overall control structure. A clear definition as to responsibility and enforcement of the policy enhances effectiveness. As with other policies and procedures, the telecommunications policy should be reviewed and updated on a regular basis.
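The two CDR-side abuses described under DIRECTORY CALLS and RESTRICTION OF AUTHORIZATION CODES can be found mechanically from the switch's call detail records rather than by reading printed bills. The following Python example is added here; it is not the University's in-house program. The authorization-code table (owner, department, assigned office stations), the station numbering (5xxx office stations, 7xxx dorm and student-union stations), the directory-assistance numbers (411 and NPA-555-1212) and the monthly threshold of five directory calls are all assumptions, and the CDR records are constructed.

```python
from collections import Counter
from datetime import datetime

# Assumed table of LD authorization codes and the office stations each may be used from.
# The audit found no such station restriction in place; this is what enforcing one looks like.
AUTH_CODES = {
    "1234": {"owner": "J. Doe", "dept": "Biology", "stations": {"5101", "5102", "5103"}},
    "2087": {"owner": "A. Lee", "dept": "Registrar", "stations": {"5220", "5221"}},
}
DIRECTORY_THRESHOLD = 5   # "Information" calls per code per month worth questioning (assumed)


def _cdr(code, station, to, when):
    return {"code": code, "station": station, "to": to, "start": datetime.strptime(when, "%Y-%m-%d %H:%M")}


# Constructed CDR export: 5xxx are office stations, 7xxx are dorm/student-union stations (assumed).
CDR = [
    _cdr("1234", "5101", "15125551000", "1994-03-02 09:15"),
    _cdr("1234", "7410", "18185550100", "1994-03-02 23:15"),   # J. Doe's code entered from a dorm station
    _cdr("1234", "7410", "18185550100", "1994-03-03 23:40"),
    _cdr("9999", "5340", "12125550200", "1994-03-04 10:05"),   # code not on file at all
    _cdr("2087", "5220", "411", "1994-03-01 08:30"),
    _cdr("2087", "5220", "411", "1994-03-03 08:31"),
    _cdr("2087", "5220", "411", "1994-03-07 08:32"),
    _cdr("2087", "5220", "411", "1994-03-10 08:33"),
    _cdr("2087", "5220", "411", "1994-03-15 08:34"),
    _cdr("2087", "5221", "12145551212", "1994-03-16 14:00"),   # directory assistance for the 214 area code
    _cdr("2087", "5221", "12145552000", "1994-03-16 14:10"),   # an ordinary LD call
    _cdr("2087", "5220", "411", "1994-04-02 08:30"),           # next month: one call, below threshold
]


def is_directory_call(number):
    """411 / 1-411 and NPA-555-1212 are the operator directory ("Information") numbers."""
    return number in {"411", "1411"} or number.endswith("5551212")


def unauthorized_station_use(cdr, codes=AUTH_CODES):
    """Calls where the code is not on file, or was entered from a station it is not assigned to."""
    findings = []
    for rec in cdr:
        entry = codes.get(rec["code"])
        if entry is None:
            findings.append((rec, "authorization code not on file"))
        elif rec["station"] not in entry["stations"]:
            findings.append((rec, f"code of {entry['owner']} ({entry['dept']}) used from station {rec['station']}"))
    return findings


def directory_call_patterns(cdr, threshold=DIRECTORY_THRESHOLD):
    """Codes whose directory calls in a month reach the threshold, for the department head to question."""
    per_month = Counter()
    for rec in cdr:
        if is_directory_call(rec["to"]):
            per_month[(rec["code"], rec["start"].strftime("%Y-%m"))] += 1
    return {key: n for key, n in per_month.items() if n >= threshold}


if __name__ == "__main__":
    for rec, why in unauthorized_station_use(CDR):
        print(f"{rec['start']:%Y-%m-%d %H:%M} code {rec['code']} station {rec['station']}: {why}")
    for (code, month), n in directory_call_patterns(CDR).items():
        print(f"{month}: code {code} ({AUTH_CODES[code]['owner']}) made {n} directory calls")
```

The station check is the report the switch itself cannot produce when codes are not tied to stations; running it monthly over the CDR export gives the Coordinator the list of calls to trace back, and the directory-call report gives department heads the names to ask about, which is the only control the audit found effective for that category.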
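The MONITORING SECURITY VIOLATIONS item asks for three things: that violation logs actually be reviewed, that a user ID be suspended automatically after a set number of failed access attempts, and that the violation records themselves be protected from alteration. The following Python example, added here and not drawn from any product the audit mentions, shows all three over a constructed sign-on log. The log line layout, the threshold of three consecutive failures and the SHA-256 hash chain used for tamper evidence are assumptions.

```python
import hashlib
import re
from collections import defaultdict

THRESHOLD = 3   # consecutive failed sign-ons before the user ID is suspended (assumed policy value)
LINE = re.compile(r"^(?P<time>\S+ \S+) ID=(?P<id>\S+) TERM=(?P<term>\S+) RESULT=(?P<result>OK|FAIL)$")

# Constructed sign-on log; the layout is assumed, not that of any real switch or host.
LOG = """\
1994-11-03 08:01:12 ID=JSMITH TERM=T17 RESULT=FAIL
1994-11-03 08:01:40 ID=JSMITH TERM=T17 RESULT=FAIL
1994-11-03 08:02:05 ID=ALEE TERM=T02 RESULT=FAIL
1994-11-03 08:02:30 ID=ALEE TERM=T02 RESULT=OK
1994-11-03 08:03:11 ID=JSMITH TERM=T17 RESULT=FAIL
1994-11-03 08:03:40 ID=JSMITH TERM=T17 RESULT=OK
1994-11-03 09:15:00 ID=RKHAN TERM=T44 RESULT=FAIL
1994-11-03 09:15:20 ID=RKHAN TERM=T44 RESULT=FAIL
"""


def parse(log):
    """Yield one dict per log line; an unparseable line is itself a finding, so fail loudly."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m is None:
            raise ValueError(f"unparseable log line: {raw!r}")
        yield m.groupdict()


def review(log, threshold=THRESHOLD):
    """Return (suspended, violations). A FAIL streak reaching the threshold suspends the ID;
    a later OK for a suspended ID is recorded too, because the suspension should have blocked it."""
    streak = defaultdict(int)
    suspended = {}
    violations = []
    for ev in parse(log):
        if ev["result"] == "FAIL":
            streak[ev["id"]] += 1
            note = "failed sign-on"
            if streak[ev["id"]] >= threshold and ev["id"] not in suspended:
                suspended[ev["id"]] = ev["time"]
                note = f"suspended after {threshold} consecutive failures"
            violations.append(dict(ev, note=note))
        else:
            if ev["id"] in suspended:
                violations.append(dict(ev, note="successful sign-on by a suspended ID"))
            streak[ev["id"]] = 0          # a success ends the streak
    return suspended, violations


def chain(violations):
    """Hash-chain the violation records: each digest covers the previous digest and the record,
    so altering or deleting any record breaks every digest after it. The final digest must be
    kept somewhere the security administrators and operators cannot write."""
    prev = "0" * 64
    out = []
    for v in violations:
        line = f"{v['time']} {v['id']} {v['term']} {v['result']} {v['note']}"
        prev = hashlib.sha256(f"{prev}\n{line}".encode()).hexdigest()
        out.append((line, prev))
    return out


def verify(chained):
    """Recompute the chain from the start; False means a record was altered, removed or reordered."""
    prev = "0" * 64
    for line, digest in chained:
        if hashlib.sha256(f"{prev}\n{line}".encode()).hexdigest() != digest:
            return False
        prev = digest
    return True


if __name__ == "__main__":
    suspended, violations = review(LOG)
    for v in violations:
        print(f"{v['time']} {v['id']:<8} {v['term']:<4} {v['note']}")
    print("suspended:", suspended)
    print("chain intact:", verify(chain(violations)))
```

Note what the sample shows: JSMITH's third consecutive failure triggers the suspension, yet the next line records a successful sign-on for that ID, which is exactly the kind of event that is lost if the log is merely filed and never reviewed.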
For comments or problems, please e-mail
Slemo Warigon lonestar@rain.org
or call (805) 893-3817.
Copyright © 1996 The WariNet Haven