A PBX Audit Checklist


This list was compiled from a brave posting made on the CISSA's mailing list and then augmented with principles from Protection and Security on the Information Superhighway.


Part C - Standards and Procedures

Check all that apply:



Phone bills are tracked and reviewed at least once per month.
PBX traffic, performance, circuit outage, and problem reports are reviewed by telecom management at least once per month.
There is an agreement with the LEC, the IXC, and the equipment vendors that only authorized personnel may request service level changes and report errors.
There is a periodic dump of all PBX parameters which is automatically compared to the previous dump with differences reported to management.
The frequency of the periodic dump and comparison is determined as a normal part of risk management.
There are specific procedures for making PBX software, hardware, and configuration changes.
The PBX program and configuration are backed up whenever changes are made, and even if no changes are made, at least once per month.
PBX backups are stored off-site, are verified by being read back in, and are periodically tested on backup equipment to assure that they work properly.
A properly trained individual who is responsible for handling PBX issues is identified and available at all times, and the information required to reach that individual is available to all employees, vendors, and others with a need to know.
All orders for services are in writing, are confirmed in writing, and have authorized service order numbers.
Bills are reviewed for accuracy at least once per month by the person(s) (typically line managers) responsible for paying those bills.
The person(s) responsible for paying telephone bills sign approval for each billing period and are responsible for all costs associated with their telephone usage.
Phone charges are allocated to each cost center and a procedure exists for verifying the accuracy of those charges.
All toll calls billed are verified against PBX traffic reports.
There is a procedure in place for resolving disputed billings.
There is internal recording of all Install/Remove/Change services.
All leased trunks, lines, and circuits billed are verified against PBX inventory reports.
Detailed call audit records are reconciled with phone bills at least once per month.
Maintenance bills are reviewed, broken down, and verified by those responsible for PBX management.
An internal responsible party with appropriate training and knowledge escorts maintenance people at all times when they are within the facility.
There are specific and identified standards and procedures for assuring the integrity, availability, and confidentiality of PBX operations.
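
The items above on verifying billed toll calls against PBX traffic reports and reconciling call audit records with phone bills can be automated; the following is an added example, not part of the original checklist. The CSV layouts, the matching tolerances (`skew`, `slack`) and every sample row are constructed assumptions, not a real carrier or PBX export format.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample data. Column layouts are assumptions for this example.
BILL_CSV = """start,dialed,seconds,charge
2024-03-01 09:15:00,12125550100,300,1.50
2024-03-01 23:40:00,442079460000,3600,54.00
2024-03-02 14:00:00,13125550123,1200,6.00
"""
PBX_CSV = """start,extension,dialed,seconds
2024-03-01 09:15:20,2101,12125550100,290
2024-03-02 14:00:30,2105,13125550123,300
2024-03-02 16:00:00,2110,14155550199,120
"""

def load(text):
    """Parse a CSV export into dicts with typed start time and duration."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["start"] = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        row["seconds"] = int(row["seconds"])
    return rows

def reconcile(billed, pbx, skew=timedelta(seconds=90), slack=60):
    """Pair each billed call with at most one PBX record.

    Returns (billed calls the PBX never logged,
             pairs billed for more than `slack` seconds over the PBX duration,
             PBX calls that never appeared on the bill)."""
    unused = list(pbx)
    no_pbx_record, overbilled = [], []
    for call in billed:
        near = [p for p in unused if p["dialed"] == call["dialed"]
                and abs(p["start"] - call["start"]) <= skew]
        if not near:
            no_pbx_record.append(call)
            continue
        match = min(near, key=lambda p: abs(p["start"] - call["start"]))
        unused.remove(match)  # a PBX record can justify only one billed call
        if call["seconds"] - match["seconds"] > slack:
            overbilled.append((call, match))
    return no_pbx_record, overbilled, unused

if __name__ == "__main__":
    missing, over, unbilled = reconcile(load(BILL_CSV), load(PBX_CSV))
    for call in missing:
        print("billed, no PBX record:", call["start"], call["dialed"], call["charge"])
    for call, rec in over:
        print("duration mismatch: ext", rec["extension"], call["seconds"], "vs", rec["seconds"])
    for rec in unbilled:
        print("PBX call not on bill: ext", rec["extension"], rec["dialed"])
```

A billed call with no PBX record is the result to review first, since the PBX reports give no extension or cost center to attribute it to.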
With maximum value of