TELECOMMUNICATIONS AUDIT PROGRAM

SUBMITTED BY:
-------------------------------------------------------------------------------
Denis Kelly,                  | Phone: 7027137 / 6765831
Senior Computer Auditor       | Fax: 6778463 / 6615376
Electricity Supply Board      | Int Phone: 353-1-7027137
Lr Fitzwilliam St,            | Internet: Denis.Kelly@N1.ESB.IE
Dublin 2. Ireland.            | < Standard Disclaimers Apply >
-------------------------------------------------------------------------------
AUDIT OF A CORPORATE TELECOMMUNICATIONS FUNCTION

Introduction:

Telecommunications is a critical service for the majority, if not all, of businesses. The scale of dependence on telecommunications varies greatly, from the sole trader with a mobile phone to large corporates such as banks and power utilities with vast telecommunications infrastructures. This audit program concentrates on the large corporate end of the scale, where organisations have a large telecommunications infrastructure. These organisations usually have internal divisions or subsidiaries which are responsible for the operation and management of the infrastructure. With the high dependence on telecomms services and the large expenditure usually incurred in providing them, effective control is essential.

This audit program therefore treats the telecomms group as a business entity in its own right and treats all users of its services as customers. In the context of my own organisation the group is internal, but this approach could also be used for a subsidiary.

The audit program was designed to look at both the financial and the technical controls employed. The control objectives and standards of both ISACA and the Institute of Internal Auditors (IIA) were incorporated into the design of the tests. In addition, relevant local and corporate regulations were considered.

This audit program is a prototype of how a telecommunications function can be audited. Each auditor needs to consider the specific needs of their own organisation and the jurisdiction in which the organisation operates; these differences may have a very significant impact on the emphasis and coverage of the audit program. However, the program should give a good general framework for such an audit.

TELECOMMUNICATIONS AUDIT
AUDIT SCOPE

To assess the quality of internal controls in the Telecommunications Function, including controls over the achievement of Value for Money (VFM).
DETAILED OBJECTIVES

1. Review the objectives and plans.
2. Assess the management information provided.
3. Review the compliance with internal and external regulations, procedures and legislation.
4. Review the controls in place for safeguarding assets.
5. Review the controls in place to ensure that the required quality of service is provided.
6. Assess the control of Projects.
1 REVIEW THE OBJECTIVES AND PLANS.

Review the objectives of telecomms for compatibility with Corporate, Business Unit and Department objectives. Ensure plans and structures are in place to meet those objectives.

1.1 Objectives: Review the objectives, including Corporate, Departmental and Division objectives. Are they clear, coherent and compatible?

1.2 Telecomms Planning: Are plans in place to meet the objectives? Assess the planning process; is it well controlled? Is there a Strategic Plan for Corporate Communications? Assess its coverage and content.

1.3 Structures: Review the structure of the Telecommunications Function. Is it logical and effective? Is it compatible with the objectives and plans? Are roles and responsibilities clearly defined?
2 ASSESS THE MANAGEMENT INFORMATION PROVIDED.

The general test of management information centres on accuracy, relevance, timeliness, usability and presentation. How well informed is management?

2.1 Review the Financial Information.

Establish what financial information managers currently receive for capital and revenue purposes. Review the financial information provided to managers and assess its relevance, timeliness and input into the decision-making process. Sample the data provided and verify its accuracy and completeness. Review the budgeting process. Identify information gaps and shortfalls.
Review overtime, expenses, work in progress and other operational costs, including the cost of delays in job closing.

2.2 Review Operational Information.

Review the information provided to managers on Work Plans, including progress reporting and work allocation. Review the information provided to managers to assist with the management of traffic and the control of the cost of the telecomms network. Review the information provided to management on faults and outages on the telecomms network. Review the information provided to management on staff productivity, including job costing and time usage. Review the information provided to verify the accuracy of external service providers' bills, e.g. PABX billing information used to cross-check PTT bills. Review the information provided on transport fleet management. Review the information provided on accommodation/space management. What management information is available, and is it reviewed on an ongoing basis?

2.3 Review the links achieved between Financial and Operational Information.

Is management using the information effectively? Is it adequate for control purposes? Review the tracking of jobs from a financial and an operational perspective. How is the financial and operational information linked to maximise VFM?

3 REVIEW THE COMPLIANCE WITH INTERNAL AND EXTERNAL REGULATIONS, PROCEDURES AND LEGISLATION.

Review the compliance of telecomms with internal and external regulations. The main focus is the controls in place to ensure that this is happening.

3.1 Review the controls in place to ensure awareness of and compliance with non-technical Internal Regulations/Procedures, including Human Resources, Purchasing, etc. Do clear lines of responsibility exist? Establish how compliance is assured.

3.2 Review the controls in place to ensure awareness of and compliance with technical Internal Regulations/Procedures. Do clear lines of responsibility exist? The following points will be tested.

1. Identify the key regulations and procedures which apply to telecomms in the following areas:
   - Safety, e.g. Certificates of Fitness, Safety procedures, etc.
   - Security and Data Protection.
   - Code of Ethics, including Conflict of Interests.
   - Corporate Regulations and Circulars.
2. Discuss with Telecomms Management how they are made aware of, and how they ensure compliance with, Internal Regulations and Procedures:
   - Briefings.
   - Library/Standards Files.
   - Reviews and Technical Audits.

3. Review the documentation which is produced by Telecomms to comply with Regulations and Procedures:
   - Safety Manuals.
   - Training Records.
   - Security Documentation.
   - Operating and Maintenance Instructions.
   - Circulation and update of the same.

4. Review the awareness of staff of the compliance required:
   - Awareness of requirements.
   - Training/Briefings.

3.3 Review the controls in place to ensure awareness of and compliance with External Technical Regulations/Legislation. Do clear lines of responsibility exist? The following points will be tested.

1. Identify the key legislation and regulations:
   - Safety.
   - Broadcasting Act.
   - Conditions of Service from TE.
   - Communications Regulations and Licensing Conditions.
   - Equipment Supplier Conditions.
   - Procedures for work at Third Party sites, including insurance.
2. Discuss with Telecomms Management how they are made aware of, and how they ensure compliance with, Legislation and Regulations:
   - Briefings.
   - Library/Standards Files.
   - Legal advice.
   - Reviews and Technical Audits.

3. Review the documentation which is produced by Telecomms to comply with Legislation and Regulations:
   - Correspondence, Certificates and Licences.
   - Copies of standards, Legislation and Regulations.
   - Safety Manuals.
   - Training Records.
   - Security Documentation.
   - Operating and Maintenance Instructions.

4. Review the awareness of staff of the compliance required:
   - Awareness of requirements.
   - Training/Briefings.

4 REVIEW THE CONTROLS IN PLACE FOR SAFEGUARDING ASSETS.

Review the controls, procedures and standards in place to ensure corporate telecommunications assets are safeguarded. This should include accurate recording and tracking of assets, safe operation, regular maintenance, adequate security and orderly disposal.

4.1 Establish what policies, procedures and standards are in place to safeguard assets. This should include maintenance, operations and security controls.
4.2 Review the procedures and controls in place to ensure that efficient Risk Management is undertaken. The following points will be tested.

1. Identify the main risks which exist.
2. Does a formal Risk Management strategy, with plans, exist? Does this include regular review?
3. Are the plans adequate?
4. Are management and staff aware of the risks and plans?
5. Are liability exposures identified? Is there sufficient insurance cover?

4.3 Review the general security controls and procedures in place. This should include Physical Security, Logical Security, Segregation of Duties, etc.

How is liaison with the Corporate Security Manager and the IT Security Manager achieved? What Authorisation Procedures and Reviews take place? What management information is provided to ensure security is operating and effective? Do standards exist which specify the level of controls to be implemented?

Review the contingency planning which has been undertaken by Telecomms under the following points:
   - Does an overall contingency strategy exist for Telecomms systems?
   - Identify the Contingency Plans which exist. Is the coverage adequate?
   - Do regular formal reviews, including testing, take place?
   - Assess the staff awareness of contingency and of the contingency plans.
4.4 Review the controls in place that ensure assets are acquired in compliance with established policies and procedures, including VFM.

4.5 Review the controls in place to ensure that the recording of assets, for financial and operational purposes, is accurate and adequate.

4.6 Review the procedures and systems in place to ensure the continued existence and protection of assets over their entire lifetime. Do stock checks take place?

4.7 Review the procedures in place to ensure that the maintenance and operation of telecommunications assets is carried out effectively, safely and to the required standard. Testing will include:

1. Refer to OBJ 4.1 re policy.
2. Review how Telecomms Management ensure maintenance and operations are effective.
3. Review how Telecomms Management ensure the standards of maintenance and operations are assured, including compliance with supplier requirements and recommended procedures.
4. Review how Telecomms Management ensure operations and maintenance are carried out safely and in compliance with the relevant regulations.
5. Review the control of maintenance carried out by contractors. How is the work verified and its quality checked?
6. Does fault analysis take place to ensure maintenance is optimised to reduce failures? Is the analysis adequate?
7. Review the use of periodic performance monitoring of systems to predict when preventive maintenance is needed. How are failures or service degradation detected and monitored? Is the monitoring adequate?
8. How is the cost effectiveness of maintenance and operations assured? Are systems reviewed to identify potential improvements and cost savings? Consider the following:
   - Checks on PTT Bills.
   - Inventory of lines on lease and their use.
   - Ongoing Cost Benefit Analysis of services.
   - Review of service quality and availability from alternative suppliers.
   - Capacity Planning.
9. Review the maintenance undertaken by Telecomms staff, using a sample of maintenance records.
10. Review the recording of faults, the tracking of progress and the sign-off of work.

4.8 Review the controls in place to ensure assets are disposed of in compliance with established procedures.

5 REVIEW THE CONTROLS IN PLACE TO ENSURE THAT THE REQUIRED QUALITY OF SERVICE IS PROVIDED.

Review the controls in place to ensure that the services required by customers are delivered cost effectively and to the agreed level of quality. Specific emphasis should be given to the VFM aspects of service delivery.

5.1 Review the controls which ensure Telecomms management and staff are aware of Customer requirements.

5.2 Review the controls which ensure the Services Delivered are those requested by users and are provided in a timely and cost effective manner.

5.3 Assess the controls in place to assure the quality of the services provided by Telecommunications.

5.4 Assess the controls in place to assure that value for money is maximised in the provision of services to customers.
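The cross-check of PABX billing information against PTT bills called for in 2.2, and the checks on PTT bills and on the use of leased lines in point 8 of 4.7, are the kind of test an auditor can run over the full population rather than a sample. The script below is an added worked example and is not part of the original audit program or of any ESB system: the CSV layouts, the field names (trunk, line, dialled, start, duration_s, charge), the tolerances and every sample record are constructed for illustration and do not represent a real PABX or carrier export format.

```python
"""Cross-check PABX call detail records (CDRs) against the PTT (carrier) bill.

Added worked example for the billing tests in an audit of a telecomms
function.  All layouts, field names and records below are constructed for
illustration; they are NOT a real PABX or carrier export format.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample data: what the PABX logged for one day ...
PABX_CDR = """trunk,dialled,start,duration_s
T01,016771234,1995-03-01 09:02:10,125
T01,016771234,1995-03-01 10:15:00,40
T02,00441234567890,1995-03-01 11:30:05,610
T03,018765432,1995-03-01 13:00:00,300
"""

# ... and what the carrier billed for the same day (also constructed).
PTT_BILL = """line,dialled,start,duration_s,charge
T01,016771234,1995-03-01 09:02:12,125,0.95
T02,00441234567890,1995-03-01 11:30:05,1210,18.20
T03,018765432,1995-03-01 13:00:00,300,2.10
T04,00353871112222,1995-03-01 22:45:00,1800,27.00
"""

# Lines the organisation pays rental on, from the leased-line inventory
# (constructed).
LEASED_LINES = ["T01", "T02", "T03", "T04", "T05"]

TIME_TOLERANCE = timedelta(seconds=60)   # allow clock drift PABX vs exchange
DURATION_TOLERANCE = 5                   # seconds; rounding differences


def parse(text):
    """Parse a CSV export into a list of dicts with typed start/duration/charge."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["start"] = datetime.strptime(r["start"], "%Y-%m-%d %H:%M:%S")
        r["duration_s"] = int(r["duration_s"])
        if "charge" in r:
            r["charge"] = float(r["charge"])
        rows.append(r)
    return rows


def reconcile(cdr_rows, bill_rows):
    """Match each billed call to one PABX record on line, dialled number and
    start time (within TIME_TOLERANCE).  Returns the exceptions an auditor
    follows up, and the charge attributable to them."""
    unmatched_cdr = list(cdr_rows)        # PABX calls not yet tied to a bill line
    result = {"unbilled": [], "not_in_pabx": [], "duration_mismatch": [],
              "disputed_charge": 0.0, "total_charge": 0.0}
    for b in bill_rows:
        result["total_charge"] += b["charge"]
        match = next((c for c in unmatched_cdr
                      if c["trunk"] == b["line"] and c["dialled"] == b["dialled"]
                      and abs(c["start"] - b["start"]) <= TIME_TOLERANCE), None)
        if match is None:
            # Billed, but the PABX never saw it: carrier error, or traffic on a
            # route the PABX does not log (a classic toll-fraud indicator).
            result["not_in_pabx"].append(b)
            result["disputed_charge"] += b["charge"]
            continue
        unmatched_cdr.remove(match)        # each CDR may justify one bill line only
        if abs(match["duration_s"] - b["duration_s"]) > DURATION_TOLERANCE:
            result["duration_mismatch"].append((match, b))
            result["disputed_charge"] += b["charge"]
    result["unbilled"] = unmatched_cdr    # made via the PABX but absent from the bill
    return result


def idle_leased_lines(leased, cdr_rows, bill_rows):
    """Leased lines with no traffic in either source: candidates for
    cancellation (VFM), or for confirming that the line physically exists."""
    used = {c["trunk"] for c in cdr_rows} | {b["line"] for b in bill_rows}
    return sorted(line for line in leased if line not in used)


if __name__ == "__main__":
    cdr, bill = parse(PABX_CDR), parse(PTT_BILL)
    r = reconcile(cdr, bill)
    print("billed, no PABX record :", [b["line"] for b in r["not_in_pabx"]])
    print("duration mismatch      :", [b["line"] for _, b in r["duration_mismatch"]])
    print("in PABX, not billed    :", [c["trunk"] for c in r["unbilled"]])
    print("disputed / total charge: %.2f / %.2f" % (r["disputed_charge"], r["total_charge"]))
    print("idle leased lines      :", idle_leased_lines(LEASED_LINES, cdr, bill))
```

Each exception class points at a different follow-up: a billed call with no PABX record is either a carrier error to dispute or traffic the PABX cannot see, which is where toll fraud hides; a duration mismatch is a billing-accuracy query; a PABX call that was never billed is worth noting because the charge will usually arrive on a later bill; and a leased line with no traffic in either source is a rental that VFM review should question. Matching on a time window rather than an exact timestamp is deliberate, since the PABX and the exchange keep independent clocks.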
6 ASSESS THE CONTROL OF PROJECTS.

Review the control of Telecommunications Projects to ensure that they are effectively managed and controlled. (The project management objective was reviewed in two parts: (i) Business and Financial Controls; (ii) Technical Controls.)
FINANCIAL AND MANAGEMENT INFORMATION ASPECTS.
These tests will be applied to each of the sample projects selected.

Test 6.1 Establish the current status of the project, i.e. completed, in progress, etc.

Test 6.2 Approval stage: review under the following headings.
   - Procedures for project approval.
   - Approval and authorisation records.
   - Establish whether the project was subject to re-approval or modification at any stage.
   - Were the controls complied with?

Test 6.3 Implementation Planning: review the procedures in place for control of the following.
   - Material/services and spares procurement planning, including lead times.
   - Work planning, including scheduling, work breakdown and the impact on the resources of other areas inside and outside Telecomms.
   - Planning of the control procedures to be put in place for the control and management of the project.

Test 6.4 Project Implementation: review the procedures in place for the following.
   - Procurement of materials/services (including external contractors).
   - Individual job control, including authorisations.
   - Work Scheduling: time; materials distribution; feedback controls, i.e. reporting to Project Management.
   - Project Tracking: performance monitoring; budget/financial resources, including re-approvals; progress vs. plans for work and materials.
   - Disposal of Retired Assets: review the procedures in place for disposal of retired assets, including authority, procedures (Stores) and the documentation, with approval, to remove them from the Asset Register.

Test 6.5 Project Handover: review the procedures for the following.
   - Handover to customers.
   - Handover to maintainers, including the listing of equipment for handover, the listing of test equipment and the listing of spares.
   - Capitalisation of completed projects, including: costs reviewed before capitalisation; re-approval procedures; controls over capitalisation to asset identifier; Asset Register updates.

Test 6.6 Post Project Review: review the procedures in place for reviewing the following.
   - Assessment of the project as a whole and of its sub-components.
   - Lessons learnt from the project.
   - Planning and control of the project.
   - How well the objectives were achieved.
   - Completed cost v. budget and approvals.
PROJECT REVIEW TECHNICAL ASPECTS.

These tests will be applied over a number of projects but will concentrate on the general approach taken.

6.1 Review the controls in place on the initiation, planning and approvals of Telecomms Projects. Consider the control mechanisms used for the following steps:
   - Project initiation, fit to the overall Strategy, and approvals.
   - Decision to opt for Turnkey or Build Internally.
   - Planning and associated approvals.
   - Management of the risks associated with the project.
   - Technical Benefit Analysis process.
   - Tendering/approvals.
   - Award of contract.

6.2 Review the control of projects in progress, with specific attention to the reporting on progress and the actions taken to address divergence from plans. The control of contractors, equipment compliance to specification, Acceptance Testing and Commissioning should be considered. Consider the control of projects in progress under the following headings:
   - How is progress reported?
   - How are divergences from plans addressed?
   - How are contractors controlled and managed?
   - How do Telecomms ensure equipment delivered is in compliance with the specification?
   - What level of Acceptance Testing and Pre-Commissioning is undertaken? Does this include pilot tests?
   - Review the documentation and recording of systems while they are being installed.
   - How is risk managed during a project? Is it formally reviewed regularly, and are changes reported?

6.3 Review the controls in place to ensure projects are completed and post implementation reviews are undertaken. Specific emphasis should be given to Commissioning, Handover and Operation. Review each of the following:
   1. Commissioning Procedures.
   2. Handover and Operation Procedures. Review the documentation and records compiled for systems when they have been commissioned.
   3. Post Implementation Review. Is the delivered system reviewed to ensure it meets the original specification, with approved changes?
This audit program was developed by Denis Kelly, Senior IT Auditor, Electricity Supply Board, Dublin, Ireland.
DISCLAIMER: This document is to be considered a prototype and no warranty or guarantee of accuracy, implied or stated, exists. No responsibility for loss occasioned to any person acting or refraining from action as a result of any material included in this paper is taken by the author or his employer. Permission for use is granted for non-commercial, personal or educational purposes. Permission is granted to describe this document in products or on-line services, but not to reproduce it in whole or in part without written permission. For written permission please contact Denis.Kelly@N1.ESB.IE