Follow-up Audit Report on the Call Accounting System of the Department of Information Technology and Telecommunications

June 27, 2002 | 7F02-070


SUMMARY OF FINDINGS AND CONCLUSIONS

This follow-up audit determined whether the New York City Department of Information Technology & Telecommunications (DoITT) implemented the recommendations made in a previous audit, Audit Report on the Department of Information Technology & Telecommunications’ Call Accounting System (Audit No. 7A96-082, issued June 28, 1996). The City’s Call Accounting System processes telephone call information concerning local and long distance calls made by City agency personnel. The earlier audit evaluated the effectiveness of the Astra-Phacs call accounting system, as well as the Request for Proposal for its successor, the Tele-management System (TMS), which was developed by Telecom Services Limited (TSL). In our current audit, we discuss the recommendations made earlier regarding TMS and the implementation of those recommendations.

In our previous audit, we made 30 recommendations to DoITT. Of the 30 recommendations, 15 were implemented, five were partially implemented, five were not implemented, and five are no longer applicable. The details of these recommendations and their implementation status follow. DoITT should:

  • "Establish a management objective by including all City agencies in the new system except for a portion of some agencies whose personnel are involved in undercover assignments and who need confidentiality in their work." IMPLEMENTED
  • "Establish surveys delineating Agency-managed traffic and usage pattern information." IMPLEMENTED
  • "Ensure that specifications for direct and allocated costs, reconciliation, reimbursement, organizational structure, automation of spreadsheet tasks, and a general ledger software are resolved with TSL." PARTIALLY IMPLEMENTED
  • "Develop a direct costing methodology and processing module for the new system, thereby charging agencies for their actual telecommunication usage." IMPLEMENTED
  • "Ensure the use of vendor rates (i.e., Sprint Toll Rates) for the calculation of long distance calls." IMPLEMENTED
  • "Establish reconciliation procedures between the new system and the vendors." NOT IMPLEMENTED
  • "Develop a module to perform the reconciliation between the TSL System and City of New York vendors encompassing consistent methods for any field conversions required because of incompatible data formats." NOT IMPLEMENTED
  • "Establish procedures requiring accountability in the reimbursement process." NO LONGER APPLICABLE
  • "Develop a reimbursement module in the new system in order to enter reimbursement information." NO LONGER APPLICABLE
  • "Ensure that the new system processes reimbursements for international calls." NO LONGER APPLICABLE
  • "Create exception reports to monitor reimbursements." IMPLEMENTED
  • "Establish a formal computer security standard user’s guide appropriate to the environment of the new system." IMPLEMENTED
  • "Develop appropriate authorization code policies/procedures for the new system:
      • Ensure that authorization codes are kept confidential; Implemented
      • Ensure that authorization codes are changed periodically; Not Implemented
      • Ensure that long distance calls cannot be made without the use of a current authorization code; Not Implemented
      • Have authorization codes encrypted; Implemented
      • Use a central authorization code database as the basis for interacting with the call records of the call accounting system; Implemented
      • Develop a procedure for reconciling the authorization codes in the switches with the authorization codes in the central authorization code database." Implemented

Overall status of Recommendation #13: PARTIALLY IMPLEMENTED

  • "Ensure that tariff changes are entered timely into the system so that the charges are consistent with those charged by the carriers to facilitate reconciliation and billing." NOT IMPLEMENTED
  • "Update and maintain the Directory file in order to establish the reliability and integrity of the call data." IMPLEMENTED
  • "Make sure that exchanges are entered into the system, especially for tenants with various exchanges." IMPLEMENTED
  • "Ensure that the indicated threshold time is not by-passed." IMPLEMENTED
  • "Ensure that all data and call records for all tenants are complete through data validation techniques and the review of exception reports." PARTIALLY IMPLEMENTED
  • "Ensure that all call records, requiring a cost amount, contain a cost amount through data validation techniques and the review of exception reports." IMPLEMENTED
  • "Ensure that specifications for logical security are resolved with TSL." PARTIALLY IMPLEMENTED
  • "Establish an audit group in order to review and to appraise activities within the organization." NOT IMPLEMENTED
  • "Audit the reimbursement process for the DoITT-managed and Agency-managed agencies." NO LONGER APPLICABLE
  • "Ensure that the Financial Services area and other members of the development committee are aware of all TSL developments and modifications." NO LONGER APPLICABLE
  • "Limit access to the TSL environment according to necessity by installing card readers (devices that read information from magnetically encoded cards), installing an alarm system, hiring a security guard, or acquiring other physical security methods." IMPLEMENTED
  • "Develop written policies for a disaster recovery plan for the TSL System environment, including backup of all call records and local calls, as well as off-site storage of all City call data including the parameters specific to each site." PARTIALLY IMPLEMENTED
  • "Establish a contract for disaster recovery with an appropriate company." IMPLEMENTED
  • "Test the disaster recovery plan after its establishment." IMPLEMENTED
  • "Provide secure storage of all backup tapes including current system backups and historical system backups from Astra-Phacs." IMPLEMENTED
  • "Establish the retention of local call information for analytical purposes." IMPLEMENTED
  • "Establish formal procedures for program changes." NOT IMPLEMENTED

To address the issues that still exist, we now recommend that DoITT:

  • Create parameters for reconciling vendor and system data.
  • Establish procedures to reconcile TMS data and vendors’ data.
  • Develop appropriate authorization code policies/procedures for TMS; these should include changing codes periodically.
  • Ensure that calls cannot be made without an authorization code.
  • Ensure that tariff changes are entered promptly into TMS so that TMS charges are consistent with charges made by the carriers. This will facilitate reconciliation and billing.
  • Ensure that all data and call records for all users are reviewed for accuracy.
  • Follow up with TSL and verify that all findings identified by the consultant have been addressed.
  • Conduct an independent assessment of DoITT’s TMS unit to improve the reimbursement and reconciliation procedures.
  • Ensure that Financial Services and the TMS unit are aware of all TMS updates, upgrades, and modifications to the system.
  • Ensure that all elements required by Comptroller’s Directive 18 are addressed in TSL’s and DoITT’s disaster recovery plans.
  • Establish formal procedures for program changes.

NEW FINDING AND RECOMMENDATION

TMS is a call accounting system that tracks calls made within the 82 DoITT-managed agencies and six Non-DoITT-managed agencies. The system uses proprietary software that was developed and is owned by TSL. Since DoITT does not have a copy of TMS’s source code, certain problems that arise require TSL to fix them. For this reason, access to the source code is vital in the event that TSL were to cease operation. Further, the June 1995 contract between DoITT and TSL states, "If requested by the City, TSL will cause a copy of the Source Code for the Licensed Software to be delivered to a mutually agreeable escrow agent." DoITT’s access to the source code would ensure that all City data could be accessed if TSL is no longer in operation.

To address this new issue, we recommend that DoITT:

  • Request a copy of the source code for the Licensed Software (TMS) to ensure that DoITT can resume telecommunications operations in the event that TSL were to cease operation.

Agency Response

The matters covered in this report were discussed with officials from DoITT during and at the conclusion of this audit. A preliminary draft report was sent to DoITT officials and discussed at an exit conference held on June 6, 2002. On June 7, 2002, we submitted a draft report to DoITT officials with a request for comments. We received a written response on June 21, 2002. DoITT agreed with nine of the audit’s 12 recommendations. DoITT partially agreed with the two recommendations (#3 and #4) that it develop policies and procedures to ensure that authorization codes are changed periodically and to prevent calls from being made without an authorization code. DoITT did not agree with the recommendation (#6) that it review all data and call records for accuracy, citing the need for additional staffing for such reviews.
