
Copyright 2008 ISACA. All rights reserved. www.isaca.org.

Billing Audit on a Mobile Operator Call Detail Record


By Dale Johnstone and Ellis Chung Yee Wong, CISA, CFE, CISSP
A call detail record (CDR) in the telecom sector is a file that contains information about voice calls. CDR files are used to help determine call rates and calculate billable amounts, such as for international direct dialing (IDD) calls, as they contain the source and destination identifiers and the starting time and duration of each call. In spite of the emergence of new telecommunications technologies, i.e., the move from fixed-line to mobile networks, the fundamental concept of, and reliance on, CDRs for rating and billing purposes remain more or less the same. In today's mobile network, CDRs may contain information on more than one type of traffic, e.g., voice calls, video calls, Short Message Service (SMS) traffic and other data services. The change in business model brought about by the capabilities of third generation (3G) mobile networks has shifted the emphasis from voice calls to other value-added content services. As a result, the generation and formats of CDRs have become more complex.

According to a study [1] on revenue loss in 2006, based on feedback from almost 100 telecom operators around the world:
- Mobile operators have the highest average revenue leakage (14 percent)
- Fraud (external, internal and by other operators) is the number one factor in losses; the average fraud losses have grown to 4.5 percent of revenue from 2.9 percent in the previous year

In addition to fraud, three other sources of revenue leakage are discussed in the study: poor processes and procedures, poor systems integration, and problems associated with applying new products and pricing schemes. This article highlights some high-risk areas for potential CDR leakage or fraud in postpaid services, and explains how the potential losses can be identified.

First, an overview of the billing process provides a basis for understanding; the major sources of CDRs are then identified; finally, the four distinct control areas designed to address revenue leakage resulting from the processing of CDRs are presented.

Figure 1. Simplified Billing Process (figure: Voice CDRs, Data CDRs and SMS CDRs from network elements, together with CDRs from providers/partners, flow into Mediation, then Rating, then the Billing Engine)

Billing Process

A simplified billing process of a mobile operator is shown in figure 1. The raw CDRs generated by the various network elements within the operator are sent to a centralized location, often referred to as a mediation module, for prebilling processing. A prime function of the mediation module is to transform and clean the raw CDRs and place them into a format acceptable to the billing engine. Apart from the internally generated CDRs, a mobile operator may also be required to obtain CDRs from its business partners (e.g., IDD unilateral/bilateral agreements and content services providers), roaming [2] partners (data and/or voice), and Short Message Service (SMS) clearinghouses. These externally sourced CDRs, unlike those generated internally, may be routed either to the mediation module for preprocessing or directly to the billing system. CDRs entering the billing engine first undergo the rating process; the actual billable amount is then adjusted further according to the subscribed services and products.

Major Sources of CDRs

There are three major sources of CDRs:
- Voice servers
- SMS
- Data services

Voice Servers
Mobile phone call conversation traffic (whether outgoing or incoming, and whether it involves a fixed or a mobile network) passes through a key mobile network element known as a mobile switching center (MSC). Since the core function of an MSC is call routing, the raw CDR of a call is typically generated, collected and maintained within the MSC. In a local call scenario, the traffic may be connected through the MSC to a public switched telephone network (PSTN) for a fixed-line network, or directly to an MSC of another mobile network operator. For an IDD call made from a mobile phone, the traffic may be routed from an MSC to an international toll gateway (ITG) or to other IDD service providers. The functions of an ITG are similar to those of an MSC in the maintenance of CDRs and call routing, except that the former is for IDD calls only. Figure 2 illustrates the flow of both local and international voice calls.

Figure 2. Illustration of an Outgoing Call to Both Local and Overseas Destinations

Short Message Service
The CDR of an SMS is generated and recorded in a network element called a Short Message Service center (SMSC). The SMSC provides a store-and-forward function, delivering SMS messages to the intended destination users when they are available. SMS messages destined for the networks of other fixed-line or mobile operators are routed to the respective SMS partners or SMS clearinghouse(s) for further delivery. An SMS clearinghouse provides dedicated routing paths for a mobile operator to send/receive SMS messages to/from other telecommunications operators; the mobile network operator can therefore minimize the technical and business arrangements needed to operate its SMS business. Figure 3 describes the SMS operation.

Figure 3. Illustration of SMS Routing Through an SMS Clearinghouse

Data Services
The Global System for Mobile Communication (GSM), a second generation (2G) network, has a maximum data speed of 9.6 kilobits per second (Kbps) and is based on circuit-switching technology. The General Packet Radio Service (GPRS) network architecture, often termed 2.5G, is the foundation for mobile operators that offer high-speed data services. The progression of the GPRS infrastructure allows Enhanced Data rates for GSM Evolution (EDGE) technology to offer data rates up to 384 Kbps, while data rates up to 2 megabits per second (Mbps) can be achieved in 3G mobile networks. Selected data services are listed in figure 4.

Figure 4. Typical Data Services
Broadband access: Video and audio streaming, file download, web surfing and corporate virtual private network (VPN) services
Online services: Banking, games and chatting
Payment services: Micropayment transactions
E-mail and picture messaging: Push mail, web mail, multimedia messaging and corporate e-mail services

The packet-based nature of GPRS data transmission distinguishes the data services billing mechanism from that of voice services, which are charged mainly on call duration and time of day. The information used for data service billing may include volume, in terms of packet or byte count; transmission start and end times; applications; and content-related information. Typically, usage of data services is recorded at the Serving GPRS Support Node (SGSN) [3] and the Gateway GPRS Support Node (GGSN) [4]. The information collected from the SGSN and the GGSN is first sent to a dedicated charging gateway (CG) before being forwarded to the mediation module. The CG makes a log entry, i.e., creates a CDR, whenever there is network activity on data being transferred, a change in the charging terms, an alteration in quality of service, or the end of a data session. The main function of a CG is to collect CDRs from both the SGSN and the GGSN, buffering and transferring them to the mediation module of the billing system. Figure 5 is a simplified diagram of the GPRS architecture, demonstrating how CDRs are routed to the billing system.

Figure 5. A Simplified GPRS Network Diagram

Audit Considerations

The major audit considerations for CDRs include routing path selection, CDR reconciliation, filtering rules maintenance and logical protection.

Routing Path Selection
As mentioned in the previous sections on voice services and SMS, a mobile operator requires connectivity to other telecommunications providers when routing IDD calls through the MSC/ITG and SMS through the SMSC. A mobile operator often connects to more than one counterpart for reasons associated with costing, contingency requirements and availability of services within particular regions. Due to strong competition within the telecommunications industry, an operator might want to maintain a versatile routing-path-selection procedure, which can assist in lowering running costs wherever possible. In this respect, an auditor could explore internal control questions (ICQs) related to the controls over changes to the routing-path-selection criteria, the availability and protection of an audit trail, and the validity of business arrangements with the counterparts.

CDR Reconciliation
CDRs between the various network elements and the billing engine should be compared and reconciled on a regular basis to identify any discrepancies, thereby preventing revenue leakage. Figure 6 identifies typical network elements involved in the CDR reconciliation process.

Figure 6. Network Elements for CDR Reconciliation
Voice: MSC, ITG, base station
SMS: SMSC, SMS server
Data: Internet Protocol (IP) router, IP switch, SGSN, GGSN, CG, web server, wireless access point (WAP) server, ring tone server, content server

It can be seen from figure 6 that many network elements are involved in data services, and, therefore, the reconciliation of CDRs is complicated. In addition to reconciling the CDRs among the network elements within the mobile operator, the operator is required to settle and approve CDRs with its business partners, including other telecom carriers, SMS clearinghouses, roaming partners, content service providers and mobile virtual network operators (MVNOs) [5]. A mobile operator's reconciliation process must be adaptable enough to accommodate the complexity of the technology and the need for prompt response to emerging business requirements. A new type of service offering, a change in charging mechanism by a content service provider, the replacement of a network element with one from a different manufacturer, a delay in the scheduled delivery of CDR files from roaming partners, or newly imposed pricing schemes of the IDD service carriers could all affect reconciliation controls to varying degrees. It is, therefore, possible to find mobile operators accepting a certain level of discrepancy/loss in their CDRs instead of extending the resources and effort needed to ensure the necessary controls. In evaluating potential revenue leakage or fraud arising from deficiencies in the CDR reconciliation process, an auditor might examine the following areas:
- Segregation of duties between the operation of the network infrastructure and the reconciliation process. This is necessary to maintain the integrity and independence of the verification of CDR entries.
- Appropriateness and timeliness of CDR reconciliation testing. The scope of the test should be extensive in terms of the coverage and range of services agreed to by the internal parties and external counterparts.
- Alignment of business arrangements with the CDR generation and collection arrangements. The origination and format of the CDRs are expected to be compatible with defined business requirements, e.g., collection of CDRs from web content servers.
- Control of the system interfaces of key network elements (e.g., MSC, ITG, SMSC, SGSN, GGSN, CG, mediation module). These should be well documented, and any modification of a system interface should be adequately approved.

Filtering Rules Maintenance
The correctness of the filtering rules, i.e., the programming of conditions according to the predefined business requirements found in the mediation module, is the most important factor in ensuring that appropriate and complete information is delivered to the billing engine for rating and calculation. It is necessary, for example, for the service type to be mapped accurately against the corresponding rate plan for correct billing. An assessment of the filtering rules, covering such attributes as type of service (e.g., voice, SMS, roaming, data), volume of data in content services, duration, source and destination (e.g., IP address, called number, calling number), commencing time and end time, and trunk ID (e.g., trunk assignment according to a different pricing zone), may require inspection of the program logic and a determination of whether the programs would have any adverse effect on the information. Furthermore, an auditor should determine the adequacy of change controls over the filter rules and of the retention management process for the CDRs prior to filtering, for future verification and/or regulatory purposes.

Logical Protection
The evaluation of network-level logical controls can be focused on the data services infrastructure, which is accessible by the subscribers of a mobile operator. To this extent, typical information technology (IT) audit tasks could be carried out on network routers and switches, firewalls, domain name service machines, Dynamic Host Configuration Protocol (DHCP) servers, and intrusion detection/prevention systems.

At the host level, an auditor may assess the adequacy of the protection of critical network elements, including the ITG, MSC, CG, mediation module, GGSN, SGSN, SMSC, billing engine, home location register (HLR) [6] and visitor location register (VLR) [7], against unauthorized access and/or configuration change. An auditor should be aware that, together, the HLR and VLR maintain the list of authorized subscribers admissible to a mobile operator's infrastructure, so an inspection of the integrity of that database and of its modification process would be a useful task to perform.
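The CDR reconciliation and filtering-rule checks described under Audit Considerations, as an added example that is not part of the original article: it compares constructed switch-side CDRs with constructed billing-engine records, applies an assumed (service type, trunk ID) to rate-plan filter rule, and reports duplicates, records no rule maps, unbilled records, rate-plan and duration mismatches, and billed records lacking a source CDR. Record fields, trunk IDs and rate-plan names are assumptions.

```python
"""Added example (not from the ISACA article): reconcile switch-side CDRs
against billing-engine output and check the mediation filter rule.
Data, field names and the rate-plan mapping are constructed assumptions."""
import csv
import io
from collections import Counter

# Constructed raw CDRs from a network element such as an MSC/ITG; c002 is
# fed twice (duplicate) and c004 arrives on a trunk no filter rule covers.
MSC_CDRS = """\
cdr_id,service,trunk,calling,called,start,duration_s
c001,voice,LOCAL-01,85291000001,85292000002,2008-03-01T09:00:00,120
c002,voice,IDD-UK-02,85291000001,447700900123,2008-03-01T09:10:00,600
c003,voice,IDD-UK-02,85291000003,447700900456,2008-03-01T09:20:00,300
c004,voice,IDD-ZZ-09,85291000004,99900000000,2008-03-01T09:30:00,45
c002,voice,IDD-UK-02,85291000001,447700900123,2008-03-01T09:10:00,600
"""
# Constructed rated records from the billing engine after mediation; c003
# was rated for 60 s instead of 300 s and c005 has no source CDR at all.
BILLED_CDRS = """\
cdr_id,rate_plan,billed_duration_s
c001,LOCAL,120
c002,IDD_ZONE_1,600
c003,IDD_ZONE_1,60
c005,LOCAL,30
"""
# Assumed mediation filter rule: (service, trunk ID prefix) -> rate plan.
FILTER_RULES = {("voice", "LOCAL"): "LOCAL", ("voice", "IDD-UK"): "IDD_ZONE_1"}

def expected_rate_plan(cdr):
    # Apply the filter rule; None means the CDR would fall through unrated.
    for (service, prefix), plan in FILTER_RULES.items():
        if cdr["service"] == service and cdr["trunk"].startswith(prefix):
            return plan
    return None

def reconcile(msc_text, billed_text):
    # Returns sorted (finding, cdr_id) pairs for the auditor to follow up.
    msc = list(csv.DictReader(io.StringIO(msc_text)))
    billed = {r["cdr_id"]: r for r in csv.DictReader(io.StringIO(billed_text))}
    counts = Counter(r["cdr_id"] for r in msc)
    findings = [("duplicate_cdr", i) for i, n in counts.items() if n > 1]
    seen = set()
    for cdr in msc:
        if cdr["cdr_id"] in seen:
            continue
        seen.add(cdr["cdr_id"])
        plan = expected_rate_plan(cdr)
        if plan is None:  # filter-rule gap: the record never reaches rating
            findings.append(("unmapped_by_filter_rule", cdr["cdr_id"]))
        bill = billed.get(cdr["cdr_id"])
        if bill is None:  # generated at the switch but never billed: leakage
            findings.append(("not_billed", cdr["cdr_id"]))
            continue
        if bill["rate_plan"] != plan:
            findings.append(("rate_plan_mismatch", cdr["cdr_id"]))
        if int(bill["billed_duration_s"]) != int(cdr["duration_s"]):
            findings.append(("duration_mismatch", cdr["cdr_id"]))
    # A billed record with no source CDR points at an upstream integrity issue.
    findings += [("billed_without_cdr", i) for i in billed.keys() - seen]
    return sorted(findings)
```

Running `reconcile(MSC_CDRS, BILLED_CDRS)` on the constructed data flags the duplicate c002, the underbilled c003, the unrated and unbilled c004, and the orphan billing record c005.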
JOURNALONLINE

Conclusion and Summary


An audit of the billing (i.e., the CDRs) of a mobile operator is not a trivial task because of the diversity of technology and the number of manual and automated processes involved. Auditors are expected to conduct in-depth reviews and analyses of CDRs, e.g., sorting records by service type, identifying called and calling parties, and determining the duration of service. Some common observations that coincide with the findings of the study [8] introduced previously are described in figure 7.

Figure 7. Sources of Revenue Leakage and Observations

High-risk area: Poor processes and procedures
Common observations:
- Lack of/incomplete documentation of:
  - Routing path selection, configuration and audit trail
  - Filtering rule programming and specification
  - Infrastructure diagrams detailing the inflow and outflow of traffic
  - Logic of the billing process
- Inadequate process for:
  - Approval of changes in configuration (e.g., ITG, MSC, routing path, system interfaces, HLR, VLR)
  - Control over the testing process (e.g., abuse of testing SIM cards)
  - Selection of business partners

High-risk area: Poor systems integration
Common observations:
- Business partners/customers of similar services, but with different technical arrangements (e.g., external system interfaces customized on an individual basis, as opposed to a more unified approach that minimizes the number of control points)
- Inadequate planning in the deployment/replacement of new technology, leading to additional workloads (e.g., additional programming effort required to convert CDRs of new brand/type equipment to a format acceptable to the existing billing process)

High-risk area: Problems associated with applying new products and pricing schemes
Common observations:
- A newly imposed pricing scheme, i.e., business rules, that supersedes the existing pricing arrangement, resulting in lost revenue
- (The following do not have a direct relationship with leakage due to CDRs.) Business rules that could not be enforced on the billing system for a technical reason or because of a poor business decision. Promotion programs, in particular, are maintained by other means instead of the billing system. For a subscriber to be entitled to a free handset, for example, he/she must fulfill the minimum contractual period; however, the early cancellation of a contract would not be detected.

Endnotes
1. Subex Azure, Operator Attitudes to Revenue Management Survey 2007, www.subexazure.com
2. According to the GSM Association, www.gsmworld.com/roaming/index.shtml, roaming is the ability for a cellular customer to automatically make and receive voice calls, send and receive data, or access other services when traveling outside the geographical coverage area of the home network, by means of using a visited network.
3. The SGSN is the node within the GSM infrastructure that sends and receives packet data to and from the mobile stations and keeps track of the mobile devices within its service area. It also performs functions including tracking a mobile device's location, user verification and collection of information for billing.
4. The GGSN is the node that interfaces to external public data networks, such as the Internet, and maintains the routing information necessary to tunnel data traffic to the SGSN.
5. An MVNO is a mobile operator that does not own any radio frequency spectrum and usually does not maintain a mobile network infrastructure. Instead, an MVNO has a business arrangement with traditional mobile operators (e.g., those that possess both the radio frequency spectrum and the infrastructure) to buy minutes and services at a discount for resale to its own customers.
6. The HLR is a database that maintains mobile subscriber information, e.g., international mobile subscriber identity (IMSI), service subscription information and service restrictions.
7. The VLR is a database that contains temporary information about mobile subscribers who are currently located in a given MSC service area but whose HLR is located elsewhere.
8. Op. cit., Subex Azure

Dale Johnstone is the chief security consultant for the Risk Management Group of PCCW Ltd. As an information security evangelist with more than 20 years of professional information security management and IT experience, Johnstone has been involved in various industry sectors, including government, defense, law enforcement, finance, manufacturing, transportation and telecommunications. He maintains active memberships with a number of international standards bodies. He can be reached at dale.johnstone@pccw.com.

Ellis Chung Yee Wong, CISA, CFE, CISSP, is an IT audit manager at Hang Seng Bank of HSBC Group. He has focused on such areas as IT operations, IT security, auditing, risk assessments and investigation. He has experience in a number of industries, including finance, telecommunications and manufacturing. He can be reached at elliswong@hangseng.com.

Information Systems Control Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the Information Systems Control Journal. Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content. © 2008 ISACA. All rights reserved. Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association, without express permission of the association or the copyright owner is expressly prohibited. www.isaca.org
