Billing Process
A simplified billing process of a mobile operator is shown in figure 1. The raw CDRs generated by the various network elements within the operator are sent to a centralized location, often referred to as the mediation module, for prebilling processing. A prime function of the mediation module is to transform and clean the raw CDRs and place them into a format acceptable to the billing engine.
Apart from the internally generated CDRs, a mobile
operator may also be required to obtain CDRs from its business
[Figure 1: Simplified billing process. Voice CDRs, data CDRs and SMS CDRs generated within the network, together with CDRs from providers/partners, flow into mediation, then rating, and then the billing engine.]
Data Services
The Global System for Mobile Communication (GSM), a second generation (2G) network, has a maximum data speed of 9.6 kilobits per second (Kbps) and is based on circuit-switching technology. The General Packet Radio Service (GPRS) 2.5G network architecture is the foundation for mobile operators that offer high-speed data services. The progression of GPRS infrastructure allows Enhanced Data rates for GSM Evolution (EDGE) technology to offer data rates up to 384 Kbps, while a data rate of up to 2 megabits per second (Mbps) can be achieved in 3G mobile networks. Selected data services are listed in figure 4.
Figure 4: Data Services
Service                        Description
(service name not recovered)   Video and audio streaming, file download, web surfing and corporate virtual private network (VPN) services
Online services                Banking, games and chatting
Payment services               Micropayment transactions
E-mail and picture messaging   Push mail, web mail, multimedia messaging and corporate e-mail services
Audit Considerations
The major audit considerations for CDRs include routing
path selection, CDR reconciliation, filtering rules
maintenance and logical protection.
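The CDR reconciliation check named above, as an added example that is not part of the original article: it compares constructed raw CDRs (as a mediation module would receive them from an MSC or ITG) with constructed billing-engine output, and separates records dropped by a documented filtering rule from unexplained unbilled CDRs, duration mismatches and billed records with no raw CDR behind them. The record layouts, call ids and the zero-duration filtering rule are assumptions.

```python
from typing import Callable, Dict, List, NamedTuple

class RawCdr(NamedTuple):
    call_id: str
    calling: str
    called: str
    duration: int  # seconds, as reported by the network element
    element: str   # MSC/ITG that generated the record

# Constructed raw CDRs in an assumed pipe-delimited layout (not real records):
# call_id|calling|called|duration_seconds|network_element
RAW_CDRS = """\
C001|85291230001|85291230002|120|MSC1
C002|85291230003|4412345678|300|ITG1
C003|85291230004|85291230005|0|MSC1
C004|85291230006|85291230007|45|MSC2
"""
# Constructed billing-engine output: call_id|billed_seconds
BILLED_RECORDS = "C001|120\nC002|240\n"

# Documented mediation filtering rules (assumed): a raw CDR matching a rule is
# expected to be dropped before rating, so its absence from billing is explained.
FILTER_RULES: Dict[str, Callable[[RawCdr], bool]] = {
    "zero-duration": lambda c: c.duration == 0,
}

def parse_raw(text: str) -> List[RawCdr]:
    rows = (line.split("|") for line in text.splitlines() if line.strip())
    return [RawCdr(cid, a, b, int(dur), elem) for cid, a, b, dur, elem in rows]

def parse_billed(text: str) -> Dict[str, int]:
    rows = (line.split("|") for line in text.splitlines() if line.strip())
    return {cid: int(secs) for cid, secs in rows}

def reconcile(raw: List[RawCdr], billed: Dict[str, int],
              rules: Dict[str, Callable[[RawCdr], bool]]) -> Dict[str, list]:
    """Classify each raw CDR; 'unbilled' and 'duration_mismatch' are leakage candidates."""
    report: Dict[str, list] = {"filtered": [], "unbilled": [], "duration_mismatch": []}
    for cdr in raw:
        rule = next((name for name, test in rules.items() if test(cdr)), None)
        if cdr.call_id not in billed:
            if rule:                      # dropped by a documented rule: expected
                report["filtered"].append((cdr.call_id, rule))
            else:                         # dropped with no explanation: leakage
                report["unbilled"].append(cdr.call_id)
        elif billed[cdr.call_id] != cdr.duration:
            report["duration_mismatch"].append((cdr.call_id, cdr.duration, billed[cdr.call_id]))
    # Billed records with no raw CDR behind them point at an interface problem.
    report["orphan_billed"] = sorted(set(billed) - {c.call_id for c in raw})
    return report
```

Run with `reconcile(parse_raw(RAW_CDRS), parse_billed(BILLED_RECORDS), FILTER_RULES)`; each non-empty list in the report is a follow-up item for the auditor, and a filtering rule that is not in the documented set would surface its drops as "unbilled".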
Routing Path Selection
As mentioned in the previous sections on voice services and
SMS, a mobile operator requires connectivity to other
telecommunications providers when routing IDD calls through
MSC/ITG and SMS through SMSC. A mobile operator often
connects to more than one counterpart for reasons associated
with costing, contingency requirements and availability of
Common Observations
Lack of/incomplete documentation:
  - Routing path selection, configuration and audit trail
  - Filtering rule programming and specification
  - Infrastructure diagrams detailing the inflow and outflow of traffic
  - Logic of the billing process
Inadequate process:
  - Approval of changes in configuration (e.g., ITG, MSC, routing path, system interfaces, HLR, VLR)
  - Control over the testing process (e.g., abuse of testing SIM cards)
  - Selection of business partners
Business partners/customers of similar services, but with different technical arrangements (e.g., external system interfaces are customized on an individual basis, as opposed to a more unified approach, to minimize the number of control points)
Inadequate planning in the deployment/replacement of new technology, leading to additional workloads (e.g., additional programming effort required to convert CDRs of new brand/type equipment to a format acceptable to the existing billing process)
A newly imposed pricing scheme, i.e., business rules, that supersedes the existing pricing arrangement, resulting in lost revenue
(The following does not have a direct relationship with leakage due to CDRs.) Business rules could not be enforced on the billing system due to a technical reason or a poor business decision. Promotion programs, in particular, are maintained by other means instead of the billing system. For a subscriber to be entitled to a free handset, for example, he/she must fulfill the minimum contractual period; however, the early cancellation of a contract would not be detected.
Endnotes
1. Subex Azure, Operator Attitudes to Revenue Management Survey 2007, www.subexazure.com
2. According to the GSM Association, www.gsmworld.com/roaming/index.shtml, roaming is the ability for a cellular customer to automatically make and receive voice calls, send and receive data, or access other services when traveling outside the geographical coverage area of the home network, by means of using a visited network.
3. SGSN is the node within the GSM infrastructure that sends and receives packet data to and from the mobile stations and keeps track of the mobile devices within its service area. It also performs functions including tracking a mobile device's location, user verification and collection of information for billing.
4. GGSN is the node that interfaces to external public data networks, such as the Internet, and maintains the routing information necessary to tunnel the data traffic to the SGSN.
5. MVNO is a mobile operator that does not own any radio frequency spectrum and usually does not maintain a mobile network infrastructure. Instead, an MVNO has a business arrangement with traditional mobile operators (e.g., those who operate both the radio frequency and the infrastructure) to buy minutes and services at a discount to sell to its own customers.
Dale Johnstone is the chief security consultant for the Risk Management Group of PCCW Ltd. As an information security evangelist with more than 20 years of professional information security management and IT experience, Johnstone has been involved in various industry sectors including government, defense, law enforcement, finance, manufacturing, transportation and telecommunications. He maintains active memberships with a number of international standards bodies. He can be reached at dale.johnstone@pccw.com.
Ellis Chung Yee Wong, CISA, CFE, CISSP, is an IT audit manager in Hang Seng Bank of HSBC Group. He has focused on such areas as IT operations, IT security, auditing, risk assessments and investigation. He has experience in a number of industries, including finance, telecommunications and manufacturing. He can be reached at elliswong@hangseng.com.
Information Systems Control Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the Information Systems Control Journal.
2008 ISACA. All rights reserved.
www.isaca.org