
Copyright 2008 ISACA. All rights reserved. www.isaca.org.

Call Detail Record Billing Audit on a Mobile Operator
By Dale Johnstone and Ellis Chung Yee Wong, CISA, CFE, CISSP

A call detail record (CDR) in the telecom sector is a file that contains information about voice calls. CDR files are used to help determine call rates and to calculate billable amounts, e.g., for international direct dialing (IDD) calls, as they contain the source and destination identifiers and the start time and duration of each call.
In spite of the emergence of new telecommunications technologies, e.g., the move from fixed-line to mobile networks, the fundamental concept of, and reliance on, CDRs for rating and billing purposes remain more or less the same. In today's mobile network, CDRs may contain information on more than one type of traffic, e.g., voice calls, video calls, Short Message Service (SMS) traffic and other data services. The change of business model in the mobile network business, driven by the new technology capabilities of third generation (3G) mobile networks, has shifted the emphasis from voice calls to other value-added content services. As a result, the formats and generation of CDRs have increased in complexity.
According to a study [1] on revenue loss in 2006, based on feedback from almost 100 telecom operators around the world:
• Mobile operators have the highest average revenue leakage (14 percent).
• Fraud (external, internal and by other operators) is the number one factor in losses; average fraud losses have grown to 4.5 percent of revenue, from 2.9 percent in the previous year.
In addition to fraud, three other sources of revenue leakage are discussed in the study: poor processes and procedures, poor systems integration, and problems associated with applying new products and pricing schemes.
This article highlights some high-risk areas for potential revenue leakage or fraud involving CDRs in postpaid services, and explains how the potential losses can be identified. An overview of the billing process provides a basis for understanding; the major sources of CDRs are then identified; and finally the four distinct control areas designed to address revenue leakage resulting from the processing of CDRs are presented.

Billing Process
A simplified billing process of a mobile operator is shown in figure 1. The raw CDRs generated by the various network elements within the operator are sent to a centralized location, often referred to as a mediation module, for prebilling processing. A prime function of the mediation module is to transform and clean raw CDRs and place them into a format acceptable to the billing engine.
Apart from the internally generated CDRs, a mobile operator may also be required to obtain CDRs from its business partners (e.g., IDD unilateral/bilateral agreements and content services providers), roaming [2] partners (data and/or voice), and Short Message Service (SMS) clearinghouses. These CDRs, unlike those generated internally, may be routed either to the mediation module for preprocessing or directly to the billing system.
CDRs entering the billing engine first undergo the rating process; the actual billable amount is then adjusted further according to the subscribed services and products.

Figure 1: Simplified Billing Process. Internally generated voice, data and SMS CDRs, together with CDRs received from providers/partners, flow into the mediation module, then through rating, and finally into the billing engine.

Major Sources of CDRs
There are three major sources of CDRs:
• Voice servers
• SMS
• Data services
Voice Servers
Mobile phone call traffic (whether outgoing or incoming, and whether it involves a fixed or a mobile network) passes through a key mobile network element known as a mobile switching center (MSC). Since the core function of an MSC is call routing, the raw CDR of a call is typically collected, generated and maintained within the MSC.
In a local call scenario, the traffic may be connected through the MSC to a public switched telephone network (PSTN) for a fixed-line network, or directly to an MSC of another mobile network operator. For an IDD call made from a mobile phone, the traffic may be routed from an MSC to an international toll gateway (ITG) or to another IDD services provider. The functions of an ITG are similar to those of an MSC in the maintenance of CDRs and call routing, except that the former handles IDD calls only. Figure 2 illustrates the flow of both local and international voice calls.
Figure 2: Illustration of an Outgoing Call to Both Local and Overseas Destinations

Short Message Service
The CDR of an SMS is generated and recorded in a network element called a Short Message Service center (SMSC). The SMSC provides a store-and-forward function, delivering SMS messages to the intended destination users when they are available. SMS messages destined for the networks of other fixed-line or mobile operators are routed to the respective SMS partners or SMS clearinghouse(s) for further delivery. An SMS clearinghouse provides dedicated routing paths for a mobile operator to send/receive SMS messages to/from other telecommunications operators. The mobile network operator can therefore minimize both the technical and the business arrangements needed to operate its SMS business. Figure 3 describes the SMS operation.
Figure 3: Illustration of SMS Routing Through an SMS Clearinghouse

Data Services
The Global System for Mobile Communications (GSM), a second generation (2G) network, has a maximum data speed of 9.6 kilobits per second (kbps) and is based on circuit-switching technology. The General Packet Radio Service (GPRS), a 2.5G network architecture, is the foundation for mobile operators that offer high-speed data services. The progression of the GPRS infrastructure allows Enhanced Data rates for GSM Evolution (EDGE) technology to offer data rates up to 384 kbps, while data rates up to 2 megabits per second (Mbps) can be achieved in 3G mobile networks. Selected data services are listed in figure 4.

Figure 4: Typical Data Services
Application                  | Description
Broadband access             | Video and audio streaming, file download, web surfing and corporate virtual private network (VPN) services
Online services              | Banking, games and chatting
Payment services             | Micropayment transactions
E-mail and picture messaging | Push mail, web mail, multimedia messaging and corporate e-mail services

The packet-based data transmission nature of GPRS distinguishes the billing mechanism of data services from that of voice services, which are charged mainly on call duration and time of day. Information used for data service billing may include volume, in terms of packet or byte count; transmission start and end times; applications; and types of content-related information. Typically, usage of data services is recorded at the Serving GPRS Support Node (SGSN) [3] and the Gateway GPRS Support Node (GGSN) [4].
The information collected from the SGSN and the GGSN is first sent to a dedicated charging gateway (CG) prior to being forwarded to the mediation module. The CG makes a log entry, i.e., creates a CDR, whenever there is network activity on data being transferred, a change in the charging terms, an alteration in quality of service, or a data session ends. The main function of a CG is to collect CDRs from both the SGSN and the GGSN, buffering them and transferring them to the mediation module of the billing system. Figure 5 is a simplified diagram of the GPRS architecture, showing how CDRs are routed to the billing system.
Figure 5: A Simplified GPRS Network Diagram
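Because the CG opens a new record at each of the events listed above (QoS change, change of charging terms, volume or time limit, session end), one data session arrives at the mediation module as several partial records that must be summed, deduplicated and checked for gaps before it can be rated. The following is an added example, not code from the article or from any vendor's charging gateway; the field names (charging_id, seq, cause, up, down), the cause values and the sample records are constructed simplifications, not the 3GPP CDR encoding.

```python
"""Aggregate charging-gateway (CG) partial data CDRs into billable sessions.

Added example, not code from the article. Field names, cause values and the
sample records are constructed simplifications of real CG output.
"""

# Causes that terminate a session; any other cause means "more partials follow".
FINAL_CAUSES = {"normal_release", "abnormal_release"}

# Constructed sample of what a CG might collect for four data sessions.
CG_RECORDS = [
    {"charging_id": 7001, "seq": 1, "cause": "qos_change",     "up": 1000, "down": 20000},
    {"charging_id": 7001, "seq": 2, "cause": "normal_release", "up": 500,  "down": 30000},
    {"charging_id": 7002, "seq": 1, "cause": "volume_limit",   "up": 0,    "down": 1000000},
    {"charging_id": 7002, "seq": 3, "cause": "normal_release", "up": 200,  "down": 4000},   # seq 2 lost
    {"charging_id": 7003, "seq": 1, "cause": "time_limit",     "up": 100,  "down": 1000},
    {"charging_id": 7003, "seq": 1, "cause": "time_limit",     "up": 100,  "down": 1000},   # retransmitted
    {"charging_id": 7003, "seq": 2, "cause": "normal_release", "up": 100,  "down": 1000},
    {"charging_id": 7004, "seq": 1, "cause": "qos_change",     "up": 50,   "down": 700},    # still open
]


def aggregate_sessions(records):
    """Return {charging_id: {"billable_bytes", "closed", "flags"}}.

    Duplicated partials are counted once (they would otherwise double-bill);
    gaps in the sequence and sessions without a closing record are flagged
    because both mean volume that never reaches the billing engine.
    """
    seen = set()
    sessions = {}
    for r in records:
        sess = sessions.setdefault(
            r["charging_id"],
            {"seqs": set(), "billable_bytes": 0, "closed": False, "flags": []},
        )
        key = (r["charging_id"], r["seq"])
        if key in seen:
            sess["flags"].append(f"duplicate_partial_seq_{r['seq']}")
            continue
        seen.add(key)
        sess["seqs"].add(r["seq"])
        sess["billable_bytes"] += r["up"] + r["down"]
        if r["cause"] in FINAL_CAUSES:
            sess["closed"] = True

    for sess in sessions.values():
        expected = set(range(1, max(sess["seqs"]) + 1))
        missing = sorted(expected - sess["seqs"])
        if missing:
            sess["flags"].append(f"missing_partials_{missing}")
        if not sess["closed"]:
            sess["flags"].append("no_closing_record")
        del sess["seqs"]
    return sessions


def sessions_needing_review(sessions):
    """Charging IDs an auditor should trace back to the SGSN/GGSN logs."""
    return sorted(cid for cid, s in sessions.items() if s["flags"])


if __name__ == "__main__":
    result = aggregate_sessions(CG_RECORDS)
    for cid, s in result.items():
        print(cid, s["billable_bytes"], s["closed"], s["flags"])
    print("review:", sessions_needing_review(result))
```

Session 7002 is the leakage case the article is concerned with: it is closed and billable, but the lost partial means the volume transferred between the volume-limit record and the final record is never rated, and nothing in the billing engine would reveal that unless the sequence gap is checked at mediation.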

Audit Considerations
The major audit considerations for CDRs include routing
path selection, CDR reconciliation, filtering rules
maintenance and logical protection.
Routing Path Selection
As mentioned in the previous sections on voice services and SMS, a mobile operator requires connectivity to other telecommunications providers when routing IDD calls through the MSC/ITG and SMS messages through the SMSC. A mobile operator often connects to more than one counterpart for reasons associated with cost, contingency requirements and the availability of services within particular regions. Due to strong competition within the telecommunications industry, an operator might want to maintain a versatile routing-path-selection procedure, which can assist in lowering running costs wherever possible.
In this respect, an auditor could explore internal control questions (ICQs) related to the routing-path-selection criteria, the controls over making a change, the availability and protection of an audit trail, and the validity of business arrangements with the counterparts.
CDR Reconciliation
CDRs between the various network elements and the billing engine should be compared and reconciled on a regular basis to identify any discrepancies, leading to the prevention of revenue leakage. Figure 6 identifies typical network elements involved in the CDR reconciliation process.

Figure 6: Network Elements for CDR Reconciliation
Service Type | Typical Network Elements
Voice        | MSC, ITG, base station
SMS          | SMSC, SMS server
Data         | Internet Protocol (IP) router, IP switch, SGSN, GGSN, CG, web server, Wireless Application Protocol (WAP) server, ring tone server, content server

It can be seen from figure 6 that many network elements are involved in data services and, therefore, the reconciliation of CDRs is complicated. In addition to reconciling the CDRs among the network elements within the mobile operator, the operator is required to settle and approve CDRs with its business partners, including other telecom carriers, SMS clearinghouses, roaming partners, content service providers and mobile virtual network operators (MVNOs) [5].
A mobile operator's reconciliation process must be adaptable enough to accommodate the complexity of the technology and the need for prompt response to emerging business requirements. A new type of service offering, a change in charging mechanism by a content service provider, the replacement of a network element with one from a different manufacturer, a delay in the scheduled delivery of CDR files from roaming partners, or a newly imposed pricing scheme of an IDD service carrier could all have varying degrees of impact on reconciliation controls. It is, therefore, possible to find mobile operators accepting a certain level of discrepancy/loss in their CDRs instead of expending the resources and effort needed to ensure the necessary controls.
In evaluating potential revenue leakage or fraud arising from deficiencies in the CDR reconciliation process, an auditor might examine the following areas:
• Segregation of duties between the operation of the network infrastructure and the reconciliation process. This is necessary to maintain the integrity and independence of the verification of CDR entries.
• Appropriateness and timeliness of CDR reconciliation testing. The scope of the test should be extensive in terms of the coverage and the range of services agreed to by the internal parties and external counterparts.
• Alignment of business arrangements with the CDR generation and collection set-up. The origin and format of the CDRs are expected to be compatible with the defined business requirements, e.g., collection of CDRs from web content servers.
• System interface controls of key network elements (e.g., MSC, ITG, SMSC, SGSN, GGSN, CG, mediation module). These should be well documented, and any modification to a system interface should be adequately approved.
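The reconciliation described above, in its simplest form, is a two-way match between what a switch carried and what the billing engine rated, with every unmatched or mismatched record classified so that leakage (unbilled airtime) can be separated from over-billing (duplicates and phantom calls). The following is an added example of that comparison, not code from the article; the match key, field names and sample records are constructed, and real MSC and billing records carry many more fields than shown here.

```python
"""Two-way reconciliation of voice CDRs: switch (MSC) versus billing engine.

Added example, not code from the article. Real MSC and billing records rarely
share an identifier, so the match key here is (calling, called, start time).
Field names and the sample records are constructed.
"""
from collections import Counter

# Constructed sample: what the MSC logged for a short window.
MSC_CDRS = [
    {"calling": "85291230001", "called": "85298880001",   "start": "2008-03-01T10:00:05", "duration": 120},
    {"calling": "85291230002", "called": "0044207123456", "start": "2008-03-01T10:02:30", "duration": 600},
    {"calling": "85291230003", "called": "85298880003",   "start": "2008-03-01T10:05:00", "duration": 30},
    {"calling": "85291230001", "called": "85298880004",   "start": "2008-03-01T10:07:10", "duration": 45},
]

# Constructed sample: what the billing engine rated for the same window.
BILLED_CDRS = [
    {"calling": "85291230001", "called": "85298880001",   "start": "2008-03-01T10:00:05", "duration": 120},
    {"calling": "85291230002", "called": "0044207123456", "start": "2008-03-01T10:02:30", "duration": 540},  # 60 s short
    {"calling": "85291230003", "called": "85298880003",   "start": "2008-03-01T10:05:00", "duration": 30},
    {"calling": "85291230003", "called": "85298880003",   "start": "2008-03-01T10:05:00", "duration": 30},   # loaded twice
    {"calling": "85291230009", "called": "85298880009",   "start": "2008-03-01T10:09:00", "duration": 10},   # not on the switch
]


def match_key(rec):
    return (rec["calling"], rec["called"], rec["start"])


def reconcile(switch_cdrs, billed_cdrs, tolerance_s=1):
    """Classify every discrepancy between the switch and the billing engine.

    missing_in_billing   : switch saw the call, billing never did (leakage)
    duration_mismatch    : both saw it, billed duration differs beyond tolerance
    duplicated_in_billing: one switch record rated more than once (over-billing)
    not_in_switch        : billing has a call the switch never carried
    leaked_seconds       : unbilled airtime from the first two classes
    """
    sw_count = Counter(match_key(r) for r in switch_cdrs)
    bl_count = Counter(match_key(r) for r in billed_cdrs)
    sw_rec = {match_key(r): r for r in switch_cdrs}
    bl_rec = {match_key(r): r for r in billed_cdrs}

    out = {"missing_in_billing": [], "duration_mismatch": [],
           "duplicated_in_billing": [], "not_in_switch": [], "leaked_seconds": 0}

    for k, n in sw_count.items():
        if k not in bl_count:
            out["missing_in_billing"].append(k)
            out["leaked_seconds"] += sw_rec[k]["duration"]
            continue
        if bl_count[k] > n:
            out["duplicated_in_billing"].append(k)
        delta = sw_rec[k]["duration"] - bl_rec[k]["duration"]
        if abs(delta) > tolerance_s:
            out["duration_mismatch"].append((k, sw_rec[k]["duration"], bl_rec[k]["duration"]))
            out["leaked_seconds"] += max(delta, 0)
    for k in bl_count:
        if k not in sw_count:
            out["not_in_switch"].append(k)
    return out


if __name__ == "__main__":
    for name, items in reconcile(MSC_CDRS, BILLED_CDRS).items():
        print(f"{name}: {items}")
```

The segregation-of-duties point above applies directly to this kind of script: whoever operates the MSC or the mediation module should not also control the extract fed into the switch side of the comparison, otherwise a record can be removed from both sides and the reconciliation will report a clean match.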
Filtering Rules Maintenance
The correctness of the filtering rules, i.e., the programmed conditions in the mediation module that implement predefined business requirements, is the most important factor in ensuring that appropriate and complete information is delivered to the billing engine for rating and calculation. It is necessary, for example, for the service type to be mapped accurately to the corresponding rate plan for correct billing.
An assessment of the filtering rules, covering attributes such as type of service (e.g., voice, SMS, roaming, data), volume of data in content services, duration, source and destination (e.g., IP address, called number, calling number), start time and end time, and trunk ID (e.g., trunk assignment according to a different pricing zone), may require inspection of the program logic and a determination of whether the programs could have any adverse effect on the information. Furthermore, an auditor should determine the adequacy of change controls over the filter rules, and of the retention management process for the CDRs as they were before filtering, for future verification and/or regulatory purposes.
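The three controls an auditor looks for in the filtering step, mapping of service type and trunk to a rate plan, a control total tying every input record to an output, and retention of the unfiltered file, can be seen together in a small mediation routine. The following is an added example, not the article's or any vendor's mediation code; the rule table, service names, trunk prefixes, rate-plan names and the sample CDRs are all constructed for illustration.

```python
"""Mediation filtering rules with completeness control and raw-file retention.

Added example, not code from the article. Rule fields, service names, trunk
prefixes, rate-plan names and the sample CDRs are constructed.
"""
import hashlib
import json

# Constructed rule table: first match wins. trunk_prefix None = any trunk.
FILTER_RULES = [
    {"service": "VOICE", "trunk_prefix": "IDD-", "rate_plan": "IDD_ZONE_A"},
    {"service": "VOICE", "trunk_prefix": "LOC-", "rate_plan": "LOCAL_STD"},
    {"service": "SMS",   "trunk_prefix": None,   "rate_plan": "SMS_STD"},
    {"service": "DATA",  "trunk_prefix": None,   "rate_plan": "DATA_PER_MB"},
]

# Constructed raw CDRs as they might leave the network elements.
RAW_CDRS = [
    {"id": 1, "service": "VOICE", "trunk": "LOC-01", "duration": 120, "volume": 0},
    {"id": 2, "service": "VOICE", "trunk": "IDD-07", "duration": 600, "volume": 0},
    {"id": 3, "service": "VOICE", "trunk": "LOC-01", "duration": 0,   "volume": 0},        # unanswered call
    {"id": 4, "service": "SMS",   "trunk": "SMSC-1", "duration": 0,   "volume": 1},
    {"id": 5, "service": "DATA",  "trunk": "GGSN-2", "duration": 0,   "volume": 2048000},
    {"id": 6, "service": "VIDEO", "trunk": "LOC-01", "duration": 90,  "volume": 0},        # new 3G service, no rule yet
]


def raw_file_digest(cdrs):
    """SHA-256 of the canonical pre-filter file, to be stored with the retained copy."""
    canonical = json.dumps(cdrs, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def is_non_billable(cdr):
    """Deliberate filter: an unanswered voice call carries no billable duration."""
    return cdr["service"] == "VOICE" and cdr["duration"] == 0


def apply_rules(cdr, rules):
    """Return the rate plan for a CDR, or None when no rule covers it."""
    for rule in rules:
        if rule["service"] != cdr["service"]:
            continue
        if rule["trunk_prefix"] is None or cdr["trunk"].startswith(rule["trunk_prefix"]):
            return rule["rate_plan"]
    return None


def mediate(raw_cdrs, rules):
    """Split raw CDRs into billable, deliberately filtered, and suspense.

    A record with no matching rule is never dropped: it goes to suspense so
    that a new service type (here VIDEO) surfaces as an exception instead of
    silent leakage. The control total ties every input record to exactly one
    output bucket, and the digest lets an auditor verify the retained raw file.
    """
    digest = raw_file_digest(raw_cdrs)
    billable, filtered, suspense = [], [], []
    for cdr in raw_cdrs:
        if is_non_billable(cdr):
            filtered.append(cdr["id"])
            continue
        plan = apply_rules(cdr, rules)
        if plan is None:
            suspense.append(cdr["id"])
        else:
            billable.append(dict(cdr, rate_plan=plan))
    control_ok = len(raw_cdrs) == len(billable) + len(filtered) + len(suspense)
    return {"raw_digest": digest, "billable": billable, "filtered": filtered,
            "suspense": suspense, "control_ok": control_ok}


if __name__ == "__main__":
    result = mediate(RAW_CDRS, FILTER_RULES)
    print("control ok:", result["control_ok"], "raw digest:", result["raw_digest"][:16])
    print("billable:", [(c["id"], c["rate_plan"]) for c in result["billable"]])
    print("filtered:", result["filtered"], "suspense:", result["suspense"])
```

The change-control point in the text maps onto FILTER_RULES: a rule edit that, say, removed the IDD line would still pass the control total (the IDD calls would merely move to suspense), which is why the suspense bucket must itself be reviewed and cleared, not just counted.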
Logical Protection
The evaluation of network-level logical controls can focus on the data services infrastructure that is accessible to subscribers of a mobile operator. To this extent, typical information technology (IT) audit tasks could be carried out on network routers and switches, firewalls, domain name system (DNS) servers, Dynamic Host Configuration Protocol (DHCP) servers, and intrusion detection/prevention systems.
At the host level, an auditor may assess the adequacy of the protection of critical network elements, including the ITG, MSC, CG, mediation module, GGSN, SGSN, SMSC, billing engine, home location register (HLR) [6] and visitor location register (VLR) [7], against unauthorized access and/or configuration change. An auditor should be aware that, together, the HLR and VLR maintain the list of subscribers authorized to use a mobile operator's infrastructure, so an inspection of the integrity of these databases and of their modification process is a useful task to perform.

Conclusion and Summary
An audit of the billing process (i.e., of the CDRs) of a mobile operator is not a trivial task because of the diversity of technology and the number of manual and automated processes involved. Auditors are expected to conduct in-depth reviews and analysis of CDRs, e.g., sorting of records by service type, identification of called and calling parties, and duration of service.
Some common observations that coincide with the findings of the study [8] introduced previously are described in figure 7.

Figure 7: Sources of Revenue Leakage and Observation

High-risk area contributing to revenue leakage: Poor processes and procedures
Common observations:
• Lack of/incomplete documentation:
  - Routing path selection, configuration and audit trail
  - Filtering rule programming and specification
  - Infrastructure diagrams detailing the inflow and outflow of traffic
  - Logic of the billing process
• Inadequate process:
  - Approval of changes in configuration (e.g., ITG, MSC, routing path, system interfaces, HLR, VLR)
  - Control over the testing process (e.g., abuse of testing SIM cards)
  - Selection of business partners

High-risk area contributing to revenue leakage: Poor systems integration
Common observations:
• Business partners/customers of similar services, but with different technical arrangements (e.g., external system interfaces are customized on an individual basis, as opposed to a more unified approach, to minimize the number of control points)
• Inadequate planning in the deployment/replacement of new technology, leading to additional workloads (e.g., additional programming effort required to convert CDRs of new brand/type equipment to a format acceptable to the existing billing process)

High-risk area contributing to revenue leakage: Problems associated with applying new products and pricing schemes
Common observations:
• A newly imposed pricing scheme, i.e., business rules, that supersedes the existing pricing arrangement, resulting in lost revenue
• (The following does not have a direct relationship with leakage due to CDRs.) Business rules could not be enforced on the billing system due to a technical reason or a poor business decision. Promotion programs, in particular, are maintained by other means instead of the billing system. For a subscriber to be entitled to a free handset, for example, he/she must fulfill the minimum contractual period; however, the early cancellation of a contract would not be detected.

Endnotes
[1] Subex Azure, Operator Attitudes to Revenue Management Survey 2007, www.subexazure.com
[2] According to the GSM Association, www.gsmworld.com/roaming/index.shtml, roaming is the ability for a cellular customer to automatically make and receive voice calls, send and receive data, or access other services when traveling outside the geographical coverage area of the home network, by means of using a visited network.
[3] SGSN is the node within the GSM infrastructure that sends and receives packet data to and from the mobile stations and keeps track of the mobile devices within its service area. It also performs functions including tracking a mobile device's location, user verification and collection of information for billing.
[4] GGSN is the node that interfaces to external public data networks, such as the Internet, and maintains the necessary routing information to tunnel the data traffic to the SGSN.
[5] MVNO is a mobile operator that does not own any radio frequency spectrum and usually does not maintain a mobile network infrastructure. Instead, an MVNO has a business arrangement with traditional mobile operators (i.e., those who operate both the radio frequency spectrum and the infrastructure) to buy minutes and services at a discount to sell to its own customers.
[6] HLR is a database that maintains mobile subscriber information, e.g., international mobile subscriber identity (IMSI), service subscription information, service restrictions.
[7] VLR is a database that contains temporary information about the mobile subscribers who are currently located in a given MSC service area but whose HLR is located elsewhere.
[8] Op cit, Subex Azure

Dale Johnstone
is the chief security consultant for the Risk Management
Group of PCCW Ltd. As an information security evangelist
with more than 20 years of professional information security
management and IT experience, Johnstone has been involved
in various industry sectors including government, defense, law
enforcement, finance, manufacturing, transportation and
telecommunications. He maintains active memberships with a
number of international standards bodies. He can be reached
at dale.johnstone@pccw.com.
Ellis Chung Yee Wong, CISA, CFE, CISSP
is an IT audit manager in Hang Seng Bank of HSBC Group.
He has focused on such areas as IT operations, IT security,
auditing, risk assessments and investigation. He has
experience in a number of industries, including finance,
telecommunications and manufacturing. He can be reached at
elliswong@hangseng.com.

Information Systems Control Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to
the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT
Governance Institute and their committees, and from opinions endorsed by authors employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of
authors' content.