Objective/Sub Objective/Sub- Risk Control

Process Process Name Process Name Risk Description Risk Significance Risk Type Name
Description

Absence of policies and procedures to guide

x Network Operations could lead to inconsistent Planning
practices within Network department.

Network
x Operation
Policies and x
Procedures Non - compliance to enterprise policies and
x procedure for Network Operations could lead to Compliance
irregularities and delay in regular operations

In the absence of periodic review, policies and x

standards may not reflect the current needs of the
x Access
organisation / department which could impact
service delivery.
x
Accountability of the employees for the roles
Network performed may not be established in the absence
Operations
environment x of approved and documented organization Organization
infrastructure structure. structure
Network Department may not be functioning at
and processes the optimum level due to shortage of man-power.

x x In the absence of contracts with Vendors, there Outsourcing

would be no legal recourse in case of disputes.

Contract
Management
x

Contract x
Management
In the absence of defined SLAs and tracking
mechanism, timely completion of work cannot be
x ensured and penalties may not be applied for Outsourcing
delays and inefficiency.

Inadequate Network Maintenace scheduling could

x result in improper planning of maintenance Planning
activities leading to outages.

x
Failure to prioritize PM plan based on severity and
x traffic could lead to inefficiencies in PM resulting in Planning
outages leading higher revenue losses.

x
Failure in reviewing and revising PM plan could
lead to:
a. Inadequate planning causing improper
functioning of cell sites.
b. PM plan not updated on the basis of TT's
x (issues) reported leading to failure to incorporate Planning
sites with frequent incidents. This may lead to
frequent outages.
c. Newly installed sites may not be covered in the
PM plan which could lead to incident resulting into
outages

Preventive
x Maintenance
Scheduling and
Execution
 Preventive x
Maintenance
x
Scheduling and
Execution

Inadequate execution of preventive maintenance

x may expose to more number of incidents leading Planning
to power outages

Inadequate recording of the incidents, issues could

lead to failure or delay in resolving the problem at
x cell or core sites. This may lead to outages which Efficiency
could have been avoided or reduced.

x
In the absence of defined site visit guidelines, the
x PM performed may not be adequate and could Illegal acts
lead to risk of security breach at cell-sites

In the absence of camera monitoring at X and Y x

x centers, there could be risk of security breached Unauthorized use
no tracked.
x

x Unauthorised access to cell sites could lead to Illegal acts

security breaches and damage to equipments.

Physical and
 x

In the absence of a periodical physical verification

Physical and process, adequate maintenance of the network
x Environmental equipment may not be ensured leading to poor
Security functioning. This could lead to theft of equipment
x Planning
eventually leading to revenue loss.
Further, any missing equipment may not be
identified on time leading to site outage or service
disruption

Absence of defined site visit guidelines could lead

x to risk of security breach at cell and core sites Planning

Operations and
Maintenance x

Higher prices may be paid for the fuel which can

x Commodity pricing
be available at cheaper rate

Excessive fuel consumption may take place due to

x leakage or theft of fuel in the absence of fuel Commodity pricing
monitoring system.

x Fuel Maintenance
x

x Necessary actions may not be taken in the absence Commodity pricing

of reporting of fuel leakge or theft.
 x

Excessive or incorrect payments may be made to

x the fuel vendor if adequate reconciliation and Commodity pricing
regular norms of payments are followed

x
If generator maintenance is not adequately carried
out on timely basis, efficiency and performance of
x the DGs may be compromised. Poor peforming Efficiency
DGs will lead to increase in fuel consumption
Generator thereby increasing cost of operation.
x Maintenance
x
If overhauling of generators is not carried out on
x timely basis, it may lead to DG stoppage thereby Efficiency
causing revenue loss.

x
In the absence of an automated tool for inventory
management, the inventory tracking mechanism
x would not be effective leading to inventory losses Availability
not being tracked.

Spare Parts x
x
Management
In the absence of a monitoring and minimum and
maximum level of spares, there would be shortage
x of spares which could lead to delay in corrective Planning
maintenance causing prolonged network outages.

In the absence of periodic cost-benefit analysis,

cell-sites with low traffic will not be identified and
Cost benefit x the company may not be able to evaluate return Efficiency
analysis
on investments and other revenue generating
opportunities.

x
 x
In the absence of communication and adequate
x documentation of changes to site owner
x information may lead to incorrect payments / Unauthorized use
payments made to non existent site owners.

x
Cell site rental
contracts x Lease agreements for acquired sites may not be Contract
signed/renewed on timely basis commitment

x
x Rent escalation clauses in the site rental contracts Contract
may be punitive/unclear. commitment

In the absence of contract between Site Owner

x and Company X, there could be no legal recourse Illegal acts
in case of dispute

x
Processing of payments without critical supporting
documents including copy of contract, Networks
x site rental list etc may lead to incorrect payments Revenue Loss
x Site Rentals made to site owners.

Payment process and reconciliation not being

x performed between Netwrok's site rental list and Performance gap
Finances' x invoices list may lead to payment
processed for non existent / decommisioned sites.
 x
Inadequate segregation of duties among the x
Segregation of
duties x Accountants for creation, approval of invoice may Unauthorized use
result in unauthorized payments being processed

x
If KPIs are not defined or documented, efficient
performance review may not be ensured and
x penalties (in case of outsourcing) may not be Efficiency
levied.

SLA and KPIs In the absence of monitoring of mentioned tasks,

monitoring and x additional payments may be made for the services
reporting not offered

x
Failure to review the performance reports by the
management may lead to delay in providing
x resolution to issues highlighted. This could lead to Revenue Loss
poor performance of network resulting into
outages.
 Type of Nature of Information Testing Detail
Control Description Frequency control control processing Name Type
Objective

Policies and procedure should exist and be adequate Annually Preventive Manual Completeness x Inquiry
for Network operations and processes.

Practice followed to carry out activities of operations

and maintenance should be in compliance with the Annually Preventive Manual Completeness x Inspection
procedures as defined in the process documents

Periodic reviews of these policies should be done to Completeness;

Annually Detective Manual x Inspection
make them relevant. Accuracy

An approved organizational chart showing Network

Operations functions, reporting lines defined roles and Semi Preventive Manual Completeness; x Inquiry
responsibilities should be in existence. annually Accuracy

A contract document with necessary details should be

negotiated, agreed to and signed off for every Annually Preventive Manual Completeness; x Inspection
outsourced service. Validity
Appropriate service levels should be set, agreed to,
monitored and reported on regularly. Monthly Detective Manual Validity x Inspection

Completeness;
Network equipment maintenace schedule need to be Weekly Preventive Manual Accuracy; x Inquiry
prepared. Validity;
Timelines

Network elements should be given priorties on the

basis of importance & maintenace need to be scduled Daily Detective IT and Validity; x Observation
accordingly Manual Timelines

a. Network PM plan should be revised on periodic

basis to incorporate all changes
b. PM plan is being reviewed and approval is provided Monthly Detective Manual Validity x Inquiry
by senior management to validate if all criteria are
considered
a. PM is executed as per the monthly plan.
b. All the steps mentioned in the checklist are
adequately followed and snags noted if any reported
on timely basis. Monthly Detective Manual Validity x Inquiry
c. Snags noted during the PM are closed within the
specified time limit

a. All the alarms reported should be recorded in the

trouble ticketing system.
b. Required severity configuration should be available
to ascertain the priority and urgency of the alarm. Completeness;
c. Status report on the % of closure of tickets should be IT and Accuracy;
prepared and shared with the Senior Management on Ad hoc Preventive Manual Validity; x Inquiry
periodic basis. Timelines
d. Reconciliation should be done on sample basis to
ensure that all alarms reports have a trouble ticket
generated

Physical access policy and procedure should be Quarterly Preventive IT Restricted x Observation
present. Access

There should be adequate monitoring mechanisms at X IT and Restricted

and Y. Quarterly Preventive Manual Access x Observation

There should be adequate access authorization lists

present which should be updated periodically. Monthly Preventive IT and Restricted x Observation
Access reports should be maintained to monitor the Manual Access
entry and exit of personnel.
a. Surprise visits should be carried out to cell and core
sites on periodic basis to test the adequacy of physical Completeness;
and environmental security. Adhoc Preventive IT and Accuracy; x Reperformance
b. There should be adequate monitoring (CCTV) Manual Validity
mechanisms at X (high priority) and core sites.

a. There is a well defined physical access policy and

procedure in place covering steps to be followed for
physically accessing the site. IT and Completeness;
b. There should be adequate access authorization lists Adhoc Preventive Manual Accuracy; x Observation
present which should be updated periodically. Validity
c. Access reports should be maintained to monitor the
entry and exit of personnel.

Ensure that fuel is procured at the most reasonable IT and Completeness;

Daily Preventive Accuracy; x Inquiry
rate. Manual Validity

There should be adequate fuel monitoring system to Completeness;

track the amount of fuel filled and consumed at the Daily Preventive IT and Accuracy; x Inquiry
sites. Manual Validity

Completeness;
Additional fuel consumption or leakage if any should Daily Preventive IT and Accuracy; x Inquiry
be reported to find the root cause. Manual
Validity
Payments made to the vendor carrying out fuel filling IT and Completeness;
activity should follow the regular norms of payments. Daily Preventive Manual Accuracy; x Inquiry
Validity

a. Maintenance of diesel generators should be carried

out appropriately after xxx running hours. Completeness;
b. Oil, water and and parts replacement should be Adhoc Preventive IT and Accuracy; x Inspection
Manual
carried out based on the brand recommendation. Validity

No of running hours of generator should be noted. IT and Completeness;

Minor and major overhauling of generators should be Adhoc Preventive Accuracy; x Inspection
carried out depending on the brand. Manual Validity

IT and Validity;
Inventory control tool should be present. Weekly Detective Manual Restricted x Inspection
Access

a. Inventory movement of the network spares should

be monitored on daily basis. Completeness;
b. Adequate passive network spares should be Weekly Preventive Manual Accuracy x Observation
available to ensure smooth corrective maintenance.

a. Cost benefit analysis is carried out for all cell sites.

b. Expenses such as rent, maintenance cost and other Completeness;
variable cost are considered while carrying out cost Quarterly Detective IT and Accuracy; x Inquiry
Manual Validity;
benefit analysis. Based on the result of such analysis, Timelines
site planning and expenditure should be decided.
Adequate documentation is maintained for all Completeness;
IT and Accuracy;
payment requests and changes in contract Adhoc Preventive Manual Validity; x Inspection
information of the suppliers
Timelines

a. Database maintained for all sites showing the status

of lease agreements.
b. Site Management Team monitors timely renewal of Ad hoc Preventive Manual C; A x Inspection
lease agreements.

Legal Department reviews contracts to ensure that

standard and competitive escalation clauses are Ad hoc Detective Manual A; V x Inspection
written into each contract.

a. There is a signed contract between the Site Owner

and Company X
b. The supporting documents such as site owner ID,
location ownership documetns, approvals from city Annually Preventive Manual Accuracy x Inspection
and other govt. authorites are provided along with the
contract.

a. Payment processing is done with critical documents

including approved payment voucher, copy of contract,
IT and Completeness;
bank payment voucher etc. Monthly Preventive Manual Accuracy x Reperformance
b. Payment is processed for only those Cell Sites that
are reconciled with the Network's list

a. Process for reconciliation is enforced between x

Invoice List and Networks Site Rental list on a periodic
basis.
b. The Network's Site rental list is reviewed and
approved by the authorized personnel at Network Monthly Preventive IT and Completeness; x Inquiry
dept and x Finance dept. Manual Accuracy
c. The exceptions noted in the reconcilitaion between
Networks Site rental list and x Invoice list are being
reviewed and resolved.
The user acess rights for Invoice Creation, Invoice
IT and
Approval and Cheque Printing has been restricted to Adhoc Detective Manual Validity x Inspection
the staff member who is in that specific role.

KPI's for network operation team need to be defined &

documented Quarterly Preventive Manual Completeness x Inquiry

All the reports are prepared and submitted each

month to ensure that all the relevant services
mentioned are adequately provided and adherence to Monthly Preventive Manual Completeness x Inquiry
the same has been ensured

Capacity & performance reports genrated form the

system need to be reviewed by approipate Completeness;
Weekly Detective Manual Accuracy; x Observation
management level & proper action taken against issue Validity
reported.
 TO BE UPDATED
Test Description DURING FIELDWORK

Date
Scope Mapping List of Requirements Date Sent Received Testing Status Testing

a. Determine the existence of all relevant policies

/procedures such as Preventive Maintenace (PM), Site
Access, Payments processing for the maintenance
services etc. that apply to Network operations and
processes.
b. Check if all the relevant policies are communicated
and shared on common portal and are easily
accessible
Maintenance policies
and procedures for Policies and procedures for
Determine if the security policies that apply to cell-sites for adequacy operations & maintenance;
Network operations are complied with. and compliance

Review policies/procedures if they are adequate,

approved, and reviewed periodically.

Organization chart of
Operation & Maintenance
team with allocated
responsibilities

a. Determine if there exists a contracts with all

operations and maintenance vendors List of vendor /
b. Determine whether contract documents are maintenance agencies;
available and maintained for outsourced services. Contracts with vendors and
maintenance agencies;
Passive maintenance
contracts relating to
cell-sites for adequacy
and compliance
 Passive maintenance
a. Obtain a copy of the complete contract signed with contracts relating to
all the vendors involved in Operations & Maintenance cell-sites for adequacy
of passive components. and compliance
b. Verify if the SLAs, KPIs and timelines for various
activities mentioned in the contract are as per the
Operations & Maintenance processes / procedures.

a. Obtain network preventive maintenance schedule

planned for the mentioned sample.
b. Review if the scheduling is as per policy.
c. Review if all the cell sites are adequately covered in
the PM plan.
d. Check and review if the changes in severity are not
adverse to the original PM plan

a. Check the priorities given to various networ

elements & time interval defined between two
scheduled maintenance.
b. Check if the scheduling is carried out based on the
site priority and as per policy.

a. Check if the management review the PM plan to

ensure the plan/schedule is as per the requirement.
b. Check for instances (if any) where management has
revised the plan.
c. Review if the plan is revised on periodic basis based
on the issues reported (TT's). Also change in the
priority (if any) is considered in revision. In addition,
new sites planned are added in the PM plan and there
is no charging for the decommissioned sites.
a. Check if the PM is executed as per the plan.
b. Review if all the mentioned steps in the checklist
are adequately followed and snags if any are reported. a. Preventive and corrective
c. Check if all the external alarms are tested during the maintenance (for radio and
PM. core sites) procedures /
d. Obtain sample alarms logs and validate the testing checklist & schedule for
of alarms. 2016
e. Check if the snags are cleared on timely basis. b. Preventive Maintenance
f. Check if all the critical site related information (such actual report for year to
as site ID, power source type, PM plan date, PM actual year
date, genset running hours etc) is noted during the PM c. Photo reports of the
is adequately captured. preventive maintenance
performed for 10 samples
(radio site) per month from
date
d. Dump of all alarms
generated at cell sites in last
3 months (date);

a. Carryout a walkthrough of the trouble ticketing

system to ensure that all required fields are
adequately captured and reported to.
b. Check if adequate severity of the trouble tickets are
captured at the time of creation.
c. Check if all the alarms are reported in the trouble
ticketing system.
d. On sample basis, carry out reconciliaton of alarms
and trouble tickets to ascertain that all alarms are
recorded in trouble ticketing system.

Check how physical access is restricted & appropriate

security levels are maintained

Check logs of engineer visit made to the network site

are being recorded or not along with type of activities
carried out by engineers on the sites
Verify that access authorization list is prepared for
various network sites
Check change made in access authorization list on
regular basis or not

Safety, health and

environmental
a. Check if there is a process in place to carry out
surprise visits to assess the physical and
environmental security.
b. Obtain reports on suprise visits and validate if any Safety, health and
exceptions are noted. environmental
c. Check if actions to make correction is taken for the guidelines and their
exceptions noted. compliance
d. Check if the PM is rejected for the site visited.
e. Check how physical access is restricted &
appropriate security levels are maintained by visiting
sample radio sites and core sites.

a. Check if logs of engineer visit made to the network

site are being recorded, along with different activities
carried out by engineers on the sites.
b. Review logs of the engineer visit with that of the
previous months PM visit details.
c. Check if adequate access is taken by the team
visiting the site for PM.
d. Verify that access list is prepared for various
network sites.

a. Understand the process of initiating fuel purchases

b. Review the procedures for identifying suppliers and
whether long term contracts have been signed with a. List of all vendors for fuel
these suppliers. management activity
b. Contracts with all vendors
for fuel management

a. Review the procedures in place for periodic

evaluation of the suppliers (quality, adherence to
timelines, etc)
b. Has trigger levels (reorder, minimum & maximum
levels) been set for each site based on consumption
pattern Fuel management
process and control
mechanisms for
reducing cell site
a. Review the average fuel consumption report. downtimes due to
b. Review the process to report leakage or theft of untimely supply of fuel
fuel.
c. Review the actions taken on the instances of theft of
fuel
 downtimes due to
untimely supply of fuel

a. Check whether purchase requisitions have been

initiated as per the procedures
b. Review whether the PO have been raised and
authorized by the respective authorities within the
company
c. Check for trail of PO delivery to the preferred
supplier with time and quantity and price.

a. Review the process for maintaining generators.

b. Review the Annual maintenance contracts for
generators.
c. Review the controls on average monthly running
expenses of generators.

a. Review the periodicity of preventive maintenance

done over generators.
b. Review the process for overhauling of generators.

a. Determine whether there is network inventory

management tool or not?
b. Check whether inventory updating is automatic if List of warehouses for
not check the mechanism for updating in the system storage of spare parts;

a. Check if the spares inventory is monitored on daily Inventory procedures

basis. for spares
b. Obtain monthly reports of passive equipments of
spares to ensure that adequate monitoring is in place Inventory reports from all
for the spares. warehouses for last 3
c. Check if minimum and maximum level of spares are months
ensured based on policy

a.Inquire if Network is monitoring/preparing cost

benefit analysis for each cellsites.
b. If yes, obtain the sample report in the last 6 months
and check if all relevant variable costs were
considered in the computation of expenses.
c. If no, perform an analysis by comparing the
traffice/revenue per cellsites vs the variable cost
allocated for each cellsites like fuel, electricity, water
and other relevant utilies.
Review the adequacy of documentation maintained
for all payment requests and changes in contract List of all cell site vendor
information from suppliers along with the details such
as start date of contract,
end date, rent to be paid

a. Check whether lease agreements are valid and that Contracts for cell-site
they have not expired. Sample contracts with radio
sharing and recognition site vendors (site owners) -
b. Review the process of lease agreement renewal. of relevant revenue minimum 20 contracts (5
and expenses samples for shared
location);
Review a sample of site contracts to understand the
escalation clauses, payment of statutory dues etc.

a. Review the Contract, supporting documents and

sign on the contract with the site owner
b. Review whether the agreement Terms & conditions
are reviewed by Legal team.
c. Review if the supporting documents are complete Reconciliation of
and adequate. payments for the cell
site rentals as per the
Network Database
a.Review the reconciliation performed by between AP (including dump from
Invoice list and the Site Management cell site data NOC on site status) and
b.Review the documents verified, past payment Finance Department
history of supplier by the AP Accountant prior to
approval of invoice

a. Reviewthe process of validation of Networks list

prior to invoice creation
b. Review the signatures on the reconcilied Networks
list
c. Review of cell site payments / Statement of
Supplier A/Cs to ensure payments are made in
accordance to the contract terms
a. Details of radio site rental
payments made in last 3
Payment processing for months;
the cell site vendors b. Details of electricity
payments made in last 3
months for radio sites;
a. Review the if User Access rights in Oracle AP have
been granted to the AP Accountants that are above
their authority matrix Access rights for the
b. Review any overlaping fucntions access granted to relevant activities
AP Accountants been granted

Obtain the list of KPI for network operation team

Key performance
indicators relating to
cell-site operations and
maintenance

a. Review if there list of reports which are required to

be submitted by vendor each month.
b. Review if there exist monitoring on the number of
reports agreed in the contract. List of vendor performance
c. Review if the SLAs and KPIs as defined are measurement KPIs for &
monitored on periodic basis (as mentioned in the interdepartmental SLAs for
contract) to reflect the performance of the 2016;
maintenance vendor.
d. Request for reports for all SLA and KPIs on sample
basis.
e. Validate the reports to ensure that the final Service Level
calculated SLA and KPIs achievement is as per the Agreements and
target and deviation if any is being penalized compliance

Check reports are being reviewed by approximate

management level on regular basis & their analysis &
feedback.
Evidence/WP Review Manager's Auditor's
reference Status of Review Reply to Initial Findings
Manager Comments Comments