JOnline: Billing Audit on a Mobile Operator—Call Detail Record 

Download Article

A call detail record (CDR) in the telecom sector is a file that contains information about voice calls. CDR files are used to help determine call rates and the calculation of billable amounts, such as international direct dialing (IDD) calls, as they contain information about source and destination identifiers, and the starting time and duration of calls.

In spite of the emergence of new telecommunications technologies, i.e., from fixed line to mobile networks, the fundamental concept of and reliance on CDRs for rating and billing purposes remain more or less the same. In today’s mobile network, CDRs may contain information on more than one type of traffic, e.g., voice calls, video calls, Short Message Service (SMS) traffic and other data services. The change of business model in mobile network business, due to the new technology capabilities of third generation (3G) mobile networks, has shifted the importance from voice calls to other value-added content services. As a result, the formats and generation of CDRs have increased in terms of their complexity.

According to a study1 on revenue loss in 2006 based on feedback from almost 100 telecom operators around the world:

  • Mobile operators have the highest average revenue leakage (14 percent)
  • Fraud (external, internal and by other operators) is the number one factor in losses; the average fraud losses have grown to 4.5 percent of revenue from 2.9 percent in the previous year

In addition to fraud, three other sources of revenue leakage are discussed in the study: poor processes and procedures, poor systems integration, and problems associated with applying new products and pricing schemes.

This article highlights some high-risk areas for potential CDR leakage or fraud in postpaid services, and explains how the potential losses can be identified. An overview of the billing process provides a basis for understanding, the major sources of CDRs are then identified, and finally the four distinct control areas designed to address revenue leakage that results from the processing of CDRs are presented.

Billing Process

A simplified billing process of a mobile operator is shown in figure 1. The raw CDRs generated from various network elements within the operator are sent to a centralized location, often referred to as a mediation module, for prebilling process. A prime function of the mediation module is to transform and clean raw CDRs and place them into a format acceptable by a billing engine.

Figure 1

Apart from the internally generated CDRs, a mobile operator may also be required to obtain CDRs from its business partners (e.g., IDD unilateral/bilateral agreements and content services providers), roaming2 partners (data and/or voice), and Short Message Service (SMS) clearinghouses. These CDRs, unlike those generated internally, could be routed to either the mediation module for preprocessing or directly to the billing system.

CDRs entering the billing engine first undergo the rating process; the actual billable amount is adjusted further according to the subscribed services and products.

Major Sources of CDRs

There are three major sources of CDRs:

  • Voice servers
  • SMS
  • Data services

Voice Servers

Mobile phone call conversation traffic (whether it is outgoing or incoming, and involves a fixed or mobile network) is deemed to pass through a key mobile network element known as a mobile switching center (MSC). Since the core function of an MSC is call routing, the raw CDR of a call is typically being collected, generated and maintained within the MSC.

In a local call scenario, the traffic may be connected through the MSC to a public-switched telephone network (PSTN) for a fixed-line network or directly to an MSC of another mobile network operator. For an IDD call being made from a mobile phone, its traffic may be routed from an MSC to an international toll gateway (ITG) or other IDD services providers. The functions of an ITG are similar to an MSC in the maintenance of CDRs and call routing, except the former is for IDD calls only. Figure 2 illustrates the flow of both local and international voice calls.

Figure 2

Short Message Service

The CDR of an SMS is generated and recorded in a network element called a Short Message Service center (SMSC). The SMSC provides a store and forward function delivering SMS messages to intended destination users when they are available. The SMS messages designated to networks of other fixed-line or mobile operators are routed to the respective SMS message partners or SMS clearinghouse(s) for further delivery. An SMS clearinghouse provides dedicated routing paths for a mobile operator to send/receive SMS messages to/from other telecommunication operators. Therefore, the mobile network operator can minimize both technical and business arrangements in operating SMS business. Figure 3 describes the SMS operation.

Figure 3

Data Services

The Global System for Mobile Communication (GSM), a second generation (2G) network, has a maximum data speed of 9.6 kilobits per second (Kbps) and is based on circuitswitching technology. The General Packet Radio Service (GPRS) 2.5-gigabyte network architecture is the foundation for mobile operators that offer high-speed data services. The progression of GPRS infrastructure allows enhanced data rates for GSM Evolution (EDGE) technology to offer data rates up to 384 Kbps, while a data rate up to 2 Megabits per second (Mbps) can be achieved in 3G mobile networks. Selected data services are listed in figure 4.

Figure 4

The packet-based data transmission nature of GPRS distinguishes the data services billing mechanism from voice services that are charged mainly on duration of calls and time of day. Information being used for data service billing purposes may include volume, in terms of packet or byte count; transmission start and end times; applications; and types of content-related information. Typically, usage sources of data services are recorded at the Serving GPRS Support Note (SGSN)3 and the Gateway GPRS Support Node (GGSN).4

The information collected from the SGSN and the GGSN is first sent to a dedicated charging gateway (CG) prior to being forwarded to the mediation module. The CG makes a log entry, i.e., creates a CDR, whenever there is network activity on data being transferred, a change in the charging terms, an alteration in quality of service or if a data session ends. The main function of a CG is to collect CDRs from both the SSGN and GGSN, buffering and transferring CDRs to the mediation module of the billing system. Figure 5 is a simplified diagram of the GPRS architecture, demonstrating how CDRs are routed to the billing system.

Figure 5

Audit Considerations

The major audit considerations for CDRs include routing path selection, CDR reconciliation, filtering rules maintenance and logical protection.

Routing Path Selection

As mentioned in the previous sections on voice services and SMS, a mobile operator requires connectivity to other telecommunications providers when routing IDD calls through MSC/ITG and SMS through SMSC. A mobile operator often connects to more than one counterpart for reasons associated with costing, contingency requirements and availability of services within particular regions. Due to strong competition within the telecommunications industry, an operator might want to maintain a versatile routing-path-selection procedure, which can assist in lowering the running costs wherever possible.

In this respect, an auditor could explore internal control questions (ICQs) related to the routing-path-selection criteria controls in making a change, availability and protection of an audit trail, and validity of business arrangements with the counterparts.

CDR Reconciliation

CDRs between various network elements and billing engines should be compared and reconciled on a regular basis, to identify any discrepancies, leading to the prevention of revenue leakages. Figure 6 identifies typical network elements involved in the CDR reconciliation process.

Figure 6

It can be seen from figure 6 that many network elements are involved in data services, and, therefore, the reconciliation of CDRs is complicated. In addition, the CDRs among the network elements within a mobile operator are required to be reconciled. The mobile operator is required to settle and approve CDRs with its business partners, including other telecom carriers, SMS clearinghouses, roaming partners, content service providers and mobile virtual network operators (MVNOs).5

A mobile operator’s reconciliation process must be adaptable enough to accommodate the complexity of technology and the need for prompt response to emerging business requirements. A new type of service offering, a change in charging mechanism by a content service provider, a replacement of a network element with that of a different manufacturer, a delay in the scheduled delivery of CDR files from roaming partners, or newly imposed pricing schemes of the IDD service carriers could all have various degrees of impact on reconciliation controls. It is, therefore, possible to find mobile operators accepting a certain level of discrepancy/loss in their CDRs instead of extending resources and efforts to ensure the necessary controls.

In evaluating potential revenue leakages or frauds that arise from deficiencies in the CDR reconciliation process, an auditor might examine the following areas:

  • Segregation of duties between the operation of the network infrastructure and the reconciliation process. This is necessary to maintain the integrity and independence of the verification of CDR entries.
  • Appropriateness and timeliness of CDR reconciliation testing. The scope of the test should be extensive in terms of the coverage and range of service agreed to by the internal parties and external counterparts.
  • Alignment of business arrangements associated with CDR generation and collection establishments. The CDRs’ origination and format are expected to be compatible with defined business requirements, e.g., collection of CDRs from web content servers.
  • System interfaces control of key network elements (e.g., MSC, ITG, SMSC, SSGN, GSGN, CG, mediation module). This should be well documented, and any modification on the system interface should be approved adequately.

Filtering Rules Maintenance

The correctness of filtering rules, i.e., programming of conditions according to predefined business requirements found in the mediation module, is the most important factor to ensure that appropriate and complete information is delivered to the billing engine for rating and calculation. It is necessary, for example, for the service type to be mapped accurately against the corresponding rate plan for correct billing.

An assessment of filtering rules, such as types of service (e.g., voice, SMS, roaming, data), volume of data in content services, duration, source and destination (e.g., IP address, called number, calling number), commencing time and end time, and trunk ID (e.g., trunk assignment according to a different pricing zone), may require inspection of program logic and a determination of whether the programs would have any adverse effect on information. Furthermore, an auditor should determine the adequacy of change controls over filter rules and the retention management process of the CDRs prior to being filtered for future verification and/or regulatory purposes.

Logical Protection

The evaluation of network-level logical controls can be focused on the data services’ infrastructure, accessible by subscribers of a mobile operator. To this extent, typical information technology (IT) audit tasks could be carried out on network routers and switches, firewalls, domain name service machines, Dynamic Host Configuration Protocol (DHCP) servers, and intrusion detection/prevention systems.

At the host level, an auditor may access the adequacy of protection on critical network elements including ITG, MSC, CG, mediation module, GGSN, SGSN, SMSC, billing engine, home location register (HLR)6 and visitor location register (VLR)7 from unauthorized access and/or configuration change. An auditor should be aware that, together, HLR and VLR maintain a list of authorized subscribers admissible to a mobile operator’s infrastructure, so an inspection of the integrity of the database and its modification process would be a useful task to perform.

Conclusion and Summary

An audit on the billing (i.e., CDR) of a mobile operator is not a trivial task because of the diversity of technology and number of manual and automatic processes involved. Auditors are expected to conduct in-depth reviews and analysis on CDRs, e.g., sorting of records by service type, identification of called and calling parties, duration of service.

Some common observations that coincide with the findings from the study8 introduced previously are described in figure 7.

Figure 7


1 Subex Azure, Operator Attitudes to Revenue Management Survey 2007,

2 According to the GSM Association,, “roaming” is the ability for a cellular customer to automatically make and receive voice calls, send and receive data, or access other services when traveling outside the geographical coverage area of the home network, by means of using a visited network.

3 SGSN is the node within the GSM infrastructure that sends and receives packet data to and from the mobile stations and keeps track of the mobile devices within its service area. It also performs functions including tracking a mobile device location, user verification and collection of information for billing.

4 GGSN is the node that interfaces to external public data networks, such as the Internet, and maintains necessary routing information to tunnel the data traffic to the SGSN.

5 MVNO is a mobile operator that does not own any radio frequency spectrum and usually does not maintain a mobile network infrastructure. Instead, an MVNO has a business arrangement with traditional mobile operators (e.g., those who process both the radio frequency and infrastructure) to buy minutes and services of use at a discount to sell to its own customers.

6 HLR is a database that maintains mobile subscriber information, e.g., international mobile subscriber identity (IMSI), service subscription information, service restrictions.

7 VLR is a database that contains temporary information about the mobile subscribers who are currently located in a given SMSC service area, but the HLR is located elsewhere.

8 Op cit, Subex Azure

Dale Johnstone
is the chief security consultant for the Risk Management Group of PCCW Ltd. As an information security evangelist with more than 20 years of professional information security management and IT experience, Johnstone has been involved in various industry sectors including government, defense, law enforcement, finance, manufacturing, transportation and telecommunications. He maintains active memberships with a number of international standards bodies. He can be reached at

Ellis Chung Yee Wong, CISA, CFE, CISSP
is an IT audit manager in Hang Seng Bank of HSBC Group. He has focused on such areas as IT operations, IT security, auditing, risk assessments and investigation. He has experience in a number of industries, including finance, telecommunications and manufacturing. He can be reached at

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.

Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.