Download (1.3M; Member Only)
Purchase the Book
Provide feedback on this document
Visit the Audit Tools and Techniques Knowledge Center community
IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the Certified Information Systems Auditor (CISA) designation and/or necessary subject matter expertise to adequately review the work performed.
A typical VoIP network comprises a complex series of cooperating protocols, networks (wireless and wired), servers, security architectures, special services (such as E-911), backup and recovery systems, and interfaces to the PSTN.
During the audit planning process, the auditor must determine the scope of the audit. Depending on the specific implementation, this may include:
- Evaluation of governance, policies and oversight relating to VoIP
- Data classification policies and management
- The appropriate VoIP business case, actual deployment or upgrade processes, strategy and implementation controls
- Technical architecture(s), including security systems, multiple platforms (different vendors which supply and/or support VoIP), interfaces with data networks, backup and recovery, data retention and destruction policy, and technology
- Assessments of IT infrastructure and personnel to support the VoIP architecture(s)
- Baseline configurations of deployed hardware and software
- Issues related to decentralized VoIP servers
- Issues related to failover clustering, where appropriate
Security considerations for the public switched telephone network (PSTN or dial-up) are outside the scope of this document.