<div>
It does, much appreciated.<br />
<br />
Aside from the security issues / elements of IT audit, is there any other key areas to review around voip/telephony? 
</div>


<div>
- Redundancy: if your primary voip server fails, how much will the business suffer? How long would it take to have a replacement? Is it necessary to have a redundant box?<br />
- Backup and restore: does your VOIP solution implement an effective and efficient way of backing the data and restoring it?<br />
- Survivability: if there are remote sites where you deploy phones using a WAN link to connect to their server, what would happen if the link goes down? Is there a solution to have basic calling features in that scenario?<br />
- Emergency dialling: for example, if there is an access code in place for outbound calls, call it 9 for example, how will users dial 911? 9911or &nbsp;just 911?. Also it is important to make sure that the circuits used for emergency dialling allow the 911 service to identify the real location of the emergency. VOIP trunks tend to be tricky.<br />
- Network infrastructure: VOIP is a very large topic. The underlying network requires preparation to make it work, specially when you want to pull out toll bypass and intersite calling. This item includes voice vlans, DHCP offers with the necessary options (TFTP servers, NTP servers, SIP proxies), bandwidth calculation, Quality of Service, Call Admission Control, Power over Ethernet considerations and so forth.<br />
<br />
These are some items I can think of, but I think they are a mouthful.<br />
<br />
Regards,
</div>


<div>
Great points, what about management control of 'calls' which is what it is for at the end of the day, excessive or inappropriate use etc
</div>


<div>
VOIP systems have Class of Control, or Class of Restriction. This means you can categorize calls, and then allow certain users with appropriate calling privileges that will route some calls while blocking others.<br />
<br />
You can also enforce Forced Authorisation Codes so that certain patterns (international, services, etc) require the caller a code with the necessary weight to allow the call through.<br />
<br />
Some VOIP systems, like Cisco, have a hard time when it comes to inbound calling restriction. Many times I have seen users harassed by external callers, and the only way to achieve call blocking based on the caller number (one specific number alone) is to have H.323 gateways. Other systems like Asterisk and OpenSIPS have less issues or none at all on these regards.<br />
<br />
Finally, if you have Call Detail Records, and a nice analysis tool, like this one for illustration purposes: <br />
<br />
<a href="http://www.cdr-stats.org/screenshot/" rel="ugc">http://www.cdr-stats.org/screenshot/</a><br />
<br />
Then you will be able to tell if a user is abusing of the system or things like that. 
</div>


<div>
<div class="content wysiwyg-content">
What should be coverered/reviewed in a voip/telephony IT audit? WOuld prefer comments as opposed to links. And what you pereive to be the biggest risks to voip/telephony - if this is your filed of expertese?
</div>
</div>


What should be coverered/reviewed in a voip/telephony IT audit? WOuld prefer comments as opposed to links. And what you pereive to be the biggest risks to voip/telephony - if this is your filed of expertese?

Voip assessment

Voice over IP (VoIP) is a methodology and group of technologies for the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet. Other terms commonly associated with VoIP are IP telephony, Internet telephony, broadband telephony, and broadband phone service. The term specifically refers to the provisioning of communications services (voice, fax, SMS, voice-messaging) over the public Internet, rather than via the public switched telephone network (PSTN).  Examples of the VoIP protocols are H.323, Media Gateway Control Protocol (MGCP), Session Initiation Protocol (SIP), H.248 (also known as Media Gateway Control (Megaco)), Real-time Transport Protocol (RTP), Real-time Transport Control Protocol (RTCP), Secure Real-time Transport Protocol (SRTP), Session Description Protocol (SDP), and Inter-Asterisk eXchange (IAX).

Voice Over IP

IP telephony (Internet Protocol telephony) is a general term for the technologies that use the Internet Protocol's packet-switched connections to exchange voice, fax, and other forms of information that have traditionally been carried over the dedicated circuit-switched connections of the public switched telephone network (PSTN). Using the Internet, calls travel as packets of data on shared lines, avoiding the tolls of the PSTN. The challenge in IP telephony is to deliver the voice, fax, or video packets in a dependable flow to the user.

IP Telephony

Networking is the process of connecting computing devices, peripherals and terminals together through a system that uses wiring, cabling or radio waves that enable their users to communicate, share information and interact over distances. Often associated are issues regarding operating systems, hardware and equipment, cloud and virtual networking, protocols, architecture, storage and management.