Why Enterprises Fail DoT Audits?

Recently a global PBX manufacturer, with a major presence in India, encountered trouble with their DoT (Department of Telecommunication) audits. Weeks of anxiety, architecting, paperwork and other risks to operations followed. So, if enterprises that manufacture PBXs can go foul of DoT audits, what chance do other organizations have?

The key, as is usually the case, lies in establishing efficient processes and engaging expertise.

India Toll Compliance and OSP Registration

The Government of India, through the DoT and TRAI (Telecom Regulatory Authority of India), have created a set of regulations for the coexistence of traditional telephony and VoIP. These regulations constitute what is generally referred to as ‘India Toll Compliance’. Additionally, all call centers (and many other service providers) operating out of India are required to register with the DoT to be certified as an OSP (Other Service Provider).

The OSP registration involves adhering to the India toll compliance regulations, complying to the OSP terms and conditions, liaising with the DoT officials and submitting detailed documentation to DoT and the auditors.

Underestimating the configuration complexity

One of the key reasons enterprises fail DoT audits is their underestimation of the configuration complexity involved in establishing a compliant OSP center. Consider some of these regulations — Domestic OSPs and International OSPs can co-exist on the same PBX but are barred from communicating with each other in any manner, International OSPs are barred from communicating over domestic PSTN trunks, calls involving PSTN trunks and private VoIP trunks cannot bypass long distance or international toll, call records and logs need to be stored at each location, for a period of one year in a tamper-proof and audit-worthy format and many more.

Each of these regulations require multiple configurations across a PBX to effectively enforce, and missing any of them would create gaps and result in toll compliance failures and toll bypass.

The complexity of these configurations requires enterprises to engage proper expertise to ensure they are compliant. Often, enterprises with good track records have engaged external consultants to guide them, rather than rely completely on their overworked IT departments.

Inadequate change control mechanisms

Frequently, we see enterprises establishing fully compliant communications infrastructure at the time of initial configuration, but having inadequate change control mechanisms for subsequent modifications. A simple trunk configured in an incorrect tenant or geolocation could result in total failure of compliance. Even something as trivial as adding a new extension with incorrect properties could result in compliance violations.

So, a key tenet of ensuring continuing compliance is to ensure all configuration changes in the system are vetted by compliance and system experts before they are enforced. In a call center environment, where there is a large human resource churn, ensuring proper change control mechanisms can be a daunting task. Automation systems that monitor and ensure compliance can be used in environments with significant configuration activity like call centers.

Communication and Process deficiencies

When multiple stakeholders are involved — like technical consultants, administrators, liaising contractors etc. — unambiguous process and clear communication become key to maintaining a compliant enterprise. Configuration changes, addition of capacities, sites or locations, acquisitions or mergers of companies or even something as trivial as adding additional agents or trunks to increase capacities can turn an enterprise non-compliant. Communicating these changes to liaising contractors and technical consultants in a timely manner, is key to maintaining a compliant enterprise. One mechanism to ensure effective management of this risk, is to use end-to-end assurance services or turnkey solutions.

While there are many options for managing compliance and to ensure DoT audits don’t fail, to rely purely on filing paperwork to get you through these audits is a risk that is not worth taking for most enterprises. Risk of compliance failure always needs to be measured in the quantum of monetary, operational and reputational loss.