What Happens During a Free VICIdial Audit (And Why It Takes 24 Hours, Not 24 Days)

You have been thinking about getting your VICIdial system audited. Maybe connect rates are dropping. Maybe your IT person left and nobody really understands the configuration anymore. Maybe you just have a nagging feeling that your dialer is underperforming but you cannot pinpoint where.

The problem is not knowing what you are signing up for. “Free audit” sounds like the start of a sales pitch that ends with someone pressuring you into a contract. We get it. So this article explains exactly what happens during our 247-point VICIdial audit, what you need to provide, what the report looks like, and what happens after. No ambiguity.

What You Need to Provide

The audit requires SSH access to your VICIdial server (or servers, if you run a cluster). That is it.

We need a non-root user with read access to the VICIdial database and Asterisk configuration files. We do not need admin panel credentials. We do not need your carrier passwords. We do not need access to your CRM.

Here is the typical setup:

# Create a read-only audit user (you run this, not us)
useradd -m vicistack-audit
# Grant read-only MySQL access
mysql -e "CREATE USER 'vicistack_audit'@'localhost' IDENTIFIED BY 'your-password-here';"
mysql -e "GRANT SELECT ON asterisk.* TO 'vicistack_audit'@'localhost';"
mysql -e "FLUSH PRIVILEGES;"

If you are uncomfortable giving SSH access to an outside party, we can walk you through running our audit scripts yourself and sending us the output. About 15% of our clients choose this option. Takes an extra 30 minutes on your end but gives you full control over what data leaves your server.

Total setup time: 10-15 minutes.

The 247 Checkpoints, Broken Down

The audit is not one person poking around your system for an afternoon. It is a structured diagnostic that covers seven categories, each with specific checkpoints. Here is what we actually look at.

Category 1: Server Health (38 checkpoints)

The foundation. If your hardware or OS is struggling, nothing else matters.

Checkpoint Area	What We Check	Common Findings
CPU utilization	Load averages, per-core usage, steal time (if virtualized)	30% of audits find CPU steal above 5% on shared hosting
Memory	RAM usage, swap activity, OOM killer history	Swap usage above 1 GB kills call quality
Disk I/O	Read/write latency, IOPS, queue depth	Spinning disks on recording servers are the #1 disk issue
Disk space	All mount points, recording directory growth rate	22% of audits find servers within 60 days of disk exhaustion
Network	Packet loss, jitter, latency to SIP endpoints	Anything above 30ms jitter degrades voice quality
OS configuration	Kernel tuning, file descriptor limits, TCP settings	Default kernel parameters are wrong for telephony workloads
Time sync	NTP/chrony status and drift	Time drift above 500ms breaks CDR accuracy and billing
Security patches	OS version, kernel version, pending updates	Average unpatched server has 14 known CVEs

We run these checks programmatically. The server health section takes about 3 minutes to execute.

Category 2: MySQL/MariaDB Performance (42 checkpoints)

VICIdial’s database is where most performance problems actually live. The web interface feels slow, reports take forever, the hopper stalls — it is almost always MySQL.

We check:

• Buffer pool size vs data size. If your InnoDB buffer pool is smaller than your active dataset, every query hits disk. We see this in 60% of audits. The fix is one line in my.cnf.
• Slow query log analysis. We pull the top 20 slowest queries from the last 7 days. The usual suspects: unindexed JOINs on vicidial_log, full table scans on vicidial_list, and that one custom report someone wrote in 2019 that locks tables for 45 seconds.
• Table fragmentation. VICIdial tables grow and shrink constantly. Without periodic OPTIMIZE TABLE runs, fragmentation wastes disk space and slows reads. The vicidial_log table is the worst offender — on a 50-agent floor, it accumulates millions of rows per month.
• Replication health (if applicable). Lag, errors, broken relay logs. A replication lag above 5 seconds means your real-time reports are lying to you.
• Connection pool exhaustion. Default max_connections is 100. A 50-agent operation with real-time reports open can exhaust that during peak hours. We see connection refused errors in 18% of audits.

Category 3: Asterisk Telephony (35 checkpoints)

This is the phone system itself. If Asterisk is misconfigured, calls drop, audio sounds terrible, or the system runs out of channels.

Key items:

• SIP registration status. Are all your trunks registered and active? We have seen carriers silently deregister trunks that then fail over to a secondary with worse routing.
• Codec configuration. G.711 (ulaw/alaw) vs G.729 vs Opus. Wrong codec selection wastes bandwidth or degrades audio quality. G.729 saves bandwidth but adds 15ms latency per hop.
• RTP port range. Default Asterisk RTP range is 10000-20000 (10,000 ports). If your firewall only opens a subset, you will run out of RTP ports under load and get one-way audio.
• DTMF mode. Mismatch between RFC 2833 and SIP INFO causes IVR failures and touchtone recognition problems. This breaks transfer-to-closer flows.
• Channel limits. Are you hitting your carrier’s concurrent channel cap? If your carrier allows 100 simultaneous calls and your dialer tries to place 120, the extra 20 get SIP 503 responses and burn through leads without connecting.
• STIR/SHAKEN attestation level. Full attestation (A) vs partial (B) vs gateway (C). Anything below A-level attestation increases your spam labeling risk. We check both your Asterisk configuration and your carrier’s attestation capabilities.

Category 4: Campaign Configuration (52 checkpoints)

This is where the money is. Campaign settings directly control how many conversations your agents have per hour.

We audit every active campaign for:

• Dial method and adaptive settings. RATIO vs ADAPT_AVERAGE vs ADAPT_TAPERED. 40% of audited campaigns still use fixed RATIO mode, which leaves 15-25% of agent time wasted on wait.
• AMD parameters. We compare your CPD settings against benchmarks for your demographic. Default settings produce false positive rates of 15-25% on modern campaigns. That means up to a quarter of your live connections are getting killed by AMD.
• DID rotation configuration. How many DIDs, rotation method, per-DID call limits. Operations with fewer than 3 DIDs per agent consistently show answer rates below 4%.
• Hopper settings. Level, lead order, filter rules. An undersized hopper causes the dialer to stall and agents to sit idle.
• Disposition settings. Callback timing, lead recycling rules, auto-dispositioning. Misconfigured recycling wastes good leads or overworks bad ones.
• Wrap-up time and pause codes. Are agents spending 30 seconds between calls or 3 seconds? The difference across 50 agents over an 8-hour shift is 400 agent-hours.

Category 5: Compliance and Legal (34 checkpoints)

This one can save your business. TCPA violations carry penalties of $500 to $1,500 per call, and class action filings jumped 67% in 2024 to 2,788 cases, with average settlements at $6.6 million. We check:

• Predictive dialer abandonment rate. FCC mandates no more than 3% abandoned calls. We calculate your actual rate from call data.
• Time zone enforcement. Are you dialing outside the 8am-9pm window for the recipient’s time zone? We check VICIdial’s timezone settings against your list data.
• DNC scrubbing. When was your last scrub? Are you checking both the federal and state DNC lists? We verify the scrub dates in your list data.
• STIR/SHAKEN compliance. After June 2023, all carriers must implement STIR/SHAKEN. We verify your attestation level and certificate validity.
• State-specific rules. 12 states have their own telemarketing statutes. Connecticut alone imposes fines up to $20,000 per violation. We check your campaign settings against every applicable state law.
• Consent revocation handling. New FCC rules effective April 2025 require processing opt-out requests within 10 business days. We verify your workflow handles this.

Category 6: Security Posture (28 checkpoints)

The CVE-2024-8503 and CVE-2024-8504 vulnerabilities allow unauthenticated attackers to gain root access to VICIdial servers. Exploit code is public. We have seen servers compromised within hours of exposure.

We check:

• VICIdial version and patch level. Are you on the latest SVN revision? Specifically, have you applied patches from SVN revision 3848?
• Firewall configuration. Open ports, SIP exposure, management interface exposure to the public internet.
• SSH hardening. Root login, password authentication, key-based auth, fail2ban status.
• Web interface security. SSL/TLS configuration, session management, admin password strength.
• Asterisk security. SIP authentication, allowed/denied networks, registration limits.
• Toll fraud indicators. Unusual international call patterns, calls outside business hours, unauthorized extensions.

Category 7: Performance Metrics Analysis (18 checkpoints)

We pull 30 days of call data and calculate your actual performance metrics, then compare against benchmarks we have built from auditing 100+ VICIdial operations.

Metric	What We Calculate	Industry Benchmark	What “Bad” Looks Like
Connect rate	Live human answers / total attempts	6-10%	Below 4%
AMD accuracy	Correct classifications / total AMD decisions	90-95%	Below 85%
Agent utilization	Talk + wrap time / total logged time	72-80%	Below 60%
Drop rate	Dropped calls / answered calls	Under 2%	Above 3%
Average wait time	Seconds between calls for agents	5-10 sec	Above 20 sec
DID answer rate	Answers per DID / attempts per DID	8-12%	Below 4%
Calls per agent per hour	Completed calls / agent hours	15-25	Below 10

What the Report Looks Like

You get a PDF report, typically 15-25 pages, delivered within 24 hours of us getting access. Here is the structure:

Executive Summary (1 page). A traffic-light overview: green, yellow, red for each of the 7 categories. If you are a call center manager who does not want the technical details, this page tells you everything you need to know in 60 seconds.

Priority Findings (2-3 pages). The top 5-10 issues ranked by revenue impact. Each finding includes: what we found, why it matters, the estimated revenue impact per month, and the fix. We give you the actual fix — the specific setting changes, the exact my.cnf parameters, the commands to run. This is not a teaser designed to make you hire us. You can implement every finding yourself.

Detailed Analysis (10-15 pages). The full checkpoint results organized by category. Every checkpoint gets a pass/fail/warning status with notes. This is reference material for your IT team.

Benchmark Comparison (2-3 pages). How your metrics compare against similar-sized operations running VICIdial. We anonymize the comparison data, but it gives you context for whether your 4.2% connect rate is fixable or typical.

A Real Example: What We Found in a Recent Audit

Last month we audited a 65-agent debt collection operation running VICIdial on three servers. They thought their system was “fine” — no outages, agents could dial, reports worked. They requested the audit because their connect rate had been slowly declining over six months from 5.8% to 3.9%.

Here is what we found:

Finding 1: 14 of 25 DIDs flagged as spam. Answer rate on flagged DIDs averaged 2.1%. Clean DIDs averaged 7.8%. Impact: approximately 1,200 lost connects per day. This single issue accounted for most of their connect rate decline. Fix: replace flagged DIDs, implement rotation with 30 calls/DID/hour cap.

Finding 2: InnoDB buffer pool set to 128MB on a server with 64GB RAM. Their database had 12GB of active data hitting disk for every query. Real-time reports were taking 8-12 seconds to load. The fix was straightforward:

# Check current buffer pool vs data size
mysql -e "SELECT
    ROUND(@@innodb_buffer_pool_size/1024/1024) AS buffer_pool_MB,
    ROUND(SUM(data_length + index_length)/1024/1024) AS data_size_MB
FROM information_schema.tables
WHERE table_schema = 'asterisk';"

# Fix: edit /etc/my.cnf and set:
# innodb_buffer_pool_size = 48G
# Then restart: systemctl restart mariadb

Finding 3: AMD running with default parameters on a 50+ demographic. False positive rate estimated at 18.3%. They were dropping approximately 650 live human connections per day. Fix: adjust initial_silence to 3200ms, after_greeting_silence to 1100ms, tune for their specific demographic.

Finding 4: No DNC scrub in 90+ days. Their list data had been loaded without scrubbing against updated federal and state DNC lists. Estimated exposure: 2,400+ potentially non-compliant calls per day at $500/violation. Fix: immediate scrub through their existing DNC provider, then automate weekly scrubs.

Finding 5: CVE-2024-8503 unpatched. Their VICIdial installation had not been updated in 11 months. The SQL injection vulnerability was actively exploitable from the public internet. Fix: apply SVN revision 3848 patches immediately.

Total estimated revenue impact of findings 1-3: $47,000/month in lost connects and sales. The compliance finding (4) represented potential liability in the millions. The security finding (5) was a ticking bomb.

They fixed findings 2 and 5 themselves within 24 hours of receiving the report. They hired us to handle findings 1, 3, and 4. Their connect rate was back to 6.4% within 10 days.

What We Do NOT Do During the Audit

Clear expectations matter. Here is what the free audit does not include:

• We do not make changes to your system. Read-only access means read-only. We look, we document, we report. We do not touch your configuration.
• We do not access call recordings. We analyze metadata (duration, disposition, timestamps) but we never listen to actual calls. Your customer conversations stay private.
• We do not share your data. Your audit report and system data are confidential. We use anonymized aggregate benchmarks from all our audits, but your specific data never leaves our analysis environment.
• We do not require a follow-up call. You get the PDF. If you want to talk about it, great. If you want to fix everything yourself and never talk to us again, also great. There is no mandatory sales pitch, no “let us schedule a call to discuss the results” pressure.

What Happens After the Audit

You have the report. Now what?

Option 1: Fix it yourself. The report contains specific, actionable fixes for every finding. If you have a competent Linux sysadmin and a VICIdial-knowledgeable engineer, you can implement everything without us. Roughly 25% of our audit clients do this. We are fine with it — the audit cost us a few hours of engineering time, and those clients refer others.

Option 2: Hire us to fix the critical items. Most clients have 2-5 high-impact findings that require VICIdial-specific expertise. We offer a fixed-price $5,000 optimization engagement ($1,000 down, $4,000 on completion) that covers the first two weeks of implementation. That engagement typically addresses all audit findings plus additional optimizations we identify during hands-on work. Details on what the first two weeks look like.

Option 3: Ongoing managed optimization. For $1,500/month, we handle continuous monitoring, monthly tuning, DID management, compliance updates, and priority support. This is for operations that want expert management without hiring a full-time VICIdial specialist at $93,000+/year.

There is no pressure toward any option. The audit stands on its own as a diagnostic tool, regardless of what you do next.

How Long Does It Take?

• Setup: 10-15 minutes (creating the read-only user, providing SSH access)
• Audit execution: 2-4 hours (mostly automated, we review the results manually)
• Report delivery: Within 24 hours of receiving access
• Report review call (optional): 30 minutes

Compare that to hiring a freelance VICIdial consultant at $150/hour who needs 8-16 hours just to understand your setup before they can make recommendations. That is $1,200-$2,400 for what we do for free — and the freelancer’s assessment will not be as structured or thorough because they are working from experience and intuition rather than a systematic 247-point methodology.

Frequently Asked Questions

“What’s the catch?” We make money when audits turn into optimization engagements. The audit examines your vicidial_campaigns settings, vicidial_log performance data, and Asterisk configuration at /etc/asterisk/pjsip.conf. About 60% of audit clients hire us for some level of follow-up work. The other 40% take the report and handle things themselves. We are good with both outcomes because the 40% who leave still talk about us to other call center operators.

“Will this disrupt our operations?” No. The audit runs read-only queries against your database and reads configuration files. It does not modify anything, does not restart services, and does not affect call processing. We typically run audits during off-peak hours anyway.

“What if our system is really old?” We have audited VICIdial installations running versions from 2.8 through the latest 3.x releases. Older systems actually benefit more from audits because they have had more time to accumulate configuration drift, unpatched vulnerabilities, and performance degradation.

“Do you work with clustered environments?” Yes. Multi-server clusters require access to each server, but the audit process is the same. We check inter-server communication, replication health, and load distribution across the cluster.

“Can we see a sample report first?” Contact us and we will send you an anonymized sample audit report so you know exactly what to expect before granting any access.

Request Your Free Audit

If your VICIdial system is running and you want to know where the problems are, request your free audit here. No credit card, no contract, no commitment.

Setup takes 10 minutes. Report arrives within 24 hours. Everything in it is yours to keep and act on however you want.

Or call us at 343-204-2353. We pick up.