8/3/2019 Is Audit Process
Be okay with what will come and you
would be able to handle it.
Certified Information Systems Auditor
(CISA)
The Process of Auditing
Information Systems
IS audit encompasses the entire practice of IS auditing, including procedures and a thorough methodology which allows an IS auditor to perform on any given IT area in a professional manner.
Objective
The objective of this area is to ensure that a CISA candidate has the knowledge necessary to provide information systems audit services in accordance with IS audit standards, guidelines and best practices.
Task
1. Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.
2. Plan specific audits to ensure that IT and business systems are protected and controlled.
3. Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
4. Communicate emerging issues, potential risks and audit results to key stakeholders.
5. Advise on the implementation of risk management and control practices within the organization while maintaining independence.
The audit function should be managed and led in a manner that ensures that the tasks performed and achieved by the audit team will fulfill audit function objectives while preserving audit independence and competence.
Both internal and external auditors should be independent and report to an audit committee, if available, or to the highest management level, such as the board of directors.
Audit Charter / Engagement letter
The role of the IS internal audit function should be documented in an audit charter.
The charter should clearly state management's responsibility and objectives for, and delegation of authority to, the IS audit function.
The charter should outline the overall authority, scope and responsibility of the audit function.
The highest level of management should approve the charter.
The charter should only be changed if the change can be and is thoroughly justified.
ISACA's IS auditing standards require that the responsibility, authority and accountability of the information systems audit function are appropriately documented in an audit charter or engagement letter.
Engagement letters are more focused on a particular audit exercise that is sought to be initiated in an organization with a specific objective in mind.
For external IS audit firms, the scope and objective of these services should be documented in a formal contract or statement of work between the contracting organization and the service provider.
Steps to plan an IS audit
Gain an understanding of the business mission, objectives, purpose and processes.
Identify stated contents such as policies, standards and regulatory guidelines.
Perform risk analysis to help in designing the audit plan.
Conduct a review of intended controls related to IT.
Set the audit scope and audit objectives.
Develop the audit approach or audit strategy.
Assign personnel resources to the audit.
Address engagement logistics.
Ways to gain understanding of the business
Reading background material, e.g. industry publications, annual reports and independent financial analysis reports.
Reviewing business and IT long-term business issues.
Interviewing key managers to understand business issues.
Reviewing prior audit documentation and reports.
Effects of laws and regulations on IS audit planning
Each organization needs to comply with a number of governmental and external requirements related to computer system practices and controls and to the manner in which computer programs and data are stored and used.
Special attention should be given to these issues in those industries that, historically, have been closely regulated.
IS auditors should review management policy to ascertain whether it takes into account the requirements of applicable laws and regulations, including data flow requirements.
Steps to determine an organization's level of compliance with external requirements
1. Identify those government or other relevant external requirements.
2. Document pertinent laws and regulations.
3. Assess whether the management of the organization and the IS function have considered the relevant external requirements in making plans and in setting policies, standards and procedures.
4. Review internal IS function documents that address adherence to laws applicable to the industry.
5. Determine adherence to established procedures that address these requirements.
RISK
WHAT IS RISK?
The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.
RISK ANALYSIS
Risk analysis is part of audit planning and helps identify risks and vulnerabilities so the auditor can determine the controls needed to mitigate those risks.
Understanding the relationship between risk and control is important for IS audit and control professionals. IS auditors must be able to identify and differentiate risk types and the controls used to mitigate these risks.
IS auditors must have knowledge of common business risks, related technology risks and related controls.
They must also be able to evaluate the risk assessment and management techniques used by business managers.
They should be able to assess the risk and help focus and plan audit work.
The IS audit is often focused on high-risk issues associated with the confidentiality, availability and integrity of sensitive and critical information.
The risk assessment process begins with identifying business objectives, information assets and the underlying systems or resources that generate, store, use or manipulate the assets critical to achieving these objectives.
Controls are identified for mitigating identified risks.
Controls are risk-mitigating countermeasures that prevent or reduce the likelihood of a risk event occurring.
Monitoring performance levels of the risks being managed when identifying any significant changes in the environment that would trigger a risk reassessment.
Risk analysis comprises three processes:
Risk assessment
Risk mitigation
Risk reevaluation
Advantages of risk analysis.
1. It assists the auditor in identifying risks and threats to an IT environment that would need to be addressed by management and system-specific internal controls.
2. It helps the auditor in his evaluation of controls in audit planning.
3. It assists the auditor in determining audit objectives.
4. It supports risk-based audit decision making.
Controls
Internal controls
Policies, procedures, practices and organizational structures implemented to reduce risk are referred to as internal controls.
Elements of controls that should be considered when evaluating control strengths are classified as preventive, detective or corrective in nature.
Controls could be manual or automated.
Control type: Preventative (stops)
Implementation method and some examples:
Administrative: Hiring procedures, background checks, segregation of duties, training, change control process, acceptable use policy (AUP), organizational charts, job descriptions, written procedures, business contracts, laws and regulations, risk management, project management, service-level agreements (SLAs), system documentation
Technical: Data backups, virus scanners, designated redundant system for high availability system ready for failover (HA standby), encryption, access control lists (ACLs), system certification process
Physical: Access control, locked doors, fences, property tags, security guards, live monitoring of CCTV, human-readable labels, warning signs
Control type: Detective (finds)
Implementation method and some examples:
Administrative: Auditing, system logs, mandatory vacation periods, exception reporting, run-to-run totals, check numbers, control self-assessment (CSA), risk assessment, oral testimony
Technical: Intrusion detection system (IDS), high availability systems detecting or signaling system failover condition (HA failure detection), automated log readers (CAATs), checksum, verifying digital signatures, biometrics for identification (many search), CCTV used for logging, network scanners, computer forensics, diagnostic utilities
Physical: Physical inventory count, alarm system (burglar, smoke, water, temperature, fire), tamper seals, fingerprints, receipts and invoices
Control type: Corrective (fixes)
Implementation method and some examples:
Administrative: Termination procedures (friendly/unfriendly), business continuity and disaster recovery plans, outsourcing, implementing recommendations of prior audit, lessons learned, property and casualty insurance
Technical: Data restoration from backup, high availability system failover to redundant system (HA failover occurs), redundant network routing, file repair utilities
Physical: Hot-warm-cold sites for disaster recovery, fire-control sprinklers, heating and AC, humidity control
Types of internal control include:
Internal accounting controls: controls directed at accounting operations, such as safeguarding of assets and the reliability of financial records.
Operational controls: controls directed at day-to-day operations to ensure that the operation is meeting the business objectives.
Administrative controls: concerned with operational efficiency in a functional area and adherence to management policies, including operational controls.
Internal control objectives
These are statements of the desired results or purpose to be achieved by implementing control activities, e.g.:
Safeguarding of IT assets
Compliance with corporate policies and legal requirements
Authorization and authentication
Confidentiality
Accuracy and completeness of data
Reliability of process
Availability of IT services
Efficiency and economy of operations
Change management process for IT and related systems
IS CONTROLS
A well designed information system should have controls built in for all its sensitive and critical functions.
IS control domains include:
Strategy and direction
Controls on computer operations
Operation procedures
Business continuity and disaster recovery planning
Networks and communication
Protective and detective mechanisms against internal and external attacks
Access to IT resources, including data and programs
Physical access controls
Logical access controls
Network, application and database administration
System development methodology and change controls
System programming and technical support function
System migration processes
Performing an IS audit
Auditing can be defined as a systematic process by which a qualified, competent, independent team or person objectively obtains and evaluates evidence regarding assertions about a process for the purpose of forming an opinion about and reporting on the degree to which the assertion is implemented.
IS auditing can be defined as any audit that encompasses review and evaluation of an automated information processing system, related non-automated processes and the interfaces between them.
Steps to perform an IS audit
Plan for the audit
For effective use of IS audit resources, audit organizations must assess the overall risk for the general and application areas and related services being audited and develop an audit program that consists of objectives and audit procedures to satisfy the audit objective.
Gather evidence
Evaluate the strengths and weaknesses of controls based upon the evidence gathered through audit tasks and prepare an audit report that presents those issues in an objective manner to management.
Audit managers must ensure the availability of adequate audit resources and a schedule for performing the audit and, in the case of internal IS audit, for follow-up reviews on the status of corrective actions taken by management.
The audit process includes
Defining the audit scope
Formulating audit objectives
Identifying audit criteria
Performing audit criteria
Performing audit procedures
Reviewing and evaluating evidence
Forming audit conclusions and opinions
Reporting to management after discussion with key process owners
Classification of Audits
Financial audits
Assess the correctness of an organization's financial statements.
Operational audit
Designed to evaluate the internal control structures in a given audit process or area.
Integrated audit
Combines financial and operational audits.
Administrative audits
Oriented to assess issues related to the efficiency of operational productivity within an organization.
Forensic audits
Auditing specialized in discovering, disclosing and following up on frauds and crimes.
IS audit
The process collects and evaluates evidence to determine whether the information system and related resources adequately safeguard assets.
Procedures for understanding, evaluating and validating IT controls
The use of generalized audit software to survey the contents of data files, e.g. system logs.
Use of specialized software to assess the contents of operating system, database and application parameter files.
Flow charting techniques for documenting automated applications and business processes.
Observation
Enquiry
Examination and review of documents
Re-performance
The IS auditor would need to follow at a
minimum a sequential program of:
1. Understanding the entity under audit
2. Evaluating the control structure
3. Validating the controls
Fraud Detection
Management is primarily responsible for establishing, implementing and maintaining a framework and design of IT controls to meet the internal control objectives.
A well designed internal control system provides good opportunities for deterring and/or timely detection of fraud.
Internal controls may fail where such controls are circumvented by exploiting vulnerabilities or through management perpetuating weaknesses in controls or collusion between people.
- Design weaknesses
- Operating efficiency
Legislation and regulations relating to corporate governance cast significant responsibility on management, auditors and the audit committee regarding detection and disclosure of any frauds, whether material or not.
IS auditors should be aware of the possibility and means of perpetrating fraud, especially by exploiting the vulnerabilities and overriding controls in the IT-enabled environment.
Risk-Based Audit
Risk-Based Auditing
By understanding the nature of the business, IS auditors can identify the types of risks that will better determine the risk model or approach in conducting the audit.
The risk model can be as simple as creating weights for the risks associated with the business.
Simple Risk based approach
Gather information and plan
Obtain understanding of internal control
Perform compliance test (walk through)
Perform substantive tests
Conclude the audit
Part of documenting risk data is for the auditor to identify potential risk response strategies that can be used in the audit with each identified risk. The four risk responses are as follows:
Accept
Take your chances. Ignoring a risk is the same as accepting it. The auditor should be concerned about the acceptance of high-risk situations.
Mitigate (reduce)
Do something to lower the odds of getting hurt. Most internal controls are designed to mitigate risk.
Transfer
Let someone else take the chance of loss by using a subcontractor or insurance. You can transfer the risk but not the liability for failure. Blind transfer of risk would be a genuine concern. This applies to outsourcing agreements and is the reason for a right-to-audit clause in the contract.
Avoid
Reject the situation; change the situation to avoid taking the risk.
Inherent risks
These are natural or built-in risks that always exist.
E.g. driving your automobile holds the inherent risk of an automobile accident or a flat tire. Theft is an inherent risk for items of high value.
Business risks
These are risks that are inherent in the business or industry itself. They may be regulatory, contractual, or financial.
Technological risks
These are inherent risks of using automated technology. Systems do fail.
Detection risks
These are the risks that an auditor will not be able to detect what they are looking to find. It would be terrible to report no negative results when material conditions (faults) actually exist.
Detection risks include sampling and non-sampling risks:
Sampling risks
These are the risks that an auditor will falsely accept or erroneously reject an audit sample (evidence).
Non-sampling risks
These are the risks that an auditor will fail to detect a condition because of not applying the appropriate procedure or using procedures inconsistent with the audit objective (detection fault).
Control Risk
The risk that a material error exists that will not be prevented or detected in a timely manner by the internal control system.
Audit risks
These are the combination of inherent,
detection, control, and residual risks.
Audit risk = Inherent risk + Detection risk + Control risk
Operational risks
These are the risks that a process or
procedure will not perform correctly.
Residual risks
These are the risks that remain after all
mitigation efforts are performed.
Evidence
Evidence is any information used by an IS auditor to determine whether the entity or data being audited follows the established criteria or objectives, and supports audit conclusions.
Types of Evidence
There are two primary types of evidence, according to legal definition:
Direct evidence
This proves existence of a fact without inference or presumption. Inference is when you draw a logical and reasonable proposition from another that is supposed to be true. Direct evidence includes the unaltered testimony of an eyewitness and written documents.
Indirect evidence
Indirect evidence uses a hypothesis without direct evidence to make a claim that consists of both inference and presumption. Indirect evidence is based on a chain of circumstances leading to a claim, with the intent to prove the existence or nonexistence of certain facts. Indirect evidence is also known as circumstantial evidence.
Grading evidence
All evidence is graded according to criteria using four characteristics of evidence. This grading aids the auditor in assessing the evidence value. It is important to obtain the best possible evidence.
The four characteristics are as follows:
1. Timing of Evidence
Evidence timing indicates whether evidence is received when it is requested, or several hours or days late. In electronic systems, the timing has a secondary meaning; electronic evidence may be available only during a limited window of time before it is overwritten or the software changes to a new version.
2. Evidence objectivity
Evidence objectivity refers to its ability to be accepted and understood with very little judgment required. The more judgment required, the less objective the evidence.
As you increase the amount of judgment necessary to support your claims, the evidence quickly becomes subjective or circumstantial, which is the opposite of objective. Objective evidence is in a state of unbiased reality during examination without influence by another source. Objective evidence can be obtained through qualitative/quantitative measurement, and from records or statements of fact pertaining to the subject of the investigation. Objective evidence can be verified by observation, measurement, or testing.
3. Competency of the evidence provider
Evidence supplied by a person with direct involvement is preferred. The source of their knowledge will affect the evidence value and accuracy. A secondhand story still holds value by providing information that may lead to the evidence the auditor is seeking.
An expert is legally defined as a person who possesses special skill or knowledge in a science or profession because of special study or experience with the subject. An expert possesses a particular skill in forming accurate opinions about a subject; in contrast, a common person would be incapable of deducing an accurate conclusion about the same subject.
4. Evidence independence
Evidence independence is similar to auditor independence, meaning the provider should not have any gain or loss by providing the evidence. Evidence supplied by a person with a bias is often questionable. The auditor should ask whether the evidence provider is part of the auditee's organization. Qualifications of the evidence provider should always be considered. A person with a high degree of detailed understanding is vastly more qualified than an individual of limited knowledge. Evidence and data gathered from a novice may have a low value when compared to data gathered by an expert. A person who is knowledgeable and independent of the audit subject would be considered the best source of evidence.
SAMPLING
Statistical Sampling
Statistical sampling uses mathematical techniques that result in an outcome that is mathematically quantifiable. Statistical samples are usually presented as a percentage. The purpose of statistical sampling is to gain an objective representation. Samples are selected by an objective mathematical process.
Examples of statistical sampling include the following:
Random sampling:
Samples are selected at random.
Fixed interval sampling:
The sample existing at every n + interval increment is selected for testing.
Nonstatistical Sampling
Nonstatistical sampling is based on the auditor's judgment (also referred to as judgmental sampling). The auditor determines the sample size, the method of generating the sample, and the number of items to be analyzed. This is a subjective process usually based on elements of risk or materiality.
An example of nonstatistical sampling includes haphazard sampling, in which the samples are randomly drawn for testing.
After the samples are selected, the next step is to perform compliance tests or substantive testing.
Identifying Audit Testing
As stated earlier, the basic test methods used will be either compliance testing or substantive testing. Appropriate audit samples will have to be generated for the test.
Compliance testing tests for the presence or existence of something. Compliance testing includes verifying that policies and procedures have been put in place, and that user access rights, program change control procedures, and system audit logs have been activated. An example of a compliance test is comparing the list of persons with physical access to the data center against the HR list of current employees.
Compliance testing is based on one of the following types of audit samples:
Attribute sampling
The objective is to determine whether an attribute is present or absent in the subject sample. The result is specified by the rate of occurrence.
Stop-and-go sampling
Used when few errors are expected. Stop-and-go allows the test to occur without excessive effort in sampling and provides the opportunity to stop testing at the earliest possible opportunity. It is a simple form of testing to reinforce any claim that errors are unlikely in the sample population.
Discovery sampling
Used to detect fraud or when the likelihood of evidence existing is low. This is an attempt to discover evidence.
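The compliance test and attribute sampling described above, as an added Python example in the style of a small CAAT script (it is not part of the original slides). The roster, badge list and change records are constructed sample data, and the 5 percent tolerable rate, field names and function names are assumptions made for illustration.

```python
import csv
import io
import random

# Constructed sample data (not from the slides): HR roster and badge list.
HR_ROSTER_CSV = """employee_id,name,status
E100,Ana Ruiz,active
E101,Ben Cole,active
E102,Chi Wong,terminated
E103,Dee Patel,active
"""

BADGE_LIST_CSV = """badge_id,employee_id,name
B1,E100,Ana Ruiz
B2,E102,Chi Wong
B3,E103,Dee Patel
B4,E999,Vendor Temp
"""

# Constructed population of 40 change records; three have no approver.
CHANGES = [
    {"change_id": n, "approver": None if n in (7, 21, 36) else "cab"}
    for n in range(1, 41)
]


def load_csv(text):
    """Parse CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile_access(badges, roster):
    """Compliance test: each data center badge must map to a current employee."""
    status = {row["employee_id"]: row["status"] for row in roster}
    exceptions = []
    for badge in badges:
        emp = badge["employee_id"]
        if emp not in status:
            exceptions.append((badge["badge_id"], emp, "not on HR roster"))
        elif status[emp] != "active":
            exceptions.append((badge["badge_id"], emp, "not a current employee"))
    return exceptions


def fixed_interval_sample(population, interval, start=0):
    """Statistical selection: take every `interval`-th item from `start`."""
    if interval < 1 or not 0 <= start < interval:
        raise ValueError("need interval >= 1 and 0 <= start < interval")
    return population[start::interval]


def random_sample(population, size, seed):
    """Statistical selection: seeded so the working papers can reproduce it."""
    return random.Random(seed).sample(population, size)


def attribute_test(sample, has_attribute, tolerable_rate):
    """Attribute sampling: report the rate of occurrence of a missing attribute."""
    if not sample:
        raise ValueError("sample is empty")
    deviations = [item for item in sample if not has_attribute(item)]
    rate = len(deviations) / len(sample)
    return {
        "sample_size": len(sample),
        "deviations": deviations,
        "rate": rate,
        "within_tolerance": rate <= tolerable_rate,
    }


def is_approved(change):
    """The attribute under test: the change record names an approver."""
    return change["approver"] is not None


if __name__ == "__main__":
    for finding in reconcile_access(load_csv(BADGE_LIST_CSV), load_csv(HR_ROSTER_CSV)):
        print("access exception:", finding)
    sample = fixed_interval_sample(CHANGES, interval=5)
    result = attribute_test(sample, is_approved, tolerable_rate=0.05)
    print("change approval deviation rate:", result["rate"], result["within_tolerance"])
```

The access reconciliation runs over the whole population, while the change-approval check tests only the sampled records, which is where the sampling risk defined earlier enters.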
Substantive testing
Substantive testing seeks to verify the content and integrity of evidence. Substantive tests include verifying account balances, performing physical inventory counts, and executing detailed scans to detect effectiveness of a specific system configuration. Substantive testing uses audit samples selected by dollar value or to project a total for groups with related characteristics.
Substantive testing is based on one of the following types of audit samples:
Variable sampling
Used to designate dollar values or weights (effectiveness) of an entire subject population by prorating from a smaller sample. Consider the challenge of counting large volumes of currency by its weight. Variable sampling could be used to count currency by multiplying the physical weight of one unit by the total weight of the combined sample, and then multiplying by the face value printed on the bill or coin. A demonstration would be a single $50 bill weighing 0.8 grams, with the entire sample of $50 bills weighing 48 grams altogether. The combined sample weight would indicate a total quantity of 60 bills for an estimated dollar value of $3,000. This is a common technique for forecasting quantity and value of inventory based on particular characteristics.
Unstratified mean estimation
Used in an attempt to project an estimated total for the subject population.
Stratified mean estimation
Used to calculate an average by group, similar to demographics, whereby the entire population is divided (stratified) into smaller groups based on similar characteristics. Examples are teenagers from the ages of 13 to 19, people from the ages of 20 to 29, people from the ages of 30 to 39, and those who are male or female, smokers or nonsmokers, and so on.
Difference estimation
Used to determine the difference between audited and unaudited claims of value.
SAMPLING TERMS
Tolerable error rate
Is the maximum number of errors that can exist without declaring a material misstatement.
Regardless of the audit sample and test method used, the auditor is presumed to have a high degree of confidence when the audit coefficient is 95 percent or higher.
The audit coefficient represents your level of confidence about the audit results. It is also referred to as a reliability factor.
Precision, or expected error rate
The precision rate indicates the acceptable margin of error between audit samples and the total quantity of the subject population. This is usually expressed as a percentage such as 5 percent. To obtain a very low error rate, it is necessary to use a very large sample in testing. The larger sample can yield a higher average.
Computer Assisted Audit Tools
Using Computer Assisted Audit Tools
Computer assisted audit tools (CAAT) are invaluable for compiling evidence during IS audits.
The auditor will find several advantages of using CAATs in their analytical audit procedure.
CAAT tools are capable of executing a variety of automated compliance tests and substantive tests that would be nearly impossible to perform manually.
These specialized tools may include multifunction audit utilities, which can analyze logs, perform vulnerability tests, or verify specific implementation of compliance in a system configuration compared to intended controls.
CAAT includes the following types of software tools and techniques:
Network traffic and protocol analysis
Testing the configuration of specific application software such as an SQL database
Testing for password compliance on user login accounts
Many CAAT tools have a built-in report writer that can generate more than one type of predefined report of findings on your behalf.
A significant amount of time may be required to become a competent CAAT operator.
Some of the concerns for or against using CAAT include:
Auditor's level of computer knowledge and experience
Level of risk and complexity of the audit environment
Cost and time constraints
Specialized training requirements
Speed, efficiency, and accuracy over manual operations
Security of the data extracted by CAAT
Control Self-Assessments
Traditional Audit Compared to Control Self-Assessments
A discussion of the audit process would not be complete without mentioning the
benefits of using control self-assessments. The auditee can work to improve their
audit score between audits by using these self-assessment techniques.
To employ the formal skills of a professional auditor is considered a traditional
audit. In a traditional audit, the auditor manages the audit through the entire audit
process and renders a final opinion.
A control self-assessment (CSA) is executed by the auditee. The auditee uses the CSA to benchmark progress with the intention of improving their score.
This CSA process can generate benefits by empowering the staff to take ownership
and accountability. With a CSA, the auditor becomes a facilitator to help guide the
client's effort toward self-improvement.
A great deal of pride can be created by the accomplishment of CSA tasks and
learning the detail necessary to succeed in a traditional audit. A CSA is not going to
fulfill the independence requirement, so a traditional audit will still be required. A
CSA will help your client understand the specific actions
THANK YOU