IS AUDIT PROCESS CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Information systems auditing is a process of collecting and evaluating evidence to determine whether : a computer system safeguards assets, maintain data integrity, allows organizational goals to be achieved effectively, and uses resources efficiently. CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Information Systems Auditing O R G A N I S A T I O N Safeguarding of Assets Data Integrity System Efficiency CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) The asset should not be destroyed, stolen or used for unauthorized purposes. Data is the most important asset of any organization. CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) The completeness, soundness, purity, authenticity and genuineness of the data. CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) An efficient information system uses minimum resources to achieve its required objectives. Resources like machine time, peripherals, system software and labour are scarce and different application systems usually compete for their use. CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Availability: Will the organisation computer systems be available for the business at all times when required? Confidentiality: Will the information in the systems be disclosed only to authorized users? Integrity: Will the information provided by the system always be accurate, reliable and timely? CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) IS Audit strategy Audit Objective Audit environment CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Audit Mission: The mission statement defines the primary purpose of the Audit function and provides an overview of the focus, priorities, values and principles that will measure the audit decisions. CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Audit charter should clearly state management’s responsibility Audit charter is usually a part of internal audit, hence may include other audit functions Should state objectives of audit Role of IS audit is established by audit charter CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) An IS auditor require a clear mandate from the company to perform the IS audit. This mandate is called AUDIT CHARTER or ENGAGEMENT LETTER. Audit charter should be approved by highest level of management and once established should not be altered except in exceptional circumstances. Audit charter should clearly address three aspects of responsibility, authority and accountability of the IS auditor as under: CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) ◦ Responsibility – This may include Scope Objectives Specific auditee requirements deliverables ◦ Authority – This may include Right of access to information, personnel, locations and systems relevant to the performance of audit CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) ◦ Accountability - This may include Designated recipients of the report Auditee's right Agreed completion dates Agreed fees, if applicable CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Purpose Engagement letters are often used for individual assignments or for setting the scope and objectives of a relationship between the external IS auditor and an organisation. Content The engagement letter should clearly address the three aspects – responsibility, authority and accountability CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) To perform audit planning, IS auditor should perform the following steps : ◦ Gain understanding of business’s mission, objectives, purposes and processes ◦ Touring key organizational facilities ◦ Studying applicable laws and regulations ◦ Conduct internal control review ◦ Reading background material including industry publications, annual reports etc. CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) ◦ Reviewing long term strategic plans ◦ Interviewing key managers to understand business issues ◦ Reviewing prior audit reports ◦ Set audit scope and audit objectives ◦ Develop audit strategy ◦ Assign personnel resources to audit CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Is used to determine the extent of compliance and /or substantive testing an auditor should undertake to fulfill the objectives of audit. Factors to consider include: ◦ Knowledge of business ◦ Degree of operational/internal controls available Risk assessment model may use a scoring system based on ◦ Technical complexity ◦ Level of controls in place ◦ Level of financial loss CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) These factors may or may not be weighed to arrive at a measure of overall risks. Another way of risk assessment is judgmental based upon management directives, historical perspectives, business goals and environment factors. A typical overview of risk based audit approach is presented below CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Gather information and plan Knowledge of business and industry Prior years’ audit results Recent financial information Regulatory statutes Inherent risk assessment Obtain understanding of internal controls Control environment Control procedures Detection risk assessment Control risk assessment Equate total risks CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Perform Compliance Test Test policies and Test segregation of procedures duties Perform Substantive Tests Analytical procedures Other substantive audit Detailed test of account balances CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Conclude the Audit Create recommendations Write audit reports CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Audit programs are based on objective and scope of the assignment and becomes guide for documenting ◦ Various audit steps to be performed ◦ Extent and type of evidential matters to be reviewed Though not necessarily to be followed in a sequence, IS auditor will be best advised to take a sequential approach in understanding the entity, evaluating control structure and testing the controls. CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Risk that financial statements may contain material errors or material errors may remain undetected. Sometimes audit risk may also refer to the risk that an auditor is prepared to accept Types of risks in an audit: ◦ Inherent risk – based on nature of business and is independent of audit ◦ Control risk - a risk that a material error may not be prevented or detected CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) ◦ Detection risk – a risk that an IS auditor may use inadequate test procedure and conclude that material errors do not exist when in fact they do. ◦ Overall risk – a combination of the risk factors as above. The objective is to keep overall risk within acceptable levels. Materiality concept is applicable in case of financial audits. In the context of IS audit, materiality may mean that a significant internal control weakness exist which leaves the organization susceptible to threat leading to financial loss, business interruptions, loss of customer trust etc., CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Materiality always require sound judgment from an auditor. For an IS auditor the task is still more difficult CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Information Systems Auditors ultimately are concerned with evaluating the reliability or operating effectiveness of controls. CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) After identifying the key control, the auditor has to determine whether to test these control through compliance or substantive testing Compliance testing determines whether the controls are functioning as intended. Substantive testing – refer to verifying the integrity of processing. It provides evidence as to the validity and proprietary of balances in financial statements and the transactions supporting such statements There is direct correlation between the level of internal control and the amount of substantive testing to be applied. CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Information used to determine whether audit criteria or objective is met May include ◦ Observations ◦ Notes taken during interviews ◦ Correspondence ◦ Internal documentation ◦ Result of test conducted by auditor Reliability may depend on ◦ Independence of the provider of evidence CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) ◦ Qualification/competence level of the person providing information ◦ Objectivity of evidence Techniques of gathering evidence may include ◦ Review IS organization structure – key word here is adequate separation of duties ◦ Reviewing IS documentation standard – key word here is that documentation may be in automated form rather than on paper. Documentation may include System development initiating document Functional design specifications CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Program change histories User manual Database specifications Test plans and reports Quality assurance reports ◦ Interviewing appropriate personnel – an interview form or checklist may be used. Also remember that interviews are not accusatory CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) ◦ Observing process and performance - key here is to document as much detail as is possible. Also remember that your observations do not obstruct the on going business Finally, judgment call has to be made to determine which material is relevant for meeting audit objective and to what extent reliance should be placed there upon. CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) End product of the audit The Audit Report format should be considered at the time of planning stage itself. No fixed format but may include : ◦ Introduction including audit objectives, scope, period etc., ◦ Overall conclusion and opinion on the adequacy of controls in the areas covered as per scope of audit ◦ Any reservations or qualifications ◦ Detailed findings/recommendations depending upon materiality and intended recipient of the report CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) ◦ Management responses including plan if any for implementation of the recommendations.( This may be included if required by terms of reference) It is a good practice to also give an executive summary preferably in a visual presentation mode CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) There cannot be a standard format. However the contents and format of the IS audit report should contain the minimum requirements as per the reporting standards. Some of the features of Audit report: Report, Content and form. Purpose and Content Intended Receipients Style and Content Statement of Objectives. CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Scope of Audit Restrictions on distribution Significant findings Conclusion Recommendations Reservations or qualifications Presentations Timeliness Subsequent events Follow Up CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) IS audit documentation includes the audit plan, a description or diagram of network environment, audit programs, minutes of meetings, audit evidence, findings, conclusions and recommendations, any report issued as result of audit work and management responses. Audit documentation should support the findings and conclusions/ opinions. Also include questionnaires and understandable flow charts CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Sometime, terms of reference may require an auditor to submit follow up action report. If so, IS auditor must set up a follow up program to determine if the agreed corrective actions have been taken Follow up reporting may involve ◦ Inquiry as to the current status ◦ Certain audit steps to determine the extent and correctness of the implementation measures CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Sampling used when entire population cannot be examined for reasons of cost, time or sheer volume Sample is a subset of population. Sampling approaches are: ◦ Statistical – sample size and selection process are based on objective criteria. Each item in population has equal opportunity of being selected. ◦ Non-statistical – sample size and the the selection process are based on judgment. This type of sampling is also called judgmental sampling. CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Both are subject to risk that conclusions may be wrong (sampling risk) Methods of sampling are: ◦ Attribute sampling ◦ Variable sampling Attribute sampling ◦ Is applied in compliance testing ◦ Deals with presence or absence of characteristics (attribute) ◦ Conclusions are expressed in terms of rates of occurrence CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Variable sampling ◦ Is applied in substantive testing ◦ Deals with rupee value, weight etc., (variable characteristics) ◦ Conclusions are expressed in terms of range of value or deviation from an expected value CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Important sampling terms include ◦ Confidence coefficient – a measure of confidence in the testing process and is expressed as a percentage. Remember Stronger the internal control, lower can be the confidence coefficient Greater the confidence coefficient, larger the sample size ◦ Level of risk – is equal to 100 minus confidence coefficient CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) ◦ Expected error rate – applicable in attribute sampling only. Remember Higher the expected error rate, larger the sample size ◦ Tolerable error rate – acceptable upper limit of error. Used to set the precision amount in respect of compliance testing CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Key steps in using sampling in audit include ◦ Determine the objectives of the test. ◦ Define the population to be sampled. ◦ Determine the sampling method, such as attribute versus variable sampling. ◦ Determine the precision and reliability desired ◦ Calculate the sample size. ◦ Select the sample. ◦ Evaluate the sample from an audit perspective CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) An IS auditor should clearly understand the basic concept of risks, techniques of risk assessment and relationship between risk and controls. ISO define risk as “ The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. The impact or relative severity of the risk is proportional to the business value of loss/damage and to the estimated frequency of the threat” CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Threats includes : ◦ Power loss ◦ Communication failure ◦ Disgruntled employee ◦ Malicious code ◦ Natural disasters ◦ Abuse to access privileges by employees CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Based on above, elements of risk are ◦ Threats to and vulnerabilities of assets ◦ Impact of threats and vulnerabilities ◦ Probability of occurrence of threats IS audit is focused towards a particular class of risk defined potential for loss of confidentiality, availability or integrity of information CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Process of identifying vulnerabilities and threats to an organization resources and deciding on countermeasures to reduce the risk to an acceptable level based on the value of information resource to the organization. Step 1 ◦ Identify and classify the information resources or assets which need protection. Examples of assets associated with IT include: Information and data Hardware Software CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Services Documents Personnel Step 2 ◦ Assess vulnerabilities which are characteristics of information resources that can be exploited by a threat to cause harm. Examples of vulnerabilities are: Lack of user knowledge Lack of security functionality Poor choice of passwords CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Untested technology Transmission over unprotected communications Step 3 ◦ Assess threats which are events with potential to cause harm such as destruction, disclosure, modification, denial of service etc., Common classes of threats are: o Errors o Malicious damage or attack o Fraud CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) o Theft o Equipment/software failures • Step 4 ◦ Assess impact if threats were to materialize. Impact is usually in terms of financial loss both in short/long term. Example of losses are: Loss of money Breach of legislation Loss of reputation or goodwill CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Endangering of staff or customers Breach of confidence Loss of business opportunity Reduction in operational efficiency or performance Interruption of business activity Step 5 ◦ Assess probability of occurrence and form an overall view of risk. The risk is = (Value of loss x Probability of occurrence) CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Step 6 ◦ Evaluate existing controls and identify the risks which are inadequately controlled Step 7 ◦ Prioritize all the identified risks requiring protection, design effective and efficient countermeasures and select appropriate countermeasures keeping in view: o The cost of control compared to the benefit of minimizing risk o Management appetite for risk CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Preferred risk reduction method -Terminate the risk -Minimize probability of occurrence -Minimize impact -Transfer (Insurance) • Some organization may start the process with identification of threats rather than assets. This is just a matter of choice without any significance. CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Risk remaining after the controls have been applied is called residual risk. The management could decide to further work upon countermeasures to mitigate the risks or take them as unavoidable component of doing business and thus laying down an acceptable level of risk. Acceptable level of risk so defined should be used to determine the areas which might be subjected to excessive level of controls and where cost savings can be achieved by removing the excessive element of controls. CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Risk assessment techniques : o Scoring system – useful in prioritizing audits based on evaluation of risk factors, considering various variables such as technical complexity, level of control procedures and level of financial loss o Judgemental – Decision is made based on business knowledge, executive management directives, historical perspectives, business goals and environmental factors. CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Control is defined as: “ the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesirable events will be prevented or detected and corrected” The strength of a control is measured by its inherent or design strength and the likelihood of its effectiveness. The elements to be considered while evaluating control strengths include whether controls are: CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) An IT control objective is defined as a statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity. IT control objectives aim to ensure confidentiality, integrity and availability of information resources. COBIT and IT Governance Institute provide an excellent framework for setting IT control objectives. Example of IT control objectives include: ◦ Information is secured from improper access. ◦ Each transaction is authorized and recorded only once. CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) ◦ All exceptions are duly recorded, investigated and followed through. ◦ Files are adequately backed up to allow for proper recovery ◦ Changes to software are tested and approved. CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Controls are generally classified under three categories as under ◦ Preventive ◦ Detective ◦ Corrective CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Function Examples Prevent an error, omission or malicious act from occurring Predict potential problems before they occur and make adjustments Detect problems before they arise Employ qualified personnel Segregate duties Control physical access Use well designed documents Have authorization procedure Complete programmed edit checks Use logical access controls CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Function Detect that an error, omission or malicious act has occurred and report the occurrence Examples Hash totals Check points Echo controls Error messages Duplicate (re verification) of calculations Variance reporting Internal audit CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Function Examples Minimize the impact of a threat Remedy problems discovered by detective tests Correct errors arising from a problem Modify systems to minimize future occurrences of the problem Contingency planning Backup procedures Re-run procedures CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) AAS 29- Auditing in CIS Environment issued by ICAI states that: “ The overall objective and scope of the Audit doesnot change in a CIS environment. However , the use of a computer changes the processing, storage, retrieval and communication of Financial Information and may affect the accounting and internal control systems employed by the entity” CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) CAATs are important tools for the IS auditor in gathering information from these environments. When systems have different hardware and software environments, different data structure, record formats or processing functions, it is almost impossible for auditors to collect evidence without a software tool to collect and analyze the records. CAATs also enable IS auditors in performing audits to gather information independently. CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) The procedures followed by the Auditor in obtaining a sufficient understanding of the accounting and Internal Control System. The auditors evaluation of Inherent risk through which the auditor accesses the audit risk. The Auditor’s design and performance of tests of control and substantive procedures appropriate to meet the audit objective. CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) AAS 29 specifically requires auditor to consider the effect of CIS environment on the audit: 1. Extent to which the CIS environment is used in control 2. System of Internal Control 3. Audit trail CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) The Auditor should have sufficient knowledge of CIS to plan, Direct, Supervise, Control and Review the work performed Specialised skills may be needed, to 1. Obtain sufficient understanding of the effect of the CIS environment on accounting and Internal Control System. 2. Determine the effect of the CIS environment on the assessment of overall audit risk 3. And design and perform appropriate tests of control and substantive procedures CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) The IT environment contains Business Risks. This risks could result from lack of various controls that includes: 1. Lack of an IS Security Policy framework, procedures and controls. 2. Approach for control over IT and related resources. 3. Risks of outsourcing of IT processes 4. Physical and environmental security of IT equipment and related assets. CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) 5. Poor controls over communication and N/w technology and infrastructure. 6. Poor Controls over system parameters settings and critical systems files. 7. Risks from Viruses, hackers and malicious code. 8. Poor controls over SDLC. 9. Poor Business Continuity Planning. CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Auditing Around the Computer- Black Box Approach- The concept of ignoring what is happening inside the computer and conducting the audit using the inputs and outputs as in Manual Audits CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Auditing through the Computer- White Box Approach- Considering the Audit trail and auditing the process followed by the computer system. CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Software intended to facilitate or expedite the auditing process Examples of CAATs include ◦ Generalized audit software ◦ Test data generators ◦ Expert systems ◦ Standard utilities ◦ Software library packages ◦ Integrated test facilities ◦ Snapshot ◦ Specialized audit software CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) GAS refers to standard software that has the capability to directly read and access data from various database platforms, flat-file systems and ASCII formats. ACL & IDEA Functions supported by GAS: File access – reading from different formats File reorganization – indexing, sorting, merging. Data selection Statistical functions – sampling, Arithmetical functions CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) It is written for special audit purposes or targeting specialized IT environments. For eg: Testing for NPA’s, testing for UNIX controls, testing for overnight deals in Forex Application s/w etc. This s/w may be developed by Auditor’s , the auditor should take care to get an assurance on the integrity and security of s/w developed by the client CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Utility software or utilities, though not developed or sold specifically for audit are often extremely useful and handy for conducting audits. CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) Remember ◦ Seek read only access to production data while using CAATs Advantages of using CAATs are ◦ Reduce the level of audit risk ◦ Greater independence from the auditee ◦ Broader and more consistent audit coverage ◦ Faster availability of information CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) ◦ Improved exception identification ◦ Greater flexibility of run times ◦ Greater opportunity to quantity internal control weakness ◦ Enhanced sampling ◦ Cost saving over time Important factor while considering usage of CAATs may include ◦ Ease of use ◦ Installation requirement CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) ◦ Availability of source data Important documentation to be retained for own developed CAATs may include ◦ Online reports detailing high-risk issues for review ◦ Flowchart ◦ Record and File layouts ◦ Field definitions ◦ Operating instructions ◦ Sample reports CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) AAS 29 / SA 401– by ICAI on Auditing in Computer Information Systems Environment IS Audit standards issued by ISACA COBIT – Control Objectives for Information and related Technology BS7799 SAS 70 SysTrust ITIL ISO 9000 CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) SEI – CMM IT ACT 2000 UNCITRAL Model Law on electronic commerece SOX BASEL II CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) CA.Shweta Ajmera, M.Com,CA,DISA(ICAI) By: CA.Shweta Ajmera M.Com,CA,DISA(ICAI) cashwetaajmera@gmail.com You can join me at: At Linkedin & twitter: Shweta Ajmera At FB: shweta.ajmera.3 CA.Shweta Ajmera, M.Com,CA,DISA(ICAI)