It's not carried out by auditors; it is done by the databrackets crew to find out the gaps within the process. This gives them extremely certain tips of controls they should structure and put into practice. Companies need to determine what they wish to secure and discover the procedure boundaries. https://www.nathanlabsadvisory.com/blog/nathan/cyber-security-consulting-solutions-by-nathan-labs-advisory-in-the-usa/