Watch this video on YouTube
From a security perspective, what must be defined for an audit before any testing or collection is performed?