Pilot IT Audit Training

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 1
ហិរញ្ញ វត្ថ
Contents

1. IT Audit Definition and Objective

2. Step to Perform IT Audit Planning
3. Audit IT General Controls
4. Audit Documentation

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 2
ហិរញ្ញ វត្ថ
 1. Definition and Objectives

IT Audit is the formal examination and evaluation of an organization’s information

technology infrastructure, information system, policies and operations whether:
• Compliance with applicable regulations, policy, procedure and/or industry guidelines
• IS data and information appropriate levels of confidentiality, integrity and availability
• IT operations are being accomplished efficiently and effectiveness targets are being met

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 3
ហិរញ្ញ វត្ថ
2. Step to Perform IT Audit Planning

- To understand the IT environment:

• Understanding IT environment:
o IT organization (IT staff, role and responsible, IT org chart…)
o IT Infrastructure (external connection, domain controller, email, Network/system diagram…)
o IT policy/procedure (IT security policy/procedure, user management, backup and recovery, change
management…)
• Nature of business process which include information process such as availability, integrity, security and
business technology and information confidentiality.

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 4
ហិរញ្ញ វត្ថ
2. Step to Perform IT Audit Planning

- To understand IT system
• To obtain the IT system inventory list which support each business process
• Identify of IT system and evaluate of related risk associate
• To document or draw system flow or landscape

System inventory list sample

Business Process Application Name Server Name OS Database Interface with Description/Used for

Procurement FMIS (oracle xxx Window server 2012 Oracle 11g xxx xxx
AR/AP PeopleSoft)    
GL    
XX            
XX            

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 5
ហិរញ្ញ វត្ថ
2. Step to Perform IT Audit Planning

- IT Risk Assessment
To helps the IT auditors to achieve quality and efficiency, the risk-based approach is usually adopted. The
approach involves:
• Understanding the process environment
• Evaluation and risk assessment
• Planning audit response – to identify the control for testing
• Gathering evidence and completion

It also assists IT auditors in the scope of issues that generally should be considered in any review of computer
related controls over the integrity, confidentiality and availability of electronic data.

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 6
ហិរញ្ញ វត្ថ
 3. Audit IT General Controls

The IT general controls are concerned with the auditee’s IT infrastructure, IT system with IT related policies,
procedures and working practices by help ensure the confidentiality, integrity and availability of its IT system and
data.

• Confidentiality: The preventing of information from unauthorized access.

• Integrity: The prevention or detection of unauthorized modification of, for example, data.
• Availability: Relates to information being available when required by the business process now and in
the future.
IT General Controls includes:
a. Logical/Physical access management
b. Computer operation
c. Change management
d. System development

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 7
ហិរញ្ញ វត្ថ
a. Logical/Physical Access Management

Objective: To ensure that only authorized access is granted to system and data upon authentication of a user’s
identify which mean systems and data are protected from invalid changes and physical interruption.
Activities include:
1. User access management
2. Powerful user account/Super user
3. Segregation of Duties (SoD)
4. Password configuration

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 8
ហិរញ្ញ វត្ថ
a. Logical/Physical Access Management

1. User access management

Security administration / access rights
• Process of granting access to systems and data:
o New/modify user access request
o User access right and review
o User de-register or removal of access right
o User access to server room

Example area to review:

• User access is requested by relevant people
• User access requests are actioned by a separate IT function
• Periodic reviews of the levels of access people have are performed
• Leavers access is revoked in a timely manner
• Security incidents are identified and investigated

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 9
ហិរញ្ញ វត្ថ
a. Logical/Physical Access Management

2. Powerful user account/Super user

All applications, operating systems and databases (and other IT components such as firewalls) will have
‘administrator’ or privileged accounts e.g.:
• Windows server = Administrator
• UNIX = Root
• SQL Server database = sa
• Oracle database = SYS, SYSTEM

Example area to review:

• admin/super user is proper controlled
• activity or audit trail log and review

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 10
ហិរញ្ញ វត្ថ
a. Logical/Physical Access Management

3. Segregation of Duties (SoD)

• Segregation of Duties is the effective restriction of any individual from having access to too many functions
within a business or process e.g: the separation between inputter and approver
• Segregation of duties is a method for reducing the risk of accidental or deliberate misuse of an organization’s
assets.
• Small organizations may find segregation of duties difficult to achieve, but the principle should be applied as
far as is possible and practicable. Whenever it is difficult to segregate, other controls such as monitoring of
activities, audit trails and management supervision should be considered.
Example review:
• Role and responsible clearly defined and documented
• The restriction within the system between inputter and approver
• Other monitoring activity or audit trail review

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 11
ហិរញ្ញ វត្ថ
a. Logical/Physical Access Management

4. Password management
Password is a component of a user identification and authentication process. The password configuration or
setting normally consists of:
• Minimum length
• Complexity
• Password history
• Fail login attempt
• Password age or expiration date

Example area to review:

• The password configure based on approval policy/procedure
or industry practices
• Single sign on may used (SSD)

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 12
ហិរញ្ញ វត្ថ
a. Logical/Physical Access Management

What are the risks associated?

• Unauthorized access to systems by business users
• Unauthorized access to systems and data by IT users
• Unauthorized changes to data
• Weak password controls or security configurations allow access rights to be circumvented.
• Unauthorized access to facilities, equipment and resources is not prevented.

How is this controlled?

• User registration and de-registration
• Management of privileged access rights
• Removal or adjustment of access rights
• Password configuration configure in the secure manner

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 13
ហិរញ្ញ វត្ថ
b. Computer Operations

Objective:To ensure that production system data is processed completely and accurately in accordance with
management's control objectives, and that processing problems are identified and resolved completely and
accurately to maintain the integrity of financial data. Systems process data as intended, and where they don’t, this
is identified and corrected.
Activities include:
1. Batch processing/Job Scheduling
2. Monitoring of computer processing
3. Backups and Recovery
4. Computer centre operations
5. Incident management

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 14
ហិរញ្ញ វត្ថ
b. Computer Operations

1. Batch processing/Job Scheduling

• Batch processing/Job scheduling refer to the batch which consist of thousands of data files for transfer within system or other system.
A job schedule is typically created that lists the jobs that must be run and the order in which they are run, including any dependencies.

Application
Job A

Example area to review:

• The monitoring over the processing
• Problem are identified and resolve on timely basis

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 15
ហិរញ្ញ វត្ថ
b. Computer Operations

2. Backups and Recovery

A copy of computer data taken and stored elsewhere so that it may be used to restore the original after a data loss
event. The process of Backup copies of information, software and system images shall be taken and tested
regularly in accordance with an agreed backup policy.
Backup types:

Full backup Differential backup Incremental backup

Example area to review: Backup of data modified/add Backup of data modified/add

• Backup schedule and monitoring since last full backup since last backup
• Backup storage and encryption
• Backup restoration test Full backup Last backup
• Off-site backup

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 16
ហិរញ្ញ វត្ថ
b. Computer Operations

3. Computer centre operations

Objectives: to ensure that there are tools and process to recover data and systems and the environment that the system are
operating is in safe from unauthorized access, damage.
Activities include:
• Disaster recovery plan (DRP) and testing: for the recovery of IT infrastructure, critical systems and associated data.
o Business impact analysis (BIA)
o All key business functions, process and supporting system
o Role, responsible and communication process
o Define RPO (recovery point objective) and RTO (recovery time objective)
o Critical backup media , recovery/testing plan
o Etc.
• Environmental/Physical protection (server room)
o Visitor log book, lock door
o CCTV coverage
o UPS, smoke detection system, fire extinguisher, temperature measurements
o Air conditioner/cooling system, raise floor
o Emergency contact number
o Etc.

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 17
ហិរញ្ញ វត្ថ
b. Computer Operations

4. Problem management
Objective: ensures problems are identified and resolved and system downtime is kept to a minimum.
Activities include:
• Helpdesk functions/Problem identification:
o Problem identification and recording in helpdesk or problem management system
o Problem are assigned to responsible person and promptly resolve
o Escalation procedure

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 18
ហិរញ្ញ វត្ថ
b. Computer Operations
What are the risks associated?
• Transaction records are lost (e.g. due to system failure) and data is not recoverable or is corrupted
• Transaction records transferred between systems are in complete or in accurate
• Inappropriate change or failures in batch process/job schedule
• Business disruption in the event of an environmental incident (e.g. fire, flood, power failure, excessive
heat/humidity)
How is this controlled?
• Only approved and tested changes are made to the batch/Job scheduler
• Errors in production processing (e.g. batch/job schedule/backup and recovery) are identified and resolved
• Data is appropriately backed up and recoverable
• Formal disaster recovery plan are regularly tested and results are documented
• Data Centre or server room environmental control should be in place

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 19
ហិរញ្ញ វត្ថ
c. Change Management

Objective: To ensure that changes to system and related infrastructure components are requested, authorised,
performed, tested, and implemented to achieve the objective. Changes to systems and data do not adversely
affect their integrity, availability or confidentiality.

Overall change process

Change request Construction Testing & QA Implementation

Segregation of duties

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 20
ហិរញ្ញ វត្ថ
c. Change Management

1. Change requests

User initiates Business Business and Change

Change Requests specification
change request approval IT prioritisation

 Formally documented
Detailed specification of what
 Consistent format the change needs to be
Appropriate business
sponsor and approval

 Business can explain criticality

 IT can plan resources

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 21
ហិរញ្ញ វត្ថ
 c. Change Management

Changes not requiring business approval

Infrastructure changes Emergency changes

• Business may not know they are needed
• Business users may not be able to complete the change
request as they may not understand the implications of the
change, and the priority
• Should still be formally requested and approved – by IT
• Need to be considered for prioritisation alongside all other
changes.
• Often sent out by vendors of applications/operating systems
when a bug is found
• Need to be implemented quickly to keep systems running
• May not have time to go through the formal change request
process before implementation
• Should be retrospectively documented and approved

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 22
ហិរញ្ញ វត្ថ
c. Change Management

2. Construction

Developer
Construction
Makes change

• Developers program the changes in line with specifications

• Application code changes should always be done in a development environment
• There may be some types of changes which can only be made directly in production (e.g.
data fix, some configuration changes)
• Controls within the development environment to ensure version control

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 23
ហិរញ្ញ វត្ថ
c. Change Management

3. Testing and QA

Testing & Quality Developer Migration to test IT performs User performs

Assurance Performs Unit testing environment Integration testing UAT and signs off

• Unit testing – does the changed program work on its own?

• System testing – does the changed program work within the system?
• Integration testing – does the change work with other applications, reports, data?
• User acceptance testing (UAT) – does the change meet the users requirements?
• Regression testing – did additional errors arise from fixing other problems?
• Stress testing – does it operate reliably for significant number of transactions?

Development Environment Test/QA environment Production Environment

Unit and System testing Integration, system, stress and UAT No testing

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 24
ហិរញ្ញ វត្ថ
c. Change Management

4. Implementation

Review for Review impact on Migrate to

Implementation
appropriate approvals automated controls Production

• Were the original change requests appropriately authorised?

• Has all necessary testing has been performed and signed off?
• Developers should not be able to migrate changes to the live
environment

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 25
ហិរញ្ញ វត្ថ
c. Change Management

What are the risks associated?

• Unauthorized/unapproved changes implemented into production environment
• Untested changes, or failure to make change in production environment
• Developers with access to migration code into production may implement unauthorized changes

How is this controlled?

• Request for changes to production system are approved, documented and subject to formal change management
procedure.
• Only approved and adequately tested changes to application programs, configuration are mitigated into
production
• Access to migrate program change to production system is restricted to authorized person.

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 26
ហិរញ្ញ វត្ថ
d. System Development

Objectives: To ensure that systems are developed, configured, and implemented to achieve management’s
objectives which mean Systems that are developed actually work as required.
System development life cycle approach:
1. Feasibility Study
2. Requirements
3. Software Selection and Acquisition/Design
4. Configuration/Development
5. Final Testing and Implementation
6. Post-implementation Review

Te
im sting
ple &
me
nta
tion/
tio
n Configura
ent
Developm

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 27
ហិរញ្ញ វត្ថ
 d. System Development

1. Feasibility Study
What happens at this stage ?
Fe as ib il i ty study 2.
• Define the business problem and implement solution 1. R eq
• Identify whether to use current system with some update, develop or ui
re
me

tation
acquire a system nt
• Define a time frame for implementation and return on investment s

en
Determines whether a vendor product offers a solution to the problem

-
implem
6. Post
• Determines the approximate cost to develop the system

gn
SDLC Phases

Desi
selec tware
Example area to review:

tion/
• Ensure the results of criteria analysed reports (e.g costs , benefits,

f
5.

3. So
risk, resources required and organizational impact) are documented. im Test
• Reasonableness of selection solution based on strength and weakness pl e i n g
me &
• Identification of all relevant stakeholders and approval from them for nta
tio .C o nf i gu ration/
initiation n 4
ent
Developm

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 28
ហិរញ្ញ វត្ថ
d. System Development

2. Requirements

t y s
atsuibdiyl i ty s tRudy 2. R
What happens at this stage ? Feasib1il.iFe eq
ui
eq
ui
• Identify and specify the business/user requirements or function rem re
en me
needs

tation
n ts

tation
ts
• Technical specifications

en
• Business, contractual and regulatory processes

en
-
implem
6. Post
implem
Post-

gn
gn
Example area to review: SDLC Phases

Desi
Desi
re
• The business user requirement and system specifications

ftwa
tion/
selec are
tion/
proper documents
5.

Softw
• Review and approval of design by key stakeholders (including Tes

3. So
T

selec
im tingimp esti
business owners, IT, Risk Management / IA function) ple & le ng
me me &
nta nt a
tio tio nfiguratniofing/uration/
n nCo 4.Co
ent t
DeveloDpemvelopmen

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 29
ហិរញ្ញ វត្ថ
d. System Development

3A. Software Selection and Acquisition (purchased systems)

• Based on requirement define prepare request for proposal
• Invite for biding from respective suppliers or solution providers
ty stu dy 2.
1. Feasibili R eq
3B. Design (in-house development) ui
re
• Develop system flowchart how information will flow through the system me

tation
nt
• Illustrating inputs and outputs s
• Interfaces with other system, security and segregation of duties

en
-
implem
6. Post
• Listing the processing steps and completion rules

gn
• Determining the types of database system in use if any SDLC Phases

Desi
selec tware
• Creating a plan for various levels of testing

tion/
f
3. So
Example area to review: 5.
• Proposal and biding documentation im Test
ple ing
• System design documentation me &
nta
ration
• Testing design plan tio
n 4.Configu
ent
/Developm

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 30
ហិរញ្ញ វត្ថ
d. System Development

4A. Configuration (purchased system)

• Defining, tracking and controlling changes in an acquired system
to meet the needs of the business ity study 2.
• Modification of tables configuration and ensure the system is 1. Feasibil R eq
ui
integrated into the existing IT architecture (ERP system) rem

tation
en
t s
4B. Development (in-house development)

en
• Coding and developing program and system-level documents

-
implem
6. Post
• Debugging and testing the programs developed

gn
SDLC Phases

Desi
• Developing programs for data conversion/migration

selec tware
• Creating user procedures to handle transition to the new system

tion/
• Training selected users on the new system

f
5.

3. So
• Involve with various of testing: im Test
o Unit testing which is the testing of individual programmer ple ing
me &
module nta
tio ration
o Interface or integration testing which is a hardware of n 4.Configu
ent
software test, evaluates the connection of two or more /Developm
components and how well they pass information

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 31
ហិរញ្ញ វត្ថ
 d. System Development

4B. Development (in-house development)

o System testing, which is a series of tests against the entire
ity study 2.
solution to check for proper functionality 1. Feasibil R eq
o Final acceptance testing, should be done at the conclusion of ui
rem

tation
other testing and before the general release of the solution. en
t s

en
Example area to review:

-
implem
6. Post
• Formal mapping of old to new data, that is automatically applied

gn
to all records SDLC Phases

Desi
selec tware
• Record counts, sample testing, exception reporting

tion/
• Test conversion prior to UAT

f
5.

3. So
• Review of test script design im Test
• Review of test results and approval to close test phases ple ing
me &
• Monitoring, investigation and resolution of defects nta
tio ration
n 4.Configu
ent
/Developm

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 32
ហិរញ្ញ វត្ថ
d. System Development

5. Final Testing and Implementation

Will focus on the following:
• Final acceptance testing:
ity study 2.
o QAT: quality assurance testing focusing on technical aspects of the 1. Feasibil R eq
application uir
em

tation
o UAT: user acceptance testing focusing on functional aspects of the en
t s
application

en
• System is ready migrate to production environment

-
implem
6. Post
• All necessary data have been successfully converted and loaded into the

gn
SDLC Phases
new system

Desi
selec tware
• Implementation by authorised personnel, not by developers

tion/
o “Go Live” decision

f
5.

3. So
o Back-out procedures im Test
o Scheduled implementation ple ing
me &
Example area to review: n ta
tio ration
• Final acceptance testing plan and results sign off n 4.Configu
ent
• Data migration method/procedure /Developm
• Data verification/reconciliation results
• Final approval of go-live by steering committee / key stakeholders

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 33
ហិរញ្ញ វត្ថ
d. System Development

6. Post-implementation Review
The review should meet the following objectives: ea s i bi li t y study Re
F qu
• Assessing the adequacy of the system ire
m
o Does the system meet user requirements and business objective? en

tation
ts
o Have access controls been adequately defined and implemented?

en
• Evaluating the projected cost benefits or ROI measurements

implem
• Developing recommendations that address the system’s inadequacies and

Post-

gn
SDLC Phases
deficiencies

Desi
• Developing a plan for implementing the recommendations

selec are
tion/
• Assessing the development project process

Softw
o Were the chosen methodologies, standards and techniques followed? Te
im sting
o Were appropriate project management techniques used? ple &
me
n ta
tion/
Example area to review:
tio
n Configura
e nt
• Post-implementation documents Developm

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 34
ហិរញ្ញ វត្ថ
 5. Audit Documentation

Audit documentation should include, at a minimum, a record of the following:

• Planning and preparation of the audit scope and objectives
• Description and/or walk-throughs on the scoped audit area
• Audit program and checklist
• Audit steps performed and audit evidence gathered
• Audit findings, conclusions and recommendations

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 35
ហិរញ្ញ វត្ថ
 Question?

រៀបចំដោយ អគ្គនាយកដ្ឋា នសវនកម្មផ្ទៃក្នុង នៃក្រសួងសេដ្ឋកច

ិ ន
្ច ង
ិ 36
ហិរញ្ញ វត្ថ