In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, the IS auditor should:
A、identify and assess the risk assessment process used by management.
B、identify information assets and the underlying systems.
C、disclose the threats and impacts to management.
D、identify and evaluate the existing controls.