During a security audit of IT processes, an IS auditor found that there were no documented security procedures. The IS auditor should:
A、create the procedures document.
B、terminate the audit.
C、conduct compliance testing.
D、identify and evaluate existing practices.