An IS auditor is evaluating management's risk assessment of information systems. The IS auditor should FIRST review:
A、the controls already in place.
B、the effectiveness of the controls in place.
C、the mechanism for monitoring the risks related to the assets.
D、the threats/vulnerabilities affecting the assets.