During a security audit of IT processes, an IS auditor found that there were no documented security
procedures. What should the IS auditor do?

A.
Identify and evaluate existing practices

B.
Create a procedures document

C.
Conduct compliance testing

D.
Terminate the audit

Explanation:
The auditor should first evaluated existing policies and practices to identify problem areas and opportunities.