An IS auditor evaluating logical access controls should FIRST:

A.
document the controls applied to the potential access paths to the system.

B.
test controls over the access paths to determine if they are functional.

C.
evaluate the security environment in relation to written policies and practices

D.
obtain an understanding of the security risks to information processing.

Explanation:
When evaluating logical access controls, an IS auditor should first obtain an understanding of the security risks
facing information processing by reviewing relevant documentation, by inquiries, and by conducting a risk
assessment. Documentation andevaluation is the second step in assessing the adequacy, efficiency and
effectiveness, thus identifying deficiencies or redundancy in controls. The third step is to test the access pathsto determine if the controls are functioning. Lastly, thelS auditor evaluates the security environment to assess
its adequacy by reviewing the written policies, observing practices and comparing them to appropriate security
best practices.