An IS auditor reviewing access controls for a client-server environment should FIRST:

A.
evaluate the encryption technique.

B.
identify the network access points.

C.
review the identity management system.

D.
review the application level access controls.

Explanation:
A client-server environment typically contains several access points and utilizes distributed techniques,
increasing the risk of unauthorized access to data and processing. To evaluate the security of the client server
environment, all network access points should be identified. Evaluating encryption techniques, reviewing the
identity management system and reviewing the application level access controls would be performed at a later
stage of the review.