After an IS auditor has identified threats and potential impacts, the auditor should:

A. Identify and evaluate the existing controls

B. Conduct a business impact analysis (BIA)

C. Report on existing controls

D. Propose new controls

Explanation:

After an IS auditor has identified threats and potential impacts, the auditor should then identify and evaluate the existing controls.