After identifying potential security vulnerabilities, what should be the IS auditors next step?

A. To evaluate potential countermeasures and compensatory controls

B. To implement effective countermeasures and compensatory controls

C. To perform a business impact analysis of the threats that would exploit the vulnerabilities

D. To immediately advise senior management of the findings

Explanation:

After identifying potential security vulnerabilities, the IS auditors next step is to perform a business impact analysis of the threats that would exploit the vulnerabilities.