An IS auditor reviewing access controls for a client-server environment should FIRST:

A. evaluate the encryption technique.

B. identify the network access points.

C. review the identity management system.

D. review the application level access controls.

Explanation:

A client-server environment typically contains several access points and utilizes distributed techniques, increasing the risk of unauthorized access to data and processing. To evaluate the security of the client server environment, all network access points should be identified. Evaluating encryption techniques, reviewing the identity management system and reviewing the application level access controls would be performed at a later stage of the review.