During a security audit of IT processes, an IS auditor found that there were no documented security procedures. What should the IS

auditor do?

A. Identify and evaluate existing practices

B. Create a procedures document

C. Conduct compliance testing

D. Terminate the audit

The auditor should first evaluated existing policies and practices to identify problem areas and opport

unities.