After an IS auditor has identified threats and potential impacts, the auditor should:

A.
Identify and evaluate the existing controls

B.
Conduct a business impact analysis (BIA)

C.
Report on existing controls

D.
Propose new controls

Explanation:
After an IS auditor has identified threats and potential impacts, the auditor should then identify and
evaluate the existing controls.