After an IS auditor has identified threats and potential impacts, the auditor should:

A. Identify and evaluate the existing controls
B. Conduct a business impact analysis (BIA)
C. Report on existing controls
D. Propose new controls

Explanation:
After an IS auditor has identified threats and potential impacts, the auditor should then identify and
evaluate the existing controls.