In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts.
Next, the IS auditor should:
identify and assess the risk assessment process used by management.
identify information assets and the underlying systems.
disclose the threats and impacts to management.
identify and evaluate the existing controls.
It is important for an IS auditor to identify and evaluate the existing controls and security once the
potential threats and possible impacts are identified. Upon completion of an audit, an IS auditor
should describe and discuss with management the threats and potential impacts on the assets.