During a security audit of IT processes, an IS auditor found that there were no documented security
procedures. What should the IS auditor do?
A.
Identify and evaluate existing practices
B.
Create a procedures document
C.
Conduct compliance testing
D.
Terminate the audit
Explanation:
The auditor should first evaluated existing policies and practices to identify problem areas and opportunities.