In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, the IS auditor should: 
A、identify and assess the risk assessment process used by management. 
B、identify information assets and the underlying systems. 
C、disclose the threats and impacts to management. 
D、identify and evaluate the existing controls.