An IS auditor is evaluating management's risk assessment of information systems. The IS auditor should FIRST review: 
A、the controls already in place. 
B、the effectiveness of the controls in place. 
C、the mechanism for monitoring the risks related to the assets. 
D、the threats/vulnerabilities affecting the assets.