After identifying a business process for an audit, what should the IS auditor identify NEXT?

Following the identification of a business process for an audit, the most logical next step is to define the control objectives and activities. This is critical because understanding the control objectives helps the auditor determine what the audit aims to assess regarding the effectiveness and efficiency of the controls governing the business process.

Control objectives specify what needs to be achieved through the controls in place, providing a framework for evaluating whether the business process operates as intended. Identifying these objectives allows the auditor to create a structured approach to assess the reliability of the system, compliance with regulations, and the safeguarding of assets.

In subsequent steps, the auditor may indeed consider valuable information assets, audit resources, and personnel interviews, but these elements become useful only after the control objectives have been established. This sequence ensures that the audit process is focused and relevant, allowing for a deeper understanding of the specific controls that need to be examined for effectiveness and alignment with the organization's goals.