What should an IS auditor do first upon discovering undocumented devices in a network during an audit?

Study for the CISA Domain 1 Exam. Get ready with flashcards, multiple-choice questions, hints, and explanations. Prepare thoroughly for your audit and assurance certification!

Upon discovering undocumented devices in a network during an audit, the first step an IS auditor should take is to evaluate the impact of the undocumented devices on the audit scope. This is important because understanding how these devices influence the overall security posture, compliance with policies, and the effectiveness of existing controls is critical before taking further action. Evaluating the impact allows the auditor to assess risks associated with these devices, such as potential vulnerabilities or unauthorized access points that may not have been accounted for in the initial audit scope.

This initial evaluation informs subsequent decisions, ensuring that any further actions or changes to the audit scope are well-founded and based on a clear understanding of the risks presented by the undocumented devices. By doing so, the auditor can prioritize their efforts and focus on areas that may pose the greatest risk to the organization.
