An internal IS auditor discovers that a service organization did not notify its customers following a data breach. Which of the following should the auditor do FIRST?
A. Notify audit management of the finding.
B. Report the finding to regulatory authorities.
C. Notify the service organization’s customers.
D. Require the service organization to notify its customers.
A. Notify audit management of the finding.
B. Report the finding to regulatory authorities.
C. Notify the service organization’s customers.
D. Require the service organization to notify its customers.