• Prioritize risk: The first phase involves the prioritization of risk which in turn involves following task:
  – Analyze and prioritize risks to organizational objectives.
  – Identify the necessary application components and flow of information through the system.
  – Examine and understand the functionality of the application by reviewing the application system documentation and interviewing appropriate personnel.
• Identify controls: After prioritizing risk now the controls are identified, and this involves following tasks:
  – Key controls are identified across the internal control system that addresses the prioritized risk.
  – Applications control strength is identified.
  – Impact of the control weaknesses is being evaluated.
  – Testing strategy is developed by analyzing the accumulated information.
• Identify information: Now the IS control information should be identified:
  – Identify information that will persuasively indicate the operating effectiveness of the internal control system.
  – Observe and test user performing procedures.
• Implement monitoring: Develop and implement cost-effective procedures to evaluate the persuasive information.
• Report results: After implementing monitoring process the results are being reported to relevant stakeholders.

Incorrect Answers: A, C, D: These all phases occur in IS monitoring and maintenance process after prioritizing risks.