Once the auditor is sure of his or her understanding of the standard, the next step is to identify the cause of the deviation. This is based on the reexamination of the standards involved. Determining the cause of a deviation is answering the who, what, why, where, and when of a particular asset, transaction, or event. The answers provide the raw material to help make judgments about the control system currently in place. Determining the cause helps identify the exposures and aids in formulating recommendations.