3. A compliance audit of the reporting cycle is being planned. The auditors are specifically concerned with the control of sensitive data on quarterly reports that could be used by competitors. The distribution of sensitive financial data should be determined by

AThe vice president of finance

BApproved corporate policy

CThe audit committee

DThe data security officer

Athe vice president of finance would not determine the distribution of sensitive data.

BThe scope of work of internal auditing includes reviewing the control systems established to ensure compliance with those policies, plans. procedures, laws, regulations, and contracts that could have a significant impact on operations and reports (standard 320). The treatment of confidential information is of such importance to the organization that it should be the subject of a corporate policy, which is a standing plan for repetitive situations that consists of general statements to guide managers’ thinking and action.

CDistribution of sensitive data would not be determined by the audit committee.

Dthe data security officer may distribute sensitive data but only in accordance with corporate policy.