Which of the following findings should be of GREATEST concern for an IS auditor when auditing the effectiveness of a phishing simulation test administered for staff members? 

Answer options:

A. Staff members were not notified about the test beforehand.
B. Test results were not communicated to staff members.
C. Staff members who failed the test did not receive follow-up education.
D. Security awareness training was not provided prior to the test.

C