A business has requested an IS audit to determine whether information stored in an application system is adequately protected. Which of the following is the MOST important action before the audit work begins? 

Answer options:

A. Establish control objectives
B. Conduct a vulnerability analysis
C. Perform penetration testing
D. Review remediation reports

A