Which statement BEST describes the structure of security audits?

Study for the Professional Security Institute 24Hr Test. Access diverse multiple choice questions with detailed explanations and hints. Master the necessary skills and knowledge to succeed on your exam!

Multiple Choice

Which statement BEST describes the structure of security audits?

Explanation:
Security audits are conducted in a structured, methodical way to evaluate an organization's security controls and governance, with the aim of identifying gaps and improving the security posture. The process is planned and scoped, with defined criteria, evidence collection, testing of controls, and interviews, spanning technical, administrative, and physical domains. Audits compare actual practices against written policies and standards, assess effectiveness, and result in documented findings and prioritized remediation. This structured approach ensures consistency, traceability, and accountability, which are essential for credible results and ongoing improvement. Ad hoc assessments would lack standard criteria and repeatability; focusing only on physical access narrows the scope and ignores many other critical controls; relying solely on automated tools misses context, human judgment, and the reasonableness of policies. The essence is that security audits are systematic reviews of policies, controls, and procedures to identify gaps and improve security posture.
