Which of the following would not be an appropriate step for an internal auditor to perform during an assessment of compliance with an organization’s privacy policy?
A. Determine who can access databases containing confidential information.
B. Evaluate the organization’s privacy policy to determine if appropriate information is covered.
C. Analyze access to permanent files and reports containing confidential information.
D. Evaluate the government’s security measures related to confidential information received from the organization.