An IS audit report highlighting inadequate network internal controls is challenged because no serious incident has ever occurred. Which of the following actions performed during the audit would have BEST supported the findings?

A. Compliance testing
B. Threat risk assessment
C. Penetration testing
D. Vulnerability assessment