The BEST way to validate whether a malicious act has actually occurred in an application is to review:

A. segregation of duties
B. access controls
C. activity logs
D. change management logs