During a post-incident review of a security breach, what type of analysis should an IS auditor expect to be performed by the organization's information security team?

A. Gap analysis
B. Business impact analysis (BIA)
C. Qualitative risk analysis
D. Root cause analysis