Which of the following provides an IS auditor with the BEST evidence that an organization's information security program is aligned to business objectives?

A. Balanced scorecard
B. Risk assessment results
C. Business impact analysis (BIA)
D. Cost-benefit analysis