Which of the following would be MOST effective when justifying the cost of adding security controls to an existing web application?

A. Internal audit reports
B. Application security policy
C. Vulnerability assessment results
D. A business case