A new system has been developed that does not comply with password-aging rules. This noncompliance can BEST be identified through:

A. a business impact analysis
B. an internal audit assessment
C. an incident management process
D. a progressive series of warnings