An internal auditor is assigned to conduct an audit of security for a local area network (LAN) in the finance department of the organization. Investment decisions, including the use of hedging strategies and financial derivatives, use data and financial models which run on the LAN. The LAN is also used to download data from the mainframe to assist in decisions. Which of the following should be considered outside the scope of this security audit engagement?

A. Investigation of the physical security over access to the components of the LAN.
B. The ability of the LAN application to identify data items at the field or record level and implement user access security at that level.
C. Interviews with users to determine their assessment of the level of security in the system and the vulnerability of the system to compromise.

D. The level of security of other LANs in the company which also utilize sensitive data.