The PRIMARY objective of an audit of IT security policies is to ensure that:

A.
they are distributed and available to all staff.

B.
security and control policies support business and IT objectives.

C.
there is a published organizational chart with functional descriptions.

D.
duties are appropriately segregated.

Explanation:
Business orientation should be the main theme in implementing security. Hence, an IS audit of IT security
policies should primarily focus on whether the IT and related security and control policies support business and
IT objectives. Reviewing whether policies are available to all is an objective, but distribution does not ensure
compliance. Availability of organizational charts with functional descriptions and segregation of duties might be
included in the review, but are not the primary objective of an audit of security policies.