To ensure an organization is complying with privacy requirements, an IS auditor should FIRST
review:

A.
the IT infrastructure.

B.
organizational policies, standards and procedures.

C.
legal and regulatory requirements.

D.
the adherence to organizational policies, standards and procedures.

Explanation:
To ensure that the organization is complying with privacy issues, an IS auditor should address legal
and regulatory requirements first. To comply with legal and regulatory requirements, organizations
need to adopt the appropriate infrastructure. After understanding the legal and regulatory
requirements, an IS auditor should evaluate organizational policies, standards and procedures to
determine whether they adequately address the privacy requirements, and then review the
adherence to these specific policies, standards and procedures.