Which of the following reasons justifies why you should audit failed events?

A.
To log resource access for reporting and billing

B.
To monitor for malicious attempts to access a resource which has been denied

C.
None of these

D.
To monitor access that would suggest users are performing actions greater than you had planned

Explanation:
http://technet.microsoft.com/en-us/library/cc778162%28v=ws.10%29.aspx
Auditing Security Events Best practices
If you decide to audit failure events in the policy change event category, you can see if unauthorized users or
attackers are trying to change policy settings, including security policy settings. Although this can be helpful for
intrusion detection, the increase in resources that is required and the possibility of a denial-of-service attack
usually outweigh the benefits.