What security element must an organization have in place befor it can implement a security audit and validate the audit results?

What security element must an organization have in place befor it can implement a
security audit and validate the audit results?

A.
a security policy

B.
an Incident Response Team

C.
Network access control

D.
Firewalls

E.
a Security Operations Center