Correct Answer: B
The primary purpose for an organization to conduct a security audit is to ensure that the organization is applying security controls to mitigate identified risks. A security audit is a systematic and independent examination of the security posture and performance of an organization, system, or network, against a set of predefined criteria, standards, or regulations. A security audit can help to ensure that the organization is applying security controls to mitigate identified risks, by evaluating the effectiveness and adequacy of the security controls and measures that are implemented on the organization, system, or network, and by identifying and resolving any security issues or gaps that may expose the organization, system, or network to various security threats and risks. A security audit can also help to provide recommendations and solutions to improve the security posture and performance of the organization, system, or network, as well as to demonstrate the compliance and accountability of the organization with the relevant security policies and regulations. To ensure the organization is adhering to a well-defined standard, to ensure the organization is configuring information systems efficiently, or to ensure the organization is documenting findings are not the primary purposes for an organization to conduct a security audit, as they are more related to the quality, optimization, or reporting aspects of security. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 18: Security Assessment and Testing, page 1001; CISSP Official (ISC)2 Practice Tests, Third Edition, Domain 6: Security Assessment and Testing, Question 6.1, page 243.