What is the first step a bank should take regarding auditing sensitive information?

• A. Hire external auditors
• B. Disable auditing to minimize risk
• C. Determine the impact of enabling the audit feature
• D. Conduct a risk assessment for auditing

Answer: (C)

When auditing sensitive information, you first need to understand what happens if the audit feature is turned on. Determining the impact means identifying exactly what data will be logged, where those logs will be stored, who can access them, how long they are kept, and what privacy and regulatory requirements apply. This upfront assessment shows whether auditing is appropriate, what controls are needed to protect the data, and what performance or operational effects to expect. With that clarity, you can then plan a proper risk assessment and implement appropriate safeguards. Hiring external auditors or disabling auditing are actions that come later in the process, and a risk assessment for auditing makes more sense once you know the scope and impact.