In an organization where an IT security baseline has been defined, an IS auditor should FIRST ensure: A、implementation. B、compliance. C、documentation. D、sufficiency.