Which statement best describes the relationship between IT auditing placement and independence from IT security?

Prepare for the Network Security (NETSEC) 2 Exam.

Multiple Choice

Which statement best describes the relationship between IT auditing placement and independence from IT security?

Explanation:

The key idea is that independence of the audit function comes from where it sits in the organization and who it reports to. When IT auditing is placed in the existing auditing department, it typically reports to the audit committee or board rather than to IT leadership. This reporting line creates distance from IT security management, allowing auditors to evaluate controls and raise issues without being influenced by those they audit. That objective stance is what preserves independence and credibility of the audit findings.

If IT auditing were placed inside the IT department, it would be more vulnerable to management influence over priorities, access, and how findings are reported, which can compromise both perceived and real independence. Outsourcing can vary in its impact on independence depending on governance and contract terms, but placing IT auditing in the auditing department aligns most strongly with maintaining independence from IT security.
