Answer (B) is correct. The internal audit activity evaluates risk exposures related to governance, operations, and information systems regarding, among other things, compliance with laws, regulations, and contracts. Based on the risk assessment, the internal audit activity evaluates the adequacy and effectiveness of controls encompassing governance, operations, and information systems. This evaluation should include, among other things, compliance with laws, regulations, and contracts (Standards 2110.A2 and 2120.A1). Operation in accordance with contracts and regulations takes precedence over all other objectives because it relates to the most basic aspects of the programs.