Which statement best captures a limitation of audits?

Prepare for the Internal Auditing Standards and Practices - Cybersecurity Test.

Multiple Choice

Which statement best captures a limitation of audits?

Explanation:
Audits provide a snapshot of an organization’s controls at a specific time, but they cannot guarantee ongoing security. They assess whether controls exist and are operating effectively during the audit, but threats evolve, configurations drift, and new vulnerabilities can appear after the assessment. The scope and testing depth are finite, often relying on sampling, documentation, and evidence available at the moment, so not every issue can be found or verified. Remediation may address known gaps, yet security can still be compromised later by changes, misconfigurations, or advanced attacks, meaning a passing audit does not ensure a secure environment.

The other statements aren’t as accurate about limitations: audits don’t guarantee security after remediation, because fixes can be incomplete or later undone; audits don’t identify every vulnerability due to scope and time constraints; and audits do not make security unnecessary—ongoing vigilance and continuous improvement are still required.
