An external audit finds that the organization has inconsistent implementation of its network security controls. What does this imply?