An IS auditor notes that IT and the business have different opinions on the availability of their application servers. Which of the following should the IS auditor review FIRST in order to understand the problem?
Correct Answer: A
The first thing the IS auditor should review is the exact definition of the service levels and how they are measured. Service levels are the agreed-upon targets for delivering IT services, such as availability, reliability, performance and security; service level measurement is the process of collecting, analysing and reporting data on whether those targets are met. When IT and the business disagree about the availability of the same servers, they are usually measuring different things, for example counting different service windows, treating planned maintenance differently, or drawing on different data sources. Reviewing the definition and the measurement method lets the auditor identify the gaps, inconsistencies or ambiguities that produce the conflicting figures. The other options do not address this root cause and are therefore not what should be reviewed first. References: CISA Review Manual, 27th Edition, page 372
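To make the point concrete, the following added example (not from the CISA Review Manual) measures one constructed outage log for a single application server under three different service level definitions. The outage timestamps, the March 2024 period and the Mon-Fri 08:00-18:00 business window are all assumptions chosen for illustration; the interesting result is that the same log yields three different availability figures, which is exactly the kind of disagreement the question describes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed outage log for one application server over March 2024 (hypothetical
# data, not from the CISA manual). Entries: (start, end, planned?) in UTC.
OUTAGES = [
    ("2024-03-03 02:00", "2024-03-03 04:00", True),   # Sunday patch window, announced in advance
    ("2024-03-12 10:15", "2024-03-12 11:45", False),  # Tuesday mid-morning crash
    ("2024-03-20 22:30", "2024-03-21 01:00", False),  # Wednesday night storage fault
]
PERIOD_START = datetime(2024, 3, 1)
PERIOD_END = datetime(2024, 4, 1)
BUSINESS_HOURS = (8, 18)  # assumed business service window: Mon-Fri 08:00-18:00


@dataclass(frozen=True)
class ServiceLevelDefinition:
    name: str
    business_hours_only: bool  # measure only inside BUSINESS_HOURS on weekdays
    exclude_planned: bool      # announced maintenance does not count as downtime


def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def overlap_minutes(a_start, a_end, b_start, b_end) -> int:
    """Whole minutes shared by the intervals [a_start, a_end) and [b_start, b_end)."""
    lo, hi = max(a_start, b_start), min(a_end, b_end)
    return max(0, int((hi - lo).total_seconds() // 60))


def business_minutes(start, end) -> int:
    """Minutes of [start, end) that fall inside the weekday business window."""
    total = 0
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    while day < end:
        if day.weekday() < 5:  # Monday..Friday
            win_start = day + timedelta(hours=BUSINESS_HOURS[0])
            win_end = day + timedelta(hours=BUSINESS_HOURS[1])
            total += overlap_minutes(start, end, win_start, win_end)
        day += timedelta(days=1)
    return total


def measured_minutes(start, end, sld: ServiceLevelDefinition) -> int:
    """Minutes of [start, end) that count under the definition's service window."""
    if sld.business_hours_only:
        return business_minutes(start, end)
    return int((end - start).total_seconds() // 60)


def availability(sld: ServiceLevelDefinition, outages=OUTAGES,
                 period=(PERIOD_START, PERIOD_END)) -> float:
    """Availability in percent (3 decimals) for one definition over the period."""
    p_start, p_end = period
    scheduled = measured_minutes(p_start, p_end, sld)
    downtime = 0
    for start, end, planned in outages:
        if planned and sld.exclude_planned:
            continue  # this definition simply does not see planned outages
        s, e = max(parse(start), p_start), min(parse(end), p_end)
        if e > s:
            downtime += measured_minutes(s, e, sld)
    return round(100.0 * (1 - downtime / scheduled), 3)


DEFINITIONS = [
    ServiceLevelDefinition("24x7, all outages count", False, False),
    ServiceLevelDefinition("24x7, planned maintenance excluded", False, True),
    ServiceLevelDefinition("business hours only, all outages count", True, False),
]


def availability_report(outages=OUTAGES) -> dict:
    """The same outage log measured under each definition."""
    return {d.name: availability(d, outages) for d in DEFINITIONS}


if __name__ == "__main__":
    for name, pct in availability_report().items():
        print(f"{pct:7.3f}%  {name}")
```

With this log, a 24x7 measurement that counts every outage gives about 99.19%, excluding the Sunday patch window raises it to about 99.46%, and a business-hours-only measurement (which sees only the Tuesday crash) gives about 99.29%. None of the three is wrong; an audit finding only becomes possible once the SLA states which of them is the agreed definition and how the underlying data is collected.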
Question 802
An IS auditor is concerned that unauthorized access to a highly sensitive data center might be gained by piggybacking or tailgating. Which of the following is the BEST recommendation?
Correct Answer: C
Explanation: The best recommendation to prevent unauthorized access to a highly sensitive data center by piggybacking or tailgating is an airlock entrance (also called a mantrap or deadman door). An airlock entrance consists of two interlocked doors, so that only one door can be open at a time: a person must pass through the outer door, have it close behind them, and be verified before the inner door releases. An unauthorized person therefore cannot simply follow an authorized person straight into the data center, and the enclosed vestibule makes any attempt to do so visible. The airlock can be combined with other security measures, such as biometrics, card readers or PIN pads, to verify the identity and authorization of each person entering. Biometrics (option A) verify a person's identity from physical or behavioral characteristics such as fingerprints, iris patterns or voice. They provide strong authentication, but they do not by themselves prevent piggybacking or tailgating, because an unauthorized person can still follow through the door that the biometric system has just opened for someone else. Procedures for escorting visitors (option B) require every visitor to be accompanied by an authorized employee at all times. This helps control visitor access, but it does not address piggybacking or tailgating by employees or contractors who legitimately have access to the building but not to the data center. Intruder alarms (option D) detect and alert when an unauthorized person enters a restricted area. They act as a deterrent and trigger a response, but they are detective rather than preventive controls: they only fire after the intruder is already inside the data center.
References:
1. CISA Certification | Certified Information Systems Auditor | ISACA
2. CISA Certified Information Systems Auditor Study Guide, 4th Edition
3. CISA - Certified Information Systems Auditor Study Guide [Book]
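The following added example (not from the CISA manual or any vendor's product) models the interlock logic of an airlock entrance as a small state machine, so the control can be reasoned about rather than just described. It assumes, in addition to the two interlocked doors and a badge reader named in the explanation, an occupancy sensor in the vestibule; that sensor is an assumption, and it matters, because an interlock alone stops someone following through an open door but not two people stepping into the vestibule together. The badge identifiers and the authorized list are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Mantrap:
    """Airlock entrance: outer door, vestibule with an (assumed) occupancy sensor,
    inner door into the data center. Assumed design rules, not from the CISA manual:
    - interlock: a door will not release while the other door is open;
    - the inner door releases only for an authorized badge with exactly one person
      in the vestibule, so one credential can never admit two bodies."""
    authorized: set
    outer_open: bool = False
    inner_open: bool = False
    occupants: int = 0            # current reading from the occupancy sensor
    events: list = field(default_factory=list)

    def _log(self, msg: str) -> str:
        self.events.append(msg)
        return msg

    def open_outer(self) -> str:
        if self.inner_open:       # interlock: inner door still open
            return self._log("outer: DENIED (inner door open)")
        self.outer_open = True
        return self._log("outer: opened")

    def step_in(self, people: int) -> str:
        """People enter the vestibule through the open outer door; the sensor counts them."""
        if not self.outer_open:
            return self._log("step_in: impossible, outer door closed")
        self.occupants += people
        return self._log(f"vestibule: occupancy={self.occupants}")

    def close_outer(self) -> str:
        self.outer_open = False
        return self._log("outer: closed")

    def request_inner(self, badge: str) -> str:
        """Badge presented at the inner door; all three conditions must hold."""
        if self.outer_open:       # interlock: outer door must be shut first
            return self._log("inner: DENIED (interlock, outer door open)")
        if badge not in self.authorized:
            return self._log(f"inner: DENIED (badge {badge} not authorized)")
        if self.occupants != 1:   # one credential but more (or fewer) than one body
            return self._log(f"inner: DENIED + ALARM (occupancy={self.occupants}, expected 1)")
        self.inner_open = True
        return self._log(f"inner: GRANTED for {badge}")


def scenario_single(badge: str = "E1001") -> str:
    """One person enters, the outer door closes, the badge is presented."""
    trap = Mantrap(authorized={"E1001"})
    trap.open_outer(); trap.step_in(1); trap.close_outer()
    return trap.request_inner(badge)


def scenario_tailgate() -> str:
    """An authorized employee and a tailgater enter the vestibule together."""
    trap = Mantrap(authorized={"E1001"})
    trap.open_outer(); trap.step_in(2); trap.close_outer()
    return trap.request_inner("E1001")


def scenario_interlock() -> str:
    """Badge presented while the outer door is still open: interlock refuses."""
    trap = Mantrap(authorized={"E1001"})
    trap.open_outer(); trap.step_in(1)
    return trap.request_inner("E1001")


if __name__ == "__main__":
    print(scenario_single())            # inner: GRANTED for E1001
    print(scenario_single("V0001"))     # inner: DENIED (badge V0001 not authorized)
    print(scenario_tailgate())          # inner: DENIED + ALARM (occupancy=2, expected 1)
    print(scenario_interlock())         # inner: DENIED (interlock, outer door open)
```

The tailgate scenario is the one that separates this control from biometrics or an alarm on the data center door: the authorized badge is valid, yet the inner door stays shut because the vestibule holds two people, and the attempt is logged and alarmed while both are still outside the sensitive area. Without the occupancy check the same pair would be admitted, which is why an auditor recommending an airlock should also ask how the entrance detects more than one occupant.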
Question 803
Which of the following should be a PRIMARY control objective when designing controls for system interfaces?
Correct Answer: B
Section: Information System Acquisition, Development and Implementation
Question 804
Which of the following statements correctly describes the difference between QAT and UAT?
Correct Answer: A
Section: Information System Acquisition, Development and Implementation
Explanation: Final acceptance testing has two major parts: quality assurance testing (QAT), which focuses on the technical aspects of the application, and user acceptance testing (UAT), which focuses on its functional aspects.

For the CISA exam you should know the following types of testing:

Unit testing - The testing of an individual program or module. Unit testing uses a set of test cases that focus on the control structure of the procedural design. These tests ensure that the program operates internally according to its specification.
Interface or integration testing - A hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective is to take unit-tested modules and build the integrated structure dictated by the design. The term integration testing also refers to tests that verify and validate the functioning of the application under test with other systems, where a set of data is transferred from one system to another.
System testing - A series of tests designed to ensure that modified programs, objects, database schemas and so on, which collectively constitute a new or modified system, function properly. These test procedures are often performed in a non-production test/development environment by software developers designated as a test team. The following specific analyses may be carried out during system testing:
Recovery testing - Checking the system's ability to recover after a software or hardware failure.
Security testing - Making sure the modified or new system includes provisions for appropriate access control and does not introduce any security holes that might compromise other systems.
Load testing - Testing an application with large quantities of data to evaluate its performance during peak hours.
Volume testing - Studying the impact on the application by testing with an incremental volume of records to determine the maximum volume of records that the application can process.
Stress testing - Studying the impact on the application by testing with an incremental number of concurrent users/services to determine the maximum number of concurrent users/services the application can handle.
Performance testing - Comparing the system's performance to that of other equivalent systems using well-defined benchmarks.
Final acceptance testing - QAT plus UAT, as described above.

QAT focuses on the documented specifications and the technology employed. It verifies that the application works as documented by testing the logical design and the technology itself, and ensures that the application meets the documented technical specifications and deliverables. QAT is performed primarily by the IS department; end-user participation is minimal and on request. QAT does not focus on functionality testing.

UAT supports the process of ensuring that the system is production ready and satisfies all documented requirements. The methods include: definition of test strategies and procedures; design of test cases and scenarios; execution of the tests; and use of the results to verify system readiness. Acceptance criteria are defined criteria that a deliverable must meet to satisfy the predefined needs of the user. A UAT plan must be documented for the final test of the completed system. The tests are written from a user's perspective and should exercise the system in a manner as close to production as possible.

The following were incorrect answers: the other options incorrectly describe the difference between QAT and UAT.
Reference: CISA Review Manual 2014, page 166
Question 805
Why does an IS auditor review an organization chart?
Correct Answer: C
Section: Protection of Information Assets
Explanation: The primary reason an IS auditor reviews an organization chart is to better understand the responsibilities and authority of individuals.