CISA-JPN Exam Question 311
An IS auditor is concerned that unauthorized access to a highly sensitive data center could be gained through piggybacking or tailgating. Which of the following is the MOST appropriate recommendation? (Select the correct answer from the official CISA Certified Information Systems Auditor book and provide an explanation.)
Correct answer: C
The best recommendation to prevent unauthorized access to a highly sensitive data center by piggybacking or tailgating is to use an airlock entrance. An airlock entrance is a type of access control system that consists of two doors that are interlocked, so that only one door can be opened at a time. This prevents an unauthorized person from following an authorized person into the data center without being detected. An airlock entrance can also be integrated with other security measures, such as biometrics, card readers, or PIN pads, to verify the identity and authorization of each person entering the data center.
Biometrics (option A) is a method of verifying the identity of a person based on their physical or behavioral characteristics, such as fingerprints, iris scans, or voice recognition. Biometrics can provide a high level of security, but they are not sufficient to prevent piggybacking or tailgating, as an unauthorized person can still follow an authorized person who has been authenticated by the biometric system.
Procedures for escorting visitors (option B) are a policy requiring all visitors to the data center to be accompanied by an authorized employee at all times. This can help prevent unauthorized access by visitors, but it does not address the risk of piggybacking or tailgating by other employees or contractors who may have legitimate access to the building but not to the data center.
Intruder alarms (option D) are devices that detect and alert when an unauthorized person enters a restricted area. Intruder alarms can provide a deterrent and a response mechanism for unauthorized access, but they are not effective in preventing piggybacking or tailgating, as they rely on the detection of the intruder after they have already entered the data center.
References:
* CISA Certification | Certified Information Systems Auditor | ISACA
* CISA Certified Information Systems Auditor Study Guide, 4th Edition
* CISA - Certified Information Systems Auditor Study Guide [Book]
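As an added illustration (not from the ISACA material or from the original page), the interlock and single-occupancy logic of an airlock entrance modelled as a small Python controller. It enforces the two properties the answer relies on: only one of the two doors may be open at a time, and the inner door opens only for an authorized credential when the chamber sensor reports exactly one person. The credential `badge-0001`, the sensor readings and the event strings are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set


class Door(Enum):
    OUTER = "outer"   # door from the corridor into the airlock chamber
    INNER = "inner"   # door from the chamber into the data center


@dataclass
class AirlockController:
    """Controller for a two-door airlock (interlocked vestibule).

    Three rules are enforced:
      1. Interlock: a door may open only while the other door is closed.
      2. Single occupancy: the inner door opens only when the chamber
         occupancy sensor reports exactly one person (anti-tailgating).
      3. Identity: the inner door also requires an authorized credential.
    """
    authorized: Set[str]                               # credentials allowed into the data center
    open_door: Optional[Door] = None                   # which door is currently open, if any
    occupancy: int = 0                                 # latest chamber sensor reading
    events: List[str] = field(default_factory=list)    # audit trail of decisions

    def request_open(self, door: Door, credential: Optional[str] = None) -> bool:
        # Rule 1: the other door must be closed before this one may open.
        if self.open_door is not None and self.open_door is not door:
            self.events.append(f"DENY {door.value}: {self.open_door.value} door is open")
            return False
        if door is Door.INNER:
            # Rule 3: verify the person in the chamber before admitting them.
            if credential not in self.authorized:
                self.events.append(f"DENY inner: credential {credential!r} not authorized")
                return False
            # Rule 2: exactly one person may be in the chamber.
            if self.occupancy != 1:
                self.events.append(f"ALERT tailgating suspected: occupancy={self.occupancy}")
                return False
        self.open_door = door
        self.events.append(f"OPEN {door.value}")
        return True

    def close(self, door: Door) -> None:
        if self.open_door is door:
            self.open_door = None
            self.events.append(f"CLOSE {door.value}")

    def sensor_update(self, count: int) -> None:
        """Reading from the chamber occupancy sensor (e.g. a weight mat); constructed values."""
        self.occupancy = count


def normal_entry() -> List[str]:
    """One authorized person passes through; the interlock rejects an early inner-door request."""
    ctrl = AirlockController(authorized={"badge-0001"})   # constructed sample credential
    ctrl.request_open(Door.OUTER)                          # person steps into the chamber
    ctrl.sensor_update(1)                                  # sensor sees one person
    ctrl.request_open(Door.INNER, "badge-0001")            # denied: outer door still open
    ctrl.close(Door.OUTER)
    ctrl.request_open(Door.INNER, "badge-0001")            # granted: one person, valid badge
    ctrl.close(Door.INNER)
    ctrl.sensor_update(0)
    return ctrl.events


def tailgating_attempt() -> List[str]:
    """Two people enter the chamber behind one badge; the inner door stays shut and an alert is logged."""
    ctrl = AirlockController(authorized={"badge-0001"})
    ctrl.request_open(Door.OUTER)
    ctrl.sensor_update(2)                                  # sensor sees two people
    ctrl.close(Door.OUTER)
    ctrl.request_open(Door.INNER, "badge-0001")            # denied, alert raised
    return ctrl.events


if __name__ == "__main__":
    for line in normal_entry() + tailgating_attempt():
        print(line)
```

The occupancy check is what turns an interlocked door pair into an anti-tailgating control: without it, the two doors only guarantee that the corridor and the data center are never simultaneously open, which is the part biometrics, escort policies or alarms on their own cannot provide either.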
CISA-JPN Exam Question 312
Which of the following would provide a new IS auditor with the MOST useful information for evaluating overall IT performance?
Correct answer: C
An IT balanced scorecard (BSC) is a performance metric that is used to identify, improve, and control the various functions and outcomes of an IT department or organization. An IT BSC is based on the concept of the balanced scorecard, which was introduced by Robert Kaplan and David Norton in 1992 as a strategic management system that translates the vision and strategy of an organization into measurable objectives and actions. An IT BSC adapts the balanced scorecard framework to the specific needs and goals of the IT function, aligning it with the business strategy and value proposition.
An IT BSC typically consists of four perspectives that help managers plan, implement, and evaluate the IT performance: customer, internal process, learning and growth, and financial. Each perspective defines a set of objectives, measures, targets, and initiatives that reflect the IT contribution to the organization's success. For example, the customer perspective may measure the satisfaction and retention of internal and external customers who use IT services or products; the internal process perspective may measure the efficiency and effectiveness of IT processes such as development, delivery, support, or security; the learning and growth perspective may measure the skills, knowledge, innovation, and culture of the IT staff; and the financial perspective may measure the costs, benefits, and return on investment of IT projects or assets.
An IT BSC provides a new IS auditor with the most useful information to evaluate overall IT performance because it:
* Provides a comprehensive and balanced view of the IT function from multiple angles and stakeholders
* Links the IT objectives and activities to the business strategy and value creation
* Enables a clear communication and alignment of expectations and priorities among IT managers, staff, customers, and other stakeholders
* Facilitates a continuous monitoring and improvement of IT performance based on data-driven feedback and analysis
* Supports a holistic and integrated approach to IT governance, risk management, and compliance
Therefore, an IT BSC is a valuable tool for a new IS auditor to assess how well the IT function is fulfilling its mission and delivering value to the organization.
References:
* The IT Balanced Scorecard (BSC) Explained - BMC Software
* What Is a Balanced Scorecard (BSC), How Is it Used in Business?
* Lost in the Woods: COBIT 2019 and the IT Balanced Scorecard - ISACA
CISA-JPN Exam Question 313
The primary objective of a control self-assessment (CSA) is to:
Correct answer: A
The primary objective of a control self-assessment (CSA) is to educate functional areas on risks and controls. CSA is a technique that allows managers and work teams directly involved in business units, functions or processes to participate in assessing the organization's risk management and control processes [1]. CSA can help functional areas to obtain a clear and shared understanding of their major activities and objectives, to foster an improved awareness of risk and controls among management and staff, to enhance responsibility and accountability for risks and controls, and to highlight best practices and opportunities to improve business performance [2].
The other options are not the primary objective of a CSA. Ensuring appropriate access controls are implemented is a specific type of control that may be assessed by a CSA, but it is not the main goal of the technique. Eliminating the audit risk by leveraging management's analysis is not a realistic or desirable outcome of a CSA, as audit risk can never be completely eliminated, and management's analysis may not be sufficient or reliable without independent verification. Gaining assurance for business functions that cannot be audited is not a valid reason for conducting a CSA, as all business functions should be subject to audit, and a CSA is not a substitute for an audit.
References:
1. Control Self Assessments - PwC
2. Control self-assessment - Wikipedia
3. Control Self Assessment - AuditNet
CISA-JPN Exam Question 314
Which of the following would BEST enable alignment of IT with business objectives?
Correct answer: D
Leveraging an IT governance framework is the best way to enable alignment of IT with business objectives, as it provides a set of principles, standards, processes, and practices that guide the effective delivery of IT services that support the organization's strategy and goals. Benchmarking against peer organizations, developing key performance indicators (KPIs), and completing an IT risk assessment are useful activities that can help measure and improve the performance and value of IT, but they are not sufficient to ensure alignment without a governance framework.
References: CISA Review Manual (Digital Version), Chapter 1: Information Systems Auditing Process, Section 1.2: IT Governance
CISA-JPN Exam Question 315
Which of the following controls would help ensure that data extraction queries executed by a database administrator (DBA) are monitored?
Correct answer: C
