Which of the following would be of GREATEST concern to an IS auditor evaluating governance over open source development components?
Correct Answer: A
CISA Exam Question 2
An IS auditor is reviewing access to an application to determine whether the 10 most recent "new user" forms were correctly authorized. This is an example of:
Correct Answer: C
Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized. Variable sampling is used to estimate numerical values, such as dollar values. Substantive testing substantiates the integrity of actual processing, such as balances on financial statements. The development of substantive tests is often dependent on the outcome of compliance tests. If compliance tests indicate that there are adequate internal controls, then substantive tests can be minimized. Stop-or-go sampling allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed.
CISA Exam Question 3
Which of the following should an IS auditor recommend to BEST enforce alignment of an IT project portfolio with strategic organizational priorities?
Correct Answer: C
Section: Protection of Information Assets
Explanation: Prioritization of projects on the basis of their expected benefit(s) to the business, and the related risks, is the best measure for achieving alignment of the project portfolio with an organization's strategic priorities. Modifying the yearly process of project portfolio definition might improve the situation, but only if the portfolio definition process is currently not tied to the definition of corporate strategies; however, this is unlikely, since the difficulty lies in maintaining the alignment, not in setting it up initially. Measures such as a balanced scorecard (BSC) and key performance indicators (KPIs) are helpful, but they do not guarantee that projects are aligned with business strategy.
CISA Exam Question 4
Which of the following statements correctly describes the difference between SSL and S/HTTP?
Correct Answer: B
Section: Protection of Information Assets
Explanation: For your exam you should know the following information about the S/HTTP and SSL protocols:
Secure Hypertext Transfer Protocol (S/HTTP) - As an application layer protocol, S/HTTP transmits individual messages or pages securely between a web client and server by establishing an SSL-type connection. Using the https:// designation in the URL, instead of the standard http://, directs the message to a secure port number rather than the default web port address. This protocol utilizes SSL security features but does so as a message-oriented rather than a session-oriented protocol.
Secure Socket Layer (SSL) and Transport Layer Security (TLS) - These are cryptographic protocols which provide secure communication on the Internet. There are only slight differences between SSL 3.0 and TLS 1.0; as a general concept both are called SSL. SSL is a session-connection layer protocol widely used on the Internet for communication between browsers and web servers, where any amount of data is securely transmitted while a session is established. SSL provides end point authentication and communication privacy over the Internet using cryptography. In typical use, only the server is authenticated while the client remains unauthenticated. Mutual authentication requires PKI deployment to clients. The protocol allows applications to communicate in a way designed to prevent eavesdropping, tampering and message forging. SSL involves a number of basic phases: peer negotiation for algorithm support; public-key, encryption-based key exchange and certificate-based authentication; and symmetric cipher-based traffic encryption. SSL runs on a layer beneath application protocols such as HTTP, SMTP and Network News Transport Protocol (NNTP) and above the TCP transport protocol, which forms part of the TCP/IP suite. SSL uses hybrid hashed, private and public key cryptographic processes to secure transmission over the Internet through a PKI.
The SSL handshake protocol is based on the application layer but provides for the security of the communication session too. It negotiates the security parameters for each communication session. Multiple sessions can belong to one SSL session, and a participant in one session can take part in multiple simultaneous sessions.
The following were incorrect answers: The other choices presented in the options are not valid, as SSL works at the transport layer whereas S/HTTP works at the application layer of the OSI model.
Reference: CISA review manual 2014, page 352
CISA Exam Question 5
An IS auditor is evaluating an organization's IT strategy and plans. Which of the following would be of GREATEST concern?