Stress testing is designed to evaluate a system's performance under extreme conditions1. It is typically carried out in a test environment that closely mirrors the production environment, using production workloads1. This approach ensures that the test results accurately reflect how the system would perform under similar conditions in the production environment1. Using a test environment also prevents any disruptions or damage to the production environment during testing1.
References:
* Stress Testing Best Practices: A Seven Steps Model

The auditor's best action is to re-perform the audit before changing the conclusion, because the auditor needs to obtain sufficient and appropriate evidence to support the audit opinion. The evidence provided by IT management may not be reliable or relevant, and it may not reflect the actual effectiveness of the control during the audit period. Therefore, the auditor should verify the evidence independently and test the control again to ensure that it meets the audit criteria and objectives. The other options are not appropriate, because they either ignore or accept the evidence provided by IT management without verification, which may compromise the quality and integrity of the audit. References:
* ISACA, CISA Review Manual, 27th Edition, chapter 1, section 1.51
* ISACA, IT Audit and Assurance Standards, Guidelines and Tools and Techniques for IS Audit and Assurance Professionals, section 12062

A black box penetration test is a type of security assessment that simulates an attack on a system or network without any prior knowledge of its configuration or architecture. The main objective of this test is to identify vulnerabilities and weaknesses that can be exploited by external or internal threat actors. To plan a black box penetration test, it is most important to ensure that the environment and penetration test scope have been determined. This means that the tester and the client organization have agreed on the boundaries, objectives, methods, and deliverables of the test, as well as the legal and ethical aspects of the engagement. Without a clear definition of the environment and scope, the test may not be effective, efficient, or compliant with relevant standards and regulations. Additionally, the tester may cause unintended damage or disruption to the client's systems or networks, or violate their privacy or security policies.
References:
* What are black box, grey box, and white box penetration testing?
* What Is Black-Box Penetration Testing and Why ShouldYou Choose It?

The most important thing for an IS auditor to examine when reviewing an organization's privacy policy is its legitimate purpose for collecting personal data. A legitimate purpose is a clear and specific reason for collecting personal data that is necessary for the organization's business operations or legal obligations, and that respects the rights and interests of the data subjects. A legitimate purpose is the basis for establishing a lawful and fair processing of personal data, and it should be communicated to the data subjects in the privacy policy. The other options are not as important as the legitimate purpose in reviewing the privacy policy.
Explicit permission from regulators to collect personal data is not always required, as there may be other lawful bases for data collection, such as consent, contract, or public interest. Sharing of personal information with third-party service providers is not prohibited, as long as there are adequate safeguards and agreements in place to protect the data. The encryption mechanism selected by the organization for protecting personal data is a technical control that can enhance data security, but it does not determine the legality or fairness of data collection. References: CISA Review Manual (Digital Version), Chapter 5, Section 5.3.2

Function point analysis (FPA) is the best methodology to use for estimating the complexity of developing a large business application. FPA is a technique that measures the functionality of a software system based on the user requirements and the business processes that the system supports. FPA assigns a numerical value to each function or feature of the system, based on its type, complexity, and relative size. The total number of function points represents the size and complexity of the system, which can be used to estimate the development effort, cost, and time.
FPA has several advantages over other estimation methods, such as:
It is independent of the technology, programming language, or development methodology used for the system. Therefore, it can be applied consistently across different platforms and environments.
It is based on the user perspective and the business value of the system, rather than the technical details or implementation aspects. Therefore, it can be performed early in the project life cycle, before the design or coding phases.
It is objective and standardized, as it follows a set of rules and guidelines defined by the International Function Point Users Group (IFPUG). Therefore, it can reduce ambiguity and improve accuracy and reliability of the estimates.
It is adaptable and scalable, as it can handle changes in the user requirements or the system scope. Therefore, it can support agile and iterative development approaches.
References:
1: Function Point Analysis - Introduction and Fundamentals
2: Software Engineering | Functional Point (FP) Analysis