Before making any recommendations, an IS auditor needs to understand the project and the factors that have contributed to making the project over budget and over schedule. The organization may have effective project management practices and sound IT governance and still be behind schedule or over

budget. There is no indication that the project manager should be changed without looking into the reasons for the overrun.

To retain a competitive advantage and meet basic business requirements, organizations must ensure that the integrity of the information stored on their computer systems preserve the confidentiality of sensitive

data and ensure the continued availability of their information systems. To meet these goals, logical access controls must be in place. Awareness (choice A) itself does not protect against unauthorized access or

disclosure of information. Knowledge of an information systems security policy (choice B), which should be known by the organization's employees, would help to protect information, but would not prevent the unauthorized access of information. A security committee (choice C) is key to the protection of information

assets, but would address security issues within a broader perspective

Earned value analysis (EVA) is an industry standard method for measuring a project's progress at any

given point in time, forecasting its completion date and final cost, and analyzing variances in the schedule

and budget as the project proceeds. It compares the planned amount of work with what has actually been

completed, to determine if the cost, schedule and work accomplished are progressing in accordance with

the plan. EVA works most effectively if a well-formed work breakdown structure exists. Function point

analysis (FPA) is an indirect measure of software size and complexity and, therefore, does not address the

elements of time and budget. Cost budgets do not address time. PERT aids in time and deliverables

management, but lacks projections for estimates at completion (EACs) and overall financial management

During the data conversion stage of a project, the data owner is primarily responsible for reviewing and

signing-off that the data are migrated completely, accurately and are valid. An IS auditor is not responsible for reviewing and signing-off on the accuracy of the converted datA. However, an IS auditor should ensure that there is a review and sign-off by the data owner during the data conversion stage of the project. A database administrator's primary responsibility is to maintain the integrity of the database and make the database available to users. A database administrator is not responsible for reviewing migrated datA. A project manager provides day-to-day management and leadership of the project, but is not responsible for the accuracy and integrity of the data

Production programs are used for processing an enterprise's datA. It is imperative that controls on changes

to production programs are stringent. Lack of control in this area could result in application programs being modified to manipulate the data.Application programmers are required to implement changes to test programs. These are used only in development and do not directly impact the live processing of data. The implementation of changes to batch schedules by operations support staff will affect the scheduling of the batches only

A checksum calculated on an amount field and included in the EDI communication can be used to identify unauthorized modifications. Authenticity and authorization cannot be established by a checksum alone and need other controls. Nonrepudiation can beensured by using digital signatures