
Project Report of DISA 2.0 Course

CERTIFICATE

This is to certify that we have successfully completed the DISA 2.0 course training conducted
at: Hotel Golden Tulip, C-5, Sector 18, Vasundhara, Ghaziabad from 05 Oct, 2019 to 10 Nov,
2019 and we have the required attendance. We are submitting the Project titled: Migrating to
Cloud Based ERP Solutions.

We hereby confirm that we have adhered to the guidelines issued by CIT, ICAI for the project.
We also certify that this project report is the original work of our group and each one of us has
actively participated and contributed in preparing this project. We have not shared the project
details or taken help in preparing the project report from anyone except members of our group.

1. Name: Palak Gupta DISA No: 431078 Signed…………………….…………

2. Name: Mukesh Rajak DISA No: 542880 Signed…………………….…………

3. Name: Kapil Gupta DISA No: 545383 Signed…………………….…………

Place: Ghaziabad
Date:

Table of Contents

Details of Case Study/Project(Problem)

Project Report (Solution)

1. Introduction

2. Auditee Environment

3. Background

4. Situation

5. Terms and Scope of assignment

6. Logistic arrangements required

7. Methodology and Strategy adapted for execution of assignment

8. Documents reviewed

9. References

10. Deliverables

11. Format of Report/Findings and Recommendations

12. Summary/Conclusion

Project Report

Title: Migrating to Cloud based ERP Solution

A. Details of Case Study/Project (Problem)

ABC Automobile Ltd. (Auditee) makes luxury buses in south India. It is well equipped with total
infrastructure, has kept pace with changing technology and produces high-quality buses. They
are currently using a stand-alone accounting and inventory package which has limited
functionality. They have aggressive business growth plans and found that the current
software solution cannot meet their future requirements.

ABC Automobiles have decided to migrate to ‘Wilson’s On Cloud Solution (WOCS) - Standard
Version’, a robust full suite of ERP developed using Wilson Virtual Works, a state-of-the-art
software engineering and delivery platform. WOCS is expected to enable ABC to reap the
benefits of a solution with “built-in best practices” together with a highly “flexible framework”
to ensure solution alignment to the “dynamic business requirements” of ABC.

The WOCS solution has standard product features which cannot be modified except based on the
methodology followed by Wilson, and the customer has to use the existing product without any
changes. As a part of the Software as a Service (SaaS) development model, WOCS will not make
any changes in the data entry screens/processes as per individual customers' needs.

B. Project Report (solution)

1. Introduction

The Auditee is engaged in the business of making luxury buses in South India. The company
has more than 300 employees spread across the head office, which is in Chennai, and 4 branch
offices, which are in Coimbatore, Mysore, Bangalore and Cochin. The Finance and accounts
department has more than 40 employees. The auditee is a public limited company founded by
its Chairman Mr. R. Venkateshwar, who is an M.B.A. from a very reputed institution. A visionary
man, he has taken this company to great success. The company has aggressive growth plans
and wants to expand its operations across India, but the current software packages are
stand-alone and non-integrated, and extensive documentation is maintained. The company is
now largely managed by its M.D. Mr. T. Venkateshwar, who is also the son of Mr. R.
Venkateshwar, a B.Tech. and M.B.A. from one of the finest and superior institutes of the world.

The Auditee is currently using an ERP package which includes stand-alone accounting and
inventory packages with limited functionalities, which is not sufficient in view of the
company’s expansion plans.

Technology is changing and developing faster than ever before, and every day people are faced
with new tools and services in their daily life. Cloud ERP is an approach to enterprise resource
planning (ERP) that makes use of cloud computing platforms and services to provide a business
with more flexible business process transformation. Cloud based ERP benefits customers by
providing application scalability and reduced hardware costs.

So the company has decided to migrate to ‘Wilson’s On Cloud Solution (WOCS) - Standard
Version’, a robust full suite of ERP developed using Wilson Virtual Works, a state-of-the-art
software engineering and delivery platform. WOCS is expected to enable ABC to reap the
benefits of a solution with “built-in best practices” together with a highly “flexible framework” to
ensure solution alignment to “Dynamic Business Requirements” of ABC.

However, the constraint is that most of the staff are not computer savvy and have limited
knowledge of using computers. For this, the young MD of the company who has taken charge is
confident of training employees and implementing the proposed ERP solution. Further, the cost
consideration based on model implementation of 10 user license shows cost benefit analysis
and justification for the investment. The vendor is expected to provide one week of training to
employees so that they can configure and implement the solution as per their specific business
processes.

The business policies and procedures to be followed are divided into 4 sections:

a) Foundation Discipline: - It discusses the ERP database and the procedures required to
support the maintenance and updating activity with respect to key data elements such as
inventory, bill of material structures, routings and open orders.

b) Modules of ERP: - It documents those policies and procedures which are required to
operate an ERP system on an on-going basis. It documents the functions with respect to
sales forecasting, material requirements planning, purchasing etc., including the
measurements which will be put in place to ensure successful Class ‘A’ ERP
operations.

c) ERP Project: - It discusses the policies and procedures which are required during the
implementation phase with respect to areas such as education, documentation and the
project control plan.

d) Responsibility Index: - It will cross-reference all of the policies and procedures to the
respective departments that would need to use some or all of those procedures in their
daily operations. These departments would include such areas as finance, material
management and the ERP project team.

Although each document is referred to as a procedure, the documents truly represent a
combination of policies, procedures and documentation. This policy and procedure manual is a
part of the total documentation for this cloud based ERP system.

In the above scenario, we, M/S SRN & Associates, Chartered Accountants, have been
appointed to perform risk assessment of the deployment solution, to provide assurance on the
reliability and practical implementation of the solution, and to perform cost benefit analysis of
the solution.

We at SRN have expertise in performing IS Audits. We are in total a firm of 10 partners, of whom
more than five partners are DISA qualified and 3 partners are CISA. We have experience of
around 10 years in conducting IS Audits and around 3 years in assisting in reviewing cloud
ERP systems for various clients.

This particular assignment shall be carried out by one of our senior partners, CA DK Khandelwal
(FCA, CISA, DISA), along with our other partner CA KK Jain (ACA) and 5 article assistants.

2. Auditee Environment

The Auditee, as specified above, deals in making luxury buses for its customers in South India
and is a limited company headed by its M.D. Mr. T. Venkateshwar. The auditee presently has a
stand-alone accounting and inventory package ERP for its head office and its 4 branches, which
is not sufficient in view of the business’s growth plans.

The Finance and accounts department has more than 40 employees and current software
packages are stand-alone, non-integrated and there is extensive documentation maintained.
They have aggressive business growth plans and found that the current software solution
cannot meet their future business requirements.

ABC Automobiles have decided to migrate to 'Wilson's On Cloud Solution (WOCS) - Standard
Version', a robust full suite of ERP developed using Wilson Virtual Works, a state-of-the-art
software engineering and delivery platform. WOCS is expected to enable ABC to reap the
benefits of a solution with "built-in best practices" together with a highly "flexible framework" to
ensure solution alignment to "Dynamic Business Requirements" of ABC. The WOCS solution
has standard product features which cannot be modified except based on the methodology
followed by Wilson, and the customer has to use the existing product without any changes. As
a part of the Software as a Service (SaaS) development model, WOCS will not make any
changes to the data entry screens/processes as per individual customer needs.

Wilson Solutions provides a single version of the product at any point of time. All product
feature upgrades and updates shall be made available as a part of the standard offering.
Basically the requirements are market driven and will be prioritized based on various criteria like
statutory needs, best business practice, key business process etc. As a practice,
upgrades are provided once a month. The scope of the project includes implementation of
Wilson ERP on Cloud - Standard Version for Legal Entities of ABC for the below modules
within the available product features of Wilson ERP on Cloud - Standard Version. The modules
included in the scope are:

Sales & Shipping Management

Accounts Receivable Management

Purchase Management

Accounts Payable Management

Financial Accounting Management

Accounting Management

Information System

Fixed Asset Management

Inventory Management

Service Management

Sales Opportunities Management

Discrete Production

Maintenance Management

HR & Payroll

The following security policies are present in the deployed technology:

Physical security

Even a cloud application and data must be located somewhere. The physical surroundings
of the software and data are an important component of a business continuity plan as well as a
software security plan. A physical security breach means that somebody with
malicious intent has physical access to the hardware where either your application is running or
where your data is stored.

If other forms of security are in place, a physical security breach will not result in loss of data.
However, if the intruder's intent is to disrupt your service, then a lapse in physical security will be
a problem. Part of your business continuity plan should include a solid physical security plan.
When applications and data run in an external cloud, the physical environment is located
off-premise. In most cases physical security in a tier 1 datacenter is many times better than that in
an office building or an internally run server room. All building access is logged, cameras are in
place, and cleaning people are not generally milling about after hours. State-of-the-art
authentication technologies (fingerprint, ID badge, retina scans) are often implemented. SaaS
applications are run by administrators who are employed by the software vendor or cloud
provider and not the company who purchased the ERP software. The quality and reliability of
administrators depends more on the resources and focus than the employer.

Transmission Security

When data is communicated between the user, the server, and the database, there is a chance
that transmissions can be intercepted. An easy way to prevent this involves encrypting all
communications between source and destination. However, encryption comes at a cost to
performance. If you spend too many processing cycles encrypting and decrypting data, you will
have to purchase more expensive hardware or endure delays.

There are several types of security algorithms that are used to protect communications. The
underlying idea is that sensitive or private data is scrambled using an encryption key and a data
encryption algorithm. The data cannot be read or deciphered without the decryption key. The
decryption key can be the same as (symmetric) or different from (asymmetric) the encryption key.
Once scrambled, the data is sent to its destination. If intercepted, the data can only be
reconstructed by using an algorithm that tries to guess the decryption key, a process that
takes many years using powerful computers. When the scrambled data arrives at its destination,
the receiving party knows the proper decryption key by querying a key master or certificate
authority. Several common algorithms include RSA, Secure Socket Layer (SSL), Data Encryption
Standard (DES), and Triple DES. An explanation of these algorithms is beyond the scope of this
post but is well documented elsewhere.

Applications running in an external cloud require passing data between the cloud and the user
location. Frequently this occurs over the Internet and over wireless networks. Furthermore, client
machines are mobile (access from anywhere being a big advantage of the cloud) so processing
power and bandwidth may be at a premium. Web-based systems utilize a browser on the client
device and take advantage of SSL encryption to protect all communications with the server.
The SSL algorithm is supported by all major browsers and encapsulates application-specific
protocols like HTTP to form HTTPS so no one can hijack a session or read the data. SSL requires
negligible computing overhead and is acceptable security for banking, health care, and other
sensitive industries.

Some folks ask about SOAP and how that differs from HTTPS. HTTPS helps you communicate
between browsers and servers, but SOAP provides secure communications between
applications. SOAP encapsulates additional data in the form of XML so cloud applications can
communicate more efficiently than if they were required to send a series of HTTP requests.

Storage security

When ERP data is accessed by users, business logic restricts access to users with
the proper credentials (see section on application security). But suppose a network administrator
has access directly to data in the database. In this case, the data could be viewed without going
through the business logic.

To protect against this vulnerability, sensitive data should be encrypted when it rests in the
database or in a file system. This prevents direct access and ensures that all data is only
accessed via the application logic. The application knows how to decrypt the data, so a
legitimate user will not be impacted.

As with transmission security, the encryption and decryption processes create processing
overhead, so non-sensitive data should be stored in the clear to minimize costs. Additionally,
make sure that any required data indexing is not broken in the encryption process.

In cloud systems, data is stored in a remote location on servers maintained by a cloud provider.
The cloud provider should have procedures in place to ensure that there is no direct snooping
into client data. But somebody has to be responsible for database administration, and usually
this person is not employed by the client. The ability to pick and choose fields to encrypt on the
database is important to provide protection without adversely impacting performance.

Access Security

Access (or perimeter) security is important for preventing unwanted users from grabbing
resources and sending unauthorized queries to your servers. Usually this is accomplished
through the use of firewalls that prevent unwanted traffic from communicating with your business
applications. Lack of access security could impact your application availability (in the case of a
denial of service attack) and provide hackers with a way in, making it easier to steal resources or
passwords.

There are many types of firewalls: network level firewalls (fast inspection of IP, port, and
service in the packet headers), circuit level firewalls (monitor sessions between computers),
application level firewalls (inspect data content to protect against viruses and intruders), network
address translation devices (NAT, which assigns private IP addresses that cannot be reached from
outside the network), and proxy servers (application level firewall that mediates transactions
between computers).

Network and circuit level firewalls can be implemented in an appliance or as software.
Application level firewalls are most frequently implemented as software to allow for specific
configuration requirements.

Additional details of perimeter security devices are well documented elsewhere.

Cloud systems should be protected by perimeter security just as you would protect any
on-premise application. Verify that your cloud provider has firewall protection in place to prevent
intruders and denial of service attacks. A multi-tenant cloud application is slightly different
because by definition, multiple users are accessing the same application code and the same
resources. In this case, processes must be in place to ensure that bad things do not happen to
customer A if customer B's application is compromised.

Data security

Data security limits access to data objects to specific individuals. Different levels of data security
include read-only, edit, insert, and delete. Data security can be set at the application or object
level.

Data security for ERP systems may be enforced through business logic or at the database layer.
In most cases the business logic authenticates users and provides them with specific rights to
data objects. This means that authenticated users gain access to objects based on specific
capabilities assigned by the system. For example, a sales person may have read-only access to
product information so he cannot change the pricing/margins/commissions associated with the
product. A sales person may have access to customer records that he manages, but not have
access to customers managed by others. To simplify management, systems offer role-based
security so administrators can assign broad security policies to specific individuals. Accounting,
marketing, sales, shipping, and management roles can be established and assigned to individual
employees. Employees that perform more than one role can receive multiple policies. By
assigning roles, administrators can change security for many people at once without the
responsibility of changing individual records.

Most data security is limited to data access. Once a user gains access to specific information,
screens, or reports, the information can be downloaded and shared with others. Digital rights
management goes one step farther by "wrapping" data objects with rights that follow the object
no matter where it goes. In this case, users can forward the encrypted data, but that data
cannot be viewed or changed unless the recipient can be verified.

Data security in cloud applications is similar to traditional applications. Once individuals gain
access to the system, the business logic controls the specific capabilities that individual users
can perform on different objects. In some types of multi-tenant SaaS applications, database
level security may be utilized as an additional measure to separate data objects from different
companies.
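
The role-based model described in this section, written out as an added example (it is not part of the original report or of the WOCS product). Role names, permissions, user names and tenant ids are constructed assumptions based on the section's own cases: read-only product access for sales, ownership-scoped customer records, multiple roles per employee, and tenant separation in a multi-tenant SaaS.

```python
from dataclasses import dataclass
from typing import Optional

# Role -> {object kind -> allowed actions}. Hypothetical policy for illustration.
ROLE_POLICY = {
    "sales": {"product": {"read"}, "customer": {"read", "edit"}},
    "accounting": {"customer": {"read"}, "invoice": {"read", "edit", "insert"}},
    "management": {"product": {"read", "edit"}, "customer": {"read"}},
}

# (role, object kind) pairs where the role only reaches records the user owns,
# e.g. a sales person sees only the customers he manages.
OWNER_SCOPED = {("sales", "customer")}


@dataclass(frozen=True)
class User:
    name: str
    tenant: str          # company the user belongs to (multi-tenant separation)
    roles: frozenset


@dataclass(frozen=True)
class Record:
    kind: str
    tenant: str
    owner: Optional[str] = None


def check(user, action, record, policy=ROLE_POLICY):
    """Return (allowed, reason); the reason string is what an audit log would keep."""
    # Tenant separation is evaluated before any role, so no role can cross companies.
    if user.tenant != record.tenant:
        return False, "tenant mismatch"
    owner_blocked = False
    # Each role is evaluated on its own; the user's rights are the union of the grants.
    for role in sorted(user.roles):
        if action not in policy.get(role, {}).get(record.kind, ()):
            continue
        if (role, record.kind) in OWNER_SCOPED and record.owner != user.name:
            owner_blocked = True
            continue
        return True, f"granted by role '{role}'"
    if owner_blocked:
        return False, "record owned by another user"
    return False, "no role grants this action"


# Constructed sample users and records.
ASHA = User("asha", "abc", frozenset({"sales"}))
MEENA = User("meena", "abc", frozenset({"sales", "accounting"}))
OUTSIDER = User("sam", "xyz", frozenset({"sales"}))

PRODUCT = Record("product", "abc")
CUST_ASHA = Record("customer", "abc", owner="asha")
CUST_RAVI = Record("customer", "abc", owner="ravi")

if __name__ == "__main__":
    for user, action, rec in [
        (ASHA, "read", PRODUCT), (ASHA, "edit", PRODUCT),
        (ASHA, "read", CUST_RAVI), (MEENA, "read", CUST_RAVI),
        (MEENA, "edit", CUST_RAVI), (OUTSIDER, "read", PRODUCT),
    ]:
        print(user.name, action, rec.kind, rec.owner, "->", check(user, action, rec))
```

Passing a modified `policy` changes the rights of every holder of a role at once, which is the administrative benefit the section attributes to role-based security.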

Application security

Application security encompasses two major areas — the way the application
authenticates and manages users and the way in which application code is managed.

User Authentication

User authentication usually involves username and password to identify legitimate
users. User identity is critical not only for establishing identity, but also to ensure
security of data.

3. Background

The Auditee is currently facing the problem of an ERP which has limited functionalities. The
company has aggressive growth plans and found that the current software solution cannot meet
their future business requirements.

The management has decided to migrate to ‘Wilson’s On Cloud Solution (WOCS) – Standard
Version’, a robust full suite of ERP, a state-of-the-art software engineering and delivery platform.

In this regard the auditee has appointed M/S SRN & Associates to conduct an IS Audit on the
reliability and practical implementation of the new ERP solution. Further, the auditors are required
to perform a risk assessment of the proposed solution and also to provide a specific risk
management strategy to be adopted covering security, performance and business value.

The auditors also have to recommend key controls to be implemented, and a cost and benefit
analysis is also to be done with comparison of Capex and Opex for the current and proposed
solution.

4. Situation

The Auditee is currently using an ERP system which provides stand-alone accounting and
inventory packages which have limited functionalities. The company has aggressive growth plans
for which the current software solution is not enough. The company’s finance and accounts
department has more than 40 employees, and the current software packages are stand-alone and
non-integrated and extensive documentation is maintained. So it has been decided by the
management to migrate to cloud based ERP.

The proposed Wilson’s solution provides a single version of the product at any point of time. All
product feature upgrades and updates shall be made available as a part of the standard offering.
Basically the requirements are market driven and will be prioritized based on various criteria like
statutory needs, best business practice, key business process etc. There are 14 modules
included in the scope such as sales & shipping management, accounts receivable, purchase,
HR & Payroll, etc.

Moreover, the current staff are not computer savvy and have limited knowledge of using
computers, but the young MD has taken charge of training employees, and the cost consideration
based on model implementation of 10 user license shows cost benefit analysis and justification
for the investment. So seeing these current problems and the benefits of the cloud based
solution, it has been decided by the management to migrate to cloud based ERP. The proposed
solution also provides complete applications which are sold on a subscription model for a
specific period. This model provides the capability to use the provider’s applications running on
cloud infrastructure. The applications are accessible from various client devices through a thin
client interface such as a web browser. This brings in savings to ABC Automobiles as there is no
need to buy licenses for running programs on their own computers. The software solution is
accessible using existing computers.

5. Terms and Scope of assignment

Areas being reviewed are as follows:

Criticality of application being sent to the cloud.
Outsourcer’s experience with SLA and vendor management.
Cloud vendor’s policy on vulnerability management – reporting, commitment to following
up, promptly responding to reports etc.
Information systems audit of all/any aspect of security policy, business continuity, environmental
access, physical access, logical access and application security.
Compliance with enterprise policy, procedures, standards and practices as relevant.
Compliance with regulations as applicable.
Provide management with an assessment of impact by implementation of Wilson's On
Cloud Solution, security policy and procedures and their operating effectiveness.
Identify internal control and regulatory deficiencies that would affect the organisation.
Identify information security control concerns that could affect the reliability, accuracy and
security of enterprise data due to weaknesses in the package solutions offered by the vendor.

The Review will focus on the following risks:

a) The dependency level on the vendor.
b) If the computing services fail, will the users be able to access the programs or data?
c) Can the computing services lose the auditee's data?
d) The risk of increased complexity of compliance with laws and regulations.
e) Whether information can be retrieved without delay when required.
f) In case of disaster, information may not be immediately located.

6. Logistic arrangements required

In order to obtain assurance that the data processed by the system is complete, valid and
accurate and is giving the desired results, computer assisted audit techniques (CAAT) shall be
used.

Computer Assisted Audit Techniques (CAATs) are computer based tools which help us in
carrying out various automated tests to evaluate an IT system or data. These are very useful
where a significant volume of auditee data is available in electronic format. CAATs provide a
greater level of assurance as compared to other techniques, especially manual testing methods.
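
A small CAAT of the kind described above, as an added example that is not part of the original report: it reconciles a legacy ledger export against the migrated cloud ERP export for completeness, validity and accuracy. The column names, the numeric voucher sequence and every sample row are constructed assumptions.

```python
import csv
import io
from datetime import datetime
from decimal import Decimal, InvalidOperation

# Constructed sample extracts (not auditee data).
LEGACY_CSV = """voucher_no,date,account,amount
1001,2019-10-05,Sales,15000.00
1002,2019-10-06,Purchases,-4200.50
1003,2019-10-07,Sales,980.00
1004,2019-10-09,Payroll,-31000.00
1005,2019-10-10,Sales,7600.25
"""

MIGRATED_CSV = """voucher_no,date,account,amount
1001,2019-10-05,Sales,15000.00
1002,2019-10-06,Purchases,-4200.50
1003,2019-10-07,Sales,890.00
1005,2019-10-10,Sales,7600.25
1005,2019-10-10,Sales,7600.25
1006,10/11/2019,,120.00
"""


def load(text):
    """Parse a CSV extract into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def amount(row):
    """Amount as Decimal (exact, no float rounding), or None if unparseable."""
    try:
        return Decimal(row["amount"])
    except InvalidOperation:
        return None


def validate_row(row):
    """Validity tests on one row: ISO date, non-empty account, numeric amount."""
    problems = []
    try:
        datetime.strptime(row["date"], "%Y-%m-%d")
    except ValueError:
        problems.append("bad date")
    if not row["account"].strip():
        problems.append("empty account")
    if amount(row) is None:
        problems.append("bad amount")
    return problems


def control_total(rows):
    """Sum of all parseable amounts, duplicates included, as the system would post them."""
    return sum((a for a in map(amount, rows) if a is not None), Decimal("0"))


def reconcile(source_rows, target_rows):
    """Compare source (legacy) and target (migrated) extracts and list exceptions."""
    src = {r["voucher_no"]: r for r in source_rows}
    tgt, dups = {}, set()
    for r in target_rows:
        key = r["voucher_no"]
        if key in tgt:
            dups.add(key)          # same voucher loaded more than once
        else:
            tgt[key] = r
    nums = sorted(int(k) for k in tgt)  # assumes numeric, consecutive voucher numbers
    gaps = [str(n) for n in range(nums[0], nums[-1] + 1) if str(n) not in tgt] if nums else []
    invalid = {k: validate_row(r) for k, r in tgt.items() if validate_row(r)}
    mismatched = sorted(k for k in src.keys() & tgt.keys() if amount(src[k]) != amount(tgt[k]))
    return {
        "missing_in_target": sorted(src.keys() - tgt.keys()),       # completeness
        "unexpected_in_target": sorted(tgt.keys() - src.keys()),
        "duplicates_in_target": sorted(dups),
        "sequence_gaps_in_target": gaps,
        "invalid_rows": invalid,                                     # validity
        "amount_mismatches": mismatched,                             # accuracy
        "control_totals": (control_total(source_rows), control_total(target_rows)),
    }


if __name__ == "__main__":
    for test, result in reconcile(load(LEGACY_CSV), load(MIGRATED_CSV)).items():
        print(f"{test}: {result}")
```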

Further, boarding and lodging arrangements are required for the audit team to conduct the
desired audit.

7. Methodology and Strategy adapted

A) Assessing the Adoption and its Business Impact: - Once a company achieves go-live with its
enterprise system, it’s important to monitor new process adoption and impact on business
performance. The process of comparing and assessing baseline and post-implementation
performance measures has been carried out. A gap analysis is useful for comparing expected
deliverables versus project results. It’s also important to consider employee transition to the new
system. Our methodology incorporates steps for effective knowledge transfer and overall
support to change management.

B) Considering Satisfaction of Stakeholders: - Querying the stakeholders, including employees,
managers, the IT department, customers and vendors, about their satisfaction with the new
system, and the system’s impact on customers’ and vendors’ interactions with the business.

C) Reviewing Costs versus Benefits: - Once a comprehensive review of the project is
completed, it’s time to analyze actual versus projected costs and benefits. Cost escalation is
one of the most common problems with ERP implementations. We know that many ERP
providers charge additional fees for separate modules and add-ons. It’s one of the primary
reasons cost escalation occurs. With Trek Cloud, your risk of cost escalation is substantially
reduced because the system is all-inclusive: there are no separate modules or add-on features
to buy. We know how intertwined your business processes are, which is why we provide a
comprehensive system to all our customers.

D) Risk Analysis: - Considering the following risks associated with implementation of cloud
based ERP software:-

Dependence upon the third parties wherever third party services are used.

Computing services do fail, leaving users unable to access programs or data.

Computing services can lose customer data.

Increased complexity of compliance with laws and regulations.

The dynamic nature of cloud computing may result in confusion as to where information
actually resides. When information retrieval is required this may create delays.

Due to the dynamic nature of cloud, information may not immediately be located in the
event of a disaster.

After risk analysis, assessing the probability that the risks identified will materialize together with
their likely effect and documenting the risks along with the controls that mitigate these risks.
Inclusion of most likely source of threats- internal as well as external sources- such as hackers,
competitors and alien governments.

E) Audit Objectives: - Review of security areas, such as:

Communications (covering risks such as sniffing and denial-of-service, and
protocols such as encryption technologies and fault tolerance)
Network architecture
Virtual private network
Application delivery
Security awareness
User administration
User and session administration (covering risks such as hijacking, spoofing, loss of
integrity of data)
Physical security
Public key infrastructure
Backup and recovery procedures
Operations (such as incident response and back-office processing)
Technology architecture (such as feasible, expandable to accommodate business needs
and usable)
Security architecture
Security software (such as IDS, firewall and antivirus)
Security administration
Patch deployment
Business contingency planning

F) Work Plan:- It includes the following

Based on the information obtained and the scope and objectives of the
engagement, we shall document the way business security and IS objectives (when
applicable) are affected by the identified risks and controls that mitigate those risks.
In this process we shall evaluate areas of weakness or vulnerabilities that need
strengthening. New controls identified as mitigating the risks considered shall be
included in a work plan for testing purposes.

8. Documents reviewed

User Manuals and Technical Manuals relating to System Software and ERP.
Organization chart outlining the organization hierarchy and job responsibilities
Access to circulars & guidelines issued to employees.
Access to user manuals and documentation relating to ERP Implementation by ABC
Automobiles Ltd.
Any other documentation as identified by us as required for the assignment
Security policy document relating to system.
Audit Findings documents.

9. References

Best practices relating to internationally accepted standards for IS Audit: COBIT
(Control Objectives for Information and Related Technology), issued by the
Information Systems Audit and Control Association, USA, COSO framework etc.
Best practices relating to security policy
Best practices relating to confidentiality policy
CAAT tools
Information Systems Audit and Control Association - IS Auditing Guidelines
Information Systems Audit 2.0 Course – Volume 1 – Module 1 – Chapter 3 – Part 1 – Cloud
and Mobile Computing
Information Systems Audit 2.0 Course – Volume 1 – Module 2 – Chapter 2 – IS Audit in
Phases

10. Deliverables

1. Draft Report including executive summary of the result of the review along with the
findings and recommendations, with risk analysis of findings.

2. Final Report incorporating Management Comment and agreed priority plan of action
based on exposure analysis.

3. Soft or hard Copy of Checklist used for the audit.

4. Soft or hard Copy of Audit Methodology and documentation

11. Format of Report/Findings and Recommendations

Objectives of the Assignment

The primary objective of this Information Systems Audit assignment was to provide
assurance to the management of ABC Limited (ABC) on the availability,
appropriateness and adequacy of controls in the critical operations and transaction processing,
capex and opex through review of the control framework of their in-house package (critical
operations and transaction processing), review of logical access controls of critical operations
and transaction processing, capex and opex, and to conduct an implementation audit of General
Controls at 2 select branches with specific emphasis on implementation of controls.

Proposed Scope of Review/Terms of Reference


Based on understanding of ABC's needs for conducting systems audit the major
questions to be answered in determining which ERP system to select are:
1. What is the return on investment of a cloud environment versus an in-house hosted
solution

2. What is the total cost of ownership for each system under each option (cloud
based if available versus in-house hosted)

3. Will additional hardware be necessary to operate in a cloud environment versus an in-


house hosted one with remote access

4. Is a vertical vendor such as Deltek (oriented towards a specific industry) more


desirable than a more generic vendor such as SAP (works across multiple industries and has a
broad client base in many countries)

5. Can the ERP system manage the level of seats required for functionality

6. Ease of data migration from one system to another (e.g., will data integrity remain
intact, can data be migrated easily or will it require manual efforts)

7. Understanding any unique requirements at a country and site level and


ensuring that these needs can be met by the selected system

8. Which system offers the greatest capability for ABC's needs with the least amount of
customization

9. What is required for implementation and what type of support does the vendor
offer

10. Who will actually be doing the implementation (e.g., does the vendor have its own
in-house implementation team or do they subcontract this out)

11. How flexible is the system and how easily can it be modified to meet changing
business needs

12. Are there any other business processes that can be improved through the
implementation of one ERP system over another

Given this set of issues to be resolved, the recommendations for an ERP system in a
cloud solution or in-house solution are as follows:

1. Hire an experienced system analyst and other appropriate SMEs to aid in the
review of ERP options and the analysis of unique requirements

2. Have each of the four vendors provide a proposal and a demonstration of their
system capabilities

3. Down select to two vendors, provide them with a script that contains all of the
business processes the system must encounter in a day and have them provide a proof of
concept.

Audit Findings/Recommendations:

ABC must perform further research to determine if it should install an on-site ERP application or
if it should look to a cloud-based solution (client-server versus a web-based solution in a public
or private cloud deployment). We will address factors that should be reviewed and addressed as
a part of this determination process and discuss how these might impact the four ERP solutions
being considered: Oracle's PeopleSoft, Deltek's Costpoint, SAP and Infor.

Audit team identified several basic areas to address when considering whether a
cloud solution is reasonable:

1. Is your application a web application?

2. Is your application native .NET/Java?

3. What database type do you use?

4. What kind of management/monitoring tools do you use on your application?

5. What security risks would a cloud deployment reveal?

6. Will you be able to move between cloud providers? Are you locked into a specific
provider after the application is deployed?

7. Are you able to scale dynamically?

Web Application

The question being considered is whether the application in question is a web application. We
have already established that only two of the four software solutions being considered by ABC
are fully web compatible: Deltek's Costpoint and Oracle's PeopleSoft. IBM's WebSphere Cast
Iron Cloud Integration solution (Cast Iron) offers a configuration-based solution for data
migration and application integration of the SAP solution in lieu of requiring the writing of
potentially complex code and it requires no middleware. Cast Iron indicates that it can integrate
with BaaN; however, BaaN no longer truly exists and was integrated into the Infor ERP solution.
It is unclear whether Cast Iron can support Infor as it currently exists, which may mean that a
source would need to be found so that code could be written. Since cloud providers are clearly
offering Costpoint and PeopleSoft on the web with no conversion needs, these applications
are recommended as the two to review further. Although SAP can be converted through Cast
Iron, it will require more effort than Costpoint and PeopleSoft and the convertibility of Infor is
fully in question, so neither application is considered a viable solution for further consideration
and will not be assessed further.

Native .NET/Java

The purpose of this question is to determine whether a cloud provider can support the
technology stack of the software application selected. A technology stack means the layers of
components or services that are used to provide a software solution or application.

PeopleSoft uses PeopleCode, AE, SQR, CI, DMS, HTTP(S)/XML (extensible markup
language), JDK (Java Development Toolkit), .NET/Java, COM or C/C++ to interface with their
components. Oracle has teamed with Amazon Web Service Cloud (EC2) to provide its
PeopleSoft product, so the application can be fully supported.

According to Jakovijevich (Jakovijevich, 2006), "Deltek Costpoint 5 is a scalable Java 2
Enterprise Edition (J2EE)-based platform of 'industrial strength,' capable of supporting even
organizations with over a billion dollars in revenues. The product is standardized for integration
with other technologies, and has the flexibility to support multiple OS platforms, with support for
Web-native HTML, DHTML, JavaScript, or rich client on the UI tier; Microsoft SQL Server or
Oracle as databases; and the Actuate reporting server." Costpoint uses a Microsoft .NET
platform to enable real-time transparent connections via Web Service and XML across multiple
platforms and applications. Deltek has also teamed with AppForge to deliver mobile applications
to mobile and wireless devices including PDAs, smart phones and other industrial devices
without having to be connected to the network, potentially reducing hardware investment by the
company.

In summary, Costpoint and PeopleSoft should be supportable by a cloud provider, so both are
still equal contenders for selection in a cloud-based solution. Costpoint may offer more flexibility
through mobile applications.

Database Type

This question asks us to look at the database type that we are using and determine if it is
supportable by the cloud provider. ABC is already using both Deltek and PeopleSoft applications
in a client-server deployment. Further, we know that the cloud providers such as Amazon (EC2)
and Salesforce.com support these applications in a public cloud environment so we know that
these database types are supportable. The question that would need to be addressed in an
analysis other than this is what a data migration solution would entail for the ABC divisions that
are presently utilizing SAP and Infor applications. In essence a data migration process would
need to be developed to include the following (Database Answers):

1. Choose a data modeling tool with Reverse Engineering Capability

2. Define and create the data dictionary

3. Identify all the required data sources and the "owner" for each source
considering data feeds, legacy systems and operational data stores

4. Define the data items required, in consultation with the users

5. Create the data models for the source data

6. Define the data validation checks (bottom-up) and clean-up business rules for
source data

7. Carry out an audit of the data quality in the major databases, (bottom-up and top-
down)

8. Define the staging area with Mirror Tables to store extract files.

9. Create the business data model for the consolidated database

10. Create the data model for the target ERP database

11. Define the data mapping between source and target data items.

12. Define acceptance tests for data in the integrated database.
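
The validation, staging, mapping and acceptance-test steps of the list above (steps 6, 8, 11 and 12), sketched as an added example that is not part of the original report. The table names, column names, rules and sample rows are constructed for illustration, and an in-memory SQLite database stands in for the source and target systems.

```python
import hashlib
import sqlite3
from decimal import Decimal, InvalidOperation

# Constructed sample extract from a hypothetical legacy ledger (not data from the report).
LEGACY_ROWS = [
    ("INV-001", " acme  motors ", "1200.50", "2019-04-01"),
    ("INV-002", "Bharat Coach", "980.00", "2019-04-03"),
    ("INV-003", "Bharat Coach", "-15.00", "2019-04-05"),  # negative amount
    ("INV-004", "", "410.25", "2019-04-09"),              # missing customer
    ("INV-002", "Bharat Coach", "980.00", "2019-04-03"),  # duplicate key
]

# Step 11: source column -> (target column, clean-up transform). Names are assumptions.
MAPPING = {
    "doc_no": ("invoice_id", str.strip),
    "cust": ("customer_name", lambda v: " ".join(v.split()).title()),
    "amt": ("amount_minor", lambda v: int(Decimal(v) * 100)),  # integer minor units
    "doc_date": ("invoice_date", str.strip),
}
TARGET_COLS = ", ".join(target for target, _ in MAPPING.values())


def validate(row, seen_keys):
    """Step 6: bottom-up validation rules applied to one staged row."""
    errors = []
    if not row["cust"].strip():
        errors.append("missing customer")
    try:
        if Decimal(row["amt"]) < 0:
            errors.append("negative amount")
    except InvalidOperation:
        errors.append("amount not numeric")
    if row["doc_no"].strip() in seen_keys:
        errors.append("duplicate key")
    return errors


def fingerprint(records):
    """SHA-256 over the records in sorted order, so load order does not matter."""
    digest = hashlib.sha256()
    for record in sorted(records):
        digest.update(repr(record).encode())
    return digest.hexdigest()


def migrate(rows):
    """Stage the extract, validate, map and load it; return (connection, expected rows)."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    # Step 8: the staging mirror table keeps the extract exactly as received (all TEXT).
    conn.execute("CREATE TABLE stg_invoice (doc_no TEXT, cust TEXT, amt TEXT, doc_date TEXT)")
    conn.execute(
        "CREATE TABLE erp_invoice (invoice_id TEXT PRIMARY KEY, customer_name TEXT NOT NULL,"
        " amount_minor INTEGER NOT NULL CHECK (amount_minor >= 0), invoice_date TEXT NOT NULL)"
    )
    conn.execute("CREATE TABLE migration_reject (doc_no TEXT, reason TEXT)")
    conn.executemany("INSERT INTO stg_invoice VALUES (?, ?, ?, ?)", rows)

    seen, expected = set(), []
    for row in conn.execute("SELECT * FROM stg_invoice ORDER BY rowid").fetchall():
        errors = validate(row, seen)
        if errors:  # rejected rows are recorded, never silently dropped
            conn.execute("INSERT INTO migration_reject VALUES (?, ?)",
                         (row["doc_no"], "; ".join(errors)))
            continue
        seen.add(row["doc_no"].strip())
        mapped = tuple(transform(row[source]) for source, (_, transform) in MAPPING.items())
        expected.append(mapped)
        # TARGET_COLS comes from the constant MAPPING above, not from input data.
        conn.execute(f"INSERT INTO erp_invoice ({TARGET_COLS}) VALUES (?, ?, ?, ?)", mapped)
    conn.commit()
    return conn, expected


def acceptance_tests(conn, expected):
    """Step 12: reconcile the target against what the mapping should have produced."""
    count = lambda table: conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
    staged, loaded, rejected = (count(t) for t in
                                ("stg_invoice", "erp_invoice", "migration_reject"))
    target = [tuple(r) for r in conn.execute(f"SELECT {TARGET_COLS} FROM erp_invoice")]
    total = conn.execute("SELECT COALESCE(SUM(amount_minor), 0) FROM erp_invoice").fetchone()[0]
    return {
        "loaded": loaded,
        "rejected": rejected,
        "every_row_accounted_for": staged == loaded + rejected,
        "control_total_matches": total == sum(rec[2] for rec in expected),
        "row_fingerprints_match": fingerprint(target) == fingerprint(expected),
    }


if __name__ == "__main__":
    connection, expected_rows = migrate(LEGACY_ROWS)
    print(acceptance_tests(connection, expected_rows))
    for reject in connection.execute("SELECT * FROM migration_reject"):
        print(tuple(reject))
```

Re-running `acceptance_tests` after go-live against the same expected rows also flags any record altered in the target after loading, because both the control total and the fingerprint change.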

Management/Monitoring Tools

This area reviews whether the management tools (e.g., dashboards, status reports) used can be
used on the web or in a cloud-based environment. The management tools currently
used by ABC are those developed in their "Obtuse" product from a PeopleSoft base. We know
that ABC's intent is to migrate from the four ERP applications presently used to a single
application (in this study PeopleSoft or Deltek) and the management tools utilized by either of
these solutions would be adopted. ABC would be more comfortable with the look and feel of the
PeopleSoft tools because Obtuse utilizes similar management tools; however, the Deltek tools
are more relevant to the industry that ABC supports, management consulting. Through the
answers to the previous questions we know that PeopleSoft and Deltek both have
web-compatible as well as cloud-compatible management tools since both are currently being
used in a public cloud environment.

Security Risks

This is a critical area of evaluation and impacts whether a public cloud deployment or a private
one is more appropriate for ABC. Mallya (Mallya, 2006) states that there are two steps to
evaluating the security risks:

1. Review the provider's regulations and trust level

2. Know that security hazards can be created by making the client available from any
PC that is connected to the web

The eUKhost Blog indicates the location of deployment is the prime differentiating factor
between a public or private cloud option. A public cloud hosting solution is one that is offered
over the Internet and the service provider bears the cost and responsibility of managing the
infrastructure and security. Data storage is shared with all of the users of the service. In this type
of a situation, ABC would have to rely upon the security measures the host implemented as
satisfactory. For example, if ABC were to consider using Amazon's EC2 option of cloud support,
Amazon's privacy policy states, "we will implement reasonable and appropriate measures
designed to help you secure Your Content against accidental or unlawful loss, access or
disclosure." This does not tell the consumer much about what exactly Amazon does to protect
the data in their care.

EUKhost Blog states that a Private cloud hosting is created "using software operating on
hardware provided by the customer." In this case, the data is fully managed by the customer, not
by the cloud provider, so all security is that which the customer institutes. Another advantage
that eUKhost Blog identifies with a Private cloud solution is that of greater scalability because of
the ability to expand existing architecture.

In 2010, the Cloud Security Alliance (CSA) issued their report on the top threats to
public cloud computing (CSA, 2010). The report indicates the following:

1. The abuse and nefarious use of cloud computing. This impacts mostly Infrastructure as
a Service (IaaS) and Platform as a Service (PaaS) and exploits their weak registration systems
and limited fraud detection. Botnets have used IaaS for command and control functions as well
as to introduce trojan horses and malicious code. Solutions include stricter initial registration and
validation processes, enhanced fraud monitoring and coordination, comprehensive introspection
of customer network traffic and the monitoring of public blacklists for one's own network blocks.

2. Insecure interface and APIs. The security and availability of general cloud services is
dependent upon the basic APIs used to manage and interact with cloud services and this threat
impacts IaaS, PaaS and Software as a Service (SaaS). This potential weakness can
impact the confidentiality, integrity, availability and accountability of data. Examples include
reusable tokens or passwords and limited monitoring and logging capabilities. Solutions include
analyzing the security model of cloud provider interfaces, ensuring strong authentication and
access controls are used in conjunction with encryption and understanding the dependency
chain associated with the API.

3. Malicious Insiders. Impacting IaaS, PaaS and SaaS in a public cloud setting, this issue
is amplified due to a single management domain coupled with a lack of transparency into
provider processes and procedures. For example, the hiring practices of cloud providers may be
unknown or undisclosed and could create a potential avenue for access to private and sensitive
data. Consumers of cloud services must ask and understand what cloud providers are doing to
protect them against the threat of malicious insiders. Some solutions to mitigate exposure
include specifying human resource requirements as a part of the service contract or demanding
transparency into overall information security and management practices as well as compliance
reporting.

4. Shared technology issues. This threat is focused on IaaS and exploits the shared
technology aspects of a cloud computing environment, specifically CPU caches, disk
partitions, GPUs and other shared elements lacking strong compartmentalization. Even the use
of a virtualization hypervisor, designed to address this issue, has proven to have its weaknesses
and inappropriate access has been gained to the underlying platform. Solutions to this problem
include implementing security best practices for installation/configuration, promoting strong
authentication and access controls for administrative access and operations, or the enforcement
of service level agreements (SLAs) for patching and vulnerability remediation.

5. Data loss or leakage. This is a serious threat across IaaS, PaaS and SaaS. The loss of
data can have devastating impacts upon competitive edges and financial positions. Depending
upon the type of data lost, there could also be compliance and legal complications. Data can be
compromised through the accidental alteration of records without a backup to restore from. The
loss of an encoding key could result in the effective destruction of critical data. Data center
reliability and operational failures are yet other avenues to create data loss or leakage. Some
solutions to this issue include implementing strong API access controls, the encryption and
protection of data in transit, and the contractual specification of cloud provider backup and
retention strategies.

6. Account or service hijacking. This is most frequently accomplished through the stealing
of access credentials and impacts IaaS, PaaS and SaaS. In a cloud environment,
this could allow the hijacker to manipulate sensitive data, return falsified information or even
redirect clients to an illegitimate site. Possible solutions to the threat include prohibiting the
sharing of account credentials between users and services or understanding the cloud provider's
security procedures and SLAs.

7. The unknown risk profile. Because functionality (e.g., the maintenance of hardware or
software) in an IaaS, PaaS or SaaS offering may be provided by the cloud provider, the ability to
understand the details/compliance to needs such as security procedures, auditing and logging
may be a vulnerability. For instance, who has access to your data and related logs stored?
Solutions to reduce risk in this area include a partial or full disclosure by the cloud provider of
infrastructure details (e.g., patch levels, firewalls) or a disclosure of applicable network intrusion
logs, redirection attempts and/or successes, and other logs or pertinent data.

Due to the sensitivity of ABC's data that is to be managed, it appears that the public cloud may
yet be too vulnerable. It is therefore recommended that ABC pursue a private cloud deployment
over a public one and an appropriate platform would need to be evaluated and selected.

Changing Cloud Providers


This area explores whether ABC would be locked into a specific vendor should there be a
reason to change service providers in the future and is only relevant if using a public cloud
provider. Due to the complexity of a full ERP system and the limited number of cloud service
providers who support Deltek or PeopleSoft in a cloud environment, at this time, it is reasonable
to anticipate that the selection of a cloud provider would require the strong negotiation of
services and rates as it would not be easy to migrate between providers. Amazon has a
standard contractual termination clause of a thirty-day notice; however, as noted, the ability to
find a different provider may be prohibitive.

If ABC agrees that it is more appropriate to deploy a private cloud solution, then the
concern over issues with changing cloud providers becomes moot.

Dynamic Scaling

The goal of this question is to ensure that the cloud provider offers a fully scalable option for the
ERP software selected. A scalable system is one whose performance has reached capacity but
can be immediately improved through the addition of something else to the infrastructure, e.g.,
more hardware, software licenses, servers. Assuming that a private cloud deployment is
selected, this means that ABC's servers would need to be fully scalable. At this point, ABC has
sufficient server capacity and resources to grow a larger "server farm" if required. Regardless of
the ERP system implemented, scalability is not a concern in this environment.

In summary, we are able to conclude that two of the ERP solutions under review, Costpoint and
PeopleSoft, are fully supportable in a public cloud environment; however, a private cloud
would be better able to meet the security needs of ABC and is strongly encouraged. Data can be
migrated to a single application from all four of the ERP solutions being considered and this is a
common practice for these specific application vendors. ABC can easily support scalability with
any solution selected.

Costpoint or PeopleSoft would prove the most efficient/feasible application option to transition to
a private or public cloud-based deployment. SAP would be a distant option because it requires
middleware for a cloud deployment, therefore it is considered less viable. Infor does not appear
to be in a sufficiently advanced stage to be considered for a cloud deployment option without a
great deal of effort and cost.

High-level Implementation Plan

In order for ABC to successfully implement a conversion to a single ERP application, it will
need to consider the following additional details:

Changes to Technology

As ABC converts to a single ERP application they would decommission the obsolete
systems. Assuming that ABC accepts the recommendation to utilize either PeopleSoft or
Costpoint, this means that Obtuse, SAP and Infor would become legacy systems. As the
conversion process is reviewed, decisions will need to be made as to how the data on these
systems will be preserved. There are several options; however, the most common approach is to
have all of the systems "frozen" as of a point in time and preserved so that no further changes
can be made to the data. The various applications would then be maintained
by the Finance and Administration group in the Home Office when and if legacy financial data at
the division level was needed for audit or other purposes. ABC can then keep the legacy data
on a smaller server that is accessible only through password protection for those who have a
need to know. This server can be made web accessible so that finance oriented staff in the
various divisions may be granted access if they need their legacy data for any purpose.

ABC will need to consider whether it is still reasonable to use Hyperion for financial
consolidation purposes as there are so many reporting divisions whose data must be combined
to create a single financial statement for reporting purposes. Both Costpoint
and PeopleSoft are able to manage a consolidation process without having to use an external
program; however, neither system may be able to handle the volume of data as easily as
Hyperion.

All other applications are anticipated to remain intact at this time. Microsoft products such as
Excel and Access are good and useful tools to support any accounting activities. They allow
large amounts of data to be downloaded from the system for manipulation and review, and the
data can then serve as auditable backup to adjustments that are ultimately recorded into the
ERP system (e.g., documenting depreciation schedules for fixed assets, documenting journal
entries and their purpose, or meeting government reporting requirements such as Incurred Cost
Submissions).

A cloud-based solution is being contemplated at this time; however, it is not critical to this
process. It is an added benefit that may provide groundwork for future improvements and will aid
in the ease of functionality with the entire ERP system.

Changes to Personnel

ABC maintains personnel in each division specifically to support IT infrastructure. As there will
be no further need for software development, it is anticipated that the overall IT requirement
(inclusive of divisions) will be reduced by at least 33 percent. By moving to a centralized ERP
application that is based at its home office, the need to have IT staff at the division level for
maintenance purposes is reduced or eliminated. Any system/application issues would be
resolved by the Home Office IT staff who are maintaining the ERP application in the private
cloud solution. Further, there will no longer be a requirement for continued software
development once the Obtuse application is decommissioned.

It is anticipated that, while each ABC division will still need to retain some IT staff to resolve
local issues such as PC issuance and imaging, hand held device support, and the maintenance
of internal networks, due to a centralized ERP application, such staffing requirements will be
reduced by at least one third in each division. It will be the responsibility of management within
each division to determine their staffing needs and to coordinate through Human
Resources to ensure that all retention and termination processes are conducted in accordance
with the laws of each country.

There will also be a requirement to train staff (all users and the IT group) on how to use the
selected ERP solution and to ensure sufficient staff is proficient in SQL reporting queries. User
training will be performed as a part of the conversion process and training needs/recipients will
be identified by management so that an appropriate schedule may be developed with the
conversion specialist for the ERP implementation. IT staff training for maintenance and other
ERP application should also be identified by management and addressed prior to
implementation. ABC will also need to ensure that the appropriate number of IT staff be
proficient in the implementation and maintenance of a private cloud development and
deployment. This can be accomplished through training or through the acquisition of individuals
with the necessary skill sets.

Risk Assessment of Deployment Solution and Controls Recommended
1. Risks Assessed: Security: Moving a vital system into a shared environment is compelling for
the customers. Building trust is not easy; providers enhance their own customer and partner
relationships by enhancing their security services. A complex application like ERP also needs an
intensive set up and management. Cloud Computing does not change the services of the ERP
but is only a delivery mechanism and the solution changes.

Controls Recommended: For this, the cloud provider can offer higher-level security of user, unit
of storage, unit of processing power etc., because they are dealing with bigger systems as well
as many customers. At the same time, they have to satisfy the service requirements, which are
explained on SLA previously.

2. Risks Assessed: Authentication and Authorization: Complexity of the ERP systems increases
the complexity of security configurations, which may lead to potential security vulnerabilities.
Cloud Computing has proposed new challenges and opportunities for tenant authentication. In
the cloud environment, responsibility is divided among few parties such as the users, the cloud
providers and the third party providers.

Controls Recommended: RBAC can be a solution to enhance current cloud ERP security by
restricting access to authorized sources only. Moreover, it is important to set appropriate access
roles for the user, the cloud ERP provider and the third party. The cloud ERP application
interface is accessible via the Internet browser, so the user is authenticated by the system with
an identifier and a password to reach the cloud ERP service. In tenant in the system.

3. Risks Assessed: Recovery of Data: Recovery of data on cloud in case of data loss can be a
major issue.

Controls Recommended: The reliability and security of the vendor can be verified by a security
audit conducted there.

4. Risks Assessed: Compliance risks: Lack of legal and data protection compliances are
significant risks to consider in the cloud model. Each country has different restrictions and
requirements for accessing the sensitive data. The cloud customer needs to pay attention to the
jurisdictions regarding the data processed.

Controls Recommended: Cloud ERP needs to ensure the standards and legislations of both
Cloud Computing and the ERP. As an example of this, the cloud ERP providers should meet or
exceed the traditional ERP security compliance requirements such as ISO 27001 certification,
SAS 70 Type II certification and ISAE 3402 certification.

5. Risks Assessed: Availability of Data: An ERP system consists of several modules and their
connections with the ERP components. In order to maintain business continuity, an ERP system
needs to remain available 7/24 and, depending on the complexity of the system, a number of risk
factors can threaten the availability of the system. For example, ERP uses a central database,
which connects all of its functions. There can be another issue related with the Application
Interface of the ERP, which is the user's control panel for the ERP system; any possibility of a
software bug or application crash might cut the connection between the components and make
the services unavailable.

Controls Recommended: Application and its components should be tested and monitored
regularly. Companies need to consider appropriate solutions to prevent ERP service
unavailability, which may be caused by a system restore and downtime. Preventing
unavailability situations can be achieved by creating and applying a set of security policies.
Internet browser security is vital and can be achieved by using several enhancements such as
SSL, Virtual Local Area Networks, firewalls, packet filters etc. The user access to the cloud
application is also important. Current solutions require users to enter their identifier and their
password; the cloud vendor's identity control and management service would establish an
identity check of the written details. This session can be enhanced by using multi-factor
authentication methods such as biometrics, one-time password, smart cards etc.

6. Risks Assessed: Performance risks: Speed and reliability of data processing is to be
comparable with the existing system.

Controls Recommended: Need to ensure by test check on frequent basis.

7. Risks Assessed: Strategic risks: By outsourcing such a business critical system as ERP,
companies usually bear increased strategic risk of high dependency on the service provider.

Controls Recommended: Appropriate management lookout is required to decide which
information processing can be outsourced and which cannot.

8. Risks Assessed: SLA issues: In many cases it is rather hard to accurately define Service Level
Agreements (SLAs) negotiated between cloud service provider and their corporate clients.
These SLAs usually do not really cover such aspects as confidentiality and integrity, leaving
space for unclear damage liability.

Controls Recommended: The SLAs should be designed carefully in consultation with all experts,
especially the IS auditor.

Recommended Strategy for deployment and Risk Management

In keeping with the theme of cosmological evolution, phased rollout would be analogous to the
Steady State theory: instead of an implementation happening in a single instance, small changes
occur over time. An organization moves off the legacy system and onto the new ERP system in a
series of predetermined steps. This can be achieved in several different ways. The most
appropriate strategy for ABC will be Phased rollout by business unit - Under this approach
implementation is carried out in one or more business units or departments at a time. For
example, you begin with implementing the new ERP system in human resources, then move to
accounting. Some organizations may put together an implementation project team that travels
between each department during implementation phases. As the team gains more experience
with each implementation, subsequent phases become more efficient.

The detailed step wise implementation of strategy shall be as follows:

1. Define your ERP strategy around your company’s core business needs

The first step in any ERP implementation is to identify your company’s needs and business
objectives accurately. Start by finding and documenting the critical business processes,
inflection points and key performance indicators (KPI). This will help you identify the right ERP
solution, and need for specialists or additional services to manage this transition. Before you
begin to implement, you must have a complete plan or roadmap in place. You must be able to
clearly define your expectations from the ERP system and the benefits you want for your
organization. As Gartner puts it, “The most successful ERP projects support strategic business
objectives and goals. This helps to ensure the right level of executive involvement to support
the major business changes that enterprises demand.”

2. Management and involvement of team for better utilization of resources

An ERP system impacts the entire business cycle, so it is advisable to involve all the
stakeholders in the initial stages of discussion. This will ensure that there are fewer
bottlenecks and arguments down the road, giving you more time to focus on the critical
tasks. Even after your system is configured, you would need to train your employees on
how to use the new program. User ‘buy-in’ is the most critical factor for the success of any ERP
program. You could engage a group that specializes in onsite training or prepare your IT team to
handle the day-to-day tech problems and user requirements.

3. Ensure tight control of the budget throughout the implementation process

An ERP implementation may require substantial investment, especially when
enterprises have special requirements. So make sure you assess the expenditure
clearly before you begin and maintain a close watch on spending even throughout the
implementation process. Most successful ERP projects have a dedicated project
manager to ensure the project is kept on track, on budget and moving in the right
direction.

4. Develop performance metrics for evaluation of the program


During the implementation process or even after it, enterprises need to develop and put in
place key performance metrics to measure the impact the ERP system is creating. This would
help in determining whether the implementation is going in the right direction or not, and if you
need to take any corrective action to improve things.

5. Knowledge transfer and awareness for user acceptance

Make sure there is sufficient awareness about the need and scope of the new ERP system, and
that employees are able to extract maximum benefits from it. Before you even begin the
deployment process, it is important that employees have sufficient knowledge about the new
system and are convinced about using it for their respective business functions.

6. Testing for smooth execution

Testing is a very critical step that is often overlooked. Several weeks of parallel testing is
recommended for the success of any ERP program. It is crucial that your daily work is processed
on your old system and also on your new system before going live so that everyone knows their
new roles and responsibilities and questions/issues can be addressed
without the added pressure beforehand. Testing will not only help in ironing out any
obstacles on the path, but will also help in gaining employee confidence that is very
important for the success of any program.

7. Preparing to ‘go live’ finally…

Once your system has been configured, tested and your employees have been trained, it’s time
to ‘go live’ or activate your ERP system. Before you finally go live on the program, make sure
you are fully prepared to take on the new system. A well-prepared and clearly defined
implementation strategy can go a long way in ensuring the success of any ERP system.

12. Overall Conclusions

Based on our review our overall conclusions on specific areas are:

Security and Access Controls

Our review of security and access controls at the IT Environment as reviewed by us and as
implemented in ABC using Unix, Oracle and FALPS confirms that appropriate security and
access controls have been implemented by using related functions and features of the
packages. Our test checks have revealed that systems of security and controls are reliable.
However, there are some areas where controls need to be strengthened and these are given in
annexure.

Business Process Controls

Our review of business process validations and data integrity controls covering all the core
functions of ABC as facilitated by FALPS, such as interest computation, allocation and aging,
confirms that all related data have been duly captured, processed and stored correctly and
completely, subject to some transaction data pertaining to previous years not being available.
However, there are also missing data in master tables, which impact the MIS and statements of
accounts. The issues which have come to our notice during the process of our review are given
in the annexure.

Further Action

We consider that the recommendations given in the annexure to this report would be very useful
for facilitating business process controls of ABC and will aid in improving the effectiveness of
the FALPS package and computer operations. We would like to affirm that the matters included in
this report are those which came to our notice during our review by following normal Information
System audit procedures and by complying with globally applicable Information Systems Auditing
Standards, Guidelines and procedures that apply specifically to Information Systems Auditing
issued by the Information Systems Audit and Control Association, USA, and Security and Control
Practices as outlined in COBIT 5 issued by ISACA, as adapted to ABC operations for review of
application software and implementation audit. Further, on account of limitations of scope and
time, we have used a sample test and test check approach. Hence, certain areas which are outside
the scope of this review, such as source code review, implementation controls and general
controls specific to branches, are not covered.

Summary/Conclusion

The goal of this proposal was to determine if it was reasonable for ABC to move to a cloud based
ERP application, 'Wilson's On Cloud Solution (WOCS) - Standard Version', in order to improve
operational efficiencies, reduce IT costs related to ERP systems, and improve insight into the
financial management aspects of the company for improved strategic planning and performance
monitoring.

A sub-goal was to also determine if, by migrating to a single ERP application, 'Wilson's On
Cloud Solution (WOCS) - Standard Version', ABC might be able to recognize a cost savings
through the reduction of support personnel and through a reduction in licensing/maintenance
costs.

This review has established that a reduction in maintenance costs would be highly likely, yet a full
assessment of current costs against maintenance costs of a single solution remains necessary to
fully recognize the scope of that savings. This white paper cannot adequately address a true cost
savings until management approaches the two recommended providers, Oracle (PeopleSoft) and
Deltek (Costpoint), and obtains their quotations. Regardless, we have established that moving to
a single ERP application will reduce the required level of IT support at the divisional and
corporate level by approximately one third, which does allow for a cost savings. Again though,
until a final solution is selected by management, the full significance of this savings cannot
be firmly established.

Moving to a single ERP solution, 'Wilson's On Cloud Solution (WOCS) - Standard Version', will
allow all divisions to function from a common ERP platform and will remove the need to perform
many of the accounting and operational functions outside of the system. This ensures that
management has immediate and relevant access to meaningful data that is system driven,
immediate and on demand instead of having to wait for somebody to "manipulate" the data into a
format that may or may not be truly accurate depending upon the human error factor.

We have demonstrated that a strong cost savings potential exists as well as a definite ability to
meet the greater need of improving operational functionality and management decision-making
capabilities should ABC migrate to a single ERP solution, 'Wilson's On Cloud Solution (WOCS) -
Standard Version'. The determination to place an ERP solution into a cloud environment remains
an open item in terms of cost savings; however, it is clear that a reduction of IT department
infrastructure can be realized with a move from a decentralized IT department structure to one
that is centralized.

Summary of Recommendations

Migrate from supporting multiple ERP solutions on a divisional level to supporting a
single ERP solution on a web-based or cloud-based platform from a centralized location at the
Home Office.

Retain system analysts and appropriate subject matter experts to review the options
provided by migration to the full ERP solution offered by Oracle's PeopleSoft or Deltek's
Costpoint applications and to determine which solution provides the greatest value to ABC and if
a cloud-based platform is appropriate at this point. In addition, review whether migration to a
private cloud-based environment is a reasonable consideration to pursue in conjunction with
migration to a single ERP solution.

Select a single ERP application to use on a corporate-wide basis after analysis.

Upon selection of a single ERP application, engage appropriate implementation
specialists and other subject matter experts to aid management in developing an adequate
migration and training plan, whether to utilize an in-house or cloud based platform, and to
determine appropriate overall staff training requirements and reductions to the size and
complexity of existing IT departments from the divisional level to a centralized operation.

Retain or obtain appropriate IT personnel to support the new environment.

Review the capabilities of the selected application to determine if Hyperion must be
retained.

Review legacy systems to determine the best solution for preservation of data, access
requirements and access protocols.
