Audit Scope The objective of this audit is to assist UNCCG in reviewing its enterprise data warehouse technology platform.

The scope of work for this audit will consist of < ! hours of professional services and the objectives for this audit will include a review of the following control points" #ata o o o o o #ata o o o o o o o o $arehouse %anagement #ata $arehouse Governance &inancial %anagement 'isk %anagement (uman 'esources )ortfolio )roject %anagement $arehouse *perations #$ +rchitecture and ,ntegration -ystems #evelopment and Testing Change %anagement -ystem %onitoring )roblem %anagement .ogical -ecurity #ata Transmission %etadata

/usiness ,ntegration o -ervice #elivery 0/usiness )rocess ,ntegration and +nalysis1 o )roject %anagement o (elp #esk

Audit Approach *ur approach for the e2ecution of this audit engagement will consist of interviews with key employees3 review of documents3 inspections3 data e2tractions and the usage of applicable audit tools. The audit will consist of the components described below. The phases are listed in se4uential order and should provide an overview of the se4uencing of the proposed engagement. Phase description 5. Mobilization phase G& Consulting will perform the following" #evelop and provide to UNCCG an advanced data re4uest 0+#'1 of the relevant documents and materials that will support our fieldwork. #evelop and provide to UNCCG an initial interview list of those business and ,T professionals that we anticipate Deliverables +dvanced data re4uests 0see appendi2 for a sample re4uest1 ,nterview lists of key employees that we would like to interview 0see appendi2 for a sample list1 #etailed +udit )rogram document0s1 for each of

needing to meet with in order to perform this audit. #evelop an audit program to guide activities during the course of this audit. The audit program guide should include a list of the controls that would be reviewed along with a defined approach for understanding the design of the control and how it would be tested to determine if it was operating effectively. 6. Execution phase *nce the audit program has been finali7ed3 and the appropriate resources have been identified3 fieldwork will proceed in accordance with the audit plan.

the following areas" #ata $arehouse %anagement3 #ata $arehouse *perations and /usiness ,ntegration.

'esults from the e2ecution of the detailed +udit )rogram $orking papers that support the results from the detailed +udit )rogram #raft report for discussion containing an e2ecutive summary3 audit findings and recommendations for improvement. &inal report with edits and comments from UNCCG management

8. Reporting phase +ll ,T audit work is summari7ed in the ,T audit report. *ur team will compile and present a draft report to UNCCG management within three weeks of completing the e2ecution phase. The purpose of this draft is discussion and incorporation of any comments prior to issuing a final report to UNCCG.

Risk Assessment /ased on the information provided by UNCCG during our initial conversation3 combined with our understanding about the business environment in which UNCCG operates3 we have formulated the following risk considerations that we understand are relevant to your business. *ur goal is to incorporate these risk considerations in our audit program to be developed in the %obili7ation )hase of this engagement. Risk category: Regulatory Risk 5 +s a publicly traded company3 UNCCG is subject to compliance with the -arbanes9*2ley +ct of 6::6 0-* 1. +s a result3 UNCCG;s management must" +ccept responsibility for the effectiveness of the company;s internal control over financial reporting. <valuate the effectiveness of the company;s internal control over financial reporting using suitable control criteria. -upport is evaluation with sufficient evidence3 including documentation.

)resent a written assessment of the effectiveness of the company;s internal control over financial reporting as of the end of the company;s most recent fiscal year.

+lthough this legal re4uirement may not have a direct impact on the data warehouse applications subject to this audit3 once it is not categori7ed as a =financial reporting related> application3 it may have an indirect impact in the case that technology infrastructure is common among the financial reporting systems and the data warehouse applications. Technology infrastructure 0operations3 security3 processes3 people1 that support financial reporting systems are subject to -* compliance re4uirements. Risk category: Techonology/Reputational Risk 6 )rivacy regulations The )ersonal #ata )rivacy ? -ecurity +ct of 6::@ bill states that organi7ations must =adopt reasonable procedures to ensure the security3 privacy and confidentiality of personally identifiable information> and notify relevant governing bodies when security breaches occur. The bill also states that3 if there is reason to believe the stolen data can be used for identity theft3 then the organi7ation must make public notification. $e have seen increased pressure in the marketplace pushing companies to move to a better defined and better controlled data privacy controls environment. $e understand that a significant portion of UNCCG;s revenue comes from check cards3 credit and debit card transactions on which some consumer information is collected3 processed and may or may not be stored. ,t is our understanding that payment information processing is processed e2ternally. ,n addition3 UNCCG;s consumer loyalty program collects and stores consumer private information such as telephone numbers3 addresses3 names and a history of purchases. /ased on those facts3 we understand that current and future privacy regulations are a relevant risk to the business at UNCCG that has both a regulatory impact and also a brand impact3 given that fact that future privacy breaches will be re4uired to be made public. Risk category: Operational Risk 8 <2ternal Aendor;s access to enterprise data /ased on the information provided by UNCCG during our initial conversations3 we understand that credit and debit card payment processing is outsourced with an e2ternal vendor. ,n addition3 UNCCG indicated that it relies on a third party vendor3 located in ,ndia3 to perform program change and program development functions for the data warehouse 0#$1 management system. This e2ternal vendor has remote access to the UNCCG environment. $e understand that3 even though UNCCG has outsourced program change and program development functions to a third party vendor3 it is still responsible for ensuring the accuracy3 completeness and appropriateness of program changes and developments on the #$ environment. ,n order to perform their business function3 both these vendors will have the ability to get access to sensitive enterprise data including consumer information. /ased on that fact3 we consider that this is a relevant risk to the company;s ,T environment.

Risk category: Credit Risk/Technology Risk B Unavailability of credit andCor debit card processing application $e understand that a significant portion of UNCCG;s revenue comes from check cards3 credit cards and debit cards transactions3 which are processed e2ternally 0for approval purposes1 and stored by one of the company;s mainframe based systems 0for reconciliation and historic purposes1. Unavailability of either the e2ternal processing vendor or of the mainframe9based system would cause point of sales systems 0)*-1 at the stores to operate in an =offline mode> and only cash payments would be allowed3 until functionality is completely restored. /ased on that information3 we consider that unavailability of card payment applications is a relevant risk to the business that has a direct impact on the customer;s perception of 4uality of service and a direct impact on sales. Communications Through regular meetings and ongoing communication with management3 we will establish a relationship of openness and teamwork through which we can discuss significant audit findings3 recommendations for improving internal controls or operations3 and current industry issues 0or any other issues management wishes to discuss13 and ultimately develop solid solutions without surprises. $e commit to holding regular meetings with management3 both formally and informally3 to foster such a relationship. %anagement letters and communication are an important element of professional service. ,t is our policy to discuss our findings and recommendations with the appropriate members of management prior to issuance so that we can verify factual accuracy. *ur final report will only include findings and recommendations considered significant. *ther matters will be communicated throughout the engagement and during our regular meetings and fieldwork. Planned schedule G& Consulting estimates this engagement will re4uire appro2imately 2222 weeks of effort3 and we are prepared to begin fieldwork on a date mutually agreed upon with UNCCG. ,n addition3 we understand the final report for this audit must be completed no later than Duly 5@3 6::E.

APPENDIX I Sample Advanced Data Request The following information would be helpful in evaluating the e2isting data warehouse environment to the e2tent it already e2ists. 5. *rgani7ation Charts a. Technology 0#evelopment and *perations1 b. /usiness 6. Telephone #irectory 8. User #ocumentation a. #ata warehouse user training guides b. #ata warehouse user operational manuals B. -ystems documentation a. +pplication architecture 0including an e2planation of any automated interfaces1 b. -ystems operations overview 0platform and network1 c. Third party vendor agreements @. %anagement procedures and policies a. *perations %anagement 0system monitoring3 maintenance3 and or scheduled support1 b. ,nformation -ecurity 0logical access1 c. Change %anagement 0change control and configuration management1 d. /usiness Continuity )lan0s1 e. #isaster 'ecovery )lan0s1 f. )roblem %anagement

APPENDIX II Sample Intervie

request

The following is a list of individuals we anticipate will be likely re4uested to participate in a one9hour interview with one of our team member. -hedule will be arranged by our team in observance to UNCCG;s personnel commitments and priorities. *ther interviews may be determined necessary as we make progress and we will make our best efforts to communicate this as soon as possible so it can be scheduled in a non9disruptive manner. Indi idual Derry .ewis /runno 'odrigue7 Chris )oknis +ndy Tatum +ndrew #eloach Chris %aiden %ike %aher Dosh -mith +manda &ernande7 -teve .ucas Role Chief ,nformation *fficer Chief -ecurity *fficer Aendor 'elationship %anager ,T *perations %anager #atabase +dministrator 0#/+1 #ata $arehouse .ead #ata $arehouse -ervice #elivery %anager #ata $arehouse +rchitect -+) )roject .ead #ata $arehouse -enior +nalyst