This is to certify that we have successfully completed the DISA 2.0 course
training conducted at: ICAI Jaipur from 6th May 2017 to 4th June 2017 and we
have the required attendance. We are submitting the Project titled: Migrating to
Cloud Based ERP Solution.
We hereby confirm that we have adhered to the guidelines issued by CIT, ICAI
for the project. We also certify that this project report is the original work of our
group and each one of us has actively participated and contributed in preparing
this project. We have not shared the project details or taken help in preparing the
project report from anyone except members of our group.
Place: Jaipur
Date: 17-Jun-2017
Table of Contents
1. Introduction
2. Auditee Environment
3. Background
4. Situation
8. Documents reviewed
9. References
10. Deliverables
12. Summary/Conclusion
Project Report
Title: Migrating to Cloud based ERP Solution
ABC Automobile Ltd. (Auditee) makes luxury buses in South India. It is well equipped with
total infrastructure, has kept pace with changing technology and produces very
high quality buses. They are currently using a stand-alone accounting and inventory package
which has limited functionality. They have aggressive business growth plans and found
that the current software solution cannot meet their future requirements.
The WOCS solution has standard product features which cannot be modified except according
to the methodology followed by Wilson; the customer has to use the existing product
without any changes. As part of the Software as a Service (SaaS) development model,
WOCS will not make any changes in the data entry screens or processes to suit an individual
customer's needs.
1. Introduction
The Auditee is engaged in the business of making luxury buses in South India. The
company has more than 300 employees spread across its head office in Chennai
and 4 branch offices in Coimbatore, Mysore, Bangalore and Cochin. The
Finance and Accounts department has more than 40 employees. The auditee is a public
limited company founded by its Chairman Mr. R. Venkateshwar, an M.B.A. from a
very reputed institution and a visionary who has taken the company to great success.
The company has aggressive growth plans and wants to expand its operations across
India, but the current software packages are stand-alone and non-integrated, and
extensive documentation is maintained. The company is now largely managed by its M.D.
Mr. T. Venkateshwar, the son of Mr. R. Venkateshwar, who holds a B.Tech. and an M.B.A.
from one of the finest institutes in the world.
The Auditee is currently using an ERP package which includes stand-alone accounting and
inventory packages with limited functionality, which is not sufficient in view of the
company's expansion plans.
Technology is changing and developing faster than ever before, and every day people are
faced with new tools and services in their daily life. Cloud ERP is an approach to enterprise
resource planning (ERP) that makes use of cloud computing platforms and services to
provide a business with more flexible business process transformation. Cloud based ERP
benefits customers by providing application scalability and reduced hardware costs.
However, the constraint is that most of the staff are not computer savvy and have limited
knowledge of using computers. For this, the young MD of the company who has taken
charge is confident of training employees and implementing the proposed ERP solution.
Further, the cost consideration based on a model implementation of a 10 user license shows
the cost benefit analysis and justification for the investment. The vendor is expected to provide
one week of training to employees so that they can configure and implement the solution as per
their specific business processes.
The Business policies and procedures to be followed are divided into 4 sections:
This particular assignment shall be carried out by one of our senior partners, CA DK Khandelwal
(FCA, CISA, DISA), along with our other partner CA KK Jain (ACA) and 5 article assistants.
2. Auditee Environment
The Auditee, as specified above, makes luxury buses for its customers in South
India and is a limited company headed by its M.D. Mr. T. Venkateshwar. The auditee presently
has a stand-alone accounting and inventory package ERP for its head office and its 4
branches, which is not sufficient given the business's growth plans.
The Finance and Accounts department has more than 40 employees, and the current software
packages are stand-alone and non-integrated, with extensive documentation
maintained. They have aggressive business growth plans and found that the current
software solution cannot meet their future business requirements.
Wilson Solutions provides a single version of the product at any point of time. All product
feature upgrades and updates shall be made available as a part of the standard offering.
Basically the requirements are market driven and will be prioritized based on various criteria
such as statutory needs, best business practices, key business processes, etc. As a practice,
upgrades are provided once a month. The scope of the project includes implementation
of Wilson ERP on Cloud - Standard Version for the legal entities of ABC for the below
modules, within the available product features of Wilson ERP on Cloud - Standard Version.
The modules included in the scope are:
Purchase Management
Financial Accounting
Management Accounting
Inventory Management
Service Management
Discrete Production
Maintenance Management
HR & Payroll
Physical security
Even a cloud application and its data must be located somewhere. The physical surroundings
of the software and data are an important component of a business continuity plan as well
as a software security plan. A physical security breach means that somebody with
malicious intent has physical access to the hardware where either your application is
running or where your data is stored.
If other forms of security are in place, a physical security breach will not result in loss of
data. However, if the intruder's intent is to disrupt your service, then a lapse in physical
security will be a problem. Part of your business continuity plan should include a solid
physical security plan. When applications and data run in an external cloud, the physical
environment is located off-premise. In most cases physical security in a tier 1 datacenter
is many times better than that in an office building or an internally run server room. All
building access is logged, cameras are in place, and cleaning people are not generally
milling about after hours. State of the art authentication technology (fingerprint, ID badge,
retina scans) is often implemented. SaaS applications are run by administrators who are
employed by the software vendor or cloud provider and not by the company that purchased
the ERP software. The quality and reliability of administrators depends more on the
resources and focus than on the employer.
Transmission Security
When data is communicated between the user, the server and the database, there is a
chance that transmissions can be intercepted. An easy way to prevent this is to
encrypt all communications between source and destination. However, encryption
comes at a cost to performance: if you spend too many processing cycles encrypting and
decrypting data, you will have to purchase more expensive hardware or endure delays.
There are several types of security algorithms that are used to protect communications.
The underlying idea is that sensitive or private data is scrambled using an encryption key
and a data encryption algorithm. The data cannot be read or deciphered without the
decryption key. The decryption key can be the same as (symmetric) or different from (asymmetric)
the encryption key. Once scrambled, the data is sent to its destination. If intercepted,
the data can only be reconstructed by using an algorithm that tries to guess the decryption
key, a process that takes many years using powerful computers. When the scrambled
data arrives at its destination, the receiving party learns the proper decryption key by
querying a key master or certificate authority. Several common algorithms include RSA,
Secure Socket Layer (SSL), Data Encryption Standard (DES) and Triple DES. An explanation
of these algorithms is beyond the scope of this report but is well documented elsewhere.
Applications running in an external cloud require passing data between the cloud and the
user location. Frequently this occurs over the Internet and over wireless networks.
Furthermore, client machines are mobile (access from anywhere being a big advantage of
the cloud), so processing power and bandwidth may be at a premium. Web-based systems
utilize a browser on the client device and take advantage of SSL encryption to protect all
communications with the server. The SSL protocol is supported by all major browsers and
encapsulates application-specific protocols like HTTP to form HTTPS, so no one can hijack
a session or read the data. SSL requires negligible computing overhead and is acceptable
security for banking, health care and other sensitive industries.
Some folks ask about SOAP and how that differs from HTTPS. HTTPS helps you
communicate between browsers and servers, but SOAP provides secure communications
between applications. SOAP encapsulates additional data in the form of XML so cloud
applications can communicate more efficiently than if they were required to send a series
of HTTP requests.
Storage security
When ERP data is accessed by users, business logic limits unauthorized access to users
with the proper credentials (see the section on application security). But suppose a network
administrator has direct access to data in the database. In this case, the data could be
viewed without going through the business logic.
To protect against this vulnerability, sensitive data should be encrypted when it rests in the
database or in a file system. This prevents direct access and ensures that all data is only
accessed via the application logic. The application knows how to decrypt the data, so a
legitimate user will not be impacted.
As with transmission security, the encryption and decryption processes create processing
overhead, so non-sensitive data should be stored in the clear to minimize costs.
Additionally, make sure that any required data indexing is not broken in the encryption
process.
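As an added illustration of the indexing caveat above (not code from the report, ABC or Wilson), the following Python stores a sensitive column encrypted with a randomized scheme, shows that an equality lookup against the ciphertext no longer works, and restores exact-match lookups with a keyed blind index. The cipher is a standard-library stand-in built from HMAC-SHA256 so the example runs offline; a production system would use an authenticated cipher such as AES-GCM, and the table, keys and customer rows here are constructed for the example.

```python
"""Encryption at rest for a sensitive ERP column, with a blind index for lookups.

Constructed example (not ABC's or Wilson's code). The stream cipher below is a
demonstration stand-in built from HMAC-SHA256 so the example runs with the standard
library only; a production system would use an authenticated cipher such as AES-GCM.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 16


def _subkey(master_key: bytes, purpose: bytes) -> bytes:
    """Derive a purpose-specific key so the master key is never used raw for two jobs."""
    return hmac.new(master_key, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (demonstration only)."""
    out = b""
    counter = 0
    while len(out) < length:
        block_input = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block_input, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(master_key: bytes, plaintext: str) -> bytes:
    """Randomized encryption: a fresh nonce makes equal plaintexts produce different blobs."""
    nonce = os.urandom(NONCE_LEN)
    data = plaintext.encode("utf-8")
    stream = _keystream(_subkey(master_key, b"enc"), nonce, len(data))
    ciphertext = bytes(a ^ b for a, b in zip(data, stream))
    mac = hmac.new(_subkey(master_key, b"mac"), nonce + ciphertext, hashlib.sha256)
    return nonce + ciphertext + mac.digest()[:TAG_LEN]


def decrypt_field(master_key: bytes, blob: bytes) -> str:
    """Verify the integrity tag, then recover the plaintext; tampering raises ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    mac = hmac.new(_subkey(master_key, b"mac"), nonce + ciphertext, hashlib.sha256)
    if not hmac.compare_digest(tag, mac.digest()[:TAG_LEN]):
        raise ValueError("integrity check failed")
    stream = _keystream(_subkey(master_key, b"enc"), nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream)).decode("utf-8")


def blind_index(index_key: bytes, value: str) -> str:
    """Deterministic keyed hash of the normalized value, usable only for equality lookups."""
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(index_key, normalized, hashlib.sha256).hexdigest()


class CustomerTable:
    """In-memory stand-in for a database table whose bank account column is encrypted."""

    def __init__(self, master_key: bytes, index_key: bytes):
        self.master_key = master_key
        self.index_key = index_key   # separate key: the index must not reveal the cipher key
        self.rows = []

    def insert(self, name: str, account_no: str) -> None:
        self.rows.append({
            "name": name,                                   # non-sensitive, stored in the clear
            "account_ct": encrypt_field(self.master_key, account_no),
            "account_idx": blind_index(self.index_key, account_no),
        })

    def find_by_ciphertext_match(self, account_no: str):
        """Naive lookup: encrypt the probe and compare blobs. It never matches, because
        every encryption uses a new nonce; this is the broken index the text warns about."""
        probe = encrypt_field(self.master_key, account_no)
        return [r["name"] for r in self.rows if r["account_ct"] == probe]

    def find_by_index(self, account_no: str):
        """Working lookup: compare blind indexes instead of ciphertexts."""
        probe = blind_index(self.index_key, account_no)
        return [r["name"] for r in self.rows if r["account_idx"] == probe]

    def account_of(self, name: str) -> str:
        """The application decrypts on read, so a legitimate user is not impacted."""
        for r in self.rows:
            if r["name"] == name:
                return decrypt_field(self.master_key, r["account_ct"])
        raise KeyError(name)
```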
Access Security
Access (or perimeter) security is important for preventing unwanted users from grabbing
resources and sending unauthorized queries to your servers. Usually this is accomplished
through the use of firewalls that prevent unwanted traffic from communicating with your
business applications. Lack of access security could impact your application availability (in
the case of a denial of service attack) and provide hackers with a way in, making it easier
to steal resources or passwords.
There are many types of firewalls: network level firewalls (fast inspection of IP, port and
service in the packet headers), circuit level firewalls (monitor sessions between
computers), application level firewalls (inspect data content to protect against viruses and
intruders), network address translation devices (NAT, which assigns private IP addresses that
cannot be reached from outside the network), and proxy servers (application level firewalls
that mediate transactions between computers).
Cloud systems should be protected by perimeter security just as you would protect any on
premise application. Verify that your cloud provider has firewall protection in place to
prevent intruders and denial of service attacks. A multi-tenant cloud application is slightly
different because by definition, multiple users are accessing the same application code
and the same resources. In this case, processes must be in place to ensure that bad
things do not happen to customer A if customer B's application is compromised.
Data security
Data security limits access to data objects to specific individuals. Different levels of data
security include read-only, edit, insert and delete. Data security can be set at the
application or object level.
Data security for ERP systems may be enforced through business logic or at the database
layer. In most cases the business logic authenticates users and provides them with specific
rights to data objects. This means that authenticated users gain access to objects based
on specific capabilities assigned by the system. For example, a sales person may have
read-only access to product information so he cannot change the
pricing/margins/commissions associated with the product. A sales person may have
access to customer records that he manages, but not have access to customers managed
by others. To simplify management, systems offer role-based security so administrators
can assign broad security policies to specific individuals. Accounting, marketing, sales,
shipping, and management roles can be established and assigned to individual
employees. Employees that perform more than one role can receive multiple policies. By
assigning roles, administrators can change security for many people at once without the
responsibility of changing individual records.
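Added example (not the report's or Wilson ERP's code) of the role-based model described above: roles carry permissions per object type, a sales person is read-only on products and limited to the customers he manages, an employee with several roles receives the union of their policies, and changing a role's policy changes security for everyone holding it. The role names, object types and users are assumed for the illustration.

```python
"""Role-based data security for ERP objects, with row-level ownership for customer records.

Constructed illustration (not ABC's or Wilson's code); roles, object types and users
are assumed for the example.
"""
from dataclasses import dataclass

# Permission levels named in the report.
READ, EDIT, INSERT, DELETE = "read", "edit", "insert", "delete"
# Scope of a permission: every record of the type, or only records the user owns.
ALL, OWN = "all", "own"

# Role -> object type -> (permitted actions, scope). Administrators change security for
# everyone holding a role by editing this table, not by touching individual user records.
ROLE_POLICIES = {
    "sales": {
        "product":  (frozenset({READ}), ALL),                # read-only: no pricing/margin edits
        "customer": (frozenset({READ, EDIT, INSERT}), OWN),  # only customers this person manages
    },
    "accounting": {
        "product":  (frozenset({READ, EDIT}), ALL),
        "invoice":  (frozenset({READ, EDIT, INSERT, DELETE}), ALL),
    },
    "management": {
        "product":  (frozenset({READ, EDIT}), ALL),
        "customer": (frozenset({READ}), ALL),                # may see every customer, not edit
        "invoice":  (frozenset({READ}), ALL),
    },
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset   # an employee performing several roles receives several policies


def is_authorized(user: User, action: str, obj_type: str, record: dict) -> bool:
    """Allow if any of the user's roles grants `action` on `obj_type` within its scope.
    Unknown roles, object types and actions fall through to a deny."""
    for role in user.roles:
        actions, scope = ROLE_POLICIES.get(role, {}).get(obj_type, (frozenset(), ALL))
        if action not in actions:
            continue
        if scope == ALL or record.get("owner") == user.name:
            return True
    return False


def set_role_policy(role: str, obj_type: str, actions, scope: str = ALL) -> None:
    """Change one role's policy; it takes effect for every user holding that role at once."""
    ROLE_POLICIES.setdefault(role, {})[obj_type] = (frozenset(actions), scope)


def check_access(user: User, action: str, obj_type: str, record: dict) -> dict:
    """Application-layer gate: return the record, or raise PermissionError."""
    if not is_authorized(user, action, obj_type, record):
        raise PermissionError(f"{user.name} may not {action} {obj_type} {record.get('id')}")
    return record


if __name__ == "__main__":
    ravi = User("ravi", frozenset({"sales"}))
    product = {"id": "BUS-01", "price": 4_500_000}   # constructed sample record
    print(is_authorized(ravi, READ, "product", product))   # True
    print(is_authorized(ravi, EDIT, "product", product))   # False
```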
Most data security is limited to data access. Once a user gains access to specific
information, screens or reports, the information can be downloaded and shared with
others. Digital rights management goes one step farther by "wrapping" data objects with
rights that follow the object no matter where it goes. In this case, users can forward the
encrypted data, but that data cannot be viewed or changed unless the recipient can be
verified.
Application security
Application security encompasses two major areas: the way the application
authenticates and manages users, and the way in which application code is managed.
User Authentication
3. Background
The Auditee is currently facing the problem of an ERP which has limited functionalities. The
company has aggressive growth plans and found that the current software solution cannot
meet their future business requirements.
In this regard the auditee has appointed M/S SRN & Associates to conduct an IS Audit on
the reliability and practical implementation of the new ERP solution. Further, the auditors are
required to perform a risk assessment of the proposed solution and also to provide a specific
risk management strategy to be adopted, covering security, performance and business
value.
The auditors also have to recommend key controls to be implemented, and a cost and benefit
analysis is to be done comparing Capex and Opex for the current and
proposed solutions.
4. Situation
The Auditee is currently using an ERP system which provides stand-alone accounting and
inventory packages which has limited functionalities. The company has aggressive growth
plans for which the current software solution is not enough. The company’s finance and
accounts department has more than 40 employees and current software packages are
stand-alone and non-integrated and extensive documentation is maintained. So it has
been decided by the management to migrate to cloud based ERP.
The proposed Wilson solution provides a single version of the product at any point of
time. All product feature upgrades and updates shall be made available as a part of the
standard offering. Basically the requirements are market driven and will be prioritized based on
various criteria such as statutory needs, best business practices, key business processes, etc.
There are 14 modules included in the scope, such as sales & shipping management,
accounts receivable, purchase, HR & Payroll, etc.
Moreover, the current staff are not computer savvy and have limited knowledge of using
computers, but the young MD has taken charge of training employees, and the cost
consideration based on a model implementation of a 10 user license shows the cost benefit
analysis and justification for the investment. So, seeing these current problems and the
benefits of the cloud based solution, it has been decided by the management to migrate to a
cloud based ERP. The proposed solution also provides complete applications which are
sold on a subscription model for a specific period. This model provides the capability to
use the provider's applications running on cloud infrastructure. The applications are
accessible from various client devices through a thin client interface such as a web browser. This
brings savings to ABC Automobiles as there is no need to buy licenses for running
programs on their own computers. The software solution is accessible using existing
computers.
In order to obtain assurance that the data processed by the system is complete, valid and
accurate and is giving the desired results, computer assisted audit techniques (CAAT) shall
be used.
Computer Assisted Audit Techniques (CAATs) are computer based tools which help us
use various automated tools to evaluate an IT system or its data. These are very
useful where a significant volume of auditee data is available in electronic format. CAATs
provide a greater level of assurance as compared to other techniques, especially manual
testing methods.
Further boarding and lodging requirements of the audit team to conduct the desired audit.
A) Assessing the Adoption and its Business Impact: - Once a company achieves go-live
with its Enterprise system, it’s important to monitor new process adoption and impact on
business performance. The process of comparing and assessing baseline and post-
implementation performance measures has been carried out. A gap analysis is useful for
comparing expected deliverables versus project results. It’s also important to consider
employee transition to the new system. Our methodology incorporates steps for effective
knowledge transfer and overall support to change management.
B) Considering Satisfaction of Stakeholders: querying the stakeholders, including
employees, managers, the IT department, customers and vendors, about their satisfaction
with the new system, and the system's impact on customers' and vendors' interactions with
the business.
Dependence upon the third parties wherever third party services are used.
Due to the dynamic nature of cloud, information may not immediately be located in
the event of a disaster.
After risk analysis, assessing the probability that the risks identified will materialize together
with their likely effect, and documenting the risks along with the controls that mitigate these
risks. Inclusion of the most likely sources of threats, internal as well as external, such
as hackers, competitors and foreign governments.
Based on the information obtained and the scope and objectives of the
engagement, we shall document the way business security and IS objectives (when
applicable) are affected by the identified risks and controls that mitigate those
risks.
In this process we shall evaluate areas of weakness or vulnerabilities that need
strengthening. New controls identified as mitigating the risks considered shall be
included in a work plan for testing purposes.
8. Documents reviewed
User Manuals and Technical Manuals relating to System Software and ERP.
Organization chart outlining the organization hierarchy and job responsibilities
Access to circulars & guidelines issued to employees.
Access to user manuals and documentation relating to ERP Implementation by
ABC Automobiles Ltd.
Any other documentation as identified by us as required for the assignment
Security policy document relating to system.
Audit Findings documents.
9. References
Best practices relating to the internationally accepted standards for IS Audit: COBIT
(Control Objectives for Information and Related Technology, issued by the
Information Systems Audit and Control Association, USA), COSO framework, etc.
Best practices relating to security policy
Best practices relating to confidentiality policy
CAAT tools
Information Systems Audit and Control Association- IS Auditing Guidelines
Information Systems Audit 2.0 Course – Volume I- Module 1- Chapter-3 Part-1-
Cloud and Mobile Computing
Information Systems Audit 2.0 Course – Volume 1 – Module 2 – Chapter 2 – IS Audit
in Phases
10. Deliverables
1. Draft Report including an executive summary of the result of the review along with the
findings and recommendations, with risk analysis of the findings.
2. Final Report incorporating Management Comment and agreed priority plan of action
based on exposure analysis.
The primary objective of this Information Systems Audit assignment was to provide
assurance to the management of ABC Limited (ABC) on the availability,
appropriateness and adequacy of controls in the critical operations and transaction
processing, capex and opex, through review of the control framework of their in-house
package (critical operations and transaction processing), review of logical
access controls of critical operations and transaction processing, capex and opex, and
an implementation audit of General Controls at 2 select branches with specific
emphasis on implementation of controls.
2. What is the total cost of ownership for each system under each option
(cloud based if available versus in-house hosted)
5. Can the ERP system manage the level of seats required for functionality
6. Ease of data migration from one system to another (e.g., will data integrity
remain intact, can data be migrated easily or will it require manual efforts)
8. Which system offers the greatest capability for ABC's needs with the least
amount of customization
9. What is required for implementation and what type of support does the
vendor offer
10. Who will actually be doing the implementation (e.g., does the vendor have its
own in-house implementation team or do they subcontract this out)
11. How flexible is the system and how easily can it be modified to meet
changing business needs
12. Are there any other business processes that can be improved through the
implementation of one ERP system over another
Given this set of issues to be resolved, the recommendations for an ERP system in a
cloud solution or in-house solution are as follows:
1. Hire an experienced system analyst and other appropriate SMEs to aid in the
review of ERP options and the analysis of unique requirements
2. Have each of the four vendors provide proposal and a demonstration of their
system capabilities
3. Down select to two vendors, provide them with a script that contains all of the
business processes the system must encounter in a day and have them provide a proof of
concept.
Audit Findings/Recommendations:
ABC must perform further research to determine if it should install an on-site ERP
application or if it should look to a cloud-based solution (client-server versus a web-based
solution in a public or private cloud deployment). We will address factors that should be
reviewed and addressed as a part of this determination process and discuss how these
might impact the four ERP solutions being considered: Oracle's PeopleSoft,
Deltek's Costpoint, SAP and Infor.
Audit team identified several basic areas to address when considering whether a
cloud solution is reasonable:
6. Will you be able to move between cloud providers? Are you locked into a
specific provider after the application is deployed?
Web Application
The question being considered is whether the application in question is a web application.
We have already established that only two of the four software solutions being considered
by ABC are fully web compatible: Deltek's Costpoint and Oracle's PeopleSoft. IBM's
WebSphere Cast Iron Cloud Integration solution (Cast Iron) offers a configuration-based
solution for data migration and application integration of the SAP solution in lieu of
requiring the writing of potentially complex code, and it requires no middleware. Cast Iron
indicates that it can integrate with Baan; however, Baan no longer truly exists and was
integrated into the Infor ERP solution. It is unclear whether Cast Iron can support Infor as it
currently exists, which may mean that a source would need to be found so that code could
be written. Since cloud providers are clearly offering Costpoint and PeopleSoft on the web
with no conversion needs, these applications are recommended as the two to review
further. Although SAP can be converted through Cast Iron, it will require more effort than
Costpoint and PeopleSoft, and the convertibility of Infor is fully in question, so neither
application is considered a viable solution for further consideration and will not be
assessed further.
Native .NET/Java
The purpose of this question is to determine whether a cloud provider can support the
technology stack of the software application selected. A technology stack means the
layers of components or services that are used to provide a software solution or
application.
PeopleSoft uses PeopleCode, AE, SCAR, CI, DMS, HTTP(S)/XML (extensible markup
language), JDK (Java Development Kit), .NET/Java, COM or C/C++ to interface with
its components. Oracle has teamed with Amazon Web Services Cloud (EC2) to provide its
PeopleSoft product, so it can fully support the application.
Database Type
This question asks us to look at the database type that we are using and determine if it is
supportable by the cloud provider. ABC is already using both Deltek and PeopleSoft
applications in a client-server deployment. Further, we know that cloud providers such
as Amazon (EC2) and Salesforce.com support these applications in a public cloud
environment, so we know that these database types are supportable. The question that
would need to be addressed in an analysis other than this is what a data migration solution
would entail for the ABC divisions that are presently utilizing SAP and Infor applications. In
essence, a data migration process would need to be developed to include the following
(Database Answers):
3. Identify all the required data sources and the "owner" for each source
considering data feeds, legacy systems and operational data stores
4. Define the data items required, in consultation with the users
6. Define the data validation checks (bottom-up) and clean-up business rules for
source data
7. Carry out an audit of the data quality in the major databases, (bottom-up and
top-down)
8. Define the staging area with mirror tables to store extract files.
10. Create the data model for the target ERP database
11. Define the data mapping between source and target data items.
Management/Monitoring Tools
This area reviews whether the management tools (e.g., dashboards, status reports) used
can be used on the web or in a cloud-based environment. The management tools currently
used by ABC are those developed in their "Obtuse" product from a PeopleSoft base. We
know that ABC's intent is to migrate from the four ERP applications presently used to a
single application (in this study PeopleSoft or Deltek), and the management tools
utilized by either of these solutions would be adopted. ABC
would be more comfortable with the look and feel of the PeopleSoft tools because Obtuse
utilizes similar management tools; however, the Deltek tools are more relevant to the
industry that ABC support — management consulting. Through the answers to the previous
questions we know that PeopleSoft and Deltek all have web-compatible as well as cloud-
compatible management tools since both are currently being used in a public cloud
environment.
Security Risks
This is a critical area of evaluation and impacts whether a public cloud deployment or a
private one is more appropriate for ABC. Mallya (Mallya, 2006) states that there are two
steps to evaluating the security risks:
2. Know that security hazards can be created by making the client available from
any PC that is connected to the web
The EUKhost Blog indicates the location of deployment is the prime differentiating factor
between a public or private cloud option. A public cloud hosting solution is one that is
offered over the Internet and the service provider bears the cost and responsibility of
managing the infrastructure and security. Data storage is shared with all of the users of the
service. In this type of a situation, ABC would have to
rely upon the security measures the host implemented as satisfactory. For example, if ABC
were to consider using Amazon's EC2 option of cloud support, Amazon's privacy policy
states, "we will implement reasonable and appropriate measures designed to help you
secure Your Content against accidental or unlawful loss, access or disclosure." This does
not tell the consumer much about what exactly Amazon does to protect the data in their
care.
EUKhost Blog states that a Private cloud hosting is created "using software operating on
hardware provided by the customer." In this case, the data is fully managed by the
customer, not by the cloud provider, so all security is that which the customer institutes.
Another advantage that eUKhost Blog identifies with a Private cloud solution is that of
greater scalability because of the ability to expand existing architecture.
In 2010, the Cloud Security Alliance (CSA) issued their report on the top threats to
public cloud computing (CSA, 2010). The report indicates the following:
1. The abuse and nefarious use of cloud computing. This impacts mostly
Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) and exploits their
weak registration systems and limited fraud detection. Botnets have used IaaS for
command and control functions as well as to introduce trojan horses and malicious code.
Solutions include stricter initial registration and validation processes, enhanced fraud
monitoring and coordination, comprehensive introspection of customer network traffic and
the monitoring of public blacklists for one's own network blocks.
2. Insecure interfaces and APIs. The security and availability of general cloud services
is dependent upon the basic APIs used to manage and interact with cloud services, and this
threat impacts IaaS, PaaS and Software as a Service (SaaS). This potential weakness can
impact the confidentiality, integrity, availability and accountability of data. Examples
include reusable tokens or passwords and limited monitoring and logging capabilities.
Solutions include analyzing the security model of cloud provider interfaces, ensuring strong
authentication and access controls are used in conjunction with encryption, and
understanding the dependency chain associated with the API.
3. Malicious Insiders. Impacting IaaS, PaaS and SaaS in a public cloud setting, this
issue is amplified due to a single management domain coupled with a lack of transparency
into provider processes and procedures. For example, the hiring practices of cloud
providers may be unknown or undisclosed and could create a potential avenue for access
to private and sensitive data. Consumers of cloud services must ask and understand what
cloud providers are going to protect them against the threat of malicious insiders. Some
solutions to mitigate exposure include specifying human resource requirements as a part of
the service contract or demanding transparency into overall information security and
management practices as well as compliance reporting.
4. Shared technology issues. This threat is focused on IaaS and exploits the shared
technology aspects of a cloud computing environment — specifically CPU caches, disk
partitions, GPUs and other shared elements lacking strong compartmentalization. Even the
use of a virtualization hypervisor, designed to address this issue has proven to have its
weaknesses and inappropriate access has been gained to the underlying platform.
Solutions to this problem include implementing security best practices for
installation/configuration, promoting strong authentication and access controls for
administrative access and operations, or the enforcement of service level agreements
(SLAs) for patching and vulnerability remediation.
5. Data loss or leakage. This is a serious threat across IaaS, PaaS and SaaS. The
loss of data can have devastating impacts upon competitive edges and financial positions.
Depending upon the type of data lost, there could also be compliance and legal
complications. Data can be compromised through the accidental alteration of records
without a backup to restore from. The loss of an encoding key could result in the effective
destruction of critical data. Data center reliability and operational failures are yet other
avenues to create data loss or leakage. Some solutions to this issue include implementing
strong API access controls, the encryption and protection of data in transit, and the
contractual specification of cloud provider backup and retention strategies.
7. The unknown risk profile. Because functionality (e.g., the maintenance of hardware
or software) in an IaaS, PaaS or SaaS offering may be provided by the cloud provider, the
inability to understand the details of, and compliance with, needs such as security procedures,
auditing and logging may itself be a vulnerability. For instance, who has access to your data
and to the related logs that are stored? Solutions to reduce risk in this area include partial or
full disclosure by the cloud provider of infrastructure details (e.g., patch levels, firewalls), or
disclosure of applicable network intrusion logs, redirection attempts and/or successes, and
other logs or pertinent data.
Due to the sensitivity of ABC's data that is to be managed, it appears that the public cloud
may yet be too vulnerable. It is therefore recommended that ABC pursue a private cloud
deployment over a public one; an appropriate platform would need to be evaluated and
selected.
If ABC agrees that it is more appropriate to deploy a private cloud solution, then the
concern over issues with changing cloud providers becomes moot.
Dynamic Scaling
The goal of this question is to ensure that the cloud provider offers a fully scalable option
for the ERP software selected. A scalable system is one whose performance has reached
capacity but can be immediately improved through the addition of something else to the
infrastructure, e.g., more hardware, software licences or servers. Assuming that a private
cloud deployment is selected, this means that ABC's own servers would need to be fully
scalable. At this point, ABC has sufficient server capacity and resources to grow a larger
"server farm" if required. Regardless of the ERP system implemented, scalability is not a
concern in this environment.
In summary, we are able to conclude that two of the ERP solutions under review, Costpoint
and PeopleSoft, are fully supportable in a public cloud environment; however, a private
cloud would be better able to meet the security needs of ABC and is strongly encouraged.
Data can be migrated to a single application from all four of the ERP solutions being
considered, and this is a common practice for these specific application vendors. ABC can
easily support scalability with any solution selected.
Costpoint or PeopleSoft would prove the most efficient and feasible application option to
transition to a private or public cloud-based deployment. SAP would be a distant option
because it requires middleware for a cloud deployment and is therefore considered less
viable. Infor does not appear to be at a sufficiently advanced stage to be considered for a
cloud deployment option without a great deal of effort and cost.
In order for ABC to successfully implement a conversion to a single ERP application, it will
need to consider the following additional details:
Changes to Technology
As ABC converts to a single ERP application it would decommission the obsolete
systems. Assuming that ABC accepts the recommendation to utilize either PeopleSoft or
Costpoint, this means that Obtuse, SAP and Infor would become legacy systems. As the
conversion process is reviewed, decisions will need to be made as to how the data on
these systems will be preserved. There are several options; however, the most common
approach is to have all of the systems "frozen" as of a point in time and preserved so that
no further changes can be made to the data. The various applications would then be
maintained by the Finance and Administration group in the Home Office when and if
legacy financial data at the division level was needed for audit or other purposes. ABC can
then keep the legacy data on a smaller server that is accessible only through password
protection for those who have a need to know. This server can be made web accessible
so that finance-oriented staff in the various divisions may be granted access if they need
their legacy data for any purpose. If it is exposed in this way, access should be read-only,
over TLS, through individual rather than shared accounts, and logged: a shared password
alone leaves no record of who viewed the frozen data and no evidence that it is unaltered.
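One way to make the "frozen as of a point in time" condition verifiable rather than merely asserted is an integrity manifest: hash every exported file when the freeze is taken, keep the manifest somewhere the archive server's administrators cannot rewrite it (for example with internal audit, or on write-once media), and re-run the comparison before any legacy figure is relied upon. The following Python script is an added illustration written for this report; it is not code from ABC, from the ERP vendors or from the original project. The directory layout, file names and CSV contents are constructed sample data, and the function names are the editor's own.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large GL exports do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for item in sorted(root.rglob("*")):
        if item.is_file():
            manifest[item.relative_to(root).as_posix()] = sha256_file(item)
    return manifest


def save_manifest(manifest: dict, manifest_path: Path) -> None:
    # The manifest must live OUTSIDE the frozen tree and outside the archive
    # server's admin control; otherwise whoever alters the data can re-sign it.
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(manifest_path: Path) -> dict:
    return json.loads(manifest_path.read_text())


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the frozen tree against its manifest.

    Returns {"modified": [...], "missing": [...], "added": [...]}; three empty
    lists mean the freeze is intact. Added files matter too: a stray export
    dropped into the archive would otherwise pass as 'legacy data'.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def is_intact(result: dict) -> bool:
    return not any(result.values())


def demo() -> dict:
    """Constructed sample (hypothetical file names): freeze, then tamper, then re-verify."""
    with tempfile.TemporaryDirectory() as archive, tempfile.TemporaryDirectory() as vault:
        root = Path(archive)
        (root / "gl").mkdir()
        (root / "gl" / "fy2016_journal.csv").write_text(
            "date,account,amount\n2016-04-01,1001,500.00\n")
        (root / "ar_aging.csv").write_text("customer,days,balance\nC001,45,12000\n")

        # Day of the freeze: manifest written to a separate location (the 'vault').
        manifest_path = Path(vault) / "legacy_freeze_manifest.json"
        save_manifest(build_manifest(root), manifest_path)
        before = verify_manifest(root, load_manifest(manifest_path))

        # Later: a back-dated journal line is appended, an export is deleted,
        # and an unexpected file appears. All three must be reported.
        with (root / "gl" / "fy2016_journal.csv").open("a") as fh:
            fh.write("2016-04-02,1001,-500.00\n")
        (root / "ar_aging.csv").unlink()
        (root / "extra_export.csv").write_text("col\n1\n")
        after = verify_manifest(root, load_manifest(manifest_path))

        return {"before_intact": is_intact(before), "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The comparison is deliberately strict: a single appended line in a journal export changes its digest, a deleted export appears under "missing", and any file not present at the freeze appears under "added". Re-running this check is what turns the "frozen" statement into audit evidence, provided the manifest is stored where the people who operate the archive server cannot regenerate it.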
ABC will need to consider whether it is still reasonable to use Hyperion for financial
consolidation purposes, as there are so many reporting divisions whose data must be
combined to create a single financial statement for reporting purposes. Both Costpoint
and PeopleSoft are able to manage a consolidation process without having to use an
external program; however, neither system may be able to handle the volume of data
as easily as Hyperion.
All other applications are anticipated to remain intact at this time. Microsoft products such
as Excel and Access are good and useful tools to support any accounting activities. They
allow large amounts of data to be downloaded from the system for manipulation and
review, and the data can then serve as auditable backup to adjustments that are ultimately
recorded into the ERP system (e.g., documenting depreciation schedules for fixed assets,
documenting journal entries and their purpose, or meeting government reporting
requirements such as Incurred Cost Submissions).
A cloud-based solution is being contemplated at this time; however, is not critical to this
process — it is an added benefit that may provide groundwork for future improvements
and will aid in the ease of functionality with the entire ERP system.
Changes to Personnel
There will also be a requirement to train staff (all users and the IT group) on how to use
the selected ERP solution and to ensure sufficient staff are proficient in SQL reporting
queries. User training will be performed as a part of the conversion process, and training
needs and recipients will be identified by management so that an appropriate schedule may
be developed with the conversion specialist for the ERP implementation. IT staff training
for maintenance and other ERP application support should also be identified by management
and addressed prior to implementation. ABC will also need to ensure that an appropriate
number of IT staff are proficient in the implementation and maintenance of a private cloud
development and deployment. This can be accomplished through training or through the
acquisition of individuals with the necessary skill sets.
Risk Assessment of Deployment Solution and Controls Recommended

1. Security
Risk assessed: Moving a vital system into a shared environment is compelling for
customers, but building trust is not easy; providers enhance their own customer and
partner relationships by enhancing their security services. A complex application like ERP
also needs intensive set-up and management. Cloud computing does not change the
services of the ERP; it is only a delivery mechanism, and it is the solution that changes.
Controls recommended: The cloud provider can offer higher-level security per user, per
unit of storage, per unit of processing power etc., because it deals with bigger systems
and many customers. At the same time, the provider has to satisfy the service
requirements explained under the SLA earlier in this report.

4. Compliance risks
Risk assessed: Lack of legal and data protection compliance is a significant risk to
consider in the cloud model. Each country has different restrictions and requirements for
accessing sensitive data, so the cloud customer needs to pay attention to the jurisdictions
in which its data is processed.
Controls recommended: Cloud ERP needs to satisfy the standards and legislation that
apply to both cloud computing and the ERP. For example, cloud ERP providers should
meet or exceed the traditional ERP security compliance requirements such as ISO 27001
certification and SAS 70 Type II and ISAE 3402 assurance reports.
In keeping with the theme of cosmological evolution, phased rollout would be analogous to
the Steady State theory: instead of an implementation happening in a single instance, small
changes occur over time. An organization moves off the legacy system and onto the new
ERP system in a series of predetermined steps. This can be achieved in several different
ways. The most appropriate strategy for ABC will be a phased rollout by business unit. Under
this approach implementation is carried out in one or more business units or departments at
a time. For example, you begin by implementing the new ERP system in human
resources, then move to accounting. Some organizations may put together an
implementation project team that travels between each department during implementation
phases. As the team gains more experience with each implementation, subsequent phases
become more efficient.
1. Define your ERP strategy around your company’s core business needs
The first step in any ERP implementation is to identify your company’s needs and
business objectives accurately. Start by finding and documenting the critical business
processes, inflection points and key performance indicators (KPIs). This will help you
identify the right ERP solution, and need for specialists or additional services to manage
this transition. Before you begin to implement, you must have a complete plan or
roadmap in place. You must be able to clearly define your expectations from the ERP
system and the benefits you want for your organization. As Gartner puts it, “The most
successful ERP projects support strategic business objectives and goals. This helps to
ensure the right level of executive involvement to support the major business changes that
enterprises demand.”
An ERP system impacts the entire business cycle, so it is advisable to involve all the
stakeholders in the initial stages of discussion. This will ensure that there are fewer
bottlenecks and arguments down the road, giving you more time to focus on the critical
tasks. Even after your system is configured, you would need to train your employees on
how to use the new program. User ‘buy-in’ is the most critical factor for the success of any
ERP program. You could engage a group that specializes in onsite training or prepare your
IT team to handle the day-to-day tech problems and user requirements.
Make sure there is sufficient awareness about the need and scope of the new ERP system,
and that employees are able to extract maximum benefits from it. Before you even begin
the deployment process, it is important that employees have sufficient knowledge about the
new system and are convinced about using it for their respective business functions.
Testing is a very critical step that is often overlooked. Several weeks of parallel testing is
recommended for the success of any ERP program. It is crucial that your daily work is
processed on your old system and also on your new system before going live so that
everyone knows their new roles and responsibilities and questions/issues can be addressed
without the added pressure beforehand. Testing will not only help in ironing out any
obstacles on the path, but will also help in gaining employee confidence that is very
important for the success of any program.
Once your system has been configured, tested and your employees have been trained, it’s
time to ‘go live’ or activate your ERP system. Before you finally go live on the program,
make sure you are fully prepared to take on the new system. A well-prepared and clearly
defined implementation strategy can go a long way in ensuring the success of any ERP
system.
Our review of security and access controls at the IT Environment as reviewed by us and as
implemented in ABC using Unix, Oracle and FALPS confirms that appropriate security and
access controls have been implemented by using related functions and features of the
packages. Our test checks have revealed that systems of security and controls are reliable.
However, there are some areas where controls need to be strengthened and these are
given in annexure.
Our review of business process validations and data integrity controls covering all the core
functions of ABC as facilitated by FALPS such as interest computation, allocation and
aging, confirms that all related data have been duly captured, processed and stored
correctly and completely subject to some transaction data not available pertaining to
previous years. However, there are also missing data in master tables
which impact the MIS and statements of accounts. The issues which have come to our
notice during the process of our review are given in the annexure.
Further Action
We consider that the recommendations given in the annexure to this report would be very
useful for facilitating business process controls of ABC and will aid in improving the
effectiveness of the FALPS package and computer operations. We would like to affirm that the
matters included in this report are those which came to our notice during our review by
following normal Information System audit procedures and by complying with globally
applicable Information Systems Auditing Standards, Guidelines and procedures that apply
specifically to Information Systems Auditing issued by the Information Systems Audit and
Control Association, USA, and the Security and Control Practices as outlined in COBIT 5
issued by ISACA, as adapted to ABC operations for review of application software and
implementation audit. Further, on account of limitations of scope and time, we have used a
sample test and test check approach. Hence, certain areas which are outside the scope of
this review, such as source code review, implementation controls and general controls
specific to branches, are not covered.
Summary/Conclusion
The goal of this proposal was to determine if it was reasonable for ABC to move to a cloud
based ERP application Wilson's On Cloud Solution (WOCS) - Standard Version' in order to
improve operational efficiencies, reduce IT costs related to ERP systems, and improve
insight into the financial management aspects of the company for improved strategic
planning and performance monitoring.
This review has established that a reduction in maintenance costs would be highly likely, yet
a full assessment of current costs against the maintenance costs of a single solution remains
necessary to fully recognise the scope of that saving. This white paper cannot adequately
address a true cost saving until management approaches the two recommended providers,
Oracle (PeopleSoft) and Deltek (Costpoint), and obtains their quotations. Regardless,
we have established that moving to a single ERP application will reduce the required level of
IT support at the divisional and corporate level by approximately one third, which
allows for a cost saving. Again though, until a final solution is selected by management,
the full significance of this saving cannot be firmly established.
Moving to a single ERP solution, 'Wilson's On Cloud Solution (WOCS) - Standard Version',
will allow all divisions to function from a common ERP platform and will remove the need
to perform many of the accounting and operational functions outside of the system. This
ensures that management has immediate and relevant access to meaningful data that is
system driven, immediate and on demand, instead of having to wait for somebody to
"manipulate" the data into a format that may or may not be truly accurate depending upon
the human error factor.
We have demonstrated that a strong cost savings potential exists as well as a definite
ability to meet the greater need of improving operational functionality and management
decision-making capabilities should ABC migrate to a single ERP solution 'Wilson's On
Cloud Solution (WOCS) -Standard Version'. The determination to place an ERP solution
into a cloud environment remains an open item in terms of cost savings; however, it is
clear that a reduction of IT department infrastructure can be realized with a move from a
decentralized IT department structure to one that is centralized.
Summary of Recommendations
Retain system analysts and appropriate subject matter experts to review the
options provided by migration to the full ERP solution offered by Oracle's PeopleSoft or
Deltek's Costpoint applications and to determine which solution provides the greatest value
to ABC and if a cloud-based platform is appropriate at this point. In addition, review
whether migration to a private cloud-based environment is a reasonable consideration to
pursue in conjunction with migration to a single ERP solution.
Review legacy systems to determine best solution for preservation of data, access
requirements and access protocols.