
Project Report

Of

Migrating to Cloud based ERP solution

DISA 2.0 Course


CERTIFICATE
Project Report of DISA 2.0 Course

This is to certify that we have successfully completed the DISA 2.0 course
training conducted at: ICAI Jaipur from 6th May 2017 to 4th June 2017 and we
have the required attendance. We are submitting the Project titled: Migrating to
Cloud Based ERP Solution.

We hereby confirm that we have adhered to the guidelines issued by CIT, ICAI
for the project. We also certify that this project report is the original work of our
group and each one of us has actively participated and contributed in preparing
this project. We have not shared the project details or taken help in preparing
the project report from anyone except members of our group.

SR.NO. NAME DISA NO. SIGNATURE

1. Vinay Kumar Sharma 51004

2. Vikas Jain 1000209

3. Vivek Soni 1000069

4. Yatendra Agarwal 50604

Place: Jaipur

Date: 17-Jun-2017

Table of Contents

Details of Case Study/Project(Problem)

Project Report (Solution)

1. Introduction

2. Auditee Environment

3. Background

4. Situation

5. Terms and Scope of assignment

6. Logistic arrangements required

7. Methodology and Strategy adapted for execution of assignment

8. Documents reviewed

9. References

10. Deliverables

11. Format of Report/Findings and Recommendations

12. Summary/Conclusion

Project Report
Title: Migrating to Cloud based ERP Solution

A. Details of Case Study/Project (Problem)

ABC Automobile Ltd. (Auditee) makes luxury buses in south India. It is well equipped with
total infrastructure, has kept pace with changing technology and produces really
high quality buses. They are currently using a stand-alone accounting and inventory package
which has limited functionality. They have aggressive business growth plans and found
that the current software solution cannot meet their future requirements.

ABC Automobiles have decided to migrate to ‘Wilson’s On Cloud Solution (WOCS) -
Standard Version’, a robust full suite of ERP developed using Wilson Virtual Works, a state
of the art software engineering and delivery platform. WOCS is expected to enable ABC to
reap the benefits of the solutions with “Built in Best Practices” together with a highly
“Flexible Framework” to ensure solution alignment to “dynamic business requirements” of
ABC.

The WOCS solution has standard product features which cannot be modified except based
on the methodology followed by Wilson, and the customer has to use the existing product
without any changes. As a part of the Software as Service (SAS) development model,
WOCS will not make any changes in the data entry screens/processes as per individual
customer needs.

B. Project Report (solution)

1. Introduction

The Auditee is engaged in the business of making luxury buses in South India. The
company has more than 300 employees spread across the head office, which is in Chennai,
and 4 branch offices, which are in Coimbatore, Mysore, Bangalore and Cochin. The
Finance and accounts department has more than 40 employees. The auditee is a public
limited company founded by its Chairman Mr. R. Venkateshwar, who is an M.B.A. from a
very reputed institution. A visionary man, he has taken this company to great success.
The company has aggressive growth plans and wants to expand its operations across
India, but the current software packages are stand-alone and non-integrated, and there is
extensive documentation maintained. The company is now largely managed by its M.D.
Mr. T. Venkateshwar, who is also the son of Mr. R. Venkateshwar, a B.Tech. and M.B.A.
from one of the finest and superior institutes of the world.

The Auditee is currently using an ERP package which includes stand-alone accounting and
inventory packages with limited functionalities, which is not sufficient keeping in view the
company’s expansion plans.

Technology is changing and developing faster than ever before, and every day people are
faced with new tools and services in their daily life. Cloud ERP is an approach to enterprise
resource planning (ERP) that makes use of cloud computing platforms and services to
provide a business with more flexible business process transformation. Cloud based ERP
benefits customers by providing application scalability and reduced hardware costs.

So the company has decided to migrate to ‘Wilson’s On Cloud Solution (WOCS) -
Standard Version’, a robust full suite of ERP developed using Wilson Virtual Works, a state-
of-the-art software engineering and delivery platform. WOCS is expected to enable ABC to
reap the benefits of a solution with “built-in best practices” together with a highly “flexible
framework” to ensure solution alignment to “Dynamic Business Requirements” of ABC.

However, the constraint is that most of the staff are not computer savvy and have limited
knowledge of using computers. For this, the young MD of the company who has taken
charge is confident of training employees and implementing the proposed ERP solution.
Further, the cost consideration based on model implementation of 10 user license shows
cost benefit analysis and justification for the investment. The vendor is expected to provide
one week training to employees so that they configure and implement the solution as per
their specific business processes.

The Business policies and procedures to be followed are divided into 4 sections:

a) Foundation Discipline: - It discusses the ERP database and required procedures to
support the maintenance and updating activity with respect to key data elements
such as inventory, bill of material structures, routings and open orders.
b) Modules of ERP: - It documents those policies and procedures which are required to
operate an ERP system on an on-going basis. It documents the functions with
respect to sales forecasting, material requirements planning, purchasing etc.,
including the measurements which will be put in place to ensure successful Class
‘A’ ERP operations.
c) ERP Project: - It discusses the policies and procedures which are required during the
implementation phase with respect to areas such as education, documentation and
the project control plan.
d) Responsibility Index: - It will cross reference all of the policies and procedures to the
respective departments that would need to use some or all of those procedures in
their daily operations. These departments would include such areas as finance,
material management and ERP project team.

Although each document is referred to as a procedure, the documents truly represent a
combination of policies, procedures and documentation. This policy and procedure manual
is a part of the total documentation for this cloud based ERP system.

In the above referred scenario, we, M/S SRN & Associates, Chartered Accountants, have been
appointed to perform risk assessment of the deployment solution, to provide assurance on
the reliability and practical implementation of the solution and to perform cost benefit analysis
of the solution.

We at SRN have expertise in performing IS Audits. We are in total a firm of 10 partners,
of whom more than five partners are DISA qualified and 3 partners are CISA. We have an
experience of around 10 years in conducting IS Audit and around 3 years in assistance in
reviewing cloud system ERP for various clients.

This particular assignment shall be carried out by one of our senior partners, CA DK Khandelwal
(FCA, CISA, DISA), along with our other partner CA KK Jain (ACA) and 5 article assistants.

2. Auditee Environment

The Auditee, as specified above, makes luxury buses for its customers in South
India and is a limited company headed by its M.D. Mr. T. Venkateshwar. The auditee presently
has a stand-alone accounting and inventory package ERP for its head office and its 4
branches, which is not sufficient given the business’s growth plans.

The Finance and accounts department has more than 40 employees and current software
packages are stand-alone, non-integrated and there is extensive documentation
maintained. They have aggressive business growth plans and found that the current
software solution cannot meet their future business requirements.

ABC Automobiles have decided to migrate to 'Wilson's On Cloud Solution (WOCS) -
Standard Version', a robust full suite of ERP developed using Wilson Virtual Works, a
state-of-the-art software engineering and delivery platform. WOCS is expected to enable
ABC to reap the benefits of a solution with "built-in best practices" together with a highly
"flexible framework" to ensure solution alignment to "Dynamic Business Requirements" of
ABC. The WOCS solution has standard product features which cannot be modified except
based on the methodology followed by Wilson, and the customer has to use the existing
product without any changes. As a part of the Software as Service (SAS) development
model, WOCS will not make any changes to the data entry screens/processes as per
individual customer needs.

Wilson Solutions provides a single version of the product at any point of time. All product
feature upgrades and updates shall be made available as a part of the standard offering.
Basically the requirements are market driven and will be prioritized based on various criteria like
statutory needs, best business practice, key business process etc. As a practice,
upgrades are provided once a month. The scope of the project includes implementation
of Wilson ERP on Cloud - Standard Version for Legal Entities of ABC for the below
modules within the available product features of Wilson ERP on Cloud - Standard Version.
The modules included in the scope are:

Sales & Shipping Management

Accounts Receivable Management

Purchase Management

Accounts Payable Management

Financial Accounting

Management Accounting

Management Information System

Fixed Asset Management

Inventory Management

Service Management

Sales Opportunities Management

Discrete Production

Maintenance Management

HR & Payroll

The following security policies are present in the deployed technology...

Physical security

Even a cloud application and data must be located somewhere. The physical surroundings
of the software and data are an important component of a business continuity plan as well
as a software security plan. A physical security breach means that somebody with
malicious intent has physical access to the hardware where either your application is
running or where your data is stored.

If other forms of security are in place, a physical security breach will not result in loss of
data. However, if the intruder's intent is to disrupt your service, then a lapse in physical
security will be a problem. Part of your business continuity plan should include a solid
physical security plan. When applications and data run in an external cloud, the physical
environment is located off-premise. In most cases physical security in a tier 1 datacenter
is many times better than that in an office building or an internally run server room. All
building access is logged, cameras are in place, and cleaning people are not generally
milling about after hours. State of the art authentication technologies (fingerprint, ID badge,
retina scans) are often implemented. SaaS applications are run by administrators who are
employed by the software vendor or cloud provider and not the company who purchased
the ERP software. The quality and reliability of administrators depends more on the
resources and focus than the employer.

Transmission Security

When data is communicated between the user, the server, and the database, there is a
chance that transmissions can be intercepted. An easy way to prevent this involves
encrypting all communications between source and destination. However, encryption
comes at a cost to performance. If you spend too many processing cycles encrypting and
decrypting data, you will have to purchase more expensive hardware or endure delays.

There are several types of security algorithms that are used to protect communications.
The underlying idea is that sensitive or private data is scrambled using an encryption key
and a data encryption algorithm. The data cannot be read or deciphered without the
decryption key. The decryption key can be the same as (symmetric) or different from
(asymmetric) the encryption key. Once scrambled, the data is sent to its destination. If intercepted,
the data can only be reconstructed by using an algorithm that tries to guess the decryption
key, a process that takes many years using powerful computers. When the scrambled
data arrives at its destination, the receiving party knows the proper decryption key by
querying a key master or certificate authority. Several common algorithms include RSA,
Secure Socket Layer (SSL), Data Encryption Standard (DES), and Triple DES. An explanation
of these algorithms is beyond the scope of this post but is well documented elsewhere.

Applications running in an external cloud require passing data between the cloud and the
user location. Frequently this occurs over the Internet and over wireless networks.
Furthermore, client machines are mobile (access from anywhere being a big advantage of
the cloud) so processing power and bandwidth may be at a premium. Web-based systems
utilize a browser on the client device and take advantage of SSL encryption to protect all
communications with the server. The SSL algorithm is supported by all major browsers and
encapsulates application-specific protocols like HTTP to form HTTPS so no one can hijack
a session or read the data. SSL requires negligible computing overhead and is acceptable
security for banking, health care, and other sensitive industries.
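
As an added illustration of the transmission security point above (not part of the original report, and not the vendor's code): SSL, DES and Triple DES named above are legacy choices that a reviewer would flag today, so this Python example builds a client context that refuses anything below TLS 1.2 and grades observed protocol/cipher pairs. The host names and observation rows are constructed sample data; the function names are assumptions made for the example.

```python
import socket
import ssl

# Protocol versions and cipher-name fragments a reviewer would flag today.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("DES", "RC4", "NULL", "EXPORT", "MD5")  # "DES" also matches 3DES suites

# Constructed sample observations: (host, negotiated protocol, cipher suite).
SAMPLE_OBSERVATIONS = [
    ("erp.example.test", "TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ("legacy.example.test", "SSLv3", "DES-CBC3-SHA"),
    ("branch.example.test", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("old-api.example.test", "TLSv1", "AES128-SHA"),
]


def hardened_client_context():
    """Client context that verifies the server certificate and refuses < TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def assess(protocol, cipher):
    """Return the list of findings for one negotiated protocol/cipher pair."""
    findings = []
    if protocol in WEAK_PROTOCOLS:
        findings.append(f"deprecated protocol {protocol}")
    for marker in WEAK_CIPHER_MARKERS:
        if marker in cipher.upper():
            findings.append(f"weak cipher component {marker} in {cipher}")
    return findings


def weak_endpoints(observations):
    """Map each host that has at least one finding to its findings."""
    report = {}
    for host, protocol, cipher in observations:
        findings = assess(protocol, cipher)
        if findings:
            report[host] = findings
    return report


def observe(host, port=443, timeout=5.0):
    """Handshake with a live endpoint; return the (protocol, cipher) negotiated."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    for host, findings in weak_endpoints(SAMPLE_OBSERVATIONS).items():
        print(host, "->", "; ".join(findings))
```

A handshake through `observe()` fails outright against a server that only offers SSLv3 or TLS 1.0, which is itself the audit finding.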

Some folks ask about SOAP and how that differs from HTTPS. HTTPS helps you
communicate between browsers and servers, but SOAP provides secure communications
between applications. SOAP encapsulates additional data in the form of XML so cloud
applications can communicate more efficiently than if they were required to send a series
of HTTP requests.

Storage security

When ERP data is accessed by users, business logic restricts access to users
with the proper credentials (see section on application security). But suppose a network
administrator has access directly to data in the database. In this case, the data could be
viewed without going through the business logic.

To protect against this vulnerability, sensitive data should be encrypted when it rests in the
database or in a file system. This prevents direct access and ensures that all data is only
accessed via the application logic. The application knows how to decrypt the data, so a
legitimate user will not be impacted.

As with transmission security, the encryption and decryption processes create processing
overhead, so non-sensitive data should be stored in the clear to minimize costs.
Additionally, make sure that any required data indexing is not broken in the encryption
process.

In cloud systems, data is stored in a remote location on servers maintained by a cloud
provider. The cloud provider should have procedures in place to ensure that there is no
direct snooping into client data. But somebody has to be responsible for database
administration, and usually this person is not employed by the client. The ability to pick and
choose fields to encrypt on the database is important to provide protection without
adversely impacting performance.

Access Security

Access (or perimeter) security is important for preventing unwanted users from grabbing
resources and sending unauthorized queries to your servers. Usually this is accomplished
through the use of firewalls that prevent unwanted traffic from communicating with your
business applications. Lack of access security could impact your application availability (in
the case of a denial of service attack) and provide hackers with a way in to make it easier
to steal resources or passwords.

There are many types of firewalls ... network level firewalls (fast inspection of IP, port, and
service in the packet headers), circuit level firewalls (monitor sessions between
computers), application level firewalls (inspect data content to protect against viruses and
intruders), network address translation devices (NAT — assigns private IP addresses that
cannot be reached from outside the network), and proxy servers (application level firewall
that mediates transactions between computers).

Network and circuit level firewalls can be implemented in an appliance or as software.
Application level firewalls are most frequently implemented as software to allow for specific
configuration requirements.

Additional details of perimeter security devices are well documented elsewhere.

Cloud systems should be protected by perimeter security just as you would protect any
on-premise application. Verify that your cloud provider has firewall protection in place to
prevent intruders and denial of service attacks. A multi-tenant cloud application is slightly
different because by definition, multiple users are accessing the same application code
and the same resources. In this case, processes must be in place to ensure that bad
things do not happen to customer A if customer B's application is compromised.

Data security

Data security limits access to data objects to specific individuals. Different levels of data
security include read-only, edit, insert, and delete. Data security can be set at the
application or object level.

Data security for ERP systems may be enforced through business logic or at the database
layer. In most cases the business logic authenticates users and provides them with specific
rights to data objects. This means that authenticated users gain access to objects based
on specific capabilities assigned by the system. For example, a sales person may have
read-only access to product information so he cannot change the
pricing/margins/commissions associated with the product. A sales person may have
access to customer records that he manages, but not have access to customers managed
by others. To simplify management, systems offer role-based security so administrators
can assign broad security policies to specific individuals. Accounting, marketing, sales,
shipping, and management roles can be established and assigned to individual
employees. Employees that perform more than one role can receive multiple policies. By
assigning roles, administrators can change security for many people at once without the
responsibility of changing individual records.

Most data security is limited to data access. Once a user gains access to specific
information, screens, or reports, the information can be downloaded and shared with
others. Digital rights management goes one step farther by "wrapping" data objects with
rights that follow the object no matter where it goes. In this case, users can forward the
encrypted data, but that data cannot be viewed or changed unless the recipient can be
verified.

Data security in cloud applications is similar to traditional applications. Once individuals
gain access to the system, the business logic controls the specific capabilities that
individual users can perform on different objects. In some types of multi-tenant SaaS
applications, database level security may be utilized as an additional measure to separate
data objects from different companies.
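
The role-based model described in this section, as an added Python example (not part of the original report and not WOCS code): a default-deny check that combines the rights of several roles, limits a salesperson to the customers he manages, and enforces the tenant boundary before any role is consulted. The role names, policy table, users and records are constructed for illustration.

```python
import copy
from dataclasses import dataclass

# Constructed role policy: role -> object type -> permitted actions.
ROLE_POLICY = {
    "sales":      {"product": {"read"}, "customer": {"read", "edit"}},
    "accounting": {"customer": {"read"}, "invoice": {"read", "edit", "insert"}},
    "management": {"product": {"read", "edit"}, "customer": {"read"}, "invoice": {"read"}},
}
# (role, object type) pairs whose grant covers only records the user manages.
OWNER_SCOPED = {("sales", "customer")}


@dataclass(frozen=True)
class User:
    name: str
    tenant: str
    roles: frozenset


@dataclass(frozen=True)
class Record:
    kind: str
    tenant: str
    owner: str = ""


def is_allowed(user, action, record, policy=ROLE_POLICY):
    """Default deny: some role must grant the action, inside the user's own tenant."""
    if user.tenant != record.tenant:
        return False  # tenant boundary comes first; no role can cross it
    for role in user.roles:
        granted = policy.get(role, {}).get(record.kind, set())
        if action not in granted:
            continue
        if (role, record.kind) in OWNER_SCOPED and record.owner != user.name:
            continue  # this role grants the action only on the user's own records
        return True
    return False


def visible(user, records, policy=ROLE_POLICY):
    """Filter a result set down to what the user may read."""
    return [r for r in records if is_allowed(user, "read", r, policy)]


def revoke(policy, role, kind, action):
    """Return a new policy with one right removed from a role (affects every holder)."""
    updated = copy.deepcopy(policy)
    updated.get(role, {}).get(kind, set()).discard(action)
    return updated


# Constructed users and records.
ASHA = User("asha", "abc", frozenset({"sales"}))
RAVI = User("ravi", "abc", frozenset({"sales", "accounting"}))
OUTSIDER = User("lee", "other-co", frozenset({"management"}))
PRICE_LIST = Record("product", "abc")
ASHA_CUSTOMER = Record("customer", "abc", owner="asha")
RAVI_CUSTOMER = Record("customer", "abc", owner="ravi")

if __name__ == "__main__":
    for user in (ASHA, RAVI, OUTSIDER):
        rows = visible(user, [PRICE_LIST, ASHA_CUSTOMER, RAVI_CUSTOMER])
        print(user.name, "can read", [(r.kind, r.owner) for r in rows])
```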

Application security

Application security encompasses two major areas — the way the application
authenticates and manages users and the way in which application code is managed.

User Authentication

User authentication usually involves username and password to identify legitimate
users. User identity is critical not only for establishing identity, but also to ensure
security of data.

3. Background

The Auditee is currently facing the problem of an ERP which has limited functionalities. The
company has aggressive growth plans and found that the current software solution cannot
meet their future business requirements.

The management have decided to migrate to ‘Wilson’s On Cloud Solution (WOCS) –
Standard Version’, a robust full suite of ERP, a state-of-the-art software engineering and
delivery platform.

In this regard the auditee has appointed M/S SRN & Associates to conduct an IS Audit on
the reliability and practical implementation of the new ERP solution. Further, auditors are
required to perform a risk assessment of the proposed solution and also to provide specific
risk management strategy to be adapted covering security, performance and business
value.

Auditors also have to recommend key controls to be implemented, and cost and benefit
analysis is also to be done with comparison to Capex and Opex for the current and
proposed solution.

4. Situation

The Auditee is currently using an ERP system which provides stand-alone accounting and
inventory packages which have limited functionalities. The company has aggressive growth
plans for which the current software solution is not enough. The company’s finance and
accounts department has more than 40 employees, and current software packages are
stand-alone and non-integrated and extensive documentation is maintained. So it has
been decided by the management to migrate to cloud based ERP.

The proposed Wilson’s solution provides a single version of the product at any point of
time. All product feature upgrades and updates shall be made available as a part of the
standard offering. Basically the requirements are market driven and will be prioritized based
on various criteria like statutory needs, best business practice, key business process etc.
There are 14 modules included in the scope such as sales & shipping management,
accounts receivable, purchase, HR & Payroll, etc.

Moreover, the current staff is not computer savvy and has limited knowledge of using
computers, but the young MD has taken charge of training employees and the cost
consideration based on model implementation of 10 user license shows cost benefit
analysis and justification for the investment. So seeing these current problems and the
benefits of the cloud based solution it has been decided by the management to migrate to
cloud based ERP. The proposed solution also provides complete applications which are
sold on a subscription model for a specific period. This model provides the capability to
use the provider’s applications running on cloud infrastructure. The applications are
accessible from various client devices through a thin client interface such as a web browser.
This brings in saving to ABC Automobiles as there is no need to buy licenses for running
programs on their own computers. The software solution is accessible using existing
computers.

5. Terms and Scope of assignment

Areas being reviewed are as follows:

Criticality of application being sent to the cloud.

Outsourcer’s experience with SLA and vendor management.

Cloud vendor’s policy on vulnerability management – reporting, commitment to
following up, promptly responding to reports etc.

Information systems audit of all/any aspect of security policy, business continuity,
environmental access, physical access, logical access and application security.

Compliance with enterprise policy, procedures, standards and practices as
relevant.

Compliance with regulations as applicable.

Provide management with an assessment of impact by implementation of Wilson's
on cloud solutions, security policy and procedures and their operating effectiveness.

Identify internal control and regulatory deficiencies that would affect the
organisation.

Identify information security control concerns that could affect
the reliability, accuracy and security of enterprise data due to weaknesses in
the package solutions offered by the vendor.

The Review will focus on the following risks:
a) The dependency level on the vendor.
b) If the computing services fail, will the users be unable to access the
programs or data?
c) Can the computing services lose the auditee's data?
d) The risk of increased complexity of compliance with laws and regulations.
e) Whether information retrieval, when required, is done without delays.
f) In case of disaster, information may not be immediately located.

6. Logistic arrangements required

In order to obtain assurance that the data processed by the system is complete, valid and
accurate and is giving the desired results, computer assisted audit techniques (CAAT) shall
be used.

Computer Assisted Audit Techniques (CAATs) are computer based tools which help us in
carrying out various automated tests to evaluate an IT system or data. These are very
useful where a significant volume of auditee data is available in electronic format. CAATs
provide a greater level of assurance as compared to other techniques, especially manual
testing methods.
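
One CAAT-style test of the kind described above, as an added Python example (not part of the original report): it reconciles a legacy ledger extract against the same period read back from the cloud ERP, checking completeness (missing or unexpected vouchers), validity (duplicates) and accuracy (control totals and per-record fingerprints). The column names and both extracts are constructed sample data.

```python
import csv
import hashlib
import io
from decimal import Decimal

# Constructed extracts: the legacy package export and the cloud ERP read-back.
LEGACY_CSV = """voucher_no,date,account,amount
1001,2017-04-01,SALES,15000.00
1002,2017-04-01,PURCHASE,7250.50
1003,2017-04-02,SALES,9800.00
1004,2017-04-03,PAYROLL,42000.00
"""
CLOUD_CSV = """voucher_no,date,account,amount
1001,2017-04-01,SALES,15000.00
1002,2017-04-01,PURCHASE,7520.50
1004,2017-04-03,PAYROLL,42000.00
1004,2017-04-03,PAYROLL,42000.00
"""


def load(text):
    """Parse a CSV extract into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def fingerprint(row):
    """SHA-256 over a canonical form, so 7250.5 and 7250.50 compare as equal."""
    amount = Decimal(row["amount"]).quantize(Decimal("0.01"))
    canonical = "|".join(
        [row["voucher_no"], row["date"], row["account"].strip().upper(), str(amount)]
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def reconcile(source_rows, target_rows):
    """Compare source and target extracts and return the audit exceptions."""
    source = {r["voucher_no"]: r for r in source_rows}
    target, duplicates = {}, []
    for row in target_rows:
        key = row["voucher_no"]
        if key in target:
            duplicates.append(key)      # same voucher loaded more than once
        else:
            target[key] = row
    common = set(source) & set(target)
    return {
        "source_count": len(source_rows),
        "target_count": len(target_rows),
        "source_total": sum(Decimal(r["amount"]) for r in source_rows),
        "target_total": sum(Decimal(r["amount"]) for r in target_rows),
        "missing": sorted(set(source) - set(target)),      # completeness
        "unexpected": sorted(set(target) - set(source)),   # completeness
        "duplicates": duplicates,                          # validity
        "altered": sorted(k for k in common
                          if fingerprint(source[k]) != fingerprint(target[k])),  # accuracy
    }


if __name__ == "__main__":
    for name, value in reconcile(load(LEGACY_CSV), load(CLOUD_CSV)).items():
        print(f"{name}: {value}")
```

In this sample the record counts agree even though one voucher is missing, one is duplicated and one amount has changed, which is why a count comparison alone is not sufficient evidence of a complete migration.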

Further, boarding and lodging arrangements are required for the audit team to conduct the desired audit.

7. Methodology and Strategy adapted

A) Assessing the Adoption and its Business Impact: - Once a company achieves go-live
with its Enterprise system, it’s important to monitor new process adoption and impact on
business performance. The process of comparing and assessing baseline and post-
implementation performance measures has been carried out. A gap analysis is useful for
comparing expected deliverables versus project results. It’s also important to consider
employee transition to the new system. Our methodology incorporates steps for effective
knowledge transfer and overall support to change management.

B) Considering Satisfaction of Stakeholders: - Querying the stakeholders including
employees, managers, the IT department, customers and vendors about their satisfaction
with the new system, and the system’s impact on customers’ and vendors’ interactions with
the business.

C) Reviewing Costs versus Benefits: - Once a comprehensive review of the project is
completed, it’s time to analyze actual versus projected costs and benefits. Cost
escalation is one of the most common problems with ERP implementations. We know that
many ERP providers charge additional fees for separate modules and add-ons. It’s one of
the primary reasons cost escalation occurs. With Trek Cloud, your risk of cost escalation is
substantially reduced because the system is all-inclusive: there are no separate modules or
add-on features to buy. We know how intertwined your business processes are, which is
why we provide a comprehensive system to all our customers.

D) Risk Analysis: - Considering the following risks associated with implementation of
cloud based ERP software:-

Dependence upon the third parties wherever third party services are used.

Computing services do fail, leaving users unable to access programs or data.

Computing services can lose customer data.

Increased complexity of compliance with laws and regulations.

The dynamic nature of cloud computing may result in confusion as to where
information actually resides. When information retrieval is required this may create
delays.

Due to the dynamic nature of cloud, information may not immediately be located in
the event of a disaster.

After risk analysis, assessing the probability that the risks identified will materialize together
with their likely effect and documenting the risks along with the controls that mitigate these
risks. Inclusion of most likely source of threats- internal as well as external sources- such
as hackers, competitors and alien governments.

E) Audit Objectives: - Review of security areas, such as:-

Communications (covering risks such as sniffing and denial-of-service, and
protocols such as encryption technologies and fault tolerance)
Network architecture
Virtual private network
Application delivery
Security awareness
User administration
User and session administration (covering risks such as hijacking, spoofing, loss of
integrity of data)
Physical security
Public key infrastructure
Backup and recovery procedures
Operations (such as incident response and back-office processing)
Technology architecture (such as feasible, expandable to accommodate business
needs and usable)
Security architecture
Security software (such as IDS, firewall and antivirus)
Security administration
Patch deployment
Business contingency planning

F) Work Plan:- It includes the following

Based on the information obtained and the scope and objectives of the
engagement, we shall document the way business security and IS objectives (when
applicable) are affected by the identified risks and controls that mitigate those
risks.
In this process we shall evaluate areas of weakness or vulnerabilities that need
strengthening. New controls identified as mitigating the risks considered shall be
included in a work plan for testing purposes.

8. Documents reviewed

User Manuals and Technical Manuals relating to System Software and ERP.
Organization chart outlining the organization hierarchy and job responsibilities.
Access to circulars & guidelines issued to employees.
Access to user manuals and documentation relating to ERP Implementation by
ABC Automobiles Ltd.
Any other documentation as identified by us as required for the assignment.
Security policy document relating to system.
Audit Findings documents.

9. References

Best practices relating to internationally accepted standards for IS Audit: COBIT
(Control Objectives for Information and Related Technology), issued by the
Information Systems Audit and Control Association, USA, COSO framework etc.
Best practices relating to security policy
Best practices relating to confidentiality policy
CAAT tools
Information Systems Audit and Control Association - IS Auditing Guidelines
Information Systems Audit 2.0 Course – Volume I – Module 1 – Chapter 3 Part 1 –
Cloud and Mobile Computing
Information Systems Audit 2.0 Course – Volume 1 – Module 2 – Chapter 2 – IS Audit
in Phases

10. Deliverables

1. Draft Report including executive summary of the result of the review along with the
findings and recommendations, with risk analysis of findings.

2. Final Report incorporating Management Comment and agreed priority plan of action
based on exposure analysis.

3. Soft or hard Copy of Checklist used for the audit.

4. Soft or hard Copy of Audit Methodology and documentation

11. Format of Report/ Findings and Recommendations

Objectives of the Assignment

The primary objective of this Information Systems Audit assignment was to provide
assurance to the management of ABC Limited (ABC) on the availability,
appropriateness and adequacy of controls in the critical operations and transaction
processing, capex and opex through review of the control framework of their
in-house package - critical operations and transaction processing, review of logical
access controls of critical operations and transaction processing, capex, opex,
and to conduct an implementation audit of General Controls at 2 select branches with specific
emphasis on implementation of controls.

Proposed Scope of Review/Terms of Reference


Based on understanding of ABC's needs for conducting systems audit the major
questions to be answered in determining which ERP system to select are:
1. What is the return on investment of a cloud environment versus an in-house
hosted solution

2. What is the total cost of ownership for each system under each option
(cloud based if available versus in-house hosted)

3. Will additional hardware be necessary to operate in a cloud environment versus


an in-house hosted one with remote access

4. Is a vertical vendor such as Deltek (oriented towards a specific industry) more


desirable than a more generic vendor such as SAP (works across multiple industries and
has a broad client base in many countries)

5. Can the ERP system manage the level of seats required for functionality

6. Ease of data migration from one system to another (e.g., will data integrity
remain intact, can data be migrated easily or will it require manual efforts)

7. Understanding any unique requirements at a country and site level and


ensuring that these needs can be met by the selected system

8. Which system offers the greatest capability for ABC's needs with the least
amount of customization

9. What is required for implementation and what type of support does the
vendor offer

10. Who will actually be doing the implementation (e.g., does the vendor have its
own in-house implementation team or do they subcontract this out)

11. How flexible is the system and how easily can it be modified to meet
changing business needs

12. Are there any other business processes that can be improved through the
implementation of one ERP system over another

Given this set of issues to be resolved, the recommendations for an ERP system in a
cloud solution or in-house solution are as follows:

1. Hire an experienced system analyst and other appropriate SMEs to aid in the
review of ERP options and the analysis of unique requirements

2. Have each of the four vendors provide a proposal and a demonstration of their
system capabilities

3. Down select to two vendors, provide them with a script that contains all of the
business processes the system must encounter in a day and have them provide a proof of
concept.

Audit Findings/Recommendations:

ABC must perform further research to determine if it should install an on-site ERP
application or if it should look to a cloud-based solution (client-server versus a web-based
solution in a public or private cloud deployment). We will address factors that should be
reviewed and addressed as a part of this determination process and discuss how these
might impact the four ERP solutions being considered: Oracle's PeopleSoft,
Deltek's Costpoint, SAP and Infor.

Audit team identified several basic areas to address when considering whether a
cloud solution is reasonable:

1. Is your application a web application?

2. Is your application native .NET/Java?

3. What database type do you use?

4. What kind of management/monitoring tools do you use on your
application?

5. What security risks would a cloud deployment reveal?

6. Will you be able to move between cloud providers? Are you "locked into" a
specific provider after the application is deployed?

7. Are you able to scale dynamically?

Web Application

The question being considered is whether the application in question is a web application.
We have already established that only two of the four software solutions being considered
by ABC are fully web compatible: Deltek's Costpoint and Oracle's PeopleSoft. IBM's
WebSphere Cast Iron Cloud Integration solution (Cast Iron) offers a configuration-based
solution for data migration and application integration of the SAP solution in lieu of
requiring the writing of potentially complex code and it requires no middleware. Cast Iron
indicates that it can integrate with BaaN; however, BaaN no longer truly exists and was
integrated into the Infor ERP solution. It is unclear whether Cast Iron can support Infor as it
currently exists, which may mean that a source would need to be found so that code could
be written. Since cloud providers are clearly offering Costpoint and PeopleSoft on the web
with no conversion needs, these applications are recommended as the two to review
further. Although SAP can be converted through Cast Iron, it will require more effort than
Costpoint and PeopleSoft and the convertibility of Infor is fully in question, so neither
application is considered a viable solution for further consideration and will not be
assessed further.

Native .NET/Java

The purpose of this question is to determine whether a cloud provider can support the
technology stack of the software application selected. A technology stack means the
layers of components or services that are used to provide a software solution or
application.

PeopleSoft uses PeopleCode, AE, SQR, CI, DMS, HTTP(S)/XML (extensible markup
language), JDK (Java Development Toolkit), .NET/Java, COM or C/C++ to interface with
their components. Oracle has teamed with Amazon Web Service Cloud (EC2) to provide its
PeopleSoft product, so can fully support the application.

According to Jakovijevich (Jakovijevich, 2006) "Deltek Costpoint 5 is a scalable Java 2
Enterprise Edition (J2EE)-based platform of 'industrial strength,' capable of supporting
even organizations with over a billion dollars in revenues. The product is standardized for
integration with other technologies, and has the flexibility to support multiple OS platforms,
with support for Web-native HTML, DHTML, Java Script, or rich client on the UI tier;
Microsoft SQL Server or Oracle as databases; and the Actuate reporting server." Costpoint
uses a Microsoft .NET platform to enable real-time transparent connections via Web
Service and XML across multiple platforms and applications. Deltek has also teamed with
AppForge to deliver mobile applications to mobile and wireless devices including PDAs,
smart phones and other industrial devices without having to be connected to the network,
potentially reducing hardware investment by the company.

In summary, Costpoint and PeopleSoft should be supportable by a cloud provider, so both
are still equal contenders for selection in a cloud-based solution. Costpoint may offer
more flexibility through mobile applications.

Database Type

This question asks us to look at the database type that we are using and determine if it is
supportable by the cloud provider. ABC is already using both Deltek and PeopleSoft
applications in a client-server deployment. Further, we know that the cloud providers such
as Amazon (EC2) and Salesforce.com support these applications in a public cloud
environment so we know that these database types are supportable. The question that
would need to be addressed in an analysis other than this is what a data migration solution
would entail for the ABC divisions that are presently utilizing SAP and Infor applications. In
essence a data migration process would need to be developed to include the following
(Database Answers):

1. Choose a data modeling tool with Reverse Engineering Capability

2. Define and create the data dictionary

3. Identify all the required data sources and the "owner" for each source
considering data feeds, legacy systems and operational data stores

4. Define the data items required, in consultation with the users

5. Create the data models for the source data

6. Define the data validation checks (bottom-up) and clean-up business rules for
source data

7. Carry out an audit of the data quality in the major databases, (bottom-up and
top-down)

8. Define the staging area with Mirror Tables to store extract files.

9. Create the business data model for the consolidated database

10. Create the data model for the target ERP database

11. Define the data mapping between source and target data items.

12. Define acceptance tests for data in the integrated database.
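
Steps 6, 8, 11 and 12 of the list above, sketched as an added example that is not part of the original report: validation rules applied to a staging mirror table, a source-to-target mapping, and acceptance tests that reconcile the loaded data. The table and column names, the rules and the sample rows are constructed for illustration, and an in-memory SQLite database stands in for the staging area and the target ERP database.

```python
import hashlib
import sqlite3
from decimal import Decimal, InvalidOperation

# Constructed sample extract from a hypothetical legacy vendor master.
LEGACY_ROWS = [
    ("V001", " Acme Steel ", "12500.50"),
    ("V002", "Bharat Tyres", "830.00"),
    ("V003", "Coastal Glass", "-40.00"),      # negative balance
    ("V004", "", "99.00"),                    # missing name
    ("V002", "Bharat Tyres Ltd", "15.00"),    # duplicate key
]

# Step 11: (source column, target column, transform). All names are hypothetical.
MAPPING = [
    ("vend_code", "vendor_id", lambda v: v.strip()),
    ("vend_name", "vendor_name", lambda v: v.strip().upper()),
    ("bal", "balance_paise", lambda v: int(Decimal(v) * 100)),
]
SRC_COLS = ", ".join(m[0] for m in MAPPING)
TGT_COLS = ", ".join(m[1] for m in MAPPING)


def validate(row):
    """Step 6: return the list of rule violations for one staged source row."""
    code, name, bal = row
    errors = []
    if not code.strip():
        errors.append("missing vendor code")
    if not name.strip():
        errors.append("missing vendor name")
    try:
        if Decimal(bal) < 0:
            errors.append("negative balance")
    except InvalidOperation:
        errors.append("balance not numeric")
    return errors


def partition(staged):
    """Split staged rows into clean rows and (key, reasons) rejects."""
    clean, rejects, seen = [], [], set()
    for row in staged:
        errors = validate(row)
        if row[0].strip() in seen:
            errors.append("duplicate vendor code")
        if errors:
            rejects.append((row[0], errors))
        else:
            seen.add(row[0].strip())
            clean.append(row)
    return clean, rejects


def transform(row):
    """Apply the step 11 mapping to one clean source row."""
    return tuple(fn(value) for (_, _, fn), value in zip(MAPPING, row))


def row_hash(values):
    # Unit separator keeps ("ab", "c") and ("a", "bc") from hashing alike.
    return hashlib.sha256("\x1f".join(map(str, values)).encode()).hexdigest()


def read_staging(db):
    return db.execute(f"SELECT {SRC_COLS} FROM stg_vendor ORDER BY rowid").fetchall()


def migrate(db):
    """Step 8 staging load, then a validated and mapped load into the target."""
    db.execute("CREATE TABLE stg_vendor (vend_code TEXT, vend_name TEXT, bal TEXT)")
    db.execute("CREATE TABLE erp_vendor (vendor_id TEXT PRIMARY KEY, "
               "vendor_name TEXT, balance_paise INTEGER)")
    db.executemany("INSERT INTO stg_vendor VALUES (?, ?, ?)", LEGACY_ROWS)
    clean, rejects = partition(read_staging(db))
    db.executemany(f"INSERT INTO erp_vendor ({TGT_COLS}) VALUES (?, ?, ?)",
                   [transform(r) for r in clean])
    return rejects


def acceptance_tests(db, rejects):
    """Step 12: re-derive the expected target from staging and compare."""
    staged = read_staging(db)
    expected = {t[0]: t for t in map(transform, partition(staged)[0])}
    target = {r[0]: r for r in db.execute(f"SELECT {TGT_COLS} FROM erp_vendor")}
    return {
        "row_count_reconciles": len(staged) == len(target) + len(rejects),
        "control_total_matches": sum(t[2] for t in expected.values())
        == sum(t[2] for t in target.values()),
        "row_hashes_match": {k: row_hash(v) for k, v in expected.items()}
        == {k: row_hash(v) for k, v in target.items()},
    }


def run_demo():
    db = sqlite3.connect(":memory:")
    rejects = migrate(db)
    return db, rejects, acceptance_tests(db, rejects)


if __name__ == "__main__":
    _, rejected, results = run_demo()
    print(rejected, results)
```

Offsetting changes to two target balances leave the control total intact, which is why the per-row hash comparison is run alongside it.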

Management/Monitoring Tools

This area reviews whether the management tools (e.g., dashboards, status reports) used
can be used on the web or in a cloud-based environment. The management tools currently
used by ABC are those developed in their "Obtuse" product from a PeopleSoft base. We
know that ABC's intent is to migrate from the four ERP applications presently used to a
single application (in this study PeopleSoft or Deltek), and the management tools utilized
by either of these solutions would be adopted. ABC
would be more comfortable with the look and feel of the PeopleSoft tools because Obtuse
utilizes similar management tools; however, the Deltek tools are more relevant to the
industry that ABC supports, management consulting. Through the answers to the previous
questions we know that PeopleSoft and Deltek both have web-compatible as well as
cloud-compatible management tools since both are currently being used in a public cloud
environment.

Security Risks

This is a critical area of evaluation and impacts whether a public cloud deployment or a
private one is more appropriate for ABC. Mallya (Mallya, 2006) states that there are two
steps to evaluating the security risks:

1. Review the provider's regulations and trust level

2. Know that security hazards can be created by making the client available from
any PC that is connected to the web

The eUKhost Blog indicates the location of deployment is the prime differentiating factor
between a public or private cloud option. A public cloud hosting solution is one that is
offered over the Internet and the service provider bears the cost and responsibility of
managing the infrastructure and security. Data storage is shared with all of the users of the
service. In this type of a situation, ABC would have to
rely upon the security measures the host implemented as satisfactory. For example, if ABC
were to consider using Amazon's EC2 option of cloud support, Amazon's privacy policy
states, "we will implement reasonable and appropriate measures designed to help you
secure Your Content against accidental or unlawful loss, access or disclosure." This does
not tell the consumer much about what exactly Amazon does to protect the data in their
care.

The eUKhost Blog states that a Private cloud hosting is created "using software operating on
hardware provided by the customer." In this case, the data is fully managed by the
customer, not by the cloud provider, so all security is that which the customer institutes.
Another advantage that the eUKhost Blog identifies with a Private cloud solution is that of
greater scalability because of the ability to expand existing architecture.

In 2010, the Cloud Security Alliance (CSA) issued their report on the top threats to
public cloud computing (CSA, 2010). The report indicates the following:

1. The abuse and nefarious use of cloud computing. This impacts mostly
Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) and exploits their
weak registration systems and limited fraud detection. Botnets have used IaaS for
command and control functions as well as to introduce trojan horses and malicious code.
Solutions include stricter initial registration and validation processes, enhanced fraud
monitoring and coordination, comprehensive introspection of customer network traffic and
the monitoring of public blacklists for one's own network blocks.

2. Insecure interface and APIs. The security and availability of general cloud services
is dependent upon the basic APIs used to manage and interact with cloud services and this
threat impacts IaaS, PaaS and Software as a Service (SaaS). This potential weakness can
impact the confidentiality, integrity, availability and accountability of data. Examples
include reusable tokens or passwords and limited monitoring and logging capabilities.
Solutions include analyzing the security model of cloud provider interfaces, ensuring strong
authentication and access controls are used in conjunction with encryption and
understanding the dependency chain associated with the API.

3. Malicious Insiders. Impacting IaaS, PaaS and SaaS in a public cloud setting, this
issue is amplified due to a single management domain coupled with a lack of transparency
into provider processes and procedures. For example, the hiring practices of cloud
providers may be unknown or undisclosed and could create a potential avenue for access
to private and sensitive data. Consumers of cloud services must ask and understand what
cloud providers are going to do to protect them against the threat of malicious insiders. Some
solutions to mitigate exposure include specifying human resource requirements as a part of
the service contract or demanding transparency into overall information security and
management practices as well as compliance reporting.

4. Shared technology issues. This threat is focused on IaaS and exploits the shared
technology aspects of a cloud computing environment, specifically CPU caches, disk
partitions, GPUs and other shared elements lacking strong compartmentalization. Even the
use of a virtualization hypervisor, designed to address this issue, has proven to have its
weaknesses and inappropriate access has been gained to the underlying platform.
Solutions to this problem include implementing security best practices for
installation/configuration, promoting strong authentication and access controls for
administrative access and operations, or the enforcement of service level agreements
(SLAs) for patching and vulnerability remediation.

5. Data loss or leakage. This is a serious threat across IaaS, PaaS and SaaS. The
loss of data can have devastating impacts upon competitive edges and financial positions.
Depending upon the type of data lost, there could also be compliance and legal
complications. Data can be compromised through the accidental alteration of records
without a backup to restore from. The loss of an encoding key could result in the effective
destruction of critical data. Data center reliability and operational failures are yet other
avenues to create data loss or leakage. Some solutions to this issue include implementing
strong API access controls, the encryption and protection of data in transit, and the
contractual specification of cloud provider backup and retention strategies.

6. Account or service hijacking. This is most frequently accomplished through the
stealing of access credentials and impacts IaaS, PaaS and SaaS. In a cloud environment,
this could allow the hijacker to manipulate sensitive data, return falsified information or
even redirect clients to an illegitimate site. Possible solutions to the threat include
prohibiting the sharing of account credentials between users and services or understanding
the cloud provider's security procedures and SLAs.

7. The unknown risk profile. Because functionality (e.g., the maintenance of hardware
or software) in an IaaS, PaaS or SaaS offering may be provided by the cloud provider, the
ability to understand the details/compliance to needs such as security procedures, auditing
and logging may be a vulnerability. For instance, who has access to your data and related
logs stored? Solutions to reduce risk in this area include a partial or full disclosure by the
cloud provider of infrastructure details (e.g., patch levels, firewalls) or a disclosure of
applicable network intrusion logs, redirection attempts and/or successes, and other logs or
pertinent data.

Due to the sensitivity of ABC's data that is to be managed, it appears that the public cloud
may yet be too vulnerable. It is therefore recommended that ABC pursue a private cloud
deployment over a public one and an appropriate platform would need to be evaluated and
selected.

Changing Cloud Providers


This area explores whether ABC would be locked into a specific vendor should there be a
reason to change service providers in the future and is only relevant if using a public cloud
provider. Due to the complexity of a full ERP system and the limited number of cloud
service providers who support Deltek or PeopleSoft in a cloud environment, at this time, it
is reasonable to anticipate that the selection of a cloud provider would require the strong
negotiation of services and rates as it would not be easy to migrate between providers.
Amazon has a standard contractual termination clause of a thirty-day notice; however, as
noted, the ability to find a different provider may be prohibitive.

If ABC agrees that it is more appropriate to deploy a private cloud solution, then the
concern over issues with changing cloud providers becomes moot.

Dynamic Scaling

The goal of this question is to ensure that the cloud provider offers a fully scalable option
for the ERP software selected. A scalable system is one whose performance has reached
capacity but can be immediately improved through the addition of something else to the
infrastructure, e.g., more hardware, software licenses, servers. Assuming that a private
cloud deployment is selected, this means that ABC's servers would need to be fully
scalable. At this point, ABC has sufficient server capacity and resources to grow a larger
"server farm" if required. Regardless of the ERP system implemented, scalability is not a
concern in this environment.

In summary, we are able to conclude that two of the ERP solutions under review,
Costpoint and PeopleSoft, are fully supportable in a public cloud environment; however, a
private cloud would be better able to meet the security needs of ABC and is strongly
encouraged. Data can be migrated to a single application from all four of the ERP
solutions being considered and this is a common practice for these specific application
vendors. ABC can easily support scalability with any solution selected.

Costpoint or PeopleSoft would prove the most efficient/feasible application option to
transition to a private or public cloud-based deployment. SAP would be a distant option
because it requires middleware for a cloud deployment, therefore it is considered less
viable. Infor does not appear to be in a sufficiently advanced stage to be considered for a
cloud deployment option without a great deal of effort and cost.

High-level Implementation Plan

In order for ABC to successfully implement a conversion to a single ERP application, it will
need to consider the following additional details:

Changes to Technology

As ABC converts to a single ERP application they would decommission the obsolete
systems. Assuming that ABC accepts the recommendation to utilize either PeopleSoft or
Costpoint, this means that Obtuse, SAP and Infor would become legacy systems. As the
conversion process is reviewed, decisions will need to be made as to how the data on
these systems will be preserved. There are several options; however, the most common
approach is to have all of the systems "frozen" as of a point in time and preserved so that
no further changes can be made to the data. The various applications would then be
maintained by the Finance and Administration group in the Home Office when and if
legacy financial data at the division level was needed for audit or other purposes. ABC can
then keep the legacy data on a smaller server that is accessible only through password
protection for those who have a need to know. This server can be made web accessible
so that finance oriented staff in the various divisions may be granted access if they need
their legacy data for any purpose.

ABC will need to consider whether it is still reasonable to use Hyperion for financial
consolidation purposes as there are so many reporting divisions whose data must be
combined to create a single financial statement for reporting purposes. Both Costpoint
and PeopleSoft are able to manage a consolidation process without having to use an
external program; however, neither system may be able to handle the volume of data
as easily as Hyperion.

All other applications are anticipated to remain intact at this time. Microsoft products such
as Excel and Access are good and useful tools to support any accounting activities. They
allow large amounts of data to be downloaded from the system for manipulation and
review, and the data can then serve as auditable backup to adjustments that are ultimately
recorded into the ERP system (e.g., documenting depreciation schedules for fixed assets,
documenting journal entries and their purpose, or meeting government reporting
requirements such as Incurred Cost Submissions).

A cloud-based solution is being contemplated at this time; however, it is not critical to this
process. It is an added benefit that may provide groundwork for future improvements
and will aid in the ease of functionality with the entire ERP system.

Changes to Personnel

ABC maintains personnel in each division specifically to support IT infrastructure. As there
will be no further need for software development, it is anticipated that the overall IT
requirement (inclusive of divisions) will be reduced by at least 33 percent. By moving to a
centralized ERP application that is based at its home office, the need to have IT staff at
the division level for maintenance purposes is reduced or eliminated. Any
system/application issues would be resolved by the Home Office IT staff who are
maintaining the ERP application in the private cloud solution. Further, there will no longer
be a requirement for continued software development once the Obtuse application is
decommissioned.

It is anticipated that, while each ABC division will still need to retain some IT staff to
resolve local issues such as PC issuance and imaging, hand held device support, and the
maintenance of internal networks, due to a centralized ERP application, such staffing
requirements will be reduced by at least one third in each division. It will be the
responsibility of management within each division to determine their staffing needs
and to coordinate through Human Resources to ensure that all retention and termination
processes are conducted in accordance with the laws of each country.

There will also be a requirement to train staff (all users and the IT group) on how to use
the selected ERP solution and to ensure sufficient staff is proficient in SQL reporting
queries. User training will be performed as a part of the conversion process and training
needs/recipients will be identified by management so that an appropriate schedule may
be developed with the conversion specialist for the ERP implementation. IT staff training
for maintenance and other ERP application should also be identified by management and
addressed prior to implementation. ABC will also need to ensure that the appropriate
number of IT staff be proficient in the implementation and maintenance of a private cloud
development and deployment. This can be accomplished through training or through the
acquisition of individuals with the necessary skill sets.

Risk Assessment of Deployment Solution and Controls Recommended

1. Risk Assessed: Security: Moving a vital system into a shared environment is compelling
for the customers. Building trust is not easy; providers enhance their own customer and
partner relationships by enhancing their security services. A complex application like ERP
also needs an intensive set up and management. Cloud Computing does not change the
services of the ERP but is only a delivery mechanism and the solution changes.

Control Recommended: For this, the cloud provider can offer higher-level security of user,
unit of storage, unit of processing power etc., because they are dealing with bigger systems
as well as many customers. At the same time, they have to satisfy the service requirements,
which are explained on SLA previously.

2. Risk Assessed: Authentication and Authorization: Complexity of the ERP systems
increases the complexity of security configurations, which may lead to potential security
vulnerabilities. Cloud Computing has proposed new challenges and opportunities for tenant
authentication. In the cloud environment, responsibility is divided among few parties such
as the users, the cloud providers and the third party providers.

Control Recommended: RBAC can be a solution to enhance current cloud ERP security by
allowing access only from authorized sources. Moreover, it is important to set appropriate
access roles for the user, the cloud ERP provider and the third party. The cloud ERP
application interface is accessible via the Internet browser, so the user is authenticated by
the system with an identifier and a password to reach the cloud ERP service. In tenant in
the system.

3. Risk Assessed: Recovery of Data: Recovery of data on cloud in case of data loss can be
a major issue.

Control Recommended: The reliability and security of the vendor can be verified by a
security audit conducted there.

4. Risk Assessed: Compliance risks: Lack of legal and data protection compliances are
significant risks to consider in the cloud model. Each country has different restrictions and
requirements for accessing the sensitive data. The cloud customer needs to pay attention to
the jurisdictions regarding the data processed.

Control Recommended: Cloud ERP needs to ensure the standards and legislations of both
Cloud Computing and the ERP. As an example of this, the cloud ERP providers should
meet or exceed the traditional ERP security compliance requirements such as ISO 27001
certification, SAS 70 Type II certification and ISAE 3402 certification.

5. Risk Assessed: Availability of Data: An ERP system consists of several modules and
their connections with the ERP components. In order to maintain business continuity, an
ERP system needs to remain available 7/24 and, depending on the complexity of the system,
a number of risk factors can threaten the availability of the system. For example, ERP uses a
central database, which connects all of the functions. There can be another issue related to
the Application Interface of the ERP, which is the user’s control panel for the ERP system:
any possibility of a software bug or application crash might cut the connection between the
components and make the services unavailable.

Control Recommended: Application and its components should be tested and monitored
regularly. Companies need to consider appropriate solutions to prevent ERP service
unavailability, which may be caused by a system restore and a downtime. Preventing
unavailability situations can be achieved by creating and applying a set of security policies.
Internet browser security is vital and can be achieved by using several enhancements such
as SSL, Virtual Local Area Networks, firewalls, packet filters etc. The user access to the
cloud application is also important. Current solutions require the user to write their identifier
and their password. The cloud vendor’s identity control and management service would
establish an identity check of the written details. This session can be enhanced by using
multi-factor authentication methods such as biometrics, one-time password, smart cards etc.

6. Risk Assessed: Performance risks: Speed and Reliability of data processing is to be
comparable with the existing system.

Control Recommended: Need to ensure by test check on frequent basis.

7. Risk Assessed: Strategic risks: Outsourcing such a business critical system as ERP,
companies usually bear increased strategic risk of high dependency on the service provider.

Control Recommended: Appropriate management lookout is required to decide which
information processing can be outsourced and which cannot.

8. Risk Assessed: SLA issues: In many cases it is rather hard to accurately define Service
Level Agreements (SLAs) negotiated between cloud service provider and their corporate
clients. These SLAs usually do not really cover such aspects as confidentiality and integrity,
leaving space for unclear damage liability.

Control Recommended: The SLAs should be designed carefully in consultation with all
experts, especially the IS auditor.

Recommended Strategy for deployment and Risk Management

In keeping with the theme of cosmological evolution, phased rollout would be analogous to
the Steady State theory: instead of an implementation happening in a single instance, small
changes occur over time. An organization moves off the legacy system and onto the new
ERP system in a series of predetermined steps. This can be achieved in several different
ways. The most appropriate strategy for ABC will be Phased rollout by business unit - Under
this approach implementation is carried out in one or more business units or departments at
a time. For example, you begin with implementing the new ERP system in human
resources, then move to accounting. Some organizations may put together an
implementation project team that travels between each department during implementation
phases. As the team gains more experience with each implementation, subsequent phases
become more efficient.

The detailed stepwise implementation of the strategy shall be as follows:

1. Define your ERP strategy around your company’s core business needs

The first step in any ERP implementation is to identify your company’s needs and
business objectives accurately. Start by finding and documenting the critical business
processes, inflection points and key performance indicators (KPIs). This will help you
identify the right ERP solution, and need for specialists or additional services to manage
this transition. Before you begin to implement, you must have a complete plan or
roadmap in place. You must be able to clearly define your expectations from the ERP
system and the benefits you want for your organization. As Gartner puts it, “The most
successful ERP projects support strategic business objectives and goals. This helps to
ensure the right level of executive involvement to support the major business changes that
enterprises demand.”

2. Management and involvement of team for better utilization of resources

An ERP system impacts the entire business cycle, so it is advisable to involve all the
stakeholders in the initial stages of discussion. This will ensure that there are fewer
bottlenecks and arguments down the road, giving you more time to focus on the critical
tasks. Even after your system is configured, you would need to train your employees on
how to use the new program. User ‘buy-in’ is the most critical factor for the success of any
ERP program. You could engage a group that specializes in onsite training or prepare your
IT team to handle the day-to-day tech problems and user requirements.

3. Ensure tight control of the budget throughout the implementation process

An ERP implementation may require substantial investment, especially when enterprises
have special requirements. So make sure you assess the expenditure clearly before you
begin and maintain a close watch on spending throughout the implementation
process. Most successful ERP projects have a dedicated project manager to ensure the
project is kept on track, on budget and moving in the right direction.

4. Develop performance metrics for evaluation of the program


During the implementation process or even after it, enterprises need to develop and put in
place key performance metrics to measure the impact the ERP system is creating. This
would help in determining whether the implementation is going in the right direction or not,
and if you need to take any corrective action to improve things.

5. Knowledge transfer and awareness for user acceptance

Make sure there is sufficient awareness about the need and scope of the new ERP system,
and that employees are able to extract maximum benefits from it. Before you even begin
the deployment process, it is important that employees have sufficient knowledge about the
new system and are convinced about using it for their respective business functions.

6. Testing for smooth execution

Testing is a very critical step that is often overlooked. Several weeks of parallel testing is
recommended for the success of any ERP program. It is crucial that your daily work is
processed on your old system and also on your new system before going live so that
everyone knows their new roles and responsibilities and questions/issues can be addressed
without the added pressure beforehand. Testing will not only help in ironing out any
obstacles on the path, but will also help in gaining employee confidence that is very
important for the success of any program.

7. Preparing to ‘go live’ finally…

Once your system has been configured, tested and your employees have been trained, it’s
time to ‘go live’ or activate your ERP system. Before you finally go live on the program,
make sure you are fully prepared to take on the new system. A well-prepared and clearly
defined implementation strategy can go a long way in ensuring the success of any ERP
system.

12. Overall Conclusions

Based on our review our overall conclusions on specific areas are:

Security and Access Controls

Our review of security and access controls at the IT Environment as reviewed by us and as
implemented in ABC using Unix, Oracle and FALPS confirms that appropriate security and
access controls have been implemented by using related functions and features of the
packages. Our test checks have revealed that systems of security and controls are reliable.
However, there are some areas where controls need to be strengthened and these are
given in annexure.

Business Process Controls

Our review of business process validations and data integrity controls covering all the core
functions of ABC as facilitated by FALPS such as interest computation, allocation and
aging, confirms that all related data have been duly captured, processed and stored
correctly and completely subject to some transaction data not available pertaining to
previous years. However, there are also missing data in master tables which impact the
MIS and statements of accounts. The issues, which have come to our notice during the
process of our review, are given in annexure.

Further Action

We consider that the recommendations given in annexure to this report would be very
useful for facilitating business process controls of ABC and will aid in improving the
effectiveness of FALPS package and computer operations. We would like to affirm that the
matters included in this report are those which came to our notice during our review by
following normal Information System audit procedures by complying with globally
applicable Information Systems Auditing Standards, Guidelines and procedures that apply
specifically to Information Systems Auditing issued by the Information Systems Audit and
Control Association, USA, and Security and Control Practices as outlined in COBIT 5
issued by ISACA as adapted to ABC operations for review of Application software and
implementation audit. Further, on account of limitations of scope and time, we have used
sample test and test check approach. Hence, certain areas which are outside the scope of
this review, such as source code review, implementation controls and general controls
specific to branches, are not covered.

Summary/Conclusion

The goal of this proposal was to determine if it was reasonable for ABC to move to a cloud
based ERP application 'Wilson's On Cloud Solution (WOCS) - Standard Version' in order to
improve operational efficiencies, reduce IT costs related to ERP systems, and improve
insight into the financial management aspects of the company for improved strategic
planning and performance monitoring.

A sub-goal was to also determine if by migrating to a single ERP application 'Wilson's On
Cloud Solution (WOCS) - Standard Version' ABC might be able to recognize a cost
savings through the reduction of support personnel and through a reduction in
licensing/maintenance costs.

This review has established that a reduction in maintenance costs would be highly likely, yet
a full assessment of current costs against maintenance costs of a single solution remains
necessary to fully recognize the scope of that savings. This white paper cannot adequately
address a true cost savings until management approaches the two recommended providers,
Oracle (PeopleSoft) and Deltek (Costpoint), and obtains their quotations. Regardless,
we have established that moving to a single ERP application will reduce the required level of
IT support at the divisional and corporate level by approximately one third, which does
allow for a cost savings. Again though, until a final solution is selected by management,
the full significance of this savings cannot be firmly established.

Moving to a single ERP solution 'Wilson's On Cloud Solution (WOCS) - Standard Version'
will allow all divisions to function from a common ERP platform and will remove the need
to perform many of the accounting and operational functions outside of the system. This
ensures that management has immediate and relevant access to meaningful data that is
system driven, immediate and on demand instead of having to wait for somebody to
"manipulate" the data into a format that may or may not be truly accurate depending upon
the human error factor.

We have demonstrated that a strong cost savings potential exists as well as a definite
ability to meet the greater need of improving operational functionality and management
decision-making capabilities should ABC migrate to a single ERP solution 'Wilson's On
Cloud Solution (WOCS) - Standard Version'. The determination to place an ERP solution
into a cloud environment remains an open item in terms of cost savings; however, it is
clear that a reduction of IT department infrastructure can be realized with a move from a
decentralized IT department structure to one that is centralized.

Summary of Recommendations

Migrate from supporting multiple ERP solutions on a divisional level to supporting
a single ERP solution on a web-based or cloud-based platform from a centralized location
at the Home Office.

Retain system analysts and appropriate subject matter experts to review the
options provided by migration to the full ERP solution offered by Oracle's PeopleSoft or
Deltek's Costpoint applications and to determine which solution provides the greatest value
to ABC and if a cloud-based platform is appropriate at this point. In addition, review
whether migration to a private cloud-based environment is a reasonable consideration to
pursue in conjunction with migration to a single ERP solution.

Select a single ERP application to use on a corporate-wide basis after analysis.

Upon selection of a single ERP application, engage appropriate implementation
specialists and other subject matter experts to aid management in developing an adequate
migration and training plan, whether to utilize an in-house or cloud based platform, and to
determine appropriate overall staff training requirements and reductions to the size and
complexity of existing IT departments from the divisional level to a centralized operation.

Retain or obtain appropriate IT personnel to support the new environment.

Review the capabilities of the selected application to determine if Hyperion must be
retained.

Review legacy systems to determine best solution for preservation of data, access
requirements and access protocols.
