Introduction
ABC Automobile Ltd. (Auditee) makes luxury buses in south India. It is well equipped
with complete infrastructure, has kept pace with changing technology and produces
high quality buses. They are currently using a stand‐alone accounting and inventory
package which has limited functionality. They have aggressive business growth plans
and have found that the current software solution cannot meet their future
requirements.
ABC Automobiles have decided to migrate to 'Wilson's On Cloud Solution (WOCS) ‐
Standard Version', a robust full suite ERP developed using Wilson Virtual Works, a
state of the art software engineering and delivery platform. WOCS is expected to
enable ABC to reap the benefits of the solution with "built‐in best practices" together
with a highly "flexible framework" to ensure solution alignment to the "dynamic business
requirements" of ABC.
The WOCS solution has standard product features which cannot be modified except
based on the methodology followed by Wilson, and the customer has to use the
existing product without any changes. As a part of the software as a service
(SaaS) development model, WOCS will not make any changes to the data entry screens or
processes to suit an individual customer's needs.
Technology is changing and developing faster than ever before, and everyday people
are faced with new tools and services in their daily life. Cloud ERP is an approach to
enterprise resource planning (ERP) that makes use of cloud computing platforms and
services to provide a business with more flexible business process transformation.
Cloud based ERP benefits customers by providing application scalability and reduced
hardware costs.
However, the constraint is that most of the staff are not computer savvy and have
limited knowledge of using computers. The Managing Director of the company, who has
taken charge of this, is confident of training the employees and implementing the
proposed ERP solution. Further, the cost benefit analysis based on a model
implementation of a 10 user licence justifies the investment. The vendor is expected
to provide one week of training to employees so that they can configure and implement
the solution as per their specific business processes.
The Business policies and procedures to be followed are divided into 4 sections:
Foundation Discipline: ‐ It discusses the ERP Database and required procedures to
support the maintenance and updating activity with respect to key data elements
such as inventory, bill of material structures, routings and open orders.
Modules of ERP: ‐ It documents those policies and procedures which are required
to operate an ERP system on an on‐going basis. It documents the functions with
respect to sales forecasting, material requirements planning, purchasing etc.,
including the measurements which will be put in place to ensure a successful Class
'A' ERP operation.
ERP Project: ‐ It discusses the policies and procedure which are required during the
implementation phase with respect to areas such as education, documentation and
the project control plan.
Responsibility Index: ‐ It will cross reference all of the policy and procedure to the
respective departments that would need to use some or all of those procedures in
their daily operations. These departments would include such areas as finance,
material management and ERP project team.
Although each document is referred to as a procedure, the documents truly represent a
combination of policies, procedures and documentation. This policy and procedure
manual is a part of the total documentation for this cloud based ERP system. In the
above referred scenario, we, M/s RSA and Associates, Chartered Accountants, have been
appointed to perform a risk assessment of the deployment solution, to provide
assurance on the reliability and practical implementation of the solution and to
perform a cost benefit analysis of the solution.
We at RSA and Associates have expertise in performing IS audits. We are a firm of
8 partners, of whom more than 2 partners are DISA qualified and 3 partners are
CISA. We have around 10 years of experience in conducting IS audits and around 3
years in assisting with the review of cloud ERP systems for various clients.
We believe that these 11 steps should be followed to execute a successful
migration from an on‐premise to a cloud ERP solution:‐
1. Get management’s nod: To make such a big change, such as moving entire IT
structure to the cloud in any organization, it is important to bring everyone on the
same page; especially the decision makers of the company. As soon as you realize
the need to move on the cloud, get involved with senior managers, the board of
directors and IT team to analyze the potential pitfalls and ways to overcome them
before, during and after the migration.
2. Pre‐migration decisions: It may be possible that your existing IT infrastructure is
not fit for the cloud. Certain applications might not be compatible with cloud
portability or you probably run on a frequent stock trading platform that is not
functional on cloud servers but on local ones. Hence, it is imperative to distinguish
the applications best suited to run on cloud and prepare for the migration of only
those.
3. SWOT analysis: It is a widely adopted method for estimating the strength,
weakness, opportunity and possible threats due to the decision of switching to
Cloud‐based ERP solution. This can be achieved by practicing process mapping to
redefine, reorganize and filter existing processes. Moving to the cloud doesn’t
mean copying the same processes for the on‐cloud solution; rather you must
identify only those processes imperative to meet the ends. Only the best practices
must be selected to map the needed configurations and future needs of the
organization. Thus, you avoid age old, redundant, and inefficient practices and
welcome much simpler and easy to follow steps that are compatible with Cloud‐
based solutions.
4. Select the right team, right vendor, and right platform: Ensure suitable
representatives upfront for deciding strategic objectives, funding decisions,
managing resources, and risks for the big switch. There is no such thing as good or
bad solution vendor, but ensure that your vendor is a certified Cloud solution
provider.
Every solution is unique and upright in its own right. The one that relates truly to
your business processes is the best Cloud ERP solution for you. The team involved
in the process of moving to the cloud must research over available Cloud ERP
options and evaluate on the grounds of module set, organization size, workload
standards, flexibility, and costs.
6. Make a plan: Since there is no substitute for planning, you must have a blueprint
ready. Realignment of the assigned team, resources, and workload sharing during the
process of migration must be done well in advance. Define clear deadlines for what is
to be done, when it is to be done, and how it is to be done. No solution is tailor‐fit
and performance gaps are bound to occur, hence decide on the type and extent of
customization beforehand and convey your concerns to the vendor's team. Today,
customizations are possible even with Cloud ERP and you must not hesitate to ask
your vendor for them.
7. Strong backup: Since data is not stored on local servers in Cloud‐based ERP
solutions, it remains more secure, inaccessible and away from you. Therefore,
ensure a safe and reliable data backup before taking the plunge, in order to avoid
any mishaps and data disasters. In case you are migrating a large amount of data to
the cloud, your partner must be well versed in data batching, replication, and
backup. Encourage the involvement of your team with cloud specialists,
developers, system architects, and project managers so that they gain knowledge
for any such future migrations. Begin the implementation process slowly yet steadily,
step by step.
8. Execute & deploy: The execution of the plan deals with the step‐wise carrying out of
the implementation strategies. Though there is no need to install any additional
hardware, making the IT environment cloud‐ready is a must. Deployment deals with
uploading the new ERP solution design onto the existing IT infrastructure, data
visualization and enabling the Business Intelligence capabilities to offer the
cutting‐edge functionality. Data migration to the cloud must be performed with
extreme caution. Ensure a dry run just before going live.
9. Monitor the progress: Monitoring is always essential, even when you are switching
to the cloud from an on‐premise solution. A formal issue tracking process should be
formulated to identify and address the roadblocks in the new cloud environment.
Since migration to the cloud needs everyone's attention and contribution, periodic
reports must be prepared based on the respective goals of individuals and of the
team as well. With the help of regular monitoring, delays can be identified and
also made up by obtaining expert opinion.
10. Go live & handover: Soon after everything is in place, it’s time to finally switch to
the new Cloud‐based ERP system. The on‐cloud solution can be made live under
consultant’s guidance. It’s best to consider the vendor’s advice as the thumb rule.
Gradually, the new system is handed over to your staff and tested for smooth and
uninterrupted operations.
11. Training and change management: Since working on the cloud is a totally new
experience for your staff, detailed information about absolutely everything should
be demanded by the management. Though the training is not extensive and as
elaborate as during on‐premise implementation, detailed insights by the experts
on every aspect certainly help in smooth running of the operations even in their
absence.
Auditee Environment
Key takeaways about the client are:‐
a) The client is a manufacturer who makes motor vehicles (luxury buses), requiring
extensive assembly work and multiple inventories.
b) The client has a geographically scattered business, with a head office and four branches.
c) The client has a standalone accounting and inventory package, so all transactions
have to be updated manually again at the different module levels and constantly synced
between them.
d) The client maintains extensive documents, mainly to keep all the records and verify data
integrity.
e) The client has aggressive growth plans; however, with the present limitations and without
effective IT management, it can be inferred that the current software solution cannot
meet their future business requirements.
It has been proposed by the client that they will migrate to Wilson's On Cloud
Solution (WOCS) ‐ Standard Version'; a robust full suite of ERP developed using
Wilson Virtual Works, a state‐of‐the‐art software engineering and delivery platform.
Its key benefits are as under:‐
1. It has built in Best practices
2. Highly Flexible Framework
3. Ensure alignment of business requirements of the client.
The WOCS solution has standard product features which cannot be modified except
based on the methodology followed by Wilson and the customer has to use the
existing product without any changes. As a part of the Software as Service (SAS)
development model, WOCS will not make any changes to the data entry
screens/processes as per individual customer needs.
Wilson Solutions provides a single version of the product at any point of time. All
product feature upgrades and updates shall be made available as a part of the
standard offering. Basically the requirements are market driven and will be prioritized
based on various criteria such as statutory needs, best business practice, key business
processes etc. As a practice, upgrades are provided once a month. The scope of the
project includes implementation of Wilson ERP on Cloud ‐ Standard Version for the legal
entities of ABC for the modules below, within the available product features of Wilson
ERP on Cloud ‐ Standard Version.
The modules included in the scope are:
1. Sales & Shipping Management
2. Accounts Receivable Management
3. Purchase Management
4. Accounts Payable Management
5. Financial Accounting Management
6. Accounting Management
7. Information System
8. Fixed Asset Management
9. Inventory Management
10. Service Management
11. Sales Opportunities Management
12. Discrete Production Maintenance Management
13. HR & Payroll
a) Physical security
Even a cloud application and its data must be located somewhere. The physical
surroundings of the software and data are an important component of a business
continuity plan as well as of a software security plan. A physical security breach
means that somebody with malicious intent has physical access to the hardware
where either your application is running or where your data is stored.
If other forms of security are in place, a physical security breach will not result in loss
of data. However, if the intruder's intent is to disrupt your service, then a lapse in
physical security will be a problem. Part of your business continuity plan should
include a solid physical security plan. When applications and data run in an external
cloud, the physical environment is located off‐premise. In most cases physical security
in a tier 1 datacenter is many times better than that in an office building or an
internally run server room. All building access is logged, cameras are in place, and
cleaning people are not generally milling about after hours. State of the art
authentication technology (fingerprint, ID badge, retina scans) is often implemented.
SaaS applications are run by administrators who are employed by the software vendor
or cloud provider and not by the company which purchased the ERP software. The quality
and reliability of administrators depends more on the resources and focus than on the
employer.
b) Transmission Security
When data is communicated between the user, the server and the database, there is a
chance that transmissions can be intercepted. An easy way to prevent this involves
encrypting all communications between source and destination. However, encryption
comes at a cost to performance. If you spend too many processing cycles encrypting
and decrypting data, you will have to purchase more expensive hardware or endure
delays.
There are several types of security algorithms that are used to protect
communications. The underlying idea is that sensitive or private data is scrambled
using an encryption key and a data encryption algorithm. The data cannot be read or
deciphered without the decryption key. The decryption key can be the same
(symmetric) or different (asymmetric) from the encryption key. Once scrambled, the
data is sent to its destination. If intercepted, the data can only be reconstructed by
using an algorithm that tries to guess the decryption key, a process that takes many
years using powerful computers. When the scrambled data arrives at its destination,
the receiving party knows the proper decryption key by querying a key master or
certificate authority. Several common algorithms and protocols include RSA, Secure
Sockets Layer (SSL), Data Encryption Standard (DES), and Triple DES.
c) Storage security
When ERP data is accessed by users, business logic limits unauthorized access to users
with the proper credentials (see section on application security). But suppose a
network administrator has access directly to data in the database. In this case, the
data could be viewed without going through the business logic.
To protect against this vulnerability, sensitive data should be encrypted when it rests
in the database or in a file system. This prevents direct access and ensures that all
data is only accessed via the application logic. The application knows how to decrypt
the data, so a legitimate user will not be impacted.
In cloud systems, data is stored in a remote location on servers maintained by a cloud
provider. The cloud provider should have procedures in place to ensure that there is
no direct snooping into client data. But somebody has to be responsible for database
administration, and usually this person is not employed by the client. The ability to
pick and choose which fields to encrypt in the database is important to provide protection
without adversely impacting performance.
d) Access Security
Access (or perimeter) security is important for preventing unwanted users from
grabbing resources and sending unauthorized queries to your servers. Usually this is
accomplished through the use of firewalls that prevent unwanted traffic from
communicating with your business applications. Lack of access security could impact
your application availability (in the case of a denial of service attack) and provide
hackers with a way in, making it easier to steal resources or passwords.
Cloud systems should be protected by perimeter security just as you would protect
any on premise application. Verify that your cloud provider has firewall protection in
place to prevent intruders and denial of service attacks. A multi‐tenant cloud
application is slightly different because by definition, multiple users are accessing the
same application code and the same resources. In this case, processes must be in
place to ensure that bad things do not happen to customer A if customer B's
application is compromised.
e) Data security
Data security limits access to data objects to specific individuals. Different levels of
data security include read‐only, edit, insert, and delete. Data security can be set at the
application or object level.
Most data security is limited to data access. Once a user gains access to specific
information, screens, or reports, the information can be downloaded and shared with
others. Digital rights management goes one step farther by "wrapping" data objects
with rights that follow the object no matter where it goes. In this case, users can
forward the encrypted data, but that data cannot be viewed or changed unless the
recipient can be verified.
Data security in cloud applications is similar to traditional applications. Once
individuals gain access to the system, the business logic controls the specific
capabilities that individual users can perform on different objects. In some types of
multi‐tenant SaaS applications, database level security may be utilized as an additional
measure to separate data objects from different companies.
f) Application security
Application security encompasses two major areas — the way the application
authenticates and manages users and the way in which application code is managed.
g) User Authentication
User authentication usually involves a username and password to identify legitimate
users. Verifying user identity is critical not only for establishing who the user is, but
also for ensuring the security of data.
Security is a major concern in a cloud environment. These concerns can be overcome by
applying controls; however, the operability of the deployed software model and its user
acceptance is still a question for any organization before it opts to migrate to a
different environment. It is very important for any organization to conduct a pre‐review
study and a feasibility study.
b) Outsourcer’s Experience with SLA and vendor management
c) Cloud Vendor’s policy on vulnerability management – reporting, commitment
to following up, promptly responding to reports etc.
d) Information systems audit of all/any aspect of security policy, business
continuity, environmental access, physical access, logical access and application
security.
e) Compliance with enterprises policy, procedures, Standards and practices as
relevant.
f) Compliance with regulations as applicable.
g) Provide management with an assessment of impact by implementation of
Wilsons on cloud solutions, security policy and procedures and their operating
effectiveness.
h) Identify internal control and regulatory deficiencies that would affect the
organization. Identify information security control concerns that could
affect the reliability, accuracy and security of enterprises data due to
weaknesses in the package solutions offered by the vendor.
b) If the computing service fails, will the users still be able to access the
programs or data?
c) Can the computing service lose the auditee's data?
d) The risk of increased complexity of compliance with laws and regulations.
e) The risk that information cannot be retrieved without delay when required.
f) In case of a disaster, information may not be immediately located.
g) Whether GDPR regulations are being followed accordingly.
h) Data collection and storage policies of the service provider.
Audit Procedures
Assurance on Reliability/ Audit of pre‐migration activities
The IS Auditor should prepare a checklist of audit steps on the pre‐migration activities,
which is similar to the one illustrated below.
a) Check whether a migration plan has been prepared
To ensure that the project is progressing in the correct direction, it is important that a
project quality plan or method document is produced. This document explains to both
the supplier and the customer the principles of the approach and how they will be
implemented across the project. Along with this, it is essential to develop a detailed
project plan stating the project phases, milestones and dependencies as well as the
responsibilities for each activity.
Implementing ERP software is generally too complex for "in‐house" skill, so it is
desirable to hire professionally trained outside consultants for three types of services ‐
Consulting, Customization, Support. The length of time to implement an ERP system
depends on the size of the business, the number of modules, the extent of
customization, and the scope of the change and the willingness of the customer to take
ownership of the project.
b) Verify the business blue print or business process mapping document
Identifying critical business processes is essential for business process mapping, which
involves defining what activities the business entity performs, the people who are
responsible for them, the standards to which the activities or the process should adhere
to, and measuring the success of the business process. The specific assessment of the
processes will obviously be dependent on the business sector and key drivers within
the individual organization. For example, the criteria to select critical business processes
may include:
• What are the high volume business processes?
• What are the major revenue generating processes?
• What are the processes which have the greatest impact on customer satisfaction?
• What are the areas which generate high profits?
Once identified, these critical business processes can be used as metrics to measure
progress.
c) Check whether a conference room pilot has been done
Conference Room Pilots (CRPs) are meant to progressively validate the design, configuration
and customization activities. A CRP can be designed as
i. A project team presenting areas of the system to representatives from the business
ii. The business representatives actually performing job roles on the system, carrying
out specific activities in a simulated environment
d) Check whether proper risk assessment exercise has been conducted
Effective risk management is fundamental to the success of any project. Risk registers
created at the start of the project should be used throughout the project life cycle and
serve as a mechanism to avoid deviations from acceptable quality, costs, or timescale
standards. Risks identified should be categorized in terms of their likelihood and their
consequences.
Regular review meetings with managers and stakeholders where decisions can be made
relating to the management of risks are pivotal for managing risks effectively.
The most common method for evaluating completeness of the configuration is to
measure modules configured in each of the business areas (e.g., Customer Service,
Operations and Finance) and report back on a weekly basis. Customization involves
modifying the program code of the ERP system to gain a competitive advantage. Key
differences between customization and configuration are :
• Customization is always optional, whereas some degree of configuration (setting up
cost/profit centre structures, organizational trees, purchase approval rules, etc.) may be
needed before the software can work
• Configuration is available to all customers, whereas customization allows individual
g) Check whether BCP or fall back plans have been developed
Whatever the size of an ERP project, a fallback or contingency plan is required to
provide options, if any key component of the new solution is late or absent. The plan
should first be developed on completion of the business process mapping and the high
level design. At this point it will be clear where the key elements of the solution are
located and what would be required at a high level for a successful launch should they
not be available. The contingency plan should then be revisited after each CRP where
input from the business will highlight or provide additional operational information
regarding the importance of the various elements of the solution.
Assurance on Security and Functionality / Audit of post‐migration activities
a) Verify whether User Acceptance Testing has been carried out
The IS Auditor should review the user acceptance testing records. On completion of the
ERP migration or implementation, the users are requested to test the configured ERP
application. Based on the test results, the ERP application is fine tuned and further tests
are conducted. The results of such user acceptance testing should be reviewed by the
auditor to ensure that the business blueprint requirements have been configured in the
new ERP system and that the end users are committed to the new ERP application.
b) Check the new ERP configurations with the business blueprint requirements
The IS auditor should check whether the business requirements as per the business
blueprint have been configured in the new ERP environment. For this the auditor should
have reasonable knowledge of the ERP application. He may engage module specific
functional consultants to carry out this task.
c) Verify whether the organization’s DOA has been properly incorporated in the new system
ERP applications have robust user role and profile management functionalities. The IS
auditor should check whether these configurations have been set as per the company’s
Delegation of Authority document. This can be checked by using various off‐the‐shelf
tools or through a walk through of the application and its user configurations. The
auditor should also check that these settings do not violate the segregation of duties
concept.
d) Verify whether users have been provided adequate training
The IS Auditor should check the training documents to find out whether adequate
end user training has been provided to the users. He should also ensure that user
guides and system manuals have been provided by the ERP implementer.
e) Traditional GL balance checks and master data checks to be carried out
The IS auditor should also compare the GL data from the migrated ERP application
with the data available in the old GL. He should also look into the control accounts in
each of the modules and verify whether they tally with the control accounts balances in
the GL. Similarly, the auditor should look at the cut‐off documents in the old system and
the new ERP environment to take care of such cut‐offs.
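The GL and control account comparison described in this step is mechanical enough to script. The following is an added example, not code from the page or from any vendor, of the three checks an auditor would run over exported balances: the old and migrated GL compared account by account, each module's sub‐ledger tallied against its GL control account, and the migrated trial balance confirmed to still sum to zero. All account numbers and balances are constructed for illustration.

```python
"""Post-migration GL balance and control-account checks.
Added example; account numbers and balances are constructed, not ABC's data."""
from decimal import Decimal

# Constructed trial balances at the cut-off date: account -> closing balance
# (debits positive, credits negative), exported from the old and the migrated GL.
OLD_GL = {
    "1000 Cash":                Decimal("250000.00"),
    "1200 Accounts Receivable": Decimal("480000.00"),
    "1400 Inventory":           Decimal("915000.00"),
    "2000 Accounts Payable":    Decimal("-365000.00"),
    "3000 Equity":              Decimal("-1280000.00"),
}
NEW_GL = {
    "1000 Cash":                Decimal("250000.00"),
    "1200 Accounts Receivable": Decimal("480000.00"),
    "1400 Inventory":           Decimal("915250.00"),   # migrated with a difference
    "2000 Accounts Payable":    Decimal("-365000.00"),
    "2900 Migration Suspense":  Decimal("-250.00"),     # posted by the migration, absent in old GL
    "3000 Equity":              Decimal("-1280000.00"),
}

# Constructed sub-ledger balances in the migrated modules, keyed by their GL control account.
SUBLEDGERS = {
    "1200 Accounts Receivable": {"CUST001": Decimal("300000.00"), "CUST002": Decimal("179000.00")},
    "2000 Accounts Payable":    {"VEND001": Decimal("-205000.00"), "VEND002": Decimal("-160000.00")},
    "1400 Inventory":           {"ITEM-A": Decimal("500000.00"), "ITEM-B": Decimal("415250.00")},
}


def compare_gl(old, new):
    """Account-by-account comparison of the old and migrated GL.
    Returns (account, reason, old balance, new balance) for every exception."""
    exceptions = []
    for acct in sorted(set(old) | set(new)):
        o, n = old.get(acct), new.get(acct)
        if o is None or n is None:
            reason = "missing in new GL" if n is None else "missing in old GL"
            exceptions.append((acct, reason, o, n))
        elif o != n:
            exceptions.append((acct, "balance differs", o, n))
    return exceptions


def control_account_check(gl, subledgers):
    """Each module's sub-ledger must tally with its GL control account.
    Returns (account, GL balance, sub-ledger total) for every mismatch."""
    exceptions = []
    for acct, detail in subledgers.items():
        total = sum(detail.values(), Decimal("0"))
        if gl.get(acct) != total:
            exceptions.append((acct, gl.get(acct), total))
    return exceptions


def trial_balance_check(gl):
    """A migrated GL must still balance: the sum of all accounts is zero."""
    return sum(gl.values(), Decimal("0"))


if __name__ == "__main__":
    print("Old GL balances to", trial_balance_check(OLD_GL))
    print("New GL balances to", trial_balance_check(NEW_GL))
    for acct, reason, o, n in compare_gl(OLD_GL, NEW_GL):
        print(f"GL exception: {acct}: {reason} (old={o}, new={n})")
    for acct, gl_bal, sub_total in control_account_check(NEW_GL, SUBLEDGERS):
        print(f"Control account exception: {acct}: GL={gl_bal}, sub-ledger={sub_total}")
```

Balances are held as `Decimal` rather than floating point so that a one‐paisa difference is reported as a difference and not lost to rounding. On the constructed data the script reports the inventory difference and the suspense account the migration created, and separately flags that the receivables sub‐ledger no longer tallies with its control account even though the GL itself still balances; the three checks catch different migration faults and are worth running together.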
After risk analysis, assessing the probability that the risks identified will
materialize together with their likely effect and documenting the risks along
with the controls that mitigate these risks. Inclusion of most likely source of
threats‐ internal as well as external sources‐ such as hackers, competitors and
alien governments.
e) Audit Objectives:‐ Review of areas, such as:‐
a) Communications (covering risks such as sniffing and denial‐of‐service,
and protections such as encryption technologies and fault tolerance).
b) Network architecture, virtual private network, application delivery
c) Security awareness, user administration
d) User and session administration (covering risks such as hijacking,
spoofing and loss of integrity of data)
e) Physical security
f) Public key infrastructure
g) Backup and recovery procedures
h) Operations (such as incident response and back‐office processing)
i) Technology architecture (such as feasible, expandable to accommodate
business needs and usable)
j) Security architecture.
k) Security software (such as IDS, firewall and antivirus)
l) Security administration.
m) Patch deployment
n) Business contingency planning
f) Work Plan:‐ It includes the following
Based on the information obtained and the scope and objectives of the
engagement, we shall document the way business security and IS objectives
(when applicable) are affected by the identified risks and controls that mitigate
those risks.
In this process we shall evaluate areas of weakness or vulnerabilities that need
strengthening. New controls identified as mitigating the risks considered shall
be included in a work plan for testing purposes.
The primary objective of this Information Systems Audit assignment was to
provide assurance to the management of ABC Limited (ABC) on
the availability, appropriateness and adequacy of controls in the critical
operations and transaction processing, capex and opex, through a review of the
control framework of their in‐house package covering critical operations and
transaction processing, a review of the logical access controls over critical
operations and transaction processing, capex and opex, and an
implementation audit of general controls at all branches with specific
emphasis on the implementation of controls.
Proposed Scope of Review/Terms of Reference
Based on understanding of ABC's needs for conducting systems audit the major
questions to be answered in determining which ERP system to select are:
What is the return on investment of a cloud environment versus an in‐house
hosted solution?
What is the total cost of ownership for each system under each option
(cloud based if available versus in‐house hosted)?
Will additional hardware be necessary to operate in a cloud environment
versus an in‐house hosted one with remote access?
Can the ERP system manage the level of seats required for functionality
Ease of data migration from one system to another (e.g., will data integrity
remain intact, can data be migrated easily or will it require manual efforts)
Understanding any unique requirements at a country and site level and
ensuring that these needs can be met by the selected system
Which system offers the greatest capability for ABC's needs with the
least amount of customization?
What is required for implementation and what type of support does
the vendor offer?
Who will actually be doing the implementation (e.g., does the vendor have
its own in‐house implementation team or do they subcontract this out)
How flexible is the system and how easily can it be modified to meet
changing business needs
Are there any other business processes that can be improved through the
implementation of one ERP system over another?
Given this set of issues to be resolved, the recommendations for an ERP system as
a cloud solution or an in‐house solution are as follows:
1. Hire an experienced system analyst and other appropriate SMEs to aid in the
review of ERP options and the analysis of unique requirements
2. Have each of the four vendors provide proposal and a demonstration of their
system capabilities
3. Down select to two vendors, provide them with a script that contains all of the
business processes the system must encounter in a day and have them provide a
proof of concept.
Risks Assessed and Controls Recommended

1. Security
Risk: Moving a vital system into a shared environment is compelling for customers, but building trust is not easy; providers enhance their customer and partner relationships by enhancing their security services. A complex application like ERP also needs intensive set-up and management. Cloud computing does not change the services of the ERP; it is only a delivery mechanism, and it is the solution that changes.
Recommended control: The cloud provider can offer higher-level security per user, unit of storage, unit of processing power etc., because it is dealing with bigger systems as well as many customers. At the same time, it has to satisfy the service requirements explained in the SLA section previously.

2. Authentication and Authorization
Risk: The complexity of ERP systems increases the complexity of security configurations, which may lead to potential security vulnerabilities. Cloud computing has introduced new challenges and opportunities for tenant authentication. In the cloud environment, access responsibility is divided among a few parties, such as the users, the cloud providers and the third-party providers.
Recommended control: RBAC can be a solution for enhancing current cloud ERP security so that only authorized sources have access. Moreover, it is important to set appropriate access roles for the user, the cloud ERP provider and the third party. The cloud ERP application interface is accessible via the Internet browser, so the user is authenticated by the system with an identifier and a password to reach the cloud ERP service as a tenant in the system.

3. Recovery of Data
Risk: Recovery of data on the cloud in case of data loss can be a major issue.
Recommended control: The reliability and security of the vendor can be verified by a security audit conducted at the vendor.

4. Compliance Risks
Risk: Lack of legal and data protection compliance is a significant risk to consider in the cloud model. Each country has different restrictions and requirements for accessing sensitive data. The cloud customer needs to pay attention to the jurisdictions in which the data is processed.
Recommended control: Cloud ERP needs to satisfy the standards and legislation applicable to both cloud computing and the ERP. As an example, cloud ERP providers should meet or exceed the traditional ERP security compliance requirements such as ISO 27001 certification, SAS 70 Type II certification and ISAE 3402 certification.

5. Availability of Data
Risk: An ERP system consists of several modules and their connections with the ERP components. In order to maintain business continuity, an ERP system needs to remain available 24/7, and, depending on the complexity of the system, a number of risk factors can threaten its availability. For example, the ERP uses a central database which connects all of the functions. There can be another issue related to the application interface of the ERP, which is the user's control panel for the ERP system: any software bug or application crash might cut the connection between the components and make the services unavailable.
Recommended control: The application and its components should be tested and monitored regularly. Companies need to consider appropriate solutions to prevent ERP service unavailability, which may be caused by a system restore or downtime. Preventing unavailability can be achieved by creating and applying a set of security policies. Internet browser security is vital and can be achieved by using several enhancements such as SSL, virtual local area networks, firewalls, packet filters etc. User access to the cloud application is also important. Current solutions require the user to enter their identifier and password; the cloud vendor's identity control and management service then establishes an identity check of the entered details. This step can be enhanced by using multi-factor authentication such as biometrics, one-time passwords, smart cards etc.

6. Performance Risks
Risk: Speed and reliability of data processing are to be comparable with the existing system.
Recommended control: This needs to be ensured by test checks on a frequent basis.

7. Strategic Risks
Risk: By outsourcing such a business-critical system as the ERP, companies usually bear an increased strategic risk of high dependency on the service provider.
Recommended control: Appropriate management oversight is required to decide which information processing can be outsourced and which cannot.

8. SLA Issues
Risk: In many cases it is rather hard to accurately define the Service Level Agreements (SLAs) negotiated between the cloud service provider and its corporate clients. These SLAs usually do not really cover such aspects as confidentiality and integrity, leaving space for unclear damage liability.
Recommended control: The SLAs should be designed carefully in consultation with all experts, especially the IS auditor.
effectively.
- Inventory should not go negative and should be reduced proportionately; otherwise a warning should be generated.
4. Accounts Payable Management
- Creditor bank details should not be allowed to be modified without authorization.
- A complete three-way match (purchase order, goods receipt and invoice).
- Manual duplicate payment search.
- Split cheque printing and signing.
5. Financial Accounting
- The FICO module should be synced and updated.
- The date and time of the last sync should be printed on reports if required.
- Automatic locking of books on a monthly basis.
- Automatic account posting only after review and approval.
6. Management Accounting
- Cost should be updated based on the purchase order.
- Variance beyond a limit should be automatically reported.
- The costing methodology should not be editable without authorization.
7. Management Information System
- MIS access should be very discreet, and only limited access should be allowed based on user designation.
- A log of access is to be maintained.
- Report printing, emailing or transfers should be restricted and allowed only after authorization.
8. Fixed Asset Management
- Asset addition and deletion should be manually approved.
- Disposal of an asset only after accounting in accounts receivable.
- Asset transfer should not be allowed without a transfer note generated in the ERP.
9. Inventory Management
- Raw material and FG availability.
- Reorder point.
- Bottleneck enhancement.
- Unauthorized modification of SKUs or consumption values is to be restricted.
10. Service Management
- Services to be approved only after a ticket is generated by the customer.
- Parts replaced or reissued are to be issued by stores only after system-generated memos.
- Service invoices are to be generated as soon as services are completed and should be matched with service logs.
11. Sales Opportunities Management
- Lead commissions to be disbursed only after sale completion and payment receipt, or as per the terms of the contract with leads.
12. HR and Payroll
- Salary figures should be highly confidential.
- Change authorizations.
- Change logs to be maintained.
- Expense trend lines.
- Separation of duties.
- Automatic time keeping system integration.
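An illustrative way an IS auditor could test the Accounts Payable controls listed above (the three-way match and the duplicate payment search) over constructed data. This is an added example, not part of the proposal or of the WOCS product; the supplier, PO, invoice and payment ids are made up, and the match tolerance is an assumed value.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample records (hypothetical supplier, PO, invoice and payment ids).
PURCHASE_ORDERS = {
    "PO-1001": {"supplier": "S-01", "qty": 100, "unit_price": Decimal("12.50")},
    "PO-1002": {"supplier": "S-02", "qty": 40, "unit_price": Decimal("80.00")},
}
GOODS_RECEIPTS = {"PO-1001": 100, "PO-1002": 35}  # quantity received per PO
INVOICES = [
    {"inv": "INV-7", "po": "PO-1001", "supplier": "S-01", "qty": 100, "amount": Decimal("1250.00")},
    {"inv": "INV-8", "po": "PO-1002", "supplier": "S-02", "qty": 40, "amount": Decimal("3200.00")},
    {"inv": "INV-9", "po": "PO-9999", "supplier": "S-03", "qty": 1, "amount": Decimal("500.00")},
]
PAYMENTS = [
    {"pay": "P-1", "supplier": "S-01", "inv": "INV-7", "amount": Decimal("1250.00")},
    {"pay": "P-2", "supplier": "S-01", "inv": "inv 7", "amount": Decimal("1250.00")},
    {"pay": "P-3", "supplier": "S-02", "inv": "INV-8", "amount": Decimal("3200.00")},
]


def three_way_match(invoice, tolerance=Decimal("0.01")):
    """Compare an invoice against its PO and goods receipt.
    Returns a list of exceptions; an empty list means the three documents agree."""
    issues = []
    po = PURCHASE_ORDERS.get(invoice["po"])
    if po is None:
        return ["no purchase order"]
    if po["supplier"] != invoice["supplier"]:
        issues.append("supplier mismatch")
    received = GOODS_RECEIPTS.get(invoice["po"], 0)
    if invoice["qty"] > received:
        issues.append(f"billed {invoice['qty']} but received {received}")
    expected = po["unit_price"] * invoice["qty"]
    if abs(invoice["amount"] - expected) > tolerance:  # assumed tolerance of 0.01
        issues.append(f"amount {invoice['amount']} differs from PO value {expected}")
    return issues


def normalize_ref(ref):
    """Strip punctuation, spaces and case so 'INV-7' and 'inv 7' collide."""
    return "".join(ch for ch in ref.upper() if ch.isalnum())


def duplicate_payments(payments):
    """Group payments by supplier, normalised invoice ref and amount;
    any group with more than one payment is a suspected duplicate."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p["supplier"], normalize_ref(p["inv"]), p["amount"])].append(p["pay"])
    return [ids for ids in groups.values() if len(ids) > 1]


def run_ap_audit():
    """Exceptions per invoice, plus the suspected duplicate payment sets."""
    return {inv["inv"]: three_way_match(inv) for inv in INVOICES}, duplicate_payments(PAYMENTS)
```

The normalised reference is what makes the duplicate search catch the re-keyed invoice number that an exact-match search would miss.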
Moving to the cloud could be very costly. In terms of ERP costs, businesses need to consider:
- Acquisition costs: cost of acquisition and deployment.
- Customization costs: cost to implement the ERP as per the needs and wants of the business.
- Testing costs: technical tests, compatibility tests, availability tests and user acceptance tests.
- Upgrade costs: conducting periodic ERP reviews and managing the ERP accordingly.
- Conversion costs: cost of converting the present files to the new ERP system.
- Personnel development and training costs for employees.
- Unforeseen expenditures: costs which cannot be budgeted.
Thus, even though the initial costs may be higher, if the migration is implemented successfully and future business needs are considered, cost should not weigh much in decision making, provided the expenditure is budgeted and adequate checks are implemented on expenditures.
Summary/Conclusion
The goal of this proposal was to determine if it was reasonable for ABC to move to a cloud-based ERP application, 'Wilson's On Cloud Solution (WOCS) - Standard Version', in order to improve operational efficiencies, reduce IT costs related to ERP systems, and improve insight into the financial management aspects of the company for improved strategic planning and performance monitoring.
A sub-goal was also to determine if, by migrating to a single ERP application, 'Wilson's On Cloud Solution (WOCS) - Standard Version', ABC might be able to realize cost savings through the reduction of support personnel and through a reduction in licensing/maintenance costs. This review has established that a reduction in maintenance costs would be highly likely, yet a full assessment of current costs against the maintenance costs of a single solution remains necessary to fully recognize the scope of that saving. Regardless, we have established that moving to a single ERP application will reduce the required level of IT support at the divisional and corporate level by approximately one third, which allows for a cost saving. Again, though, until a final solution is selected by management, the full significance of this saving cannot be firmly established.
Moving to a single ERP solution, 'Wilson's On Cloud Solution (WOCS) - Standard Version', will allow all divisions to function from a common ERP platform and will remove the need to perform many of the accounting and operational functions outside of the system. This ensures that management has immediate and relevant access to meaningful data that is system driven, immediate and on demand, instead of having to wait for somebody to "manipulate" the data into a format that may or may not be truly accurate depending upon the human error factor.
We have demonstrated that a strong cost savings potential exists, as well as a definite ability to meet the greater need of improving operational functionality and management decision-making capabilities, should ABC migrate to a single ERP solution, 'Wilson's On Cloud Solution (WOCS) - Standard Version'. The determination to place an ERP solution into a cloud environment remains an open item in terms of cost savings; however, it is clear that a reduction of IT department infrastructure can be realized with a move from a decentralized IT department structure to one that is centralized.
Summary of Recommendations
Scope
The regulation applies if the data controller (an organisation that collects data from EU residents), or
processor (an organisation that processes data on behalf of a data controller like cloud service
providers), or the data subject (person) is based in the EU. Under certain circumstances,[5] the
regulation also applies to organisations based outside the EU if they collect or process personal data
of individuals located inside the EU. The regulation does not apply to the processing of data by a
person for a "purely personal or household activity and thus with no connection to a professional or
commercial activity." (Recital 18)
According to the European Commission, "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address."
The regulation does not purport to apply to the processing of personal data for national security activities or law enforcement of the EU; however, industry groups concerned about facing a potential conflict of laws have questioned whether Article 48[7] of the GDPR could be invoked to seek to prevent a data controller subject to a third country's laws from complying with a legal order from that country's law enforcement, judicial, or national security authorities to disclose to such authorities the personal data of an EU person, regardless of whether the data resides in or out of the EU. Article 48 states that any judgement of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may not be recognised or enforceable in any manner unless based on an international agreement, like a mutual legal assistance treaty in force between the requesting third (non-EU) country and the EU or a member state. The data protection reform package also includes a separate Data Protection Directive for the police and criminal justice sector that provides rules on personal data exchanges at national, European, and international levels.
A single set of rules will apply to all EU member states. Each member state will establish an independent supervisory authority (SA) to hear and investigate complaints, sanction administrative offences, etc. SAs in each member state will co-operate with other SAs, providing mutual assistance and organising joint operations. If a business has multiple establishments in the EU, it will have a single SA as its "lead authority", based on the location of its "main establishment" where the main processing activities take place. The lead authority will act as a "one-stop shop" to supervise all the processing activities of that business throughout the EU (Articles 46–55 of the GDPR). A European Data Protection Board (EDPB) will co-ordinate the SAs. The EDPB will replace the Article 29 Data Protection Working Party. There are exceptions for data processed in an employment context or in national security that still might be subject to individual country regulations (Articles 2(2)(a) and 88 of the GDPR).
- For the legitimate interests of a data controller or a third party, unless these interests are overridden by the Charter of Fundamental Rights (especially in the case of children).
- To perform a task in the public interest or in official authority.
- To comply with a data controller's legal obligations.
- To fulfil contractual obligations with a data subject.
- To perform tasks at the request of a data subject who is in the process of entering into a contract with a data controller.
- To protect the vital interests of a data subject or another person.
If informed consent is used as the lawful basis for processing, consent must have been explicit for the data collected and for each purpose the data is used for (Article 7; defined in Article 4). Consent must be a specific, freely given, plainly worded, and unambiguous affirmation given by the data subject; an online form which has consent options structured as an opt-out selected by default is a violation of the GDPR, as the consent is not unambiguously affirmed by the user. In addition, multiple types of processing may not be "bundled" together into a single affirmation prompt, as this is not specific to each use of data, and the individual permissions are not freely given (Recital 32).
A data controller may not refuse service to users who decline consent to processing that is not
strictly necessary in order to use the service (Article 7(4)). Consent may be withdrawn at any time.
Consent for children, defined in the regulation as being less than 16 years old (although with the
option for member states to individually make it as low as 13 years old (Article 8(1)),[12] must be given
by the child's parent or custodian, and verifiable (Article 8).[13]
If consent to processing was already provided under the Data Protection Directive, a data controller
does not have to re-obtain consent if the processing is documented and obtained in compliance with
the GDPR's requirements (Recital 171).
Thank You