Details of Case Study/Project
ABC Automobile Ltd. (the auditee) makes luxury buses in south India. It is well equipped with the complete infrastructure, has kept pace with changing technology and produces high quality buses. It currently uses a stand‐alone accounting and inventory package which has limited functionality. It has aggressive business growth plans and has found that the current software solution cannot meet its future
ABC Automobiles has decided to migrate to ‘Wilson’s On Cloud Solution (WOCS) ‐ Standard Version’, a robust full‐suite ERP developed using Wilson Virtual Works, a state‐of‐the‐art software engineering and delivery platform. WOCS is expected to enable ABC to reap the benefits of a solution with “built‐in best practices” together with a highly “flexible framework” to ensure solution alignment to the “dynamic business requirements” of ABC.
The WOCS solution has standard product features which cannot be modified except according to the methodology followed by Wilson, and the customer has to use the existing product without any changes. Under the software‐as‐a‐service (SaaS) delivery model, WOCS will not change the data entry screens or processes to suit an individual customer’s needs.
Proposed Solutions to case study
Technology is changing and developing faster than ever before, and everyday people are faced with new tools and services in their daily life. Cloud ERP is an approach to enterprise resource planning (ERP) that makes use of cloud computing platforms and services to provide a business with more flexible business process transformation. Cloud based ERP benefits customers by providing application scalability and reduced hardware costs.
So in the given situation the company has decided to migrate to ‘Wilson’s On Cloud Solution (WOCS) ‐ Standard Version’, a robust full‐suite ERP developed using Wilson Virtual Works, a state‐of‐the‐art software engineering and delivery platform. WOCS is expected to enable ABC to reap the benefits of a solution with “built‐in best practices” together with a highly “flexible framework” to ensure solution alignment to the “dynamic business requirements” of ABC.
However, the constraint is that most of the staff are not computer savvy and have limited knowledge of using computers. The Managing Director of the company, who has taken charge of the project, is confident of training employees and implementing the proposed ERP solution. Further, the cost consideration based on a model implementation of a 10‐user licence shows a favourable cost benefit analysis and justifies the investment. The vendor is expected to provide one week of training to employees so that they can configure and implement the solution as per their specific business processes.
The Business policies and procedures to be followed are divided into 4 sections:
Foundation Discipline: ‐ It discusses the ERP Database and required procedures to support the maintenance and updating activity with respect to key data elements such as inventory, bill of material structures, routings and open orders.
Modules of ERP: ‐ It documents those policies and procedures which are required to operate an ERP system on an on‐going basis. It documents the functions with respect to sales forecasting, material requirements planning, purchasing etc., including the measurements which will be put in place to ensure a successful Class ‘A’ ERP operation.
ERP Project: ‐ It discusses the policies and procedure which are required during the implementation phase with respect to areas such as education, documentation and the project control plan.
Responsibility Index: ‐ It will cross reference all of the policy and procedure to the respective departments that would need to use some or all of those procedures in their daily operations. These departments would include such areas as finance, material management and ERP project team.
Although each document is referred to as a procedure, the documents truly represent a combination of policies, procedures and documentation. This policy and procedure manual is part of the total documentation for the cloud‐based ERP system. In the scenario referred to above, we, M/s RSA and Associates, Chartered Accountants, have been appointed to perform a risk assessment of the deployment solution, to provide assurance on the reliability and practical implementation of the solution, and to perform a cost benefit analysis of the solution.
We at RSA and Associates have expertise in performing IS audits. We are a firm of 8 partners in total, of whom more than 2 are DISA qualified and 3 are CISA qualified. We have around 10 years’ experience in conducting IS audits and around 3 years in assisting with reviews of cloud ERP systems for various clients.
We believe that these 11 steps are to be followed to execute the successful migration from on‐premise to Cloud ERP solution:‐
Get management’s nod: To make such a big change, such as moving entire IT structure to the cloud in any organization, it is important to bring everyone on the same page; especially the decision makers of the company. As soon as you realize the need to move on the cloud, get involved with senior managers, the board of directors and IT team to analyze the potential pitfalls and ways to overcome them before, during and after the migration.
Pre‐migration decisions: It may be that part of your existing IT landscape is not fit for the cloud. Certain applications might not be portable, or may be latency‐sensitive and work only on local servers. Hence, it is imperative to distinguish the applications best suited to run in the cloud and prepare for the migration of only those.
SWOT analysis: It is a widely adopted method for estimating the strength, weakness, opportunity and possible threats due to the decision of switching to Cloud‐based ERP solution. This can be achieved by practicing process mapping to redefine, reorganize and filter existing processes. Moving to the cloud doesn’t mean copying the same processes for the on‐cloud solution; rather you must identify only those processes imperative to meet the ends. Only the best practices must be selected to map the needed configurations and future needs of the organization. Thus, you avoid age old, redundant, and inefficient practices and welcome much simpler and easy to follow steps that are compatible with Cloud-based solutions.
Select the right team, right vendor, and right platform: Ensure suitable representatives are in place upfront for deciding strategic objectives, funding decisions, managing resources, and risks for the big switch. No vendor is good or bad in the abstract, but ensure that your vendor is a certified cloud solution provider and can evidence its security controls. Every solution is unique in its own right; the one that relates truly to your business processes is the best cloud ERP solution for you. The team involved in moving to the cloud must research the available cloud ERP options and evaluate them on module set, organization size, workload standards, flexibility, and costs.
Finalize key Cloud components: Shifting to Cloud ERP solution from an on‐premise one involves a major change in the IT structure of your organization, and you must be well prepared for that change. One must decide on what you are going to do with the existing IT infrastructure and how much of that can be used with the new Cloud‐based solution. Determine the specific cloud components necessary for the migration, such as monitors, databases, and networking or collaboration equipment. This way, you cut down on additional expenses and make use of existing resources. Pre‐decide in which order the applications or environment will be migrated to the cloud so that the continuity of the production does not suffer.
Make a plan: Since there is no substitute for planning, you must have a blueprint ready. Realignment of the assigned team, resources, and workload sharing during the migration must be done well in advance. Define clear deadlines for what is to be done, when it is to be done, and how it is to be done. No solution is a tailor‐fit and performance gaps are bound to occur, hence decide on the type and extent of customization beforehand and convey your concerns to the vendor’s team. Many cloud ERPs do allow customization, but the WOCS Standard Version offers none, so in the present case the plan must instead establish which gaps can be closed by configuration and which must be absorbed by changing ABC’s own process.
Strong backup: In a cloud‐based ERP the data is not stored on your local servers; it is held by the provider and is not directly accessible to you. Therefore, ensure a safe and reliable data backup before taking the plunge, in order to avoid any mishaps and data disasters, and confirm in the contract how you will get a usable copy of your data back after migration. In case you are migrating a large amount of data to the cloud, your partner must be well versed in data batching, replication, and backup. Encourage the involvement of your team with cloud specialists, developers, system architects, and project managers so that they gain knowledge for any such future migrations. Begin the implementation process slowly yet steadily, step by step.
Execute & deploy: The execution of plan deals with step‐wise carrying out of implementation strategies. Though there is no need to install any additional hardware, making the IT environment cloud‐ready is a must. Deployment deals with uploading the new ERP solution design on existing IT infrastructure, data visualization and enabling the Business Intelligence capabilities to offer the cutting‐edge functionality. Data migration over the cloud must be performed with extreme caution. Ensure a dry run just before going live.
Monitor the progress: Monitoring is always essential even when you are switching to cloud from an on‐premise solution. A formal issue tracking process should be formulated to identify and address the roadblocks in the new cloud environment. Since migration to the cloud needs everyone’s attention and contribution, hence periodic reports must be prepared based on the respective goals of individuals and the team as well. With the help of regular monitoring, the delays can be identified and also covered up by obtaining the expert opinion.
Go live & handover: Soon after everything is in place, it’s time to finally switch to the new Cloud‐based ERP system. The on‐cloud solution can be made live under consultant’s guidance. It’s best to consider the vendor’s advice as the thumb rule. Gradually, the new system is handed over to your staff and tested for smooth and uninterrupted operations.
Training and change management: Since working on the cloud is a totally new experience for your staff, detailed information about absolutely everything should be demanded by the management. Though the training is not extensive and as elaborate as during on‐premise implementation, detailed insights by the experts on every aspect certainly help in smooth running of the operations even in their absence.
Analysis of Present System/Auditee Environment
Key take away of the client is:‐
a) Client is a manufacturer of motor vehicles (luxury buses), which requires extensive assembly work and multiple inventories.
b) Client has a geographically scattered business with a head office and four branches.
c) Client has a standalone accounting and inventory package, so all transactions have to be updated manually again at the different module levels and constantly kept in sync.
d) Client maintains extensive paper documents mainly to keep all the records and verify data integrity.
e) Client has aggressive growth plans; with the present limitations and without effective IT management, it can be inferred that the current software solution cannot meet its future business requirements.
Analysis of Proposed System
It has been proposed by the client that they will migrate to Wilson’s On Cloud Solution (WOCS) ‐ Standard Version’; a robust full suite of ERP developed using Wilson Virtual Works, a state‐of‐the‐art software engineering and delivery platform.
Its key benefits are as under:‐
1. It has built in Best practices
2. Highly Flexible Framework
3. Ensure alignment of business requirements of the client.
The WOCS solution has standard product features which cannot be modified except according to the methodology followed by Wilson, and the customer has to use the existing product without any changes. Under the software‐as‐a‐service (SaaS) delivery model, WOCS will not change the data entry screens or processes to suit an individual customer’s needs.
Wilson Solutions provides a single version of the product at any point in time. All product feature upgrades and updates are made available as part of the standard offering. The requirements are market driven and are prioritised on various criteria such as statutory needs, best business practice and key business processes. As a practice, upgrades are provided once a month. Since every customer receives the same monthly upgrade and cannot defer it, the review should confirm that release notes are published in advance and that a test tenant is available to re‐run ABC’s critical transactions before each upgrade reaches production. The scope of the project includes implementation of Wilson ERP on Cloud ‐ Standard Version for the legal entities of ABC for the modules listed below, within the available product features of that version.
The modules included in the scope are:
1. Sales & Shipping Management
2. Accounts Receivable Management
3. Purchase Management
4. Accounts Payable Management
5. Financial Accounting Management
6. Accounting Management
7. Information System
8. Fixed Asset Management
9. Inventory Management
10. Service Management
11. Sales Opportunities Management
12. Discrete Production Maintenance Management
13. HR & Payroll
Security policies present in the currently deployed system, their concerns and comparison with cloud systems
a) Physical security
Even a cloud application and its data must be located somewhere. The physical surroundings of the hardware are an important component of the business continuity plan as well as of the software security plan. A physical security breach means that somebody with malicious intent has physical access to the hardware on which your application runs or on which your data is stored.
If other controls are in place, in particular encryption of data at rest with keys held outside the compromised hardware, a physical security breach need not result in disclosure of data. If the intruder’s intent is to disrupt your service, however, a lapse in physical security will be a problem regardless. Part of your business continuity plan should therefore include a solid physical security plan. When applications and data run in an external cloud, the physical environment is located off‐premise. In most cases physical security in a purpose‐built data centre is far better than that in an office building or an internally run server room: all building access is logged, cameras are in place, and cleaning staff are not generally milling about after hours. Strong authentication technology (fingerprint, ID badge, retina scans) is often implemented. SaaS applications are run by administrators employed by the software vendor or cloud provider, not by the company that purchased the ERP software; the quality and reliability of those administrators depends more on the resources and focus given to the task than on who the employer is. Since ABC cannot inspect the premises itself, it should obtain the provider’s independent attestation of physical security (for example a SOC 2 or ISO/IEC 27001 report) and confirm where the data centre is located.
b) Transmission Security
When data is communicated between the user, the application server and the database, transmissions can be intercepted on the network. The standard prevention is to encrypt all communications between source and destination. Encryption has a processing cost, but with the hardware acceleration in current CPUs it is small relative to the rest of the application stack, and it is not a valid reason to leave any of these links unencrypted.
There are several cryptographic mechanisms used to protect communications. The underlying idea is that sensitive or private data is scrambled using an encryption key and an encryption algorithm, and cannot be read without the corresponding decryption key. The decryption key is either the same as the encryption key (symmetric algorithms such as AES) or different from it (asymmetric algorithms such as RSA). If encrypted data is intercepted, the attacker’s only option without the key is to guess it, which is computationally infeasible for current key sizes (AES‐128 or AES‐256, RSA of 2048 bits or more). In practice, traffic between browser and server and between server and database is protected by TLS, the successor to Secure Socket Layer (SSL): the server presents a certificate signed by a certificate authority, the client verifies that certificate, and the two sides negotiate a fresh session key for each connection; nobody looks the key up from a “key master”. Obsolete mechanisms still listed in older ERP literature, such as Data Encryption Standard (DES), Triple DES and SSL itself, should be refused. The auditor should confirm that the vendor enforces TLS 1.2 or later with verified certificates on every user, server and database connection.
c) Storage security
When ERP data is accessed by users, the business logic limits access to users with the proper credentials (see the section on application security). But suppose a database administrator has direct access to the data in the database. In that case, the data can be viewed without going through the business logic at all.
To protect against this, sensitive data should be encrypted when it rests in the database or file system, with the keys held by the application (or a key management service the application controls) and not by the database administrator. Someone who reads the table directly then sees only ciphertext; only the application, which holds the key, can decrypt it, so a legitimate user working through the application is not affected.
In cloud systems, data is stored in a remote location on servers maintained by the cloud provider. The provider should have procedures in place to ensure there is no direct snooping into client data, but somebody has to perform database administration, and usually that person is not employed by the client. The ability to pick and choose which fields to encrypt at the database level is important, since encrypting only the sensitive columns (bank account numbers, salaries, personal identifiers) gives protection without adversely impacting performance. The auditor should ask who holds the encryption keys, where they are stored and whether the provider’s own administrators can retrieve them.
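As an added example (not Wilson’s code and not part of the original case study), the following Go program shows what field‐level encryption looks like when the application rather than the database administrator holds the key. Only the sensitive column is encrypted, with AES‐256‐GCM; the record identifier and column name are bound into the authentication tag, so a ciphertext copied from one employee’s row into another, or altered in place, is rejected on decryption. The key, record identifiers and column names are constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// FieldCipher encrypts individual sensitive columns with AES-256-GCM.
// The key lives with the application (or its key management service),
// never in the database that the DBA can read.
type FieldCipher struct {
	aead cipher.AEAD
}

// NewFieldCipher requires a 32-byte key (AES-256).
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// fieldContext binds the ciphertext to one record and one column through
// GCM's additional authenticated data, so it cannot be moved elsewhere unnoticed.
func fieldContext(recordID, column string) []byte {
	return []byte(recordID + "/" + column)
}

// Seal encrypts one field value and returns base64(nonce || ciphertext || tag),
// which is the value actually stored in the database column.
func (f *FieldCipher) Seal(recordID, column, plaintext string) (string, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per value
		return "", err
	}
	sealed := f.aead.Seal(nonce, nonce, []byte(plaintext), fieldContext(recordID, column))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Open decrypts a stored value; any change to the bytes, or use under a
// different record or column, fails authentication and returns an error.
func (f *FieldCipher) Open(recordID, column, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := f.aead.NonceSize()
	if len(raw) < ns+f.aead.Overhead() {
		return "", errors.New("stored value too short to be a valid ciphertext")
	}
	pt, err := f.aead.Open(nil, raw[:ns], raw[ns:], fieldContext(recordID, column))
	if err != nil {
		return "", errors.New("authentication failed: value altered or moved to another record")
	}
	return string(pt), nil
}

func main() {
	// Constructed demo key; a real deployment loads it from a KMS or HSM.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	fc, err := NewFieldCipher(key)
	if err != nil {
		panic(err)
	}
	stored, _ := fc.Seal("EMP-0001", "bank_account", "123456789012")
	fmt.Println("stored in DB:   ", stored)
	pt, _ := fc.Open("EMP-0001", "bank_account", stored)
	fmt.Println("application sees:", pt)
	if _, err := fc.Open("EMP-0002", "bank_account", stored); err != nil {
		fmt.Println("copied to another row:", err)
	}
}
```

The audit question this answers is not whether the vendor “encrypts the database” but whether a DBA with a copy of the table can read or move values; with the key outside the database and the record identity in the authenticated data, the answer to both is no.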
d) Access Security
Access (or perimeter) security is important for preventing unwanted users from grabbing resources and sending unauthorized queries to your servers. Usually this is accomplished through the use of firewalls that prevent unwanted traffic from communicating with your business applications. Lack of access security could impact your application availability (in the case of a denial of service attack) and provide hackers with a way in to make it easier to steal resources or Passwords.
Cloud systems should be protected by perimeter security just as you would protect any on‐premise application. Verify that your cloud provider has firewall protection in place to keep intruders out and to absorb denial‐of‐service attacks. A multi‐tenant cloud application is slightly different because, by definition, multiple customers use the same application code and the same resources. In that case the vendor must enforce tenant isolation (every query and every screen scoped to the customer’s own tenant, and separate encryption keys per tenant where offered) so that a compromise of customer B’s account or data cannot affect customer A.
e) Data security
Data security limits access to data objects to specific individuals. Different levels of data security include read‐only, edit, insert and delete; data security can be set at the application or object level.
Most data security is limited to data access. Once a user gains access to specific information, screens or reports, the information can be downloaded and shared with others. Digital rights management goes one step further by “wrapping” data objects with rights that follow the object wherever it goes. In this case, users can forward the encrypted data, but it cannot be viewed or changed unless the recipient can be verified.
Data security in cloud applications is similar to that in traditional applications. Once individuals gain access to the system, the business logic controls the specific operations that individual users can perform on different objects. In some multi‐tenant SaaS applications, database‐level security (separate schemas or row‐level tenant filtering) may be used as an additional measure to separate the data objects of different companies.
f) Application security
Application security encompasses two major areas — the way the application authenticates and manages users and the way in which application code is managed.
g) User Authentication
User authentication usually involves a username and password to identify legitimate users. Establishing identity reliably is critical because every later data security decision (what the user may read, edit, insert or delete) rests on it. A password alone is a weak control for a system reachable from the internet; the auditor should check the vendor’s password policy, account lockout, session handling and whether a second authentication factor is available, at least for administrative and finance users.
Scope of the Assignment
The Board of Directors is concerned about the security of its data and the capability of the solution to meet current and future requirements. It wants independent assurance that the solution is reliable and can be implemented practically, in a safe and secure manner, to achieve current and future business goals cost effectively. It also wants a total review of the overall cost of the proposed solution.
Security is a major concern in a cloud environment. The concerns can be addressed by applying controls; however, the operability of the deployed software model and its acceptance by users are still open questions for any organisation before it migrates to a different environment. It is therefore important to conduct a pre‐review study and a feasibility study.
Areas being reviewed are as follows:
a) Criticality of application being sent to the cloud.
b) Outsourcer’s Experience with SLA and vendor management
c) Cloud Vendor’s policy on vulnerability management – reporting, commitment to following up, promptly responding to reports etc.
d) Information systems audit of all or any aspect of security policy, business continuity, environmental controls, physical access, logical access and application security.
e) Compliance with enterprises policy, procedures, Standards and practices as relevant.
f) Compliance with regulations as applicable.
g) Provide management with an assessment of impact by implementation of Wilsons on cloud solutions, security policy and procedures and their operating effectiveness.
h) Identify internal control and regulatory deficiencies that would affect the organization. Identify information security control concerns that could affect the reliability, accuracy and security of enterprises data due to weaknesses in the package solutions offered by the vendor.
The Review will focus on the following risks:
a) The dependency level on the vendor
b) If the computing service fails, whether users will be unable to access programs or data.
c) Can the computing services lose the auditees data?
d) The risk of increased complexity of compliance with laws and regulations.
e) The risk that information cannot be retrieved without delay when required.
f) In case of disaster information may not be immediately located.
g) Whether applicable data protection regulations (including GDPR, where ABC’s data subjects fall within its scope) are followed.
h) Data collection and storage policies of the Service provider.
Assurance on Reliability/ Audit of pre‐migration activities
The IS Auditor should prepare a checklist of audit steps on the pre‐migration activities, which is similar to the one illustrated below.
a) Check whether a migration plan has been prepared
To ensure that the project is progressing in the correct direction, it is important that a project quality plan or method document is produced. This document explains to both the supplier and the customer the principles of the approach and how they will be implemented across the project. Along with this, it is essential to develop a detailed project plan stating the project phases, milestones and dependencies as well as the responsibilities for each activity.
Implementing ERP software is generally too complex for “in‐house” skill, so it is desirable to hire professionally trained outside consultants for three types of services ‐ Consulting, Customization, Support. The length of time to implement an ERP system depends on the size of the business, the number of modules, the extent of customization, and the scope of the change and the willingness of the customer to take ownership of the project.
b) Verify the business blue print or business process mapping document
Identifying critical business processes is essential for business process mapping, which involves defining what activities the business entity performs, the people who are responsible for them, the standards to which the activities or the process should adhere to, and measuring the success of the business process. The specific assessment of the processes will obviously be dependent on the business sector and key drivers within the individual organization. For example, the criteria to select critical business processes may include:
What are the high volume business processes?
What are the major revenue generating processes?
What are the processes which have the greatest impact on customer satisfaction?
What are the areas which generate high profits?
Once identified, these critical business processes can be used as metrics to measure progress.
c) Check whether a conference room pilot has been done
Conference Room Pilots (CRPs) are meant to progressively validate the design, configuration and customization activities. A CRP can be designed as
i. A project team presenting areas of the system to representatives from the business
ii. The business representatives actually performing job roles on the system, carrying out specific activities in a simulated environment
d) Check whether proper risk assessment exercise has been conducted
Effective risk management is fundamental to the success of any project. Risk registers created at the start of the project should be used throughout the project life cycle and serve as a mechanism to avoid deviations from acceptable quality, costs, or timescale standards. Risks identified should be categorized in terms of their likelihood and their consequences.
Regular review meetings with managers and stakeholders where decisions can be made relating to the management of risks are pivotal for managing risks effectively.
The most common method for evaluating completeness of the configuration is to measure the modules configured in each of the business areas (e.g., Customer Service, Operations and Finance) and report back on a weekly basis. Customization involves modifying the program code of the ERP system to gain a competitive advantage. In the WOCS Standard Version no customization of program code is offered, so for ABC the completeness review is a review of configuration alone. Key differences between customization and configuration are:
Customization is always optional, whereas some degree of configuration (setting up cost/profit centre structures, organizational trees, purchase approval rules, etc.) may be needed before the software can work.
Configuration is available to all customers, whereas customization allows individual customer to implement proprietary “market‐beating” processes.
Configuration changes tend to be recorded as entries in vendor‐ supplied data tables, whereas customization usually requires some element of programming and/or changes to table structures or views.
The effect of configuration changes on the performance of the system is relatively predictable and is largely the responsibility of the ERP vendor. The effect of customization is unpredictable and may require time‐ consuming stress testing by the implementation team.
Configuration changes are almost always guaranteed to survive upgrades to new software versions. Some customizations (e.g., code that uses pre‐defined “hooks” called before or after displaying data screens) will survive upgrades, though they will still need to be re‐tested. More extensive customizations (e.g., those involving changes to fundamental data structures) will be overwritten during upgrades and must be re‐implemented manually.
e) Check the migration plan for migration of data relating to ERP
Data migration is one of the most important activities for determining the success of an ERP implementation. Since many decisions must be made before migration, a significant amount of planning has to be there. Unfortunately, because data migration is the last activity before the production phase of an ERP implementation, it receives minimal attention, mostly because of time constraint. The following steps of a data migration strategy can help with the success of an ERP implementation:
1. Identifying the data to be migrated
2. Determining the timing of data migration
3. Generating the data templates
4. Freezing the tools for data migration
5. Deciding on migration related setups
6. Deciding on data archiving
f) Check whether BCP or fall back plans have been developed
Whatever the size of an ERP project, a fallback or contingency plan is required to provide options, if any key component of the new solution is late or absent. The plan should first be developed on completion of the business process mapping and the high level design. At this point it will be clear where the key elements of the solution are located and what would be required at a high level for a successful launch should they not be available. The contingency plan should then be revisited after each CRP where input from the business will highlight or provide additional operational information regarding the importance of the various elements of the solution.
Assurance on Security and Functionality / Audit of post‐migration activities
a) Verify whether User Acceptance Testing has been carried out
The IS Auditor should review the user acceptance testing records. On completion of the ERP migration or implementation, the users are requested to test the configured ERP application. Based on the test results, the ERP application is fine tuned and further tests are conducted. The results of such user acceptance testing should be reviewed by the auditor to ensure that the business blueprint requirements have been configured in the new ERP system and that the end users are committed to the new ERP application.
b) Check the new ERP configurations with the business blueprint requirements
The IS auditor should check whether the business requirements as per the business blueprint have been configured in the new ERP environment. For this the auditor should have reasonable knowledge of the ERP application. He may engage module specific functional consultants to carry out this task.
c) Verify whether the organization’s DOA has been properly incorporated in the new system
ERP applications have robust user role and profile management functionalities. The IS auditor should check whether these configurations have been set as per the company’s Delegation of Authority document. This can be checked by using various off‐the‐shelf tools or through a walk through of the application and its user configurations. The auditor should also check that these settings do not violate the segregation of duties concept.
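As an added example (not from the case study and not a vendor tool), the following Go program performs the two checks described above against an export of the ERP’s user‐role and approval‐limit configuration: it flags users holding role combinations that violate a segregation‐of‐duties matrix, and users whose configured approval limit in the system exceeds the limit the Delegation of Authority document grants them. The role names, conflict matrix, users and limits are constructed for the illustration and would be replaced by ABC’s actual DOA and the export from WOCS.

```go
package main

import (
	"fmt"
	"sort"
)

// UserRoles is one row of the ERP's user-administration export (constructed sample).
type UserRoles struct {
	User  string
	Roles []string
}

// RolePair is one rule of the SoD matrix: no single user may hold both roles.
type RolePair struct {
	A, B string
}

// ApprovalLimit pairs the limit configured in the ERP with the limit the
// Delegation of Authority (DOA) document actually grants the user.
type ApprovalLimit struct {
	User       string
	Configured float64 // what the ERP lets the user approve
	PerDOA     float64 // what the DOA document authorises
}

// Finding is one exception for the audit working papers.
type Finding struct {
	User  string
	Issue string
}

// SoDConflicts returns a finding for every user who holds both roles of any pair.
func SoDConflicts(users []UserRoles, matrix []RolePair) []Finding {
	var out []Finding
	for _, u := range users {
		held := make(map[string]bool, len(u.Roles))
		for _, r := range u.Roles {
			held[r] = true
		}
		for _, p := range matrix {
			if held[p.A] && held[p.B] {
				out = append(out, Finding{u.User, fmt.Sprintf("SoD: holds %q and %q", p.A, p.B)})
			}
		}
	}
	sortFindings(out)
	return out
}

// DOAExceptions returns a finding for every user whose configured limit exceeds the DOA.
func DOAExceptions(limits []ApprovalLimit) []Finding {
	var out []Finding
	for _, l := range limits {
		if l.Configured > l.PerDOA {
			out = append(out, Finding{l.User, fmt.Sprintf("DOA: configured limit %.0f exceeds authorised %.0f", l.Configured, l.PerDOA)})
		}
	}
	sortFindings(out)
	return out
}

// sortFindings orders exceptions by user then issue so reports are stable.
func sortFindings(f []Finding) {
	sort.Slice(f, func(i, j int) bool {
		if f[i].User != f[j].User {
			return f[i].User < f[j].User
		}
		return f[i].Issue < f[j].Issue
	})
}

// Constructed sample data standing in for ABC's DOA and the WOCS export.
var SampleMatrix = []RolePair{
	{"Vendor Master Maintenance", "AP Invoice Posting"},
	{"AP Invoice Posting", "Payment Release"},
	{"Purchase Order Approval", "Goods Receipt"},
	{"Payroll Master Maintenance", "Payroll Run"},
}

var SampleUsers = []UserRoles{
	{"anita", []string{"AP Invoice Posting", "Payment Release"}},                                // one conflict
	{"ravi", []string{"Purchase Order Approval", "Inventory Enquiry"}},                          // clean
	{"suresh", []string{"Vendor Master Maintenance", "AP Invoice Posting", "Payment Release"}}, // two conflicts
}

var SampleLimits = []ApprovalLimit{
	{"anita", 500000, 500000},
	{"ravi", 2500000, 1000000}, // configured above what the DOA grants
}

func main() {
	for _, f := range SoDConflicts(SampleUsers, SampleMatrix) {
		fmt.Printf("%-8s %s\n", f.User, f.Issue)
	}
	for _, f := range DOAExceptions(SampleLimits) {
		fmt.Printf("%-8s %s\n", f.User, f.Issue)
	}
}
```

The conflict matrix is the part that needs care: it must be agreed with finance and internal audit before the walk‐through, since a matrix copied from a generic template will miss combinations that matter for a manufacturer (for example goods receipt against purchase approval).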
d) Verify whether users have been provided adequate training
The IS Auditor should check the training documents to find out whether adequate end user training has been provided to the users. He should also ensure that user guides and system manuals have been provided by the ERP implementer.
e) Traditional GL balance checks and master data checks to be carried out
The IS auditor should also compare the GL data in the migrated ERP application with the data available in the old GL. He should also look into the control accounts in each of the modules and verify that they tally with the control account balances in the GL. Similarly, the auditor should examine the cut‐off documents in the old system and in the new ERP environment to confirm that transactions around the migration date have been recorded once, and in the right system.
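An added example, not part of the case study, of the balance check above in Go: given the closing balances exported from the old general ledger, the opening balances in the migrated ERP and the control‐account totals from each subledger, it reports every account whose balance differs beyond a tolerance, every account present on one side only, and every subledger whose total does not tally with its GL control account. The account codes and amounts are constructed for the illustration.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Balance is one line of a trial balance export; positive = debit, negative = credit.
type Balance struct {
	Account string
	Amount  float64
}

// Variance is one reconciliation exception for the working papers.
// For ReconcileGL, Old/New are the old and new GL balances; for
// ControlAccountCheck, Old is the subledger total and New the GL balance.
type Variance struct {
	Account string
	Old     float64
	New     float64
	Note    string
}

// toMap sums duplicate lines for the same account, as an export may split them.
func toMap(b []Balance) map[string]float64 {
	m := make(map[string]float64, len(b))
	for _, x := range b {
		m[x.Account] += x.Amount
	}
	return m
}

func sortVariances(v []Variance) {
	sort.Slice(v, func(i, j int) bool { return v[i].Account < v[j].Account })
}

// ReconcileGL compares old-system closing balances with migrated opening
// balances. Differences at or below tolerance (rounding) are ignored.
func ReconcileGL(oldGL, newGL []Balance, tolerance float64) []Variance {
	oldMap, newMap := toMap(oldGL), toMap(newGL)
	var out []Variance
	for acct, o := range oldMap {
		n, ok := newMap[acct]
		switch {
		case !ok:
			out = append(out, Variance{acct, o, 0, "missing in new ERP"})
		case math.Abs(o-n) > tolerance:
			out = append(out, Variance{acct, o, n, "balance differs"})
		}
	}
	for acct, n := range newMap {
		if _, ok := oldMap[acct]; !ok {
			out = append(out, Variance{acct, 0, n, "not in old GL"})
		}
	}
	sortVariances(out)
	return out
}

// ControlAccountCheck verifies that each subledger total (e.g. the sum of open
// vendor invoices) tallies with its GL control account in the new system.
// control maps subledger name -> GL control account code.
func ControlAccountCheck(newGL []Balance, subledgerTotals map[string]float64, control map[string]string, tolerance float64) []Variance {
	gl := toMap(newGL)
	var out []Variance
	for sub, total := range subledgerTotals {
		acct, ok := control[sub]
		if !ok {
			out = append(out, Variance{sub, total, 0, "no control account mapped"})
			continue
		}
		if math.Abs(gl[acct]-total) > tolerance {
			out = append(out, Variance{acct, total, gl[acct], "subledger " + sub + " does not tally"})
		}
	}
	sortVariances(out)
	return out
}

// Constructed sample: old GL closing vs new ERP opening balances, in rupees.
var OldGL = []Balance{{"1100 Cash", 1250000}, {"1200 Debtors", 840000.50}, {"2100 Creditors", -612000}, {"3000 Capital", -1478000.50}}
var NewGL = []Balance{{"1100 Cash", 1250000}, {"1200 Debtors", 840000.49}, {"2100 Creditors", -598000}, {"3000 Capital", -1478000.50}, {"1300 Suspense", -14000}}
var SubledgerTotals = map[string]float64{"AR": 840000.49, "AP": -612000}
var ControlAccounts = map[string]string{"AR": "1200 Debtors", "AP": "2100 Creditors"}

func main() {
	for _, v := range ReconcileGL(OldGL, NewGL, 0.5) {
		fmt.Printf("%-16s old=%12.2f new=%12.2f %s\n", v.Account, v.Old, v.New, v.Note)
	}
	for _, v := range ControlAccountCheck(NewGL, SubledgerTotals, ControlAccounts, 0.5) {
		fmt.Printf("%-16s sub=%12.2f gl=%12.2f %s\n", v.Account, v.Old, v.New, v.Note)
	}
}
```

In the sample the migration tool has parked a 14,000 difference in a suspense account instead of the creditors control account; the reconciliation surfaces both the new suspense balance and the creditors variance, which is exactly the kind of exception the cut‐off review then has to explain.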
Strategy and Procedures Adopted
Assurance on Reliability/ Audit of pre‐migration activities
a) Assessing the Adoption and its Business Impact:
Once a company achieves go live with its Enterprise system, it’s important to monitor new process adoption and impact on business performance. The process of comparing and assessing baseline and post‐ implementation performance measures has been carried out. A gap analysis is useful for comparing expected deliverables versus project results. It’s also important to consider employee transition to the new system. Our methodology incorporates steps for effective knowledge transfer and overall support to change management.
b) Considering Satisfaction of Stakeholders
Querying the stakeholders, including employees, managers, the IT department, customers and vendors, about their satisfaction with the new system, and assessing the system’s impact on customers’ and vendors’ interactions with the business.
c) Reviewing Costs versus Benefits
Once a comprehensive review of the project is completed, it is time to analyse actual versus projected costs and benefits. Cost escalation is one of the most common problems with ERP implementations, and a primary cause is that many ERP providers charge additional fees for separate modules and add‐ons. In the proposed solution, Wilson provides a single standard version in which all product feature upgrades and updates form part of the standard offering, so the review should confirm in the contract that the thirteen modules in scope, the monthly upgrades and the training week are covered by the 10‐user licence price, and identify any charge that falls outside it (additional users, data storage, integrations or support tiers).
d) Risk Analysis
Considering the following risks associated with the implementation of cloud based ERP software:
a. Dependence upon third parties wherever third-party services are used.
b. Computing services do fail, leaving users unable to access programs or data, and can lose customer data.
c. Increased complexity of compliance with laws and regulations.
d. The dynamic nature of cloud computing may cause confusion as to where information actually resides. This may delay information retrieval when it is required, and in the event of a disaster information may not be immediately locatable.
After the risk analysis, assess the probability that the identified risks will materialize, together with their likely effect, and document the risks along with the controls that mitigate them. Include the most likely sources of threats, internal as well as external, such as hackers, competitors and foreign governments.
e) Audit Objectives
Review of areas such as:
a) Communications (covering risks such as sniffing and denial of service, and controls such as encryption and fault tolerance)
b) Network architecture, virtual private network and application delivery
c) Security awareness and user administration
d) User and session administration (covering risks such as hijacking, spoofing and loss of integrity of data)
e) Physical security
f) Public key infrastructure
g) Backup and recovery procedures
h) Operations (such as incident response and back-office processing)
i) Technology architecture (feasible, expandable to accommodate business needs, and usable)
j) Security architecture
k) Security software (such as IDS, firewall and antivirus)
l) Security administration
m) Patch deployment
n) Business contingency planning
f) Work Plan
The work plan includes the following:
Based on the information obtained and the scope and objectives of the engagement, we shall document the way business, security and IS objectives (where applicable) are affected by the identified risks and the controls that mitigate those risks.
In this process we shall evaluate areas of weakness or vulnerabilities that need strengthening. New controls identified as mitigating the risks considered shall be included in a work plan for testing.
Internal Documents Reviewed
1) User manuals and technical manuals relating to the system software and ERP.
2) Organization chart outlining the organization hierarchy and job responsibilities.
3) Circulars and guidelines issued to employees.
4) User manuals and documentation relating to the ERP implementation by ABC Automobiles Ltd.
5) Security policy document relating to the system.
6) Audit findings documents.
7) Any other documentation identified by us as required for the assignment.
The document review was followed by a series of interviews and questionnaires on employees' and stakeholders' intent and acceptance of the new ERP system.
Deliverables and Reporting
Key deliverables of the study include:
Risk assessment of the deployment solution
Recommended controls to be implemented covering all critical operations and transaction processing
Sample list of key controls, per module, as relevant to ABC
Risk management strategy to cover
Business values
Cost benefit analysis: comparison of capex and opex for the current and proposed solutions
The primary objective of this Information Systems Audit assignment was to provide assurance to the management of ABC Automobiles Ltd. (ABC) on the availability, appropriateness and adequacy of controls over critical operations and transaction processing, capex and opex. This was done through a review of the control framework of their in-house package for critical operations and transaction processing, a review of logical access controls over critical operations and transaction processing, capex and opex, and an implementation audit of general controls at all branches with specific emphasis on the implementation of controls.
Proposed Scope of Review/Terms of Reference
Based on our understanding of ABC's needs for conducting a systems audit, the major questions to be answered in determining which ERP system to select are:
What is the return on investment of a cloud environment versus an in-house hosted solution?
What is the total cost of ownership for each system under each option (cloud based, if available, versus in-house hosted)?
Will additional hardware be necessary to operate in a cloud environment versus an in-house hosted one with remote access?
Can the ERP system manage the number of seats required for the functionality?
How easy is data migration from one system to another (e.g., will data integrity remain intact; can data be migrated easily or will it require manual effort)?
What unique requirements exist at country and site level, and can these needs be met by the selected system?
Which system offers the greatest capability for ABC's needs with the least amount of customization?
What is required for implementation, and what type of support does the vendor offer?
Who will actually be doing the implementation (e.g., does the vendor have its own in-house implementation team or does it subcontract this out)?
How flexible is the system, and how easily can it be modified to meet changing business needs?
Are there any other business processes that can be improved through the implementation of one ERP system over another?
Given this set of issues to be resolved, the recommendations for an ERP system, whether as a cloud or an in-house solution, are as follows:
1. Hire an experienced systems analyst and other appropriate subject matter experts (SMEs) to aid in the review of ERP options and the analysis of unique requirements.
2. Have each of the four vendors provide a proposal and a demonstration of their system capabilities.
3. Shortlist two vendors, provide them with a script that contains all of the business processes the system must handle in a day, and have them provide a proof of concept.
Risk Assessment of Deployment Solution and Controls Recommended
|S.||Risks Assessed||Controls Recommended|
|1||Security: Moving a vital system into a shared environment is a significant concern for customers, and building trust is not easy; providers strengthen their customer and partner relationships by strengthening their security services. A complex application such as an ERP also needs intensive set-up and management. Cloud computing does not change the functions of the ERP; it changes only the delivery mechanism and the solution.||The cloud provider can offer a higher level of security per user, per unit of storage, per unit of processing power and so on, because it operates larger systems for many customers. At the same time it has to satisfy the service requirements set out in the SLA.|
|2||Authentication and Authorization: The complexity of ERP systems increases the complexity of security configurations, which may lead to security vulnerabilities. Cloud computing has introduced new challenges and opportunities for tenant authentication. In the cloud environment, responsibility is divided among several parties: the users, the cloud provider and third-party providers.||Role-based access control (RBAC) can strengthen cloud ERP security so that users reach only the resources they are authorized for. It is important to set appropriate access roles for the user, the cloud ERP provider and any third party. The cloud ERP application interface is reached through an Internet browser, so the user is authenticated by the system with an identifier and password, scoped to the user's tenant, before reaching the cloud ERP service.|
|3||Recovery of Data: Recovery of data on the cloud in case of data loss can be a major issue.||The reliability and security of the vendor should be verified through a security audit conducted at the vendor, including its backup and restore arrangements.|
|4||Compliance risks: Lack of legal and data protection compliance is a significant risk to consider in the cloud model. Each country has different restrictions and requirements for accessing sensitive data. The cloud customer needs to pay attention to the jurisdictions in which its data is processed.||Cloud ERP needs to meet the standards and legislation applicable to both cloud computing and ERP. As an example, cloud ERP providers should meet or exceed traditional ERP security compliance requirements such as ISO 27001 certification, SAS 70 Type II reports (since superseded by SSAE 18 SOC 1 reports) and ISAE 3402 reports.|
|5||Availability of Data: An ERP system consists of several modules and their connections with the ERP components. To maintain business continuity an ERP system needs to remain available 24/7, and depending on the complexity of the system a number of risk factors can threaten its availability. For example, the ERP uses a central database that connects all functions. Another issue relates to the application interface of the ERP, the user's control panel for the system: a software bug or application crash might cut the connection between the components and make the services unavailable.||The application and its components should be tested and monitored regularly. Companies need to consider appropriate solutions to prevent ERP service unavailability, including outages caused by a system restore or planned downtime. Unavailability can be prevented by creating and applying a set of security policies. Browser-to-service security is vital and is achieved with controls such as TLS (formerly SSL), virtual LANs, firewalls and packet filters. User access to the cloud application is also important: current solutions require the user to submit an identifier and password to the cloud vendor's identity and access management service, which verifies them. This login can be strengthened with multifactor authentication such as biometrics, one-time passwords or smart cards.|
|6||Performance risks: Speed and reliability of data processing should be comparable with the existing system.||Ensure this by test checks at frequent intervals against baseline performance measures.|
|7||Strategic risks: By outsourcing a business-critical system such as the ERP, companies usually bear increased strategic risk from high dependency on the service provider.||Appropriate management oversight is required to decide which information processing can be outsourced and which cannot.|
|8||SLA issues: In many cases it is hard to accurately define the Service Level Agreements (SLAs) negotiated between a cloud service provider and its corporate clients. These SLAs usually do not cover aspects such as confidentiality and integrity, leaving unclear liability for damage.||The SLAs should be designed carefully in consultation with all relevant experts, especially the IS auditor.|
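The authentication and authorization row above recommends RBAC with roles for the user, the provider and third parties, and the control lists later in this report repeatedly call for separation of duties. The two fit together as shown in the following added example, which is not WOCS code and not from the case study: the role names, permissions, tenant identifiers and conflicting role pairs are all assumed for illustration. The point it demonstrates is that in a multi-tenant ERP the tenant check must come before the permission check, and that segregation of duties is enforced at role assignment time rather than left to reviewers.

```python
"""Tenant-scoped RBAC with a segregation-of-duties check (added example; role model is assumed)."""
from dataclasses import dataclass, replace

# Constructed role model. Permission strings are "<resource kind>:<action>".
ROLE_PERMISSIONS = {
    "ap_clerk":       {"invoice:create", "invoice:read"},
    "ap_approver":    {"invoice:read", "invoice:approve"},
    "treasury":       {"invoice:read", "payment:release"},
    "auditor":        {"invoice:read", "payment:read", "audit_log:read"},
    "tenant_admin":   {"user:manage", "role:assign"},
    "vendor_support": {"ticket:read", "ticket:update"},   # provider-side third party: no ledger access
}
# Role pairs one person must never hold at once (initiate vs approve, approve vs pay).
SOD_CONFLICTS = {frozenset({"ap_clerk", "ap_approver"}), frozenset({"ap_approver", "treasury"})}


@dataclass(frozen=True)
class User:
    user_id: str
    tenant: str
    roles: frozenset


@dataclass(frozen=True)
class Resource:
    kind: str
    resource_id: str
    tenant: str


def permissions_for(user):
    """Union of the permissions of every role the user holds; unknown roles grant nothing."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(user, action, resource):
    """Deny first on tenant mismatch: a permission valid in one tenant never reaches another's data."""
    if user.tenant != resource.tenant:
        return False
    return f"{resource.kind}:{action}" in permissions_for(user)


def sod_violations(roles):
    """Conflicting role pairs contained in the given role set (empty list means no conflict)."""
    roles = frozenset(roles)
    return [pair for pair in SOD_CONFLICTS if pair <= roles]


def assign_role(user, role):
    """Return a copy of the user with the role added; refuse unknown roles and SoD conflicts."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    new_roles = user.roles | {role}
    conflicts = sod_violations(new_roles)
    if conflicts:
        raise ValueError(f"segregation of duties conflict: {sorted(sorted(p) for p in conflicts)}")
    return replace(user, roles=new_roles)


if __name__ == "__main__":
    clerk = User("u1", "abc", frozenset({"ap_clerk"}))
    print(is_authorized(clerk, "create", Resource("invoice", "INV-1", "abc")))   # True
    print(is_authorized(clerk, "create", Resource("invoice", "INV-9", "xyz")))   # False: other tenant
    try:
        assign_role(clerk, "ap_approver")
    except ValueError as exc:
        print("refused:", exc)
```

For the audit, the useful evidence is the list returned by `sod_violations` when run over every user's actual role set exported from the ERP, plus confirmation that the provider's support accounts carry a role such as `vendor_support` rather than a tenant administrator role.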
Sample List of Key Controls to be implemented in each module as relevant to ABC Automobiles
|No.||List of Modules||Key Controls to be implemented|
|1||Sales & Shipping Management||Costing module should be kept updated; internal stock transfers allowed only after authorization; sales quotations should not be modifiable without approval; dispatch only after credit approval of the customer; statutory compliances should be applied automatically while raising an invoice|
|2||Accounts Receivable Management||Credit limits should be centrally authorized and payments reconciled by Head Office (HO) only; receipt confirmation only after acceptance of payment by HO; debtor credit notes should not be accessible without authorization|
|3||Purchase Management||Reorder levels and automated purchasing should be periodically verified; manual purchase orders should be modified only after approval; 3-way match controls (purchase order, goods receipt, invoice) should be working effectively; inventory should not be allowed to go negative, and consumption should reduce stock in the expected ratio, otherwise a warning should be generated|
|4||Accounts Payable Management||Creditor bank details should not be modifiable without authorization; a complete 3-way match before payment; manual duplicate payment search; cheque printing and cheque signing performed by different persons|
|5||Financial Accounting||FI/CO module should be synced and updated; date and time of the last sync should be printed on reports where required; automatic locking of books on a monthly basis; automatic account posting only after review and approval|
|6||Management Accounting||Cost should be updated based on purchase orders; variances beyond a set limit should be automatically reported; costing methodology should not be editable without authorization|
|7||Management Information System||MIS access should be tightly restricted, with access limited according to user designation; a log of access should be maintained; report printing, e-mailing or transfer should be restricted and allowed only after authorization|
|8||Fixed Asset Management||Asset additions and deletions should be manually approved; disposal of an asset only after accounting in accounts receivable; asset transfers should not be allowed without a transfer note generated in the ERP|
|9||Inventory Management||Services to be approved only after a ticket is generated by the customer; parts replaced or reissued to be issued by stores only against system-generated memos; service invoices to be generated as soon as services are completed and matched with service logs|
|10||Sales Opportunities Management||Lead commissions to be disbursed only after sale completion and receipt of payment, or as per the terms of the contract with the lead|
|11||HR and Payroll||Salary figures should be highly confidential; change logs to be maintained; expense trend lines to be reviewed; separation of duties; automatic time-keeping system integration|
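Three of the transaction-level controls in the table above (the 3-way match in Purchase and Accounts Payable, the duplicate payment search, and the negative inventory guard) are mechanical enough to be expressed as code and tested with sample transactions, which is also how an auditor would test-check them in a standard product that cannot be customized. The block below is an added example, not WOCS functionality or the case study's data: the purchase orders, goods receipts, invoices, price tolerance and stock levels are all constructed for illustration.

```python
"""Transaction-level key controls: 3-way match, duplicate payment search, negative stock guard
(added example; all records below are constructed sample data)."""
from collections import defaultdict
from decimal import Decimal

PURCHASE_ORDERS = {
    "PO-501": {"vendor": "V-AXLE", "item": "axle", "qty": 10, "unit_price": Decimal("1500.00")},
}
GOODS_RECEIPTS = {
    "GRN-77": {"po": "PO-501", "item": "axle", "qty": 10},
}
INVOICES = [
    {"id": "INV-A", "vendor": "V-AXLE", "po": "PO-501", "grn": "GRN-77", "qty": 10,
     "unit_price": Decimal("1500.00"), "vendor_ref": "AX/2024/778"},
    {"id": "INV-B", "vendor": "V-AXLE", "po": "PO-501", "grn": "GRN-77", "qty": 12,
     "unit_price": Decimal("1500.00"), "vendor_ref": "AX/2024/779"},   # bills more than was received
    {"id": "INV-C", "vendor": "V-AXLE", "po": "PO-501", "grn": "GRN-77", "qty": 10,
     "unit_price": Decimal("1500.00"), "vendor_ref": "AX/2024/778"},   # same vendor ref and amount as INV-A
    {"id": "INV-D", "vendor": "V-OTHER", "po": "PO-501", "grn": "GRN-77", "qty": 10,
     "unit_price": Decimal("1600.00"), "vendor_ref": "OT/11"},         # wrong vendor, price out of tolerance
]


def three_way_match(invoice, purchase_orders, goods_receipts, price_tolerance=Decimal("0.02")):
    """Return the list of exceptions; an empty list means the invoice clears PO, receipt and price checks."""
    issues = []
    po = purchase_orders.get(invoice["po"])
    if po is None:
        return ["no purchase order"]
    grn = goods_receipts.get(invoice["grn"])
    if grn is None or grn["po"] != invoice["po"]:
        issues.append("no goods receipt for this PO")
        received = 0
    else:
        received = grn["qty"]
    if invoice["vendor"] != po["vendor"]:
        issues.append("vendor differs from PO")
    if invoice["qty"] > received:
        issues.append("invoiced quantity exceeds received quantity")
    # Assumed tolerance of 2% on unit price; the tolerance itself should be an approved parameter.
    if abs(invoice["unit_price"] - po["unit_price"]) > po["unit_price"] * price_tolerance:
        issues.append("unit price outside tolerance")
    return issues


def duplicate_payment_candidates(invoices):
    """Invoices sharing vendor, vendor reference and total amount; each group needs manual review."""
    groups = defaultdict(list)
    for inv in invoices:
        key = (inv["vendor"], inv["vendor_ref"].strip().upper(), inv["qty"] * inv["unit_price"])
        groups[key].append(inv["id"])
    return [ids for ids in groups.values() if len(ids) > 1]


def issue_stock(stock, item, qty):
    """Post a stores issue only if it leaves stock non-negative; return the new level."""
    if qty <= 0:
        raise ValueError("issue quantity must be positive")
    on_hand = stock.get(item, 0)
    if on_hand - qty < 0:
        raise ValueError(f"issue of {qty} {item} would drive stock negative (on hand {on_hand})")
    stock[item] = on_hand - qty
    return stock[item]


if __name__ == "__main__":
    for inv in INVOICES:
        print(inv["id"], three_way_match(inv, PURCHASE_ORDERS, GOODS_RECEIPTS) or "matched")
    print("possible duplicates:", duplicate_payment_candidates(INVOICES))
    stock = {"axle": 5}
    print("after issue:", issue_stock(stock, "axle", 3))
```

When test-checking the live system, the auditor would feed it the same kind of mismatched invoice (over-billed quantity, changed vendor, repeated vendor reference) and confirm that the ERP blocks or flags it exactly as these functions do, rather than relying on the vendor's description of the control.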
Recommended Strategy for deployment and Risk Management
By analogy with the Steady State theory of cosmology, a phased rollout does not happen in a single instance; small changes occur over time. The organization moves off the legacy system and onto the new ERP system in a series of predetermined steps, which can be achieved in several different ways. The most appropriate strategy for ABC is a phased rollout by business unit. Under this approach implementation is carried out in one or more business units or departments at a time; for example, the new ERP system is first implemented in human resources and then in accounting. Some organizations put together an implementation project team that moves between departments during the implementation phases; as the team gains experience with each implementation, subsequent phases become more efficient. Each phase should be reconciled and signed off (module control accounts agreeing with the GL, cut-off documents checked) before the next unit is migrated.
Cost Benefit analysis
Moving to the cloud can be very costly. In terms of ERP costs, the business needs to consider:
Acquisition costs: cost of acquisition and deployment
Customization costs: cost to implement the ERP according to the needs and wants of the business
Testing costs: technical tests, compatibility tests, availability tests and user acceptance tests
Upgrade costs: conducting periodic ERP reviews and managing the ERP accordingly
Conversion costs: cost of converting present files to the new ERP system
Personnel development and training costs for employees
Unforeseen expenditure: costs which cannot be budgeted
|Comparison of present with proposed system|
|Information system||Standalone system||Integrated system|
|Coordination||Lack of coordination among business functions (e.g. manufacturing and sales)||Supports coordination across business functions|
|Database||Non-integrated data||Integrated data|
|Maintenance||Costly to maintain separate legacy systems||Uniform maintenance; changes affect multiple systems|
|Interfaces||Difficult to manage interfaces between systems||Common interfaces across systems|
|Information||Redundant, inconsistent information||Consistent real-time information (e.g., about customers, vendors)|
|System architecture||May not be state of the art||Relies on a client-server model|
|Processes||Incompatible processes||Consistent business processes based on a common information model|
|Application||Disparate applications (e.g., many different purchasing systems)||Single application (e.g., a common purchasing system)|
Thus, even though the initial costs may be higher, if the implementation succeeds and future business needs are considered, cost should not weigh heavily in the decision, provided the expenditure is budgeted and adequate checks are implemented on expenditure.
The goal of this proposal was to determine whether it was reasonable for ABC to move to the cloud based ERP application 'Wilson's On Cloud Solution (WOCS) – Standard Version' in order to improve operational efficiency, reduce IT costs related to ERP systems, and improve insight into the financial management aspects of the company for better strategic planning and performance monitoring.
A sub-goal was to determine whether, by migrating to the single ERP application 'Wilson's On Cloud Solution (WOCS) – Standard Version', ABC might realize cost savings through a reduction in support personnel and in licensing and maintenance costs. This review has established that a reduction in maintenance costs is highly likely, yet a full assessment of current costs against the maintenance costs of a single solution remains necessary to establish the full scope of that saving. We have established that moving to a single ERP application will reduce the required level of IT support at the divisional and corporate level by approximately one third, which allows for a cost saving; until a final solution is selected by management, however, the full significance of this saving cannot be firmly established.
Moving to the single ERP solution 'Wilson's On Cloud Solution (WOCS) – Standard Version' will allow all divisions to function from a common ERP platform and will remove the need to perform many accounting and operational functions outside the system. This ensures that management has immediate, relevant access to system-driven data on demand, instead of waiting for somebody to manipulate the data into a format that may or may not be accurate depending on human error.
We have demonstrated that strong cost saving potential exists, as well as a definite ability to meet the greater need of improving operational functionality and management decision-making capability, should ABC migrate to the single ERP solution 'Wilson's On Cloud Solution (WOCS) – Standard Version'. The decision to place the ERP solution in a cloud environment remains an open item in terms of cost savings; however, it is clear that a reduction in IT department infrastructure can be realized by moving from a decentralized IT department structure to a centralized one.
Summary of Recommendations
1. Migrate from supporting multiple ERP solutions on a divisional level to supporting a single ERP solution on a web-based or cloud-based platform from a centralized location at the Home Office.
2. In addition, review whether migration to a private cloud-based environment is a reasonable consideration to pursue in conjunction with migration to a single ERP solution.
3. Select a single ERP application to use on a corporate-wide basis after analysis.
4. Upon selection of a single ERP application engage appropriate implementation specialists and other subject matter experts to aid management in developing an adequate migration and training plan, whether to utilize an in-house or cloud based platform, and to determine appropriate overall staff training requirements and reductions to the size and complexity of existing IT departments from the divisional level to a centralized operation.
5. Retain or obtain appropriate IT personnel to support the new environment.
6. Review the capabilities of the selected application to determine if Hyperion must be retained.
7. Review legacy systems to determine best solution for preservation of data, access requirements and access protocols.
DISA 3.0 Project Report on: