Project Report

of
DISA 2.0 Course
 CERTIFICATE
Project report of DISA 2.0 Course

This is to certify that we have successfully completed the DISA 2.0 course training conducted at:

1542, Sector 13, Hisar Branch of ICAI from 06 August to 04 September 2016 and we have
the required attendance. We are submitting the Project titled: Migrating to Cloud based ERP
solution.

We hereby confirm that we have adhered to the guidelines issued by CIT, ICAI for the project.
We also certify that this project report is the original work of our group and each one of us have
actively participated and contributed in preparing this project. We have not shared the project
details or taken help in preparing project report from anyone except members of our group.

1. Name……CA Anuradha ...……………….……DISA No……48864...Signed…………………….…………

2. Name……CA Shiva Bhardwaj…………....……DISA No….. 48242...Signed…………………….…………

3. Name……CA Manal Chawla …………….……DISA No…...49513….Signed…………………….…………

PLACE: HISAR
DATE: 19.09.2016
 Table of Contents

Details of Case Study/Project (Problem)

Project Report (solution)

1. Introduction
2. Auditee Environment
3. Background
4. Situation
5. Terms and Scope of assignment
6. Logistic arrangements required
7. Methodology and Strategy adapted for execution of assignment
8. Documents reviewed
9. References
10. Deliverables
11. Format of Report/Findings and Recommendations
12. Summary/Conclusion
 Project Report

Title: Migrating to Cloud based ERP solution

A. Details of Case Study/Project (Problem)

B. Project Report (solution)

1. Introduction
ABC Automobiles Ltd. (ABC) makes luxury buses in South India. It is well equipped with total
infrastructure and has kept in pace with the changing technology and producing real high quality
buses. They are currently using stand-alone accounting and inventory package which has
limited functionalities. They have aggressive business growth plans and found that the current
software solution cannot meet their future business requirements.

2. Background
ABC Automobiles have decided to migrate to ‘Wilson’s On Cloud Solution (WOCS) - Standard
Version’ a robust full suite of ERP developed using Wilson Virtual Works, a state-of-the-art
software engineering and delivery platform. WOCS is expected to enable ABC to reap the
benefits of a solution with “built-in best practices” together with a highly “flexible framework” to
ensure solution alignment to “Dynamic Business Requirements” of ABC. The WOCS solution
has standard product features which cannot be modified except based on the methodology
followed by Wilson and the customer has to use the existing product without any changes. As a
part of the Software as Service (SAS) development model, WOCS will not make any changes to
the data entry screens/processes as per individual customer needs.

3. Situation
Every organization is in a global world where all the businesses are very much familiar to use
information communication technology (ICT) for processing daily work

[1]. Cloud computing now is a virtualized ICT resource and dynamically reconfigurable to meet
the specific needs of the adopting organization. The Cloud computing enables enterprises to
unleash their potential for innovation through greater intelligence, creativity, flexibility and
efficiency, all at reduced cost. Some cloud software are widely accepted and implemented by
organizations.
They include customer relationship management (CRM), such as Salesforce.com, Microsoft
CRM, and Human Resources, such as ADP, Ultimate Software Group, PDS. Now the next
generation of ERP (Enterprise resource planning) has been seeing a high-level of interest for
organizations. Cloud ERP offers businesses speed of implementation and lower costs of entry.
It is the shortest possible route to a new ERP system. One of the main advantages of cloud
ERP is the low cost of entry.

No need to purchase expensive equipment or make sure that you have sufficient infrastructure
to handle the system. Simply downloading a software application onto computers and allow a
hosting company to provide the service. Despite widespread interest in adopting cloud ERP,
many organizations are “flying blind” with respect to making them secure, potentially putting
their operations, intellectual property and customer information at risk.

4. Terms and Scope of assignment

Cost Considerations

Cloud vendors claim that companies will realize significant cost savings by using cloud
solutions. But whether that’s true for your company requires an individual cost analysis. Moving
to a cloud ERP simply means that you’re moving cost from an in-house expenditure to an
outsourced expense, which is similar to buying a car (on premises and hosted) vs. riding a city
bus (cloud).

This also has an impact on the financial statements because instead of setting up a capital
asset for on-premises ERP that’s depreciated over time, companies can expense the annual
service fees of a cloud ERP provider. The cost savings that cloud vendors tout comes from the
fact that the initial up-front license fees are lower and that many internal costs can be eliminated
to support the ERP system. These internal costs include IT infrastructure, hardware, and the
time required for personnel to support the on-premises ERP system and install periodic
Upgrades. The actual cost of these items varies widely by company, so you’ll need to look at the
specific internal cost for your company to determine how much savings you could realize by
implementing a cloud ERP solution. Let’s look at the main components of external (out-of
pocket) costs for implementing an on-premises solution vs. subscribing to a cloud solution.

On-premises Software Cost:

1. Software License (One-time cost—based on a concurrent or named user model.)

2. Software Maintenance and Support (Annual cost—typically 18%-25% of the software license
cost.)

3. Implementation Services (One-time cost—typically one to two times the cost of the software
license, and it includes training. You may also have implementation services for upgrades,
which may occur about every three to seven years.)

4. Hardware (One-time cost—frequently costing only 5% of the total cost of the software,
implementation, and periodic upgrades.)
Cloud Software Cost:

1. Software Subscription Fee Modules (Annual/monthly cost—based on the modules or areas of

functionality used.)

2. Software Subscription Fee Users (Annual/monthly cost—based on the number of named

users that will be accessing the system.)

3. Implementation Services—Implementation Cost (One-time cost—typically one to two times

the cost of one year of annual subscription fee.)

4. Support (Annual cost—similar to on-premises software with different levels of annual phone
and software support.)

Keep in mind that a major upgrade may be required with an on-premises scenario, usually
between years three and seven. Depending on the software you select and the specifics of your
implementation, this upgrade can be easy with minimal impact on your organization, or it can be
costly and disruptive. On the other hand, cloud vendors don’t have this issue because all
customers are automatically upgraded with every release (whether they want to upgrade or not).

These upgrades usually aren’t as difficult because the vendor handles most of the upgrade
activities for all of their customers at the same time. Make sure that you discuss the impact of
upgrades when you go through the software selection process. A good way to get additional
information in this area is to conduct reference checks by asking current customers about the
impact of upgrades on their organization. In working with our clients, we’ve found that the initial
cost to purchase the software license and implement a cloud solution generally is less than the
initial outlay for an on-premises solution. But the ongoing annual fees the cloud vendor requires
are typically higher than the annual maintenance fees of purchasing an on-premises license.

We recommend that, at a minimum, you do a five-year cost comparison that clearly identifies
both the internal and external costs for both options. If you have cash flow issues, moving to a
cloud solution may be helpful because the up-front cost is lower and payments are spread out
over time. If your needs dictate an on-premises ERP solution, you should explore software
lease options that let you implement on premises yet have a cost and payment structure that’s
spread over time, similar to a cloud payment plan.
Cloud ERP Pros and Cons

In general, cloud ERP vendors have the latest technology and are currently building new
functionality into their offering. They don’t have the baggage of supporting an installed base with
old versions and can be nimble in their development. Because many cloud solutions aren’t
as functional or as complex as the on-premises vendors and limit software customization,
implementation can be faster. Internal cost also is lower because you don’t have
to buy server hardware or have significant technology infrastructure.

On the other hand, because the software is less mature, you may have to wait for key functional
upgrades to become generally available. Probably the biggest drawback of a cloud solution is
that you’re completely dependent on the cloud vendor. If you or the vendor loses connection to
the Internet, if you miss your monthly or annual payment, if there’s a natural disaster, or if the
vendor goes out of business, you could lose access to the system. The SLA that you sign with
the cloud provider will dictate the terms of the agreement for the ERP service. Make sure that
you carefully review how the vendor will support you in the event of possible system
interruptions, ownership and retention of data, as well as what happens if you choose to leave
the vendor’s solution.
Be aware that leaving a cloud solution is rarely discussed by the cloud providers. In what
format will you get your proprietary data? Will the vendor support you as you migrate off their
service and implement a different solution?

Now let’s look at some of the pros and cons of cloud ERP solutions.

Pros:
1. It’s modern technology with new functionality. The vendor doesn’t have to support any
old versions of the software.

2. Solutions are faster and easier to implement. Systems aren’t as complex and may be
more intuitive and configurable.

3. The first-year cost is lower.

4. There’s no hardware or infrastructure cost.

5. It has scalability. You can add or reduce users as your needs change, which works
especially well for seasonal businesses or companies on a high-growth path.

6. You’re always on the latest release. There are no big upgrade scenarios.

7. You own the data (but not the software) and can leave the vendor at the end of the
subscription term.

8. The software is easily accessible anywhere through a browser.

9. The vendors have put a heavy investment in security and backup infrastructure.

10. The vendor provides technical resources

.
11. Software fees are expensed rather than set up as an asset and depreciated.

Cons:

1. At this time, cloud ERP solutions are still building out functionality as compared to the
traditional on premises software vendors.

2. There are many new and small cloud ERP vendors that are entering the market
because of the opportunity to start with a fresh ERP solution. Capitalization and viability
may be an issue for some of them.

3. The majority of the current cloud ERP users are smaller companies, so some vendors
may not have the sophistication or capacity to work with larger, more complex
organizations. This is changing because larger companies are now implementing cloud
ERP solutions.
 4. Though configuration of cloud ERP is available to all customers, major customizations
usually aren’t allowed so the vendor can maintain the upgrade path.

5. Customers are required to upgrade to the latest version of every release.

6. Annual subscription fees are higher than annual maintenance fees for on-premises
solutions.

7. A consistent connection to the Internet is required. If you lose connectivity because of a

natural disaster or cyber attack or if the vendor goes out of business, you may have no
access to the system or data.

8. Cloud security varies depending on the vendor and is outside your control.

9. You’re contractually committed to the cloud ERP vendor for a specified time period.

It may be difficult to leave the vendor and migrate your data to a new system. Though you own
the data, the software vendor owns the data structure, rules, reporting tools, and audit trail
information to view and analyze the data effectively.

Depending on the terms of your agreement, you must keep vendor payments current or you
may lose access to the system.

On-Premises ERP Pros and Cons

On-premises ERP solutions typically have deeper functionality because they’re more mature
solutions and offer significant modification and customization capabilities to fit unique
requirements. The software license and on premises installation allow you to have more control
over the software, which means you can run the software even if you lose Internet connection,
decide to stop paying maintenance, or the vendor goes out of business.

On the other hand, on-premises implementations require hardware and infrastructure

maintenance, a much larger initial cash outlay for the license and implementation, and you have
to implement periodic upgrades. Let’s look at some pros and cons of on premises ERP software
solutions
.
Pros:

1. There’s deeper functionally as of the time of this writing.

2. There’s more flexibility to make company-specific configuration and customization.

3. Installation on proprietary company servers enables use of the software even if you lose
connectivity to the Internet, stop paying annual maintenance, or the software vendor
goes out of business.

4. Upgrades aren’t required—you can maintain older versions. But many vendors will only
support the current version and one or two previous versions.
 5. Long term, the out-of-pocket recurring annual maintenance cost is lower than the annual
subscription cost of a cloud ERP solution.

6. You can implement in a hosted environment that allows you to outsource the hardware
and maintenance of the software but still maintain control. You can move from a hosted
environment to an on-premises environment.

Cons:

1. You have to buy and maintain internal hardware and infrastructure.

2. The initial cost for the first year is higher, but lease arrangements may help with cash
flow issues.

3. Flexibility also creates complexity. Configuration and customization require longer

implementation time frames.

4. You must plan for and implement upgrades. Customizations may make upgrades more
difficult.

5. Many solutions require IT resources (either internal or outsourced) to maintain the

system.

6. You must develop, provide, and maintain data security internally. This may include
securing equipment, backup

5. Logistic arrangements required

Business Impact

Assuming the cost and service analyses described above are favorable, then additional
business factors must be weighed in order to develop a complete business analysis, and should
be monitored on an ongoing basis:

• Revenue impact. If the application is used to generate revenue, is the move to cloud
computing expected to increase that revenue?

• Customer acquisition or engagement impact. For a customer-facing application, is the move to

cloud computing expected to increase the number of customers accessing it?

• User satisfaction. Does one expect an improvement in availability or response times that will
result in increased user satisfaction?
• Time to market improvements. Will the move to cloud computing shorten the time it takes to
deliver functional enhancements to end users?

• Cost of handling peak loads. The cost of scaling server capacity up and down to match spikes
in demand for the cloud-based application should be compared with similar costs before
migration.

6. Methodology and Strategy adapted for execution of assignment

One of the biggest impediments to the adoption of the cloud model in the ERP space is concern
for security. Reports of security breaches of credit card and personal customer data at large
online companies have contributed to this concern. The good thing is that, at this time, we aren’t
aware of any specific case where sensitive data was exposed from a cloud ERP provider. Still,
companies have been concerned that putting financial and operational information in the cloud
increases the possibility of exposing sensitive data to hackers and outside entities.

To address this concern, cloud vendors have put significant resources into improving the
security of their systems. Many cloud ERP vendors are adopting compliance with Statement on
Standards for Attestation Engagements No. 16 (SSAE 16), “Reporting on Controls at a Service
Organization,” which replaced Statement on Auditing Standards No. 70 (SAS 70), “Service
Organizations.” This attest standard developed by the American Institute of Certified Public
Accountants (AICPA) includes requirements for in-depth audits of internal controls over data
and network security, backup and restoration procedures, and system availability. Because
cloud ERP vendors can’t afford to lose data for their clients, their focus on security is typically
much higher than if you were to set up security for an in-house/on-premises solution.

Nevertheless, the strategy for maintaining security varies by vendor, so be sure you review the
security policies of the cloud ERP vendor before signing the service level agreement (SLA). For
larger organizations that want to take advantage of the benefits of cloud technology but are still
concerned with regulatory compliance, security, and control issues, there’s a growing trend to
form a “private cloud.” This involves a single company or group of companies with common
requirements that set up a cloud to deploy software solutions that are accessed only by that
private group.

7. Documents reviewed

Address Security & Privacy Requirements

Security and privacy are two of the issues that concern cloud service customers the most.
Depending on the sector, these may be just above or below concerns about availability and
performance as highest priority. At the same time, cloud service customers should remember
that many of the security and privacy concerns raised by cloud computing have existed since
the first forms of IT outsourcing were introduced.

Security involves multiple concerns. It includes such aspects as:

How hard is it for an intruder to steal confidential data from the cloud provider’s systems
(external threat)?

• If this happens, will you even know it?

• Can you trust the provider’s personnel, especially system administrators who have many
privileges over the systems you use (internal threat)?

• What does the SLA promise you in terms of security measures?

• What is the impact on your business of a denial-of-service attack, which may not endanger
your data but prevents users from accessing the application?

• How do you authorize an employee to access a system or application in the cloud? How do
you unauthorized them, and how quickly can you do that in a serious situation (termination for
cause, etc.)? What levels of trust do you grant different users, and how do you identify and
authenticate trusted users?

• How do you prove to a client or an auditor that adequate security measures are in place, now
that this is not only your problem, but a shared responsibility between you and a cloud provider?

• How can you verify that the virtualization platform or cloud management software running on
the systems you use, which you did not install and do not control, does not contain malware?

• How can you protect yourself from malware that could be introduced by another customer in a
multi-tenant environment?
• What is the risk that your data will be delivered to a domestic or foreign law enforcement
agency by the cloud service provider in response to a legally binding request?

Privacy is closely related to security, but it carries with it the additional burden that a violation of
privacy, for example the disclosure of PII about your own users or customers to people who do
not have a right to access it, will cause major damage to your company, including:

• Loss of business
• Legal action by the people whose information has been disclosed
• Non-compliance with government regulations

In addition, data subjects may have rights to inspect and correct PII that relates to them, which
will need to be supported by the application even when it runs in a cloud service.
Now that we have examined all the risks and threats that arise when migrating an application to
the cloud, it turns out that doing so may, in fact, increase its security. This statement is based on
two facts:

• Cloud service providers have, in all likelihood, more expert resources at their disposal than
many of their customers. They need to make that investment because a successful attack could
damage their entire business. Therefore, customer data may be safer in the cloud provider’s
custody than in customer’s in-house systems. This is the same principle that leads people to
rent a safe deposit box at their bank rather than keeping their valuables at home.
• Once your data is held in a cloud service, an attacker who specifically wants to gain access to
your information no longer knows exactly where to attack. Even if they successfully penetrat the
network of the cloud provider, there may be thousands of virtual servers whose names do not
reveal whose data they contain.

Knowing all the above, here are some logical steps to follow (again, see the “Security in the
Cloud” white paper for more information). Note that as a result of performing these tasks, you
will never be 100% protected, and after a risk analysis you may even end up deciding that you
cannot in fact migrate certain data or applications. But they will certainly increase the chances of
success.

1. Understand exactly what data (including what code, since code may be the confidential asset
to protect) will be migrated to the cloud service.

2. Map this data to your security classification. If a security classification does not exist, or if it
does not specify where and in which format (cleartext vs. encrypted) data may be held on the
basis of its classification, this is an issue that must be resolved.

3. Identify which information raises privacy concerns – for example, account numbers, dates of
birth, addresses, etc.

4. Examine applicable regulations (especially in the finance and health domains) and determine
what needs to be done to meet these regulations, and whether it is possible to meet these
demands while migrating to cloud computing.

5. Perform the normal risk management tasks of assessing the risk of security or privacy
violations, and the impact on the business.
6. Review the cloud providers’ security/privacy measures (including physical security, personnel
screening, incident notifications, etc., not just the technical security protection measures), and
make sure that they are documented in the cloud SLA.

7. Determine whether the results of these steps actually allow the project to continue.

8. Consider and implement ways in which the information can be protected in four different
situations:

a. During the bulk migration of data from the on-premises system to the cloud service, when the
cloud service is provisioned. This can be a weak point of the whole process, as an entire
database backup may be carried physically, or shipped via courier, to the cloud service
provider’s site.
b. “Data at rest,” while stored in the cloud. An obvious solution for sensitive data is to encrypt
the data, and the practical question is whether the provider can perform this service, or whether
the client needs to research and implement a solution.
c. “Data in motion,” during the routine exchange of data that occurs while using the cloud based
application. Encrypting data in transit is advisable, but runs into some issues: the cloud provider
must support the encryption chain, cryptographic keys may need to be installed at both ends
(requiring a key management solution), and on-the-fly encryption may affect transfer speeds.
d. “Data in use,” that is when the data is actually read and processed by an application. For
sensitive data, it may be advisable for the application to encrypt the data. This may not be
possible if the migrated application is a commercial one that can only read the data in clear text
from a database. A customer written application, on the other hand, can be modified to
read/write encrypted data, so that only some temporary memory buffers will contain clear text
data. The handling of encryption keys is a concern.
9. Design how to authenticate and authorize users. For systems that have their own sign-on
facility, there may be no impact (as long as passwords are not sent in clear text from the user’s
workstation to the cloud-based system, which should not be the case even for an on-premises
system). But if there is any form of Enterprise or Single Sign-On (SSO) facility, making this work
from an application running in a cloud service may require integration work. An enterprise
identity and access management system (IdAM) needs to be accessible from the application
migrated to the cloud service. You will need to understand which protocols are supported by the
IdAM and by the cloud service – additional integration components may be required to enable
them to interoperate.
The silver lining is that once that effort has been made for the first migration, it should make
future migrations easier.

10. Regardless of the solution chosen for authentication and authorization, you need to make
sure that your user de-provisioning process can be executed quickly. Disabling a user’s
credentials for access to cloud systems may be even more critical than disabling their access to
an on-premises system. The reason is that access to an internal system may be made
immediately impossible or more difficult if someone has been escorted out the door; but might
still be able to access the login page of a cloud application from the browser on their
smartphone.

Service Levels

In addition to assessing the costs of application migration, it is equally important to ensure that
the level of service provided by the cloud-based application will be comparable to current
service levels. The required service levels should be agreed with the cloud service provider and
explicitly documented in the cloud service agreement. In fact, the service levels provided by an
internal IT department to its business customers are often not well specified, or not specified at
all. Migrating an application to cloud computing places a spotlight on those essential
commitments. Refer to the CSCC Practical Guide to Cloud Service Agreements and the CSCC
Public Cloud Service Agreements: What to Expect and What to Negotiate for specific
considerations that need to be taken into account when developing an enterprise strategy for
cloud computing.

For each application being migrated to cloud computing, consider the following application
characteristics:

• Application availability. The criticality of the application to business operations will determine
the availability requirements that must be clearly specified in the cloud SLA.

• Application performance. Depending on the performance requirements of the application,

specific performance targets may need to be achievable with the cloud service.

• Application security. Moving an application to the cloud will require due diligence on the part of
the cloud service customer to ensure proper security controls are in place and operating
effectively.
• Privacy. Personally Identifiable Information (PII) handled by a cloud-based application must be
properly stored and maintained. Access to PII stored in a cloud service must be restricted as
required, including from cloud service provider personnel.

• Regulatory compliance. Government and industry regulations may require additional

measures, such as restricting the migrated applications and data to reside in a specific
geographic region.

8. References

[1] Cloud Standards Customer Council (2011). Practical Guide to Cloud Computing.
http://www.cloud-council.org/resource-hub.htm#practical-guide-to-cloud-computing-v2

[2] Cloud Standards Customer Council (2012). Practical Guide to Cloud Service Agreements.
http://www.cloud-council.org/resource-hub.htm#practical-guide-to-cloud-service-agreements-
version-2

[3] Cloud Standards Customer Council (2013). Public Cloud Service Agreements: What to
Expect and What to Negotiate. http://www.cloud-council.org/resource-hub.htm#public-cloud-
service-agreements-what-to-expect-what-to-negotiate

[4] University of Stuttgart. A Collection of Patterns for Cloud Types, Cloud Service Models, and
Cloud-based Application Architectures.
www.iaas.uni-stuttgart.de/institut/mitarbeiter/fehling/TR-2011-
05%20Patterns_for_Cloud_Computing.pdf

[5] CloudDesignPattern.org. AWS cloud design patterns.

http://en.clouddesignpattern.org

[6] Microsoft. Windows Azure design patterns.

www.windowsazure.com/en-us/develop/net/architecture/

[7] IBM. IBM Workload Deployer Pattern-based Application and Middleware Deployments in a
Private Cloud.
www.redbooks.ibm.com/redbooks/pdfs/sg248011.pdf

[8] Cloud Standards Customer Council (2013). Convergence of Social, Mobile and Cloud: 7
Steps to Ensure success.
http://www.cloud-council.org/resource-hub.htm#convergence-of-social-mobile-and-cloud-7-
steps-to-ensure-success

[9] Cloud Standards Customer Council (2012). Security for Cloud Computing: 10 Steps to
Ensure Success.
http://www.cloud-council.org/resource-hub.htm#security-for-cloud-computing-10-steps-to-
ensure-success
Additional References
Study material issued by ICAI.

9. Deliverables
Please provide details of specific deliverables of the assignment. These would include the draft IS Audit
Report, Final IS Audit report, executive summary, detailed findings and recommendations, etc.

10. Format of Report/Findings and Recommendations

Please provide report in standard/specific format as required. Each of the findings is also to be provided
in the standard/specific format. You may adapt this from best practices or customize these as required.

11. Summary/Conclusion
Is a cloud ERP solution right for your organization? The answer depends on resource
availability, functional requirements, IT infrastructure, and the total cost of ownership for the
software and delivery options at your organization. In our independent software consulting
experience, we’ve found that there’s no one-size-fits-all scenario. In general, we’ve seen that if
companies require deep functionality, have specialized requirements that require customization,
need to maintain complete control of the software,don’t have a reliable and fast Internet
connection, and/or have a strong IT infrastructure and support, then on-premises or hosted
solutions are most likely to be the best fit. On the other hand, if a company has relatively
standard functional requirements, a reliable and fast connection to the Internet, a need to
quickly scale up and down the number of users, and/or a desire to outsource IT infrastructure
and support, then a cloud solution fits well. Either way, make sure you have someone with
experience in software licensing, hosting, and cloud agreements review the contract documents
prior to signing an agreement to protect your interests in the contract.

In the future, ERP in the cloud will mature and gain significant market share, but on-premises
ERP solutions won’t disappear. The bottom line is that companies now have multiple viable
ERP implementation options, so you should make an objective evaluation of both cloud and on-
premises/hosted ERP solutions to make the best decision for your organization.