
Audit Scope

The objective of this audit is to assist UNCCG in reviewing its enterprise data warehouse technology platform.

The scope of work for this audit will consist of <XXXX> hours of professional services, and the objectives for this audit will include a review of the following control points:

Data Warehouse Management
- Data Warehouse Governance
- Financial Management
- Risk Management
- Human Resources
- Portfolio Project Management

Data Warehouse Operations
- DW Architecture and Integration
- Systems Development and Testing
- Change Management
- System Monitoring
- Problem Management
- Logical Security
- Data Transmission
- Metadata

Business Integration
- Service Delivery (Business Process Integration and Analysis)
- Project Management
- Help Desk

Audit Approach

Our approach for the execution of this audit engagement will consist of interviews with key employees, review of documents, inspections, data extractions and the usage of applicable audit tools. The audit will consist of the components described below. The phases are listed in sequential order and should provide an overview of the sequencing of the proposed engagement.

1. Mobilization phase

Phase description: GF Consulting will perform the following:
- Develop and provide to UNCCG an advanced data request (ADR) of the relevant documents and materials that will support our fieldwork.
- Develop and provide to UNCCG an initial interview list of those business and IT professionals that we anticipate needing to meet with in order to perform this audit.
- Develop an audit program to guide activities during the course of this audit. The audit program guide should include a list of the controls that would be reviewed, along with a defined approach for understanding the design of each control and how it would be tested to determine if it was operating effectively.

Deliverables:
- Advanced data requests (see appendix for a sample request)
- Interview lists of key employees that we would like to interview (see appendix for a sample list)
- Detailed Audit Program document(s) for each of the following areas: Data Warehouse Management, Data Warehouse Operations and Business Integration

2. Execution phase

Phase description: Once the audit program has been finalized, and the appropriate resources have been identified, fieldwork will proceed in accordance with the audit plan.

Deliverables:
- Results from the execution of the detailed Audit Program
- Working papers that support the results from the detailed Audit Program

3. Reporting phase

Phase description: All IT audit work is summarized in the IT audit report. Our team will compile and present a draft report to UNCCG management within three weeks of completing the execution phase. The purpose of this draft is discussion and incorporation of any comments prior to issuing a final report to UNCCG.

Deliverables:
- Draft report for discussion containing an executive summary, audit findings and recommendations for improvement
- Final report with edits and comments from UNCCG management

Risk Assessment

Based on the information provided by UNCCG during our initial conversation, combined with our understanding of the business environment in which UNCCG operates, we have formulated the following risk considerations that we understand are relevant to your business. Our goal is to incorporate these risk considerations into the audit program to be developed in the Mobilization Phase of this engagement.

Risk category: Regulatory

Risk 1

As a publicly traded company, UNCCG is subject to compliance with the Sarbanes-Oxley Act of 2002 (SOX). As a result, UNCCG's management must:
- Accept responsibility for the effectiveness of the company's internal control over financial reporting.
- Evaluate the effectiveness of the company's internal control over financial reporting using suitable control criteria.
- Support its evaluation with sufficient evidence, including documentation.
- Present a written assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year.

Although this legal requirement may not have a direct impact on the data warehouse applications subject to this audit, since they are not categorized as financial reporting related applications, it may have an indirect impact where technology infrastructure is shared between the financial reporting systems and the data warehouse applications. Technology infrastructure (operations, security, processes, people) that supports financial reporting systems is subject to SOX compliance requirements.

Risk category: Technology/Reputational

Risk 2: Privacy regulations

The Personal Data Privacy & Security Act of 2005 bill states that organizations must adopt reasonable procedures to ensure the security, privacy and confidentiality of personally identifiable information, and must notify the relevant governing bodies when security breaches occur. The bill also states that, if there is reason to believe the stolen data can be used for identity theft, the organization must make public notification. We have seen increased pressure in the marketplace pushing companies toward a better defined and better controlled data privacy control environment. We understand that a significant portion of UNCCG's revenue comes from check card, credit card and debit card transactions, on which some consumer information is collected, processed and may or may not be stored. It is our understanding that payment information is processed externally. In addition, UNCCG's consumer loyalty program collects and stores consumer private information such as telephone numbers, addresses, names and a history of purchases. Based on those facts, we understand that current and future privacy regulations are a relevant risk to the business at UNCCG, with both a regulatory impact and a brand impact, given that future privacy breaches will be required to be made public.
Risk category: Operational

Risk 3: External vendors' access to enterprise data

Based on the information provided by UNCCG during our initial conversations, we understand that credit and debit card payment processing is outsourced to an external vendor. In addition, UNCCG indicated that it relies on a third party vendor, located in India, to perform program change and program development functions for the data warehouse (DW) management system. This external vendor has remote access to the UNCCG environment. We understand that, even though UNCCG has outsourced program change and program development functions to a third party vendor, it remains responsible for ensuring the accuracy, completeness and appropriateness of program changes and developments in the DW environment. In order to perform their business functions, both of these vendors will have the ability to access sensitive enterprise data, including consumer information. Based on that fact, we consider this a relevant risk to the company's IT environment.

Risk category: Credit Risk/Technology Risk

Risk 4: Unavailability of credit and/or debit card processing application

We understand that a significant portion of UNCCG's revenue comes from check card, credit card and debit card transactions, which are processed externally (for approval purposes) and stored by one of the company's mainframe-based systems (for reconciliation and historic purposes). Unavailability of either the external processing vendor or of the mainframe-based system would cause the point of sale (POS) systems at the stores to operate in an offline mode, in which only cash payments would be allowed until functionality is completely restored. Based on that information, we consider unavailability of card payment applications a relevant risk to the business, with a direct impact on customers' perception of quality of service and a direct impact on sales.

Communications

Through regular meetings and ongoing communication with management, we will establish a relationship of openness and teamwork through which we can discuss significant audit findings, recommendations for improving internal controls or operations, and current industry issues (or any other issues management wishes to discuss), and ultimately develop solid solutions without surprises. We commit to holding regular meetings with management, both formally and informally, to foster such a relationship. Management letters and communication are an important element of professional service. It is our policy to discuss our findings and recommendations with the appropriate members of management prior to issuance so that we can verify factual accuracy. Our final report will only include findings and recommendations considered significant. Other matters will be communicated throughout the engagement and during our regular meetings and fieldwork.
Planned schedule

GF Consulting estimates this engagement will require approximately xxxx weeks of effort, and we are prepared to begin fieldwork on a date mutually agreed upon with UNCCG. In addition, we understand the final report for this audit must be completed no later than July 15, 2006.

APPENDIX I: Sample Advanced Data Request

The following information would be helpful in evaluating the existing data warehouse environment, to the extent it already exists.

1. Organization Charts
   a. Technology (Development and Operations)
   b. Business
2. Telephone Directory
3. User Documentation
   a. Data warehouse user training guides
   b. Data warehouse user operational manuals
4. Systems Documentation
   a. Application architecture (including an explanation of any automated interfaces)
   b. Systems operations overview (platform and network)
   c. Third party vendor agreements
5. Management Procedures and Policies
   a. Operations Management (system monitoring, maintenance, and/or scheduled support)
   b. Information Security (logical access)
   c. Change Management (change control and configuration management)
   d. Business Continuity Plan(s)
   e. Disaster Recovery Plan(s)
   f. Problem Management

APPENDIX II: Sample Interview Request

The following is a list of individuals we anticipate will likely be requested to participate in a one-hour interview with one of our team members. Scheduling will be arranged by our team in observance of UNCCG's personnel commitments and priorities. Other interviews may be determined necessary as we make progress, and we will make our best efforts to communicate this as soon as possible so it can be scheduled in a non-disruptive manner.

Individual: Role
- Jerry Lewis: Chief Information Officer
- Brunno Rodriguez: Chief Security Officer
- Chris Poknis: Vendor Relationship Manager
- Andy Tatum: IT Operations Manager
- Andrew Deloach: Database Administrator (DBA)
- Chris Maiden: Data Warehouse Lead
- Mike Maher: Data Warehouse Service Delivery Manager
- Josh Smith: Data Warehouse Architect
- Amanda Fernandez: SAP Project Lead
- Steve Lucas: Data Warehouse Senior Analyst
