KPMG - Buiness Guidelines to Cloud Computing and Beyond

Advisory

Orchestrating the
New Paradigm
KPMG’s Business Guidelines to
Cloud Computing and Beyond

kpmg.com

2 | KPMG’s Business Guidelines to Cloud Computing and Beyond

© 2011 KPMG Advisory N.V.

Contents
1 Foreword

3

2 Introduction

5

3 Current business challenges

6

4 The old paradigm of IT

9

5 The shift towards the cloud

11

6 Into perspective

15

7 Considerations

18

8 Steps forward: orchestration

25

9 Key message

33



34

Appendix

KPMG’s Business Guidelines to Cloud Computing and Beyond | 3

© 2011 KPMG Advisory N.V.

01

Foreword

Organisations face immense challenges
in the aftermath of the financial crisis.
In the current fragile economic climate
IT often represents a costly and rigid
structure that does not live up to
expectations. Meanwhile a paradigm
shift is taking place: a transition
from locally installed and maintained
IT towards the centralisation and
commoditisation of IT services.
A growing number of organisations
embrace concepts such as cloud
computing in order to reduce IT
spending, to increase the speed
of implementations and to ensure
an innovative business approach.
Concurrently, questions arise regarding
security, compliance and privacy.

This paper will deal with these
issues from a strategic point of view.
We believe that the key challenge
for CEOs and CIOs is to orchestrate
complex IT ecosystems encompassing
both traditional IT systems and cloud
services from various providers.

What are the potential rewards and the
main risks of this new paradigm of IT?

We look forward to continuing the
dialogue on this subject with you.

This paper assists in a wider understanding
of this current evolution/transition in IT
and provides guidance from a business
perspective. Just as you might expect
from KPMG, we aim to clarify the process
by demystify the hype and to inform
decision-makers beyond the obvious
success stories as told by cloud service
providers and the reluctant stance of many
‘traditional’ IT service integrators.

John Hermans
Partner, KPMG Advisory
KPMG in the Netherlands

4 | KPMG’s Business Guidelines to Cloud Computing and Beyond

© 2011 KPMG Advisory N.V.

KPMG’s Business Guidelines to Cloud Computing and Beyond | 5

© 2011 KPMG Advisory N.V.

02

Introduction
We aim to demystify the hype and to inform decision-makers.

Cloud computing is undoubtedly
the most significant phenomenon
in IT today. Although there seems
to be some confusion within the IT
industry regarding the exact definition
of the term, from a business point of
view cloud computing simply means
obtaining IT services from the internet
without owning an IT infrastructure.
The internet is often depicted by
technicians as a ‘cloud’, hence the term
cloud computing. Gmail and Facebook
are good examples of cloud computing.
The increasing significance of cloud
computing is supported by the fact
that many organisations are slowly but
surely adopting this model. A recent
survey by KPMG in the Netherlands
also indicates that the majority of
participants considers cloud computing
to be the future model of IT. On the other
hand, some people still feel that cloud
computing is nothing more than a hype
and that it will subside. After all, the IT
industry has made many ‘promises’
over the years that were not fulfilled.

Amidst the debate decision-makers’
most pressing questions often
go unanswered. The business
perspective on cloud computing
and potential developments in
the IT landscape remain largely
underexposed, unrecognised and/or
misunderstood.
We are convinced that this broader
perspective is essential for a thorough
understanding of the impact of
cloud computing, since IT is of vital
importance for creating business
value in the majority of organisations.
Therefore, we interviewed CEOs
and CIOs as well as the leading
specialist within KPMG with regard
to cloud computing and the future
of IT in general. As a result of our
conversations we gained a clearer
understanding of the main difficulties
and opportunities in organisations
related to their IT infrastructure.
Based on this information, the
following key items were identified:

• Current business challenges:
what are the foremost challenges
for organisations in the aftermath
of the financial crisis?
• The old paradigm of IT: what is
‘traditional’ IT’s reaction to the
current business challenges?
• The paradigm shift: what developments in IT can be observed?
• Perspective: what does the new
paradigm actually mean?
• Considerations: what are the risks
of this new paradigm?
• Steps forward: what steps should
organisations take?
This paper aims to provide answers
to these questions. In addition,
Appendix A explains the definition and
characteristics of cloud computing in
more detail.

6 | KPMG’s Business Guidelines to Cloud Computing and Beyond

03

© 2011 KPMG Advisory N.V.

Current business
challenges
Organisations are challenged with cost savings,
faster time-to-market and innovation.
In the aftermath of the financial crisis, it is clear that market
conditions have remained extremely volatile. While there
is room for optimism regarding the economic future, many
companies are confronted with persistent pressure on profit
margins and a highly competitive, fast changing and globalised
business environment. Rising energy prices and unstable
political situations are making matters increasingly challenging.
According to the decision-makers of
large organisations, the main business
challenges are cost savings, time-tomarket and innovation.
3.1 Cost savings
Cost savings can help to maintain
profit margins during a period of
recession. Despite signs of economic
recovery, many private enterprises face
uncertain market conditions and have
intensified their cost-saving efforts. This
is often a daunting task, particularly when
it comes to changing cost structures.

© 2011 KPMG Advisory N.V.

KPMG’s Business Guidelines to Cloud Computing and Beyond | 7

© 2011 KPMG Advisory N.V.

3.2 Faster time-to-market
Time-to-market is undoubtedly one
of the critical success factors for
organisations. Consumer and
employee demands have become
increasingly volatile, forcing
organisations into fast and flexible
market approaches. The lifetime
cycle has changed and today’s
products are characterised by:
• an early, high peak in sales volume;
• a rapid decline in sales after the peak;
• short market time.

3.3 Innovation
Product development has become a
major factor for companies, particularly
in Europe and the US, while emerging
economies such as China, India and
Brazil excel in the efficient production
of many generic products.
It is obvious that constant innovation
has a decisive impact on a company’s
success. The ability to collaborate,
to exchange ideas and access to the
relevant information resources are
prerequisites for innovation.

Product lifetimes

Sales volume

Therefore, in order to meet
demands quickly and with precision,
organisations must be able to react
instantly to ensure fast delivery of
their products. Delays not only result
in a significant loss of opportunity but
also a (much) smaller market share
amongst fierce competition.

Current product’s lifetime
‘Traditional’ product’s lifetime
Source: KPMG in the Netherlands, 2011

Time

8 | KPMG’s Business Guidelines to Cloud Computing and Beyond

KPMG’s Business Guidelines to Cloud Computing and Beyond | 9

© 2011 KPMG Advisory N.V.

04

The old paradigm of IT
Traditional IT is unable to support the business.

It is quite shocking to see how traditional IT concepts fail to

Moreover, the bulk of these costs,
usually around 80 percent, are
spent on maintenance of existing
IT rather than on new and innovative
applications. While IT spending did
not increase dramatically for most
EU companies in the last two years,
the IT operational budget as a
percentage of revenue continued the
upward trend. Overdue investment in
the IT infrastructure and exceedingly
complicated software releases are
important causes of this increase.

deliver on the three aforementioned business challenges of cost
saving, quicker time-to-market and innovation. IT simply does not
deliver these concepts and thereby fails to meet the needs and
requirements of contemporary business.
Traditional, locally installed and
maintained IT typically comprises
various incompatible systems,
numerous applications and a myriad
of interfaces and connections between
all these different parts. IT has become
extremely complex for the majority
of organisations. This complexity is
not only expensive to maintain, but
changes bear high risks and the
deployment of new applications also
involves greater time and effort.

at up to five percent of revenue for
Fortune500 enterprises and well over
five percent of government budgets in
most OECD countries.

IT operational budget as percentage of revenue
2,6

2,5
2,3
2

1,9

According to many decision-makers,
their organisation’s IT costs are
unreasonably high, IT is too rigid and
outdated and instead of supporting the
business, IT has become a hindrance.
4.1 Increasing expenditure
Despite the pressure on IT spending
during the last two years, expenditure
on IT remains unconscionably high:

2007

2008

Source: KPMG in the Netherlands, 2010

2009

2010

2011
(expected)

10 | KPMG’s Business Guidelines to Cloud Computing and Beyond

© 2011 KPMG Advisory N.V.

IT departments have to acquire
hardware and software, set-up
different environments (development,
test, acceptance, production),
implement procedures, train their
IT staff and appoint application
managers.
In short, traditional IT is unable to
provide the flexibility and speed
needed to shorten time-to-market.
4.3 Outdated infrastructure
Consumer IT products and services
have evolved dramatically during
the last decade. An explosion of
smartphones and tablet computers,
new ready-to-use web-based
applications and social networks
have enabled mobile use of IT,
information sharing and collaboration
on a scale never seen before.
It is obvious that reducing IT spending
while assuring similar levels of
service will be an exceptionally
challenging task for CIOs in the
coming years.
Recent studies by KPMG also show
that investment in IT often does not
add tangible value to the business
(approximately 30 percent) with a
significant portion of IT projects failing
to meet time and budget constraints.
Less than 40 percent of IT projects can
be considered successful, having been
completed on time, on budget and
meeting quality standards.
In short, traditional IT is costing more
and providing less.

4.2 Rigidity
In order to shorten time-to-market of
new products, businesses need to have
flexible, scalable and instantly available
IT resources. In reality however, many
organisations depend entirely on local
IT resources that are bound to their
existing hardware, network bandwidth
and personnel. As a result, traditional IT
is hardly scalable and this rigidity
contrasts sharply with the business’s
required agility.
In addition to limited scalability,
traditional IT is unsuited to making new
applications instantly available in
accordance with business demands.
Deploying new applications often takes
months and involves high operational
and financial risks.

Traditional IT appears to be
unsuccessful at coping with the
changing computing habits of
consumers. It generally comprises
static, legacy components which
were never designed to facilitate
mobile use or to provide platforms
for collaboration and the exchange
of ideas.
While the new generation of
employees are accustomed to the
new possibilities of IT in their private
lives, corporate IT falls short in
fulfilling their expectations.
In short, traditional IT fails to keep
pace with innovation and the way
consumers use IT.

© 2011 KPMG Advisory N.V.

05

KPMG’s Business Guidelines to Cloud Computing and Beyond | 11

The shift towards
the cloud
Cloud computing seems to offer solutions.
As the old paradigm of IT simply no longer lives up to its
expectations, organisations are looking for alternative concepts.
Cloud computing seems to offer the ideal solution in this
respect; it enables organisations to phase out parts of their
IT including hardware and software, they can regain authority
over their core business and keep the costs under control.

5.1 Lower costs
IT operational costs can be reduced
significantly by adopting cloud
computing, since this model’s initial
investments (capital expenditure) are
marginal compared to the costs that
are involved with the large-scale, costly
and risky implementations of traditional
IT resources. All installations actually
take place on the provider’s servers
and the management costs for making
the services continuously available are
borne by the provider. Moreover, there
are considerable savings in terms of
hardware, server rooms, air conditioning
and electricity. The costs passed on
to customers are relatively low due to
the economies of scale of most cloud
service providers, efficient use of (shared)
resources and centralisation of expertise.

12 | KPMG’s Business Guidelines to Cloud Computing and Beyond

With cloud computing, charges only
apply to the use of the IT service, as the
IT resource remains in the possession
of the provider. Although paying by
subscription remains the norm, ‘pay-asyou-go’ has recently come into vogue,
enabling the customer to pay each time
the service is employed. The advantage
of pay-as-you-go is that payment is
only made for services that are actually
used, and unnecessary overheads are
avoided.
5.2 Flexibility of deployment
Faster deployment of IT services is an
important driver of cloud computing.
The on-demand nature of the cloud
enables the rapid implementation of
applications to business users.
IT complexity is no longer an issue for
organisations as IT is owned and run
by specialised cloud service providers.
Instead of building and running an
internal IT factory, commoditised IT
services are delivered via the internet,
similar to the way in which electricity is
sourced from specialised power plants.
Cloud based e-mail services such as
Gmail and Hotmail are well known
examples and positive testimonials of
this trend.

© 2011 KPMG Advisory N.V.

Furthermore, using the public internet
as the basic network infrastructure for
services means that business users
are able to access applications and
data via various devices from multiple
access points all over the world. This
can enhance productivity, improve
collaboration and enrich the user
experience.
5.3 Instant scalability
Cloud computing also offers the
advantage of being able to adjust the
use of IT resources either upwards
or downwards, thus improving the
scalability of IT. This is possible due to
the enormous of scale of the foremost
cloud service providers whose IT
capacity easily exceeds that of individual
customer organisations.
By using technologies such as various
types of virtualisation and loadbalancing, cloud computing solutions
can easily be scaled up and down.
Combined with the ‘pay-as-you-go’ or
subscription models that are common
to cloud computing, customers only pay
for what they use and the required IT
capacity is always available. In contrast
to traditional IT, IT capacity in the cloud
is in theory never idle or scarce.

© 2011 KPMG Advisory N.V.

Storage requirement

The scalability of cloud computing

On-premise

Loss of 
opportunity

Unused
resources

Storage requirement

Time

Cloud

Time
Source: KPMG in the Netherlands, 2010

14 | KPMG’s Business Guidelines to Cloud Computing and Beyond

© 2011 KPMG Advisory N.V.

KPMG’s Business Guidelines to Cloud Computing and Beyond | 15

© 2011 KPMG Advisory N.V.

06

Into perspective
A hybrid IT environment with growing significance of
cloud services will prevail over the next five years.

Despite the popularity of cloud computing, its market share is
still low. Only a small percentage of overall IT budgets are spent
on cloud services. Meanwhile, the growth of cloud computing is
too large to disregard and the investments by leading players in
the IT industry too big to ignore. Cloud computing is both
marginal and significant.
Paradigm shift

High

Cloud computing

Centralisation

Outsourcing
Hosting
SSC
On-premise IT

Low
Source: KPMG in the Netherlands, 2011

Commoditisation

High

6.1 Marginality of the cloud
Based on OECD and KPMG’s figures,
the current share of cloud computing
is negligible in terms of the total IT
spending of organisations at between
two percent to four percent globally.
With the US as the leading outlet
(60 percent), the rest of the world
including Europe can be considered
as periphery. Cloud computing
applications in our private lives, such
as Facebook and Gmail, may be very
popular but large-scale adoption
of cloud services by the corporate
community has yet to take place. In
particular, concerns about the level of
security and compliance in the cloud
are decelerating factors.
Notwithstanding the continuous
development of cloud computing,
the catalogue of cloud services
is relatively limited to already
commoditised services such as
e-mail, ‘office’ applications, CRM
and data storage. The cloud currently
offers virtually no complex, integrated
business applications as yet.

16 | KPMG’s Business Guidelines to Cloud Computing and Beyond

Enterprise Resource Planning and
custom-made billing systems only make
their way to the cloud in isolated cases
and remain locally installed in a traditional
way, at least for the time being.
6.2 Significance of the cloud
Yet the emergence of cloud computing
should not be underestimated.
According to market estimates of leading
analysts the growth of commercial cloud
services is between 20 percent to 30
percent per year for 2010 - 2015, despite
(or perhaps thanks to) the economic low
tide. Even though the current market
share of cloud computing is marginal, it
will own a considerable portion by 2015.
Moreover, the move towards
centralisation and commoditisation
of IT services is a process that has
been taking place since the turn of the
millennium. Centralisation enhances
efficiency by using the economies of
scale and resource sharing. Centralised
delivery of services also facilitates
volatile demand more effectively.
Commoditisation by using standardised
services instead of custom-made
solutions involves lower costs and less
time as the turnkey solutions are easier
to deploy. From locally installed and
managed IT, organisations chose to setup Shared Service Centres (SSC) often
in combination with harmonisation of
their IT portfolio. Then came the waves
of hosting applications on external
platforms and outsourcing/offshoring of

IT departments to low-wage countries.
In this respect, cloud computing is the
next phase in this process and part of
the paradigm shift in IT from traditional
IT towards the centralised provision of
services and shared use of IT resources.
The foremost players in the IT industry
also anticipate this trend. While the
established pioneers of cloud computing
(Google, Salesforce.com and Amazon
being the best known) are steadily
expanding their service portfolios, almost
all major IT providers are investing
heavily in cloud services in order to meet
the apparently rising demand. Even
the goliaths (or perhaps mastodons)
of traditional IT such as Microsoft, IBM
and Oracle are offering cloud services,
occasionally in collaboration with other
software vendors and IT integrators who
do not want to miss the boat.
It will take at least another five years
before cloud computing becomes the
de facto standard for the majority of IT
services, but the course towards the
cloud has been clearly set.

© 2011 KPMG Advisory N.V.

6.3 The hybrid environment as the
new paradigm
Given the current, minor position
of cloud computing and the
ongoing wave of centralisation
and commoditisation of IT, most
organisations will adapt to a hybrid
environment. Only a relative few
organisations will sustain an
entirely traditional IT infrastructure
by ignoring or disregarding the
drivers of cloud computing. On the
other hand, there is no business case
for a full-scale move of IT to the cloud
for the vast majority of organisations
anytime soon. A hybrid environment,
a mixture of traditional IT and
outsourced elements with growing
significance of cloud services, will
prevail over the next five years. For the
greater part, IT will be installed and
managed locally whether by internal
units or by an IT service provider.
A growing portion of IT will, however,
depend on external resources and on
cloud computing in particular.
This paradigm shift will not be a
sudden transition from the old
paradigm of predominantly traditional,
on-premise IT to the cloud. Neither
will it mark an end to all the short­
comings of the old paradigm. The
future mode of IT will be a hybrid
environment offering huge potential
for organisations as well as points of
consideration, which will be discussed
in the next chapter.

KPMG’s Business Guidelines to Cloud Computing and Beyond | 17

© 2011 KPMG Advisory N.V.

Hosting, outsourcing and cloud computing
Business aspects

Delivery of
service

Dedicated

Management of
IT resources

Internal

External

Ownership of
assets

Customer

Provider

On-premise IT

Shared

SSC

Hosting

Outsourcing

Cloud Computing

Source: KPMG in the Netherlands, 2011

Cloud computing shares certain characteristics with hosting
and outsourcing from the viewpoint of decision-makers.
All three models involve a certain degree of using shared IT
resources from external providers. In reality, the boundaries
between hosting, outsourcing and cloud computing are
often vague and overlapping. Providers frequently present
their hosting solutions in the form of a ‘private’ cloud while
cloud computing can be seen as a radical form of outsourcing.
Where outsourcing usually means moving internal IT
resources to an external party, cloud computing means

a phasing out of internal IT resources and using those of the
provider instead.
The specific definition of each of these models is of minor
importance so long as the following business aspects can
be determined correctly: the exclusivity of the delivery of IT
services, the assignment of the management of IT resources
and the ownership of software and hardware. The extent to
which these aspects are adopted determines the potential
benefits and risks of the solution.

18 | KPMG’s Business Guidelines to Cloud Computing and Beyond

07

© 2011 KPMG Advisory N.V.

Considerations
Managing multiple concepts regarding data,
contracts and technology can be a daunting
task for organisations.
As with opportunity comes danger, organisations should be aware
of the risks of operating in a hybrid IT environment and cloud
computing in particular. Security and compliance are important
factors as rules and regulations with respect to risk management
have been tightened in the last two years. Compliance with these
rules and regulations may be difficult in a hybrid environment.
Additionally, as organisations are inherently reliant on their provider’s
controls within the cloud with regards to compliance monitoring
and reporting, decision-makers will need to cope with different
contracts, integration issues and an ever-changing IT industry.
7.1 Dependency on the cloud
With an ever greater proportion of
the IT components moving to external
premises, organisations will be
increasingly dependent on their
providers. This form of dependency
on providers already exists, such as
dependency on energy providers, banks
and public facilities e.g. the transport
infrastructure. Yet when it comes to IT
many organisations maintain the notion
that they are in control, although in
practice most have issues on this point.

© 2011 KPMG Advisory N.V.

KPMG’s Business Guidelines to Cloud Computing and Beyond | 19

At the same time, the level of trust
between organisations and their IT
service providers remains relatively low
compared to, for example, financial
institutions (in spite of the credit
crunch), and there are valid reasons for
this reserved stance towards IT service
providers, particularly with regard to
cloud computing.
Cloud computing is not devoid of
dangers. Although the number of
major incidents involving commonly
used cloud services was relatively
small in 2010 in relation to the number
of customers, all the ‘Big Four’ cloud
service providers (Google, Salesforce.
com, Amazon and Microsoft) have
needed to remedy several critical
vulnerabilities in their cloud offerings in
which customer data was, to a certain
extent, compromised. Consequences
of loss, leakage or the unavailability of
data residing at providers’ premises
can be disastrous to the business. One
crucial point is emphasised by this – the
customer is highly dependent on the
cloud service provider when it comes
to data protection.
Another aspect of dependency is
provider lock-in. Due to the limited,
albeit growing, number of cloud service
providers combined with the lack of
(open, interchangeable) standards
for provider interoperability, it can
be extremely difficult to switch to
alternative providers and/or to migrate
back to locally installed IT. A provider’s
failure to support the extraction of data

in open formats after termination of
service may aggravate this issue. This
means that the data is only suitable for
one specific solution or at one specific
provider.
Provider lock-in also comprises
unforeseen circumstances such as
bankruptcy, litigation, SEC probing or
any other act of provider defamation
that could significantly damage an
organisation’s business. Shutdown
of services, change of service levels,
shift of focus in the event of strategy
alterations and the mergers or
acquisitions of the provider may also
have undesired effects.

Dependency on public internet
can have implications on service
reliability and uptime outside the
scope of control of both the customer
organisation and provider. Although
leased lines and proprietary networks
can be used for cloud computing,
the primary infrastructure of cloud
computing is the public internet.
Given the fact that the public internet’s
ownership and accountability are for
the greater part undefined, ensuring
contractual obligations with network
providers and accountable parties
that enable internet connectivity
is virtually impossible and legally
cumbersome.

20 | KPMG’s Business Guidelines to Cloud Computing and Beyond

© 2011 KPMG Advisory N.V.

The risk profile of the cloud
The risks of cloud computing should
be put into perspective. On the one
hand, cloud computing is mainly
based on existing technologies such
as virtualisation, data segregation and
web services. The existing IT risks
apply, albeit the controls and mitigating
measures are largely the provider’s
responsibility as the provider owns
and manages the IT resources within
the cloud. On the other hand, cloud
computing has characteristics which
considerably affect the risk profile
compared to traditional, on-premise IT.
These characteristics are:

Considerations

Data processing
and storage

On-premise

Off-premise

Access and
authorisation

Single-tenant

Primary network
Infrastructure

LAN

Multi-tenant

(Public) Internet

• external data storage and processing;
On-premise IT

• the sharing of IT resources with other
customers (multi-tenancy);
• dependency on the public internet.

SSC

Hosting

Outsourcing

Cloud
Computing

Source: KPMG in the Netherlands, 2011

Traditional IT

Cloud computing

Location of data storage
and IT assets

Within the (internal)
security domain of the
customer’s organisation

Outside the internal security domain of the
customer’s organisation; hosted/located at cloud
service provider or distributed/scattered over a
multitude of (third party) providers

Usage of (IT) resources

Exclusive to the customer

Varying degrees of multi-tenancy

Primary infrastructure for
data transfer

LAN, leased lines

Public internet

© 2011 KPMG Advisory N.V.

7.2 Complexity of the hybrid
environment
As the name suggests, the hybrid
environment covers multiple
concepts regarding data management,
contracts, and technology. Managing
these items can be a daunting task for
organisations.
Data management is important to
prevent disruption of business. The
complexity of data management in

KPMG’s Business Guidelines to Cloud Computing and Beyond | 21

hybrid environments is primarily
caused by the processing and storage
of data at different physical locations.
Data is distributed or scattered
between several providers’ premises
as well as being located on-site and
this implies challenges concerning
security and privacy. It is difficult to
implement integrated control
measures and processes for data
management over several, often
incompatible infrastructures.

Insufficient data segregation and
process isolation can lead to data
contamination and/or breach of
confidentiality, while lack of identity
and access controls can cause
illegitimate access to sensitive data
such as intellectual property. For large
corporations that often need to comply
with specific regulations, inadequate
measures regarding data management
may also result in regulatory
incompliance.
In addition, storing data outside the
organisation’s perimeters may raise
privacy issues. For example, within
the European Economical Area laws
are applicable regarding the processing
of personal data. Anyone who handles
personal data has to comply with these
rules, no matter how and where the
data is actually being processed. Simply
put, the customer who is using the
cloud services will remain responsible
for their data. This poses a risk for the
customer, as in cloud scenarios it is
often unclear where and when data is
being processed, how it is being
transported and who has access to
this data. The international presence
of cloud service providers compounds
this problem.
With the growing share of cloud services
that can be purchased and delivered
from all over the planet, organisations
will have contracts involving providers
from different jurisdictions.

22 | KPMG’s Business Guidelines to Cloud Computing and Beyond

Different jurisdictions imply different
legislations, rules and procedures.
Regulations which apply for defined
geographical locations are at odds
with cloud computing services
crossing various borders.
As a result, the location of data in
different jurisdictions can conflict
with local legislations applicable to
the customer.
When it comes to technical integration,
integration of access controls and
authori­sation pose the biggest chal­
lenges for organisations.

Different authentication strengths,
especially when authentication of the
cloud service is weaker than the
customer’s requirements, can lead to
weaknesses in the IT environment with
the result that the integrity and
confidentiality of data is compromised.
In most large organisations, the
processes for authorisation to access
internal IT resources are complex
and open to improvement. Frequently,
authorisations for role/function changes
within the organisation include new
permissions while the old permissions
may not have been removed, resulting
in too many permissions and the

© 2011 KPMG Advisory N.V.

potential infringement of segregation of
duties. This complexity is increased by
cloud services that use different
procedures and/or other technologies
to facilitate these processes.
7.3 Assurance
Hybrid environments have far-reaching
consequences on the degree of
assurance, especially where it comes
to financial statements. To obtain
assurance, transparency from provi­ders
concerning data and management of the
physical and logical security is essential.
In practice however, assurance
frameworks are often inadequate.
This is principally an issue for the
customer organisation, as legislation
such as privacy laws state that a
customer has the legal obligation to
validate the measures implemented
by the service provider. Therefore
when using externally hosted
services such as cloud computing,
it is the customer’s responsibility
to know what is outsourced, to
whom and where the data is
processed and located.
SAS70 reports and various other
certifications appear to offer a
solution to this issue, but only a
minority of providers engage
independent parties to regularly
perform external audits.

© 2011 KPMG Advisory N.V.

Moreover, the selected IT controls are
often based on the single-tenant
structure and not on the multi-tenancy
characte­ristic of cloud services.
Many of the controls necessary to
ensure segregation of the data and
resource utilisation of various customers
are not selected and therefore rarely
audited. New IT controls are currently
being formulated, but the number of
initiatives remains large without any of
the frameworks being widely accepted
on the market. In addition, the public
internet, which is the main infrastructure
facilitating the cloud, is exceptionally hard
to audit and to monitor as accountability
on internet traffic is difficult to assign and
even more difficult to enforce. As a result,
management across multiple providers,
the ‘black box’ nature of cloud computing
and the public internet rarely resonates
well with tightly controlled industries.
It should be noted that the current
SAS70 standard, which is used
globally to meet assurance on activities
impacting the financial statements,
will be replaced by June 2011 by the
ISAE3402 standard. This new standard
will establish an international basis for
practice supported by IFAC (International
Federation of Accountants) and ASB
(US Auditing Standards Board). This
new standard will also relate to all
outsourced controls relevant to the
financial statements.

24 | KPMG’s Business Guidelines to Cloud Computing and Beyond

© 2011 KPMG Advisory N.V.

KPMG’s Business Guidelines to Cloud Computing and Beyond | 25

© 2011 KPMG Advisory N.V.

08

Steps forward: orchestration
Orchestration of the hybrid environment is a critical success factor.

To reap the benefits of the new paradigm of IT, organisations
will need to be in control of the hybrid environment. This implies
that the ability to define business cases, analyse and mitigate
risks and govern IT services will be the success factors. The
combination of these elements is what we call orchestration.

Orchestration
Orchestration

Business
Case

Risk
Management

Governance

Selecting
solutions

Minimising
risks

Optimising
benefits

Source: KPMG in the Netherlands, 2011

8.1 Business case
A solid business case for using the
cloud is preconditional. Organisations
should devise a business case based
on how to utilise different technologies
and models. Some elements of the IT
landscape should be left in their legacy
state, while other elements could be
moved to the cloud. The lifecycle and
depreciation of the existing IT assets
should also be assessed and evaluated.
The question of whether a service in the
cloud is fit for the job is largely dependent
on the organisation’s business needs. In
practice, custom-tailored and complex
services are far less common in the cloud
than commodity services such as e-mail
and storage. Furthermore, it is unlikely
that highly confidential and/or sensitive
data will be moved to the cloud within
the near future.
Close monitoring of the market is strongly
recommended. Changes occur one after
another at a rapid pace, each with its new
opportunities and drawbacks.

26 | KPMG’s Business Guidelines to Cloud Computing and Beyond

© 2011 KPMG Advisory N.V.

Case study 1:
The cloud computing strategy for the Dutch government

KPMG’s cloud analysis method
IT Dutch government

Cloud computing

No mature cloud
services available
Highly
confidential data

Suitable for
the cloud

- External private cloud
- Public cloud

Complex systems
Recently purchased systems
Internal private cloud
Legacy systems

Source: KPMG in the Netherlands, 2010

KPMG was asked by the Dutch
government to perform an analysis
of the possibilities of the cloud as
part of the cloud computing strategy
development. The objective of this
project was to identify which part of the
Dutch government’s IT could be moved
to the cloud and what types of cloud
computing offering were feasible.
Based on the information collected
during workshops and expert
sessions, KPMG determined that
cloud computing was only suitable
for a subset of IT within the Dutch
government, comprising the parts that
comply with the following conditions:

• Contains no highly confidential data:
this type of data cannot be taken to
external domains due to the need
for security, privacy and for political
reasons.
• Is not part of the legacy systems:
migration or transformation of large
scale legacy systems with specific
functionalities are too labour intensive
and bear too great a risk.
• Was not recently purchased: systems
in the initial stage of their lifecycle
are financially unfit given the long
depreciation period involved.
• Has a limited number of connections
with other systems: as the standards
to interconnect different systems

between the cloud and on-premise
need to crystallise out, complex
systems can be excluded.
KPMG also determined that an
internal private cloud was only
viable for a limited proportion of the
government’s IT systems due to the
required (high level of) investments
and specialist knowledge versus
virtually no benefits.
Although the supply of cloud services
will increase and diversify in time, the
external cloud market’s proven and
matured services are limited to mainly
e-mail, ‘office’ applications, CRM,
collaboration, application development
platforms, data storage and server/
infrastructure capacity.

KPMG’s Business Guidelines to Cloud Computing and Beyond | 27

© 2011 KPMG Advisory N.V.

Case study 2:
A cloud computing opportunity scan for an international bank

KPMG was asked by an international
bank to perform an opportunity scan
with the aim of identifying the areas in
the bank’s application landscape that
could be moved to the cloud.

- a proven track record at financial
organisations;

• Opportunity analysis: suitable areas
for cloud computing were identified.

- data residing within EU;

Only a fraction of the bank’s
applications were suitable for the cloud.
The main restricting factors regarding
cloud computing were the low number
of providers with a solid track record,
risk of lock-in and the confidentiality of
the bank’s data.

- ISO27001 certified.

• Definition: a practicable and
consistent definition of cloud
computing within the organisation
was agreed.
• Scope definition: the scope of
applications within the bank was
defined.
• Selection of cloud services: an
overview of cloud service providers
and their solutions were defined
and briefly described. Prerequisites
were:

• Outline of risk assessment: potential
risks, mitigations and residual risks
were assessed.

KPMG’s cloud opportunity scan
Suitable

In the long term
Development
platform

Public domain data

During two sessions KPMG and
representatives from the bank (senior
business representatives, CIO, IT
architects, security officer, audit and
risk managers) defined the following
items:

• Outline of business case: potential
benefits of those selected solutions
were identified.

Confidential data

Given the exceptionally valuable and
confidential nature of the data involved,
the bank demanded a high level of
security and control over its IT systems,
therefore compliance with applicable
regulations and standard such as PCI
DSS was required.

Intranet

BPM

Office

ESB

E-mail

CRM
ERP

Portals

DMS

Billing
BI

Finance
Unsuitable

Primary process applications

Source: KPMG in the Netherlands, 2010

HR
Under stringent conditions only
Commodity applications

28 | KPMG’s Business Guidelines to Cloud Computing and Beyond

8.2 Risk management
Risk management is an essential
element in the hybrid environment.
Next to the ‘traditional’ risk manage­
ment activities for the traditional
IT, specific attention should be paid
to measures mitigating the risks
of excessive provider-dependency,
complexity of processes and
technology, and assurance.
Regarding the dependency on
providers and their solutions, risk
assessment at an early stage is
advised. The provider’s track record, its
integrity and financial/market position
should all be assessed and verified.
When it comes to cloud computing,
decision-makers should bear in mind
that the cloud computing market is in
its development stage and large-scale
migrations to the cloud and expertise
on this subject are scarce.
In any event, the customer should have
an exit/migration strategy prepared.
Regarding the complexity of processes
and technology, the entire ecosystem
including the various relations between
the components of the hybrid
environment should be identified.
Cloud services frequently comprise
many parties at various locations,
operating under different conditions
and subject to different legislations.
It is essential to identify the entire
ecosystem and to obtain sufficient
assurance on all its components.

A right-to-audit for all off-premise
services is recommended, although
the reality is that large cloud service
providers honour few requests for
audits. Moreover, many auditors
lack the technical knowledge and
experience with the architecture of
the cloud. As a consequence, many
organisations are forced to rely on
provider transparency through reports
and certifications. It is advisable to
utilise this secondary option to its
maximum extent.
Cloud computing has a number of
specific characteristics with major a
impact on risk profile, such as external
data storage and processing, the
sharing of IT resources with other
customers (multi-tenancy) and the
dependency on the public internet.
These characteristics imply potential
high risks and mitigations concerning
multiple dimensions including data,
security, privacy, compliance and
finance. Therefore, risks relating to
all dimensions should be assessed,
mitigating measures defined and
responsibilities/accountabilities
assigned.

© 2011 KPMG Advisory N.V.

KPMG’s Business Guidelines to Cloud Computing and Beyond | 29

© 2011 KPMG Advisory N.V.

Case study 3:
A cloud computing risk assessment for an organisation
in the industrial markets sector
KPMG was asked to assess the risks
for an organisation already using cloud
services. IT and security units were not
involved during the purchasing process
which complicated the eventual
mitigating measures.
In the case of this organisation, we
identified the following four relevant
characteristics of cloud services
concerning risks:

This led to undesired weaknesses
in the IT environment with the result
that the integrity and confidentiality of
(financial) data could be harmed.
Secondly the processes for user
management (creating, changing and
disabling/deleting computer accounts)

and authorisation (who and/or which
roles have which permissions for which
data) to internal IT resources could not
be integrated with the processes of the
cloud service provider. This situation
of two, separate domains therefore
increased the risk of higher complexity,
additional costs and management.

KPMG’s risk dimensions model

• external data storage;
Security
and Privacy

• multi-tenancy architecture;
• use of the public internet;
• integration with the internal IT
environment.
These four characteristics were plotted
on several risk dimensions.
The main risks related to integration
with the internal IT environment, and
more specifically to authentication and
authorisation of business users.

Operational

Financial

BUSINESS RISKS

Technology

Vendor
Regulatory
and
Compliance

Firstly the customer organisation’s
authentication (3-factor) was stronger
than the authentication supported by
the cloud service provider (2-factor).
Source: KPMG in the US, 2010

30 | KPMG’s Business Guidelines to Cloud Computing and Beyond

© 2011 KPMG Advisory N.V.

8.3 Governance
Governance encompasses the
management of multiple service
providers, demand/purchase control,
and the integration of processes and
technology. Optimal governance of a
hybrid environment will lead to a
higher effectiveness of IT on the
customer’s side.

order to control the purchase of
cloud computing services and
promote correct use of the cloud.
This policy should also outline
conditions, commitments, service
level requirements, the terms of
engagement between provider
and customer and procedures
concerning compliance with the policy.

Management of multiple service
providers encompasses similar
elements to those of traditional IT.
However there is greater emphasis on
vendor management, legal support,
compliance monitoring and integration.
The main components of governance
are depicted below.

Defining architecture to ensure
adequate interoperability between
various technologies and service
models is an important step and
ensures alignment with the
organisation’s strategy. In general,
a consistent architecture within one
organisation outweighs the advantages
of using several models. Understanding
the architecture of various services and
their relations is of major importance
when implementing services. In this
regard, it is recommended to pay
specific attention to Identity and Access
Management (IAM) and workflow
integration, as they frequently pose
technical difficulties in practice.

Cloud computing services can be
purchased on-demand by everyone in
the organisation outside the control
of IT and risk/audit departments. As a
result, business users circumventing
IT may result in a surplus/duplication
of applications. A policy on cloud
computing should be drafted in

Governance
Vendor
management

Contract
management

Service level
management

Legal
support

Enterprise risk
management

Compliance
monitoring

Demand
management

Service portfolio
management

Identity & access
management

Service
integration

Technical
integration

Security
management

Source: KPMG in the Netherlands, 2010

© 2011 KPMG Advisory N.V.

KPMG’s Business Guidelines to Cloud Computing and Beyond | 31

Cloud computing and Tax issues – Minimising risk and exposure

Cloud computing’s impact triggers taxation issues in the
service provider’s country as well as in the customer’s
country. Typically, three taxation themes need thorough
consideration.

A third point of consideration is the set-up of cloud computing
services. Under certain circumstances tax authorities may
take the position that a cloud computing service rendered to
a customer is subject to local withholding tax.

The first is the fact that a permanent establishment issue
may occur if a cloud computing vendor has a server in
another country. In such cases, the other country’s tax
authorities may have the fiscal viewpoint that the server
creates a local permanent establishment and that part of
the related profits are taxable in their country.

It is important that the structure is set-up correctly and
processes are continuously monitored in order to minimise
tax exposures and risks. This requires an integrated process
and control framework.

The second is in the field of VAT. For VAT purposes, a cloud
computing vendor may need to register itself in foreign
countries where its customers are based and local VAT
may be due.

Through planning and structuring, there are opportunities
to design tax-efficient structures under the appropriate
circumstances.

32 | KPMG’s Business Guidelines to Cloud Computing and Beyond

KPMG’s Business Guidelines to Cloud Computing and Beyond | 33

© 2011 KPMG Advisory N.V.

9 Key message
Organisations are facing immense
challenges during the aftermath of the
financial crisis. Cost savings, faster
time-to-market and innovation in an
increasingly competitive business
environment are the decision-makers’
main concerns. Against the background
of these challenges, to what extent
does IT provide valuable support? The
reality is that IT costs too much without
adding sufficient value and can even
hinder innovation.

in the cloud, at least for the time being
(2011 - 2015). This offers opportunities
for organisations; cost effectiveness,
flexibility and speed, as well as
specific points to consider.

A paradigm shift in IT is currently taking
place, away from traditional, locally
installed and managed IT towards
applications on the internet, the ‘cloud’.
Cloud computing corresponds with
the aims of business by delivering
services at lower costs, enabling
faster deployment of applications
and facilitating innovation. Yet, cloud
computing’s share in the IT market is
marginal and the portfolio of services
limited. And yet the growth of cloud
computing is solid, in accordance with
industry’s high expectations.

Key message

Nonetheless, a new paradigm is
underway. It will not be a sudden
transition from traditional IT to the
cloud. Neither will it mark an end
to all the shortcomings of the old
paradigm.
The new paradigm of IT will be
a hybrid environment with both
traditional, on-premise IT and services

Orchestration of the hybrid environ­
ment will be a critical success factor.
Orchestration encompasses the
ability to define business cases, risk
assessments and the governance of

multiple service providers,
demand/purchase control and
the integration of processes and
technology.
Optimal orchestration of a hybrid
environment will lead to a higher
effectiveness of IT on the customer’s
side. And to an organisation that
can cope with tomorrow’s challenges
in an ever changing marketplace.

Organisations are challenged with cost savings,
faster time-to-market and innovation
Traditional IT is unable to support the business
Cloud computing seems to offer solutions
Cloud computing is emerging but still a marginal phenomenon
Hybrid environment is the mode of IT for 2011 - 2015
Hybrid environment harbours opportunities and risks
Orchestration of the hybrid environment
is a critical success factor
Source: KPMG in the Netherlands, 2011

34 | KPMG’s Business Guidelines to Cloud Computing and Beyond

Appendix

© 2011 KPMG Advisory N.V.

KPMG’s Business Guidelines to Cloud Computing and Beyond | 35

© 2011 KPMG Advisory N.V.

Appendix A

Cloud computing in more detail
A search using an internet search
engine delivers a multitude of
definitions, descriptions and opinions
on cloud computing. Some speak
of ‘applications on the internet’
or ‘a computational style in which
IT provides scalable and flexible
capabilities as services to external
customers through the use of internet
technology’, while others qualify it
with terms such as ‘old wine in new
bottles’. Obviously there is a lack of
consensus and a lot of confusion on
what cloud computing actually is.
Simply viewed, cloud computing
stands for the provision of IT services
from shared resources via the
internet. The internet is often
metaphorically depicted as a cloud,
hence the term ‘cloud computing’.
Well known examples of cloud
computing applications include
Gmail, Google Apps, Hotmail and
Apple MobileMe.
The reason why this seemingly simple
concept is so differently explained by
IT providers, analysts and academics
is mainly due to the fact that cloud
computing is a combination of
important technological and business
elements.
From a technological perspective,
cloud computing is based on already
existing technologies such as

Traditional, on-premise IT versus cloud computing
‘On-premise’

Cloud computing

Customer

Customer

Users

Users

IT services

IT services

Hardware, Software + data

Internet
Subscription
Pay-as-you-go

Licences and
support costs
Vendor

Vendor
Hardware, Software + data

Source: KPMG the Netherlands, 2010

“Cloud computing stands for hosted applications
and platforms, built on shared infrastructure,
delivered via a web browser.” An Industry Head at
Google Enterprise
virtualisation, web services, shared
data caches and grid computing.
Since ASPs (Application Service
Providers) have been providing IT
applications over the internet for
more than a decade, cloud computing
can indeed be described as ‘old wine
in new bottles’.

However, the commercial provision of
IT services over the internet on a large
scale from shared pools of IT resources
has only become economically
viable due to three relatively recent
developments. Firstly, the above
mentioned technologies, of which
virtualisation and web services are the

36 | KPMG’s Business Guidelines to Cloud Computing and Beyond

most important, have been refined,
standardised and widely applied
during the last five years. Secondly,
public broadband networks have
become abundant and readily available
at a reasonable cost. Thirdly, some
providers have expanded the scale of
their IT resources enormously, making
them the major players in today’s cloud
computing market.
The business principle of cloud
computing is based on the fact
that possession/ownership of IT
resources (i.e. applications, platforms
or infrastructure) is independent of
the use of these resources. In cloud
computing, the IT resources, whether
it is an application or storage, remain
the property of the cloud service
provider and customers only pay
for the use of the IT service without
requiring local software or hardware
installations. In theory, cloud
computing does not require upfront
investments (capital expenditure)
unlike the traditional, on-premise IT.
The customer only needs access to
the internet.
Cloud services can be offered at
various layers of IT. At the software
layer, this service is called Softwareas-a-Service (SaaS). Platform-as-aService (PaaS) provides IT services
at the platform level (e.g. operating
systems, application frameworks)
and, in this case, additional software
must then be developed or installed by
customers. Infrastructure-as-a-Service
(IaaS) provides technical infrastructure
components (e.g. storage, memory,

© 2011 KPMG Advisory N.V.

Layers of cloud computing

Salesforce.com, Microsoft Office 365, Gmail
Software + Platform + Infrastructure

SaaS

App Engine, Force.com, Azure
Platform + Infrastructure

PaaS

Amazon EC2, Terremark, RackSpace
Infrastructure

IaaS

Source: KPMG the Netherlands, 2010

CPU, network). Additional platforms
and software have to be installed by
the customer or specific infrastructure
components can be utilised for onpremise processes (see the diagram
below). In general, cloud service
providers specialise in one or two
layers only.
Depending on the layer, cloud
computing has the following
characteristics:
• External data storage and
processing. Unlike traditional IT, data
is stored and processed outside
the customer’s domain at the cloud
service provider’s location(s)
• Multi-tenancy. Contrary to traditional
IT, resources are (to a certain degree)
shared by multiple customers

• Internet-dependent. Although
leased lines and proprietary
networks can be used for cloud
computing, its primary infrastructure
is the public internet
• Contracted services. Customers pay
for a service (‘pay-as-you-go’ or by
subscription) instead of licences and/
or hardware
• On-demand services. In contrast
to the vast majority of traditional IT,
cloud services can be used almost
instantly
• Elasticity. Cloud services can be
easily upscaled and downsized
Multi-tenancy may be limited to a
select group of customers or even
a single customer, although there is

KPMG’s Business Guidelines to Cloud Computing and Beyond | 37

© 2011 KPMG Advisory N.V.

Different types of cloud computing

Internal cloud computing

Private cloud computing

Public cloud computing

Customer A

Customer A

Customer B

Customer C

Customer A

Customer B

Customer C

Service

Service

Service

Service

Service

Service

Service

Internet

Internet

Internet

Internet

IT

Internal IT Customer A

Source: KPMG the Netherlands, 2010

always a degree of multi-tenancy (e.g.
physical facilities, cooling, support
staff) with cloud computing. This
form of private or dedicated cloud
computing represents an alternative
to the public cloud with a high degree
of multi-tenancy. In either form, the
customer’s data is stored at the
provider’s location(s).
Some providers offer private cloud
computing solutions in which an
organisation’s internal IT department
uses cloud computing technologies
to create an ‘on-premise cloud’. Since
this internal form of cloud computing
is fully dependent on internal, onpremise IT, it is highly questionable
whether this type can truly be called
cloud computing. Therefore, any such
notion of an internal cloud has not
been discussed in this paper.

IT

IT

Provider

IT

Internet

IT

IT

Provider

IT

38 | KPMG’s Business Guidelines to Cloud Computing and Beyond

© 2011 KPMG Advisory N.V.

Appendix B

Approach, project organisation
and references
Approach
This paper reflects KPMG’s vision of
cloud computing in a broad perspective.
The basis of the content was provided
by a team of international specialists
on this subject within the KPMG
International network of member firms
during September and October 2010.
In addition, existing KPMG reports and
publications have also been used.

References
• From Hype to Future, KPMG’s 2010
Cloud Computing Survey, KPMG,
2010
• Clouds in the Forecast – Canadian
perspectives on the promise of cloud
computing services for businesses,
KPMG, 2010

Project organisation

• IT Attestation in the cloud, KPMG,
2010

Author:
Mike Chung

• Audit and Compliance in the cloud,
KPMG, 2010

Project executives:
John Hermans and Frank Rizzo

• Executive Considerations When
Building and Managing a Successful
Cloud Service, KPMG, 2009

Project manager:
Mike Chung
With valuable support from:
Nasreen Patel, Roy van der Veld, Dennis
van Ham, Edo Roos Lindgreen, Ingar
Glenn Pedersen, Tudor Aw, Matthias
Bossardt, Alfred Koch, Rick Wright,
Maarten de Boer, Serge Wallagh, Marco
Franken, Willem Guensberg, Bhargav
Shah, Marloes de Jong and Ralph
Houtveen.

• Audit in the cloud, security audits
versus cloud computing, Mike
Chung, KPMG, 2010
• Assurance in the cloud, impact
of cloud computing on financial
statements, Mike Chung, Compact,
2011.
• OECD Information Technology
Outlook 2010, OECD, 2010

Contact us
KPMG
Laan van Langerhuize 1
1186 DS Amstelveen
The Netherlands
P.O. Box 74500
1070 DB Amsterdam
The Netherlands
John Hermans
T: +31 (0)20 656 8394
M: +31 (0)6 5136 6389
[email protected]
Mike Chung
T: +31 (0)20 656 4034
M: +31 (0)6 1455 9916
[email protected]

Key contacts
John Hermans
Partner

Tudor Aw
Partner

KPMG in the Netherlands

KPMG in the UK

T: +31 6 5136 6389
E: [email protected]

T: +44 207 694 1265
E: [email protected]

Mike Chung
Manager

Alain Beuchat
Partner

KPMG in the Netherlands

KPMG in Switzerland

T: +31 6 1455 9916
E: [email protected]

T: +41 44 249 2017
E: [email protected]

Frank Rizzo
Partner

Matthias Bossardt
Senior Manager

KPMG in South Africa

KPMG in Switzerland

T: +27 11 6477 388
E: [email protected]

T: +41 44 249 2239
E: [email protected]

Greg Bell
Partner

Uwe Bernd-Striebeck
Partner

KPMG in the US

KPMG in Germany

T: +1 404 222 7197
E: [email protected]

T: +49 201 455 6870
E: [email protected]

Rick Wright
Partner

Arne Helme
Director

KPMG in the US

KPMG in Norway

T: +1 617 988 1163
E: [email protected]

T: +47 40 63 9507
E: [email protected]

© 2011 KPMG Advisory N.V. is a subsidiary of KPMG Europe LLP and a member firm of the KPMG-network of independent member
firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. The KPMG name, logo
and ‘cutting through complexity’ are registered trademarks of KPMG International Cooperative. 045_0311
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual
or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is
accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information
without appropriate professional advice after a thorough examination of the particular situation.