Cloud-based ERP solutions are not immune to fraud, cyber-breaches, or weak controls — which are all serious threats to modern organizations. One core issue facing CFOs is understanding their role in Cloud ERP security—i.e., ensuring that their organization minimizes the vulnerabilities of cloud-based platforms (which contain their most sensitive data), while still taking full advantage of the flexibility and visibility of the cloud.
KPMG recently surveyed 300 executives across multiple industries about their experience with cloud ERP security issues. Key findings of the survey, KPMG ERP Controls Survey 2017: Risk Is Real, include:
- 71% of executives are concerned about moving finance and human resource applications to a cloud ERP platform.
- 17% of organizations have had a cyber-breach associated with their ERP solution.
- 75% of executives plan to allocate 3% to 10% of the total cost of a future cloud ERP implementation to security.
To shed some further light on the survey results, CFO.com sat down with survey co-author Laeeq Ahmed, Managing Director, Advisory, at KPMG, to discuss the risks and better understand how organizations can manage ERP cloud strategies to secure their finance functions.
CFO.com: The survey reveals a high number of executives are concerned about moving to the cloud. Where are the main issues?
Laeeq: As cloud adoption levels rise, we’re going to see organizations pay more attention to how risk and compliance requirements, including cyber-breaches, impact the scope of their Cloud ERP solutions.
There are also concerns around fraud and data theft as a part of cyber-crime, whether it’s through cyber-breaches or internal theft. The potential for financial reporting manipulation is also top of mind for company executives.
To support their Cloud ERP solutions, companies have to design anti-fraud mechanisms that look both ways, inside and outside. And they need to be aware of the possibility that a lone, inside fraudster may be working with a sizeable group of people on the outside.
Compliance is another issue on the radar when it comes to cloud ERP adoption. Auditors are enacting their financial auditing approach and frameworks to support the unique risk profile of cloud hosting, and organizations need to ensure that the compliance aspect of cloud-based ERP solutions is being handled appropriately.
Lastly, in some instances moving to the cloud can also heighten user frustration. Users are accustomed to using mobile and cloud-based technologies at home and may have a negative reaction to overly restrictive cloud security solutions, so finding the appropriate risk and enablement balance is key to the success of a cloud ERP solution.
CFO.com: How does the risk surrounding cloud ERP differ from off-premise solutions?
Laeeq: The movement of financial and HR data to the cloud creates new risks related to “anywhere, anytime, any device” access. Business and IT leaders need to fully understand the cloud shared-responsibility model requirements related to security and compliance, and allocate appropriate budgets for cloud security and controls. To meet client needs, major ERP vendors have very potent security, audit, and compliance frameworks in place, but each organization has to build a controls-in-depth solution to align the end-to-end application and cyber-security and compliance components.