Cloud-based ERP solutions are not immune to fraud, cyber-breaches, or weak controls — which are all serious threats to modern organizations. One core issue facing CFOs is understanding their role in Cloud ERP security—i.e., ensuring that their organization minimizes the vulnerabilities of cloud-based platforms (which contain their most sensitive data), while still taking full advantage of the flexibility and visibility of the cloud.
KPMG recently surveyed 300 executives across multiple industries about their experience with cloud ERP security issues. Key findings of the KPMG ERP Controls Survey 2017: Risk Is Real include:
- 71% of executives are concerned about moving finance and human resource applications to a cloud ERP platform.
- 17% of organizations have had a cyber-breach associated with their ERP solution.
- 75% of executives plan to allocate 3% to 10% of the total cost of a future cloud ERP implementation to security.
To shed some further light on the survey results, CFO.com sat down with survey co-author Laeeq Ahmed, Managing Director, Advisory, at KPMG, to discuss the risks and better understand how organizations can manage ERP cloud strategies to secure their finance functions.
CFO.com: The survey reveals a high number of executives are concerned about moving to the cloud. Where are the main issues?
Laeeq: As cloud adoption levels rise, we’re going to see organizations pay more attention to how risk and compliance requirements, including cyber-breaches, impact the scope of their Cloud ERP solutions.
There are also concerns around fraud and data theft as a part of cyber-crime, whether it’s through cyber-breaches or internal theft. The potential for financial reporting manipulation is also top of mind for company executives.
To support their Cloud ERP solutions, companies have to design anti-fraud mechanisms that look both ways, inside and outside. And they need to be aware of the possibility that a lone, inside fraudster may be working with a sizeable group of people on the outside.
Compliance is another issue on the radar when it comes to cloud ERP adoption. Auditors are enacting their financial auditing approach and frameworks to support the unique risk profile of cloud hosting, and organizations need to ensure that the compliance aspect of cloud-based ERP solutions is being handled appropriately.
Lastly, in some instances moving to the cloud can also heighten user frustration. Users are accustomed to using mobile and cloud-based technologies at home and may have a negative reaction to overly restrictive cloud security solutions, so finding the appropriate risk and enablement balance is key to the success of a cloud ERP solution.
CFO.com: How does the risk surrounding cloud ERP differ from off-premise solutions?
Laeeq: The movement of financial and HR data to the cloud creates new risks related to “anywhere, anytime, any device” access. Business and IT leaders need to fully understand the cloud shared-responsibility model requirements related to security and compliance, and allocate appropriate budgets for cloud security and controls. To meet client needs, major ERP vendors have very potent security, audit, and compliance frameworks in place, but each organization has to build a controls-in-depth solution to align the end-to-end application and cyber-security and compliance components.
CFO.com: What does an ERP risk assessment look like, and what stakeholders should be involved?
Laeeq: KPMG risk assessments focus on areas such as cloud application controls, cloud application security, cyber and data security, and cloud security operations. It’s an enterprise issue, so functional and IT leaders, as well as the CFO, have to have a hand in the assessment for it to work effectively.
CFO.com: How often should you perform a risk assessment?
Laeeq: In many cases, risk assessments are completed in conjunction with the initial cloud ERP rollout cycles, as well as with the subsequent quarterly ERP solution releases—i.e., to help identify changes between the pre-patch and post-patch versions. In particular, you want to ensure you have appropriate risk mitigation solutions in place at go-live and then examine the impact on controls and shared risks as the platform evolves.
CFO.com: As more applications and data move to the cloud, are organizations budgeting appropriately for security?
Laeeq: As always, there is more work to be done. The opportunities for fraud and cyber-exposure increase as organizations expand their use of new cloud platforms. Leaders have to ensure that their organization appreciates the need to mitigate the risk associated with today’s cloud ERP platforms and develop an appropriate program and budget. In our Risk Is Real study, we found that business leaders estimate up to 10% of the total cost of the cloud ERP implementation is needed to ensure a good security and controls framework.
CFO.com: What stakeholders are responsible for ongoing management of cloud ERP risk?
Laeeq: Ultimately the ERP risk management responsibilities are shared between senior business executives and the CIO, with supporting contributions from cyber-security and internal audit leaders. To tactically manage cloud ERP risk, organizations should look to leverage a Cloud Security Architect to align the cloud ERP security and controls resources.
CFO.com: How will audits change?
Laeeq: Cloud ERP platforms are constantly evolving, which will drive auditors to advance their thinking to more of a continuous-audit approach, to address the uniqueness of cloud ERP operations. In addition, auditors will need to better understand the cloud ERP shared-responsibility model’s impact on their audit scope.
CFO.com: Should we expect to see more cloud ERP breaches in the news?
Laeeq: We are already seeing an uptick in cloud ERP breaches. Today’s cyber-security threats are increasingly diverse, technically violent, and often specifically engineered to target an organization’s most valuable assets, which are residing on the ERP platform in most cases.
It comes down to having a solid Securing the Cloud ERP program and framework. Finding the right balance between cloud enablement and data/transaction protection is the key.