Today’s maturing and evolving Cloud ERP solutions allow organizations to streamline their financial operations and business processes — with employees able to access and support the organization from anywhere, at any time. Easy access, however, also means increased risk. Unfortunately, many companies struggle to strike a good balance between business enablement and security protections, and proceed without a clear direction.
“Moving to Cloud ERP introduces new complexities for organizations to consider, such as increased cyber threats, data security challenges, burdensome regulatory requirements, and cloud-centric operational complications,” says KPMG’s Managing Director of GRC Technology, Laeeq Ahmed, who explains that it’s essential to address those risks and requirements as early as possible in the Cloud ERP implementation process. “Our clients that proactively address the universe of cloud risk, controls and compliance requirements are better prepared and positioned to avoid significant cost and disruption,” he says.
Conflicting Priorities, Siloed Decision-Making
When a company takes on a Cloud ERP implementation project, there is typically a long to-do list that often includes conflicting priorities, from core functionality and user experience to transaction and data protection. Unrealistic time frames abound, says Ahmed, and overwhelmed project teams push critical considerations such as security, controls and risk management to the bottom of the priority heap. “This tactical approach can result in risk and control compromises that aren’t fully appreciated until the project goes live,” he explains. Then, as the organization and its auditors realize the significance of the oversight, remediation projects are required to make corrections; these disrupt the user community and are expensive and time-consuming.
In addition, implementations are sometimes scattered and decentralized, which amplifies siloed organizational decision-making. Individual departments might choose different subscription-based or out-of-the-box solutions for different functions (one for financials and one for human resources, for instance) without understanding the integration risks, the IT architectural challenges, and how economies of scale are affected.
“Three different vendors may be best-of-breed, but the company may not be fully looking at the trade-offs,” says KPMG’s Managing Director for Emerging Technology Risk, Sailesh Gadia. “For example, with different systems, you could lose visibility into who has the ability to update vendor information and pay the vendor, or you could run the risk of someone creating dummy customer accounts and siphoning out money — these aren’t just hypothetical situations, but ones that we see with clients,” he says. “Some of these concerns existed with on-premise solutions, but cloud has exacerbated the situation.” It’s important for organizations to understand the next level of complex challenges resulting from the cloud.
A Holistic View of Securing Cloud ERP
For IT leaders as well as the larger organization, doing the work to secure Cloud ERP earlier in the cycle rather than later is clearly beneficial. KPMG’s Securing the Cloud ERP framework takes a holistic view that cuts across individual functions and departments, and goes beyond tactical exercises specific to functions such as general ledger, payroll or CRM. “This is a strategic opportunity to do some business process reengineering,” says Gadia. “It’s about striking a balance between copying your existing/familiar business processes flows and leveraging what the cloud vendor has to offer.”
The KPMG framework focuses on five core areas that help establish and maintain the organization’s overall security posture with Cloud ERP and work to minimize costly rework after the implementation: application controls; application security; cyber and data security; security operations; and user access administration and governance.
Each organization is different in terms of what it needs. For some companies, especially those with smaller, simpler business processes, it might make sense to adopt what the vendor provides right out of the box. For others, there might be a mixture of best-of-breed point solutions, legacy solutions and out-of-the-box capabilities. “It’s about helping companies reengineer and find the right balance,” says Ahmed. “Too often companies think that buying and installing software is enough — that everything will follow and fall into place. Instead, it has to be an enterprise-wide, joint effort between the CIO and the business. IT is absolutely involved, but so are business groups, controllers, and the CFO.”
Three Ways Companies Can Get in Front of Cloud ERP Security
1) Make sure all the right groups are involved. “The whole concept of teaming is important,” says Ahmed. A Cloud ERP implementation involves more than just the IT group — it’s the CFO’s organization, the controller’s group, human resources, risk management and compliance. All of these groups need to be involved, perhaps at a steering committee level. “To be successful, functional and technical leaders need to collaborate throughout the project implementation phases and look to address cross-functional risk and controls requirements and unique cloud security details,” he says.
2) Put the right talent management in place. “For a successful and secure Cloud ERP implementation, you need talent with a combination of business process understanding as well as relevant training in the vendor solution,” says Gadia. That means sending employees to cloud vendor training and conferences, so they become part of the solution community that helps build their knowledge. “Understanding the direction the vendor is going is particularly important,” he says. “For example, if cloud-based companies get acquired, what does it mean for the enterprise roadmap?”
3) Make sure HR has a hand in. When it comes to ERP, a great deal of personnel data is owned by HR — it can be a single source of truth where you impose certain roles and responsibilities, says Ahmed, so they need to be involved in the Cloud ERP implementation and efforts to secure the solutions. “That’s where organizations need to start in terms of understanding roles and responsibilities, segregating the kind of access you assign to different users to prevent certain types of unwanted behaviors,” he explains.
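The two control problems raised above, a single user who can both maintain vendor master data and release payments (Gadia’s example), and ERP accounts that drift away from the HR roster that is supposed to be the source of truth (Ahmed’s point), are both mechanical checks once role-to-function mappings and an HR feed are available. The script below is an added illustration written for this page; it is not KPMG’s framework, tooling, or any ERP vendor’s API. All role names, function names, users, and the conflict matrix are constructed sample data, and real ERP role models are far larger, but the logic (resolve inherited roles to effective functions, test each user against a conflict matrix, reconcile ERP users against HR actives) is the same.

```python
"""Toy segregation-of-duties (SoD) and orphan-account check for an ERP.

Added example for this page; the data below is constructed, not taken from
any real system or from the KPMG article.
"""

# Role -> business functions it grants directly (constructed sample data).
ROLE_FUNCTIONS = {
    "AP_CLERK": {"vendor_invoice_entry"},
    "VENDOR_MASTER_ADMIN": {"vendor_master_update"},
    "AP_PAYMENT_RUN": {"vendor_payment_release"},
    "AR_CLERK": {"customer_master_create"},
    "CASH_APPLICATION": {"cash_receipt_post", "customer_credit_memo"},
    "AP_SUPERVISOR": set(),  # grants nothing directly; see ROLE_INHERITS
}

# Composite roles: a role may pull in other roles. This is where SoD
# conflicts hide, because the direct grants of a role look harmless.
ROLE_INHERITS = {
    "AP_SUPERVISOR": {"AP_CLERK", "AP_PAYMENT_RUN"},
}

# Conflict matrix: pairs of functions no single user should hold together.
SOD_CONFLICTS = {
    frozenset({"vendor_master_update", "vendor_payment_release"}):
        "could redirect a vendor's bank details and pay that vendor",
    frozenset({"vendor_invoice_entry", "vendor_payment_release"}):
        "could enter and pay a fictitious invoice",
    frozenset({"customer_master_create", "customer_credit_memo"}):
        "could create a dummy customer and issue credits against it",
}

# ERP user -> assigned roles (constructed).
USER_ROLES = {
    "alice": {"VENDOR_MASTER_ADMIN", "AP_PAYMENT_RUN"},
    "bob": {"AP_SUPERVISOR"},
    "carol": {"AR_CLERK", "CASH_APPLICATION"},
    "dave": {"AP_CLERK"},
    "erin": {"AP_PAYMENT_RUN"},
}

# HR roster of active employees (constructed). erin has left the company
# but still has an ERP account.
HR_ACTIVE = {"alice", "bob", "carol", "dave"}


def effective_functions(role, _seen=None):
    """Functions a role grants, including everything inherited (cycle-safe)."""
    seen = set() if _seen is None else _seen
    if role in seen:
        return set()
    seen.add(role)
    funcs = set(ROLE_FUNCTIONS.get(role, set()))
    for parent in ROLE_INHERITS.get(role, ()):
        funcs |= effective_functions(parent, seen)
    return funcs


def user_functions(user):
    """Union of effective functions across all of a user's roles."""
    funcs = set()
    for role in USER_ROLES.get(user, ()):
        funcs |= effective_functions(role)
    return funcs


def holders_of(function):
    """Who can perform a given function: the 'visibility' question."""
    return sorted(u for u in USER_ROLES if function in user_functions(u))


def sod_violations():
    """Map user -> sorted list of (function_a, function_b, reason) conflicts."""
    report = {}
    for user in USER_ROLES:
        held = user_functions(user)
        hits = [(*sorted(pair), reason)
                for pair, reason in SOD_CONFLICTS.items() if pair <= held]
        if hits:
            report[user] = sorted(hits)
    return report


def orphan_accounts():
    """ERP accounts with no matching active HR record (leavers, ghosts)."""
    return sorted(u for u in USER_ROLES if u not in HR_ACTIVE)


if __name__ == "__main__":
    for user, hits in sod_violations().items():
        for a, b, reason in hits:
            print(f"SoD: {user} holds {a} + {b}: {reason}")
    print("Can release vendor payments:", holders_of("vendor_payment_release"))
    print("Orphan ERP accounts:", orphan_accounts())
```

Note that bob is flagged even though his only role, AP_SUPERVISOR, grants no function directly; the conflict only appears once inherited roles are resolved, which is the case a review of direct role assignments misses. erin passes the SoD check but shows up as an orphan, which is why the HR roster, not the ERP user table, should drive the reconciliation.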