KPMG ERP controls survey 2017

New findings suggest more support is required for risk mitigation.

Fraud, cyber security, and weak controls are serious and growing problems for today’s organizations, and cloud enterprise resource planning (ERP) applications are not immune to this challenge.

With increased frequency, businesses and organizations are reporting problems ranging from breaches involving personally identifiable information (PII) such as Social Security numbers, as well as, dates, places of birth and addresses of millions of people to the theft of millions of dollars by employees.

KPMG recently asked 300 executives across multiple industries about their experience with cloud ERP security issues.

Almost one-fifth of respondents reported a cyber breach and/or a fraud event in their organization over the past five years. Not surprisingly, the overwhelming majority of these executives expressed concern about moving finance and human resource applications to a cloud ERP platform. An even larger number stated that they were worried about unauthorized access to sensitive information.

Security issues: Recognized but not resolved

Although executives were clearly concerned about security issues, the survey also suggested that in many cases these issues had not been resolved. For example, 64 percent of respondents said that their organization was still challenged in addressing segregation of duties for their ERP solutions. In addition, only 48 percent of the organizations leveraged automated controls for their ERP controls.

At the same time, nearly one-third of the executives indicated that more than 10 percent of their users had issues during periodic access certification review cycles. Granted, this might be seen as a small number, but it can have a serious impact. In fact, it suggests that at any given time, one-tenth of the total population of ERP users has the ability, due to inappropriate access, to commit fraud or errors. In the face of this risk, only 13 percent of respondents said their internal audit organization conducts periodic security and controls assessments, and just 11 percent said the internal audit team had the appropriate knowledge, skills, and expertise to support these assessments.

Moreover, moving forward, executives look to increase spending on security measures as 75 percent of executives surveyed plan to allocate 3 percent to 10 percent of a future ERP project budget for security and controls. However, this level of investment may not be adequate as KPMG’s experience has shown that appropriately secure cloud ERP projects have allocated at least 8 percent to 12 percent of an ERP project budget for security and controls.