Corporate fraud, audit failures, and compliance violations are increasingly tied to how enterprises manage access to their critical business systems. As enterprises migrate to cloud-based Enterprise Resource Planning (ERP) systems and diversify their applications, CFOs must rethink their role in reducing business risks and ensuring financial integrity.
This increased interconnectedness heightens the risks associated with elevated permissions, rendering traditional role-based security models insufficient for preventing unauthorized access. The result is segregation of duties (SoD) conflicts and other vulnerabilities, presenting unprecedented challenges for CFOs in preventing fraud and ensuring regulatory compliance.
The Zero Trust framework has been around for a while as a key approach to addressing the risk of unauthorized access. This article explores how increasing complexity and evolving enterprise risks are reshaping Zero Trust, pushing it beyond IT into the CFO’s domain, while also examining its limitations.
Complexity Is Still at Its Early Stage – More to Come
According to IDC, ERP has trailed other application-software areas in its cloud migration, with 48% still on-premise, suggesting that enterprises are still in the process of modernizing their ERP environments. The IDC study also forecasts the public cloud ERP market to reach $73 billion by 2026. Overall, this data means that enterprises will continue their migration projects and diversify their applications further.
Complexity and Weaknesses in ERPs
Access risks can arise in many ways in a modern enterprise running multiple ERPs. For instance, if a procurement specialist can create and approve purchase orders for vendors in SAP S/4HANA and approve purchase requisitions in Coupa, they can potentially initiate a purchase request in Coupa, convert it to an order in SAP S/4HANA, and approve it, bypassing the necessary validation. If the same individual also has access to BlackLine reconciliation reports, they could manipulate expense records – similar to what happened at Macy’s, where a lone employee manipulated the retailer’s accounting systems for three years, hiding as much as $154 million. Another example is Amazon, where an employee stole $9.4 million from the company through a brazen fraud scheme involving fake vendors and fictitious invoices.
The examples above illustrate that even Fortune 500 companies with vast security budgets are not immune to corporate fraud. Worse, the financial damage from such incidents can be compounded by regulatory fines. For example, SOX clearly states that such permissions are unacceptable, requiring that access be granted on a least-privilege basis and that no single person be able to complete a financial transaction from start to finish without oversight.
Zero Trust as a Financial Risk Mitigation Strategy
The digitalization of critical business functions, combined with the evolving financial risks enterprises face, means that CFOs can’t afford to treat access security as just an IT issue; instead, they must consider it a core financial risk that impacts compliance, revenue, and business continuity. This shift signals the convergence of CFO and CIO roles and means that, contrary to traditional practice, oversight of Zero Trust implementation must extend beyond IT.
Since its introduction in 2010, Zero Trust has evolved from a radical “never trust, always verify” concept into a more adaptive approach, as it has become clear that achieving full Zero Trust is both impractical and impossible. Instead, working towards a “zero risk” concept should be the new benchmark.
A modern framework designed to continuously minimize financial risk requires dynamic, agile access control technology that automates compliant provisioning, monitors high-risk access, and secures critical application infrastructures in real time, rather than only at identity lifecycle stages – when a user joins the company, moves within it, or leaves. As a result, unauthorized access to regulated applications is prevented at the transaction level, reducing an organization’s exposure to corporate fraud and compliance violations. In cases like those of Macy’s and Amazon described above, such technology could have flagged the access risks before the individuals involved had even begun performing potentially illegitimate actions.
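The cross-system conflict described in the Complexity and Weaknesses section (Coupa requisition approval plus SAP S/4HANA purchase-order creation and approval, plus BlackLine reconciliation access) and the transaction-level prevention described above, as an added example that is not from the article or any vendor product. The rule names, action identifiers, user entitlements and document history are constructed for illustration; a real deployment would pull entitlements from each system’s authorization data.

```python
# Added example (constructed data): a minimal cross-system segregation-of-duties (SoD)
# checker with a static entitlement review and a transaction-level gate.
from dataclasses import dataclass, field

# An entitlement is (system, action). Each rule names two entitlements that one
# person must not hold together, nor exercise both on the same document.
RULES = {
    "create+approve PO":
        (("SAP S/4HANA", "create_po"), ("SAP S/4HANA", "approve_po")),
    "requisition approval + PO conversion":
        (("Coupa", "approve_requisition"), ("SAP S/4HANA", "create_po")),
    "PO approval + reconciliation":
        (("SAP S/4HANA", "approve_po"), ("BlackLine", "edit_reconciliation")),
}

# Constructed entitlement data, as an access-governance tool would collect it.
USERS = {
    "procurement_specialist": {
        ("Coupa", "approve_requisition"),
        ("SAP S/4HANA", "create_po"),
        ("SAP S/4HANA", "approve_po"),
        ("BlackLine", "edit_reconciliation"),
    },
    "ap_clerk": {("SAP S/4HANA", "create_po"), ("BlackLine", "view_reconciliation")},
}


def entitlement_conflicts(user):
    """Static review: which SoD rules does this user's combined access violate?"""
    held = USERS.get(user, set())
    return sorted(name for name, (a, b) in RULES.items() if a in held and b in held)


@dataclass
class Document:
    """Actions already performed on one business document, e.g. a purchase order."""
    doc_id: str
    history: list = field(default_factory=list)  # entries: (user, system, action)


def check_transaction(doc, user, system, action):
    """Transaction-level gate: refuse the action if the same user already performed
    the other half of any rule on this document, whatever their static entitlements."""
    prior = {(s, a) for (u, s, a) in doc.history if u == user}
    for name, pair in RULES.items():
        if (system, action) in pair:
            other = pair[1] if pair[0] == (system, action) else pair[0]
            if other in prior:
                return (False, name)  # blocked, with the violated rule
    doc.history.append((user, system, action))
    return (True, None)
```

The static review is what a periodic access certification would surface; the transaction gate is the control that stops the Coupa-to-SAP round trip on a specific order even if the entitlements were never cleaned up.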
A phased implementation strategy should be adopted, sequencing automation and modernization work by risk severity to achieve seamless integration and operational resilience.
As organizations modernize their business-critical systems to keep pace with change, it’s essential that security controls keep up. This is particularly important because auditors no longer turn a blind eye to weak internal controls.
Last year, lawmakers criticized the PCAOB for insufficient oversight of auditing firms, which suggests that auditors will increase their scrutiny of organizations. Ensuring comprehensive identity and access governance is not just about regulatory compliance – it is about security and financial integrity.