Enterprise resource planning (ERP) systems are rapidly evolving from traditional on-premises solutions to cloud-based platforms increasingly empowered by artificial intelligence (AI) and reshaping how organizations manage their finance and operations functions. Industry data underscores this evolution: According to Gartner®, “Worldwide end-user spending on public cloud services is forecast to total $723.4 billion in 2025, up from $595.7 billion in 2024.”1
What’s driving this accelerating trend? The advantages of cloud ERP systems are too convincing for C-suite leaders to ignore: enhanced scalability, smarter cost management, effective data integration, remote accessibility, and a steady stream of innovation. Another specific driver? Timing. ERP system vendors plan to phase out on-premises systems as early as 2027, making cloud ERP migration a strategic imperative.
The importance of internal controls
While moving to cloud ERP creates exciting possibilities, it also introduces new complexities in areas such as data security, compliance, and risk management. That’s where internal controls play a major role. With effective governance and modern controls, you can confidently navigate the challenges of cloud ERP, safeguard organizational assets, and lay the groundwork for growth and effectiveness.
CFOs, whether acting as chief risk mitigators, finance transformation leaders, or champions of financial innovation, can recognize the importance of internal controls across many of these domains. A modern, well-designed control environment can reduce risk and enhance value—before, during, and after an ERP system transformation and migration to the cloud. By harnessing automated controls that leverage the ERP system’s built-in capabilities and accelerators like AI, organizations can boost operational efficiency and mitigate risks throughout the ERP implementation life cycle and into future-state processes.
Inadequate controls: Risks and consequences
What happens when internal controls aren’t sufficient during the phases of a cloud ERP migration? Inadequate internal controls can create substantial risk, resulting in serious consequences, such as:
- A higher risk of errors in financial statements, which can result in failed audits, misstatements, and a general loss of trust among stakeholders—investors, customers, and employees.
- Data breaches that expose sensitive financial data or customer information, leading to regulatory penalties and reputational damage.
- Inefficient operational processes, which can result in increased operational costs, reduced productivity, and operational disruptions, such as system outages.
- Compliance failures such as noncompliance with regulations like Sarbanes-Oxley (SOX), the General Data Protection Regulation (GDPR), or other industry-specific standards, which can result in substantial fines, penalties, and even legal actions.
Controls throughout the transformation life cycle—during implementation and beyond
To manage risks throughout a cloud finance transformation, it’s important to integrate internal controls into the finance transformation workstream from the beginning. Embedding modern controls from the outset makes them a core part of the system architecture—rather than an afterthought—across the phases: requirements gathering, design, development, testing, deployment, and maintenance. This proactive strategy helps address increased risks, such as data loss, corruption, and unauthorized access, that can arise in cloud ERP migrations due to greater connectivity and data movement.
After go-live, effective financial and risk management controls are essential in post-implementation operations and should be central to ERP finance transformation efforts. COSO and SOX-compliant financial controls such as segregation of duties and account reconciliation are important on an ongoing basis. Operational controls like change management procedures and system audit processes are just as important. AI and other accelerators can automate and enhance these accounting, financial reporting, and operational control tasks for post-implementation.
The C-suite’s role in ERP control governance
C-suite leaders, especially CFOs and CIOs, are instrumental in the effectiveness of cloud ERP transformations. They are responsible for integrating strong internal controls at each stage of the implementation, working with the board and audit committee to align frameworks with business goals and risk tolerance. This alignment positions controls to support both strategy and risk management.
To build a resilient, future-ready control environment, executives should invest in people, processes, and technology, including advanced accelerators and AI. Ongoing oversight and engagement are vital. Leaders should monitor progress and drive improvement while fostering a culture where AI and human ability complement each other. This approach strengthens controls and helps secure long-term organizational effectiveness.
To learn more
By embracing these principles, along with other leading practices, CFOs can empower cloud ERP initiatives to support organizational goals, provide measurable value, and set a high standard for governance and control. To learn more, read Deloitte’s new guide to ERP internal controls, or contact one of our Audit & Assurance leaders.
Endnotes
1 Gartner, “Gartner forecasts worldwide public cloud end-user spending to total $723 billion in 2025,” November 19, 2024. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
This publication contains general information only, and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional adviser. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (DTTL), a UK private company limited by guarantee, its network of member firms, and their related entities. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States, and their respective affiliates.
Copyright ©2026 Deloitte Development LLC. All rights reserved.