The importance of effective internal controls for cloud digital transformation in financial services

Talking points

• The financial services industry (FSI) is undergoing rapid transformation as organizations modernize their enterprise resource planning (ERP) platforms and migrate to the cloud.
• These finance transformations can expose FSI organizations to heightened risks specific to the cloud environment.
• Embedding effectively designed internal controls, enhanced with artificial intelligence (AI) and accelerators, can mitigate risks before, during, and after cloud migration.

Risk management in the financial services industry has come a long way since the global financial crisis of 2008. In the past decade, advances in ERP system technology have transformed how banks, wealth managers, insurers, and other FSI organizations manage and report financial data—making risk management, oversight, and compliance faster and more reliable.

Ironically, the same technologies that can reduce risk—digital transactions, AI, and cloud computing—can also introduce new and sometimes unforeseen vulnerabilities. With the rapid rise of cloud computing, more FSI organizations are migrating on-premises ERP systems to the cloud.¹ In the process, they may face challenges specific to the cloud and cloud migration process. A recent Forbes survey found that 31% of financial services firms worldwide are concerned about cybersecurity threats from cloud-based sources.²

System security is one reason effectively designed internal controls are taking center stage as key safeguards throughout the cloud migration process. In this blog, we’ll consider how effective internal controls can help FSI firms confidently manage risk at each step of a cloud ERP finance transformation.

Keeping pace with rising FSI industry challenges 

Today’s financial services organizations face increasing pressure to modernize their ERP technology stacks in response to shifting industry demands—including evolving consumer preferences, rapid product innovation using AI and blockchain, and heightened regulatory scrutiny. Banks now accommodate stablecoin payments and deposits, wealth managers use AI for asset management, real estate firms are starting to offer fractional property investments via tokenization, and insurers are leveraging AI for both fraud detection and fee-based risk management.

As regulators work to keep pace with these rapid innovations, FSI businesses should adapt to the rapidly evolving regulatory landscape surrounding new products and increasingly complex financial instruments. At the same time, they still have to comply with long-standing Sarbanes-Oxley (SOX), Basel III, and anti-money laundering/know your client (AML/KYC) regulations, among others. There’s also increasing demand for effective integration of diverse data sources and real-time insights and reporting, greater operational efficiency, and improved risk management to mitigate fraud and reduce errors.

Managing risk with modern internal controls

To meet these rising challenges, FSI organizations are increasingly migrating to cloud ERP platforms for greater performance and agility. However, this shift can bring new complexities and risks specific to cloud environments, especially around system integration, data management, and system security. Up-to-date, effectively designed internal controls can help manage these risks.

Leveraging ERP system accelerator and AI technology to develop intelligent controls boosts efficiency and confidence that risks are addressed. Generative AI, autonomous agents, robotic process automation (RPA), and machine learning can strategically update accounting, IT, governance, and operational controls. Examples include intelligent access and segregation controls, real-time integration monitoring, audit and SOX readiness, machine learning for risk assessment and predictive analytics, and ongoing improvement via AI-driven feedback and insights.

Consequences of inadequate controls

“Lift and shift” cloud migration approaches—or simply migrating existing control procedures to a cloud platform—can result in inadequate controls in the new system due to lack of appropriate cloud considerations. What happens when controls aren’t up to the task? Outdated, manual, or poorly design controls can increase the potential for data loss, corruption, and unauthorized access during cloud migration.

After migration, control gaps can lead to persistent financial reporting and operational risks, such as prolonged close cycles, reconciliation issues, and SOX gaps and deficiencies. The consequences can be severe, ranging from financial misstatements and regulatory penalties to data breaches, intellectual property theft, reputation and brand impact, and eroded stakeholder trust.

ERP governance and control leading practices

Of course, effective cloud ERP internal controls go beyond just leveraging technology like AI. They require careful design and implementation, along with strong governance, including AI governance, while using a trustworthy AI framework. Deloitte’s internal controls and governance framework highlights leading practices for building a modern, compliance-ready controls environment. It includes these steps:

• Proactively design and embed controls early across the transformation workstream.
• Conduct a risk and controls assessment tailored to FSI complexities.
• Prioritize control updates and redesign using a measured, phased approach to avoid “lifting and shifting” outdated controls.
• Facilitate cross-functional collaboration between IT, finance, and compliance teams.
• Integrate AI and automation into control frameworks to reduce manual processes.
• Continually update and test controls as technology and regulations evolve.
• Invest in user training and change management.
  

What role can Deloitte play?

Deloitte’s dedicated Audit & Assurance risk and controls professionals can advise you on how to embed modern, compliance-ready ERP internal controls throughout the design and development of your ERP system. To learn more, read our new article on navigating cloud ERP transformation with strong internal controls. You can also contact your Deloitte representative or reach out to us for more information.

Endnotes

1. Oyku Ilgar, “2025 cloud ERP trends according to industry giants,” Forbes, January 21, 2025.
2. Andrew Beatty, “Cloud computing is a strategy that financial services firms need to get right,” Forbes, March 17, 2025.

The services described herein are illustrative in nature and are intended to demonstrate our experience and capabilities in these areas; however, due to independence restrictions that may apply to audit clients (including affiliates) of Deloitte & Touche LLP, we may be unable to provide certain services based on individual facts and circumstances.

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2026 Deloitte Development LLC. All rights reserved.