Agentic ERP with MCP: KPMG and Microsoft Transform Finance and Audit in Dynamics 365

KPMG’s early-access partnership with Microsoft for the Model Context Protocol (MCP) marks a decisive step toward agentic ERP systems—enterprise resource planning platforms that no longer just record transactions but can access, act, and decide in near real time across finance, procurement, and audit workflows.

Background / Overview​

Enterprises have long treated ERPs as ledger systems: durable stores of truth that require human prompts to move work forward. That model is changing as Microsoft and strategic partners like KPMG introduce technologies that embed intelligent agents directly into Dynamics 365 Finance and other Microsoft surfaces. The thrust is straightforward: combine Copilot Studio, the Model Context Protocol (MCP), and Azure-hosted agent runtimes (for example, Azure AI Foundry) to let agents query ERP data, call discrete business actions (tool calls), and surface or execute human-approved changes inside Teams, Excel, and Dynamics.
KPMG is one of seven global alliances chosen for early access to MCP for Dynamics 365 Finance and Operations, and is positioning that access to reimagine audit and finance operations—turning KPMG Clara and other delivery platforms into a playground for agentic automation that tightly couples audit workflows with ERP data and external signals.

---

What is the Model Context Protocol (MCP)?​

MCP is a protocol-first approach to tool and data integration for agents. Instead of brittle point‑to‑point connectors or ad-hoc prompt engineering, MCP defines structured tool interfaces, capability manifests, and security contracts that agents (and other agents) can discover and call deterministically. The protocol standardizes accepted inputs/outputs, credentials, and schema-based contracts so an agent can, for example, ask a GRNI (Goods Received Not Invoiced) tool to query unmatched receipts, enrich results with contextual fields, and request a human-in-the-loop update action.
Key operational primitives MCP brings to the enterprise:

• Tool discovery: Agents can locate published capabilities rather than hard‑coded endpoints.
• Structured tool calls: Deterministic API-like invocations rather than free-form LLM prompts.
• Identity and least‑privilege: Entra-backed agent identities and short-lived credentials for tool access.
• Auditable traces: OpenTelemetry-style tracing and logs for every agent action.

These primitives aim to make agent actions both repeatable and verifiable—requirements for regulated finance and audit operations.

---

KPMG’s MCP Use Cases: From GRNI Chasers to Supplier Risk​

KPMG’s early MCP pilots are pragmatic and domain-focused: short, high-frequency tasks where the combination of ERP context and agent automation delivers immediate ROI.

GRNI Chaser — closing the working-capital gap​

The GRNI Chaser exemplifies a simple-yet-powerful pattern. The agent periodically queries Dynamics 365 (or Dataverse) for unmatched receipt records that exceed defined SLAs, enriches each record with PO, supplier, and receipt metadata, and then triggers an outreach into Microsoft Teams asking the responsible owner for confirmation or correction. User responses update the ERP (or spawn an AP case) and every step is logged for auditability. The result: faster invoice matching, shorter days-to-match, and reduced manual follow‑up volume. Early pilots report transitions from multi-day reconciliation cycles to near‑hourly exception triage—though results depend heavily on master-data hygiene and connector reliability.
Practical dependencies and caveats:

• Master-data quality (supplier IDs, PO consistency) must be improved for meaningful automation.
• Robust, low-latency ERP connectors and deterministic mappings are essential.
• Human approvals remain the gate for financial write-backs to maintain control.

Supplier Performance Insight — blending ERP telemetry with external intelligence​

Another KPMG pattern enriches ERP-derived supplier metrics with external feeds—financial filings, credit indicators, sanctions lists, and news sentiment—to compute a supplier reliability score and surface prioritized alerts. The agent can suggest mitigations (alternative sourcing, payment holds) and produce rationale narratives linking recommendations to specific evidence items—an essential ingredient to reduce hallucination risk and facilitate decision-making in procurement committees.
Operational limits:

• Mapping external identifiers to ERP supplier master data and licensing third‑party data are recurring practical constraints.
• External feed fidelity determines the signal-to-noise ratio of alerts; governance is needed for data sourcing decisions.

Audit automation inside KPMG Clara — full-population analysis and evidence packaging​

KPMG’s vision for KPMG Clara AI is to move audit procedures from statistical sampling toward whole-dataset analysis. Agents can execute structured procedures—searching for anomalies, vouching expenses, building workpapers, and drafting disclosure checklists—while preserving provenance and creating reusable evidence packages for reviewers and regulators. The technical stack KPMG cites includes .NET 8, Azure App Service, Cosmos DB for state and memory, and Azure AI Foundry for agent model hosting and lifecycle controls.
What KPMG emphasizes:

• Whole-dataset analysis to reduce missed anomalies.
• Agentic substantive procedures that prepare, not replace, auditor judgment.
• Immutable logs and observability for compliance and traceability.

---

Technical Architecture: How these agents are built and governed​

KPMG’s and Microsoft’s published design patterns converge on a consistent architecture: Copilot Studio for authoring, MCP for tooling and integration, Azure AI Foundry as a managed runtime, and enterprise primitives—Entra, Purview, and OpenTelemetry—for identity, governance, and observability.
A canonical stack:

• Authoring: Copilot Studio (prompt-first dev flows, Agent Builder, model selection).
• Protocol & tooling: Model Context Protocol (MCP) for tool manifests and Agent Framework for SDKs (.NET and Python).
• Runtime hosting: Azure AI Foundry (model catalog, evaluation pipelines, telemetry, and runtime protections).
• Data foundation: Dataverse / Microsoft Fabric / OneLake or direct ERP connectors supplying governed facts.
• Identity & governance: Microsoft Entra (agent identities), Microsoft Purview (data controls), and Copilot Control System for tenant policies.
• Observability: OpenTelemetry-style tracing and per-action audit logs.

Notable engineering choices KPMG cites:

• Use of Azure Cosmos DB as a backing store for chat histories, session state, and agent memory to support regional redundancy and multi-region replication at scale.
• A .NET-first approach that keeps enterprise .NET teams inside their native toolchains while still supporting Python where appropriate.

---

Strengths: why this matters for finance and audit operations​

KPMG and Microsoft’s MCP-driven approach addresses several perennial enterprise problems.

• Scale and repeatability: Once an MCP server (or catalog) is established, many agents can reuse the same connectors and tool definitions, reducing one-off integration costs and accelerating pilot-to-production cycles.
• Operational observability: Standardized agent traces and OpenTelemetry integration produce auditable evidence for regulatory review and security investigations.
• Lower barrier to building agents: Copilot Studio’s prompt-first and IDE integrations allow domain teams to prototype and iterate quickly without full software rewrites, improving developer velocity.
• Productivity uplift: Automating repetitive tasks—GRNI follow-ups, bank reconciliations, variance narratives—frees finance professionals to focus on higher-value analysis and decision support.
• Governance primitives baked into platform: Entra-backed agent identities, PII filters, prompt shields, and task-adherence controls provide an initial safety scaffold for regulated enterprises.

Collectively, these capabilities represent a material change in how record-to-report (R2R) and audit workflows can be executed at scale.

---

Risks, gaps, and the governance reality​

Agentic ERP is powerful, but it introduces new failure modes that organizations must manage deliberately.

Model risk and hallucinations​

Large language models can generate plausible but incorrect outputs. When an agent proposes a journal entry or a putative supplier action, human sign-off and corroboration against source data must remain mandatory. Several advisory notes emphasize the necessity of review workflows and measurable quality gates (human edit rates, hallucination incidence).

Data exposure and compliance​

Agents that reach into payroll, supplier, and customer records increase the attack surface. MCP’s identity and token model helps, but misconfiguration can allow over-privileged agents or unintended data flows. Best practice: adopt ephemeral credentials, tenant-level DLP policies, and strict Purview classification before enabling write-back capabilities.

Operational complexity and agent sprawl​

Introducing many agent identities, MCP connectors, and third‑party tools expands operational surface area. Without tight lifecycle management and cost controls, organizations can experience agent sprawl—too many small automations with little monitoring. Staffing a Copilot Center of Excellence and enforcing CI/CD for agents significantly reduces that risk.

Vendor claims and unverifiable metrics​

Some platform-level claims—such as large adoption numbers for Azure AI Foundry—are directional and require independent validation before being treated as procurement-level guarantees. Enterprises should insist on concrete SLAs, third‑party audit reports, and customer references when evaluating vendor promises.

Regulatory and audit scrutiny​

Regulators are already asking whether AI-driven audit tools measurably improve audit quality or merely accelerate existing workflows. Organizations should design pilot measurement frameworks to prove improvements in accuracy, not just speed, and preserve traceability for regulatory review.

---

Practical rollout playbook: how to deploy MCP-driven agents safely​

KPMG and Microsoft material converges into a pragmatic phased approach that enterprises can adopt.

• Start small and measurable.
• Pilot a single, high-frequency use case (e.g., GRNI Chaser) in one tenant or business unit.
• Define KPIs: time-to-match, human edit rate, exception backlog reduction.
• Harden master data and connectors.
• Clean supplier and PO masters; validate connector latency and mapping fidelity.
• Pair automation with a master-data remediation program.
• Build governance-in-the-loop.
• Configure Entra agent identities, Purview classifications, and Copilot Control System policies.
• Require explicit human approvals before any financial write-back.
• Instrument and observe.
• Use OpenTelemetry traces, structured logs, and per-action audit trails to monitor agent behavior and feed quality metrics into monthly governance reviews.
• Establish a Copilot Center of Excellence.
• Centralize prompt templates, MCP catalogs, and staging/production environments.
• Maintain CI/CD pipelines for agent updates and evaluation suites for hallucination and task adherence.
• Vendor and partner due diligence.
• For third-party MCP agents and connectors, require vendor certification, security testing, and lifecycle support commitments before production deployment.

Following these steps reduces the likelihood that automation introduces systemic control failures while preserving the productivity upside.

---

Strategic implications for CIOs and CFOs​

For CIOs, MCP and agent frameworks reframe integration work: instead of bespoke connectors for each new model, a centralized MCP catalog and agent lifecycle pipeline create reusable, secure tool definitions. That reduces engineering duplication and shortens time-to-value for new agent features.
For CFOs, the promise is improved working-capital visibility, faster close cycles, and higher-quality variance narratives. However, CFOs must also demand rigorous measurement of audit quality and leave in‑place manual review gates for financial postings to avoid compliance regressions.
For audit leaders, the new paradigm introduces both opportunity and scrutiny: agents can improve coverage and documentation, but audit quality must be proven empirically and regulators kept informed about algorithmic decision points and traceability.

---

Critical assessment — strengths and potential blind spots​

Strengths worth noting:

• Interoperability-first design (MCP, A2A) reduces vendor lock-in and allows mixed-model strategies.
• Enterprise-grade controls embedded in the stack (identity, telemetry, approvals) make regulated workloads feasible.
• Developer productivity improvements lower the cost of experimentation through prompt-first tooling and IDE integrations.

Potential blind spots:

• Protocol and preview maturity — MCP and several agent lifecycle features are still in early availability or preview in many accounts; production readiness varies by region and tenant. Treat previews as experimentation platforms, not GA-level services.
• Over-reliance on model routing for cost control — multi-model orchestration can shift billing dynamics unpredictably; cost governance is essential.
• Governance is necessary but not sufficient — platform primitives exist, but organizational processes (periodic audits of agent privileges, change management and staff training) will determine real-world safety.

Where claims require cautionary framing:

• Vendor statements about adoption scale or speed-of-value should be validated locally via pilot KPIs and independent assessments. Public adoption numbers are useful signals but not substitutes for SLA-backed procurement terms.

---

Conclusion​

KPMG’s early work with Microsoft on MCP for Dynamics 365 Finance and Operations signals a practical move from conceptual AI assistants to operational agents embedded in ERP and audit workflows. The combination of Copilot Studio, MCP, Azure AI Foundry, and enterprise governance primitives creates a realistic path for automating routine finance and audit tasks while preserving oversight and traceability.
The business case is strong for repeatable, high-volume processes like GRNI chasing, supplier risk scoring, and reconciliation — but success depends on disciplined program management: master-data remediation, staged pilots, clear human-in-the-loop gates, and relentless measurement of not just speed but quality. Organizations that pair KPMG-style domain expertise with Microsoft’s platform plumbing can materially accelerate digital transformation—provided they treat governance and measurable auditability as first-class citizens rather than afterthoughts.
In short: MCP and agentic ERP are no longer science fiction. They are a pragmatic engineering and governance challenge that, when handled with discipline, can deliver measurable operational gains—while demanding new organizational practices to keep accuracy, compliance, and control intact.

---

Source: KPMG KPMG Microsoft Alliance – MCP Use Cases