Teams should govern IT application controls as living controls, not static documentation. That means maintaining a current inventory, testing after every relevant change, and tying control ownership to access and change governance. If the control cannot be shown to execute correctly in production, it should not be treated as reliable assurance.
Why This Matters for Security Teams
ERP and SaaS controls often look strong on paper because they are documented in policies, spreadsheets, or audit narratives. The real risk is that application controls drift as configurations change, integrations expand, and owners rotate. NHI Mgmt Group’s Ultimate Guide to NHIs shows how quickly control exposure accumulates when identities, secrets, and access paths are not continuously governed, and the same pattern applies to application control assurance.
For security teams, the important issue is not whether a control exists, but whether it still operates as intended after patching, role redesign, workflow changes, or a new SaaS connector. The NIST Cybersecurity Framework 2.0 supports this operational view by tying governance to continuous monitoring and risk response rather than one-time documentation. In practice, control failures in ERP and SaaS are often discovered only when auditors ask for evidence or when an exception is triggered during an incident, rather than through disciplined control testing.
How It Works in Practice
Teams should treat each application control as a living safeguard with an owner, a test method, a test frequency, and a change trigger. That means the control inventory should identify where the control runs, what business process it protects, which system owner approves changes, and what evidence proves it executed correctly. For ERP, this often includes segregation of duties, approval workflows, posting controls, master data change controls, and interface monitoring. For SaaS, it usually includes role design, conditional access, admin activity logging, token governance, and integration permissions.
A practical operating model usually includes three layers:
-
Control design review to confirm the logic still matches the business process.
-
Control operating effectiveness testing after material changes, not only on a calendar cycle.
-
Change governance that forces revalidation when roles, integrations, or business rules shift.
Because ERP and SaaS environments are highly interconnected, control assurance also depends on identity and secret hygiene. The NHI Mgmt Group notes that Top 10 NHI Issues include excessive privilege, secret exposure, and weak lifecycle controls, which directly affect whether automated controls can be trusted. Where controls rely on service accounts, API keys, or integration users, teams should confirm the credential lifecycle is aligned to change cadence and offboarding. That evidence should be tied back to audit-ready artefacts, not informal screenshots or stale policy text. If the control cannot be demonstrated in the production path, it should be treated as a gap, not a control. These controls tend to break down when ERP customisations and SaaS integrations are changed outside formal release governance because the control logic and evidence trail diverge.
Common Variations and Edge Cases
Tighter control governance often increases operational overhead, so organisations have to balance assurance value against the cost of frequent retesting and evidence collection. That tradeoff is especially visible in large ERP estates, where one workflow change can affect multiple downstream controls, and in SaaS portfolios where vendor-managed updates can alter behaviour without a traditional release window.
Current guidance suggests a risk-based approach rather than identical testing for every control. High-impact controls, such as financial posting approvals or privileged admin access, should be retested after any relevant configuration or role change. Lower-risk monitoring controls may be sampled on a scheduled basis if the underlying environment is stable. For complex estates, the strongest practice is to map application controls to the actual change triggers that can invalidate them, then require re-approval and retesting when those triggers occur. The Lifecycle Processes for Managing NHIs perspective is useful here because many ERP and SaaS controls depend on the same identity lifecycle discipline as machine accounts and service integrations. Where third-party administrators, outsourced finance operations, or vendor-managed SaaS features are involved, there is no universal standard for this yet, so teams should document compensating controls and explicit ownership. The strongest programs also align control evidence with audit and regulatory expectations, as described in the Regulatory and Audit Perspectives guidance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-01 | Application controls need clear business ownership and operational context. |
| NIST CSF 2.0 | DE.CM-01 | Controls must be monitored continuously after changes to remain trustworthy. |
| OWASP Non-Human Identity Top 10 | NHI-03 | ERP and SaaS controls often depend on service accounts, tokens, and other NHI lifecycles. |
Assign each ERP and SaaS control a named owner and verify it still matches current business process.
Related resources from NHI Mgmt Group
- How should security teams govern non-human identities in cloud environments?
- How should security teams implement PBAC in ERP and SaaS applications?
- How should security teams govern cryptographic assets across cloud and DevOps environments?
- How should security teams prioritise NHI remediation in cloud environments?
