By NHI Mgmt Group Editorial Team | Published 2026-03-18 | Domain: Governance & Risk | Source: SafePaaS

TL;DR: Internal audit in SOX-scoped, multi-ERP environments is shifting from periodic sampling to continuous assurance, with SafePaaS positioning control telemetry, automated testing, and evidence capture across planning, fieldwork, reporting, and follow-up. The governance shift is real: audit programmes now depend on live control data, not assumptions, to keep pace with change.


At a glance

What this is: An internal audit and control automation analysis showing how multi-ERP assurance is moving from periodic testing to continuous, data-driven monitoring.

Why it matters: IAM, IGA, PAM, and access governance teams increasingly supply the control evidence that audit relies on, so weak identity telemetry is now an assurance problem as well as an operational one.



Context

Internal audit in a multi-ERP environment depends on whether the organisation can turn access, configuration, and change data into defensible evidence. When control testing still relies on sample-based review and spreadsheets, auditors see only fragments of the actual risk surface, especially across Oracle, SAP, Workday, and connected SaaS systems.

The governance issue is broader than internal audit alone. Identity, access, and control teams increasingly feed the same evidence layer, so gaps in privileged access, segregation of duties, orphan accounts, and configuration change tracking affect audit quality, compliance readiness, and operational resilience at the same time. That is typical of mature ERP estates, not an edge case.

The article frames SafePaaS as an automation layer for the audit lifecycle, but the deeper point is that assurance is becoming continuous. That changes what practitioners must be able to prove, not just what they can review after the fact.


Key questions

Q: How should internal audit teams reduce reliance on manual sampling in multi-ERP environments?

A: They should shift as many controls as possible to population-based testing, especially access, segregation of duties, and configuration controls that can be validated from system data. Manual sampling should be reserved for judgement-heavy areas. The goal is to make the audit programme executable against live evidence, not merely documented after the fact.

Q: Why do access and entitlement issues matter to internal audit, not just IAM teams?

A: Because access data is often the evidence behind control effectiveness. If privileged roles, orphan accounts, or SoD conflicts are not visible across systems, audit cannot reliably determine whether controls are operating as designed. Weak identity governance becomes an assurance failure, not only an access management problem.

Q: What breaks when audit evidence is still assembled manually after control execution?

A: The evidence trail becomes incomplete, late, and hard to reproduce. Manual screenshots and spreadsheets may support a point-in-time review, but they do not prove continuous control operation across a distributed ERP estate. That creates gaps in traceability, repeatability, and confidence in the final audit conclusion.

Q: How should organisations use continuous monitoring without turning audit into operations?

A: They should separate control ownership from assurance ownership, while sharing the same evidence layer. Operations should remediate and maintain controls, while audit validates the logic, exceptions, and re-test results. Continuous monitoring works best when it improves oversight without making audit the day-to-day control owner.


Technical breakdown

Audit universe mapping and risk-based scoping in multi-ERP estates

A defensible audit plan starts with the audit universe, then maps systems, processes, and control objectives to a risk taxonomy. In multi-ERP environments, that means linking entities and applications to domains such as financial reporting, fraud, cyber, and operational risk, then scoping at the control-objective level for access, change, and operations. The technical value comes from making the audit programme executable, reusable, and tied to real system data rather than generic workpapers. Control telemetry such as privileged access concentrations and SoD conflicts sharpens where assurance effort should go.

Practical implication: auditors should scope from live control data, not static templates, before fieldwork begins.

Continuous ITGC testing and system-generated evidence

Traditional fieldwork samples a narrow slice of transactions, approvals, or access changes. Automated testing changes that model by checking full populations, validating control conditions continuously, and attaching system-generated evidence such as approvals, configuration exports, and access records to each test. In ERP environments, that matters because SoD logic and entitlement patterns change faster than manual audit cycles can follow. The strongest audit evidence is no longer a screenshot collected after the fact; it is a time-stamped control event that can be traced back to the exact rule, user, or transaction.

Practical implication: replace sample-heavy tests with continuous checks wherever the control is machine-verifiable.
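A minimal population-based SoD and orphan-account test, added here as an illustration (not SafePaaS's code): the entitlement export, rule set and field names are constructed assumptions. It evaluates every row across systems rather than a sample, and emits a time-stamped record hashed to the exact population tested, so the same test can be re-performed at follow-up.

```python
"""Population-based SoD and orphan-account test emitting time-stamped evidence.
Illustrative code; the data, rule set and field names are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timezone
import hashlib
import json

# Constructed entitlement export: one row per (system, user, role), as a
# connector might pull from each ERP. 'active' stands in for the HR/IdP
# status that tells an orphan account apart from a current one.
ENTITLEMENTS = [
    {"system": "oracle",  "user": "jdoe",    "role": "AP_INVOICE_ENTRY",    "active": True},
    {"system": "oracle",  "user": "jdoe",    "role": "AP_PAYMENT_RELEASE",  "active": True},
    {"system": "sap",     "user": "asmith",  "role": "VENDOR_MASTER_MAINT", "active": True},
    {"system": "oracle",  "user": "asmith",  "role": "AP_PAYMENT_RELEASE",  "active": True},
    {"system": "workday", "user": "x-tmp01", "role": "PAYROLL_ADMIN",       "active": False},
]
# Constructed SoD rule set: each rule names two roles one identity must not
# hold at the same time, regardless of which system grants them.
SOD_RULES = {
    "SOD-01": ("AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"),
    "SOD-02": ("VENDOR_MASTER_MAINT", "AP_PAYMENT_RELEASE"),
}


def evaluate(entitlements, rules, tested_at=None):
    """Test the whole population and return one evidence record."""
    tested_at = tested_at or datetime.now(timezone.utc)
    held = defaultdict(set)                      # user -> {(system, role)}
    for row in entitlements:
        held[row["user"]].add((row["system"], row["role"]))
    findings = []
    for user, grants in sorted(held.items()):
        roles = {r for _, r in grants}
        for rule_id, (a, b) in rules.items():    # a conflict may span systems
            if a in roles and b in roles:
                findings.append({"test": rule_id, "user": user, "roles": [a, b],
                                 "systems": sorted({s for s, r in grants if r in (a, b)})})
    for user in sorted({row["user"] for row in entitlements if not row["active"]}):
        findings.append({"test": "ORPHAN", "user": user,
                         "roles": sorted(r for _, r in held[user]),
                         "systems": sorted(s for s, _ in held[user])})
    # Hash the exact population tested so the result can be re-performed
    # later against the same input and compared like-for-like.
    digest = hashlib.sha256(json.dumps(entitlements, sort_keys=True).encode()).hexdigest()
    return {"tested_at": tested_at.isoformat(), "population_sha256": digest,
            "rows": len(entitlements), "identities": len(held), "findings": findings}
```

The asmith conflict only appears because Oracle and SAP grants are joined per identity before the rules run; a per-system check would certify each system clean and miss it.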

From exceptions to continuous assurance dashboards

Analysis and reporting now depend on aggregation, trend detection, and remediation tracking across systems and business units. Heatmaps, open-issue trends, and linked action plans let internal audit distinguish isolated exceptions from structural weaknesses such as over-privilege, fragmented ownership, or weak change governance. When the evidence layer is integrated across ERP and ticketing tools, auditors can see whether a remediation action actually changed control performance over time. This is where audit becomes a governance function, not just a retrospective report.

Practical implication: build reporting around recurring control patterns and remediation outcomes, not one-off exceptions.


NHI Mgmt Group analysis

Continuous assurance is really an identity evidence problem. When audit moves from periodic sampling to live monitoring, the limiting factor becomes whether access, role, and change data is complete enough to support defensible conclusions. That makes identity telemetry part of audit infrastructure, not just security operations. Practitioners should treat evidence quality as a first-class control.

Multi-ERP environments expose control fragmentation faster than traditional audit cycles can absorb it. Oracle, SAP, Workday, and SaaS applications rarely share the same entitlement model, so segregation of duties, emergency access, and configuration changes drift apart. The result is not just more findings, but less confidence that findings reflect the real population. Internal audit teams need a cross-system control view, or they end up certifying fragments.

System-generated evidence changes the governance standard for assurance. Once control execution, approval, and remediation are captured automatically, manual screenshots and spreadsheet trails look increasingly like compensating artefacts for weak instrumentation. That does not eliminate auditor judgement, but it shifts the burden toward validating control logic and exception handling. The practitioner conclusion is clear: if the evidence layer is weak, the assurance opinion is weak.

Continuous monitoring makes follow-up part of the control design, not the closeout step. The article’s five-stage model shows that remediation only matters if the organisation can re-test the control in the same environment where the issue occurred. That requires shared ownership between audit, IT, and business control owners. Practitioners should rework follow-up so the monitoring loop is built into operations rather than deferred to the next audit cycle.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, 38% have no or low visibility, and a further 47% have only partial visibility, according to The State of Non-Human Identity Security.
  • Visibility is not just an access problem. The same research found that only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
  • That confidence gap is why practitioners should pair audit automation with lifecycle governance, using the NHI Lifecycle Management Guide, and with control validation across entitlement sources.

What this signals

Control evidence is becoming an identity governance dependency. As audit teams move toward continuous assurance, the quality of access and entitlement data begins to shape the quality of the audit opinion itself. For identity programmes, that means poor visibility is no longer just a security hygiene issue; it is a reporting risk that can undermine SOX confidence across ERP estates.

Evidence debt: the gap between what a control did and what the organisation can prove it did. In multi-ERP programmes, that debt accumulates when access approvals, SoD checks, and remediation events are not captured in a shared evidence layer. Teams that want durable assurance should align audit telemetry with the NIST Cybersecurity Framework 2.0 and identity controls that can be re-tested automatically.

The practical signal for practitioners is straightforward: if a control cannot produce time-stamped evidence on demand, it will be difficult to defend in a continuous assurance model. Teams should prepare for more demand on entitlement completeness, workflow traceability, and remediation proof across both human and non-human identities.


For practitioners

  • Map the audit universe to live control data: Tie systems, entities, and processes to risk objectives before building the audit plan. Use current privileged access, SoD conflicts, and configuration change data to determine where assurance effort belongs.
  • Replace sample-heavy tests with population-based checks: Use automated testing for controls that are machine-verifiable, such as access segregation and change approvals. Reserve manual testing for areas where judgement or context cannot be encoded cleanly.
  • Standardise time-stamped evidence capture: Store approvals, entitlement exports, exception records, and remediation evidence in a shared repository that can be traced back to each test step. This reduces dependence on ad hoc screenshots and spreadsheet chains.
  • Build continuous follow-up into the control lifecycle: Link action plans to re-performance checks and recurring monitoring rules so remediation is validated in the same ERP or cloud environment where the issue was found.

Key takeaways

  • Multi-ERP audit quality now depends on whether access, change, and exception data can be turned into defensible evidence at scale.
  • Automated testing improves assurance only when the underlying control logic and evidence capture are complete across every relevant system.
  • Practitioners should treat continuous monitoring as part of the control lifecycle, not as a reporting overlay added after remediation.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | GV.RM-01 | Risk-based planning and continuous assurance align with governance of control evidence.
NIST CSF 2.0 | PR.AC-4 | Access governance and segregation of duties are central to audit evidence quality.
OWASP Non-Human Identity Top 10 | NHI-03 | Orphan accounts and over-privilege are direct sources of audit exceptions in ERP estates.

Map privileged access and SoD controls to access governance checks that can be re-tested.


Key terms

  • Continuous assurance: Continuous assurance is an audit model that uses live control data, automated testing, and recurring monitoring instead of relying mainly on periodic samples. In practice, it requires systems to generate time-stamped evidence that can be traced back to control logic, exceptions, and remediation actions.
  • Segregation of duties: Segregation of duties is a control principle that prevents one identity from holding combinations of access or authority that create fraud or error risk. In ERP environments, it is usually enforced through role design, rule sets, and exception monitoring across finance, operations, and IT controls.
  • System-generated evidence: System-generated evidence is audit evidence created directly by the underlying platform rather than assembled manually after the fact. It includes approvals, entitlement records, configuration changes, and exception logs, and it is more reliable when the control must be re-tested across time or at scale.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by SafePaaS: internal audit in a SOX-scoped, multi-ERP environment. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org