TL;DR: ERP and financial application security gaps can let fraud slip through internal controls. Delinea, citing ACFE, puts the cost at around 5% of revenue lost to fraud each year, with more than half of occupational fraud cases tracing back to missing or overridden controls. The underlying problem is not perimeter defense but weak application access governance that leaves business-critical access overprovisioned, unreviewed, and misaligned with how work is actually done.
NHIMG editorial — based on content published by Delinea: Top 10 business application security mistakes
Questions worth separating out
Q: How should teams reduce fraud risk in ERP and financial applications?
A: Start with role design, not monitoring.
Q: Why do overprovisioned business application roles create audit problems?
A: Because they blur the line between technical access and approved business authority.
Q: How do security teams know if business application controls are working?
A: Look for three signals: fewer standing exceptions, cleaner SoD outcomes after role combination tests, and access review results that consistently remove unused permissions.
Practitioner guidance
- Rebuild high-risk roles around least privilege: review ERP and financial application roles for create, approve, and modify combinations that violate segregation of duties.
- Tie access reviews to business events: run periodic user access reviews after role changes, contractor exits, and major process changes so temporary access does not become permanent.
- Test security the same way you test functionality: validate each role in isolation, then test combined roles for SoD conflicts and licensing impact before production deployment.
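The three steps above, worked through as an added example (this is not code from Delinea's post or from any ERP vendor). The roles, the (object, action) permission pairs and the SoD rules are constructed for illustration; a real deployment would load them from the application's role definitions and the organisation's own control matrix.

```python
"""Segregation-of-duties (SoD) check over ERP role combinations.

Constructed example: role and rule definitions are illustrative only,
not any vendor's actual ERP role model.
"""
from itertools import combinations

# Permissions are (object, action) pairs, e.g. ("invoice", "create").
ROLES = {
    "ap_clerk":     {("invoice", "create"), ("invoice", "modify")},
    "ap_approver":  {("invoice", "approve")},
    "vendor_admin": {("vendor", "create"), ("vendor", "modify")},
    "reporting":    {("ledger", "read")},
}

# SoD rules: sets of permissions that must never be held by one person.
SOD_RULES = {
    "create-and-approve-invoice": {("invoice", "create"), ("invoice", "approve")},
    "modify-and-approve-invoice": {("invoice", "modify"), ("invoice", "approve")},
    "create-vendor-and-approve-invoice": {("vendor", "create"), ("invoice", "approve")},
}

def effective_permissions(role_names):
    """Union of permissions granted by a set of assigned roles."""
    perms = set()
    for name in role_names:
        perms |= ROLES[name]
    return perms

def sod_violations(role_names):
    """Names of SoD rules whose toxic set is fully covered by the combined roles."""
    perms = effective_permissions(role_names)
    return sorted(rule for rule, toxic in SOD_RULES.items() if toxic <= perms)

def roles_in_isolation():
    """Step 1: check every role on its own (all should come back clean)."""
    return {name: sod_violations([name]) for name in ROLES}

def toxic_combinations(max_size=2):
    """Step 2: role combinations that are clean alone but conflict together."""
    found = {}
    for k in range(2, max_size + 1):
        for combo in combinations(sorted(ROLES), k):
            violations = sod_violations(combo)
            if violations:
                found[combo] = violations
    return found

def unused_permissions(assigned_roles, exercised):
    """Step 3: held-but-unused permissions, the candidates an access review removes."""
    return sorted(effective_permissions(assigned_roles) - set(exercised))
```

The `toxic_combinations` result is what a pre-production role test should surface before a combined role or a multi-role user assignment goes live.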
What's in the full article
Delinea's full blog covers the operational detail this post intentionally leaves for the source:
- A breakdown of each of the ten application security mistakes and the specific control gap behind it
- Practical examples from ERP and financial application environments, including security design and review patterns
- Discussion of telemetry-driven access analysis and how role changes affect licensing exposure
- Guidance on where built-in application controls can replace custom workarounds
👉 Read Delinea's analysis of the top 10 business application security mistakes →
Business app security mistakes: what IAM teams need to fix now?
Explore further
Application access governance is the missing control layer in many financial systems. Organisations often overinvest in perimeter controls while leaving ERP and line-of-business access to ad hoc administration. That creates a gap between who can technically log in and who should be allowed to create, approve, or change financial records. The practical conclusion is straightforward: governance has to extend into business applications, not stop at the network edge.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: Who should own application access governance in finance systems?
A: Ownership should be shared. IT enforces the configuration, but business application owners decide what access is functionally necessary and managers validate whether it is still appropriate. Security teams should own the governance model and escalation path, because finance systems create control, fraud, and compliance exposure that no single function can manage well alone.
👉 Read our full editorial: Business application access governance gaps are driving hidden fraud risk