TL;DR: IT Application Controls, or ITACs, are automated checks inside ERP and business applications that keep transactions complete, accurate, and authorized, and the article argues they matter most when continuous monitoring replaces annual evidence gathering. The real issue is control drift, because static design assumptions fail once configurations, roles, and releases keep changing.
NHIMG editorial — based on content published by SafePaaS: IT application controls and continuous assurance in ERP and SaaS environments
Questions worth separating out
Q: How should teams govern IT application controls in ERP and SaaS environments?
A: Teams should govern IT application controls as living controls, not static documentation.
Q: Why do IT application controls fail even when IT general controls look strong?
A: IT application controls can fail because the business rule inside the application has drifted, even while access, change, and operations controls around it remain acceptable.
Q: What signals show that IT application controls are drifting out of date?
A: The clearest signals are repeated exceptions, controls that no longer match current workflows, and evidence packs that require manual reconstruction every audit cycle.
Practitioner guidance
- Inventory every in-scope IT application control Create a single control register that links each ITAC to the process, risk, system owner, and evidence source.
- Test the control path after each change Validate the rule, approval path, and exception behaviour whenever a configuration, role, or custom code change touches an in-scope application.
- Replace annual evidence gathering with monitoring Track whether controls ran, what exceptions occurred, and whether the same exceptions recur across periods.
What's in the full article
SafePaaS's full article covers the operational detail this post intentionally leaves for the source:
- How the platform maps specific IT Application Controls to Oracle, SAP, and other ERP processes.
- How automated testing is configured to validate key control behaviour and exception handling.
- How change and transaction monitoring are structured to detect control drift in production.
- How audit, risk, and IT teams can maintain a shared control inventory over time.
👉 Read SafePaaS's analysis of IT application controls and continuous assurance →
IT application controls in ERP and SaaS: are your controls keeping up?
Explore further
IT application controls are now a governance problem, not just an audit design problem. The article correctly frames ITAC as a control layer that depends on stable configuration, reliable approvals, and consistent operating evidence. That makes it inseparable from access governance and lifecycle discipline, because the control only works if the people and systems that can change it are themselves controlled. Practitioners should treat ITAC as part of the identity and governance stack, not as a finance-only mechanism.
A few things that frame the scale:
- Companies are dedicating an average of 32.4% of their security budgets to secrets management and code security, according to The State of Secrets in AppSec.
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
A question worth separating out:
Q: Who is accountable when a broken application control affects financial reporting?
A: Accountability sits with the business owner of the process, the IT owner of the application, and the control owner responsible for design and monitoring. Regulators and auditors expect those responsibilities to be explicit, because a control failure is a governance failure even when the underlying system still runs.
👉 Read our full editorial: IT application controls are shifting from audit evidence to continuous assurance