IT application controls in ERP and SaaS: are your controls keeping up?


(@nhi-mgmt-group)

TL;DR: IT Application Controls, or ITACs, are automated checks inside ERP and business applications that keep transactions complete, accurate, and authorized, and the article argues they matter most when continuous monitoring replaces annual evidence gathering. The real issue is control drift, because static design assumptions fail once configurations, roles, and releases keep changing.

NHIMG editorial — based on content published by SafePaaS: IT application controls and continuous assurance in ERP and SaaS environments

Questions worth separating out

Q: How should teams govern IT application controls in ERP and SaaS environments?

A: Teams should govern IT application controls as living controls, not static documentation.

Q: Why do IT application controls fail even when IT general controls look strong?

A: IT application controls can fail because the business rule inside the application has drifted, even while access, change, and operations controls around it remain acceptable.

Q: What signals show that IT application controls are drifting out of date?

A: The clearest signals are repeated exceptions, controls that no longer match current workflows, and evidence packs that require manual reconstruction every audit cycle.

Practitioner guidance

  • Inventory every in-scope IT application control: Create a single control register that links each ITAC to the process, risk, system owner, and evidence source.
  • Test the control path after each change: Validate the rule, approval path, and exception behaviour whenever a configuration, role, or custom code change touches an in-scope application.
  • Replace annual evidence gathering with monitoring: Track whether controls ran, what exceptions occurred, and whether the same exceptions recur across periods.

What's in the full article

SafePaaS's full article covers the operational detail this post intentionally leaves for the source:

  • How the platform maps specific IT Application Controls to Oracle, SAP, and other ERP processes.
  • How automated testing is configured to validate key control behaviour and exception handling.
  • How change and transaction monitoring are structured to detect control drift in production.
  • How audit, risk, and IT teams can maintain a shared control inventory over time.

👉 Read SafePaaS's analysis of IT application controls and continuous assurance →
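The three practitioner guidance items above, combined into one drift check. This is an added example, not code from SafePaaS or from the original post; the control IDs, field names, change events and run records are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data; control IDs, names and field names are hypothetical.
REGISTER = {  # one row per ITAC: process, risk, owner, evidence source, last test
    "ITAC-001": {"process": "Procure-to-Pay", "risk": "Payment without three-way match",
                 "owner": "ap-lead", "evidence": "match_log", "last_tested": date(2024, 1, 15)},
    "ITAC-002": {"process": "Procure-to-Pay", "risk": "Payment above approval limit",
                 "owner": "treasury", "evidence": "approval_log", "last_tested": date(2024, 2, 1)},
    "ITAC-003": {"process": "Record-to-Report", "risk": "Same user posts and approves journal",
                 "owner": "controller", "evidence": "journal_log", "last_tested": date(2024, 5, 20)},
}
CHANGES = [  # (control touched, date, what changed)
    ("ITAC-002", date(2024, 4, 10), "approval workflow reconfigured"),
    ("ITAC-003", date(2024, 5, 1), "role update"),
]
PERIODS = ["2024-Q1", "2024-Q2"]
RUNS = [  # (period, control, exception type or None)
    ("2024-Q1", "ITAC-001", "tolerance override"), ("2024-Q2", "ITAC-001", "tolerance override"),
    ("2024-Q1", "ITAC-002", None), ("2024-Q2", "ITAC-002", None),
    ("2024-Q1", "ITAC-003", None), ("2024-Q2", "ITAC-009", None),
]

def find_drift(register, changes, runs, periods):
    """Return {control_id: [finding, ...]} for the drift signals described above."""
    findings = defaultdict(list)
    # Change touched the control after its last test: the control path is unvalidated.
    for cid, changed_on, what in changes:
        if cid in register and changed_on > register[cid]["last_tested"]:
            findings[cid].append(f"untested since change: {what}")
    ran = defaultdict(set)                         # control -> periods with run evidence
    exc = defaultdict(lambda: defaultdict(set))    # control -> exception -> periods
    for period, cid, exception in runs:
        ran[cid].add(period)
        if exception:
            exc[cid][exception].add(period)
    for cid in register:
        missing = [p for p in periods if p not in ran[cid]]
        if missing:
            findings[cid].append("no run evidence: " + ", ".join(missing))
        for key, seen in sorted(exc[cid].items()):
            if len(seen) > 1:                      # same exception in more than one period
                findings[cid].append(f"recurring exception '{key}' in " + ", ".join(sorted(seen)))
    for cid in ran:                                # evidence for a control nobody inventoried
        if cid not in register:
            findings[cid].append("not in control register")
    return dict(findings)

if __name__ == "__main__":
    for cid, items in sorted(find_drift(REGISTER, CHANGES, RUNS, PERIODS).items()):
        print(cid, items)
```

ITAC-003 is not flagged for its role update because it was retested after that change, but it is flagged for missing run evidence in the second period.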
