Multi-ERP internal audit automation: what changes for assurance teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7677
Topic starter  

TL;DR: Internal audit in SOX-scoped, multi-ERP environments is shifting from periodic sampling to continuous assurance, with SafePaaS positioning control telemetry, automated testing, and evidence capture across planning, fieldwork, reporting, and follow-up. The governance shift is real: audit programmes now depend on live control data, not assumptions, to keep pace with change.

NHIMG editorial — based on content published by SafePaaS: internal audit in a SOX-scoped, multi-ERP environment

By the numbers:

Questions worth separating out

Q: How should internal audit teams reduce reliance on manual sampling in multi-ERP environments?

A: They should shift as many controls as possible to population-based testing, especially access, segregation of duties, and configuration controls that can be validated from system data.

Q: Why do access and entitlement issues matter to internal audit, not just IAM teams?

A: Because access data is often the evidence behind control effectiveness.

Q: What breaks when audit evidence is still assembled manually after control execution?

A: The evidence trail becomes incomplete, late, and hard to reproduce.

Practitioner guidance

  • Map the audit universe to live control data: Tie systems, entities, and processes to risk objectives before building the audit plan.
  • Replace sample-heavy tests with population-based checks: Use automated testing for controls that are machine-verifiable, such as access segregation and change approvals.
  • Standardise time-stamped evidence capture: Store approvals, entitlement exports, exception records, and remediation evidence in a shared repository that can be traced back to each test step.

What's in the full article

SafePaaS's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step examples of how SafePaaS structures planning, testing, and reporting across Oracle, SAP, and Workday environments.
  • Specific control telemetry fields used to identify SoD violations, privileged access, and configuration changes inside the audit workflow.
  • Evidence handling details for attaching approvals, exports, and remediation artefacts directly to audit workpapers.
  • Dashboard and workflow examples showing how follow-up status is tracked across control owners and internal audit teams.

👉 Read SafePaaS's analysis of continuous assurance in multi-ERP internal audit →
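
The population-based check and time-stamped evidence capture described in the practitioner guidance, as an added example that is not code from SafePaaS or from the original post. The entitlement names, rule ids, person ids and the test-step id are constructed assumptions; entitlements are joined per person across ERPs so a conflict split between two systems is still caught.

```python
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed entitlement export: (system, person_id, entitlement). Not real data.
EXPORT = [
    ("SAP", "e1001", "vendor.create"),
    ("Oracle", "e1001", "payment.approve"),
    ("SAP", "e1002", "vendor.create"),
    ("Workday", "e1002", "hr.view"),
    ("Oracle", "e1003", "journal.post"),
    ("Oracle", "e1003", "journal.approve"),
    ("Workday", "e1004", "payment.approve"),
]

# Hypothetical SoD rule set: pairs of duties one person must not hold together.
SOD_RULES = {
    "SOD-01": ("vendor.create", "payment.approve"),
    "SOD-02": ("journal.post", "journal.approve"),
}

def check_population(export, rules, test_step, now=None):
    """Evaluate every person in the export against every rule; return evidence."""
    by_person = defaultdict(lambda: defaultdict(set))  # person -> entitlement -> systems
    for system, person, ent in export:
        by_person[person][ent].add(system)
    exceptions = []
    for person in sorted(by_person):
        held = by_person[person]
        for rule_id, (a, b) in sorted(rules.items()):
            if a in held and b in held:
                exceptions.append({"rule": rule_id, "person": person,
                                   "systems": sorted(held[a] | held[b])})
    # Hash the exact population tested so the result can be reproduced later.
    canonical = json.dumps(sorted(export), separators=(",", ":")).encode()
    return {
        "test_step": test_step,
        "captured_at": (now or datetime.now(timezone.utc)).isoformat(),
        "population_size": len(by_person),
        "population_sha256": hashlib.sha256(canonical).hexdigest(),
        "exceptions": exceptions,
    }

if __name__ == "__main__":
    print(json.dumps(check_population(EXPORT, SOD_RULES, "FW-ACCESS-01"), indent=2))
```

The population hash is computed over the sorted export, so re-running the test on the same data in a different row order yields the same evidence fingerprint.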
