TL;DR: Oracle ERP teams may run strong native access and segregation-of-duties controls, but auditors increasingly want independent evidence that those controls worked across the year, not just inside the runtime, according to SafePaaS. The governance problem is no longer control design alone, but whether the evidence story is defensible across systems, timelines, and reviewers.
NHIMG editorial — based on content published by SafePaaS: Oracle ERP evidence, access controls, and segregation-of-duties under audit scrutiny
Questions worth separating out
Q: How should security teams handle audit evidence for Oracle ERP controls?
A: They should separate control operation from evidence storage.
Q: Why do Oracle ERP environments create SoD and access evidence problems?
A: Because the same platform that enforces roles and segregation-of-duties often becomes the only place where proof exists.
Q: What breaks when access reviews happen only at audit time?
A: Mid-year changes go untested, temporary access can outlive the business need, and service accounts may never be reviewed in the same cycle as human users.
Practitioner guidance
- Implement an independent evidence layer for Oracle ERP: store access, SoD, review, and remediation evidence outside the Oracle runtime so auditors are not forced to validate the system against itself.
- Rebuild controls around end-to-end business processes: trace vendor creation, purchasing, journal posting, and payment workflows across Oracle and connected apps before deciding whether a single-system report is enough.
- Extend review cycles to non-human identities: include integrations, bots, overrides, and service accounts in the same review model you use for privileged human access, then document how each identity is validated.
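As an added example, not code from SafePaaS, Oracle or the original page: a small SoD conflict check that reviews human and non-human grants in one model and packages the result as a hashed evidence record that can be stored and verified outside the ERP runtime. The role names, conflict matrix, grants and review id are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed mapping of ERP roles to the end-to-end process steps they can perform.
ROLE_PROCESSES = {
    "AP_VENDOR_ADMIN": {"vendor_create"},
    "PURCHASING_BUYER": {"purchase_order"},
    "GL_ACCOUNTANT": {"journal_post"},
    "AP_PAYMENT_CLERK": {"payment_release"},
    "INTEGRATION_SUPERUSER": {"vendor_create", "payment_release"},
}
# Constructed SoD conflict matrix: no single identity should reach both steps of a pair.
SOD_CONFLICTS = {
    frozenset({"vendor_create", "payment_release"}),
    frozenset({"purchase_order", "payment_release"}),
    frozenset({"journal_post", "payment_release"}),
}
# Constructed grants: human users, a service account and a bot reviewed in one model.
GRANTS = [
    {"identity": "jdoe", "kind": "human", "roles": ["AP_VENDOR_ADMIN", "AP_PAYMENT_CLERK"]},
    {"identity": "asmith", "kind": "human", "roles": ["GL_ACCOUNTANT"]},
    {"identity": "svc_erp_sync", "kind": "service", "roles": ["INTEGRATION_SUPERUSER"]},
    {"identity": "rpa_bot_07", "kind": "bot", "roles": ["PURCHASING_BUYER", "AP_PAYMENT_CLERK"]},
]

def find_sod_violations(grants, role_processes=ROLE_PROCESSES, conflicts=SOD_CONFLICTS):
    """Return {identity: [conflicting step pairs]} for any identity, human or not."""
    violations = {}
    for g in grants:
        reach = set().union(*(role_processes.get(r, set()) for r in g["roles"]))
        hits = sorted(tuple(sorted(c)) for c in conflicts if c <= reach)
        if hits:
            violations[g["identity"]] = hits
    return violations

def evidence_record(grants, violations, review_id):
    """Self-describing review record with a content hash, kept outside the ERP runtime."""
    body = {"review_id": review_id, "generated_at": datetime.now(timezone.utc).isoformat(),
            "identities_reviewed": sorted(g["identity"] for g in grants),
            "non_human_reviewed": sorted(g["identity"] for g in grants if g["kind"] != "human"),
            "violations": violations}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return {"body": body, "sha256": hashlib.sha256(canonical).hexdigest()}

def verify_evidence(record):
    """Recompute the hash from the stored body; a mismatch means the record was altered."""
    canonical = json.dumps(record["body"], sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest() == record["sha256"]
```

The hash only detects alteration of a record you already hold; a real evidence store would also need an append-only log or signatures so the reviewer does not depend on the ERP to re-derive the same result.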
Teams that still rely on runtime reports alone will keep running into the same audit friction, because proof now has to survive outside the system being reviewed.
Explore further
Independent evidence is now part of the control itself. In Oracle-heavy environments, the question is no longer only whether access is configured correctly. The question is whether the organisation can prove that correctness without relying on the same system under review. That makes evidence architecture a control design issue, not a documentation afterthought. Practitioners should treat auditability as a first-class requirement.
A few things that frame the scale:
- Recent analysis of SEC filings shows that IT, software, security and access issues, along with segregation-of-duties and design control gaps, are among the top root causes of material weaknesses over the last five years, according to Top 10 NHI Issues.
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
A question worth separating out:
Q: Who is accountable when Oracle control evidence is hard to defend?
A: IT-ERP, Internal Audit, and SOX all share accountability, but the control owner usually owns the evidence model. If the programme cannot produce independent proof, the issue is not just operational. It is a governance gap that can affect audit outcomes, remediation timelines, and confidence in financial controls.
👉 Read our full editorial: Oracle ERP control evidence gaps are widening under audit scrutiny