🏛️

ERP Security Assessment

Specialist security audits for SAP, Oracle, and Microsoft Dynamics environments — segregation of duties, authorisation, and module-specific risks.

SAPOracle EBSDynamics 365SoDAuthorisation AuditRFC
Serving clients across the United Kingdom & United States of America

What You Receive

  • Segregation of Duties (SoD) conflict matrix
  • Authorisation and role design review with remediation roadmap
  • Platform-specific vulnerability findings (SAP, Oracle, Dynamics)
  • Integration and interface security review (RFC, IDoc, REST/OData)
  • Compliance evidence package mapped to SOX, ISO 27001, or sector frameworks

ERP systems hold the most sensitive data in most organisations — financial records, HR information, customer data, intellectual property, and the integrity of business operations themselves. They are also among the most complex security environments to audit correctly. Generic application security testing misses ERP-specific risks entirely; only platform-specific expertise produces meaningful findings.

We deliver ERP security assessments for SAP, Oracle, Microsoft Dynamics, and Workday environments across the UK and USA, supporting clients through SOX compliance, ISO 27001 certification, M&A due diligence, post-incident assurance, and pre-go-live validation.

What We Assess

Segregation of Duties (SoD)

The foundational control in ERP security. Users with access to both initiate and approve sensitive transactions — vendor creation and payment authorisation, customer credit limit changes and order release, GL journal entry and posting — represent material fraud risk and SOX/ISO 27001 control failures.

We extract role and user assignments, map authorisations to a standardised SoD ruleset customised to your business processes, and produce a quantified conflict matrix. Findings are prioritised by frequency, business impact, and remediation complexity.

Authorisation and Role Design

ERP authorisation models accumulate complexity over time. Roles built years ago contain authorisations no longer required; users carry historical access from prior roles; emergency access granted "temporarily" persists indefinitely. Authorisation drift creates over-privileged users — even where no single role is excessively privileged.

We analyse role design (single roles vs composite roles, authorisation object composition), user-role assignment patterns (rolesphere analysis, ABAP role optimisation in SAP), and identify dormant authorisations that can be removed without business impact.

Platform-Specific Configuration

SAP

  • Authorisation object configuration and critical authorisation review (S_TCODE, S_PROGRAM, S_DEVELOP)
  • Critical transaction code access (SM30, SM31, SE16, SE38, RZ10, SU01, PFCG)
  • RFC destination security — trusted RFC, anonymous RFC, communication users
  • Gateway and message server configuration (gw/reg_info, gw/sec_info)
  • SAP Router and SAProuter rules
  • Default password review (SAP*, DDIC, SAPCPIC, EARLYWATCH)
  • ICM and HTTP service configuration
  • Custom ABAP code review for security-sensitive functions
  • BTP service binding and instance configuration

Oracle

  • Responsibility and menu structure analysis
  • Function security and form function configuration
  • Direct database access auditing (SYS, SYSTEM, APPS schema)
  • DBMS_LDAP and DBMS_SCHEDULER privilege review
  • Concurrent program parameter security
  • Profile option configuration
  • Database listener security and TNS configuration
  • Custom PL/SQL package privilege analysis

Microsoft Dynamics 365

  • Security role composition and inheritance
  • Duty and privilege analysis (D365 F&O)
  • Entity-level and field-level security
  • Common Data Service permissions
  • Power Platform integration security (Power Automate, Power Apps)
  • Business event configuration
  • Data entity security and OData endpoint exposure

Integration and Interface Security

ERPs rarely exist in isolation. We audit:

  • SAP RFC destinations, IDoc partner profiles, PI/PO integration security
  • Oracle integration via SOA Suite, OIC, REST APIs
  • Dynamics integrations via Logic Apps, Power Automate, dual-write
  • Direct database connections from BI tools, reporting, and bolt-on applications
  • File-based integrations and shared file system permissions
  • Identity federation with corporate Entra ID / Okta / Azure AD

SOX and Compliance Evidence

For US-listed companies and UK-listed companies under similar frameworks (UK Corporate Governance Code, FCA SYSC), ERP control evidence forms a substantial portion of the IT General Controls audit scope. Our reports deliver evidence aligned to:

  • SOX Section 404 ITGC controls (access, change management, computer operations)
  • COSO 2013 framework control activities
  • ISO 27001 Annex A (8.2, 8.3, 9.1, 9.2, 9.4 — access management)
  • COBIT 2019 control objectives where applicable
  • Sector-specific frameworks: HIPAA (US healthcare), GLBA (US financial), FCA SYSC (UK financial)

UK & USA Coverage

We deliver ERP security audits across both jurisdictions. UK clients receive GBP pricing and reports aligned to UK regulatory frameworks; US clients receive USD pricing and reports aligned to US frameworks (SOX, sector-specific). For multinational deployments, we produce consolidated reports with jurisdiction-specific mappings.

What You Receive

  • Executive summary — material findings in business risk language
  • SoD conflict matrix — quantified by user, role, and conflict type
  • Authorisation findings report — detailed technical findings with remediation steps
  • Platform-specific configuration findings — SAP system configuration, Oracle responsibilities, Dynamics roles
  • Integration security findings — interface and integration risk assessment
  • Compliance mapping — evidence package for SOX, ISO 27001, or applicable sector frameworks
  • Remediation roadmap — sequenced plan prioritised by risk and effort
  • Optional managed remediation — ongoing support to close findings, available as a retainer

Frequently Asked Questions

What ERP platforms do you assess?
SAP (ECC, S/4HANA on-premises and Private Cloud, S/4HANA Cloud, BTP), Oracle (E-Business Suite, Fusion Cloud ERP, JD Edwards), Microsoft Dynamics 365 (Finance & Operations, Business Central), and Workday. Each platform has distinct security models and we maintain specialist tooling and expertise for each.
What is Segregation of Duties and why does it matter?
Segregation of Duties (SoD) means no single user has the access to both initiate and approve a sensitive transaction — for example, creating a vendor and approving payments to that vendor. SoD violations are a primary control failure in financial fraud, and SoD review is a mandatory part of SOX, ISO 27001, and most regulatory audits.
How do you identify SoD conflicts?
We extract role and user assignments from your ERP, map authorisations to a standard SoD ruleset (based on industry-standard matrices and customised to your business processes), and identify users with conflicting access combinations. Findings are quantified by number of conflicts, business impact, and remediation effort.
Is ERP security different from general application security?
Fundamentally yes. ERP systems have unique security models — SAP authorisation objects, Oracle responsibilities and menus, Dynamics security roles — that require platform-specific expertise. General application security testing (OWASP-driven) misses entirely the ERP-specific risks: SoD violations, profile composition flaws, transaction code abuse, and module-specific vulnerabilities.
Can you test SAP S/4HANA Cloud or Dynamics 365 Cloud?
Yes. Cloud ERP changes some attack surface (no operating system access; reduced patching responsibility) but adds others (BTP service binding configurations, Power Platform integrations, Common Data Service permissions). We assess SaaS and on-premises ERPs with appropriate platform-specific methodology.
Do you find zero-day vulnerabilities in ERP platforms?
Our research team has disclosed multiple CVEs against major ERP platforms including a 2025 SAP BTP privilege escalation (CVE-2025-0482). Where we identify previously unknown vulnerabilities during client engagements, we work with the vendor on responsible disclosure and ensure clients receive remediation guidance for their immediate environment.
How long does an ERP security assessment take?
SAP authorisation review for a single ECC/S4 instance: 5-10 working days. Full SAP security audit including configuration, RFC, integration: 15-25 working days. Oracle EBS / Fusion Cloud: 7-15 working days. Dynamics 365 F&O: 7-15 working days. Multi-platform engagements scale accordingly.
What evidence do you need to start?
User and role extracts, authorisation object assignments (SAP) / responsibilities (Oracle) / security role assignments (Dynamics), configuration tables, transport/change documents for the audit period, integration endpoint inventory. A scoping call defines the exact data extraction required.

Book an ERP Security Audit

Tell us about your environment. We'll respond within one working day with a scoping call calendar invite and an initial price guide.

By submitting this form you agree to our privacy policy. We will only use your details to respond to this enquiry.