ERP Security Assessment
Specialist security audits for SAP, Oracle, and Microsoft Dynamics environments — segregation of duties, authorisation, and module-specific risks.
What You Receive
- Segregation of Duties (SoD) conflict matrix
- Authorisation and role design review with remediation roadmap
- Platform-specific vulnerability findings (SAP, Oracle, Dynamics)
- Integration and interface security review (RFC, IDoc, REST/OData)
- Compliance evidence package mapped to SOX, ISO 27001, or sector frameworks
ERP systems hold the most sensitive data in most organisations — financial records, HR information, customer data, intellectual property, and the integrity of business operations themselves. They are also among the most complex security environments to audit correctly. Generic application security testing misses ERP-specific risks entirely; only platform-specific expertise produces meaningful findings.
We deliver ERP security assessments for SAP, Oracle, Microsoft Dynamics, and Workday environments across the UK and USA, supporting clients through SOX compliance, ISO 27001 certification, M&A due diligence, post-incident assurance, and pre-go-live validation.
What We Assess
Segregation of Duties (SoD)
The foundational control in ERP security. Users with access to both initiate and approve sensitive transactions — vendor creation and payment authorisation, customer credit limit changes and order release, GL journal entry and posting — represent material fraud risk and SOX/ISO 27001 control failures.
We extract role and user assignments, map authorisations to a standardised SoD ruleset customised to your business processes, and produce a quantified conflict matrix. Findings are prioritised by frequency, business impact, and remediation complexity.
Authorisation and Role Design
ERP authorisation models accumulate complexity over time. Roles built years ago contain authorisations no longer required; users carry historical access from prior roles; emergency access granted "temporarily" persists indefinitely. Authorisation drift creates over-privileged users — even where no single role is excessively privileged.
We analyse role design (single roles vs composite roles, authorisation object composition), user-role assignment patterns (rolesphere analysis, ABAP role optimisation in SAP), and identify dormant authorisations that can be removed without business impact.
Platform-Specific Configuration
SAP
- Authorisation object configuration and critical authorisation review (S_TCODE, S_PROGRAM, S_DEVELOP)
- Critical transaction code access (SM30, SM31, SE16, SE38, RZ10, SU01, PFCG)
- RFC destination security — trusted RFC, anonymous RFC, communication users
- Gateway and message server configuration (gw/reg_info, gw/sec_info)
- SAP Router and SAProuter rules
- Default password review (SAP*, DDIC, SAPCPIC, EARLYWATCH)
- ICM and HTTP service configuration
- Custom ABAP code review for security-sensitive functions
- BTP service binding and instance configuration
Oracle
- Responsibility and menu structure analysis
- Function security and form function configuration
- Direct database access auditing (SYS, SYSTEM, APPS schema)
- DBMS_LDAP and DBMS_SCHEDULER privilege review
- Concurrent program parameter security
- Profile option configuration
- Database listener security and TNS configuration
- Custom PL/SQL package privilege analysis
Microsoft Dynamics 365
- Security role composition and inheritance
- Duty and privilege analysis (D365 F&O)
- Entity-level and field-level security
- Common Data Service permissions
- Power Platform integration security (Power Automate, Power Apps)
- Business event configuration
- Data entity security and OData endpoint exposure
Integration and Interface Security
ERPs rarely exist in isolation. We audit:
- SAP RFC destinations, IDoc partner profiles, PI/PO integration security
- Oracle integration via SOA Suite, OIC, REST APIs
- Dynamics integrations via Logic Apps, Power Automate, dual-write
- Direct database connections from BI tools, reporting, and bolt-on applications
- File-based integrations and shared file system permissions
- Identity federation with corporate Entra ID / Okta / Azure AD
SOX and Compliance Evidence
For US-listed companies and UK-listed companies under similar frameworks (UK Corporate Governance Code, FCA SYSC), ERP control evidence forms a substantial portion of the IT General Controls audit scope. Our reports deliver evidence aligned to:
- SOX Section 404 ITGC controls (access, change management, computer operations)
- COSO 2013 framework control activities
- ISO 27001 Annex A (8.2, 8.3, 9.1, 9.2, 9.4 — access management)
- COBIT 2019 control objectives where applicable
- Sector-specific frameworks: HIPAA (US healthcare), GLBA (US financial), FCA SYSC (UK financial)
UK & USA Coverage
We deliver ERP security audits across both jurisdictions. UK clients receive GBP pricing and reports aligned to UK regulatory frameworks; US clients receive USD pricing and reports aligned to US frameworks (SOX, sector-specific). For multinational deployments, we produce consolidated reports with jurisdiction-specific mappings.
What You Receive
- Executive summary — material findings in business risk language
- SoD conflict matrix — quantified by user, role, and conflict type
- Authorisation findings report — detailed technical findings with remediation steps
- Platform-specific configuration findings — SAP system configuration, Oracle responsibilities, Dynamics roles
- Integration security findings — interface and integration risk assessment
- Compliance mapping — evidence package for SOX, ISO 27001, or applicable sector frameworks
- Remediation roadmap — sequenced plan prioritised by risk and effort
- Optional managed remediation — ongoing support to close findings, available as a retainer
Frequently Asked Questions
What ERP platforms do you assess?
What is Segregation of Duties and why does it matter?
How do you identify SoD conflicts?
Is ERP security different from general application security?
Can you test SAP S/4HANA Cloud or Dynamics 365 Cloud?
Do you find zero-day vulnerabilities in ERP platforms?
How long does an ERP security assessment take?
What evidence do you need to start?
Book an ERP Security Audit
Tell us about your environment. We'll respond within one working day with a scoping call calendar invite and an initial price guide.