Why ERP Access Risk Is Different
Traditional access control audits assessed whether users had access to the specific systems and files relevant to their roles. ERP systems change this dynamic fundamentally. In a large ERP implementation, a single user account may have access to hundreds of transaction types across multiple modules — and the risk arises not from access to any single transaction but from combinations of access that together create the ability to commit and conceal fraud or error.
The most important access risk in ERP environments is Segregation of Duties (SoD) conflict — a situation where a single user has access to transaction types that should be separated across different individuals to prevent fraud and error. Classic SoD conflicts include access to both create and approve purchase orders, create and pay vendors, create and authorise journal entries, or add and process payroll records. Each of these combinations creates the opportunity for one individual to initiate and complete a transaction cycle without any independent check — removing the control that segregation is designed to provide.
The Audit Approach
Auditing access and SoD in ERP systems requires a structured approach that addresses four related questions:
1. What access does each user have? ERP role and access extracts provide the raw data for access analysis. These extracts should capture not just the high-level roles assigned to users but the specific transaction codes and authorisations that each role provides — the transaction-level detail is where SoD conflicts actually exist.
2. Are there SoD conflicts? SoD conflict analysis compares each user's access profile against a defined SoD conflict matrix — a document that specifies which combinations of transaction types constitute conflicts. This analysis is typically performed using GRC (Governance, Risk, and Compliance) tools or custom scripts that can process the volume of user-transaction combinations in large ERP environments. Manual analysis of SoD in a system with thousands of users is not practical.
3. Are conflicting access rights compensated by mitigating controls? Not every SoD conflict constitutes an unacceptable risk. Some conflicts exist in the access profiles of users who never actually execute both conflicting transaction types; others are mitigated by independent supervisory monitoring. Effective SoD audit includes assessment of compensating controls and their adequacy — not just production of a conflict list.
4. Is the access provisioning and de-provisioning process effective? The current state of access is only partly a function of current decisions — it is also a product of historical provisioning decisions, role modifications, and the consistency of de-provisioning when staff leave or change roles. An access audit that does not examine the provisioning process will not understand why the current access profile exists or how to prevent future accumulation.
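The conflict analysis described in steps 1 to 3 can be scripted when no GRC tool is available. The following Python is an added example, not from the original page or any ERP vendor; the role, user and transaction names are constructed placeholders, and the conflict matrix and compensating-control register are assumed inputs an auditor would supply from the engagement's own documentation.

```python
# Constructed sample extracts (not from any real ERP): role -> transaction codes,
# user -> roles. Names are placeholders chosen for this example.
ROLE_TXNS = {
    "AP_CLERK": {"PO_CREATE", "VENDOR_CREATE"},
    "AP_MANAGER": {"PO_APPROVE", "VENDOR_PAY"},
    "GL_ACCOUNTANT": {"JE_CREATE"},
    "GL_SUPERVISOR": {"JE_APPROVE"},
}
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_MANAGER"},        # accumulated access after a role change
    "carol": {"GL_ACCOUNTANT", "GL_SUPERVISOR"},
    "dave": {"GL_ACCOUNTANT"},
}
# SoD conflict matrix: pairs of transaction types one user should not hold together.
SOD_MATRIX = [
    ("PO_CREATE", "PO_APPROVE"),
    ("VENDOR_CREATE", "VENDOR_PAY"),
    ("JE_CREATE", "JE_APPROVE"),
]
# Documented compensating controls: (user, conflict) -> description.
# Only a documented control reduces a finding; undocumented ones stay UNMITIGATED.
MITIGATIONS = {
    ("carol", ("JE_CREATE", "JE_APPROVE")): "Monthly independent JE review by controller",
}

def effective_transactions(user):
    """Flatten a user's roles to transaction-level access, where conflicts actually live."""
    txns = set()
    for role in USER_ROLES.get(user, ()):
        txns |= ROLE_TXNS.get(role, set())
    return txns

def find_conflicts(user):
    """Return the SoD matrix pairs of which the user holds both sides (sorted for stable output)."""
    txns = effective_transactions(user)
    return sorted(pair for pair in SOD_MATRIX if pair[0] in txns and pair[1] in txns)

def sod_report():
    """Conflicts per user, each tagged with its compensating control or 'UNMITIGATED'."""
    report = {}
    for user in USER_ROLES:
        for pair in find_conflicts(user):
            report.setdefault(user, []).append((pair, MITIGATIONS.get((user, pair), "UNMITIGATED")))
    return report

if __name__ == "__main__":
    for user, findings in sod_report().items():
        for pair, status in findings:
            print(f"{user}: {pair[0]} + {pair[1]} -> {status}")
```

Real extracts would be loaded from the ERP's role and authorisation tables rather than embedded, but the flattening and matrix comparison are the same.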
Super User and Privileged Access
Privileged access — including system administrator accounts, super user IDs, and batch processing accounts — represents a distinct and often higher category of access risk. These accounts typically bypass standard authorisation controls and can perform administrative operations that override transaction-level security. Audit procedures for privileged access should address whether these accounts are necessary, who has them, how their use is monitored and logged, and whether the logs are reviewed by an independent party.
The most dangerous access in most ERP environments is not the access that is obviously wrong — it is the access that looks legitimate but creates unmonitored SoD conflicts that could be exploited by a determined insider with patience. Detecting this requires systematic analysis, not sampling.
Remediation Challenges
One reason access and SoD audit findings are so persistent is that remediation is genuinely difficult. In mature ERP implementations, access has typically accumulated over years of provisioning decisions — removing access disrupts business processes that have become dependent on individual users' broad access. Management often pushes back on SoD remediation by arguing that it is operationally impractical. The auditor's role is to document the risk of the conflict, assess the adequacy of proposed compensating controls, and ensure that the residual risk is understood and accepted by appropriate governance levels — not to accept impracticality as a reason to leave significant control gaps in place indefinitely.