Modern business applications drive efficiency—but they also expand your security risk surface. When users have excessive or inappropriate access to Enterprise Resource Planning (ERP), Human Capital Management (HCM), or Customer Relationship Management (CRM) systems, your organization is exposed to serious consequences, such as fraud, data privacy violations, and failed audits.
Business applications—like Microsoft Dynamics, NetSuite, Oracle, Workday, and Salesforce—hold your most sensitive data and power your most critical operations. However, manually tracking who has access to what across these applications is nearly impossible.
That’s where Application Access Governance (AAG) comes in. If you’re new to this space, you might be wondering: Where does it actually fit in your organization, and what teams should be responsible?
There are more employees with access to critical business applications than ever before. Today, most organizations rely on 10 to 15 different business applications to manage critical functions like financial transactions, HR operations, and customer data. When access is not tightly managed:
According to the Association of Certified Fraud Examiners (ACFE), organizations lose 5% of annual revenue to fraud, with the average case costing $1.7 million. Managing access is not just an IT task; it’s a business risk that must be addressed across the organization.
Best practice:
The Finance department has a direct stake in ensuring that access to financial systems doesn't open the door to fraud or audit failure, and needs the ability to identify Segregation of Duties (SoD) and Sensitive Access risks. Finance teams are responsible for defining SoD policies based on financial processes and controls, reviewing SoD exceptions, and collaborating with the internal audit team to ensure controls align with compliance frameworks like the Sarbanes-Oxley Act (SOX).
The Finance team typically serves as the business owner of the ERP system and understands the workflows and business impact of toxic combinations of access.
Risk:
One of the leading sources of financial exposure in an organization is error or fraud enabled by excessive user access to the company's financial applications.
Best practice:
Both internal and external auditors are invested in the internal controls around user access management and SoD, within each of these applications and across them collectively. Internal audit teams are responsible for validating the design of internal controls—including those tied to SoD enforcement—testing the effectiveness of those controls, including mitigating controls, and reviewing processes for completeness and accuracy.
They need to be confident that the proper access controls are in place and functioning correctly, especially when it's time for an audit.
Risk:
Excessive user access to sensitive business applications like ERP, HCM, and CRM can lead to internal fraud and compliance violations. Without clear oversight, access risks may go undetected until an issue arises.
Best practice:
Many business applications involve activities outside of strictly financial operations, including Sales, Warehousing, Human Resources, and Marketing. The application owners are closest to the day-to-day operations within their systems and periodically review and certify employee access to these applications. They are in the best position to determine whether access within each application is appropriate for the business's needs.
Application owners typically complete the User Access Reviews (UARs) certifying that each user has the proper access needed to do their job. They understand the security models of the apps they own, so they can easily identify elevated privileges and roles that are overprovisioned. These are also the folks who review role-based reports to make sure roles are built with the concept of least privilege in mind.
Risk:
When application owners aren't included in reviews, users may retain outdated or excessive permissions, especially after role changes, creating operational and compliance risks.
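The SoD policies Finance defines above and the role-level least-privilege review that application owners perform can both be expressed as checks over the same data: who holds which roles, and which business functions each role grants. The following Python is an added example and not Fastpath's or Delinea's code; every function, role, user and control identifier in it is constructed and hypothetical. It resolves each user's effective functions, reports which roles grant each side of a conflict (so the reviewer removes the offending role rather than the user's whole access), separates exceptions that already carry an accepted mitigating control from those still open, and flags roles that are toxic by design, which is a role-build problem rather than an assignment problem.

```python
"""Segregation of Duties (SoD) and sensitive-access checks over role assignments.

Added example: all function names, roles, users and control IDs below are
constructed and hypothetical; they are not taken from any real ERP or product.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str]  # two business functions one person must not hold together

# Constructed SoD policy, the kind Finance defines from its process controls.
SOD_RULES: Dict[Rule, str] = {
    ("create_vendor", "approve_payment"): "Create a vendor and approve payments to it",
    ("enter_journal", "post_journal"): "Enter and post journal entries without independent review",
    ("maintain_payroll_master", "run_payroll"): "Change payroll master data and run payroll",
}

# Functions flagged for review even when they conflict with nothing.
SENSITIVE_FUNCTIONS: Set[str] = {"maintain_bank_accounts", "system_admin"}

# Constructed role definitions: role -> business functions it grants.
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "AP_Clerk": {"create_vendor", "enter_invoice"},
    "AP_Manager": {"approve_payment", "maintain_bank_accounts"},
    "GL_Accountant": {"enter_journal"},
    "Controller": {"post_journal", "approve_payment"},
    "HR_Payroll": {"maintain_payroll_master", "run_payroll"},  # toxic by design
    "IT_Admin": {"system_admin"},
}

# Constructed assignments. alice was promoted to AP_Manager, but AP_Clerk was never removed.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"AP_Clerk", "AP_Manager"},
    "bob": {"GL_Accountant"},
    "carol": {"GL_Accountant", "Controller"},
    "dave": {"HR_Payroll"},
    "erin": {"IT_Admin"},
}

# Exceptions Finance and audit have already accepted, keyed by (user, rule).
MITIGATIONS: Dict[Tuple[str, Rule], str] = {
    ("dave", ("maintain_payroll_master", "run_payroll")):
        "CTRL-17 (hypothetical): payroll register reviewed monthly by the CFO",
}


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str               # "sod" or "sensitive"
    detail: str
    roles: Tuple[str, ...]  # roles granting the access, so the reviewer can remove the right one
    mitigation: str = ""    # empty means the exception is open and must be actioned


def functions_by_role(user: str, user_roles: Dict[str, Set[str]],
                      role_functions: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Resolve a user's effective functions and remember which roles grant each one."""
    grants: Dict[str, Set[str]] = {}
    for role in user_roles.get(user, set()):
        for fn in role_functions.get(role, set()):
            grants.setdefault(fn, set()).add(role)
    return grants


def find_sod_conflicts(user_roles, role_functions, rules, mitigations) -> List[Finding]:
    """Flag users holding both sides of a rule, whether via one role or a combination of roles."""
    findings: List[Finding] = []
    for user in sorted(user_roles):
        grants = functions_by_role(user, user_roles, role_functions)
        for (a, b), description in rules.items():
            if a in grants and b in grants:
                roles = tuple(sorted(grants[a] | grants[b]))
                findings.append(Finding(user, "sod", description, roles,
                                        mitigations.get((user, (a, b)), "")))
    return findings


def find_sensitive_access(user_roles, role_functions, sensitive) -> List[Finding]:
    """Flag sensitive functions so the application owner certifies them explicitly in a UAR."""
    findings: List[Finding] = []
    for user in sorted(user_roles):
        grants = functions_by_role(user, user_roles, role_functions)
        for fn in sorted(sensitive.intersection(grants)):
            findings.append(Finding(user, "sensitive", fn, tuple(sorted(grants[fn]))))
    return findings


def find_toxic_roles(role_functions, rules) -> Dict[str, List[str]]:
    """Roles containing both sides of a rule violate SoD for every assignee; fix the role design."""
    toxic: Dict[str, List[str]] = {}
    for role, fns in role_functions.items():
        hits = [desc for (a, b), desc in rules.items() if a in fns and b in fns]
        if hits:
            toxic[role] = hits
    return toxic


def unmitigated(findings: List[Finding]) -> List[Finding]:
    """SoD exceptions Finance still has to accept or the application owner has to remediate."""
    return [f for f in findings if f.kind == "sod" and not f.mitigation]


if __name__ == "__main__":
    sod = find_sod_conflicts(USER_ROLES, ROLE_FUNCTIONS, SOD_RULES, MITIGATIONS)
    for f in sod:
        status = f"mitigated by {f.mitigation}" if f.mitigation else "UNMITIGATED"
        print(f"[SoD] {f.user}: {f.detail} via {', '.join(f.roles)} -> {status}")
    for f in find_sensitive_access(USER_ROLES, ROLE_FUNCTIONS, SENSITIVE_FUNCTIONS):
        print(f"[Sensitive] {f.user}: {f.detail} via {', '.join(f.roles)}")
    for role, hits in find_toxic_roles(ROLE_FUNCTIONS, SOD_RULES).items():
        print(f"[Role design] {role} grants both sides of: {'; '.join(hits)}")
```

Run as a script, it lists alice's cross-role conflict (the stale AP_Clerk role from before her promotion), carol's journal conflict, dave's payroll conflict marked as mitigated, and HR_Payroll as a role that cannot be assigned to anyone without creating an exception. Which team acts on each line follows the division of responsibilities described above: Finance owns the rules and the accepted mitigations, application owners own the role removals and the role redesign, and IT executes the changes.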
Best practice:
As more organizations move to best-of-breed applications, they must rely on the complex integration of sophisticated software to keep their business moving forward. Most of the technical work of securing, maintaining, and provisioning these business applications—SAP, NetSuite, Microsoft Dynamics, Oracle, Workday, Salesforce, and more—falls on the IT department. IT and security teams play a crucial role in technical implementation and are often the administrators of application access governance tools.
They are responsible for integrating key business applications, managing the provisioning and deprovisioning of access to applications, monitoring and responding to access violations, and generating reports for evidence of control testing.
Risk:
While IT teams can accelerate productivity and reduce manual errors through automation, they lack the business context needed to determine what level of access is appropriate for a role, and need input from application owners and internal audit to design access policies and review access over time. Without that input, they may grant users excessive or insufficient access to critical business applications, because the detailed understanding of business processes and role requirements sits with the business rather than with IT.
One of the most common mistakes during an application access governance implementation is assuming that IT will "just own it". While IT plays a critical role, access governance only succeeds when it’s a business-driven initiative supported by technical execution.
So, who owns application access governance in an organization? The best answer is that everyone plays a part. The key is having clear roles and strong collaboration.
In the best-case scenario, an application access governance tool isn’t owned by a single team but treated as a governance program where ownership is shared collectively by the finance team, audit teams, application owners, and IT and security teams.
Generally, the application owners know what their users do and the level of access they require to be most productive. The audit team reviews the application owners’ findings and assessments and helps them balance productivity with prevention and risk mitigation. The Finance department identifies the areas of risk and advises on SoD mitigations. And the security team is tasked with making the appropriate changes based on those findings.
An effective program must have buy-in from all organizational stakeholders, regardless of whose cost center is ultimately responsible for paying for the technology.
Application access governance solutions from Fastpath, now part of Delinea, provide the automation to make collaboration between finance, internal audit, IT, security, and application teams effective.
These solutions empower each stakeholder with visibility into access risk across applications, automated workflows to streamline operations, and risk insights to guide informed access decisions.
To learn more about the advantages of automated controls, download our whitepaper: Automating Your Control Environment: Get a Clear View of Access Risk Across Multiple Applications.