Security audits for SAP and Oracle systems analyze the existing security level of your implementation and identify security weaknesses that could compromise your organization.

Using solutions and expertise developed from thousands of ERP security engagements, Onapsis consultants perform a white-box assessment of the target platforms. This identifies security misconfigurations, missing security patches and dangerous user authorizations.

Equipped with an ever-evolving knowledge base of security threats affecting ERP systems, Onapsis consultants are able to reliably detect existing risks throughout your entire ERP implementation. Due to differing industry-dependent compliance guidelines, our services consist of various sub-services as applicable to your organization.

The following audits are included in our full service, as applicable:

  • Baseline Security Audit:
    This is the first step of our comprehensive security audit. Your SAP or Oracle platforms are analyzed to determine how well your organization’s current security methods measure up to industry best practices. Key components of your business-critical platforms are checked for technical and process vulnerabilities.
  • SAP AG Guidelines Security Audit:
    In 2010, SAP released a set of guidelines that outline security measures for ABAP, HANA and JAVA against unauthorized access within the corporate network. Our SAP AG Guidelines Security Audit verifies if your SAP platform is compliant with these guidelines by identifying missing security measures. Once identified, we provide high-level guidance on how to effectively implement best practices to ensure streamlined resolutions across your SAP platforms.
  • PCI DSS Security Audit:
    Every company that processes cardholder information must comply with the PCI DSS regulation. Since many ERP platforms are subject to PCI DSS, it is imperative to verify whether there are compliance violations or potential data breaches. Our PCI DSS Security Audit analyzes your SAP or Oracle platform to detect non-compliance items and provide information on how to effectively resolve PCI-related issues before an auditor performs a company-wide PCI assessment.
  • SOX Security Audit:
    Our SOX Security Audit verifies if your business-critical applications are within the scope of SOX compliance. To do so, our consultants assess your SAP or Oracle platforms beyond the segregation of duties conflict matrix to identify and mitigate risk wherever applicable.
  • ISACA Security Audit:
    Our ISACA Security Audit evaluates whether your essential security functions are being managed effectively. To do so, our consultants perform a comprehensive assessment of your organization’s security team, focusing on the main areas of management including identity, IT risk, systems and vulnerability.
  • NERC CIP Security Audit:
    Our NERC CIP Security Audit identifies whether your business-critical applications are compliant with CIP standards. To do so, our consultants analyze your SAP or Oracle platforms to identify non-compliant areas and deliver a comprehensive action plan for resolution.

Key Benefits:

  • Efficiently uncover security and compliance gaps within applications running on SAP or Oracle at the application layer and prioritize a resolution
  • Increase visibility of risks, vulnerabilities and compliance issues that span across SAP and Oracle ERP, HCM, SCM, CRM and BI applications
  • Identify security issues at the network, operating system and database layers of your implementation
  • Improve best practice planning around mitigating discovered risks with the goal of increasing the security posture of the ERP system and its connections to key systems
  • Decrease business risks, enforce evolving compliance requirements and significantly reduce security operating costs


  • Executive summary of detected vulnerabilities and the possible impacts for the business
  • Detailed technical report covering detected vulnerabilities and associated risks
  • Mitigation plan report outlining a step-by-step action plan with detailed mitigation activities for each detected issue

To learn more about how Onapsis's security audit services can assist your company, please contact us here.