Audits across
SAP S/4HANA, SAP Business One, Oracle Fusion ERP, Microsoft Dynamics 365, Oracle NetSuite, Sage Intacct, Sage X3, Sage 300 People, Amazon Web Services, Microsoft Azure
Cited on every finding
COSO 2013, COBIT 2019, NIST CSF 2.0, ISO/IEC 27001:2022, CIS v8, SOX ITGC, SOC 2 TSC, PCI DSS v4.0, HIPAA Security Rule, EU DORA, EU NIS2 Directive, GDPR, Kenya DPA 2019
Live · ERP + Cloud Audit Platform

Your ERP and Cloud are no longer separate silos. Your audit platform should not be either.

Deep security checks across SAP, Oracle, Dynamics 365, NetSuite, Sage, AWS and Azure — simultaneously. Every finding cites COSO 2013, COBIT 2019, NIST CSF 2.0, ISO 27001, CIS, SOX, SOC 2, PCI DSS v4, HIPAA, DORA, NIS2, GDPR and Kenya DPA — out of the box, no configuration. Cross-system SoD conflicts that single-platform tools miss entirely. Board-ready reports in minutes.

V/ergent: fluid enough to flow across any framework, sharp enough to find every gap.

app.vergent.co.ke/runs/sap-oracle-q2-2024
LIVE
Nexora Group — Q2 2024 Audit
SAP S/4 HANA · Oracle Fusion · AWS · Azure · Cross-System SoD
Complete
SAP S/4 Oracle AWS Azure D365 NetSuite +4
Risk Score
Findings by Severity
Critical: 12
High: 22
Medium: 30
Low: 16
SAP-001 RFC_READ_TABLE exposed without SNC (Critical)
XSOD-03 Oracle HCM Payroll ↔ Azure AD Global Admin (Critical)
AWS-011 Root access keys active, no MFA (High)
Compliance: NIST CSF 78% · ISO 27001 71% · SOC 2 84% · SOX 69%
1,100+ checks across 10 platforms
589 SoD, fraud & cross-system rules
13 frameworks mapped on every finding
Platform coverage

Deep specialist checks across ten ERP and cloud platforms.

SAP S/4HANA, SAP Business One, Oracle Fusion ERP, Microsoft Dynamics 365, Oracle NetSuite, Sage Intacct, Sage X3, Sage 300 People, AWS, and Microsoft Azure — every one with native checks built around its own data model, not generic compliance templates.

  • SAP S/4 HANA (ERP · Core Finance): 75+ checks
  • Oracle Fusion ERP (ERP · Cloud): 55+ checks
  • Microsoft Dynamics 365 (ERP · Microsoft): 44+ checks
  • Oracle NetSuite (ERP · Oracle): 45+ checks
  • Sage Intacct (ERP · Sage): 42+ checks
  • Sage X3 (ERP · Sage): 38+ checks
  • SAP Business One (ERP · SAP): 53+ checks
  • Sage 300 People (HR · Sage): 32+ checks
  • Amazon Web Services (Cloud · Live API): 41+ checks
  • Microsoft Azure (Cloud · Live API): 39+ checks
Cross-system coverage

Access conflicts that span your ERP and your Cloud, in one assessment.

Most teams audit each platform in isolation, and cross-system SoD usually needs a dedicated GRC tool. V/ergent runs the same policy engine across ERP and cloud in a single assessment, so boundary-spanning conflicts surface next to everything else you're already reviewing.

SAP AP Entry + AWS Lambda Deploy (Critical)
Engineer who can deploy payment-processing Lambda functions and post AP invoices in SAP can route payments to attacker accounts and overwrite the evidence trail.
Oracle HCM Payroll Create + Azure AD Global Admin (Critical)
Payroll creation rights plus identity admin enables undetectable ghost employee creation.
D365 Vendor Maintenance + AWS S3 Full Access (High)
Vendor master editor with unrestricted S3 access can exfiltrate and conceal payment data.
SAP Vendor Create + AWS IAM Admin (Critical)
Vendor master editor controlling AWS IAM can create access paths bypassing all application controls.
Platform capabilities

Built on three pillars. Not a checklist tool.

A security intelligence platform that works the way auditors think.

🔬
Unmatched Depth
1,100+ security checks built specifically for each platform's data model. Not generic compliance templates — checks that understand SAP authorisation objects, Oracle role hierarchies, AWS IAM trust policies, and Azure RBAC + Entra role pairings. Includes 514 SoD and fraud-pattern conflict rules + 50 cross-system SoD rules (multi-ERP) + 25 AML / Wolfsberg programme controls across all 10 platforms plus Banking-Extended (Wolfsberg / FFIEC), Insurance (NAIC / Solvency II) and Healthcare (HIPAA / HITRUST) vertical packs.
  • 75+ SAP checks across 15 security domains
  • HCM payroll & ghost employee detection
  • Every finding ships with a specific remediation step
  • DOCX & PDF audit-ready reports, instantly
🧠
Cross-System SoD Intelligence
8 built-in cross-system SoD rules, expandable to 20+ with platform-specific conflict packs. They fire only when data from two or more platforms is present — catching the access conflicts that siloed tools structurally cannot.
  • 8 built-in cross-system SoD rules (ERP ↔ Cloud ↔ SaaS), expandable with platform packs
  • Baseline drift — new, resolved, persisting findings
  • Auto-mapped to SOX, ISO 27001, SOC 2, PCI-DSS, NIST
  • AI-generated CLI remediation commands — copy-paste ready
⚙️
Audit Workflow Engine
Finding lifecycle management from detection to resolution. Assign findings to owners, track remediation progress, schedule recurring audits, and produce final sign-off reports — all in one place.
  • Finding lifecycle — Open → In Review → Resolved
  • Scheduled recurring audits — weekly, monthly, custom cron
  • Risk score trends & baseline drift across runs
  • Role-based access — Admin, Auditor, Viewer
Live API Connectors
AWS and Azure connect directly via live API — no CSV export, no stale data. SAP connects via RFC extraction scripts. Oracle and D365 connect via OAuth2/OData. Schedule runs to stay continuously current.
  • SAP S/4 HANA: RFC extraction (15+ tables)
  • Oracle Fusion: OAuth2 OData v4 live pull
  • AWS & Azure: real-time API — no agent required
  • Hourly / daily / weekly automated schedules
🎯
AI & Anomaly Detection
Isolation Forest detects statistical outliers in user behaviour and transaction patterns. Benford's Law flags manipulated financial data. XGBoost models predict which findings will surface in 30 days.
  • Isolation Forest outlier detection across 4 domains
  • Benford's Law financial fraud detection
  • 7/14/30-day predictive risk scoring (XGBoost)
  • AI CLI remediation commands for Critical & High findings
📊
Executive Reporting
Professional audit reports that non-technical executives can act on. Executive summary, prioritised finding list, compliance scorecard, SoD heatmap, and remediation plan — generated in seconds.
  • DOCX & PDF — board-ready in one click
  • NIST / CIS / ISO 27001 / SOX compliance scorecard
  • SoD conflict heatmap with role-conflict matrix
  • Real-time executive dashboard — auto-refresh every 5 min
Check coverage

Domain-specific checks across every platform.

Deep domain checks across identity, SoD, financial controls, compliance, and more.

Cross-System SoD fires when data from two or more platforms is uploaded. 8 predefined conflict rules identify users whose combined access creates an SoD violation no single-platform audit would detect.
⚖️
SAP AP Entry ↔ NetSuite Payment Approval
AP invoice entry in SAP + payment approval in NetSuite bypasses dual-authorisation.
⚖️
Oracle HCM Payroll ↔ Azure AD Global Admin
Payroll creation rights plus identity admin enables ghost employee creation.
⚖️
SAP Vendor Create ↔ AWS S3 Full Access
Vendor master editor with unrestricted S3 can exfiltrate and conceal data.
⚖️
D365 Vendor Maintenance ↔ NetSuite Payment
Vendor maintenance in D365 + payment approval in NetSuite circumvents segregation.
⚖️
NetSuite AP Entry ↔ AWS IAM Admin
AP clerk controlling AWS IAM can create access paths bypassing app controls.
⚖️
SAP Payroll Process ↔ Azure Storage Write
Payroll processor with cloud write can divert output files before GL posting.
⚖️
Oracle GL Posting ↔ AWS CloudTrail Admin
GL poster managing CloudTrail can disable audit logging over their own transactions.
⚖️
NetSuite Bank Account Edit ↔ Azure Key Vault
Bank account access plus Key Vault management creates a credential-diversion risk.
🗄️
HANA Database
PUBLIC role grants, default users, encryption, password policy, audit policies.
🔌
RFC & ICF Security
Trusted RFC without SNC, RFC_READ_TABLE, unauthenticated ICF services.
⚙️
System Parameters
auth/no_check bypass, SAP* backdoor, SNC enforcement, login thresholds.
👻
Default & Critical Accounts
SAP*, DDIC, EARLYWATCH not locked in production; service accounts as dialog.
🗃️
Table & Data Controls
SE16/SE16N in production, S_TABU_DIS change activity, CATT test tools.
💳
Payment Run Security
F110 propose=execute SoD, unapproved payments, post-approval modifications.
⏱️
Background Job Security
Jobs running as SAP*/DDIC, orphaned schedulers, dialog-type batch users.
⚖️
Segregation of Duties
26 conflict rules across FI, CO, MM, HR — AP/payment, PO, GL, payroll.
🌐
Fiori / OData
Unauthenticated services, admin tiles, sensitive OData APIs exposed.
🚀
Change & Transport
Open transports, skipped QA, emergency transports, developer access in PRD.
🔑
ABAP / Authorization
Debug+replace, S_DEVELOP, sensitive t-codes, deprecated profiles.
📋
Audit Logging
SM19 security audit log, event classes, HANA audit policies, retention.
🛡️
Client Security
SCC4 production client settings, client-independent changes, CATT.
🚨
Emergency Access
Firefighter account usage, SAP GRC EAM log review, unreviewed sessions.
📌
Software Currency
SPAM/SAINT patch levels, HotNews outstanding, version below minimum.
🪪
Identity & MFA
IDCS MFA enforcement, SSO, session timeout, time-based access.
👤
User Management
Inactive accounts, locked users with roles, generic/shared accounts.
⚖️
Segregation of Duties
23 SoD rules — full P2P / O2C / FA / payroll / treasury / tax conflict matrix.
👨‍👩‍👧
HCM Segregation of Duties
Ghost employee, salary escalation, bank account diversion, payroll super-user.
📅
Period Close Controls
Reopened closed periods, post-close journal entries, prior-year adjustments.
💰
Financial Controls
Journal approval disabled, payment threshold gaps, missing approvers.
📊
Reporting Security
BI Publisher/OTBI reports without row-level security, PII without masking.
🔗
API & Integration Security
Wildcard OAuth scopes, unauthenticated endpoints, long-lived tokens.
🪪
Identity & Access
Excess System Administrator roles, guest accounts, service account controls.
📱
MFA & Conditional Access
Users without MFA, no CA policy for D365, non-compliant device access.
🔑
Field Security
Salary/SSN field update rights, overshared records, hierarchy depth.
📋
Audit & Compliance
Org-level audit disabled, critical entities not audited, short retention.
🛡️
Platform Security
Unmanaged solutions in PRD, no DLP policies, high-risk connectors unblocked.
💰
Financial Controls
Open prior periods, unapproved journal entries, duplicate vendors.
🪪
Identity & Access
Super Admin outside IT, shared logins, single-factor on sensitive modules.
⚖️
Segregation of Duties
AP entry + payment approval, vendor create + payment conflict.
📋
Audit & Compliance
SuiteAudit disabled, log retention below 12 months, system notes off.
💰
Financial Controls
Journals without approval workflow, vendor bank change without dual auth.
🔗
TBA & Integration Security
TBA tokens with admin permissions, OAuth without expiry, RESTlet without auth.
🔒
Data Security
Payment data to non-finance roles, PII in saved searches, mass export open.
🪪
Identity & Access
System Admin outside IT, shared web services credentials, inactive with roles.
⚖️
Segregation of Duties
AP bill creation + payment approval, vendor + payment processing conflict.
📋
Audit Trail
Audit trail disabled, login history not retained, entity-level audit off.
💰
Financial Controls
Journal batches without approval, vendor payment without dual authorisation.
🏢
Multi-Entity Security
Cross-entity access beyond role scope, top-level admin propagation.
⚙️
System Configuration
Session timeout >60 min, weak passwords, debug mode in production.
🪪
Identity & Access
ADMIN/ADMIN default credentials not changed, shared accounts in PRD.
⚖️
Segregation of Duties
Purchase entry + payment approval, vendor create + payment conflict.
📋
ADXTRACE Audit
Audit table disabled for critical objects, connection log not retained.
💰
Financial Controls
Journal entries without supervisor approval, open fiscal periods unrestricted.
🔗
Syracuse API Security
Web service endpoints without auth, REST API over HTTP, unrestricted function codes.
⚙️
System Configuration
Default credentials not rotated, debug mode in production, HTTPS not enforced.
🪪
Identity & Access
Manager user default credentials, shared service users, inactive active accounts.
⚖️
Segregation of Duties
26 B1-native SoD rules covering OUSRG authorisation groups, OATM approval templates, OINV billing, OPCH purchasing, ODSC payment-run, and SuperUser flag abuse — all derived from B1's licensing model.
💰
Financial Controls
JE without approval, open periods, payment batch without dual authorisation.
🔒
Data Security
Sensitive field access, reporting without row-level security, export open.
🪪
Identity & Access
System Admin user outside HR, shared payroll user credentials.
⚖️
Payroll SoD
Salary create + pay authorisation, employee create + payroll run conflict.
🛡️
POPIA Compliance
Personal data access beyond role, missing data processing records, retention policy.
📋
Audit Trail
HR audit log retention, system access log completeness, change tracking.
🔑
Identity & Access (IAM)
Root access keys active, MFA missing, keys older than 90 days, wildcard policies.
🪣
S3 Data Security
Public bucket access, missing encryption, versioning disabled, no object lock.
🌐
Network Security
Open SSH/RDP to 0.0.0.0/0, VPC flow logs missing, default VPC in use.
📋
CloudTrail & Audit Logging
No CloudTrail, single-region trail, log validation off, no CloudWatch.
🔐
Encryption (KMS & RDS)
Unencrypted RDS at rest, publicly accessible RDS, KMS without auto-rotation.
🛡️
Access Control
Full admin (Action:* Resource:*) policies, wildcard trust roles, over-privileged principals.
👤
Azure AD Identity & Access
More than 5 Global Admins, admin without MFA, stale accounts 90+ days.
🔒
Conditional Access
No CA policy requiring MFA, no sign-in risk for privileged users.
🗄️
Storage & SQL Data Security
Public blob access, HTTP transfer allowed, TLS 1.0/1.1, SQL TDE disabled.
🌐
NSG & VM Network Security
SSH/RDP from Internet, all-ports-open rules, VMs without disk encryption.
🗝️
Key Vault Management
No soft delete, no purge protection, unrestricted public access, no audit logs.
🛡️
RBAC Access Control
Owner at subscription scope, guest users as Contributor, >3 Owner assignments.
Getting started

Live API or CSV export — your choice.

AWS & Azure connect via live API. ERP platforms use read-only extraction scripts. No agents to install. Results in under 5 minutes.

1. 🏗️ Select your platforms
Choose one or more platforms. Each has a tailored check set built for that system's data model and risk surface.
2. 🔌 Connect live or upload CSV
AWS & Azure: enter credentials for a real-time pull. ERP platforms: run our read-only PowerShell or ABAP script, upload the output.
3. 📊 Analyse & schedule
1,100+ checks — including 514 SoD / fraud-pattern conflict rules, 50 cross-system SoD rules spanning multiple ERPs, and 25 Wolfsberg AML programme controls — complete in under 5 minutes. Set a weekly or monthly schedule and it runs automatically.
4. 📄 Act on the findings
Professional report with executive summary, prioritised findings, remediation steps, compliance mappings, and risk score — ready to share.
Per-audit pricing · One credit per audit run

Ready to see your full hybrid security posture?

Buy credits, run your audit, get results in minutes. Use the same account for CyberCore.

SAP S/4 Oracle Fusion Dynamics 365 NetSuite Sage Intacct Sage X3 Sage 300 People SAP B1 AWS ⚡ Azure ⚡