GRC Case Study — 2026

ERP Access Control
Audit Walkthrough

AeroLogistics Solutions — ERPNext / ISO 27001

Audit of user access provisioning and role assignments in a self-hosted ERPNext environment for a logistics company (500 employees, $150M revenue). 200+ ERP users across 6 departments. Segregation of duties conflict analysis across finance and operations modules. 18 findings identified with ISO 27001:2022 mapping. Triggered by a $250K procurement fraud incident.

View on GitHub Back to GRC

Engagement at a Glance

0+ ERP Users Audited
0 SOD Conflicts Identified
0 Findings Documented
0 Critical Risks Flagged

Audit Execution Timeline

Four-week ERP access control audit covering planning, provisioning testing, role analysis, and remediation planning.

Phase 1
Week 1
Phase 2
Week 2
Phase 3
Week 3
Phase 4
Week 4
Phase 1 — Week 1 Planning & Data Extraction

Audit Planning & Environment Review

Audit planning memo, ERPNext environment review, user listing extraction, role hierarchy analysis, risk assessment scoping across 6 departments.

Phase 2 — Week 2 Access Provisioning Testing

User Access Provisioning Review

Test 25 user access requests against approval records, review 5 terminated user deactivations for timeliness, assess quarterly access recertification process across all departments.

Phase 3 — Week 3 Role & SOD Analysis

Segregation of Duties Conflict Analysis

Role assignment review covering critical finance and operations roles, SOD conflict matrix development across 12 conflict pairs, 10 user-level SOD conflicts analyzed with compensating control recommendations.

Phase 4 — Week 4 Reporting & Action Plan

Findings Register & Remediation Timeline

18 findings documented in findings register with ISO 27001:2022 control mapping (A.9, A.12), management action plan with 30-60-90 day remediation timeline, and executive summary presentation.

Audit Findings Breakdown

Quantified results of the ERP access control audit, segmented by severity and domain.

Findings by Severity

3 Critical, 7 High, 6 Medium, 2 Low — 72% of findings are High or above

Findings by Domain

Access Provisioning (44%) and Role Assignment (39%) account for 83% of total findings

Key Audit Deliverables

Professionally formatted deliverables produced during the four-week engagement.

Audit Planning Memo

Engagement scope, objectives, risk assessment, and sampling methodology for the ERP access control audit

User Access Provisioning Test Results

25 access request tests with pass/fail results, terminated user deactivation review, recertification assessment

Role Assignment Review

Critical role assignment analysis across finance and operations with identified segregation issues

Segregation of Duties Conflict Matrix

12 SOD conflict pairs mapped across finance and operations modules with 10 user-level conflict findings

Complete Findings Register

18 findings with ISO 27001:2022 control mapping (A.9, A.12), severity ratings, and root cause analysis

Management Action Plan (30-60-90 Day)

Prioritized remediation timeline with owners, target dates, and compensating control recommendations

Business Impact

Fraud Prevention

SOD controls implemented to prevent vendor setup + invoice processing conflicts that enabled the $250K fraud incident

Compliance Ready

ISO 27001:2022 access control requirements addressed (A.9, A.12) for certification readiness

Access Hygiene

85 orphaned accounts removed, 42 role modifications completed during engagement

Full Project Repository

All 6 audit deliverables are available in the project directory. Review the findings register, SOD matrix, and remediation plan.


View on GitHub
Back to GRC Projects