AeroLogistics Solutions — ERPNext / ISO 27001
Audit of user access provisioning and role assignments in a self-hosted ERPNext environment for a logistics company (500 employees, $150M revenue). 200+ ERP users across 6 departments. Segregation of duties conflict analysis across finance and operations modules. 18 findings identified with ISO 27001:2022 mapping. Triggered by a $250K procurement fraud incident.
Four-week ERP access control audit covering planning, provisioning testing, role analysis, and remediation planning.
Audit planning memo, ERPNext environment review, user listing extraction, role hierarchy analysis, risk assessment scoping across 6 departments.
Test 25 user access requests against approval records, review 5 terminated user deactivations for timeliness, assess quarterly access recertification process across all departments.
Role assignment review covering critical finance and operations roles, SOD conflict matrix development across 12 conflict pairs, 10 user-level SOD conflicts analyzed with compensating control recommendations.
18 findings documented in findings register with ISO 27001:2022 control mapping (A.9, A.12), management action plan with 30-60-90 day remediation timeline, and executive summary presentation.
Quantified results of the ERP access control audit, segmented by severity and domain.
3 Critical, 7 High, 6 Medium, 2 Low — 72% of findings are High or above
Access Provisioning (44%) and Role Assignment (39%) account for 83% of total findings
Professionally formatted deliverables produced during the four-week engagement.
Engagement scope, objectives, risk assessment, and sampling methodology for the ERP access control audit
25 access request tests with pass/fail results, terminated user deactivation review, recertification assessment
Critical role assignment analysis across finance and operations with identified segregation issues
12 SOD conflict pairs mapped across finance and operations modules with 10 user-level conflict findings
18 findings with ISO 27001:2022 control mapping (A.9, A.12), severity ratings, and root cause analysis
Prioritized remediation timeline with owners, target dates, and compensating control recommendations
SOD controls implemented to prevent vendor setup + invoice processing conflicts that enabled the $250K fraud incident
ISO 27001:2022 access control requirements addressed (A.9, A.12) for certification readiness
85 orphaned accounts removed, 42 role modifications completed during engagement
All 6 audit deliverables are available in the project directory. Review the findings register, SOD matrix, and remediation plan.