📇 Case Study Notecards — Meridian Energy Holdings · ITGC Access Controls · Print on 4x6 landscape

MEH Company Profile · Identity Stack · Control Objectives AC-01 thru AC-05 CS-1 / 6

Meridian Energy Holdings (MEH)

  • Mid-sized energy co. Houston TX · NYSE-listed
  • ~2,800 employees · SAP S/4HANA (ERP)
  • Subject to: SOX 404, NERC CIP, FERC

Identity Stack

  • Entra ID (fka Azure AD) -- Identity Provider; MFA enforced for all users
  • SSO -- Entra ID federates into SAP; no separate SAP password needed
  • RBAC -- SAP roles bundle permissions (e.g. Z_FI_AP_PROC = enter invoices)
  • KEY: Disabling the Entra ID account cuts SAP access (SAP logon is via SSO only). The AC-03 termination SLA is therefore measured at Entra ID, not in SAP; SAP role cleanup is a separate step (see pjohnson88).

Control Objectives (Policy IT-SEC-004)

  ID    | What it requires                                                        | Test type
  AC-01 | MFA enforced via Entra ID for all users                                 | TOD
  AC-02 | New access = mgr + data owner approval, job-aligned, within 2 BD SLA    | TOE
  AC-03 | Entra ID disabled within 4 hours of HR termination                      | TOE
  AC-04 | Quarterly access reviews validate continued appropriateness             | TOE
  AC-05 | SoD conflicts identified; remediated or mitigated with documented MCs   | TOE
TOD = "Could this control work?" (inspect config/policy design)   TOE = "Did it actually work?" (sample evidence over the period)
Exhibit A -- SAP User Population Flags · Exhibit B -- AC-02 Provisioning Exceptions CS-2 / 6

Exhibit A -- Key Users to Know for the Exam

  User ID    | Title          | Role(s) in SAP                 | Flag
  dkim77     | AP Supervisor  | Z_FI_AP_PROC + Z_FI_AP_PAY     | HIGH SoD conflict
  tgarcia08  | Cash Manager   | Z_FI_AP_PAY + Z_MM_VENDOR      | HIGH SoD conflict
  jbrown61   | GL Analyst     | Z_FI_GL_POST + Z_FI_GL_APPROVE | HIGH SoD / NO MITIGATING CONTROL
  pjohnson88 | Fin. Analyst   | Z_FI_GL_POST                   | TERMINATED 01/31 -- still active in population!
  aclark99   | Security Admin | Z_SEC_ADM                      | CRITICAL role -- verify CISO approval on provisioning
  rthomas15  | Buyer          | Z_MM_PURCH                     | SoD conflict with Z_MM_PO_APP (medium risk)

Exhibit B -- AC-02 Provisioning Exceptions (2 of 6 tickets = 33%)

  Ticket                           | Exception found                                                                                                                           | Classification
  REQ-2503 (rthomas15, Z_MM_PURCH) | Data owner approval field = blank. Access granted anyway. Policy requires BOTH manager AND data owner approval before any access grant.    | Control Deficiency
  REQ-2505 (mchen66, Z_FI_GL_POST) | Access granted in 4 business days vs. 2-BD SLA. No exception or override documented.                                                      | Control Deficiency
Critical role additional approvers per Exhibit F: Z_FI_AP_PAY = Treasurer · Z_MM_VENDOR = Controller · Z_SEC_ADM = CISO
Exhibit C -- Termination Testing (AC-03) · Exhibit H -- Access Review (AC-04) CS-3 / 6

Exhibit C -- AC-03 Termination SLA Results  (Policy: Entra ID disabled within 4 hours of HR termination)

  User         | HR Term Date/Time | Entra Disabled    | Elapsed   | 4-hr SLA | Post-Term Login?
  pjohnson88   | 01/31 17:00       | 01/31 18:30       | 1.5 hrs   | MET      | None (last login 16:45)
  swright42    | 02/14 17:00       | 02/14 17:15       | 0.25 hrs  | MET      | None
  jdavis55     | 03/07 17:00 (Fri) | 03/08 09:45 (Sat) | 16.75 hrs | MISSED   | None confirmed via logs
  arobinson19  | 03/28 17:00       | 03/28 17:30       | 0.5 hrs   | MET      | None
  mhernandez07 | 04/15 17:00       | 04/15 18:00       | 1.0 hrs   | MET      | None
jdavis55 root cause (SYSTEMIC): Workday-to-Entra ID batch sync runs weekday mornings only, so a Friday 17:00 termination is not processed until the next run (here Saturday 09:45). Any termination entered after that day's sync run has the same gap. Fix: real-time, event-driven sync trigger.  Significant Deficiency
Corroborate before signing off on "systemic": a Saturday 09:45 disable does not match a weekday-only schedule, and the other four terminations in this exhibit were disabled within 1.5 hrs. Pull the sync job's run log to confirm the actual schedule and identify any manual disables (a manual workaround is not a control and does not change the classification).

Exhibit H -- Q2 Access Review (July 2025) -- AC-04 Exception

pjohnson88 shows "NO RESPONSE". Terminated 01/31; Entra ID disabled the same day (AC-03 SLA met), but SAP role Z_FI_GL_POST was NEVER removed. By the July review there is no active manager to respond. Policy requires auto-revoke on no response; not enforced. Orphaned SAP role persists 5+ months post-termination. SD / MW candidate
Exhibits D + E -- SoD Conflicts and Mitigating Controls (AC-05) CS-4 / 6
  User                   | SoD Conflict (Role 1 + Role 2)                                    | Risk   | Fraud Scenario / Risk                                                                                                   | Mitigating Control                                                                                  | MC Adequate?
  dkim77 (AP Supervisor) | Z_FI_AP_PROC (enter invoices) + Z_FI_AP_PAY (release payments)    | HIGH   | Create fraudulent invoice AND release payment to self or shell vendor with no second reviewer on either step              | MC-001: Controller reviews payment batches over $10,000 before release; evidenced by sign-off log   | PARTIAL -- payments under $10K unreviewed; structuring risk. No control over the invoice entry side at all.
  tgarcia08 (Cash Mgr)   | Z_FI_AP_PAY (release payments) + Z_MM_VENDOR (create/modify vendors) | HIGH | Classic ghost vendor fraud -- add fictitious vendor AND pay them directly                                                 | MC-002: Vendor master changes require dual approval; weekly AP Manager review of changes            | ADEQUATE if operating effectively -- dual approval breaks the single-person chain
  jbrown61 (GL Analyst)  | Z_FI_GL_POST (post journal entries) + Z_FI_GL_APPROVE (approve journal entries) | HIGH | Post AND self-approve journal entries on the general ledger -- enables earnings manipulation on SOX-material accounts | NO MITIGATING CONTROL DOCUMENTED                                                                    | DEFICIENCY -- unmitigated HIGH SoD on the GL of a SOX entity. MW candidate. No fraud required -- the risk alone triggers classification.
  rthomas15 (Buyer)      | Z_MM_PURCH (create PO) + Z_MM_PO_APP (approve PO)                  | MEDIUM | Self-create and self-approve purchase orders                                                                            | MC-003: All POs require Procurement Director approval regardless of amount (100% coverage)         | ADEQUATE -- independent director approval at 100% removes the self-approval risk entirely
jbrown61 key point: Material Weakness threshold = "reasonable possibility" of material misstatement. No actual fraud needed. Zero MC = zero mitigation on a SOX GL account = immediate escalation required.
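The Exhibit D/E scan as code. This is an added example, not part of the case materials or any tooling at MEH: it walks the Exhibit A role assignments against an SoD ruleset and a mitigating-control register constructed from Exhibits D and E, and maps each hit onto the deficiency scale used on these cards. It generalizes the notecard slightly: rules are written between business functions rather than single roles (each function is the set of roles that grants it, the way GRC rulesets are built), so the rule keeps firing when a second role grants the same function. The function names, rule IDs and the coverage scale (full / partial / none) are assumptions of this example.

```python
"""SoD conflict scan over an SAP role-assignment extract (Exhibits A, D, E).

Added example, not the case study's own tooling. Function names, rule IDs
and the coverage scale are assumptions of this example.
"""
from dataclasses import dataclass

# Constructed from Exhibit A (plus mchen66 from Exhibit B): user -> SAP roles.
ASSIGNMENTS = {
    "dkim77":     {"Z_FI_AP_PROC", "Z_FI_AP_PAY"},
    "tgarcia08":  {"Z_FI_AP_PAY", "Z_MM_VENDOR"},
    "jbrown61":   {"Z_FI_GL_POST", "Z_FI_GL_APPROVE"},
    "pjohnson88": {"Z_FI_GL_POST"},
    "aclark99":   {"Z_SEC_ADM"},
    "rthomas15":  {"Z_MM_PURCH", "Z_MM_PO_APP"},
    "mchen66":    {"Z_FI_GL_POST"},
}

# Business function -> roles that grant it (roles from Exhibit F; function
# names assumed). Rules are written between functions, not single roles, so
# a second role granting the same function keeps the rule firing.
FUNCTIONS = {
    "AP_INVOICE_ENTRY":   {"Z_FI_AP_PROC"},
    "AP_PAYMENT_RELEASE": {"Z_FI_AP_PAY"},
    "VENDOR_MASTER":      {"Z_MM_VENDOR"},
    "GL_POST":            {"Z_FI_GL_POST"},
    "GL_APPROVE":         {"Z_FI_GL_APPROVE"},
    "PO_CREATE":          {"Z_MM_PURCH"},
    "PO_APPROVE":         {"Z_MM_PO_APP"},
}

@dataclass(frozen=True)
class SodRule:
    rule_id: str
    func_a: str
    func_b: str
    risk: str       # HIGH / MEDIUM / LOW
    scenario: str

# Constructed from Exhibit D.
SOD_RULES = [
    SodRule("SOD-01", "AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE", "HIGH",   "enter invoice + release payment"),
    SodRule("SOD-02", "VENDOR_MASTER",    "AP_PAYMENT_RELEASE", "HIGH",   "ghost vendor: create vendor + pay it"),
    SodRule("SOD-03", "GL_POST",          "GL_APPROVE",         "HIGH",   "post + self-approve journal entries"),
    SodRule("SOD-04", "PO_CREATE",        "PO_APPROVE",         "MEDIUM", "create + self-approve purchase order"),
]

# Constructed from Exhibit E: (user, rule_id) -> (MC id, coverage).
# Coverage scale (assumed): "full" = the MC breaks the single-person chain on
# every transaction; "partial" = only a subset of transactions is covered.
MC_REGISTER = {
    ("dkim77",    "SOD-01"): ("MC-001", "partial"),  # only batches > $10K reviewed
    ("tgarcia08", "SOD-02"): ("MC-002", "full"),     # dual approval on vendor master
    ("rthomas15", "SOD-04"): ("MC-003", "full"),     # 100% Procurement Director approval
}

def classify(risk, coverage):
    """Map conflict risk + MC coverage onto the notecards' deficiency scale."""
    if coverage == "full":
        return "MITIGATED"
    if coverage == "partial":
        return "CD"                  # a gap remains (e.g. sub-threshold payments)
    return "SD/MW candidate" if risk == "HIGH" else "CD"   # no MC at all

def scan(assignments=ASSIGNMENTS, rules=SOD_RULES, mc_register=MC_REGISTER, functions=FUNCTIONS):
    """One finding per (user, fired rule); unmitigated HIGH conflicts first."""
    findings = []
    for user, roles in assignments.items():
        for rule in rules:
            hit_a = roles & functions[rule.func_a]
            hit_b = roles & functions[rule.func_b]
            if hit_a and hit_b:      # user holds both sides of the conflict
                mc_id, coverage = mc_register.get((user, rule.rule_id), (None, "none"))
                findings.append({
                    "user": user, "rule": rule.rule_id, "risk": rule.risk,
                    "roles": sorted(hit_a | hit_b), "scenario": rule.scenario,
                    "mc": mc_id, "coverage": coverage,
                    "classification": classify(rule.risk, coverage),
                })
    rank = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    findings.sort(key=lambda f: (rank[f["risk"]], f["coverage"] != "none", f["user"]))
    return findings

if __name__ == "__main__":
    for f in scan():
        mc = f["mc"] or "-"
        print(f"{f['user']:<10} {f['rule']} {f['risk']:<6} {'+'.join(f['roles']):<30} "
              f"MC={mc:<7} {f['coverage']:<7} -> {f['classification']}")
```

The sort order is the review order: unmitigated HIGH conflicts (jbrown61) surface first, partially mitigated ones next, and anything with full coverage last. Note that the register is keyed per user, not per rule: MC-003 covering rthomas15 says nothing about another buyer who later picks up the same pair of roles.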
Exhibit F -- SAP Role Classification Matrix · All Deficiencies Quick-Reference CS-5 / 6

Exhibit F -- SAP Role Risk Levels

  Role ID         | Function                                   | Risk     | Approver
  Z_FI_GL_POST    | Post journal entries to GL                 | High     | Controller
  Z_FI_GL_APPROVE | Approve journal entries                    | High     | CFO
  Z_FI_AP_PROC    | Enter and process vendor invoices          | High     | AP Manager
  Z_FI_AP_PAY     | Execute payment runs and release payments  | Critical | Treasurer
  Z_MM_PURCH      | Create purchase orders                     | Medium   | Dept Manager
  Z_MM_PO_APP     | Approve purchase orders                    | High     | Proc. Director
  Z_MM_VENDOR     | Create/modify vendor master records        | Critical | Controller
  Z_SEC_ADM       | Administer user accounts and roles         | Critical | CISO
  Z_PM_MAINT      | Create plant maintenance work orders       | Low      | Plant Mgr

All Findings -- Classification Summary

  Finding                                 | Control  | Class.
  REQ-2503: no data owner approval        | AC-02    | CD
  REQ-2505: SLA missed (4 days vs. 2)     | AC-02    | CD
  jdavis55: 16.75 hr gap, systemic        | AC-03    | SD
  pjohnson88: orphaned SAP role 5+ mo.    | AC-03/04 | SD/MW
  jbrown61: unmitigated GL SoD, no MC     | AC-05    | SD/MW
  dkim77: MC only covers over $10K        | AC-05    | CD
CD = Control Deficiency   SD = Significant Deficiency   MW = Material Weakness
MW = "reasonable possibility" of material misstatement -- no actual fraud required
Sampling reminder: for a high-risk control that operates many times per period, common SOX practice (AICPA/PCAOB-aligned guidance) calls for 40-60 samples. The 5 terminations in Exhibit C support a SOX conclusion only if they are the full population for the period, or if a documented rationale explains the sample size.
pjohnson88 Three-Control Failure · Management Letter Template · Case to Didion Connection CS-6 / 6

pjohnson88 -- Three-Control Failure Chain

  • AC-03 design gap: Policy disables Entra ID within SLA but has no procedure to clean up orphaned SAP roles after termination
  • AC-04 operating failure: Q2 access review shows NO RESPONSE -- policy requires auto-revoke; not enforced because no manager escalation process exists
  • Result: Active SAP role Z_FI_GL_POST persists 5+ months after termination (01/31 to July+)
  • Reactivation risk: the role is still assigned in SAP, so a re-enabled Entra ID account, a reconfigured SSO mapping or a local SAP logon would pick it up with no new approval

Case Study -- Didion Connections

  • Objectivity (P2): Accepting mgmt's "$10K MC is fine" without independently testing it = calibrating judgment to approval, not character
  • Integrity (P1) / courage of mistakes: Writing "mgmt is aware" on jbrown61's unmitigated SoD instead of escalating = lacking the courage of one's mistakes
  • Small disciplines = larger ones: Cross-referencing Exhibit A with C and H is the documentation habit that catches the compounding pjohnson88 failure -- the auditor who skips the cross-ref misses it entirely

Management Letter -- jdavis55 (8 Rules Applied)

  Element   | Content
  Condition | 1 of 5 (20%) terminations tested exceeded the 4-hour SLA. jdavis55 disabled 16.75 hours after HR termination (Fri 03/07 17:00 to Sat 03/08 09:45)
  Criteria  | IT-SEC-004 Section 4.3: Entra ID account must be disabled within 4 hours of the HR termination record
  Cause     | Workday-to-Entra ID batch sync runs weekday mornings only; Friday terminations are not processed until the next sync run (systemic gap)
  Effect    | 16.75-hour window of potential SAP financial system access. Compensating: no post-termination logins confirmed via Entra sign-in logs (these cover SSO only; corroborate against SAP's own logon records if a local SAP account could exist)
  Rec.      | Implement a real-time Workday-to-Entra ID sync trigger for all termination events, regardless of day or time of day
8 Rules check: Headline first (1/5 = 20%) -- Quantified (16.75 hrs) -- Show math (timestamps) -- Named population -- Compensating control noted -- Actionable specific rec -- Writes for the skeptic