Contents

01. Access Control & Identity Management Audit: user provisioning, shared accounts, MFA enforcement, and offboarding gaps (High Risk)
02. Security Logging & Monitoring Readiness Review: log coverage gaps, retention policy, alert configuration, and SIEM readiness (High Risk)
03. Data Protection & Backup Controls Assessment: backup verification, encryption posture, data classification, and retention gaps (Medium Risk)
04. Vulnerability & Patch Management Audit: patching cadence, asset inventory accuracy, end-of-life software, and remediation SLAs (High Risk)
05. Security Governance & Policy Framework Review: policy completeness, ownership, awareness training, and vendor management (Medium Risk)
Access Control Audit Report Ref: MCG-GRC-001  |  May 2026

Access Control & Identity Management Audit

Subject organization: Meridian Consulting Group — 22 employees, cloud-based Microsoft 365 environment, no dedicated IT staff. Audit conducted against NIST CSF 2.0 and ISO 27001:2022 Annex A controls.

Overall Risk: High
Findings: 4
Frameworks: NIST · ISO
Review Period: Q1 2026

Executive Summary

An access control review of Meridian Consulting Group identified four findings across user provisioning, shared account usage, multi-factor authentication enforcement, and offboarding procedures. The overall risk rating is High. Two findings represent immediate risk requiring remediation within 30 days. Without structured access governance, the organization is exposed to unauthorized access, insider threat scenarios, and audit non-conformance under ISO 27001 Annex A.5 and A.8 controls.

1. Audit Scope and Methodology

Scope
Systems Reviewed: Microsoft 365 (Azure AD / Entra ID), shared file storage, email platform
Users in Scope: All 22 active accounts plus 3 former employee accounts identified during review
Review Method: Account inventory export, permission review, conditional access policy inspection, interview with office manager
Framework Alignment: NIST CSF 2.0 (PR.AA, PR.AC), ISO 27001:2022 Annex A.5.15, A.5.16, A.5.18, A.8.2
Methodology

Evidence was collected through direct system configuration review and user account export. The audit assessed whether access controls are appropriately designed (design effectiveness) and whether they are consistently applied and maintained over time (operating effectiveness).

2. Findings

F-001: Three former employee accounts remain active (Risk: High)
Observation

Account export identified three Microsoft 365 accounts belonging to employees who departed between 4 and 11 months ago. All three accounts had active licenses and valid passwords at the time of review. Two accounts had last login activity recorded within the past 60 days, suggesting possible unauthorized or unmonitored access.

Risk

Active accounts for departed employees create a direct path for unauthorized access. If credentials were shared or compromised prior to departure, the organization would have no awareness of ongoing access. This also constitutes a non-conformance against ISO 27001 Annex A.5.18 (Access rights) and NIST CSF PR.AA-02 (Identities are proofed and bound to credentials).

Framework Citations

ISO 27001 A.5.18, NIST CSF PR.AA-02, CIS Control 6.2

F-002: MFA not enforced for all users (Risk: High)
Observation

Conditional Access policy review found that MFA is enabled for the administrator account but is not enforced organization-wide. 14 of 22 standard user accounts have no MFA registered. Password spray and credential stuffing attacks against Microsoft 365 are among the most frequently observed attack vectors for small organizations.

Risk

A single compromised credential in a non-MFA account provides full access to email, files, and cloud resources. The organization's data and client communications are exposed to account takeover with no compensating control in place.

Framework Citations

ISO 27001 A.8.5, NIST CSF PR.AA-03, CIS Control 6.3

F-003: Shared team account in use for client portal access (Risk: Medium)
Observation

One shared credential is used by five members of the operations team to access a third-party client portal. The credential is stored in a shared email thread. No individual accountability exists for actions taken under this account.

Risk

Shared accounts prevent attribution of activity to individual users, undermine audit trail integrity, and create a persistent access risk when team members leave. The credential storage method (email thread) increases exposure.

Framework Citations

ISO 27001 A.5.16, NIST CSF PR.AA-01, CIS Control 5.1

F-004: No documented offboarding procedure for system access (Risk: Medium)
Observation

No written procedure exists for revoking system access when an employee departs. Access removal is performed informally and inconsistently. Finding F-001 is a direct consequence of this gap.

Risk

Without a documented and enforced offboarding checklist, access revocation will continue to be incomplete. This is both an operational risk and a governance non-conformance.

Framework Citations

ISO 27001 A.6.5, NIST CSF GV.PO-01, CIS Control 6.2

3. Recommendations

Recommendation | Priority | Owner | Effort
Immediately disable the three former employee accounts and review login history for unauthorized activity | Immediate | Office Manager | Low — 1 hour
Enable and enforce MFA for all Microsoft 365 accounts via Conditional Access policy | Immediate | IT / MSP | Low — 2 hours
Replace the shared client portal credential with individual accounts or a password manager with per-user vaults | 30 Days | Operations Lead | Medium
Document and implement a formal offboarding checklist that includes system access revocation as a required step | 30 Days | Office Manager | Low — template required

Analyst note: Findings F-001 and F-002 should be treated as a combined immediate action item. Disabling inactive accounts and enforcing MFA in the same remediation window closes the most significant attack surface with minimal effort and no cost beyond implementation time.
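The combined F-001/F-002 action above, as an added example that is not part of the audit report or its auditor's tooling. It assumes the Microsoft Graph PowerShell SDK, an operator permitted to read users, sign-in activity and authentication methods (sign-in activity requires an Entra ID P1 license, which Microsoft 365 E3 includes), and an HR-supplied roster file of current staff UPNs, one per line; the roster file and the `-Disable` switch are this example's own conventions.

```powershell
# Added example: reconcile enabled Microsoft 365 accounts against the HR roster (F-001)
# and list accounts with no MFA method registered (F-002). Report-only unless -Disable.
param(
    [Parameter(Mandatory)][string]$RosterPath,   # assumption: one current-staff UPN per line
    [switch]$Disable                             # disable off-roster accounts after review
)

Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All','UserAuthenticationMethod.Read.All'

$roster = Get-Content $RosterPath | ForEach-Object { $_.Trim().ToLowerInvariant() } | Where-Object { $_ }
$users  = Get-MgUser -All -Property 'id,userPrincipalName,accountEnabled,signInActivity' |
          Where-Object { $_.AccountEnabled }

$report = foreach ($u in $users) {
    # Any registered method other than the password itself counts as MFA registration.
    $methods = Get-MgUserAuthenticationMethod -UserId $u.Id
    $mfa = @($methods | Where-Object {
        $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.passwordAuthenticationMethod'
    }).Count -gt 0

    [pscustomobject]@{
        Id            = $u.Id
        User          = $u.UserPrincipalName
        OnRoster      = $roster -contains $u.UserPrincipalName.ToLowerInvariant()
        LastSignIn    = $u.SignInActivity.LastSignInDateTime   # null if the user never signed in
        MfaRegistered = $mfa
    }
}

# F-001 population: enabled accounts with no matching current employee. A recent LastSignIn
# here is the "possible unauthorized access" the report flags and needs login-history review.
# Admin and service accounts will also appear unless they are listed in the roster file.
$departed = $report | Where-Object { -not $_.OnRoster }
$departed | Select-Object User, LastSignIn | Format-Table -AutoSize

# F-002 population: enabled accounts with no MFA method, to enrol before enforcing MFA
# through Conditional Access (the enforcement itself is set in the policy, not here).
$report | Where-Object { -not $_.MfaRegistered } | Select-Object User | Format-Table -AutoSize

if ($Disable) {
    foreach ($d in $departed) {
        # Disabling blocks new sign-ins; revoking sessions invalidates tokens already issued.
        Update-MgUser -UserId $d.Id -AccountEnabled:$false
        Revoke-MgUserSignInSession -UserId $d.Id | Out-Null
    }
}
```

Run it once without `-Disable`, reconcile the off-roster list with HR, and only then re-run with the switch; the printed LastSignIn values are the starting point for the login-history review.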

4. Control Maturity Assessment

User provisioning process: 1/4
MFA enforcement: 0.5/4
Offboarding procedure: 0/4
Privileged access control: 1.5/4
Access review process: 0/4
Logging & Monitoring Audit Report Ref: MCG-GRC-002  |  May 2026

Security Logging & Monitoring Readiness Review

Subject organization: Meridian Consulting Group — 22 employees, Microsoft 365 environment. Review assessed logging configuration, retention periods, alert coverage, and the organization's ability to investigate a security event.

Overall Risk: High
Findings: 4
Frameworks: NIST · ISO
Review Period: Q1 2026

Executive Summary

Meridian Consulting Group currently lacks the logging and monitoring capability needed to detect, investigate, or respond to a security event. Microsoft 365 audit logging is partially enabled but not configured for complete coverage. No alert rules are in place. Log data is not retained beyond 90 days in any structured format. The organization would not be able to determine the scope or timeline of a compromise if one were discovered today. Overall risk is rated High.

1. Audit Scope and Methodology

Systems Reviewed: Microsoft 365 Purview Audit, Azure AD Sign-In Logs, SharePoint activity, Exchange audit trail
Review Method: Audit configuration review, log export sample analysis, retention policy inspection
Framework Alignment: NIST CSF 2.0 (DE.AE, DE.CM), ISO 27001:2022 Annex A.8.15, A.8.16, A.5.25

2. Findings

F-001: Unified Audit Log not enabled for all workloads (Risk: High)
Observation

Microsoft 365 Unified Audit Log (UAL) is enabled at the tenant level, but audit logging for Exchange mailbox activity and SharePoint file access events is not configured. These two workloads contain the organization's most sensitive data — client communications and project files.

Risk

Without mailbox and SharePoint audit logging, the organization cannot determine whether email data was exfiltrated, files were accessed by unauthorized parties, or permissions were changed. These are the exact events relevant to a data breach investigation or insider threat scenario.

Framework Citations

ISO 27001 A.8.15, NIST CSF DE.AE-02, CIS Control 8.2

F-002: No alert rules configured for high-risk events (Risk: High)
Observation

Microsoft 365 Defender and Purview both support alert policies for events such as mass file deletion, impossible travel logins, forwarding rules added to mailboxes, and failed MFA attempts. Zero alert rules are currently configured. No one at the organization would be notified if any of these events occurred.

Risk

Business email compromise (BEC) attacks frequently begin with a forwarding rule added to a compromised mailbox. Without alerts, this rule could persist for weeks or months while communications are silently forwarded to an attacker. This is a known pattern in small business BEC incidents.

Framework Citations

ISO 27001 A.8.16, NIST CSF DE.CM-01, CIS Control 8.11

F-003: Log retention policy not documented; effective retention is 90 days (Risk: Medium)
Observation

No formal log retention policy exists. Microsoft 365 E3 licenses retain audit logs for 90 days by default. The organization has not extended retention and has no policy governing what should be retained or for how long.

Risk

Many security incidents are not discovered within 90 days. If a compromise is discovered at the 120-day mark, the relevant log data will already be gone. Industry guidance (and several regulatory frameworks) recommends a minimum of 12 months of retention for security event logs.

Framework Citations

ISO 27001 A.8.15, NIST CSF DE.AE-03, CIS Control 8.3

F-004: No process exists for reviewing security logs (Risk: Medium)
Observation

Even where logging is enabled, no individual at Meridian is assigned responsibility for reviewing logs. There is no schedule, no review criteria, and no escalation path if an anomaly were identified. Logging without review provides no detective control value.

Risk

A detective control that is never checked is functionally the same as no detective control. Logging infrastructure creates a false sense of security unless paired with a defined review and response process.

Framework Citations

ISO 27001 A.5.25, NIST CSF DE.AE-06, CIS Control 8.1

3. Recommendations

Recommendation | Priority | Owner | Effort
Enable mailbox and SharePoint audit logging via Microsoft Purview Audit configuration | Immediate | IT / MSP | Low — 1–2 hours
Configure a minimum of 5 alert policies: mass file deletion, impossible travel, mailbox forwarding rules, failed sign-ins exceeding threshold, new admin account creation | Immediate | IT / MSP | Low — 2 hours
Upgrade to Microsoft 365 E5 Compliance or Purview Audit (Premium) to extend log retention to 12 months, or export logs monthly to a secure, long-term storage location | 30 Days | Office Manager + MSP | Medium — cost decision required
Assign a named individual (or MSP contact) responsible for monthly log review. Document the review scope and escalation criteria in a one-page procedure. | 30 Days | Office Manager | Low — process documentation

Analyst note: Findings F-001 and F-002 can both be remediated within a single 2-hour configuration session at no additional licensing cost. These should be treated as the highest-priority action items given that the absence of logging and alerting leaves the organization completely blind to active threats.
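A readiness check for the mailbox side of F-001 and a compensating check for F-002 while alert policies are still absent, added here as an example and not part of the audit report. It assumes the ExchangeOnlineManagement module and an account holding Exchange and Compliance administrator roles; the `-Fix` switch is this example's own convention. SharePoint audit configuration is done in the Purview portal and is not covered here.

```powershell
# Added example: Exchange Online audit-coverage and forwarding-rule check. Report-only unless -Fix.
param([switch]$Fix)

Connect-ExchangeOnline
Connect-IPPSSession          # Security & Compliance endpoint, needed for alert policy cmdlets

# 1. Tenant-level audit state: is the Unified Audit Log ingesting, and is mailbox auditing
#    disabled organisation-wide (AuditDisabled overrides every per-mailbox setting)?
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled
Get-OrganizationConfig  | Select-Object AuditDisabled

# 2. Per-mailbox audit coverage (F-001): mailboxes whose audit flag is off.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$noAudit   = $mailboxes | Where-Object { -not $_.AuditEnabled }
$noAudit | Select-Object UserPrincipalName, AuditEnabled
if ($Fix) { $noAudit | Set-Mailbox -AuditEnabled $true }

# 3. Alert policies currently defined (F-002): compare this list with the five the report calls for.
Get-ProtectionAlert | Select-Object Name, Disabled, Category, Severity

# 4. Compensating check while alerts are absent: forwarding configured on the mailbox itself
#    or through inbox rules, the BEC persistence pattern the finding describes.
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, DeliverToMailboxAndForward

foreach ($m in $mailboxes) {
    Get-InboxRule -Mailbox $m.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $m.UserPrincipalName } }, Name, ForwardTo, RedirectTo, Enabled
}

# 5. Who created or changed inbox rules within the 90 days the default retention still holds
#    (F-003): beyond that window this evidence is gone, which is the retention finding.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
    -Operations 'New-InboxRule','Set-InboxRule','UpdateInboxRules' -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations
```

Step 4 is the manual stand-in for the forwarding-rule alert policy; once that policy exists, the same cmdlets remain useful for the monthly review the fourth recommendation assigns.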

4. Control Maturity Assessment

Audit log coverage: 1/4
Alert configuration: 0/4
Log retention policy: 0/4
Log review process: 0/4
Incident detection capability: 0.5/4
Data Protection Audit Report Ref: MCG-GRC-003  |  May 2026

Data Protection & Backup Controls Assessment

Subject organization: Meridian Consulting Group. This assessment reviewed backup configuration and verification, data encryption posture, data classification, and retention policy coverage across cloud and local storage.

Overall Risk: Medium
Findings: 4
Frameworks: NIST · ISO
Review Period: Q1 2026

Executive Summary

Meridian Consulting Group has a partial backup posture. Microsoft 365 cloud data benefits from platform-level redundancy, but no structured backup process exists for local device data, and backup restoration has never been tested. Data classification is absent, and sensitive client data is stored without consistent controls. The overall risk is rated Medium, with one finding that could escalate to High in the event of a ransomware incident.

1. Audit Scope and Methodology

Systems Reviewed: Microsoft 365 SharePoint/OneDrive, local workstations (sample of 4), external drive usage, email platform
Review Method: Interview with office manager, SharePoint versioning configuration review, spot-check of workstation backup agent status
Framework Alignment: NIST CSF 2.0 (PR.DS, RC.RP), ISO 27001:2022 Annex A.8.13, A.5.12, A.8.24

2. Findings

F-001: Backup restoration has never been tested (Risk: High)
Observation

Microsoft 365 versioning is enabled in SharePoint, and OneDrive provides file recovery capability. However, no restoration test has ever been performed. The organization assumes data can be recovered from these services but has no verified evidence of successful recovery. Three workstations are enrolled in a Microsoft backup service, but enrollment dates could not be confirmed and no restore test record exists.

Risk

An untested backup is not a reliable backup. In a ransomware scenario, discovering that backups are incomplete or unrestorable at the point of recovery significantly extends downtime and may result in permanent data loss.

Framework Citations

ISO 27001 A.8.13, NIST CSF RC.RP-03, CIS Control 11.3

F-002: Four workstations store work files locally without any backup (Risk: Medium)
Observation

Site visit and user interviews identified four workstations where employees save project files to local desktop or Documents folders rather than OneDrive or SharePoint. These files are not covered by any backup solution. Two of these workstations belong to employees who work primarily on client deliverables.

Risk

Hardware failure, theft, or ransomware on any of these devices would result in permanent loss of work product. The risk is higher for client-facing files where loss could have contractual or reputational consequences.

Framework Citations

ISO 27001 A.8.13, NIST CSF PR.DS-10, CIS Control 11.1

F-003: No data classification policy or scheme in place (Risk: Medium)
Observation

The organization stores client contracts, financial records, employee HR files, and general project documents in a single SharePoint environment without any classification, labeling, or differentiated access controls. There is no policy defining what types of data exist, how they should be handled, or what protections are appropriate for each category.

Risk

Without classification, sensitive data cannot be systematically protected, and employees cannot make informed decisions about how to handle client information. This also creates a compliance exposure if the organization handles data subject to contractual data protection obligations.

Framework Citations

ISO 27001 A.5.12, NIST CSF ID.AM-05, CIS Control 3.2

F-004: Encryption at rest not verified for all data stores (Risk: Low)
Observation

Microsoft 365 encrypts data at rest by default. However, BitLocker status on workstations was confirmed on only 2 of 6 devices reviewed. The four remaining devices could not be confirmed as encrypted. If any of these devices is lost or stolen, the data on local storage would be accessible without authentication.

Framework Citations

ISO 27001 A.8.24, NIST CSF PR.DS-01, CIS Control 3.6

3. Recommendations

Recommendation | Priority | Owner | Effort
Conduct a documented backup restoration test for both SharePoint/OneDrive and workstation backup, and schedule quarterly thereafter | 30 Days | IT / MSP | Low — 2–3 hours
Enforce OneDrive Known Folder Move (KFM) via Microsoft 365 policy to redirect Desktop, Documents, and Pictures folders to OneDrive on all workstations | 30 Days | IT / MSP | Low — policy change
Develop a simple 3-tier data classification scheme (Public, Internal, Confidential) and communicate handling requirements to all staff | 90 Days | Office Manager | Medium — policy + comms
Audit BitLocker status on all workstations and enable on all devices where absent. Confirm via Intune compliance policy if available. | 30 Days | IT / MSP | Low
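A per-workstation evidence script for the KFM and BitLocker recommendations above, added here as an example and not part of the audit report. It assumes Windows 10/11 Pro with the BitLocker PowerShell module, an elevated session, and that the work OneDrive client is signed in so that `$env:OneDriveCommercial` is set; the CSV path is a placeholder.

```powershell
# Added example: record one row of protection evidence for this device. Run elevated,
# as the user whose folders should have been redirected by Known Folder Move.
function Get-DeviceProtectionState {
    # BitLocker on the OS volume: VolumeStatus says whether it is encrypted at all,
    # ProtectionStatus says whether the protectors are actually armed.
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $blStatus = if ($null -eq $bl) { 'Unavailable' } else { "$($bl.VolumeStatus)" }
    $blOn     = ($null -ne $bl) -and ($bl.ProtectionStatus -eq 'On')
    $tpm      = ($null -ne $bl) -and ($bl.KeyProtector.KeyProtectorType -contains 'Tpm')

    # Known Folder Move: when active, the three known folders resolve to paths under the
    # work OneDrive root, so files saved to "Desktop" or "Documents" are synced, not local.
    $root = $env:OneDriveCommercial
    $kfm  = @{}
    foreach ($f in 'Desktop', 'MyDocuments', 'MyPictures') {
        $path = [Environment]::GetFolderPath($f)
        $kfm[$f] = [bool]($root -and $path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase))
    }

    [pscustomobject]@{
        Device              = $env:COMPUTERNAME
        User                = "$env:USERDOMAIN\$env:USERNAME"
        BitLockerStatus     = $blStatus          # e.g. FullyEncrypted / FullyDecrypted
        ProtectionOn        = $blOn
        TpmProtector        = $tpm
        DesktopInOneDrive   = $kfm['Desktop']
        DocumentsInOneDrive = $kfm['MyDocuments']
        PicturesInOneDrive  = $kfm['MyPictures']
        # Finding F-002 in one flag: local-only work folders with no backup coverage.
        LocalOnlyFolders    = -not ($kfm['Desktop'] -and $kfm['MyDocuments'])
        Checked             = (Get-Date).ToString('s')
    }
}

$state = Get-DeviceProtectionState
$state | Format-List

# Placeholder path: append each device's row to the shared evidence file so the
# "2 of 6 confirmed" gap in F-004 becomes a record covering every workstation.
$state | Export-Csv -Path 'C:\Evidence\device-protection.csv' -Append -NoTypeInformation
```

A device with BitLockerStatus FullyEncrypted but ProtectionOn false is still exposed (protection suspended), which is why both columns are kept.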

4. Control Maturity Assessment

Backup coverage: 1.5/4
Backup testing: 0/4
Data classification: 0/4
Encryption at rest: 2/4
Retention policy: 0/4
Vulnerability Management Audit Report Ref: MCG-GRC-004  |  May 2026

Vulnerability & Patch Management Audit

Subject organization: Meridian Consulting Group. This audit assessed the organization's asset inventory accuracy, patching cadence, end-of-life software exposure, and remediation tracking capability.

Overall Risk: High
Findings: 4
Frameworks: NIST · ISO
Review Period: Q1 2026

Executive Summary

Meridian Consulting Group does not have a structured vulnerability or patch management program. No complete asset inventory exists, patch status is inconsistent across workstations, and two devices are running software versions that are no longer supported by the vendor and will not receive security updates. The overall risk rating is High. Unpatched systems in a small business environment are among the most common entry points for ransomware and opportunistic attacks.

1. Audit Scope and Methodology

Systems Reviewed: 6 Windows workstations (sample), Microsoft 365 tenant, router and network switch firmware
Review Method: Windows Update status review per device, installed application inventory, OS version check, interview with office manager
Framework Alignment: NIST CSF 2.0 (ID.AM, PR.PS), ISO 27001:2022 Annex A.8.8, A.8.9, A.5.9

2. Findings

F-001: Two workstations running Windows 10 with no upgrade plan (Risk: High)
Observation

Windows 10 reached end-of-life support on October 14, 2025. Two workstations at Meridian are still running Windows 10 and have not been upgraded to Windows 11. Microsoft no longer issues security patches for these operating systems. Both devices are used daily for client-facing work and have internet access.

Risk

End-of-life operating systems will accumulate unpatched vulnerabilities indefinitely. These devices represent a persistent, escalating risk that will not be mitigated without hardware or OS upgrade. Attackers actively scan for and target EOL systems because exploitation requires no zero-day — only known, unpatched CVEs.

Framework Citations

ISO 27001 A.8.8, NIST CSF PR.PS-02, CIS Control 2.2

F-002: Windows Update deferred or disabled on 3 of 6 devices reviewed (Risk: High)
Observation

Of the six workstations reviewed, three showed pending Windows Update patches that were 45, 62, and 91 days outstanding respectively. On one device, automatic updates appear to have been manually disabled. No centralized patch management tool is in use, and patch status is not tracked.

Risk

Patches outstanding for more than 30 days represent a significant window of exposure. The 91-day deferred device has missed multiple cumulative security updates that likely address actively exploited vulnerabilities.

Framework Citations

ISO 27001 A.8.8, NIST CSF PR.PS-02, CIS Control 7.3

F-003: No formal asset inventory exists (Risk: Medium)
Observation

The organization does not maintain a documented inventory of hardware or software assets. The office manager was able to identify most devices from memory, but could not confirm whether all devices in use were accounted for. Two devices purchased by remote employees could not be located in any record.

Risk

You cannot protect what you cannot see. An unknown asset on the network is an unmanaged attack surface. Without inventory, the organization cannot confirm patch coverage, cannot conduct access reviews tied to devices, and cannot respond accurately to a data breach.

Framework Citations

ISO 27001 A.5.9, NIST CSF ID.AM-01, CIS Control 1.1

F-004: Network router firmware not updated in 18+ months (Risk: Medium)
Observation

The office network router was last updated at installation approximately 18–24 months ago. Firmware version review identified the current version as two major releases behind the vendor's current release. Known CVEs exist for the installed firmware version.

Framework Citations

ISO 27001 A.8.9, NIST CSF PR.PS-03, CIS Control 7.4

3. Recommendations

Recommendation | Priority | Owner | Effort
Upgrade or replace the two Windows 10 devices. If hardware supports Windows 11, upgrade immediately. If not, plan hardware replacement within 60 days. | Immediate | Office Manager + MSP | Medium — possible hardware cost
Re-enable automatic Windows Update on all workstations and apply all outstanding patches. Verify via manual check or Intune compliance dashboard. | Immediate | IT / MSP | Low — 2–3 hours
Create a hardware and software asset register (spreadsheet minimum). Record device name, OS version, owner, and date of last update for all devices. | 30 Days | Office Manager | Low — 2–3 hours
Update router firmware to current vendor release and establish a semi-annual firmware review for network devices. | 30 Days | IT / MSP | Low — 1 hour
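One way to produce the asset-register row the third recommendation asks for, with the EOL and patch-age checks from F-001 and F-002 folded in, added here as an example and not part of the audit report. It assumes a Windows workstation, an elevated session, and that the owner's name is passed in by whoever runs it; the 30-day overdue threshold is the report's, the Windows 11 build boundary (22000) is a known fact, and the output path is a placeholder. Router firmware is not covered, since it is read from the device's own admin interface.

```powershell
# Added example: one asset-register row per workstation with EOL and patch-status flags.
function Get-AssetRegisterRow {
    param([string]$Owner = 'UNASSIGNED')   # assumption: supplied by the office manager

    $os    = Get-CimInstance Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    # Windows 11 builds start at 22000; anything lower that calls itself Windows 10 is F-001 material.
    $product = if ($build -ge 22000) { 'Windows 11' }
               elseif ($os.Caption -like '*Windows 10*') { 'Windows 10' }
               else { $os.Caption }
    $win10Eol = [datetime]'2025-10-14'     # end-of-support date cited in F-001

    # Most recent installed update. Get-HotFix reads Win32_QuickFixEngineering, which lists
    # cumulative and security updates; the age of the newest one is the exposure window.
    $lastFix = Get-HotFix | Where-Object InstalledOn |
               Sort-Object InstalledOn -Descending | Select-Object -First 1
    $daysSince = if ($lastFix) { [int]((Get-Date) - $lastFix.InstalledOn).TotalDays } else { $null }

    # Signs that automatic updates were switched off (F-002): the NoAutoUpdate policy value
    # or a disabled Windows Update service.
    $au  = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $svc = Get-Service -Name wuauserv
    $autoUpdateOff = ($au.NoAutoUpdate -eq 1) -or ($svc.StartType -eq 'Disabled')

    [pscustomobject]@{
        Device          = $env:COMPUTERNAME
        Owner           = $Owner
        OS              = $product
        Version         = $os.Version
        Build           = $build
        Unsupported     = ($product -eq 'Windows 10') -and ((Get-Date) -ge $win10Eol)
        LastUpdate      = if ($lastFix) { $lastFix.InstalledOn.ToString('yyyy-MM-dd') } else { 'none found' }
        DaysSinceUpdate = $daysSince
        PatchOverdue    = ($null -eq $daysSince) -or ($daysSince -gt 30)   # the report's 30-day window
        AutoUpdateOff   = $autoUpdateOff
        Recorded        = (Get-Date).ToString('s')
    }
}

$row = Get-AssetRegisterRow -Owner 'J. Example'   # placeholder owner
$row | Format-List
# Placeholder path for the shared register; one appended row per device.
$row | Export-Csv -Path 'C:\Evidence\asset-register.csv' -Append -NoTypeInformation
```

The Unsupported, PatchOverdue and AutoUpdateOff columns map directly onto F-001 and F-002, so the register doubles as the remediation-tracking record the maturity table shows at 0/4.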

4. Control Maturity Assessment

Asset inventory: 0.5/4
Patch management process: 0.5/4
EOL software management: 0/4
Network device patching: 0/4
Remediation tracking: 0/4
Governance Review Report Ref: MCG-GRC-005  |  May 2026

Security Governance & Policy Framework Review

Subject organization: Meridian Consulting Group. This review assessed the completeness of the organization's security policy framework, staff awareness training, and third-party vendor management practices against ISO 27001 and NIST CSF governance requirements.

Overall Risk: Medium
Findings: 4
Frameworks: NIST · ISO
Review Period: Q1 2026

Executive Summary

Meridian Consulting Group operates without a formal security policy framework. No documented policies exist for information security, acceptable use, or incident response. Staff have not received security awareness training in the past 12 months. Third-party vendors with access to company systems or data are not subject to any formal review or contractual security requirements. The overall risk is rated Medium. While policy gaps alone do not create immediate technical risk, they underpin the failure of nearly every other control area reviewed in this audit series.

1. Audit Scope and Methodology

Areas Reviewed: Security policy inventory, staff training records, vendor/supplier list and contracts, incident response readiness
Review Method: Document request and review, interview with office manager and one department lead, vendor contract sample review
Framework Alignment: NIST CSF 2.0 (GV.OC, GV.PO, GV.RM), ISO 27001:2022 Clause 5, Annex A.5.1, A.6.3, A.5.19, A.5.23

2. Findings

F-001: No information security policies exist (Risk: High)
Observation

The organization has no documented information security policy, acceptable use policy, password policy, or data handling guidance. When asked about security expectations, staff responses varied significantly — indicating that security responsibilities are understood differently across the team, if at all.

Risk

Without documented policies, there is no baseline against which employee behavior can be measured, no standard for auditors to test controls against, and no defensible governance position if a breach occurs. Policies are the directive control layer that all other controls depend on for legitimacy.

Framework Citations

ISO 27001 A.5.1, NIST CSF GV.PO-01, CIS Control 0 (Foundation)

F-002: No security awareness training delivered in past 12 months (Risk: Medium)
Observation

No security awareness training records exist. Staff have not received phishing simulation, email security guidance, or any documented security training. Two staff members interviewed were unfamiliar with the concept of social engineering or how to identify a phishing attempt.

Risk

Human error and phishing remain the leading initial access vectors for small business breaches. An untrained workforce is particularly vulnerable in a cloud-first environment where a single credential compromise can expose all company data.

Framework Citations

ISO 27001 A.6.3, NIST CSF GV.OC-03, CIS Control 14.1

F-003: Vendors with system access are not subject to security requirements (Risk: Medium)
Observation

Meridian uses three third-party vendors that have direct or administrative access to company systems: a managed service provider, a cloud-based HR platform, and an external bookkeeper with access to financial software. No vendor security questionnaire, contract security clause, or access review process exists for any of these relationships.

Risk

Third-party access represents a trust extension. A compromise at any of these vendors could provide unauthorized access to Meridian systems or data. Without contractual security requirements, the organization has no enforceable standard and no recourse if a vendor incident results in a breach.

Framework Citations

ISO 27001 A.5.19, ISO 27001 A.5.23, NIST CSF GV.SC-06, CIS Control 15.1

F-004: No incident response plan or documented response contacts (Risk: Medium)
Observation

No incident response plan exists. When asked what they would do if they believed their email account was compromised, two of three staff members interviewed said they were unsure who to contact. No escalation path, response procedure, or contact list is documented or distributed.

Risk

Response time in the first hours of an incident has a direct relationship with containment effectiveness. An organization without a plan — or even a contact list — will lose critical time while determining how to respond. This directly extends the impact window of any incident.

Framework Citations

ISO 27001 A.5.25, NIST CSF RS.MA-01, CIS Control 17.1

3. Recommendations

Recommendation | Priority | Owner | Effort
Draft and distribute a one-page Information Security Policy covering acceptable use, passwords, data handling, and incident reporting. All staff to acknowledge in writing. | 30 Days | Office Manager | Low — template-based
Enroll staff in a low-cost annual security awareness training platform (examples: KnowBe4 Free, Proofpoint Security Awareness, Microsoft Training). Track completion. | 30 Days | Office Manager | Low–Medium — cost varies
Add a basic security clause to vendor contracts for all vendors with system access, and send a short security questionnaire to each. Review responses annually. | 90 Days | Office Manager | Medium — legal review advised
Create a one-page Incident Response Contact Sheet and distribute to all staff. Include: who to call, what to do immediately, and what not to do (e.g., do not delete emails). | 30 Days | Office Manager + MSP | Low — 2–3 hours

Analyst note: The four findings in this report are governance-layer gaps. Individually, they are rated Medium. Collectively, they represent the root cause of many of the High-risk findings identified across this audit series. Technical controls cannot be consistently maintained without the policy and ownership structures that governance provides. Remediating this report's findings will increase the effectiveness of every other remediation activity in this audit program.

4. Control Maturity Assessment

Security policy framework: 0/4
Security awareness training: 0/4
Vendor/supplier management: 0/4
Incident response readiness: 0/4
Governance ownership: 0.5/4