Cyber Horizon
Back to Blog
Access ControlSOC 2ISO 27001

User Access Reviews That Actually Pass Audits

8 July 2026·7 min read·Cyber Horizon Team

Ask auditors which control they sample most — and which fails most — and the answer to both is the user access review. It appears in SOC 2 (CC6.2–CC6.3), ISO 27001 (A.5.18), PCI DSS, NIST and virtually every framework. It fails not because it’s hard, but because it’s usually performed as a ritual: a spreadsheet, a deadline, and a wall of “approved” clicks nobody thought about.

The anatomy of a defensible review

ElementWhat good looks like
CadenceQuarterly for privileged and audit-scope systems; at least twice a year elsewhere. Event-driven reviews on role change.
ScopeEvery system in your audit boundary — identity provider, cloud consoles, production databases, code repos, finance tools. Admins first.
ReviewerSomeone who can judge need: the system owner or line manager — never the access administrator reviewing their own grants.
DecisionConfirm, reduce, or revoke — with least privilege as the test, not “are they still employed?”
EvidenceDated user list reviewed, who reviewed it, decisions per user, and revocation tickets closed — retained per your evidence policy.
Follow-throughRevocations executed within a defined SLA and verified. An unactioned “revoke” is worse than no review.

How auditors catch rubber-stamping

  • Timing forensics: 400 approvals logged in 6 minutes tells its own story.
  • The leaver test: they cross-reference HR leaver lists against your review — one leaver still “approved” unravels the control.
  • Zero-revocation reviews: quarters of 100% confirmations across a growing company are statistically implausible.
  • The interview: “walk me through how you decided this engineer still needs production write access” — rehearsed answers collapse fast.

Making reviews cheap enough to do properly

  • Shrink the problem first: role-based access with SSO/SCIM provisioning means you review role mappings, not thousands of individual grants.
  • Pull user lists automatically from the IdP and connected systems — retyping exports into spreadsheets is where errors (and excuses) breed.
  • Split reviews by owner so each reviewer sees only what they can actually judge — 20 meaningful decisions beat 500 blind ones.
  • Auto-create revocation tickets from “revoke” decisions and track them to closure against an SLA.
  • Treat privileged access separately: smaller list, tighter cadence, stricter justification.
  • Time-bound exceptions: any “keep, but…” decision gets an expiry date, not a permanent pass.

The off-boarding connection

Access reviews are the detective control; same-day off-boarding is the preventive one. Auditors test them together: a clean quarterly review doesn’t compensate for leavers keeping access for three weeks. Wire HR off-boarding to identity deprovisioning (ideally automated via SCIM), and let the quarterly review be the safety net that proves the automation works — not the mechanism that discovers it doesn’t.

The bottom line

An access review is a genuine security control pretending to be paperwork. Scope it to what matters, give each slice to someone who can judge it, evidence the decisions, and close every revocation. Do that quarterly and the most-sampled control in your audit becomes the least stressful.

Access-review evidence, collected as you go

Cyber Horizon’s identity integrations (Okta, Entra ID, Google Workspace) pull user and access data automatically and map review evidence to SOC 2, ISO 27001 and every other framework at once.

Book a Demo