User Access Reviews That Actually Pass Audits
Ask auditors which control they sample most — and which fails most — and the answer to both is the user access review. It appears in SOC 2 (CC6.2–CC6.3), ISO 27001 (A.5.18), PCI DSS, NIST and virtually every framework. It fails not because it’s hard, but because it’s usually performed as a ritual: a spreadsheet, a deadline, and a wall of “approved” clicks nobody thought about.
The anatomy of a defensible review
| Element | What good looks like |
|---|---|
| Cadence | Quarterly for privileged and audit-scope systems; at least twice a year elsewhere. Event-driven reviews on role change. |
| Scope | Every system in your audit boundary — identity provider, cloud consoles, production databases, code repos, finance tools. Admins first. |
| Reviewer | Someone who can judge need: the system owner or line manager — never the access administrator reviewing their own grants. |
| Decision | Confirm, reduce, or revoke — with least privilege as the test, not “are they still employed?” |
| Evidence | Dated user list reviewed, who reviewed it, decisions per user, and revocation tickets closed — retained per your evidence policy. |
| Follow-through | Revocations executed within a defined SLA and verified. An unactioned “revoke” is worse than no review. |
How auditors catch rubber-stamping
- Timing forensics: 400 approvals logged in 6 minutes tells its own story.
- The leaver test: they cross-reference HR leaver lists against your review — one leaver still “approved” unravels the control.
- Zero-revocation reviews: quarters of 100% confirmations across a growing company are statistically implausible.
- The interview: “walk me through how you decided this engineer still needs production write access” — rehearsed answers collapse fast.
Making reviews cheap enough to do properly
- Shrink the problem first: role-based access with SSO/SCIM provisioning means you review role mappings, not thousands of individual grants.
- Pull user lists automatically from the IdP and connected systems — retyping exports into spreadsheets is where errors (and excuses) breed.
- Split reviews by owner so each reviewer sees only what they can actually judge — 20 meaningful decisions beat 500 blind ones.
- Auto-create revocation tickets from “revoke” decisions and track them to closure against an SLA.
- Treat privileged access separately: smaller list, tighter cadence, stricter justification.
- Time-bound exceptions: any “keep, but…” decision gets an expiry date, not a permanent pass.
The off-boarding connection
Access reviews are the detective control; same-day off-boarding is the preventive one. Auditors test them together: a clean quarterly review doesn’t compensate for leavers keeping access for three weeks. Wire HR off-boarding to identity deprovisioning (ideally automated via SCIM), and let the quarterly review be the safety net that proves the automation works — not the mechanism that discovers it doesn’t.
The bottom line
An access review is a genuine security control pretending to be paperwork. Scope it to what matters, give each slice to someone who can judge it, evidence the decisions, and close every revocation. Do that quarterly and the most-sampled control in your audit becomes the least stressful.
Access-review evidence, collected as you go
Cyber Horizon’s identity integrations (Okta, Entra ID, Google Workspace) pull user and access data automatically and map review evidence to SOC 2, ISO 27001 and every other framework at once.
Book a Demo