The Complete Guide to Quarterly Access Reviews
The access review is one of the most heavily sampled controls in a SOC 2 audit. Here's how to run one in under two hours of real work, and what auditors specifically look for in the evidence.
Few controls generate more audit findings than access reviews. The control itself is simple: confirm that who has access to what is still appropriate. The execution is where teams get tripped up. Here's how to do it well.
What auditors actually look for
When a SOC 2 auditor samples an access review, they check:
- Cadence: Did it happen on the schedule the policy describes?
- Scope: Did it cover the systems it was supposed to?
- Reviewer: Did the right person do it? (System owner, not just "someone in engineering.")
- Decisions: For each user, was access confirmed, modified, or revoked? Not just "reviewed."
- Follow-through: If decisions were made, were they actually implemented?
- Evidence: Is the review itself documented?
What to include in your review
At minimum, every quarter:
- Production infrastructure accounts (AWS, GCP, Azure)
- Your primary identity provider (Okta, Google Workspace)
- Source control (GitHub, GitLab)
- Your customer data systems
- Privileged access roles across all of the above
Low-risk systems (design tools, internal wikis) can move to annual reviews. Prioritize anything that can touch customer data or production.
How to run one in under two hours
Assuming you have the right tooling:
- Export user lists from each system, including each user's roles or privilege level and last login, so the owner can decide rather than guess. Most compliance platforms do this automatically.
- Send each system owner their list, with simple instructions: "For each user, reply confirm, modify, or revoke."
- Collect the responses, typically within a week. A per-user decision is required; a blanket "looks fine" is not a review.
- Implement the decisions: revocations happen within the SLA your policy specifies.
- Archive the evidence: the original export, the system owner's per-user response, and confirmation (ticket, audit log entry, or screenshot) that revocations were implemented within SLA.
The whole thing should take 90–120 minutes of real work across a quarter. Much longer than that usually means the tooling or the scope is wrong.
Common findings to pre-empt
- Orphaned accounts. Ex-employees still in the system. If you find these during the review, record them with their termination dates. If the gap between termination and removal is greater than your deprovisioning SLA, it's a finding, but a self-identified finding that you're already remediating is much better than an auditor-identified one. Treat each one as a signal that offboarding, not just the review, needs fixing.
- Privilege creep. Someone got admin access for a project six months ago and never lost it. Reduce the access and document the revocation; don't try to hide that the grant happened.
- Shared accounts. "ops@" with a shared password. These are security problems disguised as access problems: nobody can attribute what the account did, and the password outlives everyone who ever knew it. Fix the root issue (named accounts, or at least a vaulted credential rotated on every departure), not just the review.
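The steps above (export, owner decision, revocation within SLA, archived evidence) and the three findings are straightforward to pre-compute before the owner ever sees the list. The following is an added example, not code from the article or any compliance vendor: it takes a raw user export and an HR roster, proposes a decision per account, flags orphaned accounts past the deprovisioning SLA, privilege creep and shared accounts, and packages the evidence an auditor samples. The export, roster, the 5-day SLA, the `STANDING_PRIVILEGED` list and the naming rule for shared accounts are all constructed assumptions.

```python
"""Access-review helper: added example, not code from the original article or any vendor.

All data, field names, the 5-day SLA, the standing-approval list and the
naming rule for shared accounts are constructed assumptions.
"""
import hashlib
import json
from datetime import date, timedelta

SLA_DAYS = 5                                         # assumed deprovisioning SLA from the access policy
PRIVILEGED_ROLES = {"admin", "AdministratorAccess"}  # assumed: which roles count as privileged
STANDING_PRIVILEGED = {"dave@example.com"}           # assumed: admins with a documented standing approval
SHARED_PREFIXES = ("ops@", "admin@", "support@")     # assumed naming rule for shared accounts
VALID_DECISIONS = {"confirm", "modify", "revoke"}    # "reviewed" is not a decision
REVIEW_DATE = date(2024, 7, 1)                       # constructed review date

# Constructed export, the shape a compliance tool or an IAM list-users script might produce.
EXPORT = [
    {"user": "alice@example.com", "roles": ["developer"], "last_login": "2024-06-28"},
    {"user": "bob@example.com", "roles": ["AdministratorAccess"], "last_login": "2024-06-30"},
    {"user": "carol@example.com", "roles": ["developer"], "last_login": "2024-05-02"},
    {"user": "dave@example.com", "roles": ["AdministratorAccess"], "last_login": "2024-06-30"},
    {"user": "ops@example.com", "roles": ["admin"], "last_login": "2024-06-29"},
]
# Constructed HR roster: employment status and, for leavers, the termination date.
ROSTER = {
    "alice@example.com": {"status": "active"},
    "bob@example.com": {"status": "active"},
    "carol@example.com": {"status": "terminated", "terminated": "2024-05-03"},
    "dave@example.com": {"status": "active"},
}


def prepare_review(export, roster, review_date, sla_days=SLA_DAYS):
    """Return one row per exported account with a proposed decision and any pre-empted findings."""
    rows = []
    for acct in export:
        user, roles = acct["user"], set(acct["roles"])
        person = roster.get(user)
        row = {"user": user, "roles": sorted(roles), "proposed": "confirm", "findings": []}
        if user.startswith(SHARED_PREFIXES):
            # Shared credential: actions cannot be attributed to a person. Needs a root-cause fix.
            row["proposed"] = "modify"
            row["findings"].append("shared account: move to named accounts and rotate the credential")
        elif person is None:
            row["proposed"] = "revoke"
            row["findings"].append("account has no matching person in HR roster")
        elif person["status"] == "terminated":
            row["proposed"] = "revoke"
            gap = (review_date - date.fromisoformat(person["terminated"])).days
            if gap > sla_days:  # leaver still present beyond the SLA: a self-identified finding
                row["findings"].append(f"orphaned account: {gap} days after termination, SLA is {sla_days}")
        elif roles & PRIVILEGED_ROLES and user not in STANDING_PRIVILEGED:
            # Privileged role with no standing approval: owner must re-justify or reduce it.
            row["proposed"] = "modify"
            row["findings"].append("privilege creep: privileged role without a standing approval")
        rows.append(row)
    return rows


def evidence_record(system, reviewer, review_date, export, rows, owner_decisions):
    """Build the artifact an auditor samples: hashed export, per-user decisions, revocation due dates."""
    final = []
    for row in rows:
        decision = owner_decisions.get(row["user"], row["proposed"])
        if decision not in VALID_DECISIONS:
            raise ValueError(f"{row['user']}: {decision!r} is not confirm/modify/revoke")
        entry = {"user": row["user"], "decision": decision, "findings": row["findings"]}
        if decision == "revoke":
            entry["revoke_by"] = (review_date + timedelta(days=SLA_DAYS)).isoformat()
        final.append(entry)
    raw = json.dumps(export, sort_keys=True).encode()
    return {
        "system": system,
        "reviewer": reviewer,
        "review_date": review_date.isoformat(),
        # Hash of the export as reviewed, so the archived list can be checked against the original pull.
        "export_sha256": hashlib.sha256(raw).hexdigest(),
        "decisions": final,
    }


if __name__ == "__main__":
    rows = prepare_review(EXPORT, ROSTER, REVIEW_DATE)
    owner_replies = {"bob@example.com": "modify", "ops@example.com": "revoke"}  # constructed owner responses
    record = evidence_record("aws-prod", "owner@example.com", REVIEW_DATE, EXPORT, rows, owner_replies)
    print(json.dumps(record, indent=2))
```

The owner's replies override the proposals, but anything other than confirm/modify/revoke is rejected so "reviewed" never reaches the archive, and every revocation carries a due date derived from the SLA. Keep the hashed export next to the record; it is the cheapest way to show an auditor that the list the owner signed off on is the list that was exported.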
The calendar trick
Set up four recurring calendar events — one for each quarter's review — with the required system owners invited and a checklist in the description. Let the calendar drive the cadence, not your willpower.
Stop managing compliance in spreadsheets.
Simpra is the AI-native platform that turns policies, controls, evidence, and risk into one live system of record.