8 Steps to Implementing Streamlined, Audit-Ready User Access Reviews


Access reviews can be difficult to coordinate and manage, consume significant time for everyone involved, and are sometimes not executed at all. Yet they are a critical control across many compliance frameworks, including SOX, PCI DSS, ISO 27001, SOC 2, HITRUST, NIST SP 800-53 and SP 800-171, HIPAA, GDPR and others.

A well-executed access review mitigates the risk of individuals having:

1) Unauthorized or inappropriate access to programs and data relative to their roles and responsibilities, or

2) Too much access (e.g. segregation of duties conflicts).

This guide provides an 8-step process for establishing and conducting a quality access review that will satisfy multiple compliance frameworks.

Step 1: Identify Relevant Compliance Frameworks and Standards that Require an Access Review

Before identifying compliance requirements, start with a clear strategy for the access review process: understand the overarching goals, such as reducing security risk, maintaining regulatory compliance, improving operational efficiency or supporting audit readiness. With that direction in mind, determine which regulations and standards your organization must adhere to. This establishes the frequency, scope, control ownership and documentation requirements of the review. Where a framework does not specify a frequency, take a risk-based approach to decide how often reviews should occur, considering the following factors:

  1. Minimum frequency required to meet compliance requirements
  2. Complexity of the access within the system
  3. Volume of accounts and frequency of access changes
  4. Significance of the data stored within the system
  5. History of errors
  6. Effectiveness of preventive provisioning and termination controls
  7. Inherent risks of processes being supported by the systems

Step 2: Identify the Information Systems in Scope

Determine which systems (e.g., applications, tools, database management systems, operating systems/servers and network domains) require an access review. This could include enterprise and/or financial applications, PaaS (Platform as a Service), database management systems, operating systems/servers, identity and access management (IAM) systems, source code migration and development tools, facilities and infrastructure components. Ultimately, scope should be driven by the relevance and significance of the data and/or system function that each system governs.

Step 3: Assign Ownership

Clearly define who is responsible for:

  1. Generating the information used in the reviews, and
  2. Coordinating and/or executing the review and remediating any exceptions identified.

Tip: Consider leveraging an off-the-shelf tool to assist with automating and tracking reviews.

Step 4: Generate the Access Listings

Generate a complete and accurate listing of accounts from each system, and consider automating these reports for efficiency. The listing should be granular enough that the reviewer can see which role and/or permissions are assigned to each account, and should carry enough detail for reviewers to make informed decisions. Examples of useful fields and where they come from:

Field Name                                          Source
User ID/Username                                    System under review
Employee Number                                     System under review or HR system of record
First Name & Last Name                              System under review
Account Status (Active/Inactive)                    System under review
Access - Role Level (Admin, AP Manager, etc.)       System under review
Access - Permission Level (Create User = Full, etc.) System under review
Privileged Access (Yes/No)                          Must be manually added
Account Type (e.g. User, Generic, System/Service)   System under review or must be manually added
Job Title & Department                              HR system of record

Tip: Retain documentation of how each access listing was generated (e.g. menus, reports, parameters, queries, time/date stamps). Explain any exclusions, such as inactive accounts or accounts with read-only access. If the report is automated, include evidence that the underlying queries have not been modified since they were last validated.

Step 5: Train the Reviewers

Provide clear expectations, guidelines, timelines and definitions for reviewers to reference. Ensure roles and responsibilities are clearly defined.

Tip: Consider implementing a joiner-mover-leaver process in your IAM tools to automatically grant, modify or revoke access when employees join, change roles or leave. This mitigates the risk of individuals being granted the wrong level of access, or of access not being removed upon termination.

Step 6: Execute the Review and Retain Sufficient Evidence

Reviewers: Document proof of review, including justifications for approved and revoked access.

Control Owner: Retain audit logs, screenshots, spreadsheets or other reports as needed.

Tip: Store evidence in a central location that makes it easy to distinguish what is being reviewed. Consider using a template to consistently document each review.

Step 7: Revoke Unnecessary Access and Validate Remediation

Immediately remove or disable access identified for revocation. Document the reason for each revocation and verify that revoked accounts were deactivated in a timely manner.

Tip: Run a follow-up report from the system to confirm that all access flagged for revocation during the review has been disabled and/or removed.

Step 8: Perform a Lookback for Anomalous Activity

Before closing the review:

  • Review logs and audit trails for any inappropriate and/or unauthorized activity performed by revoked accounts.
  • Investigate and follow up on any unusual activity. Define the scope of activities relevant to the applicable framework and/or standard. Pay close attention to administrative accounts that can perform all transactions (including modifying user access).

Tip: Among revoked accounts, those with admin privileges, segregation of duties conflicts, or belonging to terminated employees carry the highest risk of misuse.
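The following script is an added example and is not part of the original article or any product it describes. It shows, in working code, the mechanical parts of Steps 4, 7 and 8: joining a system's account export with the HR system of record to build the reviewer's listing and flag exceptions (terminated-but-active accounts, a segregation of duties conflict, a privileged service account with no named owner), checking a follow-up export to confirm that flagged accounts were actually disabled, and scanning an audit log for activity by revoked accounts after their cutoff date. The two CSV exports, the audit log lines, the field names, the privileged-role set and the SoD rule are all constructed for the example; a real review would substitute the system's own export and the organization's role matrix.

```python
"""Added example: reconciling an access review listing against HR, validating
remediation and performing the lookback.  All data below is constructed."""
import csv
import io
from datetime import datetime

# Constructed account export from the system under review (Step 4 source).
SYSTEM_EXPORT = """user_id,first_name,last_name,status,role,account_type
jdoe,Jane,Doe,Active,AP Clerk,User
bsmith,Bob,Smith,Active,AP Manager,User
cwong,Carol,Wong,Active,AP Clerk;Vendor Master,User
svc_batch,,,Active,Admin,Service
tlee,Tom,Lee,Active,Admin,User
"""

# Constructed HR system of record; tlee was terminated before the review.
HR_EXPORT = """user_id,employee_number,job_title,department,employment_status,termination_date
jdoe,1001,AP Clerk,Finance,Active,
bsmith,1002,AP Manager,Finance,Active,
cwong,1003,AP Clerk,Finance,Active,
tlee,1004,Systems Admin,IT,Terminated,2024-03-15
"""

# Constructed follow-up export after remediation: tlee disabled, svc_batch missed.
FOLLOWUP_EXPORT = """user_id,status
jdoe,Active
bsmith,Active
cwong,Active
svc_batch,Active
tlee,Inactive
"""

# Constructed audit log: "<ISO timestamp> <user_id> <action ...>" per line.
AUDIT_LOG = """2024-03-10T14:02:00 tlee login ok
2024-03-16T09:12:00 tlee login ok
2024-03-16T09:15:00 tlee modify_user bsmith role=Admin
2024-03-16T10:00:00 jdoe login ok
"""

# Assumed role matrix: which roles count as privileged, which combinations conflict.
PRIVILEGED_ROLES = {"Admin"}
SOD_CONFLICTS = {frozenset({"AP Clerk", "Vendor Master"})}


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def build_listing(system_csv, hr_csv):
    """Step 4: join the system export with HR to produce the reviewer's listing."""
    hr = {row["user_id"]: row for row in load_csv(hr_csv)}
    listing = []
    for acct in load_csv(system_csv):
        roles = set(filter(None, acct["role"].split(";")))
        person = hr.get(acct["user_id"], {})
        listing.append({
            "user_id": acct["user_id"],
            "employee_number": person.get("employee_number", ""),
            "name": f"{acct['first_name']} {acct['last_name']}".strip(),
            "status": acct["status"],
            "roles": roles,
            "privileged": bool(roles & PRIVILEGED_ROLES),
            "account_type": acct["account_type"],
            "job_title": person.get("job_title", ""),
            "department": person.get("department", ""),
            "hr_status": person.get("employment_status", "NOT IN HR"),
        })
    return listing


def flag_exceptions(listing):
    """Return {user_id: [reasons]} for accounts the reviewer must examine."""
    findings = {}
    for row in listing:
        reasons = []
        if row["status"] == "Active" and row["hr_status"] == "Terminated":
            reasons.append("active account for terminated employee")
        if row["account_type"] == "User" and row["hr_status"] == "NOT IN HR":
            reasons.append("user account with no HR record")
        for conflict in SOD_CONFLICTS:
            if conflict <= row["roles"]:
                reasons.append("SoD conflict: " + " + ".join(sorted(conflict)))
        if row["privileged"] and row["account_type"] != "User":
            reasons.append("privileged non-user account; confirm owner")
        if reasons:
            findings[row["user_id"]] = reasons
    return findings


def validate_remediation(revoked_ids, followup_csv):
    """Step 7: revoked accounts that are still Active in the follow-up export."""
    still_active = {r["user_id"] for r in load_csv(followup_csv) if r["status"] == "Active"}
    return sorted(set(revoked_ids) & still_active)


def lookback(audit_log, cutoffs):
    """Step 8: events by revoked accounts on/after their cutoff date (ISO)."""
    hits = []
    for line in audit_log.strip().splitlines():
        ts, user, action = line.split(" ", 2)
        if user in cutoffs and datetime.fromisoformat(ts) >= datetime.fromisoformat(cutoffs[user]):
            hits.append((user, ts, action))
    return hits
```

For a leaver the cutoff is the HR termination date, so any event after it (here a login and a role change made by a terminated admin) is a finding; for accounts revoked for other reasons the cutoff would normally be the start of the review period.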

Final Thought: Making User Access Reviews a Business-as-Usual Process

While each organization has unique circumstances, these steps may support you in conducting thorough, repeatable and audit-ready access reviews that will allow your organization to meet multiple compliance requirements and mitigate logical security risks in an efficient, consistent and cost-effective manner.


Contributors

Ash Brooks, Advisory Director
