How to perform quarterly access reviews (step-by-step guide)
Frameworks like SOC 2, ISO 27001, HIPAA, and SOX expect organizations to regularly verify who has access to what—and auditors want proof it happens on a defined cadence.
For most teams, access reviews are still manual, slow, and easy to get wrong. This guide explains how to perform quarterly access reviews effectively: who owns them, what to check, how to document evidence, and how to automate the parts that should never have lived in a spreadsheet.

Related guides:
- How to set up role-based access controls
- ISO 27001 access control policy checklist
- SOC 2 controls explained
- Authorization as a platform: fine-grained access lessons
- Your auditor is about to ask about AI agents
Key takeaways
- Access reviews (entitlement review, recertification) confirm each user’s rights are appropriate for their role across apps, data, and infrastructure.
- Quarterly reviews are a practical default for most organizations; high-risk systems may need monthly attestation.
- Business owners—not IT alone—should attest access; managers know role changes better than central admins.
- Reviews should catch privilege creep, orphaned accounts, and excessive vendor access.
- Evidence = roster + decisions + remediation + timestamps—not only a policy statement.
- SecureSlate automates campaigns, reminders, and auditor-ready exports tied to compliance controls.
What is a user access review?
A user access review monitors the rights and privileges of everyone who can interact with your systems and data—including employees, contractors, and third parties.
Also called entitlement review, account attestation, or account recertification, the process answers:
| Question | Why it matters |
|---|---|
| Which access rights are authorized? | Proves least privilege |
| What level of access does each user have? | Admin vs read-only vs custom roles |
| Who has access to what? | Maps users to systems and data classes |
Access reviews support separation of duties, need-to-know, and least privilege—and are required or expected under frameworks including:
- HIPAA, SOC 1/2, SOX, ISO 27001 / 27002, PCI DSS, CMMC, and others
They are a control mechanism—not a one-time project during audit week.
How often should you perform access reviews?
Unauthorized or stale access drives insider risk, fraud, and audit findings. Common drivers:
- Outdated access policies
- Account misconfiguration
- Joiner / mover / leaver gaps
- Privilege creep (accumulated permissions over time)
- Vendor and service account sprawl
Cadence by organization size
| Profile | Typical cadence |
|---|---|
| Small teams, low churn | Semi-annual may suffice if risk assessment supports it |
| Growing or enterprise orgs, frequent role changes | Quarterly for most in-scope systems |
| High-risk (production, PHI, PCI, admin consoles) | Monthly or continuous attestation triggers |
Best practice for most companies: perform access reviews at least quarterly to stay ahead of changing rights—while tiering so critical systems are reviewed more often than low-risk tools.
Document your cadence in policy and stick to it—auditors compare stated frequency to evidence.
Who should perform access reviews?
Access reviews are not “IT only.” IT provides data; business owners attest correctness.
Typical roles
| Role | Responsibility |
|---|---|
| Security / GRC lead | Program design, scope, audit evidence, escalation |
| System or application owner | Defines who should have access to that system |
| Department / team manager | Certifies direct reports’ access matches job function |
| IT / IdP admin | Produces access lists, implements removals, documents changes |
Why managers matter
Managers know role changes, transfers, and contractors ending—central IT often does not. The security lead ensures consistency, timelines, and remediation tracking.
Include non-human identities in scope where material: service accounts, integration users, and AI agents with API access (see the related guide on auditor expectations for AI agents).
How to perform quarterly access reviews
Use this repeatable quarterly workflow:
Step 1: Define scope and inventory
List in-scope systems for the quarter (IdP, SaaS, cloud consoles, databases, VPN, code repos, etc.). Tie scope to your risk assessment—not “every app ever purchased.”
Pull current entitlements from:
- Identity provider (Okta, Azure AD, Google Workspace, etc.)
- Application admin exports
- Cloud IAM (AWS, GCP, Azure)
- HRIS for active vs terminated users
Step 2: Generate the access roster
For each system, produce a report showing:
- User identifier (email / employee ID)
- Role / group membership
- Privilege level (admin, standard, read-only)
- Last login or account status (if available)
- Account type (employee, contractor, service)
Flag anomalies before sending to reviewers: terminated users still active, shared accounts, dormant admins.
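Step 2 in code, as an added example that is not part of the original guide or of SecureSlate's product: it joins an application's admin export with the identity provider's user list and the HRIS status feed, produces one roster line per entitlement with the fields listed above, and flags the three anomalies named here (terminated users still holding access, shared accounts, dormant admins) plus accounts with no HR owner. All three exports, the field names, the `svc-` / `ops-shared` naming conventions and the 90-day dormancy threshold are constructed assumptions; substitute your own exports and thresholds.

```python
"""Step 2 helper: build the access roster for one system and flag anomalies
before it goes to reviewers. Added example (not code from the guide or from
SecureSlate); all exports below are constructed sample data with hypothetical
field names."""
from datetime import date

# Constructed sample exports (hypothetical field names).
IDP_USERS = [  # identity provider user list
    {"email": "ana@example.com", "status": "ACTIVE", "last_login": "2026-05-20"},
    {"email": "bob@example.com", "status": "ACTIVE", "last_login": "2026-01-03"},
    {"email": "carol@example.com", "status": "ACTIVE", "last_login": "2026-05-28"},
    {"email": "ops-shared@example.com", "status": "ACTIVE", "last_login": "2026-05-29"},
    {"email": "svc-backup@example.com", "status": "ACTIVE", "last_login": None},
]
APP_EXPORT = [  # the in-scope application's own admin export
    {"email": "ana@example.com", "group": "prod-admins", "privilege": "admin"},
    {"email": "bob@example.com", "group": "prod-admins", "privilege": "admin"},
    {"email": "carol@example.com", "group": "analysts", "privilege": "read-only"},
    {"email": "ops-shared@example.com", "group": "analysts", "privilege": "standard"},
    {"email": "svc-backup@example.com", "group": "backup-service", "privilege": "admin"},
    {"email": "dave@example.com", "group": "analysts", "privilege": "standard"},
]
HRIS = {  # HR system of record, keyed by work e-mail
    "ana@example.com": {"employee_id": "E100", "employment": "active", "type": "employee"},
    "bob@example.com": {"employee_id": "E101", "employment": "active", "type": "employee"},
    "carol@example.com": {"employee_id": "C200", "employment": "active", "type": "contractor"},
    "dave@example.com": {"employee_id": "E102", "employment": "terminated", "type": "employee"},
}

DORMANT_DAYS = 90          # an admin unused this long is "dormant" (assumed threshold)
SERVICE_PREFIX = "svc-"    # hypothetical naming conventions for non-human accounts
SHARED_PREFIX = "ops-shared"


def classify_account(email, hris):
    """Employee / contractor from HRIS; service or shared from naming; else unknown."""
    if email.startswith(SERVICE_PREFIX):
        return "service"
    if email.startswith(SHARED_PREFIX):
        return "shared"
    record = hris.get(email)
    return record["type"] if record else "unknown"


def build_roster(app_export, idp_users, hris, as_of):
    """One roster line per entitlement, with the anomaly flags Step 2 calls for.

    as_of is an ISO date string ("2026-06-01") used for the dormancy check."""
    as_of_date = date.fromisoformat(as_of)
    idp = {u["email"]: u for u in idp_users}
    roster = []
    for entry in app_export:
        email = entry["email"]
        hr = hris.get(email)
        idp_user = idp.get(email, {})
        last_login = idp_user.get("last_login")
        row = {
            "user": email,
            "employee_id": hr["employee_id"] if hr else None,
            "group": entry["group"],
            "privilege": entry["privilege"],
            "account_status": idp_user.get("status", "NOT_IN_IDP"),
            "last_login": last_login,
            "account_type": classify_account(email, hris),
            "flags": [],
        }
        # Terminated in HR but still holding an entitlement: a leaver gap.
        if hr and hr["employment"] == "terminated":
            row["flags"].append("terminated-still-active")
        # A shared login cannot be attested to one person.
        if row["account_type"] == "shared":
            row["flags"].append("shared-account")
        # Admin rights nobody has used for longer than the threshold.
        if entry["privilege"] == "admin" and last_login is not None:
            idle_days = (as_of_date - date.fromisoformat(last_login)).days
            if idle_days > DORMANT_DAYS:
                row["flags"].append("dormant-admin")
        # Human-looking account with no HR record: nobody owns it.
        if row["account_type"] == "unknown":
            row["flags"].append("no-hr-record")
        roster.append(row)
    return roster


def anomalies(roster):
    """Lines to resolve or annotate before reviewers see the roster."""
    return [r for r in roster if r["flags"]]


if __name__ == "__main__":
    for row in anomalies(build_roster(APP_EXPORT, IDP_USERS, HRIS, "2026-06-01")):
        print(row["user"], row["group"], row["privilege"], ",".join(row["flags"]))
```

Run against the sample data, the flagged lines are the terminated user who still appears in the app export (and is no longer in the IdP at all), the admin with no login in over 90 days, and the shared operations account. Snapshot the full roster, not just the anomalies, since the pre-review roster is part of the evidence package in Step 7.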
Step 3: Assign reviewers and deadlines
Route rosters to application owners or managers with:
- Clear due date (e.g., 10 business days)
- Instructions: Approve, Revoke, or Modify per line
- Escalation path for non-response
Step 4: Review and attest
Reviewers confirm each entitlement is required for current job duties. Common outcomes:
- Approve — access remains
- Revoke — remove immediately (or per change window)
- Modify — adjust role/group
Document business justification for sensitive or privileged access.
Step 5: Remediate and verify
IT or admins implement changes. Verify removals in source systems—not only in the spreadsheet. Track tickets to closure.
Step 6: Handle exceptions
Some privileged access may be temporary or break-glass. Document owner, expiry, and approval—review again next quarter.
Step 7: Close the campaign and retain evidence
Package:
- Roster snapshots (before review)
- Attestations (signed/exported decisions)
- Remediation tickets and verification
- Summary metrics (% reviewed on time, revocations, open items)
Store for auditor sampling—typically 12+ months retention per your policy.
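Steps 4 through 7 in code, as an added example that is not part of the original guide or of SecureSlate's product: it takes the reviewers' per-line decisions, checks that every Revoke and Modify is reflected in a fresh export from the source system rather than trusting the closed ticket, checks that approved admin access carries a justification, and computes the summary metrics the evidence package should contain. The campaign record, attestations, ticket states, export and all field names are constructed assumptions.

```python
"""Steps 4-7 helper: verify a campaign's Revoke/Modify decisions against a fresh
export from the source system, then compute the summary metrics for the
evidence package. Added example (not code from the guide or from SecureSlate);
the campaign, attestations, tickets and export are constructed sample data with
hypothetical field names."""
from datetime import date

CAMPAIGN = {"system": "prod-console", "opened": "2026-04-01", "due": "2026-04-15"}

# One attestation per roster line, exported from the reviewers' sign-off (constructed).
ATTESTATIONS = [
    {"user": "ana@example.com", "group": "prod-admins", "privilege": "admin",
     "decision": "approve", "reviewer": "mgr-1", "decided_on": "2026-04-10",
     "justification": "on-call SRE for production"},
    {"user": "bob@example.com", "group": "prod-admins", "privilege": "admin",
     "decision": "revoke", "reviewer": "mgr-1", "decided_on": "2026-04-12", "ticket": "IT-101"},
    {"user": "carol@example.com", "group": "analysts", "privilege": "read-only",
     "decision": "approve", "reviewer": "mgr-2", "decided_on": "2026-04-09"},
    {"user": "dave@example.com", "group": "analysts", "privilege": "standard",
     "decision": "revoke", "reviewer": "mgr-2", "decided_on": "2026-04-20", "ticket": "IT-102"},
    {"user": "svc-backup@example.com", "group": "backup-service", "privilege": "admin",
     "decision": "modify", "new_group": "backup-readonly", "reviewer": "app-owner",
     "decided_on": "2026-04-14", "ticket": "IT-103"},
    {"user": "erin@example.com", "group": "analysts", "privilege": "standard",
     "decision": None, "reviewer": "mgr-3", "decided_on": None},   # never responded
]

TICKETS = {"IT-101": "closed", "IT-102": "closed", "IT-103": "open"}

# (user, group) pairs pulled from the source system after remediation (constructed).
POST_REMEDIATION_EXPORT = [
    ("ana@example.com", "prod-admins"),
    ("carol@example.com", "analysts"),
    ("dave@example.com", "analysts"),          # ticket says closed, system disagrees
    ("svc-backup@example.com", "backup-service"),
    ("erin@example.com", "analysts"),
]


def verify_remediation(attestations, post_export):
    """Check every Revoke/Modify against the source system, not the spreadsheet."""
    current = set(post_export)
    findings = []
    for a in attestations:
        old = (a["user"], a["group"])
        if a["decision"] == "revoke" and old in current:
            findings.append({"user": a["user"], "ticket": a.get("ticket"),
                             "issue": "revoked entitlement still present"})
        elif a["decision"] == "modify":
            if old in current:
                findings.append({"user": a["user"], "ticket": a.get("ticket"),
                                 "issue": "old group still present"})
            if (a["user"], a["new_group"]) not in current:
                findings.append({"user": a["user"], "ticket": a.get("ticket"),
                                 "issue": "new group not granted"})
    return findings


def privileged_without_justification(attestations):
    """Approved admin access must carry a business justification (Step 4)."""
    return [a["user"] for a in attestations
            if a["decision"] == "approve" and a["privilege"] == "admin"
            and not a.get("justification")]


def campaign_metrics(campaign, attestations, tickets, findings):
    """Summary metrics for the Step 7 evidence package."""
    due = date.fromisoformat(campaign["due"])
    total = len(attestations)
    decided = [a for a in attestations if a["decision"]]
    on_time = [a for a in decided if date.fromisoformat(a["decided_on"]) <= due]
    open_tickets = sorted(t for t, status in tickets.items() if status != "closed")
    no_response = total - len(decided)
    counts = {d: sum(1 for a in decided if a["decision"] == d)
              for d in ("approve", "revoke", "modify")}
    return {
        "system": campaign["system"],
        "lines": total,
        "reviewed": len(decided),
        "reviewed_on_time_pct": round(100 * len(on_time) / total, 1),
        "approvals": counts["approve"],
        "revocations": counts["revoke"],
        "modifications": counts["modify"],
        "no_response": no_response,
        "open_tickets": open_tickets,
        "verification_findings": len(findings),
        # Anything that keeps the campaign from being closed cleanly.
        "open_items": no_response + len(open_tickets) + len(findings),
    }


if __name__ == "__main__":
    issues = verify_remediation(ATTESTATIONS, POST_REMEDIATION_EXPORT)
    for f in issues:
        print(f"{f['user']}: {f['issue']} (ticket {f['ticket']})")
    print(campaign_metrics(CAMPAIGN, ATTESTATIONS, TICKETS, issues))
```

The sample deliberately contains a closed ticket whose revocation never reached the source system and a Modify whose ticket is still open; both show up as verification findings and keep the campaign's open-item count above zero, which is exactly the state an auditor will sample for. Store the attestation export, the post-remediation export and the metrics dictionary together with the Step 2 roster snapshot as the campaign's evidence package.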
What evidence auditors expect
Auditors typically sample:
- Policy — access review frequency and ownership
- Population — complete user list for a system
- Attestation — manager/owner approval per period
- Remediation — proof excessive access was removed
- Timeliness — campaign completed within defined window
Weak evidence: a policy saying “we review quarterly” with no roster or sign-off. Strong evidence: system-generated lists, timestamped attestations, and ticket-linked removals.
Map evidence to control language for SOC 2 (logical access), ISO 27001 (A.5/A.8 access themes), HIPAA (access establishment and review), or SOX (ITGC access).
How compliance platforms help
Spreadsheet-only reviews break at scale. Manual retracing of permissions is error-prone and hard to prove.
Strong compliance automation platforms should:
- Aggregate access data across IdP, cloud, and key SaaS apps
- Present reviewer-friendly UIs to approve/revoke in bulk
- Remind overdue reviewers and escalate non-response
- Schedule quarterly campaigns by system or department
- Map reviews to controls across ISO, SOC 2, PCI, HIPAA
- Export audit-ready reports with timestamps
- Correlate users to HR status (terminated, role change) where integrated
Automation does not remove human judgment—managers still decide if access is appropriate—but it removes copy-paste and lost email threads.
Run quarterly access reviews with SecureSlate
SecureSlate helps teams replace spreadsheet chaos with structured access review campaigns:
- Workflows for quarterly (or tiered) recertification with owners and due dates
- Integrations with identity, cloud, and business systems (200+ connectors) to pull entitlement context
- Reminders and escalation when reviewers miss deadlines
- Evidence collection mapped to SOC 2, ISO 27001, HIPAA, PCI DSS, and related frameworks
- Remediation tracking so revocations are verified—not assumed
- Continuous monitoring between quarters when access drifts (new admins, stale contractors)
Pair access reviews with joiner/mover/leaver processes and RBAC design (see the related guide on setting up role-based access controls).
Stop spending audit season reconstructing Q2 in a shared drive. Run the next quarter in a system built for proof.
FAQ
Are quarterly access reviews required for SOC 2?
SOC 2 does not mandate “quarterly” in every case—but auditors expect regular, risk-based recertification with evidence. Quarterly is a common, defensible cadence.
Who signs off on an access review?
Usually application owners or people managers attest; security/GRC owns the program and evidence package.
What is privilege creep?
Users accumulate permissions over time through role changes and one-off grants. Quarterly reviews remove unnecessary rights.
Do contractors need access reviews?
Yes. Include vendors, consultants, and non-employee accounts in scope—or explicitly document exclusions with risk acceptance.
How long should a quarterly campaign take?
With automation, active reviewer time is often days—not weeks. Budget calendar time for remediation and verification.
Can AI agents be in scope?
Yes. Any non-human identity with production access should appear on rosters or have documented exclusion rationale.
Disclaimer (legal note)
SecureSlate is not a law firm, and this article does not constitute legal advice. Access review frequency and scope should align with your risk assessment, contracts, and framework obligations. Control requirements vary—confirm with your auditor or assessor.