SOC2-CC6-ACCESS-REVIEWS
Quarterly Access Review Process
What this control does
Structured review of all user accounts and their access rights to confirm appropriateness and remove stale or excessive permissions.
Implementation guidance
Export user-access reports from each critical system quarterly. Have each system owner attest that access is still appropriate. Document reviews in a spreadsheet or GRC tool with date, reviewer, and disposition for each account. Revoke access within 5 business days of a review finding.
Requirements satisfied
Why it matters
Inactive or over-privileged user accounts create exploitable attack surface and violate the principle of least privilege, increasing the risk of unauthorized data access or system modification. Without periodic review, access creep compounds over time—especially after role changes, departures, or system migrations—leaving dormant credentials that attackers can leverage or insiders can abuse.
Evidence to collect
- Quarterly access review summary documents (spreadsheet/GRC tool export showing dates, reviewer names, account counts, and disposition for each reviewed account)
- System owner attestation forms or email approvals for the three most recent quarters, signed or dated
- Access revocation tickets or system logs showing removal/suspension of accounts within 5 business days of review findings
- User-access exports from critical systems (e.g., Active Directory, database, cloud IAM) dated at review start
Testing procedure
Select the three most recent quarterly review cycles. For each cycle, verify: (1) an automated or manual user-access report was generated from each critical system and retained; (2) system owners completed and signed an attestation document confirming account appropriateness within 30 days of review start; (3) a documented disposition (keep, revoke, modify) exists for every flagged account; (4) access revocations occurred within 5 business days of the review finding, evidenced by system logs or ticket closure records.
Common gotchas
Teams often conduct reviews but fail to enforce timely revocation—attestations sit unsigned, or accounts remain active months after being flagged. Another common error is treating the review as a "check the box" exercise by reviewing only active accounts, which misses disabled accounts left in systems and contractor accounts retained after contract end.
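Added example (not part of the control text or of any GRC tool): a small Python check that applies the testing procedure and the gotchas above to constructed records, counting business days against the 5-day revocation SLA (holidays ignored) and listing export accounts that never received a disposition. The record fields and account names are assumptions.

```python
from datetime import date, timedelta

# Constructed review log (not from a real system): disposition is keep/revoke/modify,
# revoked_on stays None until the revocation ticket closes.
REVIEW_LOG = [
    {"account": "alice", "system": "AD", "flagged_on": date(2024, 4, 1),
     "disposition": "keep", "revoked_on": None},
    {"account": "bob", "system": "AD", "flagged_on": date(2024, 4, 1),
     "disposition": "revoke", "revoked_on": date(2024, 4, 5)},   # 4 business days: ok
    {"account": "svc-legacy", "system": "DB", "flagged_on": date(2024, 4, 3),
     "disposition": "revoke", "revoked_on": date(2024, 4, 16)},  # 9 business days: late
    {"account": "carol", "system": "IAM", "flagged_on": date(2024, 4, 3),
     "disposition": "revoke", "revoked_on": None},               # still open
]

# Constructed user-access export at review start; the disabled account and the
# ex-contractor were never put in front of a reviewer (the gotcha above).
SYSTEM_EXPORT = [
    {"account": "alice", "system": "AD", "enabled": True},
    {"account": "bob", "system": "AD", "enabled": True},
    {"account": "old-admin", "system": "AD", "enabled": False},
    {"account": "svc-legacy", "system": "DB", "enabled": True},
    {"account": "carol", "system": "IAM", "enabled": True},
    {"account": "contractor-x", "system": "IAM", "enabled": True},
]

def business_days_between(start, end):
    """Count Mon-Fri days after `start` up to and including `end` (holidays ignored)."""
    days, cur = 0, start
    while cur < end:
        cur += timedelta(days=1)
        if cur.weekday() < 5:
            days += 1
    return days

def check_revocation_sla(log, sla_days=5):
    """Map each 'revoke' disposition to ok (closed within SLA), late, or open."""
    status = {}
    for r in log:
        if r["disposition"] != "revoke":
            continue
        if r["revoked_on"] is None:
            status[r["account"]] = "open"
        else:
            elapsed = business_days_between(r["flagged_on"], r["revoked_on"])
            status[r["account"]] = "ok" if elapsed <= sla_days else "late"
    return status

def unreviewed_accounts(export, log):
    """Accounts in the system export that have no disposition in the review log."""
    reviewed = {(r["system"], r["account"]) for r in log}
    return sorted(a["account"] for a in export
                  if (a["system"], a["account"]) not in reviewed)
```

Every "late" or "open" result is a finding for step (4) of the testing procedure, and every name returned by unreviewed_accounts is a gap in step (3).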