Why Access Reviews Keep Failing Audits
Nearly every organization runs access reviews. Nearly every organization runs them poorly. The typical process looks like this: someone in IT exports a user list from the IdP, pastes it into a spreadsheet, emails it to managers, and hopes the responses come back before the audit window closes. Managers click “approve all” because reviewing 300 line items is not a productive use of their Wednesday afternoon. The spreadsheet gets saved to a SharePoint folder. Three months later, the auditor finds it, asks five questions it cannot answer, and writes a finding.
The failure is not a lack of effort. It is that the evidence does not meet the standard. Auditors are trained to look for specific qualities in review evidence, and most manual processes miss at least three of them.
The Review Lifecycle
A compliant access review follows a defined lifecycle. Each stage produces evidence, and skipping any stage creates a gap the auditor will find. The complete lifecycle has five stages.
Each stage of the access review lifecycle produces specific evidence artifacts. Skipping any stage creates a gap auditors will find.
What Constitutes Good Review Evidence
Auditors evaluate access review evidence on five dimensions. Meeting all five is what separates a clean audit from a finding. Understanding these dimensions helps you design a review process that produces compliant evidence from the start.
| Dimension | What Auditors Look For | Red Flag |
|---|---|---|
| Completeness | Every user and role in scope was reviewed | Service accounts excluded, contractors missing |
| Authority | Reviewer has management or ownership authority | IT intern reviewed DBA access |
| Timeliness | Review completed within the defined window | Q1 review completed in May |
| Specificity | Individual decisions per user-role pair | “All approved” with no per-item detail |
| Remediation | Revocation decisions were actually executed | “Revoke” marked but access still active |
Reviewer Selection and Authority
Not just anyone can review access. The reviewer must have authority over the resource or the team. Typically this means the direct manager for team-level access, the resource owner for system-level access, and the CISO or security lead for privileged and administrative access. Delegating reviews to someone without authority is a common finding.
A good practice is to encode reviewer authority in your access management platform: when a review campaign is generated, reviewers are assigned automatically based on resource ownership metadata. The platform enforces that a manager can only review their direct reports’ access, and a resource owner can only review access to their resources.
Reviewer Authority Matrix
Team managers review general team access (development tools, staging environments, internal apps). Resource owners review system-specific access (production databases, cloud accounts, infrastructure). Security team reviews privileged and administrative access (root, admin, service accounts). This separation ensures both domain knowledge and organizational authority.
Point-in-Time Snapshot Requirements
The snapshot is the foundation of the entire review. It must be a point-in-time capture of every user-role-resource mapping that existed at the moment the review was initiated. The snapshot must be immutable: once generated, it cannot be modified. If a user gains or loses access after the snapshot is taken, that change does not affect the current review — it will be captured in the next cycle.
Auditors specifically check that the snapshot was generated from authoritative sources (the IdP, the access management platform, the cloud IAM console) and that it includes all identity types: employees, contractors, service accounts, and break-glass accounts.
Decision Documentation
Each line item in the review must have an explicit decision: Certify (access is appropriate, keep it), Revoke (access is no longer needed, remove it), or Exception (access is unusual but justified for a documented reason). Blank entries are findings. Bulk “approve all” without per-item rationale is a finding. Reviewers must understand what they are approving.
- Certify: “Jane needs production read access for on-call duties as per SRE role requirements.”
- Revoke: “Bob moved to the marketing team in Q2 and no longer needs staging SSH access.”
- Exception: “Contractor Alex retains database access for the ongoing migration project. Review again in 60 days.”
Exception Handling and Rationale
Exceptions are not failures — they are evidence of thoughtful decision-making. An auditor would rather see a well-documented exception than a rubber-stamped approval. The exception record must include the business justification, an expiration date or re-review trigger, the name of the person who authorized the exception, and any compensating controls in place.
Common valid exceptions include: contractors with project-specific access that will expire at a known date, engineers with cross-team access required by an active incident response, and service accounts that require legacy access during a migration. The key is documentation: an undocumented exception is indistinguishable from an oversight.
Remediation Proof: Actual Removal vs. Just Approval
This is the area where the most access reviews fail. The reviewer marks a line item as “revoke,” but nobody actually removes the access. The auditor then tests a sample of revocations and finds that the user still has active credentials. This is a guaranteed finding.
Remediation Is Not Optional
A “revoke” decision that is not executed is worse than no review at all. It shows that the organization identified unauthorized access and then failed to act on it. Auditors treat this as a control failure, not a documentation gap. The remediation must be provable: before-state, action taken, after-state, and a timestamp showing the removal happened within the SLA window.
Strong remediation evidence includes:
- Before-state: screenshot or log showing the user had the access at the time of the review decision
- Action log: system log showing the access was removed, by whom, and when
- After-state: confirmation that the user no longer has the access, tested after remediation
- SLA compliance: evidence that removal happened within the defined remediation window (typically 7–14 days)
Privileged Access: Separate Review Track
Privileged accounts — root access, cluster-admin, database admin, cloud account owners — require a separate, more rigorous review track. Auditors expect privileged access to be reviewed more frequently (monthly or quarterly vs. semi-annually), by a higher-authority reviewer (CISO or security lead vs. direct manager), with more detailed justification for each certified access.
| Attribute | Standard Access Review | Privileged Access Review |
|---|---|---|
| Frequency | Quarterly or semi-annually | Monthly or quarterly |
| Reviewer authority | Direct manager or resource owner | CISO, security lead, or VP of Engineering |
| Justification depth | Role-based rationale | Named business need with expiration plan |
| Remediation SLA | 14 days | 48–72 hours |
| Compensating controls | Standard monitoring | Session recording, JIT, MFA re-verification |
Frequency Requirements by Framework
| Framework | Standard Access Review | Privileged Access Review | Notes |
|---|---|---|---|
| SOC 2 Type II | Quarterly (common practice) | Quarterly | Frequency defined by the entity, but must be consistent |
| ISO 27001 | Annually (minimum) | Semi-annually | A.9.2.5 requires regular review of access rights |
| PCI DSS 4.0 | Semi-annually | Quarterly | Requirement 7.2.5 specifically covers user account reviews |
| HIPAA | Annually (common practice) | Quarterly | No specific frequency, but “periodic” means at least annually |
| FedRAMP | Annually | Quarterly | AC-2(3) requires periodic account reviews |
Automation Strategies
Manual reviews do not scale and produce inconsistent evidence. Automation addresses both problems. A well-designed review automation platform handles snapshot generation, reviewer assignment, decision collection, remediation execution, and evidence archival — with every step timestamped and immutable.
OnePAM’s access review builder generates campaigns from live access data, assigns reviewers based on resource ownership from the users and teams configuration, enforces per-item decisions, triggers automated revocation for “revoke” decisions, and archives the complete evidence package. The result is a review that takes 12 minutes to complete instead of 4 hours — and produces evidence that passes audit without follow-up questions.
Common Failures Auditors Catch
- Missing service accounts: The review covered employees but excluded 47 service accounts with production access
- Stale review data: The snapshot used was 6 weeks old by the time the review was completed
- No remediation proof: 12 accounts marked “revoke” still had active access when the auditor tested
- Unauthorized reviewer: A junior engineer approved database admin access for senior staff
- Bulk approval: 100% approval rate with no exceptions, suggesting rubber-stamping
- Late completion: Q1 review completed in week 14, outside the defined review window
Each of these failures is preventable with automation that enforces completeness, authority, timeliness, and remediation execution. The access policy documentation shows how to configure review scopes and SLA enforcement. The OnePAM Trust Center includes a sample review evidence package you can reference when building your own process.
Automate Access Reviews That Pass Audits
OnePAM generates review campaigns from live access data, assigns reviewers by authority, enforces per-item decisions, executes revocations automatically, and archives immutable evidence packages.
Start Free Trial