User Access Review Checklist

Review Scoping and Data Pull

    List the systems covered this cycle: Entra ID / AD, Okta, M365, Salesforce, GitHub, AWS / Azure, ERP, plus any HIPAA-covered or SOX-significant apps. Tag each with its applicable framework (SOX ITGC, SOC 2 CC6, HIPAA 164.308(a)(4)) so the evidence matches what the auditor will ask for.

    Pull the source-of-truth roster from Workday / BambooHR / ADP, including department, manager, status (active / LOA / terminated), and termination date. The HRIS roster is the reconciliation baseline — every system's user list gets compared back to it.

    Export user, group and role membership from Entra ID (Get-MgUser and Get-MgGroupMember, or an Access Reviews campaign), Okta (Users and Groups API exports, plus the group rules that explain rule-assigned membership), AWS IAM (credential report for last-used dates on passwords and access keys, plus IAM Access Analyzer unused-access findings), and each in-scope SaaS app. Record the snapshot date on every export: auditors will ask what point in time the data represents.

    Diff the entitlement exports against the HRIS roster, joining on email or employee ID. Flag three buckets: terminated users still enabled, enabled accounts with no HRIS record (usually contractors or service accounts), and accounts with no logon in more than 90 days. The ghost-account count is a number the audit will ask for, so keep the per-system enabled-account totals alongside it.
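The reconciliation described in the four steps above, as an added example (not part of the checklist or of any vendor's tooling): it joins constructed HRIS and per-system exports on email, produces the three buckets, keeps per-system totals for the ghost-account number, and, for the terminated-but-active bucket, measures the termination-to-disable gap once disable timestamps are recorded. Column names, sample users, dates and the 24-hour SLA are assumptions.

```python
"""Reconcile an HRIS roster against per-system entitlement exports.

Added example for the data-pull and diff steps above, not part of the
original checklist. Inputs are constructed CSV snippets in the shape the
text describes; column names are assumptions, not any vendor's schema.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

STALE_DAYS = 90   # last-logon threshold from the checklist
SLA_HOURS = 24    # documented termination-to-disable SLA (assumed)

# Constructed HRIS roster: hypothetical people, managers and dates.
HRIS_CSV = """employee_id,email,department,manager,status,termination_date
E001,alice@example.com,Finance,dana@example.com,active,
E002,bob@example.com,Engineering,erin@example.com,terminated,2024-03-01
E003,carol@example.com,Finance,dana@example.com,LOA,
E004,dana@example.com,Finance,cfo@example.com,active,
"""

# Constructed entitlement exports, one per in-scope system.
EXPORTS_CSV = {
    "entra": """user,enabled,last_logon,roles
alice@example.com,true,2024-05-20T10:00:00Z,Finance-Users
bob@example.com,true,2024-02-28T09:00:00Z,Engineering;Domain Admins
carol@example.com,true,2023-12-01T08:00:00Z,Finance-Users
svc-backup@example.com,true,2024-05-29T01:00:00Z,Domain Admins
""",
    "aws": """user,enabled,last_logon,roles
alice@example.com,true,2024-05-25T12:00:00Z,ReadOnly
contractor-joe@example.com,true,2024-05-10T12:00:00Z,PowerUser
bob@example.com,false,2024-01-15T09:00:00Z,Admin
""",
}

# Constructed log of when each terminated account was actually disabled.
DISABLE_LOG = {("entra", "bob@example.com"): "2024-03-04T15:00:00Z"}

SNAPSHOT = datetime(2024, 6, 1, tzinfo=timezone.utc)  # point in time of the pull


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def parse_ts(value):
    """ISO-8601 with trailing Z to an aware datetime; empty string to None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def load_roster(text):
    """Index the roster by lower-cased email, the join key used for every system."""
    return {row["email"].lower(): row for row in parse_csv(text)}


def reconcile(roster, exports, as_of=SNAPSHOT, stale_days=STALE_DAYS):
    """Diff every enabled account in every export against the roster.

    Returns the three buckets as lists of (system, user) plus the enabled
    account total per system. Buckets may overlap: a terminated user who
    also has not logged on in 90 days lands in both.
    """
    buckets = {"terminated_active": [], "no_hris_record": [], "stale": []}
    totals = {}
    cutoff = as_of - timedelta(days=stale_days)
    for system, text in exports.items():
        enabled = [r for r in parse_csv(text) if r["enabled"].lower() == "true"]
        totals[system] = len(enabled)
        for r in enabled:
            user = r["user"].lower()
            hr = roster.get(user)
            if hr is None:
                buckets["no_hris_record"].append((system, user))
            elif hr["status"].lower() == "terminated":
                buckets["terminated_active"].append((system, user))
            last = parse_ts(r["last_logon"])
            if last is None or last < cutoff:
                buckets["stale"].append((system, user))
    return buckets, totals


def sla_breaches(terminated_active, roster, disable_log, sla_hours=SLA_HOURS):
    """Hours from the HRIS termination date to the recorded disable, and whether
    that exceeds the SLA. Assumes the HRIS date means 00:00 UTC on that day;
    an account with no disable entry is still live and is reported as None.
    """
    out = {}
    for system, user in terminated_active:
        term = parse_ts(roster[user]["termination_date"] + "T00:00:00Z")
        disabled = parse_ts(disable_log.get((system, user), ""))
        hours = None if disabled is None else (disabled - term).total_seconds() / 3600
        out[(system, user)] = (hours, hours is None or hours > sla_hours)
    return out


if __name__ == "__main__":
    roster = load_roster(HRIS_CSV)
    buckets, totals = reconcile(roster, EXPORTS_CSV)
    for name, rows in buckets.items():
        print(f"{name}: {rows}")
    print("enabled per system:", totals)
    print("SLA:", sla_breaches(buckets["terminated_active"], roster, DISABLE_LOG))
```

Run it against real exports by swapping the constructed strings for file contents; the only thing that has to hold is the join key, so normalize email case and strip aliases before the diff or the no-HRIS bucket fills with false positives.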

Account Verification

    For each terminated user still active in any system: disable in Entra ID, revoke sessions, and document the disable timestamp vs. the HRIS termination date. SOX and SOC 2 both look at the gap — anything beyond the documented SLA (typically 24 hours) is a finding.

    List every non-human account: service accounts, shared mailboxes, break-glass accounts, application identities. Each needs a named human owner, a documented purpose, and a last-rotation date. Orphaned service accounts running as Domain Admin are a recurring audit finding.

    Any account with no interactive logon in 90+ days gets flagged for manager confirmation. Stale accounts are a favored foothold for an attacker: nobody notices when they start being used, and they often retain entitlements from a prior role. Default action is disable; the manager must justify retention in writing.

    Run the Entra ID MFA registration report and the Okta factor enrollment report, and reconcile both against the roster so every active human has a registered factor. Then verify that Conditional Access blocks legacy basic-auth clients (IMAP / POP / SMTP AUTH / Exchange ActiveSync and the rest of the legacy client-app list): those protocols cannot complete an MFA challenge, so MFA registered with legacy auth still allowed is a bypass auditors specifically test for. Do not rely on Exchange Online's 2022 retirement of basic auth alone; SMTP AUTH can still be enabled per mailbox, and the sign-in log, not the policy page, is the evidence that legacy sign-ins actually fail.
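The MFA and legacy-auth check from the last item above, as an added example that is not part of the checklist or of Microsoft's tooling. It cross-references a constructed registration report with a constructed sign-in log sample and separates users who are unregistered from users who are registered but still signing in over a legacy protocol. The record fields are modelled on the Microsoft Graph signIn and userRegistrationDetails resources as an assumption; confirm them against your own export.

```python
"""Check MFA coverage against what the sign-in log actually shows.

Added example, not part of the original checklist. The records below are
constructed to mirror the Microsoft Graph signIn and userRegistrationDetails
resources (clientAppUsed, authenticationRequirement, conditionalAccessStatus,
status.errorCode, isMfaRegistered). Treat those field names as an assumption
and confirm them against your own export before relying on the output.
"""

# Client app values Entra ID sign-in logs use for legacy authentication.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "Autodiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book",
    "Outlook Anywhere (RPC over HTTP)", "Outlook Service", "POP3",
    "Reporting Web Services", "Other clients",
}

# Constructed MFA registration report.
REGISTRATION = [
    {"userPrincipalName": "alice@example.com", "isMfaRegistered": True},
    {"userPrincipalName": "bob@example.com", "isMfaRegistered": True},
    {"userPrincipalName": "carol@example.com", "isMfaRegistered": False},
    {"userPrincipalName": "svc-scanner@example.com", "isMfaRegistered": False},
]

# Constructed sign-in log sample. errorCode 0 is success; 53003 is the code
# Entra ID returns when Conditional Access blocks the sign-in.
SIGNINS = [
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com",
     "clientAppUsed": "Authenticated SMTP",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "failure", "status": {"errorCode": 53003}},
    {"userPrincipalName": "svc-scanner@example.com", "clientAppUsed": "Browser",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
]


def mfa_review(registration, signins, legacy_apps=LEGACY_CLIENT_APPS):
    """Produce the findings the MFA check carries into the workpapers.

    not_registered:          users with no MFA method on file.
    legacy_auth_success:     successful legacy-protocol sign-ins; these
                             protocols never complete an MFA challenge.
    legacy_auth_blocked:     legacy attempts Conditional Access stopped,
                             the evidence that the block policy is live.
    single_factor_success:   successful modern sign-ins with no policy
                             applied and only one factor presented.
    registered_but_bypassed: MFA-registered users in legacy_auth_success,
                             the exact bypass the checklist warns about.
    """
    registered = {r["userPrincipalName"].lower()
                  for r in registration if r["isMfaRegistered"]}
    findings = {
        "not_registered": sorted(r["userPrincipalName"].lower()
                                 for r in registration if not r["isMfaRegistered"]),
        "legacy_auth_success": [], "legacy_auth_blocked": [],
        "single_factor_success": [], "registered_but_bypassed": [],
    }
    for s in signins:
        user = s["userPrincipalName"].lower()
        app = s["clientAppUsed"]
        ok = s["status"]["errorCode"] == 0
        if app in legacy_apps:
            if ok:
                findings["legacy_auth_success"].append((user, app))
                if user in registered:
                    findings["registered_but_bypassed"].append(user)
            elif s["conditionalAccessStatus"] == "failure":
                findings["legacy_auth_blocked"].append((user, app))
        elif (ok and s["authenticationRequirement"] == "singleFactorAuthentication"
              and s["conditionalAccessStatus"] != "success"):
            findings["single_factor_success"].append((user, app))
    return findings


if __name__ == "__main__":
    for name, rows in mfa_review(REGISTRATION, SIGNINS).items():
        print(f"{name}: {rows}")
```

The registered_but_bypassed list is the one to hand the auditor: a user can be fully MFA-registered and still authenticate with just a password over IMAP if the block policy is missing or scoped too narrowly, and only the sign-in log shows that.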

Entitlement and Role Review

    Send each people manager their direct reports' entitlements per system. Use Entra ID Access Reviews, SailPoint, or a tracked spreadsheet — whichever your auditor has accepted before. Set a 10-business-day response SLA and copy the manager's VP on the request.

    Walk Domain Admins, Enterprise Admins, Global Administrators, AWS account root users and Organizations management-account administrators, and every other Tier 0 group line by line with the security lead. Privileged group membership gets the most auditor scrutiny: every member needs a documented business justification, not just a manager's nod.

    For SOX-significant systems (ERP, financial close apps), run the SoD matrix: no single user can both create and approve a vendor, post and approve a journal entry, or change pay rates and approve payroll. Document mitigating controls for any unavoidable conflict.

    Tally returned attestations: approved as-is, modify entitlement, or revoke access. Non-responses default to revoke after escalation to the VP. The completeness percentage is a number the audit asks for — anything below 100% needs a documented exception.

    Execute the revoke list in each source system (Entra ID, Okta groups, AWS IAM, app-level roles). Capture before / after screenshots or API confirmations as evidence. Revocations must trace back to the named manager who requested them.
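The SoD matrix step above, as an added example (not part of the checklist or of any ERP): it encodes the three conflicts the text names, expands roles to permissions before checking so that a composite role carrying both sides of a conflict on its own is caught, and splits hits into conflicts to remediate and conflicts covered by a documented mitigating control. Role names, permission names, user assignments and the mitigation register are constructed.

```python
"""Segregation-of-duties check over an ERP role export.

Added example, not part of the original checklist. The conflict matrix
encodes the three conflicts named in the text; role names, permission
names, user assignments and the mitigation register are constructed and
will not match any real ERP.
"""

# (conflict id, permission A, permission B): holding both is a conflict.
SOD_MATRIX = [
    ("SOD-01", "Vendor.Create", "Vendor.Approve"),
    ("SOD-02", "Journal.Post", "Journal.Approve"),
    ("SOD-03", "Payroll.RateChange", "Payroll.Approve"),
]

# Roles expand to permissions. Checking at the permission level matters
# because a composite role can carry both sides of a conflict by itself.
ROLE_PERMISSIONS = {
    "AP-Clerk": {"Vendor.Create", "Invoice.Enter"},
    "AP-Manager": {"Vendor.Approve", "Invoice.Approve"},
    "GL-Accountant": {"Journal.Post"},
    "Controller": {"Journal.Approve", "Vendor.Approve"},
    "Payroll-Admin": {"Payroll.RateChange", "Payroll.Run"},
    "Payroll-Approver": {"Payroll.Approve"},
    "Finance-Superuser": {"Journal.Post", "Journal.Approve"},
}

# Constructed role export: user -> roles held.
ASSIGNMENTS = {
    "alice@example.com": {"AP-Clerk", "GL-Accountant"},
    "dana@example.com": {"AP-Manager", "Controller", "Payroll-Approver"},
    "erin@example.com": {"Finance-Superuser"},
    "frank@example.com": {"Payroll-Admin", "Payroll-Approver"},
}

# Mitigating controls accepted for conflicts that cannot be removed,
# keyed by (user, conflict id). Constructed.
MITIGATIONS = {
    ("frank@example.com", "SOD-03"):
        "CFO reviews the payroll register before every run",
}


def roles_granting(roles, permission, role_permissions=ROLE_PERMISSIONS):
    """Which of a user's roles supply a permission, sorted for stable output."""
    return sorted(r for r in roles if permission in role_permissions.get(r, ()))


def sod_conflicts(assignments, matrix=SOD_MATRIX, role_permissions=ROLE_PERMISSIONS):
    """Return (user, conflict id, roles granting A, roles granting B) per hit."""
    hits = []
    for user, roles in sorted(assignments.items()):
        for cid, a, b in matrix:
            via_a = roles_granting(roles, a, role_permissions)
            via_b = roles_granting(roles, b, role_permissions)
            if via_a and via_b:
                hits.append((user, cid, via_a, via_b))
    return hits


def classify(hits, mitigations=MITIGATIONS):
    """Split hits into those to remediate and those with a documented control."""
    unmitigated, mitigated = [], []
    for user, cid, via_a, via_b in hits:
        note = mitigations.get((user, cid))
        if note:
            mitigated.append((user, cid, note))
        else:
            unmitigated.append((user, cid, via_a, via_b))
    return unmitigated, mitigated


if __name__ == "__main__":
    todo, accepted = classify(sod_conflicts(ASSIGNMENTS))
    print("remediate:", todo)
    print("documented exceptions:", accepted)
```

The roles-granting lists are what the remediation ticket needs: for the Finance-Superuser case the fix is to split the role, not to remove a user from it, and the output makes that visible.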

Approval Process Audit

    Pull a sample of tickets from ServiceNow / Jira Service Management / Freshservice covering new hires, transfers, and ad-hoc access requests (25 is a common size for a quarterly population). Use the sample size your SOC 2 auditor agreed to, and document the population, its count, and the selection method (for example, random with a recorded seed) so the pick can be reproduced.

    For each sampled ticket, confirm the requester, approver (manager + system owner where required), approval timestamp, and that the granted access matches what was approved. Verbal approvals or self-approvals are findings.

    For each bypass (access present in a system with no matching approved ticket, or a sampled ticket that fails the checks above): identify the user, the access granted without valid approval, the system owner notified, and the corrective action (revoke and re-request, or retroactive approval with a documented justification). File the remediation plan with the security lead before the cycle closes.
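The sample test from the three items above, as an added example (not part of the checklist or of any ticketing product): it draws a reproducible sample from a constructed ticket population and runs each ticket through the checks the text names, flagging self-approvals, approvals given outside the ticket, privileged grants without a system-owner approval, grants that differ from what was approved, and grants that pre-date the approval. Field names and the privileged-role list are assumptions.

```python
"""Test a sample of access-request tickets for approval-control failures.

Added example, not part of the original checklist. Ticket records are
constructed with the fields the text says to verify; the field names are
assumptions, not the schema of ServiceNow, Jira Service Management or
Freshservice. The set of roles counted as privileged is also an assumption.
"""
import random
from datetime import datetime

PRIVILEGED = {"Domain Admins", "GitHub-Admin", "AWS-Admin"}

# Constructed population of closed access-request tickets for the quarter.
TICKETS = [
    {"id": "ACC-101", "type": "new_hire", "user": "alice@example.com",
     "requester": "hr-onboarding@example.com", "approver": "dana@example.com",
     "system_owner_approver": None, "channel": "ticket",
     "approved_at": "2024-04-02T10:00:00", "granted_at": "2024-04-02T11:00:00",
     "requested": {"Finance-Users"}, "granted": {"Finance-Users"}},
    {"id": "ACC-102", "type": "ad_hoc", "user": "bob@example.com",
     "requester": "bob@example.com", "approver": "bob@example.com",
     "system_owner_approver": None, "channel": "ticket",
     "approved_at": "2024-04-10T09:00:00", "granted_at": "2024-04-10T09:30:00",
     "requested": {"Salesforce-Reports"}, "granted": {"Salesforce-Reports"}},
    {"id": "ACC-103", "type": "transfer", "user": "carol@example.com",
     "requester": "carol@example.com", "approver": "erin@example.com",
     "system_owner_approver": None, "channel": "verbal",
     "approved_at": "2024-04-15T14:00:00", "granted_at": "2024-04-15T15:00:00",
     "requested": {"Engineering"}, "granted": {"Engineering"}},
    {"id": "ACC-104", "type": "ad_hoc", "user": "greg@example.com",
     "requester": "greg@example.com", "approver": "hank@example.com",
     "system_owner_approver": None, "channel": "ticket",
     "approved_at": "2024-04-22T10:00:00", "granted_at": "2024-04-22T10:05:00",
     "requested": {"GitHub-Read"}, "granted": {"GitHub-Read", "GitHub-Admin"}},
    {"id": "ACC-105", "type": "new_hire", "user": "ivan@example.com",
     "requester": "hr-onboarding@example.com", "approver": "erin@example.com",
     "system_owner_approver": None, "channel": "ticket",
     "approved_at": "2024-05-03T16:00:00", "granted_at": "2024-05-03T09:00:00",
     "requested": {"Engineering"}, "granted": {"Engineering"}},
    {"id": "ACC-106", "type": "transfer", "user": "dana@example.com",
     "requester": "dana@example.com", "approver": "cfo@example.com",
     "system_owner_approver": "it-ops-lead@example.com", "channel": "ticket",
     "approved_at": "2024-05-20T10:00:00", "granted_at": "2024-05-20T12:00:00",
     "requested": {"Domain Admins"}, "granted": {"Domain Admins"}},
]


def check_ticket(ticket, privileged=PRIVILEGED):
    """Return the control failures for one ticket; an empty list means it passed."""
    findings = []
    approver = ticket.get("approver")
    if not approver:
        findings.append("no_approver")
    elif approver in (ticket["requester"], ticket["user"]):
        findings.append("self_approval")
    if ticket["channel"] != "ticket":
        findings.append("verbal_approval")  # approval not captured in the tool
    if ticket["granted"] & privileged and not ticket.get("system_owner_approver"):
        findings.append("missing_system_owner")
    if ticket["granted"] != ticket["requested"]:
        findings.append("scope_mismatch")
    if ticket.get("approved_at") and (datetime.fromisoformat(ticket["granted_at"])
                                      < datetime.fromisoformat(ticket["approved_at"])):
        findings.append("granted_before_approval")
    return findings


def select_sample(population, size, seed):
    """Reproducible random sample; record seed, size and population count in the workpaper."""
    ids = sorted(t["id"] for t in population)
    chosen = set(random.Random(seed).sample(ids, min(size, len(ids))))
    return [t for t in population if t["id"] in chosen]


def audit_sample(sample, privileged=PRIVILEGED):
    """Map ticket id to findings; also return the exception count and request types covered."""
    results = {t["id"]: check_ticket(t, privileged) for t in sample}
    exceptions = sum(1 for f in results.values() if f)
    return results, exceptions, sorted({t["type"] for t in sample})


if __name__ == "__main__":
    results, exceptions, types = audit_sample(select_sample(TICKETS, 25, seed=2024))
    for tid, f in results.items():
        print(tid, "PASS" if not f else ", ".join(f))
    print(f"{exceptions} exceptions; request types covered: {types}")
```

The types-covered output is the check that the sample actually spans new hires, transfers and ad-hoc requests; if a type is missing, widen the sample rather than reporting on a population the auditor did not agree to.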

Reporting and Sign-Off

    Bundle the entitlement snapshots, attestation responses, revocation evidence, and approval-sample workpapers into a single dated package. Index it the way your auditor's PBC (provided-by-client) request list expects; workpapers without an index get re-requested.

    SOX and SOC 2 expect access reviews on a regular cadence — quarterly is the most common. Put the next cycle on the calendar with the data-pull date locked, so the population is reproducible.

    Final sign-off captures the review outcome, exceptions accepted, and the next review date. The CISO or Director of IT signs as control owner; for SOX-significant systems, the application owner co-signs.

Use this template in Manifestly
