Access Reviews for SOC 2: What They Are, How Often You Need Them, and What Auditors Actually Check

If there is one SOC 2 control that consistently produces audit findings across SaaS companies of every size, it is the access review. Not because it is technically complex. Because it is operationally inconvenient — and most teams treat it that way until an auditor asks for evidence.

Here is what access reviews actually require, why they matter, and what separates a review that satisfies an auditor from one that creates a finding.

What an Access Review Is

An access review is a documented, periodic process in which your organization verifies that the right people have the right level of access to the right systems — and that anyone who shouldn't still have access, doesn't.

That sounds straightforward. In practice, it requires you to:

  • Pull a current user list from every system in scope.

  • Compare that list against current employment status and role.

  • Identify accounts that belong to terminated employees, contractors whose engagements have ended, or users whose roles have changed since access was originally granted.

  • Document what you found, what action was taken, and who approved the review.

The operative word in all of that is "documented." An access review that happened but wasn't recorded is, from an auditor's perspective, an access review that didn't happen.

Which SOC 2 Criteria Require It

Access reviews map primarily to CC6.2 and CC6.3 in the SOC 2 Trust Services Criteria. CC6.2 requires that access is granted based on authorization and that credentials are issued appropriately. CC6.3 requires that access is removed when no longer needed, and that the process for doing so is controlled and evidenced.

Auditors testing these criteria will ask for your access review logs, your offboarding records, and your process documentation. They will sample specific users and verify that access changes match the documented review outcomes. A compliance readiness assessment can identify where your current access control evidence falls short before an auditor does.

How Often Access Reviews Need to Happen

SOC 2 does not prescribe a specific frequency. What it requires is that your policy defines a frequency and that you actually execute reviews at that interval.

Most organizations commit to quarterly reviews in their access control policy. Some go semi-annual. Either can pass a SOC 2 audit — but only if the reviews are actually performed and documented on schedule. Quarterly is the safer commitment because it reduces the blast radius of any access that shouldn't exist. An account left active for six months after a termination is a much more serious finding than one caught within 90 days.

Where teams get into trouble is committing to quarterly in their policy and then producing zero evidence of reviews during a Type II audit period. That is not a minor gap. That is a material finding against a control you told your auditor you had.

What Auditors Actually Look For

Beyond frequency, auditors are evaluating whether your access review process has integrity. Specifically, they want to see:

A defined owner. Someone is responsible for initiating, performing, and closing each review cycle. "The team handles it" is not a sufficient answer.

Evidence of remediation. When a review identifies access that should be removed, is there a ticket, a record, a system log showing the access was actually revoked? Identifying a problem and not acting on it is worse than not finding it at all.

Coverage across in-scope systems. If your SOC 2 scope includes your cloud infrastructure, your production database, your code repository, and your support tooling, your access reviews need to cover all of them. Auditors will check whether your review process is comprehensive or selective.

Separation between reviewer and reviewee. A manager reviewing their own access, or an engineer approving access to systems they administer, undermines the control. Reviews need to involve someone with authority to make access decisions who is independent of the accounts being reviewed.
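As an added example (not part of the original post), the four reconciliation steps listed under "What an Access Review Is" and the integrity checks above, expressed as one small Python script: it compares per-system user exports against an HR roster, attaches remediation evidence to each finding, and then checks the resulting record for a defined owner, full coverage of in-scope systems, evidence for every finding, and reviewer independence. Every system name, account, employee id and ticket id is constructed sample data, and the function names (`reconcile`, `record_review`, `validate_review`) are assumptions, not an API of any compliance platform.

```python
"""Toy SOC 2 access-review reconciliation and evidence check.

Added example, not from the original post. All roster entries, system
exports, accounts and ticket ids are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed HR roster: employee id -> (employment status, current role)
HR_ROSTER = {
    "e100": ("active", "sre"),
    "e101": ("active", "support"),
    "e102": ("terminated", "sre"),     # left the company last month
    "e103": ("active", "sre"),         # moved from support to sre
    "c200": ("active", "contractor"),
    "c201": ("ended", "contractor"),   # contractor engagement finished
}

# Constructed per-system exports: system -> {account: (employee id, role access was granted for)}
SYSTEM_EXPORTS = {
    "aws": {"alice": ("e100", "sre"), "bob": ("e102", "sre"), "dana": ("e103", "support")},
    "prod-db": {"alice": ("e100", "sre"), "svc-report": (None, "service")},
    "github": {"alice": ("e100", "sre"), "carl": ("c201", "contractor"), "dana": ("e103", "sre")},
    "helpdesk": {"erin": ("e101", "support")},
}

# Systems the (constructed) SOC 2 scope says must be covered by every review cycle
IN_SCOPE = ["aws", "prod-db", "github", "helpdesk"]


@dataclass
class Finding:
    system: str
    account: str
    reason: str
    remediation_ticket: Optional[str] = None  # evidence that the access was actually changed


@dataclass
class ReviewRecord:
    owner: str                      # the person accountable for this cycle
    reviewer_accounts: set[str]     # accounts the reviewer personally holds
    review_date: date
    systems_reviewed: list[str]
    reviewed_accounts: set[str]     # every account that appeared in the exports
    findings: list[Finding] = field(default_factory=list)


def reconcile(exports, roster):
    """Step 1-3: compare each system's account list with HR status and role."""
    findings = []
    for system, accounts in exports.items():
        for account, (emp_id, granted_role) in accounts.items():
            if emp_id is None:
                findings.append(Finding(system, account, "no owner in HR roster"))
                continue
            record = roster.get(emp_id)
            if record is None:
                findings.append(Finding(system, account, "unknown employee id"))
                continue
            status, current_role = record
            if status in ("terminated", "ended"):
                findings.append(Finding(system, account, f"owner status is {status}"))
            elif current_role != granted_role:
                findings.append(Finding(system, account, f"role changed {granted_role} -> {current_role}"))
    return findings


def record_review(owner, reviewer_accounts, exports, roster, tickets):
    """Step 4: run the reconciliation and attach remediation evidence per finding."""
    findings = reconcile(exports, roster)
    for f in findings:
        f.remediation_ticket = tickets.get((f.system, f.account))
    reviewed = {acct for accounts in exports.values() for acct in accounts}
    return ReviewRecord(owner=owner, reviewer_accounts=set(reviewer_accounts),
                        review_date=date.today(), systems_reviewed=sorted(exports),
                        reviewed_accounts=reviewed, findings=findings)


def validate_review(record, in_scope):
    """Return the problems an auditor would raise; an empty list means the evidence holds up."""
    problems = []
    if not record.owner:
        problems.append("no defined owner")
    missing = sorted(set(in_scope) - set(record.systems_reviewed))
    if missing:
        problems.append(f"coverage gap: {missing}")
    own = sorted(record.reviewer_accounts & record.reviewed_accounts)
    if own:
        problems.append(f"reviewer reviewed own access: {own}")
    for f in record.findings:
        if f.remediation_ticket is None:
            problems.append(f"{f.system}/{f.account}: finding without remediation evidence")
    return problems


if __name__ == "__main__":
    tickets = {("aws", "bob"): "IT-101", ("aws", "dana"): "IT-102",
               ("prod-db", "svc-report"): "IT-103", ("github", "carl"): "IT-104"}
    rec = record_review("security-lead", ["frank"], SYSTEM_EXPORTS, HR_ROSTER, tickets)
    for f in rec.findings:
        print(f"{f.system}/{f.account}: {f.reason} -> {f.remediation_ticket}")
    print("problems:", validate_review(rec, IN_SCOPE))
```

Run as-is, the script reports four findings (a terminated employee, an ended contractor, a role change, and an ownerless service account) and no problems, because every finding carries a ticket id, all four in-scope systems were exported, and the reviewer holds no account in them. Drop the helpdesk export, leave the tickets empty, or name a reviewer who appears in the exports, and `validate_review` returns exactly the gaps the section above describes.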

The Offboarding Connection

Access reviews and offboarding checklists are two sides of the same control. If your offboarding process reliably terminates access within 24 hours of a departure, your quarterly reviews become a verification step rather than a remediation exercise. If your offboarding is inconsistent, access reviews become the last line of defense against terminated user accounts sitting active in production systems.

Both need to exist. Neither substitutes for the other. Our compliance program services include building the governance structure that ties these controls together into a process your team can actually sustain.

A Practical Starting Point

If you have never run a formal access review, the first one is the hardest. Pulling complete, accurate user lists from every in-scope system takes longer than expected. Reconciling that list against HR records surfaces surprises. The process gets significantly easier after the first cycle, particularly if you use a compliance automation platform like Vanta or Drata to maintain continuous visibility into user access.

The goal is not a perfect first review. The goal is a documented first review that demonstrates your process works and that identified issues were resolved. That evidence base is what your auditor will evaluate.

Book a discovery call to talk through where your access control program currently stands.
