
Automated Access Review Evidence

Replace spreadsheet-driven access recertification with a governed, auditable workflow.

Area: Compliance and IT | Process: User Access Review and Recertification | Impact: High | Complexity: Medium

The problem

Periodic user access reviews are a core control for SOX, ISO 27001, SOC 2 and most internal audit frameworks. In practice, they are often run through a patchwork of spreadsheets, system exports and email chains. Someone in IT pulls user lists from Active Directory, the ERP, the CRM and a handful of SaaS tools. Those exports are emailed to managers, who tick boxes in Excel and send them back. Evidence is then collated manually, exceptions are chased over email, and the final pack is stitched together just in time for the auditor.

The data is rarely consistent. Leavers still appear in some systems. Job titles do not match across platforms. Reviewers approve access they do not fully understand because the spreadsheet does not explain what the entitlement actually grants.

Why it matters

Access reviews are one of the most scrutinised controls in any audit. Weak evidence, missed reviewers or unexplained exceptions lead to control deficiencies, management letter points and, in regulated environments, reportable issues. Beyond audit, poor access hygiene is a direct security risk: dormant accounts, excessive privileges and unreviewed service accounts are common routes to incidents.

The manual approach also consumes significant time from IT, compliance and line managers every quarter, with little assurance that the review was meaningful rather than a tick-box exercise.

The opportunity

A no-code, governed workflow can pull user and entitlement data directly from source systems, normalise it, route review tasks to the right managers, capture decisions with a full audit trail, and produce evidence packs automatically. AI can assist by summarising what each entitlement means in plain language, highlighting unusual access patterns and drafting reviewer commentary for sign-off, provided that AI-generated text is labelled as such in the record and the approve or revoke decision itself remains the reviewer's.

The goal is not to remove human judgement, but to give reviewers better information and to make the evidence trail complete, consistent and repeatable.

Example workflow

1. Connect the source data

Pull user, role and entitlement data from Active Directory, Entra ID, the ERP, the CRM, finance systems and key SaaS platforms. Include HR data for joiners, movers and leavers. Extract with read-only credentials and record the extraction time for each system, so the evidence pack shows exactly what was in scope and when the snapshot was taken.

2. Standardise and prepare the data

Map users to a single identity, reconcile job titles and departments against HR, and flag service accounts, shared accounts and privileged accounts separately.

3. Apply business logic

Group entitlements by system and risk level. Identify users with access that does not match their current role, leavers still active in any system, and accounts with no login activity for a defined period.

4. Run checks and controls

Validate data completeness against HR headcount. Check for missing reviewers, duplicate accounts and entitlements with no clear owner. Flag segregation of duties conflicts.

5. Produce outputs

Generate reviewer-specific task lists with plain-language descriptions of each entitlement. Route them through a structured approval workflow with timestamps, comments and digital sign-off.

6. Review exceptions

Surface revocations, disputed access and unresponsive reviewers in a single exceptions dashboard. Track remediation through to closure.

7. Move to governed operation

Schedule the review on a quarterly or half-yearly cycle. Lock down the workflow, version-control the logic, and produce a complete evidence pack for audit on demand.
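The following is an added example, not code from the page or from 4th Revolution, showing steps 2 to 5 of the workflow above on constructed data: accounts from three systems are mapped to a single HR identity by normalised e-mail, service accounts are split out for separate review, leavers still active, dormant accounts, duplicate accounts, role mismatches and segregation-of-duties conflicts are flagged, completeness is checked against HR, and reviewer task lists are built with plain-language entitlement text. Every record, role name, title and e-mail address is invented for the example, and the role catalogue, expected-role map and SoD pairs are hypothetical tables a control owner would maintain.

```python
"""Added example (not the page's or 4th Revolution's code): prepare an access review
from constructed exports. All records, roles, titles and addresses are invented."""
from collections import defaultdict
from datetime import date

AS_OF = date(2024, 6, 30)      # review cut-off date
DORMANT_DAYS = 90              # no login for longer than this => dormant

# Constructed HR feed (joiners, movers, leavers). Email is the join key to each system.
HR = [
    {"id": "E100", "email": "Alice.Smith@example.com", "manager": "carol.ng@example.com", "status": "active", "title": "AP Clerk"},
    {"id": "E101", "email": "bob.jones@example.com", "manager": "carol.ng@example.com", "status": "leaver", "title": "AR Analyst"},
    {"id": "E102", "email": "carol.ng@example.com", "manager": "dave.lee@example.com", "status": "active", "title": "Finance Manager"},
    {"id": "E103", "email": "erin.kim@example.com", "manager": None, "status": "active", "title": "Controller"},
]
# Constructed account exports from AD (core identity platform), the ERP and the CRM.
ACCOUNTS = [
    {"system": "AD",  "account": "alice.smith", "email": "alice.smith@example.com", "last_logon": date(2024, 6, 28)},
    {"system": "AD",  "account": "a.smith",     "email": "alice.smith@example.com", "last_logon": date(2024, 6, 1)},
    {"system": "ERP", "account": "ASMITH",      "email": "ALICE.SMITH@EXAMPLE.COM", "last_logon": date(2024, 6, 27)},
    {"system": "ERP", "account": "BJONES",      "email": "bob.jones@example.com",   "last_logon": date(2024, 5, 2)},
    {"system": "CRM", "account": "carol",       "email": "carol.ng@example.com",    "last_logon": date(2024, 1, 15)},
    {"system": "AD",  "account": "carol.ng",    "email": "carol.ng@example.com",    "last_logon": date(2024, 6, 29)},
    {"system": "ERP", "account": "EKIM",        "email": "erin.kim@example.com",    "last_logon": date(2024, 6, 20)},
    {"system": "AD",  "account": "svc_backup",  "email": None,                      "last_logon": date(2024, 6, 30)},
    {"system": "ERP", "account": "TEMP01",      "email": "nobody@example.com",      "last_logon": None},
]
ENTITLEMENTS = [
    {"system": "ERP", "account": "ASMITH", "role": "AP_INVOICE_ENTRY"},
    {"system": "ERP", "account": "ASMITH", "role": "AP_PAYMENT_RELEASE"},
    {"system": "ERP", "account": "BJONES", "role": "AR_VIEW"},
    {"system": "ERP", "account": "EKIM",   "role": "GL_POST"},
    {"system": "CRM", "account": "carol",  "role": "CRM_ADMIN"},
]
# Hypothetical business-logic tables the control owner maintains.
ROLE_TEXT = {
    "AP_INVOICE_ENTRY": "Create and edit supplier invoices",
    "AP_PAYMENT_RELEASE": "Approve and release supplier payments",
    "AR_VIEW": "Read-only view of customer receivables",
    "GL_POST": "Post journals to the general ledger",
    "CRM_ADMIN": "Full CRM administrator, including user management",
}
EXPECTED_ROLES = {"AP Clerk": {"AP_INVOICE_ENTRY"}, "AR Analyst": {"AR_VIEW"},
                  "Finance Manager": {"CRM_ADMIN"}, "Controller": {"GL_POST"}}
SOD_PAIRS = [frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"})]
SERVICE_PREFIXES = ("svc_", "sa_")


def norm(email):
    """Single identity key: the same person's e-mail differs in case between systems."""
    return email.strip().lower() if email else None


def prepare_review(hr=HR, accounts=ACCOUNTS, entitlements=ENTITLEMENTS, as_of=AS_OF):
    """Return (findings, tasks): findings keyed by check name, tasks keyed by reviewer."""
    people = {norm(p["email"]): p for p in hr}
    held = defaultdict(set)                       # "SYSTEM:account" -> roles held
    for e in entitlements:
        held[f'{e["system"]}:{e["account"]}'].add(e["role"])
    findings, tasks, systems_of, seen = defaultdict(list), defaultdict(list), defaultdict(set), set()
    for a in accounts:
        key = f'{a["system"]}:{a["account"]}'
        if a["account"].startswith(SERVICE_PREFIXES):
            findings["service_accounts"].append(key)   # reviewed separately, by a named owner
            continue
        person = people.get(norm(a["email"]))
        if person is None:
            findings["no_owner"].append(key)           # nobody in HR to attribute it to
            continue
        if (a["system"], person["id"]) in seen:
            findings["duplicate_accounts"].append(key) # second account for one person in one system
        seen.add((a["system"], person["id"]))
        systems_of[person["id"]].add(a["system"])
        if person["status"] == "leaver":
            findings["leavers_active"].append(key)
        if a["last_logon"] is None or (as_of - a["last_logon"]).days > DORMANT_DAYS:
            findings["dormant"].append(key)
        roles = held[key]
        unexpected = roles - EXPECTED_ROLES.get(person["title"], set())
        if unexpected:
            findings["role_mismatch"].append((key, sorted(unexpected)))
        for pair in SOD_PAIRS:
            if pair <= roles:
                findings["sod_conflicts"].append((key, sorted(pair)))
        if person["manager"] is None:
            findings["missing_reviewer"].append(key)   # nobody to route the task to
            continue
        for r in sorted(roles):                        # reviewer sees meaning, not a raw code
            tasks[person["manager"]].append({"user": norm(person["email"]), "account": key,
                                             "role": r, "meaning": ROLE_TEXT.get(r, "UNDESCRIBED: " + r)})
    # Completeness: every active person in HR must hold an account in the core identity platform.
    for p in hr:
        if p["status"] == "active" and "AD" not in systems_of[p["id"]]:
            findings["missing_from_identity"].append(p["id"])
    return dict(findings), dict(tasks)


if __name__ == "__main__":
    print(*(f"{k}: {v}" for k, v in prepare_review()[0].items()), sep="\n")
```

Run as a script it prints one line per check. On the constructed data it reports the leaver still holding an ERP account, the dormant CRM administrator, the unowned ERP account, the duplicate AD account, the AP clerk who can both enter invoices and release payments, the controller with no manager to review her, and the active employee with no identity-platform account at all. Roles with no catalogue entry are surfaced as "UNDESCRIBED" rather than silently passed to the reviewer, which is the gap that drives rubber-stamping in spreadsheet reviews.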

What good looks like

  • A single source of truth for users, roles and entitlements across all in-scope systems.
  • Reviewers see entitlements explained in business language, not raw technical codes.
  • Every decision is timestamped, attributed and stored with supporting context.
  • Leavers and role changes are detected automatically, not at the next review cycle.
  • Exceptions are tracked to closure with clear ownership.
  • The audit evidence pack is produced from the workflow, not rebuilt in Excel.

Benefits

For the compliance and IT teams

  • Significant reduction in manual collation, chasing and reformatting.
  • Consistent evidence that stands up to internal and external audit.
  • Faster identification of inappropriate or dormant access.

For leadership

  • Clear visibility of access risk across the estate.
  • Confidence that a key control is operating effectively.
  • Reduced likelihood of control deficiencies and audit findings.

For the wider business

  • Line managers spend less time on spreadsheets and more time making informed decisions.
  • Improved security posture and reduced risk of access-related incidents.
  • A repeatable process that scales as new systems are added.

Where to start

Begin with the systems that carry the highest risk and the most audit attention, typically the ERP, finance systems and core identity platform. Build the workflow for one review cycle, prove the evidence quality, then extend to additional systems. Resist the temptation to boil the ocean; a working workflow covering three critical systems is more valuable than a half-built solution covering thirty.

How 4th Revolution can help

4th Revolution is finance-led and data-led. We build no-code automation and embed AI where it genuinely adds value, with a strong focus on governance, controls and audit evidence. Our work on access reviews is not just about building a workflow; it is about creating a governed, repeatable process that holds up under audit and reduces the burden on your teams every cycle.

We work alongside compliance, IT and internal audit to design something pragmatic, defensible and aligned with your existing control framework.

Example outcome

Before: a quarterly access review consumed several weeks of effort across IT, compliance and line managers. Evidence was spread across emails, spreadsheets and shared drives. Auditors raised observations about incomplete reviewer sign-off and inconsistent treatment of leavers.

After: the review runs on a defined schedule from a single workflow. Data is pulled automatically, reviewers receive clear tasks with plain-language entitlement descriptions, and the evidence pack is generated at the end of the cycle. Audit observations on access reviews have closed, and the team has time back to focus on higher-value control work.

Call to action

Talk to us about this use case