How do I run a user access review for SOC 2?
What Is a User Access Review?
A user access review (UAR) is a periodic check where you verify that everyone who has access to your systems still needs it and that their level of access matches their current role. For SOC 2, auditors expect at least quarterly reviews.
How to Run One
Step 1: List Your Critical Systems
Identify every system that handles customer data or production infrastructure:
- Google Workspace / Okta (identity provider)
- AWS / GCP / Azure (cloud infrastructure)
- GitHub (code repository)
- Database (Supabase, PlanetScale, RDS)
- Application admin panel
- Monitoring tools (Sentry, DataDog)
Step 2: Export User Lists
For each system, export the list of active users with their roles, including the last-login date where the system provides it (you need it for the dormant-account check in Step 3). Screenshot the admin panel or download the user CSV.
Step 3: Review Each Account
For every user, verify:
| Check | Action |
|---|---|
| Still employed? | Remove access for former employees |
| Still in this role? | Adjust permissions if role changed |
| Needs this level? | Downgrade admin to member if full access isn't required |
| Active account? | Disable dormant accounts (no login in 90+ days) |
Step 4: Document the Review
Record: date of review, who performed it, systems reviewed, changes made, and any exceptions noted. Save this document — the auditor will ask for it.
Step 5: Make Changes
Remove or downgrade access immediately for any issues found. Don't just document the finding — fix it.
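As an added example (not part of the original article), this Python script runs the Step 3 checks over the CSV exports from Step 2 and produces the record Step 4 asks for. The two system exports, the HR roster and the list of job functions that justify an admin role are constructed sample data, and the 90-day dormancy threshold is taken from the table above.

```python
import csv
import io
from datetime import date

# Constructed sample exports, one per system, in the shape a Step 2 CSV download might have.
SYSTEM_EXPORTS = {
    "github": "email,role,last_login\n"
              "alice@example.com,admin,2024-03-01\n"
              "bob@example.com,member,2023-11-15\n"
              "carol@example.com,admin,2024-03-10\n",
    "aws": "email,role,last_login\n"
           "alice@example.com,admin,2024-03-05\n"
           "dave@example.com,admin,2024-02-28\n",
}
# Constructed HR roster: current employees and their job function. Anyone absent has left.
HR_ROSTER = {
    "alice@example.com": "platform-engineer",
    "bob@example.com": "support",
    "dave@example.com": "marketing",
}
# Assumed policy: which job functions justify the admin role on each system.
ADMIN_JUSTIFIED = {"github": {"platform-engineer"}, "aws": {"platform-engineer"}}
DORMANT_DAYS = 90                 # threshold from the Step 3 table
AS_OF = date(2024, 3, 15)         # review date used for the dormancy calculation

def review_system(system, export_csv, roster, as_of):
    """Apply the Step 3 checks to one export; return (system, email, action, reason) tuples."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        email, role = row["email"], row["role"]
        idle_days = (as_of - date.fromisoformat(row["last_login"])).days
        job = roster.get(email)
        if job is None:                        # still employed?
            findings.append((system, email, "remove", "not on HR roster"))
            continue                           # nothing else matters for a leaver
        if idle_days > DORMANT_DAYS:           # active account?
            findings.append((system, email, "disable", f"no login in {idle_days} days"))
        if role == "admin" and job not in ADMIN_JUSTIFIED.get(system, set()):
            findings.append((system, email, "downgrade", f"admin not required for {job}"))
    return findings

def run_review(exports, roster, reviewer, as_of):
    """Review every system and return the Step 4 record: date, reviewer, systems, findings."""
    findings = []
    for system, export_csv in exports.items():
        findings.extend(review_system(system, export_csv, roster, as_of))
    return {"date": as_of.isoformat(), "reviewer": reviewer,
            "systems": sorted(exports), "findings": findings}
```

Call `run_review(SYSTEM_EXPORTS, HR_ROSTER, "reviewer@example.com", AS_OF)` to get the record; the findings list becomes the "changes made" part of the Step 4 document, and any admin role you decide to keep despite a downgrade finding is recorded there as an exception.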
Evidence to Keep
- Screenshots of user lists with dates
- A summary document listing review date, reviewer, and findings
- Records of any access changes made as a result
- Calendar invite showing the quarterly cadence
Timing
Set a quarterly calendar reminder. The whole review takes 1-2 hours for a team under 50 people. The cost of not doing it: an audit finding that's easy to prevent.