FREE TEMPLATE

Quarterly Access Review Template

A step-by-step template for conducting thorough SaaS access reviews.

6 sections · 41 items

Periodic user access reviews are a core requirement of SOC 2, ISO 27001, and many other compliance frameworks, and quarterly is the cadence most auditors expect to see. This template walks you through a complete access review process, from scoping to evidence collection. Follow it step by step, or use it as a starting point for your own review process.

Step 1: Scope the Review

Define what's in scope before you start pulling data.

List all SaaS tools and infrastructure services used by the company
Identify which tools are in scope for your compliance framework (SOC 2, ISO 27001, etc.)
Determine the review period (last 90 days for quarterly reviews)
Identify the reviewers — typically managers or team leads who can validate their team's access
Set a deadline for the review completion
Document the review methodology you'll follow
Step 2: Collect Access Data

Export user lists and permission data from every in-scope tool.

Export the user list from your identity provider (Okta, Entra ID, Google Workspace)
Export user lists from each in-scope SaaS tool
Cross-reference SaaS users against your HR system / employee directory
Flag any accounts that don't match an active employee, and record why (contractor, former employee, shared account, service account)
Document each user's permission level (admin, standard, read-only) using one common scale across tools
Note any service accounts or API keys that provide access, along with their owner and purpose
Record the date and source of each data export, and keep the raw exports unmodified so the review can be reproduced for auditors
Step 3: Identify Anomalies

Flag accounts and permissions that need closer review.

Accounts belonging to former employees that are still active
Users with admin access who don't need it for their current role
Inactive accounts (no login in 60+ days, or whatever threshold your access policy defines) that are still provisioned
External/guest accounts that have been active beyond their project scope
Users with access to tools outside their department's normal toolset
Shared accounts or credentials that violate individual accountability requirements
Service accounts with overly broad permissions
Users without MFA enabled on critical systems
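Steps 2 and 3 are mechanical enough to script. The following is an added example (it is not part of the template and is not ViglaFort's code) that reconciles per-tool exports against an HR roster and emits one finding per issue, grouped by manager so the output feeds straight into Step 4. The CSV layouts, the 60-day inactivity threshold, the list of critical tools, the department-to-tool map and all sample accounts are constructed for the example; real exports will need their column names mapped onto this common layout first.

```python
"""Reconcile SaaS access exports against the HR roster and flag review items.

Added example, not part of the template. All input data below is constructed;
real exports would come from the IdP, HR system and each SaaS admin console.
"""
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

# Constructed HR roster export (the source of truth for who should have access).
HR_ROSTER_CSV = """email,status,department,manager
alice@example.com,active,engineering,carol@example.com
bob@example.com,terminated,engineering,carol@example.com
carol@example.com,active,engineering,dave@example.com
dave@example.com,active,finance,
"""

# Constructed per-tool exports, normalised to one common layout so every tool reads the same.
TOOL_EXPORT_CSV = """tool,email,role,last_login,mfa,account_type
github,alice@example.com,member,2024-03-28,true,user
github,bob@example.com,admin,2024-01-10,true,user
github,carol@example.com,admin,2024-03-30,false,user
github,deploy-bot@example.com,admin,2024-03-31,false,service
aws,alice@example.com,admin,2024-02-01,true,user
aws,shared-ops@example.com,admin,2024-03-29,false,shared
aws,dave@example.com,read-only,2024-01-15,true,user
"""

# Review policy. These thresholds and mappings are assumptions for the example.
INACTIVE_DAYS = 60
ADMIN_ROLES = {"admin", "owner"}
CRITICAL_TOOLS = {"aws", "github"}
DEPARTMENT_TOOLS = {"engineering": {"github", "aws"}, "finance": {"netsuite"}}


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def find_anomalies(hr_rows, tool_rows, review_date):
    """Return (tool, email, reason) tuples for every account that needs a closer look."""
    roster = {r["email"].lower(): r for r in hr_rows}
    cutoff = review_date - timedelta(days=INACTIVE_DAYS)
    findings = []
    for row in tool_rows:
        tool, email = row["tool"], row["email"].lower()
        role, kind = row["role"].lower(), row["account_type"].lower()
        emp = roster.get(email)

        def flag(reason):
            findings.append((tool, email, reason))

        if kind == "shared":
            flag("shared account; no individual accountability")
        elif kind == "service":
            if role in ADMIN_ROLES:
                flag("service account with admin role")
        elif emp is None:
            flag("no matching HR record")
        elif emp["status"].lower() != "active":
            flag("former employee still provisioned")
        else:
            last_login = date.fromisoformat(row["last_login"])
            if last_login < cutoff:
                flag(f"inactive {(review_date - last_login).days} days")
            if role in ADMIN_ROLES:
                flag("admin role; manager to confirm need")
            if tool not in DEPARTMENT_TOOLS.get(emp["department"], set()):
                flag(f"tool outside {emp['department']} toolset")
        # Service accounts authenticate with keys, so the MFA check applies to people and shared logins.
        if kind != "service" and tool in CRITICAL_TOOLS and row["mfa"].lower() != "true":
            flag("MFA not enabled on critical system")
    return findings


def route_to_managers(findings, hr_rows):
    """Group findings by the user's manager for Step 4; accounts with no manager go to 'unassigned'."""
    roster = {r["email"].lower(): r for r in hr_rows}
    routed = defaultdict(list)
    for tool, email, reason in findings:
        manager = roster.get(email, {}).get("manager") or "unassigned"
        routed[manager].append((tool, email, reason))
    return dict(routed)


def run_review(review_date_iso="2024-03-31"):
    hr_rows = parse_csv(HR_ROSTER_CSV)
    findings = find_anomalies(hr_rows, parse_csv(TOOL_EXPORT_CSV), date.fromisoformat(review_date_iso))
    return findings, route_to_managers(findings, hr_rows)


if __name__ == "__main__":
    findings, routed = run_review()
    for manager, items in sorted(routed.items()):
        print(f"== {manager} ({len(items)} items)")
        for tool, email, reason in items:
            print(f"  {tool:8} {email:26} {reason}")
```

Two design points carry over to a real review: the HR roster, not the IdP, is the source of truth, because the IdP is itself one of the systems being reviewed; and the "unassigned" bucket (service, shared and orphaned accounts) needs a named owner before manager review starts, since nobody will sign off on accounts that are not in their reporting line.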
Step 4: Manager Review & Approval

Route access lists to managers for review and sign-off.

Send each manager a list of their direct reports and their access across all in-scope tools
Ask managers to confirm each user's access is appropriate for their current role
Ask managers to flag any access that should be added, removed, or modified
Set a clear deadline for manager responses (typically 5-7 business days)
Follow up with managers who haven't responded before the deadline
Document each manager's approval with a timestamp
Step 5: Remediate Issues

Take action on flagged items.

Disable accounts belonging to former employees, and revoke their active sessions, API tokens and SSH keys, since disabling the login alone does not end access that is already established
Downgrade admin access for users who don't need elevated privileges
Deactivate inactive accounts or confirm they're still needed
Remove external/guest accounts that have exceeded their project scope
Revoke access to tools that are outside the user's departmental scope
Enable MFA for users who are missing it on critical systems
Document each remediation action with the date and person who performed it
Step 6: Generate Evidence & Report

Compile your review into an audit-ready report.

Document the total number of accounts reviewed across all tools
List all anomalies found and their remediation status
Include manager approval records with timestamps
Calculate key metrics: % of accounts reviewed, % of anomalies remediated, average remediation time
Note any exceptions that were approved (with justification and approver)
Store the report in your compliance documentation repository
Schedule the next quarterly review date

Pro tips

Start your access review at the beginning of the quarter, not at the end — give yourself buffer time for remediation.

Use a consistent format across all tools so managers can review access quickly without learning new layouts.

Track metrics quarter-over-quarter (anomalies found, remediation time) to show auditors that your program is maturing.

Don't just review who has access — review what level of access they have. Admin access should be rare.

Consider using ViglaFort to automate data collection and anomaly detection — cutting review time from days to minutes.
