Quarterly Access Reviews for SOC 2: Step-by-Step Guide

Why Access Reviews Are Required for SOC 2

SOC 2 Trust Services Criteria CC6.2 and CC6.3 require organizations to manage access to systems and data throughout the user lifecycle. CC6.2 addresses the provisioning and registration of users, while CC6.3 focuses on the removal of access when it is no longer appropriate. Together, they mandate that you periodically verify that every user's access is still justified.

Quarterly access reviews are the most common mechanism for satisfying these criteria. While SOC 2 does not explicitly mandate a quarterly cadence, auditors widely consider it the minimum acceptable frequency. Semi-annual reviews may be acceptable for lower-risk systems, but quarterly reviews for production infrastructure and customer data systems are effectively the industry standard.

What to Review: Every In-Scope System

An access review must cover every system within your SOC 2 audit scope. This typically includes your cloud infrastructure provider (AWS, GCP, Azure), your version control system (GitHub, GitLab), your CI/CD pipeline, your production database, your monitoring and logging platforms, your customer data stores, your identity provider, and any third-party SaaS tools that can access customer data.

For each system, you need to pull a complete list of all users with access, their permission levels, and when access was last granted or modified. Compare this list against your current employee roster and their job functions. Every user on the access list should have a legitimate business reason for their level of access. Former employees, contractors whose engagements have ended, and employees who have changed roles should have their access updated or removed.

How to Document Decisions

Each user's access must receive an explicit decision: approve (access is appropriate and should continue) or revoke (access should be removed or modified). The reviewer must document who they are, when the review was conducted, and the rationale for each decision. A simple "approved" is sufficient for users whose access is clearly appropriate. For revocations, document why the access is no longer needed and confirm that removal was completed.

The reviewer should be someone with authority over the system — typically a team lead, engineering manager, or system owner. The reviewer should not be reviewing their own access. Maintain the completed review as a formal record with a timestamp and the reviewer's identity. This is the artifact the auditor will request.

Common Mistakes That Cause Audit Exceptions

Missing a quarter is the most damaging mistake. If your policy says quarterly access reviews and you skip Q2, the auditor will issue an exception for the entire quarter. There is no way to retroactively fix a missed review. The exception will appear in your SOC 2 report, and customers will see it. Set calendar reminders, assign an owner, and treat access reviews as non-negotiable deadlines.

Other common failures include: reviewing only some systems and missing others, failing to remove access that was flagged for revocation, not documenting the reviewer's identity, and conducting reviews without the authority to make access decisions. Each of these can result in a finding. The auditor will sample your reviews and trace revocation decisions to completion — saying "revoke" without actually removing access is worse than not reviewing at all.

How AuditKit Automates Access Reviews

AuditKit automates the most painful parts of the access review process. It integrates with your identity provider and in-scope systems to pull current access lists automatically. It presents a review interface where the system owner can approve or revoke each user's access with a single click, adding notes where needed. Every decision is timestamped, attributed to the reviewer, and stored as tamper-proof evidence.

AuditKit sends automated reminders when a quarterly review is due and escalates if the deadline is approaching without completion. When the auditor requests access review evidence, you export a complete, cryptographically verified record of every review conducted during the audit period — no scrambling through spreadsheets or Slack threads. The entire process takes minutes instead of days.

Key Takeaways

• CC6.2 and CC6.3 require periodic verification that user access is still appropriate — quarterly is the industry standard.
• Review every in-scope system: cloud infrastructure, version control, CI/CD, databases, SaaS tools, and identity providers.
• Document explicit approve or revoke decisions for each user with reviewer identity and timestamps.
• Missing a single quarter means an audit exception — there is no retroactive fix.
• AuditKit automates access list collection, review workflows, reminders, and tamper-proof evidence storage.