Field note
Access reviews without the spreadsheet
The quarterly access review is a spreadsheet by accident, not by design. Here is how to stop running it like one.
Why it became a spreadsheet
The access review spreadsheet was not designed. Someone exported the user-access list from the identity provider because the manager needed to see who had access. The export got emailed. The manager made some notes. It was sent to the auditor. The auditor accepted it. That was the review.
The problem is what happened next: the spreadsheet became the canonical artifact because nothing replaced it. Six months later, the same export was produced, the same process ran. Auditors started asking for “the access review spreadsheet” by name. Now the review is defined by the format of the export, not by what the review is actually supposed to accomplish.
What gets lost is the question the review is supposed to answer: does every user who has access still need it, and is every grant still appropriate? A spreadsheet of raw access data does not answer that question. It just moves the problem to whoever is reading the rows.
How to stop
Treat the review as a continuous query against live entitlement data, not a quarterly export. The query runs on a schedule and produces a list of violations: access grants that fail a defined rule. A user who has had an app assigned for more than 90 days without a manager reconfirmation is a violation. A user in the finance system who is not in the finance HRIS group is a violation. Access held by someone whose employment status is inactive is a violation.
Managers approve diffs against a defined baseline, not raw lists of who has what. The question is not “does Alice have access to this system” but “Alice has had this access since Q3; do you confirm she still needs it?” The reviewer is confirming a delta, not reading a table.
The spreadsheet is the symptom. It showed up because the review was run point-in-time, against a static export, with no machine-readable baseline to compare against. Move the review to a system that holds the baseline, runs the query, and tracks each confirmation. The output can still be a spreadsheet for the auditor, but it is generated from live data, not manually assembled. That is the difference between a review and a report.
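As an added example (not code from this note), here is the shape of that continuous query in Python: the three rules above evaluated against live grants, plus the diff a manager confirms against the last baseline. Every user, app, group, date and the `REQUIRED_GROUP` mapping is constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
# All data below is constructed for this example, not a real IdP export.
TODAY = date(2024, 6, 30)
RECONFIRM_DAYS = 90
@dataclass(frozen=True)
class Grant:
    user: str
    app: str
    granted: date
    last_reconfirmed: "date | None" = None  # manager's latest confirmation

# Hypothetical identity context: employment status and HRIS groups per user.
STATUS = {"alice": "active", "bob": "active", "carol": "inactive"}
HRIS_GROUPS = {"alice": {"finance"}, "bob": {"engineering"}, "carol": {"finance"}}
REQUIRED_GROUP = {"finance-ledger": "finance"}  # apps gated on an HRIS group
def violations(grants, today=TODAY):
    """Apply the note's three rules to live grants; return (grant, reason) pairs."""
    found = []
    for g in grants:
        if STATUS.get(g.user) != "active":
            found.append((g, "employment status is not active"))
        need = REQUIRED_GROUP.get(g.app)
        if need and need not in HRIS_GROUPS.get(g.user, set()):
            found.append((g, f"not in HRIS group '{need}'"))
        age = (today - (g.last_reconfirmed or g.granted)).days
        if age > RECONFIRM_DAYS:
            found.append((g, f"held {age} days without manager reconfirmation"))
    return found

def review_diff(current, baseline):
    """The delta a manager confirms: grants added since the baseline, and grants that vanished (recorded as revocations)."""
    cur = {(g.user, g.app): g for g in current}
    base = {(g.user, g.app): g for g in baseline}
    added = [cur[k] for k in sorted(cur.keys() - base.keys())]
    removed = [base[k] for k in sorted(base.keys() - cur.keys())]
    return added, removed
# Constructed snapshots: last quarter's confirmed baseline and today's live grants.
BASELINE = [
    Grant("alice", "finance-ledger", date(2024, 1, 10), date(2024, 3, 31)),
    Grant("alice", "wiki", date(2024, 1, 10), date(2024, 3, 31)),
    Grant("bob", "finance-ledger", date(2023, 11, 2), date(2024, 3, 31)),
]
CURRENT = [
    Grant("alice", "finance-ledger", date(2024, 1, 10), date(2024, 3, 31)),  # 91 days unconfirmed
    Grant("bob", "finance-ledger", date(2023, 11, 2), date(2024, 3, 31)),    # stale and wrong HRIS group
    Grant("bob", "wiki", date(2024, 5, 15)),                                 # new since the baseline
    Grant("carol", "finance-ledger", date(2024, 4, 15)),                     # holder now inactive
]
```

`violations(CURRENT)` yields four findings (alice stale, bob stale and outside the finance group, carol inactive), and `review_diff(CURRENT, BASELINE)` reduces the manager's task to two additions to confirm and one revocation to record.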