Quarterly User Access Review and Recertification

Quarterly inspection template for managers to recertify user access, identify unnecessary or excessive permissions, and assign revocation owners and due dates for remediation.

Review Scope and Access List

  • Review period is identified as the current quarter
    Select the quarter covered by this review.
  • In-scope application, system, or business process is documented
    Record the application, platform, or process being reviewed.
  • User roster for the review is complete and current
    Enter the total number of users included in the review.
  • Temporary, terminated, and transferred users are included in scope where applicable
    Confirm the roster includes users whose access may need removal or adjustment due to role changes.

Access Recertification by Manager

  • Each user's access is explicitly recertified by the responsible manager
    Confirm each user in scope has been reviewed and approved or flagged for action.
  • User access aligns with current job role and business need
    Rate how well the assigned access matches the user's current responsibilities.
  • Unnecessary, excessive, or dormant rights are identified
    Confirm whether any access rights exceed the user's current need-to-know or job function.
  • Privileged or elevated access has been separately reviewed
    Confirm administrative, privileged, or high-risk access was reviewed with additional scrutiny.

Exceptions, Revocation Owners, and Due Dates

  • All access exceptions are documented with justification
    Record any approved exceptions and the business justification for retaining access.
  • Revocation owner is assigned for each unnecessary access item
    Enter the person or team responsible for removing or adjusting the access.
  • Revocation due date is assigned and realistic
    Enter the date and time by which the access change must be completed.
  • High-risk access removals are escalated to security or system owners
    Confirm escalations are made for privileged, shared, or sensitive access that requires additional approval.

Evidence, Audit Trail, and Compliance Attestation

  • Supporting evidence is attached for the review
    Attach screenshots, export files, or review reports showing the access recertification results.
  • Review findings are recorded in the ticketing or GRC system
    Confirm the review outcome and remediation actions were logged in the system of record.
  • Manager attests the review was completed accurately and in full
    Manager signature confirming the recertification review and findings are complete.

Corrective Actions and Follow-Up

  • Corrective actions are created for all failed or flagged items
    Confirm each deficiency has a documented corrective action.
  • Follow-up review date is scheduled for unresolved access items
    Enter the date for verifying completion of revocations or approved exceptions.
  • Residual risk is accepted by the appropriate approver when access is retained
    Document the approver and rationale when unnecessary access cannot be removed immediately.