13) How many access audits does your organisation conduct each year, for regular employee accounts?
IT Operations Access Review
Written by Haydn Brooks
Created on March 18, 2019
Modified on July 7, 2020

If your organisation does conduct regular access audits of employee accounts, please state the number of times access audits are completed for users each year. If no access audits are completed, please put 0 (zero).

Your company's Security Policy should set the frequency of access audits based on your company's capacity to administer them and on the inherent risk of the systems being audited; higher-risk systems should be audited more often than lower-risk systems.

Depending on the nature and size of your business you may choose to perform the audits monthly, quarterly or twice a year. As a minimum, it is recommended that audits are performed at least twice a year.

How to implement the control:

Your IT team can complete an access audit either using access lists (typically spreadsheets that show each user's access to each IT system) or by using a tool.

Access lists should be sent to line managers or system owners for them to review and approve the access to the systems.

Access reviews should be completed regularly and consistently. Risk Ledger recommends completing 2 access reviews a year for all employees with regular user accounts, and quarterly access reviews for all employees with privileged user accounts.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.