TL;DR: Auditors test access reviews for control design, operating effectiveness, and evidence quality, and they will reject completed tickets if revocations, scope, or remediation cannot be independently proven, according to Zluri. Completion metrics alone do not establish audit readiness, and that gap is where many otherwise sound IAM programmes fail.
NHIMG editorial — based on content published by Zluri: Security & Compliance User Access Review Audit: What Auditors Actually Test
By the numbers:
- 94% completion rate, 127 inappropriate access grants revoked, evidence package delivered on time.
Questions worth separating out
Q: What do auditors actually test in access review audits?
A: Auditors test both control design and operating effectiveness.
Q: Why do access review findings happen even when completion rates look strong?
A: Strong completion metrics do not prove the control was effective.
Q: How can security teams prove that access revocations really worked?
A: Use system logs, application confirmations, and validation testing to show that access no longer functions after remediation.
Practitioner guidance
- Separate completion evidence from effectiveness evidence Store the review sign-off, the revocation action, and the post-remediation validation as three distinct artefacts so auditors can test each step independently.
- Make scope completeness a pre-review gate Reconcile system inventories, identity sources, and privileged account lists before certification starts so the auditor is not relying on a partial extract.
- Use immutable system logs as the primary record Keep review timestamps, approval history, and access-change events in system-generated logs that cannot be rewritten after the fact.
What's in the full article
Zluri's full research covers the operational detail this post intentionally leaves for the source:
- Evidence-package structure for SOX, SOC 2, ISO 27001, PCI DSS, and HIPAA audit trails
- Framework-by-framework testing expectations for access review cadence, scope, and remediation proof
- Examples of auditor questions and the evidence artefacts they use to challenge control effectiveness
- Practical preparation timeline for internal testing, evidence indexing, and pre-audit remediation
👉 Read Zluri's guide to what auditors actually test in access review audits →
Access review audits: what auditors actually test for now?
Explore further
Evidence completeness is now the real access review control. Completion rates, revocation counts, and on-time delivery are only meaningful if the underlying artefacts can be independently verified. The article shows that auditors care less about the ceremony of review and more about whether the proof set is immutable, complete, and replayable. For identity teams, the control is no longer the review meeting itself, but the evidence chain that surrounds it.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: Who is accountable when access review evidence cannot be verified?
A: Accountability usually sits with the control owner, the identity governance team, and the business approver, because each owns part of the evidence chain. Auditors will judge the control on what can be proven, not on internal intent. If evidence cannot be reproduced, the organisation owns the finding.
👉 Read our full editorial: Access review audits fail on evidence, not just completion rates