Access Review Evidence for Auditors: What to Prepare

What access review evidence auditors and cyber-insurers actually ask for, what makes it defensible, and how to assemble a dated review pack — operational evidence, not certification.

Updated 17 June 2026

When an auditor, a customer's security questionnaire, or a cyber-insurer asks for access review evidence, they want a dated record showing who reviewed which access, when, what was decided, and what follow-up happened — not a screenshot of a permissions screen. Access review evidence is operational documentation that a periodic review was performed and signed off; it supports an audit conversation, but it is not a compliance certification and not a guarantee of any audit outcome.

This article covers what reviewers actually ask for, the properties that make the evidence defensible, and how to assemble a review pack you can hand over without overclaiming. It uses CertPilot's Access Reviews module as the worked example.

What auditors and insurers actually ask for

The wording varies, but the underlying questions are consistent. An auditor checking a user-access-review control, a customer running vendor due diligence, and an insurer pricing a cyber policy all converge on a short list:

| What they ask | What they are really checking | Evidence that answers it |
|---|---|---|
| "Do you perform access reviews?" | A control exists | A documented, repeated review cadence |
| "How often, and when was the last one?" | The control is operating, not theoretical | A dated completion record with the period |
| "Who reviewed it?" | Accountability, not a script | A named reviewer on the sign-off |
| "What was reviewed?" | Scope and coverage | The register of people, systems, and access levels |
| "What did you do about problem access?" | The review has teeth | Recorded decisions and follow-up actions |
| "Can you produce this on demand?" | It is a routine, not a scramble | An exportable, dated report |

Notice what is not on the list: a certificate, a compliance badge, or a third-party seal. Reviewers want evidence that a real control runs on a cadence and produces records. That is exactly what a maintained access review register provides.

What counts as access review evidence

Access review evidence is the dated, attributable record that a periodic access check was performed: the population that was in scope (people, systems, and access levels), the decisions made, the follow-up actions, and a sign-off stating who completed the review and when. It is the access-specific case of IT governance evidence — proof of a routine, not a one-time snapshot.

A single screenshot of an admin console fails this test on every count. It is undated (it proves a moment that has passed), unscoped (one system, not the estate), unowned (usernames with no reviewer), and unrepeatable (no cadence). Auditors have seen thousands of screenshots and discount them accordingly. A completed review backed by a register is a different class of evidence.

The four properties of defensible evidence

Whether your register lives in a spreadsheet or a tool, strong access review evidence shares four properties:

  • Dated. The review has a completion date and a defined review period. "We do reviews" is an assertion; "the Q1 review was completed on 14 April covering January–March" is a record.
  • Owned. A named reviewer signed off. Anonymous evidence invites the question "who actually checked this?"
  • Scoped. The evidence states which people and systems were covered — and, honestly, which were not. Stated scope is more credible than implied total coverage you cannot back.
  • Immutable. The sign-off is a record that does not silently change after the fact. An editable note is weaker than a fixed completion event with snapshot counts captured at the time.

A review pack with all four reads as a routine that genuinely operates. Missing any one is usually the first thing a sharp reviewer probes.

How CertPilot captures each property

The four properties map directly onto live features rather than discipline alone:

  • Dated + owned + immutable: completing a review writes one immutable completion record for the register — who completed it, the completion date, the review period, the cadence, the next due date, an optional note, and snapshot counts taken at that moment. That single event is the sign-off, so you do not have to mark every row "reviewed" to prove a review happened.
  • Scoped: the register and matrix show the people, systems, and access levels in scope (read/view, write/edit, admin/manage, owner, custom, or no access), and systems no longer in the active catalog stay visible when records still reference them — so historical scope is not silently dropped.
  • Follow-up: action-required and overdue states, plus recorded keep / change / remove decisions, show the review had consequences, not just a tick.

These are the same building blocks behind showing management that access is under control; auditors and leadership want the same dated, owned record, framed for different readers.

How to assemble the evidence pack

When a request lands, you should be assembling a pack, not starting a review. The practical sequence:

  1. Confirm scope and cadence. State the systems and people covered and how often you review (e.g., quarterly). If something is out of scope, say so.
  2. Pull the latest completed review. The dated sign-off — reviewer, period, cadence, next due date, counts — is the centerpiece. A run of consecutive completed cycles is stronger than a single one, because it shows the control operating over time.
  3. Attach the register. The list of people, systems, and access levels that were in scope gives the reviewer the underlying detail.
  4. Show follow-up. Point to the decisions and any action-required items, so the review demonstrably changed something.
  5. Export the artifact. Generate the Access Review Register PDF for the period and hand that over.

If you keep the register current between cycles, this is minutes of assembly rather than a fire drill — which is the entire argument for a maintained register over an annual scramble. A maintained people and accounts register feeding the review is what makes step 3 fast.
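To make the four properties and the five assembly steps concrete, here is an added, self-contained Python sketch of a register with an immutable completion log and a pack export. It is illustrative code written for this article, not CertPilot's implementation: the CSV column names, the hash chain used to make completion records tamper-evident, and the sample rows are all assumptions constructed for the example. Each completion event records reviewer, date, period, cadence, next due date, note and snapshot counts, and commits to the previous event's hash, so an after-the-fact edit to any sign-off is detectable.

```python
"""Added example: minimal access review register with a hash-chained completion log.
Not CertPilot code; CSV layout and hash chain are assumptions made for illustration."""
import csv
import hashlib
import io
import json
from dataclasses import dataclass, asdict
from datetime import date, timedelta
from typing import Optional

ACCESS_LEVELS = {"read", "write", "admin", "owner", "custom", "none"}
DECISIONS = {"keep", "change", "remove"}

# Constructed sample register (fictional people and systems), one row per person/system pair.
SAMPLE_CSV = """person,system,level,decision,action_due
alice@example.test,CRM,admin,keep,
bob@example.test,CRM,write,remove,2026-04-20
carol@example.test,Payroll,read,keep,
dave@example.test,Payroll,owner,change,2026-05-30
"""


@dataclass
class AccessRecord:
    person: str
    system: str
    level: str
    decision: Optional[str]      # keep / change / remove, or None if not yet decided
    action_due: Optional[date]   # set when the decision needs follow-up work


def load_register(csv_text: str) -> list:
    """Parse the CSV register, rejecting unknown access levels or decisions early."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["level"] not in ACCESS_LEVELS:
            raise ValueError(f"unknown access level {row['level']!r}")
        decision = row["decision"] or None
        if decision is not None and decision not in DECISIONS:
            raise ValueError(f"unknown decision {decision!r}")
        due = date.fromisoformat(row["action_due"]) if row["action_due"] else None
        records.append(AccessRecord(row["person"], row["system"], row["level"], decision, due))
    return records


def snapshot_counts(register: list, as_of: date) -> dict:
    """Summary counts frozen at completion time: active, action required, overdue."""
    active = sum(1 for r in register if r.level != "none")
    action_required = sum(1 for r in register if r.decision in ("change", "remove"))
    overdue = sum(1 for r in register if r.action_due is not None and r.action_due < as_of)
    return {"active": active, "action_required": action_required, "overdue": overdue}


def _digest(payload: dict) -> str:
    # Canonical JSON so the hash does not depend on key order; dates serialise via str().
    return hashlib.sha256(json.dumps(payload, sort_keys=True, default=str).encode()).hexdigest()


def complete_review(log: list, register: list, reviewer: str, completed_on: date,
                    period_start: date, period_end: date, cadence_days: int, note: str = "") -> dict:
    """Append one sign-off event; each entry commits to its predecessor via prev_hash."""
    entry = {
        "reviewer": reviewer,                       # owned
        "completed_on": completed_on,               # dated
        "period": [period_start, period_end],
        "cadence_days": cadence_days,
        "next_due": completed_on + timedelta(days=cadence_days),
        "note": note,
        "counts": snapshot_counts(register, completed_on),
        "prev_hash": log[-1]["hash"] if log else None,
    }
    entry["hash"] = _digest(entry)                  # immutable: any later edit breaks this
    log.append(entry)
    return entry


def verify_log(log: list) -> bool:
    """True only if no entry was edited after the fact and the chain is unbroken."""
    prev = None
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev_hash"] != prev or _digest(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def assemble_pack(register: list, log: list) -> dict:
    """Steps 1-5 in one export: scope, latest sign-off, register, follow-up items."""
    if not log or not verify_log(log):
        raise ValueError("no trustworthy completed review to export")
    latest = log[-1]
    return {
        "scope": {"systems": sorted({r.system for r in register}),        # scoped
                  "people": len({r.person for r in register}),
                  "cadence_days": latest["cadence_days"]},
        "latest_review": latest,
        "register": [asdict(r) for r in register],
        "follow_up": [asdict(r) for r in register if r.decision in ("change", "remove")],
    }


if __name__ == "__main__":
    reg = load_register(SAMPLE_CSV)
    history = []
    complete_review(history, reg, "Priya (reviewer)", date(2026, 4, 14),
                    date(2026, 1, 1), date(2026, 3, 31), 90, "Q1 review")
    print(json.dumps(assemble_pack(reg, history), indent=2, default=str))
```

The hash chain is one way to get the "immutable" property in a plain file or spreadsheet export; whatever mechanism you use, the check that matters is that `verify_log` style validation fails loudly when a sign-off has been altered, and that the pack refuses to export from an untrusted log.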

The Access Review Register PDF

The PDF is the deliverable. It contains the access records grouped for review, summary counts (such as active, action required, and overdue), and — when one exists — the latest completed-review summary block with completion date, reviewer, review period, cadence, next due date, and snapshot counts. It carries a governance-evidence methodology note and avoids certification language by design. The sample reports gallery shows the exact format with fictional data, so you can see what an auditor receives before producing your own. For how this artifact sits alongside domain and renewal evidence, see management-ready IT evidence reports.

What this evidence is — and is not

This is the part to get exactly right, because overclaiming here is what damages credibility with a real auditor.

  • It is operational evidence that an access review was performed: dated, owned, scoped, and signed off.
  • It is not a compliance certification. CertPilot does not certify NIS2, ISO 27001, SOC 2, GDPR, or any other regime, and the report supports an audit conversation rather than replacing a qualified auditor. See what CertPilot is and is not.
  • It is not legal advice or an audit guarantee. It is a record of a customer-run review; it does not warrant an outcome.
  • It does not come from a connector. CertPilot does not read access inside Google Workspace, Microsoft 365, HR systems, or any identity provider, and it does not discover accounts or remove access. Records are customer-entered or CSV-imported.
  • It is not employee monitoring. The register records what access exists and that it was reviewed — it does not track activity, score productivity, or read emails, documents, chats, or files.

Stating these limits plainly is not a weakness in the evidence; it is part of what makes it trustworthy. An auditor trusts a vendor that knows the boundary of its own claims.

Prepare your access review pack

The best time to build audit-ready evidence is before the request arrives. Run your reviews on a cadence in Access Reviews, complete each one so the sign-off is captured, and keep the Access Review Register PDFs for each period. Review the sample reports to see the deliverable, and if you have not standardized the review itself yet, start with the step-by-step quarterly access review guide.

In short

  • Auditors and insurers ask whether access reviews happen, how often, who reviewed, what was covered, and what was done about problems — they want records, not screenshots.
  • Defensible access review evidence is dated, owned, scoped, and immutable; CertPilot captures each via the register, matrix, and immutable completion log.
  • Assemble a pack — scope, latest completed review, register, follow-up, exported PDF — rather than starting a review when the request lands.
  • The Access Review Register PDF is the artifact; a maintained register makes producing it a matter of minutes.
  • The output is operational evidence that supports an audit conversation — not a compliance certification, legal advice, an audit guarantee, a connector, or employee monitoring.

Frequently Asked Questions

Is an Access Review Register PDF enough to pass an audit?

It is strong evidence that the access review control exists and operates, which is what auditors check — but no single document "passes" an audit, and CertPilot does not certify compliance or guarantee an outcome. The PDF supports the conversation; the auditor reaches their own conclusion. A run of consecutive completed reviews is more persuasive than one.

What evidence do cyber-insurers want for access reviews?

Typically: that you perform access reviews, how often, when the last one was completed, who reviewed it, and that problem access is acted on. A dated completion record plus the register answers all of these. Confirm the specific wording on your questionnaire, since insurers phrase it differently.

Does CertPilot certify compliance with NIS2, ISO 27001, or SOC 2?

No. CertPilot produces operational governance evidence to support internal reviews, customer questionnaires, management check-ins, and audit preparation. It does not certify any compliance regime and does not replace a qualified auditor or legal advice.

How far back should access review evidence go?

Keep the completed-review records and exported PDFs for each period so you can show a trend, not just the latest cycle. Auditors and insurers find a consistent cadence over several periods more convincing than a single recent review. Match retention to your own policy and any contractual requirements.

Where does the access data in the evidence come from?

From records your team enters or imports by CSV. CertPilot does not connect to Google Workspace, Microsoft 365, HR systems, or identity providers, and it does not discover accounts or pull access automatically. The evidence reflects exactly what you maintain in the register.
