How a People & Accounts Register Supports Access Reviews
A maintained people and accounts register is the input that makes an access review faster and more credible. Here is how the two connect — and what stays manual.
Updated 14 June 2026
A maintained people and accounts register is the input that makes an access review faster and more credible. The register answers who exists and what accounts they hold; the access review answers "is that access still correct?" The first is the raw material for the second. The two are linked by your upkeep, not by automation — keeping the register current is what lets a review start from real data instead of a scramble. This article explains the bridge between the two, and where the manual line sits.
If you are new to the underlying record, start with what a people and accounts register is; this article assumes you have one and shows how it feeds the review.
How the Register Supports the Review
An access review is a periodic check that everyone who has access still needs it. To run one honestly, you first need a current list of people and the accounts they hold — and that list is exactly what a people and accounts register keeps. The register organizes the evidence; the Access Reviews module is where you actually make and record the keep-or-remove decisions.
The relationship is preparation, not automation. The register does not run the review for you, and it does not silently push its contents into it. What it does is remove the worst part of any review — assembling who-has-what from memory, screenshots, and three half-current spreadsheets — so the review becomes a judgement exercise instead of a data-archaeology project. This is the same separation behind the checks + registers → evidence reports model: internal records exist so periodic governance work starts from something written down.
Why Access Reviews Fail When Account Evidence Is Scattered
Most access reviews do not fail because the reviewer lacks judgement. They fail because the inputs are missing or stale, and the review collapses into an afternoon of reconstruction:
- No single list of people. When the only roster lives in someone's head or an HR export that omits contractors, the review starts by arguing about who even belongs on it.
- No owner per account. An account with no recorded owner cannot be judged — "is this still needed?" has no one to ask, so it gets skipped and survives another quarter.
- Leavers invisible. If the record never marked who left, departed employees' accounts do not surface as obvious action items; they simply blend in.
- Stale exports. A list pulled six weeks ago and never updated produces a review that proves a moment that no longer exists.
The common thread is scattered, undated evidence. A review built on it is slow, and worse, not credible later — you cannot show what you reviewed or when the picture was true.
What the Register Gives Reviewers Before the Review Starts
A maintained register hands a reviewer four things on day one, before any judgement is needed:
- A current people list — name, role, department, person type (employee or contractor), and status — so the population under review is settled, not debated.
- Accounts joined to owners — each system account tied to the person responsible for it, so every row is answerable.
- Leavers already flagged — anyone marked offboarding or left, surfaced as the rows that most need attention while their accounts may still be live.
- The relevant systems already listed — so the review is shaped around the tools your team actually runs, not a blank page.
The most useful layout for this is the joined view — the accounts matrix — which lets you scan people against the systems they hold accounts on. That is the picture a reviewer wants in front of them when the review opens.
What Questions It Helps Answer
A clean register turns the recurring hard questions of a review into lookups:
- Who has access to this system, and who owns each account?
- This person left last month — what did they still hold?
- This account has no obvious owner — whose is it?
- Did anything change since the last review — new people, new accounts, status changes?
None of these require new tooling — only that the answer was written down before the question was asked, which is the register's entire job.
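The lookups above can be run against two register exports before the review opens. This is an added example, not CertPilot's code or a documented export format: the column names, the `active` status value, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data; the column names are assumptions for this example,
# not a documented CertPilot CSV format.
PEOPLE_CSV = """email,name,person_type,status
ana@example.com,Ana Ruiz,employee,active
ben@example.com,Ben Cole,contractor,left
cy@example.com,Cy Tran,employee,offboarding
"""
ACCOUNTS_CSV = """system,identifier,owner_email
Email,ana@example.com,ana@example.com
Email,ben@example.com,ben@example.com
Admin console,root-backup,
CRM,cy.tran,cy@example.com
CRM,old-intern,dee@example.com
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def prepare_review(people_rows, account_rows):
    """Join accounts to owners and sort problem accounts into review buckets."""
    people = {p["email"].strip().lower(): p for p in people_rows}
    matrix = defaultdict(dict)  # owner email -> {system: [identifiers]}
    findings = {"no_owner": [], "unknown_owner": [], "leaver": []}
    for acct in account_rows:
        key = (acct["system"], acct["identifier"])
        owner = acct["owner_email"].strip().lower()
        if not owner:
            findings["no_owner"].append(key)       # nobody to ask
            continue
        person = people.get(owner)
        if person is None:
            findings["unknown_owner"].append(key)  # owner missing from people list
            continue
        matrix[owner].setdefault(acct["system"], []).append(acct["identifier"])
        if person["status"] in ("offboarding", "left"):
            findings["leaver"].append(key)         # account may still be live
    return matrix, findings

def who_has(matrix, system):
    """Lookup: which people hold an account on this system."""
    return sorted(email for email, systems in matrix.items() if system in systems)

if __name__ == "__main__":
    matrix, findings = prepare_review(load(PEOPLE_CSV), load(ACCOUNTS_CSV))
    print(findings)
    print(who_has(matrix, "Email"))
```

The three buckets are the rows a reviewer should open first; the script only reads the exports and changes nothing in any system.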
What It Does Not Do
The register supports the review by organizing evidence — it is not the review itself, and it does not act on systems:
- It does not perform the access review by itself. A person still makes and records the keep-or-remove decisions.
- It does not remove access, disable accounts, or deprovision anyone. Those actions happen in the underlying systems; the register and review record that they were done.
- It does not discover accounts automatically or sync from a directory. It is only as complete as your team keeps it.
- It does not monitor employee activity, score productivity, or scan email, documents, chats, or files. It holds the records you enter, nothing more.
- It is not a certification or an audit guarantee. It supports internal governance routines and evidence preparation.
These limits are deliberate. A register that quietly reached into systems to discover or revoke access would be a different, riskier product — see what CertPilot is and is not for where those lines are drawn.
How to Use the Register During an Access Review
In practice the workflow is a short, repeatable loop — and every step stays manual-first:
- Maintain the register first. Before the review window opens, bring the people and accounts records current: add new joiners, mark leavers, and update account statuses. The review is only as good as this snapshot.
- Open the review against your systems and matrix. Use the Access Reviews systems catalog and matrix to walk people against systems, system by system, using the register's owner and status data to decide each one.
- Record decisions and complete the review. Mark access as keep, change, or no-access as you go, then complete the review. In CertPilot that completion is written as one immutable record — who reviewed, the period, the cadence, the next due date, and snapshot counts — so the sign-off itself is evidence.
- Generate the Access Review Register PDF. The dated artifact comes out at the end, capturing what was reviewed and the latest completed-review summary.
The register does not auto-populate or reconcile the review at any step; it informs it. The connection is your upkeep, and that is the point — manual control over what is recorded is what keeps the evidence trustworthy.
How It Supports Management-Ready Evidence
When leadership, a client, or an insurer asks for proof that access is controlled, "we review it" is an assertion; a completed review backed by a current register is a dated record. The register supplies the population and ownership; the review supplies the decisions and the sign-off date. Together they feed the broader job of producing management-ready evidence reports — part of what it means to have real IT governance evidence rather than a verbal claim.
The dated evidence lives in the Access Review Register PDF and in the cross-module evidence reports, where access-review activity appears alongside domains and renewals. The sample reports gallery shows the finished artifact, so you can see the output before maintaining a single record.
A Practical First Version for a Lean IT Team
You do not need a complete dataset to get value from the register-to-review loop. A workable first pass takes an afternoon:
- Populate the register from your people list — name, email, department, role, employee or contractor, and status. Mark anyone you know is leaving.
- Add the accounts that matter most — start with the systems where a forgotten account would hurt: email, core SaaS tools, and admin consoles. Record the system, identifier, and owner for each. Import by CSV if the data already lives in a spreadsheet.
- Run a first short review against those systems in the matrix, deciding keep or remove for each, and recording any change you make in the actual system.
- Complete the review and export the PDF. Even an imperfect first review establishes the routine — and the routine, repeated quarterly, is the governance work most teams actually need to show.
Each pass improves the register, and a better register makes the next review faster — the compounding is why the two modules sit next to each other.
In Short
- A people and accounts register is the input to an access review: it answers who has access and who owns each account so the review can answer "is that access still correct?"
- Reviews fail when account evidence is scattered, unowned, or stale; a maintained register gives reviewers a current, dated starting point instead.
- The link is your upkeep, not automation — the register does not auto-populate or reconcile the review, and neither module syncs from a directory.
- It does not remove access, discover accounts, monitor employees, or scan content, and it is not certification or an audit guarantee.
- The dated evidence lives in the Access Review Register PDF; maintain the register, run the review, and the artifact comes out the other end.
Frequently Asked Questions
Does the register automatically fill in my access review?
No. The register and the access review are both customer-maintained and manual-first. The register gives you a current picture of people and their accounts to inform the review, but it does not auto-populate or reconcile the review — a person still makes and records each keep-or-remove decision.
What data should be current before a review?
Your people list (with leavers marked), the accounts each person holds, an owner for every account, and the systems in scope. If those four are current in the register, the review starts from real data rather than reconstruction.
How do offboarded people show up in a review?
Anyone marked offboarding or left in the register surfaces as an obvious row to check — the accounts they may still hold become action items in the review. That is why keeping status current is the single most valuable habit for review preparation.
Where is the evidence after the review?
In the Access Review Register PDF, which captures what was reviewed and the latest completed-review summary. Access-review activity also appears in the cross-module evidence reports, and the sample report gallery shows the format.
Do either of these connect to my identity provider?
No. Neither People & Accounts nor Access Reviews syncs from Google Workspace, Microsoft 365, an HR system, or any identity provider today. Both reflect exactly what your team enters or imports by CSV — nothing is discovered or pulled automatically.