What Is a People & Accounts Register? A Plain-English Guide for Lean IT Teams
A people and accounts register is a customer-maintained record of who works for you and which system accounts they hold. Here is what to track and why.
Updated 14 June 2026
A people and accounts register is a customer-maintained record of two linked things: the people connected to your organization — employees and contractors — and the system accounts each of them holds. It answers two questions a small IT team is repeatedly asked but rarely has written down: who has access here, and who is responsible for each account?
It is not an HR system, and it is not a tool that logs into your environment to find accounts for you. It is a structured list you keep — by hand or by importing a spreadsheet — so that when someone leaves, when access is reviewed, or when leadership asks who can get into what, the answer is a record rather than a memory. This article covers what belongs in that register, what deliberately does not, and how it fits the wider job of producing IT governance evidence.
What a People & Accounts Register Actually Is
At its simplest, the register has two sides that join together: a people side (one row per person) and an accounts side (one row per system account). The value is in the link between them. A list of people without accounts tells you headcount; a list of accounts without owners tells you nothing about accountability. Joined, they answer the questions that actually come up: this account exists — whose is it? This person is leaving — what do they still hold?
This is one half of a broader pattern — the checks + registers → evidence reports model, which separates evidence into public-signal checks and internal registers. A machine can read your DNS or certificate state from outside, but no external scan knows that an account belongs to a contractor who finishes next month. A register is where that internal knowledge becomes a written, dated record instead of tribal memory.
Why Lean IT Teams Need One
In a 50–500-employee company, the person who runs IT usually also runs onboarding, offboarding, and "can you give Marketing access to the new tool?" The account knowledge lives in their head and a few spreadsheets, and it works — until it is tested. The tests are predictable:
- Someone leaves, and you need every account they held to make sure each one is handled. A vague list is how forgotten accounts linger for months.
- Access gets reviewed. When leadership, a customer questionnaire, or an insurer asks how you control access, a current people-and-accounts picture is the starting point for any honest access review.
- An account turns up with no owner — and with a register, "whose is this?" is a lookup, not an investigation.
- The IT person is unavailable. If the only record of access lives in one head, the organization has a single point of failure for a governance question.
None of this requires enterprise software — only that the knowledge live somewhere durable, owned, and readable by someone other than whoever entered it.
What a People & Accounts Register Tracks
A practical register stays close to what you need to answer questions. On the people side: full name and work email; department and role; person type (employee, contractor, or other — contractors are exactly the records that go missing); status (active, offboarding, or left, so you can find people on their way out while their accounts still need attention); start and end dates; and notes.
On the accounts side: the system and account identifier; the account creation date; account status and status-change date (active, disabled, and when that last changed); and account notes for anything that explains the account, such as a shared mailbox or a service login.
A joined view — sometimes called an accounts matrix — lets you scan people against the systems they hold accounts on, which is the most useful layout when preparing a review. Each field serves the same goal: every record should be dated, owned, and understandable later.
What It Should Not Track
A register earns trust partly by what it refuses to hold. It is not a place for:
- Passwords, secrets, API keys, or recovery codes. A record of which accounts exist should never become a store of credentials. Keep secrets in a password manager built for them.
- Sensitive HR data — payroll, performance, health, or disciplinary information. That belongs in an HR system, not an IT account list.
- Employee behavior. A register records that an account exists and who owns it. It is not a log of what anyone did, typed, sent, or opened.
This restraint is deliberate: the register's job is to make access accountable, not to widen the amount of sensitive data the IT team must protect.
How It Differs From HRIS, MDM, Spreadsheets, and Access Review Tools
It is easy to assume an existing tool already covers this. Usually none quite does:
- An HRIS is your system of record for employment — it knows who works for you, but not that someone has a login on a niche SaaS tool IT set up.
- An MDM manages devices and can enforce controls on them, but device management is not a record of account ownership across your systems.
- A spreadsheet can hold the data, but a loose spreadsheet is rarely owned, dated, or reviewed — which is what separates a record from a note.
- An access review tool runs the periodic "is this access still correct?" review, and depends on a current picture of people and accounts to do it well.
A people and accounts register is the lightweight, IT-owned inventory that sits between them. For the full picture of where CertPilot draws its lines, see what CertPilot is — and what it is not.
How It Supports Access Reviews
An access review asks a simple question on a cadence: does everyone who has access still need it? You cannot answer that honestly without first knowing who has access — which is what the register holds. A maintained register means a review starts from current data instead of a scramble to reconstruct it: leavers are flagged by status, accounts carry owners, and the relevant systems are already listed.
The register and the review are separate, and both are manual-first: the register does not automatically populate or reconcile the review; it gives it a clean starting point. The depth of running reviews — cadence, completion records, and the report — belongs to the Access Reviews module rather than this article.
How It Supports Management-Ready Evidence
Eventually someone above the IT team asks for proof. A register turns "we have access under control" from an assertion into a dated record of who exists, what accounts they hold, and what status each is in — feeding the broader job of producing management-ready evidence reports and helping a team prove IT is under control without another pile of spreadsheets.
In CertPilot, people and account information appears as summary counts inside the cross-module evidence reports, alongside domains, renewals, and access reviews — the sample reports gallery shows the resulting artifact. The register is the source; the report is the dated, shareable form it takes when it leaves the team.
How CertPilot Fits — With Strict Boundaries
CertPilot's People & Accounts register is a manual-first, CSV-friendly implementation of everything above: you add people and accounts directly or import a spreadsheet, keep status and dates current, and use the accounts matrix to review people against systems. It sits alongside the Renewals & Vendor Register, the Assets Register, and Access Reviews as one of the internal registers on the platform.
It records operational facts you maintain. What it does not do matters just as much:
- It does not remove access, disable accounts, or deprovision anyone. Those actions happen in the underlying systems; the register records that they were done.
- It does not discover accounts automatically, sync with a directory, or connect to Google Workspace or Microsoft 365 today. It is only as complete as you keep it.
- It does not monitor employee activity, score productivity, or scan email, documents, chats, or files. It holds the records you enter, nothing more.
- It is not a certification, a compliance guarantee, or an audit substitute. It supports internal governance routines and evidence preparation.
These boundaries are the point, not a limitation: a record that quietly expanded into surveillance or automatic deprovisioning would be a different — and riskier — kind of tool.
A Practical First Version of the Register
You do not need a perfect dataset to start. A useful first version takes an afternoon:
- List people first from your HR list: name, email, department, role, employee or contractor, and status. Mark anyone you know is leaving as offboarding.
- Add the accounts that matter most — start with the systems where a forgotten account would hurt (email, main SaaS tools, admin consoles), recording the system, identifier, and owner for each.
- Set status honestly. A register that admits "we are not sure about these three" beats one that pretends to be complete.
- Import rather than retype. If the data is already in a spreadsheet, import it by CSV and clean it up in place.
- Pick a review cadence, monthly or quarterly: walk the list, update statuses, and resolve anything with no clear owner.
The first pass will be imperfect, and that is fine: the register improves through review, and the review is the governance work most teams need to show anyway.
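As an added illustration (not CertPilot's code or import format), the sketch below joins the people side and the accounts side described under "What a People & Accounts Register Tracks" and produces the list a review pass from the steps above would walk: active accounts whose owner is offboarding or has left, is missing, or is not in the people list. The column names, sample rows, and the `load` and `review_findings` helpers are assumptions made for this example.

```python
import csv
import io

# Constructed sample data; column names are assumptions, not CertPilot's format.
PEOPLE_CSV = """email,full_name,person_type,status,end_date
ana@example.com,Ana Ruiz,employee,active,
ben@example.com,Ben Cole,contractor,offboarding,2026-07-31
cy@example.com,Cy Dunn,employee,left,2026-05-30
"""
ACCOUNTS_CSV = """system,identifier,owner_email,account_status,status_changed
Email,ana@example.com,ana@example.com,active,2024-01-08
CRM,ben.cole,ben@example.com,active,2025-03-02
Email,cy@example.com,cy@example.com,disabled,2026-05-30
Admin console,cy-admin,cy@example.com,active,2023-11-20
Wiki,shared-editor,,active,2022-06-01
Billing,old.temp,dee@example.com,active,2021-09-14
"""
# Columns a register should never carry (it lists accounts, not credentials).
FORBIDDEN = {"password", "secret", "api_key", "recovery_code"}

def load(text):
    """Parse one side of the register, refusing credential columns."""
    reader = csv.DictReader(io.StringIO(text))
    bad = FORBIDDEN & {name.strip().lower() for name in reader.fieldnames}
    if bad:
        raise ValueError(f"register must not hold credentials: {sorted(bad)}")
    return list(reader)

def review_findings(people_csv, accounts_csv):
    """Join accounts to people; return active accounts that need attention."""
    people = {p["email"].strip().lower(): p for p in load(people_csv)}
    findings = []
    for acct in load(accounts_csv):
        if acct["account_status"].strip().lower() != "active":
            continue  # already disabled in the underlying system
        owner = acct["owner_email"].strip().lower()
        if not owner:
            reason = "no owner recorded"
        elif owner not in people:
            reason = "owner not in people list"
        elif people[owner]["status"] in ("offboarding", "left"):
            reason = "owner status is " + people[owner]["status"]
        else:
            continue  # active person holding an active account
        findings.append((acct["system"], acct["identifier"], reason))
    return findings

if __name__ == "__main__":
    print(*review_findings(PEOPLE_CSV, ACCOUNTS_CSV), sep="\n")
```

The output is a worklist only: disabling each account still happens in the system that hosts it, after which the account's status and status-change date are updated in the register.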
In Short
- A people and accounts register is a customer-maintained record linking people to the system accounts they hold — answering "who has access, and who owns each account?"
- Lean IT teams need one because offboarding, access reviews, orphaned accounts, and key-person risk all test knowledge that otherwise lives in someone's head.
- It tracks people (name, role, type, status, dates) and accounts (system, identifier, status, dates), joined into a reviewable view, and should never hold passwords, secrets, or sensitive HR data.
- It supports access reviews and management-ready evidence, but does not remove access, discover accounts, sync directories, monitor employees, or scan content — and it is not certification or an audit guarantee.
Frequently Asked Questions
Is a people and accounts register the same as an HR system?
No. An HRIS is the system of record for employment and HR data. A people and accounts register is an IT-owned inventory focused on which system accounts each person holds and whether they are still appropriate. The two overlap on basic person details but answer different questions, and a register should not store sensitive HR data.
Does CertPilot's People & Accounts register connect to Google Workspace or Microsoft 365?
No. The live module is manual-first: you add records directly or import a CSV. It does not sync with a directory, log into your systems, or discover accounts automatically — so the register reflects exactly what your team chooses to enter.
What is the difference between the people side and the accounts side?
The people side is one row per person (name, role, status, dates); the accounts side is one row per system account (system, identifier, status, dates). Joined, they let you see which accounts a person holds and which person owns an account — the link is what makes the register useful.
Does this register remove access or offboard people?
No. The register records account status and ownership; it does not act on accounts. Disabling or removing access happens in each system — the register is where you record that it was done, which is what makes offboarding provable later.
Can I just use a spreadsheet instead?
You can start in a spreadsheet, and a CSV import brings that data straight in. The difference a register makes is structure, ownership, status, dates, and a habit of reviewing it. A loose spreadsheet usually fails as evidence precisely because no one owns it or dates it.