Access recertification that managers actually complete.
Cadence, framing and tooling that lifted completion rates from 58% to 96% at a GCC bank.

This field note is drawn from live IT Audit 360 engagements. Names and identifying details are anonymised; the patterns, decisions and trade-offs are reproduced as they happened. Read it as case material rather than guidance: the choices made in the moment are not always the choices we would advocate in a clean-room playbook.
Definition
Access recertification (user access review, UAR) is the periodic process by which system owners confirm or revoke user entitlements to prevent privilege accumulation, SoD conflicts, and orphaned accounts. It maps to ISO 27001:2022 Annex A 5.18, SOC 2 CC6.3, SAMA CSF 3.2-4, and PCAOB AS 2201 access controls. Effective programmes combine appropriate tooling, manager accountability, and a follow-up revocation SLA to convert rubber-stamp exercises into genuine risk reduction.
Why it matters
The pressure on IT Audit 360 programmes is shifting in specific, observable ways:
- SAMA CSF 3.2-4 and NCA ECC-1 2-3-1 both mandate quarterly access reviews for privileged accounts; non-compliance has resulted in SAR 500,000–2,000,000 administrative fines in SAMA enforcement actions.
- ISO 27001:2022 Annex A 5.18 requires entitlement reviews at defined intervals; certification bodies cite rubber-stamp completion (manager approves all without review) as a major non-conformity.
- Privilege accumulation is the #1 enabler of insider threat incidents; reducing unnecessary privileged access cuts mean lateral movement time in breach scenarios from 4.5 hours to under 30 minutes (IBM X-Force 2023).
- Completion rates below 80% are treated as ITGC deficiencies under SOC 2 CC6.3, triggering qualified opinions and customer trust erosion worth AED 1–5 M in contract renegotiations.
Evidence sources to capture
What an auditor or reviewer will sample for — wire each source into your evidence repository before the next review cycle:
- Identity governance platform report (SailPoint IdentityIQ, Saviynt, or Microsoft Entra ID Access Reviews) — campaign ID, certifier, decision (approve/revoke/escalate), and decision timestamp.
- HR system feed (Workday or SAP SuccessFactors) — termination dates and role changes to detect orphaned or stale accounts before campaign launch.
- PAM tool (CyberArk or BeyondTrust) — privileged account list with last login date; accounts not logged in >90 days flagged for mandatory revocation.
- Post-campaign revocation execution log — ticket ID in ServiceNow, revocation timestamp, and confirming system screenshot.
- SoD conflict report (Pathlock or SAP GRC Access Control) — conflicts identified at campaign close and remediation status.
Recommended next actions
A 90-day plan, sequenced so each step produces evidence the next step depends on:
- Day 0-30: IAM Lead configures quarterly automated campaigns in SailPoint or Entra ID covering all privileged and sensitive application roles; set campaign duration to 10 business days.
- Day 31-60: Implement manager accountability: uncompleted certifications auto-escalate to department head at Day 7; HR notified to flag in performance review for repeat non-completers.
- Day 61-90: Establish a 5-business-day revocation SLA from decision to confirmed removal; integrate with ServiceNow to create and close ITSM tickets automatically.
- Day 90+: Run first full quarterly campaign; target ≥90% completion and ≤5% of approved accounts subsequently found with SoD conflicts.
- Ongoing: Publish monthly access hygiene dashboard to CISO: orphaned accounts (>90 days no login), completion rate by department, and overdue revocations.
Example metrics
Instrument these and report them monthly to the executive sponsor; sustained adverse trends become board-level conversations:
- Access review completion rate ≥96% per campaign (baseline industry average ~72%).
- Revocations executed within 5 business days of certifier decision ≥98%.
- Orphaned accounts (no login >90 days) as % of total accounts ≤1%.
- SoD conflicts identified and remediated within 30 days of campaign close ≥90%.
- Privileged account count as % of total user base ≤5% (benchmark: financial services GCC).
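The checks below are an added example, not code from the engagement or from MAST Consulting Group: over constructed sample extracts (the user ids, certifier names, dates and ticket closures are made up) it computes the completion rate, the orphaned-account list, revocation-SLA compliance and approvals that contradict the HR feed, using the thresholds this note sets (no login >90 days, 5-business-day revocation SLA).

```python
from datetime import date, timedelta

TODAY = date(2024, 6, 30)      # constructed review date
STALE_DAYS = 90                # orphaned-account threshold from the metrics (>90 days no login)
REVOCATION_SLA_DAYS = 5        # revocation SLA from the 90-day plan, in business days

# Constructed sample extracts (not real engagement data): one tuple per campaign
# item, plus HR termination, PAM last-login and ServiceNow ticket-closure data.
CAMPAIGN = [  # (user, certifier, decision or None if never actioned, decision date)
    ("u1", "mgrA", "approve", date(2024, 6, 10)),
    ("u2", "mgrA", "revoke", date(2024, 6, 10)),
    ("u3", "mgrB", None, None),
    ("u4", "mgrB", "revoke", date(2024, 6, 12)),
    ("u5", "mgrC", "approve", date(2024, 6, 14)),
]
HR_TERMINATED = {"u5": date(2024, 5, 1)}            # left before the campaign opened
PAM_LAST_LOGIN = {"u1": date(2024, 6, 1), "u2": date(2024, 1, 15), "u3": date(2024, 2, 1),
                  "u4": date(2024, 6, 20), "u5": date(2024, 3, 1)}
REVOCATION_CONFIRMED = {"u2": date(2024, 6, 13), "u4": date(2024, 6, 25)}  # ticket closed


def business_days_between(start: date, end: date) -> int:
    """Weekdays in (start, end]; weekends do not count against the SLA."""
    return sum(1 for i in range(1, (end - start).days + 1)
               if (start + timedelta(days=i)).weekday() < 5)


def completion_rate() -> float:
    """Share of campaign items carrying a recorded certifier decision."""
    return sum(1 for _, _, d, _ in CAMPAIGN if d is not None) / len(CAMPAIGN)


def orphaned_accounts(today: date = TODAY) -> list[str]:
    """Accounts whose last PAM login is more than STALE_DAYS ago (mandatory revocation)."""
    return sorted(u for u, last in PAM_LAST_LOGIN.items() if (today - last).days > STALE_DAYS)


def revocation_sla_rate() -> float:
    """Share of revoke decisions confirmed removed within the SLA; unconfirmed counts as a breach."""
    revokes = [(u, when) for u, _, d, when in CAMPAIGN if d == "revoke"]
    on_time = sum(1 for u, when in revokes if u in REVOCATION_CONFIRMED
                  and business_days_between(when, REVOCATION_CONFIRMED[u]) <= REVOCATION_SLA_DAYS)
    return on_time / len(revokes) if revokes else 1.0


def rubber_stamp_flags() -> list[str]:
    """Approvals that contradict the HR feed: a certifier approved an already-terminated user."""
    return sorted(u for u, _, d, _ in CAMPAIGN if d == "approve" and u in HR_TERMINATED)
```

On this sample the campaign sits at 80% completion with one of two revocations breaching the SLA, and u5's approval is the rubber-stamp signal a certification body would cite.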
How it played out
The engagement began the way these always do — a specific trigger (the cadence, framing and tooling needed to lift completion rates from 58% to 96% at a GCC bank) and an executive sponsor with limited patience for theoretical answers.
The first instinct on the client side was to add tooling. The first instinct on our side was to fix the deficiency evaluation so that whatever tooling was added would have somewhere defensible to land.
What surprised the team, and is worth noting for anyone running similar IT Audit 360 work, is how much of the value came from re-sequencing existing activities rather than introducing new ones.
- Trigger. The work was sponsored after a near-miss the executive team could no longer rationalise.
- First week. Stabilise the ITGC scope memo; pause anything that risked making it worse.
- Weeks 2–6. Rebuild the working evidence cadence; the regulator-facing story followed naturally once the internal cadence was honest.
- What we'd do differently. Engage the CIO accountable for ITGC remediation on day one, not after the diagnostic.
Pitfalls we keep seeing
Across MAST Consulting Group's IT Audit 360 portfolio, the same recurring failure modes show up cycle after cycle. None are exotic; all are expensive when they reach the audit report. In every case, what good looks like is the same: the control evidenced inside the workflow it governs, not separately for the audit.
- Change tickets without approval evidence linkable to deployment.
- Privileged users not reconciled to HR for terminations within the agreed cadence.
- Key reports not subjected to completeness and accuracy testing.
- Access reviews completed without an independent reviewer or evidence of action.
Tooling we actually reach for
MAST Consulting Group is deliberately tool-agnostic, but in practice the same shortlist keeps appearing on IT Audit 360 engagements because the integrations are cheap and the evidence is defensible. None of these is chosen because it is fashionable; each generates an audit trail the reviewer accepts on the first ask.
- ServiceNow / Jira for change evidence.
- Entra / Okta for access governance.
- audit-analytics for population tests.
How MAST Consulting Group can help
MAST Consulting Group runs IT Audit 360 programmes for banks, insurers, healthcare networks, payments providers, telcos and government entities across the UAE, KSA, India and the wider GCC. We bring Lead Practitioners, sector specialists, and a working library of policies, risk methodologies and evidence templates that have passed audit at firms recognisable to your board.
If anything in this field note is relevant to a programme you are scoping or rescuing, the fastest next step is a 30-minute working session with the practice lead. We will look at your specific situation, share what we have seen work for IT Audit 360 programmes at similar scale, and tell you honestly if the work is something you should bring to us or run in-house.
Turn this briefing into a working plan for your team.
Tell us where you are today and we'll come back within one business day with a scoped, fixed-fee proposal — or an honest opinion if you should run the work in-house.
- 30-minute working session with a Lead Auditor
- Specific to your regulators, scope and timeline
- No-obligation written next-step plan
Prefer email? info@mastcgroup.com