How many vendor accounts are still active after a project ends? In many companies, more than anyone expects. Third-party user access tends to drift because teams stay busy with delivery, not cleanup.
A quarterly review keeps that drift under control. It helps you catch stale accounts in SaaS apps, cloud consoles, VPNs, and internal systems before they become security gaps or audit findings.
Start with a complete access inventory
Begin with a live list of every external user. Include vendors, contractors, consultants, partners, and temporary support staff. Pull data from identity tools, SaaS admins, cloud IAM, VPN logs, and any internal app that still uses local accounts.
Then add the details that make the list usable. Record the system owner, user name, role, last login, approval date, contract end date, and any expiry date. Also note how access is granted, whether through SSO, a local account, an API token, or a shared password. That matters because the risk changes with the path used: a local account or long-lived API token keeps working after the user is removed from SSO, and a shared password cannot be tied to one person.
For a clear view of what auditors often expect, see the guide on user access reviews for SOC 2.
If you can’t name the owner of an account, you don’t have a valid review.
This first pass matters because missing one system creates a blind spot. A review only works when it covers the whole access surface, not just the easy parts.
Follow this step-by-step review process
- Pull the current account list from each platform. Use exports from SaaS tools, cloud services, VPNs, and internal systems. Compare them with the vendor roster and current project list, then flag any mismatch right away.
- Check whether each account still has a business need. If the user finished the project, moved roles, or left the vendor, the account should go. Ask the owner to confirm the reason, not the requester.
- Test the access level against least privilege. A support engineer rarely needs admin rights, and a contractor seldom needs broad data access. If the account is for emergency work, time-box it and add a review date.
- Confirm the right approver signed off. The business owner should review the access, while security checks for exceptions, privileged roles, and sensitive data exposure. This split keeps approvals from becoming rubber stamps.
- Record the action and close the loop. Revoke, reduce, or renew access, then save the proof in the ticket or review log. If nothing changed, note why the access stayed in place.
That flow lines up with common SOC 2 expectations for access review controls. It also fits a clean third-party risk program. For more context, see SOC 2 third-party requirements.

Use the same sequence every quarter, and the process gets faster. More importantly, no one has to guess what happened last time.
Use a simple checklist for every account
A short checklist keeps the review consistent, even when you have many vendors. It also helps managers make fast decisions without lowering the bar.
Use three clear outcomes for each account: approved, pending, or revoked. If the answer is unclear, leave it pending until the owner responds.

| Check | What to look for | If it fails |
|---|---|---|
| Business need | The account maps to an active contract, ticket, or task | Remove access |
| Role match | The user has the rights needed for the job | Reduce the role |
| Privilege level | No admin access without a clear reason | Downgrade or add PAM |
| Recent activity | The account has been used for current work | Flag for cleanup |
| Expiry date | Time-limited access still has an end date | Set a new review date |
If an account fails more than one item, treat it as a cleanup case. That keeps the review honest and avoids rubber-stamping old access.
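The reconciliation in the step-by-step process and the checklist above can be run as a script rather than a spreadsheet. The following is an added example, not code from the original page: it joins constructed account exports to a constructed vendor roster, evaluates each checklist row, maps the result to approved, pending, or revoked, and emits one evidence record per account. The field names, roster layout, review date, and 90-day activity window are assumptions; it also adds two rows the table does not list but the text calls out, a missing system owner (which blocks a valid review) and a shared password.

```python
"""Reconcile platform account exports against the vendor roster and apply the
per-account checklist. The roster and exports below are constructed sample
data; field names, the 90-day activity window and the review date are
assumptions for this added example, not a real identity provider schema."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

REVIEW_DATE = date(2026, 4, 15)   # assumed date of the quarterly review
STALE_DAYS = 90                   # assumed window for the "recent activity" check

# Checklist row -> action when it fails (table rows plus owner and shared-account rows).
ACTIONS = {
    "owner": "Assign a system owner before deciding",
    "business_need": "Remove access",
    "role_match": "Reduce the role",
    "privilege_level": "Downgrade or add PAM",
    "recent_activity": "Flag for cleanup",
    "expiry_date": "Set a new review date",
    "named_user": "Replace the shared account with named users",
}


@dataclass
class Account:
    system: str
    user: str
    vendor: str
    role: str
    path: str                   # "sso", "local", "api_token" or "shared_password"
    owner: str | None           # internal owner accountable for the account
    last_login: date | None
    expiry: date | None
    exception_ticket: str | None = None   # approved justification for admin rights


# Constructed roster: active engagements, who is on them, and the roles allowed.
ROSTER = {
    "Acme Support": {"contract_end": date(2026, 12, 31),
                     "users": {"j.doe@acme.example"}, "roles": {"agent", "admin"}},
    "Widget Consulting": {"contract_end": date(2026, 2, 28),
                          "users": {"a.lee@widget.example"}, "roles": {"user"}},
}

# Constructed exports from four platforms, joined to the inventory fields.
ACCOUNTS = [
    Account("helpdesk-saas", "j.doe@acme.example", "Acme Support", "agent", "sso",
            "it-ops", date(2026, 4, 10), date(2026, 12, 31)),
    # Emergency admin that was approved (ticket) but never time-boxed.
    Account("aws-prod", "j.doe@acme.example", "Acme Support", "admin", "local",
            "platform", date(2026, 4, 1), None, exception_ticket="CHG-1234"),
    # Contract ended in February; the VPN account was never removed.
    Account("vpn", "a.lee@widget.example", "Widget Consulting", "user", "local",
            "netops", date(2025, 12, 15), date(2026, 2, 28)),
    # Shared password with no named owner on either side.
    Account("wiki", "svc-vendor-shared", "Widget Consulting", "editor",
            "shared_password", None, None, None),
]


def run_checks(acct: Account, roster: dict, today: date = REVIEW_DATE) -> dict[str, bool]:
    """Evaluate each checklist row; True means the row passed."""
    eng = roster.get(acct.vendor)
    active = eng is not None and eng["contract_end"] >= today
    return {
        "owner": acct.owner is not None,
        "business_need": active and acct.user in eng["users"],
        "role_match": active and acct.role in eng["roles"],
        "privilege_level": acct.role != "admin" or acct.exception_ticket is not None,
        "recent_activity": acct.last_login is not None
                           and (today - acct.last_login).days <= STALE_DAYS,
        "expiry_date": acct.expiry is not None and acct.expiry >= today,
        "named_user": acct.path != "shared_password",
    }


def decide(checks: dict[str, bool]) -> tuple[str, list[str]]:
    """Map check results to approved / pending / revoked."""
    failed = [name for name, ok in checks.items() if not ok]
    if not checks["owner"]:
        return "pending", failed          # no owner, no valid review
    if not checks["business_need"] or len(failed) > 1:
        return "revoked", failed          # no business need, or a cleanup case
    if failed:
        return "pending", failed          # one finding: wait for the owner
    return "approved", failed


def review(accounts: list[Account], roster: dict, reviewer: str,
           today: date = REVIEW_DATE) -> list[dict]:
    """Produce one evidence record per account: who reviewed what, and the outcome."""
    records = []
    for acct in accounts:
        checks = run_checks(acct, roster, today)
        decision, failed = decide(checks)
        records.append({
            "review_date": today.isoformat(),
            "reviewer": reviewer,
            "system": acct.system,
            "account": acct.user,
            "owner": acct.owner,
            "access_path": acct.path,
            "decision": decision,
            "failed_checks": failed,
            "actions": [ACTIONS[f] for f in failed],
        })
    return records


if __name__ == "__main__":
    for rec in review(ACCOUNTS, ROSTER, reviewer="security-review"):
        print(f"{rec['system']:14} {rec['account']:26} {rec['decision']:9} {rec['failed_checks']}")
```

On the sample data the SSO helpdesk account is approved, the un-expired emergency admin is held pending with "Set a new review date" as its only action, the VPN account for the ended contract is revoked, and the shared wiki login stays pending because nobody owns it. Keeping the records as data (rather than only printing them) is what lets you save them next to the raw export as review evidence.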
Document the review so it holds up later
Good documentation turns a quarterly task into evidence. Auditors, security teams, and compliance officers all want the same thing: a clean trail from review to action.
Keep the review date, reviewer name, system name, account list, decision, and follow-up ticket in one place. Add the approver, the reason for any exception, and the date the change took effect. Save the export you used, not just the summary. If the list changes after the review starts, keep that version too.
Evidence should show who reviewed, what changed, and when the change took effect.
Access review controls are easier to defend when the proof is complete and easy to find. If you work toward ISO 27001, tie the review back to access control and supplier oversight. The guide on ISO 27001 third-party risk requirements is a helpful benchmark when you want to compare your process with common expectations.
A good file name also helps. Use a simple pattern like 2026-Q2-third-party-access-review. That makes searches easier later, especially when an auditor asks for last quarter’s proof.
Clean up the access that no longer belongs
The review should end with action, not a spreadsheet that sits untouched. Remove accounts tied to ended contracts, finished projects, and expired support windows. Contract renewals should trigger a fresh check, not automatic carryover.
Shared accounts deserve special attention. They make it hard to prove who did what, and they often hide stale access. Where possible, replace them with named users and stronger authentication.
Privileged access needs the tightest control. Give admin rights only when the task requires them, then take them away as soon as the work ends. If a vendor needs ongoing access, set a new approval date and a clear review owner. Also remove the same user from SaaS, cloud, VPN, and internal systems at the same time, so one forgotten system does not keep the risk alive.
A quarterly cadence works because it catches drift before it turns into a bigger problem. It also gives IT, security, and compliance one clear rhythm to follow.
If your team needs help tightening the process or filling an IAM or PAM gap, Book a Discovery Call with Bud Consulting.
Quarterly reviews stay useful when they are specific, repeatable, and backed by evidence. Keep the inventory complete, apply least privilege, and document each decision with care. That is how third-party user access stays under control, one quarter at a time.