Compliance

Preparing for an IT Audit Without Burning Three Months

The auditor sends the request list on a Tuesday. Twenty-three items. Most of them about access. "List all users with admin privileges in Entra ID." "Evidence of access reviews in the last 12 months." "Termination procedure with proof it was followed for these five sample emplo...

3 juni 2026Uppdaterad: 17 juli 20264 min läsningDaniel Persson

The auditor sends the request list on a Tuesday. Twenty-three items. Most of them about access. "List all users with admin privileges in Entra ID." "Evidence of access reviews in the last 12 months." "Termination procedure with proof it was followed for these five sample employees."

You glance at your calendar. The audit is in seven weeks.

You have not run an access review since the last audit. You have not documented your offboarding process. You also have an actual job to do.

The reason audit prep eats months

The work the auditor wants is not hard. Pull a list. Show evidence a control ran. Match a process to reality. None of that is rocket science.

The problem is that the evidence does not exist yet. You have the controls (kind of). You have the processes (somewhere). What you do not have is the audit trail. Evidence those controls fired at the right moments. Over the last twelve months.

So you spend three months rebuilding it. You go through every leaver from the last twelve months and manually confirm their access was revoked. You ask managers to "validate" who reports to them. You take screenshots of group memberships and timestamp them. You write a memo explaining your offboarding procedure, then quietly fix the parts of the procedure you wrote down.

That is the burn. Not the audit. The reconstruction.

What actually moves the needle

Three things make audit prep short. None of them are exciting.

First, evidence that already exists. If your offboarding produces a log entry every time it runs, you do not need to reconstruct anything. The auditor asks for the leaver sample, you export the log, you are done in twenty minutes.

Second, a recent access review. Anything from the last six months counts. The auditor wants to see a review happened, who approved what, and what changed afterward. The mechanics of running one are in how to run an access review without drowning in spreadsheets. A short note saying "reviewed October 2025, removed 47 entries, signed by IT manager" beats a perfect access list. One with no provenance is worth nothing.

Third, a written process that matches what you actually do. Auditors are not impressed by 40-page policies. They want one page. When someone leaves, you do these five things. Here is who does them. Here is where the evidence lands. If the process says you do six things and your logs show five, that gap is the finding.

The seven-week plan

If the audit is in seven weeks and you have nothing, here is the order that hurts least.

Week one. Pull the leaver list from HR for the last 12 months. For each one, screenshot the disabled account in Entra ID with the timestamp. Yes, all of them. This is the single most common finding and the one auditors check hardest. The Entra ID offboarding checklist has the full list of what to check per leaver.

Week two. Pull the admin list. Entra ID, Microsoft 365 admin roles, anything with global access. Ask each admin's manager to confirm they still need it. Document the responses. Remove any "no" answers immediately.

Week three. Pull privileged group memberships. Same drill. One email to each group owner, one yes or no, one log of what changed.

Week four. Write your one-page joiner, mover, leaver process. Match it to what you actually did in weeks one through three.

Weeks five through seven. Whatever specific evidence the auditor asked for that you have not already produced. For SOC 2 specifically, SOC 2 access reviews covers what the auditors usually want.

This works. It is also miserable. By week three you will be tired of writing emails to managers who do not reply.

The bit nobody mentions

Doing this once does not help you next year. Twelve months later you will be back here. Doing the same reconstruction. With one extra year of access creep on top.

The thing that breaks the cycle is making the evidence a side effect of normal work. When someone leaves, the offboarding produces the log. When someone changes role, the change is recorded with who approved it. When the quarterly review runs, the result is saved. Audit prep stops being a project and becomes "export the last 12 months."

That is what identity governance is supposed to do. Not a six-month enterprise rollout. Just the boring plumbing that turns daily work into evidence.

Full transparency, this is our product. Adcyma handles the Entra ID lifecycle and access reviews so the audit trail builds itself. If next year's audit prep is a six-week block of dread on your calendar, have a look at the platform.

Testa Adcyma gratis — inget kreditkort behövs

Sätt upp identitetsstyrning för din Entra ID- eller Active Directory-miljö på mindre än en dag.