
June 3, 2026 · 5 min read

SOC 2 Access Review Template — What to Document Every Quarter

Quarterly access reviews are a SOC 2 requirement but nobody tells you what to actually write down. Here is the exact template auditors want to see, with real examples.


SOC 2 access review template

Quarterly access reviews come up on almost every SOC 2 audit. The auditor asks for evidence that you regularly reviewed who has access to your systems and removed anything that should not be there.

Most teams know they need to do this. The part that catches people off guard is the documentation. "We reviewed access" is not enough. Auditors want to see a record — who reviewed it, what was covered, what the outcome was, and when the next review is scheduled.

Here is the exact information you need to document each quarter.

What goes in an access review record

Date of review: The specific date the review was conducted. Not the month, the date.

Reviewed by: The name and role of the person who conducted the review. For a small team this is usually the founder, CTO, or whoever owns security.

Systems covered: List every system that was included in this review. Be specific. Examples:

  • AWS IAM (production account)
  • GitHub organisation
  • Google Workspace
  • Okta
  • Database access (RDS production)
  • Third-party SaaS tools with access to customer data

What was reviewed: For each system, note what you actually looked at. Auditors want to know you checked active users, permissions, and whether anything looked wrong. A one-liner per system works fine.

Outcome: One of three things: no changes required, access removed for specific users, or issues found and remediated. If you removed access, list who and from what. If you found nothing to change, say that explicitly — "all access confirmed appropriate, no changes made" is a valid outcome.

Next review date: Set the next review date at the time you complete the current one. This shows you have a process, not just a one-off exercise.

A real example

Here is what a completed access review record looks like for a 12-person startup:


Review date: 15 March 2026

Reviewed by: Raphael Tzy, CTO

Systems covered: AWS IAM, GitHub, Google Workspace, Okta, Notion, Linear

Review notes:

  • AWS IAM: 4 active users, all with appropriate permissions. Root MFA confirmed active. No stale credentials found.
  • GitHub: 11 members, 2 outside collaborators. Removed outside collaborator access for contractor who finished engagement in January.
  • Google Workspace: 12 active users. Confirmed MFA enrolled for all. No inactive accounts.
  • Okta: 12 active users. No flagged inactive sessions.
  • Notion: 9 members. Removed 1 former employee account that was missed during offboarding.
  • Linear: 8 members. All appropriate.

Outcome: Access removed for 1 GitHub collaborator and 1 Notion account. All other access confirmed appropriate.

Next review date: 15 June 2026


That is it. One page. Auditors are looking for evidence of a consistent process, not a 20-page report.

Common mistakes

Reviewing only AWS: Most teams remember to check IAM but forget GitHub, Google Workspace, and the SaaS tools. Auditors will ask about all systems that touch customer data.

Not documenting when nothing changed: If you found nothing to remove, you still need to write that down. "Nothing to report" with no record looks like you skipped the review.

Doing it annually instead of quarterly: SOC 2 requires quarterly reviews for a Type II audit. Doing it once a year will fail. Set a recurring calendar reminder the day after each review.

Waiting until the audit to start: For SOC 2 Type II you need evidence of reviews across the entire audit period, typically 6 to 12 months. If you start documenting access reviews the month before the audit, you will fail this control.

How often and when

Quarterly means four times a year. Pick a schedule that works and stick to it. Many teams tie it to the end of each calendar quarter — end of March, June, September, December. Others do it monthly to make it a lighter lift each time.

The important thing is consistency. An auditor seeing four quarterly reviews dated roughly 90 days apart is much more convincing than one comprehensive review.
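As an added example (not the post's or TrailProof's code), here is a small Python checker that parses a record in the format shown above and flags the gaps this post warns about: missing fields, a month instead of a date, a covered system with no note, an outcome that disagrees with the per-system notes, a next review date more than a quarter out, and reviews spaced more than a quarter apart across the audit period. The 92-day quarter, the field names and the cut-down sample record are assumptions taken from the template.

```python
from datetime import datetime, timedelta
REQUIRED = ("Review date", "Reviewed by", "Systems covered", "Review notes", "Outcome", "Next review date")
MAX_GAP_DAYS = 92  # assumption: one calendar quarter is the longest gap "quarterly" tolerates
# Constructed sample, cut down from the record shown in the post.
SAMPLE_RECORD = """\
Review date: 15 March 2026
Reviewed by: Raphael Tzy, CTO
Systems covered: GitHub, Notion
Review notes:
  • GitHub: 11 members, 2 outside collaborators. Removed outside collaborator access for contractor.
  • Notion: 9 members. Removed 1 former employee account missed during offboarding.
Outcome: Access removed for 1 GitHub collaborator and 1 Notion account.
Next review date: 15 June 2026
"""

def parse_date(text):  # the post's format, e.g. '15 March 2026'; a bare month raises ValueError
    return datetime.strptime(text, "%d %B %Y").date()

def parse_record(text):  # 'Field: value' lines plus the bulleted per-system notes -> dict
    rec, notes = {}, {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("•"):
            system, _, note = line.lstrip("• ").partition(":")
            notes[system.strip()] = note.strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
    return {**rec, "Review notes": notes}

def check_record(rec):
    """Return the findings an auditor would raise; an empty list means the record is complete."""
    findings = [f"missing field: {f}" for f in REQUIRED if not rec.get(f)]
    if findings:
        return findings
    try:
        reviewed, nxt = parse_date(rec["Review date"]), parse_date(rec["Next review date"])
    except ValueError:
        return ["dates must name a specific day, e.g. '15 March 2026', not a month"]
    if not reviewed < nxt <= reviewed + timedelta(days=MAX_GAP_DAYS):
        findings.append("next review date must follow this one by at most a quarter")
    covered = {s.strip() for s in rec["Systems covered"].split(",")}
    findings += [f"no review note for {s}" for s in sorted(covered - set(rec["Review notes"]))]
    removed_in_notes = any("removed" in n.lower() for n in rec["Review notes"].values())
    if removed_in_notes != ("removed" in rec["Outcome"].lower()):
        findings.append("outcome does not match the per-system notes on removed access")
    return findings

def check_cadence(review_dates, period_start, period_end):  # (from, to) gaps over a quarter, period ends included
    points = [period_start, *sorted(review_dates), period_end]
    return [(a, b) for a, b in zip(points, points[1:]) if (b - a).days > MAX_GAP_DAYS]
```

Run `check_record(parse_record(...))` on each quarter's record and `check_cadence` on all review dates for the audit period; a single December review against a January start shows up as one long gap, which is exactly what an auditor would see.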

Making it easier

The review itself takes 20 to 30 minutes for a small team once you have a system. The hardest part is remembering to do it and having somewhere to record it.

TrailProof's access review tracker logs each review with all the fields above, reminds you when the next one is due, and exports the full history as a PDF you can hand to your auditor. If you are tracking this in a spreadsheet or a Google Doc right now, it works but it is one more thing to remember.

Whatever system you use, start the paper trail now. Quarterly access reviews are one of the easier controls to get right — as long as you are not starting from scratch at audit time.
