Skip to content

An auditor asks for evidence that access reviews happen quarterly. What do you provide?

Short answer

Auditors test for evidence, not intent: show the access-review policy, dated records of each review with approver sign-off, and confirmation that flagged access was revoked and verified. A verbal confirmation proves nothing repeatable, a promise to start next quarter shows the control was not operating in the audit period, and an org chart describes reporting lines, not access decisions. Only the dated, attributable artifacts demonstrate the control operated as designed across the whole period.

Auditors do not score good intentions. They test whether a control operated as designed throughout the period under review, and the only thing that demonstrates that is evidence you can point to, date, and attribute to a person.

What "evidence" actually means

For a quarterly access review, an auditor expects a chain of artifacts: the policy that says reviews happen quarterly and who owns them; a dated record for each review (a ticket, a signed report, an export from your IGA tool); approver sign-off showing a named manager confirmed each user's access; and proof of follow-through — that any access flagged for removal was actually revoked and that the revocation was verified. Together these show the control fired four times, was performed by the right people, and changed reality.

Why the wrong answers fail

Verbal confirmation is unverifiable and unrepeatable; an auditor cannot test it, and it carries no date or owner. Promising to start next quarter is an outright admission that the control did not operate during the audit period, which is a finding, not evidence. The org chart describes reporting lines, not who reviewed access or what they decided — it answers a different question entirely.

The judgment being probed

The interviewer wants to see that you think like the audited, not the auditor: you anticipate the request and keep the artifacts as a byproduct of running the control, rather than scrambling to reconstruct them. A strong answer also distinguishes design (the review exists and is well-defined) from operating effectiveness (it actually ran every quarter), because auditors test both. Finally, the best candidates mention sampling: an auditor will pick specific users or quarters and ask you to produce the trail, so the evidence must be complete and retrievable, not a single screenshot. Treating evidence as a continuous output of the process — not a last-minute deliverable — is the mark of a mature GRC practitioner.

Likely follow-ups

  • How would you sample reviews to show the control operated every quarter, not just once?
  • What evidence proves that access flagged for removal was actually revoked and stayed revoked?
  • How do you handle a quarter where a review was missed entirely?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.