A control gap we missed for 8 months. Sharing in case it helps someone else's audit prep.
We thought our access review workflow was airtight. Quarterly manager reviews, sign-offs in our task system, evidence captured. Then our auditor found a gap nobody noticed for 8 months.
The gap: when an employee changed roles within the company (engineering to product, IC to manager, etc.), their old role-based access wasn't being revoked. The access review process only checked "does this person still work here" and "do they still need their current access." It never asked "should they still have access from their previous role."
By the time our auditor caught it during sample testing, three employees had access permissions from old roles they hadn't held in over a year. Auditor flagged it as a finding.
The fix was process, not tool. Added a step in our role-change workflow (handled by HR) that triggers an access revocation review with IT before the role change is finalized. Now every internal transfer fires an access cleanup task.
Sharing because I keep meeting teams whose access review process has this same gap and they don't realize it. Internal transfers fall between the cracks of "still employed" and "current role access" if you don't specifically design for it.
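The check the quarterly review was missing, shown as a small added example (not from the original post or any particular IAM tool) over constructed sample data: a role-to-entitlement map and each user's role history, flagging entitlements explained only by a former role.

```python
from datetime import date

# Constructed sample: which entitlements each role is supposed to grant (hypothetical names).
ROLE_ENTITLEMENTS = {
    "engineer": {"github-write", "prod-ssh", "aws-dev"},
    "product-manager": {"jira-admin", "analytics-ro"},
    "eng-manager": {"github-write", "aws-dev", "hr-team-view"},
}

# Constructed sample: role history oldest-first with effective dates, plus current grants.
USERS = [
    {"user": "alice", "active": True,
     "roles": [("engineer", date(2021, 1, 4)), ("product-manager", date(2023, 3, 1))],
     "entitlements": {"github-write", "prod-ssh", "aws-dev", "jira-admin", "analytics-ro"}},
    {"user": "bob", "active": True,
     "roles": [("engineer", date(2020, 6, 1)), ("eng-manager", date(2022, 9, 15))],
     "entitlements": {"github-write", "aws-dev", "hr-team-view", "prod-ssh"}},
    {"user": "carol", "active": True,
     "roles": [("engineer", date(2022, 2, 1))],
     "entitlements": {"github-write", "prod-ssh", "aws-dev"}},
]


def stale_entitlements(user):
    """Grants not justified by the current role, split into those carried over from a
    former role (the transfer gap) and those no role in the history explains."""
    current_role = user["roles"][-1][0]
    excess = user["entitlements"] - ROLE_ENTITLEMENTS[current_role]
    carried, orphaned = {}, set()
    for ent in excess:
        former = [r for r, _ in user["roles"][:-1] if ent in ROLE_ENTITLEMENTS[r]]
        if former:
            carried[ent] = former[-1]   # most recent former role that granted it
        else:
            orphaned.add(ent)
    return carried, orphaned


def review_findings(users, as_of):
    """One finding per active user holding entitlements from a previous role.
    A 'still employed' plus 'current role' review would return nothing here."""
    findings = []
    for u in users:
        if not u["active"]:
            continue
        carried, orphaned = stale_entitlements(u)
        if carried:
            changed_on = u["roles"][-1][1]
            findings.append({"user": u["user"], "current_role": u["roles"][-1][0],
                             "carried_over": carried, "unexplained": orphaned,
                             "days_since_role_change": (as_of - changed_on).days})
    return findings
```

Running `review_findings(USERS, date(2024, 3, 1))` flags alice (all three engineer grants) and bob (only `prod-ssh`, since his manager role legitimately keeps the other two); carol is clean.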
Anyone else hit this in their first or second audit?