US · AICPA Standard · Trust Services Criteria · Type I & Type II Reports

Do I Need User Access Review for SOC 2?

SOC 2 is the dominant security assurance standard for US-based technology companies and service providers. Common Criteria 6 (CC6, Logical and Physical Access Controls) makes User Access Review a core requirement.

OUR INTERPRETATION

Why does SOC 2 mandate User Access Review?

What is SOC 2? SOC 2 (Service Organisation Control 2) is an auditing standard developed by the AICPA (American Institute of Certified Public Accountants). It is not a law, but it is contractually required by most enterprise customers and is effectively mandatory for SaaS companies, cloud providers, and managed service providers operating in the US market.

SOC 2’s Trust Services Criteria — specifically Common Criteria 6 (CC6) — governs all logical and physical access controls. CC6.2 explicitly requires that user access is authorised, regularly reviewed, and revoked when no longer appropriate. Auditors require quarterly evidence of completed reviews — not just a policy that says reviews should happen.

User Access Authorisation & Review

Prior to granting access, entities must register and authorise users. Access must be reviewed periodically — quarterly is the expected standard — and revoked promptly upon termination or role change.

Access Modification & Role Changes

When roles, responsibilities, or employment status change, access must be updated or removed. This is the “mover/leaver” dimension of access review, explicitly required under CC6.3.

Logical Access Security Infrastructure

This criterion requires access control software and architectures that restrict access to protected information. Access reviews validate that these technical controls are working as intended and remain current.

External & Third-Party Access

Logical access to assets from outside the network perimeter requires controls and — critically — periodic review. Vendor and contractor access is a common audit finding when not actively managed.

Directly from the AICPA Trust Services Criteria

Source: AICPA Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (2017, updated 2022)

aicpa.org · Trust Services Criteria · CC6 — Logical and Physical Access Controls

CC6.2 — Prior to Issuing System Credentials

“Prior to issuing system credentials and granting system access, the entity registers and authorises new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorised.”

CC6.3 — Points of Focus: Removes Access to Protected Assets

“The entity authorises, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.”

Points of focus include: Review of Access Rights: Periodically reviews and updates user access privileges to ensure they remain appropriate for current roles and responsibilities.

CC6.2 — Points of Focus: Removes Access When Appropriate

“Access is removed when an individual no longer requires access. The types of access removed include logical access, physical access and access to restricted areas.”

This is actively tested by SOC 2 auditors through requests for termination records cross-referenced against access system exports.

Where to find this in the standard

→ AICPA.org → Trust Services Criteria → Common Criteria 6 (CC6) → CC6.2 and CC6.3

→ AICPA Trust Services Criteria document (PDF) → Section CC6: Logical and Physical Access Controls

→ SOC 2 Audit Reports → Management Assertion and Points of Focus for CC6.2

→ AICPA SOC 2 Examination Guidelines → Evidence requirements for access reviews

→ Your SOC 2 auditor’s Request List — typically includes quarterly access review screenshots and logs

The SOC 2 CC6 Access Control Framework

CC6 spans eight sub-criteria. CC6.2 and CC6.3 are where User Access Review is explicitly required — but all eight are interconnected.

CC6.1: Logical Access Infrastructure

CC6.2: User Authorisation & Access Review

CC6.3: Access Modification & Removal

CC6.4: Physical Access Controls

CC6.5: Authentication Mechanisms

CC6.6: External / Vendor Access

CC6.7: Transmission & Data Security

CC6.8: Malware & Unauthorised Software

Squarum's Interpretation

What do SOC 2 auditors test?

Quarterly screenshots of user lists from every in-scope system

SOC 2 auditors typically request timestamped screenshots or exports of the full user list from each system in scope, taken at the time of the review. They then cross-reference against HR data to find ghost accounts.

The "Ghost Account" is the most common CC6.2 failure

A former employee is terminated in HR and the primary IdP, but their account remains active in a developer tool or database for weeks. This is a direct CC6.2 violation and one of the top reasons companies fail or receive exceptions in their SOC 2 report.

Access provisioning must have approval tickets

Not only must you show that access was reviewed — you must also show it was properly authorised when granted. Auditors look for linked approval tickets or manager sign-off for each access grant.

Vendor and contractor access is actively tested

CC6.6 means third-party and contractor access to your systems is in scope for review. Auditors frequently flag when vendor accounts exist but lack a review cadence or scope limitation.

What your SOC 2 auditor's request list looks like

A typical SOC 2 Type II audit evidence request for CC6 will include: quarterly access review screenshots from all in-scope systems, a list of users terminated during the audit period with deprovisioning confirmation dates, manager approval records for access grants, and evidence of vendor access limitations. Without automated tooling, collecting this evidence manually consumes weeks of engineering and HR time.
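The cross-reference an auditor performs for the "ghost account" finding, and the deprovisioning-lag evidence in the request list above, can be scripted. The following is an added example, not Squarum's code or anything from the AICPA: the HR roster, the per-system exports and the `example.com` addresses are constructed sample data, and the export format (system name, export date, list of active account e-mails) is an assumption.

```python
"""Ghost-account check: cross-reference per-system user exports against the HR roster.

A "ghost" is an account still active in a system on or after the owner's HR
termination date. An "unmatched" account has no HR identity at all (typically a
vendor, contractor or service account) and needs its own review owner.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed HR roster: e-mail -> termination date (None = still employed).
HR_ROSTER: Dict[str, Optional[date]] = {
    "alice@example.com": None,
    "bob@example.com": date(2024, 3, 15),
    "carol@example.com": date(2024, 1, 31),
}

# Constructed quarterly exports: system -> (export date, active account e-mails).
SYSTEM_EXPORTS: Dict[str, Tuple[date, List[str]]] = {
    "okta": (date(2024, 4, 1), ["alice@example.com"]),
    "github": (date(2024, 4, 1), ["alice@example.com", "bob@example.com"]),
    "prod-postgres": (date(2024, 4, 1), ["alice@example.com", "carol@example.com",
                                         "svc-report@vendor.example"]),
}


@dataclass(frozen=True)
class Finding:
    system: str
    account: str
    reason: str                          # "ghost" or "unmatched"
    days_past_termination: Optional[int]  # None for unmatched accounts


def find_ghost_accounts(hr_roster: Dict[str, Optional[date]],
                        system_exports: Dict[str, Tuple[date, List[str]]]) -> List[Finding]:
    """Return one Finding per account that should not be active as of its export date."""
    findings: List[Finding] = []
    for system, (export_date, accounts) in sorted(system_exports.items()):
        for account in accounts:
            if account not in hr_roster:
                findings.append(Finding(system, account, "unmatched", None))
                continue
            terminated = hr_roster[account]
            # Active in the export on or after the HR termination date: a CC6.2 ghost.
            if terminated is not None and terminated <= export_date:
                findings.append(Finding(system, account, "ghost", (export_date - terminated).days))
    return findings


if __name__ == "__main__":
    # Print the evidence record a reviewer would attach to the quarterly review.
    for f in find_ghost_accounts(HR_ROSTER, SYSTEM_EXPORTS):
        print(f"{f.system:14} {f.account:28} {f.reason:10} {f.days_past_termination}")
```

Run against real exports, the same check also surfaces accounts in the IdP-downstream tools (the GitHub and database rows here) that an IdP-only review would miss.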

Sail through your SOC 2 audit with Squarum

Squarum automates quarterly CC6.2 evidence collection across all your systems — complete with timestamped screenshots, reviewer workflows, and a full audit-ready export. Stop spending weeks on manual evidence collection.