The 30-Minute Quarterly Access Review for Startups Without an IT Team
A practical, repeatable process for reviewing who has access to what at your startup — no IT department, no enterprise IAM tools required.
A quarterly access review is a scheduled, recurring audit of who has access to your company's tools, data, and systems. For a startup, running one every quarter takes about 30 minutes, catches the access drift that builds up between hires and departures, and costs nothing beyond a spreadsheet and a founder's time. You do not need Okta, an IT team, or a compliance consultant to do this well.
Why Quarterly — Not Annual
At a 20-person startup, 18% annual turnover means roughly 3–4 people changing status every year. Add contractors who come and go, one or two promotions, and a couple of tool migrations, and by the time you run your annual review, you are looking at a year's worth of accumulated access drift.
Quarterly reviews catch the drift while it is still small. A designer who left in January and still has Figma access — that gets caught in April. A junior dev who got promoted to tech lead in February and now has both their old read-only access AND their new admin access — that shows up in the next pass.
A one-time audit establishes the baseline; the quarterly review maintains it. SaaS access sprawl compounds if you only look at it once a year. The quarterly cadence is what keeps it manageable in the 15–50 person range, before you are large enough to need enterprise IAM tooling.
What to Review: 5 Categories
Structure your quarterly review around five access categories. Most startups can cover all five in under 30 minutes once they have a working template.
1. Full-time employees who changed roles. Pull your headcount list and flag anyone who was promoted, changed teams, or shifted responsibilities since the last review. Promotions are the most common source of accumulated over-permission. A promoted designer doesn't automatically lose guest access to the client Figma boards they used as a junior. Cross-reference their current role with their current tool access. See our piece on handling access when an employee changes roles for the full checklist.
2. Contractors and freelancers who finished engagements. Anyone whose contract ended in the last quarter but who hasn't been formally offboarded across all tools. This is especially common with project-based contractors who get removed from Slack but not from Notion, GitHub, or shared Google Drive folders.
3. Departed employees. Confirm that everyone who left in the last quarter had all access revoked — not just their Google Workspace account, but every tool they were individually provisioned into. Deactivate or delete the account rather than only resetting its password: personal API tokens and SSH keys tied to an account generally keep working after a password change.
4. Dormant accounts. Any user account that hasn't logged in for 60+ days. It could be parental leave, a role that stopped using that tool, or a forgotten account belonging to someone who left. Flag them, confirm status, and remove or suspend.
5. Shared credentials. Any tool where multiple people share one login. This is the hardest category to track but the most critical: if a shared credential wasn't rotated after someone left, everyone who knows the password still has effective access.
How to Run It in 30 Minutes
You don't need an enterprise IAM platform for this. A Google Sheet and your tool admin dashboards are enough. Here is the process, step by step.
Step 1: Pull your current headcount (5 minutes). Export or screenshot your active employee list. Include full-time staff AND any active contractors. Mark anyone who changed status since the last review: new hires, departures, promotions, or contract endings. This is your change log for the quarter.
Step 2: List your tools (5 minutes). If you don't already have a master list of the tools your team uses, now is the time to build one. Start with the obvious: Slack, Notion, GitHub, Figma, Google Workspace, your project management tool (Linear, Jira, Asana), your CRM, and any finance or HR tools. Add any shared accounts your team keeps in a password manager.
Step 3: Cross-reference access against the change log (10 minutes). For each person on your change log, verify their access across your tool list. Departed? They should be removed from everything. Promoted? Their old-role access should be cleaned up. Contractor who finished? Check every tool, not just Slack.
Step 4: Spot-check dormant accounts (5 minutes). In your most critical tools (GitHub, Notion, your CRM, any finance tool), check last-login timestamps. Most SaaS tools surface this in their admin console. Any account that hasn't logged in for 60+ days gets flagged. Ping the account holder's manager or check your headcount list — if the person is still active, they can confirm. If they're gone, remove the account.
Step 5: Rotate any shared credentials where membership changed (5 minutes). For each shared credential in your password manager, check whether anyone left or was added since the last rotation. If someone who had access to that credential has departed, rotate the password before the end of the day, update the password-manager entry, and record the rotation date. No exceptions: removing the departed person's own logins does nothing for a password they already know.
At the end of this, you should have a short action list: accounts to remove, permissions to downgrade, passwords to rotate. Aim to complete the action list within 48 hours. If you are consistently finding more than 10–15 items per quarter, that's a signal your initial access discovery needs a more thorough one-time pass before you can use the quarterly cadence effectively.
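The cross-reference in Steps 3 to 5 is mechanical once the inputs are in one place, so here it is as a script. This is an added illustration, not Optserv's code or any tool from the article: it takes a headcount change log, a per-tool access export, and the password manager's shared-credential membership, and emits the action list (remove, downgrade, confirm, rotate). The CSV column names, the status values, the permission ranking, and every record in it are constructed assumptions; real admin-console exports differ per tool and would need their columns mapped to these.

```python
"""Quarterly access review helper: cross-reference the headcount change log,
per-tool access exports and shared-credential membership into an action list.

Added illustration, not Optserv code. All records below are constructed sample
input; column names and status values are assumptions about export formats.
"""
from __future__ import annotations

import csv
import io
from datetime import date

REVIEW_DATE = date(2024, 4, 1)   # assumed: the day the review is run
DORMANT_AFTER_DAYS = 60          # dormancy threshold from the article

# Constructed headcount / change log for the quarter.
# status: active | promoted | departed | contractor_ended
HEADCOUNT_CSV = """\
email,status,role
ana@example.com,active,designer
ben@example.com,promoted,tech_lead
cara@example.com,departed,designer
dev@example.com,contractor_ended,contractor
eli@example.com,active,ops
"""

# Constructed per-tool access export; last_login is an ISO date or empty.
ACCESS_CSV = """\
tool,email,permission,last_login
github,ben@example.com,read,2024-03-28
github,ben@example.com,admin,2024-03-28
github,cara@example.com,write,2024-01-10
github,dev@example.com,write,2023-12-05
notion,dev@example.com,member,2024-03-30
notion,eli@example.com,member,2023-11-01
figma,ana@example.com,editor,2024-03-29
figma,cara@example.com,editor,2024-01-12
crm,mallory@example.com,admin,
"""

# Constructed password-manager view of shared credentials and who knows them.
SHARED_CREDS = [
    {"name": "company-twitter", "members": ["ana@example.com", "cara@example.com"]},
    {"name": "cloud-root", "members": ["ben@example.com", "eli@example.com"]},
]

# Assumed ordering of permission levels; a higher number means more access.
PERMISSION_RANK = {"read": 0, "member": 1, "write": 2, "editor": 2, "admin": 3}

GONE = {"departed", "contractor_ended"}


def load_csv(text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def review(headcount_csv: str, access_csv: str, shared_creds: list[dict],
           review_date: date = REVIEW_DATE) -> list[dict]:
    """Return the quarter's action list, sorted by (action, target, email)."""
    people = {row["email"]: row for row in load_csv(headcount_csv)}
    access = load_csv(access_csv)
    actions: list[dict] = []

    def add(action: str, target: str, email: str, reason: str) -> None:
        actions.append({"action": action, "target": target, "email": email, "reason": reason})

    # Steps 3 and 4: every grant is checked against the change log, then for dormancy.
    for grant in access:
        email, tool = grant["email"], grant["tool"]
        person = people.get(email)
        if person is None:
            add("remove", tool, email, "not on headcount list")
        elif person["status"] in GONE:
            add("remove", tool, email, person["status"])
        else:
            last = grant["last_login"]
            days = (review_date - date.fromisoformat(last)).days if last else None
            if days is None or days > DORMANT_AFTER_DAYS:
                add("confirm", tool, email, f"dormant: last login {last or 'never'}")

    # Promotions: stacked permissions in one tool -> keep the highest, downgrade the rest.
    promoted = {e for e, p in people.items() if p["status"] == "promoted"}
    by_person_tool: dict[tuple[str, str], list[str]] = {}
    for grant in access:
        if grant["email"] in promoted:
            by_person_tool.setdefault((grant["email"], grant["tool"]), []).append(grant["permission"])
    for (email, tool), perms in by_person_tool.items():
        if len(perms) > 1:
            keep = max(perms, key=lambda p: PERMISSION_RANK.get(p, -1))
            for p in perms:
                if p != keep:
                    add("downgrade", tool, email, f"old-role permission '{p}' alongside '{keep}'")

    # Step 5: a shared credential known to anyone who has left must be rotated.
    for cred in shared_creds:
        gone = [m for m in cred["members"] if m not in people or people[m]["status"] in GONE]
        if gone:
            add("rotate", cred["name"], ",".join(gone), "member departed since last rotation")

    return sorted(actions, key=lambda a: (a["action"], a["target"], a["email"]))


if __name__ == "__main__":
    for item in review(HEADCOUNT_CSV, ACCESS_CSV, SHARED_CREDS):
        print(f"{item['action']:<9} {item['target']:<16} {item['email']:<34} {item['reason']}")
```

On the sample data this yields eight items: the departed designer and finished contractor are removed from every tool they still appear in, the account that is on no headcount list at all is removed, the promoted developer's leftover read grant is flagged for downgrade beside the new admin grant, the ops member who last opened Notion five months ago is flagged to confirm rather than removed outright, and the one shared credential the departed designer knew is queued for rotation. Note the order of checks: an account is tested for departure before dormancy, so a departed user with a recent login is still removed.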
Quick-Reference Checklist
| Category | What to check | Time |
|---|---|---|
| Role changes | Promoted/changed-team employees — old permissions still active? | 3 min |
| Contractor endings | Project-based contractors — removed from all tools, not just comms? | 5 min |
| Departed employees | Full offboarding verification across entire tool list | 5 min |
| Dormant accounts | Last login >60 days — account still needed? | 5 min |
| Shared credentials | Anyone with access departed since last rotation? Rotate the password | 5 min |
| Action list | Remove, downgrade, rotate — all items within 48 hours | 7 min |
When to Automate vs. When to Keep It Manual
If you have fewer than 25 people, this process works manually. A Google Sheet with your tool list and employee roster, updated quarterly, is sufficient. The cost of the manual process is roughly 30 minutes of a founder or ops lead's time per quarter — about 2 hours annually. That's worth it.
Once you cross 30–40 people, or once you have more than 25 active contractors cycling through in a year, the manual process starts to break down. At that point you have two options: adopt a lightweight tool-access layer that tracks provisioning from hire, or accept that your quarterly review will take longer and catch fewer issues. A platform like Optserv tracks access grants across the employee lifecycle — so by the time you run your quarterly review, the change log is already populated and cross-referenced for you.
FAQ
How often should startups review user access? Quarterly is the right default for most startups between 10 and 50 people. Annual reviews miss too much — at 18% turnover, a year's worth of drift is hard to untangle. Monthly is overkill unless you have fast-cycling contractors or are in a regulated industry (fintech, healthcare). Quarterly hits the right balance: frequent enough to catch issues before they compound, infrequent enough not to be a burden.
Do startups need to run access reviews for SOC 2 compliance? SOC 2 does not prescribe a review frequency; your control description states the cadence you commit to, and the Type II auditor tests that you actually kept it over the audit window. Quarterly reviews of privileged access and at least annual reviews of all accounts is the common baseline. If you're targeting SOC 2, a quarterly cadence with dated evidence (a dated Google Sheet or exported log, plus proof the action items were closed) is the minimum. You don't need enterprise tooling; documented, consistent quarterly reviews satisfy most auditors at the startup stage.
What's the difference between a quarterly access review and a one-time access audit? A one-time audit is the discovery exercise: figure out who currently has access to what, often from scratch. A quarterly access review is the maintenance exercise: given that you already know your baseline, check what changed in the last 90 days and clean it up. If you haven't done the audit yet, start there — it gives you the baseline that makes quarterly reviews fast.
What happens if I find an account that should have been removed months ago? Remove it immediately, then trace back how it got missed. Was the person offboarded but the tool wasn't on your list? Was there no checklist? Document what happened and add that tool or step to your quarterly template. The review cadence is only as good as the action it drives — finding issues is valuable only if you close them.
Keep Access Clean Without Adding Overhead
The quarterly access review is a 30-minute habit that prevents months of cleanup. Run it at the start of each quarter: pull your change log, cross-reference against your tool list, flag dormant accounts, rotate any affected shared credentials, action the list within 48 hours.
If you want the change log pre-built — access provisioned at hire, tracked on role change, and flagged automatically at departure — Optserv handles the lifecycle layer so your quarterly review becomes a confirmation exercise rather than a detective exercise.
By Optserv Team