If Your UAR Lives in a Spreadsheet, You Already Have a Problem
Here is a scenario that plays out in enterprises every quarter: an IT security manager exports a list of user accounts from Active Directory into Excel, shares it with a dozen department heads over email, waits two weeks for responses, chases down the ones who have not replied, manually consolidates the feedback, and then uploads the final file to a shared drive — hoping it is the right version. This is a User Access Review. And for a significant number of mid-to-large enterprises managing anywhere from 1,000 to 10,000 users, this is still how it gets done.
The uncomfortable truth is that Excel-based UAR is not just slow and frustrating — it is a compliance liability and a security blind spot. Auditors are getting more specific about what they want to see. Regulations are getting tighter. And attackers are getting better at exploiting exactly the gaps that spreadsheet-based reviews leave open.
What Is a User Access Review and Why Does It Exist?
A User Access Review is a periodic, structured process where an organization verifies that every user has only the access they actually need to do their job — and nothing more. It is the operational mechanism for enforcing the principle of least privilege over time, as roles change, people leave, and permissions accumulate.
The purpose is straightforward: people’s roles change, but their access permissions often do not. An employee who moved from the finance team to marketing six months ago may still have read access to payroll systems. A contractor whose engagement ended in January may still have an active account with VPN credentials. A developer who got promoted to team lead may have accumulated admin permissions across three systems during the transition. None of these are malicious — they are the natural result of access never being reviewed and cleaned up.
Who Requires It?
UAR is not optional for any organization operating under a recognized security or compliance framework. The major ones are explicit:
- ISO 27001:2022 (Control 5.18 — Access Rights): Requires that access rights are provisioned, modified, and removed in a controlled manner, with documented reviews.
- SOC 2 (CC6.3): Requires that access to data and systems is reviewed and revoked when no longer required — and that there is evidence of those reviews.
- PCI-DSS (Requirement 7): Mandates that access to system components is limited to what is required by job function, reviewed at least every six months for privileged accounts.
- Cyber Essentials: Requires that user accounts — particularly those with administrative privileges — are authorized, controlled, and regularly reviewed.
How Often and What Should It Capture?
Frequency depends on the framework and the sensitivity of the access:
- Privileged accounts and those with access to sensitive data should typically be reviewed quarterly.
- Standard user accounts are often reviewed semi-annually or annually.
What a proper UAR must capture:
- Who has access to what, at what privilege level, and when that access was last used.
- Whether the access is still justified, and who reviewed and approved that determination, with a timestamp.
That last point is where Excel-based processes collapse. Capturing the review and the approval decision with a verifiable, timestamped audit trail is something a spreadsheet fundamentally cannot do reliably.
How Most Teams Actually Do It
The typical Excel UAR workflow goes something like this:
- The IT team exports user and permission data from one or more systems — Active Directory, an HRMS, a cloud IAM tool — and pastes it into a spreadsheet.
- Columns are added for ‘Review Status’ and ‘Comments’.
- The spreadsheet is emailed to managers and system owners with a deadline.
- Some respond promptly. Many do not. A week later, a reminder goes out. Then another.
Eventually, the responses come back — but in different formats. Some managers added new columns. Some replied inline in the email instead of updating the sheet. Some updated an older version they had saved locally. Now the IT or compliance team has to manually reconcile five different versions of the same spreadsheet to produce a single consolidated review. Then they re-upload it. Then someone notices a department is missing. The cycle starts again.
What This Looks Like at Scale
For a 1,000-user organization, this process typically takes two to three weeks when run well. For a 5,000-user organization, four to six weeks is common — and that is before factoring in the corrections that need to happen once errors are spotted.
Reality Check: For a 5,000-user organization, a manual Excel-based UAR cycle can take 4 to 6 weeks to complete — and still be inaccurate by the time it is finished. The data was already stale on day one.
The errors that surface are predictable:
- Access permissions that were changed between the export and the review are not reflected.
- Users who left the organization after the export but before the review is complete appear as active.
- Managers who are unsure whether an account is still needed mark it as ‘keep’ to avoid the risk of removing something important.
- Entries go missing when spreadsheets are merged.
- And because multiple versions circulate over email, nobody can say with certainty which file represents the final, authoritative state of the review.
The Security Risks of Excel-Based UAR
The operational pain of a slow, manual UAR process is frustrating. The security consequences are serious.
Risk 1: Orphaned Accounts Are Never Caught
When an employee leaves, their account should be deprovisioned immediately. In practice, deprovisioning is often delayed or incomplete — especially for access to third-party SaaS tools, shared credentials, or legacy systems that are not connected to the main HR workflow.
By the time the next UAR cycle runs, that account has been active for months. Excel-based reviews that run quarterly or semi-annually mean an orphaned account can persist for up to six months before anyone looks at it. And even then, if the reviewer does not recognize the name, they may simply leave it in place.
Risk 2: Privilege Creep Goes Undetected
Privilege creep is the gradual accumulation of access permissions over time — each addition individually justified, but the cumulative result is an account with far more access than the user’s current role requires.
A quarterly spreadsheet review is a poor tool for detecting creep because reviewers see a snapshot, not a trend. Without visibility into how permissions have changed over time, it is nearly impossible to identify that an account now has access to five systems when it only needed two.
Risk 3: No Real-Time Visibility
A UAR spreadsheet is a photograph of your access state at a single point in time. By the time the review is complete, that photograph is weeks old. Significant access changes — a contractor being onboarded, a developer being granted temporary elevated access, a system migration that copies permissions across — happen in the gaps between reviews and are invisible until the next cycle.
Risk 4: No Reliable Audit Trail
When an auditor asks “who reviewed this access decision and when?”, the answer needs to be specific and verifiable.
A spreadsheet with a ‘Reviewed by: John’ column and no timestamp does not meet that bar. Even with timestamps, there is no way to verify that the review was genuine — that John actually looked at the account rather than bulk-approving a hundred rows to clear his backlog.
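The three failure modes above (orphaned accounts, privilege creep, and an unverifiable review record) are all mechanical checks once the export data and the review decisions are held in a structured form rather than in spreadsheet cells. The following is an added example, not Cloudanix code or any vendor's implementation: it runs those checks over a small constructed access export and writes each decision to a hash-chained, timestamped log, so that the reviewer, the decision and the time cannot be edited afterwards without the chain breaking. The users, systems, role baselines and dates are hypothetical sample data.

```python
"""Added example (not Cloudanix code): minimal UAR checks over a constructed
access export, plus a hash-chained audit log for the review decisions."""

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample export: one row per (user, system) entitlement.
# Hypothetical identifiers; not taken from any real directory.
EXPORT = [
    {"user": "a.patel",  "system": "payroll", "level": "admin", "last_used": "2024-01-03", "status": "active", "role": "finance"},
    {"user": "a.patel",  "system": "crm",     "level": "read",  "last_used": "2024-05-20", "status": "active", "role": "finance"},
    {"user": "b.ortiz",  "system": "vpn",     "level": "user",  "last_used": "2024-02-11", "status": "left",   "role": "contractor"},
    {"user": "c.nguyen", "system": "ci",      "level": "admin", "last_used": "2024-05-29", "status": "active", "role": "developer"},
    {"user": "c.nguyen", "system": "prod-db", "level": "admin", "last_used": "2024-05-28", "status": "active", "role": "developer"},
    {"user": "c.nguyen", "system": "billing", "level": "admin", "last_used": "2024-03-30", "status": "active", "role": "developer"},
]

# Hypothetical role baselines: the admin entitlements a role is expected to hold.
ROLE_ADMIN_BASELINE = {"finance": {"payroll"}, "developer": {"ci"}, "contractor": set()}

REVIEW_DATE = datetime(2024, 6, 1, tzinfo=timezone.utc)
DORMANT_AFTER = timedelta(days=90)


def find_orphaned(rows):
    """Accounts whose owner has left (per HR status) but that are still present."""
    return sorted({r["user"] for r in rows if r["status"] == "left"})


def find_privilege_creep(rows):
    """Users holding admin on systems outside their role's expected baseline."""
    creep = {}
    for r in rows:
        if r["level"] != "admin":
            continue
        if r["system"] not in ROLE_ADMIN_BASELINE.get(r["role"], set()):
            creep.setdefault(r["user"], []).append(r["system"])
    return {u: sorted(s) for u, s in creep.items()}


def find_dormant(rows, as_of=REVIEW_DATE, window=DORMANT_AFTER):
    """Entitlements not used within the window (the 'last used' signal a review needs)."""
    out = []
    for r in rows:
        last = datetime.strptime(r["last_used"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if as_of - last > window:
            out.append((r["user"], r["system"]))
    return out


@dataclass
class AuditLog:
    """Append-only review log: each entry commits to the hash of the previous one."""
    entries: list = field(default_factory=list)

    def record(self, reviewer, user, system, decision, note, when):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"reviewer": reviewer, "user": user, "system": system, "decision": decision,
                "note": note, "timestamp": when.isoformat(), "prev": prev}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append({**body, "hash": digest})
        return digest

    def verify(self):
        """Recompute every hash; any edited field or reordered entry breaks the chain."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


def run_review(rows=EXPORT, reviewer="security-lead", when=REVIEW_DATE):
    """Apply the checks and record one timestamped decision per finding."""
    log = AuditLog()
    for u in find_orphaned(rows):
        log.record(reviewer, u, "*", "revoke", "owner departed per HR status", when)
    for u, systems in find_privilege_creep(rows).items():
        for s in systems:
            log.record(reviewer, u, s, "revoke", "admin outside role baseline", when)
    for u, s in find_dormant(rows, when):
        log.record(reviewer, u, s, "flag", "unused > 90 days, confirm with manager", when)
    return log


if __name__ == "__main__":
    log = run_review()
    for e in log.entries:
        print(e["timestamp"], e["reviewer"], e["user"], e["system"], e["decision"])
    print("chain intact:", log.verify())
```

The chain only proves that the log was not altered after the fact; it does not prove the reviewer actually looked at each row, which is why the `note` field and the per-row granularity matter: a hundred identical approvals stamped in the same second are themselves a signal an auditor can query.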
Risk 5: The Spreadsheet Is a Security Risk Itself
A UAR spreadsheet contains a full inventory of users, their system access, their privilege levels, and often their employment status and department. This is sensitive data. When that spreadsheet is shared over email, saved to personal drives, and passed between managers who may forward it further, the organization has lost control of where that data lives. The file that was meant to reduce access risk has itself become an access risk.
Real-World Consequences
The 2020 SolarWinds breach and multiple healthcare sector incidents in subsequent years demonstrated how unreviewed privileged accounts — some belonging to former employees or contractors — became the entry points for significant compromises.
The common thread: access that should have been removed was not, because the review process was not rigorous enough to catch it.
What Auditors Actually Look For
Compliance frameworks have become more specific about UAR requirements over time — and auditors have become more experienced at spotting the gaps that spreadsheet-based processes leave.
ISO 27001:2022 — Control 5.18
ISO 27001:2022 replaced the older A.9 access control annex with Control 5.18, which is more explicit about what documented evidence of access rights management means. It requires that access rights are reviewed at regular intervals, that the reviews be documented, and that access is adjusted when there are changes to roles.
The standard does not prescribe the tool, but it does require evidence that the review happened, who conducted it, what decisions were made, and when. A spreadsheet that went through ten email iterations before reaching a final version does not provide clear, auditable evidence of any of those things.
Cyber Essentials
Cyber Essentials requires that organizations maintain control over user accounts, particularly privileged ones, and that accounts are removed or disabled when they are no longer needed. Assessors will ask how often accounts are reviewed, how quickly departed users are deprovisioned, and how the organization knows that only authorized users have administrative access. These are operational questions that require operational evidence — not a spreadsheet that was last updated six weeks ago.
What Auditors Expect vs. What Excel Provides
Auditors want to see a timestamped record of who reviewed each access decision, evidence that the reviewer had the context to make an informed decision, confirmation that identified issues were acted on with a traceable remediation, and a process that runs at the required frequency without depending entirely on manual effort. What Excel provides is a file with no reliable record of who changed what, when, or why.
Auditor’s Perspective: ISO 27001:2022 explicitly requires documented evidence of access reviews — including who reviewed, what was decided, and when. Excel-based processes rarely provide an audit trail that meets this standard under close scrutiny.
The Cost of a Failed UAR Finding
A failed UAR finding in a SOC 2 or ISO 27001 audit does not automatically mean losing certification — but it does mean a formal non-conformity or exception that must be remediated and re-evidenced. This triggers additional audit cycles, internal remediation work, and, in regulated industries, potential reporting obligations.
More practically, it raises the question of what else was missed if the access review process was not working — a question that auditors will not leave unanswered.
What Automated UAR Looks Like
Automated UAR is not simply a fancier spreadsheet. It is a fundamentally different approach to access governance — one where the data is always live, the process is structured and enforced, and the audit trail is built in by default.
A Single Source of Truth
Instead of exporting data from multiple systems and hoping nothing changes during the review, an automated UAR platform connects directly to your identity sources — Active Directory, cloud IAM, HR systems — and maintains a continuous, up-to-date view of who has access to what. Reviews are conducted against live data, not a snapshot that was accurate three weeks ago.
Structured Review Workflows
Access review campaigns are created within the platform and pushed directly to the relevant reviewers — managers, system owners, security leads — with built-in deadlines, reminders, and escalation paths. If a reviewer does not respond by the deadline, the system automatically escalates to their manager or triggers a defined default action. No chasing, no email threads, no version conflicts.
Each review decision — approve, revoke, or flag for further investigation — is recorded with a timestamp, the identity of the reviewer, and any notes provided. This is the audit trail that survives scrutiny.
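The workflow just described (an assigned reviewer, a deadline, automatic escalation to the reviewer's manager, and a defined default action when nobody answers) is small enough to show as a state machine. The code below is an added example, not Cloudanix code or a description of its product internals: it models a campaign in which only the current assignee can decide an item, overdue items climb the reporting line, and an item that reaches the top of the chain unanswered gets the default action applied and logged with a timestamp. The reporting lines, users and dates are constructed sample data.

```python
"""Added example (not Cloudanix code): a review campaign with deadlines,
escalation to the manager, and a default action on non-response."""

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical reporting lines (reviewer -> manager); constructed sample.
MANAGER_OF = {"m.rossi": "d.kim", "d.kim": "ciso"}

VALID_DECISIONS = ("approve", "revoke", "flag")


@dataclass
class ReviewItem:
    user: str
    system: str
    reviewer: str                 # current assignee; changes on escalation
    due: datetime
    decision: Optional[str] = None
    decided_by: Optional[str] = None
    decided_at: Optional[datetime] = None
    history: list = field(default_factory=list)   # (timestamp, event) pairs


class Campaign:
    def __init__(self, items, escalation_grace=timedelta(days=7), default_action="revoke"):
        self.items = items
        self.grace = escalation_grace
        self.default_action = default_action

    def decide(self, item, reviewer, decision, now):
        """Record a decision; only the current assignee may make it."""
        if reviewer != item.reviewer:
            raise PermissionError(f"{reviewer} is not the assigned reviewer")
        if decision not in VALID_DECISIONS:
            raise ValueError(decision)
        item.decision, item.decided_by, item.decided_at = decision, reviewer, now
        item.history.append((now.isoformat(), f"{reviewer}:{decision}"))

    def tick(self, now):
        """Advance the clock: escalate overdue items, apply the default at the top."""
        for it in self.items:
            if it.decision is not None or now <= it.due:
                continue
            manager = MANAGER_OF.get(it.reviewer)
            if manager:
                it.history.append((now.isoformat(), f"escalated {it.reviewer}->{manager}"))
                it.reviewer, it.due = manager, now + self.grace
            else:
                # No one left to escalate to: apply the defined default and log it.
                it.decision, it.decided_by, it.decided_at = self.default_action, "system-default", now
                it.history.append((now.isoformat(), f"default:{self.default_action}"))

    def status(self):
        done = sum(1 for i in self.items if i.decision is not None)
        return {"done": done, "open": len(self.items) - done}


def demo():
    """Constructed scenario: one item is decided on time, one is never answered."""
    t0 = datetime(2024, 6, 1, tzinfo=timezone.utc)
    items = [
        ReviewItem("a.patel", "payroll", "m.rossi", t0 + timedelta(days=7)),
        ReviewItem("c.nguyen", "prod-db", "m.rossi", t0 + timedelta(days=7)),
    ]
    c = Campaign(items)
    c.decide(items[0], "m.rossi", "approve", t0 + timedelta(days=2))
    c.tick(t0 + timedelta(days=8))    # item 2 overdue: escalates to d.kim, due day 15
    c.tick(t0 + timedelta(days=16))   # still silent: escalates to ciso, due day 23
    c.tick(t0 + timedelta(days=24))   # ciso has no manager: default 'revoke' applied
    return c


if __name__ == "__main__":
    c = demo()
    print(c.status())
    for it in c.items:
        print(it.user, it.system, it.decision, it.decided_by, it.history)
```

The choice of default action is a policy decision: "revoke on silence" is the safer default for privileged entitlements, while "flag" may be appropriate for standard accounts where an unexpected revocation would cause an outage. Either way the item never stays silently open, which is the property a spreadsheet cannot enforce.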
Self-Service Access Requests with Multi-Level Approvals
Modern UAR platforms also handle the access request side of the equation. When a user needs access to a system, they submit a request through the platform. The request routes to the appropriate approvers — the system owner, the user’s manager, or a security team depending on the sensitivity level. Every step is documented.
This closes the loop between access being granted and access being reviewed — everything flows through the same system. This is the same principle behind Just-in-Time access: granting the right access, for the right time, with full accountability.
Compliance Reporting Built In
One-click reports mapped to specific compliance frameworks eliminate the manual work of translating review outcomes into audit evidence. Instead of spending days formatting spreadsheet data into a format auditors can use, the report is generated in minutes and is already structured to the requirements of ISO 27001, SOC 2, PCI-DSS, or Cyber Essentials.
Cloudanix generates UAR reports mapped directly to ISO 27001, SOC 2, PCI-DSS, and Cyber Essentials — giving compliance officers audit-ready evidence without any manual reformatting. The reports capture not just what was reviewed, but who reviewed it, what was decided, and when — meeting the documentation requirements these frameworks require.
Automated Review Cycles with Escalations
Cloudanix automates the entire review cycle — scheduling reviews at the required frequency, notifying reviewers, tracking completion status in real time, and escalating non-responses automatically. Security managers get a live dashboard showing exactly where each review stands, rather than spending hours manually chasing status updates.
Identity Integration
Connecting to your identity sources is what makes automated UAR work. The platform needs to know who your users are, what access they have, and when that access changes.
Cloudanix integrates with Azure Entra ID to read identity data; live role synchronization is currently in active development. For organizations already using Entra ID as their primary identity provider, this means your UAR campaigns can draw on identity data directly from the source — reducing the manual export step that introduces stale data in spreadsheet-based processes.
Excel vs. Automated UAR — Side by Side
The difference between spreadsheet-based and automated UAR is not marginal. Across every dimension that matters for security and compliance, the gap is significant.
| Factor | Excel UAR | Automated UAR |
|---|---|---|
| Data freshness | Stale snapshot at export time | Real-time, always current |
| Audit trail | Minimal — who changed what is unclear | Complete — every action timestamped |
| Review time | Weeks for large organizations | Hours with automated workflows |
| Compliance mapping | Manual — done separately post-review | Automated — reports generated per framework |
| Error rate | High — copy-paste, version conflicts | Near zero — single source of truth |
| Scalability (5,000+) | Breaks down — unmanageable at scale | Seamless — designed for enterprise scale |
| Orphaned account detection | Missed between cycles | Continuous, flagged immediately |
| Privilege creep tracking | Invisible across review cycles | Detected and surfaced automatically |
The argument for keeping Excel is usually familiarity and cost. The counter-argument is straightforward: the cost of a failed audit, a compliance non-conformity, or a breach that traces back to an unreviewed orphaned account is orders of magnitude higher than the investment in automating the process.
Conclusion
Excel served its purpose when organizations were smaller, compliance requirements were lighter, and access environments were simpler. That moment has passed. Today, managing access governance for 1,000 to 10,000 users through a shared spreadsheet is not a resource constraint — it is a risk decision. And it is one that auditors, regulators, and attackers are all paying attention to.
The shift to automated UAR is not about replacing human judgment in access decisions. Managers still review, security teams still set policy, and business context still matters. What automation removes is the manual, error-prone scaffolding around those decisions — the exports, the email chains, the version conflicts, and the gaps in the audit trail that those processes inevitably create.
If your UAR process still runs on spreadsheets, the question is not whether to change it — it is how quickly you can.
See How Your UAR Process Stacks Up: Book a free access review assessment with Cloudanix — get a clear picture of where your current process has gaps, what your audit exposure looks like, and what a structured UAR program would look like for your organization.