Annual recheck workflow
Demonstrate that security controls, access rights, and compliance posture are systematically reviewed and validated at least annually through documented workflows that produce traceable evidence of completion and remediation.
Description
What this control does
Annual recheck workflows are automated or semi-automated processes that re-verify security controls, user access rights, system configurations, or compliance posture at a defined yearly interval. A typical workflow triggers review tasks, collects fresh evidence, compares the current state against the approved baseline or policy requirement, and produces a report for remediation or approval. Controls drift over time with changes in personnel, technology stack, threat landscape, and business processes; the recheck does not prevent that drift, but it detects it and bounds how long it can go unnoticed, and the records it leaves behind are the auditable evidence of periodic validation.
Control objective
What auditing this proves
Demonstrate that security controls, access rights, and compliance posture are systematically reviewed and validated at least annually through documented workflows that produce traceable evidence of completion and remediation.
Associated risks
Risks this control addresses
- Undetected privilege creep where users accumulate excessive access rights over time without periodic review
- Configuration drift causing security controls to deviate from approved baselines without detection
- Stale or orphaned accounts remaining active after personnel changes or role transitions
- Expired or outdated security configurations persisting beyond their intended lifecycle
- Compliance gaps emerging from changes in regulatory requirements or organizational policy not reflected in controls
- Audit findings or corrective actions from prior reviews not being implemented or verified
- Lack of evidence to demonstrate due diligence and continuous monitoring during regulatory audits or breach investigations
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's documented annual recheck workflow policy and schedule, identifying which controls, access rights, and systems are subject to annual review.
- Request the workflow automation configuration or procedure documentation showing trigger mechanisms, task assignments, notification processes, and escalation paths.
- Select a representative sample of at least 10 controls or access review cycles from the most recent annual recheck period.
- For each sampled item, retrieve the workflow execution logs, task completion records, reviewer sign-offs, and timestamp data to verify the recheck occurred.
- Examine the evidence collected during each sampled recheck, including snapshots, configuration exports, access reports, or attestations, and verify it demonstrates actual validation activity.
- Compare findings from the annual rechecks against baseline or policy requirements to confirm discrepancies were identified and documented.
- Review remediation tracking records or change tickets to verify that identified gaps or deviations resulted in corrective actions with documented resolution.
- Interview the process owner or responsible personnel to confirm workflow continuity, coverage completeness, and handling of exceptions or missed deadlines.
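The following is an added illustration, not part of the original page or any organisation's tooling, of the two halves described above: the recheck itself (re-verify current access against an approved baseline and record dated, hash-anchored evidence) and the auditor's testing procedure run over a sample of such evidence records (interval kept, reviewer sign-off present and dated after the run, every finding tracked to a closed ticket). All users, roles, cycle identifiers, ticket numbers and dates are constructed, and the 365-day reading of "at least annually" is an assumption; substitute your own policy's interval.

```python
"""Annual access recheck and evidence audit (illustrative, constructed data)."""
from datetime import date
import hashlib
import json

# --- Constructed sample inputs: hypothetical users, roles and HR feed ---
APPROVED_BASELINE = {          # roles approved at the last review
    "alice": {"dev", "prod-read"},
    "bob": {"dev"},
    "carol": {"finance-ro"},
}
CURRENT_ENTITLEMENTS = {       # what the directory reports today
    "alice": {"dev", "prod-read", "prod-admin"},   # picked up an extra role
    "bob": {"dev"},
    "carol": {"finance-ro"},                       # carol has left; account still active
    "dave": {"dev"},                               # never approved at a review
}
ACTIVE_STAFF = {"alice", "bob", "dave"}            # HR system of record

MAX_GAP_DAYS = 365  # assumed reading of "at least annually"


def recheck_access(baseline, current, active_staff):
    """One finding per deviation from the baseline: orphaned accounts,
    accounts with no approved entry, and roles beyond those approved."""
    findings = []
    for user, roles in sorted(current.items()):
        if user not in active_staff:
            findings.append({"user": user, "type": "orphaned_account",
                             "detail": sorted(roles)})
        elif user not in baseline:
            findings.append({"user": user, "type": "unapproved_account",
                             "detail": sorted(roles)})
        elif roles - baseline[user]:
            findings.append({"user": user, "type": "privilege_creep",
                             "detail": sorted(roles - baseline[user])})
    return findings


def evidence_record(cycle_id, run_date, findings, snapshot):
    """Evidence of one recheck: when it ran, a hash of the canonical snapshot
    it examined (so a later export can be tied to this run), and its findings.
    Reviewer sign-off and remediation tickets are filled in afterwards."""
    canonical = json.dumps({u: sorted(r) for u, r in snapshot.items()},
                           sort_keys=True)
    return {
        "cycle_id": cycle_id,
        "run_date": run_date.isoformat(),
        "snapshot_sha256": hashlib.sha256(canonical.encode()).hexdigest(),
        "findings": findings,
        "reviewer": None,
        "signed_off": None,       # ISO date of reviewer sign-off
        "remediation": {},        # finding index -> {"ticket": ..., "status": ...}
    }


def audit_evidence(records, as_of, max_gap_days=MAX_GAP_DAYS):
    """Apply the testing procedure to a sample of evidence records.
    Returns the exceptions an auditor would raise; an empty list is clean."""
    issues = []
    previous = None
    for rec in sorted(records, key=lambda r: r["run_date"]):
        run = date.fromisoformat(rec["run_date"])
        cid = rec["cycle_id"]
        if previous is not None and (run - previous).days > max_gap_days:
            issues.append(f"{cid}: {(run - previous).days} days since the previous recheck")
        previous = run
        if not rec["reviewer"] or not rec["signed_off"]:
            issues.append(f"{cid}: no reviewer sign-off")
        elif date.fromisoformat(rec["signed_off"]) < run:
            issues.append(f"{cid}: sign-off dated before the recheck ran")
        for idx, finding in enumerate(rec["findings"]):
            ticket = rec["remediation"].get(idx)
            what = f"{finding['type']} for {finding['user']}"
            if ticket is None:
                issues.append(f"{cid}: finding {idx} ({what}) has no remediation ticket")
            elif ticket["status"] != "closed":
                issues.append(f"{cid}: finding {idx} ({what}) still open in {ticket['ticket']}")
    if previous is not None and (as_of - previous).days > max_gap_days:
        issues.append(f"latest recheck is {(as_of - previous).days} days old as of {as_of}")
    return issues


def run_demo():
    """Two review cycles on the constructed data; returns the auditor's exceptions."""
    prior = evidence_record("AR-2023", date(2023, 3, 1), [], APPROVED_BASELINE)
    prior.update(reviewer="sec-lead", signed_off="2023-03-03")

    findings = recheck_access(APPROVED_BASELINE, CURRENT_ENTITLEMENTS, ACTIVE_STAFF)
    latest = evidence_record("AR-2024", date(2024, 3, 15), findings, CURRENT_ENTITLEMENTS)
    latest.update(reviewer="sec-lead", signed_off="2024-03-18")
    latest["remediation"] = {0: {"ticket": "CHG-1001", "status": "closed"},
                             1: {"ticket": "CHG-1002", "status": "closed"}}
    # Finding 2 (dave) was never ticketed, and 380 days elapsed between the
    # two cycles: both should surface as audit exceptions.
    return audit_evidence([latest, prior], as_of=date(2024, 12, 31))


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Two design points worth keeping when adapting this: the snapshot hash is computed over a canonical (sorted) serialisation so that the same export always yields the same digest, and the audit check deliberately sorts records by run date rather than by cycle identifier, so a cycle that was labelled correctly but run late still shows up as an interval breach.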
Where this control is tested