Are vendor user accounts and integrations reviewed at the same cadence as employees?
Description
What this control does
This control requires that vendor user accounts, vendor-owned service accounts, API keys, and third-party integrations (including OAuth applications) undergo periodic access reviews at the same frequency as internal employee accounts. Organizations often run quarterly or semi-annual user access reviews for employees but leave vendor credentials out of scope, which leaves orphaned, and frequently privileged, access in place. Vendor accounts are usually provisioned outside the HR-driven joiner, mover and leaver workflow, so nothing automatically triggers deprovisioning when a contract ends or a project closes; the periodic review is often the only control that catches them. The control ensures that vendor access is inventoried, validated against a current business need and a named internal owner, and revoked when no longer required, treating external entities with the same rigor as internal users.
Control objective
What auditing this proves
Demonstrate that vendor user accounts, service accounts, and third-party integrations are subject to the same documented access review process and cadence as employee accounts.
Associated risks
Risks this control addresses
- Former vendor personnel retain active credentials after contract termination or project completion, enabling unauthorized system access
- Vendor service accounts with excessive privileges persist indefinitely without business justification or ownership accountability
- API keys and OAuth tokens granted to third-party integrations remain active after the business relationship ends or the integration is deprecated
- Vendor accounts bypass multi-factor authentication or other controls enforced on employee accounts because they are provisioned through a separate workflow, for example created directly in an application rather than through the identity provider
- Lack of centralized inventory prevents detection of shadow IT integrations or unofficial vendor access arrangements
- Vendors accumulate privileges across successive projects and change requests (privilege creep) because entitlements are granted per engagement but never reviewed as a whole
- Compliance findings arise when vendor access reviews are incomplete, or when their evidence is retained for a shorter period than employee review evidence, so the reviews cannot be demonstrated for the full audit period
Testing procedure
How an auditor verifies this control
- Obtain the organization's user access review policy or procedure document and identify the documented review cadence for employee accounts
- Request the complete inventory of vendor user accounts, service accounts, API credentials, and third-party integrations across all systems and applications, and reconcile it against identity provider, cloud IAM and OAuth application exports so the sample is not drawn from an incomplete list
- Identify the process and documented cadence for vendor access reviews, including responsible parties and approval workflows
- Select a representative sample of vendor accounts from the inventory spanning at least three review cycles and multiple system types
- Examine access review records for sampled vendor accounts and verify reviews occurred at the same frequency as employee reviews during the audit period
- Compare vendor review timestamps against employee review completion dates to confirm alignment of cadence
- Interview the access management team to confirm vendor accounts are included in the same tools, workflows, and reporting as employee accounts
- Validate that vendor accounts lacking recent reviews within the prescribed cadence were either deactivated or have documented exception approvals with business justification
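The cadence comparison in the last four steps is easy to do by hand for a dozen accounts and error-prone for a few hundred. The script below is an added example, not part of the original control text or of any audit tool: it derives the employee cadence from employee review completion dates, then walks each vendor account's review history and reports the first interval in which the account was active but unreviewed for longer than that cadence, classifying the outcome the way the final testing step does (in cadence, deactivated, covered by a documented exception, or out of cadence). All dates, account names, systems and the exception reference are constructed sample data; the 14-day tolerance and the choice to measure cadence as the longest gap between consecutive employee review cycles are assumptions to adjust to the organization's own policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample data (not from any real organization): completion dates of
# the employee quarterly review cycle, the audit period under test, and a
# hypothetical vendor inventory covering several account kinds and systems.
EMPLOYEE_REVIEW_DATES = [
    date(2024, 1, 15), date(2024, 4, 12), date(2024, 7, 16), date(2024, 10, 14),
]
AUDIT_PERIOD = (date(2024, 1, 1), date(2024, 12, 31))
TOLERANCE = timedelta(days=14)  # assumed grace for reviews that close a few days late


@dataclass
class VendorAccount:
    name: str
    kind: str                            # "user", "service", "api_key" or "oauth_app"
    system: str
    reviews: list                        # completion dates of access reviews, any order
    deactivated: Optional[date] = None   # date the account was disabled, if ever
    exception: Optional[str] = None      # approved, documented business justification


VENDOR_ACCOUNTS = [
    VendorAccount("acme-support-01", "user", "crm",
                  [date(2024, 1, 20), date(2024, 4, 15), date(2024, 7, 18), date(2024, 10, 16)]),
    VendorAccount("svc-backup-vendor", "service", "aws",
                  [date(2024, 1, 20)]),                                # reviewed once, then forgotten
    VendorAccount("oauth-analytics-app", "oauth_app", "google-workspace",
                  [date(2024, 2, 1), date(2024, 8, 1)]),               # semi-annual, not quarterly
    VendorAccount("api-key-logistics", "api_key", "erp", []),          # never reviewed
    VendorAccount("contractor-dev-07", "user", "github",
                  [date(2024, 1, 18)], deactivated=date(2024, 7, 30)), # left; account disabled
    VendorAccount("svc-legacy-sftp", "service", "sftp",
                  [date(2024, 1, 22)],
                  exception="CAB-2024-017 (hypothetical): quarterly review waived, read-only drop box"),
]


def employee_cadence(review_dates):
    """Cadence actually achieved for employees: the longest gap between
    consecutive completed employee review cycles (assumed definition)."""
    ds = sorted(review_dates)
    return max(later - earlier for earlier, later in zip(ds, ds[1:]))


def first_cadence_breach(acct, cadence, period=AUDIT_PERIOD, tolerance=TOLERANCE):
    """Return (gap_start, gap_end) for the first interval in which the account
    was active but went longer than cadence + tolerance without a review,
    or None if every interval is within the limit.

    Reviews completed before the audit period count as the starting checkpoint,
    so an account reviewed in late December is not penalised in January.
    """
    start, end = period
    if acct.deactivated:
        end = min(end, acct.deactivated)   # access ended here; nothing to review after it
    limit = cadence + tolerance
    prior = [d for d in acct.reviews if d < start]
    checkpoints = [max(prior) if prior else start]
    checkpoints += sorted(d for d in acct.reviews if start <= d <= end)
    checkpoints.append(end)
    for earlier, later in zip(checkpoints, checkpoints[1:]):
        if later - earlier > limit:
            return earlier, later
    return None


def classify(acct, cadence):
    """Map an account to the outcome the testing procedure distinguishes."""
    if first_cadence_breach(acct, cadence) is None:
        return "in_cadence"
    if acct.deactivated:
        return "deactivated"      # closed finding: the access no longer exists
    if acct.exception and acct.exception.strip():
        return "exception"        # still verify the approval record and its owner
    return "out_of_cadence"


def run_vendor_review_check(accounts=VENDOR_ACCOUNTS, employee_dates=EMPLOYEE_REVIEW_DATES):
    """Return (employee cadence, {account name: (status, breach interval or None)})."""
    cadence = employee_cadence(employee_dates)
    return cadence, {a.name: (classify(a, cadence), first_cadence_breach(a, cadence))
                     for a in accounts}


if __name__ == "__main__":
    cadence, results = run_vendor_review_check()
    print(f"employee cadence: {cadence.days} days (+{TOLERANCE.days} days tolerance)")
    for name, (status, breach) in results.items():
        detail = "" if breach is None else (
            f"  unreviewed {breach[0]} -> {breach[1]} ({(breach[1] - breach[0]).days} days)")
        print(f"{status:15} {name}{detail}")
```

Run it as-is to see the six sample outcomes; in practice replace the two constructed lists with exports from the access review tool and the vendor inventory. Note that "deactivated" and "exception" are not passes in themselves: the procedure's last step still requires the deactivation date and the exception approval to be evidenced.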