Finance · Easy

The Quarterly Access Review

Northbridge Capital is a 180-person Australian fintech offering buy-now-pay-later services. Their information security policy states that "all privileged user accounts must be reviewed quarterly by the system owner, with the review documented in the access register." The control was written in 2021 and approved by the Risk Committee.

When the policy was implemented, the IT team set up calendar reminders, created a shared SharePoint review template, and trained the original three system owners. The first three quarterly reviews ran cleanly. However, in 2023, two of the original system owners left and were replaced. The new owners were never trained on the access-review process. Calendar reminders kept firing, but the new owners marked them as "done" without performing the review. The SharePoint register shows a complete and signed-off audit trail for every quarter.

An external auditor sampled three quarters of access reviews in 2024 and confirmed all were "completed and documented." Six months later, an internal incident revealed that a former contractor had retained privileged database access for fourteen months after their contract ended.

Your task

Identify two stages of the Drift Model where this scenario shows clear drift, and justify each.

Pick two different stages and write at least 20 characters for each.