What a Systems and Access Cleanup actually delivers
The report is the product. It turns "who can access our systems?" into a findings table with evidence, risk, actions, owners, and a sequenced plan your team can approve in one sitting. Everything below uses hypothetical data and shows the real structure of the Systems and Access Cleanup deliverable.
The ten finding categories
Every audit reports against the same categories, so nothing gets skipped and you can compare audits over time. Findings can be mapped to CIS-style baseline controls where applicable; the audit is not a compliance certification and does not claim to be one.
1. Stale users
Ex-employees, finished contractors, and dormant accounts that can still sign in or hold paid licenses.
2. Admin role sprawl
Super admins, delegated admins, and privileged roles measured against what each job actually requires.
3. External sharing
Files, folders, and drives shared outside the organization or open to anyone with the link.
4. File ownership
Documents and drives owned by departed users, personal accounts, or the wrong departments.
5. Shared inbox access
Delegates, forwarding rules, and send-as permissions that accumulated without review.
6. OAuth and connected apps
Third-party grants to mail, files, calendars, and CRMs, including apps from tools you stopped using.
7. Contractors and vendors
External accounts, guest access, and client-side access held by your team in other people's systems.
8. Automation ownership
Zapier, Make, and n8n workflows, service accounts, and API keys with unclear or departed owners.
9. AI tools and app access
Assistants, agents, meeting bots, and extensions connected to business data, with scopes and approvers.
10. Offboarding gaps
What the current departure process misses, rewritten as a repeatable checklist for your actual stack.
Sample findings table
Hypothetical rows shown for structure. Real findings carry evidence references and are specific to your environment.
| Category | Finding | Recommended action | Effort | Owner | Risk | Notes |
|---|---|---|---|---|---|---|
| Stale users | Former employee account active with mail and drive access, 94 days after departure | Disable sign-in, transfer file ownership, reclaim license | Low | Workspace admin | High | Owns 212 files used by finance |
| Admin role sprawl | Four Global Admins where one break-glass plus one owner is sufficient | Reduce roles, document break-glass process | Low | IT lead | High | Confirm emergency access first |
| OAuth and connected apps | Abandoned scheduling tool retains full mailbox and calendar scope for 11 users | Revoke grant org-wide after owner confirmation | Low | Operations | High | Vendor contract ended last year |
| Automation ownership | Invoice sync workflow runs under a former contractor's personal account | Recreate under named service account, rotate credentials | Medium | Ops + VXSec | Medium | Breaks silently if account is disabled first |
| AI tools and app access | Meeting bot with drive read scope, no inventory entry or named approver | Add to inventory, narrow scope, assign owner | Low | Operations | Medium | Used by sales team only |
| External sharing | Client folder shared to anyone with the link, edit access | Restrict to named users after client owner review | Low | Account lead | Medium | Verify no external workflow depends on link |
| Offboarding gaps | No documented departure checklist; last three exits handled from memory | Adopt the checklist included in this report | Low | Operations | Low | Template provided, tailored to stack |
What your team does with it
Approve in one sitting
Findings arrive pre-classified as safe, approval-needed, or dependency-check-needed, so the review meeting produces decisions.
Get it fixed
Approve the plan and VXSec implements it in a cleanup sprint. Prefer in-house? Your team gets a sequenced list with owners and dependencies, not a PDF of vague concerns.
Fix the process
The included offboarding checklist turns the biggest recurring source of access debt into a routine.
Keep the record
The report is a dated baseline. Useful for clients, insurers, and diligence questions that ask how access is governed.
Want this report for your systems?
The 15-minute scope check confirms your stack and team size and gives you a fixed fee. The audit is read-only, so nothing changes until you approve it.
Book a 15-minute scope check