Sample deliverable

What a Systems and Access Cleanup actually delivers

The report is the product. It turns "who can access our systems?" into a findings table with evidence, risk, actions, owners, and a sequenced plan your team can approve in one sitting. Everything below uses hypothetical data and shows the real structure of the Systems and Access Cleanup deliverable.

FormatExecutive summary, findings table, sequenced cleanup plan, and offboarding checklist
Each finding includesEvidence, risk, recommended action, effort, owner, dependencies, and savings where relevant
Built forApproval in one sitting, then a VXSec Cleanup Sprint or your own team's execution

The ten finding categories

Every audit reports against the same categories, so nothing gets skipped and you can compare audits over time. Findings can be mapped to CIS-style baseline controls where applicable; the audit is not a compliance certification and does not claim to be one.

1. Stale users

Ex-employees, finished contractors, and dormant accounts that can still sign in or hold paid licenses.

2. Admin role sprawl

Super admins, delegated admins, and privileged roles measured against what each job actually requires.

3. External sharing

Files, folders, and drives shared outside the organization or open to anyone with the link.

4. File ownership

Documents and drives owned by departed users, personal accounts, or the wrong departments.

5. Shared inbox access

Delegates, forwarding rules, and send-as permissions that accumulated without review.

6. OAuth and connected apps

Third-party grants to mail, files, calendars, and CRMs, including apps from tools you stopped using.

7. Contractors and vendors

External accounts, guest access, and client-side access held by your team in other people's systems.

8. Automation ownership

Zapier, Make, and n8n workflows, service accounts, and API keys with unclear or departed owners.

9. AI tools and app access

Assistants, agents, meeting bots, and extensions connected to business data, with scopes and approvers.

10. Offboarding gaps

What the current departure process misses, rewritten as a repeatable checklist for your actual stack.

Sample findings table

Hypothetical rows shown for structure. Real findings carry evidence references and are specific to your environment.

CategoryFindingRecommended actionEffortOwnerRiskNotes
Stale usersFormer employee account active with mail and drive access, 94 days after departureDisable sign-in, transfer file ownership, reclaim licenseLowWorkspace adminHighOwns 212 files used by finance
Admin role sprawlFour Global Admins where one break-glass plus one owner is sufficientReduce roles, document break-glass processLowIT leadHighConfirm emergency access first
OAuth and connected appsAbandoned scheduling tool retains full mailbox and calendar scope for 11 usersRevoke grant org-wide after owner confirmationLowOperationsHighVendor contract ended last year
Automation ownershipInvoice sync workflow runs under a former contractor's personal accountRecreate under named service account, rotate credentialsMediumOps + VXSecMediumBreaks silently if account is disabled first
AI tools and app accessMeeting bot with drive read scope, no inventory entry or named approverAdd to inventory, narrow scope, assign ownerLowOperationsMediumUsed by sales team only
External sharingClient folder shared to anyone with the link, edit accessRestrict to named users after client owner reviewLowAccount leadMediumVerify no external workflow depends on link
Offboarding gapsNo documented departure checklist; last three exits handled from memoryAdopt the checklist included in this reportLowOperationsLowTemplate provided, tailored to stack

What your team does with it

Approve in one sitting

Findings arrive pre-classified as safe, approval-needed, or dependency-check-needed, so the review meeting produces decisions.

Get it fixed

Approve the plan and VXSec implements it in a cleanup sprint. Prefer in-house? Your team gets a sequenced list with owners and dependencies, not a PDF of vague concerns.

Fix the process

The included offboarding checklist turns the biggest recurring source of access debt into a routine.

Keep the record

The report is a dated baseline. Useful for clients, insurers, and diligence questions that ask how access is governed.

Want this report for your systems?

The 15-minute scope check confirms your stack and team size and gives you a fixed fee. The audit is read-only, so nothing changes until you approve it.

Book a 15-minute scope check