This post provides a practical, step-by-step Identity and Access Management (IAM) audit process tailored to Compliance Framework — ECC 2:2024 Control 2-2-4 so you can verify account lifecycle controls, least-privilege enforcement, privileged access monitoring, and logging are implemented and effective in your environment.
Understand Control 2-2-4 and define scope
Control 2-2-4 in the Compliance Framework expects organizations to regularly verify that user accounts and privileges are provisioned, reviewed, and revoked according to policy. Begin by defining scope: include all identity stores (Active Directory, Azure AD, Google Workspace, AWS IAM, LDAP), privileged accounts (domain admins, cloud root, DBAs), service accounts, and accounts on critical servers and SaaS applications. For a small business (25–200 employees) the scope commonly includes on-prem AD, Microsoft 365/Azure AD, the primary cloud provider, and core SaaS apps such as Slack, Salesforce, and payroll systems.
Step-by-step IAM audit process for Compliance Framework
1) Plan and collect policy artifacts
Gather the Compliance Framework-required artifacts: IAM policy, privileged access policy, account provisioning/deprovisioning procedure, access review schedule, MFA and password policy, and log retention policy. Confirm expected review frequencies (for example, privileged accounts: quarterly; regular users: semi-annually). These artifacts are your control baseline for test evidence.
2) Inventory identity sources and map owners
Create an inventory spreadsheet listing each identity source, platform owner, number of active accounts, and the channel used for provisioning (HR system, manual, SCIM). For small businesses this is often a single AD domain and one cloud tenant — make sure you list service accounts separately and identify who is authorized to create them.
3) Perform automated and manual evidence collection
Run queries and exports from each identity store to collect: user last logon, account enabled/disabled flags, group memberships, admin role assignments, MFA enrollment state, and access key usage. Example PowerShell for on-prem AD stale accounts:
# Requires the RSAT ActiveDirectory module. LastLogonDate is derived from lastLogonTimestamp, which replicates only every 9-14 days, so treat the 90-day cut-off as approximate.
Import-Module ActiveDirectory
Get-ADUser -Filter * -Properties LastLogonDate,Enabled |
Where-Object {$_.Enabled -eq $true -and ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt (Get-Date).AddDays(-90))} |
Select-Object Name,SamAccountName,LastLogonDate
For AWS IAM, check each user's access key last used:
# get-access-key-last-used takes an access key id, not a user name, so enumerate each user's keys first
aws iam list-users --query 'Users[].UserName' --output text | tr '\t' '\n' |
xargs -I{} aws iam list-access-keys --user-name {} --query 'AccessKeyMetadata[].AccessKeyId' --output text | tr '\t' '\n' |
xargs -I{} aws iam get-access-key-last-used --access-key-id {}
For Azure AD sign-ins and MFA status, use the Microsoft Graph sign-in and authentication-methods reports (for example through the Microsoft Graph PowerShell SDK) to extract lastSignInDateTime and each user's registered authentication methods; the older AzureAD and MSOnline PowerShell modules are deprecated and should not be the basis for new audit tooling.
4) Validate provisioning & deprovisioning workflows
Interview HR and IT staff and review ticketing system logs for onboarding and termination events for a sample of users (at least 10% or 10 users, whichever is greater). Confirm that termination in HR triggers an automated or documented deprovisioning action within the timeframe required by Compliance Framework (typically within 24–48 hours for leavers). For recurring contractor accounts verify expiry dates and whether access is automatically removed when contracts end.
5) Review privileged access and role membership
Extract admin role assignments (Domain Admins, Global Admins, AWS root/AdministratorAccess, DB sysadmins). Verify no more than the documented number of privileged users exist, that emergency/temporary elevated access is logged and time-boxed, and that shared accounts are eliminated or tightly controlled. For small businesses, aim for a maximum of 2–3 Global/Admin roles and require break-glass procedures for the root account (stored securely in a vault with access audit).
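Added example (not code from the original post): a Python helper that applies the checks from steps 3 to 5 to exported evidence, using the thresholds stated above (90-day inactivity, 48-hour leaver deprovisioning, a documented ceiling on admin role holders). The account records, HR terminations and disable events are constructed sample input, and the check labels are descriptive names chosen here, not official sub-clause identifiers of Control 2-2-4.

```python
from datetime import datetime, timedelta

# Thresholds from the steps above (90-day inactivity, 24-48 h leaver SLA, 2-3 admins); set to your own policy values
STALE_DAYS = 90
DEPROVISION_HOURS = 48
MAX_PRIVILEGED = 2

def audit_accounts(accounts, hr_terminations, disable_events, now):
    """Return (check, account, detail) findings for a Control 2-2-4 review.
    accounts: dicts with name, enabled, last_logon (datetime or None), mfa, interactive, privileged, shared.
    hr_terminations / disable_events: {name: datetime} from the HR system and the directory audit log."""
    findings = []
    cutoff = now - timedelta(days=STALE_DAYS)
    for a in accounts:
        if not a["enabled"]:
            continue  # already-disabled accounts are reviewed for deletion separately, not flagged here
        if a["last_logon"] is None or a["last_logon"] < cutoff:
            findings.append(("lifecycle", a["name"], "enabled but stale or never logged on"))
        if a["interactive"] and not a["mfa"]:
            findings.append(("mfa", a["name"], "interactive account without MFA"))
        if a["privileged"] and a["shared"]:
            findings.append(("privileged", a["name"], "shared privileged account"))
    priv = sorted(a["name"] for a in accounts if a["enabled"] and a["privileged"])
    if len(priv) > MAX_PRIVILEGED:
        findings.append(("privileged", ",".join(priv), f"{len(priv)} privileged accounts exceeds documented maximum of {MAX_PRIVILEGED}"))
    for name, left in hr_terminations.items():
        disabled = disable_events.get(name)
        if disabled is None:
            findings.append(("deprovisioning", name, "leaver still not disabled"))
        elif disabled - left > timedelta(hours=DEPROVISION_HOURS):
            hours = (disabled - left).total_seconds() / 3600
            findings.append(("deprovisioning", name, f"disabled {hours:.0f} h after HR termination"))
    return findings

# Constructed sample evidence (not real accounts); the audit timestamp is fixed so results are reproducible
NOW = datetime(2024, 6, 1, 9, 0)
SAMPLE_ACCOUNTS = [
    {"name": "alice", "enabled": True, "last_logon": NOW - timedelta(days=3), "mfa": True, "interactive": True, "privileged": True, "shared": False},
    {"name": "bob", "enabled": True, "last_logon": NOW - timedelta(days=120), "mfa": False, "interactive": True, "privileged": False, "shared": False},
    {"name": "svc-backup", "enabled": True, "last_logon": None, "mfa": False, "interactive": False, "privileged": True, "shared": True},
    {"name": "carol", "enabled": False, "last_logon": NOW - timedelta(days=200), "mfa": True, "interactive": True, "privileged": False, "shared": False},
    {"name": "erin", "enabled": True, "last_logon": NOW - timedelta(days=1), "mfa": True, "interactive": True, "privileged": True, "shared": False},
]
SAMPLE_HR_TERMINATIONS = {"carol": datetime(2024, 5, 20, 17, 0), "dave": datetime(2024, 5, 28, 12, 0)}
SAMPLE_DISABLE_EVENTS = {"carol": datetime(2024, 5, 24, 9, 0)}  # 88 h after HR termination

def run_sample():
    return audit_accounts(SAMPLE_ACCOUNTS, SAMPLE_HR_TERMINATIONS, SAMPLE_DISABLE_EVENTS, NOW)
```

Each tuple returned by run_sample() maps directly onto a row of the findings report described under remediation (check, affected account, detail), with owner and target date added by hand.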
Technical checks, logging and evidence to collect
Collect audit logs for at least the lookback period required by Compliance Framework — typical minimums are 90 days for sign-ins and 12 months for privileged actions. Check that authentication events, privilege elevation, and account changes are forwarded to a central log store or SIEM. Example log checks: confirm Conditional Access/MFA failures, privileged role activation events (Azure PIM), file permission changes for sensitive shares, and SSH key additions. If you have no SIEM, export logs to an immutable storage bucket with access controls and retention policy as evidence.
Remediation, reporting and compliance tips
Document findings in a report mapping each issue to the specific clause in Control 2-2-4 and include risk, priority, recommended remediation, owner, and target date. Typical remediation actions: revoke unused admin accounts, enforce MFA for all interactive accounts, rotate or disable unused API keys, implement RBAC and remove wildcard permissions, and automate deprovisioning. Compliance tips for small businesses: enforce SCIM provisioning for SaaS apps to minimize manual errors, enable conditional access policies to require compliant devices, and adopt a cloud-based PAM (privileged access management) or just-in-time access for small privilege pools.
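Added helper (not part of the original post) for the "remove wildcard permissions" remediation item: it scans an AWS IAM policy document for Allow statements that grant wildcard actions or resources, treating Deny statements and path wildcards inside a scoped ARN as acceptable. The policy document below is constructed sample input.

```python
import json

def _as_list(v):
    # IAM allows Action/Resource/Statement to be a single string or a list; normalise to a list
    return v if isinstance(v, list) else [v]

def find_wildcard_statements(policy_doc):
    """Return (sid, severity, reason) for over-broad Allow statements in an IAM policy document."""
    findings = []
    for i, st in enumerate(_as_list(policy_doc.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue  # a Deny with "*" restricts access, it does not grant it
        sid = st.get("Sid", f"statement[{i}]")
        wild_actions = [a for a in _as_list(st.get("Action", [])) if "*" in a]
        all_resources = "*" in _as_list(st.get("Resource", []))  # only a bare "*", not "arn:...:bucket/*"
        if "NotAction" in st:
            findings.append((sid, "high", "NotAction allows every action except those listed"))
        if wild_actions and all_resources:
            findings.append((sid, "high", "wildcard action " + ",".join(wild_actions) + " on Resource *"))
        elif wild_actions:
            findings.append((sid, "medium", "wildcard action " + ",".join(wild_actions) + " on scoped resources"))
        elif all_resources:
            findings.append((sid, "low", "specific actions but Resource *; confirm the actions need it"))
    return findings

# Constructed sample policy, not taken from any real account
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadOwnBucket", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "BroadEc2", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Sid": "DenyDelete", "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}
  ]
}""")

def run_sample():
    return find_wildcard_statements(SAMPLE_POLICY)
```

Feed it the output of aws iam get-policy-version (the Document field) for each customer-managed policy to get a list of statements to tighten before the next review cycle.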
Risks of not implementing Control 2-2-4
Failure to perform these IAM audits exposes the organization to orphaned or over-privileged accounts, credential misuse, lateral movement after compromise, regulatory non-compliance and potential fines, and disrupted business operations from delayed terminations. For small businesses the biggest practical risk is a compromised account with cloud or admin privileges leading to data theft, ransomware deployment, or billing fraud that can be materially damaging.
Summary: Implementing Control 2-2-4 is operationally achievable for small businesses by scoping your identity sources, collecting policy artifacts, running targeted technical queries (PowerShell/AWS CLI/Microsoft Graph), validating onboarding/offboarding workflows, reviewing privileged access, ensuring centralized logging, and producing a remediation-driven report mapped to the Compliance Framework. Regular (quarterly) audits, automation of provisioning/deprovisioning, and enforcing MFA and least privilege will keep you compliant and reduce risk.