The timing question for quarterly access reviews — whether to review at the start of a new quarter or at the end of the current one — is a practical one that has a real answer depending on your compliance framework, your operational constraints, and what your auditors are actually looking for. Both approaches are defensible. They produce different evidence and carry different operational tradeoffs.
What Does Each Approach Actually Mean in Practice?

End-of-Quarter Review (Review the Quarter Just Completed)

In this model, the review happens after the quarter closes. You’re reviewing who had access during Q1 before Q2 gets underway, or during Q2 before Q3 begins. The evidence you’re producing demonstrates that access during the prior period was appropriate. The auditor receives a report showing that at the end of Q1, someone reviewed Q1 access and confirmed or remediated it.

This approach is common in environments where the compliance requirement is framed as “demonstrate that access was appropriate during each quarter.” The review is retrospective: it looks back at a completed period.

The practical challenge with end-of-quarter reviews is that the access being reviewed already happened. If the review reveals that an overprivileged user had elevated access for the entire quarter, the risk materialized before the review could prevent it. Remediation is corrective rather than preventive.

Beginning-of-Quarter Review (Review Before the New Quarter Begins)

In this model, the review happens at the transition between quarters. Before Q2 starts, you review current access and confirm that what’s in place is appropriate going into the new period. The evidence demonstrates that access was verified before the next quarter’s activity begins.

This approach is more common when the compliance requirement is framed as “ensure access is appropriate on an ongoing basis.” The review is prospective: it confirms the current state is correct before another quarter of activity occurs.

The practical advantage of beginning-of-quarter reviews is that remediation is preventive rather than corrective. Access that shouldn’t exist is removed before it can be exercised during the next quarter. The practical challenge is timing — the review needs to be complete before quarter-start activity begins, which creates scheduling pressure that end-of-quarter reviews avoid.
Which Do Compliance Frameworks Prefer?

SOC 2

SOC 2 Type II doesn’t prescribe a specific timing model for access reviews. It requires that access reviews occur at defined, regular intervals and that the evidence demonstrates who reviewed what and what happened as a result. Both timing approaches satisfy this requirement if the cadence is consistent and the evidence is complete.

Auditors looking at a SOC 2 Type II report will examine whether the reviews happened within the defined interval and whether the evidence is substantive. The timing within the quarter is less important than the consistency of the cadence and the quality of the evidence.

ISO 27001

ISO 27001:2022 (specifically controls A.5.18 and A.8.2) requires that access rights are reviewed at regular intervals. Like SOC 2, it doesn’t prescribe a specific timing model within the review cycle. The standard requires that the review process be documented and consistently executed — which means your choice of beginning-of-quarter or end-of-quarter needs to be reflected in your access review procedure document, and you need to execute to that document consistently.

SOX

SOX has the clearest preference between the two approaches, and it leans toward the beginning-of-quarter model for financially significant systems. The SOX framing is that access controls need to be effective during the quarter, which implies that access should be verified before quarter-start rather than after quarter-end.

In practice, SOX auditors will look for evidence that access was reviewed on a schedule that aligns with the fiscal quarter, and that reviews happened close enough to the quarter boundary to be meaningful as a prospective control. A review that happens 45 days into the quarter isn’t satisfying the intent of the control even if it technically falls within the “quarterly” window.
What Happens When Reviews Span Holidays and Organizational Cycles?

This is the practical constraint that determines which approach is workable for most organizations. End-of-quarter and beginning-of-quarter are the same moment — the last days of one quarter and the first days of the next are often the busiest and least available period for the managers and application owners who need to complete reviews. If your quarterly cadence puts reviews at December 31/January 1, June 30/July 1, or September 30/October 1, you’re scheduling reviews during holiday periods and fiscal year-end crunches when reviewers are least available.

The practical mitigation is to build the review launch into a consistent schedule that gives reviewers adequate time within the quarter rather than treating the quarter boundary as the review window. A review that launches on the 15th of the last month of the quarter and closes by the last day gives reviewers two weeks without placing the burden at the exact moment of maximum organizational distraction. The evidence records the close date, which falls within the quarter boundary.
How Do You Set Up a Recurring Cadence That Actually Runs?

The access review cadence that actually runs consistently has these characteristics:

Fixed launch dates, not variable ones. “The first Monday after quarter-end” produces a different date every quarter. “The 15th of March, June, September, and December” produces the same dates every year. Fixed dates are easier to schedule resources against, easier to track compliance with, and easier to explain to auditors.

Fixed review windows with enforced deadlines. A 30-day review window with automatic escalation for non-responsive reviewers is more reliable than an open-ended review that closes when everyone has responded. Reviewers who know there’s a deadline respond differently than reviewers who know the review will just sit open.

Automated launch, not manual launch. A review campaign that requires a human to remember to start it will eventually not get started. Governance platforms that support scheduled campaign launch — the campaign begins on the configured date without manual intervention — are how you get a review program that actually runs quarterly for three years without a miss.

Evidence that records the launch date, close date, and completion status. The audit evidence needs to show that the review happened within the required interval. Campaign metadata that records when the review launched and when it closed is the straightforward way to demonstrate this.
What Should the Evidence Package Capture?

For either timing approach, the quarterly access review evidence package needs to include:

- The review period — whether this is a retrospective review of Q1 or a prospective review before Q2 should be documented explicitly.
- Reviewer decisions for each access record, with timestamps.
- Remediation actions taken and completion confirmation for any access that was revoked or modified.
- Campaign completion metadata: when the review launched, when it closed, what percentage of reviewers responded within the window, and what happened to access that wasn’t reviewed within the deadline.
- A non-editable format. Quarterly reviews produce four evidence packages per year, and the cumulative evidence record is what auditors examine during a SOC 2 Type II or ISO 27001 surveillance audit. Each package needs to be in a format that demonstrates it wasn’t modified after the fact — system-generated PDF reports with timestamps satisfy this; spreadsheets do not.
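The following Python is an added example, not code from the article or from any governance platform it refers to. It sketches the mechanics of the two preceding sections: fixed launch dates (and the "first Monday after quarter-end" rule shown only to demonstrate its drift), a review window whose deadline drives reminders before close and escalation plus fail-closed revocation of unreviewed access after close, and campaign metadata sealed with a SHA-256 digest so that any later edit to the stored package is detectable. Every user, system, reviewer and date below is constructed.

```python
"""Quarterly access-review campaign: fixed schedule, deadline enforcement and
sealed evidence metadata. Added example; all reviewers, users, systems and dates
below are constructed, not taken from any real programme."""
from __future__ import annotations

import calendar
import hashlib
import json
from dataclasses import dataclass
from datetime import date, timedelta

LAUNCH_MONTHS = (3, 6, 9, 12)  # last month of each calendar quarter
LAUNCH_DAY = 15                # fixed launch day: identical dates every year


def campaign_schedule(year: int) -> list[tuple[date, date]]:
    """Launch on the 15th of the quarter's last month, close on the quarter's last day."""
    return [
        (date(year, m, LAUNCH_DAY), date(year, m, calendar.monthrange(year, m)[1]))
        for m in LAUNCH_MONTHS
    ]


def first_monday_after(d: date) -> date:
    """The variable 'first Monday after quarter-end' rule, shown only to contrast its drift."""
    return d + timedelta(days=(7 - d.weekday()) % 7 or 7)  # weekday(): Monday == 0


@dataclass(frozen=True)
class AccessRecord:
    user: str
    system: str
    entitlement: str
    reviewer: str
    decision: str | None = None    # "approve", "revoke", or None when unanswered
    decided_at: date | None = None


def evaluate_campaign(launch: date, close: date, records: list[AccessRecord],
                      today: date) -> dict:
    """Completion metadata for one campaign. A record counts as reviewed only if a
    decision was recorded inside the window; after the deadline, anything still
    unreviewed is listed for revocation rather than silently left in place."""
    reviewed = [r for r in records
                if r.decision and r.decided_at and launch <= r.decided_at <= close]
    unreviewed = [r for r in records if r not in reviewed]
    non_responsive = sorted({r.reviewer for r in unreviewed})
    if today <= close:
        status = "open"
    elif unreviewed:
        status = "closed_with_exceptions"
    else:
        status = "complete"
    return {
        "launch": launch.isoformat(),
        "close": close.isoformat(),
        "evaluated_on": today.isoformat(),
        "status": status,
        "total_records": len(records),
        "reviewed_in_window": len(reviewed),
        "response_pct": round(100 * len(reviewed) / len(records), 1) if records else 100.0,
        # before close, non-responsive reviewers get reminders; after close they are escalated
        "remind": non_responsive if today <= close else [],
        "escalate": non_responsive if today > close else [],
        "revoke_pending": [f"{r.user}@{r.system}:{r.entitlement}" for r in unreviewed]
        if today > close else [],
        "decisions": [
            {"user": r.user, "system": r.system, "entitlement": r.entitlement,
             "reviewer": r.reviewer, "decision": r.decision,
             "decided_at": r.decided_at.isoformat() if r.decided_at else None}
            for r in records
        ],
    }


def seal_evidence(package: dict) -> str:
    """SHA-256 over canonical JSON; re-hashing a stored package exposes later edits."""
    canonical = json.dumps(package, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def verify_evidence(package: dict, digest: str) -> bool:
    return seal_evidence(package) == digest


# Constructed Q1 campaign: alice answered inside the window, bob did not.
Q1_LAUNCH, Q1_CLOSE = campaign_schedule(2025)[0]
SAMPLE_RECORDS = [
    AccessRecord("jdoe", "erp-prod", "AP_Approver", "alice", "approve", date(2025, 3, 18)),
    AccessRecord("mlee", "erp-prod", "GL_Admin", "alice", "revoke", date(2025, 3, 20)),
    AccessRecord("rkim", "payroll", "Payroll_Edit", "bob", "approve", date(2025, 4, 2)),
    AccessRecord("tvu", "payroll", "Payroll_Read", "bob"),
]
Q1_MID_WINDOW = evaluate_campaign(Q1_LAUNCH, Q1_CLOSE, SAMPLE_RECORDS, date(2025, 3, 20))
Q1_AFTER_CLOSE = evaluate_campaign(Q1_LAUNCH, Q1_CLOSE, SAMPLE_RECORDS, date(2025, 4, 3))

if __name__ == "__main__":
    print(json.dumps(Q1_AFTER_CLOSE, indent=2))
    print("digest:", seal_evidence(Q1_AFTER_CLOSE))
```

The digest stands in for the "non-editable format" requirement: store the package and its digest separately (or sign the digest), and an auditor can recompute it to confirm nothing was changed after the campaign closed. A decision recorded after the close date, like rkim's here, deliberately does not count toward the window, which is what makes the deadline enforceable.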
The Practical Recommendation

For most organizations, beginning-of-quarter is the more defensible approach for high-risk and financially significant systems, because it frames the review as a prospective control — verifying that access is appropriate before the quarter’s activity begins. End-of-quarter works for lower-risk applications where the retroactive framing is acceptable.

The specific choice matters less than consistency: pick one approach for each tier of systems, document it in your access review procedure, and execute to it consistently across all four quarters. An auditor reviewing three years of quarterly access review evidence will care more about whether you executed your documented procedure consistently than about whether you chose beginning-of-quarter or end-of-quarter as your timing model. Both are defensible. Inconsistency is not.