I used to work at a company where "audit season" was treated like a natural disaster. Something unavoidable that you could only prepare for so much.
Every year, sometime around March, the same pattern. Someone from compliance would send a mail that started with "As you know, our annual audit is approaching" and ended with a list of things IT needed to produce. Access reports. Evidence of review processes. Screenshots of security configurations. Documentation of change management procedures.
Every year, the team acted surprised. Every year, it was not a surprise at all.
The annual scramble
If you have been through this at a Nordic company, you know exactly what I am describing.
It starts with pulling data. Export user lists from Active Directory. Export the same from Entra ID (and hope the two match, because Entra Connect sync has a habit of being slightly off). Export group memberships from both. Export license assignments. Screenshot conditional access policies. Pull audit logs. Each system has its own export format, its own quirks, its own version of reality.
Then comes the reconciliation. Compare the exports against what is supposed to exist. The organisational chart says Sara moved to marketing four months ago. Active Directory still has her in the engineering security group, and that group synced to Entra ID, so she has cloud access she should not have either. The spreadsheet (there is always a spreadsheet) says a consultant's access was revoked in December, but the actual account is still active.
Now you need explanations. Why does this former employee still have a mailbox? Why does this group have 12 members when only 5 should be there? Why is there a conditional access policy in report-only mode that was supposed to go live last autumn?
So you start chasing people down. Managers who need to confirm their team's access. Application owners who need to verify who should have admin rights. People who are busy with their actual work and do not want to review a spreadsheet with 50 names on it.
The whole thing takes weeks. It is stressful, it is manual, and it pulls people away from things that actually move the company forward.
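The reconciliation step above is the part that eats the weeks, and most of it is mechanical. The following is an added example (not code from the original post) that joins three constructed exports, an HR list, an AD export and an Entra ID export, and emits the findings a reviewer would otherwise hunt for by eye: directory accounts with no HR owner, terminated people still enabled, group memberships beyond what the department is entitled to, and AD/Entra disagreements that point at sync lag. The column names and the department-to-group entitlement table are assumptions; real exports need a column mapping and your own policy.

```python
import csv
import io

# Constructed sample exports (not real data). Column names are assumptions;
# map them to whatever your AD / Entra ID export actually produces.
HR_CSV = """upn,department,status,end_date
sara@example.com,Marketing,active,
erik@example.com,Engineering,active,
consultant1@example.com,External,terminated,2025-12-15
"""

AD_CSV = """upn,enabled,groups
sara@example.com,True,Engineering-Security;Marketing
erik@example.com,True,Engineering-Security;Legacy-App
consultant1@example.com,True,Contractors
ghost@example.com,True,Engineering-Security
"""

ENTRA_CSV = """upn,accountEnabled,groups
sara@example.com,True,Engineering-Security;Marketing
erik@example.com,True,Engineering-Security
consultant1@example.com,True,Contractors
"""

# Assumed entitlement policy: the groups a department is allowed to hold.
DEPARTMENT_GROUPS = {
    "Engineering": {"Engineering-Security"},
    "Marketing": {"Marketing"},
    "External": {"Contractors"},
}


def parse_export(text, upn_column="upn"):
    """Read a CSV export into a dict keyed by lower-cased UPN."""
    return {row[upn_column].lower(): row for row in csv.DictReader(io.StringIO(text))}


def groups_of(row):
    return {g for g in row["groups"].split(";") if g}


def is_enabled(row):
    # AD exports 'enabled', Entra exports 'accountEnabled'; both arrive as text.
    return (row.get("enabled") or row.get("accountEnabled") or "").lower() == "true"


def reconcile(hr_csv, ad_csv, entra_csv):
    """Return a list of (finding, upn, detail) tuples describing access drift."""
    hr, ad, entra = parse_export(hr_csv), parse_export(ad_csv), parse_export(entra_csv)
    findings = []

    # 1. Accounts that exist in a directory but have no HR record at all.
    for upn in sorted((set(ad) | set(entra)) - set(hr)):
        findings.append(("NO_HR_RECORD", upn, "account in directory, nobody in HR owns it"))

    for upn, person in hr.items():
        ad_row, entra_row = ad.get(upn), entra.get(upn)

        # 2. Terminated in HR but still enabled in either directory.
        if person["status"] == "terminated":
            for name, row in (("AD", ad_row), ("ENTRA", entra_row)):
                if row is not None and is_enabled(row):
                    findings.append((f"STILL_ENABLED_{name}", upn, f"terminated {person['end_date']}"))
            continue

        # 3. Group membership beyond what the current department is entitled to.
        allowed = DEPARTMENT_GROUPS.get(person["department"], set())
        for name, row in (("AD", ad_row), ("ENTRA", entra_row)):
            if row is None:
                continue
            for group in sorted(groups_of(row) - allowed):
                findings.append((f"EXCESS_GROUP_{name}", upn, group))

        # 4. AD and Entra ID disagree with each other (sync lag or a cloud-only change).
        if ad_row is not None and entra_row is not None and groups_of(ad_row) != groups_of(entra_row):
            findings.append(("SYNC_MISMATCH", upn, sorted(groups_of(ad_row) ^ groups_of(entra_row))))

    return findings


def run_sample():
    return reconcile(HR_CSV, AD_CSV, ENTRA_CSV)


if __name__ == "__main__":
    for finding, upn, detail in run_sample():
        print(f"{finding:22} {upn:28} {detail}")
```

On the constructed data this reports Sara's stale engineering group in both directories, the terminated consultant still enabled in both, an account nobody in HR owns, and a group that exists on-premises but never reached the cloud. Each finding is the question you would otherwise have to ask a manager; running this monthly instead of in March turns the annual scramble into a short list of exceptions.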
The root cause
Here is what frustrates me: the audit is not the problem. The problem is that audit readiness is treated as a project instead of a daily practice.
If your access management were continuously accurate, the audit would be straightforward. Pull the report, hand it over, done. The scramble only exists because things drift during the year and nobody corrects them until the auditor shows up.
Access drift is constant. People join, leave, change roles, take on new projects, finish old ones. Every one of these events should trigger an access change. In most organisations, some of them do and some do not. The gap between what should happen and what actually happens grows every week.
By audit time, you are not demonstrating your access management practice. You are reconstructing it from scattered evidence.
What audit readiness actually looks like
The companies I work with that do not dread audits (they exist, though they are a minority) have a few things in common.
Access changes happen based on events, not requests. When HR marks someone as terminated, their access gets revoked automatically, both in Active Directory and Entra ID. When someone changes departments, their group memberships update. This is not magic. It is connecting your HR system to your identity platform with a set of rules.
Reviews happen continuously, not once a year. Instead of one big review before the audit, access gets reviewed on a rolling basis. Maybe each department reviews quarterly. Maybe critical application access gets reviewed monthly. The point is that drift gets caught early, not twelve months later.
Evidence is generated automatically. Every access change, every review decision, every approval is logged. When the auditor asks for evidence, it already exists. No screenshots. No manual exports. Just a report.
Ownership is distributed. IT does not own every access decision. Department managers own their team's access. Application owners own their app's access. IT provides the tools and the framework. This scales. Having one IT team manually review 500 people's access does not.
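The two mechanical pieces above, HR events driving access changes and evidence being written as a by-product of every change, fit in a small rule engine. The following is an added example, not the post's code and not Adcyma's: an in-memory stand-in for AD and Entra ID that consumes a constructed joiner/mover/leaver feed, applies a department-to-group policy (assumed, not from the post), and appends an evidence record for every action. The directory writes are modelled as state changes; in production they would be the corresponding AD and Graph calls, and a termination must also revoke issued sessions, since disabling an account alone does not invalidate tokens that are already out.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
import json

# Assumed policy: the groups each department grants. Not from the post.
DEPARTMENT_GROUPS = {
    "Engineering": {"Engineering-Security", "Engineering-All"},
    "Marketing": {"Marketing"},
    "External": {"Contractors"},
}
ALL_DEPARTMENT_GROUPS = set().union(*DEPARTMENT_GROUPS.values())


@dataclass
class Account:
    upn: str
    department: str
    enabled: bool = True
    groups: set = field(default_factory=set)


class IdentityStore:
    """Stands in for AD and Entra ID together. In production the mutations below
    would be directory calls; here they change memory so the example runs offline."""

    def __init__(self):
        self.accounts = {}
        self.evidence = []  # append-only; this is what the auditor gets

    def _log(self, event, upn, detail, actor="hr-sync"):
        self.evidence.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "event": event, "upn": upn, "detail": detail, "actor": actor,
        })

    def handle_hr_event(self, ev):
        """One HR event in; directory changes and evidence out."""
        kind, upn = ev["type"], ev["upn"].lower()
        if kind == "hire":
            self._hire(upn, ev["department"])
        elif kind == "move":
            self._move(upn, ev["department"])
        elif kind == "terminate":
            self._terminate(upn, ev.get("effective"))
        else:
            self._log("UNHANDLED_HR_EVENT", upn, kind)  # recorded, never silently dropped
            raise ValueError(f"unknown HR event type: {kind}")

    def _hire(self, upn, department):
        if upn in self.accounts:
            # HR feeds replay; a repeated hire must not reset an existing account.
            self._log("HIRE_IGNORED_EXISTS", upn, department)
            return
        groups = set(DEPARTMENT_GROUPS.get(department, ()))
        self.accounts[upn] = Account(upn, department, True, groups)
        self._log("ACCOUNT_CREATED", upn, {"department": department, "groups": sorted(groups)})

    def _move(self, upn, new_department):
        acct = self.accounts[upn]
        old = DEPARTMENT_GROUPS.get(acct.department, set())
        new = DEPARTMENT_GROUPS.get(new_department, set())
        removed = acct.groups & (old - new)  # old department's groups, unless the new one grants them too
        added = new - acct.groups
        acct.groups = (acct.groups - removed) | new
        acct.department = new_department
        self._log("GROUPS_CHANGED", upn, {"removed": sorted(removed), "added": sorted(added)})
        # Project and ad-hoc groups belong to no department, so they are not
        # pulled automatically; their owner gets a review item instead.
        for group in sorted(acct.groups - ALL_DEPARTMENT_GROUPS):
            self._log("REVIEW_REQUIRED", upn, {"group": group, "reason": "mover kept non-department group"})

    def _terminate(self, upn, effective):
        acct = self.accounts[upn]
        acct.enabled = False
        removed = sorted(acct.groups)
        acct.groups.clear()
        self._log("ACCOUNT_DISABLED", upn, {"effective": effective, "groups_removed": removed})
        # Disabling does not invalidate tokens already issued; the real
        # implementation must also revoke sessions / refresh tokens (assumed call).
        self._log("SESSIONS_REVOKED", upn, "assumed directory call, not modelled here")

    def grant_adhoc_group(self, upn, group, approver):
        """Request-based grants still happen; they are logged with their approver."""
        self.accounts[upn].groups.add(group)
        self._log("GROUP_ADDED", upn, {"group": group, "approved_by": approver}, actor=approver)

    def evidence_jsonl(self):
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.evidence)


def run_sample():
    """Replay a constructed HR feed and return the resulting store."""
    store = IdentityStore()
    store.handle_hr_event({"type": "hire", "upn": "sara@example.com", "department": "Engineering"})
    store.handle_hr_event({"type": "hire", "upn": "consultant1@example.com", "department": "External"})
    store.grant_adhoc_group("sara@example.com", "Project-Atlas", approver="app-owner@example.com")
    store.handle_hr_event({"type": "move", "upn": "sara@example.com", "department": "Marketing"})
    store.handle_hr_event({"type": "terminate", "upn": "consultant1@example.com", "effective": "2025-12-15"})
    return store


if __name__ == "__main__":
    print(run_sample().evidence_jsonl())
```

Two design choices matter here. A mover only loses the groups their old department granted; anything granted by request stays and is routed to its owner for review, which is how ownership stays with the application owner rather than with IT. And the evidence log is written by the same code that makes the change, so "show me when the consultant's access was removed and who approved Sara's project access" is a query over that log, not a screenshot hunt.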
None of this requires a massive platform
You do not need a 200,000 EUR identity governance and administration (IGA) platform to get here. You need defined processes, basic automation connecting HR events to identity changes, and a way to run and track periodic reviews.
Some of this you can build with Entra ID P2's access reviews. Some of it needs a tool on top. The specifics matter less than the mindset shift from "audit readiness is a March project" to "audit readiness is how we work."
A confession
I mentioned I used to work at a company that dreaded audits. I should be more specific: I was part of the problem.
I was the one pulling late nights before audits, rushing to reconcile access lists, hastily documenting processes that should have been documented months earlier. I told myself we were too busy during the year. The honest answer is that I prioritised the urgent over the important, every single time, and then paid for it when the auditor arrived.
Building Adcyma was partly a response to that. If the system handles it, it does not matter whether I am disciplined enough to stay on top of things manually. The system does not get busy. The system does not put things off.
That might be the most honest product motivation I have ever written down.