Plenty of community banks run a perfectly defensible access review with nothing more than spreadsheets, email, and discipline. Software isn't a prerequisite for compliance — a repeatable, documented process is. Here's how to build one that holds up in an exam, and the signs that tell you when the manual version is starting to cost more than it saves.
Step 1: Build a complete system inventory first
Before reviewing any access, write down every system that touches customer or financial data: core banking platform, online and mobile banking, Active Directory, loan origination, wire and ACH systems, and any ancillary or vendor-hosted applications. This list is the single most common gap examiners find — not incorrect access, but an incomplete inventory of what should have been reviewed in the first place.
Step 2: Export user and entitlement data from each system
Pull a current user list from each system on your inventory, including role or privilege level where the system supports it. Note the export date on each file — examiners will sometimes ask when the underlying data was pulled, and "as of" dates matter more than most institutions expect.
Step 3: Reconcile to a single roster
Combine the exports into one master sheet, one row per person, one column per system. This is the step that takes the longest by hand, and the one most prone to error — a terminated employee missed in one system, a name mismatch between HR records and a legacy application's username format.
Step 4: Route to department heads for certification
Send each department head their team's access listing and require a sign-off: confirm, revoke, or flag for follow-up. Keep the request and response — email is fine, as long as it's retained somewhere retrievable later.
Step 5: Document exceptions and remediate promptly
Any flagged access should have a documented remediation date, not just a note that it was "addressed." Examiners look for evidence that follow-up happened, not just that an issue was identified.
Step 6: File the whole package with a date and owner
The completed review — exports, reconciled roster, sign-offs, and remediation notes — should be filed together with a clear date and the name of who ran it. This is what gets pulled during an exam, so it should stand on its own without someone having to reconstruct the story from memory.
The manual process above is legitimate and examiner-tested. What breaks it isn't the method — it's scale. Steps 2 and 3 are where the time goes, and that time grows roughly linearly with the number of systems you run.
Signs it's time to stop doing this by hand
- Step 2 and 3 together take more than a day or two of staff time per review cycle
- You've had a near-miss where a terminated employee's access wasn't fully removed across every system
- The person who "owns" the process is a single point of failure — if they're out, the review doesn't happen
- You're adding systems faster than your process can absorb them
None of these are a compliance failure on their own. They're signs the manual version is becoming a labor and risk problem rather than a documentation problem — which is a different conversation, and the one worth having before an examiner has it for you.
Want the checklist version of this process?
We put steps 1-6 above into a fillable checklist your team can use for your next review cycle, no software required.