Access Reviews

Article 13: Reporting & Audit Trail

The audit trail

Every significant action in an access review cycle is automatically recorded in Ploy's audit trail. This is a chronological, immutable log of what happened, who did it, and when.

What the audit trail captures

Campaign and cycle events:

  • Cycle created (including the filters and settings used)

  • Review started

  • Campaign completed or archived

Reviewer actions:

  • Account set submitted (with reviewer identity and timestamp)

  • Revision requested (with admin's message)

  • Account set approved (with approver identity)

Account-level decisions:

  • Each account reviewed: outcome recorded, reviewer recorded, timestamp recorded

  • Outcome changed (if a revision was requested and resubmitted)

  • Account marked as already removed

Remediation events:

  • Remediation initiated (type, target account, who triggered it)

  • Remediation completed (outcome, timestamp)

  • Remediation failed (error details preserved)

Snapshot data:

The audit trail also preserves point-in-time snapshots for every account reviewed. These capture the state at the moment the review cycle was generated, not at the time of approval — so the record is always historically accurate even if the employee's situation changed during the review. Snapshots include:

  • Department, job title, and manager

  • Location (region and country)

  • MFA status

  • When access was originally granted and when it expires

  • Last active date in the application

Exporting review data

You can export the results of a completed review to CSV from the admin dashboard. Exports include:

  • Resource name and type

  • Employee name, email, department, and job title (from the point-in-time snapshot)

  • Outcome decision and reviewer notes

  • Access level / role and entitlement details

  • Access granted date, expiry date, last accessed date

  • MFA status at review time

  • Reviewer name and the timestamp of their decision

You can export a single review or multiple reviews at once. Exports are useful for feeding into your own compliance tracking tools, sharing with auditors, or archiving alongside your certificates.

Viewing review history

All past cycles are preserved in the admin dashboard under the campaign they belong to. You can navigate to any previous cycle and see:

  • The full list of reviews within the cycle and their outcomes

  • The progress timeline for each review

  • The decisions made on each individual account

  • Remediation status and history

  • The generated compliance certificates

There is no time limit on how long review history is retained — completed cycles and their records persist in line with the Terms of Service and DPA you agreed to upon signing up to Ploy.

What admins use reporting for

Common reporting use cases:

  • Pre-audit prep: Export completed review results for the period being audited and package them with certificates as your evidence set

  • Remediation tracking: Monitor which "not appropriate" accounts have been actioned and which are still in progress or failed

  • Reviewer performance: See which reviewers completed on time, which requested revisions, and where revision loops occurred

  • Programme health: Track completion rates across campaigns over time to spot where your review programme is working well and where it needs attention

Was this helpful?