How to Audit Your VA's Access Permissions Quarterly
Access permissions drift over time. A VA hired for customer service somehow ends up with billing access. A former VA's Google Workspace account is still active three months after they left. A shared password wasn't changed at offboarding.
A quarterly access audit catches these issues before they become security incidents. This guide gives you a systematic process you can complete in under an hour.
Why Quarterly Is the Right Cadence
Annual reviews are too infrequent - a lot can change in 12 months. Monthly is often overkill for small teams. Quarterly audits catch:
- Permissions granted for temporary tasks that were never revoked
- Former VAs with lingering access
- Account creep (VAs added to tools "just temporarily" that became permanent)
- Changes in VA role that should trigger access adjustments
- Password manager vaults with outdated or unnecessary entries
Building Your Access Inventory
The audit starts with having a complete list of every system your VA can access. If you don't have this list, build it now - it also serves as your offboarding checklist.
Access Inventory Template:
| System | VA Name | Account Type | Access Level | Date Granted | Last Reviewed |
|---|---|---|---|---|---|
| Google Workspace | Jane Smith | Named user ([email protected]) | Standard user | 2025-01-15 | - |
| Shopify | Jane Smith | Staff account | Orders + Products | 2025-01-15 | - |
| HubSpot | Jane Smith | Sales member | Contacts + Deals | 2025-01-15 | - |
| 1Password | Jane Smith | Team member | Client vault | 2025-01-15 | - |
| Slack | Jane Smith | Member | #general, #client-work | 2025-01-15 | - |
Maintain this in a simple Google Sheet. Update it when access is granted or changed.
Quarterly Audit: Step-by-Step
Step 1: Review the access inventory
Pull up your access list. For each entry, ask: Is this VA still active? Is this access level still appropriate for their current role?
Step 2: Verify accounts are still active in each system
Log into each platform and confirm the VA's account status. Check for:
- Former VAs whose accounts were not deactivated
- Accounts showing no activity for 60+ days (investigate why)
- Admin or elevated permissions that should have been downgraded after a temporary task
Step 3: Check file and folder sharing
In Google Drive (or whatever file storage you use):
- Search "Shared with [VA name or email]"
- Review each shared item - does the VA still need access to this folder or file?
- Remove sharing on anything no longer relevant
Step 4: Review password manager vault access
Open your password manager's admin panel:
- Confirm active VAs have access only to their designated vault/collection
- Confirm former VAs have been removed from all vaults
- Check for any passwords shared outside the vault (via email or other methods)
Step 5: Check communication tools
In Slack, Teams, or other messaging tools:
- Confirm active VAs are only in channels relevant to their current work
- Remove from private strategy, finance, or HR channels they were added to temporarily
Step 6: Verify 2FA status
- Confirm 2FA is active on all shared accounts
- If using Authy for shared 2FA, verify only authorized devices are enrolled
Step 7: Update the access inventory
Record the review date and any changes made for each entry. Schedule the next quarterly review.
Checklist: What to Look For in Each System
Google Workspace / Microsoft 365
- Is the VA's account active and in use?
- Are they in the correct organizational unit?
- Do they have admin access? (Should be rare)
- Are there email forwarding rules set up they shouldn't have?
CRM (HubSpot, Salesforce, etc.)
- Is their user role appropriate for their current tasks?
- Do they have access to deal/pipeline data beyond their scope?
- Do they have export permissions? (Often should be disabled)
E-commerce Platform
- Staff permissions match their current function?
- No access to financial reports, payout settings, or tax information unless needed?
Project Management Tools
- Only in the projects they're currently working on?
- Not in archived or sensitive projects?
Social Media / Marketing Tools
- Only connected accounts they currently manage?
- No admin/owner roles unless managing the tool itself?
Red Flags That Need Immediate Action
- An account for a VA who left more than 30 days ago is still active → Revoke immediately
- A VA has admin access to systems where only standard access was intended → Downgrade immediately
- Shared passwords haven't been changed since the last VA departed → Change now
- Access inventory hasn't been reviewed in more than 6 months → Do a full audit this week
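The inventory sheet can do part of this triage for you. The script below is an added example, not part of the original guide: it reads a CSV export of the inventory (using the template's column names) and applies the red-flag thresholds above. The `DEPARTURES` roster, the flag names, the sample rows, and the 183-day approximation of "6 months" are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample: CSV export of the inventory sheet, using the template's columns.
INVENTORY_CSV = """\
System,VA Name,Account Type,Access Level,Date Granted,Last Reviewed
Google Workspace,Jane Smith,Named user,Standard user,2025-01-15,2025-04-10
Shopify,Jane Smith,Staff account,Admin,2025-01-15,2025-04-10
HubSpot,Sam Lee,Sales member,Contacts + Deals,2024-06-01,-
Slack,Sam Lee,Member,#general,2024-06-01,2024-09-30
"""

# Assumption: a roster kept alongside the sheet; None means the VA is still active.
DEPARTURES = {"Jane Smith": None, "Sam Lee": date(2025, 3, 1)}

FORMER_VA_GRACE_DAYS = 30   # the guide's "left more than 30 days ago" threshold
STALE_REVIEW_DAYS = 183     # "more than 6 months", approximated in days


def audit(csv_text, departures, today):
    """Return (system, va, flag, action) tuples for entries that need attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        system, va = row["System"].strip(), row["VA Name"].strip()
        if va not in departures:
            # An inventory row with no matching person is itself a finding.
            findings.append((system, va, "UNKNOWN_VA", "identify the account owner"))
        elif departures[va] is not None:
            overdue = (today - departures[va]).days > FORMER_VA_GRACE_DAYS
            action = "revoke immediately" if overdue else "revoke as part of offboarding"
            findings.append((system, va, "FORMER_VA", action))
        level = row["Access Level"].lower()
        if "admin" in level or "owner" in level:
            findings.append((system, va, "ELEVATED", "confirm it is intended or downgrade"))
        reviewed = row["Last Reviewed"].strip()
        if reviewed in ("", "-"):
            findings.append((system, va, "NEVER_REVIEWED", "review this entry now"))
        elif (today - date.fromisoformat(reviewed)).days > STALE_REVIEW_DAYS:
            findings.append((system, va, "STALE_REVIEW", "do a full audit this week"))
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY_CSV, DEPARTURES, date(2025, 7, 1)):
        print(" | ".join(finding))
```

The script only reports what the sheet says; each flagged entry still has to be confirmed in the platform itself, as in Step 2.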
Frequently Asked Questions
How long does a quarterly access audit take?
For a VA team of 1–3 people across 10–15 tools, a thorough audit takes 45–90 minutes. The first audit takes longer; subsequent audits are faster once you have a complete inventory.
What if I discover unauthorized access during an audit?
Revoke access immediately, change relevant passwords, and investigate what was accessed. If business or client data was exposed, you may have notification obligations. Document the discovery and your response.
Should I tell my VA I'm running audits?
Yes - it should be standard practice communicated at onboarding. "We conduct quarterly access reviews as part of our security program" sets the expectation professionally. It's not a surveillance issue; it's sound business hygiene.