The certification auditor will look for evidence that access of users is granted and revoked according to the defined access control policy. This includes reviewing the company's Access Control Policy to ensure it clearly defines the rules for granting, modifying, and revoking access rights. The auditor may also check records of the latest hired personnel, personnel who have changed jobs, and the latest dismissed personnel to verify if access rights were granted and revoked according to the policy. Additionally, the auditor will check if there is a documented process for provisioning, reviewing, modifying, and removing access rights and if these processes are followed consistently. The auditor might also look at the technology used to manage access rights and assess whether employees are aware of the importance of managing access rights and if IT staff are trained on how to manage them effectively. Regular reviews of access rights may also be checked to ensure they are still appropriate for the user's role and responsibilities.