The certification auditor will look for evidence that access of users is granted and revoked according to the defined access control policy. This includes reviewing the company's Access Control Policy to ensure it clearly defines the rules for granting, modifying, and revoking access rights. The auditor may also ask to see records of the latest hired personnel, personnel who have changed jobs, and the latest dismissed personnel to verify if access rights were granted and revoked according to the policy. Additionally, the auditor will check if there is a documented process for provisioning, reviewing, modifying, and removing access rights, and verify if these processes are followed consistently.