The certification auditor will look for evidence that access of users is granted and revoked according to the defined access control policy. This includes reviewing the company's Access Control Policy to ensure it clearly defines the rules for granting, modifying, and revoking access rights. The auditor may also check records of personnel changes, such as the latest hired personnel, personnel who have changed jobs, and the latest dismissed personnel, to verify if access rights were managed according to the policy. Additionally, the auditor will check if there is a documented process for provisioning, reviewing, modifying, and removing access rights, and if these processes are followed consistently. The auditor might also assess the technology and tools used to manage access rights, as well as the training and awareness of employees regarding access rights management. Regular reviews of access rights to ensure they are still appropriate for the user's role and responsibilities may also be checked.