How I Built a SQL-Driven User Access Review & Compliance Audit

via Dev.to, Sanketh Subhas

Introduction

One of the most common findings in a compliance audit is simple: the wrong people still have access to systems they shouldn't. Terminated employees. Sales reps with admin rights. Accounts that haven't been touched in months.

This is exactly what a GRC Analyst is hired to catch and in this project, I built a SQL-based User Access Review (UAR) to simulate a real audit workflow.

The Scenario

Imagine you're a GRC Analyst at a mid-sized company. The IAM (Identity and Access Management) policy says:

- Terminated employees must have database access revoked within 24 hours
- Only IT and DevOps staff can hold Admin privileges (Principle of Least Privilege)
- Any account inactive for 90+ days is considered stale and must be disabled

Your job: write SQL audit queries to find every policy violation.

Step 1 — Building the Mock Database

I created a simple user_access table with intentional policy violations baked in:

```sql
CREATE TABLE user_access (
  user_id INT,
  name VARCHAR(50),
  department VARC
```
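Added example, not the author's code: the three policy rules from the scenario, written as audit queries and run against an in-memory SQLite table. The table name uar_demo, every column other than user_id, name and department, the sample rows, and the review timestamp are assumptions made for this sketch, since the excerpt does not show the full schema.

```python
import sqlite3

# Constructed sample data. Only user_id, name and department appear on the page;
# the table name and the remaining columns are assumptions made for this example.
ROWS = [
    # user_id, name, department, role, last_login, terminated_at, access_revoked_at
    (1, "Alice", "IT", "Admin", "2024-05-30 09:00:00", None, None),
    (2, "Bob", "Sales", "Admin", "2024-05-29 14:00:00", None, None),
    (3, "Carol", "Finance", "User", "2024-01-10 08:00:00", None, None),
    (4, "Dave", "DevOps", "Admin", "2024-05-01 10:00:00", "2024-05-20 17:00:00", None),
    (5, "Erin", "HR", "User", "2024-05-10 10:00:00", "2024-05-15 17:00:00", "2024-05-17 09:00:00"),
    (6, "Frank", "Sales", "User", "2024-05-28 10:00:00", "2024-05-31 18:00:00", None),
    (7, "Grace", "Finance", "User", "2024-02-01 10:00:00", "2024-02-02 09:00:00", "2024-02-02 15:00:00"),
]

CHECKS = {
    # Rule 1: revocation later than 24h after termination, or still missing after 24h.
    "late_or_missing_revocation": """
        SELECT user_id FROM uar_demo
        WHERE terminated_at IS NOT NULL
          AND julianday(COALESCE(access_revoked_at, :as_of)) - julianday(terminated_at) > 1.0""",
    # Rule 2: active Admin role held outside IT and DevOps.
    "admin_outside_it_devops": """
        SELECT user_id FROM uar_demo
        WHERE role = 'Admin' AND access_revoked_at IS NULL
          AND department NOT IN ('IT', 'DevOps')""",
    # Rule 3: no login for 90+ days while access is still enabled.
    "stale_but_enabled": """
        SELECT user_id FROM uar_demo
        WHERE access_revoked_at IS NULL
          AND julianday(:as_of) - julianday(last_login) >= 90""",
}

def run_review(as_of):
    """Return {check_name: [user_id, ...]} for violations as of the given timestamp."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE uar_demo (
        user_id INTEGER PRIMARY KEY, name TEXT, department TEXT, role TEXT,
        last_login TEXT, terminated_at TEXT, access_revoked_at TEXT)""")
    con.executemany("INSERT INTO uar_demo VALUES (?,?,?,?,?,?,?)", ROWS)
    findings = {name: [r[0] for r in con.execute(sql + " ORDER BY user_id", {"as_of": as_of})]
                for name, sql in CHECKS.items()}
    con.close()
    return findings

if __name__ == "__main__":
    for check, ids in run_review("2024-06-01 12:00:00").items():
        print(f"{check}: {ids}")
```

Passing the review time as a parameter keeps the result reproducible for audit evidence. It also shows the 24-hour window at work: Frank (terminated 18 hours before the first review time) is not yet a finding, but becomes one if the review is rerun later with access still in place.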

Continue reading on Dev.to
