We use a different method for auditing our access. First access is only granted by submitting an Access Request From, that must be approved by a manager. Once submitted, it is processed and access to specific security groups is given and the from is archived. Monthly a job is run to grab each account and the access they have and an automated system has the resources manager review and attest to the access. If they fail to attest, or decide to remove groups, the tech team has a couple of days to remove the access. All of this is logged. Failure to remove access, or attest gets escalated.