In my opinion, it's up to the system owner/admin to review permissions. I can help generate a list of who has access, but then its up to you to know who, what, and why people have that level of access.

The other way of doing this is with AD groups.. name the groups appropriately, then who has access is not my problem. Maybe setup an automatic report to goto the system owner either on a schedule or when users are added to roles.