Most small businesses run a tight process for collecting badges, closing out final payroll, and updating HR records on someone's last day. The IT side of the same event is usually softer, sometimes by weeks. During assessments we routinely find active accounts, live VPN credentials, and unrevoked SaaS access belonging to people who left months earlier. That gap is one of the quieter ways an environment becomes exposed, and it is almost always a process problem rather than a tooling problem.
Why the quiet risk is the real risk
The mental image most owners hold about offboarding risk is a departing employee taking data with them. That happens. It is not, in our experience, the dominant pattern. The more common scenario is mundane. An account nobody is watching gets compromised through a password reuse breach. A former contractor's VPN credentials end up in a list traded on the dark web. A shared password that was never rotated is used months later to read sensitive files. The attacker does not need to be sophisticated. The account simply needs to still exist.
Industry research has put the share of organizations that experienced a security incident involving a former employee's lingering access at more than half. The exact figure matters less than the direction. Once an environment has any meaningful number of users, the probability that one of those abandoned accounts becomes the entry point is high enough to plan around.
What a complete offboarding looks like
The work breaks down into access and authentication, devices and physical assets, data preservation, and license cleanup. None of it is technically difficult. The discipline is in doing every item, every time, on the day the person leaves rather than later in the week. The sequencing also matters. Cut authentication first, capture data second, clean up licenses and inventory last. Collecting a laptop before the account is disabled leaves a window where the credentials are live and the device is in transit.
Access
- Disable the email account immediately; do not delete it. You will often need access to the mailbox for business continuity. Convert it to a shared mailbox or set delegation, and forward incoming mail to the manager using a server-side rule rather than one that depends on the client running.
- Revoke active sessions on top of disabling the account. Disabling a user stops new logins. The refresh tokens already issued to their phone and laptop can keep working for hours unless you explicitly sign the user out everywhere. In Microsoft 365 that is the Revoke sessions action on the user. In Google Workspace it is Sign out user. Skipping this step is the most common technical miss we see in offboarding.
- Revoke access across every cloud service. Microsoft 365 or Google Workspace is the start. The misses are usually the CRM, the accounting system, the project management tool, the file sync service, the marketing platform, and any vendor portals.
- Cut VPN and remote access at the same moment as email. If a user could connect to the network from outside the office, that path should be closed before the badge is.
- Rotate any shared credentials the user had access to. Shared admin logins, social accounts, vendor portals, conference room screens. If the password was known to the departing user, it is no longer a secret.
- Remove the user from group mailboxes, distribution lists, and team accounts. These are easy to miss because they are not tied to a single license.
Devices and data
- Collect every company-issued device against a written inventory. Laptops, phones, tablets, external drives, security keys. If you do not know what was assigned, you cannot confirm what was returned.
- Preserve the user's data before wiping any device. Mailbox, OneDrive or Google Drive, local files that were not synced. Move what the business needs to a known location before reformatting.
- Remove company data from any personal device that touched the environment. A mobile device management tool can scope the wipe to corporate data without touching personal photos and contacts.
- Reclaim or reassign the software licenses. This is partly hygiene and partly cost control. Unassigned licenses billed monthly add up faster than most owners realize.
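As an added example that is not part of the original article and is not any provider's script, the following PowerShell runs the Access and Devices-and-data items that live inside Microsoft 365 in the order the article recommends (authentication cut first, mailbox and groups next, licenses last) and writes a timestamped line for every step. It assumes the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module are installed and that the operator holds the User Administrator and Exchange Administrator roles; the parameter names, the log path and the addresses are placeholders.

```powershell
# Added example (not from the original article): Microsoft 365 last-day access
# revocation in the article's sequence. Assumes Microsoft.Graph and
# ExchangeOnlineManagement are installed. $Upn, $ManagerUpn and $LogPath are
# placeholder parameters for this example.
param(
    [Parameter(Mandatory)] [string] $Upn,          # e.g. departing.user@example.com
    [Parameter(Mandatory)] [string] $ManagerUpn,   # recipient of forwarded mail
    [string] $LogPath = ".\offboarding-$(Get-Date -Format yyyyMMdd-HHmmss).log"
)

function Write-Step {
    # One timestamped, attributed line per action: the record that answers
    # "was this actually done?" six months later.
    param([string] $Message)
    $line = "{0:u} {1} {2}" -f (Get-Date).ToUniversalTime(), $env:USERNAME, $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

Connect-MgGraph -Scopes "User.ReadWrite.All","Directory.ReadWrite.All","GroupMember.ReadWrite.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$user = Get-MgUser -UserId $Upn -Property Id,DisplayName,AccountEnabled
Write-Step "Starting offboarding for $($user.DisplayName) <$Upn>"

# 1. Block sign-in first. Nothing else matters while the account can still authenticate.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Write-Step "AccountEnabled set to false"

# 2. Sign the user out everywhere. Disabling alone leaves already-issued refresh
#    tokens on the phone and laptop valid until they expire.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
Write-Step "Refresh tokens revoked (sessions signed out everywhere)"

# 3. Replace the password with a random value that is never recorded, so a
#    password the user knew is useless even if the account is re-enabled by mistake.
$newPw = -join ((48..57 + 65..90 + 97..122) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $user.Id -PasswordProfile @{ Password = $newPw; ForceChangePasswordNextSignIn = $true }
Write-Step "Password reset to an unrecorded random value"

# 4. Keep the mailbox: convert to shared and forward server-side (no client needed).
Set-Mailbox -Identity $Upn -Type Shared
Set-Mailbox -Identity $Upn -ForwardingAddress $ManagerUpn -DeliverToMailboxAndForward $true
Write-Step "Mailbox converted to shared; server-side forwarding to $ManagerUpn"

# 5. Groups, distribution lists and team memberships, which are not tied to a license.
$memberships = Get-MgUserMemberOf -UserId $user.Id -All
foreach ($m in $memberships) {
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.group') { continue }
    $name = $m.AdditionalProperties['displayName']
    try {
        Remove-MgGroupMemberByRef -GroupId $m.Id -DirectoryObjectId $user.Id -ErrorAction Stop
        Write-Step "Removed from group '$name'"
    } catch {
        # Dynamic groups and Exchange-managed distribution lists refuse this call;
        # log them so they are handled by hand rather than silently missed.
        Write-Step "COULD NOT remove from '$name': $($_.Exception.Message)"
    }
}

# 6. Licenses last. The mailbox is already shared, so it keeps its data without a
#    license; removing the license from an ordinary user mailbox would instead
#    start the deletion clock on it.
$skus = @((Get-MgUserLicenseDetail -UserId $user.Id).SkuId)
if ($skus.Count -gt 0) {
    Set-MgUserLicense -UserId $user.Id -RemoveLicenses $skus -AddLicenses @() | Out-Null
    Write-Step "Removed $($skus.Count) license(s)"
}

Write-Step "Microsoft 365 steps complete; VPN, third-party SaaS and shared credentials are tracked separately"
Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

The script deliberately stops at the tenant boundary: VPN, the CRM, the accounting system and the rest of the SaaS list need their own entries on the master access list, and the log line at the end is there to make that visible in the ticket rather than implied. The two ordering choices that matter are steps 1 and 2 (disable, then revoke sessions, before anything that takes time) and steps 4 and 6 (convert the mailbox before the license comes off).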
Documentation and review
- Record what was done and when. A timestamped log of which accounts were disabled, which devices were returned, and who completed each step. If a question surfaces six months later about whether a system was actually closed off, that record is what answers it.
- Review access logs for the period leading up to the departure. Large file downloads, mailbox forwarding rules, access to systems outside the user's normal pattern. None of these are conclusive on their own. All of them are worth a second look.
- Update the asset inventory in the same pass. Returned devices either go back into the pool or get marked for retirement. The inventory only stays accurate if it is updated as part of the work.
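The log review in the list above, as an added example that is not from the original article or any provider's tooling: a PowerShell pass that pulls the specific signals the article names (forwarding inbox rules, mailbox-level forwarding, large download volumes, and sign-in locations as a rough proxy for activity outside the usual pattern) for the period before the departure and writes them to a CSV for the ticket record. It assumes the ExchangeOnlineManagement module and the Microsoft Graph PowerShell SDK are installed, that unified audit logging is enabled for the tenant, and that the operator can read audit and sign-in logs; $Upn, $Days and $DownloadThreshold are placeholder parameters.

```powershell
# Added example (not from the original article): pre-departure review of the
# signals the article lists. Assumes ExchangeOnlineManagement and the Microsoft
# Graph PowerShell SDK are installed and audit logging is on. $Upn, $Days and
# $DownloadThreshold are placeholder parameters for this example.
param(
    [Parameter(Mandatory)] [string] $Upn,   # e.g. departing.user@example.com
    [int] $Days = 30,                       # review window before the last day
    [int] $DownloadThreshold = 50           # flag any day with more file downloads than this
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All" -NoWelcome

$start    = (Get-Date).ToUniversalTime().AddDays(-$Days)
$end      = (Get-Date).ToUniversalTime()
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string] $Check, [string] $Detail)
    $findings.Add([pscustomobject]@{ User = $Upn; Check = $Check; Detail = $Detail })
}

# 1. Inbox rules that forward or redirect mail. These survive a password reset
#    and keep mail leaving after the account looks cleaned up.
Get-InboxRule -Mailbox $Upn |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    ForEach-Object {
        $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) | Where-Object { $_ }
        Add-Finding 'InboxRuleForward' ("Rule '{0}' sends mail to {1}" -f $_.Name, ($targets -join ', '))
    }

# 2. Mailbox-level forwarding, set either by the user in OWA or by an admin.
$mbx = Get-Mailbox -Identity $Upn
if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
    Add-Finding 'MailboxForwarding' "ForwardingAddress=$($mbx.ForwardingAddress) ForwardingSmtpAddress=$($mbx.ForwardingSmtpAddress)"
}

# 3. File downloads from SharePoint/OneDrive counted per day. The unified audit
#    log is paged: keep calling with the same session id until a page is empty.
$sessionId = [guid]::NewGuid().ToString()
$downloads = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $Upn `
        -Operations FileDownloaded,FileSyncDownloadedFull `
        -ResultSize 5000 -SessionId $sessionId -SessionCommand ReturnLargeSet
    if ($page) { $downloads += $page }
} while ($page)

$downloads |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Group-Object { ([datetime]$_.CreationTime).ToString('yyyy-MM-dd') } |
    Where-Object { $_.Count -gt $DownloadThreshold } |
    ForEach-Object {
        $sample = ($_.Group | Select-Object -First 3 -ExpandProperty ObjectId) -join '; '
        Add-Finding 'HighDownloadDay' ("{0}: {1} downloads, e.g. {2}" -f $_.Name, $_.Count, $sample)
    }

# 4. Sign-ins grouped by country with a few source IPs each, so a location the
#    user never works from stands out to the reviewer.
$filter  = "userPrincipalName eq '$Upn' and createdDateTime ge $($start.ToString('yyyy-MM-ddTHH:mm:ssZ'))"
$signIns = Get-MgAuditLogSignIn -Filter $filter -All
foreach ($c in ($signIns | Group-Object { $_.Location.CountryOrRegion })) {
    $ips = ($c.Group | Select-Object -ExpandProperty IpAddress -Unique | Select-Object -First 5) -join ', '
    Add-Finding 'SignInCountry' ("{0}: {1} sign-ins from {2}" -f $c.Name, $c.Count, $ips)
}

# Emit the findings for the ticket record. None is conclusive on its own.
$findings | Sort-Object Check | Format-Table -AutoSize
$findings | Export-Csv -Path ".\predeparture-review-$($Upn -replace '[^a-z0-9]', '_').csv" -NoTypeInformation
```

Run it before the access revocation, while the mailbox and sign-in history are still intact, and attach the CSV to the offboarding ticket; the download threshold and the review window are starting points to tune against what is normal for the role, not detection rules.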
The gaps we see most often
A few patterns show up repeatedly when we audit offboarding during a Technology Confidence Assessment.
The first is incomplete SaaS coverage. The provider disables email and considers the job done. Meanwhile the departing user is still a licensed seat in eight other applications, several of which hold customer or financial data. Without an authoritative list of what each user had access to, the offboarding is structurally incomplete.
The second is delay. Offboarding gets queued behind other work and slides from Friday to Monday to Wednesday. Every day an unused account stays active is a day a credential stuffing attack can succeed against it without anyone noticing. The discipline that matters is doing the access revocation on the last day, even when nothing else can happen on the same timeline.
The third is forgetting non-employees. Contractors, agency staff, bookkeepers, fractional executives, and outside consultants frequently end up with credentials that outlast the engagement by years. They need the same treatment as a W-2 employee, and the process should be triggered by the end of the engagement rather than by HR.
The fourth is the absence of a master access list in the first place. If nobody can produce a definitive document of which systems each user is in, the offboarding will always miss something. Building that list is one of the higher-leverage hygiene projects a small business can complete, and it ties directly back to the essential security baseline for small business.
What a managed provider should be doing
If you pay a managed IT provider, offboarding should be a documented, repeatable workflow that runs the same way every time, triggered by a single notification from your side. You should not be reminding them to disable accounts. You should not be asking whether the VPN was closed. The completed offboarding should arrive in your inbox as a ticket summary with a list of what was done, what was preserved, and what was deferred, with reasoning.
The proactive half of the work matters at least as much. A good provider maintains the access inventory continuously so that the offboarding event is small and predictable rather than a scramble. If your current provider's offboarding feels improvised, or if it depends on you remembering to mention the smaller applications, the issue is rarely the technician. It is the absence of a process. The MSP Frustration Quiz is a useful read on whether that gap is isolated or part of a broader pattern.
Audit your offboarding before the next departure.
A Technology Confidence Assessment includes a review of user lifecycle management: how new employees are onboarded, how access is granted, and how departures are handled. We surface the gaps in writing and give you a process you can run consistently.
Schedule a Technology Confidence Assessment