IT Offboarding Checklist: What to Do When an Employee Leaves
When someone quits or gets let go, the paperwork moves fast. IT access doesn't.
Zippia research found 71% of companies have no formal employee offboarding process. The average employee accumulates 31 separate app accounts over their tenure. State of SaaS 2025 data shows about a third of businesses take longer than 24 hours to close those accounts after someone walks out the door.
That's a long time for a live login.
Here's what a complete IT offboarding process looks like and why the businesses that get it right don't leave it to chance.
Why IT Offboarding Is a Security Issue, Not Just a Paperwork One
Most breaches don't start with a sophisticated attack. They start with credentials that were never disabled.
Former employees, contractors, and vendors accumulate access over time: email, file storage, CRM, accounting software, VPN, HR platforms, shared social accounts. In a growing business where IT oversight is informal, those accounts pile up. When someone leaves, they often stay open.
IBM's 2025 Cost of a Data Breach Report put the average global breach cost at $4.44 million. Incidents involving malicious insiders averaged $4.92 million. Those numbers typically involve someone who retained access they should have lost months earlier.
The 2022 Twitter case is a documented example. A former employee kept admin-level access well after leaving and used it in ways that created serious legal exposure for the company. No complex attack. Someone just never closed an account.
For a 50-person firm in Bergen County or a 75-person team in Midtown, the dollar amounts are different but the exposure is real. One former employee with open access to a client portal, accounting system, or company email is a liability the business may not even know it's carrying.
The IT Offboarding Checklist
Here's what should happen, in order, starting the moment you know someone is leaving.
1. Inventory Their Access Before the Last Day
You can't revoke what you don't know about. Pull a complete list of every system that person accessed, working backward from their role.
Most businesses are surprised by how long that list gets. Email and Microsoft 365 are obvious. Less obvious: the CRM they configured three years ago, the vendor portal they set up for a contractor, the shared social accounts, the cloud console a developer used once and never officially transferred.
This is where centralized identity management pays off. Azure Active Directory or Okta lets you see connected apps in one place. Without it, you're piecing the list together from memory and hoping nothing gets missed.
2. Disable Accounts on the Last Day
Same-day disablement is the standard. Not next week. Not after HR finishes their paperwork.
Start with SSO if you have it. Disabling there revokes connected apps at once. Then work through the rest: email, VPN, cloud storage, anything not covered by SSO.
One note: disable the email account before deleting it. You'll need it accessible to reassign contacts, forward active threads, or pull records. Deletion can wait a few weeks. Disablement should happen day one.
3. Recover Devices and Wipe Them
Laptops, phones, USB drives, and access badges all need to come back. Issue a receipt when you collect them.
MDM software lets you remote-wipe a device that isn't returned, but only if MDM was configured before the person left. That's the part most businesses skip until they need it. Wipe and reimage before reassigning. Don't assume the previous user's credentials are gone just because someone new is using the machine.
4. Clean Up SaaS and Shared Accounts
This step takes longer than most businesses expect.
The average company uses more than 100 SaaS applications. Many were provisioned outside formal IT channels, so there's no central record. A sales rep may have signed up for a scheduling tool, a design platform, or a LinkedIn automation app using their company email. When they leave, those accounts stay active. The login still works. The charge keeps coming.
Update shared account passwords. Look for OAuth connections the employee created. Check for automated workflows running under their credentials. These are the accounts that get missed in the day-one rush and cause problems months later.
5. Reassign, Archive, and Document
Before closing anything out, transfer ownership. Email should forward to the employee's manager. Shared drives should move to a team folder or a named owner. Any automated process running under their credentials needs a new owner before the access is cut.
Then document everything. What was revoked, when, and by whom. That record matters for compliance if your business falls under HIPAA, SOC 2, or state privacy frameworks that have been ramping up enforcement this year. It also protects you if a dispute comes up later about what access the person retained.
6. Run a Follow-Up Audit at 30 Days
One pass isn't enough. Accounts get missed. OAuth connections go unnoticed. Shared credentials don't always make it onto the initial list.
Thirty days after the departure, pull an access report and look for anything still tied to their name, email, or credentials. This catches what the day-one rush overlooked, which is usually a few things.
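A sketch of that 30-day check, added here as an illustration and not taken from the original article: it scans a combined access report for accounts, OAuth grants, and workflows still live under the departed employee's identifiers, and for shared passwords not rotated since the departure date (the step 4 cleanup). The CSV columns, names, and dates are constructed sample data; real exports from your identity provider and SaaS tools will differ.

```python
import csv
import io
from datetime import date

# Constructed sample report; real exports from an IdP or SaaS admin console
# use different columns and must be normalised into this shape first.
ACCESS_REPORT = """system,kind,principal,owner,status,last_changed
Microsoft 365,account,jdoe@example.com,jdoe@example.com,disabled,2025-03-14
VPN,account,jdoe,jdoe@example.com,enabled,2024-11-02
CRM,oauth_grant,calendar-sync-app,jdoe@example.com,active,2023-06-20
Social media,shared_credential,brand-account,marketing@example.com,active,2025-01-10
Social media,shared_credential,ads-account,marketing@example.com,active,2025-03-15
Accounting,workflow,invoice-export,JDoe@Example.com,active,2024-08-01
File storage,account,asmith@example.com,asmith@example.com,enabled,2025-02-01
"""

IDENTIFIERS = {"jdoe", "jdoe@example.com"}       # every name the person used
SHARED_KNOWN = {"brand-account", "ads-account"}  # shared logins they knew (step 1 inventory)
DEPARTED_ON = date(2025, 3, 14)


def audit(report_csv, identifiers, shared_known, departed_on):
    """Return (system, principal, reason) for every item that still needs action."""
    ids = {i.lower() for i in identifiers}
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        kind, status = row["kind"], row["status"].lower()
        if kind == "shared_credential":
            # For shared logins, last_changed is the last password rotation.
            rotated = date.fromisoformat(row["last_changed"])
            if row["principal"] in shared_known and rotated < departed_on:
                findings.append((row["system"], row["principal"],
                                 "password not rotated since departure"))
            continue
        # Case-insensitive match on either the login itself or its owner.
        tied = row["principal"].lower() in ids or row["owner"].lower() in ids
        if tied and status in ("enabled", "active"):
            findings.append((row["system"], row["principal"], f"{kind} still {status}"))
    return findings


if __name__ == "__main__":
    for system, principal, reason in audit(ACCESS_REPORT, IDENTIFIERS,
                                           SHARED_KNOWN, DEPARTED_ON):
        print(f"{system}: {principal}: {reason}")
```

Keeping the output alongside the step 5 record shows what was still open at 30 days and when it was closed.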
Why This Is Hard to Do Consistently Without Dedicated IT Support
The checklist itself isn't that complicated. Getting it done consistently, with someone accountable for every step, is where it falls apart.
At a 40-person company without dedicated IT staff, offboarding lands on whoever is available. HR finishes their paperwork and assumes IT handled access. IT assumes HR flagged every account. Neither has a master list. The result is a partial offboarding: the main email is closed, everything else is still open.
This is the gap a managed IT partner fills. Not because the process is technically difficult, but because it requires someone who owns the full list, executes in the right order, and documents what was done. When offboarding is part of a managed service relationship, it happens the same way every time, regardless of whether it's a quiet Tuesday or the middle of a busy quarter.
For businesses managing compliance obligations on top of day-to-day operations, the deprovisioning trail also connects directly to compliance and regulatory requirements that regulators are actively scrutinizing in 2026.
Frequently Asked Questions
How quickly should you revoke employee access when someone leaves?
Same day, at the moment employment ends. For roles with admin access, finance permissions, or IT credentials, revocation should happen before the exit meeting is over. Every hour after that is unnecessary exposure.
What systems get missed most often during IT offboarding?
SaaS tools provisioned outside of IT, shared social accounts, vendor portals, OAuth-connected automations, and workflows running under the employee's personal credentials. These aren't covered by SSO and require manual review.
What if a former employee still has access to your systems?
Disable it immediately. Even with no malicious intent, those credentials can be compromised in an unrelated breach and then used to access your systems. Any active account tied to someone who no longer works there is an open risk.
Does your business need to document IT offboarding steps?
Yes, if you handle regulated data. SOC 2, HIPAA, and state privacy laws require documented evidence of timely deprovisioning and access controls. An audit trail is what keeps you compliant when you're asked to prove it.
How is IT offboarding different from HR offboarding?
HR offboarding covers final pay, benefits, paperwork, and exit interviews. IT offboarding covers access revocation, device recovery, account cleanup, and documentation. They need to run in parallel, with clear ownership on both tracks.