A Checklist for Better Digital Offboarding of Employees

Peter Nelson · 5 min read

A thorough IT offboarding checklist covering access revocation, device recovery, data transfer, and audit trails - so departing employees don't leave a security gap behind them.

Employee departures are a normal part of running a business. Poorly managed IT offboarding is not something you can afford to treat as normal - and yet it’s one of the most consistently under-executed processes we see at Australian SMBs.

The risk is straightforward: a former employee with active credentials is a potential entry point. Whether their departure was amicable or not is irrelevant. Unrevoked access is a liability.

Here’s a practical, thorough digital offboarding checklist your team can follow every time.

Why Digital Offboarding Fails in Practice

Most businesses have some kind of HR offboarding process, but IT-specific steps are often:

  • Handled inconsistently, depending on who’s managing the departure
  • Completed days or weeks after the employee’s last day
  • Focused on the obvious (disabling the email account) while missing less visible access points (shared credentials, third-party app logins, cloud storage)

A 2024 study found that over 50% of organisations had experienced a data security incident linked to a former employee. The fix isn’t complicated - it’s process discipline.

Before the Last Day

Start these steps as soon as you know an employee is leaving, even if notice was just given:

  • Notify IT immediately - your IT team or managed service provider needs lead time to prepare, not a surprise call on the employee’s last afternoon
  • Identify all systems the employee has access to - pull this from your access management records (you have these, right?), HR system, and by asking the employee’s manager
  • Begin data transfer planning - identify files, emails, and projects that need to be handed over; start this process before the last day, not on it
  • Check for shared credentials - are there team email accounts, social media logins, or service accounts this person knew the password for? Flag these for rotation

Access Revocation Checklist

On or before the last day, revoke access in this order (prioritising the most sensitive first):

Identity and Email

  • Disable Microsoft 365 / Google Workspace account (do not delete immediately - archive it)
  • Remove from all distribution lists and shared mailboxes
  • Set up an auto-reply or redirect for the email address
  • Revoke all active sessions (force sign-out from all devices)
  • Remove from Microsoft 365 or Google admin roles if applicable

Internal Systems

  • Disable VPN access
  • Remove from Active Directory / Azure AD groups
  • Revoke access to CRM, ERP, accounting, and project management tools
  • Remove from internal communication platforms (Teams, Slack)
  • Disable any privileged or admin accounts

Cloud and Third-Party Services

  • Remove from cloud storage (SharePoint, OneDrive, Google Drive, Dropbox)
  • Revoke access to any SaaS tools the employee was provisioned on
  • Check for personal accounts used for business purposes (e.g., personal Dropbox linked to work files)
  • Rotate any shared API keys or service account passwords the employee had access to

Physical and Remote Access

  • Disable building access cards or security codes
  • Revoke remote desktop or remote access credentials
  • Collect any physical keys or access devices

Device Recovery

  • Collect company-owned devices - laptop, phone, tablet, monitors, peripherals
  • If the device is remote, arrange secure return shipping or collection
  • Before wiping, ensure any business data is backed up or transferred
  • Perform a full factory reset or corporate wipe via your MDM (Mobile Device Management) platform
  • For BYOD (bring your own device) arrangements, use MDM to selectively wipe corporate data only

Data Transfer and Knowledge Retention

  • Transfer ownership of key files from the employee’s account to their manager or successor
  • Forward or archive important emails
  • Export and preserve any critical account data before disabling the account
  • Document any processes, passwords, or institutional knowledge the employee held
  • Check if the employee had admin rights on any systems and document what was managed

Audit Trail

Maintaining an audit trail protects your business if a dispute arises later:

  • Log the date and time each access point was revoked
  • Record who performed each offboarding step
  • Archive the employee’s account for a minimum of 90 days before deletion
  • Retain email records per your data retention policy (and relevant legal obligations)
  • Document any anomalies - attempted logins after departure, unusual file downloads in the days before leaving
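The two anomalies named in the last item can be checked mechanically from exported logs. The following is an added example, not part of the original article: the event layout, the user names, the 14-day window and the 5x threshold are all assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data: user -> time access was revoked.
DEPARTURES = {"jsmith": datetime(2024, 6, 28, 17, 0)}
SIGN_INS = [  # (timestamp, user, result)
    ("2024-06-27T09:02:00", "jsmith", "success"),
    ("2024-06-30T23:41:00", "jsmith", "failure"),
    ("2024-07-01T08:15:00", "alee", "success"),
    ("2024-07-02T02:10:00", "jsmith", "success"),
]
DOWNLOADS = [  # (date, user, files downloaded that day)
    ("2024-05-20", "jsmith", 12), ("2024-05-21", "jsmith", 9),
    ("2024-05-22", "jsmith", 15), ("2024-06-03", "jsmith", 11),
    ("2024-06-20", "jsmith", 14), ("2024-06-26", "jsmith", 240),
    ("2024-06-27", "jsmith", 310), ("2024-06-27", "alee", 20),
]


def post_departure_logins(sign_ins, departures):
    """Sign-in attempts made after the user's access was revoked."""
    hits = []
    for ts, user, result in sign_ins:
        revoked = departures.get(user)
        when = datetime.fromisoformat(ts)
        if revoked and when > revoked:
            # A success means revocation did not take effect somewhere.
            severity = "critical" if result == "success" else "warning"
            hits.append((when, user, result, severity))
    return hits


def download_spikes(downloads, departures, window_days=14, factor=5):
    """Days before departure where downloads exceed factor x the user's baseline."""
    hits = []
    for user, revoked in departures.items():
        start = revoked - timedelta(days=window_days)
        rows = [(datetime.fromisoformat(d), n) for d, u, n in downloads if u == user]
        baseline = [n for d, n in rows if d < start]
        if not baseline:
            continue  # no earlier history to compare against
        threshold = factor * median(baseline)
        hits += [(d.date().isoformat(), user, n)
                 for d, n in rows if start <= d <= revoked and n > threshold]
    return hits


if __name__ == "__main__":
    print(post_departure_logins(SIGN_INS, DEPARTURES))
    print(download_spikes(DOWNLOADS, DEPARTURES))
```

A successful sign-in after the revocation time is rated above a failed one because it shows an access point the checklist missed.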

Under Australian Privacy Act obligations, you also need to ensure the former employee’s personal data stored in your systems is handled appropriately.

After the First Week

A few follow-up steps are easy to miss:

  • Check whether the former employee’s account is still receiving notifications or being tagged in systems
  • Confirm their replacement has the access they need
  • Review whether any recurring reports, automated emails, or workflows were running under their account
  • Run an access review across your key systems to catch anything missed
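One way to run that access review is to reconcile the leaver list against account exports from each system. This is an added example, not from the original article: the CSV column names, system names and addresses are assumptions, and the sample data is constructed.

```python
import csv
import io

# Constructed sample data, not real exports. Column names are assumptions.
LEAVERS = {"j.smith@example.com"}
# Systems each leaver was provisioned on, per the access management record.
PROVISIONED = {"j.smith@example.com": {"m365", "crm", "vpn", "dropbox"}}
EXPORTS = {
    "m365": "email,status,role\nJ.Smith@example.com,disabled,Global Admin\n"
            "alee@example.com,enabled,User\n",
    "crm": "email,status,role\nj.smith@example.com ,enabled,User\n",
    "vpn": "email,status,role\nalee@example.com,enabled,User\n",
}


def review_access(leavers, provisioned, exports):
    """Return (system, email, issue) for every gap left after offboarding."""
    findings = []
    for system in sorted(exports):
        for row in csv.DictReader(io.StringIO(exports[system])):
            email = row["email"].strip().lower()  # exports differ in case/spacing
            if email not in leavers:
                continue
            if row["status"].strip().lower() != "disabled":
                findings.append((system, email, "account still enabled"))
            if "admin" in row["role"].lower():
                findings.append((system, email, "admin role still assigned"))
    # A system on the access record with no export was never checked at all.
    for email in sorted(leavers):
        for system in sorted(provisioned.get(email, set()) - set(exports)):
            findings.append((system, email, "no export reviewed"))
    return findings


if __name__ == "__main__":
    for finding in review_access(LEAVERS, PROVISIONED, EXPORTS):
        print(*finding, sep=" | ")
```

The third kind of finding matters most for third-party services: a system that appears on the access record but was never exported is unverified, not clean.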

Build This Into Your HR Process

The most effective organisations treat digital offboarding as a non-negotiable HR step, not an IT afterthought. Build the IT checklist into your HR offboarding workflow so it triggers automatically every time, regardless of how amicable or rushed the departure is.

A managed IT provider can automate large portions of this - single-click account suspension across connected systems, automatic MDM wipe triggers, and audit logging without manual effort.

Want to tighten up your offboarding process? Talk to CX IT Services about identity management and offboarding automation for your Melbourne business.
