
Offboarding usually goes one of two ways: You hear about it five minutes before it’s supposed to happen—a message from HR saying it’s urgent. Or worse, you don’t hear about it at all, and find out later that a former employee still has access to critical systems.
Either way, the result is the same: missed steps, last-minute exceptions, scattered approvals, and no clean record of what happened. This kind of reactive, fragmented offboarding has a lot of high-impact consequences.
For example, in healthcare, if access revocation isn’t tracked properly, HIPAA auditors can flag it as a compliance violation. In one case, Gulf Coast Pain Consultants was fined $1.19 million after a former contractor accessed their EMR system three separate times post-termination and used PHI to generate fraudulent Medicare claims.
This guide outlines a step-by-step employee offboarding process built for IT teams who want to maintain clear records for auditing and improve collaboration with HR and other departments.
TL;DR
- Risks of poor offboarding include security breaches, compliance failures, license waste, and lingering access in shared or unmanaged tools
- When an employee leaves an organization, the offboarding process should include access removal, data transfer, license recovery, and audit logging
- Plan for different exit types like resignations, terminations, role changes, and leaves—each requires a tailored approach
- Use tools like Stitchflow to detect hidden access and deprovision across disconnected or non-SSO apps
The risks of poor IT offboarding processes
Even a single missed step during offboarding can silently expose your organization to security breaches, compliance failures, and unnecessary costs. Here’s what poor offboarding actually looks like in practice.
Security gaps
Accounts in tools like GitHub, Salesforce, Zoom, or Asana often remain active after someone leaves—particularly in apps not federated through your IDP. These “orphaned” accounts can be exploited for unauthorized access, especially when tied to shared logins, functional accounts (like hello@acme.com), or contractors’ personal emails.
License waste
Without a structured offboarding process, paid seats in tools like Adobe, Figma, or Slack are rarely reclaimed. IT teams often find duplicate licenses tied to former employees months later, wasting thousands per year, especially in SaaS-heavy orgs.
In fact, one Stitchflow customer discovered $160K+ in annual license waste from unused seats. Another found they were still paying for 50+ licenses for ex-employees after renewals were already locked in.
Compliance and audit failures
Frameworks like SOC 2, ISO 27001, SOX, and GDPR mandate timely and documented offboarding. If you can’t prove that non-SSO tools were covered or that shared inboxes were reassigned, you’re at risk of control failures or audit delays. Auditors (and IT leadership) want clear answers to:
What systems did this user access?
During a SOC 2 audit, the reviewer may ask for a list of all systems a recently terminated employee could access, including SaaS tools not managed via SSO. If you can’t produce a complete inventory tied to that user, it’s flagged as a lack of access governance.
When was their access fully revoked?
In an ISO 27001 assessment, auditors expect a clear timeline: termination date, last login, and date of final deprovisioning. If access was only removed from the IDP but not from tools like GitHub, HubSpot, or shared folders, that’s logged as a nonconformity.
Who approved any access exceptions?
Under GDPR, retaining access (e.g., to email or Zoom) after termination is only allowed with a documented, legitimate reason—usually reviewed by legal or HR. If you can’t show who approved the exception and for how long, it opens the door to privacy violations.
⚠️ These risks don’t just sit in silos. Together, they drain time, budget, and trust:
- 1 FTE per 500 employees is tied up manually cleaning up access after departures
- 20%+ of SaaS licenses stay active and unused, costing thousands in waste
- 53% of breaches involve orphaned accounts left behind during offboarding
- 5+ hours a week on manual audit-related tasks
How to offboard an employee: Step-by-step guide
This guide isn’t about just creating a checklist of offboarding tasks—it’s about creating a process that can help you turn offboarding into a secure and repeatable system. This means building in the right workflows at every stage: before departure, during deprovisioning, and post-offboarding.
Set up cross-departmental workflows

You’ve probably seen the memes, but it’s surprisingly common for IT to find out someone left only when they walk past an empty desk weeks later. But offboarding isn’t just an IT task—it’s a shared responsibility across HR, IT, and the employee’s team.
HR might confirm the departure, but without looping in the manager for a full list of tools and timelines, or IT to revoke access and recover assets, offboarding becomes fragmented.
Clear coordination upfront can turn last-minute scrambles into a repeatable, compliant process. Here’s how you can do that:
Start with HR
As soon as a departure is confirmed, HR should trigger the offboarding workflow—ideally through the HRIS or by generating a ticket in your ITSM. Avoid last-minute Slack pings. If Slack is part of the culture, use a bot to post a confirmation when the ticket is created, not as the trigger itself.
🎯 Pro tip: Automate the trigger using tools like Zapier. Use your HRIS to auto-create an offboarding ticket in IT’s system and send a Slack notification once it’s logged.
Loop in the manager
The employee’s direct manager (or department lead) needs to flag all role-specific tools, shared folders, and lingering access—especially for shadow IT. They should also note if limited access is needed post-departure (like for handoff support), and for how long. This avoids surprise exceptions mid-process.
🎯 Pro tip: Have each team maintain an approved list of tools, especially AI, that may be purchased outside IT. Require managers to sign off on these during onboarding, so there’s a clear list ready to hand off during offboarding.
IT closes the loop
IT handles the actual deprovisioning—system access, license recovery, and account shutdown. But it’s not just about SSO. They should validate that disconnected apps, shared logins, and department-owned tools aren’t left open. Use a centralized IT offboarding checklist to confirm everything’s covered—and log it for audit readiness.
🎯 Pro tip: Use free tools like Stitchflow’s OffboardIT to create custom offboarding checklists based on department, role, and systems used. Then, export the checklist and attach it to your ITSM ticket for tracking. It reduces missed steps and gives you a clean record for compliance tracking.
Check exit type and risk level
Not all departures carry the same urgency—or risk. A planned resignation with a 3-week notice looks very different from a same-day termination or a high-privilege admin leaving with little context. The goal here is to tier your employee offboarding process by urgency and exposure.
Here’s what to align on:
- Is this voluntary or involuntary? Involuntary exits usually require immediate revocation of access, sometimes midday. Voluntary ones often allow a phased approach.
- When is the last working day? If they're sticking around to help with transition, some access may need to stay active temporarily (with sign-off).
- What’s the sensitivity of the role? Anyone with admin access, customer data access, or financial authority should be flagged for high-risk workflows, with an extra layer of confirmation and logging.
- Are they being offboarded remotely? Remote exits raise more variables, especially when it comes to hardware retrieval and unmonitored personal devices.
💡 Last working day vs. last access day
Just because someone is “working until next Friday” doesn’t mean they need access to everything until then. A departing sales rep might need CRM access to wrap deals, but shouldn’t retain admin-level data exports. What you need is an “access tapering” plan based on role sensitivity. For example:
- Day 0 to two days before exit: Employee retains normal access for transition work
- The day before the last day: Remove admin rights and sensitive permissions
- Final day: Fully deactivate accounts and reassign shared assets
Audit the employee’s full app and system access
Even when HR triggers offboarding and managers fill out their part, gaps remain, because people often don’t know (or forget) all the tools someone used. And if access is tied to a personal email or sits outside SSO, it can easily slip through. This is where IT steps in to validate the full access footprint, beyond what’s been reported.
Why this matters:
- Orphaned accounts in tools like Canva, Trello, Notion, or vendor portals often fly under the radar.
- Shadow IT (especially tools signed up with a personal email) won't show up in your identity provider.
- Shared logins for team calendars, social tools, or AI platforms need separate tracking.
What to do:
Start by identifying the full range of tools the employee had access to—including disconnected or manually provisioned apps that may not show up in your IDP.
- Use an app discovery tool or SaaS asset management platform like Stitchflow that can uncover both federated and non-federated access—including accounts tied to personal emails or unmanaged domains
- Cross-reference login activity and usage to catch accounts that are still active but forgotten—especially those not part of your automated offboarding flow
- For tools without SCIM or direct integrations, generate a list for manual follow-up or create deprovisioning tasks in your ITSM system
Finally, centralize all findings in your offboarding ticket or checklist to ensure every action is logged and traceable.
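The cross-referencing described above, as an added example that is not part of the original article and not Stitchflow’s code: a small Python script that loads an identity-provider export and a combined per-app account export, stitches aliases and personal emails back to the primary identity, and classifies each app account as orphaned (owner deprovisioned in the IdP but the app account still exists), shadow (no matching identity at all), or idle (no login for 90 days). It then turns the findings into follow-up tasks, marking non-SSO apps for manual deprovisioning. The CSV layouts and the sample data are constructed for this example and are not any vendor’s real export format.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample exports for this example. The column layout is an
# assumption, not Okta's, GitHub's or Stitchflow's real export format.
IDP_USERS = """\
email,status,aliases
jane.doe@acme.com,DEPROVISIONED,jdoe@acme.com;jane.personal@gmail.com
bob.lee@acme.com,ACTIVE,
"""

APP_ACCOUNTS = """\
app,login,last_login,sso
GitHub,jdoe@acme.com,2025-05-02,no
Airtable,jane.personal@gmail.com,2025-06-11,no
Notion,bob.lee@acme.com,2025-06-20,yes
Canva,mystery@contractor.io,2024-12-01,no
Salesforce,jane.doe@acme.com,2025-01-15,yes
"""


def load_identities(idp_csv: str) -> dict[str, tuple[str, str]]:
    """Map every known login (primary address and each alias) to (primary, status).

    This is the identity-stitching step: a personal Gmail that HR or the manager
    linked to the user resolves to the same person as their work login.
    """
    index: dict[str, tuple[str, str]] = {}
    for row in csv.DictReader(io.StringIO(idp_csv)):
        primary = row["email"].strip().lower()
        index[primary] = (primary, row["status"])
        for alias in row["aliases"].split(";"):
            if alias.strip():
                index[alias.strip().lower()] = (primary, row["status"])
    return index


def classify_accounts(idp_csv: str, app_csv: str, today: date,
                      idle_days: int = 90) -> dict[str, str]:
    """Return {"App:login": finding} for every app account that needs follow-up.

    orphaned - owner is deprovisioned in the IdP but the app account still exists
    shadow   - login matches no IdP identity or alias (personal email, contractor)
    idle     - owner is active but has not signed in for idle_days (forgotten seat)
    """
    identities = load_identities(idp_csv)
    findings: dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(app_csv)):
        login = row["login"].strip().lower()
        key = f"{row['app']}:{login}"
        last_login = datetime.strptime(row["last_login"], "%Y-%m-%d").date()
        identity = identities.get(login)
        if identity is None:
            findings[key] = "shadow"
        elif identity[1] == "DEPROVISIONED":
            # Applies to SSO apps too: cutting SSO does not always delete the local account
            findings[key] = "orphaned"
        elif (today - last_login).days > idle_days:
            findings[key] = "idle"
    return findings


def followup_tasks(findings: dict[str, str], app_csv: str) -> list[dict]:
    """Turn findings into ITSM-style tasks; non-SSO apps need a manual step."""
    sso_apps = {f"{r['app']}:{r['login'].strip().lower()}": r["sso"] == "yes"
                for r in csv.DictReader(io.StringIO(app_csv))}
    tasks = []
    for key in sorted(findings):
        app, login = key.split(":", 1)
        tasks.append({
            "app": app,
            "login": login,
            "finding": findings[key],
            "action": "verify SCIM/IdP removal" if sso_apps[key] else "manual deprovision",
        })
    return tasks


if __name__ == "__main__":
    results = classify_accounts(IDP_USERS, APP_ACCOUNTS, today=date(2025, 7, 1))
    for task in followup_tasks(results, APP_ACCOUNTS):
        print(task)
```

In the sample data the Salesforce account is federated yet still flagged: the IdP deprovisioned the user, but nothing confirms the app-side account was removed, which is exactly the gap an auditor will ask about. Swap the two inline CSV strings for real exports and the classification logic stays the same.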
Backup data and transfer ownership
Once access is revoked, recovering files or identifying data owners becomes exponentially harder. This step protects business continuity, especially in collaborative or customer-facing roles: back up files, transfer ownership, and review key systems for anything the employee might still control, particularly if they’ve been around a while or signed up for tools with a personal email. Here are the areas to focus on:
Shared drives and cloud folders
Don’t assume everything’s in shared folders. Long-tenured employees or contractors often keep strategy docs, contracts, or finance files in unshared folders.
What to do:
- Transfer ownership of files from Google Drive, OneDrive, or Dropbox to a manager’s or teammate’s account
- Reassign collaborative folder ownership to avoid shared access breaks
- Review personal folders for sensitive documents that shouldn’t disappear
✅ You can use Google Admin’s transfer utility to reassign ownership before deletion. Set a retention window (e.g., 30–90 days) to catch anything missed.
Email accounts and inboxes
Email accounts often hold vendor logins, contract history, or customer conversations. Left unmanaged, you risk broken workflows—or worse, data leakage.
What to do:
- Export or archive emails based on your retention policy
- Audit inbox rules for risky behavior, like forwarding to personal accounts
- If the inbox is active post-departure, convert it to a shared inbox (which typically doesn't incur a license fee in platforms like Microsoft 365 or Google Workspace) so others can monitor it without burning a seat
SaaS tools and document ownership
Tools like Notion, GitHub, Asana, Figma, and Confluence often house mission-critical work, including live docs, code, and customer-facing assets.
What to do:
- Reassign file or repo ownership before removing access
- Update team permissions and admin roles
- Remove personal email invites (common with external users) that may retain access post-deactivation
💡 Reassign ownership in platforms like your CRM, ERP, and help desks before deactivating accounts. While the employee’s department typically owns this step, IT should still verify it’s done—and check for lingering sequences, deals, or support tickets tied to the departing user.
Deprovision users
Start with your identity provider (like Okta or Azure AD). This should be your first step in revoking access—disabling SSO-connected apps, system accounts, and internal tools. But in most orgs, that’s not the full picture. Even with centralized identity, users often have access to tools that aren't connected to your IDP:
- Manually-invited apps like Notion, Airtable, or Trello
- Shared credentials for tools like social platforms or analytics dashboards
- Department-owned software added with a credit card—often never registered with IT
This means to fully deprovision users, you need to go beyond what your IDP can see. One way to approach this gap is by using a tool like Stitchflow, which helps IT teams:
- Surface hidden accounts in disconnected tools like Notion, Airtable, or GitHub—even if they weren’t provisioned through Okta or Azure AD
- Detect shadow IT and personal email invites, using identity stitching to link alias logins and unmanaged access back to the real user
- Track app usage activity to flag accounts that are still active, idle, or orphaned, and prioritize what needs action
- Trigger app-by-app remediation by automatically generating ITSM tickets or allowing 1-click exports for tools requiring manual steps
- Log every action in a centralized audit trail, giving IT verifiable proof that deprovisioning was complete, even across non-SCIM apps

Reclaim paid licenses
In most organizations, SaaS spend grows faster than it's cleaned up. Without an intentional license recovery process, unused accounts quietly pile up—especially in tools with seat-based pricing.
When Turing first used Stitchflow to automate offboarding, they uncovered over 150 unused licenses, saving more than $60,000 in annual software costs.
Here’s what you can do:
- Identify active licenses: Use a SaaS user management tool or internal tracker to see which tools the user was licensed for, especially in high-cost apps like design, CRM, or analytics platforms.
- Reassign or remove immediately: Some tools let you transfer seats to another user, while others require you to manually revoke access. In some cases, you can downgrade to a lower plan if you stay within user limits.
- Watch for duplicate or hidden assignments: In tools with multiple workspaces (e.g., Slack, Zoom), users may hold more than one paid seat. Clean these up during offboarding.
- Keep a record: Track what licenses were reclaimed, when, and from whom. This not only helps during audits but also supports license forecasting and finance reconciliation.
🎯 Pro tip: Pair deprovisioning with license recovery: once an account is disabled, reclaim the license in the same workflow.
Keep records for audits
Offboarding doesn’t end when access is revoked—you need proof it happened. Keeping detailed records helps you stay audit-ready, especially in regulated industries or during SOC 2/ISO 27001 reviews. Here are some things you can track:
- Who was offboarded and when
- Which systems were deprovisioned, including disconnected apps or shared logins
- What data or licenses were recovered
- Who signed off at each step—HR, IT, manager
Auditors often pick users at random to review, and they’ll expect to see clear, time-stamped proof of deprovisioning across all systems. If even one step is missing, like a non-SCIM app with no record of access removal, it can create compliance issues.
This gets trickier with shared accounts or complex setups:
- If a user owned shared inboxes, dashboards, or folders, you’ll need to show who took over, as auditors also look for disruption
- If you're running multiple identity systems (M&A, hybrid IT, regional domains), centralized logs are a must so you can prove access was removed everywhere
That’s why automation is so valuable during offboarding—it not only reduces manual effort but logs every action for audit and accountability.
For example, in Stitchflow, every deprovisioning step is automatically time-stamped, plus approvals from IT, HR, or managers are tracked and stored—giving you a clear audit trail of who signed off, when, and on what.
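As an added example (not part of the original article and not Stitchflow’s implementation), here is a Python sketch of the kind of record-keeping described above: a tamper-evident, append-only action log for one offboarding ticket, plus the three checks an auditor asks for: which required systems have no completing deprovision record, how long the full revocation took from the termination timestamp, and which exceptions or ownership transfers lack a named approver. Each entry carries the SHA-256 of the previous one, so an edited or dropped record breaks the chain. The system names, action vocabulary and sample records are constructed for this example.

```python
import hashlib
import json
from datetime import datetime

# Constructed: the system inventory from the access audit for one departing user
REQUIRED_SYSTEMS = ["okta", "google-workspace", "github", "hubspot", "shared-drive:finance"]

# Constructed: the offboarding ticket's action log, oldest first
RECORDS = [
    {"ts": "2025-06-27T09:00:00", "system": "hris", "action": "termination_confirmed", "actor": "hr.bot"},
    {"ts": "2025-06-27T09:05:12", "system": "okta", "action": "deactivated", "actor": "it.ana"},
    {"ts": "2025-06-27T09:06:40", "system": "google-workspace", "action": "deactivated", "actor": "it.ana"},
    {"ts": "2025-06-27T10:30:00", "system": "shared-drive:finance", "action": "ownership_transferred",
     "actor": "it.ana", "approved_by": "mgr.sam"},
    {"ts": "2025-06-27T11:00:00", "system": "zoom", "action": "access_retained", "actor": "it.ana"},
    {"ts": "2025-06-28T14:00:00", "system": "github", "action": "deactivated", "actor": "it.raj"},
]

# Actions that count as "access removed" for a system
COMPLETING_ACTIONS = {"deactivated", "deleted", "ownership_transferred"}
# Actions that are only acceptable with a documented sign-off
NEEDS_APPROVAL = {"ownership_transferred", "access_retained"}
GENESIS = "0" * 64


def chain(records: list[dict]) -> list[dict]:
    """Append-only trail: each entry stores the hash of the previous entry."""
    prev = GENESIS
    trail = []
    for record in records:
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        trail.append({**record, "prev": prev, "hash": digest})
        prev = digest
    return trail


def verify_chain(trail: list[dict]) -> bool:
    """Recompute every hash; any edited or removed record breaks the chain."""
    prev = GENESIS
    for entry in trail:
        body = json.dumps({k: v for k, v in entry.items() if k not in ("prev", "hash")},
                          sort_keys=True)
        expected = hashlib.sha256((prev + body).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return False
        prev = entry["hash"]
    return True


def coverage_gaps(required: list[str], trail: list[dict]) -> list[str]:
    """Required systems with no completing action logged (e.g. a non-SCIM app)."""
    done = {e["system"] for e in trail if e["action"] in COMPLETING_ACTIONS}
    return [s for s in required if s not in done]


def revocation_timeline(trail: list[dict]) -> tuple[datetime, datetime, float]:
    """(termination confirmed, last completing action, hours elapsed)."""
    term = min(datetime.fromisoformat(e["ts"]) for e in trail
               if e["action"] == "termination_confirmed")
    last = max(datetime.fromisoformat(e["ts"]) for e in trail
               if e["action"] in COMPLETING_ACTIONS)
    return term, last, round((last - term).total_seconds() / 3600, 1)


def missing_approvals(trail: list[dict]) -> list[str]:
    """Exceptions and ownership transfers that name no approver."""
    return [e["system"] for e in trail
            if e["action"] in NEEDS_APPROVAL and not e.get("approved_by")]


if __name__ == "__main__":
    trail = chain(RECORDS)
    print("chain valid:", verify_chain(trail))
    print("systems with no removal record:", coverage_gaps(REQUIRED_SYSTEMS, trail))
    print("revocation timeline:", revocation_timeline(trail))
    print("actions missing sign-off:", missing_approvals(trail))
```

Run against the sample log this reports HubSpot as never deprovisioned, a 29-hour gap between termination and the last removal (the GitHub account was cleaned up the next day), and a retained Zoom account with nobody recorded as approving it: the three findings an ISO 27001 or SOC 2 reviewer would write up.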
Set up post-offboarding protocols
Offboarding doesn’t stop at deactivation. You need safeguards in place for what happens after, to protect against access gaps and operational disruption. You can start by deciding what to disable and what to delete—super important if accounts hold valuable data or are tied to active workflows.
Disable (rather than delete) accounts when access logs must be preserved, email forwarding or inbox delegation is needed, or the account is tied to ongoing automations or workflows. Once those needs no longer apply, you can delete them.
🎯 Pro tip: Label accounts as “pending deletion” in your ITSM tool to ensure they’re tracked for follow-up, and don’t end up lingering forever.
Finally, watch for post-exit access by employees. Former users can still access systems through shared logins, personal email invites, or tools missed during offboarding. Set up alerts for login attempts from deactivated accounts, rotate credentials on shared platforms, and audit for guest access tied to ex-employees.
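The alerting described in the last step, as an added example that is not part of the original article and not any vendor’s code: a Python detector that reads authentication log lines, matches the login against a list of deactivated ex-employees (including the aliases and personal-email logins the access audit tied to them), and raises an alert for any attempt after the deactivation date, rating a successful sign-in as critical. A second function correlates source IPs where a failed attempt on the disabled work login was followed by a success on a linked personal login, which is the pattern of a missed access path. The log format, field names and sample lines are constructed for this example; adapt the regular expression to your SIEM’s fields.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# key=value log format assumed for this example (not a real SIEM schema)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) app=(?P<app>\S+) user=(?P<user>\S+) result=(?P<result>\S+) ip=(?P<ip>\S+)$"
)

# Constructed: ex-employees, when their IdP account was disabled, and the
# aliases or personal logins the access audit linked to each of them.
DEACTIVATED = {
    "jane.doe@acme.com": {
        "since": "2025-06-27",
        "aliases": {"jdoe@acme.com", "jane.personal@gmail.com"},
    },
}

# Constructed sample authentication log (RFC 5737 documentation IPs)
SAMPLE_LOG = """\
2025-06-26T17:02:10Z app=salesforce user=jane.doe@acme.com result=success ip=203.0.113.9
2025-06-28T08:12:44Z app=salesforce user=jane.doe@acme.com result=failure ip=198.51.100.7
2025-06-29T21:45:03Z app=airtable user=jane.personal@gmail.com result=success ip=198.51.100.7
2025-06-29T09:00:00Z app=notion user=bob.lee@acme.com result=success ip=203.0.113.22
malformed line that should be skipped
"""


def login_index(deactivated: dict) -> dict[str, tuple[str, datetime]]:
    """Map every login tied to an ex-employee (primary and aliases) to
    (primary address, deactivation time in UTC)."""
    index: dict[str, tuple[str, datetime]] = {}
    for primary, info in deactivated.items():
        since = datetime.fromisoformat(info["since"]).replace(tzinfo=timezone.utc)
        for login in {primary, *info["aliases"]}:
            index[login.lower()] = (primary, since)
    return index


def post_exit_activity(log_text: str, deactivated: dict) -> list[dict]:
    """Every authentication attempt on a deactivated identity after its
    deactivation date. A success means an access path was missed."""
    index = login_index(deactivated)
    alerts = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skipped here; in production, count unparsed lines and review them
        hit = index.get(match["user"].lower())
        if hit is None:
            continue
        when = datetime.fromisoformat(match["ts"].replace("Z", "+00:00"))
        primary, since = hit
        if when < since:
            continue  # activity before deactivation is expected
        alerts.append({
            "when": match["ts"], "app": match["app"], "login": match["user"],
            "ex_employee": primary, "ip": match["ip"],
            "severity": "critical" if match["result"] == "success" else "warning",
        })
    return alerts


def shared_source_ips(alerts: list[dict]) -> list[str]:
    """IPs that both failed against a disabled login and succeeded on another
    login linked to the same ex-employee: a sign that a personal-email invite
    or shared credential was left open."""
    seen: dict[tuple[str, str], set[str]] = defaultdict(set)
    for alert in alerts:
        seen[(alert["ip"], alert["ex_employee"])].add(alert["severity"])
    return sorted({ip for (ip, _), sev in seen.items() if {"warning", "critical"} <= sev})


if __name__ == "__main__":
    found = post_exit_activity(SAMPLE_LOG, DEACTIVATED)
    for alert in found:
        print(alert)
    print("correlated source IPs:", shared_source_ips(found))
```

On the sample log the pre-termination Salesforce login is ignored, the failed Salesforce attempt the day after deactivation becomes a warning, and the successful Airtable sign-in with the linked Gmail address becomes a critical alert; both came from the same address, so it is reported by the correlation check. The alias list is what makes this work: without stitching the personal email to the ex-employee, the Airtable login would look like an ordinary external user.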
📚 Also read: 5 offboarding mistakes that haunt IT Admins (based on real stories)
How to adjust employee offboarding procedures by exit type
In early 2025, 2.87 billion profiles were leaked from X/Twitter and surfaced on Breach Forums. The data included internal metadata and was likely compiled by merging older breaches, with speculation that a disgruntled ex-employee from the Musk-era layoffs was behind it.
It’s a reminder that not all exits are the same—layoffs, resignations, and terminations each carry different requirements and risks. Your offboarding process document should adapt accordingly.
Employee offboarding process for voluntary resignation
Most resignations come with notice, giving time to plan. But that doesn’t mean access cleanup should wait until the last day—it’s about preparing for a smooth transition without loose ends. You can follow your regular employee offboarding workflows for this.
Employee offboarding process for involuntary terminations
These require immediate action with minimal notice. The goal is to prevent any post-departure access or data movement while preserving a defensible audit trail. Access should be revoked immediately—ideally through your IDP (e.g., Okta).
Here are some other ways to minimize risk:
- Pre-monitor for red flags like inbox forwarding or large file exports
- Remove access to email, cloud platforms, and financial systems
- Rotate passwords for shared tools
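Two of the red flags named in this section and in the inbox checklist earlier (forwarding rules to personal accounts, and large file exports) can be checked mechanically. The following Python is an added example, not part of the original article and not any platform’s code: one function scans a user’s mailbox rules and flags forwards to addresses outside the company domains, rating rules that also delete the original or carry a throwaway name as high severity; the other runs a per-user sliding window over cloud-drive download events and flags anyone who pulls more than a threshold within an hour. The rule and event field names and all sample data are constructed for this example, not the Microsoft 365 or Google Workspace schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

COMPANY_DOMAINS = {"acme.com"}

# Constructed sample: inbox rules as a mail platform's admin API might list them
MAILBOX_RULES = [
    {"user": "jane.doe@acme.com", "name": "archive copies",
     "forward_to": ["archive@acme.com"], "delete_original": False},
    {"user": "jane.doe@acme.com", "name": ".",
     "forward_to": ["jane.personal@gmail.com"], "delete_original": True},
    {"user": "bob.lee@acme.com", "name": "vendor invoices",
     "forward_to": [], "delete_original": False},
]

# Constructed sample: cloud-drive download events (bytes per event), any order
FILE_EVENTS = [
    {"user": "jane.doe@acme.com", "ts": "2025-06-30T22:40:00", "bytes": 1_400_000_000},
    {"user": "jane.doe@acme.com", "ts": "2025-06-30T22:05:00", "bytes": 900_000_000},
    {"user": "bob.lee@acme.com", "ts": "2025-06-30T09:00:00", "bytes": 50_000_000},
]


def external_forwarding(rules: list[dict], company_domains: set[str]) -> list[dict]:
    """Flag rules that forward mail outside the company.

    A rule that also deletes the original, or has a throwaway name such as ".",
    is the pattern of a forward meant to go unnoticed, so it is rated high.
    """
    flags = []
    for rule in rules:
        external = [addr for addr in rule["forward_to"]
                    if addr.rsplit("@", 1)[-1].lower() not in company_domains]
        if not external:
            continue
        hidden = rule["delete_original"] or not rule["name"].strip(" ._-")
        flags.append({"user": rule["user"], "rule": rule["name"],
                      "external": external, "severity": "high" if hidden else "medium"})
    return flags


def bulk_exports(events: list[dict], threshold_bytes: int = 1_000_000_000,
                 window: timedelta = timedelta(hours=1)) -> dict[str, int]:
    """Per-user sliding window: flag anyone whose downloads within `window`
    exceed `threshold_bytes`. Returns {user: largest window total seen}."""
    by_user: dict[str, list[tuple[datetime, int]]] = defaultdict(list)
    for event in events:
        by_user[event["user"]].append((datetime.fromisoformat(event["ts"]), event["bytes"]))
    flagged: dict[str, int] = {}
    for user, evs in by_user.items():
        evs.sort()
        start, total = 0, 0
        for ts, size in evs:
            total += size
            while ts - evs[start][0] > window:  # drop events that fell out of the window
                total -= evs[start][1]
                start += 1
            if total > threshold_bytes:
                flagged[user] = max(flagged.get(user, 0), total)
    return flagged


if __name__ == "__main__":
    print(external_forwarding(MAILBOX_RULES, COMPANY_DOMAINS))
    print(bulk_exports(FILE_EVENTS))
```

On the sample data the internal archive rule is left alone, the unnamed forward-and-delete rule to a Gmail address is rated high, and the two downloads 35 minutes apart (2.3 GB in total) trip the one-hour threshold. Thresholds are a starting point; tune them to what a normal week looks like for the role before relying on the output for a same-day termination.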
Employee offboarding process for internal role change
Here, you clean up old access before assigning new permissions to avoid license waste and ensure compliance. Some things you can do are:
- Remove access to tools, groups, or data no longer relevant
- Reassign ownership of shared folders, dashboards, or automations
- Make access review part of your promotion or internal mobility checklist
Employee offboarding process for temporary leave
These are short breaks like sabbaticals and parental leave. Here, the goal is to pause activity without disrupting ownership or losing critical data.
- Disable login while keeping data and ownership intact
- Revoke active sessions (Google, GitHub, etc.)
- Document temporary changes and ensure access is easily restorable upon return
Bonus: How to handle offboarding during M&A transitions
These transitions introduce some of the most complex offboarding scenarios—and the highest risk. When orgs merge or split, they often inherit:
- Multiple identity systems (e.g., Okta, Azure AD, Google Workspace)
- Conflicting email domains (e.g., @acquiree.com, @legacybrand.io)
- Unknown or duplicate accounts in disconnected SaaS tools
- Entire departments managing apps manually or outside IT’s view
In such cases of vast identity sprawl, offboarding becomes a high-risk blind spot:
- Users may retain access through old domains or manual accounts not covered by the current IDP
- Shared accounts, personal email invites, or shadow tools often go unnoticed
- Audit trails are fragmented, making it hard to prove who had access or when it was revoked
To close these gaps, IT needs tools that unify fragmented identities and surface hidden access. That means connecting the dots across old domains, duplicate accounts, shadow tools, and apps no one officially tracks.
🔍 For example, a departing employee shows up in Okta under jane.doe@acquiree.com—but Stitchflow also links them to a personal Gmail used in Airtable, an old contractor login to Salesforce, and shared access to a marketing inbox from a legacy brand domain. With this consolidated view, you can trigger revocation steps across all those apps.
Automate employee offboarding with Stitchflow
Offboarding isn’t once-and-done; it’s full of edge cases, blind spots, and tools outside your IDP. Stitchflow helps IT teams automate employee offboarding across every app, account, and access path—no matter how large or complex the stack.
- Handle same-day terminations: Flag every tool the user touched—even those not connected to Okta—to ensure nothing is missed
- Clean up after role changes: Identify access that should be removed before assigning new permissions to prevent creep
- De-provision across multiple domains: Link accounts, aliases, and legacy domains to fully offboard users from merged or acquired systems
- Eliminate unused licenses: Detect seats still tied to former employees and reduce spend without digging through spreadsheets
- Log every action for audits: Capture time-stamped records of what was deprovisioned, when, and by whom
Get a personalized demo and see how Stitchflow deprovisions users across every app, flags shadow access, and keeps you audit-ready.
Frequently asked questions
Start with HR notifying IT of the employee’s departure. From there, IT can revoke access, reassign assets, and recover licenses. We also suggest setting up an automated offboarding workflow to ensure no steps are missed.
Here are three core tasks that are part of the employee offboarding process:
1. Notify IT as soon as an employee's exit is confirmed to begin the offboarding process
2. Revoke the user’s access across all systems, including SSO apps, non-SSO tools, and shared accounts
3. Audit and document every action taken to ensure compliance and maintain an accurate record
Layoffs pose high security and operational risks, so offboarding must be fast and thorough to prevent data loss or unauthorized access. Here’s how to handle it:
- Get the official layoff list from HR immediately
- Revoke all system and app access without delay
- Recover company devices, badges, and licenses promptly
- Reassign ownership of critical files, inboxes, and workflows
- Document every action for compliance and audit trails
In employee offboarding, an SOP (Standard Operating Procedure) is a documented process that outlines the specific steps your organization follows to securely and smoothly offboard employees, from access removal to asset recovery and compliance tracking.
An IT offboarding policy sets the rules and security goals for managing technology access and assets when employees leave. It defines what needs to be done to protect company data and systems.
Pravinan Sankar is fascinated by the chaos that happens when orgs try to manage hundreds of SaaS tools without losing their sanity. He creates content for IT teams who want fewer surprises in their workday. His approach blends data with storytelling because spreadsheets alone don't inspire action.