
HR Offboarding Checklist: The Complete Step-by-Step Guide

📅 29th May 2026 🕐 18 min read

Fifty-nine percent of organisations have experienced a data breach caused by a former employee (Ponemon Institute). Sixty-three percent of ex-employees retained active access to organisational data after their departure (Wing Security). Ninety-one percent of IT professionals say former employees still have some form of active access post-departure (Beyond Identity). These are not edge-case statistics — they are the predictable result of offboarding treated as an afterthought.

The scale of the problem compounds with every SaaS application added to the stack. The average organisation now has 29 SaaS applications per employee (BetterCloud). Each one is a potential access point that must be found, reviewed, and revoked — not just the primary directory account.

Offboarding is not just an IT problem. It involves final pay compliance, benefits termination, COBRA notification, legal documentation, knowledge transfer, and asset recovery. Done incorrectly, it creates legal exposure, security incidents, and operational gaps that persist long after the employee has left. Done correctly, it is a structured, evidence-producing process that closes every door — on time, in order, with a complete audit trail.

This guide is a department-by-department offboarding checklist covering IT, HR, legal and compliance, knowledge transfer, and asset recovery — for voluntary, involuntary, and contractor departures.

Why Offboarding Is a High-Stakes Process

Former employee access is one of the most consistent and preventable causes of data breaches. The risk is not hypothetical — 59% of organisations in the Ponemon Institute study reported a breach involving former employee access. The mechanism is simple: an employee with access to customer data, source code, or administrative systems leaves the organisation. Their accounts remain active — either because the offboarding process was incomplete, because a system was overlooked, or because access was revoked from the primary directory but downstream SaaS applications were not updated. Days or weeks later, the former employee (or an attacker who compromised their still-active credentials) accesses systems they no longer have authorisation to use.

The IBM Cost of Insider Threats report puts the average cost of an insider threat incident at $15.38 million annually for organisations with more than 30 incidents per year. Former employees account for a significant share of insider incidents — and unlike malicious outsiders, they know exactly where the sensitive data lives, which systems are most valuable, and how to navigate the environment without triggering obvious alerts.

Offboarding errors — incorrect final pay calculations, missed COBRA notification deadlines, improper handling of termination documentation — create legal exposure that is entirely avoidable with a structured process. Employment law violations are expensive and reputationally damaging, and they are almost always the result of process failures, not deliberate non-compliance. A missed COBRA deadline generates $110 per day per beneficiary in penalties. A botched release agreement for an employee over 40 can void the waiver entirely.

Key statistics: Average SaaS applications per employee: 29 (BetterCloud). Percentage of ex-employees who retained active data access: 63% (Wing Security). Average cost of insider threat incident: $15.38M annually (IBM). Organisations that experienced a breach caused by a former employee: 59% (Ponemon Institute).

Voluntary vs Involuntary Offboarding: What Changes

The offboarding process differs significantly based on whether the departure is voluntary (resignation) or involuntary (termination or layoff). The underlying checklist categories are the same — IT, HR, legal, knowledge transfer, asset recovery — but the timing, sequencing, and legal obligations diverge sharply.

| Element | Voluntary (Resignation) | Involuntary (Termination / Layoff) |
| --- | --- | --- |
| Notice period | Typically 2–4 weeks | None (or statutory minimum) |
| IT access during notice | Scoped down; sensitive systems reviewed at notice receipt | Revoked at notification moment |
| Final day access revocation | Executed on final day with employee present | Executed simultaneously with notification |
| Knowledge transfer | Structured handover possible | Limited or no handover — documentation critical |
| Final pay | Standard payroll cycle (jurisdiction-dependent) | Immediate or next business day (jurisdiction-dependent) |
| WARN Act / statutory notice | Not applicable | May apply for mass layoffs (US) / statutory redundancy (UK) |
| OWBPA (employees 40+) | Not applicable | 21-day review period + 7-day revocation for releases |
| Documentation | Resignation acceptance, standard exit docs | Termination letter, legal review, release agreement if applicable |
| Exit interview | Typically conducted | Conducted if safe/appropriate |
| Risk profile | Data exfiltration during notice period | Access revocation latency; legal compliance |

Both departure types use the same underlying offboarding checklist structure — the difference is timing and sequencing. A conditional offboarding checklist branches at the first question ("Is this departure voluntary or involuntary?") and adjusts the IT access timeline, legal documentation steps, and knowledge transfer approach accordingly. The sections below describe the full checklist for both types, with notes on how timing differs where relevant.

IT Offboarding Checklist

IT offboarding is the most security-critical component of the entire process. Every step must be completed with documented evidence of completion — not because it is administratively convenient, but because SOC 2 CC6.2/CC6.3, ISO 27001 A.6.5, and the HIPAA Termination Procedures standard all require it. See also the new hire IT setup checklist for the corresponding provisioning process that creates the access records you'll need to revoke here.

1. Disable the identity provider account

The first and most important step. Disabling the account in the identity provider (Okta, Azure AD, Google Workspace) cascades access revocation to all SSO-integrated applications simultaneously. For involuntary terminations: execute at the moment of notification. For voluntary departures: execute at end of business on the final day — not the morning after. Do not wait for IT to be available the following day. The account must be disabled before the employee leaves the building, or closes their laptop for the last time for remote employees. Verify the disable status in the IdP console immediately and record the timestamp.

2. Revoke application access for non-SSO systems

SSO integration does not cover every application. After disabling the IdP account, review the application inventory and manually revoke access for systems that authenticate independently: legacy applications not integrated with SSO, personal productivity tools with separate accounts (certain project management tools, design tools, communication platforms), direct database access, and VPN credentials. This step requires an accurate application access inventory for each employee — ideally maintained in the HRIS or a dedicated identity governance tool. Every application must be explicitly checked, not assumed to be covered by IdP cascading.

3. Rotate shared credentials and API keys

If the departing employee had access to any shared credentials — shared admin passwords, team API keys, service accounts — rotate those credentials immediately. This step is commonly skipped and is the most frequent cause of post-departure access incidents. The departing employee knows those credentials. Even with their personal account disabled, shared credentials they memorised remain a risk. Audit the password vault for any shared credentials the employee had access to and rotate all of them. Do not rely on the employee's integrity or their departure being amicable.

4. Transfer data and email

Preserve the departing employee's email — forward to manager or successor, set an out-of-office reply — before disabling the account. Export and archive any data in the employee's drives, shared files, or project spaces that the organisation needs to retain. For regulated industries, follow the applicable data retention policy. Do not permanently delete any data until the retention period has elapsed and any pending legal holds have been reviewed. For organisations subject to HIPAA, review whether any PHI is stored in personal drives or email and handle per the HIPAA Termination Procedure requirements.

5. Revoke physical and remote access

Deactivate badge access. Remove from building access control lists. Revoke VPN certificates. If the employee has physical keys, retrieve them. For remote employees: confirm the VPN certificate revocation and verify the MDM-managed device is no longer enrolled — or has been wiped. Physical access revocation is frequently treated as a lower priority than IT system access, but an employee who has had their digital access revoked and still has a building key or active badge can still represent a physical security risk.

6. MDM device management — remote wipe if device not returned

If the device is not returned within the agreed timeframe, initiate a remote wipe via MDM (Jamf, Intune). If the device is returned, verify it has been wiped before reallocating — do not assume a returned device is clean. Update the device inventory to reflect the return or the wipe. For organisations that allow BYOD with MDM profiles, confirm the MDM profile has been removed from any personal devices the employee enrolled during their tenure.

7. Audit log the full access revocation

Document the completion of each revocation step with timestamps — which systems were reviewed, when access was revoked, and by whom. For SOC 2 CC6.2/CC6.3, ISO 27001 A.6.5, and HIPAA Termination Procedures, this documentation is the compliance evidence. A timestamped checklist completion record serves this purpose directly — each task marked complete in a structured checklist tool produces an audit-ready record without any additional documentation effort.

8. Verify at 24 hours post-departure

24 hours after the departure, run a secondary check: attempt a login to the primary corporate systems using the former employee's credentials to confirm revocation worked, review the IdP for any remaining active sessions, and check the application access inventory for any systems flagged for manual review that have not yet been confirmed revoked. This verification step is the control that catches the gaps — systems that were overlooked, revocations that didn't cascade correctly, or sessions that were active at the time of account disable and remained open.
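The 24-hour check from step 8, run over exported revocation records, as an added example (not CheckFlow's or any vendor's code). The record types, field names and sample data (user jdoe, the app and secret names) are constructed; the check also applies the voluntary/involuntary deadline from step 1 to flag a late IdP disable.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc


@dataclass
class Departure:
    user: str
    involuntary: bool
    notified_at: datetime                 # moment of notification / notice receipt
    final_day_close: datetime             # end of business on the final day
    idp_disabled_at: Optional[datetime]   # timestamp recorded from the IdP console

    @property
    def deadline(self) -> datetime:
        # Involuntary: revoke at notification. Voluntary: end of business, final day.
        return self.notified_at if self.involuntary else self.final_day_close


@dataclass
class AppAccess:
    app: str
    sso: bool                              # True if the app authenticates via the IdP
    revoked_at: Optional[datetime] = None  # explicit revocation record for this app


@dataclass
class SharedSecret:
    name: str
    last_rotated: datetime


@dataclass
class Session:
    app: str
    last_seen: datetime


def verify(dep, apps, secrets, sessions):
    """Return sorted (code, subject) findings; an empty list means verified."""
    findings = []
    disabled = dep.idp_disabled_at
    if disabled is None:
        findings.append(("idp_not_disabled", dep.user))
    elif disabled > dep.deadline:
        findings.append(("idp_disabled_late", str(disabled - dep.deadline)))

    for a in apps:
        # SSO apps count as covered only once the IdP account is disabled;
        # every other app needs its own revocation record.
        covered = a.revoked_at is not None or (a.sso and disabled is not None)
        if not covered:
            findings.append(("app_not_revoked", a.app))

    for s in secrets:
        # A shared secret the employee knew is stale unless rotated at/after the deadline.
        if s.last_rotated < dep.deadline:
            findings.append(("secret_not_rotated", s.name))

    for s in sessions:
        # Activity after the disable timestamp means a session stayed open.
        if disabled is not None and s.last_seen > disabled:
            findings.append(("session_after_disable", s.app))
    return sorted(findings)


def sample():
    """Constructed records for a voluntary departure whose IdP disable slipped."""
    t = lambda d, h, m: datetime(2026, 5, d, h, m, tzinfo=UTC)
    dep = Departure("jdoe", False, t(15, 9, 0), t(29, 17, 30), t(30, 9, 5))
    apps = [AppAccess("mail", sso=True),
            AppAccess("legacy-erp", sso=False, revoked_at=t(29, 17, 40)),
            AppAccess("design-tool", sso=False),
            AppAccess("vpn", sso=False, revoked_at=t(29, 17, 35))]
    secrets = [SharedSecret("prod-db-admin", datetime(2026, 3, 1, tzinfo=UTC)),
               SharedSecret("team-api-key", t(29, 18, 0))]
    sessions = [Session("mail", t(30, 10, 12)), Session("legacy-erp", t(29, 16, 0))]
    return dep, apps, secrets, sessions


if __name__ == "__main__":
    for code, subject in verify(*sample()):
        print(f"{code:24} {subject}")
```
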

Automate IT Access Revocation with CheckFlow

CheckFlow's offboarding checklist ensures every access revocation step is documented, timestamped, and verified — creating the evidence trail that SOC 2, ISO 27001, and HIPAA auditors require.


HR Offboarding Checklist

1. Process the formal resignation or issue termination documentation

For resignations: confirm receipt in writing, specifying the agreed final date. For terminations: prepare the termination letter specifying the departure date, reason (in jurisdictions where required), and any severance arrangement. Have the documentation reviewed by legal counsel before delivery, particularly for involuntary terminations involving employees over 40 or those with employment contracts. The documentation creates the formal record of the departure date — which triggers COBRA notification deadlines, final pay obligations, and benefits termination.

2. Calculate and confirm final pay

Calculate final pay including: base pay through the final date, accrued and unused vacation or PTO (whether paid out depends on jurisdiction and company policy — review both), any commission or bonus earned but not yet paid (review plan documents for the applicable terms), and any severance package if applicable. In California, final pay for involuntary terminations is due on the day of termination. In most other US states, it is due on the next regular payday or within a statutory maximum (typically 30 days). Confirm the applicable deadline and process accordingly — a missed final pay deadline generates waiting time penalties in many jurisdictions.

3. Administer benefits termination and COBRA notification

Most employer-sponsored benefits (health, dental, vision) end on the last day of employment or the last day of the month in which employment ends, depending on plan design. COBRA notification must be sent to the employee and covered dependents within 44 days of the qualifying event. The COBRA notice must include the right to elect continuation coverage, the election period (60 days), the applicable premium amounts, and the premium due date. Failure to provide timely COBRA notification creates penalties of $110 per day per qualified beneficiary. See the COBRA and Benefits Administration section for the full timeline and penalty detail.

4. Conduct the exit interview

Schedule the exit interview before the final day — not on the last day itself, when logistics and emotions compete for attention. Use a structured format. Treat exit interview data as business intelligence: track themes over time and share aggregated findings with senior leadership quarterly. See the Exit Interview Best Practices section below for the full framework.

5. Complete HR records and update systems

Update the HRIS to reflect the departure date, departure type, and re-hire eligibility. Archive the employment record per the applicable retention policy — commonly 3–7 years after departure, depending on jurisdiction and the documents involved. Notify payroll, benefits, and any other HR systems that are not automatically integrated with the HRIS. Remove the former employee from any active performance cycles, compensation reviews, or succession planning tools that are managed outside the HRIS.

Legal and Compliance Checklist

1. Remind the employee of post-employment obligations

Confirm in writing that the employee understands their continuing obligations: non-disclosure agreement terms and duration, return of confidential information, any non-solicitation provisions (clients, employees), and any non-compete provisions where enforceable. Have the employee sign an acknowledgement. This is particularly important for employees in product development, sales, or customer-facing roles who may have access to trade secrets or customer relationships. The written acknowledgement becomes part of the employment record.

2. Review and execute release agreements where applicable

For involuntary terminations involving severance, a release of claims is typically required in exchange for the severance payment. For employees over 40, the OWBPA requires at least 21 days to consider the agreement, written advice to consult an attorney, and 7 days after signing during which the employee may revoke. Prepare the release with legal counsel review. Do not request a same-day signature from an employee over 40 on a release — it voids the waiver of age discrimination claims and exposes the organisation to ADEA liability.

3. Confirm data handling for employee personal data

Under GDPR (EU employees) and similar privacy laws, document what personal data the organisation holds for the former employee, the legal basis for retention, and the retention schedule. Delete data that is no longer needed and no longer has a legal basis for retention. Issue a data access or deletion notice response if the former employee submits a subject access request. This step is part of a well-structured compliance programme for any organisation handling personal data at scale.

4. Check for pending litigation holds

Before archiving or deleting any employee data, confirm with legal counsel whether any litigation hold applies to this employee's data. Deleting data subject to a litigation hold — even inadvertently — is a serious legal risk that can result in sanctions, adverse inference instructions, or spoliation findings. A simple pre-deletion confirmation step in the offboarding checklist prevents this entirely.

Knowledge Transfer Checklist

1. Document ongoing projects and responsibilities

Have the departing employee document all active projects: current status, key stakeholders, next steps, blockers, and outstanding commitments. The documentation should be specific enough for a successor to pick up immediately — not a high-level summary. For involuntary terminations where a notice period is not possible, the manager must reconstruct this documentation from project tools, email, and conversations with the departing employee's collaborators in the 48 hours following the departure. The gap between what an employee knows and what is written down is almost always larger than managers expect until the employee is gone.

2. Transfer client, vendor, and partner relationships

Identify all external relationships — clients, vendors, partners — the departing employee owns or manages. Introduce the successor or interim contact via email before the last day. For key client relationships, a senior stakeholder should participate in the introduction to signal continuity. Notify the client's primary contact of the change before the departure — being notified after the fact, by the client calling a disconnected number or sending email to an inactive inbox, is a relationship risk that is entirely preventable with a single proactive communication.

3. Transfer system credentials and configuration knowledge

Any system-specific knowledge that exists only in the departing employee's head — configuration decisions, undocumented workarounds, system admin credentials that haven't been rotated — must be extracted and documented before departure. This is most critical for IT, engineering, and operations roles. Use the exit interview period to conduct a structured knowledge-dump session for high-risk roles. An employee who has been the sole administrator of a production system for three years carries institutional knowledge that cannot be recovered from documentation if it was never written down.

4. Reassign tasks, tickets, and scheduled items

Review and reassign all open tickets, tasks, scheduled reports, recurring calendar items, and automated processes owned by the departing employee. An automation job running under a departing employee's service account will break the moment their credentials are revoked — find and reassign these before the departure date. Check the project management tool, ticketing system, CRM, and any scheduled reporting tools for items assigned to the departing employee that need to be transitioned before the final day.

Asset Recovery Checklist

1. Retrieve company-issued hardware

On or before the final day: laptop, monitor, docking station, peripherals, mobile phone, tablet, and any specialised equipment. Provide a prepaid shipping label for remote employees — do not ask remote employees to ship at their own expense or to arrange their own courier. Set a clear return deadline (typically 5–7 business days post-departure for remote employees). Update the asset inventory immediately upon receipt. Do not reallocate hardware before confirming it has been wiped.

2. Physical access items and credentials

Retrieve: building access badge, physical keys, parking passes, employee ID cards, and any physical security tokens (YubiKeys, RSA tokens). Update building access control systems immediately — the badge deactivation should happen simultaneously with or before IT access revocation for in-office employees. A deactivated network account paired with an active building badge is still a physical access risk.

3. Corporate credit cards and purchasing accounts

Cancel or freeze the departing employee's corporate credit card on the last day. Review and reconcile the last 30 days of expenses before closing the account — catch any outstanding reimbursements owed to the employee, and identify any personal charges on the corporate card that require recovery. Notify the provider of any subscription or recurring charge that was billed to the employee's corporate card — these are frequently missed and continue billing against a cancelled card, generating failed payment issues and service disruptions.

4. Uniforms, branded materials, and specialised equipment

Retrieve any organisation-issued uniforms, branded merchandise, or specialised tools. For roles with specialised equipment — medical devices, construction tools, laboratory equipment, camera or AV gear — conduct a formal inventory check on or before the final day. Specialised equipment is both high-value and often difficult to replace quickly, making timely recovery on departure day important rather than optional.

Offboarding Contractors and Vendors

Contractor offboarding is frequently less structured than employee offboarding — and the security gap is proportionally larger. Contractors often retain access after their engagement ends because there is no termination event in the HRIS to trigger the standard offboarding process. They may have been provisioned directly in individual applications rather than via the central IdP. Their departure may not have a formal final date — the engagement simply stops being active, and nobody updates the access inventory.

The contractor-specific steps that the standard employee offboarding checklist does not automatically cover: identify all applications and systems the contractor was granted direct access to (not via IdP SSO, which is the normal path for employees). Revoke each independently. Review and rotate any credentials or API keys the contractor generated or used during the engagement. Confirm that any data, code, or deliverables created during the engagement have been appropriately transferred to the organisation. Ensure the contractor's BAA — if applicable for healthcare contractors handling PHI — captures the data return and destruction obligations. Confirm that any NDA and IP assignment provisions in the contractor agreement have been fulfilled before closing out the engagement.

For contractors, access revocation should occur at contract end date — not after a grace period. A contractor whose engagement ended two weeks ago and who still has active access is a security and compliance risk regardless of the original trust level. Build the offboarding trigger into the contractor engagement lifecycle: when a contract end date is set, a contractor offboarding checklist should be scheduled to launch automatically one week before that date.

Offboarding Employees with Privileged Access

Employees with privileged access are those who hold system administrator credentials, infrastructure access (cloud platforms, network equipment, servers), database admin rights, source code repository admin or direct production deployment access, financial system admin, or HR and people data admin. In most organisations, 5–15% of employees have some form of privileged access — but a departing privileged user represents a disproportionate security risk that requires additional steps beyond standard access revocation.

Before the departure: audit all privileged accounts the employee holds — check the IdP for group memberships, the cloud platform for IAM roles, and the infrastructure for any local admin accounts that exist outside the directory. Identify all shared credentials and service accounts the employee has access to. Review the audit logs from the final 30 days for any privileged actions that require investigation before the employee leaves.

On the day of departure: revoke privileged access simultaneously with or before general access revocation. Rotate every shared credential and API key the employee had access to — the full audit from the pre-departure step is the input list for this rotation. Do not allow a privileged user's general access to expire while their privileged access remains active; the sequence must be simultaneous or privileged-first.

After departure: verify privileged access revocation in each system independently. IdP group removal does not guarantee revocation in systems with local admin accounts — each privileged system must be checked independently. Confirm that scheduled tasks, automation jobs, and infrastructure-as-code pipelines do not reference the departed employee's credentials. Reassign CI/CD pipelines, monitoring alert escalations, and auto-scaling configurations that were configured under the employee's account. A pipeline that references a revoked credential will fail silently at the next scheduled run — find these before they fail in production.
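One way to run the post-departure check for scheduled tasks and pipelines that still reference the departed employee, as an added example that is not from the original guide. The file names, contents and identifiers (jdoe, jdoe@example.com, key-EXAMPLE-0001) are constructed, and `#` comment stripping is a simplification that suits crontab and simple YAML.

```python
import re
from typing import Dict, Iterable, List, Tuple

CRON_FIELD = re.compile(r"^[\d*/,\-]+$")  # one schedule field of a crontab entry


def build_matcher(identifiers: Iterable[str]) -> re.Pattern:
    # Longest first so "jdoe@example.com" wins over "jdoe"; the boundaries stop
    # "jdoe" from matching inside "jdoe2" or "ajdoe".
    alts = "|".join(re.escape(i) for i in sorted(identifiers, key=len, reverse=True))
    return re.compile(rf"(?<![A-Za-z0-9_-])(?:{alts})(?![A-Za-z0-9_-])", re.IGNORECASE)


def scan(identifiers: List[str], sources: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Return (source, line_no, kind, matched_text) for every live reference."""
    matcher = build_matcher(identifiers)
    wanted = {i.lower() for i in identifiers}
    hits = []
    for name, text in sources.items():
        for no, raw in enumerate(text.splitlines(), 1):
            line = raw.split("#", 1)[0].strip()  # ignore comments
            if not line:
                continue
            fields = line.split()
            # System crontab format (/etc/crontab, /etc/cron.d):
            # five schedule fields, then the user the job runs as, then the command.
            if len(fields) >= 7 and all(CRON_FIELD.match(f) for f in fields[:5]):
                if fields[5].lower() in wanted:
                    hits.append((name, no, "runs-as", fields[5]))
                line = " ".join(fields[6:])  # scan only the command for references
            for m in matcher.finditer(line):
                hits.append((name, no, "reference", m.group(0)))
    return hits


# Constructed sample inputs: a cron.d file, a pipeline definition, an alert route.
SOURCES = {
    "/etc/cron.d/reports": (
        "# weekly export, set up by jdoe\n"
        "30 2 * * 1 jdoe /opt/reports/export.sh\n"
        "0 4 * * * root /usr/local/bin/backup --key /home/jdoe/.ssh/backup_key\n"
    ),
    "ci/deploy.yml": (
        "deploy:\n"
        "  run_as: jdoe2\n"
        "  ssh_key: /home/jdoe/.ssh/deploy_ed25519\n"
        "  token_id: key-EXAMPLE-0001\n"
    ),
    "alerts/escalation.yml": "oncall:\n  - JDoe@example.com\n  - ops@example.com\n",
}
IDENTIFIERS = ["jdoe", "jdoe@example.com", "key-EXAMPLE-0001"]

if __name__ == "__main__":
    for source, line_no, kind, text in scan(IDENTIFIERS, SOURCES):
        print(f"{source}:{line_no}: {kind}: {text}")
```

Each hit is an item to reassign to a service identity or a successor; the `jdoe2` line is deliberately not reported because it belongs to a different account.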

COBRA and Benefits Administration

COBRA (Consolidated Omnibus Budget Reconciliation Act) gives employees and their covered dependents the right to continue group health coverage for up to 18 months following a qualifying event — including termination of employment and reduction in hours. The employer, or a third-party COBRA administrator, is responsible for sending the required election notice within the statutory window.

The COBRA timeline has two segments. The qualifying event must be reported to the health plan within 30 days. The health plan then has 14 days to send the COBRA election notice to the qualified beneficiary — for a total maximum window of 44 days from the qualifying event to the election notice. The qualified beneficiary then has 60 days to elect COBRA coverage. The COBRA election notice must include the right to elect continuation coverage, the election period, the applicable premium amounts (which may be up to 102% of the full premium), and the premium due date.

The penalty for missing the 44-day window is $110 per day per qualified beneficiary. For a terminated employee with a spouse and one dependent child — three beneficiaries — a 30-day delay in sending the notice generates $9,900 in penalties. This is not a theoretical exposure: COBRA notification failures are one of the most common HR compliance violations, and they are almost always caused by process failure rather than deliberate non-compliance. Automate COBRA notification triggering from the HRIS — the qualifying event should automatically create a task with a hard deadline that prevents the window from being missed.

Other benefits that require attention on departure: FSA and HSA balances — determine what happens to remaining funds per plan documents, as this varies significantly between plan types. Life insurance and disability — confirm that conversion rights are communicated to the departing employee within the required timeframe. Retirement plan — provide information on rollover options, distribution rules, and vesting status. Stock options and equity — confirm the vesting cutoff date, the post-departure exercise window (which varies dramatically between plans and can be as short as 90 days), and any clawback provisions per the equity plan document. The equity exercise window in particular is frequently not communicated clearly on departure, creating avoidable disputes with former employees.

Exit Interview Best Practices

An exit interview conducted well is a source of genuine organisational feedback — the departing employee has context that current employees rarely share. They have nothing to lose by being honest, and the information they provide about management quality, team dynamics, workload, compensation competitiveness, and career development gaps is the kind of feedback that rarely surfaces in engagement surveys. An exit interview conducted poorly — or not at all — wastes the last opportunity to understand why people leave.

Conduct the interview 1–3 days before the final day, not on the last day itself. The last day is consumed by logistics, equipment returns, farewell conversations, and emotional closure — it is not conducive to a thoughtful conversation about organisational feedback. Use a neutral interviewer: HR or a skip-level manager is better than the direct manager, who the employee may be leaving specifically because of. A departing employee who had a difficult relationship with their manager will not be candid in an interview conducted by that manager.

Use a structured format with consistent questions: reasons for leaving, what the organisation could have done differently to retain them, what aspects of the role were most and least satisfying, what they would change about the team or processes, and whether they would recommend the organisation as an employer. Consistent questions across all exit interviews make the responses comparable and aggregatable — the goal is patterns, not individual anecdotes.

Treat exit interview responses as data, not as individual feedback to act on immediately. Categorise reasons for departure — compensation, management, career growth, workload, culture — and track trends over time by department, tenure, and role level. Share aggregated findings with senior leadership quarterly. Individual responses should be treated as confidential. The value is in identifying systemic patterns: if 60% of departures in a department over a 12-month period cite the same manager as a factor, that is actionable data. If one departing employee mentions it once, it is anecdote.

Common Offboarding Failures (and How to Avoid Them)

Failure 1: IT access revocation is incomplete. The IdP account is disabled, but 12 applications that authenticate independently remain active. This is the most dangerous failure mode — and the most common, given the average 29 SaaS applications per employee. Fix: maintain an accurate, role-based application access inventory. The offboarding checklist explicitly lists every application with access to revoke, not just "disable the IdP account." Generic instructions produce generic coverage; specific application lists produce complete coverage.

Failure 2: Shared credentials are not rotated. The former employee's personal account is disabled, but they have the shared admin password for the production database memorised. Fix: audit shared credentials access for every departing employee and rotate all of them — not just the ones IT staff remember they used frequently. The audit must be comprehensive; selective rotation based on memory is not a control.

Failure 3: COBRA notification is late. HR is occupied with the departure logistics and the COBRA notice goes out on day 45 instead of day 44. The penalty starts accumulating immediately. Fix: automate COBRA notification triggering from the HRIS. The qualifying event should automatically create a task with a hard deadline — not a reminder to someone's calendar that can be missed or rescheduled.

Failure 4: Knowledge transfer is skipped for involuntary departures. The manager assumes that because the termination was involuntary, there's nothing to document. Three weeks later, a client calls about an active project that nobody knows the status of. Fix: for involuntary departures, the manager must own the knowledge reconstruction process — reviewing project tools, email history, and client accounts in the 48 hours following the departure. The documentation gap is the manager's responsibility once the employee is gone.

Failure 5: Offboarding contractors is treated as optional. Contractors are provisioned in individual systems without an IdP account, so there's no "disable account" trigger. Their access lives in eight separate applications and is never reviewed. Fix: include contractors in the same application access inventory as employees. Offboarding the contractor means revoking each application access independently — and that list only exists if contractor access was tracked at provisioning time.

Failure 6: No 30-day post-departure access audit. Access revocation is marked complete on the final day, but no one checks whether the revocation actually worked, or whether any access was added between the notice date and the departure. Fix: schedule a 24-hour verification check for IT access revocation confirmation, and a 30-day audit for any previously privileged users. The verification step is what turns "we think we revoked it" into "we confirmed we revoked it."

Failure 7: Exit interview is skipped or conducted by the wrong person. The direct manager conducts the exit interview, the departing employee is diplomatically vague, and the organisation learns nothing. Fix: route exit interviews to HR or a neutral third party. Use a structured question format. Review aggregated results quarterly — and do something with the data, or the exercise quickly becomes known as performative rather than genuine.

Failure 8: No documented completion record. The offboarding happened, but there's no evidence that each step was completed, by whom, and when. A compliance audit or litigation discovery request surfaces the gap. Fix: run offboarding as a tracked checklist — every step has a completion record with a timestamp and the responsible person's name. The completion record is the compliance evidence; without it, the process might as well not have happened from an audit perspective.


Free HR Offboarding Templates

CheckFlow's Employee Offboarding Template follows the structure in this guide — IT access revocation, HR documentation, asset recovery, and benefits administration — with task assignment, completion tracking, and timestamped records for each departure. Adapt it for voluntary, involuntary, and contractor offboarding.

Frequently Asked Questions

A complete employee offboarding checklist covers five categories: IT (immediate account deactivation, access revocation across all systems, device retrieval, data preservation), HR (final pay processing, benefits termination and COBRA notification, separation documentation, reference policy), legal and compliance (IP and confidentiality agreement reminders, non-compete review, employment records retention), knowledge transfer (documentation of ongoing projects, handover to successor or team, customer/vendor contact transition), and people (exit interview, equipment return logistics, farewell communication). The specific tasks within each category depend on departure type (voluntary vs. involuntary), the employee's role and system access level, and jurisdiction-specific legal requirements. A best-practice offboarding checklist is structured, timestamped, and tracked to completion — not a mental checklist or an email thread.

For involuntary terminations, IT access should be revoked at the moment the employee is notified — simultaneously with the notification if possible, and no later than end of business on the same day. For voluntary departures with a notice period, access revocation should be staged: general corporate access remains active during the notice period, but access to sensitive systems (financial systems, customer data, privileged infrastructure access) should be reviewed and scoped down at the start of the notice period, with complete revocation on the final day. The Ponemon Institute found that 59% of organisations surveyed had experienced a data breach caused by a former employee — and Wing Security found that 63% of ex-employees retained active access to data after their departure. Immediate access revocation on the last day, verified and documented, is the security minimum standard.

Legal requirements for offboarding vary by jurisdiction and departure type. In the US, COBRA notification must be sent within 44 days of the loss of health coverage. The WARN Act requires 60 days' advance written notice for mass layoffs (100+ employees) or plant closings. OWBPA (Older Workers Benefit Protection Act) governs release agreements for employees over 40 — they must have at least 21 days to consider the agreement and 7 days to revoke it after signing. Final paycheck timing varies by state: California requires same-day payment for involuntary terminations; other states allow up to 30 days. ERISA governs pension plan notification requirements. Outside the US, requirements vary significantly — the UK requires statutory redundancy pay after 2 years' service, and GDPR governs the handling of employee personal data during and after employment.

Employees with privileged access (admin credentials, infrastructure access, source code repository admin, cloud platform admin) require additional offboarding steps beyond standard access revocation. Before revocation: audit the employee's admin access to identify all privileged accounts they hold, rotate any shared credentials they had access to (shared admin passwords, API keys, service account credentials), and review recent privileged activity for anything that requires investigation. On the final day: revoke all privileged access simultaneously with general access — do not allow a privileged user's general access to expire while their privileged access remains active. After revocation: verify revocation in each privileged system independently, review and re-approve any automation or scheduled tasks running under their credentials, and change any API keys or service account credentials associated with their identity.
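The shared-credential audit described here and under Failure 2, as an added example that is not the guide's or CheckFlow's own code: it resolves access through nested groups and lists every shared secret the departing person could read that has not been rotated since the departure. The secret inventory format, the `grp:` prefix and all sample data are assumptions constructed for illustration.

```python
from datetime import datetime

# Constructed sample data. Group members are people or other groups (prefixed "grp:").
GROUPS = {
    "grp:dba": {"a.khan", "grp:oncall"},
    "grp:oncall": {"j.doe", "grp:dba"},  # deliberate cycle: nesting loops do occur
    "grp:finance": {"m.lee"},
}
SHARED_SECRETS = [
    {"name": "prod-db-admin", "readers": {"grp:dba"}, "last_rotated": "2026-02-01T09:00:00"},
    {"name": "ci-deploy-key", "readers": {"j.doe"}, "last_rotated": "2026-05-30T10:00:00"},
    {"name": "bank-portal", "readers": {"grp:finance"}, "last_rotated": "2025-12-01T09:00:00"},
    {"name": "status-page-api", "readers": {"grp:oncall"}, "last_rotated": "2026-05-29T08:00:00"},
]


def groups_of(person, groups):
    """All groups the person belongs to, directly or through nested groups."""
    found, frontier = set(), {person}
    while frontier:
        member = frontier.pop()
        for name, members in groups.items():
            if member in members and name not in found:  # 'found' also breaks cycles
                found.add(name)
                frontier.add(name)
    return found


def rotation_worklist(person, departed_at, secrets, groups):
    """Secrets the person could read that have not been rotated since they left."""
    identities = {person} | groups_of(person, groups)
    cutoff = datetime.fromisoformat(departed_at)
    due = []
    for s in secrets:
        via = sorted(s["readers"] & identities)
        # A rotation before the departure leaves the memorised value valid.
        if via and datetime.fromisoformat(s["last_rotated"]) < cutoff:
            due.append({"secret": s["name"], "access_via": via})
    return due


if __name__ == "__main__":
    for item in rotation_worklist("j.doe", "2026-05-29T17:00:00", SHARED_SECRETS, GROUPS):
        print(item)
```

Take the group snapshot before the person's memberships are removed; once they are removed, the indirect access paths no longer appear in the data.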

Voluntary offboarding (resignation) involves an employee who is leaving on their own initiative, typically with a notice period. This allows time for knowledge transfer, gradual handover, and staged access review. The primary risks are data exfiltration during the notice period and incomplete knowledge transfer. Involuntary offboarding (termination, layoff) is initiated by the employer and typically involves immediate separation. The primary risks are access revocation latency (systems that aren't immediately locked) and legal exposure from improper handling of the termination. Involuntary offboarding requires stricter immediate action on IT access, more careful adherence to legal notice and payment requirements, and more detailed documentation of the process. The offboarding checklist should branch based on departure type — the same checklist should not be used for both without conditional sections.
