IT offboarding documentation should show what access was removed, what data was preserved, what equipment was recovered, and who verified completion.
Why Offboarding Documentation Matters
Employee departures create immediate security, operational, legal, and equipment-management requirements. A verbal request or simple account disablement does not prove that every application, device, session, delegation, license, and data responsibility was addressed.
A complete offboarding record protects the organization and supports later questions about mailbox access, file ownership, returned equipment, administrator changes, and retained information.
Begin With an Approved Offboarding Notice
The notice should identify the employee, manager, department, employment type, final working date, access-removal time, departure type, device location, and special instructions.
Record who approved the timing. Immediate termination, planned resignation, retirement, contractor completion, and extended leave may require different actions.
Identify Every Account
Use the systems inventory, single sign-on platform, password manager, license records, department application list, and manager review to identify accounts.
- Email and productivity platform
- Business applications
- Financial and payroll systems
- Remote access
- Password manager
- Social-media and website accounts
- Vendor portals
- Phone and communication systems
- Building and physical-access systems
- Local device accounts
Do not rely only on the primary directory
Applications purchased by departments or managed by vendors may not be connected to central identity systems.
Document Access-Removal Timing
Record the exact time access should be disabled and who is responsible. Coordinate with human resources and the manager so the action matches the employment decision.
For a planned transition, some access may remain active while ownership is transferred. For a high-risk or immediate departure, access may need to be removed before the employee is notified.
Disable or Remove Accounts
Record the action taken for each system: disabled, suspended, deleted, archived, converted, transferred, or left temporarily active with approval.
Do not delete accounts until retention, data transfer, legal, audit, and application requirements have been reviewed.
Revoke Sessions and Authentication Methods
Disabling an account may not immediately end every active session. Document session revocation, token removal, password reset, multifactor authentication method removal, security-key recovery, application-password removal, and connected application review.
Record the completion time and administrator who performed the action.
Remove Administrator and Privileged Access
Review cloud administrator roles, local administrator rights, application administration, domain and website access, firewall and network administration, backup administration, password-vault access, and vendor portals.
Update emergency contacts and shared administrative records so the former employee is not still listed as the owner or recovery contact.
Administrator access requires separate verification
Confirm the actual privileged-role list after removal rather than assuming that disabling one primary account removed every administrative identity.
Review Delegated and Shared Access
Document shared mailbox delegation, calendar access, shared drives, SharePoint sites, Teams, Google Groups, phone queues, distribution groups, security groups, and application roles.
Remove the employee and identify any resources the employee owned or managed.
Transfer Email and Calendar Responsibilities
Record mailbox disposition, forwarding or delegation approval, automatic replies, retention, manager access, calendar ownership, and communication to customers or vendors.
Forwarding should have an owner, business purpose, review date, and expiration. Do not leave permanent forwarding active without review.
Transfer Files and Document Ownership
Identify files stored in personal cloud drives, local devices, shared locations, and line-of-business applications. Record the approved recipient and transfer method.
Do not assume that files in a personal workspace automatically remain discoverable or accessible after deletion of the account.
Transfer Application and Workflow Ownership
Record ownership changes for forms, automations, dashboards, reports, integrations, service accounts, shared calendars, websites, marketing platforms, and vendor relationships.
Test critical workflows after ownership changes. Some automations stop when the original owner is disabled or loses a license.
Recover Licenses and Subscriptions
Record each license removed, reassigned, retained temporarily, or canceled. Include mobile service, software subscriptions, project tools, security products, and vendor-managed licenses.
Confirm the effect of license removal on data and retention before making the change.
Identify and Recover Equipment
Use the asset inventory to create the return list. Record:
- Laptop, desktop, phone, or tablet
- Serial number and asset tag
- Monitor, dock, charger, headset, and accessories
- Security keys, badges, and physical keys
- Condition
- Return date and recipient
- Shipping tracking for remote returns
- Missing or damaged items
Secure Returned Devices
Document receipt, condition, storage location, account restrictions, and whether the device requires investigation or data preservation.
Do not wipe the device before business data, legal holds, security incidents, and investigative needs are reviewed.
Preserve Business Data
Record what data was preserved, where it was stored, who approved the transfer, retention period, and access restrictions.
When a departure is connected to an investigation, dispute, or security incident, obtain appropriate legal and incident-response guidance.
Update Directories and Contact Information
Remove or update the employee in directories, websites, organizational charts, contact pages, call routing, emergency lists, vendor contacts, distribution lists, and documentation ownership.
Review public-facing information so customers and partners are not directed to an inactive person.
Update Vendor and Contract Records
Remove the employee as an authorized contact, billing contact, administrator, contract owner, or support requester. Add the replacement owner and verify that renewal notices will reach an active employee.
Document Final Verification
Use system reports, exports, role lists, device records, and tests to verify completion. The person who performs the offboarding can complete the checklist, while a manager or second reviewer verifies high-risk access.
Record unresolved items and obtain approval for temporary exceptions.
Retain Evidence Appropriately
Keep approvals, completion records, device receipts, access reports, data-transfer records, and exception decisions according to the organization’s retention and privacy requirements.
Restrict the offboarding record because it may contain employment and security information.
Conduct a Post-Offboarding Review
For privileged employees, contractors with broad access, or complex departures, review sign-in activity, forwarding, application tokens, service accounts, vendor access, and ownership changes after the initial offboarding.
Use lessons learned to improve the role inventory and procedure.
Offboarding Documentation Checklist
- Receive the approved departure notice and timing.
- Identify all accounts, roles, applications, and devices.
- Disable or remove access at the approved time.
- Revoke sessions, tokens, and authentication methods.
- Remove administrator and delegated access.
- Transfer email, files, workflows, and ownership.
- Recover licenses and subscriptions.
- Recover, inspect, and secure equipment.
- Preserve required business data.
- Update directories, vendors, and documentation owners.
- Verify completion with evidence.
- Record exceptions and post-offboarding review.
Frequently Asked Questions
Is disabling the main account enough?
No. Review sessions, tokens, local accounts, applications, vendor portals, administrator roles, devices, shared access, data, and licenses.
When should an account be deleted?
Only after retention, transfer, legal, security, application, and recovery requirements have been reviewed and approved.
Who verifies offboarding?
The technical owner should verify system completion, while the manager, human-resources owner, or security owner confirms business and risk requirements.
When Professional Support Helps
Professional support can build the system inventory, create the offboarding workflow, identify hidden access, document evidence requirements, and coordinate account, data, license, and equipment actions.
Need help applying this?
Build clear, reliable IT documentation.
J3 Systems Group LLC can inventory systems, document procedures, organize technical records, and establish a sustainable review process.