(678) 534-8776

121 Perimeter Center West, Suite 251, Atlanta, GA 30346

Office manager reviewing an IT offboarding checklist for a departing employee

IT Offboarding Checklist for Small Businesses

“`html

IT Offboarding Checklist for Small Businesses

An IT offboarding checklist helps a small business remove a departing employee’s access, recover company devices, protect business data, and document every completed step.

For office managers, offboarding can become stressful when accounts, laptops, cloud apps, shared files, and passwords are managed in different places. Missing one system may leave the former employee with access to email, customer records, financial tools, or internal documents.

A clear process helps Atlanta businesses complete each departure in a consistent way. It also gives human resources, managers, and IT support teams a shared record of what was removed, returned, transferred, and secured.

IT offboarding is the process of removing a departing employee’s technology access, securing company information, transferring business files, and collecting or remotely protecting company devices.

What should an IT offboarding checklist include?

A complete checklist should cover every account, device, application, file, password, and access method connected to the employee. It should also identify who is responsible for each task and when it must be completed.

Most small businesses should include the following items:

  • Confirm the employee’s final working date and time.
  • Create a list of accounts, applications, and systems the employee can access.
  • Transfer important email, files, contacts, and business records.
  • Disable account sign-ins and active sessions.
  • Remove the employee from shared groups, applications, and password tools.
  • Collect company laptops, phones, access cards, and other equipment.
  • Secure or remotely manage devices that cannot be returned immediately.
  • Document every action and the person who completed it.

The exact process depends on the employee’s role. A receptionist may have access to email, scheduling, and phone systems. A finance employee may also use banking portals, accounting software, payroll systems, and sensitive financial folders.

When should employee IT offboarding begin?

IT offboarding should begin as soon as the departure is approved, even when the employee will continue working for several days. Early planning gives the business time to identify access, transfer data, and arrange the return of equipment.

The employee’s actual access should normally be removed according to the timing approved by management and human resources. For some departures, access may remain active through the final workday. For higher-risk or immediate departures, accounts may need to be disabled at a specific time.

Before the final day

Use the time before departure to prepare the account list, identify data that must be transferred, and confirm which devices need to be returned.

  • Confirm the departure schedule with management or human resources.
  • Review the employee’s role and technology access.
  • Identify a manager or replacement who should receive files and email.
  • Arrange device collection or return shipping.
  • Prepare any account changes that must happen at a specific time.

On the final day

Complete the time-sensitive steps that prevent continued access after employment ends.

  • Disable or suspend the primary work account.
  • Sign the user out of active cloud sessions.
  • Remove remote access and virtual private network permissions.
  • Recover company equipment and physical access items.
  • Change shared passwords the employee may know.

After the departure

Review the environment again after access has been removed. This final check can uncover licenses, shared folders, integrations, or application permissions that were missed.

  • Confirm that email and file transfers were completed.
  • Remove unused software licenses.
  • Review application ownership and automated workflows.
  • Prepare returned devices for the next employee.
  • Store the completed offboarding record.

How do you complete employee IT offboarding step by step?

The safest approach is to follow the same documented sequence for every employee. Each step should have an owner, a deadline, and a completion record.

1. Confirm the departure details

Start by confirming the employee’s name, department, manager, final day, final working time, and whether the departure is planned or immediate.

Office managers should avoid sending vague requests such as “remove access today.” IT needs a clear cutoff time and approval from the appropriate manager or human resources contact.

2. Build an inventory of accounts and permissions

List every system the employee used. Do not stop with the primary email account.

The account inventory may include:

  • Microsoft 365 or Google Workspace
  • Customer relationship management software
  • Accounting, payroll, or banking platforms
  • Cloud storage and file-sharing tools
  • Project management and communication apps
  • Industry-specific applications
  • Remote access and virtual private network tools
  • Phone, voicemail, and messaging systems
  • Website, social media, and marketing platforms
  • Password managers and shared credentials
  • Building access, alarm, and security systems

A common mistake is relying on memory. An employee who has worked for the company for several years may have access to tools that are no longer part of the standard onboarding list.

3. Decide who should receive business data

Before deleting or changing an account, identify the person responsible for the employee’s files, email, contacts, calendar events, and application records.

For example, an Atlanta law firm may need to transfer client documents and active case communications to another attorney or administrator. A construction company may need to move project files, vendor contacts, and job-site records to a project manager.

Data retention needs should be reviewed with management, legal counsel, or a compliance professional when required. IT should not make business or legal retention decisions without direction.

4. Disable sign-in access and active sessions

Disabling an account is an important first step, but the process may also need to end active sessions on computers, phones, browsers, and cloud applications.

Depending on the platform, IT may need to:

  • Block new sign-ins.
  • Revoke existing sessions and authentication tokens.
  • Reset the account password.
  • Remove registered multifactor authentication methods.
  • Remove personal phone numbers or recovery email addresses.
  • Disable remote desktop and virtual private network access.

These steps help prevent a saved browser session or connected mobile application from continuing to access company information.

5. Review forwarding, delegation, and shared mailboxes

Check whether the employee created automatic forwarding rules, mailbox delegates, shared inbox permissions, or application connections.

The business may also need a temporary automatic reply that directs customers and vendors to another employee. Any forwarding or mailbox access should have an approved owner and an end date.

6. Remove access to groups and business applications

Remove the employee from email groups, shared drives, project teams, security groups, distribution lists, and third-party applications.

Review applications that use the employee’s email address as the account owner. Ownership may need to be transferred before the license is removed. This is especially important for billing accounts, website tools, cloud services, and automated workflows.

7. Change shared passwords and access codes

Any password known by more than one person should be reviewed when an employee leaves. This may include vendor portals, office Wi-Fi, alarm codes, social media accounts, or shared administrative logins.

A business password manager can make this process easier by keeping credentials in controlled company vaults instead of spreadsheets, emails, or personal browser accounts.

8. Collect and secure company equipment

Collect every company-owned device and accessory assigned to the employee. Record the condition and return status of each item.

  • Laptop or desktop computer
  • Mobile phone or tablet
  • Chargers, docking stations, and monitors
  • Security keys and authentication tokens
  • External drives and removable media
  • Building badges, keys, and access cards
  • Company credit cards or payment devices

Returned computers should be reviewed by IT before being reassigned. Business files may need to be preserved, and the device should be securely prepared for the next user.

9. Recover software licenses and subscriptions

Remove licenses that are no longer needed or assign them to a replacement employee. This can help the business avoid paying for unused email accounts, phone extensions, cloud storage, security tools, and industry applications.

Do not remove a license before confirming that needed data has been transferred or preserved.

10. Document and verify the completed process

Record the date, time, responsible person, and status of each task. A second person should review the checklist for employees who had administrative, financial, or highly sensitive access.

The final record gives the business a clear answer when management asks whether access was removed, equipment was returned, or files were transferred.

How should a small business manage employee devices?

To manage employee devices correctly, the business should maintain an accurate inventory, assign each device to a user, apply security settings, and keep remote management controls in place throughout the device’s life.

This makes offboarding easier because IT can identify which laptop or phone belongs to the departing employee and take action when the device is not returned immediately.

For company-owned devices

Company-owned computers and phones should be enrolled in an endpoint or device management system when possible. This can help IT monitor device status, apply updates, enforce security settings, and protect business information.

When an employee leaves, the business may be able to lock the device, remove company access, or securely erase managed information, depending on the platform and previous configuration.

For personal devices used for work

Personal devices require a clear bring-your-own-device policy. The policy should explain what company information may be stored, which security controls are required, and what happens to business access when employment ends.

IT should remove company accounts, managed applications, certificates, and remote access without deleting the employee’s personal photos or files. The available options depend on how the device and applications were configured before offboarding.

For remote employees

Remote employees should receive clear return instructions, a shipping label, a list of assigned equipment, and a deadline. The business should track the shipment and keep management controls active until the device is received and reviewed.

Device management should begin when equipment is purchased, not when an employee announces a departure.

What are the most common IT offboarding mistakes?

Most offboarding mistakes happen because the process is informal, rushed, or divided between teams that do not share the same checklist.

Deleting an account too early

Deleting an account before transferring files or email can make business records harder to recover. Suspending access first may give the company time to review and preserve what it needs.

Only disabling the email account

Email is only one part of an employee’s access. The employee may still have active logins for cloud storage, accounting software, customer systems, websites, remote access tools, or shared passwords.

Forgetting mobile devices and saved sessions

Changing a password may not immediately close every active session. IT should review connected devices, authentication methods, and application sessions.

Leaving shared passwords unchanged

A former employee may still know shared credentials even after the personal account is disabled. Shared passwords and access codes should be changed or removed from the former employee’s password vault.

Failing to assign ownership

Files, scheduled reports, websites, vendor accounts, and automated workflows may stop working when the original owner is removed. Ownership should be transferred before the account is closed.

Keeping unused accounts active

Inactive accounts can create unnecessary costs and access risk. They may also make it harder for office managers to understand who still has permission to use company systems.

How can managed IT improve the offboarding process?

A managed IT provider can create a repeatable offboarding process, maintain device and account records, complete technical changes, and verify that access has been removed.

This gives office managers one place to submit the departure details instead of contacting several software vendors or trying to remember where each account is managed.

Depending on the business environment, offboarding support may include:

  • Microsoft 365 and Google Workspace administration
  • Endpoint and mobile device management
  • Account and software license removal
  • Email, file, and calendar transfers
  • Remote access and network permission changes
  • Line-of-business application support
  • Cybersecurity reviews for high-risk accounts
  • Device collection, preparation, and reassignment
  • Written IT policies and procedures

Proactive support also improves onboarding. When account ownership, device assignments, software licenses, and permissions are documented from the employee’s first day, they are easier to remove on the last day.

A reusable IT offboarding checklist for office managers

Office managers can use the following list as a starting point. It should be adjusted for the company’s applications, policies, departments, and risk profile.

Employee information

  • Employee name confirmed
  • Job title and department confirmed
  • Manager confirmed
  • Final date and access cutoff time confirmed
  • Planned or immediate departure identified

Accounts and access

  • Primary work account disabled
  • Active cloud sessions revoked
  • Multifactor authentication methods removed
  • Remote access disabled
  • Email groups and shared folders reviewed
  • Third-party applications disabled or reassigned
  • Shared passwords changed
  • Building and alarm access removed

Data and communication

  • Email transferred or preserved
  • Files transferred to the approved owner
  • Calendar events reassigned
  • Business contacts transferred
  • Automatic reply approved and configured
  • Forwarding reviewed and documented

Devices and equipment

  • Laptop or desktop returned
  • Phone or tablet returned
  • Chargers and accessories returned
  • Security keys and storage devices returned
  • Device condition recorded
  • Returned equipment reviewed by IT
  • Device prepared for storage or reassignment

Final verification

  • Unused licenses removed or reassigned
  • Application ownership transferred
  • Completed checklist reviewed
  • Management notified of completion
  • Offboarding record securely stored

Frequently asked questions about IT offboarding

Should a small business delete a former employee’s email account?

Not immediately. The business may need to preserve or transfer email, files, contacts, and calendar information before deleting the account. The right retention period depends on company policy and any legal or industry requirements.

How quickly should employee access be removed?

Access should be removed at the cutoff time approved by management and human resources. Immediate or higher-risk departures may require accounts and sessions to be disabled as soon as the employee is notified.

What happens if a remote employee does not return a laptop?

IT should keep management controls active and may be able to lock or protect the device remotely. Management should follow the company’s equipment return policy and seek appropriate legal guidance when needed.

Who should be responsible for employee offboarding?

Human resources or management should approve the departure details, while IT completes the technical tasks. Office managers often coordinate the checklist, device return, data ownership, and final confirmation.

Can an MSP manage employee devices and account removal?

Yes. An MSP can help maintain account and device records, disable access, transfer data, recover licenses, secure company equipment, and document each completed task.

Create a safer and more consistent departure process

A reliable offboarding process protects more than an employee’s email account. It helps the business control access to customer information, financial tools, shared files, internal systems, and company devices.

For office managers, the most important step is consistency. Use one checklist, assign clear responsibilities, record completion, and review the process whenever the company adds a new application or changes its device policy.

To learn more about how trueITpros can help your business with IT offboarding, contact us.



Related Content

To learn more about how trueITpros can help your company with Managed IT Services in Atlanta, contact us at www.trueitpros.com/contact

“`

Read More: