“`html
IT Offboarding Checklist for Small Businesses
An IT offboarding checklist helps a small business remove a departing employee’s access, recover company devices, protect business data, and document every completed step.
For office managers, offboarding can become stressful when accounts, laptops, cloud apps, shared files, and passwords are managed in different places. Missing one system may leave the former employee with access to email, customer records, financial tools, or internal documents.
A clear process helps Atlanta businesses complete each departure in a consistent way. It also gives human resources, managers, and IT support teams a shared record of what was removed, returned, transferred, and secured.
IT offboarding is the process of removing a departing employee’s technology access, securing company information, transferring business files, and collecting or remotely protecting company devices.
What should an IT offboarding checklist include?
A complete checklist should cover every account, device, application, file, password, and access method connected to the employee. It should also identify who is responsible for each task and when it must be completed.
Most small businesses should include the following items:
- Confirm the employee’s final working date and time.
- Create a list of accounts, applications, and systems the employee can access.
- Transfer important email, files, contacts, and business records.
- Disable account sign-ins and active sessions.
- Remove the employee from shared groups, applications, and password tools.
- Collect company laptops, phones, access cards, and other equipment.
- Secure or remotely manage devices that cannot be returned immediately.
- Document every action and the person who completed it.
The exact process depends on the employee’s role. A receptionist may have access to email, scheduling, and phone systems. A finance employee may also use banking portals, accounting software, payroll systems, and sensitive financial folders.
When should employee IT offboarding begin?
IT offboarding should begin as soon as the departure is approved, even when the employee will continue working for several days. Early planning gives the business time to identify access, transfer data, and arrange the return of equipment.
The employee’s actual access should normally be removed according to the timing approved by management and human resources. For some departures, access may remain active through the final workday. For higher-risk or immediate departures, accounts may need to be disabled at a specific time.
Before the final day
Use the time before departure to prepare the account list, identify data that must be transferred, and confirm which devices need to be returned.
- Confirm the departure schedule with management or human resources.
- Review the employee’s role and technology access.
- Identify a manager or replacement who should receive files and email.
- Arrange device collection or return shipping.
- Prepare any account changes that must happen at a specific time.
On the final day
Complete the time-sensitive steps that prevent continued access after employment ends.
- Disable or suspend the primary work account.
- Sign the user out of active cloud sessions.
- Remove remote access and virtual private network permissions.
- Recover company equipment and physical access items.
- Change shared passwords the employee may know.
After the departure
Review the environment again after access has been removed. This final check can uncover licenses, shared folders, integrations, or application permissions that were missed.
- Confirm that email and file transfers were completed.
- Remove unused software licenses.
- Review application ownership and automated workflows.
- Prepare returned devices for the next employee.
- Store the completed offboarding record.
How do you complete employee IT offboarding step by step?
The safest approach is to follow the same documented sequence for every employee. Each step should have an owner, a deadline, and a completion record.
1. Confirm the departure details
Start by confirming the employee’s name, department, manager, final day, final working time, and whether the departure is planned or immediate.
Office managers should avoid sending vague requests such as “remove access today.” IT needs a clear cutoff time and approval from the appropriate manager or human resources contact.
2. Build an inventory of accounts and permissions
List every system the employee used. Do not stop with the primary email account.
The account inventory may include:
- Microsoft 365 or Google Workspace
- Customer relationship management software
- Accounting, payroll, or banking platforms
- Cloud storage and file-sharing tools
- Project management and communication apps
- Industry-specific applications
- Remote access and virtual private network tools
- Phone, voicemail, and messaging systems
- Website, social media, and marketing platforms
- Password managers and shared credentials
- Building access, alarm, and security systems
A common mistake is relying on memory. An employee who has worked for the company for several years may have access to tools that are no longer part of the standard onboarding list.
3. Decide who should receive business data
Before deleting or changing an account, identify the person responsible for the employee’s files, email, contacts, calendar events, and application records.
For example, an Atlanta law firm may need to transfer client documents and active case communications to another attorney or administrator. A construction company may need to move project files, vendor contacts, and job-site records to a project manager.
Data retention needs should be reviewed with management, legal counsel, or a compliance professional when required. IT should not make business or legal retention decisions without direction.
4. Disable sign-in access and active sessions
Disabling an account is an important first step, but the process may also need to end active sessions on computers, phones, browsers, and cloud applications.
Depending on the platform, IT may need to:
- Block new sign-ins.
- Revoke existing sessions and authentication tokens.
- Reset the account password.
- Remove registered multifactor authentication methods.
- Remove personal phone numbers or recovery email addresses.
- Disable remote desktop and virtual private network access.
These steps help prevent a saved browser session or connected mobile application from continuing to access company information.
5. Review forwarding, delegation, and shared mailboxes
Check whether the employee created automatic forwarding rules, mailbox delegates, shared inbox permissions, or application connections.
The business may also need a temporary automatic reply that directs customers and vendors to another employee. Any forwarding or mailbox access should have an approved owner and an end date.
6. Remove access to groups and business applications
Remove the employee from email groups, shared drives, project teams, security groups, distribution lists, and third-party applications.
Review applications that use the employee’s email address as the account owner. Ownership may need to be transferred before the license is removed. This is especially important for billing accounts, website tools, cloud services, and automated workflows.
7. Change shared passwords and access codes
Any password known by more than one person should be reviewed when an employee leaves. This may include vendor portals, office Wi-Fi, alarm codes, social media accounts, or shared administrative logins.
A business password manager can make this process easier by keeping credentials in controlled company vaults instead of spreadsheets, emails, or personal browser accounts.
8. Collect and secure company equipment
Collect every company-owned device and accessory assigned to the employee. Record the condition and return status of each item.
- Laptop or desktop computer
- Mobile phone or tablet
- Chargers, docking stations, and monitors
- Security keys and authentication tokens
- External drives and removable media
- Building badges, keys, and access cards
- Company credit cards or payment devices
Returned computers should be reviewed by IT before being reassigned. Business files may need to be preserved, and the device should be securely prepared for the next user.
9. Recover software licenses and subscriptions
Remove licenses that are no longer needed or assign them to a replacement employee. This can help the business avoid paying for unused email accounts, phone extensions, cloud storage, security tools, and industry applications.
Do not remove a license before confirming that needed data has been transferred or preserved.
10. Document and verify the completed process
Record the date, time, responsible person, and status of each task. A second person should review the checklist for employees who had administrative, financial, or highly sensitive access.
The final record gives the business a clear answer when management asks whether access was removed, equipment was returned, or files were transferred.
How should a small business manage employee devices?
To manage employee devices correctly, the business should maintain an accurate inventory, assign each device to a user, apply security settings, and keep remote management controls in place throughout the device’s life.
This makes offboarding easier because IT can identify which laptop or phone belongs to the departing employee and take action when the device is not returned immediately.
For company-owned devices
Company-owned computers and phones should be enrolled in an endpoint or device management system when possible. This can help IT monitor device status, apply updates, enforce security settings, and protect business information.
When an employee leaves, the business may be able to lock the device, remove company access, or securely erase managed information, depending on the platform and previous configuration.
For personal devices used for work
Personal devices require a clear bring-your-own-device policy. The policy should explain what company information may be stored, which security controls are required, and what happens to business access when employment ends.
IT should remove company accounts, managed applications, certificates, and remote access without deleting the employee’s personal photos or files. The available options depend on how the device and applications were configured before offboarding.
For remote employees
Remote employees should receive clear return instructions, a shipping label, a list of assigned equipment, and a deadline. The business should track the shipment and keep management controls active until the device is received and reviewed.
Device management should begin when equipment is purchased, not when an employee announces a departure.
What are the most common IT offboarding mistakes?
Most offboarding mistakes happen because the process is informal, rushed, or divided between teams that do not share the same checklist.
Deleting an account too early
Deleting an account before transferring files or email can make business records harder to recover. Suspending access first may give the company time to review and preserve what it needs.
Only disabling the email account
Email is only one part of an employee’s access. The employee may still have active logins for cloud storage, accounting software, customer systems, websites, remote access tools, or shared passwords.
Forgetting mobile devices and saved sessions
Changing a password may not immediately close every active session. IT should review connected devices, authentication methods, and application sessions.
Leaving shared passwords unchanged
A former employee may still know shared credentials even after the personal account is disabled. Shared passwords and access codes should be changed or removed from the former employee’s password vault.
Failing to assign ownership
Files, scheduled reports, websites, vendor accounts, and automated workflows may stop working when the original owner is removed. Ownership should be transferred before the account is closed.
Keeping unused accounts active
Inactive accounts can create unnecessary costs and access risk. They may also make it harder for office managers to understand who still has permission to use company systems.
How can managed IT improve the offboarding process?
A managed IT provider can create a repeatable offboarding process, maintain device and account records, complete technical changes, and verify that access has been removed.
This gives office managers one place to submit the departure details instead of contacting several software vendors or trying to remember where each account is managed.
Depending on the business environment, offboarding support may include:
- Microsoft 365 and Google Workspace administration
- Endpoint and mobile device management
- Account and software license removal
- Email, file, and calendar transfers
- Remote access and network permission changes
- Line-of-business application support
- Cybersecurity reviews for high-risk accounts
- Device collection, preparation, and reassignment
- Written IT policies and procedures
Proactive support also improves onboarding. When account ownership, device assignments, software licenses, and permissions are documented from the employee’s first day, they are easier to remove on the last day.
A reusable IT offboarding checklist for office managers
Office managers can use the following list as a starting point. It should be adjusted for the company’s applications, policies, departments, and risk profile.
Employee information
- Employee name confirmed
- Job title and department confirmed
- Manager confirmed
- Final date and access cutoff time confirmed
- Planned or immediate departure identified
Accounts and access
- Primary work account disabled
- Active cloud sessions revoked
- Multifactor authentication methods removed
- Remote access disabled
- Email groups and shared folders reviewed
- Third-party applications disabled or reassigned
- Shared passwords changed
- Building and alarm access removed
Data and communication
- Email transferred or preserved
- Files transferred to the approved owner
- Calendar events reassigned
- Business contacts transferred
- Automatic reply approved and configured
- Forwarding reviewed and documented
Devices and equipment
- Laptop or desktop returned
- Phone or tablet returned
- Chargers and accessories returned
- Security keys and storage devices returned
- Device condition recorded
- Returned equipment reviewed by IT
- Device prepared for storage or reassignment
Final verification
- Unused licenses removed or reassigned
- Application ownership transferred
- Completed checklist reviewed
- Management notified of completion
- Offboarding record securely stored
Frequently asked questions about IT offboarding
Should a small business delete a former employee’s email account?
Not immediately. The business may need to preserve or transfer email, files, contacts, and calendar information before deleting the account. The right retention period depends on company policy and any legal or industry requirements.
How quickly should employee access be removed?
Access should be removed at the cutoff time approved by management and human resources. Immediate or higher-risk departures may require accounts and sessions to be disabled as soon as the employee is notified.
What happens if a remote employee does not return a laptop?
IT should keep management controls active and may be able to lock or protect the device remotely. Management should follow the company’s equipment return policy and seek appropriate legal guidance when needed.
Who should be responsible for employee offboarding?
Human resources or management should approve the departure details, while IT completes the technical tasks. Office managers often coordinate the checklist, device return, data ownership, and final confirmation.
Can an MSP manage employee devices and account removal?
Yes. An MSP can help maintain account and device records, disable access, transfer data, recover licenses, secure company equipment, and document each completed task.
Create a safer and more consistent departure process
A reliable offboarding process protects more than an employee’s email account. It helps the business control access to customer information, financial tools, shared files, internal systems, and company devices.
For office managers, the most important step is consistency. Use one checklist, assign clear responsibilities, record completion, and review the process whenever the company adds a new application or changes its device policy.
To learn more about how trueITpros can help your business with IT offboarding, contact us.
Related Content
- Why Email Security Matters for Atlanta SMBs
- What is a Managed IT Service Provider (MSP) & How Can It Help Your Business?
To learn more about how trueITpros can help your company with Managed IT Services in Atlanta, contact us at www.trueitpros.com/contact
“`



