The IT Offboarding Checklist Most SA Businesses Get Wrong
When someone resigns, most South African businesses focus on the handover, the exit interview and the leaving function. The IT side gets a quick "disable their email" and a thumbs up. That's where the trouble starts.
A former employee with active access to your client files, accounting system or shared mailbox is one of the biggest — and most overlooked — security risks your business carries. It doesn't matter whether they left on good terms or stormed out at month-end. If their accounts are still live a week later, you've got a problem you can't see.
Here's the practical offboarding checklist we wish more business owners and office managers had on file before they need it.
Why Offboarding Goes Wrong in the First Place
In most SMBs, IT offboarding gets handled by whoever has time — usually an office manager juggling payroll, the part-time IT person who only comes in on Tuesdays, or the staff member's direct manager guessing at passwords. Nobody owns the full picture.
The result is predictable:
- Email accounts stay active for weeks because nobody wants to lose the inbox.
- Microsoft 365 licences keep billing because nobody told finance.
- Shared drive access remains open because the person's name is on five folders.
- Personal devices still sync company data because BYOD was never properly set up.
- The ex-employee's WhatsApp Business number, MailChimp login or CIPC portal access never gets transferred.
Three months later, you discover a former staff member still has access to your Dropbox. Or worse, a competitor does — because the ex-employee shared the link before they left.
The Same-Day Checklist (Within 1 Hour of Last Day)
This is the non-negotiable list. Everything here should be done on the employee's final working day, ideally before they walk out the door.
Identity and access
- Disable (don't delete) their primary user account in Microsoft 365 or Google Workspace.
- Reset their password so any cached sessions can't be reused.
- Revoke active sessions across all devices — this forces an immediate sign-out from phones, laptops and browsers.
- Disable multi-factor authentication tokens linked to their personal phone.
- Remove them from any privileged or admin groups first, before disabling the standard user account.
- Convert their mailbox to a shared mailbox (in Microsoft 365 this frees the licence while preserving the inbox).
- Set up an auto-reply directing senders to the right colleague.
- Forward incoming mail to their manager for a defined handover period — usually 30 to 60 days.
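The Microsoft 365 steps above as one PowerShell script, run in the order the list implies (admin rights come off first). This is an added example, not a script from the original article. It assumes a cloud-only account, the Microsoft.Graph and ExchangeOnlineManagement modules, and an operator with sufficient admin roles; the parameter names, the PrivilegedGroups list and the addresses are placeholders.

```powershell
# Added example, not the article's own tooling. Placeholder addresses only.
param(
    [Parameter(Mandatory)] [string] $LeaverUpn,    # e.g. leaver@example.co.za
    [Parameter(Mandatory)] [string] $ManagerUpn,   # receives forwarded mail
    [string[]] $PrivilegedGroups = @(),            # group names you treat as admin (assumption)
    [int] $HandoverDays = 30                       # article suggests 30 to 60
)
$ErrorActionPreference = 'Stop'
$graph = 'https://graph.microsoft.com/v1.0'

# Scopes are an assumption; trim them to what your tenant's policy allows.
Connect-MgGraph -Scopes 'User.ReadWrite.All','Directory.AccessAsUser.All',
    'GroupMember.ReadWrite.All','RoleManagement.ReadWrite.Directory'
Connect-ExchangeOnline -ShowBanner:$false
$user = Get-MgUser -UserId $LeaverUpn

# 1. Privileged access first: every directory role, then the named admin groups.
foreach ($m in Get-MgUserMemberOf -UserId $user.Id -All) {
    $name    = $m.AdditionalProperties['displayName']
    $isRole  = $m.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole'
    $isGroup = $m.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' -and
               $name -in $PrivilegedGroups
    if (-not ($isRole -or $isGroup)) { continue }
    $kind = if ($isRole) { 'directoryRoles' } else { 'groups' }
    try {
        Invoke-MgGraphRequest -Method DELETE -Uri "$graph/$kind/$($m.Id)/members/$($user.Id)/`$ref"
        Write-Output "Removed from $kind '$name'"
    } catch {
        # Synced or dynamic groups cannot be edited here; record and fix at the source.
        Write-Warning "Could not remove from '$name': $($_.Exception.Message)"
    }
}

# 2. Block sign-in, 3. set a random password nobody knows, 4. revoke refresh tokens.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
$bytes = [byte[]]::new(24)
[Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$pw = [Convert]::ToBase64String($bytes) + 'aA1!'
Update-MgUser -UserId $user.Id -PasswordProfile @{ Password = $pw; ForceChangePasswordNextSignIn = $true }
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 5. Mailbox: convert to shared, forward to the manager, set an auto-reply.
$until = (Get-Date).AddDays($HandoverDays).ToString('yyyy-MM-dd')
$reply = "This mailbox is no longer monitored. Please contact $ManagerUpn."
Set-Mailbox -Identity $LeaverUpn -Type Shared
Set-Mailbox -Identity $LeaverUpn -ForwardingAddress $ManagerUpn -DeliverToMailboxAndForward $true
Set-MailboxAutoReplyConfiguration -Identity $LeaverUpn -AutoReplyState Enabled `
    -InternalMessage $reply -ExternalMessage $reply -ExternalAudience All
Write-Output "Done for $LeaverUpn. Remove mail forwarding on $until."
```

The script does not touch MFA methods or device wipe, which stay manual items on the checklist.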
Devices
- Collect the company laptop, phone and any access cards or tokens.
- If they used a personal device, remotely wipe company data using Intune or your mobile device management tool.
- Make sure the device is encrypted before it gets reissued to the next person.
If this sounds like a lot to coordinate manually, it is. This is exactly where proactive monitoring and a managed identity setup earn their keep — the checklist runs as a documented process, not a frantic scramble.
The Week-One Checklist
Some things you can't do on the last day because you need the person around to hand them over. Build a clear list with the employee in their final week:
- Document every system, portal and SaaS tool they log into. Yes, including the random ones — the courier portal, the SARS eFiling profile, the medical aid broker site, the design tool nobody else uses.
- Transfer ownership of shared documents, OneDrive files and Teams channels to a named successor.
- Reassign any automated workflows, Power Automate flows or scheduled reports they own.
- Update DNS, domain registrar and hosting account contact details if their email was listed.
- Change shared passwords for any system that doesn't support individual accounts (most businesses still have a few of these — banking tokens, that one legacy accounting login, the office alarm code).
A password manager makes this last point dramatically easier. If your team is still emailing passwords to each other or keeping them in a spreadsheet, that's a separate conversation worth having as part of broader cyber security services.
The Often-Missed List
These are the items that catch businesses out months after someone has left:
- Bank and payment platforms. FNB, Standard Bank, Nedbank and the payment gateways all need user removal — not just authoriser changes.
- SARS eFiling and CIPC. Practitioner access carries on until someone explicitly removes it.
- Industry portals. Medical aid schemes, Law Society portals, the LPC, FSCA platforms — all have their own user lists.
- Social media and marketing tools. LinkedIn company page admins, Facebook Business Manager, Google Ads, Google Business Profile.
- Personal phone numbers tied to MFA. If their cell number was the recovery method for a company account, change it.
- VPN and remote access. Especially if you have older infrastructure where VPN accounts sit separately from your domain accounts.
- Building access. Biometrics, fingerprint readers, alarm codes, parking remotes.
Build the Process Once, Use It Every Time
The goal isn't a heroic effort every time someone resigns. It's a documented process that runs the same way whether it's a junior bookkeeper or a senior partner walking out.
Three things make this work in practice:
- A single offboarding checklist kept somewhere everyone can find it (not on the ex-IT person's laptop).
- One accountable owner for executing it — usually the office manager, with IT handling the technical steps.
- A 30-day review to catch anything missed, including licence costs you're still paying for a mailbox that should have been converted.
Done right, offboarding takes about an hour of focused work and saves you from the slow-burn risks that don't show up until something breaks — a data leak, a POPIA query from a client, or a payroll bill that shows you're still paying for three users who left last quarter.
If staff turnover is creeping up and your IT process hasn't kept pace, this is one of the easier things to fix with the right managed IT support partner. We'd rather help you build the checklist now than help you investigate a leak later — book a free consultation and we'll walk through what good offboarding looks like for your setup.