SOC 2 Employee Offboarding Access Deprovisioning Process

Learn how to implement a SOC 2 compliant Employee Offboarding Access Deprovisioning process under CC6 logical access controls.


Overview

Employee Offboarding Access Deprovisioning is the process of removing a departing employee’s access to systems, applications, and physical assets to prevent unauthorized use. It ensures logical and physical access is revoked promptly and consistently in alignment with SOC 2 CC6.1 and CC6.2.

Step-by-Step Process

  1. Receive termination notification

    The IT Manager receives a termination or departure notification from HR, including the employee name, role, and effective termination date. This notification may be initiated via BambooHR, email, or a ticketing system. The output is a confirmed offboarding trigger with a defined deprovisioning date and time.

    Role: IT Manager

  2. Confirm systems and access scope

    The IT Manager reviews the employee’s role and identifies all systems requiring access removal, including SSO, email, internal tools, and physical access. This review is performed using HR records and identity provider group memberships. The output is a complete list of systems to be deprovisioned.

    Role: IT Manager

  3. Disable identity provider access

    The IT Manager disables or deactivates the user account in the primary identity provider to prevent further authentication. This step ensures immediate revocation of SSO-based access. The output is a disabled identity account with a recorded timestamp.

    Role: IT Manager

  4. Revoke application and email access

    The IT Manager removes access to email, cloud applications, and, where applicable, internal systems that are not fully controlled by SSO. This includes removing group memberships and licenses. The output is confirmation that all application access has been revoked.

    Role: IT Manager

  5. Recover or disable physical access

    If applicable, the IT Manager coordinates with Facilities to deactivate badge access and recover company-owned devices. This step ensures physical access to offices and assets is terminated. The output is confirmation of badge deactivation and asset recovery status.

    Role: IT Manager

  6. Document deprovisioning actions

    The IT Manager records the actions taken, including each system from which access was removed and the date and time of each deactivation. Documentation is stored in the ticketing system or offboarding log. The output is a completed offboarding record.

    Role: IT Manager

  7. Review and close offboarding record

    The IT Manager reviews the offboarding record for completeness and confirms all required actions are completed. Any exceptions are noted and resolved. The output is a closed and approved offboarding record.

    Role: IT Manager

What You Need Before Starting

  • HR termination notice with employee name and effective date
  • Access to identity provider admin console (e.g., Okta)
  • Access to Google Workspace admin console
  • Employee role and department information from HR system

Evidence Your Auditor Expects

  • BambooHR termination record showing employee status changed to Terminated with effective date
  • Okta system log screenshot showing user deactivated with timestamp
  • Google Workspace Admin audit log showing user suspended or deleted with date and time
  • Completed offboarding checklist or ticket dated and approved by IT Manager

How This Looks In Your Tools

Okta

Log in to the Okta Admin Console and navigate to Directory > People. Search for the departing employee and open their user profile. Verify the user’s status and assigned groups before proceeding.

Click the Deactivate button on the user profile page and confirm the action when prompted. This immediately prevents authentication via Okta SSO. After deactivation, review the System Log under Reports > System Log and filter by the user to confirm the deactivation event and timestamp.

Google Workspace

Log in to the Google Admin console and navigate to Directory > Users. Locate the departing employee and open their user account details. Review assigned licenses and group memberships for completeness.

Click Suspend User or Delete User depending on company policy, then confirm the action. Navigate to Reports > Audit Log > User Accounts and filter by the user’s email address to capture the suspension or deletion event with date and time.

BambooHR

Log in to BambooHR and navigate to the employee’s profile using the Directory. Select Job > Status and update the employee status to Terminated, ensuring the termination date is accurate.

Confirm that the termination workflow is completed and any offboarding tasks assigned to IT are marked as done. Use the employee’s History or Reports section to export or screenshot the termination record showing the effective date for audit evidence.

Common Audit Findings

Delayed access removal after termination

    This occurs when IT is not promptly notified of employee departures. Prevent this by enforcing automated HR-to-IT notifications and requiring same-day deprovisioning for all terminations.

Incomplete application access revocation

    This happens when offboarding focuses only on SSO and ignores standalone tools. Maintain a system inventory mapped to roles and review it during every offboarding.

Lack of evidence for deprovisioning actions

    Auditors flag missing logs or screenshots when actions are not documented. Require IT to retain dated system logs or screenshots for each offboarding event.

Physical access not revoked

    Badge or facility access may be overlooked if Facilities is not involved. Prevent this by including Facilities confirmation as a required step in the offboarding checklist.
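The review in step 7 and the four findings above can be checked mechanically against the offboarding record. The following added example (not from the original page and not tied to any vendor API) reviews a constructed offboarding record against an assumed role-to-system inventory, flags the findings described here (late revocation, a system with no revocation recorded, missing evidence), and returns whether the record can be closed. The 24-hour cutoff, the inventory and the sample record are assumptions.

```python
from datetime import datetime, timedelta

# Assumed role-to-system inventory (step 2): every system a role holds access
# to, including tools outside SSO and physical badge access.
ROLE_SYSTEMS = {
    "engineer": ["okta", "google_workspace", "github", "badge"],
    "sales": ["okta", "google_workspace", "crm", "badge"],
}

# Same-day deprovisioning is required; 24 hours after the effective
# termination time is the assumed cutoff for a "delayed" finding.
MAX_DELAY = timedelta(hours=24)


def review_offboarding(record):
    """Step 7 review: return ("closed", []) or ("open", [exception, ...])."""
    effective = datetime.fromisoformat(record["effective_date"])
    required = ROLE_SYSTEMS[record["role"]]
    actions = record["actions"]  # system -> {"revoked_at": ISO time, "evidence": file}
    exceptions = []
    for system in required:
        action = actions.get(system)
        if action is None:  # finding: incomplete revocation / physical access missed
            exceptions.append(f"{system}: access revocation not recorded")
            continue
        revoked = datetime.fromisoformat(action["revoked_at"])
        if revoked - effective > MAX_DELAY:  # finding: delayed access removal
            exceptions.append(f"{system}: revoked {revoked - effective} after effective date")
        if not action.get("evidence"):  # finding: lack of evidence
            exceptions.append(f"{system}: no dated log or screenshot retained")
    status = "closed" if not exceptions else "open"
    return status, exceptions


# Constructed sample record: GitHub removal came three days late and
# badge deactivation was never recorded, so the record cannot be closed.
SAMPLE_RECORD = {
    "employee": "J. Doe (constructed)",
    "role": "engineer",
    "effective_date": "2024-03-01T17:00:00",
    "actions": {
        "okta": {"revoked_at": "2024-03-01T17:05:00", "evidence": "okta-syslog-deactivate.png"},
        "google_workspace": {"revoked_at": "2024-03-01T17:10:00", "evidence": "gws-audit-suspend.png"},
        "github": {"revoked_at": "2024-03-04T09:00:00", "evidence": "github-org-removal.png"},
    },
}

if __name__ == "__main__":
    print(review_offboarding(SAMPLE_RECORD))
```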

Key Roles

IT Manager