The Hidden Cost of a Bad Offboarding Process
When someone leaves your company, the immediate priorities are obvious: collect the laptop, revoke email access, hand off projects. But what about the AWS account they were the sole admin for? The vendor contract they signed last quarter? The three SaaS tools billed to their corporate card?
These are orphaned assets, and they are far more common than most teams realize. A 2024 survey by Zylo found that the average mid-size company has 40% more SaaS subscriptions than IT is aware of. When the person who set up those subscriptions walks out the door, you are left paying for tools nobody manages, contracts nobody reviews, and hardware nobody can locate.
The financial impact adds up quickly. Orphaned SaaS licenses alone cost companies an average of $135,000 per year in wasted spend, according to Gartner estimates. But the cost goes beyond money. Orphaned assets create security gaps, compliance blind spots, and operational confusion that can take months to untangle.
The fix is not complicated. It is a reliable, repeatable offboarding process backed by accurate ownership records.
Why Offboarding Goes Wrong
Most offboarding failures stem from the same root causes:
No single source of truth. HR knows about the employee. IT knows about some of their hardware. Finance knows about some of the tools. Nobody has a complete picture of everything that person owned or managed.
Tribal knowledge. The departing employee is often the only person who knows they are the billing contact for a critical vendor, or that they hold the only admin credentials for a staging environment.
Reactive instead of proactive. Teams only discover orphaned assets when something breaks: a renewal payment fails, an audit flags an unmanaged tool, or a contractor loses access to a system nobody thought to transition.
No ownership transfer workflow. Even when someone knows an asset needs a new owner, there is no standard process for making the handoff. The task gets added to a shared doc, assigned in Slack, and eventually forgotten.
The Complete IT Offboarding Checklist
Use this checklist for every departure, whether it is a resignation, termination, or contractor engagement ending. The key is to run through it systematically, not from memory.
Hardware and Physical Assets
- Collect all company-issued laptops, monitors, and peripherals
- Retrieve mobile devices (phones, tablets, hotspots)
- Collect access badges, keys, and security tokens (YubiKeys, RSA fobs)
- Check for any company hardware at the employee's home office
- Update your asset inventory to reflect the return and reassign or retire each item
- Wipe and re-image returned devices before reissuing
SaaS and Cloud Accounts
- Identify every SaaS tool the employee was an admin or sole user for
- Transfer ownership of shared accounts (Google Workspace groups, Slack channels, Notion workspaces)
- Reassign billing contact on tools paid with their corporate card or personal payment method
- Revoke SSO access and deactivate the user in your identity provider
- Check for standalone accounts created outside SSO (shadow IT)
- Review API keys, service accounts, and tokens created by the employee and rotate or reassign them
Contracts and Vendor Relationships
- Identify any vendor contracts where the employee is the named contact or signatory
- Reassign contract ownership and notify the vendor of the new point of contact
- Check for upcoming renewal dates on those contracts and ensure someone is responsible for the review
- Transfer any negotiation history or vendor relationship context to the new owner
Access and Security
- Disable their Active Directory or identity provider account
- Revoke VPN access and remove any saved Wi-Fi credentials
- Remove them from shared password vaults (1Password, Bitwarden, LastPass)
- Rotate any shared credentials they had access to
- Review their access to sensitive systems (production databases, financial systems, customer data) and confirm all access is removed
- Remove them from GitHub organizations, cloud provider IAM roles, and CI/CD pipelines
Data and Knowledge Transfer
- Transfer ownership of critical documents and shared drives
- Archive their email or set up forwarding for a defined period (check with legal first)
- Ensure project documentation is up to date and accessible to the team
- Conduct a knowledge transfer session before their last day covering any undocumented processes
Financial and Administrative
- Remove them as an authorized purchaser on company accounts
- Cancel or reassign any corporate credit cards
- Remove them from expense reporting tools
- Update any insurance policies or benefit-related accounts
Common Mistakes That Create Orphaned Assets
Even teams with a checklist make these errors:
Focusing only on IT-provisioned tools. The biggest blind spot is shadow IT. Employees sign up for tools on their own, pay with personal cards for reimbursement, or use free tiers that never show up in procurement systems. If you only revoke access to tools you provisioned, you will miss the tools they provisioned themselves.
Deleting accounts instead of transferring them. When you delete a user account in a SaaS tool, you often lose their data, configurations, and history. Transfer ownership first, then deactivate.
Waiting until the last day. Offboarding should start the moment a departure is confirmed, not on the employee's final afternoon. For critical roles, you need a week or more to map out everything they own and plan transfers.
Treating offboarding as a one-time event. The checklist should be run on a schedule even without departures. Quarterly ownership audits catch assets that have drifted into an unowned state due to role changes, team reorganizations, or simple neglect.
Making Offboarding Systematic Instead of Ad-Hoc
The difference between companies that handle offboarding well and those that do not comes down to one thing: whether ownership is recorded before someone leaves.
If you wait until departure day to figure out what someone owns, you are already behind. The offboarding process should be the easy part. The hard part, and the part that actually prevents orphaned assets, is maintaining accurate ownership records continuously.
This means every asset, tool, contract, and account should have a clearly assigned owner at all times. When ownership is recorded as part of daily operations, offboarding becomes a straightforward query: show me everything this person owns, and let me reassign it.
Start with a single register. Whether it is a spreadsheet for a small team or a dedicated tool like OwndUp for a growing one, the important thing is that ownership is centralized. If hardware lives in one system, SaaS licenses in another, and contracts in a third, the offboarding checklist becomes a scavenger hunt.
Make ownership transfers a first-class workflow. Transferring an asset should be as deliberate as assigning it. The new owner should acknowledge the transfer, and the history should be recorded. This is where spreadsheets start to break down and purpose-built tools earn their value: they provide audit trails, notifications, and accountability that a shared Google Sheet cannot.
Automate what you can. Sync your ownership records with your identity provider. When an employee's status changes to "offboarded" in your HR system, trigger a review of everything they own. Tools like OwndUp can flag assets that need reassignment the moment an ownership gap appears.
Practical Takeaways
- Run the full checklist for every departure, not just for senior employees or engineers. Non-technical staff often own vendor relationships and contracts that are just as critical.
- Start building ownership records now, before the next person leaves. Backfilling during a rushed offboarding is how things get missed.
- Audit ownership quarterly. People change roles, teams reorganize, and assets accumulate. A quarterly review prevents drift.
- Measure your offboarding completeness. Track how many assets required reassignment per departure and how many were discovered after the fact. If the "after the fact" number is not trending toward zero, your process has gaps.
- Treat offboarding as a security event. Involve your security team, not just IT and HR. Access revocation is not just an operational task; it is a risk management activity.
The goal is not a perfect checklist. The goal is a system where every asset in your organization always has a clear owner, so that when someone leaves, the transition is already half done.