To the untrained eye, terminations may seem like a straightforward process; in reality, managing this process is more like herding cats. The offboarding process varies from company to company, involves multiple departments, relies on strong lines of communication, and requires accountability from the parties involved.
At a high level, the termination process consists of the following components:
- Documenting the termination policy and procedures
- Maintaining a personnel roster
- Communicating terminations to relevant stakeholders
- Completing termination checklists
- Issuing termination letters
- Conducting exit interviews
- Removing systems access
- Managing asset returns
- Processing termination records (removing personnel from payroll and benefits)
- Administering final pay
While these steps may look self-evident and prescriptive, during my 10 years as an auditor I have been continually asked, “Why does my termination process keep failing?” Whether the problem is an incomplete personnel listing, unclear roles and responsibilities, or siloed controls, the solution is always interdepartmental collaboration.
So what are the biggest offboarding roadblocks, and how can cross-functional collaboration fix them?
The Employee and Contractor Listing is Incomplete
While maintaining a personnel roster may sound simple in theory, companies often do not have a comprehensive list of the employees and contractors in their organization. But why does this matter? The answer is that you can’t properly terminate personnel if you don’t know who’s in your environment to start.
If you asked each department for a list of current employees, HR may point to an HRIS listing, IT may point to a ticketing population, Legal may point to the contracts, Payroll may point to pay statements, and Recruiting may point to a manually maintained listing. Already you may notice a lack of consensus about the source of truth for an employee and contractor listing.
Below are some considerations for these different methods.
- HRIS Systems: Some HRIS and payroll systems are not designed to maintain a list of contractors. They may lack fields for contractor-specific data or, conversely, require data that applies only to full-time employees. For example, the system may not have a field for worker classification (W-2 employee versus 1099 contractor), which is required for payment and tax purposes.
- Ticketing Population: If an employee or contractor does not require a workstation or system access (think consultant, auditor, photographer, etc.), IT or HR may not create a ticket for their onboarding.
- Contracts: Service contracts that use flat-fee pricing often do not specify the number or identity of the contractors providing services; staffing is usually decided by the service provider after the contract has been signed. This creates the risk that contractors share email accounts and system access, leaving no individual accountability for actions taken in your environment.
- Inventory of Pay Statements: While the payroll team maintains a list of the employees and contractors being paid, this may not capture all personnel. Examples include personnel performing work pro bono and personnel on a leave of absence (LOA) or sabbatical.
- Manually-Maintained Listing: While this simple approach may meet recruiting needs, this method is prone to human error.
So which source of truth is the best? As each department plays a different role in the termination process and requires different types of information to be documented, senior management should set up a meeting with the relevant stakeholders (Legal, Human Resources, Information Technology, Compliance, etc.) to discuss their business processes and data entry needs before deciding where to maintain the personnel listing. At a minimum, the listing should be kept in a formal system of record rather than an ad hoc spreadsheet, so that every downstream process can rely on its start and termination dates.
Stakeholders Are Not Aware of Their Responsibilities
How many departments should be involved in the termination process? Two? Three at most? You may be surprised to learn that several groups, including Legal, HR, People Managers, IT, and even Corporate Communications should be involved.
Legal
As part of the contractor management process, Legal should require each vendor or service organization to provide the list of contractors who will be providing services. This gives the company insight into which contractors will be accessing its environment. Legal should also notify HR of contracts that are expiring (and therefore of contractors who no longer require system access). Legal can facilitate this process by notifying HR directly of new or departing contractors, or by providing IT with contract end dates so that IT can proactively set up offboarding tickets.
Human Resources
HR is responsible for creating and documenting a robust termination policy that guides each team on how to perform their part of the offboarding process. As part of their day-to-day operations, HR is also responsible for several parts of the termination process, including entering employee and contractor termination information into the HRIS in a timely manner, completing termination checklists, issuing termination letters, ending payroll and benefits, notifying IT of terminations, and in some cases, creating offboarding tickets.
People Managers
Managers must inform HR, and in some cases IT, of employees and contractors who are being terminated. If HR and IT do not learn of a termination until on or after the termination date, they will not have the lead time needed to perform offboarding procedures. Specific to contractors, People Managers must relay each contractor’s termination date to HR. One common failure point in contractor management is that if the contractor’s supervisor does not provide a termination date or an estimated termination date, HR cannot enter it into the tracking system, which may delay revocation of the contractor’s system access.
Communications
The communications team is responsible for relaying termination responsibilities to People Managers and other responsible personnel via emails, company-wide meetings, or the company intranet.
Information Technology
IT personnel are responsible for addressing offboarding tickets, removing systems access, wiping workstations, managing asset returns, and performing other IT-related offboarding tasks. While IT must address some of the most critical aspects of offboarding, such as deprovisioning access and collecting company property, this team relies on the other teams (Communications, Legal, HR, and People Managers) to get them to that point.
While each department is responsible for specific tasks, relaying information and moving the offboarding process through the workflow(s) requires a great deal of cross-functional collaboration. For instance, if company policy requires that each terminated person’s system access be removed within 48 hours, the People Manager, HR personnel, and in some cases Legal personnel must work together to create documentation and relay termination information before IT can start revoking access. Every delay upstream consumes part of that 48-hour window.
Understanding the Risks of Inappropriate Access
So what are the risks of a terminated user retaining access, and what are the consequences of a broken access control? Suppose a disgruntled employee retains access to critical systems. They may use that access to change configurations, delete or alter data, push through changes, grant inappropriate access to others, or take any number of other malicious actions. Even an employee who left the company on good terms may log in to a critical system out of habit and make an accidental change. In both cases, retained access for a terminated user may result in audit findings or non-compliance with regulatory requirements.
Termination Controls are Siloed
Although senior leadership may be tempted to split out controls by department, these often require execution by multiple participants. Below are examples of expectation versus reality when it comes to who needs to execute controls.
- Termination Policy Creation
  - Expectation: HR is solely responsible for documenting the termination process.
  - Reality: All termination process stakeholders (Legal, HR, IT, Compliance, Payroll, etc.) should contribute to updating the termination policy so that it reflects their processes.
- Inventory of Employees and Contractors
  - Expectation: HR should choose an HRIS and be responsible for ensuring all users are entered into this system and that their start and termination dates are accurate.
  - Reality: Because employees and contractors can enter the organization’s environment while bypassing parts of the onboarding process, HR relies on Recruiting, Legal, and People Managers to identify all current personnel, as well as those who require termination.
- Offboarding Tickets
  - Expectation: Only one department is responsible for updating offboarding tickets.
  - Reality: Depending on the type of information that must be captured, such as termination reason, forwarding address, access removal, asset return, etc., representatives from multiple departments may use the same ticket to document their part of the termination process.
- Access Deprovisioning
  - Expectation: IT is primarily responsible for the timely removal of employee and contractor systems access.
  - Reality: IT depends on several upstream processes run by People Managers, Legal, HR, and Internal Communications to provide termination information. Additionally, IT may not be the primary owner of some of the company’s business systems, so additional system owners may be needed to remove terminated users’ access.
- Asset Returns
  - Expectation: IT is the only department involved in collecting company property.
  - Reality: IT relies on HR to provide the terminated employee’s or contractor’s forwarding information so it can send a mailing package for the asset(s). If an individual does not return an asset within a certain amount of time, IT may also need Legal to send a formal letter to the terminated individual.
As you can see from these example termination controls, more departments are involved in each process than you may think. When my clients ask me why their termination controls keep breaking, I walk them through the nuances of each of these controls and point out the different departments that need to communicate and perform their part of the process. I also emphasize the importance of these departments taking accountability for their responsibilities and performing their tasks in a timely fashion.
I have seen some scenarios in which a regimented information security team will use a tool or script to monitor terminated users who have not had their access removed in a timely manner. They must “herd cats” by reaching out to the appropriate HR personnel, IT personnel, People Manager, or System Owner to validate that the termination is legitimate and to request that access be removed immediately. While this detective control is a good second line of defense, it is a big time commitment for the information security team and still does not guarantee that inappropriate access is removed within the required timeframe.
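The detective control described above, and the roster gap discussed earlier under the incomplete personnel listing, both reduce to the same reconciliation: join the HRIS export to the identity provider’s account list and look for active accounts that should not be active. The following is an added example of that check and is not code from the original post or from Linford and Company. The rosters are constructed, the field names are assumptions (most HRIS and IdP exports can be normalised to an email plus a status), and the 48-hour SLA is taken from the policy example used earlier in this article.

```python
"""Reconcile an HRIS termination export against an identity provider's active
accounts and flag access that is still live past the removal SLA.

Added example, not code from the original post. All rosters below are
constructed; field names and the 48-hour SLA are assumptions taken from the
policy example in the post.
"""
from datetime import datetime, timedelta

# Assumed policy: access must be removed within 48 hours of the termination date.
ACCESS_REMOVAL_SLA = timedelta(hours=48)

# Constructed HRIS export. termination_date is None for active workers.
HRIS_ROSTER = [
    {"worker_id": "E1001", "email": "alice@example.com", "type": "employee", "termination_date": None},
    {"worker_id": "E1002", "email": "bob@example.com", "type": "employee", "termination_date": "2024-05-01"},
    {"worker_id": "C2001", "email": "Carol@Example.com", "type": "contractor", "termination_date": "2024-05-09"},
    {"worker_id": "E1003", "email": "dave@example.com", "type": "employee", "termination_date": "2024-05-10"},
]

# Constructed identity-provider export, normalised to email + status.
IDP_ACCOUNTS = [
    {"email": "alice@example.com", "status": "ACTIVE"},
    {"email": "bob@example.com", "status": "ACTIVE"},            # terminated 9 days ago, still live
    {"email": "carol@example.com", "status": "ACTIVE"},          # terminated yesterday, inside SLA
    {"email": "dave@example.com", "status": "DEPROVISIONED"},    # removed as expected
    {"email": "photographer@example.com", "status": "ACTIVE"},   # never entered into HRIS
]


def reconcile(hris, idp, as_of, sla=ACCESS_REMOVAL_SLA):
    """Return findings keyed by category.

    overdue     -- active IdP accounts whose worker was terminated more than `sla` ago
    within_sla  -- active accounts for terminated workers still inside the window
    not_in_hris -- active accounts with no HRIS record at all (roster gap)
    """
    # Email is the join key; normalise case so "Carol@Example.com" matches "carol@example.com".
    roster = {w["email"].lower(): w for w in hris}
    findings = {"overdue": [], "within_sla": [], "not_in_hris": []}

    for account in idp:
        if account["status"].upper() != "ACTIVE":
            continue  # already deprovisioned or suspended; nothing to chase
        email = account["email"].lower()
        worker = roster.get(email)
        if worker is None:
            findings["not_in_hris"].append(email)
            continue
        if worker["termination_date"] is None:
            continue  # current worker; access is expected
        deadline = datetime.fromisoformat(worker["termination_date"]) + sla
        record = {
            "email": email,
            "worker_id": worker["worker_id"],
            "type": worker["type"],
            "hours_overdue": max(0, int((as_of - deadline).total_seconds() // 3600)),
        }
        (findings["overdue"] if as_of > deadline else findings["within_sla"]).append(record)
    return findings


def format_report(findings):
    """Render findings as the message the security team would send to HR, IT, or system owners."""
    lines = []
    for r in findings["overdue"]:
        lines.append(f"OVERDUE  {r['email']} ({r['type']} {r['worker_id']}) {r['hours_overdue']}h past SLA")
    for r in findings["within_sla"]:
        lines.append(f"PENDING  {r['email']} ({r['type']} {r['worker_id']}) inside SLA")
    for email in findings["not_in_hris"]:
        lines.append(f"UNKNOWN  {email} active in IdP but absent from HRIS")
    return "\n".join(lines) or "No findings"


def run_example(as_of=datetime(2024, 5, 10, 12, 0)):
    """Run the reconciliation over the constructed data as of a fixed timestamp."""
    return reconcile(HRIS_ROSTER, IDP_ACCOUNTS, as_of)


if __name__ == "__main__":
    print(format_report(run_example()))
```

Three outcomes matter here. The OVERDUE line is the one the security team has to chase, and the record carries the worker type and ID so the right owner (HR for employees, the contract owner for contractors, a system owner for applications IT does not administer) can be contacted. The PENDING line is a reminder rather than a finding. The UNKNOWN line is the roster problem in miniature: an account that exists in the environment but was never onboarded through HRIS cannot be offboarded by any termination workflow, so the fix is upstream in the personnel listing, not in IT.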
Conclusion
Interdepartmental collaboration is a key part of establishing effective termination controls. By communicating cross-functionally to understand the nuances of the termination process, organizations can mitigate risks, increase security, and prevent terminated personnel from retaining inappropriate access. A robust termination process and controls not only support SOC 2 compliance, but also build trust with clients and stakeholders by demonstrating a commitment to safeguarding their data and systems.
Our team at Linford and Company possesses considerable expertise in helping businesses develop and refine their termination policies and procedures. We would be happy to discuss how our services could benefit your organization. Please feel free to reach out to us.
Helen has 10 years of experience in audit, cybersecurity, and data privacy and has worked in public accounting as well as industry. She started out her career at Deloitte managing audit readiness assessments, Sarbanes-Oxley 404 audits, and SOC 1 & 2 audits. More recently she worked as a Director of Cybersecurity Compliance at an Ed-tech start-up, Guild, and specialized in building out and maturing their audit, risk, and partner support programs. Between 2015 and 2023, Helen sat on the ISACA Denver chapter board of directors and taught CISA prep courses. She is a certified information systems auditor (CISA), a certified information privacy technologist (CIPT), and a certified risk & information systems control (CRISC) professional.