AC-2(3) / PS-4 / A.6.1.3 / CIS-5.3 NIST SP 800-53 Rev 5

When someone leaves, are their accounts disabled the same day?

Description

What this control does

This control requires that all user accounts associated with a terminated employee be disabled on the same calendar day as their departure. It typically involves coordination between Human Resources and IT operations, often automated through HR information system (HRIS) integrations that trigger provisioning workflows. Immediate account disablement prevents unauthorized access to systems, data, and resources by individuals who no longer have a legitimate business need, reducing the window of opportunity for insider threats or accidental exposure.

Control objective

What auditing this proves

Demonstrate that all user accounts for terminated employees are consistently disabled on the same day as their termination date, with no gaps in enforcement.

Associated risks

Risks this control addresses

  • Terminated employees retaining access to production systems and exfiltrating sensitive data after their departure
  • Former staff accessing customer records, financial data, or intellectual property during a multi-day delay between termination and account disablement
  • Disgruntled ex-employees modifying or deleting critical business data in retaliation if accounts remain active
  • Credential sharing by former employees with unauthorized third parties who exploit active accounts for malicious purposes
  • Violation of compliance obligations under SOC 2, ISO 27001, HIPAA, or PCI DSS due to failure to revoke access promptly
  • Privilege escalation attacks using abandoned high-privilege accounts that remain enabled weeks or months after termination
  • Audit findings and regulatory penalties resulting from documented instances of delayed account revocation

Testing procedure

How an auditor verifies this control

  1. Obtain a list of all employee terminations from HR for the past twelve months, including termination dates and employee identifiers.
  2. Request access logs, identity and access management (IAM) system records, or Active Directory audit logs showing account disable timestamps for each terminated employee.
  3. Select a representative sample of at least 25 terminations spanning different business units, job roles, and time periods within the audit scope.
  4. For each sampled termination, compare the termination date from HR records against the account disable date in the IAM system or directory service logs.
  5. Document any instances where account disablement occurred after the termination date, noting the duration of delay in days.
  6. Review automated provisioning workflows, HR integration configurations, and termination checklists to confirm same-day disablement is the defined standard.
  7. Interview IT operations and HR personnel to validate the process for handling same-day terminations, emergency terminations, and weekend/holiday departures.
  8. Verify that compensating controls exist for edge cases, such as manual override procedures or temporary access restrictions pending full disablement.
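Steps 1 to 5 of the procedure are a record-matching exercise: join each HR termination to the disable events of every account that employee held, measure the gap in calendar days, and flag anything that is not same-day unless a documented exception covers it. The script below is an added example of that check, not code from the page or from any particular IAM product; the HR export, account inventory, audit log lines and exception ticket are all constructed sample data, and the log format is an assumption.

```python
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Dict, List, Optional

# Constructed HR termination export (not from a real HRIS).
HR_TERMINATIONS_CSV = """\
employee_id,termination_date
E1001,2024-03-04
E1002,2024-03-08
E1003,2024-03-15
E1004,2024-03-22
"""

# Constructed IAM export: which directory accounts belong to each employee.
ACCOUNT_INVENTORY = {
    "E1001": ["E1001", "E1001-admin"],
    "E1002": ["E1002"],
    "E1003": ["E1003"],
    "E1004": ["E1004"],
}

# Constructed directory audit log; the line format is an assumption for this example.
IAM_AUDIT_LOG = """\
2024-03-04T17:42:10Z ACCOUNT_DISABLED user=E1001 actor=hris-sync
2024-03-04T17:42:11Z ACCOUNT_DISABLED user=E1001-admin actor=hris-sync
2024-03-11T09:03:55Z ACCOUNT_DISABLED user=E1002 actor=helpdesk
2024-03-15T23:59:01Z ACCOUNT_DISABLED user=E1003 actor=hris-sync
2024-03-22T08:00:00Z PASSWORD_RESET user=E1004 actor=helpdesk
"""

# Documented, approved compensating controls for known delays (ticket id is a placeholder).
APPROVED_EXCEPTIONS = {
    "E1002": "TICKET-PLACEHOLDER-1: Friday termination; SSO and VPN blocked same day",
}


@dataclass
class Finding:
    employee_id: str
    termination_date: date
    disabled_on: Optional[date]  # date the LAST of the employee's accounts was disabled, None if any never was
    delay_days: Optional[int]    # 0 = same calendar day; None = at least one account still enabled
    status: str                  # PASS, EXCEPTION_APPROVED or FAIL


def parse_terminations(csv_text: str) -> Dict[str, date]:
    """Map employee_id -> termination date from the HR export (header row skipped)."""
    result = {}
    for row in csv_text.strip().splitlines()[1:]:
        emp, term = row.split(",")
        result[emp] = date.fromisoformat(term)
    return result


def parse_disable_dates(log_text: str, tz=timezone.utc) -> Dict[str, date]:
    """Map account -> calendar date of its earliest ACCOUNT_DISABLED event.

    The calendar day is taken in `tz`; use the zone HR records dates in, or a
    late-evening disable can be mis-scored as the following day.
    """
    disabled = {}
    for line in log_text.strip().splitlines():
        ts, event, *fields = line.split()
        if event != "ACCOUNT_DISABLED":
            continue
        account = dict(f.split("=", 1) for f in fields)["user"]
        when = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(tz).date()
        if account not in disabled or when < disabled[account]:
            disabled[account] = when
    return disabled


def evaluate(terminations, inventory, disable_dates, exceptions) -> List[Finding]:
    """Score every termination: all accounts must be disabled on the termination day."""
    findings = []
    for emp, term_date in sorted(terminations.items()):
        dates = [disable_dates.get(a) for a in inventory.get(emp, [emp])]
        if any(d is None for d in dates):
            disabled_on, delay = None, None       # an account with no disable event is still live
        else:
            disabled_on = max(dates)              # control is met only when the last account is off
            delay = max(0, (disabled_on - term_date).days)  # disabling early is not a gap
        if delay == 0:
            status = "PASS"
        elif emp in exceptions:
            status = "EXCEPTION_APPROVED"
        else:
            status = "FAIL"
        findings.append(Finding(emp, term_date, disabled_on, delay, status))
    return findings


def control_passes(findings: List[Finding]) -> bool:
    """Pass criteria: every sampled termination is same-day or has an approved exception."""
    return all(f.status != "FAIL" for f in findings)


def run_sample() -> List[Finding]:
    return evaluate(parse_terminations(HR_TERMINATIONS_CSV), ACCOUNT_INVENTORY,
                    parse_disable_dates(IAM_AUDIT_LOG), APPROVED_EXCEPTIONS)


if __name__ == "__main__":
    results = run_sample()
    for f in results:
        print(f"{f.employee_id}: terminated {f.termination_date}, disabled {f.disabled_on}, "
              f"delay {f.delay_days} day(s), {f.status}")
    print("control passes:", control_passes(results))
```

On the constructed data E1001 and E1003 pass, E1002 (a Friday departure disabled the next Monday) is covered by a documented exception, and E1004 fails because the log shows a password reset but never a disable event, which is exactly the kind of gap step 5 asks the auditor to record. Two design points carry over to real exports: score against every account in the inventory rather than only the primary login, since a forgotten admin account is the privilege-escalation risk listed above, and compare calendar days in the organization's own time zone.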

Evidence required

Collect HR termination reports with employee names and termination dates, IAM system exports showing account status change timestamps, Active Directory or LDAP logs with disable events, automated workflow configuration screenshots or policy documents, and any incident tickets documenting exceptions or delays.

Pass criteria

All sampled terminations show account disablement occurring on the same calendar day as the termination date, with documented and approved compensating controls for any justified exceptions.