Employee Offboarding and SaaS: The $50,000 Mistake Most Companies Make

Why Offboarding Creates SaaS Waste

The reason offboarding creates persistent SaaS waste is structural. When an employee leaves, the HR and IT offboarding process focuses on the most urgent security tasks: disabling email, revoking VPN access, collecting hardware, and processing final payroll. These are time-sensitive and well-understood.

Software seat deprovisioning is different. It is rarely urgent - a disabled account with no active user is not an immediate security risk in most cases. It requires knowledge of which tools the employee had access to. And it requires action in each individual tool's admin console - which can mean logging in to 15 to 30 different platforms to remove a single employee.

The result is predictable: teams deprovision the obvious, centrally managed tools (email, Slack, the core CRM) and leave the rest. The employee's accounts in less visible tools persist, billing continues, and within a year of typical company attrition, you have accumulated dozens of ghost accounts paying for nothing.

How to Calculate Your Offboarding SaaS Waste

To estimate your current offboarding waste, you need two pieces of data: your list of former employees from the past 12 months, and your active user lists for each major SaaS tool.

Step 1: Get Your Departure List

From HR, pull a list of all employees who left the company in the past 12 months. Include their email address and departure date. If your HR system does not have this readily available, check your payroll records - terminated employees should have a final pay date.

Step 2: Cross-Reference Against Active User Lists

For each major SaaS tool in your stack (focus on the 10 to 15 highest-cost tools first), pull the list of active users and their email addresses. Cross-reference against your departure list. Any former employee who still appears in an active user list is a ghost account - a seat you are paying for that nobody uses.

Step 3: Calculate the Annual Waste

For each ghost account you find, note the cost per seat per month. Multiply by the number of months since the employee's departure date. This is the amount already wasted. Multiply by 12 to project the forward-looking annual cost if the accounts are not cancelled.

Most companies who do this calculation for the first time find the number is surprising. A 100-person technology company with 15% annual turnover typically finds $30,000 to $80,000 in active ghost accounts on first audit.

Building a Proper Offboarding Checklist for Software

The fix for offboarding-driven SaaS waste is a comprehensive software deprovisioning checklist that is completed as part of every employee exit. The checklist has three tiers:

Tier 1: Day-of-Departure Actions (Within 24 Hours)

• Disable primary email account and set out-of-office reply
• Revoke SSO/identity provider access (this automatically disables any SSO-connected tools)
• Disable VPN access and company device management enrollment
• Transfer ownership of critical documents, shared drives, and repos
• Change passwords for any shared accounts the employee managed

Tier 2: Within 48 Hours - High-Cost Seat Deprovisioning

• CRM (Salesforce, HubSpot) - reassign open deals, remove seat
• Project management (Asana, Jira, Monday.com) - reassign tasks, remove user
• Design tools (Figma, Adobe Creative Cloud) - transfer files, remove seat
• Marketing automation (Marketo, Pardot) - remove access
• Analytics and BI tools (Tableau, Looker, Mixpanel) - remove access

Tier 3: Within 2 Weeks - Full Software Audit

This tier covers tools that are harder to discover but important to catch. Have the departing employee's manager review any tools they know the person used. Search your expense records for charges the employee submitted for software. Check your SSO audit log for any apps the employee authenticated with that were not in your standard list.

Automation Approaches for Offboarding

Manual offboarding checklists work when they are followed - but they require consistent execution across every manager and HR team member involved in an exit. Automation reduces the dependency on human consistency.

Identity Provider Integration

The most powerful automation is connecting your offboarding process to your identity provider (Okta, Azure AD, Google Workspace). When an employee is deprovisioned in the identity provider, any SaaS tool that uses SSO is automatically deprovisioned as well. This is not a complete solution - it only covers SSO-connected tools, which may be 40 to 60% of your total stack - but it handles the most important tools automatically.

HRIS Workflow Triggers

Modern HRIS platforms (Rippling, BambooHR, Workday) can trigger automated workflows when an employee is marked as terminated. These workflows can automatically create deprovisioning tasks, notify tool owners, and track completion. Setting up these workflows requires initial configuration but reduces ongoing execution to monitoring rather than manual action.

Continuous Monitoring with SubScrub

For the gap that identity providers and HRIS workflows do not cover, SubScrub provides continuous monitoring that flags active seats belonging to former employees. By cross-referencing your HR termination data with software billing and user lists, SubScrub surfaces ghost accounts as they accumulate - preventing the problem from building up over months or years before an audit catches it.