What is an access and offboarding audit?
An access and offboarding audit is a fixed-fee review of every person, app, and automation that can reach your business systems. It answers three questions with evidence: who has access, what has access, and whether each of them still should. The deliverable is a findings report your team can approve and act on.
What VXSec checks
- Stale users: ex-employees, finished contractors, and dormant accounts that can still sign in or hold licenses.
- Admin role sprawl: super admins, delegated admins, and privileged roles measured against actual jobs.
- External sharing: files, folders, and drives shared outside the organization or to anyone with the link.
- File ownership: documents and drives owned by departed users or the wrong departments.
- Shared inbox access: delegates, forwarding rules, and send-as permissions nobody remembers granting.
- OAuth and connected apps: third-party grants to mail, files, calendars, and CRMs, including abandoned tools.
- Contractors and vendors: external accounts, guest access, and access to client systems held by your team.
- Automation ownership: Zapier, Make, and n8n workflows, service accounts, and API keys with unclear owners.
- AI tools and app access: assistants, agents, meeting bots, and extensions connected to business data.
- Offboarding gaps: what your current departure process misses, written up as a repeatable checklist.
Who needs this?
Teams of roughly 20 to 150 people running Google Workspace or Microsoft 365 alongside tools like Slack, Shopify, HubSpot, GitHub, Zapier, Make, n8n, and AI assistants. The strongest fit is any team that has had staff or contractor turnover without a documented offboarding process, and agencies that hold access to client systems.
What you get
- Every finding with evidence, risk level, recommended action, effort, owner, and dependencies.
- The themes that matter, what is urgent, what can wait, and what needs approval, in plain language.
- Quick wins separated from approval-needed changes, ready to hand to your team, an MSP, or VXSec.
- A repeatable departure checklist for your actual stack, so the same debt does not rebuild.
Findings can be mapped to CIS-style baseline controls where applicable. The audit is not a compliance certification and does not claim to be one.
How it runs
- Scope check (15 minutes): systems, team size, access model, fixed fee, and timeline confirmed in writing.
- Read-only inventory: users, roles, shares, grants, automations, and AI tools listed with evidence.
- Report and walkthrough: findings reviewed together so decisions get made, not deferred.
- Optional next step: approved fixes implemented in a Cleanup Sprint.
Get the full access picture in about two weeks
The scope check confirms systems and team size and gives you a fixed fee. The audit itself is read-only, so there is no risk to production systems.