1. Users and accounts
- List all users and sort by last sign-in. Investigate anything over 60 days.
- Match every account to a current employee or contractor. Flag the rest.
- Check suspended accounts: they still own files and consume attention. Decide their end state.
- Review contractor and vendor accounts: expiry date, sponsor, and whether either still applies.
2. Admin roles
- List Super Admins. Most teams under 150 people need two: one daily owner, one break-glass.
- Review delegated admin roles against what each person's job actually requires.
- Confirm every admin account has 2-Step Verification enforced, not just enabled.
3. Groups
- Review group membership against current teams. Groups drive access; stale membership is stale access.
- Check who can join, post to, and view each group. "Anyone on the internet" settings surface in odd places.
- Reassign groups owned by departed users.
4. Shared drives and file ownership
- List shared drives and their managers. Every drive needs a current, named manager.
- Find business-critical folders living in personal My Drive instead of shared drives. That is a departure risk.
- Identify files owned by suspended or departed accounts and transfer ownership.
5. External sharing
- Check the domain-level sharing setting: can users share externally, and to anywhere?
- Review files shared to anyone with the link, especially with edit access.
- Review sharing to personal Gmail addresses of current staff, a common shadow-access pattern.
6. Third-party app access
- Open the app access control report and list every third-party app with OAuth grants.
- Flag apps with mail, Drive, or admin scopes that nobody recognizes or that belong to cancelled tools.
- Decide your baseline: allowlist trusted apps, or at minimum review high-scope grants quarterly.
7. Offboarding hooks
- Confirm a written departure checklist exists for Workspace. If not, start from the Offboarding Gap Checklist.
- Check the last three departures against it. Gaps found here are gaps for every future exit too.
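The checks in sections 1 and 2 can be scripted once the user list is exported. The following is an added example, not code from this page or from VXSec: it assumes user records shaped like the Admin SDK Directory API user resource (`lastLoginTime`, `suspended`, `isAdmin`, `isEnrolledIn2Sv`, `isEnforcedIn2Sv`), and the accounts and staff roster are constructed sample data.

```python
from datetime import datetime, timezone

STALE_DAYS = 60        # section 1: investigate anything over 60 days
MAX_SUPER_ADMINS = 2   # section 2: one daily owner, one break-glass

def user(email, last_login, suspended=False, admin=False, enrolled=False, enforced=False):
    """Build a constructed record using Directory API user field names."""
    return {"primaryEmail": email, "lastLoginTime": last_login, "suspended": suspended,
            "isAdmin": admin, "isEnrolledIn2Sv": enrolled, "isEnforcedIn2Sv": enforced}

# Constructed sample data; example.com accounts and the roster are hypothetical.
USERS = [
    user("ana@example.com", "2024-05-28T09:00:00.000Z", admin=True, enrolled=True, enforced=True),
    user("ben@example.com", "2024-05-30T09:00:00.000Z", admin=True, enrolled=True),
    user("cho@example.com", "2024-03-01T09:00:00.000Z", suspended=True),
    user("dee@example.com", "2024-05-31T09:00:00.000Z", admin=True, enrolled=True, enforced=True),
    user("svc-old@example.com", "1970-01-01T00:00:00.000Z"),
]
ROSTER = {"ana@example.com", "ben@example.com", "dee@example.com"}  # current staff list

def review_users(users, roster, now):
    """Return (subject, finding) pairs for checklist sections 1 and 2."""
    findings = []
    for u in users:
        email = u["primaryEmail"]
        last = datetime.strptime(u["lastLoginTime"], "%Y-%m-%dT%H:%M:%S.%fZ")
        idle = (now - last.replace(tzinfo=timezone.utc)).days
        if last.year == 1970:  # epoch timestamp: no sign-in recorded
            findings.append((email, "never signed in"))
        elif idle > STALE_DAYS:
            findings.append((email, f"no sign-in for {idle} days"))
        if email not in roster:
            findings.append((email, "no matching employee or contractor"))
        if u["suspended"]:
            findings.append((email, "suspended, end state undecided"))
        if u["isAdmin"] and not u["isEnforcedIn2Sv"]:
            state = "enrolled but not enforced" if u["isEnrolledIn2Sv"] else "not enrolled"
            findings.append((email, f"super admin with 2SV {state}"))
    supers = sorted(u["primaryEmail"] for u in users if u["isAdmin"] and not u["suspended"])
    if len(supers) > MAX_SUPER_ADMINS:
        findings.append(("domain", f"{len(supers)} active super admins: {', '.join(supers)}"))
    return findings

if __name__ == "__main__":
    for subject, finding in review_users(USERS, ROSTER, datetime(2024, 6, 1, tzinfo=timezone.utc)):
        print(f"{subject}: {finding}")
```

The 2-Step Verification check keys on `isEnforcedIn2Sv` rather than `isEnrolledIn2Sv`, which is the "enforced, not just enabled" distinction from section 2.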
If this took more than one session, that usually means the structure is the problem, not the review. Role-based access through Groups, department-based shared drives, and provisioning workflows make the next review take an hour. That structural work is what the Google Workspace audit and a Cleanup Sprint deliver.
Want the audit version, with evidence?
VXSec runs these checks against your actual environment, read-only, and returns a findings report with owners and a sequenced fix list.