IT Onboarding · Access Security · Staff Management

Every Employee You Hire or Lose Is a Technology Event. Is Your Accounting Firm Handling It Safely?


The Technology Moment You’re Probably Not Prepared For

Hiring a new staff member at your accounting firm is exciting. It represents growth and the ability to serve more clients. The interview process went well, the references checked out, the start date is set. You’re focused on the training plan and the introduction to the team. What often isn’t ready — what in many small firms is being scrambled together the Friday before Monday’s start date — is the technology. The computer that needs to be set up. The Microsoft 365 account that needs to be created and licensed. The accounting software that needs to be installed. The file permissions that determine what the new employee can and can’t see on the server.

When that scramble happens, the new employee’s first experience of your firm is disorganization. The message, unintentional but real, is that you weren’t prepared for them. And in a professional services environment where the quality of your operations is part of your brand promise, a chaotic first day creates doubt at the exact moment you want to be creating confidence.

The Offboarding Problem Most Accounting Firms Don’t Take Seriously Enough

If the onboarding technology gap is an operational problem, the offboarding technology gap is a security problem. When an employee leaves — whether on good terms or bad — their access to your systems needs to be revoked promptly, completely, and verifiably. In a Microsoft 365 environment, ‘access’ means a lot of things: email, SharePoint files, OneDrive storage, Teams channels, licensing for applications, any third-party apps connected to their M365 account. A former employee whose account hasn’t been properly deprovisioned still has access to all of it — potentially including current client files and business-sensitive documents.

In the professional services context, this isn’t just an IT oversight. It’s a potential ethics and liability issue. Client financial records accessible to someone who no longer works for you represent a genuine risk. The FTC Safeguards Rule’s requirement for access controls specifically includes timely revocation of access for departed employees.

Graham's Take

I’ve onboarded new clients where we’ve discovered former employees with active M365 accounts two years after their departure. In some cases, those accounts had been receiving client emails the whole time — forwarded by filters nobody knew existed. The fix is simple once you know it’s a problem. The issue is that most firms never look.

— Graham Pearson, MBA · Ma3SP Technology · Goshen, Indiana

The Security Principle Behind Access Management

The cybersecurity principle governing this area is called ‘least privilege’ — the idea that every user should have access to exactly what they need to do their job, and no more. An entry-level bookkeeper shouldn’t have access to partner-level client files. A tax preparer shouldn’t have administrative access to your billing system. Least privilege limits the potential damage from both insider threats and external attacks. If a staff member’s account is compromised through phishing, the attacker’s access is bounded by what that account could do.

What a Structured IT Onboarding Process Looks Like

A well-run IT onboarding for a new hire should be triggered before the start date and completed before the employee walks in the door on day one. The checklist includes creating the Microsoft 365 account with the appropriate license, configuring security settings including MFA enrollment, setting file and SharePoint permissions based on the employee’s role, installing and licensing required accounting software, and documenting the new account and its access level. On day one, the employee sits down at a fully configured workstation, logs in to a system that works, and spends their first day learning the firm’s processes — not watching IT troubleshoot their setup.

The Offboarding Checklist That Protects Your Firm

Offboarding should be equally systematic. When an employee departs, the IT offboarding checklist includes disabling the Microsoft 365 account immediately upon departure, transferring ownership of any files or email threads the role needs for continuity, preserving the account’s data per your firm’s retention policy before eventual deletion, revoking access to all third-party applications, and retrieving any firm-owned devices. The timing matters: access revocation should happen on the departure date — not the following week when someone gets around to it. Ma3SP handles this entire process. HR notifies us of a new hire or departure, and we handle the IT side — no scramble, no waiting, no gaps.
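An added example, not part of the original article or Ma3SP's own tooling: a reconciliation of the HR roster against exported tenant data that surfaces the two conditions described above, accounts still enabled after a departure and mail-forwarding rules that keep sending mail out. The CSV column names, the `firm.example` domain and every sample row are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample exports; the column names are assumptions, not a real schema.
HR_ROSTER = """upn,status,departure_date
alice@firm.example,active,
bob@firm.example,departed,2023-03-31
carol@firm.example,departed,2025-01-10
"""
M365_USERS = """upn,account_enabled
alice@firm.example,true
bob@firm.example,true
carol@firm.example,false
dave@firm.example,true
"""
MAIL_FORWARDS = """upn,rule_name,forward_to
bob@firm.example,keep-in-touch,bob.personal@mail.example
alice@firm.example,to-partner,partner@firm.example
"""
FIRM_DOMAIN = "firm.example"  # assumed firm mail domain

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def audit(hr_csv, users_csv, forwards_csv, today):
    """Return (upn, finding) pairs that need an offboarding follow-up."""
    hr = {r["upn"].lower(): r for r in rows(hr_csv)}
    findings = []
    for user in rows(users_csv):
        upn = user["upn"].lower()
        if user["account_enabled"].lower() != "true":
            continue  # disabled accounts are the expected end state
        person = hr.get(upn)
        if person is None:  # possibly a shared or service account; needs an owner
            findings.append((upn, "enabled account not on HR roster"))
        elif person["status"] == "departed":
            left = date.fromisoformat(person["departure_date"])
            findings.append((upn, f"enabled {(today - left).days} days after departure"))
    for rule in rows(forwards_csv):
        upn, target = rule["upn"].lower(), rule["forward_to"].lower()
        external = not target.endswith("@" + FIRM_DOMAIN)
        departed = hr.get(upn, {}).get("status") == "departed"
        if external or departed:
            findings.append((upn, f"forwarding rule '{rule['rule_name']}' -> {target}"))
    return findings

if __name__ == "__main__":
    for upn, finding in audit(HR_ROSTER, M365_USERS, MAIL_FORWARDS, date(2025, 3, 31)):
        print(f"{upn}: {finding}")
```

Running it on a schedule, rather than only on departure day, is what catches accounts that were missed when the person left.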
