Ideally, your organization should have standard procedures to remove employee access to the organization’s virtual environment upon termination, including banking, remote access to software and files, debit or credit card information, and various websites. However, there may be other changes at the organization that would necessitate removing or reducing access, such as demotions, transfers to different offices or departments, changes in how information is stored, etc.
A good control to help manage IT access – secondary to the standard procedures – would be to periodically view the access rights for this information and make any changes as necessary. This could be accomplished with a recurring calendar reminder and documented with a simple memo.