Grant Closeout IT Procedures
Grant closeout IT procedures govern the systematic handling of technology assets, data, and access rights when donor-funded projects reach completion. These procedures ensure compliance with donor data retention requirements, proper disposition of grant-purchased equipment, and orderly termination of project-specific system access while preserving audit trails and organisational knowledge.
The IT closeout process begins 90 days before the grant end date and concludes within 30 days after final financial reporting. This timeline allows sufficient time for data archiving, asset disposition decisions, and coordination with finance and programme teams on donor compliance requirements.
Prerequisites
Before initiating grant closeout IT procedures, confirm the following requirements are satisfied:
| Requirement | Detail | Source |
|---|---|---|
| Grant end date confirmed | Final project end date from signed agreement or no-cost extension | Grants management team |
| Closeout timeline received | Finance team’s closeout schedule including reporting deadlines | Finance department |
| Asset register extracted | List of all IT assets purchased under this grant | Asset management system |
| Staff list confirmed | All personnel charged to the grant, including departure dates | HR and project manager |
| Donor requirements documented | Specific IT/data requirements from grant agreement | Grant agreement, donor guidelines |
| Data inventory completed | Catalogue of all project data, locations, and classifications | Project team with IT support |
| Successor arrangements clarified | Whether project continues under new funding, transfers to partner, or terminates | Programme leadership |
Obtain written confirmation from the grants management team that closeout has been authorised. Premature closeout actions create compliance risks; delayed closeout actions result in unnecessary costs and potential data retention violations.
Timeline coordination
IT closeout must align with financial closeout. Asset disposition affects depreciation schedules, and data retention affects audit readiness. Coordinate all IT closeout actions with the finance team’s closeout calendar.
Procedure
Grant closeout proceeds through five phases: data handling, system access termination, asset disposition, documentation, and final verification. Each phase has dependencies on previous phases and coordination requirements with other departments.
+---------------------------------------------------------------------------+| GRANT CLOSEOUT TIMELINE |+---------------------------------------------------------------------------+| || Day -90 Day -60 Day -30 Day 0 Day +30 || | | | | | || v v v v v || +---------+ +---------+ +---------+ +---------+ +---------+ || |Initiate | | Archive | |Terminate| | Grant | | Final | || |& Plan | | Data | |Access | | Ends | | Verify | || +---------+ +---------+ +---------+ +---------+ +---------+ || | | | | | || | Asset | Staff | Final | Audit | || | inventory | offboard | backups | ready | || | review | begins | | | || |+---------------------------------------------------------------------------+Figure 1: Grant closeout timeline showing IT activities relative to grant end date
Phase 1: Initiation and planning
Initiation establishes the closeout scope and identifies all IT components requiring action. This phase runs from day -90 to day -75.
Request the grant agreement and any amendments from the grants management team. Extract all IT-related provisions including:
- Equipment purchase and disposition clauses
- Data retention requirements (duration and format)
- Reporting requirements for IT assets
- Transfer or return obligations
- Intellectual property provisions affecting software or data
Document these requirements in the closeout plan as binding constraints.
Generate the asset report for this grant from the asset management system. Filter by funding source code and verify against original purchase records. The report must include:
Asset ID | Description | Purchase Date | Cost | Location | Current User | ConditionReconcile discrepancies between the asset register and physical inventory before proceeding. Missing assets require incident documentation regardless of value.
Compile the complete data inventory in collaboration with the project team. For each data repository, record:
- Repository name and location (server path, cloud service, application)
- Data classification (per organisational data classification scheme)
- Approximate volume (GB/TB)
- Contains personal data (yes/no, with categories if yes)
- Contains donor-reportable data (yes/no)
- Retention requirement source (donor clause, legal requirement, organisational policy)
- Recommended disposition (archive, delete, transfer)
Project data commonly resides in 5-15 distinct locations including shared drives, cloud storage, email, project management tools, data collection platforms, and local devices.
Identify all system access granted specifically for this project. Query the identity provider for:
- Users with project-specific group memberships
- Service accounts created for project integrations
- External collaborator accounts (partner staff, consultants)
- Application-specific roles tied to the project
Cross-reference with HR records to identify staff departing at project end versus staff continuing on other projects.
Schedule the closeout planning meeting with:
- Project manager
- Grants manager
- Finance representative
- HR representative (if staff departures involved)
- IT closeout lead
Use the meeting to confirm the closeout timeline, assign responsibilities for each phase, and resolve any conflicts between donor requirements and organisational capacity.
Phase 2: Data handling
Data handling ensures project information is retained according to requirements, transferred where appropriate, and securely deleted when no longer needed. This phase runs from day -75 to day -30.
Determine the retention period for each data category by applying the most restrictive requirement from:
- Grant agreement explicit terms
- Donor standard terms (if not specified in agreement)
- Regulatory requirements (GDPR, sector-specific)
- Organisational retention policy
Common donor retention requirements:
Donor type Standard retention Notes USAID 3 years after final expenditure report May extend if audit pending FCDO 7 years from programme end Includes all financial records EU 5 years from final payment 7 years for infrastructure projects UN agencies 7 years minimum Agency-specific variations exist Private foundations Per agreement, commonly 5-7 years Check each agreement When the grant agreement is silent on retention, apply the donor’s standard terms. When no donor requirement exists, apply organisational policy.
Execute data archiving for all data requiring long-term retention. The archive must satisfy these criteria:
- Immutable storage (write-once or versioned with deletion protection)
- Encryption at rest using AES-256 or equivalent
- Geographic redundancy (minimum two locations)
- Documented retrieval procedure
- Retention period enforcement (automatic or procedural)
Create the archive structure:
/archive/grants/[grant-reference]/├── programme-data/│ ├── beneficiary-records/│ ├── activity-reports/│ └── monitoring-data/├── financial-records/│ ├── transactions/│ └── supporting-docs/├── correspondence/└── metadata/├── manifest.json└── retention-policy.txtThe manifest file records: archive date, source locations, file counts, total size, classification level, retention expiry date, and authorised accessor list.
Execute data transfer for data being handed to successor projects, partner organisations, or donors. Before transfer:
- Confirm the data sharing agreement covers this transfer
- Verify recipient’s data protection capabilities match data classification
- Remove data not authorised for transfer (staff personal data, third-party confidential data)
- Generate transfer manifest listing all items
- Obtain recipient acknowledgment
For transfers to partners with lower technical capacity, consider providing data on encrypted physical media rather than electronic transfer. Include decryption credentials via separate secure channel.
Execute secure deletion for data not subject to retention requirements and not being transferred. Secure deletion means:
- For cloud storage: use provider’s secure delete function, verify retention policies do not preserve deleted items
- For on-premises storage: overwrite or cryptographic erasure depending on media type
- For SaaS applications: use in-app deletion, verify backup retention periods, request written confirmation from vendor if required
- For email: delete from mailboxes and purge from recoverable items; archive anything subject to retention before deletion
Document all deletions with timestamps, data descriptions, deletion method, and operator identity.
Handle personal data according to data subject rights and legal requirements. Project closure does not automatically authorise deletion of personal data if retention obligations exist. Conversely, project closure does not extend the legal basis for processing personal data beyond original purposes.
For beneficiary data:
- Retain for audit purposes per donor requirements
- Do not retain for purposes beyond original consent/legal basis
- Apply pseudonymisation or anonymisation where full identification is no longer required
- Update privacy notices if data controller responsibilities transfer
Document all personal data disposition decisions for GDPR accountability.
Deletion timing
Do not delete any data until the final financial report has been submitted and acknowledged. Audit queries may require access to supporting data. Premature deletion creates compliance violations that cannot be remedied.
Phase 3: System access termination
System access termination removes project-specific access rights while preserving access needed for ongoing organisational roles. This phase runs from day -45 to day 0, coordinated with HR offboarding for departing staff.
Categorise all users with project access into disposition groups:
Category User type Access action Timing A Staff departing organisation Full offboarding Per departure date B Staff continuing, no project role Remove project access only Day -7 C External collaborators Account termination Day -14 D Service accounts Disable after final data operations Day 0 E System administrators Remove project-specific privileges Day +7 Category A users follow standard offboarding procedures with enhanced attention to project data handover. Category B users require careful separation of project access from organisational access.
For Category A (departing staff), coordinate with HR on departure timeline and initiate standard offboarding procedures. Ensure project-specific handover occurs before departure:
- Passwords and credentials for project-specific services
- Documentation of project-specific configurations
- Data locations and access methods
- Vendor contacts and account information
- Pending issues or unfinished work
Complete knowledge transfer before the final working day. Last-day handovers fail.
For Category B (continuing staff), remove project-specific access without disrupting other access:
- Remove from project security groups/distribution lists
- Revoke project application roles
- Remove from project file shares and cloud folders
- Update any shared credentials (rotate if shared with departing staff)
- Communicate changes to affected users with rationale
Execute 7 days before grant end to allow issue identification while project team remains available.
For Category C (external collaborators), terminate accounts entirely unless other active projects require continued access:
- Disable accounts 14 days before grant end
- Allow 7-day window for data retrieval requests
- Delete accounts 7 days before grant end
- Notify external users of termination with adequate notice
- Provide export of any personal data they created
Document all external account terminations for audit trail.
For Category D (service accounts), disable after final data operations are complete:
- Identify all automated processes, integrations, and scheduled tasks
- Ensure final backups and data exports complete successfully
- Disable service accounts on grant end date
- Delete service accounts 30 days after grant end (allows for unexpected needs)
- Rotate any credentials that were shared across projects
Test that dependent systems fail gracefully when service accounts are disabled.
For Category E (administrators), remove project-specific administrative privileges 7 days after grant end:
- Remove from project administration groups
- Revoke delegated permissions for project systems
- Maintain standard IT administrative access
- Ensure closeout documentation is complete before removing access
Phase 4: Asset disposition
Asset disposition determines the final destination of equipment purchased with grant funds. Donor agreements commonly restrict disposition options; organisational policy governs when donor terms are silent. This phase runs from day -60 to day +14.
+------------------------------------------------------------------------------------+| ASSET DISPOSITION DECISION |+------------------------------------------------------------------------------------+| || Asset disposition entry || | || v || +-----------------+-----------------+ || | Donor requires return | || | or specifies disposition? | || +-----------------+-----------------+ || | || +----------+----------+ || | | || YES NO || | | || v v || +-----------------------+ +-----------------------+ || | Follow donor | | Asset value | || | requirements | | > threshold? | || | exactly | | (usually $5,000) | || +-----------------------+ +-----------+-----------+ || | || +---------+---------+ || | | || YES NO || | | || v v || +-------------------+ +-------------------+ || | Obtain donor | | Apply | || | approval for | | organisational | || | disposition | | policy | || +---------+---------+ +---------+---------+ || | | || +-------------+-------------+ | || | | | | || v v v | || +-----------+ +-----------+ +-----------+ | || | Return | | Transfer | | Keep | | || | Donor | | Partner | | Org | | || +-----------+ +-----------+ +-----------+ | || | || +--------------+--------------+ || | | | || v v v || +-----------+ +-----------+ +-----------+ || | Keep | | Transfer | | General | || | Org | | Partner | | Disposal | || +-----------+ +-----------+ +-----------+ || |+------------------------------------------------------------------------------------+Figure 2: Asset disposition decision tree based on donor requirements and value thresholds
Review grant agreement asset provisions. Common disposition frameworks:
US Government grants (USAID, State, CDC): Equipment with acquisition cost over $5,000 requires written disposition instructions from the awarding agency. Options typically include: continued use on other federal projects, transfer to another federal recipient, return to federal government, or sale with proceeds returned. Equipment under $5,000 may be retained without approval.
UK Government grants (FCDO): Assets generally remain with the implementing organisation unless the agreement specifies otherwise. Transfer to partner organisations or successor projects is common. Disposal of high-value assets may require notification.
EU grants: Durability obligations may require maintaining assets in project use for a specified period (commonly 5 years for infrastructure). Equipment purchased with EU funds may require prior approval for disposition.
Private foundations: Requirements vary significantly. Review each agreement.
For assets requiring donor approval, submit disposition requests at least 60 days before grant end:
ASSET DISPOSITION REQUESTGrant Reference: [number]Grant End Date: [date]Asset Details:- Description: [item]- Asset ID: [number]- Acquisition Date: [date]- Acquisition Cost: [amount]- Current Condition: [good/fair/poor]- Current Location: [location]- Current User: [name/role]Requested Disposition: [return/transfer/retain/sell/dispose]Justification: [explanation]If transfer/retain: Proposed use: [description]If sell: Estimated fair market value: [amount]Submitted by: [name]Date: [date]Track request status and follow up if no response within 30 days.
For assets to be returned to donor, coordinate logistics:
- Confirm shipping address and contact
- Wipe all organisational data from devices
- Reset devices to factory configuration where possible
- Package securely for transport
- Obtain shipping confirmation and receipt acknowledgment
- Retain proof of return for audit file
For assets to be transferred to partner organisations:
- Confirm donor approval if required
- Execute transfer agreement documenting:
- Asset details and condition
- Transfer date
- Acknowledgment of receipt
- Any continuing obligations (maintenance, return conditions)
- Wipe organisational data, provide clean installation if applicable
- Update asset register to reflect transfer
- Retain signed transfer documentation
For assets to be retained for organisational use:
- Confirm donor approval if required
- Reallocate in asset management system (change funding source, cost centre)
- Reassign to new user or pool
- Update configuration for new use context
- Remove project-specific data, accounts, and configurations
- Document retention decision and approval
For assets to be disposed:
- Confirm donor approval if required
- Follow organisational disposal procedures including:
- Secure data destruction (certificate required for storage devices)
- Environmental compliance for electronics disposal
- Donation to qualified organisations if appropriate
- Sale with proceeds handled per donor requirements
- Document disposal method, date, and any proceeds
Update the asset register to reflect all dispositions. Final asset report for the grant should show:
Asset ID Description Acquisition cost Disposition Date Evidence reference IT-2021-0142 Laptop Dell Latitude 5520 $1,200 Retained - reassigned 2024-03-15 Internal memo ref IT-2021-0143 Projector Epson EB-X51 $650 Transferred to Partner X 2024-03-10 Transfer agreement IT-2022-0089 Server Dell PowerEdge R450 $8,500 Returned to donor 2024-03-20 Shipping receipt
Phase 5: Documentation and verification
Documentation creates the audit trail demonstrating compliance with donor requirements and organisational policies. This phase runs from day -14 to day +30.
Compile the IT closeout file containing:
- Closeout plan (from Phase 1)
- Data handling documentation:
- Archive manifest and location details
- Transfer records with recipient acknowledgments
- Deletion certificates with timestamps and methods
- Personal data disposition register
- Access termination records:
- User disposition list with action dates
- External account termination notices
- Service account inventory and status
- Asset disposition documentation:
- Final asset inventory
- Donor disposition requests and approvals
- Transfer agreements
- Disposal certificates
- Return shipping receipts
- Exceptions register with approvals
Execute final backup of all retained project data before archive migration:
Terminal window # Example backup verificationrestic backup /project/[grant-ref]/ --tag "final-closeout"restic checkrestic snapshots --tag "final-closeout"Verify backup integrity before confirming archive migration complete. Retain backup for 30 days after archive confirmation as recovery option.
Generate the IT closeout summary report for inclusion in the grant closeout package:
IT CLOSEOUT SUMMARY REPORTGrant Reference: [number]Grant Period: [start] to [end]IT Closeout Period: [start] to [completion date]IT Closeout Lead: [name]DATA HANDLINGArchived: [X] repositories, [Y] GB, retention until [date]Transferred: [X] datasets to [recipients]Deleted: [X] repositories, [Y] GBArchive Location: [location reference]ACCESS TERMINATIONStaff offboarded: [X]Project access removed: [X]External accounts terminated: [X]Service accounts disabled: [X]ASSET DISPOSITIONTotal assets on grant: [X] items, $[total value]- Retained: [X] items, $[value]- Transferred: [X] items, $[value]- Returned to donor: [X] items, $[value]- Disposed: [X] items, $[value]EXCEPTIONS[List any items not completed per standard procedures with explanation]CERTIFICATIONI certify that IT closeout procedures have been completed in accordancewith donor requirements and organisational policies.Signature: _________________ Date: _________IT Closeout LeadConduct final verification 30 days after grant end:
- Confirm all user access terminated (test login attempts)
- Verify archived data accessible and intact
- Confirm deleted data irrecoverable
- Validate asset register accuracy
- Test archive retrieval procedure
Document verification results. Any failures require immediate remediation.
Transfer closeout documentation to grants management for the official grant file. IT retains copies per organisational records retention policy.
Verification
Successful grant closeout completion is confirmed when all of the following conditions are satisfied:
| Verification item | Method | Pass criteria |
|---|---|---|
| Data archiving complete | Access archive, verify contents against manifest | All listed items present, checksums match |
| Data deletion confirmed | Attempt to access deleted locations | Access denied, no recoverable data |
| Staff access terminated | Query identity provider for project group membership | Zero members in project groups |
| External accounts removed | Search directory for external collaborator accounts | No active accounts found |
| Service accounts disabled | Attempt authentication with service credentials | Authentication fails |
| Assets reconciled | Compare final inventory to closeout report | 100% of assets accounted with evidence |
| Documentation complete | Review closeout file against checklist | All required documents present |
| Archive retrieval tested | Execute retrieval procedure for sample data | Data retrieved within expected timeframe |
Verification must be performed by someone other than the closeout lead to ensure independent confirmation.
Troubleshooting
| Issue | Symptom | Cause | Resolution |
|---|---|---|---|
| Missing assets | Physical inventory count differs from register | Unrecorded transfers, theft, or loss | Document discrepancy, file incident report, notify grants management |
| Donor requirements unclear | Grant agreement silent on IT/data provisions | Agreement predates standard IT clauses | Request clarification from donor in writing before proceeding |
| Staff departed before handover | Critical knowledge not transferred | Departure timeline compressed, inadequate planning | Reconstruct from documentation, contact departed staff if possible |
| Cannot access project data | Authentication failures to project systems | Access already revoked prematurely | Use administrative access to recover, review revocation sequence |
| Archive storage insufficient | Archive migration fails due to capacity | Underestimated data volume | Expand storage allocation, prioritise highest-retention data |
| Donor approval delayed | Disposition deadline passing without response | Donor internal processes, unanswered requests | Escalate through grants management, document attempts |
| Personal data retention conflict | Donor requires retention beyond GDPR basis | Conflicting legal requirements | Seek legal guidance, document decision rationale |
| Partner refuses transfer acknowledgment | Partner organisation unwilling to sign | Liability concerns, capacity issues | Negotiate acceptable terms, consider alternative disposition |
| Service account dependencies unknown | Disabling account breaks unknown systems | Inadequate documentation of integrations | Enable account temporarily, trace dependencies, update documentation |
| Financial closeout timeline conflict | Finance requires data IT has deleted | Misaligned closeout schedules | Recover from backup if available, coordinate timelines for future closeouts |
| Audit query after closeout | Auditor requests data from archived grant | Normal audit process | Execute archive retrieval procedure, provide requested data |
| Encryption key unavailable | Cannot access archived encrypted data | Key management failure | Check key escrow, hardware security modules; if unrecoverable, document incident |
| Vendor data deletion unverified | SaaS provider cannot confirm deletion | Provider process limitations | Request written statement of deletion policy, accept residual risk if compliant |
| Beneficiary data subject request | Individual requests data after project closure | GDPR right of access | Retrieve from archive, respond within regulatory timeframe |
See also
- Technology Handover -for structured handover of systems and knowledge
- Data Retention and Records -for organisational retention requirements
- Donor IT Requirements -for donor-specific IT compliance
- User Offboarding -for standard offboarding procedures
- Data Archiving -for archiving procedures and standards
- Disposal and Decommissioning -for asset disposal procedures