This is not only an information security best practice, but it may also be required for regulatory compliance.
Let's first deal with the information security side of the issue. Inactive user IDs can come back and haunt you in the form of vengeful system access by former users. An ex-employee is considered an insider because his or her user ID may still be active, meaning it's still possible to access your systems. A former employee who leaves on bad terms may be even more likely to wreak havoc on your network than a current employee, but instead of showing up in your logs as a hostile intruder, the attacker will merely be listed among the current users.
Keeping old user IDs active for auditing purposes is also foolish. Access management systems like Active Directory (AD) can be used for tracking and logging historic activity of a user ID without having to keep an account active. There are also forensics tools that do the same.
As for compliance, regulations like Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA) all require regular auditing of access controls and reporting of active accounts. Auditors and regulators won't be happy if they find stale, mistaken or otherwise extraneous user IDs that are not attached to current employees when combing through your reports.
So what you describe, besides not being a best practice, could also land your company into a lot of regulatory trouble.
For more information:
This was first published in June 2007