Re: So how long...
As far as user accounts are concerned, where I'm at, we are bound by HR's decisions.
In all cases that I can remember, the command
$ mc authorize mod <user> /flag=disable/pass=<arglebargle>
was issued roughly in sync with the door closing behind him/her, after which HR could (and sometimes would) take their own sweet time asking for the account to actually be deleted.
If HR is stupid enough to object to that*, just point to the ICT department's task description, which should include "taking all required steps to prevent unauthorized access", or words along those lines.
* as the request comes in to delete the user's accounts you just answer "done", not "done already a week ago".