... change the passwords for any userids he would have had (if you know them all). If he would have had root et al, that means changing that, too. I imagine this is probably fairly obvious. Can't help shortening the virtual legwork, though.
Depending on how well you know said employee, said computer room and whether or not you must do this after he becomes an ex-employee, I'd start on entry points and obvious boxes. In other words, if there's a dial-in authentication system, revoke his access on that first. If he would have had access to a router, change that early. Etc etc. Hmm. Servers providing stuff like NIS should be next.
Wade, who hopes he's not being too obvious.