To return to the original question quickly, the problem is more one of procedure than anything else. As is often the case in large organisations, there is a procedure for the creation of user accounts but there is none for the deletion of accounts when the employee leaves. The IT department is right in saying that for them the person is still in the company, as they have not received a demand to delete the account. Of course it is up to the IT department to decide on how it wants to manage its user base. As for the reasons given for keeping the accounts, that just translates into:
"We are too lazy to tidy up our mess."
I have seen in a couple of places a risk management department. Normally it deals with all the different types of security risks in the corporation, from IT security to physical risks to fraud. Normally it is not only independent but also placed on a higher level on the organigram than most other departments.