Maybe just help me understand more specifically as I drill down into this. You noted in your opening remarks on system access that there were instances where it was granted but people didn't need it or no longer needed it. It seems to me that it ought not be a complicated matter for systems management that strict requirements are put in place, department to department, to ensure that this is not the case.
Why would that be the case, and why haven't departments come along on this? What should they be doing to address it?