Obviously, I was pleased to see some immediate action in that the entities we raised these concerns with were taking them very seriously.
This really comes down to every department making sure that when a new employee is onboarded and given access to IT systems, a good evaluation is done around what access they need to carry out their functions. Also, you need ongoing monitoring. Every year, you should reassess whether those make sense. You should revoke access when an individual transfers to another department or is terminated.
While those processes are in many of the departments we audit, they're not always operating effectively. It's just better vigilance, I think, on a daily basis by IT folks across the government.