When we found that there were weaknesses in these access controls, it actually caused us to change our audit approach. We felt that we couldn't rely on a lot of the IT-dependent controls. We had to do different procedures.
We also carried out extra work. We found that nothing came to our attention in that extra work to see that data had been changed inappropriately or that there was a data breach. However, it's important for the government to deal with these issues and make sure that employees only have the access they need to do their jobs.