You are an information system auditor of HDA Inc. You recently discovered that several employees have gained access to confidential data even though their job profile does not require this access. As an IS auditor, what is your BEST recommendation in this situation?