One thing that every company should look at is the effect called "Accumulated Permissions". This is often caused by individuals within a company moving from one department to another. The knowledge worker has permissions to do job A, and when they are promoted, or transferred into a new role (job B), the permissions to create, read, update, and/or delete information concerning job A might not be removed.
If a person works for an organization long enough, they can accumulate quite a large quantity of technically unnecessary permissions. This obviously creates a potential for abuse from such accumulated permissions, if they belong to a disgruntled, malicious, or unscrupulous employee. Even when under the control of the most loyal and trustworthy employee, such accumulation of permissions are still a danger to the organization because of accidental use of permissions no longer expected to be active, or in the event of an account compromise by someone who means the organization harm.
A yearly, or quarterly, manual review of all roles within an organization, and the actual permissions associated with each account is the only fool-proof way of handling Accumulated Permissions. Such a review requires a joint effort between managers, data owners, data custodians, and information security professionals.
Information Security Companies such as CyberCede Corporation, can assist an organization with internal permission reviews.