Technical staff working around the enterprise conducting unsupervised IT activity, often outside normal hours, can also be a worrying sign, both from a risk and a cost perspective. Not every company is large enough to have a full IT department that might spot such issues through system audit trails. This is more common in smaller organizations where some are working more to help themselves than to help the organization that is paying for their IT equipment and the software they use.
ACTION: Do the IT security staff look and think further than just password expiry issues? Make sure that someone is on the lookout for data-theft, IPR theft, time theft (people spending all day on Facebook, etc.), or simple theft of IT assets. Make sure you have a proper asset register and IT audit system in place.