The greatest concern for an IT risk practitioner when an employee transfers to another department is that unnecessary access permissions have not been removed. Unnecessary access permissions are the access rights or privileges that are no longer needed, relevant, or appropriate for the employee’s new role or responsibility. If these access permissions are not removed, they may pose a significant security risk, as the employee may be able to access, modify, or delete sensitive or critical data and systems that are not related to their current function. This may result in data leakage, fraud, sabotage, or compliance violations. The other options are not as concerning as unnecessary access permissions, as they are related to the organizational, operational, or knowledge aspects of the employee transfer, not the security or risk aspects of the employee transfer. References = Risk and Information Systems Control Study Manual, Chapter 3: IT Risk Response, Section 3.3: IT Risk Response Implementation, page 145.