During a privileged access review, an IS auditor observes many help desk employees have privileges within systems not required for their job functions. Implementing which of the following would have prevented this situation?

A. Separation of duties
B. Multi-factor authentication
C. Least privilege access
D. Privileged access reviews