overlapping controls among different regulations 1805



  • I am new to this forum.
    I research what should be collected from logs to control compliance with regulations such as SOX, HIPAA, GLBA, PCI, etc. These regulations overlap by requiring control on users' behaviour, accesses and changes.
    However, these overlaps are very general. I consider the control of Separation of Duties (SoD) one way to achieve these overlapping requirements. The questions are:
    1- do you agree with me about SoD?
    2- do you see any other broad principle(s) apart from SoD?
    3- the 4-eyes principle (a single person should not control a critical process on its own) is a sub-set of SoD called an operation-based SoD. The ideal situation would be to monitor all types of SoD (e.g. object-based, static, dynamic); however, I believe there should be a balance between the granularity of monitoring and the cost involved in it. The question: what is the level of control that organizations should have to prove compliance with these external regulations?
    4- are there any other principles at the level of the 4-eyes principle which could be considered as guidelines for monitoring?
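A minimal check of the kind the log monitoring asked about above would run, distinguishing operation-based SoD (the same person creates and approves one transaction) from static SoD (one person holding two conflicting roles). This is an added example, not part of the original thread or any of its posts; the log format, user names, role names and the conflicting-role pair are constructed assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample audit records (not taken from any real system):
# one row per workflow step of a payment approval process.
SAMPLE_LOG = """txn,step,user,role
T100,create,alice,ap_clerk
T100,approve,bob,ap_manager
T101,create,carol,ap_clerk
T101,approve,carol,ap_manager
T102,create,dave,ap_clerk
T102,approve,dave,ap_clerk
T103,create,erin,ap_clerk
"""

# Static SoD rule (assumed): role pairs a single person should never hold together.
CONFLICTING_ROLES = {frozenset({"ap_clerk", "ap_manager"})}


def parse_log(text):
    """Parse CSV audit records into a list of dicts with txn/step/user/role keys."""
    return list(csv.DictReader(StringIO(text)))


def four_eyes_violations(records):
    """Operation-based SoD: transactions where one user both created and approved."""
    steps = defaultdict(dict)          # txn id -> {step name: user}
    for r in records:
        steps[r["txn"]][r["step"]] = r["user"]
    return sorted(t for t, s in steps.items()
                  if "create" in s and "approve" in s and s["create"] == s["approve"])


def static_sod_violations(records):
    """Static SoD: users observed acting under a conflicting pair of roles."""
    roles = defaultdict(set)           # user -> set of roles seen in the log
    for r in records:
        roles[r["user"]].add(r["role"])
    return sorted(u for u, rs in roles.items()
                  if any(pair <= rs for pair in CONFLICTING_ROLES))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("4-eyes violations:", four_eyes_violations(recs))   # T101 and T102
    print("static SoD violations:", static_sod_violations(recs))  # carol only
```

Note that dave trips the 4-eyes check without holding conflicting roles, while carol trips both; the two checks need different log fields (transaction linkage versus role assignment), which is exactly the granularity-versus-cost trade-off raised in the question.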



  • 1. I think that SoD is one of the most logical approaches to avoid fraud and spot errors at an early stage.
    2. Another broad approach I am fond of is high-level reviews and monitoring by Management. This allows for them to take more responsibility for the process and keeps employees on their toes. It also covers the ‘tone at the top’ concept by showing a serious interest in what is going on within an organisation.
    3 and 4) I am not that familiar with the 4-eyes principle. It sounds like another term for SoD - but I would agree that there always needs to be some sort of balance between monitoring and cost.
    If you are not already familiar with the COSO concepts, I would recommend that you read them as they supply many alternatives in order to cover off each concept. Their recent small companies guidance supplies recommendations as to how to approach a lack of segregation of duties issue due to a small team of employees.


  • Hi and welcome to the forums 🙂 Below are some ideas:
    1- do you agree with me about SoD?
    Yes, as SoD provides ‘checks and balances’ so that an employee cannot do one-stop shopping when it comes to fraud. Each of these regulatory requirements ‘stands on its own’. While some commonality exists, you have to ensure SOX, HIPAA, and all other regulations are fully met. Laying out compliancy requirements in a matrix format might still help with this process.
    2- do you see any other broad principle(s) apart from SoD?
    1. The best practices in IT security are required in each of these
    2. Autonomy levels (approval hierarchy for financial transactions that are larger than the norm) are beneficial
    3. Documentation is required for each regulatory requirement
    4. Policies, procedures, and standards all help in ensuring folks know their roles and responsibilities.
    5. Change Control and Change Management - to formally capture and communicate IT or major business changes to key recipients
    3- the 4-eyes principle (a single person should not control a critical process on its own) is a sub-set of SoD called an operation-based SoD. The ideal situation would be to monitor all types of SoD (e.g. object-based, static, dynamic); however, I believe there should be a balance between the granularity of monitoring and the cost involved in it. The question: what is the level of control that organizations should have to prove compliance with these external regulations?
    Hopefully, well written guidelines and standards can help control costs. I believe that good planning and an investment in training help make a difference in doing it effectively and efficiently.
    4- are there any other principles at the level of the 4-eyes principle which could be considered as guidelines for monitoring?
    Internal Audit (IA) can help ascertain controls as they conduct departmental or special audits. They can help promote the need to take workflow and compliancy needs seriously. Also, when management backs the process, it puts it in everyone’s best interest to succeed.


  • Thanks for the feedback.
    As advised, could you pinpoint to me the COSO documentation/publication which can help identify common controls, please?



  • Hi - This thread has info related to COSO representing many preferable financial controls … If you need the complete set of standards, this will need to be purchased. Still, some of the links shared can provide general info and executive summaries. Also, COBIT represents the recommended IT based framework.
    Info on obtaining COSO
    http://www.sarbanes-oxley-forum.com/modules.php?name=Forums-and-file=viewtopic-and-t=1799
    More on COSO, COBIT, and SOX
    http://www.sarbanes-oxley-forum.com/modules.php?name=Forums-and-file=viewtopic-and-t=1516



  • You can also go to their website
    COSO.org (sorry I cannot get a hyperlink on it).
    Unfortunately their guidance has to be purchased - but it is well worth it, as an external auditor is unlikely to argue with any control that is compliant with COSO guidance and recommendations.

