Cross-departmental checks
1) What are cross-departmental checks
Cross-departmental validation is the joint verification of processes and controls that pass through several functions (for example, Product → Engineering → SecOps → Legal/DPO → Payments → Support → Marketing). The goal is to confirm that the end-to-end scenario runs correctly, that policy requirements are met, and that the evidence is audit-ready.
Key values:
- detection of interface ("junction") risks and SoD conflicts;
- unified interpretation of requirements and elimination of "gray areas" of responsibility;
- faster CAPAs and prevention of recurrences.
2) When to start (triggers)
New/changed regulatory requirements or jurisdictions.
Significant releases/migrations (architecture, payments, data).
Incidents (information security/privacy/payments) and post-mortems.
Preparation for external audit/certification.
Regular calendar (quarter/half year) by high-risk domains.
3) Scenarios (end-to-end) - what to check
Choose end-to-end cases where cross-functionality is maximal:
- Privacy/DSAR: subject request → export/delete → notification → logging.
- Access management: request → approval → provisioning → admin log → re-certification.
- Chargeback: trigger → evidence collection → response to fraud CAPA → provider.
- Advertising campaign: approval of materials → targeting → tracking of opt-outs/consents → archive of evidence.
- Security incident: detection → isolation → Legal Hold → notifications → post-mortem → CAPA.
- Data retention/deletion: TTL trigger → confirmation of destruction by sub-processors → reporting.
4) Roles and RACI
(R — Responsible; A — Accountable; C — Consulted; I — Informed)
5) Methodology: how to conduct
Walkthrough: a demonstration of the end-to-end case "from policy to logs."
ToD (Test of Design): check the existence and quality of control statements, roles, procedures, metrics.
ToE (Test of Operating Effectiveness): verification of control stability in the period (sampling for 30-90 days).
Reperformance: an independent repetition of the operation (for example, DSAR export, access revocation, payment steps).
Negative testing: attempts to bypass a control (SoD, limits, secret scanning).
6) Sampling and stratification
Risk-based: larger n for critical jurisdictions/roles/payment methods.
Stratification: by region, customer type, channel (web/app), time of day/load.
Combinations: random + target (threshold boundaries, edge cases).
- Critical: n ≥ 25 per domain + key step reperforms.
- High: n ≥ 15; Medium: n ≥ 8; Low: n ≥ 5.
7) Dependency and SoD management
Dependency matrix: services, vendors, keys, data, roles.
Separation of duties (SoD) rule: prohibition on combining approval and the critical action itself in one person.
Change freeze during tests of critical end-to-end loops, or strict versioning.
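As an added example (not part of this wiki, constructed events and hypothetical role names), a small check for the SoD rule above (the same actor approving and executing one request) and for the "dependence on one person" antipattern (a role with a single holder):

```python
# Added example (not from the wiki page): a minimal SoD check over constructed
# approval/execution events of the form (request_id, actor, step).
# A conflict is the same actor both approving and executing the same request;
# a "single-holder" role is held by exactly one person (key-person risk).
from collections import defaultdict

# Constructed sample events: access-management and payments requests.
EVENTS = [
    # request_id, actor,   step
    ("REQ-101", "alice", "approve"),
    ("REQ-101", "bob",   "execute"),   # clean: approver != executor
    ("REQ-102", "carol", "approve"),
    ("REQ-102", "carol", "execute"),   # SoD conflict: approved own change
    ("REQ-103", "dave",  "execute"),   # executed with no approval recorded
]

# Constructed role assignments; the role names are hypothetical.
ROLE_HOLDERS = {
    "payments-approver": {"alice", "carol"},
    "iam-admin": {"bob"},              # only one holder -> key-person risk
    "dpo-reviewer": {"erin", "frank"},
}


def find_sod_conflicts(events):
    """Return (conflicts, unapproved): conflicts are (request_id, actor) pairs
    where one actor approved and executed the same request; unapproved are
    requests that were executed without any approval step."""
    steps = defaultdict(lambda: {"approve": set(), "execute": set()})
    for request_id, actor, step in events:
        steps[request_id][step].add(actor)
    conflicts, unapproved = [], []
    for request_id, s in sorted(steps.items()):
        for actor in sorted(s["approve"] & s["execute"]):
            conflicts.append((request_id, actor))
        if s["execute"] and not s["approve"]:
            unapproved.append(request_id)
    return conflicts, unapproved


def single_holder_roles(role_holders):
    """Roles that depend on exactly one person."""
    return sorted(r for r, holders in role_holders.items() if len(holders) == 1)


if __name__ == "__main__":
    conflicts, unapproved = find_sod_conflicts(EVENTS)
    print("SoD conflicts:", conflicts)                # [('REQ-102', 'carol')]
    print("Executed without approval:", unapproved)   # ['REQ-103']
    print("Single-holder roles:", single_holder_roles(ROLE_HOLDERS))  # ['iam-admin']
```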
8) Evidence and immutability
All artifacts (uploads, configs, screencasts, reports) are stored in WORM/Object Lock with hash receipts.
Chain of Custody: who/when/why collected/read evidence.
Time synchronization and trace IDs (trace_id, request_id).
Bind each step to a Control Statement and a metric.
9) Integration with CAPA and re-audit
For each finding: a CAPA (Corrective/Preventive, deadlines, owner, compensating measures).
Mandatory re-audit in 30-90 days for critical cases.
Updating policy-/assurance-as-code: CCM rules, CI/CD gates, metric thresholds.
10) Metrics and KRI
Coverage Rate: % of key end-to-end scenarios tested per quarter.
First-Pass Close: proportion of checks without critical findings.
On-time CAPA: % of measures completed on time (by severity).
Repeat Findings (12 months): trend of repetitions by domain/jurisdiction.
Controls Pass Rate: the proportion of green CCM rules associated with the scenario.
Evidence Completeness (100% target for Critical/High).
SoD Violations: Identified/Resolved Conflicts of Duty.
Vendor Mirror SLA: confirmation of mirror measures from critical providers.
11) Dashboards (minimum)
Scenario Pipeline: Planned → In Progress → Findings → CAPA → Re-audit.
Cross-Domain Heatmap: risks/findings by function (IAM, Privacy, Payments, Marketing, Support).
Dependency Map: nodes/vendors/controls, "red" zones.
Evidence Readiness: presence of WORM/hashes/screencasts by case.
CAPA & Drift: status of measures, drift observation over 30-90 days.
12) SOP (standard procedures)
SOP-1: Planning
Define high-risk topics → select 2-4 end-to-end scenarios per quarter → assign owners → agree on a calendar and freeze windows.
SOP-2: Conduct
Kick-off → walkthrough → ToD/ToE → reperformance → negative testing → evidence collection → daily sync updates.
SOP-3: Report and Solutions
Criteria → Fact → Impact → Recommendation Framework → Close/Extend/Escalate → Report and Metrics Publication.
SOP-4: CAPA and follow-up
Record CAPA in GRC → compensatory measures (if necessary) → deadlines and RACI → execution dashboard.
SOP-5: Re-audit and surveillance
After 30-90 days: resampling and sanity check → updating CCM rules/policies → closing the cycle.
13) Artifact patterns
13.1 Check plan (one-pager)
Scenario, Objectives, Jurisdictions
Controls/policies under check
Samples and methods
Risks/dependencies/SoD
Timeline, roles, communication channels
13.2 Finding card
Criterion (policy/control) → Actual → Impact → Recommendation
Severity, residual risk
Evidence (links/hashes)
CAPAs: measures, owner, due, KPIs, compensating controls
13.3 Evidence pack
1. Policies/Standards/SOPs (versions, diffs)
2. Log/config samples (CSV/JSON, hash receipts)
3. Screencasts/screenshots with timestamps
4. CCM/metrics and test reports
5. Final report and decisions of the Committee
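As an added example (not part of this wiki), the evidence pack above and the requirements of section 8 (hash receipts, chain of custody, binding to a Control Statement) in code: a manifest with a SHA-256 receipt per artifact, a who/when/why custody log, and a verification that flags any altered, missing or unlisted artifact. Artifacts are constructed in-memory bytes and the CS-* control IDs are hypothetical.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed evidence artifacts (in-memory stand-ins for pack files).
ARTIFACTS = {
    "sop-dsar-v3.md": b"# SOP DSAR v3\nexport -> delete -> notify -> log\n",
    "dsar-log-sample.json": b'[{"request_id":"DSAR-7","trace_id":"t-1","status":"deleted"}]\n',
    "ccm-report-q3.csv": b"rule,status\nCCM-DSAR-TTL,green\n",
}
# Hypothetical control statement IDs bound to each artifact.
CONTROL_BINDING = {
    "sop-dsar-v3.md": "CS-PRIV-01",
    "dsar-log-sample.json": "CS-PRIV-01",
    "ccm-report-q3.csv": "CS-PRIV-04",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(artifacts, binding, collector, purpose, ts=None):
    """Hash receipt + control binding per artifact, and the first custody entry."""
    ts = ts or datetime.now(timezone.utc).isoformat()
    receipts = {name: {"sha256": sha256_hex(data), "control": binding[name]}
                for name, data in sorted(artifacts.items())}
    manifest = {"receipts": receipts, "custody": [
        {"who": collector, "when": ts, "why": purpose, "action": "collected"}]}
    # The manifest hash is the single receipt to record next to the WORM object.
    manifest["manifest_sha256"] = sha256_hex(json.dumps(receipts, sort_keys=True).encode())
    return manifest

def log_access(manifest, who, why, ts=None):
    """Chain of custody: every read of the pack is recorded as who/when/why."""
    ts = ts or datetime.now(timezone.utc).isoformat()
    manifest["custody"].append({"who": who, "when": ts, "why": why, "action": "read"})

def verify_pack(manifest, artifacts):
    """Names that are missing, altered (hash mismatch) or absent from the manifest."""
    bad = [n for n, r in manifest["receipts"].items()
           if n not in artifacts or sha256_hex(artifacts[n]) != r["sha256"]]
    bad += [n for n in artifacts if n not in manifest["receipts"]]
    return sorted(bad)

if __name__ == "__main__":
    m = build_manifest(ARTIFACTS, CONTROL_BINDING, "auditor-1", "Q3 DSAR e2e check")
    log_access(m, "legal-2", "external audit preparation")
    print(verify_pack(m, ARTIFACTS))  # []
    tampered = dict(ARTIFACTS, **{"ccm-report-q3.csv": b"rule,status\nCCM-DSAR-TTL,red\n"})
    print(verify_pack(m, tampered))  # ['ccm-report-q3.csv']
```

Storing `manifest_sha256` with the WORM/Object Lock receipt lets a later re-audit prove that neither the artifacts nor the manifest itself changed.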
14) Communications and culture
Single channel (portal/GRC) with request numbering and response SLAs.
"One voice" in external sessions/audits, prepared scripts for difficult questions.
No blame: focus on processes and preventing recurrences.
Sharing best practices and patterns, an internal case library.
15) Antipatterns
Checking "within the department" without end-to-end tracing.
"Paper" proofs without logs/hashes/WORM.
No binding to control statements/metrics (immeasurability).
Ignoring SoD and dependence on one person.
CAPA without preventive/compensatory measures, without re-audit.
One-time checks without calendar and prioritization by risk.
16) Maturity model (M0-M4)
M0 Ad-hoc: occasional checks, no method/metrics.
M1 Planned: quarterly calendar, basic templates and roles.
M2 Managed: risk-based sampling, WORM-evidence, dashboards, CAPA linking.
M3 Integrated: policy-/assurance-as-code, CI/CD gates, automatic reports.
M4 Continuous Assurance: predictive KRIs, recommendation scenarios, continuous sanity-checks, and drift monitoring.
17) Related wiki articles
Re-audits and follow-up
Remediation Plans (CAPAs)
Continuous Compliance Monitoring (CCM)
Policy and compliance repository
Legal Update Tracking/Regulatory Change Alerts
Logging and Audit Trail
External audits by external auditors
Partner Compliance Guide
Summary
Cross-departmental checks turn the "interfaces" between functions from a risk area into a control area: end-to-end scenarios, measurable controls, immutable evidence and a closed loop CAPA → re-audit. This approach makes compliance predictable, speeds up external audits, and reduces the likelihood of repeat violations.