Archive for the ‘Compliance’ Category

Research Reveals Compliance Problem

August 13, 2007

Ponemon Institute issued a report that highlights the most common inadequacies in ensuring proper access to systems and data.
http://www.darkreading.com/document.asp?doc_id=131038
Some report findings:

1) Reliance on Manual Processes – Audit and compliance (A&E) staff monitor and test controls by depending almost exclusively on reports generated by others rather than on software tools.

2) Lack of Centralized Control – There is no clear ownership of compliance oversight or of the processes for reporting on and monitoring user access. Fragmentation of data and distribution of responsibility are also issues.

3) Poor Communication and Collaboration – A&E staff do not collaborate with departments that share IT compliance responsibility. Other departments have a poor understanding of risk management and compliance.

4) Inattention to Business Risk – Most organizations do not focus their compliance resources or efforts on risk, and most say they do not have the necessary information to quantify risk.