Anyone Have Problem Resolution/Management Controls? 1876



  • First off, thanks to everyone contributing to these forums, you provide a much needed source of information.
    How many of you have Problem Resolution/Management as an IT Process Area that you have key controls for in your SOX 404 processes? I have a new external auditor that is insisting that we add a process for this (i.e. problem resolution controls for user issues in the ERP system) with key controls or she’ll more than likely put a design deficiency down. I explained that I’ve gone through SOX audits with 4 different companies, passed, and never had a deficiency for not having Problem Resolution/Management controls in place. Does anyone here have these types of key controls in place, or has anyone been dinged for not having them? Any input/insight would be greatly appreciated.



  • Hi and welcome to the forums 🙂
    I voted YES … although we don’t call it ‘Problem Resolution/Management’ … However, we have highly formalized ‘Incident Tracking and Resolution systems’, ‘Change Management’, and ‘Software Change Controls’. I see all 3 of these blending in to provide an overall foundation for Problem Resolution Management.
    SOX 404 mandates the best practices in security and IT controls for financial systems (e.g., it should encompass all systems for uniformity and so that the weakest link is not compromised from a security perspective).
    If you have the framework of ‘Incident Tracking and Resolution systems’, ‘Change Management’, and ‘Software Change Controls’ in your company, maybe working with the auditor and users to blend these into a good problem tracking system would be valuable, not only in better meeting SOX-related goals in this area. Also, user-requested changes and ideas would be formalized so that they wouldn’t be lost, which adds value to the process.
    The COBIT 4.0 standards in particular document acceptable IT practices that the big 4 audit firms like, so these may be of help. I’m an IT professional, so I may also not be interpreting what is required properly either 🙂



  • I also voted yes and I’m in agreement with Harry.
    We also don’t call it ‘Problem Resolution’, but we do have a system that keeps track of system issues, system changes/updates, and access controls. Unfortunately, we’ve bundled all of these into separate individual trackers (instead of one that can do it all) within Lotus Notes. There are certainly other ways to circumvent the requirements, but sometimes you have to make do with what you have.
    It’s been even more fun attempting to ‘force’ users to use the new system.



  • I voted no.
    Problem management means managing frequently occurring incidents, tracking the root cause and possible mitigation. It includes managing a knowledge base of such incidents too. Though it directly feeds to change management and configuration management frequently, having controls at these levels makes having problem management as a key control redundant.
    If you have good controls around change and configuration management you don’t need Problem management as a key control. You can reason that with the external auditor. Many times problem management is an integral part of the incident management/service management and it’s bundled with them as a key control. This sounds fine but I won’t think of it as a key control on its own.
    I would also disagree that SOX404 mandates the best practices in security and IT controls. I wish it were so, but it’s hardly the case.
    Calvin



  • Problem management means managing frequently occurring incidents, tracking the root cause and possible mitigation. It includes managing a knowledge base of such incidents too. Though it directly feeds to change management and configuration management frequently, having controls at these levels makes having problem management as a key control redundant.
    Thanks for clarifications on this 🙂 Our automated Service Desk (aka Help Desk) incident reporting software does provide root cause analysis, KB, and other advanced features that are part of a true Problem Management system.

