This article provides an overview of SOX 404 control Manage Operations.

The typical SOX 404 IT controls for Manage Operations are outlined below.

Description: Systems are adequately maintained through standard procedures and processes, vendor management, monitoring, vulnerability management and facilities management.

Control Objective: A documented process exists and is enforced to perform approved operational procedures, manage outsourced IT services, monitor IT infrastructure and manage environments and facilities.

Typical Evidence:

  1. The process describes the patching strategy.
  2. There is a documented process for applying patches.
  3. The process defines when patching will occur.
  4. The process demonstrates that patches are reviewed before implementation.

For more information please contact Morland-Austin at