This article provides an overview of SOX 404 control Manage Changes.

The typical SOX 404 IT controls for Manage Changes are often divided by change type (emergency, standard etc.) and by system tier (application, database, server, network etc.) however the basic documentation required is the same.

Description: A documented change management approval process exists and is enforced.

Control Objective: Changes cannot be made to the production environment without following the appropriate process and gaining approval.

Typical Evidence:

  1. There is a documented change management process in place.
  2. The process defines/uses change types and categories.
  3. The process defines the actors involved in change process.
  4. The document includes a list of approvers for each type of change.
  5. There is adequate segregation of duties.
  6. The process defines pre and post deployment testing.

For more information please contact Morland-Austin at