
Performing an Audit of an Incident Management System

By: Mitchell H. Levine, CISA
Audit Serve, Inc.

Traditional audits of incident management systems focused on determining whether problems were properly routed through level 1 support, whether they were properly categorized, and whether they were escalated to management when not addressed in a timely manner.

When performing an audit of an incident management system, the first question that must be asked is: who are the submitters of the problems?

The submitters of problems could be external customers, internal employees, and business partners. The other related question is whether the company has a single point of entry for the submission of problems or many points of submission based on the organization’s structure.


Problem management, or incident management, systems have changed in the last few years. Companies are rolling out web-based systems for customer access which allow customers to help themselves. These systems provide solution-based responses based on the specific symptoms entered by the customer. They are also used by Level 1 support to provide immediate solutions for customers calling in. These systems reach a mature state when they are continuously updated based on the problems being resolved.

Audit question: Does a knowledge-based system exist of resolutions for specific problems?

Audit Compliance Test: Perform a review of the knowledge-based system and determine whether it sufficiently covers all areas covered by the incident management system.

During the analysis stage of a problem, a determination is made of whether it is a defect which requires a software change. Once this determination is made, a process must exist to route the information to the software development group so that they can perform the additional analysis required to validate whether it is a defect. Once the software development group claims ownership of the problem, a process must be in place to report back to the incident management system the status of the defect and the stage it has reached in its fix life cycle.

Audit questions:

(1) Does the incident management system route problems to the software development system used to track defects?

(2) Does the defect tracking system provide updates to the problem management system for the various stage transitions?

(3) Is there a method to systematically trace a bug through the incident management and defect tracking system?
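One way to test the three questions above against data is to reconcile an export from each system. The following is an added example, not part of the original article; the CSV column names, status values and sample records are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample exports; the column names and status values are assumptions.
INCIDENTS_CSV = """incident_id,category,defect_id,defect_status
INC-1001,defect,DEF-501,in_test
INC-1002,defect,,
INC-1003,how_to,,
INC-1004,defect,DEF-503,open
INC-1005,defect,DEF-999,open
"""
DEFECTS_CSV = """defect_id,source_incident,status
DEF-501,INC-1001,in_test
DEF-503,INC-1004,fixed
"""

def reconcile(incidents_csv, defects_csv):
    """Return (incident_id, audit_question, finding) tuples for broken traces."""
    incidents = csv.DictReader(io.StringIO(incidents_csv))
    defects = {d["defect_id"]: d for d in csv.DictReader(io.StringIO(defects_csv))}
    findings = []
    for inc in incidents:
        if inc["category"] != "defect":
            continue  # only problems classified as defects need routing
        iid, did = inc["incident_id"], inc["defect_id"]
        if not did:
            findings.append((iid, 1, "not routed to defect tracking"))
            continue
        defect = defects.get(did)
        if defect is None or defect["source_incident"] != iid:
            findings.append((iid, 3, f"trace to {did} cannot be followed both ways"))
            continue
        if defect["status"] != inc["defect_status"]:
            findings.append((iid, 2, f"incident shows '{inc['defect_status']}', "
                                     f"tracker shows '{defect['status']}'"))
    return findings

if __name__ == "__main__":
    for finding in reconcile(INCIDENTS_CSV, DEFECTS_CSV):
        print(finding)
```

Each finding carries the number of the audit question it relates to, so exceptions can be reported under the matching question.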

For a free proposal to perform an audit of your organization or provide SOX support & testing services, contact Mitchell Levine of Audit Serve at (203) 972-3567 or via e-mail at

Copyright 2006, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.

