Automated governance: Signals of change and the risk agenda

A shift towards DevOps impacts the people, process and technology involved in change management, providing an opportunity to improve the existing change management controls.

Lavin Chainani


Managing Director Advisory, Technology Risk, KPMG US

+1 410-949-8834

Nicole Lauer


Principal, Technology Risk Management, KPMG US

+1 410-949-8949

Chief Audit Executives (CAEs) continuously assess how to deliver on their objectives to maintain trust of shareholders and stakeholders. This includes considering signals of change in risks faced by their organization and, in turn, changing the focus of the internal audit plan if needed. Our complementary series, On the CAE agenda, provides a full view of top risks.

Signals of change

To help streamline the development process from concept to delivery, organizations have begun a secondary shift in methodology from Agile towards a DevOps model. DevOps, which takes its name from software development and IT operations, is commonly considered a natural evolution of the Agile movement. DevOps practices impact the people, process, and technology associated with the Agile change management process and provide an opportunity to improve the existing change management controls.

Risk considerations

  • Design requirements may change throughout the product development lifecycle, resulting in frequent and continuous design changes without revisiting security or control requirements.
  • High levels of autonomy across business units and teams may lead to inconsistent approaches to meeting control objectives, resulting in the objectives not being met.
  • Lack of documentation of key control activities and dependence on “soft” controls may lead to compliance challenges.
  • As development infrastructure scales, the intersection of large, cross-functional teams and complex solutions raises considerable security risks and requires careful management.