Auditors and related practitioners are always learning and prepared to pivot as new technologies and modes of software delivery are introduced. Although DevOps is not new, determining methods to ensure the enterprise’s governance system is in line with DevOps concepts and practices may not always be straightforward. Developing a strategy to evaluate the inclusion and alignment of DevOps processes with the overall enterprise governance system is a challenge for enterprises and auditors. ISACA now has a solution!
Common methods of governing and evaluating the software development lifecycle and associated supporting continuous delivery, improvement and monitoring processes require enhancement and extension. In 2021, ISACA published COBIT® 2019 Focus Area: DevOps, which provides COBIT objectives that practitioners should consider when evaluating the effectiveness of an enterprise’s governance system over DevOps practices and supporting tools. Some of the topics included in the publication are:
- relationship between DevOps lifecycle phases and governance and management objectives
- relevant DevOps statements for applicable governance and management objectives
- relationship between the seven COBIT components and DevOps concepts.
The new COBIT for DevOps Audit Program serves as companion guidance to assist audit practitioners and other stakeholders in evaluating the DevOps-specific activities associated with COBIT practices. These activities leverage concepts and guidance that DevOps teams can adopt—and which practitioners in risk and assurance can consider—to help ensure that the benefits of DevOps are realized while the potential risk is mitigated.
The test steps associated with these activities are suggested to help auditors and other practitioners begin to plan, tailor and execute an evaluation of the enterprise’s governance system over DevOps practices. It’s important to note that the test steps included in this audit program provide guidance focused on the COBIT objectives that have relevance to DevOps for the four management domains (( Align, Plan and Organize (APO), Build, Acquire and Implement (BAI), Deliver, Service and Support (DSS) and Monitor, Evaluate and Assess (MEA)).
This audit program, in alignment with the overall COBIT® framework, is intended to be open and flexible to allow for practitioner customization to best meet the assessment needs of the enterprise.