IT Audit How to successfully conduct an IT audit in DevOps - Part 1. Understanding the DevOps environment

23-03-04

본문



In your IT audit work, you're likely to encounter more organizations in DevOps environments than you think. 


DevOps is here to deliver value to customers faster and more efficiently, and many organizations are already utilizing it.

The unfortunate thing is that we often audit organizations in DevOps environments by taking the ITGC methodology for organizations that follow traditional development processes and fitting it into a mold.

To use a food analogy, if you cook with ingredients that don't fit the recipe, the food won't taste like what you expect.


So what happens when you take an audit methodology that doesn't fit your organization's environment? 

If you apply a traditional audit methodology to a traditional organization, you're bound to identify a lot of deficiencies.


To understand why I'm writing this article, let's start with the purpose of an IT audit.

Why do we have IT audits?


# The purpose of an IT audit

When I say IT audit, I'm not referring to an IT audit as part of an accounting audit, which is often covered in this blog, but rather a broader IT audit that includes security audits and more.

The purpose of an IT audit is to assess the effectiveness of an organization's IT controls and processes and provide assurance that the organization is managing IT risks appropriately. 


IT auditors are responsible for independently assessing the design and operation of IT controls, identifying potential weaknesses and areas for improvement, and recommending improvements to management to mitigate IT-related risks. 

From a business perspective, an IT audit ensures that an organization's IT systems and processes are aligned with business objectives, that regulatory requirements are being met, and that IT risks are being managed appropriately.

 

Perhaps most importantly, it's about the bottom line for the people in the organization and the people in the communities it serves.

The reason I say this, which is so obvious, is that you should approach your DevOps environment from this perspective.


# DevOps environments

DevOps is already a popular term in many different industries.

From the word go, it's a combination of development teams (Dev) and IT operations teams (Ops), and it spans the phases from development planning, through the build, test, and release phases, to operations and monitoring. 

The basic principles of DevOps emerged to deliver value to customers faster and more efficiently, and it's driven by iteratively listening to customer feedback to deliver better service.

After all, it's about being agile in the marketplace to serve your customers better and faster than your competitors, and it can be a survival strategy for companies.


This phenomenon is mostly seen in industries that require frequent development of software, such as the e-commerce industry.

DevOps ensures short release cycles with frequent deployment principles for collaboration, automation, communication, and continuous improvement, whereas development and operations teams used to work in silos with poor collaboration and communication, resulting in slow deployment. It is characterized by the fact that development and operations teams work together to manage the entire process of software development, deployment, operation, and maintenance, and use automation, continuous integration, and deployment to handle software development and deployment quickly and reliably, resulting in fast deployment, reliability, flexibility, and automation.


c2512e97f089a93e35a8410ca5a66096_1677890923_2943.JPG
Source: https://www.tatvasoft.com/blog/devops-best-practices/ 



# The rise of cloud computing

The rapid development of cloud computing has played a large role in the adoption of DevOps environments by many organizations today. 

DevOps and cloud environments go hand in hand, with cloud computing technologies providing scalable infrastructure, automation tools, and APIs that are optimized for the principles of DevOps. 

The major cloud platforms Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) offer a variety of services that can be leveraged to build, deploy, and manage applications in a DevOps environment. 


c2512e97f089a93e35a8410ca5a66096_1677890940_4027.JPG
Source: 
https://aws.amazon.com/ko/blogs/devops/choosing-ci-cd-aws-services-bighat-biosciences/



For example, there are cloud-based tools commonly used for containerization, orchestration, and coded infrastructure, which are key components of DevOps. 

As such, cloud technologies are often adopted by DevOps organizations.


In my experience, if an organization is using the cloud to manage business-critical services and infrastructure areas, it is most likely a DevOps environment.


If you've read this far, let me ask you a question.


Does it make sense to take a traditional audit methodology and hold it to the same standard in a DevOps environment?

You need to recognize DevOps as a survival strategy for your organization and think about how you can mitigate IT risk while maintaining the status quo.


Now that you have a better understanding of DevOps, let's get more practical in the next article.