Success Story: DevOps Controls Transformation
SCENARIO
A client approached us to assist with the remediation of nearly two dozen significant control deficiencies identified by their external auditors that they had been struggling to resolve.
ISSUES
The client's IT organization operates in a DevOps environment and allows developers full administrative access to production systems. The CIO insists its DevOps model cannot be abandoned as its speed and flexibility enables the organization to evolve its technology rapidly and is considered a significant competitive advantage. However, the IT organization's lack of segregation of duties was of concern to the client's "Big 4" audit team who hadn't seen the DevOps model effectively implemented in a production SOX environment. In addition, there were several other deficiencies identified related to inappropriate access, an ineffective termination process, and ineffective user access reviews. Compounding the challenges facing the organization was an aggressive timeline driven by the client's desire to resolve these issues and demonstrate to their auditors the risks had been addressed by year-end.
SOLUTIONS
Infina's Controls Transformation and Remediation helps accelerate control redesign and remediation to deliver a robust control environment that meets the financial, operational, regulatory and/or technical requirements of an organization.
Our team began quickly analyzing the client's control environment and the deficiencies identified by the external auditor to understand the key issues and determine probable root cause. Understanding the client's unique implementation of their DevOps model, Infina worked closely with the organization's management to collaboratively lead the planning, technical and functional controls design, implementation and validation of revised controls. The new and revised controls seamlessly interface with existing processes and tools leaving intact the team's ability to rapidly evolve their systems and technology while also providing the necessary tools to ensure risks were addressed.
RESULTS
Infina helped to massively accelerate the remediation process and ensure delivery of the client's control environment enhancements with phenomenal results. The external auditor's own independent evaluation confirmed there were no significant deficiencies at year-end. And yes, developers still had administrative access to production systems.