You’re tech savvy, have an unreasonable love for developing integrated systems, and you’re one of the few go-to people your company trusts to implement changes across business-critical applications. It goes without saying that you know your stuff. That is why you did your due diligence and implemented a proven process to mitigate risk and ensure the compliance of the application change process – and yet your company’s last IT audit found multiple low- to mid-level deficiencies that have you wondering what went wrong.
Now you find yourself in a reactive position – one that you are not entirely comfortable with. You have to go before the audit committee and explain the root cause for these deficiencies, along with what mitigating steps are needed to correct these issues. Only you’re struggling to figure out exactly what piece of the puzzle you missed. You dotted your i’s and crossed your t’s – or so you thought, until you read the auditor’s findings and realized that there was a whole other piece of the puzzle that your application change process was missing – and it’s called IT governance.
Compliance is definitely a key initiative, but it’s not the whole picture. It’s no longer enough to simply demonstrate compliance; your organization also needs to establish governance around IT processes and to ensure they are aligned with the business objectives that are driving these initiatives.
While the auditor may have noted a deficiency in your application change management process, it may not necessarily be your fault. Besides, how can you be expected to move your application forward and pass audit, when a major piece of the puzzle is missing?
Governance should start at the top with your company’s board of directors and executive management. It’s up to them to define the IT general controls and set the tone for governance and the mechanism for enforcing it. That’s why it’s crucial for the executive team to establish a framework for governance — preferably one that creates organizational transparency and sets clear expectations and accountability for application stakeholders.
However, that doesn’t always happen. Lapses in top-down communication are all too common, and as a result application owners and IT managers like you are left in the dark when auditors come knocking. It also leaves you unable to gauge how well you are doing at meeting the business’s control practices and where you are with your application change process.
This is where the COBIT5 framework can help. It enables you to demonstrate the value of IT to the business and better align your application change process and controls with the goals of your key stakeholders – all while enabling you to achieve compliance and mitigate risk through proper governance.
To see how governance completes the puzzle, we’ve created this step-by-step checklist that will enable you to build a strong foundation for application change management that adheres to COBIT5 control practices.