Impact of CI/CD on Audit and Compliance

Continuous Integration and, especially, Continuous Delivery involve substantial automation of traditionally manual tasks: builds, code reviews, testing of all kinds, environment creation and maintenance, deployment, and monitoring. This automation is great for reducing cycle time, improving consistency, and driving better quality, but it can pose real challenges to your organization's audit and compliance efforts.

Most standards, controls, policies, and procedures that govern IT work are designed to monitor and track the behavior of people, not automated processes. They also typically rely on attestations (approvals, sign-offs, affirmations, and so on) from a person asserting that something did or did not happen. To an auditor, the existence of that attestation often matters more than whether the “something” actually happened.

Extensive automation removes the need for many of these attestations, replacing them with hard evidence (typically logs) of what actually took place. This rubs against established audit procedures because it fundamentally changes the evidence auditors review at audit time: a pipeline log is only useful as evidence if auditors accept it, and they will reasonably ask how it is protected from tampering and how long it is retained. Getting your auditors at the local (IT), corporate, and external levels to understand and buy in to the impact of DevOps is critical to smoothing the journey to continuous delivery bliss.

In this talk, we’ll explore some of the common pitfalls you are likely to encounter as you adopt CI/CD and how to approach them. Specifically, we’ll look at change management and change request (CR) processes, common “human” control concepts and their automated equivalents, and the kinds of documentation changes you will likely see.

Dan Petit

Dan Petit has been deep in the development world for most of his working life, serving as a developer, consultant, architect, and technical leader for a wide-variety of companies in the aerospace, ...