Rethinking IT governance: Designing a framework for mitigating risk and fostering internal control in a DevOps environment

Olivia Helene Plant*, Jos van Hillegersberg, Adina Aldea

*Corresponding author for this work

Research output: Contribution to journal › Article › Academic › peer-review

9 Citations (Scopus)
132 Downloads (Pure)


An increasing number of companies are transforming their IT departments into cross-functional teams which are responsible for both development and operation of software and use automation to speed up their delivery process. This novel approach, which is commonly known as “DevOps”, promises many benefits such as increased speed and frequency of deployment. However, companies using DevOps often struggle to demonstrate control of their software delivery processes to IT auditing parties, due to the decentralized decision-making structures and high degree of automation in DevOps teams. The research at hand presents a framework which aims to provide guidance to organizations in mitigating and governing risks in IT teams and departments that make use of the DevOps paradigm. We have adopted a design science research approach, building on a literature review and semi-structured interviews with seventeen employees from nine Dutch companies that are in different stages of their DevOps transition. The results suggest that the two main factors which influence how departments design their DevOps environment are risk appetite and DevOps maturity. We furthermore find that companies in practice often use a mixture of traditional, manual IT controls and the automated controls suggested in the literature. Based on these insights, a situational control framework is designed which suggests suitable risk mitigation practices.
Original language: English
Article number: 100560
Journal: International journal of accounting information systems
Early online date: 9 Apr 2022
Publication status: Published - Jun 2022


  • DevOps
  • Risk management
  • Internal control
  • IT audit
  • Agile
  • UT-Hybrid-D

