Bringing auditors to a DevOps World

Key requirements for effectively implementing Automated Governance

The paradigm shift towards Secure DevOps is beginning to help many IT organizations optimize for both speed of delivery and security of their products. With this newfound agility, teams can provide value to the business as well as the consumer with less risk. However, as we discussed in our last blog detailing the potential benefits of DevOps Automated Governance, Security and Engineering teams continue to enhance and improve CI/CD pipelines with new security tooling, while Technology Risk and Internal Audit teams sometimes struggle to keep pace and help ensure compliance with incompatible controls.

The compliance processes developers are typically asked to adhere to may be perceived as unnecessary hurdles that add complexity to already time-sensitive assignments. When security requirements end up being dictated by Compliance teams and are dissociated from good security posture, development practices start shifting away from the goal of reducing risk towards focusing on passing the next audit in a form of “security theater”.

If we are able to connect the mindset of Secure DevOps and “shift-left” with the application of Automated Governance practices, we can streamline compliance processes within organizations without compromising on the protection of software from external threats. This is one of the first opportunities that allows teams from the often siloed CISO (Chief Information Security Officer), CIO (Chief Information Officer), and IA (Internal Audit) organizations to work together towards a unified vision of continuous security by design.

1. Telemetry from various sources of security information across the software development lifecycle (SDLC) is collected into a single data repository. One of the most natural places to start is in the CI/CD pipeline, including but not limited to static code scans (SAST), secrets scanning, software composition analysis and SBOM generation. Later, other data can be captured from external origins such as source code management platforms like GitHub. Parties from the CIO, CISO, and Internal Audit teams can see the same “sheet of music” of what controls are exercised and how well application teams are performing in near real time.
2. The data repository where the telemetry is captured is tamper-proof because hashes are computed and stored for telemetry events; any changes to the data would result in a new hash value that doesn’t match the original. Leaders can have a trustworthy record of the security events that took place.
3. The software build process is halted (“breaking the build”) in real time when our agreed-upon security requirements are not met. We prevent software that doesn’t meet our standards for quality from making it to production.

The key to achieving this confluence of ideas begins with automating attestation, that is, the evidence that a software artifact has passed a defined control. While some organizations have traditionally felt comfortable with the reliability of manually performing and reviewing attestation, this often unreliable and generally painstaking task is no longer sufficient to mitigate the risk of a security breach and does not scale. Our primary stakeholder teams must begin adopting automation in this process to help ensure that compliance and security requirements are consistently implemented throughout the CI/CD pipeline. If these controls can be built into the development environment by leveraging existing application security tooling, compliance can be achieved with minimal friction for Engineering teams.

To begin the journey towards Automated Governance, teams should consider the following short-term and long-term activities:

Short-term:

  • Identify the risks in the current development process that you would like to mitigate
  • Review your existing CI/CD pipeline for opportunities to introduce automated control testing and attestation
  • Collaborate with Technology Risk and Internal Audit teams to align on expectations

Long-term:

  • Build or leverage an existing approach for capturing machine-generated and digitally signed attestations in an immutable repository
  • Evaluate your inventory of controls and prioritize them for implementation
  • Include the controls leveraged inside of your pipeline and automatically generated attestations in the SBOMs (Software Bill of Materials) of your applications
  • Implement gates at all points of the CI/CD pipeline that can break the delivery process if an exception to the associated control is identified
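The hashed telemetry record and the build-breaking gate described above can be sketched as follows. This is an added example, not code from the original article or from any KPMG tooling. The signing key, control names and artifact name are constructed for illustration, and HMAC stands in for whatever digital signature scheme a real pipeline would use.

```python
import hashlib
import hmac
import json

# Assumption: constructed demo key. HMAC stands in for the pipeline's real
# signing mechanism (normally an asymmetric key held by the CI system).
SIGNING_KEY = b"constructed-demo-key"
GENESIS = "0" * 64
FIELDS = ("control", "passed", "artifact", "prev")

def _seal(body):
    """Hash the canonical JSON of an event, then sign the hash."""
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    sig = hmac.new(SIGNING_KEY, digest.encode(), hashlib.sha256).hexdigest()
    return digest, sig

def append_event(log, control, passed, artifact):
    """Append a control result, chained to the previous entry's hash."""
    body = {"control": control, "passed": passed, "artifact": artifact,
            "prev": log[-1]["hash"] if log else GENESIS}
    digest, sig = _seal(body)
    log.append({**body, "hash": digest, "sig": sig})

def verify_log(log):
    """Return the index of the first entry that fails verification, or -1."""
    prev = GENESIS
    for i, entry in enumerate(log):
        digest, sig = _seal({k: entry[k] for k in FIELDS})
        if (entry["prev"] != prev or entry["hash"] != digest
                or not hmac.compare_digest(entry["sig"], sig)):
            return i
        prev = entry["hash"]
    return -1

def gate(log, artifact, required):
    """Return reasons to break the build; an empty list lets it proceed."""
    if verify_log(log) != -1:
        return ["evidence log failed integrity check"]
    latest = {e["control"]: e["passed"] for e in log if e["artifact"] == artifact}
    return [f"{c}: {'failed' if c in latest else 'no attestation'}"
            for c in required if not latest.get(c, False)]

if __name__ == "__main__":
    log = []  # constructed sample events for a hypothetical artifact
    for control, ok in [("sast", True), ("secrets-scan", False), ("sca", True)]:
        append_event(log, control, ok, "app:1.4.2")
    print(gate(log, "app:1.4.2", ["sast", "secrets-scan", "sca", "sbom"]))
    log[1]["passed"] = True  # edit the stored record after the fact
    print(verify_log(log), gate(log, "app:1.4.2", ["sast", "secrets-scan"]))
```

The gate treats a missing attestation the same as a failed one, and refuses to evaluate controls at all once the evidence chain no longer verifies.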
