No rocket science is needed here, just a well-implemented organization that uses a framework or toolkit adapted to your organisation and that allows for the control and audit necessary to support your business.

There is, however, no one-framework-fits-all approach. It is better to combine several frameworks and select the parts that support your business, not only your IT. Also remember that what is good for the company next door might not be the optimal structure for your business. CoBIT, ValIT, GxP, ITIL, ... all can help to build your toolkit.

IT compliance, and therefore also IT audit, is only a part of business GRC (Governance, Risk, Compliance). As such, it should be implemented only in areas where it supports value creation and protection. Another element to take into account is that a big-bang or all-or-nothing approach is not required: it would not only delay implementation but also increase the risk of misalignment.

Start with the analysis of one or two key value drivers. Evaluate the compliance risk and take it from there. For companies operating in heavily regulated environments, like pharma, adherence to such frameworks is

Do you already have a structured and well-controlled environment? Then ask the persons who are accountable how often the processes and controls are evaluated for effectiveness. Efficiency is also important, but it becomes a non-issue if, because of a change in the value chain, the controls that were put in place are no longer the right ones.

At Sundari-Experts, we help companies to set up or improve IT processes and KPIs based on their own value drivers.