On the other hand, what organizations must actively guard against is implementing controls on an ad hoc basis due to various regulatory requirements. This approach will cause costs to skyrocket and ultimately may create an unsustainable control environment. It is possible to put controls in place that add value, but it is virtually impossible to do so without proper planning and oversight.
For organizations that are embarking on controls and don't know where to start, I recommend using COBIT for the governance framework, identifying what is important from the framework and then leveraging best practices from the Information Technology Infrastructure Library (ITIL) to accomplish those goals. If there is one control area to focus on heavily to start, I'd recommend that organizations begin with change management.
We witnessed the temporary death of processes as the delusion of speed swept through organizations in the past 15 years. Now, the winds of change have shifted. The need to meet regulatory requirements, not to mention implement sound business practices, is pushing IT governance and controls to the forefront of board discussions once again. IT must work with the various stakeholders to ensure that proper planning is performed to create a positive control environment that adds value to the organization.
Gaining real benefits from controls is absolutely possible and is something all organizations must strive for.