The Board and IT Governance
IT governance is a hotly debated topic that has been on IT management’s agenda for many years. King III is the first time IT governance has been brought to the board in the form of a governance code, and it leaves no doubt: IT governance is the responsibility of the board.
King III Chapter 5, “The governance of information technology”, consists of seven principles covering several themes.
Board Responsibilities:
By far the most tangible impact of Chapter 5 is the following principle:
5.4. The board should monitor and evaluate significant IT investments and expenditure.
This principle, in conjunction with the new Companies Act, has brought the IT agenda solidly to the board table. The King III Report refers to “IT value delivery” and to IT being suitably “aligned” with the company’s objectives.
Compliance with King III by listed companies and public entities should mean that directors are held personally accountable for the large IT project losses that have become commonplace.
Information and Information Security:
Second only to this principle is the emphasis on information management. King III makes it clear that the board is responsible for the company’s information management, which includes:
> Ensuring that all personal information is identified and managed appropriately;
> Ensuring that systems are in place for the management of information – “which should include information security, information management and information privacy”; and
> Ensuring that an information security strategy is used to guide the implementation of an “Information Security Management System” by management.
Other board responsibilities include:
> Ensuring that the company takes full advantage of the use of IT;
> Ensuring that the intellectual property built into IT is protected;
> Ensuring that the company embraces the principles of IT governance; and
> Ensuring that the company is compliant with respect to IT laws and applicable rules, codes and standards.
Independent assurance:
To confirm that what is required is in fact in place, the board should:
> “Receive independent assurance on the effectiveness of the IT internal controls”; and
> In the case of outsourced IT services, “obtain independent assurance on the IT governance and controls” supporting such services.
Governance Instruments:
The board should ensure the following are in place and effective:
> IT charter
> IT policies
> IT governance framework
> IT internal control framework
> IT strategy
> Information security strategy
Governance Structure:
King III places primary responsibility for the governance of IT on the board, but also describes several supporting roles and responsibilities:
> An IT steering committee to assist the board;
> A Chief Information Officer responsible for the management of IT, appointed by the Chief Executive Officer;
> The risk committee to ensure that IT risks are adequately addressed and controls assured; and
> The audit committee to “consider IT as it relates to financial reporting and the going concern of the company.”
An important, and expected, principle is that IT should participate in and integrate with the company’s risk management.
Management responsibilities:
King III notes that management should:
> Provide the board with regular demonstration that the company has “adequate business resilience arrangements in place for disaster recovery”;
> Implement the board’s information security strategy; and
> Implement what the IT governance framework requires.
GovN applies King III with pertinent theory and governance instruments all wrapped in a tailored, low-impact initiation process.
NOTE: The comments in this page are to be read within the context of the candor legal notices which can be found at this web site. The Institute of Directors in Southern Africa’s ownership of the copyright in the publications “King Report on Governance for South Africa 2009” and “King Code of Governance for South Africa 2009” is hereby acknowledged.