Chapter 5: The governance of information technology
Overview
King III recognises that information technology (IT) has become an integral part of doing business today, as it is fundamental to the support, sustainability and growth of organisations. IT cuts across all aspects, components and processes in business and is therefore not only an operational enabler for a company, but an important strategic asset which can be leveraged to create opportunities and to gain competitive advantage.
As well as being a strategic asset to the company, IT also presents organisations with significant risks. The strategic asset of IT and its related risks and constraints should be well governed and controlled to ensure that IT supports the strategic objectives of the organisation.
King III stipulates that in exercising their duty of care, directors should ensure that prudent and reasonable steps have been taken with respect to IT governance.
Key provisions of the Report
The requirement to disclose how the board has satisfied itself that IT governance is effective will need to be positively evidenced. Due care and diligence will need to be exercised and disclosed.
This due care and diligence is achieved through:
- An IT governance framework, which includes:
- Decision structures for IT decisions
- Accountability structures for IT
- IT governance processes
- IT reporting structures
- IT policies and standards
- IT compliance
- IT controls and risk mitigation
- Information security management practices
- Business and disaster recovery
- Information technology strategy as part of the strategic business planning process
- Project management practices
- IT benefits realisation processes
- IT value and performance measurement processes
- IT acquisition and disposal processes
- IT strategy
- Understanding the current state of IT governance and determining improvements required in an IT governance plan
- Effective IT governance practices through the application of recognised frameworks, methodologies, continuous assessments and monitoring
- Reporting on the state and initiatives of IT governance and IT in general to the board
- Ensuring that the board receives adequate assurance on the efficiency and effectiveness of the IT and IT governance processes and on the management of specific IT-related issues
- Disclosing how satisfied the board is with the effectiveness of IT governance.
Corporate governance now requires active consideration of IT governance. Due to the critical nature of IT in enabling business processes, and the intellectual property and other information resources that are exposed through technology channels, IT governance is an essential component in ensuring the efficient and secure operation of the business.
While King III sets out principles, the challenge is to implement them in a practical way. A combination of the most relevant best practices can be utilised to achieve this and a significant number of authoritative and globally relevant guidelines is already available. Any well-run and formalised IT environment should already have such practices in place. The task will now be to report on these and make them understandable to the board.
It is recommended that organisations start by performing a current state assessment against King III and determining areas for improvement. This should be translated into an improvement programme, which should be presented to and approved by the board. Subsequent progress against it should be on the board's agenda, in addition to reporting on the general state of IT and IT governance.
While King III may appear daunting to some, it offers tangible benefits that extend well beyond proving compliance. These include:
- Clarified decision-making and accountability
- Improved understanding of overall IT costs and their contribution to ROI cases
- Improved risk management, security, efficiency and effectiveness of IT, and making this visible (i.e. demonstrating that IT delivers value)
- Enhancement and protection of reputation and image
- Positioning of IT as a business partner and clarifying IT’s role in the business
- Improved and more professional relationships with key IT partners (vendors and suppliers)
- Improved responsiveness to market challenges and opportunities
- Clear identification of whether an IT service or project supports ‘business as usual’ or is intended to provide future added value
- A focus on performance improvement that will lead to the attainment of best practices
- Avoidance of unnecessary expenditure as spending can be demonstrably matched to business goals
- Enabling an integrated approach to meeting external legal and regulatory requirements
Questions the board should be able to answer:
- Do we understand how IT decisions are taken and who is accountable?
- Do we have an IT governance framework in place which defines and supports decision models, governance structures, accountability and governance processes?
- Is IT involved in strategic business decisions and planning?
- Is the investment in IT understood?
- Are our intellectual property, company information and client information properly protected?
- How do we ensure compliance of IT with laws, rules, codes, standards and regulations?
- How is the value delivered by IT measured?
- Is the approach towards IT risks facing the organisation clear? (Risk avoidance vs. risk taking)
- Is the board regularly briefed on IT risks to which the enterprise is exposed?
- Is IT a regular item on the agenda of the board and is it addressed in a structured manner?
- Does the board have a clear view on the major IT investments from a risk and return perspective?
- Does the board obtain regular progress reports on major IT projects?
- Is the board getting independent assurance on the achievement of IT objectives and the containment of IT risks?
How we can help you
PwC has invested substantially in IT governance solutions both locally and globally. Our methodologies, experience and hands-on expertise ensure that we can accelerate and reduce the cost of your King III IT governance programme.
PwC can support you by:
- Providing an assessment of your current IT governance arrangements against King III and other best practices such as ITIL, COBIT, ISO/IEC 38500, ISO/IEC 17799 (since renumbered as ISO/IEC 27002) and Val IT
- Supporting you in determining the King III principles to apply within your organisation
- Developing an IT governance implementation programme aligned to King III requirements and implementing the required IT governance improvements
- Supporting the implementation of improvements in IT governance by utilising PwC’s proprietary ICT governance framework and methodologies.