For the first time in corporate governance in SA, the strategic role of IT has been highlighted in the recently released King III code, says an auditing house.
Angeli Hoekstra, IT governance global leader at PricewaterhouseCoopers, says King III is "the first instance that IT governance has been afforded such status".
King III is the shorter name for the latest update of good governance codes developed by a group headed by judge Meryvn King. The draft was released earlier this year and the final version was released this month.
Hoekstra says "because IT is so pervasive in business today, its importance has now been elevated to board and risk and audit committee levels. King III recognises IT as an integral part of the business and a strategic corporate asset that also carries some significant risks. It, therefore, needs to be well governed and controlled to ensure that IT supports the strategic objectives of the organisation."
She highlights some fundamental changes that will occur in corporate IT, as a result of King III. "IT will now get the dedicated attention of the board, and IT decisions, accountability, policies, standards, controls, procedures and reporting will have to become far more formalised and embedded in an organisation. A proper IT governance framework becomes essential, as the board will have to demonstrate how it has fulfilled all of these new responsibilities."
Chapter five in the code - on the Governance of Information Technology - contains seven principles and 48 accompanying recommendations for companies to follow with regard to IT governance.
The first of these principles makes the board responsible for IT governance. Hoekstra says that, previously, this responsibility would have fallen on the CIO or CFO, and would not necessarily have been reported on at board meetings.
Aligning IT
Another principle is that IT must be aligned with the company`s overall business strategy, including its sustainability objectives. Hoekstra says the board must consider "green" issues and the sustainability impact of technology.
"Issues to consider include procurement; for example, is equipment energy-saving; how to reuse equipment or dispose of it effectively; and minimising wastage, for example, by reducing excessive printing," she notes.
King III recommends that the board should delegate IT responsibility to management, such as appointing a CIO, although the board remains accountable. The code also recommends that the risk and audit committees assist the board in carrying out its IT responsibilities. The risk committee considers the broad risk implications of IT, while the audit committee has a narrower focus that relates to financial reporting and going concern issues.
She adds that another principle is that the board should monitor and evaluate significant IT investment and expenditure, and ensure value delivery of IT. Hoekstra says this means that, besides understanding the IT expenditures by, for example, an IT chart of account and project benefits tracking systems, it should also include understanding the value of the different IT functions, which is far more difficult to measure.
Watching risk
King III has a strong focus on risk management, and requires that IT risk management forms part of the overall risk management strategy of the business.
Hoekstra concludes that, while these added board responsibilities may appear daunting, they do carry significant benefits beyond mere compliance. "There will be a greater understanding of IT costs and how they impact return on investment, and unnecessary expenditure will be avoided."
She adds that "IT spend outside of that which aims to provide general business support will have to add convincing value. IT decision-making and accountability will be clarified, relationships with key IT partners should improve, and IT performance should naturally move closer to international best practice."
Related stories:
The king is coming
A ahead of governance curve
Share
