King Code of Governance Principles (King 3 / King III)

King III, the third report on Corporate Governance in South Africa, was compiled by the King Committee in response to the emergence of the South African Companies Act 71 of 2008.

The committee aimed to produce a framework to keep South African corporate governance at the forefront internationally, with IT Governance taking a prominent role.

Here is the PricewaterhouseCoopers King 3 information, including access to the report itself.

Corporate governance in South Africa follows the approach common to listed companies in the United Kingdom as well as across the Commonwealth and through the EU, which is to have a code of principles and practices on a 'Comply or Explain' basis, whereby listed companies are expected to comply, or to provide an explanation of why they have not complied, with each of the principles.

IT Governance in King III

King III brings IT governance clearly into the corporate governance arena and says:

“Information systems were used as enablers to business, but have now become pervasive in the sense that they are built into the strategy of the business. The pervasiveness of IT in business today mandates the governance of IT as a corporate imperative.

In most companies, IT has become an integral part of the business and is fundamental to support, sustain and grow the business. Not only is IT an operational enabler for a company, it is an important strategic asset to create opportunities and to gain competitive advantage. Companies have made, and continue to make a significant investment in IT.

Virtually all components, aspects and processes of a company include some form of automation. This has resulted in companies relying enormously on IT systems.

Further, the emergence and evolution of the internet, ecommerce, on-line trading and electronic communication have also enabled companies to conduct business electronically and perform transactions instantly. These developments bring about significant risks and should be well governed and controlled.

We, therefore, deal with IT governance in detail in King III for the first time. The IT governance chapter (Chapter 5) is focused on providing the most salient aspects of IT governance for directors. Due to the broad and ever-evolving nature of the discipline of IT governance, the chapter does not try to be the definitive text on this subject but rather to create a greater degree of awareness at director level.

There is no doubt that the complexity of IT systems does create operational risks and when one outsources IT services, for instance, this has the potential to increase risk because confidential information is outside the company.

Consideration has to be given to the integrity and availability of the functioning of the system; possession of the system; authenticity of system information; and assurance that the system is usable and useful. Concerns include unauthorized use, access, disclosure, disruption or changes to the information system.

In exercising their duty of care, directors should ensure that prudent and reasonable steps have been taken in regard to IT governance. To address this by legislation alone is not the answer. International guidelines have been developed through organisations such as ITGI and ISACA® (COBIT® and Val IT), the ISO authorities (e.g. ISO38500) and various other organisations such as OCEG.

These may be used as a framework or audit for the adequacy of the company’s information governance for instance, but it is not possible to have ‘one size fits all’. However, companies should keep abreast of the rapidly expanding regulatory requirements pertaining to information.”

IT Governance Principles in King III

5.1 The board should be responsible for information technology (IT) governance

5.2 IT should be aligned with the performance and sustainability objectives of the company

5.3 The board should delegate to management the responsibility for the implementation of an IT governance framework

5.4 The board should monitor and evaluate significant IT investments and expenditure

5.5 IT should form an integral part of the company’s risk management

5.6 The board should ensure that information assets are managed effectively

5.7 A risk committee and audit committee should assist the board in carrying out its IT responsibilities

IT governance auditing

As IT governance plays such a key role in strategic performance, internal auditors are expected to include auditing IT governance in their work plans.

Products that will support your compliance project

ISO 27001 - the complete suite toolkit

IT Governance Control Framework Implementation Toolkit

  • Simplify your COBIT® 5 implementation project with guidance from industry experts.
  • Save time generating your own documentation with more than 40 pre-written, customisable templates, documents, policies and procedures.
  • Developed by our in-house IT governance experts, so you can be sure you’re on the right track. 
  • Achieve compliance fast and stay on track with notes and guidance on how to complete the templates.

IT Governance: Implementing Frameworks and Standards for the Corporate Governance of IT

A practical introduction to the complex world of IT governance frameworks and standards for board executives and IT professionals.

This book will help you to understand how to manage those frameworks in line with ISO 38500 with the help of the Calder-Moir model.
