The first challenge for most organisations in applying the King III Code of Governance for South Africa to the governance of information and technology is to identify the essential requirements.
The King III Code states that the methodologies used for the Sarbanes‐Oxley Act, “with all of its statutory requirements for rigorous internal controls – has not prevented the collapse of many of the leading names in US banking and finance”.
The approach adopted by many organisations to address the requirements of Sarbanes‐Oxley has not produced the expected improvement in risk management and internal controls. The King III Code states that the compliance‐based approach used by many of the current methodologies and tools adds little value to governance: "Merely assessing compliance with existing procedures and processes without an evaluation of whether or not the procedures or processes are an adequate control is a waste of time and resources."
Doing only what is required – Essential IT Governance
Companies are required to rethink their approach and adopt more effective and sustainable methods for governing information and technology. While the 7 principles and 24 practices of King III define a rigorous framework for governing information and technology, the overriding requirement is that common sense must prevail.
The essence of the King III Code for the corporate governance of information technology can be distilled into 34 essential requirements applicable to both small and large organisations. When these are fulfilled, the King III Code will have been applied effectively and efficiently.
Streamlining the Implementation of King III
Companies are expected to respond to a wide range of requirements specified in the King III Code while at the same time being mindful that two of the cornerstones of IT governance are resource optimisation and the delivery of value to the business.
Without a well‐structured and streamlined approach, companies applying the King III Code to the governance of information and related technology are likely to do more than is necessary in some areas and not enough in others.
Although the expressed intention in applying King III is often to “do only the minimum”, this is illogical. The more thoroughly management applies the King III Code, the better management will be able to control the delivery of value, and the more the company’s stakeholders will receive real benefits.
What should be done?
To minimise the risk of managers doing more than is necessary, the IT Governance Network has developed a methodology to assist companies in fulfilling the King III requirements efficiently and effectively. Careful attention has been given to the essence of King III. The 140 IT‐related items specified in King III have been mapped to 34 essential requirements. Templates and supporting procedures have been developed to assist IT management in addressing the essential requirements of King III.
In determining what is essential to fulfil the King III requirements, consideration was given to how governance differs from management, and to the fact that good governance is essentially about effective leadership, accountability, decision‐making and strategic focus.
The 34 Essential Requirements for Governing IT
Governing information technology requires a combination of tasks and processes at the strategic, tactical and operational levels within the organisation and across the business and IT operations. The 34 essential requirements of the King III code include:
- IT governance charter
- IT governance framework
- Accountability framework
- Internal control framework for the purpose of better:
  - Strategic alignment of IT with the business
  - Delivery of value from investments in IT
  - IT resource optimisation
  - IT risk management
  - Managing and reporting IT performance.