King III address IT governance

The ballooning costs of installing IT systems, coupled with the need to ensure information security and system integrity, means a company’s board must be directly involved in IT governance, says Mervyn King.
The Institute of Directors Wednesday issued the third “Draft King Report on Corporate Governance in South Africa” (King III), which has been compiled by the committee headed by King for the past 17 years.
The first reports, issued in 1992 and 2002, did not deal with the issue of IT governance, because as King stated at the time: “Directors know very little about IT and have no idea how to deal with it.”
However, speaking to ITWeb, King said the world has moved on rapidly since then and the issue of IT governance is a very real risk that companies have to deal with.
Significant risk
King says the risks involved in IT governance have become significant, as IT systems have become integral to a company’s strategy and business. It also includes the involvement of outside parties such as service providers.
He also states the advancement in IT systems, such as mobile phones, adds another dimension to the risk, as these devices could be used to facilitate unlawful activities such as insider trading.
The risk associated with using outside parties, such as service providers, also means information may be leaving the company.
“When dealing with a service provider, companies must be aware they are dealing with another organisation that may not have the same level of governance or ethics as they do,” King says.
The draft report states: “There is no doubt that there are operational risks when one has a service provider, because confidential information leaves the company. In IT governance one seeks confidentiality; integrity and availability of the functioning system; possession of the system, authenticity of system information; and assurance that the system is usable and useful.”
CIOs to the board
King says company boards that have had little understanding of IT systems and their associated costs have had to rely on expert advisors, who are now being appointed as chief information officers (CIOs).
“It is a good thing that CIOs are appointed to the board as they become directors with the same responsibilities as the other directors.”
Be careful   “When dealing with a service provider, companies must be aware they are dealing with another organisation that may not have the same level of governance or ethics as they do.”
King notes that a company’s risk committee, which should then report directly to the board, should deal with IT governance. If such a committee does not exist, then the audit committee should assume this role.
The draft report says concerns that must be considered are unauthorised use, access, disclosure, disruption or changes to the information system.
In exercising their duty of care, the draft report states, directors should ensure prudent and reasonable steps have been taken in regard to IT governance.
“Legislation is not the answer. International guidelines such as Cobit [Control Objectives for Information and related Technology] or ITIL [Information Technology Infrastructure Library] may be used as a check or audit for the adequacy of the company’s information security, but it is not possible to have ‘one size fits all’,” the report says.
It also advocates the use of “green” IT, meaning that IT systems, services and products used should have as small an environmental impact as possible.