franciscronje.com


Our service offering:

Our services aim to assist your company or organisation with the implementation of structures (e.g. Data Governance Office "DGO", Information Governance Office, Enterprise Content Management "ECM", etc.) that will facilitate Information Governance in terms of King III, and more specifically Chapter 5 thereof.

The make-up of these structures consists of aspects related to:

* Information Management;
* Information Security;
* Privacy;
* Records Management;
* Steering Committees;
* Departmental or Business Unit input;
* Regulatory Compliance (Information and ICT);
* Policy and Programme development;
* IT governance Charters; and
* Awareness and Training.

Please contact us to arrange a meeting.


Background:

Information Governance forms an integral part of Corporate Governance, and the King Code of Governance for South Africa, developed by the King Committee on Governance, is widely accepted as the underlying guideline for good corporate governance in South Africa.

King IV is the latest version of the Code. It was released in 2016 and became effective as of April 2017. It must be read in conjunction with the Companies Act No. 71 of 2008. Where its predecessor King III provided the option of "apply or explain", King IV dictates, or assumes, "apply and explain".

Another significant difference between versions III and IV is the expansion from IT Governance to Technology AND Information Governance. This was a welcome development, as Information Governance is much wider than IT Governance.


Some key King IV Technology and Information recommended practices are detailed below:

The Governing Body should exercise ongoing oversight of the management of information and in particular oversee that it results in:
  • The protection of privacy of personal information
  • Compliance with relevant laws 
  • An information architecture that supports confidentiality, integrity and availability of information
  • The continual monitoring of security of information
  • Proactive monitoring of intelligence to identify incidents, including cyber attacks and adverse social media events

It is however also useful to study the requirements in terms of King IV's predecessor, King III, as this recommended practice still holds value.

Chapter 5 of King III deals specifically with IT Governance. In a world where hard copies still make up the bulk of all information, it was always our opinion that this chapter should have been interpreted to include Information Governance.

The King III IT requirements are:

5.1.1 The board should assume the responsibility for the governance of IT and place it on the board agenda.

5.1.2 The board should ensure that an IT charter and policies are established and implemented.

5.1.3 The board should ensure promotion of an ethical IT governance culture and awareness and of a common IT language.

5.1.4 The board should ensure that an IT internal control framework is adopted and implemented.

5.1.5 The board should receive independent assurance on the effectiveness of the IT internal controls.

5.2.1 The board should ensure that the IT strategy is integrated with the company’s strategic and business processes.

5.2.2 The board should ensure that there is a process in place to identify and exploit opportunities to improve the performance and sustainability of the company through the use of IT.

5.3.1 Management should be responsible for the implementation of the structures, processes and mechanisms for the IT governance framework.

5.3.2 The board may appoint an IT steering committee of similar function to assist with its governance of IT.

5.3.3 The CEO should appoint a Chief Information Officer responsible for the management of IT.

5.3.4 The CIO should be a suitably qualified and experienced person who should have access to, and interact regularly on strategic IT matters with, the board and/or appropriate board committee and executive management.

5.4.1 The board should oversee the value delivery of IT and monitor the return on investment from significant IT projects.

5.4.2 The board should ensure that intellectual property contained in information systems is protected.

5.4.3 The board should obtain independent assurance on the IT governance and controls supporting outsourced IT services.

5.5.1 Management should regularly demonstrate to the board that the company has adequate business resilience arrangements in place for disaster recovery.

5.5.2 The board should ensure that the company complies with IT laws and that IT related rules, codes and standards are considered.

5.6.1 The board should ensure that there are systems in place for the management of information which should include information security, information management and information privacy.

5.6.2 The board should ensure that all personal information is treated by the company as an important business asset and is identified.

5.6.3 The board should ensure that an Information Security Management System is developed and implemented.

5.6.4 The board should approve the information security strategy and delegate and empower management to implement the strategy.

5.7.1 The risk committee should ensure that IT risks are adequately addressed.

5.7.2 The risk committee should obtain appropriate assurance that controls are in place and effective in addressing IT risks.

5.7.3 The audit committee should consider IT as it relates to financial reporting and the going concern of the company.

5.7.4 The audit committee should consider the use of technology to improve audit coverage and efficiency.
