There are many definitions of corporate governance. Simply put, corporate governance is doing what is right, decent, honest and proper in order to hold a balance between, on the one hand, economic and social goals and, on the other hand between the goals of individuals and the community. The aim of corporate governance is to align, as nearly as possible, the interest of individuals, corporations and society. This basically is the definition of corporate governance by Sir Adrian Cadbury in his world famous corporate governance overview, 1999 (a report for the World Bank).
What is corporate governance?
Stripped of all of its frills, corporate governance is nothing else but “governing properly“: doing the right thing. It flows from this (i) that it is essential that the company does the right thing insofar as IT is concerned and (ii) that some companies are simply better governed than others. This entails ensuring that the IT department is run competently and efficiently, by professional persons who are rated among the best in their field.
Corporate governance encompasses complying with applicable law, implementing best practices and managing risks.
Corporate governance in South Africa
Corporate Governance in South Africa was first institutionalised by the publication of the King Report on Corporate Governance in November 1994 following the formation of the King Committee on corporate governance which was formed in 1992 under the auspices of the Institute of Directors to consider corporate governance (which was becoming of increasing interest around the world) in the context of South Africa.
This was followed by the King Report on Corporate Governance for South Africa – 2002 which was prepared by the King Committee on corporate governance (“the King Report”). It was released during or about March 2002.
It is important to understand what is meant by what has come to be known as the King Report. The King Committee decided to issue their Report as a work of reference with aspirational recommendations from which the Code evolved.
The Code is known as the Code of Corporate Practices and Conduct and is contained in the Report. With effect from March 01, 2002 the new Code replaced the old Code which was contained in the King Report 1994.
So there is the Report which is a work of reference and then there is the Code which is self regulatory but is binding on companies listed on the Johannesburg Securities Exchange (JSE) by virtue of a requirement of the JSE that listed companies must comply with the Code in order to maintain their listing. Listed companies are required to state annually that they are complying with the Code and if they do not do so then they run the risk of their listing being suspended.
Any company listed on the JSE, its directors must, annually, state in writing that the group complies with the Code. As stated above, the failure to do so could result in the suspension of the listing of the company which would, of course, be a disastrous consequence. In addition, the directors, officers and managers of the company could be held both civilly and criminally liable if it is found that they have acted outside of their fiduciary duties and have failed to comply with their duty of care and skill. It is important, however, to note that there is no third party verification of the disclosed information.
Self-regulation and statutory compliance
It is perhaps important to explain the difference between self-regulation and statutory compliance. Where there is self-regulation then parties voluntarily agree to particular rules and regulations. Where these rules and regulations are contained in a statute (such as the Sarbanes-Oxley Act (SOX) in the United States of America) entities are obliged to comply with the rules and obligations by law. Unlike the United States of America, South Africa does not have any “corporate governance legislation”. However, the new Companies Bill which will replace in due course the existing Companies Act, Act No 61 or 1973, as amended, does contain a chapter which legislates for corporate governance.
As stated above, the Code is not binding by statute but is self-regulatory subject to the fact that, inter alia, the JSE Securities Exchange obliges listed companies to comply with same in order to maintain their listing (i.e. there is no offence committed for non-compliance).
Corporate Governance and IT
The attention to corporate governance raises the question whether IT used for supporting business processes is adequately controlled. This has led to an increase in attention for so-called “IT Governance” in many organisations. Because IT is an integral part of business operations, IT Governance is an integral part of corporate governance.
Section 5, Chapter 4 of the Report deals with information technology. It is stated inter alia that “while technology developments can help improve governance, they have also brought increased risks and challenges that need to be addressed so that management can discharge its governance responsibilities”. It is also stated that “responsible management needs to demonstrate adequate knowledge of modern IT-enabled systems”. The Report further deals with the importance of IT as a powerful enabler for making information available to stakeholders. It specifically mentions e-mail as a “highly effective means of sharing information”. The King Report also mentions various issues that have to be considered and it specifically mentions the “implications for audit and information integrity … access of all stakeholders to electronic information”. From this we can see how important information technology is because otherwise the King Committee would not have specifically devoted an entire chapter to same. At the end of the chapter they set out their recommendations and one of the most important statements in their three recommendations is that Boards need to ensure that the necessary skills are in place to ensure that their responsibilities in respect of internal control systems are adequately discharged. Adequate training of staff is essential in support of King II requirements.
The importance of properly governing IT is to be found in section 2 of the Code which deals with (a) responsibility for; and (b) application and reporting in respect of, Risk Management. It is made clear, in that section, that the Board is responsible for the total process of risk management, as well as for forming its own opinion on the effectiveness of the process. Management is accountable to the Board for designing, implementing and monitoring the process of risk management and integrating it into the day-to-day activities of the company.
Management reporting and the use of experts
Because of the importance of Management reporting to the risk committee (audit/risk committee) and the Board on the state of affairs of IT in the company, the use by management of an expert is recommended. The role of the expert is to conduct a due diligence of the company’s IT systems and to recommend to the company what in the IT department should be eliminated, what should be improved, what should be introduced and finally what is in order and must be maintained.
The use of an expert is also linked to one of the difficult issues in corporate governance, namely, how does one measure compliance? The determination is very subjective and it is therefore imperative that the best of breed experts are employed in order to satisfy the company that there has been adequate compliance.