IT Governance forms part of Corporate Governance and is dealt with in “King III″. King III comprises:
- the King Report on Governance for South Africa (2009); and
- the King Code of Governance Principles for South Africa (2009).
King III applies to all companies regardless of whether in the public, private sectors or non-profit sectors.
What are the legal requirements in King III? King III requires that:
- companies must comply with all applicable laws. It specifically mentions “applicable IT laws“. The risks of non-compliance with IT laws must be identified, assessed and responded to through the companies risk management process;
- must consider adherence to applicable IT rules, codes and standards;
- companies understand the context of the law, and how other applicable laws interact with it.
- the board must take the necessary steps to ensure the identification of the laws, rules, codes and standards applicable to the company;
- when considering these laws, that IT related laws be considered;
- companies must include IT legal risks as part of the companies risk management activities. (IT legal risk arises from the possession, ownership and operational use of technology that may result in the company becoming a party to legal proceedings);
- the board further consider how IT could be used to aid the company in its managing of risk and its compliance with laws, rules, code and standards;
- management develop a compliance policy;
- the company’s procedures and control frameworkincorporate compliance with relevant laws, rules, codes and standards;
- the company’s code of conduct incorporate compliance with relevant laws, rules, codes and standards to entrench a culture of compliance.