Mauritz Kloppers Independent Advisor


Post on 09-Oct-2020


Page 1: Mauritz Kloppers Independent Advisor Forum... · Acquire and Implement • Identify Automated Solutions • Acquire and Maintain Software • Acquire and maintain Technology Infrastructure

Mauritz Kloppers Independent Advisor


Background

King III code of Governance

Good Governance and Effective Leadership

Sustainability of Business

Corporate Citizenship

Companies Act no 71 of 2008

© Institute of Directors Southern Africa


Background

King III applies to ALL entities regardless of the manner and form of incorporation (Public, Private, Non-profit Sectors)

King III code comes into effect on 1 March 2010

Companies Act no 71 of 2008 becomes operative on 1 July 2010


Background

King III is based on the “Apply or Explain” principle

USA – Sarbanes-Oxley (SOX) is based on “Comply or Else”

56 countries in Commonwealth and 27 states in EU use “comply or explain” basis


King III Code requirements

2.1 The board should act as the focal point for and custodian of corporate governance

2.2 The board should appreciate that strategy, risk, performance and sustainability are inseparable

2.3 The board should provide effective leadership based on ethical foundation

2.4 The board should ensure that the company is and is seen to be a responsible corporate citizen

2.5 The board should ensure that the company’s ethics are managed effectively

2.6 The board should ensure that the company has an effective and independent audit committee

2.7 The board should be responsible for the governance of risk

2.8 The board should be responsible for information technology (IT) governance

2.9 The board should ensure that the company complies with applicable laws and considers adherence to non-binding rules, codes and standards

2.10 The board should ensure that there is an effective risk-based internal audit

2.11 The board should appreciate that stakeholders’ perceptions affect the comp…….


King III Code IT requirements

5.1. IT Governance

5.2. Business IT Alignment

5.3. IT Organisation

5.4. IT Investments

5.5. IT Risk Management

5.6. Information as an Asset

5.7. Involvement in Risk and Audit Committees


King III Code IT requirements

5.1. IT Governance
• Establish and Maintain an IT Charter
• Adopt and implement an IT Internal Control Framework
• Receive Independent Assurance Reviews

5.2. Business IT Alignment

5.3. IT Organisation

5.4. IT Investments

5.5. IT Risk Management

5.6. Information as an Asset

5.7. Involvement in Risk and Audit Committees


King III Code IT requirements

5.1. IT Governance

5.2. Business IT Alignment
• IT strategy should be integrated with company’s strategic and business processes

5.3. IT Organisation

5.4. IT Investments

5.5. IT Risk Management

5.6. Information as an Asset

5.7. Involvement in Risk and Audit Committees


King III Code IT requirements

5.1. IT Governance

5.2. Business IT Alignment

5.3. IT Organisation
• Appoint an IT Steering Committee reporting to the board
• Appoint a Chief Information Officer (CIO) responsible for the management of IT

5.4. IT Investments

5.5. IT Risk Management

5.6. Information as an Asset

5.7. Involvement in Risk and Audit Committees


King III Code IT requirements

5.1. IT Governance

5.2. Business IT Alignment

5.3. IT Organisation

5.4. IT Investments
• Value Delivery of IT (Return on Investments)
• Protection of Intellectual Property
• Obtain Independent assurance review

5.5. IT Risk Management

5.6. Information as an Asset

5.7. Involvement in Risk and Audit Committees


King III Code IT requirements

5.1. IT Governance

5.2. Business IT Alignment

5.3. IT Organisation

5.4. IT Investments

5.5. IT Risk Management
• Business Resilience and Disaster Recovery
• Company complies with IT laws, codes and standards

5.6. Information as an Asset

5.7. Involvement in Risk and Audit Committees


King III Code IT requirements

5.1. IT Governance

5.2. Business IT Alignment

5.3. IT Organisation

5.4. IT Investments

5.5. IT Risk Management

5.6. Information as an Asset
• Treat Information as Company Assets (Manage, privacy)
• Information Security Management

5.7. Involvement in Risk and Audit Committees


King III Code IT requirements

5.1. IT Governance

5.2. Business IT Alignment

5.3. IT Organisation

5.4. IT Investments

5.5. IT Risk Management

5.6. Information as an Asset

5.7. Involvement in Risk and Audit Committees
• IT Risks must be addressed in Risk Committee
• IT’s involvement in Financial Reporting


Enterprise Architecture

[Figure: architecture development cycle. Phases: Preliminary; A. Architecture Vision; B. Business Architecture; C. Information & Systems Architecture; D. Technology Architecture; E. Opportunities & Solutions; F. Migration Planning; G. Implementation Governance; H. Architecture Change Management. Centre: Requirements Management.]

© The Open Group


Enterprise Architecture

Enterprise Architecture Competency
• Principles
• Standards
• Frameworks
• Skills and Resources


Enterprise Architecture

Business Architecture

Business Model
• Vision and Mission
• Business Strategic Objectives
• Value Proposition to Target Market
• Strengths (Differentiation)
• Opportunities (New Markets/Products)
• Threats (Market Forces)


Enterprise Architecture

Systems & Info Architecture

Operating Model
• Core and support Value Chain
• Business Services
• Business Processes
• Information required
• Information Referenced
• Information Produced
• Organisation Structure
• Internal Controls (RACI)
• External Access to Information


Enterprise Architecture

Technology Architecture
• Application Software Portfolio
• Database platforms
• Data warehouse / MIS / BI
• Knowledge / Collaboration
• Operating Environment (standards)
• Hardware and Network
• Dev / QA / Prod / DRP
• Desktops and Datacentres


Enterprise Architecture

Opportunities and Solutions

Compare to what is currently there
• Technology Lifecycle
• What do I sweat more
• What do I retire
• What do I acquire


Enterprise Architecture

Migration Planning

IT Strategy
• IT Roadmap (Medium and Long term)
• Sequence of events
• Investment Plan
• Risks
• Resource requirements


Enterprise Architecture

Implementation Governance

Executing the Strategy

Wired into CobiT:
• Acquire and Implement
• Delivery and Service
• Monitor and Reporting


Enterprise Architecture

Change Management

Manage adjustments to the strategy

Impact Analysis
• Business Strategies
• Priorities
• Investment
• Resourcing
• Risks


King III and Enterprise Architecture

5.1. IT Governance

5.1.2. The Board should ensure that an IT Charter and Policies are established and implemented

5.1.3. The board should ensure promotion of an ethical IT Governance culture and awareness and of a common IT Language


King III and Enterprise Architecture

5.2. Business IT Alignment

5.2.1. The board should ensure that the IT strategy is integrated with the company’s strategic and business processes.

5.2.2. The board should ensure that there is a process in place to identify and exploit opportunities to improve the performance and sustainability of the company through the use of IT


King III and Enterprise Architecture

5.3. IT Organisation

5.3.1. Management should be responsible for the structures, processes, and mechanisms for the IT governance framework


King III and Enterprise Architecture

5.4. IT Investments

5.4.1. The board should oversee the value delivery of IT and monitor the return on investment from significant IT projects

5.4.2. The board should ensure that intellectual property contained in information systems is protected.


King III and Enterprise Architecture

5.5. IT Risk Management

5.5.1. Management should regularly demonstrate to the board that the company has adequate resilience arrangements in place for disaster recovery.

5.5.2. The board should ensure that the company complies with IT laws and that codes and standards are considered.


King III and Enterprise Architecture

5.6. Information Management

5.6.1. The board should ensure that there are systems in place for the management of information which should include information security and information privacy.

5.6.2. The board should ensure that all personal information is treated by the company as an important business asset and is identified.

5.6.3. The board should ensure that an Information Security Management System is developed and implemented


King III and Enterprise Architecture

5.7. Integration with Risk and Audit Committees

5.7.1. The risk committee should ensure that IT risks are adequately addressed

5.7.3. The audit committee should consider IT as it relates to financial reporting and going concern of the company.


CobiT Control Framework

Planning and Organising

Acquire and Implement

Delivery and Service

Monitor and Report

© IT Governance Institute


CobiT Control Framework

Planning and Organising
• IT Planning & Strategy
• Define Information Architecture
• Determine Technology Direction
• Define IT Organisation / Processes
• Manage IT Investments
• Communicate Aims and Direction
• Manage IT Human Resources
• Quality Management
• Risk Management
• Manage Projects Portfolio

Acquire and Implement

Delivery and Service

Monitor and Report


CobiT Control Framework

Planning and Organising

Acquire and Implement
• Identify Automated Solutions
• Acquire and Maintain Software
• Acquire and maintain Technology Infrastructure
• Enable operations and use
• Procure IT Resources
• Change Management
• Install & accredit Solutions and Changes

Delivery and Service

Monitor and Report


CobiT Control Framework

Planning and Organising

Acquire and Implement

Delivery and Service
• Define & manage Service Levels
• Manage third-party services
• Manage performance and capacity
• Ensure continuous service
• Ensure system security
• Identify & allocate costs
• Educate and train users
• Manage service desk and incidents
• Manage configuration
• Manage problems
• Manage Data
• Manage physical environment
• Manage Operations

Monitor and Report


CobiT Control Framework

Planning and Organising

Acquire and Implement

Delivery and Service

Monitor and Reporting
• Monitor and Evaluate IT Performance
• Monitor & evaluate Internal Controls
• Ensure regulatory requirements
• Provide IT Governance Framework


Summary


Mauritz Kloppers
082 45 45 [email protected]
