TRANSCRIPT
Mauritz Kloppers, Independent Advisor
Background
King III Code of Governance: Good Governance and Effective Leadership
Sustainability of Business
Corporate Citizenship
Companies Act no 71 of 2008
© Institute of Directors Southern Africa
Background
King III applies to ALL entities regardless of the manner and form of incorporation (Public, Private, Non-profit Sectors)
King III code comes into effect on 1 March 2010
Companies Act no 71 of 2008 becomes operative on 1 July 2010
Background
King III is based on the Apply or Explain principle
USA – Sarbanes-Oxley (SOX) is based on “Comply or Else”
56 countries in the Commonwealth and 27 states in the EU use the “comply or explain” basis
King III Code requirements
2.1 The board should act as the focal point for and custodian of corporate governance
2.2 The board should appreciate that strategy, risk, performance and sustainability are inseparable
2.3 The board should provide effective leadership based on an ethical foundation
2.4 The board should ensure that the company is and is seen to be a responsible corporate citizen
2.5 The board should ensure that the company’s ethics are managed effectively
2.6 The board should ensure that the company has an effective and independent audit committee
2.7 The board should be responsible for the governance of risk
2.8 The board should be responsible for information technology (IT) governance
2.9 The board should ensure that the company complies with applicable laws and considers adherence to non-binding rules, codes and standards
2.10 The board should ensure that there is an effective risk-based internal audit
2.11 The board should appreciate that stakeholders’ perceptions affect the comp…
King III Code IT requirements
5.1. IT Governance
• Establish and maintain an IT Charter
• Adopt and implement an IT Internal Control Framework
• Receive independent assurance reviews
5.2. Business IT Alignment
• IT strategy should be integrated with the company’s strategic and business processes
5.3. IT Organisation
• Appoint an IT Steering Committee reporting to the board
• Appoint a Chief Information Officer (CIO) responsible for the management of IT
5.4. IT Investments
• Value delivery of IT (return on investments)
• Protection of intellectual property
• Obtain independent assurance review
5.5. IT Risk Management
• Business resilience and disaster recovery
• Company complies with IT laws, codes and standards
5.6. Information as an Asset
• Treat information as company assets (manage, privacy)
• Information Security Management
5.7. Involvement in Risk and Audit Committees
• IT risks must be addressed in the Risk Committee
• IT’s involvement in financial reporting
Enterprise Architecture
[Figure: The Open Group Architecture Development Method (TOGAF ADM) cycle; phases:]
Preliminary
A. Architecture Vision
B. Business Architecture
C. Information & Systems Architecture
D. Technology Architecture
E. Opportunities & Solutions
F. Migration Planning
G. Implementation Governance
H. Architecture Change Management
Requirements Management (centre of the cycle)
© The Open Group
Enterprise Architecture
Enterprise Architecture Competency
• Principles
• Standards
• Frameworks
• Skills and Resources
Enterprise Architecture
Business Architecture: Business Model
• Vision and Mission
• Business Strategic Objectives
• Value Proposition to Target Market
• Strengths (Differentiation)
• Opportunities (New Markets/Products)
• Threats (Market Forces)
Enterprise Architecture
Systems & Info Architecture: Operating Model
• Core and Support Value Chain
• Business Services
• Business Processes
• Information Required
• Information Referenced
• Information Produced
• Organisation Structure
• Internal Controls (RACI)
• External Access to Information
Enterprise Architecture
Technology Architecture
• Application Software Portfolio
• Database Platforms
• Data Warehouse / MIS / BI
• Knowledge / Collaboration
• Operating Environment (standards)
• Hardware and Network
• Dev / QA / Prod / DRP
• Desktops and Datacentres
Enterprise Architecture
Opportunities and Solutions: Compare to what is currently there
• Technology Lifecycle
• What do I sweat more
• What do I retire
• What do I acquire
Enterprise Architecture
Migration Planning: IT Strategy
• IT Roadmap (Medium and Long term)
• Sequence of Events
• Investment Plan
• Risks
• Resource Requirements
Enterprise Architecture
Implementation Governance: Executing the Strategy
Wired into CobiT:
• Acquire and Implement
• Delivery and Service
• Monitor and Reporting
Enterprise Architecture
Change Management: Manage adjustments to the strategy
Impact Analysis
• Business Strategies
• Priorities
• Investment
• Resourcing
• Risks
King III and Enterprise Architecture
5.1. IT Governance
5.1.2. The board should ensure that an IT Charter and Policies are established and implemented
5.1.3. The board should ensure promotion of an ethical IT Governance culture and awareness and of a common IT Language
King III and Enterprise Architecture
5.2. Business IT Alignment
5.2.1. The board should ensure that the IT strategy is integrated with the company’s strategic and business processes.
5.2.2. The board should ensure that there is a process in place to identify and exploit opportunities to improve the performance and sustainability of the company through the use of IT
King III and Enterprise Architecture
5.3. IT Organisation
5.3.1. Management should be responsible for the structures, processes, and mechanisms for the IT governance framework
King III and Enterprise Architecture
5.4. IT Investments
5.4.1. The board should oversee the value delivery of IT and monitor the return on investment from significant IT projects
5.4.2. The board should ensure that intellectual property contained in information systems is protected.
King III and Enterprise Architecture
5.5. IT Risk Management
5.5.1. Management should regularly demonstrate to the board that the company has adequate resilience arrangements in place for disaster recovery.
5.5.2. The board should ensure that the company complies with IT laws and that codes and standards are considered.
King III and Enterprise Architecture
5.6. Information Management
5.6.1. The board should ensure that there are systems in place for the management of information which should include information security and information privacy.
5.6.2. The board should ensure that all personal information is treated by the company as an important business asset and is identified.
5.6.3. The board should ensure that an Information Security Management System is developed and implemented
King III and Enterprise Architecture
5.7. Integration with Risk and Audit Committees
5.7.1. The risk committee should ensure that IT risks are adequately addressed
5.7.3. The audit committee should consider IT as it relates to financial reporting and the going concern of the company.
CobiT Control Framework
Planning and Organising
• IT Planning & Strategy
• Define Information Architecture
• Determine Technology Direction
• Define IT Organisation / Processes
• Manage IT Investments
• Communicate Aims and Direction
• Manage IT Human Resources
• Quality Management
• Risk Management
• Manage Projects Portfolio
Acquire and Implement
• Identify Automated Solutions
• Acquire and Maintain Software
• Acquire and Maintain Technology Infrastructure
• Enable Operations and Use
• Procure IT Resources
• Change Management
• Install & Accredit Solutions and Changes
Delivery and Service
• Define & Manage Service Levels
• Manage Third-party Services
• Manage Performance and Capacity
• Ensure Continuous Service
• Ensure System Security
• Identify & Allocate Costs
• Educate and Train Users
• Manage Service Desk and Incidents
• Manage Configuration
• Manage Problems
• Manage Data
• Manage Physical Environment
• Manage Operations
Monitor and Report
• Monitor and Evaluate IT Performance
• Monitor & Evaluate Internal Controls
• Ensure Regulatory Requirements
• Provide IT Governance Framework
© IT Governance Institute
Summary
Mauritz Kloppers
082 45 45 [email protected]