IT Charter and IT Governance Framework

IT Charter and IT Governance Framework
Status: Approved
Custodian: Director: Information Technology
Date approved: 2013-12-04
Implementation date: 2013-12-05
Decision number: SAQA 02102/13
Due for review: 2016-12-03
File Number:
File Reference: 1

IT CHARTER AND IT GOVERNANCE FRAMEWORK

1. BASIS OF THE CHARTER AND THE FRAMEWORK

SAQA has adopted King III as a Governance Framework, which therefore also applies to the Information Technology environment. In addition, the 5 key elements of IT Governance as per COBIT (Control Objectives for Information and related Technology) are adopted for SAQA's IT Governance Framework.

Furthermore, King III recommends that the Board establish an IT Charter. This IT Charter should outline the decision-making rights and accountability framework for IT governance that will enable the desirable culture in the use of IT within the company. This document will serve as the IT Charter for SAQA.

In addition, King III allows the Board to delegate to management or to other Board committees the responsibility for the implementation and monitoring of IT governance. This document clarifies delegated responsibilities.

Moreover, the Public Service Corporate Governance of Information and Communication Technology Policy Framework (CGICTPF) requires that SAQA has an approved IT Governance Framework as well as an approved IT Charter.

The key elements are as follows:

1.1 The 7 principles of King III

1. The Board should be responsible for Information Technology (IT) Governance
- The board should assume the responsibility for the governance of IT and place it on the board agenda.
- The board should ensure that an IT charter and policies are established and implemented.
- The board should ensure the promotion of an ethical IT governance culture and awareness and of a common IT language.
- The board should ensure that an IT internal control framework is adopted and implemented.
- The board should receive independent assurance on the effectiveness of the IT internal controls.

2. IT should be aligned with the performance and sustainability objectives of the organisation
- The board should ensure that the IT strategy is integrated with the company's strategic and business processes.
- The board should ensure that there is a process in place to identify and exploit opportunities to improve the performance and sustainability of the company through the use of IT.

3. The board should delegate to management the responsibility for the implementation of an IT governance framework
- Management should be responsible for the implementation of the structures, processes and mechanisms for the IT governance framework.
- The board may appoint an IT steering committee or similar function to assist with its governance of IT.
- The CEO should appoint a Chief Information Officer (CIO) responsible for the management of IT.
- The CIO should be a suitably qualified and experienced person who should have access to, and interact regularly on strategic IT matters with, the board and/or appropriate board committee and Executive management.

4. The board should monitor and evaluate significant IT investments and expenditure
- The board should oversee the value delivery of IT and monitor the return on investment from significant IT projects.
- The board should ensure that Intellectual Property (IP) contained in information systems is protected.
- The board should obtain independent assurance on the IT governance and controls supporting outsourced IT services.

5. IT should form an integral part of the company's risk management
- Sub-Principle: Management should regularly demonstrate to the Board that the company has adequate business resilience arrangements in place for disaster recovery.

6. The board should ensure that information assets are managed effectively
- The board should ensure that there are systems in place for the management of information, which should include information security, information management and information privacy.
- The board should ensure that all personal information is treated by the company as an important business asset and is identified.
- The board should ensure that an Information Security Management System is developed and implemented.
- The board should approve the information security strategy and delegate and empower management to implement the strategy.

7. A risk committee and audit committee should assist the Board in carrying out its IT responsibilities
- The risk committee should ensure that IT risks are adequately addressed.
- The risk committee should obtain appropriate assurance that controls are in place and effective in addressing IT risks.
- The audit committee should consider IT as it relates to financial reporting and the going concern of the company.
- The audit committee should consider the use of technology to improve audit coverage and efficiency.

1.2 The 5 key elements of COBIT

1. Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.
2. Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT.
3. Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.
4. Risk management requires risk awareness by senior organisational officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organisation.
5. Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.

The coverage of these frameworks is depicted in the following illustration:

[Illustration: levels BOARD LEVEL, MANAGEMENT LEVEL and IT OPERATIONAL LEVEL; King III coverage: Entire Organisation; COBIT coverage: IT operational level.]

2. DESIRABLE CULTURE IN THE USE OF IT

The Board defines the desirable culture in the use of IT hereunder. The decision-making rights and accountability framework defined in the remainder of the document is designed to achieve these 10 objectives.

1. The activities and functions of the IT strategy are aligned to the business strategy. Opportunities to improve the use of IT within SAQA are identified and exploited.
2. The optimal investment is made in IT, costs are managed, and the return on investment is measured.
3. Synergies between IT initiatives are enabled and IT choices are in the best interest of the organisation as a whole, and not only those of individual business units.
4. IT resources are sourced optimally and legitimately, keeping core capabilities in-house. Assurance is obtained on the controls over significant outsourced IT services.
5. IT risks are identified and adequately addressed. Assurance is obtained to ensure that an IT control framework is in place to address IT risks.
6. Information, IT assets and intellectual property contained in IT systems are protected and effectively managed and used.
7. IT has adequate business resilience arrangements in place for disaster recovery.
8. Information Management is a joint IT and business responsibility.
9. IT use conforms to IT-related laws, and related rules, codes and standards are considered.
10. IT use is sustainable with respect to the environment.

3. KEY RESPONSIBILITIES

IT Governance should be applied at all three levels (Strategic, Tactical and Operational) of an organisation, and the responsibilities at each of these levels will be as indicated below:

LEVEL / TYPE OF RESPONSIBILITY
- Strategic / Board / Board Committee level: Evaluate, Direct, Monitor, and Mitigate Risks
- Tactical / I&IT Steering Committee: Plan, check, supervise
- Operational / IT management and staff level: Detailed activities

The key committees of the IT Governance Framework are:
- The SAQA Board, the I&IT Committee and the Audit and Risk Committee at strategic level;
- The I&IT Steering Committee (special function of EMM) at tactical level; and
- The IT Directorate at operational level.

The Information Technology Governance Institute (ITGI) provides the following guideline in terms of the authority and membership of an IT Strategy Committee (I&IT Committee in SAQA's case) and an I&IT Steering Committee:

I&IT Committee
Authority:
- Advises the Board and Management on IT Strategy.
- Is delegated by the Board to provide input to the strategy and prepare its approval.
- Focuses on current and future strategic issues.
Membership:
- Board members and specialist non-Board members.

I&IT Steering Committee
Authority:
- Assists the Executive in the delivery of the IT Strategy.
- Oversees the day-to-day management of IT service delivery and IT projects.
- Oversees major projects, IT costs and IT resource allocation.
- Focuses on implementation.
Membership:
- Sponsoring executive (Directors in SAQA).
- The IT Director.
- Key advisors as required (from service providers, IT technical staff, audit, finance and legal).

The three key ingredients that are needed for proper IT Governance at Strategic, Tactical and Operational level are:
- Structures;
- Processes; and
- Communication of information.

These key ingredients will be covered at SAQA by the various committees as follows:

SAQA'S STRUCTURES (LEVEL / GOVERNING BODY / ROLES AND RESPONSIBILITIES):
- Representation at Strategic level / SAQA Board: As per the 7 Principles of King III in Section 1.1 above.
- Representation at Strategic level / I&IT Committee: Refer to the Terms of Reference of the I&IT Committee.
- Representation at Tactical level / I&IT Steering Committee (special function of the Executive Management Meeting (EMM)): Refer to the Terms of Reference of the EMM.
- Representation at Operational level / IT-related management committees: Normal day-to-day management of IT and ensuring compliance with the principles of King III.

SAQA'S PROCESSES:

Representation at Strategic level
- Requirements in terms of policies: The I&IT Committee should consider all IT Policies and, if suitable, recommend these to the SAQA Board for approval. The SAQA Board should approve all IT Policies.
- Requirements in terms of IT governance methodologies, frameworks, tools, technologies and systems to adopt: King III, the 5 key elements of IT Governance as per COBIT, this IT Governance Framework and the Terms of Reference of the I&IT Committee (applicable to both the I&IT Committee and the SAQA Board).

Representation at Tactical level
- Requirements in terms of policies: The IT Steering Committee (EMM) should review all policies, procedures, standards and principles, provide feedback to IT Management regarding any enhancements required and make recommendations to the I&IT Committee on these.
- Requirements in terms of IT governance methodologies, frameworks, tools, technologies and systems to adopt: Support and recommend King III and the 5 key elements of IT Governance as per COBIT as the IT Governance methodologies to adopt.

Representation at Operational level
- Requirements in terms of policies: IT Management should develop, enhance and implement all policies, procedures, standards and principles.
- Requirements in terms of IT governance methodologies, frameworks, tools, technologies and systems to adopt: IT management, with support from the IT Steering Committee, the I&IT Committee and the Board, should ensure compliance with King III requirements, or that there is motivation for areas that do not comply. IT management should also use the 5 key elements of COBIT as a guide to manage and report on.

COMMUNICATION AND INFORMATION:

The IT Governance related information to be communicated to the structures is as follows:

Representation at Strategic level: SAQA Board
- Consider high-level feedback to the Board from the I&IT Committee on IT Governance only.

Representation at Strategic level: I&IT Committee
- King III requires IT Governance to be an agenda item at Board level, and since the I&IT Committee is a committee of the Board, the following topics should be covered by the I&IT Committee:
- Which of the 7 principles of King III are being complied with; and for those not yet being complied with, what progress is made to comply or why compliance is not feasible.
- Reporting on the 5 key elements of IT Governance as per COBIT, namely:
  - Is there strategic alignment;
  - Is IT value being delivered;
  - Are IT resources adequately managed;
  - Are the IT risks managed; and
  - IT performance measurement reports.

Representation at Tactical level
- The IT Steering Committee needs to collect, collate, evaluate and summarise the information necessary to report on the above to the I&IT Committee. The IT Steering Committee can also request independent reports from the Auditors or third parties in this regard.

Representation at Operational level
- IT Management needs to work towards achieving the 7 principles of King III and to ensure the following as per COBIT: it remains strategically aligned with business; it delivers IT value; its IT resources are adequately managed; it identifies and closely manages its IT risks; and it obtains IT performance reports that show adequate performance. IT Management should report on all these matters to the IT Steering Committee.

4. IT PROJECTS

In addition to its other duties, IT Projects will be a standing item on the agenda for meetings of the I&IT Committee. In particular, the committee will carry out the following responsibilities in this regard:
- Ensure that appropriate project management principles and frameworks are applied to all significant projects.
- Ensure that effective review processes are performed by independent experts on all business-critical projects.
- Oversee the portfolio of IT projects and monitor investment outcomes and realisation of benefits.

5. GOVERNANCE, RISK AND COMPLIANCE COMMITTEE

SAQA will not formally establish a Governance, Risk and Compliance Committee, since the functions of such a committee are split between SAQA's I&IT Committee and SAQA's Audit and Risk Committee. These committees will carry out the following responsibilities:
- Ensure the implementation of the IT Charter, including the defined IT governance structures.
- Maintain the IT Charter.
- Receive and act upon direction from the Audit and Risk Committee relating to IT governance.
- Ensure that an IT internal control framework is implemented.
- Ensure that IT principles, policies, procedures and standards are defined and implemented.
- Approve IT principles, policies, procedures and standards.
- Ensure the promotion of an ethical IT governance culture and awareness of a common IT language.
- Ensure that SAQA has adequate business resilience arrangements in place for IT disaster recovery.
- Ensure that appropriate processes are followed for the identification, assessment and management of IT risks as part of the enterprise-wide risk management framework.
- Ensure compliance with relevant IT laws and related rules, codes and standards.
- Ensure that a process is established for legal review of IT contracts.
- Receive and act upon the minutes of the I&IT Steering Committee and the Specification Committee.
- Ensure that IT financial governance (e.g. sign-off levels, budget principles such as depreciation rules) is adhered to within IT.
- Ensure the corporate sustainability strategy is supported by IT strategies.
- Obtain assurance on the IT governance and controls supporting significant outsourced IT services.
- Receive and act upon independent IT audit reports.
- Provide a board report on IT to the Audit and Risk Committee meetings to assure the Board that their responsibilities relating to King III have been implemented in terms of the following:
  o Value derived from IT, measured against IT performance criteria;
  o IT risks;
  o IT security and continuity, including data privacy;
  o IT projects;
  o IT cost and major investments;
  o IT strategy and progress on the IT strategy plan; and
  o IT governance and control.

6. BOARD RESPONSIBILITIES

The Board retains the following responsibilities for IT governance.

6.1 SAQA Audit and Risk Committee

The Committee will carry out the following responsibilities:
- Direct and control IT through the establishment of an IT governance framework, embedded in this IT Charter.
- Receive and act upon the board report on IT developed by the I&IT Committee and the Audit and Risk Committee to assure the board that their responsibilities relating to King III have sufficiently been implemented.
- Submit the board report on IT, or summaries thereof, to the SAQA Board.
- Obtain appropriate assurance that controls are in place and effective in addressing IT risks.
- Ensure that IT risks are identified, assessed and mitigated through an IT control framework.
- Consider IT as it relates to financial reporting and the going concern of the company.
- Consider the use of technology to improve audit coverage and efficiency.

6.2 SAQA Board

The SAQA Board will retain accountability for IT governance. The Board will carry out the following responsibilities:
- Understand the strategic importance of IT, assume responsibility for the governance of IT and place it on the board agenda.
- Receive and act upon board-level IT reporting received from the Audit and Risk Committee.
- Satisfy itself that its responsibilities relating to King III have sufficiently been implemented.

7. APPROVAL

This Charter and Governance Framework was recommended for approval to the SAQA Board by the SAQA I&IT Committee and the SAQA Audit and Risk Committee, and was approved by the SAQA Board.