India continues to ride the wave of success in the business world, making giant strides in the field of economic development powered by a unique strength in information technology. This unprecedented growth in business has spawned many corporate entities that have accessed the markets to sate their never-ending need for capital. That need is obliged gleefully by the burgeoning, prosperous middle class and by increasingly attracted, funds-rich foreign institutional investors. By the end of 2005, the market capitalization of the Indian stock markets had nearly doubled compared to its highs at the beginning of 2004. This development, coupled with the global trend of increased regulatory focus on corporate entities using public funds for their functioning (e.g., the US Sarbanes-Oxley Act of 2002), has forced the Securities and Exchange Board of India (SEBI), the Indian regulatory body, to lay down the benchmark for corporate governance.
Every company that wants to list its shares on the stock exchanges in India must enter into a listing agreement with the concerned stock exchange. Clause 49 of the Listing Agreement lays down the reporting requirements for a company. SEBI is entrusted with the task of ensuring compliance with regulatory requirements by companies whose shares are listed on the stock exchanges in India. On 29 October 2004, Clause 49 of the Listing Agreement was amended via Circular No. SEBI/CFD/DIL/CG/1/200412/10, to include clauses to ensure corporate governance in listed companies.
The amended clause was originally to go into effect on 31 March 2005. Due to lack of preparedness on the part of the listed companies, this was extended until 31 December 2005.
Major Requirements of Clause 49
Clause 49 of the Listing Agreement has introduced a slew of requirements aimed at strengthening corporate governance. The highlights of the requirements are:
- Half the board of directors must be independent directors.
- The board must lay down a code of conduct for all board members and senior management, and must record an annual affirmation.
- The audit committee has oversight of the financial reporting process and the disclosure of its financial information to ensure that the financial statement is correct, sufficient and credible.
- The company must lay down procedures to inform the board about the risk assessment and minimization procedures, which shall be periodically reviewed to ensure that executive management controls risk through a properly defined framework.
- A management discussion and analysis report must form part of the annual report to the shareholders, which must include discussion on matters such as internal controls and their adequacy.
- The chief executive officer (CEO) and chief financial officer (CFO) must certify to the board that they accept responsibility for establishing and maintaining internal controls, that they have evaluated the effectiveness of the company’s internal control systems, and that they have disclosed to the auditors and the audit committee deficiencies in the design or operation of internal controls and the steps they have taken or propose to take to rectify these deficiencies.
- The CEO and CFO must indicate to the auditors and the audit committee the significant changes in internal control during the year, instances of significant fraud of which they have become aware and the involvement of management or employees with a significant role in the company’s internal control system.
- The company’s annual report must have a separate section on corporate governance, including a detailed compliance report that highlights any noncompliance with the mandatory requirements (as detailed in annexure 1C of the circular), with reasons, and the extent to which the nonmandatory requirements (as detailed in annexure 1D of the circular) have been adopted.
- The company must submit a quarterly compliance report to stock exchanges within 15 days from the close of the quarter that is duly signed by the compliance officer or CEO in the format specified in annexure 1B of the circular.
- The company must obtain a certificate from either the auditors or practicing company secretaries regarding compliance with the conditions of corporate governance.
Very often, academic and business circles are agog with comparisons between the Sarbanes-Oxley Act and the amended Clause 49 of the Listing Agreement. However, there are important differences between the two measures (see figure 1).
Impact of Clause 49 on IT Governance
Most Indian corporate entities have witnessed a heavy penetration of IT in the running of business processes. Corporate majors have gone in for massive state-of-the-art enterprise resource planning (ERP) implementations across their geographically dispersed business locations, gaining in the bargain online recording of transactions and availability of information at the click of a mouse. Major ERP vendors have come out with India-specific versions to service their expanding Indian clientele. Adding momentum to this development are the increasing offshore (and often intercontinental) acquisitions of business units by most of the top business houses over the last year, in both services and manufacturing verticals. The cumulative impact of all these developments boils down to the fact that the road to corporate governance definitely lies through achieving IT governance. Many Indian corporate entities have started recognizing the importance of having a chief information officer (CIO) working independently and reporting directly to the board of directors, in place of the traditional reporting structure of working under and reporting to the CFO. This has lent a sense of urgency to giving the IT function its rightful place in the management scheme of things.
A Suggested Approach to IT Governance
Now, the question that arises is how to go about achieving IT governance, which contributes to achieving overall corporate governance. One approach follows:
- Laying the foundation—Before trying to arrive at a strategy for achieving IT governance, it is important to understand the evolution of IT in the Indian context. For a long time, the IT function was looked upon as an enabler rather than the driver of business processes, which it is increasingly viewed as today. Therefore, the IT function had been long deprived of an independent visage in the corporate scheme of things and had traditionally been appended as a secondary role below another function, depending on its relative primacy among the traditional functions that drive business. However, that has been changing in recent times. Consequently, any strategy for achieving IT governance must acknowledge this paradigm shift in the role of IT.
For any strategy to succeed, the correlation of the strategy with the reality on the ground has to be ensured. Accordingly, the following factors should be afforded paramount importance:
- The extent of IT’s penetration in business processes
- The extent to which internal controls have been configured in the IT infrastructure
- The competence of those charged with governance in appreciating the role of IT (in terms of capabilities as well as limitations) in administering management-prescribed internal controls
- The appropriate placement of IT in the corporate reporting structure
- Management’s long-term vision for corporate governance and the perceived role for IT in realizing the vision
- Preparing the blueprint—After the previously mentioned factors have been measured and determined, the blueprint should be prepared and put up for discussion among the stakeholders who are charged with corporate governance, as well as the people involved in manning the key checkposts of the internal control system. This will ensure appropriate buy-in of the strategy by all those concerned, which is vital for the success of the strategy. The outcome of this process will be a high-level strategy plan for achieving the end objective—an IT governance blueprint for achieving corporate governance. The blueprint should clearly identify the subprocesses that cumulatively contribute to the processes that will finally deliver the objective. This is also the occasion for the stakeholders to take responsibility for the deliverables pertaining to their processes, which should ideally include the identification of the key goal indicators (which will determine the end result of the processes) and the corresponding key performance indicators (which will help measure the progress of the processes, including their status at any given point in time).
- Actualizing the blueprint—Once the blueprint has been set, measures should be adopted to translate the approach into action. This will start with mapping the existing controls, undertaking a gap analysis of what is required to be achieved and zeroing in on the obstacles to achieving the objective. After the remedial and corrective measures for making up the deficiencies and gaps are put in place, the process heads have to put in monitoring mechanisms to ensure that the process remains on track throughout the reporting period. The design of the monitoring mechanisms should also encompass criteria to measure the performance of the controls, the periodicity of the measurement and the procedure for reporting to those charged with governance. The process should logically include an iterative process for analysis of the performance of the controls and self-correction mechanisms where there are slippages and underperformance. The key goal indicators should invariably be tagged to the specific reporting points for mandatory and nonmandatory requirements as detailed in annexures 1C and 1D of the circular.
- Maintaining the blueprint—This is the most important, and easily the most overlooked, aspect of many governance initiatives. After the initial endeavor, most governance initiatives forget the fundamental requirement of revisiting the blueprint for changes in the environment. This is especially important considering the dynamism of the IT environment that is so characteristic of the key driver of business processes today. There should be continuous monitoring of the impact of changes in the IT environment, and consequent amendments should be enacted to ensure the continued relevance of the blueprint. Any neglect of this key area will increasingly render the blueprint obsolete, calling into question the very framework selected to ensure IT governance and, by extension, corporate governance. To guarantee the continued relevance of the blueprint, linkages with change management mechanisms should be ensured, with the active involvement of all stakeholders. Such activity will also help the entity ascertain its status at a given point in time and the distance remaining to reach the final destination.
The entire strategy can be represented pictorially as a set of logically interlinked processes (see figure 2).
The amendment to Clause 49 of the Listing Agreement has been the topic of elaborate discussion in the Indian corporate scene. The difficulties in achieving compliance prompted many apex chambers of commerce to appeal for an extension of the extended deadline of 31 December 2005, without success.
In this scenario, the upgraded Control Objectives for Information and related Technology (COBIT) 4.0 framework came at the right time. The upgraded framework gives practical guidance for each of the phases of the suggested approach discussed in this article (see figure 3). If corporate India seizes this regulatory requirement (Clause 49) as an opportunity to refine and fine-tune IT processes, the regulatory requirement will serve the purpose of the regulators, ushering in much-needed corporate governance in letter as well as in spirit.
Sree Krishna Rao, CISA, CA, CISSP, CEH, CCNA
is a manager in the systems and process assurance division of PricewaterhouseCoopers in Bangalore, India. He invites comments at email@example.com.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.