ISACA Journal Author Blog

ISACA > Journal > Practically Speaking Blog > Posts > The Absence of IT Governance Codes

The Absence of IT Governance Codes

Steven De Haes, Ph.D., Anant Joshi, Ph.D., Tim Huygh and Salvi Jansen
| Published: 7/17/2017 3:03 PM | Category: Government-Regulatory | Permalink | Email this Post | Comments (3)

In recent years, board-level supervision in information technology matters has become a key IT governance topic. It is often assumed that national corporate governance codes can guide board members to design and potentially improve their IT governance practices. At the Antwerp Management School (AMS), we conducted a study to understand what IT governance-related guidelines are included in national corporate governance codes.

We selected 15 national corporate governance codes to study. These codes were selected based on income level and geographic dispersion across different continents. Surprisingly, we found that most national corporate governance codes do not include key IT governance topics. There is hardly any IT governance information incorporated in the codes at all. The only exception we found was the South African corporate governance code, King III, which contains an entire chapter on IT governance-related guidelines. We also note that the committee responsible for drafting the South African corporate governance code recently finalized King IV, in which IT-related matters assume an even more prominent role. Based on our findings, we conclude that:

  • Corporate governance committees responsible for drafting corporate governance codes worldwide that are willing to recognize the value of IT governance can certainly benefit from looking at the South African corporate governance codes.
  • Additionally, we suggest that board members who are already complying with their existing national corporate governance codes refer to the King III guidelines to explore more concrete guidelines on IT governance.

This study was performed by researchers at AMS around an industry-sponsored research project on board-level IT governance. The research project focused on the need for boards to extend their governance accountability from a mono-focus on finance and legal as proxy to corporate governance. This extended accountability should include technology and provide digital leadership and organizational capabilities to ensure that the enterprise’s IT department sustains and extends the enterprise’s strategies and objectives. We discovered that board members are increasingly seeking guidance on how they can expand their IT governance accountability within the board and also in an appropriate modus vivendi with executive management. More information, including intermediary results, can be found on the AMS website.

Read Steven De Haes, Anant Joshi, Tim Huygh and Salvi Jansen’s recent Journal article:
Exploring How Corporate Governance Codes Address IT Governance,” ISACA Journal, vol. 4, 2017.


That's true but I'm afraid your research values are optimistic ..

... Yet, it appears that enterprise technology governance competence remains the ‘elephant in the boardroom’ for more than 80% of boards of directors ...

I mean apart from new digital company like Amazon, Google, Facebook and very few others no boards of directors really got the mess of their 'digital' organization .. hope things will change soon as it is not only a question to audit IT controls in place or less it is "mainly" a question of reduction of systems and applications each company manage not properly and with high costs. Companies should simplify processes and systems in order to apply consistent monitoring of IT controls, reducing and preventing malware attacks, applying patches and checking seriously hw and sw EOL technologies (IT Asset Management). In other words, before security & governance a Company must apply "simplicity" in their business and technology model. This is the first level of defence ..
Claudio.prf at 7/18/2017 11:56 AM

Re: The Absence of IT Governance Codes

Hi Claudio,

It is true that research indicates that IT remains the elephant in the boardroom. Nevertheless, I would be interested to see the state of this in South African companies.

Our research group is currently making efforts in a research project that is aimed at developing the board-level IT governance capability in organizations.
Tim303 at 7/19/2017 3:49 AM

Governance competence

Given the strategic value of IT to an organization, Boards should have more Directors that have a science, engineering, or technology background. I don't have any data to support my assumption that most Board members have a business, economics, or legal background. While that is important, I would suggest having someone on the Board with technology background will most likely improve enterprise technology governance.
david ho at 7/19/2017 11:02 AM