Analysing information technology governance disclosure of the top 40 JSE listed companies
Abstract
Information Technology (IT) forms part of risk governance in accordance with King III, which assists in identifying and addressing IT-related risks. Identifying and addressing IT-related risks has become more important than ever in today’s competitive market environment. IT is a fast-developing industry that is continually subjected to significant changes and renewal. These continuous changes cause risks that have implications for the nature and effectiveness of both internal and external controls, which in turn impacts auditing. Specific and effective controls are therefore needed to mitigate the risks.
The nature and extent of the risks of internal controls vary depending on the characteristics and nature of the information system used by the entity. Entities are faced with different IT-related risks; therefore, IT-related risks are governed differently. Even though these IT-related risks are governed differently, IT still forms an integral part of the company’s risk management. Countries have different regulations that regulate IT governance disclosures: the King III report, as well as international regulations such as the International Organisation for Standardisation (ISO) standards, the Sarbanes-Oxley Act (SOX) and the International Standards on Auditing (ISA 315).
There appears to be a lack of guidelines that clarify the IT-related risks, and the extent thereof, that need to be disclosed in accordance with King III. Currently, the top 40 JSE listed companies are not fully compliant with the IT governance disclosure as required by King III. This study discusses the IT governance and disclosure requirements set out by the King III report and compares these requirements with the international requirements set out by the ISO standards, SOX and ISA 315.
The empirical review was conducted to determine to what extent the top 40 JSE listed companies comply with the IT risk governance disclosure in accordance with the King III report. The results were obtained by reviewing the annual reports that the top 40 JSE listed companies published online. The top 40 JSE listed companies were used as the basis of the study as these companies are required to comply with King III’s requirements.
The results that were obtained from the empirical review revealed that most top 40 JSE listed companies do not comply with the IT governance requirements of the King III report.
The differences between King III, the ISO standards, SOX and ISA 315 were determined by means of comparison. This was done in an attempt to clarify the IT governance disclosure of King III. The results led to recommendations made to King III in order to promote improved adherence for all South African companies.