REPORT OF THE ICT GOVERNANCE COMMITTEE FOR THE AUDIT COMMITTEE IN-COMMITTEE MEETING, 30 SEPTEMBER 2015

1. INTRODUCTION

We are pleased to present our report for the 2nd Quarter of financial year 2015/2016, which covers the months of June to September 2015.

Information and Communication Technology (ICT) is playing an ever-increasing role as a strategic enabler of public service delivery. This importance is emphasised by the King III Report [7], the Presidential Review Commission (PRC) report of 1998, the findings of the Auditor General (AG), and the Corporate Governance of ICT Policy Framework (CGICTPF) on the state of Information and Communications Technology in government and state entities. King IV is also under development and will present challenges and opportunities for organisations as far as corporate governance is concerned, and ICT governance in particular.

The pervasiveness of Information Technology (IT) and the business need to stay connected and share information make not only the governance of ICT a corporate imperative, but also the security of organisational networks and the protection of the organisation's information from harm and adverse conditions. Cyber-attacks are now so regular an occurrence, and the global risk so high, that the World Economic Forum in 2015 rated cyber-attacks as one of the Top Ten risks in terms of both likelihood and impact. Yet computer network security was never really considered a Board matter until recently, when cyber security breaches became a reality. The ICT Governance Committee of the Mpumalanga Legislature moved with the times and made ICT Security a standing agenda item to be considered regularly.

The purpose of this report is to give the Audit Committee, the Secretary and the Honourable Speaker a background of the work of the ICT Governance Committee and to report on how the Committee has discharged its responsibilities in line with universally accepted principles of directors' duty of care, namely ensuring that prudent and reasonable steps are taken regarding IT and its associated risks.

Quarter 2 ICT Governance Committee Report (2015/2016) Page 1 of 5

2. BACKGROUND

ICT governance can be defined as the set of processes, systems and governing structures that support the effective and efficient management of IT resources, so as to facilitate the achievement of an organisation's strategic objectives, to ensure that IT delivers value to the business, and to ensure that prudent and reasonable steps are taken regarding IT risks.

IT governance is divided into five main focus areas: strategic alignment, value delivery, risk management, resource management and performance management, all driven by stakeholder value (see Figure 1).

[Figure 1: diagram of the IT Governance Knowledge Areas (source: www.itgi.org); only the label "RESOURCE MANAGEMENT" survived extraction]

Figure 1 - IT Governance Knowledge Areas¹

Strategic alignment focuses on ensuring the linkage between business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with the enterprise operations.

Value delivery is about executing the value proposition and ensuring that IT delivers the promised benefits against the strategy.

Risk management is about addressing the safeguarding of IT assets, disaster recovery and continuity of operations.

Resource management covers the optimal investment, use and allocation of IT resources and capabilities.

Performance measurement covers tracking project delivery and monitoring IT services, using balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting, measuring those relationships and knowledge-based assets necessary to compete in the information age: customer focus, process efficiency and the ability to learn and grow.

¹ www.isaca.org

The Corporate Governance of ICT Policy Framework (CGICTPF) is based on these knowledge areas, as well as on principles found in the King III Code, ISO/IEC 38500 (the family of standards for IT governance) and COBIT 5 (an internationally recognised framework for IT governance). The CGICTPF stipulates certain governance practices for a government entity's Executive Authority, the Head of Department, the Risk and Audit Committee, the Executive Management and the IT Department.

The Mpumalanga Legislature was one of the few entities to form an ICT Governance Committee as part of its governance and oversight structures, and in that respect it is a pioneer in its own right. At that time the CGICTPF had not yet been conceptualised, and so King III, COBIT 5 and ISO/IEC 38500 became the guiding principles. The formation of the IT Implementation Committee (ITIC) a year or two later assisted in differentiating between a) the corporate governance of IT and b) the governance of IT.

3. NUMBER OF MEETINGS HELD

The ICT Governance Committee held no meeting in the quarter. The ICT Governance Committee Report was presented to the Audit Committee on 31 August 2015; the quarter was a transition period, with the new Acting Senior Manager: Information Technology having been appointed.

4. MATTERS TO BE BROUGHT TO THE ATTENTION OF THE AUDIT COMMITTEE AND THE EXECUTIVE AUTHORITY

The following matters are brought to the attention of the Audit Committee and the Executive Authority:

Corporate Governance of Information and Communication Technology Framework

The CGICT Policy Framework was approved by Cabinet and the National Assembly, but has not been approved by the Secretariat for implementation. The ISM Forum of the Legislative Sector has developed the Legislative Sector Corporate Governance of ICT Framework (LSCGICTPF). The Mpumalanga Legislature has also developed the IT Governance Handbook. Once all these documents are approved, the Committee will monitor and report on their implementation.

The effectiveness of IT controls

IT controls are designed to provide assurance that assets are safeguarded and that the confidentiality, integrity and availability of information are assured under all circumstances. The Committee, together with the Acting Senior Manager: Information Technology, is working on a holistic approach to reporting on IT security matters.

IT Risk Management

Another important principle of King III is IT risk management and its inclusion in Enterprise Risk Management. The IT Risk Action Plan and the IT Audit Action Plan are being revised in line with the Committee's recommendations.

Business Continuity

Business continuity enables the business to carry on its normal duties in the event of a disaster. The ICT Business Continuity Plan will be done as part of the implementation of the CGICTPF, and the Chief Risk Officer has been asked to lead the process.

Disaster Recovery Planning

The Disaster Recovery Solution and Architecture are being revised in line with the Business Continuity Strategy and Plans.

ICT Strategy

The IT Strategy has been completed and is in the process of finalising handover issues and sign-off. The Committee will then monitor the implementation of the strategy.

5. CONCLUSION

The approval and adoption of the ICT Governance Framework for the Legislative Sector and the ICT Strategy need to be concluded so that implementation can be monitored.

Q2 was a period in which an evaluation of the Information Technology activities and projects was done in order to map the way forward. It was also a transitioning period, with the new management defining the roadmap to address the inherent challenges. The Secretary and his team are to be commended for tackling the problems head on and developing strategies for addressing the challenges.

ANNA BADIMO
ICT GOVERNANCE COMMITTEE CHAIRPERSON
Signed: 30/09/15