Governance relates to management, policies, procedures, and decisions for a given area of enterprise responsibility.Hence IT related assets should be governed in way that it will of profitability to the company in order to achieve its goals and objectives.

1. CORPORATE ICT GOVERNANCE.
1
Governance relates to management, policies, procedures, and decisions for a given area of
enterprise responsibility (e.g., corporate operations, IT services). For example, corporate
governance entails how the boards direct a corporation, and the regulations, policies and
procedures that apply to that direction.
IT governance is a subset discipline of corporate governance that is focused on IT systems and
their performance and risk management.
Corporate Governance is the set of responsibilities and practices exercised by the board and
executive management with the goal of providing strategic direction ensuring that the objectives
are achieved ascertaining that risks are managed appropriately and ensuring that the enterprise’s
resources are used responsibly. Or they are the procedures and processes according to which an
organization is directed and controlled.
Corporate Governance of ICT it is the system by which the current and the future use of ICT is
directed and controlled.
Corporate Governance of ICT involves evaluating and directing the use of ICT to support the
organization and monitoring this use to achieve plans. It includes the strategy and policies for
using ICT within an organization.
IT Governance focuses on:
 IT principles – clarifying the institutional role of IT
 IT investment and prioritization – choosing which initiatives to fund and how much to
spend
 IT architecture – defining integration and standardization requirements
 IT infrastructure – determining and enabling shared services
 Business application needs – specifying the business need for purchased or internally
developed IT applications
ICT Governance Benefits.
If the Corporate Governance of ICT is effectively implemented and maintained , the following
benefits will be realized:
i. Improved achievement of Public Service-wide and departmental strategic goals
ii. Improved effective public service delivery through ICT-enabled access to government
information and services
iii. Improved ICT enablement of business
iv. Improved delivery of ICT service quality
v. Improved stakeholder communication
vi. Continuous improvement of business and ICT alignment
vii. Improved trust between ICT, the business and citizens
viii. Increased alignment of investment towards strategic goals.
ix. Improved return on ICT-enabled investment

2. CORPORATE ICT GOVERNANCE.
2
x. ICT risks managed in line with the priorities and appetite of the Public Service and the
department
xi. Appropriate security measures to protect the departmental and employee information
xii. Improved management of business-related ICT projects
xiii. Improved management of information as it is managed on the same level as other
resources such as people, finance and material in the Public Service
xiv. ICT pro-actively recognizes opportunities and guides departments and the Public Service
in timeous adoption of appropriate technology
xv. Improved ICT ability to learn and agility to adapt to changing circumstances, and
xvi. ICT executed in line with legislative and regulatory requirements.
Monitoring of controls and risks.
Risk monitoring is the process of keeping track of identified risks, ensuring that risk response
plans are implemented, evaluating the effectiveness of risk responses, monitoring residual risks,
and identifying new risks. The purpose of monitoring is to determine whether:
 Risk responses have been implemented.
 Risk responses were effective (or new responses are needed).
 Project assumptions are still valid.
 Any risk triggers have occurred.
 Risk exposure has changed.
 Policies and procedures are being followed-
 Any new risks have emerged.
Monitor and Control Risks
Inputs Tools Outputs
1. Risk register
2. Project management plan
3. Work performance
information
4. Performance reports
1. Risk reassessment
2. Risk audits
3. Variance and trend analysis
4. Technical performance
measurement
5. Reserve analysis
6. Status meetings
1. Risk register updates
2. OPA updates
3. Change requests
4. Project management plan
updates
5. Project document updates
Four Key Inputs for Monitor and Control Risks:
1. Risk Register: Provides the list of identified risks, risk owners, agreed responses, risk triggers
(symptoms and warning signs), residual and secondary risks, watch list of low priority risks, and
planned reserves-
2. ICT Management Plan: Contains the risk management plan which assigns people, risk owners,
and the resources needed to carry out risk monitoring activities.
3. Work Performance Information: The status of the work is a major input to risk monitoring
and control. Performance reports give insights into whether risks are occurring and whether
response plans need to be implemented. Specific status of interest includes:

3. CORPORATE ICT GOVERNANCE.
3
 Deliverable status
 Schedule progress
 Costs incurred
4. Performance Reports: These reports analyze the work performance information just mentioned
to create status reports and forecasts using various methods such as earned value.
Six Key Tools for Monitor and Control Risks:
1. Risk Reassessment: The ICT team should regularly check for new risks as well as
"reassessing" previously identified risks. At least three possible scenarios should be considered:
a) new risks may have emerged and a new response plan must be devised, b) if a previously
identified risk actually occurs, the effectiveness of the response plan should be evaluated for
lessons learned, and c) if a risk does not occur, it should be officially closed out in the risk
register.
2. Risk Audits: Evaluate and document the effectiveness of risk responses as well as the
effectiveness of the processes being used. Risk audits may be incorporated into the agenda of
regularly scheduled status meetings or may be scheduled as separate events.
3. Variance and Trend Analysis: Used to monitor overall project performance. These analyses
are used to forecast future project performance and to determine if deviations from the plan are
being caused by risks or opportunities.
4. Technical Performance Measurement: Using the results of testing, prototyping, and other
techniques to determine whether planned technical achievements are being met. As with trend
analysis, this information is also used to forecast the degree of technical success on the project.
5. Reserve Analysis: Compares the remaining reserves to the remaining risk to determine whether
the remaining reserve is adequate to complete the project.
6. Status Meetings: Risk management should be a regular agenda item at the regular team
meetings.
Five Key Outputs for Monitor and Control Risks:
1. Risk RegisterUpdates: Records the outcomes of risk monitoring activities such as risk
reassessment and risk audits. Also records which risk events have actually occurred and whether
the responses were effective.
2. Organizational Process Assets Updates: Includes risk plan templates, the risk register, the risk
breakdown structure, and lessons learned.
3. Change Requests: When contingency plans are implemented, it is sometimes necessary to
change the project management plan. A classic example is the addition of extra money, time, or
resources for contingency purposes. These change requests may lead to recommended corrective
actions or recommended preventive actions.
Corrective actions may include contingency plans (devised at the time a risk event is identified
and used later if the risk actually occurs) and workarounds (passive acceptance of a risk where
no action is taken until or unless the risk event actually occurs). The major distinction is that
workaround responses are not planned in advance.
4. ICT Management Plan Updates: Again, if approved changes have an effect on risk
information or processes, the project management plan should be revised accordingly.
5. Project Document Updates: Documents that may be updated include:
 Assumptions log updates
 Technical documentation updates

4. CORPORATE ICT GOVERNANCE.
4
IT Audit
ISACA (the Information Systems Audit and Control Association) is a global professional
organization dedicated to audit, control and security of information systems. The key ISACA
qualification for IT auditors is CISA (Certified Information Systems Auditor).
An information technology (IT) audit or information systems (IS) audit is an
examination of the controls within an entity's information technology infrastructure.
These reviews may be performed in conjunction with a financial statement audit, internal
audit, or other form of attestation engagement.
An IT audit is the process of collecting and evaluating evidence of an organisation's
information systems, practices, and operations. Obtained evidence evaluation can ensure
whether the organisation's information systems safeguard assets, maintains data
integrity, and is operating effectively and efficiently to achieve the organisation's goals
or objectives
Here are three types of reports; however, a SOC 2 & 3 report provide more information about the
security, availability and data safeguards that a service organization has employed, such as what
would be needed within a Cloud platform.
Types of Reports:
There are three types of reports; however (Service Organization Controls) a SOC 2 & 3 report
provide more information about the security, availability and data safeguards that a service
organisation has employed, such as what would be needed within a Cloud platform.
Types of Reports:
 A SOC 1 Report provides information to clients on the internal controls that affect your
organization’s financial statements.
 A SOC 2 Report provides information on non-financial controls that affect data
security, privacy, availability, confidentially and processing integrity. The report verifies
the application and implementation of controls.
 A SOC 3 Report provides information on non-financial controls and verifies whether
the controls that were applied and implemented are effective in achieving their
objective
How do internal audits add value to security governance?
There are various ways in which auditing helps in assurance purposes:
 Internal control assessment
Systems audits are designed to assess the full scope of the organization’s financial
and performance control systems and to identify deficiencies and recommend

5. CORPORATE ICT GOVERNANCE.
5
corrective actions (IIA, 2006). Audits achieved through the implementation of proper
IT controls mitigates IT risk and increases operational efficiency and effectiveness.
 Process standardization
Audits have the capability of creating a culture of change management which can
transform low and medium-performing organizations into high performers, delivering
more value to the business with less risk.
 Risk mitigation
Internal auditors are not just internal watchdogs but play an important role in
assurance and consulting activity. Audit departments offer a variety of other services
such as risk-based audit (identifying risks in various business processes) and pre-
implementation review (participating in systems development or reviewing
development stages).
 Training
Auditors also add value through educating employees about the benefits of certain
security measures in an organization. These involve self assessment (workshop
administration, collecting data to address
Outsourcing of IS controls and impact on outsiders
The institute of internal auditors (IIA) and Information Systems Audit and control Association
(ISACA) have established a common set of guidelines for risk assessment in case of outside
vendors. Impact of outsourcing services outside the organization requires a tab on the vendors
operations as well, since the vendor can provide a potential gateway for security breaches.
IT Outsourcing: The Reasons, Risks and Rewards
In this the 3 R's of outsourcing: Reasons, Risks and Rewards, specifically as they relate to
information technology (IT). And, as a bonus, we'll provide some tips to help you manage
successful relationships with your IT service providers (whether they are full-time staff, or
outsourced).
The Reasons
According to the Outsourcing Institute's Outsourcing Index 2000, there are many reasons why
companies outsource. Here are some of the top reasons:
1. Reduce and control operating costs. When you outsource, you eliminate the costs
associated with hiring an employee, such as management oversight, training, health
insurance, employment taxes, retirement plans etc.
2. Improve company focus. Outsourcing lets you focus on your core competencies while
another company focuses on theirs.
3. Gain access to exceptional capabilities. Your return on investment is so much greater
when you outsource information technology to a firm that specializes in the areas you
need. Instead of just the knowledge of one person, you benefit from the collective

6. CORPORATE ICT GOVERNANCE.
6
experience of a team of IT professionals. Outsourced IT companies usually require their
IT staff to have proper industry training and certifications as well.
4. Free internal resources for other purposes. You may have someone in your office that
is pretty good with computers or accounting, but most likely these were not the jobs he or
she was hired to do. If they are spending time taking care of these things, who is doing
what they were hired to do? Outsourcing allows you to retain employees for their highest
and best use, rather than wasting their time on things that may take them longer than
someone who is trained in these specific areas.
5. Resources are not available internally. On the flip side, maybe you don't have anyone
in your company who can manage your IT needs, and hiring a new employee is not in the
budget. Outsourcing can be a feasible alternative, both for the interim and for the long-
term.
6. Maximize restructuring benefits. When you are restructuring your company to improve
costs, quality, service, or speed, your non-core business functions may get pushed aside.
They still need to be handled, however, and outsourcing is an optimal way to do this.
Don't sabotage your restructuring efforts by failing to keep up with non-core needs.
7. Function difficult to manage or out of control. This is definitely a scenario when
outsourcing to experts can make a big difference. But don't make the mistake of thinking
you can forget about the problem now that it's being "handled." You still need to be
involved even after control is regained.
8. Make capital funds available. By outsourcing non-core business functions, you can
spend your capital funds on items that are directly related to your product or your
customers.
9. Reduce Risk. Keeping up with technology required to run your business is expensive and
time consuming. Because professional outsourced IT providers work with multiple
clients and need to keep up on industry best practices, they typically know what is right
and what is not. This kind of knowledge and experience dramatically reduces your risk of
implementing a costly wrong decision.
The Risks
According to Yvonne Lederer Anotucci in an article "The Merits and Demerits of IT
Outsourcing, business owners who consider outsourcing IT functions need to be aware of the
following risks:
1. Some IT functions are not easily outsourced. IT affects an entire organization; from the
simple tasks employees do everyday to the complex automated aspects. Be sure the
outside vendor is qualified to take care of your greatest needs.
2. Control may be lost. Critics argue that an outside vendor will never be as effective as a
full-time employee who is under the same management as other employees. Other
concerns include confidentiality of data and disaster recovery. However, a supervisor that
is knowledgeable in managing an IT staff member will usually be required.
3. Employee morale may be affected. This is particularly true if you will be laying off
employees to replace their job functions with an outsourced firm. Other employees may
wonder if their job is at risk, too.

7. CORPORATE ICT GOVERNANCE.
7
4. You may get "locked in." If the vendor does not document their work on your network
and system, or if you've had to purchase their proprietary software, you may feel like you
can't go anywhere else or take back your network. Many outsourced companies require
you to sign a year to year contract which limits flexibility.
The Rewards
According to Anotucci, who provided the list of risks outlined above, there are many rewards
you can expect when you outsource your company's IT functions as well:
1. Access to the latest and greatest in technology. You may have noticed how rapidly
software and hardware becomes obsolete in this industry. How is one staff person going
to keep up-to-date with everything? Outsourcing gives you the benefit of having more
than just one IT professional. And since it's the core competency of the company, they
can give you sound advice to put your IT dollars to work for you.
2. Cost savings. Outsourcing your IT services provides financial benefits such as leaner
overhead, bulk purchasing and leasing options for hardware and software, and software
licenses, as well as potential compliance with government regulations.
3. High quality of staff. Since it's their core competency, outsourced IT vendors look to
hire staff with specific qualifications and certifications. You may not know what to look
for if you're hiring someone to be on staff full-time, so you may hire the wrong person for
the job.
4. Flexibility. Vendors have multiple resources available to them, while internal staff may
have limited resources and capabilities.
5. Job security and burnout reduction for regular employees. Using an outsourced IT
company removes the burden from your staff who has taken on more than he or she was
hired for because "someone needs to do it." You will establish a better relationship with
your employees when you let them do what they do best and what they were hired to do.
IT Governance processes operateat three levels:
 Information Systems Executive Committee (ISEC) – provides oversight of the
governance process.
 Information Systems Steering Committee (ISSC) – operates as the strategic enterprise
level committee for IT Governance.
 Other Committees and Working Groups
The following are other committees that are established to deal with ICT matters.
a) ICT strategic committee:-this committee should conceptualize and oversee the
corporate governance of ICT and the strategic alignment of ICT to the core business of
the departments.
b) ICT steering committee:-this committee shall coordinate and oversee the planning,
implementation and execution of the corporate governance of ICT and strategic
alignment of ICT to the business of the department and monitor the implementation
thereof.

8. CORPORATE ICT GOVERNANCE.
8
c) ICT Operation committee:-this committee shall keep track of the day to day ICT
service management elements as well as reporting on a monthly basis to the ICT steering
committee on the implementation of the ICT implementation plan.
ICT compliance with professionalstandards and codes.
In recognition of the importance of the Governance of ICT, a number of internationally
recognized frameworks and standards, such as King III Code, ISO/IEC 38500, COBIT,
Sarbanes-Oxley Act (SOX), CMM (the Capability Maturity Model) and ITIL (Information
Technology Infrastructure Library) have been developed to provide context for the
institutionalization of the Corporate Governance of ICT.
1. The King III Code:
The most commonly accepted Corporate Governance Framework that is valid for the
Public Service and was used to inform the Corporate Governance of ICT principles and
practices in this document and to establish the relationship between Corporate
Governance of and Governance of ICT.
IT Governance Principles in King III
i. The board should be responsible for information technology (IT) governance
ii. IT should be aligned with the performance and sustainability objectives of the company
iii. The board should delegate to management the responsibility for the implementation of an
IT governance framework
iv. The board should monitor and evaluate significant IT investments and expenditure
v. IT should form an integral part of the company’s risk management
vi. The board should ensure that information assets are managed effectively
vii. A risk committee and audit committee should assist the board in carrying out its IT
responsibilities
2. ISO/IEC 38500 (International Organization for Standardization and the
International Electrotechnical Commission.
Is an international standard created to guide corporate governance of information
technology (IT). The standard provides broad guidelines and a framework of practices for
IT oversight within an organization. The purpose of ISO/IEC 38500 is to make IT
governance a critical component of corporate governance.
Provides guiding principles for directors of organizations (including owners, board
members, directors, partners, senior executives, or others) on the effective, efficient, and
acceptable use of IT within their organizations.
This standard is applicable to all organizations, which include public and private
companies, government entities and not-for-profit organizations. The standard is

9. CORPORATE ICT GOVERNANCE.
9
applicable to organizations of all sizes from the smallest to the largest, regardless of the
extent of their IT usage.
The standard's six principles for IT governance are:
1. Establish responsibilities.
2. Plan to best support the organization.
3. Acquire validly.
4. Ensure performance when required.
5. Ensure conformance with rules.
6. Ensure respect for human factors.
3. COBIT (Control Objectives for Information and Related Technology)
Is a framework created by InformationSystemsAuditand Control Association (ISACA) for
information technology (IT) management and IT governance It is a supporting toolset
that allows managers to bridge the gap between control requirements, technical issues
and business risks. Or is a framework for developing, implementing, monitoring and
improving information technology (IT) governance and management practices.
COBIT 5 is based on five key principles for governance and management of enterprise IT:
Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance from Management
4. Sarbanes-Oxley Act, commonly known as SOX, is a US federal law intended to
improve the management and accounting practices. SOX contains 11 titles that describe
specific mandates and requirements for financial reporting:
1) Public Company Accounting Oversight Board
2) Auditor Independence
3) Corporate Responsibility
4) Enhanced Financial Disclosures
5) Analyst Conflicts of Interest, and others. For the purpose of IT governance, SOX 404
is most important – it is concerned with IT operational control processes and change
management. A great deal of information about SOX can be found at the SOX site
5. ITIL (Information Technology Infrastructure Library) is a set of concepts and technique
for managing IT infrastructure, development, and operations.

10. CORPORATE ICT GOVERNANCE.
10
ITIL originated in the UK and is published in a series of books that cover a wide range of
IT management topics. The latest version of ITIL v3, published in May 2007, comprises
5 key volumes:
i. Service Strategy.
ii. Service Design.
iii. Service Transition.
iv. Service Operation.
v. Continual Service Improvement.
NB: As compared to COBIT, ITIL is more oriented towards technologies and
technical checklists.
Conclusion:
Now that you have seen the risks and rewards associated with ICT governance as per the
standards and IT outsourcing the IT function of your business, there is a lot to think about.
Whether you choose to outsource or hire internally and apply the ICT governance standards, one
thing is certain, you must know how to manage successful working relationships with your IT
service providers. Let's face it, they're not always the easiest people in the world to understand
and deal with, right? Here are some tips:
i. Clearly form and communicate the goals and objectives of your project or business
relationship.
ii. Have a strategic vision and plan for your project or relationship.
iii. Select the right vendor or new hire through research and references.
iv. Insist on a contract or plan that includes all the expectations of the relationship, especially
the financial aspect.
v. Keep open communication with all affected individuals/groups.
vi. Rally support and involvement from decision makers involved.