Columns of the original table: Governance element | Principle/s | Summary recommendation/s | Difference to King II

Governance element: Chapter 5. The governance of information technology

Principle 5.1. The board should be responsible for information technology (IT) governance
Summary recommendations:
IT has an important role to play in many organisations and should be directed and controlled effectively by the board through the establishment of an IT governance framework.
The IT governance framework supports effective and efficient management and decision making around the utilisation of IT resources to facilitate the achievement of the company's objectives and the management of IT-related risk. It includes a charter, policies, decision-making structures, an accountability framework, IT reporting and an IT internal control framework.
Difference to King II: Was not part of King II

Principle 5.2. IT should be aligned with the performance and sustainability objectives of the company
Summary recommendations:
IT should be exploited in a way that most effectively supports and enables the business strategy, delivers value and improves performance. The board should ensure that the IT strategy is integrated into the company's strategic and business processes and that IT adds value.
Difference to King II: Was not part of King II

Principle 5.3. The board should delegate to management the responsibility for the implementation of an IT governance framework
Summary recommendations:
Responsibility for the implementation of IT governance should be assigned to the CIO, as appointed by the CEO.
The CIO should act as an intermediary between the board and management on IT-related issues and should be the bridge between IT and business. The IT function should report to the board on its performance.
Difference to King II: Was not part of King II

Principle 5.4. The board should monitor and evaluate significant IT investments and expenditure
Summary recommendations:
Value delivery and return on investment of IT should be monitored by the board.
The board should ensure that the information and intellectual property contained in the information systems are protected.
The board should require independent assurance over the IT governance controls supporting outsourced IT services.
The board is responsible for ensuring that good governance principles are in place for the acquisition and disposal of IT goods and services.
IT management should ensure that good project management principles are applied.
Difference to King II: Was not part of King II

Principle 5.5. IT should form an integral part of the company's risk management
Summary recommendations:
The board should ensure that IT risk is considered as part of the company's risk management activities.
IT risk management should include disaster recovery planning, IT legal risks, and compliance with laws, rules, codes and standards.
The board should evaluate how IT can be used to aid the company in managing its risk and compliance requirements.
Difference to King II: Was not part of King II

Principle 5.6. The board should ensure that information assets are managed effectively
Summary recommendations:
The board should ensure that processes have been established to put a formal information security management system in place, which should provide for:
  • The confidentiality, integrity and availability of information
  • That company information is adequately protected
  • That personal and sensitive information has been identified and is protected according to relevant laws and regulations.
Difference to King II: Was not part of King II

Principle 5.7. A risk committee and audit committee should assist the board in carrying out its IT responsibilities
Summary recommendations:
The risk committee should measure and understand the company's overall exposure to IT risks and ensure that proper processes are in place to manage them.
IT as it relates to financial reporting and to the status of the company as a going concern should be the responsibility of the audit committee.
Difference to King II: Was not part of King II