CGF ARTICLES, OPINIONS & EDITORIALS

Integrated Reporting: A technical ISO challenge? (2012-06-26)

February 19, 2015  3942  3942   

Needless to say, there is now more than ever before a critical need for boards and their executive management to understand why IT governance has become such a key component for their risk management discussions at board level.  Simply put; without a robust IT governance strategy and framework, an organisation is going to find it almost impossible to collate the necessary information it requires for the purposes of producing this important report.

Unlike years gone by, the debate that suggested that information technology (IT) was merely a ‘business enabler’ is clearly redundant; IT has in fact become the backbone of business of almost any size.  And irrespective of what part of the world your organisation may be operating in, without a well thought through and efficient IT strategy, an organisation is pretty much doomed.

It is for these reasons -- amongst other -- that King III has paid particular attention to IT governance, and together with the board’s responsibility to govern their risks and risk management, it will be quite interesting to see how the organisation will produce a meaningful and concisely written Integrated Report.  The intention of the Integrated Report is to provide a holistic view of the manner in which the organisation has dealt with their financial reporting, as well their non-financial performance regarding social, environmental and other governance related matters.  Clearly where organisations have disregarded the value of IT, or where they have failed to use IT in a manner that optimises its ability to accurately collate information across all its entire supply chain; compiling the Integrated Report will become a nightmare and the information may be questionable if it has been extrapolated from its rank and file who rely on unstructured or haphazard information and reporting systems.         

It is also most likely that both informed institutional investors as well as any potential activists, will add further pressure upon organisations to deliver a report wherein accurate information is provided, and which will be used for their respective objectives and purpose.  Naturally in both cases, the organisation will most certainly not want to have an Integrated Report which is not produced on time, or contains ineffectual, inaccurate or misleading information.  Besides the likely backlash from the organisation’s stakeholders, the extent to which the information is misrepresented could also carry additional penalties and liability (joint and several) from the Companies Act ’08, specifically under the auspices of reckless behaviour.  Moreover, because the JSE -- through its Listings Requirements -- has made it compulsory for all listed companies to comply with King III and the Integrated Reporting requirements, further penalties could be imposed upon those organisations who do not comply.  To avoid the obvious consequences, organisations may begin to re-consider the importance – but critical role fulfilled by a decent and robust IT platform which includes an information security management system (ISMS) containing a set of policies concerned with information security and other IT related risks which are linked to ISO 27001.