Johannesburg — PROMINENT IT lawyer Reinhardt Buys has complained that the IT governance provisions in the third King report on corporate governance are "incomplete, confusing and disappointing".
Buys said yesterday the problems started with the random use of terms that were not defined in the report. He said that reference was made to "plans", "policies", "strategies", "frameworks" and "standards" without any definition of the terms.
Lindie Engelbrecht, CE of the Institute of Directors and convener of the chairmen of committees of the King 3 report, welcomed Buys's "constructive criticism" and confirmed no guidelines had been included in the report for the definition of such terms.
"We would have to include the definitions in practice notes issued to the report," Engelbrecht said.
It was the first time that IT governance had been included in the King code. Mervyn King, chairman of the King committee, said recently that the first report and second report, issued in 1992 and 2001 respectively, did not deal with IT governance as companies were unsure how to deal with the issue. However, globalisation had become a real issue and the risks involved in IT governance had become significant, he said.
Buys said that the US System Administration, Networking, and Security (SANS) security policy required clear definitions of IT governance provisions. The security policy is a project of the SANS Institute aimed at managing IT security policies for companies.
The security policy project defines a "policy" as a document that outlines specific, valid and enforceable requirements or rules that applied to everybody in a company. "If courts later refer to King 3 in order to determine director liability, clarity and certainty of the terms used are paramount," Buys said. "The King 3 report requires a section that defines terms in line with internationally accepted norms."
However, Engelbrecht said that no court would refer to the King code to determine the liability of directors. "It is a principle-based document," she explained. The courts would not determine whether the directors complied with their statutory duties with reference to the code, she said.
To further complicate matters, the management of IT risks contained in the code was assigned to audit committees, Buys said. Given the pervasive nature of information technology in most companies, the board might wish the risk committee to oversee IT strategy, governance and risk management on its behalf, he said.
However, Engelbrecht said the report was clear that the management of financial reporting related to IT had been assigned to the audit committee. Non-financial issues could be addressed by the risk committee and an IT committee, she said.
Buys said references in King 3 to certain international standards and IT governance frameworks were also outdated and incorrect. For example, the long-standing information security standard BS7799-1:1991 had been revised in July 2007. Engelbrecht welcomed this "constructive feedback".