Copyright 2005 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.

IT Governance Regulation
An Australian Perspective
By Wayne Jones, CISA

Australia has traditionally relied on a principles-based
approach to corporate governance, employing a mix
of regulation, co-regulation and encouragement of
industry best practice. While it does not currently have specific
IT governance regulations, major company failures, growing
corporate governance requirements, increasingly complex and
interconnected IT environments, and the need for greater
levels of accountability and transparency have focussed
attention on regulatory and other responses for improving the
overall level of governance.
Given Australia's largely unregulated IT governance
environment, the US Sarbanes-Oxley Act is emerging, by
default, as a benchmark standard. A number of Australian
companies have adopted the principles of this act in an attempt
to improve their corporate and IT governance standards.
In response to calls from industry, Standards Australia
International (SAI) has developed a suite of Australian
Standards on corporate governance.[1] The Australian Stock
Exchange (ASX), through its Corporate Governance Council,
has issued guidelines, Principles of Good Corporate
Governance and Best Practice Recommendations,[2] that
expound the core principles it believes underlie good corporate
governance.
In 2002, the government established a new information and
communications technology (ICT) governance framework to
supplement a single agency responsibility with a federated
approach where appropriate. The government defined a set of
governance principles for federal government agencies and
created the Information Management Strategy Committee
(IMSC), supported by the Chief Information Officer
Committee (CIOC),[3] to oversee the framework and develop
policies, standards and guidelines where necessary.
Corporate governance has also been considered in the
Australian legislative process, with sections of a number of
current acts having direct and/or indirect implications for IT
governance. These acts are discussed in figure 1.
Development of specific IT standards to address matters
associated with corporate, project and operations governance
is currently being undertaken by SAI. As a key industry
stakeholder, the Australian Computer Society (ACS) has
established the Governance of ICT Committee to promote the
concept of good governance to the community and industry
and provide co-ordinated input to the development of these
standards.
Within Australia, recognition of the growing impact of
technology on organisational performance and the associated
risk profiles has led to an increased focus on the need for
standardised IT governance arrangements. This is evidenced
by the increased support for the development of standards and
guidelines that specifically address the IT environment.

Figure 1: IT Governance-related Legislation in Australia

| Legislation | Description |
| --- | --- |
| Privacy Act 1988 [4] | Governs the protection and storage of privacy and transborder flow of personal data. Establishes a set of Information Privacy Principles (IPP) [5] and National Privacy Principles (NPP). [6] |
| Corporate Law Economic Reform Program (CLERP) Act 2004 [7] | Ensures that business regulation is consistent with promoting a strong and vibrant economy. Two key principles underpinning the CLERP initiative are the development of a consistent regulatory and legislative framework and improved international harmonisation. |

Endnotes
[1] www.standards.com.au/catalogue/script/Details.asp?DocN=AS964071607297
[2] www.shareholder.com/visitors/dynamicdoc/document.cfm?documentid=364&companyid=ASX
[3] www.imsc.gov.au/
[4] www.privacy.gov.au/act/privacyact/index.html
[5] www.privacy.gov.au/publications/ipps.html
[6] www.privacy.gov.au/publications/npps01.html
[7] www.asic.gov.au/asic/asic_polprac.nsf/byheadline/CLERP+9?openDocument

Wayne Jones, CISA
is executive director of IT audit at the Australian National
Audit Office in Canberra, Australian Capital Territory,
Australia. He leads the team involved in undertaking IT risk
and control assessment for Australian federal government
agencies. Wayne has been involved in information technology
and control for more than 25 years and is an active member of
ISACA. He serves as the Oceania representative on ISACA's
Governmental and Regulatory Agencies Board.
Disclaimer: The views expressed in this article are those of
the author rather than those of the Australian National Audit
Office.

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 2, 2005

IT Governance Regulation
A Latin American Perspective
By Leonidas Anzola, CISA
To understand the level of maturity of IT governance
regulation in Latin America, one needs to look at the way in
which new tendencies, methodologies and practices are adopted
and implemented in this region. Most organizations in Latin
America are exposed to trends that influence them to adopt new
practices; these could be summarized in the following manner:
- Administrative policies of first-world companies, enforced
  within their regional multinational offices
- International stock market regulations in which Latin American
  entities participate
- The existence of far-sighted individuals who promote new
  tendencies learned at conferences or during training abroad
In all of these cases there is a common factor: the adoption
and implementation of newer practices usually fall behind
leading regions by at least six months. Normally, the
implementation of regulatory policies is even further behind.
Another situation that affects the way practices are adopted
and implemented is the fact that many business managers and
members of the boards of directors of these entities are not
comfortable around technology yet. Therefore, technological
decisions and tendencies are still generally the domain and
responsibility of the technical staff. There is the need to
understand that technology is just setting a foothold in these
economies in which human labor is still cheaper to acquire than
technological solutions. All these circumstances affect the
implementation of IT governance regulation.
As some Latin American companies begin to comply with
best practices and regulations due to the mentioned influences, it
will create a bandwagon effect that will carry over to other
regional entities and government. As corporate governance, the
US Sarbanes-Oxley Act and the need to provide IT value to the
business issues arise, more Latin American organizations will
begin to pay attention, thus making IT governance and IT
governance regulation topics to examine.
Even after all these obstacles, some initial steps in IT
governance regulation are being taken in known, progressively
established countries in this region. Of course, this progress
varies depending on the country, making Argentina, Uruguay,
Paraguay and Costa Rica some of the most advanced in IT
governance regulation. Examples of such activity are: the
superintendent of banks of the Central Bank of Paraguay issued
a resolution making it mandatory for all banks and other
financial institutions in the country to adopt COBIT; the Uruguay
Central Bank adopted COBIT for the whole Uruguayan financial
market; and the Honorary Tribunal of Mendoza, Argentina,
adopted COBIT as the control framework for all entities that
provide accounts in the province of Mendoza. It is expected that
other countries, such as Mexico, Chile, Colombia and Panama,
will follow through accordingly in the implementation of IT
governance regulation, policies and practices. In summary, it can
be said that the level of maturity of IT governance regulation in
the Latin American region is in its initial stage, but it promises
to move forward rapidly.

Leonidas Anzola, CISA
has more than 20 years of experience in IT and
telecommunications and currently serves as vice president of
information systems at Banco General, a leading private bank
in the Republic of Panama. He has previously held
management and technical positions at BellSouth and the 106th
Signal Brigade, US Army, in Panama. He is a member of the
ISACA Governmental and Regulatory Agencies Board and the
Journal Editorial Committee. He welcomes comments at
lanzola@cableonda.net.

IT Governance Regulation
An Asian Perspective
By John Ho Chi
The term governance is well known in many parts of Asia,
as evidenced by the codes on corporate governance practices
that have been released in recent years by various countries in
the region. Some countries perform periodic reviews and update
their codes to ensure that they are aligned with leading practices.
While these codes assist organizations in the adoption of
corporate governance, there is little mention of IT governance.
Accordingly, the awareness of IT governance is not widespread
in the Asia region.
The awareness and use of COBIT is increasing in Asia.
For example, in the Union Bank of the Philippines, the CEO and
chairman has given his full commitment and support for COBIT
implementation, as have the Bank Negara Malaysia (Malaysia's
central bank) and a number of large companies in the region.
The implementation of IT governance (where COBIT may be
used as a tool to achieve this) will need to take into account
cultural differences in Asia, according to Abdul Hamid,
international vice president of ISACA and ITGI.
He also said that among the domains in IT governance, risk
management appears to be top on the list of current priorities in
Asia, given the recognition that information security is
important. This is followed by resource management, where IT
outsourcing is the most topical issue. In the domain of value
delivery, most governments in Asia (e.g., India, Japan, Korea,
Singapore and Malaysia) are increasingly focused on
e-government initiatives in their respective countries.
This appears consistent with recent media coverage of the
topic and also the increase in the number of conferences and
workshops focusing on IT governance. An upcoming CIO
conference in March 2005, organized by the Institute of System
Science, National University of Singapore, features the theme
"IT Governance: Practices, Opportunities and Challenges." The
keynote address will be delivered by Alex Siow, vice president,
strategic relations, Starhub Ltd. The conference also features
Abdul Hamid.
DBS Bank, Singapore's leading bank, with customers in
various countries in Asia, was featured as a case study by Peter
Weill and Jeanne R. Ross in their Harvard Business School
publication on IT governance. The case study cited that DBS's
IT investments are guided by a set of principles that include
governance, data and system ownership, and architecture.

Looking ahead, more companies will begin to recognize the
need and embrace the concept of governance with wider
adoption of local governance codes and reporting to
shareholders. In the adoption, IT governance plays an
important role given the reliance on and influence of IT. Its
relevance in Asia will depend on a number of drivers,
including its adoption in other parts of the global community.
Developments on governance in Asia:
- China: On 19 November 2004, the Stock Exchange of Hong
  Kong published a final report on its new Code on Corporate
  Governance Practices.
- China: On 28 October 2004, the Asian Business Dialog on
  Corporate Governance 2004 was held in Shanghai, China.
- Singapore: On 16 August 2002, following amendments to the
  Singapore Companies Act on 8 July 2002, the Council on
  Corporate Disclosure and Governance (CCDG) was formed.
- Malaysia: In March 2000, the Finance Committee on
  Corporate Governance issued the Malaysian Code on
  Corporate Governance.

The Asian Roundtable on Corporate Governance was
organized to serve as a regional forum for structured policy
dialog on corporate governance. Established in
response to a G-7 mandate to the Organization for Economic
Cooperation and Development (OECD) and the World Bank to
encourage the implementation of the OECD Principles of
Corporate Governance (OECD principles), the roundtable
comprises senior policymakers, regulators and representatives
from stock exchanges, private sector bodies, multilateral
organizations and nongovernmental institutions.
John Ho Chi
is a principal at Ernst & Young. He also serves on the
ITGI Steering Committee and the National Trust Council,
IDA, Singapore.

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc. Membership in the association, a voluntary
organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit
and Control Association and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal
does not attest to the originality of authors' content.
Copyright 2004 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCA™ Information Systems Control Association™
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the
association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles
owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume,
and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the
association or the copyright owner is expressly prohibited.