IT Governance Regulation—An Australian Perspective
By Wayne Jones, CISA

Australia has traditionally relied on a principles-based approach to corporate governance, employing a mix of regulation, co-regulation and encouragement of industry best practice. While it does not currently have specific IT governance regulations, major company failures, growing corporate governance requirements, increasingly complex and interconnected IT environments, and the need for greater levels of accountability and transparency have focussed attention on regulatory and other responses for improving the overall level of governance.

Given Australia’s largely unregulated IT governance environment, the US Sarbanes-Oxley Act is emerging, by default, as a benchmark standard. A number of Australian companies have adopted the principles of this act in an attempt to improve their corporate and IT governance standards.

In response to calls from industry, Standards Australia International (SAI) has developed a suite of Australian Standards on corporate governance. [1] The Australian Stock Exchange (ASX), through its Corporate Governance Council, has issued guidelines, Principles of Good Corporate Governance and Best Practice Recommendations, [2] that expound the core principles it believes underlie good corporate governance.

In 2002, the government established a new information and communications technology (ICT) governance framework to supplement a single agency responsibility with a federated approach where appropriate. The government defined a set of governance principles for federal government agencies and created the Information Management Strategy Committee (IMSC), supported by the Chief Information Officer Committee (CIOC), [3] to oversee the framework and develop policies, standards and guidelines where necessary.

Corporate governance has also been considered in the Australian legislative process, with sections of a number of current acts having direct and/or indirect implications for IT governance. These acts are discussed in figure 1.

Development of specific IT standards to address matters associated with corporate, project and operations governance is currently being undertaken by SAI. As a key industry stakeholder, the Australian Computer Society (ACS) has established the Governance of ICT Committee to promote the concept of good governance to the community and industry and provide co-ordinated input to the development of these standards.

Within Australia, recognition of the growing impact of technology on organisational performance and the associated risk profiles has led to an increased focus on the need for standardised IT governance arrangements. This is evidenced by the increased support for the development of standards and guidelines that specifically address the IT environment.

Endnotes
1 www.standards.com.au/catalogue/script/Details.asp?DocN=AS964071607297
2 www.shareholder.com/visitors/dynamicdoc/document.cfm?documentid=364&companyid=ASX
3 www.imsc.gov.au/
4 www.privacy.gov.au/act/privacyact/index.html
5 www.privacy.gov.au/publications/ipps.html
6 www.privacy.gov.au/publications/npps01.html
7 www.asic.gov.au/asic/asic_polprac.nsf/byheadline/CLERP+9?openDocument

Wayne Jones, CISA, is executive director of IT audit at the Australian National Audit Office in Canberra, Australian Capital Territory, Australia. He leads the team involved in undertaking IT risk and control assessment for Australian federal government agencies. Wayne has been involved in information technology and control for more than 25 years and is an active member of ISACA. He serves as the Oceania representative on ISACA’s Governmental and Regulatory Agencies Board.

Disclaimer: The views expressed in this article are those of the author rather than those of the Australian National Audit Office.

Information Systems Control Journal, Volume 2, 2005

Copyright © 2005 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.

Figure 1—IT Governance-related Legislation in Australia

Privacy Act 1988 [4]: Governs the protection and storage of privacy and transborder flow of personal data. Establishes a set of Information Privacy Principles (IPP) [5] and National Privacy Principles (NPP). [6]

Corporate Law Economic Reform Program (CLERP) Act 2004 [7]: Ensures that business regulation is consistent with promoting a strong and vibrant economy. Two key principles underpinning the CLERP initiative are the development of a consistent regulatory and legislative framework and improved international harmonisation.


IT Governance Regulation—A Latin American Perspective
By Leonidas Anzola, CISA

To understand the level of maturity of IT governance regulation in Latin America, one needs to look at the way in which new tendencies, methodologies and practices are adopted and implemented in this region. Most organizations in Latin America are exposed to trends that influence them to adopt new practices; these could be summarized in the following manner:
• Administrative policies of first-world companies, enforced within their regional multinational offices
• International stock market regulations in which Latin American entities participate
• The existence of far-sighted individuals who promote new tendencies learned at conferences or during training abroad

In all of these cases there is a common factor—the adoption and implementation of newer practices usually fall behind leading regions by at least six months. Normally, the implementation of regulatory policies is even further behind.

Another situation that affects the way practices are adopted and implemented is the fact that many business managers and members of the boards of directors of these entities are not comfortable around technology yet. Therefore, technological decisions and tendencies are still generally the domain and responsibility of the technical staff. There is the need to understand that technology is just setting a foothold in these economies, in which human labor is still cheaper to acquire than technological solutions. All these circumstances affect the implementation of IT governance regulation.

As some Latin American companies begin to comply with best practices and regulations due to the influences mentioned above, a bandwagon effect will be created that carries over to other regional entities and governments. As issues such as corporate governance, the US Sarbanes-Oxley Act and the need to provide IT value to the business arise, more Latin American organizations will begin to pay attention, making IT governance and IT governance regulation topics to examine.

Even after all these obstacles, some initial steps in IT governance regulation are being taken in known, progressively established countries in this region. Of course, this progress varies depending on the country, making Argentina, Uruguay, Paraguay and Costa Rica some of the most advanced in IT governance regulation. Examples of such activity are: the superintendent of banks of the Central Bank of Paraguay issued a resolution making it mandatory for all banks and other financial institutions in the country to adopt COBIT; the Uruguay Central Bank adopted COBIT for the whole Uruguayan financial market; and the Honorary Tribunal of Mendoza, Argentina, adopted COBIT as the control framework for all entities that provide accounts in the province of Mendoza. It is expected that other countries, such as Mexico, Chile, Colombia and Panama, will follow through accordingly in the implementation of IT governance regulation, policies and practices. In summary, it can be said that the level of maturity of IT governance regulation in the Latin American region is in its initial stage, but it promises to move forward rapidly.

Leonidas Anzola, CISA, has more than 20 years of experience in IT and telecommunications and currently serves as vice president of information systems at Banco General, a leading private bank in the Republic of Panama. He has previously held management and technical positions at BellSouth and the 106th Signal Brigade, US Army, in Panama. He is a member of the ISACA Governmental and Regulatory Agencies Board and the Journal Editorial Committee. He welcomes comments at [email protected].

IT Governance Regulation—An Asian Perspective
By John Ho Chi

The term “governance” is well known in many parts of Asia, as evidenced by the codes on corporate governance practices that have been released in recent years by various countries in the region. Some countries perform periodic reviews and update their codes to ensure that they are aligned with leading practices. While these codes assist organizations in the adoption of corporate governance, there is little mention of IT governance. Accordingly, the awareness of IT governance is not widespread in the Asia region.

“The awareness and use of COBIT is increasing in Asia. For example, in the Union Bank of the Philippines, the CEO and chairman has given his full commitment and support for COBIT implementation, as have the Bank Negara Malaysia (Malaysia’s central bank) and a number of large companies in the region. The implementation of IT governance (where COBIT may be used as a tool to achieve this) will need to take into account cultural differences in Asia,” according to Abdul Hamid, international vice president of ISACA and ITGI.

He also said that among the domains in IT governance, risk management appears to be top on the list of current priorities in Asia, given the recognition that information security is important. This is followed by resource management, where IT outsourcing is the most topical issue. In the domain of value delivery, most governments in Asia (e.g., India, Japan, Korea, Singapore and Malaysia) are increasingly focused on e-government initiatives in their respective countries.

This appears consistent with recent media coverage of the topic and also the increase in the number of conferences and workshops focusing on IT governance. An upcoming CIO conference in March 2005, organized by the Institute of System Science, National University of Singapore, features the theme “IT Governance—Practices, Opportunities and Challenges.” The keynote address will be delivered by Alex Siow, vice president strategic relations, Starhub Ltd. The conference also features Abdul Hamid.

DBS Bank, Singapore’s leading bank, with customers in various countries in Asia, was featured as a case study by Peter Weill and Jeanne R. Ross in their Harvard Business School publication on IT governance. The case study cited that DBS’s IT investments are guided by a set of principles that include governance, data and system ownership, and architecture.


Looking ahead, more companies will begin to recognize the need and embrace the concept of governance with wider adoption of local governance codes and reporting to shareholders. In this adoption, IT governance plays an important role given the reliance on and influence of IT. Its relevance in Asia will depend on a number of drivers, including its adoption in other parts of the global community.

Developments on governance in Asia:
• China: On 19 November 2004, the Stock Exchange of Hong Kong published a final report on its new “Code on Corporate Governance Practices.”
• China: On 28 October 2004, the Asian Business Dialog on Corporate Governance 2004 was held in Shanghai, China.
• Singapore: On 16 August 2002, following amendments to the Singapore Companies Act on 8 July 2002, the Council on Corporate Disclosure and Governance (CCDG) was formed.
• Malaysia: In March 2000, the Finance Committee on Corporate Governance issued the Malaysian Code on Corporate Governance.
• The Asian Roundtable on Corporate Governance was organized to serve as a regional forum for structured policy dialog on corporate governance. Established in response to a G-7 mandate to the Organization for Economic Cooperation and Development (OECD) and the World Bank to encourage the implementation of the OECD Principles of Corporate Governance (OECD principles), the roundtable comprises senior policymakers, regulators and representatives from stock exchanges, private sector bodies, multilateral organizations and nongovernmental institutions.

John Ho Chi is a principal at Ernst & Young. He also serves on the ITGI Steering Committee and the National Trust Council, IDA, Singapore.