Abstract
Purpose
The purpose of the study is to explore the integration of facets of information technology (IT) governance at a professional council in South Africa with the view to develop a framework.
Design/methodology/approach
This critical emancipatory study used the Information Governance Initiative pinwheel to explore the architecture facet of information governance at the professional council, with a view to developing a framework for entrenching a culture of good corporate governance. Qualitative data was collected through interviews and document analysis. The study was a participatory action research project that involved collaboration between the researcher and study participants in defining and solving the problem through a needs assessment exercise.
Findings
The key findings report on the processes taken by a professional council in identifying and implementing the facets of information governance, that is, records management, IT, content management, data governance, information security, data privacy, risk management, regulatory compliance, long-term digital preservation and, even, business intelligence.
Research limitations/implications
The study was a participatory action research project that involved collaboration between the researcher and study participants in defining and solving the problem through a needs assessment exercise.
Practical implications
The study’s findings suggest that, with the right information governance policy in place, adopting the facets of information governance can be used to address concerns related to information integrity in the short and medium terms. As a long-term option for retaining data and information, it would have various drawbacks and would not, however, ensure the initial dependability of the information.
Originality/value
A framework for information governance to ensure that the professional organisation and board members adopt a tailored governance system is suggested.
Keywords
Citation
Chauke, T.A. and Ngoepe, M. (2024), "Integrating facets of information technology governance at a professional council in South Africa", Global Knowledge, Memory and Communication, Vol. ahead-of-print No. ahead-of-print. https://doi.org/10.1108/GKMC-08-2023-0270
Publisher
:Emerald Publishing Limited
Copyright © 2024, Tshepo Arnold Chauke and Mpho Ngoepe.
License
Published by Emerald Publishing Limited. This article is published under the Creative Commons Attribution (CC BY 4.0) license. Anyone may reproduce, distribute, translate and create derivative works of this article (for both commercial and non-commercial purposes), subject to full attribution to the original publication and authors. The full terms of this license may be seen at http://creativecommons.org/licences/by/4.0/legalcode
1. Introduction and background
Information governance (IG) is a concept that refers to the governing of information in the digital era where information assumes a central role in an organisation (Brown and Toze, 2017; Khun, 2024). Information governance is a:
[...]“subset of corporate governance, and includes key concepts from records management, content management, Information Technology (IT) and data governance, information security, data privacy, risk management, litigation readiness, regulatory compliance, long-term digital preservation, and business intelligence” (Smallwood, 2014).
The success of information governance is key in ensuring timely, adequate, compliant information throughout business activities to make decisions for gaining competitiveness and improvement of organisational efficiency (Nguyen et al., 2014). Iles (2013) proposes information governance as a fuller and richer way that has a more holistic view of organisational information than of records management. Mullon and Ngoepe (2019) contend that information governance has not been effectively defined because different government agencies in South Africa regulate various facets or parts of information governance, including records management and information technology (IT) governance, to name just two. Information governance is frequently administered in disjointed silos and adds no value (Tumulak et al., 2024). Further cascading of this issue occurs at the organisational level, where several business units are in charge of various information governance components. This created a hole in the governance of information that, if filled, can ensure the organisation’s methods for gathering, storing, maintaining and disseminating information (Warwickshire County Council, 2018). This study explores the integration of facets of IT governance at a professional council.
A professional council is a statutory body established in terms of Section 2 of the Social Service Professions Act, No. 100 of 1978 (Republic of South Africa, 1978) as amended by Act No. 102 of 1998 (Republic of South Africa, 1998). The council guides and regulates the professions of social work and child youth care work in aspects pertaining to registration, education and training, professional conduct and ethical behaviour, ensuring continuing professional development and fostering compliance with professional standards (Information System Audit and Control Association, 2018a). A professional council started a digital transformation process to transform its business processes by implementing elements of information governance after experiencing difficulties caused by the lack of a coherent IT system design and the disparaged registration, finance, and external verification systems. To provide a framework for establishing a culture of sound corporate governance, this critical emancipatory study used the Information Governance Initiative pinwheel to examine the architecture facet of information governance at professional council. Qualitative data were collected through interviews and document analysis.
2. Problem statement
When a professional council eventually realised there was a need to transform from manual data processing to more integrated and technologically supported data systems, which can be used to support the integration of data across various organisations, such as communication with clients, which is fraught with challenges, a professional council defined the problem for this study (Brown and Toze, 2017). A professional council also had significant issues with its physical records. This was the situation because there was no one business unit in charge of the fragmented implementation of the information governance facets. Because of this, managers were unable to timely receive information for decision-making or to fulfil their obligations to report to the organisation’s board and stakeholders (Guetat and Dakhli, 2015).
A professional council recognises that information is its greatest asset, and migrating from manual to automated processes and solutions is a necessary step in achieving a seamless integration of solutions. As a result, a professional council participated in a comprehensive implementation of information governance facets across the organisation, alongside the researchers. The Information System Audit and Control Association – (ISACA) (2018b) contends that the enterprise as a whole should be the focus of enterprise information and technology governance and management, rather than just the organisation’s IT department. According to Moeller (2013), organisations work to reduce risks across their whole operations, but a professional council’s informal risk management procedures cannot be considered to be doing the same.
3. Purpose and objectives
The purpose of the study is to explore the integration of facets of IT governance at a professional council in South Africa with the view to develop a framework. The specific objectives are to:
determine information governance facets implemented by a professional council; and
suggest an information governance facets framework for a professional council.
4. Theoretical framework and literature review
The literature is organised in themes from the Information Governance Initiative pinwheel (see Figure 1). The information governance facets are represented on a pinwheel based on acceptance of information governance practitioners as depicted in Figure 1.
4.1 Facets of information governance
The first objective covers seven facets of information governance, namely, risk management, data management, records management, knowledge management, compliance, audit and business intelligence.
4.1.1 Risk management.
Risk management is a process of managing risks on a project including risk identification, analysis, response planning, response implementation and risk monitoring [Project Management Institute (PMI), 2017]. According to Aerts and Walton (2018), a good risk management “[…] provides the means for central management to effectively deal with uncertainty and associated opportunities, with ultimate goal of achieving the company’s objectives.”
Information System Audit and Control Association (2018a) places more emphasis on the integration of IT governance-related enterprise risk within the tolerance threshold set by management. According to Information System Audit and Control Association (2020), demonstrating comprehensive procedures for choosing and prioritising risk response enables management to distinguish, assess and choose appropriate responses.
The business security barrier that served as a defence mechanism for organisations that rely on traditional security measures has been breached by smart working through the usage of merged professional and personal digital lives (Polzonetti and Sagratella, 2018; Tumulak et al., 2024). Businesses are switching from having their own IT infrastructure to adopting cloud services, which increases the danger of becoming overly dependent on outside resources, a lack of privacy and data loss (Mosweu et al., 2019; Khun, 2024).
4.1.2 Data management.
Data management is regarded as the achievement and sustenance of “effective management of the enterprise data assets across the data life cycle, from creation through delivery, maintenance and archiving” (Information System Audit and Control Association, 2018a).
Public institutions have acquired and retained data embedded in paper records for decades, making it challenging for organisations to digitise historical documents to support data-driven decision-making (Brown and Toze, 2017). The computing hardware utilised to store data becomes inaccessible due to being outdated and non-supported software solutions (Borgman, 2003). Han et al. (2012) point out the difficulties faced by organisations that have amassed substantial amounts of data in their database systems known as big data. Gartner (2012) defines big data as “high-volume, high-velocity or high-variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight, decision making and process optimisation”.
Walker and Brown (2019) state that big data comprises three characteristics: volume, which is defined as a significant amount of data; velocity, which describes the speed at which data is created, transmitted and diversity, which describes the various sorts of data gathered. When an organisation attempts to use big data for corporate decision-making, there is a significant challenge in processing vast amounts of data (Tumulak et al., 2024). To support cognitive computing, which is used for large data exploration applications for help desk services such as automation, other academics have focused on “deep learning” to meet the same difficulty of computing machines to self-learn, unaided (Polzonetti and Sagratella, 2018).
Once data have been processed, the contents need to be described and organised in such a way that it facilitates access through metadata (Borgman, 2003). Metadata is “[…] the information and documentation which makes data understandable and shareable for users over time. Data remains usable, shareable and understandable as long as the metadata remains accessible” (International Standard Organization, 2015). When data are transferred between systems, data cleansing may occur. In this case, document plans should be used and all recorded content and its related metadata should be retained in the originating system until the cleansing process is complete and the dependability of the destination system has been controlled and secured (International Standard Organization, 2016; Yang, 2023).
4.1.3 Records management.
One issue with data growth is how it affects already-existing systems because of the high maintenance costs and poorly performing applications that result from such growth (Zikopoulos et al., 2013). The National Archives and Record Service, which regulates the transfer, erasure, destruction and disposal of records, is the custodian of the legislation that governs proper management and preservation of the archives of government agencies in South Africa (Republic of South Africa, 2001). Poole (2016) explains the process known as “digital curation”, which includes data curation, digital preservation and life cycle management of data assets. Every time records are converted from analogue to digital, they should be noted and shared with all concerned parties (International Standard Organization, 2016).
Data need to be kept for a certain amount of time and made accessible when needed because of regulatory and audit obligations (The Cabinet Office 2011c). Regulations such as the Sarbanes–Oxley (SOX) Act formally approve the archiving of business records, internal communications, emails and instant messaging (Valacich and Schneider, 2018). The International Standard Organization (2016) ensures that there is a suitable storage environment and media and that all data records should be stored in a way that protects them against unauthorised access, change, loss or destruction, including theft and disaster. Ngulube et al. (2017) reaffirm the requirement that an archives repository hold appropriate records that can be consulted to satisfy users’ requests. Information can be preserved digitally, but there are obstacles to overcome, such as outdated technology and proposed solutions, as well as the allegedly expensive migration, emulation and upkeep of digital museums (Borgman, 2003). Adopting cloud computing technology increases the likelihood of data availability and retention by backing up digitised data, information and records on several computing storage devices (Mosweu et al., 2019).
4.1.4 Knowledge management.
To support all the processes and enable informed decision-making, knowledge management necessitates the maintenance of relevant, current, validated and reliable knowledge (Information System Audit and Control Association, 2018a). Knowledge management (KM) is:
“Responsible for sharing perspectives, ideas, experience and information, and for ensuring that these are available in the right time. It enables informed decisions, and improves efficiency by reducing the need to rediscover knowledge” (Axelos, 2019).
Knowledge is an important instrument and ingredient for the beneficiary, which is described as information integrated with experience, skills, facts, intuition, experience, selection, principles and learning (Mládková, 2011).
According to Yiua et al. (2013) and Boisot (1999), knowledge is frequently integrated into organisational routines, procedures, practices and conventions in addition to documentation or repositories. This finding demonstrates how corporate culture, best practices, core competencies, skills or strategic visions are essential components of an organisation’s overall knowledge base.
Nonaka and Takeuchi (1995) propose the following knowledge management process:
Socialisation (from tacit knowledge to tacit knowledge).
Externalisation (from tacit to explicit knowledge).
Combination (from explicit knowledge to explicit knowledge).
Internalisation (from explicit knowledge to tacit knowledge).
As indicated in the previous paragraph, the organisational knowledge management theory identified socialisation, internalisation, externalisation and combination (SECI) as the four modes of interaction that facilitate knowledge management in an organisation (Maluleka, 2017).
The SECI theory was developed for the Japanese context and can be applied in any environment (Maluleka and Ngoepe, 2018). Grillitsch et al. (2006) recommend the harmonisation of knowledge-oriented programmes in an organisation and the steps to be undertaken below:
Executive management commitment.
Procedures organised for implementation.
Training and skills transfer to internal staff.
The collection and documentation of best practices and lessons learnt.
Interrogation and assessment of project meetings.
Stakeholders’ needs and documentation inputs were effected accordingly.
Implementation of IT infrastructure to support knowledge transfer.
Clear roles and responsibilities in meetings and for documentation.
Sharing of knowledge is done through human actions that have both tacit and explicit elements that are developed further through collaborative actions and interactions (Bettoni et al., 2006). Knowledge can be synthesised tacitly among individuals during collaborative activities (Becerra-Fernandez and Sabherwal, 2014). The challenge encountered in organisations is a lack of information sharing among employees and usage of knowledge management systems (Valacich and Schneider, 2018). Hafeez and Alghatas (2007) advocate for the creation of a virtual community of practice, whose purpose is to have an interest in the same topic over a longer period of time and who is engaged in an activity of sharing their opinions on a specific topic with the use of technology.
4.1.5 Compliance.
Information System Audit and Control Association (2018a) outlines that the enterprise should ensure compliance with external requirements. According to the European Union (2016) and Khun (2024), public entities, that collect data in accordance with a legal obligation, should process it in compliance with the data protection rules according to the purpose of the processing. There has been widespread non-compliance with regulatory and legal requirements in cloud data hosting services because of outdated and inadequate legislation or the lack thereof (Mosweu et al., 2019).
Corporate Governance requirements defined by the SOX Act and the King IV Code of Good Governance altered the way in which organisations report and audit [Aerts and Walton, 2018; Institute of Directors in Southern Africa (IODSA), 2016]. In South Africa, the Companies Act of 2008 requires that companies should always prevent human rights violations that might be linked to their daily operations (Gwanyanya, 2015). To provide compliance with the state and stakeholders, an organisation that is funded in terms of the Public Finance Management Act (PFMA) or through subscriptions from members, must be audited by the national auditing body, the Auditor-General of South Africa (Republic of South Africa, 2018). Furthermore, Republic of South Africa (2019) regulations have been established to cover investigations and corrective measures when a material irregularity is suspected. It is evident that poor IT governance mistakes can also have an effect on the outside world, harm one’s brand and result in financial losses as well as regulatory consequences (Omari, 2016).
4.1.6 Audit.
Assurance management aims to provide the organisation with assurance activities that will help it comply with standards, laws and the enterprise’s strategic goals (Information System Audit and Control Association, 2012). The executive management must establish an assurance framework to make sure they have the evidence they need to confirm the efficacy and efficiency of the internal control system and to give the board the necessary level of assurance through an audit committee (Republic of South Africa, 2012; Taiwo, 2024). Lack of defined roles between the customer, cloud service providers and auditors limits auditing operations in the context of cloud computing. The fact that the client’s data are held across various jurisdictions makes the situation worse because the owner loses control and confidence (Mosweu et al., 2019). In Figure 2, Abedian et al. (1998) propose the following activities that can give assurance.
4.1.7 Business intelligence.
Competitive organisations are considered complex entities where decisions are made through the use of different stakeholders through the use of insights from data analytics (Kubatko et al., 2024). Those decisions are made rationally based on the logic of using relevant information and direction to optimally execute the required task (Marwala, 2014). Axelos (2020) points out that the value of solutions, such as predictive analysis, is to project the future situation and enable proactive decision-making. The use of computing with high-speed processing power is needed to train deep algorithms. The insights that are gained ensure that a professional council can make informed decisions.
5. Methodology
This study is a participatory action research project that involved collaboration between researchers and study participants in defining and solving the problem through a needs assessment exercise (Creswell and Creswell, 2018). In this study, all three phases of participatory action research were followed, that is, the “look phase”: getting to know stakeholders so that the problem is defined on their terms and the problem definition is reflective of the community context; the “think phase”: interpretation and analysis of what was learned in the “Look phase”; and the “act phase”: planning, implementing and evaluating, based on information collected and interpreted in the other phases (Stringer, 2014). The current study made use of the qualitative research approach which involved the collection of data through interviews and document analysis (Bryman, 2016). This was considered the best approach to conducting the research involving collaboration between the researchers and study participants in defining and solving the problem. Data were analysed thematically with the use of ATLAS.ti 23 and presented in text. Eight participants were purposefully chosen because they were instrumental in the daily operations and critical to the seven facets of information governance in the professional council. The composition of participants is as follows: Risk and Audit Committee – Participant 4; Finance Committee – Participant 6; IT and Business Re-engineering Committee – Participant 3, while the remainder of the five participants were from the administration, Finance – Participant – 1; IT – Participant 2 and 5; Legal – Participant 7 and Registration – Participant 8 of the professional council.
6. Presentation of data
The results are presented according to seven facets of information governance, namely, business intelligence, risk management, data management, records management, knowledge management, compliance, audit and business intelligence. The quotations extracted from the document analysis are identified by the letter “D” followed by the number representing the document, that is D1 for document 01 and so forth is indicated in Appendix. Documents were sourced from public portals and internally with permission of the professional council.
6.1 Risk management
Risks were discovered as a result of interviews and document analysis. As a number of years ago, both the numbers and the content of a professional council’s current database have been called into question (D20). The organisation’s vulnerabilities were identified and managed. Meetings of the Business Re-engineering Committee and management meetings always include a discussion of risk management (D18, D19). The management must address the seven identified risks and report its progress to the IT and Business Re-engineering Committee on a quarterly basis (D16). Because there were pockets of data on people’s PCs and hard copies in archives rooms, data were not adequately handled (D20). Risks that have been noted include the statements below (D21):
“Management action plan to mitigate the risk of non-filing in archives room that were identified.
Non-compliance with section 13 of a professional council act and Section 40 of the Public Finance Management Act.
Lack of audit trail due to lack of adequate filing records.
Enhanced risk for fraud or errors.
Inability by the Council to support financial transactions reported on its annual financial statements.”
The question, “Did you address all IT-related risk?” was asked to participants and some of these responses are given below:
Risk register that addresses all IT risks are minimised, especially Finance and Registration and all risk. Review risks as they happen. Ensure that what IT needs to address the risks is catered for. (P1)
High, medium risks we address. If an application can run in the cloud, risk transferred to Microsoft O365 platform. (P2)
We were not made aware of risks. Working from the previous risks. Timeously inform councils of risks so that council can proactively mitigate them. Interface is critical for mitigate the state risks. (P3)
Yes, we are monitoring emerging risks daily. (P4)
The risk register was developed to monitor and reduce dangers that had been discovered. The risks were divided into operational and strategic categories for the council and management to address. The utilization of Microsoft Office 365 in the cloud helped to reduce some IT risks of non-availability of systems.
6.2 Data management
The data management facet results illustrated that there were inadequate internal control processes in place to maintain adequate supporting information and records by the council. Furthermore, the qualifications authority rejected any data it deemed to be inaccurate. The submissions file clean-up took more time. The database update and validation of data that could not be automatically cleansed have been put off. Additionally, a professional council team had to put up extra effort while waiting for their database to be confirmed with the South African population registry to have the master data amended. (D20).
The following responses were given to interview question “Is the information that you are processing well secured?”
Normally, information is kept onsite in the form of physical files for members in archiving room. Currently, the database rendering the system inefficient. (P1)
Database – frustration is access to data and develop our own reports. Users can input data themselves and staff can validate, verify and approve application. Our database is hosted in the cloud and seems as if they own our data. If additional reports are needed, you cannot create your own reports. (P3)
Furthermore, we can improve access by bridging the gap in information dissemination. Securing data is our first priority because we handle people's personal information. (P4)
Owing to the large quantity of postal returns from letters that were posted, data management issues were clearly present. The social service professionals failing to update records when changing addresses or jobs was the main issue. The following participant outlines that:
To mitigate the challenge of post office, wrong addresses, missing certificates and returned mail, the application form must be accompanied by all required documents that must be captured on the database so that client can be issued with a certificate and practice card. (P5)
Decision-making took longer than expected because organisational data were inefficient and not integrated. The concerned personnel found it frustrating that they could not access data and reports. Owing to inaccurate information, including practitioners’ addresses and personal information, the high return rate of mailed things was expensive.
6.3 Records management
The council has not yet given its approval to the proposed records management policy (D3). To handle knowledge management initiatives, a Professional Council Act was enacted with the following clauses.
The registrar shall maintain separate registers for social workers, student social workers, social auxiliary workers, and individuals practising other professions for which professional boards have been established and registered under this Act, and shall, subject to the provisions of this Act, record in the appropriate register the prescribed particulars in the prescribed manner with respect to each such social worker, student social worker and social auxiliary employee. (D1, D2).
6.4 Knowledge management
The majority of the employer’s explicit knowledge was preserved on computers, documents and other repositories. The MS Teams login instruction manual (D24), audit report (D25), ICT policy (D26), draft records management policy (D3), Professional Council Act (D1, D2) and related regulations are just a few of the extracts from the materials that were provided to the researcher. (D5, D6, D7).
The ICT policy provides clarity that “In addition to the requirements of paragraph 5.1.1, the Council ICT official, or in her or his absence, the staff member designated to have sufficient knowledge of ICT standards and requirements, shall review all requests for procurement of ICT equipment and software and make recommendations based on the required standards, compatibility with current systems and this policy.” (D26).
A professional council established guidelines for the storage of explicit knowledge. The usage of unapproved policy and the postponement of its approval are not enforceable. Interns got the opportunity to learn tacit knowledge specific to this organisation by following permanent personnel. (D18, D19).
6.5 Compliance
As required by the constitution, a professional council can give its annual reports to the South African Parliament. Through briefing meetings, this procedure enables the parliamentary Portfolio Committee on Social Development to examine professional council operations. The organisation must submit the records, the statement of accounts and the balance sheet in accordance with the laws, and those documents must be available for public examination at designated locations during designated times. (D1, D2).
The presentation to the parliament portfolio committee of Social Development on 31 October 2018 by the Department of Social Development (DSD) and professional council. A professional council highlighted concerns that the Department of Social Development did not consider it as one of its entities; rather, it is registered as a non-profit organisation. Even in presenting to parliamentary proceedings, it was clear that it is not considered a component of the Department of Social Development’s entities.
The DSD encountered a problem in that they had trouble getting a professional council to provide audited financial reports for presentation to Parliament (D28). To gather more data on external compliance, the ICT policy specifies regulatory compliance with regard to the storage and preservation of documents and email messages. (D26). The participants were asked regarding the topic. The following are some of the responses to the question: “How do you know whether you are compliant with all applicable regulations?”
It is difficult to provide assurance and at times you get complains from stakeholders. Yes, very transparent. Number of structures need to pass through. Bidding process to ensure transparent. Bid Evaluation Committee (BEC), Bid Adjudication Committee (BAC), then Exco and, lastly, the council to do approvals in investments. Lacking to ensure compliance. Having a person ensures that our lives are easy. Revise the policies to be compliant to the rule and regulations of the country. (P1)
Honestly, they are transparent. You need to explain everything depending on the amount required. (P2)
Designing the system around the regulations, block certain things that are not in regulation. Trust the new system. (P3)
The next facet presents the audit management.
6.6 Audit
The audit report revealed some shortcomings in organisational record keeping. Further to that, Section 5 of the finance policy states that the Registrar must ensure that (D25):
recordings of all invoices and receipts issued to registered professionals are kept;
all proper records of all payments and the fees payable are kept;
a report of reconciling of debtors and the status of debtors are presented to the Finance Committee and the Executive Committee on a monthly basis; and
a report tabling a yearly figure of debtors payable to the council is be included in the audited financial statements.
Some of the audit findings related to the following:
Inadequate internal control processes in place to maintain adequate supporting information and records by the council.
Critical positions remained vacant for extended time period, resulting in work overloads and inability to execute all mandates by council.
A professional council Act’s provision regarding bookkeeping and auditing states that “the council shall cause records to be kept in the prescribed manner of all moneys received and spent by it, of all its assets and liabilities and of all financial transactions entered into by it, and shall as soon as possible after the end of every financial year cause statements of account and a balance sheet to be prepared, showing the prescribed particulars in respect of that financial year”, is not being followed. (D1, D2).
To investigate assurance management in the organisation, the following question was asked: “How do you get assurance over IT?” The following were the responses:
There is segregated on IT systems according to divisions and audit trail of what is happening. They shared with us the service times (standard operating procedure). We now know or are assured that our problems will be worked on or the problem resolved. Their own assessment and changing our passwords. They do not let our password expires and advises on the procurement of IT infrastructure and trust what they are doing. Their performance is reviewed on quarterly basis. (P1)
Unfortunately, cannot give assurance since they get services from somewhere. (P2)
Assurance – do not know. Registrar with Finance manager – things signed off and not making sure that deliverables are met. (P3)
The assurance is that everything is working. Based on the agreements signed, we are able to pay the external providers. Yes, whatever I want to do on the system, I can get to do. (P7)
Separating roles ensured that transactions were carried out with checks and balances. According to one participant, the same could not be said for outsourced services. Service Level Agreements were signed to guarantee the delivery of services.
6.7 Business intelligence
An additional question was also posed to the interviewees to understand what are the innovative solutions that they might bring to improve the organisational IT environment. The following question was therefore asked: “How do you improve business agility through a more flexible IT environment?”
According to the participants, there is a need for the information systems revamped to respond to changing business needs. Example of participants comments:
The system to be revamped and be aligned to new technologies. We have done market benchmarking with other councils to see which systems are implemented and review what can be implemented. Have put a budget aside and come with a system with new functionalities; come with online applications and integrated with financial application. System responsive to the market we serve. (P1).
We are still in a process to secure agile system for the whole enterprise for better decision making […] (P8).
The benchmarking process conducted was part of the innovation components that can be included in the integrated online system. The organisation allocated a budget to the proposed system to include functionalities such as registration and other divisions.
7. Summary of findings
The summary is based on the first objective that was addressed in Sections 5.1, 5.2-5.7. The success of risk management is through the adoption of accountability structures. Lack of data management has led to decision-making delays. Non-approval of the records management policy has created a policy gap. What is encouraging was the establishment of guidelines for managing organisational knowledge. The professional council was found to be following all the statutory requirements on reporting on organisational. The challenges were encountered on outsourced services due to not having checks and balances. Finally, there were proposals to ensure that the professional council adopt a holistic approach in bringing innovations to the organisation.
8. The proposed facets of information governance framework
The last objective was to develop facets of the information governance framework at a professional council, which is based on the results and conclusions of the qualitative findings. The findings that have been given and the literature that has been evaluated have been compiled into the framework, which is shown in Figure 3.
The suggested facets of information governance framework will let board members and professional organisations adopt a custom governance system that would be created to meet their needs. According to the report, there is no framework for architectural alignment that directs an architectural aspect of facets of information governance.
8.1 Description of the facets of information governance framework
The facets information governance framework was based on the findings from the board and staff at a professional council in South Africa. The formulation of the facets of governance framework follows four design workflow stages, namely, understanding the facets of information governance at a professional council, determining of scope of the facets of information governance; refine the scope of the facets of information governance and concluding the facets of information governance. The above results in recommendations for prioritising governance and management objectives or related governance system components or for the adoption of specific variants of facets of information governance system components.
8.2 Understand the facets of information governance
To get clarity across four partially overlapping, interconnected, and complementary domains, namely; organisational strategy, organisational goals, IT risk profile and current IT governance issues – the organisation assesses its context, strategy and operating environment.
8.3 Determination of scope of the facets of information governance framework
Understanding the enterprise strategy produces values that are then converted into a list of prioritised governance elements to create a governance system that is specifically designed for the organisation. If this stage is completed successfully, the organisation will have a comprehensive understanding of its goals, strategy, risk profile and existing IT governance concerns.
8.4 Refine the scope of the governance system
This stage involves an information governance designer involved in:
doing a walkthrough on the design factors mentioned;
determining the applicability of each design factor; and
determining the potential values applicable to the organisation.
9. Implications of the study
The study’s findings suggest that, with the right information governance policy in place, adopting the facets of information governance can be used to address concerns related to information integrity in the short and medium terms. As a long-term option for retaining data and information, it would have various drawbacks and would not, however, ensure the initial dependability of the information (Tumulak et al., 2024).
10. Conclusion and recommendations
The study found that a professional council had not adopted several crucial information governance facets. A professional council would be able to access integrated information between business demands, information systems and technology based on open standards and worldwide interoperability in terms of business intelligence with the implementation of an enterprise architecture (Fahana and Azhari, 2018). Once an organisational strategic plan, operational plan and budget are approved, specific plans are designed to operationalise what needs to be achieved. Risk management should be used in the development of contingency plans for a high probability of occurrence and high impact. Information System Audit and Control Association (2018a) indicated that the organisation should coordinate and execute operational procedures required to deliver internal and outsourced IT governance services, such as, Standard Operating Procedures, databases and records and handling of organisational information. The records management policy should be approved and adopted. The benefits of the facets of information governance are realised when a professional council is audited according to Public Accounts auditing standards.
Organisations need to emphasise a holistic approach to facets of information governance that would translate into empowering a formal decision body, such as a board that would coordinate and integrate IT decision-making across the organisation and IT (De Haes et al., 2020). The organisation should manage the definition, acquisition and implementation of IT governance solutions and their integrations in organisational processes (Information System Audit and Control Association, 2018b). This domain assists in the early diagnosis of incidents and problems and ensures that the performance of IT services are available to the consumers (Gërvalla et al., 2018). Furthermore, this domain ensures the problems are classified and root causes analysed in order to effect permanent resolutions (Safwandi et al., 2022). The annual reports are components of the compliance facet that are used to report on the financial position of the organisation; its performance against predetermined objectives. One of the important oversight functions of Parliament is to consider a professional council’s annual reports. To perform this oversight function, they need assurance that the information in the annual report is credible. To this end, the annual report includes our auditor’s report, which provides assurance on the credibility of the financial statements and the annual performance report, as well as on the organisation’s compliance with legislation.
Figures
Figure 1.
Information Governance initiative pinwheel
Figure 2.
Planning, monitoring and reporting
Figure 3.
Proposed facets of Information governance framework
Document analysis listing
| Doc # | Document |
|---|---|
| D1 | Social Service Professions Act 110 of 1978 |
| D2 | Social Welfare Act 102 of 1998 |
| D3 | Professional council records management policy |
| D4 | Professional council Strategic Plan 2016 to 2021 |
| D5 | Regulations specialties in social work |
| D6 | PBSW – CPD standards and guidelines |
| D7 | Regulations regarding the registration of social auxiliary workers and the holding of disciplinary inquiries |
| D8 | Professional council departments processes |
| D9 | As-is Architecture document |
| D10 | Professional council general notices |
| D11 | Professional council organogram |
| D12 | Terms of reference of system development (part of bid document) |
| D13 | Budget 2021 |
| D14 | Assessment and configuration proposal |
| D15 | Hardware solution proposed |
| D16 | 2021 Annual Meeting calendar |
| D17 | Floor plan |
| D18 | Minutes - 9th IT Business Reengineering Committee meeting – 17 June 2019 |
| D19 | Minutes – 12th IT Business Reengineering Committee meeting – 29 April 2020 |
| D20 | Data verification |
| D21 | Operational IT risk register |
| D22 | IT and business reengineering strategy 2016 to 2021 |
| D23 | Data protection measures |
| D24 | Steps to connect to MS teams |
| D25 | Audit report |
| D26 | IT policy |
| D27 | Exploratory meeting minutes |
| D28 | Department of social development presentation to portfolio committee |
| D29 | Public finance management act |
| D30 | Department of social development strategic plan |
| D31 | Privacy of personal information act |
Source: Table by authors
Appendix.
References
Abedian, I., Strachan, B. and Ajam, T. (1998), Transformation in Action: Budgeting for Health Service Delivery, Juta and Company Ltd.
Aerts, W. and Walton, P. (2018), Global Financial Accounting and Reporting: principles and Analysis (Forth), Cengage Learning EMEA.
Axelos (2019), “ITIL foundation ITIL 4 edition (4th ed.)”, The Stationary Office, available at: www.axelos.com
Axelos (2020), “ITIL: drive stakeholder value”, The Stationary Office, Norwich, available at: www.axelos.com
Becerra-Fernandez, I. and Sabherwal, R. (2014), “Knowledge management: systems and processes: second edition”, In Knowledge Management: Systems and Processes: Second Edition, doi: 10.4324/9781315715117.
Bettoni, M., Andenmatten, S. and Mathieu, R. (2006), “Knowledge cooperation in online communities: a duality of participation and cultivation”, Proceedings of the European Conference on Knowledge Management, ECKM.
Boisot, M.H. (1999), “Knowledge assets securing competitive advantage in the information economy”, Oxford University Press, available at: www.oup.com
Borgman, C.L. (2003), From Gutenberg to the Global Information Infrastructure: Access to Information in the Networked World, In Book. Digital Libraries and Electronic Publishing.
Brown, D.C.G. and Toze, S. (2017), “Information governance in digitized public administration”, Canadian Public Administration, Vol. 60 No. 4, pp. 581-604, doi: 10.1111/capa.12227.
Bryman, A. (2016), “Social research methods (fifth)”, Oxford University Press, available at: www.oup.com
Creswell, J.W. and Creswell, J.D. (2018), “Research design: qualitative, quantitative, and mixed methods approaches”, SAGE Publications, Inc, 5th ed., SAGE Publications, Inc.
De Haes, S., Van Grembergen, W., Anant, J. and Huygh, T. (2020), “Enterprise governance of information technology”, Achieving Alignment and Value in Digital Organizations. In Enterprise Governance of Information Technology (Third), Springer.
Fahana, J. and Azhari, A. (2018), “TOGAF for designing the enterprise architecture of LAZISMU”, Bulletin of Social Informatics Theory and Application, Vol. 2 No. 2, pp. 58-64, doi: 10.31763/businta.v2i2.114.
Gartner (2012), “The importance of ‘big data’: a definition”, available at: www.gartner.com/id=2057415
Gërvalla, M., Preniqi, N. and Kopacek, P. (2018), “IT infrastructure library (ITIL) framework approach to IT governance”, IFAC-PapersOnLine, Vol. 51 No. 30, pp. 181-185, doi: 10.1016/j.ifacol.2018.11.283.
Grillitsch, W., Müller-Stingl, A. and Neumann, R. (2006), “Sharing project knowledge: Initiation, implementation and institutionalisation”, Proceedings of the European Conference on Knowledge Management, ECKM, January 2007, 184-191.
Guetat, S.B.A. and Dakhli, S.B.D. (2015), “The architecture facet of information governance: the case of urbanized information systems”, Procedia Computer Science, Vol. 64, pp. 1088-1098, doi: 10.1016/j.procs.2015.08.564.
Gwanyanya, M.G. (2015), “The South African companies act and the realisation of corporate human rights responsibilities”, Potchefstroom Electronic Law Journal, Vol. 18 No. 1, doi: 10.4314/pelj.v18i1.05.
Hafeez, K. and Alghatas, F. (2007), “Knowledge management in a virtual community of practice using discourse analysis”, Electronic Journal of Knowledge Management, Vol. 5 No. 1, pp. 29-42.
Han, J., Kamber, M. and Pei, J. (2012), “Data mining: Concepts and techniques”, Data Mining: Concepts and Techniques, doi: 10.1016/C2009-0-61819-5.
Iles, H. (2013), Information Governance: A Brief Introduction – New Zealand Focus, pp. 1-7, August, doi: 10.13140/2.1.2069.1847.
Information Governance Initiative (2018), “IGI state of the industry report”, available at: www.iginitiative.com/resources/the-state-of-information-governance-report-volume-iii/
Information System Audit and Control Association (2012), “A business framework for the governance and management of enterprise IT”, In Trust And Partnership, available at: www.linkd.in/ISACAOfficial
Information System Audit and Control Association (2018a), COBIT® 2019 Designing an, Information and Technology Governance Solution.
Information System Audit and Control Association (2018b), “COBIT 2019 framework: Governance and management objectives”, In COBIT® 2019 Framework, available at: www.isaca.org/resources/cobit
Information System Audit and Control Association (2020), “Risk IT framework”, In Exchange (Second, Issue 2), available at: www.isaca.org
Institute of Directors in Southern Africa (IODSA) (2016), “Report on corporate governance for South Africa 2016”, King IV Report on Corporate Governance for South Africa, 71 and 87-94.
International Standard Organization (2015), “ISO_IEC_11179-7_first_draft_WD_metadata_for_datasets”, pp 1-29.
International Standard Organization (2016), “ISO 15489-1:2016(en) information and documentation—records management–part 1: Concepts and principles. 2016”, 15-20.
Khun, J.L. (2024), “Building culture for sustaining information governance”, Creating and Sustaining an Information Governance Program, IGI Global, pp. 36-54.
Kubatko, O.V., Ozims, S.C. and Voronenko, V.I. (2024), “Influence of artificial intelligence on business decision-making”.
Maluleka, J.R. (2017), “Acquisition, transfer and preservation of indigenous knowledge by traditional healers in the Limpopo province of South Africa”, In UNISA Institutional Repository, (Vol. 01. University of South Africa.
Maluleka, J.R. and Ngoepe, M. (2018), “Turning mirrors into windows: Knowledge transfer among indigenous healers in Limpopo province of South Africa”, SA Journal of Information Management, Vol. 20 No. 1, pp. 1-7, doi: 10.4102/sajim.v20i1.918.
Marwala, T. (2014), “Artificial intelligence techniques for rational decision making”, Springer.
Mládková, L. (2011), “Knowledge management for knowledge workers”, The Electronic Journal of Knowledge Management, Vol. 9 No. 3, pp. 248-258, available at: www.ejkm.com.
Moeller, R.R. (2013), Executive’s Guide to IT Governance: improving Systems Processes with Service Management, COBIT, and ITIL, John Wiley and Sons Inc.
Mosweu, T., Luthuli, L. and Mosweu, O. (2019), “Implications of cloud-computing services in records management in Africa: Achilles heels of the digital era?”, SA Journal of Information Management, Vol. 21 No. 1, pp. 1-12, doi: 10.4102/sajim.v21i1.1069.
Mullon, P.A. and Ngoepe, M. (2019), “An integrated framework to elevate information governance to a national level in South Africa”, Records Management Journal, Vol. 29 Nos 1/2, pp. 103-116, doi: 10.1108/RMJ-09-2018-0030.
Ngulube, P., Ngoepe, M., Saurombe, N. and Chaterera, F. (2017), Towards A Uniform Strategy For Taking Archives To The People In South Africa, Vol. 36, p. 21.
Nguyen, C., Sargent, J., Stockdale, R. and Scheepers, H. (2014), “Towards a unified framework for governance and management of information”, Proceedings of the 25th Australasian Conference on Information Systems, ACIS 2014.
Nonaka, I. and Takeuchi, H. (1995), The Knowledge-Creating Company: How Japanese Companies Create the Dynamics of Innovation, Oxford University Press.
Omari, L.A. (2016), “IT governance evaluation: adapting and adopting the COBIT framework for public sector organisations [Queensland university of technology]”, available at: www.eprints.qut.edu.au/cgi/search/archive/thesis/?screen=Search&dataset=archive&title_merge=ALL&title=&creators_name_merge=ALL&creators_name=Omari&supervisors_name_merge=ALL&supervisors_name=&documents%2Fkeywords_merge=ALL&documents%2Fkeywords=&satisf
Polzonetti, A. and Sagratella, M. (2018), “Towards a data-driven enterprise: Effects on information, governance, infrastructures and security”, IEEE International Conference on Industrial Engineering and Engineering Management, 2017-Decem, 1480-1484, doi: 10.1109/IEEM.2017.8290139.
Poole, A.H. (2016), “The conceptual landscape of digital curation”, Journal of Documentation, Vol. 72 No. 5, doi: 10.1108/JD-10-2015-0123.
Project Management Institute (PMI) (2017), A Guide to the Project Management Body of Knowledge (PMBOK Guide) (Sixth), Project Management Institute, Inc, available at: www.pmi.org
Republic of South Africa (1978), “Social service professions act 110 of 1978”.
Republic of South Africa (1998), “Social work amendment act no. 102 of 1998”.
Republic of South Africa (2001), “National archives and records service of South Africa act”, Government Gazette, Vol. 13 No. 36 of 2001, p. 10.
Republic of South Africa (2012), “Public service corporate governance of information and communication technology policy framework (issue December)”, available at: www.dpsa.gov.za/dpsa2g/psictm_documents.asp
Republic of South Africa (2019), “2019 Estimates of national expenditure guidelines”.
Safwandi, S., Muthmainnah, M., Jannah, M. and Lubis, H.A. (2022), “Information technology governance audit using COBIT 5 of DSS domain (deliver, service, and support) framework at Malikussaleh university Lhokseumawe”, Journal of Renewable Energy, Electrical, and Computer Engineering, Vol. 2 No. 1, pp. 38-46, doi: 10.29103/jreece.v2i1.6633.
Smallwood, R.F. (2014), “Information governance: Concepts, strategies, and best practices”, In John Wiley and Sons, (Vol. 61, 1). John Wiley and Sons.
Stringer, E.T. (2014), Action Research (Forth), SAGE Publications, Inc.
Taiwo, K. (2024), “Information technology and governance: does E-governance aid budget transparency?”, Journal of Development Policy and Practice, p. 24551333241242195.
The Cabinet Office (2011c), “04 IT IL 2011 – service operation.pdf”, Second ed. Norwich: The Stationary Office, available at: www.cabinetoffice.co.uk
Tumulak, A., Tin, J. and Keshavjee, K. (2024), “Towards a unified framework for information and interoperability governance”, The Role of Digital Health Policy and Leadership, IOS Press, pp. 49-53.
Valacich, J. and Schneider, C. (2018), “Information systems today managing in the digital world (eighth)”, Pearson Education, Inc, available at: www.pearsonglobaleditions.com
Walker, R.S. and Brown, I. (2019), “Big data analytics adoption: a case study in a large South African telecommunications organisation”, SA Journal of Information Management, Vol. 21 No. 1, pp. 1-10, doi: 10.4102/sajim.v21i1.1079.
Warwickshire County Council (2018), “Information management governance framework (issue November 2018)”.
Yang, B. (2023), “Research on data governance system for information sharing and openness”, Applied Mathematics and Nonlinear Sciences, Vol. 9 No. 1, pp. 1-16.
Yiua, M., Sankatb, C. and Punc, K. (2013), “In search of the knowledge management practices in organisations: a review”, West Indian Journal of Engineering, Vol. 35 No. 2.
Zikopoulos, P.C., DeRoos, D., Parasuraman, K., Deutsch, T., Corrigan, D. and Giles, J. (2013), Harness the Power of Big Data: The IBM Big Data Platform, McGraw Hill.
Further reading
Ahmed, E. (2021), “Utilization of business intelligence tools among business intelligence users”, International Journal for Innovation Education and Research, Vol. 9 No. 6, pp. 237-253, doi: 10.31686/ijier.vol9.iss6.3172.
Ali, A. (2017), “Ransomware: a research and a personal case study of dealing with this nasty malware”, Issues in Informing Science and Information Technology, Vol. 14, pp. 087-099, doi: 10.28945/3707.
Andrew, S. (2020), “CNN: This map tracks the coronavirus in real time”, available at: www.edition.cnn.com/2020/01/29/health/coronavirus-map-real-time-tracking-trnd/index.html
Auditor-General of South Africa (2019), “Investigation and special audits regulations”, Vol. 110, p. 383
Buckl, S. and Schweda, C.M. (2013), “A systemic view on enterprise architecture management: State-of-the-art and outline of a building block-based approach to design organization-specific enterprise architecture management functions”, In A Systemic Perspective to Managing Complexity with Enterprise Architecture, doi: 10.4018/978-1-4666-4518-9.ch007.
De Bruyn, M. (2014), “The protection of personal information (POPI) Act – Impact on South Africa”, International Business and Economics Research Journal (IBER), Vol. 13 No. 6, p. 1315, doi: 10.19030/iber.v13i6.8922.
Gallagher (2020), “ARS technica: London to deploy live facial recognition to find wanted faces in a crowd”, available at: www.arstechnica.com/information-technology/2020/01/london-to-deploy-live-facial-recognition-to-find-wanted-faces-in-crowd/
General Data Protection Regulation (2016), available at: www.gdpr-info.eu/
Grother, P., Ngan, M. and Hanaoka, K. (2019), “Face recognition vendor test (FVRT): part 3, demographic effects”, doi: 10.6028/NIST.IR.8280.
Gwala, S. (2016), “Barriers to implementation of the (SA) national cybersecurity policy framework [University of Witwatersrand] ”, available at: www.wiredspace.wits.ac.za/handle/10539/23802 (accessed 13 May 2023).
Information System Audit and Control Association (2018c), “COBIT 2019 framework: Introduction and methodology”, In ISACA, doi: 10.1007/978-981-15-7650-8_1.
Jingyao, S., Chandel, S., Yunnan, Y. and Jingji, Z. (2020), “Securing a network : How effective using firewalls and VPNs are ? Securing a network : How effective using firewalls and VPNs are ?”, March 2019, doi: 10.1007/978-3-030-12385-7.
John Hopkins University (2020), “Center for systems science and engineering: 2019-nCoV global cases”, available at: www.coronavirus.jhu.edu/map.html
Motii, M. and Semma, A. (2017), “Towards a new approach to pooling COBIT 5 and ITIL V3 with ISO/IEC 27002 for better use of ITG in the Moroccan parliament”, International Journal of Computer Science Issues, Vol. 14 No. 3, pp. 49-58, doi: 10.20943/01201703.4958.
Motii, M. and Semma, A. (2019), “Esarbica journal”, SA Journal of Information Management, Vol. 21 No. 1, pp. 1-12, doi: 10.1016/j.jclepro.2018.07.047.
Ngoepe, M. and Ngulube, P. (2014), “The need for records management in the auditing process in the public sector in South Africa”, African Journal of Library Archives and Information Science, Vol. 24 No. 2.
Patino, R. (2009), “Intellectual property rights and research disclosure in the university environment: Preserving the commercialization option and optimizing market interest”, Journal of the American Association for Laboratory Animal Science: JAALAS, Vol. 48 No. 2, pp. 138-143.
Public Finance Management Act No. 1 of 1999, 32 2949 (1999).
QuickBooks Canada (2020), “Importance and benefits of standard operating procedures”, available at: www.quickbooks.intuit.com/ca/resources/business/importance-and-benefits-of-standard-operating-procedures/
Republic of South Africa (2009), “Government-Wide enterprise architecture (GWEA) framework”.
Republic of South Africa (2010), “National treasury framework for strategic plans and annual performance plans”, available at: www.treasury.gov.za
Republic of South Africa (2015a), “Public service operations management”, In Department of Public Service and Administration Republic of South Africa (Issue January).
Republic of South Africa (2015b), “The national cybersecurity policy framework (NCPF) for South Africa - 2015”, Government Gazette, Vol. 39475, pp. 1-30 , available at: www.gov.za/sites/www.gov.za/files/39475_gon609.pdf.
Republic of South Africa (2020a), “Department of postal and telecommunications: National cybersecurity hub”, available at: www.cybersecurityhub.gov.za/
Republic of South Africa (2020b), “Strategic plan 2020-2025”.
Sarno, R. and Herdiyanti, A. (2010), “A service portfolio for an enterprise resource planning”, International Journal of Computer Science and Network Security, Vol. 10 No. 3,
Shabalala, P.M. (2005), “Budget allocation and expenditure patterns of government with specific reference to government communication and information system (GCIS) for the period 1998 - 2001 (issue November)”.
Simoiu, C., Gates, C., Bonneau, J. and Goel, S. (2019), “A study of ransomware”, USENIX Symposium on Usable Privacy and Security (SOUPS), 1-16.
Social Service Professions Council of South Africa (1978), “Social service professions act 110 of 1978, 1978”.
Telesca, L., Rana, J. and Ion, M. (2007), “Challenges of interoperability issues for enterprise software and applications”, available at: www.cordis.europa.eu/pub/ist/docs/ict-ent-net/eivp-create_en.pdf
The Cabinet Office (2011a), 01 ITIL 2011 – Service Strategy.pdf, The Stationary Office.
The Cabinet Office (2011b), “04 ITIL 2011 – Service operation.pdf”, In TSO for the Office of Government Commerce, London (Second). The Stationary Office, available at: www.cabinetoffice.co.uk
The Ohio State University (2020), “Center for clinical and translational science: writing standard operating procedures”, available at: www.ccts.osu.edu/content/writing-standard-operating-procedures-sops
The Open Group (2009), “TOGAF version 9 the open group architecture framework (TOGAF)”, In The Open Group, (Vol. 37, 4). The Open Group Vol 37.
The Open Group (2018), The TOGAF® Standard, Version 9.2, The Open Group.
The Open Group (2019), Open Group Standard Open Data Format (O-DF), an Open Group Internet of Things (IoT) Standard, The Open Group.