The Board and IT Governance : A Replicative Study

The challenge of the corporate environment has been and remains one of competitive advantage. To address this challenge, information technology (IT) is playing an ever-increasing role. Nowadays it is not uncommon to find IT entrenched in all business processes in the corporate environment, as it has become pervasive in nature. With this high dependence on IT, literature is paying a renewed attention to those responsible for the well-being of the organisation, namely the board, and its role in providing proper governance over IT. Earlier research indicated that complete control over IT was lacking, since there was a general shortcoming of IT expertise or ability at board-level within the corporate environment. The question then that can rightfully be asked is whether any progress has taken place over the past few years in this regard. Hence, do boards today still lack IT expertise or ability in addressing their IT governance obligations in the corporate environment. Accordingly, this paper reports on a replicative study conducted in this area to answer this question. The results of this study suggest that certain progress has been witnessed, indicating that some improvement has taken place; nevertheless, much work still remains to be done in this area.


INTRODUCTION
Breakthroughs and advances in information technology 1 (IT) have shaped the very foundation of modern society and corporate life (Gallagher, 2010).In the corporate environment, organisations are today depending more on IT than ever before (Von Solms and Von Solms, 2008, p. iv).Nowadays, IT can be seen operating in virtually all business processes to the point that it is almost inseparable from the organisation itself (ISACA, 2012, p. 13).
For this reason, IT is today just as much a part of an organisation"s well-being as its economic prosperity, environmental sustainability and social responsibility or triple bottom line (Posthumus et al., 2010).Consequently, those responsible for organisational well-being, namely the board, should not only provide direction and control over the triple bottom line, but should now also broaden 1 Information systems and information technologies are inextricably linked (Dewett and Jones, 2001).Since it has become conventional to do so, for the rest of this paper information technology (IT) will be used to jointly refer to both.
their oversight to IT (Von Solms and Von Solms, 2008).This is commonly referred to as IT governance or the corporate governance of IT (Van Grembergen and De Haes, 2009).
Although boards are starting to realise the criticality of IT and are starting to get more involved in its governance, the literature still suggests that many have not yet achieved complete control over IT (Nolan and McFarlan, 2005).Earlier board-level IT governance research (Posthumus, 2009, pp. 93-100) set forth to determine why complete control was lacking by means of a qualitative content analysis.The research identified, at the time, that the cause could be attributed to the fact that there was a general lack of IT expertise or ability at board-level within the corporate environment.Therefore, expertise related to what should be done to strategically direct and control IT appropriately was deficient under board members.
The question then that can rightfully be asked is whether any progress has taken place over the past few years in this regard.Henceforth, do boards today still lack IT expertise or ability in addressing their IT governance obligations in the corporate environment.
Accordingly, the objective of this paper is to report on a replicative study, in line with the earlier board-level IT governance research, to answer this question.
The aforementioned research question and objective dictates the layout of this article.Firstly, a brief introduction to IT governance is provided.Secondly, the materials and methods used to perform the replicative study are introduced.Thirdly, the results emanating from this study are detailed.Fourthly, a discussion will ensue to offer insight into the data that was gathered and to draw inferences thereon.Finally, a conclusion will follow as an epilogue to the paper.

IT GOVERNANCE IT governance defined
Information is a critical business asset and forms the "lifeblood" of modern day organisations (Von Solms and Von Solms, 2008).Unfortunately, the investments organisations make to advance or improve their IT to offer this information have often seen disappointing results owing to a lack of appraisals and vision by boards (Devos et al., 2012).For these and other reasons, IT governance has become of critical importance (De Haes and Van Grembergen, 2008).
IT governance or, as it is often referred to, the corporate governance of IT, is a term that has been evolving rapidly and therefore the literature has provided many definitions over the last few years (Devos et al., 2012).A general definition of IT governance, given by the ISO/IEC 38500 (2008) standard, entails that it is the "system by which the current and future use of IT is directed and controlled".Furthermore, it "involves evaluating and directing the use of IT to support the organisation and monitoring this use to achieve plans" (ISO/IEC 38500, 2008, p. 3).
In line with corporate governance, it can be stated that the board is ultimately responsible for IT governance itself owing to the correlation between it and corporate governance.As Von Solms and Von Solms (2008, p. 11) indicate, IT governance is "the responsibility of the board" since "it is an integral part of enterprise (corporate) governance".
From the discussion above, it can be concluded that the board is ultimately responsible for IT governance and plays an essential role within its implementation and execution.To facilitate this, however, the board is required to have a sound level of IT ability.

Board-level IT ability
Board-level IT ability can be defined as the necessary Coertze and von Solms 3359 expertise required by the board to adequately address their IT governance obligations.Thereby, it refers to the board"s ability to ensure sound control and governance over IT.
Literature on IT governance proposes that boards can appropriate this ability or expertise from various sources.Three sources that have featured prominently in the literature are that of the following (adapted from Van Grembergen and De Haes, 2009, pp. 25-27): 1. IT leadership and the presence or role of the CIO -There should be a CIO or similar role in an organisation to articulate a vision for IT"s role in the business and ensure that managers throughout the organisation clearly understand this vision.

IT oversight (or similar) committee at board-level
-There should be a committee at board-level to ensure that IT is a regular agenda item for the board and that issues of relevance are reported to it.

IT expertise or experience amongst board members
-Board members should have some expertise in and experience of the value and risk of IT to guide them in making adequate IT decisions and investments.
Owing to the criticality of these three sources for this study, each will now be discussed individually to provide greater insight into their importance and/or necessity at board-level and how they contribute to board-level IT ability.

The role of the CIO
The role of the CIO has intensified tremendously over the past few years in relation to the increase in dependence on IT (Mair, 2012).Hence, modern day literature recommends that the CIO role should be present in most organisations and should be active in the IT governance and management domain (Institute of Directors in Southern Africa, 2009;ISACA, 2012).COBIT 5 (ISACA, 2012, p. 76) defines the CIO role, as it relates to IT, as "the most senior official of the organisation that is responsible for aligning IT and business strategies and accountable for planning, resourcing and managing the delivery of IT services and solutions to support business objectives".From this definition it becomes apparent that a CIO acts as a translator or link between the business and ITunderstanding the business strategy as set out by the board and identifying what is possible from an IT perspective (Donnelly, 2010, p. 6).Hence, the CIO removes the technicalities of IT and presents it to the board as a tool for achieving their strategic business objectives.
The CIO should have an unprecedented knowledge Corresponding author.E-mail: jacques.coertze@gmail.com,rossouw.vonsolms@nmmu.ac.za and skill set.It should, however, be noted that the CIO cannot perform this role alone and requires input from the board and assistance from the rest of the organisation (IT Governance Institute, 2008).Hence, much debate has taken place in the academic literature as to where in the organisational hierarchy the CIO role should be placed (Posthumus et al., 2010).Irrespective of where in the hierarchy the CIO role is placed, it should be filled in an organisation.Where a CIO role cannot be established, as a result of financial or other constraints, another executive with sufficient knowledge and an adequate skill set should be assigned these responsibilities (Posthumus et al., 2010).
The role of the CIO should not, however, be confused with that of a board-level IT committee.Although the CIO role is crucial for successful IT operations in the organisation, it remains the duty of the board and its supportive committees to ensure overall business and IT success.

IT oversight (or similar) committee
As board members often have a business management, financial, accounting or legal background, the issue of IT is often dealt with using board committees.Such committees enable board members to carry out their duties with greater ease, as each committee can be dedicated to a specific issue and can focus its attention on it (Institute of Directors in Southern Africa, 2009, pp. 46-47).
The King III report (Institute of Directors in Southern Africa, 2009), as supported by Nolan and McFarlan (2005), suggests the establishment of a dedicated IT oversight (or similar) committee to comprehensively evaluate and advise on IT matters.The aim of such a committee is to address strategic IT issues in detail.Thereby ensuring that IT is a standard topic on the board"s agenda and that the board receives all the information required to make informed decisions (Posthumus et al., 2010).Thus, the IT oversight committee becomes the custodian of IT in the organisation and ensures that all its dimensions are adequately investigated and reported on.An important point to consider though is that this committee performs a purely advisory role to the board, and therefore has no say on any final decisions reached by the board.
It may be worth mentioning that in some instances an audit or risk management committee in an organisation may address IT concerns.Although this can be the case, it should be noted that their IT mandate may be severely limited in nature (Posthumus and Von Solms, 2005).
Although the benefits that a board committee offers cannot be ignored, a cardinal sin of the board would be to assume that, in establishing such a committee, it avoids any accountability or responsibility.As the King III report (Institute of Directors in Southern Africa, 2009, p. 73) states, when establishing such a committee the board delegates its responsibility but still ultimately remains accountable.Hence, although an IT oversight committee may be established it remains essential that the board has some, if only limited, IT expertise or experience to guide it through IT decisions and during oversight.

IT experience/expertise of board members
Boards may come to rely quite heavily on the expertise and knowledge of an IT oversight or other committee to assist them with their IT governance duty.However, the ultimate accountability and decision making remains theirs alone (Institute of Directors in Southern Africa, 2009, p. 73).As a result, Monnoyer and Willmott (2005) state that "board committees are poor proxies for boards who can forge a clear agreement among their peers about IT investment choices and drive the conversations needed to make a tough trade-off".Thus, board involvement and leadership can achieve what IT governance implementations by themselves cannot (Van Grembergen and De Haes, 2009, p. 62).
Unfortunately, as Nolan and McFarlan (2005) state, boards often lack the fundamental IT knowledge needed to ensure such involvement and leadership, since board members are typically appointed for their financial and/or management expertise.Owing to this lack of fundamental IT knowledge or limited experience, situations may arise where boards may have to unwittingly sacrifice some of the control that it may exercise over IT (Monnoyer and Willmott, 2005;Posthumus and Von Solms, 2005).Therefore, gaining board IT expertise or experience could go a long way to facilitating informed decisions and forward-looking IT investments.For this reason, educating board members on IT issues and IT governance is essential and should be a prime practice strived for from the outset of IT governance implementation (Weill, 2004).As Benjamin Franklin said, "an investment in knowledge pays the best interest" (BrainyQuote, 2013).
This section has identified the importance of IT governance and how it relates to the board, in addition to discussing sources by which boards can obtain the necessary expertise or ability to properly control and govern IT.This knowledge was subsequently used to perform a replicative study to determine whether any progress has been witnessed in board-level IT expertise or ability in the corporate environment over the past few years.The following section offers more detail on the way in which this has taken form.

MATERIALS AND METHODS
The aim of this study was to perform a replicative analysis on board-level IT expertise or ability in the corporate environment.As identified, the three previously discussed sources contribute towards board-level IT ability.By determining if these sources are present within an organisation, it is possible to determine boardlevel IT expertise or ability maturity and subsequently conclude whether any progress has been made when analysing individual organisations.
However, a primary concern was where and how the data required to measure these sources in organisations should be captured.In line with an earlier study (Posthumus, 2009, pp. 93-100), the authors found that data related to these sources could be collected unobtrusively from the corporate websites and integrated reports of private or publicly listed organisations.This was resultant of the fact that they typically shared the required information freely and were publicly accessible.
Furthermore, the corporate websites and integrated reports were presented as texts, which made it feasible to make use of a process that resembles a qualitative content analysis for data collection purposes (Krippendorf, 2012).

Qualitative content analysis defined
Content analysis, originally intended to analyse hymns, newspapers and magazines among other things (Harwood and Garry, 2003), is now being used in a variety of research fields for both qualitative and quantitative approaches (Hsieh and Shannon, 2005).Until recently, the majority of research has focused on quantitative methods, where sampled or other probabilistically approached data is used to produce steadfast information for which the results can be proven without a doubt (Zhang and Wildemuth, 2009).Although this approach has produced highly reliable research results, it is not without its weaknesses (Morgan, 1993).Hence, qualitative approaches are nowadays used in many current studies to allow researchers to understand the social reality in a subjective yet scientific manner (Zhang and Wildemuth, 2009).
Qualitative content analysis can be defined as "a research method for the subjective interpretation of the content of text data through the systematic classification process of coding and identifying themes or patterns" (Hsieh andShannon, 2005, p. 1278).From this definition it becomes clear that qualitative content analysis aspires to allow a researcher to consult various texts and to make sense of them, by means of coding and pattern identification, allowing for replicable and valid inferences to be made.The purpose thereof to provide knowledge, new insights, a representation of facts and/or a practical guide to action (Krippendorf, 2012).
In addition, a qualitative content analysis is typically an indirect and often non-reactive method.Instead of consulting individuals from within the research field by means of questionnaires or interviews, existing material created for unrelated purposes is examined instead.Thus, such an analysis would be a prime unobtrusive investigation method (Robson, 1993).
These definitions thus offer great insight into how the qualitative content analysis method was used in the context of this paper.Various texts, in the form of organisational websites and integrated reports, was methodically explored to make logical, replicable and valid inferences on the current state of board-level IT expertise or ability in the corporate environment.However, it may prove even more insightful to explore the process that was followed in this regard further, as this may explain how the inferences were drawn.

Method(s) followed
In this paper, a method resembling a qualitative content analysis was used for data collection that is identical to one used in an earlier study (Posthumus, 2009, pp. 93-100).It is also closely correlated with the views of both Haysamen (1994) and Robson (1993).The reason being that the authors needed to ensure consistency with the earlier study to allow for a replicative analysis to be performed based on the results of the two time dispersed studies.
The earlier study performed by Posthumus (2009, pp.93-100) analysed sixty private or publicly listed organisations.These represented twenty well established or renowned organisations each from South Africa (SA), the United Kingdom (UK) and the United States of America (USA) trading on the Johannesburg, London and New York stock exchanges respectively.
UK and USA companies where chosen due to their established history and attention to IT governance.The UK, although not necessarily to the same degree as USA, have a long history of IT governance.Some of the first IT governance best practices and/or documents, such as the Cadbury (1993) report, originate from the UK.Similarly, USA companies appear much more prepared and alert to IT governance.This may be attributed due to the fact that many major corporate IT failures over the years have been USbased.These resulted in the introduction of US-based legislation such as Sarbanes-Oxley (US Congress, 2002), which have focussed significant attention on IT, its management and reporting.In contrast, SA companies have only recently turned their attention formally to IT governance with the publication of the King III report (Institute of Directors in Southern Africa, 2009).For comparison purposes, it thus makes sense to compare SA, a new IT governance contender, to two well established IT governance countries for maturity analysis purposes.
However, given the tough economic conditions and the time that has elapsed, three of these organisations have subsequently been acquisitioned, liquidated or dissolved.Thus, for the purpose of maintaining consistency and allowing for a valid replicative analysis to be made, the remaining fifty-seven of the original sixty organisations, originating from SA (20 organisations), the UK (18 organisations) and the USA (19 organisations) were analysed.These organisations trade in industries covering finance and banking, insurance, health care, technology and communications, food and beverages and other sectors.
Furthermore, to ensure reliability and consistency in the analysis, the authors also made use of the same categories and criteria established by the earlier study of Posthumus (2009, pp. 93-100).
Hence, once these fifty-seven organisations had been identified in this manner (see Appendix A), each of their corporate websites and integrated reports were once again examined and analysed for information.This information included the CVs of and general IT qualification or experience information on board members, information concerning board committees, in particular any IT-related committees and information pertaining to the presence of a CIO or similar role in the organisation.Thus, information relating to the three previously mentioned sources of board-level IT expertise or ability.
The research question of whether any progress has taken place over the past few years with regard to board-level IT expertise or ability facilitated the making of simple yes/no inferences.These inferences where made in terms of three specific criteria per organisation (see Appendix A and B): -examining the qualifications and previous work experience of board members, and searching for any IT qualifications or experience among them, -determining whether a chief information officer (CIO) or similar role was present and whether it operated at board-level, and -investigating the various board-level committees looking for the presence of an IT oversight (or similar) committee.
To determine whether a chief information officer (CIO) or similar role was present within each organisation, various search terms were used.In accordance with general naming conventions associated with the CIO role, these search terms included, but are not limited to: -chief information officer, -technology officer, -director of information services, -director of IT infrastructure and security, -director of information technology, and -vice president of information technology.
If the search term or role was present, a further analysis was subsequently performed to determine if the position operated or interacted at board-level.For this purpose, the board meeting attendance register was analysed in addition to the role description.
To investigate the presence of an IT oversight (or similar) committee, the charters of each organisation"s committees were investigated and compared to the description of an IT oversight committee.In the event that no such committee was present, the charter of the audit and/or risk management committees were also analysed to determine whether they provided satisfactorily and comprehensive IT oversight.
For each of these three sources or criterion, the study recorded the number of occurrences of information indicative of them for each organisation analysed.Subsequently, and in support of Huysamen (1994), this recorded information was used to perform an analysis resulting in the calculation of total occurrences taking the form of percentages for each criterion.These results, provided in the following section, were then used at the end of the method to subjectively gauge whether board-level IT expertise or ability have improved over the past few years.
Either a conventional hypothesis testing or an exploratory approach could have been used for the actual analysis.An exploratory approach was selected, as the authors wanted to explore the research domain without bias or any preconceptions, rather than confirm any prior hypothesises.Consequently, a number of interesting results were obtained.

RESULTS
From the data collection a number of results could be inferred that were similar to those of the earlier study (which will not be discussed in detail here).These results will now be discussed to offer insight into the current situation of board-level IT expertise or ability in SA, UK and USA organisations.

South Africa (SA)
Firstly, the results of the 2013 study on twenty SA private or publicly listed organisations will be presented.The analysis identified the following: -Only seven organisations (or 35%) of those analysed had some IT expertise or experience amongst board members; with very few of these having more than one board member with this expertise or experience.Furthermore, only 15% of the organisations had board members with actual IT-related qualifications.
-A significant eighteen organisations (or 90%) had the presence of a CIO or similar role.
-Only two organisations (or 10%) had the presence of a CIO or similar role at board-level.
-A total of eight organisations (or 40%) operated boardlevel IT oversight (or similar) committees.
Investigating the industry sectors within which these South African private and publicly listed organisations trade, a few additional results were obtained.These include the following: -The majority of IT expertise or experience amongst board members resides in the technology and communications, mining and oil sectors, with 67 and 50% respectively in each sector having such expertise or experience.
-Nearly all organisations had a CIO or similar role.The only two sectors showing discrepancies in this regard were those of health (67%), mining and oil (75%).
-The only two sectors showing a CIO or similar role at board-level were those of health (25%), food and beverages (33%).
-The majority of organisations with IT oversight (or similar) committees reside in the finance, health and insurance sectors with 75, 50 and 50% respectively in each sector having such a committee.

United Kingdom (UK)
The 2013 investigation of eighteen UK private or publicly listed organisations revealed the following: -Eleven organisations (or 61%) of those analysed had some IT expertise or experience amongst board members, with some having more than one board member with this expertise or experience.However, only 12% of the organisations had board members with actual ITrelated qualifications.
-A significant 16 organisations (or 89%) had a CIO or similar role.
-Only two organisations (or 11%) had a CIO or similar role at board-level.
-Unfortunately, no organisations (or 0%) had board-level IT oversight (or similar) committees.
In investigating the industry sectors within which these UK private or publicly listed organisations trade, a few additional results could again be obtained.These included the following: -The majority of IT expertise or experience amongst board members resides in the food, beverage, technology and communications sectors, with all the organisations (100%) in these sectors having such expertise or experience.
-Nearly all organisations had a CIO or similar role.The only two sectors showing discrepancies in this regard were those of health (67%), technology and communications (67%).
-The only two sectors having a CIO or similar role at board-level were those of technology and communications (33%), food and beverages (33%).

United States of America (USA)
The Board Member IT Experience publicly listed organisations identified the following: -Twelve organisations (or 63%) of those analysed had some IT expertise or experience amongst board members, with some having more than one board member with this expertise or experience.However, 37% of the organisations had board members with actual IT-related qualifications.
-Thirteen organisations (or 68%) had a CIO or similar role.
-Only three organisations (or 16%) had a CIO or similar role at board-level.
-A total of three organisations (or 16%) operated boardlevel IT oversight (or similar) committees.
In investigating the industry sectors in which these US private or publicly listed organisations trade, a few additional results were again obtained.These included the following: -The majority of IT expertise or experience amongst board members resides in the finance, technology and communications and other sectors, with all organisations (100%) in these sectors having such expertise or experience.
-The mining and oil sector had no CIO or similar role, while the technology and communications and other sectors showed the most presence (75% and 100% respectively) of this role.
-The only three sectors having a CIO or similar role at board-level were that of finance (33%), technology and communications (25%) and others (25%).
-The majority of organisations did not operate IT oversight (or similar) committees except the finance, technology and communications and other sectors with 33, 25 and 25% respectively in each sector having such a committee.
Having inferred these results from the data collection, the next step was to use them to determine whether any progress has been made over the past few years in board-level IT expertise or ability.This was done by comparing the outcome of this study to the conclusion(s) reached by Posthumus"s (2009, pp. 93-100) earlier study.Hence, the next step was to conduct an actual comparative analysis.The results of this will now be discussed.
Figure 1 illustrates how IT expertise or experience at board-level compares among private or publicly listed organisations in SA, UK and USA for this and the earlier study.Whilst Figure 2 shows a similar comparison, but this time illustrating how CIO presence at board-level compares across the organisations analysed for this and the earlier study.Figure 3 presents a comparison of IT oversight (or similar committee) occurrences among the organisations analysed for this and the earlier study.Finally, Figures 4, 5    per industry sectors.

The Current Environment
From the results SA recorded the lowest occurrence of board members with IT expertise or experience, whereas the UK and the USA currently show higher yet very similar percentages.This, therefore, suggests that seeking IT expertise or experience when appointing board members still remains low on average for all three countries.The finding for SA is especially significant since board members are nowadays required to become involved and participate far more in IT matters than ever before as a result of the King III report (Institute of Directors in Southern Africa, 2009).Hence, SA organisations may be steering towards troubled waters if this situation is not remedied.Unfortunately, although a CIO or similar role is often present at management level, this is not the case currently at board-level.The USA recorded the highest percentage, although it was still below average.Hence, to sum up it can be stated that the lack of presence of a CIO or similar role at board-level across all three countries is quite concerning.Nevertheless, it is debatable whether the CIO should operate at board or management level; many best practices suggest that board-level is more advisable.
The results also suggest that board-level IT oversight (or similar) committees are currently not a major occurrence in any of the three countries.A major finding was that none of the UK organisations listed any board-level IT oversight committees.Furthermore, SA showed most occurrences, perhaps suggesting that although board members in SA may have limited or no IT expertise or experience, IT committees are at least supporting them in some cases.It can thus be stated that the occurrence of board-level IT oversight (or similar) committees remains poor in all three countries.This should be of major concern, since these committees play an important role nowadays in terms of the dependence that organisations are placing on IT.In their defence, on their corporate website and/or in their integrated reports some organisations reported having an audit or risk committee addressing IT matters.However, again the scope of IT investigation by such committees is questionable at best (see the subsection on the IT oversight committee).

Replicative Progress
Looking specifically at the replicative significance of the results reported here, a clearly discernible improvement trend is visible concerning IT expertise or experience amongst board members.Both SA and the UK showed an increase of approximately 20% over the six year span, while the USA showed none.This therefore suggests that seeking IT expertise or experience whilst appointing board members is gaining some importance, although it still remains relatively low on average for all three countries.
The recent CyLab report (Westby, 2012) support these results, since it suggests that 37% of 108 analysed organisations considered IT expertise or experience as a vital aspect of the current appointing process of board members.Hence, suggesting that IT expertise is in fact becoming more desirable.
The CIO or similar role at board-level was also identified to have witnessed little improvement over the six year period.The improvement suggests that approximately only 5% of organisations in SA and the UK, beyond those of 2007, have identified the importance and are now making use of a CIO or similar role at boardlevel.
An interesting finding is that the USA has actually declined in this regard, showing a decrease of 15%.This reduction may be attributed to the financial constraints that resulted from the economic crisis or recession, which has plagued US organisations during the analysed time frame.This is supported by the annual Society of Information Management (SIM) survey (Luftman and Derksen, 2012).
The exact reliability and accuracy of the finding on the CIO role at board-level are difficult to establish.The importance that this role is starting to take on, however, is supported by Spencer Stuart (2009) and Mair (2012).Hence, suggesting that there might be some truth in the finding.
Board-level IT oversight (or similar) committees have also grown in importance in SA, with a 40% improvement being witnessed.This is perhaps indicative that the King III report (Institute of Directors in Southern Africa, 2009), and its support for such committees, may have increased in significance in the SA market.
A significant finding remains that the UK has not seen any improvement over the six year span and remains the Another discrepancy identified is that the number of organisations operating such committees in the USA has actually decreased by approximately 10%.The main reasons for this finding for USA organisations are again the economic crisis or recession (Luftman and Derksen, 2012).Consequently, this may have forced US organisations to re-evaluate their critical business functions and to place more emphasis on cost saving measures (Luftman and Ben-Zvi, 2010).
The recent CyLab report (Westby, 2012) again supports these results.It suggests that 23% of the 108 organisations that it analysed operated IT oversight (or similar) committees, thus showing an approximate 15% improvement over the 2010 report (Westby, 2010).This then suggests that board committees are starting to form around technology issues.
In summary, from the results of the study it can be suggested that the King III report (Institute of Directors in Southern Africa, 2009) has had a significant effect on board-level IT expertise or ability in SA organisations.This progress has allowed SA to narrow the gap between itself and the other two countries.In the case of IT oversight (or similar) committees, it too considerably exceeds the other two.Although promising, much work still remains to be done if the future of SA organisations is to be guaranteed and an acceptable board-level IT expertise or ability maturity is to be reached.
In contrast, the Sarbanes-Oxley Act (US Congress, 2002), which is legally binding, appears to have had a positive effect on US organisations prior to 2007.Unfortunately, little improvement has resulted in the subsequent six year period covered by this study.It is thus argued that US organisations have become somewhat stagnant or, in some regards, have even declined in respect of board-level IT expertise or ability maturity.This trend can most logically once again be attributed to the financial recession that has had a major influence on the business operations of organisations in the USA (Luftman and Derksen, 2012).
UK organisations, on the other hand, have shown some improvement and can even be considered to now be on a par with their US counterparts.Their biggest hurdle, however, still remains the fact that no IT oversight (or similar) committees are present at the moment.
It should be noted that every effort was made to ensure the consistency, reliability and accuracy of the results reported and the discussion given.Unfortunately a number of limitations resulting from the research method, process and criterion used can be reported that may have somewhat obscured the results and led to wrongful conclusions being drawn.

Limitations
The data collection process presented as part of the methodology of this paper was, in common with Posthumus"s (2009, pp. 93-100) methodology, a "once off" exercise.It merely represents a snapshot of the state of board-level IT expertise or ability maturity across South Africa, the United Kingdom and the United States of America.Thus the results of the replicative study may have been obscured because both studies merely focused on a specific point in time.
Another limitation also relates to the sample size of sixty and organisations that were used for each study.Accordingly, a larger sample size might certainly add more accuracy and certainty to the results in future.Unfortunately, the availability of information indicative of the three sources of board-level IT expertise or ability within an organisation is neither always shared openly nor accessible.Hence, the availability of this information limits the number of organisations that can be sampled.
It may also be worth mentioning that both studies involved analysing textual data from corporate websites and/or integrated reports per a qualitative content analysis technique.As any user of the internet knows, the truthfulness of most web based sources is questionable at best.Thus, a limitation of the research method used by both studies is that it depended entirely on the accuracy of the data presented on these websites and/or in these reports as well as the update frequency.
To conclude, it can thus be stated that the results of the replicative study are certainly to be acknowledged as having validity.They should, however, be considered within the context provided and may require some additional support by means of triangulation (Guion et al., 2011) if they are to be used to support future studies.Such triangulation, however, falls outside the scope of this paper, although it is highly recommended.

Conclusion
In the corporate environment dependence on IT has seen tremendous growth in the past decade (ISACA, 2012, p. 13).This has led to some believing that IT has become a mere commodity (Carr, 2003).Although this may ultimately be true, IT is nowadays playing an essential role in facilitating competitive and strategic advantages for organisations worldwide (Evans, 2003;IT Governance Institute, 2008, p. 7).
Unfortunately, many organisations have realised that because of failures and losses these advantages can only be acquired if IT is properly governed (Abraham, 2012).Thus, IT governance, a component of corporate governance and thus the duty of the board, has of late received much attention (Institute of Directors in Southern Africa, 2009;ISACA, 2012).
Regrettably, the literature suggests that many boards have not yet achieved adequate control over IT (Nolan and McFarlan, 2005).Of specific interest to this paper was the research performed by Posthumus (2009, pp. 93-100).The research indicated that complete control was lacking since there was, at the time of the study, a general lack of IT expertise or ability at board-level within the corporate environment in SA, UK and USA.
Thus, the question that could rightfully be asked was whether any progress had been witnessed within the corporate environment since this study was conducted.
To answer this question, this paper set out to present the results of a replicative study based on the earlier research performed by Posthumus.
Key results of the replicative study conclude that the King III report (Institute of Directors in Southern Africa, 2009) has had a positive effect on board-level IT expertise or ability in SA organisations over the six year span, in that: -the occurrence of IT oversight (or similar) committees in SA organisations has risen tremendously, with as much as 40% currently operating such committees -the IT expertise and/or experience amongst board members in SA is on the rise and it is expected to continue to do so -the importance of the CIO role in SA organisations has seen significant growth, with so much as 90% of companies indicating a CIO role in their managerial structure.Although this finding is very positive, it is interesting to note that few of these CIOs currently operate at boardlevel.
Collectively, this progress has allowed SA to narrow the gap between itself, the UK and the USA.
Meanwhile UK organisations have shown some improvement and are considered to now be on par with their US counterparts.On the other hand, US organisations appear to have met some resistance because of the economic conditions and consequently have stagnated or in some regards have even declined in respect of boardlevel IT expertise or ability.
In can thus be concluded that some progress has taken place within the corporate environment and organisations in South Africa are starting to experience improved board-level IT expertise or ability.Furthermore, boards today are both more involved and more active in addressing their IT governance duty, although much work still remains to be done in this area.
One concern that remains, however, is that IT expertise or ability at board-level is still quite low on average in all three countries.Few board members have IT qualifications or experience; similarly few organisations have a CIO or similar role at board-level and IT oversight (or similar) committees are still rare.The authors thus advocate that IT governance researchers should remain vigilant in their attempts to assist boards in adequately addressing their IT governance obligations.In particular, they should continue to provide boards with both theoretical and practical assistance to obtain the necessary board-level IT expertise or ability.Our Executive IT Steering Committee is mandated to improve the overall IT governance, while ensuring that future platforms will meet strategic needs and remain competitive.There are clear management processes for project approvals and the monitoring of the delivery of major IT projects.This committee is attended by a non-executive director, reports on items requiring Board attention including exceptions and delivery failures and also participates in strategy reviews with the Board.IT risk management is aligned to the principal risk framework under operational risk and the GACC and GRMC have oversight of select components of IT governance.Going forward in 2013, a Board IT Committee will be established.

Coded as:
Yes (Y) Yes (Y) Not Evident (NE)

Figure 1 .
Figure 1.Comparison of board-level IT experience in SA, UK and USA, 2007/2013.

Figure 3 .
Figure 3.Comparison of board-level IT oversight in SA, UK and USA, 2007/2013.

Figure 4 .
Figure 4. Comparison of board member IT experience per industry in SA, UK and USA, 2007/2013.

Figure 5 .
Figure 5.Comparison of CIO presence at board-level per industry in SA, UK and USA, 2007/2013.

Figure 6 .
Figure 6.Comparison of board-level IT oversight per industry in SA, UK and USA, 2007/2013.

level IT Oversight Comittees
and 6 show the former comparisons Figure 2. Comparison of CIO presence at board-level in SA, UK and USA, 2007/2013.

Table 4 .
Coding Criterion 3 Based on Web Data (Three Examples) Ensure that the Company's IT programs effectively support the Company's business objectives and strategies; Advise the Company's senior IT management team; and Advise the Board of Directors on IT-related matters.