A compliance framework for IT governance adoption and use by state-owned entities in South Africa

Abstract

IT governance adoption and use in the South African public sector is deemed critical to good public administration and is regulated by government through the Corporate Governance of ICT Policy Framework (CGICTPF). The CGICTPF was published in 2012 and is based on COBIT 5, ISO38500 and the King III Report. However, compliance with the CGICTPF has been poor; the Auditor-General of South Africa (AGSA) noted that a significant number of its auditees in the 2019"“20 financial year had weak IT governance controls. Therefore, the study sought to answer the research question: How should IT governance adoption and use be enhanced by state-owned entities in South Africa? This study took the form of an exploratory inquiry with pragmatism preferred as the appropriate paradigm because of its predisposition towards abductive reasoning and the use of mixed methods "“ both of which are the attendant research approaches in this study. Owing to the "how" research question, this study followed a multi-case-study research method. The data collection process included semi-structured interviews, a questionnaire and expert reviews; triangulation of data is also based on these. A thematic analysis of the qualitative data was conducted using Atlas.ti "“ a CAQDAS tool. The study shows that CGICTPF adoption and use is driven by strategic alignment and regulatory compliance. In addition, factors such as 1) IT governance competencies at the level of the board of directors, 2) top management support and longevity of tenure, 3) business process integration and data analytics, 4) the dynamic role of the chief information officer (CIO), 5) adequate government stakeholder support, and 6) organisational culture positively influence the adoption and use of the CGICTPF. A compliance framework is proposed which is based on the technology"“organisation"“environment (TOE) framework and the DeLone and McLean IS success model. The proposed framework highlights management competencies as a crucial element and seeks to assist practitioners to improve accountability and oversight.