skip to Main Content

The King IV Report and King Code (King IV) is an important instrument that governs the leadership of an organisation through principles of ethics and good governance. King IV is an extension of the King III report in that King IV has been revised in many aspects to align it with international best practice. King IV is often referred to as a Report. The instrument is structured like a report, and it includes a Code.

The King Code contains a set of principles and recommended practices that aims to achieve good governance outcomes. Collectively, King IV sets out what ethical and effective leadership is and more importantly, it deals with information and technology governance (or IT Governance) extensively.

The Institute of Directors in Southern Africa NPC (IoDSA) owns the copyright to all four of the King reports or codes on governance (including the latest version namely the King IV Report™) and owns various trademarks in relation to King IV (including King IV™, King IV Report™, King IV Report on Corporate Governance™ and King IV Code™). All of the IoDSA’s rights are reserved. All views are our own and we are not associated or endorsed in any way by the IoDSA.

King IV’s objectives are to:
  • create an ethical culture in organisations;
  • improve their performance and increase the value they create;
  • ensure there are adequate and effective controls in place;
  • build trust between all stakeholders;
  • ensure the organisation has a good reputation;
  • promote transparency and meaningful reporting to stakeholders.
The King Code is mandatory for listed companies on the JSE. However, as a best practice for corporate governance, non-listed companies and organisations are encouraged to apply the principles. Investors and potential clients view companies that apply the Code in a favourable light. Furthermore, because of the many merits of applying King IV, companies gain the confidence and trust of their investors and potential clients. Generally, King IV impacts the governing body of an organisation. The governing body is responsible for leading an organisation’s strategic objectives. Among these strategic objectives is good IT governance which the governing body must oversee.

It is worth noting that the governing body is referred to by various names, like the board, EXCO, the steering committee, compliance, or risk committee. The members have different titles, like executives, board members, directors, trustees, committee members or EXCO members.

The King Reports have undergone many changes since 1994. Although King IV is based on the underlying principles of the previous King Reports, it now emphasises stakeholder inclusion, IT governance and disclosure. Furthermore, when the Cybercrimes Bill was first introduced, it became important to address cyber risks in the new Code. This is what King IV achieves.
The purpose of this principle is to support the organisation to set and achieve its objectives. In simple terms, the King IV Code recommends that the governing body should:

  • assume responsibility for the governance of Information and Technology (IT) by setting the direction for how these should be approached;
  • approve policy to give effect to its set direction on the employment of IT;
  • delegate to management the responsibility to implement and execute effective IT management;
  • oversee the management of IT, including overseeing that:
    • any IT risks are identified and managed in terms of the organisation’s risk-management policy;
    • the organisation is resilient;
    • conduct proactive monitoring of IT intelligence to identify and respond to cyber-attacks;
    • the organisation complies with the relevant laws;
  • exercise ongoing oversight of the management of information to ensure it results in:
    • an information architecture that supports confidentiality and integrity;
    • the protection of privacy of personal information;
    • the continual monitoring of security of information;
  • exercise ongoing oversight of the management of technology to ensure it results in:
    • appropriate responses to developments in technology and the management of disruptive effects;
  • consider receiving periodic independent assurances on the organisation’s IT arrangements, including outsourced services

The governing body should govern compliance with applicable laws in a way that supports the organisation being ethical and a good corporate citizen by:

  • delegating to management responsibility for implementation and execution of effective compliance management;
  • exercising ongoing oversight of compliance and overseeing that:
    • the regulatory environment is continually monitored to ensure appropriate responses to changes and developments;
If you are a listed company, you must apply the King Code principles within your organisation. If a listed company does not apply the principles and explain how they applied it, the JSE can suspend the company’s listing.

King IV does not set out any compliance obligations for non-listed companies. There are no penalties or consequences for non-compliance. You can apply the principles to your organisation on a voluntary basis. However, non-listed companies are encouraged to align their practices with the principles of King IV in the spirit of being responsible corporate citizens.

Good governance and related laws

Part of Good IT Governance is that organisations should consider the impact of related laws. For example, there is a vast overlap between the principles of King IV and the Protection of Personal Information Act (POPIA). While King IV sets the standard for IT Governance, POPIA requires organisations to protect personal information of people. So, if a data breach occurs within an organisation, the heads of that organisation may be held liable for any harm that a person may suffer as a result of an organisation not protecting their personal information.

Whether you are a listed or non-listed company, your organisation should strive to align your IT Governance practices to be in line with King IV.’s products empower the governing body and IT teams to practice the principles of good IT governance.

Obtaining a CyberProfiler scan and implementing the remediation recommendations provided in its report can help your organisation:

  • ensure that IT risks are identified and managed;
  • highlight areas of potential concern which may require action;
  • be more resilient by proactively accessing risk exposure reports;
  • proactively monitor intelligence in relation to potential cyber-attacks;
  • comply with relevant laws, e.g., POPIA
  • ensure that it’s responsive to disruptive technologies emanating from new cyber threats; and
  • obtain independent periodic reviews of its potential IT vulnerabilities.

Implementing DMARC on your company’s email domain can help your organisation:

  • identify and manage IT risks related to spoofing by analysing the regular reports provided;
  • be more resilient by preventing you email domain from being compromised;
  • protect its information through sound information management;
  • ensure that data protection principles are adhered to;
  • boost trust with its customers by demonstrating the use of good technologies; and
  • ensure that it can respond to disruptive technologies emanating from new cyber threats.
  • The Institute of Directors in Southern Africa NPC (IoDSA) resources on King IV: Click here
  • King IV Code and IT Governance: Michalsons Blog
Back To Top
This site is registered on as a development site. Switch to a production site key to remove this banner.