Friday, December 23, 2011

Strategy for Handling Difficult People

The following strategy for handling difficult situations, people and projects has worked in several cases:
1. Take a short walk outside of the location where the conflict has taken place.
2. Make silence your useful tool.
3. Use silence to envision happiness and success.
4. Breathe slowly and get rid of all your negative thoughts.
5. Allow only pleasant, happy and harmonious thoughts to fill your mind.
6. Think out a solution as regards the difficult person and situation.
7. Work out a mutually agreed solution with the person(s) involved.

*Author’s Credentials

John Kyriazoglou, CICA, M.S., B.A. (Hon), is an International IT and Management Consultant, author of the book ‘IT STRATEGIC & OPERATIONAL CONTROLS’ (published in 2010 by www.itgovernance.co.uk), and co-author of the book ‘CORPORATE CONTROLS’ (to be published in 2/2012 by www.theiic.org), with Dr. F. Nasuti and Dr. C. Kyriazoglou.

Thursday, December 1, 2011

CORPORATE COMPLIANCE AUDIT PROGRAMS AND CHECKLISTS


By John Kyriazoglou* (author’s credentials at the end of this document)

The following audit program and checklists are designed to be used by managers, auditors and compliance staff in the process of establishing, controlling, reviewing, assessing and auditing the corporate compliance area and its particular components (compliance policies and procedures, corporate policies and procedures, ethics aspects, etc.).

The following audit programs and checklists, as detailed in the following paragraphs, should be reviewed and customized before they are used in any corporate environment:

1. Corporate governance and internal controls systems audit program,

2. Assessment of the compliance controls framework,

3. Corporate policies and procedures checklist,

4. Records management system checklist,

5. Financial management system checklist,

6. Corporate fraud management system checklist,

7. Internal audit checklist, and

8. Ethics management checklist



1. Corporate governance and internal controls system audit program

1. Assess Board and senior executive management responsibility for the oversight and monitoring of corporate governance and internal controls.

Consider: Board and senior management should ensure that policies, procedures and systems are current and well documented. Management should establish an effective system of internal controls. Corporate, compliance, risk management and internal controls should cover the IT environment as well as the other business functions. Board and senior management should adopt and enforce appropriate policies and procedures to manage compliance, all risks (enterprise, IT, investments, etc.), and should re-evaluate and improve these controls every year or two.
2. Assess senior executive management practices.

Consider: Reporting effectiveness to the Board of Directors. Periodic review and updating of policies, standards, procedures and practices. Instituting controls to ensure that management information and detailed data are reliable and the reporting cycle is adequate, and that operating procedures are efficient and effective. Regular review of compliance issues, risks, segregation of duties, personnel controls, information security, software development and acquisition, outsourcing, insurance issues, internal and external audit results, service level agreements and performance measurements including issues and corrective action plans, ensuring that procedures are in effect to assure continuity of business, etc.

3. Does the internal controls framework identify all the required control components?

Consider: Control environment, risk assessment, control activities, information and communication, monitoring.

4. Do the key functions of internal controls relate to all critical elements of governance?

Consider: Definition and establishment of objectives, standards and procedures. Definition of management responsibilities. Measurement of inputs, outputs and performance in relation to objectives. Critical review of the whole process. Reporting of both financial and non-financial results, compliance and performance. Taking corrective action, as necessary.

5. Do internal controls contain all types of controls?

Consider: Preventive controls (e.g. division of duties, authorization levels), detective controls (e.g. stock verification, bank reconciliation), directive controls (e.g. policies, procedures, training).

6. Are there adequate and effective financial controls in place at the detailed level, as required?

7. Are there adequate and effective customer service controls in place at the detailed level, as required?

8. Are there adequate and effective production/manufacturing controls in place at the detailed level, as required?

9. Are there adequate and effective information and communications controls in place at the detailed level, as required?

10. Are there adequate and effective asset management controls in place at the detailed level, as required?

11. Are there adequate and effective sales management controls in place at the detailed level, as required?

12. Are there adequate and effective management reporting controls in place at the detailed level, as required?
13. Are there adequate and effective internal audit controls in place at the detailed level, as required?

14. Are there adequate and effective human resource management controls in place at the detailed level, as required?

15. Are there adequate and effective research and innovation controls in place at the detailed level, as required?

16. Is there a formal and well-established performance management system for all functions of the organization?

Consider: The performance management system should promote and accelerate the rate of successful changes, increase the predictive and early warning capabilities to management, provide a holistic perspective to the management of the organization, link to the reward and other incentive systems of the organization, link and align on an integrated mode to the objectives and measures of the other corporate levels of the organization, such as: division, department, business unit, process, function, project, teams, etc.

17. Are critical performance data shared across all levels of the organization?

18. Are strategic performance data reviewed at the appropriate levels of the organization, and actions taken as necessary?

19. Are the approved personnel empowered to have access to whatever critical performance data is required to make balanced decisions?

20. Is the accountability and follow-through process based on critical performance data?

21. Is the psychological resistance of staff (management, line staff, etc.) managed and resolved accordingly?

22. Is there an active audit committee in place?

23. Is there an internal audit function in place?

24. Is there a compliance function in place with all its constituent components (compliance officer, compliance committee, policies, procedures, action plan, etc.)?

25. Are corrective and improvement measures taken when performance issues and compliance breaches occur?



2. Assessment of the compliance controls framework

Assess the organizational structure to ensure that it is neither so simple that it cannot adequately monitor the entity’s activities nor so complex that it inhibits the flow of necessary information.

1. Does the compliance monitoring system of the organization cover all business functions?

2. What is the management’s attitude towards compliance with laws and regulations?

3. Does the management of the organization specify the level of competence needed for particular jobs, and translate the desired levels of competence into requisite knowledge, cultural characteristics and skills?

4. Does the Board or governing council provide an effective oversight function to ensure that the management of the organization does not override system controls?

5. Is the philosophy and operating style of management compliance-related?

6. Does the assignment of responsibility, delegation of authority and establishment of related policies and procedures provide a basis for effective accountability and control?

7. Are human resources policies the basis for recruiting and retaining competent people to enable the plans of the organization to be carried out and its goals and objectives to be achieved?

8. Does the Board, the senior executives and the management of the organization have a clear understanding of all strategic components, and convey the message that integrity and ethical values of the organization cannot and should not be compromised by anyone?

Consider: Clear understanding of the values, mission and vision, and performance targets of the organization. Full understanding of the general goals and specific objectives of the organization and how they fit in the framework of corporate strategy. Provision of adequate information for risk identification and resolution. Clear understanding of the role played by policies and procedures in achieving effective controls and compliance.



3. Corporate policies and procedures checklist

1. Have compliance rules, guidelines, policies and procedures been formally established and communicated to all levels and functions of the organization?

2. Is there an approved performance policy, system and evaluation process in place?

3. Is there an approved human resources management policy, set of procedures, a system and an evaluation process in place?

4. Is there an approved financial and cost management policy, and a set of related procedures in place?

5. Is there an approved asset management, disposition and protection system in place?

6. Is there an approved IT policy and a set of related procedures covering all areas, such as strategy, security, contingency planning and disaster recovery, information systems development and operation, database and data privacy protection, web services, etc.?

7. Is there an approved research and innovation system in place?

8. Is there a Management Reporting System (MRS) in place?

9. Is there a quality management system in place?

10. Is there a risk management system in operation?

11. Is there an ethics code and policy in place?

12. Is there a compliance policy in place?

13. Is there a corporate social responsibility policy in place?

14. Is there an anti-fraud policy in place?

4. Records management system checklist

1. Have operational guidelines and manuals been formally established, communicated to all levels and functions of the organization, and used in every-day work by all personnel?

2. Does the record-keeping system (for both manual and computerized files, media and data) of the organization produce complete and accurate results?

3. Is there an adequate documentation and effective audit trail for all transactions and activities?
4. Is there an approved segregation of duties policy, and a set of related procedures in operation?

5. Is there an approved employee rotation policy for critical jobs/tasks in operation?

6. Have levels of authorization been defined for all levels of management and all transactions and activities?

7. Are adequate asset protection and disposition controls in operation?

8. Are effective financial and cost management controls in operation?

9. Is there an active security committee, policy and procedures (for all elements: data, plants, installations, offices, infrastructure, systems, records, files, etc.) in operation at all levels?

10. Is there an active performance and compliance management, measurement and exception reporting system in place?



5. Financial management system checklist

1. Does the organization have a system for recording and tracking commitments, obligations and expenditures, and reconciling financial data?

2. Does the organization have controls that prevent incurring obligations in excess of funds available within a budget cost category?

3. Does the organization have a mechanism to ensure that periodic audits of the financial management area are undertaken?

4. Does the organization adjust financial plans in the light of the actual operating budget?

5. Does the organization monitor the reliability and confidentiality of financial data used in mission critical budgetary decisions?

6. Does the organization guard against breaches in confidentiality and loss of budget data integrity?

7. Does the organization use an operating budget to control project funds?

8. Does the organization link strategic goals, objectives and operational performance targets to budget performance activities?



6. Corporate fraud management system checklist

1. Does the organization have, within the corporate ethics policy, a statement with respect to fraud?

Consider: fraud definition, fraud hot-line, applicability to all employees, management, Board members, external contractors, media communications procedure for a disciplinary interview, employee services termination procedure, obligations of employees during notice periods and upon termination of employment, complaints procedure, conflict resolution, insurance claims, police contacting issues, investigation of fraud and corruption, theft and threats policy, obligations of external contractors, investigating procedure by the use of external approved investigators or expert internal audit personnel, and the protection procedure for the information sources.

2. Who is responsible for the issue of this statement?

3. Has this policy statement been approved and ratified by the Board or other top management committee?

4. Is this statement widely publicized in the organization?

5. Is this statement reviewed and improved annually?

6. Is the policy statement linked to internal controls?

7. Who (manager, function, etc.) is responsible for ownership and administration of the fraud policy?

8. How are fraud risks monitored, e.g. through risk registers?

9. Is there a budget for investigative costs on potential fraud issues?

10. Does the organization specify roles and responsibilities within the fraud policy (e.g. for the audit committee, the Board, the HR function, a Fraud Liaison Officer, etc.)?

11. What is the procedure for reporting suspicions of fraud?

12. What guidance is provided on dealing with incoming mail (such as anonymous letters, e-mails, etc.)?

13. Who are the first points of contact for reporting suspected dishonesty?

14. Does the organization have a whistle-blowing policy, which sets out the principles for protection of employees when reporting suspicions?
15. Does the organization keep a register of fraud?

16. Who is responsible for maintenance of this register (e.g. a Fraud Officer)?

17. What are the access rights to the fraud register?

18. Is the fraud register held securely?

19. Who is responsible for the investigation (e.g. internal audit)?

20. Who oversees the investigation?

21. Do written reports have to be submitted and to whom?

22. Are employees suspended from work pending an investigation?

23. Are all reasonable means of recovering any identified loss pursued?



7. Internal audit checklist

1. Is there an internal audit department?

Consider: terms of reference, organization chart, independence, expertise in IT.

2. Is there an internal IT audit function?

Consider: IT audit plan, adequacy of resources, suitability of resources, including qualifications, experience, technical competence and training.

3. Is there an internal audit policy document?

Consider: standards regarding review objectives, work plan, documentation, conclusions, report format, manager review.

4. Are all compliance issues subject to independent review by an internal audit function?

Consider: involvement in reviewing system developments, existing systems, computer operations, security and control issues, use of audit software, etc.
8. Ethics management checklist

1. Does a code of ethics exist for all personnel, including IT?

2. Has an anti-fraud policy and associated procedures been put into operation for the organization?

3. Are confidentiality statements signed by all IT personnel and all critical users?

4. Do explicit corporate rules cover issues such as: personal use of computer services, proprietary rights to computer programs, proprietary rights to data, confidentiality of passwords, physical access to restricted areas, management of visitors, use of terminals, personal use of media and supplies, disclosure of privileged information, maintenance of professional relationships, reporting mechanism for conflict situations, penalties and rewards for violators, clear assignments of accountability, controls over data and files, the Data Protection Act, data classification system?

5. Is there a centralized ethics control function?

6. Are proper international ethics standards used in the design and implementation of the code of ethics of the organization?
7. Is there an ethics program and appointed staff in implementation or operation?

8. Have all staff undertaken, or are there schedules for, ethics training?



*Author’s Credentials

John Kyriazoglou, CICA, M.S., B.A. (Hon), is an International IT and Management Consultant, author of the book ‘IT STRATEGIC & OPERATIONAL CONTROLS’ (published in 2010 by www.itgovernance.co.uk), and co-author of the book ‘CORPORATE CONTROLS’ (to be published in 2/2012 by www.theiic.org), with Dr. F. Nasuti and Dr. C. Kyriazoglou.

Blogs

Articles, Opinions, etc.: http://corporatecontrols.blogspot.com/
Wednesday, November 30, 2011

CORPORATE COMPLIANCE ACTION PLAN


By John Kyriazoglou* (author’s credentials at the end of this document)

A compliance program refers to an organization's management plan for conducting all of its activities within the frameworks of law, rules and regulations.

It usually concerns:

(a) Identifying the laws, rules and regulations that apply to the activities of the organization,

(b) Identifying business areas where the activities of the organization are at risk of breaching these laws, rules and regulations,

(c) Establishing and executing systems, policies and procedures to try to avoid, prevent and protect against such breaches,

(d) Assigning specific compliance-related responsibilities to managers and professional staff and incorporating all compliance activities within the regular business operations of the organization,

(e) Changing behavior of all participants (board, managers, staff, external parties, etc.) through communication, education, training and coaching where this is necessary,

(f) Monitoring and reporting all compliance-related issues, and

(g) Reviewing, auditing and improving the whole compliance program and effort.

This compliance program could be implemented by a compliance action plan as follows:

The conceptual model that may be used for crafting the compliance action plan and ensuring its completeness, to the best and practical way possible, is the ADDIE Model, which is the acronym for analysis, design, development, implementation and evaluation, and its corresponding phases. This model (see, for more details: http://en.wikipedia.org/wiki/ADDIE_Model) gives us, from a practical perspective, an added level of confidence that we have not forgotten any phases in developing and implementing a compliance program.
Phase 1: Analysis of Compliance Requirements and Needs

The objective of this phase is to analyze the compliance requirements and needs impacting the organization and prepare it to manage its activities and operations in a compliance-effective environment. The actions required to be executed to complete this phase are:

Action 1: Carry out the analysis of the compliance landscape of the organization and the statutes, laws and regulations affecting all functions of the business the organization is involved in and the countries or states (provinces) it operates in.

Action 2: Define the constituent elements required by the specific organization in terms of funds, people, management structure, policies, systems, procedures, documentation, facilities, techniques, methods and tools to be effectively employed to carry out and implement the whole compliance process.   

Action 3: Collect all compliance rules, regulations and standards affecting the organization.

Action 4: Carry out the analysis of the communication and training aspects and the readiness of the organization regarding compliance.

Action 5: Submit a report to the board of the analysis that includes a budget for the compliance process, and obtain approval and funds from the board for designing, development and operating a compliance program for the organization.



Phase 2: Design of the Compliance Function of the Organization

The objective of this phase is to design and set up an effective compliance program and a compliance officer and often a compliance committee who are responsible for collecting all relevant rules, regulations and standards applicable to the organization, organizing, developing, operating and monitoring the compliance program. The compliance officer and compliance committee must report directly to the organization’s governing body, and CEO, periodically and on an as-needed basis. The compliance officer must oversee the program, including making revisions as the company’s needs change, coordinating and participating in training and education for employees, independently investigating compliance matters and ensuring that any necessary corrective action is taken. The actions required to be executed to complete this phase are:

Action 1: Design the duties, roles and responsibilities of a Compliance Officer.

Action 2: Design the responsibilities of a Compliance Committee.

Action 3: Appoint the Compliance Officer.

Action 4: Establish the Compliance Committee.

Action 5: Design and issue a first draft of the Compliance Strategy and Program.

Action 6: Design, if required, the specifications of a computerized system to support the compliance process of the organization.

Action 7: Submit a report to the board of the design phase, making any required changes to the initial budget, and obtain approval and funds from the board for the execution of the next phase.



Phase 3: Development of Compliance Policies and Procedures

The objective of this phase is to carry out the development and distribution, by the compliance officer, of written compliance standards, systems, policies, procedures and practices to guide the organization and its employees on a day-to-day basis. These should include a code of conduct detailing the fundamental principles, values and framework for action within the organization, general corporate policies and procedures, a summary of critical laws, regulations and standards, and specific provisions for various administrative, production, customer service, sales, marketing, financial, information technology and other business functions within the organization, including any regulations that may apply to business units in other national jurisdictions. These should be easily understood by, and posted and communicated to, all affected employees, as well as participants in the activities of the organization. The actions required to be executed to complete this phase are:

Action 1: Develop and finalize the Compliance Program.

Action 2: Develop the corporate compliance policies, procedures, codes of conduct and the compliance records maintenance and retention system of the organization.

Action 3: Develop or obtain a ready-made software system, if required, to support the compliance process of the organization.

Action 4: Obtain board approval of all corporate compliance policies, procedures and codes of conduct.

Action 5: Distribute all compliance policies, procedures and codes of conduct to all staff and managers.

Action 6: Develop the compliance communication procedures.

Action 7: Develop the education and training plan and procedures for all compliance issues.



Phase 4: Implementation of the Compliance Program

The objective of this phase is to fully implement the compliance program. It may not be enough to appoint a compliance officer and committee, even if they are excellent in carrying out their duties and roles. The compliance officer must create and maintain effective lines of communication with all employees. This should include a process, such as a hotline or other reporting system, to encourage questions and complaints, and procedures to protect the confidentiality of reports and the anonymity of the complainants and to protect employees against retaliation. The actions required to be executed to complete this phase are:

Action 1: Implement all Corporate Compliance Policies, Procedures, Compliance Codes of Conduct, as well as the compliance records maintenance and retention system.

Action 2: Implement, if required, the computerized system to support the compliance process of the organization.

Action 3: Run all awareness sessions with all business functions as regards the compliance policies and procedures of the organization.

Action 4: Implement the compliance reporting system, including a Hot Line for compliance issues.

Action 5: Execute the education and training plan for all compliance issues.

Action 6: Link compliance to management and employee performance.

Action 7: Enforce compliance standards through well-publicized disciplinary guidelines.



Phase 5: Evaluation and Improvement of the Compliance Program

The objective of this phase is to assess the effectiveness of the Compliance Program of the organization. The compliance program must be evaluated periodically to assess its effectiveness as a whole, including how it performs in practice to monitor the operations of the organization on a day-to-day basis. If the same problems recur time and time again, specific actions must be undertaken and compliance requirements and needs must be addressed. Compliance policies, standards and practices are only effective if they have the commitment of the management of the organization, are clearly written and communicated to staff, and are interpreted by a compliance officer with the proper skills, dexterities and experience. In the event of a regulatory investigation or potential breach, complete documentation of all aspects of the company’s compliance program is necessary to demonstrate the good faith of the company and the specific program’s effectiveness. The actions required to be executed to complete this phase are:

Action 1: Monitor the execution of all Corporate Compliance Policies and Procedures by the designated officer and committee of the organization.

Action 2: Request auditing of Corporate Compliance Policies and Procedures by internal audit.

Action 3: Review all Corporate Compliance Policies and Procedures by external auditors, including subject experts.

Action 4: Develop corrective actions and execute responses to detected offences.

Action 5: Evaluate the effectiveness of Corporate Compliance Policies and Procedures.

Action 6: Evaluate the effectiveness of Compliance Program.

Action 7: Improve all Corporate Compliance Policies and Procedures and Compliance Program.



*Author’s Credentials

John Kyriazoglou, CICA, M.S., B.A. (Hon), is an International IT and Management Consultant, author of the book ‘IT STRATEGIC & OPERATIONAL CONTROLS’ (published in 2010 by www.itgovernance.co.uk), and co-author of the book ‘CORPORATE CONTROLS’ (to be published in 2/2012 by www.theiic.org), with Dr. F. Nasuti and Dr. C. Kyriazoglou.

Blogs

Articles, Opinions, etc.: http://corporatecontrols.blogspot.com/
Thursday, November 17, 2011

Free IT Audit Material (Worth £29.95)


Hi,

Please check out the following offer.

Buy book (1) before the end of November 2011 and receive a comprehensive set of customisable IT audit programmes and checklists (the addendum to this book, book 2) absolutely FREE - worth £29.95!

Book (1): 'IT Strategic & Operational Controls’

Author: John Kyriazoglou, Publisher: IT Governance Publishing

ISBN: 978-1-84928-061-7, Pages: 686, Format: Softcover, Date: 2 September 2010

Available at: www.itgovernance.co.uk/products/3066

For a full list of contents and a sample of what is contained in this book, please see: http://www.linkedin.com/pub/john-kyriazoglou/0/9b/919

And follow to ‘Published Books/IT_CONTROLS_BOOK_Contents_Sample.PDF’.

Book (2): ‘Addendum to IT Strategic & Operational Controls’

ISBN 978-1-84928-075-4. www.itgovernance.co.uk/products/3143

This separate volume contains customisable IT audit programmes and checklists in Word format.

For a full list of contents and a sample of what is contained in this book,


And follow to ‘Published Books/IT_CONTROLS_BOOK_Contents_Sample.PDF’.

Please disregard this message if you have received it twice.

Thank you for your kind support.

Sincerely,

John Kyriazoglou