Saturday, October 22, 2011

HOW TO AVOID INTERNAL BUSINESS FRAUD

HOW TO AVOID INTERNAL BUSINESS FRAUD

A question was recently put in a discussion group, ‘What can you do to keep your business from becoming the victim of internal fraud?’.

The simple answer ‘Don’t trust anyone (Don’t trust job applicants, Don’t trust employees Don’t trust your partners)’ was offered by one writer.

I think the issue is much more complicated than simply not trusting anyone! IF YOU PORTRAY ‘ NO TRUST’ to all your business partners, employees, customers, etc., without taking the proper measures, you will likely make everyone want to commit fraud and prove you right, in your working environment!  The desire for security is a key subconscious motivator in developing trusting relationships in an any organization.

Let us not forget that as Aristotle (384-322 BC), writing in the Rhetoric, suggested that Ethos, the Trust of a speaker by the listener, was based on the listener's perception of three characteristics of the speaker: the intelligence of the speaker (correctness of opinions, or competence), the character of the speaker (reliability - a competence factor, and honesty - a measure of intentions), and the goodwill of the speaker (fri3ndship, favorable intentions towards the listener).

 Furthermore, my opinion is that you do need a friendly and trustworthy working environment but it should be complemented by a Corporate Controls Framework with control mechanisms at five levels:  
1. Corporate Philosophy Controls (Vision Statement, Mission Statement, Values Statement, Corporate Ethics Policy, Corporate Social Responsibility Policy, Corporate Ethics Office, etc.),
2. Corporate Governance Controls (such as risk management, internal audit, compliance office,  security standards, Board of Directors Charter, Corporate Committees, Corporate Policies, Corporate Processes and Plans, etc.),

3. Strategic Management Controls (vision, mission, strategy, targets, Corporate Strategic Planning Committee, Strategic Plans, Strategic Budgets, Strategy Implementation Action Plans, etc.),
4. Monitoring and Review Controls, and

5. Operational Management Controls (administration procedures, HUMAN RESOURCE MANAGEMENT controls, etc.).
The primary purpose of human resource management controls is to enable and facilitate the management of the human resources of any organization. The main types of human resource controls are: Human Rights Policy, Benefits and Personnel Committee, Personnel Administration Procedures, Employee Management Policies and Procedures Handbook, Human Resource (HR) Systems, and Human Resource Performance Measures.

Some of the most typical HR systems are: HR Hiring and Dismissal System, HR Planning System, Personnel Career Development System, HR Performance Management System, Organizational Work Evaluation System, Benefits and Incentives System, HR Computerized Information System, and Personnel Administration Procedures (screening, employment contracts and job descriptions, supervision, human resource plans, authorization controls, segregation of duties, rotation of duties, vacation taking, adoption of professional ethical standards, and employee documentation).

In closing, we should all remember the following quotation of Ralph Waldo Emerson:
”Trust men and they will be true to you; treat them greatly, and they will show themselves great.”

John Kyriazoglou (jkyriazoglou@hotmail.com)

PROFILES of John Kyriazoglou:

http://www.icttf.org/profile/johnkyriazoglou
http://www.blogger.com/profile/15482029934015594259

BLOGS OF John Kyriazoglou
http://digital-society-and-economy.blogspot.com/
http://meliorate-your-life.blogspot.com/
http://helpandsupportgreece.blogspot.com/
http://corporatecontrols.blogspot.com/
http://johnkyriazoglou-works.blogspot.com/


 Αρχή φόρμας

Wednesday, October 19, 2011


Why are corporate controls needed in the present Digital Era


John KYRIAZOGLOU, M.S., B.A (Hon.), Management Consultant

Author of ‘IT STRATEGIC & OPERATIONAL CONTROLS’ (www.itgovernance.co.uk),

And co-author of ‘CORPORATE CONTROLS’, to be published by www.theiic.org, by 12/2011

A question was recently put in a discussion group whether corporate controls were indeed necessary in the present DIGITAL SOCIETY and ECONOMY.



My comments follow:

We live, at least in most Western countries, in a post-industrial society, in the knowledge society, also known as the information society. The new life-style (modus vivendi, in the sociological vernacular) enforces upon all of us a new set of operational factors and transactional characteristics in our societal and human interactions, a new socio-economic operating mode (modus operandi in the sociological vernacular).

This set of social interactions is permeated and driven by several socio-technical factors and functional characteristics, such as:

(a)Globalization of markets,

(b)Liberalization of markets,

(c)Services economy,

(d)Lack of governance controls in international fiscal and financial markets, transactions and activities,

(e)Very fast developments in the fields of Information Technology, Communications, Biology, Medicine, Management, etc.,

(f) Information plurality, diffusion and potential information over-loading, Increase of the leverage and focus on the needs of customers, the so-called customer-focus approach in all dealings,

(g) Differentiation of the needs and increase of the expectations of better provision of services to citizens, the so-called citizen-based service approach in all public-sector exchanges and transactions, and

(h) Reduction and de-strengthening of the traditional government model of a large central organization to a model of organization based on a de-centralized approach.

All of these, interacting and inter-connected in different sets, make up a new social, economic, technological, moral and political framework, within which society, economy, enterprises, government, non-profit organizations, communities, citizens, etc., operate and function productively. 

New and more complicated roles are being created for the state (central administration, regional forms of government, local governments, etc.), for the business entities (small size, middle size, large size, conglomerate, international enterprises, etc.), and for organizations of the main public sector and related public regulatory authorities, with greater expectations for improved quality of life, and socio-economic advancement and development, in all industrial sectors and socio-economic environments.

The noted management guru Charles Handy supports the view that we must re-examine the basic principles that govern the running of enterprises and think from scratch of what is the basic objective of doing business.

At the level of organizations (private, public, non-profit, non-governmental, etc.) rapid changes are taking place on a continuous basis.  This is due to the impact of innovative approaches of researching and designing new products and services (e.g., via the Web), the tremendous effect of quick and accurate information provided by ITC (Information Technology and Communications) infrastructure and systems, and to the new asset evaluating models.

Traditionally, organizations (at least in the private, for-profit sector) valued only physical assets (buildings, land, vehicles, heavy equipment, installations, plants, etc.), sales inventories, and profits. Presently, technology know-how, good-will and brand names, computer systems and application software, office automated support tools (Excel spreadsheet applications, etc.), electronic commerce and electronic data  distribution services, etc., must also be added as valued assets to the balance sheet of organizations.

The model and the role of the classical state is also changing, within the framework of the European Union, as well as within the framework of the international environment, with the approach of electronic government, the model for citizen one-stop shop services, and the devolvement of authorities and responsibilities to the regional and local level (prefecture, wide metropolitan area governments, city level, community, neighborhood level), etc.

All these new and very quickly developed roles are required for:

(1) Quicker and more effective service (in relation to costs and benefits)

(2) Better management and more efficient use of global resources

(3) More proper (ethical, ecology-friendly) resource management by all industries, in all countries

(4) Continuous improvement in the quality of products and services provided, in social and citizen participation, in the commitment to democratic  institutions and customer services, for all stakeholders (people and  organizations)

(5) Minimization if not total reduction of social, public sector and business fraud and corruption

(6) Better understanding of what has gone wrong in private and public organizations and what must be done to get things right.

All of these may be implemented on the basis of strategy (organizational philosophy, external regulations, strategy, risk and change management, and performance measurement) and management controls (at the strategic and operational levels, a management information system, and the reporting, communications, audit , monitoring and review activities), i.e. the two complementary support pillars of a Corporate Controls Framework.

The socio-economic needs in the present DIGITAL SOCIETY and ECONOMY for the establishment and existence of a Corporate Controls Framework to cover both the historical context (i.e. conformance) and the future forward-looking view (i.e. performance) will be based on the major concept that for the achievement of all of the above, there exists a requirement for the design and implementation of a new operating model for private corporations and public organizations, consisting of:

(i) creation and implementation of strategic objectives,

(ii) best and most optimal use of resources (social, corporate),

(iii) measurement of produced and delivered goods, services and target achievements,

(iv) monitoring and improvement efforts on a timely and continuous basis, in other words on performance, and

(v) a set of strategic and operational controls which includes a Compliance Monitoring and Performance Management Systems for collecting performance data, monitoring, reviewing, and improving performance and compliance.

All of these are very critical and should be studied further and practical solutions proposed by think tanks, professional societies, scientists and researchers across the globe.

STRATEGIC AND OPERATIONAL CONTROLS

Strategic and Operational Controls

John KYRIAZOGLOU, M.S., B.A (Hon.), Management Consultant
Author of ‘IT STRATEGIC & OPERATIONAL CONTROLS’ (www.itgovernance.co.uk),
And co-author of ‘CORPORATE CONTROLS’, to be published by www.theiic.org, by 12/2011

A question was recently put in a discussion group about the distinction between strategic and operational controls and how they interact in a corporate environment.

My comments follow:

Control is one of the managerial functions like planning, organizing, staffing and directing. It is an important function because it helps to check the errors and to take the corrective action so that deviation from standards are minimized and stated goals of the organization are achieved in desired manner. Control in management means setting standards, measuring actual performance and taking corrective action.
Management control in a corporate environment can be defined as a systematic effort by business management to compare performance to predetermined standards, plans, or objectives in order to determine whether performance is in line with these standards and presumably in order to take any remedial action required to see that human and other corporate resources are being used in the most effective and efficient way possible in achieving corporate objectives.
Planning is a process by which an organization's objectives and the methods to achieve the objectives are established, and controlling is a process which measures and directs the actual performance against the planned objectives of the organization. Thus, planning and control are often referred to as Siamese twins of management.

The direction for overall management control comes from the general strategic goals and strategic plans of the organization. General strategic plans are translated into specific performance measures such as share of the market, earnings, return on investment, budgets, customer satisfaction, etc. 
The process of strategic and operational control is to review and evaluate the performance of the system against these established norms. Rewards for meeting or exceeding standards may range from special recognition to salary increases or promotions. On the other hand, a failure to meet expectations may signal the need to reorganize (organizational control), change strategic direction or redesign (strategic control).

In contrast to strategic control, operational control serves to regulate the day-to-day output relative to schedules, specifications, and costs, by the formulation of policies and execution of corresponding procedures. Is the output of product or service the proper quality and is it available as scheduled? Are inventories of raw materials, goods-in-process, and finished products being purchased and produced in the desired quantities? Are the costs associated with the transformation process in line with cost estimates? Is the information needed in the transformation process available in the right form and at the right time? Is the energy resource being utilized efficiently?

The purpose of strategic control is to see that the specified function is achieved. The objective of operational control is to ensure that variations in daily output are maintained within prescribed limits. It is one thing to design a system that contains all of the elements of control, and quite another to make it operate true to the best objectives of design. Operating "in control" or "with plan" does not guarantee optimum performance.
Operational control systems are designed to ensure that day-to-day actions are consistent with established plans and objectives. It focuses on events in a recent period. Operational control systems are derived from the requirements of the management control system.

The differences between strategic and operational control are highlighted by reference to a set of main fundamental differences between strategic and operational management, as depicted next.
Strategic Management is very ambiguous, most complex, organization-wide, most critical to survival and has long-term implications. Operational Management on the contrary, is less ambiguous, les complex, specific to functions, less critical to survival and has short-term implications.

Strategic and operational controls are usually expressed by strategic and operational performance measures and by compliance measures.
Strategic and operational performance measures are designed and implemented by models such as the BSC. Compliance measures are designed and implemented by internal control frameworks, such as: COSO Framework, Sarbanes-Oxley Act, BIS Framework, etc.

Monday, October 17, 2011

CYBER DIPLOMACY

CYBER DIPLOMACY

A question was recently put in a BLOG, whether CYBER DIPLOMACY should be studied and pursued as a distinct activity.

I think that CYBER DIPLOMACY should be a field of study and a practice on its own.

The term ‘CYBER’ is referring to the science of cybernetics, and it is derived from the Greek verb ‘ΚΥΒΕΡΝΑΩ’ (‘Kybernao’), which means ‘TO STEER’ and which is the root of our present concept ‘TO GOVERN’. It describes both the idea of NAVIGATION through a space of  interconnected networks of computers and electronic data, and of CONTROLS which is achieved by manipulating those NETWORKS  and DATA.

The term ‘DIPLOMACY’ is referring to the art, methods and practice of conducting negotiations between representatives of groups, local or international organizations (e.g. U.N.), or sovereign (e.g. U.S.) or semi-sovereign states (Canadian Province, Australian States, etc.). It is derived from the Greek word DIPLOMA, which means ‘LICENCE’ or ‘CHART’ (originally defining a paper folded in a double manner).



Negotiation is a DIALOGUE between two or more parties, intended to reach an understanding, resolve point of difference, etc., and finally to produce an agreement upon a course of action to settle the issues to a satisfactory level for both parties.



In its current version DIPLOMACY pertains to the conduct of international relations through the interactive activities of NEGOTIATION of professional diplomats with regard to issues of trade, human rights, peace-making, war, economics, environment, trade, etc.



To these issues, it is prudent to add the CYBER ISSUES. And as Secretary of State Hillary Rodham Clinton proclaimed (February 15, 2011): “The Internet has become the public space of the 21st century…We all shape and are shaped by what happens there, all 2 billion of us and counting. And that presents a challenge. To maintain an Internet that delivers the greatest possible benefits to the world, we need to have a serious conversation about the principles that will guide us…”


Also as we all rely, more and more, on computers and the internet now (communications, email, cellphones, entertainment, car engine systems, airplane navigation control systems, online stores, credit cards, medical equipment, medical records, etc.), weak-technologically nations are at a big disadvantage vis-à-vis their strong-technologically nations

For all these reasons, and to resolve the most critical issues in today’s societies related to the CYBERSPACE and its best use, exploitation and control, CYBER DIPLOMACY should be instituted, both as a field of study as well as a set of activities to be carried out by the DIPLOMATS, in order to reach a more harmonic balance in the international activities of nations.


Performance Audit Questionnaire for a Board of Directors

Performance Audit Questionnaire for a Board of Directors

A question was recently put in a discussion group, whether there exists a simple, yet powerful tool for a quick assessment of the performance of a Board of Directors by Auditors.

One generic example I have used is noted below.
Performance audit questionnaire of the Board of Directors

Seq. No.
Description
1
Have the needs and requirements of the various stakeholders and members of the board of directors (BOD) been defined?
2
Are high levels of corporate ethics maintained?
3
Does the BOD ensure short-term financial stability?
4
Does the BOD ensure long-term financial stability ?
5
Does the BOD ensure long-term success of corporate and business-related changes?
6
Does the BOD ensure high level of corporate governance and accountability? 
7
Does the BOD supervise the setting up and operation of  an effective risk assessment and management system?
8
Does the BOD supervise the setting up and operation of  an effective crisis assessment and business continuity management system?
9
Does the BOD ensure that an effective internal audit and corporate compliance management system  is in place?
10
Does the BOD ensure that an effective corporate performance management system  is in place?
11
Does the BOD review and approve all business plans, organizational and restructuring plans and major investments? 
12
Does the BOD ensure that an effective corporate management system  is in place? 
13
Does the BOD ensure that an effective corporate management succession system  is in place (particularly for the senior positions of CEO, CFO, CTO, CIO, General Management of divisions, etc. )?  
14
Does the BOD ensure that an effective BOD skills- training  system  is in place?    
15
Does the BOD ensure that all IT systems, data centers, etc., are operated effectively and serve all critical business functions? 
16
Does the BOD ensure that an effective corporate management research and development system  is in place? 












Saturday, October 15, 2011

COMPLIANCE, ETHICS AND RISK MANAGEMENT


COMPLIANCE, ETHICS AND RISK MANAGEMENT

A question was recently put in a discussion group, whether COMPLIANCE is distinct from ETHICS and how they interact in a corporate environment.

I think COMPLIANCE has to do with meeting fully to all standards, rules and regulations, whether external or internal to the ORGANIZATION. The term comes from Latin (COM=TOGETHER), and Ancient Greek (PLERE=TO FULLFILL).
 
ETHICS provides the background in terms of moral character (good, evil, just, etc.), nature, disposition, habit and custom of a person to obey willingly or face the moral and other consequences if he or she does not. The term comes from Ancient Greek (ETHOS=Moral Character).

The question ‘If the person complies should he/she be also ethical?’ is irrelevant.

The question ‘If the person is ethical should he/she also comply?’ is also irrelevant.

The major philosophical question for managing organizations, to be resolved, however, is this: How to handle the case and to minimize if not avoid all-together, the possibility that the person (staff member, manager, executive, etc.) might easily damage and potentially destroy the organization, its stakeholders, customers and employees, etc., when that specific corporate person (staff member, manager, executive, etc.) who is complying fully with all rules and regulations and is or is not ethical, but WITH COMPLETE DISREGARD for the RISKS involved, makes the right decision on a strategic or operational transaction, issue or activity.

In other words we should see both COMPLIANCE and ETHICS co-existing within the GOVERNANCE FRAMEWORK which should also include RISK ASSESSMENT and RISK MANAGEMENT. 

Also we should ensure that all these mechanisms resolve to a satisfactory and beneficial level, to society, economy, community, organization and individuals concerned, the classical principal-agent problem.


Friday, October 14, 2011

ARTICLE: IT RISK EVALUATION

ARTICLE: IT RISK EVALUATION

This article describes a methodology to be used in offering concluding remarks to the management of an audited entity as to whether, for each objective assessed during an audit assignment, the situation is satisfactory, requires improvement or unsatisfactory. The aim is to provide a conceptual and practical framework to define and implement an evaluation method for Internal Audit assignments. The main uncertainties are identified and the objectives of Internal Audit are described, then we present an evaluation methodology for risk assessment. 

FOR MORE INFORMATION SEE: “IT Risk Evaluation”, Intelligent Risk Journal, Oct. 2011, Vol. 1: Issue 3, pp. 14-19, www.prmia.org/irisk


Saturday, October 8, 2011

IT PERFORMANCE MEASUREMENT


IT PERFORMANCE MEASUREMENT





John Kyriazoglou*, CICA, M.S, B.A(Honours), (jkyriazoglou@hotmail.com)

IT Consultant and Author of the book ‘IT STRATEGIC & OPERATIONAL CONTROLS’ (www.itgovernance.co.uk)

                       

Very complex IT projects frequently fail either due to budget overruns, or due to implementation delays, or even due to mismatches of functional specifications and business expectations. If the designers and managers of IT projects succeed in overcoming these obstacles, then the IT project is put into productive use with the optimism to satisfy the multiple targets of its users and the strategic objectives of its leadership and the organization.



Also IT projects, frequently, during their productive operation, in their attempts to be aligned with corporate objectives, are faced with new challenges which many times change due to competitive forces, and due to a large set of threats that could both lead to undesirable developments.



This is why the most care possible and the prior organizational preparedness and implementation of well-thought out control plans and actions (broadly termed ‘corporate controls’) are required in advance, so that on the one hand the risks that will cause damages to the reputation, effectiveness, and profitability are minimized and, on the other hand the benefits accrued due to the IT project are maximized.



In almost all types of organizations, both private and public, corporate controls denote the set of policies, procedures, techniques, methods, and practices to manage and control their business operations. Within this corporate controls framework, Information Technology controls (or IT controls) are specific actions, usually specified by policies, procedures, practices, etc., performed by persons, hardware or software with the main objective to ensure that specific business objectives are met. The overall guiding aim of IT controls relate to the secure processing, confidentiality, integrity, and availability of data and the overall management of the IT function of the organizations.



IT General Controls are those controls that are applicable to all IT activities (systems, services, issues, processes, operations, etc.) and data for a given organization or IT systems environment. They include controls over such areas as the strategy for IT, systems development, data center operations, data base and data communications infrastructure, systems software support and maintenance, IT security, and ready-made application systems acquisition, development and maintenance.



IT Application controls are those controls that are appropriate for transaction processing by individual computerized subsystems, such as financial accounting, personnel administration, customer sales, inventory control, payroll or accounts payable, etc.



Both corporate and IT controls are most efficient and effective when they are monitored, reviewed and improved to deliver the expected results. This is the main objective of performance measurement and reporting system.

A performance measurement and reporting system is an integral part of the corporate performance management process and it provides feedback, relative to the specific objectives of an organization that increases the possibility of the organization in achieving the predefined strategic and operational goals efficiently and effectively. Performance measurement gains real value when it is used as the basis for timely decisions by management. In terms of the particular function the purpose of performance measures is to provide the basis for performance management, review and improvements of the area being examined. The purpose of performance measuring is not to know how the organization is performing but to enable it to perform better. The ultimate aim of implementing a performance measurement system is to improve the performance of the given organization. If management can get the performance measurement of the organization right, the performance data generated will tell management and stakeholders where the organization is and where it is heading.



Establishing the corporate performance management process includes:

Step1: formulating and setting up the performance measurement system (e.g., BSC at the corporate level, and IT BSC at the IT level, etc.),

Step 2: entering the performance data into the performance system,

Step 3: carrying out the required performance reports and analyses, and

Step 4: setting up a corporate awards system and linking it to performance.



A good performance system must communicate strategy, must measure performance in real time, must offer an integrated performance project management capability, and must acknowledge and enable emotional contracting with all staff, which is so vital for linking individual commitment and activity to the attainment of organizational plans and goals. Emotional contracting (also referred to as 'the psychological contract') is the crucial and powerful link between the organizational performance intent, and the motivations, values and aspirations of the people. This emotional contracting element is sometimes overlooked by organizations, and that is the reason that may explain why the people have failed to do what the organization expected and asked them to do.



Ensuring that the objectives of IT systems are achieved may be done by establishing, monitoring and reviewing the IT Performance and IT Compliance Measures. These measures ensure that the formulated IT plan has the required and expected performance, and to take the necessary improvement actions, as needed.



In the IT domain and its areas of IT organization, IT strategy, systems development, application operation, etc., the typical IT performance measures are indicated next.



These performance measures could be based on a mixed system with two components: Component 1 would be IT Strategic and Operational Performance Measures, possibly maintained by an IT-BSC (Information Technology-Balanced Scorecard) Measurement System, and Component 2 would be a Compliance Monitoring System for monitoring compliance to policies, procedures and related matters (e.g., budget issues).



Examples of these performance measures follow:



IT Strategic and Operational Performance Measures



IT Finance: Expenditures on maintenance vs. new development, Expenditures on preventative maintenance, Return on IT Investments,  IT Human Resource Management Turn-over ratios, Training per employee (amounts, hours),  etc. 



IT System Development: Functions developed worth to users, No. of lines coded / tested / changed, Number of Applications supporting critical business functions,  etc.



IT Operations: Timely delivery of reports to users, Average response time, Average availability time, Volume of data stored, Mean time between failures, etc.



IT Compliance Performance Measures 



IT Corporate procedures not documented and kept current, IT Corporate committee not established, IT Corporate committee not functioning, IT Personnel management controls not followed, IT procedures not followed, IT Budget not followed, IT Visitors not recorded, IT Problem solutions not recorded, Security incidents not recorded, etc.



The IT management of the company, may, depending on various aspects of the organization, analyze all this performance and compliance monitoring information to review, assess and improve the elements of the IT function and the given IT activities of the specific organization.



---------------------------------------------------------------------------------------------------------------

* For more detail information on IT Performance and related Controls, see the book:

'IT STRATEGIC AND OPERATIONAL CONTROLS'



PRINTED VERSION:                www.itgovernance.co.uk/products/3066

E-BOOK FORMAT VERSION:    www.itgovernance.co.uk/products/3067

CUSTOMISABLE IT AUDIT PROGRAMMES AND CHECKLISTS (WORD FORMAT): www.itgovernance.co.uk/products/3143



Author: John Kyriazoglou

Publisher: IT Governance Publishing

ISBN: 9781849280617

Pages: 686

Format: Softcover

Published date: 2 September 2010