Saturday, October 22, 2011

HOW TO AVOID INTERNAL BUSINESS FRAUD

A question was recently put in a discussion group, ‘What can you do to keep your business from becoming the victim of internal fraud?’.

The simple answer ‘Don’t trust anyone (don’t trust job applicants, don’t trust employees, don’t trust your partners)’ was offered by one writer.

I think the issue is much more complicated than simply not trusting anyone! If you portray ‘NO TRUST’ to all your business partners, employees, customers, etc., without taking the proper measures, you will likely make everyone in your working environment want to commit fraud and prove you right! The desire for security is a key subconscious motivator in developing trusting relationships in any organization.

Let us not forget that Aristotle (384-322 BC), writing in the Rhetoric, suggested that Ethos, the trust of a speaker by the listener, is based on the listener's perception of three characteristics of the speaker: the intelligence of the speaker (correctness of opinions, or competence), the character of the speaker (reliability, a competence factor, and honesty, a measure of intentions), and the goodwill of the speaker (friendship, favorable intentions towards the listener).

Furthermore, my opinion is that you do need a friendly and trustworthy working environment, but it should be complemented by a Corporate Controls Framework with control mechanisms at five levels:

1. Corporate Philosophy Controls (Vision Statement, Mission Statement, Values Statement, Corporate Ethics Policy, Corporate Social Responsibility Policy, Corporate Ethics Office, etc.),
2. Corporate Governance Controls (such as risk management, internal audit, compliance office, security standards, Board of Directors Charter, Corporate Committees, Corporate Policies, Corporate Processes and Plans, etc.),
3. Strategic Management Controls (vision, mission, strategy, targets, Corporate Strategic Planning Committee, Strategic Plans, Strategic Budgets, Strategy Implementation Action Plans, etc.),
4. Monitoring and Review Controls, and
5. Operational Management Controls (administration procedures, HUMAN RESOURCE MANAGEMENT controls, etc.).

The primary purpose of human resource management controls is to enable and facilitate the management of the human resources of any organization. The main types of human resource controls are: Human Rights Policy, Benefits and Personnel Committee, Personnel Administration Procedures, Employee Management Policies and Procedures Handbook, Human Resource (HR) Systems, and Human Resource Performance Measures.

Some of the most typical HR systems are: HR Hiring and Dismissal System, HR Planning System, Personnel Career Development System, HR Performance Management System, Organizational Work Evaluation System, Benefits and Incentives System, HR Computerized Information System, and Personnel Administration Procedures (screening, employment contracts and job descriptions, supervision, human resource plans, authorization controls, segregation of duties, rotation of duties, vacation taking, adoption of professional ethical standards, and employee documentation).

In closing, we should all remember the following quotation of Ralph Waldo Emerson:
“Trust men and they will be true to you; treat them greatly, and they will show themselves great.”

John Kyriazoglou (jkyriazoglou@hotmail.com)

PROFILES of John Kyriazoglou:

http://www.icttf.org/profile/johnkyriazoglou
http://www.blogger.com/profile/15482029934015594259

BLOGS OF John Kyriazoglou
http://digital-society-and-economy.blogspot.com/
http://meliorate-your-life.blogspot.com/
http://helpandsupportgreece.blogspot.com/
http://corporatecontrols.blogspot.com/
http://johnkyriazoglou-works.blogspot.com/


Wednesday, October 19, 2011


Why are corporate controls needed in the present Digital Era


John KYRIAZOGLOU, M.S., B.A (Hon.), Management Consultant

Author of ‘IT STRATEGIC & OPERATIONAL CONTROLS’ (www.itgovernance.co.uk),

And co-author of ‘CORPORATE CONTROLS’, to be published by www.theiic.org, by 12/2011

A question was recently put in a discussion group whether corporate controls were indeed necessary in the present DIGITAL SOCIETY and ECONOMY.

My comments follow:

We live, at least in most Western countries, in a post-industrial society, in the knowledge society, also known as the information society. The new life-style (modus vivendi, in the sociological vernacular) enforces upon all of us a new set of operational factors and transactional characteristics in our societal and human interactions, a new socio-economic operating mode (modus operandi in the sociological vernacular).

This set of social interactions is permeated and driven by several socio-technical factors and functional characteristics, such as:

(a) Globalization of markets,

(b) Liberalization of markets,

(c) Services economy,

(d) Lack of governance controls in international fiscal and financial markets, transactions and activities,

(e) Very fast developments in the fields of Information Technology, Communications, Biology, Medicine, Management, etc.,

(f) Information plurality, diffusion and potential information over-loading; increase of the leverage and focus on the needs of customers, the so-called customer-focus approach in all dealings,

(g) Differentiation of the needs and increase of the expectations of better provision of services to citizens, the so-called citizen-based service approach in all public-sector exchanges and transactions, and

(h) Reduction and de-strengthening of the traditional government model of a large central organization to a model of organization based on a de-centralized approach.

All of these, interacting and inter-connected in different sets, make up a new social, economic, technological, moral and political framework, within which society, economy, enterprises, government, non-profit organizations, communities, citizens, etc., operate and function productively. 

New and more complicated roles are being created for the state (central administration, regional forms of government, local governments, etc.), for the business entities (small size, middle size, large size, conglomerate, international enterprises, etc.), and for organizations of the main public sector and related public regulatory authorities, with greater expectations for improved quality of life, and socio-economic advancement and development, in all industrial sectors and socio-economic environments.

The noted management guru Charles Handy supports the view that we must re-examine the basic principles that govern the running of enterprises and think from scratch of what is the basic objective of doing business.

At the level of organizations (private, public, non-profit, non-governmental, etc.) rapid changes are taking place on a continuous basis.  This is due to the impact of innovative approaches of researching and designing new products and services (e.g., via the Web), the tremendous effect of quick and accurate information provided by ITC (Information Technology and Communications) infrastructure and systems, and to the new asset evaluating models.

Traditionally, organizations (at least in the private, for-profit sector) valued only physical assets (buildings, land, vehicles, heavy equipment, installations, plants, etc.), sales inventories, and profits. Presently, technology know-how, good-will and brand names, computer systems and application software, office automated support tools (Excel spreadsheet applications, etc.), electronic commerce and electronic data distribution services, etc., must also be added as valued assets to the balance sheet of organizations.

The model and the role of the classical state is also changing, within the framework of the European Union, as well as within the framework of the international environment, with the approach of electronic government, the model for citizen one-stop shop services, and the devolvement of authorities and responsibilities to the regional and local level (prefecture, wide metropolitan area governments, city level, community, neighborhood level), etc.

All these new and very quickly developed roles are required for:

(1) Quicker and more effective service (in relation to costs and benefits)

(2) Better management and more efficient use of global resources

(3) More proper (ethical, ecology-friendly) resource management by all industries, in all countries

(4) Continuous improvement in the quality of products and services provided, in social and citizen participation, in the commitment to democratic institutions and customer services, for all stakeholders (people and organizations)

(5) Minimization if not total reduction of social, public sector and business fraud and corruption

(6) Better understanding of what has gone wrong in private and public organizations and what must be done to get things right.

All of these may be implemented on the basis of strategy (organizational philosophy, external regulations, strategy, risk and change management, and performance measurement) and management controls (at the strategic and operational levels, a management information system, and the reporting, communications, audit, monitoring and review activities), i.e. the two complementary support pillars of a Corporate Controls Framework.

The socio-economic need in the present DIGITAL SOCIETY and ECONOMY for the establishment and existence of a Corporate Controls Framework, covering both the historical context (i.e. conformance) and the future forward-looking view (i.e. performance), rests on the central idea that achieving all of the above requires the design and implementation of a new operating model for private corporations and public organizations, consisting of:

(i) creation and implementation of strategic objectives,

(ii) best and most optimal use of resources (social, corporate),

(iii) measurement of produced and delivered goods, services and target achievements,

(iv) monitoring and improvement efforts on a timely and continuous basis, in other words on performance, and

(v) a set of strategic and operational controls which includes a Compliance Monitoring and Performance Management Systems for collecting performance data, monitoring, reviewing, and improving performance and compliance.

All of these are very critical and should be studied further and practical solutions proposed by think tanks, professional societies, scientists and researchers across the globe.

STRATEGIC AND OPERATIONAL CONTROLS

John KYRIAZOGLOU, M.S., B.A (Hon.), Management Consultant
Author of ‘IT STRATEGIC & OPERATIONAL CONTROLS’ (www.itgovernance.co.uk),
And co-author of ‘CORPORATE CONTROLS’, to be published by www.theiic.org, by 12/2011

A question was recently put in a discussion group about the distinction between strategic and operational controls and how they interact in a corporate environment.

My comments follow:

Control is one of the managerial functions, like planning, organizing, staffing and directing. It is an important function because it helps to check errors and to take corrective action, so that deviations from standards are minimized and the stated goals of the organization are achieved in the desired manner. Control in management means setting standards, measuring actual performance and taking corrective action.
Management control in a corporate environment can be defined as a systematic effort by business management to compare performance to predetermined standards, plans, or objectives in order to determine whether performance is in line with these standards and presumably in order to take any remedial action required to see that human and other corporate resources are being used in the most effective and efficient way possible in achieving corporate objectives.
Planning is a process by which an organization's objectives and the methods to achieve the objectives are established, and controlling is a process which measures and directs the actual performance against the planned objectives of the organization. Thus, planning and control are often referred to as Siamese twins of management.

The direction for overall management control comes from the general strategic goals and strategic plans of the organization. General strategic plans are translated into specific performance measures such as share of the market, earnings, return on investment, budgets, customer satisfaction, etc. 
The process of strategic and operational control is to review and evaluate the performance of the system against these established norms. Rewards for meeting or exceeding standards may range from special recognition to salary increases or promotions. On the other hand, a failure to meet expectations may signal the need to reorganize (organizational control), change strategic direction or redesign (strategic control).

In contrast to strategic control, operational control serves to regulate the day-to-day output relative to schedules, specifications, and costs, by the formulation of policies and execution of corresponding procedures. Is the output of product or service the proper quality and is it available as scheduled? Are inventories of raw materials, goods-in-process, and finished products being purchased and produced in the desired quantities? Are the costs associated with the transformation process in line with cost estimates? Is the information needed in the transformation process available in the right form and at the right time? Is the energy resource being utilized efficiently?

The purpose of strategic control is to see that the specified function is achieved. The objective of operational control is to ensure that variations in daily output are maintained within prescribed limits. It is one thing to design a system that contains all of the elements of control, and quite another to make it operate true to the best objectives of design. Operating "in control" or "with plan" does not guarantee optimum performance.
Operational control systems are designed to ensure that day-to-day actions are consistent with established plans and objectives. They focus on events in a recent period. Operational control systems are derived from the requirements of the management control system.

The differences between strategic and operational control are highlighted by reference to a set of fundamental differences between strategic and operational management, as depicted next.

Strategic Management: very ambiguous, most complex, organization-wide, most critical to survival, long-term implications.
Operational Management: less ambiguous, less complex, specific to functions, less critical to survival, short-term implications.

Strategic and operational controls are usually expressed by strategic and operational performance measures and by compliance measures.
Strategic and operational performance measures are designed and implemented by models such as the BSC (Balanced Scorecard). Compliance measures are designed and implemented by internal control frameworks, such as: COSO Framework, Sarbanes-Oxley Act, BIS Framework, etc.

Monday, October 17, 2011

CYBER DIPLOMACY

A question was recently put in a BLOG, whether CYBER DIPLOMACY should be studied and pursued as a distinct activity.

I think that CYBER DIPLOMACY should be a field of study and a practice on its own.

The term ‘CYBER’ refers to the science of cybernetics, and it is derived from the Greek verb ‘ΚΥΒΕΡΝΑΩ’ (‘Kybernao’), which means ‘TO STEER’ and which is the root of our present concept ‘TO GOVERN’. It describes both the idea of NAVIGATION through a space of interconnected networks of computers and electronic data, and of CONTROL, which is achieved by manipulating those NETWORKS and DATA.

The term ‘DIPLOMACY’ refers to the art, methods and practice of conducting negotiations between representatives of groups, local or international organizations (e.g. U.N.), or sovereign (e.g. U.S.) or semi-sovereign states (Canadian Provinces, Australian States, etc.). It is derived from the Greek word DIPLOMA, which means ‘LICENCE’ or ‘CHART’ (originally defining a paper folded in a double manner).

Negotiation is a DIALOGUE between two or more parties, intended to reach an understanding, resolve points of difference, etc., and finally to produce an agreement upon a course of action that settles the issues to a satisfactory level for both parties.

In its current version DIPLOMACY pertains to the conduct of international relations through the interactive activities of NEGOTIATION by professional diplomats with regard to issues of trade, human rights, peace-making, war, economics, environment, etc.

To these issues, it is prudent to add the CYBER ISSUES. And as Secretary of State Hillary Rodham Clinton proclaimed (February 15, 2011): “The Internet has become the public space of the 21st century…We all shape and are shaped by what happens there, all 2 billion of us and counting. And that presents a challenge. To maintain an Internet that delivers the greatest possible benefits to the world, we need to have a serious conversation about the principles that will guide us…”

Also, as we all rely more and more on computers and the internet now (communications, email, cellphones, entertainment, car engine systems, airplane navigation control systems, online stores, credit cards, medical equipment, medical records, etc.), technologically weak nations are at a big disadvantage vis-à-vis technologically strong nations.

For all these reasons, and to resolve the most critical issues in today’s societies related to CYBERSPACE and its best use, exploitation and control, CYBER DIPLOMACY should be instituted, both as a field of study and as a set of activities to be carried out by DIPLOMATS, in order to reach a more harmonious balance in the international activities of nations.


Performance Audit Questionnaire for a Board of Directors

A question was recently put in a discussion group, whether there exists a simple, yet powerful tool for a quick assessment of the performance of a Board of Directors by Auditors.

One generic example I have used is noted below.
Performance audit questionnaire of the Board of Directors

1. Have the needs and requirements of the various stakeholders and members of the board of directors (BOD) been defined?
2. Are high levels of corporate ethics maintained?
3. Does the BOD ensure short-term financial stability?
4. Does the BOD ensure long-term financial stability?
5. Does the BOD ensure the long-term success of corporate and business-related changes?
6. Does the BOD ensure a high level of corporate governance and accountability?
7. Does the BOD supervise the setting up and operation of an effective risk assessment and management system?
8. Does the BOD supervise the setting up and operation of an effective crisis assessment and business continuity management system?
9. Does the BOD ensure that an effective internal audit and corporate compliance management system is in place?
10. Does the BOD ensure that an effective corporate performance management system is in place?
11. Does the BOD review and approve all business plans, organizational and restructuring plans and major investments?
12. Does the BOD ensure that an effective corporate management system is in place?
13. Does the BOD ensure that an effective corporate management succession system is in place (particularly for the senior positions of CEO, CFO, CTO, CIO, General Management of divisions, etc.)?
14. Does the BOD ensure that an effective BOD skills-training system is in place?
15. Does the BOD ensure that all IT systems, data centers, etc., are operated effectively and serve all critical business functions?
16. Does the BOD ensure that an effective corporate management research and development system is in place?

Saturday, October 15, 2011

COMPLIANCE, ETHICS AND RISK MANAGEMENT

A question was recently put in a discussion group, whether COMPLIANCE is distinct from ETHICS and how they interact in a corporate environment.

I think COMPLIANCE has to do with fully meeting all standards, rules and regulations, whether external or internal to the ORGANIZATION. The term comes from Latin (COM=TOGETHER), and Ancient Greek (PLERE=TO FULFILL).
 
ETHICS provides the background in terms of moral character (good, evil, just, etc.), nature, disposition, habit and custom of a person to obey willingly or face the moral and other consequences if he or she does not. The term comes from Ancient Greek (ETHOS=Moral Character).

The question ‘If the person complies should he/she be also ethical?’ is irrelevant.

The question ‘If the person is ethical should he/she also comply?’ is also irrelevant.

The major philosophical question for managing organizations, to be resolved, however, is this: how to handle, and to minimize if not avoid altogether, the possibility that a corporate person (staff member, manager, executive, etc.) who is complying fully with all rules and regulations, and who is or is not ethical, makes the right decision on a strategic or operational transaction, issue or activity but WITH COMPLETE DISREGARD for the RISKS involved, and so might easily damage and potentially destroy the organization, its stakeholders, customers, employees, etc.

In other words we should see both COMPLIANCE and ETHICS co-existing within the GOVERNANCE FRAMEWORK which should also include RISK ASSESSMENT and RISK MANAGEMENT. 

Also, we should ensure that all these mechanisms resolve the classical principal-agent problem to a level that is satisfactory and beneficial to the society, economy, community, organization and individuals concerned.


Friday, October 14, 2011

ARTICLE: IT RISK EVALUATION

This article describes a methodology to be used in offering concluding remarks to the management of an audited entity as to whether, for each objective assessed during an audit assignment, the situation is satisfactory, requires improvement, or is unsatisfactory. The aim is to provide a conceptual and practical framework to define and implement an evaluation method for Internal Audit assignments. The main uncertainties are identified and the objectives of Internal Audit are described; then an evaluation methodology for risk assessment is presented.

FOR MORE INFORMATION SEE: “IT Risk Evaluation”, Intelligent Risk Journal, Oct. 2011, Vol. 1: Issue 3, pp. 14-19, www.prmia.org/irisk