Business Management Controls-Book

BUSINESS MANAGEMENT CONTROLS: A GUIDE (DETAIL CONTENTS)

John Kyriazoglou, CICA, B.A (Hon-University of Toronto)
Business Thinker, Consultant and Author of several books
Editor-in-Chief for the Internal Controls Magazine (U.S.A.)
Member of the Board of Directors of Voices of Hellenism Literary Society (U.S.A.)
E-Mail: email@example.com
Profile: http://www.linkedin.com/pub/john-kyriazoglou/0/9b/919
Blog: http://businessmanagementcontrols.blogspot.com/
SSRN Free Publications: http://ssrn.com/author=1315434
http://www.itgovernance.co.uk/shop/p-1238-business-management-controls.aspx

The book defines and identifies the various types of controls with specific examples (over 300 in terms of: policies, procedures, management plans, etc.) in all core business functions, such as: governance, strategic, operational (finance, production, IT, data governance, business continuity, etc.) and compliance controls, describes various frameworks for designing and implementing them (BSC, CAF, etc.), discusses the BSC approach in more detail, and presents examples of compliance and performance measures, the counterparts of strategic and operational controls in the areas of finance, corporate governance, production, IT, etc. Also it includes specific case studies of applying controls to mitigate fraud and other corporate risks. These are complemented by a set of example policies and audit programs that may be customized to suit the needs of any organization. A set of 21 practical “how to” recommendations is also offered to guide (possibly) the manager wishing to apply these controls in his or her corporate environment.
TESTIMONIALS

(1) Dr. Marilyn M. Helms

“Business Management Controls” is a practical guide and reference for the business person who needs to implement or improve business controls. The hands-on guide is clearly organized and arranged by functional business area. John Kyriazoglou has written a detailed overview of controls in a complete, easy-to-follow format. This book is a great companion book to his 2010 “IT Strategic and Operational Controls,” and extends his work and expertise beyond information technology to the entire organization.

As a professor of strategic management and a frequent consultant to entrepreneurial ventures and those at various stages of new venture creation the book is a detailed reference for businesses at all stages but is particularly beneficial for those growing concerns who need to better organize and control their many systems as well as for the mature business who wants to streamline various operations for cost-containment and strategic positioning for the future.

In the first part of the book, Kyriazoglou sets up the role of managers in setting controls to reach their goals and to ensure a company's longevity. The book considers both a firm's strategy as well as its organizational structure in choosing and developing a control system. Of the functions of management all business students learn – planning, organizing, leading, directing, and controlling – often control is an overlooked function. While not as popular in the academic and popular-press business literature, in today's global economy with more pressures for compliance, cost management, and business continuity planning, control has taken on more importance to executives the world over.

Kyriazoglou does a thorough job of clarifying the various controls an organization and its leadership must consider – directive, preventive, detective, corrective, and compensating controls. The book is a complete framework for internal controls as well as implementation approaches. The manager must only decide the controls most appropriate for their organization, given its strategy and macro environment. One of the key benefits of the book is the various recommendations in various tables and textboxes throughout. They guide managers and suggest practical options.

For the entrepreneur just starting a company, Chapter Four provides detailed examples of a written business strategy as well as clear goals and objectives to emulate or adapt. Often businesses do not allow proper time for planning and these steps are overlooked. Chapter Four is a concise review of the steps but more importantly, the questions to ask, in the strategic management process.

Financial and production controls provide detailed explanations of the various financial statements and budgeting process. Examples of measures to track and assess are included for the new manager to consider or as a refresher or new viewpoint for the seasoned manager to consider.

Chapter Seven on IT Governance Controls illustrates Kyriazoglou's expertise in IT and his various roles and responsibilities in the IT field. With today's emphasis on succession planning, sustainability, business continuity, and disaster planning, the section on Backup and Disaster Recovery Plans is especially helpful. The recommendations are clean and concise, for example, “Recent IT research has shown that data volumes, e-mail traffic and other network transactions grow in an increased mode every year. CIOs and board directors must be vigilant and implement the required IT and Information governance controls to ensure that their organizations are safe and secure in the new web-based environment.”

The book continues with an additional chapter on business data management controls and even recommends various business record keeping systems and policies and procedures manuals. Suggestions including limiting the number of file formats used and using standard templates are helpful for any business person who uses any electronic data.

With his vast technical knowledge, Kyriazoglou doesn't neglect the human components and considers the human factors in applying business management controls. He separates these into hard and soft controls and the soft controls consider the tone at the top, the culture, the morale, and even integrity and ethical values.

The third and fourth parts of this book move to the implementation and auditing of various business controls and include frameworks as well as a case study for review. The balanced scorecard method forms the basis for the third section considering financial as well as customer perspectives. He covers key tools of total quality management and other performance frameworks and compares them for the reader.

Planning is often easier than implementation and the implementation chapters are clear with action steps highlighted for the reader to follow. The theme of business continuity planning also resonates throughout the book. As a recent victim of a tornado that devastated the Southeast United States, I better understand the need for operational procedures in a disaster. Few businesses devote the time to think about these issues, but with global climate change and a host of other potential disasters, this book reminds us all of the importance of a business continuity management process and backup and restore policies and procedures. Kyriazoglou even provides an example of a 10-step backup and restore policy to consider.

The case study in Chapter 15 considers ways to use controls to mitigate fraud and other business risks and uses examples from the Italian firm Parmalat as well as Lehman Brothers from the US along with other business examples from around the world.

The book concludes with the roles and responsibilities of participants in business management controls as well as the various usual types of audits performed for management controls. The checklists, numbered lists and issues to consider are presented in a step-by-step format for managers to follow. The book is complete but easy to follow without unnecessary detail. Managers have so little time and Kyriazoglou readily understands this with his lists, examples, and recommendations. For the reader who needs additional background or detail, he has included links to websites for more information. Thus the book can be customized for the skills, needs, and expertise of the reader.

The appendix is probably the most helpful part of the book.
For companies struggling to develop key policies for their employees and for compliance postings and for corporate handbooks, the book includes a sample Privacy of Information Policy, an Information Sensitivity Policy, a statement of Security and Safety Controls for Personal Computers, a Confidentiality Policy, a statement on Password Controls, a statement on Business Management Controls for Laptops and Smart Devices, a Social Media Plan, and an Ethics Policy. While all businesses know on an intuitive level they need such statements and policies posted and disseminated to all their global employees and units, few organizations take the time to develop them because they are somewhat difficult to create from scratch and require background research. This book has done the research for the manager and even indicates where customization of the policies should occur. A manager or executive could easily copy and adapt the policies very quickly for their organization using these handy templates. This book is indeed a Guide or almost a workbook that all business managers should follow. It reminds us of the various tasks all organizations must consider in the managerial function of control. However too many overlook or forget these policies and often to their detriment. As the work of business continues to evolve, controls are predicted to become even more critical in the future. Kyriazoglou has created a concise guide to eliminate much of the worry over controls and offers an action plan with steps and recommendations for the manager to follow.

Dr. Marilyn M. Helms
Sesquicentennial Chair and Professor of Management
School of Business
Dalton State College
e-mail: firstname.lastname@example.org
Website: www.daltonstate.edu/faculty-staff/mhelms

(2) Richard Leblanc, PhD

John Kyriazoglou's Business Management Controls: A Guide is easy to understand and at the same time rigorous. It is mandatory reading for the chief audit executive, internal control personnel, general counsel, assurance provider, external auditor, and, perhaps most importantly, audit committee members and board directors. Controls apply to any company, in any sector. This book is well organized, covers all controls, and has many practical appendices, tools, cases and takeaways. It is current and relevant, covering emerging issues such as social media, cybercrime, privacy, mobile devices, confidentiality, passwords, espionage, business continuity and privacy, as well as all traditional business and stakeholder processes and controls, including excellent chapters on fraud case studies and human behavior “soft” controls. The checklists and frameworks cover inception, design, all the way to control implementation and follow up. I have never seen such a comprehensive, yet easy to understand book of this nature. I intend for this to be mandatory reading for my students, and it should be for anyone with internal control design responsibility or oversight. I highly recommend this practical book.

Richard Leblanc, PhD
Associate Professor, Law, Governance & Ethics
York University, Toronto, Canada

This short guide outlines business management controls in four parts, 17 chapters, 21 recommendations, over 260 controls (plans, frameworks, methodologies, policies, procedures, audit tools, job descriptions, terms of reference, etc.), and an appendix, in the following way:

Part A: Establishing The Internal Controls Environment

This part deals with aspects of the first level (Organize Level) of the proposed Business Management Controls (BMC) Framework and the establishment of its major components:
(a) Board, management and committee roles, structure and responsibilities,
(b) Business functions and resources,
(c) Standards, policies and procedures,
(d) Governance, Risk and Compliance controls,
(e) Corporate culture, vision, mission and values, and
(f) Internal Controls Framework and Manual,
in three chapters.

Chapter 1: Business Management Controls Framework, paints the Controls Landscape for Business Management Controls by introducing the main concepts of business management controls and describing their main characteristics and aspects, in terms of: Role of managers, Choosing a control system, The role of control in management, Purpose of business management controls, etc., proposing a Business Management Controls Framework, and making a recommendation for the better institution of Business Management Controls for companies.
Recommendation 1: Create and implement a Controls Framework to satisfy your needs.

Chapter 2: Enterprise Governance Controls identifies Enterprise Governance Controls by presenting the main types of enterprise governance controls and describing their main characteristics and aspects, such as: Board and Executive Management Controls, Regulatory Controls, Organizational Controls, Administration controls, etc., providing examples of governance performance measures and compliance indicators, and making a recommendation on better implementation of enterprise governance controls for your company.
Recommendation 2: Establish enough and current governance policies and procedures to satisfy your needs.

Chapter 3: Risk and Compliance Controls describes the main types of Risk and Compliance Controls, such as: Risk Management Action Plan, Risk Register, Risk Officer, Compliance Program, Compliance Action Plan, etc., and Governance, Risk and Compliance (GRC) Information System, their performance measures and compliance indicators, and makes two recommendations on better implementation of risk and compliance controls for your small, medium or large company.
Recommendation 3: Establish strong and effective risk and compliance controls.
Recommendation 4: Acquire and deploy a GRC Information System and a Dashboard.

Part B: Main Types of Strategic and Operational Controls

This part deals with aspects of the Second Level (Envision) and Third Level (Govern) of the proposed Business Management Controls (BMC) Framework and the institution and implementation of its major components that make up the main types of strategic and operational controls of your company, such as:
(a) Corporate culture, vision, mission and values,
(b) Strategy, goals, objectives and targets,
(c) Performance Framework and Management,
(d) Governance, Risk and Compliance controls,
(e) Operational controls (purchasing, finance, IT, data, security, fraud, etc.), and
(f) Personnel administration, including segregation of duties, compensating controls, etc.,
in six chapters.

Chapter 4: Strategic Management Controls, part of the Second Level (Envision) of the proposed Business Management Controls (BMC) Framework, describes Strategic Management Controls by introducing the main types of strategic management controls and analyzing their main characteristics and aspects, in terms of the Strategic Management Process, etc., discussing the role of Business Management Controls as regards Efficiency, Quality, Innovation, and Responsiveness to Customers, providing examples of a Strategic Plan, a Business Strategy, performance measures and compliance indicators, etc., and making a recommendation on better implementation of strategy for your company.
Recommendation 5: Communicate a vision for your company and involve all your staff in implementing your strategy.

Chapter 5: Financial Management and Accounting Controls, part of the Third Level (Govern) of the proposed Business Management Controls (BMC) Framework, describes the main Financial and Accounting Controls and their characteristics, such as: Financial Management Responsibility Controls (CFO, Financial Manager, etc.), Computerized financial systems, Basic Accounting and Bookkeeping Procedures (for Chart of Accounts, General Ledger, Trial Balance, Financial Statements, Accounts Receivable, Accounts Payable, etc.), Segregation of Finance Duties, Budget, etc., presents examples of financial performance measures and compliance indicators, and makes a recommendation on better implementation of financial controls for your small, medium or large company.
Recommendation 6: Protect your finances (cash, assets, payments, records, bank accounts, etc.) with the utmost care.

Chapter 6: Customer Sales and Production Controls, part of the Third Level (Govern) of the proposed Business Management Controls (BMC) Framework, describes the main Customer Sales and Production Controls such as: Customer Sales Management Controls, Purchasing Management Controls, Production Operations Policies and Procedures Manual, Warehouse Management Controls, Project Management Controls, Manufacturing/Services Management Controls, Standardization Controls, etc., presents examples of customer sales and production performance measures and compliance indicators, and makes three recommendations on better implementation of customer sales and production controls for any type and size of company.
Recommendation 7: Make your customer your number 1 priority.
Recommendation 8: Execute excellent production policies and procedures to satisfy the needs and expectations of your customers.
Recommendation 9: Establish effective purchasing procedures to avoid fraud.

Chapter 7: IT Governance Controls, part of the Third Level (Govern) of the proposed Business Management Controls (BMC) Framework, introduces the main types of IT Governance controls and describes their main characteristics, in terms of: IT Management Responsibility and Administration Controls, IT Strategic and Security Controls, IT Systems Development and Operational Controls, IT Backup and Disaster Recovery Plan, Social Engineering Controls, Internet and E-mail Policy, etc., offers examples of IT Governance performance measures and compliance indicators, and makes a recommendation on better implementation of IT Governance controls for your company.
Recommendation 10: Be vigilant and proactive with all your IT resources, systems and networks.

Chapter 8: Business Data Management Controls, part of the Third Level (Govern) of the proposed Business Management Controls (BMC) Framework, introduces the main types of business data management controls and describes their main characteristics and aspects, in terms of: Files, Documents and Records Management Controls, Business Record Keeping Systems, Business Data Administration Controls (Business Raw Data Retention Procedure, Business Data Register, Business Data Librarian, Data Quality Officer etc.), Data Quality Monitoring and Improvement Procedure, Data cleansing controls, etc., presents examples of business data management performance measures and compliance indicators, and makes a recommendation on better implementation of business data management controls for your company.
Recommendation 11: Establish effective policies and procedures to manage your business data.

Chapter 9: Business Intelligence and Corporate Espionage Controls, part of the Third Level (Govern) of the proposed Business Management Controls (BMC) Framework, describes the main types of Business Intelligence and Espionage Controls and their main characteristics and aspects, in terms of: Business Intelligence Controls (Business Intelligence Data Manager, Business Intelligence System Management Plan, Business Intelligence Policy), Corporate Anti-Espionage and Anti-Sabotage Manager, Corporate Espionage and Sabotage Controls Action Plan (Register patents, copyrights and trademarks, Business Data Classification, Business Intangible Assets Register, Security Controls, etc.), presents examples of Business Intelligence and Corporate Espionage Controls performance measures and compliance indicators, and makes a recommendation on better implementation of Business Intelligence and Espionage Controls for your business environment.
Recommendation 12: Establish efficient mechanisms to give you excellent business information and protect your intangible and property assets.

Part C: Implementing Business Management Controls

This part deals with all aspects of integrating the most crucial control components (of all levels) of the proposed Business Management Controls (BMC) Framework and the full execution and implementation of the contained policies and procedures related to:
(a) Board, management and committee roles, structure and responsibilities,
(b) Performance of business functions and resources,
(c) Standards, policies and procedures,
(d) Governance, Risk and Compliance,
(e) Corporate culture, vision, mission and values,
(f) Strategy and Operations, and
(g) Internal Controls monitoring,
in four chapters.

Chapter 10: Business Performance Management Frameworks, describes frameworks for designing and implementing business management controls by introducing and describing the main types of Performance Management Frameworks, such as: BSC, TQM, EFQM, CAF, etc., highlighting their main features with specific examples, comparing the four most common frameworks, and making a recommendation on better implementation of a performance management framework for the purposes of your company.
Recommendation 13: Select and implement a performance management framework that suits your needs.

Chapter 11: Implementing Business Management Controls, discusses the relevant issues in implementing business management controls for companies by proposing a methodology for implementing business management controls of three stages and 15 processes (Stage: 1. Organize your Company with 7 processes, Stage: 2. Craft and Execute your Strategy with 4 processes and Stage: 3. Monitor, Review and Improve your Operations with 4 processes), describing the required action plans for implementing risk management, segregation of duties, compensating controls, compliance and enterprise governance monitoring, etc., analyzing the key issues in implementing controls, and making a recommendation on better implementation of your business management controls.
Recommendation 14: Implement your business management controls with due care and an open mind.

Chapter 12: Roles and Responsibilities of Participants in Business Management Controls describes the various corporate governance mechanisms as they relate to internal control, such as: Board of Directors, Auditing, Segregation of duties and functions, and Remuneration, analyzes the roles and responsibilities of all participants in internal controls, such as: Managers, Board of Directors, Audit Committee, etc., and makes a recommendation on better implementation of roles and responsibilities of all participants in internal controls for your company.
Recommendation 15: Ensure the involvement of all participants (managers, board, etc.) in implementing your business management controls.

Chapter 13: Human Factors in Applying Business Management Controls describes the main types of soft controls relevant to business management controls, such as: tone at the top, understanding of the organization by the board, culture, structure of reporting relationships, morale, integrity and ethical values, operational philosophy, trust, ethical climate, etc., presents an approach to implementing soft controls via the Soft Controls Action Plan, provides examples of performance measures and compliance indicators, and makes a recommendation on better implementation of soft controls for your small, medium or large company.
Recommendation 16: Design good hard controls and implement them with effective soft controls.

Part D: Enhancing Business Operations

This part deals with aspects of enhancing your business operations, in terms of improving business continuity, mitigating your various corporate risks, and executing audit activities (Internal audits, Self-assessments, External audits, Regulatory audits, etc.), as the result of the full implementation of the control components (of all levels) of the proposed Business Management Controls (BMC) Framework and its governance, risk, compliance, strategic and operational controls, policies and procedures contained in it, in three chapters.

Chapter 14: Business and IT Continuity Management Controls introduces and describes the main characteristics and aspects of business and IT continuity controls, such as: Corporate Governance and Business Continuity, Business Continuity Issues Committee, etc., provides examples of a business continuity plan, an IT continuity plan, an IT Backup and Restore Policy, etc., and performance measures and compliance indicators, and makes a recommendation on better implementation of business and IT continuity controls for your company.
Recommendation 17: Prepare for disasters as they can be most devastating to your operations.

Chapter 15: Case Studies: Applying Business Management Controls to Mitigate Fraud and Other Risks presents the various risks in finance, purchasing and IT operations in organizations and describes how specific business management controls may mitigate these risks, analyzes the data of actual case studies and depicts an approach whereby the risks that appeared in them could have been avoided by the application of specific business management controls, and makes a recommendation on better implementation of business management controls to guard your company against fraud and other risks.
Recommendation 18: Develop and implement a minimum set of business management controls to mitigate your risks.

Chapter 16: Auditing Business Management Controls describes the usual types of audit, the audit process and products, provides a set of audit programs and checklists, which could be used to review, evaluate and improve business management controls, and makes a recommendation on better implementation of internal auditing for your company.
Recommendation 19: Ensure that Internal Audit examines all your operations.

Final Conclusion

Chapter 17: Final Conclusion describes the role and approach of managers in decision-making, analyzes the various corporate threats and proposes a multi-level business operation model, also described as the Business Management Controls Framework (see also chapter 1) which might protect your company against such threats while enabling it to achieve its objectives, presents a list of “red flags” that may provide a warning sign that your specific business entity is not doing well in terms of internal controls, and makes a final recommendation on better implementation of business practices and business management controls for your company.
Recommendation 20: Implement your complete business management controls to add value to your business by focusing on strategic, operational, risk, compliance and governance performance issues of your company.
Recommendation 21: Your company's success depends on your decisive actions.