
Upload: john-kyriazoglou

Posted on 20-May-2015


Page 1: Business Management Controls-Book

BUSINESS MANAGEMENT CONTROLS: A GUIDE (DETAIL CONTENTS)

John Kyriazoglou, CICA, B.A (Hon-University of Toronto), Business Thinker, Consultant and Author of several books
Editor-in-Chief for the Internal Controls Magazine (U.S.A.)
Member of the Board of Directors of Voices of Hellenism Literary Society (U.S.A.)

E-Mail: [email protected]
Profile: http://www.linkedin.com/pub/john-kyriazoglou/0/9b/919
Blog: http://businessmanagementcontrols.blogspot.com/
SSRN Free Publications: http://ssrn.com/author=1315434
Book: http://www.itgovernance.co.uk/shop/p-1238-business-management-controls.aspx

The book defines and identifies the various types of controls with specific examples (over 300, in terms of policies, procedures, management plans, etc.) in all core business functions, such as governance, strategic, operational (finance, production, IT, data governance, business continuity, etc.) and compliance controls; describes various frameworks for designing and implementing them (BSC, CAF, etc.); discusses the BSC approach in more detail; and presents examples of compliance and performance measures, the counterparts of strategic and operational controls, in the areas of finance, corporate governance, production, IT, etc. It also includes specific case studies of applying controls to mitigate fraud and other corporate risks. These are complemented by a set of example policies and audit programs that may be customized to suit the needs of any organization. A set of 21 practical ‘how to’ recommendations is also offered to guide the manager wishing to apply these controls in his or her corporate environment.


TESTIMONIALS

(1) Dr. Marilyn M. Helms

“Business Management Controls” is a practical guide and reference for the business person who needs to implement or improve business controls. The hands-on guide is clearly organized and arranged by functional business area. John Kyriazoglou has written a detailed overview of controls in a complete, easy-to-follow format. This book is a great companion book to his 2010 “IT Strategic and Operational Controls,” and extends his work and expertise beyond information technology to the entire organization.

As a professor of strategic management and a frequent consultant to entrepreneurial ventures and those at various stages of new venture creation, I find the book a detailed reference for businesses at all stages, but it is particularly beneficial for those growing concerns who need to better organize and control their many systems, as well as for the mature business that wants to streamline various operations for cost-containment and strategic positioning for the future.

In the first part of the book, Kyriazoglou sets up the role of managers in setting controls to reach their goals and to ensure a company’s longevity. The book considers both a firm’s strategy as well as its organizational structure in choosing and developing a control system. Of the functions of management all business students learn – planning, organizing, leading, directing, and controlling – often control is an overlooked function. While not as popular in the academic and popular-press business literature, in today’s global economy with more pressures for compliance, cost management, and business continuity planning, control has taken on more importance to executives the world over.

Kyriazoglou does a thorough job of clarifying the various controls an organization and its leadership must consider – directive, preventive, detective, corrective, and compensating controls. The book is a complete framework for internal controls as well as implementation approaches. The manager must only decide the controls most appropriate for their organization, given its strategy and macro environment. One of the key benefits of the book is the various recommendations in various tables and textboxes throughout. They guide managers and suggest practical options.

For the entrepreneur just starting a company, Chapter Four provides detailed examples of a written business strategy as well as clear goals and objectives to emulate or adapt. Often businesses do not allow proper time for planning and these steps are overlooked. Chapter Four is a concise review of the steps but more importantly, the questions to ask, in the strategic management process.

Financial and production controls provide detailed explanations of the various financial statements and the budgeting process. Examples of measures to track and assess are included for the new manager to consider, or as a refresher or new viewpoint for the seasoned manager.

Chapter Seven on IT Governance Controls illustrates Kyriazoglou’s expertise in IT and his various roles and responsibilities in the IT field. With today’s emphasis on succession planning, sustainability, business continuity, and disaster planning, the section on Backup and Disaster Recovery Plans is especially helpful. The recommendations are clean and concise, for example, “Recent IT research has shown that data volumes, e-mail traffic and other network transactions grow in an increased mode every year. CIOs and board directors must be vigilant and implement the required IT and Information governance controls to ensure that their organizations are safe and secure in the new web-based environment.”

The book continues with an additional chapter on business data management controls and even recommends various business record keeping systems and policies and procedures manuals. Suggestions, including limiting the number of file formats used and using standard templates, are helpful for any business person who uses any electronic data.

With his vast technical knowledge, Kyriazoglou doesn’t neglect the human components and considers the human factors in applying business management controls. He separates these into hard and soft controls and the soft controls consider the tone at the top, the culture, the morale, and even integrity and ethical values.

The third and fourth parts of this book move to the implementation and auditing of various business controls and include frameworks as well as a case study for review. The balanced scorecard method forms the basis for the third section, considering financial as well as customer perspectives. He covers key tools of total quality management and other performance frameworks and compares them for the reader.

Planning is often easier than implementation and the implementation chapters are clear with action steps highlighted for the reader to follow. The theme of business continuity planning also resonates throughout the book. As a recent victim of a tornado that devastated the Southeast United States, I better understand the need for operational procedures in a disaster. Few businesses devote the time to think about these issues, but with global climate change and a host of other potential disasters, this book reminds us all of the importance of a business continuity management process and backup and restore policies and procedures. Kyriazoglou even provides an example of a 10-step backup and restore policy to consider.

The case study in Chapter 15 considers ways to use controls to mitigate fraud and other business risks and uses examples from the Italian firm Parmalat as well as Lehman Brothers from the US, along with other business examples from around the world.

The book concludes with the roles and responsibilities of participants in business management controls as well as the various usual types of audits performed for management controls. The checklists, numbered lists and issues to consider are presented in a step-by-step format for managers to follow. The book is complete but easy to follow without unnecessary detail. Managers have so little time and Kyriazoglou readily understands this with his lists, examples, and recommendations. For the reader who needs additional background or detail, he has included links to websites for more information. Thus the book can be customized for the skills, needs, and expertise of the reader. The appendix is probably the most helpful part of the book.

For companies struggling to develop key policies for their employees and for compliance postings and for corporate handbooks, the book includes a sample Privacy of Information Policy, an Information Sensitivity Policy, a statement of Security and Safety Controls for Personal Computers, a Confidentiality Policy, a statement on Password Controls, a statement on Business Management Controls for Laptops and Smart Devices, a Social Media Plan, and an Ethics Policy. While all businesses know on an intuitive level that they need such statements and policies posted and disseminated to all their global employees and units, few organizations take the time to develop them because they are somewhat difficult to create from scratch and require background research. This book has done the research for the manager and even indicates where customization of the policies should occur. A manager or executive could easily copy and adapt the policies very quickly for their organization using these handy templates. This book is indeed a Guide or almost a workbook that all business managers should follow. It reminds us of the various tasks all organizations must consider in the managerial function of control. However, too many overlook or forget these policies, often to their detriment. As the work of business continues to evolve, controls are predicted to become even more critical in the future. Kyriazoglou has created a concise guide to eliminate much of the worry over controls and offers an action plan with steps and recommendations for the manager to follow.

Dr. Marilyn M. Helms
Sesquicentennial Chair and Professor of Management
School of Business
Dalton State College
e-mail: [email protected]
www.daltonstate.edu/faculty-staff/mhelms

(2) Richard Leblanc, PhD

John Kyriazoglou’s Business Management Controls: A Guide is easy to understand and at the same time rigorous. It is mandatory reading for the chief audit executive, internal control personnel, general counsel, assurance provider, external auditor, and, perhaps most importantly, audit committee members and board directors. Controls apply to any company, in any sector. This book is well organized, covers all controls, and has many practical appendices, tools, cases and takeaways. It is current and relevant, covering emerging issues such as social media, cybercrime, privacy, mobile devices, confidentiality, passwords, espionage, business continuity and privacy, as well as all traditional business and stakeholder processes and controls, including excellent chapters on fraud case studies and human behavior “soft” controls. The checklists and frameworks cover inception, design, all the way to control implementation and follow up. I have never seen such a comprehensive, yet easy to understand book of this nature. I intend for this to be mandatory reading for my students, and it should be for anyone with internal control design responsibility or oversight. I highly recommend this practical book.

Richard Leblanc, PhD

Associate Professor, Law, Governance & Ethics

York University, Toronto, Canada


This short guide outlines business management controls in four parts, 17 chapters, 21 recommendations, over 260 controls (plans, frameworks, methodologies, policies, procedures, audit tools, job descriptions, terms of reference, etc.), and an appendix, in the following way:

Part A: Establishing The Internal Controls Environment

This part deals with aspects of the first level (Organize Level) of the proposed Business Management Controls (BMC) Framework and the establishment of its major components: (a) Board, management and committee roles, structure and responsibilities, (b) Business functions and resources, (c) Standards, policies and procedures, (d) Governance, Risk and Compliance controls, (e) Corporate culture, vision, mission and values, and (f) Internal Controls Framework and Manual, in three chapters.

Chapter 1: Business Management Controls Framework paints the Controls Landscape for Business Management Controls by introducing the main concepts of business management controls and describing their main characteristics and aspects, in terms of: Role of managers, Choosing a control system, The role of control in management, Purpose of business management controls, etc., proposing a Business Management Controls Framework, and making a recommendation for the better institution of Business Management Controls for companies.

Recommendation 1: Create and implement a Controls Framework to satisfy your needs.

Chapter 2: Enterprise Governance Controls identifies Enterprise Governance Controls by presenting the main types of enterprise governance controls and describing their main characteristics and aspects, such as: Board and Executive Management Controls, Regulatory Controls, Organizational Controls, Administration controls, etc., providing examples of governance performance measures and compliance indicators, and making a recommendation on better implementation of enterprise governance controls for your company.

Recommendation 2: Establish enough and current governance policies and procedures to satisfy your needs.

Chapter 3: Risk and Compliance Controls describes the main types of Risk and Compliance Controls, such as: Risk Management Action Plan, Risk Register, Risk Officer, Compliance Program, Compliance Action Plan, etc., and Governance, Risk and Compliance (GRC) Information System, their performance measures and compliance indicators, and makes two recommendations on better implementation of risk and compliance controls for your small, medium or large company.

Recommendation 3: Establish strong and effective risk and compliance controls.

Recommendation 4: Acquire and deploy a GRC Information System and a Dashboard.

Part B: Main Types of Strategic and Operational Controls

This part deals with aspects of the Second Level (Envision) and Third Level (Govern) of the proposed Business Management Controls (BMC) Framework and the institution and implementation of its major components that make up the main types of strategic and operational controls of your company, such as: (a) Corporate culture, vision, mission and values, (b) Strategy, goals, objectives and targets, (c) Performance Framework and Management, (d) Governance, Risk and Compliance controls, (e) Operational controls (purchasing, finance, IT, data, security, fraud, etc.), and (f) Personnel administration, including segregation of duties, compensating controls, etc., in six chapters.

Chapter 4: Strategic Management Controls, part of the Second Level (Envision) of the proposed Business Management Controls (BMC) Framework, describes Strategic Management Controls by introducing the main types of strategic management controls and analyzing their main characteristics and aspects, in terms of the Strategic Management Process, etc., discussing the role of Business Management Controls as regards Efficiency, Quality, Innovation, and Responsiveness to Customers, providing examples of a Strategic Plan, a Business Strategy, performance measures and compliance indicators, etc., and making a recommendation on better implementation of strategy for your company.

Recommendation 5: Communicate a vision for your company and involve all your staff in implementing your strategy.

Chapter 5: Financial Management and Accounting Controls, part of the Third Level (Govern) of the proposed Business Management Controls (BMC) Framework, describes the main Financial and Accounting Controls and their characteristics, such as: Financial Management Responsibility Controls (CFO, Financial Manager, etc.), Computerized financial systems, Basic Accounting and Bookkeeping Procedures (for Chart of Accounts, General Ledger, Trial Balance, Financial Statements, Accounts Receivable, Accounts Payable, etc.), Segregation of Finance Duties, Budget, etc., presents examples of financial performance measures and compliance indicators, and makes a recommendation on better implementation of financial controls for your small, medium or large company.

Recommendation 6: Protect your finances (cash, assets, payments, records, bank accounts, etc.) with the utmost care.

Chapter 6: Customer Sales and Production Controls, part of the Third Level (Govern) of the proposed Business Management Controls (BMC) Framework, describes the main Customer Sales and Production Controls such as: Customer Sales Management Controls, Purchasing Management Controls, Production Operations Policies and Procedures Manual, Warehouse Management Controls, Project Management Controls, Manufacturing/Services Management Controls, Standardization Controls, etc., presents examples of customer sales and production performance measures and compliance indicators, and makes three recommendations on better implementation of customer sales and production controls for any type and size of company.

Recommendation 7: Make your customer your number 1 priority.

Recommendation 8: Execute excellent production policies and procedures to satisfy the needs and expectations of your customers.

Recommendation 9: Establish effective purchasing procedures to avoid fraud.

Chapter 7: IT Governance Controls, part of the Third Level (Govern) of the proposed Business Management Controls (BMC) Framework, introduces the main types of IT Governance controls and describes their main characteristics, in terms of: IT Management Responsibility and Administration Controls, IT Strategic and Security Controls, IT Systems Development and Operational Controls, IT Backup and Disaster Recovery Plan, Social Engineering Controls, Internet and E-mail Policy, etc., offers examples of IT Governance performance measures and compliance indicators, and makes a recommendation on better implementation of IT Governance controls for your company.

Recommendation 10: Be vigilant and proactive with all your IT resources, systems and networks.

Chapter 8: Business Data Management Controls, part of the Third Level (Govern) of the proposed Business Management Controls (BMC) Framework, introduces the main types of business data management controls and describes their main characteristics and aspects, in terms of: Files, Documents and Records Management Controls, Business Record Keeping Systems, Business Data Administration Controls (Business Raw Data Retention Procedure, Business Data Register, Business Data Librarian, Data Quality Officer, etc.), Data Quality Monitoring and Improvement Procedure, Data cleansing controls, etc., presents examples of business data management performance measures and compliance indicators, and makes a recommendation on better implementation of business data management controls for your company.

Recommendation 11: Establish effective policies and procedures to manage your business data.

Chapter 9: Business Intelligence and Corporate Espionage Controls, part of the Third Level (Govern) of the proposed Business Management Controls (BMC) Framework, describes the main types of Business Intelligence and Espionage Controls and their main characteristics and aspects, in terms of: Business Intelligence Controls (Business Intelligence Data Manager, Business Intelligence System Management Plan, Business Intelligence Policy), Corporate Anti-Espionage and Anti-Sabotage Manager, Corporate Espionage and Sabotage Controls Action Plan (Register patents, copyrights and trademarks, Business Data Classification, Business Intangible Assets Register, Security Controls, etc.), presents examples of Business Intelligence and Corporate Espionage Controls performance measures and compliance indicators, and makes a recommendation on better implementation of Business Intelligence and Espionage Controls for your business environment.

Recommendation 12: Establish efficient mechanisms to give you excellent business information and protect your intangible and property assets.

Part C: Implementing Business Management Controls

This part deals with all aspects of integrating the most crucial control components (of all levels) of the proposed Business Management Controls (BMC) Framework and the full execution and implementation of the contained policies and procedures related to: (a) Board, management and committee roles, structure and responsibilities, (b) Performance of business functions and resources, (c) Standards, policies and procedures, (d) Governance, Risk and Compliance, (e) Corporate culture, vision, mission and values, (f) Strategy and Operations and (g) Internal Controls monitoring, in four chapters.

Chapter 10: Business Performance Management Frameworks describes frameworks for designing and implementing business management controls by introducing and describing the main types of Performance Management Frameworks, such as: BSC, TQM, EFQM, CAF, etc., highlighting their main features with specific examples, comparing the four most common frameworks, and making a recommendation on better implementation of a performance management framework for the purposes of your company.

Recommendation 13: Select and implement a performance management framework that suits your needs.

Chapter 11: Implementing Business Management Controls discusses the relevant issues in implementing business management controls for companies by proposing a methodology for implementing business management controls of three stages and 15 processes (Stage 1: Organize your Company, with 7 processes; Stage 2: Craft and Execute your Strategy, with 4 processes; and Stage 3: Monitor, Review and Improve your Operations, with 4 processes), describing the required action plans for implementing risk management, segregation of duties, compensating controls, compliance and enterprise governance monitoring, etc., analyzing the key issues in implementing controls, and making a recommendation on better implementation of your business management controls.

Recommendation 14: Implement your business management controls with due care and an open mind.

Chapter 12: Roles and Responsibilities of Participants in Business Management Controls describes the various corporate governance mechanisms as they relate to internal control, such as: Board of Directors, Auditing, Segregation of duties and functions, and Remuneration, analyzes the roles and responsibilities of all participants in internal controls, such as: Managers, Board of Directors, Audit Committee, etc., and makes a recommendation on better implementation of roles and responsibilities of all participants in internal controls for your company.

Recommendation 15: Ensure the involvement of all participants (managers, board, etc.) in implementing your business management controls.

Chapter 13: Human Factors in Applying Business Management Controls describes the main types of soft controls relevant to business management controls, such as: tone at the top, understanding of the organization by the board, culture, structure of reporting relationships, morale, integrity and ethical values, operational philosophy, trust, ethical climate, etc., presents an approach to implementing soft controls via the Soft Controls Action Plan, provides examples of performance measures and compliance indicators, and makes a recommendation on better implementation of soft controls for your small, medium or large company.

Recommendation 16: Design good hard controls and implement them with effective soft controls.

Part D: Enhancing Business Operations

This part deals with aspects of enhancing your business operations, in terms of improving business continuity, mitigating your various corporate risks, and executing audit activities (Internal audits, Self-assessments, External audits, Regulatory audits, etc.), as the result of the full implementation of the control components (of all levels) of the proposed Business Management Controls (BMC) Framework and its governance, risk, compliance, strategic and operational controls, policies and procedures contained in it, in three chapters.

Chapter 14: Business and IT Continuity Management Controls introduces and describes the main characteristics and aspects of business and IT continuity controls, such as: Corporate Governance and Business Continuity, Business Continuity Issues Committee, etc., provides examples of a business continuity plan, an IT continuity plan, an IT Backup and Restore Policy, etc., and performance measures and compliance indicators, and makes a recommendation on better implementation of business and IT continuity controls for your company.

Recommendation 17: Prepare for disasters, as they can be most devastating to your operations.

Chapter 15: Case Studies: Applying Business Management Controls to Mitigate Fraud and Other Risks presents the various risks in finance, purchasing and IT operations in organizations and describes how specific business management controls may mitigate these risks, analyzes the data of actual case studies and depicts an approach whereby the risks that appeared in them could have been avoided by the application of specific business management controls, and makes a recommendation on better implementation of business management controls to guard your company against fraud and other risks.

Recommendation 18: Develop and implement a minimum set of business management controls to mitigate your risks.

Chapter 16: Auditing Business Management Controls describes the usual types of audit, the audit process and products, provides a set of audit programs and checklists which could be used to review, evaluate and improve business management controls, and makes a recommendation on better implementation of internal auditing for your company.

Recommendation 19: Ensure that Internal Audit examines all your operations.

Final Conclusion

Chapter 17: Final Conclusion describes the role and approach of managers in decision-making, analyzes the various corporate threats and proposes a multi-level business operation model, also described as the Business Management Controls Framework (see also Chapter 1), which might protect your company against such threats while enabling it to achieve its objectives, presents a list of ‘red flags’ that may provide a warning sign that your specific business entity is not doing well in terms of internal controls, and makes a final recommendation on better implementation of business practices and business management controls for your company.

Recommendation 20: Implement your complete business management controls to add value to your business by focusing on the strategic, operational, risk, compliance and governance performance issues of your company.

Recommendation 21: Your company’s success depends on your decisive actions.