
Internal Controls 101 and ARMICS

An Auditor’s Perspective. Deane Hennett, Director of Internal Audit, Old Dominion University.


Presentation Transcript


  1. Internal Controls 101 and ARMICS
     An Auditor’s Perspective
     Deane Hennett, Director of Internal Audit, Old Dominion University

  2. What We’re Going To Cover
     • Why Are We Here?
     • What Internal Controls Are And Why You Want Them
     • ERM and ARMICS – What’s New, What’s Different and What It Means
     • Meeting the New Standards
     • Ideas For How To Go About It
     • Conclusions

  3. Why We’re Here
     • A Little About Me
     • Origination of this Session

  4. Definition of Internal Controls
     • Simple Definition
       • Help make sure things happen the way you want them to happen
       • Make sure bad or unexpected things don’t happen

  5. Definition of Internal Controls
     • More sophisticated definition: an effective system of internal control:
       • Provides accountability for meeting program objectives,
       • Promotes operational efficiency,
       • Ensures the reliability of financial statements,
       • Ensures compliance with laws and regulations, and
       • Reduces the risk of asset loss due to fraud, waste, or abuse.

  6. Internal Controls
     • Internal controls are basically a tool for management to use in their everyday jobs.
     • Two types – hard controls and soft controls.
     • Examples of hard controls:
       • Authorizations
       • Comparisons and checks
       • Inventories
       • Monitoring Output

  7. Internal Controls
     • Examples of soft controls:
       • Management philosophy
       • Organizational structure
       • Communication
       • Competency of employees

  8. Internal Controls
     • Why do you want internal controls?
       • You can’t be everywhere at once
       • To give some reasonable assurance everything is OK.
       • As a deterrent
       • The 10-80-10 rule

  9. Internal Controls

  10. What Are You Required To Do Now Concerning Internal Control?
     • Current CAPP 10305
     • “Agencies are required to develop a formal program to evaluate the operating environment and ensure adequate internal controls are maintained over financial assets. All agencies and institutions must certify to (DOA) that agency management acknowledges its responsibility for internal control, and represents that a cost-effective system of internal control is in place and functioning to adequately safeguard the assets of the agency and reasonably assure the proper recording of the agency’s financial transactions.”

  11. Current Internal Control Requirements
     • What are you basing your current certification on?
     • Anything formal?
     • ARMICS provides standards to follow.
     • The current push for ARMICS and ERM is, in many respects, nothing more than putting more weight and detail into what everyone is ALREADY required to do.

  12. Current Internal Control Requirements
     • Why is DOA interested in controls?
     • How do you decide what controls you need?
     • Before you can have good controls, you have to understand what risks you have, in order to pick which controls you need.
     • The new Agency Risk Management standards are designed to help with that.

  13. What Is ERM?
     • Enterprise Risk Management is defined as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

  14. What Is ERM?
     • Put differently, ERM is a comprehensive and systematic program to identify, measure, prioritize, and respond to the risks associated with reaching organizational objectives.
     • The ERM framework emphasizes “soft control” activities. Traditionally, internal control systems focused on “hard” controls (such as physical or electronic controls). Soft controls are intangibles that management emphasizes to direct the organization.

  15. Description of ARMICS
     • Agency Risk Management and Internal Control Standards provide guidance for managing risk, maintaining accountability, and achieving strategic objectives. They also contain implementation and evaluation tools that can be tailored to meet each agency’s unique circumstances.

  16. Objectives of ARMICS
     • The new Standards include five objectives.
       • Strategic – high-level goals and objectives, aligned with and supporting the mission.
       • Operational – effective and efficient use of resources.
       • Reporting – integrity and reliability of reporting.
       • Compliance – compliance with applicable laws and regulations.
       • Stewardship – protection and conservation of assets.

  17. Why Are ERM and ARMICS Being Emphasized?
     • Scandals
     • Subsequent Legislation (SOX, etc.)
     • Trickle Down Of Expectations To Government
     • Virginia As A “Best Managed” State
     • Best Practices
     • Changes In University Environment

  18. Why Are ERM and ARMICS Needed?
     • Changes In University Environment
       • Commonwealth’s higher ed de-centralization initiatives – increased authority, scrutiny of performance and performance objectives
       • Increasing internal and external risks that can disrupt goals and objectives and create legal liabilities and public image crises
       • Increasing need for coordination and cooperation among departments and processes to reach university goals, and

  19. Why Are ERM and ARMICS Needed?
     • Dramatic rise in compliance concerns (new regulations and increased oversight) – a few of which include:
       • Virginia Information Technology Agency (VITA) standards and guidelines regarding computer systems and their security,
       • Privacy legislation such as FERPA, HIPAA and Gramm-Leach
       • Credit card acceptance regulations

  20. What Does It Mean?
     • The common thread to all of these changes is the need to assess the risks involved in the business environment in which an entity operates: not just at top management levels, but at component departmental levels as well.
     • To do any less in today’s environment accepts an unnecessary probability of problems and complications in our operations.

  21. What Does It Mean?
     • It has become important that all departments appropriately approach risk, compliance and controls for several reasons:
       • More sophisticated initiatives need multiple departments to integrate seamlessly
       • Many compliance issues are no longer the focus of a single lead department; in some cases, all areas must be in compliance or the entity as a whole is not. Environment is less tolerant.

  22. What Does It Mean?
     • Will require a different style of management in many of our departments, one in which a more formal assessment of risk and controls is included in day-to-day management.
     • Managing risk needs to be embedded in all management decisions and approaches in running depts or processes.
     • This will help prevent problems or non-compliance, and the need to remedy the situation after damage is done.
     • Many are not used to assessing risks in their organizations and designing controls to mitigate those risks.

  23. Benefits of ERM and ARMICS
     • Helps handle the challenges of assessing and managing risk efficiently, reaching goals and objectives, and ensuring compliance with various mandates with a manageable, centralized approach to risk management.
     • Maximizes the ability to meet challenges and help minimize overall work by not meeting each external challenge and requirement piecemeal.
     • Used at the departmental level, promotes risk awareness, successful goal implementation, general compliance, helps eliminate the need for piecemeal risk assessments.
     • Help with audits.

  24. Implementing ARMICS
     • Per DOA, the action needed:
     • Each agency must plan and take systematic, proactive measures to
       • (a) plan, develop, and implement a comprehensive and cost effective risk management program to support its performance management program;
       • (b) assess the adequacy of internal controls in all agency services, operations, and activities;
       • (c) identify needed improvements;

  25. Implementing ARMICS
     • Per DOA, action needed (cont’d):
       • (d) take corresponding preventative and corrective actions; and
       • (e) report annually on internal control.
     • These steps should be integrated with the development, implementation, and monitoring of strategic plans, with specific links from each service objective in strategic plans to appropriate risk responses and control activities.

  26. Implementing ARMICS
     • Sounds overwhelming!
     • May not be as bad as you think!
     • Understood that the form of implementation may differ from institution to institution.
     • May already be doing many aspects of ARMICS that can be used.
     • To some degree, dovetails with 6-year budgeting.

  27. Meeting The Standards
     • Agency must demonstrate it has 8 risk management items established and functioning:
       • Internal Environment
       • Objective Setting
       • Event Identification
       • Risk Assessment
       • Risk Response
       • Control Activities
       • Information and Communication
       • Monitoring

  28. Meeting The Standards
     • Internal Environment – Includes:
       • Risk Management Philosophy
       • Risk Appetite
       • Board Oversight
       • Integrity and Ethical Values
       • Competence of Work Force
       • Assignment of Authority and Responsibility
       • Organizational Structure
       • Human Resources Development

  29. Meeting the Standards – How
     • Internal Environment – Some of the things you may already be doing or could do:
       • Statement or survey of risk attitudes and culture
       • Board bylaws and other mgt documents that indicate oversight
       • Code of ethics, handbooks, policies
       • EWPs and evaluations
       • Organization charts
       • Training programs

  30. Meeting The Standards
     • Objective Setting – Set operational, reporting and compliance objectives. Process should be in place to ensure objectives support and align with agency mission; objectives are consistent with risk appetite.
     • Event Identification – Identify potential internal and external events that could affect achievement of objectives.

  31. Meeting the Standards – How
     • Objective Setting – Examples:
       • Strategic Plans and awareness
       • Division and dept objectives and goals
       • Budgeting documentation and rationale
     • Event Identification – Examples:
       • Event inventories
       • Interviews and meetings
       • Questionnaires and surveys
       • Process flow analysis

  32. Meeting The Standards
     • Risk Assessment – Analyzing likelihood and impact of potential events on achieving objectives.
     • Should look at:
       • Inherent risk
       • Likelihood
       • Residual Risk

  33. Meeting the Standards – How
     • Risk Assessment – Examples:
       • Formal risk assessments already done by different areas
       • Departmental self assessments
       • Assessments as part of budgeting

  34. Meeting The Standards
     • Risk Response – How management chooses to respond to risk in accordance with risk tolerances. Four possible responses:
       • Avoidance
       • Reducing
       • Sharing
       • Acceptance

  35. Meeting the Standards – How
     • Risk Response – Examples:
       • Conscious actions taken as a result of risk assessments, etc.
       • Avoidance – closure, abandon initiative
       • Reducing – processes, mgt involvement, limits
       • Sharing – joint ventures, insurance, contracts
       • Acceptance – already conforms to risk tolerances

  36. Meeting the Standards
     • Control Activities – implemented to help ensure risk responses are completed.
       • Reviews
       • Direct Management
       • Performance Indicators
       • Segregation of Duties

  37. Meeting the Standards – How
     • Control Activities – Examples:
       • Documented in policies and procedures
       • Review of performance and reports
       • Documented in process flowcharts
       • Job assignments

  38. Meeting the Standards
     • Information and Communication – identifying and communicating information so that people carry out responsibilities.
     • Monitoring – assessing the existence, functioning and improvement of controls or risk management components. Happens through both management activity and separate evaluations.

  39. Meeting the Standards – How
     • Information and Communication –
       • How information is distributed and communicated
       • Meetings
       • Training and awareness programs
       • Organization of departments and processes

  40. Meeting the Standards – How
     • Monitoring – Examples:
       • Management reviews of reports, limits, performance indicators, escalation triggers
       • Self assessments
       • Reviews by independent parties, such as internal or external auditors

  41. Implementation
     • Steps in implementing the standards:
       • Get top management commitment
       • Put together a representative team
       • Develop an implementation plan:
         • Assess your current status
         • What do you already have that can be used as is
         • What needs to be upgraded
         • What gaps exist

  42. Implementation
     • Implement ARM techniques and controls in “gap” areas
       • Risk assessments, new policies, new controls, etc.
     • Documentation for possible review
     • Test and monitor
     • Certify

  43. Conclusions
     • Internal controls are a tool for management to use in their everyday jobs.
     • Internal controls consist of hard and soft controls.
     • Before you can have good controls, you have to understand what risks you have, in order to pick which controls you need.

  44. Conclusions
     • The new Agency Risk Management standards are designed to help with that.
     • The current push for ARMICS and ERM is, in many respects, nothing more than putting more weight and detail into what everyone is ALREADY required to do.
     • ERM is a comprehensive and systematic program to identify, measure, prioritize, and respond to the risks associated with reaching organizational objectives.

  45. Conclusions
     • Long-run benefits in assessing and managing risk efficiently, reaching goals and objectives, and ensuring compliance with a manageable, centralized approach to risk management.
     • May not be as bad as you think!
     • Already doing many aspects of ARMICS that can be used.
     • Big change is a change in management philosophy

  46. Conclusions
     • Successfully dealing with ARMICS will require:
       • Top management commitment
       • An implementation plan
       • Involvement by many
       • Upgrading or creation of various policies or documentation tools
       • Monitoring techniques
     • Don’t think of it as another thing you’re “required” to do, but as a useful, long-run tool
