Commonwealth of Virginia Fiscal Fundamentals. Agency Risk Management & Internal Control Standards (ARMICS) Nutz and Boltz. ARMICS. 122 Page Document (Pages 3 – 36 Meat, the rest is tools to use) Comptroller’s Directive 1-07 Force of Law Based on the 1992 COSO Standards.
Commonwealth of Virginia Fiscal Fundamentals Agency Risk Management & Internal Control Standards (ARMICS) Nutz and Boltz
ARMICS • 122 Page Document (Pages 3 – 36 Meat, the rest is tools to use) • Comptroller’s Directive 1-07 • Force of Law • Based on the 1992 COSO Standards
Why do we need ARMICS? Financial managers never actually do the risk assessment well until after the accident happens. Why did the financial manager get run over crossing the road?
Two Components • Comptroller’s Directive 1-07 • Agency Risk Management and Internal Control Standards (ARMICS)
General Approach • Breakdown • Organize • Document
STEERING COMMITTEE • Stay out of the weeds • General Planning • Designate and delegate • REVIEW Output • Organize Process and Results • Documentation • Report Out
GENERAL CONCEPTS • Concurrent not linear progression • Corrective Action Plan (CAP) from the beginning – NOT the last step! • Flexibility • Open Mind toward improvements
DEFICIENCIES • No Control • Insufficient Control • Ineffective Control • Inefficient Control (Over control)
How difficult can it be? Genie in a Lamp An Agency Head was walking along a beach when he found a lamp. Upon rubbing the lamp a genie appeared who stated "I am the most powerful genie in the world. Because I am so powerful, I can grant you any wish you want, but only one wish." The Agency Head pulled out a Virginia highway map showing all of the new roads, repairs, and bridges that were needed and said "I’d like all this work to be done in one year and not cost the State one penny." The genie responded, "Gee, I don't know. That’s a lot of new roads and repairs to be done. This is tough. I can patch all the pot holes, but this is beyond my limits." The Agency Head then said, "Well, my staff is working on ARMICS, could you help them implement this Directive?" Genie: "Uh, let me see that map again."
BREAKDOWN • Five (5) Components of Internal Control • Six (6) Project Teams / Task Forces
FIVE COMPONENTS • Control Environment • Risk Assessment • Control Activities • Information and Communication • Monitoring
SIX PROJECT TEAMS • Agency Level: Control Environment (Stage 1) • Agency Level: Risk Assessment and Control Activities (Stage 1 ONLY) • Process Level: Risk Assessment and Control Activities (Stage 2 ONLY) • Agency Level: Information & Communication (Stage 1) • Agency Level: Monitoring (Stage 1) • Corrective Action Plan (Stage 3)
Why Agency Level Assessments? There once was an Agency Head who was interviewing candidates for the position of "Deputy Director." He decided to select the individual who could answer the question, "How much is 2+2?" The first candidate was an engineer. He pulled out a slide rule and showed that the answer was 4. The second candidate was a lawyer. He stated that, in the case of Svenson vs. the State, 2+2 was proven to be 4. The final candidate was an accountant. When asked what 2+2 equaled, the accountant did not respond immediately. He looked at the Agency Head, got out of his chair and went to see if anyone was listening at the door. Then he returned to the Agency Head and said, in a low voice, "Did you have some particular number in mind?"
INTERNAL CONTROL LIMITATIONS • Faulty Judgment • Human Error - Mistake • Collusion • Override of Controls (Power Play) • Acceptable Risk Gone Wrong – Control Costs Exceed the Benefits • Perfect Storm (Multiple small things come together)
GENERAL DOCUMENTS • Organization Charts • Unit Functional Statements • General Control Policies (HRO, IS, Ethics) • Strategic Plan (DPB or agency internal) • Code of Ethics • Control Self-Assessment (CSA) reviews • Internal Audit Risk Assessment • Anything else applicable to agency Mgmt.
GENERAL PROCESSES • Plan from Steering Committee • Assignment of personnel • Deadlines • Identify places of flexibility in the plan • Meet and know the key people • Other resources needed • Travel issues (if applicable) • Anything else
Control Environment The foundation on which everything rests: • The “tone” of the agency • Management’s philosophy • Integrity and ethics • Commitment to competence • Accountability • Policies and procedures
Attitude A group of accountants and a group of engineers were traveling by train to a meeting. The engineers bought one ticket each and watched dumbfounded as the accountants bought only one ticket for their group. Upon inquiring of the accountants as to how they intended to travel with one ticket, they were told to "watch and learn." When the conductor began his collection of the tickets, the accountants all crowded into one bathroom. When the conductor knocked on the door and said "Ticket please", one of the accountants handed him their ticket. The engineers, being quick to learn, purchased only one ticket for the return trip but watched in utter amazement as the accountants didn't purchase any tickets. When the conductor began to collect tickets, the engineers crowded into one bathroom and the accountants into another to await his arrival. After the doors closed, one of the accountants walked over to the bathroom where the engineers were waiting, knocked on the door, and said, "Ticket please!"
Control Environment • Review General Information • Interview Management • Modify Questionnaire – Key control points • Distribute to all • Analyze results - Strengths & Weaknesses • Test Controls • Report to Steering Committee & CAP Team
Risk Assessment • Risk Analysis as part of Decision Making • Inherent / Response / Residual • Cost / Benefit
Risk Assessment (Stage 1) - Process • Review General Information • Modify Questionnaire – Key control points • Distribute to all or target groups • Analyze results - Strengths & Weaknesses • Test Controls • Report to Steering Committee & CAP Team • Focus on Agency wide – Stay out of specific processes
Control Activities • Policies and Procedures • Information Systems – General Controls • Access • FOCUS: Accounting and Information Systems Areas
RA and CA (Stage 1) - Process • Review General Information • Modify Questionnaire – Key control points • Distribute to all or target groups • Analyze results - Strengths & Weaknesses • Test Controls • Report to Steering Committee & CAP Team • Focus on Agency wide – Stay out of specific processes
RA and CA (Stage 2) - Process • Determine Significant Fiscal Processes • CARS – ACTR0402 (Year End) • Financial Statement Directives • Amounts processed ($$$ and Transactions) • Processes Documentation • (Narratives, Flow Chart, DFDs, combos, etc.) • Use Questionnaire – Key control points • Now we are into the weeds!
RA and CA (Stage 2) - Process • Evaluate Inherent Risk (High-Medium-Low) • List control activities (risk responses) • Evaluate Residual Risk (High-Medium-Low) • Analyze results - Recommendations • SWOT Analysis • Report to Steering Committee & CAP Team
RA and CA (Stage 2) - Process • Effectiveness Testing • Test Key Controls (Plan with Objectives) • Interviews • Document Sampling • Process walk through (single document) • Attribute Sample testing • Report to Steering Committee & CAP Team
Information and Communication • Review General Information • Interview Management • Modify Questionnaire – Key control points • Distribute to all • Analyze results - Strengths & Weaknesses • Test Key Controls • Report to Steering Committee & CAP Team
Monitoring • Review General Information • Interview Management • Modify Questionnaire – Key control points • Distribute to all • Analyze results - Strengths & Weaknesses • Test Key Controls • Report to Steering Committee & CAP Team
Corrective Action Plan (CAP) • Year-round activity (Quarterly reports) • DOA Submissions (Significant) • Classify risks (consistency) • Track deficiencies and corrections • See ARMICS for data elements • Testing
Corrective Action Plan (CAP) • Testing • Test Objective (Purpose) • Testing Criteria • Test Results • Conclusion • Agency Head Reporting
References The Comptroller’s Directive and Agency Risk Management & Internal Control Standards are available from http://www.doa.virginia.gov/ARMICS/ARMICS_main.cfm Commonwealth of Virginia Department of Accounts
Contacts armics@doa.virginia.gov 804-225-4366 – voice 804-225-4250 – facsimile Email-joe.kapelewski@doa.virginia.gov