1 / 42

Agency Risk Management & Internal Control Standards (ARMICS) Nutz and Boltz

Commonwealth of Virginia Fiscal Fundamentals. Agency Risk Management & Internal Control Standards (ARMICS) Nutz and Boltz. ARMICS. 122 Page Document (Pages 3 – 36 Meat, the rest is tools to use) Comptroller’s Directive 1-07 Force of Law Based on the 1992 COSO Standards.

malo
Télécharger la présentation

Agency Risk Management & Internal Control Standards (ARMICS) Nutz and Boltz

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Commonwealth of Virginia Fiscal Fundamentals Agency Risk Management & Internal Control Standards (ARMICS)Nutz and Boltz

  2. ARMICS • 122 Page Document (Pages 3 – 36 Meat, the rest is tools to use) • Comptroller’s Directive 1-07 • Force of Law • Based on the 1992 COSO Standards

  3. Why do we need ARMICS? Financial managers never actually do the risk assessment well until after the accident happens. Why did the financial manager get run over crossing the road?

  4. Two Components • Comptroller’s Directive 1-07 • Agency Risk Management and Internal Control Standards (ARMICS)

  5. General Approach • Breakdown • Organize • Document

  6. STEERING COMMITTEE • Stay out of the weeds • General Planning • Designate and delegate • REVIEW Output • Organize Process and Results • Documentation • Report Out

  7. GENERAL CONCEPTS • Concurrent not linear progression • Corrective Action Plan (CAP) from the beginning – NOT the last step! • Flexibility • Open Mind toward improvements

  8. DEFICIENCIES • No Control • Insufficient Control • Ineffective Control • Inefficient Control (Over control)

  9. Over Control ?

  10. How difficult can it be? Genie in a Lamp An Agency Head was walking along a beach when he found a lamp. Upon rubbing the lamp a genie appeared who stated "I am the most powerful genie in the world. Because I am so powerful, I can grant you any wish you want, but only one wish. " The Agency Head pulled out a Virginia highway map showing all of the new roads, repairs, and bridges that were needed and said “I’d like all this work to be done in one year and not cost the State one penny." The genie responded, "Gee, I don't know. That’s a lot of new roads and repairs to be done. This is tough. I can patch all the pot holes, but this is beyond my limits." The Agency Head then said, "Well, my staff is working on ARMICS, could you help them implement this Directive?" Genie: "Uh, let me see that map again."

  11. BREAKDOWN • Five (5) Components of Internal Control • Six (6) Project Teams / Task Forces

  12. FIVE COMPONENTS • Control Environment • Risk Assessment • Control Activities • Information and Communication • Monitoring

  13. SIX PROJECT TEAMS • Agency Level: Control Environment (Stage 1) • Agency Level: Risk Assessment and Control Activities (Stage 1 ONLY) • Process Level: Risk Assessment and Control Activities (Stage 2 ONLY) • Agency Level: Information & Communication (Stage 1) • Agency Level: Monitoring (Stage 1) • Corrective Action Plan (Stage 3)

  14. Why Agency Level Assessments ? There once was an Agency Head who was interviewing candidates for the position of “Deputy Director." He decided to select the individual who could answer the question, "How much is 2+2?" The first candidate was an engineer. He pulled out a slide rule and showed that the answer was 4. The second candidate was a lawyer. He stated that, in the case of Svenson vs. the State, 2+2 was proven to be 4. The final candidate was an accountant. When asked what 2+2 equaled, the accountant did not respond immediately. He looked at the Agency Head, got out of his chair and went to see if anyone was listening at the door. Then he returned to the Agency Head and said, in a low voice, "Did you have some particular number in mind?"

  15. Another Perspective

  16. INTERNAL CONTROL LIMITATIONS • Faulty Judgment • Human Error - Mistake • Collusion • Override of Controls (Power Play) • Acceptable Risk Gone Wrong – Control Costs Exceed the Benefits • Perfect Storm (Multiple small things come together)

  17. ARMICSGeneral Preparation

  18. GENERAL DOCUMENTS • Organization Charts • Unit Functional Statements • General Control Policies (HRO, IS, Ethics) • Strategic Plan (DPB or agency internal) • Code of Ethics • Control Self-Assessment (CSA) reviews • Internal Audit Risk Assessment • Anything else applicable to agency Mgmt.

  19. GENERAL PROCESSES • Plan from Steering Committee • Assignment of personnel • Deadlines • Identify places of flexibility in the plan • Meet and know the key people • Other resources needed • Travel issues (if applicable) • Anything else

  20. ARMICSControl Environment

  21. Control Environment The foundation on which everything rests: • The “tone” of the agency • Management’s philosophy • Integrity and ethics • Commitment to competence • Accountability • Policies and procedures

  22. Attitude A group of accountants and a group of engineers were traveling by train to a meeting. The engineers bought one ticket each and watched dumbfounded as the accountants bought only one ticket for their group. Upon inquiring of the accountants as to how they intended to travel with one ticket, they were told to "watch and learn." When the conductor began his collection of the tickets, the accountants all crowded into one bathroom. When the conductor knocked on the door and said "Ticket please", one of the accountants handed him their ticket. The engineers, being quick to learn, purchased only one ticket for the return trip but watched in utter amazement as the accountants didn't purchase any tickets. When the conductor began to collect tickets, the engineers crowded into one bathroom and the accountants into another to await his arrival. After the doors closed, one of the accountants walked over to the bathroom where the engineers were waiting, knocked on the door, and said, "Ticket please!"

  23. Control Environment • Review General Information • Interview Management • Modify Questionnaire – Key control points • Distribute to all • Analyze results - Strengths & Weaknesses • Test Controls • Report to Steering Committee & CAP Team

  24. ARMICSRisk Assessment (Stage 1)

  25. Risk Assessment • Risk Analysis as part of Decision Making • Inherent / Response / Residual • Cost / Benefit

  26. Risk Assessment (Stage 1) - Process • Review General Information • Modify Questionnaire – Key control points • Distribute to all or target groups • Analyze results - Strengths & Weaknesses • Test Controls • Report to Steering Committee & CAP Team • Focus on Agency wide – Stay out of specific processes

  27. ARMICSControl Activities (Stage 1)

  28. Control Activities • Policies and Procedures • Information Systems – General Controls • Access • FOCUS: Accounting and Information Systems Areas

  29. RA and CA (Stage 1) - Process • Review General Information • Modify Questionnaire – Key control points • Distribute to all or target groups • Analyze results - Strengths & Weaknesses • Test Controls • Report to Steering Committee & CAP Team • Focus on Agency wide – Stay out of specific processes

  30. ARMICSRisk Assessment andControl Activities (Stage 2)

  31. RA and CA (Stage 2)- Process • Determine Significant Fiscal Processes • CARS – ACTR0402 (Year End) • Financial Statement Directives • Amounts processed ($$$ and Transactions) • Processes Documentation • Narratives, Flow Chart, DFDs, combos, etc.) • Use Questionnaire – Key control points • Now we are into the weeds !

  32. RA and CA (Stage 2) - Process • Evaluate Inherent Risk (High-Medium-Low) • List control activities (risk responses) • Evaluate Residual Risk (High-Medium-Low) • Analyze results - Recommendations • SWOT Analysis • Report to Steering Committee & CAP Team

  33. RA and CA (Stage 2) - Process • Effectiveness Testing • Test Key Controls (Plan with Objectives) • Interviews • Document Sampling • Process walk through (single document) • Attribute Sample testing • Report to Steering Committee & CAP Team

  34. ARMICS Information and Communication

  35. Information and Communication • Review General Information • Interview Management • Modify Questionnaire – Key control points • Distribute to all • Analyze results - Strengths & Weaknesses • Test Key Controls • Report to Steering Committee & CAP Team

  36. ARMICS Monitoring

  37. Monitoring • Review General Information • Interview Management • Modify Questionnaire – Key control points • Distribute to all • Analyze results - Strengths & Weaknesses • Test Key Controls • Report to Steering Committee & CAP Team

  38. ARMICS CAP Corrective Action Plan

  39. Corrective Action Plan (CAP) • Year-round activity (Quarterly reports) • DOA Submissions (Significant) • Classify risks (consistency) • Track deficiencies and corrections • See ARMICS for data elements • Testing

  40. Corrective Action Plan (CAP) • Testing • Test Objective (Purpose) • Testing Criteria • Test Results • Conclusion • Agency Head Reporting

  41. References The Comptroller’s Directive and Agency Risk Management & Internal Control Standards are available from http://www.doa.virginia.gov/ARMICS/ARMICS _main.cfm Commonwealth of Virginia Department of Accounts 41

  42. Contacts armics@doa.virginia.gov 804-225-4366 – voice 804-225-4250 – facsimile Email-joe.kapelewski@doa.virginia.gov Commonwealth of Virginia Department of Accounts 42

More Related