1 Internal Controls 101 and ARMICS – An Auditor's Perspective
Deane Hennett, Director of Internal Audit, Old Dominion University

2 What We're Going To Cover
- Why Are We Here?
- What Internal Controls Are And Why You Want Them
- ERM and ARMICS – What's New, What's Different and What It Means
- Meeting the New Standards
- Ideas For How To Go About It
- Conclusions

3 Why We're Here
- A Little About Me
- Origination of this Session

4 Definition of Internal Controls
Simple definition:
- Help make sure things happen the way you want them to happen
- Make sure bad or unexpected things don't happen

5 Definition of Internal Controls
More sophisticated definition: an effective system of internal control
- Provides accountability for meeting program objectives,
- Promotes operational efficiency,
- Ensures the reliability of financial statements,
- Ensures compliance with laws and regulations, and
- Reduces the risk of asset loss due to fraud, waste, or abuse.

6 Internal Controls
Internal controls are basically a tool for management to use in their everyday jobs.
Two types: hard controls and soft controls.
Examples of hard controls:
- Authorizations
- Comparisons and checks
- Inventories
- Monitoring output

7 Internal Controls
Examples of soft controls:
- Management philosophy
- Organizational structure
- Communication
- Competency of employees

8 Internal Controls
Why do you want internal controls?
- You can't be everywhere at once
- To give some reasonable assurance everything is OK
- As a deterrent
- The rule

9 Internal Controls

10 What Are You Required To Do Now Concerning Internal Control?
Current CAPP:
"Agencies are required to develop a formal program to evaluate the operating environment and ensure adequate internal controls are maintained over financial assets. All agencies and institutions must certify to (DOA) that agency management acknowledges its responsibility for internal control, and represents that a cost-effective system of internal control is in place and functioning to adequately safeguard the assets of the agency and reasonably assure the proper recording of the agency's financial transactions."

11 Current Internal Control Requirements
- What are you basing your current certification on?
- Anything formal?
- ARMICS provides standards to follow.
- The current push for ARMICS and ERM is, in many respects, nothing more than putting more weight and detail into what everyone is ALREADY required to do.

12 Current Internal Control Requirements
- Why is DOA interested in controls?
- How do you decide what controls you need?
- Before you can have good controls, you have to understand what risks you have, in order to pick which controls you need.
- The new Agency Risk Management standards are designed to help with that.

13 What Is ERM?
Enterprise Risk Management is defined as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

14 What Is ERM?
Put differently, ERM is a comprehensive and systematic program to identify, measure, prioritize, and respond to the risks associated with reaching organizational objectives.
The ERM framework emphasizes "soft control" activities. Traditionally, internal control systems focused on "hard" controls (such as physical or electronic controls). Soft controls are intangibles that management emphasizes to direct the organization.

15 Description of ARMICS
Agency Risk Management and Internal Control Standards provide guidance for managing risk, maintaining accountability, and achieving strategic objectives. They also contain implementation and evaluation tools that can be tailored to meet each agency's unique circumstances.

16 Objectives of ARMICS
The new Standards include five objectives:
- Strategic – high-level goals and objectives, aligned with and supporting the mission.
- Operational – effective and efficient use of resources.
- Reporting – integrity and reliability of reporting.
- Compliance – compliance with applicable laws and regulations.
- Stewardship – protection and conservation of assets.

17 Why Are ERM and ARMICS Being Emphasized?
- Scandals
- Subsequent legislation (SOX, etc.)
- Trickle down of expectations to government
- Virginia as a "Best Managed" state
- Best practices
- Changes in university environment

18 Why Are ERM and ARMICS Needed?
Changes in university environment:
- Commonwealth's higher ed de-centralization initiatives – increased authority, scrutiny of performance and performance objectives
- Increasing internal and external risks that can disrupt goals and objectives and create legal liabilities and public image crises
- Increasing need for coordination and cooperation among departments and processes to reach university goals, and

19 Why Are ERM and ARMICS Needed?
- Dramatic rise in compliance concerns (new regulations and increased oversight), a few of which include:
  - Virginia Information Technology Agency (VITA) standards and guidelines regarding computer systems and their security
  - Privacy legislation such as FERPA, HIPAA and Gramm-Leach-Bliley
  - Credit card acceptance regulations

20 What Does It Mean?
The common thread to all of these changes is the need to assess the risks involved in the business environment in which an entity operates: not just at top management levels, but at component departmental levels as well.
To do any less in today's environment accepts an unnecessary probability of problems and complications in our operations.

21 What Does It Mean?
It has become important that all departments appropriately approach risk, compliance and controls for several reasons:
- More sophisticated initiatives need multiple departments to integrate seamlessly
- Many compliance issues are no longer the focus of a single lead department; in some cases, all areas must be in compliance or the entity as a whole is not.
- The environment is less tolerant.

22 What Does It Mean?
- Will require a different style of management in many of our departments, one in which a more formal assessment of risk and controls is included in day-to-day management.
- Managing risk needs to be embedded in all management decisions and approaches in running departments or processes.
- This will help prevent problems or non-compliance, and the need to remedy the situation after damage is done.
- Many are not used to assessing risks in their organizations and designing controls to mitigate those risks.

23 Benefits of ERM and ARMICS
- Helps handle the challenges of assessing and managing risk efficiently, reaching goals and objectives, and ensuring compliance with various mandates with a manageable, centralized approach to risk management.
- Maximizes the ability to meet challenges and helps minimize overall work by not meeting each external challenge and requirement piecemeal.
- Used at the departmental level, promotes risk awareness, successful goal implementation and general compliance, and helps eliminate the need for piecemeal risk assessments.
- Helps with audits.

24 Implementing ARMICS
Per DOA, the action needed: each agency must plan and take systematic, proactive measures to
- (a) plan, develop, and implement a comprehensive and cost effective risk management program to support its performance management program;
- (b) assess the adequacy of internal controls in all agency services, operations, and activities;
- (c) identify needed improvements;

25 Implementing ARMICS
Per DOA, action needed (cont'd):
- (d) take corresponding preventative and corrective actions; and
- (e) report annually on internal control.
These steps should be integrated with the development, implementation, and monitoring of strategic plans, with specific links from each service objective in strategic plans to appropriate risk responses and control activities.

26 Implementing ARMICS
- Sounds overwhelming!
- May not be as bad as you think!
- Understood that the form of implementation may differ from institution to institution.
- May already be doing many aspects of ARMICS that can be used.
- To some degree, dovetails with 6-year budgeting.

27 Meeting The Standards
Agency must demonstrate it has 8 risk management items established and functioning:
- Internal Environment
- Objective Setting
- Event Identification
- Risk Assessment
- Risk Response
- Control Activities
- Information and Communication
- Monitoring

28 Meeting The Standards
Internal Environment – includes:
- Risk management philosophy
- Risk appetite
- Board oversight
- Integrity and ethical values
- Competence of work force
- Assignment of authority and responsibility
- Organizational structure
- Human resources development

29 Meeting the Standards - How
Internal Environment – some of the things you may already be doing or could do:
- Statement or survey of risk attitudes and culture
- Board bylaws and other management documents that indicate oversight
- Code of ethics, handbooks, policies
- EWPs and evaluations
- Organization charts
- Training programs

30 Meeting The Standards
Objective Setting – Set operational, reporting and compliance objectives. A process should be in place to ensure objectives support and align with the agency mission, and that objectives are consistent with risk appetite.
Event Identification – Identify potential internal and external events that could affect achievement of objectives.

31 Meeting the Standards - How
Objective Setting – examples:
- Strategic plans and awareness
- Division and department objectives and goals
- Budgeting documentation and rationale
Event Identification – examples:
- Event inventories
- Interviews and meetings
- Questionnaires and surveys
- Process flow analysis

32 Meeting The Standards
Risk Assessment – Analyzing likelihood and impact of potential events on achieving objectives. Should look at:
- Inherent risk
- Likelihood
- Residual risk

33 Meeting the Standards - How
Risk Assessment – examples:
- Formal risk assessments already done by different areas
- Departmental self assessments
- Assessments as part of budgeting

34 Meeting The Standards
Risk Response – How management chooses to respond to risk in accordance with risk tolerances. Four possible responses:
- Avoidance
- Reduction
- Sharing
- Acceptance

35 Meeting the Standards - How
Risk Response – examples:
- Conscious actions taken as a result of risk assessments, etc.
- Avoidance – closure, abandon initiative
- Reduction – processes, management involvement, limits
- Sharing – joint ventures, insurance, contracts
- Acceptance – already conforms to risk tolerances

36 Meeting the Standards
Control Activities – implemented to help ensure risk responses are completed.
- Reviews
- Direct management
- Performance indicators
- Segregation of duties

37 Meeting the Standards - How
Control Activities – examples:
- Documented in policies and procedures
- Review of performance and reports
- Documented in process flowcharts
- Job assignments

38 Meeting the Standards
Information and Communication – identifying and communicating information so that people can carry out their responsibilities.
Monitoring – assessing the existence, functioning and improvement of controls or risk management components. Happens through both ongoing management activity and separate evaluations.

39 Meeting the Standards - How
Information and Communication – examples:
- How information is distributed and communicated
- Meetings
- Training and awareness programs
- Organization of departments and processes

40 Meeting the Standards - How
Monitoring – examples:
- Management reviews of reports, limits, performance indicators, escalation triggers
- Self assessments
- Reviews by independent parties, such as internal or external auditors

41 Implementation
Steps in implementing the standards:
- Get top management commitment
- Put together a representative team
- Develop an implementation plan:
  - Assess your current status
    - What do you already have that can be used as is
    - What needs to be upgraded
    - What gaps exist

42 Implementation
- Implement ARM techniques and controls in "gap" areas
  - Risk assessments, new policies, new controls, etc.
- Documentation for possible review
- Test and monitor
- Certify

43 Conclusions
- Internal controls are a tool for management to use in their everyday jobs.
- Internal controls consist of hard and soft controls.
- Before you can have good controls, you have to understand what risks you have, in order to pick which controls you need.

44 Conclusions
- The new Agency Risk Management standards are designed to help with that.
- The current push for ARMICS and ERM is, in many respects, nothing more than putting more weight and detail into what everyone is ALREADY required to do.
- ERM is a comprehensive and systematic program to identify, measure, prioritize, and respond to the risks associated with reaching organizational objectives.

45 Conclusions
- Long-run benefits in assessing and managing risk efficiently, reaching goals and objectives, and ensuring compliance with a manageable, centralized approach to risk management.
- May not be as bad as you think!
- Already doing many aspects of ARMICS that can be used.
- Big change is a change in management philosophy.

46 Conclusions
Successfully dealing with ARMICS will require:
- Top management commitment
- An implementation plan
- Involvement by many
- Upgrading or creation of various policies or documentation tools
- Monitoring techniques
- Don't think of it as another thing you're "required" to do, but as a useful, long-run tool
