Presentation transcript: "Internal Controls 101 and ARMICS"

Internal Controls 101 and ARMICS
An Auditor's Perspective
Deane Hennett, Director of Internal Audit, Old Dominion University
What We're Going To Cover
- Why are we here?
- What internal controls are and why you want them
- ERM and ARMICS: what's new, what's different and what it means
- Meeting the new standards
- Ideas for how to go about it
- Conclusions

Why We're Here
- A little about me
- Origination of this session
Definition of Internal Controls
Simple definition:
- Help make sure things happen the way you want them to happen
- Make sure bad or unexpected things don't happen

Definition of Internal Controls
More sophisticated definition. An effective system of internal control:
- Provides accountability for meeting program objectives,
- Promotes operational efficiency,
- Ensures the reliability of financial statements,
- Ensures compliance with laws and regulations, and
- Reduces the risk of asset loss due to fraud, waste, or abuse.
Internal Controls
- Internal controls are basically a tool for management to use in their everyday jobs.
- Two types: hard controls and soft controls.
- Examples of hard controls:
  - Authorizations
  - Comparisons and checks
  - Inventories
  - Monitoring output

Internal Controls
- Examples of soft controls:
  - Management philosophy
  - Organizational structure
  - Communication
  - Competency of employees

Internal Controls
Why do you want internal controls?
- You can't be everywhere at once
- To give some reasonable assurance that everything is OK
- As a deterrent
- The rule
What Are You Required To Do Now Concerning Internal Control?
Current CAPP 10305:
"Agencies are required to develop a formal program to evaluate the operating environment and ensure adequate internal controls are maintained over financial assets. All agencies and institutions must certify to (DOA) that agency management acknowledges its responsibility for internal control, and represents that a cost-effective system of internal control is in place and functioning to adequately safeguard the assets of the agency and reasonably assure the proper recording of the agency's financial transactions."

Current Internal Control Requirements
- What are you basing your current certification on? Anything formal?
- ARMICS provides standards to follow.
- The current push for ARMICS and ERM is, in many respects, nothing more than putting more weight and detail into what everyone is ALREADY required to do.

Current Internal Control Requirements
- Why is DOA interested in controls?
- How do you decide what controls you need?
- Before you can have good controls, you have to understand what risks you have, in order to pick which controls you need.
- The new Agency Risk Management standards are designed to help with that.
What Is ERM?
Enterprise Risk Management is defined as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

What Is ERM?
- Put differently, ERM is a comprehensive and systematic program to identify, measure, prioritize, and respond to the risks associated with reaching organizational objectives.
- The ERM framework emphasizes "soft control" activities. Traditionally, internal control systems focused on "hard" controls (such as physical or electronic controls). Soft controls are intangibles that management emphasizes to direct the organization.

Description of ARMICS
- Agency Risk Management and Internal Control Standards provide guidance for managing risk, maintaining accountability, and achieving strategic objectives.
- They also contain implementation and evaluation tools that can be tailored to meet each agency's unique circumstances.

Objectives of ARMICS
The new Standards include five objectives:
- Strategic: high-level goals and objectives, aligned with and supporting the mission.
- Operational: effective and efficient use of resources.
- Reporting: integrity and reliability of reporting.
- Compliance: compliance with applicable laws and regulations.
- Stewardship: protection and conservation of assets.
Why Are ERM and ARMICS Being Emphasized?
- Scandals
- Subsequent legislation (SOX, etc.)
- Trickle-down of expectations to government
- Virginia as a "Best Managed" state
- Best practices
- Changes in the university environment

Why Are ERM and ARMICS Needed?
Changes in the university environment:
- The Commonwealth's higher-ed decentralization initiatives: increased authority, scrutiny of performance and performance objectives
- Increasing internal and external risks that can disrupt goals and objectives and create legal liabilities and public image crises
- Increasing need for coordination and cooperation among departments and processes to reach university goals, and

Why Are ERM and ARMICS Needed?
- Dramatic rise in compliance concerns (new regulations and increased oversight), a few of which include:
  - Virginia Information Technology Agency (VITA) standards and guidelines regarding computer systems and their security,
  - Privacy legislation such as FERPA, HIPAA and Gramm-Leach-Bliley (GLBA),
  - Credit card acceptance regulations
What Does It Mean?
- The common thread to all of these changes is the need to assess the risks involved in the business environment in which an entity operates: not just at top management levels, but at component departmental levels as well.
- To do any less in today's environment accepts an unnecessary probability of problems and complications in our operations.

What Does It Mean?
It has become important that all departments appropriately approach risk, compliance and controls, for several reasons:
- More sophisticated initiatives need multiple departments to integrate seamlessly.
- Many compliance issues are no longer the focus of a single lead department; in some cases, all areas must be in compliance or the entity as a whole is not.
- The environment is less tolerant.

What Does It Mean?
- It will require a different style of management in many of our departments, one in which a more formal assessment of risk and controls is included in day-to-day management.
- Managing risk needs to be embedded in all management decisions and approaches to running departments or processes.
- This will help prevent problems or non-compliance, and the need to remedy the situation after damage is done.
- Many are not used to assessing risks in their organizations and designing controls to mitigate those risks.

Benefits of ERM and ARMICS
- Helps handle the challenges of assessing and managing risk efficiently, reaching goals and objectives, and ensuring compliance with various mandates, with a manageable, centralized approach to risk management.
- Maximizes the ability to meet challenges and helps minimize overall work by not meeting each external challenge and requirement piecemeal.
- Used at the departmental level, promotes risk awareness, successful goal implementation and general compliance, and helps eliminate the need for piecemeal risk assessments.
- Helps with audits.
Implementing ARMICS
Per DOA, the action needed: each agency must plan and take systematic, proactive measures to
(a) plan, develop, and implement a comprehensive and cost-effective risk management program to support its performance management program;
(b) assess the adequacy of internal controls in all agency services, operations, and activities;
(c) identify needed improvements;

Implementing ARMICS
Per DOA, action needed (cont'd):
(d) take corresponding preventative and corrective actions; and
(e) report annually on internal control.
These steps should be integrated with the development, implementation, and monitoring of strategic plans, with specific links from each service objective in strategic plans to appropriate risk responses and control activities.

Implementing ARMICS
- Sounds overwhelming! May not be as bad as you think!
- It is understood that the form of implementation may differ from institution to institution.
- You may already be doing many aspects of ARMICS that can be used.
- To some degree, it dovetails with six-year budgeting.
Meeting The Standards
The agency must demonstrate it has eight risk management components established and functioning:
- Internal Environment
- Objective Setting
- Event Identification
- Risk Assessment
- Risk Response
- Control Activities
- Information and Communication
- Monitoring

Meeting The Standards
Internal Environment includes:
- Risk management philosophy
- Risk appetite
- Board oversight
- Integrity and ethical values
- Competence of the work force
- Assignment of authority and responsibility
- Organizational structure
- Human resources development

Meeting the Standards - How
Internal Environment. Some of the things you may already be doing or could do:
- Statement or survey of risk attitudes and culture
- Board bylaws and other management documents that indicate oversight
- Code of ethics, handbooks, policies
- Employee Work Profiles (EWPs) and evaluations
- Organization charts
- Training programs
Meeting The Standards
- Objective Setting: set operational, reporting and compliance objectives. A process should be in place to ensure objectives support and align with the agency mission, and that objectives are consistent with risk appetite.
- Event Identification: identify potential internal and external events that could affect achievement of objectives.

Meeting the Standards - How
Objective Setting, examples:
- Strategic plans and awareness of them
- Division and department objectives and goals
- Budgeting documentation and rationale
Event Identification, examples:
- Event inventories
- Interviews and meetings
- Questionnaires and surveys
- Process flow analysis

Meeting The Standards
Risk Assessment: analyzing the likelihood and impact of potential events on achieving objectives. Should look at:
- Inherent risk (the risk before any management response)
- Likelihood and impact
- Residual risk (the risk that remains after management's response)

Meeting the Standards - How
Risk Assessment, examples:
- Formal risk assessments already done by different areas
- Departmental self-assessments
- Assessments done as part of budgeting
Meeting The Standards
Risk Response: how management chooses to respond to risk in accordance with its risk tolerances. Four possible responses:
- Avoidance
- Reduction
- Sharing
- Acceptance

Meeting the Standards - How
Risk Response, examples (conscious actions taken as a result of risk assessments, etc.):
- Avoidance: closure, abandoning the initiative
- Reduction: processes, management involvement, limits
- Sharing: joint ventures, insurance, contracts
- Acceptance: the risk already conforms to risk tolerances

Meeting the Standards
Control Activities: implemented to help ensure risk responses are carried out.
- Reviews
- Direct management
- Performance indicators
- Segregation of duties

Meeting the Standards - How
Control Activities, examples:
- Documented in policies and procedures
- Review of performance and reports
- Documented in process flowcharts
- Job assignments
Meeting the Standards
- Information and Communication: identifying and communicating information so that people can carry out their responsibilities.
- Monitoring: assessing the existence, functioning and improvement of controls or risk management components. Happens through both ongoing management activity and separate evaluations.

Meeting the Standards - How
Information and Communication, examples:
- How information is distributed and communicated
- Meetings
- Training and awareness programs
- Organization of departments and processes

Meeting the Standards - How
Monitoring, examples:
- Management reviews of reports, limits, performance indicators, escalation triggers
- Self-assessments
- Reviews by independent parties, such as internal or external auditors
Implementation
Steps in implementing the standards:
- Get top management commitment
- Put together a representative team
- Develop an implementation plan:
  - Assess your current status
  - What do you already have that can be used as is?
  - What needs to be upgraded?
  - What gaps exist?

Implementation
- Implement ARM techniques and controls in "gap" areas: risk assessments, new policies, new controls, etc.
- Documentation for possible review
- Test and monitor
- Certify
Conclusions
- Internal controls are a tool for management to use in their everyday jobs.
- Internal controls consist of hard and soft controls.
- Before you can have good controls, you have to understand what risks you have, in order to pick which controls you need.

Conclusions
- The new Agency Risk Management standards are designed to help with that.
- The current push for ARMICS and ERM is, in many respects, nothing more than putting more weight and detail into what everyone is ALREADY required to do.
- ERM is a comprehensive and systematic program to identify, measure, prioritize, and respond to the risks associated with reaching organizational objectives.

Conclusions
- Long-run benefits in assessing and managing risk efficiently, reaching goals and objectives, and ensuring compliance, with a manageable, centralized approach to risk management.
- May not be as bad as you think!
- You are already doing many aspects of ARMICS that can be used.
- The big change is a change in management philosophy.

Conclusions
Successfully dealing with ARMICS will require:
- Top management commitment
- An implementation plan
- Involvement by many
- Upgrading or creation of various policies or documentation tools
- Monitoring techniques
Don't think of it as another thing you're "required" to do, but as a useful, long-run tool.