Agency Risk Management & Internal Control Standards (ARMICS)

2 VCU Controller’s Office: Council of Deans New Emphasis on Internal Controls The Sarbanes-Oxley Act of 2002 is now impacting the public sector The Sarbanes-Oxley Act of 2002 is now impacting the public sector Auditing profession has new standard related to internal controls - lowers the bar on internal control weaknesses reported by auditors. Auditing profession has new standard related to internal controls - lowers the bar on internal control weaknesses reported by auditors. Commonwealth of Virginia Comptroller has mandated internal control assessments at agencies and institutions – ARMICS Commonwealth of Virginia Comptroller has mandated internal control assessments at agencies and institutions – ARMICS

3 VCU Controller’s Office: Council of Deans Internal Control Internal Control “Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: “Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Effective and efficient operations Effective and efficient operations Reliable financial reporting Reliable financial reporting Compliance with laws and regulations” Compliance with laws and regulations” A number of writers add “safeguarding assets”

4 VCU Controller’s Office: Council of Deans Responsibility for Internal Control – Not Just Accountants Governing Boards Governing Boards Executive Management (Agency Heads) Executive Management (Agency Heads) Senior and Line Management (including CFOs and Fiscal Officers) Senior and Line Management (including CFOs and Fiscal Officers) Supervisors and Staff Supervisors and Staff EVERYONE IS RESPONSIBLE! EVERYONE IS RESPONSIBLE!

5 VCU Controller’s Office: Council of Deans ARMICS Comptroller Directive 1-07 – issued 11/15/06 – 3 stages Comptroller Directive 1-07 – issued 11/15/06 – 3 stages Stage 1 – Agency-Level Internal Control Assessment - due September 30, 2007 Stage 1 – Agency-Level Internal Control Assessment - due September 30, 2007 Stage 2 – Process and Transaction-Level Internal Control Assessment - due March 31, 2008 Stage 2 – Process and Transaction-Level Internal Control Assessment - due March 31, 2008 Stage 3 – Corrective Action Plan - due June 30, 2008 Stage 3 – Corrective Action Plan - due June 30, 2008 Each stage requires certification by President and CFO as well as disclosure of deficiencies. Each stage requires certification by President and CFO as well as disclosure of deficiencies. After this initial review, ARMICS will be a continuing process. After this initial review, ARMICS will be a continuing process. Emphasis on: Emphasis on: Fiscal processes and financial statements Fiscal processes and financial statements Compliance with laws and regulations Compliance with laws and regulations Stewardship over assets Stewardship over assets VCU Controller’s Office will coordinate ARMICS. VCU Controller’s Office will coordinate ARMICS.

6 VCU Controller’s Office: Council of Deans Stage 1: Agency Level Controls Focus on Five Key Elements Control Environment - the foundation on which everything rests: Control Environment - the foundation on which everything rests: The “tone” of the agency The “tone” of the agency Management’s philosophy Management’s philosophy Integrity and ethics Integrity and ethics Commitment to competence Commitment to competence Accountability Accountability Policies and procedures Policies and procedures Control Environment Communication Information Monitoring Control Activities Risk Assessment

7 VCU Controller’s Office: Council of Deans Organizational Risk Risk assessment considers the extent to which potential events could affect the achievement of objectives. Major risk areas: Risk assessment considers the extent to which potential events could affect the achievement of objectives. Major risk areas: Financial Financial Legal liability Legal liability Regulatory compliance Regulatory compliance Organizational image Organizational image Organization-specific Organization-specific Data integrity and reliability Data integrity and reliability Confidentiality of data Confidentiality of data Safeguarding proprietary data Safeguarding proprietary data Contingency planning Contingency planning Operations Operations Control Environment Communication Information Monitoring Control Activities Risk Assessment

8 VCU Controller’s Office: Council of Deans Control Activities Clearly convey control responsibilities to employees. Ensure they understand. Clearly convey control responsibilities to employees. Ensure they understand. Hold employees personally accountable for assigned control activities. Hold employees personally accountable for assigned control activities. Do not tolerate management override of controls. Do not tolerate management override of controls. Make policies and procedures exceptions only when appropriate. Document exceptions thoroughly. Make policies and procedures exceptions only when appropriate. Document exceptions thoroughly. Control Environment Communication Information Monitoring Control Activities Risk Assessment

9 VCU Controller’s Office: Council of Deans Information and Communication Information is top down, bottom up, and across functional areas. Information is top down, bottom up, and across functional areas. Information is of high quality – useful, timely, relevant, accurate, user-friendly. Information is of high quality – useful, timely, relevant, accurate, user-friendly. Employee duties and control responsibilities are clearly communicated to them. Employee duties and control responsibilities are clearly communicated to them. Management is receptive to employee concerns, suggestions, and complaints. Management is receptive to employee concerns, suggestions, and complaints. Customer complaints go to the right level and get resolved appropriately. Customer complaints go to the right level and get resolved appropriately. Control Environment Communication Information Monitoring Control Activities Risk Assessment

10 VCU Controller’s Office: Council of Deans Monitoring Hold management and supervisors accountable for monitoring staff. Hold management and supervisors accountable for monitoring staff. Hold staff accountable for monitoring their own activities. Hold staff accountable for monitoring their own activities. Monitor both hard controls and the control environment. Monitor both hard controls and the control environment. Watch for behavioral “red flags.” Watch for behavioral “red flags.” Conduct independent control assessments. Conduct independent control assessments. Control Environment Communication Information Monitoring Control Activities Risk Assessment

11 VCU Controller’s Office: Council of Deans Agency Level Controls Oversight Team will address University level controls in Stage 1. Oversight Team will address University level controls in Stage 1. Identify / evaluate controls at University, executive, and school levels. Identify / evaluate controls at University, executive, and school levels. Identify areas for improvement. Identify areas for improvement. Evaluation of some controls will require surveys – includes management, employees with access to Banner systems, and employees with the corporate card: Evaluation of some controls will require surveys – includes management, employees with access to Banner systems, and employees with the corporate card: Ethics Ethics Management commitment to professional and technical competence Management commitment to professional and technical competence Organization structure Organization structure Assignment of authority and responsibility Assignment of authority and responsibility Human resource standards Human resource standards Information and communication Information and communication

12 VCU Controller’s Office: Council of Deans ARMICS Ethics Questions 1.The agency’s Code of Ethics and other policies regarding acceptable business practice, conflicts of interest, and expected standards of ethical and moral behavior are comprehensive and relevant and address matters of significance. 2.Employees fully and clearly understand what behavior is acceptable and unacceptable under the agency’s Code of Ethics and know what to do when they encounter improper behavior. 3.Management frequently and clearly communicates the importance of integrity and ethical behavior during staff meetings, one-on-one discussions, training and periodic written statements of compliance from key employees. 4.Management demonstrates a commitment to integrity and ethical behavior by example in their day-to-day activities. 5.Employees are generally inclined to do the “right thing” when faced with pressures to cut corners with regard to policies and procedures. 6.Management addresses and resolves violations of behavioral and ethical standards consistently, timely, and equitably in accordance with the provisions of the agency’s Code of Ethics. 7.The existence of the agency’s Code of Ethics and the consequences of its breach are an effective deterrent to unethical behavior. 8.Management strictly prohibits circumvention of established policies and procedures, except where specific guidance has been provided, and demonstrates commitment to this principle. 9.Performance targets are reasonable and realistic and do not create undue pressure on achievement of short-term results. 10.Ethics are woven into criteria used to evaluate individual or division’s performance. 11.Management reacts appropriately when receiving bad news from subordinates and divisions.

13 VCU Controller’s Office: Council of Deans Stage 2: Process Level Assessment Process/transaction level assessment: Process/transaction level assessment: Identify and document significant fiscal processes Identify and document significant fiscal processes Perform risk assessment Perform risk assessment Identify control activities Identify control activities Test effectiveness of control activities and document the results Test effectiveness of control activities and document the results Includes departmental activities as well as central units – from the initiation of a transaction to recording in Banner to the University’s financial statements. Includes departmental activities as well as central units – from the initiation of a transaction to recording in Banner to the University’s financial statements. Assurance Services will assist in the initial ARMICS evaluation and testing in several key areas. Assurance Services will assist in the initial ARMICS evaluation and testing in several key areas.

14 VCU Controller’s Office: Council of Deans Stage 3: Reporting Deficiencies Deficiencies must be disclosed to the State with March 2008 certification. Deficiencies must be disclosed to the State with March 2008 certification. Corrective action plan must submitted by June 2008 including: Corrective action plan must submitted by June 2008 including: Description of deficiency and when identified Description of deficiency and when identified Target date for completion of corrective action Target date for completion of corrective action Personnel responsible for monitoring progress Personnel responsible for monitoring progress Indicators/statistics used to monitor progress Indicators/statistics used to monitor progress Target to indicate deficiency corrected Target to indicate deficiency corrected State Department of Accounting (DOA) and the Auditor of Public Accounts (APA) are expected to review the documentation. State Department of Accounting (DOA) and the Auditor of Public Accounts (APA) are expected to review the documentation.

15 VCU Controller’s Office: Council of Deans ARMICS Affects All Areas of the University Management -- President, Vice Presidents, Deans, Department Head, Supervisors -- must set the tone and be committed to internal controls. Management -- President, Vice Presidents, Deans, Department Head, Supervisors -- must set the tone and be committed to internal controls. Employee responsibilities must be clear at all levels affecting financial systems – from departmental administrators to central offices. Employee responsibilities must be clear at all levels affecting financial systems – from departmental administrators to central offices. Departments must document procedures, ensure proper internal controls, and comply with established policies and procedures. Departments must document procedures, ensure proper internal controls, and comply with established policies and procedures. Central units must implement, review, and test controls. Central units must implement, review, and test controls.

16 VCU Controller’s Office: Council of Deans Next Steps Oversight Committee being established to assess Stage 1 -- agency control environment. Oversight Committee being established to assess Stage 1 -- agency control environment. Central units and Assurance Services will be documenting and assessing Stage 2 -- key financial processes; testing will begin this summer. Central units and Assurance Services will be documenting and assessing Stage 2 -- key financial processes; testing will begin this summer. Controller’s Office developing detail work plan, key dates, and training materials/tools for departments which will have to document their individual processes. Controller’s Office developing detail work plan, key dates, and training materials/tools for departments which will have to document their individual processes. Management should show its commitment for the ARMICS process. Remind employees of University documents setting the tone: Management should show its commitment for the ARMICS process. Remind employees of University documents setting the tone: University Code of Ethics University Code of Ethics Code of Conduct for Business Practices Code of Conduct for Business Practices Reporting Compliance Concerns Reporting Compliance Concerns Ensure that employees have the tools to perform their jobs. Ensure that employees have the tools to perform their jobs.