
Internal Controls 101 and ARMICS


1 Internal Controls 101 and ARMICS
An Auditor’s Perspective
Deane Hennett, Director of Internal Audit, Old Dominion University

2 What We’re Going To Cover
- Why Are We Here?
- What Internal Controls Are And Why You Want Them
- ERM and ARMICS – What’s New, What’s Different and What It Means
- Meeting the New Standards
- Ideas For How To Go About It
- Conclusions

3 Why We’re Here
- A Little About Me
- Origination of this Session

4 Definition of Internal Controls
Simple definition:
- Help make sure things happen the way you want them to happen
- Make sure bad or unexpected things don’t happen

5 Definition of Internal Controls
More sophisticated definition: An effective system of internal control:
- Provides accountability for meeting program objectives,
- Promotes operational efficiency,
- Ensures the reliability of financial statements,
- Ensures compliance with laws and regulations, and
- Reduces the risk of asset loss due to fraud, waste, or abuse.

6 Internal Controls
Internal controls are basically a tool for management to use in their everyday jobs. Two types – hard controls and soft controls.
Examples of hard controls:
- Authorizations
- Comparisons and checks
- Inventories
- Monitoring
- Output

7 Internal Controls
Examples of soft controls:
- Management philosophy
- Organizational structure
- Communication
- Competency of employees

8 Internal Controls
Why do you want internal controls?
- You can’t be everywhere at once
- To give some reasonable assurance everything is OK
- As a deterrent
- The rule

9 Internal Controls

10 What Are You Required To Do Now Concerning Internal Control?
Current CAPP 10305: “Agencies are required to develop a formal program to evaluate the operating environment and ensure adequate internal controls are maintained over financial assets. All agencies and institutions must certify to (DOA) that agency management acknowledges its responsibility for internal control, and represents that a cost-effective system of internal control is in place and functioning to adequately safeguard the assets of the agency and reasonably assure the proper recording of the agency’s financial transactions.”

11 Current Internal Control Requirements
- What are you basing your current certification on? Anything formal?
- ARMICS provides standards to follow.
- The current push for ARMICS and ERM is, in many respects, nothing more than putting more weight and detail into what everyone is ALREADY required to do.

12 Current Internal Control Requirements
- Why is DOA interested in controls?
- How do you decide what controls you need?
- Before you can have good controls, you have to understand what risks you have, in order to pick which controls you need.
- The new Agency Risk Management standards are designed to help with that.

13 What Is ERM? Enterprise Risk Management is defined as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

14 What Is ERM? Put differently, ERM is a comprehensive and systematic program to identify, measure, prioritize, and respond to the risks associated with reaching organizational objectives. The ERM framework emphasizes “soft control” activities. Traditionally, internal control systems focused on “hard” controls (such as physical or electronic controls). Soft controls are intangibles that management emphasizes to direct the organization.

15 Description of ARMICS Agency Risk Management and Internal Control Standards provide guidance for managing risk, maintaining accountability, and achieving strategic objectives. They also contain implementation and evaluation tools that can be tailored to meet each agency’s unique circumstances.

16 Objectives of ARMICS
The new Standards include five objectives:
- Strategic – high-level goals and objectives, aligned with and supporting the mission.
- Operational – effective and efficient use of resources.
- Reporting – integrity and reliability of reporting.
- Compliance – compliance with applicable laws and regulations.
- Stewardship – protection and conservation of assets.

17 Why Are ERM and ARMICS Being Emphasized?
- Scandals
- Subsequent Legislation (SOX, etc.)
- Trickle Down Of Expectations To Government
- Virginia As A “Best Managed” State
- Best Practices
- Changes In University Environment

18 Why Are ERM and ARMICS Needed?
Changes In University Environment:
- Commonwealth’s higher ed de-centralization initiatives – increased authority, scrutiny of performance and performance objectives
- Increasing internal and external risks that can disrupt goals and objectives and create legal liabilities and public image crises
- Increasing need for coordination and cooperation among departments and processes to reach university goals, and

19 Why Are ERM and ARMICS Needed?
- Dramatic rise in compliance concerns (new regulations and increased oversight) – a few of which include:
  - Virginia Information Technology Agency (VITA) standards and guidelines regarding computer systems and their security
  - Privacy legislation such as FERPA, HIPAA and Gramm-Leach
  - Credit card acceptance regulations

20 What Does It Mean? The common thread to all of these changes is the need to assess the risks involved in the business environment in which an entity operates: not just at top management levels, but at component departmental levels as well. To do any less in today’s environment accepts an unnecessary probability of problems and complications in our operations.

21 What Does It Mean?
It has become important that all departments appropriately approach risk, compliance and controls for several reasons:
- More sophisticated initiatives need multiple departments to integrate seamlessly
- Many compliance issues are no longer the focus of a single lead department; in some cases, all areas must be in compliance or the entity as a whole is not.
- Environment is less tolerant.

22 What Does It Mean?
Will require a different style of management in many of our departments, one in which a more formal assessment of risk and controls is included in day-to-day management. Managing risk needs to be embedded in all management decisions and approaches in running departments or processes. This will help prevent problems or non-compliance, and the need to remedy the situation after damage is done. Many are not used to assessing risks in their organizations and designing controls to mitigate those risks.

23 Benefits of ERM and ARMICS
- Helps handle the challenges of assessing and managing risk efficiently, reaching goals and objectives, and ensuring compliance with various mandates with a manageable, centralized approach to risk management.
- Maximizes the ability to meet challenges and helps minimize overall work by not meeting each external challenge and requirement piecemeal.
- Used at the departmental level, promotes risk awareness, successful goal implementation, general compliance, and helps eliminate the need for piecemeal risk assessments.
- Helps with audits.

24 Implementing ARMICS
Per DOA, the action needed: Each agency must plan and take systematic, proactive measures to
- (a) plan, develop, and implement a comprehensive and cost effective risk management program to support its performance management program;
- (b) assess the adequacy of internal controls in all agency services, operations, and activities;
- (c) identify needed improvements;

25 Implementing ARMICS
Per DOA, action needed (cont’d):
- (d) take corresponding preventative and corrective actions; and
- (e) report annually on internal control.
These steps should be integrated with the development, implementation, and monitoring of strategic plans, with specific links from each service objective in strategic plans to appropriate risk responses and control activities.

26 Implementing ARMICS
Sounds overwhelming! May not be as bad as you think!
- Understood that the form of implementation may differ from institution to institution.
- May already be doing many aspects of ARMICS that can be used.
- To some degree, dovetails with 6-year budgeting.

27 Meeting The Standards
Agency must demonstrate it has 8 risk management items established and functioning:
- Internal Environment
- Objective Setting
- Event Identification
- Risk Assessment
- Risk Response
- Control Activities
- Information and Communication
- Monitoring

28 Meeting The Standards
Internal Environment – Includes:
- Risk Management Philosophy
- Risk Appetite
- Board Oversight
- Integrity and Ethical Values
- Competence of Work Force
- Assignment of Authority and Responsibility
- Organizational Structure
- Human Resources Development

29 Meeting the Standards - How
Internal Environment – Some of the things you may already be doing or could do:
- Statement or survey of risk attitudes and culture
- Board bylaws and other management documents that indicate oversight
- Code of ethics, handbooks, policies
- EWPs and evaluations
- Organization charts
- Training programs

30 Meeting The Standards
- Objective Setting – Set operational, reporting and compliance objectives. Process should be in place to ensure objectives support and align with agency mission; objectives are consistent with risk appetite.
- Event Identification – Identify potential internal and external events that could affect achievement of objectives.

31 Meeting the Standards - How
Objective Setting – Examples:
- Strategic Plans and awareness
- Division and department objectives and goals
- Budgeting documentation and rationale
Event Identification – Examples:
- Event inventories
- Interviews and meetings
- Questionnaires and surveys
- Process flow analysis

32 Meeting The Standards
Risk Assessment – Analyzing likelihood and impact of potential events on achieving objectives. Should look at:
- Inherent risk
- Likelihood
- Residual risk

33 Meeting the Standards - How
Risk Assessment – Examples:
- Formal risk assessments already done by different areas
- Departmental self assessments
- Assessments as part of budgeting

34 Meeting The Standards
Risk Response – How management chooses to respond to risk in accordance with risk tolerances. Four possible responses:
- Avoidance
- Reducing
- Sharing
- Acceptance

35 Meeting the Standards - How
Risk Response – Examples: Conscious actions taken as a result of risk assessments, etc.
- Avoidance – closure, abandon initiative
- Reducing – processes, management involvement, limits
- Sharing – joint ventures, insurance, contracts
- Acceptance – already conforms to risk tolerances

36 Meeting the Standards
Control Activities – implemented to help ensure risk responses are completed.
- Reviews
- Direct Management
- Performance Indicators
- Segregation of Duties

37 Meeting the Standards - How
Control Activities – Examples:
- Documented in policies and procedures
- Review of performance and reports
- Documented in process flowcharts
- Job assignments

38 Meeting the Standards
- Information and Communication – identifying and communicating information so that people carry out responsibilities.
- Monitoring – assessing the existence, functioning and improvement of controls or risk management components. Happens through both management activity and separate evaluations.

39 Meeting the Standards - How
Information and Communication – How information is distributed and communicated:
- Meetings
- Training and awareness programs
- Organization of departments and processes

40 Meeting the Standards - How
Monitoring – Examples:
- Management reviews of reports, limits, performance indicators, escalation triggers
- Self assessments
- Reviews by independent parties, such as internal or external auditors

41 Implementation
Steps in implementing the standards:
- Get top management commitment
- Put together a representative team
- Develop an implementation plan:
  - Assess your current status
  - What do you already have that can be used as is
  - What needs to be upgraded
  - What gaps exist

42 Implementation
- Implement ARM techniques and controls in “gap” areas: risk assessments, new policies, new controls, etc.
- Documentation for possible review
- Test and monitor
- Certify

43 Conclusions Internal controls are a tool for management to use in their everyday jobs. Internal controls consist of hard and soft controls. Before you can have good controls, you have to understand what risks you have, in order to pick which controls you need.

44 Conclusions The new Agency Risk Management standards are designed to help with that. The current push for ARMICS and ERM is, in many respects, nothing more than putting more weight and detail into what everyone is ALREADY required to do. ERM is a comprehensive and systematic program to identify, measure, prioritize, and respond to the risks associated with reaching organizational objectives.

45 Conclusions
- Long-run benefits in assessing and managing risk efficiently, reaching goals and objectives, and ensuring compliance with a manageable, centralized approach to risk management.
- May not be as bad as you think! Already doing many aspects of ARMICS that can be used.
- Big change is a change in management philosophy.

46 Conclusions
Successfully dealing with ARMICS will require:
- Top management commitment
- An implementation plan
- Involvement by many
- Upgrading or creation of various policies or documentation tools
- Monitoring techniques
Don’t think of it as another thing you’re “required” to do, but as a useful, long-run tool.
