agency risk management & internal control standards (armics) nutz and boltz
Post on 04-Feb-2016
Agency Risk Management & Internal Control Standards (ARMICS)
Nutz and Boltz
Commonwealth of Virginia Fiscal Fundamentals
Department of Accounts
Commonwealth of Virginia

ARMICS
122 Page Document (Pages 3 – 36 Meat, the rest is tools to use)
Comptroller’s Directive 1-07
Force of Law
Based on the 1992 COSO Standards

Why do we need ARMICS?
Financial managers never actually do the risk assessment well until after the accident happens.
Why did the financial manager get run over crossing the road?

Two Components
Comptroller’s Directive 1-07
Agency Risk Management and Internal Control Standards (ARMICS)

General Approach
Breakdown
Organize
Document

STEERING COMMITTEE
Stay out of the weeds
General Planning
Designate and delegate
REVIEW Output
Organize Process and Results
Documentation
Report Out

GENERAL CONCEPTS
Concurrent not linear progression
Corrective Action Plan (CAP) from the beginning – NOT the last step!
Flexibility
Open Mind toward improvements

DEFICIENCIES
No Control
Insufficient Control
Ineffective Control
Inefficient Control (Over control)

Over Control?

How difficult can it be?
Genie in a Lamp
An Agency Head was walking along a beach when he found a lamp. Upon rubbing the lamp a genie appeared who stated "I am the most powerful genie in the world. Because I am so powerful, I can grant you any wish you want, but only one wish."
The Agency Head pulled out a Virginia highway map showing all of the new roads, repairs, and bridges that were needed and said "I’d like all this work to be done in one year and not cost the State one penny."
The genie responded, "Gee, I don't know. That’s a lot of new roads and repairs to be done. This is tough. I can patch all the pot holes, but this is beyond my limits."
The Agency Head then said, "Well, my staff is working on ARMICS, could you help them implement this Directive?"
Genie: "Uh, let me see that map again."

BREAKDOWN
Five (5) Components of Internal Control
Six (6) Project Teams / Task Forces

FIVE COMPONENTS
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring

SIX PROJECT TEAMS
Agency Level: Control Environment (Stage 1)
Agency Level: Risk Assessment and Control Activities (Stage 1 ONLY)
Process Level: Risk Assessment and Control Activities (Stage 2 ONLY)
Agency Level: Information & Communication (Stage 1)
Agency Level: Monitoring (Stage 1)
Corrective Action Plan (Stage 3)

Why Agency Level Assessments?
There once was an Agency Head who was interviewing candidates for the position of "Deputy Director." He decided to select the individual who could answer the question, "How much is 2+2?" The first candidate was an engineer. He pulled out a slide rule and showed that the answer was 4. The second candidate was a lawyer. He stated that, in the case of Svenson vs. the State, 2+2 was proven to be 4. The final candidate was an accountant. When asked what 2+2 equaled, the accountant did not respond immediately. He looked at the Agency Head, got out of his chair and went to see if anyone was listening at the door. Then he returned to the Agency Head and said, in a low voice, "Did you have some particular number in mind?"

Another Perspective

INTERNAL CONTROL LIMITATIONS
Faulty Judgment
Human Error - Mistake
Collusion
Override of Controls (Power Play)
Acceptable Risk Gone Wrong – Control Costs Exceed the Benefits
Perfect Storm (Multiple small things come together)

ARMICS
General Preparation

GENERAL DOCUMENTS
Organization Charts
Unit Functional Statements
General Control Policies (HRO, IS, Ethics)
Strategic Plan (DPB or agency internal)
Code of Ethics
Control Self-Assessment (CSA) reviews
Internal Audit Risk Assessment
Anything else applicable to agency Mgmt.

GENERAL PROCESSES
Plan from Steering Committee
Assignment of personnel
Deadlines
Identify places of flexibility in the plan
Meet and know the key people
Other resources needed
Travel issues (if applicable)
Anything else

ARMICS
Control Environment

Control Environment
The foundation on which everything rests:
The “tone” of the agency
Management’s philosophy
Integrity and ethics
Commitment to competence
Accountability
Policies and procedures

Attitude
A group of accountants and a group of engineers were traveling by train to a meeting. The engineers bought one ticket each and watched dumbfounded as the accountants bought only one ticket for their group. Upon inquiring of the accountants as to how they intended to travel with one ticket, they were told to "watch and learn." When the conductor began his collection of the tickets, the accountants all crowded into one bathroom. When the conductor knocked on the door and said "Ticket please", one of the accountants handed him their ticket.
The engineers, being quick to learn, purchased only one ticket for the return trip but watched in utter amazement as the accountants didn't purchase any tickets. When the conductor began to collect tickets, the engineers crowded into one bathroom and the accountants into another to await his arrival. After the doors closed, one of the accountants walked over to the bathroom where the engineers were waiting, knocked on the door, and said, "Ticket please!"

Control Environment
Review General Information
Interview Management
Modify Questionnaire – Key control points
Distribute to all
Analyze results - Strengths & Weaknesses
Test Controls
Report to Steering Committee & CAP Team

ARMICS
Risk Assessment (Stage 1)

Risk Assessment
Risk Analysis as part of Decision Making
Inherent / Response / Residual
Cost / Benefit

Risk Assessment (Stage 1) - Process
Review General Information
Modify Questionnaire – Key control points
Distribute to all or target groups
Analyze results - Strengths & Weaknesses
Test Controls
Report to Steering Committee & CAP Team
Focus on Agency wide – Stay out of specific processes

ARMICS
Control Activities (Stage 1)

Control Activities
Policies and Procedures
Information Systems – General Controls
Access
FOCUS: Accounting and Information Systems Areas

RA and CA (Stage 1) - Process
Review General Information
Modify Questionnaire – Key control points
Distribute to all or target groups
Analyze results - Strengths & Weaknesses
Test Controls
Report to Steering Committee & CAP Team
Focus on Agency wide – Stay out of specific processes

ARMICS
Risk Assessment and Control Activities (Stage 2)

RA and CA (Stage 2) - Process
Determine Significant Fiscal Processes
CARS – ACTR0402 (Year End)
Financial Statement Directives
Amounts processed ($$$ and Transactions)
Processes Documentation (Narratives, Flow Chart, DFDs, combos, etc.)
Use Questionnaire – Key control points
Now we are into the weeds!

RA and CA (Stage 2) - Process
Evaluate Inherent Risk (High-Medium-Low)
List control activities (risk responses)
Evaluate Residual Risk (High-Medium-Low)
Analyze results - Recommendations
SWOT Analysis
Report to Steering Committee & CAP Team

RA and CA (Stage 2) - Process
Effectiveness Testing
Test Key Controls (Plan with Objectives)
Interviews
Document Sampling
Process walk through (single document)
Attribute Sample testing
Report to Steering Committee & CAP Team

ARMICS
Information and Communication

Information and Communication
Review General Information
Interview Management
Modify Questionnaire – Key control points
Distribute to all
Analyze results - Strengths & Weaknesses
Test Key Controls
Report to Steering Committee & CAP Team

ARMICS
Monitoring

Monitoring
Review General Information
Interview Management
Modify Questionnaire – Key control points
Distribute to all
Analyze results - Strengths & Weaknesses
Test Key Controls
Report to Steering Committee & CAP Team

ARMICS
CAP
Corrective Action Plan

Corrective Action Plan (CAP)
Year-round activity (Quarterly reports)
DOA Submissions (Significant)
Classify risks (consistency)
Track deficiencies and corrections
See ARMICS for data elements
Testing

Corrective Action Plan (CAP) Testing
Test Objective (Purpose)
Testing Criteria
Test Results
Conclusion
Agency Head Reporting

References
The Comptroller’s Directive and Agency Risk Management & Internal Control Standards are available from
http://www.doa.virginia.gov/ARMICS/ARMICS_main.cfm

Contacts
armics@doa.virginia.gov
804-225-4366 – voice
804-225-4250 – facsimile
Email - joe.kapelewski@doa.virginia.gov