Agency Risk Management &Internal Control Standards(ARMICS)Agency Risk Management &Internal Control Standards(ARMICS)
2
VCU Controller’s Office: Council of DeansVCU Controller’s Office: Council of Deans
New Emphasis on Internal ControlsNew Emphasis on Internal Controls
The Sarbanes-Oxley Act of 2002 is now impacting the public sectorThe Sarbanes-Oxley Act of 2002 is now impacting the public sector
Auditing profession has new standard related to internal controls -lowers the bar on internal control weaknesses reported by auditors.Auditing profession has new standard related to internal controls -lowers the bar on internal control weaknesses reported by auditors.
Commonwealth of Virginia Comptroller has mandated internalcontrol assessments at agencies and institutions – ARMICSCommonwealth of Virginia Comptroller has mandated internalcontrol assessments at agencies and institutions – ARMICS
3
VCU Controller’s Office: Council of DeansVCU Controller’s Office: Council of Deans
Internal Control Internal Control
“Internal control is a process, effected by an entity’s board ofdirectors, management and other personnel, designed to providereasonable assurance regarding the achievement of objectives in thefollowing categories: “Internal control is a process, effected by an entity’s board ofdirectors, management and other personnel, designed to providereasonable assurance regarding the achievement of objectives in thefollowing categories:
Effective and efficient operations Effective and efficient operations
Reliable financial reporting Reliable financial reporting
Compliance with laws and regulations” Compliance with laws and regulations”
A number of writers add “safeguarding assets”A number of writers add “safeguarding assets”
4
VCU Controller’s Office: Council of DeansVCU Controller’s Office: Council of Deans
Responsibility for Internal Control –Not Just AccountantsResponsibility for Internal Control –Not Just Accountants
Governing BoardsGoverning Boards
Executive Management (Agency Heads)Executive Management (Agency Heads)
Senior and Line Management (including CFOs and Fiscal Officers)Senior and Line Management (including CFOs and Fiscal Officers)
Supervisors and StaffSupervisors and Staff
EVERYONE IS RESPONSIBLE!EVERYONE IS RESPONSIBLE!
5
VCU Controller’s Office: Council of DeansVCU Controller’s Office: Council of Deans
ARMICSARMICS
Comptroller Directive 1-07 – issued 11/15/06 – 3 stagesComptroller Directive 1-07 – issued 11/15/06 – 3 stages
Stage 1 – Agency-Level Internal Control Assessment - due September 30,2007Stage 1 – Agency-Level Internal Control Assessment - due September 30,2007
Stage 2 – Process and Transaction-Level Internal Control Assessment - dueMarch 31, 2008Stage 2 – Process and Transaction-Level Internal Control Assessment - dueMarch 31, 2008
Stage 3 – Corrective Action Plan - due June 30, 2008Stage 3 – Corrective Action Plan - due June 30, 2008
Each stage requires certification by President and CFO as well as disclosure ofdeficiencies.Each stage requires certification by President and CFO as well as disclosure ofdeficiencies.
After this initial review, ARMICS will be a continuing process.After this initial review, ARMICS will be a continuing process.
Emphasis on:Emphasis on:
Fiscal processes and financial statementsFiscal processes and financial statements
Compliance with laws and regulationsCompliance with laws and regulations
Stewardship over assetsStewardship over assets
VCU Controller’s Office will coordinate ARMICS.VCU Controller’s Office will coordinate ARMICS.
6
VCU Controller’s Office: Council of DeansVCU Controller’s Office: Council of Deans
Stage 1: Agency Level ControlsFocus on Five Key ElementsStage 1: Agency Level ControlsFocus on Five Key Elements
Control Environment - thefoundation on which everythingrests:Control Environment - thefoundation on which everythingrests:
The “tone” of the agencyThe “tone” of the agency
Management’s philosophyManagement’s philosophy
Integrity and ethicsIntegrity and ethics
Commitment to competenceCommitment to competence
AccountabilityAccountability
Policies and proceduresPolicies and procedures
Control Environment
Communication
Information
Monitoring
Control
Activities
Risk
Assessment
7
VCU Controller’s Office: Council of DeansVCU Controller’s Office: Council of Deans
Organizational RiskOrganizational Risk
Risk assessment considers theextent to which potential eventscould affect the achievement ofobjectives. Major risk areas:Risk assessment considers theextent to which potential eventscould affect the achievement ofobjectives. Major risk areas:
FinancialFinancial
Legal liabilityLegal liability
Regulatory complianceRegulatory compliance
Organizational imageOrganizational image
Organization-specificOrganization-specific
Data integrity and reliabilityData integrity and reliability
Confidentiality of dataConfidentiality of data
Safeguarding proprietary dataSafeguarding proprietary data
Contingency planningContingency planning
OperationsOperations
Control Environment
Communication
Information
Monitoring
Control
Activities
Risk
Assessment
8
VCU Controller’s Office: Council of DeansVCU Controller’s Office: Council of Deans
Control ActivitiesControl Activities
Clearly convey controlresponsibilities to employees.Ensure they understand.Clearly convey controlresponsibilities to employees.Ensure they understand.
Hold employees personallyaccountable for assigned controlactivities.Hold employees personallyaccountable for assigned controlactivities.
Do not tolerate managementoverride of controls.Do not tolerate managementoverride of controls.
Make policies and proceduresexceptions only whenappropriate. Documentexceptions thoroughly.Make policies and proceduresexceptions only whenappropriate. Documentexceptions thoroughly.
Control Environment
Communication
Information
Monitoring
Control
Activities
Risk
Assessment
9
VCU Controller’s Office: Council of DeansVCU Controller’s Office: Council of Deans
Information and CommunicationInformation and Communication
Information is top down, bottomup, and across functional areas.Information is top down, bottomup, and across functional areas.
Information is of high quality –useful, timely, relevant, accurate,user-friendly.Information is of high quality –useful, timely, relevant, accurate,user-friendly.
Employee duties and controlresponsibilities are clearlycommunicated to them.Employee duties and controlresponsibilities are clearlycommunicated to them.
Management is receptive toemployee concerns, suggestions,and complaints.Management is receptive toemployee concerns, suggestions,and complaints.
Customer complaints go to theright level and get resolvedappropriately.Customer complaints go to theright level and get resolvedappropriately.
Control Environment
Communication
Information
Monitoring
Control
Activities
Risk
Assessment
10
VCU Controller’s Office: Council of DeansVCU Controller’s Office: Council of Deans
MonitoringMonitoring
Hold management andsupervisors accountablefor monitoring staff.Hold management andsupervisors accountablefor monitoring staff.
Hold staff accountable formonitoring their ownactivities.Hold staff accountable formonitoring their ownactivities.
Monitor both hardcontrols and the controlenvironment.Monitor both hardcontrols and the controlenvironment.
Watch for behavioral “redflags.”Watch for behavioral “redflags.”
Conduct independentcontrol assessments.Conduct independentcontrol assessments.
Control Environment
Communication
Information
Monitoring
Control
Activities
Risk
Assessment
11
VCU Controller’s Office: Council of DeansVCU Controller’s Office: Council of Deans
Agency Level ControlsAgency Level Controls
Oversight Team will address University level controls inStage 1.Oversight Team will address University level controls inStage 1.
Identify / evaluate controls at University, executive, and school levels.Identify / evaluate controls at University, executive, and school levels.
Identify areas for improvement.Identify areas for improvement.
Evaluation of some controls will require surveys – includesmanagement, employees with access to Banner systems,and employees with the corporate card:Evaluation of some controls will require surveys – includesmanagement, employees with access to Banner systems,and employees with the corporate card:
EthicsEthics
Management commitment to professional and technical competenceManagement commitment to professional and technical competence
Organization structureOrganization structure
Assignment of authority and responsibilityAssignment of authority and responsibility
Human resource standardsHuman resource standards
Information and communicationInformation and communication
12
VCU Controller’s Office: Council of DeansVCU Controller’s Office: Council of Deans
ARMICS Ethics QuestionsARMICS Ethics Questions
1.The agency’s Code of Ethics and other policies regarding acceptable business practice, conflicts ofinterest, and expected standards of ethical and moral behavior are comprehensive and relevantand address matters of significance.1.The agency’s Code of Ethics and other policies regarding acceptable business practice, conflicts ofinterest, and expected standards of ethical and moral behavior are comprehensive and relevantand address matters of significance.
2.Employees fully and clearly understand what behavior is acceptable and unacceptable under theagency’s Code of Ethics and know what to do when they encounter improper behavior.2.Employees fully and clearly understand what behavior is acceptable and unacceptable under theagency’s Code of Ethics and know what to do when they encounter improper behavior.
3.Management frequently and clearly communicates the importance of integrity and ethicalbehavior during staff meetings, one-on-one discussions, training and periodic written statementsof compliance from key employees.3.Management frequently and clearly communicates the importance of integrity and ethicalbehavior during staff meetings, one-on-one discussions, training and periodic written statementsof compliance from key employees.
4.Management demonstrates a commitment to integrity and ethical behavior by example in theirday-to-day activities.4.Management demonstrates a commitment to integrity and ethical behavior by example in theirday-to-day activities.
5.Employees are generally inclined to do the “right thing” when faced with pressures to cut cornerswith regard to policies and procedures.5.Employees are generally inclined to do the “right thing” when faced with pressures to cut cornerswith regard to policies and procedures.
6.Management addresses and resolves violations of behavioral and ethical standards consistently,timely, and equitably in accordance with the provisions of the agency’s Code of Ethics.6.Management addresses and resolves violations of behavioral and ethical standards consistently,timely, and equitably in accordance with the provisions of the agency’s Code of Ethics.
7.The existence of the agency’s Code of Ethics and the consequences of its breach are an effectivedeterrent to unethical behavior.7.The existence of the agency’s Code of Ethics and the consequences of its breach are an effectivedeterrent to unethical behavior.
8.Management strictly prohibits circumvention of established policies and procedures, except wherespecific guidance has been provided, and demonstrates commitment to this principle.8.Management strictly prohibits circumvention of established policies and procedures, except wherespecific guidance has been provided, and demonstrates commitment to this principle.
9.Performance targets are reasonable and realistic and do not create undue pressure onachievement of short-term results.9.Performance targets are reasonable and realistic and do not create undue pressure onachievement of short-term results.
10.Ethics are woven into criteria used to evaluate individual or division’s performance.10.Ethics are woven into criteria used to evaluate individual or division’s performance.
11.Management reacts appropriately when receiving bad news from subordinates and divisions.11.Management reacts appropriately when receiving bad news from subordinates and divisions.
13
VCU Controller’s Office: Council of DeansVCU Controller’s Office: Council of Deans
Stage 2: Process Level AssessmentStage 2: Process Level Assessment
Process/transaction level assessment:Process/transaction level assessment:
Identify and document significant fiscal processesIdentify and document significant fiscal processes
Perform risk assessmentPerform risk assessment
Identify control activitiesIdentify control activities
Test effectiveness of control activities and document the resultsTest effectiveness of control activities and document the results
Includes departmental activities as well as central units – from theinitiation of a transaction to recording in Banner to the University’sfinancial statements.Includes departmental activities as well as central units – from theinitiation of a transaction to recording in Banner to the University’sfinancial statements.
Assurance Services will assist in the initial ARMICS evaluation andtesting in several key areas.Assurance Services will assist in the initial ARMICS evaluation andtesting in several key areas.
14
VCU Controller’s Office: Council of DeansVCU Controller’s Office: Council of Deans
Stage 3: Reporting DeficienciesStage 3: Reporting Deficiencies
Deficiencies must be disclosed to the State with March 2008certification.Deficiencies must be disclosed to the State with March 2008certification.
Corrective action plan must submitted by June 2008 including:Corrective action plan must submitted by June 2008 including:
Description of deficiency and when identifiedDescription of deficiency and when identified
Target date for completion of corrective actionTarget date for completion of corrective action
Personnel responsible for monitoring progressPersonnel responsible for monitoring progress
Indicators/statistics used to monitor progressIndicators/statistics used to monitor progress
Target to indicate deficiency correctedTarget to indicate deficiency corrected
State Department of Accounting (DOA) and the Auditor of PublicAccounts (APA) are expected to review the documentation.State Department of Accounting (DOA) and the Auditor of PublicAccounts (APA) are expected to review the documentation.
15
VCU Controller’s Office: Council of DeansVCU Controller’s Office: Council of Deans
ARMICS Affects All Areas of the UniversityARMICS Affects All Areas of the University
Management -- President, Vice Presidents, Deans, DepartmentHead, Supervisors -- must set the tone and be committed to internalcontrols.Management -- President, Vice Presidents, Deans, DepartmentHead, Supervisors -- must set the tone and be committed to internalcontrols.
Employee responsibilities must be clear at all levels affectingfinancial systems – from departmental administrators to centraloffices.Employee responsibilities must be clear at all levels affectingfinancial systems – from departmental administrators to centraloffices.
Departments must document procedures, ensure proper internalcontrols, and comply with established policies and procedures.Departments must document procedures, ensure proper internalcontrols, and comply with established policies and procedures.
Central units must implement, review, and test controls.Central units must implement, review, and test controls.
16
VCU Controller’s Office: Council of DeansVCU Controller’s Office: Council of Deans
Next StepsNext Steps
Oversight Committee being established to assess Stage 1 -- agencycontrol environment.Oversight Committee being established to assess Stage 1 -- agencycontrol environment.
Central units and Assurance Services will be documenting and assessingStage 2 -- key financial processes; testing will begin this summer.Central units and Assurance Services will be documenting and assessingStage 2 -- key financial processes; testing will begin this summer.
Controller’s Office developing detail work plan, key dates, and trainingmaterials/tools for departments which will have to document theirindividual processes.Controller’s Office developing detail work plan, key dates, and trainingmaterials/tools for departments which will have to document theirindividual processes.
Management should show its commitment for the ARMICS process.Remind employees of University documents setting the tone:Management should show its commitment for the ARMICS process.Remind employees of University documents setting the tone:
University Code of Ethics www.vcu.edu/president/ethics/index.htmlUniversity Code of Ethics www.vcu.edu/president/ethics/index.html
Code of Conduct for Business Practices www.finance.vcu.edu/pdfs/codeofconduct.pdfCode of Conduct for Business Practices www.finance.vcu.edu/pdfs/codeofconduct.pdf
Reporting Compliance Concerns www.toolkit.vcu.edu/ComplianceConcernsProcedure.pdfReporting Compliance Concerns www.toolkit.vcu.edu/ComplianceConcernsProcedure.pdf
Ensure that employees have the tools to perform their jobs.Ensure that employees have the tools to perform their jobs.