Agency Risk Management & Internal Control Standards (ARMICS) Nutz and Boltz Commonwealth of Virginia...

Post on 23-Dec-2015


Agency Risk Management & Internal Control Standards

(ARMICS)

Nutz and Boltz

Commonwealth of Virginia Fiscal Fundamentals

Department of Accounts

Commonwealth of Virginia

ARMICS

122 Page Document (Pages 3 – 36 Meat, the rest is tools to use)

Comptroller’s Directive 1-07

Force of Law

Based on the 1992 COSO Standards


Why do we need ARMICS?

Financial managers never actually do the risk assessment well until after the accident happens.

Why did the financial manager get run over crossing the road?


Two Components

Comptroller’s Directive 1-07

Agency Risk Management and Internal Control Standards (ARMICS)


General Approach

Breakdown

Organize

Document


STEERING COMMITTEE

Stay out of the weeds
General Planning
Designate and delegate
REVIEW Output
Organize Process and Results
Documentation
Report Out


GENERAL CONCEPTS

Concurrent not linear progression

Corrective Action Plan (CAP) from the beginning – NOT the last step!

Flexibility

Open Mind toward improvements


DEFICIENCIES

No Control

Insufficient Control

Ineffective Control

Inefficient Control (Over control)


Over Control?


How difficult can it be?

Genie in a Lamp

An Agency Head was walking along a beach when he found a lamp. Upon rubbing the lamp a genie appeared who stated "I am the most powerful genie in the world. Because I am so powerful, I can grant you any wish you want, but only one wish."

The Agency Head pulled out a Virginia highway map showing all of the new roads, repairs, and bridges that were needed and said "I’d like all this work to be done in one year and not cost the State one penny."

The genie responded, "Gee, I don't know. That’s a lot of new roads and repairs to be done. This is tough. I can patch all the pot holes, but this is beyond my limits."

The Agency Head then said, "Well, my staff is working on ARMICS, could you help them implement this Directive?"

Genie: "Uh, let me see that map again."


BREAKDOWN

Five (5) Components of Internal Control

Six (6) Project Teams / Task Forces


FIVE COMPONENTS

Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring


SIX PROJECT TEAMS

Agency Level: Control Environment (Stage 1)
Agency Level: Risk Assessment and Control Activities (Stage 1 ONLY)
Process Level: Risk Assessment and Control Activities (Stage 2 ONLY)
Agency Level: Information & Communication (Stage 1)
Agency Level: Monitoring (Stage 1)
Corrective Action Plan (Stage 3)


Why Agency Level Assessments?

There once was an Agency Head who was interviewing candidates for the position of "Deputy Director." He decided to select the individual who could answer the question, "How much is 2+2?" The first candidate was an engineer. He pulled out a slide rule and showed that the answer was 4. The second candidate was a lawyer. He stated that, in the case of Svenson vs. the State, 2+2 was proven to be 4. The final candidate was an accountant. When asked what 2+2 equaled, the accountant did not respond immediately. He looked at the Agency Head, got out of his chair and went to see if anyone was listening at the door. Then he returned to the Agency Head and said, in a low voice, "Did you have some particular number in mind?"


Another Perspective


INTERNAL CONTROL LIMITATIONS

Faulty Judgment
Human Error - Mistake
Collusion
Override of Controls (Power Play)
Acceptable Risk Gone Wrong – Control Costs Exceed the Benefits
Perfect Storm (Multiple small things come together)

ARMICS

General Preparation


GENERAL DOCUMENTS

Organization Charts
Unit Functional Statements
General Control Policies (HRO, IS, Ethics)
Strategic Plan (DPB or agency internal)
Code of Ethics
Control Self-Assessment (CSA) reviews
Internal Audit Risk Assessment
Anything else applicable to agency Mgmt.


GENERAL PROCESSES

Plan from Steering Committee
Assignment of personnel
Deadlines
Identify places of flexibility in the plan
Meet and know the key people
Other resources needed
Travel issues (if applicable)
Anything else

ARMICS

Control Environment


Control Environment

The foundation on which everything rests:

The “tone” of the agency
Management’s philosophy
Integrity and ethics
Commitment to competence
Accountability
Policies and procedures


Attitude

A group of accountants and a group of engineers were traveling by train to a meeting. The engineers bought one ticket each and watched dumbfounded as the accountants bought only one ticket for their group. Upon inquiring of the accountants as to how they intended to travel with one ticket, they were told to "watch and learn." When the conductor began his collection of the tickets, the accountants all crowded into one bathroom. When the conductor knocked on the door and said "Ticket please", one of the accountants handed him their ticket.

The engineers, being quick to learn, purchased only one ticket for the return trip but watched in utter amazement as the accountants didn't purchase any tickets. When the conductor began to collect tickets, the engineers crowded into one bathroom and the accountants into another to await his arrival. After the doors closed, one of the accountants walked over to the bathroom where the engineers were waiting, knocked on the door, and said, "Ticket please!"


Control Environment

Review General Information
Interview Management
Modify Questionnaire – Key control points
Distribute to all
Analyze results - Strengths & Weaknesses
Test Controls
Report to Steering Committee & CAP Team

ARMICS

Risk Assessment (Stage 1)


Risk Assessment

Risk Analysis as part of Decision Making

Inherent / Response / Residual

Cost / Benefit


Risk Assessment (Stage 1) - Process

Review General Information
Modify Questionnaire – Key control points
Distribute to all or target groups
Analyze results - Strengths & Weaknesses
Test Controls
Report to Steering Committee & CAP Team

Focus on Agency wide – Stay out of specific processes

ARMICS

Control Activities (Stage 1)


Control Activities

Policies and Procedures

Information Systems – General Controls

Access

FOCUS: Accounting and Information Systems Areas


RA and CA (Stage 1) - Process

Review General Information
Modify Questionnaire – Key control points
Distribute to all or target groups
Analyze results - Strengths & Weaknesses
Test Controls
Report to Steering Committee & CAP Team

Focus on Agency wide – Stay out of specific processes

ARMICS

Risk Assessment and Control Activities (Stage 2)


RA and CA (Stage 2) - Process

Determine Significant Fiscal Processes
CARS – ACTR0402 (Year End)
Financial Statement Directives
Amounts processed ($$$ and Transactions)

Processes Documentation (Narratives, Flow Chart, DFDs, combos, etc.)

Use Questionnaire – Key control points

Now we are into the weeds!


RA and CA (Stage 2) - Process

Evaluate Inherent Risk (High-Medium-Low)
List control activities (risk responses)
Evaluate Residual Risk (High-Medium-Low)
Analyze results - Recommendations
SWOT Analysis
Report to Steering Committee & CAP Team


RA and CA (Stage 2) - Process

Effectiveness Testing
Test Key Controls (Plan with Objectives)
Interviews
Document Sampling
Process walk through (single document)
Attribute Sample testing

Report to Steering Committee & CAP Team

ARMICS

Information and Communication


Information and Communication

Review General Information
Interview Management
Modify Questionnaire – Key control points
Distribute to all
Analyze results - Strengths & Weaknesses
Test Key Controls
Report to Steering Committee & CAP Team

ARMICS

Monitoring


Monitoring

Review General Information
Interview Management
Modify Questionnaire – Key control points
Distribute to all
Analyze results - Strengths & Weaknesses
Test Key Controls
Report to Steering Committee & CAP Team

ARMICS

CAP

Corrective Action Plan


Corrective Action Plan (CAP)

Year-round activity (Quarterly reports)

DOA Submissions (Significant)

Classify risks (consistency)

Track deficiencies and corrections
See ARMICS for data elements

Testing


Corrective Action Plan (CAP) Testing

Test Objective (Purpose)

Testing Criteria

Test Results

Conclusion

Agency Head Reporting


References

The Comptroller’s Directive and Agency Risk Management & Internal Control Standards are available from

http://www.doa.virginia.gov/ARMICS/ARMICS_main.cfm


Contacts

armics@doa.virginia.gov
804-225-4366 – voice
804-225-4250 – facsimile
Email - joe.kapelewski@doa.virginia.gov