Internal Controls 101 and ARMICS An Auditor’s Perspective Deane Hennett Director of Internal...

Page 1: Internal Controls 101 and ARMICS An Auditor’s Perspective Deane Hennett Director of Internal Audit, Old Dominion University.

Internal Controls 101 and ARMICS

An Auditor’s Perspective

Deane Hennett

Director of Internal Audit, Old Dominion University

What We’re Going To Cover

• Why Are We Here?
• What Internal Controls Are And Why You Want Them
• ERM and ARMICS – What’s New, What’s Different and What It Means
• Meeting the New Standards
• Ideas For How To Go About It
• Conclusions

Why We’re Here

• A Little About Me
• Origination of this Session

Definition of Internal Controls

Simple Definition
• Help make sure things happen the way you want them to happen
• Make sure bad or unexpected things don’t happen

Definition of Internal Controls

More sophisticated definition:

An effective system of internal control:
• Provides accountability for meeting program objectives,
• Promotes operational efficiency,
• Ensures the reliability of financial statements,
• Ensures compliance with laws and regulations, and
• Reduces the risk of asset loss due to fraud, waste, or abuse.

Internal Controls

Internal controls are basically a tool for management to use in their everyday jobs.

Two types – hard controls and soft controls.

Examples of hard controls:
• Authorizations
• Comparisons and checks
• Inventories
• Monitoring Output

Internal Controls

Examples of soft controls:
• Management philosophy
• Organizational structure
• Communication
• Competency of employees

Internal Controls

Why do you want internal controls?
• You can’t be everywhere at once
• To give some reasonable assurance everything is OK.
• As a deterrent

The 10-80-10 rule

Internal Controls

What Are You Required To Do Now Concerning Internal Control?

Current CAPP 10305

“Agencies are required to develop a formal program to evaluate the operating environment and ensure adequate internal controls are maintained over financial assets. All agencies and institutions must certify to (DOA) that agency management acknowledges its responsibility for internal control, and represents that a cost-effective system of internal control is in place and functioning to adequately safeguard the assets of the agency and reasonably assure the proper recording of the agency’s financial transactions.”

Current Internal Control Requirements

• What are you basing your current certification on?
• Anything formal?
• ARMICS provides standards to follow.
• The current push for ARMICS and ERM is, in many respects, nothing more than putting more weight and detail into what everyone is ALREADY required to do.

Current Internal Control Requirements

Why is DOA interested in controls?

How do you decide what controls you need?

Before you can have good controls, you have to understand what risks you have, in order to pick which controls you need.

The new Agency Risk Management standards are designed to help with that.

What Is ERM?

Enterprise Risk Management is defined as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

What Is ERM?

Put differently, ERM is a comprehensive and systematic program to identify, measure, prioritize, and respond to the risks associated with reaching organizational objectives.

The ERM framework emphasizes “soft control” activities. Traditionally, internal control systems focused on “hard” controls (such as physical or electronic controls). Soft controls are intangibles that management emphasizes to direct the organization.

Description of ARMICS

Agency Risk Management and Internal Control Standards provide guidance for managing risk, maintaining accountability, and achieving strategic objectives. They also contain implementation and evaluation tools that can be tailored to meet each agency’s unique circumstances.

Objectives of ARMICS

The new Standards include five objectives.
• Strategic – high-level goals and objectives, aligned with and supporting the mission.
• Operational – effective and efficient use of resources.
• Reporting – integrity and reliability of reporting.
• Compliance – compliance with applicable laws and regulations.
• Stewardship – protection and conservation of assets.

Why Are ERM and ARMICS Being Emphasized?

• Scandals
• Subsequent Legislation (SOX, etc.)
• Trickle Down Of Expectations To Government
• Virginia As A “Best Managed” State
• Best Practices
• Changes In University Environment

Why Are ERM and ARMICS Needed?

Changes In University Environment
• Commonwealth’s higher ed de-centralization initiatives - increased authority, scrutiny of performance and performance objectives
• Increasing internal and external risks that can disrupt goals and objectives and create legal liabilities and public image crises
• Increasing need for coordination and cooperation among departments and processes to reach university goals, and

Why Are ERM and ARMICS Needed?

• Dramatic rise in compliance concerns (new regulations and increased oversight) – a few of which include:
  • Virginia Information Technology Agency (VITA) standards and guidelines regarding computer systems and their security,
  • Privacy legislation such as FERPA, HIPAA and Gramm-Leach
  • Credit card acceptance regulations

What Does It Mean?

The common thread to all of these changes is the need to assess the risks involved in the business environment in which an entity operates: not just at top management levels, but at component departmental levels as well.

To do any less in today’s environment accepts an unnecessary probability of problems and complications in our operations.

What Does It Mean?

It has become important that all departments appropriately approach risk, compliance and controls for several reasons:
• More sophisticated initiatives need multiple departments to integrate seamlessly
• Many compliance issues are no longer the focus of a single lead department; in some cases, all areas must be in compliance or the entity as a whole is not. Environment is less tolerant.

What Does It Mean?

Will require a different style of management in many of our departments, one in which a more formal assessment of risk and controls is included in day-to-day management.

Managing risk needs to be embedded in all management decisions and approaches in running depts or processes.

This will help prevent problems or non-compliance, and the need to remedy the situation after damage is done.

Many are not used to assessing risks in their organizations and designing controls to mitigate those risks.

Benefits of ERM and ARMICS

Helps handle the challenges of assessing and managing risk efficiently, reaching goals and objectives, and ensuring compliance with various mandates with a manageable, centralized approach to risk management.

Maximizes the ability to meet challenges and help minimize overall work by not meeting each external challenge and requirement piecemeal.

Used at the departmental level, promotes risk awareness, successful goal implementation, general compliance, helps eliminate the need for piecemeal risk assessments.

Help with audits.

Implementing ARMICS

Per DOA, the action needed:

Each agency must plan and take systematic, proactive measures to
(a) plan, develop, and implement a comprehensive and cost effective risk management program to support its performance management program;
(b) assess the adequacy of internal controls in all agency services, operations, and activities;
(c) identify needed improvements;

Implementing ARMICS

Per DOA, action needed (cont’d):
(d) take corresponding preventative and corrective actions; and
(e) report annually on internal control.

These steps should be integrated with the development, implementation, and monitoring of strategic plans, with specific links from each service objective in strategic plans to appropriate risk responses and control activities.

Implementing ARMICS

• Sounds overwhelming!
• May not be as bad as you think!
• Understood that the form of implementation may differ from institution to institution.
• May already be doing many aspects of ARMICS that can be used.
• To some degree, dovetails with 6-year budgeting.

Meeting The Standards

Agency must demonstrate it has 8 risk management items established and functioning:
• Internal Environment
• Objective Setting
• Event Identification
• Risk Assessment
• Risk Response
• Control Activities
• Information and Communication
• Monitoring

Meeting The Standards

Internal Environment – Includes:
• Risk Management Philosophy
• Risk Appetite
• Board Oversight
• Integrity and Ethical Values
• Competence of Work Force
• Assignment of Authority and Responsibility
• Organizational Structure
• Human Resources Development

Meeting the Standards - How

Internal Environment - Some of the things you may already be doing or could do:
• Statement or survey of risk attitudes and culture
• Board bylaws and other mgt documents that indicate oversight
• Code of ethics, handbooks, policies
• EWPs and evaluations
• Organization charts
• Training programs

Meeting The Standards

Objective Setting – Set operational, reporting and compliance objectives. Process should be in place to ensure objectives support and align with agency mission; objectives are consistent with risk appetite.

Event Identification – Identify potential internal and external events that could affect achievement of objectives.

Meeting the Standards - How

Objective Setting – Examples:
• Strategic Plans and awareness
• Division and dept objectives and goals
• Budgeting documentation and rationale

Event Identification – Examples:
• Event inventories
• Interviews and meetings
• Questionnaires and surveys
• Process flow analysis

Meeting The Standards

Risk Assessment – Analyzing likelihood and impact of potential events on achieving objectives. Should look at:
• Inherent risk
• Likelihood
• Residual Risk

Meeting the Standards - How

Risk Assessment – Examples:
• Formal risk assessments already done by different areas
• Departmental self assessments
• Assessments as part of budgeting

Meeting The Standards

Risk Response – How management chooses to respond to risk in accordance with risk tolerances. Four possible responses:
• Avoidance
• Reducing
• Sharing
• Acceptance

Meeting the Standards - How

Risk Response – Examples:
• Conscious actions taken as a result of risk assessments, etc.
• Avoidance – closure, abandon initiative
• Reducing – processes, mgt involvement, limits
• Sharing – joint ventures, insurance, contracts
• Acceptance – already conforms to risk tolerances

Meeting the Standards

Control Activities – implemented to help ensure risk responses are completed.
• Reviews
• Direct Management
• Performance Indicators
• Segregation of Duties

Meeting the Standards - How

Control Activities – Examples:
• Documented in policies and procedures
• Review of performance and reports
• Documented in process flowcharts
• Job assignments

Meeting the Standards

Information and Communication – identifying and communicating information so that people carry out responsibilities.

Monitoring – assessing the existence, functioning and improvement of controls or risk management components. Happens through both management activity and separate evaluations.

Meeting the Standards - How

Information and Communication –
• How information is distributed and communicated
• Meetings
• Training and awareness programs
• Organization of departments and processes

Meeting the Standards - How

Monitoring – Examples
• Management reviews of reports, limits, performance indicators, escalation triggers
• Self assessments
• Reviews by independent parties, such as internal or external auditors

Implementation

Steps in implementing the standards:
• Get top management commitment
• Put together a representative team
• Develop an implementation plan:
  • Assess your current status
    • What do you already have that can be used as is
    • What needs to be upgraded
    • What gaps exist

Implementation

• Implement ARM techniques and controls in “gap” areas
  • Risk assessments, new policies, new controls, etc.
• Documentation for possible review
• Test and monitor
• Certify

Conclusions

Internal controls are a tool for management to use in their everyday jobs.

Internal controls consist of hard and soft controls.

Before you can have good controls, you have to understand what risks you have, in order to pick which controls you need.

Conclusions

The new Agency Risk Management standards are designed to help with that.

The current push for ARMICS and ERM is, in many respects, nothing more than putting more weight and detail into what everyone is ALREADY required to do.

ERM is a comprehensive and systematic program to identify, measure, prioritize, and respond to the risks associated with reaching organizational objectives.

Conclusions

Long-run benefits in assessing and managing risk efficiently, reaching goals and objectives, and ensuring compliance with a manageable, centralized approach to risk management.

May not be as bad as you think!

Already doing many aspects of ARMICS that can be used.

Big change is a change in management philosophy

Conclusions

Successfully dealing with ARMICS will require:
• Top management commitment
• An implementation plan
• Involvement by many
• Upgrading or creation of various policies or documentation tools
• Monitoring techniques

Don’t think of it as another thing you’re “required” to do, but as a useful, long-run tool