Commonwealth of Virginia Fiscal Fundamentals


Agency Risk Management & Internal Control Standards (ARMICS)

New Emphasis on Internal Controls



The Sarbanes-Oxley Act of 2002 is now impacting the public sector
The auditing profession has a new standard related to internal controls that lowers the bar on internal control weaknesses reported by auditors.
The Commonwealth of Virginia Comptroller has mandated internal control assessments at agencies and institutions – ARMICS
VCU Controller’s Office: Council of Deans
Internal Control
“Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Effective and efficient operations
Reliable financial reporting
Compliance with laws and regulations”
A number of writers add “safeguarding assets”
Responsibility for Internal Control – Not Just Accountants

Governing Boards

Executive Management (Agency Heads)

Senior and Line Management (including CFOs and Fiscal Officers)

Supervisors and Staff

EVERYONE IS RESPONSIBLE!
ARMICS

Comptroller Directive 1-07 – issued 11/15/06 – 3 stages
  Stage 1 – Agency-Level Internal Control Assessment - due September 30, 2007
  Stage 2 – Process and Transaction-Level Internal Control Assessment - due March 31, 2008
  Stage 3 – Corrective Action Plan - due June 30, 2008
Each stage requires certification by President and CFO as well as disclosure of deficiencies.
After this initial review, ARMICS will be a continuing process.
Emphasis on:
  Fiscal processes and financial statements
  Compliance with laws and regulations
  Stewardship over assets
VCU Controller’s Office will coordinate ARMICS.
Stage 1: Agency Level Controls
Focus on Five Key Elements

Control Environment - the foundation on which everything rests:
  The “tone” of the agency
  Management’s philosophy
  Integrity and ethics
  Commitment to competence
  Accountability
  Policies and procedures

[Diagram labels: Monitoring; Control Activities; Risk Assessment; Control Environment]
Organizational Risk

Risk assessment considers the extent to which potential events could affect the achievement of objectives. Major risk areas:

Financial
Legal liability
Regulatory compliance
Organizational image
Organization-specific
Data integrity and reliability
Confidentiality of data
Safeguarding proprietary data
Contingency planning
Operations
Control Activities




Clearly convey control responsibilities to employees. Ensure they understand.
Hold employees personally accountable for assigned control activities.
Do not tolerate management override of controls.
Make exceptions to policies and procedures only when appropriate. Document exceptions thoroughly.
Information and Communication





Information is top down, bottom up, and across functional areas.
Information is of high quality – useful, timely, relevant, accurate, user-friendly.
Employee duties and control responsibilities are clearly communicated to them.
Management is receptive to employee concerns, suggestions, and complaints.
Customer complaints go to the right level and get resolved appropriately.
Monitoring





Hold management and supervisors accountable for monitoring staff.
Hold staff accountable for monitoring their own activities.
Monitor both hard controls and the control environment.
Watch for behavioral “red flags.”
Conduct independent control assessments.
Agency Level Controls

Oversight Team will address University level controls in Stage 1.
  Identify / evaluate controls at University, executive, and school levels.
  Identify areas for improvement.
Evaluation of some controls will require surveys – includes management, employees with access to Banner systems, and employees with the corporate card:
  Ethics
  Management commitment to professional and technical competence
  Organization structure
  Assignment of authority and responsibility
  Human resource standards
  Information and communication
ARMICS Ethics Questions
1. The agency’s Code of Ethics and other policies regarding acceptable business practice, conflicts of interest, and expected standards of ethical and moral behavior are comprehensive and relevant and address matters of significance.
2. Employees fully and clearly understand what behavior is acceptable and unacceptable under the agency’s Code of Ethics and know what to do when they encounter improper behavior.
3. Management frequently and clearly communicates the importance of integrity and ethical behavior during staff meetings, one-on-one discussions, training and periodic written statements of compliance from key employees.
4. Management demonstrates a commitment to integrity and ethical behavior by example in their day-to-day activities.
5. Employees are generally inclined to do the “right thing” when faced with pressures to cut corners with regard to policies and procedures.
6. Management addresses and resolves violations of behavioral and ethical standards consistently, timely, and equitably in accordance with the provisions of the agency’s Code of Ethics.
7. The existence of the agency’s Code of Ethics and the consequences of its breach are an effective deterrent to unethical behavior.
8. Management strictly prohibits circumvention of established policies and procedures, except where specific guidance has been provided, and demonstrates commitment to this principle.
9. Performance targets are reasonable and realistic and do not create undue pressure on achievement of short-term results.
10. Ethics are woven into criteria used to evaluate individual or division’s performance.
11. Management reacts appropriately when receiving bad news from subordinates and divisions.
Stage 2: Process Level Assessment

Process/transaction level assessment:
  Identify and document significant fiscal processes
  Perform risk assessment
  Identify control activities
  Test effectiveness of control activities and document the results
Includes departmental activities as well as central units – from the initiation of a transaction to recording in Banner to the University’s financial statements.
Assurance Services will assist in the initial ARMICS evaluation and testing in several key areas.
Stage 3: Reporting Deficiencies


Deficiencies must be disclosed to the State with March 2008 certification.
Corrective action plan must be submitted by June 2008 including:
  Description of deficiency and when identified
  Target date for completion of corrective action
  Personnel responsible for monitoring progress
  Indicators/statistics used to monitor progress
  Target to indicate deficiency corrected
State Department of Accounting (DOA) and the Auditor of Public Accounts (APA) are expected to review the documentation.
ARMICS Affects All Areas of the University




Management -- President, Vice Presidents, Deans, Department Heads, Supervisors -- must set the tone and be committed to internal controls.
Employee responsibilities must be clear at all levels affecting financial systems – from departmental administrators to central offices.
Departments must document procedures, ensure proper internal controls, and comply with established policies and procedures.
Central units must implement, review, and test controls.
Next Steps




An Oversight Committee is being established to assess Stage 1 -- agency control environment.
Central units and Assurance Services will be documenting and assessing Stage 2 -- key financial processes; testing will begin this summer.
The Controller’s Office is developing a detailed work plan, key dates, and training materials/tools for departments, which will have to document their individual processes.
Management should show its commitment to the ARMICS process.
Remind employees of University documents setting the tone:
  University Code of Ethics www.vcu.edu/president/ethics/index.html
  Code of Conduct for Business Practices www.finance.vcu.edu/pdfs/codeofconduct.pdf
  Reporting Compliance Concerns www.toolkit.vcu.edu/ComplianceConcernsProcedure.pdf
Ensure that employees have the tools to perform their jobs.