Download presentation
Presentation is loading. Please wait.
Published byBuddy Barnett Modified over 9 years ago
1
ARMICS Randy Sherrod, Internal Audit Manager – Department of Behavioral Health and Developmental Services
2
We all know where the donuts are!!
3
What is ARMICS ARMICS is the Agency Risk Management and Internal Control Standards implemented by the Virginia Department of Accounts in 2007. ARMICS is the Agency Risk Management and Internal Control Standards implemented by the Virginia Department of Accounts in 2007. Every Agency of the Commonwealth must comply with these standards. Every Agency of the Commonwealth must comply with these standards. These standards help to maintain Virginia’s ranking as the Best Managed State. These standards help to maintain Virginia’s ranking as the Best Managed State.
4
What is ARMICS continued: ARMICS is meant to help agencies with their business practices. ARMICS is meant to help agencies with their business practices. ARMICS helps provide a framework for sound accounting and operational practices. ARMICS helps provide a framework for sound accounting and operational practices.
5
The Objectives of ARMICS To provide reasonable assurance of the integrity of all fiscal processes related to: Submission of transactions to the Commonwealth’s general ledger Submission of transactions to the Commonwealth’s general ledger Submission of deliverables required by financial statement directives Submission of deliverables required by financial statement directives Compliance with laws and regulations Compliance with laws and regulations Safeguarding and Stewardship over the Commonwealth’s assets Safeguarding and Stewardship over the Commonwealth’s assets
6
What we have done at DBHDS Internal Audit? July – September 2009 July – September 2009 –Facility and Central Office ARMICS Review by Internal Audit –Issued reports with recommendations for FY 20100 –Found that ARMICS work is being done. –Recommended that more testing be completed. –ARMICS Presentation to the Facility Finance Staff
7
Internal Controls Internal control is a process designed to provide reasonable assurance regarding the achievement of objectives in the following categories: – –Effectiveness and efficiency of operations – –Reliability of financial reporting – –Compliance with applicable laws and regulations1
8
Internal Controls con’t Internal controls can be thought of as proactive measures to prevent inappropriate charges and to ensure compliance.2 Internal controls can be thought of as proactive measures to prevent inappropriate charges and to ensure compliance.2
9
4 Purposes of Internal Controls Promote orderly, economical, efficient and effective operations, and produce quality products and services consistent with the organization's mission. Safeguard resources against loss due to waste, abuse, mismanagement, errors and fraud.5
10
4 Purposes of Internal Controlscont’d Promote adherence to laws, regulations, contracts and management directives. Develop and maintain reliable financial and management data, and accurately present that data in timely reports. 5
11
5 Components of Internal Controls: Control Environment Control Environment Risk Assessment Risk Assessment Control Activities Control Activities Information and Communication Information and Communication Monitoring Monitoring
12
Control Environment The internal control environment encompasses: The internal control environment encompasses: –the policies, processes and skills that exist within a department to ensure only valid financial transactions are recorded.2
13
Control Environment cont’d Control Environment includes: Control Environment includes: –Management Philosophy –Oversight by Agency’s Governing Board –Integrity and Ethical Values (Develop a code of Ethics) –Organizational Structure –Assignment of Authority and Responsibility –Work Force Competence –Human Resource Development
14
Risk Assessment An ongoing process of identifying, and analyzing potential risk events. The management of the risks to achieving the objectives of internal control. possible impact of these risks on the achievement of objectives.3 Determination of the possible impact of these risks on the achievement of objectives.3
15
Risk Assessment Cont’d Management must assess the risk of unexpected potential events and any expected events that could have a significant impact on the agency. Management must assess the risk of unexpected potential events and any expected events that could have a significant impact on the agency. All operational and control objectives throughout the organization should be identified.5 All operational and control objectives throughout the organization should be identified.5 Risk assessment should be done annually. Risk assessment should be done annually.
16
Control Activities The policies, procedures, techniques, and mechanisms that help ensure that management's response to reduce risks identified during the risk assessment process is carried out. Examples: 4 –Review and Approval –Verifications and Reconciliations –Security over assets –Segregation of duties
17
Control Activities continued: Develop and assess agency-level control activities applicable to: – –All significant fiscal processes – –Accounting administration – –The general ledger – –Information systems
18
Information and Communication “Information and Communication” involves identifying, capturing, and communicating relevant information in a form and timeframe that enables people to carry out their responsibilities. Effective communication occurs down, across, and up the agency. Effective communication occurs down, across, and up the agency. An effective information and communication process will assure that all personnel receive a clear message from top management that internal control responsibilities must be taken seriously. An effective information and communication process will assure that all personnel receive a clear message from top management that internal control responsibilities must be taken seriously.
19
Monitoring: Reviewing policies and procedures and updating them for any changes. Reviewing policies and procedures and updating them for any changes. Testing Testing Documentation of issues discovered during testing Documentation of issues discovered during testing Follow-up to ensure corrective actions have been taken Follow-up to ensure corrective actions have been taken
20
Keys to Strong Internal Controls Documenting the Policies and Procedures of your Organization. Documenting the Policies and Procedures of your Organization. Documenting the Internal Control strengths and weaknesses Documenting the Internal Control strengths and weaknesses Completing corrective actions for internal control weaknesses. Completing corrective actions for internal control weaknesses. Assessing Risk Assessing Risk Testing of Procedures and Controls Testing of Procedures and Controls
21
Documenting the Policies and Procedures What is done on a day to day basis What is done on a day to day basis Policies and Procedures should be complete and reviewed for changes annually Policies and Procedures should be complete and reviewed for changes annually This may identify areas that should be focused on for testing and it could identify process changes. This may identify areas that should be focused on for testing and it could identify process changes.
22
Documenting the Internal Controls ARMICS Internal Control Questionnaire ARMICS Internal Control Questionnaire –The questionnaires should be sent out again in FY 2010 –Review for completeness as well as internal control problems. From the Policies and Procedures as well as the Questionnaires, identify the internal controls as well as the weaknesses. From the Policies and Procedures as well as the Questionnaires, identify the internal controls as well as the weaknesses.
23
Internal Control Corrective Actions: If you identify an internal control weaknesses: If you identify an internal control weaknesses: –Prepare a plan to correct this weakness and document it in the policies and procedures –Give a time frame that this corrective action will be implemented –Document compensating controls if there are any
24
Assessing Risk The risk of control failures should be identified The risk of control failures should be identified Ensure that time is spent in the areas assessed as having a high risk. Ensure that time is spent in the areas assessed as having a high risk.
25
Testing Think like and Auditor Think like and Auditor –Focus on what could happen –Be observant –Look for control weaknesses –Test for compliance Review your policies and procedures Review your policies and procedures Know the applicable regulations Know the applicable regulations –Procurement, Commonwealth, Federal Regulations etc..
26
Testing continued: Areas to test: Areas to test: –Fiscal processes Payroll Payroll Accounts Payable Accounts Payable Cashiering Cashiering Revenue/Accounts Receivable Revenue/Accounts Receivable Reconciliations Reconciliations Financial Reporting Financial Reporting Fixed Assets Fixed Assets
27
Testing continued: Areas to test: Areas to test: –Other Processes Pharmacy Pharmacy Physical Security over your facility Physical Security over your facility IT Access controls IT Access controls
28
Examples of Testing Procedures – Payroll Trace employees from employee list or CIPPS 10 to P3 form (comp status change form approving employment) Trace employees from employee list or CIPPS 10 to P3 form (comp status change form approving employment) Payroll approval process Payroll approval process Review list of 1099’s created. Test to see if they should have been on Payroll. Review list of 1099’s created. Test to see if they should have been on Payroll. Related testwork – Look at I9’s Related testwork – Look at I9’s
29
Examples of Testing Procedures – Accounts Payable Look at who has access to setup vendors and process (release) payments. They should not be the same person. Look at who has access to setup vendors and process (release) payments. They should not be the same person. Review the vendor list for reasonableness Review the vendor list for reasonableness Test a sample of invoices paid during the year to see if they have been approved and have supporting documentation Test a sample of invoices paid during the year to see if they have been approved and have supporting documentation
30
Examples of Testing Procedures – Cashiering The person collecting the money should not be the same person entering the deposit into the system and making the deposit. The person collecting the money should not be the same person entering the deposit into the system and making the deposit. Test the reconciliations to see that they are approved and done correctly. Test the reconciliations to see that they are approved and done correctly. Segregation of duties is key here Segregation of duties is key here
31
Examples of Testing Procedures – Revenue/AR Review the AR list. Make sure that there are not old receivables on the list that should be written off. Review the AR list. Make sure that there are not old receivables on the list that should be written off. Cash management testing. Ensure that receipts are deposited timely. Cash management testing. Ensure that receipts are deposited timely. Ensure that the deposits are reconciled to the source documents and the accounting system. Ensure that the deposits are reconciled to the source documents and the accounting system.
32
Examples of Testing Procedures – Reconciliations The reconciliations between FMS and CARS as well as the bank reconciliations should be done monthly and approved. The reconciliations between FMS and CARS as well as the bank reconciliations should be done monthly and approved. The outstanding check list should not have checks over 180 days old on it. The outstanding check list should not have checks over 180 days old on it. The reconciling items should be cleared timely. The reconciling items should be cleared timely.
33
Examples of Testing Procedures – Financial Reporting Trace each number back to the support documentation. Trace each number back to the support documentation. Determine that there is an approval process for all financial reports. Determine that there is an approval process for all financial reports. Oversight of the process and support for the numbers is key in this area. Oversight of the process and support for the numbers is key in this area.
34
Examples of Testing Procedures – Fixed Assets Select a sample of assets purchased. Test to see that they were approved. Select a sample of assets purchased. Test to see that they were approved. The fixed asset list for your organization should be accurate and up to date. The fixed asset list for your organization should be accurate and up to date. Select a sample of assets from the list and find them on the “floor”. Select a sample of assets from the list and find them on the “floor”. Select a sample of assets from the “floor” and find them on the list. Select a sample of assets from the “floor” and find them on the list.
35
Examples of Testing Procedures – Pharmacy Document the process over pharmacy purchases. Document the process over pharmacy purchases. Test a sample of pharmacy purchases to see that they were approved. Test a sample of pharmacy purchases to see that they were approved. Determine whether the pharmacy is secure. Determine whether the pharmacy is secure. Select a sample of pharmacy inventory from the list and find them on the “floor”. Select a sample of pharmacy inventory from the list and find them on the “floor”. Select a sample from the “floor” and find them on the list. Select a sample from the “floor” and find them on the list.
36
Examples of Testing Procedures – Physical Security Observe to see whether employees lock their computers when they are away from their computers. Observe to see whether employees lock their computers when they are away from their computers. Review the access controls to the building. Review the access controls to the building. See if the layout of the cashiering office is reasonable as it relates to security. See if the layout of the cashiering office is reasonable as it relates to security.
37
Examples of Testing Procedures – IT Access Review the list of access levels for your accounting system. Determine if the access is reasonable. Review the list of access levels for your accounting system. Determine if the access is reasonable.
38
DOA Requirements A new CAPP Manual section on ARMICS will outline future requirements A new CAPP Manual section on ARMICS will outline future requirements –Should be out in FY 2010 June 30, 2010 June 30, 2010 –The same certification that was due June 30, 2009 is due this June 30 th.
39
Certification to DOA Same as the certification on June 30, 2009. Same as the certification on June 30, 2009. –Testing is mentioned on the certification. –List any significant weaknesses in internal controls. –A corrective action plan should be completed for these weaknesses.
40
Corrective Action Plan Summary description of the deficiency in internal control. Summary description of the deficiency in internal control. When the deficiency was identified. When the deficiency was identified. A target date for the completion of the corrective action. A target date for the completion of the corrective action. Agency personnel responsible for monitoring progress of the corrective action. Agency personnel responsible for monitoring progress of the corrective action.
41
Next Steps for Internal Audit’s review of ARMICS: Issue a combined audit report outlining what was found at the facilities and central office related to ARMICS. Issue a combined audit report outlining what was found at the facilities and central office related to ARMICS. Follow-up with the facilities and central office based on their individual reports. Follow-up with the facilities and central office based on their individual reports. Provide guidance for the future ARMICS work. Provide guidance for the future ARMICS work. Monitor the DOA requirements Monitor the DOA requirements
42
References: 1.University of California – “ 1.University of California – “UNDERSTANDING INTERNAL CONTROLS” - http://www.ucop.edu/ctlacct/under-ic.pdf http://www.ucop.edu/ctlacct/under-ic.pdf 2.University of Rochester - www.rochester.edu/adminfinance/.../Internal ControlEnvironment.doc 3.RSM McGladry – “A Success Story” http://www.mcgladrey.com/Resource_Center/ Newsletter_PDFs/Fundamentals/Fund_1stQ2 003.pdf 3.RSM McGladry – “A Success Story” http://www.mcgladrey.com/Resource_Center/ Newsletter_PDFs/Fundamentals/Fund_1stQ2 003.pdf
43
References cont’d 4.Office of Financial Management – State of Washington. http://www.ofm.wa.gov/policy/20.25.htm 4.Office of Financial Management – State of Washington. http://www.ofm.wa.gov/policy/20.25.htm http://www.ofm.wa.gov/policy/20.25.htm 5.Office of the New York State Comptroller “Standards for Internal Controls” http://www.osc.state.ny.us/agencies/ictf/do cs/intcontrol_stds.pdf 5.Office of the New York State Comptroller “Standards for Internal Controls” http://www.osc.state.ny.us/agencies/ictf/do cs/intcontrol_stds.pdf http://www.osc.state.ny.us/agencies/ictf/do
44
Questions???
45
Contact Information: ARMICS ARMICS –www.doa.virginia.gov click on the ARMICS link on the right hand side of the page www.doa.virginia.gov Randy Sherrod, CPA Randy Sherrod, CPA –DBHDS Internal Audit Manager –804-786-5839 –randy.sherrod@dbhds.virginia.gov
46
THANK YOU!
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.