ARMICS
Randy Sherrod, Internal Audit Manager – Department of Behavioral Health and Developmental Services
We all know where the donuts are!!

What is ARMICS
ARMICS is the Agency Risk Management and Internal Control Standards implemented by the Virginia Department of Accounts in 2007.
Every Agency of the Commonwealth must comply with these standards.
These standards help to maintain Virginia’s ranking as the Best Managed State.

What is ARMICS continued:
ARMICS is meant to help agencies with their business practices.
ARMICS helps provide a framework for sound accounting and operational practices.

The Objectives of ARMICS
To provide reasonable assurance of the integrity of all fiscal processes related to:
  – Submission of transactions to the Commonwealth’s general ledger
  – Submission of deliverables required by financial statement directives
  – Compliance with laws and regulations
  – Safeguarding and Stewardship over the Commonwealth’s assets

What we have done at DBHDS Internal Audit?
July – September 2009
  – Facility and Central Office ARMICS Review by Internal Audit
  – Issued reports with recommendations for FY 2010
  – Found that ARMICS work is being done.
  – Recommended that more testing be completed.
  – ARMICS Presentation to the Facility Finance Staff

Internal Controls
Internal control is a process designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
  – Effectiveness and efficiency of operations
  – Reliability of financial reporting
  – Compliance with applicable laws and regulations [1]

Internal Controls con’t
Internal controls can be thought of as proactive measures to prevent inappropriate charges and to ensure compliance. [2]

4 Purposes of Internal Controls
Promote orderly, economical, efficient and effective operations, and produce quality products and services consistent with the organization's mission.
Safeguard resources against loss due to waste, abuse, mismanagement, errors and fraud. [5]

4 Purposes of Internal Controls cont’d
Promote adherence to laws, regulations, contracts and management directives.
Develop and maintain reliable financial and management data, and accurately present that data in timely reports. [5]

5 Components of Internal Controls:
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring

Control Environment
The internal control environment encompasses:
  – the policies, processes and skills that exist within a department to ensure only valid financial transactions are recorded. [2]

Control Environment cont’d
Control Environment includes:
  – Management Philosophy
  – Oversight by Agency’s Governing Board
  – Integrity and Ethical Values (Develop a code of Ethics)
  – Organizational Structure
  – Assignment of Authority and Responsibility
  – Work Force Competence
  – Human Resource Development

Risk Assessment
An ongoing process of identifying and analyzing potential risk events.
The management of the risks to achieving the objectives of internal control.
Determination of the possible impact of these risks on the achievement of objectives. [3]

Risk Assessment cont’d
Management must assess the risk of unexpected potential events and any expected events that could have a significant impact on the agency.
All operational and control objectives throughout the organization should be identified. [5]
Risk assessment should be done annually.

Control Activities
The policies, procedures, techniques, and mechanisms that help ensure that management's response to reduce risks identified during the risk assessment process is carried out.
Examples: [4]
  – Review and Approval
  – Verifications and Reconciliations
  – Security over assets
  – Segregation of duties

Control Activities continued:
Develop and assess agency-level control activities applicable to:
  – All significant fiscal processes
  – Accounting administration
  – The general ledger
  – Information systems

Information and Communication
“Information and Communication” involves identifying, capturing, and communicating relevant information in a form and timeframe that enables people to carry out their responsibilities.
Effective communication occurs down, across, and up the agency.
An effective information and communication process will assure that all personnel receive a clear message from top management that internal control responsibilities must be taken seriously.

Monitoring:
Reviewing policies and procedures and updating them for any changes.
Testing
Documentation of issues discovered during testing
Follow-up to ensure corrective actions have been taken

Keys to Strong Internal Controls
Documenting the Policies and Procedures of your Organization.
Documenting the Internal Control strengths and weaknesses
Completing corrective actions for internal control weaknesses.
Assessing Risk
Testing of Procedures and Controls

Documenting the Policies and Procedures
What is done on a day to day basis
Policies and Procedures should be complete and reviewed for changes annually
This may identify areas that should be focused on for testing and it could identify process changes.

Documenting the Internal Controls
ARMICS Internal Control Questionnaire
  – The questionnaires should be sent out again in FY 2010
  – Review for completeness as well as internal control problems.
From the Policies and Procedures as well as the Questionnaires, identify the internal controls as well as the weaknesses.

Internal Control Corrective Actions:
If you identify an internal control weakness:
  – Prepare a plan to correct this weakness and document it in the policies and procedures
  – Give a time frame in which this corrective action will be implemented
  – Document compensating controls if there are any

Assessing Risk
The risk of control failures should be identified
Ensure that time is spent in the areas assessed as having a high risk.

Testing
Think like an Auditor
  – Focus on what could happen
  – Be observant
  – Look for control weaknesses
  – Test for compliance
Review your policies and procedures
Know the applicable regulations
  – Procurement, Commonwealth, Federal Regulations etc.

Testing continued:
Areas to test:
  – Fiscal processes
      Payroll
      Accounts Payable
      Cashiering
      Revenue/Accounts Receivable
      Reconciliations
      Financial Reporting
      Fixed Assets

Testing continued:
Areas to test:
  – Other Processes
      Pharmacy
      Physical Security over your facility
      IT Access controls

Examples of Testing Procedures – Payroll
Trace employees from employee list or CIPPS 10 to P3 form (comp status change form approving employment)
Payroll approval process
Review list of 1099’s created. Test to see if they should have been on Payroll.
Related testwork – Look at I9’s

Examples of Testing Procedures – Accounts Payable
Look at who has access to setup vendors and process (release) payments. They should not be the same person.
Review the vendor list for reasonableness
Test a sample of invoices paid during the year to see if they have been approved and have supporting documentation

Examples of Testing Procedures – Cashiering
The person collecting the money should not be the same person entering the deposit into the system and making the deposit.
Test the reconciliations to see that they are approved and done correctly.
Segregation of duties is key here

Examples of Testing Procedures – Revenue/AR
Review the AR list. Make sure that there are not old receivables on the list that should be written off.
Cash management testing. Ensure that receipts are deposited timely.
Ensure that the deposits are reconciled to the source documents and the accounting system.

Examples of Testing Procedures – Reconciliations
The reconciliations between FMS and CARS as well as the bank reconciliations should be done monthly and approved.
The outstanding check list should not have checks over 180 days old on it.
The reconciling items should be cleared timely.

Examples of Testing Procedures – Financial Reporting
Trace each number back to the support documentation.
Determine that there is an approval process for all financial reports.
Oversight of the process and support for the numbers is key in this area.

Examples of Testing Procedures – Fixed Assets
Select a sample of assets purchased. Test to see that they were approved.
The fixed asset list for your organization should be accurate and up to date.
Select a sample of assets from the list and find them on the “floor”.
Select a sample of assets from the “floor” and find them on the list.

Examples of Testing Procedures – Pharmacy
Document the process over pharmacy purchases.
Test a sample of pharmacy purchases to see that they were approved.
Determine whether the pharmacy is secure.
Select a sample of pharmacy inventory from the list and find them on the “floor”.
Select a sample from the “floor” and find them on the list.

Examples of Testing Procedures – Physical Security
Observe to see whether employees lock their computers when they are away from their computers.
Review the access controls to the building.
See if the layout of the cashiering office is reasonable as it relates to security.

Examples of Testing Procedures – IT Access
Review the list of access levels for your accounting system. Determine if the access is reasonable.

DOA Requirements
A new CAPP Manual section on ARMICS will outline future requirements
  – Should be out in FY 2010
June 30, 2010
  – The same certification that was due June 30, 2009 is due this June 30th.

Certification to DOA
Same as the certification on June 30, 2009.
  – Testing is mentioned on the certification.
  – List any significant weaknesses in internal controls.
  – A corrective action plan should be completed for these weaknesses.

Corrective Action Plan
Summary description of the deficiency in internal control.
When the deficiency was identified.
A target date for the completion of the corrective action.
Agency personnel responsible for monitoring progress of the corrective action.

Next Steps for Internal Audit’s review of ARMICS:
Issue a combined audit report outlining what was found at the facilities and central office related to ARMICS.
Follow-up with the facilities and central office based on their individual reports.
Provide guidance for the future ARMICS work.
Monitor the DOA requirements

References:
1. University of California – “UNDERSTANDING INTERNAL CONTROLS” - http://www.ucop.edu/ctlacct/under-ic.pdf
2. University of Rochester - www.rochester.edu/adminfinance/.../InternalControlEnvironment.doc
3. RSM McGladrey – “A Success Story” - http://www.mcgladrey.com/Resource_Center/Newsletter_PDFs/Fundamentals/Fund_1stQ2003.pdf
4. Office of Financial Management – State of Washington - http://www.ofm.wa.gov/policy/20.25.htm
5. Office of the New York State Comptroller – “Standards for Internal Controls” - http://www.osc.state.ny.us/agencies/ictf/docs/intcontrol_stds.pdf

Questions???

Contact Information:
ARMICS
  – www.doa.virginia.gov click on the ARMICS link on the right hand side of the page
Randy Sherrod, CPA
  – DBHDS Internal Audit Manager
  – 804-786-5839
  – [email protected]

THANK YOU!