
ARMICS Randy Sherrod, Internal Audit Manager – Department of Behavioral Health and Developmental Services

We all know where the donuts are!!

What is ARMICS

ARMICS is the Agency Risk Management and Internal Control Standards implemented by the Virginia Department of Accounts in 2007.

Every Agency of the Commonwealth must comply with these standards.

These standards help to maintain Virginia’s ranking as the Best Managed State.

What is ARMICS continued:

ARMICS is meant to help agencies with their business practices.

ARMICS helps provide a framework for sound accounting and operational practices.

The Objectives of ARMICS

To provide reasonable assurance of the integrity of all fiscal processes related to:
– Submission of transactions to the Commonwealth’s general ledger
– Submission of deliverables required by financial statement directives
– Compliance with laws and regulations
– Safeguarding and Stewardship over the Commonwealth’s assets

What we have done at DBHDS Internal Audit?

July – September 2009
– Facility and Central Office ARMICS Review by Internal Audit
– Issued reports with recommendations for FY 2010
– Found that ARMICS work is being done.
– Recommended that more testing be completed.
– ARMICS Presentation to the Facility Finance Staff

Internal Controls

Internal control is a process designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
– Effectiveness and efficiency of operations
– Reliability of financial reporting
– Compliance with applicable laws and regulations [1]

Internal Controls cont’d

Internal controls can be thought of as proactive measures to prevent inappropriate charges and to ensure compliance. [2]

4 Purposes of Internal Controls

Promote orderly, economical, efficient and effective operations, and produce quality products and services consistent with the organization's mission.

Safeguard resources against loss due to waste, abuse, mismanagement, errors and fraud. [5]

4 Purposes of Internal Controls cont’d

Promote adherence to laws, regulations, contracts and management directives.

Develop and maintain reliable financial and management data, and accurately present that data in timely reports. [5]

5 Components of Internal Controls:
– Control Environment
– Risk Assessment
– Control Activities
– Information and Communication
– Monitoring

Control Environment

The internal control environment encompasses:
– the policies, processes and skills that exist within a department to ensure only valid financial transactions are recorded. [2]

Control Environment cont’d

Control Environment includes:
– Management Philosophy
– Oversight by Agency’s Governing Board
– Integrity and Ethical Values (Develop a code of Ethics)
– Organizational Structure
– Assignment of Authority and Responsibility
– Work Force Competence
– Human Resource Development

Risk Assessment

An ongoing process of identifying and analyzing potential risk events.

The management of the risks to achieving the objectives of internal control.

Determination of the possible impact of these risks on the achievement of objectives. [3]

Risk Assessment cont’d

Management must assess the risk of unexpected potential events and any expected events that could have a significant impact on the agency.

All operational and control objectives throughout the organization should be identified. [5]

Risk assessment should be done annually.

Control Activities

The policies, procedures, techniques, and mechanisms that help ensure that management's response to reduce risks identified during the risk assessment process is carried out.

Examples: [4]
– Review and Approval
– Verifications and Reconciliations
– Security over assets
– Segregation of duties

Control Activities continued:

Develop and assess agency-level control activities applicable to:
– All significant fiscal processes
– Accounting administration
– The general ledger
– Information systems

Information and Communication

“Information and Communication” involves identifying, capturing, and communicating relevant information in a form and timeframe that enables people to carry out their responsibilities.

Effective communication occurs down, across, and up the agency.

An effective information and communication process will assure that all personnel receive a clear message from top management that internal control responsibilities must be taken seriously.

Monitoring:

Reviewing policies and procedures and updating them for any changes.

Testing

Documentation of issues discovered during testing

Follow-up to ensure corrective actions have been taken

Keys to Strong Internal Controls

Documenting the Policies and Procedures of your Organization.

Documenting the Internal Control strengths and weaknesses

Completing corrective actions for internal control weaknesses.

Assessing Risk

Testing of Procedures and Controls

Documenting the Policies and Procedures

What is done on a day to day basis

Policies and Procedures should be complete and reviewed for changes annually

This may identify areas that should be focused on for testing and it could identify process changes.

Documenting the Internal Controls

ARMICS Internal Control Questionnaire
– The questionnaires should be sent out again in FY 2010
– Review for completeness as well as internal control problems.

From the Policies and Procedures as well as the Questionnaires, identify the internal controls as well as the weaknesses.

Internal Control Corrective Actions:

If you identify an internal control weakness:
– Prepare a plan to correct this weakness and document it in the policies and procedures
– Give a time frame that this corrective action will be implemented
– Document compensating controls if there are any

Assessing Risk

The risk of control failures should be identified

Ensure that time is spent in the areas assessed as having a high risk.

Testing

Think like an Auditor
– Focus on what could happen
– Be observant
– Look for control weaknesses
– Test for compliance

Review your policies and procedures

Know the applicable regulations
– Procurement, Commonwealth, Federal Regulations etc.

Testing continued:

Areas to test:
– Fiscal processes
  – Payroll
  – Accounts Payable
  – Cashiering
  – Revenue/Accounts Receivable
  – Reconciliations
  – Financial Reporting
  – Fixed Assets

Testing continued:

Areas to test:
– Other Processes
  – Pharmacy
  – Physical Security over your facility
  – IT Access controls

Examples of Testing Procedures – Payroll

Trace employees from employee list or CIPPS 10 to P3 form (comp status change form approving employment)

Payroll approval process

Review list of 1099’s created. Test to see if they should have been on Payroll.

Related testwork – Look at I9’s

Examples of Testing Procedures – Accounts Payable

Look at who has access to set up vendors and process (release) payments. They should not be the same person.

Review the vendor list for reasonableness

Test a sample of invoices paid during the year to see if they have been approved and have supporting documentation

Examples of Testing Procedures – Cashiering

The person collecting the money should not be the same person entering the deposit into the system and making the deposit.

Test the reconciliations to see that they are approved and done correctly.

Segregation of duties is key here

Examples of Testing Procedures – Revenue/AR

Review the AR list. Make sure that there are not old receivables on the list that should be written off.

Cash management testing. Ensure that receipts are deposited timely.

Ensure that the deposits are reconciled to the source documents and the accounting system.

Examples of Testing Procedures – Reconciliations

The reconciliations between FMS and CARS as well as the bank reconciliations should be done monthly and approved.

The outstanding check list should not have checks over 180 days old on it.

The reconciling items should be cleared timely.

Examples of Testing Procedures – Financial Reporting

Trace each number back to the support documentation.

Determine that there is an approval process for all financial reports.

Oversight of the process and support for the numbers is key in this area.

Examples of Testing Procedures – Fixed Assets

Select a sample of assets purchased. Test to see that they were approved.

The fixed asset list for your organization should be accurate and up to date.

Select a sample of assets from the list and find them on the “floor”.

Select a sample of assets from the “floor” and find them on the list.

Examples of Testing Procedures – Pharmacy

Document the process over pharmacy purchases.

Test a sample of pharmacy purchases to see that they were approved.

Determine whether the pharmacy is secure.

Select a sample of pharmacy inventory from the list and find them on the “floor”.

Select a sample from the “floor” and find them on the list.

Examples of Testing Procedures – Physical Security

Observe to see whether employees lock their computers when they are away from their computers.

Review the access controls to the building.

See if the layout of the cashiering office is reasonable as it relates to security.

Examples of Testing Procedures – IT Access

Review the list of access levels for your accounting system. Determine if the access is reasonable.

DOA Requirements

A new CAPP Manual section on ARMICS will outline future requirements
– Should be out in FY 2010

June 30, 2010
– The same certification that was due June 30, 2009 is due this June 30th.

Certification to DOA

Same as the certification on June 30, 2009.
– Testing is mentioned on the certification.
– List any significant weaknesses in internal controls.
– A corrective action plan should be completed for these weaknesses.

Corrective Action Plan

Summary description of the deficiency in internal control.

When the deficiency was identified.

A target date for the completion of the corrective action.

Agency personnel responsible for monitoring progress of the corrective action.

Next Steps for Internal Audit’s review of ARMICS:

Issue a combined audit report outlining what was found at the facilities and central office related to ARMICS.

Follow-up with the facilities and central office based on their individual reports.

Provide guidance for the future ARMICS work.

Monitor the DOA requirements

References:

1. University of California – “UNDERSTANDING INTERNAL CONTROLS” - http://www.ucop.edu/ctlacct/under-ic.pdf

2. University of Rochester - www.rochester.edu/adminfinance/.../InternalControlEnvironment.doc

3. RSM McGladrey – “A Success Story” http://www.mcgladrey.com/Resource_Center/Newsletter_PDFs/Fundamentals/Fund_1stQ2003.pdf

References cont’d

4. Office of Financial Management – State of Washington. http://www.ofm.wa.gov/policy/20.25.htm

5. Office of the New York State Comptroller “Standards for Internal Controls” http://www.osc.state.ny.us/agencies/ictf/docs/intcontrol_stds.pdf

Questions???

Contact Information:

ARMICS
– www.doa.virginia.gov click on the ARMICS link on the right hand side of the page

Randy Sherrod, CPA
– DBHDS Internal Audit Manager
– 804-786-5839
– [email protected]

THANK YOU!