Photo by Karl Steinbrenner ARMICS Update: May 14, 2008 FOCUS

Photo by Karl Steinbrenner

ARMICS Update:May 14, 2008

FOCUS

May 14, 2008Accounting and Internal Control

Compliance Oversight Unit 2

ARMICS Update: FOCUS Presentation

Best Practices

Room for Improvement

Flexibility

Where do we go from here?



ARMICS Update: Best Practices

Written Plan– Approved by Agency Head / Board Chair

Written Internal Report– To Agency Head / Board Chair (Audit Committee)

Internal Quality Assurance Review– Good use of an Internal Audit function

Management– Designation of an Internal Control Officer / Manager



ARMICS Update: Best Practices

Survey Automation– Zoomerang, Survey Monkey, etc.

Survey Experts– Questionnaire modification, Statistical Analysis

– Source: Colleges and Universities

Documentation– Parallel Flowcharts and narratives w/ IC Identification



ARMICS Update: Room for Improvement

General: – Stage 1 Testing: Key controls that can be tested.

– Input, All levels when applicable – NOT just management– NOT just Finance / Fiscal

– Attitude: Process has a benefit other than getting DOA off my back

– Over-reliance on Exhibits as the only tool to identify risk – No customization




Stage 1: Customize Questionnaires– Corrections: Access and Security

– Federal Grants: Sub-grantee monitoring (Pass-thru)

– Colleges: Students – System Access - Security

– Shared Services Agreements – Split controls - MOU

– External Entities (Providing input services – Contracts)

– Avoid a Minimalist Approach (Underestimating Risks)




Stage 1: Control Environment– Ethics Programs not JUST a Code of Ethics

– Testing the effectiveness of Ethics Programs-- Random mini-exams (verbal or written)

– Ethics awareness program

– Awareness programs in general (Safety, Harassment, Sensitivity, Terrorism, etc.)

– Ethics and control responsibility in EWPs




Stage 1: Risk Assessment– External Risks (Data Flows and sources)

– Evaluate Risks – Impact & Likelihood

– Don’t forget SWOT (High Level)




Stage 1: Control Activities– Stage 1 VS Stage 2

– Example: General VS Application controls

– Good area for Stage 1 “Testing”




Stage 1: Information and Communication– Agency FOIA process

– Sensitive data, redaction, privacy restrictions

– Info. Security: Not just electronic – check your garbage

– Error 1: Release what should be restricted

– Error 2: Restrict what should be released – Perception VS Reality = Communication gaps

– Add Question on Hotline effectiveness




Stage 1: Monitoring– Special Monitoring

– Grant Pass Thrus (OMB Circular A-133)

– Audit CAPs

– Internal projects

– System Development

– NCAA




Stage 2: Identification of Significant Fiscal Processes– So far, so good

– Definition of Significant – Consistency




Stage 2: Documentation of Fiscal Processes

– The key is your flexibility




Stage 2: Identification of Internal Controls

– Steady as she goes




Stage 2: Testing of Key Internal Controls– Document, Document, Document




Stage 3: Corrective Action Plans– Include all elements listed in the ARMICS Manual



ARMICS Update: Flexibility

• Deferring SWOT until Strategic Planning

• Review after major operations change



ARMICS Update: The Future

One Certification per YearReplaces DOA-FR Year End CertificationUpdate only for processes done wellStage 1: Refresh and RefineStage 2: Update and RetestStage 3: Follow-up and Test from Prior Year

+ newAddresses Service Provider AgreementsConstant Improvement



Conclusion

Good First TryRoom for ImprovementVariance in Implementation – A Good Thing

“Forward, always forward, everywhere forward.” – Boniface Wimmer, OSB

“Don’t look back, you can never look back.” – Don Henley, The Boys of Summer

“Don't look back — something might be gaining on you.“

– Leroy “Satchel” Paige



Contact Information

Joseph A. Kapelewski, CGFM, CPA, [email protected]

Commonwealth of VirginiaDepartment of Accountswww.doa.virginia.govClick on ARMICS

mailto:[email protected]

http://www.doa.virginia.gov/

Documents

Photo by Karl Steinbrenner ARMICS Update: May 14, 2008 FOCUS