Baker Tilly

Loading...

Subscribe to newsletters
About Us
Careers
Client Portals
Pay Invoice
Locations
Industries
Services
Professionals
Legal & Privacy
CCPA Privacy
Contact Us
Request a Proposal

© 2024-2026 Baker Tilly US, LLP / Baker Tilly Advisory Group, LP

Baker Tilly US, LLP and Baker Tilly Advisory Group, LP and its subsidiary entities provide professional services through an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable laws, regulations and professional standards. Baker Tilly US, LLP is a licensed independent CPA firm that provides attest services to clients. Baker Tilly Advisory Group, LP and its subsidiary entities provide tax and business advisory services to their clients. Baker Tilly Advisory Group, LP and its subsidiary entities are not licensed CPA firms.

Baker Tilly Advisory Group, LP and Baker Tilly US, LLP are independent members of Baker Tilly International. Baker Tilly International Limited is an English company. Baker Tilly International provides no professional services to clients. Each member firm is a separate and independent legal entity and each describes itself as such. Baker Tilly Advisory Group, LP and Baker Tilly US, LLP are not Baker Tilly International’s agent and do not have the authority to bind Baker Tilly International or act on Baker Tilly International’s behalf. None of Baker Tilly International, Baker Tilly Advisory Group, LP, Baker Tilly US, LLP, nor any of the other member firms of Baker Tilly International has any liability for each other’s acts or omissions. The name Baker Tilly and its associated logo is used under license from Baker Tilly International Limited.

Glass panels forming geometrical shapes with a beautiful blue sky in the background

Article

State government internal control frameworks: Lessons from ARMICS

Nov. 14, 2025 · Authored by Christopher Kalafatis, Randy Sherrod, Peter Tsengas

Subscribe to newsletters

Share

Related sections

  • Government Services
  • Risk Advisory
  • Internal Audit
  • Public Sector Advisory

In today’s dynamic public sector environment, internal control frameworks are more than just compliance tools; they’re strategic assets. Whether you're managing fiscal operations, overseeing human resources or safeguarding information technology (IT) systems, a robust internal control framework can elevate your agency’s performance, accountability and resilience. In addition, a strong internal control framework can help limit the opportunity for fraud. One standout example is Virginia’s Agency Risk Management and Internal Control Standards (ARMICS), a program that offers a comprehensive blueprint for risk management and control evaluation across state agencies. 

Whether your agency works with state-mandated programs like ARMICS or is considering implementing an internal control framework for the very first time, we invite you to join us as we explore the benefits, challenges, and essential steps of implementing an internal control framework to transform your public sector governance. 

Why internal control frameworks matter 

Internal control frameworks are structured systems designed to ensure effective and efficient operations, reliable financial reporting and regulatory compliance. In the public sector, where transparency and stewardship are paramount, these frameworks serve as the backbone of impactful governance. 

Key benefits 
  • Structured framework for internal controls: Frameworks like ARMICS provide a clear methodology for identifying, assessing and mitigating risks. This structure promotes consistency across departments and aligns with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) principles. 
  • Enhanced accountability: By requiring documentation and regular evaluation of controls, agencies foster a culture of responsibility and transparency across all levels (staff and leadership). 
  • Strategic alignment: Internal controls help agencies align risk management with strategic objectives, improving decision-making and resource allocation. 
Christopher Kalafatis

Christopher Kalafatis

Principal

Randy Sherrod

Randy Sherrod

Director

Peter Tsengas

Peter Tsengas

Director

Related sections

  • Government Services
  • Risk Advisory
  • Internal Audit
  • Public Sector Advisory
abstract digital technology network image

Next up

State government IT security audits: Benefits, challenges and considerations of consolidated IT security organizations

Discover more
  • Continuous improvement: Annual certification processes ensure that controls remain relevant and effective, encouraging ongoing refinement. 

    • ARMICS: A case study in public sector control excellence 

    Virginia’s ARMICS program exemplifies how a state government can institutionalize risk management and internal controls. It mandates that agencies document significant fiscal processes, assess risks and test controls annually. The program’s structured approach offers a road map for other states and municipalities seeking to strengthen their internal control environments. 

    Core components of ARMICS 
    Woman signs contract with her advisor

    1. Process documentation

    Climbers move forward avoiding risks to reach their goal, the summit

    2. Risk assessment

    Audit committee meets to oversee the reporting and disclosure process of an organization

    3. Control testing

    laptop-2562325_1920

    4. Annual certification

    1. Process documentation

    Agencies must identify significant fiscal processes and document them using narratives or flowcharts. This includes outlining internal controls within each process.

    2. Risk assessment

    A comprehensive risk assessment involves questionnaires, interviews and a SWOT (strengths, weaknesses, opportunities, threats) analysis to identify vulnerabilities.

    3. Control testing

    Agencies test the design and operating effectiveness of controls, using sample sizes based on control frequency.

    4. Annual certification

    Agencies certify that their internal control systems are functioning effectively, reinforcing accountability.

    Challenges to implementation 

    While the benefits are clear, implementing an internal control framework, especially one modeled after ARMICS, comes with challenges. 

    1. Resource intensity 

    Documenting, assessing and testing controls requires time, effort and expertise. Smaller agencies may struggle to allocate dedicated personnel or provide adequate training. 

    2. Complexity and bureaucracy 

    There’s a risk that the framework becomes overly procedural, leading to “check-the-box” compliance rather than meaningful engagement. Agencies must guard against losing sight of the strategic value of controls. 

    3. Resistance to change 

    Cultural shifts toward accountability and documentation can be slow. Staff may be reluctant to adopt new processes or formalize existing ones. 

    4. Inconsistent implementation 

    The success of a framework depends heavily on leadership commitment and staff engagement. Without consistent interpretation and application of standards, effectiveness can vary widely across departments. 

    5. Innovation constraints 

    A strong focus on control can sometimes stifle innovation. Agencies must strike a balance between risk mitigation and agility, especially in fast-paced environments. 

    Building an effective framework: Steps to success 

    For agencies considering an ARMICS-like model, here’s a step-by-step guide to building a resilient internal control framework: 

    Begin by mapping out key fiscal operations, such as payroll, procurement and revenue collection. Documentation should include: 

    • Narratives or flowcharts detailing each process 
    • Identification of all internal controls within each process 
    • Evidence of how these processes were selected as significant 

    A thorough risk assessment should analyze potential events or conditions that could impact operations. Use a combination of: 

    • Risk questionnaires 
    • Interviews with process owners 
    • An agency-wide SWOT analysis 

    Common pitfalls to avoid include insufficient documentation, lack of agency-wide evaluation and outdated process narratives. 

    Controls should address all aspects of significant fiscal processes and aim to meet the following objectives: 

    • Effective and efficient operations 
    • Reliable financial reporting 
    • Compliance with laws and regulations 
    • Safeguarding of assets 

    Controls must be clearly described and assigned to specific owners, with frequency and testing procedures outlined. 

    Develop a master spreadsheet listing all controls and related risks, including: 

    • Control descriptions 
    • Control owners 
    • Control frequency 
    • Sample size for testing 
    • Testing procedures 

    Sample sizes should reflect control frequency. For example: 25 samples for daily controls, three for monthly, and two for quarterly. Document test results consistently and validate findings with management. 

    Any deficiencies identified during testing should be documented and discussed with management. Action plans should be developed to remediate issues and ensure future compliance. 

    Expand the framework to cover human resources (HR) and IT controls. These areas are critical to agency integrity and should be tested using similar procedures and sample sizes based on control frequency. 

    Agencies must assess the internal controls of third-party vendors performing significant fiscal functions. Review System and Organization Controls (SOC) reports or other documentation to identify potential risks to financial operations or compliance. 

    Final thoughts 

    Internal control frameworks are essential for public sector agencies striving for operational excellence, financial integrity and regulatory compliance. Programs like ARMICS demonstrate how a structured, consistent approach can yield significant benefits, from improved transparency to strategic alignment. 

    While implementation requires commitment and resources, the payoff is substantial. Agencies that invest in internal controls not only reduce risk but also build trust with stakeholders and position themselves for long-term success. 

    Whether you're starting from scratch or refining an existing framework, the principles of ARMICS offer a valuable guide. With experienced guidance, you can navigate the complexities and unlock the full potential of your internal control environment. 

    How Baker Tilly can help 

    At Baker Tilly, we understand the unique challenges faced by public sector organizations. Our dedicated public sector practice includes over 350 professionals serving more than 4,000 clients across 48 states. We’ve worked with state entities, municipalities, school districts, tribal governments, universities and more. We specialize in helping public sector agencies build and maintain robust internal control frameworks. Our services include: 

    • Risk assessments tailored to agency operations 
    • Control identification and documentation 
    • Control testing and validation 
    • Process documentation, including policy and procedure narratives and flowcharts 
    • Training for government employees on internal controls and their roles 

    We understand the unique challenges faced by public sector organizations and offer practical, scalable solutions to enhance governance and accountability. 

    Ready to take the next step?

    Let's talk.
    abstract digital technology network image

    Article

    State government IT security audits: Benefits, challenges and considerations of consolidated IT security organizations

    Discover how consolidated IT security models like VITA enhance cybersecurity, reduce costs and align with frameworks for public sector resilience.

    Explore more