Article
State government internal control frameworks: Lessons from ARMICS
Nov. 14, 2025 · Authored by Christopher Kalafatis, Randy Sherrod and Peter Tsengas
In today’s dynamic public sector environment, internal control frameworks are more than just compliance tools; they’re strategic assets. Whether you're managing fiscal operations, overseeing human resources or safeguarding information technology (IT) systems, a robust internal control framework can elevate your agency’s performance, accountability and resilience. In addition, a strong internal control framework can help limit the opportunity for fraud. One standout example is Virginia’s Agency Risk Management and Internal Control Standards (ARMICS), a program that offers a comprehensive blueprint for risk management and control evaluation across state agencies.
Whether your agency works with state-mandated programs like ARMICS or is considering implementing an internal control framework for the very first time, we invite you to join us as we explore the benefits, challenges, and essential steps of implementing an internal control framework to transform your public sector governance.
Why internal control frameworks matter
Internal control frameworks are structured systems designed to ensure effective and efficient operations, reliable financial reporting and regulatory compliance. In the public sector, where transparency and stewardship are paramount, these frameworks serve as the backbone of impactful governance.
Key benefits
- Structured framework for internal controls: Frameworks like ARMICS provide a clear methodology for identifying, assessing and mitigating risks. This structure promotes consistency across departments and aligns with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) principles.
- Enhanced accountability: By requiring documentation and regular evaluation of controls, agencies foster a culture of responsibility and transparency across all levels (staff and leadership).
- Strategic alignment: Internal controls help agencies align risk management with strategic objectives, improving decision-making and resource allocation.
- Continuous improvement: Annual certification processes ensure that controls remain relevant and effective, encouraging ongoing refinement.
ARMICS: A case study in public sector control excellence
Virginia’s ARMICS program exemplifies how a state government can institutionalize risk management and internal controls. It mandates that agencies document significant fiscal processes, assess risks and test controls annually. The program’s structured approach offers a road map for other states and municipalities seeking to strengthen their internal control environments.
Core components of ARMICS
1. Process documentation
Agencies must identify significant fiscal processes and document them using narratives or flowcharts. This includes outlining internal controls within each process.
2. Risk assessment
A comprehensive risk assessment involves questionnaires, interviews and a SWOT (strengths, weaknesses, opportunities, threats) analysis to identify vulnerabilities.
3. Control testing
Agencies test the design and operating effectiveness of controls, using sample sizes based on control frequency.
4. Annual certification
Agencies certify that their internal control systems are functioning effectively, reinforcing accountability.
Challenges to implementation
While the benefits are clear, implementing an internal control framework, especially one modeled after ARMICS, comes with challenges.
1. Resource intensity
Documenting, assessing and testing controls requires time, effort and expertise. Smaller agencies may struggle to allocate dedicated personnel or provide adequate training.
2. Complexity and bureaucracy
There’s a risk that the framework becomes overly procedural, leading to “check-the-box” compliance rather than meaningful engagement. Agencies must guard against losing sight of the strategic value of controls.
3. Resistance to change
Cultural shifts toward accountability and documentation can be slow. Staff may be reluctant to adopt new processes or formalize existing ones.
4. Inconsistent implementation
The success of a framework depends heavily on leadership commitment and staff engagement. Without consistent interpretation and application of standards, effectiveness can vary widely across departments.
5. Innovation constraints
A strong focus on control can sometimes stifle innovation. Agencies must strike a balance between risk mitigation and agility, especially in fast-paced environments.
Building an effective framework: Steps to success
For agencies considering an ARMICS-like model, here’s a step-by-step guide to building a resilient internal control framework:
Begin by mapping out key fiscal operations, such as payroll, procurement and revenue collection. Documentation should include:
- Narratives or flowcharts detailing each process
- Identification of all internal controls within each process
- Evidence of how these processes were selected as significant
A thorough risk assessment should analyze potential events or conditions that could impact operations. Use a combination of:
- Risk questionnaires
- Interviews with process owners
- An agency-wide SWOT analysis
Common pitfalls to avoid include insufficient documentation, lack of agency-wide evaluation and outdated process narratives.
Controls should address all aspects of significant fiscal processes and aim to meet the following objectives:
- Effective and efficient operations
- Reliable financial reporting
- Compliance with laws and regulations
- Safeguarding of assets
Controls must be clearly described and assigned to specific owners, with frequency and testing procedures outlined.
Develop a master spreadsheet listing all controls and related risks, including:
- Control descriptions
- Control owners
- Control frequency
- Sample size for testing
- Testing procedures
Sample sizes should reflect control frequency. For example: 25 samples for daily controls, three for monthly, and two for quarterly. Document test results consistently and validate findings with management.
Any deficiencies identified during testing should be documented and discussed with management. Action plans should be developed to remediate issues and ensure future compliance.
Expand the framework to cover human resources (HR) and IT controls. These areas are critical to agency integrity and should be tested using similar procedures and sample sizes based on control frequency.
Agencies must assess the internal controls of third-party vendors performing significant fiscal functions. Review System and Organization Controls (SOC) reports or other documentation to identify potential risks to financial operations or compliance.
Final thoughts
Internal control frameworks are essential for public sector agencies striving for operational excellence, financial integrity and regulatory compliance. Programs like ARMICS demonstrate how a structured, consistent approach can yield significant benefits, from improved transparency to strategic alignment.
While implementation requires commitment and resources, the payoff is substantial. Agencies that invest in internal controls not only reduce risk but also build trust with stakeholders and position themselves for long-term success.
Whether you're starting from scratch or refining an existing framework, the principles of ARMICS offer a valuable guide. With experienced guidance, you can navigate the complexities and unlock the full potential of your internal control environment.
How Baker Tilly can help
At Baker Tilly, we understand the unique challenges faced by public sector organizations. Our dedicated public sector practice includes over 350 professionals serving more than 4,000 clients across 48 states. We’ve worked with state entities, municipalities, school districts, Tribal governments, universities and more. We specialize in helping public sector agencies build and maintain robust internal control frameworks. Our services include:
- Risk assessments tailored to agency operations
- Control identification and documentation
- Control testing and validation
- Process documentation, including policy and procedure narratives and flowcharts
- Training for government employees on internal controls and their roles
We understand the unique challenges faced by public sector organizations and offer practical, scalable solutions to enhance governance and accountability.
Article
State government IT security audits: Benefits, challenges and considerations of consolidated IT security organizations
Discover how consolidated IT security models like VITA enhance cybersecurity, reduce costs and align with frameworks for public sector resilience.
Related sections
