Navigating the revised OMB Circular A-123
What are the new requirements for internal control?
At first glance, implementing the revised Circular’s requirements may pose challenges and seem like an additional compliance burden; however, implementation provides agency executives a framework that helps make strategic, risk-based decisions that can help enhance agency value.
In addition to the revised Circular’s ERM requirements, OMB has emphasized the operating effectiveness of an agency’s internal controls and how these help the agency achieve its operations, compliance and reporting objectives.
To help agencies substantiate the operating effectiveness of their systems of internal control, in addition to complying with appendices A–D of the circular, A-123 now requires agencies to:
- Conduct an evaluation of internal controls for each of the 17 Government Accountability Office (GAO) Green Book principles.
- Prepare a summary of internal control deficiencies to include specific GAO Green Book principles that an agency does not meet, but should meet, based on its mission and business.
- Provide a summary of the agency’s determination of whether each GAO Green Book internal control component and associated principle(s) are designed, implemented, and operating effectively. If an agency identifies internal control deficiencies within its system, it must assess the deficiencies’ severity when aggregated across all internal control components. If one or more internal control components are not operating effectively, the agency must report a material weakness and associated corrective action plan.
Although required in the previous iterations of A-123, via the Chief Financial Officer’s Council (CFOC) Implementing Guidance to A-123, this revised Circular places additional emphasis on effective entity-level controls (ELCs) and their role in establishing and maintaining an agency’s effective system of internal control. As such, agencies should consider the ELCs that align to all five components of internal control, not just the control activities component.
The table below summarizes the five internal control components and 17 principles that demonstrate compliance with each component, as defined in the GAO Green Book:
Information and communication
1. Demonstrates commitment to integrity and ethical values
6. Defines objectives and risk tolerances
10. Designs control activities
13. Uses relevant, quality information
16. Performs ongoing monitoring activities
Considerations for governance
ERM and its relationship to internal control can sometimes be nebulous, making it seem daunting and overwhelming to effectively implement. Internal control is a type of risk mitigation strategy and is, therefore, an integral component to ERM. However, strong ERM programs are much larger than just effective internal controls or OMB Circular A-123 Appendix A compliance. As such, one of the greatest potential pitfalls to effectively implementing an effective ERM program, and ultimately complying with A-123’s revised requirements, is failing to adequately establish, and consistently apply, the required governance needed to routinely identify, assess, manage, and monitor risk across an enterprise.
To effectively sustain compliance with the GAO Green Book and lay the foundation for broader ERM implementation and full A-123 compliance, agencies should consider their current governance structure and determine the appropriate stakeholders and senior-level sponsorship needed to help the agency achieve its operations, compliance, and report objectives–which often times reside outside of the chief financial officer’s (CFO) domain.
Considerations for service organizations
As part of demonstrating an effective system of internal control and demonstrating compliance with the GAO Green Book, A-123 provides additional details for federal managers to consider when managing the operations, compliance, and reporting risks inherent in user/service provider relationship. Specifically, A-123 (and the GAO Green Book) discusses:
- Management’s responsibility for the activities performed by third-party services organizations.
- Considerations for the level of oversight needed for service organizations based on the terms of service level agreements and the level of risk a service organization poses to an agency meeting its objectives.
- Management’s responsibility for establishing “user” controls to help mitigate the potential third-party risks to the “user” agency that could arise from service provider activities.
- Service organizations’ responsibilities to provide assurances to their customers and assistance to their customers in understanding the relationships between existing service provider- and user-side controls.
Considerations for mitigating fraud risk
The revised Circular requires agencies to establish internal controls to help mitigate fraud risk. These controls are to also be included in the agency’s risk profile. In addition, A-123 requires agencies to establish financial and administrative controls, through the agency risk profile, which include:
- Controls to address identified fraud risks around payroll, beneficiary payments, grants, large contracts, information technology and security, asset safeguards, purchase, travel, and fleet cards.
- Collecting and analyzing data from reporting mechanisms to help detect and monitor fraud trends as well as using data to continually improve fraud prevention controls and fraud response.
Considerations for internal control documentation
The revised Circular and the GAO Green Book provide documentation requirements needed to help substantiate an effective system of internal control. Although OMB and GAO allow for management to apply judgement in determining the extent of documentation needed, minimum documentation requirements include:
- Management’s assessment that was used to determine if a GAO Green Book principle is not relevant to the respective agency’s system of internal control.
- Internal control responsibilities for the organization via policy.
- Evaluation results and related documentation illustrating the results of ongoing monitoring and separate evaluations to identify internal control issues.
- Corrective actions plans and corrective action status.
The path forward
While adopting the revised OMB Circular A-123’s requirements may pose some challenges in the short term, this bigger-picture focus on ERM and the overall system of internal controls should position agencies to better balance strategy and operations with risk, which supports more value-added decision-making, further demonstrating stewardship of tax payer dollars. As agencies revise their A-123 programs in response to the revised Circular, they should thoroughly evaluate their current system of internal controls, identify areas needed to improve the design and strengthen the operating effectiveness of their current ELCs, and integrate ERM with current internal control programs to effectively manage risks across an agency.