Q and A: All about the New A-123
In September, Management Concepts presented a free webinar—Easy as A-123: What You Need to Know About the Update—highlighting the significant changes to OMB Circular A-123 Management’s Responsibility for Enterprise Risk Management and Internal Control. During the Q&A, there was time to answer only a few questions from agency staff, but many good ones were submitted. Below are answers to the most representative questions.
What is required for Enterprise Risk Management (ERM) in 2016?
Whereas A-123 is generally effective for 2016—except for some ERM deadlines in 2017—not much of anything could practically have been implemented during FY2016 and for FY2016 reporting. Here’s why: based on my observations over the years, agencies generally have collected and analyzed their internal control assessments by late August of each year. That schedule makes it next to impossible for agencies to have implemented the new requirements in A-123, which was issued in July. Even to implement all the new requirements for FY2017, agencies will likely have to begin right now.
Is the Internal Control Over Financial Reporting (ICOFR) statement required for the FY2016 statement of assurance?
While A-123 did not address this specifically, and I cannot speak officially to this, my guess is that agencies will still report their ICOFR statements. Check with your agency internal control program office.
Should the Green Book be updated to reflect changes to the new A-123?
Not really. The 2014 Green Book reflects the latest approach to internal control standards and the new A-123 recognizes that by putting more emphasis of following the revised Green Book.
Do the new requirements apply to government contractors?
No, Federally required internal control assessments have always applied only to executive branch agencies. However, any controls impacted or operated by contractors may need to be considered in management’s assessments of controls, there is no requirement in FMFIA or A-123 that contractors assess and report on internal controls.
Where can I find the CFO Council/Performance Improvement Council Playbook?
The ERM Playbook can be accessed at CFO.gov. From the CFO.gov home page, scroll down slightly, and you will see “Featured Initiatives.” Click on “ERM” and you will get a short write-up. On the write-up page you will see a column announcing the release of the ERM Playbook, with a “Read more” box at the bottom—click it and you will get a link to the Playbook.
What is your prediction on staffing?
In my opinion, most agencies were understaffed in terms of personnel assigned to work full-time and part-time on implementing the internal control assessment and reporting requirements. And that was before the greatly expanded mandates of the new A-123. At a minimum, for those agencies that do not currently have an ERM program, they will have to add resources to design and implement one. The amount of resources will depend on the emphasis an agency puts on ERM. (Hint: there may be great career opportunities for those who get involved in this area!)
Do the FMFIA and A-123 apply to legislative agencies?
No. Both the law and the circular are addressed to executive branch agencies. That being said, legislative branch agencies are free to adopt concepts and practices from laws and regulations applicable to executive branch agencies, and some do.
Is ERM expected to be evaluated at the assessable unit (AU) level, or is this to be determined?
This is a good question for which I do not have a clear answer, mainly because A-123, as I read it, is not totally clear. Generally speaking, the circular relates ERM to agency strategic objectives. But it also uses language that seems to push ERM farther down in an agency. While I suggest you consult OMB on this one, I will offer my view. The formal aspects of ERM are aimed at risks to implementing strategic objectives; most reporting by agencies to OMB will be from a strategic perspective. At the same time, risks to programs or operations at lower levels (say the AU level) can certainly affect accomplishment of strategic objectives. Therefore, while the formal requirements of an ERM program are aimed at higher levels, there is a direct relationship of risks at lower levels to higher ones. In that sense, ERM considerations include any risk at any level.
The new A-123 puts a lot of emphasis on documentation—what is the impact of that?
The impact of the new emphasis on documentation of internal control can be significant. Let me add some perspective here. Documentation that is accurate and complete of practically everything an agency plans, decides, and does is essential. That is just good management and has been a best practice for centuries. A good example is budgeting. Think of how difficult it would be to plan, make resource decisions, execute, and evaluate execution without effective documentation of all those aspects of budgeting. Since we do all those things—in fact, for everything we do—through our policies and procedures, it’s imperative that we have them well documented.
Likewise, when management analyzes risks to mission accomplishment, and all internal controls for effectiveness and efficiency, it must document those analyses. The Green Book has always stressed documenting everything as I just described. Now, OMB is simply emphasizing what has always been an internal control standard.