OMB A-123 2016 Update - AGA

OMB A-123 2016 Update

Mark Reger, Office of Federal Financial Management, Office of Management and Budget

Management’s Responsibility for Internal Controls and Enterprise Risk Management

March 29, 2016

Presentation Notes
Thank the Forum for holding this event today. Thank Robert Shea for allowing us to participate. Shout out to Cynthia Vitters, who is the Chief Risk Officer at Federal Student Aid in the Department of Education but currently on loan to OMB. Messages today: no new guidance in A-123 but expanding applicability. Moves from check the box to professional standards. Introduces the concept of ERM. Encourages formation of teams to address risks. Leads to new circular A


Evolution of Management Controls

CXO/Operations Support

• The Federal Managers Financial Integrity Act of 1982 (FMFIA) requires:
  – the General Accountability Office (GAO) to prescribe standards of internal control in the Federal Government, more commonly known as the Green Book.
  – OMB to establish guidelines for agencies to evaluate their systems of internal control to determine FMFIA compliance, more commonly known as OMB Circular No. A-123, Management’s Responsibility for Internal Control.
• Between 1982 and 2004 OMB A-123 focused on “management controls” across all business lines and operations.
• In 2004, OMB A-123 focused on financial reporting and avoided “Sarbanes-Oxley” legislation to require internal control audits in the Federal Government.
• Since 2004:
  – OMB A-123 has become known only as a financial reporting and compliance requirement.
  – The private sector embraces Enterprise Risk Management.
• Now the federal government moves towards ERM.


A-123 History

• 1981 – OMB First Issued Circular No. A-123, Internal Control Systems
• 1982 – OMB Issued Internal Control Guidelines and the Federal Managers Financial Integrity Act was enacted
• 1983 – OMB Issued an Updated Circular No. A-123, Internal Control Systems
• 1986 – OMB Updated A-123 to Require Management Control Plans to guide efforts
• 1995 – OMB updated A-123, Management Accountability and Control, to reflect GPRA, CFO Act, IG Act
• 2004 – OMB updated A-123, Management’s Responsibility for Internal Control, to reflect new internal control requirements for publicly-traded companies contained in the Sarbanes-Oxley Act of 2002; added Appendix A, Internal Control Over Financial Reporting
• 2005 – CFO Council Issued A-123 Appendix A Implementation Guide and OMB Required Appendix A Implementation Plans
• 2006 – OMB First Issued A-123 Appendix B for Government Charge Cards and Appendix C for Improper Payments (Appendix C updated 2006 to 2014)
• 2013 – OMB First Issued A-123 Appendix D for Compliance with the Federal Financial Management Improvement Act
• 2014 – OMB updated A-11, Preparation, Submission, and Execution of the Budget, which includes Enterprise Risk Management and Internal Control

Presentation Notes
“I walk slowly but I never walk backwards” – Abraham Lincoln. Started in 1981 with the first A-123 over internal control systems. 1995 saw the A-123 update to reflect GPRA, CFO Act, IG Act. 2004 updated A-123 to address 2002 Sarbanes-Oxley. 2014 OMB updates A-11 to add ERM and internal control. GAO issues the new Green Book. 2016 OMB updates A-123 to include ERM.

New A-123 Structure

A-123 Today:
• OMB Circular A-123/Appendix A, Financial Reporting
• Appendix B, Charge Cards
• Appendix C, Improper Payments
• Appendix D, FFMIA Compliance

A-123 Tomorrow:
• OMB Circular A-123, Internal Control and Enterprise Risk Management
• Appendix A, Reporting
• Appendix B, Charge Cards
• Appendix C, Improper Payments
• Appendix D, FFMIA Compliance

Presentation Notes
Changes in A-123: no additional requirements from OMB. Adds requirements included in the Green Book, and applies previous standards more broadly. Replaces check the box with professional judgement. Adds ERM.

Agency and Industry Input

• GAO Green Book Advisory Council, included CFO Council Representation (7/2013 to 9/2014)
  – DOC, State, NSF, DOJ, DHS/IRS
• Three Agency Workgroups (11/2013 to 3/2014)
  – USDA, DOJ, Ed
• CFO Council ERM Forum (April 2014)
• CFO Council ERM Project (2/2014 to 2/2015)
  – HHS, Ed
• AGA Forum on Internal Control (9/2014)
• President’s Management Council Briefing (5/2015)
• Provided A-123 to Agencies for Comment (6/2015)
• Partnership for Public Service ERM Event of Excellence (6/2015, 9/2015)
• CFOs, CROs, GAO, Inspectors General

Presentation Notes
Lots of contributors: GAO, agency working groups, CFO Council (twice), AGA Forum, PMC briefing, Partnership for Public Service.

Assessing Internal Control

• Updated Integrated Internal Control Framework. Agencies need to integrate and coordinate risk management and internal control efforts across the enterprise and between management silos.

• Assessment of Entity Level Controls. Internal control at the entity level refers to the Green Book’s requirement that its five components of internal control be effectively designed, implemented, and operating, and operating together in an integrated manner, for an internal control system to be effective. The Green Book’s 17 principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system.

• Updated Sources of Documentation. The agency head's assessment of internal control can be documented using a variety of information sources.

Green Book Components of Internal Control and Principles

Presentation Notes
Assessing entity-level internal controls. Steps through the process. Managerial activities which should be done now. Creating documentation of your managerial approaches. Documenting results. Monitoring.

Correcting Internal Control Deficiencies

• Corrective Action Options. All control deficiencies pose some level of risk to an organization. The risk level could be minimal or material, and is determined by management’s risk tolerance. There are a number of possible corrective action options which could include:
  – Acceptance
  – Avoidance
  – Risk mitigation
  – Transfer/sharing
• Corrective Action Requirements.
• Cooperative Audit Resolution and the Role of an Audit Committee.

Presentation Notes
The result is a determination of control deficiencies which pose a risk to the organization. Determination of risk tolerance. Corrective action determinations. Process to assess and determine resolution. Monitoring progress.

Reporting on Internal Control

Assurance Statement Reporting Today:
• FMFIA Section 2, Internal Control Over Operations
  – FMFIA Section 2, Internal Control Over Financial Reporting
• FMFIA Section 4, Financial System Conformance
• FFMIA, Section 803(a) Requirements
  – Federal Financial Management System Requirements;
  – Applicable accounting standards; and
  – The USSGL at the transaction level.

Assurance Statement Reporting Tomorrow:
• Internal Control Over Operations (FMFIA Section 2)
• Internal Control Over Financial Reporting and Compliance with the FFMIA
  – FMFIA Section 2, Internal Control Over Financial Reporting
  – FMFIA Section 4, Financial System Conformance

Presentation Notes
Move from internal controls over financial operations to internal controls over operations. Simplification of assurance statements, but adding to those who will have to provide that assurance. Nothing more than an annual assessment of controls in place and the comfort level of employees at all levels and across spaces. Real property plans example…

Moving From Compliance to Managing Risks

Check the Box (A-123 Today):
• Compliance with New GAO Internal Control Standards
• Treating Risk as only Negative
• Heavy Emphasis on Financial Reporting
• Regarding Risk Management as Separate
• Check the Box on 3 Year A-123 Assessments

Proactively Managing Risks (A-123 Tomorrow):
• Risk Based Approach with New Internal Control Standards
• Defining risk as both positive (e.g., taking on risk to improve government services) and negative
• Balanced Emphasis on Financial Reporting and Mission Support
• Integrating Risk Management and Internal Control
• Manage Risks Across Organizational Structures

Presentation Notes
Big changes are the move from check the box to professional standards to assure determinations. Risk management assessments.

A-123: The Foundation for ERM

• Strategic Decisions (OMB A-11): Mission/Vision; Goals Setting; Objective Setting; Strategic Reviews
• Budget Decisions (OMB A-11): Policy; President’s Budget; Congressional Justification
• Program Management (OMB A-11): Cross Agency Priority Goals; Agency Priority Goals; Fed Stat
• CXO/Operations Support (OMB A-123): Operational Control Objectives; Reporting Control Objectives; Compliance Control Objectives; Risk Assessments
• Risks and Uncertainty: Strategic; Operational; Reputational; Financial; Etc.

Presentation Notes
Enterprise Risk Management. Types of risk: strategic, operational, reputational, financial. Strategic decisions to budget decisions to program management to operational support.

Relationship of Enterprise Risk Management to Internal Control

Governance contains ERM, which contains Internal Controls (Source: COSO)

• First Introduced in OMB Circular A-11, FY 2014
• A-123 and A-11 introduce an ERM Framework to support performance management and better guide internal controls

Presentation Notes
Internal controls exist inside ERM, which exists inside governance. The cube in the Green Book represents the complexity of controls related to organizational structures and objectives. ERM builds on this complexity.

Best Practices

1. ERM and A-123 should co-exist but not as stand-alone activities
2. Senior management buy-in of ERM value is essential
3. Implement a Risk Management Framework and phased ERM implementation approach
4. Establish an objective organizational accountability structure
5. Establish/leverage formal governing bodies where they exist
6. Establish a culture of risk reward
7. Make better use of data analytics
8. Quantify the impact of past risk events
9. Engage performance, strategic, risk management, budget activities simultaneously
10. Document risk decisions and the rationale for managing risk

Presentation Notes
ERM as part of A-123. Senior management champions. Phase in ERM to the control environment. Culture of risk identification – rewards. All the M suite. Include the auditors.

Next Steps: Enterprise Risk Management Playbook

I. Introduction
II. Enterprise Risk Management Framework
III. Enterprise Risk Management Governance Structure
IV. Managing Risks On A Portfolio Basis Across An Agency
V. Best Practices
VI. Tools and Templates

Presentation Notes
Playbook. Teams already working. Provide the path forward. Not new – just applying principles to government. Best practices. Tools and templates. Leverage those who are already underway.

Implementing an ERM Framework


• Drafted by the ERM Steering Committee

• Draft will be socialized with groups such as the Partnership for Public Service and the CXO Councils

• Provides a guide on where to get started with ERM

• Designed as reference to be used to develop tools, templates, and promote best practices

• Similar to OMB’s 2004 Internal Control Process and CFOC’s A-123 Implementation Guide Products

Presentation Notes
Place to start. Identify a leader. No longer just a CFO exercise. Begin with assessments. Develop a process to raise the right risks. Partners. Auditors. Incorporate new management.

Next Steps: ERM Training

What is Enterprise Risk Management? What is a CRO, and what are the roles and responsibilities of the CFO and other CXOs (i.e., good governance)? What does success look like? What are the best practices? How do I get started? How do I build ERM into existing processes rather than add it on?

Overview of ERM Standards. Comparisons between COSO and ISO (not vs.). The link between ERM and Internal Control Standards. What are the tools and templates of ERM? Do I have to do it all at once? What’s a sample maturity model?

Strategic Foresight. What role do inspectors general play in ERM? What are the road rules for management engagement of inspectors general in ERM?

Presentation Notes
Upon announcement of A-123: Partnership for Public Service roll out for senior agency leadership. Engaging the other M teams. AGA manager and staff training events – free special event. PDT. Vendors. Public companies.

Enterprise Risk Management Model

Risk Environment/Context: Extended Enterprise; Administration Policy; State and Local Governments

Communicate and Learn (throughout the cycle):
1. Establish Context
2. Identify Risks
3. Analyze and Evaluate
4. Develop Alternatives
5. Respond To Risks
6. Monitor and Review

Presentation Notes
Steps in the process. Circles of involvement.

OMB A-123, Appendix A, Internal Control Over Reporting

Coming Summer 2016

Reporting categories (Source: COSO): External Financial Reporting; External Non-Financial Reporting; Internal Financial Reporting; Internal Non-Financial Reporting

• Internal Control Over Reporting Objectives
• Entity Level Controls
• Reports to be included in the assessment (e.g., USA Spending)
• Service Organizations
• Fraud
• Evaluating Control Deficiencies

Presentation Notes
Circular A-123 Appendix A. Move from external financial reporting to internal non-financial reporting. Developing assurance around the accuracy of reporting. Role of fraud detection. Evaluation of controls. Corrective action plans.