OMB A-123 2016 Update: Management's Responsibility for Internal Controls and Enterprise Risk Management
March 29, 2016
Mark Reger, Office of Federal Financial Management, Office of Management and Budget
Evolution of Management Controls

The Federal Managers Financial Integrity Act of 1982 (FMFIA) requires:
- the General Accountability Office (GAO) to prescribe standards of internal control in the Federal Government, more commonly known as the Green Book; and
- OMB to establish guidelines for agencies to evaluate their systems of internal control to determine FMFIA compliance, more commonly known as OMB Circular No. A-123, Management's Responsibility for Internal Control.

Between 1982 and 2004, OMB A-123 focused on management controls across all business lines and operations.
In 2004, OMB A-123 was refocused on financial reporting, which forestalled Sarbanes-Oxley-style legislation that would have required internal control audits in the Federal Government.
Since 2004, OMB A-123 has become known only as a financial reporting and compliance requirement.
The private sector has embraced Enterprise Risk Management; now the federal government is moving towards ERM.
A-123 History

- 1981: OMB first issued Circular No. A-123, Internal Control Systems
- 1982: OMB issued Internal Control Guidelines and the Federal Managers Financial Integrity Act was enacted
- 1983: OMB issued an updated Circular No. A-123, Internal Control Systems
- 1986: OMB updated A-123 to require Management Control Plans to guide efforts
- 1995: OMB updated A-123, Management Accountability and Control, to reflect GPRA, the CFO Act, and the IG Act
- 2004: OMB updated A-123, Management's Responsibility for Internal Control, to reflect the new internal control requirements for publicly-traded companies contained in the Sarbanes-Oxley Act of 2002; added Appendix A, Internal Control Over Financial Reporting
- 2005: CFO Council issued the A-123 Appendix A Implementation Guide and OMB required Appendix A Implementation Plans
- 2006: OMB first issued A-123 Appendix B for Government Charge Cards and Appendix C for Improper Payments (Appendix C updated from 2006 to 2014)
- 2013: OMB first issued A-123 Appendix D for Compliance with the Federal Financial Management Improvement Act
- 2014: OMB updated A-11, Preparation, Submission, and Execution of the Budget, to include Enterprise Risk Management and Internal Control
New A-123 Structure

A-123 Today:
- OMB Circular A-123/Appendix A, Financial Reporting
- Appendix B, Charge Cards
- Appendix C, Improper Payments
- Appendix D, FFMIA Compliance

A-123 Tomorrow:
- OMB Circular A-123, Internal Control and Enterprise Risk Management
- Appendix A, Reporting
- Appendix B, Charge Cards
- Appendix C, Improper Payments
- Appendix D, FFMIA Compliance
Agency and Industry Input

- GAO Green Book Advisory Council, including CFO Council representation (7/2013 to 9/2014): DOC, State, NSF, DOJ, DHS/IRS
- Three agency workgroups (11/2013 to 3/2014): USDA, DOJ, Ed
- CFO Council ERM Forum (April 2014)
- CFO Council ERM Project (2/2014 to 2/2015): HHS, Ed
- AGA Forum on Internal Control (9/2014)
- President's Management Council briefing (5/2015)
- Provided A-123 to agencies for comment (6/2015)
- Partnership for Public Service ERM Event of Excellence (6/2015, 9/2015): CFOs, CROs, GAO, Inspectors General
Assessing Internal Control

- Updated Integrated Internal Control Framework. Agencies need to integrate and coordinate risk management and internal control efforts across the enterprise and between management silos.
- Assessment of Entity Level Controls. Internal control at the entity level refers to the Green Book's five components of internal control, which must be effectively designed, implemented, and operating, and operating together in an integrated manner, for an internal control system to be effective. The Green Book's 17 principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system.
- Updated Sources of Documentation. The agency head's assessment of internal control can be documented using a variety of information sources.

Figure: Green Book Components of Internal Control and Principles
Correcting Internal Control Deficiencies

- Corrective Action Options. All control deficiencies pose some level of risk to an organization. The risk level could be minimal or material, and is determined by management's risk tolerance. There are a number of possible corrective action options, which could include:
  - Acceptance
  - Avoidance
  - Risk mitigation
  - Transfer/sharing
- Corrective Action Requirements.
- Cooperative Audit Resolution and the Role of an Audit Committee.
Reporting on Internal Control

Assurance Statement Reporting Today:
- FMFIA Section 2, Internal Control Over Operations
- FMFIA Section 2, Internal Control Over Financial Reporting
- FMFIA Section 4, Financial System Conformance
- FFMIA Section 803(a) requirements: Federal Financial Management System Requirements; applicable accounting standards; and the USSGL at the transaction level

Assurance Statement Reporting Tomorrow:
- Internal Control Over Operations (FMFIA Section 2)
- Internal Control Over Financial Reporting and Compliance with the FFMIA, covering FMFIA Section 2, Internal Control Over Financial Reporting, and FMFIA Section 4, Financial System Conformance
Moving From Compliance to Managing Risks

Check the Box (A-123 Today):
- Compliance with new GAO Internal Control Standards
- Treating risk as only negative
- Heavy emphasis on financial reporting
- Regarding risk management as separate
- Check the box on 3-year A-123 assessments

Proactively Managing Risks (A-123 Tomorrow):
- Risk-based approach with new Internal Control Standards
- Defining risk as both positive (e.g., taking on risk to improve government services) and negative
- Balanced emphasis on financial reporting and mission support
- Integrating risk management and internal control
- Manage risks across organizational structures
A-123: The Foundation for ERM

Diagram: A-123 as the foundation for ERM
- Risks and Uncertainty: Strategic, Operational, Reputational, Financial, etc.
- Strategic Decisions and Budget Decisions (OMB A-11): Mission/Vision, Goal Setting, Objective Setting, Strategic Reviews, Policy, President's Budget, Congressional Justification
- Program Management (OMB A-11): Cross Agency Priority Goals, Agency Priority Goals, FedStat
- CXO/Operations Support (OMB A-123): Operational Control Objectives, Reporting Control Objectives, Compliance Control Objectives, Risk Assessments
Relationship of Enterprise Risk Management to Internal Control

Diagram: Governance encompasses ERM, which encompasses Internal Controls (Source: COSO)
- First introduced in OMB Circular A-11, FY 2014
- A-123 and A-11 introduce an ERM Framework to support performance management and better guide internal controls
Best Practices

1. ERM and A-123 should co-exist, but not as stand-alone activities
2. Senior management buy-in of ERM value is essential
3. Implement a Risk Management Framework and a phased ERM implementation approach
4. Establish an objective organizational accountability structure
5. Establish or leverage formal governing bodies where they exist
6. Establish a culture of risk/reward
7. Make better use of data analytics
8. Quantify the impact of past risk events
9. Engage performance, strategic, risk management, and budget activities simultaneously
10. Document risk decisions and the rationale for managing risk
Next Steps: Enterprise Risk Management Playbook

I. Introduction
II. Enterprise Risk Management Framework
III. Enterprise Risk Management Governance Structure
IV. Managing Risks on a Portfolio Basis Across an Agency
V. Best Practices
VI. Tools and Templates
Implementing an ERM Framework

- Drafted by the ERM Steering Committee
- Draft will be socialized with groups such as the Partnership for Public Service and the CXO Councils
- Provides a guide on where to get started with ERM
- Designed as a reference to be used to develop tools and templates and to promote best practices
- Similar to OMB's 2004 Internal Control Process and the CFOC's A-123 Implementation Guide products
Next Steps: ERM Training

- What is Enterprise Risk Management?
- What is a CRO, and what are the roles and responsibilities of the CFO and other CXOs (i.e., good governance)?
- What does success look like? What are the best practices?
- Overview of ERM standards. Comparisons between COSO and ISSO (not vs.).
- The link between ERM and Internal Control Standards.
- What are the tools and templates of ERM?
- How do I get started? Do I have to do it all at once? What is a sample maturity model?
- How to build ERM into existing processes rather than add it on?
- Strategic Foresight.
- What role do Inspectors General play in ERM? What are the road rules for management engagement of Inspectors General in ERM?
Enterprise Risk Management Model

Diagram: ERM cycle within the Risk Environment/Context (Extended Enterprise, State and Local Governments, Administration Policy), with Communicate and Learn at the center
1. Establish Context
2. Identify Risks
3. Analyze and Evaluate
4. Develop Alternatives
5. Respond to Risks
6. Monitor and Review
OMB A-123, Appendix A, Internal Control Over Reporting (coming Summer 2016)

Internal Control Over Reporting objectives (Source: COSO):
- External Financial Reporting
- Internal Financial Reporting
- External Non-Financial Reporting
- Internal Non-Financial Reporting

Topics covered:
- Entity Level Controls
- Reports to be included in the assessment (e.g., USA Spending)
- Service Organizations
- Fraud
- Evaluating Control Deficiencies