OMB Circular A-123

Revised
July 15, 2016


OMB Circular No. A-123, Management's Responsibility for Enterprise Risk Management and Internal Control

Purpose: This Circular defines management's responsibilities for enterprise risk management (ERM) and internal control. The Circular provides updated implementation guidance to Federal managers to improve accountability and effectiveness of Federal programs as well as mission­support operations through implementation of ERM practices and by establishing, maintaining, and assessing internal control effectiveness. The Circular emphasizes the need to integrate and coordinate risk management and strong and effective internal control into existing business activities and as an integral part of managing an Agency.

Authority: This Circular is issued under the authority of the Federal Managers' Financial Integrity Act (FMFIA) of 1982 as codified in 31 U.S.C. 3512, and the Government Performance Results Act (GPRA) Modernization Act, Public Law 111-352.

Policy: Each Federal employee is responsible for safeguarding Federal assets and the efficient delivery of services to the public. Federal leaders and managers are responsible for establishing goals and objectives around operating environments, ensuring compliance with relevant laws and regulations, and managing both expected and unexpected or unanticipated events. They are responsible for implementing management practices that identify, assess, respond, and report on risks. Risk management practices must be forward-looking and designed to help leaders make better decisions, alleviate threats and to identify previously unknown opportunities to improve the efficiency and effectiveness of government operations. Management is also responsible for establishing and maintaining internal controls to achieve specific internal control objectives related to operations, reporting, and compliance. Management must consistently apply these internal control standards to meet the internal control principles and related components outlined in this circular and to assess and report on internal control effectiveness at least annually. Risk management practices must be taken into account when designing internal controls and assessing their effectiveness. Annually, agencies must develop a risk profile coordinated with their annual strategic reviews. Further, management must provide assurances on internal control effectiveness in its Agency Financial Report (AFR) or the Performance and Accountability Report (PAR). Information regarding identified material weaknesses and corrective actions should be included in any of the three preceding reports.

Requirements: Office of Management and Budget (OMB) Circular No. A-123 requires agencies to integrate risk management and internal control functions. The Circular also establishes an assessment process based on the Government Accountability Office's (GAO) Standards for Internal Control in the Federal Government (known as the Green Book) that management must implement in order to properly assess and improve internal controls over operations, reporting, and compliance. The primary compliance indicators that management must consider when implementing OMB Circular No. A-123, include:

  • Management is responsible for the establishment of a governance structure to effectively implement, direct and oversee implementation of the Circular and all the provisions of a robust process of risk management and internal control.
  • Implementation of the Circular should leverage existing offices or functions within the organization that currently monitor risks and the effectiveness of the organization's internal control.
  • Agencies should develop a maturity model approach [1] to the adoption of an ERM framework. For FY 2016, Agencies are encouraged to develop an approach to implement ERM. For FY 2017 and thereafter Agencies must continuously build risk identification capabilities into the framework to identify new or emerging risks, and/or changes in existing risks (See Section II.C. for additional details).
  • Management must evaluate the effectiveness of internal controls annually using GAO' s Standards for Internal Control in the Federal Government. (The Green Book) Throughout the Circular, the terms "Must" and "Will" denote a requirement that management will comply with in all cases. "Should," indicates a presumptively mandatory requirement except in circumstances where the requirement is not relevant for the Agency. "May" or "Could," indicate best practices that may be adopted at the discretion of management.

Effective Date: This Circular is effective upon publication. Appendices A, B, C, and D of OMB Circular No. A-123 remain in effect.

Applicability: This Circular is applicable to each executive agency. All other non-executive agencies of the Federal government are encouraged to adopt the Circular.

Inquiries: Further information concerning this Circular can be obtained from the Office of Federal Financial Management (202) 395-3993 or the Office of Performance and Personnel Management, (202) 395-5670 Office of Management and Budget, Washington, DC 20503.

Copies: Copies of this Circular may be obtained from www.whitehouse.gov/omb.


[1] See https://www.rims.org/resource-s/ERM/Pages/lliskMaturityModel.aspx for an example maturity model.

 

My Research Folders

You are not Logged in yet, Please login to see Your research folders.