
OMB Circular A-123 — Enterprise Risk Management & Internal Controls

11 min read·Updated May 14, 2026

OMB Circular A-123 ("Management's Responsibility for Enterprise Risk Management and Internal Control") is the cornerstone of federal financial accountability and governance — the OMB directive that requires every executive branch agency to build and maintain systems of internal control and enterprise risk management, and to hold agency leadership personally accountable for their effectiveness. The circular implements the Federal Managers' Financial Integrity Act (FMFIA, 31 U.S.C. § 3512), which requires agency heads to annually assess and report on whether their internal controls are adequate. A-123 translates that statutory obligation into a detailed framework: what controls must exist, how they must be assessed, and what the agency head must say publicly about their adequacy.

The circular was substantially revised in 2016 to add Enterprise Risk Management (ERM) — a strategic risk framework that extends well beyond traditional financial controls. Where the prior version focused on protecting financial reporting accuracy and preventing fraud and waste, the 2016 revision requires agencies to identify and manage risks across their entire mission portfolio: strategic risks, operational risks, reputational risks, and financial risks. This shift reflects a recognition that the federal government's greatest vulnerabilities are often not in the accounting system but in program delivery, technology dependencies, workforce capacity, and strategic positioning. A-123 is now the governance framework for how agencies think about risk across everything they do.

  • 31 U.S.C. § 3512 — Federal Managers' Financial Integrity Act (FMFIA); requires agency heads to establish and maintain internal accounting and administrative controls; directs annual assessments and reports on whether controls meet standards prescribed by the Comptroller General; the primary statutory mandate that A-123 implements
  • 31 U.S.C. § 3321 — CFO Act agency financial management requirements; requires agencies to produce reliable financial statements and maintain supporting internal controls
  • 31 U.S.C. § 3801 — Improper payments requirements; requires agencies to identify, measure, and reduce improper payments; A-123's Appendix C addresses improper payment controls
  • OMB Circular A-123 (1981, most recently revised July 2016) — OMB implementing guidance; establishes the ERM/internal control framework, assessment methodologies, documentation requirements, and the agency head's Statement of Assurance requirement

Key Mechanics

A-123 requires executive agencies to maintain four types of internal controls corresponding to the GAO Green Book (Government Accountability Office Standards for Internal Control in the Federal Government): (1) control environment (tone at the top, organizational structure, human capital policies); (2) risk assessment (identifying and analyzing risks to mission achievement); (3) control activities (policies and procedures that prevent or detect errors and fraud); and (4) information and communication (reliable financial and performance reporting). The 2016 revision added Enterprise Risk Management (ERM) — requiring agencies to maintain a risk profile covering strategic, operational, reputational, and financial risks, with quarterly risk reviews by senior leadership. Agency heads must annually submit a Statement of Assurance to OMB and Congress — a legally significant attestation that internal controls are effective (or disclosing material weaknesses if they are not). Material weaknesses in financial controls trigger remediation plans and reporting in the agency's Agency Financial Report (AFR). Appendix A addresses financial reporting controls (similar to Sarbanes-Oxley § 404 for federal agencies); Appendix B addresses improper payment review; Appendix C provides the ERM framework. Inspector General and GAO audits test compliance with A-123 requirements and report identified weaknesses.

Overview

  • Document: OMB Circular A-123
  • Original issuance: 1981 (as "Management Accountability and Control")
  • Last major revision: July 15, 2016
  • Issuing office: Office of Management and Budget
  • Statutory authority: Federal Managers' Financial Integrity Act (31 U.S.C. § 3512); CFO Act (31 U.S.C. § 3321)
  • Applies to: All executive branch agencies; management assurance requirements most stringent for CFO Act agencies
  • Annual deliverable: Management Assurance Statement in Performance and Accountability Report / Agency Financial Report
  • Key appendices: Appendix A (internal controls over financial reporting); Appendix B (improper payments)

The Two Pillars: Internal Controls and Enterprise Risk Management

Internal Controls

Internal controls are the policies, procedures, and activities that an agency puts in place to achieve its objectives reliably, protect assets, ensure accurate financial reporting, and comply with applicable laws and regulations. A-123 structures internal controls around the COSO Framework (Committee of Sponsoring Organizations of the Treadway Commission), the private-sector internal controls standard that has been adapted for government use:

Five components of internal control:

  1. Control Environment: The tone at the top — agency leadership's commitment to integrity, accountability, and competent management. The control environment is the foundation; without it, other controls are easily circumvented.
  2. Risk Assessment: Identifying and analyzing the risks that could prevent the agency from achieving its objectives, including fraud risks. Risk assessment is the link between internal controls and ERM.
  3. Control Activities: The specific policies and procedures that mitigate identified risks — segregation of duties, access controls, reconciliations, approvals, and physical safeguards.
  4. Information and Communication: The information systems and communication practices that support control operation — do the right people have the right information to perform their control responsibilities?
  5. Monitoring: Ongoing activities and periodic evaluations that assess whether controls are operating effectively; findings must be communicated and corrective actions tracked.

Agencies must evaluate internal controls across three categories:

  • Operations controls: ensuring that the agency uses resources efficiently and effectively to achieve its mission
  • Financial reporting controls: ensuring the accuracy and completeness of financial statements and reports
  • Compliance controls: ensuring adherence to laws, regulations, and agency policies

Enterprise Risk Management

The 2016 revision added ERM as a strategic overlay on top of traditional internal controls. ERM requires agency leadership — not just the CFO and IG, but the agency head and senior leadership team — to actively identify, assess, and manage risks that could affect the agency's ability to achieve its strategic objectives.

A-123's ERM framework requires agencies to:

  1. Establish a governance structure: Designate an Enterprise Risk Officer (or equivalent role) and establish an Executive Risk Committee with representation from program, financial, legal, IT, and communications functions. Risk management cannot be siloed in the CFO's office; it must involve the leadership team.

  2. Develop a risk profile: Identify the agency's key strategic and operational risks, assess their likelihood and potential impact, and document them in a risk register. The risk register must be updated at least annually and reviewed by the Executive Risk Committee.

  3. Define risk appetite: The agency must articulate its risk tolerance — how much uncertainty it is willing to accept in pursuit of its mission objectives. Risk appetite statements should distinguish between areas where the agency accepts higher risk (innovation, new program design) and areas where it has very low tolerance (civil rights compliance, financial reporting accuracy).

  4. Integrate risk into strategic planning and budget: The risk profile must inform the agency's strategic plan and budget decisions. Agencies should be able to show OMB how their budget requests address identified high risks.

  5. Report on risk management maturity: OMB has developed a risk management maturity model with four levels (Initial → Defined → Integrated → Optimized). Agencies must assess their current maturity and identify targets for improvement.

The Management Assurance Statement

The most visible accountability mechanism in A-123 is the Management Assurance Statement — a formal declaration by the agency head, included in the annual Performance and Accountability Report (PAR) or Agency Financial Report (AFR), assessing whether the agency's internal controls are adequate and effective.

The statement must address:

  • Whether the agency's internal controls over financial reporting (ICOFR) comply with the Federal Financial Management Improvement Act (FFMIA) requirements
  • Whether the agency's operations, financial reporting, and compliance internal controls are effective
  • Any material weaknesses identified, with corrective action plans and target resolution dates

A material weakness is a significant deficiency in internal controls that indicates a reasonable probability that a material misstatement of the financial statements could occur without being detected, or that a significant failure in achieving operational or compliance objectives could occur. Material weaknesses must be publicly disclosed in the assurance statement and tracked until resolved. Agencies with multiple unresolved material weaknesses face heightened OMB and congressional scrutiny, and repeated failures can affect appropriations and agency leadership.

The threshold is "reasonable assurance" — not absolute certainty. Agency heads are acknowledging that their control systems, while not perfect, are adequate to provide reasonable confidence in financial reporting, program operations, and compliance. An agency head who cannot provide reasonable assurance must disclose a material weakness.

Appendix A: Internal Controls Over Financial Reporting

Appendix A provides detailed guidance for assessing and reporting on internal controls over financial reporting (ICOFR) — the controls that ensure accurate, reliable financial statements. CFO Act agencies are subject to annual independent audits of their financial statements, and the auditors assess whether ICOFR is effective as part of that audit. A-123's Appendix A aligns agency self-assessment requirements with the auditors' framework, ensuring that agency management and external auditors are evaluating the same things.

Key Appendix A requirements:

  • Agency CFOs must conduct a systematic assessment of ICOFR effectiveness using a documented risk-based approach
  • The assessment must cover entity-level controls, process-level controls, and IT general controls
  • Testing plans must be based on a risk assessment that identifies the most financially significant and highest-risk processes
  • Deficiencies must be classified (control deficiency, significant deficiency, or material weakness) and corrective action plans developed

Appendix B: Improper Payments

Appendix B integrates the government-wide improper payments framework into A-123, implementing the Payment Integrity Information Act of 2019 (PIIA) and predecessor statutes. An improper payment is any payment that should not have been made or was made in the wrong amount — including payments to ineligible recipients, duplicate payments, and payments lacking sufficient documentation.

Agencies must:

  1. Risk assessment: Annually assess all programs and activities to identify those that are susceptible to significant improper payments (PIIA defines "significant" as either (a) improper payments that exceeded both $10 million AND 1.5% of program outlays, or (b) improper payments exceeding $100 million regardless of percentage)
  2. Improper payment estimation: For high-risk programs, estimate the actual rate and dollar amount of improper payments using statistically valid sampling
  3. Set targets: Establish reduction targets for high-error programs and report annually on progress
  4. Root cause analysis: Identify whether improper payments result from eligibility determination errors, documentation deficiencies, fraud, or other causes — the corrective strategy depends on the cause
  5. Annual reporting: Report improper payment estimates, rates, and corrective action status in the PAR/AFR and on paymentaccuracy.gov

Government-wide improper payment estimates have historically ranged from $175–$250 billion annually, with Medicare and Medicaid accounting for the largest shares. OMB tracks agency compliance with PIIA requirements and works with the most noncompliant agencies on improvement plans.

Key Provisions

  • Section I — Internal Control Framework: COSO-based five-component framework; three categories of controls (operations, financial reporting, compliance); agency head accountability
  • Section II — Enterprise Risk Management: ERM governance structure requirements; risk profile and register; risk appetite statement; integration with strategic planning and budget
  • Section III — Management Assurance Statement: annual written assessment by agency head in PAR/AFR; disclosure of material weaknesses; reasonable assurance standard
  • Appendix A — ICOFR assessment process; CFO Act agency requirements; entity-level and process-level testing; auditor coordination
  • Appendix B — Improper payments; PIIA compliance; risk assessment; estimation methodology; reduction targets; paymentaccuracy.gov reporting
  • Three Lines Model: First line (program management owns risk), Second line (CFO, risk management, legal support), Third line (IG provides independent assurance)

How It Affects You

If you work at a federal agency: A-123 is not an abstract compliance exercise — it requires agency leadership to take personal, public responsibility for the adequacy of management controls. The agency head's annual assurance statement is a legal document; knowingly misrepresenting control effectiveness is a serious matter. Practically: the CFO's office leads the Appendix A ICOFR assessment, working with program offices to test controls; the agency's ERM function (often within the CFO or COO) leads the risk profile development; and the IG provides independent assessment. For program managers: if your program handles significant federal payments (benefits, grants, contractors), you are responsible for having adequate controls to prevent improper payments — including eligibility verification, documentation requirements, and supervisory review. Unresolved material weaknesses in your program follow your agency in OMB reviews and congressional hearings.

If you are a federal contractor or consultant providing financial management services: A-123 compliance creates sustained demand for internal controls advisory, ERM framework development, financial statement audit support, and improper payment root cause analysis. CFO Act agencies invest significantly in these services. Differentiate on COSO framework expertise, OMB A-123 policy fluency, and ability to translate risk assessments into actionable corrective plans. Appendix A testing engagements require knowledge of the Federal Financial Management Improvement Act (FFMIA), FASAB accounting standards, and the Treasury Financial Manual. Agencies facing audit findings or material weaknesses are the most urgent buyers.

If you are an Inspector General or oversight professional: A-123 defines the framework against which you assess management controls. The IG's annual independent assessment of ICOFR effectiveness (required by the CFO Act) is the primary external check on agency self-assessment. IG findings of significant deficiencies or material weaknesses that were not disclosed in the agency head's assurance statement — or that were disclosed but not corrected — are the basis for escalation to OMB and Congress. The ERM risk profile is now a document you should be requesting as part of IG oversight: does the agency's risk profile reflect what you've seen in your investigations and program evaluations?

If you are a researcher, journalist, or policy analyst: PAR/AFR documents for all CFO Act agencies are public and include the management assurance statements, identified material weaknesses, and improper payment data. These are the primary accountability documents for federal financial management. Paymentaccuracy.gov provides a government-wide dashboard of improper payment estimates by agency and program — the go-to source for improper payment analysis. GAO publishes annual high-risk reports that often cite A-123 control weaknesses. Comparing agency assurance statements over time reveals which agencies have persistent control problems and which are making progress.

State and Local Government Implications

A-123 directly governs federal agencies, not state or local governments. However, A-123's internal controls framework — particularly for programs where federal grants flow to states — establishes the standards federal agencies must enforce in overseeing state grantee compliance. When states receive federal grants for Medicaid, SNAP, or highway programs, the federal agency is responsible under A-123 for having adequate controls to prevent improper payments in those programs, including oversight of state eligibility determination processes. Federal agencies must design their grant oversight structures to satisfy A-123's requirements, which in turn shapes the audit requirements and reporting obligations imposed on state grant recipients.

Recent Developments

  • 2016 — Major revision adding Enterprise Risk Management to the traditional internal controls framework; title changed to reflect the expanded scope; ERM governance requirements and risk appetite concepts introduced
  • 2019 — Payment Integrity Information Act (PIIA) enacted, updating and strengthening improper payments requirements; A-123 Appendix B subsequently revised to implement PIIA
  • 2021 — OMB updated A-123 ERM guidance to address COVID-era risk management lessons, including supply chain risks and continuity risks
  • 2025 — DOGE-driven federal workforce reductions raised significant A-123 questions at several agencies: rapid personnel reductions affect control environments (segregation of duties, review and approval), and agencies are required to assess whether workforce changes have created new material weaknesses; several agency IGs have flagged this as an active risk area
  • Ongoing — Government-wide improper payments remain a persistent challenge; CMS-administered Medicare and Medicaid and USDA/FNS-administered SNAP consistently account for the largest improper payment volumes; OMB tracks remediation progress through the annual PIIA compliance cycle
