On July 15, 2016, the OMB revised Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control (the Circular), which was effective upon publication. While the Circular is specifically applicable to executive agencies of the federal government, it contains changes that may impact certain recipients of federal awards. This article focuses on the changes and how they may affect federal award recipients.
Which State and Local Governments or Other Nonfederal Entities May Be Affected by the Circular?
OMB’s Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) requires nonfederal grant recipients to establish and maintain effective internal control over federal awards that provides reasonable assurance that the awards are managed in compliance with federal statutes, regulations, and the terms and conditions of the awards. It states that those internal controls should comply with the guidance in either Standards for Internal Control in the Federal Government (the Green Book) or COSO’s Internal Control-Integrated Framework. If a nonfederal entity has elected to follow the Green Book, the Circular provides evaluation guidance for that internal control system.
In addition, any entity that receives federal awards under the supervision of a federal oversight agency may be affected even if the entity itself is not subject to the Uniform Guidance. The revision to the Circular adds requirements for executive agencies of the federal government to design and implement an Enterprise Risk Management (ERM) system. The Circular acknowledges that the federal government has a number of complex inter-dependencies with state and local governments and other recipients of federal funding. From an ERM perspective, these inter-dependencies affect the oversight agency’s risk management and give rise to additional risks. In other words, oversight agencies will need to evaluate an award recipient’s controls and consider their impact on the agency’s risk in specific areas.
What Are the Notable Changes In the Circular?
The addition of ERM to the Circular. ERM is the core concept underlying the changes to the Circular and is defined as a discipline that deals with identifying, assessing, and managing risks. The premise is that, through adequate ERM, entities will focus internal controls on key points of failure to reduce or eliminate the potential for disruptive events.
The addition of requirements to manage privacy risks. In order to carry out the objectives of a federal award, recipients sometimes hold personally identifiable information (PII), defined as information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. Entities must assess whether their information systems contain PII, or other information that becomes PII when combined with additional data, and if so, consider the risk that it could be compromised. Privacy programs must be developed and implemented to protect that information throughout its life cycle, from collection through use, storage, sharing, and disposal.
The addition of requirements to conduct acquisition assessments. The Circular reviews the elements of the GAO’s acquisition framework in relation to the Green Book and provides an illustrative table comparing the concepts common to both with those that are required by the Green Book but are not part of the GAO’s acquisition framework.
Practical Consideration: A complete copy of the Circular is available on OMB’s website.