OMB Circular A-123, Appendix A – Management of Reporting and Data Integrity Risk, helps agencies identify risks so they can develop solutions as early as possible, by providing guidelines on the mechanics and required documentation of internal controls for compliance. On June 6, 2018, the Office of Management and Budget released an update to A-123, Appendix A.
The goals of the update include:
- Improved data quality to reduce the burden on agencies, shifting from compliance activities to supporting high-quality data reporting that affects data-driven decisions, management analyses, and transparency.
- Risk analysis to effectively employ internal controls to only those reporting objectives where inaccurate, unreliable, or outstanding reporting would significantly affect an agency’s ability to accomplish its mission and performance goals or objectives.
- Management discretion to determine how and when to assess, test, document, and correct deficiencies to provide reasonable assurances over internal control over reporting (ICOR) objectives.
- Flexibility to determine which control activities are necessary to achieve reasonable assurances over internal controls and processes that support overall data quality contained in agency reports.
What’s still required?
Agencies must continue to present management assurances in the agency financial report (AFR) or performance and accountability report (PAR), along with a report on identified material weaknesses and corrective actions. In addition, agency management remains responsible for determining the materiality of internal control activities and whether these materiality thresholds align with the level of control activities needed to provide reasonable assurances.
The new A-123, Appendix A includes a number of important changes.
Enhanced focus on Data Accountability and Transparency Act (DATA) Act
The update creates a new requirement called the Data Quality Plan (DQP). This plan must be included in agencies’ existing annual assurance statement over ICOR beginning in fiscal year 2019 and continuing through the statement covering fiscal year 2021 at a minimum (or until agencies determine that they can provide reasonable assurances over the data quality controls that support achievement of the reporting objective in accordance with the DATA Act). The DQP must be reviewed and assessed annually for three years or until the agency determines that sufficient controls are in place to achieve the updated objective.
The DQP should consider the incremental risks to data quality in Federal spending data and any controls that would manage such risks in accordance with OMB Circular No. A-123. Quarterly certifications of data submitted by agency senior accountable officials should be based on the consideration of the DQP and the internal controls documented in their plan, as well as other existing controls that may be in place, in the annual assurance statement process.
The DQP should cover significant milestones and major decisions pertaining to:
- organizational structure and key processes providing internal controls for spending reporting
- management’s responsibility to supply quality data to meet the reporting objectives for the DATA Act in accordance with OMB Circular No. A-123
- testing plan and identification of high-risk reported data, including specific data the agency determines to be high-risk that are explicitly referenced by the DATA Act, confirmation that these data are linked through the inclusion of the award identifier in the agency’s financial system, and reported with plain English award descriptions
- actions taken to manage identified risks.
Increased scope from internal control over financial reporting to internal control over reporting
Broadening the reporting requirements provides emphasis between operations, reporting, and compliance internal control objectives. This requirement extends to both internal and external reporting.
Incorporation of enterprise risk management and internal control over reporting
A-123 has required agencies to integrate ERM processes and internal controls and to include consideration of ICOR in their annual assurance statement and process. Agency management should utilize their risk profiles and apply risk appetite and risk tolerance for internal controls assessment. Agencies should leverage risk analysis in their risk profiles across a portfolio view of objectives (strategic, operations, reporting and compliance objectives) to effectively employ internal controls. They should also identify and eliminate duplicative and unnecessary processes that do not address identify risks.
Leveraging existing functions within the organization to monitor andassess risk and improve data quality
The Appendix A update recommends ways for agencies to do more with the information they’re already gathering through independent verification and validation, service organization reviews, assessment of ICOFR, Data Reliability Assessments used in performance audits.
- Leverage what you are already using for internal control efforts and tweak your approach
- Determine how to mature your control efforts based on new technology, existing efforts, and data analytics
- Talk to other agencies and share ideas and approaches
- Ensure there is collaboration among and between OCFO, performance reporting offices, operational groups (HR, IT, etc..) and program groups.