What Is OMB Circular A-123 and Why Does It Matter for Federal Agencies?

If you work in or with federal agencies, you've almost certainly encountered references to OMB Circular A-123. It's one of those requirements that gets mentioned in every compliance conversation, but the practical implications aren't always clear — especially for organizations facing an assessment for the first time.

Having spent over 17 years conducting federal audits across four agencies — including OMB A-123 internal control assessments at the Small Business Administration — I've seen firsthand how preparation (or lack of it) makes the difference between a smooth assessment and a painful one. This guide breaks down what A-123 actually requires and how to prepare.

What Is OMB Circular A-123?

OMB Circular A-123, formally titled "Management's Responsibility for Enterprise Risk Management and Internal Control," is the Office of Management and Budget's directive that requires federal agency management to establish and maintain effective internal controls. It implements the requirements of the Federal Managers' Financial Integrity Act (FMFIA) of 1982.

In plain terms: A-123 says that agency leadership — not just auditors — is responsible for making sure their financial and operational processes are properly controlled, documented, and functioning as intended.

The COSO Framework Connection

A-123 assessments are built on the COSO Internal Control — Integrated Framework. COSO (the Committee of Sponsoring Organizations of the Treadway Commission) provides the structure through which internal controls are evaluated. The framework has five components:

1. Control Environment: The tone at the top. Does leadership demonstrate commitment to integrity and accountability? Are roles clearly defined?
2. Risk Assessment: Has the organization identified what could go wrong and evaluated the likelihood and impact of those risks?
3. Control Activities: Are there specific policies, procedures, and actions in place to address identified risks? This is where most of the day-to-day compliance work lives.
4. Information and Communication: Does relevant information flow to the right people at the right time? Are internal and external reporting channels working?
5. Monitoring Activities: Is someone checking that controls actually work? Are deficiencies identified and corrected?

Each of these five components has underlying principles — 17 in total — that assessors evaluate. A deficiency in any principle can result in findings that require corrective action.

What Does an A-123 Assessment Look Like in Practice?

From my experience conducting these assessments at the SBA using GAO Green Book standards, here's what the typical process involves:

Phase 1: Planning and Scoping

The assessment team identifies which business processes, financial systems, and operational areas are in scope. High-risk areas get more attention. At SBA, this included loan processing controls, grant management, and financial reporting processes.

Phase 2: Documentation Review

This is where organizations either shine or struggle. Assessors review policies, procedures, process narratives, and flowcharts. The question is simple: are your controls documented, and does the documentation reflect what actually happens? A common finding is that written procedures exist but don't match current practice — that's a control deficiency.

Phase 3: Testing

Assessors select transactions and test whether controls operated effectively during the period under review. This includes examining approvals, verifying segregation of duties, testing system access controls, and tracing transactions through the process. Testing can be attribute-based (did the control operate?) or substantive (is the output correct?).

Phase 4: Evaluation and Reporting

Findings are categorized by severity: control deficiencies, significant deficiencies, or material weaknesses. Material weaknesses must be reported in the agency's annual FMFIA assurance statement — which goes to OMB and Congress.

Who Needs to Care About A-123?

The obvious answer is federal agency management. But A-123 compliance increasingly matters to:

• Federal contractors: Agencies often flow internal control requirements down to contractors, especially for financial management and IT systems. If you're providing services to a federal agency, understanding A-123 helps you speak their language and anticipate their requirements.
• State and local governments receiving federal funds: While A-123 applies directly to federal agencies, organizations receiving federal grants or cooperative agreements are subject to similar internal control requirements under the Uniform Guidance (2 CFR 200).
• Auditors and consultants: If you're performing work under GAGAS (Government Auditing Standards), understanding the A-123 framework is essential for planning and conducting engagements.

How to Prepare for an A-123 Assessment

Based on years of conducting and reviewing these assessments, here's what separates organizations that do well from those that don't:

1. Document your controls before someone asks. Don't wait for the assessment team to arrive. Map your key processes, identify control points, and make sure written procedures are current.
2. Retain evidence of control execution. Approvals, reviews, reconciliations — if you can't prove it happened, it didn't happen from an auditor's perspective.
3. Test your own controls. Run through the COSO principles yourself. Can you demonstrate that each principle is present and functioning? Where are the gaps?
4. Address known issues proactively. If you know a process has a control gap, document a corrective action plan before the assessment. Assessors view proactive remediation very differently from discovered deficiencies.
5. Train your staff. Everyone involved in a process should understand their control responsibilities, not just management.

The Bottom Line

OMB A-123 compliance isn't optional for federal agencies, and the standards it establishes are increasingly relevant to any organization touching federal dollars. The good news is that the requirements aren't mysterious — they're structured, logical, and built on a well-established framework (COSO). The challenge is consistent execution and documentation.

If your organization is preparing for an A-123 assessment or looking to strengthen its internal control program, professional guidance from someone who has been on the assessor side of the table can save significant time and prevent material findings.

Zahid Syed is the CEO and Principal Consultant of Valley Financial Advisors, LLC. With 17+ years of federal auditing experience at CBP, SBA, VA, and the State Department, he specializes in OMB A-123 compliance assessments, GAGAS auditing, and COSO internal controls.