Article

Adapting with agility to OMB's revised A-123 guidelines

Learn the four steps that agencies can take to realign their approach to risk and internal controls without overhauling existing programs.

Summary

 

  • OMB’s March 2026 update to Circular A-123 refocuses internal controls on outcomes and leadership accountability.
  • The separation of risk management from assurance raises expectations for evidence based, fraud aware control design.
  • Credible assurance now depends on demonstrating measurable results in high-risk areas.

 

A reset to fundamentals

The U.S. Office of Management and Budget (OMB)’s Circular A‑123, "Management's Responsibility for Internal Control," has long provided context and structure for how agency leaders demonstrate that internal controls are working as intended. In March 2026, OMB released a revised version of the Circular, signaling a deliberate reset; reducing the emphasis on the number of measures and processes to achieve compliance, and increasing requirements to demonstrate their controls are achieving the intended outcomes. 

What makes this update significant isn’t the introduction of new requirements but the discipline it restores. The revised Circular narrows A‑123 back to its core purpose under the Federal Managers’ Financial Integrity Act (FMFIA), placing greater weight on leadership judgment in how agencies scope, assess, and stand behind internal control conclusions. 

 

What's changed and why it matters

The March 2026 revision doesn’t reinvent internal control requirements. Instead, it sharpens accountability, removes ambiguity, and clarifies how success is defined. Key shifts include: 

  • Reaffirming A‑123 as the authoritative policy for internal control under FMFIA 
  • Re-centering scope on internal control over operations, reporting, and compliance
  • Removing the formal enterprise risk management (ERM) framework from A‑123 and placing risk management with agency leadership
  • Clarifying that risk assessment informs control evaluation, but assurance depends on demonstrated control performance

Collectively, these changes move agencies away from documentation-heavy approaches and toward measurable, evidence-based assurance. 

 

What hasn't changed—but matters more now

Some agencies emphasized the process of developing risk inventories and governance artifacts without consistently validating whether controls were actually working. With OMB’s changes, ERM becomes a tool that supports strategic planning, decision-making, and performance management, rather than a prescribed compliance process. OMB reinforces expectations for real-world performance by clarifying that risk informs, but doesn’t substitute for, assurance.

The revision strengthens the emphasis on proactive risk identification—especially in areas such as fraud and improper payments—signaling higher expectations for prevention and early intervention.

ERM remains an important management capability, even though it’s no longer codified within A‑123.

 

What federal leaders will be expected to answer

For senior leaders, the revised Circular serves as both a policy update and a management signal. It shifts the conversation from whether internal control programs exist to whether leaders can confidently stand behind the results that those programs produce. 

Leaders will increasingly be expected to answer:

  • Where must we prove control effectiveness? Agencies should prioritize high-risk operational areas, such as cybersecurity, procurement, grants, and service provider oversight, using targeted, risk-informed reviews.
  • Can we defend our conclusions with evidence? Assurance must demonstrate that key controls, especially preventive and automated controls, operate effectively in practice.
  • Are we detecting and resolving issues early? Credible assurance depends on disciplined deficiency evaluation, transparent documentation, and corrective actions that are specific, time-bound, and tracked to resolution.

Maturity of preventive controls, automation, and fraud-aware design are now defined through the outcomes they produce, including earlier detection, fewer deficiencies, and effective remediation. 

 

How you can respond

Agencies can act now, without overhauling existing programs, by realigning focus through four practical steps: 

  1. Re-anchor programs to assurance. Confirm that A‑123 activities remain tightly scoped to internal control effectiveness. Programs that have expanded into adjacent compliance areas may benefit from deliberate refocusing.
  2. Let risk guide where you prove effectiveness. Use risk insights to prioritize high-impact areas for review and testing.
  3. Strengthen controls where they matter most. Evaluate whether key controls are preventing issues, accelerating detection, and reducing deficiencies, particularly through automation, front-end design, and fraud-informed practices.
  4. Reposition the Statement of Assurance as a leadership tool. Treat the annual Statement of Assurance not as a reporting requirement but as a reflection of informed judgment, accountability, and stewardship.

 

A sharper standard for assurance

The March 2026 revisions to OMB Circular A‑123 reset expectations by clarifying the distinction between risk management and internal control assurance. Agencies that respond deliberately will be better positioned to withstand oversight, strengthen accountability, and build trust. 

Internal control today isn’t about documenting process. It’s about consistently and credibly proving that controls work when it matters.

insight_image

Andreia Bodale, Director

RELATED SERVICES
RELATED INDUSTRIES
MORE ON THIS TOPIC

Let us guide you

Guidehouse is a global AI-led professional services firm delivering advisory, technology, and managed services to the commercial and government sectors. With an integrated business technology approach, Guidehouse drives efficiency and resilience in the healthcare, financial services, energy, infrastructure, and national security markets.

Stay ahead of the curve with our latest insights, expertly tailored to your industry.