Stronger public sector controls start with Circular A-123

Recent updates to OMB Circular A-123 — the federal mandate for fighting fraud, waste and abuse — raises the bar for internal controls, with financial managers now facing even more detailed requirements for roles, frameworks, control management, reporting and more.

Compliance with these updates is not a BandAid fix or tick-box exercise for verifying a system of internal controls. It represents a sea change to a more comprehensive, preventative, risk-informed approach.

For many agencies, the revised OMB Circular A-123 may appear at first to add more process to an already complex compliance environment. But the real opportunity is to use A-123 as a catalyst for a stronger system of internal controls and therefore better risk governance. By connecting controls, evidence, analytics, and performance reporting, agencies can give executives a clearer view of where risk is increasing, where controls are under pressure, and where leadership attention is needed to protect mission outcomes.

Here’s why A-123 compliance is effort well spent, even for public sector audit teams outside of the federal government, along with practical tips to get started.

Manual testing is not effective

Internal control activities like risk assessments, reconciliations and separation of duties are essential for public sector organizations to maintain their stewardship of public funds and minimize fraud, waste and abuse. Monitoring ensures that these control systems are working properly and keeping pace with changes in the landscape.

To do their job efficiently and effectively, control monitoring methods must keep up with the times as well, especially new technologies. Here’s where A-123 pinpoints an urgent need for change.

Traditionally, the monitoring and testing of internal controls has been a manual, fragmented and often-times limited endeavor, which is risky business for public sector audit teams.

When reviews are limited to point-in-time evaluations and managed via disparate spreadsheets, a number of dangerous vulnerabilities emerge. Faulty controls remain unfixed. Recurring risks remain unchecked. Suspicious claims slip through the cracks.

As a result, annual assessments, and even interim reviews, take time away from other valuable work. Leaders may lack visibility into the full risk picture. There’s even the potential for benefits and services to go to the wrong people while eligible beneficiaries go without.

“When testing is manual, teams get stuck chasing paper and gathering evidence instead of understanding what’s actually working. Your controls may look good at any point in time when they’re tested, but without continuous visibility, you don’t really know what’s happening the rest of the year.” – Jason Venner, Director, Diligent.

All of these scenarios can compromise regulatory compliance, impact organizational effectiveness and, perhaps most importantly, affect public trust.

A-123 updates make CCM the new standard

Continuous controls monitoring (CCM) transforms this picture for the better.

It provides visibility across space in time, expanding data collection across departments and programs and testing to 100% of transactions.

Exceptions are surfaced on an ongoing basis, not just during annual reviews, with a clear issues log and follow-up trail across reviews and programs.

The benefits are many, with A-123 compliance being front and center for federal financial managers audit teams. And the stakes high for getting it right.

“It is the responsibility of all Federal managers to effectively manage the internal control process to identify, prevent, reduce and eradicate risks,” the White House declares.

Timely takeaways for state, local government and higher ed

Stricter A-123 requirements, and oversight, affect state and local government and higher education, too.

Financial managers should prepare for increased attention on how they’re mitigating fraud risk. At the same time, those working with federal grants and contracts may face stronger demands for audit-ready evidence, along with more frequent audits, stricter monitoring of sub-recipients and terminations or claw-backs if milestones and requirements are not met.

Even though A-123 is written for federal agencies, leaders in state and local government or higher education can use in their own compliance work for internal controls, including the COSO framework, Standards for Internal Control in the Federal Government (the GAO Green Book) and any state-specific legislation.

Furthermore, A-123 guidelines are tailor-made for the challenges of all public sector financial management teams: limited staff capacity, sporadic visibility of risk, and time lost tracking issues and chasing evidence.

By making technology-powered CCM business as usual, A-123 compliance equips your team to answer key questions like the following:

• How effectively are you monitoring processes in high-risk areas like program eligibility and vendor spend?
• How strong is your documentation in critical areas like grant applications?
• Are you able to see control status across departments, from payroll and procurement to benefits and beyond?

By raising the bar on why a system of internal controls needs to be more efficient and effective, A-123 may provide the push many state, local and higher ed audit leaders need to move to modernized systems, like a centralized GRC platform enhanced with automation, AI and analytics.

In fact, updates to Circular A-123 are part of a broader trend, similar to what auditor professionals are seeing with more emphasis on analytics and technology use in updates to Generally Accepted Government Auditing Standards (GAGAS) and the IIA’s International Professional Practices Framework (IPPF).

Next steps for CCM success

With the revised OMB Circular A-123 increasing expectations for risk visibility, accountability, and efficient oversight, agencies need to move beyond periodic control reviews and toward a more connected model for continuous assurance.

A practical starting point includes:

1. Create a connected control foundation. Align A-123, GAO Green Book, FISMA, FMFIA, fraud risk, and other oversight requirements to a common control framework that reduces duplication and clarifies ownership.
2. Digitize evidence, testing, and issue management. Centralize evidence collection, control testing, corrective action plans, and management certifications so teams can track status, reduce manual effort, and improve accountability.
3. Turn control activity into risk intelligence. Use analytics and dashboards to identify exceptions, control failures, overdue remediation, and emerging risk patterns so leaders can act earlier and make better mission-focused decisions.

With this foundation, public sector financial managers are equipped to bring technology into the equation — and their operations.

How Diligent’s audit and analytics solutions help

Delivered through one FedRAMP-authorized platform, Diligent’s public sector solutions keep programs A-123 compliant and audit‑ready:

• Centralizing risks and controls across finance, operations, programs, and IT, ideally connected directly to department data sources and aligned with relevant frameworks like the Standards for Internal Controls in the Federal Government, the Uniform Guidance, NIST, the COSO framework, and, of course, A-123.
• Configuring continuous monitoring for key controls, defining testing ownership, frequency and procedures.
• Implementing repeatable analytics, enabling 100% testing in high-risk areas like duplicate payments, ineligible beneficiaries and suspicious vendors.
• Automating workflows to route exceptions to the right people and actions, while tracking status and progress.
• Equipping leaders with real-time dashboards for comprehensive visibility of control health, open issues, remediation status and fraud/waste/abuse trends, across departments and programs.

Bring A-123 principles and modern CCM to your internal controls and audit programs. Schedule a demo of Diligent Internal Controls solution today.