May 25 / Rob Persons

Why Your Internal Controls Fail A-123 Audits (And How to Write Ones That Pass Every Time)

You're not alone if your internal controls fail an audit because they're too vague. I've seen countless federal agencies struggle with this exact problem, and I'll tell you exactly what's going wrong and how to fix it.
The difference between controls that pass and those that fail isn't complexity but specificity. Today, I'm breaking down what makes a control audit-ready versus just "audit-sounding."

The Problem: Controls That Sound Good But Fail Audits

Here's a real example I see all the time that sounds professional but has fatal flaws:

"The budget analyst uploads the SF-132 into the financial system. The reviewer checks for completeness, accuracy, and validity and approves."

This control will fail every A-123 assessment. Here's why:

Three problems jump out immediately:

  1. Who's the reviewer? What's their job title? Where do they sit? Where do they belong in the organization?
  2. How exactly are they checking these things? It's unclear what they're doing except saying they're "checking."
  3. What documents are they using to verify? We know the analyst uploads information using the SF-132, but it never states what the reviewer uses.

This is where auditors and internal control assessors tear controls apart. It's just too general.

The Solution: The Five W Framework

Every audit-ready control needs to answer five questions: Who, What, When, Where, and Why?

WHO Performs Each Step?

Use specific job titles and business units. Be explicit. I wouldn't name particular individuals since those can change, but say "budget analyst from the budget shop." Unless you have multiple budget shops, that should be sufficient.

Critical consideration: Does this person have the right competence and authority? Do they have the technical skills, training, and experience needed?

WHAT Specific Actions Are They Taking?

What are they doing? Are they comparing? In our example, are they comparing the apportionment schedule to what was recorded in the system? Are they looking at the specific status of resources, budget authority, or specific restrictions like Cat A and Cat B spending?

The level of precision matters: Are they checking dollar-for-dollar, line-by-line, or just totals? Do you have dollar thresholds—like anything over $10,000 gets extra scrutiny? Or percentage thresholds? The more specific, the better.

Consider judgment levels: Is this a straightforward comparison with objective criteria, or does someone need to use significant judgment to determine if something looks reasonable?

Information Used in Control (IUC): Identify what data or sources you use. This is critical for audit compliance.

Control type: Is this manual, automated, or hybrid? Is it preventive (stopping problems before they happen) or detective (catching issues after the fact)?

WHEN Does This Happen?

I don't love seeing "on a routine basis"—it's not specific enough. Is it monthly? Annually? Every time something happens?

In our budget example, you could say "as needed," but I'd ask you to clarify by saying "every time a new apportionment schedule comes from OMB." That's the real trigger.

WHERE Does This Occur?

Specify the system. What system are you conducting your control in? If it's in a financial system, it could be in the budget module. Be specific about the location.

WHY Do They Do This?

This is the part we often miss. If you're aware of the information processing objectives called out in the GAO Green Book, you have completeness, accuracy, and validity.

Why check for accuracy? We check for accuracy so the financial system has apportionment data that agrees with the SF-132 (the apportionment schedule).

Completeness means: Is everything in the financial system that should be there? Are all the apportionments recorded as intended? Since most agencies have multiple funds, are they making sure that particular fund is recorded? If doing a holistic review, are they ensuring all funds that should be in the system are there?

Validity: SF-132 schedules have an official copy from OMB certified by an OMB official. The reviewer can verify the approval stamp from OMB.


Strong Control Example

This framework turns vague procedures into bulletproof controls. Here's our improved example:

"The budget analyst receives the approved SF-132 from OMB and uploads all apportioned amounts into the financial system within 48 hours. The senior budget reviewer—who has budget system access and supervisory authority—then performs three verification steps using the SF-132:
First, they confirm accuracy by matching each dollar amount in the financial system to the corresponding line in the SF-132, with any variances over $1,000 requiring documented explanation.
Second, they confirm completeness by making sure all budget entries for the fund are uploaded to the system.
Third, they do a validity check by verifying that the SF-132 contains the official OMB approval signatures for the current fiscal year designation."

Notice how this version:

  • Specifies the exact document (SF-132)
  • Defines who does what
  • Explains exactly how each verification step happens

This is what makes a control audit-ready. Nobody is guessing what you're doing—you can explicitly explain your process.

Why This Matters for Your A-123 Assessment

Having controls this detailed will alleviate headaches as assessors review your controls. Assessors change year to year, and if you prefer not to repeat yourself, well-documented controls will help you along the way.
Strong internal controls aren't complicated—they just need to be detailed.

Your Action Plan

Remember these essentials:

  • Answer the five W's (who, what, when, where, why)
  • Specify your source documents
  • Detail your verification steps
  • Include precision thresholds
  • Confirm the operator has proper authority
  • Document whether it's manual, automated, preventive, or detective

Get the Complete Framework

Want to ensure your controls pass every A-123 assessment? I've created a comprehensive Control Design Checklist that covers all these elements and more. It includes sections on:

  • Control objectives and risk mitigation
  • Precision levels and thresholds
  • Judgment requirements
  • Operator competence standards
  • Information processing objectives
  • GAO Green Book compliance

Download your free checklist at federalfinancecpe.com.
