Risk Management and Internal Control Program
Headquarters
Department of the Army
Washington, DC
16 July 2024
*Army Regulation 11–2
Effective 16 August 2024
Army Programs
Risk Management and Internal Control Program
By Order of the Secretary of the Army:
RANDY A. GEORGE
General, United States Army
Chief of Staff
MARK F. AVERILL
Administrative Assistant to the
Secretary of the Army
History. This publication is a major revision. The portions affected by this revision are listed in the summary of change.
Authorities. This regulation implements DoDI 5010.40.
Applicability. This regulation applies to the Regular Army, the Army National Guard/Army National Guard of the United States, and the U.S. Army Reserve, unless otherwise stated.
Proponent and exception authority. The proponent of this publication is the Assistant Secretary of the Army (Financial Management and Comptroller). The proponent has the authority to approve exceptions or waivers to this publication that are consistent with controlling law and regulations. The proponent may delegate this approval authority, in writing, to a division chief within the proponent agency or its direct reporting unit or field operating agency in the grade of colonel or the civilian equivalent. Activities may request a waiver to this publication by providing justification that includes a full analysis of the expected benefits and must include formal review by the activity's senior legal officer. All waiver requests will be endorsed by the commander or senior leader of the requesting activity and forwarded through their higher headquarters to the policy proponent. Refer to AR 25–30 for specific requirements.
Army internal control process. This regulation contains internal control provisions and identifies key internal controls that must be evaluated (see appendix B).
Suggested improvements. Users are invited to send comments and suggested improvements on DA Form 2028 (Recommended Changes to Publications and Blank Forms) directly to usarmy.pentagon.hqda-asa-fm.mbx.army-mngrs-internal-cntl-prog@army.mil.
Committee management approval statement. AR 15–39 requires the proponent to justify establishing/continuing committee(s), coordinate draft publications, and coordinate changes in committee status with the Office of the Administrative Assistant to the Secretary of the Army, Special Programs Directorate at email usarmy.pentagon.hqda-hsa.mbx.committee-management@army.mil. Further, if it is determined that an established "group" identified within this regulation later takes on the characteristics of a committee as found in AR 15–39, then the proponent will follow AR 15–39 requirements for establishing and continuing the group as a committee.
Distribution. This regulation is available in electronic media only and is intended for the Regular Army, the Army National Guard/Army National Guard of the United States, and the U.S. Army Reserve.
*This regulation supersedes AR 11–2, dated 4 January 2010.
AR 11–2 • 16 July 2024
UNCLASSIFIED
Table of Contents
Chapter 1 Responsibilities
Chapter 2 Program Requirements
Appendix A References
Appendix B Internal Control Evaluation
See DA Pam 11–2 for mandatory procedures.
Glossary
Alternative Internal Control Evaluation
Any existing management review process that meets the basic requirements of an internal control evaluation that assesses the key internal controls, evaluates the controls by testing them, and provides the required documentation. These existing management review processes may be unique to a specific functional area, or they may be generic, such as the Command Inspection Program or reviews by IR auditors.
Annual Statement of Assurance
The ASOA represents the agency head’s informed judgement as to the overall adequacy and effectiveness of internal controls within the agency relating to operations, reporting, and compliance. Section 2 of FMFIA requires the head of each executive Agency annually submit to the President and the Congress intended objectives; and (2) a report on MW in the Agency’s control. The Army’s ASOA is required by OSD for consolidation into the DoD ASOA submission to Congress.
Army Audit Committee
A committee or board of senior functional officials convened to advise the Under SECARMY on risk and internal control matters, including the identification of risks and internal control weaknesses that merit the attention of Army leadership and reporting as MWs.
Assessable Unit
Any organizational, functional, programmatic, or other applicable subdivision of an organization that allows for adequate IC analysis. An assessable unit’s functions include the documentation, identification, and insertion of controls associated with a specific sub-function in order to mitigate identified risk. The assessable unit is required to have an appointed and adequately trained assessable unit manager.
Assessable Unit Manager
The government employee selected by appropriate functional leadership who is responsible for the Risk Management and Internal Control Program requirements of the assessable unit. The assessable unit manager must be a government employee, to prevent inherently governmental functions from being performed by contracted employees, and must possess an in-depth understanding of the processes and procedures of the assessable unit.
Brevity code
A code word, which provides no security, that serves the sole purpose of shortening of messages rather than the concealment of their content.
Business Process
A business process is a financial and non-financial functional area under control monitoring. Financial business processes are processes which trigger a financial event impacting the general ledger and financial statements as defined in the Army’s Control Catalog https://www.usafmcom.army.mil/bps/. Non-financial business processes are defined by the RO and affect the overall operations of the Army. Non-financial business processes do not have a direct impact on the financial statements.
Control Deficiency
A control deficiency is when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to satisfactorily accomplish their assigned functions or inhibits the prevention or detection of misstatements on a timely basis.
Corrective Action Plan
A written document that spells out the specific steps necessary to resolve a material weakness, including targeted milestones and completion dates. Corrective action plans for operational assessment material weaknesses are maintained with the Risk Management and Internal Control Program documentation. Corrective action plans for financial reporting and financial systems material weaknesses are maintained in the Financial Improvement Audit Readiness Planning Tool.
Enterprise Risk Management
An effective agency-wide approach to addressing the full spectrum of the organization’s significant risks by considering the combined array of risks as an interrelated portfolio, rather than addressing risks only within silos. ERM provides an enterprise-wide, strategically aligned portfolio view of organizational challenges, and improved insight about how to prioritize and manage risks to mission delivery more effectively.
Entity Level Control
ELCs are controls that have a pervasive effect on an entity’s internal control system and may pertain to multiple components. ELCs may include controls related to the entity’s risk assessment process, control environment, service organizations, management override, and monitoring.
Fraud Risk Management
A sub-division of ERM. A framework that encompasses control activities to prevent, detect, and respond to fraud, with an emphasis on prevention, as well as structures and environmental factors that influence or help managers achieve their objective to mitigate fraud risks in all levels of the organization.
Head of Reporting Organization
The person who is responsible for executing the RMIC Program within their respective organization by understanding and applying the GAO standards for internal control in the Federal Government and carrying out the RMIC Program within their respective organization.
Internal Control Administrator
The individual designated by the SRO to administer the RMIC Program for the RO. The AUMs designate ICAs below the RO level.
Internal Control Evaluation
A periodic, detailed assessment of key internal controls to determine whether they are operating as intended. This assessment must be based on the actual testing of key internal controls and must be supported by documentation (that is, the individuals who conducted the evaluation, the date of the evaluation, the methods used to test the controls, any deficiencies detected, and the corrective action taken).
Internal Control Evaluation Certification
A certification documented in DA Form 11–2. This certification is signed by the AUM. This form summarizes and documents the completed internal control testing results. The DA Form 11–2 should accompany each test plan, serving as the cover sheet to capture activities that occurred during testing.
Internal Control Evaluation Plan
The written plan that describes how required internal control evaluations are conducted over a 5-year period. The ICEP is based on the risk assessment results and includes who will conduct the evaluation, when, and how. It covers the key internal controls HQDA functional proponents identified and communicates clearly to subordinate managers what areas are to be evaluated.
Internal Control Evaluator
The individual(s) designated by the AUM to administer the internal control evaluation. This is not an inherently government role and must be independent of the function assessed.
Internal Controls
The organization, policies, and procedures that help program and financial managers to achieve results and safeguard the integrity of their programs by reducing the risk of adverse activities. Internal controls include such things as the organizational structure itself (designating specific responsibilities and accountability), formally defined procedures (for example, required certifications and reconciliations), checks and balances (for example, separation of duties), recurring reports and management reviews, supervisory monitoring, and physical devices (for example, locks, and fences).
Key Internal Control Questionnaire
Formally referred to as checklists. The Key Internal Control Questionnaire is used to guide evaluations of the effectiveness of the control. Responses to the questionnaire are provided only when substantial testing is conducted to support the responses and is part of the overall internal control evaluation package.
Key Internal Controls
Those essential internal controls implemented and sustained in daily operations to ensure organizational effectiveness and compliance with legal requirements. Key controls must operate effectively to reduce the risk to an acceptable level.
Material Weakness
A specific instance of a failure in a system of control or lack of control that would significantly impair fulfillment of agency’s mission, violate statutory or regulatory requirements, or significantly weaken safeguards against waste, loss, unauthorized use or misappropriation of funds, property, or other assets. The material weakness may present a major impact to the environment, safety, security, or readiness of the command. For financial reporting, this would include a reportable condition or combination of reportable conditions that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected.
Reasonable Assurance
An informed judgment by management regarding the overall adequacy and effectiveness of ICs based upon available information that the systems of ICs are operating as intended according to 31 USC 3512.
Reporting Organization
The HQDA staff agencies, ACOMs, ASCCs, and DRUs. These are the organizations that submit ASOAs directly to ASA (FM&C) for consolidation and submission to the SECARMY.
Risk
The probable or potential adverse effects from inadequate internal controls that may result in the loss of government resources through fraud, error, or mismanagement.
Risk Assessment
The process of evaluating the risks in a functional area based on the key internal controls that are in place. Specifically, the risk assessment measures two qualities or attributes of the risk: need not exceed the benefits derived.
Senior Responsible Official
Designated by the Head of the RO. The SRO has overall responsibility for ensuring the implementation of an effective RMIC Program within that organization.
Significant Deficiency
A control deficiency or combination of control deficiencies, that in management’s judgment, represents significant deficiencies in the design or operation of ICs that could adversely affect the DoD and OSD Component’s ability to meet its IC objectives.
Test Plan
A documented methodology used to evaluate the design or assess the effectiveness of the control’s operation. A test plan provides detailed test procedures, test results, and includes supporting documentation to support the results.
