AR 7-14 INTERNAL CONTROL SYSTEMS AND REPORTING REQUIREMENTS

Approved for Release: 2020/03/16 C06235327 UNCLASSIFIEDHAIU Date: 04/10/2007 (Handbooks may contain various dates) Category: 7 - Management OPR: CFO Title: AR 7-14 (1..tthki140) INTERNAL CONTROL SYSTEMS AND REPORTING REQUIREMENTS CL By: CL Reason: DECL On: DRV From: (b)(3) REVISION SUMMARY: 10 April 2007 This regulation supersedes AR 7-14, dated 12 July 2000. AR 7-14 is revised and retitled "Internal Control Systems and Reporting Requirements." This revision sets forth current Agency policy on the Automated Financial Systems (AFS Certification) information. Additionally, all references to AHB 7-14 within this regulation have been deleted, as AHB 7-14 has been rescinded and replaced by the AFS Certification Guidelines found on CIALink. OIG is required to review the Agency FMFIA report under the OMB guidance (OMB Bulletin 06- 03, August 2006) relating to the annual review of the Agency's Financial Statement. The OIG review under AR 7-14 is redundant and is therefore eliminated. Finally, Organizational titles have been updated to reflect the Agency's recent restructuring. Because this regulation was completely rewritten, boldfaced text has not been used to indicate revisions. 14. (UH-A-1440) INTERNAL CONTROL SYSTEMS AND REPORTING REQUIREMENTS (Uthtfee) SYNOPSIS. This regulation implements the Federal Managers' Financial Integrity Act of 1982 and its implementing guidance, Office of Management and Budget (OMB) Circular A-123. The regulation details the Agency's internal control program and establishes procedures for reviewing and reporting on the Agency's internal controls. a. (U) AUTHORITY. The Federal Managers' Financial Integrity Act of 1982; OMB Circular A-123, Management's Responsibility for Internal Control. b. (Ufttf15-0) GENERAL. The nature of the Agency's mission and the special trust Approved for Release: 2020/03/16 C06235327 Approved for Release: 2020/03/16 C06235327 implicit in the grant of unique authorities to the Agency require Agency managers to establish strong internal controls (synonymous with "management controls") and continuously monitor and test those controls in order to ensure a high degree of disciplined compliance with them. c. (Uthk-W13) REPORTING REQUIREMENTS UNDER THE FEDERAL MANAGERS' FINANCIAL INTEGRITY ACT OF 1982, 31 U.S.C. 3512(b) AND (c). (1) The Federal Managers' Financial Integrity Act of 1982 (FMFIA) requires the heads of executive agencies to establish and maintain internal controls in order to ensure the effectiveness and efficiency of Federal programs and operations. In addition, the Act requires agency managers to correct deficiencies in internal controls and holds agency managers accountable for their performance. (2) The FMFIA also requires the head of each executive agency to provide annually to the President and Congress a "Report on Internal Control Program" that states whether there is reasonable assurance that: (a) The agency's internal controls are achieving their intended objectives, noting any material weaknesses in the agency's internal controls (Section 2 of FMFIA); and (b) The agency's financial management systems conform to Government-wide requirements (Section 4 of FMFIA). d. (Uff-A1+143) THE AGENCY'S INTERNAL CONTROLS (1) Internal controls are the organizational structures, policies, and procedures that Agency managers establish in order to help them achieve the Agency's objectives for activities in their areas of responsibility. Internal controls include programmatic, operational, and administrative controls, as well as accounting and financial management controls. The objectives of internal controls are to reasonably assure: (a) Effectiveness and efficiency of operations; (b) Reliability of financial reporting; (c) Compliance with applicable laws and regulations; and (d) Safeguarding of assets. (2) The Agency's internal controls include the following: (a) The Agency's organizational structure, as codified in Series 1 of the Approved for Release: 2020/03/16 C06235327 Approved for Release: 2020/03/16 C06235327 Agency's regulations ("Organization"), which establishes a series of checks and balances in management authority and clearly delineates Agency managers' areas of responsibility, thereby establishing accountability amongst Agency managers. (1) The Director of the Central Intelligence Agency (D/CIA) and the Deputy Director of the Central Intelligence Agency (DD/CIA) assign authority and responsibility to: the Associate Deputy Director of the CIA (ADD/CIA); the General Counsel; the Chief Financial Officer (CFO); the Procurement Executive; the Director of the National Clandestine Service (NCS); the Directors for Intelligence, Science and Technology, and Support; the Heads of Independent Offices; Operating Officials; the Chief of Human Resources; the Director, Office of Security; the Director of Finance; and the Chiefs of Stations and Bases (hereinafter referred to as "Agency managers"). (2) These officials are responsible for managing activities within their areas of responsibility and directing their subordinate officials in the specific methods and procedures to be used in discharging their responsibilities. All Agency managers are responsible for the proper function of internal controls within their areas of responsibility. (b) The Agency's regulatory system, which implements applicable Federal laws, regulations, and executive orders, and prescribes Agency policies and makes them binding upon all Agency employees. (c) The responsibility of each Agency employee, as outlined in AR 30- lc(7) and AR 7-1, Annex D, to report instances of fiscal impropriety or noncompliance with Federal laws, regulations, and executive orders. (d) The responsibility of the chief of each component, station, or base who receives a report from the Office of Inspector General (OIG) to: (1) Evaluate the findings and recommendations included in the OIG's report; (2) Determine the proper actions to be taken in order to respond to such findings and recommendations; and (3) Address the recommendations, and report actions taken to the Approved for Release: 2020/03/16 C06235327 Approved for Release: 2020/03/16 C06235327 OIG either directly or through the appropriate Agency Headquarters component. (3) In accordance with OMB Circular A-123, Agency internal controls are evaluated against the following standards: (a) Control Environment. The organizational structure and culture created by management and employees to sustain organizational support for effective internal control, such as defining areas of authority and responsibility; appropriately delegating authority and responsibility throughout the agency; establishing a suitable hierarchy for reporting; supporting policies for hiring, training, evaluating, and counseling, advancing, compensating, and disciplining personnel; and upholding the need for personnel to possess and maintain the proper knowledge and skills to perform their assigned duties as well as understanding the importance of maintaining effective internal control within the agency. (b) Risk Assessment. The internal and external risks and vulnerabilities that may prevent the organization from meeting its objectives. (c) Control Activities. The policies, procedures, and mechanisms to help ensure that agency objectives are met, such as: proper segregation of duties; physical controls over assets; proper authorizations; and appropriate documentation and access to that documentation. (d) Information and Communication. The communication of relevant, reliable, and timely information to personnel at all levels within the organization and external to the agency. (e) Monitoring. The consistent process for monitoring the effectiveness of internal controls, including periodic reviews, reconciliations, or comparisons of data, that should occur as part of the regular assigned duties of personnel during the normal course of business. e. (UHAIU0) POLICY (1) It is Agency policy to administer a system of internal controls that meets the objectives detailed in Section d(1.) above. Accordingly, Agency managers will: (a) Establish mechanisms to document the risks associated with key areas of the programs, operations, and financial and support activities within their areas of responsibility, and delineate control techniques to be used to address those risks; Approved for Release: 2020/03/16 C06235327 Approved for Release: 2020/03/16 C06235327 (b) Ensure the integrity of the internal controls that monitor the programs, operations, and financial and support activities within their areas of responsibility. Training will be an integral part of this responsibility; (c) Assess the adequacy of internal controls within their areas of responsibility by reviewing and reporting on selected activities, as outlined in the Agency's internal control plan; and (d) On a timely basis, take all actions that are necessary to correct � deficiencies that are found in the internal controls within their areas of responsibility. (2) The Agency implements this policy with regard to internal controls over accounting through its the financial management systems. (a) "Agency financial management systems" includes all Agency financial systems, both manual and automated, used for planning, budget formulation and execution, program and administrative accounting, and audit. This includes systems that are used to record and classify financial data, and report financial management information such as purchasing, property, and inventory information. (b) All Agency automated financial management systems are to be Automated Financial System (AFS) certified prior to being used for official Agency business. Approved for Release: 2020/03/16 C06235327 Approved for Release: 2020/03/16 C06235327 f. (U74A-1440) IMPLEMENTATION OF THE FMFIA'S REPORTING REQUIREMENTS (2) The internal control plan provided annually by the CFO to Agency managers will detail the activities within the managers' areas of responsibility to be reviewed, instructions for assessing and reporting on internal controls within the managers' areas of responsibility, and the structure of the managers' assurance statements. Approved for Release: 2020/03/16 C06235327 Approved for Release: 2020/03/16 C06235327 (3) Based on the guidance provided by the CFO, by 30 June of each fiscal year, each Agency manager will assess and report on the internal controls within the manager's respective area of responsibility and prepare an assurance statement certifying the effectiveness of the internal controls within that area of responsibility. The Agency manager's assurance statement must take one of the following forms: (a) Unqualified Statement of Assurance (no material weaknesses reported); (b) Qualified Statement of Assurance, considering the exceptions explicitly noted (one or more material weaknesses reported); or (c) Statement of No Assurance (no control processes in place or pervasive material weaknesses). Approved for Release: 2020/03/16 C06235327 Approved for Release: 2020/03/16 C06235327 Approved for Release: 2020/03/16 C06235327 Approved for Release: 2020/03/16 C06235327 (10) If a material weakness is discovered by 30 June, but is corrected by 30 September, the responsible Agency manager's assurance statement must be revised to identify the material weakness and the corrective action that was taken. If a material weakness is discovered after 30 June, but prior to 30 September, the responsible Agency manager's assurance statement must be revised to include the subsequently identified material weakness. Approved for Release: 2020/03/16 C06235327 Approved for Release: 2020/03/16 C06235327 Approved for Release: 2020/03/16 C06235327 Approved for Release: 2020/03/16 C06235327 (15) The D/CIA will submit the Agency's Report on Internal Control Program, which will include his signed statement of assurance for overall internal control within the Agency, to the President, Congress, and OMB by 15 November of each fiscal year. (16) Agency mangers are responsible for taking actions necessary to correct the material weaknesses within their respective areas of responsibility that have been cited in the Agency's Report on Internal Control Program. The ensuing audit or inspection report for any component in which a material weakness has been cited will comment on the status of corrective actions that have been proposed and the effectiveness of corrective actions that have been completed. Approved for Release: 2020/03/16 C06235327