https://armypubs.army.mil/epubs/DR_pubs/DR_a/ARN41485-AR_11-7-000-WEB-1.pdf
*This regulation supersedes AR 11–7, dated 29 March 2017.
AR 11–7 • 21 May 2025
UNCLASSIFIED
Headquarters
Department of the Army
Washington, DC
*Army Regulation 11–7
21 May 2025 Effective 21 June 2025
Army Programs
Internal Review Program
History. This publication is a major revision. The portions affected by this major revision are listed in the summary of change.
Authorities. This section contains no entries.
Applicability. This regulation applies to the Regular Army, the Army National Guard/Army National Guard of the United States, and
the U.S. Army Reserve, unless otherwise stated.
Proponent and exception authority. The proponent of this regulation is the Assistant Secretary of the Army (Financial Management
and Comptroller). The proponent has the authority to approve exceptions or waivers to this regulation that are consistent with control-
ling law and regulations. The proponent may delegate this approval authority, in writing, to a division chief within the proponent agency
or its direct reporting unit or field operating agency, in the grade of colonel or the civilian equivalent. Activities may request a waiver
to this regulation by providing justification that includes a full analysis of the expected benefits and must include formal review by the
activity’s senior legal officer. All waiver requests will be endorsed by the commander or senior leader of the requesting activity and
forwarded through their higher headquarters to the policy proponent. Refer to AR 25–30 for specific requirements.
Army internal control process. This regulation contains internal control provisions in accordance with AR 11–2 and identifies key
internal controls that must be evaluated (see appendix B).
Suggested improvements. Users are invited to send comments and suggested improvements on DA Form 2028 (Recommended
Changes to Publications and Blank Forms) directly to the Assistant Secretary of the Army (Financial Management and Comptroller)
(SAFM–FOI), 109 Army Pentagon, Washington, DC 20310–0109.
Distribution. This regulation is available in electronic media only and is intended for the Regular Army, the Army National Guard/Army
National Guard of the United States, and the U.S. Army Reserve.
SUMMARY of CHANGE
AR 11–7
Internal Review Program
This major revision, dated 21 May 2025—
• Clarifies the responsibilities for various entities with respect to the Army Internal Review Program (paras
1–6 through 1–11).
• Renames guidance from “The Internal Review Program” to “Internal Review Program Concept,
Objective, and General Requirements,” restructures the paragraphs within this chapter, and clarifies
the requirements described in the chapter (chap 2).
• Restructures the paragraphs (Internal Review Planning and Services) and expands the requirements
(chap 3).
• Renames guidance from “Internal Review Quality Assurance, Quality Control, and Peer Review” to
“Internal Review Quality Management and Peer Review,” restructures the paragraphs within this
chapter, and expands the requirements described in the chapter (chap 4).
• Eliminates guidance on Peer Review Assessment and Semiannual Reports (app B).
• Renames the internal control evaluation and expands the internal control evaluation test questions (app
B).
AR 11–7 • 21 May 2025 i
Contents (Listed by chapter and page number)
Summary of Change
Chapter 1
Introduction, page 1
Chapter 2
Internal Review Program Concept, Objective, and General Requirements, page 5
Chapter 3
Internal Review Planning and Services, page 10
Chapter 4
Internal Review Quality Management and Peer Review, page 18
Appendixes
A. References, page 25
B. Internal Control Evaluation, page 26
Glossary of Terms
AR 11–7 • 21 May 2025 1
Chapter 1
Introduction
Section I
General
1–1. Purpose
This regulation prescribes policies, roles, responsibilities, and standards for the Army Internal Review (IR)
Program within the Department of the Army (DA).
1–2. References, forms, and explanation of abbreviations
See appendix A. The abbreviations, brevity codes, and acronyms (ABCAs) used in this electronic publica-
tion are defined when you hover over them. All ABCAs are listed in the ABCA directory located at
https://armypubs.army.mil/.
1–3. Associated publications
This section contains no entries.
1–4. Responsibilities
Responsibilities are listed in section II of chapter 1.
1–5. Records management (recordkeeping) requirements
The records management requirement for all record numbers, associated forms, and reports required by
this publication are addressed in the Records Retention Schedule–Army (RRS–A). Detailed information
for all related record numbers, forms, and reports are located in Army Records Information Management
System (ARIMS)/RRS–A at https://www.arims.army.mil. If any record numbers, forms, and reports are not
current, addressed, and/or published correctly in ARIMS/RRS–A, see DA Pam 25–403 for guidance.
Section II
Responsibilities
1–6. Assistant Secretary of the Army (Financial Management and Comptroller)
The ASA (FM&C), who has been delegated authority by the Secretary of the Army (SECARMY) through
Army General Orders No. 2025–01 (AGO 2025–02) for implementation of the Army IR Program, will—
a. Serve as the Headquarters, Department of the Army (HQDA) proponent responsible for overseeing
the Army IR Program; however, ASA (FM&C) does not exercise direct command and control over individ-
ual IR offices, which report directly to local commanders at various commands throughout the Army.
b. Establish policy and oversight for the Army IR Program through the Deputy Assistant Secretary of
the Army (Financial Operations & Information), (DASA (FOI)), the ASA (FM&C) Director of Financial Op-
erations & Accounting (SAFM–FOA), and the ASA (FM&C) Director of Army Risk Management (SAFM–
FOA–M). The following specific responsibilities will be delegated to the Director of Army Risk Manage-
ment:
(1) Develop, promulgate, and oversee the implementation of policies and procedures for IR offices
throughout the Army.
(2) Interpret Generally Accepted Government Auditing Standards (GAGAS), Comptroller General of
the United States decisions, and Department of Defense (DoD) and DA policies as they relate to the
Army IR Program.
(3) Monitor the execution of the Army IR Program and IR office compliance with GAGAS, this regula-
tion, and other applicable DA/DoD policies.
(4) Develop standard metrics to measure the performance of IR offices throughout the Army and prom-
ulgate these metrics through the Army IR Annual Metrics Report or other mechanisms as directed by the
DASA (FOI).
AR 11–7 • 21 May 2025 2
(5) Assist and support effective execution of IR programs at Army commands (ACOMs), Army service
component commands (ASCCs), direct reporting units (DRUs), HQDA staff agencies, and other organiza-
tions within the Army where IR offices are established.
(6) Provide guidance and assistance to organizations reporting to HQDA on all matters relating to the
Army IR Program.
(7) Advise commanders and activity heads on maintaining adequately staffed IR offices with appropri-
ate grade structures.
(8) Maintain a roster of employees at IR offices throughout the Army and a repository of auditing tem-
plates and example audit programs to aid these IR offices in executing audits and similar engagements
within their respective commands.
(9) Provide general oversight of quality monitoring activities occurring within the Army’s IR offices and
summarize the results of these activities through the Army IR Annual Quality Assessment or other mecha-
nisms as directed by the DASA (FOI).
1–7. The Army Auditor General
The AAG reports to the SECARMY and is responsible for the operational performance of the U.S. Army
Audit Agency (USAAA). The Army Auditor General, in accordance with the functional responsibilities del-
egated by the SECARMY and codified in AR 36–2, exercises responsibility for the conduct of the audit
function in the Army and entities for which the Army provides resources. This responsibility is completely
separate and distinct from responsibilities pertaining to the Army IR Program, which is the responsibility of
the ASA (FM&C), as delegated by the SECARMY and codified in AR 11–7.
1–8. Chief, National Guard Bureau
The CNGB establishes policies and programs for employment in accordance with Title10, United States
Code, 10503 (32 USC 10503) and DoDD 5105.77. The CNGB, directly or by delegation to the Vice Chief
of the National Guard Bureau, oversees the direction and control of the U.S. Property and Fiscal Officers
(USPFOs) (that is, the independent Federal officials in each state) in accordance with 32 USC 708. The
CNGB will—
a. Ensure that state-level National Guard IR offices are organizationally aligned under and report di-
rectly to the USPFO.
b. Ensure that IR positions within National Guard IR offices meet National Guard Bureau (NGB) posi-
tion classification requirements for the GS–0511 Auditor professional job series and conform to standard-
ized Army civilian personnel position descriptions developed by NGB Manpower and Personnel (NGB–
J1).
c. Ensure each National Guard IR office develops an IR annual or biennial plan which is approved by
the USPFO prior to the beginning of the period covered by the plan.
1–9. Chief, Army Reserve and Commander, U.S. Army Reserve Command
The CAR and USARC will ensure Army Reserve IR offices are organizationally aligned as independent
activities which report directly to the commander, principal deputy commander, or chief of staff of their re-
spective commands. However, for administrative purposes, these offices will also be aligned to a USARC
Readiness Division IR office, with all USARC Readiness Division IR offices aligned under the Headquar-
ters USARC IR office.
1–10. Commanders and heads of Headquarters, Department of the Army activities
Within the context of this regulation, the term “commander” refers to the principal commanding officer or
organization head who has ultimate responsibility for and authority over a command, HQDA organization,
U.S. Property and Fiscal Office (USPFO), or other activity within the Army where an IR office exists or
could potentially be established. Commanders of ACOMs, ASCCs, DRUs; heads of HQDA activities; U.S.
Property and Fiscal Officers (USPFOs); and commanders of other commands/activities within the Army
where IR offices exist or could potentially be established will—
a. Establish and adequately resource IR offices as part of the command and control process to miti-
gate risk and ensure the accomplishment of local command missions.
b. Ensure IR offices are organizationally aligned as independent activities which report directly to the
commander, principal deputy commander, or Chief of Staff of their respective command,
AR 11–7 • 21 May 2025 3
installation/garrison, division, district, or activity. As an independent office, the IR office will not be aligned
under another functional directorate or staff section within the command.
c. Ensure all IR auditor positions (to include IR director/chief positions) are designated as and meet the
Office of Personnel Management (OPM) position classification requirements for the General Schedule
(GS–0511) Auditor professional job series and conform to standardized Army civilian personnel position
descriptions developed by ASA (FM&C).
d. Ensure each local IR office develops an IR annual or biennial plan and submits this plan to the activ-
ity commander, deputy commander, or chief of staff for review and approval.
e. Ensure functional directors, division chiefs, and subordinate activities within the command are given
an opportunity to provide input to the command's IR annual or biennial plan prior to the time of its ap-
proval.
f. Ensure functional directors, division chiefs, and subordinate activities fully cooperate with all IR en-
gagements and provide timely responses to all inquiries in support of these engagements in accordance
with DoDI 7600.02.
g. Ensure IR auditors are granted timely, full, and unrestricted access to all personnel, facilities, rec-
ords, reports, information systems/databases (read-only), documents, and other information/materials
(subject to security clearance requirements) needed in connection with an audit, attestation, investigation,
inquiry, or other IR service.
h. Adjudicate and resolve disagreements between IR offices, subordinate commanders, and functional
directors involving IR report results and associated recommendations.
i. Ensure the local IR office is included in any staff officer orientation briefings and/or training sessions
held within the command to ensure new members of the command understand the IR office’s function
and its availability to assist new staff members in mitigating risk and accomplishing their respective mis-
sions.
j. Ensure the local IR office is provided a working environment which affords sufficient privacy to allow
the performance of work which is of a sensitive nature. Ensure, at a minimum, that IR offices have access
to team rooms or conference rooms for private meetings and telephone conversations as well as lockable
file cabinets or other secure storage arrangements.
k. Ensure the local IR office is designated as an assessable unit for the purposes of the command’s
local Risk Management and Internal Control (RMIC) Program if the IR office resides within an ACOM
headquarters and/or if the IR office oversees a significant number of additional IR offices within subordi-
nate command echelons.
1–11. Internal review directors and chiefs
Within the context of this regulation, the term “IR directors and chiefs” refers to all personnel who have
been designated primary responsibility for an IR office, including IR officials who work in an IR office con-
sisting of a single person. IR directors and chiefs at all Army activities will—
a. Serve as the principal advisor to the commander on internal control and audit matters.
b. Direct, manage, and execute the full range of IR services prescribed in this regulation consistent
with the needs of the command and other supported activities.
c. Ensure IR services are provided in accordance with GAGAS, this regulation, and other appropriate
DoD/DA policies and regulations.
d. Establish and maintain a risk assessment file to use as a basis for determining which functions and
business processes exist within the command and are therefore subject to audit/examination in addition
to the risk levels associated with these functions and business processes.
e. Develop a flexible IR annual or biennial plan identifying audits, attestations, and nonaudit services
the IR office anticipates conducting within the upcoming 1 to 2 years based on command staff input and
an assessment of the risks outlined in the risk assessment file described in paragraph 1–11d which are
most relevant to the command. The annual or biennial plan must be approved by the commander, deputy
commander, or chief of staff. For National Guard IR offices, the plan must be approved by the USPFO.
f. Ensure that Army special access programs (SAPs) are adequately considered and prioritized in the
command’s IR annual or biennial plan if these programs are a significant component of the command's
overall mission. In situations where SAPs are a significant component of the command’s overall mission,
at least one member of the IR staff should be cleared for access to the command’s SAP.
g. Provide a copy of the signed IR annual or biennial plan to the organization inspection program coor-
dinator, in accordance with AR 1–201.
AR 11–7 • 21 May 2025 4
h. Perform special IR engagements as directed by ASA (FM&C). These special engagements may in-
clude, but are not limited to, providing support to audits of programs or business processes executed
through more than one ACOM/activity, performing internal control testing of financially-relevant business
processes, and providing support to multi-location audits initiated by USAAA. ASA (FM&C) will coordinate
all proposed special engagements of this nature with the commands where IR support is being requested
prior to initiating or directing the special engagement.
i. Provide technical advice, assistance, and consultation on internal controls to the local commander
and assessable unit managers, as necessary.
j. During the course of audits and other IR engagements, evaluate the effectiveness of internal con-
trols, the adequacy of internal control evaluations, and the effectiveness of actions taken to correct mate-
rial weaknesses relating to the subject matter which is being evaluated.
k. In accordance with AR 11–2, ensure the command considers internal control weaknesses identified
during IR audits and external audits when preparing the commander’s annual statement of assurance
(ASOA) for the RMIC Program.
l. If aligned at the headquarters of a reporting organization (RO) for the purposes of the RMIC Pro-
gram, perform an independent evaluation of the commander’s ASOA and provide the commander an as-
sessment of its thoroughness, validity, and compliance with current ASA (FM&C) ASOA guidance prior to
the time the ASOA is approved and submitted to ASA (FM&C) for consideration.
m. Elevate information obtained during the course of audits and other IR engagements which may
have relevance to other commands and activities across the Army through appropriate command report-
ing channels to the ASA (FM&C) proponent office for the IR Program for consideration.
n. Serve as the commander’s principal liaison official responsible for coordination with external audit
organizations such as the USAAA, the U.S. Department of Defense Office of the Inspector General (DoD
OIG) Audit, and the Government Accountability Office (GAO), by performing the following functions:
(1) Advise and assist the commander on audits, attestations, and related services conducted by
USAAA, DoD OIG Audit, GAO, and other external oversight organizations which have an impact on the
command. Under normal circumstances, IR offices will serve as the principal command adviser for audits
and attestations, while command Inspector General (IG) offices will serve as the principal command ad-
viser for IG inspections and evaluations. In certain special situations, such as when an IR office exists
within a command and an IG office does not, IR offices may additionally assume coordination roles with
other oversight organizations which are normally performed by command IG offices.
(2) Coordinate with the external audit agency, the USAAA Audit Coordination and Followup Office
(ACFO), and appropriate HQDA staff elements as necessary to assist the command with understanding
audit objectives, sites, milestones, and other information involving ongoing or proposed audits.
(3) Arrange entrance conferences, in-process review (IPR) discussions, and exit conferences for exter-
nal audits and facilitate the attendance of both officials from the external audit organization and officials
within the local command whose functions are affected by the external audit.
(4) Ensure the command provides timely, adequate, accurate, responsive, and coordinated comments
to draft audit findings and recommendations.
(5) Oversee the proper tracking, follow-up, and closeout of external audit recommendations.
o. Establish and maintain an audit recommendation tracking system and an effective follow-up system
for both internal and external audit recommendations. Within this tracking system, track, follow up on, and
facilitate closure of all internal and external audit recommendations affecting the local command.
p. Conduct follow-up engagements of external audit recommendations affecting the local command to
determine whether or not the actions taken by management were sufficient to eliminate the deficiencies
identified in the audit report which these recommendations pertain to.
q. Provide proper career development and professional training opportunities for all subordinate IR
personnel.
r. Ensure that assigned IR personnel complete sufficient professional training (or equivalent qualifying
activities) to comply with the continuing professional education (CPE) requirements prescribed by
GAGAS. Where appropriate, ensure an additional skill identifier is awarded to military auditors who are
qualified as auditors or accountants.
s. Ensure all IR auditors obtain DoD Financial Management (FM) Certification and meet the require-
ments for continuing education and training (CET) set forth in the DoD FM Certification program.
t. Ensure the IR office maintains a current standard operating procedure (SOP) document which sup-
plements the guidance found in GAGAS and this regulation.
AR 11–7 • 21 May 2025 5
u. Ensure all IR work products are appropriately classified and marked prior to distribution in accord-
ance with AR 380–5.
v. Ensure the IR office retains and safeguards reports, audit programs, working papers, and other sup-
porting documents pertaining to IR audits and other IR engagements for at least 6 years after implemen-
tation of all recommendations resulting from the engagement.
w. Establish an internal quality management program in accordance with GAGAS and this regulation
which evaluates the quality and level of service provided by the IR office and IR offices at subordinate
command echelons.
x. In accordance with GAGAS, ensure the local IR office undergoes an external peer review no less
frequently than once every 3 years.
y. Submit Army IR annual metrics reports, Army IR annual quality assessments, and other requested
information through appropriate command reporting channels to the ASA (FM&C) proponent office for the
IR Program for consideration on a periodic or ad-hoc basis, as directed.
Chapter 2
Internal Review Program Concept, Objective, and General Requirements
2–1. Internal review program concept and objective
a. The fundamental tenet of Army management philosophy is that commanders at all levels are re-
sponsible for accomplishing command missions and for maintaining effective stewardship of command
resources. Commanders are responsible for ensuring the command complies with all applicable laws, pol-
icies, procedures, and regulations; achieving program objectives; and ensuring the propriety, legality, reli-
ability, and accuracy of their actions.
b. IR is an independent and objective assurance activity within the command designed to add value
and improve command or supported activity operations through audits, attestations, and related services.
The objective of the Army IR Program is to provide commanders and their staffs with a full range of
timely, professional assurance services which support local decision makers and help to ensure effective
stewardship of resources.
c. The IR Program is a key component of the commander’s system of command and control designed
to mitigate risk and assure the effectiveness and efficiency of command operations. IR helps command-
ers accomplish their mission objectives by applying a systematic, disciplined approach toward evaluating
local organizations, programs, and business processes as part of the command's overall effort to improve
the effectiveness of risk management, control, and command oversight.
d. The IR program must be flexible to meet the immediate needs of commanders. IR offices address
these needs by assessing relevant risks within the local command and offering timely assurance services,
including audits, attestation engagements, and nonaudit services. IR leverages a combination of auditing
expertise, objectivity, local knowledge, technology, and responsiveness to the commander to assess local
programs and activities and make recommendations for improvement.
2–2. Internal review office organizational alignment and reporting relationships
a. IR offices are an integral part of the commander’s personal staff and/or special staff management
team which is functionally aligned as an independent office along with the IG and other special staff ele-
ments.
b. IR offices will be organizationally aligned as independent activities which report directly to the com-
mander, principal deputy commander, or chief of staff of their respective command, installation/garrison,
division, district, or activity. As an independent office, the IR office will not be aligned under another func-
tional directorate or staff section within the command.
c. State-level National Guard IR offices will be organizationally aligned under and report directly to the
USPFO. USPFOs are agents of the Secretaries of the Army and Air Force, through the CNGB, who are
liable and directly responsible for the management of all Federal funds and property in the possession of
the National Guard for the States, Territories, or District of Columbia for which a USPFO is assigned.
d. The commander, principal deputy commander, chief of staff, or USPFO within a given command or
state are the only officials who may serve as the rating official for an IR director or chief.
e. The IR director or chief should be aligned as both a personal and special staff officer, and he or she
should work closely with other special staff elements to achieve a complementary effort.
AR 11–7 • 21 May 2025 6
f. As a member of the commander’s personal staff, the IR director or chief will have direct access to
the commander whenever required.
g. IR offices must comply with all policies, directives, instructions, manuals, and procedures issued or
established by the ASA (FM&C) proponent office for the IR Program which do not conflict with GAGAS or
other controlling Army or DoD policy (if a conflict arises among these sources of guidance, GAGAS will
take precedence).
h. The extent to which IR resources within a particular ACOM, ASCC, or DRU are centralized within
the headquarters element of the ACOM, ASCC, and DRU may vary substantially from command to com-
mand. In cases where IR offices are decentralized and report to local commanders instead of to the IR
directors within the headquarters element of the ACOM, ASCC, DRU the IR offices fall under, the IR of-
fices should primarily perform assignments which are deemed to be of value to the local commander they
report to while still remaining responsive to directives from the IR office within their higher headquarters.
i. Subject to the restrictions described in paragraph 2–2h, IR offices must comply with all local policies,
directives, instructions, manuals, and procedures issued or established by the IR office within their higher
headquarters which do not conflict with GAGAS, this regulation, ASA (FM&C) policy directives, or other
controlling Army or DoD policy. National Guard IR offices must comply with all policies, directives, instruc-
tions, manuals, and procedures issued or established by the NGB which do not conflict with GAGAS, this
regulation, ASA (FM&C) policy directives, or other controlling Army or DoD policy.
2–3. Internal review office staffing
a. Resourcing for command IR offices should be commensurate with the size and scope of the com-
mand the IR office supports and the scope of the responsibilities which have been assigned to the IR of-
fice; resourcing should also be informed by the size of other special staff elements within the command.
Staffing should be based on senior leader priorities and be sufficient to allow the IR office to effectively
support command assurance and audit readiness requirements. National Guard IR offices should be re-
sourced and staffed at a level which is no less than the average level within the Joint Force Headquarters
for their respective States.
b. Commanders should reevaluate the resourcing for their IR offices on a periodic basis to ensure
these offices are sufficiently resourced to meet the requirements described in paragraph 2–3a. Proposed
changes to IR resources and IR office grade structure should be coordinated with the command’s ACOM,
ASCC, or DRU headquarters IR director prior to implementation.
c. The staff of each IR office will primarily consist of qualified professional personnel in the Auditor and
Supervisory Auditor job series. The following additional requirements apply:
(1) Commands are required to use standardized IR position descriptions (PDs) developed by ASA
(FM&C) for all IR Auditor and Supervisory Auditor positions within the command unless granted an excep-
tion by the ASA (FM&C) proponent office for the IR Program; IR offices must coordinate and submit any
requests for exceptions of this nature through the IR office within their command’s higher headquarters,
as applicable. National Guard IR offices are required to use standardized IR PDs developed by NGB–J1.
(2) Commands are required to establish and maintain the grade levels of IR personnel in accordance
with the standardized IR PDs developed by ASA (FM&C) unless granted an exception by the ASA
(FM&C) proponent office for the IR Program; IR offices must coordinate and submit any requests for ex-
ceptions of this nature through the IR office within their command's higher headquarters, as applicable.
National Guard IR offices are required to establish and maintain the grade levels of IR personnel in ac-
cordance with the standardized IR PDs developed by NGB–J1.
(3) The grade structure of IR offices should be informed by the grade structure of other special staff
elements within the command while also taking into consideration the specialized knowledge and experi-
ence necessary to effectively manage an audit organization.
d. IR directors and chiefs may temporarily augment the local IR staff with military or civilian specialists
to meet special technical requirements associated with individual IR engagements. Such specialists may
include industrial engineers, system analysts, management analysts, statisticians, or other personnel with
special skills the full-time IR office staff does not possess itself but requires to complete a particular en-
gagement. In exercising their discretion to augment IR staff, IR directors and chiefs will ensure compli-
ance with GAGAS provisions involving the use of specialists.
e. IR directors and chiefs may temporarily augment or supplement the local IR staff using contractors
to meet special mission requirements, including support for local financial auditability efforts. When this
occurs, the IR office will perform contract oversight as required by the cognizant contracting officer.
AR 11–7 • 21 May 2025 7
2–4. Ethical principles for internal review personnel
IR personnel are required to abide by the following ethical principles which are identified in GAGAS and
to ensure these principles guide all of the work they conduct:
a. The Public Interest.
(1) The public interest is defined as the collective well-being of the community of people and entities
that the auditors serve. Observing integrity, objectivity, and independence in discharging their profes-
sional responsibilities helps auditors serve the public interest and honor the public trust. The principle of
the public interest is fundamental to the responsibilities of auditors and critical in the government environ-
ment.
(2) A distinguishing mark of an auditor is acceptance of responsibility to serve the public interest. This
responsibility is critical when auditing in the government environment. IR offices should aid their respec-
tive commands in helping to ensure accountability for public resources, which is fundamental to serving
the public interest.
b. Integrity.
(1) Public confidence in government is maintained and strengthened by auditors performing their pro-
fessional responsibilities with integrity. The concept of integrity requires auditors to perform their work with
an attitude that is objective, fact-based, nonpartisan, and nonideological with regard to audited entities
and users of audit reports. Within the constraints of applicable confidentiality laws, regulations, and poli-
cies, IR office communications with audited entities, commanders, and the individuals requesting IR en-
gagements are expected to be honest, candid, and constructive.
(2) Making decisions consistent with the public interest of the program or activity under audit is an im-
portant part of the principle of integrity. In discharging their professional responsibilities, IR personnel may
encounter conflicting pressures from management of the audited entity, their command group, and other
stakeholders in the engagements they conduct. In some circumstances, IR personnel may also encounter
pressures to inappropriately achieve personal or organizational gain. In resolving these conflicts and
pressures, acting with integrity means that IR personnel place priority on their responsibilities to the public
interest.
c. Objectivity. Auditors’ objectivity in discharging their professional responsibilities is the basis for the
credibility of the auditing profession in the government sector. Objectivity includes independence of mind
and appearance when conducting engagements, maintaining an attitude of impartiality, having intellectual
honesty, and being free of conflicts of interest. Maintaining objectivity includes a continuing assessment
of relationships with audited entities and other stakeholders in the context of the IR office’s responsibility
to the public. The concepts of objectivity and independence are closely related, and independence impair-
ments are likely to affect auditors’ objectivity.
d. Proper use of Government information, resources, and positions.
(1) IR personnel must use government information, resources, and positions only for official purposes
and not for their own personal gain or in a manner contrary to law or detrimental to the legitimate interests
of the audited entity, the IR office, the command, and the Army as a whole. This principle includes the
proper handling of sensitive or classified information or resources.
(2) Accountability to the public for the proper use and prudent management of government resources
is an essential element of an auditor's responsibilities. The public expects for government auditors to help
protect and conserve government resources and to ensure they are used appropriately for authorized ac-
tivities.
(3) IR personnel must not misuse their positions for financial gain or other benefits and must refrain
from actions which could be perceived by an objective third party with knowledge of the relevant infor-
mation as improperly benefiting their personal financial interests or those of an immediate or close family
member, a general partner, or an entity for which the auditor is affiliated with or negotiating with for future
employment.
e. Professional behavior. IR personnel must comply with all relevant legal, regulatory, and profes-
sional obligations and avoid any conduct which could bring discredit to their work, including actions which
would cause an objective third party with knowledge of the relevant information to conclude that the work
was professionally deficient. IR personnel must put forth an honest effort in performing their duties in ac-
cordance with relevant technical and professional standards.
AR 11–7 • 21 May 2025 8
2–5. Training of internal review personnel
a. IR personnel must receive proper training to maintain the knowledge and skills required to operate
an effective IR Program as required by this regulation. IR directors and chiefs will ensure IR personnel
earn CPE/CET credit hours sufficient to comply with the following:
(1) GAGAS continuing education requirements.
(2) DoD FM certification requirements.
(3) Requirements associated with maintaining professional certifications (for example, Certified Public
Accountant (CPA), Certified Internal Auditor, and Certified Defense Financial Manager), if applicable.
b. As the functional proponent for the Comptroller civilian career program (CP 11), ASA (FM&C) will
provide professional training guidelines and opportunities to all IR personnel.
c. IR personnel are encouraged to obtain professional certifications. Expenses for obtaining profes-
sional certifications may be reimbursable by local commands. IR directors and chiefs will follow estab-
lished OPM policies in granting IR personnel excused absences to obtain professional certifications.
2–6. Local internal review policies and procedures
a. IR offices will maintain a current SOP document which supplements the guidance found in GAGAS
and this regulation.
b. IR office SOP documents will describe, at a minimum, the specific procedures personnel within the
IR office should follow when providing each type of IR service the office currently performs or expects to
perform in the future for its respective command or other supported activities.
c. IR office SOP documents will describe the specific quality monitoring procedures personnel within
the IR office should follow to ensure the IR office's functions are performed in accordance with GAGAS,
this regulation, and other pertinent DoD and DA regulations.
2–7. Liaison relationships with external oversight organizations
IR offices are responsible for serving as command audit focal point and for establishing and maintaining
liaison relationships with external audit, inspection, and investigative organizations whose missions im-
pact command operations, including the following:
a. Government Accountability Office. The GAO is a federal agency of the legislative branch of the U.S.
Government which performs audits, evaluations, and surveys of governmental organizations and func-
tions as directed by Congress.
b. Department of Defense Inspector General. The DoD OIG may initiate, conduct, and supervise au-
dits within the DoD which have been requested by the Secretary of Defense or which the IG considers
appropriate.
c. U.S. Army Audit Agency. Operating under the authority of the Army Auditor General, the USAAA is
the DA’s central audit organization. The USAAA furnishes audit services to organizations at all levels
throughout the Army.
d. U.S. Army Criminal Investigation Division. USACID conducts sensitive or special interest investiga-
tions as directed by the SECARMY or the Chief of Staff Army; provides criminal investigative support, in-
cluding forensic support, to all Army elements; and conducts and controls all Army investigations of fraud,
serious crimes, less serious crimes, and other crimes arising in Army procurement activities. USACID
works closely with both USAAA and local IR offices.
2–8. Organizational inspection program coordination requirements
a. One of the principles of inspections outlined in AR 1–201 is to ensure the coordination of all inspec-
tion and evaluation efforts so that inspections are not performed randomly but are instead performed as
part of a larger, coordinated plan which allows inspected organizations to maximize training and opera-
tional time while minimizing the amount of time spent on inspections.
b. While IR offices do not normally serve as the Organizational Inspection Program (OIP) coordinator
for their respective commands, IR offices will support the OIP by doing the following:
(1) Provide a signed copy of the IR annual or biennial plan to the local OIP coordinator once it has
been approved by the commander so the OIP coordinator can incorporate the plan's engagements into
the overall OIP and, if necessary, work with the IR office to consolidate and/or coordinate inspection ef-
forts.
(2) Inform the local OIP coordinator of additions and deletions to the IR annual or biennial plan which
occur as the plan is being executed.
AR 11–7 • 21 May 2025 9
2–9. Risk management and internal control program requirements
a. IR engagements and external audits both frequently involve an evaluation of internal controls asso-
ciated with the business processes these engagements pertain to.
b. IR offices will support the local RMIC Program by providing the command Internal Control Adminis-
trator (ICA) periodic updates on IR engagements and external audits affecting the command and related
findings involving internal controls which are in place at the command.
c. IR offices which reside within an ACOM headquarters and/or which oversee a significant number of
additional IR offices within subordinate command echelons should be designated as assessable units for
the purposes of their local command RMIC Programs.
d. All IR offices must ensure their operations and key controls are adequately described in the Risk As-
sessment and Internal Control Evaluation Plan for their local command RMIC Program and that these key
controls are tested periodically and documented in accordance with current ASA (FM&C) ASOA guid-
ance. At a minimum, each IR office must formally evaluate the following four key control areas described
in appendix B of this regulation on a periodic basis:
(1) Internal auditing, attestations, and related services.
(2) External audit liaison and audit follow-up services.
(3) Competence and CPE.
(4) Quality management and peer review.
e. Absent unusual circumstances, IR offices should not serve as the ICA for their respective com-
mands or otherwise participate in the general administration of their command RMIC Programs. Com-
mands which require their IR offices to serve as the command ICA due to the command's unique circum-
stances must submit a request for a waiver to this general prohibition to the ASA (FM&C) proponent office
for the IR Program for consideration.
2–10. Installation status report requirements
All Army IR offices are exempt from reporting into the Installation Status Report with the exception of
those offices falling under U.S. Army Installation Management Command (IMCOM).
2–11. Army internal review reporting and data call requirements
IR offices must promptly comply with reporting requirements, data call requests, and related instructions
originating from ASA (FM&C), including the following:
a. The Army IR Annual Metrics Report.
b. The Army IR Annual Quality Assessment.
c. Periodic data call requests to update the Army IR Roster.
d. Any additional data call requests and reporting requirements which are developed by ASA (FM&C)
after the time of this regulation's publication.
2–12. Document retention requirements
IR offices must retain and safeguard documentation generated through the course of their respective op-
erations in an electronic format in accordance with the following guidelines:
a. IR offices must retain all reports, planning documents, working papers, and other supporting docu-
ments pertaining to IR audits and other IR engagements for at least 6 years after implementation of all
recommendations resulting from the engagement.
b. IR offices must retain all external audit liaison and follow-up documentation for external audits, at-
testations, surveys, and other engagements performed by USAAA, DoD OIG, GAO, and other external
oversight organizations which involve their respective commands for at least 6 years after the closure of
all recommendations generated through these engagements which were addressed to the local command
the IR office falls under.
c. IR offices must retain documentation pertaining to their local quality management activities for at
least 6 years after the time this documentation is generated. Documentation of this nature may include
any of the following:
(1) Quality management risk assessments;
(2) Documentation of quality monitoring and remediation activities;
(3) Documentation supporting the IR office's periodic evaluation of its system of quality management;
and
AR 11–7 • 21 May 2025 10
(4) Any additional documentation the IR office generates to help document its system of quality man-
agement.
d. IR offices which are the subject of a peer review must retain and safeguard the peer review report
and documentation pertaining to any related corrective actions for at least 6 years after implementation of
all recommendations resulting from the peer review engagement.
e. IR offices must retain all reports involving their respective operations submitted to ASA (FM&C)
and/or to the IR office within their command's higher headquarters for at least 6 years after the time these
reports are submitted. Reports of this nature may include any of the following:
(1) The Army IR Annual Metrics Report;
(2) The Army IR Annual Quality Assessment;
(3) Any additional reports which are developed by ASA (FM&C) after the time of this regulation’s publi-
cation; and
(4) Local reports developed by the specific ACOM, ASCC, or DRU the IR office falls under.
f. In addition to complying with the requirements specified above, IR offices must also adhere to appli-
cable laws and regulations governing records retention within the Federal government, DoD, and the
Army.
Chapter 3
Internal Review Planning and Services
3–1. Internal review planning process
a. All IR offices will prepare an IR annual or biennial plan identifying audits, attestations, and nonaudit
services the IR office anticipates conducting within the upcoming one to 2 years based on command staff
input and an assessment of the risks which are most relevant to the command. The IR annual or biennial
plan should focus on the following:
(1) Responding to valid requests for services from the local commander and other senior officials
within the command.
(2) Addressing the priority needs of the commander and command staff.
(3) Performing special IR engagements directed by ASA (FM&C) (see para 1-11h).
(4) Maximizing assurance coverage of high-risk business processes and mission activities.
(5) Making effective and efficient use of IR resources.
(6) Ensuring the IR office fulfills its external audit liaison, financial auditability, and audit follow-up re-
sponsibilities, as applicable.
(7) Ensuring the IR office fulfills any applicable statutory or regulatory requirements.
b. When determining which engagements to include in the IR annual or biennial plan, IR offices should
prioritize engagements which focus on high-risk business processes and mission activities which are
likely to provide the greatest benefit to the command. The following additional specific requirements ap-
ply:
(1) All IR offices will establish and maintain a risk assessment file to use as a basis for determining
which functions and business processes exist within the command and are therefore subject to audit/ex-
amination in addition to the risk levels associated with these functions and business processes.
(2) IR offices will use the risk assessments completed by Assessable Unit Managers as part of the
command's ASOA for the command RMIC Program as the basis for IR risk assessment files (see AR 11–
2 and DA Pam 11–2 for details).
(3) While IR offices should consider the risk assessments completed as part of the command's ASOA
when developing their IR risk assessment files, they are also responsible for independently assessing the
risks associated with command programs and business processes when developing these files.
(4) In situations where SAPs are a significant component of the command's overall mission, IR direc-
tors and chiefs will ensure that SAPs are adequately considered and prioritized in the command’s IR an-
nual or biennial plan and that at least one member of the IR staff is cleared for access to the command’s
SAP.
c. IR directors and chiefs must ensure that functional directors, division chiefs, and subordinate activi-
ties within the command are given an opportunity to provide input to the command's IR annual or biennial
plan prior to the time of its approval.
d. IR directors and chiefs must ensure that the IR annual or biennial plan is approved by the com-
mander, deputy commander, or chief of staff prior to the beginning of the time period covered by the plan.
AR 11–7 • 21 May 2025 11
For National Guard IR offices, the IR director or chief must ensure the plan is approved by the USPFO
prior to the beginning of the time period covered by the plan.
e. Due to the dynamic nature of the Army operating environment, IR annual and biennial plans must be
flexible enough to allow for higher priority, unscheduled work to supersede previously scheduled engage-
ments which are determined to be less critical as the plan is being executed.
f. IR annual or biennial plans for IMCOM IR offices should consider requirements from all tenant com-
mands on supported garrisons which do not possess their own IR offices. The following additional specific
requirements apply:
(1) Tenant commands with IR authorizations should fill these positions as expeditiously as possible to
avoid placing an undue burden on IMCOM IR offices.
(2) IMCOM IR offices should coordinate each audit request it receives from a tenant command with the
tenant command’s headquarters IR office to ensure the command headquarters has visibility of the audit
and its potential impact on the command.
g. IR annual and biennial plans do not need to adhere to a particular format so long as they comply
with the requirements specified in paragraphs 3–1a through 3–1f of this regulation.
3–2. Internal review services
a. IR offices are capable of providing a broad assortment of assurance services for their respective
commands. Commanders may use IR resources in any role consistent with the concepts and policies
contained within this regulation.
b. In determining the specific types of services to provide in response to local command assurance
needs, IR directors and chiefs should evaluate, among other considerations, the desired level of assur-
ance, the amount of time and manpower required to complete the work, and how the results of the work
will be used.
c. Services provided by IR offices may include, but are not limited to, the following:
(1) Performance audits (including follow-up audits).
(2) Attestation engagements.
(3) Internal control testing engagements.
(4) Investigative services (including investigations of potential Antideficiency Act (ADA) violations).
(5) Validation of Corrective Action Plan (CAP) implementation for deficiencies involving the command's
programs and business processes.
(6) Independent evaluation of the commander’s ASOA for thoroughness, validity, and compliance with
current ASA (FM&C) ASOA guidance.
(7) Other nonaudit services which involve the evaluation of command programs and business pro-
cesses.
(8) Serving as command audit focal point, performing external audit liaison services with entities such
as USAAA, DoD OIG, and GAO, and performing audit follow-up services.
(9) Serving as command financial audit focal point for the external audit of the Army's financial state-
ments and performing liaison actions with the Independent Public Accountant (IPA) responsible for per-
forming this audit.
d. The scope of work performed by IR offices may encompass all aspects of management, internal
controls, programs, functions, transactions, records, systems, and documents. In accordance with DODI
7600.02, IR personnel will be entitled to full and unrestricted access to all personnel, facilities, records,
reports, information systems/databases (read-only), documents, and other information/materials (subject
to security clearance requirements) needed in connection with an audit, attestation, investigation, inquiry,
or other IR service. Only the local commander may restrict IR personnel's access to an area under the
commander’s control; when this happens, the IR office must do the following:
(1) Document the reason for the restriction and the impact the restriction has on the IR office’s ability to
effectively address the engagement's objectives in the engagement case file; and
(2) Report the access restriction in accordance with the reporting procedures outlined in DoDI 7600.02.
e. Both independence impairments and scope limitations can potentially impact on IR office’s ability to
form valid conclusions when evaluating a program or business process. IR engagement reports will
clearly disclose any independence impairments or scope restrictions and provide an explanation of the
impact these restrictions have on the IR office’s ability to render a valid opinion on the program or busi-
ness process they are evaluating.
AR 11–7 • 21 May 2025 12
f. Reports generated by local IR offices and all supporting documents will be considered part of the
command/management deliberative process; as such, these documents are only available for release
outside the command when authorized by the commander or when provided under a Freedom of Infor-
mation Act (FOIA) release request approved by the command Staff Judge Advocate’s office and the com-
mand’s FOIA officer, if appropriate.
3–3. Audits and attestation engagements
a. GAGAS covers the following specific types of engagements, which are frequently referred to as
“GAGAS engagements”:
(1) Financial audits. Financial audits provide independent assessments of whether entities’ reported
financial information (for example, financial condition, results, and use of resources) is presented fairly, in
all material respects, in accordance with recognized criteria. Financial audits conducted in accordance
with GAGAS include financial statement audits and other related financial audits.
(2) Attestation engagements. Attestation engagements can cover a broad range of financial or nonfi-
nancial objectives about the subject matter or assertion depending on the users’ needs. In an attestation
engagement, the subject matter or an assertion by a party other than the auditors is measured or evalu-
ated in accordance with suitable criteria. The work the auditors perform and the level of assurance asso-
ciated with the report vary based on the type of attestation engagement. The three types of attestation
engagements are as follows:
(a) Examination. An auditor obtains reasonable assurance by obtaining sufficient, appropriate evi-
dence about the measurement or evaluation of subject matter against criteria in order to be able to draw
reasonable conclusions on which to base the auditor’s opinion about whether the subject matter is in ac-
cordance with (or based on) the criteria or the assertion is fairly stated, in all material respects. The audi-
tor obtains the same level of assurance in an examination as in a financial statement audit.
(b) Review. An auditor obtains limited assurance by obtaining sufficient, appropriate review evidence
about the measurement or evaluation of subject matter against criteria in order to express a conclusion
about whether any material modification should be made to the subject matter in order for it to be in ac-
cordance with (or based on) the criteria or to the assertion in order for it to be fairly stated. Review-level
work does not include reporting on internal control or compliance with provisions of laws, regulations,
contracts, and grant agreements. The auditor obtains the same level of assurance in a review engage-
ment as in a review of financial statements.
(c) Agreed-upon procedures engagement. An auditor performs specific procedures on subject matter
or an assertion and reports the findings without providing an opinion or a conclusion on it. The specified
parties to the engagement agree upon and are responsible for the sufficiency of the procedures for their
purposes. The specified parties are the intended users to whom use of the report is limited.
(3) Performance audits. Performance audits provide objective analysis, findings, and conclusions to
assist management and those charged with governance and oversight with, among other things, improv-
ing program performance and operations, reducing costs, facilitating decision making by parties responsi-
ble for overseeing or initiating corrective action, and contributing to public accountability.
b. IR offices typically conduct performance audits on a frequent basis and attestation engagements on
a more occasional basis. Absent unusual circumstances, IR offices do not typically conduct financial au-
dits.
c. IR directors and chiefs will ensure that all audits and attestation engagements undertaken by the IR
office are conducted in accordance with GAGAS and ensure the IR office complies with the following spe-
cific GAGAS requirements:
(1) Independence.
(a) All IR engagement team members must be free both in mind and appearance from personal, exter-
nal, and organizational impairments to independence so that their opinions, conclusions, judgments, and
recommendations will be impartial and viewed as being impartial by knowledgeable third parties.
(b) IR directors and chiefs will ensure the IR office applies the GAGAS conceptual framework for inde-
pendence at the IR office, engagement team, and individual auditor levels (as applicable) to identify
threats to independence, evaluate the significance of the threats identified, both individually and in the ag-
gregate, and apply safeguards as necessary to eliminate the threats or reduce them to an acceptable
level.
(c) Prior to commencing work on any GAGAS engagement, the IR director or chief must ensure that
each member of the IR engagement team completes a written independence statement confirming
AR 11–7 • 21 May 2025 13
his/her independence or documenting any potential independence impairments. If any potential independ-
ence impairments are identified, the IR director or chief must apply any necessary safeguards to eliminate
identified threat(s) or reduce them to an acceptable level prior to commencing work on the engagement.
(2) Professional Judgment.
(a) IR directors and chiefs will ensure that IR engagement team members exercise professional judg-
ment in planning, performing, and reporting on GAGAS engagements, to include exercising reasonable
care and professional skepticism.
(b) IR directors and chiefs will ensure that IR engagement team members exercise good faith, integrity,
and objectivity when gathering evidence and evaluating its sufficiency and appropriateness for the pur-
poses of GAGAS engagements.
(3) Competence.
(a) IR directors and chiefs will ensure that IR engagement team members, before commencing work
on a GAGAS engagement, collectively possess the competence needed to address the engagement ob-
jectives and perform their work in accordance with GAGAS.
(b) IR directors and chiefs will ensure that IR engagement team members, before commencing work
on a GAGAS engagement, individually possess the competence necessary to effectively execute the
roles they have been assigned.
(4) Supervision :
(a) While GAGAS requires audit organizations to ensure proper supervision of the audit staff, it also
states that the nature and extent of the auditors’ supervision and the review of audit work may vary de-
pending on a number of factors, such as the size of the audit organization, the significance of the work,
and the experience of the auditors. In addition, GAGAS states that when an audit organization consists of
a single auditor, the requirement for an engagement team member to review work performed by other
team members may be achieved through alternative procedures.
(b) To the extent practicable, IR directors and chiefs will ensure supervisory review is performed and
documented for all work products the IR office generates while conducting GAGAS engagements, includ-
ing, but not limited to, audit programs, working papers, and audit reports.
(c) To the extent possible, IR auditors who work within an IR office which consists of a single person
must ensure all work products they generate while conducting GAGAS engagements are reviewed by an
auditor or supervisory auditor employed by the IR office within their command's higher headquarters or by
another external IR office which is not located within a command echelon subordinate to the IR office
whose work products are being reviewed.
(d) IR directors and chiefs at ACOM, ASCC, or DRU headquarters IR offices will assist IR offices within
subordinate command echelons which consist of a single auditor by managing the assignment of supervi-
sory reviews of the work products these offices produce.
(e) In circumstances where an IR office consisting of a single auditor is unable to secure third party re-
view of its work products, the IR office must implement alternative procedures to ensure these work prod-
ucts comply with GAGAS, this regulation, other pertinent DoD and DA regulations, and the IR office’s lo-
cal policies and procedures. These alternative procedures may include, but are not limited to, the comple-
tion of quality control checklists designed to ensure that work products and engagement case files as a
whole comply with and contain all of the elements required by GAGAS, this regulation, other pertinent
DoD and DA regulations, and the IR office's local policies and procedures. Alternative procedures of this
nature must be approved by the IR office within the ACOM, ASCC, or DRU headquarters the one-person
IR office implementing these procedures normally reports through, as applicable.
d. When conducting performance audits, IR auditors will—
(1) Comply with GAGAS, the Institute of Internal Auditors Global Internal Audit Standards, this regula-
tion, and other applicable DoD and Army policies and regulations (if a conflict arises among these
sources of published guidance, GAGAS will take precedence);
(2) Create a written audit program which clearly defines the audit's objective(s), scope, and methodol-
ogy, to include specific audit steps necessary to address each audit objective;
(3) Identify prior and ongoing audits, ongoing investigations, and ongoing legal proceedings pertinent
to the audit objectives and determine the impact any such audits, investigations, and legal proceedings
have on the audit which is being conducted by the IR office prior to the time that field work is initiated;
(4) Perform a written fraud risk assessment, audit risk assessment, and data reliability assessment
prior to the initiation of any additional audit field work;
(5) Form written conclusions addressing each of the stated audit objectives;
AR 11–7 • 21 May 2025 14
(6) Ensure all conclusions are predicated on a methodical evaluation of documentation and data
against objective criteria (that is, specific requirements or measures) which is documented in the working
papers which are included in the audit case file;
(7) Provide management and those charged with governance recommendations, as appropriate, to
improve the effectiveness of a program or business process, reduce costs, facilitate decision making,
and/or contribute to public accountability; and
(8) Issue a draft report containing the audit's objectives, conclusions, scope, methodology, detailed re-
sults, and recommendations to management and those charged with governance and provide these offi-
cials the opportunity to provide written responses to the draft report prior to evaluating these responses
and incorporating them into the final report which the IR office issues for the audit.
e. When conducting attestation engagements, IR auditors will comply with GAGAS, American Institute
of Certified Public Accountants’ (AICPA) Statements on Standards for Attestation Engagements (SSAE),
this regulation, and other applicable DoD and Army policies and regulations (if a conflict arises among
these sources of published guidance, GAGAS will take precedence).
f. When conducting performance audits and attestation engagements, IR auditors will ensure that the
engagement reports for these engagements are appropriately classified and marked prior to distribution in
accordance with AR 380–5.
g. When IR auditors complete a performance audit in accordance with GAGAS, they must include the
following unmodified GAGAS compliance statement in the audit report indicating that they performed the
audit in accordance with GAGAS: “We conducted this performance audit in accordance with generally ac-
cepted government auditing standards. These standards require that we plan and perform the audit to ob-
tain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based
on the audit objectives. We believe that the evidence we obtained during this audit provides a reasonable
basis for our findings and conclusions based on the audit objectives. Our office is independent per the
GAGAS requirements for internal auditors.”
h. When IR auditors complete an attestation engagement in accordance with GAGAS, they should in-
clude an unmodified GAGAS compliance statement in the engagement report indicating that they per-
formed the engagement in accordance with GAGAS.
i. When IR auditors complete an audit or attestation engagement which does not fully comply with
GAGAS, they should include a modified GAGAS compliance statement indicating one of the following:
(1) The auditors conducted the engagement in accordance with GAGAS, except for specific applicable
requirements which were not followed, or
(2) Because of the significance of the departure(s) from the requirements, the auditors were unable to
and did not conduct the engagement in accordance with GAGAS.
3–4. Nonaudit Services
a. As described in paragraph 3–3a, the specific types of engagements covered by GAGAS include fi-
nancial audits, attestation engagements, and performance audits. GAGAS generally refers to other types
of engagements and services which auditing entities may perform for their respective organizations or cli-
ents as “nonaudit services.”
b. While GAGAS does not establish standards governing the manner in which nonaudit services are
conducted, it does include several general requirements relating to nonaudit services which Federal gov-
ernment auditing entities are bound to comply with, including the following:
(1) Before agreeing to provide a nonaudit service to an audited entity, auditors should determine
whether providing such a service would create a threat to independence, either by itself or in aggregate
with other nonaudit services provided, with respect to any GAGAS engagement they conduct.
(2) Auditors providing nonaudit services to audited entities should obtain agreement from audited entity
management that audited entity management performs the following functions in connection with the non-
audit services:
(a) Assumes all management responsibilities;
(b) Oversees the services, by designating an individual, preferably within senior management, who
possesses suitable skill, knowledge, or experience;
(c) Evaluates the adequacy and results of the services provided; and
(d) Accepts responsibility for the results of the services.
AR 11–7 • 21 May 2025 15
(3) In connection with nonaudit services, auditors should establish and document their understanding
with the audited entity’s management or those charged with governance, as appropriate, regarding the
following:
(a) The objectives of the nonaudit service.
(b) The services to be provided.
(c) The audited entity’s acceptance of its responsibilities described in paragraph 3–4b(2).
(d) The auditors’ responsibilities.
(e) Any limitations on the provision of nonaudit services.
(4) Auditors should conclude that management responsibilities that the auditors perform for an audited
entity are impairments to independence. If the auditors were to assume management responsibilities for
an audited entity, the management participation threats created would be so significant that no safe-
guards could reduce them to an acceptable level.
c. Nonaudit services frequently provided by IR offices include the following:
(1) Internal control testing engagements.
(a) Internal control testing engagements involve the test of design and/or operating effectiveness of
key internal controls which have been implemented within the command.
(b) When performed as a nonaudit service instead of as part of an audit or attestation engagement,
internal control testing engagements will typically be more limited in scope and have less stringent docu-
mentation requirements than performance audits.
(c) When performing internal control testing engagements as a nonaudit service, IR auditors will en-
sure the objectives, scope, methodology, and results of the engagement, as well as any applicable rec-
ommendations for management, are documented in a written report or DA Form 11–2 (Internal Control
Evaluation Certification) and supported by sufficient supporting documentation to allow an independent
party to understand how the auditors arrived at the conclusions described in the results section of the re-
port. The written report documenting an internal control testing engagement does not need to be formal in
nature so long as it contains all of the aforementioned elements.
(2) Investigative services.
(a) Commanders may appoint an IR auditor as investigating officer (IO) for a preliminary or formal po-
tential ADA violation investigation or for another type of investigation directed under AR 15–6. All IR audi-
tors who are appointed as an IO will consult with their servicing Staff Judge Advocate prior to commenc-
ing an investigation.
(b) IR auditors who are directed to conduct an investigation will comply with all instructions included in
the appointment memorandum which the commander issues to appoint them as IO.
(c) IR auditors who are appointed as IOs for potential ADA investigations will conduct these investiga-
tions in accordance with DoD Financial Management Regulation (DoDFMR) 7000.14–R, Volume 14 and
the HQDA ADA Investigation Manual.
(d) IR auditors who are directed to conduct an investigation under the auspices of AR 15–6 will con-
duct the investigation in accordance with AR 15–6.
(3) Validations of corrective action plan implementation.
(a) Commands frequently develop and implement CAPs in response to audit findings and recommen-
dations or self-identified Material Weaknesses or Significant Deficiencies reported through the RMIC Pro-
gram.
(b) Commanders may direct IR offices to perform independent validations of CAP implementation to
ensure implementation was effective in eliminating the deficiencies the CAP was designed to address.
(c) When performed as a nonaudit service instead of as an audit or attestation engagement, CAP vali-
dation engagements will typically be more limited in scope and have less stringent documentation re-
quirements than performance audits.
(d) When performing CAP validation engagements as a nonaudit service, IR auditors will ensure the
objectives, scope, methodology, results, and conclusion of the engagement, as well as any applicable
recommendations for management, are documented in a written report and supported by sufficient sup-
porting documentation to allow an independent party to understand how the auditors arrived at the con-
clusions described in the report. The written report documenting a CAP validation engagement does not
need to be formal in nature so long as it contains all of the aforementioned elements.
(4) Evaluations of command programs and business processes.
AR 11–7 • 21 May 2025 16
(a) While IR offices frequently evaluate programs and business processes through performance audits,
they may also perform more informal evaluations of programs and business processes as a nonaudit ser-
vice.
(b) When performed as a nonaudit service, evaluations of programs and business processes will typi-
cally be more limited in scope and have less stringent documentation requirements than performance au-
dits.
(c) When performing evaluations of command programs and business processes as a nonaudit ser-
vice, IR auditors will ensure the objectives, scope, methodology, results, and conclusion of the engage-
ment, as well as any applicable recommendations for management, are documented in a written report
and supported by sufficient supporting documentation to allow an independent party to understand how
the auditors arrived at the conclusions described in the report. The written report documenting the evalua-
tion of a command program or business process does not need to be formal in nature so long as it con-
tains all of the aforementioned elements.
(5) Independent evaluation of the commander’s annual statement of assurance.
(a) Commands throughout the Army are responsible for compiling an ASOA which documents relevant
organizational risks and internal control activities which occurred within the command during the most re-
cently completed annual reporting period. Once a commander has endorsed the ASOA for his/her com-
mand, the command submits the completed command ASOA to its higher headquarters or to ASA
(FM&C), as appropriate, so it can be used to aid ASA (FM&C) in compiling the consolidated ASOA for the
Army as a whole.
(b) Except in situations where doing so would result in an impairment of an IR office’s independence,
IR offices which are aligned at the headquarters of an RO are required to evaluate the commander's
ASOA for thoroughness, validity, and compliance with current ASA (FM&C) ASOA guidance prior to the
time the ASOA is approved and submitted to ASA (FM&C) for consideration.
(c) While IR offices may perform the independent evaluation of the command ASOA as an audit or at-
testation engagement, IR offices more frequently perform this type of evaluation as a nonaudit service
due to time and resource constraints.
(d) The independent evaluation of the command ASOA should include an examination of all ASOA Ap-
pendices to ensure they comply with the format and instructions promulgated through the annual ASA
(FM&C) ASOA guidance. If practicable, the independent evaluation should also include an examination of
completed DA Form 11–2 internal control evaluation certifications and related supporting documentation
for a sample of internal control evaluations reported in the ASOA to verify that these evaluations were
performed properly.
(e) When performing the independent evaluation of the command ASOA as a nonaudit service, IR au-
ditors will ensure the objectives, scope, methodology, results, and conclusion of the engagement, as well
as any applicable recommendations for management, are documented in a written report and supported
by sufficient supporting documentation to allow an independent party to understand how the auditors ar-
rived at the conclusions described in the report. The written report documenting the independent evalua-
tion of the command ASOA does not need to be formal in nature so long as it contains all of the afore-
mentioned elements.
(6) External audit liaison and audit follow-up services.
(a) IR offices will serve as the audit focal points within their respective commands responsible for
providing assistance to USAAA, DoD OIG, GAO, and other external oversight organizations; coordinating
audit activity within the command; assisting with the command reply process; and managing the com-
mand audit follow-up program. More detailed information on audit focal point responsibilities is contained
in AR 36–2.
(b) IR offices will actively monitor and coordinate all actions relating to audits, attestations, surveys,
and other engagements performed by USAAA, DoD OIG, GAO, and other external oversight organiza-
tions which involve their respective commands.
(c) IR offices will coordinate with the external audit agency, the USAAA ACFO, and appropriate HQDA
staff elements as necessary to assist the command with understanding audit objectives, sites, milestones,
and other information involving ongoing or proposed audits.
(d) IR offices will help to arrange entrance conferences, IPR discussions, and exit conferences for ex-
ternal audits and facilitate the attendance of both officials from the external audit organization and officials
within the local command whose functions are affected by the external audit.
AR 11–7 • 21 May 2025 17
(e) IR offices will advise and assist responsible functional managers within the command in preparing
command responses to draft reports for external audits affecting the command and work to ensure the
command provides adequate, accurate, responsive, and coordinated comments on all draft audit recom-
mendations involving the command within the suspense timeframes established by the external audit or-
ganization.
(f) IR offices will aid their respective commands in establishing a command audit follow-up program to
ensure the command takes prompt and effective corrective action to implement agreed-upon recommen-
dations addressed to the command through reports issued by IR, USAAA, DoD OIG, GAO, and other
oversight organizations.
(g) IR directors and chiefs will ensure the command audit follow-up program for their respective com-
mands provides an effective method of doing each of the following:
1. Tracking the implementation status of corrective actions until completion;
2. Reporting the current implementation status of corrective actions (including resulting potential mone-
tary benefits) to higher levels of management, the USAAA ACFO, and external audit organizations;
3. Verifying that implemented corrective actions and related internal controls were effective in eliminat-
ing the deficiencies identified in the audit report they pertain to; and
4. Periodically evaluating the adequacy and effectiveness of the overall program.
(h) IR offices will maintain an audit recommendation tracking system which contains sufficient data ele-
ments to allow the IR office to provide commanders and their staffs with periodic updates on the status of
corrective actions, identify justified and unjustified extensions to agreed-upon target implementation
dates, and, when feasible, provide commanders a description of the effects that delayed corrective ac-
tions or failure to take corrective action will have on the command and the Army as a whole.
(i) IR auditors will actively coordinate with local command officials, the USAAA ACFO, and external au-
dit agencies as necessary to provide status updates on outstanding external audit recommendations and
to facilitate the timely closure of these recommendations.
(j) IR offices may perform follow-up audits or similar types of engagements to determine whether im-
plemented corrective actions and related internal controls were effective in eliminating the deficiencies
identified in the internal or external audit reports they pertain to. Follow-up audits are a type of perfor-
mance audit which must be completed in accordance with GAGAS. However, IR offices may also elect to
perform follow-up engagements as attestation engagements or as nonaudit services; when completing
follow-up engagements as attestations or nonaudit services, IR offices must ensure the engagements
comply with GAGAS requirements for attestation engagements or nonaudit services, as applicable.
(7) External financial audit liaison services.
(a) Commanders may designate their IR office as the command Financial Audit Readiness Cell or fo-
cal point responsible for coordinating all command actions involving the external IPA audit of the Army's
financial statements.
(b) IR offices which serve as the Financial Audit Readiness Cell or focal point for their respective com-
mands will actively monitor and coordinate all actions relating to the external IPA audit of the Army's fi-
nancial statements which involve their respective commands.
(c) IR offices which serve as the Financial Audit Readiness Cell or focal point for their respective com-
mands will follow all directives and instructions which ASA (FM&C) issues involving the external IPA audit
of the Army's financial statements.
d. IR offices may perform additional types of nonaudit services for their respective commands beyond
the specific services described in paragraph 3–4c, so long as these services are not prohibited by
GAGAS or this regulation and the IR office adheres to the general requirements pertaining to nonaudit
services specified in paragraph 3–4b.
3–5. Restrictions on the performance of internal review services
a. In order to help ensure the independence of the IR office, IR personnel may not serve in operational
roles outside of the IR organization. The following additional specific guidelines apply:
(1) IR personnel may serve in an advisory role for command programs by providing advice on the es-
tablishment of automated systems, participating on process action teams, participating on interview pan-
els, and/or providing advice and assistance on the command’s internal control process, so long as inde-
pendence is maintained in accordance with GAGAS.
AR 11–7 • 21 May 2025 18
(2) IR personnel may not develop or maintain financial records when participating as team members
on process action teams; this is because the IR office may be requested to validate project expenditures
and/or projected savings at a later point in time.
(3) The role of IR offices with regard to the RMIC Program will be consistent with the responsibilities
delineated elsewhere in this regulation and in AR 11–2.
(4) IR auditors must refrain from assessing specific operations for which they were previously respon-
sible as this may impair independence or objectivity in fact or appearance.
(5) If an IR director or chief determines that an impairment to an IR auditor’s independence may exist
or be inferred with regard to a particular engagement, the IR director or chief must either implement safe-
guards sufficient to effectively mitigate the independence impairment in accordance with the GAGAS
Conceptual Framework for Independence, terminate the engagement entirely, or document the independ-
ence impairment and departure from GAGAS in the report which is used to document the results of the
engagement.
b. IR offices should refrain from performing audits or attestation engagements involving programs or
business processes the IR office has previously provided consulting/advisory services for due to the po-
tential impairment providing such services may have on the IR office’s independence.
c. IR offices will not provide or supervise ongoing monitoring procedures over the command’s system
of internal control because providing this type of service creates a management participation threat to in-
dependence which is so significant that no safeguards could reduce it to an acceptable level.
d. Under normal circumstances, IR offices will not perform recurring audits of appropriated or nonap-
propriated fund functions or activities. However, if directed to do so by the local commander, IR offices
may perform recurring evaluations of these functions as a nonaudit service. IR offices may also perform
non-recurring audits of these functions as necessary.
e. IR offices will not perform recurring audits or other recurring evaluations of nonappropriated fund
instrumentalities (NAFIs). Normally, disinterested officers or IPAs (with approval by The Army Auditor
General) will perform audits or evaluations of these funds.
f. IR personnel will not perform recurring audits or other recurring evaluations of private organizations,
regardless of whether or not these organizations have a formal or informal affiliation with the U.S. Army,
the DoD, or the U.S. Federal Government. Appropriated funds are not legally available to be used for this
purpose.
g. IR offices may perform audits or other evaluations of NAFIs, unit informal funds, and appropriated
funds when warranted by special circumstances, such as when the commander believes there are indica-
tions of fraud, misappropriation of funds, or misappropriation of other assets. IR offices will conduct NAFI
audits and evaluations in accordance with AR 215–1 and for the chaplain corps, AR 165–1.
Chapter 4
Internal Review Quality Management and Peer Review
4–1. Quality management within internal review offices
a. IR directors and chiefs will design, implement, and operate a system of quality management which
provides reasonable assurance that the IR office and its personnel do the following:
(1) Fulfill their responsibilities in accordance with professional standards and applicable laws and regu-
lations.
(2) Perform and report on engagements in accordance with such standards and requirements.
b. IR directors and chiefs will ensure the IR office’s system of quality management incorporates all key
requirements specified in GAGAS, this regulation, other pertinent DoD and DA regulations, and the IR of-
fice's local policies and procedures.
c. Each IR office’s system of quality management must include the design and implementation of a
quality management risk assessment process that establishes quality objectives, identifies and assesses
quality risks, and designs and implements responses to address these quality risks.
d. Each IR office’s quality management risk assessment process must incorporate the following quality
objectives which are specified in GAGAS:
(1) Governance and leadership:
(a) The audit organization demonstrates a commitment to quality through a culture that exists through-
out the audit organization.
(b) Leadership is responsible and accountable for quality.
AR 11–7 • 21 May 2025 19
(c) Leadership demonstrates a commitment to quality through its actions and behaviors.
(d) The organizational structure and assignment of roles, responsibilities, and authority are appropriate
to enable the design, implementation, and operation of the audit organization’s system of quality manage-
ment.
(e) Resource needs are planned for, obtained, allocated, and assigned in a manner consistent with the
audit organization’s commitment to quality.
(2) Independence, legal, and ethical requirements:
(a) The audit organization and its personnel understand the independence and legal and ethical re-
quirements to which the audit organization and its engagements are subject and fulfill their responsibilities
in relation to these requirements.
(b) Service providers who are subject to the independence and legal and ethical requirements to which
the audit organization and its engagements are subject understand and fulfill their responsibilities in rela-
tion to the independence and legal and ethical requirements that apply to them.
(3) Acceptance, initiation, and continuance of engagements: The audit organization accepts, initiates,
and continues engagements only if it:
(a) Complies with professional standards, independence requirements, and applicable legal and ethi-
cal requirements;
(b) Acts within its legal mandate or authority; and
(c) Has the capabilities, including time and resources, to do so.
(4) Engagement performance:
(a) Engagement teams understand and fulfill their responsibilities in connection to engagements, in-
cluding the overall responsibility of an engagement partner or director for managing and achieving quality
on the engagement and being sufficiently and appropriately involved throughout the engagement.
(b) The nature, timing, and extent of direction and supervision of engagement teams and review of the
work performed are appropriate based on the nature and circumstances of the engagements and the re-
sources assigned or made available to the engagement team.
(c) Engagement teams exercise appropriate professional judgment, which includes exercising reason-
able care and professional skepticism.
(d) Consultation on difficult or contentious matters is undertaken and, as appropriate, documented.
Conclusions agreed to from the consultation are implemented and, as appropriate, documented.
(e) Differences of opinion within the engagement team, or between the engagement team and individu-
als performing activities within the audit organization’s system of quality management, are brought to the
attention of officials at the appropriate level of the audit organization; resolved; and, as appropriate, docu-
mented.
(f) Engagement documentation of the work performed, results obtained, and conclusions reached is
assembled on a timely basis and is appropriately maintained and retained to meet the needs of the audit
organization and comply with professional standards, independence requirements, and applicable legal
and ethical requirements.
(g) Audit procedures and audit reports are appropriate in the context of the engagement objectives.
(5) Resources:
(a) Personnel are hired, developed, and retained who have the competence and capabilities to con-
sistently perform quality engagements and carry out responsibilities related to the operation of the audit
organization’s system of quality management.
(b) Personnel develop and maintain the appropriate competence to perform their roles and are held
accountable or recognized for doing so through timely evaluation, compensation, promotion, and/or other
incentives.
(c) Auditors who are performing work in accordance with GAGAS meet the CPE requirements.
(d) The audit organization has sufficient resources to consistently perform quality engagements and
enable the operation of the audit organization’s system of quality management.
(e) Individuals assigned to engagements or to perform activities within the system of quality manage-
ment have appropriate competence and capabilities, including sufficient time, to perform their duties.
(f) Appropriate technological and intellectual resources are obtained or developed, implemented, main-
tained, and used to enable the operation of the audit organization’s system of quality management and
the performance of engagements.
(g) Human, technological, or intellectual resources from service providers are appropriate for use in the
audit organization’s system of quality management and in performing engagements.
AR 11–7 • 21 May 2025 20
(6) Information and communication:
(a) The audit organization’s information system identifies, captures, processes, and maintains relevant
and reliable information that supports the system of quality management.
(b) Relevant and reliable information is communicated to personnel and engagement teams to enable
them to understand and carry out their responsibilities within the system of quality management or en-
gagements.
(c) Personnel and engagement teams communicate relevant and reliable information to the audit or-
ganization when performing activities within the system of quality management or engagements.
(d) Relevant and reliable information is communicated to external parties.
e. Each IR office’s quality management risk assessment process should also incorporate any addi-
tional quality objectives the IR director or chief considers necessary to achieve the objective of the IR of-
fice’s system of quality management.
f. Each IR office’s quality management risk assessment process must include the identification and as-
sessment of quality risks. A quality risk is defined as a risk that has a reasonable possibility of both occur-
ring and adversely affecting the achievement of one or more of the IR office's quality objectives (either
individually or in combination with other risks).
g. Each IR office’s quality management risk assessment process must include the design and imple-
mentation of responses to address the quality risks the IR office has identified. Responses within this con-
text are defined as the policies and procedures that the IR office designs and implements to address one
or more quality risks.
h. IR offices may perform quality management risk assessments at specific periodic intervals, to re-
spond to deficiencies in the system of quality management identified through quality monitoring activities,
and/or as necessary to respond to changes in the nature and circumstances of the IR office or its engage-
ments.
i. IR offices must document each periodic or ad-hoc quality management risk assessment they conduct
in writing, either as part of the IR office’s Army IR Annual Quality Assessment or through a separate docu-
ment designed to capture information relating to the quality management risk assessment. Documenta-
tion of quality management risk assessments must include, at a minimum, the following:
(1) The IR office’s quality objectives, which are prescribed through GAGAS and specified in paragraph
4–1d of this regulation.
(2) A description of the quality risks the IR office has identified which may potentially impact the ability
of the IR office to achieve one or more of its quality objectives.
(3) A description of the responses the IR office has designed and implemented to address the quality
risks it has identified. The IR office's description of its responses must include an explanation of how
these responses address the quality risks the IR office has identified.
j. IR directors and chiefs will ensure the IR office’s system of quality management and related quality
monitoring and external peer review requirements are described in the IR office's local SOP document. In
addition, IR directors and chiefs must ensure the IR office’s local SOP document identifies the official(s)
within the IR office who are assigned overall responsibility/accountability and operational responsibility for
the IR office's system of quality management.
k. IR offices must perform, at a minimum, the following activities as part of their efforts to ensure the
quality of the engagements they conduct:
(1) Prior to issuing the final report for a GAGAS engagement, IR directors and chiefs will inspect docu-
mentation present in the engagement case file to ensure that all aspects of the engagement were con-
ducted in accordance with GAGAS, this regulation, and local policies and procedures the IR office has
established. This inspection will be conducted and documented using either the Council of the Inspectors
General on Integrity and Efficiency (CIGIE) peer review checklist applicable to the specific type of GAGAS
engagement which is being evaluated or a locally-developed checklist designed to ensure GAGAS en-
gagements are supported by sufficient documentation to demonstrate that these engagements were com-
pleted in accordance with GAGAS.
(2) Prior to releasing the final report for a performance audit, IR directors and chiefs will ensure the fol-
lowing documentation is present in the audit case file:
(a) The audit program for the engagement.
(b) The announcement memorandum for the engagement.
(c) Documentation relating to the engagement's entrance conference, including briefing charts, a writ-
ten summary of the entrance conference, or both.
AR 11–7 • 21 May 2025 21
(d) One or more working papers describing the extent to which prior or ongoing audits, ongoing investi-
gations, and ongoing legal proceedings exist and affect the objectives of the current audit.
(e) One or more working papers documenting the fraud risk assessment, audit risk assessment, and
data reliability assessment which were performed for the audit.
(f) One or more working papers and sufficient supporting documentation to effectively address each
audit objective and support the conclusions the IR office developed with respect to the audit objective.
(g) Documentation relating to each IPR which was conducted during the course of the engagement,
including briefing charts, a written summary of the IPR, or both.
(h) The draft report for the engagement.
(i) Management comments submitted in response to the draft report for the engagement.
(j) Documentation relating to the engagement's exit conference, including briefing charts, a written
summary of the exit conference, or both.
(k) The final report for the engagement.
(l) The completed CIGIE peer review checklist for performance audits or locally-developed checklist
which was used to inspect the documentation in the audit case file and ensure the engagement was con-
ducted in accordance with GAGAS.
(3) Prior to issuing the final report for an attestation engagement, IR directors and chiefs will ensure
sufficient documentation is present in the engagement case file to demonstrate full compliance with
GAGAS and to adequately support all results included in the engagement report.
(4) Prior to issuing the report for any of the following types of nonaudit services, IR directors and chiefs
will ensure sufficient documentation is present in the engagement case file to allow an independent party
to understand how the auditors arrived at the conclusions described in the report:
(a) Internal control testing engagements.
(b) Investigations.
(c) Validations of CAP implementation.
(d) Evaluations of command programs or business processes.
(e) Independent evaluation of the commander's ASOA.
4–2. Monitoring of quality within internal review offices
a. IR directors and chiefs will design and perform quality monitoring and remediation activities which
are sufficient to:
(1) Provide relevant, reliable, and timely information about the design, implementation, and operation
of the IR office's system of quality management.
(2) Ensure the IR office takes appropriate actions in response to identified deficiencies to effectively
remediate these deficiencies in a timely manner.
(3) Enable the IR office to assess its compliance with professional standards, this regulation, and local
policies and procedures the office has established to address quality risks.
b. IR directors and chiefs will ensure the following:
(1) Individuals assigned to perform quality monitoring and remediation activities are able to do so ob-
jectively; and
(2) Individuals assigned to perform quality monitoring and remediation activities have sufficient compe-
tence, authority, and time to perform the monitoring and remediation activities they have been assigned.
c. Quality monitoring activities may include the following:
(1) Assessing the appropriateness of the IR office’s local SOP document and any additional local guid-
ance or training aids the office has developed;
(2) Evaluating new developments in professional standards and applicable legal and regulatory re-
quirements and how they are reflected in the IR office's local SOP document and any additional local
guidance or training aids the office has developed;
(3) Reviewing written affirmation of compliance with the IR office's local policies and procedures involv-
ing independence;
(4) Inspecting and evaluating engagement documentation and reports for a selection of the IR office’s
engagements;
(5) Assessing the effectiveness of staff training;
(6) Evaluating decisions related to acceptance and continuance of specific engagements/services and
the IR office's relationships with audited entities;
AR 11–7 • 21 May 2025 22
(7) Assessing the extent to which the IR office's personnel understand the IR office’s quality manage-
ment policies and procedures and the implementation thereof; and
(8) Performing any of the quality monitoring activities described above for one or more IR offices at
lower command echelons who normally report through the IR office which is performing the quality moni-
toring activities.
d. IR directors and chiefs must ensure their respective IR offices generate and retain the following doc-
umentation relating to the IR office's quality monitoring activities:
(1) Evidence of the quality monitoring activities performed within the IR office;
(2) A written evaluation of any findings, deficiencies, and related underlying causes which are identified
through the IR office's quality monitoring activities;
(3) A written description of remedial actions the IR office has taken to address identified deficiencies,
including an evaluation of the design and implementation of these remedial actions; and
(4) Any internal communications pertaining to quality monitoring and remediation activities occurring
within the IR office.
e. IR directors and chiefs will ensure the official assigned responsibility and accountability for the IR
office’s system of quality management evaluates the system of quality management at least once annu-
ally and, based on this evaluation, concludes and documents one of the following:
(1) The system of quality management provides the IR office with reasonable assurance that the ob-
jective of the system of quality management is being achieved.
(2) Except for matters related to identified deficiencies that have a severe but not pervasive effect on
its design, implementation, and operation, the system of quality management provides the IR office with
reasonable assurance that the objective of the system of quality management is being achieved.
(3) The system of quality management does not provide the IR office with reasonable assurance that
the objective of the system of quality management is being achieved.
f. When evaluating and concluding on the IR office’s system of quality management, the official as-
signed responsibility and accountability for the IR office’s system of quality management should consider
the following:
(1) The IR office’s quality management risk assessment process, including its quality objectives, qual-
ity risks, and responses and the extent to which the IR office’s responses effectively address its quality
risks; and
(2) The results of the IR office's quality monitoring and remediation process.
g. IR offices must document each periodic evaluation they conduct of their respective systems of qual-
ity management in writing, either as part of the IR office's Army IR Annual Quality Assessment or through
a separate document designed to capture information relating to the IR office's evaluation of its system of
quality management. Each written periodic evaluation of an IR office's system of quality management
must include, at a minimum, the following information:
(1) An explanation of the number and type of engagements the IR office performed during the period
of review covered by the evaluation.
(2) A description of the specific quality monitoring activities the IR office completed to ensure the en-
gagements performed during the period of review were performed in accordance with GAGAS and the IR
office's local standard operating procedures.
(3) A description of the results of the IR office's quality monitoring activities, to include any deficiencies
or other issues which were identified as a result of these activities.
(4) A description of any planned or completed corrective actions which were identified as a result of the
IR office's quality monitoring activities.
(5) A description of key quality monitoring activities completed by any lower command echelon IR of-
fices who report through the IR office who is preparing the written evaluation along with a description of
the types of issues identified as a result of these quality monitoring activities.
(6) The conclusion the official assigned responsibility and accountability for the IR office’s system of
quality management reached as a result of the evaluation, as described in paragraph 4–2e.
h. IR offices must provide a copy of each written evaluation they conduct of their respective systems of
quality management to the IR office within their command’s higher headquarters for examination and, as
applicable, inclusion in the higher headquarters IR office’s evaluation of its own system of quality man-
agement. IR offices at the ACOM, ASCC, and DRU headquarters echelon level will submit a copy of each
written evaluation they conduct of their respective systems of quality management to the IR office within
the ASA (FM&C) Risk Management Directorate for consideration.
AR 11–7 • 21 May 2025 23
4–3. External peer review of internal review offices
a. Each IR office which conducts audits and attestation engagements in accordance with GAGAS must
obtain an external peer review conducted by an auditing entity outside the IR office at least once every 3
years; in addition, IR offices at the ACOM, ASCC, and DRU level may require for subordinate command
echelon IR offices who report through their office to obtain an external peer review of this nature even if
they have not recently conducted any audits or attestation engagements in accordance with GAGAS. The
peer review should be sufficient in scope to provide a reasonable basis for determining whether, for the
period under review:
(1) The IR office’s system of quality control was suitably designed; and
(2) The IR office is complying with its quality control system so that it has reasonable assurance that it
is performing and reporting in conformity with professional standards and applicable legal and regulatory
requirements in all material respects.
b. IR directors and chiefs at ACOM, ASCC, or DRU headquarters IR offices will assist IR offices within
subordinate command echelons to obtain external peer reviews as required by GAGAS and this regula-
tion.
c. The peer review of an IR office may be conducted by the IR office within the reviewed IR office's
higher headquarters or by another external IR office which is not located within a command echelon sub-
ordinate to the command the reviewed IR office works within. IR offices within higher command echelons
may refer to their peer reviews of lower command echelon IR offices as quality assurance and assistance
reviews, special assistance visits, or another locally-developed name, so long as these peer reviews meet
all of the requirements for external peer reviews specified in GAGAS and this regulation.
d. IR offices are not permitted to perform a peer review of the IR office which conducted the most re-
cent peer review of their own office.
e. Peer reviews of the entire Army IR Program conducted by DoD OIG or another auditing entity do not
satisfy the peer review requirement for individual IR offices which were not directly evaluated during the
peer review.
f. An IR office which conducts a peer review of another IR office external to its own chain of command
must enter into a written agreement with the IR office which is being reviewed prior to initiating work on
the peer review. An IR office which conducts a peer review of a subordinate echelon IR office must either
enter into a written agreement with the subordinate echelon IR office or issue a peer review announce-
ment memorandum prior to initiating work on the peer review; IR offices are permitted to use a consoli-
dated written agreement or announcement memorandum which applies to multiple subordinate echelon
IR offices, so long as the agreement or announcement memorandum contains detailed information on
each individual peer review which it is intended to pertain to.
g. When determining the scope of a peer review of an external or subordinate echelon IR office, the IR
office conducting the peer review will select engagements which represent a reasonable cross section of
all types of work the reviewed IR office has performed during the period of review which are subject to the
reviewed IR office's system of quality control and the quality monitoring requirements described in
GAGAS and this regulation. If the reviewed IR office has completed one or more GAGAS engagements
during the period of review, the peer review must include an evaluation of at least one of these engage-
ments.
h. An IR office which conducts a peer review of an external or subordinate echelon IR office will con-
duct the peer review in accordance with the most current version of the CIGIE “Guide for Conducting
Peer Reviews of Audit Organizations of Federal Offices of Inspector General" and the most current ver-
sion of the following CIGIE peer review checklists:
(1) Policies and procedures.
(2) Independence, Competence and Continuing Professional Education, and Quality Control and Peer
Review.
(3) Checklists pertinent to the specific engagement types the IR office has completed during the period
of review.
i. An IR office which conducts a peer review of an external or subordinate echelon IR office may con-
duct a “modified” peer review of the IR office as defined by the CIGIE “Guide for Conducting Peer Re-
views of Audit Organizations of Federal Offices of Inspector General” if the reviewed IR office has not per-
formed any GAGAS engagements since the last time a peer review was performed of the office.
j. An IR office which conducts a standard peer review of an external or subordinate echelon IR office
will ensure the scope of the peer review includes, at a minimum, the following elements:
AR 11–7 • 21 May 2025 24
(1) Evaluation of the reviewed IR office’s design of, and compliance with, quality control and related
policies and procedures.
(2) Consideration of the adequacy and results of the audit organization’s internal monitoring proce-
dures.
(3) Review of audit reports, audit project files, and related documentation for audits which are selected
for review.
(4) Review of attestation engagement reports, attestation engagement project files, and related docu-
mentation for attestation engagements which are selected for review (if applicable).
(5) Review of documentation relating to any terminated engagements which are selected for review (if
applicable).
(6) Review of reports and related findings and recommendations from prior peer reviews which were
performed of the IR office.
(7) Review of other documents necessary for assessing the IR office's compliance with standards,
such as documentation of independence, CPE training records, and relevant human resource manage-
ment files.
(8) Interviews with selected personnel working in various roles within the IR office (as applicable) to
assess their understanding of and compliance with relevant quality control policies and procedures.
k. An IR office which conducts a standard peer review of an external or subordinate echelon IR office
will document the results of the peer review in a report containing, at a minimum, the following:
(1) A description of the scope of the peer review, including any limitations (if applicable).
(2) A rating of "Pass," "Pass With Deficiencies," or "Fail," concluding on whether the IR office's system
of quality control was adequately designed and complied with during the period of review and whether or
not this system is sufficient to provide the office with reasonable assurance that it conformed to profes-
sional standards and applicable legal and regulatory requirements.
(3) Specification of the professional standards and applicable legal and regulatory requirements to
which the reviewed IR office is being held.
(4) A statement that the peer review was conducted in accordance with GAGAS peer review require-
ments.
(5) A detailed description of the findings, conclusions, and recommendations related to any deficien-
cies or significant deficiencies identified during the peer review.
l. An IR office which is subject to peer review and receives a peer review report with a peer review rat-
ing of "Pass With Deficiencies" or "Fail" must issue a written response which addresses the deficiencies
or significant deficiencies and related recommendations identified in the report. This written response
must describe the specific corrective actions the IR office has planned or already taken with respect to
each deficiency or significant deficiency described in the peer review report along with target implementa-
tion dates for any corrective actions which have not yet been completed.
m. An IR office which conducts a peer review of an external or subordinate echelon IR office must re-
tain and safeguard the peer review report and all related work products and documentation which were
relied upon during the peer review for at least 6 years after implementation of all recommendations result-
ing from the peer review engagement.
n. An IR office which is the subject of a peer review must retain and safeguard the peer review report
and documentation pertaining to any related corrective actions for at least 6 years after implementation of
all recommendations resulting from the peer review engagement.
AR 11–7 • 21 May 2025 25
Appendix A
References
Section I
Required Publications
Unless otherwise stated, Department of the Army publications are available on the Army Publishing Direc-
torate website at https://armypubs.army.mil/.
AICPA Statement on Standards for Attestation Engagements (SSAE) 18
Attestation Standards: Clarification and Recodification (Cited in para 3–3e.) (Available at
https://us.aicpa.org/content/dam/aicpa/research/standards/auditattest/downloadabledocuments/ssae-no-
18.pdf.)
AR 11–2
Risk Management and Internal Control Program (Cited in title page.)
AR 36–2
Audit Services in the Department of the Army (Cited in para 1–7.)
CIGIE Guide for Conducting Peer Reviews of Audit Organizations of Federal Offices of Inspector
General (Cited in para 4–3h.) (Available at https://www.ignet.gov/sites/default/files/files/2020cigieaudit-
peerreviewguidemarch2020v2.)
GAO–24–106786
Government Auditing Standards (GAGAS) (Cited in para 1–6b(2).) (Available at https://www.gao.gov/as-
sets/d24106786.pdf.)
Section II
Prescribed Forms
This section contains no entries.
AR 11–7 • 21 May 2025 26
Appendix B
Internal Control Evaluation
B–1. Function
The function covered by this evaluation is the Army IR Program.
B–2. Purpose
The purpose of this evaluation is to assist IR directors/chiefs and other IR personnel in evaluating the key
internal controls outlined below. It is not intended to cover all controls.
B–3. Instructions
a. IR offices must formally evaluate the following key control areas on a periodic basis according to the
timeframes specified in AR 11–2 and the IR offices’ local RA/ICEPs:
(1) Internal auditing, attestations, and related services.
(2) External audit liaison and audit follow-up services.
(3) Competence and CPE.
(4) Quality management and peer review.
b. IR directors and chiefs must certify that evaluations of key controls have been conducted using DA
Form 11–2 (Internal Control Evaluation Certification).
c. The evaluation test questions outlined in paragraph B–4 are grouped according to the key control
areas listed in paragraph B–3a and are intended as a starting point which may be supplemented with ad-
ditional test questions developed locally within each individual IR office.
d. Answers to the evaluation test questions must be based on the actual testing of key internal controls
(for example, inquiry, observation, examination/inspection, or reperformance). Answers that indicate defi-
ciencies must be explained and addressed with proposed corrective actions designed to correct the iden-
tified deficiencies.
B–4. Test questions
a. Internal auditing, attestations, and related services:
(1) Is the local IR office organizationally aligned as an independent activity which reports directly to the
commander, principal deputy commander, or Chief of Staff of its respective command, installation/garri-
son, division, district, or activity?
(2) Has the local IR office established and maintained a risk assessment file to use as a basis for de-
termining which functions and business processes exist within the command and are therefore subject to
audit/examination in addition to the risk levels associated with these functions and business processes?
(3) Has the local IR office prepared an IR annual or biennial plan identifying audits, attestations, and
nonaudit services the IR office anticipates conducting within the upcoming year based on command staff
input and an assessment of the risks which are most relevant to the command?
(4) Does the IR office maintain a current SOP document which supplements the guidance found in
GAGAS and this regulation?
(5) Does the IR office retain and safeguard reports, planning documents, working papers, and other
supporting documents pertaining to IR audits and other IR engagements for at least 6 years after imple-
mentation of all recommendations resulting from the engagement?
(6) Does the IR office retain and safeguard all reports involving the IR office’s operations it has submit-
ted to ASA (FM&C) and/or to the IR office within its command's higher headquarters for at least 6 years
after the time these reports were submitted?
b. External audit liaison and audit follow-up services:
(1) Has the local IR office established and maintained an audit recommendation tracking system and
an effective follow-up system for both internal and external audit recommendations?
(2) Does the IR office retain and safeguard all external audit liaison and follow-up documentation for
external audits, attestations, surveys, and other engagements performed by USAAA, DoD OIG, GAO,
and other external oversight organizations which involve their respective command for at least 6 years
after the closure of all recommendations generated through these engagements which were addressed to
the command?
c. Competence and CPE:
AR 11–7 • 21 May 2025 27
(1) Have all IR personnel completed, every 2 years, at least 80 hours of CPE that directly enhances
the individual's professional proficiency? Are at least 24 of the 80 hours of CPE directly related to the indi-
vidual's assigned duties? Are at least 20 of the 80 hours completed in any 1 year of the 2-year period?
(2) Have all IR personnel obtained DoD FM certification and met the requirements for CET set forth in
the DoD FM Certification program?
d. Quality management and peer review:
(1) Has the IR office designed and implemented a system of quality management designed to provide
reasonable assurance that the IR office and its personnel fulfill their responsibilities and perform and re-
port on engagements in accordance with professional standards and applicable laws and regulations?
(2) Has the official assigned responsibility and accountability for the IR office's system of quality man-
agement evaluated the system of quality management at least once within the past year in accordance
with paragraph 4–2e of this regulation?
(3) Does the IR office retain and safeguard documentation pertaining to their local quality management
activities for at least six years after the time this documentation is generated?
(4) Has the IR office undergone an external peer review within the past 3 years?
(5) Does the IR office retain and safeguard the peer review report and documentation pertaining to any
related corrective actions for each external peer review engagement the IR office has been the subject of
for at least 6 years after implementation of all recommendations resulting from the peer review engage-
ment?
B–5. Supersession
This evaluation replaces the evaluation previously published in AR 11–7, dated 29 March 2017.
B–6. Comments
Help make this a better tool for evaluating internal controls. Submit comments to the Assistant Secretary
of the Army (Financial Management and Comptroller (SAFM–FOI)), 109 Army Pentagon, Washington, DC
20310–0109.
AR 11–7 • 21 May 2025 28
Glossary of Terms
This section contains no entries.
UNCLASSIFIED PIN 000279–000