Appendix G to Part 518 - Internal Control Review Checklist

Task: Army Information Management.

Subtask: Records Management.

This Checklist: Freedom of Information Act Program.

Organization:

Action Officer:

Reviewer:

Date Completed:

Assessable Unit: The specific managers responsible for using this checklist (e.g., at applicable FOA, MACOM, SIO, and TOE division headquarters) will be designated by the cognizant headquarters’ staff functional principal. The responsible principal and mandatory schedule for using the checklist will be shown in the annual updated Management Control Plan

Event Cycle 1: Establish and Implement a Freedom of Information Act Program.

Risk: If the prescribed policies, procedures, and responsibilities of the Freedom of Information Act Program are not followed the public would not have the ability to obtain access to and release of Army records.

Control Objective: To ensure that prescribed policies, procedures, and responsibilities contained in 5 U.S.C. 552 are followed to allow access and release of Army records to the public.

Control Technique: The document used to accomplish the control objective is AR 25-55, The Department of the Army Freedom of Information Act Program.

1. Ensure that a Freedom of Information Act Program is established and implemented.

2. Appoint an individual with Freedom of Information Act responsibilities and ensure designation of appropriate staff to assist him/her.

3. Appoint an individual with Operations Security (OPSEC) responsibilities, if required.

1. Is a Freedom of Information Act Program established and implemented in your organization?

2. Is an individual appointed Freedom of Information Act Responsibilities?

3. Is an individual appointed OPSEC responsibilities, if required?

4. Is DA Form 4948-R, Freedom of Information Act (FOIA)/Operations

5. Does DA Form 4948-R contain the current name and office telephone number of the FOIA/OPSEC advisor?

6. Are provisions of AR 25-55 concerning the protection of OPSEC sensitive information regularly brought to the attention of managers responsible for responding to FOIA requests and those responsible for control of Army records?

7. Are rules governing “For Official Use Only” information understood and properly applied by functional proponents?

8. Are names and duty addresses of Army personnel (civilian and military) assigned to units that are sensitive, routinely deplorable, or stationed in foreign territories being denied or forwarded to the proper initial denial authority (IDA) for denial?

9. Is the format contained in AR 25-55, used when preparing the annual FOIA report?

10. Is the worksheet contained in AR 25-55 used when preparing the annual FOIA report?

11. Is the input for the annual FOIA report forwarded to the Army Freedom of Information and Privacy Act Division, Information Systems Command by the second week of each January?

Cycle 2: Processing FOIA Requests.

Risk: Failure to process FOIA requests correctly and release non-exempt Army records to the public could subject the Department of the Army or individuals to litigation.

Control Objective: FOIA requests are processed correctly.

1. Ensure FOIA requests are logged into a formal control system.

2. Ensure FOIA requests are answered promptly and correctly.

3. Ensure Army records are withheld only when fall under the purview of one or more of the nine FOIA exemptions.

4. Ensure FOIA requests are denied by properly delegated/designated IDAs.

5. Ensure all appeals are forwarded to the Office of the Army General Counsel.

1. Are FOIA requests logged into a formal control system?

2. Are all FOIA requests date and time stamped upon receipt?

3. Is the 10 working day time limit met when replying to FOIA requests?

4. When more than 10 working days are required to respond, is the FOIA requester informed, explaining the circumstances requiring the delay and provided an approximate date for completion?

5. Are Army records withheld only when they fall under one or more of the nine FOIA exemptions?

6. Is the FOIA requester informed when a FOIA request is referred to another Army activity or organization?

7. Do denial letters contain the name and title or position of the official who made the denial determination; explain the basis for the denial determination; cite the exemptions on which the denial is based; and advise the FOIA requester of his or her right to appeal the denial within 60 days to the Secretary of the Army (Office of the Army General Counsel)?

8. Is the FOIA requester informed of the appellate procedures when an IDA denies a record in whole or in part?

9. Is the Chief of Legislative Liaison notified of all releases of information to members of Congress or staffs of congressional committees?

10. Are FOIA requests denied only by properly delegated/designated IDAs?

11. Is the servicing Judge Advocate consulted prior to forwarding a FOIA request to an IDA for action?

12. Are the following items included when forwarding a FOIA request to an IDA for a determination of releasability?

a. A copy of the legal review provided by the local legal advisor?

b. The original copy of the FOIA request?

c. Copies of the requested information indicating portions recommended for withholding?

d. A copy of the acknowledgement of receipt to the requester?

e. A telephone point of contact?

f. The recommended FOIA exemption?

g. Any recommendation to deny a request in whole or in part?

13. Are all FOIA appeals forward to the Office of the General Counsel for a decision with a copy of denied and released records?

14. Is a copy of the FOIA denial letter included when forwarding appeals to the Office of the General Counsel?

15. Is DD Form 2086-R, Record of Freedom of Information (FOI) Processing Cost, used to record costs associated with the processing of a FOIA request?

16. Is DD Form 2086-1-R, Record of Freedom of Information (FOI) Processing Cost for Technical Data, used to record costs associated with the processing of a FOIA request for technical data?

17. Is the FOIA requester notified when charges will exceed $250.00?

18. Are fees collected at the time the requester is provided the records?

19. Are commercial requesters charged for all search, review, and duplication costs?

20. Are educational institutions, noncommercial scientific institutions, or news media charged for duplication only, in excess of 100 pages, if more than 100 pages of records are requested?

21. Are the first 2 hours of search time, and the first 100 pages of duplication provided without charge to all “other” category requesters?

22. Are FOIA fees collected and delivered to the servicing finance and accounting office within 30 calendar days after receipt?

23. Are FOIA fees collected for technical data retained by the organization providing the technical data?

Event Cycle 3: Records Management.

Risk: Valuable records needed for court actions are destroyed or cannot be located.

Control Objective: Records containing “For Official Use Only” information are correctly marked and FOIA requests are properly maintained throughout their life cycle.

Control Technique: Ensure the prescribed policies and procedures are followed during the life cycle of information.

1. Are unclassified documents containing “For Official Use Only” information marked “FOR OFFICIAL USE ONLY” in bold letters at least 3/16 of an inch high at the bottom of the outside of the front cover (if any), on the first page, and on the outside of the back cover (if any)?

2. Are individual pages containing both “For Official Use Only” and classified information marked at the top and bottom with the highest security classification of information appearing on the page?

3. Are photographs, films, tapes, slides, and microform containing “For Official Use Only” information so marked “For Official Use Only” to ensure recipient or viewer is aware of the information therein?

4. Is “For Official Use Only” material transmitted outside the Department of the Army properly marked “This document contains information EXEMPT FROM MANDATORY DISCLOSURE under the FOIA. Exemption * * * applies”?

5. Are permanently bound volumes of “For Official Use Only” information so marked on the outside of the front and back covers, title page, and first and last page?

6. Is DA Label 87 (For Official Use Only Cover Sheet) affixed to “For Official Use Only” documents when removed from a file cabinet?

7. Do electrically transmitted messages contain the abbreviation “FOUO” before the beginning of the text?

8. Are “For Official Use Only” records stored properly during nonduty hours?

9. Are FOIA records maintained and disposed of in accordance with AR 25-400-2, The Modern Army Recordkeeping System (MARKS)?

1. Explain rationale for YES responses or provide cross-reference where rationale can be found. For NO responses, cross-reference to where corrective action plans can be found. If response is NA, explain rationale.

I have reviewed this subtask within my organization and have supplemented the prescribed internal control review checklist when warranted by unique environmental circumstances. The controls prescribed in this checklist, as amended, are in place and operational for my organization (except for the weaknesses described in the attached plan, which includes schedules for correcting the weaknesses).