|
|
|
|
|
|
|
|
|
Audit and Governance Committee
|
8 November 2023 |
|
Report of the Director of Governance |
|
Publication of Internal Audit Reports
Summary
1. To provide the Committee with a greater understanding of the reasons for exempting Internal Audit (“IA”) reports from publication.
Background
2. This report was requested by the Audit and Governance (“A&G”) Committee in order that they could better understand the reasons for exempting internal audit reports from publication.
3. It has always been, and will continue to be, the case the members of A&G have received copies of all completed IA reports for their consideration, sent under cover of confidential e-mail; this practice will not change. However, in recent years it has become common practice in York for IA reports to be published in full as part of the meeting agenda and papers.
4. Members have previously heard that this practice is not universal across Councils. For the purposes of the preparation of this report, contact has been made with the following Councils, and their approach included in Annex 1 to this report:
a. Northumberland County Council;
b. Newcastle City Council;
c. North Tyneside Council;
d. Gateshead Council;
e. South Tyneside Council;
f. Sunderland Council;
g. Durham County Council;
h. Darlington Borough Council;
i. Stockton Borough Council;
j. Middlesbrough Borough Council;
k. Hartlepool Borough Council;
l. Redcar and Cleveland Borough Council;
m. North Yorkshire Council;
n. West Yorkshire Combined Authority;
o. Leeds City Council;
p. Bradford City Council;
q. Wakefield Borough Council;
r. Kirklees Borough Council; and
s. Calderdale Borough Council.
Purpose of Internal Audit
5. In order to appreciate the rationale for exempting IA reports from publication and general dissemination, it is perhaps helpful to understand the purpose of the Council’s IA service.
6. The Chartered Institute of Internal Auditors notes that “The role of internal audit is to provide independent assurance that an organisation's risk management, governance and internal control processes are operating effectively.” It goes on to state that the objectives of IA are to “evaluate and improve the effectiveness of governance, risk management and control processes. This provides members of the boards and senior management with assurance that helps them fulfil their duties to the organisation and its stakeholders.”
7. CIPFA defines the IA function as “… an independent appraisal function established by the management of an organisation for the review of the internal control system as a service to the organisation. It objectively examines, evaluates and reports on the adequacy of internal control as a contribution to the proper, economic, efficient and effective use of resources”.
8. It is therefore clear that the role of IA is to provide advice and guidance to the senior management and the Committee on the effectiveness of internal procedures, and to recommend any potential improvements to those procedures. Crucial to such advice and guidance is the identification and highlighting of any weaknesses.
Exempting Information
9. The provisions relating to the exempting of information are found in section 100I, and Schedule 12A, of the Local Government Act 1972. Section 100I(1) provides:
“In relation to principal councils in England, the descriptions of information which are, for the purposes of this Part, exempt information are those for the time being specified in Part I of Schedule 12A to this Act, but subject to any qualifications contained in Part II of that Schedule; and Part III has effect for the interpretation of Parts 1 to 3 of that Schedule.”
10. The exemptions contained in Part I of Schedule 12A are:
1. Information relating to any individual.
2. Information which is likely to reveal the identity of an individual.
3. Information relating to the financial or business affairs of any particular person (including the authority holding that information).
4. Information relating to any consultations or negotiations, or contemplated consultations or negotiations, in connection with any labour relations matter arising between the authority or a Minister of the Crown and employees of, or office holders under, the authority.
5. Information in respect of which a claim to legal professional privilege could be maintained in legal proceedings.
6. Information which reveals that the authority proposes—
(a) To give under any enactment a notice under or by virtue of which requirements are imposed on a person, or;
(b) To make an order or direction under any enactment.
7. Information relating to any action taken or to be taken in connection with the prevention, investigation or prosecution of crime.
11. Members will note that, in respect of all IA reports, exemption 3 applies. In addition, depending on the nature of the Internal Audit report, exemptions 1, 2, 5, and 7 may also be engaged.
12. The principal qualification under Part 2 of Schedule 12A is found under paragraph 10, which provides:
“Information which—
(a) falls within any of paragraphs 1 to 7 above; and
(b) is not prevented from being exempt by virtue of paragraph 8 or 9 above,
is exempt information if and so long, as in all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information.” (Paragraphs 8 and 9 are not relevant to Internal Audit reports).
13. This is referred to as the ‘public interest test’ and forms the basis of the resolution which the Committee must pass before excluding the press and public from any meeting.
14. It is important, when considering the public interest test, that the appropriate basis for the decision is used. As noted by the Information Commissioner’s Office in relation to the public interest test under the Freedom of Information Act 2000:
“The public interest here means the public good, it is not:
· What is of interest to the public; or
· The private interests of the requester (unless those private interests reflect what is the general public good, eg holding public authorities to account).”
This was perhaps best summed up by Lord Wilberforce in British Steel Corp v Granada Television Ltd [1981] AC 1096 at 1168: “There is a wide difference between what is interesting to the public and what it is in the public interest to make known”. Thus, “public interest” relates to a broader concept than ‘is a member, or are members, of the public interested in this information’; rather, the question is “is the publication of the information in the public good”.
Difficulties with Disclosure
15. Members will understand, from the context and information above, that part of the role of IA is to highlight failings in practice and procedure, and to propose solutions to those failings in order to remedy the identified issues.
16. Members will be acutely aware that reports highlighting security issues (whether they be physical or digital) are extremely sensitive, and the ventilating of such issues in the public domain is likely to increase the risk of such issues being exploited rather than serve to protect the council from such exploitation.
17. Equally, even where such failings are not present, the effectiveness of IA reports relies on the openness and candour of the officers with whom they interact; unfortunately, it is the case that human nature dictates that some officers, knowing that the subject of an IA report will be published, can be reluctant to engage fully with IA, or to agree to the contents of, and recommendations in, a report.
18. It is crucial to bear in mind that IA reports are not generally commissioned to be either disciplinary or investigatory reports; rather, they are meant to be supportive to the organisation and forward looking. In other words, helping the organisation to evaluate risks and make improvements to the control environment. They are not intended to be critical of individuals, but inevitably there is a human sensitivity around actual or perceived public criticism.
19. In order to ensure that the best possible outcome for the Council, there is an acknowledged need for corporate ‘thinking space’, as noted by the Information Commissioner’s Office in its guidance on the application of Regulation 12(4)(e) of the Environmental Information Regulations 2004 (Internal Communications), which provides:
“The EIR do not provide a definition of what constitutes an internal communication. Neither does the European Directive 2003/4/EC on public access to environmental information, from which the EIR are derived. This guidance explains how case law has helped to establish what type of information is covered by the exception.
The underlying rationale behind the exception is that public authorities should have the necessary space to think in private. The original European Commission proposal for the Directive COM(2000)0402 explained the rationale as follows:
“It should also be acknowledged that public authorities should have the necessary space to think in private. To this end, public authorities will be entitled to refuse access if the request concerns … internal communications.”
However, the exception is drafted to cover all internal communications, not just those actually reflecting internal thinking.
The exception has no direct equivalent in the Freedom of Information Act 2000 (FOIA). Arguments about protecting a private thinking space will be similar to those made under section 35 of FOIA: formulation of government policy, and section 36 of FOIA: prejudice to effective conduct of government affairs.”
20. Similarly, there is a need for the Committee to have ‘space’ to consider IA reports, and to monitor improvements which are being made, without fear that those improvements are less than might have been achieved had the report not been published.
Common Practice
21. As noted above, as part of the preparation of this report, a number of other local authorities were contacted to seek information on practice in this area. The Monitoring Officers for the 19 authorities mentioned above were all asked whether their authority:
· Published their internal audit reports in full;
· Published their internal audit reports but redact them;
· Published their internal audit reports as exempt items, following the exclusion of the press and public;
· Didn’t publish their internal audit reports and instead summarised them in a covering report; or
· Did something else entirely.
22. None of those authorities who responded indicated that they published their IA reports in full, or that they published redacted versions of their IA reports. This consensus accords with the experience of both the Monitoring Officer at his previous authorities, and with the IA service and their experience with their current and previous authorities.
23. Practice varied across authorities, with some producing a summary report covering the assurance levels from completed audits, and some not even sharing their IA reports with Members. There is no single route for the Committee to consider IA reports, although it is clear that the publication of such reports is not an accepted practice elsewhere. It is, therefore, suggested that the Council’s ‘default’ position should be to cease the publication of IA reports.
Implications
Financial – None directly arising from this report.
Human Resources (HR) – None directly arising from this report.
Equalities – None directly arising from this report.
Legal – None directly arising from this report.
Crime and Disorder, Information Technology and Property – None directly arising from this report.
Recommendations
24. It is recommended that Members:
a) Note the contents of the report; and
b) Agree that, rather than publishing IA reports, the Council’s IA provider includes details in its report of assurance levels for completed reports.
Reasons for the Recommendation
25. To assist the Monitoring Officer in his consideration of the review of the Constitution, and to provide guidance to the Assistant Director of Policy and Strategy in relation to the cultural change programme recommended by the LGA.
Options
26. Members may choose to support the recommendation to change how IA assurance levels are presented to the Committee, or may propose an alternative option.
|
Author and Chief Officer responsible for the report:
|
Bryn Roberts, Director of Governance and Monitoring Officer
|
|||||
|
|
Report Approved |
X |
Date |
17 October 2023 |
||
|
|
|
|
|
|||
|
|
||||||
|
Wards Affected: List wards or tick box to indicate all |
All |
X |
||||
|
For further information please contact the author of the report |
||||||
Background Papers:
· None
Annexes:
· None