Internal affairs, by Sumita Shah

17 Mar 05
The Freedom of Information Act brings greater transparency about public sector spending and decision-making. But there are some grey areas, such as internal audit and fraud investigations, where disclosure would be inappropriate, argues Sumita Shah

18 March 2005

The era of freedom of information is now upon us, and we all have the ability to access data held by public bodies throughout the UK. Already there have been requests ranging from the fallout from 'Black Wednesday' to Tony Blair's dinner guests at Chequers and the case for war in Iraq.

So, how is it working out in practice? The government introduced this legislation in 2000, but did it really think through all the consequences fully before putting the provisions into place? There are questions as to whether public bodies have understood the implications and whether they have the necessary infrastructure to deal with these requests. In addition, will the Act support transparency or just create more red tape for public bodies, with additional costs if they are to comply with requests within the very tight timescale of 20 working days?

Most would agree with and support the need for transparency and the wider public benefits that the Freedom of Information Act brings about. We should be able to see how key decisions are made in relation to how our money is spent. But there are potential areas where the provisions might jeopardise the integrity and quality of the service being provided and the processes being followed.

Let's take, for example, a local authority with an in-house internal audit function. This provides a crucial service to the authority in carrying out risk assessments, investigations and reviews of key areas within the authority. At all stages of the audit cycle, internal auditors will document their work, including details of the areas that are being reviewed, internal controls and control weaknesses, audit processes, methodology, initial judgements (which could include their gut feelings) and their draft and final reports.

Should all these documents be open to the public? Or, if such information were available more widely, could it not seriously undermine the authority's key systems and subject them to potential abuse, infiltration and/or sabotage?

This raises the question of whether the government has gone too far in seeking to make information available more generally. The Act even requires public bodies to disclose information they hold but did not generate. This includes information that might have been provided to them in confidence without any contemplation of future possible disclosure.

Further, the Act allows retrospective application. Therefore, a request can be made for information dating back over a number of years. If the public body still has the information in its possession, it is required to make this available. Have public bodies considered aspects of information that have been provided in confidence or that might be considered commercially sensitive? Section 41 of the Act provides an exemption for the former. However, it then goes on to suggest that: 'The common law of confidence itself provides that in certain circumstances a duty of confidence does not arise having regard to the public interest.'

Of course, there are exemptions available and the Act distinguishes between two types – absolute and qualified. Absolute exemptions apply as of right, and include situations where information is subject to national security or parliamentary privilege, where it is already available via another route (such as the publication scheme) or where another statute prohibits the disclosure of the information (such as the Data Protection Act).

Qualified exemptions include, among others, investigations and law enforcement (sections 30 & 31), audit functions (section 33) and the effective conduct of public affairs (section 36). But these do not necessarily apply to the internal audit provision. Determining whether an exemption applies or not involves using a 'public interest' test before information can be legitimately withheld.

Then the holders of information need to consider whether they wish to take advantage of an exemption and then, in all the circumstances of the case, whether the public interest in withholding the information outweighs the public interest in disclosing it. To further add to the complications, the exemptions apply to information, not documents, so time must be spent filtering out the truly exempt information.

To be able to assess a request and determine whether or not it complies with the Act, the public authority is going to have to operate a robust information-handling system, clearly recording all the information that it holds and ensuring that it is maintained and kept up to date. To comply with requests within 20 working days, public bodies will need to have a system to log and track each request. As each request is dealt with, an audit trail will need to be maintained which records the outcome of the decision and the reasons for disclosure or non-disclosure.

And who is going to make these judgements about which information can be disclosed and which falls under an exemption category? Each public body should have designated key people to deal with these requests. They will need to be fully trained in all provisions of the Act, the available exemptions and how they apply, the public interest and prejudice tests, the complaints and the appeals process.

The information commissioner has powers to investigate complaints where information is not being disclosed and to assess compliance as part of any investigation. He has made it clear that: 'Public bodies have had nearly four years to prepare for FoI and they must be able to hit the ground running when it comes into force. Ignorance or lack of preparation time are not excuses that we will be able to accept.'

But what guidance has been made available to public bodies in interpreting this Act and helping them to prepare? Inevitably, until requests start to come in, even the information commissioner's own guidance to his assessors lacks complete information about the various functions of the different types of public bodies in existence. This means those bodies will have to spend considerable time explaining the merits of each decision. This will be a learning process for the commissioner's staff as well as public organisations.

And it could get worse. In the future, other bodies could be designated. For example, as external auditors, only the National Audit Office and the Audit Commission have been designated as public bodies. But, in the future, firms acting as external auditors of public authorities could be included.

As well as providing an opinion on the financial statements, auditors of public authorities perform a stewardship role, which is fundamental in ensuring the proper use of public funds and for achieving value for money. They therefore provide an extremely valuable public interest function, which needs to be considered when assessing the impact of the Act on them and the scope of the audit exemption in section 33 of the Act.

There are a number of key areas inherent in the performance of an audit where it would be inappropriate for auditors to disclose information as it could undermine the integrity and quality of the audit process. For example, explaining the techniques used to select samples might allow the audited body to circumvent the audit process next year, or might reveal weaknesses in systems that could aid a fraudulent benefit claimant. Care will be needed in applying the various exemptions.

There's even talk about the possible designation of bodies involved in regulating accountants practising in the three main regulated areas – audit, insolvency and investment business. There are valid reasons why these bodies should have transparent overall procedures and processes for regulation of accountants. But how would information in relation to detailed investigations be of wider public interest and benefit? It might be useful information for complainants with axes to grind, but disclosing such sensitive and confidential information would seek only to undermine the integrity and quality of the very processes that the government has sought to put into place through these bodies in the first place.

The question then is whether the Act really supports transparency or is going to create even more bureaucracy and paperwork within public bodies. And who will bear the cost for all this additional administration? Presumably, it will be the taxpayer ultimately. More needs to be done to make sure that the Act is made to work properly in areas that it was intended to and to avoid the 'creep' of going too far where there are good and valid reasons not to.

Sumita Shah is a CIPFA member who is technical manager (public sector) at the Audit and Assurance Faculty of the Institute of Chartered Accountants in England and Wales. She leads the ICAEW's working group, which includes representation from CIPFA, the Audit Commission, the National Audit Office and external audit suppliers, set up to develop guidance for auditors on the Freedom of Information Act. However, the views expressed in this article are her own.