Friday, September 23, 2011

FOI access to internal audit reports

Linton Besser in the Sydney Morning Herald has written in the last week about internal audit reports obtained from the Department of Agriculture Fisheries and Forests, the Department of Infrastructure and Transport and the Department of Broadband, Communications and the Digital Economy, all released in full or in part in response to freedom of information applications. There may be more to come:
"A Fairfax Media investigation has obtained access to hundreds of pages of internal government audit reports that have exposed systemic weaknesses in the financial controls exercised by Commonwealth agencies. Such flaws are widely recognised as corruption risks for governments, but there is no agency specifically charged with investigating graft in Australia's largest civil service."
Besser reports today on the Government announcement that $700,000 is to be spent on a "National Anti-Corruption Plan." A parliamentary integrity commissioner by September 2011 was part of the Government-Greens deal a year ago but is yet to transpire.

The release of internal audit reports raises some interesting FOI issues. The reforms of last year have narrowed the scope for what amounted to broad class exemption claims for these types of documents. As to what makes news once information of this kind is released, good reports unfortunately don't cut it. And a snapshot in time of the situation in an agency two or three years ago won't necessarily convey the full or current picture.

Besser's access to internal audit reports is probably behind the call by the Institute of Internal Auditors (IIA) for a specific conditional FOI exemption for internal audit reports. The IIA claims the threat of disclosure of audit findings could compromise audits of governance and risk management. Stephanie Koehn of the Institute said:
"... we are concerned the release of internal audit reports would seriously undermine public sector governance and the long term integrity of public administration." She said in order to report effectively and accurately, internal auditors relied on the candour of Departmental staff. She said the IIA was concerned that if information identifying a Department's specific risks and weaknesses was released early then the Department's staff may be less forthright with the auditors.
Internal audit is about evaluation and improvement in efficiency and effectiveness of business processes. Some reports will contain what could be regarded as sensitive information, for example the existence of system weaknesses that haven't been addressed but could be exploited if widely known, gaps in security systems etc. Reports are always likely to identify some shortcomings or areas for improvement. The sensitivity of a report will depend on content, the effect of disclosure and context, such as the lapse of time since completion. As Besser has highlighted, audit reports also address issues concerning standards of public administration and use of public money, matters where the public interest in transparency and accountability is strong.

A special FOI exemption for internal audit reports would not seem justified. If FOI disclosure and the impact on candour is the problem, agencies need to do more to reinforce the need and purpose for honest, complete and accurate responses to questions raised by auditors. Do reports usually name names in any event?

As to the current law, in addition to a raft of absolute exemptions, some of which (for example, law enforcement and public safety) may apply in particular circumstances, the FOI Act includes a number of conditional exemptions that may be relevant to some content of an internal audit report. They involve balancing the public interest in disclosure and non-disclosure. The most relevant is Section 47E, which conditionally exempts a document where disclosure would, or could reasonably be expected to, prejudice or have a substantial adverse effect on certain listed agency operations.

There are four separate grounds for this conditional exemption:
(a) disclosure would, or could reasonably be expected to, prejudice the effectiveness of procedures or methods for the conduct of tests, examinations or audits by an agency;
(b) disclosure would, or could reasonably be expected to, prejudice the attainment of the objects of particular tests, examinations or audits conducted or to be conducted by an agency;
(c) disclosure would have a substantial adverse effect on the management or assessment of personnel by the Commonwealth or by an agency; or
(d) disclosure would have a substantial adverse effect on the proper and efficient conduct of the operations of an agency.
A conditional exemption can only be claimed if, in addition, disclosure on balance would be contrary to the public interest. In the case of reports or parts of reports released to Besser, agencies either decided (a) to (d) were not arguable, or if one or more were, that the public interest favoured disclosure.

Perhaps the Australian Information Commissioner’s guidelines regarding s 47E(d) (to which an agency must have regard in reaching a decision on access) had some influence on decisions: 

6.111 The predicted effect must bear on the agency’s ‘proper and efficient’ operations, that is, the agency is undertaking its expected activities in an expected manner. Where disclosure of the documents reveals unlawful activities or inefficiencies, this element of the conditional exemption will not be met and the public interest factors of accountability and transparency are further weighted towards disclosure.

Particularly since last November's amendments to the FOI Act link new objects, which include "increasing scrutiny, discussion, comment and review of the Government's activities", to the public interest considerations in favour of disclosure.

DAFF hasn't to date posted the internal audit reports released on its Disclosure Log but both the Innovation and DBCDE reports and perhaps others (I haven't looked) are available.

Internal audit reports provide a snapshot at a moment in time. A report that everything is fine or needs little improvement is not going to make the news, unfortunately, but proactive publication or posting on the Disclosure Log will get such information out to some who may be interested. A report even a couple of years old can reveal information of continuing significance in terms of standards of administration. But these reports don't reveal what happened after the event and whether identified shortcomings have been rectified. Agencies could do themselves a favour by providing additional information that puts a released report in proper context.

On the Herald reports, the headline on the DAFF story about audits completed in 2008 and 2009 was "Fraud probe targets top bureaucrats." Headline writers love the present tense. The Department's response to the story published the next day was:
A department spokeswoman said on Monday fraud was taken very seriously at the federal agency but pointed out there had been no investigations as such, only investigations into allegations. "There has been no fraud probe into the department," she said in a statement on Monday.
Similarly, the Herald article on DBCDE, "Auditors raise probity queries at broadband overseer", was about audits undertaken by KPMG in 2009. If you get beyond the headline to the last paragraph, in respect of at least one of the audits:
A department spokeswoman said KPMG had subsequently confirmed their recommendations had been implemented, including "increased guidance associated with procurement planning … [and] the need for appropriate risk assessment".
