Guidance

Protocol for Sharing Internal Audit Reports

Published 29 September 2022

1. Purpose of this protocol

This document addresses the recommendation (No. 58) made by Lord Maude in his 2020 review of the Government functions, to create a protocol for sharing Internal Audit reports across Government. Recommendation 58, which was welcomed by the Government, states: ‘The custom whereby internal audit reports are confidential to the line entity should be discontinued. A sharing protocol should be developed and agreed setting out how and under what circumstances internal audit reports should be shared by the head of GIAA with ministers and senior officials in the HM Treasury and Cabinet Office, having first discussed the issues of concern with the Permanent Secretary and Minister in charge of the department’.

After a short description of the purpose of Internal Audit within departments and the background to information sharing in government, this document describes the protocol for sharing Internal Audit reports. We focus on the exceptional circumstances under which such a report can be shared (the “when”); “who” can share or raise a request for sharing such a report; and “what” can be shared.

2. Internal Audit in Government

All government organisations are required by the good governance code to have an Internal Audit function. The role of Internal Audit is to support individual departments, and therefore government overall, in fulfilling their respective objectives by having tight financial and other controls, effective systems of governance, meaningful and active risk management and a focus on securing value for money. Internal audit has a critical role to play in supporting the transformation of financial management and the exercise of appropriate controls over public spending. Internal Audit’s range of services are designed to help Accounting Officers manage public money effectively by improving their systems of governance, risk management and internal control. To provide these services to an optimum degree of effectiveness requires a high level of confidence and trust between Internal Audit and individual Accounting Officers.

Essentially, Internal Audit is an integral part of an organisation, whoever provides the service. It delivers independent, objective and systematic assurance and consulting activity, which is designed to add value to and improve an organisation’s performance and reputation by completing risk-based audit reviews and by providing advice and insight. In the government context, the Head of Internal Audit for the relevant organisation is directly accountable to the Accounting Officer of that organisation and has a strong relationship with members of the Audit and Risk Assurance Committee. As a result, internal audit reports are not currently shared outside the “customer” department or between government organisations without the express permission of the Accounting Officer or their representative, and then only on rare occasions.

The work of Internal Audit is both bound and enriched by a framework of professional and ethical standards. For example, the Public Sector Internal Audit Standards (PSIAS), which are mandated by HM Treasury for use in Government and based on the International Professional Practices Framework (IPPF), require that professional: “Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so”. In terms of its Code of Ethics, the profession is required to operate with integrity, be objective, ensure confidentiality to the customer and be competent.

Current professional and ethical standards neither preclude nor require the sharing of Internal Audit reports. However, for the profession to be able to comply fully with the governing standards and Code of Ethics, and thereby retain its vital independence as an objective provider of assurance and advice, any information sharing needs to be done at the request, and with the agreement, of a departmental Accounting Officer as the person best placed to understand the context and make an informed decision.

The Government Internal Audit Agency operates its services by government, for government so the confidential and trusting relationship developed with Accounting Officers and other senior leaders within a Department is integral to gaining the unfettered access that delivers the required level of value and insights in areas of greatest challenge and risk. Consequently, any requirement to share reports needs to be finely balanced, in order to deliver the collective benefits to the public of understanding common areas of risk across government, but without undermining or compromising the quality of an independent Internal Audit service or the trust-based relationship with an Accounting Officer. We are sure that Accounting Officers and the Chairs of Audit and Risk Assurance Committees will be keen for this protocol to be regularly reviewed to ensure it is being complied with and that the quality and depth of Internal Audit work is not compromised.

3. Background to information sharing in Government

The familiar and well-tested principles for managing public resources include standards of Openness, Accountability, Transparency and Objectivity. It is accepted that all individual departments, led by their Principal Accounting Officer, have “considerable freedom about how they organise, direct and manage the resources at their disposal” [Managing Public Money (HM Treasury) 1.5.1]. Increasingly, though, these same departments will need to work collaboratively with each other, and with other partners across Government, to deliver policy commitments that transcend departmental boundaries and deliver a common purpose – as can be seen, for example, in relation to managing the COVID pandemic and vaccine roll-out, exiting the European Union, taking action on climate change and the focus on levelling-up. Such collaboration is even more effective when it is undertaken in a genuine spirit of curiosity about what can be learned from others, a clear desire to foster an environment of continuous improvement and not censure, and with an openness and objectivity about sharing information when it is appropriate to do so. Departments already share significant volumes of information about many topical issues on a regular basis, through informal or more organised networks, and through routine second line of defence activity. This protocol is intended to supplement such normal business activity with a framework which covers those rare circumstances when it might become necessary for an Internal Audit report to be shared.

Managing Public Money is punctuated with strong reminders that Accounting Officers not only have individual responsibilities in relation to the operation of their own department, but also have clear duties to ensure good government at the macro level – thereby supporting the Exchequer as a whole. Accounting Officers are encouraged to learn from experience and use feedback (from Internal Audit and other external sources) to improve performance, to draw out and propagate lessons to support continuous improvement for the common good and to disclose serious, unforeseen events and risks, and we might add here, particularly when those risks cross departmental boundaries and have an impact outside their department or organisation.

Ideally, a protocol to share Internal Audit reports would be grounded in a central government framework for sharing information between appropriate organisations. Such an overarching framework does not yet exist. In terms of governing principles and language, we can, helpfully, look for instruction at the very many local agreements in place between two or more organisations, but these tend to relate to sharing personal confidential information (and are therefore subject to very strict GDPR and data protection rules) or pertain to sharing information between statutory bodies, where that distribution is enshrined in the governing statute or regulation. Whilst we can point to no primary or secondary legislation to require an Accounting Officer to share an Internal Audit report outside their department, we can appeal to the principles of transparency, continuous improvement and a strong desire to work for the common good, to support the dispassionate and objective sharing of relevant information.

Within this protocol, sharing Internal Audit reports will primarily be instigated by Accounting Officers themselves when they realise (or are prompted by their Internal Auditors, senior officials or non-executives to take notice) that a report includes information of such import to the rest of government, that sharing is not only necessary, but objectively beneficial. Recipients may include other Accounting Officers, Ministers, and senior officials in both the Cabinet Office and HM Treasury. There will also be instances where Ministers and senior officials will request the release of a report if they become aware of a situation that would warrant the wider sharing of information, or because they have been asked to approve a policy, business case, large-scale procurement or payment of a grant etc., and a relevant report would provide helpful context prior to giving or withholding that approval. Such a request would not be made by way of “keeping score” or for the purposes of censure, but so that the requestor can understand and learn from the experiences of the sharing department and take appropriate and timely action if required. References to the Government Internal Audit Agency (GIAA) should be taken in the context of the wider Internal Audit (IA) function across the whole of government, regardless of who provides the internal audit service.

The sharing protocol should only be used in exceptional circumstances. The vast majority of reports produced by Internal Audit in each financial year support individual Accounting Officers with internal improvements in governance, risk management and control in their departments and need not be routinely shared. In addition, the Government Internal Audit Agency (GIAA) already uses its trusted relationship with Accounting Officers and departments to provide cross-government insight and thought leadership for the wider benefit of government and to give assurance to the Treasury and Cabinet Office. We intend to significantly increase and develop this offer in 2022-23 and future years. Our new Insights Hub will work in tandem with our Data Analytics Team to lead the planning, delivery, and reporting of/engagement with all our cross-Government assurance activity, including the identification of risks, analysis of annual opinions, and consequent sharing of good practice. This activity will continue to be the main method of providing the wealth of information and insight that will support and add value to the work of individual departments and government overall.

4. Recommendation from the Maude report – the why?

Specifically, then, this document responds to Lord Maude’s Recommendation 58 by setting out the parameters of a protocol for sharing Internal Audit reports across Government. For Ministers, the central purpose of this Recommendation is to improve transparency and ensure a direct line of accountability for taxpayer funding, particularly when difficult lessons need to be shared, and to increase the flow of information across Government, especially towards the Cabinet Office and HM Treasury. The aim is to strengthen the insight derived from individual Government departments and Arm’s Length Bodies and to enhance and improve decision-making across Government. However, whilst accepting the importance of transparency, we believe that this protocol will have a greater likelihood of success if it is seen as a collaborative tool to encourage continuous improvement, and not as a means for the centre of government to censure individual departments or “keep score”.

Recommendation 58 also states that the Chief Executive of the Government Internal Audit Agency (GIAA), as Head of Government Internal Audit, should be responsible for identifying and sharing reports. Whilst the GIAA and its senior leaders will have a critical role to play in ensuring the appropriate sharing of Internal Audit reports in certain circumstances, the primary decision to share a report will lie with an Accounting Officer, acting objectively in a spirit of collaboration for the good of a wider purpose beyond the boundary of their department. It is also essential that the Department’s officials should be able to provide relevant context to any report that is to be shared, for example by means of a covering paper to a report.

5. Internal Audit sharing protocol – the when, who and what

This protocol sets out a number of principles to underpin the sharing of Internal Audit reports, focusing on the circumstances under which this can be done (the “when”); “who” can share or raise a request for sharing; and a consideration of “what” can be shared. Before passing to the detail, a number of over-arching assumptions are relevant:

  • The sharing of an Internal Audit report under this protocol will only occur in exceptional circumstances. If all the criteria set out in this protocol are met, it is expected that a relevant Internal Audit report will be shared as requested, though the final decision always rests with the Principal Accounting Officer.
  • All parties recognise the respective responsibilities and independence of other parties to the protocol, but also recognise the importance of collaboration for the wider good.
  • Where it is appropriate to do so, the parties (including their nominated officials) will agree to share information lawfully, fairly, in a transparent manner using processes that are effective, efficient and clearly understood.
  • All parties recognise the need to maintain public confidence in government.

Those who have access to the shared reports, and the information contained within, shall ensure that such information is:

  • Used fairly, lawfully and transparently.
  • Used for specified, explicit purposes.
  • Used in a way that is adequate, relevant and limited only to what is necessary.
  • Inclusive of any necessary redactions to protect personal identities, commercially sensitive information, safeguarding issues etc. The Accounting Officer will have the final decision on what is shared on a case-by-case basis.
  • Accurate and up to date.
  • Shared on the understanding that the information contained within the report is timebound and will probably require wider context from the relevant department.
  • Retained for no longer than necessary – a destruction timeline will need to be agreed.
  • Handled in a way that ensures appropriate and secure storage, protecting against unauthorised access, loss or sharing the information wider than the audience agreed.
  • Shared in good faith, notwithstanding that the Accounting Officer must be fully aware of the potential risk of sharing the information.

When an Internal Audit report can be shared

Starting from a basis of the criteria applicable to the Major Project Review Group, the following principles act as a guide for when the sharing of an Internal Audit report will be appropriate. This list is intended to be illustrative not exhaustive:

  • The internal audit report could relate to a project or programme that exceeds a Delegated Authority Limit or which sets a potentially expensive precedent.
  • A report might expose pressures in a project or programme that could lead to a breach in a Department’s Expenditure Limit, administration cost limit or Estimates provision, or otherwise pose risks to public sector finances.
  • Similarly, a report might expose contractual commitments to significant levels of spending in future years, for which plans have not yet been set or agreed. Equally, a project might set an unintended precedent, or it could be highly innovative (and therefore carry substantial risk).
  • Sharing a report would help support strategic decision-making across Government e.g., in relation to a key business case or commercial decision that impacts more than one department or function.
  • Sharing an internal audit report gives insight about a significant or material decision made in a single department. This could highlight either good practice or lessons to be learned/practice to be avoided.
  • The report relates to an issue or policy which is to be delivered by multiple departments (e.g. pandemic response or levelling up) and the findings of a report in one department indicate that there could be issues of concern elsewhere or that sharing good practice will be beneficial to wider government and/or the public.
  • To flag and help manage significant risks across wider Government, e.g., a report might identify the risk of a fundamental flaw with a cross-government IT system, so it would be shared in the interests of business continuity and the integrity of the national infrastructure.
  • Matters of significant National Interest or state emergency that require the insights from internal audit to be shared.

Who can make a request under this protocol?

In all cases when an Internal Audit Report is shared, there should be a clear reason why the information is needed and an explanation of the purpose for which it will be used. When one or more of the circumstances described in paragraph 17 above are met, then the following parties to the Protocol can request that a report is shared under its terms:

The Permanent Secretary/Principal Accounting Officer (PAO) of a Department or other senior official to whom authority to share information has been delegated by the PAO – i.e. officials holding an Internal Audit report. This may include the Accounting Officers of ALBs with the permission of the Department’s Principal Accounting Officer.

A PAO would invoke the protocol when they realise (or are prompted by one of their senior officials, non-executives or their Internal Auditors to take notice) that a report includes information of such import to the rest of government, that sharing is not only necessary, but objectively beneficial. The report may be shared with other Principal Accounting Officers, Ministers, and senior officials in both the Cabinet Office and HM Treasury.

Direct request from Ministers and/or the most senior officials in HM Treasury and the Cabinet Office and/or the Principal Accounting Officer of a different department (i.e. to the one sharing the Internal Audit report). A list of officials who can make a request under this protocol is attached at Annex A. In this case, the protocol would be invoked by the relevant requestor writing to the Principal Accounting Officer of the department holding the required report asking for it to be shared. This will be straightforward in a situation where the requestor knows that a relevant Internal Audit report exists. In other cases, the potential requestor would first need to contact GIAA to determine if a report on a particular subject-matter had been produced, and for which department, and then, having established this, would contact the relevant Principal Accounting Officer. In all cases, any request to a PAO should be copied to the Chief Executive of the Government Internal Audit Agency (or their nominated official) via the dedicated mailbox, and should outline:

  • Details of the person/office requesting the copy of the report.
  • The key reason/s why it is being requested and what the report will be used for (based on the criteria listed in paragraph 17).
  • How the report is to be used, shared and stored.
  • Who, apart from the requestor, will have access to the report?
  • Any wider audience with whom the requestor proposes to share the report. A report should not be shared more widely than the audience specified in the request without further explicit agreement from the Accounting Officer who has agreed to share it. The requestor should never share a report with the public.
  • The timeline in which the report should be shared.
  • The length of time the document will be held before destruction.

In respect of these first two categories of requestor, the most straightforward way to ensure that the relevant Internal Audit report is shared correctly, is for the Accounting Officer (AO), having either decided to share a relevant report themselves, or having received and agreed to a request to share a report, to write to the Chief Executive of the Government Internal Audit Agency (or another senior official within GIAA nominated by the Chief Executive) via a dedicated mailbox, requesting that the report is shared by GIAA with one or more named individuals or with a specified group (e.g. all Principal Accounting Officers or members of the Civil Service Board). The sharing AO will be responsible for providing any covering paper/contextual briefing, and for redacting any part of the report that is not suitable for release e.g. because it contains personal confidential information relating to one or more individuals, or where it might be considered prejudicial or contrary to law to disclose such information. GIAA would confirm release of the report to the requestor in writing. No more than seven working days should elapse between the making of a request and the release of a relevant report to the requestor.

In both of these two scenarios, the Accounting Officer who “owns” the Internal Audit report has the final say as to whether or not an Internal Audit report should be shared.

GIAA will keep a central record of all the Internal Audit reports that are shared under this protocol and for what purpose. In both these instances, GIAA would not themselves instigate the sharing of a report; they would only facilitate sharing with the express agreement of the relevant Accounting Officer.

Consequently, in all instances when a report is shared, both the Principal Accounting Officer who “owns” the Internal Audit report and the Chief Executive of the GIAA must keep each other informed, being open and transparent about what is being shared, with whom, and with the purpose fully set out in a supporting rationale. When considering sharing an Internal Audit report, the Accounting Officer must consider any regulatory or data protection risks inherent in sharing that information outside the boundaries of their department. There will be some situations where a report cannot be shared, e.g. because of:

  • Departmental or national security implications.
  • Legislative or regulatory prohibitions or requirements e.g. where GDPR, Freedom of Information or Data Protection legislation impedes the request.

Each request will be considered separately on its own merits on a case-by-case basis. The release of any report must be in the full knowledge of the potential risk to the Accounting Officer and their Department in doing so. This principle equally applies to any reports that are shared following a Freedom of Information request. All relevant parties should be kept informed of any internal audit reports or equivalent that have been shared.

In exceptional circumstances, the Head of the Government Internal Audit Function (the GIAA Chief Executive) may decide that an internal audit report(s) should be shared, for example to inform critical cross departmental decision-making, to escalate a serious concern or risk or to prevent harm or serious financial or commercial loss, first consulting the relevant Accounting Officer. The list of potential circumstances is not exhaustive. Any decision to share must be undertaken in line with the principles described in this protocol. The Head of Government Internal Audit will be clear and transparent with the Accounting Officer as to the reason and justification for sharing. In all such cases, the Head of Government Internal Audit will notify the relevant Principal Accounting Officer that there is, in their view, a compelling reason to share an Internal Audit Report with a named individual or group of individuals, and then give that Accounting Officer a reasonable opportunity to share the report themselves along with relevant contextual material. The Head of Government Internal Audit would propose a reasonable time, usually no longer than seven working days, for the report to be shared, but this might vary according to the nature and urgency of the circumstances. However, as is the case with the first two instances in paragraph 18, the Accounting Officer who “owns” the Internal Audit report always has the final say as to whether or not an Internal Audit report should be shared.

Form of report to be shared – the what?

The default position is that when the principles of this sharing protocol are met, the complete relevant Internal Audit report will be shared with the individual or group that has requested it. This embraces the spirit of Lord Maude’s recommendation and promotes cross-Government collaboration and a focus on continuous improvement. It is easier to facilitate sharing a full report, as this removes the need to create summaries etc. which would be an inefficient use of resource. The sharing department would be expected to provide a covering paper and any other relevant contextual information.

There may be circumstances where parts of a report will need to be redacted, for example to protect named individuals or other personal confidential data, commercially sensitive information, or to prevent safeguarding risks etc. These will need to be considered by the Accounting Officer on a case-by-case basis. The Accounting Officer should also take into account the impact of exposing sensitive, novel and contentious issues or matters which may unduly prejudice the public’s confidence in government.

In exceptional circumstances where the Head of Government Internal Audit proposes that a report should be shared, and the Accounting Officer agrees, the same considerations will apply.

To support the use of this protocol, a process guide is attached at Annex B.

6. The Principal Accounting Officer’s veto

There will be circumstances in which a Principal Accounting Officer does not agree to share a relevant Internal Audit report in accordance with the terms of this Protocol. In line with the principles of Managing Public Money, the ultimate decision on whether or not to share rests with the Principal Accounting Officer, not least because they are the only one who can defend their decision to Parliament and the NAO. In cases where an Accounting Officer exercises their right to veto the sharing of an Internal Audit report, they should notify GIAA of their decision using the dedicated mailbox: GIAA.IAProfession@giaa.gov.uk.

7. Conclusion

Sharing Internal Audit reports in the way described by this protocol is new for government. There is no underlying statute or regulation to compel a report to be shared. Rather, there is an appeal to Accounting Officers in particular, set in the context of the well-understood principles of Managing Public Money, to approach the protocol in a spirit of curiosity and collaboration, and of wanting to share good practice in order to encourage a cross-government approach to continuous improvement. This protocol envisages a number of relatively narrow occasions when the protocol can be invoked, though it is likely that the body of examples will build over time through use. It is also drafted very much from a perspective that respects and holds firm to the trusted relationship between an individual Accounting Officer and their independent internal audit provider, and which values the professional standards and ethical code that underpin that relationship.

However, there will be instances where sharing an Internal Audit report is the right thing to do simply because there is a compelling moral reason or issue of national interest, or the information it contains impacts more than the department for which it was drafted in the first place or it affects a decision to be made in respect of a department. Sharing for the common good, to improve government overall, should not undermine trust, and neither should it attract criticism.

Government Internal Audit Agency

September 2022

Annex A: Schedule of officials who can make a request under this protocol

  • Permanent Secretaries/Principal Accounting Officers – Departments of State/Non-Ministerial Departments
  • The Cabinet Secretary
  • Cabinet Office Permanent Secretary/Civil Service Chief Operating Officer
  • DG Public Spending, HM Treasury
  • Director of Public Bodies, Cabinet Office
  • Heads of Function
  • Parliamentary Private Secretary to Cabinet Office Ministers
  • Parliamentary Private Secretary to HM Treasury Ministers
  • The Head of the Internal Audit Function for Government (the GIAA CEO)

Protocol for Sharing Internal Audit Reports

Annex B: Process Guide

September 2022

Introduction

This Process Guide is intended to complement the Protocol for Sharing Internal Audit Reports. The Protocol was approved by the Civil Service Board and was adopted for use from April 2022.

Paragraph references relate to the Protocol document.

As a general principle, no more than seven working days should elapse between the making of a request and the release of a specified report to the intended recipients.

All correspondence with the Government Internal Audit Agency in relation to the operation of this Protocol should be sent to the dedicated mailbox: GIAA.IAProfession@giaa.gov.uk.

The Protocol is only intended for use within Government by specified Ministers and Officials [as set out in Annex A] provided the parameters detailed in the document are met. A member of the public or other person or entity inside or outside Government cannot make a request under the Protocol.

In all cases, GIAA will keep a central record of which Internal Audit report is being shared under the protocol, to whom, and for what purpose. This information will be used to evaluate the use and effectiveness of the Protocol and will support regular reviews by the Civil Service Board.

How to Request an Internal Audit Report

Scenario 1: A Principal Accounting Officer wants to share a report [Para. 18(1)]

A Principal Accounting Officer who wants to share an Internal Audit report should write to the Chief Executive of the Government Internal Audit Agency (GIAA) using the dedicated mailbox: GIAA.IAProfession@giaa.gov.uk requesting that a specified report is shared with a named individual or a group, and setting out the key reasons why the report is being shared having regard to the circumstances set out in paragraph 17.

GIAA will release the specified report to the designated recipients, notifying the ‘sharing’ Accounting Officer that the report has been shared, and will keep a record of the request.

Scenario 2: A Minister or official specified in Annex A requests a report [Para 18(2)]

A requestor may need to check with the Government Internal Audit Agency whether a report on a particular subject has been produced (and for which department) and can do so by making a request via the dedicated mailbox: GIAA.IAProfession@giaa.gov.uk.

Once a requestor knows that a specific Internal Audit Report exists, they will write to the Principal Accounting Officer who “owns” the report, asking for it to be shared. The request should be copied to GIAA using the mailbox: GIAA.IAProfession@giaa.gov.uk. The requestor will outline:

  • Details of the person/office requesting the report.
  • A summary of the reason(s) for requesting the report (having regard to paragraph 17).
  • How the report is to be used, shared and stored.
  • Who, apart from the requestor, will have access to the report; and
  • The length of time the document will be held before destruction.

In deciding whether or not to share, the Accounting Officer who “owns” the report will consider any regulatory or data protection risks inherent in sharing it.

If the Accounting Officer agrees to release the report, they will write to the GIAA Chief Executive via the mailbox (GIAA.IAProfession@giaa.gov.uk) asking for the report to be shared with the designated recipient. At the same time, they will provide any necessary covering paper and/or contextual briefing and will redact any part of the report not suitable for release.

GIAA will confirm to the Accounting Officer when the report has been shared and will maintain a record of requests made and reports shared under the Protocol.

The Accounting Officer’s veto

There will be circumstances in which a Principal Accounting Officer does not agree to share a relevant Internal Audit report in accordance with the terms of this Protocol. In line with the principles of Managing Public Money, the ultimate decision on whether or not to share rests with the Principal Accounting Officer, not least because they are the only one who can defend their decision to Parliament and the NAO. In cases where an Accounting Officer exercises their right to veto the sharing of an Internal Audit report, they should notify GIAA of their decision using the dedicated mailbox: GIAA.IAProfession@giaa.gov.uk.

In the event of a Freedom of Information (FOI) Request involving GIAA material

In the event of a request for information involving potential release of any GIAA-related information, including Internal Audit Reports, please contact correspondence@giaa.gov.uk for advice, providing details of the request and the GIAA information held. A response will be provided within three working days.