Skip to main content
Blog Post

FOIA Update: Legal and Policy Guidance: Status of Internal Audit Reports Under the Freedom of Information Act

FOIA Update
Vol. I, No. 3

Legal and Policy Guidance

Status of Internal Audit Reports Under the Freedom of Information Act

Agency personnel often conduct both internal and external audits. Generally, agency personnel conduct internal audits for management purposes, to evaluate the efficiency, economy, effectiveness, financial aspects, or other features of an agency program.

External audits are conducted for contract or grant administration, tax administration, and/or law enforcement. The guidance here pertains largely to internal audits.(1)


The general rule under FOIA is that "any person" is entitled to have access to any "agency record" upon request unless it is exempt under one of the nine exemptions in subsection (b). The requester must give a reasonable description of the records he or she wants to see, but a general description is adequate if that is all the requester can provide and the agency is capable of identifying the records he or she wants. "Agency record" is a statutory term which generally covers any record which belongs to an agency, including records on computer tapes,

Even when a record contains exempt information, the other portions of the record must usually be released. Requests for existing agency records that are made in "accordance with published rules" of the agency must either be honored, or if denied in whole or part, the denial must be based on exemptions. If an agency withholds records from a requester, a lawsuit may be brought under the Freedom of Information Act. The government bears the burden of proving that the records are exempt, and the judge may personally examine the records being sued for.


An agency may voluntarily release even exempt records (sometimes called a "discretionary release") unless release is prohibited by some other law. The Privacy Act is an example of such a law. That Act generally applies only to records that are part of "systems" of records within the meaning of that Act, while the Freedom of Information Act applies to all agency records.

Voluntary disclosure of an exempt record to one person does not bar an agency from withholding the same or similar records from another person if there is a reasonable basis for the difference in treatment. However, if the second person is situated similarly to the first one, denying access on the second request would be unfair, discriminatory, or an abuse of discretion. Thus, an audit report or a draft audit report containing exempt matter might properly be shown to a former agency employee to whose work the report pertained, to obtain his comments, without extending similar access to the world. Generally, equal treatment of requesters is preferable even in those cases where it may not be mandatory.


A discretionary release to a member of Congress or to a state, local or foreign official in the interest of furthering cooperative performance of functions does not usually compel release to the world. A congressional committee or subcommittee with jurisdiction over the subject matter or the General Accounting Office cannot be denied access to any agency record on the basis of an exemption. Subsection (c) of the Freedom of Information Act states explicitly "This section is not authority to withhold information from Congress.(2)


To determine whether any given record is or is not exempt under the Freedom of Information Act, agencies should look at more than just what category the record falls into. Checking the actual contents of the record and the circumstances and purposes of its creation, acquisition or use will sometimes show the record is quite different from what its title suggests.


Audit reports are likely to be exempt from release, at least in part, by the "deliberative privilege" of the fifth exemption. That exemption applies generally to privileged communications within the Executive Branch.

The purpose of the deliberative privilege exemption is to encourage candid communications within the government to aid decision-making. Without protection government advisors might be inhibited in expressing their honest opinions and recommendations for fear of outside criticism or pressures. Also, decisionmakers might be inhibited from inviting candid advice. But a record that is protected by the deliberative privilege may lose that protection if it is "adopted" or incorporated by reference in a decision document.

Generally, the courts have concluded that internal documents of a factual nature, and facts that may be separated from the rest of the document, are not protected by the deliberative privilege, unless the factual material is inextricably intertwined with opinions, recommendations, or policy-making process.(3)

The question whether the factual parts of a particular document are covered by the fifth exemption may be very difficult and uncertain even for experts on Freedom of Information law. However, if the factual material in an internal document is not protected under the fifth exemption, it may sometimes be covered by some other exemption.


Another exemption that may cover the factual portions of an internal audit report is exemption six. The sixth exemption is designed to protect individual privacy, and covers most matter in an individual's medical and personnel files as well as similar information of a personal and private nature. For example, exemption six may protect an individual's home address and other aspects of his or her private life. It may also protect information about an individual's personal history in school or work, particularly if such information could be prejudicial to the individual.

Whether particular information about an individual is covered by exemption six is often a close question. It cannot be resolved just by considering whether the majority of people would prefer to limit circulation of that type of information about themselves. The Attorney General's "Blue Book" on the 1974 FOI Amendments discussed this question in the context of exemption 7(C) and suggested that privacy is involved in "information about an individual which he could reasonably assert an option to withhold from the public at large because of its intimacy or its possible adverse effects upon himself or his family."(4)

A further question under exemption six is whether the invasion of privacy for disclosure would be "clearly unwarranted." That depends on whether there is a public interest favoring release of the information which outweighs the privacy interest.

If an audit report containing facts protected under the sixth exemption is sought under the Act, the solution would ordinarily be to delete the name and other identifying information of the individual. Or, if the requester knows or is likely to discover the identity of such individual despite deletion, the solution is to delete the privacy information itself before releasing the report.


The seventh exemption, which was amended in 1974, is designed to protect "investigatory records compiled for law enforcement purposes" if their disclosure would result in a type of harm specified in clauses (A) through (F) of the exemption. The term "law enforcement" is narrower than "executing the laws" or "carrying out the laws," as "law enforcement" is activity which is targeted against violations of law.

Thus, the seventh exemption does not include investigations that were basically conducted for improving the management, efficiency, or the quality of government operations. This means that the seventh exemption would usually not cover reports of internal audits.

To be "for law enforcement purposes" an investigation (with the exception of background personnel security investigations) must be directed against possible violations of law having some sanction, e.g., criminal prosecution, injunction, civil penalty, suspension of a license, etc. An internal audit initiated for normal management purposes may be converted into an investigation for law enforcement purposes if indications of fraud or other illegal conduct are found and are investigated further. To disclose an internal audit report to an employee or other person who is suspected of fraud or illegality may tend to weaken the government's ability to invoke the seventh exemption, as one of the purposes of the seventh exemption is to prevent premature disclosure of the government's case to a prospective defendant. For an analysis of the amended seventh exemption including clauses (A) through (F), see the Attorney General's "Blue Book" on the 1974 FOI Amendments, pp. 4-13.


Protection of facts in an internal audit report is somewhat less likely under either the second or fourth exemptions. The second exemption is for matters "related solely to the internal personnel rules and practices of an agency." The courts have said this applies to minor internal administrative matters in which there is no significant public interest. For example, an internal audit report might contain information about lunch hour arrangements, parking rules, methods of collecting attendance and leave information, filing procedures, time needed to go to the copying machine, etc., to which exemption two might apply.

The second exemption also has a bearing on whether manuals of instructions to auditing personnel can be withheld under the Act. There are court decisions going in both directions on the question whether certain manuals for the guidance of auditors in IRS, DOD, and other agencies are covered. In general, they are likely to be withholdable under exemption two only to the extent that disclosure would materially prejudice auditing when it is conducted for law enforcement. When exemption two is used to protect internal instructions on sensitive techniques for law enforcement work or the like, it is known as "high-2." Interpretations of law or of regulations in such manuals are generally not withholdable. Audit reports themselves, as distinguished from manuals for auditors, are unlikely to contain "high-2" material.

The fourth exemption, for confidential business information, is chiefly designed to protect businesses from competitive injury through disclosure of trade secrets and other confidential commercial or financial information which these businesses submitted to the government. Exemption four does not apply to governmentally-generated information even where the information relates to and would adversely affect a business firm. But it does protect government-prepared reports to the extent they restate protected information from the business firm.

Exemption four materials are more likely to be found in an external rather than an internal audit report. Sometimes information which was commercially confidential when submitted is no longer so when a request for the record containing it is received, because time or events have taken away the information's potential for injuring the submitter's competitive position.


If an internal audit report contains facts given in confidence by an employee so that release of the facts would breach the confidence of the employee, there may nevertheless be real difficulty in finding a legal basis (an exemption) to withhold such facts. If the facts relate to the employee himself, access sought by others may be deniable under exemption six, as discussed above. Where the facts do not relate to the employee except that he or she is the source of such facts, privacy may still justify withholding his or her identity if disclosure would result in injury, harassment or similar adverse effects. If the source furnished the facts as part of a selective or argumentative presentation of recommendations or views on a question of what the agency should do, the deliberate privilege under exemption five may apply.

In cases in which an audit had taken on the aspects of a law enforcement investigation as discussed above, information from an employee given in confidence, at least to the extent the information would tend to reveal his or her identity, would be protected under the seventh exemption, clause (D). However, in the unlikely event that an internal audit report is filed and retrieved in such a manner as to be part of a "system" of records under the Privacy Act, a request from the individual who is a subject of the report can be denied, as to the parts of the report which pertain to him or her, only if Privacy Act exemptions as well as FOIA exemptions apply.


The thrust of FOIA is toward disclosure. Compliance with the Act is monitored by the Courts, Congressional committees, the Justice Department, the press, various public interest groups, and others. Requests under the Act must be processed promptly, in accordance with the time limits provided in the 1974 amendments and with agency regulations. Although it is sometimes wise to consult informally with those who are the subject of audits to assist in making a determination of the applicability of an exemption, or of the current desirability of voluntarily releasing despite the exemption, it is not necessary to obtain the approval of the audited organization before a report is released.


1. This guidance is a restatement of a May 16, 1980, memorandum from Department of Justice--Office of Information Law and Policy, to all federal agencies.

2. For a recent comprehensive discussion of discretionary releases and of Congressional access under FOIA, see the OILP letter of May 29, 1980, to the FTC, which will be publicly available.

3. On the question whether to use the deliberative privilege in particular cases, see "Policy Guidance--When to Assert the Deliberative Privilege under FOIA Exemption Five" in FOIA Update, Vol. I, No. 1, Autumn 1979, issued by DOJ-OILP, pp. 3-5, summarizing our nine-page memorandum of June 6, 1979, on the same subject.

4. Attorney General's Memorandum on the 1974 Amendments to the Freedom of Information Act, February, 1975, at 9-10.

Go to: FOIA Update Home Page

Updated August 13, 2014