Folkestone & Hythe District Council Credit Card Audit Hidden Behind Criminal Investigation FOI Exemption
shepwayvox
Folkestone & Hythe District Council’s own auditors found weaknesses in corporate credit card controls. When the full report was requested, the council confirmed it held it — then withheld it under the Freedom of Information Act exemption for investigations and proceedings.
Folkestone & Hythe District Council has confirmed it holds the full internal audit report into its corporate credit cards.
It has also confirmed the public can’t see it.
The reason matters.
The council didn’t just say the report was sensitive. It didn’t simply redact names, signatures, card numbers or personal data. It withheld the full purchase-card audit report and management action under section 30(1) of the Freedom of Information Act 2000.
That is the exemption for investigations and proceedings conducted by public authorities.
In the council’s own refusal notice, section 30(1) is described as applying to information held “at any time for the purpose of conducting an investigation” which the council has a legal duty to undertake. The council then says the exempted information is the full internal audit report and management action.
That is the story.
The council is saying this material is investigation material. Whether that investigation is live, recently concluded or being relied on because the information was held for that purpose at some point is now the obvious question. But the council’s chosen exemption makes one thing plain: this is no longer just a routine audit report being kept in the cupboard because it’s awkward.
The purchase-card audit was given “reasonable assurance”. That sounds comforting, but it’s not a clean bill of health. In the council’s audit definitions, reasonable assurance means the system is generally sound, but issues, non-compliance or scope for improvement were found which may put objectives at risk.
For purchase cards, auditors recorded nine recommendations: five medium priority and four low priority. No critical or high-priority recommendations were reported publicly.
At the time of the audit, the council had 21 active corporate credit cards, with three more approved and awaiting issue from the bank. The report said corporate credit cards should only be used where there’s no other practical or acceptable payment method. Wherever possible, spending should go through the normal purchase order and creditor payment process.
The auditors found some controls were in place. Cardholders were issued guidance, spending was authorised and reconciled, receipts or invoices were attached, and VAT was “being treated correctly in the main”.
Then came the weaknesses.
The audit said the council’s card request and review processes could be strengthened to improve management controls and record keeping. It said resilience in the team managing corporate credit cards and monthly reconciliations should be improved. It said better evidence to support cash-withdrawal spending “must be introduced”. It also said irrecoverable VAT through corporate credit cards should be monitored so it didn’t become regular or material.
That isn’t proof of wrongdoing. It’s proof that auditors found enough to require improvements in the controls around public spending cards.
What the FOI response revealed
The Freedom of Information request asked for the material behind the public summary: policies, approval rules, limits, reconciliation controls, resilience documents, cash-withdrawal records, VAT monitoring, the full audit report and follow-up evidence.
It expressly didn’t ask for cardholder names, signatures, personal contact details or card numbers. The council was invited to redact personal data and release the rest.
It said card limits vary by business need and are agreed by the chief finance officer or deputy. Requests for extra cardholders must be approved by a line manager, chief officer and/or finance chief or deputy. Reviews are completed on request through starter, mover and leaver procedures.
It said monthly reconciliations are undertaken and issues are escalated to line managers or chief officers if required.
But on resilience, the answer was stark. The council said it held no internal risk assessments, management notes or meeting minutes identifying risks about insufficient resilience in the purchase-card process.
So the public record now says this: auditors found resilience needed improving, but the council says it holds no risk assessment, notes or minutes about that resilience risk.
That isn’t reassuring. It’s a gap.
The cash withdrawals
The council also disclosed three cash withdrawals made through corporate credit cards during the period covered by the request.
They were £100 on 6 August 2024, £250 on 8 October 2025 and £250 on 14 January 2026. All three were recorded against Housing Advice and Prevention. Each was listed as supported by a receipt.
The total was £600.
That isn’t a huge amount, and it shouldn’t be exaggerated. The issue is not the size of the cash withdrawals. The issue is the control around them.
The audit summary said improved evidence for cash-withdrawal expenditure “must be introduced”. That wording matters. It means the evidence base wasn’t strong enough.
Residents are entitled to know how cash withdrawals are approved, what counts as a permitted reason, what evidence is kept, and whether the council can show clear budget-holder sign-off.
These are dull questions. Good. Dull questions are how public money is protected before something goes wrong.
The VAT answer didn’t close the issue
The request also asked for irrecoverable VAT from purchase-card transactions, broken down by month or accounting period, along with any monitoring logs, reports or reviews.
The council replied that it doesn’t have enough spend on procurement cards to exceed partial exemption thresholds.
That may answer one VAT point. It doesn’t obviously provide the requested monthly breakdown or monitoring records.
Again, the audit finding is the key. Auditors said irrecoverable VAT through corporate credit cards should be monitored so it didn’t become regular or material. That means the issue was considered worth watching.
The withheld report
The full internal audit report is where the story sharpens.
The council confirmed it holds the full purchase-card audit report, including recommendations, management responses, the agreed action plan, responsible officers by job title and implementation dates.
Then it refused the whole thing under section 30(1).
That is not a general secrecy clause. It is an investigations exemption.
The council also said disclosure would prejudice future audits, inhibit candour, weaken assurance processes and potentially compromise confidential employment and contractual information.
Some of that may justify redactions. Names can be removed. Personal information can be withheld. Sensitive employment or contractual detail can be protected if the law allows it.
But that is not the same as withholding the entire audit report under section 30(1) while giving the public almost no explanation of the investigation being relied upon.
The council has not said which limb of section 30(1) it is using. It has not explained what investigation the purchase-card report relates to. It has not said whether the investigation is live or complete. It has not explained why redaction would not be enough.
That is the central accountability issue.
No follow-up report yet
The council also said it held no follow-up audit reports, progress updates or closure evidence for the purchase-card recommendations.
It said no follow-up reports had been completed, although officers had been adhering to the recommendations in the action plan since mid-2025. A review is expected in summer 2026.
That leaves residents with a thin public record.
The public audit summary says there were weaknesses. The full report and action plan are withheld. The follow-up evidence does not yet exist. And the refusal relies on an investigations exemption.
The question now
This is not a story claiming fraud. It is not a story pretending £600 of cash withdrawals proves misconduct. It does not.
It is a story about public money controls, nine audit recommendations, missing follow-up evidence and a full report withheld under the FOI exemption for investigations and potential criminal proceedings.
The council’s use of section 30(1) makes clear that, in its own legal position, the withheld purchase-card audit material is connected to an investigation it says it has a legal duty to conduct.
So the question is simple.
What investigation?
Residents do not need names, signatures, card numbers or personal data. They need to know whether the controls around public spending cards are working, whether the audit recommendations are being implemented, and why the full report has been withheld under an investigations exemption.
Until the council explains that properly, “reasonable assurance” is doing a lot of work.
Seen something the public should know about? Send tips, documents or concerns to TheShepwayVoxTeam(at)proton(dot)me. You can contact us in confidence, speak off the record in the first instance, and help us follow the evidence where it leads.
