CONFIDENTIALITY OF INFORMATION
The nature of internal audit work requires that, to the extent permitted by
law, we have unrestricted access to all sources of information, property, and
personnel at the University. Because we often work with sensitive matters or
information that is not subject to public disclosure, we must take careful precautions
to maintain the confidentiality of these items.
Our correspondence (including audit reports) and working papers are generally
classified as public information. We should not include items in our working
papers or communications that are protected by privacy laws or that could result
in legal liability for the University or the individual who prepared the document.
Information that we obtain and documents that we prepare must not be given
to anyone other than individuals within the University who have a need to know
or the State Auditor’s staff except with the specific approval of the Director
of Internal Audit. Unauthorized disclosure of confidential information from
the personnel files can result in disciplinary action.
While we may be compelled to provide copies of items from our working papers,
we should refer requests for other information to the office that is responsible
for those records; for example, Employee Records is responsible for personnel
information. Subpoenas, other court orders, and requests under the Freedom of
Information Act should be referred to the University Counsel.
Federal and state privacy laws require that many types of information be protected
from public disclosure. Penalties range from a possible misdemeanor conviction
and fine for the individual who made the disclosure to loss of all funds the
University receives from the US Department of Education until we can show voluntary
compliance with privacy laws.
Confidential information includes, but is not limited to:
- social security number;
- certain information from an individual’s personnel file;
- medical records;
- student records;
- library users’ records.
We should never include social security numbers in our working papers that
leave our possession. If our audit procedures involve the review of confidential
records, we should document the results of the review in a way that protects
the privacy of the individual involved. For example, when scheduling the results
of a review of financial aid or student health records, we should use a code
number or initials to identify the records tested.
While we sometimes work with the State Auditor and SLED when conducting misuse
reviews, we cannot provide them with certain pieces of information without
a court order or written consent of the individual involved. University Counsel
should approve requests for such information before it can be released.
In some projects, we may review information that is not specifically protected
by privacy laws but is proprietary or sensitive. Examples include records relating
to research in process, contract negotiations, employee benefits, or past due
accounts. We should handle these items in the same manner as confidential information.