AD100 Handling and Distributing Confidential Internal Audit Reports and Other Documents (Formerly FN19)

Contents:

• Purpose
• Scope
• Definition of Terms
• Policy
• Sanctions
• Further Information

PURPOSE

To establish policy for the proper manner in which Confidential Internal Audit Reports and Confidential Other Internal Audit Documents can be distributed, as well as limiting such distribution to unauthorized external and internal parties.

SCOPE

This policy applies to all University academic and administrative units and locations. It applies to all uses of marked or unmarked Confidential Internal Audit Reports or Confidential Other Internal Audit Documents regardless of the format in which such information resides.

DEFINITION OF TERMS

Confidential Internal Audit Reports- The final signed original report or signed photocopy of such report that communicates the results of an audit, special investigation or other procedures undertaken by the University's Internal Audit Department as a result of a financial hotline report, information received directly from an individual in a manner other than the financial hotline alleging impropriety and/or fraud, and standard audit procedures performed by Internal Audit that uncover a fraudulent act or other impropriety with respect to statutes or regulations. Also, other Internal Audit Reports that may contain sensitive information in the judgment of the Director of Internal Audit could be identified and labeled as a Confidential Internal Audit Report. All Confidential Internal Audit Reports must be clearly stamped "CONFIDENTIAL" on each and every page.

Confidential Other Internal Audit Documents- Any documents, either hard copy or electronic, that were used and retained as a work paper by Internal Audit or other correspondence, either hard copy or electronic, retained in support of work performed in connection with the issuance of a Confidential Internal Audit Report is considered confidential for purposes of this policy.

POLICY

Any Confidential Internal Audit Reports or Confidential Other Internal Audit Documents, as both are defined under "Definition of Terms", shall not be distributed to anyone outside the University, unless otherwise authorized by the Senior Vice President for Finance & Business, the President of the University and/or the Chair of the Committee on Audit and Risk of the University's Board of Trustees. Such authorization should be done in consultation with the Director of Internal Audit and should only be given under unusual and special circumstances clearly warranting such disclosure, such as for the purpose of providing assistance in a criminal investigation. Such authorization will be given either in a written memo or letter or in an electronic format via an email.

Internal University distribution of the Confidential Internal Audit Report shall be limited as stated within the report itself. Similar to the external distribution policy mentioned above, Confidential Other Internal Audit Documents shall not be distributed to anyone within the University other than those involved in the audit procedures, unless otherwise authorized by the Senior Vice President for Finance & Business, the President of the University and/or the Chair of the Committee on Audit and Risk of the University's Board of Trustees. As noted above, such authorization should be done in consultation with the Director of Internal Audit and there should be either printed or electronic evidence of the authorization.

SANCTIONS

Violation of this Policy may result in initiation of legal action by the University and appropriate disciplinary action, which may include dismissal.

FURTHER INFORMATION

For questions, additional detail, or to request changes to this policy, please contact the Office of Internal Audit.

Most Recent Changes:

• January 23, 2020 - Policy moved from Financial section (FN19) to Administrative section. Policy Steward chaged to the Vice President for Administration.

Revision History (and effective dates):

• November 8, 2018 - Subject Matter Expert added.
• September 13, 2018 - Editorial changes to remove redundant Date Approved, Date Published, and Effective Date information.
• September 27, 2013 - Editorial changes. Addition of policy steward information, in the event that there are questions or requests for changes to the policy.
• August 20, 2012 - Editorial change in paragraphs 1 and 2 of the "Policy" section, changing the reference to "the Chair of the Subcommittee on Audit of the University's Board of Trustees" to "the Chair of the Committee on Audit and Risk of the University's Board of Trustees." Additionally, removed references to the Corporate Controller regarding authorization, to now read "Such authorization should be done in consultation with the Director of Internal Audit {removed Corporate Controller} and should only be given under unusual and special circumstances ......in a criminal investigation."
• September 4, 2008 - Editorial change in paragraph 2 of the "Policy" section, changing the reference to "the Chair of the University Board of Trustees' Subcommittee on Audit" to "the Chair of the Subcommittee on Audit of the University's Board of Trustees."
• November 29, 2006 - New Policy.