Internal Audit Policies and Procedures
Chapter 17 - Confidentiality of Information
The nature of internal audit work requires that, to the extent permitted by law, we have unrestricted access to all sources of information, property, and personnel at the University. Because we often work with sensitive matters or information that is not subject to public disclosure, we must take careful precautions to maintain the confidentiality of these items.
Our correspondence (including audit reports) and working papers are generally classified as public information. We should not include items in our working papers or communications that are protected by privacy laws or that could result in legal liability for the University or the individual who prepared the document. Our communications with the University Counsel’s Office are confidential.
Information that we obtain and documents that we prepare must not be given to anyone other than individuals within the University who have a need to know or the State Auditor’s staff except with the specific approval of the Director of Internal Audit or the Chancellor. Unauthorized disclosure of confidential information from personnel files is a misdemeanor and can result in disciplinary action.
While we may be compelled to provide copies of items from our working papers, we should refer requests for other information to the office that is responsible for those records; for example, Employee Records is responsible for personnel information. Subpoenas, other court orders, and requests under the Public Records Act should be referred to the senior University Counsel.
The following information from personnel records is public information and may be included in the working papers or written communications. An employee’s:
Students’ addresses, major, and other "directory information" may also be public information.
Employees’ and students’ names are public information but should not be used in documents we prepare if the name will be linked to or displayed with potentially confidential information, such as an evaluation of an employee’s performance. As a rule, we should structure a document so that the results of work performed are clear but should not include anything that makes information personally identifiable.
Federal and state privacy laws require that many types of information be protected from public disclosure. Penalties range from a possible misdemeanor conviction and fine for the individual who made the disclosure to loss of all funds the University receives from the US Department of Education until we can show voluntary compliance with privacy laws.
Confidential information includes, but is not limited to:
We should never include social security numbers in our working papers. If our audit procedures involve the review of confidential records, we should document the results of the review in a way that protects the privacy of the individual involved. For example, when scheduling the results of a review of financial aid or student health records, we should use a code number or initials to identify the records tested. We should also expunge names and social security numbers from copies of documents that are included in the working papers.
While we sometimes work with the State Bureau of Investigation when conducting misuse reviews, we cannot provide them with certain pieces of information without a court order or written consent of the individual involved. NCGS §126-24.5 states that information from personnel files not specifically designated as public "shall not be divulged for purposes of assisting in a criminal prosecution, nor for the purposes of assisting in a tax investigation."
Also see Section 13, "Misuse Investigations."
In some projects, we may review information that is not specifically protected by privacy laws but is proprietary or sensitive. Examples include records relating to research in process, contract negotiations, employee benefits, or past due accounts. We should handle these items in the same manner as confidential information.