General University Reference Utility
To establish policy for the proper manner in which Confidential Internal Audit Reports and Confidential Other Internal Audit Documents can be distributed, as well as limiting such distribution to unauthorized external and internal parties.
This policy applies to all University academic and administrative units and locations. It applies to all uses of marked or unmarked Confidential Internal Audit Reports or Confidential Other Internal Audit Documents regardless of the format in which such information resides.
Confidential Internal Audit Reports- The final signed original report or signed photocopy of such report that communicates the results of an audit, special investigation or other procedures undertaken by the University's Internal Audit Department as a result of a financial hotline report, information received directly from an individual in a manner other than the financial hotline alleging impropriety and/or fraud, and standard audit procedures performed by Internal Audit that uncover a fraudulent act or other impropriety with respect to statutes or regulations. Also, other Internal Audit Reports that may contain sensitive information in the judgment of the Director of Internal Audit could be identified and labeled as a Confidential Internal Audit Report. All Confidential Internal Audit Reports must be clearly stamped "CONFIDENTIAL" on each and every page.
Confidential Other Internal Audit Documents- Any documents, either hard copy or electronic, that were used and retained as a work paper by Internal Audit or other correspondence, either hard copy or electronic, retained in support of work performed in connection with the issuance of a Confidential Internal Audit Report is considered confidential for purposes of this policy.
Any Confidential Internal Audit Reports or Confidential Other Internal Audit Documents, as both are defined under "Definition of Terms", shall not be distributed to anyone outside the University, unless otherwise authorized by the Senior Vice President for Finance & Business, the President of the University and/or the Chair of the Committee on Audit and Risk of the University's Board of Trustees. Such authorization should be done in consultation with the Director of Internal Audit and should only be given under unusual and special circumstances clearly warranting such disclosure, such as for the purpose of providing assistance in a criminal investigation. Such authorization will be given either in a written memo or letter or in an electronic format via an email.
Internal University distribution of the Confidential Internal Audit Report shall be limited as stated within the report itself. Similar to the external distribution policy mentioned above, Confidential Other Internal Audit Documents shall not be distributed to anyone within the University other than those involved in the audit procedures, unless otherwise authorized by the Senior Vice President for Finance & Business, the President of the University and/or the Chair of the Committee on Audit and Risk of the University's Board of Trustees. As noted above, such authorization should be done in consultation with the Director of Internal Audit and there should be either printed or electronic evidence of the authorization.
Violation of this Policy may result in initiation of legal action by the University and appropriate disciplinary action, which may include dismissal.
For questions, additional detail, or to request changes to this policy, please contact the Office of Internal Audit.
Most Recent Changes:
Revision History (and effective dates):