Audit Notification Policy
Policy Summary
Information must not be provided to any person claiming to be an auditor (whether internal or external) unless the department to be audited or the individual from whom the information is requested has a working relationship with that auditor, or until the auditor’s identity and the propriety of the audit have been confirmed. This ensures the protection of confidential and other sensitive university information. In addition, departments and individuals must report all proposed audits to the Office of Ethics, Compliance, and Risk for the purpose of centralized tracking.
Who is Governed by this Policy
- Staff
- Faculty
Policy
Responsibility for Security of Information
Through the normal course of business the university generates and collects a significant amount of confidential and other sensitive information about current and former faculty, staff, students and patients, as well as about university operations. Access to and disclosure of such information must be appropriate, necessary, and for a clearly defined purpose. All members of the university community are responsible for safeguarding such information, for preventing its inadvertent disclosure, and for protecting the privacy of individuals and the integrity and reputation of the university.
Audit Verification and Notification Required
Information must not be provided to any person claiming to be an auditor unless the department to be audited or the individual from whom the information is requested has established a working relationship with that auditor. If the department or individual does not have a working relationship with the auditor, or if an auditor arrives unannounced, notify the Office of Ethics, Compliance, and Risk immediately. The Office of Ethics, Compliance, and Risk maintains a list of all audits being performed at the university and will help to identify all internal and external auditors and verify the propriety of the proposed audit, as necessary. When appropriate, the Office of Ethics, Compliance, and Risk will notify and work with the Office of the Senior Vice President and General Counsel and/or the Office of the University Controller in this regard. Once the propriety of the audit is confirmed, the department should make every effort to provide the requested information.
In addition to the foregoing, departments and individuals must report all proposed audits to the Compliance and Privacy Office for the purpose of centralized tracking.
Definitions
Auditors: Individuals who request to review and/or audit university records. Auditors include, but are not limited to auditors who are university employees or agents such as the audit companies the university contracts with for internal and external audits and auditors who are not university employees or agents such as District of Columbia auditors, sales tax auditors, or federal agency auditors.
Related Information
- Cybersecurity Risk Policy
- Personal Information and Privacy Policy
- Privacy of Student Records (FERPA) Policy
- Procedures Governing Summonses, Subpoenas, Lawsuits, Notices, and Letters from Lawyers
- Personal Information and Privacy Policy
Contacts
| Contact | Phone Number | Email Address |
|---|---|---|
| The Office of Ethics, Compliance, and Risk | 202-994-3386 | [email protected] |
Responsible University Official: Associate Vice President, Ethics, Compliance, and Risk
Responsible Office: Office of Ethics, Compliance, and Risk
Noncompliance with this policy can be reported through this website.