confidentiality of workpapers and draft audit reports · · 2013-10-21no past or present grand...

Confidentiality of Workpapers and Draft Audit Reports 1

TOPIC: Confidentiality of Workpapers and Draft Audit Reports OFFICE: Auditor STATE: OK DATE: 09/26/12 QUESTION / ISSUE: Regarding open records requests for public information, do your state laws provide an exemption, as privileged and confidential information, for the following: 1. State auditor’s workpapers 2. State auditor draft reports Please provide a separate response for each, and include a link to the relevant state statute.

State Comments Alabama In Alabama our workpapers including the draft report are protected by statute.

See Code of Alabama 1975. Section 41-5-21 shown below:

Section 41-5-21 Examiners to make sworn reports of audits. The examiners shall make a sworn report of their findings within a reasonable time after an audit is completed. The Chief Examiner shall certify one copy of each report to the circuit judge of the county in which the office examined is located. The judge shall refer to the report in his next oral charge to the grand jury. The report shall be entered in full upon the minutes of the court. Such reports shall be public records and prima facie evidence of what they charge. Working papers used in the preparation of such reports shall be subject to and treated as being under the provisions of Section 12-16-216 and shall be subject to review by a court of competent jurisdiction only. One copy of each report shall be certified to the Governor. (Acts 1947, No. 351, p. 231, §18; Acts 1992, No. 92-625, p. 1481, §1.)

The Code of Alabama 1975, Section 12-16-216 referred to in the Code Section above is shown below.

Section 12-16-216

Grand juror, witness, etc., prohibited from revealing, disclosing, etc., form, nature, etc., of physical evidence or questions asked; no person to directly, indirectly, etc., by any means, obtain information as to physical evidence or questions asked; exception as to state prosecutions.

No past or present grand juror, past or present grand jury witness or grand jury reporter or stenographer shall willfully at any time, directly or indirectly, conditionally or unconditionally, by any means whatever, reveal, disclose or divulge or endeavor to reveal, disclose or divulge or cause to be revealed, disclosed or divulged, any knowledge of the form, nature or content of any physical evidence presented to any grand jury of this state or any knowledge of the form, nature or content of any question propounded to any person within or before any grand jury or any comment made by any person in response thereto or any other evidence, testimony or conversation occurring or taken therein. Nor shall any person at any time directly or indirectly, conditionally or unconditionally, by any means whatever, corruptly or with intent to influence a grand juror or other person authorized by law to attend a grand jury, or by threats of harm to person or property, or by force applied to person or property or by threatening letter or communication, or by offer of reward, remuneration, gift, benefit or thing of value of whatever nature and kind, obtain or endeavor to obtain any knowledge of the form, nature or content of any physical evidence


State Comments presented to any grand jury of this state, or any knowledge of the form, nature or content of any question propounded to any person within or before any grand jury, or any knowledge of the form, nature or content of any answer or comment made by any person in response thereto, or any other evidence, testimony, or conversation occurring or taken therein.

Provided however, the State of Alabama shall not be precluded from using the testimony of a grand jury witness to impeach that witness's testimony in the trial of a criminal case, nor shall the State of Alabama be precluded from using grand jury testimony to prosecute a perjury warrant or indictment, nor shall the State of Alabama be precluded from using grand jury testimony in any manner otherwise permitted by law. Further, provided however, that grand jury evidence and testimony may be presented to grand juries of other circuits and jurisdictions upon the issuance of a proper grand jury subpoena.

(Acts 1979, No. 79-457, p. 745, §3.)Arizona Arizona’s law states that working papers and other audit files maintained by the

auditor general are not public records and are exempt from title 39, chapter 1 (open public records). The information contained in such working papers and audit files prepared pursuant to a specific audit is not subject to disclosure, except to the attorney general and to any county attorney in connection with an investigation made or action taken in the course of their official duties. The law does not specifically refer to draft reports; however, the Arizona Attorney General has opined that drafts of performance audit reports are not public records. We also consider and treat our financial audit drafts as working papers and similarly not subject to disclosure. The link to the relevant state statute is: http://www.azleg.gov/FormatDocument.asp?inDoc=/ars/41/01279-05.htm&Title=41&DocType=ARS

Arkansas Below is the AR Code section that addresses draft reports – note that it makes final reports available for inspection:

§ 10-4-417. Presentation and filing of audit reports

(a) All audit reports prepared by the Division of Legislative Audit and any audit report required to be filed with the Legislative Auditor or the Division of Legislative Audit shall be presented to the Legislative Joint Auditing Committee or a standing committee thereof. (b) Copies of all audit reports prepared by the Division of Legislative Audit, and any audit report required to be filed with the Legislative Auditor or the division shall be presented on the website of the division in a manner suitable for downloading and printing. (c) All final reports shall be open to public inspection after presentation to the Legislative Joint Auditing Committee or after being approved for early release by the cochairs of the Legislative Joint Auditing Committee. (d)(1) The governing body and executive official of an entity of the state or political subdivision of the state shall receive a copy of the entity's audit report prior to presentation to the Legislative Joint Auditing Committee. (2) Until the reports are presented to the Legislative Joint Auditing Committee or approved for early release by the cochairs of the Legislative Joint Auditing Committee, the reports are not considered public information and are not open to public inspection.


State Comments (e) The exemption from public inspection under subsections (c) and (d) of this section applies to all reports in the custody or possession of any person before presentation of the report to the Legislative Joint Auditing Committee or approval for early release, regardless of the actual physical location of the report. And here is the Code section that addresses workpapers:

§ 10-4-422. Records --Public inspection (a) The Legislative Auditor shall keep, or cause to be kept, a complete, accurate, and adequate set of fiscal transactions of the Division of Legislative Audit. (b) The Legislative Auditor shall also keep paper, digital, or electronic copies of all audit reports, examinations, investigations, and any other reports or releases issued by the Legislative Auditor. (c)(1) All working papers, including communications, notes, memoranda, preliminary drafts of audit reports, and other data gathered in the preparation of audit reports by the division are exempt from all provisions of the Freedom of Information Act of 1967, § 25-19-101 et seq., and are not to be considered public documents for purposes of inspection or copying under the Freedom of Information Act of 1967, § 25-19-101 et seq., or any other law of the State of Arkansas, except as provided in this subsection. (2) After any audit report has been presented to members of the Legislative Joint Auditing Committee, the audit report and copies of any documents contained in the working papers of the division shall be open to public inspection, except documents specifically exempted from disclosure under the Freedom of Information Act of 1967, § 25-19-101 et seq., unsubstantiated allegations obtained in complying with the provisions of the American Institute of Certified Public Accountants' Statement on Auditing Standards Number 99 or other professional guidelines regarding the detection of fraud, and documents which disclose auditing procedures and techniques as defined in subdivision (c)(3) of this section. (3) As used in this subsection: (A) “Audit program” means the instructions and guidelines formulated by the division to inform its accountants about the examination procedures to be followed in the course of examining records and accounts to verify their accuracy, including verifications that the examination procedures have been followed; and (B) “Documents which disclose auditing procedures and techniques” includes: (i) Internal control questionnaires consisting of the checklist of accounting and administrative procedures employed by the Division of Legislative Audit in the course of performing an audit; and (ii) An audit program. We also have confidentiality laws regarding callers to our fraud hotline.

Colorado State law in Colorado protects the confidentiality of our work papers and draft reports. Specifically, the draft report remains confidential until released by our Legislative Audit Committee (LAC). (Our LAC meets most months to release audit reports and hear our presentations about them and the agencies' responses.) In addition, our work papers remain confidential unless released by the LAC. Occasionally, we get requests to release some of our work papers but, to date, the LAC has always voted not to release the work papers. I've provided the relevant statutory language below. If you want to look at the statutes directly, here's a link: http://www.lexisnexis.com/hottopics/Colorado/ 2-3-103. Duties of state auditor - definitions (2) The state auditor shall prepare for the committee reports and recommendations


State Comments on the postaudits conducted, and, under the direction of the committee, he shall prepare an annual report to contain, among other things, copies of or the substance of audit reports on the various departments, institutions, and agencies as well as a summary of recommendations made in regard thereto. All reports shall be open to public inspection except for that portion of any report containing recommendations, comments, and any narrative statements which is released only upon the approval of a majority vote of the committee. (3) The state auditor shall keep a complete and accurate set of records on the fiscal transactions of the state auditor's office, and shall also keep a complete file of copies of all audit reports, including work papers, and copies of examinations, investigations, and any other reports or materials issued by the state auditor, the state auditor's staff, or by the committee. The work papers of the office of the state auditor shall be open to public inspection only upon approval of a majority of the members of the committee. Only the specific work papers that the committee votes to approve for disclosure shall be open to public inspection. Work papers that have not been specifically approved for disclosure by a majority vote of the committee shall remain confidential. Under no circumstances shall the work papers be open to public inspection prior to the completed report being filed with the committee. 2-3-103.7. Disclosure of reports before filing (1) Any state employee or other individual acting in an oversight role as a member of a committee, board, or commission who willfully and knowingly discloses the contents of any report prepared by or at the direction of the state auditor's office prior to the release of such report by a majority vote of the committee as provided in section 2-3-103 (2) is guilty of a misdemeanor and, upon conviction thereof, shall be punished by a fine of not more than five hundred dollars. (2) This section shall not apply to necessary communication of employees of the state auditor's office or employees of any person contracting to provide services for the state auditor's office with those persons necessary to complete the audit report or with other state agencies involved with comparable reports.

Connecticut We regard both our draft reports and relevant workpapers to be not open under freedom of information laws, based on the statute CGS 1-210(b)(2). We can choose to release drafts and workpapers, but we are not required to do so. http://www.cga.ct.gov/current/pub/chap014.htm#Sec1-210.htm

Georgia Work Papers: Working papers are deemed to be privileged and confidential information while an audit is in progress. Upon report issuance, the working papers then become open records. Georgia’s open record laws provide for exceptions, such as records containing public employee’s home address, home telephone number, day and month of birth date, social security numbers, and medical information. Draft Reports: If copies of draft reports are maintained as a part of the working papers then they would be available for inspection under Georgia’s open record laws upon report issuance. There is no requirement that draft reports be maintained. This would be up to the discretion of the auditor. Link to State Statutes: The Official Code of Georgia Annotated can be found by going to the Georgia General Assembly’s website, http://www.legis.ga.gov/en-US/default.aspx.


State Comments Pertinent code sections can be found at: O.C.G.A. 50-6-9 (State Auditor statutes pertaining to working papers and draft reports) O.C.G.A. 50-18-70 through 77 (Georgia’s statutes pertaining to Inspection of Public Records) O.C.G.A. 50-18-72 (Statutes dealing with exceptions to public disclosure)

Guam In reference to the information requested, Guam OPA’s enabling act does provide an exemption, as privileged and confidential information for both working papers and draft reports. Below is the Guam Code Annotated citation. 1 Guam Code Annotated § 1909.1. Confidentiality of Investigations.

a. Except pursuant to a subpoena issued by a court of competent jurisdiction for good cause shown, or the powers afforded I Liheslaturan Guåhan [the Legislature] under Legislative Investigative Powers, 2 GCA Chapter 3, the Public Auditor shall not be required to disclose any working papers. For the purposes of this Section, >working papers=means the notes, internal memoranda and records of work performed by the Public Auditor on audits and other investigations made pursuant to this Chapter, including any and all project evidence collected and developed by the Public Auditor.

b. Information received by the Public Auditor alleging criminal activity or alleging wrongful use of government funds or property is privileged. Neither the Public Auditor nor any person employed by the Public Auditor shall disclose the identity of the person providing that information, unless such failure to disclose infringes upon the Constitutional rights of the accused. Nor shall the Public Auditor, nor any person employed by the Public Auditor, be required to produce any records, documentary evidence, opinions or decisions relative to such privileged communication or information: (i) in connection with any criminal case, criminal proceeding or any administrative hearing of whatever nature, or (ii) by way of any discovery procedure.

c. Any person arrested or charged with a criminal offense may petition the Court for an in camera inspection of the records of a privileged communication or information received by the Public Auditor, and which is material to the criminal charge brought against the person. The petition shall allege facts showing that such records would: (i) provide evidence favorable to the accused; (ii) be relative to the issue of guilt; and (iii) cause a deprivation of a constitutional right if such communication or information is not disclosed. If on the basis of such criteria, the Court determines that the person is entitled to all or any part of such records, it may order its production and disclosure to the degree necessary, protecting to the extent possible, the identity of the person who has informed the Public Auditor of such matter.

d. Disclosure of a privileged communication or privileged information in violation of this Section shall be a felony of the third degree.

SOURCE: Added by P.L. 26-76:58.

Illinois The Illinois State Auditing Act [30 ILCS 5/3-11] specifically provides that: "All records, files, work papers and other material maintained by the Auditor General shall be available for public inspection, except as otherwise provided by regulation or to the extent that information contained therein is made confidential or


State Comments privileged by law. The Auditor General shall adopt regulations governing the availability to the public and agencies of the records, files, work papers and other material that he maintains. Such regulations may bar the public disclosure of materials during the conduct of a post audit, investigation, special study or review pertaining to such materials or whenever the information contained in such materials is of a confidential nature according to standards established in those regulations. Notwithstanding any regulation of the Auditor General, the Commission may order that a document, paper, file, record, work paper or other material be disclosed to the Commission or to the public. All reports issued by the Auditor General shall be maintained permanently as a public record in the office of the Auditor General.” An unofficial version of the Illinois statutes can be accessed at www.ilga.gov. The Illinois Auditor General has adopted regulations governing the availability of information and those regulations are published in the Illinois Administrative Code. The following excerpted sections are pertinent to your question: Section 420.620 General Provisions a) AVAILABILITY OF INFORMATION. Except as provided in Section 420.630 of this Part, all information maintained by the Office of the Auditor General shall be public information and shall be available to the public as provided by this Subpart. Section 420.630 Confidential Information a) Statutory. All information maintained by the office that was confidential by or pursuant to law when secured by the Auditor General shall be maintained in accordance with Section 6-1 of the Illinois State Auditing Act [30 ILCS 5/6-1] and other applicable law. b) Information Related to Current Work. 1) Information not otherwise confidential, but acquired or developed as part of an ongoing audit, attestation engagement, investigation, study, or inquiry shall be classified confidential until the conclusion of the audit, attestation engagement, investigation, study, or inquiry to which the information pertains. The Auditor General may release the information only to: A) persons or entities named in the audit, attestation engagement, investigation, study, or inquiry to which the information pertains; B) governmental agencies with whom the Auditor General is jointly conducting or co-operating on an audit or attestation engagement, to the extent necessary for the conduct of the audit or attestation engagement; C) prosecutorial offices, government agencies with investigatory powers and sworn law enforcement agencies if approved by the Auditor General but subject to subsection (b)(3) of this Section; and


State Comments D) current or potential contractors, but only on a need to know basis, for specific audit or engagement purposes. 2) The issuance of the final report shall establish the conclusion of the audit, attestation engagement, investigation, study, or inquiry that is the subject of the report, and all information acquired or developed as part of the audit, attestation engagement, investigation, study, or inquiry and classified confidential by operation of this subsection (b) shall at that time become public information, unless the Auditor General provides otherwise pursuant to subsection (c) or Section 420.640(h) of this Part. 3) Prosecutorial offices, government agencies with investigatory powers and law enforcement agencies shall not obtain through, or in conjunction with, the Office of the Auditor General, data, information, or evidence that the prosecutorial office, government agency with investigatory powers or law enforcement agency could not lawfully obtain through its own authorities. These regulations can be accessed on the internet at: http://www.ilga.gov/commission/jcar/admincode/074/07400420sections.html. In summary, in Illinois the Auditor General's workpapers are public documents following the release of the audit to which the workpapers pertain. Information in those workpapers that is confidential or privileged by law is expurgated before the audit release.

Iowa Our workpapers and draft audit reports are confidential under section 11.42 of the Code of Iowa, which can be found at: https://www.legis.iowa.gov/DOCS/ACO/IC/LINC/Section.11.42.pdf

Kansas In Kansas, workpapers are confidential until the audit report is issued (unless the workpaper contains confidential information, in which case it remains confidential) K.S.A. 45-221 (20) Draft reports are confidential until they are issued. (K.S.A. 46-1128)

Kentucky These two items are covered under the same statute in Kentucky. The law attached has two highlighted sections that relate to exclusions from the open record laws for draft documents and preliminary recommendations. Kentucky Attorney General Opinions (OAG 78-816 and others) have opined that these exclusions pertain to audit working papers and draft reports. I have attached the most recent information that I’m aware of issued by the Kentucky Attorney General (10-ORD-164) that also upholds this for your information.

Maryland 1. State auditor’s workpapers – Under the provisions of State law (State Government Article, 2-1226 of the Annotated Code of Maryland, see link below), information that an employee or authorized representative of the Office of Legislative Audits obtains during an examination generally is confidential and may not be disclosed except to another employee or representative of the Office. There are two exceptions under which the Legislative Auditor may disclose information obtained during an examination only to the following: (1) another employee of the Department of Legislative Services with the approval of the Executive Director: (2) federal, State, or local officials, or their auditors, who provide evidence to the Legislative Auditor that they are performing investigations, studies, or audits and who justify the need for the specific information requested.

http://www.lexisnexis.com/hottopics/mdcode/ (You’ll need to “drill down” to SGA


State Comments Title 2, Subtitle 12)

2. State auditor draft reports – Draft reports are issued in order to obtain agency

responses as required by generally accepted government auditing standards. There are no separate legal provisions that specifically addresses the confidentiality of draft audit reports; such drafts are covered by the general provisions of SGA Section 2-1226 referenced above. State Government Article 2-1224 provides that the Legislative Auditor shall submit a report to the Joint Audit Committee (of the MD General Assembly) upon the completion of each examination and that the report shall include the response of the audited entity, subject to procedures approved by the Joint Audit Committee. The Policy on Agency Responses Issued by the Office of Legislative Audits approved by the Joint Audit Committee requires that the Office of Legislative Audits and the agency under examination shall keep the audit report confidential until distributed by the Office at which time the document is available to the public (generally three business days after the report is distributed to the audited agency and other officials established in law).

Massachusetts The Massachusetts Office of the State Auditor (OSA) relies on the following exemption in section 7(26)(d) of chapter 4 of the General Laws – http://www.malegislature.gov/Laws/GeneralLaws/PartI/TitleI/Chapter4/Section7 -- as grounds for exempting workpapers and draft reports prior to their issuance:

(d) inter-agency or intra-agency memoranda or letters relating to policy positions being developed by the agency; but this subclause shall not apply to reasonably completed factual studies or reports on which the development of such policy positions has been or may be based;

Once an audit report is issued, however, that exemption does not apply. In many cases, OSA has relied on another exemption – exemption (b) -- to redact or withhold workpapers that might identify information that would interfere with our ability to audit, or which would reveal the identify of the auditors assigned to a particular project:

(b) related solely to internal personnel rules and practices of the government unit, provided however, that such records shall be withheld only to the extent that proper performance of necessary governmental functions requires such withholding;

In rare instance, in which an audit leads to an investigation by law enforcement, OSA relies on exemption (f) to withhold such papers:

(f) investigatory materials necessarily compiled out of the public view by law enforcement or other investigatory officials the disclosure of which materials would probably so prejudice the possibility of effective law enforcement that such disclosure would not be in the public interest

Minnesota (state auditor)

1. State auditor's workpapers – Data relating to an audit are protected nonpublic data until the final report of the audit has been published. Once an OSA audit is issued, work papers are public. https://www.revisor.mn.gov/statutes/?id=6.715 (The reference to Section 609.456 in the statute applies to investigations).

2. State auditor draft reports – Data relating to an audit are protected nonpublic data until the final report of the audit has been published (see subd 5). https://www.revisor.mn.gov/statutes/?id=6.715

Missouri At the Office of State Auditor, our audit working papers and draft audit reports are


State Comments considered confidential information based on the following statutory sections available at the Web site http://moga.mo.gov/:

Examiners--oath and bond. 29.070. Every examiner appointed by the state auditor shall, before entering upon the duties of his appointment, take and file in the office of the secretary of state an oath to support the constitution of the state, to faithfully demean himself in office, to make fair and impartial examinations, and that he will not accept as presents or emoluments any pay, directly or indirectly, for the discharge of any act in the line of his duty other than the remuneration fixed and accorded to him by law, and that he will not reveal the condition of any office examined by him or any information secured in the course of any examination of any office to anyone except the state auditor, and every examiner shall enter into a bond, payable to the state of Missouri, in the sum of ten thousand dollars, to be approved by the state auditor and deposited in the office of the state treasurer conditioned that he will faithfully perform his duties as such examiner, and in case any such examiner shall knowingly report any officer as being a defaulter or as not being a defaulter, and knowing the same to be otherwise, and any person be injured thereby, such person shall have a right of action on such bond for his injuries; such action shall be brought in the name of the state and at the relation of the injured party. Examiners--violation of oath--penalty. 29.080. For any violation of his oath of office or of any duty imposed upon him by this chapter, any examiner shall be guilty of a felony, and upon conviction shall be punished by imprisonment in the penitentiary for a term not exceeding five years, or by a fine not less than one hundred dollars or by imprisonment in the county jail for not less than one nor more than twelve months, or by both such fine and imprisonment.

The Missouri Sunshine (open records) Law does not specifically address work products of the Office of State Auditor; see Chapter 610 of the Missouri Revised Statutes available at the Web site referred to above.

Montana The following is our office policy on the release of working papers (we consider our draft reports as working papers). This doesn’t assure that we won’t be taken to court for release of our information but at least we have ground to stand on until pressured. Following policy is better than having no basis at all… Release of Working Papers 5.31 Working papers, both hard copy and electronic, are considered internal documents that are not appropriate for external distribution. The organization and method in which working papers are retained provides context for the information contained in the documents. Working papers, without proper context, could provide misleading or inaccurate information to an unfamiliar reader. Audit Working Papers Requests 5.32 All requests for working papers will go through our legal counsel. If a member of the public requests information, you may provide a contact at the agency rather than be a conduit for dissemination of information outside of an audit. If a request is for audit analysis, the auditor and legal counsel will discuss whether it is privileged under this policy or not. 5.33 Section 37-50-402, MCA, (1) “Except by permission of the client, person, or firm engaging a certified or licensed public accountant or an employee of the accountant or by permission of the heirs, successors, or personal representatives of the client, person, or firm and except for the expression of opinions on financial


State Comments statements, a certified public accountant, licensed public accountant, or employee may not be required to disclose or divulge or voluntarily disclose or divulge information that the certified or licensed accountant or an employee may have relative to and in connection with any professional services as a public accountant. The information derived from or as a result of professional services is considered confidential and privileged. (emphasis added)” (2) “The provisions of this section do not apply to the testimony or documents of a public accountant furnished pursuant to a subpoena in a court of competent jurisdiction, pursuant to a board proceeding, or in the process of any board-approved practice review program.” 5.34 Until audit conclusions are culminated and concurred, information derived while conducting our professional audit services under Title 5, MCA, is considered privileged.

Nebraska State auditor’s workpapers – Our work papers are not public information per statute. Nebraska Revised Statute 84-311. Reports and working papers; disclosure status; penalty.

(1) All final audit reports issued by the Auditor of Public Accounts shall be maintained permanently as a public record in the office of the Auditor of Public Accounts. Working papers and other audit files maintained by the Auditor of Public Accounts are not public records and are exempt from sections 84-712 to 84-712.05. The information contained in working papers and audit files prepared pursuant to a specific audit is not subject to disclosure except to a county attorney or the Attorney General in connection with an investigation made or action taken in the course of the attorney's official duties or to the Legislative Performance Audit Committee in the course of the committee's official duties and pursuant to the requirements of subdivision (16) of section 50-1205 or subdivision (5) of section 84-304. Public entities being audited and the federal agencies that have made grants to public entities being audited shall also have access to the relevant working papers and audit files. For purposes of this subsection, working papers means those documents containing evidence to support the auditor's findings, opinions, conclusions, and judgments and includes the collection of evidence prepared or obtained by the auditor during the audit. The Auditor of Public Accounts may make the working papers available for purposes of an external quality control review as required by generally accepted government auditing standards. However, any reports made from such external quality control review shall not make public any information which would be considered confidential under this section when in the possession of the Auditor of Public Accounts.

(2) If the Auditor of Public Accounts or any employee of the Auditor of Public Accounts knowingly divulges or makes known in any manner not permitted by law any record, document, or information, the disclosure of which is restricted by law, he or she is subject to the same penalties provided in section 84-712.09.

State auditor draft reports – We consider our drafts to be work papers and thus fall under the above Statute.

Nevada The statute providing for the confidentiality of working papers in Nevada is shown below, and can also be found at this link: http://www.leg.state.nv.us/Division/Legal/LawLibrary/NRS/NRS-218G.html#NRS218GSec130 We consider the draft report to be a component of the working papers.


State Comments NRS 218G.130 Retention of audit reports and other documents; confidentiality and destruction of working papers from audits; exceptions. 1. The Legislative Auditor shall keep or cause to be kept a complete file of copies of all reports of audits, examinations, investigations and all other reports or releases issued by the Legislative Auditor. 2. All working papers from an audit are confidential and may be destroyed by the Legislative Auditor 5 years after the report is issued, except that the Legislative Auditor: (a) Shall release such working papers when subpoenaed by a court or when required to do so pursuant to NRS 239.0115; or (b) May make such working papers available for inspection by an authorized representative of any other governmental entity for a matter officially before the authorized representative or by any other person authorized by the Legislative Commission.

New Hampshire Our audit work papers, including drafts of audit reports, are confidential and are not public records by statute. The following is a link to the statute – Revised Statutes Annotated (RSA) 14:31-a, II: http://www.gencourt.state.nh.us/rsa/html/I/14/14-31-a.htm

North Carolina State law makes our workpapers confidential unless a superior court judge orders that access is necessary to the proper administration of justice. We consider draft reports to be audit workpapers.

Ohio Pursuant to Ohio Revised Code 117.26 and policies of the Auditor of State, draft audit reports and audit work papers are not public records until the report is released. http://codes.ohio.gov/orc/117.26 Pursuant to Ohio Revised Code 4701.19 (B) the work papers of an audit conducted by an Independent Public Accountant are not public records; even in the possession of the Auditor of State. http://codes.ohio.gov/orc/4701.19

Oregon In the 2011 Legislative Session we just managed to establish the confidentiality of our workpapers and draft report until the audit is provided to the agency for its response. This was not easy and it required considerable discussion with representatives of the news industry. Here is the language: "(36) Any document or other information related to an audit of a public body, as defined in ORS 174.109, that is in the custody of an auditor or audit organization operating under nationally recognized government auditing standards, until the auditor or audit organization issues a final audit report in accordance with those standards or the audit is abandoned. This exemption does not prohibit disclosure of a draft audit report that is provided to the audited entity for the entity’s response to the audit findings." You can find our records confidentiality laws at 192.501 here: http://www.leg.state.or.us/ors/192.html We also have confidentiality laws regarding callers to our fraud hotline.

Pennsylvania In Pennsylvania, there is an exemption for both work papers and draft audit reports. The source for both is Section 67.708(b)(17) of the Right-to-Know Law (65 P.S. 67.708(b)(17)).

South Carolina Audit working papers and draft reports are not subject to public disclosure. Below is the citation from the South Carolina State law. SECTION 11-7-35. Access to records and facilities of state and private agencies


State Comments receiving appropriated state monies; confidentiality. In order to carry out his duties, the State Auditor and his assistants or designees must have access to all records and facilities of every state agency during normal operating hours. The State Auditor and his assistants or designees shall have access to all relevant records and facilities of a private organization receiving appropriated state monies, relating to the management and expenditures of these state monies, during the organization's normal operating hours. In the performance of his official duties, the State Auditor and his assistants or designees are subject to the statutory provisions and penalties regarding the confidentiality of records of the agency or organization under review. All audit working papers and memoranda of the State Auditor, except final audit reports, are confidential and not subject to public disclosure.

Tennessee Under Tennessee law, all records made or received pursuant to law or ordinance, or in connection with the transaction of official business by any government agency are open for public inspection, unless made exempt from disclosure. Tenn. Code Ann. § 10-7-503. In Tennessee, the audit working papers of the Comptroller of the Treasury, and state, county and local government internal audit staffs are made exempt from disclosure by Tenn. Code Ann. § 10-7-504(a)(22). “Audit working papers” includes, but is not limited to, auditee records, intra-agency and interagency communications, draft reports, schedules, notes, memoranda and all other records relating to an audit or investigation. (Emphasis added). The protection afforded under this statute makes the records confidential, but does not grant them privileged status. Therefore, the audit working papers are discoverable in relevant criminal, civil, or administrative proceedings.

Utah Both questions 1 & 2 apply to the following Utah Code sections: 67-3-1 (14) http://le.utah.gov/~code/TITLE67/htm/67_03_000100.htm 63G-2-305 (9) (b) and (e) http://le.utah.gov/~code/TITLE63G/htm/63G02_030500.htm 63G-2-305 (15) http://le.utah.gov/~code/TITLE63G/htm/63G02_030500.htm 63G-2-204 (2)(b) http://le.utah.gov/~code/TITLE63G/htm/63G02_020400.htm

Vermont 1. Vermont state law does not provide a specific exemption for audit workpapers. 2. Vermont state law does not provide a specific exemption for draft reports. However, Vermont state law (3 VSA 318) requires that agencies have a records management program. The Vermont State Auditor’s Office has adopted general schedules (various types of records) promulgated by the state’s archivist. Per the guidelines in these schedules, the only draft reports that we maintain are the draft report provided to management for comment and the drafts used for referencing purposes.

Wisconsin Regarding workpapers: During the course of an audit, our workpapers are confidential as provided for in s. 13.94, Wis. Stats., which includes: “The bureau shall be strictly nonpartisan and shall at all times observe the confidential nature of any audit currently being performed.” However, once an audit is completed and our report issued, our workpapers are open records unless they contain confidential information, in which case a Wisconsin Attorney General’s opinion specified that the Audit Bureau may keep these records confidential, too. In addition, we would apply the “balancing test” to decide whether other information should be kept confidential. The “balancing test” is a test that Wisconsin governments use to decide if the harm in disclosing the information outweighs the right for the public to have access to such information. For example, we would apply the balancing test if someone requested access to our review of IT security issues that could discuss weaknesses in access to


State Comments confidential data. Here is a link to a short discussion of the balancing test that I found on the Internet: http://www.uwsa.edu/gc-off/deskbook/wprl.htm Regarding draft reports, our policy is to exclude the drafts from our workpapers and destroy them before the final report is issued. Therefore, there should not be any available in the event an open records request is made. While s. 16.61(2)(b)5, Wis. Stats., specifies that “Drafts” are not public records and, therefore, not subject to public records requests, there is some precedent that if a draft is circulated outside of a state agency, it could become a public record.

Wyoming Only the published report is public. http://legisweb.state.wy.us/statutes/statutes.aspx?file=titles/Title9/T9CH1AR5.htm 9-1-512. Reports required by law not open for public examination; exceptions; forms for reports. The director of the state department of audit shall receive and place on file in his office all reports required by law. None of the reports, except as provided by W.S. 9-1-507(k) and the published statement of banks and public offices, are public records or open for public inspection. The state banking commissioner may furnish to the federal reserve bank and its examiners copies of all reports and information pertaining to the condition of the state bank members of the federal reserve system. He may furnish to the federal deposit insurance corporation copies of all reports and information pertaining to the condition of state banks in which the corporation is interested. The state banking commissioner may share examination and other reports with other bank supervisory agencies as authorized by W.S. 13-2-807 and 13-9-316. The director of the state department of audit shall prescribe and distribute the forms for all reports his office is required by law to make.

61.878 Certain public records exempted from inspection except on order of court -- Restriction of state employees to inspect personnel files prohibited.

(1) The following public records are excluded from the application of KRS 61.870 to 61.884 and shall be subject to inspection only upon order of a court of competent jurisdiction, except that no court shall authorize the inspection by any party of any materials pertaining to civil litigation beyond that which is provided by the Rules of Civil Procedure governing pretrial discovery: (a) Public records containing information of a personal nature where the public

disclosure thereof would constitute a clearly unwarranted invasion of personal privacy;

(b) Records confidentially disclosed to an agency and compiled and maintained for scientific research. This exemption shall not, however, apply to records the disclosure or publication of which is directed by another statute;

(c) 1. Upon and after July 15, 1992, records confidentially disclosed to an agency or required by an agency to be disclosed to it, generally recognized as confidential or proprietary, which if openly disclosed would permit an unfair commercial advantage to competitors of the entity that disclosed the records;

2. Upon and after July 15, 1992, records confidentially disclosed to an agency or required by an agency to be disclosed to it, generally recognized as confidential or proprietary, which are compiled and maintained: a. In conjunction with an application for or the administration of a

loan or grant; b. In conjunction with an application for or the administration of

assessments, incentives, inducements, and tax credits as described in KRS Chapter 154;

c. In conjunction with the regulation of commercial enterprise, including mineral exploration records, unpatented, secret commercially valuable plans, appliances, formulae, or processes, which are used for the making, preparing, compounding, treating, or processing of articles or materials which are trade commodities obtained from a person; or

d. For the grant or review of a license to do business. 3. The exemptions provided for in subparagraphs 1. and 2. of this

paragraph shall not apply to records the disclosure or publication of which is directed by another statute;

(d) Public records pertaining to a prospective location of a business or industry where no previous public disclosure has been made of the business' or industry's interest in locating in, relocating within or expanding within the Commonwealth. This exemption shall not include those records pertaining to application to agencies for permits or licenses necessary to do business or to expand business operations within the state, except as provided in paragraph

KENTUCKY

(c) of this subsection; (e) Public records which are developed by an agency in conjunction with the

regulation or supervision of financial institutions, including but not limited to, banks, savings and loan associations, and credit unions, which disclose the agency's internal examining or audit criteria and related analytical methods;

(f) The contents of real estate appraisals, engineering or feasibility estimates and evaluations made by or for a public agency relative to acquisition of property, until such time as all of the property has been acquired. The law of eminent domain shall not be affected by this provision;

(g) Test questions, scoring keys, and other examination data used to administer a licensing examination, examination for employment, or academic examination before the exam is given or if it is to be given again;

(h) Records of law enforcement agencies or agencies involved in administrative adjudication that were compiled in the process of detecting and investigating statutory or regulatory violations if the disclosure of the information would harm the agency by revealing the identity of informants not otherwise known or by premature release of information to be used in a prospective law enforcement action or administrative adjudication. Unless exempted by other provisions of KRS 61.870 to 61.884, public records exempted under this provision shall be open after enforcement action is completed or a decision is made to take no action; however, records or information compiled and maintained by county attorneys or Commonwealth's attorneys pertaining to criminal investigations or criminal litigation shall be exempted from the provisions of KRS 61.870 to 61.884 and shall remain exempted after enforcement action, including litigation, is completed or a decision is made to take no action. The exemptions provided by this subsection shall not be used by the custodian of the records to delay or impede the exercise of rights granted by KRS 61.870 to 61.884;

(i) Preliminary drafts, notes, correspondence with private individuals, other than correspondence which is intended to give notice of final action of a public agency;

(j) Preliminary recommendations, and preliminary memoranda in which opinions are expressed or policies formulated or recommended;

(k) All public records or information the disclosure of which is prohibited by federal law or regulation;

(l) Public records or information the disclosure of which is prohibited or restricted or otherwise made confidential by enactment of the General Assembly;

(m) 1. Public records the disclosure of which would have a reasonable likelihood of threatening the public safety by exposing a vulnerability in preventing, protecting against, mitigating, or responding to a terrorist act and limited to: a. Criticality lists resulting from consequence assessments;

KENTUCKY

ecarlin

Highlight

ecarlin

Highlight

b. Vulnerability assessments; c. Antiterrorism protective measures and plans; d. Counterterrorism measures and plans; e. Security and response needs assessments; f. Infrastructure records that expose a vulnerability referred to in this

subparagraph through the disclosure of the location, configuration, or security of critical systems, including public utility critical systems. These critical systems shall include but not be limited to information technology, communication, electrical, fire suppression, ventilation, water, wastewater, sewage, and gas systems;

g. The following records when their disclosure will expose a vulnerability referred to in this subparagraph: detailed drawings, schematics, maps, or specifications of structural elements, floor plans, and operating, utility, or security systems of any building or facility owned, occupied, leased, or maintained by a public agency; and

h. Records when their disclosure will expose a vulnerability referred to in this subparagraph and that describe the exact physical location of hazardous chemical, radiological, or biological materials.

2. As used in this paragraph, "terrorist act" means a criminal act intended to: a. Intimidate or coerce a public agency or all or part of the civilian

population; b. Disrupt a system identified in subparagraph 1.f. of this paragraph;

or c. Cause massive destruction to a building or facility owned,

occupied, leased, or maintained by a public agency. 3. On the same day that a public agency denies a request to inspect a public

record for a reason identified in this paragraph, that public agency shall forward a copy of the written denial of the request, referred to in KRS 61.880(1), to the executive director of the Office for Security Coordination and the Attorney General.

4. Nothing in this paragraph shall affect the obligations of a public agency with respect to disclosure and availability of public records under state environmental, health, and safety programs.

5. The exemption established in this paragraph shall not apply when a member of the Kentucky General Assembly seeks to inspect a public record identified in this paragraph under the Open Records Law; and

(n) Public or private records, including books, papers, maps, photographs, cards, tapes, discs, diskettes, recordings, software, or other documentation regardless

KENTUCKY

of physical form or characteristics, having historic, literary, artistic, or commemorative value accepted by the archivist of a public university, museum, or government depository from a donor or depositor other than a public agency. This exemption shall apply to the extent that nondisclosure is requested in writing by the donor or depositor of such records, but shall not apply to records the disclosure or publication of which is mandated by another statute or by federal law.

(2) No exemption in this section shall be construed to prohibit disclosure of statistical information not descriptive of any readily identifiable person.

(3) No exemption in this section shall be construed to deny, abridge, or impede the right of a public agency employee, including university employees, an applicant for employment, or an eligible on a register to inspect and to copy any record including preliminary and other supporting documentation that relates to him. The records shall include, but not be limited to, work plans, job performance, demotions, evaluations, promotions, compensation, classification, reallocation, transfers, lay-offs, disciplinary actions, examination scores, and preliminary and other supporting documentation. A public agency employee, including university employees, applicant, or eligible shall not have the right to inspect or to copy any examination or any documents relating to ongoing criminal or administrative investigations by an agency.

(4) If any public record contains material which is not excepted under this section, the public agency shall separate the excepted and make the nonexcepted material available for examination.

(5) The provisions of this section shall in no way prohibit or limit the exchange of public records or the sharing of information between public agencies when the exchange is serving a legitimate governmental need or is necessary in the performance of a legitimate government function.

Effective: June 20 2005 History: Amended 2005 Ky. Acts ch. 45, sec. 6, effective June 20, 2005; and ch. 93,

sec. 3, effective March 16, 2005. -- Amended 1994 Ky. Acts ch. 262, sec. 5, effective July 15, 1994; and ch. 450, sec. 34, effective July 15, 1994. – Amended 1992 Ky. Acts ch. 163, sec. 5, effective July 14, 1992. -- Amended 1986 Ky. Acts ch. 494, sec. 24, effective July 15, 1986. -- Created 1976 Ky. Acts ch. 273, sec. 5.

Legislative Research Commission Note (6/20/2005). The Office of the Kentucky Attorney General requested that amendments in 2005 Ky. Acts ch. 45, sec. 6 and ch. 93, sec. 3, to the arrangement of the paragraphs of subsection (1) of this section be changed. The change was requested "in the interest of preventing confusion to the public and public agencies" and was made by the Statute Reviser under the authority of KRS 7.136.

Legislative Research Commission Note (6/20/2005). This section was amended by 2005 Ky. Acts chs. 45 and 93, which do not appear to be in conflict and have been codified together.

2012-2014 Budget Reference. See State/Executive Branch Budget, 2012 Ky. Acts ch. 144, Pt. I, M, 9, (2) at 1142.

KENTUCKY

10-ORD-164

August 20, 2010

In re: Lexington Herald-Leader/Lexington-Fayette Urban County Government

Summary: Because questionnaires containing allegations of fraud constituted auditor work papers, excluded from public inspection even after a final audit report was released, by KRS 325.420(3), KRS 325.440(1), 200 KAR 1:30 Sections 7 and 8, and the Government Auditing Standards, “Yellow Book,” issued by the General Accounting Office and incorporated into 200 KAR 1:30 at Section 12, Lexington-Fayette Urban County Government did not violate Open Records Act in denying request for those records.

Open Records Decision

This matter having been presented to the Attorney General in an open records appeal, and the Attorney General being sufficiently advised, we find that the Lexington-Fayette Urban County Government did not violate the Open Records Act in partially denying Lexington Herald-Leader reporter Linda Blackford’s April 29, 2010, seven part request for records that included “all fraud or risk assessment reports” returned to LFUCG’s external auditor, Mountjoy & Bressler, LLP, by LFUCG employees from 2006 to 2010. Although LFUCG provided barely sufficient support for its position by briefly referencing “industry standards,” it is apparent that the 2008 questionnaire retained by Mountjoy was Mountjoy’s work paper within the express meaning of KRS 325.420(3) and 200 KAR 1:300 Section 7, as well as Government Auditing Standard (GAGAS) 2.12, incorporated into 200 KAR 1:300 at Section 12. We concur with LFUCG in its view that the 2008 questionnaire was not a public

KENTUCKY

10-ORD-164 Page 2

record, notwithstanding the fact that it owed its existence to the contractual agreement between Mountjoy and LFUCG, because it was the “property of the licensee” (Mountjoy). KRS 325.420(3). Notwithstanding the fact that Mountjoy provided LFUCG’s Director of Internal Audit with a copy of the 2009 questionnaire “to satisfy the requirements of [LFUCG’s] Statement on Auditing Standards,” that questionnaire, although its nonpublic character was altered after it was “owned, used, and possessed” by LFUCG, was nevertheless subject to the same statutory and regulatory restrictions on access as its 2008 equivalent, all of which were incorporated into the Open Records Act by KRS 61.878(1)(l),1 as well as KRS 61.878(1)(i) and (j). By letter dated May 14, 2010,2 LFUCG notified the Herald-Leader that LFUCG was not the custodian of the reports, or questionnaires, to which Ms. Blackford’s request referred. The disputed records’ custodian was, instead, Mountjoy & Bressler, and “industry standard” required the firm to accord the records confidential treatment. Alternatively, LFUCG argued, the returned questionnaires constituted preliminary records, within the meaning of KRS 61.878(1)(i) and (j), insofar as they were “work papers gathered by the auditor for completion in the audit report.” On June 4, 2010, the Herald-Leader initiated this appeal, asserting that the questionnaires are “nothing more or less than a report of internal fraud made by an employee” and that existing authority mandates that “complaints which initially spawn an investigation may not be excluded from inspection because the public has a right to know what complaints have been made and the final action taken . . . .” Citing OAG 91-160. In correspondence directed to this office following submission of the Herald-Leader’s appeal, Terry Sellars, an attorney retained by LFUCG “to give independent legal advice regarding whether [LFUCG] may allow third parties to inspect a Fraud Risk Assessment Questionnaire prepared by a LFUCG management employee,” elaborated on the advice he provided to his client. By way of background, he explained:

1 KRS 61.878(1)(l) authorizes public agencies to withhold “[p]ublic records or information the disclosure of which is prohibited or restricted or otherwise made confidential by enactment of the General Assembly.” 2 LFUCG originally responded on May 4, 2010, explaining that additional time was needed to gather the requested records. The Herald-Leader did not object to this delay.

KENTUCKY

10-ORD-164 Page 3

Mountjoy & Bressler, LLP, was LFUCG’s external auditor of its financial statements in 2008 and 2009. In the audit agreement, LFUCG agreed to cooperate in the audit by “making all financial records and related information available” to Mountjoy & Bressler and, more particularly, agreed that its management employees would inform Mountjoy & Bressler of “all known or suspected fraud or illegal acts affecting the government . . .” The agreement also provided that all ‘audit documentation for this engagement is the property of Mountjoy & Bressler, LLP and constitutes confidential information.’ Mountjoy & Bressler sent LFUCG management employees an email on June 15, 2009 stating as part of its ‘audit procedures’ it was required to make inquiries of Government personnel regarding risks of fraud in the Government. The email attached a Fraud Risk Assessment form, a ‘brief questionnaire which is designed to gather and document information regarding the nature and likelihood of fraudulent activities in the Government.’ The email assured employees that ‘responses will be confidential and only used as part of our audit analysis.’ (Footnotes omitted.)

Mr. Sellars indicated that a management employee returned the questionnaire to Mountjoy in 2008, reporting possible fraud. Mountjoy investigated “and found no evidence that LFUCG’s financial statements were materially misstated due to fraud.” The same employee reported the same possible fraud during the 2009 audit, and Mountjoy “consulted with LFUCG’s management . . . ‘solely as a precautionary matter to satisfy the requirements of their Statement on Auditing Standards.’” LFUCG’s Director of Internal Audit reviewed the questionnaire, conducted a “preliminary review,” and notified the employee that LFUCG “agreed with Mountjoy’s . . . opinion that there was no credible evidence that a fraudulent act has occurred . . . .” Mr. Sellars identified the record in dispute as “a copy of the [questionnaire] retained by [LFUCG’s] Office of Internal Audit . . . .” He did not indicate whether LFUCG maintained copies of the 2008 and 2009 questionnaires or the 2009 questionnaire only or provide an explanation of “industry standard” or legal authorities supporting it.

KENTUCKY

10-ORD-164 Page 4 In an opinion issued shortly after the Open Records Law was enacted, the Attorney General determined that the Auditor of Public Accounts could withhold his work papers under authority of KRS 61.878(1)(i) and (j), formerly codified as KRS 61.878(1)(g) and (h). OAG 78-816. Then as now, those exceptions authorized nondisclosure of:

Preliminary drafts, notes, correspondence with private individuals other than correspondence which is intended to give notice of final action of a public agency.

Preliminary recommendations, and preliminary memoranda in which opinions are expressed or policies formulated or recommended.

At page 1 of OAG 78-816, we distinguished between the completed audit report and work papers generated by an auditor or his staff, observing:

[W]hen the complete [audit] report is made, such work papers would be exempted from the right of public inspection under KRS 61.878(1)[(i) and (j)], relating to preliminary drafts, notes, recommendations, memoranda, etc. Such preliminary drafts, notes, etc., are simply part of the tools which a public officer or employee uses in carrying out his statutory functions. See OAG 78-626. The public has a right to inspect a complete public action, namely, the completed report. The work papers are merely the informal and trial and error approach to the problem in the inchoate period leading up to the formulation of the completed report. Thus, there are logical and compelling reasons for their exclusion as expressed in KRS 61.878. During the work period temporary conclusions written down and involving possible bad conduct of officers or employees might, at the later formulation of the complete report, prove to be erroneous or inaccurate.

Accord, OAG 79-470 (Auditor of Public Accounts properly withheld working papers generated in a review of overpayments to Jefferson County Public Schools’ bus drivers). We recognized one exception to the general rule of nondisclosure of auditor work papers in OAG 78-816. That exception was for

KENTUCKY

10-ORD-164 Page 5

“documents obtained [from] outside of [an auditor’s] office which were public records when [the auditor] got them.” The confidentiality of the state auditor’s work papers is therefore well established and is reflected in administrative regulation at 45 KAR 1:060 Section 1 defining “confidential information” as “originals, copies, and recordings of all work papers, documents, notes, and other written or unwritten information related to the official business of the Office of the Auditor of Public Accounts.”3

OAG 78-816 was directed to the Auditor of Public Accounts. In subsequent opinions/decisions the Attorney General extended the analysis in OAG 78-816 to external auditors. 95-ORD-156 (City of Louisville properly denied request for interview transcripts, tapes, and completed interview questionnaires generated by Coopers & Lybrand in their audit of the city’s Revenue Commission); 98-ORD-17 (Jefferson County Sheriff properly denied request for supporting documentation used in the preparation of audits performed on his office). This appeal presents our first opportunity to critically analyze the public’s right of access to the work papers of an external auditor. Chapter 325 of the Kentucky Revised Statutes governs the practice of accountancy in the Commonwealth of Kentucky, establishing a State Board of Accountancy to grant, revoke, suspend, or refuse to renew or issue licenses and to proceed against licensees suspected of violating provisions of that Chapter. KRS 325.420 and 325.440 speak directly to ownership of records and confidentiality of information obtained in the practice of accounting. KRS 325.420 provides:

(1) Upon request and reasonable notice, the licensee shall furnish to his client or former client any accounting or other records belonging to the client that were provided to the licensee by or on behalf of the client.

(2) Upon request, reasonable notice, and payment for services

previously provided, a licensee shall furnish to his client or former client a copy of a tax return, report, or other document, any of which was previously issued to or for the

3 Enabling legislation for these regulations is found at KRS 43.075.

KENTUCKY

10-ORD-164 Page 6

client or a copy of the licensee's working papers if the working papers include records that would ordinarily constitute part of the client's records and are not otherwise available to the client. These working papers shall include, but are not limited to, adjusting, closing, combining, or consolidating journal entries and information normally contained in books of original entry and general ledgers.

(3) Except as provided in subsection (1) of this section or pursuant to

an agreement entered into between a licensee and his client, all statements, records, schedules, working papers, and memoranda prepared by a licensee to or in the course of providing services to a client shall be the property of the licensee.

(Emphasis added.) With respect to the confidentiality of these records, KRS 325.440 provides, in relevant part:

(1) A licensee shall not, without the consent of his client, disclose any confidential information pertaining to his client obtained in the course of performing professional services.

Pursuant to its authority to adopt “rules of professional conduct appropriate to establish and maintain a high standard of integrity and dignity in the profession of public accounting,”4 the Board has promulgated 200 KAR 1:300 Section 7 and 8, affirmatively establishing a licensee’s duty to “comply with the requirements of KRS 325.440 relating to the disclosure of confidential client information” and “KRS 325.420 relating to the ownership of accountant’s working papers – client records.” Additionally, the Board has incorporated by reference into its regulations, inter alia, the (Generally Accepted) Government Auditing Standards (GAGAS), “Yellow Book,” issued by the General Accounting Office. The first standard that appears in GAGAS, 1.01, recognizes that:

Auditing is essential to government accountability to the public. Audits and attestation engagements provide an independent,

4 KRS 325.240.

KENTUCKY

10-ORD-164 Page 7

objective, nonpartisan assessment of the stewardship, performance, or cost of government policies, programs, or operations, depending upon the type and scope of the audit.

The standard that immediately follows declares:

The concept of accountability for use of public resources and government authority is key to our nation’s governing processes. Government officials entrusted with public resources are responsible for carrying out public functions legally, effectively, efficiently, economically, ethically, and equitably. Government managers are responsible for providing reliable, useful, and timely information for accountability of government programs and their operations . . . Legislators, government officials, and the public need to know whether (1) government manages public resources and uses its authority properly and in compliance with laws and regulations; (2) government programs are achieving their objectives and desired outcomes; (3) government services are provided effectively, efficiently, economically, ethically, and equitably; and (4) government managers are held accountable for their use of public resources.

Significantly, “GAGAS incorporate the AICPA [American Institute of Certified Public Accountants] field work and reporting standards and the related Statements on Auditing Standards (SAS)5 unless specifically excluded or modified by GAGAS.” As LFUCG’s external financial auditor, Mountjoy was bound to conduct its work in accordance with ethical principles found at 2.05 of GAGAS that include both “the public interest” (2.06) and “proper use of government information, resources, and position” (2.12). The latter standard recognizes that:

In the government environment, the public’s right to the transparency of government information has to be balanced with

5 We will examine in greater depth SAS No. 99, the standard that produced the records in dispute in this appeal, below.

KENTUCKY

10-ORD-164 Page 8

the proper use of that information. In addition, many government programs are subject to laws and regulations dealing with the disclosure of information. To accomplish this balance, exercising discretion in the use of information acquired in the course of auditors’ duties is an important part in achieving this goal. Improperly disclosing any such information to third parties is not an acceptable practice.

GAGAS addresses, in considerable depth, the scope of an auditor’s responsibility to detect fraud and illegal acts that have a material effect on financial statements and to determine whether “those charged with governance are adequately informed about fraud and illegal acts.” 5.15, et seq. In October 2002, the Auditing Standards Board of the American Institute of Certified Public Accountants issued Statement on Auditing Standard No. 99: Consideration of Fraud in a Financial Statement Audit. SAS No. 99 was prompted by the Enron and other accounting scandals and became effective for audits of financial statements for periods beginning on or after December 15, 2002. It is aimed at identifying risks of material misstatements due to fraud by, among other things, requiring an auditor to gather information from management, internal audit personnel, and others within the audited entity. A key feature of this information gathering process, as we understand it, is the need to insure confidential reporting of fraud under conditions that preclude employee retaliation. It was under this standard, and these conditions, that Mountjoy circulated its Fraud Risk Assessment to LFUCG management employees in 2008 and 2009, assuring the recipients that their “responses will be confidential and only used as part of our audit analysis.”6

6 In its supplemental response, LFUCG indicated that in its audit agreement with Mountjoy:

LFUCG agreed generally to cooperate in the audit by “making all financial records and related information available” to Mountjoy & Bressler and, more particularly, agreed that its management employees would inform Mountjoy & Bressler of “all known or suspected fraud or illegal acts affecting the government . . .” The agreement also provided that all “audit documentation for this engagement is the property of Mountjoy & Bressler LLP and constitutes confidential information.”

With reference to its internal auditing practices, LFUCG explained:

KENTUCKY

10-ORD-164 Page 9

As noted, Mountjoy retained the only copy of the 2008 questionnaire but transmitted a copy to LFUCG’s Department of Internal Audit “to satisfy the requirements of [LFUCG’s] Statement on Auditing Standards.” As a result, the 2009 questionnaire assumed the character of a public record, within the meaning of KRS 61.870(2), because it was “owned, used, and possessed” by a public agency. Notwithstanding this fact, the 2009 questionnaire retained its protected status as a work paper, not of Mountjoy, but of the Department of Internal Audit. As noted, the Department is an independent body within LFUCG that is subject to the referenced statutes, regulations, and audit standard as well the Institute of Internal Auditor’s Code of Ethics and Standards adopted by the Internal Audit Board that supervises it per LFUCG Ordinance No. 63-2002.7

Clearly, the 2008 questionnaire is not now, nor was it ever, a public record as defined at KRS 61.870(2). Ownership of the 2008 questionnaire was and is vested in Mountjoy & Bressler under the referenced legal authorities. While there is a temptation to treat the 2009 questionnaire that became a public record when Mountjoy transmitted it to LFUCG’s Department of Internal Audit as a “complaint that spawned an investigation ending in the decision to take no action,” we believe this argument oversimplifies the question. Mountjoy’s purpose in securing the information in the questionnaire was to identify risks of material misstatement in LFUCG’s financial statements owing to fraud, not to

Prior to 2002, LFUCG’s internal auditors were supervised by the Urban County Council. Since 2002 they have been independent, in their internal audit function, of both the Council and the Mayor’s Office and are supervised by LFUCG’s Internal Audit Board, which was created in 2002 by Ordinance No. 63-2002. The Board has adopted a Charter which provides that the Office shall comply with the requirements of the Institute of Internal Auditors (IIA) Code of Ethics and Standards. The IIA Code of Ethics expressly provides that:

Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.

(Footnotes omitted.) 7 Certainly, it is more than a coincidence that the creation of an independent department within LFUCG to conduct internal audits, free from the influence of the Mayor or the Council, coincides with the issuance of SAS No. 99.

KENTUCKY

10-ORD-164 Page 10 conduct an investigation into allegations of fraud for the purpose of imposing disciplinary action or determining that no disciplinary action was warranted. Such an inquiry would have greatly exceeded the scope of its engagement. By the same token, the review conducted by LFUCG’s Department of Internal Audit, with which the 2009 questionnaire was shared, was aimed at determining if there was credible evidence of a fraudulent act, not to initiate and pursue an investigation and take action thereupon. Its analysis of the questionnaire was substantially equivalent to the analysis conducted by Mountjoy. As such, it remained a work paper excluded from disclosure as a preliminary note or a memorandum in which opinions were expressed and not a complaint that spawned an investigation. Accord OAG 78-816; OAG 79-470; 95-ORD-156; 98-ORD-17. While this office recognizes the strongly substantiated public interest supporting disclosure of records reflecting allegations of governmental fraud, and how those allegations are addressed, we find that with respect to the records in dispute, records obtained under an auditing standard that attempts to strike a balance between the importance of exposing fraud and promoting candor among employees capable of exposing fraud, the public’s right to know must yield to the need for confidentiality. Our conclusion is not altered by the fact that LFUCG subsequently waivered from its original position that the questionnaires are exempt from inspection. We examine the propriety of the denial on the date the decision was made, not on the basis of subsequent events. 06-ORD-260. Consistent with the position set forth above, we affirm LFUCG’s denial of the questionnaires containing allegations of fraud circulated by its external auditor, Mountjoy & Bressler, LLP, in 2008 and 2009. A party aggrieved by this decision may appeal it by initiating action in the appropriate circuit court pursuant to KRS 61.880(5) and KRS 61.882. Pursuant to KRS 61.880(3), the Attorney General should be notified of any action in circuit court, but should not be named as a party in that action or in any subsequent proceeding.

KENTUCKY

10-ORD-164 Page 11 Jack Conway Attorney General Amye L. Bensenhaver Assistant Attorney General #216 Distributed to: Thomas W. Miller Terry Sellars

KENTUCKY