State University of New York
Office of the University Auditor
Guidance on Office of the State Comptroller Audits
Access to Records, Files, and Other Information
April 16, 2008
The State Constitution and State Finance Law provide the Office of the State Comptroller (OSC) with the statutory authority to conduct audits of State agencies including SUNY. This includes pre-audit of payments and post-audit of financial and operating matters. As part of the audit, the Comptroller's staff will require access to records, files, and other information needed to complete their work. SUNY staff should be cooperative and generally provide OSC staff with the requested records, files, and other information. While most of the requests for information will be routine, there are certain requests that may need to be reviewed on a case-by-case basis.
Providing Information within the Scope of the Audit - The requested records, files, and other information should be within the defined scope of the audit. If there is uncertainty, staff should request that OSC clarify the request in relation to the scope of the audit. If questions still remain, consider contacting University Counsel or the University Auditor. Any such contact should be made in a timely manner to ensure questions are adequately resolved and the audit can proceed on schedule.
Availability of Information - SUNY staff are generally not expected or required to develop reports or information for the OSC auditors. If the report or information is readily available, then it can be provided, as appropriate. However, this is not to say it would be inappropriate to generate a report from a computer file or provide a download of electronic information to the auditors. OSC expects that any information provided is contemporaneous with the transactions. Any changes made to the information, after the request was made by OSC, should be clearly marked and communicated to the OSC auditors.
Information Withheld - There may be certain circumstances where the OSC auditors may inadvertently ask for information that SUNY staff should not provide. Such information would include any attorney-client privileged materials.
Confidential or Personally Identifiable Information - Some of the information requested may include confidential or personally identifiable information about employees, patients, students or their parents. In general, SUNY is permitted to provide personally identifiable information from student education records to OSC in its capacity as a State education official conducting an audit or evaluation of any federally funded or State supported education program. Nevertheless, SUNY staff and the OSC auditors should limit any such information to the elements that are essential to the audit. For example, in certain cases social security numbers and credit card numbers could be excluded or redacted from any information provided to the auditors. Sensitivity is necessary even though OSC has procedures to secure the information. In addition, there are legal requirements specifying the information must be secured. For example, the Family Educational Rights and Privacy Act (FERPA) requires that State auditors must not disclose to third parties personally identifiable information about students or their parents, and such information shall be destroyed when it is no longer needed to complete the audit.
If you have concerns about the appropriateness of any request for data, please contact University Counsel or the University Auditor.