Reporting Confidential or Sensitive Information
Requirements: Reporting Confidential or Sensitive Information
If certain information is prohibited from public disclosure or is excluded from a report because of its confidential or sensitive nature, auditors should disclose in the report that certain information has been omitted and the circumstances that make the omission necessary.
When circumstances call for omission of certain information, auditors should evaluate whether this omission could distort the audit results or conceal improper or illegal practices and revise the report language as necessary to avoid report users drawing inappropriate conclusions from the information presented.
When the audit organization is subject to public records laws, auditors should determine whether public records laws could affect the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. Auditors use judgment to determine the appropriate means to communicate the omitted information to management and those charged with governance considering, among other things, whether public records laws could affect the availability of classified or limited use reports.
Application Guidance: Reporting Confidential or Sensitive Information
If the report refers to the omitted information, the reference may be general and not specific. If the omitted information is not necessary to meet the audit objectives, the report need not refer to its omission.
Certain information may be classified or may otherwise be prohibited from general disclosure by federal, state, or local laws or regulations. In such circumstances, auditors may issue a separate, classified, or limited use report containing such information and distribute the report only to persons authorized by law or regulation to receive it.
Additional circumstances associated with public safety, privacy, or security concerns could justify the exclusion of certain information from a publicly available or widely distributed report. For example, detailed information related to computer security for a particular program may be excluded from publicly available reports because of the potential damage that misuse of this information could cause. In such circumstances, auditors may issue a limited use report containing such information and distribute the report only to those parties responsible for acting on the auditors’ recommendations. In some instances, it may be appropriate to issue both a publicly available report with the sensitive information excluded and a limited use report. The auditors may consult with legal counsel regarding any requirements or other circumstances that may necessitate omitting certain information. Considering the broad public interest in the program or activity under audit assists auditors when deciding whether to exclude certain information from publicly available reports.
In cases described in paragraph 9.63, auditors may communicate general information in a written report and communicate detailed information orally. Auditors may consult with legal counsel regarding applicable public records laws.