Audits of sensitive topics require different methods and interactions to be successful. Workpapers pose a particular challenge for auditors, as sometimes they will handle information that should either kept confidential or described in ways that respect the dignity of clients or victims. Auditors must maneuver through these situations while trying to abide by the public expectation that their work will create a more transparent and accountable government.
I won’t presume to have the answers for you since much of this territory is governed by differing state laws. Nonetheless, you may see some strategies in this section that could apply, should you encounter sensitive situations.
As I said, laws vary and I was surprised by a local government auditor who told me all his workpapers were confidential under state law. And when asked, he said, “Yes, forever.” That troubled me because an auditor really shouldn’t advocate for accountability and transparency when the basis for his or her conclusions is held in secrecy. I think auditors need to be accountable too.
One might argue that peer reviews assure the public that the work is conducted properly, but does not satisfy the broader gauges of accountability. A peer review determines whether the work meets Standards, but does not address other important factors such as the worthiness of topics chosen or the efficiency of work performed.
In Oregon there is a presumption that government should be as transparent and accountable as possible. There were no laws regarding the confidentiality of workpapers. When dealing with confidential data in an audit, we relied upon the laws regarding that agency’s data when asked to show our workpapers. Generally, the request was from reporters and we directed them back to the agency to request the data. The agency was better prepared to cite the law and defend the relevant confidentiality laws than we were.
We could ask for whatever data we felt we needed for our audit. Sometimes the auditors surprised me—for example, with a request to examine the personnel files of agency managers—but the director always granted those requests. (We didn’t include them in our workpapers but it gave us a general sense of the effort put into the evaluations.)
The Health Insurance Portability and Accountability Act was adopted and we abided by those new requirements in managing and using health information. Family Educational Rights and Privacy Act for student data was a different matter. The data could not be used by outside organizations, like performance auditors, even if all the reporting was aggregated to protect individual student performance. Universities and education agencies resisted our requests, stating that auditors could not obtain the data for performance audits. We had difficulty obtaining the number of students enrolled in individual college classes. The federal government loosened restrictions for auditors in about 2011. I heard it was a very contentious change. In addition to wanting to preserve student confidentiality, academics made the argument that someone without an educational background could not possibly produce anything of value with the data. I’ve encountered similar defenses from police chiefs, social service managers, and other professionals, yet still produced audits that showed how they could improve service delivery. Later, I was impressed with the process established by the Washington State Auditor’s Office to comply with the same federal privacy laws we had to navigate.
As I said, the general expectation in Oregon was transparency, which occasionally caused problems with our audits. After the audit was released, we were able to provide access to inquiring reporters or members of the public, once we did a quick last look for anything confidential in the workpapers.
We ran into problems when reporters learned we were working on an audit and began asking for access to the audit’s workpapers while it was underway. No law protected our work in progress, and we could only try to negotiate with the reporter to wait for the audit. In one early instance in Portland I remember, the city auditor mistook a reporter for a staff auditor and asked how the draft of the fire bureau audit was going. Of course, we got a request for the draft that same day. We also issued our annual audit schedule, which made it easy for reporters to track our activities and pounce when they thought the time was right, though few did.
As a local government auditor, I tried to get the legislature to change the law to protect audit documentation, but failed time and again. Then, when I was state auditor, I had the support of my elected boss to take another run at it. We could present the recent example of a reporter who asked, quite nicely, to see the workpapers of an audit underway, asked again a month later, and indicated that she would continue doing so until we completed it.
I met with two representatives of the stakeholders on a draft bill. One was a highly respected lawyer who regularly filed appeals on behalf of newspapers and succeeded in getting public documents. The other was the lobbyist representing the newspaper, television, and radio interests. He was a man who knew how to tell a story and I would have enjoyed a whiskey—or several—with him just to hear his tales. (That kind of personality probably made him a good lobbyist.) The lawyer said the bill, as proposed, was unconstitutional. He said we had no legal standing to keep our workpapers confidential. I argued that until our work had undergone a thorough quality control review, nobody could depend upon raw workpapers for an accurate understanding of what we found. The lobbyist said that his clients had no interest in publishing incorrect information and would be willing to wait until that review was complete.
This was a surprise to me because I thought they were entirely against the bill. I realized that this was the point for negotiation. I was willing to work with them, since I didn’t support permanent confidentiality. I made the case that the key quality check was the agency review. This made them suspicious because they both asked whether the agency could change the audit results. I explained that any alterations to the draft required additional verifiable facts from the agency. That discussion draft, as we called it, was updated with the added references for every change.
They wanted to be able to see the changes to ensure that we didn’t just acquiesce to agency pressure. They wanted to know if both drafts were preserved in our workpapers and I gave them that assurance. I explained that we then sent the response draft, as we called it, to the agency for their written response.
Once we had the agency response, I said, the audit was complete. No, they said, your audit is complete when you send it to the agency for their response. That’s when your workpapers should be made public. The agency response is outside your control. I made arguments about the “complete package” and our “ownership” of the audit release, but it was clear that they were not budging. In the back of my mind, I also believed that only a lucky reporter would know about the audit and ask for access during that two-week window when the agency was preparing a response.
We revised the bill and I testified in support at a committee hearing. When I was done, the committee chair looked to the lobbyist and asked if he was okay with it. The chair got a nod, and then asked for a motion to vote approval. All these legislators depended upon the endorsements of their local news organizations to get elected and didn’t want to risk their wrath. It was easily approved by the legislature.
This encouraged me to also do some housekeeping of the state whistleblower law. Part of that cleanup was adding a section that protected whistleblowers in local governments which had established systems for collecting whistleblower complaints. Statute protected state whistleblowers, but not whistleblowers in local government.
At the state we had a whistleblower phone line and kept those files and investigations separate from our audit files. It raised the question in my mind of how we address situations when our auditors, in the course of an audit, encounter someone who fears retaliation if they want to report problems.
I proposed to our auditors that when they sense reluctance to answer a question, they ask the person if they are fearful that their information will result in retaliation and whether they wish to report something confidentially. If the person says yes, I told the auditors to flip to a fresh page, write on top “Whistleblower Report” and get the information. They would then bring that information back to the office and file it as a Whistleblower Report, where it could remain confidential. With this information, the auditors could go about seeking independent information to determine the legitimacy of the claim, without including the original information in their workpapers. While I did not test this in court, Oregon’s statutes appear to protect people in these circumstances.
It is worth mentioning a related problem one of my compatriots encountered. Suzanne Flynn, when she was the Multnomah County Auditor, had completed an audit and the reporter wished to see the workpapers. In his news story he inserted a frank quote directly out of the workpapers as if the employee had said it to him. After reading the story, Suzanne called and expressed her anger with him. The auditors had written up the interview and put the employee’s comment in quote marks because it was a vivid description, though they chose not to use it in the audit report. Her concern was that a candid comment to auditors shouldn’t be publicly reported by someone else because it could dissuade others from speaking with us.
I share this fear, and ironically, so do reporters. This fear is why reporters never reveal their anonymous sources, a protection that is rarely available to auditors. The easiest solution is to avoid putting anything in the workpapers that shouldn’t be in a newspaper, but that is a difficult standard to keep in mind. Next easiest is to avoid quote marks. If the auditors later decide to use the phrase in the report, those quote marks can be added, and if this practice is understood in your office, they should be able to overcome the hurdle of the internal quality control review.
As auditors, we have exceptional access to information, some of it highly sensitive. If an agency is reluctant to share its files, I feel it is our duty to insist for one very important reason. Those files often reveal the services and circumstances of the agency’s clients which can be used to judge agency performance.
We also need to ensure that we preserve the confidentiality of those files. At the state, we protected the confidential data sets by storing them on encrypted servers, with highly restricted VPN access. We feared that if we ever erred, or got hacked, agencies could deny us access in the future unless we accepted the most onerous conditions. For our workpapers, we only included the summary tables from calculations with reference to the source data on the servers. In the rare cases we needed specific information for the workpapers, we stripped out any personal identifiers.
As we press for transparency and accountability, in some situations auditors need to toe the line between being non-transparent to protect data and people and issuing audits that reveal problems and advocate for better government.
