116-40.7. Internal auditors.
(a) Internal auditors within The University of North Carolina and its constituent institutions shall provide independent reviews and analyses of various functions and programs within The University of North Carolina that will provide management information to promote accountability, integrity, and efficiency within The University of North Carolina.
(b) An internal auditor shall have access to any records, data, or other information of The University of North Carolina or the relevant constituent institution that the internal auditor believes necessary to carry out the internal auditor's duties.
(c) An internal auditor shall maintain, for 10 years, a complete file of all audit reports and reports of other examinations, investigations, surveys, and reviews issued under the internal auditor's authority. Audit work papers and other evidence and related supportive material directly pertaining to the work of that auditor's office shall be retained in accordance with Chapter 132 of the General Statutes. To promote cooperation and avoid unnecessary duplication of audit effort, audit work papers related to issued audit reports shall be, unless otherwise prohibited by law, made available for inspection by duly authorized representatives of the State and federal governments in connection with some matter officially before them. Except as otherwise provided in this subsection, or upon subpoena issued by a duly authorized court or court official, audit work papers shall be kept confidential and shall not be open to examination or inspection under G.S. 132-6 until completion of the audit report that is based on the working paper. Audit reports and the working papers on which they are based shall be public records subject to examination and inspection to the extent that they do not include information that, under State law, is confidential and exempt from Chapter 132 of the General Statutes or would compromise the security systems of The University of North Carolina. At the time that audit working papers are made available for public examination or inspection, the custodian of the audit working paper may redact the name and personally identifying information of a person who has initiated an allegation of (i) a violation of State or federal law or rule or regulation; (ii) fraud; (iii) misappropriation of State resources; (iv) substantial and specific danger to the public health and safety; or (v) gross mismanagement, gross waste of monies, or gross abuse of authority, if that person requests that the person's name and personally identifying information be kept confidential.