When the department requires an audit under this section, it may accept an audit performed in the previous 12 months when it meets standards in the data sharing agreement and is performed by an auditor that meets independent third-party auditor qualifications.

For recipients receiving lists:

(1) Audit procedures must test for the presence of required policies and administrative, technical, or physical controls to reasonably conclude the controls are effective and in use by the recipient.

(2) Audit reports must provide documentation on the procedures, and the results of such procedures, used to determine whether controls align with requirements in the data sharing agreement.

For recipients receiving individual records of protected personal information, audit reports must demonstrate reasonable procedures were used to conclude each recipient is compliant with requirements in the data sharing agreement.