(a) The state auditor is entitled to obtain from the department criminal history record information for purposes of:
(1) performing risk assessment in devising the annual audit plan; or
(2) performing an investigation under Chapter 321 of specified acts or allegations of impropriety, malfeasance, or nonfeasance.
(b) The department and the state auditor shall enter into an agreement providing the state auditor with electronic access to the information that includes appropriate safeguards against unauthorized disclosure of the information.

(c) Except as provided by Subsection (d), information obtained by the state auditor under Subsection (a) may not be released or disclosed to any person except on court order or with the consent of the person who is the subject of the criminal history record information.
(d) If, in the judgment of the state auditor, information obtained under Subsection (a) indicates a substantial risk to the interests of the state, the state auditor shall report the information to the legislative audit committee and to the administrative head of the affected agency. The reports are audit working papers of the state auditor.
(e) The state auditor shall destroy information obtained under Subsection (a) when the information is no longer needed for audit purposes or to support audit findings.