2701 Internal Control Policy

The University Comptroller, as Chief Accounting Officer, has the fiduciary responsibility for the accounting records of the University and the ultimate responsibility for the adequacy and effectiveness of the overall system of internal control. In order to meet these responsibilities within the University’s decentralized operating environment, the responsibility for a variety of controls must be delegated to the various operating entities of the University. Therefore, the schools, service and resource centers, central administrative departments, auxiliary enterprises, subsidiaries, and the University of Pennsylvania Health System are required to:

1. Construct and maintain books, records and accounts which, in reasonable detail, accurately and fairly reflect transactions and dispositions of assets for their respective operating units

2. Establish and maintain a system of administrative control which promotes operational efficiency and effectiveness, and ensures adherence to University policies and procedures. These controls include, but are not limited to, budgets, schedules, job assignment and monitoring sheets, policy and procedure manuals, organization charts, job descriptions, employee training programs and various quality controls.

3. Establish and maintain an adequate system of internal accounting control sufficient to provide reasonable assurance that:

   1. 1. Transactions are executed in accordance with University management’s general or specific authorization;
      2. Transactions are recorded as necessary (a) to permit the preparation of financial statements in conformity with generally accepted accounting principles and the University’s financial and accounting policies, and (b) to maintain accountability for University assets;
      3. Access to assets is permitted only in accordance with management’s general or specific authorization; and
      4. The recorded accountability for assets is compared with existing assets at reasonable intervals and appropriate action is taken with respect to any differences.

The University’s internal control policy is categorized by accounting cycles, which outline the control standards to be achieved within each cycle by an adequate system of internal control, regardless of whether processing is manual or automated.

Accounting cycles are groupings of transactions based upon the type of activity which those transactions represent. These accounting cycles are defined below. Internal control standards pertaining to these cycles are issued as addenda to this policy (see 2701.1 through 2701.5).

1. Payments Cycle: Transaction flows pertaining to expenditures and payments, and related controls over ordering and receipt of purchases, accounts payable and cash disbursements (see 2701.1).
2. Conversion Cycle: Transaction flows pertaining to the production of goods or services, and related controls over such activities as inventory transfers and charges to production for labor and overhead (see 2701.2).
3. Revenue Cycle: Transaction flows pertaining to revenue generating and collection functions, and related controls over such activities as sales orders, delivery of goods and cash collection (see 2701.3).
4. Time Cycle: Not strictly related to transaction flows, this cycle includes events caused by the passage of time, controls that are applied only periodically, certain custodial activities and the financial reporting process (see 2701.4).
5. Integrity Cycle: In a computer-supported environment, a fifth accounting cycle, known as the integrity cycle, is applicable. This cycle includes controls over the creation, implementation, security and use of computer programs, controls over computer center operations and controls over the security of data files. These are referred to as integrity controls (see 2701.5).

Management is responsible, in both the central and decentralized operating units, for establishing, maintaining and promoting effective business practices and effective internal controls. Such systems of internal control will vary from activity to activity depending upon the operating environment, including the size of the entity, its diversity of operations and the degree of centralization of financial and administrative management.

While there may be practical limitations to the implementation of some internal controls, each business function throughout the University must establish and maintain a system of controls which meets the minimum requirements as established by the University’s Internal Control Policy. A properly functioning system of controls improves the efficiency and effectiveness of operations, contributes to safeguarding University assets and identifies and discourages irregularities, such as questionable or illegal payments and practices, conflict of interest activities and other diversions of University assets.

Internal control systems must be documented. The nature and extent of documentation will depend upon the operating environment of each business function, and may take various forms including, but not limited to:

1. Written policies and procedures.
2. Formalized reporting responsibilities within the activity and descriptions of authority and responsibility. These may be in the form of organization charts, job descriptions and/or narratives.
3. Control objectives and control techniques which contribute to the achievement of those objectives (such as those stated on internal control questionnaires).
4. Flowcharts of systems with the identification of key control points.
5. Support for decisions regarding the implementation of controls, preferably in a cost-benefit format.

Each University officer, with support from their business administrator and/or financial administrator, is responsible for the application of this policy and the design, development, implementation, documentation and maintenance of a system of internal controls within their area of responsibility. Additionally, unless otherwise specifically stated in the policy, all personnel engaged in activities affecting the adequacy of controls are subject to the provisions of this policy.

Internal control standards are issued as addenda to this policy to aid in its implementation (see 2701.1 through 2701.5). These standards present standard control objectives which, when met, provide reasonable assurance of maintaining an adequate system of accounting control over the various cycle activities and transactions. Comments and recommendations from any operating unit regarding this control policy and the internal control standards shall be directed to the University Comptroller.

The Internal Audit Department of the University of Pennsylvania has the responsibility to review and measure the effectiveness of the controls established within the framework of this policy as they relate to the University’s accounting, financial and operating systems. The purposes of these reviews are to:

1. Ascertain the reliability and integrity of accounting, financial and operating information and the means of generating and reporting that information.
2. Ensure that systems comply with University policies, objectives, standards and procedures, and with federal, state and local laws and regulations.
3. Evaluate computer-based systems in production, in development or undergoing change; and evaluate the systems development process and computer operations.
4. Evaluate the adequacy of methods used to safeguard University assets.

The Internal Audit Department assists management by furnishing impartial, independent analyses, appraisals, recommendations and pertinent comments in written reports to the dean, vice president or the person responsible for the entity under review, as well as the Executive Vice President, Vice President Finance and Treasurer, Comptroller and the University’s external auditors.