To communicate the University's objectives and to establish standards for the design and operation of the University's system of internal control. The reliability which the University can place upon its financial records is dependent upon the effectiveness of the procedures and controls which are adopted to ensure that the results of transaction processing are reflected accurately, consistently and completely in those records. Controls must ensure also that assets are not exposed to unauthorized access and use. Management has the responsibility to establish and maintain an adequate system of internal control and to furnish to the Trustees of the University, governmental agencies, University creditors and other constituencies reliable financial information on a timely basis. An adequate system of internal control is necessary for management to discharge these responsibilities.
June, 2020Responsible Office
The University Comptroller, as Chief Accounting Officer, has the fiduciary responsibility for the accounting records of the University and the ultimate responsibility for the adequacy and effectiveness of the overall system of internal control. In order to meet these responsibilities within the University’s decentralized operating environment, the responsibility for a variety of controls must be delegated to the various operating entities of the University. Therefore, the schools, service and resource centers, central administrative departments, auxiliary enterprises, subsidiaries, the Clinical Practices of the University of Pennsylvania (CPUP) and the Hospital of the University of Pennsylvania (HUP) are required to:
Construct and maintain books, records and accounts which, in reasonable detail, accurately and fairly reflect transactions and dispositions of assets for their respective operating units
Establish and maintain a system of administrative control which promotes operational efficiency and effectiveness, and ensures adherence to University policies and procedures. These controls include, but are not limited to, budgets, schedules, job assignment and monitoring sheets, policy and procedure manuals, organization charts, job descriptions, employee training programs and various quality controls.
Establish and maintain an adequate system of internal accounting control sufficient to provide reasonable assurance that:
The University’s internal control policy is categorized by accounting cycles, which outline the control standards to be achieved within each cycle by an adequate system of internal control, regardless of whether processing is manual or automated.
Accounting cycles are groupings of transactions based upon the type of activity which those transactions represent. These accounting cycles are defined below. Internal control standards pertaining to these cycles are issued as addenda to this policy (see 2701.1 through 2701.5).
Management is responsible, in both the central and decentralized operating units, for establishing, maintaining and promoting effective business practices and effective internal controls. Such systems of internal control will vary from activity to activity depending upon the operating environment, including the size of the entity, its diversity of operations and the degree of centralization of financial and administrative management.
While there may be practical limitations to the implementation of some internal controls, each business function throughout the University must establish and maintain a system of controls which meets the minimum requirements as established by the University’s Internal Control Policy. A properly functioning system of controls improves the efficiency and effectiveness of operations, contributes to safeguarding University assets and identifies and discourages irregularities, such as questionable or illegal payments and practices, conflict of interest activities and other diversions of University assets.
Internal control systems must be documented. The nature and extent of documentation will depend upon the operating environment of each business function, and may take various forms including, but not limited to:
Each University officer, with support from his/her business administrator and/or financial administrator, is responsible for the application of this policy and the design, development, implementation, documentation and maintenance of a system of internal controls within his/her area of responsibility. Additionally, unless otherwise specifically stated in the policy, all personnel engaged in activities affecting the adequacy of controls are subject to the provisions of this policy.
Internal control standards are issued as addenda to this policy to aid in its implementation (see 2701.1 through 2701.5). These standards present standard control objectives which, when met, provide reasonable assurance of maintaining an adequate system of accounting control over the various cycle activities and transactions. Comments and recommendations from any operating unit regarding this control policy and the internal control standards shall be directed to the University Comptroller.
The Internal Audit Department of the University of Pennsylvania has the responsibility to review and measure the effectiveness of the controls established within the framework of this policy as they relate to the University’s accounting, financial and operating systems. The purposes of these reviews are to:
The Internal Audit Department assists management by furnishing impartial, independent analyses, appraisals, recommendations and pertinent comments in written reports to the dean, vice president or the person responsible for the entity under review, as well as the Executive Vice President, Vice President Finance and Treasurer, Comptroller and the University’s external auditors.