2702 Internal Audit

Document purpose

It is the policy of the University of Pennsylvania to support an internal audit function within the University and University of Pennsylvania Health System to provide independent appraisal services to management and the Board of Trustees to assist them in the effective discharge of their governance and oversight responsibilities. As such, the Office of Audit, Compliance and Privacy has been established under the direction of the Associate Vice President for Audit, Compliance and Privacy who reports directly to the Board of Trustees through the Trustee Committee on Audit and Compliance. Both University and Health System management and the Board of Trustees have approved the role of the Office of Audit, Compliance and Privacy as described in this statement.

Effective: December, 1986

Revised: May, 2006

Reviewed: April, 2020

Responsible Office: Audit, Compliance & Privacy

Approval: EVP

Objectives

It is the responsibility of management to establish and maintain a system of internal controls designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations; reliability of financial reporting; and compliance with applicable laws and regulations.  

The Office of Audit, Compliance and Privacy is responsible for appraising controls, activities, operations, or transactions in order to ensure compliance with applicable policies, laws and regulations and for evaluating the effectiveness of controls in operations, compliance and financial reporting of the University’s and Health System’s departments and units. The Office of Audit, Compliance and Privacy assists management by furnishing impartial, independent analyses, appraisals, recommendations and pertinent comments on the activities reviewed.  

Scope

To attain its objectives, the Office of Audit, Compliance and Privacy:  

  1. Provides a program of financial, operational, information technology, and compliance audits. The program is guided by a risk-based audit planning model that incorporates collaboration with the independent accountants and management.  

  2. Provides, through the Compliance and Privacy functions, oversight, monitoring and awareness training, independently and in consultation with other central administrative service units, Schools and Centers, as appropriate. In addition, the Compliance and Privacy functions operate as a resource to coordinate and monitor Schools and Centers’ and Health System compliance initiatives.  

  3. Reviews and evaluates accounting, financial and operating systems to ensure that they comply with University and/or Health System policies, objectives, standards and procedures, and with federal, state and local laws and regulations.  

  4. Reviews and evaluates computer-based systems in production, in development, or undergoing change.  

  5. Reviews and evaluates the systems development process and computer operations.  

  6. Reviews and evaluates the adequacy of measures to safeguard assets from loss.  

The Office of Audit, Compliance and Privacy has the authority to recommend improvements and to monitor the implementation of its recommendations. It has free, unlimited and unrestricted access to all books, records, files, property and personnel of the University and the Health System, including the schools, service and resource centers, central administrative departments, auxiliary enterprises, subsidiaries, the Clinical Practices (CPUP) and the Hospital (HUP), Pennsylvania Hospital, Penn Presbyterian Medical Center, and Clinical Care Associates. The Office of Audit, Compliance and Privacy is a staff function and as such does not exercise direct authority over other persons.  

Audit Reports

The Office of Audit, Compliance and Privacy communicates to senior and operating management in the form of written reports, consultation, or advice. Written reports include both recommendations and management responses itemizing specific actions taken or planned to mitigate identified risks and to ensure that operational objectives are achieved. Management responses to the audit report are required within thirty (30) days from the report date. Outcomes are also communicated to the Trustee Committee on Audit and Compliance and the Penn Medicine Committee on Audit and Compliance.  

Professional Standards

To satisfy its objectives, the Audit function subscribes to the Code of Ethics, Statement of Responsibilities, and Standards for the Professional Practice of Internal Auditing stated by the Institute of Internal Auditors.