2702 Internal Audit

Document purpose

It is the policy of the University of Pennsylvania to support an internal audit function within the University and University of Pennsylvania Health System to provide independent, objective assurance and advisory services to management and the Board of Trustees to assist them in fulfilling their fiduciary governance and oversight responsibilities and to add value and improve operations and the internal control environment. The Office of Audit, Compliance and Privacy (OACP) has been established under the direction of the Vice President (VP) for Audit, Compliance and Privacy and reports functionally to the Trustee Committee on Audit and Compliance and the Penn Medicine Audit and Compliance Committee. The VP of OACP has full and free access to the Chair of the Board, the Board of Trustees, and the full Committees. Both University and Health System management and the Board of Trustees have approved the role of the Office of Audit, Compliance and Privacy as described in this policy and outlined in the OACP departmental charter.

December, 1986

April, 2024

April, 2024

Responsible Office

Audit, Compliance & Privacy

It is the responsibility of management to establish and maintain a system of internal controls designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations; reliability of financial reporting; and compliance with applicable laws and regulations.  

The Office of Audit, Compliance and Privacy is responsible for appraising controls, activities, operations, or transactions in order to ensure compliance with applicable policies, laws, and regulations and for evaluating the effectiveness of controls in operations, compliance, and financial reporting of the University’s and Health System’s departments and units. The Office of Audit, Compliance and Privacy assists management by furnishing impartial, independent analyses, appraisals, recommendations, and pertinent comments on the activities reviewed.  

To attain its objectives, the Office of Audit, Compliance and Privacy:  

  1. Provides a program of financial, operational, information technology, and compliance audits. The program is guided by a risk-based audit planning model that incorporates collaboration with the independent accountants and management.  

  2. Provides, through the Compliance and Privacy functions, oversight, monitoring, and awareness training, independently and in consultation with other central administrative service units, Schools, and Centers, as appropriate. In addition, the Compliance and Privacy functions operate as a resource to coordinate and monitor the compliance initiatives of the Schools, Centers, and Health System.

  3. Reviews and evaluates accounting, financial and operating systems to ensure that they comply with University and/or Health System policies, objectives, standards and procedures, and with federal, state and local laws and regulations.  

  4. Reviews and evaluates computer-based systems in production, in development, or undergoing change.  

  5. Reviews and evaluates the systems development process and computer operations.  

  6. Reviews and evaluates the adequacy of measures to safeguard assets from loss.  

The Office of Audit, Compliance and Privacy has the authority to recommend improvements and to monitor the implementation of its recommendations. It has free, unlimited, and unrestricted access to all books, records, files, property, and personnel of the University and the Health System, including the schools, service and resource centers, central administrative departments, auxiliary enterprises, subsidiaries, and all Health System entities. The Office of Audit, Compliance and Privacy is a staff function and as such does not exercise direct authority over other persons.  

Audit Reports

The Office of Audit, Compliance and Privacy communicates to senior and operating management in the form of written reports, consultation, or advice. Written reports include both observations and management action plans detailing specific actions planned or taken to mitigate identified risks and to ensure that operational objectives are achieved. Management responses to the audit report are required within thirty (30) days from the report date. Outcomes are also communicated to the Trustee Committee on Audit and Compliance and the Penn Medicine Committee on Audit and Compliance.  

Professional Standards

To satisfy its objectives, the Audit function subscribes to the Code of Ethics, Statement of Responsibilities, and Standards for the Professional Practice of Internal Auditing stated by the Institute of Internal Auditors.