The audit process is broken down into three distinct components: Risk Assessment, Project-Based Work, and Ongoing Monitoring.

Risk Assessment

OACP, through dialogues with management, completes a risk assessment process for the University and Penn Medicine organizations which culminates in the development of the annual Internal Audit Work Plan. The risk assessment process employed is based on a top-down, risk-based methodology that evaluates risks in people, process, and technology. The annual Internal Audit Work Plan is submitted to the Trustee Audit and Compliance Committees for review and approval but is flexible and adjusted as needed. Risks continue to be monitored and evaluated throughout the year with appropriate adjustments to the Audit Work Plan as necessary.

Project-Based Work

Internal Audit projects are generally broken down into four phases: Planning, Fieldwork, Reporting, and Wrap Up. Our process is flexible to allow for the application of professional judgment based on the individual projects. Additional information is provided for the steps under each phase to help you gain a better understanding of the process.


Planning

  • Audit Research — The audit team performs research on the individual projects by reviewing any past audit work performed in the unit and available literature on the subject of the audit. Planning can also include introductory meetings with pertinent staff to better understand the unit’s goals, objectives and processes, discuss audit objectives, timelines, and other important information that can ease the internal audit process. Planning results in the development of the final audit scope and objectives.
  • Notification — Once the audit’s scope and objectives are finalized, a formal notification letter is sent to the unit to initiate the audit process.


Fieldwork

  • Opening Meeting — The opening meeting is the formal initiation of the audit work and we ask that senior management and the appropriate administrative staff of the unit participate. During this meeting we will discuss the scope and objectives of the audit and explore any concerns that management might have. We will also discuss potential timing issues (e.g., vacations, grant submission deadlines, external accreditation reviews) as we coordinate to establish preliminary timelines.
  • Fieldwork Performance — Internal Audit staff will meet with the unit’s staff to understand and document their functions and operations. Most frequently this involves reviewing existing “As-Is” processes with a focus on evaluating the related internal controls to determine whether they are suitably designed. Testing will be performed to determine the effectiveness of the controls, and the efficiency of processes will be evaluated. As a result of this process, the audit staff will identify strengths, weaknesses, and the related observations, all of which will be thoroughly discussed with management.
  • Communication — The audit staff will communicate the status of the audit to the designated members of the unit’s management throughout the audit on a bi-weekly basis. At this time we will also communicate any issues identified, validate the findings, and partner with management to develop suitable solutions.
  • Fieldwork Exit Meeting — The audit team will use this opportunity to review the results of the audit with the client management team and discuss management’s action plans. This is also an opportunity to discuss how the audit was executed as we seek to continuously improve the delivery of our services.


Reporting

  • Draft Report — Upon completion of fieldwork, the results of the audit will be compiled, presented, and discussed with client management.
  • Management Response — In accordance with University Policy 2702 – Internal Audit, client management is required to provide responses to the audit findings detailing the action plans to be implemented to resolve the issues identified along with expected completion dates.
  • Report Distribution — Final reports include an executive summary of the results of the audit, background information on the unit being audited, and the detailed audit findings which include observations, recommendations, and management’s action plans. Reports are addressed to client management and copies are provided to senior University and Health System administrators and the external auditors. Audit outcomes are also communicated to the Trustee Committee on Audit and Compliance and the Penn Medicine Committee on Audit and Compliance.


Wrap Up

  • Client Surveys — Web-based audit surveys are distributed shortly after the final report to solicit feedback about the audit. This feedback is important to us as we seek to continuously improve our service delivery.
  • Engagement Performance Reviews — Each auditor’s performance is evaluated by the Audit Manager to ensure ongoing growth and continuous improvement.

Ongoing Monitoring

Internal Audit monitors risks throughout the year and adjusts the Audit Work Plan accordingly. For completed audit projects, Internal Audit monitors management’s progress in implementing action plans to address the issues identified through the audits by soliciting updates on the status of all open audit observations three times per year. Depending on the nature/severity of the issue, additional procedures including interviewing staff, performing tests, or reviewing new procedures and policies may be performed to verify the effectiveness of the implemented action. Results are reported to the University and Penn Medicine Audit Committees.

We also use the feedback from client surveys and the lessons learned on individual audits to foster an environment of continuous improvement. We focus specifically on improving our processes and professional competencies for the benefit of our clients.