Who does Internal Audit report to?

Internal Audit has been established under the direction of the Associate Vice President for Audit, Compliance and Privacy who reports directly to the Board of Trustees through the Trustee Committee on Audit and Compliance. Both University and Health System management and the Board of Trustees have approved the role of the Office of Audit, Compliance and Privacy.

What is the authority of the Office of Internal Audit?

Internal Audit has the authority to recommend improvements and to monitor the implementation of its recommendations. In accordance with University Policy 2702 – Internal Audit, it has free, unlimited and unrestricted access to all books, records, files, property and personnel of the University and the Health System, including the schools, service and resource centers, central administrative departments, auxiliary enterprises, subsidiaries, the Clinical Practices (CPUP) and the Hospital of the University of Pennsylvania (HUP), Pennsylvania Hospital, Penn Presbyterian Medical Center, and Clinical Care Associates. The Office of Audit, Compliance and Privacy is a staff function and as such does not exercise direct authority over other persons.

Who is responsible for internal controls?

Management is responsible for establishing, maintaining and promoting effective business practices and effective internal controls. However, virtually all employees play some role in effecting control. Systems of internal control will vary from activity to activity depending upon the operating environment, including the size of the entity, its diversity of operations and the degree of centralization of financial and administrative management.

While there may be practical limitations to the implementation of some internal controls, each business function throughout the University must establish and maintain a system of controls which meets the minimum requirements as established by the University’s Internal Control Policy. A properly functioning system of controls improves the efficiency and effectiveness of operations, contributes to safeguarding University assets and identifies and discourages irregularities, such as questionable or illegal payments and practices, conflict of interest activities and other diversions of University assets.

Are internal controls foolproof?

No. Making internal controls infallible would be cost prohibitive and make business processes unreasonably cumbersome. Internal controls are designed to provide reasonable assurance regarding the achievement of objectives in the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations. Even well designed controls are susceptible to collusion and the failure of supervisors to enforce or monitor the controls.

What is the difference between internal and external auditors?

Internal auditors are employees of the University of Pennsylvania and our objectives are determined by professional standards, the Board of Trustees and Management. Our primary clients are management and the Board. Internal Audit’s scope of work is comprehensive and serves the organization by helping it accomplish its objectives and improve operations, risk management, internal controls, and governance processes. We are concerned with all aspects of the organization, both financial and non-financial, and focus on future events as a result of our continuous review and evaluation of controls and processes.

“External auditor” most frequently refers to the independent accounting firm hired to provide an independent opinion on the organization’s financial statements, annually. Their approach is historical in nature, as they assess whether the statements conform with generally accepted accounting principles, whether they fairly present the financial position of the organization, whether the results of operations for a given period of time are accurately represented, and whether the financial statements have been materially affected. Other external auditors could include governmental auditors who focus primarily on compliance with federal regulations and award terms.

How are audits selected?

Audits are generally selected through an annual risk assessment process. Our risk assessment includes factors such as:

  • Size and complexity of operation
  • Change in business environment and ethical climate
  • Pressure on management to meet objectives

An annual audit workplan is developed, based on this risk assessment and consultation with management and the Trustees Committee on Audit and Compliance. The workplan defines the areas to be audited.

Can I request an audit?

Yes! We will consider all requests from management; however, our ability to accept the project is dependent upon the risk/urgency of the request as compared to currently scheduled audits, staffing levels/workload, and other potential factors. If we cannot fulfill your request, it will likely be added to a listing of projects under consideration for next fiscal year’s workplan.

What should I expect when I’m being audited?

First and foremost you can expect courtesy and professionalism in all of your interactions with Internal Audit. We will notify the head of the unit being audited that the audit has been included on the annual work plan and will coordinate to schedule the timing of the audit. You can expect regular communications throughout the audit to keep you informed regarding the project’s overall progress, barriers or delays, potential issues identified, and open items. The audit will be executed in a spirit of partnership. Remember, we’re here to help you not “get” you. We’ll make an objective assessment of your operations, and share ideas for best practices. Finally we’ll provide a report which includes recommendations for improving internal controls, processes and procedures, performance, and risk management.

What happens when Internal Audit identifies a deficiency or non-compliance?

We will fully explore the issue and will typically develop an observation for inclusion in the final audit report. All issues will be fully vetted with the unit’s management and we’ll coordinate with the appropriate personnel to develop a recommendation best suited for the unit’s individual needs.

Who receives the audit report?

An audit report is addressed to the head of the organization being audited (e.g. the Dean, Vice President, etc.) and the appropriate administrators (e.g. Department Chair, Center Director, etc.). Copies are provided to the Executive Vice President or Provost, the Vice President of Finance, the University Comptroller, other administrative executives depending on the nature of the audit (e.g., the Vice Provost for Research, the Vice President for Information Systems and Computing, etc.), and PricewaterhouseCoopers, our external auditors. The Audit Committee of the Board of Trustees is also provided with summaries of the outcomes for all completed audits.

What can I do if I become aware of illegal or questionable activities?

As a member of the Penn community, you are encouraged to raise questions and concerns, particularly if you suspect violations of policies or legal requirements. The Office of Audit, Compliance and Privacy provides 2 methods for confidentially reporting such issues: