Operational Audit at Penn is composed of the University Audit Team and the Penn Medicine Audit Team. In general, we are responsible for determining whether appropriate operational and financial internal controls are in place and operating properly throughout the institution’s operating units. The goal of every audit we perform is to provide a beneficial service to our clients by identifying opportunities to enhance control processes and introduce efficiencies into your operations. Operational Audit routinely consults with Compliance, Privacy, and other subject matter experts as necessary to ensure the comprehensive delivery of quality services. We are committed to delivering our services in an independent, objective, and professional manner. Typical services provided by the Operational Audit Teams include the following:
Types of Audits
Operational/Controls Audits
Provide an unbiased evaluation of processes, systems and operations and determine whether internal controls are in place and operating effectively to mitigate risks and ensure that organizational goals and objectives are met.
Compliance Audits
Asses a unit’s adherence to applicable laws, regulations, policies and/or procedures. These would include adherence to the University’s internal policies and procedures as well as external requirements from federal, state, or local agencies.
Integrated Audits
Combine an operational/controls audit of an area with an information technology assessment of the systems and infrastructure that support the unit. An integrated audit can assess the effectiveness of the coordination between the information systems and the business activities to support defined goals and objectives.
Special Requests/Advisory Services
The nature and scope of these services are developed collaboratively with client management and are intended to add value and improve the unit’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include providing advice and guidance pertaining to various administrative and compliance matters, advising on process redesign and the incorporation of internal controls into new systems and processes, etc.
Pre-Implementation Reviews
Generally involve both the Operational and IT Audit teams during which we review the overall project management of the project, as well as assist in the design and deployment of effective internal controls for key business processes and ensure the implementation of sound security controls. These projects seek to determine whether:
- The new system meets the functional requirements of the business
- Project tasks are defined in sufficient detail which identifies all of the components of the project
- Adequate testing is being performed to ensure that the system functions as intended
- The data conversion strategy ensures that all data is migrated to the new system with integrity
Post-Implementation Reviews
Evaluate the effectiveness of the system development after the system has been in production for a period of time (at least 6 months). The review results are provided to strengthen the system as well as system development procedures. The objectives are to determine whether the system does what it was designed to do, for example:
- The new system supports the user as required in an effective and efficient manner
- The system successfully delivered the expected functionality, performance, and benefit
- Life-cycle development activities that produced the system were effective.
Fraud Investigations
Independent evaluations of allegations generally focused on improper activities including misuse or theft of university resources, fraud, financial irregularities, and unethical behavior or actions. During investigations we seek to confirm a loss/fraudulent act occurred, determine the amount of the loss, identify the control weaknesses that allowed the loss to occur, assist the unit by recommending corrective measures to prevent recurrences, and assist Human Resource, Public Safety, and the Office of General Counsel in the resolution of the case.