Consultative and Advisory Services

Types of Consultative and Advisory Services

  Due to extensive training and professional experience, our employees are multi-faceted and are able to serve you as consultants and advisors to your business operations. Some areas where these services may be sought include:
  • Act as in-house consultants on internal control matters.
  • Provide a business perspective on how to manage operations effectively.
  • Provide guidance on control aspects of new technologies, procedures and implementations.
  • Provide advisory services for reengineering.
  • Facilitate interactive work sessions within the Penn community, training employees to identify and reduce business risk.

Business Process Review (BPR)

Definition

BPR assesses the performance of administrative and financial processes. BPR considers process effectiveness and efficiency, including the presence of appropriate controls, to mitigate business risk.

BPR identifies opportunities for improvement, highlights areas of risk or control deficiency, and suggests “best practices” to spur University-wide performance.

The BPR team partners with the client, who becomes a valuable contributor in the risk identification process.

Administrative and financial processes: Payroll, Human Resources, Procurement and Payables, Travel and Entertainment Reimbursement, Grants Management, Planning and Budgeting, Gifts and Development, Tuition and Fees, Billing and Collecting, Other Revenue, Capital Expenditures, Fixed Asset Handling, and Account Management.

Business Risk: Strategic, operational, financial, compliance and reputational risk.

Justification for Business Process Review

The University will manage its human, financial, and physical resources effectively and efficiently to achieve its strategic goals.

This is the expectation for which each operation will be measured and held accountable. Business processes drive the utilization of our resources.

  • Ongoing changes create a dynamic business environment at Penn
  • Ongoing changes: re-engineered core business processes, technological enhancements to financial systems, greater decentralization of fiscal stewardship to departmental business administrators
  • BPR:
    • Assesses the performance and capability of administrative and financial processes
    • Addresses market and economic trends, which are creating an increased emphasis on value, cost containment and efficiencies
    • Pinpoints areas of risk, recommends process, managerial and organizational improvements, and suggests “best practices”

BPR Adds Value

  • Provides the School/Center with:
    • Understanding of the effectiveness of key processes and an action plan for process improvements, including better controls
    • Business Risk Assessment, including recommendations to mitigate risks
    • Resource to determine employee accountability
    • Help in exercising leadership roles and responsibilities for accounting for operations
    • Benchmark best practices

Integrated Internal Control Framework

About IICF

Inherent to any organizational environment is business risk that can interfere with the accomplishment of the organization’s business objectives. Vital to the success of every organization is the identification and sensible mitigation of business risk.

The Office of Audit, Compliance and Privacy (OACP) has adapted from COSO [see the publication “Internal Control - Integrated Framework (Executive Summary)”] a model for assessing and mitigating business risk: the Integrated Internal Control Framework (IICF). The Trustees of the University of Pennsylvania have strongly endorsed the implementation of this model. The President, the Executive Vice President, and the CEO of Penn Medicine are committed to the successful widespread implementation of the Integrated Internal Control Framework.

IICF Presentation

(Presentation is © Copyright 2002 Trustees of the University of Pennsylvania)

Integrated Internal Control Framework asserts:

  • Business risk is much broader than financial risk. Business risk encompasses strategic, operational, financial, compliance, and reputational risk.
  • Every individual in the organization needs to be responsible for identifying and mitigating business risk.

These assertions undergird the OACP mission.

The Office of Audit, Compliance and Privacy applies the concepts of the Integrated Internal Control Framework in the approach to every audit and compliance initiative and project. In addition, we educate the Penn community on the application of IICF concepts through awareness presentations and facilitated work sessions. In these sessions, Audit, Compliance and Privacy guides key personnel in assessing business risk in their organizational units and developing action plans to mitigate identified risks.

Contact us to explore how IICF can help your organizational unit identify and mitigate the business risk that can impede the achievement of your business objectives.

Integrated Internal Control Framework Implementation

Implementation Process

Element                                                                                      Timing (minutes)
Framing within the Business Unit's objectives                                                10
Introduction of OACP and participants                                                        5
IICF Presentation: explain what business risk is, how you identify it, what you do with it;
  explain technology and criteria                                                            30
Administer Survey                                                                            30
Review survey responses                                                                      10
List issues to address                                                                       10
Action Plan Development                                                                      30
  • Choose items for discussion
  • List symptoms and indicators
  • Brainstorm, group and prioritize ideas, applying strengths to issues
  • Determine next steps, including responsibility and timelines
Feedback to IICF process and closing                                                         5
Total Time                                                                                   120

Survey

  1. CE* - Alignment: Organizational unit’s objectives are aligned generally with Penn objectives.
  2. CE - Infrastructure: You have the authority, tools, and support to perform your job.
  3. CE - Competencies: You continue to develop your competencies (knowledge, skills) to perform your job in a changing environment.
  4. CE - Feedback: You receive feedback and coaching that help you develop professionally.
  5. CE - Integrity: Integrity and high ethical standards are practiced in organizational unit.
  6. CE - Compliance: Compliance with laws, regulations, and policies is expected.
  7. RA* - Objectives: You understand the organizational unit’s objectives.
  8. RA - Identification: Possible risks are identified, assessed and prioritized.
  9. RA - Mitigation: Strategies to reduce risks are implemented.
  10. RA - Frequency: Risk assessment is performed regularly.
  11. RA - Participation: Input from across the organizational unit is used in risk assessment.
  12. CA* - Security (people): Security measures have been provided to protect personnel.
  13. CA - Security (equipment & data): Equipment and confidential data are secured.
  14. CA - Guidelines: Guidelines (e.g., policies, operating procedures) are established.
  15. CA - Disaster recovery: Disaster recovery/business resumption plans have been established and tested.
  16. I&C* - Usefulness: Operational information is sufficient, timely and useful.
  17. I&C - Key information: Other essential information (overall performance, major initiatives, business plans, new legislation and regulations) is communicated.
  18. I&C - Reporting issues: You can report concerns (including improprieties) without fear of retribution.
  19. I&C - Staff suggestions: Staff suggestions for improvement are considered.
  20. M* - Control environment: Reports of control environment breakdown (non-compliance, poor human resource practices, unethical practices, complaints, etc.) are addressed.
  21. M - Risk assessment methodology: Strategies implemented to reduce risk are monitored for effectiveness.
  22. M - Internal control system: Key documents (financial and operating reports, reconciliations, etc.) are reviewed.
  23. M - Information and communication systems: Information and communication systems are monitored for effectiveness, considering changing environment.

* CE - Control Environment; RA - Risk Assessment; CA - Control Activity; I&C - Information and Communication; M - Monitoring

Notes:

  • Assertions should be concise and very straightforward, to minimize confusion from multiple interpretations. Use terms and language familiar to the organizational unit, so that the assertions have meaning for the participants. In addition, writing relevant examples will help illuminate the intention of the assertions.
  • Participants should respond to each assertion from the participant’s perspective about the participant’s organizational unit.
  • Criteria should be identified to apply to the assertions.
  • Sample criteria:
    Effectiveness:
      1. Strongly Disagree
      2. Disagree
      3. Agree
      4. Strongly Agree
    Significance:
      1. Unimportant
      2. Important
      3. Critical

Investigations

What is an investigation?

An investigation encompasses a review of an operational area specifically looking for fraudulent transactions. Loss/fraud investigations are conducted to confirm a loss/fraudulent act occurred, to determine the amount of the loss, to identify control weaknesses, to assist the unit by recommending corrective measures to prevent recurrences, and to assist Risk Management in filing appropriate claims with insurance and law enforcement agencies.

When will a loss/fraud investigation occur?

The investigative audit seeks to determine if the University's controls function to promote efficient and effective processes and provide reasonable assurance that errors and irregularities will be detected during the normal course of operations.

In case of suspected financial irregularities, misuse of systems or other University assets, or other malfeasance, Audit, Compliance and Privacy may conduct a specialized audit tailored to the circumstances. When investigative audits are emergency situations, they receive priority in scheduling.

Roles & Responsibilities

The Associate Vice President for Audit, Compliance and Privacy or designee has the primary responsibility for the investigation of all cases of misappropriation, fraud, and other misuse of University and Penn Medicine assets. The Associate Vice President or designee is available and receptive to relevant information concerning suspected fraudulent activities on a confidential basis. All audits will be conducted in a thoroughly professional manner.

The Associate Vice President for Audit, Compliance and Privacy or designee shall consult with and coordinate the investigative activities with other University and/or Health System offices as appropriate. All University and Health System employees are expected to cooperate fully with and provide support to the Audit, Compliance and Privacy team as requested during such investigations and reviews.

The Office of Audit, Compliance and Privacy will be given free, unlimited, and unrestricted access to all books, records, files, property, and to all personnel of the University and Health System during such investigations. The Associate Vice President for Audit, Compliance and Privacy shall have the authority, after consultation with the Executive Vice President of the University, the Executive Vice President for the Health System when applicable, and with the Provost when a member of the faculty is thought to be involved, to fulfill the specific responsibilities outlined in Human Resource Policy 002: Safeguarding University Assets.

Reporting

The results of investigations by the Office of Audit, Compliance and Privacy will be disclosed only to those who have a legitimate need to know such results in order to perform their duties.

The Office of Audit, Compliance and Privacy shall report the results of the investigation and/or audit to the Senior Vice President and General Counsel and the Executive Vice President of the University; to the Executive Vice President for the Health System when applicable; and to the Provost when a member of the faculty was involved. The Associate Vice President shall report all cases of fraud to the President. Copies of all investigation and/or audit reports shall be sent concurrently to the senior official responsible for the area.

All documented cases of fraud shall be reported to the Trustees Committee on Audit and Compliance by the Associate Vice President for Audit, Compliance and Privacy.

To meet the requirements of granting agencies or other external funding sources, the Associate Vice President for Audit, Compliance and Privacy shall, as appropriate, report information concerning misappropriations to those granting agencies or other external funding sources. Such reports will be coordinated with the Office of the General Counsel and appropriate members of management.

Information concerning misappropriations may be released to the news media only as authorized by the President of the University.

Copyright © 2006-09 University of Pennsylvania