The Trustees of the University of Pennsylvania maintain an institution-wide
internal audit and compliance function as an integral component
of the governance structure. This function is chartered to
provide a program of continuous assessments of the effectiveness
of the internal control and compliance environment. Through
its annual program of risk-based audits and compliance assessments,
the Office of Audit, Compliance and Privacy provides insight
on the mitigation of business risk to assist the Board of
Trustees and management in fulfilling their roles of governing
the University of Pennsylvania. In 1997, the Trustee Committee
on Audit and Compliance adopted the Integrated Internal Control
Framework (IICF), an adaptation of COSO (Committee of Sponsoring
Organizations of the Treadway Commission), for utilization
as the foundation of the internal control and compliance environment.
IICF is a Framework for assessing and mitigating business
risk (strategic, operational, financial, compliance and reputational).
Mission
The Office of Audit, Compliance and Privacy serves as a proactive
business partner with University of Pennsylvania and Penn
Medicine management to upgrade business processes, controls,
compliance mechanisms and technologies to:
Anticipate and aggressively manage business risks;
Ensure strong stewardship and management accountability at all levels;
Ensure the integrity of operational and financial information.
Audit, Compliance, and Privacy serves the University of Pennsylvania
and Penn Medicine by upholding the highest professional standards;
recruiting, training and developing future managers for the
institution; providing high quality, cost effective audit
and management services; and communicating value-added outcomes
to the Board of Trustees and senior management.
Responsibilities within Organization
The Associate Vice President for the Office of Audit, Compliance
and Privacy reports functionally to the Chair of the Board
of Trustees, the Chair of the University Trustee Committee
on Audit and Compliance, the Chair of the Penn Medicine Committee
on Audit and Compliance, the President, the Executive Vice
President for Health Services and the UPHS CEO, and administratively
to the Executive Vice President. The Associate Vice President
is responsible for leading and managing the development and
execution of institution-wide audit, compliance and privacy
plans that focus on assessing and enhancing internal control
and compliance infrastructures that support and advance the
University of Pennsylvania’s core mission of research,
teaching and patient care.
Scope of Authority
The Office of Audit, Compliance and Privacy provides institution-wide
services to all entities and subsidiaries of the University
of Pennsylvania and Penn Medicine, including all schools,
responsibility centers, central administrative departments,
auxiliary enterprises, the Hospital of the University of Pennsylvania,
Pennsylvania Hospital, Presbyterian Medical Center, Clinical
Practices of the University of Pennsylvania, and Clinical
Care Associates. Consequently, the Office of Audit, Compliance
and Privacy has authority to act with respect to the above-mentioned
entities and subsidiaries of the University of Pennsylvania.
In carrying out their duties and responsibilities, all Audit,
Compliance and Privacy personnel have unlimited and unrestricted
access to all data, books, records, files, property, and personnel
of the University of Pennsylvania and Penn Medicine. The Office
of Audit, Compliance and Privacy is a staff function and as
such does not exercise direct authority over other persons.
Reporting
The Office of Audit, Compliance and Privacy communicates to senior
and operating management in the form of written reports, consultation,
or advice. Written reports include both recommendations and
management comments itemizing specific actions taken or planned
to mitigate identified risks and to ensure that operational
objectives are achieved. These outcomes are also communicated
to the Trustee Committee on Audit and Compliance and the Penn
Medicine Committee on Audit and Compliance, as appropriate.
Professional Standards and Ethics
Audit and compliance activities shall be performed according
to appropriate professional standards, including, but not limited
to, generally accepted auditing standards as advocated by
the Institute of Internal Auditors in Standards for the Professional
Practice of Internal Auditing, the General Accounting Office
in Standards for Audits of Governmental Organizations, Programs,
Activities and Functions, and the American Institute of Certified
Public Accountants in Statement on Auditing Standards. Members
of the Office of Audit, Compliance and Privacy have the responsibility
to maintain exemplary ethics, integrity and objectivity in
the performance of their duties.