Auditing in Public Institutions Suport de Curs

8/12/2019 Auditing in Public Institutions Suport de Curs

1/111

Aceast carte a ost realizat n cadrul Activitii nr. 8 denumitRealizarea de materiale i instrumente didactice i de nvare pen-

tru programele de masterat n administraia public din proiect-ul Creterea calitii programelor de masterat n administraiepublic, Contract POSDRU/86/1. 2/S/60072, proiect conanatdin Fondul Social European prin Programul Operaional Sectorialpentru Dezvoltarea Resurselor Umane 2007-2013, Axa prioritar 1Educaia i ormarea pro esional n sprijinul creterii economicei dezvoltrii societii bazate pe cunoatere, Domeniul major deintervenie 1. 2 Calitate n nvmntul superior.

AUDITING

IN PUBLIC INSTITUTIONS


2/111

Cornelia Felicia Macarie Auditing in Public Institutions

Copyright Cornelia Felicia MacarieCopyright Universitatea Babe-Bolyai, Cluj-Napoca, 2013 pentru ediiaprezent.

Toate drepturile rezervate, inclusiv dreptul de a reproduce fragmente dincarte.

Descrierea CIP a Bibliotecii Naionale a RomnieiMACARIE, FELICIA CORNELIA

Auditing in public institutions / Macarie FeliciaCornelia. - Bucureti: Tritonic Books, 2013Bibliogr.ISBN 978-606-8536-13-2

657.633336.148

Coperta: NICOLAE URSRedactor: SERGIO RAMIREZComanda nr. UBB56 / aprilie 2013

Bun de tipar: mai 2013 Tiprit n Romnia

All rights reserved. No part of this book may be reproduced ortransmitted in any form or by any means without wr itten permission ofthe author.

AUDITING

IN PUBLIC INSTITUTIONS

Cornelia Felicia Macarie


3/111

Table of Contents

CHAP ER 1Te concept o internal auditing 91.1. Te emergence and evolution o internal auditing 91.2. Denition o internal auditing 131.3. Functions, objectives and scope o public internal

auditing 20 1.3.1. Functions o internal auditing 21 1.3.2. Objectives and scope o internal auditing in the

public sector 23 1.3.3. ypology o internal auditing 24 1.3.3.1. System audit 25 1.3.3.2. Per ormance audit 26

1.3.3.3. Compliance Audit 29

CHAP ER 2Internal Auditing in the Public Sector in Romania 312.1. Legislative ramework 31 2.1.1. Te organization o internal auditing 33 2.1.2. Conducting internal audit activities 39 2.1.3. Te pro ession o internal auditor 432.2. Te normative ramework 46 2.2.1. Te normative ramework or assurance activities 46 2.2.1.1. Te application o the general rules o

public internal auditing 47


4/111

2.2.1.2. Methodological norms regarding theinternal audit missions 48

2.2.1.3. Te procedural guide 62 2.2.1.4. Internal audit charter 62 2.2.2. Normative ramework or the consulting activity 632.3. Procedural ramework 70

CHAP ER 3

Te Standardization o Internal Audit 733.1. Te International Organization o Internal Auditing 733.2. Te International Pro essional Practices Framework 81 3.2.1. Te Ethical Code o Internal Auditors 83 3.2.2. Te International Standards or the

Pro essional Practice o Internal Auditing 92 3.2.2.1. Attribute Standards 92 3.2.2.2. Te Per ormance Standards 95 3.2.2.3. Implementation standards 96 3.2.3. Practice Advisory 97 3.2.4. Practice Guides 993.3. Te Responsibility o Internal Auditors 101

CHAP ER 4Planning internal audit in the public sector 1034.1. Te regulation o internal audit planning 1034.2. Te process o internal audit planning 107

CHAP ER 5Risk management 1155.1. Implementation o risk management 1155.2. Risk based internal auditing 1185.3. Relation between risk management and

internal auditing 121

5.4. Corporate governance 124

CHAP ER 6Te relationship between internal and external audit 1296.1. Te need or pro essional collaboration between internal auditors 1296.2. Te terms o a possible cooperation protocol

between the external and internal audit in the

public sector 131

CHAP ER 7Case Study - Te Audit Mission HE AUDI REGARDING

HE ADMINIS RA ION OF ORGANIZA ION MODELPA RIMONY (adapted rom udorica, 2009) 135Annex 178Glossary 209

Bibliography: 216


5/111

Chapter 1

The concept of internal auditing

1.1. Emergence and evolution of internal auditing1.2. Denition of internal auditing1.3. Functions, objectives and scope of internal auditing in the public sector

1.1. The emergence and evolution of internal auditing

Te concept o audit originates in the Latin verb audio, audire,audivi, auditum whose translation is to hear , to listen. Te processthis concept covers is not new even though in the past differentdesignations have been used to describe it. Te current under-standing o auditing can be traced back to the events during the

Great Depression in the United States. Back in 1929 the listing oAmerican companies to the stock market depended on an externalassessment made by audit pro essionals, which incurred high coststo companies already affected by the recession. Te certicationo the nancial situation and assessment o accounts and balancesheets were carried out by independent External Audit Offices. Ingeneral, they per ormed several preparatory procedures/activitiessuch as:

the inventory o patrimony; the verication o analytic and synthetic accounts; the verication o the account balance and its structure; the verication o justicatory documents; and


6/111

10 | Cornelia Felicia MACARIE AUDITING IN PUBLIC INSTITUTIONS |11

the verication o the correctness and exactness o scal ob-ligations.

Because these activities were time consuming and expen-sive, companies started to create their own internal audit struc-tures. Teir unction was to implement the initial and preparatorytasks in order or the External Audit Offices to ocus solely on thecertication o the nancial situations and supervision o compa-nies activities.

In the afermath o the economic crisis, the companies main-tained the newly established internal auditing structures whichgradually expanded their scope and modied and diversied theirobjectives. In time, the idea o auditing as a necessary unction andarea o activity within the company has taken root. Because theemergence o internal auditing can be traced back to the activity oaccount certication, it would be long associated with its nancialand accounting background.

Te emergence o auditing within organizations and therecognition o its importance resulted in the new pro ession o in-ternal auditor and urther issues about pro essional association andstandardization o activities were raised. Consequently, in 1941 in

Orlando, Florida, the Institute o Internal Auditors (IIA) was set upand gradually enjoyed international recognition. Te UK, France,Sweden, Norway, Denmark and other states soon became membersand nowadays over 90 national institutes and members in over 120countries are affiliated with the Institute.

In Romania internal auditing emerged relatively late and wasassociated with the concept o internal control, which is why nowa-days the distinction between the two concepts is difficult to make.Tis situation can be explained by the adoption o Law 672/2002on Internal Public Auditing which required public institutions toorganize internal audit structures. Te institutions complied withthis law by trans erring the employees that worked in internal con-

trol to the newly established audit departments and there ore setthe conditions or con using internal auditing with control. Un-

ortunately, this con usion is perpetuated by their Senior Manage-ment who do not use the internal audit unction thoroughly andact upon auditors recommendations due to a limited understand-ing o their importance or improving organizational per ormance.Overall, such an approach undermines the unction o auditingwithin the organization.

Te pro ession o internal auditor has evolved and adapted tonew circumstances and different organizational needs. While theinitial ocus o internal auditing was on nancial and accountingaspects, its current objectives are the identication o risks andevaluation o control and management systems in organizations.

Internal auditing takes place within a globally recognizedramework that is continuously adapted to the legislative particu-

larities o each country according to the rules and organizationalculture o the various elds o activity and auditees. aken into ac-count the rhythm o global changes the pro ession o internal audi-tor has to adapt to, the Board o Administration o the IIA set up in2006 the International Committee or Coordination and a Working

Group or revising the Pro essional Practices Framework and IIAnorms. Te group ocused its efforts on the revision o the scope othe Framework and improvement o the transparency and consist-ence o the norm creation, revision and publication processes. Teend result was the adoption o the new International Pro essionalPractices Framework (IPPF) and restructuring o the Pro essionalPractices Council which coordinates the approval and publicationo IPPF norms, as specied in the 2007 Declaration on the missiono the Council.

Generally, a ramework represents a structured model o inte-grating knowledge and norms. As a coherent system, a ramework

acilitates the development, interpretation and consistent imple-


7/111


mentation o concepts, methodologies and techniques specic toa pro ession. Te specic purpose o the IPPF is to organize thenorms authorized by IIA so that they can be accessed easily and ontime and, at the same time, strengthen the position o the Instituteas a global standardization body. Due to its role in providing guid-ance on the current audit practice and exploring urther develop-ment o standards, the IPPF assists practitioners and other stake-holders to respond to the booming market o high-quality internal

audit services.As a conceptual ramework organizing the norms adopted by

IIA, the scope o the IPPF has been restricted to the norms adoptedby the international technical committees o IIA ollowing stand-ard procedures.

A trustworthy, global guidance-setting body, Te IIA providesor internal audit pro essionals all around the world authoritative

guidance organized in the International Pro essional PracticesFramework as mandatory and strongly recommended guidance(IIA, 2007).

Con ormance with the principles set orth in mandatoryguidance is required and essential or the pro essional prac-

tice o internal auditing.Mandatory guidance is developed ol-lowing an established due diligence process, which includesa period o public exposure or stakeholder input. Te threemandatory elements o the IPPF are the Denition o InternalAuditing, the Code o Ethics, and the International Standards

or the Pro essional Practice o Internal Auditing (Standards). Strongly recommended guidance is endorsed by Te IIA througha ormal approval processes. It describes practices or effective im-plementation o Te IIAs Denition o Internal Auditing, Code oEthics, and Standards. Te three strongly recommended elementso the IPPF are Position Papers, Practice Advisories, and PracticeGuides.

Element DenitionDenition The Denition of Internal Auditing states the fundamental purpose, nature,

and scope of internal auditing.Code of Ethics The Code of Ethics states the principles and expectations governing

behavior of individuals and organizations in the conduct of internal audit-ing. It describes the minimum requirements for conduct, and behavioralexpectations rather than specic activities.

InternationalStandards

Standards are principle-focused and provide a framework for performingand promoting internal auditing. The Standards are mandatory require-ments consisting of:1. Statements of basic requirements for the professional practice ofinternal auditing and for evaluating the effectiveness of its performance.

The requirements are internationally applicable at organizational andindividual levels.2. Interpretations, which clarify terms or concepts within the statements.It is necessary to consider bo th the statements and their interpretations tounderstand and apply the Standards correctly. The Standards employ termsthat have been given specic meanings that are included in the Glossary.

Position Papers Position Papers assist a wide range of interested parties, including thosenot in the internal audit profession, in understanding signicant govern-ance, risk, or control issues and delineating related roles and responsibili-ties of internal auditing.

Practice Advisories Practice Advisories assist internal auditors in applying the Denition ofInternal Auditing, the Code of Ethics, and the Standards and promotinggood practices. Practice Advisories address internal auditings approach,methodologies, and consideration, but not detail processes or procedures.They include practices relating to: international, country, or industry-spe-cic issues; specic types of engagements; and legal or regulatory issues.

Practice Guides Practice Guides provide detailed guidance for conducting internal auditactivities. They include detailed processes and procedures, such as tools andtechniques, programs, and step-by-step approaches, as well as examplesof deliverables.

Internal auditors are required to know and comply with the IIAnorms as a guarantee o their pro essionalism in their interactionswith organizations and regulatory bodies. Te pro ession o auditoris intimately related to the internalization o the norms comprisedin the ramework.

1.2. Denition of internal auditing

Internal auditing as a unction o the organization has evolvedthrough a process o successive trans ormations due to changes inthe economic and legislative context and new managerial needs.While this trans ormative period coincided with changes in the


8/111


meaning o the concept o internal auditing, nowadays its deni-tion is a compulsory norm imposed by the IPPF.

In 1999 the IIA in the US provided a denition ollowing a largestudy conducted by 800 students coordinated by auditors in theAustralian universities: Internal Auditing is an independent andobjective activity which provides assurances to organizations re-garding their degree o control over operations, makes recommen-dations or enhancing the operations, and brings an added value to

the organization. It helps an organization accomplish its objectivesby evaluating through a systematic and methodical approach itsrisk management, control and management processes and makingproposals to enhance them.

Te new IPPF adopted in 2007 by IIA denes internal audit-ing as an independent, objective assurance and consulting activitydesigned to add value and improve an organizations operations. Ithelps an organization accomplish its objectives by bringing a sys-tematic, disciplined approach to evaluate and improve the effec-tiveness o risk management, control, and governance processes.(IIA, 2007)

Article 2 o Law 672/2002 on Public Internal Auditing in Ro-

mania denes auditing in similar terms as a unctionally inde-pendent, objective assurance and consulting activity designed toadd value and enhance the activities o public institutions; it helpsthe public organization to achieve its objectives through a system-atic and methodical approach and to evaluate and improve the e -ciency and efficacy o risk management, control and governanceprocesses.

Tese denitions delineate the activities presupposed by the in-ternal auditing unction and its main characteristics: (1) provisiono consulting services to management, (2) constructive support toemployees, and (3) the independence and objectivity o internalauditors.

a. Consulting services to managementTe main responsibilities o management are prediction, or-

ganization, coordination, and control. In ullling these tasks, themanagerial team needs the consulting and advice that internal au-ditors can provide regarding the effectiveness o internal controland the main r isks acing the organization.

Te support provided to management in the area o internalcontrol helps managers to take decisions which enhance and opti-

mize the control unction o management. Internal control is themain activity o internal auditors that has an impact on all o theother organizational unctions (Renard, 2003, p. 23).

Whereas in its early days internal auditing mainly covered nan-cial and accounting activities, it currently covers all processes and unc-tions within an organization, including research and development,production, sales, human resources. While internal auditors role is toadvice, assist and recommend ways o action to managers at all hierar-chical levels, they cannot decide. Te decision belongs to managers asinternal audit is just a means through which they are in ormed aboutthe effectiveness o internal control under their responsibility.

In providing advice to management, the credibility o internal

auditors is enhanced by the ollowing characteristics: they work based on internationally recognized norms which

provides them with a degree o autonomy within the organi-zation;

they are guided by a set o good practices which enhancesthe authority o their advice;

they have working procedures that have been validated bygeneral practice which ensures their effectiveness;

hey know and belong to the organization and this in-depthexperience enhances their competence and credibility; and

they are independent o the processes and activities they au-dit which guarantees their objectivity.


9/111


b. Support for employees without making value judgmentsInternal audit activities must contribute to ensuring an efficient

control process and enhancing the per ormance o the organiza-tion. During an internal audit engagement auditors must identi ythe weaknesses o the internal control system and correctly iden-ti y the related risks which they subsequently must report to therelevant managers. In order to complete these tasks, internal au-ditors must cooperate with the employees involved in the audited

activities as the latter have the most accurate in ormation about thesubsystems in which they work.

Internal auditors can not penalize employees or the risks orinternal control deciencies they identi y as that alls within theresponsibility o the management. Te auditors recommend adjust-ments in the mechanisms o internal control, but do not ormulate judgments on the per ormance o employees. During an engage-ment, auditors can only provide advice and support to employees in view o the recommendations they are to make in the audit report.

While internal auditors can identi y redundant, inefficient ac-tivities or a aulty control system, they cannot reprimand employ-ees or propose sanctions or employees because: (1) the objective

o internal auditing is not to judge the competences o the humanresources, (2) those involved in activities cannot discuss the resultso auditing and i such discussions arise, they must take place in apositive manner, and (3) auditors must be aware that weaknesses inthe process can have causes that do not depend solely on employ-ees, but on the budget size, human resources selection, in ormati-zation o activities.

c. Independence and objectivityTe independence and objectivity o internal auditors are de-

ned in the pro essional norms o internal auditing and more pre-cisely, the Qualication Standard 1100 Independence and Objec-

tivity whereby internal auditing must be independent and internalauditors must be objective when carrying out their activities.

Internal auditors are independent when they ulll their tasksreely and objectively. Independence allows internal auditors to as-

sess impartially and without prejudices. Tere are two aspects oindependence covered by standards: the independence o the auditdepartment which requires its subordination to the highest hierar-chic level and the independence o internal auditors guaranteed by

their non-involvement in the activities and processes they audit.Te chie audit executive should report to a level within the organi-zation that allows the internal auditors to ulll their responsibili-ties.

Te ollowing conditions are necessary to ensure auditors in-dependence:

1. internal auditors should benet rom the support o themanagement in order to secure the cooperation o all actorsand accomplish their tasks smoothly;

2. internal auditors should report to a hierarchic level whichcan en orce their independence;

3. internal auditors should report unctionally to the Senior

Management and directly communicate with the Board othe organization;

4. direct communication entails regular attendance o theBoards meetings on issues related to audit, nancial report-ing, control and management; and

5. independence is enhanced when the Board intervenes inappointing and replacing the Chie Audit Executive.

Internal auditing should be ree o any intervention targetingits scope, the implementation o activities and communicationo results. Sometimes internal auditors are asked to explain theimportance o the documents they require in their activities anddepending on the case they have to assess whether this demand


10/111


is justied. Te presence o signicant irregularities might hinderthe establishment o a normal cooperation relation between audi-tor and the engagement client and the head o internal audit is re-quired to issue a judgment depending on circumstances.

Individual objectivity is ensured i internal auditors have an im-partial, unbiased attitude and avoid conicts o interests. Objectiv-ity is dened as a mental attitude o independence that auditorsshould maintain in per orming internal audit activities. Internal

auditors should not be unduly inuenced by others in orming judgments.

Te objectivity o internal auditing is ensured when several re-quirements are met:

auditors are condent about the outcome o their workand they are not constrained to make compromises as toits quality. Internal auditors should not be orced into situ-ations where they would eel unable to make objective pro-

essional judgments; appointments to the team shall be such as to avoid any con-

ict o interest or lack o impartiality. Te Chie Audit Ex-ecutive should be in ormed o any conicts o interest that

may affect the independence o auditors. It is recommendedto have a regular rotation o internal auditors within theteam;

the results o audit activities should be examined be ore thecommunication o the auditing conclusions;

internal auditors should not accept money or gifs rom anemployee, customer, supplier or partner because it is againstthe code o ethics and rules o conduct. Such a behavior willraise serious doubts about the auditors objectivity in bothongoing and uture missions. Te auditor should immedi-ately report any situation in which they were offered moneyor gifs to their supervisor; and

internal auditing adopts a principled commitment wherebyconicts o interest or any activity that could result in a pos-sible conict o interest are avoided.

I the objectivity or independence o internal auditors is im-paired, the details o the impairment should be disclosed to rel-evant stakeholders. Internal auditors should report to the chieaudit executive the existence or likelihood o a conict o interestor impartiality. In such cases, the head o internal audit must re-

place the respective auditors. Limiting the scope o activity is oneo the restrictions that can be imposed to internal auditors whichprevents them rom planning and achieving the objectives o in-ternal audit. Limitations o this type may, among other things,re er to:

the areas o applicability dened in the Charter; internal auditors access to records, personnel and physical

assets necessary during engagements; the approved plan o auditing activities; the implementation o engagement procedures; and the approved budget and human resources. Such restrictions should be communicated, pre erably in writ-

ing, to the Board.Internal auditors should avoid assessing specic operations or

which they were previously responsible. Objectivity is presumed tobe impaired i an internal auditor provides assurance services oran activity or which the internal auditor had responsibility withinthe previous year. At the time o the communication o the out-come o the audit engagement, this potential damage to objectivitymust be taken into account.

Internal auditors should not be assigned operational responsi-bilities. I internal auditors are occasionally assigned tasks unre-lated to audit activities, it must be clearly stated that they no longerper orm internal audit tasks.


11/111


12/111


designed to add value and improve the governance, risk manage-ment and control processes o the organization, without auditorsassuming management responsibility. Examples include expertise,advice, acilitation and training. (IIA, 2007, p. 14)

Consulting services are advisory and generally per ormed atthe specic request o the client. Te nature and scope o the con-sulting engagement are subject to prior agreement with the client.Consulting services generally involve two parties: (1) the person or

group offering the advice - the internal auditor, and (2) the personor group seeking and receiving the advice - the engagement client.When per orming consulting services, the internal auditor shouldmaintain objectivity and not assume management responsibility(IIA, 2007, p. 7).

The assurance functionAssurance is a unction o internal auditing whereby internal

auditors identi y the risks in the processes and activities within theorganization, including the control and management processes.Assurance represents an objective examination o evidence in or-der to provide an independent assessment on risk management

and control processes. (Ghita, Popescu, 2006, p. 116)Assurance services involve the internal auditors objective as-

sessment o evidence to provide an independent opinion or con-clusion regarding a process, system or other subject matter. Tenature and scope o the assurance engagement are determined bythe internal auditor. Tere are generally three parties involved inassurance services: (1) the person or group directly involved withthe process, system or other subject matter - the process owner, (2)the person or group making the assessment - the internal auditor,and (3) the person or group using the assessment - the user (IIA,2007, p. 7).

1.3.2. Objectives and scope of internal auditing in the public sector

Article 3 o Law 672/2002 on Internal Auditing in the PublicSector, amended and republished in the Official Gazette no. 856 o5 December 2011, sets out the overall objective and scope o publicinternal audit. Te overall objective o internal auditing in publicorganizations is to improve their management through:

a. assurance activities that objectively examine evidence inorder to provide public organizations with an independentassessment o risk management, control and governanceprocesses;

b. consulting activities designed to add value and improve theprocesses o governance in public entities without internalauditors assuming management responsibilities.

Te scope o internal audit includes all activities through whichpublic entities achieve their objectives, including the evaluation othe system o managerial control. Te specic objectives o publicinternal auditing are:

a. objective assurance and consulting designed to improve thesystems and activities o public institutions;

b. support or the achievement o the objectives o the public

institution through a systematic and methodical approach;c. evaluation o risk management and control systems;d. support to the manager o the public organization to iden-

ti y and assess signicant risks and improve the risk man-agement systems; and

e. evaluation o the efficiency and effectiveness and continuousimprovement o the control system o the public organiza-tion. Te assessment o the relevance and effectiveness o in-ternal control is based on the results o the risk assessment.

Internal audit activities are intended to identi y signicant risksand deciencies in the internal control procedures. Internal audit-ing comprises the analysis o process and activities, an assessment


13/111


o the degree to which outcomes correspond to objectives and thecon ormity o existing regulations.

Te evaluation o the control system requires the use o adequatecriteria. Te audit determines the extent to which the manager othe public organization had dened adequate assessment criteria andwhether the objectives were achieved. I these criteria were appropri-ate, they can be also used by auditors in the evaluation o the internalcontrol system. I the criteria are inadequate, the audit department,

together with the management o the public organization, will designadequate criteria or evaluating the control system.

Te scope o internal auditing covers:a. nancial activities undertaken by the public institution rom

the earmarking o unds to their use by nal beneciaries,including unds rom external assistance;

b. the collection o public revenue, including the authorizationand establishment o tax liabilities and revenue raising a-cilities;

c. the management o public assets and the sale, pledge, ces-sion or lease o goods in the private/public property o thegovernment or territorial-administrative units; and

d. the systems o nancial management and control, includingaccounting and the I related systems.

Te Ministry o Finance and the Chamber o Financial Audi-tors o Romania are required by art. 3 (3) o Law 672/2002 to designa Common Framework comprising the specic objectives o inter-nal auditing in the economic entities in the public sector.

1.3.3. Typology of internal auditing

Article 14 o Law 672/2002 established the ollowing types oauditing:

a. system audit re ers to the in-depth assessment o the man-agement and internal control systems in order to determine

whether they operate efficiently and effectively, identi y pos-sible deciencies and make recommendations or their cor-rection;

b. per ormance audit examines whether the criteria that wereestablished or the implementation o activities and ull-ment o objectives are relevant or the evaluation o resultsand assesses whether the results are consistent with the objectives; and

c. compliance audit examines the organizations adherence andcompliance with all principles, procedural and methodo-logical rules in spending public money.

1.3.3.1. System audit

System audit includes both the compliance and per ormanceaudit. Tis type o internal auditing provides an independent as-surance on the economic efficiency and effectiveness o the systemsthat were designed, implemented and controlled by the manage-ment, i.e. the degree to which they correspond to best practices.

When carrying out system auditing activities, internal auditorsmust ocus on the ollowing elements:

the achievement o objectives, goals, targets and compli-ance with the quality and per ormance standards previouslyagreed upon;

the compliance with both the internal policies, plans, reg-ulations, procedures and the external obligations and re-quirements;

the reliability, clarity, completeness and use ulness o in or-mation related to nancial, operational and management as-pects and reliability o records and justicatory documents;

the regularity o transactions and ethical behavior; the economic efficiency o acquisitions, resources utiliza-

tion and operations; and


14/111


the protection o the assets rom loss, waste and raud.

1.3.3.2. Performance auditPublic sector per ormance is a relative concept whose measure-

ment can be achieved in several ways (OECD, 1994): comparison with a set o results obtained in prior periods; comparison o the organizations results with results o similar

organizations or organizations providing similar services; comparison o results and objectives; and comparing the potential o the organization to its actual

programmes and plans o action.Te main objective o a per ormance audit is to examine the

impact that the ulllment o objectives and implementation oquality standards can have when the criteria o efficiency and e -

ectiveness are met. Tis type o audit assesses the managerial andoperational per ormance o public organizations and the efficiencyand efficacy o the utilization o the nancial, material, human andin ormation resources.

Tere are two types o per ormance audit:a. management audit; and

b. operational audit.Te management audit analyses the ormal process o decision

making and communication o decisions to stakeholders in all rel-evant areas o activity (Oprean, Popa, Lenghel, 2007, p. 102). Terole o this type o auditing is to advise and make recommenda-tions to the management team regarding:

working procedures which must be modied, introduced orremoved;

human resources management (job description, organiza-tional chart, regulations, etc.); and

elements o the strategy requiring to be updated, adapted,linked to different unctions o the organization.

Te operational audit examines the risks and threats in differ-ent areas o activity and makes recommendations to eliminate de-ciencies and enhance internal control in order to enable the organi-zation to achieve its objectives and per ormance criteria (Oprean,Popa, Lenghel, 2007, p. 102). Te use o the concept o operationalaudit has provoked much controversy. Some authors contend that(Arens, Loebbecke, 2003, p. 919) the concept o managerial auditis more appropriate than operational audit as it also includes the

assessment o internal control mechanisms and a test o their effec-tiveness. Other authors (Cosserat, 2000, p. 87) do not make thesedistinctions and consider both concepts to have the same meaning.Our opinion is that the operational audit examines the efficiencyand effectiveness o any activity o the organization, including in-ternal control, provided that the purpose o auditing is to providein ormation underlying decisions that aim at enhancing the organ-izational per ormance.

Be ore auditing, auditors identi y, depending on the organiza-tional component, the specic criteria to be used when assessingeffectiveness and efficiency. Te most requently used criteria are:

1. historical results

One way o assessing current results is by using criteria derivedrom the results o prior periods and audit reports. However, these

criteria can not provide accurate in ormation about the quality othe present situation, but only an overview o the evolution o theorganization.

2. re erence indicatorsBecause the organizations that are undergoing an operational

audit are not unique, pro essionals can use in ormation about thework o other internal or external entities as benchmarks. Whilein the case o internal entities data is easily accessible and avail-able, the collection o data rom external entities is acilitated by therequirements or transparency and access to in ormation in pub-


15/111


lic organizations. In the case o public institutions subordinate tohigher hierarchical structures, the relevant benchmarks can be provided by the latter to all subordinate organizations in the territory.

3. technical standardsIn some operational audit engagements, the specic evaluation

criteria are dened based on technical standards relevant to the or-ganization. For example, when auditing the medical laboratory oa hospital and assessing the quality o the results obtained, audi-

tors will have to use the appropriate technical standards or testingthe medical equipment. While setting criteria based on technicalstandards can be time consuming, expensive and requiring the involvement o external specialists, it is a necessary activity justiedby the need to prevent any type o organizational risks.

4. discussions and agreementsI establishing objective criteria is likely to be difficult and ex-

pensive, auditors can also discuss with the management and thenal beneciaries o the audit report to agree on a set o criteria.Discussions are concluded in an agreement which shall be attachedto the audit report.

Te operational audit can take three orms (Arens, Loebbecke,

2003, p. 914), namely: unctional auditing that tests one or more unctions o the

organization such as: services provision, the acquisition ogoods and services, public marketing, staff and remunera-tion, payments and accounting, research, control, etc. Tistype o audit enables a unctional specialization o auditors,which increases their pro essionalism, but can also createproblems in cases where unctions are interdependent. Inthose situations, using an audit team is recommended;

organizational auditing approaches the organization and itsparts (branches, departments, decentralized units, etc.) withan emphasis on the effectiveness and efficiency o unction

interaction. In this type o auditing the organizational chartand the coordination o activities, jobs, unctions are o ut-most importance; and

special auditing engagement can be required by managerswhen they notice a problem, identi y certain risks or wantto assess the effectiveness and efficiency o certain decisions,usually those taken under risky or uncertain circumstances.For example, a special audit can be requested to analyze the

causes o the increase in the number o average day o hos-pitalization in a certain section o a hospital, to make rec-ommendations to reduce the number o traffic accidents ina particular area o a city or investigate cases o corruptionthat might appear in public procurement in a city hall, etc.

1.3.3.3. Compliance AuditTe main objective o this type o auditing is to ensure the com-

pliance o procedures and operations with the internal norms andregulations, on the one hand, and the legal requirements, on theother hand. Te scope o the compliance audit includes the opera-tions and transactions carried out by the organization. Tis type o

auditing establishes whether: the decisions and policies adopted by management are re-

spected; the operations are conducted in con ormity with the proce-

dure manuals; the contract stipulations are respected; the scal regulations and external restrictions are en orced; the in ormation in documents is accurate and exact; the security o the patrimony assets is ensured; the working conditions are adequate; the nancial and accounting entries comply with legal stip-

ulations;


16/111

30 | Cornelia Felicia MACARIE

the control system is unctional; and there are risks in the management and control systems.

Chapter 2.

Internal Auditing in the Public Sector in Romania

2.1. Legislative framework2.2. Normative framework2.3. Procedural framework

2.1. Legislative framework

Public Internal Audit in Romania is regulated by Law 672/2002,published in the Official Gazette no. 856 o 5 December 2011, sub-sequently amended and supplemented by:

Government Ordinance (GO) no. 37/2004 amending andsupplementing Regulation no. 91 o 31 January 2004, ap-

proved by Law 106/2004, published in the Official Gazette,Part 1, no 332 o 16 April 2004;

Government Emergency Ordinance (GEO) no. 35/2009 oncertain nancial decisions regarding the cost o human re-sources in the public sector, published in the Official Ga-zette, Part 1, no. 249 o 14 April 2009, approved by Law no.260/2009 published in the Official Gazette, Part 1, no. 484o 13 July 2009;

Law 329/2009 on the reorganization o certain public insti-tutions, rationalization o public spending, support or thebusiness environment and compliance with the rameworkagreements concluded with the European Commission and


17/111


International Monetary Fund, published in the Official Ga-zette, Part 1, no. 761 o 9 November 2009, as amended andsupplemented;

Framework Law 284/2010 on the single remunerationscheme or employees in the public sector, published in theOfficial Gazette, Part 1, no 877 o 28 December 2010, asamended.

In 2011 Law 672/2002 was amended by Law 191/2011, published

in the Official Gazette, Part 1, no. 780 o 3 November 2011. Follow-ing these modications, the Law 672/2002 was republished in theOfficial Gazette, Part 1 no. 856 o 5 December 2011 and the textswere renumbered. Law 672/2002 on Public Internal Audit and GO37/2004 regulate internal audit in public entities as an independ-ent, objective unctional activity evaluating the collection and use opublic money and the administration o public patrimony. Article2 o Law 672/2002 denes the public entity as a public authority;public institution; national company; company where the state ora territorial administrative unit is a majority shareholder with legalpersonality; entity nanced more than 50% rom public unds.

Article 3(1) o Law 672/2002 stipulates that the general objec-

tive o public internal audit is the enhancement o the managemento public organizations which can be achieved through:

a. assurance activities which objectively examine evidence inorder to provide an independent assessment o risk man-agement, control and governance processes to the publicand the management o the public organization; and

b. consulting activities which add value and improve the gov-ernance processes in public entities without the internal au-ditor assuming managerial responsibilities.

Article 3(2) o the same Law stipulates the scope o internalaudit involves all the activities o the public institutions throughwhich they achieve their objectives.

2.1.1. The organization of internal auditing

Structurally, internal auditing is organized as ollows:a. Te Committee or Public Internal Auditing (CPIA);b. Te Central Unit or the Harmonization o Public Internal

Auditing (CUHPIA);c. Internal Audit Committees;d. Internal Audit Departments in public organizations.

a. Te Committee or Public Internal Auditing (CPIA) existsalong the Central Unit or Harmonization o Public Internal Auditing(CUHPIA) and is a consultative body whose purpose is to dene thestrategy and improve the internal audit activity in the public sector.

CPIA has 11 members whose selection is regulated by the Or-der o the Minister o Finance. Its membership is composed o thePresident o the Chamber o Financial Auditors o Romania, twopro essors specialized in internal auditing, three specialists withhigh credentials in this eld, the General Director o CUHPIA,three experts rom related areas o work (accounting, legal, I )and one representative o local public authorities. With the excep-tion o the General Director, the CPIA members cannot be part o

the Ministry o Finance. Te process o nomination is determinedthrough the rules approved by the Government Decision 235/2003.CPIA is headed by a President elected with the simple majority oits members or a period o three years. Te President convenes themeetings o the Committee. Te Internal Regulations o CPIA areapproved in a plenary session with a majority vote. Its technicalsecretariat is provided by CUHPIA. Te Minister o Finance candischarge the Committee members only at the specic request othe President in conditions stipulated by the law, which providesthe Committee with a relatively high level o stability.

According to Article 6 o Law 672/2002 CPIA has the ollowingmain responsibilities:


18/111


to discuss the strategic development plans in public internalauditing and provide an authoritative opinion on the direc-tion o its development;

to debate and issue an opinion on the normative act devel-oped by CUHPIA;

to discuss and approve the annual report on public internalaudit and the presentation o this report to the Government;

to approve the plan o internal audit engagements that are o

national interest and have cross-sectoral implications; to debate and issue an opinion on the reports o internal

audit o national interest with cross-sectoral implications; to analyze the importance o the recommendations made

by internal auditors in cases where there is a divergence oopinion between them and the manager o the public or-ganization, and to issue an opinion about the consequenceso non-compliance with auditors recommendations;

to analyze the cooperation agreements between internaland external auditors regarding the denition and use o theconcepts in the eld, exchanges o results and the commonpro essional training o auditors; and

to approve the appointment and dismissal o the Directoro CUHPIA.

b. Te Central Unit or the Harmonization o Public InternalAuditing (CUHPIA) was established within the Ministry o Fi-nance, in direct subordination to the Minister and is divided alongspecialization services. CUHPIA is headed by a General Directorappointed by the Minister o Finances ollowing the approval byCPIA. Te General Director is a civil servant and should have ex-cellent pro essional qualications and competence in accountingand/or audit and meet the requirements o the Ethical Code o In-ternal Auditors as stipulated in article 7(3) o Law 672/2002.

Te main role and responsibilities o CUHPIA are: to develop and apply a unied strategy o public internal

auditing and monitor the activity at the national level; to develop a normative ramework in public internal auditing; to develop and implement harmonized procedures and

methodologies based on international standards, includinginternal audit manuals;

to develop methodologies or risk management; to elaborate the Ethical Code o Internal Auditors; to approve the methodological norms in specic areas o

activity in the eld o public internal auditing, including thenorms o the internal audit departments organized at thelevel o associative structures;

to develop the reporting system o the internal audit resultsand elaborate the annual report based on the audit reportsreceived;

to conduct internal audit engagements o national interestwith cross-sectoral implications;

to veri y the compliance with norms, regulations, the Ethi-cal Code by the internal audit departments, including those

organized at the level o the associative structures; to evaluate their activity and take the necessary corrective

measures in cooperation with the manager o the public or-ganization;

to establish the general ramework o the cooperation agree-ment to carry out the internal activity in local public institu-tions;

to support local public institutions and associative struc-tures in the implementation o the cooperation system tocarry out the internal audit activity;

to establish the knowledge, skills and competences individ-uals must have in order to carry out internal audit activities;


19/111


to coordinate the recruitment system, the national systemo certication and continuous pro essional training o in-ternal auditors;

to approve the appointment/dismissal o the heads o inter-nal audit departments in public institutions;

to cooperate with the Court o Auditors to ensure the co-ordination o the internal and external audit activities andincrease their efficiency and cooperate with other authori-

ties and public institutions in Romania; and to cooperate with public authorities that have nancial con-

trol responsibilities in other states, including with the Euro-pean Commission.

c. Internal Audit Committees are established within centralpublic institutions that run during one nancial year a budget omore than 2 billion RON in order to increase the efficiency o inter-nal auditing. Te Committee comprises 5 to 7 members appointedby the head o the central public institution and its membership in-cludes: (1) two-three internal auditors with a minimum experienceo ve years; (2) two-three pro essionals with a minimum experi-

ence o ve years in a eld relevant or the activity o the respectiveinstitution; and (3) the head o the internal audit department. Teinternal auditors in the Internal Audit Committee work in otherpublic institutions that are not subordinated or coordinated by therespective public organization. Te pro essionals in the Committeeare working in the central public organization, but they do not as-sume management positions.

Te Committee is headed by a president elected by a simple majority or a three-year term which can be renewed once; the head othe internal audit department cannot act as a president. Te InternalRegulations o the Committee are approved in a plenary session bya simple majority. Its technical secretariat is ensured by the internal

audit department o the central public institution. Upon the requesto the head o the central public organization, the President o theInternal Audit Committee will attend the top management meet-ings to express the Committees opinion on the topics under debate.

According to article 10 o Law 672/2002, the main responsibili-ties o the Internal Audit Committee are:

to debate and approve the multi-annual and annual plan orthe internal audit activity;

to analyze and express an opinion on the recommendationsmade by internal auditors, including on - those that werenot accepted by the head o the central public organization;

to approve the Charter o Public Internal Auditing; to review and propose measures regarding breaches o the

Ethical Code o Internal Auditors; to assess and approve the Annual Report o public internal

auditing activities; and to approve the cooperation agreements with other public

institutions.

d. Internal Audit Departments are organized in public insti-

tutions by the manager or the Board that has the responsibility toestablish the organizational and unctional ramework required orthe internal audit activity.

Local public entities that cooperate or ensuring internal audit-ing can use the capacity o the audit department that is constitutedwithin the organizing entity or at the level o the associative struc-ture. Local public entities that did not establish their own audit de-partment or did not conclude cooperation agreements can contractthe services o certied auditors. In the case o small public institu-tions that are not subordinated to other public entities, the publicinternal auditing is restricted to compliance audit and is carried outby the audit departments o the Ministry o Finance.


20/111


For those central public institutions whose managers are pri-mary credit controllers and oversee a budget until 5 million RONand have not established an internal audit department, the auditactivity is carried out by the Ministry o Finance, through CUH-PIA, based on a cooperation protocol. Te head o the public en-tity subordinate or under the coordination o another public en-tity establishes and maintains a unctional department o internalauditing with the agreement o the superior public entity. In case

it doesnt secure this agreement, the latters internal audit depart-ment must carry out the audit activities or the subordinate publicinstitution.

Te internal audit department is established under the directmanagement o the public entity and should not be involved in thedesign o the internal control procedures and the implementationo activities to be audited. Te head o the internal audit depart-ment is appointed and dismissed by the head o the entity/associa-tive structure with the approval o CUHPIA; or the subordinatepublic entities, the appointment/dismissal is made with the ap-proval o the hierarchically superior public entity. Te head o theinternal audit department is responsible or the organization and

implementation o internal audit activities.Te size o the Internal Audit Department is determined ac-

cording to the volume o activity and the magnitude o associatedrisks o the particular institution. Te costs o the internal auditcarried out within the cooperation ramework, especially the hu-man resources costs (remuneration, contributions), are distributedamong the entities having signed the cooperation agreement de-pending on the number o days worked by auditors. Te other ma-terial costs, unless the parties agree otherwise, are to be covered bythe organizing entity or associative structure.

Te unction o internal auditor is incompatible with the pur-suit o this career or prot or rewards.

According to article 13 o Law 672/2002, internal audit depart-ments have the ollowing responsibilities:

to draw up methodological norms specic to the public or-ganization in which it carries out activities;

to develop the multi-annual plan o public internal audit,usually over a three-year period, and the annual auditingplan;

to carry out internal audit activities to assess whether the

nancial management and control systems are transparent,effective, efficient and comply with existing laws and regula-tions;

to in orm CUHPIA about the auditors recommendationsthat were not accepted by the head o the public institutionand provide advice about their consequences;

to periodically report its ndings, conclusions and recom-mendations as a result o its auditing;

to prepare the annual report o internal audit activity; to immediately in orm the head o the public entity and the

internal control responsible about any irregularities anddamage identied;

to veri y the compliance with norms, instructions and theEthical Code o Internal Auditors and take the necessarycorrective measures together with the head o the publicinstitution.

2.1.2. Conducting internal audit activities

Internal auditing in public institutions is the responsibility o theinternal audit departments which assess whether the managementand internal control systems are transparent, efficient, effective,and in compliance with laws and regulations. Te scope o internalauditing covers all the activities carried out in a public institution,including the activities o those entities subordinate or under the


21/111


coordination o other public institutions. Te internal audit depart-ment audit, at least once every three years, the ollowing:

the nancial activities rom the moment the public undsare earmarked until their utilization by the nal beneciar-ies, including those unds available through external assis-tance;

payments made according to budget and legal stipulations,including payments rom EU unds;

the administration o patrimony and the sale, lease or rentalo goods in the private property o the state or the territorialadministrative unit;

the lease or rental o goods in the public property o the stateor the territorial administrative units;

the ormation o public revenues and establishment o ac-counts receivable and the advantages offered upon their col-lection;

the allocation o budgetary credits; the accounting system and its effectiveness; the decision making system; the management and control systems and the risks associ-

ated with these systems; and the I systems.

Te internal audit engagements are made according to a workprogramme or plan. Te multi-annual and annual auditing plansare prepared by the internal audit departments afer the evalua-tion o the risk level o different structures, activities, programmes/projects or operations. In this process, the suggestions o the heado the public organization, the recommendations o the RomanianCourt o Auditors and the European Commission should be takeninto account. Tose activities posing a high level o risk should beaudited on a yearly basis.

Te projects or the multi-annual and annual plans o the localpublic entities that manage their audit though external cooperationare centralized and included in the audit plans o the organizingpublic entity or the associative structure.

Te multi-annual and annual plans in those organizations car-rying out activities through service provision contracts are elabo-rated and approved by the head o the organization. Te heads opublic institutions approve annually the internal audit plan.

Auditors in the internal audit departments conduct, with theapproval o the head o the organization, ad-hoc, exceptional en-gagements that are not covered by the audit plans.

In their audit engagements, internal auditors are authorizedby an order issued by the head o the internal audit department.Trough this order the head nominates the auditing team andclearly stipulates the purpose, objectives, type and duration o theauthorized activities.

Te Internal Audit Department shall noti y the department orstructure to be audited 15 days in advance. Te notication, includ-ing the Charter o internal audit in the public sector, shall includein ormation about the purpose, main objectives and duration o

the engagement.Tere are different types o internal audit engagement:a. system auditing represents an in-depth assessment o the

management and internal control systems in order to de-termine whether they operate efficiently and effectively,identi y possible deciencies and make recommendations

or their correction;b. per ormance auditing examines whether the criteria that

were established or the implementation o activities andulllment o objectives are relevant or the evaluation o

results and assesses whether the results are consistent withthe objectives;


22/111


c. compliance auditing examines the organizations adherenceand compliance with all principles, procedural and meth-odological rules in spending public money.

Internal auditors have access to all data and in ormation, in-cluding those in electronic ormat, they consider relevant orachieving the objectives o their mission. Te management and ex-ecution personnel in the audited structure must provide the docu-ments and in ormation requested within the set deadlines and all

the support to assure that the audit takes place in the best possibleconditions. Internal auditors may request data, in ormation, cop-ies o documents, con ormity certicates rom physical and juridi-cal persons in connection to the audited structure and they arerequired to respond to these requests in due time. Also, internalauditors can make nancial and accounting assessments in order to veri y the legality and con ormity o the internal control activitiesthese physical and legal persons underwent.

In order to protect the nancial interests o the EU, the author-ized representatives o the European Commission and the Europe-an Court o Auditors are granted similar rights o those o internalauditors. o prove their identity and position, the representatives

must have a written authorization and an accompanying documentstating the object and purpose o the control or on-site inspection.

I the need or specialist/expert knowledge in the execution othe audit arises, the head o the internal audit department can de-cide to contract external experts and consultants.

At the end o each audit mission, the auditors prepare a reportcomprising the general ramework, objectives, ndings, conclu-sions and recommendations. Te report is accompanied by the jus-ticatory documents. Te draf o the report is sent to the auditedstructure which can transmit its comments in maximum 15 days.Within 10 days rom the receipt o these comments, the internalaudit department organizes the conciliation meeting with the au-

ditee to analyze the ndings and conclusions and advance towardsthe acceptance o the proposed recommendations. Te head o theinternal audit department shall transmit the nal draf o the inter-nal audit report, together with the results o the conciliation meet-ing, or review and approval to the ollowing persons dependingon the case:

1. the head o the public entity that approved the mission;2. the head o the local public entity that manages its auditing

through external cooperation without in orming other ju-ridical or physical persons, except as provided by law, aboutdata, deeds or situations discovered during the audit mis-sion; and

3. the head o the small public institution.Afer approval the recommendations in the internal audit re-

port shall be communicated to the auditee which is required to in-orm the internal audit department about the method and timeline

o their implementation. Te head o the department then in ormsCUHPIA or the hierarchically superior body about the recommen-dations that were not approved. Tese recommendations will beaccompanied by the supporting documents. Also, the department

assesses and reports about the progress made in the implementa-tion o recommendations to CUHPIA or the hierarchically supe-rior body.

2.1.3. The profession of internal auditor

Te internal auditors who are civil servants are subject to thelegal stipulations on incompatibilities and rights and obligationsaccording to Law 188/1999 on the Statute o Civil Servants, repub-lished and amended, and Law 672/2002 republished.

Te appointment or dismissal o internal auditors is made bythe head o the public institutions or the managing board, with theapproval o the head o the internal audit department. According


23/111


to the Pro essional Standard approved or internal auditors, theirpro essional background and general ramework o competencescover at least the ollowing areas: internal auditing, risk manage-ment, internal control and governance, management, accounting,public nances, in ormation technology, and law.

Te recognition o internal auditors pro essional competencesis made based on:

the match between the courses taken during the undergrad-

uate and graduate studies, as revealed by transcripts and na-tionally recognized diplomas, and the areas covered by thegeneral ramework o competences; and

i the auditors background is not covered by these areas,they must complete the pro essional training by graduat-ing relevant programmes organized by accredited institu-tions.

Te certicate o attestation is issued i all the ollowing condi-tions have been met:

a. the auditor has the required pro essional background;b. the auditor has a pro essional experience o minimum one

year; and

c. pro essional integrity conrmed by two recommendationso internal auditors or specialists with a minimum experi-ence o 5 years in the public sector.

Te internal auditors with an internal audit certicate issuedby internationally recognized institutions in the eld, such as theInstitute o Internal Auditors in the USA, the French Institute oAudit and Internal Control, the Institute o Internal Auditors in theUK and Ireland, have their pro essional competences recognized atthe national level.

Te certicate o attestation loses its validity when:a. the internal auditor did not carry out internal audit activi-

ties in the last 5 years; and

b. the internal auditor did not attend pro essional trainingcourses in the context o the continuous pro essional train-ing programme.

Te recruitment process and the rights and obligations o theinternal auditors that are not civil servants must comply with theinternal regulations o each public institution and the stipulationso the Law 672/2002. Te physical persons requesting a certicateo attestation will be subjected to the same conditions regarding is-

suance and duration o validity as those applied to internal auditorsin public institutions.

Internal auditors should discharge their duties objectively andindependently, with pro essionalism and integrity, according toLaw 672/2001 and the rules and procedures o internal auditing.Tey are not to be sanctioned or demoted or their actions under-taken in good aith to achieve tasks within their mandate. Internalauditors shall not disclose any data, acts or situations ound duringor in connection to their missions.

It is the responsibility o internal auditors to protect the docu-ments associated with the internal auditing conducted at a publicinstitution. Te responsibility or the actions taken afer analyzing

the audit reports belongs to the management.Internal auditors should comply with the Ethical Code o

the Internal Auditor. Also, they are required to improve theirknowledge, skills and values as part o continuous pro ession-al training, even a ter obtaining the certi icate o attestation,through:

a. participation in courses and seminars on topics that allwithin the areas o the pro essional competence rameworkor relevant or the activity o the public institution;

b. individual studies on topics approved by the head o the in-ternal audit department; and

c. pro essional publications.


24/111


Te continuous pro essional training, which is the responsibilityo the head o the internal audit department and o the public in-stitution, is organized or a period o minimum 15 days every year.Internal auditors are required to submit every ve years reports re-garding the organization o these trainings to the body having is-sued the certicate. On this basis the validity assessment is decided.

Spouses, relatives and in-laws, up to the ourth degree, includingthe head o the public institution, can not be internal auditors within

the same entity. Internal auditors can not be appointed to conduct in-ternal audit missions in an institution i they are spouses, relatives or in-laws, up to the ourth degree, o the manager or members o the board.

Internal auditors should not be involved at all in undertakingactivities or implementing the internal control systems that theycould potentially audit. Auditors that have responsibilities in theimplementation o programmes nanced totally or partially by theEuropean Union should not be involved in their auditing. Also, au-ditors should only be assigned audit missions in areas o activitywhere they previously held positions only afer the lapse o threeyears. Internal auditors ound in any o the situations mentionedabove are required to immediately noti y, in writing, the head o

the public institution and o the internal audit department.

2.2. The normative framework

In addition to the legislative ramework, internal auditing isregulated by a normative ramework or the assurance and consult-ing activities.

2.2.1. The normative framework for assurance activities

Te general normative ramework or the audit activity o as-suring the management o a public entity as to the effectiveness othe internal control system is comprised o :

Order o the Minister o Finance 38/2003 or the approval othe General Norms regarding the accuracy o public inter-nal auditing known as the Internal Auditing Manual;

Order o the Minister o Finance 252/2004 or the approval othe Ethical Code o Internal Auditors which repealed Order880/2002 adopting the Ethical Code o Internal Auditors;

Order o the Minister o Finance 423/2004 that amends andsupplements the Order 38/2003 on the General Norms re-

garding the activities o public internal auditing.Te internal audit structures rom public institutions have de-

veloped their own general norms on the basis o the general meth-odological norms as required by law.

General Norms are structured in ve parts: Part I - Te application o the general rules o public internal

auditing Part II - Te methodological rules regarding the internal audit

missions Part III - Te procedural guide Part IV - Te internal auditing charter Part V - Glossary

2.2.1.1. The application of the general rules of public internal auditingTis rst part o the methodological rules has the ollowing

structure:a. General provisions where internal auditing in the public

sector and the types o internal audit are dened;b. Internal audit structures in Romania which discusses in de-

tail the organization o the internal audit in Romania andthe responsibilities o every structure; and

c. Rules applicable to the internal audit department and in-ternal auditors. Tis section provides detailed in ormationabout the ollowing norms:


25/111


Qualication norms which are comprised o : (1) TeCharter o Internal Audit and the Ethical Code o Inter-nal Auditors, (2) Independence and Objectivity, (3) Pro-

essional competence and integrity, and (4) Enhance-ment o quality; and

Operational rules o internal auditing.

2.2.1.2. Methodological norms regarding the internal audit missions

Tis section describes the methods and tools used in conduct-ing internal audit assignments according with the General scheme(Figure 1) which provides a holistic perspective over the internalaudit process. Te lef side o the graph presents the stages o inter-nal auditing and the relevant procedures, while the right side pre-sents the results obtained and the corresponding documentation.

An internal audit mission involves the ollowing steps:Step 1 Preparation or the internal audit assignment. Te ol-

lowing procedures (P) are to be undertaken at this stage:P01-P03 Te initiation o auditing which requires the prepa-

ration o the documents:P01 Te order o authorization is adopted by the head o the in-

ternal audit department based on the annual plan approved by themanager o the public institution. Te order represents the man-date granted to internal auditors to start the activities and com-prises the division o tasks among internal auditors.

P02 Te declaration o independence whereby internal auditorsinvolved in the mission guarantee to maintain their independencethroughout their engagement.

P03 Te notice o initiation through which the Department oInternal Auditing in orms the auditee 15 days in advance about thepurpose, main objectives, duration o the mission and the plannedon-site interventions whose schedule will be decided by commonagreement.

P04 Collecting and processing the in ormation. Tis pro-cedure requires that internal auditors collect general in ormationabout the structure to be audited. Te in ormation must be relevant

or the achievement o the ollowing objectives:a. the identication o the main elements o the socio-eco-

nomic and institutional context in which the institution un-dertakes its activities;

b. acquiring knowledge about the entity/structure that will be

audited in respect to its working methods and the hierarchiclevels;

c. the identication o the strengths and weaknesses and con-trol systems o the structure/entities to be audited;

d. the identication and assessment o signicant risks; ande. the identication o those pieces o evidence necessary to

achieve the objectives o control and the selection o the ad-equate investigative techniques.


26/111


In ormation processing consists o :1. the analysis o the entity to be audited and its activities (hu-

man resources chart, internal regulations, job description,the circuit/ow o documents);

2. the analysis o the normative ramework;3. the analysis o those elements susceptible to prevent the re-

alization o the audit assignments;

4. the analysis o the results o the previous audit missions; and5. the analysis o the external in ormation concerning the en-

tity to be audited.At this stage auditors should draf the Checklist o the objects

o Auditing. Te objects o auditing represent the basic activitieso the audited domain whose characteristics can be dened theo-retically and compared against the reality. Teir identication takesplace in 3 stages:

1. the denition in detail o every activity and process start-ing with its initiation and ending with its recording (auditcycle);

2. the agreement o the conditions every operation has to meetrom the point o view o the specic controls and the cor-

responding risks to be avoided; and3. the identication o those operating procedures necessary or

the institution to achieve its objective and minimize risks.

P05 Risk analysis

Risk represents any event, action, situation or behavior thatmight have a negative impact upon the capacity o the public entity

to achieve its objectives. Tere are several risk categories:a. Organizational risks: lack o precise responsibilities, de-

cient organization o human resources, insufficient and outo date documentation;

b. Operational risks: ailure to register activities in the ac-counting system, improper archiving o justicatory docu-ments, lack o control over the operations having a highlevel o risk;

c. Financial risks: unsecured payments, undetected nancialoperations posing signicant risks; and

d. Risk generated by legislative, structural, managerial chang-es, etc.


27/111


Te components o risk are: the probability o occurrence andthe level o impact measured by the gravity and duration o its con-sequences.

Risk analysis, as one o the main procedures in internal audit-ing, has the ollowing objectives:

to identi y the dangers in the entity undergoing an audit; to identi y whether the internal control or other procedures

in the public entity can prevent, eliminate or minimize risks;

and to evaluate the structure and evolution o the internal control.Te stages o risk analysis are:1. the analysis o the activities o the entity;2. the identication and assessment o inherent risks with an

impact over the nancial operations;3. the verication and assessment o internal controls, internal

control procedures; and4. the assessment, measurement and classication in groups o

risk o the weaknesses identied. Internal auditors shouldincorporate in the identication and assessment o signi-cant risks those risks discovered during previous assign-

ments.Te criteria used or the measurement o the risk occurrence

are the vulnerability o the entity and internal control assessment.Te risk occurrence probability varies rom impossibility to cer-titude on a three-level scale: low probability, medium probabilityand high probability.

a. Te vulnerability o the entity o make an assessment, the auditor will take into considera-

tion all actors that might have an impact upon vulnerability, suchas the human resources, the complexity o processing operations,the available technical means. Te vulnerability is assessed on threelevels: low, average and high.

b. Internal control assessmentTis assessment is based on an analysis o the quality o internal

control on three levels: proper, insufficient serious shortcomings.Te level o the impact re ers to the effects o risk occurrence andcan be expressed on a scale with three values: low, moderate andhigh.

In a risk analysis, internal auditors comply with the ollowingprocedures:

1. they identi y the operations and objects that will be auditedand their interdependences and establish the scope o theanalysis;

2. they identi y the threats and inherent risks associated withthese operations and activities by establishing their nancialimpact;

3. they establish the criteria or risk analysis. It is recommend-ed that internal auditors use the ollowing criteria: internalcontrol assessment, quantitative and qualitative assessment;

4. they establish the risk level or each criterion using a scale o values on three levels as ollows:

d1) or the internal control assessment: appropriate in-

ternal control - level 1; inadequate internal control - lev-el 2; decient internal control - level 3;

d2) or the quantitative assessment: low nancial impactlow - level 1; average nancial impact level 2; impor-tant nancial impact - level 3;

d3) or the qualitative assessment: low vulnerability -level 1; average vulnerability - level 2; high vulnerability- level 3;

5. they establish the total score or the criterion used ( ). Eachcriterion is assigned a weight actor and risk level. Te resulto the multiplication represents the score o that particularcriterion. Afer adding all the scores, one obtains the total


28/111


risk value o a particular operation/activity. otal risk scoreis obtained by using the ormula:

= P(i) x N(i)Where: 1 = 1 ... n P(i) = the risk weight or each criterion; N(i) = the risk level or each criterion used or = N1 x N2 x .... x N (i), where

N= the risk or each criterion used.

6. they classi y risks based on the obtained scores in low risk,medium risk, high risk;

7. they rank the operations and activities to be audited andcreate a table o strengths and weaknesses. Te latter sum-marizes the outcome o the assessment o each activity ana-lyzed and allows risk prioritization to guide internal audit-ing and decide the audit topics in detail. Te lef side o thetable displays the outcome o the risk analysis, while theright side presents the auditors opinions and comments.

P06 Establishing in detail the theme of the internal audit missionTe detailed theme comprises all areas and objects o auditing se-

lected, is approved by the head o the internal public department andcirculated to the management team in the public institution duringthe opening meeting. Based on the detailed theme, the internal au-dit programme, an internal working document, is adopted. Te pro-gramme comprises the specic actions to be undertaken by auditorsaccording to each objective in the detailed theme and the division otasks in the team. Te purpose o the internal audit programme is:

to assure the head o the internal audit department that allaspects related to the objectives o the audit mission havebeen taken into account;

to establish the way in which tasks are allocated and activi-ties planned.

Te preliminary programme o on-site interventions is createdbased on the internal audit programme and presents in detail theactivities that internal auditors propose themselves to carry out, in-cluding the studies, measurements, tests, the collection and assess-ment o evidence, and the schedule o these activities.

P07 The opening meeting

Te opening meeting takes place at the institution that will beaudited, with the participation o auditors and the personnel o thepublic institution. Te agenda o the meeting should comprise:

the introduction o internal auditors; the presentation o the objectives o the audit mission; the establishment o the reporting deadlines o the assess-

ment stages; the presentation o the detailed theme; the calendar o the meetings; and ensuring the material conditions required or carrying out

the internal audit mission.Te institution that is undergoing the audit can request the post-

ponement o the engagement on relevant grounds. Te postpone-ment should be discussed within the internal audit department anda notice should be sent to the head o the public institution.

Te date o the opening meeting, the name o the participants,the important aspects o the discussion should be recorded in theminutes o the opening meeting. Te internal audit departmentshould noti y the entity to be audited about the schedule o the on-site verications and provide the Internal Audit Charter.


29/111


Step 2 On site interventions (eld work)Te eld work includes the collection, analysis and assessment

o documents. It presupposes the ollowing steps:1. the knowledge o the system, processes and procedures un-

der investigation;2. interviewing the personnel;3. verication o the accounting entries;4. the analysis o data and in ormation;

5. the assessment o efficiency and effectiveness o internalcontrol;

6. conducting tests; and7. assessing the way in which the corrective measures pro-

posed in the previous audit mission were implemented.Te main techniques used by internal auditors are:a. comparison: conrmation o the identity o a piece o in or-

mation by using more sources;b. examination: the detection o errors and irregularities;c. re-computation or the verication o the mathematical cal-

culations;d. conrmation: requesting in ormation rom two or more in-

dependent sources;e. agreement: the process o matching two distinct categories

o records;. guaranteeing: assessing the accuracy o the registered trans-

actions by examining every item registered and its justica-tory documents; and

g. ollow up: the verication o procedures rom justicatorydocuments to items recorded. Te purpose o ollow up is toassess whether the real transactions were recorded.

Te main instruments used in internal auditing are:1. Te questionnaire comprising the questions asked by inter-

nal auditors. Tere are several types o questionnaire: the

acknowledgement questionnaire (questions about the socio-economic context, internal organization, activities); the in-ternal control questionnaire (serves as a guide or internalauditors in identi ying the dys unctions and their causes);the check list questionnaire (establishing the conditionsthat every area undergoing audit should meet; it comprisesa set o standard questions about the dened objectives, re-sponsibilities, nancial, technical means, available human

resources)2. Te auditing ow chart which establishes the circuit o the

in ormation, the responsibilities and attributions, the justi-catory documentation and the reconstitution o the opera-tions rom the total sum to the individual details

3. Te internal audit ndings orms that are used to presentthe outcome and conclusions o the audit engagement.

P08 Te orm identication and analysis of problems is lledout or every dys unction detected. It includes its summary, causesand consequences and recommendations. Te orm must be ap-proved by the coordinator o the audit mission, conrmed by therepresentatives o the entity that was audited and supervised by the

head o the internal audit department.P09 Te orm ascertainment and reporting of irregularities is

lled out i internal auditors ascertain the existence or likelihoodo irregularities. It is immediately orwarded to the head o inter-nal department who will in orm within 3 days the manager o thepublic institution and the authorized control structure to continue verications.

Te internal audit records contain in ormation which linksthe audit task, on-site intervention and the internal audit report.Te records are then used by internal auditors to ormulate theirconclusions. ypes o internal audit records:

a. the permanent record comprises the ollowing sections:


30/111


Section A- Internal audit report and annexes: authorization order; independence declaration; reports (intermediary, nal, summary o recommendations); the ormidentication and analysis o problems; the ormascertainment and reporting o irregularities; and audit programme.Section B- Administrative: the notice regarding the initiation o the internal audit mis-

sion; the minutes o the opening meeting; the minutes o the reconciliation meeting; the minutes o the closing meeting; and the correspondence with the public institution undergoing

auditing.Section C- Te documentation o the internal audit mission: internal strategies; rules, regulations and applicable laws; work procedures; materials about the entity/structure undergoing auditing

(debts, responsibilities, number o employees, job descrip-tion, organizational graph, nature and location o account-ing entries);

nancial in ormation; previous internal audit reports; in ormation regarding key positions/the ux o operations; and the risk analysis documentation.Section D- Supervising and revising the internal audit mission

and its results: revision o internal audit reports; and internal auditors response to the revision o the internal au-

dit report.

b. the working document records comprises photocopies andextracts o the justicatory documents. Te le is indexedby assigning letters and numbers or every section/objectivein the audit programme. Te index must be clear and easyto ollow.

P10 Te review o working documents shall be carried out byinternal auditors be ore the internal audit report to ensure that theworking documents are prepared appropriately.

Te internal audit records are the property o the public institu-tion and are condential. Tey shall be kept until the implementa-tion o the recommendations in the internal audit report and sub-sequently archived according to the existing regulations.

P11 Te closing meeting is organized to enable internal audi-tors to express their opinion, present the nal recommendations inthe report and agree on a calendar or implementing the recom-mendations.

Step 3 The internal audit reportTe proc

Auditing in Public Institutions Suport de Curs

Documents

Transcript of Auditing in Public Institutions Suport de Curs