Entity Management Responsibility in Implementing the Internal Audit Recommendations
Nicoleta Ardeleanu (Trifu)1; Isabela-Raluca Bogasiu (Anton)2
Abstract: In the last 20 years, the public entities in Romania have known a change of concept between the financial management control organized over the financial-accounting operations and the internal public audit exercised over all general and specific objectives, their evaluation tools and the expected results in accordance with those forecast. The object of the research is the reporting of the results and the opinion of the audit, of the way of implementing the recommendations formulated towards the internal control instruments adopted at the level of the public entity.
Keywords: internal audit; counseling activity; internal control
JEL Classification: M42
1. Introduction
In Romania, during the planned economy, the entities were accustomed to a periodic control system for performing a background control of the activity.
The internal audit appeared relatively late and was associated with the concept of internal control together with Law no. 672/2002 on public internal audit, the public entities being obliged to organize the internal public audit department in the organizational structure.
According to Law no. 672/2002 regarding the internal public audit in Romania, republished, “the internal public audit is defined as the functionally independent activity, and objective, insurance and counseling, designed to add value and improve the activities of the public entity; helps the public entity to achieve its objectives, through a systemic and methodical approach, evaluates and improves the efficiency and effectiveness of risk management, control and governance processes”.
The internal audit evolved and the company accepted the role of this activity, so the auditors felt the need to organize and standardize their practical activities (Ghiţă, 2009).
The internal auditor is the competent, independent person who gathers and analyzes evidence on quantifiable information in order to determine its correspondence with well-established criteria and to report it (Arens & Loebbecke, 1991).
2. Research Study
The public entities in Romania, in the last 20 years have known a change of concept between the organized financial control over the financial-accounting operations and the internal public audit exercised over all general and specific objectives, their evaluation tools and the expected results in accordance with those forecast.
The object of the research is the reporting of the results and the opinion of the audit, of the way of implementing the recommendations formulated towards the internal control instruments adopted at the level of the public entity.
The scientific approach aims to analyze the relationship of audit with the management of public entities (Ghiţă, 2009; Boţa, 2009), the role of audit in the control system of the entity (Arens & Loebbecke, 1991; Renard, 2002; Ghiţă, 2008), as well as the interdependence between the audited fields and the level of risks (Dumbravă & Sfetcu, 2014).
3. Research Methodology
The main methods used in the research that formed the basis of this study were documentation, observation, deductive and inductive reasoning, analysis, synthesis, statistical methods, and qualitative methods.
The main categories of documentation sources were obtained based on bibliographic documentation.
4. The Main Identified Risks of the Entity and the Evaluation of the Internal Control System
Although management control and internal audit are two different notions, in contemporary society confusion is frequently created. First of all, the financial management control and the internal audit are complementary. The financial management control cannot function without a minimum guarantee regarding the quality of the received information, and the verification of the quality of the information belongs to the internal audit. The 2 activities will maintain their independence and objectivity. At the request of the management and the audit, the financial management control will examine the execution of the annual investment and development budgets and programs, and the internal audit will verify the accuracy of the information provided by the financial management control.
Thus, the management control and the internal audit cooperate without overlapping, their purpose being the fulfillment of the entity's objectives in conditions of legality, economy, efficiency and effectiveness.
If at the beginning the internal audit focused on financial-accounting issues, now the audit objectives are focused on identifying the main risks of the entity and evaluating the internal control system.
The identification and assessment of risks at the level of the audited entity is performed by the internal auditor for each category of economic operations subject to audit. The elements considered by the internal auditor can be:
- the risks identified by those responsible for their own activities;
- plans for reducing / limiting the consequences generated by risks;
- risk register.
The internal auditors consider that the responsibility for the elaboration of the risk register belongs to the head/coordinator of each functional component, and by centralizing all the identified risks, the appointed person in charge will elaborate the “Risk Register of the entity” and will ensure its updating, at least annually. Examples of risks identified at the level of public entities: incorrect use of financial, human, material and technical resources, incorrect processing of financial information, incorrect processing of management decisions, fraud, error.
In the following we present the stages of risk identification and assessment at the level of the entity:
Table on risk monitoring at the level of the public entity
IDENTIFYING RISKS
- Permanent process carried out by the persons involved in achieving the specific objectives.
- Risks are associated with the objectives / activities carried out.
RISK ASSESSMENT
- Identification of internal factors: specificity, complexity of the activity, staff training, changes in the structure of the organization.
- Identification of external factors: legislative changes, socio-economic changes.
- Hierarchy of risks by assessing the probability of occurrence of the risk and its impact of depreciation or failure to meet specific objectives.
RISK MANAGEMENT
- Stage 1 - Acceptance of risks: risks are accepted without taking action
- Stage 2 - Risk control in order to be treated
- Stage 3 - Transfer of risks, in case of financial or patrimonial risks
- Stage 4 - Elimination of activities (these are risks that can only be eliminated or reduced by eliminating / reducing activities).
- Stage 5 - Opportunities - Identification of internal control measures associated with the identified risks.
RISK MONITORING AND REPORTING
- Permanent process carried out by the persons involved in achieving the specific objectives.
- The risks associated with the specific objectives/activities carried out are reported to the internal control monitoring commission, periodically, taking into account: persistence of risk; the probability of new risks; changes in the impact on specific objectives.
(own conception)
5. The Responsibility of the Management of the Public Entity in Implementing the Internal Audit Recommendations
From the evaluation of the internal control system, the internal audit is an important function in the strategic management of the entity. A planning of audit engagements will be constructed taking into account the specific objectives and resources of the entity in relation to the areas of audit and significant risks (Dumbravă & Sfetcu, 2014).
In the literature there are authors who consider that the use of the word “activity” to define internal audit, instead of the term “function” places its manager on a subordinate position, taking into account that an activity is more elementary than a function (Renard, 2002).
The internal audit is an adjunct to the external audit; the exercise of the internal audit function will lead to the external auditor's assessment of the quality of the regularity, and the accurate picture of the financial statements. The internal audit will be approached according to risks with the same methods, techniques and procedures, whatever the sector or area of activity, based on specific methodologies.
Internal audit is the highest component of internal control, and provides assurance on the functionality of the internal control system based on professional standards.
During their mission, the internal auditors notice and signal different dysfunctions in the activities carried out within the entity.
An adequate compliance audit will detect malfunctions in all activities of the public entity before they lead to major negative consequences. It should be mentioned that it is not the responsibility of the audit department to solve the problems found. This responsibility belongs to the audited structures. The internal auditors formulate an opinion on the malfunctions found and possibly suggest a solution, but the involvement of the audit in the works of the audited structure should be avoided, for the following reason:
The independence and objectivity of the internal auditor will be affected if he is directly involved in the financial and patrimonial management decisions.
The management of the public entity will build an adequate internal audit structure, essential in achieving the specific mission, purpose and objectives, by:
- ensuring and maintaining a high level of competence to enable it to understand the importance of developing, implementing and maintaining effective internal controls;
- organizing and exercising independently the internal audit function, with the head of the public internal audit department reporting directly to the management on the findings, consequences and recommendations made;
- approving the specific objectives of the internal audit;
- implementing the recommendations formulated by the internal auditors in their entirety and within the established term.
The proper functioning of the internal control system will help the management of the entity to achieve the desired results through the efficient management of public resources. The internal control will give assurances, within reasonable limits, that the objectives of the unit are fulfilled by following the following directions of action:
- compliance with legal regulations, own procedures and professional standards;
- the use of material, financial and informational resources in conditions of economy, efficiency and effectiveness;
- promoting the continuous professional training of own human resources and the evaluation of professional competencies based on individual performance indicators;
- certification of the information presented in the financial statements.
The existence of an efficient internal control system and of a risk management policy creates the premises for capitalizing on the internal audit function within the public entity.
The responsibilities of management and internal audit for an efficient internal control will be concise, delimited and built according to the professional standards, ultimately leading to the achievement of the specific objectives of the entity, in conditions of efficiency and effectiveness.
Figure 1. Management and internal audit responsibilities for effective internal control
(own conception)
A possible internal control monitoring model can be applied by the entity's management by completing the questionnaire, as follows:
Self-Assessment Questionnaire for Internal Control
Organizing its own internal control framework:
- have the risks associated with the entity's specific objectives been identified and assessed?
- have the control objectives for risk management been identified?
- have the control policies and procedures been developed to meet the control objectives?
- have personal integrity, professional integrity and ethical values been ensured?
- has an adequate level of qualification been ensured that leads to performance and efficiency?
- has the added value of internal controls been ensured for the fulfillment of responsibilities?
Implementation of internal control:
- does the internal control work at the level of each structure within the public entity?
- does the internal control work in accordance with the internal control standards?
- are control practices applied in line with the principles of efficiency and effectiveness?
- is there a continuous monitoring of the application of internal control practices through management plans?
Implementation of internal audit:
- is there a delimitation of the internal audit compared to the internal control?
- is the internal audit function an integral part of the internal control?
- is a functional internal audit structure set up at the level of the public entity?
- was the independence of the internal audit structure within the public entity ensured?
- is a value-added monitoring system organized on the entity's specific objectives regarding the implementation of internal audit recommendations?
(own conception)
From those presented, the internal audit at the level of the public entity fulfills the following 3 important functions:
- provides advice to the management of the public entity: internal auditors have the role of advising, assisting, recommending, providing decision support at each hierarchical level, without making decisions; the decision belongs to management, while internal audit gives assurance on the functioning and effectiveness of internal control;
- helps employees: the role of internal auditors is to identify the weaknesses of the internal control system and the associated risks and not to establish guilt or sanction. The internal audit reports will not mention the guilty persons, but only the identified dysfunctions and risks; the remedial decisions, the sanctioning and the removal of the risks are the responsibility of the management;
- independence and objectivity of the internal auditor: in carrying out the audit activity the auditor must judge impartially, without prejudice, to avoid conflicts of interest. The position of the audit department within the entity is essential - distinctly under the direct subordination of the head of the entity.
6. Conclusions
Implementing an adequate control system and ensuring that internal control policies are compliant to achieve the general and specific objectives of the public entity are the responsibilities of management, and providing assurance to management on the functionality and adequacy of the internal control system belongs to internal audit.
The added value of the internal audit does not materialize through the findings, recommendations and conclusions; another aspect is much more important: the receptivity of the audited structure to risks and their consequences on the objectives of the public entity. For this reason, the internal audit should ensure the transparency of the information and contribute to the efficiency of the public entity’s strategies.
7. References
Arens, A. & Loebbecke, J. (1991). Auditing an integrated approach. 5th edition. Ed. Prentice-Hall.
Boţa, Avram C. (2009). Auditul intern al societăţilor comerciale/ Internal audit of companies. Cluj Napoca: Ed. Risoprint.
Dumbravă, P. & Sfetcu, M. (2014). Asigurarea eficienţei activităţii entităţilor publice pe baza recomandărilor auditorilor publici interni/Ensuring the efficiency of the activity of public entities based on the recommendations of internal public auditors. Revista Audit Financiar/Financial Audit Journal, no. 12.
Ghiţă, M. (2009). Guvernanţa corporativă şi auditul intern/Corporate governance and internal audit. Bucharest: Editura Tehnică-Info.
Renard, J. (2002). Théorie et pratique de l’audit interne/Theory and practice of internal audit. Paris: Éditions d’Organisation.
*** Legea nr. 672/2002 privind auditul public intern/Law no. 672/2002 regarding the internal public audit.
1 PhD Candidate, “Valahia” Târgovişte University, Romania, Address: 13 Aleea Sinaia Street, Târgoviște 130004, Romania, Corresponding author: nico75ard@yahoo.com.
2 PhD, “Valahia” Târgovişte University, Romania, Address: 13 Aleea Sinaia Street, Târgoviște 130004, Romania, E-mail: isabogasiu@gmail.com.