Internal Audit and Management of Operational and Financial Risks

Marius Daniel Moscu¹

Abstract: Companies that have the obligation to audit their financial statements, as well as those that wish to do so on their own initiative, have the obligation to set up an internal audit service. Internal auditors may have a considerable influence on the operational efficiency and effectiveness of the entity, as well as on treasury and profit flows. Internal auditors carry out an important part of financial audit work, similar to that performed by independent external auditors. Many of the concepts and methods of financial audit also apply to internal audits. Internal auditors devote their entire working time to a single economic entity. Consequently, their knowledge of the entity's operations and internal control mechanisms is far more profound than that obtained by external financial auditors. Internal audit includes the examination and assessment of the adequacy and effectiveness of the entity's internal control system, as well as the assessment of the quality of the tasks assigned to each employee.

Keywords: internal audit; internal control; financial audit; governance; fraud

Internal Audit

The term audit is derived from the Latin word “hearing”, which meant obedience. As an action taken to listen, then to analyze and, finally, to indicate some possible solutions, the audit allows the contribution of reasoned and independent judgment. Thus, according to the IIA, “Internal audit is an independent activity of objective assurance and counseling, designed to add value and lead to the improvement of the activities of the organization, which it supports in achieving its objectives. It helps the organization in achieving its objectives through a systematic and disciplined approach in the evaluation and improvement of the efficiency of risk management, control and governance processes.” Internal audit is, as defined by CAFR by decision 48/2014, modified by decision 73/2014, “an independent activity of objective assurance and counseling, designed to add value and improve the operations of an organization. It helps an organization in achieving its objectives through a systematic and methodical approach that evaluates and improves the efficiency of the risk management, control and governance process.”

ISA 610 also defines internal audit as “an evaluation activity within an entity, an activity that represents a service performed in favor of the entity. Its functions include, among other things, examining, evaluating and monitoring the adequacy and efficiency of accounting and internal control systems.”

Internal audit appeared relatively recently. It emerged in an incipient form during the economic crisis of 1929 in the US, the crisis that affected all the companies. In this context it became necessary to reduce the fiscal burden and to carry out a thorough analysis of the phenomenon within each company.

As most of them had already outsourced these services to specialized audit offices, it was necessary for these companies to have staff hired to prepare the preliminary work for auditing the financial statements.

In this context, the internal auditors - named in this way due to the fact that they were employees of the respective company - appeared and had as main attributions the preparations necessary for the audit mission of the respective offices.

As a result of the creation of this internal service within each company, the main objective has been achieved, namely the reduction of taxes due to the state.

Lionel Stoleru compared, of course, the internal audit with the internal ear, the seat of the human body balance. The audit does not have to ensure balance, but only to check if the necessary conditions are met to maintain it, to control the disorder, to adapt to changes, to evaluate the degree of security and the risks.

Auditing is the process by which competent, independent persons collect and evaluate evidence to form an opinion on the degree of correspondence between the observed and certain predetermined criteria - Wanda Wallace, Auditing. “PC World Romania 6/95 p. 48.” The paper «Internal control procedures and financial audit» [appeared] in the publishing house Gestiunea. “Fd; v. and auditor (from non-audit; cf. audit).

Internal audit is an occupation that over the years has been redefined due to constantly changing needs, moving audit objectives from financial-accounting problems to identifying risks and evaluating internal control.

The internal audit activity will be able to achieve its purpose only if there is an efficient, well-organized internal control system, based on specific procedures.

From this point of view, the internal audit offers the certainty that the operations performed and the decisions taken are under control and in this way contribute to the achievement of the entity's objectives.

Types of Internal Audit

According to the literature there are several types of audit.

A. From the point of view of the objective and scope of the audit, there are:

- the compliance or legality audit includes the attestation of the responsibility of the financial statements of the entities, supposing the examination and evaluation of the financial records and the expression of opinions on the financial statements.

- the financial attestation audit, which consists in expressing an opinion on the financial reports and in providing credibility on the financial statements.

In most cases, the attestation audit and the compliance audit are carried out concurrently and are called regularity audit or legislative audit.

- the audit of the performance or of the results is synonymous with the expression “value for money” and represents an objective and systematic examination of the reality for evaluating the performance of a program or an activity.

B. Depending on how the audit activity is organized, there are:

- Internal audit

- External audit.

C. Based on the moment when the audit is performed, the distinction is made between the preventive audit and the subsequent audit.

Preventive audit represents an examination of the administrative or financial operations prior to their actual performance, having the possibility of discovering the premises for generating an injury.

The subsequent audit represents an analysis of the administrative and / or financial operations after their performance. The overall objective of the internal audit is to provide a reasonable assurance that the entity's objectives will be achieved.

The internal audit activity is carried out on the basis of the provisions contained in the specialized standards. A standard is understood here as a professional opinion promulgated by the Internal Audit Standardization Council, which describes the requirements for carrying out a wide range of internal audit activities and for evaluating the internal audit results.

The Objectives of the Internal Audit

International Internal Audit Standards set the following objectives within internal audit missions:

1. Objectives for improving the governance process:

a) Promoting an adequate ethical conduct and the corresponding values within the organization;

b) Ensuring effective performance management within the organization and assuming responsibility;

c) Communication of risk and control information to the appropriate structures in the organization;

d) Coordination of activities and communication of information between the board of directors, internal and external auditors and management of the entity.

2. Objectives for evaluating risk management and internal control:

a) Meeting the strategic objectives of the organization;

b) Reliability and integrity of financial and operational information;

c) Effectiveness and efficiency of operations and operational programs;

d) Protection of assets;

e) Compliance with laws, regulations, policies, procedures and contracts.

3. Objectives pursued during the counseling missions:

a) Evaluating the effectiveness of risk management, control and governance processes;

b) Improving the risk management processes within the organization through a systematic and methodical approach.

The objectives pursued within the internal audit missions can be adapted to the entities that have organized the internal audit activity according to the specific applicable regulations (such as credit institutions, financial institutions, etc.).

Internal audit benefits from:

The objective of the professional rules for the practice of internal audit covers the following aspects:

The structure of professional rules in the field of internal audit is as follows:

Fundamental principles that are included in the Code of ethics of the profession of internal auditor are the following:

The purpose of these standards is to address the following issues:

1) to outline the basic principles that represent the practice of internal audit as it should be;

2) to provide a general framework for realizing and supporting a wide range of internal audit activities that generate added value;

3) to function as a frame of reference on the basis of which the results of the internal audit are evaluated;

4) to stimulate the improvement of the processes and operations of the organization.

In the case of companies, the main objectives of the internal audit are:

- the compliance of the activities of the audited economic agent with the policies, the programs, its management and with the legal provisions;

- evaluation of the adequacy and application of the financial and non-financial controls arranged and performed by the management of the economic agent in order to increase the efficiency of the activity;

- estimating the adequacy of the financial and non-financial data / information intended for the management to know the reality within the economic apparatus;

- protecting the balance sheet and off-balance sheet assets and identifying the methods of preventing fraud and loss of any kind.

In their activity, the internal auditors are subject to the rules of organization, exercise and implementation:

a) rules of organization: refers to the characteristics of the economic agents and the persons who carry out internal audit activities, namely: independence and objectivity; professional competence and responsibility; quality assurance and compliance;

b) rules of exercise: they describe the nature of the internal audit activities and provide quality criteria on the basis of which their execution can be evaluated;

c) implementing rules are elaborated according to the specific types of commitments.

In order for the internal audit activity to be productive, all the principles must be applied in terms of effectiveness, and the failure to use one of these principles can demonstrate that the activity of internal audit was not as effective as it should have been.

Internal audit should have the role of enhancing and protecting organizational value by offering assurance, counseling and deep knowledge based on objective principles based on risk, respectively:

For good risk management, the entity must benefit from an adequate internal control service.

The internal audit and management of the company must form a true symbiosis, since they have the same objectives - the main one being the efficiency of the administration and management of the company.

The most important role of the internal audit is to assist the staff of the audited body in fulfilling its responsibilities, offering the management assurance that the policies, procedures and controls carried out in order to avoid human errors and to combat frauds or wrong actions, act effectively.

The internal auditor has the role of objectively assessing the internal control system, making a professional analysis of it and giving reasonable assurances regarding its proper functioning. The assurance given by the auditor is the basis of the governance of the company.

Schematically, the audit mission can be presented as follows:

The document based on which the office, the service or the internal audit department is born is the Audit Card, which mainly fulfills the function of presentation and knowledge for the other compartments of the entity. This document is approved by the Board of the entity.

Internal audit engagements are commonly accepted as being part of a pre-established schedule, with many goals.

The main purpose of the audit plan is the inherent risks of the business, both internal and external. It includes both the objectives to be reached and their deadlines. The ultimate aim is to put the performance of the company on an upward trend, without risks or with acceptable risks. In this respect, the provisions of “International Standards for Professional Practice of Internal Audit” are applicable.

The audit plan is compulsory, as stipulated by the Operating Norm 2010 - Planning, respectively: “The audit leader must establish a risk-based plan to determine the priorities of the internal audit activity, which is in line with the organization's objectives”. The most important features of the plan are:

- the exhaustive content, that is to say, it must include all the topics, functions, processes, and auditable services that will be audited at a given time.

- multiannual planning and global risk analysis to meet multi-year planning (three to five years).

The periodicity at which the audit is performed depends on the degree of risk, high or low, of the auditable object. Thus, some processes or services may be subject to the annual audit, while others may be audited every two or three years.

In order to be able to establish this periodicity, it is necessary that the internal audit has all the tools and techniques that can give it the possibility to form and issue an opinion, using its professional reasoning regarding the risk level of that area.

The method used to measure risk will be simple and easy to apply.

An important and compulsory document at the same time - according to the Operating Norm number 2040 - is the Internal Audit Manual, which will be used by the entity and will show how the organization and rules exist within the internal audit department.

The internal audit manual will include, at the same time, the assignment of tasks, the areas for each mention, the working hours, provisions regarding the auditors' travels, the payment of expenses incurred, etc.

All internal audit missions will end with the preparation of an audit file, the content of which will consist of the most important working documents.

There will be two types of documents in the audit files:

- some that have a descriptive character: analysis of positions, organizational charts, risk tables, charts of reports, circuit of documents, etc.

- some with explanatory character: worksheets such as interviews, questionnaires, comparative tables, adjustment sheets, determination of test results, etc.

The two types of documents will be filed / presented in a certain order, the internal audit having defined an ordering norm, specific to each entity.

The internal audit mission is finalized by an audit report, addressed to the governance of the respective entity. It contains in detail the recommendations of the internal auditors regarding the findings made and which are presented during the closing session.

Internal Control

The activity of internal control represents the most important attribute of the management of the company, by which it is aware of the course of events, processes and actions carried out within the company.

Or, in other words, internal control is “a function of the management that ensures the knowledge and improvement of the way of management of the patrimony and of orientation, organization and development of the activity of production, distribution, commercialization, promotion etc.”

The knowledge by the interested factors of the way of conducting economic activities under conditions of legality and free initiative is a requirement of the modern management of the enterprise.

Regarding the internal control, we can mention that it can take several forms, depending on what it reflects with priority from the economic-social activity, respectively we have:

Internal control is a means of preventing illicit facts and situations, identifying shortcomings and deficiencies and establishing the measures needed to restore legality and compliance.

The object of the control is to find solutions, to resolve the errors, the deviations from the laws and the specific norms (including internal ones) and the shortcomings and deficiencies found, whether of an economic, technical or other nature, and to avoid them in the future.

Through the internal control function, the entity management assesses the extent to which it has achieved its objectives, ascertains the deviations from them, analyzes the causes that determined the deviations and arranges the corrective measures that are required.

Specifically, the manager establishes for each group of activities a series of functions, programs or forms of internal control meant to limit and maintain the associated risks within the limits of the risk appetite accepted by the entity.

These forms of exercise of control may be:

Internal control activities must be correlated with the specific risks that are constantly evolving and that are specific to each entity, according to its object of activity.

The emphasis should be placed on the control activities with a preventive character, in order to be able to ensure the correct functioning of the system and to prevent the occurrence of deviations due to error or fraud.

Internal control, as well as internal audit, can operate at the maximum parameters only if they have all the necessary support from the governance of the entity, without any restrictions or limitations of action.

In these conditions, the internal audit mission can be carried out normally, the collected audit evidence can be analyzed properly, and the audit reports prepared according to the applicable standards and norms will be conclusive and useful.

In order to exercise the established attributions, the internal auditor must benefit appropriately, cumulatively:


What is the risk?

The risk represents the possibility of an event that affects the achievement of the objectives. It is measured in terms of impact and probability.

The impact represents what will actually happen in an entity if the risk materializes. It may be financial, material losses, loss of customer confidence in the quality of products / services, etc.

Probability is the possibility that a risk may occur. Some risks are obviously more likely than others.

Within an entity there are several categories of risks, of which we note:

- operational risks;

- financial risks.

The analysis of these risks is an important element of the internal audit process, being done during the planning period of the annual audit activity, for the elaboration of the audit plan and during the preparation of the internal public audit mission, in order to elaborate the audit program of the mission. The risk is measured according to the consequences generated and the probability of occurrence.

In order to assess the vulnerability of the entity, the internal auditors consider the multitude of factors that relate to the auditable sector.

The risk analysis is done when preparing the audit mission and the mission program, and involves going through some stages, such as:

The activities carried out by the entities may be subject to various risks. The governance of the company is responsible for identifying these risks and for removing them by introducing a set of internal controls.

The main objective of the internal audit activity is the assessment and optimization of risk management, internal controls and governance. For this purpose, the existence of appropriate, sufficient and adequate procedures for risk management is analyzed and evaluated. To this end, the internal auditor supports the management of the entity by identifying deficiencies and by the recommendations it makes for correcting or removing them.

Operational Risk

Operational risk is the risk of recording direct or indirect financial losses as a result of:

Operational risk is defined as “the risk of loss generated by inadequate or failed internal processes, persons and systems or generated by external events” - Basel Committee

In order to manage the operational risk, the entities must have policies regarding the management of the operational risk and take into account at least the following types of events producing the operational risk:

a) internal fraud;

b) external fraud;

c) the conditions related to the hiring of personnel and the safety of the workplace;

d) bad practices related to clientele, products and activities;

e) endangering tangible assets;

f) the treatment applied to the clients and the commercial counterparties, as well as the faulty processing of the data related to them.

operational = the risk of recording direct financial losses

Financial Risk

The financial risk characterizes the variability of the net profit, under the influence of the financial structure of the company. Borrowed capital, by its size and by the systematic support of some related financial expenses (interest, commissions), entails a variability of the net profit and an increase of the financial risk. The financial risk is determined by the financing policy of the company, through equity or loans, which forms the entity's capital.

Equity does not involve any expense, while borrowed capital implies the existence of financial costs, in the form of interest.

The indebtedness, by the level of the expenses that it supposes, leads to the existence of financial risks with influences in the results of the entity.

These risks are based on the level of turnover, which must be large enough to cover the expenses generated. Let us not forget that the more the entity borrows, the more risk is generated; in other words, the higher the degree of indebtedness, the higher the level of activity the entity needs to cover the total expenses and, implicitly, the higher the financial risk will be.

In order to prevent the consequences that may appear as a result of the existing financial risk, the entities must calculate with objectivity and ensure a profitability threshold, structured as a confidence interval and not as an indicator with an anti-calculation value.

Among the biggest risks, if not the biggest one, an entity may face, is the RISK OF FRAUD. Regardless of whether it is an external fraud or an internal fraud, the risk remains high.

ISA 240 (revised) defines fraud as “an intentional act committed by one or more persons in the management, those charged with governance, employees or third parties, which involves the use of a scam to gain an unfair or illegal advantage.”

We note that fraud can be committed both for the benefit of the entity and to its detriment, both by its own staff and by persons outside it.

Referring to fraud, the specialized studies speak of the percentages 10-80-10 or in free translation:

Example of fraud:

The techniques used by the auditor in investigating fraud are similar to those of any audit mission: obtaining evidence consisting of files, documents, correspondence, recordings on video cameras, etc.

In the investigation of frauds, the auditor can use both personnel of the entity and personnel outside it.

Completion of the investigation will establish which internal controls did not work as they should have, leading to the occurrence of the fraud.

Within the entity there must be its own policies and procedures that establish the responsibilities for fraud detection, prevention and investigation.


1 Hagiu & Moscu Full Expert Finance SRL, Romania, Corresponding author: