Companies required to implement internal audit function but which fail to do so risk fines of up to 100,000 lei

Many Romanian companies are risking fines and other penalties for failing to comply with the legislation on establishing an internal audit function, a requirement that became mandatory beginning with the 2018 financial year, warn consultants from TPA Romania, a leading company in Central and Eastern Europe specialised in auditing, accounting, tax consulting and legal consulting.

Although the legislation requires this function be implemented by companies whose annual financial statements are subject to statutory auditing, many organisation are yet to comply with the law, thereby risking fines of between 50,000 and 100,000 lei.

“An internal audit is a ‘health check’ for an organisation. Internal auditors verify whether everything is working correctly, identify risks and provide solutions for improvements so as  to make the company safer and more efficient. However, there are some companies failing to do this. Some of these, on account of not being informed, are not fully aware of their legal obligations. Another aspect is that of cost, with many firms viewing an internal audit as an expense rather than an investment. Another factor is a lack of specialists or a dedicated structure,” explains Sorana Cernea, Managing Partner at TPA Romania.

Under current legislation, regardless of their area business, companies are obliged to implement an internal audit function if, at balance sheet date, they exceed the limits of two of the following three criteria: total assets of 16 million lei, nett turnover of 32 million lei and average number of employees of 50. In addition, public interest entities, such as credit institutions, insurance companies and companies whose securities are admitted for trading on a regulated market, are also obliged to implement an internal audit function, regardless of whether or not they meet the aforementioned criteria. Failure to meet this obligation will attract fines of between 50,000 and 100,000 lei.

The Authority for the Public Oversight of Statutory Auditing (ASPAAS), which is subordinated to the Ministry of Finance and is able to instigate investigations into whether these legal requirements have been implemented, has requested that starting in 2024 financial auditors include in their annual reports information on companies who have failed to implement an obligatory internal audit function.

“So far, the fines foreseen to be imposed by ASPAAS have been of limited impact. In regulated industries – banking or insurance, for example – the risk of applying fines has resulted in increased compliance, but many companies in other sectors prefer to run the risk of penalties than to implement an internal audit function. This is probably down to the perception that the internal auditor only ‘looks for mistakes’, although really what they are doing is looking for ways to make improvements and providing recommendations for the optimisation of the company’s work processes. A well-structured internal audit protects the company in the long term, and a lack of one can lead to fraud, financial loss, fines and legal problems,” explains Laura Colceriu, Internal Audit Manager at TPA Romania.

TPA Romania’s consultants have identified various non-conformities in small and medium-sized companies, such as a lack of an internal audit structure, insufficient independence of the internal auditors, a superficial or non-existent audit plan, as well as failure to comply with professional standards. The main challenges faced by companies when implementing an internal audit function include the recruitment and retention of certified internal auditors, the integration of the internal audit function into the organisational culture, cost and resistance to change among management and employees.

“There exists the false perception that an audit ‘punishes’, whereas in fact an internal audit supports the company. Employees and managers may perceive an audit as an external control, not a means of support, and therefore be reluctant to allocate a budget to this activity. Non-compliance always costs more than compliance,” explains Sorana Cernea.

What steps should a company take to set up an internal audit function and avoid penalties? Firstly, it should ask whether it needs to conduct an internal audit. Is the company obliged to do so by law? If it is not obliged to do so, it should ask itself whether and how beneficial an internal audit would be in assessing risk management. Then it should look at whether it would be better to employ an internal auditor or to outsource this function to a specialised firm. After that it will need to define the objectives of an internal audit, draw up a multiannual audit plan including the periodic verification and revision of critical processes, and, last but not least, ensure the independence of the auditors, because an internal auditor who reports directly to management may at some point be influenced.

“Internal auditing helps companies identify and reduce risks (fraud, error, inefficient processes), optimising costs and eliminating financial losses. It is also a supporting factor that helps improve the efficiency of processes by identifying areas for optimisation. Similarly, this function ensures compliance with the legal and tax regulations and can help a company avoid certain penalties. What’s more, by providing information and objective and well-documented reports, an internal audit helps improve the strategic decision making process, protect the firm’s reputation by preventing litigation and, last but not least, boost confidence among and investors and partners,” concludes Sorana Cernea.