Law 162/2017 of 06 July 2017 sets out penalties for failure to comply with internal audit and audit committee requirements, namely for:
- Failure to organize and perform the internal audit activity by entities whose financial statements are subject to statutory audit;
- Lack of an audit committee within public-interest entities.
Law 162/2017 implements in the national law some European Union requirements enacted by Directive 2014/56/CE and the European Regulation no. 537/2014.
Article 65 of Law 162/2017 on the statutory audit of annual financial statements and consolidated annual statements provides the following:
(1) Each public-interest entity shall have an audit committee, according to the law.
(7) The entities whose annual financial statements are subject to statutory audits shall organize and ensure the accomplishment of internal audit activities in accordance with the legal framework.
The administrative liability is treated in Article 44:
(1) The following are misdemeanor offences:
b) non-compliance by the audited entities with art. 62 (2) and art. 65 (1) and (7);
(2) The misdemeanor offences under (1) shall be subject to the following:
b) as provided under (b), with a fine from 50,000 lei to 100,000 lei.
The organization and performance of internal audit
All entities which fulfil the requirements for statutory auditing of financial statements are subject to Article 65 of Law 162/2017 and, according to point (7), have an obligation to organize and perform the internal audit activity.
According to the Mandatory rules adopted by the Chamber of Financial Auditors of Romania, internal audit is defined as follows:
- „is an independent and objective activity which provides an entity with assurance as to the degree of control on its operations, guides that entity in order to improve its operations and provides added value”
- „helps this organization to reach its objectives by systematically and methodically assessing its risk management, control and governance processes and by submitting proposals to enhance their effectiveness”
The legal framework on the organizing of internal audit activities is established by the Decision no. 56 of 13 November 2015 approving the Guidelines on the implementation of internal audit international standards.
Thus, according to the Guidelines, the internal audit structure can be organized as a separate department operating within the company, or can be outsourced (entirely or in part). Moreover, these Guidelines set out the implementation requirements of the Mandatory Rules from the International Framework of Professional Practice issued by the Global Institute of Internal Auditors
Moreover, the Decision of the CAFR Council no. 111 of 06 December 2017 adopted the Mandatory Rules from the International Framework of internal audit professional practice, 2017 edition (IPPF 2017), issued by the Institute of Internal Auditors (Global II).
„The mandatory rules provide the legal framework of internal audit activity and shall entirely apply to internal audit missions other than internal audit for public sector, coordinated by financial auditors, members of the Chamber of Financial auditors of Romania who are active financial auditors.”
According to GED 75/1999, article 23, the persons responsible with organizing the internal audit activity, coordinating the engagements and signing the internal audit reports must be active financial auditors.
As far as the public interest institutions are concerned, they are defined both under Law 162/2017 and Law no. 82/1991 (Accounting Law).
Thus, they have an obligation under Law 162/2017 to set up an audit committee whose members, features and tasks are described under Article 65.