INTERNAL AUDIT-ACTUALITIES AND CHALLENGES

Internal auditing plays an important part in the management of corporations, but it has also proved necessary in the more general framework of public interest entities, especially listed entities, given the importance of their activity in society. The different activities that internal auditors perform lead to the creation of added value in the entity in which they operate. In Romania, this activity is relatively recent and it involves certain organising and exercising particularities. The internal auditor profession has globally faced the same challenges all the other professions face in regards to the digitalization of the economy.


Introduction
In Romania, internal auditing appeared 20 years ago and it is still in a process of assimilation and transition. It could not have been otherwise, because the internal audit profession developed after the Second World War, along with the development of the management, at a time in which in Romania such a thing could not have existed. The Institute of Internal Auditors (IIA), the first professional body of internal auditors, was established in 1941 in Florida, USA, when the construction of modern internal audit is considered to have begun. The roots of this profession are found in the activity of verifying the quality of cereals offered on the market, but its real growth has occurred along with the development of corporations and their need for controls in large geographical areas and whithin thousands of employees. In 1941, Victor Brink published the first major book on internal auditing, based on his doctoral studies. In the same year, John Thurston, internal auditor of the North American Company in New York, together with Robert Milne (his former colleague in the internal audit subcommittee of the association between the Edison Electric Institute and the American Gas Association) got in touch with Brink and created the nucleus and the organizing committee that contacted a small group of internal audit practitioners. They formed together the basis for the establishment of this professional body in America. This is one of the many examples of a professional body that was set up through the free initiative of those who practiced the internal audit activity and wanted to have a forum to represent their interests.
In 1941, the year of its establishment, there were only 24 members. After the first year of activity, there were already 104 members. It reached 3700 members in 1957, of which 20% were from outside the USA, thus the institute acquired international value. Today, The Institute of Internal Auditors has over 200,000 members worldwide. In 2004 it was established the Romanian Association of Internal Auditors (AAIR), which in 2007 was recognized by The Institute of Internal Auditors (IIA).

Current coordinates of the internal audit
Today, internal auditing is perceived at the same time as as a function of an entity, as an activity or as a professional mission. According to the institute's definition, the internal audit activity refers to a department, team of consultants or other practitioners that provide independent, objective assurance and consulting services designed to add value and improve an organization's operations. Internal auditing work helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.  According to the professional doctrine, in an entity there are three lines of defense in the activity of risk management and control. Various risks and inefficient control areas can be seen in all entities; their coordinates are constantly and rapidly changing, so these issues must be covered by more activities and more specialists whithin the entity. (IIA, 2020) The first line of defense is at the level of operational management. Managers at this level are responsible for the operational activity of the entity, for risk management and for the implementation of corrective actions for deficiencies in processes and controls. Operational management maintains an effective internal control and conducts risk and control procedures on an ongoing basis. The second line of defense consists of risk management and compliance functions. This line generally includes the following: a risk management function, which assists and monitors the implementation of effective practices by the operational management and assists in defining risk exposure as well as the existence of a risk reporting system throughout entity; a compliance function, which monitors various specific risks, such as non-compliance with the legislation and a control function that monitors financial risks and financial reporting. Internal audit is the third line of defense. Internal auditors provide the senior management of an entity with comprehensive and detailed assurance based on the highest level of independence and objectivity within the entity. The high level of independence does not apply in the second line of defense. Internal auditing provides assurance on the effectiveness of governance, risk management and internal control, including how the first and second lines of defense achieve risk management and control objectives. The entity's board of directors is responsible for organizing the internal audit activity. This activity emerged and developed as a necessity because managers needed their own tool for direct and independent information. Globally, the attitudes towards internal auditing are different, depending on many factors. International, regional or state organizations have gradually established, for certain categories of entities, the obligation to organize internal auditing. Generally, the most concise definition of internal auditing is that it adds value to the entity. Let's see what is the meaning behind this definition. The responsibilities of the internal audit depend on its structure and resources. Internal auditors provide an inside look at the entity's strategic risks and advise the board of directors based on their expertise, knowledge of controls and overall perspective on the entity.
It is not the responsibility of internal auditors to identify and assess the entity's risks, but they do assess the significant risks to validate the procedures by which the entity's management identifies and responds to risks. At the same time, internal auditors evaluate the controls that take place in the entity. The control system is organized at the level of the executive management and it reports to it. The auditors evaluate the efficiency and effectiveness of the internal control system and assure both the executive management and the board of directors that this control is adequate to respond to the risks affecting the organization. Internal auditors also ensure the correctness of the financial statements. They make sure that the information meets the quality requirements of the financial information. Internal auditors know in detail the objectives of the entity, so they can validate whether the operations, in their entirety, are efficienct and effective. Internal auditors are accredited professionals, so they accept and apply the provisions of the Code of Ethics in which the key references are principles such as integrity, objectivity, confidentiality and competence. They promote ethics and reveal incorrect or illegal behavior. Internal auditors also review the entity's processes and procedures closely and assess whether the way they are organized helps the entity achieve its goals. An equally important activity of internal auditors is to assess how the entity complies with the applicable legal provisions, regulations and contractual provisions; they ensure that the entity's management properly addresses these factors. All cases of noncompliance are reported to the board of directors, together with an estimation of the impact that these non-compliances have on the entity. Entities own tangible property, human resources and intellectual property. These types of property are evaluated and measures are taken against any form of depreciation. Internal auditors assess whether all measures to protect against depreciations such as theft, disasters, illegal activities or other forms of loss are appropriate. They report any deficiencies to the administration and make recommendations. Fraud is one of the increasing dangers that is constantly present and that affects all the structures of the entity. It is highly important that internal auditors have access to all information about the entity and have the authority to investigate all matters they deem necessary. At the end of their assignments, internal auditors report their findings and make recommendations on the measures that need to be taken to correct the deficiencies.
Internal auditors are part of a well-established profession in terms of the skills and competencies that they constantly develop through a continuing training programme for professional development . In order to effectively fulfill their role, internal auditors must anticipate the problems that the entity will face and the need to come up with solutions for them. They must also have a flair for business, think critically and be good communicators, listen carefully, speak intelligently and write clearly. Given their diverse role and responsibilities, internal auditors add significant value to the entity. They are the eyes and ears of the board of directors. They are also mediators and stakeholder representatives inside and outside the entity, experts in risk and control, efficiency specialists in emergency checks and troubleshooting.

Internal auditing in Romania
The basic reference can be found in Law no. 31/1990 on Companies in it's up to date form, which in Section IV on "Financial Audit, Internal Audit and Auditors"provides the following: Art. 160 (2)Companies whose annual financial statements are subject to financial audit, according to the law or to the shareholders' decision, shall organise the internal audit according to the norms issued by the Romanian Chamber of Financial Auditors.

Art. 163 (2)(...)The method and procedure of reporting of the internal auditors shall be established according to the rules elaborated by the Romanian Chamber of Financial Auditors.
(5) The censors or, as applicable, the internal auditors shall notify the members of the board of directors on the irregularities in administration and the infringements of the legal provisions and of the constitutive act; the more important cases shall be brought to the knowledge of the general meeting. Art. 164 1 (3) In case of companies where internal auditors were appointed, according to the law, any shareholder shall be entitled to report on the facts which they deem as requiring verification. The internal auditors shall take them into account in drawing up the report to the board of directors, or to the supervisory board, respectively. In case the complaint is made by the shareholders representing, individually or together, at least 5% of the share capital or a lower quota, if provided by the constitutive act, the internal auditors shall be bound to check the facts complained about, and in case they are confirmed, they shall be written down in a report that shall be communicated to the board of directors, or to the supervisory board, respectively, and made available to the general meeting; in this case, the board of directors or the supervisory board, respectively, shall be bound to convene the general meeting.
Having the above legal provisions as reference, we present the following two findings that we consider necessary. First of all, the Romanian legislature established that the financial auditors are in charge of the internal audit activity. Financial auditors are members of the Romanian Chamber of Financial Auditors which is responsible for the elaboration of norms regarding the organization of the internal auditors' activity and their reporting method. Secondly, by assimilating tasks that are usually the responsibility of the auditors, the legislator has established responsibilities for internal auditors that go beyond the standardized professional framework.

Art. 23
Those responsible for organizing the internal audit activity, coordinating the works / commitments and signing the internal audit reports must have the quality of financial auditor. As a result of these legal responsibilities, the Romanian Chamber of Financial Auditors adopted by Decision no. 111/2017, the obligatory norms from the International Professional Practices Framework, 2017 edition, issued by the International Institute of Internal Auditors (IIA) and translated into Romanian by the Romanian Association of Internal Auditors (AAIR), which include: Fundamental principles for the professional practice of internal auditing; Definition of the internal audit; Code of ethics; International standards for the professional practice of internal audit. Also, in 2019, the Chamber published the second edition of the Guide on implementation of international internal auditing standards, developed together with the Romanian Association of Internal Auditors, a useful guide for financial auditors who perform internal audit missions.

Perspectives over internal auditing in the digital era
The process of continuous digitization of the economy presents both challenges and opportunities for internal auditing and for the audit profession in general, especially in big data analysis (Alles, 2015;Constantiou & Kallinikos, 2015;Syed, Gillela & Venugopal, 2013), artificial intelligence (AI ) (Nowak, Lukowicz, & Horodecki, 2018) and blockchain technology (White, 2017). For the internal audit to work to the maximum benefit of companies, it must adapt to changes affecting modern business and be prepared to use digital technology. The development of technology leads to innovation in all sectors. The internet of Things, blockchains, wireless devices, big data are innovative approaches based on new technologies that lead to new risks. With the development of new technologies, companies are exposed to new risks, and risk management specialists should help companies to ensure the effectiveness of control processes and procedures, without slowing down the pace of innovation development. Advanced technologies require fundamental changes in the audit methodology. Blockchain technology is a decentralized database that chronologically stores information about transactions of any kind (Dai & Vasarhelyi, 2017;). The database is available to each member of the network, called a node, which holds an identical copy and validates each new transaction, called a block. Through this need for decentralized validation, subsequent unilateral changes to the database are supposed to be impossible, so the blockchain is mainly considered an anti-fraud method (Cai & Zhu, 2016), even if successful hacks have already existed in the past. Because everyone can read the database, the process is also transparent. The complex algorithms underlying blockchain technology and the adaptive nature of artificial intelligence can bring significant benefits through a fundamental restructuring of business processes, but these technologies also create an environment in which securing guarantees should become an integral part of transaction processing. Moreover, the lack of standardization in such areas leads to a divergence of principles and recommendations. In order to adapt to the new conditions, the internal audit needs to review its methodology, focusing on a more operational, continuous or real-time type of audit. Companies need to invest more in training, resources, tools and standardization. The audit area is undergoing major changes under the influence of the digitalization of all business processes. Blockchain technology is likely to revolutionize the field of auditing when it gains critical mass and becomes a common tool for accounting and analysis. A key feature of this technology is a more transparent way of reflecting transactions, which will allow auditing routine operations in real time by default, as well as obtaining a more complete picture of all transactions and identifying unfair actions. Blockchain is a technology that, under certain conditions, improves transparency and trust. Like any other automation tool, it could free financial managers from a range of routine, time-consuming tasks and allow them to focus on more strategic and creative tasks so they can find new ways to add value to the business. However, the accounting of operations is not necessarily a reliable reflection of the financial position and operational activities of a company. Firstly, the object of any accounting system is data, and if it is initially insecure, the blockchain will not solve this problem. Human touch in the interpretation of data and operation models will continue to be required. The introduction of technology in internal audit missions, as well as the need to analyze a large volume of data, have transformed the profession of an internal auditor. Technology and data analysis is still not widely used; there is significant room for development in order to benefit from everything that these innovations offer (KPMG, 2019). With the reduction of data storage costs, the volume of data has increased exponentially in recent decades (Breur, 2016). Similarly, the speed of data generation has increased rapidly. Data generated from various sources, for various purposes and without a consistent form, can include numbers, text, images, audio, videos and many other types of information. Therefore, big data is stored in an unstructured way. This is especially true for socializing data (Warren, Moffitt & Byrnes, 2015). Big data analysis is a new processing model that makes sense of massive, fast and unstructured data and their transformation into valuable knowledge (Constantiou & Kallinikos, 2015). More than a simple technological trend, it can be said that the big data era paves the way for new ways of understanding the world and business decision-making (ISACA, 2013). From a technical point of view, big data refers to data sets whose size, diversity of format and speed of generation exceed the processing capacities of traditional IT infrastructures (IIA, 2013), which is a challenge that must be overcome. The main objective of Big Data Analytics is to contribute to better decision making by companies (ISACA, 2013). By transferring this concept in the context of supervision, it can be said that the application of the same statistical methods and analytical techniques to audit activities -which some authors call Audit Analytics -aims to transpose so that auditors can make a better decision about the audited entities. To be more specific, it becomes possible to understand and quantify risks, test controls and evaluate business processes in a fast and efficient way (PWC, 2013). With the emergence of big data, the main challenge for internal auditing will be the iresult interpretation. Krahel and Titera (2015) argue that digital auditing is considered to be less intrusive by both auditors and audited companies. Big data analysis can improve the relevance of auditor functions tin terms of data collection and reconciliation. In the same line of thinking, Lombardi et. al (2014Lombardi et. al ( , 2015 concludes that digitalization is changing the audit landscape and will revolutionize the way audit is conducted. Moreover, Dinesh and Juvanna (2017) emphasize that companies need to consider cybersecurity risks by using software in order to ensure corporate security and privacy and to minimize risks. According to Porter and Heppelmann (2014), competition and increasing pressure to provide their clients with relevant and reliable information are the main factors that determine audit firms to digitize their processes. In order to remain competitive, audit firms must evolve their business models and service offerings by purchasing innovative technologies to propose digital solutions (Van Den Broek & Van Veenstra, 2018). New technologies are changing the way auditing is conducted by eliminating repetitive tasks. They allow auditors to save a huge amount of time when performing certain procedures (Manita, Elommal, Baudierc & Hikkerova, 2020). Internal auditing can make use of new technologies for auditing by extracting data automatically, easily and analyzing it through algorithms. In addition, digitization significantly reduces audit costs by developing real-time dashboards that can be supported by audit firms to better monitor audit quality. These tools can alert companies in real time if problems are detected. Artificial intelligence, robotics and analytics now offer the possibility of significant progress in terms of audit quality. Internal auditing will only be able to meet these expectations if it starts to make use of innovative technologies in its activities. Auditors should use flexible methodologies to respond to new risks and technologies, in order to monitor the skills and tools needed to achieve more substantial results. Thus, in order to respond to the new challenges, KPMG has established a series of directionsthat highlight the areas on which internal auditing should focus so that it can effectively add value throughout the organization and maximize its influence on the company (Table 1 ). -encouraging the use of data and data analysis to help assess the constantly developing risk environment Cybersecurity -avoiding the costly consequences of data breaches, such as investigations, legal fines, covering customer losses, remedial efforts, loss of time and focus of the executives and the rest of the workers, and potential loss of customers and business; -avoiding reputational damage to the organization, especially with regard to lost customer data; -evaluating the implementation of the revised security models of the technology, such as multi-layered defenses, improved detection methods and encryption of data leaving the network; -reviewing the organization's IT security assessment, processes and controls for the protection of intellectual property, the use of industry standards guidelines and recommendations for improvements;

Emerging technologies
-planning the adoption and implementation of cloud storage systems as an alternative to traditional computing methods; -assessing of the use of existing and emerging technological systems of the system in relation to industry standards; -taking into account the governance and controls needed for the digital workforce and related initiatives.

Data analysis and continuous auditing
-continuous risk management in real time; -increasing the overall efficiency of audits (frequency, field, etc.); -taking a "deeper dive" into key risk areas by analyzing key data; -facilitating the early detection of possible frauds, errors and abuses; -using the advantages of singleplatform ERP systems -assistance in the creation of automatic extraction, transformation and loading (ETL) processes, together with the analyses and dashboards generated by the system, monitored by the company according to the specified risk criteria; -evaluating the conformity of the strategic objectives and the company's objectives with the risk management practices; monitoring and prioritizing strategic objectives and risks on an ongoing basis; -the use of data analysis has activated audit programs designed to verify the analysis of basic data and to report risks at the enterprise level; -implementation of automated audit focused on the analysis of root causes and on the managements' responses to risks, including business anomalies and triggering events; Source: Elaboration after KPMG internal audit (2017) The use of innovations in the audit mission will increase operational efficiency, cost efficiency, control and information quality. These innovations will represent the basis of the decisions made by professionals, reducing the number of errors. Data integration and data analysis within compatible technologies, as well as audit tools and techniques at all stages of the audit mission (risk assessment, planning, execution and reporting), add value to the company's internal processes and reduce risks (KPMG, 2019).

Conclusions
Internal auditing is in a continuous process of assimilation and adaptation to the current reporting requirements. It represents an important resource and it offers the company an integrated picture of the risk profile. It anticipates new and emerging risks, and helps critical risks to be managed effectively. The internal audit must be able to quickly assess the impact of the digitization process and master each new innovative solution to understand how it will affect the company's risk profile. Administration boards want to be aware of the risks associated with new technologies and the methods available to manage those risks. The internal audit is expected consultations on the use of new technologies by companies and recommendations which will contribute to increasing the level of technological innovations within the company.