Procedure

of elaboration of the program of control based on risk as a part of complex control on site in the
banks related to accounting aspects.

1. Main considerations.
1.1. This procedure is aimed on elaboration of a program of control on site based on the
identification and evaluation of the risks implied by an inadequate bookkeeping of economic-
financial operations carried out by the banks, as well as by distorted application of the
normative acts in force.

1.2. Present procedure facilitates the allocation of supervision resources inherent to the
accounting aspects, ensuring rational and efficient use of resources through focusing
attention during the control on site on banks’ operations depending on their risk profile.

2. Identification and evaluation of the risks.

2.1. Identification of the risks is carried out directly during the process of control on site by
the experts of DBFA that have to:
- observe significant and uncertain cases that can generate risks for the bank;
- define implied risks related to bank’s operations/processes, if they exist;
- determine the probability of risk appearance;
- examine whether such risks have been identified during other controls (internal audit,
external audit, or previous controls of NBM), carried out on the bank’s
operations/processes;
- estimate the impact of exposition to risks and to determine the level of awareness of
bank’s management and office workers.

2.2. The evaluation of operations/processes from the perspective of risk implies an active
process of exchange of information and resources between bank officers and responsible
persons from the economic-financial domain of the bank and experts of the Department
Budget, Finance and Accounting during the process of control on site. Risk evaluation is
carried out depending on the operations/processes of the bank.

2.3. The evaluation of operations/processes from the perspective of risk implies the
examination of history of the problem identified by tracing it out during other controls;
analysis and synthesis of the factors that have generated the appearance of the doubtful
aspects (inexistence of internal regulation, inadequate awareness or absence of awareness
related to existent problems); estimation of the impact on activity / financial reports of the
bank subject to control, as well as the category of the risks generated by the identified
deficiency . On systematization of the identified risks, the professional judgments of experts
will prevail on notification of probable impact of the identified risks.

2.4. Main categories of the risks, that are required to be quantified by the experts of the
Department Budget, Finance and Accounting with the aim of elaboration of the program of
control on site are the following:
- financial risk – is identified in case when the possibility of an impact on financial reports
of the bank is notified as a result of an operation/process of the bank’s activity.
- operational risk - is identified in cases when processes of activity are not carried out in
an adequate manner and the objectives of the internal control of the bank inherent to its
operation/processes are not achieved;
 - legal risk - – is identified in case when the non-respecting of the law and normative acts
in force is notified , as well as non-respecting of the contract provisions that cannot be
realized or have not been documented in a correct way.

2.5. The evaluation of operations/processes from the perspective of the risk requires
systematization that will be effected by the experts of the Department Budget, Finance and
Accounting as in accordance with the annex 1.

2.6. The determination of level of the risk is aimed on estimation of weak points, found and
assessed by the experts of the Department Budget, Finance and Accounting, in order to
appreciate the level of the risk inherent to each operation separately. The obtained results will be
systematized by the utilization of the following estimations.

The weight of risk The level of risk Accounting situation

0 Absence of risk good
≥ 20% Low level of risk satisfying
(20% - 50%) Medium level of risk requires improving
≤ 50% High level of risk unsatisfying

2.8. In order to ensure the veracity of quantification of the risk level identified during the process
of control on site related to analyzed operations / processes of activity, the estimated levels of
risk are adjusted by applying the respective coefficients, according to annex 2.

2.9. The control is finalized by the systematization of obtained results, by the notification of the
infringements and/or the errors, found during the complex control of the bank.

3. Systematization of the data with the aim of elaboration of annual program of the control
on site.

3.1. In the end of the year, on the base of results of control carried out in all banks, the
Department Budget, Finance and Accounting, according to data from the internal data base,
determines the individual level (on the bank’s level) and the global level (on the level of banking
system) of the risk, implied in implementation of every operation / process of activity, that have
been subjected to control.

3.2. The individual level of the risk is determined in division for every bank, taking in
consideration the results obtained following the complex control on site. Depending on extension
of individual risk, the periodicity of verification of the respective operation will be estimated in
the following way:
a. in the case when the absence of risk was determined, the respective operation / process
will be subjected to a control once at 4 years;
b. in the case when the low level of risk was determined, the respective operation / process
will be subjected to a control once at 3 years;
c. in the case when the medium level of risk was determined, the respective operation /
process will be subjected to a control once at 2 years;
d. in the case when the high level of risk was determined, the respective operation / process
will be subjected to control annually;

3.3 The evaluation of the global level of risk is carried out on the level of operation/process of
activity and the results of evaluation will imply the following:
a. in case when the concentration of risks for each operation separately is till 50 % in the total of
banks subjected to control – the given operation will be subjected to control over the whole
banking system, at least once at 2 consecutive years;
b. in case when the concentration of risks for every operation separately is more than 50 % in
the total of banks subjected to control – the given operation will be subjected to exhaustive
control annually in all banks.

3.4. In case when the situation described in p.3.3. b) appears, the Department Budget, Finance
and Accounting carries out a detailed research related to factors that have generated the
excessive concentrate of risks, in the view of estimation of the reasons of the appearance of the
respective situation, and, if it is necessary, will initiate the elaboration of the package of
measures that are considered to be necessary.

4. Final provisions.

4.1. Annually before the date of December, 25th the Department Budget, Finance and Accounting
will present for approval by the Vice-president that governs Department Budget, Finance and
Accounting, the Program of control within the complex control on site in authorized banks, for
the following year, that will underlie the elaboration of individual programs of control on site, in
division for each bank.
Subsequently, program of control on site in division for each bank is issued basing on service
note of the Department of Bank Regulation and Supervision, that establishes the period and the
bank subjected to complex control of financial activity and is approved by the Vice-president
that governs the Department Budget, Finance, Accounting.

4.2. Department Budget, Finance, Accounting may, in case of identification of some vulnerable
aspects afferent to the operations / processes during the year, complete the programs of
individual control with additional subjects, that will be subjected to control.

4.3. Provisions of these procedures will be applied upon the implementation of complex controls
on site starting with 01.01.2007.
 Annex 1

Analyses and evaluation of risk depending on banking operations

Indicators Internal External Audit of Impact on Internal Financial Operational Legal Problem
audit Audit NBM financial regulations risk risk risk awareness TOTAL
reports
Operations
10 10 10 20 10 10 10 10 10 -
Operation 1
...................
Operation 2
 Annex nr. 2
I. List of coefficients applied upon the evaluation of normative acts afferent to the regulation of bookkeeping
Coefficients
Nr. Elaboration
Type of activity subjected to control
o/o and Consistency Accordance
approval
Elaboration and approval of Accounting Policy and internal
1 0.6 0.2 0.2
normative acts
2 Use of documents used in the bookkeeping of internal operations 0.3 0.5 0.2
Opening, modification and closing of bank accounts to the holders
3 0.6 0.2 0.2
of accounts
4 System of internal control 0.3 0.4 0.3
II. List of coefficients applied on the evaluation of subprocesses inherent to the operations / processes subjected
to control
Coefficients
Nr. Initiation of Finalization
Type of activity subjected to control Further
o/o the of the
Implemental
operation operation
Operations of purchase/sale of foreign currency and daily
5 0.4 0.4 0.2
reevaluation of balances of foreign exchange accounts

Operations of deposit acceptance, correct registration in accounts

6 0.5 0.2 0.3
of interest-related expenses and implemented control procedures

Operations with material and non-material assets, material goods,

7 their reevaluation, inventorying of patrimony and registration of 0.4 0.2 0.4
accounting entries related to its results
Transactions carried out in/from bank accounts that exceed the
8 0.4 0.3 0.3
amount of 1 mln. Lei
Establishment of provisions related to the stocks, claims and
9 0.3 0.4 0.3
obligations.
10 Operations of rapid transfer of monetary means v0.4 0.3 0.3
Cash operations; operations related to the expedition of cash
11 surpluses; encashment of the cash surpluses and provision of 0.3 0.4 0.3
subsidiaries’ vault
12 Operations with securities; sale/purchase REPO agreements 0.4 0.3 0.3
13 Operations related to financial leasing 0.4 0.3 0.3
14 Operations related to operational leasing 0.4 0.3 0.3
Operations of loans extension, operations related to taking under
15 0.3 0.4 0.3
possession and realization of the pledge
16 Operations with bank cards 0.4 0.3 0.3
Operations related to establishment, increasing and reduction of
17 0.4 0.3 0.3
statutory capital and implemented control procedures
Operations related to the remuneration of bank’s personnel and
18 other temporarily employed persons and procedures of 0.4 0.3 0.3
implemented control
Operations related to the bookkeeping of assets and liabilities in
19 0.4 0.3 0.3
off-balance sheet accounts
Verification of the correctness of drawing up and issue of excerpt
20 0.4 0.2 0.4
from account
21 Operations related to distribution of non-distributed profit 0.4 0.3 0.3
Operations related to the payment of dividends including those that
22 0.3 0.3 0.4
are paid in advance
Operations related to the bookkeeping of warranties and
23 0.4 0.2 0.4
assignments issued by the bank
Operations related to obtained loans, including those through
24 0.4 0.2 0.4
credit line
 Operations related to determination of the net income, calculation
25 0.4 0.2 0.4
and payment of the income tax
26 Operations with LVSTO 0.4 0.2 0.4