What is an internal audit and its value to a company?

People first associate the word "audit" with balance sheets and income statements, in other words, a financial audit. It's much less common for them to think of an internal audit, the content and nature of which is completely different from a financial audit. As an internal auditor, I have often had to explain what an internal auditor is and does, and why and who needs internal auditors like me in the first place.

According to the definition, an internal audit is an activity/operation that adds assurance and value to a company, the content and scope of which varies due to the nature and field of activity of each individual company. There are areas where an internal audit is mandatory, but regardless of this, for many companies, internal audit is primarily an internal tool, with which it is possible to identify risks and bottlenecks related to the company's activities and, by being aware of them, to improve the company's internal processes. The internal auditor is independent of the other work of the organization, which is why the internal audit often exposes hitherto unnoticed weaknesses in the company's operations and offers options for solutions based on best practices and the auditor's experience.

What is the difference between internal audit and financial audit?

Unlike a financial audit, a company's executive orders the internal audit for the sake of the company's performance, and the result of the audit is for the organization's internal use. As a result of the internal audit, an action plan is prepared, to make some processes at the company more efficient and/or more customer-friendly. In addition, there is no fixed time frame or mandatory period for conducting an internal audit; it is done at a time convenient for the company.

A financial audit mainly involves numbers and financial indicators, while the main tools of the internal auditor are laws, internal procedure rules and the like. The subjects of internal audits are not tied to specific frameworks, and internal audits do not usually extend to financial statements, balance sheets and such. The types of checks are different for almost every audit. Another distinction is that internal auditors must be creative in their work, because each internal audit analyses a different process or field in the company.

What might an internal audit be ordered for?

To illustrate the varied nature of internal audits, here's some sample internal audit contracts that have crossed our team’s desk. Due to Grant Thornton Baltic's long-term experience and the topics that are currently salient, the range of our audits is extremely wide. For example, in light of the latest changes to legislation, we have conducted internal audits of Virtual Asset Service Providers, these being companies that offer wallet and exchange services for various cryptocurrencies. Our audits for crypto companies are mainly in the field of anti-money laundering (AML) and combating the financing of terrorism (CFT). Another type of audit that is common for us is the creditworthiness assessment audit, which we do for financial sector credit companies. I will explain in a little more detail what the purpose of these audits is.

• The creditworthiness assessment audit checks whether the credit provider has followed the principle of responsible lending to consumers. We check whether, before granting loans to customers, the credit provider has done proper verification and taken into account the customer's financial behaviour, income, consumption habits, the amount of already existing loans and financial obligations, and the repayment of existing loan. We also check whether the company's internal rules in this field are in line with the Creditors and Intermediaries Act and the guidelines and good practices of supervisory authorities.
• We have also conducted AML/CFT audits mainly for companies operating in the financial sector. During the audit, we assess the compliance of the company's internal anti-money laundering regulations with the Money Laundering and Terrorist Financing Prevention Act and the guidelines of supervisory authorities, namely the Financial Intelligence Unit and the Financial Supervision and Resolution Authority. In addition, we analyse whether the internal rules established in the company are implemented in practice. To do this, we compile a sample of the company's customers and analyse the fulfilment of due diligence measures.

While these two topics of internal audit come up very frequently and are required especially for companies in the financial sector, we naturally also conduct internal audits of organizations operating in other fields. Examples of processes we analyse and verify:

• whether all operations related to the organization's construction activities are properly documented and archived;
• whether the process of insuring the loan collateral works efficiently and whether information about insuring the collateral is easy to find and manage;
• whether the expectations of the top management have been met in the management of the units (as a result of the analysis, we identified the main problem areas in the organization of managerial work and made suggestions for improvement);
• whether an organization should use training impact evaluation systems and methodology, and if so, what kind. We also advised an organization on developing a training impact assessment system: to do this, we analysed the current and desired situation and recommended the most suitable impact assessment model;
• risks associated with financial payments related to the organization's processes;
• the effectiveness of the organization of a procurement system and compliance with procurement procedures in practice;
• whether public procurements have been organized in compliance with law – among other things, we assessed whether the conclusion and amendment of related contracts complied with legislation;
• traffic insurance claim process. We made suggestions for raising the efficacy of the process;
• whether the established internal rules regarding the protections and custody of customer assets correspond to the current regulations. We also evaluated whether the procedures described in the internal procedure rules were being followed;
• whether the management and oversight system at an institution responsible for the implementation of foreign aid is effective. The focus of the audit was on sufficient description and segregation of duties.

For a company executive, the efficient functioning and success of the organization is key. However, behind an effective and efficient company is the awareness of the company's risks and opportunities and the effective management of these risks and opportunities, in which the internal auditor plays a major role. As can be seen from the aforementioned internal audit practices, the independent perspective an internal auditor brings is beneficial in any field. In short, an internal audit is a company's secret weapon, yielding an objective assessment of the efficiency of the company's operation, raising awareness of the operating risks and thereby further improving operations.