Internal audit

Frequently asked questions for internal auditors

Kai Paalberg
insight featured image

In their work, internal auditors often come across a situation where clients want to have an internal audit done in their organization, but since they have no previous contact with an internal audit service, they have a number of questions.

Here, I highlight the main questions we were asked and the answers given to them, so that you can get an initial overview of what an internal audit is, how we conduct it, and what happens to the results of the internal auditor's work.

1. What is the scope and purpose of internal auditing? 

The scope of internal auditing varies depending on the organization’s needs, but generally includes evaluating the effectiveness of internal controls, risk management, and governance. The purpose is to provide independent assurance that the organization’s risk management, governance, and internal control processes are functioning effectively.

2. If there is a desire to permanently engage internal audit services, how are the audit topics determined, and how is the internal auditor’s work plan developed? 

The internal auditor focuses on higher-risk areas and topics within the organization. The work plan, including audit topics, is based on the results of risk assessments within the organization. Input from the highest governing body (such as the board) and management is also essential. The work plan includes both assurance engagements (audits) and advisory work.

3. Is a long-term cooperation agreement necessary for ordering internal audit services? 

No, it is not necessary. Internal audit services can be ordered for specific audits or advisory work without a long-term contract.

4. How do you ensure independence and impartiality when conducting audits? 

Internal auditors must act in the organization’s best interest, maintaining independence and impartiality to ensure effective and reliable internal audits. If the internal auditor is an employee of the organization, they typically report to the highest level (e.g., the board). This ensures that their work is not influenced by conflicts of interest or reporting relationships. When the internal auditor is an external service provider, independence is ensured through a contractual agreement. 

Impartiality means that internal auditors should not audit their own work or be directly involved in the process being audited. External service providers further enhance impartiality by not participating in the organization’s day-to-day operations.

5. What is the audit process from start to finish?

The audit begins with the planning phase, where the auditor collaborates with the organization to clarify the area(s) to be audited, the audit scope and objectives, collects initial information about the audited area, and develops an audit program. The program includes planned audit procedures and an indicative schedule.

The next stage is the audit execution, during which the auditor gathers and analyzes various documents and data related to the area, conducts interviews with organization employees, and performs various tests and controls.

Based on the audit procedures, the auditor compiles a report describing findings and conclusions, along with recommendations for improving or enhancing the audited process or area.

Over time, the internal auditor monitors the implementation of the organization’s action plan based on the audit recommendations to ensure their adoption.

6. What do internal auditors typically look for during audits, and what areas do they focus on?

Internal auditors primarily focus on identifying problem areas related to the organization’s internal policies, such as non-compliance with regulations. They also assess whether employees actually follow internal procedures, ensuring alignment with documented processes. Additionally, internal auditors seek to identify process inefficiencies, inaccuracies in information and reports, and opportunities for improvement in management practices. In advisory work, their focus can vary widely, including risk management consultation, employee surveys, and identifying best practices.

7. How are audit findings reported and to whom? 

Audit findings are typically reported in an audit report, which includes the auditor’s overall conclusion regarding compliance with established audit objectives, detailed descriptions of identified findings, and recommendations for improving the situation. The referenced report is initially presented to the responsible individuals within the audited area for their comments. In these comments, they can indicate whether they agree with the audit findings and specify the improvement actions and their planned implementation timeline. The comments provided by responsible individuals are then included in the final report, which is usually submitted to management and the audit committee or board.

8. What happens if a significant issue requiring immediate improvement is identified during the audit? 

If a critical issue that requires immediate action to prevent potential harm is discovered, it is promptly communicated to management and, if applicable, the audit committee. The auditor collaborates with management to identify the root causes of the problem and recommend corrective measures.

9. How can internal audit add value to our organization?

Internal audit adds value by providing practical improvement suggestions, offering assurance on the effectiveness of risk management and control processes, and providing insights and recommendations to enhance organizational efficiency. The best results are achieved when there is good collaboration between the internal auditor and the organization, mutual appreciation for the auditor’s work, and trustful communication. Organizational leadership plays a crucial role in promoting the importance of internal audit and fostering a cooperative relationship.

10. What qualifications and experience do you have in internal auditing? 

Each auditor has specialization and experience in their respective fields. Generally, experienced internal auditors hold certifications such as Certified Internal Auditor (CIA) or Certified Government Auditing Professional (CGAP).

In the Grant Thornton Baltic OÜ internal audit team, we have internal auditors with a qualifications of certified internal auditor and public sector entity’s internal auditor. Our team members hold both CGAP and CIA certifications, and we also have an auditor with a sworn auditor qualification. Additionally, our employees have completed external quality assessor and ISO quality management system lead auditor trainings.

11. How do you ensure the confidentiality of information during the audit? 

As internal auditors, we adhere to an ethical code that requires maintaining the confidentiality of information obtained during our work. We also follow strict security protocols to protect data, including personal data.

12. What do we need to prepare for the audit? 

From the audit client, we expect to receive various documents related to the audited areas, such as internal regulations, policies, procedure descriptions, reviews, analyses, reports, and other relevant materials. Additionally, the client should ensure that key personnel are available to meet with the auditor and respond to their inquiries.

13. How long does an average audit typically last? 

The duration of an audit depends on its scope, so there is no one-size-fits-all answer. However, we recommend considering a timeframe of 1 to 3 months, which includes planning, execution, and reporting stages.

14. How much does an audit cost? 

The cost of a specific audit depends on the scope and objectives of the audit, as well as the time required for the necessary audit procedures. To provide a precise price quote, we assess the audit’s time commitment and typically present a binding offer to the client.

If you have any further questions about internal audits, feel free to contact us by phone +372 626 0500 or by e-mail at