A bank operating in Estonia once had a slogan proclaiming, “Saving brings peace of mind!” To paraphrase this, a marketing campaign could be set up for another important area saying, “Internal audits bring peace of mind!” And it’s true: internal audits provide managers with the assurance that everything in their organisation is going as planned, and that everything possible is being done to mitigate risks to the achievement of objectives.

Since the first half of the 2000s, when Rimess started performing internal audits, the range of classic internal audit services has not changed. It gains an overview of the business processes of companies and public sector institutions, assesses risks and analyses internal control systems, and enables institutions and companies to outsource the services of an internal auditor. Estonia’s accession to the European Union placed audits of projects supported by the EU Structural Funds on the agenda, as well as internal audits of the bodies that distribute EU funds.

It is no secret that the ever-increasing number of rules has created a need for internal audits in an increasing number of organisations. In 2016, Grant Thornton Baltic bought Interna OÜ, the only company in Estonia specialising in internal audits and providing internal audits and training under the name siseaudiitor.ee, in order to take a decent bite out of market growth. The acquisition of Interna allowed Grant Thornton Baltic to satisfy market demand more smoothly.

The area of business risk services, led by Kai Paalberg, is growing rapidly as the business environment becomes more and more rule-intensive and risks are becoming increasingly diverse.

Kai Paalberg, who joined Grant Thornton Baltic as Head of Business Risk Services in 2019, says the trend in recent years has been an increase in client numbers due to a variety of laws and regulations. These oblige more and more organisations to carry out internal audits to make sure they are operating in line with the law. “Most of our clients come from the highly regulated financial sector,” says Paalberg. “The area of personal data protection is also so complex that organisations need advice to keep up with all the nuances. On our business risk services team, which has five employees, one specialist focusses on this area.”

In some ways, the work of an internal auditor can be compared to that of a doctor: if you start looking for disease or problems, you usually find something. “For example, when auditing processes or contracts, we almost always find a bottleneck that poses a risk to a company’s operations,” Paalberg explains. “It’s our job to highlight the risks, but it’s up to the management to decide whether to implement the recommendations that internal auditors make.”

Just as doctors are familiar with patients who want to get well but are not prepared to do anything for their own good, internal auditors see managers who are not interested in taking advice on board. Paalberg says that there are situations where an internal auditor is hired just for the sake of it, because it is required by law, but people don’t want to contribute anything themselves. “This doesn’t motivate us, because we want to make a positive difference in organisations,” Paalberg says. However, in addition to helping organisations, the risk management team at Grant Thornton Baltic is also motivated by the goal of becoming the best conductors of internal audits in Estonia and the first one clients think to contact when they need an internal auditor.