19 May 2017 - 8:00
IIA holds seminar on risk assessment process
The Institute of Internal Auditors Qatar (IIA) recently held a seminar on “Similarities and differences between Internal Audit & Enterprise Risk Management (ERM) Risk Assessment process” at Oryx Rotana Hotel.
“The month of May is celebrated globally as internal audit awareness month to advocate the importance of the profession and to promote the value it delivers. This seminar was a unique event. The topic was conceived to understand perspectives of risk assessment from ERM and Internal Audit points of view. It was entirely novel, very rich in content and profound in deliberations. Both speakers coordinated and brought huge research value for a probably not much-delved subject,” said Sundaresan Rajeswar, Director of the Board of the IIA Qatar.
The speakers were Hatem Elsafty, a Partner at Mazars Qatar who leads the Governance Risk and Internal Control practice, and Alfa Falconi, who works as a strategic risk expert in designing, auditing, and monitoring the effectiveness of the Risk Management Framework at Qatar Rail.
ERM and IA have different views, objectives, and perspectives on the risk assessment process. Although they follow similar concepts and frameworks to assess risks, they differ in some aspects, including risk categories, how to evaluate controls impacting risk, and which risk levels to focus on, among others.
The speakers used the COSO risk management framework as the foundation to explain and focus on the risk assessment process for both IA and ERM.
Culture in the Middle East limits the number of professionals working in the ERM function, which impacts its ability to perform a detailed evaluation of controls (which is critical to assess the risks appropriately). ERM functions therefore stop at challenging the design of controls and do not check their operational effectiveness, whereas evaluating the adequacy of the system of internal controls is an integral part of an IA risk assessment process.
Hatem and Alfa believe that the best audit universe is the risk universe, as it will give assurance on the completeness of all the auditable entities identified even if the management did not define a particular function or business process.