OPERATIONS AUDITING OPERATIONS AUDITING

BY: GROUP 1
RISK
ASSESSMENT
RISKS ASSESSMENT

RISK ASSESMENT
OVERVIEW
"A chain is only strong as it's weakest link"
CHAPTER 3
RISKS ASSESSMENT

RISK ASSESMENT
OVERVIEW
What is THEORY OF CONSTRAINTS?

is a management philosophy developed by Eliyahu M.

Goldratt that focuses on identifying and managing the most
critical limiting factor (constraint) that prevents an
organization from achieving its goals. It is based on the idea
that every system has at least one bottleneck that
determines its overall performance.
CHAPTER 3
CHAPTER 3 RISKS ASSESSMENT

RISK
ASSESSMENTS
RISKS ASSESSMENT

RISK ASSESMENT
INTRODUCTION
What is Risk Assessment?
Is the process of identifying, measuring, and analyzing risks relevant to
a program or process. This assessment is systematic, iterative, and
subject to both quantitative and qualitative inputs and factors.
CHAPTER 3
RISKS ASSESSMENT
RISK ASSESMENT
INTRODUCTION
External Auditing Internal Auditing

Assesses risks that could lead

to material misstatements in Evaluates and improves risk
financial statements. management, internal
controls, and governance.

Focused—primarily on Use risk-based Broad—covers operational,

financial reporting and approaches to financial, compliance, and
fraud risks. auditing strategic risks.

Focuses on financial reporting Ensure compliance

Identifies and mitigates risks
risks and ensuring compliance with regulations and
across all business functions.
with standards. policies

Ensures financial reporting Helps management comply

complies with external with internal policies and
regulations (GAAP, IFRS). laws
CHAPTER 3
RISKS ASSESSMENT

RISK
ASSESSMENT

Step 1. Identification of Relevant Risks

The key aspect of any risk assessment 
Internal Auditors must be doing sufficient planning and research so
they have familiarity about the activities involved.
Useful to include in the risk identification exercise people with an
extensive knowledge of the program or process that will be
analyzed
Prepared list from COSO, ISO, Information Technology
Infrastructure Library (ITIL), CVNET, and others can be utilized in
assessing risks
CHAPTER 3
 RISK
ASSESSMENT Step 1. Identification of Relevant Risks

OPERATIONAL RISKS TYPES

NATURAL
CAPACITY STRATEGIC COMPLIANCE ENVIRONMENT POLITICAL

• Failing to maintain • Energy supply • Changes in legislation

• Inability to produce as beneficial relationships with •Failure to meet external
disruption or regulation due to
many units as required customers’ requirements (e.g., laws
• Damage from fire, government changes
• Process generating • Computer system’s and regulations)
water, or natural • Social unrest triggered
excessive amounts of inability to support the • Failure to meet internal
disasters (e.g., floods, by changes in
waste operating unit’s needs standard operating
earthquakes, hurricanes, government
• Producing too many • Manufacturing lines being procedure (SOP)
and tornadoes)
defective parts (i.e., unable to keep pace with requirements
• Inability to secure
error rate) sales growth • Failure to meet
needed resources (e.g.,
• Delivering ordered • Lack of funding to finance combined requirements
water and minerals)
goods or services past business expansion (e.g., contracts)
• Dependency on
the promised date • Knowledge drain due to
employee turnover carbon-based sources of
• Inability to provide
• Failure to respond to energy
high quality service to
changing customer • Business interruption
every customer
preferences caused by disease
RISKS ASSESSMENT
RISK
ASSESSMENT Step 1. Identification of Relevant Risks

INTERNAL CONSTRAINTS

EQUIPMENT POLICIES
The types of equipment available and the Written and unwritten policies can prevent
ways they are used limit the ability of the the process from producing more of higher
process to produce more high quality quality goods and services.
goods and deliver services

PEOPLE
Lack of skilled and motivated workers limits
the productive capacity of any PROCESS.
Attitudes and other mental models
CHAPTER 3
RISKS ASSESSMENT
RISK
ASSESSMENT
Step 2. Measurement of Risks
The measurement process can be either subjective or quantitative,
and either driven by facts or not
Quite often, risks are measure using a three-point scale of high–
medium–low
This can also be done using a five-point scale, with likelihood
measures of rare–unlikely–possible–likely–almost certain. Impact
measure may include insignificant–minor–moderate–major–
catastrophic.
Using these measures, the impact of the risk, if it were to
materialize(1), and the likelihood of the risk, if it were to occur(2), are
rated
CHAPTER 3
RISKS ASSESSMENT
RISK
ASSESSMENT Step 2. Measurement of Risks
RATING OF RISKS

THE IMPACT OF THE RISK, IF IT WERE THE LIKELIHOOD OF THE RISK, IF IT

TO MATERIALIZE WERE TO OCCUR
CHAPTER 3
RISKS ASSESSMENT
RISK
ASSESSMENT Step 2. Measurement of Risks
CHAPTER 3
RISKS ASSESSMENT
RISK
ASSESSMENT Step 2. Measurement of Risks
More Detailed Approach
CHAPTER 3
RISKS ASSESSMENT
RISK
ASSESSMENT Step 3: Analyzing Risks

The Risk Matrix

The risk matrix is a widely used and highly effective tool to record and analyze the objectives,
risks, and controls in the program or process that is being audited as defined in the scope definition.
The risk matrix is an essential ingredient when conducting risk-based audits, as they provide
a means to capture and analyze these items.
CHAPTER 3

PAGE 15
RISKS ASSESSMENT

ASSESSING RISKS
AND CONTROL TYPES
RISKS ASSESSMENT

A process that is often done iteratively.

It starts by identifying possible dangers and analyzing what could
happen if those dangers occur.
Focuses on identifying and understanding risks
It’s the process of figuring out what could go wrong, how likely it is,
and what the impact would be.
CHAPTER 3
CONDUCT OF RISK
ASSESSMENT
Identifying, evaluating, and prioritizing
potential risks to a process
Look for weaknesses (vulnerabilities) that VULNERABILITIES
would make an asset susceptible to
damage or loss from hazard
The degree to which people, property,
resources, systems, and cultural, economic,
environmental, and social activity is
susceptible to harm degradation, or
destruction on being exposed to a hostile
agent or factor.
 OBJECTIVES SCENARIO
BASED BASED COMMON RISK RISK CHARTING
CHECKING
Identify events that Create different Combination of
Use a
may hinder the ability scenarios or above approaches
prefabricated list
of the organization alternative ways of consists listing
to achieve its of common risks resources at risk and
achieving objects
objectives partially or and determine how in your industry or the threats to those
completely. forces interact. area of scope. resources.

Identify and list potential risks

RISK IDENTIFICATION that could impact a project,

process, or organization.
ORGANIZATIONAL
HAZARDS
RISKS ASSESSMENT

ASSESSING RISKS
AND CONTROL TYPES
RISKS MITIGATION

A strategy to prepare for and lessen the effects of threats faced by a business.
Takes steps to reduce the negative effects of threats and disasters on business
continuity.
This could involve;
Taking preventive actions
Creating backup plans
CHAPTER 3

PAGE 09
Relationships of Hazards, Risk and Organizational Impact
IMPORTANCE OF CSA
CONTROL SELF-ASSESSMENT (CSA)

A technique that involves managers and

teams directly in business units or CONTENT OF
processes to assess the organization's QUESTIONNAIRES
risk management and control.
1. Identify the main activities in their
Consists of questionnaires and form
processes.
completed by process owners 2. List objectives, risks, and controls.
3. Recognize who performs key
tasks and controls.
4. Highlight major challenges in
their areas.
RISKS ASSESSMENT

BUSINESS ACTIVITIES
&THEIR RISK IMPLICATIONS
ASSEMBLE-TO-ORDER MAKE-TO-STOCK (MTS)

Products are manufactured in advance, but not Products are manufactured based on demand forecasts.
assembled until a customer order is received. Accurate This approach allows for faster delivery but carries the risk
demand forecasting is crucial to avoid overproduction or of overproduction if demand forecasts are inaccurate.
stockouts of components.

MAKE-TO-ORDER (MTO) BOTTLENECK

Manufacturing starts only after a customer order is It refers to a point in a process where there is limited
received. This approach eliminates the risk of producing productive capacity and the flow slows down.
unsold inventory but can lead to longer lead times.
CHAPTER 3
RISKS ASSESSMENT

BUSINESS ACTIVITIES
&THEIR RISK IMPLICATIONS
COLLABORATIVE INVENTORY MANAGEMENT CYCLE TIME

This involves cooperation between buyers and suppliers The total time it takes for a product or service to move
to optimize inventory levels and reduce costs. It often through the entire supply chain, from the initial order to
includes sharing forecasts, implementing joint planning delivery to the customer.
processes, and coordinating deliveries.

CONSIGNMENT DISTRIBUTION CENTER BYPASS OR DROP SHIP

Supplier retains ownership of the goods until they are Products are shipped directly from the manufacturer to
sold by the customer. the retailer or end user, bypassing the traditional
distribution center.
CHAPTER 3
RISKS ASSESSMENT

BUSINESS ACTIVITIES
&THEIR RISK IMPLICATIONS
ELECTRONIC DATA INTERCHANGE (EDI) INVENTORY

The electronic exchange of standardized data between It refers to the stock of raw materials, work-in-progress,
businesses. Unauthorized access, data breaches, and and finished goods held by an organization to meet
transmission errors can compromise sensitive future demand.
information.
CHAPTER 3
 F
RISKS ASSESSMENT

C INCREASED GROWTH IN ASIA AND OTHER

H GOVERNMENT INVOLVEMENT

U
OUTSOURCING DEVELOPING COUNTRIES

A
T
IMPROVED CUSTOMER

L GLOBAL SOURCING
ANALYTICS
GEO-POLITICAL RISKS

L
U
E
N
MARGIN
COMPRESSION
DATA CAPTURE AND TRANSFER
CAPABILITIES
CORRUPTION

R
G
E
E TECHNOLOGY ENVIRONMENTAL INITIATIVES

S
CHAPTER 3
RISKS ASSESSMENT

This chapter emphasizes the critical role of risk assessment in audit planning,
execution, and reporting. It underscores the necessity of identifying and analyzing
risks systematically to ensure organizations can mitigate potential threats and
capitalize on opportunities effectively. It highlights the importance of using both
quantitative and qualitative measures to assess risks and determine their likelihood
and impact. Internal auditors play a key role in guiding organizations through risk
assessments, helping define audit strategies, and ensuring alignment with strategic
objectives. Ultimately, risk assessments provide valuable insights that aid in decision-
making, allowing organizations to either maintain their current course or adapt to
mitigate identified risks.

CONCLUSION
CHAPTER 3