It is helpful to divide the risks considered by internal auditors into three main categories. These are:
- Operational risk. These are the risks that the operating activities of an entity may be disrupted, either intentionally or inadvertently through error. Employees may make mistakes, doing something wrong or forgetting to do something. Machines may break down. There may be reduced security measures, poor supervision, weak management or an ineffective organization structure. Operational risk refers to anything that might go wrong with operational activities.
- Financial risk. These are the risks of what may happen if there are changes in the financial environment, such as interest rates, taxation law or exchange rates. Financial risk also includes credit risk, which is the risk of non-payment or late payment by customers.
- Compliance risk. These are risks that the entity may fail to comply with relevant rules and regulations, resulting in penalties being imposed by regulatory authorities or fines being paid to aggrieved parties. Examples of compliance risk vary according to the nature of a company’s activities: they may include the risks of non-compliance with health and safety law, anti-pollution law, employment law, and so on.