Risk Based Internal Auditing
Microsoft Access database
Please read the following. Instructions on downloading the database are at the end.
The database is intended as an example to show how a risk and audit database can be compiled. It should not be used without modifying it to fit the needs and actual risks of the organisation. It will not be supported by www.internalaudit.biz.
What to do first
Read the two books available, free, from www.internalaudit.biz about risk based internal auditing. If you are not familiar with Microsoft’s Access database program, you will need to gain at least a basic understanding of it.
Why the database was constructed
The purpose of the database is to record the risks of an almshouse (housing) charity (58 homes) of which I am a trustee. The charity was established in 1704, although the current homes were built in 1926, and later, on a site outside Nottingham, UK. The charity provides homes for single people and married couples who are over 65 and on housing benefit.
Although the charity is relatively small, it has to produce accounts for publication and declare it has determined its risks. Thus the trustees have to determine risks, not only because we have a duty of care to the residents but because the law requires it.
The charity drew up its original list of risks in 2001 and updated it annually. After 5 years, we needed to have a major re-examination and set up a more formal
How the database was constructed
The database is built around the record of a risk. There are four main sections:
All these details are in one database table. This does result in some duplication if one control manages several risks. However, I have worked with a commercial database which puts risks, controls and assurance in different tables and found the matching of them to be confusing. For a small organisation, I believe this database structure to be the best.
Other details about the construction of the database (for example: tables, reports, macros) are outlined in the database.
My ‘brand’ of risk based internal auditing advocates the use of processes. Processes are the activities which need to take place to achieve the objectives of the organisation. It’s not essential to use them but I believe they put the risks into a structure and help eliminate risks which are similar. Processes themselves have an objective, and it is this objective which is threatened by the risks.
The important point to make about processes is that they are the theoretical tasks required to achieve the objectives of the organisation, not the actual systems. The other point to make is that risks come first. If you don’t have a process to link to the risk, your list of processes is incomplete.
How the database was populated with risks and processes
The 2001 risks of the charity were structured into headings (for example: staff, the site, reputation) but before setting up a ‘risk workshop’ I wanted to look at the processes involved in fulfilling the objectives of our almshouse charity. There is one book which provides suggested standards: ‘The Standards of Almshouse Management’ published by the Almshouses Association. I used the standards to prompt me for the risks inherent in operating almshouses and used the structure of the standards to define the processes (for example: governance, administration, health and safety). Linking each risk to a process helped me to define each risk and prevent ‘duplicates’. If you wish to carry out ‘audits’ by looking at the management of several risks, grouping them together in processes helps.
I also added in risks from the Charity Commission’s website. I reworded some (the wording of some risks is poor). This does result in some duplication. I also input the risks the charity had previously identified, but these are not in the version of the database on the web.
How you can use the database
Whatever type of organisation you are, you will need to determine the risks which hinder the achievement of your objectives. If you are a housing charity, the risks set up in the database will help you, although they will be incomplete for your organisation. If you are not a housing charity, delete all the records and input your own risks. You will need to decide on the hierarchy of processes which deliver the objectives of your
You will also need to amend the database structure, adding fields for data which you wish to record. You will probably want to set up more reports.
Having determined your risks and processes, input the processes and set up the other data required, through the input data/setup input form. You can then input your risks. Note that, as you click into each field, a description of that field appears in the bottom left-hand corner of the screen.
Whatever you need to do, you are on your own. www.internalaudit.biz cannot support you!
Downloading the database
The database can be downloaded by clicking the hyperlink below. You should save the file before running it. As the database is large (about 7 MB), I have compressed it using 'Winzip', which produces a file of around 800KB. If you cannot 'de-compress' the file, an evaluation copy of Winzip can be downloaded here.
©David M Griffiths
12 May 2006