
Risk based internal auditing

Microsoft Access database for a small housing charity

Please read the following. Instructions on downloading the database are at the end.


WARNING: The database has a fault which means that new records cannot be added.

The database is intended as an example to show how a risk and audit database can be compiled. It should not be used without modifying it to fit the needs and actual risks of the organization. It will not be supported by www.internalaudit.biz.

What to do first

Read the books about risk based internal auditing, available free from www.internalaudit.biz. If you are not familiar with Microsoft’s Access database program, you will need to gain at least a basic understanding of it.

Why the database was constructed

The purpose of the database is to record the risks of an almshouse (housing) charity (58 homes) of which I was a trustee. The charity was established in 1704, although the current homes were built in 1926, and later, on a site outside Nottingham, UK. The charity provides homes for single people and married couples who are over 65 and on housing benefit.

Although the charity is relatively small, it has to produce accounts for publication and declare it has determined its risks. Thus the trustees have to determine risks, not only because they have a duty of care to the residents but because the law requires it.

The charity drew up its original list of risks in 2001 and updated it annually. After 5 years, we needed to have a major re-examination and set up a more formal structure.

How the database was constructed

The database is built around the record of a risk. There are four main sections:

Risk identification - includes details of the risk, the objective it threatens, any legislation which caused the risk or instructs how it should be managed, and the consequences of the risk.

Risk assessment - scoring the consequence and likelihood for the risk, before (inherent risk) and after (residual risk) controls.

Risk management - how the risk is to be brought down to an acceptable level or not, if that is applicable.

Risk assurance - what checking has been carried out, or will be carried out, to make sure that the risk is being managed as intended.

All these details are in one database table. This does result in some duplication if one control manages several risks. However, I have worked with a commercial database which puts risks, controls and assurance in different tables and found the matching of them to be confusing. For a small organization, I believe this database structure to be the best.

Other details about the construction of the database (for example: tables, reports, macros) are outlined in the database.

The database is structured around ‘processes’. Processes are the activities which need to take place to achieve the objectives of the organization. It’s not essential to use them but I believe they put the risks into a structure and help eliminate risks which are similar. Processes might be considered as objectives and I will be changing the terminology when I update the database.

The important point to make about processes is that they are the theoretical tasks required to achieve the objectives of the organization, not the actual systems. The other point to make is that risks come first. If you don’t have a process to link to the risk, your list of processes is incomplete.
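The single-table layout and the "risks come first" rule described above, as an added sketch in Python with SQLite. It is not the Access database itself: every table name, column name and sample row is an assumption constructed for illustration.

```python
import sqlite3

# Constructed sample data: names and scores are illustrative, not from the real database.
PROCESSES = ["Governance", "Health and safety"]
RISKS = [
    # risk, process, inherent C, inherent L, control, residual C, residual L, assurance
    ("Fire in a home", "Health and safety", 5, 3,
     "Annual safety inspection", 5, 1, "Inspection report reviewed"),
    ("Gas leak in a home", "Health and safety", 5, 2,
     "Annual safety inspection", 5, 1, "Inspection report reviewed"),
    ("Trustees miss filing deadline", "Governance", 3, 3,
     "Calendar of filing dates", 3, 1, None),
    ("Loss of resident records", "Administration", 4, 2, None, 4, 2, None),
]

def build_register():
    """One row per risk: identification, assessment, management, assurance."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE process (name TEXT PRIMARY KEY)")
    db.execute("""CREATE TABLE risk (
        risk TEXT, process TEXT,
        inherent_consequence INTEGER, inherent_likelihood INTEGER,
        control TEXT,
        residual_consequence INTEGER, residual_likelihood INTEGER,
        assurance TEXT)""")
    db.executemany("INSERT INTO process VALUES (?)", [(p,) for p in PROCESSES])
    db.executemany("INSERT INTO risk VALUES (?,?,?,?,?,?,?,?)", RISKS)
    return db

def missing_processes(db):
    """Processes named on a risk but absent from the process list (list incomplete)."""
    rows = db.execute("""SELECT DISTINCT r.process FROM risk r
        LEFT JOIN process p ON p.name = r.process
        WHERE p.name IS NULL ORDER BY r.process""")
    return [row[0] for row in rows]

def duplicated_controls(db):
    """Controls repeated across rows because one control manages several risks."""
    rows = db.execute("""SELECT control, COUNT(*) FROM risk
        WHERE control IS NOT NULL GROUP BY control HAVING COUNT(*) > 1""")
    return dict(rows.fetchall())

def audit_scope(db, process):
    """Risks grouped under one process, scored before and after controls."""
    return db.execute("""SELECT risk, inherent_consequence, inherent_likelihood,
        residual_consequence, residual_likelihood FROM risk
        WHERE process = ? ORDER BY risk""", (process,)).fetchall()
```

Here `missing_processes` reports "Administration", the process the constructed list lacks, and `duplicated_controls` shows the repetition that the single-table design accepts.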

How the database was populated with risks and processes

The 2001 risks of the charity were structured into headings (for example: staff, the site, reputation) but before setting up a ‘risk workshop’ I wanted to look at the processes involved in fulfilling the objectives of our almshouse charity. There is one book which provides suggested standards: ‘The Standards of Almshouse Management’ published by the Almshouses Association. I used the standards to prompt me for the risks inherent in operating almshouses and used the structure of the standards to define the processes (for example: governance, administration, health and safety). Linking each risk to a process helped me to define each risk and prevent ‘duplicates’. If you wish to carry out ‘audits’, by looking at the management of several risks, grouping them together in processes helps.

I also added in risks from the Charity Commission’s website. I reworded some (the wording of some risks is poor). This does result in some duplication. I also input the risks the charity had previously identified, but these are not in the version of the database on the web.

How you can use the database

Whatever type of organization you are, you will need to determine the risks which hinder the achievement of your objectives. If you are a housing charity, the risks set up in the database will help you, although they will be incomplete for your organization. If you are not a housing charity, delete all the records and input your own risks. You will need to decide on the hierarchy of the objectives of your organization.

You will also need to amend the database structure, adding fields for data which you wish to record. You will probably want to set up more reports.

Having determined your risks and processes, input the processes and set up the other data required, through the input data/setup input form. You can then input your risks. Note that, as you click into each field, a description of that field appears in the bottom left-hand corner of the screen.

Whatever you need to do, you are on your own. www.internalaudit.biz cannot support you!

Downloading the database

The database can be downloaded by clicking the hyperlink below. You should save the file before running it. As the database is large (about 7 MB), I have compressed it using WinZIP, which produces a file of around 800 KB. If you cannot 'de-compress' the file, an evaluation copy of WinZIP can be downloaded here.

Download database (zip file)