Risk based internal auditing
Please read the following. Instructions on downloading the database are at the end.
WARNING: The database has a fault which means that new records cannot be added.
The database is intended as an example to show how a risk and audit database can be compiled. It should not be used without modifying it to fit the needs and actual risks of the organization. It will not be supported by www.internalaudit.biz.
What to do first
Read the books available, free, from www.internalaudit.biz about risk based internal auditing. If you are not familiar with Microsoft’s Access database program, you will need to gain a basic understanding, at least.
Why the database was constructed
The purpose of the database is to record the risks of an almshouse (housing) charity (58 homes) of which I was a trustee. The charity was established in 1704, although the current homes were built in 1926, and later, on a site outside Nottingham, UK. The charity provides homes for single people and married couples who are over 65 and on housing benefit.
Although the charity is relatively small, it has to produce accounts for publication and declare it has determined its risks. Thus the trustees have to determine risks, not only because they have a duty of care to the residents but because the law requires it.
The charity drew up its original list of risks in 2001 and updated it annually. After 5 years, we needed to have a major re-
How the database was constructed
The database is built around the record of a risk. There are four main sections:
Risk identification -
Risk assessment -
Risk management -
Risk assurance -
All these details are in one database table. This does result in some duplication if one control manages several risks. However, I have worked with a commercial database which puts risks, controls and assurance in different tables and found the matching of them to be confusing. For a small organization, I believe this database structure to be the best.
Other details about the construction of the database (for example: tables, reports, macros) are outlined in the database.
The database is structured around ‘processes’. Processes are the activities which need to take place to achieve the objectives of the organization. It’s not essential to use them but I believe they put the risks into a structure and help eliminate risks which are similar. Processes might be considered as objectives and I will be changing the terminology when I update the database.
The important point to make about processes is that they are the theoretical tasks required to achieve the objectives of the organization, not the actual systems. The other point to make is that risks come first. If you don’t have a process to link to the risk, your list of processes is incomplete.
How the database was populated with risks and processes
The 2001 risks of the charity were structured into headings (for example: staff, the site, reputation) but before setting up a ‘risk workshop’ I wanted to look at the processes involved in fulfilling the objectives of our almshouse charity. There is one book which provides suggested standards: ‘The Standards of Almshouse Management’ published by the Almshouses Association. I used the standards to prompt me for the risks inherent in operating almshouses and used the structure of the standards to define the processes (for example; governance, administration, health and safety). By linking each risk to a process helped me to define each risk and prevent ‘duplicates’. If you wish to carry out ‘audits’, by looking at the management of several risks, grouping them together in processes helps.
I also added in risks from the Charity Commission’s website. I reworded some (the wording of some risks is poor). This does result in some duplication. I also input the risks the charity had previously identified, but these are not in the version of the database on the web.
How you can use the database
Whatever type of organization you are, you will need to determine the risks which hinder the achievement of your objectives. If you are a housing charity, the risks set up in the database will help you, although they will be incomplete for your organization. If you are not a housing charity, delete all the records and input your own risks. You will need to decide on the hierarchy of the objectives of your organization.
You will also need to amend the database structure, adding fields for data which you wish to record. You will probably want to set up more reports.
Having determined your risks and processes, input the processes and set up the other data required, through the input data/setup input form. You can then input your risks. Note that, as you click into each field, a description of that field appears in the bottom left-
Whatever you need to do, you are on your own. www.internalaudit.biz cannot support you!
Downloading the database
The database can be downloaded by clicking the hyperlink below. You should save the file before running it. As the database is large (about 7 MB), I have compressed it using WinZIP, which produces a file of around 800 KB. If you cannot 'de-