Internal scrutiny and its importance within an academy trust

The Education and Skills Funding Agency (ESFA) requirements for internal scrutiny have recently evolved

What was once a strict series of tests has become a more fluid, risk-based approach, meaning academy trust audit committees have been left trying to assess what level of measures should be in place for their trust. This approach, despite all the guidance provided, affords significant flexibility between schools, making it difficult for audit committees to be reassured that any internal scrutiny work carried out is sufficient. So, here are the things to consider to ensure your internal scrutiny programme is adequate.

Why is getting your internal scrutiny programme right so important?

In a word: risk!

It’s the trustees’ responsibility to protect the trust against risk. And an effective internal scrutiny programme should provide the board with the reassurance they need – that information, systems, and controls are working effectively, giving assurance that what you think is happening within your organisation is in fact taking place. Things can go wrong when the risks on the trust’s risk register are not reviewed regularly, as risk levels can change.

For example, there are high-risk areas such as IT and cybersecurity where there are multiple risks including cyber-fraud, GDPR breaches and safeguarding issues. It’s important to obtain assurance that these risks are being controlled. Likewise, academy trusts set policies on schemes of delegation and financial procedures to protect against fraudulent or inappropriate payments and so assurance is important to make sure that these procedures are being properly applied.

Much of this assurance can be provided to trustees by the academy’s management team. Internal scrutiny provides an extra layer of assurance, where trustees want to obtain an independent perspective on a key risk area, reassurance that the controls described by management are really in place, or just to reassure themselves that the controls in a particular area are in line with sector best practice.

How much internal scrutiny should you do?

There’s no set amount of internal scrutiny required by the ESFA. However, the sector has moved away from the old approach of one person coming in two or three times a year for a day to check up on key financial processes. The type of internal scrutiny that the ESFA now requires involves a greater level of input, and is not a ‘tick-the-box’ exercise. We’re seeing these practices start to align with the established internal scrutiny requirements within the further and higher education sectors, where an institution with annual income above £20m will usually have upwards of 20 days allocated for internal assurance. Currently, however, the volume of internal scrutiny work carried out in the academy sector is more variable as trustees seek the right balance for their trust.

What are the ESFA internal scrutiny guidelines?

There are certain ‘musts’ that trustees need to review to satisfy themselves that they are compliant with the Academies Financial Handbook (the Academy Trust Handbook from September 2021) including for internal scrutiny (section three). The trustees, with the aid of the accounting officer, need to ensure they are running a well-reviewed operation in terms of the financial and non-financial procedures, while ensuring protection of academy assets.

According to the Academies Financial Handbook, the audit committee (or equivalent) needs to satisfy the following areas to make sure they are compliant:

  • Ensure there is an internal assurance reviewer in place who is independent and has the expertise to provide the assurance needed.
  • Identify and evaluate risks with reference to its risk register – the areas it will review and modify each year (as necessary) as new risk areas arise.
  • Establish an audit and risk committee appointed by the board (N.B. trusts over £50m must have a dedicated audit and risk committee; those that fall below this threshold can combine this with another committee), which directs the programme of events while considering the current risk needs of the academy.

How should academy trusts go about choosing internal scrutiny topics?

Each year trustees should focus on areas they want to review, with reference to the academy risk register. This should vary year-on-year and can cover a wide variety of areas. Traditionally this process has focused on the core financial controls and processes and, while they shouldn’t be forgotten about, some factors to consider are:

  • How often should you review core financial controls (it’s becoming less common to do this more than once a year)?
  • Should you review all core financial controls every year during visits (e.g. payroll expenditure, non-payroll expenditure, income, balance sheet controls) or set up a cyclical ‘deep dive’ review of individual areas?
  • Should MATs cover every school during visits or a sample of schools (this may depend on the level of reliance on head office checks vs. internal scrutiny checks)?

However, academy trusts shouldn’t stop once they have reviewed core financial controls, as these aren’t the only risks on the register.

Independent checks by thorough internal scrutiny give a level of comfort that can’t always be achieved by other means. The trustees therefore need to determine where some independent assurance would add weight to the assurances provided by management. This could be due to the high level of risk, the need for external expertise, or due to the need for independent checks on management.

Topics for internal assurance often arise naturally through trustees’ discussion of risk. But it can also be useful to have a more formal process in place as not all suggestions need to be trustee driven. The auditor and the management team may prepare suggestions of a programme of internal scrutiny; however, the programme is often checking up on management and is designed to provide assurance to the trustees, so they need to have control and oversight of the plan. The ESFA provide some further examples of suggested areas of coverage in their Internal scrutiny in academy trusts (Annex 2) good practice guide.

Committee best practice overview

A common approach to internal scrutiny best practice is to establish a Board Assurance Framework, bringing clarity to where the trust is obtaining assurance. This involves identifying and listing out all the key areas where the trustees require assurance, and should be closely linked to the risk register. Once these areas are identified, the sources of assurance and timing of assurance can be documented. Sources of assurance include internal scrutiny, but can also be obtained from management and other sources such as benchmark data or other external checks.

It’s also helpful to think in 3-5 year cycles. If controls are reviewed thoroughly, they often do not require review every year. It can therefore be helpful to think through what coverage you will get over a 3-5 year period so that all of the key areas of concern are covered.

The useful checklist below can help you make sure the academy trust is getting the most out of internal scrutiny.

  • Have you got a register of risks that’s reviewed and updated regularly?
  • Does your risk register give details of sources of assurance for risk?
  • Has the committee discussed sources of assurance?
  • Does the committee review an annual plan for internal assurance?
  • Is the committee satisfied that the plan is sufficient to provide it with adequate assurance?
  • Does the committee review the outcomes from internal scrutiny?
  • Does the committee make an annual assessment of the assurance gained during the year?
  • Does the committee receive a log of internal scrutiny and external audit recommendations and scrutinise whether the issues have been adequately closed?

Further advice and support

If you’re looking for further advice and support when setting your academy trust’s internal scrutiny programme, then please don’t hesitate to get in touch. At Buzzacott, our knowledge of the academy sector is what sets us apart, and this experience allows us to support management and trustee boards to set an effective programme of internal scrutiny that provides the required levels of assurance, while not being overly onerous on your time.
