Internal Scrutiny for Academy Trusts - Tips on how it should work for your Trust

The Academy Trust Handbook (ATH) requires all Academy Trusts to have a programme of internal scrutiny. Internal scrutiny provides independent assurance to Members and Trustees on whether the financial and non-financial controls and risk management procedures at the Trust are operating effectively.

So, what does this actually mean for your Trust?

When considering the work to be undertaken by an internal scrutiny service, this should cover both financial areas (such as income, expenditure, procurement and payroll) and non-financial areas such as:

• external governance reviews,
• HR processes,
• GDPR,
• risk management,
• cyber security,
• health and safety, and
• the ATH “musts” including, website compliance and business continuity planning.

The work completed by your internal scrutiny provider should be risk based and cover at least some of the higher risk areas identified in the Academy Trust’s Risk Register. The number of reviews undertaken in the year can vary, based on the size and complexity of the Trust but should provide good coverage of the key risks.

The ESFA recommends that your internal scrutiny service is provided with direct access to the Chair of the Audit Committee (or equivalent) by phone, email and virtually, and should have the contact details of the Chair of the Finance Committee, the Chair of Trustees and the Clerk (your “Governance Professional”). The purpose of this is to allow any concerns regarding the Trust to be raised confidentially by Trustees and for feedback or further review to be provided by an independent source – your internal scrutiny provider.

When Academy Trusts look to appoint a provider of internal scrutiny, consideration should be given to the qualification, ability and track record of the providers in question. This is the first step towards meeting the requirements of the ATH.

Making the most of internal scrutiny planning

Internal scrutiny plans should follow a risk based approach, taking into account the concerns of the Audit Committee and advice from the internal scrutiny provider. As such, the internal scrutiny provider can suggest areas of coverage based on internal scrutiny trends, changes to the external business environment and the Risk Register. Essentially, it is the responsibility of the Audit Committee to steer and agree the internal scrutiny plan but it is worth noting that this should be a dynamic process; areas to be reviewed within the plan will change based on the prevailing risk environment.

Monitoring internal scrutiny delivery and what to expect

Once an internal scrutiny plan is in place and has been formally approved by the Audit Committee, the internal scrutiny provider should issue Terms of Reference detailing the scope of agreed areas for review. These should be agreed with the Audit Committee and key personnel from the area under review to ensure the scope of work is appropriate.

Following completion of the fieldwork, an internal scrutiny report summarising the findings, opinion on the control environment and any recommendations agreed with management, should be received and scrutinised by the Audit Committee. The report should be reported by representatives of the internal scrutiny service to the Audit Committee to ensure any comments or queries can be answered. It is best practice for the internal scrutiny provider to attend each Audit Committee for this, whereby the provider can share sector insights and advice on areas of risk management and control as required.

The Audit Committee should ideally have a permanent agenda item to spend five minutes alone with the service providers without any members of staff (as the other education sector areas already do). This allows for any concerns with the risk framework and in delivering the service, including potential fraud, to be raised and discussed without the influence of members of staff.

An annual internal scrutiny report covering the reviews undertaken in the year (and a follow up of any previous recommendations), should be provided and presented to the Audit Committee. This must be submitted to the ESFA by the Trust, alongside the annual statements.

How to get the best service from an internal scrutiny provider

Internal scrutiny providers should be geared towards making useful recommendations and being able to add value to their service through sharing best practice advice, templates for use by the Trust, sector benchmarking and training. You should assess the performance of the provider in light of the reports and service received in year.

To ensure you are getting the most from your internal scrutiny provider, good communication is key. As mentioned above, your internal scrutiny provider should have direct access to the Audit Committee Chair and be invited to attend Audit Committees where any of their reports (including the annual plan, annual report and individual reports) are submitted. Additionally, to ensure the areas of scrutiny provide appropriate coverage, do not hesitate to engage with your internal scrutiny provider throughout the year to share any concerns, potential risks or to ask for advice. This is what we are there for and how the service should work for you.

Your key internal scrutiny contacts for Academy Trusts at Price Bailey are:

Dawn Turner, Senior Internal Auditor, ACCA CIA ([email protected])

If you have any questions regarding anything mentioned in this blog, you can contact Tom Meeks, Partner and Head of Price Bailey’s Academies Team or Dawn Turner using the form below.