The ESFA released updated guidance on Internal Scrutiny in Academies on 30 November 2021. This good practice guide provides guidance for trustees, accounting officers, and chief financial officers in academy trusts and aims to provide suggestions as to how they can implement internal scrutiny arrangements that meet the requirements of the Academies Financial Handbook (AFH).
The guidance helps Trustees to discharge their responsibilities for ensuring effective stewardship and oversight of their organisation, as well as an adequate governance and control environment, and to provide them with a medium for self-reflection. The guide covers the following key areas:
Options for delivering the service
Trustees will need to decide the level of internal scrutiny work required that provides appropriate coverage for their size and complexity. The guidance sets out four options in the way that the service can be delivered:
- employing an in-house internal auditor
- a bought-in internal audit service from a firm, other organisation or individual with professional indemnity insurance
- the appointment of a non-employed trustee
- a peer review performed by the CFO, from another academy trust. The trust should satisfy itself that the trust supplying the reviewer has a good standard of financial management and governance, and should minute the basis for its decision. The peer reviewer should be independent of the trust.
Planning
During our recent academy audits we have noted that the scope of the internal audit work in many academies still focuses mainly on the financial areas and so the scope of the work performed is not as wide as recommended in the ESFA guidance. The trustees should discuss the areas of concern or focus and then prepare a written remit as to what areas should be covered together with an outline of the work to be carried out. A plan covering several years could be considered to ensure all key areas of risk are adequately covered.
Areas of work to consider
In addition to the financial control systems which have traditionally been covered by these visits, consideration should be given to reviewing other key areas including:
- Financial governance and oversight
- Risk management
- Fraud
- IT systems and cyber security
Where an area is very specialist or technical, trustees may wish to consider employing a subject-matter expert to perform the review.
Reporting
Looking at the documentation of these internal audit visits, we have observed that the reports are often brief and lack detail of the work that has been carried out. We recommend that details of the work performed is clearly documented so the trustees can understand what work has been performed, what period of time was covered by the visit/testing and what conclusions have been reached as a result of the work. Any recommendations for improvement should be clearly reported and then followed up on subsequent visits.
Reviewing
The trustees should review the reports received during the year to identify the areas for improvement and ensure the necessary actions are taken. At the end of the year the reports should then be referred back to the original plan to ensure all key areas have been covered and consider what areas should be covered in subsequent years.
We recommend that all trustees review this guidance and use this as a basis for future work. A link to this guidance is provided here.