The Academies Financial Handbook has, for some time, included a requirement for Academies to have some form of internal scrutiny over their financial and other controls. In the early days of the academy program there was a very prescriptive program of tests for a Responsible Officer to follow and report on.
In recent years the requirement has evolved and today the Education & Skills Funding Agency (ESFA) require trusts to identify on a risk basis, areas of financial and other controls that should be reviewed each year to respond to the changing needs and circumstances of their specific organisations.
So what is Internal Scrutiny?
Internal scrutiny is a process that should be designed to provide independent assurance to the Board and Audit Committee that internal controls and risk management are operating effectively. The process should help a trust to improve and maintain good levels of:
- Risk management
- Internal control
What Academy Trusts does this affect?
All Academy Trusts must have internal scrutiny, regardless of size. Of course, the approach taken will vary between Academy Trusts and each Trust must adopt the most suitable approach for them.
How to approach Internal Scrutiny work
Create a plan for the trusts internal scrutiny work which details:
- the objective
- the timing and scope of the work
- reporting lines
Internal scrutiny is linked with risk management and the Academy Trust’s risk register is the key starting point to develop a programme of work. All Academy Trusts must have a risk register that is reviewed and updated regularly by the Board and Audit Committee.
Examples of key risk areas for academies are detailed below.
- Validity of funding claims
- Recognition of public funds
- Use of public funds
- Tendering and procurement
- Transactions with related/connected parties
- Electronic / online systems
- Security of assets
- Data security
The audit committee should identify the areas of work that are to be addressed by the internal scrutiny programme. Not all risk areas will be covered on every review, but if there are any changes within an area (e.g. a change in staff) this could change the risk profile meaning on the next visit this might need to be covered by the programme.
The programme can take place as frequently as the Board requires. The audit committee should meet at least three times a year and so it seems sensible that most internal scrutiny programs will involve at least three visits per year but this will of course very much depend upon the individual circumstances of each trust.
The factors that the internal scrutineer should take into account whilst performing their reviews should include:
- Complexity of the system
- Potential fraud risks
- Strength of management controls
- Evidencing data processing has been carried out in accordance with documented procedures
Who can provide an internal scrutiny service?
- An in-house internal auditor who should be a member of a relevant professional body.
- Outsourced service provided by an external auditor who has the relevant qualifications and experience.
- The Academy Trust might feel it is appropriate to outsource individual areas of the internal scrutiny process to experts within that particular area, e.g. an accountant might not be the most appropriate person to review the trusts IT systems if this is deemed to be an area of high risk.
- Non-employed trustee with appropriate experience.
- Peer review performed by the finance team of another Academy Trust. The Academy Trust must be satisfied that the reviewer has a good standard of financial management and have qualifications in finance as well as appropriate internal audit experience.
Reporting the findings of Internal Scrutiny to Trustees
The internal scrutineer should report the findings of the programme to the Audit Committee on a regular basis, who in turn should ensure all trustees are made aware of the findings.
The report should detail the areas covered, the work carried out and should include any weaknesses found, with recommendations for improvements.
Reporting the findings of Internal Scrutiny to the ESFA
The Academies Financial Handbook also requires Academy Trusts to submit an annual report along with the annual accounts that summarises the work and findings of the internal scrutineer. This report should include:
- Areas reviewed
- Key findings
Issues with non-compliance
Failure to comply with the internal scrutiny requirements and having effective internal controls could result in potential regularity issues that would need to be reported in the external auditor’s report.
How can McCabe Ford Williams help?
Here at McCabe Ford Williams, we can offer independent internal scrutiny services for our clients. Please contact myself or fellow partner Ashley Phillips on 01795 479111 if you would like to explore how McCabe Ford Williams can assist.