Under the Department for Education's Academy Trust Handbook, all academy trusts are required to maintain effective oversight and monitoring of their internal controls. A key part of this requirement is the establishment of a robust programme of internal scrutiny, designed to provide independent assurance to the board that systems, controls, and risk management procedures are operating effectively.
The resulting annual internal scrutiny report also plays an important role in assuring the Department for Education (DfE) that academy trusts are meeting their compliance obligations.
What should internal scrutiny cover?
The Academy Trust Handbook explains that internal scrutiny work must focus on:
- Evaluating the suitability of, and level of compliance with, financial and non-financial controls. This includes assessing whether procedures are effective and efficient, and checking whether agreed controls and processes have been followed.
- Offering advice and insight to the board on how to address weaknesses in financial and non-financial controls. In this way, internal scrutiny can act as a catalyst for improvement, without diluting management’s responsibility for the day-to-day running of the trust.
- Ensuring all categories of risk are adequately identified, reported and managed.
Internal scrutiny vs internal audit
A common misconception is that internal scrutiny is the same as internal audit. In reality, internal scrutiny is broader in scope. While internal audit typically focuses on financial controls, internal scrutiny encompasses a wider range of assurance activities across both financial and operational areas.
Independence is a fundamental principle of internal scrutiny. This is achieved through clear reporting lines, with the internal scrutineer reporting directly to the audit and risk committee.
One of the audit and risk committee’s core responsibilities is to maintain oversight of the risk management and internal control framework. This includes reviewing the robustness of the trust’s systems and assessing their application in practice through the internal scrutiny programme.
Each year, the audit and risk committee should review and approve a risk-based programme of internal scrutiny to ensure that systems and controls are appropriate and operating effectively. It is the committee’s responsibility, as delegated by the trust board, to appoint and instruct the internal scrutineer, receive and review updates on the annual programme, and report progress and recommendations to the board regularly and at year-end. This forms a critical part of the trust’s reporting requirements.
The planning of the internal scrutiny programme must be a risk-based exercise involving the trust board, the audit and risk committee and the internal scrutineer, with input from the trust’s CEO and CFO where appropriate. Each trust will have a distinct risk profile, and the programme should be informed by the trust’s risk register, which is owned by the board and supported by the audit and risk committee.
The risk review process is iterative, with findings from the internal scrutiny programme feeding back into and refining the risk register over time.
An internal scrutiny programme will have the financial control system as a core element and will include the evaluation of controls and some testing of controls through a sample of transactions. The audit and risk committee should, however, commission representatives from a variety of internal scrutiny organisations to review other key areas such as financial governance and oversight, financial efficiency, strategic financial planning, IT systems, cyber security, health and safety, and estates management.
Additionally, academy trusts might consider less obvious topics such as organisational culture, management information, anti-fraud, safeguarding, HR systems, or succession planning.
As a result, it is often necessary to engage subject-matter experts across a range of disciplines. Any financial or non-financial system that impacts the effective operation of the trust may be included within the scope of the internal scrutiny programme, depending on the trust’s risk profile.
What areas should be reviewed?
While financial controls remain a core focus, a comprehensive internal scrutiny programme should extend beyond finance. Areas for review may include:
- financial control systems
- financial governance and oversight
- financial efficiency
- financial planning
- IT systems
- cyber security
- health and safety
- estates management
- safeguarding
- efficiency of HR systems
- succession planning.
Most trusts appoint a single internal scrutiny provider to support their risk management programme. However, given the breadth of areas that should be covered, it is unlikely that one provider will have all the necessary expertise.
Do trusts need more than one internal scrutiny provider?
Many trusts appoint a single internal scrutiny provider. However, given the breadth of areas that should be reviewed, it is unlikely that one provider will have expertise across all disciplines.
To deliver a truly effective risk assurance programme, trusts should consider engaging multiple specialists across areas such as:
- finance
- IT
- HR
- estates management
- construction
- education
- special educational needs.
This multi-disciplinary approach helps ensure a more thorough and informed evaluation of risks and controls.
The next steps
If you require any help or support in developing your risk management programme, please contact your local UHY academy adviser who will be able to provide you with the help and guidance required.