Guidance

Internal scrutiny in academy trusts

Updated 16 December 2024

Applies to England

This content was last updated on 14 February 2024.


1. Who is this good practice guide for?

1.1    This good practice guide is for trustees, audit and risk committees, accounting officers, chief financial officers (CFOs) and anyone undertaking internal scrutiny in, or on behalf of, academy trusts.

1.2    It provides suggestions and good practice for implementing internal scrutiny or internal audit (references to scrutiny / scrutineer in this guide should be also taken to be audit / auditor, as appropriate, where a trust appoints an internal auditor) which meets the requirements in the academy trust handbook (ATH). It also helps trustees maintain effective stewardship and oversight, and an adequate governance and control environment. The guide does not replace or modify any of the handbook’s requirements.

2. What is internal scrutiny?

2.1    Under the ATH all trusts must ensure effective oversight and monitoring of their internal controls. In support of this, a programme of internal scrutiny must be established to provide independent assurance to the board that its systems, controls and risk management procedures are operating effectively. This programme and the resulting annual internal scrutiny report also helps assure ESFA that trusts’ controls are operating as they should.

2.2    Summary findings from ESFA’s assurance programme are made available here.

2.3    The ATH explains that internal scrutiny work must focus on:

  • evaluating the suitability of, and level of compliance with, financial and non-financial controls. This includes assessing whether procedures are effective and efficient, and checking whether agreed controls and procedures have been followed
  • offering advice and insight to the board on how to address weaknesses in financial and non-financial controls. In this way they can act as a catalyst for improvement, but without diluting management’s responsibility for the day to day running of the trust
  • ensuring all categories of risk are adequately identified, reported, and managed.

2.4    The internal scrutineer(s) can:

  • give assurance
  • help the trust improve governance, risk and control arrangements
  • provide comfort that the trust is doing the right things in the right way.

2.5    The trust may decide to appoint more than one internal scrutineer to provide specific expertise across the range of financial and non-financial systems and controls in the programme it establishes.

2.6    An independent scrutineer not only helps the trust ensure it complies with the ATH, but also contributes to the development of an effective governance and accountability framework. This will help management ensure that its priorities are delivered.

2.7    The approach taken to internal scrutiny will vary from trust to trust, with trust size and relative complexity being factors.

3. Is internal scrutiny the same as internal audit?

3.1    Whilst this guide uses the term internal scrutiny, trusts may be more familiar with the term internal audit. Internal scrutiny will take the form of a wide portfolio of assurance activity which will focus on both financial and non-financial parts of the control framework. One of these forms of activity may be internal audit.

4. How do we decide the most suitable option to deliver internal scrutiny?

4.1    The ATH suggests 4 options open to trusts to deliver internal scrutiny, but trusts may choose alternative options more appropriate to their circumstances. The options in the ATH are:

  • an in-house internal auditor
  • a bought-in internal audit service
  • the appointment of a non-employed trustee
  • an independent peer review by the CFO from another academy trust

4.2    Factors for the audit and risk committee to consider when determining suitability include:

  • the size of the trust, and the scale, diversity and complexity of its activities
  • the complexity of the internal scrutiny area being reviewed
  • any required specialist knowledge or expertise
  • the scrutineer’s knowledge of the sector
  • whether they are governed by professional code of ethics and standards
  • value for money

4.3    To ensure those carrying out the programme of internal scrutiny work are suitably qualified and/or experienced the ATH states:

  • auditors should be members of a relevant professional body.
  • trustees and peer reviewers should have qualifications in finance, accounting or audit and appropriate internal audit experience.

4.4    Trusts should work towards this position where it is not already the case.

4.5    Trusts must confirm in their governance statement, accompanying their annual accounts, which of the internal scrutiny options it has applied and why.

4.6    Under the Financial Reporting Council’s Ethical Standard for Auditors, to minimise threats to objectivity and independence, a firm providing external audit to an entity cannot also provide internal audit services to it.

5. What is the role of the audit and risk committee in internal scrutiny?

5.1    Independence in internal scrutiny is achieved by establishing appropriate reporting lines whereby the scrutineers report directly to an audit and risk committee. Illustrative terms of reference for the audit and risk committee of an academy trust are set out at Annex 1.

5.2    One of the audit and risk committee’s core responsibilities is to maintain oversight of the risk management and internal control framework, examine the robustness of the framework and assess its application in practice through the internal scrutiny programme.

5.3    Each year, the committee reviews and approves a risk-based programme of internal scrutiny to ensure systems and controls are appropriate and operating effectively. It is the audit and risk committee’s responsibility, delegated to them by the trust board, to select and instruct the internal scrutineer(s), receive and review updates on the annual programme, and update the board on progress and recommendations regularly, and at year-end. This is a critical element of the trust’s reporting requirements.

5.4    Given the breadth of assurance that the audit and risk committee will be considering, membership should include a suitable mix of skills and experience to examine assurance reports and provide sufficient challenge. Ideally members of the committee will collectively have relevant experience in risk management, finance and assurance. Ultimately, though, the abilities of the membership will reflect the needs of the trust, extending as far as is possible to expertise in each relevant financial and non-financial area. Audit and risk committees will be most effective when the membership is prepared to support, challenge, and highlight concerns to the board.

5.5    Audit and risk committees should meet at least three times a year to monitor the internal scrutiny programme, as well as fulfil their other roles. Meetings should be timed to follow visits so interim findings can be discussed.

5.6    The committee will want to assess and advise on the implications of the result of the internal scrutiny reviews, and on plans to address weakness if relevant and ensure continuous improvement of the system of internal control.

5.7    The committee will also consult with the accounting officer as the outcome of the internal scrutiny programme may impact on the accounting officer’s statement of regularity in the trust’s annual accounts.

5.8    Additionally, the committee can ensure appropriate liaison between the internal scrutineer and external auditor, with the work of the former providing evidence to assist the latter in forming their audit opinion, so potentially reducing the cost of the external audit.

6.1    The planning of the programme of internal scrutiny must be a risk-based exercise between the trust board, the audit and risk committee and the internal scrutineer, with input as required from the trust’s CEO and CFO. Each trust will have a distinct risk profile. The programme of internal scrutiny will be informed by the trust’s risk register, which is owned by the trust board, with advice from the audit and risk committee. The risk review process is iterative and the findings of the programme of internal scrutiny in turn inform the risk register. Risk scores are influenced by internal scrutiny work and risks are updated accordingly. For further guidance on risk management, please read the ESFA’s good practice guide on academy trust risk management.

7. What is the coverage of internal scrutiny?

7.1    An internal scrutiny programme will have financial control systems as a core element and will include the evaluation of controls and some testing of controls by a sample of transactions.

7.2    The audit and risk committee may commission their scrutineers to review other key areas such as financial governance and oversight, financial efficiency, strategic financial planning, IT systems, cyber security, health and safety and estates management. Additionally, they might consider less obvious topics such as organisational culture, management information, anti-fraud, safeguarding, HR systems, or succession planning. Sometimes it may be necessary to work with subject-matter experts in such areas.

7.3    Any financial or non-financial system that impacts on the effective operation of a trust may be included in scope of the review programme if decided by the audit and risk committee.

8. What should the internal scrutineer look at?

8.1    This will be influenced by the risk profile of the trust, the current position of financial and non-financial controls and the concerns of the audit and risk committee. The internal scrutineer may want to break down the organisation by each area of operation and then assess the risk of each by considering several factors, for example:

  • monetary value (income and expenditure)
  • volume of transactions
  • complexity of the system
  • sensitivity of the system
  • stability of the system
  • changes in senior management/strategic roles, for example AO, CFO
  • potential fraud risks
  • the strength of management controls
  • whether work has been carried out on that system recently.

8.2    The process is a form of risk assessment which results in a list of potential scrutiny areas along with their respective scores. These can then ranked, with those having the highest scores usually warranting inclusion in the programme more frequently than those with a low score. The volume and frequency of review will depend on the budget/resources available for internal scrutiny.

8.3    The schedule of potential work is developed under the oversight of the audit and risk committee which will consider, challenge and sign it off. The schedule should take the form of an annual plan, which should include, for each review, a high-level scope, resource inputs, and timing. For larger trusts the annual plan may form part of a three-year plan, so that there is appropriate coverage of the trust over a review cycle.

8.4    A suggestion for the business systems and processes that might fall within scope is set out at Annex 2. Each of these systems and processes can impact the outcomes for pupils, albeit sometimes indirectly.

9. Frequency of internal scrutiny visits

9.1    Whilst the ATH does not stipulate how often visits should occur, the audit and risk committee will want to ensure the frequency and length of visits allows for the internal scrutineer(s) to obtain appropriate coverage for the trust’s size and complexity. There should be consideration of previous matters arising, external audit findings, individual context, and other sources of assurance that the trust has commissioned. Larger trusts may adopt an internal scrutiny cycle over two/three years to ensure appropriate coverage of the trust.

9.2    Trusts should also consider whether:

  • they are a newly established trust
  • there has been a change in senior management
  • they are taking on new academies.

9.3    Visits should be timed to feed into audit and risk committee meetings where interim findings can be discussed. It would therefore be appropriate for visits to be evenly spread throughout the year.

10. Reporting the findings of the programme

10.1    As set out in the ATH, the internal scrutineer will report back on their work to the audit and risk committee in the form of individual reports, enabling the committee to consider each report when it meets, as well as an annual summary report and, for larger trusts progress reports, summarising, for example, progress against plan and results / findings.

10.2    The trust must submit a copy of the annual report to ESFA by 31 December each year. This will summarise the areas reviewed, key findings, recommendations, management response and overall conclusions. Preparing this summary report during the autumn term, at the same time as the external auditor’s report, will enable the audit and risk committee to form a holistic picture and the trust to coordinate the returns required by the ESFA. It will also provide the accounting officer with key evidence to enable them to sign off their statement on regularity, propriety and compliance and the board with information for its annual governance statement, both of which are submitted to ESFA with the audited accounts, see Annex 3.

10.3    Where the academy trust has used more than one individual or organisation to deliver its internal scrutiny work, who have each produced a summary report, the trust will need to submit the reports to ESFA simultaneously as a single submission – for example as one pdf document.

10.4    Examples of documents submitted to ESFA in lieu of an annual internal scrutiny report, which are non-compliant, include:

  • an extract copied from the trust’s governance statement, taken directly from its annual accounts
  • an extract from the external auditor’s management letter
  • minutes from a committee meeting.

Annex 1 – Suggested terms of reference for the audit and risk committee of an academy trust

1. Responsibilities

  • to maintain an oversight of the academy trust’s financial, governance, risk management and internal control systems
  • to report findings regularly and annually to the trust board and the accounting officer as a critical element of the trust’s annual reporting requirements.

2. Authority

  • the audit and risk committee is a committee of the academy trust board and is authorised to investigate any activity within its terms of reference or specifically delegated to it by the board
  • the audit and risk committee is authorised to
    • request any information it requires from any employee, external audit, internal scrutiny, or other assurance provider
    • obtain outside legal or independent professional advice it considers necessary, normally in consultation with the accounting officer and/or the trust board.

3. Composition

  • the membership of the committee will comprise a minimum of [x] trustees
  • employees of the trust should not be audit and risk committee members, but the accounting officer and chief financial officer should attend to provide information and participate in discussions
  • the chair of trustees should not be chair of the audit and risk committee
  • where the finance committee and audit and risk committee are separate, the chair should not be the same
  • where the audit and risk committee is combined with another committee, employees should not participate as members when audit matters are discussed
  • until otherwise determined by the board of trustees, a quorum shall consist of [x] members of the committee
  • at least one member of the audit and risk committee should have recent or relevant accountancy, or audit assurance, experience
  • any trustee may attend a meeting of the audit and risk committee, including those who are not members of the audit and risk committee.

4. Reporting

The audit and risk committee will:

  • report back to the trust board regularly every term
  • provide an annual summary report provided by the internal scrutineer and areas reviewed by internal scrutiny covering key findings, recommendations, and conclusions.

5. Coverage

The Audit and Risk Committee will cover the following areas:

General

  • advise the board on the effectiveness and resources of the external/internal auditors or scrutineers to provide a basis for their reappointment, dismissal, retendering, or remuneration. Considerations may include:
    • the scrutineer’s sector expertise
    • their understanding of the trust and its activities
    • whether the audit process allows issues to be raised on a timely basis at the appropriate level
    • the quality of scrutineer comments and recommendations in relation to key areas
    • where relevant the personal authority, knowledge and integrity of audit partners and their staff to interact effectively with, and robustly challenge, the trust’s managers
    • the scrutineer’s use of technology
  • ensure there is co-ordination between internal scrutiny and external audit and any other review bodies that are relevant
  • consider the reports of the scrutineers and, when appropriate, advise the Trust Board of material control issues
  • encourage a culture within the trust whereby each individual feels that he or she has a part to play in guarding the probity of the trust, and is able to take any concerns or worries to an appropriate member of the management team or in exceptional circumstances directly to the board of trustees
  • provide minutes of all audit and risk committee meetings for review at board meetings.

Risk

  • oversee the annual review of the trust’s risk register and conduct a review of the risk register at each meeting
  • monitor the effectiveness of risk management policy and processes
  • review any risks to the academy trust’s systems of internal control and agree a programme of work to address, and provide assurance on, those risks to the trust board as appropriate
  • review, monitor and assess periodically major aspects of risk such as:
    • damage to the trust’s reputation
    • loss of funds
    • changes in government policy
    • risks to standards, systems and controls that may arise from expansion.

External audit

  • review the external auditor’s plan each year
  • review the annual report and accounts
  • review the auditor’s findings and actions taken by the trust’s SLT in response to those findings
  • undertake the annual review of the effectiveness of the external auditor and recommend to the members whether to reappoint the external auditor
  • produce an annual report of the committee’s conclusions to advise the board of trustees and members.

Internal scrutiny

  • take delegated responsibility on behalf of the board of trustees for examining and reviewing all systems and methods of control both financial and otherwise including risk analysis and risk management; and for ensuring the trust is complying with the overall requirements for internal scrutiny, as specified in the academy trust handbook
  • conduct a regular review of the risk register
  • review/agree an annual programme of internal scrutiny, which is objective and independent, covering systems, controls, transactions, and risks.
  • advise the trustees on the adequacy and effectiveness of the trust’s systems of internal control, governance, and risk management processes,

  • review the scrutineer’s findings and actions taken by the trust’s SLT in response to those findings

  • consider the appropriateness of executive action following internal scrutiny reviews and to advise the board on any additional or alternative steps to be taken
  • oversee the annual review of the trust’s risk register
  • undertake the annual review of the effectiveness of the internal scrutineer and decide whether to reappoint the internal scrutineer.

Other responsibilities

  • consider appropriate actions following any serious incidents, including fraud, which are reportable to the Education and Skills Funding Agency or would have a major financial or reputational risk to the trust
  • ensure that all significant losses have been properly notified and investigated as required by the ATH
  • undertake regular reviews of the committee’s effectiveness including benchmarking against best practice.

Annex 2 – Suggested areas of coverage for internal scrutiny

This list is not exhaustive. The audit and risk committee, alongside the internal scrutineer, should develop a cyclical programme of work tailored to the trust and its risks. The areas selected for coverage will be influenced by:

  • whether changes have occurred in the trust’s structures, reporting processes or business systems
  • the nature of risks, changes to risks and emerging risks
  • any increase in the number of unexplained or unacceptable events
  • previous internal and external audit scope, findings and recommendations
  • findings from ESFA assurance work and other publications

Governance and management structures and oversight

Trusts need governance and management structures and procedures appropriate to their size and characteristics. A review of these areas could feature in the programme of internal scrutiny. Review could include, but might not be limited to, financial oversight, the suitability of and compliance with financial regulations incorporating a scheme of delegation, financial policies, systems and procedures, board and committee terms of reference and delegated responsibilities, governance recruitment and selection, reviews of governance (whether self-assessment or external), codes of conduct for members, trustees and governors and effectiveness of working relationships.

Estates management, health and safety

Trusts need to ensure they are managing their school estate effectively by maintaining it in a safe working condition in compliance with their legal duties. Trusts should have a clear understanding of the condition of all buildings in the estate and the costs and priority of any works needed. This can be achieved by having an up-to-date condition survey in place and documents such as an estate vision, estate strategy and asset management plan can support strategic planning. Good Estate Management for Schools guide (GEMS) sets out best practice, including strategic estate management, managing resources, prioritising maintenance and health and safety compliance.

Strategic financial planning, efficiency, funding, and budgets

Internal scrutiny could consider:

  • reviewing the effectiveness of the trust’s approach to strategic financial planning and budget development
  • use of Integrated Curriculum and Financial Planning (ICFP) both in general and specifically within the budget development process
  • whether budget assumptions, including projected pupil numbers, staff establishment, projected salary increases and increments have been reviewed and scrutinised by trustees
  • whether the expected economies of scale arising from any merging and updating of back-office functions are being realised
  • whether there is tension between the need for efficiency and operational autonomy of constituent academies in a trust with multiple academies
  • whether there is a gap between the trust’s educational aspirations and its financial means, including the funding challenge, and whether this is addressed through the multi-year budget process.

Cash and banking

Ineffective monitoring of cash and bank balances is a key risk to any organisation. Cashflow forecasting needs to be accurate, and the trust needs to be able to ensure that it retains an appropriate level of balances to withstand any short-term variations or interruptions to income. Cash itself frequently represents a security risk, and the systems for safe storage, collection, banking and reconciliation need to be effective and secure.

The scrutineer may test a number of transactions and the controls and procedures around the transaction, such as:

  • whether the trust has a cash/treasury management policy, and it is being followed
  • reviewing the trust’s cash forecasting process to ensure it is effective and accurate
  • reviewing the trust’s financial procedures for the receipt and banking of income to ensure that they are adequate, and the trust is adhering to them.
  • checking a sample of income (grant and non-grant) from source records to verify that the income has been correctly accounted for.
  • checking what action has been taken for any overdue income, appropriate authorisation and procedures for writing off any bad debts
  • ensuring that monthly bank reconciliations have been carried out and reviewed, including reviewing validity of reconciling items
  • controls and procedures around the administration of the trust’s bank account(s) including review and approval of all cheque signatories and online banking users, the opening, management of, and access to, bank accounts.

Monthly financial closedown

Monthly closedown will follow a set procedure and the scrutineer may want to test a number of the relevant steps, including:

  • review that monthly bank reconciliations have been carried out, including validity of reconciling items,
  • review of the purchase ledger control account reconciliation and/or creditors list against invoices received
  • review of the sales ledger control account reconciliation and/or debtors list against invoices issued
  • review of the accruals schedule against costs committed but not yet invoiced
  • checks of petty cash balances and supporting vouchers
  • review of any budget virements and adjusting journals for reasonableness and authorisation
  • review of any write-offs of debt or other losses for reasonableness and proper authorisation

Management accounts and related information

Internal scrutiny could include a review of the trust’s controls for producing management accounting information and ensuring its consistency with underlying accounting records, pupil data and census returns, and submissions to DfE/ESFA.

Ensuring management accounts are compliant with ATH requirements, are properly supported by narrative and explanations for significant variances from budget and are subject to appropriate review and challenge by management and the trustees’ finance committee could also for a part of the programme of internal scrutiny.

Procurement

There are a range of operational checks which could provide trusts with assurance over its procurement and payment systems. The following list is not exhaustive:

  • review scheme of delegation and approvals and authorisation levels
  • check compliance with the Find a Tender service and Public Contract Regulations 2015
  • check of a sample of purchase orders to delivery notes and invoices to ensure that documentation is complete, has been appropriately checked and authorised
  • check of a sample of payments back to invoices, purchase orders and delivery notes to confirm they are legitimate purchases
  • review statements from suppliers to ensure they are being checked, investigate any disputed invoices
  • review contracts, ensuring proper tendering procedures exist and are being followed
  • review purchases associated with capital projects
  • check purchase of any other capital assets (e.g. desk computers, interactive whiteboards, kitchen equipment) for physical existence

As poor procurement and contract management procedures could result in trusts paying too much for goods and services, or for services they do not need, value for money audits can also be used to test accepted practice – for example, the use of DfE’s Buying for schools resources, and other frameworks and collaborative procurement approaches.

Related party transactions

The ATH sets out obligations for trusts in relation to related party transactions and conflicts of interest. Transactions with related parties can throw up a range of technical and ethical challenges including conflicts of interest. The internal scrutiny process can help trusts be confident they are complying with statutory and contractual requirements including those set out in the ATH relating to approval and disclosure.

Human resources

Ineffective HR systems can lead to low morale and productivity and high staff turnover. Effective systems mean staff are properly skilled and can focus on their proper role. Scrutiny could consider the suitability of, and compliance with, the trust’s HR policies, systems and procedures, such as recruitment, pre-employment checks, employment contracts, induction, performance management, training and mental health and well-being across the trust.

Payroll

Payroll accounts for the vast majority of the trust’s expenditure and so ought to feature in any programme of testing. For example:

  • review of a sample of starters, leavers and salary increases to ensure they are properly authorised, and payroll / personnel data is recorded completely and accurately
  • review of the monthly payroll to ensure that any changes and salary payments have been appropriately authorised
  • a reconciliation of payroll to HR records to ensure that leavers and allowances are not paid beyond the appropriate dates
  • a check of statutory and non-statutory deductions from pay
  • review of a sample of expense claims to ensure there is appropriate documentation to support the claim and that it is appropriately authorised

Induction and training

The effectiveness of the trust’s approach to staff training could be included in the internal scrutiny cycle. Training for new staff, both at induction and ongoing, is important in ensuring that staff are aware of the trust’s policies and procedures and understand their responsibilities in adhering to them. Reviews could consider the suitability of documentation and records such as checklists for use at induction and initial training, and whether appropriate refresher training is being provided in critical areas including financial procedures, fraud awareness, whistleblowing, safeguarding, cyber security and scam emails.

Safeguarding

All trusts should have effective policies, protocols, procedures, and documentation in place to ensure compliance with safeguarding requirements and Keeping children safe in education (KCSiE). Specialist skills may be required to provide assurance in this area.

Whistleblowing

Internal scrutiny could consider the suitability of the trust’s whistleblowing policies and procedures, including whether they have been approved by the board, and that staff induction and regular training includes whistleblowing. The scrutineer could review any incidents and investigations to check that correct procedures were followed in accordance with policy, including that whistleblowers were protected.

Fraud and theft

Fraud can be costly and cause reputational damage, and the threat is constant. All trusts need to have preventative controls in place, as well as a fraud risk assessment and counter fraud plan. Low-level fraud may be hard to detect, and one-off checks may be an effective deterrent.

The internal scrutineer could review fraud policies, systems and procedures, anti-fraud awareness, and training for those staff with particular financial roles and responsibilities. They could review any fraud, theft or bribery incidents, and support trustees and management with investigations, if required. A review of whether reporting to the ESFA has been completed in accordance with ATH requirements could also be included.

IT systems, cyber security/risk mitigation, data management and protection

Impacts of breaches and loss of IT systems can be extremely significant, costly, take management time to resolve, have reputational damage, and impact on pupil learning and staff morale.

  • Cyber security - IT systems could be assessed for their resilience in terms of exposure to cyber security risks. Checks could include reviewing the trust’s cyber policies and cyber incident response plan, cyber risk management, checks for compliance with DfE’s Risk Protection Arrangement (RPA) conditions, or those of the trust’s insurance provider including the level of cover, use of specialist IT providers, and review of the application of DfE’s digital standards and other national guidance, for example from the National Cyber Security Centre.

    Trusts hold large amounts of highly sensitive personal data on pupils, parents and staff. Education is regarded by some hackers as a soft target because systems, firewalls and security protocols may be less robust. It is essential that systems, protections, backups and other mitigations including acceptable use policies and agreements and training are in place. Good data is the foundation of effective decision making.

  • Data protection (e.g. GDPR compliance), and procedures for sharing of personal data, is also likely to be a key issue, including managing the risk of accidental data release. Trusts should have checking, approval and authorisation systems in place to ensure that only required data is shared and that secure systems are used. Checks may also be required on third parties with whom data is shared, for example school information management system providers, pupil data and progress analytical providers, HR providers and payroll providers.

    Specialist skills may be required to provide assurance in these areas.

Business continuity plans/disaster recovery

Trusts will want to have adequate plans in place to ensure business continuity and recovery of key systems in the event of any disruption. Internal scrutiny can play a part in the regular review of these plans to ensure they reflect current circumstances and anticipated risks.

Risk protection arrangement and Insurance

Assessing how the trust manages its RPA membership and/or commercial insurance may help in identifying whether it has the correct level of cover for its circumstances, and whether there are other risks which could be insured against. Checks could also include specific risk areas such as vehicle insurance for minibuses, and policies for employees’ private cars when used for trust business.

Environmental, social and governance (ESG) issues, including sustainability

Trusts may wish to review their ESG credentials, including how they measure up against best practice as well as compliance with any legal and regulatory requirements.

Annex 3 – Suggested format for an annual internal scrutiny report

To be prepared by the internal scrutineer for the audit and risk committee.

Executive summary - provide an overall view/opinion on the systems and controls reviewed in the year’s internal scrutiny programme, including any non-compliance and/or gaps identified.   

Introduction - for example summarise the role of the scrutineer under the ATH including their responsibility for preparing an annual summary report.

Approach taken by the scrutineer - this could:

  • explain how the areas for review were identified and agreed - i.e. assessment of risks via the audit and risk committee
  • set out when the internal scrutiny sessions took place
  • summarise the approach - including the extent of discussion versus testing
  • state who was consulted
  • define the classification of opinions (for example, excellent/good/requires improvement, red/amber/green or fully compliant/partially compliant/not compliant))

Assessment of the work commissioned (not exhaustive list)

  • Item 1 (e.g. payroll)
    • Overall opinion
    • Recommendations (high/medium/low priority)
    • Management response
  • Item 2 (e.g. procurement)
    • Overall opinion
    • Recommendations (H/M/L)
    • Management response
  • Item 3 (e.g. budgeting)

    • Overall opinion
    • Recommendations (H/M/L)
    • Management response
  • Item 4 (e.g. GDPR)
    • Overall opinion
    • Recommendations (H/M/L)
    • Management response

Follow up reviews – describe the status of recommendations carried forward from previous years.    

Overall opinion on the governance and control environment, based on entirety of the scrutiny programme (current level of confidence in effectiveness of internal control, overall). Using the agreed ranking – for example, excellent/good/requires improvement.

Fraud – any fraud identified/reported

Cost of work – scrutineer days used, and overall cost (if charged) as agreed at start of programme.

Forward look – for example identify any emerging risks and summarise how and when the internal scrutiny programme for next year will be set.

Annex 4 – Suggested coverage for appointment of internal scrutineer

Below are some suggested principles for setting out the coverage for the appointment of an internal scrutineer. The option the trust has chosen to undertake their internal scrutiny (i.e. in-house or external appointment) will determine the extent of the document. Where a trust makes an external appointment, the contract / engagement is likely to incorporate standardised terms of business.

If an external appointment, terms of appointment and date – The length of appointment and the date services will commence.

Responsibilities of the trust – To provide prompt access to all relevant documentation on request. For management to make reasonable time available for full support of the reviews. To provide a clear governance / accountability / reporting framework which supports the independence of the scrutineer.

Responsibilities of the internal scrutineer – To carry out work and/or services according to the key objectives and deliverables of the review and provide a plan, regular updates and reports during the year and an annual summary report.

Key objectives and deliverables of the engagement – A summary of the work to be carried out and timescales. What is not in scope.

Other services – Any other services to be included as part of this letter of engagement.

Serious weaknesses, including fraud and malpractice – How these will be treated, for example by reporting immediately to the Audit and Risk Committee.

Privacy statement – Data protection act/General data protection regulation obligations and how data will be treated. Confidentiality and freedom of information obligations.

If an external appointment, fees/expenses and terms of termination/cancellation – Fees for the work and the trust’s right to terminate the agreement and consequences for doing so. Invoicing arrangements.

Signature and date