Guidance

The scope of work of audit committees and internal auditors in college corporations

Updated 9 October 2024

Applies to England

1. Who is this good practice guide for?

This good practice guide provides guidance for:

  • governors
  • CEOs
  • principals
  • governance professionals
  • finance directors

It aims to provide them with guidance as to how they can implement audit committee arrangements that meet the requirements of the post-16 audit code of practice (P16ACOP) and also enable them to better discharge their responsibilities for the effective stewardship and oversight of their organisation.

College internal and external auditors may also find this guidance helpful in the context of the delivery of their audit services.

2. What is the status of this good practice guide?

The main audit and assurance requirements for college corporations are set out in the P16ACOP. This guidance does not replace or modify any of those requirements. Rather it aims to provide suggestions regarding good practice. The P16ACOP is subject to annual review by the ESFA and so users should always ensure that they are referring to the most up-to-date requirements.

3. The role of an audit committee

The core role of audit committee is to scrutinise the robustness of the control framework and to assess its application in practice. The corporation entrusts this control framework to management; it is their executive role to maintain and act within it. It is the governing body’s role through its delegation to the audit committee to ensure this happens.

All college corporations are required by their funding agreement with ESFA to have an audit committee. ESFA does not limit the scope of work of a corporation’s audit committee, but it does set out certain requirements in the P16ACOP. This details what the terms of reference for audit committees must include and summarises its key responsibilities.

Audit committees should meet at least three times a year, or else they must provide an explanation of the reason for this in their annual report. Equally important as these regular meetings is that the committee provides robust and fair challenge. Audit committees will be most effective when they include members who are prepared to support, challenge, and warn governors, and ask the right questions at the right time.

Given the breadth of assurance which the audit committee will be considering, it should ensure itself that its membership is suitably diverse, skilled and experienced to scrutinise assurance reports and provide sufficient challenge.

The audit committee must assess and provide the corporation with an opinion on the adequacy and effectiveness of the corporation’s assurance arrangements, framework of governance, risk management and control processes (including any subcontracting arrangements) for the effective and efficient use of resources, solvency, and the safeguarding of assets. These matters must be covered in the audit committee’s annual report.

The audit committee must provide independent assurance to the board that its financial and non-financial controls, and risk management procedures, are operating effectively. The committee helps the corporation improve governance and provides comfort to the board of governors that the leadership is doing the right things in the right way. The audit committee may have a role in investigating complaints of wrongdoing and the audit committee chair plays an important role as an independent party in the oversight of investigation of certain matters such as suspected internal fraud.

The college’s statement of corporate governance and internal control must include a statement from the audit committee which draws upon the work set out in its annual report and the work of internal audit, where in place, and which concludes on the effectiveness of the college’s governance, risk management and internal control framework. These statements are a key part of the college’s assurance framework.

All corporations must have an effective governance and accountability framework. The committee will generally commission an internal auditor to contribute to the development of this framework. Each year, the committee should review and approve a risk-based programme of work to ensure systems and controls are appropriate and operating effectively. Such reviews should include documenting, evaluating and testing controls. Its work should help the board ensure that its priorities are delivered efficiently and effectively by management.

The committee has responsibility for advising the corporation on the appointment, reappointment, dismissal, adequacy and remuneration of the external auditor, reporting accountant, internal auditor (or other similar assurance solution) and any other external assurance providers. The committee must also monitor the implementation of recommendations of audit and assurance providers.

4. Committee papers

The quality of the information provided to the audit committee must be fit for purpose. In planning for a committee meeting, the chair especially should be very clear as to why a matter is on the agenda, what the executive management’s insights and recommendations are and what decisions the committee is being asked to make.

The committee members, through the chair, should make clear their expectations in terms of the information to be included in the meeting pack. Meeting packs comprising a very large number of papers and lots of information do not guarantee effective governance and assurance, and may even weaken them, if the key issues are buried in a mass of detail. The chair needs to consider the needs of the committee members, accept or reject what is being provided and accept any deviation or obfuscation.

Papers should include an executive summary in the core paper, with the detail in the annexes, so that committee members are able to understand and provide feedback on the issues. Graphics and charts may be particularly useful for financial analysis, to aid understanding and facilitate clarity of thought. The paper should be accompanied by a cover sheet, setting out its purpose and the action required of the committee.

The audit committee will be well-served in relation to these considerations when supported by a skilled and experienced clerk/governance professional.

5. Risk management

Each corporation will have a distinct risk profile, and the programme of work commissioned by the audit committee should be informed by the corporation’s risk register. Executive management has a role in terms of risk identification, assessment and the implementation of control and mitigation measures, but ultimate responsibility for the risk register and risk management lies with the board, drawing on advice provided by the audit committee. The annual programme of work, commissioned by the audit committee, must be based on the board’s own assessment of priorities and should reflect the board’s risk appetite. The risk monitoring process is iterative and ongoing as the findings of the programme of work will inform the risk register and vice versa.

The audit committee should ensure that the corporation’s risk identification, measurement and management processes are operating efficiently. When assessing the scope of the annual programme of work, consideration may be given to drawing on sector wide knowledge and insights in addition to the college’s own identified risks.

It must be noted that, where an annual opinion has been commissioned from the internal audit provider, they will also need to be satisfied that the depth and breadth of coverage is sufficient to underpin such an opinion in accordance with their own risk management procedures.

A risk-based approach should be taken when planning the work programme of the audit committee. The board is ultimately accountable for the work carried out. However, it delegates aspects of the planning to the audit committee, with input from executive management and, where applicable, the internal auditor.

The audit committee must ask itself whether it feels suitably assured over all the areas within the scope of the opinion that it is required to include in its annual report in order to fulfil its role and provide suitable onwards assurance to the corporation.

6. Value for money

Corporations must secure value for money (VFM), being a responsibility of the corporation as a whole and the delivery of VFM being a matter for the executive leadership. However, the corporation may rely on the audit committee to provide it with assurance that VFM is being delivered. In any event, VFM is an issue that the audit committee may wish to examine and, if so, should satisfy itself that effective arrangements are in place to secure VFM. The audit committee should also provide an opinion on the corporation’s arrangements securing VFM, which should be included in its annual report.

The aim of VFM should be the optimal use of resources by the corporation, and in assessing it, the audit committee needs to examine its three elements:

  • economy: minimising the cost of resources used or required (inputs) – spending less
  • efficiency: the relationship between the output from goods or services and the resources to produce them – spending well
  • effectiveness: the relationship between the intended and actual results of public spending (outcomes) – spending wisely

In its Handbook for Members of Audit Committees, the Committee for University Chairs has provided a framework for audit committees operating in the higher education sector. This includes at Part 11 guidance for audit committees on VFM which could, with some adjustments, be used by the audit committee of a college corporation to develop its own approach to the issue.

7. How the audit committee can work with internal audit

College corporations have overwhelmingly concluded that the obligations of an audit committee can best be discharged when an internal auditor delivers and reports on a programme of work. Corporations may also commission independent specialists to carry out reviews in areas where their expertise is required. This provides an additional layer of independence and the corporation benefits from constructive feedback and support.

If the committee chooses not to appoint an internal auditor, it must be satisfied that any alternative must be suitably resourced and equipped to meet this need. Regardless of whether this work is performed by an internal auditor or alternative assurance provider, the collective and individual responsibilities of governors do not change and therefore, they must assure themselves as to the adequacy and effectiveness of financial and non-financial controls in some suitable manner.

Where alternative assurance providers are used it is important to ensure that the results of their work feed back into the audit committee, in the same way as any internal or external audit reports.

Corporations should note the Financial Reporting Council’s Revised Ethical Standard, which was issued in December 2019. This states that an accountancy firm cannot provide both external and internal audit services to the same client. Colleges must ensure that where they employ an internal auditor, separate firms / organisations are engaged to cover this work and the statutory audit.

8. What should the internal audit programme cover?

An internal audit programme should take a holistic view of the corporation with all aspects and systems, financial and non-financial, being in scope, although financial control systems and learner data are likely to be at the core of the programme. It will normally include the evaluation and testing of controls on a sample basis. It may also include data analytics to enable coverage of the entirety of a given dataset. It would also be usual to examine the effectiveness of financial governance and oversight by the board and risk driven topics such as organisational culture, management information, and/or business continuity arrangements. Internal auditors may also review the corporation’s processes for data accuracy and learner records as well as IT systems (including cyber security).

For learner records, cyber security and other specialist areas such as academic matters it may be valuable to work with subject-matter experts. These may be sourced through the internal audit provider, or through separate subject matter experts.

Any system that impacts on the effective operation of a corporation may be included in scope of the review programme, as determined by the audit committee. They may choose to review specific policies, systems and operations. They should identify how well risks are managed, whether effective processes are in place and whether agreed procedures are being followed. The testing may also identify areas where efficiencies or changes should be made.

The areas of testing to be covered will be shaped by the risk profile of the corporation, the maturity of financial and other systems and the concerns of the audit committee. The work of internal audit should cover both “business as usual” elements as well as emerging high risk areas, and may be cyclical, prioritising higher risk areas but also ensuring that all systems are assessed as to whether coverage is merited on a regular basis. For example, a corporation may assess that core strategic systems are assessed every year, but that a three-year cycle will ensure that all systems are considered with sufficient regularity to determine whether coverage is required or whether alternative assurances (including internal assurances as part of a well developed Board Assurance Framework) are in place.

If the corporation uses a Board Assurance Framework (BAF), the audit committee may draw on it to support its work by providing a structured means of identifying and mapping the main sources of assurance available to and received by the corporation and coordinating them to best effect. This provides a framework for the committee to focus on strategic and reputational risks rather than just the operational issues.

If a corporation contracts with an internal audit provider or has an in-house internal auditor, the work programme should be informed by an audit needs assessment (ANA) in accordance with the methodology of the internal audit provider or in-house internal auditor. An ANA involves breaking down the corporation’s activities by function or business system and then scoring the risk of each by consideration of several factors, such as (but not limited to):

  • whether achievement of strategic priorities is put at risk if the function or business system is not delivering as expected
  • monetary value (income and expenditure)
  • volume of transactions
  • complexity of the system
  • sensitivity of the system
  • stability of the system
  • potential fraud risks
  • the strength of management controls (and the extent to which controls are deemed to reduce the level of inherent risk)
  • whether work has been carried out on that system recently (and what the outcome of any recent work was)

The ANA is a form of risk management, which results in a list of potential audit areas along with their respective risk scores. These are then ranked with the highest scoring systems at the top. Those with high scores usually warrant inclusion in the programme every year (where they are within the control of the corporation to at least some extent), whereas those with lower scores may only feature, say, every third year. The schedule of potential work is then presented to the audit committee for consideration, challenge and approval.

Examples of the business systems and processes that might fall within the scope of an ANA for a college corporation is set out in Annex A, though this is not exhaustive because the risk profile of each corporation is different.

For some colleges such a structured approach may be challenging given the finite number of audit days available. When this is the case then the audit work plan may be developed on the basis of key organisational risks, prior year assurances, other sources of assurance and the business critical nature of key systems and processes.

9. Reporting the findings of the programme

The audit committee must provide the board with an opinion on the adequacy and effectiveness of the corporation’s assurance arrangements, framework of governance, risk management and control processes (including any subcontracting arrangements) for the effective and efficient use of resources, solvency, and the safeguarding of assets. The corporation must then submit an annual report to ESFA, summarising the areas reviewed, key findings, recommendations and conclusions of the audit committee and management action taken by 31 December each year. ESFA has not established a set format for such a report, but a model audit committee annual report following the requirements of the P16ACOP is provided at Annex B for corporations to consider, along with suggested minimum content for an internal audit annual report, where in place, at Annex C.

In corporations where an internal audit service is established, the internal auditor should provide the audit committee with an annual report, drawing on the reports produced throughout the year, during the autumn term at the same time as the external auditor’s report. This will enable the audit committee to form a holistic view. It will also provide the accounting officer with key evidence to enable them to approve their statement on regularity, propriety and compliance, and the board with information for its statement of responsibilities of the members of the corporation, all of which are submitted to ESFA with the audited accounts.

10. Working with external audit

The audit committee must advise the corporation on the appointment, reappointment, dismissal and remuneration of the external auditor.

The audit committee should also assess the expertise and resources, effectiveness and independence of the external auditors regularly. This review process aims to improve audit quality and the relationship with the external auditors. It also provides a basis upon which the audit committee can make decisions about reappointment to the corporation.

Considerations might include:

  • whether the external auditor is a member of a suitable professional body
  • the independence and objectivity of the audit partner and senior audit staff
  • sector and specialist technical expertise
  • whether the audit process allows issues to be raised on a timely basis at the appropriate level
  • understanding of the corporation and its activities
  • the quality and nature of the audit product on offer and its suitability to the college corporations’ systems and processes, as well as the auditors’ plans to improve future audit quality, and how the audit firm will use this to add value to the corporation
  • quality of comments and recommendations in relation to internal controls and other key areas
  • the personal authority, knowledge and integrity of audit partners and staff to interact effectively with and robustly challenge management

A report of the audit committee’s conclusions should be made to the board of governors annually, prior to the re-appointment of the incumbent auditors or the commencement of the tendering process.

The audit committee should ensure that the external audit is put out to tender when appropriate, balancing the need to ensure value for money and a quality audit product with the cost of the tender process and a possible period of adjustment where a newly-appointed firm builds its knowledge of the corporation. Under the P16ACOP, corporations should ensure they put the external audit service out to tender at least every five years so that this balance is achieved. Colleges must ensure there is a policy in place for regular retendering of the external audit service, which should consider the quality of the service on offer as well as the price.

11. Acknowledgements

Special thanks to:

  • Association of Colleges
  • Sixth Form Colleges Association
  • Haines Watts
  • RSM
  • Scrutton Bland

Annex A: suggested areas of work for an audit committee

This schedule of suggested review areas is not intended to be exhaustive and is focused on core areas, rather than specific risk driven areas that will vary more across corporations. The audit committee, with input from the executive management, governance professional and assurance providers, should ensure that a cyclical programme of work tailored to the corporation and its risks is developed.

The committee must be able to fulfil its remit and provide suitable assurance surrounding governance, risk management and financial and non-financial controls.

Risk management

Does the corporation have a well-developed approach to risk management? Is it more than a box-ticking exercise?

Learner recruitment

Learner numbers drive corporation income. Does the corporation have a plan to recruit learners? What is its marketing strategy?

Learner data

Given the importance of learner data to the income of most corporations, and the risks to income when data is inaccurate, audit committees should seriously consider obtaining their own assurance over learner data. The ESFA has published guidance on Individualised Learner Record (ILR) data integrity, which includes information on funding rules and how to ensure the integrity of the ILR data, which will be beneficial to college audit committees and internal auditors.

Income from other sources

Colleges may consider that income other than ILR generated income is also a high-risk area, particularly if there are any processes involving cash. Poor internal controls over income could also result in clawbacks if any grant related conditions have not been met.

The audit committee may consider testing the completeness and accuracy of income to ensure processes are robust in this area.

Procurement

Poor contract management will result in corporations paying too much for goods and services, paying for services they do not need and conflicts of interest not being managed. There are numerous appropriate operational checks which the auditor could undertake.

Monthly financial closedown

Monthly closedown will follow a set procedure and the auditor may test a number of the relevant steps.

Payroll and HR

Ineffective HR systems can lead to low morale and productivity. Effective systems mean staff are properly skilled and can focus on their proper role. Recruitment and training also warrant attention. Payroll will account for the vast majority of the corporation’s expenditure and so ought to feature in any programme of testing.

Cash and bank management

Ineffective monitoring of liquidity and cash and bank balances is a key risk to any business. Cash forecasting needs to be accurate, and a corporation needs to be able to ensure that it retains an appropriate level of liquid or near liquid balances to withstand any short-term interruptions to incoming income. Cash itself frequently represents a security risk, and the systems for safe storage, collection, banking and reconciliation need to be effective and secure. Does the corporation have a treasury management policy and is it being followed?

Asset management

Does the business have an effective asset management system that provides for all assets to be recorded, held securely, used appropriately and, when their useful life had ended, disposed of appropriately? Is there an asset register? Are assets appropriately valued and depreciated? Is fraud risk in this area suitably managed?

Estates and core contracts

The corporation should have an estates strategy that supports its strategic business planning. Is there a senior member of staff responsible for estate and are estates matters monitored effectively by the board or a sub-committee? Are buildings secure and well-maintained? Does the corporation know the value of its estate and are there any under-utilised parts that should be disposed of? Does the corporation run more than one campus and are there opportunities for consolidation?

Capital projects can be expensive and complex. Consideration should be given to disaster recovery, business continuity and PFI issues and well as health and safety, fire prevention, asbestos, legionella and so on.

The quality of the estate is a key aspect of the learner experience; along with the quality of support services such as cleaning, catering and security. Large scale contracting does present both an internal and external fraud risk, which should be suitably considered. Significant opportunities may exist to improve learner experience or achieve better value for money.

Health and safety

Are there identifiable individuals with responsibility for health and safety? Does the board receive regular reports? Is there a governor with lead responsibility? Is there a programme of training and awareness?

Efficiency and budgets

Internal auditors may want to consider whether there is a gap between the corporation’s educational aspirations and its financial means, and whether this is addressed through the multi-year budget process? Are budgets properly prepared and reviewed / challenged by management and the finance committee and also consistent with the corporation’s business plan, projected learner numbers, human resources and other data? Have the expected economies of scale arising from other operational financial decisions such as merging and updating “back office” functions been realised?

Governance structures

Corporations need governance arrangements and processes appropriate to their size and structure. These must be regularly reviewed and should include board and committee, executive and operational structures so that the audit committee can ensure the framework in place for the board to deliver robust challenge to management is fit for purpose.

College governing bodies are required to conduct annual governance self-assessments and must have an external governance review at least once every three years which is based on their adopted governance code.

What information does corporation and committees receive to inform their role of scrutiny and challenge? Is this information sufficient? Is it of the right quality? Is it consistent with wider audit findings? How do they monitor progress against strategic objectives? Does information enable them to hold management to account?

Fraud, corruption, theft, bribery and whistleblowing

Fraud can be costly and embarrassing, and the threat is constant and dynamic. All corporations need to have preventative controls in place, but low-level fraud may be hard to detect, and one-off checks may be an effective deterrent. The corporation should keep itself up to date on emerging fraud risks, for example those related to cybercrime. The policy on gifts and hospitality should be kept up to date and the gift register reviewed.

The accounting officer has overall accountability for managing the risk of fraud. The P16ACOP sets out the minimum expectations of counter fraud and corporations and audit committees should be looking to ensure there are robust and pro-active counter fraud measures in place to reasonably manage the risk of fraud and protect public funds. Fraud can arise in many forms; controls should be proportionate to the risk and sufficient action should be taken in response to any suspicions of fraud to reinforce an anti-fraud culture.

Following all cases of fraud, the organisational response and suitability of pro-active measures should be considered by the audit committee.

Whistleblowing is an important element of the response to risks of fraud, corruption, theft, and bribery. The policy on whistleblowing should be kept up to date and made readily available to all staff.

The Regulatory framework

The regulatory framework for corporations is both complex and dynamic. Corporations are the stewards of significant personal data which needs to be protected. Colleges that are registered with the Office for Students have additional regulatory requirements. Is the college governance professional up to date in the advice they are giving the board?

Safeguarding

Corporations must have effective policies, protocols, procedures and documentation in place. Failure in these areas can be highly destructive of a corporation’s reputation. Specialist skills may be required to provide assurance in some aspects of this area; however, compliance with underlying core controls supporting effective safeguarding such as those surrounding staff recruitment, single central record, student induction, campus security, health, safety and well-being and student support are all valuable areas which should be considered as part of assurance plans.

Management information and reports

Internal auditors may review the corporation’s management information to ensure information supplied is consistent with the underlying accounting and other records and internal management reports, including:

  • management accounts
  • financial reports to board
  • performance reports – objectives and targets, analysis of KPIs
  • returns to the DfE/ESFA, such as individualised learner records

Testing could include ensuring that management accounts are properly supported by explanations for significant variances from budget and are subject to appropriate review and challenge by management and the finance committee.

Auditors may want to test that communications with the board are timely and complete so that they can make informed decisions when required.

Environmental, social and corporate governance

Corporations are increasingly considering environmental, social and governance related matters. For example, internal audit has a role in supporting colleges in becoming more sustainable and to better understand risks and opportunities related to climate change.

The College Accounts Direction encourages colleges to include disclosures in relation to carbon emissions in their financial statements. Internal audit may focus on metrics such as these, in additional to broader considerations in relation to analysis on the impact of climate change on the college. How the college secures engagement of its students as citizens of the future is also an area for consideration.

Audit committees could consider how ESG is incorporated into the corporation’s long-term strategy.

IT systems

IT systems should be assessed for their resilience in terms of exposure to cyber security risks. This may benefit from being the subject of a specialist review.

Cyber security is a growing risk and audit committees should scrutinise the corporation’s cyber security arrangements, covering both the capacity to predict and prevent attacks, as well as whether there are robust and rapid response plans in place.

The audit committee may wish to consider obtaining assurance in respect of:

  • the governance and controls in place – especially in the light of any reportable incidents
  • potential threats and system weaknesses
  • management capacity and resource to address cyber security risks
  • the incident response plan and whether it is tested and ready to be deployed
  • whether the workforce has been briefed and trained about cyber security.

Physical and environmental controls for the IT hardware estate also merit coverage, along with IT/ Digital strategy.

Business continuity and recovery of key systems such as ILR should also feature. Data protection (e.g., GDPR compliance) is also likely to be a key issue.

Subsidiaries and joint ventures

  • Is there adequate transparency in relation to commercial activity conducted by subsidiaries and joint ventures of corporations?
  • Are profits from commercial activities transferred to the corporation to support its core business?
  • Is the subsidiary contributing to the surpluses of the corporation?
  • Do they expose the corporation to unacceptable levels of risk?

Student focused reviews

Student satisfaction and retention drive both income and may be reflective of reputation. Attendance and progress monitoring are also key sources of management information.

Follow up

The audit committee must ensure that the recommendations arising from audit or other review activities are suitably implemented by management; accepted recommendations must be supported by an agreed action plan and target date. Actions must be owned by management and the audit committee must monitor and scrutinise management’s reported progress against planned dates, paying particular attention to any slippage. Recommendations only improve risk management, governance and internal control arrangements, if and when, they are actually implemented.

Annex B: suggested format for annual audit committee report

  • Executive summary (including overall opinion)
  • Introduction
  • A summary of the work undertaken by the committee during the year
  • Any significant issues arising up to the date of preparation of the report
  • Significant issues arising, including any significant matters of internal control included in the reports of audit and assurance providers
  • The committee’s opinion on the adequacy and effectiveness of the corporation’s assurance arrangements, framework for safeguarding, framework of governance, risk management and control processes for the effective and efficient use of resources, solvency, and the safeguarding of assets
  • Overall opinion on entirety of audit/ assurance programme (whether the committee is satisfied that it has sufficient assurance to enable it to provide its opinion and its assessment of its current level of confidence in overall effectiveness of internal control)
  • Other issues (e.g., value for money)
  • Cost of work (e.g., internal auditor days used)
  • Forward look for next year
  • Horizon scanning (emerging issues)
  • The committee’s view of its own effectiveness and how it has fulfilled its terms of reference, including details of the composition of the audit committee and the number of meetings held in the year and attendance rates for each member

Auditors

Firm Engagement began Engagement ends
Internal auditors Jaggers and Buzfuz Associates 01/08/2016 31/07/2021
External auditors Jarndyce and Heep LLP 01/08/2017 31/07/2021

Annex C: suggested minimum content for annual internal audit report

  • Executive summary (including overall opinion where this has been commissioned from the internal audit provider)
  • Introduction
  • Approach to work and standards
  • Classification of opinions (that is, the way in which levels of confidence in respect of each business system reviewed and overall are described)
  • Overall assurance opinion (including overall opinion where this has been commissioned from the internal audit provider)
  • Assessment of the work undertaken
  • Summary of work undertaken (tabulated):

    • Item 1 (e.g., payroll)
    • Overall opinion
    • Recommendations (H/M/L)
    • Management response

    • Item 2 (e.g., procurement)
    • Overall opinion
    • Recommendations (H/M/L)
    • Management response

    • Item 3 (e.g., budgeting)
    • Overall opinion
    • Recommendations (H/M/L)
    • Management response

    • Item 4 (e.g., non-financial example, such as GDPR)
    • Overall opinion
    • Recommendations (H/M/L)
    • Management response

  • Follow up reviews of earlier work including any previous recommendations which have not been addressed