Part 3: Internal scrutiny

The need for academy trusts to conduct checks to ensure systems are effective and compliant.

3.1 Purpose of internal scrutiny

3.1 All academy trusts must have a programme of internal scrutiny to provide independent assurance to the board that its financial and non-financial controls, and risk management procedures are operating effectively.

3.2 - 3.3 Approach

3.2 Internal scrutiny must focus on:

  • evaluating the suitability of, and level of compliance with, financial and non-financial controls
  • offering advice and insight to the board on how to address weaknesses in financial and non-financial controls
  • ensuring all categories of risk are being adequately identified, reported and managed

3.3 The trust must identify on a risk-basis (with reference to its risk register) the areas it will review each year.

3.4 Working with other assurance providers

3.4 Internal scrutiny should take account of output from other assurance procedures to inform the programme of work - for example external audit and ESFA reviews.

3.5 Independence and objectivity

3.5 Independence in internal scrutiny must be achieved by establishing appropriate reporting lines, whereby those carrying out checks report directly to a committee of the board, which in turn provides assurance to the trustees.

3.6 - 3.13 Directing internal scrutiny - the audit and risk committee

Requirement for a committee

3.6 The academy trust must establish an audit and risk committee, appointed by the board.

  • Trusts with an annual revenue income over £50 million must have a dedicated audit and risk committee.
  • Other trusts must either have a dedicated audit and risk committee or can combine it with another committee, such as finance

3.7 The audit and risk committee should meet at least 3 times a year.

Remit of the committee in relation to internal scrutiny

3.8 The audit and risk committee must:

  • oversee and approve the trust’s programme of internal scrutiny
  • ensure that risks are being addressed appropriately
  • report to the board on the adequacy of the trust’s internal control framework, including financial and non-financial controls and management of risks

Membership of the committee

3.9 Employees of the trust should not be audit and risk committee members, but the accounting officer and chief financial officer should attend to provide information and participate in discussions.

3.10 The chair of trustees should not be chair of the audit and risk committee. Where the finance committee and audit and risk committee are separate, the chair should not be the same.

3.11 Where the audit and risk committee is combined with another committee, employees should not participate as members when audit matters are discussed.

Operating the committee

3.12 The committee must:

  • have written terms of reference
  • agree a programme of work annually to deliver internal scrutiny that provides coverage across the year, agree who will perform the work and consider their reports and the trust’s progress in addressing recommendations
  • review the ratings and responses on the risk register to inform the programme of work
  • have access to the external auditor, as well as their internal scrutineers

3.13 Oversight must ensure information submitted to DfE and ESFA that affects funding is accurate and complies with funding criteria.

Find out more in HM Treasury’s audit committee handbook.

3.14 - 3.20 Delivering internal scrutiny

Principles

3.14 Internal scrutiny must:

  • be independent and objective – for example it must not be performed by members of the senior leadership or finance team
  • be conducted by someone suitably qualified and experienced and able to draw on technical expertise, as required
  • be timely, with the programme of work spread appropriately over the year so higher risk areas are reviewed in good time
  • include regular updates to the audit and risk committee by the internal scrutineers carrying out the programme of work, incorporating:
    • a report of the work to each audit and risk committee meeting
    • an annual summary report to the audit and risk committee for each year ended 31 August outlining the areas reviewed, key findings, recommendations and conclusions, to help the committee consider actions and assess year on year progress

3.15 Whilst the audit and risk committee is responsible for overseeing the internal scrutiny, the findings must also be made available to all trustees promptly.

Options

3.16 All trusts must deliver internal scrutiny in the way most appropriate to its circumstances. Options include any combination of:

  • an in-house internal auditor
  • a bought-in internal audit service
  • the appointment of a non-employed trustee
  • an independent peer review by the chief financial officer from another academy trust

Trusts with an annual revenue income over £50 million should (and from 1 September 2025 must) deliver internal scrutiny using any combination of the following:

  • an in-house internal auditor
  • a bought-in internal audit service

All trusts, regardless of income levels, may also use other individuals or organisations where specialist non-financial knowledge is required.

3.17 To ensure those carrying out the programme of internal scrutiny work are suitably qualified and/or experienced:

  • auditors should be members of a relevant professional body
  • trustees and peer reviewers performing the work should have appropriate qualifications and/or experience relevant to the area being reviewed

Trusts should work towards this position where it is not already the case.

3.18 The trust must keep its approach to internal scrutiny under review. If it changes in size, complexity or risk profile, it should consider whether its approach remains suitable.

External reporting and transparency

3.19 The trust must confirm in its governance statement, accompanying its annual accounts, which of the internal scrutiny options it has applied and why. The outcome of the work must also inform the accounting officer’s statement of regularity in the annual accounts.

3.20 The trust must submit its internal scrutiny summary report to ESFA by 31 December each year when it submits its audited annual accounts. The trust must also provide ESFA with any other internal scrutiny reports, if requested.

Find out more in ESFA’s internal scrutiny good practice guide, which:

  • describes both financial and non-financial areas that internal scrutiny could cover, and
  • provides a suggested structure for an internal scrutiny annual report

Further information on internal audit is available at the Chartered Institute of Internal Auditors.