Bishop Fleming Funding Advisory Service


The expanding role of the Audit and Risk Committee in Academy Trusts

16th November 2021

Why have an Audit & Risk Committee?

Well, partly because you’re told to have one! But if the purpose of the Committee is clear and it is consequently used effectively, it can be a real help in providing checks and challenge to make sure everything is as ok as it seems, and if not, to monitor how effective the response is. In other words, the Committee plays a key role in ensuring that:

  1. Everything that needs to be done actually is done in practice;

AND

  2. It’s done as well as we think / it needs to be too.

The Academy Trust Handbook requires that all Academy Trusts must establish an Audit & Risk Committee. This can either be a formal, separate Committee (mandatory if your Trust has income over £50m, but all Trusts can establish a separate, dedicated Committee if they wish), or a Committee that clearly includes the role and business of an Audit & Risk Committee for smaller Trusts. One problem many Trusts find with this latter structure, though, is that when it is combined with e.g. the Finance Committee, you need to be able to clearly demonstrate which “hat” the Committee is wearing at any given point, and equally that the Committee has properly fulfilled the role of the Audit and Risk Committee along with all the other existing business. As the role of the A&R Committee continues to expand, this is arguably becoming harder to achieve in practice without several 5-hour meetings…

The Committee are the “custodians of the risk management process”. What do I mean by that? I mean that they are not responsible for identifying and managing the risks – that is ultimately the Trust Board (but is in practice informed by the executive management team). The Committee instead is there to make sure the process for managing these risks is working in practice, and to collate and report the results of management and external scrutiny/assurance.

I always come back to my “2 key questions” for risk and assurance:

  1. Do I know the risks faced by my Academy Trust (or school, if you’re a Head or LGB)?

and

  2. How (or where) am I assured / what evidence have I been given that shows that we are properly mitigating those risks in practice?

 

The Committee has a key part to play in answering both questions, but particularly the second. It’s there to be the funnel through which assurances can be collected, reported and reviewed, and fed up to the main board.

At this point it’s useful to see what the Handbook has to say about risk management, and the resulting role of the Committee:

The Handbook on Risk Management:

  • The Trust must manage risks to ensure its effective operation and must maintain a risk register.
  • Overall responsibility for risk management, including ultimate oversight of the risk register, must be retained by the board of Trustees, drawing on advice provided to it by the audit and risk Committee.
  • Other Committees may also input into the management of risk at the discretion of the board.
  • Aside from any review by individual Committees, the board itself must review the risk register at least annually.
  • Risk management covers the full operations and activities of the Trust, not only financial risks.

The Handbook on the Audit and Risk Committee:

  • The academy Trust must establish an audit and risk Committee, appointed by the board.
    • Trusts with an annual income over £50 million must have a dedicated audit and risk Committee.
    • Other Trusts must either have a dedicated audit and risk Committee or can combine it with another Committee, such as finance.
  • The audit and risk Committee should meet at least three times a year.
  • The audit and risk Committee must:
    • oversee and approve the Trust’s programme of internal scrutiny
    • ensure that risks are being addressed appropriately through internal scrutiny
    • report to the board on the adequacy of the Trust’s internal control framework, including financial and non-financial controls and management of risks.
  • The Committee must:
    • agree a programme of work annually to deliver internal scrutiny that provides coverage across the year, and consider reports at each meeting from those carrying out the programme of work
    • review the ratings and responses on the risk register to inform the programme of work, ensuring checks are modified as appropriate each year
    • consider progress in addressing recommendations
    • consider outputs from other assurance activities by third parties including ESFA financial management and governance reviews, funding audits and investigations
    • In Trusts with multiple academies, the Committee’s oversight must extend to the financial and non-financial controls and risks at constituent academies.
    • Oversight must ensure information submitted to DfE and ESFA that affects funding, including pupil number returns and funding claims (for both revenue and capital grants) completed by the Trust and (for Trusts with multiple academies) by constituent academies, is accurate and in compliance with funding criteria.

 

So what does all this mean?

The Handbook is simply reiterating the key aim of an audit and risk Committee - to obtain an important, and (more) independent and objective view on risk, control and governance at the Trust. As we discussed above, this in turn enables more visible and helpful oversight of how well things are working (or not…)

The role of the Committee has expanded over recent years in line with the ESFA’s more explicit requirement for all Trusts, and Trustees, to have greater oversight over both risks facing the Trust AND how effectively the Trust is currently addressing them. As above, this includes all risks facing the Trust – not just financial.

As a result, to pick up the phrasing we started with, the Committee becomes the custodian of the risk management process – ensuring firstly that there is a process, and then that it operates effectively throughout the Trust, with its outputs properly reviewed, utilised and acted upon.

The role of the Committee in this regard therefore becomes very much a balance of support and challenge/scrutiny. The Committee, as part of its increased oversight as above, calls upon management and other sources of assurance – internal audit for example – as it needs to so that it can answer both of the “2 key questions”, particularly “How do we really know that everything is as it appears / is being reported to us?”

 

So how should a Committee work with internal audit to help fulfil their role and help with risk management?

In short, Trusts are asked first to review their process for identifying and managing risk, and then ask themselves what this is telling them. Where are you ok? Conversely, where do you have problems? Do you know? And what are you going to do to address them (or to check they have been addressed)?

This, then, is how to best use your internal scrutiny / auditors. Help them answer your unknowns. You probably know that your financial controls are working well in general, so instead of asking internal audit to spend all their time confirming that, get them to look at something else for you. Internal audit can (and should) still do a small check that key financial controls are operating as well as you think, especially to be able to report that to Committee/board. But not spending all of their time in the finance office releases them to be used across the Trust helping you address other risks.

 

So, with that in mind, how best do you use your internal auditors? What sort of things can they do for you?

This conversation must start with an opportunity to review what you need and want. Yes, what you want - it’s not wrong to “want” internal audit! It should very much be a joint, two-way conversation with the internal auditors (or three-way, with management as well) about how best to help you clarify your views on your existing (and emerging) risks, as well as knowledge of what works well and what not so well.

So your conversation will probably start with your risk register, but for it to be of any value to you, you’ve also got to look at and understand what the register is telling you about what’s currently (you think) ok, and what most definitely isn’t ok. Use this assessment to then ask whether internal audit can help review any of these areas.

In terms of internal audit “stepping out of the finance office” to help you review non-financial risks, here are some examples of non-financial areas internal audit may be able to help you review. In many cases, this can simply take the form of helping YOU identify how YOU can know the area is working well:

  • Human resources - Performance monitoring and management, recruitment and selection, mental health and wellbeing, absence management;
  • IT general controls – backup and disaster recovery, logical access controls and user account management, control over mobile/portable devices (phones, iPads, laptops), cyber security (especially the often forgotten “human” defence, as the majority of cyber threats succeed because of human action or error);
  • Contract management – maintenance of contracts register, performance monitoring to make sure you’re getting what you’re contracted and paying for;
  • Estates management / preventative and reactive maintenance; and
  • Health and Safety or Safeguarding – assessment of processes used by the Trust for local and Trust-wide compliance (i.e. complementing, not duplicating, any work of specialists in these areas).

Other good ways to use your internal auditors include:

  • Following up / validating that you have completed key actions – for example, internal audit recommendations, external audit management letter points, critical and other actions resulting from Health and Safety inspections, actions included in improvement plans, plus any other set of internally generated actions. In so doing, the management team can provide the board with assurance that the actions have been completed and, where relevant, that the related risk no longer poses a threat;
  • Carrying out more bespoke specific advisory reviews to help you answer particular questions, for example to demonstrate regulatory or contractual compliance in practice, or focusing on the efficiency or effectiveness of one of your functions or services;
  • Helping set-up or tailor your risk register/maps, facilitating risk workshops and training for boards and audit Committees;
  • Providing wider governance advisory reviews, including reviews of effectiveness, structure, reporting, culture and accountability, as well as tailored training for your board, audit / finance Committee and management team.

Internal audit can (and should) do much more than just “tick” your financial controls. They can help you look at nearly all other areas of Trust operations. They can help you answer questions you don’t know the answer to, and provide potential solutions for problems you already know you have. They can provide advice, guidance and early warnings of coming changes, and how best you can adapt to meet these. They can also make you better and stronger, even if you are already strong. And give you some assurance that you are as strong as you think you are (or equally, that you’re not!)

Some final Risk Management takeaways:

  • Keep it simple - and so make it useful rather than a chore;
  • Remember that the key goals of the risk register are just to prompt proper discussion and identify any required action;
  • Make sure you focus as much on the assurances as the risk itself – how do you really know it’s ok?
  • And on what the assurance is telling you – and therefore what you should do as a result – and how this will be achieved – and how you as a Committee will know it has been achieved (and the risk is properly mitigated)?
  • Use existing KPIs and other outcome measures as sources of assurance – don’t reinvent the wheel, as you probably have a lot of the answers somewhere already – you just need to link them up to the register;
  • Although a key part of the process (and the Handbook says you must have one), just completing a risk register and looking at it once a year doesn’t mean you’re managing risks. Managing risk in practice requires continual review, discussion, challenge, action and subsequent monitoring.
  • Finally, remember that Trusts are already good at managing risk in practice (keeping children safe whilst providing a high quality education). Just make sure the register allows you to demonstrate this too.

And internal audit:

  • Check that your risk register is up to date and therefore a good place to start a conversation about the most helpful internal audit focus this year (and how much / little you need as a result);
  • Arrange a planning meeting with your internal auditors now for later this term, even if your visits are not planned until Spring/Summer, to “start” the conversation for the year.
