How best to make your Internal Audit service work for you

28th September 2020

Internal audit is just concerned with finances, isn’t it? You’d be forgiven for thinking so, for until recently, the requirements for internal assurance/scrutiny and indeed wider risk management were firmly seated in the financial control section of the Academies Financial Handbook. Most trusts simply had the equivalent of the “Responsible Officer” (RO) financial controls checklist completed over the course of the year as their internal assurance.

It’s only over the last couple of years, following related direction from Lord Agnew, that the handbook has made the requirement for trusts to be aware of ALL their risks (financial and non-financial alike) more explicit. Internal scrutiny requirements have evolved alongside this, with the handbook providing greater clarity on the expectations for trusts to use their internal scrutiny to meet these wider risk management responsibilities.

The key question is: How do you know that all those other, non-financial risks are not waiting to bite you? Part of the answer should come from the trust itself – key management should be able to provide some comfort and assurance regarding this. However, in some cases, independent validation of this is wanted, or indeed the trust simply does not know if the risk is waiting to pounce. In these cases, Internal Audit can help you answer the question.
We will be covering the evolving risk management requirements in a similar bulletin in a few months’ time, with a focus very much on making this simple, practical, and useful to trusts. But risk management and internal scrutiny are intrinsically linked, and it’s useful to understand the context to then properly direct your “internal scrutineer”. 

Risk and Internal Assurance

To summarise the handbook’s requirements:

  • Internal scrutiny is a process that provides independent assurance to the board that its financial and other controls, and risk management procedures, are operating effectively. 
  • As a minimum, it involves a series of tests to ensure systems are effective and compliant but goes beyond mere transaction checking.
  • The AFH does not require trusts to have a full internal audit function, but they must select from 4 distinct internal scrutiny processes of which a separate, bought-in internal audit service is just one (the others being employing an in-house person or team, appointing a non-employed trustee, or peer review from an independent CFO from another trust).
  • The programme of internal scrutiny should be informed by the trust’s risk register, which should be owned by executive management and overseen by the audit committee. 
  • You should identify how well risks are managed, whether effective processes are in place and whether agreed procedures are being followed.  You should also identify areas where efficiencies or change should be made. This will naturally direct your internal scrutiny work – use your internal auditors to help answer these questions if you don’t know.
  • The risk process is iterative and ongoing as the findings of the programme of internal scrutiny in turn inform the risk register. 
  • Risk scores of issues rise and fall as the result of the internal scrutiny work, new risks are added, and older ones are relegated. 
  • So, the planning of the programme of internal scrutiny must be a risk-based joint enterprise between executive management, the audit committee and the internal scrutineer.

So, in short, trusts are asked to review their process for identifying and managing risk, AND THEN look at what this tells them. Where are you ok? Conversely, where do you have problems? Do you know?

This then is how to best use your internal scrutiny / auditors. Help them answer your unknowns. You probably know that your financial controls are working well in general, so instead of asking internal audit to spend all their time confirming that, get them to look at something else for you. We can (and should) still do a small check that key financial controls are operating as well as you think, especially to be able to report that to committee/board. But not spending all our time in the finance office releases us to be used across the trust helping you address other risks.

So, with that in mind, how best do you use your internal auditors? What sort of things can they do for you? 

As the key message from the AFH is to use your internal auditors to help you “complete your assurance jigsaw”, you will need to include reviews in areas other than finance. For many trusts this will be something relatively new.  
There is, though, no “one size fits all” internal audit plan. A single school trust will clearly not want (or need) to commission as many internal audit days as a more complex MAT. The SAT may only require a handful of audit days to help complete their “jigsaw”. Conversely, depending on the size, devolved nature and complexity, a MAT could need anything from 5 audit days up to 25-30 to give sufficient coverage. But in both cases, the prime focus is the same - to ensure that you’ve got the most out of your available budget for internal audit, that you’ve directed them to the right areas to help answer the questions you most need them to, and they have consequently made as much a difference to your trust as they were able to over the course of the year.

The “questions” that internal audit can answer for you can be:

  • The more traditional – are our financial controls operating as well as we think they are?

But they can also be driven by other risk areas:

  • Are we appointing the best staff we can? How do we know this? (i.e. does our recruitment and interview process lead to this? Is it also legally compliant?)
  • Have we got enough staff? How many do other similar trusts have in academic, other classroom based and support functions? What would we do if staff leave? Could we cover and replace? Is there a different answer to this depending on whether it’s teaching or support staff? Senior or more junior? 
  • Does everyone in all our schools understand their safeguarding responsibilities? How do we know this for sure? 
  • With particular regard to our COVID-19 response, do all staff understand their part to play, dependent on role? Have we effectively communicated this to children, parents, the local community, other stakeholders as required so that everyone understands our approach and procedures? How quickly are we able to change something if needed? What could cause us the biggest problem or impact with the shortest notice?

These are just a flavour of the wide range of questions that boards and senior management teams ask themselves on a regular basis – it’s all just part of managing the trust / school. Internal audit can help by reviewing these areas to provide you with confidence that everyone does know what they are meant to do, and if they do, it will be effective. 
An example (but certainly not exhaustive) list of potential areas of coverage your auditors can look at for you, to help you answer questions like those above, and provide assurance against the related risk(s) on your risk register, includes:

Financial Areas:

  • Budgets and forecasting
  • Income & debtors – core / other / commercial, including cash and bank
  • Payroll
  • Non-pay Expenditure – purchase to pay system – procurement and creditors
  • Capital expenditure
  • Fixed Assets
  • General Ledger / Month end processes
  • Anti-fraud, bribery and corruption arrangements
  • VAT and tax arrangements

Governance:

  • Accountability Framework
  • Risk management and assurance framework
  • Scheme of delegation
  • Evidence of compliance with Annex C – The Musts (either direct validation that you comply, or providing assurance to Audit Committee regarding the process that you have followed to assure yourself that you have evidence to demonstrate compliance with each aspect)
  • Related / Connected Parties and register of interests
  • Website compliance

Sector specific areas:

  • Safeguarding
  • Prevent duty
  • Pupil Premium
  • Onboarding process for new schools
  • Learner journey – interaction with the trust from the learner’s point of view
  • Pre 16 Pupil Record – census checks, free school meals

Other non-financial areas:

  • Human resources - Performance monitoring and management, recruitment and selection, mental health and wellbeing, absence management
  • IT general controls – backup and disaster recovery, logical access controls and user account management, licensing, anti-virus / OS patching and updates, control over mobile/portable devices (phones, iPads, laptops)
  • Data Governance – processes for identification, maintenance and safe storage/transport of data
  • Contract management – maintenance of contracts register, performance monitoring
  • Complaints management including proactive learning from / link to trust training
  • Estates management / preventative and reactive maintenance
  • Health and Safety – assessment of processes used by the trust for local and trust wide compliance
  • Vehicles


Also, to complement the above, depending on the size of the trust, you may also ask your internal auditors to undertake a series of specific local school visits. This can be to review evidence of the a) local understanding of, and b) demonstrable compliance in practice with, trust policies and procedures at a local school level, particularly for key functions delegated to schools locally rather than operated at a central level. This can also be especially useful for schools joining or having recently joined the trust.

Other good ways to use your internal auditors include:

  • To follow up / validate that you have completed key actions – for example, internal audit recommendations, external audit management letter points, critical and other actions resulting from Health and Safety inspections, actions included in improvement plans, plus any other set of internally generated actions. In so doing, the management team can provide the board with assurance that the actions have been completed, and where relevant, the related risk no longer poses a threat.
  • Carrying out more bespoke specific advisory reviews to help you answer particular questions, for example to demonstrate regulatory or contractual compliance in practice, or focussing on the efficiency or effectiveness of one of your functions or services;
  • Helping set-up or tailor your risk register/maps, facilitating risk workshops and training for boards and audit committees;
  • Providing wider governance advisory reviews, including reviews of effectiveness, structure, reporting, culture and accountability, as well as tailored training for your board, audit / finance committee and management team. 

To end, and to draw together the main messages from above, here are a few key questions for you to ask yourselves (or boards / audit / finance committees as appropriate) regarding your internal audit service, to ensure that going forward you’re making sure that it’s something done WITH/FOR you, rather than TO you.

  1. Do you use your risk register when deciding what areas would be best for internal audit to help you review?
  2. Do you know what assurances you get from other external sources (for example, health and safety and safeguarding specialists) that mean there is less point in internal audit looking at these so as not to duplicate (unless validation of actions arising from these is required)?
  3. Do internal audit look at non-financial areas as well as financial? If not, what assurances do you have regarding how well these non-financial areas are operating? Can you use internal audit to look at any of these areas in future?
  4. Do you know the likely outcomes of audits before they are reviewed? Is this because your own internal assurances are accurate and operating well, or because internal audit have looked at the same areas repeatedly? In either case, should you direct internal audit to other areas you are less clear on for their next audit?
  5. Is it clear from the internal audit reports you receive what is working well? Which areas are not working quite so well? What the potential recommendations are to improve them?
  6. Do you track and report the implementation of all of your actions, be they from internal audit, external audit, other external sources or internally generated?
  7. Can you pick up the phone to your internal auditors to ask them questions?
  8. Are your internal auditors proactive in raising sector developments with you that you need to be aware of? Are these then also potentially considered to form part of the audit plan?
  9. If you had one more day of audit, what would you use it on? What’s just missed off the existing priority list?
  10. To close the circle, do the results of internal audits inform an update to the risk register?
     
