You are here:
Audit and risk committee: choosing the best approach to internal scrutiny
Your trust has 4 main options for who carries out your internal scrutiny. Assess the options and choose the best one for your trust, and learn how to review the effectiveness of your approach.
Updates to this article
Your trust is now required to appoint an audit and risk committee (see section 3.6) - in the 2019 handbook, this was the audit committee.
What's meant by internal scrutiny
Internal scrutiny is the process of checking that your financial (and other) controls and risk management procedures are effective. According to the AFH 2020 (section 3.2), this should cover:
- Evaluating whether your financial and other controls are compliant and suitable - checks include whether procedures are well designed, and whether they've been followed (by checking transactions)
- Advice to the board on how to address weaknesses in your controls and procedures
- Making sure all categories of risk are adequately identified, reported on and managed
As an audit and risk committee, your role is to oversee the person or people who carry out this work. However, you won't do this work yourself. You'll set the programme of work they follow, and receive reports.
You must agree as a committee who will perform this work for your trust. There are different approaches you can take, which we've set out below.
The options you can choose between
There are 4 main options for how your trust can deliver internal scrutiny (you can also use a combination of the following):
- Employing an in-house internal auditor
- Buying in an internal audit service (this must be a different audit firm than the firm performing your external audit - more on this in the grey box below)
- Appointing a non-employed trustee to do the role
- A peer review from a chief financial officer (CFO) or other finance member of staff from another trust
In addition to using any one or any combination of the above options, the AFH 2020 also permits you as a trust to use other individuals or organisations where 'specialist non-financial knowledge' is required.
This is outlined in sections 3.17 and 3.18 of the AFH 2020.
If you choose an internal audit service
A firm can't provide your trust with both internal and external audit services
This is covered in the Financial Reporting Council's revised Ethical Standard. As part of transitional arrangements, any existing audit engagements at 15 March 2020 can conclude.
Whether you're employing someone in-house or buying the service in, they should be members of a 'relevant professional body'. The Education and Skills Funding Agency's (ESFA's) guidance on internal scrutiny options gives these examples:
- A member of the Chartered Institute of Internal Auditors
- An accountancy institute that's a member of the Consultative Committee of Accountancy Bodies
- An accountancy institute that's a member of the Chartered Institute of Management Accountants
Mention of them here doesn't constitute endorsement of any one body in particular by The Key.
If you choose a non-employed trustee or peer reviewer
They should have qualifications in finance, accounting or audit, and 'appropriate internal audit experience'. Membership of any of the bodies mentioned above would cover this, but it can also be someone who has another finance or business qualification.
There's not a checklist of qualifications they can have to be qualified for this, it's about you being satisfied that they have appropriate experience and a good standard of financial management. If you do go for a peer review, you should minute the basis for your decision.
If you use other individuals or organisations with specialist non-financial knowledge (see the 'options' section above)
The AFH 2020 doesn't explain what 'specialist non-financial knowledge' you might find relevant for internal scrutiny. As above, you should be satisfied that these individuals or organisations have the appropriate experience and qualifications to demonstrate their expertise in their area of specialism.
Their findings, recommendations and conclusions should be made part of the summary document that your trust submits to the ESFA by 31 December each year (as outlined in section 3.23 of the AFH 2020).
Factors for making the choice
Generally speaking, size and complexity will be the biggest influence on what you choose. Larger trusts will probably need to go for one of the internal audit services, rather than trustee or peer review (though there's no set size where this becomes the case).
The ESFA has a table of potential pros and cons for each, but to summarise:
- In-house or bought-in internal audit services will be underpinned by professional standards and ethics, and mean external auditors can place better reliance on their work - but these will bring costs and if in-house, may mean they're less independent. As mentioned above, the revised Ethical Standard no longer permits the same firm to carry out both your internal and external audits, though existing arrangements as of 15 March 2020 may conclude - potential conflicts of interest could be a factor in these existing arrangements
- Trustee or peer reviews have no costs, and potentially better insight into your trust (or academy trust processes more generally), but can lack the same rigour and be more time-consuming. There's also a potential lack of independence here, too, if you go for the trustee route
Where the cost may be worth it
Though the trustee or peer review options are low cost, they aren't necessarily the best value if they take more time or don't provide the scrutiny you need. The ESFA suggest thinking about the following as factors that make investment in in-house or bought-in internal audit worthwhile:
- The scale, diversity and complexity of your activities
- Your number of employees - as this number increases, so does the likelihood you'll need one of the paid-for audit services
- Changes to how you operate - if your structure, systems or processes change, you're more likely to need internal audit services
- The nature of your risks, and if they change (or if new ones emerge)
- An increasing number of 'unexplained or unacceptable' events
Reviewing your approach
You must keep your chosen approach under review - particularly if your trust changes in size, complexity or risk profile. The following resources can help you review the performance of your chosen approach, to inform your trust's decision going forward.
The Chartered Institute of Internal Auditors has a set of questions for evaluating the effectiveness of internal audit (click 'Download this guidance as a PDF link' and see annex 4 of their guidance).
HM Treasury has a framework for assessing the quality of internal audit services. You might not find that every section applies, as it isn't trust-specific, but it will give you a good steer on the types of questions you can ask to review the performance of your internal audit (the questionnaire in chapter 5 on 'Impact', may be particularly useful for trusts).
The Key has taken great care in publishing this article. However, some of the article's content and information may come from or link to third party sources whose quality, relevance, accuracy, completeness, currency and reliability we do not guarantee. Accordingly, we will not be held liable for any use of or reliance placed on this article's content or the links or downloads it provides. This article may contain information sourced from public sector bodies and licensed under the Open Government Licence v3.0.