Audit and risk committee: choosing the best approach to internal scrutiny

What's meant by internal scrutiny

Internal scrutiny is the process of checking that your financial (and other) controls and risk management procedures are effective. According to the AFH 2020 (section 3.2), this should cover:

• Evaluating whether your financial and other controls are compliant and suitable - checks include whether procedures are well designed, and whether they've been followed (by checking transactions)
• Advice to the board on how to address weaknesses in your controls and procedures
• Making sure all categories of risk are adequately identified, reported on and managed

As an audit and risk committee, your role is to oversee the person or people who carry out this work. However, you won't do this work yourself. You'll set the programme of work they follow, and receive reports. 

You must agree as a committee who will perform this work for your trust. There are different approaches you can take, which we've set out below. 

The options you can choose between

There are 4 main options for how your trust can deliver internal scrutiny (you can also use a combination of the following):

• Employing an in-house internal auditor
• Buying in an internal audit service (this must be a different audit firm than the firm performing your external audit - more on this in the grey box below)
• Appointing a non-employed trustee to do the role
• A peer review from a chief financial officer (CFO) or other finance member of staff from another trust

In addition to using any one or any combination of the above options, the AFH 2020 also permits you as a trust to use other individuals or organisations where 'specialist non-financial knowledge' is required. 

This is outlined in sections 3.17 and 3.18 of the AFH 2020. 

If you choose an internal audit service

Whether you're employing someone in-house or buying the service in, they should be members of a 'relevant professional body'. The Education and Skills Funding Agency's (ESFA's) guidance on internal scrutiny options gives these examples:

• A member of the Chartered Institute of Internal Auditors
• An accountancy institute that's a member of the Consultative Committee of Accountancy Bodies
• An accountancy institute that's a member of the Chartered Institute of Management Accountants

Mention of them here doesn't constitute endorsement of any one body in particular by The Key.

If you choose a non-employed trustee or peer reviewer

They should have qualifications in finance, accounting or audit, and 'appropriate internal audit experience'. Membership of any of the bodies mentioned above would cover this, but it can also be someone who has another finance or business qualification.

There's not a checklist of qualifications they can have to be qualified for this, it's about you being satisfied that they have appropriate experience and a good standard of financial management. If you do go for a peer review, you should minute the basis for your decision. 

If you use other individuals or organisations with specialist non-financial knowledge (see the 'options' section above)

The AFH 2020 doesn't explain what 'specialist non-financial knowledge' you might find relevant for internal scrutiny. As above, you should be satisfied that these individuals or organisations have the appropriate experience and qualifications to demonstrate their expertise in their area of specialism.

Their findings, recommendations and conclusions should be made part of the summary document that your trust submits to the ESFA by 31 December each year (as outlined in section 3.23 of the AFH 2020).

Factors for making the choice

Generally speaking, size and complexity will be the biggest influence on what you choose. Larger trusts will probably need to go for one of the internal audit services, rather than trustee or peer review (though there's no set size where this becomes the case).

The ESFA has a table of potential pros and cons for each, but to summarise:

• In-house or bought-in internal audit services will be underpinned by professional standards and ethics, and mean external auditors can place better reliance on their work - but these will bring costs and if in-house, may mean they're less independent. As mentioned above, the revised Ethical Standard no longer permits the same firm to carry out both your internal and external audits, though existing arrangements as of 15 March 2020 may conclude - potential conflicts of interest could be a factor in these existing arrangements
• Trustee or peer reviews have no costs, and potentially better insight into your trust (or academy trust processes more generally), but can lack the same rigour and be more time-consuming. There's also a potential lack of independence here, too, if you go for the trustee route

Where the cost may be worth it

Though the trustee or peer review options are low cost, they aren't necessarily the best value if they take more time or don't provide the scrutiny you need. The ESFA suggest thinking about the following as factors that make investment in in-house or bought-in internal audit worthwhile:

• The scale, diversity and complexity of your activities
• Your number of employees - as this number increases, so does the likelihood you'll need one of the paid-for audit services
• Changes to how you operate - if your structure, systems or processes change, you're more likely to need internal audit services
• The nature of your risks, and if they change (or if new ones emerge)
• An increasing number of 'unexplained or unacceptable' events

Reviewing your approach

You must keep your chosen approach under review - particularly if your trust changes in size, complexity or risk profile. The following resources can help you review the performance of your chosen approach, to inform your trust's decision going forward.

The Chartered Institute of Internal Auditors has a set of questions for evaluating the effectiveness of internal audit (click 'Download this guidance as a PDF link' and see annex 4 of their guidance).

HM Treasury has a framework for assessing the quality of internal audit services. You might not find that every section applies, as it isn't trust-specific, but it will give you a good steer on the types of questions you can ask to review the performance of your internal audit (the questionnaire in chapter 5 on 'Impact', may be particularly useful for trusts).