
Academy Risk Assurance: current best practice and priorities

Follow us on twitter: @LeoraCruddas @CSTvoice

www.CSTUK.org.uk The Voice of School Trusts


Internal Audit: current importance

• Governance assurance regarding executive planning and implementation of full school opening during Covid 19 Pandemic.

• Prioritising risk assessment and controls for the unusual year ahead from September 2020.

• Increased ESFA interest (see further changes in AFH 2020) in scrutinising effectiveness of internal audit functions in MATs: it takes time to build that function, especially if effective controls are included in the risk management process.

www.CSTUK.org.uk © 2020 CST


Risk Management: importance of systematic controls in risk register using the three lines of defence model

The Institute of Internal Auditors (IIA) published a global position paper in 2013, titled: The Three Lines of Defence in Effective Risk Management and Control.

The concept has remained sufficiently important that a further position paper was published in June 2017 by the Chartered Institute of Internal Auditors, titled The Three Lines of Defence.



First line of defence: daily operational management (executive)

The first line of defence in the three lines of defence (3LOD) model is made up of those who own and manage risks. The professionals in this group are responsible for implementing corrective measures to address process and control deficiencies.

Operational management ensures internal control of risks. Managers identify, assess, control and mitigate risks, and ensure that the procedures and policies needed to deal with risks are incorporated and practised in the day-to-day operations of the organisation. They make sure that these procedures and policies are consistent with the objectives of the organisation and that they preserve and protect its interests.

There should be adequate managerial and supervisory controls in place to ensure compliance and to highlight control breakdown, inadequate processes, and unexpected events.


Second line of defence – risk management and compliance (executive)

The first line of defence may seem enough to deal effectively with risks. However, a second line of defence is required to support the first line and monitor its actions.

The second line may include some or all of the following responsibilities:

• Support for policies, and defining roles and responsibilities.

• Risk management frameworks.

• Assistance in the development of processes and controls for risk and issue management.

• Training and guiding staff on the risk management process.

• Monitoring the sufficiency of internal control, the correctness and completeness of reporting, compliance with laws and regulations, and the timely mitigation of damages.



Third line of defence: internal audit (not executive)

The third line of defence is internal audit which provides the Board and senior management with comprehensive assurance based on the highest level of independence and objectivity.

This high level of independence is not available in the second line of defence.

Internal audit provides assurance on the effectiveness of governance, risk management, and internal controls, including the manner in which the first and second lines of defence achieve risk management and control objectives.

All three lines should exist in some form at every trust, regardless of size or complexity. Risk management is normally strongest when there are three separate and clearly identified lines of defence.



Role of internal audit (IA)

The 2017 position paper states the following key points about IA:

• Management remains responsible for risk management. Typically the CEO and CFO should have ownership of risk in reporting to the board.

• Internal audit should not manage any of the risks on behalf of management, nor should it be classed as a risk owner (e.g. on risk registers).

• Internal audit should provide advice, challenge and support to management’s decision making, as opposed to taking risk management decisions themselves.

• The nature of internal audit’s responsibilities should be documented in the internal audit charter or terms of reference and approved by the audit committee.



AFH 2020 – Risk Management Key Points

2.38 Overall responsibility for risk management, including ultimate oversight of the risk register, must be retained by the board of trustees, drawing on advice provided to it by the audit and risk committee.

2.38 Risk management covers the full operations and activities of the trust, not only financial risks.

2.39 The trust’s management of risks must include contingency and business continuity planning.

2.42 The trust must cooperate with risk management auditors and risk managers, and implement reasonable risk management audit recommendations made to them.



AFH 2020 – Internal Scrutiny Key Points (1)

3.2 Internal scrutiny must focus on…ensuring all categories of risk are being adequately identified, reported and managed.

3.3 The trust must identify on a risk-basis (with reference to its risk register) the areas it will review each year, modifying its checks accordingly.

3.13 In trusts with multiple academies, the committee’s oversight must extend to the financial and non-financial controls and risks at constituent academies.

3.14 Oversight must ensure information submitted to DfE and ESFA that affects funding… by constituent academies, is accurate and in compliance with funding criteria.



AFH 2020 – Internal Scrutiny Key Points (2)

3.20 Trusts should note that the Financial Reporting Council’s revised Ethical Standard states that a firm providing external audit to an entity shall not also provide internal audit services to it.

3.23 The trust must submit its annual summary report of the areas reviewed, key findings, recommendations and conclusions (as presented to the audit and risk committee under section 3.15 by the person(s) or organisation(s) carrying out the programme of work) to ESFA by 31 December each year.



Risk Management for the 20-21 Academy Year

1. Use the first trustee meeting to decide the key risks, rather than leaving it to the audit committee this year. In particular, continue to watch:

• Student wellbeing and claims, notably re cyber security and safeguarding.

• Curriculum and quality: content and measurement.

2. However, ensure the audit committee is actually a risk assurance committee with sufficient, robust members. A separate committee is strongly advised even in medium-sized trusts. Check that the reporting line to the Trust Board is strong.

3. Ensure the risk register includes adequate control mechanisms, in particular an effective internal audit function.

4. Monitor risk appetite as well as risk management: there are opportunities ahead as well as challenges!



Find out more about:

• How the trustees must ensure effective risk-based internal scrutiny.

• Management of risk: principles and concepts, including HM Treasury’s suggested structure for a risk register.

• Risk management in ESFA’s good practice guide.



Find out more about:

• HM Treasury’s audit committee handbook.

• ESFA’s internal scrutiny good practice guide, which describes both financial and non-financial areas that internal scrutiny could cover, and provides a suggested structure for an internal scrutiny annual report.

• Internal audit guidance from the Chartered Institute of Internal Auditors.



AFH 2020 detail – purpose of internal scrutiny

3.1 All academy trusts must have a programme of internal scrutiny to provide independent assurance to the board that its financial and non-financial controls and risk management procedures are operating effectively.

3.2 Internal scrutiny must focus on:

• evaluating the suitability of, and level of compliance with, financial and non-financial controls. This includes assessing whether procedures are designed effectively and efficiently, and checking whether agreed procedures have been followed

• offering advice and insight to the board on how to address weaknesses in financial and non-financial controls, acting as a catalyst for improvement, but without diluting management’s responsibility for day to day running of the trust

• ensuring all categories of risk are being adequately identified, reported and managed.



AFH 2020 detail – purpose of internal scrutiny

3.3 The trust must identify on a risk-basis (with reference to its risk register) the areas it will review each year, modifying its checks accordingly. For example, this may involve greater scrutiny where procedures or systems have changed.

Working with other assurance providers

3.4 Internal scrutiny should take account of output from other assurance procedures to inform the programme of work. For example, it should have regard to recommendations from the trust’s external auditors as described in their management letter, and from relevant reviews undertaken by ESFA.

Independence and objectivity

3.5 Independence in internal scrutiny must be achieved by establishing appropriate reporting lines whereby those carrying out checks report directly to a committee of the board, which in turn provides assurance to the trustees.



AFH 2020 detail: Oversight of risk and the risk register

2.38 The trust must manage risks to ensure its effective operation and must maintain a risk register:

• Overall responsibility for risk management, including ultimate oversight of the risk register, must be retained by the board of trustees, drawing on advice provided to it by the audit and risk committee.

• Other committees may also input into the management of risk at the discretion of the board.

• Aside from any review by individual committees, the board itself must review the risk register at least annually.

• Risk management covers the full operations and activities of the trust, not only financial risks.

2.39 The trust’s management of risks must include contingency and business continuity planning.


AFH 2020 – detail risk protection

2.40 The academy trust must have adequate insurance cover in compliance with its legal obligations or be a member of the academies risk protection arrangement (RPA). Not all risks are covered in the RPA.

2.41 The trust should consider the RPA unless commercial insurance provides better value for money. If the trust is not an RPA member, it should determine its own level of commercial insurance to include buildings and contents, business continuity, employers’ and public liability insurance and other cover required.

2.42 The trust must cooperate with risk management auditors and risk managers, and implement reasonable risk management audit recommendations made to them.

Find out more about the risk protection arrangement.



AFH 2020 detail – the audit and risk committee

The AFH has quite extensive guidance on the audit and risk committee:

• Requirement for a committee [3.6 – 3.7]

• Remit of the committee in relation to internal scrutiny [3.8]

• Membership of the committee [3.9 - 3.11]

• Operating the committee [3.12 – 3.14]

Find out more in HM Treasury’s audit committee handbook.



AFH 2020 detail – principles of internal scrutiny

• Be independent and objective – for example it must not be performed by the trust’s own accounting officer, chief financial officer or finance team

• Be conducted by someone suitably qualified and experienced and able to draw on technical expertise as required

• Be covered by a scheme of work, driven and agreed by the audit and risk committee, and informed by risk

• Be timely, with the programme of work spread appropriately over the year so higher risk areas are reviewed in good time

• Include regular updates to the audit and risk committee – a report of the work to each audit and risk committee meeting, with recommendations where appropriate to enhance financial and non-financial controls and risk management

• An annual summary report to the audit and risk committee for each year ended 31 August outlining the areas reviewed, key findings, recommendations and conclusions.



AFH 2020 detail – options for internal scrutiny

• Employing an in-house internal auditor

• A bought-in internal audit service from a firm, other organisation or individual with professional indemnity insurance

• The appointment of a non-employed trustee

• A peer review by the chief financial officer from another academy trust. The trust should satisfy itself that the trust supplying the reviewer has a good standard of financial management and governance and should minute the basis for its decision. The peer reviewer should be independent of the trust.

3.21 The trust must keep its approach to internal scrutiny under review. If it changes in size, complexity or risk profile, it should consider whether its approach remains suitable.



AFH 2020 detail – external reporting and transparency

• 3.22 The trust must confirm in its governance statement, accompanying its annual accounts, which of the internal scrutiny options it has applied and why. The outcome of the work must also inform the accounting officer’s statement of regularity in the annual accounts.

• 3.23 The trust must submit its annual summary report of the areas reviewed, key findings, recommendations and conclusions (as presented to the audit and risk committee under section 3.15 by the person(s) or organisation(s) carrying out the programme of work) to ESFA by 31 December each year, when it submits its audited annual accounts. If the trust uses additional individuals or organisations where specialist non-financial knowledge is required, as permitted under paragraph 3.18, it should reflect their findings, recommendations and conclusions as part of the summary document submitted to ESFA. The trust must also provide ESFA with any other internal scrutiny reports if requested.


Thank you

www.cstuk.org.uk @CSTvoice