7 steps to effective Internal Scrutiny (part 1)

Internal scrutiny can be so much more than a tick box exercise to meet a regulatory requirement. With the right people and a strong plan in place, internal scrutiny becomes an effective tool which provides reassurance, unbiased advice and strategic recommendations for your organisation.

Here at Keystone Knowledge, we believe that there are seven steps to create an effective internal scrutiny programme: 

• Appoint - choose an internal scrutiny partner
• Assess risk - link your annual scrutiny to your risk register
• Audit plan - plan your internal scrutiny visits
• Audit - work with your IS partner during the audit
• Analyse - review the audit findings
• Action - complete the actions from the audit
• Assess impact - assess the impacts of the actions

In this blog we're going to consider what to think about when appointing an internal scrutiny partner, linking your annual scrutiny to your risk register and planning your internal scrutiny visit.

Appointing an internal scrutiny partner

Appointing the right internal scrutiny partner is the first step towards ensuring your school or trust is fully benefitting from the internal scrutiny that is being carried out.

In line with the Academy Trust Handbook¹, your internal scrutiny must:

• Evaluate and assess a wide range of both financial and non-financial controls for suitability and compliance
• Provide you with advice and insight on how to make improvements and address any weaknesses found
• Encompass all categories of risk and ensure they are being identified, managed and reported on

It is therefore imperative that your internal scrutiny partner has the qualifications and experience to scrutinise and evaluate a wide range of risk mitigation processes and procedures. But it is the independent advice and insight provided by your provider that can have the most impact on the effectiveness of your internal scrutiny. This is why many trusts eschew the option of recruiting an employee to carry out internal scrutiny and choose instead to appoint an external partner.

As someone independent of the function(s) they have reviewed, your internal scrutiny partner should present you with more than a tick-list concluding if the procedures they have scrutinised are suitable and whether the processes in place are being complied with. They should understand how your processes fit together and provide you with recommendations for improvement based on a holistic view of the school under consideration or more widely across a group of schools in a trust.

To achieve this, your internal scrutiny partner needs to understand how education settings work, and to spend time in your school or trust. Whilst some internal scrutiny can be carried out remotely, it is important that your chosen advisor spends some time on your site(s) so that they can make recommendations that are suitable to your individual setting, adding value to your internal scrutiny process and increasing its effectiveness.

Your internal scrutiny partner should also be able to help you meet the requirements of the ATH listed above, by proactively helping you to plan your internal scrutiny programme and ensure that all different areas of risk are audited and reported on appropriately to your board and the DfE.

Linking your internal scrutiny to your risk register

The aim of internal scrutiny is to provide assurance that risk mitigation processes and management are effective. ESFA guidence² lists internal scrutiny as the 'third line of defence' against risk, the first being operational risk management, second the board overseeing the risk management framework and fourth and final, external audit.

An internal scrutiny programme should therefore be directed by your audit and risk committee, with reference to your risk register. Once risks have been identified, a rolling programme can be developed which ensures core and critical risk controls related to these risks are reviewed regularly.

For example, it would be sensible to build 3-year programme which, over the three year cycle, examines both financial and non-financial elements of your operations. In this way, it is possible to review financial operations annually and to cover the other areas identified by your audit committee. These should include HR processes, data protection and cyber security, risks arising from governance controls, inventory and asset management arrangements along with estates and safeguarding controls. Remember - an effective programme of internal scrutiny focusses on the requirements of your trust and this is ensured by reference to your risk register and the guidance of your audit and risk committee.

Once you see that internal scrutiny is a cyclical part of the improvement process, you can create a culture where recommendations following reviews help build a stronger trust. To achieve this, findings and recommendations from your internal scrutiny should not only be presented to the risk and audit committee and board, but should also feed back into your risk register, with risk categorisation being updated according to findings.

Planning your visit

Planning and preparation for your internal scrutiny audit can help the process run effectively and efficiently.

A planning conversation with your internal scrutiny partner in the weeks before their visit, establishing which systems they will require access to, which paperwork they need to see and which team members they need to meet, is time well spent for both parties.

Reassure your team that your internal scrutiny provider is reviewing systems and practices as a partner to the trust as part of an ongoing improvement relationship - they are not there to 'catch anyone out.' A helpful metaphor for internal scrutiny visits is to liken them to hiring a physical trainer or a sports coach; whilst they will look at what you are doing and tell you how to go it better, they work for you and, ultimately, have your best interests at heart.

In part two of this blog we'll look at steps 5 – 7 for effective internal scrutiny, after an audit has taken place.

Keystone Knowledge's team of school experts are here to help you plan your internal scrutiny and make it an effective tool for your school or trust. Find out more here.

¹Academy Trust Handbook - Part 3: Internal scrutiny - Guidance - GOV.UK (www.gov.uk)

² Academy trust risk management - GOV.UK (www.gov.uk)