Sam CoutinhoAccountant Sam Coutinho reports on why internal audit should be a priority since charities are becoming ever more complex. Yet internal audit budgets are being cut significantly or even eliminated

In the schools sector, only academies are required to ensure independent checking of financial controls, systems, transactions and risks. Although there is no requirement for independent schools to do the same, there is some good practice in the academy sector to draw upon that could help the sector to manage risk better.

The responsibility

Governors are responsible for ensuring there are systems and controls to safeguard the assets of the school. ‘The essential trustee’ (CC3) sets out that one of the key responsibilities of governors is to manage the resources of the charity responsibly. Specific reference is made to managing risks and ensuring the best use of resources which is imperative in this current climate.

The governors are ultimately responsible for the charity and are responsible for safeguarding the assets of the school. To do this they need to ensure there are adequate systems and internal controls in place. For the majority of schools, this assurance is mainly gained at the time of the external audit where the auditors will provide their true and fair opinion on the financial statements and issue their management letter, setting out any weaknesses and recommendations to strengthen the processes. That said, the external can only provide limited assurance on the financial systems regarding the income, expenditure, assets and liabilities of the school. There is often a misunderstanding with governors regarding the scope of the external audit and the opinion being given.

Ready for autumn

It is also important to note that school audits are generally performed in the autumn, soon after the financial year-end and the accounts will be signed, if not before Christmas, within the first quarter of the calendar year. Therefore, for the remaining year it’s unlikely the financial systems and controls will be reviewed again unless there’s a problem. This means that even if reliance is being placed on external audit for most of the year, there is no checking of controls.

Unlike external audit, internal audit not only ensures systems and controls are operating as intended, but that they are the best way of achieving the objectives.

Here are three ways internal audit can add value:

• Working smarter: it has never been more critical for schools to ensure they are operating as efficiently and effectively as possible. Financial models are being challenged for many reasons, ranging from teachers’ pensions to political uncertainty and now Covid-19. At this time, we should not be taking comfort that systems are operating as expected but challenging ourselves on whether they could be operating more efficiently with fewer resources.

• Identifying risk: schools will have systems and processes that have been in place for many years and if not connected to the statutory audit may never have been reviewed. Internal audit can be a good way to review working practices, not only to ensure they are working, but to identify potential risk areas for the school. Schools have started to use internal audit to review areas such as safeguarding compliance, effectiveness of risk management, and the strength of governance, including board effectiveness.

Introducing an internal audit programme should be something that is considered seriously, as an effective audit plan will cover a wide range of areas that are often not considered as part of the external audit and are fundamental to the success and sometimes survival of the school.

How to review risk management

Most charities and schools will have a risk management process which follows the Charity Commission guidance and reporting requirements, which means risks are identified, assessed, managed, controlled and reported. While this could be considered to be an effective risk management process, it does not mean that the school has effective risk management. Effective risk management will identify the major risks that can break the school and ensure those charged with governance are focusing on the right risks and the strategy to manage them. It will also mean that risk management is truly embedded in the school and not reviewed once a year before the statement is made in the governors’ annual report.

How effective is risk management?

I have set out below three areas that should be considered in reviewing the effectiveness of your risk management.

INSERT TABLE p41

• Identification of risk and the appropriate controls: identifying risks can help to investigate what can go wrong. Understanding the cause of the risk will help to explain why things go wrong, how they can go wrong and when they can go wrong.

Why does it matter? By understanding the risk to this extent, the charity is able to ensure there is a ‘risk action plan’ that addresses preventing the risk event happening in the first place and limiting its impact. “It is unlikely that a risk register will explain any impact on the school itself; rather it will assign an impact rating. Often, however, the controls are insufficient to manage the risks properly. For most charities the major risks on an organisation will require more than two or three bullet points in the risk register’s controls box.

While it’s impractical to look at every risk in this level of detail, it’s important for the five to ten major risks that could break your organisation.

• Classification of risks: classifying risks so that they align with the organisation’s objectives and operations will ensure more relevant and embedded risk management.

The majority of schools follow the Charity Commission guidance ‘Charities and risk management’ (CC26) which was published in 2010 and updated in 2017. The guidance is simple and easy to follow, and suggests categorising risks into governance, operational, finance, environmental and external, and law and regulation compliance risks, but notes there are other risk classification models that could be used.

As schools have become more complex, with both the internal and external environments changing, it may be that this classification system may not be the most helpful. The purpose of the classification system is to help identify risks and then categorise them alongside similar or related risks. This should lead to more effective risk management.

While it would not be beneficial to start reorganising comprehensive risk registers that have been established for many years, it would be a valuable exercise to review your strategy and business objectives to ensure key areas that could have a significant impact on the success of the charity are represented separately. Areas that are often lost within the volume of the register are IT risks, the risk of fraud, risks associated with major capital development projects and strategic risks.

• Identification of risks that will truly break the school: engaging governors with risk can be a challenge and reviewing a 30-page spreadsheet is never That said, governors need to know risk is being managed properly and that for the major risks there is a strategy to manage them which is being implemented and monitored. The way risks are reported to governors needs to be reviewed. They also need to be part of the risk identification process regarding strategic, governance and external risks.

Sam Coutinho is the principal of Sam Coutinho Consulting.