If your trustees are asking what the Academy Trust Handbook internal scrutiny requirements mean in day to day practice, you are not alone. Most boards understand the principle: you need a programme of internal scrutiny that provides independent assurance over financial and non financial controls. The part that causes headaches is delivery. What should be in scope? How do you protect independence in a busy trust where everyone wears more than one hat? What does “good” reporting look like at audit and risk committee level? And how do you evidence that assurance is strong enough to support the governance statement and year end accountability cycle?
The 2025 Handbook is clear that every trust must have a programme of internal scrutiny that provides independent assurance to the board that controls and risk management procedures are operating effectively. It also sets out how internal scrutiny should be directed and overseen through an audit and risk committee, plus how findings must be reported and submitted each year. (GOV.UK)
In this article, I am going to translate the requirement into an operating model you can run with confidence. The aim is practical: something that stands up in committee papers, supports a strong governance narrative, and gives trustees a reliable view of where your control environment is strong and where it needs attention.
What the Handbook requires, in plain English
The Handbook states that all academy trusts must have a programme of internal scrutiny that provides independent assurance to the board about financial and non financial controls and risk management. It goes on to say the programme must be risk based with reference to the trust’s risk register, and should take account of other sources of assurance such as external audit and DfE reviews. (GOV.UK)
Those lines matter because they tell you what internal scrutiny is for. It exists to help trustees understand whether the controls they rely on actually work in practice, across the trust. The clearest way to judge whether your programme is doing its job is to listen to the quality of trustee conversation it produces.
When internal scrutiny is working well, the audit and risk committee spends time discussing what the findings mean for risk, capacity, training, and decision making. When it is weak, discussion tends to drift into process detail, reassurance language, or retrospective explanation.
A useful mental model for trustees is that internal scrutiny is part of the trust’s “assurance map”. It helps trustees answer a deceptively simple question: can we reasonably rely on our systems and controls when we make decisions, sign declarations, and commit public money?
Independence is about reporting lines, not just who you pay
Independence is the most common sticking point I see. The Handbook requires independence to be achieved through appropriate reporting lines, where the people carrying out checks report directly to a committee of the board, which then provides assurance to trustees. It also gives a practical example: internal scrutiny must not be performed by members of the senior leadership or finance team. (GOV.UK)
That is a useful boundary, but independence is bigger than job titles. Independence is also about whether the person doing the work can challenge management, report the uncomfortable point clearly, and be heard by trustees without the message being filtered.
The Handbook sets out delivery options and allows trusts to choose what suits their circumstances: in house internal auditor, bought in internal audit service, a non employed trustee, or an independent peer review by a CFO from another trust. Larger trusts with annual revenue income over £50 million must deliver internal scrutiny using an in house internal auditor and or a bought in internal audit service. (GOV.UK)
So what does “good” independence look like in reality?
It usually includes a clear engagement structure approved by the audit and risk committee, a defined scope signed off before fieldwork starts, and direct access from the scrutineer to the committee chair if something serious emerges. It also includes a sensible approach to conflicts of interest. If the scrutineer owns, operates, or designed the process being reviewed, trustees should assume the assurance will be weaker, even if everyone is acting with integrity.
One point that catches trusts out during procurement is the relationship with external audit. The DfE good practice guide highlights that, under the Financial Reporting Council Ethical Standard, a firm providing external audit cannot also provide internal audit services to the same entity, because of threats to objectivity and independence. (GOV.UK) That does not prevent you from buying other support from your audit firm, but it does mean internal audit style services are a red line in many cases. It is worth checking early, so you do not waste time tendering an option you cannot use.
The audit and risk committee is the engine room for assurance
The Handbook requires every trust to establish an audit and risk committee appointed by the board. It also sets expectations about frequency and basic operating discipline, including meeting at least three times a year, having written terms of reference, agreeing a programme of work annually, and having access to internal scrutineers and the external auditor. (GOV.UK)
It also includes membership expectations that trusts should treat as non negotiable. Employees should not be committee members (though the accounting officer and CFO should attend), the chair of trustees should not chair the audit and risk committee, and where audit and risk is combined with another committee, employees should not participate as members when audit matters are discussed. (GOV.UK)
These requirements are not there for tidiness. They protect challenge. Internal scrutiny works when trustees have the space to ask hard questions and follow them through. A confident committee chair will keep pulling discussion back to three themes:
First, what does the finding tell us about risk? Second, what are we doing about it, and how will we know it has genuinely improved? Third, what does this mean for future scrutiny coverage?
The DfE good practice guide reinforces the committee’s role in selecting and instructing internal scrutineers, reviewing progress against plan, and updating the board regularly and at year end. It also makes a helpful observation: committees are most effective when members are prepared to support, challenge, and highlight concerns to the board. (GOV.UK)
That is a polite way of saying that passive receipt of reports does not produce assurance. Trustees do not need to become auditors, but they do need to be willing to interrogate evidence and insist on follow up.
Building a risk led internal scrutiny plan that feels real
The Handbook is explicit that the trust must identify on a risk basis, with reference to its risk register, the areas it will review each year. (GOV.UK) The good practice guide adds detail on how trusts can think about coverage and risk assessment, including the practical reality that your programme will always have financial controls as a core, but can and should extend into wider business systems that affect outcomes for pupils, sometimes indirectly. (GOV.UK)
In strong trusts, the plan is not a list of “usual suspects”. It is a story about the trust’s current risk profile.
A trust growing through expansion might weight reviews towards onboarding controls, due diligence, delegation, and consistency of financial governance across academies. A trust that has had staffing turnover in central finance might focus on reconciliations, payroll controls, and approval routes. A trust implementing new MIS or finance systems might prioritise access controls, data quality, and cyber resilience. The good practice guide explicitly flags areas such as IT systems, cyber security, health and safety, estates management, organisational culture, anti fraud, safeguarding, HR systems, and succession planning as potential areas of review. (GOV.UK)
In my experience, the difference between a credible plan and a thin plan is the link back to risk. If you cannot point to a risk, an incident, a strategic change, a regulatory pressure, or a known weakness, trustees will struggle to explain why that review deserved time and resource.
A practical approach that works for many trusts is to build the plan in two layers. Layer one covers core financial controls that trustees would expect to see reviewed regularly. Layer two rotates around emerging risks and trust specific vulnerabilities. That structure keeps assurance balanced and avoids a programme that never looks beyond finance.
What “good” reporting looks like, without drowning trustees in detail
The Handbook requires regular updates to the audit and risk committee, including a report to each committee meeting and an annual summary report for each year ended 31 August. Findings must also be made available to all trustees promptly. (GOV.UK)
The good practice guide is clear about what that annual report should do. It should summarise areas reviewed, key findings, recommendations, management response and overall conclusions. It also suggests preparing the summary during the autumn term alongside external audit reporting, so the committee can form a holistic picture and the accounting officer has evidence for the statement of regularity and the board has information for the governance statement. (GOV.UK)
There is also a compliance warning that is worth taking seriously. The good practice guide gives examples of documents that are not compliant as substitutes for the annual internal scrutiny report, including extracts copied from the governance statement, extracts from the external auditor’s management letter, or committee minutes. (GOV.UK) If your trust has been tempted to treat the annual report as an “upload exercise”, that section is a clear signal to stop and reset.
For committee reporting during the year, I encourage a format that is consistent enough to allow comparison over time, but short enough that trustees actually read it. Reports should make the scope and evidence base easy to grasp, explain what testing was done, and show what the finding means for risk. Trustees should be able to distinguish between “paper compliance” and “operational compliance”, because the latter is what protects the trust when things go wrong.
Just as important is action tracking. Trustees do not gain assurance from a long list of recommendations. They gain assurance when actions are implemented, embedded, and then re tested where appropriate. If your tracker treats closure as “policy written” or “training delivered”, you will often find the same weaknesses reappear a year later. Closure should be tied to evidence that the control now operates as expected.
The annual summary report and the 31 December submission cycle
The Handbook requires trusts to submit the internal scrutiny summary report to the DfE by 31 December each year when the audited annual accounts are submitted, and to provide other internal scrutiny reports if requested. (GOV.UK)
The accounts direction for 2024 to 2025 also sets out that trusts must submit audited accounts, the external auditor’s findings report, and an annual internal scrutiny report by 31 December 2025, and publish accounts by 31 January 2026. (GOV.UK) The wider DfE financial returns guidance echoes that deadline and lists an annual internal scrutiny report among the documents required by 31 December. (GOV.UK)
The practical point here is timing. If your programme is back loaded into late spring and summer, you can end up writing the annual report with limited follow up, and trustees are left trying to draw conclusions while actions are still half done. A healthier rhythm spreads reviews through the year, schedules follow up in time for autumn term reporting, and gives the committee a genuine year end picture.
Common gaps that put trusts at risk
When internal scrutiny feels weak, it is usually because one or more of the foundations is missing.
Sometimes the plan exists but it is not anchored in the risk register, so trustees cannot show why work was prioritised. Sometimes independence is blurred, with reviews delivered too close to the teams that operate the controls. Sometimes the committee receives reports but has no disciplined way to monitor action closure, so issues drift. And often, reporting focuses heavily on finance while governance, data, estates, and compliance controls receive minimal attention, despite being areas where serious incidents can occur.
The good practice guide is helpful here because it broadens the conversation beyond finance. It speaks about cyber and data protection, business continuity, insurance and risk protection arrangements, and even environmental, social and governance considerations as areas trusts may wish to review. (GOV.UK) You do not need to cover everything every year, but trustees should feel confident that the programme reflects the trust’s real risk profile, not the comfort zone of the delivery team.
A 90 day implementation roadmap that trustees can recognise
If your trust needs to strengthen compliance with the Academy Trust Handbook internal scrutiny requirements, the quickest wins tend to come from governance clarity and reporting discipline, rather than trying to commission lots of reviews immediately.
In the first month, focus on structure. Confirm the audit and risk committee’s terms of reference, meeting schedule, and reporting expectations. Put in place an action tracker that captures owner, due date, and evidence required for closure. Agree how reports will be shared with the full board promptly, not just the committee.
In the second month, move to a risk led plan. Use the risk register as your anchor, then select a small number of reviews that matter, ideally one core financial area and one non financial area linked to your current risk profile. Agree scope and testing approach before fieldwork begins, so the committee knows what assurance it will receive.
In the third month, run follow up as a standard part of the cycle. Choose one area where recommendations are already in progress and ask the scrutineer to test whether controls are now operating effectively. Trustees learn a lot from follow up work, because it reveals whether improvement is embedded or superficial.
By day 90, trustees should be able to explain the programme confidently: why the work was chosen, what was tested, what was found, and how the trust knows actions have reduced risk.
Making internal scrutiny part of how the trust runs
The Handbook says internal scrutiny should take account of output from other assurance procedures, including external audit and DfE reviews. (GOV.UK) In practical terms, this is how you avoid duplication and keep the programme proportionate. If external audit has tested a control heavily, internal scrutiny can focus elsewhere, or test the operational reality behind the control, such as compliance at academy level or consistency across the trust.
Internal scrutiny also works best when it connects to everyday trust rhythms: budget setting, procurement cycles, policy reviews, estates planning, and data returns. If a review lands after decisions have already been made, it becomes retrospective commentary. If it lands before key decisions, it becomes assurance that informs judgement.
How internalscrutiny.co.uk can help
internalscrutiny.co.uk supports trusts that want a practical, Handbook aligned programme that produces clear assurance and useful governance conversation. We help boards design risk led annual plans, deliver independent internal scrutiny across finance, governance and compliance, and provide board ready reporting and action tracking that makes follow up meaningful.
You can map requirements to delivery through our Academy Trust Handbook compliance page, review our internal scrutiny service model, or schedule planning via Book Audit.
Sources
Checked on 24 February 2026.
- GOV.UK, Academy trust handbook 2025: effective from 1 September 2025 (published 25 June 2025, updated 22 October 2025): https://www.gov.uk/government/publications/academy-trust-handbook/academy-trust-handbook-2025-effective-from-1-september-2025 (GOV.UK)
- GOV.UK, Internal scrutiny in academy trusts (published 14 February 2024): https://www.gov.uk/government/publications/internal-scrutiny-in-academy-trusts/internal-scrutiny-in-academy-trusts (GOV.UK)
- GOV.UK, Academies accounts direction 2024 to 2025 (published 31 March 2025): https://assets.publishing.service.gov.uk/media/67e2ae6f148bef6fa4cfdac4/Academies_accounts_direction_2024_to_2025.pdf (GOV.UK)
- GOV.UK, Academies financial returns (updated 7 August 2025): https://www.gov.uk/guidance/academies-financial-returns (GOV.UK)