Common Findings in Procurement, Payroll and Governance Reviews

Common internal scrutiny findings in academy trusts are rarely surprising. Most of us can predict the headlines before fieldwork starts: a procurement trail that is thinner than it should be, payroll changes that lack a clear audit trail, and governance records that are technically “there” but not consistently current or easy to evidence when challenged. Trusts of very different sizes can end up with remarkably similar findings, because the underlying pressures are similar too. People are busy, schools are varied, and central teams are often stretched trying to standardise process without crushing local autonomy.

The Academy Trust Handbook (ATH) expects trusts to have a programme of internal scrutiny that provides independent assurance over financial and non-financial controls and risk management procedures. It also expects internal scrutiny to evaluate suitability of controls and compliance with them, and to offer advice and insight to the board on how to address weaknesses. (gov.uk) The internal scrutiny good practice guide reinforces that this is meant to be a risk-based, board-usable assurance process, not a file-checking exercise. (gov.uk)

So when procurement, payroll and governance findings keep recurring, it is worth treating that as a signal about the control environment, not a criticism of individuals. Repetition tends to point to one of two things. Either the control design does not fit real workflow, so people bypass it under pressure, or the follow-up discipline is not strong enough to confirm that fixes have genuinely landed.

This blog sets out the most common finding themes in procurement, payroll and governance reviews, explains why they recur, and offers a practical 0-30-60-90 day remediation model that aims for verified closure rather than optimistic status updates.

Why findings recur even when policies exist

Trusts often have decent policies. In fact, many policies are well written, technically compliant, and approved on time. The gap appears between “policy exists” and “control operates”.

A few patterns show up repeatedly.

The first is that controls are documented but not embedded. A procurement policy might say three quotes are required over a threshold, but the template people use day to day does not capture the reasoning, and the filing approach means evidence gets lost across inboxes and shared drives.

The second is ownership drift. Controls that sit across teams, such as HR to payroll reconciliation, or contract management between operations and finance, often end up being “everyone’s job”, which becomes nobody’s job when deadlines bite.

The third is that approvals happen, but evidence does not. Many trusts are making sensible decisions, but they are not consistently recording the decision, the delegated authority route, the value-for-money rationale, or the conflict management steps. That becomes a governance vulnerability later, because internal scrutiny can only assure what it can evidence.

The fourth is follow-up weakness. A finding is raised, an action is marked complete, and everyone moves on. The trust then discovers, at the next review, that the old behaviour has returned because the fix was not anchored into routine process. This is one reason the internal scrutiny good practice guide stresses planning, reporting and follow-up as a joined-up governance activity rather than standalone visits. (gov.uk)

In my view, recurring findings should be treated as a maturity signal. They are telling you where the trust needs either simpler controls, clearer ownership, or stronger second-line checking.

Procurement: the finding themes that keep coming back

Procurement findings tend to frustrate trusts because they often feel like “paperwork issues”. In practice, procurement is one of the clearest windows into trust culture. It shows whether people consistently pause to evidence value for money, whether conflicts are handled properly, and whether delegated authority is being followed when decisions are made at speed.

A typical cluster of procurement findings includes weak value-for-money evidence, missing quotation or tender trails at higher spend levels, inconsistent approval evidence against delegated authority rules, and limited contract monitoring once a supplier is appointed. These are not abstract compliance points. They drive three real risks: overspend, challenge from stakeholders, and avoidable irregularity concerns.

Related parties and conflicts are also a common flashpoint. The DfE has separate guidance on managing conflicts of interests, related party relationships and related party transactions, which sets out good practice principles for handling these situations. (gov.uk) Even where a trust believes it is acting properly, poor documentation of the conflict management process can quickly undermine confidence.

What tends to make procurement findings recur is that the “control” is often spread across multiple steps: specification, competition, approval, ordering, receipt, payment, and contract management. If any one of those steps is weak, the file looks incomplete. Trusts then respond by asking for “more documentation”, which sometimes makes things worse because people feel overburdened and revert to shortcuts.

A better approach is to standardise evidence expectations for a small set of high-risk procurement moments. If you can reliably evidence the decision points, you will usually reduce repeat findings quickly.

In practice, that often means having a short, standard procurement evidence pack for higher value purchases, and insisting it captures a small set of essentials: the value-for-money rationale, the route to market or quotation approach, the approval route with delegated authority, and any conflicts declared and managed. It should be easy to complete and easy to store centrally.

Contract management is another repeat issue. Trusts often do the hard work at procurement stage, then fail to record performance monitoring, renewal decisions, or contract variations. When internal scrutiny returns later, the trust can show how it appointed a supplier, but not how it managed the relationship. That gap is avoidable, but it needs a light-touch routine, not a large new process.

Payroll: why small control gaps become big assurance issues

Payroll is a high-impact domain because small errors scale quickly. A single weak control, repeated across multiple starters and changes, can create financial loss, staff mistrust, and time-consuming corrections. It also attracts governance attention because payroll controls underpin regularity and proper use of funds.

Common payroll findings include inconsistent starter and leaver processing, insufficient evidence of authorisation for payroll changes, weak reconciliation between HR records and payroll outputs, delayed resolution of payroll exceptions, and limited independent review of key controls.

These findings usually recur for one of three reasons.

First, the joiner and leaver process spans roles. HR, school administration, IT access, and payroll each touch the process, and trusts often struggle to make ownership explicit. When a leaver is processed late, it is rarely because someone chose to ignore the process. It is because the handover point was unclear or the trigger was missed.

Second, payroll change authorisation can become informal. In busy periods, changes are agreed in conversation, or via email chains, and then input to the payroll system. Internal scrutiny then asks for evidence of approval and finds it scattered. The trust may have made the right change for the right reason, but it cannot prove it consistently.

Third, reconciliation is often treated as optional. A trust might reconcile payroll totals at a high level, but not reconcile changes back to HR records, contracts, or pay awards. That leaves the trust exposed to overpayments, underpayments, and delayed corrections.

A strong practical control response is usually built around clarity and repetition. One standard payroll change form or workflow, used for all changes, can improve audit trail quality quickly. A monthly exception review, with named reviewer and documented outcomes, can reduce recurring errors. Segregation matters too. Where one person inputs changes and also “checks” the output, assurance will remain weak. Trusts do not always have the luxury of perfect segregation, but they can usually introduce an independent review step for the highest risk changes.

Follow-up matters in payroll because one good month is not enough. If internal scrutiny tests one pay cycle and declares closure, the trust can still fall back into poor habits the next month. The more convincing approach is to confirm control operation over several pay cycles, especially after peak recruitment periods.

Governance: transparency, records, and the basics that boards are judged on

Governance findings are often dismissed as administrative, until they are not. When governance records are incomplete, outdated, or inconsistent, it becomes harder for trustees to demonstrate oversight and harder for leaders to defend decisions under challenge.

The DfE governance guide emphasises the board’s role in accountability and assurance, and it explicitly links effective risk management and assurance to the trust’s governance approach. (gov.uk) The ATH reinforces this through expectations about audit and risk committee oversight and the trust’s internal control framework. (gov.uk)

Common governance-related findings include interests declarations not being updated promptly, governance records that do not match what is happening in practice, minutes that do not clearly capture challenge or decisions, and weak oversight of overdue internal scrutiny actions.

Website publication duties can also appear here, because the website is often where governance transparency is tested publicly. When trustee details, interests, or required documents are outdated online, it becomes a visible indicator of governance discipline.

What makes governance findings recur is that governance is often run on goodwill and memory. Someone remembers to chase declarations, someone remembers to update the website, someone remembers to tidy minutes after a meeting. When that “someone” changes role, the control disappears. The trusts that reduce repeat governance findings are the ones that systemise a few basics: a termly governance compliance check, a clear owner for publication updates, and an action tracker that is actively used by the audit and risk committee.

The root causes that sit underneath all three areas

Procurement, payroll and governance can look like separate workstreams, but the recurring themes often share the same root causes.

Control design is not matched to operational reality. People bypass steps because the steps are too slow or too complex for the pace they work at.

Accountability is unclear, especially where a control crosses functions. If nobody can say who owns “the last mile” of evidence, it will remain inconsistent.

Training is inconsistent, particularly when roles change. Processes that rely on tacit knowledge are fragile.

Evidence standards are weak. Trusts accept “done” without asking, “how do we know, and where is the proof”.

Independent re-testing is limited, so closure is based on hope rather than confirmation.

If you address these root causes, the repeat findings usually reduce without needing a dramatic overhaul.

A 0-30-60-90 remediation model that aims for verified closure

The biggest practical improvement you can make is to separate “completed” from “verified closed”. That single distinction changes behaviour, because it forces you to define what proof looks like.

A 0-30-60-90 model works well because it creates urgency, but still allows time for behaviour change to embed before you make an assurance judgement.

Day 0: Triage and containment

Day 0 is not a meeting for reassurance. It is where you assign a named owner, agree the risk rating, and decide what must happen immediately to prevent the issue worsening. For procurement, that might mean pausing a contract award until conflict checks are documented. For payroll, it might mean implementing a temporary independent review step for changes before the next pay run. For governance, it might mean updating interests declarations and agreeing a timetable for ongoing checks.

By Day 30: Stabilise the control

By this point, you are looking for visible control improvements, not perfection. The best 30-day actions are the ones that make it easier for staff to do the right thing. That often means a simplified evidence pack for procurement decisions, a standard payroll change workflow, and a clear governance checklist with owners.

By Day 60: Embed and prove operation

Day 60 is where you start collecting evidence that the new approach is operating routinely. For procurement, you might sample several purchases and check that the evidence pack is completed and stored centrally. For payroll, you might confirm authorisations and reconciliation are happening consistently across multiple pay cycles. For governance, you might check that declarations, minutes, and publication updates are being maintained without chasing.

If a high-risk finding is still drifting by Day 60, that is usually the moment for escalation. It may indicate capacity constraints, a system limitation, or leadership attention being pulled elsewhere. Governance needs sight of that reality, not a softened update.

By Day 90: Independent re-test and closure decision

Day 90 is the assurance point. Someone independent of the day-to-day process should re-test the control and confirm whether closure is justified. Where full closure is not possible, the trust should record the residual risk position and any interim controls in place.

This model aligns well with the wider assurance expectations in the ATH and the internal scrutiny good practice guide, because it reinforces follow-up discipline and supports committee oversight that is based on evidence. (gov.uk)

Closure evidence that trustees can rely on

Trustees do not need a huge evidence library, but they do need confidence that closure claims are real. A practical closure framework usually includes:

A clear statement of what changed and how it reduces risk.

Evidence attached or linked, such as a completed procurement pack, payroll authorisation trail, reconciliation record, or governance compliance check output.

The name of the person who verified closure, and the date of verification.

A residual risk note where the issue cannot be fully closed yet, with an interim control plan.

One habit that works well is a short end-of-term “closure quality” review. Pick a small sample of actions marked closed that term and check whether the control is still operating. If it is not, you have discovered a pattern early, before it becomes the next year’s recurring finding.

Using recurring findings to improve next year’s internal scrutiny programme

Recurring themes should shape your next internal scrutiny plan. If procurement evidence is repeatedly weak, you may need a more focused review of delegated authority and contract management rather than another broad procurement compliance check. If payroll issues cluster around starters and leavers, you may need a joiners and leavers thematic review across HR, payroll, and IT access controls. If governance findings recur, a termly governance controls review can be a smart investment because it protects trustee assurance across multiple domains.

The internal scrutiny good practice guide describes the relationship between the risk register and internal scrutiny as iterative, with findings informing risk scoring and updates. (gov.uk) That same iterative approach should apply to programme design. When a theme repeats, the programme needs to change, not just the wording of the recommendation.

How internalscrutiny.co.uk can help

internalscrutiny.co.uk supports trusts in turning recurring procurement, payroll and governance findings into measurable control improvement. We focus on root-cause clarity, action quality, and verified closure evidence that trustees can use with confidence. That includes targeted review work, practical remediation planning, follow-up testing, and committee-ready reporting that distinguishes “completed” from “verified closed”.

You can align this with our bespoke audit support, governance Q&A resources in FAQ, or immediate intervention planning through Book Audit.

Sources

Checked on 24 February 2026.

  1. GOV.UK, Academy trust handbook 2025: effective from 1 September 2025 (updated 22 October 2025), including internal scrutiny expectations and the trust control framework. (GOV.UK)
  2. GOV.UK, Internal scrutiny in academy trusts (good practice guide, published 14 February 2024), including planning, reporting and follow-up expectations. (GOV.UK)
  3. GOV.UK, Academy trusts: governance guide (published 19 November 2025), including governance expectations on assurance and risk management. (GOV.UK)
  4. GOV.UK, Managing conflicts of interests, related party relationships and related party transactions: good practice guide (published 1 September 2025), relevant to procurement integrity and documentation. (GOV.UK)
