What Trustees Must Evidence for Internal Scrutiny Assurance

Trustee evidence for internal scrutiny is about proving, calmly and clearly, that the board’s assurance is real. Not performative. Not based on good intentions. Real assurance is current, evidence-backed, and useful for decision-making.

Most academy trust boards do not need to see every test sheet or every sample item. Trustees are not there to re-perform the work. They are there to govern. But they do need enough evidence to show that internal scrutiny is risk-led, independent, properly overseen, and followed through until control weaknesses are genuinely addressed.

The Academy Trust Handbook is explicit that trusts must have sound internal control, risk management and assurance processes using a tiered approach that includes internal scrutiny overseen by an audit and risk committee. (GOV.UK) That is the baseline expectation. The hard part is turning it into a set of board-level artefacts and habits that stand up to challenge, survive leadership change, and actually improve the control environment across schools.

This guide focuses on what trustees should require, what “good evidence” looks like in practice, and how to structure board packs so oversight feels confident rather than frantic.

Start with the trust’s control story, not the scrutiny reports

Boards often fall into a trap: internal scrutiny is treated as a series of individual reports, and governance becomes a discussion about each report in isolation. That creates noise. Trustees end up debating details, and the bigger questions drift.

A better approach is to treat internal scrutiny as part of the trust’s overall control story. The Handbook sets out what internal scrutiny must focus on: evaluating suitability and compliance with financial and non-financial controls, offering advice and insight on how to address weaknesses, and ensuring all categories of risk are adequately identified, reported and managed. (GOV.UK)

If that is the purpose, trustees need evidence that answers three board-level questions.

Are we looking in the right places, at the right time, for the right reasons?

Do we trust the findings, because the work is independent and evidence-based?

Are weaknesses being fixed in a way that reduces risk, rather than generating action plans that look busy?

Once trustees organise their evidence expectations around those questions, internal scrutiny becomes easier to govern.

The minimum evidence trustees should be able to point to

When someone asks a board, “How do you know your internal controls are working?”, trustees should not have to rely on personal confidence or informal updates. They should be able to point to a small set of documents and routines that show the assurance chain is intact.

The Academy Trust Handbook provides helpful structure here. It requires the trust to identify, on a risk basis and with reference to the risk register, the areas it will review each year. It also sets out audit and risk committee duties, including overseeing and approving the programme, ensuring risks are addressed appropriately, and reporting to the board on the adequacy of the internal control framework. (GOV.UK)

In practical terms, trustees should expect evidence in five areas:

  1. Planning evidence that shows why the programme looks the way it does
  2. Delivery evidence that shows what was tested, what was found, and how reliable the findings are
  3. Follow-up evidence that shows whether actions are genuinely closed, with proof
  4. Oversight evidence that shows challenge, decisions, and escalation where needed
  5. Year-end synthesis evidence that draws a defensible assurance conclusion for the year

That sounds like a list, but it is really a story: plan, do, learn, fix, and report.

Planning evidence: what trustees should see before the year starts

A risk-led plan is more than a timetable. It is a set of choices, and trustees should be able to see the logic behind those choices.

The audit and risk committee is expected to review and approve a risk-based programme of internal scrutiny each year, monitor updates, and update the board on progress and recommendations regularly and at year-end. (GOV.UK) So the planning evidence should not feel like a management document that trustees simply “note”. It should be something the committee genuinely owns.

In a strong trust, the planning pack is usually short and readable, and it includes:

  • a clear link to the risk register, showing which risks are being tested and why
  • the rationale for timing, especially where higher-risk areas are scheduled early
  • clarity on who will deliver the work and how independence is protected
  • an explanation of how internal scrutiny will take account of other assurance work, such as external audit and DfE reviews, so effort is not duplicated

The aim is confidence, not perfection. Trustees do not need to see an over-engineered scoring model. They need to see that the programme is based on risk and reality, not habit.

Independence evidence: what proves the work is objective

Independence is one of those words everyone agrees with, but trusts sometimes struggle to evidence it cleanly, especially where capacity is tight.

The Handbook states that independence must be achieved through appropriate reporting lines, with those carrying out checks reporting directly to a committee of the board, and it also states internal scrutiny must be independent and objective and must not be performed by members of the senior leadership or finance team. (GOV.UK)

So what should trustees actually hold as evidence?

Not a statement saying “the work is independent”. Evidence that the operating model makes it independent.

That usually includes terms of reference for the audit and risk committee, a clear appointment route for the internal scrutineer or provider, and committee access to the scrutineer without management filtering. It also includes an obvious conflict check. Trustees should be able to see that the reviewer is not testing a process they own, and that ratings and conclusions are not rewritten in “safer” language before they reach governance.

A simple practical indicator is who controls the agenda. If internal scrutiny reporting is always introduced and summarised by management, with no direct questions to the scrutineer, independence can start to feel theoretical. If the scrutineer is present, can speak freely, and can be challenged directly by trustees, independence is easier to defend.

Delivery evidence: what makes reports board-usable

Trustees often receive reports that are technically fine but governance-poor. They might be long, detailed, and full of sensible recommendations, yet still leave the board unsure what matters most.

The Handbook requires regular updates to the audit and risk committee, including a report of the work to each committee meeting. It also requires an annual summary report for each year ended 31 August outlining areas reviewed, key findings, recommendations and conclusions, to support action and year-on-year progress. (GOV.UK)

That requirement tells you what “good” looks like: clarity on scope, findings, actions, and conclusions that allow trustees to track improvement over time.

In practice, trustees should expect each review report to answer four questions, plainly:

What did you test and why that area?

What did you find that increases or reduces risk?

What actions are required, by when, and who owns them?

How will we know the actions have worked?

If any of those questions are not answered, trustees cannot govern effectively, and the work will feel like paperwork rather than assurance.

Follow-up evidence: where boards either build confidence or lose it

Most boards I work with are comfortable discussing findings. Where confidence collapses is follow-up. Actions remain open for months, status updates become optimistic, and repeat findings appear next year with slightly different wording.

The internal scrutiny good practice guide is clear that the audit and risk committee should assess and advise on the implications of scrutiny results and ensure continuous improvement of the system of internal control. (GOV.UK) That does not happen without disciplined follow-up.

Boards do not need a complicated tracker. They need a truthful one.

A strong action tracker distinguishes between:

  • completed (the owner says it is done)
  • verified closed (someone independent has checked evidence and is satisfied risk has reduced)

That distinction is one of the quickest ways to improve trustee assurance. It stops the quiet drift into status-only reporting.

For higher-risk actions, trustees should expect to see closure evidence attached or linked, a clear description of what changed, and a verification note that explains what was checked. If closure cannot be fully evidenced yet, the report should say so and describe the interim control in place.

Oversight evidence: how trustees demonstrate challenge and decision-making

It is easy to say “the committee challenged robustly”. It is harder to evidence it.

Evidence of oversight usually comes from committee papers and minutes, but boards sometimes forget that minutes need to capture the substance of challenge, not only the fact that a report was received. If minutes show repeated receipt of updates with no clear decisions, it becomes difficult to demonstrate active oversight.

The audit and risk committee’s responsibility includes reporting to the board on the adequacy of the internal control framework. (GOV.UK) To do that credibly, trustees need to show that when significant weaknesses appeared, governance responded.

In practice, that means evidence of:

  • follow-up being requested where risk is high
  • deadlines being tightened or escalations agreed where actions drift
  • scope being re-prioritised when the risk profile changes
  • capacity and resourcing decisions being made when weaknesses are structural, not incidental

A useful trick is to include a short “decisions required” section in each termly pack. It keeps the meeting focused on governance, and it makes minute-taking cleaner.

What a strong board pack looks like, without drowning trustees in detail

The best board packs feel calm. They do not try to include everything. They make it obvious what trustees need to look at and what needs a decision.

A governance-friendly pack usually includes:

  • progress against the annual programme, with changes explained
  • the top findings by risk, written in plain language
  • overdue high-risk actions, with owners and revised dates
  • a short trend view showing recurring themes across schools or functions
  • any escalation triggers that have been met and proposed responses

You can carry supporting detail in appendices, but the main pack should be readable in one sitting. Trustees should not have to work hard to identify the trust’s biggest unresolved control risks.

A quick “evidence map” trustees can use

| Stage | What trustees should be able to evidence | What often goes wrong |
| --- | --- | --- |
| Planning | Risk-linked annual plan approved by committee, with clear rationale | Plan repeats last year’s topics without risk logic |
| Delivery | Reports show scope, testing approach, clear findings and actions | Reports are descriptive, with unclear risk implications |
| Follow-up | Action tracker distinguishes completed from verified closed | Closure is status-based, with limited evidence |
| Oversight | Minutes show challenge, decisions, and escalation | Minutes show receipt only, with no governance response |
| Year-end | Annual summary gives a defensible assurance conclusion and priorities | Annual summary lists activity but avoids judgement |

This is not a bureaucratic checklist. It is a way for trustees to protect their time and ensure the essentials are covered.

Termly challenge questions that improve oversight quality

Trustees often ask, “What should we be challenging?” The answer is not to ask more questions. It is to ask a small number of questions repeatedly, so trends become visible and accountability stays sharp.

Here are six that work well in most trusts:

  1. Does this term’s scrutiny work cover our highest current risks, or have we drifted into comfortable topics?
  2. Which high-risk actions are still open, and what is stopping closure?
  3. What evidence do we have that closed actions have reduced risk in practice?
  4. Where are findings recurring, and what is the root cause behind the recurrence?
  5. Do we need to re-prioritise the programme due to emerging risk or change?
  6. What decisions do you need from us to remove barriers, such as capacity or systems issues?

These questions link directly to the committee’s oversight role and keep the focus on risk reduction rather than report acceptance.

Escalation triggers that trustees should agree in advance

Escalation works best when it is pre-agreed. It avoids awkward debates about whether something is “serious enough” when everyone is already under pressure.

Practical escalation triggers often include:

  • a high-risk action overdue beyond an agreed tolerance
  • a repeat high-risk finding in the same control area
  • a management response that does not address root cause
  • a significant control failure that affects compliance, transparency, or funding-related submissions

The Handbook expects the audit and risk committee to ensure risks are being addressed appropriately. (GOV.UK) Pre-agreed triggers support that, because the response is not personal. It is procedural.

Year-end evidence: what trustees need for the annual summary and regularity

Year-end reporting is where trustee evidence is tested. It is also where weak follow-up becomes painfully visible.

The Handbook requires an annual summary report for the year ended 31 August, and the internal scrutiny summary report must be submitted to DfE by 31 December alongside audited accounts. (GOV.UK) Trustees should expect the annual summary to do more than list reviews. It should make a defensible statement about assurance, including where assurance is strong, where it is limited, and why.

The internal scrutiny good practice guide also notes that the audit and risk committee should consult with the accounting officer because the outcome of internal scrutiny may impact the accounting officer’s statement of regularity in the annual accounts. (GOV.UK) That is a subtle but important point. Year-end assurance is not only a governance narrative. It links to formal statements within the accounts, and trustees should be confident that what they are signing off is consistent with the evidence.

If there are unresolved high-risk issues at year-end, trustees should expect clear disclosure of the limitation and an explanation of what interim controls are in place. Boards sometimes fear that acknowledging limited assurance looks bad. In practice, it often looks more credible than overstating confidence.

Evidence resilience: can your assurance survive change?

One of the simplest tests of a board’s evidence quality is resilience. Could a new trustee join the committee and, using the pack, identify the top unresolved risks, the actions in flight, and the quality of closure evidence without needing a private briefing?

If the answer is no, the reporting architecture needs improvement, even if the reviews themselves are strong. Trusts sometimes become over-dependent on a small number of people who “hold the story” in their head. Good governance systems do not rely on that.

The Academy trusts governance guide explains that “must” and “should” language is used to distinguish legal and regulatory requirements from minimum good practice, and it frames high-quality governance as sustainable and effective rather than personality-driven. (GOV.UK) Resilient assurance reporting is part of that sustainability.

How internalscrutiny.co.uk can help

At internalscrutiny.co.uk, we help trustees and audit and risk committees build evidence frameworks that support effective challenge and defensible assurance conclusions. That includes board pack design, reporting structures that make risks and actions easy to see, and follow-up models that distinguish completion from verified closure.

You can align trustee assurance activity via our Academy Trust Handbook compliance page, our internal scrutiny service, or direct planning through Book Audit.

Sources

Checked on 24 February 2026.

  1. GOV.UK, Academy trust handbook 2025: effective from 1 September 2025
  2. GOV.UK, Internal scrutiny in academy trusts (good practice guide)
  3. GOV.UK, Academy trusts: governance guide
  4. HM Treasury, Audit and Risk Assurance Committee Handbook (referenced from the Academy Trust Handbook)
