Internal scrutiny questions answered

Internal scrutiny is independent assurance over your trust's controls, risk management and governance. It helps trustees confirm systems are effective and identifies where controls need strengthening.

No. External audit focuses on annual accounts opinion, while internal scrutiny is a risk-led programme across finance, operations, compliance and governance during the year.

Reports should be presented to the audit and risk committee and trustees, with clear actions for executive leaders and named owners for follow-up.

There is no fixed national number. The trust should agree a risk-led programme that provides enough coverage and depth for effective assurance during the year.

Yes. Single academy trusts can apply the same risk-based internal scrutiny approach with proportionate scope and reporting to trustees.

Evidence usually includes policy documentation, system reports, reconciliations, approvals, committee papers, training records and samples of transactions or controls.

High-quality scrutiny is independent, risk-led, evidence-based, clearly reported and followed by practical action plans with tracked completion.

It provides objective evidence on control effectiveness and progress against risks, helping trustees discharge financial oversight and governance responsibilities.

Yes. The strongest programmes start from your trust risk register, current pressure points and known control vulnerabilities.

Yes. Governance scope can include board skills, declarations of interest, committee terms of reference and decision-making controls.

The committee approves the plan, receives reports, monitors actions and gives trustees confidence that control weaknesses are addressed.

Reviews test register completeness, declaration timeliness, policy compliance and evidence that procurement decisions were managed appropriately.

Yes. Sector specialists can share anonymised good practice patterns and highlight practical improvements seen in comparable trusts.

Actions should be logged with owner, deadline and status. Progress should be reviewed termly and escalated where implementation is delayed.

Plan approval should happen before delivery starts, typically early in the financial year after risk review and committee discussion.

Trusts need an annual summary of internal scrutiny activity and findings for trustees. It should cover work delivered, key findings and action progress.

Both. Reviews should test policy existence, sign-off and whether controls are operating in day-to-day practice.

At least termly for core statutory items, with immediate rechecks after major staffing or governance updates.

Yes. Delivery should align to governance cadence so findings can inform committee discussions and trustee decisions promptly.

High-risk actions should usually have immediate controls, with formal resolution deadlines set and monitored by executive owners and committee oversight.

Yes. Mid-year control testing and action follow-up reduce year-end surprises and strengthen accounts and governance evidence quality.

Our 2025-26 remote internal scrutiny day rate is £775, including reporting to trustees.

Yes. Multi-day packages include discount tiers and bundled termly reporting plus annual summary output.

Yes. Remote, on-site and hybrid models are available. On-site visits are charged separately from remote package rates.

Standard scope spans finance controls, payroll, governance, policy compliance, IT, cyber, website compliance, curriculum efficiency and safeguarding/data areas.

Yes. Scope can be prioritised to your highest-risk areas, with a bespoke plan agreed at planning stage.

Yes. Remote attendance for trustee or committee reporting is included where required within agreed packages.

Some specialist reviews can carry additional costs when niche expertise or expanded fieldwork is required.

We review trust context, risk register priorities, prior findings and governance cadence, then agree practical scope and timings.

Remote reviews use secure document requests, system evidence, interviews and sample testing with scheduled checkpoints.

Timing depends on scope complexity, data readiness and trust size, but most modules run over a defined window with clear milestones.

Yes. Draft discussion and clearance meetings are used to validate evidence and finalise practical recommendations.

Final reports include scope, method, findings, risk assessment, strengths, recommendations, owners and suggested implementation timescales.

Yes. Programmes are commonly structured in termly phases to support timely committee oversight and action tracking.

Book an audit planning call, share key trust context and risk priorities, and we can draft a scoped plan for governance approval.

Yes. Cyber modules can assess governance controls, operational security practices and priority remediation actions.

Yes. Reviews can test policy coverage, DPIA process quality, subject access response processes and practical compliance controls.

Safeguarding audits can include SCR quality, governance oversight, policy implementation and evidence of practice against current expectations.

Yes. Scope can include access control, visitor management, alarm monitoring and lockdown response process readiness.

Yes. We can structure integrated assurance reporting where cyber, GDPR and safeguarding controls overlap operationally.

We work with controlled evidence handling, least-access sharing and clear retention boundaries in line with agreed engagement terms.

Yes. We offer modular and bespoke scopes when targeted assurance is required in a specific control domain.

Common bespoke requests include estates controls, curriculum planning assurance, SEND income usage, VAT, fixed assets and quality assurance process reviews.

Scope is designed from risk context, governance priorities and intended decision outcomes, then documented in a clear internal scrutiny plan.

Yes. We can combine curriculum, operations and finance controls when risks span multiple leadership domains.

Yes. Where specialist expertise is required, trusted sector associates are engaged to ensure robust technical review quality.

Yes. Programmes can be revised when risk exposure changes, for example after incidents, leadership change or major structural updates.

After planning and governance approval, bespoke modules can be scheduled quickly depending on evidence readiness and specialist availability.

Yes. Bespoke reviews still produce structured evidence and recommendations suitable for audit committee and trustee oversight.

MYAUDIT.school is used to register, book audits and track compliance progress across all schools and reporting periods in one place.

Yes. Registration is free and gives trusts a starting point for structured audit and compliance tracking workflows.

Yes. The platform is designed to support trust-wide visibility across multiple schools and timelines.

Yes. You can use the platform for planning, booking and progress tracking alongside delivered scrutiny services.

Most trusts allocate ownership to central finance or governance leadership, with role-based access across operational contributors.

Yes. Centralising actions and status supports clearer evidence trails ahead of committee reporting and annual assurance cycles.

Use the register free link, create your trust account, and then book your first audit or setup your compliance tracking baseline.