Thursday, August 30, 2012

Academies, Responsible Officers and risks: getting the basics right

Tomorrow is the last working day of August. So the long-promised revised Academies Financial Handbook must be quite imminent as it is due this month for the new financial year. When it does arrive on the DfE website, academies and free schools will need to do some thinking about their assurance arrangements.

In the past academies were given somewhat ambiguous and vague advice on who could be appointed as the Responsible Officer (RO) to give assurance to Governing Bodies on internal financial control. That led to a range of approaches – good practice and not-so-good. Given the rhetoric around freedom as well as common sense, the new Handbook will doubtless formalise that flexibility.

In terms of what ROs did, there was more direction if not prescription. The RO was given a list of Suggested System Control Checks to be done on a quarterly basis (in practice for many academies, termly basis). These will, I suspect, go out the window. What will be in their place?

If the RO is to evolve into something resembling internal audit, the RO’s work will be driven by the risk register. That makes sense - the assurance function for control and risk should be informed by the risk register.

But maybe there is a hitch? Many academies – not only new ones – have in place risk registers that look remarkably like the one in the 2006 Academies Financial Handbook. Using a template is a useful aid but organisations have to think about their own specific risks – not simply the generic ones. They need to rigorously review and objectively assess risks. How many do that?

ROs need to start their work with some attention to risk registers. If ROs have knowledge, understanding and experience when it comes to risk management – as well as common sense – they will add real value as well as ensure that their own testing driven by the risk register addresses real risks.

If academies and their ROs can get their risk registers in shape, they can then progress onto assurance mapping. But that will have to be another blog post.


No comments: