EFA asks academy principals and boards to think about fraud

Today the chief executive of the Education Funding Agency sent a letter to accounting officers (i.e. principals) at all academies in England. It reminded them of the requirements in relation to fraud, connected parties and special payments.

The letter included an annex setting out questions for principals and trustees to consider in order to minimise the risk of fraud or irregularity:

• Authority – Do you have a written scheme of delegation, approved by the trustees, so that individuals are clear about their levels of financial authority?
• Purchasing – Are you confident you are procuring all goods and services in an open, competitive and transparent way?
• Payroll – Do you have robust controls for payroll including checks that payments are for the right amounts and paid to bona fide employees?
• Oversight – Do you ensure that financial reports are produced that fairly reflect the activity at the trust, that they are properly reconciled at least monthly and are shared regularly with the trustees for formal review?
• Cash management – Are your bank accounts reconciled at least monthly?
• Assets – Is all of the trust’s property under proper control and measures in place to prevent loss or misuse?
• Segregation – Do you have appropriate separation of responsibility in your finance team? And are you providing proper management support to your finance staff to help them to operate in a role where they are well-placed to provide you with a “first line of defence” in terms of upholding propriety, regularity and value for money in the use of public funds?
• Records – Do you have robust procedures for recording, documenting, evidencing and monitoring information and especially the reasons for entering into major spending commitments?
• Scrutiny and audit – Do you have properly constituted arrangements for internal review (such as a responsible officer or internal auditor) to give you and trustees a further safeguard that the trust’s financial systems and controls are operating effectively and efficiently? Does the trust debate, and agree how to act upon, recommendations arising both from these internal reviews and from the work of its external auditors?
• Risk – Do you have an effective process for identifying and responding to the major risks that the trust faces?

These are all basic and sensible measures.

Next month I will be talking about fraud risk at the EdExec Live conference. I will be explaining what more academies can do to protect themselves from fraudsters both inside and outside their organisations.

Fraud in schools - some thoughts on the DfE's risk indicator checklist for academies

Allegations, fraud, corruption and bad behaviour have been in the news. A knighted Headteacher was convicted of false accounting and narrowly missed a custodial sentence for false accounting. A free school was being investigated after allegations of irregularities. Derby University was forced to strongly deny claims that it falsified official statistics on graduate employment.

Also this week Times Higher Education carried an article about a Transparency International report which warned financial pressures could impact on ethical standards. Global Corruption Report: Education noted:

The very structure and culture of colleges and universities, as well as the current constraints under which many…operate, can create conditions that facilitate fraud.

This makes it timely to look at the recently published guidance from the Department for Education (DfE ) on fraud. Last month the Education Funding Agency at the DfE issued Fraud Indicators: A checklist for academies (download here).

The Fraud Indicators checklist details “generic” indicators including “personal and organisational motives for fraud, possible weakness of internal controls, transactional indicators and possible methods of committing and concealing fraud”. The DfE suggest that the checklist “may be helpful for use as a checklist where concerns exists that fraudulent activity may be taking place”.

It would be easy to mock the section headed Personal Motives – many organisations would show a red flag on fraud indicators such as “personnel believe they receive inadequate compensation and/or rewards”, “disgruntled employee”, “recent failure associated with specific individual” and “personal animosity or professional jealousy”. Nevertheless these soap opera indicators do highlight that in the fraud triangle motivation and rationalisation sit with opportunity.

Under the heading of Organisational Motives, how many of us have known organisations “experiencing financial difficulty”, burdened by “under unusually tight time deadlines to achieve level of outputs” or having “suffered disappointment/reverses/consequences of bad decisions”.  Still the checklist is right to point to the problems which arise from an all-powerful head and governance which lacks clarity and direction. How many schools are dominated by Heads with Maxwell-sized egos.

Flippancy aside, this is all useful stuff. However, as with all self-assessments, they are treated most seriously by those who are least in need of reflection and criticism.

The checklist sets out what poor policies, procedures and practices look like. The document is fairly comprehensive. One area where the checklist says little is audit. It notes that critical audit reports and obfuscating auditees are fraud indicators. But what about where managers do not put in place robust internal audit arrangements and/or where governors let weak internal audit arrangements persist. The Principal’s PA or a governor without the time and skills to be an internal auditor is never enough.

Also it is worth noting that the checklist focuses on fraud risks internal to academies. There are plenty of external risks – and organisations tend to pay more attention to them (even if, not enough).

So what is my conclusion? If you are a manager, governor, internal or external auditor, spend some time working through the Fraud Indicators: A checklist for academies. If enough academies do treat fraud risks more seriously, academy assets and public funds will be better safeguarded as will the reputation of the sector.

Academies and audit committees: where to start with terms of reference

The Academies Financial Handbook issued last week by the Department for Education nudges Academy Trusts (ATs) towards audit committees but allows other committees to incorporate the role of an audit committee into their remits.

The Handbook states:

All ATs must establish either an audit committee or a committee which fulfils the functions of an audit committee (ie it could be an addition to the terms of reference to an existing committee, other than the finance committee, and have an overlapping or fully integrated membership).

The apparent block on combined finance and audit committees may pose a challenge to some ATs. It will not be a surprise who are familiar with audit codes of practice in the college sector.

The audit code of practice introduced for colleges in 2004 (pdf) offers a useful template for setting out the role of an audit committee. Below I have modified its terms of reference to suit an AT:

The Audit Committee will consider matters relating to internal control and auditors. In particular the Committee is to:

• advise the governing body on the adequacy and effectiveness of the Academy Trust’s systems of internal control and its arrangements for risk management, control and governance processes, and securing economy, efficiency and effectiveness (value for money) ;
• review the statement on internal control and make appropriate recommendations to the governing body;
• advise the governing body on the appointment, reappointment, dismissal and remuneration of auditors (both external auditors and internal audit);
• monitor the effectiveness of auditors, including the use of auditor performance indicators;
• ensure effective coordination between auditors;
• ensure that additional services undertaken by the auditors is compatible with the audit independence and objectivity;
• agree the work programme of internal audit including the checking of financial controls, systems, transactions and risks;
• consider the reports of the auditors and, when appropriate, advise the governing body of material controls issues;
• monitor the implementation of agreed audit recommendations;
• ensure that all allegations of fraud and irregularity are appropriately investigated and controls weaknesses addressed;
• recommend the annual financial statements to the governing body for approval
• review the committee’s membership and effectiveness on a annual basis to ensure that it has appropriate skills and relevant experience.

This wording assumes that the Academy Trust refers to its assurance function as internal audit rather than a Responsible Officer. The wording can be tweaked on this and other Academy Trust specifics. Otherwise it can be adopted for a standalone committee or inserted into the terms of reference for another committee.

Internal control and audit committees - the new Academies Financial Handbook

In the past there was a degree of ambiguity about whether academies had to have an audit committee. The 2006 Academies Financial Handbook itself did not require one but it included, as an appendix, a document which did. The 2012 Academies Financial Handbook (AFH) clarifies the situation.

The AFH states the role of the audit committee:

The committee must review the risks to internal financial control at the [academy trust] and must agree a programme of work that will address these risks, inform the statement of internal control and, so far as is possible, provide assurance to the external auditors.

 
The AFH clearly requires that academy trusts (which, of course, includes free schools) must establish “either an audit committee or a committee which fulfils the functions of an audit committee”. Some trusts by virtue of size or nature are expected to have a separately constituted audit committee (i.e. one which does not also function as a finance committee).

Every [academy trust] must have in place a process for independent checking of financial controls, systems, transactions and risks.

Ideally this process should be driven by an audit committee appointed by Governors, but EFA recognises that this may not be a practical position for every [academy trust], especially the smaller ones or ones where there is a limited pool of potential governors to provide the necessary direction. So, EFA has provided for a system which allows some flexibility as to how any particular [academy trust] discharges these requirements.

 All [academy trusts] must establish either an audit committee or a committee which fulfils the functions of an audit committee (i.e. it could be an addition to the terms of reference to an existing committee and have an overlapping or fully integrated membership). The decision will be for Governors and should reflect the size and complexity of the organisation.

EFA's expectations are that that:

All [academy trusts] that are a multi-academy federation must have a dedicated audit committee;

All [academy trusts] with an income of over £10m or capitalised asset value of over £30m should consider having a dedicated audit committee;

All other [academy trusts] may have a dedicated audit committee.

The new Academies Financial Handbook (AFH) moves beyond internal financial controls and risks to internal control more broadly. This makes sense: while financial viability is vital so are other objectives –

The AFH states:

The [academy trust] should have in place sound internal control and risk management processes.

While the AFH talks of internal control and risk, strangely the AFH section on internal control is narrowly focused on matters such as producing annual accounts, preparing contingency plans, obtaining insurance etc.

These things all matter. But tinternal financial control falls short of the concept of internal control developed by the Turnbull Committee for listed companies and adopted by the Treasury for the public sector over a decade ago. "Turnbull" required:

An internal control system encompasses the policies, processes, tasks, behaviours and other aspects of a company that, taken together:

facilitate its effective and efficient operation by enabling it to respond appropriately to significant business, operational, financial, compliance and other risks to achieving the company's objectives. This includes the safeguarding of assets from inappropriate use or from loss and fraud, and ensuring that liabilities are identified and managed;

help ensure the quality of internal and external reporting. This requires the maintenance of proper records and processes that generate a flow of timely, relevant and reliable information from within and outside the organisation;

help ensure compliance with applicable laws and regulations, and also with internal policies with respect to the conduct of business.

If you plug in academy in place of company, that is highly relevant to good governance and management. It is also far more wide-ranging than contingency plans and insurance policies. It is about staff and pupil safety, academic performance, inspection grades, legal compliance, equality and diversity, and many other objectives.

So what should academies be doing if they should be thinking about controls and risks beyond the financial?

Academies need to ensure that audit committee review not only the risks to internal financial control but also the risks to delivery of all critical objectives. In performing that review, they should be directing the Responsible Officer or the internal auditor (or whatever the assurance function is called) to evaluate controls and test controls in those critical areas. At new academies with immature financial processes, much of the work will be around payroll and purchasing. As academies get better established, non-financial systems will get more attention and financial ones less.

The path from local authority control to independence has been trod before. In the 1990s over 400 further education colleges went that way. Many survived. Some lived on within merged institutions. A few merged or closed after failure – sometimes in scandal. For those of us working with colleges then and now, there were lots of interesting case studies and good practice and not-so-good practice.

Audit committees and internal audit contributing (or not) to internal control were part of the reason why colleges succeeded (or not).

"Turnbull" was an issue for colleges then. Now it should be a challenge for academies. Taking the AFH and going further – rigorous review of both financial and non-financial risks with audit committees pushing that agenda.

Audits and risks: the new Funding Agreement for sixth form colleges

The Education Funding Agency’s new Funding Agreement for sixth form colleges is a strange beast. It is clearly a slimmed down version of the 2006 Learning and Skills Council’s variant. But in slopping parts off, there seem to be some strange and perhaps unintended consequences.
In the 2006 Financial Memorandum colleges were instructed:

The College must ensure that it has an effective policy of risk management (including appropriate insurance arrangements). The College’s risk management arrangements should consider the key principles given in LSC guidance.

In a far more uncertain and hazardous environment, the 2012 Agreement does not utter a word to sixth form colleges on risk management. As established and largely mature organisations, I would hope they will carry on managing risks and enhance their arrangements.

While the words on risk management are omitted from the 2012 Agreement, oddly the wording on internal remains unchanged. So where the 2006 Memorandum states:

The governing body shall appoint an audit committee and arrange to provide for internal and financial statements audit, including regularity audit, in accordance with the LSC’s Audit Code of Practice and any other directions drawn up and published by the LSC in consultation with colleges. Any mandatory requirements under the LSC Audit Code of Practice shall be a condition of funding under this financial memorandum.

The 2012 Agreement states:

The Governing Body shall appoint an audit committee and arrange to provide for internal and financial statements audit, including regularity audit, in accordance with the Joint Audit Code of Practice and any other directions drawn up and published by the EFA in consultation with SFC. Any mandatory requirements under the Joint Audit Code of Practice shall be a condition of funding under this Funding Agreement.

Some mistake surely?

Only today, the Education Funding Agency reminded sixth form colleges that they did not have to make provisions for internal audit from August 2012. (Of course, any sensible college will await the Agency’s guidance before making use of this new flexibility.)

PAC on academies: some thoughts on governance and regulation

Today is a big-ish day for education policy. At 11.30am Michael Gove published his Education Bill although the contents are previewed in parts of the media. Until then we can read about the cross-party Public Accounts Committee report on the Academies programme.

The parliamentary PAC report expresses concern over financial control in the academies sector. Unfortunately the headlines have overlooked the good news in the report’s Executive Summary:
sponsored academies… have performed impressively to date, achieving rapid academic improvements and raising aspirations in some of the most deprived areas in the country. In many cases this has been achieved through high-quality leadership, a relentless focus on standards, and innovative approaches to learning and to the school timetable.

However, the Summary goes on to make serious criticisms:

Many academies have inadequate financial controls and governance to assure the proper use of public money, and the Department and Agency have not been sufficiently rigorous in requiring compliance with guidance. In developing a new financial handbook and governance framework, the Agency should make it compulsory for all academies – sponsored and converter – to comply with basic standards of governance and financial management. This should include segregation of key roles and responsibilities, and timely submission of annual accounts.

Academies will have to consider and act on the concerns raised in relation to governance:

We heard evidence of non-separation of roles, for example the chair of the governing body also being the chair of the finance committee, the responsible officer also chairing the governing body, and the responsible officer also chairing the finance committee. All of these roles should be clearly separated. There was further evidence of a shortfall in financial assurance and challenge owing to academies not having audit committees – against Departmental recommendations and Charity Commission good practice. We also heard that not all academy finance directors are CCAB-qualified accountants, again counter to recommendations in the Academies Financial Handbook.

Quite a few academies may not like all or some of these criticisms. It is a fair point that academies may struggle to arrange their governance structures with a standalone audit committee when so many claim that they have difficulty recruiting one governor who is an accountant or auditor. If academies do not move on these issues, they will find that they are censured by the YPLA auditors.

Even without the PAC report, there was a strong case for academies to review and strengthen their governance and financial management. They are high-profile and publicly funded organisations with their reputations at risk if they do not demonstrate compliance with high standards of governance.

(I should declare an interest: I work with academies and provide Responsible Officer services – the quasi internal audit of basic financial controls mandated by the Academies Financial Handbook.)

The report touches on the nature of regulation for the academies sector:

In future [sic] there must be greater clarity about what is required as opposed to what is recommended. Too much in the current framework is permissive, and there is insufficient mandated practice to prevent individual academies adopting practices which do not comply with basic standards of good financial management and governance.

I would agree that there is a need for a clearer distinction between “must” and “should”, particularly in the Academies Financial Handbook. However, I believe that academies should be encouraged and cajoled individually and collectively to raise their standards of governance so that regulatory input can be focused rather than broad-brush and heavy-handed. For a long time I have argued for a code of governance agreed by and for the academies sector leveling-up standards with a “comply or explain” approach. It works in other sectors.

Strangely the report is out-of-date on one issue before it is published when it states:

From January 2011, all academy trusts became exempt charities. This means that the Secretary of State for Education has replaced the Charity Commission in the role of Principal Regulator, and academy trusts submit their accounts to the Department only

Due to delays, the Charity Commission is - for now – the Principal Regulator. Hopefully, when there is a new Principal Regulator (presumably the YPLA and then its successor the EFA), they will use the right mix of regulation, self-regulation and governance to strengthen internal financial control across the academies sector.

Is fraud rocketing? Even if it isn’t, what should you do about it?

Last week Public Finance was reporting that levels of fraud rocketed during 2010. There is plenty of media coverage of fraud. This week I joined in tweeting a link to a
blog about Portsmouth University and MacIntyre Hudson’s survey of public sector fraud.

It is worth emphasising that the Public Finance’s report was based on KPMG’s Fraud Barometer which tracks fraud cases in UK Crown Courts. So detected fraud is “soaring” – is actual fraud up?

Recessions, credit crunches, austerity, etc have a tendency to expose financial chicanery. Just ask Max Madoff. I am sure that Bob Maxwell would agree.

To borrow a great quote from Warren Buffett and use it in a different context:

It's only when the tide goes out that you learn who's been swimming naked.

Of course, total – detected and undetected – fraud may be up too – in line with media coverage. For example, some of the squeezed middle may resort to white collar crime in hard times. Media coverage may even have a copycat effect – MPs are not the only ones who may be susceptible to the feeling that if colleagues’ snouts are in the trough, they should no be missing out. Experts point to need, opportunity and justification driving fraud - "others doing it" offers a self-justification for some.

Organisations should treat the fraud threat seriously. They should ensure that internal audit allocate sufficient days to fraud detection using IT tools as well as addressing fraud risks as an integral part of other audit reviews.