Overall, the ACOP has been widely updated to reflect the devolution of adult funding. For example, requirement for the external auditor to notify ‘significant fraud or major weakness or breakdown in the accounting or other control framework’ to the ESFA is now extended to require notification to ‘the relevant devolved authority’ as well.
Under Regularity, an additional test has been introduced when a corporation considers whether a transaction is ‘regular and proper’ – this is:
• if a transaction could provide a personal benefit to an employee or trustee, has this been independently and appropriately authorised?
This may require a change to the Financial Regulations to adequately assess personal benefit if this was not previously covered. The Financial Regulations should also be reviewed in light of new questions under Annex C for the safeguarding of assets in relation to the disposal of large fixed assets and the arrangements for approval, and the requirement to have an ‘appropriate policy in place for approving long term development expenditure’.
Annex C covers concerns arising from regularity, and the ‘management’ section has been extended to include a further area of concern which is:
• weaknesses in systems and controls reported by internal audit
Audit committees need to ensure that recommendations raised by the internal audit provider are adequately tracked by management to enable intervention where progress falls short of expectations, and this tracking and progress are reported to the audit committee. Such a management tool could be used to record recommendations made by the external auditors and any other providers of assurance, giving a comprehensive action tracker allowing the audit committee to have sufficient oversight of implementation or recommendations.
Annex C also contains some extra questions, for example concerning related parties where the register of interests is extended to cover:
• Other persons/entities which are defined by the standard as related parties, such as close family members?
Procurement processes must now refer to the register of interests to identify potential related parties in order that appropriate authorisation can be obtained. It is essential that Registers of Interest (governors and staff) are constantly reviewed and updated in the same way as the risk register should be, and that there is transparency and accountability.
The External Audit report is now required, under the Office for Students Accounts Direction, to have an opinion on whether funds received have been properly applied in accordance the relevant terms and conditions and/or legislative requirements.
The Regularity Self-Assessment Questionnaire includes a new question as to whether the risk register addresses fraud risks. Therefore, when reviewing your risk register for 2020/21, making sure that the risks of fraud are proportionately represented, is worth discussing at the audit committee meetings.
The recent Ney report – ‘the independent review of college financial oversight’ states that ‘it would be helpful if the existing guidance on the role of Audit was expanded to provide stronger direction on the areas of potential concern which Audit Committees should give particular focus, eg risk management and the Committee assisting the board to articulate its risk appetite’. The recommendations also include a suggestion that the Audit Code be updated to require external auditors to present their regularity findings and opinion to the Chair and the whole board, rather than just to the Audit Committee. Given the usual late publication in the year of the Audit Code, it may be prudent of Audit Committees to consider taking any necessary actions in the upcoming year in order to meet such potential changes in next year’s Audit Code.
A full report on essential points and implications of the revised Audit Code of Practice, as detailed by RSM (provider of audit, tax and consulting services), can be downloaded below.