
scruttonbland.co.uk

News and Views for FE colleges and the higher education sector

Contents

Welcome to the Winter 2022 edition of our Education newsletter

Client Risk Registers

Can it be choice and not chance?

Cybersecurity – an ever-increasing risk

FE Colleges: updates to the new subcontracting requirements

Shaping Your Board for Success: how a board effectiveness review may help

A new Charities Act and changes to the Companies Act

Meet the Team

Welcome to the Winter 2022 edition of our Education newsletter

Welcome to our Education newsletter, aimed at FE colleges and higher education institutions, and intended to help them support their understanding of the challenges they currently face. Our theme for this issue is risk and assurance, and we have a number of articles to help explain some of the ‘why do you do that’ questions that we are asked.

The regulations relating to the education sector rarely remain still, and there have been some big changes announced in the past few months. Steven Burgess, Audit Director, looks at the Charities Act 2022 and the forthcoming Companies House Reform, to evaluate the impact these modifications will have, and to flag up some of the more significant points for educational institutions to note.

Tim O’Connor, Audit Partner, has been working with educational bodies for many years, and has a wealth of experience in understanding how they operate, and the difficulties they face. He looks at the Office for Students’ latest attempt to drive the equality of opportunity in the higher education sector, and whether their utopian vision of ‘continuation, completion and employability’ may overlook the disparity of opportunity for young people within the state school system.

A risk register is a key part of an organisation’s toolbox, and, fairly obviously, can be used to identify the most pressing risks. But it’s important to understand how their use can be maximised to deliver greater benefits. Paul Goddard, Risk & Assurance Partner, looks at some of the most common risks for educational organisations and the consequences for them which may affect their long-term reputation and recruitment prospects.

One of the greatest, and fastest growing business-critical risks is from cyber risk. The threats from cyber-crime have increased in number and sophistication in recent years, and the issue needs to be on the radar of every educational organisation. We examine the current cybersecurity risks and suggest some strategies that FE colleges and universities can use to protect themselves.

Independent board effectiveness reviews are increasingly being recognised as an effective means of evaluating a board’s performance and can quickly be incorporated into an organisation’s quality cycle. We look at some of the key metrics that an independent reviewer would look for, and the questions that might be raised as part of that process.

Finally, as FE College managers and administrators will be aware, the Education and Skills Funding Agency requirements for subcontracting and the audit process surrounding this have been significantly updated for the 2022-23 academic year. Bethan Pritchard, Risk & Assurance Auditor, gives an insight into the changes, and looks at the new focus on accountability and reporting, which, she says, will mean much more detailed evidence may be needed, with a greater emphasis placed on a continuous formal review.

Our Education team works with a range of academies, colleges, trusts and universities to support their management teams and boards in identifying governance issues and risks and delivering targeted solutions and advice. Please don’t hesitate to get in touch with us if you have a specific issue you’d like to discuss or would like to find out more about how we can help your organisation.

On behalf of myself and the team, can I send you my best wishes, and a happy and productive 2023.

Best wishes,

Paul Goddard

2 | SCRUTTON BLAND | E D U C A T I O N


Client Risk Registers

The major risks facing FE and HE institutions today

Risk registers can be a useful resource for internal auditors. They can give us clear insight into the risks prevalent in our auditing environment. As most of our clients exist within the same field, that of education, we can use this information to identify the most pressing risks within the field. While it is important not to neglect risks which may not have been highlighted, we can give our clients greater assurance by addressing the issues they have already self-identified as being the biggest impact to them collectively. Depending on how thoroughly these are completed they can also give us insight as to the reasons behind why potential gaps or risks exist and the controls already in place to mitigate them and their impacts. By looking at the information held in these registers we can also identify upcoming risks which we may not have focused attention on previously. In short, we can use these risk registers as guides to the major concerns of our clients and help tailor our support to make the biggest influence to the achievement of their objectives.

It is important to remember that risk registers are individual documents for use by our clients. As such they are not created for comparison. There are no rules which the Risk Registers must abide by, which creates a varied spectrum. From the twenty-one which we looked at we were able to see that there is a vast array of information which can be included. Though there were no specifics that all clients in our sample contained, we can still extract useful information. Most of the clients do subscribe to rating their risks as low, medium, or high, though for some there is more of a sliding scale including additional subcategories in between, and in one case that we looked at risks were given no ratings.

The average number of risks per register was 27.8; these can be broken down in the below fashion.

The number of risks input into the registers differed vastly, the lowest number of risks entered on any of these registers being 4 and the most being 73. The way in which clients rate their risks is also vastly different, with three clients not labelling any risks as high, two not rating any as medium and eight not rating any as low. From this information it may not seem as if there is much to compare across these registers, but we were able to identify five top risks that are affecting our clients.

The top risk faced by all our clients was Finance, specifically failing to be able to generate adequate funding. Out of twenty-one registers this risk was mentioned in every count.

The next most frequently appearing risk was Staff Recruitment, the failure to be able to hire the appropriate staff for the positions. This is something which has often been reflected in conversations with clients during audits, with them struggling to appeal to the best candidates. This risk appeared in eighteen out of twenty-one registers we compared.

IT security was a high risk, appearing on seventeen of the twenty-one registers. Dangers of cyber attacks were registered in a variety of manners and their entry on the risk register often listed various outcomes from cyber attacks such as data from learners being leaked and the reputational damage this might cause, as well as listing related causes such as not having the available income to maintain and update necessary IT equipment to ensure that they are protected against cyber-attacks.

Learner recruitment also featured prominently, appearing in sixteen risk registers. It should be pointed out that even though this risk did not appear the most times out of the most common risks it was rated as a high risk the greatest number of times. As learner funding is the biggest income for our clients these numbers directly affect their economic survival. This is made even more complicated as the funding received from learners is received the year after the learner has enrolled, so over enrolment can be an issue as the client may not be able to provide full services to a significantly increased number of learners.

The final most common risk from the twenty-one registers is Ofsted, appearing on sixteen of the risk registers. Ofsted rating can have huge consequences for our clients, affecting their long-term reputation and ability to encourage learners to apply.

From these comparisons we can see the areas which most concern our clients. What we do with this information is important. While we should not allow data such as this to blind us to other areas, and should try to consider risks that our clients may not have been aware of or seen the dangers in, we can use this information to guide us to audits which we can consider planning for the future. We can use clients’ own Risk Registers to assist in justifying why certain audits might be of greater benefit to them, or why they may wish to consider a more thorough audit in certain areas. We can ensure that we are not allowing high risk areas to go uncovered, helping our clients create more robust controls against these risks, as well as testing the controls they have in place to ensure they are fit for purpose, and help to develop long-term solutions to have real impact on the ability of our clients to deliver their services and meet their goals.


Can it be choice and not chance?

Tim O’Connor reflects on the Office for Students’ latest attempt to drive the equality of opportunity in the higher education sector.

In my twenty years auditing HE providers there has always been a key focus by the regulators on widening participation. The desire to attract talented people from underrepresented groups, no matter what their social or economic background, is a positive one but it has proved to be a tough nut to crack.

The current Director for Fair Access and Participation at the OfS, John Blake, is trying to find new ways to make progress in this area, with the consultation on his proposals closing on 10 November. One of his key proposals is to introduce an Equality of Opportunity Risk Register, which would be regularly updated and would need the engagement of the whole sector. Also coming from John Blake’s office has been a change in emphasis on how to monitor providers’ access and participation plans. He wants a clear focus on evaluation (evaluation, evaluation as everything considered important has to be said three times now) and judging providers on outcomes. This seems like an eminently sensible approach as worrying about what is being spent should never have been the focus. Value for money has never been only about cost and the value is always in the lives that have been improved.

As an auditor, I love a risk register, but my concern with this approach is that the sector is a broad and diverse one. Such a critical and hard to resolve area absolutely needs engagement across the providers, so it must therefore be relevant and even more importantly beneficial to all providers. One of the key issues, selective universities having little engagement with disadvantaged students, is a problem for those institutions and not the wider sector. The lack of non-traditional routes into Higher Education is a charge that cannot be levied against the post-92 Universities, who have innovated by necessity. The issue of different attainment across different schools and different pupils within them should be a concern relevant to all. However, it seems a much larger problem for which the HE sector can play a small part, but there is surely much greater action needed around policy and funding to really start changing outcomes. Greater engagement and coordinated working between schools and universities is to be encouraged and can only be beneficial, but will this really fix some of the stark attainment gaps? It also ignores the work that many universities are already carrying out in trying to access students who traditionally would not have considered university. Perhaps ensuring some of this best practice is not just shared but also adopted across the sector would also be a catalyst for positive change. The declared intention is for the Equality of Opportunity risk register to inform providers’ objectives in setting and reviewing their Access and Participation Plans. This is to be welcomed as a group effort is required, but these providers are also competitors, vying for precious student numbers. Driving change into the Universities that have historically not struggled to recruit will be much more difficult and I do not see collegial pressure really making a significant difference.

Alongside working on the Equality of Opportunity there are also continuing concerns around quality and ensuring that widening participation is not just about recruitment numbers. A key metric of quality being adopted by OfS is around continuation, completion and employability. So beyond just attracting underrepresented students to the provider, it is important that they complete their course and that this changes their life options through further study or improved employment opportunities. These students should not be being lured to university by a lower quality product; they should receive a return on their investment through a quality degree or degree apprenticeship that enables them through the next stage of their lives. I cannot disagree with this as an intention and it must be the goal that all providers are working towards. I worry that this is a utopian vision that ignores the wide disparity of opportunity for young people in the state school system and I would again question how much of an impact Higher Education providers can really have in the wider educational arena. Quality and the value obtained from the tuition fees paid should not be dumbed down, but there must be an acknowledgement of value added through the higher education process. This value added has the potential to be transformational, begin to change the access opportunities across underrepresented groups and let talent develop. We will see what 2023 brings and how the evolution of the Access and Participation Plans for 2024-25 is impacted by this approach. I hope that for the key items on the equality of opportunity risk register the OfS find a sledgehammer to finally crack this difficult to open nut.


Cybersecurity – an ever-increasing risk

Cybersecurity and data security continue to pose a business-critical risk within the education sector. The threat from cyber crime has become more dangerous, with a startling increase in ransomware attacks, in part a direct result of hackers taking advantage of the developing “ransomware-as-a-service” industry. Hackers are also moving into the more ominous area of so-called “killware” to put pressure on organisations to pay up.

The ability of even low-skilled hackers to purchase and deploy sophisticated off-the-shelf attacks should be on every organisation’s radar. Every day, this issue becomes more rather than less important, and this is clearly an emerging area of risk.

Keep your Board informed

Organisations need to ensure that their Boards have a strong understanding of cybersecurity risks, noting that the risks are often transferred in part through the use of outsourced providers and cyber insurance. Board-level engagement is key and an awareness of cyber threats should be raised at Board level, with efforts made to report using a jargon free approach. Assurance is also needed that organisations are well-protected by strong cyber defences and regular up-to-date training.

It is recognised that whilst third party providers can provide an effective solution to deliver these services, there are inherent risks associated with the use of third parties. This year has seen a shift to hackers targeting third-party suppliers with less mature security systems, noting that responsibility remains with the organisation that owns the data. This risk extends to cloud service providers.

Cyber crime often involves attacks, such as phishing emails, that may lead to a hacker defrauding an organisation. Pure cybercrime, or cyber dependent crime, on the other hand, entails hacking to steal or ransom data, with technologies now enabling more sophisticated attacks to combine several elements in one infringement.

Has hybrid working increased the risk?

The pandemic may have weakened many organisations’ cyber defences. Hybrid working practices now enable staff to work from home and remotely, meaning the culture around data security may have also deteriorated, with online communication becoming the norm. The use of spoof emails continues to be a regular tactic employed by cyber criminals, and we will have all seen both convincing and blatantly fishy phishing emails. This risk needs to be continually managed through training and alerts so that people throughout the organisation become alert to the latest tricks that are being used.

The most effective IT policies and standards will not mitigate those instances where people fail to follow the required cyber defence practice, and it is vital to create and monitor a robust security culture within an organisation. Ensuring that these cyber security policies have been practically implemented and well communicated to staff, that software patches are applied in a timely way, and reviewing which staff have access to systems is critical.

What can education organisations do to protect themselves?

The completion of regular data breach simulations and tabletop exercises can make sure that systems designed to contain breaches work and are effective, and that everyone concerned knows their roles and responsibilities. That exercise can include ensuring there is redundancy in the system, so that if a key member of the response team is unavailable it does not stop the remediation process.


FE Colleges: updates to the new subcontracting requirements

As you will be aware the ESFA requirements for subcontracting and the audit process surrounding this have been significantly updated for the 2022-23 academic year.

As auditors, we will endeavour to make this transition as smooth and easy as possible for everyone involved. Much of the information that is now required as evidence has changed. A full list of all information now necessary for these audits can be found on the government website.

What has changed?

The new auditing process is divided into ten categories, with various set requirements needing to be adopted to ensure compliance with the new standard. The overarching goal of the new requirements is to reduce subcontracting provision and ensure that any subcontracting which continues is subject to robust checks and oversight by the provider.

The first of the ten categories for subcontracting is ‘pre-award activities’. This establishes the foundation for any subcontracting which takes place. As with previous years a rationale is required to describe why the provider (the FE college) is seeking to subcontract and must include at least one of the specific aims listed by the ESFA. This could be to provide education to a marginalised group or to provide a required skill set which the local community needs, but which cannot be delivered by the main provider. This now also requires more of the activities to be evidenced than was previously mandatory, with the rationale now being broken down into detail; for example, pre-qualification questionnaires are not only required but also justification of the questions asked within it, and a management plan must be in place before contracts can be awarded.

The contract award and the management, people and administration categories all focus on the contract management team. While in previous years members of the team’s skill set may have been looked into, the new updates require a focus not just on the staff having these skills but also how the team is run, what policies they have in place, and how they report and review them, as well as how they store and manage their information. This gives a clearer picture of the team’s regular activities rather than a brief overview of whether they are appropriate for the position.

The ‘managing relationships’ and ‘managing performance’ subsections relate to how the subcontractor is monitored by the main provider. While in previous years this may have been required in a non-specific way, in the updated audit process this has been formalised to include agreed objectives which must be met and reported against.

The new ‘payments and incentives’ category will now require providers to evidence the payment and budget process. Previously it was necessary to evidence that the costs of the subcontracting process were set and that these costs had been checked for value for money, but the latest update takes this further, needing costs to be continuously monitored and demonstrated against a set budget.

Risk management has also seen an update. Previously, contingency plans were necessary to be in place if there were issues regarding the subcontractor. However, in the new update this requirement has been tightened, and now requires risk assessment for all risks to not only be identified but also monitored throughout the relationship. Contractual ‘non-performance’ issues also now need to be monitored by the contract manager, whereas previously it was the subcontractor who needed to inform the provider of any changes in these areas.

Evidence and analysis

The ESFA has always defined what elements should be covered within a subcontracting agreement. However it now requires the provider to also analyse their subcontracting activity, and to make and show evidence for moving towards reducing this within a 3-year period. While evidence of training and the sharing of documentation has been required in previous years, there is a new requirement for these activities to be formalised and to relate to specific goals, including wider governance initiatives.

Overall, the new ESFA rules are geared towards a policy of a clear reduction of subcontracting for FE colleges, generally making sure that any which needs to remain is thoroughly monitored in a formal setting with much greater accountability put on the contract management team. This formal monitoring must be set up in the subcontract, and also in the routine management and review of the process on a more detailed and oriented level. Many subcontracting elements remain the same in their foundation and will seem familiar to providers, but the new focus on accountability and reporting will mean much more detailed evidence may need to be viewed by the auditors with greater emphasis placed on a continuous formal review across the relationship.


Shaping your board for success

An effective board of an organisation defines its purpose and sets a strategy to deliver it, underpinned by the values and behaviours that shape its culture and the way it conducts its business.

One way of enhancing the impact of a board is to commission an independent board effectiveness review. This will provide independent feedback to you, reviewing the performance of your board, evaluating what works well and highlighting areas for development.

What are the benefits of an independent board effectiveness review?

A regular board evaluation from an independent body helps boards to improve both their own performance and the performance of the wider organisation. Having an independent reviewer can bring greater objectivity and fresh insights to the board’s processes and can help the board identify any issues that it might need to address. It can also provide some reassurance to stakeholders that the board takes its responsibilities seriously.

Who needs to have an independent board effectiveness review?

In a number of sectors this assessment has become a requirement, and in others, there is now a clear expectation that an independent governance review should form part of your organisation’s quality cycle. It is an increasingly popular practice that supports your board and underpins the continuing need to develop good governance practice. It is highly recommended for charities and not for profit organisations and is looked on favourably by grant awarding bodies and regulatory authorities.

What will an independent reviewer be looking for?

Our reviews are tailored to each client and would usually include an evaluation of the board’s:

Engagement and voice – how board engagement with internal and external stakeholders is achieved. Are relations with key stakeholders productive and supported by open and regular communication?

Skills and capacity – how board member skills and capacity is reviewed, induction delivered and appointments to the board made

Risk and agility – the level to which the risk framework has been developed as an enabler for the organisation

Culture and behaviour – how the board takes the lead for setting the organisation’s structure

Impact and reach – how the board measures their collective and individual contributions

Responsibilities, approval and standards – how the board formally accepts its legal duties on appointment and ensures that all statutory responsibilities are approved by the board.

Purpose and leadership – how the strategic direction is set and progress monitored, aligning strategic decisions with the agreed strategy

Structures and business flow – how well the board structure is working, the delegation to supporting committees, and clarity over the annual cycle of business. Do managers regularly report on key outcomes and targets, and does the board receive early warnings of problems that may adversely affect these?

Our specialist team can draw on a wealth of experience in both the public and private sectors to review board effectiveness. We can help your board to make sure your organisation is operating most effectively and are proactive in suggesting meaningful improvements. For more information on evaluating and developing your board’s effectiveness, please get in touch with our Risk and Assurance team.


A new Charities Act and changes to the Companies Act

There have been some significant changes announced during 2022 which may well impact on Further and Higher Education clients, as exempt charities, and any subsidiary companies they may have.

Charities Act 2022

The first which came out with relatively little fanfare was the Charities Act 2022. Whilst much of the content of this Act is mostly of interest to Charity Lawyers there were a couple of interesting points which may be of relevance:

• It is now possible to make payments to Trustees for goods supplied. We have moved from a position of no payments being made to trustees, to payments for services other than as a trustee to now being able to pay them for goods too. This seems to go against the Charity Commission’s general concern over conflicts of interest and appears an odd change. Charities will still need to ensure that the appropriate safeguards are put in place over such payments and the relevant disclosures are made in the financial statements.

• The Trustees are now able to make ‘moral’ payments at levels capped based on income. The example given on this is when a legacy has been received but the charity is aware that the donor had changed their mind without changing their will. This does not seem to be a power that will be regularly exercised, but a clear document trail should be produced when such payments are made.

• The relaxation of what Trustees can do when fundraising generates more income than was required, capped at levels of excess. This situation would arise when fundraising for a specific project would mean that funds would be restricted to that project. We would always recommend that when doing such fundraising that the appeal is kept quite broad to enable the utilisation of funds, but if that has not been done then this does provide a limited but sensible solution.

• Changes to align the ability to make changes to purposes across various charity types (unincorporated and incorporated charities).

The main Act for Charity accounting remains the 2011 Act and there is a 2016 Act which deals with issues around fundraising, so I suspect we may be due a consolidating Act at some point to bring this all within one piece of legislation.

Companies House Reform

As a result of the ongoing Corporate Transparency review being carried out by the government in a bid to fight organised crime, a White Paper was issued in February 2022 in respect of Companies House Reform. This will require a new Companies Act before the changes come into force, so the timing of implementation is not yet clear, but the most significant points to note are:

• Filing deadline not shortened as previously consulted on, but new Companies Act will include facility to make this easier in the future;

• Small companies will have to file full accounts, no longer abridged or filleted versions. So Directors’ Report and Profit and Loss account will be on the public record;

• Micro companies must file a Profit and Loss account but can still take exemption from Directors’ Report;

• Dormant companies must file eligibility statement each year; and

• All companies must file digitally with tagged accounts (as with HMRC).

Companies House will also be getting some new and increased powers to enable it to drive transparency and accuracy of information as follows:

• Greater control and ability to challenge information on the register;

• Greater powers in respect of identity verification;

• Greater power to share data (HMRC/Law Enforcement);

• As a result of the above there will be improved privacy protections; and

• Ban on corporate directors (almost, with some very rare exceptions).


Meet the Team

We have a long-standing association with the education sector, and our specialists have a thorough understanding of the opportunities and challenges it currently faces.

We seek to build long term and trusted relationships with our educational clients, and to fully understand their organisations in order to provide bespoke and targeted advice.

Get in touch with a member of the team to see how they can help you.

Paul Goddard, Risk & Assurance Partner, paul.goddard@scruttonbland.co.uk, 01473 945842

Leisyen Cox, Risk & Assurance Senior Manager, leisyen.cox@scruttonbland.co.uk, 01473 945843

Bethan Pritchard, Risk & Assurance Auditor, bethan.pritchard@scruttonbland.co.uk, 01473 945885

Tim O’Connor, Audit Partner, tim.oconnor@scruttonbland.co.uk, 01206 417225

Steven Burgess, Audit Director, steven.burgess@scruttonbland.co.uk, 01473 945870

0330 058 6559 scruttonbland.co.uk

@scruttonbland

Scrutton Bland Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority. Our FCA registered number is 828934. 0758/12/2022/MKTG
