Skip to main content

Audit approach

Last updated on 11 February 2026
Hertfordshire County Councilby Shared Internal Audit Service

The Council have commissioned the Shared Internal Audit Service (SIAS) to create and run an audit plan for all of Hertfordshire’s Maintained Schools. As part of our role, SIAS create a Schools Audit Strategy each year, which is agreed with Children’s Services. This page outlines our approach to creating and enacting this plan for the current financial year.

Definition of Internal Audit adopted by the Global Internal Audit Standards (GIAS):

Internal Audit is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

Purpose of auditing schools

Our job as internal auditors is to provide an independent view of the governor oversight, risk management and financial processes in place at your school. Our aim is to support the school and to provide assurance to the Senior Leadership Team and Governors that the school are following best practice. Audits are also required to provide assurance to officers of the Council that schools have robust arrangements in place to meet the requirements set by the DfE, the Local Authority, or through wider legislation (e.g. GDPR). The Section 151 Officer is required to confirm that the Council have a system of audit for schools that gives adequate assurance over their standards of financial management and the regularity and propriety of their spending.

School Audit Strategy (2026/27)

The development of the Schools Audit Strategy for 2026/27 is currently underway and will be presented to the Audit Committee for approval in March 2026. Once approved, information on the strategy and the audit themes will be shared. Each year, SIAS produces a Schools Audit Strategy that sets out the three themed audit reviews scheduled to take place during the financial year.

Audit approach

The audit themes are selected in conjunction with Children’s Services and are designed to review a variety of topics across all Schools in Hertfordshire. The process for preparing the themes and carrying out the audits in schools is as follows:

1. Preparing the theme

  • Discussions are held with Children’s Services at Hertfordshire County Council to decide on the three topics that make up the Audit Strategy. Audits may extend to non-financial areas, for example Safe Recruitment.
  • As the Schools Audit Strategy includes a requirement to annually establish the effectiveness of financial control, risk management and governance arrangements, the three audit themes are chosen to encompass each element.
  • Once the audit themes have been approved by Children’s Services Board, SIAS create the audit plan, which focusses on the biggest risks to Schools and The Council within each theme. These risks are the basis for the testing that we will complete at each school.

2. Selecting schools

A selection of schools is made for each audit theme. The selection criteria are as follows:

  • the first schools to be selected are those that have been least recently audited. This is to ensure that all schools are audited over an audit cycle (currently around nine years).
  • the remaining schools are randomly selected from those Schools that have not been audited in the past three years. We try to ensure that there is a fair distribution of schools across the County within each audit theme.

3. Booking process

Once selected for an audit theme, a SIAS auditor will contact the school to explain the purpose of the audit and agree timeframes for conducting the fieldwork. This will usually include agreeing an initial meeting with the headteacher or relevant member of staff to discuss what processes the school has in place in relation to the audit theme.

  • The auditor will call the school to confirm the date of the audit with the school, and determine whether they want an in-person or remote visit.
  • The school will receive a confirmation email including a booking letter outlining further details of the audit, and a list of documents required from the school as part of the audit visit.
  • If in-person, some documentation may need to be sent in advance of the visit, through the secure file transfer platform HertsFX (the auditor can explain how this works if required).
  • If done remotely, all documents will need to be shared with the auditor by an agreed date.

4. The audit

In-person audit:

  • Upon arrival at the School, the auditor will have an initial discussion with the Headteacher, and any other relevant staff members, to explain the audit process in more detail. This is especially important if the School have not received an audit visit in a long time.
  • The auditor will then spend the majority of the day within the School to review the required evidence.
  • The auditor will need to ask questions to relevant staff members in order to fully establish the process in place at the School. These questions are not designed to mislead, but to understand the School’s approach to the areas being audited.
  • At the end of the visit the auditor will have a closing meeting with the Headteacher. This is used to describe the initial findings from the audit and allows for the school to provide extra information or clarity over a particular area. This meeting is usually held between the Auditor and the Headteacher, but other members staff or Governors are welcome if the Headteacher thinks this would be useful.

Remote Audit:

  • A timeframe will have been agreed between the auditor and Headteacher for when they would be available for meetings.
  • The auditor will complete testing on the documents during this time
  • Once the auditor has compiled queries during their testing, they may set up meetings to consult with the Headteacher or another person, such as the chair of governors or school business manager, who may be able to provide answers.

5. The report

The audit report records the elements of good practice, and areas of improvement highlighted from the audit visit. The report has five main sections:

  • Overall assurance level - as part of our report, we give an assurance opinion that provides our overall assessment on the robustness of the control environment in order to achieve the key objectives that have been audited. This is supported by the executive summary and summary of testing results (see below). It is important to note that the overall opinion assesses the overall risk to the School, and is not an average of the individual risks to the control areas reviewed.
  • Executive summary - this is a descriptive element of the report, which provides a summary of system strengths demonstrated at the school and areas for improvement where processes could be enhanced. This section also includes the objective of the audit, the key risk, the overall assurance level, the assurance areas and a summary of the recommendations identified during testing.
  • Summary of testing results – this is a table that outlines each control area reviewed as part of the audit and any matters raised with reference to associated findings or advisory actions within the report. Control areas are the major components within each assurance area, where controls operate to manage risk. Assurance areas are the different sections that are covered as part of the overall audit.
  • Recommendations – where findings are identified from our audit testing, recommendations may be raised as part of the audit process and can be included in the report in either the management action plan, or as advisory actions.
    • If advisory actions are included in the report, these are findings that do not require a formal response from the School, as we deem them to be low risk areas. However, these are included for the School to consider and take appropriate actions as required.
    • The management action plan is a table at the end of the report that outlines the finding, root cause and the associated recommendation where best practice has not been followed.
  • Definitions – at the bottom of every report, appendix A outlines the definitions for each of the assurance levels, and the priority rating of the recommendations (critical, high, medium, low). Appendix B outlines the definitions for each category of root cause and associated icons. The draft report will be sent to the Headteacher for review, and a response to any findings made. Once the draft report has been agreed by the School, a final report is sent to the Chair of Governors and relevant sub-committees, with the responses to the recommendations included.

6. School Response to Recommendations

Where an audit report includes a recommendation, the School must provide a response setting out the actions it will take to address the finding, who will be responsible for carrying out those actions, and the expected completion timeframes. When issuing the draft report, the auditor will request that all management responses are completed and returned within two weeks. If the draft report, including the required management responses, is not returned within the specified timeframe, the auditor may follow up by contacting the School’s Chair of Governors to help progress the response.

7. Follow up process

If the school have received an overall limited assurance level from the audit, or a critical/high-priority recommendation within their report, SIAS will contact the school as part of an annual follow up cycle to ensure that the recommendations have been effectively implemented. The schools audit follow up annual review is normally scheduled for the Autumn term.

Last updated on 11 February 2026