Internal Audit Services

2.1 This brief is for the provision of internal audit services to deliver third line assurance within the Trust's overall Board Assurance Framework. 2.2 The Framework assumes up to three internal audits per calendar year, organised around a five year planning cycle. The focus of internal audits will be reviewed and refined annually by Trustees, informed by the Trust's risk profile. 2.3 It is expected that: - persistent high risk areas will be subject to annual scrutiny, particularly in areas where risks are constantly evolving. It is expected that cyber security will fall into this category. This means that potential providers must be able to demonstrate competence to audit in this area, either directly or via a partner. - at least one audit each year will focus on an aspect of financial or HR management, as the areas carrying the highest ongoing risk to the Trust. - other areas will be audited on a five yearly cycle. An example plan is set out in the accompanying Board Assurance Framework. Whilst this plan provides starting assumptions for each year's scrutiny schedule, Trustees may adjust it in light of changing risk profiles. In some circumstances, this could mean combining the audit time available to conduct (say) one deeper audit into a particular business area rather than two short audits in different areas. For reasons of budget and practicality, it is expected that proposed annual cyber security audits will focus on specific areas of cyber risk such as: patch/vulnerability management; access controls; incident management planning and response; resilience planning; staff training and testing. 2.4 Providers will be expected to: - work with the Chief Operating Officer to produce an annual audit schedule for approval by Trustees in December of each year. (The audit period for each year will be 1 Jan - 31 Dec) - produce written scope of works for each intended audit and work with the NSAT business lead for relevant areas to request and gather the audit material needed (including arranging any meetings/visits where relevant). - produce written reports for each audit undertaken and the annual scrutiny summary report for the Trust's Annual Report and Accounts. - attend the Audit & Risk Committee at least annually to report directly to Trustees on recent audit reports. These dates will be booked at the start of each year. 2.5 The overall approach will be informed by the Trust's Risk Management Policy (attached to this brief). The Trust maintains its risk register via the "Every" online system. The Trust will take a risk-based approach to setting the scope for each audit. 2.6 On a day to day basis, internal auditors will work with the Trust's Chief Operating Officer and/or Chief Finance Officer to facilitate audit processes. Audit reports will be to Trustees (and the Chair of the Audit & Risk committee in particular). 2.7 The Trust's annual budget for internal audit is £11k (exc VAT). The contract for will be for three years (1 January 2026 - 31 December2028), cancellable with the provision of six months' notice on either side. 3. Response 3.1 Responses are sought from potential partners to this brief. Written responses should include: - details of experience of undertaking internal audit/scrutiny in general, with reference to any experience in the academy sector in particular. - an outline of proposed audit methodologies. - the experience and/or qualifications of lead personnel who may be undertaking audits (including how specialist expertise will be secured to meet the range of audit requirements in the Trust's likely internal audit cycle). - examples of reporting format, including the form of recommendation. - any proposals for tracking and closing recommendations from audits. - names and contact details of two client referees able to provide information about their experience of working with the provider. 3.2 Responses should provide a fixed annual cost for the duration of the three year contract with a description of what is included. Any potential additional charges should be referenced.