Academies Financial Handbook 2018 Published

Academies Financial Handbook 2018 Published

What you need to know about the changes

The new Academies Financial Handbook 2018 entered into force on 1 September 2018 and applies to transactions and operations after that date. The Funding Agreement with Department for Education requires academy trusts to comply with the terms of the Handbook. Failure to comply could trigger a Financial Management & Governance Review or a Financial Notice to Improve.

The key changes of emphasis in this edition are:

  • More emphasis on the critical role of the Board and the Chair of trustees in ensuring high standards of governance
  • More detailed requirements about regular and clear financial reporting to the Board
  • Greater scrutiny of transactions with related parties (i.e. trustees, senior managers, their family members or businesses in which they have an interest) and any subsidiary companies of the Trust.
  • Tightening the rules around setting of executive pay following recent media stories about excessive pay.

Turning to the specifics, the key changes are as follows:

  • 2.1.2 – If a Board meets less than 6 times a year, it must describe in its governance statement accompanying annual report and accounts how it maintained effective oversight of funds with fewer meetings.
  • 2.3.2 – The Trust must submit to ESFA a budget forecast return by 21 May and a 3 year budget forecast by 30 July. In setting the budget, the Trust board should have regard to latest DfE guidance including these key metrics to check:
  1. Staff pay as percentage of total expenditure
  2. Average teacher cost
  3. Pupil-to-teacher ratio (PTR)
  4. Class sizes
  5. Teacher contact ratio
  6. Proportion of budget spent on the leadership team
  7. 3 to 5 year budget projections
  8. Spend per pupil for non-pay expenditure lines compared to similar schools
  9. School improvement plan priorities and the relative cost of options
  10. List of contracts with costs and renewal dates
  • 2.3.3 – Budget monitoring – the Trust must prepare management accounts every month setting out its financial performance and position, comprising budget variance reports and cashflow forecasts with sufficient information to manage cash, debtors and creditors.
  • Management accounts must also be shared with the Chair of trustees every month.. and with other trustees six times a year. The Board must ensure that appropriate action is being taken to maintain financial viability.. including addressing variances between budget and actuals.
  • The Trust must select key financial performance indicators and measure its performance against them, including an analysis in its annual report. The Accounts Direction for 2017/18 listed some examples:

“Key financial performance indicators and, where appropriate, an analysis using other key performance indicators including information relating to environmental and employee matters. For example. this could include, but may not be limited to, Ofsted inspection outcomes, examination / key stage results, pupil attendance data and pupil recruitment data, in addition to financial and investment performance. It could be presented as both achievements against objectives for the current accounting period, and as trends over time.”

  • 2.3.6 – The Trust must have an investment policy to manage and track its financial exposure and ensure value for money – and it must be reviewed regularly. A Trust must exercise care and skill in investment decisions and take professional advice, ensure that exposure to investment products is tightly controlled: security of funds must take precedence over revenue maximisation.
  • 2.4.4 Executive Pay – the Board must ensure there is a process for determining executive pay which is agreed in advance and documented. Levels of pay must be defensible relative to the public sector market and the documentation setting out the rationale must be retained. There is a presumption that non-teaching pay should not increase at faster rate than teacher’s pay.
  • Transactions with related parties – no member, trustee, local governor, employee or related individual or organisation may use their connection to the Trust for personal gain. There are no payments to any trustee, unless permitted by the Articles or the Charity Commission and permitted by the Secretary of State. This will apply if payments are made to a business entity which employs the trustee, is owned by the trustee or in which trustee holds a controlling interest. The ‘at cost’ requirement must be complied with for payments over £2500- the payee must provide evidence that services have been provided ‘at cost’ i.e. without a profit element. This issue recently came to prominence in the media after an investigation by Panorama into the affairs of Bright Tribe academy trust.
  • 3.10.4 – All transactions with related-parties after 1 April 2019 will need to be reported to ESFA using online form. ESFA prior approval will be required if the contract exceeds £20k (or cumulatively with other contracts it would breach that limit). (NB this excludes payments under a contract of employment through Trust payroll).

The Academies Financial Handbook 2018 is amplified by the Academies Accounts Direction. Whilst most of this is a technical document, there are four significant changes to flag:

  • There is now clear guidance that purchases of alcohol or excessive gifts with academy funds are examples of irregular expenditure (para 9.1.22).
  • There is a new requirement to include information on trade union facility time to comply with the Trade Union (Facility Time Publication Requirements) Regulations 2017. This requirement only applies where trusts have more than 49 full-time equivalent employees throughout any seven months during the reporting period.
  • Financial statements will need to include information on:
    • The number of employees who were relevant union officials during the period
    • The number of employees and their percentage of time spent on facility time
    • The percentage of pay bill spent on facility time
    • Details of paid trade union activities
  • Accounts must also now include a section dedicated to the Trust’s fundraising practices, to comply with the Charities (Protection and Social Investment) Act 2016. This requires details about:
    • The Trust’s approach to fundraising
    • Details of any work with, and oversight of, professional fundraisers and commercial partners
    • Confirmation that fundraising conforms to recognised standards
    • Details of the monitoring of fundraising carried out by agents
    • Any complaints received
    • How the public, including vulnerable people are protected, from unreasonably intrusive or persistent fundraising approaches.
  • Apprenticeship levy costs should be included as part of social security costs note to accounts. Where apprenticeship levy-funded training is received in year, this should be recognised as notional income and notional expenditure. The 10-per-cent top-up funding provided by the government should also be recognised in this manner. (para 8.13)

If you have any questions about any aspect of academy governance please get in touch.

Mark Johnson is an independent legal and governance specialist working with academy trusts, schools and not for profits to help them flourish. He serves as the company secretary of 2 MATs in Cheshire and independent audit committee member of a large MAT in Manchester. elderflowerlegal.co.uk 

Relentless Focus on Good Governance in Academies Continues

Good Governance in Academies is Key Focus for DfE

Over the Summer the Department for Education quietly published some documents which show the focus on good governance in academies remains a key priority. The first document was the widely expected new edition of the Academies Financial Handbook which applies from 1 September. Secondly, the Education and Skills Funding Agency (the new name for the EFA) published three financial management and governance reviews into multi academy trusts. These highlight case studies of where things can go wrong. In case you missed them, here we summarise the key points to be aware of.

Academies Financial Handbook

It is a requirement of all Academy Trusts’ Funding Agreements that the Academies Financial Handbook (’AFH’) is complied with, in particular the list of ‘must haves’ in Annex C. The new AFH applies as from 1 September 2017. The main changes in this new edition concern governance and financial control.

Governance

  • There is an emphasis on greater clarity about the roles of members, trustees and salaried employees

There must be clear separation between the roles of member, trustees and executive (paid) managers. For example, employees of the Trust must not be appointed as members, unless permitted by the Articles of Association. The current model articles do not allow members to be employees, but some older versions do. Trusts with older articles may wish to consider revising their articles to reflect best practice.

In addition, the DfE’s preference is that no other employees, other than the Senior Executive Leader, should serve as a trustee. This helps to ensure there are clear lines of accountability through the Senior Executive Leader. Older Articles may talk about no more than one third of trustees being employees. Again, Trusts may wish to adopt this change in line with best practice.

  • Trusts are reminded that the overarching seven Nolan principles of public life apply to everyone holding office in an Academy trust (selflessness, integrity, objectivity, accountability, openness, honesty and leadership).
  • Annual letters to Trusts’ Accounting Officers/CEOs from the ESFA’s accounting officer must be discussed by the Board and appropriate action taken

The ESFA sends letters to Trusts’ Accounting Officers/CEOs from time to time which cover issues pertinent to their role and ESFA reviews. The letter must now be shared with members, trustees, Chief Financial Officer and other members of the senior leadership team. It must be discussed by the Board of trustees.  This discussion should be clearly documented in the Trust board minutes. All “Dear Accounting Officer” letters can be found on the DfE website here.

  • Improving efficiency and value for money in academy trusts

Where the ESFA have concerns about a Trust’s financial management, but not enough to issue a Financial Notice to Improve (FNtI), they may require the Trust to work with an expert in school financial health and efficiency to support the Trust and identify where improvements can be made. They may also prescribe this as a condition of a FNtI.

  • There is an emphasis on the importance of addressing skills gaps on the Board at key transition points such as growth periods. Trusts are recommended to use the DfE’s competency framework for governance to determine skills gaps in the Board (see more here)
  • Trusts should consider the key features of effective governance in the DfE’s Governance Handbook when assessing their effectiveness

Boards should be looking to implement these as part of their annual assessment of their effectiveness and skill-set, as well as minuting these discussions.

  • Edubase must be kept up to date with details of changes to Trustees and members within 14 days

Recent ESFA reports have highlighted that some Trusts are not keeping their records up to date of who are members and trustees promptly following either appointments or resignations. This applies to both Edubase and Companies House records. Someone should be given specific responsibility to complete this task, usually the Company Secretary.

  • Appointment of auditors must be approved by the members, not just the trustees

The Board of trustees may believe they are responsible for the appointment of auditors. However, this is only the case where the Companies Act permits trustees to appoint them e.g. in the Trust’s first accounting period. Thereafter the members must approve the appointment, usually at an AGM.

Financial Control

  • a new section on executive pay states that Boards must ensure their decisions on levels of pay follow a robust evidence-based process and reflect the roles and responsibilities of individuals

The decisions should be backed up with supporting evidence and secure records kept–such as confidential appendices to minutes.

  • Repercussive transactions’ as well as ‘novel or contentious transactions’ now require ESFA approval

Repercussive transactions are those which are likely to cause pressure on other trusts to take a similar approach and hence have wider financial implications for the academies sector.

  • Clarification that the non-statutory/non-contractual element of a severance payment limit of £50,000 is based on the gross amount before any deductions for tax etc.

This is a welcome technical clarification. The full new Handbook can be viewed here.

Financial Management and Governance Reviews

The ESFA can initiate a Financial Management and Governance review at an academy trust following a complaint, or on its own initiative, either at random or as part of its new routine assurance activities. There have been 25 such reviews conducted since 2013. The typical remit of a review is:

  • to assess the financial controls and management in a Trust to see if they are compliant with the AFH and Funding Agreement
  • to assess the adequacy and effectiveness of governance, risk management and internal controls
  • to assess propriety, regularity and value for money

The ESFA’s policy is to publish their findings to inform public debate and scrutiny. The academy trust is usually given 5 working days to comment on the report before it is published. Three such reports were published over the Summer.

The first review concerns the DRB Ignite MAT. The review was instigated following a complaint about a leasing arrangement for whiteboards at one of their schools. However, the remit soon expanded to cover scrutiny of wider governance arrangements in the MAT.  The key findings of the review were:

  • There was a lack of separation of the roles of members, trustees and executive managers. The Accounting officer was a member as well as being a director. The Accounting Officer was not on the Trust’s payroll and the role had rotated among the directors three times. There was no written agreement in place setting out the role and responsibilities of the Accounting officer – in breach of the Academies Financial Handbook. The AFH requires that the role be allocated to a Single Executive Leader, who is accountable for the use of public money. The CFO role was contracted out to another group company and the Trust board did not have any independent directors with accountancy experience or qualifications. This created a risk of inadequate oversight and challenge. The named member of the trust was a company which had since become dormant, thereby breaching the Articles of Association.
  • The trust was using related commercial companies and connected parties to provide 83% of its central functions and expenditure without following a proper procurement process. Remember that delivery of services by related parties can only be ‘at cost’ (see below) and a contract for services or goods may need to advertised and comply with EU procurement rules if over a threshold of £164,176 (unless it can be argued that by their nature the services fall under the Light Touch Regime in which case a higher threshold of £589,148 may apply). The ESFA was not satisfied that adequate procedures were in place to manage conflicts of interest between the Trust and connected companies. The same people sat on the Trust board and the boards of group companies providing the services. Directors were approving invoices from their own group companies for payment. This was potentially a breach of Companies Act duties and charity law, as well as the AFH.
  • The award of a contract for smartboards at one of the trust’s primary schools to a group company did not follow best practice and could not demonstrate value for money
  • The trust had failed to keep EduBase updated with details of members and trustees within 14 days.
  • There was no central of register of contracts, making it difficult to coordinate the re-tendering to drive value for money
  • There was a failure to publish details of business and pecuniary interests of trustees on the website and failure to keep adequate minutes of trustee meetings.

The Trust was ordered to undertake a review of its governance arrangements and carry out urgent corrective actions.

The second review was published on 28 June and concerned the Rodillian MAT. The investigation was triggered by complaints about the Accounting Officer staying at a luxury hotel several nights a week, despite living within travelling distance of the schools. The review quickly broadened in scope and found other issues which are documented in the ESFA report:

  • The Accounting Officer had been reimbursed for hotel accommodation – although there was no policy on approved subsistence and travel in place to measure the reasonableness of this and no evidence of Board approval for the expenditure
  • The trust had rented a flat for the Accounting Officer – although the benefit was not documented – this should have been regarded as a novel or contentious payment and ‘ex gratia’ benefit for which ESFA approval was required
  • The Trust had awarded a contract worth £1.45m for alternative education for students excluded from mainstream provision without following a competitive tendering procedure. Although the contract was for 5 years, the liability in the accounts was only shown as a 3 year commitment.
  • The Trust did not have an up to date financial procedures manual in place
  • There were no proper procedures for authorising payments to suppliers
  • The Trust had entered into supposed ‘operating leases’ of smart boards which were in fact ‘finance leases’ (which require prior approval from ESFA).
  • The Trust Chair was paid for consultancy services – as the Chair was also a member this is not allowed and would have required prior consent from the Charity Commission.

The third review concerned Enquire Learning Trust. According to the report, similar themes came to light:

  • Senior managers were employed ‘off payroll’ through limited companies
  • There was lack of skills and oversight of managers by the Trust Board
  • The role and responsibilities of the Accounting Officer were not documented in a contract
  • The financial reports presented to the board were inadequate and did not give trustees a picture of the overall consolidated financial position of the trust. There was no 3-5 year consolidated forecast.
  • Two significant related party transactions in 2015/16 were not disclosed
  • Financial controls over purchasing, including the use of corporate credit cards were inadequate. The lack of segregation of duties and independent oversight of purchasing and payment arrangements increased the risk of inappropriate expenditure.
  • Trust officers had claimed irregular payments for valuations of trust premises in connection with a scheme to transfer the Trust premises into their personal pension funds and lease it back to the Trust
  • There was no central asset register to keep track of valuable items such as laptops issued to staff
  • There was no audit committee or independent Responsible Officer to carry out assurance checks

Lessons to be learned

A complaint can be triggered by a disgruntled employee or governor – once the process starts it can be very resource intensive to manage and the scope of the inquiry can quickly widen.

  • Understanding the separation of roles between members, trustees and executive managers is absolutely critical. A clear Scheme of Delegation, Code of Conduct, policies and procedures are your first line of defence in demonstrating compliance. Be clear about who your members are and keep the register up to date so it is clear who actually holds the voting rights. Make sure they are involved in relevant key decisions and due process is followed.
  • Remember the ‘at cost’ requirement if awarding contracts to a ‘connected party’. An individual or company can supply good and/or services up to £2,500, cumulatively, in any financial year which can include profit; however, beyond £2,500, all transactions must be ‘at cost’ without profit. Where ‘at cost’ is triggered, a statement of assurance is required from the supplier to support the arrangement, which the Accounting Officer must review to ensure that there are no issues with the transaction. ‘Connected parties’ include members, trustees, sponsors (as well as their family members and business associates).
  • Develop a set of Standing Orders and Financial Regulations which set out the requirements for obtaining competitive quotes, authorisations for expenditure, delegated limits and the limited circumstances in which this can be waived. Remember that contracts with a value in excess of £164,176 may be subject to EU competitive tendering rules.
  • Be very careful about awarding contracts to ‘connected parties’. These will almost always be spotted during the external audit and will be flagged up in your annual accounts attracting further scrutiny. The Articles of Association will usually set out the process which must be followed to properly authorise such a transaction – any trustees with an interest in the contract must declare this and must withdraw from the meeting.
  • Develop a set of policies on subsistence and accommodation expenses, gifts and hospitality so that everyone knows where the boundaries are.
  • “Off payroll arrangements” – whilst there may be the odd time such arrangement is appropriate, for standard roles payments should be on-payroll, which also helps ensure that the individual is meeting their tax obligations.
  • Make sure that novel and contentious issues go to the Board for discussion and that decisions and the justification for them are properly minuted.
  • Understand the difference between finance leases and operating leases . Under an operating lease all risks and rewards related to asset ownership remain with the lessor for the leased asset. In this type of lease, the asset is returned by the lessee after using it for lease term agreed upon. The ownership of the asset remains with the lessor. However, under a finance lease the risks and rewards related to ownership of asset leased are transferred to the lessee. The lessee usually has an option to acquire ownership at the end of the lease by making a further payment. In accounting terms, this is usually treated like a loan.
  • If these Trusts had had an effective Audit Committee providing oversight and challenge, these situations could probably have been avoided. As one review commented: “Audit Committee functions should be established in such a way as to achieve internal scrutiny that delivers objective and independent assurance. Where the Responsible Officer function is provided by [a group company] it cannot be shown to be independent and hence is in breach of the Academies Financial Handbook”. See more on the role of an Audit Committee.
  • It is always good practice to take a step back before entering into any unusual transactions and consider the wider implications. Could this transaction attract adverse media coverage? Is it outside our normal business activity? If we enter into the transaction and another academy trust hears of this, will it impact upon the wider sector? Whilst this  comes down to judgement and perception, it may be safest to consult with ESFA before performing the transaction rather than being criticised later for making the wrong decision.
  • Consider undertaking a governance review facilitated by an external provider to check your house is in order and that you are following best practice. We offer a fixed price service GovernanceCHECK360.

 


Mark Johnson is an independent solicitor and chartered company secretary helping academy trusts, schools, colleges and not for profits to stay compliant, manage risks and plan for success. Contact us today for a no-obligation chat or check out our website at elderflowerlegal.co.uk or call 01625 260577.  Find out for more details of our service packages here.
If you would like to be kept up to date on more topics like this, then why not sign up to receive our regular newsletter.

Data Protection – Everything You Need to Know Part 2

Data Protection – Everything You Need to Know But Were Afraid to Ask – Part 2

‘It used to be expensive to make things public and cheap to make them private. Now it’s expensive to make things private and cheap to make them public.’- Prof Clay Shirky, NYU.

In Part 1, I outlined how the protection of personal data has become a critical risk area for business, not-for-profits and charities as the regulator, the Information Commissioner’s Office (ICO), takes a tougher stance on enforcement of the rules.  A series of high profile incidents have heightened public concern about privacy and the misuse of personal data. Now organisations will need to prepare for even more stringent rules: in spite of Brexit, the new EU-wide General Data Protection Regulation (GDPR) will still come into force on 25 May 2018.  In Part 2, I explain what will change when the GDPR comes into force from 25 May 2018.

What will change under the GDPR in 2018?

The GDPR will introduce a series of explicit rights for individuals in respect of their personal data, some of which are new, and some are enhancements of the existing position:

  • Right to access data (to be told whether personal data are being processed and access a copy)
  • Right to erasure (if consent is withdrawn, or there is no legal basis for holding the data individuals may request erasure)
  • Right to portability (the right to require data to be transferred to another data controller in a machine readable format)
  • Right to rectification – an individual’s right to have inaccuracies corrected or include a supplementary statement
  • Right to restrict processing – data to be held in limbo while any disputes are resolved
  • Right to be informed – i.e. to be told what information is being processed and for what purpose
  • Right to object – the right to stop personal data being processed by withdrawing consent or some other legal basis.

The key changes

  • The definition of ‘personal data’ will be widened to include IP addresses, genetic and biometric data.
  • Organisations will need to keep proper records of their data processing activities and make these available to the regulator if requested.
  • Data processors (as well as data controllers) have direct obligations for the first time. These include an obligation to: maintain a written record of processing activities carried out on behalf of each controller; designate a Data Protection Officer where required; appoint a representative (when not established in the EU) in certain circumstances; and notify the controller without undue delay on becoming aware of a data breach. How data protection matters are addressed in supply and other commercial agreements will need to be reviewed – especially the allocation of liability for data breaches.
  • The £10 fee for accessing records will be abolished and the time limit for dealing with a request to access or correct a record will be shortened from 40 days to 1 month. Extensions of up to 2 months may be allowed if the request is complex. Requests may be refused if they are ‘manifestly unfounded or excessive’
  • The right to request erasure of data has been strengthened. Under current rules the erasure can be requested if processing it causes unwarranted and substantial damage or distress. There will be specific circumstances where erasure can be requested e.g. the individual withdraws consent to processing, or the data was unlawfully processed in the first place. There will be very limited grounds to refuse to erase, e.g. to comply with a legal obligation in performing a public interest task or for public health purposes.
  • New right to ‘data portability’ – individuals will be allowed to obtain and re-use their personal data for their own purposes across different services (e.g. for use on a price comparison site). Organisations must provide the data free of charge in a machine readable format e.g. a .csv file within 1 month of a request.
  • There will be significantly harsher penalties for data breaches – the current limit of £500,000 will increase to 20 million euros or 4% of an organisation’s global turnover, whichever is greater
  • An explicit right for individuals affected by a breach of the rules by a data controller or a data processor to bring a claim for compensation which need not be for financial loss, it could cover personal distress and anxiety.
  • Special rules will apply to children’s personal data – privacy notices must be child-friendly. Before offering online services to children under 16 (most likely set at under 13 in the UK), parent or guardian’s permission will be required (except for online counselling and preventative services). (Note this does not affect the existing law for offline transactions where the capacity of the child may be relevant).
  • New privacy notices will be required which provide information about retention periods for data, the rights of the data subject, the right to withdraw consent, the right to complain to the ICO, whether it is a statutory or contractual requirement to provide the data, and whether any of the data will be used for automated decision-making about the individual.
  • There are potentially onerous new obligations on accountability and information governance. There is an explicit duty to put in place appropriate organisational measures to demonstrate compliance with the rules, which could include data protection policies, staff training, internal audits of data held and processing activities, privacy impact assessments when implementing new technologies or activities, reviews of internal HR policies and regular reviews of security arrangements. If your organisation has more than 250 employees there will be a more onerous duty to maintain records of processing activities. These records may be called for by the ICO as part of an investigation and may form an important part of your defence to any enforcement action.
  • Mandatory duty to appoint a Data Protection Officer for public authorities or organisations which undertake large scale monitoring of individuals or large scale processing of ‘sensitive personal data’. Note it is the scale of the processing, not the size of the organisation that matters. The DPO’s role is to (a) inform and advise the organisation and its employees about their data protection obligations, monitor compliance with data protection laws, conduct internal audits, train staff and coordinate data protection activities, be the first point of contact with ICO and supervisory bodies, as well as customers and suppliers whose data is being processed. The DPO is expected to report directly to the Board and must be given adequate resources and authority to perform their role. The role does not necessarily have to be an employee- it can be contracted out.
  • Duty to report data breaches to the ICO where it is likely to result in a risk to the rights and freedoms of individual affected; also a duty to notify the individuals affected if there is a high risk to their rights and freedoms. Notification must be made within 72 hours. The notification must detail the number of individuals and records involved, a description of the likely consequences of the data breach and the measures to be taken to (a) deal with the breach and (b) mitigate possible adverse effects. Failing to notify a breach can result in a fine of up to 10 million euros or 2% of the organisation’s global turnover!

What do we need to do to prepare for GDPR?

  • Ensure Board members and management are aware of the new duties and are taking active steps to prepare, including securing resources and budgets required.
  • Designate a Data Protection Officer to take responsibility for compliance and decide where this role will sit within your organisation’s overall governance structure.
  • Review all policies and procedures which are relevant to data protection and privacy.
  • Conduct information audit and privacy impact assessments – understand what personal data your organisation holds, where it comes from and with whom you share it; identify the legal basis for processing the information, document your findings. Is there a clear audit trail showing how and when individuals gave their consent to processing of their personal data and opted into marketing communications?
  • Review your privacy notices- see examples of good practice here
  • Take extra care if you are collecting information about children – bear in mind the new requirement to obtain parent or guardian’s consent to processing data about children in most cases.
  • Prepare to deal with subject access requests within the shorter time period of 1 month
  • When contracting out work to third parties (e.g. payroll providers, HR consultants, fulfilment houses)- check what measures they have in place to ensure compliance with the new duties – are they signed up to any certification schemes or codes of conduct? Ensure you have appropriate contractual clauses in place to protect your organisation against their failures.
  • Have robust procedures for detecting and investigating data breaches and internal reporting so that notification ca