Part 5: Assurance

Assurance arrangements and how they apply to independent training providers.

5.1. This section outlines assurance arrangements and how they apply to independent training providers (ITPs), depending on the funding group they fall within.

Internal controls review

  • More than £8 million: Required
  • More than £1 million up to £8 million: Recommended
  • More than £100,000 up to £1 million: Discretionary
  • Up to £100,000: Discretionary

5.2. To have, and follow, a formalised internal review process which ensures that the ITP’s policies, procedures, and controls relating to financial management and governance are robust, effective and up to date.

5.3. The approach an ITP could use might vary depending on the size, scale and type of funded contracts/income they have, but could range from an annual review of key policies to a full internal audit of relevant processes, policies and programmes of work.

5.4. Having internal audit would provide DfE/ESFA with additional confidence that an ITP can effectively deliver allocated funds. Internal audit could be carried out by an independent in-house function or by a bought-in internal audit service.

5.5. Where internal audit is undertaken, it should:

  • be independent and objective – for example it should not be performed by a member of the finance team or by anyone with a controlling influence over the organisation
  • be conducted by suitably experienced and, where appropriate, qualified individuals, able to draw on technical expertise, as required
  • be timely, with the programme of work spread appropriately over the year, so higher risk areas are reviewed in good time
  • evaluate the suitability and effectiveness of, and level of compliance with, financial and other controls, including the ITP’s oversight of any sub-contracted delivery
  • offer advice and insight to the management team of the organisation on how to address weaknesses in financial and other controls, acting as a catalyst for improvement, but without diluting management’s responsibility for the day-to-day running of the organisation
  • ensure all categories of risk are adequately identified, reported, and managed
  • identify on a risk basis (with reference to its risk register, where appropriate) the areas it will review each year, modifying checks accordingly. For example, this may involve greater scrutiny where procedures or systems have changed
  • take account of other assurance arrangements and procedures to inform the programme of work. For example, it should have regard to any recommendations from external auditors and from any reports produced by ESFA as part of their programme of assurance activity

Appointment of external auditors

  • More than £8 million: Required
  • More than £1 million up to £8 million: Required
  • More than £100,000 up to £1 million: Discretionary
  • Up to £100,000: Discretionary

5.6. To appoint an external auditor to provide an opinion on whether the ITP’s annual accounts are a true and fair view of its financial performance and position, even if not a statutory requirement for the ITP. This might be an audit of group level accounts if there are no separate subsidiary accounts. This is effective for accounting periods commencing on or after 1 August 2025.

5.7. Many ITPs are already required to appoint external auditors under the Companies Act 2006, Charities Act 2011 or Limited Liability Partnership Audit and Accounts Regulations 2008.

5.8. ITPs must note any areas for improvement identified by the external auditor and have a plan to implement and monitor the recommended improvements. ITPs with an audit and risk committee (or equivalent) should ensure the committee holds the management team to account in relation to improvements identified.

External audit management letters

  • More than £8 million: Required
  • More than £1 million up to £8 million: Recommended
  • More than £100,000 up to £1 million: Discretionary
  • Up to £100,000: Discretionary

5.9. To submit management letters provided by external auditors (where appointed) to DfE/ESFA, using submission methods determined by DfE/ESFA. Control risks for wider group structures, which are unrelated to DfE/ESFA-funded delivery, may be redacted. Access to management letters will enable ESFA to work with ITPs to mitigate risks and protect funds and learning delivery.

5.10. Management letters will outline and rank control risks, if any, identified by the external auditors and make recommendations to the ITP.

ESFA assurance activity

5.11. ESFA will continue to perform its regular programme of assurance activity relating to ITPs. This includes funding audits, sampled on a random and risk basis, as well as financial health assessments. This handbook helps ITPs establish processes which will enhance the likelihood of positive assurance outcomes from those audits and assessments.

ESFA funding audits

5.12. ITPs receive funding under contracts for services with DfE/ESFA. These require providers to comply with funding rules, maintain individualised learner records (ILRs) and submit ILR data and other returns to DfE/ESFA to support their funding claims. They also provide for DfE/ESFA to conduct funding assurance and other ad hoc reviews.

5.13. ESFA obtains direct assurance over providers’ funding through ILR data returns. ESFA conducts a programme of funding monitoring and data validation, which involves data analysis and identifying providers’ ILR data anomalies. ESFA informs providers of the ILR data anomalies and explains how to correct any errors. ESFA also obtains direct assurance through a programme of funding assurance reviews (funding audits).

5.14. In addition to the direct assurance performed by ESFA, mayoral combined authorities (MCAs)/Greater London Authority (GLA) may adopt their own processes for assurance on the funding they give to ITPs.

5.15. Providers may sub-contract the delivery of ESFA-funded learning, provided they comply with the sub-contracting requirements set out in ESFA’s funding rules and in the Assurance reviews of the subcontracting standard for post-16 providers.