The ESFA Academies Financial Handbook (AFH) sets out a range of demanding obligations with which trusts must comply. Section 2.2 includes the need for trusts to establish robust control frameworks, with sound internal control, risk management and assurance processes that reduce the risk of fraud or theft. This article distils the legal requirements for trusts to demonstrate effective financial management of their information technology, now one of the largest areas of discretionary spending after staffing, buildings and facilities.
With new requirements arising from the Data Protection Act 2018, the governance framework for managing IT in trusts has become increasingly complex. The updated Act introduces additional obligations in the management of risk, audit and compliance relating to the configuration, administration and security of IT systems. Elizabeth Denham, the Information Commissioner, has stated, “boards [senior management / trustees / governors] need to ensure that internal controls and systems work effectively to meet legal requirements.” The effectiveness of these internal controls is particularly significant in preventing breaches of data protection law through non-compliant IT systems. IT systems compliance is a complex undertaking and having the right assurance is imperative:
"9ine's technical audit of our schools has provided the trust executive team with a measurable, independent and objective assessment of our technology estate, enabling us to prioritise our resources where needed, manage risks and demonstrate our compliance obligations." Brooke Weston Trust
“Ensure budget forecasts are compiled accurately, based on realistic assumptions including any provision being made to sustain capital assets, and reflective of lessons learned from previous years” AFH 2018, Annex C: Schedule of requirements (the ‘musts’)
An accurate IT budget for a trust is divided into costs for central services and costs associated with each school, and then split into operational and capital costs. Operational costs should be relatively easy to predict, on the assumption that cost codes are accurate and invoices have been allocated correctly in previous years. Replacement capital costs are based on an accurate asset inventory of all IT devices, systems and services, and must take end-of-life information into consideration. Equipment and software past the vendor's end of life no longer receive security updates, so by ignoring end-of-life information you are inadvertently failing the technical measures that data protection law requires.
Trust boards need to be confident in submitting accurate three-year budget forecast returns, as required by the ESFA in Section 2.3.2 of the AFH 2018. Without a measurable, data-driven, volume-based and technically feasible information technology budget, supported by an appropriate IT strategy, this is difficult to achieve. Adding coherence to the budget requires all schools in a trust to follow the same approach and format. Importantly, accurate asset information for IT equipment at each school is only realistic if the systems that record and track devices at each school are properly configured and kept up to date.
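The forecast described above, as an added example that is not part of the original article or of 9ine's tooling: a small Python script that takes an asset inventory with vendor end-of-life dates and replacement costs, flags devices that are already out of support (and so no longer receive security patches), and rolls the replacement cost up into a per-school and trust-wide CAPEX forecast for the next three financial years. The inventory rows, school names, costs and dates are constructed sample data, and the script assumes the academy financial year runs 1 September to 31 August.

```python
"""Added example: three-year replacement CAPEX forecast from an IT asset
inventory keyed on vendor end-of-life dates. Sample data is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    school: str            # school (or "Central") within the trust
    tag: str               # inventory tag
    kind: str              # e.g. "laptop", "switch", "server"
    end_of_life: date      # date vendor support and security updates stop
    replacement_cost: int  # GBP; assumed like-for-like replacement quote


# Constructed sample inventory; tags, dates and costs are illustrative only.
INVENTORY = [
    Asset("School A", "A-0001", "laptop", date(2019, 3, 31), 450),
    Asset("School A", "A-0002", "switch", date(2020, 8, 31), 1200),
    Asset("School A", "A-0003", "server", date(2017, 12, 31), 6000),
    Asset("School B", "B-0001", "laptop", date(2021, 6, 30), 450),
    Asset("School B", "B-0002", "laptop", date(2019, 9, 1), 450),
    Asset("Central", "C-0001", "firewall", date(2018, 10, 15), 3500),
]


def budget_year(d: date, fy_start_month: int = 9) -> int:
    """Map a date to the academy financial year (assumed 1 Sep to 31 Aug).

    The year is labelled by the calendar year in which it begins, so
    2019-03-31 falls in financial year 2018 and 2019-09-01 in 2019.
    """
    return d.year if d.month >= fy_start_month else d.year - 1


def unsupported_assets(inventory, today: date):
    """Assets already past end of life: no further security updates."""
    return sorted((a for a in inventory if a.end_of_life < today),
                  key=lambda a: a.tag)


def capex_forecast(inventory, today: date, years: int = 3):
    """Per-school replacement CAPEX for each of the next `years` financial years.

    Assets already out of support are scheduled in the current financial
    year (they should be replaced now); all others are scheduled in the
    year their end-of-life date falls in. Assets beyond the horizon are
    left out and will appear in a later forecast.
    """
    first = budget_year(today)
    horizon = range(first, first + years)
    schools = {a.school for a in inventory}
    forecast = {s: {y: 0 for y in horizon} for s in schools}
    for a in inventory:
        y = max(budget_year(a.end_of_life), first)
        if y in forecast[a.school]:
            forecast[a.school][y] += a.replacement_cost
    return forecast


def trust_totals(forecast):
    """Sum the per-school forecast into a trust-wide figure per year."""
    totals = defaultdict(int)
    for per_year in forecast.values():
        for y, cost in per_year.items():
            totals[y] += cost
    return dict(totals)


def run_example(today_iso: str = "2018-10-01"):
    """Run the forecast against the sample inventory for a given date."""
    today = date.fromisoformat(today_iso)
    forecast = capex_forecast(INVENTORY, today)
    return {
        "unsupported": [a.tag for a in unsupported_assets(INVENTORY, today)],
        "forecast": forecast,
        "totals": trust_totals(forecast),
    }


if __name__ == "__main__":
    result = run_example()
    print("Out of support now:", result["unsupported"])
    for school, per_year in sorted(result["forecast"].items()):
        print(school, per_year)
    print("Trust total:", result["totals"])
```

Out-of-support assets are pulled into the current year rather than the year they expired, because the compliance exposure is already live: the replacement cannot be deferred to a later return. Real inventories also need a source of truth for end-of-life dates (vendor lifecycle notices or a configuration-management database) rather than values typed in by hand.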
As part of 9ine’s service to trusts, we provide trust leaders and their boards with the support and assurance required to accurately forecast OPEX and CAPEX budgets for information technology.
IT Operational Management
A materialised IT risk, or incident, carries significant financial cost. Common examples include a critical equipment failure on a device that is no longer under warranty, corruption of system configuration files, a successful phishing attack that leads to ransomware encrypting files, or a storage failure leading to loss of data and systems. Each of these has a significant financial cost attached. The Data Protection Act 2018 requires organisations to have assessed each of these risks and to take mitigating action proportionate to the resources available to the organisation. Likewise, the AFH 2018 requires these risks to be identified and managed.
The Data Protection Act 2018 also requires trusts to have determined how employee data will be processed and to have assessed the privacy implications, such as where it is stored and who can access it. You can read more about organisations' legal duties to their employees in our previous blog.
"Tudor Grange Academies Trust appointed 9ine in assessing our IT services requirements, the creation of service management specification and the procurement of a managed service for the trust of (initially) seven schools. Key to the success of the process was 9ine's understanding of the technology service needs for the trust and the development of an IT service structure that would meet the needs of our staff and learners. Throughout the process 9ine were at hand to offer support and guidance; and following the recommendation of a preferred bidder, 9ine were superb in managing the contract through to financial close." Tudor Grange Academies Trust
Fraud & Cyber Security
The handbook emphasises in Section 2.2 the need for sound internal control principles to reduce the risk of fraud or theft. Over the past 12 months we have seen a marked increase in fraud relating to cyber security breaches in UK schools. Notably, one in ten reportable data protection breaches to the ICO in Q4 2018 from organisations in the Education sector related to cyber security incidents. In recent instances of fraud within schools, whether through ransomware or other means, the attacker has compromised the IT account of an individual in the finance or business function. Internal controls should therefore reach into the IT estate: multi-factor authentication on finance and business accounts, and independent verification (by telephone, not by replying to the email) of any request to change payee bank details or make an urgent payment, remove the two steps on which this type of fraud depends.
Working with 9ine
Our expertise in working with trusts is driven by our focus on and commitment to research and development in the areas of IT systems development, IT management, cyber security, data protection and safeguarding. In providing independent and objective support, we give trust leadership and boards the tools and information required to make informed and objective decisions. For an introduction to our trust services, please get in touch.