Internal Audit - Principal

Annual Registration – Data Protection

As each school is deemed to be a separate entity of the Education Authority by the Information Commissioner, each is required to be registered under the Data Protection Act 1998.  In most cases you (the Principal) will be the nominated Data Controller for the school and the cost of registration is £35, renewable annually.    

  • Go to the website:    
  • Click on the icon ‘Search the register’ on the right hand side of the screen (coloured pale blue)   
  • Click on the icon ‘Search the register’         
  • Key-in your postcode   

If you know your school is not yet registered, please ensure that this is arranged immediately as it is an offence to hold and process personal data without having an entry in the register maintained by the Information Commissioner and failure to register annually could result in prosecution.

To register on-line please follow the instructions below:   

  • Go to the website    
  • Click on the icon ‘Register or renew’ on the right-hand side of the screen (coloured pale yellow)     
  • Click on the icon ‘Register now’     
  • Follow the instructions  

Alternatively you can phone the Information Commissioner’s office at 0303 123 1113. Staff there will guide you through the registration process and post the completed questionnaire to the school for your final completion, verification and signature.

Principals who have previously registered their school with the Information Commissioner recommend completing the registration by telephone rather than on-line as it is an easier and less cumbersome process.

New Data Protection (GDPR) Legislation from May 2018 - #EAThinkData

The UK government announced that it will implement the General Data Protection Regulation (GDPR) from 25 May 2018.

The new legislation intends to strengthen and unify data protection for all individuals within the European Union (EU).  While the principles are similar to those in the Data Protection Act 1988, there are some additional requirements that schools need to be aware of.

A new ‘EA Think Data’ program, launched in September, will assist schools in preparing for GDPR. EA Think Data will include materials, advice and communications from the ICO on what schools need to do to comply with data protection law from May 2018.

Freedom of Information

An increasing number of schools are receiving requests from members of the public for information under the Freedom of Information Act.  The Education Authority has provided guidance to assist schools in responding to such requests and this can be accessed here.  Click on ‘FOI and DPA Advice for Schools’ and then click on ‘Schools In Northern Ireland Definition Document’.

Under the terms of this legislation public authorities, including schools, are required to respond to Freedom of Information requests as soon as possible, and not later than 20 working days after receiving the request.  This requirement has been extended by a statutory instrument to 60 working days to allow schools sufficient time to deal with requests received during the months of July and August.

Theft - Security of Cash

Over the last year there has been a marked increase in the number of thefts of cash at schools.  You should ensure that all school income and personal belongings are held securely at all times and especially during events where the school is open to members of the public. Also, regular and timely lodgements should be made to the bank, building society or post office to help reduce the risk of cash being stolen from the school.

Reporting of Thefts

Schools continue to be targeted by individuals pilfering items such as heating oil, lead on roofs, cash and laptops.

The Department of Education’s ‘Guidance on Financial and Management Arrangements for Controlled and Maintained Schools Funded Under The Common Funding Scheme’ states at paragraph 6.18 ‘Whenever any matter arises which involves or is thought to involve irregularities concerning cash, stores, property or other assets of the ELB*, the Board of Governors or Principal shall forthwith notify the Chief Executive who shall take such steps as are considered necessary by way of investigation and report’.  It is very pleasing to see that many schools have contacted the Education Authority and PSNI when such incidents occur. 

*Education Authority.


Phishing is the fraudulent act of emailing a person in order to obtain their personal/financial information such as passwords and credit card or bank account details.  These emails often include a link to a bogus website encouraging you to enter your personal details.

Do not give out private information (such as bank account details, passwords and PIN numbers), reply to text messages, download attachments or click on any links in emails if you are not sure they are genuine.  Do not cut and paste a link from the message into your web browser – phishers can make links look like they go to a genuine site, but then actually take you to a look-alike site.

If you have reservations about the authenticity of the information received, contact the organisation using a phone number you know to be genuine, or open a new internet browser session and type in the company’s correct web address yourself.  Using and maintaining up-to-date anti-virus software and a firewall can also help.

‘Fraud: Spot it, Stop it!’

Unfortunately the level of resources available in the school can be impacted by fraud.  These are some of the indicators that your school may be at risk of fraud:

Personal Motives  

  • Expensive lifestyle in comparison to their salary    
  • Personal problems (gambling, alcohol, drugs, debt etc)    
  • Conflict of interests (personal and business relationships)  
  • Disgruntled employees who believe they receive inadequate compensation and/or rewards (recognition, job security, vacations, promotions etc).

Possible Methods of Committing/Concealing Fraud

  • Members of staff not taking leave or an insistence on doing the job alone   
  • Annoyance at questions  
  • Unreasonable explanations to questions asked    
  • Missing documents    
  • Documents written in pencil, altered or using false signatories/incorrect person signing  
  • Records maintained are inadequate, not updated or reconciled    
  • Teeming and Lading (allocating one payee’s money to another in order to make the books balance to hide a shortfall or theft)    
  • Manipulating school meals income records by transferring free meal entitlements of absent pupils to paying pupils. 

Everyone has the responsibility to report suspected or actual fraud in accordance with the Department of Education’s ‘Guidance on Financial and Management Arrangements for Controlled and Maintained Schools Funded under the Common Funding Scheme’ 2005.

Assistance For School Secretaries

In most schools the school secretary receives, records and lodges monies belonging to the Education Authority and the school.  A secretary’s role is crucial to the effective and efficient running of the school and ideally, to protect their integrity and reputation, it is advisable, where feasible, that the responsibility for these duties should be segregated.  It is acknowledged that particularly in a small primary school this may not be possible, and therefore you, as Principal, should endeavour to have a more proactive role in monitoring the income received, recording and lodging of all monies.  Internal Audit is willing to provide advice and assistance, if requested.

Income - School Private Fund & Education Authority Accounts

The incidence of fraud against school private fund accounts continues to be a matter of concern for both the Education Authority and the Northern Ireland Audit Office.  It is important that you actively manage the operation of all private fund accounts to prevent the potential loss and misuse of such funds.

This can be achieved by ensuring that cash handling procedures are adhered to at all times.  Only authorised persons should have access to cheque books and cash and, where appropriate, receipts should be issued for income received e.g. school trips.  All private fund transactions should be recorded on a written or computerised ledger.  Should you require assistance in developing these systems please contact Internal Audit.

Particular attention should be paid to all cash income that comes into your school in respect of:

  • Milk and meals    
  • Charity/fundraiser events  
  • Sales of DVDs for pantomimes or Christmas concerts    
  • Ticket sales for school concerts    
  • School trips.

Records for the above should identify each individual payee and the amount given.  These records should be kept for 7 years in accordance with the Department of Education’s ‘Disposal Schedule for Schools’.  It is good practice, if feasible, to have 2 people counting income, particularly during school events when there may be large sums of money. Information on how much money was raised and how it was spent should be included in the Annual Report and presented to parents at the AGM.

As Principal you are responsible for private fund money, so it is important that you make regular inspections to confirm income, expenditure and current balances in each of these accounts.  You should also ensure that you have access to all bank statements associated with these accounts and complete regular bank reconciliations.  Independent annual audits should also be completed on each private fund account and these should be presented to the Board of Governors together with the Audit Certificate and a Statement of Income and Expenditure for approval.

Engagement of Individuals to Provide Services – Income Tax and National Insurance Implications

Schools that pay individuals by cash or school fund cheque for providing services could be mistakenly perceived as trying to assist or be complicit in avoiding the payment of income tax and national insurance. Paying individuals in cash, as opposed to using the Education Authority’s payroll system, is in breach of HMRC guidelines, potentially resulting in prosecution and/or fines.

‘Cash/Cheque’ payments for services provided should only be issued to those individuals who produce evidence that they are self-employed, and responsible for paying their own income tax and national insurance to HMRC.

Newcomer Guidelines

In order to receive funding for Newcomer children for the first 3 years the Department’s newcomer designation pro-forma must be completed for each child requiring this assistance.

From the 4th year onwards an additional Common European Framework Assessment must also be completed by schools to assess the appropriateness of entitlement of ongoing funding.

The completed newcomer designation pro-forma should be forwarded to the school a pupil transfers to, to enable accurate and complete newcomer details to be recorded.

Payment of Copyright Licensing

A number of organisations contact schools seeking payments in respect of copyright licences.  Should you receive a request of this nature, you should only issue payment if you are satisfied that the licence is required.  If you have any doubts you should contact the licensing body to get the appropriate clarification required.

Use of Facilities

An official UF1 form should always be issued for completion by an applicant/organisation wishing to use school facilities. Charges for each applicant/organisation should be considered by the Board of Governors and set to give full cost recovery, or at least the minimum return required to cover overheads e.g. caretaker’s salary and utility costs. 

The completed UF1 form should then be sent to the Education Authority to enable invoices to be issued and outstanding debts to be pursued, if required. Charges established should be subject to an annual review by the Board of Governors.

If income (either by cash/cheque) is received from an applicant/organisation for the use of facilities at school, it should be lodged to the school’s private fund account and a cheque written and forwarded to the Education Authority.

Use and Maintenance of E-mail Address

To protect school data, official school email accounts should be used at all times e.g. info@, or Under no circumstances should other email accounts be used to share data relating to the school.  Remember it is crucial to manage the ‘Inbox’ by regularly archiving emails and maintaining sufficient space to allow new emails to be received.

School Laptops

Laptops, tablets and smart phones are portable and highly desirable devices.  As a result, this type of device is at greater risk of theft, both for the device itself and for any data that may be held on it.  It is therefore important to ensure that staff are reminded of the following:

  • Guidance regarding devices used and their security should be adhered to at all times
  • Laptops, tablets and mobile devices should not be left in full view in a vehicle even for a short period of time; they should be locked in the boot.  Furthermore they should not be left in a vehicle overnight  
  • A password or PIN code must be used in order to protect information held on laptops and mobile devices
  • School related data should only be held on laptops for the specific time required and should be removed when it is no longer needed   
  • Backup copies of school related data should be made and copies stored very securely    
  • Personal data should not be stored or processed on any school laptop or external memory device.   

Additionally you should ensure that staff are either trained or given written guidance in respect of handling, storage and secure disposal of personal or sensitive data. 

Monitoring of LMS Expenditure (Extended Schools, Shared Education)

At this time of reduced funding a significant concern for you is keeping within budget; therefore, regular monitoring of income going in and expenditure going out of your LMS budget is essential.  To do this appropriately, you should be aware of all the sources of income available to you including those from LMS and any other external funders or ear-marked budgets e.g. DSD, Extended Schools and Shared Education.  It is imperative that you maintain control of the expenditure from each of these funding streams to ensure this remains within the funds allocated and that LMS monies are not used to subsidise any overspends from other funding streams. It is also recommended that you retain invoices for each funding source in separate folders to facilitate your reconciliation of each.

It is also important for you to check the income and expenditure recorded on the detailed transaction reports (DTRs) to confirm they are accurate and appropriate, as human errors can occur.

To fulfil the financial responsibilities delegated to you by the Board of Governors you should present the up-to-date financial position of the school as a standing agenda item at each meeting of the Board of Governors.

Compliance with Attendance Procedures for Teachers & Non-Teaching Staff In Schools

To help to achieve the Department of Education’s RAP target for Teacher Absence (5 days), the Board of Governors should comply with the guidance set out in the TNC 2008/2 (amended) ‘Teacher Attendance Procedure’. Additionally the ‘Managing Attendance at Work’ policy for non-teaching staff should also be adopted.  

In summary the Principal should ensure that:

  • they meet with each member of staff who returns to work following a period of sickness absence.  This meeting should be documented and retained at the school    
  • members of staff complete a Self-Certification Certificate to cover the first 7 days of any absence through sickness  
  • contact is maintained with members of staff during illnesses    
  • sick pay is effectively monitored and verified using the monthly finance reports
  • responsibility for health, welfare and attendance is designated to a governor
  • Board of Governors receive regular reports on teachers’ and non-teaching sickness absences    
  • attendance management is a standing agenda item at each Board of Governor meeting
  • timely referrals are made to the Occupational Health when appropriate.

Salaries & Wages

Schools are now submitting electronic time-sheets to the Education Authority to enable salaries and wages to be paid to staff. It is essential that when time-sheets are submitted a copy is also printed, signed and dated and retained for 7 years by the school in accordance with the Department of Education’s ‘Disposal Schedule for Schools’.

Last updated: 03/02/2020