School governance risk: what 'unsure' answers on security audits reveal

By Daryll Holland | Head of Technology and Information Security, Alii

This is the third piece in Alii's Fraud and Security Risk in Schools series, following the release of our survey report and the on-demand webinar that unpacked it. If you're catching up, the short version is this: we surveyed 553 school leaders across Australia, New Zealand, the UK and the US, and the findings say fraud and security risk in schools is no longer something leaders can treat as isolated or occasional. 75.4% reported a confirmed or suspected fraud attempt. 11.4% had paid a fraudulent invoice. But the finding that says the most isn't about attacks at all. It's about how many leaders couldn't say with confidence what protections were in place before one ever happened.

You can download the full report for the complete findings. This piece picks up one thread specifically: what it means when the honest answer to a governance question is "unsure."

There is one word in the survey data that deserves more attention than it usually gets: unsure.

It appears in several places. 37.4% of respondents to our Fraud and Security Risk in Schools survey said they were unsure when their last security audit occurred, 23.7% were unsure about monitoring systems, and 34.2% were unsure whether a designated fraud or data protection owner exists. At the same time, only 15% said recovery plans are regularly tested.

Those numbers tell an important story.

They do not necessarily mean schools have no audits, no monitoring or no ownership. In some cases the controls may exist, the monitoring may sit with IT or a service provider, and the audit may have happened, but not in a way that is visible to the people responding to the survey.

From a governance point of view, though, that distinction only goes so far.

If leaders cannot clearly say what controls exist, when they were last reviewed and who owns the risk, the organisation has a visibility problem, and visibility problems become governance problems very quickly.

Why unsure is not a neutral answer

In most operational settings, unsure sounds harmless. It can feel like a gap in memory or a small reporting issue. In governance, it is more consequential.

If a Board or executive team cannot answer basic questions about audits, monitoring or ownership, it becomes harder to judge maturity, track improvement, justify investment or prove due diligence. It also becomes harder to respond well when something does go wrong, because uncertainty at the reporting level often reflects uncertainty in the operating model underneath.

This is why the report treats unsure as a risk signal, not just an information gap.

The issue is not only whether a control technically exists. It is whether leadership can see it, understand it and rely on it.

There is a big difference between having controls and being able to prove they are working.

What the data suggests

Start with audit recency. More than a third of respondents were unsure when the last security audit occurred. Even if some of those audits happened on schedule, the fact that so many leaders could not say when matters. A control that leadership cannot confidently describe is not doing much to strengthen confidence or accountability.

Then look at ownership. 34.2% were unsure whether a designated fraud or data protection owner exists. This is one of the clearest findings in the whole report because ownership is foundational. If a school cannot name who coordinates fraud prevention and data protection responsibilities, it becomes very easy for risk to sit across finance, IT, operations and leadership without anyone holding the full picture.

Then there is recovery. Many schools expressed some level of confidence in their recovery posture, but only 15% regularly test recovery plans. That gap between confidence and validation is exactly the kind of gap governance should be designed to surface.

These are not minor administrative oversights. They are indicators that oversight is uneven.

What this means for Boards and executive teams

Boards do not need to run controls day to day, and executive teams do not need to inspect every process personally. But they do need a level of visibility that lets them ask sound questions, track improvement and make informed resourcing decisions.

In practice, that means being able to answer a few basics without hesitation.

When was the last security audit and what did it cover? What monitoring do we have, and who reviews alerts? Who owns fraud prevention coordination? Who owns data protection responsibilities? When did we last test recovery in a meaningful way? What changed as a result?

If those questions do not have clear answers, that is not a reason to panic. It is a reason to tighten reporting and ownership.

Governance questions Boards should be able to answer without hesitation

When was our last security audit, and what did it cover?
If the answer is unclear, that's a reporting gap, not just a records gap.

Who owns fraud prevention coordination?
Not which department. A named person or role.

Who owns data protection responsibilities?
Often assumed to sit with IT. It should sit with someone who can name it.

When did we last test our recovery plan, and what changed as a result?
Confidence without testing is not the same as readiness.

The cost of weak visibility

When governance visibility is weak, even good work becomes harder to rely on.

IT may be monitoring the right things, but leadership may not know what is covered or how issues escalate. Finance may have strong payment controls, but no shared reporting on incidents or near misses. A recovery plan may exist, but remain untested and disconnected from decision rights, communications and broader incident response.

Weak visibility also slows improvement. If you cannot see what is happening clearly, it is hard to prioritise. Budget decisions become harder, recommendations from audits may drift, and the organisation ends up relying on assumptions rather than evidence.

That is uncomfortable in normal periods. It is much worse during an incident.

What stronger governance looks like

The good news is that this problem is solvable without dramatic upheaval.

Stronger governance usually starts with a small number of practical moves. Name owners clearly. Even if responsibilities are split across several functions, people should know who coordinates what. Set a reporting rhythm so audit cadence, monitoring coverage, training status, incident trends and recovery testing appear in a form leaders can actually use. Make validation visible, because a plan is more credible when people can see that it has been exercised, reviewed and improved. Reduce uncertainty in the basics, because if a school cannot currently answer who owns what or when something was last tested, that becomes a priority in itself.

These are simple moves, but they change the quality of discussion. Governance becomes less about general concern and more about visible discipline.

Where Alii fits

For a Board, the hardest part of governance is rarely the control itself. It is being able to show, to people who were not in the room when a decision was made, that the control existed, was followed and can be reviewed on request. That is what a Board pack or an external auditor actually needs, and it is exactly what gets lost when evidence lives in someone's inbox or memory rather than a system record.

That is the specific gap workflow visibility closes for governance purposes. When approvals, audit trails and exception handling are captured automatically as part of the workflow rather than reconstructed after the fact, a Board is no longer relying on someone's recollection of what happened. There is a record leadership can point to, independent of who was in the room.

That does not resolve every governance question on its own. But it changes "we believe this is under control" into something a Board can actually stand behind.

Why this matters now

The survey does not show a sector asleep to risk. It shows a sector that is aware of the threat but uneven in how clearly that awareness is translated into ownership, monitoring and validation.

That is why unsure matters.

It points to the places where leaders may need sharper reporting, clearer pathways and more disciplined follow-through. In that sense, unsure is useful because it tells you where confidence may be running ahead of evidence.

Good governance does not require perfection. It requires visibility.

If school leaders can see what exists, who owns it and how well it is working, they are in a much stronger position to improve. If they cannot, the first task is not more awareness. It is clearer line of sight.

Next steps

If this raised more questions than it answered, that's the point. The full report has the complete findings across all 553 respondents. The webinar walks through what Daryll and Carolyn are seeing on the ground in school finance and operations teams right now. And if you want to talk through where your own school or district sits against these numbers, a governance review is the fastest way to find out.

Download the report
Watch the webinar
Explore Alii for Education
Get in touch

Get started with Alii

With solutions suited to your organisation and a range of industry leading integrations, Alii ensures your team is in safe hands.