Certificates of Assurance: Annex 2

INTERNAL CONTROL CHECKLIST

 

The contents of the internal control checklist are as follows:

Section

1. Risk Management
2. Business Planning
3. Major Investment
4. Project Management
5. Financial Management
6. Fraud
7. Procurement
8. Human Resources
9. Equality
10. Information
11. Health & Safety
12. Sponsored Bodies
13. Compliance
14. Review
15. Other

ISSUE | RESPONSE | DETAILS, INCLUDING REVIEW WORK YOU HAVE CARRIED OUT TO VERIFY RESPONSE (MANDATORY) | GUIDANCE NOTE (WHERE APPLICABLE)

1. Risk Management

1.1 Do you have in place processes that seek to identify and record key business risks (linked to business objectives and targets) on an on-going basis?

Yes/No

 

This relates to the use of a structured process to manage business risk in line with the SPFM. This will be one that ensures the right people are involved in the process, and that each stage in the process is being actively recorded and managed. It will also be one that revisits the issues periodically to ensure that the assessments reflect current risks. An example of a structured process would be the maintenance of risk registers at divisional / branch / project level as considered appropriate.

(Guidance on the SG Approach to Risk Management is available on the Intranet. Information to help with this can be found in the Delivery Essentials. General guidance is through Risk Management on the SPFM.)

1.2 Is there a systematic approach to identify and prioritise risks and match them with effective resources?

Yes/No

 

 

1.3 Is risk management actively supported and promoted by branch heads and team leaders?

Yes/No

 

 

1.4 Do you receive reports on the management of key risks and control actions taken?

Yes/No

 

 

1.5 Has appropriate consideration been given to business continuity and disaster recovery for key systems (including ICT) upon which your operations depend?

Yes/No

 

Local response to the possible loss of corporate functions (e.g. SCOTS, SEAS, EASEbuy, accommodation) might be considered in the context of divisional risk management procedures. Where local systems are in operation, including but not exclusively ICT systems, the Division has a responsibility to ensure that consideration has been given to continuity and recovery e.g. back-up discs. Out-stations may have arrangements with local businesses in event of loss of facilities.

(ISIS guidance on Business Continuity is available on the Intranet.)

2. Business Planning

2.1 Does your area have clear business objectives and outcomes which clearly contribute to the achievement of higher level objectives and outcomes, including your divisional plan, and have they been translated into measurable targets against which performance and progress are measured?

Yes/No

 

Your business objectives / SMART targets should be reflected in the Divisional Plan and performance appraisal forms at all levels.

Plans should be linked to the Business Strategy through the Directorate Planning process.

2.2 Have new and/or radically changed work programmes been referred to Finance, Procurement and/or Internal Audit for advice?

Yes/No

 

New initiatives or spend, or changed systems should normally be discussed with Finance, Procurement and Internal Audit colleagues before proposals are finalised.

In terms of undertaking change, the Improvement Framework is one of the main mechanisms underpinning the Scottish Government’s approach to Public Service Reform. Further guidance can be provided through the Leading Improvement Team.

(Guidance on the Role of Finance is available on the Intranet. General guidance on Procurement and Internal Audit is available in the SPFM.)

2.3 In developing targets, does the area identify performance measures which take account of inputs, outputs and outcomes?

Yes/No

 

This question seeks to find out if the relationship between inputs, outputs and outcomes is being applied in developing performance measures.

(Guidance on Performance Management is available on the Intranet)

2.4 Do you regularly receive timely, relevant and reliable reports on progress against targets and take corrective action where necessary?

Yes/No

 

This could take the form of regular reports prepared for consideration at progress meetings or updates provided in the context of regular meetings with managers. Corrective action might involve the reallocation of resources (budgets and staff) and the reordering of priorities.

3. Major Investment

3.1 Has your area been responsible for delivering one or more major investment projects during the past financial year? (If not, please ignore the other questions in this section)

Yes/No

 

Major investment projects are defined in the Major Investment Projects section of the SPFM. All Major Investment Projects must adhere to this guidance. The key principles should be adopted in relation to all investment projects.

3.2 Do / did your project’s governance arrangements align with the Scottish Government’s strategic and sector specific governance procedures?

Yes/No

 

Relevant procedures include the following requirements:

  • Putting arrangements in place to address each of the SG’s Programme and Project Management (PPM) Principles. Information to help with this can be found in Delivery Essentials.
  • Ensuring that people appointed to positions within the project’s governance and management structure have the skills, experience and knowledge necessary to fulfil their role.
  • Registering the project on the SG’s Infrastructure Projects Database if it has reached Outline Business Case state and has a capital budget of £5M+ (inclusive of VAT).
  • Complying with the guidance in the Construction Procurement Manual - if a construction project.
  • For Health Sector projects, complying with the guidance in the NHS Scotland Scottish Capital Investment Manual.
  • Complying with the guidance for delivering ICT enabled projects.

3.3 Have you assessed your project(s) in line with the SG’s assurance procedures and engaged with the appropriate assurance process?

Yes/No

 

Relevant procedures include the following requirements:

  • Completing the Risk Potential Assessment Forms to determine the potential complexity of your project(s).
  • Contacting the SG’s PPM Centre of Expertise - if the project is assessed as potentially Medium or High risk.
  • Certain major investment projects may require Key Stage Reviews (KSRs) during key procurement stages. This includes those projects over £20m in value, or of critical importance/unusual scale or nature to the procuring organisation, or revenue funded, or procured through competitive dialogue. KSRs are undertaken by the Scottish Futures Trust.

3.4 Have you appraised your project(s) in accordance with the SG’s guidance and complied with the SG’s procurement guidance?

Yes/No

 

Projects must be appraised in accordance with the Appraisal & Evaluation section of the SPFM. You must also be able to demonstrate compliance with the Procurement Section of the SPFM and the Construction Procurement Manual - if a construction and/or an infrastructure project.

3.5 Have you put all necessary arrangements in place to assess the realisation of benefits and capture lessons from the delivery of your project(s)?

Yes/No

 

Necessary arrangements include:

  • Capturing lessons learned to share feedback with SG’s Scottish Procurement and Commercial Directorate using Lessons Learned Templates.
  • Conducting on-going evaluation of your project throughout its life-cycle, including a Post Implementation Review (also known as a Post Occupancy Evaluation for construction and infrastructure projects).
  • Planning and undertaking a Post Project Evaluation for construction and/or infrastructure projects.
  • Planning and undertaking a Post Occupancy Evaluation for projects that deliver a building (e.g. an office, hospital, school).

4. Project Management

 

4.1 Has your area been responsible for delivering one or more projects - other than major investment projects – during the past financial year?

Yes/No

 

Projects covered in this section include non-capital projects such as policy delivery projects, business change projects or investment projects that would not meet the definition of major investment in the SPFM.

4.2 Did / does your project’s governance and process align with the SG’s strategic and sector specific procedures?

Yes/No

 

Arrangements must be put in place to address each of the SG’s PPM Principles. Information to help with this can be found in the Delivery Essentials.

The general principles set out in the Major Investment Projects section of the SPFM should be applied, as appropriate, to all investment projects.

5. Financial Management

5.1 Do you ensure that a documented business case has been prepared for any policy proposal and that your Finance Business Partner (or equivalent) and, as necessary, Internal Audit Division is involved at the earliest possible stage in the preparation of all policy proposals etc. which may have resource, control or other finance related implications and that they are kept informed of developments?

(Finance should also be consulted on any novel or contentious spending proposal and any matter which includes issues of financial propriety and regularity.)

Yes/No

 

Guidance on the Role Of Finance is available on the Intranet. The need to involve Finance might also be included in induction material and local desk instructions.

5.2 Do you have procedural instructions, cleared with Finance, about how financial matters are handled within the area, drawing as appropriate from the key principles of the SPFM?

Yes/No

 

Local desk instructions should be in place covering the arrangements for entering into commitments and for approving and processing the resultant payments, including VAT – and ensuring adequate separation of duties. Desk instructions may also cover other matters such as delegated authorities, budget monitoring procedures and the requirement to consult Finance on all proposals that may have resource or other finance related implications.

5.3 Do you have in place processes for regular monitoring of compliance with these instructions?

Yes/No

 

Monitoring of compliance might be achieved by regular management checks and the consideration of financial matters at regular meetings with your managers.

5.4 Do you delegate financial authority to staff at appropriate levels?

Yes/No

 

Delegated financial authority (i.e. where members of your staff have full responsibility for budgets and take decisions without having to refer upwards) will not be appropriate in many Divisions but where it is you should provide details of the broad arrangements e.g. set out in desk instructions, financial responsibility statements. This is separate from Delegated Purchasing Authority (DPA). The authority required to make and authorise payments etc within SEAS and the authority to purchase in EASEbuy are also separate authorities.

(General guidance on Delegated Authority is available in the SPFM. Guidance on the SG Scheme of Delegation is available on the Intranet.)

5.5 Is there adequate separation of duties where required (e.g. authorising and processing payments and receipts, awarding grants)?

Yes/No

 

Again this is separate from the authority required to make and authorise payments etc within SEAS or to purchase within EASEbuy. There may be concerns (e.g. within small units) where the rules on separation of duties cannot practically be achieved. In such circumstances the response should relate to whether the local arrangements (e.g. compensating controls) agreed with Finance are working satisfactorily.

(The requirement for appropriate separation of duties is included in a number of sections of the SPFM, notably those covering Expenditure and Payments and Income Receivable & Receipts.)

5.6 Are staff with financial duties aware of - and adequately trained to discharge - their responsibilities in that regard?

Yes/No

 

This covers all staff involved in the financial process. The amount of knowledge and training does, of course, need to be related to the part played by the individual in the financial process. Individual duties might be covered in desk instructions. All staff with responsibility for entering into contracts, raising purchase orders or issuing invoices etc. should have a knowledge of the rules relating to VAT and the ability to recover and/or charge VAT.

5.7 Do you have arrangements to ensure that all assets for which the area is responsible are properly managed and safeguarded (e.g. against unauthorised use or disposal)? Do you ensure that Finance (and Property where applicable) are informed of any changes to assets?

Yes/No

 

Only assets for which the area is responsible need to be considered here. This will include those assets on a locally maintained inventory of valuable and attractive items.

(Guidance on Property Management and Fraud is available in the SPFM.)

5.8 Do you have procedures for ensuring that proper and accurate accounting records are maintained and entries in them are properly authorised?

Yes/No

 

The response to this question needs to reflect both the provision of information needed for accounting purposes (e.g. the proper and timely entry of data into SEAS and/or EASEbuy) and for cash management purposes. The response should also take into account the controls in place within your area to ensure that only authorised personnel have access to the SEAS system.

(Guidance on SEAS and EASEbuy is available on the Intranet.)

5.9 Do you have measures in place to monitor the security and accuracy of financial information?

Yes/No

 

The response should reflect the measures that you have in place to ensure that the SEAS and EASEbuy (or any other financial) system contains accurate and up to date information. Measures might include periodic or regular management checks.

5.10 Do you have procedures in place for monitoring and reviewing those budgets for which you are responsible?

Yes/No

 

 

This question deals with the local arrangements within the area for monitoring and reviewing the administration cost and programme budgets. These might be linked to re-profiling exercises run by Finance. (Guidance on Budget and Financial Management is available on the Intranet.)

5.11 Are agreed budget plans documented and disseminated within your area?

Yes/No

 

The review of the regular financial reports needs to take account of both the review internally within the area as well as external reporting of outcomes and any remedial action required.

5.12 Do you regularly review internal financial reports which report actual against budget outturn and discuss progress with your Director or equivalent?

Yes/No

 

You will wish to consider here the mechanisms in place for communicating budgetary information both at the beginning of the year and changes made in-year whether at the time of formal monthly or quarterly reviews or at other times. This would also cover the transfer of funds between one area and another or between the centre and your area.

5.13 Do you ensure that the State Aid Unit is consulted on all proposals that may have state aid implications?

Yes/No

 

Guidance on the EC State Aid Rules is included in the SPFM. More detailed guidance is available from the State Aid Unit.

5.14 Do you ensure that any grant proposals and payments follow the relevant guidance in the SPFM?

Yes/No

 

The section of the SPFM on Grant & Grant in Aid includes references to checklists covering the grant proposal, application and assessment processes and a Model Offer and Conditions of Grant document. There is a separate Offer of Grant document for use in relation to grant funding provided to voluntary bodies to assist with their operational costs.

5.15 Is the number of staff authorised and trained to act as EASEbuy approvers consistent with your Division’s needs?

Yes/No

 

Staff who are authorised as EASEbuy approvers need to recognise the importance of the financial information being entered correctly. The amount of knowledge and training does, of course, need to be related to the part played by the individual in the financial process. Individual duties might be covered in desk instructions. Details of available training are provided on the Finance Training homepage.

5.16 Do you ensure that staff with Government Procurement Cards (GPCs) are fully trained to discharge their responsibilities and that there are processes to monitor compliance?

Yes/No

 

Monitoring of compliance might be achieved by regular management checks and the consideration of financial matters at regular meetings with your managers.

(Guidance on GPC is available on the Intranet.)

5.17 Do you ensure that staff are complying with the Purchase to Pay process to meet the 10 day payment commitment?

Yes/No

 

Relevant guidance in the Purchase to Pay section of the intranet must be brought to the attention of staff periodically and/or in reviewing training requirements.

6. Fraud

6.1 Are operational managers and other members of staff within your area aware of their responsibilities as set out in the Scottish Government Fraud Policy Statement?

Yes/No

 

Relevant guidance in the section on Fraud in the SPFM might be brought to the attention of staff periodically and / or in induction material.

6.2 Are any cases of suspected fraud within your area dealt with in accordance with the Scottish Government Fraud Response Plan?

Yes/No

 

Unless separate prescribed procedures are in place any suspicion of fraud (internal or external) should be reported to the SG Fraud Response Team via email or the Crimestoppers Hotline 08000 15 16 28.

7. Procurement

7.1 Do you ensure that the Scottish Procurement and Commercial Directorate (SPCD) is consulted from the earliest possible stage on any proposals that may involve procurement activity?

Yes/No

 

Guidance on the role of the Scottish Procurement and Commercial Directorate (SPCD), guidance on Buying Goods, Services or Works and the Security Questionnaire is available on the Intranet. The need to consult SPCD might be included in induction material and local desk instructions.

SPCD must be consulted on any novel or contentious spending proposal and any matter which includes issues of procurement propriety or regularity.

7.2 Do you have staff with Delegated Purchasing Authority (DPA) at appropriate levels?

Yes/No

 

It would be useful to know how many staff in your area have DPA. 

DPA is the authority to enter into a contract for goods, services and works and oversee the process leading up to and including the award of a contract and any subsequent contract changes. This is separate from financial authority and the authority to make purchases on EASEbuy.

(Guidance on DPA is available on the Intranet.)

7.3 Is all procurement activity within your area undertaken in accordance with the Procurement section of the SPFM?

Yes/No

 

Management checks on sample contracts / purchases should be carried out to ensure compliance with the relevant guidance.

See the Procurement section of the SPFM and the specific guidance on the operation of the Government Procurement Card and the EASEbuy System.

7.4 Does your area’s use of external consultants comply with the Scottish Government Consultancy Procedures?

Yes/No

 

Contracts for consultancy of up to £10K in value need to be approved at Deputy Director level. Consultancy contracts between £10K and £50K need to be approved at Director General level. Consultancy contracts above £50K must be authorised by the Cabinet Secretary for Infrastructure, Investment and Cities, and the Cabinet Secretary for Finance, Employment and Sustainable Growth. If there have been no such cases during the period then please provide a nil response.

Consultancy expenditure must be coded against the account codes stated in the Consultancy Procedures.

Management checks on consultancy expenditure on SEAS should be carried out to ensure approval was sought at the appropriate approval level prior to purchase.

7.5 Does your area maintain and report appropriate procurement management information including a contract register?

Yes/No

 

A contract register is required for all contracts for goods, services and works that have been placed in your area during the financial year. This is a key requirement as it underpins sound financial and contractual governance.

(Guidance on maintaining a contract register is available on the Intranet).

8. Human Resources

8.1 Have you considered workforce planning and development across your teams? 

Yes/No

 

SG People Strategy sets the context for people development.

Confidence levels will be shaped by activity such as:

  • working with your HR business partner to determine capacity, capability, succession planning requirements; supporting learning and development planning and activity

8.2 Do you have adequate processes for monitoring and managing the number and cost of all of your staff (whether paid from Administration or Programme budgets and whether permanent or temporary)?

Yes/No

 

The Resources Board take regular reports on workforce numbers and costs. At a business level you will want to be assured that you have effective processes in place to track and review spend and workforce numbers, particularly for those not paid via payroll or from programme budgets. Regular HR management information reports are provided to Directors.

8.3 Do you adhere to corporate processes regarding recruitment, absence management, flexible working hours, travel and subsistence and overtime?

Yes/No

 

Advice on recruitment, absence management, flexible working hours, travel and subsistence and overtime is available on Saltire or via the HR Helpdesk (ext. 48500, option 2).

8.4 Do you take action to improve employee engagement?

Yes/No

 

What evidence do you draw on to inform action, for example employee engagement surveys such as the People Survey?

9. Equality & Diversity

9.1 Are all new or revised policies/activities in your area assessed for their impact on equality groups and Equality Impact Assessment (EQIA) results published on the SG website within a reasonable period (as required by legislation)?

Yes/No

 

This question relates to the SG’s responsibilities under the statutory public sector equality duties. You are expected to ensure that new or revised policies and activities in your area are assessed for their impact on equality groups.

An EQIA process helps you to look at how your policy impacts on people because of their age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex and sexual orientation.

Guidance on EQIAs is available on Saltire.

9.2 Are support structures in place to enable staff to undertake and complete impact assessments?

Yes/No

 

You will want to consider what steps you have taken to ensure that your staff are able to and do use the SG's equality impact assessment guidance and toolkit. You will also want to consider what kind of support you are providing for your staff so that they are able to undertake and complete this process successfully. Please provide some detail about the support structures in place.

9.3 Do you have procedures in place to ensure that equality impact assessments have been completed for all relevant policies/activities?

Yes/No

 

You will want to consider whether you have a robust process in place to ensure that all new or revised policies are equality impact assessed and the results of these assessments published. The EQIA process should be started early in a policy development cycle, with the results of the assessment informing and shaping policy decisions. Appropriate monitoring arrangements should also be put in place. Please provide some detail about the support procedures in place.

9.4 Do you ensure that all staff have a meaningful diversity objective and have completed individual diversity monitoring information on e-HR?

Yes/No

 

All staff are required to have a Diversity Objective as part of the annual performance appraisal process. Examples of appropriate objectives are available on Saltire.

Diversity monitoring information can be completed by visiting the intranet page.

10. Information

10.1 Are your information assets registered on an Information Asset Register (IAR)?

Yes/No

 

Information assets are recorded on the corporate Information Asset Register (IAR).

Guidance can be found in the Information Asset Owner (IAO) Handbook and Saltire pages.

If your area does not have any assets then answer as to what you would do if you did (it is, however, very unlikely that a business area will have no assets – see guidance on “What is an Information Asset?” in the IAO Handbook).

10.2 Does your area expressly track information risks across the lifetime of your information assets?

Yes/No

 

SG policies and guidance on Information Risk are available on the Intranet. Compliance with this guidance ensures the SG fulfils its obligations to information assurance standards and legislative requirements. Information assets are recorded on the Information Asset Register (IAR).

Guidance can be found in the Information Asset Owner (IAO) Handbook and Saltire pages.

10.3 Can you confirm that information risk assessments have been carried out for all information assets?

Yes/No

 

Information risk assessments should be carried out as appropriate for the classification of the information asset; the restriction of access to information as appropriate; the training of staff in handling sensitive information; the management of processing of personal data; the impacts of loss or corruption of information; and so on. Such risk assessments should extend to procurements and shared services initiatives, and to all delivery partners, suppliers and contractors. Management and monitoring of supplier security and information assurance arrangements must take place.

Mandatory elearning packages (Data Protection and Responsible for Information) can be found on the intranet.

10.4 Are all significant roles in respect of information risk and personal data manned?

Yes/No

 

TORs for the mandatory roles in respect of managing information risk and personal data, including Senior Information Risk Owner (SIRO) and Information Asset Owners (IAOs), are in place. Staff are available to discharge these roles and have undergone or are undergoing appropriate training.

Guidance on mandatory roles can be found on the intranet.

Elearning packages for each role can also be found on the intranet.

10.5 Are access control mechanisms in place for each system?

Yes/No

 

Access control mechanisms for each system are documented by IAOs. Control mechanisms are in place for physical access and access to information. The locations of information assets are registered on the Information Asset Register.

10.6 Do you have processes in place for dealing with breaches of security / data handling incidents?

Yes/No

 

A process is in place to report, manage and recover from information risk incidents. Lessons have been learnt, and shared, from incidents (if any). Local managers have a responsibility to ensure that staff are aware of and comply with the relevant guidance, to initiate checks where non-compliance is suspected and to monitor suppliers. Managers have a responsibility to ensure that all staff and suppliers are aware of their responsibilities to safeguard Government information.

An IAO checklist for dealing with security incidents can be found on the intranet.

10.7 Have there been any breaches of security / data handling incidents during the financial year?

Yes/No

 

Please include brief details of how many; when; what were the circumstances; whether personal data was involved; was it reported; was it dealt with / resolved satisfactorily?

11. Health & Safety

11.1 Do you have appointed and trained health and safety duty holders to cover your area?

Yes/No

 

Duty holders (such as Health and Safety Liaison Officers (HSLOs), First Aiders, Fire Precautions Officers (where appropriate) and Fire Marshals) perform key health and safety functions which help managers discharge their own responsibilities.

11.2 Has the Risk Assessment procedure been implemented and reviewed as required within your area to ensure that significant risks are adequately controlled?

Yes/No

 

Risk Assessment Teams (appointed by Deputy Directors) to:

  • review and amend generic risk assessments, and generate new assessments as required
  • communicate findings to all affected staff
  • keep assessments under review

11.3 Do HSLOs in your area complete quarterly reports?

Yes/No

 

HSLOs should complete Quarterly Workplace Inspections in February, May, August and November, which provide information on their performance against key health and safety tasks from the Health and Safety Management System.

12. Sponsored Bodies

12.1 Is your area responsible for sponsoring any NDPBs or other bodies? (If not, please ignore the other questions in this section.)

Yes/No

 

Please complete for all of the bodies you sponsor answering each question separately and highlight key points of interest (good or bad).

Guidance can be found in the NDPB Sponsorship Guidance Notes. 

12.2 Is there an up to date framework document in place for each of your sponsored bodies, with appropriate arrangements in place to monitor adherence to the Framework Document?

Yes/No

 

You should be able to confirm that these are finalised or otherwise, that they are up to date, and were subject to proper consultation (including with your Finance Business Partner (or equivalent) and Internal Audit Division). Details of the steps taken to monitor these areas should also be provided.

Governance structures, processes, systems and controls should be in place to ensure robust financial management and monitoring, and compliance with the Scottish Public Finance Manual.

Guidance on the role of the sponsoring team is set out in the Model Framework Document for Executive NDPBs and is provided at Annex 3 of the Scottish Public Finance Manual (SPFM) section on Accountability.

12.3 Do the operations, business planning and objectives of the public body help to achieve the Scottish Government’s Purpose, National Outcomes and Programme for Government?

Yes/No

 

Supporting documents such as the corporate plan, business plan, and framework document should be in place to enable the sponsor team to develop a shared understanding of the joint priorities over the medium term to contribute towards delivery of the National Outcomes, and to ensure that individual bodies’ corporate communications and engagement strategies fully reflect these.

Further guidance on corporate and business plans can be found at Paragraphs 28 and 29 of the Model Framework Document for Executive NDPBs at Annex 3 of the section of the SPFM on Accountability.

12.4 Does your sponsored body have a well communicated fraud policy statement, an up-to-date fraud response plan and effective avenues for reporting suspicions of fraud?

Yes/No

 

Processes should be in place to ensure that policies for fraud response are consistent with SG guidance, including a review of current fraud response activity, whilst ensuring robust reporting procedures have been adopted by sponsored bodies.

Further information can be found in the Fraud section of the SPFM and the SG Counter Fraud Strategy, Policy and Response Plan.

12.5 Does the public body have a corporate procurement strategy, contract register and wave plan in place and does the public body have the appropriate range of skills and expertise to support the above?

Yes/No

 

You should be able to confirm that procurement is managed and that procurement processes are maintained and proportionate to the organisation’s spend. Further guidance can be found in the Procurement section of the SPFM, the Scottish Procurement Capability Team Knowledge Hub and The Procurement Journey.

12.6 Are you satisfied that business cases for ICT investment are compliant with the Office of the Chief Information Officer (CIO) ICT Assurance Framework, Digital Public Services priorities and shared service options before your sponsored body’s plans to invest proceed?

Yes/No

 

Systems should be in place to ensure all business cases are assessed.

Any proposals for IT investment over £1 million should be ratified through the Information Systems Investment Board.

Further advice can be found in the Central Government ICT Projects and Programmes Assurance Framework.

12.7 Is your sponsored body an exemplar as a Fair Work employer: demonstrating commitment to fairness, equality, youth employment, engagement and workforce development?

If your sponsored body is covered by the Scottish Public Finance Manual, does it comply with the oversight processes required for reporting to Parliament on the use of settlement agreements?

Yes/No

 

For example, you may wish to check if the body is an accredited Living Wage employer; has stretching targets for tackling youth employment (e.g. recruiting Modern Apprentices); runs an employee engagement survey and takes action on the results; works in positive partnership with trades unions.

Ensure that your body is adhering to the guidance, particularly on the use of confidentiality clauses.

More generally, ensure that your body is aware of the high level of transparency and oversight expected on voluntary severance schemes.

12.8 Does your sponsored body have succession plans in place for Chair and member appointments?

Yes/No

 

Ensure that your body is pursuing progress towards increasing the diversity of its board by making sure that there is a pool of interested potential applicants, that its board is seen as accessible and inclusive and that its succession planning is aligned with its strategic planning to ensure that there is a clear forward vision of the skills make-up the board may need to oversee forthcoming business. Plans may include:

  • offering opportunities such as shadowing, mentoring or ‘apprenticeship’ schemes to help potential applicants become ‘board ready’
  • establishing a nominations committee to oversee this work

12.9 Are you satisfied that your sponsored body has an up-to-date publication scheme and that it is sufficiently open and proactive in publishing information of interest to its stakeholders?

Yes/No

 

Ensure that policies have been adopted for open and proactive publication of relevant information, consistent with the Scottish Government’s policy of promoting openness and transparency.

13. Compliance

13.1 Do you have processes in place to ensure compliance with applicable existing, new and updated policies, procedures, laws and regulations – including those referred to separately in this Checklist e.g. the SPFM?

Yes/No

 

Processes might refer to desk instructions, local checklists, retention schedules and/or periodic management checks e.g. relating to the existence of statutory authority for expenditure and the holding / provision of information under the Data Protection and Freedom of Information Acts. The level of response should reflect the work of the Division.

(Guidance on Data Protection responsibilities and FOI is available on the Intranet.)

13.2 Do you have appropriate arrangements in place to ensure staff are appropriately trained and supported to handle FOI and EIR requests in line with legislative requirements?

Yes/No

 

 

13.3 Are your staff appropriately trained and aware of their Data Protection and information security responsibilities?

Yes/No

 

All staff should have successfully completed the annual DPA eLearning and Responsible for Information eLearning packages (please note: specific IAO training module).

They should have read and understood the relevant policies and guidance (such as DPA, IT Code of Conduct, Records Management). Local procedures should be in place and all staff should be aware of how to handle requests for personal data including Subject Access Requests as well as those made by 3rd parties and sharing agreements. (Guidance can be found on the Intranet: Subject Access Requests; IT Code of Conduct; Data Protection)

14. Review

14.1 Do you review regularly (at least annually) the effectiveness and efficiency of internal controls in your area?

Yes/No

 

You should be reviewing internal controls in your area at appropriate points in time e.g. when processes change or operational shortcomings come to light.

Has anything happened during the course of the financial year that has raised questions about the controls that you have in place? E.g. has the running of the regular financial monitoring exercises suggested any shortcomings? Have there been any particular queries that may lead to doubts about how the controls are operating?

(Guidance on internal controls is provided in the main section of the SPFM on Certificates of Assurance.)

14.2 Have you taken action to improve controls?

Yes/No

 

 

14.3 Have controls and risks in your area been subject to independent review (e.g. by Internal Audit) in the course of the year?

Yes/No

 

You should provide details of any key weaknesses identified and the steps taken to resolve these.

14.4 Has appropriate action been taken to implement agreed recommendations resulting from such reviews?

Yes/No

 

 

15. Other Issues

15.1 Apart from the issues raised above, are there any significant control matters arising in your area which could adversely affect the signing of the SG’s Governance Statement by the Perm Sec?

Yes/No

 

Provide here details of any other control problems, specific to your area of responsibility, which you have encountered during the year.