
Certificates of Assurance: Annex 2

INTERNAL CONTROL CHECKLIST

 

The contents of the internal control checklist are as follows:

Section

1 Risk Management
2 Business Planning
3 Major Investment
4 Project Management
5 Financial Management
6 Fraud
7 Procurement
8 Human Resources
9 Equality & Diversity
10 Information
11 Health & Safety
12 Sponsored Bodies
13 Compliance
14 Review
15 Other

ISSUE | RESPONSE | DETAILS, INCLUDING REVIEW WORK YOU HAVE CARRIED OUT TO VERIFY RESPONSE (MANDATORY) | GUIDANCE NOTE (WHERE APPLICABLE)

1. Risk Management

1.1 Do you have in place processes that seek to identify and record key business risks (linked to business objectives and targets) on an on-going basis?

Yes/No

 

This relates to the use of a structured process to manage business risk in line with the SPFM. This will be one that ensures the right people are involved in the process, and that each stage in the process is being actively recorded and managed. It will also be one that revisits the issues periodically to ensure that the assessments reflect current risks. An example of a structured process would be the maintenance of risk registers at divisional / branch / project level as considered appropriate.

(Guidance on the SG Approach to Risk Management is available on the Intranet. Information to help with this can be found in the Delivery Essentials. General guidance is through Risk Management on the SPFM.)

1.2 Is there a systematic approach to identify and prioritise risks and match them with effective resources?

Yes/No

 

 

1.3 Is risk management actively supported and promoted by branch heads and team leaders?

Yes/No

 

 

1.4 Do you receive reports on the management of key risks and control actions taken?

Yes/No

 

 

1.5 Has appropriate consideration been given to business continuity and disaster recovery for key systems (including ICT) upon which your operations depend?

Yes/No

 

Local response to the possible loss of corporate functions (e.g. SCOTS, SEAS, EASEbuy, and accommodation) might be considered in the context of divisional risk management procedures. Where local systems are in operation, including but not exclusively ICT systems, the Division has a responsibility to ensure that consideration has been given to continuity and recovery e.g. back-up discs. Out-stations may have arrangements with local businesses in event of loss of facilities.

(ISIS guidance on Business Continuity is available on the Intranet.)

2. Business Planning

2.1 Does your area have a business plan that contains clear business objectives and outcomes which clearly contribute to the achievement of higher level objectives and outcomes, and have these objectives and outcomes been translated into measurable targets against which performance and progress are measured?

Yes/No

 

Your business objectives / SMART targets should be reflected and documented in the Divisional Plan and performance appraisal forms at all levels.

Plans should be linked to the Directorate Planning process.

2.2 Have new and/or radically changed work programmes been referred to Finance, Procurement and/or Internal Audit for advice?

Yes/No

 

New initiatives or spend, or changed systems should normally be discussed with Finance, Procurement and Internal Audit colleagues before proposals are finalised.

For change initiatives managed as projects or programmes, section 3 (major projects) or 4 (projects) should be completed. The Approaches and methodologies toolkit provides some guidance on the difference between Business As Usual and projects.

In terms of undertaking change, the Improvement Framework is one of the main mechanisms underpinning the Scottish Government’s approach to Public Service Reform. Further guidance can be provided through the Leading Improvement Team.

(Guidance on the Role of Finance is available on the Intranet. General guidance on Procurement and Internal Audit is available in the SPFM.)

2.3 In developing targets, does the area identify performance measures which take account of inputs, outputs and outcomes?

Yes/No

 

This question seeks to find out if the relationship between inputs, outputs and outcomes is being applied in developing staff performance measures.

(Guidance on Performance Management is available on the Intranet)

2.4 Do you regularly receive timely, relevant and reliable reports on progress against targets and take corrective action where necessary?

Yes/No

 

This could take the form of regular reports prepared for consideration at progress meetings or updates provided in the context of regular meetings with managers. Corrective action might involve the reallocation of resources (budgets and staff) and the reordering of priorities.

3. Major Investment

3.1 Has your area been responsible for the initiation or delivery of one or more major investment projects during the past financial year? (If not, please ignore the other questions in this section)

Yes/No

 

Major investment projects are defined in the Major Investment Projects section of the Scottish Public Finance Manual (SPFM) but can also be defined as initiatives:

  • requiring spending over and above departmental expenditure limits

  • requiring primary legislation

  • being innovative or contentious

All Major Investment Projects must adhere to the guidance in the SPFM, and its key principles should be adopted in relation to all investment projects.

3.2 Do / did your project’s governance arrangements align with the Scottish Government’s strategic and sector specific governance procedures?

Yes/No

 

Relevant procedures include the following:

  • Declaring all new major projects to the PPM-CoE by means of the submission of a completed Risk Potential Assessment form (see 3.3).

  • Issuing the SRO with an appointment letter, confirming their responsibilities and the aims, objectives, timescales and funding arrangements for the project.

  • Putting arrangements in place to address each of the SG’s Programme and Project Management (PPM) Principles. Information to help with this can be found in Delivery Essentials

  • For construction and infrastructure projects, complying with the guidance in the Construction Procurement Manual. Further guidance and support is available from the Scottish Government’s Construction Procurement Policy Unit.

  • For IT and digitally enabled projects, registering the project with the Office of the Chief Information Officer and complying with the Technology Assurance Framework, including compliance with the Digital First Service Standard for new digital public services and Scottish Government corporate systems.

  • For Health Sector projects, complying with the guidance in the NHS Scotland Scottish Capital Investment Manual.

3.3 Have you assessed your project(s) in line with the SG’s assurance procedures and engaged with the appropriate assurance process?

Yes/No

 

Relevant procedures include the following:

  • Completing the Risk Potential Assessment Forms to determine the potential complexity of your project(s).

  • Submitting the completed RPA to the SG’s PPM Centre of Expertise for review of your project’s assurance needs.

  • Actively engaging with corporate assurance providers, taking advice on board and promptly acting on review recommendations.

  • Major projects over £20m in value, or of critical importance/unusual scale or nature to the procuring organisation, or revenue funded, or procured through competitive dialogue, may require Key Stage Reviews (KSRs) during key procurement stages. KSRs are undertaken by the Scottish Futures Trust.

3.4  Do you have an up-to-date case for change (e.g. business case) demonstrating continued strategic alignment, viability and value added, and providing business justification for each project?

Yes/No

 

Projects must be appraised in accordance with the Appraisal & Evaluation section of the SPFM. This must include clear links to strategic priorities, and an options appraisal supported by solid evidence that the chosen option provides the best commercial value. The five-case model provides a robust and accessible approach to project appraisal and business justification.

You must be able to demonstrate the on-going justification of the need for your project and should regularly review the case for change to ensure its currency.

For projects including a procurement element, you must also be able to demonstrate compliance with the Procurement Section of the SPFM.

For construction and/or an infrastructure project, you must be able to demonstrate compliance with the Construction Procurement Manual. Further guidance and support is available from the Scottish Government’s Construction Procurement Policy Unit.

3.5 Have you assessed your capability and capacity to deliver your project(s) and are you aware of when you need specialist resources and how to secure the specialist resource?

Yes/No

 

Clear roles and responsibilities should be assigned and levels of delegated authority should be clearly defined.

You should ensure that people appointed to positions within the project’s governance and management structure have the skills, experience and knowledge necessary to fulfil their role, using existing performance management and PLP arrangements in accordance with question 8.1.

Internal and external specialist resources required for the successful delivery of the project should be identified and secured at planning stage. For consultants, you must comply with the Scottish Government Consultancy Procedures in accordance with question 7.4.

3.6 Have you put all necessary arrangements in place to assess the realisation of benefits and capture lessons from the delivery of your project(s)?

Yes/No

 

Necessary arrangements include:

Ensuring that benefits are identified, plans for the realisation of benefits are put in place, and delivery of benefits is measured to demonstrate that the intended return on investment is being achieved. The IPA has published a “Guide on Effective Benefits Management in Major Projects”.

Capturing lessons during the project lifecycle and sharing as appropriate.  The Lessons Toolkit provides some guidance on how to capture lessons.

As part of the OGC Gateway Review 5, Operations Reviews and Benefits Realisation guidance for Senior Responsible Owners, ensuring that:

A Post Project Review to establish how well the project was managed is carried out.

Post Implementation Reviews (also known as Post Occupancy Reviews for construction projects) to establish if the original project objectives are being achieved are carried out.  This review is likely to be repeated.

All feedback is used to inform future project delivery.

4. Project Management

4.1 Has your area been responsible for one or more projects - other than major investment projects – during the past financial year?

Yes/No

 

This section covers all projects not included in the SPFM definition of a “major project”, including non-capital projects such as new policy delivery, changes to existing policy and business change projects.

The Approaches and methodologies toolkit provides some guidance on the difference between business as usual and projects.

4.2 Did/do your project’s governance arrangements align with the Scottish Government’s strategic and sector specific procedures?

Yes/No

 

The general principles set out in the Major Investment Projects section of the SPFM should be applied proportionately, as appropriate, to all investment projects.

Relevant procedures include:

For Health Sector projects, complying with the guidance in the NHS Scotland Scottish Capital Investment Manual.

4.3 Have you assessed your project(s) in line with the Scottish Government assurance procedures and engaged with the appropriate assurance process?

Yes/No

 

Relevant procedures include the following options:

Completing the Risk Potential Assessment Forms to determine the potential complexity and risk of your project(s).

Submitting the completed RPA to the SG’s PPM Centre of Expertise.

4.4  Do you have an up-to-date case for change (e.g. business case) demonstrating continued strategic alignment, viability and value added, and providing business justification for each project?

Yes/No

 

Projects must be appraised in accordance with the Appraisal & Evaluation section of the SPFM. This must include clear links to strategic priorities, and an options appraisal supported by solid evidence that the chosen option provides the best commercial value. The five-case model provides a robust and accessible approach to project appraisal and business justification.

  • You must be able to demonstrate the on-going justification of the need for your project and should regularly review the case for change to ensure its currency.

  • For projects including a procurement element, you must also be able to demonstrate compliance with the Procurement Section of the SPFM.

  • For construction and/or an infrastructure project, you must be able to demonstrate compliance with the Construction Procurement Manual. Further guidance and support is available from the Scottish Government’s Construction Procurement Policy Unit.

4.5 Have you assessed your capability and capacity to deliver your project(s) and are you aware of when you need specialist resources and how to secure the specialist resource?

Yes/No

 

Clear roles and responsibilities should be assigned and levels of delegated authority should be clearly defined.

You should ensure that people appointed to positions within the project’s governance and management structure have the skills, experience and knowledge necessary to fulfil their role, using existing performance management and PLP arrangements in accordance with question 8.1.

Internal and external specialist resources required for the successful delivery of the project should be identified and secured at planning stage. For consultants, you must comply with the Scottish Government Consultancy Procedures in accordance with question 7.4.

4.6 Have you put all necessary arrangements in place to assess the realisation of benefits and capture lessons from the delivery of your project(s)?

Yes/No

 

Recommended arrangements include:

Ensuring that benefits are identified, plans for the realisation of benefits are put in place, and delivery of benefits is measured to demonstrate that the intended return on investment is being achieved. The IPA has published a “Guide on Effective Benefits Management in Major Projects”, which should be applied in a proportionate way.

Capturing lessons during the project lifecycle and sharing as appropriate.  The Lessons Toolkit provides some guidance on how to capture lessons.

Conducting an End of Project Evaluation Review, including the review and handover of benefits identified in the business case to an accountable owner.

5. Financial Management

5.1 Do you ensure that a documented business case has been prepared for any policy proposal? Do you ensure that your Finance Business Partner (or equivalent) and, as necessary, Internal Audit Division is involved at the earliest possible stage in the preparation of all policy proposals etc. which may have resource, control or other finance related implications and that they are kept informed of developments?

Yes/No

 

Finance should also be consulted on any novel or contentious spending proposal and any matter which includes issues of financial propriety and regularity. Further guidance on the Role of Finance is available on the Intranet. The need to consult Finance might also be included in induction material and local desk instructions.

5.2 Do you have procedural instructions, cleared with Finance, about how financial matters are handled within the area and are processes in place for regular monitoring of compliance with these instructions?

Yes/No

 

Local desk instructions should be drawn, as appropriate, from the key principles of the SPFM. Instructions should be in place covering the arrangements for entering into commitments and for approving and processing the resultant payments, including VAT – and ensuring adequate separation of duties. This may also cover other matters such as delegated authorities, budget monitoring procedures and the requirement to consult Finance on all proposals that may have resource or other finance related implications.

Monitoring of compliance should be supported by regular management checks and the consideration of financial matters at regular meetings with your managers.

5.3 Do you delegate financial authority to staff at appropriate levels?

Yes/No

 

Delegated financial authority (i.e. where members of your staff have full responsibility for budgets and take decisions without having to refer upwards) will not be appropriate in many Divisions but where it is you should provide details of the broad arrangements e.g. set out in desk instructions, financial responsibility statements. This is separate from Delegated Purchasing Authority (DPA). The authority required to make and authorise payments etc within SEAS and the authority to purchase in EASEbuy are also separate authorities.

(General guidance on Delegated Authority is available in the SPFM. Guidance on the Scheme of Delegation is available on the Intranet.)

5.4 Is there adequate separation of duties where required and are staff with these duties adequately trained to discharge their responsibilities in that regard?

Yes/No

 

This should apply to activities such as authorising and processing payments and receipts or awarding grants. There may be concerns (e.g. within small units) where the rules on separation of duties cannot practically be achieved. In such circumstances the response should relate to whether the local arrangements (e.g. compensating controls) agreed with Finance are working satisfactorily.

(The requirement for appropriate separation of duties is included in a number of sections of the SPFM, notably those covering Expenditure and Payments and Income Receivable & Receipts.) This covers all staff involved in the financial process. The level of knowledge and training should be related to the part played by the individual in the financial process. Individual duties should be covered in desk instructions. All staff with responsibility for entering into contracts, raising purchase orders or issuing invoices etc. should have a knowledge of the rules relating to VAT and the ability to recover and or charge VAT.

Note that this is separate from the authority required to make and authorise payments within SEAS or to purchase within EASEbuy.

5.5 Do you have arrangements to ensure that all assets for which the area is responsible are properly managed and safeguarded? Do you ensure that Finance (and Property where applicable) are informed of any changes to assets?

Yes/No

 

Only assets for which the area is responsible need to be considered here. This will include those assets on a locally maintained inventory of valuable and attractive items. The response should consider safeguards such as those against unauthorised use or disposal.

(Guidance on Property Management and Fraud is available in the SPFM.)

Capitalised expenditure (PPE and Intangibles) must meet the approved corporate thresholds and definitions, and be supported by Asset Addition forms.  Any disposal of previously capitalised assets should be recorded correctly in SEAS and supported by Asset Disposal forms.  Further guidance is available from your Finance Business Partner and via Saltire.

5.6 Do you have effective arrangements in place to ensure that you are managing and monitoring any money due to the Scottish Government and that it is collected within reasonable timescales?

Yes/No

 

Further detail on Debt recovery can be found in the Income receivable and receipts section of the SPFM

5.7 Do you have procedures for ensuring that proper and accurate accounting records are maintained and entries in them are properly authorised?

Yes/No

 

The response to this question needs to reflect both the provision of information needed for accounting purposes (e.g. the proper and timely entry of data into SEAS and/or EASEbuy) and for cash management purposes. The response should also take into account the controls in place within your area to ensure that only authorised personnel have access to the SEAS system.

(Guidance on SEAS and EASEbuy is available on the Intranet.)

5.8 Do you have procedures in place for effective monitoring and reviewing of financial information and budgets for which you are responsible?

Yes/No

 

The response should reflect the following:

  • Measures to ensure that financial systems contain accurate and up to date information;
  • Measures to monitor the security of financial information; and
  • Local arrangements for monitoring and reviewing administration costs and programme budgets.

Measures should include regular management checks. Arrangements for reviewing budgets should be consistent with re-profiling information returned to Finance. (Guidance on Budget and Financial Management is available on the Intranet.)

5.9 Are agreed budget plans documented and disseminated within your area?

Yes/No

 

You will wish to consider here the mechanisms in place for communicating budgetary information both at the beginning of the year and changes made in-year, whether at the time of formal monthly or quarterly reviews or at other times. This would also cover the transfer of funds between one area and another or between the centre and your area.

5.10 Do you regularly review internal financial reports which report actual against budget outturn and discuss progress with your Director or equivalent?

Yes/No

 

The review of the regular financial reports needs to take account of both the review internally within the area as well as external reporting of outcomes and any remedial action required.

5.11 Do you ensure that the State Aid Unit is consulted on all proposals that may have state aid implications?

Yes/No

 

Guidance on the EC State Aid Rules is included in the SPFM. More detailed guidance is available from the State Aid Unit.

5.12 Do you ensure that any grant proposals and payments follow the relevant guidance in the SPFM?

Yes/No

 

The section of the SPFM on Grant & Grant in Aid includes references to checklists covering the grant proposal, application and assessment processes and a Model Offer Grant Letter document. There is a separate Offer of Grant document for use in relation to grant funding provided to voluntary bodies to assist with their operational costs.

6. Fraud

6.1 Are operational managers and other members of staff within your area aware of their responsibilities as set out in the Scottish Government Fraud Policy Statement?

Yes/No

 

Relevant guidance in the section on Fraud in the SPFM might be brought to the attention of staff periodically and / or in induction material.

6.2 Are any cases of suspected fraud within your area dealt with in accordance with the Scottish Government Fraud Action Plan?

Yes/No

 

Unless separate prescribed procedures are in place any suspicion of fraud (internal or external) should be reported to the SG Governance and Risk Team via email or the Crimestoppers Hotline 08000 15 16 28.

7. Procurement

7.1 Do you ensure that the Scottish Procurement and Commercial Directorate (SPCD) are consulted from the earliest possible stage on any proposals that may involve procurement activity?

Yes/No

 

Guidance on the role of the Scottish Procurement and Commercial Directorate (SPCD), guidance on Buying Goods, Services or Works and the Security Questionnaire is available on the Intranet. The need to consult SPCD might be included in induction material and local desk instructions.

SPCD must be consulted on any novel or contentious spending proposal and any matter which includes issues of procurement propriety or regularity.

7.2  Do you have staff with Delegated Purchasing Authority (DPA) at appropriate levels?

Yes/No

 

DPA is the authority granted by the Director of Procurement, on a personal basis, permitting permanent SG members of staff to enter into a contract for goods, services and works and to oversee the process leading up to and including the award of a contract and any subsequent contract changes on behalf of the Scottish Ministers. This is separate from financial authority and from the authority to make purchases on EASEbuy.

Please confirm how many staff in your area have DPA. 

(Guidance on DPA is available on the Intranet).

7.3 Is all procurement activity within your area undertaken in accordance with the Procurement Policy Manual?

Yes/No

 

Evidence should be provided by staff with DPA to assure Division Heads that all procurement activity has been conducted in accordance with the Procurement Policy Manual. Specific guidance is available on the operation of the electronic Purchasing Card and the EASEbuy system.

7.4 Does your area’s use of external consultants comply with the Scottish Government Consultancy Procedures?

Yes/No

 

Contracts for consultancy of up to £10K in value need to be approved at Deputy Director level. Consultancy contracts between £10K and £50K need to be approved at Director General level. Consultancy contracts above £50K must be authorised by the Cabinet Secretary for Infrastructure, Investment and Cities, and the Cabinet Secretary for Finance, Employment and Sustainable Growth. If there have been no such cases during the period then please provide a nil response.

Consultancy expenditure must be coded against the account codes stated in the Consultancy Procedures.

Management checks on consultancy expenditure on SEAS should be carried out to ensure approval was sought at the appropriate approval level prior to purchase.

7.5 Is the number of staff authorised and trained to act as EASEbuy approvers consistent with your Division’s needs?

Yes/No

 

Staff who are authorised as EASEbuy approvers need to recognise the importance of the financial information being entered correctly. The amount of knowledge and training does, of course, need to be related to the part played by the individual in the financial process. Individual duties might be covered in desk instructions. Details of available training are provided on the EASEbuy training page.

7.6 Do you ensure that staff with electronic Purchasing Cards (ePCs) are fully trained to discharge their responsibilities and that there are processes to monitor compliance?

Yes/No

 

Monitoring of compliance might be achieved by regular management checks and the consideration of financial matters at regular meetings with your managers.

(Guidance on ePC is available on the Intranet.)

7.7 Do you ensure that staff are complying with the prompt payment of suppliers process to meet the 10 day payment commitment?

Yes/No

 

Relevant guidance regarding the prompt payment of suppliers policy must be brought to the attention of staff periodically and/or in reviewing training requirements.

7.8 Do you have in place appropriate arrangements in your area to ensure effective contract management enabling delivery of both technical and commercial requirements?

Yes/No

 

Staff managing contracts should have the knowledge and skills to deliver both the technical and commercial conditions of the contract. Staff can seek guidance or arrange for Contract Management services to be delivered by the SPCD Contract Management Team. Additional guidance is also available on the Procurement Journey.

8. Human Resources

8.1 Do you have workforce and resourcing plans that enable you to match resources to priorities, and do they support increased diversity?

Yes/No

 

The SG People Strategy sets the context for people management and development, helping to ensure we have the right people in the right place.

Confidence levels will be shaped by activity such as:

  • effective processes to monitor and manage workforce numbers and cost
  • identifying any single points of failure and establishing a response (i.e. succession planning)
  • adherence to corporate processes regarding recruitment
  • actions to increase diversity through recruitment and succession planning

What evidence do you draw on to inform action (e.g. Workforce planning returns (BUD1), People and Finance metrics, diversity monitoring information on eHR)?

 

8.2 Do you have processes in place to develop staff and increase capability to support diverse, high performing teams?

 

Yes/No

 

The People Strategy sets the context for people management and development, helping to ensure we have the right skills now and for the future.

Confidence levels will be shaped by activity such as:

  • having personal and divisional learning/capability plans reflecting corporate priorities, local business needs and the diverse needs of your workforce

  • effective processes for identifying and developing talent

  • ensuring that the application of best People Management practice is highly valued, supported and openly recognised

  • adherence to corporate processes regarding performance management (i.e. monthly conversations and development discussions)

What evidence do you draw on to inform action (e.g. corporate guidance on the most effective learning approaches, such as 70/20/10)?

8.3 Are line managers at all levels skilled in managing performance and supporting the wellbeing of their staff?

 

Yes/No

 

The People Strategy sets the context for people management and development, helping to ensure a workplace culture for individuals to bring their whole selves to work, to thrive and be successful.

Confidence levels will be shaped by activity such as:

  • on-time completion and recording of performance appraisals

  • role modelling of the Civil Service Code, inclusive leadership (SCS Leadership Statement) and the People Strategy behaviours and ways of working at all levels

  • adhering to corporate processes regarding attendance management, conduct and performance management (guidance for SCS)

  • adhering to fairness at work policy and signposting wellbeing support services

  • management and leadership learning and development support

  • using MI to identify and take action where absence rates or reasons raise concern

  • having in place, and effectively assessing, meaningful diversity objectives at all levels

  • adhering to flexible working policy

  • implementing reasonable adjustments to enable disabled people to fulfil their potential

  • having high diversity declaration rates and analysing and using the information effectively to advance diversity and inclusion

What evidence do you draw on to inform action (e.g. People Survey results, Directors’ MI pack, Attendance Management Monthly Reports)?

9. Equality and Diversity

9.1 Are all new or revised policies/activities/projects in your area assessed for their impact on equality groups and Equality Impact Assessment (EQIA) results published on the SG website within a reasonable period (as required by legislation)?

 

Yes/No

 

This question relates to the SG’s responsibilities under the statutory public sector equality duties. You are expected to ensure that new or revised policies and activities in your area are assessed for their impact on equality groups.

An EQIA process helps you to look at how your policy impacts on people because of their age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex and sexual orientation. Guidance on EQIAs is available on Saltire.

9.2 Do you have support structures in place in your division to enable staff to undertake and complete equality impact assessments?

Yes/No

 

You will want to consider what steps you have taken to ensure that your staff are able to, and do, use the SG's equality impact assessment guidance and toolkit. You will also want to consider what kind of support you are providing for your staff so that they are able to undertake and complete this process successfully. Please provide some detail about the support structures in place.

9.3 Do you have procedures in place to ensure that equality impact assessments have been completed for all relevant policies/activities?

Yes/No

 

You will want to consider whether you have a robust process in place to ensure that all new or revised policies are equality impact assessed and the results of these assessments published. The EQIA process should be started early in a policy development cycle, with the results of the assessment informing and shaping policy decisions. Appropriate monitoring arrangements should also be put in place. Please provide some detail about the procedures in place.

10. Information

10.1 Are all significant roles in respect of information risk and personal data filled?

Yes/No

 

Terms of Reference (TORs) for the mandatory roles in respect of managing information risk and personal data, including the Senior Information Risk Owner (SIRO) and Information Asset Owners (IAOs), are in place. Staff are available to discharge these roles and have undergone or are undergoing appropriate training. For core SG the SIRO is DG Communities; non-core bodies will have their own SIRO.

Guidance on mandatory roles can be found on the intranet.

Mandatory eLearning packages (Data Protection and Responsible for Information) can be found on the intranet.

 

10.2 Has your division made the necessary assessment and any changes required to comply with new data protection legislation?

Yes/No

 

The General Data Protection Regulation and Data Protection Act 2018 come into force in May 2018. All organisations must be well advanced in their compliance activities. Have you:

- registered your information assets that contain personal data, and reviewed your existing assets

- reviewed the legal basis for any personal data processing

- updated any privacy notices

- updated any contracts with third parties that include personal data processing

- documented any personal data sharing in a data sharing agreement

- conducted a Data Protection Impact Assessment (aka Privacy Impact Assessment) where required

- made sure your staff know what to do if a security incident involving personal data takes place

- identified any personal data processing covered by the Law Enforcement Directive?

10.3 Are access control mechanisms in place for each system?

Yes/No

 

Access control mechanisms for each system are documented by IAOs. Control mechanisms are in place for physical access and for access to information. The locations of information assets are registered on the Information Asset Register.

10.4 Do you have processes in place for dealing with breaches of security / data handling incidents?

Yes/No

 

IAOs are aware of and follow the corporate process in place to report, manage and recover from information risk incidents. Lessons have been learnt, and shared, from incidents (if any). Local managers have a responsibility to ensure that staff are aware of and comply with the relevant guidance, to initiate checks where non-compliance is suspected and to monitor suppliers. Managers have a responsibility to ensure that all staff and suppliers are aware of their responsibilities to safeguard Government information.

An IAO checklist for dealing with security incidents can be found on the intranet.

10.5 Have there been any breaches of security / data handling incidents during the financial year?

Yes/No

 

Please include brief details of how many; when; what were the circumstances; whether personal data was involved; was it reported to Cyber Defence and Integrated Security (CDIS); was it dealt with / resolved satisfactorily? For example, answer YES if you have had a data breach which was reported and resolved to your satisfaction. An IAO checklist for dealing with security incidents can be found on the intranet.

10.6 Do you have any Information Assets in your area?

Yes/No

 

IAOs (usually Deputy Directors) are responsible for ensuring that their information assets are recorded on the corporate Information Asset Register (IAR).

Guidance can be found on the IAR pages on Saltire.

See guidance on “What is an Information Asset?” in the IAO Handbook.

10.7 Are your information assets registered on an Information Asset Register (IAR)?

Yes/No

 

IAOs (usually Deputy Directors) are responsible for ensuring that their information assets are recorded on the corporate Information Asset Register (IAR).

Guidance can be found on the IAR pages on Saltire.

See guidance on “What is an Information Asset?” in the IAO Handbook.

10.8 Does your area expressly track information risks across the lifetime of your information assets?

Yes/No

 

IAOs are required to ensure that, where appropriate, risk assessments are carried out against their information assets for the duration of each asset's lifespan. Risk management assessments should be developed in line with the SG Risk Appetite. Risk assessments should extend to procurements and shared services, and consider third parties, delivery partners, suppliers and contractors. Additional guidance can be found on Saltire.

Further guidance on Information Risk is also available on the Intranet. Compliance with this guidance ensures the SG fulfils its obligations to information assurance standards and legislative requirements. Information assets are recorded on the Information Asset Register.

For further assistance, contact the Security and Information Risk team.

10.9 Can you confirm that information risk assessments have been carried out for all information assets?

Yes/No

 

Information risk assessments should be carried out as appropriate for the classification of the information asset; the restriction of access to information as appropriate; the training of staff in handling sensitive information; the management of processing of personal data; the impacts of loss or corruption of information; and so on. Such risk assessments should extend to procurements and shared services initiatives, and to all delivery partners, suppliers and contractors. Management and monitoring of supplier security and information assurance arrangements must take place.

Mandatory eLearning packages (Data Protection and Responsible for Information) can be found on the intranet.

11. Health and Safety

11.1 Do you have appointed and trained health and safety duty holders to cover your area?

Yes/No

 

Duty holders (such as Health and Safety Liaison Officers (HSLOs), First Aiders, Fire Precautions Officers (where appropriate) and Fire Marshals) perform key health and safety functions which help managers discharge their own responsibilities.

11.2 Has the Risk Assessment procedure been implemented and reviewed as required within your area to ensure that significant risks are adequately controlled?

Yes/No

 

Risk Assessment Teams (appointed by Deputy Directors) to:

  • review and amend generic risk assessments, and generate new assessments as required
  • communicate findings to all affected staff
  • keep assessments under review

11.3 Do HSLOs in your area complete quarterly reports?

Yes/No

 

HSLOs should complete Quarterly Workplace Inspections in February, May, August and November, which provide information on their performance against key health and safety tasks from the Health and Safety Management System.

12. Sponsored Bodies

12.1 Non Departmental Public Bodies - Is your area responsible for sponsoring any NDPBs or other bodies? (If not, please ignore the other questions in this section.)

Yes/No

 

Please complete for all of the bodies you sponsor answering each question separately and highlight key points of interest (good or bad).

Guidance can be found in the NDPB Sponsorship Guidance Notes. A list of public bodies in Scotland is available on the National Public Bodies Directory.

12.2 National Outcomes - Do the operations, business planning and objectives of the public body help to achieve the Scottish Government’s Purpose, National Outcomes and Programme for Government?

Yes/No

 

Supporting documents such as the corporate plan, business plan, and framework document should be in place to enable the sponsor team to develop a shared understanding of the joint priorities over the medium term to contribute towards delivery of the National Outcomes, and to ensure that individual bodies’ corporate communications and engagement strategies fully reflect these.

Further guidance on corporate and business plans can be found at Paragraphs 28 and 29 of the Model Framework Document for Executive NDPBs at Annex 3 of the section of the SPFM on Accountability.

12.3 Framework Documents - Is there an up to date Framework Document in place, and published, with your sponsored body, with appropriate arrangements in place to monitor adherence to this?

Yes/No

 

You should be able to confirm that Framework Documents are finalised or otherwise, that they are up to date, and were subject to proper consultation (including with Public Bodies Unit, your Finance Business Partner (or equivalent) and Internal Audit Division). Details of the steps taken to monitor these areas should also be provided.

Governance structures, processes, systems and controls should be in place to ensure robust financial management and monitoring, and compliance with the Scottish Public Finance Manual.

Guidance on the role of the sponsoring team is set out in the Model Framework Document for Executive NDPBs and is provided at Annex 3 of the Scottish Public Finance Manual section on Accountability.

12.4 Effective Boards - Are you assured that the Board of your sponsored body is undertaking its functions effectively?

Yes/No

 

The four main functions of public body Boards are: to ensure that the body delivers its functions in accordance with Ministers’ policies and priorities; to provide strategic leadership; to ensure financial stewardship; and to hold the Chief Executive and senior management team to account. Boards play a vital role in the accountability chain and therefore it is essential that they have the capability and capacity to perform their functions effectively.

12.5 Effective Boards – Has your sponsored body undertaken succession planning as per the guidance notes, for its Chair and board members?

Yes/No

 

The purpose of succession planning is to deliver highly effective, diverse Boards.

In relation to Board diversity and succession planning we mean two distinct, but related, concepts: diversity of members’ skills, experience, knowledge and other relevant attributes, such as personal values; and diversity of members in relation to their protected characteristics as defined by the Equality Act 2010.

Although the Scottish Ministers are ultimately responsible for making most Board appointments, public bodies should ensure that, when Chair or Board positions do arise, they are prepared to maximise opportunities to attract candidates that meet the body’s needs.

For example they can:

  • develop a thorough understanding of the current skills in the board and the skills needed in the board for the future, within the context of the public body’s strategic plan and the board’s role, and map this out; consider this against a timeline of when individual board members' and chairs' appointments come to an end or are up for renewal

  • have a designated person in the board, or a nominations committee, taking the lead on appointments to the board, including on providing opportunities for potential board members outwith appointment rounds; consider seeking assistance from a senior person (such as an HR professional) in the public body

  • take specific and measurable actions to attract the broadest range of candidates to the work of the Board

See the Succession Planning Guidance for Public Body Boards (as published in February 2017).

12.6 Relationships – Are arrangements in place to support strong, strategic relationships with the public body to ensure effective collaboration in delivering business/corporate plans?

Yes/No

 

Sponsorship should always be considered a strategic activity, based on strong relationships characterised by openness, trust, respect and mutual support. The objective is to find ways of working with bodies that engage and empower them in a shared vision and understanding of the strategic environment, while ensuring proportionate arrangements are in place to safeguard public funds and incentivise performance.

It would be helpful if Sponsor Teams could provide some information, commenting specifically on their experiences from adopting this approach to sponsorship.

12.7 Finance – Does your sponsored body demonstrate financial capability by providing accurate and timely financial monitoring and forecasting information to the Scottish Government?

Yes/No

 

Evidence of a body’s financial capability will be provided through activity such as: external audits, CIPFA capability assessments and financial monitoring/forecasting.

It is essential that public bodies provide accurate financial monitoring and forecasting information to the SG as part of the overall management of the Scottish Budget.

12.8 Fair Work - Is your sponsored body an exemplar as a Fair Work employer: demonstrating commitment to fairness through being an accredited Living Wage employer, promoting equality, youth employment, engagement and workforce development, and working to deliver the Fair Work Convention’s Fair Work Framework?

Yes/No

 

For example, you may wish to check whether the body is an accredited Living Wage employer; whether it has an Invest in Youth plan with stretching targets to recruit and develop young people (e.g. recruiting Modern Apprentices); whether it runs an employee engagement survey and takes action on the results; and whether it works in positive partnership with trades unions. How have you used procurement policies to encourage the Living Wage and youth employment in your supply chain?

The Equality Action Plan for Modern Apprenticeships aims to ensure that our Apprenticeship family is open to all in our society. You should look to provide some detailed examples of how your sponsored body (as an employer) is taking action to tackle equality issues, and any steps it has taken to register as a Living Wage and/or Carer Positive employer.

Please provide information which will highlight the actions your sponsored body has been taking to support Youth Employment.

12.9 Assurance - Has your sponsored body engaged with the appropriate authority and recorded all relevant projects with the appropriate authority?

Yes/No

 

Systems should be in place to ensure all business cases are assessed.

For all Major Investment Projects as defined in the Scottish Public Finance Manual:

A Risk Potential Assessment Form should be completed and submitted to the SG’s PPM Centre of Expertise

For investment in projects containing IT or digital elements:

The ICT Investment Checklist and Integrated Assurance and Approval Plans should be completed for projects by your sponsored body.

Projects should be registered on the Project Register, held by the Office of the Chief Information Officer.

Further advice can be found on the Technology Assurance Framework or by emailing OCIOAssurance@gov.scot.

For construction and infrastructure projects:

Projects should be registered on the SG’s Infrastructure Projects Database once they have reached Outline Business Case stage and have a capital budget of £5M+ (inclusive of VAT).

12.10 Fraud - Does your sponsored body have effective arrangements to counter fraud, bribery and corruption through a well communicated counter fraud policy, an up-to-date fraud action plan and effective avenues for reporting suspicions of fraud?

Yes/No

 

Processes should be in place to ensure that policies for fraud response are consistent with SG guidance, including a review of current fraud response activity, whilst ensuring robust reporting procedures have been adopted by sponsored bodies.

Further information can be found in the Fraud section of the SPFM, the SG Counter Fraud Strategy, Policy and Response Plan, and the Protecting Public Resources guidance.

12.11 Procurement - Does your sponsored body ensure that procurement processes are maintained, proportionate to the organisation’s spend and compliant with current legislation, including increasing contracting with the involvement of small and medium enterprises, third sector bodies and supported businesses in procurement exercises?

Yes/No

 

Further guidance can be found in the Procurement section of the SPFM and in the Procurement Journey and Central Government Procurement Competency Framework, which can be accessed on the Scottish Procurement Capability Team Knowledge Hub.

Organisations that meet the financial thresholds of the Procurement Reform Act should be developing their first Annual Procurement Report, which requires to be published and Scottish Ministers notified as soon as possible after 31 March 2018.

12.12 Procurement - Does your sponsored body ensure that staff have the appropriate range of skills and expertise to manage its commercial and procurement activity?

Yes/No

 

 

13. Compliance

13.1 Do you have processes in place to ensure compliance with applicable existing, new and updated policies, procedures, laws and regulations – including those referred to separately in this Checklist e.g. the SPFM?

Yes/No

 

Processes might refer to desk instructions, local checklists, retention schedules and/or periodic management checks e.g. relating to the existence of statutory authority for expenditure and the holding / provision of information under the Data Protection and Freedom of Information Acts. The level of response should reflect the work of the Division.

(Guidance on Data Protection responsibilities and FOI is available on the Intranet.)

13.2 Do you have appropriate arrangements in place to ensure staff are appropriately trained and supported to handle FOI and EIR requests in line with legislative requirements?

Yes/No

 

 

13.3 Are your staff appropriately trained and aware of their Data Protection and information security responsibilities?

Yes/No

 

IAOs must ensure that their staff successfully complete the mandatory eLearning packages (Data Protection and Responsible for Information). (Please note: there is a specific IAO training module.)

All staff should have read and understood the relevant policies and guidance (such as DPA, IT Code of Conduct, and Records Management). All staff should be aware of how to handle requests for personal data, from individuals (Subject Access Requests) as well as from third parties, and of when a Data Sharing Agreement is appropriate. (Guidance can be found on the Intranet: Subject Access Requests; Conduct; Data Protection.)

13.4 How confident are you that your staff are aware of the cyber threats pertinent to your business? Are you and your staff taking all required actions to safeguard your information assets and the corporate infrastructure? Are any risks of attack known, understood and formally accepted?

Yes/No

 

Staff need to be aware of the main cyber risks and be taking action to mitigate the risk of a cyber incident.

Staff have to be aware of, and be minimising, their cyber risk in the following areas: password protection; building access; social media; workspace (desk area, computer/laptop); remote working, meaning anywhere outside a Scottish Government building, including working from home, on transport, in public spaces, and in the cloud.

Any procurement and business process must take regard of cyber threats. Any risk the business takes in this area must be stated, understood and signed off. Any threat to the corporate infrastructure requires additional clearance.

14. Review

14.1 How confident are you about the robustness of your arrangements for reviewing and improving the effectiveness and efficiency of controls in your area?

Yes/No

 

You should be reviewing internal controls in your area at appropriate points in time e.g. when processes change or operational shortcomings come to light.

Has anything happened during the course of the financial year that has raised questions about the controls that you have in place? E.g. has the running of the regular financial monitoring exercises suggested any shortcomings? Have there been any particular queries that may lead to doubts about how the controls are operating?

(Guidance on internal controls is provided in the main section of the SPFM on Certificates of Assurance.)

14.2 How confident are you that you have a comprehensive picture (e.g. through an Assurance Map) of the sources of evidence underpinning your assessment of controls?

Yes/No

 

You should provide details of any key weaknesses identified and the steps taken to resolve these. How confident are you that you and your staff are sufficiently aware of the types of independent review (e.g. Internal Audit, independent assurance and Gateway Review, ICT Assurance Review, Digital First Review, review by external consultants) to support your assurance, and of how to access them?

14.3 Where objectives, risks and controls in your area have been subject to independent review, how confident are you that recommendations arising from these reviews have been acted on in a timely fashion?

Yes/No

 

 

14.4 Based on the assurances you have of whether your objectives, risk management and internal controls are being met and operating successfully, are there any key areas that would benefit from independent review?

Yes/No

 

 

15. Other Issues

15.1 Apart from the issues raised above, are there any significant control matters arising in your area which could adversely affect the signing of the Scottish Government Governance Statement by the Permanent Secretary?

Yes/No

 

Provide here details of any other control problems, specific to your area of responsibility, which you have encountered during the year.

Page Published / Updated: March 2018