Information

Scottish Public Finance Manual

The Scottish Public Finance Manual (SPFM) is issued by the Scottish Ministers to provide guidance on the proper handling and reporting of public funds.


Annex 2: internal control checklist

The contents of the internal control checklist are as follows:

Section

1. Risk Management
2. Business Planning
3. Major Investment
4. Project Management
5. Financial Management
6. Fraud
7. Procurement
8. Human Resources
9. Equality & Diversity
10. Information
11. Health & Safety
12. Sponsored Bodies
13. Compliance
14. Review
15. Other

 

Issue | Response | Details, including review work you have carried out to verify response (mandatory) | Guidance Note (Where Applicable)

1. Risk Management

1.1 Do you have processes in place to ensure that your risks are linked to divisional business plans (including objectives and targets) and that this information is reviewed on an on-going basis?

Yes/No

                               

   

Your objectives will be the focus of any risk management information, so risk identification needs to be undertaken with a clear strategy and clarity of purpose. Risk identification is an important part of business/project planning, managing performance and prioritising effectively.

Confidence levels will be shaped by:

  • the identification and recording of key business risks as part of business planning activity, regular management discussions, and objectives and performance monitoring arrangements
  • processes that ensure the right people are involved in the management of risk and that each stage in the process is being actively recorded and managed
  • you revisit risks periodically to ensure that updates or changes to business planning activity, objectives or projects reflect the current situation
  • the maintenance of risk registers, based on the corporate template, at divisional/branch/project level as considered appropriate and that there is a nominated person within your division/team with responsibility for coordinating the update of the register
  • a Risk Champion within your Directorate who has the responsibility to ensure that systems and processes are in place and are consistent with the SG Risk Management approach

(The SG Risk Management Guide and the SG Template risk register are available on the Intranet. General guidance is available through Risk Management on the SPFM.)

1.2 Do you employ a systematic approach to help the identification and prioritisation of your risks and manage them by allocating resources proportionately in alignment with your business plans?

Yes/No               

 

It doesn’t matter what method you use to help identify your risks but you should take a systematic approach to ensure you have a complete risk profile. 

Confidence levels will be shaped by:

  • using a simple technique that provides a wide scan of areas that may affect objectives such as PESTLES or SWOT Analysis
  • using other sources of data to support risk identification and prioritisation
  • you consider cost, feasibility, probability, risk appetite and the potential impact when determining how to address your risks
  • you utilise diverse perspectives from stakeholders, your teams, division, directorate, project or programme and think about what arrangements are in place in your area to ensure that risk information is supporting your decision-making

(The SG Risk Management Guide and the SG Template risk register are available on the Intranet. General guidance is available through Risk Management on the SPFM.)

1.3 Is risk management activity within your area led from the top, actively promoted and delivered by branch heads and team leaders alongside support from your Directorate’s Risk Champion?

Yes/No

Effective communication is vital to effective risk management.

Confidence levels should be shaped by:

  • Deputy Directors, Branch Heads and Team Leaders understand their responsibilities and are actively involved in the identification and management of risk
  • the Risk Champions within your Directorate are known and utilised to support the development of your risk management approach
  • all risks, once identified, are assigned to an owner who has responsibility for ensuring that the risk is managed and monitored over time
  • your teams have an understanding of the current risk landscape and that emerging risks are recorded
  • risk management is viewed as a continual learning process, good practice is shared and communicated allowing your teams to benefit from lessons learned in a project or programme
  • risk is discussed as a regular part of management/senior team discussions
  • you have lines of communication to ensure that relevant teams and colleagues are informed of further action, escalation and the general outcome of discussions

(The SG Risk Management Guide and the SG Template risk register are available on the Intranet. General guidance is available through Risk Management on the SPFM.)

1.4 Are you assured that all staff have undertaken basic risk management training in your area and understand their role in the identification and management of risk?

Yes/No

Ensuring all staff have the right level of skills and training to ensure effective engagement with the risk management process is key. Everyone in the organisation has a role in helping to identify and manage risks, therefore it is essential that all staff have a basic understanding of risk management policy and process. All staff, but especially those who lead risk management activity, should have some risk management training to ensure a base level of knowledge of the corporate processes.

Confidence levels should be shaped by:

  • all staff within the core SG should have at minimum completed the appropriate SG Risk Management e-Learning Pathway (SG risk management eLearning)
  • key staff with particular responsibility or interaction with risk management have undertaken the SG risk management CPD course
  • key staff may have undertaken equivalent training from external training providers such as CIPFA, the Institute of Risk Management (IRM) or Management of Risk (MoR) qualification
  • you actively make sure that lessons are also learned from experience. This applies particularly to perceived failures, e.g. an unforeseen risk or a crystallised risk which turned out more damaging than expected. But it is equally true of successes, especially those where risk was managed well, to see whether there is anything to be gained by repeating effective techniques elsewhere.
  • consideration is given to the recommendations of any internal or external assurance reviews of activity that your team have been involved in

All Business areas should be aware that the SG risk management e-learning is now mandatory for all staff – this came into force in January 2022; therefore areas should, in the next 12 months, be working towards full completion in their areas.

(The SG Risk Management Guide and the SG Template risk register are available on the Intranet. General guidance is available through Risk Management on the SPFM.)

1.5 Do you regularly review your key risks (including Cyber risks and threats), record them using the standard SG Risk Register format and do you receive reports on the management of those key risks and controls/mitigating actions?

Yes/No               

                               

Each division should have a method in place for recording and managing their key risks. Reporting on your risks, however, doesn’t always have to mean just using risk registers to record scores and related information.

Confidence levels should be shaped by:

  • having in place a risk register which is compliant with the SG guidance and template
  • processes which utilise risk register detail and the knowledge of wider outside influences to support your understanding of the wider risk landscape and help to recognise current pressures across a project or programme
  • you routinely look across your risk landscape and perform deep dives on key risks
  • risks form a part of regular management discussions with controls, actions, target scores and dates scrutinised
  • you have processes in place to escalate key risks ensuring effective communication, increasing awareness of the risk and highlighting where more senior supportive action is needed
  • you have lines of communication to ensure that relevant teams and colleagues are informed of further action, escalation and the general outcome of discussions

(The SG Risk Management Guide and the SG Template risk register are available on the Intranet. General guidance is available through Risk Management on the SPFM.)

1.6 Have you articulated your appetite to key risks and do you use this to help identify the extent to which you need to address your risks?

Yes/No               

                               

Your risk appetite should reflect the level of risk that you are prepared to accept (and not accept) for different types of risk in order to achieve your objectives. Ensuring you understand your appetite for risk is essential to helping you prioritise risk mitigations, and therefore resources, on those risks outside of your agreed acceptable limits. Risk appetite should be considered within the wider context of your Directorate and DG to ensure that your approach is appropriate.

Confidence levels should be shaped by:

  • having clearly articulated risk appetite statements (or equivalent) for all types of risk either within projects, programmes or at minimum directorate level
  • having clear definitions that provide lower level examples to clarify meaning for use during day-to-day processes and procedures. This can help guide and advise staff on what is expected of them as part of a programme. For example when staff should avoid actions or particular risks, when they should not allow certain things to happen and where people should look to take more risk
  • having effective measures that can actively monitor performance against the appetite definitions as well as the overall statements. This can be taken from appropriate IT and other systems to support the risk management processes, such as financial information, people information, consultation information etc. All forms of measurement need to be appropriate to the relevant environment
  • using target scoring within your risk register to ensure your risk appetite is reflected in the register, supporting effective discussion when current scores are beyond the target/risk appetite and when risks are close/proximate

(The SG Risk Management Guide and the SG Template risk register are available on the Intranet. General guidance is available through Risk Management on the SPFM.)

1.7 Is there a Business Continuity Plan covering your business area which has been reviewed and updated and exercised in the last year?

Yes/No               

                               

Every Division should either have a separate Business Continuity Plan in place or be covered within its Directorate Business Continuity Plan. Plans should be regularly reviewed and updated and should be exercised at least annually (to allow for changes in personnel, responsibilities, priorities, working practices, processes and procedures and in the external and internal context; and to apply lessons learned). The plan should describe how essential business across the Division would carry on in the event of losing staff, building access or corporate systems such as ICT. These should consider situations where many staff are working from home and ensure robust communication and incident management arrangements are in place (e.g. sign up to GroupCall as well as local business area-specific arrangements). Exercise scenarios should test these arrangements.

Guidance and support for local business continuity planning activities can be requested from the Security and Business Continuity Unit in Workplace Division. 

1.8 Do you have disaster recovery plans/arrangements in place for the event of the loss of key systems (including corporate ICT systems and line of business applications) upon which your and/or other business operations depend?

Yes/No

Local response to the possible loss of corporate functions and resources (e.g. accommodation, SCOTS, SEAS, eRDM, e-HR, MiCase, line of business applications) might be considered in the context of divisional risk management, incident management and business continuity processes and procedures. Where local systems are in operation, including but not exclusively ICT systems, the business area has a responsibility to ensure that plans are in place for business continuity and for recovery e.g. back-up data to ensure that services can be fully restored. Business areas with staff in non-main buildings may have local arrangements in place in the event of loss of key facilities and resources. Your recovery plans/arrangements should be tested regularly to ensure they are fit for purpose and meet your needs in the event of a loss or continuity event; your level of confidence should reflect the extent to which you have tested your plans and updated them accordingly.

2. Business Planning               

2.1 Do you have clear business objectives relating to the high priority business objectives of your division (linked to National Performance Outcomes and where appropriate the Programme for Government) and do they relate to those articulated within your Directorate business plan?

Yes/No               

                               

You should have clear business objectives which are linked to key National Performance Outcomes and where appropriate the Programme for Government.

Business plans should be based on a minimum of a three year period but also reviewed annually; they should also form the basis for any risk management information.

Confidence levels should be shaped by:

  • your business objectives/SMART targets are reflected and documented in the Divisional Plan and via staff performance appraisal forms at all levels as appropriate
  • plans provide a clear link (golden thread) to your Directorate’s Plan and provide a clear set of priorities

2.2 Have your objectives been translated into short, medium and long term measurable targets of both Business As Usual service delivery (e.g. FOI performance) and change projects (e.g. PfG deliverables), against which performance and progress are measured?

Yes/No               

                               

New initiatives or spend, or changed systems should normally be discussed with Finance, Procurement and Internal Audit colleagues before proposals are finalised. New property requirements should be discussed with Property and Construction Division for advice.

For change initiatives managed as projects or programmes, section 3 (major investment) or 4 (projects) should be completed. The Approaches and methodologies toolkit provides some guidance on the difference between Business As Usual and projects.

Teams should utilise the AO templates for spending decisions per approval limits.

In terms of undertaking change, the Improvement Framework is one of the main mechanisms underpinning the Scottish Government’s approach to Public Service Reform. Further guidance can be provided through the Leading Improvement Team.

(Guidance on the Role of Finance is available on the Intranet. General guidance on Procurement and Internal Audit is available in the SPFM.)

2.3 Are there clear plans for how your division will contribute to Directorate improvements in their performance – in keeping with the vision and values of In the Service of Scotland?

Yes/No               

                               

This question seeks to find out if the relationship between inputs, outputs and outcomes is being applied in developing business and staff performance measures. Our vision - 'In the Service of Scotland' - provides the blueprint for how to successfully operate in an uncertain and evolving world. If you would like to know more about our vision and how you can help shape how we achieve it, contact IntheserviceofScotland@gov.scot.

Additionally, Guidance on Performance Management is available on the intranet.

2.4 Do you regularly receive timely, relevant and reliable reports on progress and performance against key indicators and targets alongside your risk information and take corrective action where necessary?

Yes/No               

                               

This could take the form of regular reports prepared for consideration at progress meetings or updates provided in the context of regular meetings with managers. Corrective action might involve the reprioritisation/reallocation of resources (budgets and staff) and the reordering of key business priorities.

2.5 Does your business plan inform your financial, people, and operational plans and prioritisation?

This could be demonstrated where the business plan is used as a reference document when considering new requests that come in, to identify opportunity cost and prioritisation advice. There should be a connection between the items in the business plan and assumptions for finance, people and operational decision making – whereby delivery identified within the business plan has resource allocated within financial and people plans, and operational plans about where people are deployed to accommodate the deliverables and schedule within the business plan.

3. Major Investment               

3.1 Has your area been responsible for the initiation or delivery of one or more major investments during the past financial year? (If not, please ignore the other questions in this section)             

Yes/No               

                               

Major investments are defined in the Major Investment Projects section of the Scottish Public Finance Manual (SPFM) but can also be defined as initiatives:

  • requiring spending over and above departmental expenditure limits
  • requiring primary legislation
  • being innovative or contentious

All Major Investments must adhere to the guidance in the SPFM, and its key principles should be adopted in relation to all investment projects.

Any property and construction procurement requirements should be addressed at least 1 year in advance of budget planning and advice sought from Property and Construction Division.         

3.2 Do/did your project’s governance arrangements align with the Scottish Government’s strategy and sector specific governance procedures?

Yes/No               

                               

Relevant procedures include the following:

  • declaring all new major investments to the Portfolio, Programme and Project Assurance Hub by means of the submission of a completed Risk Potential Assessment form (see question 3.3)
  • issuing the SRO (Senior Responsible Owner) with an appointment letter, confirming their responsibilities and the aims, objectives, timescales and funding arrangements for the project
  • putting arrangements in place to address each of the SG’s Programme and Project Management (PPM) Principles. Information to help with this can be obtained from the PPM-CoE
  • for construction and infrastructure projects, complying with the guidance in the Client Guide to Construction Projects. Further guidance and support is available from the Scottish Government’s Construction Procurement Policy Unit
  • for IT and digitally enabled projects, registering the project with the Digital Assurance Office and complying with the Technology Assurance Framework; including compliance with the Digital First Service Standard for new digital public services and Scottish Government corporate system
  • for Health Sector projects, complying with the guidance in the NHS Scotland Scottish Capital Investment Manual

3.3 Have you assessed your project(s) in line with the SG’s assurance procedures and engaged with the appropriate assurance process?

Yes/No               

                              

Relevant procedures include the following:

  • completing the Risk Potential Assessment Forms to determine the potential impact and complexity of your investment(s)
  • submitting the completed RPA to the SG’s Portfolio, Programme and Project Assurance Hub for review of your project’s assurance needs
  • actively engaging with corporate assurance providers, taking advice on board and promptly acting on review recommendations
  • major infrastructure projects over £20 million in value, or of critical importance/unusual scale or nature to the procuring organisation, or revenue funded, or procured through competitive dialogue, may require Key Stage Reviews (KSRs) during key procurement stages - KSRs are undertaken by the Scottish Futures Trust

3.4 Do you have an up-to-date case for change (e.g. business case) demonstrating continued strategic alignment, viability and value added, and providing business justification for each project?

Yes/No               

                               

You must be able to demonstrate the on-going justification of the need for your project and should regularly review the case for change to ensure its currency.

For projects including a procurement element, you must also be able to demonstrate compliance with the Procurement Section of the SPFM.

For construction and/or an infrastructure project, you must be able to demonstrate compliance with the Client Guide to Construction Projects. Further guidance and support is available from the Scottish Government’s Construction Procurement Policy Unit.

For property requirements, you must be able to demonstrate compliance with the Property Section of the SPFM. Further guidance and support is available from Property and Construction Division.

3.5 Have you assessed your capability and capacity to deliver your project(s) and are you aware of when you need specialist resources and how to secure the specialist resource?

Yes/No               

                               

The SRO (Senior Responsible Owner) must be appointed at the earliest possible stage of the project. Clear roles and responsibilities should be assigned and levels of delegated authority should be clearly identified and agreed. These should be documented in formal letters of appointment between the Investment Decision Maker and the SRO and between the SRO and various post holders within the Project Management Structure.

You should ensure that people appointed to positions within the project’s governance and management structure have the skills, experience and knowledge necessary to fulfil their role, using existing performance management and PLP arrangements in accordance with question 8.1.

Internal and external specialist resources required for the successful delivery of the project should be identified and secured at planning stage. For consultants, you must comply with the Scottish Government Consultancy Procedures in accordance with COA question 7.4.

3.6 Have you put all necessary arrangements in place to assess the realisation of benefits and capture lessons from the delivery of your project(s)?               

Yes/No               

                               

Necessary arrangements include:

  • ensuring that benefits are identified, plans for the realisation of benefits are put in place, and delivery of benefits is measured to demonstrate that the intended return on investment is being achieved - the IPA has published a “Guide on Effective Benefits Management in Major Projects”
  • capturing lessons during the project lifecycle and sharing as appropriate. The Lessons Toolkit provides some guidance on how to capture lessons
  • formal contract management arrangements should be put in place, where appropriate including the identified benefits, and implementing the SG’s contract management handbook guidance including recording, monitoring and reporting KPIs

Ensuring that:

  • a Post Project Review to establish how well the project was managed and benefits realised is carried out (Gate 5 Review – Operations Review and Benefits Realisation)
  • Post Implementation Reviews (also known as Post Occupancy Reviews for construction projects) to establish if the original project objectives are being achieved are carried out. This review is likely to be repeated
  • all feedback is used to inform future project delivery

4. Project Management               

4.1 Has your area been responsible for one or more projects - other than major investment projects – during the past financial year?

Yes/No               

                               

This section covers all projects and investments not covered by the SPFM definition of a “major investment project”, including non-capital projects such as new policy delivery or changes to existing policy, and business change projects.

The Approaches and methodologies toolkit provides some guidance on the difference between business as usual and projects.

4.2 Did/do your project’s governance arrangements align with the Scottish Government’s strategic and sector specific procedures?

Yes/No               

                               

The general principles set out in the Major Investment Projects section of the SPFM should be applied proportionately, as appropriate, to all projects.

Relevant procedures include:

  • putting arrangements in place to address each of the SG’s Programme and Project Management (PPM) Principles. Information to help with this can be obtained from the PPM-CoE
  • for construction and infrastructure projects, complying with the guidance in the Client Guide to Construction Projects. Further guidance and support is available from the Scottish Government’s Construction Procurement Policy Unit
  • for property projects further guidance and support is available from Property and Construction Division
  • for IT and digitally enabled projects, complying with the Technology Assurance Framework; further guidance is available from the Digital Assurance Office
  • for Health Sector projects, complying with the guidance in the NHS Scotland Scottish Capital Investment Manual

4.3 Have you assessed your project(s) in line with the Scottish Government assurance procedures and engaged with the appropriate assurance process?

Yes/No               

                               

Relevant procedures include the following options:

  • completing the Risk Potential Assessment Forms to determine the potential complexity and risk of your project(s)
  • submitting the completed RPA to the SG’s Portfolio, Programme and Project Assurance Hub

4.4 Do you have an up-to-date case for change (e.g. business case) demonstrating continued strategic alignment, viability and value added, and providing business justification for each project?

Yes/No               

                               

Guidance given states:

  • projects must be appraised in accordance with the Appraisal and Evaluation section of the SPFM (this must include clear links to strategic priorities (strategic case), an options appraisal (economic case) supported by solid evidence that the chosen option provides the best commercial value (commercial case), is affordable (financial case) and is deliverable (management case)) - the five-case model provides a robust and accessible approach to investment appraisal and business justification
  • you must be able to demonstrate the on-going justification of the need for your project and should regularly review the case for change to ensure its currency
  • for projects including a procurement element, you must also be able to demonstrate compliance with the Procurement Section of the SPFM
  • for construction and/or an infrastructure project, you must be able to demonstrate compliance with the Client Guide to Construction Projects. Further guidance and support is available from the Scottish Government’s Construction Procurement Policy Unit
  • for property requirements, you must be able to demonstrate compliance with the Property Section of the SPFM. Further guidance and support is available from Property and Construction Division

4.5 Have you assessed your capability and capacity to deliver your project(s) and are you aware of when you need specialist resources and how to secure the specialist resource?

Yes/No               

                               

The SRO must be appointed at the earliest possible stage of the project. Clear roles and responsibilities should be assigned and levels of delegated authority should be clearly identified and agreed. These should be documented in formal letters of appointment between the Investment Decision Maker and the SRO and between the SRO and various post holders within the Project Management Structure.

You should ensure that people appointed to positions within the project’s governance and management structure have the skills, experience and knowledge necessary to fulfil their role, using existing performance management and PLP arrangements in accordance with question COA 8.1.

Internal and external specialist resources required for the successful delivery of the project should be identified and secured at planning stage. For consultants, you must comply with the Scottish Government Consultancy Procedures in accordance with question COA 7.4.

4.6 Have you put all necessary arrangements in place to assess the realisation of benefits and capture lessons from the delivery of your project(s)?         

Yes/No               

                               

Recommended arrangements include:

  • ensuring that benefits are identified, plans for the realisation of benefits are put in place, and delivery of benefits is measured to demonstrate that the intended return on investment is being achieved. The IPA has published a “Guide on Effective Benefits Management in Major Projects”, which should be applied in a proportionate way
  • capturing lessons during the project lifecycle and sharing as appropriate. The Lessons Toolkit provides some guidance on how to capture lessons
  • conducting an End of Project Evaluation Review, including the review and handover of benefits identified in the business case to an accountable owner

5. Financial Management

5.1 Do you ensure that a documented business case has been prepared for all policy proposals and do you ensure that your Finance Business Partner (or equivalent) and, as necessary, Scottish Procurement and Property Directorate (SPPD) and Internal Audit and Assurance Directorate are involved at the earliest possible stage in its preparation where there are resource, control, procurement, property or other finance related implications and that they are kept informed of developments?

Yes/No               

                               

Finance should also be consulted on any novel or contentious spending proposal and any matter which includes issues of financial propriety and regularity. The need to consult Finance might also be included in induction material and local desk instructions. We recommend that the relevant UK guidance such as the Green Book is also consulted as part of any policy proposal alongside the SG approach to Risk Management.

5.2 Do you have procedural instructions, cleared with Finance, about how financial matters are handled within the area, including guidance to ensure that proper and accurate accounting records are maintained and entries in them are properly authorised? Are processes in place for regular monitoring of compliance with these instructions?

Yes/No

                               

Local desk instructions should be drawn, as appropriate, from the key principles of the SPFM. Instructions should be in place covering the arrangements for entering into commitments and for approving and processing the resultant payments, including VAT – and ensuring adequate separation of duties. This may also cover other matters such as delegated authorities, budget monitoring procedures and the requirement to consult Finance on all proposals that may have resource or other finance related implications.

Monitoring of compliance should be supported by regular management checks and the consideration of financial matters at regular meetings with your managers. The response to this question needs to reflect both the provision of information needed for accounting purposes (e.g. the proper and timely entry of data into SEAS and/or EASEbuy) and for cash management purposes. The response should also take into account the controls in place within your area to ensure that only authorised personnel have access to the SEAS system.

(Guidance on SEAS and EASEbuy is available on the Intranet.)
5.3 Do you ensure that all staff that have budgetary responsibility have written delegated authority and the appropriate skills and training to discharge their responsibilities for managing public money? Yes/No               

                               

Delegated financial authority (i.e. where members of your staff have full responsibility for budgets and take decisions without having to refer upwards) will not be appropriate in many Divisions but where it is you should provide details of the broad arrangements e.g. set out in desk instructions, financial responsibility statements. This is separate from Delegated Purchasing Authority (DPA). The authority required to make and authorise payments etc. within SEAS and the authority to purchase in EASEbuy are also separate authorities.

(General guidance on Delegated Authority is available in the SPFM. Guidance on the Scheme of Delegation is available on the Intranet.)

(Guidance on Budget and Financial Management is available on the Intranet under Financial Accountability and Assurance and Pathways Digital Learning Platform.)

5.4 Is there adequate separation of duties where required and are staff with these duties adequately trained to discharge their responsibilities in that regard and how do you ensure that this is achieved? Yes/No               

                               

Confidence levels will be shaped by the strength of procedures applied to activities such as authorising and processing payments and receipts or awarding grants. There may be concerns (e.g. within small units) where the rules on separation of duties cannot practically be achieved. In such circumstances the response should relate to whether the local arrangements (e.g. compensating controls) agreed with Finance are working satisfactorily.

(The requirement for appropriate separation of duties is included in a number of sections of the SPFM, notably those covering Expenditure and Payments and Income Receivable and Receipts.) This covers all staff involved in the financial process. The level of knowledge and training should be related to the part played by the individual in the financial process. Individual duties should be covered in desk instructions. All staff with responsibility for entering into contracts, raising purchase orders or issuing invoices etc. should have a knowledge of the rules relating to VAT and the ability to recover and/or charge VAT.

Note that this is separate from the authority required to make and authorise payments within SEAS or to purchase within EASEbuy.
5.5 Do you ensure that Finance (and Property where applicable) are informed of any changes to assets as they arise and that SEAS is maintained up to date to reflect the assets held in your area? Yes/No               

                               

Capitalised expenditure (PPE and Intangibles) must meet the approved corporate thresholds and definitions, and be supported by Asset Addition forms. Any disposal of previously capitalised assets should be recorded correctly in SEAS and supported by Asset Disposal forms. Further guidance is available from your Finance Business Partner and via the Intranet.

5.6 Do you have arrangements to ensure that all assets for which the area is responsible are properly managed and safeguarded? How do you ensure this? Yes/No               

                               

Only assets for which the area is responsible need to be considered here. This will include those assets on a locally maintained inventory of valuable and attractive items. The response should consider safeguards such as those against unauthorised use or disposal.

(Guidance on Property Management and Fraud is available in the SPFM.)

5.7 Do you have effective arrangements in place to ensure that you are managing and monitoring any money due to the Scottish Government and that it is collected within reasonable timescales and are procedures written with reference to the SPFM and are they reviewed and updated regularly?

Yes/No               

                               

Further detail on Debt recovery can be found in the Income receivable and receipts section of the SPFM.

Staff should be trained in local procedures/arrangements which should be reviewed and kept up to date. Confidence levels will be shaped by the strength of procedures surrounding:

  • any relevant Statutory Authority for fees and charging and associated VAT
  • appropriate accounting treatment and budgeting treatment of income, receivables, receipts and internal transactions
  • adequate segregation of duties
  • credit control and the relevant monitoring and management
  • debt recovery and uninvoiced income
  • EC Receipts, Excess Receipts, designated receipts, NLF repayments and recoveries from the SCF
5.8 Do you have procedures in place for timeous and effective monitoring and reviewing of financial information and budgets for which you are responsible? Yes/No               

                               

 The response should reflect the following:
  • measures to ensure that financial systems contain accurate and up to date information
  • measures to monitor the security of financial information
  • local arrangements for monitoring and reviewing operating costs and programme budgets
  • measures should include regular management checks. Arrangements for reviewing budgets should be consistent with re-profiling information returned to Finance. (Guidance on Budget and Financial Management is available on the Intranet and the Learning Portal)

5.9 Do you have procedures in place to ensure that budgets are reviewed during the year and that budget transfers are completed and authorised in line with corporate finance deadlines?      

Yes/No               

                               

You will wish to consider here the mechanisms in place for communicating budgetary information both at the beginning of the year and changes made in-year whether at the time of formal monthly or quarterly reviews or at other times. This would also cover the transfer of funds between one area and another or between the centre and your area.

5.10 Do you regularly review internal financial reports which report actual against budget outturn and discuss progress with your Director or equivalent and how do you ensure this is achieved in line with corporate finance deadlines and what action is taken following financial review to ensure a balanced budget is achieved?

Yes/No               

                               

The review of the regular financial reports needs to take account of both forecast outturn positions and year-to-date actual costs against profiled budget spend.

5.11 Do you ensure that the Subsidy Control Unit is consulted on all proposals that may have subsidy implications? Yes/No

                               

Guidance on Subsidy Control procedures is included in the SPFM. Detailed guidance on Funding and Subsidy Control during the coronavirus is available on the Intranet. Further detailed guidance is available from the Subsidy Control Team.

5.12 Do you ensure that any grant proposals and payments comply with the guidance in the SPFM and internal guidance?            

Yes/No    

                               

The section of the SPFM on Grant and Grant in Aid includes references to checklists covering the grant proposal, application and assessment processes and a Model Offer Grant Letter document. SG Grant Management guidance can be found on the Intranet.

5.13 Do you ensure that any grants awarded are linked to the National Performance Framework National Outcomes and where applicable any Programme for Government commitments via the Model Offer Agreement, including the contribution the grant is expected to make in achieving these outcomes including how they will be monitored and evaluated?         

Yes/No    

                               

The National Performance Framework (NPF) is Scotland’s well-being framework and was refreshed in 2018. The NPF is intended to inform discussion, collaboration and planning of policy and services across Scotland, encompassing the public sector, businesses, civil society and communities. It broadly sets the strategic direction for non-reserved policy areas, which should be aligned to the NPF and National Outcomes, including the work of Public Bodies.

It also represents a closer partnership approach with local government to the delivery of services in Scotland. The approach to setting, reviewing, and reporting on progress to achieving the National Outcomes, is set out in the Community Empowerment Act 2015. 

Grants awarded should have a shared understanding of the joint priorities to contribute towards the National Outcomes.

This should include what public spending supports, what this aims to achieve, the contribution it is expected to make to National Outcomes and evidence for this, how plans are being delivered, and the impact this is having.

Programme for Government (published annually following ‘Summer Recess’) sets out the priorities for government and the legislative programme of the parliamentary year.

5.14 Do you have confidence that all of your staff who are involved in the management of grants have the skills and training to allow them to manage their grants effectively? Yes/No    

                               

Ensuring key staff have the right level of skills and training to ensure effective engagement with the grant management process is key. Confidence levels should be shaped by:

  • staff should complete the Grants Process Training available on Pathways
  • staff regularly refer to the grants guidance on the Intranet before commencing any grant award
  • staff involved in grant management have at minimum undertaken the SG Due Diligence-Grants Process e-Learning on Pathways
  • DG Grant managers are engaged with the Grants Managers network on Yammer
  • your grant managers are actively sharing lessons learned within the business area from experience
5.15 Do you have procedures in place to monitor any Losses, Special Payments and Gifts in year?  Yes/No              

                               

Losses, Special Payments and Gifts should be disclosed each year. The SPFM includes guidance on Losses and Special Payments and Gifts giving guidance on the various types of Losses, special payments and gifts and the approval process. You should ensure the guidance is followed to correctly report any of these transactions.
5.16 Do you have year-end procedures in place to ensure all Annual Accounts returns are completed in a timely and accurate manner?

Yes/No               

                               

There are various returns due to finance as part of the annual accounts process. You should have procedures in place to ensure that information requested can be provided to Finance in an accurate and timely manner. Information requested will be used to ensure income and expenditure are recorded in the appropriate financial year and that any assets or liabilities of the Scottish Government are reviewed and appropriately accounted for. This includes consideration of committed and contingent balances (Contingent Liabilities, contingent assets), indemnities and guarantees.

Confidence levels can be shaped by:

  • having an embedded finance team or person who undertakes these key processes for your area
  • ensuring that those staff have the appropriate qualifications/training to undertake this activity
  • the team or staff member has established clear links with the relevant finance team/FBP etc.

6. Fraud               

6.1 Are operational managers and all members of staff within your area aware of their responsibilities with regards to the prevention and detection of Fraud (including Cyber Fraud)? Yes/No      

Confidence levels should be shaped by:

  • awareness of the relevant guidance in the section on Fraud in the SPFM which might be brought to the attention of staff periodically and other relevant local guidance – the SG has a comprehensive guide on the intranet
  • the linking of induction materials to the relevant internal guidance on fraud prevention – there is a comprehensive guide on Saltire
  • within the SG ensuring that staff have undertaken the Civil Service Learning on fraud prevention for staff and managers within the last three years

Unless separate prescribed procedures are in place any suspicion of fraud (internal or external) should be reported to the SG Governance and Risk Team via email Risk_Management_and_Fraud_Response@gov.scot or the Crimestoppers Hotline 08000 15 16 28.

6.2 Are any cases of suspected fraud within your area dealt with in accordance with the Scottish Government Fraud Guidance?

Yes/No               

                               

Confidence levels should be shaped by:

  • awareness of the relevant guidance in the section on Fraud in the SPFM which might be brought to the attention of staff periodically and other relevant local guidance – the SG has a comprehensive guide on the intranet
  • the linking of induction materials to the relevant internal guidance on fraud prevention – there is a comprehensive guide on Saltire
  • within the SG ensuring that staff have undertaken relevant civil service learning on fraud prevention for staff and managers accessible via Civil Service Learning
  • established Fraud Management Procedures (linked to a Counter Fraud Management Strategy) documented and accessible to staff
  • fraud being appropriately and systematically recorded and reported to Governance and Risk where applicable and the relevant Audit/Assurance Committee

Unless separate prescribed procedures are in place any suspicion of fraud (internal or external) should be reported to the SG Governance and Risk Team via email Risk_Management_and_Fraud_Response@gov.scot or the Crimestoppers Hotline 08000 15 16 28.

6.3 When new grant schemes or other spend programmes are being developed do you ensure you are considering whether fraud prevention measures need to be built into your plans, based on appropriate Fraud Risk assessments being in place? Yes/No                          

Within grant schemes confidence levels should be shaped by:

  • awareness of the fraud procedures in place within prospective funding recipient’s business processes
  • ensuring appropriate due diligence checking has been undertaken on applicants to ensure they are legitimate recipients
  • appropriate criteria for determining eligible expenditure are in place
  • payment in advance of need is appropriately assessed by your finance business partner
  • throughout the grants process, decisions, key documentation and evidence should be appropriately recorded to ensure an effective audit trail. This will ensure that you can evidence decisions made and support any internal or external review. You should use the audit trail checklist to ensure you have all of the appropriate documentation to support your grant

Within other spend confidence levels should be shaped by:

Unless separate prescribed procedures are in place any suspicion of fraud (internal or external) should be reported to the SG Governance and Risk Team via email Risk_Management_and_Fraud_Response@gov.scot or the Crimestoppers Hotline 08000 15 16 28.

7. Procurement

7.1 Do you ensure that the Scottish Procurement and Property Directorate (SPPD) is consulted from the earliest possible stage on any business case proposals that may involve procurement, commercial and/or property activity? Yes/No

Guidance on the role of the Scottish Procurement and Property Directorate (SPPD), guidance on Buying Goods, Services or Works and the Security Questionnaire is available on the Intranet. The need to consult SPPD might be included in induction material and local desk instructions.

SPPD must be consulted early on any novel or contentious spending proposal and any matter which includes issues of procurement and/or property propriety or regularity.
7.2 Do you have sufficient staff with Delegated Purchasing Authority (DPA) to meet your business needs? Yes/No  

DPA is the authority from the Director of Procurement and should on a personal basis to permit permanent SG members of staff to enter into a contract for goods, services and works and oversee the process leading up to and including the award of a contract and any subsequent contract changes on behalf of the Scottish Ministers. This is separate from financial authority and the authority to make purchases on EASEbuy.

Please confirm how many staff in your area have DPA and if the number does meet your business needs. 

(Guidance on DPA is available on the Intranet).

7.3 Do you have contracts in place for all procurement spend in your division whether bespoke contracts for your area or corporate contracts available for use across the Scottish Government?

Yes/No  

Divisions should understand if their procurement spend is covered by contract and should be aware of the Scottish Government contract register.

7.4 Is all procurement activity within your area undertaken in accordance with the Procurement Policy Manual? Yes/No

Evidence should be provided by staff with DPA to assure Division Heads that all procurement activity has been conducted in accordance with the Procurement Policy Manual. Specific guidance on the operation of the electronic Purchasing Card and the EASEbuy System. Does your business area have a system in place to ensure staff are aware of the latest and any other significant Scottish Public Procurement Notes (SPPNs) (Cyber Security, Climate Change)?

7.5 Does your area’s use of external consultants comply with the Scottish Government Consultancy Procedures? This includes using the consultancy account codes on the Purchase Orders that are created in the purchasing system. Yes/No  

Contracts for consultancy of up to £10 000 in value need to be approved at Deputy Director level. Consultancy contracts between £10 000 and £50 000 need to be approved at Director General level. Consultancy contracts above £50 000 must be authorised by the Cabinet Secretary for Finance, Economy and Fair Work. If there have been no such cases during the period then please provide a nil response.

Consultancy expenditure must be coded against the account codes stated in the Consultancy Procedures.

Management checks on consultancy expenditure on SEAS should be carried out to ensure approval was sought at the appropriate approval level prior to purchase.

7.6 Is the number of staff authorised and trained to act as purchasing system requisitioners and approvers consistent with your Division’s needs? Yes/No  

Staff who are authorised as purchasing system requisitioners and approvers need to recognise the importance of the financial information being entered correctly. The amount of knowledge and training does, of course, need to be related to the part played by the individual in the financial process. Individual duties might be covered in desk instructions. Details of available training are provided on the EASEbuy training page.

7.7 Do you ensure that staff with electronic Purchasing Cards (ePCs) are fully aware of their responsibilities to monitor compliance and meet the ePC policy? Yes/No  

Monitoring of compliance might be achieved by regular management checks and the consideration of financial matters at regular meetings with your managers.

(Guidance on ePC is available on the Internet.)

7.8 Do you ensure that staff are complying with the prompt payment of suppliers’ process to meet the 10 day payment commitment? Yes/No

Relevant guidance regarding the prompt payment of suppliers’ policy must be brought to the attention of staff periodically and/or in reviewing training requirements.

7.9 Do you have in place appropriate arrangements in your area to ensure effective contract management enabling delivery of both technical and commercial requirements? Yes/No

Staff managing contracts should have the knowledge and skills to deliver both the technical and commercial conditions of the contract. Staff can seek guidance or arrange for Contract Management services to be delivered by the SPCD Contract Management Team. Additional guidance is also available on the Procurement Journey.

8. Human Resources

8.1 Do you have, and regularly update, workforce plans linked to resourcing plans that enable you to match resources to priorities and affordability and have they contributed to increased diversity and inclusion? Yes/No  

In the Service of Scotland sets our vision and values, and the context for people management and development, helping to ensure we have the right people in the right place.

Confidence levels will be shaped by working with your HR Business Partner on activity such as:

  • regular workforce planning discussions with HR Business Partners and Finance Business Partners to monitor and manage workforce numbers and cost
  • keeping baselining/skills information of workforce up to date
  • identifying any roles/skills that are single points of failure and establishing a response (i.e. succession planning)
  • adherence to corporate processes and timescales regarding recruitment
  • actions to increase diversity through recruitment and succession planning (e.g. completing mandatory training, Diverse Panels, and carefully considering how and where to advertise vacancies)
  • what evidence do you draw on to inform action, e.g. Workforce planning returns (BUD1), People and Finance metrics, diversity monitoring information on eHR
  • using the self-reflection toolkit Equality Self-reflection Guide SG Thrive for leaders and managers making people-related decisions
8.2 Do you have processes in place to develop staff and increase capability to support diverse and inclusive, high performing teams? Yes/No  

In the Service of Scotland sets our vision and values, and the context for people management and development, helping to ensure we have the right skills now and for the future.

Confidence levels will be shaped by working with your HR Business Partner on activity such as:

  • having personal and divisional learning/development/capability plans (including relevant professions) reflecting corporate priorities, local business needs and the diverse needs of your workforce
  • having high quality individual diversity objectives which contribute to building a diverse and inclusive culture, and embed D&I in business delivery
  • effective processes, including regular career conversations, for identifying and developing talent
  • the role of line managers in SG’s HR policies is well understood and the application of best People Management practice is highly valued, supported and openly recognised
  • adherence to corporate processes regarding performance management (i.e. monthly conversations, In Year Reviews and End Year Reviews and development discussions)
  • evidencing where you draw from to inform positive action, e.g.: corporate guidance on most effective learning approaches (i.e. 70/20/10)
  • regularly reviewing pathways reporting to help review mandatory learning (e.g. Inclusive Culture/Inclusive Leadership and Culture/Championing an Inclusive Culture)

8.3 Are line managers at all levels skilled in managing performance and supporting the wellbeing of their staff?

Yes/No  

In the Service of Scotland sets our vision and values, and the context for people management and development, helping to ensure a workplace culture for individuals to bring their whole selves to work, to thrive and be successful.

Confidence levels will be shaped by working with your HR Business Partner on activity such as:

  • having induction processes for those new to the role or grade and investing time mentoring and coaching new staff
  • reviewing on-time completion and recording of both the probation process (where applicable) and performance appraisals
  • role modelling of the Civil Service Code and inclusive leadership
  • adhering to corporate processes regarding attendance management, grievance (Fairness at Work), conduct and performance management (noting separate guidance for SCS and probationers)
  • conducting wellbeing conversations and signposting wellbeing support service, promoting diversity of support and opportunities
  • regularly review people management and leadership capability within your team and encourage continuous development
  • using MI to identify and take action where absence rates or reasons raise concern
  • having in place, and effectively assessing, meaningful diversity and inclusion objectives at all levels to support employer outcomes and Recruitment and Retention Action Plans for race and disabled people
  • adhering to flexible working policy and leave policy
  • understanding employees’ individual needs and implementing workplace adjustments to enable everyone, and particularly disabled people, to fulfil their potential
  • encouraging people to share diversity data on eHR and having high diversity declaration rates and analysing and using the information effectively to advance diversity and inclusion
  • what evidence you draw on to inform positive action, e.g. People Survey results, Directors MI pack, Diversity Packs, Attendance Management Monthly Reports

9. Equality And Diversity

9.1 Are all new, revised or strategically significant policies/activities/projects in your area assessed, in line with legislative requirements, for their impact on people with one or more of the Protected Characteristics listed in the Equality Act 2010 at the earliest possible stage in the policy development process?

Yes/No  

This question relates to the leadership responsibility under the statutory Public Sector Equality Duty (PSED), and the specific duty to assess and review policies and practices. Policy should be understood broadly to embrace the full range of policies, provisions, criteria, functions, practices and activities undertaken by the Scottish Government. You are expected to ensure that, in line with legislative requirements, new or revised policies and practices in your area are assessed for their impact on people with one or more of the protected characteristics in the Equality Act 2010. These are age; disability; gender reassignment; marriage and civil partnership; pregnancy and maternity; race; religion or belief; sex; and sexual orientation. Going beyond statutory obligation, the First Minister and the Permanent Secretary have made clear their ambition for equality and human rights to be embedded in everything SG does.

In terms of process, assessment would typically be done through the EQIA process. Guidance on EQIAs is available on Saltire. The relevant deputy director (or equivalent) is required to sign off on EQIAs, and in signing off they are required to ensure the impact of applying the policy has been sufficiently assessed against the three needs of the equality duty and that the EQIA is robust and addresses all relevant equality issues. In answering, you should be able to demonstrate that you have in place appropriate arrangements for identifying and monitoring EQIA application and for prioritisation of EQIA within policy and practice development and review.

9.2 Are you confident that all staff in your division have the capacity and capability to embed equality within the policies or programmes they are working on? Yes/No  

This question seeks to find out if SG staff have the capacity and capability to deliver on equality obligations. In answering this question you should consider whether staff have had sufficient time, information, training, guidance and support to enable that aim to be realised, considering for example if:

  • they have an appropriate ‘stretch’ Diversity Objective
  • they have good awareness of equality issues; an understanding of the need for good quality impact assessment and how this relates to the development of policy or practices (evidence may include confirmation of training at induction and ongoing training and capacity building updated via appropriate continuous professional development)
  • they know about and use relevant sources of data such as the SG equality evidence finder and relevant employee data
  • they know about and engage with equality advocacy groups and that completed EQIAs evidence the use of evidence from engagement in shaping policy
  • for internal policy and employee-related policies/practices, they are drawing on employee lived experience and insights gathered for example through the People Survey
  • they have sufficient time, which is reflected in their business objectives, to consider equality matters in developing and delivering policy and/or relevant activity
  • they understand the need to ensure that EQIAs in the business area they have responsibility for, should be kept under review and that they are able to demonstrate that this is happening

Equality guidance and tools are available on the Intranet. In answering, you should be able to demonstrate how you are developing staff on an ongoing basis in this area.

9.3 Are you confident that any procedures in place to ensure that equality considerations are embedded into all policies/activities/projects in your area are delivering improved outcomes for people with protected characteristics? Yes/No  

This question relates to the extent to which policies and programmes are delivering meaningful outcomes for the people whose lives the Scottish Government is seeking to improve, which includes those with one or more protected characteristics under the Equality Act 2010.

 Specifically, EQIAs must consider impacts based on the three tests of the Public Sector Equality Duty (PSED) it is required to address:

  • do policies, practices or programmes contribute to reducing or eliminating discrimination for individuals with one or more protected characteristics? This means reducing disadvantage or less favourable treatment
  • do policies, practices or programmes advance equality of opportunity for individuals with one or more protected characteristics? This means understanding and meeting diverse needs, increasing participation of underrepresented groups and ensuring reasonable/workplace adjustments are implemented
  • do policies, practices or programmes foster good relations between those who share a protected characteristic and those who do not? This means tackling prejudice and promoting understanding

In answering you should consider and reflect the evidence (both quantitative and qualitative) demonstrating improvement in your area and the narrative of how policies and programmes in your area demonstrate active due regard to all three needs of the PSED.

9.4 Are you confident that any schemes operated by your Division for funding the work of external stakeholders meet statutory equality requirements and therefore deliver improved outcomes for people with protected characteristics?

This question relates to the extent to which funding for partners’ activities and projects (or core funding for partners designated as intermediaries) aligns to statutory requirements under the Equality Act 2010. Where a private or voluntary organisation provides a ‘public function’ it is then subject to the general equality duty. A public function refers to activities that are carried out on behalf of the State and are not similar in kind to services that could be performed by private people. Public functions can also be carried out by private or voluntary organisations, for example when a private company manages a prison or when a voluntary organisation takes on responsibilities for child protection. In answering this question, you should set out how you are ensuring this is the case in addition to 9.1 and 9.3.

10. Information

10.1 Does your division demonstrate best practice information governance and management including compliance with relevant legislation? Yes/No  

Have you ensured information held in assets complies with the Public Records (S) Act 2011 and the SG records management plan and policy?

The General Data Protection Regulation and Data Protection Act 2018 came into force in May 2018. Have you:

  • registered your information assets that contain personal data, and reviewed your existing assets
  • reviewed the legal basis for any personal data processing
  • updated any privacy notices
  • updated any contracts with third parties that include personal data processing
  • documented any personal data sharing in a data sharing agreement
  • conducted a Data Protection Impact Assessment (aka Privacy Impact Assessment) where required
  • made sure your staff know what to do if a security incident involving personal data takes place
  • identified any personal data processing for law enforcement purposes covered by part 3 of the Data Protection Act 2018 (see the Guide to law enforcement processing)
  • identified any personal data being processed outside of the UK

An Information Management Maturity Assessment benchmarking exercise was undertaken at the end of 2021/beginning of 2022, but in future years the questions from that Maturity Assessment will form part of this annual Certificates of Assurance process. Directorates should therefore assure themselves they are confident that all information within their areas is managed appropriately and in line with current policies and procedures.

10.2 Have you reviewed your information assets over the past financial year and updated the Scottish Government Information Asset Register (IAR) accordingly? Yes/No

The General Data Protection Regulation and Data Protection Act 2018 came into force in May 2018. Have you:

  • registered your information assets that contain personal data, and reviewed your existing assets
  • reviewed the legal basis for any personal data processing
  • updated any privacy notices
  • updated any contracts with third parties that include personal data processing
  • documented any personal data sharing in a data sharing agreement
  • conducted a Data Protection Impact Assessment (aka Privacy Impact Assessment) where required
  • made sure your staff know what to do if a security incident involving personal data takes place
  • identified any personal data processing for law enforcement purposes covered by part 3 of the Data Protection Act 2018 (see the Guide to law enforcement processing)
  • identified any personal data being processed outside of the UK

10.3 Are access control mechanisms in place for each system?

Yes/No  

Access control mechanisms for each system are documented by IAOs. Control mechanisms are in place for physical access and access to information. The locations of information assets are registered on the Information Asset Register.

10.4 Has your Information Asset Owner been trained in the role and is this training up to date? Yes/No

IAOs (usually Deputy Directors) are responsible for ensuring that their information assets are recorded on the corporate Information Asset Register (IAR). Guidance can be found on the IAR pages on the Intranet. See guidance on “What is an Information Asset?” in the IAO Handbook.

10.5 Do any supporting staff have an awareness of the role and responsibilities of an IAO and have they been trained in information handling? Yes/No

Staff are available and appropriately knowledgeable to discharge these roles and have undergone or are undergoing appropriate training. For core SG the SIRO is DG Organisational Development and Operations; non-core bodies will have their own SIRO.

Guidance on mandatory roles can be found on the intranet.

Mandatory eLearning packages (Data Protection and Responsible for Information) can be found on the Intranet.

10.6 Can you confirm that information risk assessments have been carried out for all information assets and do you take all required actions to safeguard your information assets and the corporate infrastructure and regularly/actively consider and manage current and emerging cyber risks and threats pertinent to your business?

Yes/No  

Staff are available to discharge these roles and have undergone or are undergoing appropriate training. For core SG the SIRO is DG Corporate; non-core bodies will have their own SIRO.

Guidance on mandatory roles can be found on the intranet.

Mandatory eLearning packages (Data Protection and Responsible for Information) can be found on the intranet. Confidence levels should be shaped by whether the following has been covered in business areas:

  • IAOs must ensure that their staff successfully complete the mandatory eLearning packages (Data Protection and Responsible for Information) (please note: specific IAO training module)
  • all staff should have read and understood the relevant policies and guidance (such as DPA, IT Code of Conduct, and Records Management)
  • all staff should be aware of how to handle requests for personal data – from individuals (Subject Access Requests) as well as 3rd parties; and when a Data Sharing Agreement is appropriate (Guidance can be found on the Intranet: Subject Access Requests; Conduct; Data Protection)
  • senior managers must consider and manage cyber risks in line with other business risk, with clear ownership and responsibilities
  • all staff should be aware of the dangers posed by phishing and social engineering; guidance on Saltire is available to support this
  • all staff should be aware of how to report suspicious email

10.7 Do you have processes in place for dealing with security incidents involving data? Yes/No

Information risk assessments should be carried out as appropriate for the classification of the information asset; the restriction of access to information as appropriate; the training of staff in handling sensitive information; the management of processing of personal data; the impacts of loss or corruption of information; and so on. Such risk assessments should extend to procurements and shared services initiatives, and to all delivery partners, suppliers and contractors. Management and monitoring of supplier security and information assurance arrangements must take place.

Mandatory eLearning packages (Data Protection and Responsible for Information) can be found on the Intranet.

10.8 Have you had any information security incidents involving data that occurred in your area over the past financial year that you did not record on the corporate security incident reporting tool?

Yes/No

Incidents would relate to cases where information (both personal and non-personal) may have been accidentally exposed, lost or made unavailable regardless of whether this has resulted in harm to individuals.

IAOs are aware of and follow the corporate process in place to report, manage and recover from information risk incidents. Lessons have been learnt, and shared, from incidents (if any). Local managers have a responsibility to ensure that staff are aware of and comply with the relevant guidance, to initiate checks where non-compliance is suspected and to monitor suppliers. Managers have a responsibility to ensure that all staff and suppliers are aware of their responsibilities to safeguard Government information.

An IAO checklist for dealing with security incidents can be found on the intranet. Please open the document and refer to section 5.

11. Health and Safety

11.1 Have you identified staff undertaking critical business work and completed the relevant Covid-19 risk assessments? Yes/No

Covid-19 occupational risk assessment and Covid-19 Wellbeing form require to be completed and regularly reviewed.

11.2 Are all of your staff aware of the facility to request home working equipment?

Yes/No  

The Covid-19 Homeworking Equipment mailbox should be used for requests. Guidance on Home Working equipment and set up is on the Intranet.

11.3 Do you have an appointed and trained Health and Safety Liaison Officer and has the role and support provided to staff by the HSLO changed to reflect the current homeworking and hybrid work practices operating across SG? Yes/No  

Health and Safety Liaison Officers perform key health and safety functions which help managers discharge their own responsibilities. In particular, they carry out local health and safety inductions and are the first point of contact for Display Screen Equipment queries.

Homeworking policies have been consulted by managers and workplace assessments completed including the Covid-19 occupational risk assessment and Covid-19 Wellbeing form.

11.4 Do you have a mechanism to keep in touch with staff who work for you both at home and the workplace? Yes/No  

Managers are encouraged to stay connected with staff who are working from home.

12. Sponsored Bodies

12.1 Non-Departmental Public Bodies - Is your area responsible for sponsoring any NDPBs or other bodies? (If not, please ignore the other questions in this section.) Yes/No

Please complete for all of the bodies you sponsor answering each question separately and highlight key points of interest (good or bad).

Guidance can be found in the NDPB Sponsorship Guidance Notes. 

A list of public bodies in Scotland is available on the National Public Bodies Directory. Additional information can be obtained from Public Bodies Unit if necessary.

12.2 National Outcomes - Do the operations, business planning and objectives of the public body align with the National Performance Framework (NPF), National Outcomes and Programme for Government? Yes/No  

The National Performance Framework (NPF) is Scotland’s well-being framework and was refreshed in 2018. The NPF is intended to inform discussion, collaboration and planning of policy and services across Scotland, encompassing the public sector, businesses, civil society and communities. It broadly sets the strategic direction for non-reserved policy areas, which should be aligned to the NPF and National Outcomes, including the work of Public Bodies.

It also represents a closer partnership approach with local government to the delivery of services in Scotland. The approach to setting, reviewing, and reporting on progress towards achieving the National Outcomes is set out in the Community Empowerment Act 2015.

Supporting documents such as the corporate plan, business plan, and framework documents should be in place to enable the sponsor team to develop a shared understanding of the joint priorities to contribute towards the National Outcomes, and to ensure that individual bodies’ corporate communications (including annual report) and engagement strategies fully reflect these.

The Scottish Parliament Budget Review Group (SPBRG) has also recommended that Public Bodies should consistently set out how they plan to contribute towards specific National Outcomes in the NPF in their published corporate and business plans, and report on their contribution to National Outcomes through their annual reports, to support parliamentary scrutiny of their activities and public spending. This means providing public information about the strategic direction and operational delivery of public bodies and how this aligns to National Outcomes and the NPF.

This should include what public spending supports, what this aims to achieve, the contribution it is expected to make to National Outcomes and evidence for this, how plans are being delivered, and the impact this is having.

Do the corporate plan, business plan and annual reports clearly set out how the public body contributes to National Outcomes, with a line of sight to the National Performance Framework, including links to planned spending and specific outputs that are expected and how they contribute to achieving National Outcomes?

12.3 Framework Documents - Is there an up to date Framework Document in place, and published, with your sponsored body, with appropriate arrangements in place to monitor adherence to this? Yes/No  

You should be able to confirm that Framework Documents are finalised or otherwise, that they are up to date, and were subject to proper consultation (including with Public Bodies Unit, your Finance Business Partner (or equivalent) and the Directorate for Internal Audit and Assurance). Details of the steps taken to monitor these areas should also be provided.

Guidance on the role of the sponsoring team is set out in the Model Framework Document for Executive NDPBs and is provided at Annex 3 of the Scottish Public Finance Manual section on Accountability.

Governance structures, processes, systems and controls should be in place to ensure robust financial management and monitoring, and compliance with the Scottish Public Finance Manual.

12.4 Effective Boards - Are you assured that the Board of your sponsored body is undertaking its functions effectively? Yes/No  

The four main functions of public body Boards are:

  • to ensure that the body delivers its functions in accordance with Ministers’ policies and priorities
  • to provide strategic leadership
  • to ensure financial stewardship
  • to hold the Chief Executive and senior management team to account

Boards play a vital role in the accountability chain and therefore it is essential that they have the capability and capacity to perform their functions effectively.

12.5 Has your sponsored body carried out a skills audit (see succession planning guidance and the Gender Representation on Public Boards (GRPB) guidance) and taken steps to build a diverse talent pipeline (shadowing, mentoring, outreach events to support public appointment vacancies)? Yes/No

Boards should ensure that they maximise opportunities to develop and attract diverse candidates that meet the body’s needs and legislative requirements. See the Succession Planning Guidance for Public Body Boards (as published in February 2017) and the Gender Representation on Public Boards (GRPB) guidance. Confidence levels should be shaped by whether:

  • you have carried out a skills audit
  • you have taken steps to build a diverse talent pipeline (shadowing, mentoring, outreach events to support public appointment vacancies)

Guidance given states:

  • designate a person on the board, or have a nominations committee, to take the lead on board appointments
  • map current skills in the board and the skills needed in the future, within the context of the public body’s strategic plan and the board’s role
  • draw up a timeline of when individual board members’ and chairs’ appointments come to an end or are up for renewal and identify action that can be taken to attract a diverse range of candidates (provide shadowing, mentoring, co-opt potential talent)
  • provide opportunities to develop prospective board members, particularly for people from groups that are under-represented on your board
  • take specific and measurable actions to attract women and meet the Gender Representation Objective - see the guidance

12.6 Relationships – Are arrangements in place to support strong, strategic relationships with the public body to ensure effective collaboration in delivering business/corporate plans and do you issue an annual letter of strategic engagement to the Sponsored Body? Yes/No

Sponsorship should always be considered a strategic activity, based on strong relationships characterised by openness, trust, respect and mutual support. The objective is to find ways of working with bodies that engage and empower them in a shared vision and understanding of the strategic environment, while ensuring proportionate arrangements are in place to safeguard public funds and incentivise performance.

Executive Team and Ministers have an agreed approach which has at its core supportive, trusting relationships at a senior level; an appropriate place for the SG in the accountability chain – Ministers holding Chairs to account for the actions of Boards, Boards holding Executives to account for performance - and ensuring proportionate arrangements to safeguard public funds and incentivise performance; and a greater focus on strengthening the Boards and Accountable Officers of public bodies through induction and on-going support.

As part of this, Ministers also agreed revised pay policy and procurement controls. The importance of sponsorship and the relationships between sponsors and public bodies is seen as being crucial in empowering public bodies to deliver outcomes.

It would be helpful if Sponsor Teams could provide some information, commenting specifically on their experiences from adopting this approach to sponsorship.

12.7 Finance – Does your sponsored body demonstrate financial capability by providing accurate and timely financial monitoring and forecasting information to the Scottish Government and do you review financial information and liaise with corporate finance colleagues in line with deadlines? Yes/No

Sponsorship Teams and Public Bodies should be aware of formal responsibilities they hold over the stewardship of public funds, considering: SPFM, Audit Committee Handbook, The Public Sector Internal Audit Standards (PSIAS), Financial Reporting Manual (FReM), and the relevant NDPB Model Framework Document, Budget Allocation and Monitoring Letters. Other requirements relevant to Sponsorship Teams and Public Bodies include:

  • sponsorship teams and public bodies should work closely in overseeing the management and use of public monies
  • Model Framework Documents should cover the arrangements for funding the body and the conditions attached to the use of those funds
  • the Accountable Officer and the Board should ensure that the public body has in place appropriate systems to support their financial responsibilities
  • ensure appropriate systems are in place for managing risks and that these are escalated appropriately
  • check that systems are in place for internal and external audit, an audit committee is in operation and that arrangements are in place for producing a statement on internal control
  • ensure that arrangements are in place for the body to provide regular high quality budget monitoring and forecast information as required by Financial Management Directorate and, with support from Finance Business Partners (or equivalent), review annual accounts
  • co-operate with any enquiries initiated by the Auditor General for Scotland or by the Public Audit and Post Legislative Scrutiny Committee of the Scottish Parliament

12.8 Finance - Do you have year-end procedures in place to ensure all Annual Accounts returns are completed by your sponsored body in a timely and accurate manner? Yes/No

There are various returns due to Finance as part of the annual accounts process. You should have procedures in place to ensure that information requested can be provided to Finance in an accurate and timely manner. Information requested will be used to ensure income and expenditure are recorded in the appropriate financial year and that any assets or liabilities of the Scottish Government are reviewed and appropriately accounted for. This includes consideration of committed and contingent balances.

12.9 Fair Work - Is your sponsored body an exemplar as a Fair Work employer: demonstrating commitment to fairness through being an accredited Living Wage employer, promoting equality, youth employment, engagement and workforce development and working to deliver the Fair Work Convention’s Fair Work Framework? Yes/No

Is your sponsored body an accredited Living Wage employer and if not when does the body envisage this will be reached? For example, you may wish to check if the body is an accredited Living Wage employer; has it got an invest in youth plan with stretching targets to recruit and develop young people (e.g. recruiting Apprentices); runs an employee engagement survey and takes action on the results; works in positive partnership with trades unions. How have you used procurement policies to encourage the living wage and youth employment in your supply chain?

The Equality Action Plan for Apprenticeships aims to ensure that our Apprenticeship family is open to all in our society. You should look to provide some detailed examples of how your sponsored body (as an employer) is taking action to tackle equality issues and any information that it has taken to register as a living wage and/or carer positive employer.

Please provide information which will highlight the actions your sponsored body has been doing to support Youth Employment.

As an example, a public body organisation is a disability confident employer, carer positive employer, IYP Gold award employer and a Stonewall Top 100 employer. They are ambitious about diversity and inclusion. They encourage applications from the right candidates regardless of age, disability, race, sex, gender identity, sexual orientation, pregnancy and maternity, religion or belief.

They may also have published an Apprenticeships Equality Action Plan annual report outlining progress and the focus for activity in 2021-22.

12.10 Assurance – Regarding Major Investment(s), has your sponsored body engaged with the appropriate authority and recorded all relevant projects with the appropriate authority? If the answer is yes you should provide information of what investments the public body has and if there is evidence that they have assessed them against the criteria for major investments (including Construction, Infrastructure and IT investments) in the SPFM? Yes/No  

Systems should be in place to ensure all business cases are assessed.

For all Major Investments as defined in the Scottish Public Finance Manual, a Risk Potential Assessment Form should be completed and submitted to the SG’s Portfolio, Programme and Project Assurance Hub.

For investment in projects containing IT or digital elements:

  • integrated Assurance and Approval Plans should be completed for projects by your sponsored body
  • projects should be registered on the Project Register, held by the Digital Assurance Office
  • further advice can be found on the Technology Assurance Framework or by emailing Digital Assurance Office

For construction and infrastructure projects:

  • projects should be registered on the SG’s Infrastructure Projects Database if they have an Outline Business Case prepared and a total capital investment of £5 million or more

12.11 Fraud - Does your sponsored body have effective arrangements to counter fraud (including Cyber Fraud), bribery and corruption through a well communicated counter fraud policy, an up-to-date fraud action plan and effective avenues for reporting suspicions of fraud? Yes/No

Processes should be in place to ensure that policies for fraud response are consistent with SG guidance, including a review of current fraud response activity, whilst ensuring robust reporting procedures have been adopted by sponsored bodies.

Further information can be found in the Fraud section of the SPFM and the SG Counter Fraud Strategy, Policy and Response Plan and Protecting Public Resources guidance.

12.12 Procurement - How does your sponsored body use public procurement to support a green recovery and wider climate and circular economy ambitions through procurement, embedding climate considerations in organisational procurement related activities? Yes/No

See Guidance on Protecting Scotland’s Future Chapter 1

Contact procurementcapabilityenquiries@gov.scot (Scottish Procurement and Property Directorate (SPPD)):

  • 0141 242 0229
  • 0782 409 7780

A Fairer, Greener Scotland: Programme for Government 2021-22 - sets out Scotland's ambitions in relation to contribution to climate change, and to restore nature and enhance our climate resilience, in a just and fair way.

Scottish Procurement Policy Note (SPPN) 1/2021 - clarifies expectations with respect to climate and circular economy considerations, aligning climate change reporting duties and current procurement policy and legislation which already requires public bodies to consider and act on opportunities to improve environmental wellbeing. This policy note highlights that public bodies should use their public procurement spend to support climate and circular economy ambitions.

Taking account of climate and circular economy considerations in public procurement: SPPN 1/2021

Sustainable Procurement Tools - These tools have been designed to help public sector organisations identify and address how they can optimise the economic, social and environmental outcomes of their procurement activity.

Training - The Sustainable Procurement Tools platform includes access to Climate Literacy eLearning, which comprises 3 modules: The Climate Challenge; Responding to the Challenge; and Taking Action. The demand-led product is designed to encourage and assist public bodies to take account of climate and circular economy in their procurement activity.

12.13 Procurement - What measurable improvements has your sponsored body made to contract management?    

Contact procurementcapabilityenquiries@gov.scot (Scottish Procurement and Property Directorate (SPPD)):

  • 0141 242 0229
  • 0782 409 7780

Organisations should build into their contract management activities sufficient checks to ensure suppliers are meeting their contractual obligations.

The purpose of Contract and Supplier Management is to work closely with suppliers and internal customers to:

  • minimise the total cost of ownership
  • maximise Supply Chain efficiencies throughout the life of the contract

Further details on Contract and Supplier Management and associated Managing and Improving Performance principles can be found on the Procurement Journey: Contract and Supplier Management.

12.14 Property – How do you ensure your sponsored body plans strategic matters and consults the Property and Construction Division at least six months in advance of any proposed changes or additions to their estate as per SPFM guidance?

For example, do you ensure your sponsored body plans strategic property matters and consults Property and Construction Division in accordance with the SPFM guidance when required?

Contact PropertyandConstructionDivision@gov.scot and PropertyControls@gov.scot

Guidance can be found in the sections on property, construction procurement and best value in the Scottish Public Finance Manual, and also in the Client guide to construction projects (both on www.gov.scot).

13. Compliance

13.1 Do you have processes in place to ensure compliance with applicable existing, new and updated policies, procedures, laws and regulations – including those referred to separately in this Checklist e.g. the SPFM and any other required Impact assessments outlined on Saltire in relation to Policy Development? Yes/No

Processes might refer to desk instructions, local checklists, retention schedules and/or periodic management checks e.g. relating to the existence of statutory authority for expenditure and the holding/provision of information under the Data Protection and Freedom of Information Acts. The level of response should reflect the work of the Division. (Guidance on Data Protection responsibilities and FOI is available on the Intranet.)

13.2 Do you have appropriate arrangements in place to ensure staff are appropriately trained and supported to handle FOI and EIR requests in line with legislative requirements? Yes/No

Processes might refer to desk instructions, local checklists, retention schedules and/or periodic management checks e.g. relating to the existence of statutory authority for expenditure and the holding/provision of information under the Data Protection and Freedom of Information Acts. The level of response should reflect the work of the Division. (Guidance on Data Protection responsibilities and FOI is available on the Intranet.)

13.3 Are your staff appropriately trained and aware of their Data Protection and information security responsibilities?

Yes/No

Training for Data Protection and Information Security is available on Pathways.

14. Review

14.1 How confident are you about the robustness of your arrangements for reviewing and improving the effectiveness and efficiency of controls in your area, and are you satisfied that controls in your area support your objectives? Yes/No  

You should be reviewing internal controls in your area at appropriate points in time e.g. when processes change or operational shortcomings come to light.

Has anything happened during the course of the financial year that has raised questions about the controls that you have in place? E.g. has the running of the regular financial monitoring exercises suggested any shortcomings? Have there been any particular queries that may lead to doubts about how the controls are operating?

(Guidance on internal controls is provided in the main section of the SPFM on Certificates of Assurance.)

14.2 How confident are you that you have a comprehensive picture (e.g. through an Assurance Map) of the sources of evidence underpinning your assessment of controls? Yes/No  

You should be reviewing internal controls in your area at appropriate points in time e.g. when processes change or operational shortcomings come to light.

Has anything happened during the course of the financial year that has raised questions about the controls that you have in place? E.g. has the running of the regular financial monitoring exercises suggested any shortcomings? Have there been any particular queries that may lead to doubts about how the controls are operating?

(Guidance on internal controls is provided in the main section of the SPFM on Certificates of Assurance.)

14.3 Where objectives, risks and controls in your area have been subject to independent review, how confident are you that recommendations arising from these reviews have been acted on in a timely fashion? Yes/No  

You should provide details of any key weaknesses identified and the steps taken to resolve these. How confident are you that you and your staff are sufficiently aware of the types of independent review (e.g. Internal Audit, independent assurance and Gateway Review, ICT Assurance Review, Digital First Review, review by external consultants) to support your assurance, and of how to access them?

14.4 Based on the assurances you have of whether your objectives, risk management and internal controls are being met and operating successfully, are there any key areas that would benefit from independent review? Yes/No    

15. Other Issues

15.1 Apart from the issues raised above, are there any significant control matters or contentious issues arising in your area which could impact or adversely affect the signing of the Scottish Government Governance Statement by the Permanent Secretary? Yes/No

Provide here details of any other control problems, specific to your area of responsibility, which you have encountered during the year.

Page updated: February 2022