Publication - Advice and guidance

Scottish Public Finance Manual

Last updated: 31 March 2025 - see all updates
Directorate: Financial Management Directorate
Topic: Money and tax, Public sector

The Scottish Public Finance Manual (SPFM) is issued by the Scottish Ministers to provide guidance on the proper handling and reporting of public funds.

Supporting documents

Annex 2: internal control checklist

Certificates of assurance: Annex 2 - Internal Control Checklist

The Contents of the internal control checklist are as follows:

Section

Risk management
Business planning
Major investment
Project management
Financial management
Fraud
Procurement
Human resources
Equality and diversity
Information
Health and safety
Sponsored bodies
Compliance
Review
Other

1. Risk Management	Guidance Notes	Response	Details/Verification
Risk Management 1.1 Risk Management Governance – How confident are you that the arrangements for the identification and management of risk in your area are defined, implemented, integrated, and embedded into your routine ways of working?	Guidance Notes Your area’s approach to risk management should be defined and easily understood by all colleagues within your team. It is vital that there is a supporting structure and governance in place to ensure that the identification and management of risk happens as part of the way your team works. As a minimum, the structure for risk management will be defined at directorate level but, depending on the size and scale of your area, it may also be defined at lower levels e.g. divisions. A ‘substantial’ level of confidence would look like: a risk management approach or protocol document that sets out how risk is identified, reported and discussed within the area, with references to SG risk guidance roles and responsibilities for the identification and management of risk are defined risk management activity is pinned to existing governance processes including management meeting cycles, reporting activity, etc. links identified between risk management activity and other good governance activity e.g. delivery planning, project management, financial management, people management with outputs from these activities feeding into the identification of risks or supporting risk assessments (scoring), controls and actions planned activity and decisions around how risks are escalated and de-escalated are defined the appointment of a risk champion for your directorate to support the implementation of risk activity on behalf of your Director consideration given to proportionality to ensure risk management activity is in line with the size, scale and scope of the area (The SG Risk Guide section, Before you Begin: Risk Management Governance, is available on the intranet. General guidance is available through Risk Management in the SPFM.)	Response	Details/Verification
Risk Management 1.2 Objectives and Risk Identification - To what extent are you satisfied that there are processes in place to identify and manage risks to the delivery of your area’s business plans / priorities / objectives and that this information is reviewed on an on-going basis?	Guidance Notes Your objectives should be the focus of any risk management information; risk identification needs to be undertaken with a clear strategy and clarity of purpose using a systematic method to ensure a complete risk profile is articulated. Risk identification is an important part of business/project planning, managing performance and prioritising effectively. A ‘substantial’ level of confidence would look like: a clear set of defined objectives or priorities including alignment to the Programme for Government periodic formal risk identification sessions using a simple systematic tool for the identification of risk e.g. PESTLES or SWOT to identify both risks related to the delivery of policy / objectives as well as capability risks related to how colleagues work regular, informal identification of risk throughout the year that considers and responds to the current and changing environment utilising diverse perspectives from stakeholders, your teams, division, directorate, project, or programme and think about what arrangements are in place in your area to ensure that risk information is supporting your decision–making using other risk assessment tools such (e.g. Health and Safety risk assessments, security risk assessments, information asset risk assessments, counter fraud risk assessments) or Impact Assessments (e.g. Equality, Local Government, Business) to identify new or changing risks related to specific activities or specialisms consideration of risk and objectives/priorities beside each other alongside other delivery or performance information using available sources of data to support risk identification and prioritisation onducting regular ‘deep dive’ activity on risks where there are concerns that the risk is not correctly articulated or being managed effectively annual, full-scale review of identified risks to ensure they remain fit for purpose and aligned to your area’s objectives / priorities. (The SG Risk Guide and Supplementary Guide: Identifying Risk are available on the intranet. General guidance is available through Risk Management in the SPFM.)	Response	Details/Verification
Risk Management 1.3 Risk Culture – How confident are you that risk management is activity embedded within your area’s normal ways of working and valued as an important aspect of how you deliver on your objectives or priorities?	Guidance Notes Having a clear understanding of why risk management is important and how risk management processes work within your areas is vital to ensuring that risk is actively identified and managed. Risk management activity should be led from the top and delivered by branch heads and team leaders. A substantial level of confidence would look like: deputy directors, branch heads and team leaders understand their responsibilities and are actively involved in the identification and management of risk the Risk Champion(s) within your directorate are known and utilised to support the development of your risk management approach all risks, once identified, are assigned to an owner who has responsibility for ensuring that the risk is managed and monitored over time colleagues at all levels have a clear understanding of the current risk landscape, are empowered to identify, and raise risks for discussion and emerging risks are recorded. Risk management is viewed as a continual learning process, good practice is shared and communicated allowing your teams to benefit from lessons learned in a project or programme risk is discussed as a regular part of management/senior team discussions, lines of communication are clearly articulated and documented to ensure that relevant teams and colleagues are informed of further action, escalation, and the general outcome of discussions risk escalation routes are clearly documented, and risk discussion forms a part of formal (and informal) management and team meetings, with information communicated in both directions to ensure common understanding and feedback on risk matters feedback is provided and risk information is made available at all levels of your area so that colleagues understand what is happening and how risks are being managed. the effectiveness of risk management arrangements and the use of risk management within your area is reviewed periodically and subject to continuous improvement, this may be led within your area and/or a directorate level (The SG Risk Guide and Supplementary Guides for Roles and Responsibilities and Recording, Reviewing, Reporting and Escalating risk are available on the intranet. General guidance is available through Risk Management in the SPFM.)	Response	Details/Verification
Risk Management 1.4 Risk Learning - How confident are you that all staff have undertaken basic risk management training in your area and understand their role in the identification and management of risk?	Guidance Notes Ensuring all staff have the right level of skills and training to ensure effective engagement with the risk management process is key. Everyone in the organisation has a role in helping to identify and manage risks, therefore it is essential that all staff have a basic understanding of risk management policy and process. All staff but especially those who lead risk management activity should have some risk management training to ensure a base level of knowledge of the corporate processes. Confidence levels should be shaped by: all staff within the core SG should have at minimum completed the mandatory SG Risk Management eLearning, your confidence level should reflect the published stats for your area (these can be obtained from your risk champion) key staff with particular responsibility or interaction with risk management have been identified within your area colleagues with particular responsibilities for risk management should have identified where they may require further training, learning or support as part of their development plan (in line with SG performance management guidance) OR be able to demonstrate that they have undertaken further training / learning or have appropriate levels of experience in risk management on the intranet Risk Champions have completed appropriate learning as set out in the SG Risk Champion Role Profile and Support Model on section five of Risk Management intranet pages where your area has project managers, they have (or are working towards) relevant qualifications or certifications in project management skills, including in relation to risk management where necessary, key staff may have undertaken equivalent training from external training providers such as CIPFA, the Institute of Risk Management (IRM) or Management of Risk (MoR) qualification to improve risk management across the area, lessons learned exercises are undertaken to learn from perceived failures (e.g., an unforeseen risk or a crystallised risk which turned out more damaging than expected) and instances where risks have been managed well, to see whether there is anything to be gained by repeating effective techniques elsewhere output from Risk Management Maturity Exercises or Internal Audit reviews that have been accepted and implemented. Information on the implementation of risk maturity recommendations can be sought from your directorate risk champion (The SG Risk Guide is available on the intranet. General guidance is available through Risk Management in the SPFM.)	Response	Details/Verification
Risk Management 1.5 Recording and Reviewing Risk – How confident are you that risk management activity in your area is recorded, reviewed, reported, discussed, and, where required, escalated to the appropriate level?	Guidance Notes Good risk management means documenting and assessing identified risks, implementing controls and actions to reduce risks to within agreed levels. Risk documentation must be reviewed regularly to ensure that appropriate action is being taken and progress documented as well as new risks identified. Risk Registers should be a dynamic means of recording risks, reporting on risks should be undertaken on the basis of proportionality (i.e. with recognition of the size and scale of your team) and include analysis and ask key questions of risk owners – it should not always be a review of the risk register. Confidence levels should be shaped by: risks to the delivery of your area’s objectives are recorded on a risk register that you hold within your area or that is held at directorate level and is done so in line with SG Risk Guide. Risks are reviewed with a regularity that is proportionate to the size, scale and complexity of your area’s deliverables and that the frequency of review is reconsidered throughout the year to ensure it remains proportionate risk information forms part of wider management information and is considered alongside other forms of assurance reporting, e.g. financial information, delivery progress, performance, people information consideration is also given to specialist risk areas or the output of any impact assessments or risk assessments (e.g. EQIAs, health and safety, counter fraud) to ensure that risks in these areas are also considered, recorded centrally and discussed regularly you routinely looking across your risk landscape and perform deep dives on key risks in larger / more complex areas, risk reporting is used to target risk discussions and highlight key risks for management attention, including discussions and scrutiny of with controls, actions, target scores and dates processes in place to escalate key risks ensuring effective communication, increasing awareness of the risk, and highlighting where more senior supportive action is needed – this might be from your team / divisional level to directorate or from your directorate level up to your DG SMT lines of communication are in place to ensure that relevant teams and colleagues are informed of further action, escalation, and the general outcome of discussions decisions are informed by the risks held in your area and consideration given to the impact that decisions might have on other risks that you hold (or that might give rise to new risks) (The SG Risk Guide and Supplementary Guide: Recording, Reviewing, Reporting and Escalating risk are available on the intranet. The Standard Risk Register Template is also available on the intranet. General guidance is available through Risk Management in the SPFM.)	Response	Details/Verification
Risk Management 1.6 Risk Appetite - How confident are you that the SG’s Risk Appetite approach (and any DG level guidance) is considered when identifying and managing your area’s risks.	Guidance Notes Risk appetite is a key component of risk management as it articulates the level of risk that the organisation is willing to accept in pursuit of its objectives. Risk appetite statements have been articulated at SG level for the broad categories of risk included in SG risk register templates. Some DGs have decided to articulate separate appetite statements for some of the categories to provide specific advice within their own area. A substantial level of confidence could look like: colleagues across your area and, in particular, risk owners are aware of and have a clear understanding of the concept of risk appetite and the SG’s approach to risk appetite and levels for each risk category similarly, where DG-specific appetite statements have been articulated, there is an awareness and understanding of these statements and the levels set for the DG (if different) risk appetite levels are used to help identify risks that may need to be recorded on risk registers (e.g. where the level of risk associated with a particular risk category is higher than the agreed appetite level) risk categories are correctly applied to each risk in your risk register or risks that you own on directorate or other risk registers in operation within your area / the SG target risk scores are informed by risk appetite levels and controls / actions identified to bring the risk down to the agreed level of appetite where the appetite level cannot be achieved, this is the subject of discussion at management or leadership meetings to identify additional actions, to support decision making and/or to determine whether the risk should be escalated to the next level for more senior discussion and oversight (The SG Risk Guide and Supplementary Guide: Risk Appetite are available on the intranet. The SG’s approach to risk appetite is set out in the SG Risk Appetite Pack on eRDM. General guidance is available through Risk Management in the SPFM.)	Response	Details/Verification
2. Business Planning	Guidance Notes	Response	Details/Verification
Business Planning 2.1 How confident are you that your business objectives are clear and relate to the high priority business objectives of your division (linked to National Outcomes) and that you can demonstrate their connection to those articulated within your Directorate business plan?	Guidance Notes You should have clear business objectives which are linked to key National Outcomes as outlined in the National Performance Framework and where appropriate the Programme for Government as early as possible in the process so that appropriate advice can be provided. Business plans should be refreshed on a one-year cycle but should include indications of how the business plan will develop over the following two years. Business Plans should also inform risk management information. Confidence levels should be shaped by: your business objectives/SMART targets are reflected and documented in the Divisional Plan and via staff performance appraisal forms at all levels as appropriate plans provide a clear link (golden thread) to your Directorate’s Plan, provide a clear set of priorities and are deliverable within your agreed budget and workforce allocation.	Response	Details/Verification
Business Planning 2.2 How confident are you that your objectives have been translated into short, medium and long term measurable targets of both Business-as-Usual service delivery (e.g., FOI performance) and Scottish Government priorities (e.g., Programme for Government deliverables, against which performance and progress are measured)?	Guidance Notes New initiatives or spend, or changed systems should normally be discussed with Finance, Procurement and Internal Audit colleagues before proposals are finalised. New property requirements should be discussed with Property and Construction Division for advice. For change initiatives managed as projects or programmes, section 3 (major investment) or 4 (projects) should be completed. The Approaches and methodologies toolkit provides some guidance on the difference between Business as Usual and projects. Teams should utilise the AO templates for spending decisions per approval limits. The Strategic Organisational Change Division can advise colleagues planning to undertake change and improvement work aligned to the In the Service of Scotland improvement priorities, and signpost colleagues additional supports available within the Scottish Government. (Guidance on the Role of Finance is available on the intranet and the SPFM. General guidance on Procurement and Internal Audit is also available in the SPFM.)	Response	Details/Verification
Business Planning 2.3 How confident are you that there are clear plans for how your division will contribute to Directorate change and improvement plans – aligned with the In the Service of Scotland vision, values and improvement priorities?	Guidance Notes This question seeks to find out if the relationship between inputs, outputs and outcomes is being applied in developing business and staff performance measures. Our vision - 'In the Service of Scotland' - provides a strategic framework to help direct our change and improvement activity to enable the organisation to operate successfully in an uncertain and evolving world. Additionally, guidance on Performance Management is available on the intranet.	Response	Details/Verification
Business Planning 2.4 How confident are you that you regularly receive timely, relevant, and reliable reports on progress and performance against key indicators and targets alongside your risk information and take corrective action where necessary?	Guidance Notes This could take the form of regular reports prepared for consideration at progress meetings or updates provided in the context of regular meetings with managers. Corrective action might involve the reprioritisation/reallocation of resources (budgets and staff) and the reordering of key business priorities.	Response Confidence Levels	Details/Verification
Business Planning 2.5 How confident are you that your business plan informs your financial, people, and operational plans and prioritisation?	Guidance Notes This could be demonstrated whereby the business plan is used as a reference document when considering new requests that come in to identify opportunity cost and prioritisation advice. There should be a connection between the items in the business plan and assumptions for finance, people and operational decision making – whereby delivery identified within the business plan has resource allocated within financial and people plans, and operational plans about where people are deployed to accommodate the deliverables and schedule within the business plan.	Response	Details/Verification
Business Planning 2.6 Do you have a business continuity plan for the critical functions of your business area, as identified through a business impact analysis, that has been reviewed, updated and exercised in the last year?	Guidance Notes Every directorate should have a business continuity plan. Every division must ensure their functions are reflected in the directorate plan or in their own divisional plan, if appropriate. The plan should describe how essential business across the directorate would carry on in the event of disruption to staff, building access, systems such as information communications technology (ICT), data or organisations you depend on (such as suppliers). These plans should include robust communication (e.g., sign up to GroupCall as well as local business area arrangements) and incident management arrangements. A business impact analysis should be used to determine the critical functions of the directorate and the maximum tolerable period of disruptions and recovery time objectives for these functions. It should identify what is required to carry out those functions (staff, buildings, systems including ICT, other organisations such as suppliers). Plans should be reviewed, updated and exercised at least annually or more frequently to accommodate change in: personnel; responsibilities; priorities; working practices; processes; procedures; the external and internal operating environment; to apply lessons learned. Guidance and support for local business continuity planning activities can be requested from the Security and Business Continuity Unit.	Response	Details/Verification
Business Planning 2.7 Do you have disaster recovery plans in place for serious disruption to ICT systems for which you are responsible?	Guidance Notes Disaster recovery plans should aim to prevent or minimise data loss and business disruption from serious disruptions to your ICT systems. Providers of services have a responsibility to ensure that plans are in place for dealing with systems failure, including both to continue to provide critical services to users and to recover affected systems. Plans should take into account the recovery time objectives and recovery point objectives identified through a business impact analysis. Your recovery plans should be tested regularly to ensure they are fit for purpose and meet your needs in the event of a loss or disruptive event.	Response	Details/Verification
3. Major Investment	Guidance Notes	Response	Details/Verification
Major Investment 3.1 Has your area been responsible for the initiation or delivery of one or more major projects or investments during the past financial year?	Guidance Notes Major investments are defined in the Major Investment Projects section of the Scottish Public Finance Manual (SPFM) but can also be defined as initiatives: have a total anticipated whole-life (capital or revenue) cost of £5 million plus inclusive of fees and VAT or is above your delegated authority limits or could create pressures leading to a potential overspending on portfolio budgets or would entail contractual commitments to significant levels of spending in future years for which plans have not been set or could set a potentially expensive precedent or will be challenging to deliver within existing resources and capability and/or represents a material level of expenditure and/or will have a material ongoing financial impact or is novel, and/or contentious and/or complex, or could impact on the delivery of a Programme for Government commitment or requires primary legislation All Major Investments must adhere to the guidance in the SPFM, and its key principles should be adopted in relation to all investment projects. Any property and construction procurement requirements should be addressed at least one year in advance of budget planning and advice sought from Property and Construction Division. Engaging with Property and Construction Division as early as possible in the process is recommended.	Response	Details/Verification
Major Investment 3.2 How confident are you that your project’s governance arrangements align with the Scottish Government’s strategy and sector specific governance procedures?	Guidance Notes Relevant procedures include the following: declaring all new major investments to the Portfolio, Programme and Project Assurance Hub by means of the submission of a completion of a Risk Potential Assessment form (see question 3.3) issuing the SRO (Senior Responsible Owner) with an appointment letter, confirming their responsibilities and the aims, objectives, timescales, and funding arrangements for the project putting arrangements in place to address each of the SG’s Programme and Project Management (PPM) Principles. Information to help with this can be obtained from the PPM-CoE for construction and infrastructure projects, complying with the guidance in the Client Guide to Construction Projects. Further guidance and support are available from the Scottish Government’s Construction Procurement Policy Unit for IT and digitally enabled projects, registering the project with the Digital Assurance Office and complying with the Technology Assurance Framework; including compliance with the Digital Scotland Service Standard for new digital public services and Scottish Government corporate systems	Response	Details/Verification
Major Investment 3.3 How confident are you that you have assessed your project(s) in line with the SG’s assurance procedures and engaged with the appropriate assurance process?	Guidance Notes Relevant procedures include the following: submitting the completed Risk Potential Assessment to the SG’s Portfolio, Programme and Project Assurance Hub for review of your project’s assurance needs actively engaging with corporate assurance providers, taking advice on board, and promptly acting on review recommendations major infrastructure projects over £20 million in value, or of critical importance/unusual scale or nature to the procuring organisation, or revenue funded, or procured through competitive dialogue, may require Key Stage Reviews (KSRs) during key procurement stages - KSRs are undertaken by the Scottish Futures Trust	Response	Details/Verification
Major Investment 3.4 How confident are you that you have an up-to-date case for change (e.g., business case) that is appropriate for the stage in the project life cycle you are in, demonstrating continued strategic alignment, viability and value adding, and providing business justification for each project?	Guidance Notes You must be able to demonstrate the on-going justification of the need for your project and should regularly review the case for change to ensure its currency. Your business case should encompass relevant data from impact assessments, benefit measures, delivery approaches and optimism bias to allow a proportionate evaluation. For projects including a procurement element, you must also be able to demonstrate compliance with the Procurement Section of the SPFM. For construction and/or an infrastructure project, you must be able to demonstrate compliance with Client Guide to Construction Projects. Further guidance and support are available from the Scottish Government’s Construction Procurement Policy Unit. For property requirements, you must be able to demonstrate compliance with the Property Section of the SPFM. Further guidance and support are available from Property and Construction Division who should be contacted as early as possible in the process.	Response	Details/Verification
Major Investment 3.5 How confident are you that you have assessed your capability and capacity to deliver your project(s) and are you aware of when you need specialist resources and how to secure the specialist resource?	Guidance Notes The SRO (Senior Responsible Owner) must be appointed at the earliest possible stage of the project. Clear roles and responsibilities should be assigned, and levels of delegated authority should be clearly identified and agreed. These should be documented in formal letters of appointment between the Investment Decision Maker and the SRO and between the SRO and various post holders within the Project Management Structure. You should ensure that people appointed to positions within the project’s governance and management structure have the skills, experience, and knowledge necessary to fulfil their role, using existing performance management and PLP arrangements in accordance with question 8.1. All major projects should have undertaken a PPM Maturity Self-Assessment, and these should be reviewed periodically, where additional assurance of capacity or capability is required, an early capability checkpoint review is available from the Portfolio, Programme and Project Assurance team. You should have engaged with relevant professions or cross-functional teams in the planning and scoping stages of your project to ensure they can help inform opportunities and risk assessments at the earliest opportunity to maximise successful outcomes. For example, have you engaged with the following for advice and guidance, and, to embed their expertise in your planning, business case and risk & impact assessment, enabling a whole system approach. Finance Business Partners on funding, budgetary or grant management considerations the Scottish Procurement and Commercial Directorate on driving commercial and sustainable outcomes through procurement, commercial and/or property projects Digital DATS on digital and agile skills and approaches People Directorate on HR considerations Economists, Legal, etc as required Internal and external specialist resources required for the successful delivery of the project should be identified and secured at planning stage. For consultants, you must comply with the Scottish Government Consultancy Procedures in accordance with COA question 7.5.	Response	Details/Verification
Major Investment 3.6 How confident are you that you have put all necessary arrangements in place to assess the realisation of benefits and capture lessons from the delivery of your project(s)?	Guidance Notes Necessary arrangements include: ensuring that benefits are identified, plans for the realisation of benefits are put in place, and delivery of benefits is measured to demonstrate that the intended return on investment is being achieved. The IPA has published a “Guide on Effective Benefits Management in Major Projects” capturing lessons during the project lifecycle and sharing as appropriate. The Lessons Toolkit provides some guidance on how to capture lessons formal contract management arrangements should be put in place, where appropriate including the identified benefits, and implementing the SG’s contract management handbook guidance including recording, monitoring, and reporting KPIs Ensuring that: carrying out a Post Project Review to establish how well the project was managed and benefits realised is carried out (Gate 5 Review – Operations Review and Benefits Realisation) post Implementation Reviews (also known as Post Occupancy Reviews for construction projects) to establish if the original project objectives are being achieved are carried out. This review is likely to be repeated all feedback is used to inform future project delivery	Response	Details/Verification
4. Project Management	Guidance Notes	Response	Details/Verification
Project Management 4.1 Has your area been responsible for one or more projects - other than major investment projects – during the past financial year?	Guidance Notes This section covers all projects and investments not covered by the SPFM definition of a major investment project, including digital, business transformation, infrastructure and/or new or changing policy or legislative programmes. The Programme and Project Management Centre of Expertise (PPM-CoE) library of support provides a range of guidance and support to help you provide a proportionate approach to project delivery.	Response	Details/Verification
Project Management 4.2 How confident are you that your project’s governance arrangements align with the Scottish Government’s strategic and sector specific procedures?	Guidance Notes Projects should take a proportionate approach to employing an enabling governance regime based on the principles contained within the major project section of the SPFM. Scottish Government’s Principles for Programme and Project Management set out a framework of activities that should be embedded to enable and control projects.	Response	Details/Verification
Project Management 4.3 How confident are you that you assessed your project(s) in line with the Scottish Government assurance procedures and engaged with the appropriate assurance process?	Guidance Notes Relevant proportionate procedures include the following options: completing the Risk Potential Assessment Forms, available from SG Portfolio, Programme and Project Assurance Hub, to determine the potential complexity and risk of your project(s) and submitting to the SG’s Portfolio, Programme and Project Assurance Hub submitting the completed RPA to the SG’s Portfolio, Programme and Project Assurance Hub engaging in peer review of your projects or aspects of it registering the project with the Digital Assurance Office and complying with the Technology Assurance Framework; including compliance with the Digital Scotland Service Standard for new digital public services and Scottish Government corporate system	Response	Details/Verification
Project Management 4.4 How confident are you that you have an up-to-date case for change (e.g., business case) demonstrating continued strategic alignment, viability and value adding, and providing business justification for each project?	Guidance Notes All projects should articulate an accurate and up-to-date justification, proportionate to the size of the investment. The five cases of the UKG’s Treasury Model should be identifiable though the document may vary in size and complexity.	Response	Details/Verification
Project Management 4.5 How confident are you that you have assessed your capability and capacity to deliver your project(s), knowing when you need specialist resources and how to secure the specialist resource?	Guidance Notes Projects should not be entered into without a viable route to the appropriate capacity and capability to deliver in line with the Management Case of the above model. All projects and project areas are encouraged to undertake a regular PPM Maturity Assessment and plan activities required to close any gap between actual and desired/targeted PPM maturity.	Response	Details/Verification
Project Management 4.6 How confident are you that you have put all necessary arrangements in place to assess the realisation of benefits and capture lessons from the delivery of your project(s)?	Guidance Notes Benefits should be specifically described, and measurements applied, and then actively managed to ensure the purpose of the investment can be adequately justified before and during delivery, then measured and assessed post-project, and maximum value can be achieved from the investment. Projects are learning organisations, and they should put proportionate arrangements in place to identify and gather knowledge to improve their delivery and the delivery of other projects across the SG.	Response	Details/Verification
5. Financial Management	Guidance Notes	Response	Details/Verification
Financial Management 5.1 How confident are you that you ensure a documented business case has been prepared for all policy proposals and that your Finance Business Partner (or equivalent) and (as necessary) Scottish Procurement and Property Directorate SPPD and Internal Audit and Assurance Directorate is involved at the earliest possible stage in its preparation where there are resource, control, procurement, property or other finance related implications. Are they kept informed of developments?	Guidance Notes Finance should also be consulted on any novel or contentious spending proposal, in line with the requirements outlined within Financial accountability and assurance guidance on the intranet and any matter which includes issues of financial propriety and regularity. The need to consult Finance might also be included in induction material and local desk instructions. We recommend that the relevant UK guidance such as the Green Book is also consulted as part of any policy proposal alongside the SG approach to Risk Management. Where appropriate, further guidance and support on property matters is available from Property and Construction Division who should be contacted as early as possible in the process.	Response	Details/Verification
Financial Management 5.2 How confident are you that you follow finance policies and procedures, about how financial matters are handled within the area, including guidance to ensure that proper and accurate accounting records are maintained and entries in them are properly authorised? Are processes in place for regular monitoring of compliance with these instructions?	Guidance Notes Central policies and procedures and the key principles of the SPFM should be followed. Instructions should be in place covering the arrangements for entering into commitments and for approving and processing the resultant payments, including VAT – and ensuring adequate separation of duties. This may also cover other matters such as delegated authorities, budget monitoring procedures and the requirement to consult Finance on all proposals that may have resource or other finance related implications. If appropriate, local instructions should be in place for any specific exceptional processes relevant to your particular area, if not already covered in central guidance and systems above. Monitoring of compliance should be supported by regular management checks and the consideration of financial matters at regular meetings with your managers. The response to this question needs to reflect both the provision of information needed for accounting purposes and for cash management purposes. The response should also take into account the controls in place within your area to ensure that adequate authorisation controls are being adhered to.	Response	Details/Verification
Financial Management 5.3 How confident are you that all staff that have budgetary responsibility have written delegated authority and the appropriate skills and training to discharge their responsibilities for managing public money?	Guidance Notes Delegated financial authority (i.e., where members of your staff have full responsibility for budgets and take decisions without having to refer upwards) will not be appropriate in many divisions but where it is you should provide details of the broad arrangements e.g., set out in desk instructions, financial responsibility statements. This is separate from Delegated Purchasing Authority (DPA). The authority required to make and authorise payments and the authority to purchase are also separate authorities. (General guidance on Delegated Authority is available in the SPFM. Guidance on the Scheme of Delegation is available on the intranet.) (Guidance on Budget and Financial Management is available on the intranet under Financial Accountability and Assurance and the Digital Learning Platform.)	Response	Details/Verification
Financial Management 5.4 How confident are you that there is adequate segregation of duties where required and staff with these duties are adequately trained to discharge their responsibilities in that regard and how do you ensure that this is achieved?	Guidance Notes Confidence levels will be shaped by the strength of policy and procedures applied to activities such as authorising and processing payments and receipts or awarding grants. The requirement for appropriate segregation of duties is included in a number of sections of the SPFM, notably those covering Expenditure and Payments and Income Receivable and Receipts. This covers all staff involved in the financial process. The level of knowledge and training should be related to the part played by the individual in the financial process. All staff with responsibility for entering into contracts, raising purchase orders, or issuing invoices etc. should have a knowledge of the rules relating to VAT and the ability to recover and or charge VAT. Note that this is separate from the authority required to add/amend suppliers and make and authorise payments within the relevant finance system.	Response	Details/Verification
Financial Management 5.5 How confident are you that you ensure that Finance (and Property where applicable) are informed of any changes to assets as they arise and that Financial records are maintained and kept up to date to reflect the assets held in your area?	Guidance Notes Capitalised expenditure (PPE and Intangibles) must meet the approved corporate thresholds and definitions and be supported by Asset Addition forms. Any disposal of previously capitalised assets should be recorded correctly in corporate finance systems and supported by Asset Disposal forms. Further guidance is available from the Non-Current Accounts team and on the intranet. Where appropriate, further guidance and support on property matters is available from Property and Construction Division who should be contacted as early as possible in the process.	Response	Details/Verification
Financial Management 5.6 How confident are you that you have arrangements to ensure that all assets for which the area is responsible are properly managed and safeguarded? How do you ensure this?	Guidance Notes This will include assets meeting capitalisation thresholds and definitions and included on the central asset register, and those assets on a locally maintained inventory of valuable and attractive items. The response should consider safeguards such as those against unauthorised use or disposal. (Guidance on Property Management and Fraud is available in the SPFM.). Where appropriate, further guidance and support on property matters is available from Property and Construction Division, who should be contacted as early as possible in the process.	Response	Details/Verification
Financial Management 5.7 How confident are you that you have effective arrangements in place to ensure that you are managing and monitoring any money due to the Scottish Government, that it is collected within reasonable timescales, procedures are written with reference to the SPFM and the relevant finance system policy, and they are reviewed and updated regularly?	Guidance Notes Further detail on Debt recovery can be found on the intranet and Income receivable and receipts section of the SPFM. Staff should be trained in local procedures/arrangements which should be reviewed and kept up to date. Confidence levels will be shaped by the strength of procedures surrounding: any relevant Statutory Authority for fees and charging and associated VAT appropriate accounting treatment and budgeting treatment of income, receivables, receipts, and internal transactions adequate segregation of duties credit control and the relevant monitoring and management debt recovery and uninvoiced income EC Receipts, Excess Receipts, designated receipts, NLF repayments and recoveries from the SCF	Response	Details/Verification
Financial Management 5.8 How confident are you that you have procedures in place for timely and effective monitoring and reviewing of financial information and budgets for which you are responsible to ensure that central finance deadlines are met?	Guidance Notes The response should reflect the following: measures to ensure that financial systems contain accurate and up to date information measures to monitor the security of financial information local arrangements for monitoring and reviewing operating costs and programme budgets measures should include regular management checks. Arrangements for reviewing budgets should be consistent with re-profiling information returned to Finance. (Guidance on Budget and Financial Management is available on the Learning Portal)	Response	Details/Verification
Financial Management 5.9 How confident are you that you have procedures in place to ensure that budgets are regularly reviewed throughout the year and that budget transfers are completed and authorised in line with corporate finance deadlines?	Guidance Notes You will wish to consider here the mechanisms in place for communicating budgetary information both at the beginning of the year and changes made in-year whether at the time of formal monthly or quarterly reviews or at other times. This would also cover the transfer of funds between one area and another or between the centre and your area.	Response	Details/Verification
Financial Management 5.10 How confident are you that you regularly review internal financial reports which report actual against budget outturn and discuss progress with your director or equivalent? How do you ensure this is achieved in line with corporate finance deadlines and what action is taken following financial review to ensure a balanced budget is achieved?	Guidance Notes The review of the regular financial reports needs to take account of both forecast outturn positions and year-to-date actual costs against profiled budget spend.	Response	Details/Verification
Financial Management 5.11 How confident are you that the Subsidy Control Unit is consulted at the earliest possible stage on all proposals that may have subsidy implications?	Guidance Notes Guidance on Subsidy Control procedures is included in the SPFM. Further detailed guidance is available from the Subsidy Control team.	Response	Details/Verification
Financial Management 5.12 How confident are you that any grant proposals and payments comply with the guidance in the SPFM and internal guidance?	Guidance Notes The section of the SPFM on Grant and Grant in Aid includes references to checklists covering the grant proposal, application and assessment processes and a Model Offer Grant Letter template. SG Grant Management guidance can be found on the intranet and support from the Grants Capability & Assurance and/or Commercial Value for Money Teams should be sought (where required) on grant design.	Response	Details/Verification
Financial Management 5.13 How confident are you that the grants awarded are documented in a Model Offer Agreement that illustrates its link to policy outcomes (including, but not limited to: the National Performance Framework and, where applicable, any Programme for Government commitments) and, sets out how the grant is expected to contribute to achieving its outcome(s) together with the approach to monitoring and evaluation?	Guidance Notes The Model Offer letter should be used to detail the specific outcomes the grant is planning to achieve, and business areas should consider (where appropriate) how it will contribute to other key policies and initiatives as detailed in local guidance – guidance on grant making can be found on the intranet. The Model Offer Letter should include (at a minimum): what public spending supports what these aims are to achieve the contribution the grant is expected to make to National Outcomes and evidence for this, how plans are being delivered (including milestones and expectation of the grant recipient) the impact this is having and the approach to monitoring the grant in line with the above	Response	Details/Verification
Financial Management 5.14 How confident are you that all of your staff who are involved in the management of grants have the skills and training to allow them to manage their grants effectively?	Guidance Notes Ensuring key staff have the right level of skills and training to ensure effective engagement with the grant management process is key. Confidence levels should be shaped by the following: staff should complete the Grants Process Training available on the SG learning portal staff regularly refer to the grants guidance on the intranet before commencing any grant award and throughout the lifecycle of their grant scheme/project/programme. Where in doubt, staff are to engage with the Grants Capability & Assurance Team for support on adhering to the SG Grant Policy staff involved in grant management have at minimum undertaken the SG Due Diligence-Grants Process eLearning on the SG learning portal DG Grant managers are engaged with the Grants Managers network on Viva Engage your grant managers are actively sharing lessons learned within the business area from experience	Response	Details/Verification
Financial Management 5.15 How confident are you that you have procedures in place to monitor any Losses, Special Payments, and Gifts in year?	Guidance Notes Losses, Special Payments, and Gifts should be disclosed each year. The SPFM includes guidance on Losses and Special Payments and Gifts giving guidance on the various types of Losses, special payments and gifts and the approval process. You should ensure the guidance is followed to correctly report any of these transactions. Where appropriate, further guidance and support can be obtained from a Finance Business Partner or the Financial Accounts team.	Response	Details/Verification
Financial Management 5.16 How confident are you that you have year-end procedures in place to ensure all Annual Accounts returns are completed in a timely and accurate manner?	Guidance Notes There are various returns due to finance as part of the annual accounts process. You should have procedures in place to ensure that information requested can be provided to Finance in an accurate and timely manner. Information requested will be used to ensure income and expenditure are recorded in the appropriate financial year and that any assets or liabilities of the Scottish Government are reviewed and appropriately accounted for. This includes consideration of committed and contingent balances (Contingent Liabilities, contingent assets), indemnities and guarantees. Confidence levels can be shaped by: having an embedded finance team or person who undertakes these key processes for your area ensuring that those staff have the appropriate qualifications/training to undertake this activity the team or staff member has established clear links with the relevant finance team/FBP etc.	Response	Details/Verification
6. Fraud	Guidance Notes	Response	Details/Verification
Fraud 6.1 How confident are you that operational managers and all members of staff within your area are aware of their responsibilities with regards to the prevention and detection of Fraud (including Cyber Fraud)?	Guidance Notes Confidence levels should be shaped by: awareness of the relevant guidance in the section on Fraud in the SPFM which might be brought to the attention of staff periodically and other relevant local guidance – the Scottish Government (SG) has a comprehensive guide on the intranet the linking of induction materials to the relevant internal guidance on fraud prevention – there is a comprehensive guide on the intranet within the SG ensuring that staff have undertaken relevant Civil Service Learning course on fraud prevention for staff and managers accessible on the learning portal established Fraud Management Procedures (linked to a Counter Fraud Management Strategy) documented and accessible to staff instances of fraud being appropriately and systematically recorded and reported to Governance and Risk and the Counter Fraud Service where applicable and the relevant Audit/Assurance Committee Unless separate prescribed procedures are in place any suspicion of fraud (internal or external) should be reported to the SG Governance and Risk Team via email fraudresponseteam@gov.scot.	Response	Details/Verification
Fraud 6.2 Have you had any cases of fraud or suspected fraud within your area in the last year?	Guidance Notes Fraud cases and suspected fraud cases should be reported in accordance with the Scottish Government Fraud Guidance on the intranet please highlight in your response if the fraud or suspected fraud was reported to the Fraud Response Team. Unless separate prescribed procedures are in place any suspicion of fraud (internal or external) should be reported to the SG Governance and Risk Team via email fraudresponseteam@gov.scot.	Response	Details/Verification
Fraud 6.3 How confident are you that cases of fraud and suspected fraud in the last year have been reported and recorded accurately?	Guidance Notes Fraud cases and suspected fraud cases should be reported in accordance with the Scottish Government Fraud Guidance please highlight in your response if the fraud or suspected fraud was reported to the Fraud Response Team. Unless separate prescribed procedures are in place any suspicion of fraud (internal or external) should be reported to the SG Governance and Risk Team via email fraudresponseteam@gov.scot.	Response	Details/Verification
Fraud 6.4 How confident are you that you have identified and documented the fraud and corruption risks specific to your area, by way of Counter Fraud Toolkit templates or alternative documented assessment, ensuring that, where needed, risks are mitigated with appropriate control activities?	Guidance Notes Confidence levels should be shaped by: exercises carried out to determine risk levels as per the section on Fraud within the SPFM and returned to the Counter Fraud Service risk registers contain reference to fraud and corruption risks and corresponding control activity where appropriate, with active monitoring of these risks ensuring that control activities or improvement plans, are explicit in their targeting of fraud risks and gaps in assurance relating to fraud risk fraud risks are periodically reviewed and updated in terms of increased/decreased fraud threat due to external or environmental factors affecting inherent fraud risk	Response	Details/Verification
Fraud 6.5 How confident are you that when new grant schemes or other spend programmes are being developed you ensure you are considering whether fraud prevention measures need to be built into your plans, based on appropriate documented assessment of fraud risk?	Guidance Notes Within grant schemes, particularly those involving third-party relationships, confidence levels should be shaped by: awareness of the fraud procedures in place within prospective funding recipient’s business processes ensuring appropriate due diligence checking has been undertaken on applicants to ensure they are legitimate recipients appropriate criteria for determining eligible expenditure are in place payment in advance of need is appropriately assessed and approved by your finance business partner throughout the grants process, decisions, key documentation, and evidence should be appropriately recorded to ensure an effective audit trail. This will ensure that you can evidence decisions made and support any internal or external review. You should use the audit trail checklist to ensure you have all the appropriate documentation to support your grant from 01 October 2024, SG core staff who disburse grants either as a ‘Preparer’ or ‘Approver’ must complete mandatory training prior to using the system as directed by the Award to Pay Policy. Within other spend confidence levels should be shaped by: ensuring you are in compliance with the Scottish Procurement Policy Manual Unless separate prescribed procedures are in place any suspicion of fraud (internal or external) should be reported to the SG Governance and Risk Team via email fraudresponseteam@gov.scot.	Response	Details/Verification
7. Procurement	Guidance Notes	Response	Details/Verification
Procurement 7.1 How confident are you that the Scottish Procurement and Property Directorate (SPPD) (including DPO’s) - are consulted from the earliest possible stage on any business cases proposals that may involve procurement, commercial and/or property activity?	Guidance Notes Guidance on the role of the Scottish Procurement and Property Directorate (SPPD) (including DPO’s), guidance on Buying and contract management and the Security Questionnaire is available on the intranet. The need to consult SPPD might be included in induction material and local desk instructions. Procurement is also covered in the SPFM. SPPD must be consulted early on any novel or contentious spending proposal and any matter which includes issues of procurement and/or property propriety or regularity and in all instances where purchasing support will be needed from SPPD. For all major programmes and large funds this means involvement in the drafting of Strategic Outline Cases. For initiatives of any size that will involve the third or private sector distributing funds on ministers’ behalf, this means engaging SPPD during policy design. Where appropriate, further guidance and support on property matters is available from Property and Construction Division who should be contacted as early as possible in the process.	Response	Details/Verification
Procurement 7.2 How confident are you that you have sufficient access to staff with Delegated Purchasing Authority (DPA) to meet your business needs?	Guidance Notes DPA is the authority from the Director of Procurement and issued on a personal basis to permit permanent SG members of staff to enter into a contract for goods, services and works and oversee the process leading up to and including the award of a contract. It should not be confused with financial or budgetary authority. You can’t hold delegated purchasing authority if you; are an approver on Purchase to Pay (corporate finance systems) are the budget holder Please confirm how many staff in your area have DPA and if the number meets your business needs. (Guidance on DPA is available on the intranet).	Response	Details/Verification
Procurement 7.3 How confident are you that you have contracts in place for all purchases of goods, services and works in your division whether directorate specific contracts for your area or corporate contracts or SG corporate contracts available for use across the Scottish Government?	Guidance Notes Divisions should understand if their procurement spend is covered by contract and should be aware of the Scottish Government contract register. Contracts can only be placed by officers with Delegated Purchasing Authority (see 7.2 above).	Response	Details/Verification
Procurement 7.4 How confident are you that all procurement activity within your area is undertaken in accordance with the Procurement Policy Manual and all policy initiatives are announced in Scottish Procurement Policy Notes (SPPNs) issued by the Scottish Procurement and Property Directorate?	Guidance Notes Evidence should be provided by staff with DPA to assure division heads that all procurement activity has been conducted with the Procurement Policy Manual. Specific guidance on the operation of the Electronic purchasing card (ePC) are available to support low value purchasing. Does your business area have a system in place to ensure staff are aware of the latest and any other significant Scottish Public Procurement Notes SPPN’s (Cyber Security, Climate Change)?	Response	Details/Verification
Procurement 7.5 How confident are you that your area’s use of external consultants comply with the Scottish Government Consultancy Procedures? This includes using the consultancy account codes on the Purchase Orders that are created in the purchasing system.	Guidance Notes Expenditure for contracts for consultancy below £10,000 in value need to be approved at deputy director level. Expenditure for Consultancy contracts between £10,000 and £50,000 need to be approved at director general level. Above £50,000 submissions for approval must be endorsed by the relevant director general and expenditure must be approved by the Cabinet Secretary for Finance and Economy. If there have been no such cases during the period, then please provide a nil response. Consultancy expenditure must be coded against the account codes stated in the Use of consultants: guidance - gov.scot (www.gov.scot). Management checks on consultancy expenditure should be carried out to ensure approval was sought at the appropriate approval level prior to purchase.	Response	Details/Verification
Procurement 7.6 How confident are you that the number of staff authorised and trained to act as purchasing system requisitioners and approvers are consistent with your division’s needs?	Guidance Notes Staff who are authorised as purchasing system requisitioners and approver need to recognise the importance on the financial information being entered correctly. The amount of knowledge and training does, of course, need to be related to the part played by the individual in the financial process. Individual duties might be covered in desk instructions.	Response	Details/Verification
Procurement 7.7 How confident are you that staff with electronic Purchasing Cards (ePCs) are fully aware of their responsibilities to monitor compliance and meet the ePC policy?	Guidance Notes Monitoring of compliance should be achieved by monthly management checks at meetings with your managers, considering the requirement and suitability of using ePC for purchases (were goods received, are contracts for similar products in place, are suppliers set up on corporate finance systems and does the expense description match the goods/services purchased). (Guidance on ePC is available on the intranet.)	Response	Details/Verification
Procurement 7.8 How confident are you that staff are complying with the prompt payment of suppliers’ process to meet the 10-day payment commitment?	Guidance Notes Relevant guidance regarding the prompt payment of suppliers’ policy must be brought to the attention of staff periodically and/or in reviewing training requirements.	Response	Details/Verification
Prpcurement 7.9 How confident are you that you have in place appropriate arrangements in your area to ensure effective contract management enabling delivery of both technical and commercial requirements?	Guidance Notes Staff managing contracts should have the knowledge and skills to deliver both the technical and commercial conditions of the contract, undertaking the required training as mandated in the Scottish Procurement Policy Manual Staff can seek guidance or arrange for Contract Management services to be delivered by the SPPD Contract Management Team. Additional guidance is also available on the Procurement Journey. In addition, Staff responsible for construction projects should be aware of the guidance provided within the Client Guide to Construction Projects and can seek guidance from the CPPU Team.	Response	Details/Verification
8. Human Resources	Guidance Notes	Response	Details/Verification
Human Resources 8.1 How confident are you that you have, and regularly update, workforce plans that enable you to match resources to priorities, ensure affordability and monitor impacts on wellbeing and diversity?	Guidance Notes In the Service of Scotland sets our vision and values, and the context for people management and development, helping to ensure we have the right people in the right place. Confidence levels will be shaped by working with your Human Resources (HR) Business Partner on activity such as: regular workforce planning discussions with HR Business Partners and Finance Business Partners to monitor and manage workforce numbers and cost against ET agreed projections for the current financial year and future years to March 2027 keeping baselining/skills information of workforce up to date and encouraging completion of diversity data on corporate systems your contribution to the delivery of key actions in your DG People Plans identifying any roles/skills that are a single point of failure and establishing a response (i.e., succession planning) adherence to corporate processes (including through the Resource Assurance Committee approvals process in FY24/25) and timescales regarding recruitment actions to increase diversity through recruitment and succession planning (e.g., seeking and understanding local diversity data, completing mandatory Inclusive Recruitment learning, Diverse Panels, and carefully considering how and where to advertise vacancies) what evidence do you draw on to inform action, including for example: Workforce planning returns, Directors Quarterly MI (Management Information) pack, Workforce Monitoring Dashboards, People and Finance DG Assurance metrics, diversity data on the D+I Dashboard	Response	Details/Verification
Human Resources 8.2 How confident are you that you have processes in place to develop staff and increase capability to support diverse and inclusive, high performing teams?	Guidance Notes In the Service of Scotland sets our vision and values, and the context for people management and development, helping to ensure we have the right skills now and for the future. Confidence levels will be shaped by working with your HR Business Partner on activity such as: having personal and divisional learning/development/capability plans (including relevant professions) reflecting corporate priorities, local business needs and the diverse needs of your workforce and ensuring that time is available for staff to take part in development activities having high quality and mandatory individual diversity objectives which contribute to building a diverse and inclusive culture, and embed Diversity and Inclusion (D&I) in business delivery all staff involved in recruitment should have completed mandatory inclusive recruitment eLearning on the learning portal. your contribution to the delivery of key actions in your DG People Plans attending quarterly all DG staff, D&I events effective processes, including regular career conversations, for identifying and developing talent the role of line managers in SG’s HR policies is well understood and the application of best People Management practice is highly valued, supported and openly recognised adherence to corporate processes regarding performance management (noting separate guidance for Senior Civil Service and probationers) (i.e., monthly conversations, In Year Reviews and End Year Reviews and development discussions) evidencing where you draw from to inform positive action, e.g.: updated intranet guidance on learning approaches regularly reviewing reporting to help review mandatory learning (e.g., Inclusive culture for all staff Inclusive Culture E-Learning on the learning portal) promoting and using the Employee Passport and regular reviewing workplace adjustments to ensure they continue to meet staff and business need using local diversity data to identify and tackle areas of poorer employee experience. (for DG’s and Directors) completing annual Director succession planning exercise and holding quarterly SMT Talent meetings establishing effective hybrid working patterns for teams, applying the current hybrid expectations and principles and drawing on the learning resources available	Response	Details/Verification
Human Resources 8.3 How confident are you that line managers at all levels are skilled in managing performance, ensuring compliance with corporate expectations, and supporting the wellbeing of their staff?	Guidance Notes In the Service of Scotland sets our vision and values, and the context for people management and development, helping to ensure a workplace culture for individuals to bring their whole selves to work, to thrive and be successful. Confidence levels will be shaped by working with your HR Business Partner on activity such as: ensuring your teams are familiar with and following the probation policy - this includes solid objectives; induction; employee passports; engagement with workplace adjustments service as required; monthly conversations and interim/end probation reviews (access HR early where concerns arise) having induction processes for those new to the role or grade and investing time mentoring and coaching new staff reviewing on-time completion and recording of both the probation process (where applicable) and performance appraisals role modelling of the Civil Service Code and inclusive leadership, including completion of mandatory learning, declaration and management of outside interests and recording of gifts and hospitality adhering to corporate processes regarding attendance management (in particular ensuring absences are opened and closed on the system given the pay impact), grievance conduct and performance management (noting separate guidance for Senior Civil Service and probationers) conducting monthly conversations that focus on performance and wellbeing. Signposting wellbeing support service, promoting the employee passport, promoting diversity of support and opportunities, signposting staff diversity networks as source of peer support regularly reviewing people management and leadership capability within your team and encourage continuous development accessing toolkits and resources to support and develop line management and leadership using MI to identify and take action where absence rates or reasons raise concerns having in place, and effectively assessing, meaningful mandatory diversity and inclusion objectives at all levels to support employer outcomes using the D+I objective framework to support this. Mainstreaming relevant actions from the Diversity and Inclusion Strategy action plan adhering to flexible working policy and leave policy understanding employees’ individual needs using and promoting the employee passport to identify, implement and/or access corporate support to put in place workplace adjustments to enable everyone, and particularly disabled staff, to fulfil their potential by removing barriers stopping them perform at their best while working at home and in the workplace encouraging people to complete their diversity information on corporate systems at a business level and using corporate data produced to effectively advance diversity and inclusion what evidence you draw on to inform positive action, e.g. People Survey results, Directors MI pack, Diversity Packs, Attendance Management Monthly Reports	Response	Details/Verification
9. Equality and Diversity	Guidance Notes	Response	Details/Verification
Equality and Diversity 9.1 How confident are you that all new, revised or strategically significant policies/activities/projects in your area have been assessed, in line with legislative requirements, for their impact on people with one or more of the Protected Characteristics listed in the Equality Act 2010 at the earliest possible stage in the policy development process?	Guidance Notes This question relates to the responsibility under the statutory Public Sector Equality Duty (PSED), and the specific duty to assess and review policies and practices. Policy should be understood broadly to embrace the full range of policies, provisions, criteria, functions, practices, and activities undertaken by the Scottish Government. You are expected to ensure that, in line with legislative requirements, new or revised policies and practices in your area are assessed for their impact on people with one or more of the protected characteristics in the Equality Act 2010. These are age; disability; gender reassignment; marriage and civil partnership; pregnancy and maternity; race; religion or belief; sex; and sexual orientation. Going beyond statutory obligation, the First Minister and the Permanent Secretary have made clear their ambition for equality and human rights to be embedded in everything SG does. In terms of process, assessment would typically be done through the EQIA process. Guidance on EQIAs is available on the intranet. Relevant deputy director (or equivalent) is required to sign off on EQIAs, and in signing off they are required to ensure the impact of applying the policy has been sufficiently assessed against the three needs of the equality duty and EQIA is robust and addressing all relevant equality issues. In answering, you should be able to demonstrate that you have in place appropriate arrangements for identifying and monitoring EQIA application and for prioritisation of EQIA within policy and practice development and review. This also includes an assurance that DD sign-off for situations that are assessed as ‘no EQIA is required,’ are reviewed and evaluated as correct.	Response	Details/Verification
Equality and Diversity 9.2 How confident are you that all staff in your division have the capacity and capability to embed equality within the policies or programmes they are working on?	Guidance Notes This question seeks to find out if SG staff have the capacity and capability to deliver on equality obligations. In answering this question, you should consider whether staff have had sufficient time, information, training, guidance, and support to enable that aim to be realised, considering for example if: they have an appropriate ‘stretch’ Diversity Objective they have good awareness of equality issues; an understanding of the need for good quality impact assessment and how this relates to the development of policy or practices (evidence may include confirmation of training at induction and ongoing training and capacity building updated via appropriate continuous professional development) they know about and use relevant sources of data such as the SG equality evidence finder and relevant employee data they know about and engage with equality advocacy groups and that completed EQIAs evidence the use of evidence from engagement in shaping policy for internal policy and employee-related policies/practices, they are drawing on employee lived experience and insights gathered for example through the People Survey they have sufficient time, which is reflected in their business objectives, to consider equality matters in developing and delivery policy and/or relevant activity they understand the need to ensure that EQIAs in the business area they have responsibility for, should be kept under review and that they are able to demonstrate that this is happening Equality guidance and tools are available on the intranet. In answering, you should be able to demonstrate how you are developing staff on an ongoing basis in this area.	Response	Details/Verification
Equality and Diversity 9.3 How confident are you that any procedures in place ensure that equality considerations are embedded into all policies/activities/projects in your area and are delivering improved outcomes for people with protected characteristics?	Guidance Notes This question relates to the extent to which policies and programmes are delivering meaningful outcomes for the people whose lives the Scottish Government is seeking to improve, which includes those with one or more protected characteristics under the Equality Act 2010. Specifically, EQIAs must consider impacts based on the three tests of the Public Sector Equality Duty (PSED) it is required to address: do policies, practices or programmes contribute to reducing or eliminating discrimination for individuals with one or more protected characteristics - this means reducing disadvantage or less favourable treatment do policies, practices or programmes advance equality of opportunity for individuals with one or more protected characteristic - this means understanding and meeting diverse needs, increasing participation of underrepresented groups and, ensuring reasonable/workplace adjustments are implemented do policies, practices or programmes foster good relations between those who share a protected characteristic and those who do not - this means tackling prejudice and promoting understanding In answering you should consider and reflect the evidence (both quantitative and qualitative) demonstrating improvement in your area and the narrative of how policies and programmes in your area demonstrate active due regard to all three needs of the PSED.	Response	Details/Verification
Equality and Diversity 9.4 How confident are you that any schemes operated by your division for funding the work of external stakeholders, meet statutory equality requirements and therefore delivers improved outcomes for people with protected characteristics?	Guidance Notes This question relates to the extent to which funding for partners’ activities and projects (or core funding for partners designated as intermediaries) aligns to statutory requirements under the Equality Act 2010. Where a private or voluntary organisation provides a ‘public function’ it is then subject to the general equality duty. A public function refers to activities that are carried out on behalf of the State not similar in kind to services that could be performed by private people. Public functions can also be carried out by private or voluntary organisations, for example when a private company manages a prison or when a voluntary organisation takes on responsibilities for child protection. In answering this question, you should set out how you are ensuring this is the case in addition to 9.1 and 9.3.	Response	Details/Verification
10. Information	Guidance Notes	Response	Details/Verification
Information 10.1 How confident are you that your division demonstrate best practice information governance and management including compliance with relevant legislation?	Guidance Notes Have you ensured information held in assets complies with the Public Records (S) Act 2011 and the SG records management plan and policy? The General Data Protection Regulation and Data Protection Act 2018 came into force in May 2018. Have you: registered your information assets that contain personal data, and reviewed your existing assets reviewed the legal basis for any personal data processing and especially where you are using the lawful bases of ‘consent’ or ‘legitimate Interest’ updated any privacy notices updated any contracts with third parties that include personal data processing documented any personal data sharing in a data sharing agreement conducted a Data Protection Impact Assessment (aka Privacy Impact Assessment) where required made sure your staff know what to do if a security incident involving personal data takes place identified any personal data processing for law enforcement purposes covered by part 3 of the Data Protection Act 2018 Guide to Law Enforcement Processing identified any personal data being processed outside of the UK directorates should therefore assure themselves they are confident that all information within their areas is managed appropriately and in line with current policies and procedures	Response	Details/Verification
Information 10.2 How confident are you that access control mechanisms are in place for each system?	Guidance Notes Access control mechanisms for each system are documented by Information asset owners (IAOs). Control Mechanisms are in place for physical access and access to information. Location of information assets are registered on the Information Asset Register. Have you: met with system operators to ensure that they are securely managing the systems role based access is being managed and only authorised persons have access backup and security patching are up to date system incidents are being reported to you as system owner	Response	Details/Verification
Information 10.3 How confident are you that your Information Asset Owner has been trained in the role and is this training up to date?	Guidance Notes IAOs (usually deputy directors but certainly head of division) are responsible for ensuring that their information assets are recorded on the corporate Information Asset Register (IAR) and managed in line with data protection regulations. Guidance can be found on the IAR pages on the intranet. See guidance on “What is an Information Asset?” in the IAO Handbook. Information Asset Owner Risk management responsibilities are covered in the IAO handbook Information asset register and in the IAO training that can be booked on the intranet.	Response	Details/Verification
Information 10.4 How confident are you that any supporting staff have an awareness of the role and responsibilities of an IAO and have they been trained in information handling?	Guidance Notes Staff are available and appropriately knowledgeable to discharge these roles and have undergone or are undergoing appropriate training. For core SG the SIRO is DG Organisational Development and Operations, non-core bodies will have their own SIRO. Guidance on mandatory roles can be found on the intranet. Mandatory eLearning packages (Data Protection and Responsible for Information) can be found on the intranet. Where a deputy IAO is assisting the IAO, have they been trained and understand the role? Please see question 10.16 below. Deputy Information Asset Owner Role training is on the learning portal.	Response	Details/Verification
Information 10.5 How confident are you that information risk assessments have been carried out for all information assets and do you take all required actions to safeguard your information assets and the corporate infrastructure and regularly/actively consider and manage current and emerging cyber risks and threats pertinent to your business?	Guidance Notes IAOs must ensure that their information assets are reviewed annually for necessity, and lawful basis and consider, where consent or legitimate interest is in use, that these remain proportionate. Data protection impact assessments should be reviewed for continued relevance and continued security both within SG and with suppliers if used. All staff should have read and understood the relevant policies and guidance (such as DPA, IT Code of Conduct, and Records Management). Where information assets are managed by external suppliers, IAOs should satisfy themselves that appropriate security and data handling processes set out at procurement time remain in place. The mandatory risk management training is now in place. The learning portal has an e-learning course made up of five modules that cover the key aspects of our risk framework. This course is mandatory for all SG colleagues (there is a course for Band A employees and another for Band B - SCS employees). Information Asset Owner Risk management responsibilities are covered in the IAO handbook Information asset register and in the IAO training that can be booked on the intranet.	Response	Details/Verification
Information 10.6 How confident are you that you have processes in place for dealing with security incidents involving data?	Guidance Notes A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transferred, stored, or otherwise processed. Have you: processes to identify and report data breaches considered reporting near misses to facilitate improvement assessed incidents and know that a serious incident resulting in a risk to individuals may need reported within 72 hours to ICO The security incident reporting tool can be found on the intranet.	Response	Details/Verification
Information 10.7 Have you had any information security incidents involving data that occurred in your area over the past financial year that you did not record on the corporate security incident reporting tool?	Guidance Notes Incidents would relate to cases where information (both personal and non-personal) may have been accidentally exposed, lost or made unavailable regardless of whether this has resulted in harm to individuals. IAOs are aware of and follow the corporate process in place to report, manage and recover from information risk incidents. Lessons have been learnt, and shared, from incidents (if any). Local managers have a responsibility to ensure that staff are aware of and comply with the relevant guidance, to initiate checks where non-compliance is suspected and to monitor suppliers. Managers have a responsibility to ensure that all staff and suppliers are aware of their responsibilities to safeguard Government information. An IAO checklist for dealing with security incidents can be found on the intranet. Please open the document and refer to section 5.	Response	Details/Verification
Information 10.8 How confident are you that all colleagues within your business area use the approved corporate system to store their information for the corporate record?	Guidance Notes The approved corporate system (i.e., electronic Record and Document Management system (eRDM)), is used as the approved repository for corporate information and ensures we manage it in line with the arrangements set out in our records management plan (RMP) and Information Management Strategy.	Response	Details/Verification
Information 10.9 How confident are you that you and your deputy directors personally use the approved corporate system to manage information?	Guidance Notes All staff in the SG should be using the approved corporate information system (eRDM) to store their corporate business documents.	Response	Details/Verification
Information 10.10 How confident are you that colleagues in your business area do not store corporate information in unstructured storage repositories such as local or network drives?	Guidance Notes A review of our corporate information management was published in 2021. A recommendation from this was to manage down the availability and use of unstructured information repositories, such as Public Folders and network shared drives.	Response	Details/Verification
Information 10.11 How confident are you that all colleagues within your business area know of and understand any information management processes and procedures that may be specific to your business area i.e., local practices/responses to specific legislation?	Guidance Notes There may be procedures which are specific in your business areas regarding how you manage your information for example some information may need to be restricted to adhere to information laws or other types of legislation. Your retention timelines may differ from the standard and enhanced restrictions may be required due to sensitivity of topic.	Response	Details/Verification
Information 10.12 If you have any business processes utilised within your business area that prevent your colleagues from using our electronic corporate records and documents management system e.g., databases/GIS/Complex spreadsheets, how confident are you that these are being managed appropriately?	Guidance Notes Some complex applications do not function well within an Electronic and Document Management System and may need to be kept in shared drives e.g., databases/GIS information/databases or complex spreadsheets. Regular snapshots should be taken and saved into the approved corporate record management system (e.g., eRDM) as part of the corporate record.	Response	Details/Verification
Information 10.13 How confident are you that all colleagues in your business area are familiar with the SG Information Management Strategy?	Guidance Notes One of the recommendations of the corporate review of our information management was the creation of an SG Information Management Strategy to ensure everyone in the Scottish Government understands their roles and responsibilities when managing and using information.	Response	Details/Verification
Information 10.14 How confident are you that your colleagues find the relevant information quickly and easily to respond to queries or e.g., Freedom of Information requests?	Guidance Notes If information is being stored correctly in eRDM then the retrieval of that information is more streamlined. This would not be the case if colleagues have to search numerous unstructured data repositories e.g., shared drives, Public Folders, personal storage areas such as OneDrive.	Response	Details/Verification
Information 10.15 How confident are you that your business area monitor compliance in terms of information management governance and legislation?	Guidance Notes Good information and record management is not just about filing it is a requirement of the law. The following are key information laws which apply to the Scottish Government and each of us managing information and records on its behalf: Public Records (Scotland) Act 2011 Data Protection Act 2018 (DPA) and General Data Protection Regulation (GDPR) Freedom of Information (Scotland) Act 2002 (FOISA) and the Environmental Information (Scotland) Regulations 2004 (EIRs) Inquiries Act 2005	Response	Details/Verification
Information 10.16 How confident are you that all colleagues in your business area familiar with information management key roles and responsibilities?	Guidance Notes There are a number of key roles that should be in place to ensure adequate management of Information. More information on these roles is detailed below. Information Asset Owner: This is an existing role and is usually at head of division/unit level. Information Management Support Officer (IMSO): This is also an existing role, and they are the first point of contact about guidance on the use of our electronic record and document management (eRDM) system. Deputy Information Asset Owner (DIAO): This is a new role which has been highly recommended to encourage, develop and maintain high standards, robust policies and procedures whilst ensuring compliance in knowledge and information management practices within divisions. They will act as a deputy to the IAO and would also provide liaison with IMSOs and the iTECS Knowledge and Information Shared Services Unit [KISS]. DG Information Governance Officer (DG IGO): This is a recommended new role to act on behalf of the DG to champion the Information Management (IM) agenda across the DG. Directorate Information Governance Officer (Dir IGO): This is a recommended new role to act on behalf of the director to champion the Information Management (IM) agenda across the directorate.	Response	Details/Verification
Information 10.17 How confident are you that all colleagues in your business area are aware of the training resources available around information management and which of these are mandatory?	Guidance Notes There are a number of training resources available around information management on the intranet and all colleagues should be aware of these. SG Core staff have access to training surrounding ERDM, Records Management, Information Strategy, Data Protection, Government Security Classifications etc.	Response	Details/Verification
Information 10.18 How confident are you that all colleagues in your business area make sure that the information they work with is processed appropriately and securely to mitigate risk?	Guidance Notes Information is one of the Scottish Government’s most valuable assets and needs to be proportionately protected against loss or compromise. The IT security policy has been written to provide a mechanism to establish procedures to protect the confidentiality, integrity, and availability of our information. It does not in any way amend the requirements placed upon the Scottish Government by the Freedom of Information (Scotland) Act 2002 in relation to the disclosure of official information.	Response	Details/Verification
Information 10.19 How confident are you that your area is aware of the Digital Recording Policy and applying the controls set out there to comply with data protection regulations.	Guidance Notes Microsoft Teams allows participants to make recordings of meetings for storage or further circulation. Meeting organisers are required to carry out a data protection impact assessment before making recordings to make sure it is compliant with data protection regulations. A privacy notice setting out that the meeting is being recorded and what the rights of participants are must be provided before the recording begins.	Response	Details/Verification
11. Health and Safety	Guidance Notes	Response	Details/Verification
Health and Safety 11.1 Do you have an appointed and trained Health and Safety Liaison Officer within your Division?	Guidance Notes The Health and safety liaison officers within your division are known and utilised to support the delivery of your health and safety responsibilities. Health and Safety Liaison Officers perform key health and safety functions, in particular, local health and safety inductions, and workplace inspection and first point of contact for Display Screen Equipment queries.	Response	Details/Verification
Health and Safety 11.2 How confident are you there are Risk Assessments covering each team within your division, including any specific higher risk activities your business area may undertake, and they have been reviewed and updated in the last year?	Guidance Notes Risk Assessment Teams to: review and amend generic risk assessments, identify any specific high-risk activities, and generate new assessments as required communicate findings to all affected staff keep risk assessments under review (General guidance is available on the intranet)	Response	Details/Verification
Health and Safety 11.3 How confident are you that all staff have undertaken mandatory health and safety training in your area and understand their personal responsibilities of health and safety in the workplace?	Guidance Notes For all Scottish Government staff there are a number of Mandatory training courses which need to be completed: Health and Safety – Display Screen Equipment (to be completed by everyone with each significant change) Health and Safety – Driver Safety Awareness (to be completed yearly if you drive on official business) Health and Safety – Fire Safety (to be completed yearly by everyone) Health and Safety – Manual Handling (to be completed once if required for your role) Health and Safety Understanding (to be completed once by all Scottish Government employees)	Response	Details/Verification
Health and Safety 11.4 How confident are you that all your staff are aware of the fire evacuation process and the relevant guidance for the buildings they work from?	Guidance Notes Fire safety management and evacuation procedures changed in 2020. Scottish Government also introduced special fire marshal and fire precaution officer (FPO) procedures. All staff should be aware of and understand local Fire evacuation procedures (sharepoint.com).	Response	Details/Verification
Health and Safety 11.5 How confident are you that your staff are aware of the facility to request home working equipment to support hybrid working?	Guidance Notes Guidance on how to obtain Home Working equipment and workstation set up is available on the intranet.	Response	Details/Verification
12. Sponsored Bodies	Guidance notes	Response	Details/Verification
Sponsored Bodies 12.1 Non-Departmental Public Bodies –Is your area responsible for sponsoring NDPBs, or other bodies? (If not, please ignore the other questions in this section.)	Guidance Notes Please complete for all of the bodies you sponsor answering each question separately and highlight key points of interest (good or bad). Guidance can be found in the NDPB Sponsorship Guidance Notes. A list of public bodies in Scotland is available on the National Public Bodies Directory. Additional information can be obtained from Public Bodies Unit if necessary.	Response	Details/Verification
Sponsored Bodies 12.2 National Outcomes - How confident are you that the operations, business planning and objectives of the public body align with the National Performance Framework (NPF), National Outcomes and Programme for Government?	Guidance Notes The National Performance Framework (NPF) is Scotland’s wellbeing framework, it is refreshed every 5 years and is currently undergoing a refresh, which begun in 2023. The NPF sets out a vision of societal wellbeing through the National Outcomes, and charts progress towards this through a range of social, environmental, and economic indicators. It provides a framework for collaboration and planning of policy and services across the whole spectrum of Scotland’s civic society, including public and private sectors, voluntary organisations, businesses, and communities. The approach to setting, reviewing, and reporting on progress to achieving the National Outcomes, is set out in the Community Empowerment Act 2015. Supporting documents such as the corporate plan, business plan, and framework documents should be in place to enable the sponsor team to develop a shared understanding of the joint priorities to contribute towards the National Outcomes, and to ensure that individual bodies’ corporate communications (including annual report) and engagement strategies fully reflect these. The Scottish Parliament Budget Review Group (SPBRG) has also recommended that Public Bodies should consistently set out how they plan to contribute towards specific National Outcomes in the NPF in their published corporate and business plans, and report on their contribution to National Outcomes through their annual reports, to support parliamentary scrutiny of their activities and public spending. This means providing public information about the strategic direction and operational delivery of public bodies and how this aligns to National Outcomes and the NPF. This should include what public spending supports, what this aims to achieve, the contribution it is expected to make to National Outcomes and evidence for this, how plans are being delivered, and the impact this is having. Do the corporate plan, business plan and annual reports clearly set out how the public body contributes to National Outcomes, with a line of sight to the National Performance Framework, including links to planned spending and specific outputs that are expected and how they contribute to achieving National Outcomes?	Response	Details/Verification
Sponsored Bodies 12.3 Framework Documents – how confident are you that there is evidence of an up-to-date Framework Document in place with your sponsored body that is published on the public bodies website, has been shared with Public Bodies Support Unit to add to the central repository and has appropriate arrangements in place to monitor adherence to?	Guidance Notes Governance Structures, processes, systems, and controls should be in place to ensure robust financial management and monitoring, and compliance with the Scottish Public Finance Manual. You should be able to confirm the date that the Framework Documents are finalised or otherwise, that they are up to date, and were subject to proper consultation (including with Public Bodies Support Unit, your Finance Business Partner (or equivalent) and the Directorate for Internal Audit and Assurance. Details of the steps taken to monitor the areas above should also be provided.	Response	Details/Verification
Sponsored Bodies 12.4 Effective Boards – How assured are you that the Board of your sponsored body is undertaking its functions effectively?	Guidance Notes The four main functions of public body Boards are: to ensure that the body delivers its functions in accordance with Ministers’ policies and priorities to provide strategic leadership to ensure financial stewardship to hold the Chief Executive and senior management team to account Boards play a vital role in the accountability chain and therefore it is essential that they have the capability and capacity to perform their functions effectively.	Response	Details/Verification
Sponsored Bodies 12.5 How confident are you that succession planning is in place for the Board of your sponsored body? For example, has your sponsored body carried out a skills audit and taken steps to build a diverse talent pipeline such as offering shadowing, mentoring and outreach events to support public appointment vacancies?	Guidance Notes Boards should ensure that they maximise opportunities to develop and attract diverse candidates that meet the body’s needs and legislative requirements, See the Succession Planning Guidance for Public Body Boards (as published in February 2017) and the Gender Representation on Public Boards (GBPR) Guidance. Confidence levels should be shaped by whether: have you carried out a skills audit have you taken steps to build a diverse talent pipeline (shadowing, mentoring, outreach events to support public appointment vacancies) Guidance given states: designate a person on the board, or have a nominations committee, to take the lead on board appointments map current skills in the board and the skills needed in the future, within the context of the public body’s strategic plan and the board’s role draw up a timeline of when individual board members’ and chairs’ appointments come to an end or are up for renewal and identify action that can be taken to attract a diverse range of candidates (provide shadowing, mentoring, co-opt potential talent) provide opportunities to develop prospective board members, particularly for people from groups that are under-represented on your board take specific and measurable actions to attract women and meet the Gender Representation Objective - See Guidance here	Response	Details/Verification
Sponsored Bodies 12.6 Relationships – How confident are you that arrangements are in place and able to be evidenced to support strong, strategic relationships with the public body you sponsor to ensure effective collaboration in delivering outcomes based on business/corporate plans and do you issue an annual letter of strategic engagement to the Sponsored Body?	Guidance Notes Sponsorship should always be considered a strategic activity, based on strong relationships characterised by openness, trust, respect and mutual support. The objective is to find ways of working with bodies that engage and empower them in a shared vision and understanding of the strategic environment, while ensuring proportionate arrangements are in place to safeguard public funds and incentivise performance. Executive Team and Ministers have an agreed approach which has at its core supportive, trusting relationships at a senior level; an appropriate place for the SG in the accountability chain – Ministers holding Chairs to account for the actions of Boards, Boards holding Executives to account for performance - and ensuring proportionate arrangements to safeguard public funds and incentivise performance; and a greater focus on strengthening the Boards and Accountable Officers of public bodies through induction and on-going support. As part of this Ministers also agreed revised pay policy and procurement controls. The importance of sponsorship and the relationships between sponsors and public bodies is seen as being crucial in empowering public bodies to deliver outcomes. It would be helpful if Sponsor Teams could provide some information, commenting specifically on their experiences from adopting this approach to sponsorship with reference to which Strategic Sponsorship products they have implemented.	Response	Details/Verification
Sponsored Bodies 12.7 Finance – How confident are you that your sponsored body demonstrates financial capability by providing accurate and timely financial monitoring and forecasting information to the Scottish Government and do you review financial information and liaise with corporate finance colleagues in line with deadlines?	Guidance Notes Sponsorship teams and public bodies should be aware of formal responsibilities they hold over the stewardship of public funds considering; SPFM, Audit Committee Handbook, The Public Sector Internal Audit Standards (PSIAS), Financial Reporting Manual (FReM), and the relevant NDPB Model Framework Document, Budget Allocation and Monitoring Letters. Other requirements relevant to Sponsorship Teams and Public Bodies include: sponsorship teams and public bodies should work closely in overseeing the management and use of public monies, Model Framework Documents should cover the arrangements for funding the body and the conditions attached to the use of those funds the Accountable Officer and the Board should ensure that the public body has in place appropriate systems to support their financial responsibilities ensure appropriate systems in place for managing risks and that these are escalated appropriately check that systems are in place for internal and external audit, an audit committee is in operation and that arrangements are in place for producing a statement on internal control ensure that arrangements are in place for the body to provide regular high quality budget monitoring and forecast information as required by Financial Management Directorate and with support from Finance Business Partners (or equivalent) review annual accounts co-operate with any enquiries initiated by the Auditor General for Scotland or by the Public Audit and Post Legislative Scrutiny Committee of the Scottish Parliament	Response	Details/Verification
Sponsored Bodies 12.8 Finance – How confident are you that you have year-end procedures in place to ensure all Annual Accounts returns are completed by your sponsored body in a timely and accurate manner?	Guidance Notes There are various returns due to finance part of the annual accounts process. You should have procedures in place to ensure that information requested can be provided to Finance in an accurate and timely manner. Information requested will be used to ensure income and expenditure are recorded in the appropriate financial year and that any assets or liabilities of the Scottish Government are reviewed and appropriately accounted for. This includes consideration of committed and contingent balances.	Response	Details/Verification
Sponsored Bodies 12.9 Fair Work – How confident are you that your sponsored body is committed to Fair Work First, including providing payment of at least the real Living Wage and appropriate channels for effective workers’ voice, such as trade union recognition. Employers should promote equality, diversity, youth employment, engagement and workforce development and work to deliver the Fair Work Convention’s Fair Work Framework.	Guidance Notes Sponsored bodies should all be meeting the Fair Work First criteria, providing: payment of at least the real Living Wage appropriate channels for effective workers’ voice, such as trade union recognition investment in workforce development no inappropriate use of zero hours contracts address workplace inequalities, including pay and employment gaps for disabled people, racialised minorities, women and workers aged over 50 offer flexible and family friendly working practices for all workers from day one of their employment oppose the use of fire and rehire practice Effective voice is central to Fair Work and all employers should demonstrate their commitment to including their staff in workplace decisions, and work in positive partnership with trades unions. Employers should also pay at least the real Living Wage, and you may wish to check if the body is an accredited Living Wage employer. Have they got an invest in youth plan with stretching targets to recruit and develop young people (e.g., recruiting Apprentices)? Do they run an employee engagement survey and act on the results? Do they use procurement policies to encourage Fair Work, including payment of the living wage and inclusive employment in their supply chain? Please provide information which will highlight the actions your sponsored body has been doing to support workplace equality, inclusion, and diversity. As an example, they could be a disability confident employer, carer positive employer, IYP Gold award employer and a Stonewall Top 100 employer. They should be ambitious about diversity and inclusion and be able to demonstrate this through workplace practices. All employers should make use of the Fair Work resources available, including the Fair Work First guidance, Employer Support Tool and resources from the CIPD.	Response	Details/Verification
Sponsored Bodies 12.10 Assurance – regarding Major Investment(s), how confident are you that your sponsored body engaged with the appropriate authority and recorded all relevant projects with the appropriate authority? If the answer is yes, you should provide information of what investments the public body has and if there is evidence that they have assessed them against the criteria for major investments (including Construction, Infrastructure, and IT investments) in the SPFM?	Guidance Notes Systems should be in place to ensure all business cases are assessed. For all Major Investments as defined in the Scottish Public Finance Manual: a Risk Potential Assessment Form, available from Portfolio, Programme and Project Assurance Hub, should be completed and submitted to the SG’s Portfolio, Programme and Project Assurance Hub. For investment in projects containing an IT or digital element: integrated Assurance and Approval Plans should be completed for projects by your sponsored body projects should be registered on the Project Register, held by the Digital Assurance Office further advice can be found on the Technology Assurance Framework or by emailing Digital Assurance Office For construction and infrastructure projects: projects should be registered on the SG’s Infrastructure Projects Database if they have an Outline Business Case prepared and a total capital investment of £5 million or more	Response	Details/Verification
Sponsored Bodies 12.11 Fraud – How confident are you that your sponsored body have effective arrangements to counter fraud (including Cyber Fraud), bribery and corruption through a well communicated counter fraud policy, an up-to-date fraud action plan and effective avenues for reporting suspicions of fraud?	Guidance Notes Processes should be in place to ensure that policies for fraud response are consistent with SG guidance, including a review of current fraud response activity, whilst ensuring robust reporting procedures have been adopted by sponsored bodies. Further information can be found in the Fraud section of the SPFM and the SG Counter Fraud Strategy, Policy and Response Plan and Protecting Public Resources guidance.	Response	Details/Verification
Sponsored Bodies 12.12 Procurement - how confident are you that your sponsored body uses public procurement to support a green recovery and wider climate and circular economy ambitions through procurement, embedding climate considerations in local governance arrangements and flowing through to organisational procurement related activities.	Guidance Notes For wider legal and corporate context on this requirement, refer to: Guidance on Protecting Scotland’s Future Chapter 1 https://www.gov.scot/publications/programme-government-2023-24/pages/12/ – setting out Scotland's ambitions in relation to contribution to climate change, and to restore nature and enhance our climate resilience, in a just and fair way To understand and support embedding climate considerations through procurement, including key corporate enablers, along with lessons that can be leveraged for other funding flows, including grants, please refer to: Scottish Procurement Policy Note Taking account of climate and circular economy considerations in public procurement: SPPN 3/2022 which: highlights that public bodies ‘should’ use their public procurement spend to support climate and circular economy ambitions, clarifying expectations aligns climate change reporting duties and current procurement policy and legislation to avoid duplication of effort; and provides practical support and guidance on how to do so Further source of support include: Sustainable Procurement Tools – these tools have been designed to help public sector organisations identify and address how they can optimise the economic, social, and environmental outcomes of their procurement activity training, hosted within the Sustainable Procurement Tools platform, includes access to Climate Literacy eLearning, which comprises of three modules: The Climate Challenge; Responding to the Challenge; and Taking Action - the demand led product is designed to encourage and assist public bodies to take account of climate and circular economy in their procurement activity	Response	Details/Verification
Sponsored Bodies 12.13 Procurement – Has your sponsored body made measurable improvements to contract Management? If yes, please provide details.	Guidance Notes Organisations should build into their contract management activities sufficient checks to ensure suppliers are meeting their contractual obligations. The purpose of Contract and Supplier Management is to work closely with suppliers and internal customers to: minimise the total cost of ownership to maximise Supply Chain efficiencies throughout the life of the contract Further details on Contract and Supplier Management and associated Managing and Improving Performance principles can be found on the Procurement Journey: Contract and Supplier Management \| Procurement Journey.	Response	Details/Verification
Sponsored Bodies 12.14 Property – how confident are you that your sponsored body plans strategic matters appropriately and consults the Property and Construction Division at least six months in advance (as early as possible) of any proposed changes or additions to their estate as per SPFM guidance?	Guidance Note For example, do you ensure your sponsored body appropriately plans strategic property matters and consults Property and Construction Division as early as possible in accordance with the SPFM guidance when required etc. Where appropriate, further guidance and support on property matters is available from Property and Construction Division and should be contacted as early as possible in the process. Guidance can be found here in sections on property and best value on the SPFM.	Response	Details/Verification
Sponsored Bodies 12.15 Property – how confident are you that your sponsored body considers the most cost-effective approach for proposed changes or additions to their estate, and fully considers the principles of the Single Scottish Estate Programme and Public Sector Reform whilst recognising the need to move towards a Net Zero estate, and keep within agreed budgets, as per SPFM guidance?	Guidance Note For example, do you ensure a comprehensive options appraisal is carried out, detailing the pros and cons of any option being considered, including the financial requirement to be within budgets as well as the business need, to support any proposal? How will you ensure that all options to reduce the estate and its cost are reviewed, and leases are ended when they expire or when break options arise unless an exception is approved in advance for exceptional circumstances? Are you ensuring progress is being made by your sponsored body towards a Net Zero estate? Guidance can be found here in sections on property and best value on the SPFM.	Response	Details/Verification
13. Compliance	Guidance notes	Response	Details/Verification
Compliance 13.1 How confident are you that you have processes in place to ensure compliance with applicable existing, new, and updated policies, procedures, laws, and regulations – including those referred to separately in this Checklist e.g., the SPFM and any other required Impact assessments outlined on Saltire in relation to Policy Development?	Guidance Note Processes might refer to desk instructions, local checklists, retention schedules and/or periodic management checks e.g., relating to the existence of statutory authority for expenditure and the holding/provision of information under the Data Protection and Freedom of Information Acts. The level of response should reflect the work of the division. (Guidance on Data Protection responsibilities, Impact assessments and FOI is available on the intranet.)	Response	Details/Verification
Compliance 13.2 How confident are you that you have appropriate arrangements in place to ensure staff are appropriately trained and supported to handle FOI and EIR requests in line with legislative requirements?	Guidance Note Processes might refer to desk instructions, local checklists, retention schedules and/or periodic management checks e.g., relating to the existence of statutory authority for expenditure and the holding/provision of information under the Data Protection and Freedom of Information Acts. The level of response should reflect the work of the division. (Guidance on Data Protection responsibilities and FOI is available on the intranet.)	Response	Details/Verification
Compliance 13.3 How confident are you that your staff are appropriately trained and aware of their Data Protection and information security responsibilities?	Guidance Note Training available for Data Protection and Information Security on the intranet.	Response	Details/Verification
Compliance 13.4 How confident are you that your staff are aware and appropriately trained for of their responsibilities under the UNCRC (Incorporation) (Scotland) Act 2024?	Guidance Note Training available for children’s rights on the intranet.	Response	Details/Verification
Compliance 13.5 How confident are you that you have processes in place to ensure compliance with legislative requirements for all statutory and non-statutory Impact Assessments listed on Saltire at the earliest possible stage in the development of all new, revised or strategically significant policies/activities/projects in your area?	Guidance Note This question relates to the duties under varied legislation to assess policies and strategic decisions for their impacts on various groups. Assessments in Scottish Government include the Business Regulatory Impact Assessment, Child Rights and Wellbeing Impact Assessment, Consumer Duty, legislative Data Protection Impact Assessment, Equality Impact Assessment, Fairer Scotland Duty, Island Communities Impact Assessment, and Strategic Environmental Assessment. Guidance on Impact Assessment responsibilities is available on the intranet. Processes might refer to desk instructions, local checklists, planned review at stages throughout or following policy development, sign-off arrangements and/or periodic management checks. Sign-off may be required at DD or Ministerial level depending on the Impact Aassessment.	Response	Details/Verification
Compliance 13.6 How confident are you that you have appropriate arrangements in place to ensure staff are appropriately trained or are aware of how to ensure delivery of all impact assessments with confidence and to a high standard?	Guidance Note This question seeks to find out if SG staff have the capability to ensure delivery of high-quality impact assessments. In answering this question, you should consider whether staff have had sufficient time, information, access to specialist knowledge, training, guidance, and support to enable that aim to be realised. In answering, you should be able to demonstrate how you are developing staff on an ongoing basis in this area. Appropriate arrangements might include questions for new staff to establish their level of understanding, regular team reviews of performance in IAs, or a register of relevant training and impact assessments completed by staff. Guidance on Impact Assessment responsibilities is available on the intranet.	Response	Details/Verification
Compliance 13.7 How confident are you that your staff are appropriately trained and aware of the statutory nature of impact assessments and their responsibilities for them, and able to access information and guidance as necessary?	Guidance Note This question seeks to find out if staff are appropriately aware of which impact assessments are required, on what basis, and under what conditions or criteria. Training is available on the learning portal for assessments including EQIA (Equality Impact Assessments) and CRWIA (Child Rights and Wellbeing Impact Assessment), as well as regular drop-in surgeries on impact assessments.	Response	Details/Verification
14. Review	Guidance notes	Response	Details/Verification
Review 14.1 How confident are you about the robustness of your arrangements for reviewing and improving the effectiveness and efficiency of controls in your area, and are you satisfied that controls in your area support your objectives?	Guidance Note You should be reviewing internal controls in your area at appropriate points in time e.g., when processes change, or operational shortcomings come to light. Has anything happened during the course of the financial year that has raised questions about the controls that you have in place? E.g., has the running of the regular financial monitoring exercises suggested any shortcomings? Have there been any particular queries that may lead to doubts about how the controls are operating? (Guidance on internal controls is provided in the main section of the SPFM on Certificates of Assurance.)	Response	Details/Verification
Review 14.2 How confident are you that you have a comprehensive picture (e.g., through an Assurance Map) of the sources of evidence underpinning your assessment of controls?	Guidance Note You should be reviewing internal controls in your area at appropriate points in time e.g., when processes change, or operational shortcomings come to light. Has anything happened during the course of the financial year that has raised questions about the controls that you have in place? E.g., has the running of the regular financial monitoring exercises suggested any shortcomings? Have there been any particular queries that may lead to doubts about how the controls are operating? (Guidance on internal controls is provided in the main section of the SPFM on Certificates of Assurance.	Response	Details/Verification
Review 14.3 Where objectives, risks and controls in your area have been subject to independent review, how confident are you that recommendations arising from these reviews have been acted on in a timely fashion?	Guidance Note You should provide details of any key weaknesses identified and the steps taken to resolve these. How confident are you that you and your staff are sufficiently aware of the types of independent review (e.g., Internal Audit, independent assurance and Gateway Review, ICT Assurance Review, Digital Scotland Service Standard, review by external consultants) to support your assurance, and of how to access them?	Response	Details/Verification
Review 14.4 Based on the assurances you have of whether your objectives, risk management and internal controls are being met and operating successfully, are there any key areas that would benefit from independent review?	Guidance Note N/A	Response	Details/Verification
15. Other Issues	Guidance notes	Response	Details/Verification
Other Issues 15.1 Apart from the issues raised above, are there any significant control matters or contentious issues arising in your area which could impact or adversely affect the signing of the Scottish Government Governance Statement by the Permanent Secretary?	Guidance Note Provide here details of any other control problems, specific to your area of responsibility, which you have encountered during the year.	Response	Details/Verification

For a downloadable version of the checklist please click here: Checklist

Page updated: February 2025

First published: 23 August 2024
Last updated: 31 March 2025 - show all updates
All updates: 31 March 2025
Update to footnote in the borrowing, lending, and investment section

19 March 2025
Updates to wording of Annex 2 Internal control checklist for Certificates of Assurance.

13 March 2025
New FGN note added - FGN 2025/03 financial memoranda that accompany Scottish Government bills.

6 March 2025
Updates to the following sections following SPFM Strategic Review: Foreword, Accountability (and annexes), risk and subsidy Control. Also the addition of FGN 2025/02 explaining the updates

25 February 2025
Link in point 23 of Settlement, Severance, Early Retirement, Redundancy section updated.

10 February 2025
numbering in Annex 2 Internal control checklist for Certificates of Assurance updated due to a typo

4 February 2025
Updated Annex 2 Internal control checklist for Certificates of Assurance, added FGN 2025/01 re CoA checklist and added in a word version of the checklist.

20 November 2024
updated missing text in document SPFM - Non-Ministerial Offices model framework document July 2024.

29 August 2024
Adding in FGN 2024/03 re the updated AO Spend Control Template and Guidance.

23 August 2024
Updating the SRO Appointment letter in the documents section to include a point on construction projects in the Annex.

9 July 2024
Executive agencies model framework document updated.

8 July 2024
Non-Ministerial Offices model framework document updated.

25 June 2024
Updating the SRO Appointment letter in the documents section to this years dates

20 June 2024
Updated link to 'On Board: A Guide for Members of Statutory Boards' within Governance statements chapter.

18 June 2024
Updates made to model framework document templates.

17 June 2024
Updates made to text within Procurement chapter.

23 May 2024
Replaced non-ministerial office model framework document and advisory non-departmental public bodies model framework with updated versions.

1 May 2024
Document updated with an additional date - Settlement Agreement supporting documentation - final confirmation of terms

5 April 2024
Replaced Non-Ministerial Offices model framework document

7 March 2024
Updates to the Settlement, Severance, Early Retirement and Redundancy section. The main section and Annex's A, B C have all been updated along with updated documents and a Finance Guidance Note to explain the changes

22 February 2024
Updated the Certificates of Assurance chapter, Annex 2 with the CoA checklist questions for 2023/24 and added a Finance Guidance note outling the changes.

8 November 2023
Updates made to proportionate due diligence wording, Accountable Officer tests guidance, risk exposure guidance, public bodies duties, monitoring and management, exit arrangements.

11 September 2023
Procurement chapter updated.

27 January 2023
Updated 'Major investment projects' paragraph 12 and the SRO appointment letter.

Thanks for your feedback

Information

Annex 2: internal control checklist

Certificates of assurance: Annex 2 - Internal Control Checklist

Section