
Scottish Public Finance Manual

The Scottish Public Finance Manual (SPFM) is issued by the Scottish Ministers to provide guidance on the proper handling and reporting of public funds.


Annex 2: internal control checklist

Certificates of assurance: Annex 2 - Internal Control Checklist

The contents of the internal control checklist are as follows:

Section

  1. Risk management
  2. Business planning
  3. Major investment
  4. Project management
  5. Financial management
  6. Fraud
  7. Procurement
  8. Human resources
  9. Equality and diversity
  10. Information
  11. Health and safety
  12. Sponsored bodies
  13. Compliance
  14. Review
  15. Other
     

1.  Risk Management

Guidance Notes

Response

Details/Verification

1.1 Risk Management Governance – How confident are you that the processes for the identification and management of risk in your area are defined, integrated, and embedded into your routine ways of working?

Your area’s approach to risk management should be defined and easily understood by all colleagues within your team. It is vital that there is a supporting structure and governance in place to ensure that the identification and management of risk happens as part of the way your team works. As a minimum, the structure for risk management will be defined at directorate level but, depending on the size and scale of your area, it may also be defined at lower levels e.g. divisions.

A ‘substantial’ level of confidence would look like:

  • a risk management approach or protocol document that sets out how risk is identified, reported, and discussed within the area, with references to SG risk guidance
  • roles and responsibilities for the identification and management of risk are defined
  • risk management activity is pinned to existing governance processes including management meeting cycles, reporting activity, etc.
  • links identified between risk management activity and other good governance activity e.g. delivery planning, project management, financial management, people management with outputs from these activities feeding into the identification of risks or supporting risk assessments (scoring), controls, and actions planned
  • activity and decisions around how risks are escalated and de-escalated are defined
  • the appointment of a risk champion for your directorate to support the implementation of risk activity on behalf of your Director
  • consideration given to proportionality to ensure risk management activity is in line with the size, scale, and scope of the area

(The SG Risk Guide section, Before you Begin: Risk Management Governance, is available on the intranet. General guidance is available through Risk Management in the SPFM.)

 

1.2 Objectives and Risk Identification - To what extent are you satisfied that there are processes in place to identify and manage risks to the delivery of your area’s business plans / priorities / objectives and that this information is reviewed on an on-going basis?

Your objectives should be the focus of any risk management information; risk identification needs to be undertaken with a clear strategy and clarity of purpose using a systematic method to ensure a complete risk profile is articulated. Risk identification is an important part of business/project planning, managing performance and prioritising effectively.

A ‘substantial’ level of confidence would look like:

  • a clear set of defined objectives or priorities including alignment to the Programme for Government
  • periodic formal risk identification sessions using a simple systematic tool for the identification of risk e.g. PESTLES or SWOT to identify both risks related to the delivery of policy / objectives as well as capability risks related to how colleagues work
  • regular, informal identification of risk throughout the year that considers and responds to the current and changing environment
  • utilising diverse perspectives from stakeholders, your teams, division, directorate, project, or programme and thinking about what arrangements are in place in your area to ensure that risk information is supporting your decision-making
  • using other risk assessment tools (e.g. Health and Safety risk assessments, security risk assessments, information asset risk assessments, counter fraud risk assessments) or Impact Assessments (e.g. Equality, Local Government, Business) to identify new or changing risks related to specific activities or specialisms
  • consideration of risk and objectives/priorities beside each other alongside other delivery or performance information
  • using available sources of data to support risk identification and prioritisation
  • conducting regular ‘deep dive’ activity on risks where there are concerns that the risk is not correctly articulated or being managed effectively
  • annual, full-scale review of identified risks to ensure they remain fit for purpose and aligned to your area’s objectives / priorities.

(The SG Risk Guide and Supplementary Guide: Identifying Risk are available on the intranet. General guidance is available through Risk Management in the SPFM.)

 

1.3 Risk Culture – How confident are you that risk management is a valued, important aspect of how you deliver on your objectives or priorities?

Having a clear understanding of why risk management is important and how risk management processes work within your areas is vital to ensuring that risk is actively identified and managed. Risk management activity should be led from the top and delivered by branch heads and team leaders.

A substantial level of confidence would look like:

  • deputy directors, branch heads, and team leaders understand their responsibilities and are actively involved in the identification and management of risk
  • the Risk Champion(s) within your directorate are known and utilised to support the development of your risk management approach
  • all risks, once identified, are assigned to an owner who has responsibility for ensuring that the risk is managed and monitored over time
  • colleagues at all levels have a clear understanding of the current risk landscape, are empowered to identify, and raise risks for discussion and emerging risks are recorded. Risk management is viewed as a continual learning process, good practice is shared and communicated allowing your teams to benefit from lessons learned in a project or programme
  • risk is discussed as a regular part of management/senior team discussions, lines of communication are clearly articulated and documented to ensure that relevant teams and colleagues are informed of further action, escalation, and the general outcome of discussions
  • risk escalation routes are clearly documented, and risk discussion forms a part of formal (and informal) management and team meetings, with information communicated in both directions to ensure common understanding and feedback on risk matters
  • feedback is provided and risk information is made available at all levels of your area so that colleagues understand what is happening and how risks are being managed.
  • the effectiveness of risk management arrangements and the use of risk management within your area is reviewed periodically and subject to continuous improvement; this may be led within your area and/or at directorate level

(The SG Risk Guide and Supplementary Guides for Roles and Responsibilities and Recording, Reviewing, Reporting and Escalating risk are available on the intranet. General guidance is available through Risk Management in the SPFM.)

 

1.4 Risk Learning - How confident are you that all staff have undertaken appropriate risk management training commensurate with their role and responsibilities?

Ensuring all staff have the right level of skills and training to ensure effective engagement with the risk management process is important. Everyone in the organisation has a role in helping to identify and manage risks, therefore it is essential that all staff have a basic understanding of risk management policy and process.

A substantial level of confidence would look like:

  • all staff within the core SG should have, at minimum, completed the mandatory SG Risk Management eLearning; your confidence level should reflect the published stats for your area (these can be obtained from your risk champion)
  • key staff with particular responsibility or interaction with risk management have been identified within your area
  • colleagues with particular responsibilities for risk management should have identified where they may require further training, learning or support as part of their development plan (in line with SG performance management guidance) OR be able to demonstrate that they have undertaken further training / learning or have appropriate levels of experience in risk management
  • Risk Champions have completed appropriate learning as set out in the Risk Champion Role Guide available on the intranet
  • where your area has project managers, they have (or are working towards) relevant qualifications or certifications in project management skills, including in relation to risk management
  • where necessary, key staff may have undertaken equivalent training from external training providers such as CIPFA, the Institute of Risk Management (IRM) or Management of Risk (MoR) qualification
  • to improve risk management across the area, lessons learned exercises are undertaken to learn from perceived failures (e.g., an unforeseen risk or a crystallised risk which turned out more damaging than expected) and instances where risks have been managed well, to see whether there is anything to be gained by repeating effective techniques elsewhere
  • output from Risk Management Maturity Exercises or Internal Audit reviews that have been accepted and implemented. Information on the implementation of risk maturity recommendations can be sought from your directorate risk champion.

(The SG Risk Guide is available on the intranet. General guidance is available through Risk Management in the SPFM.)

 

1.5 Recording and Reviewing Risk – How confident are you that risk management activity in your area is recorded, reviewed, reported, discussed, and, where required, escalated to the appropriate level?

Good risk management means documenting and assessing identified risks, implementing controls and actions to reduce risks to within agreed levels. Risk documentation must be reviewed regularly to ensure that appropriate action is being taken and progress documented as well as new risks identified. Risk Registers should be a dynamic means of recording risks. Reporting on risks should be undertaken on the basis of proportionality (i.e. with recognition of the size and scale of your team) and should include analysis and ask key questions of risk owners – it should not always be a review of the risk register.

A substantial level of confidence would look like:

  • risks to the delivery of your area’s objectives are recorded on a risk register that you hold within your area or that is held at directorate level, in line with the SG Risk Guide
  • risks are reviewed with a regularity that is proportionate to the size, scale, and complexity of your area’s deliverables and that the frequency of review is reconsidered throughout the year to ensure it remains proportionate
  • risk information forms part of wider management information and is considered alongside other forms of assurance reporting, e.g. financial information, delivery progress, performance, people information
  • consideration is also given to specialist risk areas or the output of any impact assessments or risk assessments (e.g. EQIAs, health and safety, counter fraud) to ensure that risks in these areas are also considered, recorded centrally, and discussed regularly
  • you routinely look across your risk landscape and perform deep dives on key risks
  • in larger / more complex areas, risk reporting is used to target risk discussions and highlight key risks for management attention, including discussions and scrutiny of controls, actions, target scores and dates
  • processes in place to escalate key risks ensuring effective communication, increasing awareness of the risk, and highlighting where more senior supportive action is needed – this might be from your team / divisional level to directorate or from your directorate level up to your DG SMT
  • lines of communication are in place to ensure that relevant teams and colleagues are informed of further action, escalation, and the general outcome of discussions
  • decisions are informed by the risks held in your area and consideration given to the impact that decisions might have on other risks that you hold (or that might give rise to new risks)

(The SG Risk Guide and Supplementary Guide: Recording, Reviewing, Reporting and Escalating risk are available on the intranet. The Standard Risk Register Template is also available on the intranet. General guidance is available through Risk Management in the SPFM.)

 

1.6 Risk Appetite - How confident are you that the SG’s Risk Appetite approach (and any DG level guidance) is considered when identifying and managing your area’s risks?

Risk appetite is a key component of risk management as it articulates the level of risk that the organisation is willing to accept in pursuit of its objectives. Risk appetite statements have been articulated at SG level for the broad categories of risk included in SG risk register templates. Some DGs have decided to articulate separate appetite statements for some of the categories to provide specific advice within their own area.  

A substantial level of confidence could look like:

  • colleagues across your area and, in particular, risk owners are aware of and have a clear understanding of the concept of risk appetite and the SG’s approach to risk appetite and levels for each risk category
  • similarly, where DG-specific appetite statements have been articulated, there is an awareness and understanding of these statements and the levels set for the DG (if different)
  • risk appetite levels are used to help identify risks that may need to be recorded on risk registers (e.g. where the level of risk associated with a particular risk category is higher than the agreed appetite level)
  • risk categories are correctly applied to each risk in your risk register or risks that you own on directorate or other risk registers in operation within your area / the SG
  • target risk scores are informed by risk appetite levels and controls / actions identified to bring the risk down to the agreed level of appetite
  • where the appetite level cannot be achieved, this is the subject of discussion at management or leadership meetings to identify additional actions, to support decision making and/or to determine whether the risk should be escalated to the next level for more senior discussion and oversight

(The SG Risk Guide and Supplementary Guide: Risk Appetite are available on the intranet. The SG’s approach to risk appetite is set out in the SG Risk Appetite Pack on eRDM. General guidance is available through Risk Management in the SPFM.)

 

2.  Business Planning

Guidance Notes

Response

Details/Verification

2.1 How confident are you that your business objectives clearly align with your division’s high-priority objectives and the National Outcomes, and that you can demonstrate this alignment within your Directorate business plan?

You should have clear business objectives which are linked to key National Outcomes as outlined in the National Performance Framework and where appropriate the Programme for Government as early as possible in the process so that appropriate advice can be provided.

Business plans should be refreshed on a one-year cycle but should include indications of how the business plan will develop over the following two years. Business Plans should also inform risk management information. Confidence levels should be shaped by:

  • your business objectives/SMART targets are reflected and documented in the Divisional Plan and via staff performance appraisal forms at all levels as appropriate
  • plans provide a clear link (golden thread) to your Directorate’s Plan, provide a clear set of priorities and are deliverable within your agreed budget and workforce allocation.

 

2.2 How confident are you that your objectives have been translated into short, medium and long term measurable targets of both Business-as-Usual service delivery (e.g., FOI performance) and Scottish Government priorities (e.g., Programme for Government deliverables, against which performance and progress are measured)?

New initiatives or spend, or changed systems should normally be discussed with Finance, Procurement, and Internal Audit colleagues before proposals are finalised. All property requirements (including lease events, acquisitions and disposals or investment, including investment in significant works in a leased building) should be discussed with Property and Construction Division for advice as early as possible.

For change initiatives managed as projects or programmes, section 3 (major investment) or 4 (projects) should be completed. The Approaches and methodologies toolkit provides some guidance on the difference between Business as Usual and projects.

Teams should utilise the AO templates for spending decisions per approval limits.

The Strategic Organisational Change Team can advise colleagues planning to undertake change and improvement work aligned to In the Service of Scotland, and signpost colleagues to additional support available within the Scottish Government.

(Guidance on the Role of Finance is available on the intranet and the SPFM. General guidance on Procurement and Internal Audit is also available in the SPFM.)

 

2.3 How confident are you that there are clear plans for how your division will contribute to Directorate change and improvement plans – aligned with the In the Service of Scotland mission, vision and values?

This question seeks to find out if the relationship between inputs, outputs and outcomes is being applied in developing business and staff performance measures. Our vision - 'In the Service of Scotland' - provides a strategic framework to help direct our change and improvement activity to enable the organisation to operate successfully in an uncertain and evolving world.

Additionally, guidance on Performance Management is available on the intranet.

 

2.4 How confident are you that you receive timely, relevant, and reliable performance and risk reports, and take corrective action when needed?

This could take the form of regular reports prepared for consideration at progress meetings or updates provided in the context of regular meetings with managers. Corrective action might involve the reprioritisation/reallocation of resources (budgets and staff) and the reordering of key business priorities.

 

2.5 How confident are you that your business plan informs your financial, workforce, and operational plans and prioritisation?

This could be demonstrated whereby the business plan is used as a reference document when considering new requests that come in to identify opportunity cost and prioritisation advice. There should be a connection between the items in the business plan and assumptions for finance, people and operational decision making – whereby delivery identified within the business plan has resource allocated within financial and workforce plans, and operational plans about where people are deployed to accommodate the deliverables and schedule within the business plan.

 

2.6 Do you have a business continuity plan for the critical functions of your business area, as identified through a business impact analysis, which has been reviewed, updated, and exercised in the last year?  

Every directorate should have a business continuity plan. Every division must ensure their functions are reflected in the directorate plan or in their own divisional plan, if appropriate.  

The plan should describe how essential business across the directorate would carry on in the event of disruption to staff, building access, systems such as information communications technology (ICT), data, or organisations you depend on (such as suppliers). These plans should include robust communication (e.g., sign up to GroupCall as well as local business area arrangements) and incident management arrangements.  

A business impact analysis should be used to determine the critical functions of the directorate and the maximum tolerable period of disruptions and recovery time objectives for these functions. It should identify what is required to carry out those functions (staff, buildings, systems including ICT, other organisations such as suppliers).  

Plans should be reviewed, updated, and exercised at least annually or more frequently to accommodate change in: personnel; responsibilities; priorities; working practices; processes; procedures; the external and internal operating environment; to apply lessons learned.   

Guidance and support for local business continuity planning activities can be requested from the Security and Business Continuity Unit. Guidance and templates are available on the intranet.

 

2.7 Do you have disaster recovery plans in place for serious disruption to ICT systems for which you are responsible?  

Disaster recovery plans should aim to prevent or minimise data loss and business disruption from serious disruptions to your ICT systems. Providers of services have a responsibility to ensure that plans are in place for dealing with systems failure, including both to continue to provide critical services to users and to recover affected systems. Plans should take into account the recovery time objectives and recovery point objectives identified through a business impact analysis. Your recovery plans should be tested regularly to ensure they are fit for purpose and meet your needs in the event of a loss or disruptive event.

 

3.  Major Investment

Guidance Notes

Response

Details/Verification

3.1 Has your area been responsible for the initiation or delivery of one or more major projects or investments during the past financial year?

Major investments are defined in the Major Investment Projects section of the Scottish Public Finance Manual (SPFM) but can also be defined as initiatives that:

  • have a total anticipated whole-life (capital or revenue) cost of £5 million plus inclusive of fees and VAT or is above your delegated authority limits or
  • could create pressures leading to a potential overspending on portfolio budgets or
  • would entail contractual commitments to significant levels of spending in future years for which plans have not been set or
  • could set a potentially expensive precedent or
  • will be challenging to deliver within existing resources and capability and/or
  • represents a material level of expenditure and/or
  • will have a material ongoing financial impact or
  • is novel, and/or contentious and/or complex, or
  • could impact on the delivery of a Programme for Government commitment or
  • requires primary legislation

All Major Investments must adhere to the guidance in the SPFM, and its key principles should be adopted in relation to all investment projects.

Any property and construction procurement requirements should be addressed at least one year in advance of budget and planning and advice sought from Property and Construction Division. Engaging with Property and Construction Division as early as possible in the process, such as 2 years in advance where possible, is recommended.

 

3.2 How confident are you that your project’s governance arrangements align with the Scottish Government’s strategy and sector specific governance procedures?

Relevant procedures include the following:

  • declaring all new major investments to the Portfolio, Programme and Project Assurance Hub by submitting a completed Risk Potential Assessment form (see question 3.3)
  • ensuring all projects meeting the ‘Major’ threshold above are reported quarterly through the Major Projects Register
  • issuing the SRO (Senior Responsible Owner) with an appointment letter, confirming their responsibilities and the aims, objectives, timescales, and funding arrangements for the project
  • putting arrangements in place to address each of the SG’s Programme and Project Management (PPM) Principles. Information to help with this can be obtained from the PPM-CoE
  • for construction and infrastructure projects, complying with the guidance in the Client Guide to Construction Projects. Further guidance and support are available from the Scottish Government’s Construction Procurement Policy Unit
  • for IT and digitally enabled projects, registering the project with the Digital Assurance Office and complying with the Technology Assurance Framework; including compliance with the Digital Scotland Service Standard for new digital public services and Scottish Government corporate systems

 

3.3 How confident are you that you have assessed your project(s) in line with the SG’s assurance procedures and engaged with the appropriate assurance process?

Relevant procedures include the following:

  • submitting the completed Risk Potential Assessment to the SG’s Portfolio, Programme and Project Assurance Hub for review of your project’s assurance needs
  • actively engaging with corporate assurance providers, taking advice on board, and promptly acting on review recommendations
  • major infrastructure projects over £20 million in value, or of critical importance/unusual scale or nature to the procuring organisation, or revenue funded, or procured through competitive dialogue, may require Key Stage Reviews (KSRs) during key procurement stages - KSRs are undertaken by the Scottish Futures Trust

 

3.4 How confident are you that you have an up-to-date case for change (e.g., business case) that is appropriate for the stage in the project life cycle you are in, demonstrating continued strategic alignment, viability and value adding, and providing business justification for each project?

You must be able to demonstrate the on-going justification of the need for your project and should regularly review the case for change to ensure its currency. Your business case should encompass relevant data from impact assessments, benefit measures, delivery approaches and optimism bias to allow a proportionate evaluation.

For projects including a procurement element, you must also be able to demonstrate compliance with the Procurement Section of the SPFM.

For a construction and/or infrastructure project, you must be able to demonstrate compliance with the Client Guide to Construction Projects. Further guidance and support are available from the Scottish Government’s Construction Procurement Policy Unit.

For property and construction procurement requirements, you must be able to demonstrate compliance with the Property Section of the SPFM and/or the Client Guide to Construction. Further guidance and support are available from Property and Construction Division who should be contacted as early as possible in the process.

 

3.5 How confident are you that you have assessed your capacity to deliver projects and know when and how to secure specialist resources?

The SRO (Senior Responsible Owner) must be appointed at the earliest possible stage of the project. Clear roles and responsibilities should be assigned, and levels of delegated authority should be clearly identified and agreed. These should be documented in formal letters of appointment between the Investment Decision Maker and the SRO and between the SRO and various post holders within the Project Management Structure.

You should ensure that people appointed to positions within the project’s governance and management structure have the skills, experience, and knowledge necessary to fulfil their role, using existing performance management and PLP arrangements in accordance with question 8.1.

All major projects should have undertaken a PPM Maturity Self-Assessment, and these should be reviewed periodically. Where additional assurance of capacity or capability is required, an early capability checkpoint review is available from the Portfolio, Programme and Project Assurance team.

You should have engaged with relevant professions or cross-functional teams in the planning and scoping stages of your project to ensure they can help inform opportunities and risk assessments at the earliest opportunity to maximise successful outcomes. For example, have you engaged with the following for advice and guidance, and to embed their expertise in your planning, business case, and risk & impact assessment, enabling a whole system approach?

  • Finance Business Partners on funding, budgetary or grant management considerations
  • the Scottish Procurement and Commercial Directorate on driving commercial and sustainable outcomes through procurement, commercial and/or property or construction projects
  • Digital DATS on digital and agile skills and approaches
  • People Directorate on HR considerations
  • Economists, Legal, etc as required

Internal and external specialist resources required for the successful delivery of the project should be identified and secured at planning stage. For consultants, you must comply with the Scottish Government Consultancy Procedures in accordance with COA question 7.5.

 

3.6 How confident are you that you have put all necessary arrangements in place to assess the realisation of benefits and capture lessons from the delivery of your project(s)?

Necessary arrangements include:

  • ensuring that benefits are identified, plans for the realisation of benefits are put in place, and delivery of benefits is measured to demonstrate that the intended return on investment is being achieved. The IPA has published a “Guide on Effective Benefits Management in Major Projects”
  • capturing lessons during the project lifecycle and sharing as appropriate. The Lessons Toolkit provides some guidance on how to capture lessons
  • formal contract management arrangements should be put in place, where appropriate including the identified benefits, and implementing the SG’s contract management handbook guidance including recording, monitoring, and reporting KPIs

Ensuring that:

  • a Post Project Review is carried out to establish how well the project was managed and benefits realised (Gate 5 Review – Operations Review and Benefits Realisation)
  • post Implementation Reviews (also known as Post Occupancy Reviews for construction projects) to establish if the original project objectives are being achieved are carried out. This review is likely to be repeated
  • all feedback is used to inform future project delivery

 

4.  Project Management

Guidance Notes

Response

Details/Verification

4.1 Has your area been responsible for one or more projects - other than major investment projects – during the past financial year?

This section covers all projects and investments not covered by the SPFM definition of a major investment project, including digital, business transformation, infrastructure and/or new or changing policy or legislative programmes.

The Programme and Project Management Centre of Expertise (PPM-CoE) library of support provides a range of guidance and support to help you provide a proportionate approach to project delivery.

 

4.2 How confident are you that your project’s governance arrangements align with the Scottish Government’s strategic and sector specific procedures?

Projects should take a proportionate approach to employing an enabling governance regime based on the principles contained within the major project section of the SPFM. Scottish Government’s Principles for Programme and Project Management set out a framework of activities that should be embedded to enable and control projects.

 

4.3 How confident are you that you assessed your project(s) in line with the Scottish Government assurance procedures and engaged with the appropriate assurance process?

Relevant proportionate procedures include the following options:

  • completing the Risk Potential Assessment (RPA) Forms, available from SG Portfolio, Programme and Project Assurance Hub, to determine the potential complexity and risk of your project(s)
  • submitting the completed RPA to the SG’s Portfolio, Programme and Project Assurance Hub
  • engaging in peer review of your projects or aspects of it
  • registering the project with the Digital Assurance Office and complying with the Technology Assurance Framework; including compliance with the Digital Scotland Service Standard for new digital public services and Scottish Government corporate system

 

4.4 How confident are you that you have an up-to-date case for change (e.g., business case) demonstrating continued strategic alignment, viability and value adding, and providing business justification for each project?

All projects should articulate an accurate and up-to-date justification, proportionate to the size of the investment. The five cases of the UKG’s Treasury Model should be identifiable though the document may vary in size and complexity.

 

 

4.5 How confident are you that you have assessed your capability and capacity to deliver your project(s), knowing when you need specialist resources and how to secure the specialist resource?

Projects should not be entered into without a viable route to the appropriate capacity and capability to deliver in line with the Management Case of the above model. 

All projects and project areas are encouraged to undertake a regular PPM Maturity Assessment and plan activities required to close any gap between actual and desired/targeted PPM maturity.

 

 

4.6 How confident are you that you have put all necessary arrangements in place to assess the realisation of benefits and capture lessons from the delivery of your project(s)?

Benefits should be specifically described, and measurements applied, and then actively managed to ensure the purpose of the investment can be adequately justified before and during delivery, then measured and assessed post-project, and maximum value can be achieved from the investment.

Projects are learning organisations, and they should put proportionate arrangements in place to identify and gather knowledge to improve their delivery and the delivery of other projects across the SG. 

 

 

5.  Financial Management

Guidance Notes

Response

Details/Verification

5.1 How confident are you that all policy proposals have a documented business case and that relevant partners (Finance, Procurement, Property, Internal Audit) are involved early and kept informed of developments?

Finance should also be consulted on any novel or contentious spending proposal, in line with the requirements outlined within Financial accountability and assurance guidance on the intranet (including consideration of whether an AO Assessment would apply) and any matter which includes issues of financial propriety and regularity. The need to consult Finance might also be included in induction material and local desk instructions. We recommend that the relevant UK guidance such as the Green Book is also consulted as part of any policy proposal alongside the SG approach to Risk Management.

Where appropriate, further guidance and support on property and construction procurement matters is available from Property and Construction Division who should be contacted as early as possible in the process.

 

5.2 How confident are you that you follow finance policies and procedures, about how financial matters are handled within the area, including guidance to ensure that proper and accurate accounting records are maintained and entries in them are properly authorised, and that processes are in place for regular monitoring of compliance with these instructions?

Central policies and procedures and the key principles of the SPFM should be followed. Instructions should be in place covering the arrangements for entering into commitments and for approving and processing the resultant payments, including VAT – and ensuring adequate separation of duties. This may also cover other matters such as delegated authorities, budget monitoring procedures and the requirement to consult Finance on all proposals that may have resource or other finance related implications. If appropriate, local instructions should be in place for any specific exceptional processes relevant to your particular area, if not already covered in central guidance and systems above.

Monitoring of compliance should be supported by regular management checks and the consideration of financial matters at regular meetings with your managers. The response to this question needs to reflect both the provision of information needed for accounting purposes and for cash management purposes. The response should also take into account the controls in place within your area to ensure that adequate authorisation controls are being adhered to. 

 

5.3 How confident are you that all staff with budgetary responsibility have written delegated authority and the appropriate skills and training to discharge their responsibilities for managing public money?

Delegated financial authority (i.e., where members of your staff have full responsibility for budgets and take decisions without having to refer upwards) will not be appropriate in many divisions but where it is you should provide details of the broad arrangements e.g., set out in desk instructions, financial responsibility statements. This is separate from Delegated Purchasing Authority (DPA). The authority required to make and authorise payments and the authority to purchase are also separate authorities.

(General guidance on Delegated Authority is available in the SPFM. Guidance on the Scheme of Delegation is available on the intranet.)

(Guidance on Budget and Financial Management is available on the intranet under Financial Accountability and Assurance and the Digital Learning Platform.)

 

5.4 How confident are you that there is adequate segregation of duties where required and that staff are properly trained in these responsibilities? Please detail in the comments section how this is achieved and monitored.

Confidence levels will be shaped by the strength of policy and procedures applied to activities such as authorising and processing payments and receipts or awarding grants.

The requirement for appropriate segregation of duties is included in a number of sections of the SPFM, notably those covering Expenditure and Payments and Income Receivable and Receipts. This covers all staff involved in the financial process. The level of knowledge and training should be related to the part played by the individual in the financial process. All staff with responsibility for entering into contracts, raising purchase orders, or issuing invoices etc. should have a knowledge of the rules relating to VAT and the ability to recover and or charge VAT.

Note that this is separate from the authority required to add/amend suppliers and make and authorise payments within the relevant finance system.

 

5.5 How confident are you that you ensure that Finance (and Property where applicable) are informed of any changes to assets as they arise and that Financial records are kept up to date to reflect the assets held in your area?

Capitalised expenditure (PPE and Intangibles) must meet the approved corporate thresholds and definitions and be supported by Asset Addition forms. Any disposal of previously capitalised assets should be recorded correctly in corporate finance systems and supported by Asset Disposal forms. Further guidance is available from the Non-Current Accounts team and on the intranet. Where appropriate, further guidance and support on property matters is available from Property and Construction Division who should be contacted as early as possible in the process.

 

5.6 How confident are you that you have arrangements to ensure that all assets for which the area is responsible are properly managed and safeguarded? Please detail how you ensure this.

This will include assets meeting capitalisation thresholds and definitions and included on the central asset register, and those assets on a locally maintained inventory of valuable and attractive items. The response should consider safeguards such as those against unauthorised use or disposal.

(Guidance on Property Management and Fraud is available in the SPFM.) Where appropriate, further guidance and support on property matters is available from Property and Construction Division, who should be contacted as early as possible in the process.

 

5.7 How confident are you that you have effective arrangements in place to ensure that you are managing and monitoring any money due to the Scottish Government? (This includes money being collected within reasonable timescales, and procedures being written with reference to the SPFM and the relevant finance system policy and reviewed and updated regularly.)

Further detail on Debt recovery can be found on the intranet and Income receivable and receipts section of the SPFM.

Staff should be trained in local procedures/arrangements which should be reviewed and kept up to date. Confidence levels will be shaped by the strength of procedures surrounding:

  • any relevant Statutory Authority for fees and charging and associated VAT
  • appropriate accounting treatment and budgeting treatment of income, receivables, receipts, and internal transactions
  • adequate segregation of duties
  • credit control and the relevant monitoring and management
  • debt recovery and uninvoiced income
  • EC Receipts, Excess Receipts, designated receipts, NLF repayments and recoveries from the SCF

 

5.8 How confident are you that you have procedures in place for timely and effective monitoring and reviewing of financial information and budgets for which you are responsible to ensure that finance systems are updated in line with central finance deadlines?

The response should reflect the following:

  • measures to ensure that financial systems contain accurate and up to date information
  • measures to monitor the security of financial information
  • local arrangements for monitoring and reviewing operating costs and programme budgets
  • local arrangements to ensure staff are adequately trained in EPM to ensure its benefits are fully derived
  • measures should include regular management checks. Arrangements for reviewing budgets should be consistent with re-profiling information returned to Finance. (Guidance on Budget and Financial Management is available on the Learning Portal)

 

5.9 How confident are you that you have procedures in place to ensure that budgets are regularly reviewed throughout the year and that budget transfers are completed, authorised and processed on finance systems in line with corporate finance deadlines?

You will wish to consider here the mechanisms in place for communicating budgetary information both at the beginning of the year and changes made in-year. Transfers should be confirmed and processed as soon as you are aware of them in order for finance systems to reflect the most up to date budget position, improving financial reporting. This would also cover the transfer of funds between one area and another or between the centre and your area.

 

5.10 How confident are you that you regularly review internal financial reports which report actual against budget outturn and discuss progress with your director or equivalent on how to ensure this is achieved in line with corporate finance deadlines and what action is to be taken following financial review to ensure a balanced budget is achieved?

The review of the regular financial reports needs to take account of both forecast outturn positions and year-to-date actual costs against profiled budget spend.

 

5.11 How confident are you that the Subsidy Control Unit is consulted at the earliest possible stage on all proposals that may have subsidy implications?

Guidance on Subsidy Control procedures is included in the SPFM. Further detailed guidance is available from the Subsidy Control team.

 

5.12 How confident are you that any grant proposals and payments comply with the guidance in the SPFM and internal guidance?

The section of the SPFM on Grant and Grant in Aid includes references to checklists covering the grant proposal, application and assessment processes as well as a Model Offer Grant Letter template. SG Grant Management guidance can be found on the intranet and support from the Grants Capability & Assurance and/or Commercial Value for Money Teams should be sought (where required) on grant design.

All grant disbursement (payment) is required to be made in corporate systems. Applicable staff are required to comply with policy and guidance found on the intranet.

 

5.13 How confident are you that the grants awarded are documented in a Model Offer Agreement that illustrates its link to policy outcomes (including, but not limited to, the National Performance Framework and, where applicable, any Programme for Government commitments) and sets out how the grant is expected to contribute to achieving its outcome(s) together with the approach to monitoring and evaluation?

The Model Offer letter shall be used to document the specific outcomes the grant is planning to achieve. Business areas shall consider (where appropriate) how the grant spend will contribute to other key policies and initiatives as detailed in local guidance – guidance on grant making can be found on the intranet.

The Model Offer Letter should include (at a minimum):

  • what public spending supports
  • what these aims are to achieve
  • the contribution the grant is expected to make to National Outcomes and evidence for this
  • how plans are being delivered (including milestones and expectation of the grant recipient)
  • the impact this is having
  • the approach to monitoring the grant in line with the above

 

 

5.14 How confident are you that all of your staff who are involved in the management of grants have the skills and training to allow them to manage their grants effectively?

Ensuring key staff have the right level of skills and training to ensure effective engagement with the grant management process is key. Confidence levels should be shaped by the following:

  • staff should complete the Grants Process Training available on the SG learning portal
  • staff regularly refer to the grants guidance on the intranet before commencing any grant award and throughout the lifecycle of their grant scheme/project/programme. Where in doubt, staff are to engage with the Grants Capability & Assurance Team for support on adhering to the SG Grant Policy
  • staff involved in grant management have at minimum undertaken the SG Due Diligence-Grants Process eLearning on the SG learning portal
  • DG Grant managers are engaged with the Grants Managers network on Viva Engage
  • your grant managers are actively sharing lessons learned within the business area from experience
  • staff who disburse grants either as a ‘Preparer’ or ‘Approver’ must complete mandatory training prior to using the system

 

5.15 How confident are you that you have procedures in place to monitor any Losses, Special Payments, and Gifts in year?

Losses, Special Payments, and Gifts should be disclosed each year. The SPFM includes guidance on Losses and Special Payments and Gifts giving guidance on the various types of Losses, special payments and gifts and the approval process. You should ensure the guidance is followed to correctly report any of these transactions. Where appropriate, further guidance and support can be obtained from a Finance Business Partner or the Financial Accounts team.

 

 

5.16 How confident are you that you have year-end procedures in place to ensure all Annual Accounts returns are completed in a timely and accurate manner?

There are various returns due to finance as part of the annual accounts process. You should have procedures in place to ensure that information requested can be provided to Finance in an accurate and timely manner. Information requested will be used to ensure income and expenditure are recorded in the appropriate financial year and that any assets or liabilities of the Scottish Government are reviewed and appropriately accounted for. This includes consideration of committed and contingent balances (Contingent Liabilities, contingent assets), indemnities and guarantees.

Confidence levels can be shaped by:

  • having an embedded finance team or person who undertakes these key processes for your area
  • ensuring that those staff have the appropriate qualifications/training to undertake this activity
  • the team or staff member has established clear links with the relevant finance team/FBP etc.
  • accurate and timely Period End processes have been completed throughout the year

 

5.17 How confident are you that staff with electronic Purchasing Cards (ePCs) are fully aware of their responsibilities to monitor compliance and meet the ePC policy?

Monitoring of compliance should be achieved by monthly management checks at meetings with your managers, considering the requirement and suitability of using ePC for purchases (were goods received, are contracts for similar products in place, are suppliers set up on corporate systems and does the expense description match the goods/services purchased).

Guidance on ePC is available on the intranet.

   
5.18 How confident are you that staff are complying with the ‘prompt payment of suppliers’ process to meet the 10-day payment commitment?

Relevant guidance regarding the prompt payment of suppliers’ policy must be brought to the attention of staff periodically and/or in reviewing training requirements.

This should include:

  • Raising a purchase order as soon as the goods or services are required
  • Accurately receipting the purchase order as soon as the goods or services are delivered and not before
  • Suppliers sending invoices directly to the Accounts Payable unit specified on the purchase order
  • Where invoices are received by a business area, forwarding these promptly to the relevant Accounts Payable unit
  • Raising any discrepancies promptly with the supplier
   

6.  Fraud

Guidance Notes

Response

Details/Verification

6.1 How confident are you that operational managers and all members of staff within your area are aware of their responsibilities with regards to the prevention and detection of Fraud (including Cyber Fraud)?

Confidence levels should be shaped by:

  • awareness of the relevant guidance in the section on Fraud in the SPFM which might be brought to the attention of staff periodically and other relevant local guidance – the Scottish Government (SG) has a comprehensive guide on the intranet
  • the linking of induction materials to the relevant internal guidance on fraud prevention – there is a comprehensive guide on the intranet
  • within the SG ensuring that staff have undertaken relevant SG Counter Fraud e-learning and Civil Service Learning courses on fraud prevention for staff and managers
  • established Fraud Management Procedures (linked to a Counter Fraud Management Strategy) documented and accessible to staff
  • instances of fraud being appropriately and systematically recorded and reported to Governance and Risk and the Counter Fraud Service where applicable and the relevant Audit/Assurance Committee

Unless separate prescribed procedures are in place, any suspicion of fraud (internal or external) should be reported to the SG Counter Fraud Service via counterfraudmailbox@gov.scot

 

 

6.2 Have you had any cases of fraud or suspected fraud within your area in the last year?

Fraud cases and suspected fraud cases should be reported in accordance with the Scottish Government Fraud Guidance on the intranet. Please highlight in your response if the fraud or suspected fraud was reported to the Fraud Response Team.

Unless separate prescribed procedures are in place, any suspicion of fraud (internal or external) should be reported to the SG Counter Fraud Service via counterfraudmailbox@gov.scot

 

 

6.3 How confident are you that cases of fraud and suspected fraud in the last year have been reported and recorded accurately?

Fraud cases and suspected fraud cases should be reported in accordance with the Scottish Government Fraud Guidance. Please highlight in your response if the fraud or suspected fraud was reported to the Fraud Response Team.

Unless separate prescribed procedures are in place, any suspicion of fraud (internal or external) should be reported to the SG Counter Fraud Service via counterfraudmailbox@gov.scot

 

6.4 How confident are you that you have identified and documented the fraud and corruption risks specific to your area, by way of Counter Fraud Toolkit templates or alternative documented assessment, ensuring that, where needed, risks are mitigated with appropriate control activities?

Confidence levels should be shaped by:

  • exercises carried out to determine risk levels as per the section on Fraud within the SPFM and returned to the Counter Fraud Service 
  • risk registers contain reference to fraud and corruption risks and corresponding control activity where appropriate, with active monitoring of these risks
  • ensuring that control activities or improvement plans, are explicit in their targeting of fraud risks and gaps in assurance relating to fraud risk
  • fraud risks are periodically reviewed and updated in terms of increased/decreased fraud threat due to external or environmental factors affecting inherent fraud risk

 

6.5 How confident are you that when new grant schemes or other spend programmes are being developed you ensure you are considering whether fraud prevention measures need to be built into your plans, based on appropriate documented assessment of fraud risk?

Within grant schemes, particularly those involving third-party relationships, confidence levels should be shaped by:

  • awareness of the fraud procedures in place within prospective funding recipient’s business processes
  • ensuring appropriate due diligence checking has been undertaken on applicants to ensure they are legitimate recipients
  • appropriate criteria for determining eligible expenditure are in place
  • payment in advance of need is appropriately assessed and approved by your finance business partner
  • throughout the grants process, decisions, key documentation, and evidence should be appropriately recorded to ensure an effective audit trail. This will ensure that you can evidence decisions made and support any internal or external review. You should use the audit trail checklist to ensure you have all the appropriate documentation to support your grant
  • from 01 October 2024, SG core staff who disburse grants either as a ‘Preparer’ or ‘Approver’ must complete mandatory training prior to using the system as directed by the Award to Pay Policy

Within other spend confidence levels should be shaped by:

Unless separate prescribed procedures are in place, any suspicion of fraud (internal or external) should be reported to the SG Counter Fraud Service via counterfraudmailbox@gov.scot

 

7.  Procurement

Guidance Notes

Response

Details/Verification

7.1 How confident are you that the Scottish Procurement and Property Directorate (SPPD) (including DPOs) is consulted from the earliest possible stage on any business case proposals that may involve procurement, commercial and/or property activity?

Guidance on the role of the Scottish Procurement and Property Directorate (SPPD) (including DPOs), guidance on Buying and contract management and the Security Questionnaire is available on the intranet. The need to consult SPPD might be included in induction material and local desk instructions. Procurement is also covered in the SPFM.

SPPD must be consulted early on any novel or contentious spending proposal and any matter which includes issues of procurement and/or property propriety or regularity and in all instances where purchasing support will be needed from SPPD. For all major programmes and large funds this means involvement in the drafting of Strategic Outline Cases. For initiatives of any size that will involve the third or private sector distributing funds on ministers’ behalf, this means engaging SPPD during policy design. Where appropriate, further guidance and support on property matters is available from Property and Construction Division who should be contacted as early as possible in the process.

 

 

7.2 How confident are you that you have sufficient access to staff with Delegated Purchasing Authority (DPA) to meet your business needs?

DPA is the authority from the Director of Procurement and issued on a personal basis to permit permanent SG members of staff to enter into a contract for goods, services and works and oversee the process leading up to and including the award of a contract. It should not be confused with financial or budgetary authority.

You cannot hold delegated purchasing authority if you:

  • are an approver on Purchase to Pay (corporate finance systems)
  • are the budget holder

Please confirm how many staff in your area have DPA and if the number meets your business needs. 

(Guidance on DPA is available on the intranet).

 

 

7.3 How confident are you that all purchases of goods, services and works in your division are covered by appropriate contracts (directorate specific contracts for your area, corporate contracts or SG corporate contracts available for use across the Scottish Government)?

Divisions should understand if their procurement spend is covered by contract and should be aware of the Scottish Government contract register. Contracts can only be placed by officers with Delegated Purchasing Authority (see 7.2 above).

 

 

7.4 How confident are you, that all procurement activity within your area, is undertaken in accordance with both the Procurement Policy Manual and the policy initiatives contained within the Scottish Procurement Policy Notes (SPPNs) published by the Scottish Procurement and Property Directorate?

Evidence should be provided by staff with DPA to assure division heads that all procurement activity has been conducted in accordance with the Procurement Policy Manual. Specific guidance on the operation of the Electronic purchasing card (ePC) is available to support low value purchasing. Does your business area have a system in place to ensure staff are aware of the latest and any other significant Scottish Public Procurement Notes (SPPNs) (Cyber Security, Climate Change)?

 

 

7.5 How confident are you that your area’s use of external consultants complies with the Scottish Government Consultancy Procedures? This includes using the consultancy account codes on the Purchase Orders that are created in the purchasing system.

Expenditure on consultancy contracts below £10,000 in value needs to be approved at deputy director level. Expenditure on consultancy contracts between £10,000 and £50,000 needs to be approved at director general level. Above £50,000, submissions for approval must be endorsed by the relevant director general and expenditure must be approved by the Cabinet Secretary for Finance and Economy. If there have been no such cases during the period, then please provide a nil response.

Consultancy expenditure must be coded against the account codes stated in the “Use of consultants: guidance” on gov.scot (www.gov.scot).

Management checks on consultancy expenditure should be carried out to ensure approval was sought at the appropriate approval level prior to purchase.

 

 

7.6 How confident are you that the number of staff authorised and trained to act as purchasing system requisitioners and approvers are consistent with your division’s needs?

Staff who are authorised as purchasing system requisitioners and approvers need to recognise the importance of the financial information being entered correctly. The amount of knowledge and training does, of course, need to be related to the part played by the individual in the financial process. Individual duties might be covered in desk instructions.

 

 

7.7 How confident are you that you have in place appropriate arrangements in your area to ensure effective contract management enabling delivery of technical, commercial and wider sustainability requirements?

Staff managing contracts should have the knowledge and skills to deliver both the technical and commercial conditions of the contract, undertaking the required training as mandated in the Scottish Procurement Policy Manual. Staff can seek guidance or arrange for Contract Management services to be delivered by the SPPD Contract Management Team. Additional guidance is also available on the Procurement Journey.

In addition, staff responsible for construction projects should be aware of the guidance provided within the Client Guide to Construction Projects and can seek guidance from the CPPU Team.

 

 

8.  Human Resources

Guidance Notes

Response

Details/Verification

8.1 How confident are you that your workforce planning has been effective in enabling you to deliver on your priorities?

In the Service of Scotland sets our vision and values, and the context for people management and development, helping to ensure we have the right people in the right place.

Confidence levels will be shaped by working with your Human Resources (HR) Business Partner on activities such as:

  • having completed, and responded to the annual workforce planning commission and delivered in line with subsequent FTE controls 
  • your ability to adapt in year, and manage workforce numbers and cost against ET agreed controls for the current financial year and any future years
  • adhering to corporate processes (including the Resource Assurance Committee approvals process in FY25/26) and timescales regarding recruitment
  • drawing on evidence to inform action, including for example: workforce planning returns and in year reviews, Directors Quarterly MI (Management Information) pack, Workforce Monitoring Dashboards, People and Finance DG Assurance metrics
  • evidencing of effective use of AI, automation, reskilling and restructuring to enable improved workforce management/ workforce capacity
  • effective use of position management, presenting evidence of a forward look in planned recruitment
  • your contribution to the delivery of key actions in your DG People Plans

 

 

8.2 Have you operated within your FTE control?

In the Service of Scotland sets our vision and values, and the context for people management and development, helping to ensure we have the right people in the right place.

Confidence levels will be shaped by working with your Human Resources (HR) Business Partner on activities such as:

  • having completed, and responded to the annual workforce planning commission and delivered in line with subsequent FTE controls 
  • your ability to adapt in year, and manage workforce numbers and cost against ET agreed controls for the current financial year and any future years
  • adhering to corporate processes (including the Resource Assurance Committee approvals process in FY25/26) and timescales regarding recruitment
  • drawing on evidence to inform action, including for example: workforce planning returns and in year reviews, Directors Quarterly MI (Management Information) pack, Workforce Monitoring Dashboards, People and Finance DG Assurance metrics
  • evidencing of effective use of AI, automation, reskilling and restructuring to enable improved workforce management/ workforce capacity
  • effective use of position management, presenting evidence of a forward look in planned recruitment
  • your contribution to the delivery of key actions in your DG People Plans

 

 

8.3 How confident are you that line managers at all levels in your business area are monitoring and supporting the wellbeing of their staff?

In the Service of Scotland sets our vision and values, and the context for people management and development, helping to ensure we have the right people in the right place.

Confidence levels will be shaped by:

  • ensuring staff wellbeing is a regular agenda item discussed at management team meetings
  • conducting monthly conversations that focus on performance and wellbeing
  • ensuring flexible working policies and leave policies are adhered to
  • understanding employees’ individual needs, using and promoting the employee passport to identify, implement and/or access corporate support to put in place workplace adjustments to enable everyone, and particularly disabled staff, to fulfil their potential by removing barriers stopping them perform at their best while working at home and in the workplace
  • reviewing flexi data to establish a picture of working hours and ensuring that action is taken to discuss with line managers and staff if excessive hours are being worked

 

 
8.4 How confident are you that you have processes in place to support diversity and inclusion and monitor impact of activities?

In the Service of Scotland sets our vision and values, and the context for people management and development, helping to ensure we have the right people in the right place.

Confidence levels will be shaped by:

  • actions to increase diversity through recruitment and succession planning (e.g., seeking and understanding local diversity data, completing mandatory Inclusive Recruitment learning, Diverse Panels, and carefully considering how and where to advertise vacancies)
  • having in place, and effectively assessing, meaningful mandatory individual diversity objectives at all levels which contribute to building a diverse and inclusive culture and embed Diversity and Inclusion (D&I) in business delivery
  • all staff involved in recruitment should have completed mandatory inclusive recruitment eLearning on the intranet
  • attending quarterly all DG staff, D&I events
  • regularly reviewing eLearning reporting to help review mandatory learning (e.g., Inclusive culture for all staff)
  • mainstreaming relevant actions from the Diversity and Inclusion Strategy action plan 
  • encouraging people to complete their diversity information on corporate systems at a business level and using the corporate data produced to effectively advance diversity and inclusion
  • what evidence you draw on to inform positive action, e.g. People Survey results and diversity data on the D+I Dashboard
   
8.5 How confident are you that you have processes in place to develop staff capability and skills in line with current and future business need (this includes identifying talent, supporting talent development, setting clear expectations for and developing the skills of line managers and leaders, and planning for succession in key roles)?

In the Service of Scotland sets our vision and values, and the context for people management and development, helping to ensure we have the right people in the right place.

Confidence levels will be shaped by:

  • keeping baselining/skills information of workforce up to date on corporate systems  
  • having personal and divisional learning/development/capability plans (including relevant professions) reflecting corporate priorities, local business needs and the diverse needs of your workforce and ensuring that time is available for staff to take part in development activities
  • the role of line managers in SG’s HR policies is well understood, and the application of best People Management practice is highly valued, supported and openly recognised 
  • evidencing where you draw from to inform positive action, e.g. the updated intranet guidance on learning approaches, the 2025-8 learning strategy
  • regularly reviewing eLearning reporting to help review mandatory learning compliance
  • having induction processes and development in place for those new to the role or grade and investing time mentoring and coaching new staff 
  • accessing toolkits and resources to support and develop line management and leadership 
  • effective processes, including regular career conversations, for identifying and developing talent
  • identifying any roles/skills that are a single point of failure and establishing a response (e.g. succession planning/ cross-training) 
   
8.6 How confident are you that line managers at all levels in your business area follow the corporate processes regarding performance management, induction and probation management, and grievance and conduct?

In the Service of Scotland sets our vision and values, and the context for people management and development, helping to ensure we have the right people in the right place.

Confidence levels will be shaped by working with your Human Resources (HR) Business Partner on activity such as:

  • your contribution to the delivery of key actions in your DG People Plans
  • ensuring Line Managers in your business area are following corporate processes regarding performance management (noting separate guidance for Senior Civil Service and probationers) (i.e., monthly conversations, mid Year Reviews and End Year Reviews and development discussions), and loading mid and end year reviews onto corporate systems
  • ensuring your teams are familiar with and following the probation policy - this includes solid objectives; induction; employee passports; engagement with workplace adjustments service as required; monthly conversations and interim/end probation reviews (access HR early where concerns arise)
  • reviewing on-time completion and recording of both the probation process (where applicable) and performance appraisals
  • having induction processes for those new to the role or grade and investing time mentoring and coaching new staff
  • managers are confident in managing staff concerns whether through informal or formal processes (e.g. adhering to corporate processes regarding grievance, conduct or whistleblowing)
   
8.7 How confident are you that line managers at all levels in your business area follow the corporate processes regarding attendance management?

In the Service of Scotland sets our vision and values, and the context for people management and development, helping to ensure we have the right people in the right place.

Confidence levels will be shaped by working with your Human Resources (HR) Business Partner on activity such as:

  • do you regularly discuss absence management MI to review absence patterns with your SMT
  • are you following up with line managers to ensure that, for example:
    • absences are opened/closed on time including use of corporate systems;
    • return to work conversations are happening;
    • stress reduction toolkit is being used where absence is related to work related stress;
    • trigger letters are being sent for intermittent absences of 11 days +, and
    • training and learning are being undertaken to help manage absence effectively
   
8.8 How confident are you that line managers at all levels in your business area follow the corporate processes regarding the management of outside interests and recording of gifts and hospitality?

In the Service of Scotland sets our vision and values, and the context for people management and development, helping to ensure we have the right people in the right place.

Confidence levels will be shaped by working with your Human Resources (HR) Business Partner on activity such as:

  • Line Managers in your area understand and carry out their role in the recording of gifts and hospitality corporate process
  • your staff follow the policy and process on declaration and management of outside interests, including recording any relevant interests or nil returns as appropriate and ensuring this is reviewed annually, as a minimum, as part of the End Year Review exercise
   
8.9 How confident are you that line managers at all levels in your business area follow the corporate processes regarding workplace and reasonable adjustments and flexible working requests?

In the Service of Scotland sets our vision and values, and the context for people management and development, helping to ensure we have the right people in the right place.

Confidence levels will be shaped by working with your Human Resources (HR) Business Partner on activity such as:

  • consideration of requests for workplace or reasonable adjustments, encouraging use of and documenting on the Employee Passport and seeking advice from Workplace adjustments service as appropriate
  • consideration of flexible working requests, ensuring that reasons are given for any requests which are rejected
   
8.10 How confident are you that you and your teams have processes in place to operate in line with the organisation’s hybrid working policy?

In the Service of Scotland sets our vision and values, and the context for people management and development, helping to ensure we have the right people in the right place.

Confidence levels will be shaped by:

  • all teams have been operating in line with the organisation’s hybrid working policy, and since October 2025 have established and are covered by team agreement   
  • drawing on the learning resources available to achieve effective hybrid working patterns for teams
   

9.  Equality and Diversity

Guidance Notes

Response

Details/Verification

9.1  How confident are you that all significant policies, activities, or projects are assessed early for their impact on people with Protected Characteristics, in line with Equality Act 2010 requirements?

This question relates to the responsibility under the statutory Public Sector Equality Duty (PSED), and the specific duty to assess and review policies and practices. Policy should be understood broadly to embrace the full range of policies, provisions, criteria, functions, practices, and activities undertaken by the Scottish Government. You are expected to ensure that, in line with legislative requirements, new or revised policies and practices in your area are assessed for their impact on people with one or more of the protected characteristics in the Equality Act 2010. These are age; disability; gender reassignment; marriage and civil partnership; pregnancy and maternity; race; religion or belief; sex; and sexual orientation. Going beyond statutory obligation, the First Minister and the Permanent Secretary have made clear their ambition for equality and human rights to be embedded in everything SG does.

In terms of process, assessment would typically be done through the EQIA process. Guidance on EQIAs is available on the intranet. The relevant deputy director (or equivalent) is required to sign off on EQIAs, and in signing off they are required to ensure that the impact of applying the policy has been sufficiently assessed against the three needs of the equality duty and that the EQIA is robust and addresses all relevant equality issues. In answering, please provide links to the relevant published EQIAs, or links to the draft EQIAs if they have not been completed yet, or links to the ‘No EQIA required’ statements. You should be able to demonstrate that you have in place appropriate arrangements for identifying and monitoring EQIA application and for prioritisation of EQIA within policy and practice development and review. This also includes an assurance that DD sign-offs for situations that are assessed as ‘no EQIA is required’ are reviewed and evaluated as correct.

 

 

9.2 How confident are you that all staff in your division have the capability and capacity to effectively embed equality considerations within the policies and programmes they deliver?

This question seeks to find out if SG staff have the capacity and capability to deliver on equality obligations. In answering this question, you should provide evidence on whether staff have had sufficient time, information, training, guidance, and support to enable that aim to be realised, considering for example if:

  • All of your staff have mandatory equality personal objectives. Please provide examples at different pay grades.
  • How many of your staff have completed the EQIA training?
  • How many of your division have completed their mandatory diversity training?
  • Do they have an appropriate ‘stretch’ Diversity Objective?
  • Do they have good awareness of equality issues; an understanding of the need for good quality impact assessment and how this relates to the development of policy or practices (evidence may include confirmation of training at induction and ongoing training and capacity building updated via appropriate continuous professional development)?
  • Do they know about and use relevant sources of data such as the SG equality evidence finder and relevant employee data?
  • Do they know about and engage with equality advocacy groups, and do completed EQIAs evidence the use of evidence from engagement in shaping policy?
  • For internal policy and employee-related policies/practices, are they drawing on employee lived experience and insights gathered for example through the People Survey?
  • Have they had sufficient time, which is reflected in their business objectives, to consider equality matters in developing and delivering policy and/or relevant activity?
  • Do they understand that EQIAs in the business area they have responsibility for should be kept under review, and are they able to demonstrate that this is happening?

Equality guidance and tools are available on the intranet. In answering, you should be able to demonstrate how you are developing staff on an ongoing basis in this area.

 

 

9.3 How confident are you that equality procedures are delivering improved outcomes for people with Protected Characteristics?

This question relates to the extent to which policies and programmes are delivering meaningful outcomes for the people whose lives the Scottish Government is seeking to improve, which includes those with one or more protected characteristics under the Equality Act 2010.

Specifically, EQIAs must consider impacts based on the three tests of the Public Sector Equality Duty (PSED) that they are required to address:

  • do policies, practices or programmes contribute to reducing or eliminating discrimination for individuals with one or more protected characteristics - this means reducing disadvantage or less favourable treatment
  • do policies, practices or programmes advance equality of opportunity for individuals with one or more protected characteristics - this means understanding and meeting diverse needs, increasing participation of underrepresented groups and ensuring reasonable/workplace adjustments are implemented
  • do policies, practices or programmes foster good relations between those who share a protected characteristic and those who do not - this means tackling prejudice and promoting understanding

In answering you should provide 2-3 examples of how this has been achieved. Please consider and reflect the evidence (both quantitative and qualitative) demonstrating improvement in your area and the narrative of how policies and programmes in your area demonstrate active due regard to all three needs of the PSED.

 

 

9.4 How confident are you that any schemes operated by your division for funding the work of external stakeholders meet statutory equality requirements and therefore deliver improved outcomes for people with protected characteristics?

This question relates to the extent to which funding for partners’ activities and projects (or core funding for partners designated as intermediaries) aligns to statutory requirements under the Equality Act 2010. Where a private or voluntary organisation provides a ‘public function’ it is then subject to the general equality duty. A public function refers to activities that are carried out on behalf of the State and are not similar in kind to services that could be performed by private people. Public functions can also be carried out by private or voluntary organisations, for example when a private company manages a prison or when a voluntary organisation takes on responsibilities for child protection. In answering this question, you should provide 2-3 examples of how this has been achieved, setting out how you are ensuring this is the case in addition to 9.1 and 9.3.

 

 

10.  Information

Guidance Notes

Response

Details/Verification

10.1 How confident are you that your division demonstrates best practice information governance and management including compliance with relevant legislation?

Ensure all information assets comply with the Public Records (Scotland) Act 2011 and the SG Records Management Plan and Policy.

To comply with Data Protection (GDPR & DPA 2018):

Have you:

  • registered all information assets containing personal data and reviewed existing assets
  • confirmed the lawful basis for processing personal data, especially where using consent or legitimate interest
  • updated privacy notices and contracts with third parties handling personal data
  • documented any personal data sharing in a Data Sharing Agreement
  • completed a Data Protection Impact Assessment (DPIA) where required
  • ensured staff know how to respond to a personal data security incident
  • identified any processing for law enforcement purposes under Part 3 of the DPA 2018
  • checked if any personal data is processed outside the UK

Directorate Assurance

Directorates must assure themselves that all information within their areas is managed appropriately and in line with current policies and procedures.

 

 

10.2 How confident are you that access control mechanisms are in place for each system?

Access control mechanisms for each system are documented by Information Asset Owners (IAOs). Control mechanisms are in place for physical access and access to information. The locations of information assets are recorded in the Information Asset Register.

As the system owner, have you confirmed that:

  • you have met with system operators to ensure systems are being securely managed
  • role-based access is enforced, and only authorised individuals have access
  • backups and security patching are current and properly maintained
  • system incidents are reported to you promptly and in accordance with policy
  • all information assets are correctly recorded in the Information Asset Register, including their physical and logical locations

 

 

10.3 How confident are you that your Information Asset Owner has been trained in the role and is this training up to date?

IAOs, typically Deputy Directors and always Heads of Division, are responsible for ensuring that all information assets are:

  • recorded on the Information Asset Register (IAR)
  • managed in compliance with data protection regulations

Guidance is available on the IAR pages on the intranet, including “What is an Information Asset?” in the IAO Handbook.

Risk management responsibilities for IAOs are detailed in:

  • the IAO Handbook
  • the Information Asset Register guidance
  • IAO training, which can be booked via the digital eLearning on the intranet and must be refreshed every two years.

 

 

10.4 How confident are you that any supporting staff have an awareness of the role and responsibilities of an IAO and have they been trained in information handling?

Staff are available and appropriately knowledgeable to discharge these roles and have undergone or are undergoing appropriate training. For core SG the Senior Information Risk Owner (SIRO) is DG Corporate; non-core bodies will have their own SIRO.

Guidance on mandatory roles can be found on the intranet.  

Mandatory eLearning packages including Data Protection can be found on the intranet.

  • Evidence: Mandatory Training completion rates

Where a deputy IAO is assisting the IAO, have they been trained and do they understand the role? Training on the Information Management strategy can be found on the intranet. Please see question 10.16 below.

Deputy Information Asset Owner role eLearning training is available on the intranet.

 

 

10.5 How confident are you that all information assets have completed risk assessments, that appropriate safeguards are in place to protect both your assets and the corporate infrastructure, and that current and emerging cyber risks relevant to your business are actively monitored and managed?

IAO Responsibilities and Risk Management:

  • IAOs must review information assets yearly for necessity, lawful basis, and proportionality (especially where consent or legitimate interest applies)
  • ensure Data Protection Impact Assessments remain relevant, and security controls are effective internally and with suppliers
  • all staff must read and understand key policies (Data Protection, IT Code of Conduct, Records Management)
  • IAOs must confirm that supplier security and data handling processes agreed at procurement remain in place
  • risk management e-learning (five modules) on the learning portal is mandatory for all staff, with separate courses for Band A and Band B–SCS
  • risk management responsibilities are detailed in the IAO Handbook, Information asset register guidance, and IAO training (bookable via the learning portal, refreshed every two years)

 

 

10.6 How confident are you that you have processes in place for dealing with security incidents involving data?

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transferred, stored, or otherwise processed.

Have you:

  • processes to identify and report data breaches
  • considered reporting near misses to facilitate improvement
  • assessed incidents and know that a serious incident resulting in a risk to individuals may need to be reported to the ICO within 72 hours

The security incident reporting tool can be found on the intranet.

 

 

10.7  Have you had any information security incidents involving data that occurred in your area over the past financial year that you did not record on the corporate security incident reporting tool?

Incidents would relate to cases where information (both personal and non-personal) may have been accidentally exposed, lost, or made unavailable regardless of whether this has resulted in harm to individuals.

IAOs are aware of and follow the corporate process in place to report, manage, and recover from information risk incidents. Lessons have been learnt, and shared, from incidents (if any). Local managers have a responsibility to ensure that staff are aware of and comply with the relevant guidance, to initiate checks where non-compliance is suspected and to monitor suppliers. Managers have a responsibility to ensure that all staff and suppliers are aware of their responsibilities to safeguard Government information.

An IAO checklist for dealing with security incidents can be found on the intranet. Please open the document and refer to section 5.

 

 

10.8 Do colleagues within your business area use the approved corporate system (eRDM) to store their information for the corporate record?

The approved corporate system (i.e., electronic Record and Document Management system (eRDM)), is used as the approved repository for corporate information and ensures we manage it in line with the arrangements set out in our records management plan (RMP) and Information Management Strategy.

A review of our corporate information management was published in 2021. A recommendation from this was to manage down the availability and use of unstructured information repositories, such as Public Folders and network shared drives.

If no, please explain in more detail the reasons why not and what other repositories are used to store corporate information.

 

 

10.9 How confident are you that your deputy directors personally use the approved corporate system to manage information?

All staff in the SG should be using the approved corporate information system (eRDM) to store their corporate business documents.

 

 

10.10 How confident are you that all colleagues within your business area are aware of the SG Records Management Plan, Policy and retention arrangements which apply to information held in eRDM?

Your retention timelines may differ from the standard and enhanced restrictions may be required due to sensitivity of topic.

The Public Records (Scotland) Act 2011 requires the SG to submit a Records Management Plan, and this requires to be agreed with the Keeper of the Records. This plan relates to SG Core and some specific shared service customers who have chosen to use our Records Management services. This document outlines our policy statement on records management in terms of how the SG creates, manages and uses records and how long these records are retained for.

The Records Management Policy outlines our responsibilities in relation to record keeping. This is complemented by our Information Management strategy.

 

 

10.11 Are there business processes or technical limitations that prevent your business area from using our corporate electronic records and documents management system (e.g. databases, GIS maps, and complex spreadsheets)? If yes, please provide specific examples.

Some complex applications do not function well within an Electronic Record and Document Management System and may need to be kept in shared drives, e.g., databases, GIS information or complex spreadsheets. Regular snapshots should be taken and saved into the approved corporate record management system (e.g., eRDM) as part of the corporate record.

If yes, please provide specific examples.

 

 

10.12 How confident are you that all colleagues in your business area are familiar with the SG Information Management Strategy?

One of the recommendations of the corporate review of our information management was the creation of an SG Information Management Strategy to ensure everyone in the Scottish Government understands their roles and responsibilities when managing and using information.

 

 

 

10.13 How confident are you that your colleagues are able to use and fully understand the eRDM system to search, query, publish, assign corporate value and apply appropriate document naming conventions to facilitate the return of accurate search results in a timely manner to assist with responses to FOIs or Inquiries?

If information is being stored correctly in eRDM then the retrieval of that information is more streamlined. This would not be the case if colleagues have to search numerous unstructured data repositories e.g., shared drives, personal storage areas such as OneDrive.

Training on eRDM can be found on the learning portal.

 

 

10.14 How confident are you that your business area is compliant with information management governance and legislation?

Good information and record management is not just about filing; it is a requirement of the law. The following are key information laws which apply to the Scottish Government and each of us managing information and records on its behalf:

  • Public Records (Scotland) Act 2011
  • Data Protection Act 2018 (DPA) and General Data Protection Regulation (GDPR)
  • Freedom of Information (Scotland) Act 2002 (FOISA) and the Environmental Information (Scotland) Regulations 2004 (EIRs)
  • Inquiries Act 2005

 

 

10.15 How confident are you that all colleagues in your business area are familiar with key information management roles and their respective responsibilities?

There are a number of key roles that should be in place to ensure adequate management of Information. More information on these roles is available on the intranet.

Information Asset Owner

This is an existing role and is usually at head of division/unit level.

Information Management Support Officer (IMSO)

This is also an existing role, and they are the first point of contact about guidance on the use of our electronic record and document management (eRDM) system. 

 

 

10.16 How confident are you that all colleagues in your business area are aware of the training resources available covering information management, eRDM, records management and data protection and which of these are mandatory?

There are a number of training resources available on the intranet around information and records management, and all colleagues should be aware of these.

SG Core staff have access to training surrounding eRDM, Records Management, Induction, Information Strategy, Mobile messaging, Data Protection, Government Security Classifications etc.

 

 

10.17 How confident are you that all colleagues in your business area make sure that the information they work with is processed appropriately and securely to mitigate risk?

Information is one of the Scottish Government’s most valuable assets and needs to be proportionately protected against loss or compromise. The IT security policy has been written to provide a mechanism to establish procedures to protect the confidentiality, integrity, and availability of our information. It does not in any way amend the requirements placed upon the Scottish Government by the Freedom of Information (Scotland) Act 2002 in relation to the disclosure of official information.

 

 

10.18 How confident are you that your area is aware of the Digital Recording Policy and applying the controls set out there to comply with data protection regulations?

Microsoft Teams allows participants to make recordings of meetings for storage or further circulation. Meeting organisers are required to carry out a data protection impact assessment before making recordings to make sure it is compliant with data protection regulations. A privacy notice setting out that the meeting is being recorded and what the rights of participants are must be provided before the recording begins.

 

 

10.19 How confident are you that your area is familiar with the new Mobile Messaging Policy and Guidance?

Following Recommendation 12 of Martins Report being implemented, the new Mobile Messaging and Non-Corporate Communications policy and guidance documents were implemented in June 2025.

Further guidance can be found on the intranet.

 

11.  Health and Safety

Guidance Notes

Response

Details/Verification

11.1 Do you have an appointed and trained Health and Safety Liaison Officer within your Division?

The Health and Safety Liaison Officers within your division are known and utilised to support the delivery of your health and safety responsibilities. Health and Safety Liaison Officers perform key health and safety functions, in particular local health and safety inductions, workplace inspections, and acting as the first point of contact for Display Screen Equipment queries.

 

 

11.2 How confident are you that each team within your division has an up-to-date risk assessment, including higher-risk activities, reviewed within the last year? 

Risk Assessment Teams (appointed by Deputy Directors) to:

  • review and amend generic risk assessments, identify any specific high-risk activities, and generate new assessments as required
  • communicate findings to all affected staff
  • keep risk assessments under review

(The SG Risk Management Guide and the SG Template risk register are available on the intranet. General guidance is available on the intranet.)

 

 

11.3 How confident are you that all staff have undertaken mandatory health and safety training in your area and understand their personal responsibilities of health and safety in the workplace?  

For all Scottish Government staff there are a number of Mandatory training courses which need to be completed:

  • Health and Safety – Display Screen Equipment (to be completed by everyone with each significant change)
  • Health and Safety – Driver Safety Awareness (to be completed yearly if you drive on official business)
  • Health and Safety – Fire Safety (to be completed yearly by everyone)
  • Health and Safety – Manual Handling (to be completed once if required for your role)
  • Health and Safety Understanding (to be completed once by all Scottish Government employees)

 

 

11.4 How confident are you that all your staff are aware of the fire evacuation process and the relevant guidance for the buildings they work from?  

Fire safety management and evacuation procedures changed in 2020. Scottish Government also introduced special fire marshal and fire precaution officer (FPO) procedures.

All staff should be aware of and understand local fire evacuation procedures.

 

 

11.5 How confident are you that your staff are aware of the facility to request home working equipment to support hybrid working?  

Guidance on how to obtain Home Working equipment and workstation set up is available on the intranet. 

 

 

12.  Sponsored Bodies

Guidance notes

Response

Details/Verification

12.1 Non-Departmental Public Bodies – Is your area responsible for sponsoring NDPBs, or other public bodies? If yes, please list the bodies. (If no, please ignore the other questions in this section.)

Please complete for all of the bodies you sponsor answering each question separately and highlight key points of interest (good or bad).

Guidance can be found in the NDPB Sponsorship Guidance Notes. 

A list of public bodies in Scotland is available on the National Public Bodies Directory. Additional information can be obtained from Public Bodies Unit if necessary.

 

 

12.2 National Outcomes - How confident are you that the operations, business planning and objectives of the public body align with the National Performance Framework (NPF), National Outcomes and Programme for Government?

The National Performance Framework (NPF) is Scotland’s wellbeing framework. It is refreshed every 5 years and is currently undergoing a refresh, which began in 2023. The NPF sets out a vision of societal wellbeing through the National Outcomes, and charts progress towards this through a range of social, environmental, and economic indicators.

It provides a framework for collaboration and planning of policy and services across the whole spectrum of Scotland’s civic society, including public and private sectors, voluntary organisations, businesses, and communities. The approach to setting, reviewing, and reporting on progress to achieving the National Outcomes, is set out in the Community Empowerment Act 2015.

Supporting documents such as the corporate plan, business plan, and framework documents should be in place to enable the sponsor team to develop a shared understanding of the joint priorities to contribute towards the National Outcomes, and to ensure that individual bodies’ corporate communications (including annual report) and engagement strategies fully reflect these.

The Scottish Parliament Budget Review Group (SPBRG) has also recommended that Public Bodies should consistently set out how they plan to contribute towards specific National Outcomes in the NPF in their published corporate and business plans, and report on their contribution to National Outcomes through their annual reports, to support parliamentary scrutiny of their activities and public spending. This means providing public information about the strategic direction and operational delivery of public bodies and how this aligns to National Outcomes and the NPF. This should include what public spending supports, what this aims to achieve, the contribution it is expected to make to National Outcomes and evidence for this, how plans are being delivered, and the impact this is having.

Do the corporate plan, business plan and annual reports clearly set out how the public body contributes to National Outcomes, with a line of sight to the National Performance Framework, including links to planned spending and specific outputs that are expected and how they contribute to achieving National Outcomes?

 

 

12.3 Framework Documents – Is there a Framework Document (updated within the last 3 years) in place, published on the public body’s website and shared with the Public Bodies Support Unit to add to the central repository?

Governance Structures, processes, systems, and controls should be in place to ensure robust financial management and monitoring, and compliance with the Scottish Public Finance Manual.

You should be able to confirm the date that the Framework Documents are finalised or otherwise, that they are up to date, and were subject to proper consultation (including with Public Bodies Support Unit, your Finance Business Partner (or equivalent) and the Directorate for Internal Audit and Assurance). Details of the steps taken to monitor the areas above should also be provided.

 

 
12.4 Framework Documents – How confident are you that the terms of the Framework Document are being adhered to?

Governance Structures, processes, systems, and controls should be in place to ensure robust financial management and monitoring, and compliance with the Scottish Public Finance Manual.

You should be able to confirm the date that the Framework Documents are finalised or otherwise, that they are up to date, and were subject to proper consultation (including with Public Bodies Support Unit, your Finance Business Partner (or equivalent) and the Directorate for Internal Audit and Assurance). Details of the steps taken to monitor the areas above should also be provided.

Guidance on the role of the sponsoring team is set out in the framework documents for Executive NDPBs, Executive Agencies, Non Ministerial Offices (NMOs), and Advisory NDPBs, which are available to download.
   

12.5 Framework Documents – How confident are you that your Public Bodies regularly update their framework document (at least every 3 years)? Please note in the comment when the FD is due to be updated and give a brief overview including any delays being experienced and any action being taken to rectify this.

Governance Structures, processes, systems, and controls should be in place to ensure robust financial management and monitoring, and compliance with the Scottish Public Finance Manual.

You should be able to confirm the date that the Framework Documents are finalised or otherwise, that they are up to date, and were subject to proper consultation (including with Public Bodies Support Unit, your Finance Business Partner (or equivalent) and the Directorate for Internal Audit and Assurance). Details of the steps taken to monitor the areas above should also be provided.

Guidance on the role of the sponsoring team is set out in the framework documents for Executive NDPBs, Executive Agencies, Non Ministerial Offices (NMOs), and Advisory NDPBs, which are available to download.
   

12.6 Effective Boards – How confident are you that the Board of your sponsored body is undertaking its functions effectively?

The four main functions of public body Boards are:

  • to ensure that the body delivers its functions in accordance with Ministers’ policies and priorities
  • to provide strategic leadership
  • to ensure financial stewardship
  • to hold the Chief Executive and senior management team to account

Boards play a vital role in the accountability chain and therefore it is essential that they have the capability and capacity to perform their functions effectively.

 

 

12.7 How confident are you that succession planning is in place for the Board of your sponsored body?

Boards should ensure that they maximise opportunities to develop and attract diverse candidates that meet the body’s needs and legislative requirements; see the Succession Planning Guidance for Public Body Boards (as published in February 2017) and the Gender Representation on Public Boards (GBPR) Guidance. Confidence levels should be shaped by whether you have:

  • carried out a skills audit
  • taken steps to build a diverse talent pipeline (shadowing, mentoring, outreach events to support public appointment vacancies)

Guidance given states:

  • designate a person on the board, or have a nominations committee, to take the lead on board appointments
  • map current skills in the board and the skills needed in the future, within the context of the public body’s strategic plan and the board’s role
  • draw up a timeline of when individual board members’ and chairs’ appointments come to an end or are up for renewal and identify action that can be taken to attract a diverse range of candidates (provide shadowing, mentoring, co-opt potential talent)
  • provide opportunities to develop prospective board members, particularly for people from groups that are under-represented on your board
  • take specific and measurable actions to attract women and meet the Gender Representation Objective - See Guidance here

 

 

12.8 Relationships – How confident are you that current engagement activities foster strong, strategic relationships with your sponsored public body? Please detail how you use these activities to support effective collaboration and deliver outcome-focused results, including whether this engagement is formalised through an annual strategic letter.

Sponsorship should always be considered a strategic activity, based on strong relationships characterised by openness, trust, respect and mutual support. The objective is to find ways of working with bodies that engage and empower them in a shared vision and understanding of the strategic environment, while ensuring proportionate arrangements are in place to safeguard public funds and incentivise performance.

Executive Team and Ministers have an agreed approach which has at its core supportive, trusting relationships at a senior level; an appropriate place for the SG in the accountability chain – Ministers holding Chairs to account for the actions of Boards, Boards holding Executives to account for performance - and ensuring proportionate arrangements to safeguard public funds and incentivise performance; and a greater focus on strengthening the Boards and Accountable Officers of public bodies through induction and on-going support.

As part of this, Ministers also agreed revised pay policy and procurement controls. The importance of sponsorship and the relationships between sponsors and public bodies is seen as being crucial in empowering public bodies to deliver outcomes.

It would be helpful if Sponsor Teams could provide some information, commenting specifically on their experiences from adopting this approach to sponsorship with reference to which Strategic Sponsorship products they have implemented.

 

 

12.9 Finance – How confident are you that your sponsored body demonstrates financial capability by providing accurate and timely financial monitoring and forecasting information to the Scottish Government?

Sponsorship teams and public bodies should be aware of formal responsibilities they hold over the stewardship of public funds, considering: SPFM, Audit Committee Handbook, The Public Sector Internal Audit Standards (PSIAS), Financial Reporting Manual (FReM), and the relevant NDPB Model Framework Document, Budget Allocation and Monitoring Letters. Other requirements relevant to Sponsorship Teams and Public Bodies include:

  • sponsorship teams and public bodies should work closely in overseeing the management and use of public monies
  • Model Framework Documents should cover the arrangements for funding the body and the conditions attached to the use of those funds
  • the Accountable Officer and the Board should ensure that the public body has in place appropriate systems to support their financial responsibilities
  • ensure appropriate systems in place for managing risks and that these are escalated appropriately
  • check that systems are in place for internal and external audit, an audit committee is in operation and that arrangements are in place for producing a statement on internal control
  • ensure that arrangements are in place for the body to provide regular high quality budget monitoring and forecast information as required by Financial Management Directorate and, with support from Finance Business Partners (or equivalent), review annual accounts
  • co-operate with any enquiries initiated by the Auditor General for Scotland or by the Public Audit and Post Legislative Scrutiny Committee of the Scottish Parliament

 

 
12.10 How confident are you that you review and challenge financial information and liaise with corporate finance colleagues in line with deadlines?

Sponsorship teams and public bodies should be aware of formal responsibilities they hold over the stewardship of public funds, considering: SPFM, Audit Committee Handbook, The Public Sector Internal Audit Standards (PSIAS), Financial Reporting Manual (FReM), and the relevant NDPB Model Framework Document, Budget Allocation and Monitoring Letters. Other requirements relevant to Sponsorship Teams and Public Bodies include:

  • sponsorship teams and public bodies should work closely in overseeing the management and use of public monies
  • Model Framework Documents should cover the arrangements for funding the body and the conditions attached to the use of those funds
  • the Accountable Officer and the Board should ensure that the public body has in place appropriate systems to support their financial responsibilities
  • ensure appropriate systems in place for managing risks and that these are escalated appropriately
  • check that systems are in place for internal and external audit, an audit committee is in operation and that arrangements are in place for producing a statement on internal control
  • ensure that arrangements are in place for the body to provide regular high quality budget monitoring and forecast information as required by Financial Management Directorate and, with support from Finance Business Partners (or equivalent), review annual accounts
  • co-operate with any enquiries initiated by the Auditor General for Scotland or by the Public Audit and Post Legislative Scrutiny Committee of the Scottish Parliament
   

12.11 Finance – How confident are you that you have year-end procedures in place to ensure all Annual Accounts returns are completed by your sponsored body in a timely and accurate manner?

There are various returns due to Finance as part of the annual accounts process. You should have procedures in place to ensure that information requested can be provided to Finance in an accurate and timely manner. Information requested will be used to ensure income and expenditure are recorded in the appropriate financial year and that any assets or liabilities of the Scottish Government are reviewed and appropriately accounted for. This includes consideration of committed and contingent balances.

 

 

12.12 Fair Work – How confident are you that your sponsored body is committed to Fair Work First, including payment of at least the real Living Wage and providing appropriate channels for effective workers’ voice, such as trade union recognition?

Employers should promote equality & diversity, security of work, youth employment, staff engagement and workforce development, and work to deliver the Fair Work Convention’s Fair Work Framework.

Sponsored bodies should all be meeting the Fair Work First criteria, as follows:

  • payment of at least the real Living Wage (see Living Wage Scotland for the current RLW rate, which differs from the National Living/Minimum Wage)
  • provides appropriate channels for effective workers’ voice, such as trade union recognition
  • investment in workforce development
  • no inappropriate use of zero hours contracts
  • address workplace inequalities, including pay and employment gaps for disabled people, racialised minorities, women and workers aged over 50
  • offer flexible and family friendly working practices for all workers from day one of their employment
  • oppose the use of fire and rehire practices

Effective voice is central to Fair Work, and all employers should demonstrate their commitment to including their staff in workplace decisions, and work in positive partnership with trades unions or other appropriate worker representatives. Please indicate what effective voice channels are provided at both collective and individual levels within your organisation.

Employers should also pay at least the real Living Wage, and you may wish to check if the body is an accredited Living Wage employer. Have they got an invest in youth plan with stretching targets to recruit and develop young people (e.g., recruiting Apprentices)? Do they run an employee engagement survey and act on the results? Do they use procurement policies to encourage Fair Work, including payment of the real Living Wage and inclusive employment in their supply chain? 

Please provide information which will highlight the actions your sponsored body has been doing to support workplace equality, inclusion, and diversity. As an example, they could be a disability confident employer, carer positive employer, IYP Gold award employer and a Stonewall Top 100 employer. They should be ambitious about diversity and inclusion and be able to demonstrate this through workplace practices.

All employers should make use of the Fair Work resources available, including the Fair Work First guidance, Employer Support Tool and resources from the CIPD.

 

 

12.13 Assurance – Regarding Major Investment(s), how confident are you that your sponsored body engaged with the appropriate authority and recorded all relevant projects with the appropriate authority? Please provide information on what investments the public body has and if there is evidence that they have assessed them against the criteria for major investments (including Construction, Infrastructure, and IT investments) in the SPFM.

Systems should be in place to ensure all business cases are assessed.

For all Major Investments as defined in the Scottish Public Finance Manual: a Risk Potential Assessment Form, available from Portfolio, Programme and Project Assurance Hub, should be completed and submitted to the SG’s Portfolio, Programme and Project Assurance Hub.

For investment in projects containing an IT or digital element:

  • integrated Assurance and Approval Plans should be completed for projects by your sponsored body
  • projects should be registered on the Project Register, held by the Digital Assurance Office
  • further advice can be found on the Technology Assurance Framework or by emailing Digital Assurance Office

For construction and infrastructure projects:

  • projects should be registered on the SG’s Infrastructure Projects Database if they have an Outline Business Case prepared and a total capital investment of £5 million or more

 

 

12.14 Fraud – How confident are you that your sponsored body has effective arrangements to counter fraud (including Cyber Fraud), bribery and corruption through a well communicated counter fraud policy, an up-to-date fraud action plan and effective avenues for reporting suspicions of fraud?

Processes should be in place to ensure that policies for fraud response are consistent with SG guidance, including a review of current fraud response activity, whilst ensuring robust reporting procedures have been adopted by sponsored bodies.

Further information can be found in the Fraud section of the SPFM and the SG Counter Fraud Strategy, Policy and Response Plan and Protecting Public Resources guidance.

 

 

12.15 Procurement – How confident are you that your sponsored body uses public procurement to support a green recovery and wider climate and circular economy ambitions through procurement, embedding climate considerations in local governance arrangements and flowing through to organisational procurement related activities?

Systems should be in place to ensure all business cases are assessed.

For all Major Investments as defined in the Scottish Public Finance Manual: a Risk Potential Assessment Form, available from Portfolio, Programme and Project Assurance Hub, should be completed and submitted to the SG’s Portfolio, Programme and Project Assurance Hub.

For investment in projects containing an IT or digital element:

  • integrated Assurance and Approval Plans should be completed for projects by your sponsored body
  • projects should be registered on the Project Register, held by the Digital Assurance Office
  • further advice can be found on the Technology Assurance Framework or by emailing Digital Assurance Office

For construction and infrastructure projects:

  • projects should be registered on the SG’s Infrastructure Projects Database if they have an Outline Business Case prepared and a total capital investment of £5 million or more

 

 

12.16 Procurement – Has your sponsored body made measurable improvements to contract management? If yes, please provide details.

Organisations should build into their contract management activities sufficient checks to ensure suppliers are meeting their contractual obligations.

The purpose of Contract and Supplier Management is to work closely with suppliers and internal customers to:

  • minimise the total cost of ownership
  • maximise Supply Chain efficiencies throughout the life of the contract

Further details on Contract and Supplier Management and associated Managing and Improving Performance principles can be found on the Procurement Journey: Contract and Supplier Management.

 

 

12.17 Property – How confident are you that your sponsored body plans strategic matters appropriately and consults the Property and Construction Division two years in advance (as early as possible) of any proposed changes or additions (including lease events, acquisitions and disposals or investment in property or significant works) to their estate as per SPFM guidance?

For example, do you ensure your sponsored body appropriately plans strategic property matters and consults Property and Construction Division as early as possible in accordance with the SPFM guidance when required? Are you confident that your sponsored body is clear on the timescales required to be followed, supporting a wider pipeline of property activity? Where appropriate, further guidance and support on property matters is available from Property and Construction Division, which should be contacted as early as possible in the process.

Guidance can be found in the sections on property and best value in the SPFM.

 

 

12.18 Property – How confident are you that your sponsored body considers the most cost-effective approach for proposed changes or additions to their estate, and fully considers and follows the principles of the Single Scottish Estate Programme and Public Service Reform whilst recognising the need to move towards a Net Zero estate, and keep within agreed budgets, as per SPFM guidance?

For example, do you ensure a comprehensive options appraisal is carried out, detailing the pros and cons of any option being considered, including the financial requirement to be within budgets as well as the business need, to support any proposal? How will you ensure that all options to reduce the estate and its cost are reviewed, and leases are ended when they expire or when break options arise unless an exception is approved in advance for exceptional circumstances? Are you ensuring progress is being made by your sponsored body towards a Net Zero estate? Are you ensuring that the Property Controls guidance, published in February 2025, is being followed and templates completed, including timescales to be followed?

Guidance can be found in the sections on property and best value in the SPFM.

 

 

13.  Compliance

Guidance notes

Response

Details/Verification

13.1 How confident are you that processes are in place to ensure compliance with all relevant policies, procedures, laws, and regulations, including those outlined in the SPFM and required impact assessments?

Processes might refer to desk instructions, local checklists, retention schedules, and/or periodic management checks e.g., relating to the existence of statutory authority for expenditure and the holding/provision of information under the Data Protection and Freedom of Information Acts. The level of response should reflect the work of the division. (Guidance on Data Protection responsibilities, Impact assessments and FOI is available on the intranet.)

 

 

13.2 How confident are you that you have appropriate arrangements in place to ensure staff are appropriately trained and supported to handle FOI and EIR requests in line with legislative requirements?

Processes might refer to desk instructions, local checklists, retention schedules, and/or periodic management checks e.g., relating to the existence of statutory authority for expenditure and the holding/provision of information under the Data Protection and Freedom of Information Acts. The level of response should reflect the work of the division. (Guidance on Data Protection responsibilities and FOI is available on the intranet.)

 

 

13.3 How confident are you that your staff are appropriately trained and aware of their Data Protection and information security responsibilities?

Training for Data Protection and Information Security is available on the intranet.

 

 

13.4 How confident are you that your staff are aware of, and appropriately trained for, their responsibilities under the United Nations Convention on the Rights of the Child (UNCRC) (Incorporation) (Scotland) Act 2024?

Training for children’s rights is available on the intranet.

 

 

13.5 How confident are you that you have processes in place to ensure compliance with legislative requirements for all statutory and non-statutory Impact Assessments listed on Saltire at the earliest possible stage in the development of all new, revised or strategically significant policies/activities/projects in your area?

This question relates to the duties under varied legislation to assess policies and strategic decisions for their impacts on various groups. Assessments in Scottish Government include the Business Regulatory Impact Assessment, Child Rights and Wellbeing Impact Assessment, Consumer Duty, legislative Data Protection Impact Assessment, Equality Impact Assessment, Fairer Scotland Duty, Island Communities Impact Assessment, and Strategic Environmental Assessment. Guidance on Impact Assessment responsibilities is available on the intranet. Processes might refer to desk instructions, local checklists, planned review at stages throughout or following policy development, sign-off arrangements, and/or periodic management checks. Sign-off may be required at DD or Ministerial level depending on the Impact Assessment.

 

 

13.6 How confident are you that arrangements are in place to ensure staff are trained and able to deliver all impact assessments effectively and to a high standard?

This question seeks to find out if SG staff have the capability to ensure delivery of high-quality impact assessments. In answering this question, you should consider whether staff have had sufficient time, information, access to specialist knowledge, training, guidance, and support to enable that aim to be realised. In answering, you should be able to demonstrate how you are developing staff on an ongoing basis in this area. Appropriate arrangements might include questions for new staff to establish their level of understanding, regular team reviews of performance in IAs, or a register of relevant training and impact assessments completed by staff. Guidance on Impact Assessment responsibilities is available on the intranet.

 

 

13.7 How confident are you that your staff are appropriately trained and aware of the statutory nature of impact assessments and their responsibilities for them, and able to access information and guidance as necessary?

This question seeks to find out if staff are appropriately aware of which impact assessments are required, on what basis, and under what conditions or criteria. Training is available on the learning portal for assessments including EQIA (Equality Impact Assessments) and CRWIA (Child Rights and Wellbeing Impact Assessment), as well as regular drop-in surgeries on impact assessments.

 

 

14.  Review

Guidance notes

Response

Details/Verification

14.1 How confident are you in the robustness of your arrangements for reviewing and improving control effectiveness and efficiency, and that these controls support your objectives?

You should be reviewing internal controls in your area at appropriate points in time e.g., when processes change, or operational shortcomings come to light.

Has anything happened during the course of the financial year that has raised questions about the controls that you have in place? E.g., has the running of the regular financial monitoring exercises suggested any shortcomings? Have there been any particular queries that may lead to doubts about how the controls are operating?

(Guidance on internal controls is provided in the main section of the SPFM on Certificates of Assurance.)

 

 

14.2 How confident are you that you have a comprehensive picture (e.g., through an Assurance Map) of the sources of evidence underpinning your assessment of controls?

You should be reviewing internal controls in your area at appropriate points in time e.g., when processes change, or operational shortcomings come to light.

Has anything happened during the course of the financial year that has raised questions about the controls that you have in place? E.g., has the running of the regular financial monitoring exercises suggested any shortcomings? Have there been any particular queries that may lead to doubts about how the controls are operating?

(Guidance on internal controls is provided in the main section of the SPFM on Certificates of Assurance.)

 

 

14.3 Where objectives, risks and controls in your area have been subject to independent review, how confident are you that recommendations arising from these reviews have been acted on in a timely fashion?

You should provide details of any key weaknesses identified and the steps taken to resolve these. How confident are you that you and your staff are sufficiently aware of the types of independent review (e.g., Internal Audit, independent assurance and Gateway Review, ICT Assurance Review, Digital Scotland Service Standard, review by external consultants) to support your assurance, and of how to access them?

 

 

14.4 Based on the assurances you have of whether your objectives, risk management and internal controls are being met and operating successfully, are there any key areas that would benefit from independent review?

N/A

15.  Other Issues

Guidance notes

Response

Details/Verification

15.1 Apart from the issues raised above, are there any significant control matters or contentious issues arising in your area which could impact or adversely affect the signing of the Scottish Government Governance Statement by the Permanent Secretary?

Provide here details of any other control problems, specific to your area of responsibility, which you have encountered during the year.


 

 

 

For a downloadable version of the checklist please click here: Checklist

Page updated: February 2026

 
