Certificates of assurance
1. This section gives guidance on the provision of certificates of assurance to support the signing of the governance statements provided by Accountable Officers as part of the annual accounts of all organisations to which the Scottish Public Finance Manual (SPFM) is directly applicable. The assurance framework set out in this guidance relates specifically to constituent parts of the Scottish Administration i.e. the core Scottish Government (SG), the Crown Office and Procurator Fiscal Service, SG Executive Agencies and non-ministerial departments. Other organisations to which the SPFM is directly applicable – including separate accounting bodies sponsored by the SG – should arrange for appropriate assurance frameworks consistent with this guidance to be put in place.
2. It would only be possible to provide assurances without any qualification where best practice and any relevant guidance had been followed throughout the accounting period. Certificates of assurance can provide only reasonable and not absolute assurance.
3. Certificates of assurance from Deputy Directors (or equivalents) should be completed in consultation, as appropriate, with relevant finance officials and internal auditors. It is essential that the Internal Control Checklist is completed in full and with due diligence.
4. Certificates of assurance should be commissioned towards the end of each financial year allowing sufficient time for the completion of the process to meet the timetable for signature of relevant accounts.
5. Accountable Officers are required to prepare Governance Statements as part of the annual accounts for which they are directly responsible. To enable them to sign governance statements Accountable Officers require assurances on the maintenance and review of internal control systems within or affecting their area of responsibility. Internal control systems comprise the whole network of systems established in an organisation to provide assurance that organisational objectives will be achieved, with particular reference to:
- risk management
- the effectiveness of operations
- the economical and efficient use of resources
- compliance with applicable policies, procedures, laws and regulations
- safeguards against losses, including those arising from fraud, irregularity or corruption
- the integrity and reliability of information and data
6. Assurances are required in relation to each financial year but it would only be possible to provide such assurances without any qualification where best practice and any relevant guidance (e.g. the SPFM) had been followed throughout the accounting period. It is recognised however that such assurances can provide only reasonable and not absolute assurance.
7. Assurances from Deputy Directors (or equivalents) to Directors (or equivalents) should be provided in the form set out in Annex 1. Annex 1 should be completed in consultation, as appropriate, with relevant finance officials and internal auditors as to whether any matters had arisen which could affect clear certification. The Internal Control Checklist at Annex 2 has been designed to identify any such matters.
8. It is essential that the Internal Control Checklist is completed in full and with due diligence. In particular, the third column ("details") should record the broad steps taken to confirm/review the existence and adequacy of control, and any significant absence of, or weakness in, the control. Some explanatory notes and guidance on what is required by way of "details" is provided in the final column. It must be stressed, however, that the areas covered by the checklist are not exhaustive and any other significant weaknesses must be reported in the certificate of assurance. Checklists should be reviewed by relevant finance officials who should satisfy themselves that the checklists have been completed in full and that the information provided is consistent with their knowledge of the area concerned. Directors (or equivalent) can then use the completed checklists, the associated certificates, and their own knowledge/review of the control and risk processes in their areas of responsibility when preparing their own certificates of assurance.
9. Completion of Annex 1 by Deputy Directors (or equivalent) with sponsorship responsibilities should take account of any internal control issues that are considered likely to merit inclusion in the governance statements of relevant sponsored bodies. Any additional issues included in the finalised governance statements of sponsored bodies or significant matters arising between these governance statements being finalised and the signing of the SG consolidated accounts, must be reported up the line as and when they come to light. It is for Deputy Directors (or equivalent) with sponsorship responsibilities to decide, in consultation as appropriate with relevant finance officials and internal auditors, what if any form of assurance would be appropriate in relation to any sponsored bodies that are not separate accounting entities and do not therefore complete governance statements.
10. Assurances from Directors (or equivalents) to Accountable Officers should be provided in the form set out in Annex 3. These certificates should to be submitted to relevant audit (and risk) committees together with, as appropriate, either a draft certificate of assurance for the Accountable Officer to provide to the Principal Accountable Officer for the Scottish Administration or a draft governance statement for signature by the Accountable Officer - see the following paragraph.
11. Accountable Officers sign governance statements in respect of the accounts for which they are directly responsible. The Principal Accountable Officer signs the governance statement in respect of the SG consolidated accounts. Assurances to the Principal Accountable Officer from Portfolio Accountable Officers - based on assurances from relevant Directors (or equivalents), should be provided in the form set out in Annex 4. Assurances to the Principal Accountable Officer from the Accountable Officers of the Crown Office and Procurator Fiscal Service (COPFS) and Executive Agencies within the SG accounting boundary should take the form of the governance statements provided alongside the COPFS and Agency accounts. Relevant issues in the governance statements of NHS bodies within the SG accounting boundary should be included in the assurance from the Portfolio Accountable Officer for Health.
12. Assurances on SG corporate services in relation to the consolidated accounts will be provided to the Principal Accountable Officer by the SG Chief Financial Officer and the Director of Digital and the Director of People . These assurances on corporate services should be copied as appropriate to the Accountable Officers of those separate accounting entities (e.g. Executive Agencies, non-ministerial departments and SG sponsored bodies) which rely to varying degrees on corporate services provided by the core SG.
13. Certificates of assurance should be commissioned towards the end of each financial year allowing sufficient time for the completion of the process to meet the timetable for signature of relevant accounts. The provision of assurances on SG corporate services should take account of the timetable for the signature of the accounts for relevant separate accounting entities which is normally earlier than the SG consolidated accounts.
14. The certificates of assurance process, including the completion and review of the Internal Control Checklists, is subject to review by the external auditors as part of their audit of the accounts. Copies of the certificates and the completed checklists should therefore be retained locally for inspection. Internal auditors will also require access to these documents as part of their internal review of governance matters.
Updated: June 2021