Annex 2: internal control checklist
Certificates of assurance: Annex 2 - Internal Control Checklist
The Contents of the internal control checklist are as follows:
Section
- Risk management
- Business planning
- Major investment
- Project management
- Financial management
- Fraud
- Procurement
- Human resources
- Equality and diversity
- Information
- Health and safety
- Sponsored bodies
- Compliance
- Review
- Other
Issue |
Response |
Details, including review work you have carried out to verify response (mandatory) |
Guidance note (where applicable) |
1. Risk Management |
|||
1.1 Risk and Objectives Do you have processes in place to identify and manage risks to the delivery of divisional business plans, (including objectives and targets) and that this information is reviewed on an on-going basis? |
Yes/No |
|
Your objectives should be the focus of any risk management information; risk identification needs to be undertaken with a clear strategy and clarity of purpose. Risk identification is an important part of business/project planning, managing performance and prioritising effectively. Confidence levels will be shaped by:
(The SG Risk Guide and the SG Template risk register is available on the intranet. General guidance is available through Risk Management in the SPFM.) |
1.2 Risk Identification - do you employ a systematic approach to help the identification and prioritisation of your risks and manage them by allocating resources proportionately in alignment with your business plans? |
Yes/No |
A systematic approach to risk identification should be taken to ensure you have a complete risk profile. Confidence levels will be shaped by:
(The SG Risk Guide and Supplementary Guide: Identifying Risk are available on the Intranet. General guidance is available through Risk Management in the SPFM. |
|
1.3 Risk Leadership - is risk management activity within your area led from the top, actively promoted, and delivered by branch heads and team leaders alongside support from your Directorate’s Risk Champion |
Yes/No |
Effective communication is vital to effective risk management. Confidence levels should be shaped by:
(The SG Risk Guide and Supplementary Guides for Roles and Responsibilities and Recording, Reviewing, Reporting and escalating risk are available on the Intranet. General guidance is available through Risk Management in the SPFM.) |
|
1.4 Risk Learning - are you assured that all staff have undertaken basic risk management training in your area and understand their role in the identification and management of risk? |
Yes/No |
Ensuring all staff have the right level of skills and training to ensure effective engagement with the risk management process is key. Everyone in the organisation has a role in helping to identify and manage risks, therefore it is essential that all staff have a basic understanding of risk management policy and process. All staff but especially those who lead risk management activity should have some risk management training to ensure a base level of knowledge of the corporate processes. Confidence levels should be shaped by:
(The SG Risk Guide is available on the Intranet. General guidance is available through Risk Management in the SPFM.) |
|
1.5 Recording and Reviewing Risk - do you regularly review your key risks (including Cyber risks and threats), record them using the standard SG Risk Register format and do you receive reports on the management of those key risks and controls/mitigating actions? |
Yes/No |
|
Good risk management means documenting and assessing identified risks, implementing controls and actions to reduce risks to within agreed levels. Risk documentation must be reviewed regularly to ensure that appropriate action is being taken and progress documented. Risk Registers should be a dynamic means of recording risks, reporting on risks should include analysis and ask key questions of risk owners – it should not always be a review of the risk register. Confidence levels should be shaped by:
(The SG Risk Guide and Supplementary Guide: Recording, Reviewing, Reporting and Escalating risk are available on the Intranet. The Standard Risk Register Template is also available on the intranet. General guidance is available through Risk Management in the SPFM.) |
1.6 Risk Appetite Have you articulated your appetite for key risks and do you use this to help identify the extent to which you need to address your risks? |
Yes/No |
|
Your risk appetite should reflect the level of risk that you are prepared to accept (and not accept) for different types of risk in order to achieve your objectives. Ensuring you understand your appetite for risk is essential to helping you prioritise risk mitigations, and therefore resources, on those risks outside of your agreed acceptable limits. Risk appetite should be considered within the wider context of your Directorate and DG to ensure that your approach is appropriate. Confidence levels should be shaped by:
(The SG Risk Guide and the supplementary Guide: Risk Appetite are available on the Intranet. General guidance is available through Risk Management in the SPFM.) |
1.7 Is there a Business Continuity Plan covering the critical functions of your business area, as identified through a business impact analysis, which has been reviewed and updated and exercised in the last year? |
Yes/No |
|
Every directorate should have a Business Continuity Plan. Every division must ensure their functions are reflected in the directorate plan or in their own divisional plan, if appropriate. The plan should describe how essential business across the directorate would carry on in the event of disruption to staff, building access, systems such as information communications technology (ICT), data or organisations you depend on (such as supppliers). These plans should include robust communication and incident management arrangements are in place (e.g., sign up to GroupCall as well as local business area arrangements) and incident management arrangements. A business impace analysis should be used to determine the critical functions of the directorate and the maximum tolerable period of disruptions and recovery time objectives for these functions. It should identify what is required to carry out those functions (staff, buildings, systems including ICT, other organsiations such as suppliers). Plans should be reviewed, updated and exercised at least annually or more frequently to accommodate change in: personnel; responsibilities; priorities; working practices; processes; procedures; the external and internal operating environment; to apply lessons learned. Your level of confidenct should reflect your confidence in the directorate's ability to continue delivery of critical functions in the event of disruption. Guidance and support for local business continuity planning activities can be requested from the Security and Business Continuity Unit. Guidance and templates are available on the intranet. |
1.8 Do you have disaster recovery plans/arrangements in place for the event of the loss of key systems (including corporate ICT systems and line of business applications) upon which your and/or other business operations depend on? |
Yes/No |
Providers of corporate services must ensure plans are in place for dealing with systems failure, including both to continue to provide critical services to other users and to recover affected systems. Where local systems are in operation, including but not exclusively ICT systems, the business area has a responsiblity to ensure that plans are in place for business continuity and for recovery e.g., back-up data to ensure that services can be fully restored. Local response to the possible loss of corporate functions and resources (e.g., accommodation, SCOTS, SEAS, eRDM, e-HR, MiCase, line of business applications) might be considered in the context of divisional risk management, incident management and business continuity processes and procedures. Business areas with staff in non-main buildings may have local arrangements in place in the event of loss of key facilities and resources. Your recovery plans/arrangements should be tested regularly to ensure they are fit for purpose and meet your needs in the event of a loss or continuity event; your level of confidence should reflect the extent to which you have tested your plans and updated them accordingly. |
|
2. Business planning |
|||
2.1 Do you have clear business objectives relating to the high priority business objectives of your division (linked to National Outcomes) and do they relate to those articulated within your Directorate business plan? |
Yes/No |
|
You should have clear business objectives which are linked to key National Outcomes as outlined in the National Performance Framework and where appropriate the Programme for Government as early as possible in the process so that appropriate advice can be provided. Business plans should be refreshed on a one-year cycle but should include indications of how the business plan will develop over the following two years. Business Plans should also inform risk management information. Confidence levels should be shaped by:
|
2.2 Have your objectives been translated into short, medium and long term measurable targets of both Business-as-Usual service delivery (e.g., FOI performance) and Scottish Government priorities (e.g., Programme for Government deliverables, against which performance and progress are measured)? |
Yes/No |
|
New initiatives or spend, or changed systems should normally be discussed with Finance, Procurement and Internal Audit colleagues before proposals are finalised. New property requirements should be discussed with Property and Construction Division for advice.
For change initiatives managed as projects or programmes, section 3 (major investment) or 4 (projects) should be completed. The Approaches and methodologies toolkit provides some guidance on the difference between Business-as-Usual and projects. Teams should utilise the AO templates for spending decisions per approval limits.
The Organisational Change and Performance Division can support colleagues planning to undertake change and improvement work. The Organisational Change and Performance Division can advise on a range of improvement and change methodologies, and signpost colleagues additional supports available within the Scottish Government. (Guidance on the Role of Finance is available on the Intranet. General guidance on Procurement and Internal Audit is available in the SPFM.) |
2.3 Are there clear plans for how your division will contribute to Directorate improvements in their performance – in keeping with the vision and values of In the Service of Scotland? |
Yes/No |
|
This question seeks to find out if the relationship between inputs, outputs and outcomes is being applied in developing business and staff performance measures. Our vision - 'In the Service of Scotland' - provides the blueprint for how to successfully operate in an uncertain and evolving world. If you would like to know more about our vision and how you can help shape how we achieve it. Additionally, guidance on Performance Management is available on the intranet. |
2.4 Do you regularly receive timely, relevant, and reliable reports on progress and performance against key indicators and targets alongside your risk information and take corrective action where necessary? |
Yes/No |
|
This could take the form of regular reports prepared for consideration at progress meetings or updates provided in the context of regular meetings with managers. Corrective action might involve the reprioritisation/reallocation of resources (budgets and staff) and the reordering of key business priorities. |
2.5 Does your business plan inform your financial, people, and operational plans and prioritisation? |
Yes/No |
This could be demonstrated whereby the business plan is used as a reference document when considering new requests that come in to identify opportunity cost and prioritisation advice. There should be a connection between the items in the business plan and assumptions for finance, people and operational decision making – whereby delivery identified within the business plan has resource allocated within financial and people plans, and operational plans about where people are deployed accommodate the deliverables and schedule within the business plan. |
|
3. Major investment |
|||
3.1 Has your area been responsible for the initiation or delivery of one or more major projects or investments during the past financial year? (If not, please ignore the other questions in this section) |
Yes/No |
|
Major investments are defined in the Major Investment Projects section of the Scottish Public Finance Manual (SPFM) but can also be defined as initiatives:
All Major Investments must adhere to the guidance in the SPFM, and its key principles should be adopted in relation to all investment projects. Any property and construction procurement requirements should be addressed at least one year in advance of budget planning and advice sought from Property and Construction Division. Engaging with Property and Construction Division as early as possible in the process is recommended. |
3.2 Do/did your project’s governance arrangements align with the Scottish Government’s strategy and sector specific governance procedures? |
Yes/No |
|
Relevant procedures include the following:
|
3.3 Have you assessed your project(s) in line with the SG’s assurance procedures and engaged with the appropriate assurance process? |
Yes/No |
|
Relevant procedures include the following:
|
3.4 Do you have an up-to-date case for change (e.g., business case) demonstrating continued strategic alignment, viability and value added, and providing business justification for each project? |
Yes/No |
|
You must be able to demonstrate the on-going justification of the need for your project and should regularly review the case for change to ensure its currency. Your business case should encompass relevant data from impact assessments, benefit measures, delivery approaches and optimism bias to allow a proportionate evaluation. For projects including a procurement element, you must also be able to demonstrate compliance with the Procurement Section of the SPFM. For construction and/or an infrastructure project, you must be able to demonstrate compliance with Client Guide to Construction Projects. Further guidance and support is available from the Scottish Government’s Construction Procurement Policy Unit. For property requirements, you must be able to demonstrate compliance with the Property Section of the SPFM. Further guidance and support is available from Property and Construction Division who should be contacted as early as possible in the process. |
3.5. Have you assessed your capability and capacity to deliver your project(s) and are you aware of when you need specialist resources and how to secure the specialist resource? |
Yes/No |
|
The SRO (Senior Responsible Owner) must be appointed at the earliest possible stage of the project. Clear roles and responsibilities should be assigned and levels of delegated authority should be clearly identified and agreed. These should be documented in formal letters of appointment between the Investment Decision Maker and the SRO and between the SRO and various post holders within the Project Management Structure. You should ensure that people appointed to positions within the project’s governance and management structure have the skills, experience, and knowledge necessary to fulfil their role, using existing performance management and PLP arrangements in accordance with question 8.1. All major projects should have undertaken a PPM Maturity Self-Assessment, and these should be reviewed periodically, where additional assurance of capacity or capability is required, an early capability checkpoint review is available from the Portfolio, Programme and Assurance Team. You should have engaged with relevant professions or cross-functional teams in the planning and scoping stages of your project to ensure they can help inform opportunities and risk assessments at the earliest opportunity to maximise successful outcomes. For example, have you engaged with the following for advice and guidance, and, to embed their expertise in your planning, business case and risk & impact assessment, enabling a whole system approach:
Internal and external specialist resources required for the successful delivery of the project should be identified and secured at planning stage. For consultants, you must comply with the Scottish Government Consultancy Procedures in accordance with COA question 7.5. |
3.6 Have you put all necessary arrangements in place to assess the realisation of benefits and capture lessons from the delivery of your project(s)? |
Yes/No |
Necessary arrangements include:
Ensuring that:
|
|
4. Project management |
|||
4.1 Has your area been responsible for one or more projects - other than major investment projects – during the past financial year? |
Yes/No |
|
This section covers all projects and investments not covered by the SPFM definition of a major investment project, including digital, business transformation, infrastructure and/or new or changing policy or legislative programmes. The Programme and Project Management Centre of Expertise (PPM-CoE) library of support provides a range of guidance and support to help you provide a proportionate approach to project delivery. |
4.2 Did/do your project’s governance arrangements align with the Scottish Government’s strategic and sector specific procedures? |
Yes/No |
|
Projects should take a proportionate approach to employing an enabling governance regime based on the principles contained within the major project section of the SPFM. Scottish Government’s Principles for Programme and Project Management set out a framework of activities that should be embedded to enable and control projects. |
4.3 Have you assessed your project(s) in line with the Scottish Government assurance procedures and engaged with the appropriate assurance process? |
Yes/No |
|
Relevant proportionate procedures include the following options:
|
4.4 Do you have an up-to-date case for change (e.g., business case) demonstrating continued strategic alignment, viability and value added, and providing business justification for each project? |
Yes/No |
|
All projects should articulate an accurate and up-to-date justification, proportionate to the size of the investment. The five cases of the UKG’s Treasury Model should be identifiable though the document may vary in size and complexity. |
4.5 Have you assessed your capability and capacity to deliver your project(s) and are you aware of when you need specialist resources and how to secure the specialist resource? |
Yes/No |
|
Projects should not be entered into without a viable route to the appropriate capacity and capability to deliver in line with the Management Case of the above the model. All projects and project areas are encouraged to undertake a regular PPM Maturity Assessment and plan activities required to close any gap between actual and desired/targeted PPM maturity. |
4.6 Have you put all necessary arrangements in place to assess the realisation of benefits and capture lessons from the delivery of your project(s)? |
Yes/No |
|
Benefits should be specifically described and measurements applied, and then actively managed to ensure the purpose of the investment can be adequately justified before and during delivery, then measured and assessed post-project, and maximum value can be achieved from the investment. Projects are learning organisations and they should put proportionate arrangements in place to identify and gather knowledge to improve their delivery and the delivery of other projects across the SG. |
5. Financial management |
|||
5.1 Do you ensure that a documented business case has been prepared for all policy proposals and do you ensure that your Finance Business Partner (or equivalent) and, as necessary, Scottish Procurement and Property Directorate SPPD and Internal Audit and Assurance Directorate is involved at the earliest possible stage in its preparation where there are resource, control, procurement, property or other finance related implications and that they are kept informed of developments? |
Yes/No |
|
Finance should also be consulted on any novel or contentious spending proposal, in line with the Financial accountability and assurance and any matter which includes issues of financial propriety and regularity. The need to consult Finance might also be included in induction material and local desk instructions. We recommend that the relevant UK guidance such as the Green Book is also consulted as part of any policy proposal alongside the SG approach to Risk Management.
Where appropriate, further guidance and support on property matters is available from Property and Construction Division who should be contacted as early as possible in the process. |
5.2 Do you have procedural instructions, cleared with Finance, about how financial matters are handled within the area, including guidance to ensure that proper and accurate accounting records are maintained and entries in them are properly authorised? Are processes in place for regular monitoring of compliance with these instructions? |
Yes/No |
|
Local desk instructions should be drawn, as appropriate, from the key principles of the SPFM. Instructions should be in place covering the arrangements for entering into commitments and for approving and processing the resultant payments, including VAT – and ensuring adequate separation of duties. This may also cover other matters such as delegated authorities, budget monitoring procedures and the requirement to consult Finance on all proposals that may have resource or other finance related implications.
Monitoring of compliance should be supported by regular management checks and the consideration of financial matters at regular meetings with your managers. The response to this question needs to reflect both the provision of information needed for accounting purposes (e.g., the proper and timely entry of data into SEAS and/or EASEbuy) and for cash management purposes. The response should also take into account the controls in place within your area to ensure that only authorised personnel have access to the SEAS system. (Guidance on SEAS and EASEbuy is available on the Intranet.) |
5.3 Do you ensure that all staff that have budgetary responsibility have written delegated authority and the appropriate skills and training to discharge their responsibilities for managing public money? |
Yes/No |
|
Delegated financial authority (i.e., where members of your staff have full responsibility for budgets and take decisions without having to refer upwards) will not be appropriate in many divisions but where it is you should provide details of the broad arrangements e.g., set out in desk instructions, financial responsibility statements. This is separate from Delegated Purchasing Authority (DPA). The authority required to make and authorise payments etc. within SEAS and the authority to purchase in EASEbuy are also separate authorities.
(General guidance on Delegated Authority is available in the SPFM. Guidance on the Scheme of Delegation is available on the Intranet.)
(Guidance on Budget and Financial Management is available on the Intranet under Financial Accountability and Assurance and Pathways Digital Learning Platform.) |
5.4 Is there adequate separation of duties where required and are staff with these duties adequately trained to discharge their responsibilities in that regard and how do you ensure that this is achieved? |
Yes/No |
|
Confidence levels will be shaped by the strength of procedures applied to activities such as authorising and processing payments and receipts or awarding grants. There may be concerns (e.g., within small units) where the rules on separation of duties cannot practically be achieved. In such circumstances the response should relate to whether the local arrangements (e.g., compensating controls) agreed with Finance are working satisfactorily.
(The requirement for appropriate separation of duties is included in a number of sections of the SPFM, notably those covering Expenditure and Payments and Income Receivable and Receipts.) This covers all staff involved in the financial process. The level of knowledge and training should be related to the part played by the individual in the financial process. Individual duties should be covered in desk instructions. All staff with responsibility for entering into contracts, raising purchase orders, or issuing invoices etc. should have a knowledge of the rules relating to VAT and the ability to recover and or charge VAT.
Note that this is separate from the authority required to add/amend suppliers and make and authorise payments within SEAS or to purchase within EASEbuy. |
5.5 Do you ensure that Finance (and Property where applicable) are informed of any changes to assets as they arise and that SEAS is maintained up to date to reflect the assets held in your area? |
Yes/No |
|
Capitalised expenditure (PPE and Intangibles) must meet the approved corporate thresholds and definitions and be supported by Asset Addition forms. Any disposal of previously capitalised assets should be recorded correctly in SEAS and supported by Asset Disposal forms. Further guidance is available from your Finance Business Partner and via the Intranet. Where appropriate, further guidance and support on property matters is available from Property and Construction Division who should be contacted as early as possible in the process. |
5.6 Do you have arrangements to ensure that all assets for which the area is responsible are properly managed and safeguarded? How do you ensure this? |
Yes/No |
|
Only assets for which the area is responsible need to be considered here. This will include those assets on a locally maintained inventory of valuable and attractive items. The response should consider safeguards such as those against unauthorised use or disposal. (Guidance on Property Management and Fraud is available in the SPFM.). Where appropriate, further guidance and support on property matters is available from Property and Construction Division who should be contacted as early as possible in the process.
|
5.7 Do you have effective arrangements in place to ensure that you are managing and monitoring any money due to the Scottish Government and that it is collected within reasonable timescales and are procedures written with reference to the SPFM and are they reviewed and updated regularly? |
Yes/No |
|
Further detail on Debt recovery can be found in the Income receivable and receipts section of the SPFM. Staff should be trained in local procedures/arrangements which should be reviewed and kept up to date. Confidence levels will be shaped by the strength of procedures surrounding:
|
5.8 Do you have procedures in place for timeous and effective monitoring and reviewing of financial information and budgets for which you are responsible to ensure that central finance deadlines are met? |
Yes/No |
|
The response should reflect the following:
|
5.9 Do you have procedures in place to ensure that budgets are regularly reviewed throughout the year and that budget transfers are completed and authorised in line with corporate finance deadlines? |
Yes/No |
|
You will wish to consider here the mechanisms in place for communicating budgetary information both at the beginning of the year and changes made in-year whether at the time of formal monthly or quarterly reviews or at other times. This would also cover the transfer of funds between one area and another or between the centre and your area. |
5.10 Do you regularly review internal financial reports which report actual against budget outturn and discuss progress with your director or equivalent? How do you ensure this is achieved in line with corporate finance deadlines and what action is taken following financial review to ensure a balanced budget is achieved? |
Yes/No |
|
The review of the regular financial reports needs to take account of both forecast outturn positions and year-to-date actual costs against profiled budget spend. |
5.11 Do you ensure that that the Subsidy Control Unit is consulted at the earliest possible stage on all proposals that may have subsidy implications? |
Yes/No |
|
Guidance on Subsidy Control procedures is included in the SPFM. Further detailed guidance is available from SG's Subsidy Control Team. |
5.12 Do you ensure that any grant proposals and payments comply with the guidance in the SPFM and internal guidance? |
Yes/No |
|
The section of the SPFM on Grant and Grant in Aid includes references to checklists covering the grant proposal, application and assessment processes and a Model Offer Grant Letter document. SG Grant Management guidance can be found on the Intranet. |
5.13 Do you ensure that any grants awarded are linked to the National Outcomes as outlined in the National Performance Framework and where applicable any Programme for Government commitments via the Model Offer Agreement, including the contribution the grant is expected to make in achieving these outcomes including how they will be monitored and evaluated? |
Yes/No |
|
The Model Offer letter should detail the specific outcomes the grant is planning to achieve, and business areas should consider (where appropriate) how it will contribute to other key policies and initiatives as detailed in local guidance – guidance on grant making can be found on the intranet. This should include what public spending supports, what this aims to achieve, the contribution it is expected to make to National Outcomes and evidence for this, how plans are being delivered, and the impact this is having. |
5.14 Do you have confidence that all of your staff who are involved in the management of grants have the skills and training to allow them to manage their grants effectively? |
Yes/No |
Ensuring key staff have the right level of skills and training to ensure effective engagement with the grant management process is key. Confidence levels should be shaped by:
|
|
5.15 Do you have procedures in place to monitor any Losses, Special Payments, and Gifts in year? |
Yes/No |
Losses, Special Payments, and Gifts should be disclosed each year. The SPFM includes guidance on Losses and Special Payments and Gifts giving guidance on the various types of Losses, special payments and gifts and the approval process. You should ensure the guidance is followed to correctly report any of these transactions. |
|
5.16 Do you have year-end procedures in place to ensure all Annual Accounts returns are completed in a timely and accurate manner? |
Yes/No |
There are various returns due to finance as part of the annual accounts process. You should have procedures in place to ensure that information requested can be provided to Finance in an accurate and timely manner. Information requested will be used to ensure income and expenditure are recorded in the appropriate financial year and that any assets or liabilities of the Scottish Government are reviewed and appropriately accounted for. This includes consideration of committed and contingent balances (Contingent Liabilities, contingent assets), indemnities and guarantees. Confidence levels can be shaped by:
|
|
6. Fraud |
|||
6.1 Are operational managers and all members of staff within your area aware of their responsibilities with regards to the prevention and detection of Fraud (including Cyber Fraud)? |
Confidence levels should be shaped by:
|
||
6.2 Have you had any cases of fraud or suspected fraud within your area in the last year? |
Fraud cases and suspected fraud cases should be reported in accordance with the Scottish Government Fraud Guidance please highlight in your response if the fraud or suspected fraud was reported to the Fraud Response Team. Unless separate prescribed procedures are in place any suspicion of fraud (internal or external) should be reported to the SG Governance and Risk Team via email fraudresponseteam@gov.scot or the Crimestoppers Hotline 08000 15 16 28. |
||
6.3 Have you identified and documented the fraud and corruption risks specific to your area, by way of fraud risk assessments, ensuring that, where needed, risks are mitigated with appropriate control activities? |
Confidence levels should be shaped by:
|
||
6.4 When new grant schemes or other spend programmes are being developed do you ensure you are considering whether fraud prevention measures need to be built into your plans, based on appropriate Fraud Risk assessments being in place? |
Within grant schemes confidence levels should be shaped by:
Within other spend confidence levels should be shaped by:
Unless separate prescribed procedures are in place any suspicion of fraud (internal or external) should be reported to the SG Governance and Risk Team via email fraudresponseteam@gov.scot or the Crimestoppers Hotline 08000 15 16 28. |
||
7. Procurement |
|||
7.1 Do you ensure that the Scottish Procurement and Property Directorate (SPPD)- are consulted from the earliest possible stage on any business cases proposals that may involve procurement, commercial and/or property activity? |
Yes/No |
Guidance on the role of the Scottish Procurement and Property Directorate (SPPD), guidance on Buying Goods, Services or Works and the Security Questionnaire is available on the intranet. The need to consult SPPD might be included in induction material and local desk instructions. SPPD must be consulted early on any novel or contentious spending proposal and any matter which includes issues of procurement and/or property propriety or regularity and in all instances where purchasing support will be needed from SPPD. For all major programmes and large funds this means involvement in the drafting of Strategic Outline Cases. For initiatives of any size that will involve the third or private sector distributing funds on ministers' behalf, this means engaging SPPD during policy design. Where appropriate, further guidance and support on property matters is available from Property and Construction Division who should be contacted as early as possible in the process. |
|
7.2 Do you have sufficient access to staff with Delegated Purchasing Authority (DPA) to meet your business needs? |
Yes/No |
DPA is the authority from the Director of Procurement and should on a personal basis to permit permanent SG members of staff to enter into a contract for goods, services and works and oversee the process leading up to and including the award of a contract and active management of the contract after award. This is separate from financial authority and the authority to make purchases on EASEbuy. Please confirm how many staff in your area have DPA and if the number does meet your business needs. (Guidance on DPA is available on the intranet). |
|
7.3 Do you have contracts in place for all purchases of goods, services and works in your division whether bespoke contracts for your area or corporate contracts available for use across the Scottish Government? |
Yes/No |
Divisions should understand if their procurement spend is covered by contract and should be aware of the Scottish Government contract register. Contracts can only be placed by officers with Delegated Purchasing Authority (see 7.2 above) |
|
7.4 Is all procurement activity within your area undertaken in accordance with the Procurement Policy Manual and all policy initiatives announced in Scottish Procurement Policy Notes (SPPNs) issued by the Scottish Procurement and Property Directorate? |
Yes/No |
Evidence should be provided by staff with DPA to assure Division Heads that all procurement activity has been conducted with the Procurement Policy Manual. Specific guidance on the operation of the electronic Purchasing Card and the EASEbuy System is available for staff making purchases using ePC. Does your business area have a system in place to ensure staff are aware of the latest and any other significant Scottish Public Procurement Notes SPPN’s (Cyber Security, Climate Change)? |
|
7.5 Does your area’s use of external consultants comply with the Scottish Government Consultancy Procedures? This includes using the consultancy account codes on the Purchase Orders that are created in the purchasing system. |
Yes/No |
Expenditure for contracts for consultancy below £10,000 in value need to be approved at Deputy Director level. Expenditure for consultancy contracts between £10,000 and £50,000 need to be approved at Director General level. Above £50,000 submissions for approval must be endorsed by the relevant Director General and expenditure must be approved by the Cabinet Secretary for Finance and Economy. If there have been no such cases during the period, then please provide a nil response. Consultancy expenditure must be coded against the account codes stated in the Consultancy Procedures. Management checks on consultancy expenditure on SEAS should be carried out to ensure approval was sought at the appropriate approval level prior to purchase. |
|
7.6 Is the number of staff authorised and trained to act as purchasing system requisitioners and approvers consistent with your division’s needs? |
Yes/No |
Staff who are authorised as purchasing system requisitioners and approver need to recognise the importance on the financial information being entered correctly. The amount of knowledge and training does, of course, need to be related to the part played by the individual in the financial process. Individual duties might be covered in desk instructions. Details of available training are provided on the EASEbuy training page. |
|
7.7 Do you ensure that staff with electronic Purchasing Cards (ePCs) are fully aware of their responsibilities to monitor compliance and meet the ePC policy? |
Yes/No |
Monitoring of compliance might be achieved by regular management checks and the consideration of financial matters at regular meetings with your managers. (Guidance on ePC is available on the intranet.) |
|
7.8 Do you ensure that staff are complying with the prompt payment of suppliers’ process to meet the 10-day payment commitment? |
Yes/No |
Relevant guidance regarding the prompt payment of suppliers’ policy must be brought to the attention of staff periodically and/or in reviewing training requirements. |
|
7.9 Do you have in place appropriate arrangements in your area to ensure effective contract management enabling delivery of both technical and commercial requirements? |
Yes/No |
Staff managing contracts should have the knowledge and skills to deliver both the technical and commercial conditions of the contract. Staff can seek guidance or arrange for Contract Management services to be delivered by the SPPD Contract Management Team. Additional guidance is also available on the Procurement Journey. In addition, Staff responsible for construction projects should be aware of the guidance provided within the Client Guide to Construction Projects and can seek guidance from the CPPU Team. |
|
8. Human resources |
|||
8.1 Do you have, and regularly update, workforce plans linked to resourcing plans that enable you to match resources to priorities and affordability and have they contributed to increased diversity and inclusion? | Yes/No |
In the Service of Scotland sets our vision and values, and the context for people management and development, helping to ensure we have the right people in the right place. Confidence levels will be shaped by working with your HR Business Partner on activity such as:
|
|
8.2 Do you have processes in place to develop staff and increase capability to support diverse and inclusive, high performing teams? |
Yes/No |
In the Service of Scotland sets our vision and values, and the context for people management and development, helping to ensure we have the right skills now and for the future. Confidence levels will be shaped by working with your HR Business Partner on activity such as:
|
|
8.3 Are line managers at all levels skilled in managing performance and supporting the wellbeing of their staff? | Yes/No |
In the Service of Scotland sets our vision and values, and the context for people management and development, helping to ensure a workplace culture for individuals to bring their whole selves to work, to thrive and be successful. Confidence levels will be shaped by working with your HR Business Partner on activity such as:
|
|
9. Equality and diversity |
|||
9.1 Are all new, revised or strategically significant policies/activities/projects in your area assessed, in line with legislative requirements, for their impact on people with one or more of the Protected Characteristics listed in the Equality Act 2010 at the earliest possible stage in the policy development process? |
Yes/No |
This question relates to the leadership responsibility under the statutory Public Sector Equality Duty (PSED), and the specific duty to assess and review policies and practices. Policy should be understood broadly to embrace the full range of policies, provisions, criteria, functions, practices, and activities undertaken by the Scottish Government. You are expected to ensure that, in line with legislative requirements, new or revised policies and practices in your area are assessed for their impact on people with one or more of the protected characteristics in the Equality Act 2010. These are age; disability; gender reassignment; marriage and civil partnership; pregnancy and maternity; race; religion or belief; sex; and sexual orientation. Going beyond statutory obligation, the First Minister and the Permanent Secretary have made clear their ambition for equality and human rights to be embedded in everything SG does.
In terms of process, assessment would typically be done through the EQIA process. Guidance on EQIAs is available on the intranet. Relevant deputy director (or equivalent is required to sign off on EQIAs, and in signing off they are required to ensure the impact of applying the policy has been sufficiently assessed against the three needs of the equality duty and EQIA is robust and addressing all relevant equality issues. In answering, you should be able to demonstrate that you have in place appropriate arrangements for identifying and monitoring EQIA application and for prioritisation of EQIA within policy and practice development and review. This also includes an assurance that DD sign-off for situations that are assessed as 'no EQIA is required' are reviewed and evaluated as correct |
|
9.2 Are you confident that all staff in your division have the capacity and capability to embed equality within the policies or programmes they are working on? |
Yes/No |
This question seeks to find out if SG staff have the capacity and capability to deliver on equality obligations. In answering this question, you should consider whether staff have had sufficient time, information, training, guidance, and support to enable that aim to be realised, considering for example if:
Equality guidance and tools are available on the intranet. In answering, you should be able to demonstrate how you are developing staff on an ongoing basis in this area. |
|
9.3 Are you confident that any procedures in place to ensure that equality considerations are embedded into all policies/activities/projects in your area are delivering improved outcomes for people with protected characteristics? |
Yes/No |
This question relates to the extent to which policies and programmes are delivering meaningful outcomes for the people whose lives the Scottish Government is seeking to improve, which includes those with one or more protected characteristics under the Equality Act 2010.
Specifically, EQIAs must consider impacts based on the three tests of the Public Sector Equality Duty (PSED) it is required to address:
In answering you should consider and reflect the evidence (both quantitative and qualitative) demonstrating improvement in your area and the narrative of how policies and programmes in your area demonstrate active due regard to all three needs of the PSED. |
|
9.4 Are you confident that any schemes operated by your division for funding the work of external stakeholders meet statutory equality requirements and therefore delivers improved outcomes for people with protected characteristics? |
Yes/No |
This question relates to the extent to which funding for partners’ activities and projects (or core funding for partners designated as intermediaries) aligns to statutory requirements under the Equality Act 2010. Where a private or voluntary organisation provides a ‘public function’ it is then subject to the general equality duty. A public function refers to activities that are carried out on behalf of the State not similar in kind to services that could be performed by private people. Public functions can also be carried out by private or voluntary organisations, for example when a private company manages a prison or when a voluntary organisation takes on responsibilities for child protection. In answering this question, you should set out how you are ensuring this is the case in addition to 9.1 and 9.3. |
|
10. Information |
|||
10.1 Does your division demonstrate best practice information governance and management including compliance with relevant legislation? |
Yes/No |
Have you ensured information held in assets complies with the Public Records (S) Act 2011 and the SG records management plan and policy? The General Data Protection Regulation and Data Protection Act 2018 came into force in May 2018. Have you:
|
|
10.2 Are access control mechanisms in place for each system? |
Yes/No |
Access control mechanisms for each system are documented by IAOs. Control Mechanisms are in place for physical access and access to information. Location of information assets are registered on the Information Asset Register. Have you:
|
|
10.3 Has your Information Asset Owner been trained in the role and is this training up to date? |
Yes/No |
IAOs (usually Deputy Directors but certainly head of division) are responsible for ensuring that their information assets are recorded on the corporate Information Asset Register (IAR) and managed in line with data protection regulations. Guidance can be found on the IAR pages on the intranet. See guidance on “What is an Information Asset?” in the IAO Handbook. information Asset Owner Risk management responsibilities are covered in the IAO handbook Information asset register and in the IAO training that can be booked on the intranet. |
|
10.4 Do any supporting staff have an awareness of the role and responsibilities of an IAO and have they been trained in information handling? |
Yes/No |
Staff are available and appropriately knowledgeable to discharge these roles and have undergone or are undergoing appropriate training. For core SG the SIRO is DG Organisational Development and Operations, non-core bodies will have their own SIRO. Guidance on mandatory roles can be found on the intranet. Mandatory eLearning packages (Data Protection and Responsible for Information) can be found on the intranet. Where a Deputy IAO is assisting the IAO, have they been trained and understand the role? Please see question 10.16 below. Deputy Information Asset Owner Role training is on pathways. |
|
10.5 Can you confirm that information risk assessments have been carried out for all information assets and do you take all required actions to safeguard your information assets and the corporate infrastructure and regularly/actively consider and manage current and emerging cyber risks and threats pertinent to your business? | Yes/No |
IAOs must ensure that their information assets are reviewed annually for necessity, and lawful basis and consider, where consent or legitimate interest is in use, that these remain proportionate. Data protection impact assessments should be reviewed for continued relevance and continued security both within SG and with suppliers if used. All staff should have read and understood the relevant policies and guidance (such as DPA, IT Code of Conduct, and Records Management). Where information assets are managed by external suppliers, IAOs should satisfy themselves that appropriate security and data handling processes set out at procurement time remain in place. The mandatory risk management training is now in place: Pathways has an e-learning course made up of five modules that cover the key aspects of our risk framework. This course is mandatory for all colleagues. There is a course for Band A employees and another for Band B - SCS employees. Information Asset Owner Risk management responsibilities are covered in the IAO handbook Information asset register and in the IAO training that can be booked on the intranet. |
|
10.6 Do you have processes in place for dealing with security incidents involving data? | Yes/No |
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transferred, stored, or otherwise processed. Have you:
The security incident reporting tool can be found on the the intranet. |
|
10.7 Have you had any information security incidents involving data that occurred in your area over the past financial year that you did not record on the corporate security incident reporting tool? | Yes/No |
Incidents would relate to cases where information (both personal and non-personal) may have been accidentally exposed, lost or made unavailable regardless of whether this has resulted in harm to individuals. IAOs are aware of and follow the corporate process in place to report, manage and recover from information risk incidents. Lessons have been learnt, and shared, from incidents (if any). Local managers have a responsibility to ensure that staff are aware of and comply with the relevant guidance, to initiate checks where non-compliance is suspected and to monitor suppliers. Managers have a responsibility to ensure that all staff and suppliers are aware of their responsibilities to safeguard Government information. |
|
10.8 Can you confirm all colleagues within your business area use the approved corporate system to store their information for the corporate record? | Yes/No |
|
The approved corporate system (i.e., electronic Record and Document Management system (eRDM)), is used as the approved repository for corporate information and ensures we manage it in line with the arrangements set out in our records management plan (RMP) and Information Management Strategy. |
10.9 Do you and your Deputy Directors personally use the approved corporate system to manage information? | Yes/No |
All staff in the SG should be using the approved corporate information system (eRDM) to store their corporate business documents. |
|
10.10 Do colleagues in your business area store corporate information in unmanaged storage repositories such as local or network drives? | Yes/No | A review of our corporate information management was published in 2021. A recommendation from this was to manage down the availability and use of unstructured information repositories, such as Public Folders and network shared drives. | |
10.11 Do all colleagues within your business area know of and understand any information management processes and procedures that may be specific to your business area i.e., local practices/responses to specific legislation? | Yes/No |
There may be procedures which are specific in your business areas regarding how you manage your information for example some information may need to be restricted to adhere to information laws or other types of legislation. Your retention timelines may differ from the standard and enhanced restrictions may be required due to sensitivity of topic. |
|
10.12 Are there any business processes utilised within your business area that prevent your colleagues from using our electronic corporate records and documents management system e.g., databases/GIS/Complex spreadsheets? | Yes/No | Some complex applications do not function well within an Electronic and Document Management System and may need to be kept in shared drives e.g., databases/GIS information/databases or complex spreadsheets. Regular snapshots should be taken and saved into the approved corporate record management system (e.g., eRDM) as part of the corporate record. | |
10.13 Are all colleagues in your business area familiar with the SG Information Management Strategy? | Yes/No |
One of the recommendations of the corporate review of our information management was the creation of an SG Information Management Strategy to ensure everyone in the Scottish Government understands their roles and responsibilities when managing and using information. |
|
10.14 Can your colleagues find the relevant information quickly and easily to respond to queries or e.g., Freedom of Information requests? | Yes/No | If information is being stored correctly in eRDM then the retrieval of that information is more streamlined. This would not be the case if colleagues have to search numerous unstructured data repositories e.g., shared drives, Public Folders, personal storage areas such as OneDrive. | |
10.15 Does your business area monitor compliance in terms of information management governance and legislation? | Yes/No |
Good information and record management isn’t just about filing it is a requirement of the law. The following are key information laws which apply to the Scottish Government and each of us managing information and records on its behalf:
|
|
10.16 Are all colleagues in your business area familiar with information management key roles and responsibilities? | Yes/No |
There are a number of key roles that should be in place to ensure adequate management of Information. More information on these roles is detailed below. Information Asset Owner This is an existing role and is usually at Head of Division/Unit level. Information Management Support Officer (IMSO) This is also an existing role, and they are the first point of contact about guidance on the use of our electronic record and document management (eRDM) system. Deputy Information Asset Owner (DIAO) This is a new role which has been highly recommended to encourage, develop and maintain high standards, robust policies and procedures whilst ensuring compliance in knowledge and information management practices within divisions. They will act as a deputy to the IAO and would also provide liaison with IMSOs and the iTECS Knowledge and Information Shared Services Unit [KISS]. DG Information Governance Officer (DG IGO) This is a recommended new role to act on behalf of the DG to champion the Information Management (IM) agenda across the DG. Directorate Information Governance Officer (Dir IGO) This is a recommended new role to act on behalf of the Director to champion the Information Management (IM) agenda across the Directorate. |
|
10.17 Are all colleagues in your business area aware of the training resources available around information management and which of these are mandatory? | Yes/No |
There are a number of training resources available around information management and all colleagues should be aware of these. SG Core staff have access to training surrounding ERDM, Records Management, Information Strategy, Data Protection etc. |
|
10.18 Do all colleagues in your business area make sure that the information they work with is processed appropriately and securely to mitigate risk? | Yes/No |
Information is one of the Scottish Government’s most valuable assets and needs to be proportionately protected against loss or compromise. The IT security policy has been written to provide a mechanism to establish procedures to protect the confidentiality, integrity, and availability of our information. It does not in any way amend the requirements placed upon the Scottish Government by the Freedom of Information (Scotland) Act 2002 in relation to the disclosure of official information. |
|
11. Health and safety |
|||
11.1 Do you have an appointed and trained Health and Safety Liaison Officer? |
Yes/No |
Health and Safety Liaison Officers perform key health and safety functions which help managers discharge their own responsibilities. In particular, local health and safety inductions and first point of contact for Display Screen Equipment queries. |
|
11.2 Are all of your staff aware of the facility to request home working equipment to support Hybrid Working? |
Yes/No |
Health and safety when working from home should be used for requests. Guidance on Home Working equipment and set up is on the intranet. |
|
11.3 Has all mandatory health and safety training been undertaken by all your staff? |
Yes/No |
For all Scottish Government staff there are a number of Mandatory training courses which need to be completed:
|
|
11.4 Do you have a mechanism to keep in contact with staff who work for you both at home and the workplace? | Yes/No |
Managers are encouraged to stay connected with staff who are working from home. |
|
11.5 Has the Risk Assessment procedure been implemented and reviewed as required within your area to ensure that significant risks are adequately controlled? | Yes/No |
Risk Assessment Teams (appointed by Deputy Directors) to:
(The SG Risk Management Guide and the SG Template risk register is available on the intranet. General guidance is available through Risk Management in the SPFM.) |
|
12. Sponsored bodies |
|||
12.1 Non Departmental Public Bodies - Which NDPBs, or other bodies, is your area responsible for sponsoring? (If none, please ignore the other questions in this section.) | Yes/No |
Please complete for all of the bodies you sponsor answering each question separately and highlight key points of interest (good or bad). Guidance can be found in the NDPB Sponsorship Guidance Notes. A list of public bodies in Scotland is available on the National Public Bodies Directory. Additional information can be obtained from Public Bodies Unit if necessary. |
|
12.2 National Outcomes - Do the operations, business planning and objectives of the public body align with the National Performance Framework (NPF), National Outcomes and Programme for Government? | Yes/No |
The National Performance Framework (NPF) is Scotland’s wellbeing framework and was refreshed in 2018. The next NPF review is due to commence in 2023. The NPF is intended to inform discussion, collaboration and planning of policy and services across Scotland, encompassing the public sector, businesses, civil society, and communities. It broadly sets the strategic direction for non-reserved policy areas, which should be aligned to the NPF and National Outcomes, including the work of Public Bodies.
It also represents a closer partnership approach with local government to the delivery of services in Scotland. The approach to setting, reviewing, and reporting on progress to achieving the National Outcomes, is set out in the Community Empowerment Act 2015. Supporting documents such as the corporate plan, business plan, and framework documents should be in place to enable the sponsor team to develop a shared understanding of the joint priorities to contribute towards the National Outcomes, and to ensure that individual bodies’ corporate communications (including annual report) and engagement strategies fully reflect these.
The Scottish Parliament Budget Review Group (SPBRG) has also recommended that Public Bodies should consistently set out how they plan to contribute towards specific National Outcomes in the NPF in their published corporate and business plans, and report on their contribution to National Outcomes through their annual reports, to support parliamentary scrutiny of their activities and public spending. This means providing public information about the strategic direction and operational delivery of public bodies and how this aligns to National Outcomes and the NPF. This should include what public spending supports, what this aims to achieve, the contribution it is expected to make to National Outcomes and evidence for this, how plans are being delivered, and the impact this is having. Does the corporate plan, business plan and annual reports clearly set out how the public body contributes to National Outcomes, with a line of sight to the National Performance Framework, including links to planned spending and specific outputs that are expected and how they contribute to achieving National Outcomes? |
|
12.3 Framework Documents - Is there an up-to-date Framework Document in place, with your sponsored body and appropriate arrangements in place to monitor adherence to this? If yes, when was this last revisited, is it published on the public body's website, and has this been shared with Public Bodies Support Unit to add to the central repository? | Yes/No |
Governance Structures, processes, systems, and controls should be in place to ensure robust financial management and monitoring, and compliance with the Scottish Public Finance Manual. You should be able to confirm that Framework Documents are finalised or otherwise, that they are up to date, and were subject to proper consultation (including with Public Bodies Support Unit, your Finance Business Partner (or equivalent) and the Directorate for Internal Audit and Assurance. Details of the steps taken to monitor these areas should also be provided. Guidance on the role of the sponsoring team is set out in the framework documents for Executive NDPBs, Executive Agencies, NMOs and Advisory NDPBs which are available to download. |
|
12.4 Effective Boards - Are you assured that the Board of your sponsored body is undertaking its functions effectively? | Yes/No |
The four main functions of public body Boards are:
Boards play a vital role in the accountability chain and therefore it is essential that they have the capability and capacity to perform their functions effectively. |
|
12.5 What succession planning is in place for the Board? For example, has your sponsored body carried out a skills audit and taken steps to build a diverse talent pipeline such as offering shadowing, mentoring and outreach events to support public appointment vacancies? | Yes/No |
Boards should ensure that they maximise opportunities to develop and attract diverse candidates that meet the body’s needs and legislative requirements, See the Succession Planning Guidance for Public Body Boards (as published in February 2017) and the Gender Representation on Public Boards (GRPB) guidance. Confidence levels should be shaped by whether:
Guidance given states:
|
|
12.6 Relationships – Are arrangements in place to support strong, strategic relationships with the public body to ensure effective collaboration in delivering oucomes based on business/corporate plans and do you issue an annual letter of strategic engagement to the Sponsored Body? |
Sponsorship should always be considered a strategic activity, based on strong relationships characterised by openness, trust, respect and mutual support. The objective is to find ways of working with bodies that engage and empower them in a shared vision and understanding of the strategic environment, while ensuring proportionate arrangements are in place to safeguard public funds and incentivise performance.
Executive Team and Ministers have an agreed approach which has at its core supportive, trusting relationships at a senior level; an appropriate place for the SG in the accountability chain – Ministers holding Chairs to account for the actions of Boards, Boards holding Executives to account for performance - and ensuring proportionate arrangements to safeguard public funds and incentivise performance; and a greater focus on strengthening the Boards and Accountable Officers of public bodies through induction and on-going support.
As part of this Ministers also agreed revised pay policy and procurement controls. The importance of sponsorship and the relationships between sponsors and public bodies is seen as being crucial in empowering public bodies to deliver outcomes. It would be helpful if Sponsor Teams could provide some information, commenting specifically on their experiences from adopting this approach to sponsorship with reference to which Strategic Sponsorship products they have implemented. |
||
12.7 Finance – Does your sponsored body demonstrate financial capability by providing accurate and timely financial monitoring and forecasting information to the Scottish Government and do you review financial information and liaise with corporate finance colleagues in line with deadlines? | Yes/No |
Sponsorship Teams and Public bodies should be aware of formal responsibilities they hold over the stewardship of public funds considering; SPFM, Audit Committee Handbook, The Public Sector Internal Audit Standards (PSIAS), Financial Reporting Manual (FReM), and the relevant NDPB Model Framework Document, Budget Allocation and Monitoring Letters. Other requirements relevant to Sponsorship Teams and Public Bodies include:
|
|
12.8 Finance – Do you have year-end procedures in place to ensure all Annual Accounts returns are completed by your sponsored body in a timely and accurate manner. | Yes/No |
There are various returns due to finance part of the annual accounts process. You should have procedures in place to ensure that information requested can be provided to Finance in an accurate and timely manner. Information requested will be used to ensure income and expenditure are recorded in the appropriate financial year and that any assets or liabilities of the Scottish Government are reviewed and appropriately accounted for. This includes consideration of committed and contingent balances. |
|
12.9 Fair Work - is your sponsored body an exemplar Fair Work employer, providing appropriate channels for effective voice, e.g., through trade unions, and demonstrating a commitment to fairness through being an accredited Living Wage employer? Employers should promote equality, diversity, youth employment, engagement and workforce development and work to deliver the Fair Work Convention’s Fair Work Framework. | Yes/No |
Sponsored bodies should all be meeting the Fair Work First criteria, providing:
Effective voice is central to Fair Work and all employers should demonstrate their commitment to including their staff in workplace decisions, and work in positive partnership with trades unions. Employers should also pay at least the real Living Wage, and you may wish to check if the body is an accredited Living Wage employer. Have they got an invest in youth plan with stretching targets to recruit and develop young people (e.g., recruiting Apprentices)? Do they run an employee engagement survey and act on the results? Do they use procurement policies to encourage Fair Work, including payment of the living wage and inclusive employment in their supply chain? Please provide information which will highlight the actions your sponsored body has been doing to support workplace equality, inclusion and diversity. As an example, they could be a disability confident employer, carer positive employer, IYP Gold award employer and a Stonewall Top 100 employer. They should be ambitious about diversity and inclusion and be able to demonstrate this through workplace practices. All employers should make use of the Fair Work resources available, including the Fair Work First guidance, Employer Support Tool and resources from the CIPD. |
|
12.10 Assurance – Regarding Major Investment(s), has your sponsored body engaged with the appropriate authority and recorded all relevant projects with the appropriate authority? If the answer is yes, you should provide information of what investments the public body has and if there is evidence that they have assessed them against the criteria for major investments (including Construction, Infrastructure, and IT investments) in the SPFM? | Yes/No |
Systems should be in place to ensure all business cases are assessed. For all Major Investments as defined in the Scottish Public Finance Manual: a Risk Potential Assessment Form, available from Portfolio, Programme and Project Assurance Hub, should be completed and submitted to the SG’s Portfolio, Programme and Project Assurance Hub For investment in projects containing an IT or digital elements:
For construction and infrastructure projects: projects should be registered on the SG’s Infrastructure Projects Database if they have an Outline Business Case prepared and a total capital investment of £5 million or more |
|
12.11 Fraud - Does your sponsored body have effective arrangements to counter fraud (including Cyber Fraud), bribery and corruption through a well communicated counter fraud policy, an up-to-date fraud action plan and effective avenues for reporting suspicions of fraud? | Yes/No |
Processes should be in place to ensure that policies for fraud response are consistent with SG guidance, including a review of current fraud response activity, whilst ensuring robust reporting procedures have been adopted by sponsored bodies. Further information can be found in the Fraud section of the SPFM and the SG Counter Fraud Strategy, Policy and Response Plan and Protecting Public Resources guidance |
|
12.12 Procurement - How does your sponsored body use public procurement to support a green recovery and wider climate and circular economy ambitions through procurement, embedding climate considerations in local governance arrangements and flowing through to organisational procurement related activities. | Yes/No |
For wider legal and corporate context on this requirement, refer to:
To understand and support embedding climate considerations through procurement, including key corporate enablers, along with lessons that can be leveraged for other funding flows, including grants, please refer to:
Further source of support include:
|
|
12.13 Procurement - What measurable improvements has your sponsored body made to contract management? | Yes/No |
Organisations should build into their contract management activities sufficient checks to ensure suppliers are meeting their contractual obligations. The purpose of Contract and Supplier Management is to work closely with suppliers and internal customers to:
Further details on Contract and Supplier Management and associated Managing and Improving Performance principles can be found on the Procurement Journey: Contract and Supplier Management | Procurement Journey. |
|
12.14 Property – how do you ensure your sponsored body plans strategic matters appropriately and consults the Property and Construction Division at least six months in advance (as early as possible) of any proposed changes or additions to their estate as per SPFM guidance? | Yes/No |
For example, do you ensure your sponsored body appropriately plans strategic property matters and consults Property and Construction Division as early as possible in accordance with the SPFM guidance when required etc. Where appropriate, further guidance and support on property matters is available from Property and Construction Division and should be contacted as early as possible in the process. Guidance can be found here in sections on property and best value on the SPFM. |
|
12.15 Property – how do you ensure your sponsored body considers the most cost-effective approach for proposed changes or additions to their estate, and fully considers the principles of the Single Scottish Estate Programme and Public Sector Reform whilst recognising the need to move towards a Net Zero estate, and keep within agreed budgets, as per SPFM guidance? | Yes/No |
For example, do you ensure a comprehensive options appraisal is carried out, detailing the pros and cons of any option being considered, including the financial requirement to be within budgets as well as the business need, to support any proposal? How will you ensure that all options to reduce the estate and its cost are reviewed and leases are ended when they expire or when break options arise unless an exception is approved in advance for exceptional circumstances? Are you ensuring progress is being made by your sponsored body towards a Net Zero estate? Guidance can be found here in sections on property and best value on the SPFM. |
|
13. Compliance |
|||
13.1 Do you have processes in place to ensure compliance with applicable existing, new, and updated policies, procedures, laws, and regulations – including those referred to separately in this Checklist e.g. the SPFM and any other required Impact assessments outlined on the intranet (Saltire) in relation to Policy Development? |
Yes/No | Processes might refer to desk instructions, local checklists, retention schedules and/or periodic management checks e.g., relating to the existence of statutory authority for expenditure and the holding/provision of information under the Data Protection and Freedom of Information Acts. The level of response should reflect the work of the Division. (Guidance on Data Protection responsibilities and FOI is available on the intranet.) | |
13.2 Do you have appropriate arrangements in place to ensure staff are appropriately trained and supported to handle FOI and EIR requests in line with legislative requirements? |
Yes/No | Processes might refer to desk instructions, local checklists, retention schedules and/or periodic management checks e.g., relating to the existence of statutory authority for expenditure and the holding/provision of information under the Data Protection and Freedom of Information Acts. The level of response should reflect the work of the Division. (Guidance on Data Protection responsibilities and FOI is available on the intranet.) | |
13.3 Are your staff appropriately trained and aware of their Data Protection and information security responsibilities? |
Yes/No | Training available for Data Protection and Information Security on Pathways. | |
13.4 Do you have processes in place to ensure compliance with legislative requirements for all statutory and non-statutory Impact Assessments listed on the intranet (Saltire) at the earliest possible stage in the development of all new, revised or strategically significant policies/activities/projects in your area? |
Yes/No | This question relates to the Duties under varied legislation to assess policies and strategic decisions for their impacts on various groups. Assessments in Scottish Government include the Business Regulatory Impact Assessment, Child Rights and Wellbeing Impact Assessment, legislative DPIA, EQIA, Fairer Scotland Duty, Island Communities Impact Assessment, and Strategic Environmental Assessment. Guidance on Impact Assessment responsibilities is available on the intranet. Processes might refer to desk instructions, local checklists, planned review at stages throughout or following policy development, sign-off arrangements and/or periodic management checks. Sign-off may be required at DD or Ministerial level depending on the IA. | |
13.5 Do you have appropriate arrangements in place to ensure staff are appropriately trained or are aware how to ensure delivery of all impact assessments with confidence and to a high standard? |
Yes/No | This question seeks to find out if SG staff have the capability to ensure delivery of high-quality impact assessments. In answering this question, you should consider whether staff have had sufficient time, information, access to specialist knowledge, training, guidance, and support to enable that aim to be realised. In answering, you should be able to demonstrate how you are developing staff on an ongoing basis in this area. Appropriate arrangements might include questions for new staff to establish their level of understanding, regular team reviews of performance in IAs, or a register of relevant training and impact assessments completed by staff. Guidance on Impact Assessment responsibilities is available on the intranet. | |
13.6 Are your staff appropriately trained and aware of the statutory nature of impact assessments and their responsibilities for them, and able to access information and guidance as necessary? | This question seeks to find out if staff are appropriately aware of which impact assessments are required, on what basis, and under what conditions or criteria. Training is available on Pathways for assessments including EQIA (Equality Impact Assessments) and CRWIA (Child Rights and Wellbeing Impact Assessment). | ||
14. Review |
|||
14.1 How confident are you about the robustness of your arrangements for reviewing and improving the effectiveness and efficiency of controls in your area, and are you satisfied that controls in your area support your objectives? |
Yes/No |
You should be reviewing internal controls in your area at appropriate points in time e.g., when processes change, or operational shortcomings come to light.
Has anything happened during the course of the financial year that has raised questions about the controls that you have in place? E.g., has the running of the regular financial monitoring exercises suggested any shortcomings? Have there been any particular queries that may lead to doubts about how the controls are operating?
(Guidance on internal controls is provided in the main section of the SPFM on Certificates of Assurance.) |
|
14.2 How confident are you that you have a comprehensive picture (e.g., through an Assurance Map) of the sources of evidence underpinning your assessment of controls? |
Yes/No |
You should be reviewing internal controls in your area at appropriate points in time e.g., when processes change, or operational shortcomings come to light.
Has anything happened during the course of the financial year that has raised questions about the controls that you have in place? E.g., has the running of the regular financial monitoring exercises suggested any shortcomings? Have there been any particular queries that may lead to doubts about how the controls are operating?
(Guidance on internal controls is provided in the main section of the SPFM on Certificates of Assurance.) |
|
14.3 Where objectives, risks and controls in your area have been subject to independent review, how confident are you that recommendations arising from these reviews have been acted on in a timely fashion? |
Yes/No |
You should provide details of any key weaknesses identified and the steps taken to resolve these. How confident are you that you and your staff are sufficiently aware of the types of independent review (e.g., Internal Audit, independent assurance and Gateway Review, ICT Assurance Review, Digital Scotland Service Standard, review by external consultants) to support your assurance, and of how to access them? |
|
14.4 Based on the assurances you have of whether your objectives, risk management and internal controls are being met and operating successfully, are there any key areas that would benefit from independent review? |
Yes/No | ||
15. Other Issues |
|||
15.1 Apart from the issues raised above, are there any significant control matters or contentious issues arising in your area which could impact or adversely affect the signing of the Scottish Government Governance Statement by the Perm Secretary? | Yes/No | Provide here details of any other control problems, specific to your area of responsibility, which you have encountered during the year. |
Page updated: February 2024