Certificates of Assurance: Annex 2

INTERNAL CONTROL CHECKLIST

The contents of the internal control checklist are as follows:

1. Risk Management
2. Business Planning
3. Major Investment
4. Project Management
5. Financial Management
6. Fraud
7. Procurement
8. Human Resources
9. Equality
10. Information
11. Health & Safety
12. Sponsored Bodies
13. Compliance
14. Review
15. Other

Each item in the checklist has four columns: ISSUE; RESPONSE; DETAILS, INCLUDING REVIEW WORK YOU HAVE CARRIED OUT TO VERIFY RESPONSE (MANDATORY); and GUIDANCE NOTE (WHERE APPLICABLE).

1. Risk Management

1.1 Do you have in place processes that seek to identify and record key business risks (linked to business objectives and targets) on an on-going basis?

Yes / No

This relates to the use of a structured process to manage business risk in line with the SPFM. This will be one that ensures the right people are involved in the process, and that each stage in the process is being actively recorded and managed. It will also be one that revisits the issues periodically to ensure that the assessments reflect current risks. An example of a structured process would be the maintenance of risk registers at divisional / branch / project level as considered appropriate.

(Guidance on Risk Management is available in the SPFM.)

1.2 Have these risks been evaluated and prioritised?

Yes / No

1.3 Has the management of each risk been allocated to a relevant manager?

Yes / No

1.4 Do you receive reports on the management of key risks and control actions taken?

Yes / No

1.5 Has appropriate consideration been given to business continuity and disaster recovery for key systems (including ICT) upon which your operations depend?

Yes / No

Local response to the possible loss of corporate functions (e.g. SCOTS, SEAS, EASEbuy, accommodation) might be considered in the context of divisional risk management procedures. Where local systems are in operation, including but not exclusively ICT systems, the Division has a responsibility to ensure that consideration has been given to continuity and recovery e.g. back-up discs. Out-stations may have arrangements with local businesses in event of loss of facilities.

(Guidance on Business Continuity is available on the Intranet.)

2. Business Planning

2.1 Does your area have clear business objectives and outcomes which contribute to the achievement of higher level objectives and outcomes, and have they been translated into measurable targets against which performance and progress are measured?

Yes / No

Your business objectives / SMART targets should be reflected in the Divisional Plan and performance appraisal forms at all levels.

(Guidance on the Business Planning Tool is available on the Intranet)

2.2 Have new and/or radically changed work programmes been referred to Finance, Procurement and/or Internal Audit for advice?

Yes / No

New initiatives or changed systems should normally be referred thus.

(Guidance on the Role of Finance is available on the Intranet. Guidance on Procurement and Internal Audit is available in the SPFM.)

2.3 In developing targets, does the area identify performance measures which take account of inputs, outputs and outcomes?

Yes / No

This question seeks to find out if the relationship between inputs, outputs and outcomes is being applied in developing performance measures.

(Guidance on Business Planning and Performance Management is available on the Intranet)

2.4 Do you regularly receive timely, relevant and reliable reports on progress against targets and take corrective action where necessary?

Yes / No

This could take the form of regular reports prepared for consideration at progress meetings or updates provided in the context of regular meetings with managers. Corrective action might involve the reallocation of resources (budgets and staff) and the reordering of priorities.

3. Major Investment

3.1 Has your area been responsible for delivering one or more Major Investment Projects during the past financial year? (If not, please ignore the other questions in this section)

Yes / No

Major Investment Projects are defined in the Major Investment section of the SPFM. All Major Investment Projects must adhere to this guidance.

3.2 Do / did your project's governance arrangements align with the Scottish Government's (SG's) strategic and sector specific governance procedures?

Yes / No

Relevant procedures include the following requirements:

  • Putting arrangements in place to address each of the SG's Project and Programme Management (PPM) Principles.
  • Ensuring that people appointed to positions within the project's governance and management structure have the skills, experience and knowledge necessary to fulfil their role.
  • Registering the project on the SG's Infrastructure Projects Database if it has reached Outline Business Case state and has a capital budget of £5M+ (inclusive of VAT).
  • Complying with the guidance in the Construction Procurement Manual - if a construction project.
  • For Health Sector projects, complying with the guidance in the NHS Scotland Scottish Capital Investment Manual.
  • Complying with the guidance on the Intranet for delivering ICT enabled projects.

3.3 Have you assessed your project(s) in line with the SG's assurance procedures and engaged with the appropriate assurance process?

Yes / No

Relevant procedures include the following requirements:

  • Completing the SG's Risk Potential Assessment Forms to determine the potential complexity of your project(s).
  • Contacting the SG's PPM Centre of Expertise - if the project is assessed as potentially High risk.
  • Contacting the Scottish Futures Trust if the project has a budget of £20M+ (inclusive of VAT), or regardless of budget if the project is of critical importance / unusual scale or nature to the buying organisation.

3.4 Have you appraised your project(s) in accordance with the SG's guidance and complied with the SG's procurement guidance?

Yes / No

Projects must be appraised in accordance with the Appraisal & Evaluation section of the SPFM. You must also be able to demonstrate compliance with the Procurement Section of the SPFM and the Construction Procurement Manual - if a construction project.

3.5 Have you put all necessary arrangements in place to assess the realisation of benefits and capture lessons from the delivery of your project(s)?

Yes / No

Necessary arrangements include:

  • Conducting a Post Implementation Review for your project(s).
  • Planning and undertaking a Post Project Evaluation for construction projects.
  • Planning and undertaking a Post Occupancy Evaluation for projects that deliver a building (e.g. an office, hospital, school).

4. Project Management

4.1 Has your area been responsible for delivering one or more projects - other than major investment projects - during the past financial year?

Yes / No

Projects covered in this section include non-capital projects such as policy delivery projects, business change projects or investment projects that would not meet the definition of major investment in the SPFM.

4.2 Did / does your project's governance and process align with the SG's strategic and sector specific procedures?

Yes / No

Arrangements must be put in place to address each of the SG's PPM Principles. The general principles set out in the Major Investment section of the SPFM should be applied, as appropriate, to all investment projects.

5. Financial Management

5.1 Do you ensure that your Finance Business Partner (or equivalent) and, as necessary, Internal Audit Division is involved at the earliest possible stage in the preparation of all policy proposals etc which may have resource, control or other finance related implications and that they are kept informed of developments?

(Finance should also be consulted on any novel or contentious spending proposal and any matter which includes issues of financial propriety and regularity.)

Yes / No

Guidance on the Role of Finance is available on the Intranet. The need to involve Finance might also be included in induction material and local desk instructions.

5.2 Do you have procedural instructions, cleared with Finance, about how financial matters are handled within the area, drawing as appropriate from the key principles of the SPFM?

Yes / No

Local desk instructions should be in place covering the arrangements for entering into commitments and for approving and processing the resultant payments - and ensuring adequate separation of duties. Desk instructions may also cover other matters such as delegated authorities, budget monitoring procedures and the requirement to consult Finance on all proposals that may have resource or other finance related implications.

5.3 Do you have in place processes for regular monitoring of compliance with these instructions?

Yes / No

Monitoring of compliance might be achieved by regular management checks and the consideration of financial matters at regular meetings with your managers.

5.4 Do you delegate financial authority to staff at appropriate levels?

Yes / No

Delegated financial authority (i.e. where members of your staff have full responsibility for budgets and take decisions without having to refer upwards) will not be appropriate in many Divisions but where it is you should provide details of the broad arrangements e.g. set out in desk instructions, financial responsibility statements. This is separate from Delegated Purchasing Authority (DPA). The authority required to make and authorise payments etc within SEAS and the authority to purchase in EASEbuy are also separate authorities.

(General guidance on Delegated Authority is available in the SPFM. Guidance on the SG Scheme of Delegation is available on the Intranet.)

5.5 Is there adequate separation of duties where required (e.g. authorising and processing payments and receipts, awarding grants)?

Yes / No

Again this is separate from the authority required to make and authorise payments etc within SEAS or to purchase within EASEbuy. There may be concerns (e.g. within small units) where the rules on separation of duties cannot practically be achieved. In such circumstances the response should relate to whether the local arrangements (e.g. compensating controls) agreed with Finance are working satisfactorily.

(The requirement for appropriate separation of duties is included in a number of sections of the SPFM, notably those covering Expenditure and Payments and Income Receivable & Receipts.)

5.6 Are staff with financial duties aware of - and adequately trained to discharge - their responsibilities in that regard?

Yes / No

This covers all staff involved in the financial process. The amount of knowledge and training does, of course, need to be related to the part played by the individual in the financial process. Individual duties might be covered in desk instructions.

5.7 Do you have arrangements to ensure that all assets for which the area is responsible are properly managed and safeguarded (e.g. against unauthorised use or disposal)?

Yes / No

Only assets for which the area is responsible need to be considered here. This will include those assets on a locally maintained inventory of valuable and attractive items.

(Guidance on Management of Assets, Disposal of Property and Fraud is available in the SPFM.)

5.8 Do you have procedures for ensuring that proper and accurate accounting records are maintained and entries in them are properly authorised?

Yes / No

The response to this question needs to reflect both the provision of information needed for accounting purposes (e.g. the proper and timely entry of data into SEAS and/or EASEbuy) and for cash management purposes. The response should also take into account the controls in place within your area to ensure that only authorised personnel have access to the SEAS system.

(Guidance on SEAS and EASEbuy is available on the Intranet.)

5.9 Do you have measures in place to monitor the security and accuracy of financial information?

Yes / No

The response should reflect the measures that you have in place to ensure that the SEAS and EASEbuy (or any other financial) system contains accurate and up to date information. Measures might include periodic or regular management checks.

5.10 Do you have procedures in place for monitoring and reviewing those budgets for which you are responsible?

Yes / No

This question deals with the local arrangements within the area for monitoring and reviewing the administration cost and programme budgets. These might be linked to re-profiling exercises run by Finance. (Guidance on Budget and Financial Management is available on the Intranet.)

5.11 Are agreed budget plans documented and disseminated within your area?

Yes / No

The review of the regular financial reports needs to take account of both the review internally within the area as well as external reporting of outcomes and any remedial action required.

5.12 Do you regularly review internal financial reports which report actual against budget outturn and discuss progress with your Director or equivalent?

Yes / No

You will wish to consider here the mechanisms in place for communicating budgetary information both at the beginning of the year and changes made in-year whether at the time of formal monthly or quarterly reviews or at other times. This would also cover the transfer of funds between one area and another or between the centre and your area.

5.13 Do you ensure that the State Aid Unit is consulted on all proposals that may have state aid implications?

Yes / No

Guidance on the EC State Aid Rules is included in the SPFM. More detailed guidance is available from the State Aid Unit.

5.14 Do you ensure that any grant proposals and payments follow the relevant guidance in the SPFM?

Yes / No

The section of the SPFM on Grant & Grant in Aid includes references to checklists covering the grant proposal, application and assessment processes and a Model Offer and Conditions of Grant document. There is a separate Offer of Grant document for use in relation to grant funding provided to voluntary bodies to assist with their operational costs.

5.15 Is the EASEbuy structure, in terms of the number of staff authorised and trained to act as approvers, consistent with your Division's needs?

Yes/No

Staff who are authorised as EASEbuy approvers need to recognise the importance of the financial information being entered correctly. The amount of knowledge and training does, of course, need to be related to the part played by the individual in the financial process. Individual duties might be covered in desk instructions.

5.16 Do you ensure that staff with Government Procurement Cards (GPCs) are fully trained to discharge their responsibilities and that there are processes to monitor compliance?

Yes/No

Monitoring of compliance might be achieved by regular management checks and the consideration of financial matters at regular meetings with your managers.

(Guidance on GPC is available on the Intranet.)

5.17 Do you ensure that staff are complying with the Purchase to Pay process to meet the 10 day payment commitment?

Yes/No

Relevant guidance in the Purchase to Pay section of the intranet must be brought to the attention of staff periodically and/or in reviewing training requirements.

6. Fraud

6.1 Are operational managers and other members of staff within your area aware of their responsibilities as set out in the Scottish Government Fraud Policy Statement?

Yes / No

Relevant guidance in the section on Fraud in the SPFM might be brought to the attention of staff periodically and / or in induction material.

6.2 Are any cases of suspected fraud within your area dealt with in accordance with the Scottish Government Fraud Response Plan?

Yes / No

Unless separate prescribed procedures are in place any suspicion of fraud (internal or external) should be reported to the SG Fraud Response Co-ordinator.

7. Procurement

7.1 Do you ensure that the Scottish Procurement and Commercial Directorate (SPCD) is consulted from the earliest possible stage on any proposals that may involve procurement activity?

Yes / No

Guidance on the role of the Scottish Procurement and Commercial Directorate (SPCD) is available on the Intranet. The need to consult SPCD might be included in induction material and local desk instructions.

SPCD must be consulted on any novel or contentious spending proposal and any matter which includes issues of procurement propriety or regularity.

7.2 Do you have staff with Delegated Purchasing Authority (DPA) at appropriate levels?

Yes / No

DPA is the authority to enter into a contract for goods, services and works and oversee the process leading up to and including the award of a contract and any subsequent contract changes. This is separate from financial authority and the authority to make purchases on EASEbuy.

(Guidance on DPA is available on the Intranet).

7.3 Is all procurement activity within your area undertaken in accordance with the Procurement section of the SPFM?

Yes / No

Management checks on sample contracts / purchases should be carried out to ensure compliance with the relevant guidance.

See the Procurement section of the SPFM and the Intranet guidance on the operation of the GPC and EASEbuy.

7.4 Does your area's use of external consultants comply with the Scottish Government Consultancy Procedures?

Yes/No

Contracts for consultancy of up to £10K in value need to be approved at Deputy Director level. Consultancy contracts between £10K and £50K need to be approved at Director General level. Consultancy contracts above £50K must be authorised by the Cabinet Secretary for Infrastructure and Capital Investment on the recommendation of the relevant Director General. If there have been no such cases during the period then just say so.

Consultancy expenditure must be coded against the account codes stated in the Consultancy Procedures.

7.5 Does your area maintain and report appropriate procurement management information including a contract register?

Yes/No

A contract register is required for all contracts for goods, services and works that have been placed in your area during the financial year. This is a key requirement as it underpins sound financial and contractual governance.

(Guidance on maintaining a contract register is available on the Intranet).

8. Human Resources

8.1 Are staff aware of their responsibilities?

Yes / No

Awareness would normally be achieved through job specifications/descriptions and, where appropriate, formal delegations.

8.2 Do you have adequate procedures for disseminating guidance and instructions?

Yes / No

This could be achieved through e-mail and divisional / team meetings.

8.3 Do you adhere to the corporate procedures regarding recruitment / induction; Personal Learning Plans and training provision; and absence management, FWH, T&S and overtime?

Yes / No

You should be able to confirm that a divisional Induction Pack and Learning Plan are in place and that the Division adheres to relevant guidance on the completion of PLPs, absence management, FWH etc.

(Guidance on induction, the Annual Divisional Learning Plan and eHR is available on the Intranet.)

8.4 Do people in the area (and any providers of out-sourced services) have the knowledge, skills and tools to support the achievement of directorate objectives and to manage effectively risks to their achievement?

Yes / No

Internally, the response to this question might be informed by Skills for Success Profiles, PLPs and the Divisional Learning Plan. External assurance might be provided by adherence to relevant procurement guidance and through performance targets and monitoring.

9. Equality and Diversity

9.1 Are key policies/activities in your area assessed for their impact on equality groups (as required by legislation)?

Yes / No

This question relates to the SG's responsibilities under the statutory public sector equality duties. You are expected to ensure that key policies and activities in your area are assessed for their impact on equality.

9.2 Are support structures in place to enable staff to undertake and complete impact assessments?

Yes / No

You will want to consider what steps you have taken to ensure that your staff are able to and do use the SG's equality impact assessment guidance and toolkit. You will also want to consider what kind of support you are providing for your staff so that they are able to undertake and complete this process successfully.

9.3 Do you have procedures in place to ensure that equality impact assessments have been completed for all relevant policies/activities?

Yes / No

The Equality Impact Assessment Tool is available to all staff via the Intranet.

9.4 Do you ensure that all staff objectives take account of the mainstreaming diversity agenda?

Yes / No

All staff are required to have a diversity objective as part of the annual performance appraisal process. Examples of appropriate objectives are available on the Intranet.

10. Information

10.1 Does your area expressly track information risks?

Yes / No

SG policies and guidance on information risk are available on the Intranet. Compliance with this guidance ensures the SG fulfils its obligations to meet centrally prescribed information assurance standards and requirements, e.g. Cabinet Office's Security Policy Framework (SPF), e-services security assurance requirements (including accreditation) and ISO 27000 series.

10.2 Can you confirm that information risk assessments have been carried out?

Yes / No

Information risk assessments should be carried out in relation to the correct protective marking of information assets; the restriction of access to information; the training of staff in handling sensitive information; the scanning of information received in hardcopy format; the purposes and management of processing of personal data; the impacts of loss or corruption of information; and so on. Such risk assessments should extend to all delivery partners and others in the information supply chain.

10.3 Are all significant roles in respect of information risk and personal data manned?

Yes / No

TORs for the mandatory roles defined within the SPF in respect of managing information risk and personal data (including Senior Information Risk Owner (SIRO), Information Asset Owners (IAOs) and, where appropriate, Information Management Support Officers (IMSOs)) are in place, staff are available to discharge these roles and have undergone or are undergoing appropriate training.

10.4 Are access control mechanisms in place for each system?

Yes / No

Access control mechanisms for each system are documented by IAOs.

10.5 Do you have processes in place for dealing with breaches of security / data handling incidents?

Yes / No

A process is in place to report, manage and recover from information risk incidents. Lessons have been learnt, and shared, from incidents (if any). Local managers have a responsibility to ensure that staff are aware of and comply with the relevant guidance and to initiate checks where non-compliance is suspected. Managers have a responsibility to ensure that all suspected or actual information security breaches are reported to IT Security.

10.6 Have there been any breaches of security / data handling incidents during the financial year?

Yes / No

11. Health & Safety

11.1 Does your area have processes in place to ensure compliance with Health and Safety policy?

Yes / No

This could involve ensuring that there is someone with designated responsibility for monitoring processes in your area, and for confirming compliance.

(Guidance on the Health & Safety Management System is available on the Intranet.)

11.2 Have there been any breaches against H&S regulations during the year?

Yes / No

11.3 If you are not operating in a main building, does your area have appropriate emergency procedures in place relating to all office accommodation it occupies?

Yes / No

Are you happy that procedures effectively deal with any potential emergencies?

12. Sponsored Bodies

12.1 Is your area responsible for sponsoring any NDPBs or other bodies? (If no, please ignore the other questions in this section.)

Yes / No

Guidance for sponsor teams is available on the Intranet.

12.2 Is there an up to date framework document in place for each of your sponsored bodies?

Yes / No

You should be in a position to confirm that these are finalised or otherwise, that they are up to date, and that they were subject to proper consultation (including with your Finance Business Partner (or equivalent) and Internal Audit Division).

(A model framework document for executive NDPBs is provided at Annex 3 of the section of the SPFM on Accountability.)

12.3 Do you have appropriate arrangements in place to monitor adherence to the framework document?

Yes / No

You should provide broad details of the steps you take to monitor these areas. Guidance on the role of the sponsoring team is set out in the model framework document for executive NDPBs in the SPFM.

12.4 Are you satisfied that the sponsored bodies have been adhering to the framework document?

Yes / No

12.5 Do you contribute to and/or approve the Corporate Plans and Performance Measures of the sponsored bodies, and review outturn against these measures?

Yes / No

12.6 Are you satisfied with the arrangements adopted by the sponsored bodies with regard to risk management and fraud?

Yes / No

13. Compliance

13.1 Do you have processes in place to ensure compliance with applicable policies, procedures, laws and regulations - including those referred to separately in this Checklist e.g. the SPFM?

Yes / No

Processes might refer to desk instructions, local checklists and/or periodic management checks e.g. relating to the existence of statutory authority for expenditure and the holding / provision of information under the Data Protection and Freedom of Information Acts. The level of response should reflect the work of the Division.

(Guidance on Data Protection and FOI is available on the Intranet.)

14. Review

14.1 Do you review from time to time the effectiveness of internal controls in your area?

Yes / No

You should be reviewing internal controls in your area at appropriate points in time e.g. when processes change or operational shortcomings come to light.

Has anything happened during the course of the financial year that has raised questions about the controls that you have in place? E.g. has the running of the regular financial monitoring exercises suggested any shortcomings? Have there been any particular queries that may lead to doubts about how the controls are operating?

(Guidance on internal controls is provided in the main section of the SPFM on Certificates of Assurance.)

14.2 Have you taken action to improve controls?

Yes / No

14.3 Have controls and risks in your area been subject to independent review (e.g. by Internal Audit) in the course of the year?

Yes / No

You should provide details of any key weaknesses identified and the steps taken to resolve these.

14.4 Has appropriate action been taken to implement agreed recommendations resulting from such reviews?

Yes / No

15. Other Issues

15.1 Apart from the issues raised above, are there any significant control matters arising in your area which could adversely affect the signing of the SIC / Governance Statement?

Yes / No

Provide here details of any significant control problems, specific to your area of responsibility, which you have encountered during the year.



Page updated: Wednesday, July 20, 2011