Certificates of Assurance: Annex 2

INTERNAL CONTROL CHECKLIST

 

The contents of the internal control checklist are as follows:

Section

1. Risk Management
2. Business Planning
3. Major Investment
4. Project Management
5. Financial Management
6. Fraud
7. Procurement
8. Human Resources
9. Equality
10. Information
11. Health & Safety
12. Sponsored Bodies
13. Compliance
14. Review
15. Other

ISSUE | RESPONSE | DETAILS, INCLUDING REVIEW WORK YOU HAVE CARRIED OUT TO VERIFY RESPONSE (MANDATORY) | GUIDANCE NOTE (WHERE APPLICABLE)

1. Risk Management

     

1.1 Do you have in place processes that seek to identify and record key business risks (linked to business objectives and targets) on an on-going basis?

Yes / No

 

This relates to the use of a structured process to manage business risk in line with the SPFM.  This will be one that ensures the right people are involved in the process, and that each stage in the process is being actively recorded and managed.  It will also be one that revisits the issues periodically to ensure that the assessments reflect current risks. An example of a structured process would be the maintenance of risk registers at divisional / branch / project level as considered appropriate.

(Guidance on the SG Approach to Risk Management is available on the Intranet.  Information to help with this can be found in the Delivery Essentials. General guidance is through Risk Management on the SPFM.)

1.2 Is there a systematic approach to identify and prioritise risks and match them with effective resources?

Yes / No

 

1.3 Is risk management actively supported and promoted by branch heads and team leaders?

Yes / No

 

1.4 Do you receive reports on the management of key risks and control actions taken?

Yes / No

 

1.5 Has appropriate consideration been given to business continuity and disaster recovery for key systems (including ICT) upon which your operations depend?

Yes / No

 

Local response to the possible loss of corporate functions (e.g. SCOTS, SEAS, EASEbuy, accommodation) might be considered in the context of divisional risk management procedures. Where local systems are in operation, including but not exclusively ICT systems, the Division has a responsibility to ensure that consideration has been given to continuity and recovery e.g. back-up discs.  Out-stations may have arrangements with local businesses in event of loss of facilities.

(ISIS guidance on Business Continuity is available on the Intranet.)

2. Business Planning

     

2.1 Does your area have clear business objectives and outcomes which clearly contribute to the achievement of higher level objectives and outcomes, including your divisional plan, and have they been translated into measurable targets against which performance and progress are measured?

Yes / No

 

Your business objectives / SMART targets should be reflected in the Divisional Plan and performance appraisal forms at all levels.

 

Plans should be linked to the Business Strategy through the Directorate Planning process.

 

2.2 Have new and/or radically changed work programmes been referred to Finance, Procurement and/or Internal Audit for advice?

Yes / No

 

New initiatives or spend, or changed systems should normally be discussed with Finance, Procurement and Internal Audit colleagues before proposals are finalised.

In terms of undertaking change, the Improvement Framework is one of the main mechanisms underpinning the Scottish Government’s approach to Public Service Reform. Further guidance can be provided through the Leading Improvement Team.

(Guidance on the Role of Finance is available on the Intranet. General guidance on Procurement and Internal Audit is available in the SPFM.)

2.3 In developing targets, does the area identify performance measures which take account of inputs, outputs and outcomes?

Yes / No

 

This question seeks to find out if the relationship between inputs, outputs and outcomes is being applied in developing performance measures.

(Guidance on Performance Management is available on the Intranet)

2.4 Do you regularly receive timely, relevant and reliable reports on progress against targets and take corrective action where necessary?

Yes / No

 

This could take the form of regular reports prepared for consideration at progress meetings or updates provided in the context of regular meetings with managers.  Corrective action might involve the reallocation of resources (budgets and staff) and the reordering of priorities.

3. Major Investment

     

3.1 Has your area been responsible for delivering one or more major investment projects during the past financial year?  (If not, please ignore the other questions in this section)

Yes / No

 

Major investment projects are defined in the Major Investment Projects section of the SPFM. All Major Investment Projects must adhere to this guidance.  The key principles should be adopted in relation to all investment projects.

3.2 Do / did your project’s governance arrangements align with the Scottish Government’s strategic and sector specific governance procedures?

Yes / No

 

Relevant procedures include the following requirements:

  • Putting arrangements in place to address each of the SG’s Programme and Project Management (PPM) Principles.  Information to help with this can be found in Delivery Essentials.
  • Ensuring that people appointed to positions within the project’s governance and management structure have the skills, experience and knowledge necessary to fulfil their role.
  • Registering the project on the SG’s Infrastructure Projects Database if it has reached Outline Business Case stage and has a capital budget of £5M+ (inclusive of VAT).
  • Complying with the guidance in the Construction Procurement Manual - if a construction project.
  • For Health Sector projects, complying with the guidance in the NHS Scotland Scottish Capital Investment Manual.
  • Complying with the guidance for delivering ICT enabled projects.

3.3 Have you assessed your project(s) in line with the SG’s assurance procedures and engaged with the appropriate assurance process?

 

Yes / No

 

Relevant procedures include the following requirements:

  • Completing the Risk Potential Assessment Forms to determine the potential complexity of your project(s).
  • Contacting the SG’s PPM Centre of Expertise - if the project is assessed as potentially Medium or High risk.
  • Contacting the Scottish Futures Trust if the project has a budget of £20M+ (inclusive of VAT), or regardless of budget if the project is of critical importance / unusual scale or nature to the buying organisation.

3.4 Have you appraised your project(s) in accordance with the SG’s guidance and complied with the SG’s procurement guidance?

 

Yes / No

 

Projects must be appraised in accordance with the Appraisal & Evaluation section of the SPFM.  You must also be able to demonstrate compliance with the Procurement Section of the SPFM and the Construction Procurement Manual - if a construction project.

3.5 Have you put all necessary arrangements in place to assess the realisation of benefits and capture lessons from the delivery of your project(s)?

 

Yes / No

 

Necessary arrangements include:

  • Capturing lessons learned to share knowledge with other projects - Lessons Learned Templates
  • Conducting a Post Implementation Review for your project(s).
  • Planning and undertaking a Post Project Evaluation for construction projects.
  • Planning and undertaking a Post Occupancy Evaluation for projects that deliver a building (e.g. an office, hospital, school).

4. Project Management

     

4.1 Has your area been responsible for delivering one or more projects - other than major investment projects – during the past financial year?

Yes / No

 

Projects covered in this section include non-capital projects such as policy delivery projects, business change projects or investment projects that would not meet the definition of major investment in the SPFM.

4.2 Did / does your project’s governance and process align with the SG’s strategic and sector specific procedures?

 

Yes / No

 

Arrangements must be put in place to address each of the SG’s PPM Principles.  Information to help with this can be found in the Delivery Essentials.

The general principles set out in the Major Investment Projects section of the SPFM should be applied, as appropriate, to all investment projects.

5. Financial Management

     

5.1 Do you ensure that your Finance Business Partner (or equivalent) and, as necessary, Internal Audit Division is involved at the earliest possible stage in the preparation of all policy proposals etc which may have resource, control or other finance related implications and that they are kept informed of developments?

(Finance should also be consulted on any novel or contentious spending proposal and any matter which includes issues of financial propriety and regularity.)

Yes / No

 

Guidance on the Role Of Finance is available on the Intranet.  The need to involve Finance might also be included in induction material and local desk instructions.

5.2 Do you have procedural instructions, cleared with Finance, about how financial matters are handled within the area, drawing as appropriate from the key principles of the SPFM?

Yes / No

 

Local desk instructions should be in place covering the arrangements for entering into commitments and for approving and processing the resultant payments – and ensuring adequate separation of duties.  Desk instructions may also cover other matters such as delegated authorities, budget monitoring procedures and the requirement to consult Finance on all proposals that may have resource or other finance related implications.

5.3 Do you have in place processes for regular monitoring of compliance with these instructions?

Yes / No

 

Monitoring of compliance might be achieved by regular management checks and the consideration of financial matters at regular meetings with your managers.

5.4 Do you delegate financial authority to staff at appropriate levels?

Yes / No

 

Delegated financial authority (i.e. where members of your staff have full responsibility for budgets and take decisions without having to refer upwards) will not be appropriate in many Divisions but where it is you should provide details of the broad arrangements e.g. set out in desk instructions, financial responsibility statements. This is separate from Delegated Purchasing Authority (DPA).  The authority required to make and authorise payments etc within SEAS and the authority to purchase in EASEbuy are also separate authorities.

(General guidance on Delegated Authority is available in the SPFM. Guidance on the SG Scheme of Delegation is available on the Intranet.)

5.5 Is there adequate separation of duties where required (e.g. authorising and processing payments and receipts, awarding grants)?

Yes / No

 

Again this is separate from the authority required to make and authorise payments etc within SEAS or to purchase within EASEbuy. There may be concerns (e.g. within small units) where the rules on separation of duties cannot practically be achieved. In such circumstances the response should relate to whether the local arrangements (e.g. compensating controls) agreed with Finance are working satisfactorily.

(The requirement for appropriate separation of duties is included in a number of sections of the SPFM, notably those covering Expenditure and Payments and Income Receivable & Receipts.)

5.6 Are staff with financial duties aware of - and adequately trained to discharge - their responsibilities in that regard?

Yes / No

 

This covers all staff involved in the financial process. The amount of knowledge and training does, of course, need to be related to the part played by the individual in the financial process. Individual duties might be covered in desk instructions.

5.7 Do you have arrangements to ensure that all assets for which the area is responsible are properly managed and safeguarded (e.g. against unauthorised use or disposal)?

Yes / No

 

Only assets for which the area is responsible need to be considered here. This will include those assets on a locally maintained inventory of valuable and attractive items.

(Guidance on Management of Assets, Disposal of Property and Fraud is available in the SPFM.)

5.8 Do you have procedures for ensuring that proper and accurate accounting records are maintained and entries in them are properly authorised?

Yes / No

 

The response to this question needs to reflect both the provision of information needed for accounting purposes (e.g. the proper and timely entry of data into SEAS and/or EASEbuy) and for cash management purposes. The response should also take into account the controls in place within your area to ensure that only authorised personnel have access to the SEAS system.

(Guidance on SEAS and EASEbuy is available on the Intranet.)

5.9 Do you have measures in place to monitor the security and accuracy of financial information?

Yes / No

 

The response should reflect the measures that you have in place to ensure that the SEAS and EASEbuy (or any other financial) system contains accurate and up to date information. Measures might include periodic or regular management checks.

5.10 Do you have procedures in place for monitoring and reviewing those budgets for which you are responsible?

Yes / No

 

This question deals with the local arrangements within the area for monitoring and reviewing the administration cost and programme budgets.  These might be linked to re-profiling exercises run by Finance. (Guidance on Budget and Financial Management is available on the Intranet.)

5.11 Are agreed budget plans documented and disseminated within your area?

Yes / No

 

The review of the regular financial reports needs to take account of both the review internally within the area as well as external reporting of outcomes and any remedial action required.

5.12 Do you regularly review internal financial reports which report actual against budget outturn and discuss progress with your Director or equivalent?

Yes / No

 

You will wish to consider here the mechanisms in place for communicating budgetary information both at the beginning of the year and changes made in-year whether at the time of formal monthly or quarterly reviews or at other times. This would also cover the transfer of funds between one area and another or between the centre and your area.

5.13 Do you ensure that the State Aid Unit is consulted on all proposals that may have state aid implications?

Yes / No

 

Guidance on the EC State Aid Rules is included in the SPFM. More detailed guidance is available from the State Aid Unit.

5.14 Do you ensure that any grant proposals and payments follow the relevant guidance in the SPFM?

Yes / No

 

The section of the SPFM on Grant & Grant in Aid includes references to checklists covering the grant proposal, application and assessment processes and a Model Offer and Conditions of Grant document.  There is a separate Offer of Grant document for use in relation to grant funding provided to voluntary bodies to assist with their operational costs.

5.15 Is the number of staff authorised and trained to act as EASEbuy approvers consistent with your Division’s needs?

Yes/No

 

Staff who are authorised as EASEbuy approvers need to recognise the importance of the financial information being entered correctly. The amount of knowledge and training does, of course, need to be related to the part played by the individual in the financial process. Individual duties might be covered in desk instructions. Details of available training are provided on the Finance Training homepage.

5.16 Do you ensure that staff with Government Procurement Cards (GPCs) are fully trained to discharge their responsibilities and that there are processes to monitor compliance?

Yes/No

 

Monitoring of compliance might be achieved by regular management checks and the consideration of financial matters at regular meetings with your managers.

(Guidance on GPC is available on the Intranet.)

5.17 Do you ensure that staff are complying with the Purchase to Pay process to meet the 10 day payment commitment?

Yes/No

 

Relevant guidance in the Purchase to Pay section of the intranet must be brought to the attention of staff periodically and/or in reviewing training requirements.

6. Fraud

     

6.1 Are operational managers and other members of staff within your area aware of their responsibilities as set out in the Scottish Government Fraud Policy Statement?

Yes / No

 

Relevant guidance in the section on Fraud in the SPFM might be brought to the attention of staff periodically and / or in induction material.

6.2 Are any cases of suspected fraud within your area dealt with in accordance with the Scottish Government Fraud Response Plan?

Yes / No

 

Unless separate prescribed procedures are in place any suspicion of fraud (internal or external) should be reported to the SG Fraud Response Team.

7. Procurement

     

7.1 Do you ensure that the Scottish Procurement and Commercial Directorate (SPCD) is consulted from the earliest possible stage on any proposals that may involve procurement activity?

Yes / No

 

Guidance on the role of the Scottish Procurement and Commercial Directorate (SPCD), guidance on Buying Goods, Services or Works and the Security Questionnaire is available on the Intranet.  The need to consult SPCD might be included in induction material and local desk instructions.

SPCD must be consulted on any novel or contentious spending proposal and any matter which includes issues of procurement propriety or regularity.

7.2 Do you have staff with Delegated Purchasing Authority (DPA) at appropriate levels?

Yes / No

 

DPA is the authority to enter into a contract for goods, services and works and oversee the process leading up to and including the award of a contract and any subsequent contract changes. This is separate from financial authority and the authority to make purchases on EASEbuy.

(Guidance on DPA is available on the Intranet).

7.3 Is all procurement activity within your area undertaken in accordance with the Procurement section of the SPFM?

 

Yes / No

 

Management checks on sample contracts / purchases should be carried out to ensure compliance with the relevant guidance.

See the Procurement section of the SPFM and the specific guidance on the operation of the Government Procurement Card and the EASEbuy System.

7.4 Does your area’s use of external consultants comply with the Scottish Government Consultancy Procedures?

Yes/No

 

Contracts for consultancy of up to £10K in value need to be approved at Deputy Director level.  Consultancy contracts between £10K and £50K need to be approved at Director General level. Consultancy contracts above £50K must be authorised by the Cabinet Secretary for Infrastructure, Investment and Cities, and the Cabinet Secretary for Finance, Employment and Sustainable Growth. If there have been no such cases during the period then just say so.

Consultancy expenditure must be coded against the account codes stated in the Consultancy Procedures.

7.5 Does your area maintain and report appropriate procurement management information including a contract register?

Yes/No

 

A contract register is required for all contracts for goods, services and works that have been placed in your area during the financial year.  This is a key requirement as it underpins sound financial and contractual governance.

(Guidance on maintaining a contract register is available on the Intranet).

8. Human Resources

     

8.1 Are staff aware of their responsibilities?

Yes / No

 

Awareness would normally be achieved through job specifications/descriptions, monthly conversations and, where appropriate, formal delegations.

8.2 Do you have adequate procedures for disseminating guidance and instructions?

Yes / No

 

This could be achieved through e-mail and divisional / team meetings and monthly conversations.

8.3 Do you adhere to the corporate procedures re recruitment / induction; Personal Learning Plans and training provision; and absence management,  FWH, T&S and overtime?

 

Yes / No

 

You should be able to confirm that a divisional Induction Pack is in place and that the Division adheres to relevant guidance on recruitment, absence management (including “back to work” interviews), FWH, T&S and mandatory monthly conversations.

(Guidance on Induction and eHR is available on the Intranet.)

8.4 Do people in the area (and any providers of out-sourced services) have the knowledge, skills and tools to support the achievement of directorate objectives and to manage effectively risks to their achievement?

Yes / No

 

This question relates to the responsibility to create conditions for consistently good people management, engagement and development.  See link to Business Strategy,  People Strategy and Capability Plan.

You should be able to confirm that you have effective processes to identify, address and evaluate capability needs.  This might be informed by PLPs, a Divisional Learning/Capability Plan or the ‘how’ part of the Directorate Plan and supported by an active and valued learning & development structure.

9. Equality and Diversity

     

9.1 Are policies/activities in your area assessed for their impact on equality groups (as required by legislation)?

Yes / No

 

This question relates to the SG’s responsibilities under the statutory public sector equality duties. You are expected to ensure that policies and activities in your area are assessed for their impact on equality.

9.2 Are support structures in place to enable staff to undertake and complete impact assessments?

Yes / No

 

You will want to consider what steps you have taken to ensure that your staff are able to and do use the SG's equality impact assessment guidance and toolkit. You will also want to consider what kind of support you are providing for your staff so that they are able to undertake and complete this process successfully.

9.3 Do you have procedures in place to ensure that equality impact assessments have been completed for all relevant policies/activities?

Yes / No

 

The Equality Impact Assessment Tool is available to all staff via the Intranet.

9.4 Do you ensure that all staff objectives take account of the mainstreaming diversity agenda?

Yes / No

 

All staff are required to have a Diversity Objective as part of the annual performance appraisal process. Examples of appropriate objectives are available on the Intranet.

10. Information

     
       

10.1 Does your area expressly track information risks across the lifetime of your information assets?

Yes / No

 

SG policies and guidance on Information Risk are available on the Intranet.  Compliance with this guidance ensures the SG fulfils its obligations to meet centrally prescribed information assurance standards and requirements, e.g. Cabinet Office’s Security Policy Framework (SPF), and ISO 27000 series.

10.2 Can you confirm that information risk assessments have been carried out for all information assets?

Yes / No

 

Information risk assessments should be carried out in relation to the correct classification of information assets; the restriction of access to information as appropriate; the training of staff in handling sensitive information; the purposes and management of processing of personal data; the impacts of loss or corruption of information; and so on. Such risk assessments should extend to procurements and shared services initiatives, and to all delivery partners, suppliers and contractors.  Management and monitoring of supplier security and information assurance arrangements must take place.

10.3 Are all significant roles in respect of information risk and personal data manned?

Yes / No

 

TORs for the mandatory roles defined within the SPF in respect of managing information risk and personal data (including Senior Information Risk Owner (SIRO), Information Asset Owners (IAOs) and, where appropriate, Information Management Support Officers (IMSOs)) are in place, staff are available to discharge these roles and have undergone or are undergoing appropriate training.

10.4 Are access control mechanisms in place for each system?

Yes / No

 

Access control mechanisms for each system are documented by IAOs. Control Mechanisms are in place for physical access and access to information.

10.5 Do you have processes in place for dealing with breaches of security / data handling incidents?

Yes / No

 

Process is in place to report, manage and recover from information risk incidents.   Lessons have been learnt, and shared, from incidents (if any). Local managers have a responsibility to ensure that staff are aware of and comply with the relevant guidance, to initiate checks where non-compliance is suspected and to monitor suppliers.  Managers have a responsibility to ensure that all suppliers are aware of their responsibilities to safeguard Government information.

10.6 Have there been any breaches of security / data handling incidents during the financial year?

Yes / No

   

11. Health & Safety

     

11.1 Do you have appointed and trained health and safety duty holders to cover your area?

Yes / No

 

Duty holders (such as Health and Safety Liaison Officers (HSLOs), First Aiders, Fire Precautions Officers (where appropriate) and Fire Marshals) perform key health and safety functions which help managers discharge their own responsibilities.

11.2 Has the Risk Assessment procedure been implemented and reviewed as required within your area to ensure that significant risks are adequately controlled?

Yes / No

 

Risk Assessment Teams (appointed by Deputy Directors) to:

  • review and amend generic risk assessments, and generate new assessments as required
  • communicate findings to all affected staff
  • keep assessments under review

11.3 Do HSLOs in your area complete quarterly reports?

Yes / No

HSLOs should complete Quarterly Workplace Inspections in February, May, August and November which provide information on their performance against key health and safety tasks from the Health and Safety Management System.

12. Sponsored Bodies

     

12.1 Is your area responsible for sponsoring any NDPBs or other bodies? (If not, please ignore the other questions in this section.)

Yes / No

 

Guidance can be found in the NDPB Sponsorship Guidance Notes.

 

12.2 Is there an up to date framework document in place for each of your sponsored bodies, with appropriate arrangements in place to monitor adherence to the framework document?

 

Yes / No

 

You should be in a position to confirm that these are finalised or otherwise, that they are up to date, and were subject to proper consultation (including with your Finance Business Partner (or equivalent) and Internal Audit Division). Details of the steps taken to monitor these areas should also be provided. Guidance on the role of the sponsoring team is set out in the model framework document for Executive NDPBs and is provided at Annex 3 of the SPFM section on Accountability.

12.3 Do the operations, business planning and objectives of the public body align to the Scottish Government’s Purpose and the National Outcomes?

 

Yes / No

 

Processes such as the Corporate Plan, Business Plan, and Framework Document should be in place to enable the sponsor team to develop a shared understanding of the joint priorities over the medium term to contribute towards delivery of the National Outcomes, and to ensure that individual bodies’ corporate communications and engagement strategies fully reflect these.

Further guidance on corporate and business plans can be found at Paragraphs 28, 29 of the  model framework document for Executive NDPBs at Annex 3 of the section of the SPFM on Accountability.

12.4 Do your sponsored bodies have a well communicated fraud policy statement, an up-to-date fraud response plan and effective avenues for reporting suspicions of fraud?

Yes / No

 

Processes should be in place to ensure that policies for counter-fraud are consistent with SG guidance, including a review of current counter fraud activity, whilst ensuring robust reporting procedures have been adopted by sponsored bodies.

 

Further information can be found in the Fraud section of the SPFM and the SG Counter Fraud Strategy, Policy and Response Plan.

12.5 Do your sponsored bodies maintain accurate records detailing contracts awarded, performance of contracts and anticipating future contracting activity?

Yes / No

 

Check there are systems in place to accurately record levels of procurement activity, maintained to meet appropriate levels of the organisation’s spend. Assurance should be sought to ensure Scottish Procurement agree to procurement improvement plans.

 

Further guidance can be found in the Procurement section of the SPFM.

12.6 Are you satisfied that business cases for shared service options are assessed before plans to invest in corporate ICT systems proceed by your sponsored bodies?

 

Yes / No

 

Systems should be in place to ensure all business cases are assessed.

Any proposals for IT investment over £1 million should be ratified through the Information Systems Investment Board.

Further advice can be found in the Central Government ICT Projects and Programmes Assurance Framework

12.7 Do your sponsored bodies have a workforce plan in place?

Do your sponsored bodies measure levels of employee engagement and take action in response?

 

Yes / No

 

Ensure that, if there is a workforce plan in place, staffing baselines/projections, turnover/vacancy assumptions, skills needs and succession planning are covered in this plan.

 

Check the mechanisms your sponsored body undertakes e.g. staff survey to measure levels of employee engagement.

12.8 Do your sponsored bodies have arrangements in place to ensure compliance with the Code of Practice for Ministerial Appointments to Public Bodies in Scotland?

Yes / No

 

Ensure that your sponsored body works with sponsor teams and PACE to ensure appointment rounds and other appointment activity are conducted in line with the Code of Practice for Ministerial Appointments to Public Bodies in Scotland.

 

Further guidance can be found in the NDPB Sponsorship Guidance Notes

12.9 Are you satisfied your sponsored body has an up to date publication scheme and that it is sufficiently open and proactive in publishing information of interest to its stakeholders?

Ensure that policies have been adopted for open and proactive publication of relevant information, consistent with the Scottish Government’s policy of promoting openness and transparency.

 

13. Compliance

     

13.1 Do you have processes in place to ensure compliance with applicable existing, new and updated policies, procedures, laws and regulations – including those referred to separately in this Checklist e.g. the SPFM?

Yes / No

 

Processes might refer to desk instructions, local checklists, retention schedules and/or periodic management checks e.g. relating to the existence of statutory authority for expenditure and the holding / provision of information under the Data Protection and Freedom of Information Acts. The level of response should reflect the work of the Division.

(Guidance on Data Protection responsibilities and FOI is available on the Intranet.)

13.2 Do you have appropriate arrangements in place to ensure staff are appropriately trained and supported to handle FOI and EIR requests in line with legislative requirements?

Yes / No

   
13.3 Are your staff appropriately trained and aware of their Data Protection and information security responsibilities?

Yes / No

All staff should have successfully completed the annual DPA eLearning and Protecting Information eLearning packages. They should have read and understood the relevant policies and guidance (such as DPA, IT Code of Conduct, Records Management). Local procedures should be in place and all staff should be aware of how to handle requests for personal data including Subject Access Requests as well as those made by 3rd parties and sharing agreements. (Guidance can be found on the Intranet: Subject Access Requests; IT Code of Conduct; Data Protection.)

14. Review

     

14.1 Do you review regularly (at least annually) the effectiveness and efficiency of internal controls in your area?

 

Yes / No

 

You should be reviewing internal controls in your area at appropriate points in time e.g. when processes change or operational shortcomings come to light.

Has anything happened during the course of the financial year that has raised questions about the controls that you have in place? E.g. has the running of the regular financial monitoring exercises suggested any shortcomings? Have there been any particular queries that may lead to doubts about how the controls are operating?

(Guidance on internal controls is provided in the main section of the SPFM on Certificates of Assurance.)

14.2 Have you taken action to improve controls?

Yes / No

 

14.3 Have controls and risks in your area been subject to independent review (e.g.  by Internal Audit) in the course of the year?

Yes / No

 

You should provide details of any key weaknesses identified and the steps taken to resolve these.

14.4 Has appropriate action been taken to implement agreed recommendations resulting from such reviews?

Yes / No

 

15. Other Issues

     

15.1 Apart from the issues raised above, are there any significant control matters arising in your area which could adversely affect the signing of the SG’s Governance Statement by the Perm Sec?

Yes / No

 

Provide here details of any other control problems, specific to your area of responsibility, which you have encountered during the year.