Visit Scotland | Alba

1. Why have a policy?

Guidance issued by the Scottish Ministers to public bodies like VisitScotland on the proper handling and reporting of public funds includes a requirement to have a policy statement and response plan to address the likelihood of fraud.

2. Introduction

This policy gives guidance on the prevention, detection, reporting and handling of fraud within VisitScotland. VisitScotland is committed to ensuring that opportunities for fraud - both internal and external - are reduced to the lowest possible level of risk.

Staff are required at all times to act honestly and with integrity and to safeguard the public resources for which they are responsible.

VisitScotland will not accept any level of fraud and any case will be thoroughly investigated and dealt with appropriately.

3. Definition of fraud

The term "fraud" is used to describe such acts as deception, bribery, forgery, extortion, theft, conspiracy, embezzlement, misappropriation, false representation, concealment of material facts, financial or professional malpractice and collusion. Fraud is usually used to describe depriving someone of something by deceit, which might either be straight theft, misuse of funds or other resources, or more complicated crimes like false accounting and the supply of false information.

Computer fraud is where IT equipment has been used to manipulate programs or data dishonestly (for example, by altering, substituting or destroying records, or creating spurious records), or where the use of an IT system was a material factor in the perpetration of fraud. Theft of data or fraudulent use of computer time and resources is included in this definition. Staff are directed to the Data Protection policies to be found on the hub and the IT Acceptable Use Policy, which prohibit the use of USB “flash drives” for any extraction of personal or business sensitive data.

Historically, most internal fraud in organisations such as VisitScotland has been linked to claims for travel and subsistence and overtime, recording of cash receipts, irregularities in procurement procedures and the abuse of flexible working hours. Examples of external fraud include providing false information in applications for grants or other forms of assistance, suppliers offering bribes or inducements and submitting bogus invoices.

The Bribery Act 2010 requires organisations to demonstrate that they have “adequate procedures” in place to prevent bribery. This topic is addressed in VisitScotland’s separate over-arching Anti-Bribery & Corruption Policy, which embraces a number of other more detailed policies, as mentioned below.

4. Prevention

Managers and staff must always be alert to the risk of fraud, other forms of theft. Danger signs of internal fraud include evidence of excessive spending by staff engaged in cash or contract work, inappropriate relationships with suppliers, reluctance of staff to take leave, requests for unusual patterns of overtime and where there seems undue possessiveness of records. Junior staff should resist any pressure from line managers to circumvent internal controls or to over-ride control mechanisms. Such action could be indicative of fraudulent activity and should be reported.

A key preventative measure in the fight against fraud is to take effective steps at the recruitment stage. Written references will always be taken up and independent confirmation of any professional qualifications will be obtained before offers of employment are made.

VisitScotland is committed to ensuring that it takes effective measures for implementing and maintaining effective and efficient internal controls in computer systems. There is a need to ensure that the risks associated with new technology such as hacking, virus infections and fraud arising from the use of networks (whether local, national or international) are addressed.

Other measures designed to prevent and detect fraud include clear financial procedures, control systems, reconciliations, segregation of duties, supervisory checks and authorisations and an internal audit programme.

5. Avenues for reporting fraud

VisitScotland has clear avenues for reporting suspicions of fraud. Staff should report such suspicions to their line managers in the first instance, and if appropriate they should refer to the VisitScotland Fraud Response Plan and report direct to VisitScotland's Fraud Response Co-ordinator. All matters will be dealt with in confidence and in strict accordance with the terms of the Public Interest Disclosure Act 1998. This statute protects the legitimate personal interests of staff. VisitScotland also has a Whistleblowing Policy which encourages staff to raise concerns about issues such as malpractice, unlawful activities or dangers to colleagues and the public.

6. Responsibilities

The Scottish Ministers are responsible for issuing relevant guidance in the Scottish Public Finance Manual (SPFM) on the prevention, detection, reporting and handling of fraud. As a public body VisitScotland must implement this guidance and put appropriate procedures in place to prevent and detect fraud.

The Board has corporate responsibility for ensuring that VisitScotland follows guidance issued by Scottish Ministers. It addresses key financial and other risks such as fraud through the Audit & Risk Committee.

The Audit & Risk Committee oversees the risk management framework and governance arrangements on behalf of the Board. The Audit & Risk Committee therefore has a general responsibility for monitoring the operation and effectiveness of anti-fraud arrangements and requires regular reports on fraud activity. 

VisitScotland’s Chief Executive is responsible for establishing and maintaining sound systems of internal control to support our policies, aims and objectives. The systems of internal control are designed to respond to and manage the whole range of risks that VisitScotland faces. Managing fraud risk will be seen in the context of the management of this wider range of risks.

The Leadership Group support the Chief Executive by identifying those operational areas where the risk of fraud or other loss is greatest. This will help inform internal audit activities and should also provide pointers to where line managers should target their counter fraud measures.

The Fraud Response Co-ordinator is a nominated member of the HR team and is the first point of contact for any suspected fraud within VisitScotland. This individual leads on all fraud investigations ensuring that the investigation is prompt and thorough.

The Head of Finance has been delegated overall responsibility for ensuring that necessary controls are in place for managing the risk of fraud in VisitScotland. Responsibilities include:

  • preparing relevant guidance on the prevention, detection, reporting and handling of fraud for issue to staff.
  • establishing and reviewing an effective anti-fraud policy and fraud response plan.
  • ensuring that core financial systems are designed and operated so as to minimise the risk of fraud.
  • coordinating assurances about the effectiveness of anti-fraud policies to support the Statement on Internal Control.
  • ensuring that appropriate anti-fraud training and development opportunities are available to appropriate staff.
  • ensuring that appropriate action is taken to minimise the risk of similar fraud’s occurring in future.
  • ensuring with the Head of Procurement that adequate supplier take-on and monitoring controls are in operation with appropriate internal segregation of duties.

The Internal Audit Contractor is responsible for:

  • delivering an opinion to the Board through the Audit & Risk Committee on the adequacy of arrangements for risk, control and governance (including those for managing the risk of fraud) and ensuring that VisitScotland as a whole promotes an anti- fraud culture.
  • assisting in the deterrence and prevention of fraud by examining and evaluating the effectiveness of controls commensurate with the extent of the potential exposure/risk in the various segments of VisitScotland's operations.
  • ensuring that management has reviewed its risk exposures and identified the possibility of fraud as a business risk.
  • assisting management in conducting fraud investigations.

Managers across the organisation are responsible for:

  • ensuring that controls operate effectively and as intended within their areas of responsibility.
  • assessing the types of risk involved in the operations for which they are responsible.
  • regularly reviewing and testing the control systems for which they are responsible.
  • ensuring that controls are being complied with and their systems continue to operate effectively.
  • implementing new controls to reduce the risk of similar fraud occurring where frauds have taken place.
  • contacting their Director and the Fraud Response Co-ordinator when suspicions of fraud are brought to their notice (managers should undertake some preliminary work to establish relevant facts).

All Members of staff are responsible for:

  • acting with propriety in the use of official resources and the handling and use of public funds whether they are involved with cash or payments systems, receipts or dealing with suppliers
  • conducting themselves in accordance with VisitScotland’s Employee Handbook and the values of the organisation.
  • observing all current guidance contained within both the HR and Corporate Services Policies and Procedures sections on the Hub intranet, in particular those relating to buying goods and services, travel expenses and the IT Acceptable Use Policy.
  • being alert to the possibility that unusual events or transactions could be indicators of fraud.
  • reporting details immediately through the appropriate channel if they suspect that a fraud has been committed or see any suspicious acts or events.
  • co-operating fully with whoever is conducting internal checks or reviews or fraud investigations.

7. The provision, or acceptance, of gifts or hospitality

Working relationships may bring staff into contact with outside organisations where it is normal business practice or social convention to offer hospitality, and sometimes gifts. Offers of this kind can place staff in a difficult position.

No employee or any member of his or her immediate family should provide or accept from a supplier, customer or other person doing business with VisitScotland, payments of money under any circumstances, or special considerations, such as discounts or gifts of materials, equipment, services, facilities, excessive hospitality or anything else of value unless:

  • they are in each instance the nature of customary courtesies usually associated with accepted business practice
  • their public disclosure would not embarrass VisitScotland or the employee

For all information on the provision or acceptance of gifts or hospitality staff should consult the gifts and hospitality policy.

8. Notification and reporting

Any instance of suspected fraud should be reported to the Fraud Response Co-ordinator immediately.

Details of losses due to fraud or theft must be submitted to the Head of Finance for recording correctly as a loss or write-off in the financial statements.

For any instance of fraud, an incident report will be prepared and submitted to the ARC for reporting to the Board and the Accountable Officer.

The Head of Finance provides an annual report to the Audit & Risk Committee, Board Scottish Government, Accountable Officer and external auditors detailing all instances of fraud detected during the year.

9. Conclusion

VisitScotland will not accept any level of fraud and any case will be thoroughly investigated and dealt with appropriately.

Related links

Our whistleblowing policy

Our whistleblowing policy ensures that any fraud, misconduct, or wrongdoing by employees or officers of the organisation is reported and properly…