Skip to main content
Visit Scotland | Alba

Help shape the future of business support on visitscotland.org. Giving feedback through our short survey only takes a few minutes.

1. Why have a policy?

Guidance issued by the Scottish Ministers to public bodies like VisitScotland on the proper handling and reporting of public funds includes a requirement to have a policy statement and response plan to address the likelihood of fraud.  

2. Introduction

This policy gives guidance on the prevention, detection, reporting and handling of fraud within VisitScotland. VisitScotland is committed to ensuring that opportunities for fraud - both internal and external - are reduced to the lowest possible level of risk.

Staff are required at all times to act honestly and with integrity and to safeguard the public resources for which they are responsible. VisitScotland will not accept any level of fraud and any case will be thoroughly investigated and dealt with appropriately.

3. Definition of fraud

The term "fraud" is used to describe such acts as deception, bribery, forgery, extortion, theft, conspiracy, embezzlement, misappropriation, false representation, concealment of material facts, financial or professional malpractice and collusion.

Fraud is usually used to describe depriving someone of something by deceit, which might either be straight theft, misuse of funds or other resources, or more complicated crimes like false accounting and the supply of false information.

Computer fraud is where IT equipment (including the use of AI) has been used to manipulate programs or data dishonestly (for example, by altering, substituting or destroying records, or creating spurious records), or where the use of an IT system (including the use of AI) was a material factor in the perpetration of fraud.

Theft of data or fraudulent use of computer time and resources is included in this definition.

Staff are directed to the Data Protection Policy, and the IT Acceptable Use Policy, which prohibit the use of USB “flash drives” for any extraction of personal or business sensitive data and the Generative Artificial Intelligence (AI) Policy.

Historically, most internal fraud in organisations such as VisitScotland has been linked to claims for travel and subsistence and overtime, recording of cash receipts, irregularities in procurement procedures and the abuse of flexible working hours.

Examples of external fraud include providing false information in applications for grants or other forms of assistance, suppliers offering bribes or inducements and submitting bogus invoices.

The Bribery Act 2010 requires organisations to demonstrate that they have “adequate procedures” in place to prevent bribery. This topic is addressed in VisitScotland’s separate over-arching Anti-Bribery & Corruption Policy, which embraces a number of other more detailed policies, as mentioned on this page.

4. Prevention

Managers and staff must always be alert to the risk of fraud, and other forms of theft.

Danger signs of internal fraud include evidence of excessive spending by staff engaged in cash or contract work, inappropriate relationships with suppliers, reluctance of staff to take leave, requests for unusual patterns of overtime and where there seems undue possessiveness of records.

Junior staff should resist any pressure from line managers to circumvent internal controls or to over-ride control mechanisms. Such action could be indicative of fraudulent activity and should be reported.

A key preventative measure in the fight against fraud is to take effective steps at the recruitment stage. Written references will always be taken up and independent confirmation of any professional qualifications will be obtained before offers of employment are made.

VisitScotland is committed to ensuring that it takes effective measures for implementing and maintaining effective and efficient internal controls in computer systems.

There is a need to ensure that the risks associated with new technology such as hacking, virus infections and fraud arising from the use of networks (whether local, national or international) are addressed.

Further information can be found within The Information Security Policy and IT Acceptable Use Policy.

Other measures designed to prevent and detect fraud include clear financial procedures, control systems, reconciliations, segregation of duties, supervisory checks and authorisations and an internal audit programme.

As requested, VisitScotland participates in the National Fraud Initiative (normally bi-annually) with data of our suppliers and employees uploaded to the NFI database where it is cross checked against records held by other public sector bodies, including Local Authorities.

Any matches flagged on VisitScotland data are investigated by the Finance team with appropriate steps taken depending on the outcome of these investigations. If further action is required by VisitScotland in relation to potential frauds these are processed through the Fraud Response Plan.

VisitScotland’s participation in the NFI exercises supports our counter-fraud approach.

5. Avenues for reporting fraud

VisitScotland has clear avenues for reporting suspicions of fraud. Staff should report such suspicions to the Fraud Response co-ordinator and should refer to the VisitScotland Fraud Response Plan (which is held in a different document and available on the Hub).

All matters will be dealt with in confidence and in strict accordance with the terms of the Public Interest Disclosure Act 1998.

This statute protects the legitimate personal interests of staff. VisitScotland also has a Whistleblowing Policy which encourages staff to raise concerns about issues such as malpractice, unlawful activities or dangers to colleagues and the public.

6. Responsibilities

The Scottish Ministers are responsible for issuing relevant guidance in the Scottish Public Finance Manual (SPFM) on the prevention, detection, reporting and handling of fraud.

As a public body VisitScotland must implement this guidance and put appropriate procedures in place to prevent and detect fraud.

The Board has corporate responsibility for ensuring that VisitScotland follows guidance issued by Scottish Ministers. It addresses key financial and other risks such as fraud through the Audit & Risk Committee.

The Audit & Risk Committee oversees the risk management framework and governance arrangements on behalf of the Board.

Therefore, the Audit & Risk Committee has a general responsibility for monitoring the operation and effectiveness of anti-fraud arrangements and requires regular reports on fraud activity.

VisitScotland’s Chief Executive is responsible for establishing and maintaining sound systems of internal control to support our policies, aims and objectives.

The systems of internal control are designed to respond to and manage the whole range of risks that VisitScotland faces. Managing fraud risk will be seen in the context of the management of this wider range of risks.

The Leadership Group support the Chief Executive by identifying those operational areas where the risk of fraud or other loss is greatest. This will help inform internal audit activities and should also provide pointers to where line managers should target their counter fraud measures.

The Fraud Response Co-ordinator is a nominated member of the Legal team and is the first point of contact for any suspected fraud within VisitScotland. This individual leads on all fraud investigations ensuring that the investigation is prompt and thorough.

The Head of Financial Services has been delegated overall responsibility for ensuring that necessary controls are in place for managing the risk of fraud in VisitScotland. Responsibilities include:

  • preparing relevant guidance on the prevention, detection, reporting and handling of fraud for issue to staff.
  • establishing and reviewing an effective anti-fraud policy and fraud response plan.
  • ensuring that core financial systems are designed and operated so as to minimise the risk of fraud.
  • coordinating assurances about the effectiveness of anti-fraud policies to support the Statement on Internal Control.
  • ensuring that appropriate anti-fraud training and development opportunities are available to appropriate staff.
  • ensuring that appropriate action is taken to minimise the risk of similar frauds occurring in future.
  • Ensuring with the Head of Procurement that adequate supplier take-on and monitoring controls are in operation with appropriate internal segregation of duties.

The Internal Audit Contractor is responsible for:

  • delivering an opinion to the Board through the Audit & Risk Committee on the adequacy of arrangements for risk, control and governance (including those for managing the risk of fraud).
  • Promoting anti-fraud and anti-bribery best practice within VisitScotland and facilitating corporate learning.
  • Considering fraud and corruption risks within their audit work, reviewing fraud prevention controls and detection processes put in place by management and making recommendations to improve those processes.
  • ensuring that management has reviewed its risk exposures and identified the possibility of fraud as a business risk.
  • assisting management in conducting fraud investigations.

Managers across the organisation are responsible for:

  • ensuring that controls operate effectively and as intended, within their areas of responsibility.
  • assessing the types of risk involved in the operations for which they are responsible.
  • regularly reviewing and testing the control systems for which they are responsible.
  • ensuring that controls are being complied with and their systems continue to operate effectively.
  • implementing new controls to reduce the risk of similar fraud occurring where frauds have taken place.
  • contacting the Fraud Response Co-ordinator, in line with Section 5 above, when suspicions of fraud are brought to their attention (managers should undertake some preliminary work to establish relevant facts).

All Members of staff are responsible for:

  • acting with propriety in the use of official resources and the handling and use of public funds whether they are involved with cash or payments systems, receipts or dealing with suppliers.
  • conducting themselves in accordance with their terms and conditions of employment, VisitScotland’s policies and the values of the organisation.
  • observing all current guidance contained within the Policies and Procedures sections on the Hub intranet, in particular those relating to buying goods and services, travel expenses, the IT Acceptable Use Policy and the Generative Artificial Intelligence (AI) Policy.
  • being alert to the possibility that unusual events or transactions could be indicators of fraud.
  • reporting details immediately through the appropriate channel if they suspect that a fraud has been committed or see any suspicious acts or events.
  • co-operating fully with whoever is conducting internal checks or reviews or fraud investigations.

7. The provision, or acceptance, of gifts or hospitality

Working relationships may bring staff into contact with outside organisations where it is normal business practice or social convention to offer hospitality, and sometimes gifts. Offers of this kind can place staff in a difficult position.

No employee or any member of his or her immediate family should provide or accept from a supplier, customer or other person doing business with VisitScotland, payments of money under any circumstances, or special considerations, such as discounts or gifts of materials, equipment, services, facilities, excessive hospitality or anything else of value unless:

  • they are in each instance the nature of customary courtesies usually associated with accepted business practice
  • their public disclosure would not embarrass VisitScotland or the employee

For all information on the provision or acceptance of gifts or hospitality staff should consult the Gifts & Hospitality Policy.

8. Notification and reporting

Any instance of suspected fraud should be reported to the Fraud Response Co-ordinator immediately.

Details of losses due to fraud or theft must be submitted to the Head of Financial Services for recording correctly as a loss or write-off in the financial statements.

For any instance of fraud, an incident report will be prepared and submitted to the ARC for reporting to the Board and the Accountable Officer.

All instances of external fraud will be reported to Police Scotland. VisitScotland reserves the right to report instances of internal fraud to Police Scotland, with the Accountable Officer reviewing this position on a case-by-case basis.

The Head of Financial Services provides an annual report to the Audit & Risk Committee, VisitScotland Board, Scottish Government, Accountable Officer and external auditors detailing all instances of fraud detected during the year.

9. Conclusion

VisitScotland will not accept any level of fraud and any case will be thoroughly investigated and dealt with appropriately. 

Related links