Guidance issued by the Scottish Ministers to public bodies like VisitScotland on the proper handling and reporting of public funds includes a requirement to have a policy statement and response plan to address the likelihood of fraud.
This policy gives guidance on the prevention, detection, reporting and handling of fraud within VisitScotland. VisitScotland is committed to ensuring that opportunities for fraud - both internal and external - are reduced to the lowest possible level of risk.
Staff are required at all times to act honestly and with integrity and to safeguard the public resources for which they are responsible. VisitScotland will not accept any level of fraud and any case will be thoroughly investigated and dealt with appropriately.
The term "fraud" is used to describe such acts as deception, bribery, forgery, extortion, theft, conspiracy, embezzlement, misappropriation, false representation, concealment of material facts, financial or professional malpractice and collusion.
Fraud is usually used to describe depriving someone of something by deceit, which might either be straight theft, misuse of funds or other resources, or more complicated crimes like false accounting and the supply of false information.
Computer fraud is where IT equipment (including the use of AI) has been used to manipulate programs or data dishonestly (for example, by altering, substituting or destroying records, or creating spurious records), or where the use of an IT system (including the use of AI) was a material factor in the perpetration of fraud.
Theft of data or fraudulent use of computer time and resources is included in this definition.
Staff are directed to the Data Protection Policy, and the IT Acceptable Use Policy, which prohibit the use of USB “flash drives” for any extraction of personal or business sensitive data and the Generative Artificial Intelligence (AI) Policy.
Historically, most internal fraud in organisations such as VisitScotland has been linked to claims for travel and subsistence and overtime, recording of cash receipts, irregularities in procurement procedures and the abuse of flexible working hours.
Examples of external fraud include providing false information in applications for grants or other forms of assistance, suppliers offering bribes or inducements and submitting bogus invoices.
The Bribery Act 2010 requires organisations to demonstrate that they have “adequate procedures” in place to prevent bribery. This topic is addressed in VisitScotland’s separate over-arching Anti-Bribery & Corruption Policy, which embraces a number of other more detailed policies, as mentioned on this page.
Managers and staff must always be alert to the risk of fraud, and other forms of theft.
Danger signs of internal fraud include evidence of excessive spending by staff engaged in cash or contract work, inappropriate relationships with suppliers, reluctance of staff to take leave, requests for unusual patterns of overtime and where there seems undue possessiveness of records.
Junior staff should resist any pressure from line managers to circumvent internal controls or to over-ride control mechanisms. Such action could be indicative of fraudulent activity and should be reported.
A key preventative measure in the fight against fraud is to take effective steps at the recruitment stage. Written references will always be taken up and independent confirmation of any professional qualifications will be obtained before offers of employment are made.
VisitScotland is committed to ensuring that it takes effective measures for implementing and maintaining effective and efficient internal controls in computer systems.
There is a need to ensure that the risks associated with new technology such as hacking, virus infections and fraud arising from the use of networks (whether local, national or international) are addressed.
Further information can be found within The Information Security Policy and IT Acceptable Use Policy.
Other measures designed to prevent and detect fraud include clear financial procedures, control systems, reconciliations, segregation of duties, supervisory checks and authorisations and an internal audit programme.
As requested, VisitScotland participates in the National Fraud Initiative (normally bi-annually) with data of our suppliers and employees uploaded to the NFI database where it is cross checked against records held by other public sector bodies, including Local Authorities.
Any matches flagged on VisitScotland data are investigated by the Finance team with appropriate steps taken depending on the outcome of these investigations. If further action is required by VisitScotland in relation to potential frauds these are processed through the Fraud Response Plan.
VisitScotland’s participation in the NFI exercises supports our counter-fraud approach.
VisitScotland has clear avenues for reporting suspicions of fraud. Staff should report such suspicions to the Fraud Response co-ordinator and should refer to the VisitScotland Fraud Response Plan (which is held in a different document and available on the Hub).
All matters will be dealt with in confidence and in strict accordance with the terms of the Public Interest Disclosure Act 1998.
This statute protects the legitimate personal interests of staff. VisitScotland also has a Whistleblowing Policy which encourages staff to raise concerns about issues such as malpractice, unlawful activities or dangers to colleagues and the public.
The Scottish Ministers are responsible for issuing relevant guidance in the Scottish Public Finance Manual (SPFM) on the prevention, detection, reporting and handling of fraud.
As a public body VisitScotland must implement this guidance and put appropriate procedures in place to prevent and detect fraud.
The Board has corporate responsibility for ensuring that VisitScotland follows guidance issued by Scottish Ministers. It addresses key financial and other risks such as fraud through the Audit & Risk Committee.
The Audit & Risk Committee oversees the risk management framework and governance arrangements on behalf of the Board.
Therefore, the Audit & Risk Committee has a general responsibility for monitoring the operation and effectiveness of anti-fraud arrangements and requires regular reports on fraud activity.
VisitScotland’s Chief Executive is responsible for establishing and maintaining sound systems of internal control to support our policies, aims and objectives.
The systems of internal control are designed to respond to and manage the whole range of risks that VisitScotland faces. Managing fraud risk will be seen in the context of the management of this wider range of risks.
The Leadership Group support the Chief Executive by identifying those operational areas where the risk of fraud or other loss is greatest. This will help inform internal audit activities and should also provide pointers to where line managers should target their counter fraud measures.
The Fraud Response Co-ordinator is a nominated member of the Legal team and is the first point of contact for any suspected fraud within VisitScotland. This individual leads on all fraud investigations ensuring that the investigation is prompt and thorough.
The Head of Financial Services has been delegated overall responsibility for ensuring that necessary controls are in place for managing the risk of fraud in VisitScotland. Responsibilities include:
The Internal Audit Contractor is responsible for:
Managers across the organisation are responsible for:
All Members of staff are responsible for:
Working relationships may bring staff into contact with outside organisations where it is normal business practice or social convention to offer hospitality, and sometimes gifts. Offers of this kind can place staff in a difficult position.
No employee or any member of his or her immediate family should provide or accept from a supplier, customer or other person doing business with VisitScotland, payments of money under any circumstances, or special considerations, such as discounts or gifts of materials, equipment, services, facilities, excessive hospitality or anything else of value unless:
For all information on the provision or acceptance of gifts or hospitality staff should consult the Gifts & Hospitality Policy.
Any instance of suspected fraud should be reported to the Fraud Response Co-ordinator immediately.
Details of losses due to fraud or theft must be submitted to the Head of Financial Services for recording correctly as a loss or write-off in the financial statements.
For any instance of fraud, an incident report will be prepared and submitted to the ARC for reporting to the Board and the Accountable Officer.
All instances of external fraud will be reported to Police Scotland. VisitScotland reserves the right to report instances of internal fraud to Police Scotland, with the Accountable Officer reviewing this position on a case-by-case basis.
The Head of Financial Services provides an annual report to the Audit & Risk Committee, VisitScotland Board, Scottish Government, Accountable Officer and external auditors detailing all instances of fraud detected during the year.
VisitScotland will not accept any level of fraud and any case will be thoroughly investigated and dealt with appropriately.