Key principles for good assurance

Every in-scope investment, regardless of tier, is required to apply the Key Principles for Good Assurance when planning for and delivering assurance. When applied effectively, these principles help provide confidence that digital and ICT investments will achieve their objectives, without leading to excessive levels of assurance. 

The principles were developed drawing on the DTA’s experience as well as the experience of leading digital governments and organisations including the New Zealand Government, the Government of the United Kingdom, the New South Wales Government, Victorian Government and various private sector organisations.

1. Plan for assurance 

Prepare and maintain a fit for purpose Assurance Plan.

This means: 

  • Have a formal plan for assurance, and monitor and iterate the plan during delivery and as the risk posture of the investment changes. 
  • Budget for assurance activities in your business case. 
  • Ensure all sources of assurance are coordinated, avoiding duplication and overlap and focussing assurance on the most important areas. 
  • Ensure your Assurance Plan is informed by experience in similar investments. 
  • Have clear roles and responsibilities for assurance, including for your governance bodies and SRO. 

2. Drive good decisions 

Assurance should provide timely, reliable information to inform key decisions.

This means: 

  • Assurance is grounded in the agreed investment outcomes and expected benefits, and presents clear assessments of delivery confidence. 
  • Assurance is organised around key decision points such as go-live points, key milestones, and funding release points. 
  • Assurance information is unambiguous, supports informed decision-making and uses consistent definitions and standards to support comparisons over time (e.g. using common delivery confidence ratings and priority ratings for recommendations). 
  • Governance bodies and central agencies have unimpeded access to full assurance opinions and reports and use assurance information to focus their support and attention where it is most needed.

3. Expert-led and independent 

Assurance should be provided by credible and suitably independent reviewers with the right skills and experience to assure an investment of your scale and complexity.

This means: 

  • Assurance activities are carefully scoped, and the review team’s skills and experience are assessed to ensure the team is suitably skilled and experienced. 
  • Conflicts of interest for the review team are identified and managed, with the governance committee and SRO ensuring that the provider has necessary independence and objectivity. 
  • The provider is supported in accessing the people and resources they require, and the evidentiary standard for their assessments/evaluations is clearly identified in their reporting. 
  • The provider adopts relevant reporting standards, including, for example, the use of the DTA’s delivery confidence scale included at Assurance Implementation Requirements.

4. Culture and tone at the top 

Investment leadership engages positively with assurance and drives a culture of continuous improvement and transparency that welcomes constructive challenge.

This means: 

  • There is clear accountability for achieving and maintaining a fit for purpose assurance approach, and assurance is actively promoted as a valuable partner in securing successful delivery. 
  • There is an openness displayed by responsible senior executives to external scrutiny and constructive challenge, and this outlook is expected of their teams. 
  • Implementation of agreed recommendations is actively monitored and escalated when agreed timeframes are not being met. 
  • The SRO and key governance committee/s actively engage with assurance planning and outcomes, with a focus on ensuring the assurance regime remains fit for purpose during the delivery phase. 

5. Focus on risk and outcomes 

Assurance activities should focus on assessing key risks to successful delivery and impact on success.

This means: 

  • Assurance activities should always be mapped to key risks to realising investment objectives. 
  • Assurance should always be forward-looking and focus on supporting the investment to maintain delivery confidence. 
  • Assurance should help governance committees and the SRO stay across the most important risks and prioritise their efforts and attention on the most important aspects for successful delivery.

Global learnings and experience 

Government ICT projects are often too ambitious and too complex… A project that is too complex lacks balance between the ambitions and the available human, financial and time resources…

Lessons Learned from Government ICT Projects Part A

Dutch Court of Audit
