Assurance on Digital & ICT Investments Factsheet
Background & Context
From 1 July 2021, the DTA has whole-of-government responsibility for managing strategic coordination and oversight functions for the Australian Government’s digital and ICT investments across their project lifecycle. To give effect to the DTA’s mandate, the Government has agreed to the Whole-of-Government Digital and ICT Investment Oversight Framework (IOF).
Aligning to the Government’s Budget cycles, the IOF provides a way for the DTA to engage and support the Government in effectively overseeing its digital and ICT-enabled investment portfolio. The IOF outlines six states across the investment lifecycle where agencies are required to engage with the DTA: Strategic Planning, Prioritisation, Contestability, Assurance, Sourcing and Operations.
Assurance Framework
Agencies bringing forward or implementing digital and ICT investments must plan for and implement assurance arrangements which meet the requirements of the Assurance Framework.
The Assurance Framework must be adhered to if:
- The agency responsible is a non-corporate Commonwealth entity.
- The agency’s proposed investment meets the definition for a digital investment (this generally includes investments which use technology as the primary lever for achieving expected outcomes and benefits).
What is assurance?
The Assurance Framework defines assurance as 'independent and objective assessments and evaluations undertaken by people and entities separate to the delivery team and the Senior Responsible Official (SRO), to support decision-making'.
DTA’s assurance oversight role
The DTA is responsible for providing Ministers, the Secretaries’ Digital and Data Committee and other key stakeholders with confidence that digital investments are being designed well, are optimised to deliver value – and if funded, will achieve their investment objectives. This is achieved through the DTA’s assurance oversight role during key states of the investment.
During the proposal stage, the DTA will engage to support the agency to develop and agree an Assurance Plan. During the delivery stage, the DTA will engage to ensure proposed assurance is mobilised and to monitor those assurance activities and their outputs.
Assurance engagement process
To ensure fit-for-purpose assurance is planned for digital and ICT investments, agencies are required to engage with the DTA during the Contestability state. Planning also continues throughout the Assurance state. This engagement follows a four-step process outlined in the Assurance Framework:
Contestability State
Step 1 Confirm the applicable investment tier: The Tier of an investment is determined by the DTA, in consultation with the agency and in the context of the risk, complexity and strategic importance.
Step 2 Plan for assurance: Applying the Key Principles for Good Assurance, agencies are required to plan for assurance, addressing the minimum requirements applicable to the investment’s Tier rating.
Assurance State
Step 3 Use assurance effectively during delivery: Agencies must deliver according to the approved Assurance Plan, continue to apply the Key Principles for Good Assurance, and meet ongoing reporting and engagement requirements.
Step 4 Follow the escalation protocols (if required): Investments which encounter difficulty during delivery will receive additional DTA oversight and support.
Investment Tiers
The tier determined during the Contestability state will drive the assurance requirements for that investment.
3 Investment Tiers
- Tier 1 Flagship digital investments: Government’s most complex and strategically significant digital investments, responsible for transforming the experience of people and businesses.
- Tier 2 Strategically significant digital investments: Complex and strategically significant digital investments which may not have the same whole-of-government emphasis or the same criticality to the digital agenda as Tier 1 investments.
- Tier 3 Significant digital investments: Significant digital investments that are likely focussed on meeting the needs of one agency or, sometimes, a small group of agencies.
Regardless of tier, all in-scope investments are required to agree an Assurance Plan with the DTA prior to Cabinet decision (some exceptions apply) – which drives the mobilising and monitoring of assurance during delivery.
Tier 1 – Assurance Requirements
Tier 1 investments must show that assurance is being applied effectively during delivery, aligning to the Key Principles for Good Assurance, by meeting the following minimum requirements:
- include DTA representation on your investment’s governance committee
- agree terms of reference for external assurance activities with the DTA prior to commencement
- when approaching the market for independent assurance providers, agree approach-to-market materials with the DTA
- review and update your Assurance Plan through the governance committee with DTA representation every six (6) months (or as otherwise stated in your Assurance Plan), and provide the updated version to the DTA for review and agreement
- provide draft and final assurance reports containing a Delivery Confidence Assessment (DCA) rating on the overall health of the investment to the DTA quarterly. (Note that Gateway Review reports will be handled in accordance with agreed protocols for the handling of Gateway material.)
- ensure governance bodies with DTA representation receive regular reporting on progress implementing agreed assurance recommendations
- advise the DTA when there is a material variation from planned assurance arrangements.
Tier 2 – Assurance Requirements
Tier 2 investments must show that assurance is being applied effectively during delivery, aligning to the Key Principles for Good Assurance by meeting the following minimum requirements:
- provide terms of reference for external assurance activities as endorsed by the SRO to the DTA for comment, prior to delivery commencement
- review and update your Assurance Plan through your governance body at least every 12 months, and provide the updated version to the DTA for review
- provide final assurance reports containing a DCA rating to the DTA biannually for oversight purposes. (Note that Gateway Review reports will be handled in accordance with agreed protocols for the handling of Gateway material.)
- provide summary reporting to the DTA on recommendation implementation progress
- advise the DTA when there is a material variation from planned assurance arrangements.
Tier 3 – Assurance Requirements
Tier 3 investments must show that assurance is being applied effectively during delivery, aligning to the Key Principles for Good Assurance by meeting the following minimum requirements:
- review and update your Assurance Plan through your governance body as needed to maintain its currency, and provide the updated version to the DTA for review
- provide final assurance opinions and reports to the DTA for oversight purposes. This may include a DCA rating on the overall health of the investment. (Note that Gateway Review reports will be handled in accordance with agreed protocols for the handling of Gateway material.)
- advise the DTA when there is a material variation from planned assurance arrangements.
Mobilising for Assurance – with DTA
Once an investment is funded by Cabinet through a Budget cycle, the DTA’s focus turns to monitoring the implementation of agreed assurance arrangements and to ensuring minimum assurance requirements (aligning to the Tier) are met.
The DTA will start its assurance oversight engagement when delivery of an approved investment commences (or when an in-flight program/project adopts the Assurance Framework requirements). The DTA will request the relevant SRO and investment delivery team to:
- confirm key details to support the DTA in commencing its oversight of assurance arrangements during delivery, such as approved scope and funding, proposed delivery approach, schedule, and governance.
- ensure proposed assurance activities are initiated in line with the Assurance Plan and that assurance accountabilities are clear and understood.
- acknowledge the ongoing assurance monitoring and reporting activities, aligning this to the investment’s Tier requirements, e.g. for a Tier 1 investment, inclusion of the DTA on the relevant governance committee.
Further information and enquiries: