Further information
Assurance Plan Templates and Guidance
Guidance documents including Assurance Plan templates and samples for Tier 1, Tier 2 and Tier 3 investments are also available on request from the DTA.
Benefits Management Policy
The Benefits Management Policy (BMP) defines how benefits must be managed across the Australian Government digital and ICT portfolio. The Policy supports agencies to deliver digital and ICT outcomes by detailing investment oversight requirements and providing guidance on benefits management.
The BMP ensures that agencies understand the requirements to successfully deliver the outcomes that Australians need by enabling effective oversight and reporting of investment outcomes across the Government’s digital and ICT investment portfolio.
Contacts and Feedback
For further information and the latest versions of the DTA’s guidance documents and templates please visit Assurance.
You can also contact us about the following topics:
- Proposed investments: investment@dta.gov.au
- In-flight investments: portfolio.assurance@dta.gov.au
- Benefits management: benefits.management@dta.gov.au
We also value your feedback and ideas to help improve our processes and information. If you have any comments regarding this document, please share your thoughts with us at portfolio.assurance@dta.gov.au.
Purpose and scope
The Australian Government’s Assurance Framework for Digital and ICT Investments (the Assurance Framework) ensures a robust assurance regime is achieved and maintained for in-scope investments.
While assurance is not in itself responsible for delivering outcomes, effective risk management and assurance are critical to good governance and ensuring investments deliver expected outcomes.
Scope
The Assurance Framework must be adhered to if both the following apply:
- Your agency is a Non-Corporate Commonwealth Entity
- Your agency’s proposed investment meets the definition for a digital or ICT investment.
As a guiding principle, a digital or ICT investment is an investment which uses technology as the primary lever for achieving expected outcomes and benefits. This includes investments which are:
- transforming the way people and businesses interact with the Australian Government
- improving the efficiency and effectiveness of Australian Government operations, including through automation.
The Digital Transformation Agency determines whether your investment meets the definition of a digital or ICT investment. If you are unsure whether your investment meets this definition, you must contact investment@dta.gov.au.
Even if this framework does not apply to your agency or to your investment, agencies are encouraged to follow the 5 Key Principles for Good Assurance and apply the framework to the extent it is relevant to your circumstances.
Global learnings and experience
Independent assurance, such as gateway reviews, can provide vital challenge and support for key decisions and progress points across the project life. To work well, independent assurance should be planned in advance … [and] should be co-ordinated.
Principles for a digital future: Lessons learned from public sector ICT projects
Audit Scotland
Background
From 1 July 2021, the Digital Transformation Agency was given whole-of-government responsibility for managing strategic coordination and oversight functions for digital and ICT investments, including during the delivery phase.
In delivering its new mandate, the DTA is required to provide Ministers, the Secretaries Digital and Data Committee and other key stakeholders with confidence that digital and ICT investments are being well designed, are optimised to deliver value for the APS Enterprise as well as for individual agencies and, if funded, will achieve their investment objectives.
This Assurance Framework’s goal is to maximise the value of assurance to successful delivery of digital and ICT investments, drawing on global experience and learnings. To achieve this, the framework aims to:
- Achieve carefully planned, targeted and fit for purpose assurance for all in-scope investments, with assurance information applied effectively to improve the quality of decisions by Senior Responsible Officials (SROs) and governance boards.
- Maximise the value of assurance in supporting successful delivery, including through ensuring agreed recommendations are implemented in a timely manner.
- Realise clear escalation processes which help agencies take decisive early action to recover investments at higher risk of not delivering expected benefits.
- Achieve a steady flow of reliable information on the condition of major investments for central agencies, supporting reporting and analysis for Cabinet and Ministers on the investment portfolio.
Importantly, the framework does not dilute accountability for delivery, which remains with agencies leading delivery.
Learn more about the DTA’s broader digital and ICT investment oversight role.
Global learnings and experience
Assurance provides information to those who finance, sponsor, govern and manage a project. It informs decisions that can reduce project failure, promote conditions for success and increase the chance of delivering the required outcome cost-effectively.
National Audit Office (United Kingdom)
Definition of assurance
In the Assurance Framework, assurance is defined as independent and objective assessments and evaluations undertaken by people and entities separate to the delivery team and SRO to support decision-making.
This definition of assurance includes:
- project health checks undertaken by your agency’s Enterprise Project Management Office
- audits undertaken by your agency’s internal audit function
- Australian Government Assurance Reviews (including Gateway Reviews) commissioned by Ministers and coordinated by the Department of Finance
- delivery assurance from independent assurance providers.
The words ‘independent and objective’ in the definition above are very important. Assurance received from sources also providing advisory or delivery services to your investment will not meet this definition. The framework focusses on ensuring assurance is sourced from suitably independent and objective sources.
How will the DTA assess independence and objectivity?
The DTA will start from the position that, to be relied upon, a source of assurance advice and information needs to feel truly free to reflect openly about the investment they have been asked to assess or evaluate.
The independence and objectivity of a source of assurance will be assessed through several lenses, including whether a source of assurance has had prior involvement with an investment in a delivery or advisory capacity and whether there are any other actual or perceived conflicts of interest for the source of assurance.
What are some examples of assurance activities likely to meet the definition?
- Health check: An independent, lightweight assessment of how the investment is tracking against its benefits by an external specialist assurer.
- SRO adviser: An independent advisor to the SRO with experience in similar investments.
- Integrated assurance: An independent assurance team which has an ongoing presence within the investment to provide confidence in delivery.
- Gateway assurance: Commissioned by the Government for high-risk and high-value investments.
- Go-Live assessment: An independent review to provide additional confidence prior to a go-live decision being made.
- Independent board member: An independent, experienced board member who helps the board keep the investment on track.
- Targeted review: A review of key areas of risk or an area critical to successful delivery by a specialist independent external team.
- Internal audit: A review by the internal audit function of an agency, usually for high-risk investments or investments expected to make a key contribution to the achievement of the agency’s mission.
Assurance Framework overview
The DTA is responsible for providing Ministers and other key stakeholders with confidence that assurance is being applied effectively to support successful delivery of digital and ICT investments.
The Assurance Framework helps us do this by:
- Ensuring agencies plan for assurance, by requiring investments brought forward for decision by Government apply the 5 Key Principles for Good Assurance and meet minimum requirements
- Overseeing assurance arrangements during delivery, including ensuring agencies continue to adhere to the 5 Key Principles for Good Assurance and their approved Assurance Plans
- Supporting funding release decisions, by ensuring reliable assurance information is available at the right moments for Ministers and agencies
- Triggering escalation protocols to support remediation efforts when an investment’s delivery confidence falls below certain levels.
If your agency is bringing forward an in-scope investment (see ‘Purpose and Scope’ above), you must follow the steps below.
Step 1: Confirm the applicable investment tier
Under the Assurance Framework, proposed investments are assigned a tier rating, to provide the greatest support in applying the 5 Key Principles for Good Assurance to the most strategically important, valuable and risky investments.
The tier of an investment is determined by the DTA through an assessment against a number of factors, including the strategic significance of the investment, agency delivery history, the availability of required skills, and the maturity of the agency’s oversight arrangements.
Step 2: Plan for assurance
Agencies are required to plan for assurance.
This means you must apply the 5 Key Principles for Good Assurance and meet minimum assurance requirements applicable to the tier of the investment. The resultant Assurance Plan agreed with the DTA will be submitted to Cabinet for approval as part of the proposed investment.
Step 3: Use assurance effectively during delivery
Throughout the delivery of your investment, you must continue to use assurance effectively.
This means you must deliver according to your approved Assurance Plan, continue to apply the 5 Key Principles for Good Assurance and meet ongoing reporting and engagement requirements.
Step 4: Follow the escalation protocols (if required)
Investments which encounter difficulty during delivery receive additional oversight and support. This can include assistance in preparing an evidence-based remediation plan, undertaking independent health checks and/or expert-led investment reviews. Depending on the tier and condition of an investment, as well as whether the Enhanced Notification Process applies, different escalation protocols apply. The DTA will support agencies in understanding the requirements applicable to their investments.
5 key principles for good assurance
Every in-scope investment, regardless of tier, is required to apply the Key Principles for Good Assurance when planning for and delivering assurance. When applied effectively, these principles help provide confidence that digital and ICT investments will achieve their objectives, without leading to excessive levels of assurance.
The principles were developed drawing on the DTA’s experience as well as the experience of leading digital governments and organisations including the New Zealand Government, the Government of the United Kingdom, the New South Wales Government, the Victorian Government and various private sector organisations.
1. Plan for assurance
Prepare and maintain a fit-for-purpose Assurance Plan.
This means:
- Have a formal plan for assurance, monitor and iterate the plan during delivery and as the risk posture of the investment changes.
- Budget for assurance activities in your business case.
- Ensure all sources of assurance are coordinated, avoiding duplication and overlap and focussing assurance on the most important areas.
- Ensure your Assurance Plan is informed by experience in similar investments.
- Have clear roles and responsibilities for assurance, including for your governance bodies and SRO.
2. Drive good decisions
Assurance should provide timely, reliable information to inform key decisions.
This means:
- Assurance is grounded in the agreed investment outcomes and expected benefits, and presents clear assessments of delivery confidence.
- Assurance is organised around key decision points such as go-live points, key milestones, and funding release points.
- Assurance information is unambiguous, supports informed decision-making and uses consistent definitions and standards to support comparisons over time (e.g. using common delivery confidence ratings and priority ratings for recommendations).
- Governance bodies and central agencies have unimpeded access to full assurance opinions and reports and use assurance information to focus their support and attention where it is most needed.
3. Expert-led and independent
Assurance should be provided by credible and suitably independent reviewers with the right skills and experience to assure an investment of your scale and complexity.
This means:
- Assurance activities are carefully scoped, and the review team’s skills and experience assessed to ensure they are suitably skilled and experienced.
- Conflicts of interest for the review team are identified and managed, with the governance committee and SRO ensuring that the provider has necessary independence and objectivity.
- The provider is supported in accessing the people and resources they require, and the evidentiary standard for their assessments/evaluations is clearly identified in their reporting.
- The provider adopts relevant reporting standards, including, for example, the use of the DTA’s delivery confidence scale included at Assurance Implementation Requirements.
4. Culture and tone at the top
Investment leadership engages positively with assurance and drives a culture of continuous improvement and transparency welcoming of constructive challenge.
This means:
- There is clear accountability for achieving and maintaining a fit-for-purpose assurance approach, and assurance is actively promoted as a valuable partner in securing successful delivery.
- There is an openness displayed by responsible senior executives to external scrutiny and constructive challenge, and this outlook is expected of their teams.
- Implementation of agreed recommendations is actively monitored and escalated when agreed timeframes are not being met.
- The SRO and key governance committee/s actively engage with assurance planning and outcomes, with a focus on ensuring the assurance regime remains fit for purpose during the delivery phase.
5. Focus on risk and outcomes
Assurance activities should focus on assessing key risks to successful delivery, and impact on success.
This means:
- Assurance activities should always be mapped to key risks to realising investment objectives.
- Assurance should always be forward-looking and focus on supporting the investment to maintain delivery confidence.
- Assurance should help governance committees and the SRO stay across the most important risks and prioritise their efforts and attention on the most important aspects for successful delivery.
SRO requirements and tiering investments
Global learnings and experience
Government ICT projects are often too ambitious and too complex… A project that is too complex lacks balance between the ambitions and the available human, financial and time resources…
Dutch Court of Audit
SRO requirements
Leadership, particularly of major digital investments, can be complex and challenging. The SRO of a digital investment plays a vital role in the system of assurance that supports successful delivery.
As the official with ultimate accountability for the investment’s delivery, SROs are required to champion assurance that is fit-for-purpose and aligned to risk and complexity. This is reflected in one of the 5 Key Principles for Good Assurance, ‘culture and tone at the top’, which requires senior executives to drive a culture of continuous improvement and transparency through fit-for-purpose assurance arrangements.
Often, SROs are stretched across multiple strategic priorities with many dependencies and risks. Carefully planned and executed assurance will prove to be a valuable partner to a busy SRO, helping them stay on top of the critical issues and to inform better decisions, increasing their chances of success.
To guide the successful delivery of a digital investment, an SRO needs to:
- Promote assurance as a valuable partner of the project through the relevant governance body.
- Actively engage in assurance planning and monitoring, providing advice and escalating when required.
- Acknowledge their own skills, project needs and knowledge gaps and structure the governance body and project team accordingly.
- Ensure the Assurance Plan is reviewed by the governance body at regular intervals and at least as often as the relevant tier requires. This is key to ensuring the plan continues to be fit-for-purpose.
- Ensure assurance providers are suitably skilled, independent and objective.
- Ensure assurance activities are providing high quality assurance information to support decision-making.
- Monitor the implementation of assurance recommendations.
It is important that SROs receive appropriate support and capability development to help navigate the challenges faced in delivering a digital investment. The criticality of the SRO role in supporting the success of digital projects means that the DTA will generally not support proposals which have more than one SRO or have the core responsibilities of an SRO delegated to another person.
Global learnings and experience
Strong leadership with clear accountability is a key element of successful project delivery... the overriding requirement is that the SRO is able to devote the necessary time to the project to execute their responsibilities in full.
UK Government Project Delivery Function
Tiering of investments
Each in-scope investment will be assigned one of 3 tiers under the DTA’s Investment Tiering Model. This model is designed to focus oversight attention and support for applying the 5 Key Principles for Good Assurance on the most important investments. The model also helps ensure lower risk and lower value investments are not unnecessarily burdened by excessive levels of oversight of their assurance arrangements.
The tier of an investment is determined by the DTA in consultation with the proponent agency for an in-scope digital or ICT investment. Tiers are determined during the contestability stage of the investment lifecycle before proposals are brought forward for an investment decision by Cabinet.
- Tier 1 – Flagship digital investments: Tier 1 investments represent the Australian Government’s most complex and strategically significant digital or ICT investments, responsible for transforming the experience of people and business and realising the APS Enterprise view by improving the efficiency and effectiveness of government operations.
- Tier 2 – Strategically significant digital investments: Tier 2 investments are usually complex and strategically significant digital or ICT investments but may not have the same whole-of-government emphasis or the same criticality to the digital agenda as Tier 1 investments or, if they do, they are of lower estimated total cost.
- Tier 3 – Significant digital investments: Tier 3 investments are significant digital or ICT investments. They are likely focussed on meeting the needs of one agency or, sometimes, a small group of agencies. They generally represent lower risk.
The tier is determined through a combination of a weighted priority score and the estimated total cost to implement the proposal. The weighted priority score is calculated through a DTA-led assessment of more than 16 factors which canvass implementation risk and complexity, strategic importance, and the consequences of delivery failure. The DTA conducts this assessment in consultation with relevant agencies.
Estimated total cost and respective tier

| Weighted priority score | $0 to $10 million | $11–$50 million | $51–$150 million | $151–$400 million | >$400 million |
|---|---|---|---|---|---|
| 0.0–1.9 | 3 | 3 | 3 | 2 | 2 |
| 2.0–2.4 | 3 | 3 | 2 | 2 | 2 |
| 2.5–2.9 | 3 | 2 | 2 | 2 | 1 |
| 3.0–3.4 | 2 | 2 | 2 | 1 | 1 |
| 3.5–3.9 | 2 | 2 | 1 | 1 | 1 |
| 4.0–5.0 | 2 | 1 | 1 | 1 | 1 |
Depending on the tier your investment is assigned, different minimum assurance planning, assurance implementation and escalation protocol requirements will apply. To confirm your investment tier, please contact investment@dta.gov.au.
Assurance planning requirements