All-of-Government Portfolio, Programme and Project Assurance Framework
The purpose of the All-of-Government (AoG) Portfolio, Programme and Project Assurance Framework is to support agencies to implement a fit-for-purpose assurance approach for digital investments.
‘Effective assurance provides confidence to the Chief Executive and other key stakeholders, including Ministers, that the expected investment outcomes and benefits will be achieved.’
The framework is supported by detailed guidance and templates to help agencies apply the principles of good assurance.
The target audience for the framework is:
- Senior Responsible Owners (SROs) and governance bodies
- Project and programme managers
- Internal Audit functions
- Enterprise Portfolio or Programme Management Offices.
Our definition of assurance
‘An independent and objective assessment that provides credible information to support decision-making.’
The key words in our definition are ‘independent and objective’. There are varying degrees of independence and objectivity, but assurance is most effective when it is integrated across all ‘three lines of defence’:
- The first line of defence is the day-to-day project management processes and controls you have in place, including quality management.
- The second line of defence is the governance and oversight arrangements that exist, including clear and signed-off terms of reference for all governance bodies.
- The third line of defence is the independent assurance you obtain from internal (such as Internal Audit) and third party assurance providers.
The focus of our framework is on assurance that is performed by competent and impartial people outside of the delivery team (that is, at the second and third lines of defence). Examples of assurance activities within the scope of our framework include:
- Regular governance and oversight activities, such as governance meetings, executive project status reports, Audit and Risk Committee oversight
- Health checks performed by an internal EPMO
- Risk reviews performed by an internal Risk function
- Internal audit reviews
- Third party assurance reviews, including Independent Quality Assurance (IQA) and Technical Quality Assurance (TQA) reviews
- Quantitative risk analysis
- Gateway reviews.
The framework is mandated for the following agencies:
- Public service departments
- Non-public service departments
- District health boards
- Certain crown entities (ACC, EQC, NZQA, NZTA, HNZC, NZTE, TEC).
Note that the framework is not limited to the above agencies. It can be used by any agency or organisation as a guide to good assurance practice to support the successful delivery of investments to grow New Zealand’s economy and enhance the wellbeing of its people.
The framework applies to all digital investments. As a guiding principle:
‘An investment is defined as a digital investment if it utilises technology as the primary lever for achieving the expected outcomes.’
This is typically an investment that has a significant technology component. Note that for the purposes of the framework, digital investments are assumed to include the following types of investments:
- Investments that are looking to transform the way in which citizens interact with government – these investments will likely use technology to provide services in new and innovative ways
- Investments that are looking to improve the efficiency and effectiveness of business operations – these investments will likely use technology in more traditional ways to automate tasks.
GCDO assurance oversight role
The GCDO has a core responsibility to provide Ministers and other key stakeholders with confidence that the system of assurance supporting digital government outcomes is effective. To enable the GCDO to fulfil this responsibility, the System Assurance team has an independent assurance oversight role over high risk digital investments to ensure:
- They have fit-for-purpose assurance plans in place
- They obtain high quality assurance information to support decision-making.
This requires us to work closely with SROs and the monitoring agencies of high risk digital investments to provide assurance planning advice and support.
Whether an investment falls into the high risk category will be assessed as part of the Treasury’s Risk Profile Assessment (RPA) process. While the RPA process assesses the inherent risk to the system, we encourage agencies to follow the principles of good assurance and supporting guidance and templates for all of their digital investments, regardless of whether they are high risk or not.
Core expectations of agencies
The following core expectations of agencies apply to high risk digital investments. However, the System Assurance team is happy to provide assurance planning advice and support to agencies for non-high risk digital investments. In particular, we encourage agencies with an Investor Confidence Rating of C or below to contact us.
All high risk digital investments must:
- Attend an initial SRO briefing with the System Assurance team and agree an ongoing engagement plan
- Have an up-to-date and fit-for-purpose assurance plan in place that has been endorsed by the governance body and Internal Audit and approved by the SRO
- Submit the following artefacts to the System Assurance team for a quality review to ensure that they are fit-for-purpose and meet the GCDO’s quality standards:
  - Assurance plans
  - Terms of reference for independent assurance reviews
  - Assurance reports
- Use the GCDO Assurance Services Panel for third party assurance reviews (all applicable agencies are required to use the GCDO Assurance Services Panel regardless of whether the digital investment is high risk or not).