Principles of good assurance
In moving to a principles-based framework, assurance becomes less about compliance and more about demonstrating good assurance thinking based on a clear understanding of risk and the outcomes being sought.
Our pocket guide to the principles of good assurance summarises the information on this page.
Pocket guide to the principles of good assurance (PDF 723KB)
The System Assurance team has developed a set of principles for good assurance practice based on our lessons learned. When applied, these principles support agencies with good practice assurance planning.
The principles should be tailored to enable a fit-for-purpose assurance approach based on the risk and complexity of the initiative.
‘A principles-based approach provides confidence in the delivery of outcomes without resulting in excessive levels of assurance.’
‘Assurance is not a one-time activity. It’s the way we do things here…’
- Assurance is planned from the outset and is monitored and iterated throughout the investment lifecycle.
- All business cases are supported by an assurance plan.
- Assurance activities are budgeted for in your business case!
- Assurance is integrated and operating effectively across all ‘three lines of defence’:
  - The first line of defence is the day-to-day project management processes and controls you have in place, including quality management.
  - The second line of defence is the governance and oversight arrangements that exist, including clear and signed-off terms of reference for all governance bodies.
  - The third line of defence is the independent assurance you obtain from internal (such as Internal Audit) and third-party assurance providers.
- Lessons learned from similar initiatives are incorporated into the assurance approach.
- Roles and responsibilities across assurance providers are clearly defined and coordinated to reduce the compliance burden on delivery teams.
- Risk assessments are undertaken when designing new systems, processes and policy, including for core delivery partner activities.
‘Assurance is adaptable to meet changes in scope, approach, solution or risk profile.’
- Significant changes to the scope, approach, solution, or risk profile of the initiative trigger a review of the assurance plan by the governance body.
- Assurance is tailored to the delivery approach. For example, in an agile or DevOps environment there may be greater reliance on assurance activities embedded into day-to-day project management and governance activities.
- The results of assurance activities are used to inform the forward assurance plan.
- Assurance covers inter-agency, sector and All-of-Government impacts, including stakeholder engagement activities, where a change initiative goes beyond the boundaries of the lead agency.
- The assurance plan is regularly reviewed by the governance body to ensure that it continues to be fit-for-purpose and that the agreed assurance activities are undertaken.
‘Assurance provides timely, credible information to inform key decisions.’
- There is a clear relationship between the planned assurance activities and key decision points:
  - critical milestones / off-ramps
  - contract stage gates
- Assurance reports are unambiguous and support informed decision-making based on an assessment of delivery confidence.
- Ongoing viability and alignment to strategic outcomes are assessed before moving to the next phase.
- Technical quality assurance is vital in assessing progress and quality, and should be planned for as early as possible in the lifecycle.
- Assurance covers business readiness to accept the change as well as technical implementation readiness.
‘Assurance assesses the risks to successful delivery and their impact on outcomes.’
- Assurance is risk-based; there is a clear link between the risks to achieving the investment outcomes and the planned assurance activities.
- Assurance is forward-looking and assesses delivery confidence rather than focusing solely on adherence to methodology.
- Due diligence is undertaken on vendors to identify risks to delivery such as capacity, capability, overreliance on key people, location of vendor (offshore, onshore), etc.
- Delivery is phased with clear and agreed off-ramps and acceptance criteria that measure real progress against outcomes.
- The governance body regularly reviews risks to ensure they are being managed in accordance with the agency’s risk tolerance level.
‘Assurance is performed by competent people outside of the delivery team who are not unduly influenced by key stakeholders.’
- Key members of the review team, who have the experience to effectively assure an investment of your scale and complexity, are identified in the terms of reference.
- Third-party assurance providers are subject to formal procurement processes.
- Any conflicts of interest are clearly identified and effectively managed, including:
  - personal relationships between agency and provider personnel
  - performing an assurance review where the provider has provided or is currently providing project management or technical services
  - fixing issues identified during the course of an assurance review.
‘Assurance roles and responsibilities at the governance level are understood.’
- Assurance roles and responsibilities are clearly documented in the governance body terms of reference.
- The composition of the governance body is regularly reviewed to ensure that it has the right skills and experience.
- Assurance artefacts (such as assurance plans, terms of reference for independent assurance reviews and assurance reports) are endorsed by the governance body and approved by the SRO.
- The SRO includes a management response to accept the findings in the assurance report or to record if there is a disagreement over a finding or recommendation.
- The governing body receives copies of all assurance reports in full.
- The status of issues raised in assurance reports is tracked and regularly reported to the governance body.