Assurance engagement terms of reference
As the complexity and risks of digital investments continue to grow, a well-developed engagement terms of reference is critical to ensuring high-quality assurance reports.
The System Assurance team plays a key role in ensuring the quality of assurance services provided to agencies by third-party assurance providers.
As part of this role, we review the quality of terms of reference for high-risk digital investments. We have identified the following lessons learned from our reviews to help you avoid some of the common pitfalls that we see.
- Be clear about the purpose of the review – avoid a long list of objectives and ensure they are focused, unambiguous and pertinent to the current delivery phase.
- Frame the terms of reference around specific risks – insist on a tailored and insightful review that assesses the impact of these risks on outcomes.
- Think about the questions that you want answered by the review – what areas of concern have been raised by the Senior Responsible Owner (SRO) and other key stakeholders, and how will these be answered by the review?
- Be clear about the scope and, more importantly, what is out of scope.
- Consider the particular skills and experience you want in a Lead Reviewer and/or review team and ensure that they have the requisite subject matter knowledge and expertise for the review. For example, do they have experience in the delivery methodology?
- Ensure the deliverables are clearly defined in the terms of reference – in particular, how will delivery confidence be assessed and recommendations prioritised? Refer to the GCDO’s report rating system if you don’t have your own.
- Ensure the terms of reference is approved at an appropriate level within the organisation – this should be the SRO or equivalent, such as Head of Internal Audit or Head of relevant Enterprise Portfolio or Programme Management Office.