Chapter 6 explores Assurance as a post-budget state of the IOF, focused on delivering digital and ICT investments in a timely, cost-effective manner that realises the intended benefits. It will analyse the state’s strengths in monitoring and reporting for early identification of at-risk projects, escalation protocols in the Assurance Framework, and consideration of benefits realisation during project delivery. It will also analyse opportunities to better support agency compliance with the IOF, build a more proactive monitoring regime, and secure more sustainable funding for escalation protocols.
Digital Government in Australia
Enhancing Digital Investment
Abstract
Assurance is one of the post-budget states of the IOF, which is focused on the delivery of digital and ICT investments in a way that is timely, cost-effective, and realises the intended benefits of the investment. The strengths of the Assurance state include its monitoring and reporting for early identification of projects at-risk, inclusion of and activation of escalation protocols during project delivery, and its consideration for benefits realisation at the delivery stage of a digital or ICT project. As the DTA looks to further develop the IOF, there is an opportunity to further mature its Assurance state by supporting agencies’ compliance, building a more proactive monitoring regime, and in securing more sustainable funding for the escalation protocols.
Assurance is one of the post-budget states of the IOF, which is focused on the delivery of digital and ICT investments in a way that is timely, cost-effective, and realises the intended benefits of the investment (DTA, 2024[1]). This is done through the development of agency Assurance Plans (see Box 6.1) and Assurance Framework (see Box 6.2) that were developed based on global best practices to enable the DTA to create a system of risk-based assurance for digital and ICT investments, with monitoring and regular reporting to Government. In this way, the Assurance state works to (DTA, 2024[1]):
implement (and revise) the assurance plans defined in the Contestability state throughout deliver.
work with agencies to set tailored governance for more successful project delivery.
maintain clear escalation protocols for early remediation of any projects of concern.
provide robust reporting of the status of in-flight projects across the public administration.
However, it is important to note that this process does not start once an investment is already in the delivery phase – rather planning for this started in Prioritisation state, and then was formalised in the Contestability state as part of the Assurance Plan that was assessed alongside the funding proposal (DTA, 2023[2]). Further detail on the use of Assurance Plans is provided in Box 6.1 below:
A key integration between the Contestability and Assurance states, the Assurance Plans ensure that the agencies will implement robust assurance measures to support the successful delivery of their digital and ICT investments. Developed with the DTA in the Contestability state, agencies develop Assurance Plans for consideration prior to an investment proposal being submitted to Cabinet for approval and funding. As the proposal moves into a project delivery phase, the DTA then works with agencies to ensure that the Assurance Plans are being followed and that agencies meet their ongoing reporting and engagement requirements outlined in the plans.
There are 3 different templates for the Assurance Plans, which the DTA has tailored with minimum requirements according to the size and complexity of a digital or ICT investment (see Figure 6.1). To complete these templates, the agencies provide an overview of the investment and its expected outcomes, the governance structure for the project, approach to assurance, demonstration of lessons learned from previous projects, management of key risks and issues, and the activities, timeline, and roles and responsibilities for an effective assurance framework.
Source: Documents provided by the DTA.
As part of the Assurance state, the DTA will monitor the implementation of funded digital or ICT investments that are within the scope of the IOF. These investments are classified into three tiers based on their risk profile (DTA, 2023[3]). These tiers include:
Tier 1 – Flagship Digital Investments: for the most complex and strategically significant digital investments, responsible for transforming the experience of people and businesses.
Tier 2 – Strategically Significant Digital Investments: for complex and strategically significant digital investments which may not have the same whole-of-government emphasis or the same criticality to the digital agenda as Tier 1 investments.
Tier 3 – Significant Digital Investments: for significant digital investments, that are likely focussed on meeting the needs of one agency or, sometimes, a small group of agencies.
For each of these tiers, there are then a set of minimum requirements for agencies to comply with to provide the DTA with the necessary oversight to monitor the delivery of the investments and provide advice to Government on its status. These requirements are outlined in Figure 6.1 and include regular updates to their Assurance plans (with frequency varying based on the classification), Delivery Confidence Assessment (with frequency varying based on the classification), reporting on any material variations to the assurance arrangements, and DTA’s involvement in the governance and sourcing arrangements for those investments in the top tiers (DTA, 2024[4]). By making the minimum requirements commensurate with the scale of the overall investment, the DTA minimises unnecessary administrative burden for those investments that are smaller and considered to have a lower risk profile.
Source: (DTA, 2024[4])
More information on these requirements is included in Box 6.2 below:
The DTA’s Assurance Framework provides a robust assurance regime that includes:
Principles for good assurance, to encourage agencies to plan for assurance, drive good decisions, have expert-led and independent assurance, set culture and tone at the top, and focus on risks and outcomes.
Defining a senior responsible officer, to provide accountability and champion assurance.
Classification of investments into 3 ‘tiers’ based on the size, risk, and priority of investment.
Planning and Implementation requirements, tailored to the different tiers and \a delivery confidence assessment for in-flight projects (see Figure 6.2).
Escalation protocols for at-risk investments to either help remediate issues, provide an independent health check, or to have a formal review to decide whether to rework, suspend, or terminate an investment.
Source: (DTA, 2024[4])
Finally, as part of this Assurance Framework, the DTA will monitor delivery confidence based on the independent assurance activities and Delivery Confidence Assessment (DCA) which provide an indication of the likelihood of successful delivery of a project based on its progress towards delivering its intended outcomes and benefits. The different ratings (shown in Figure 6.2) provide a model for consistent and objective assessments of these projects, including to identify when the escalation protocols (discussed in the followings section) should be triggered (DTA, 2024[4]).
Source: (DTA, 2024[4])
This DCA is supported by guidance to agencies on ‘Assessing Delivery Confidence of Digital Projects’ that was developed with the University of Sydney’s John Grill Institute for Project Leadership to provide best practice guidance to maximise the success delivery of digital and ICT projects. This guidance aims to enhance the consistency and understanding of DCA ratings for digital or ICT projects by addressing challenges, providing guidelines for assurance reviewers, defining tolerance levels for rating categories, and improving the capability of users such as Senior Responsible Officers and steering committees (DTA, 2024[5]).
The strengths of the Assurance state include its monitoring and reporting for early identification of projects at-risk, inclusion of escalation protocols in the Assurance Framework, and its consideration for benefits realisation at the delivery stage of a digital or ICT project.
Monitoring and reporting for early identification of projects at-risk
As part of the DTA’s reporting to the Government, the DTA reports biannually on the state of the digital and ICT investment portfolio, which is provided to the Government and senior portfolio officials. The reports draw on a range of data from across the states of the IOF and the agencies’ Assurance Plans, which is then used to identify any issues or common delivery challenges that need to be addressed – both for in-flight projects at-risk, but also to feed this information into the planning for future investments. The reporting also ensures that there is access to high-quality information that feeds back into the Strategic Planning, Prioritisation, and Contestability states (DTA, 2023[2]). This biannual reporting is also supported at the Assurance state by frequent internal reporting to the Minister for Finance on the status of projects experiencing delivery challenges, and annual public reporting through the Major Digital Projects Report, detailing each of the digital projects captured under the Assurance Framework.
Further, a strength of this monitoring framework is the state’s tiering of investments based on risk, cost and complexity (see Figure 6.1) to ensure that the assurance requirements are proportionate to the profile of the investments, as well as setting clear requirements that are then integrated into the governance of these projects to improve their overall likelihood of success.
Inclusion of escalation protocols in the Assurance Framework
A key part of the Assurance Framework is the inclusion of escalation protocols, which mean that investments which encounter difficulty during delivery will receive additional DTA oversight and support. These Assurance escalation protocols focus on supporting agencies in the timely resolution of delivery challenges experienced by their investments, as well as keeping Ministers and senior leaders informed of digital projects that are experiencing delivery challenges (DTA, 2023[6]). Before applying the protocols, the DTA will engage with the lead agency to further understand sources of stress and how the DTA can best support recovery. This stage, known as triage, will ultimately determine whether escalations protocols are necessary and which protocol is the most appropriate. Escalation protocols are triggered based on an investment’s Delivery Confidence Assessments (DCAs) and other relevant assurance information. If still required, there are three escalation protocols that be applied, including:
Remediation Plan: where the agency prepares a structured, evidence-based plan to restore delivery confidence. The plan must be action-oriented, with clear individual accountability for implementation, which is assessed by the DTA
Independent Health Check: where an independent assurer is engaged by the agency (in consultation with the DTA), to independently assess the viability of recovering the project based on its Remediation Plan, recommending any changes to the plan if required. The health check is triggered at the DTA’s discretion when efforts to remediate the investment (including application of the Remediation Plan) have been unsuccessful and delivery confidence is Medium-Low or below.
Investment Review Meeting: where the DTA would convene – as a final measure – a meeting of the delivery agency and representatives from across the public administration to review the project and recommend to the Government whether to terminate, suspend, or continue to remediate.
Consideration for benefits realisation
A key focus of Assurance is also to monitor how the expected benefits of a digital or ICT investment are being realised through its delivery. In line with the DTA’s Benefits Management policy (see Chapter 2) and the OECD’s work on benefits realisation, agencies are asked to ensure that these benefits are considered at the different decision points throughout the investment lifecycle. This includes managing and reporting on investment outcomes to deliver a return on the Government’s investment (DTA, 2023[2]). This is key to ensure both that the investments deliver what they were intended to deliver, but also to provide strong delivery confidence for future digital and ICT investments. It is a key indicator of a mature model for managing digital government investments.
As the DTA looks to further develop the IOF, there is an opportunity to further mature its Assurance state by supporting agencies’ compliance, building a more proactive monitoring regime, and in securing more sustainable funding for the escalation protocols.
Supporting agencies’ compliance with the Assurance state
Despite its mature approach, internal stakeholders raised that the Assurance state still faces limitations due to agencies’ buy-in and compliance that it will need to continue trying to improve over time. These stakeholders reported challenges in getting timely and meaningful reporting from agencies before projects are considered to be at risk. External stakeholders also raised that the Assurance state may require additional resourcing to provide the level of assurance that is expected, including with the right expertise in technology, finance, assurance, delivery of large projects, and government processes.
Challenges were also raised around agencies’ internal capacity to comply with the system of assurance. In addition to the DTA’s training with agencies – and particularly the value external stakeholders see in the training for Senior Responsible Officers – the DTA’s work to streamline processes, minimise data requirements, and modernising its technology should help to address this issue, demonstrating the value of the Assurance state as a genuinely supportive mechanism, fostering early and constructive engagement between agencies and the DTA.
Building a more proactive monitoring regime
Internal stakeholders raised that the DTA could further develop the Assurance state by building a more proactive monitoring regime. The system of assurance is currently dependent on the self-reporting done by agencies These stakeholders also identified opportunities through automated data ingestion from other sources to provide a fuller picture of the state of an investment, involving the DTA in assurance of demos or pilots early in the delivery stages, becoming more involved in assessing what is being delivered, and in conducting more root-cause analysis of delivery issues that arise.
To this end, the DTA is currently conducting a trial of a new Project Data Reporting Standard with agencies to streamline the collection of data, introduce minimum viable project data collection, and increase the quality, consistency and viability of critical project information. This has been achieved by standardising inputs into governance board meeting papers, which the DTA can then ingest for more accurate and real-time information on the status of projects. The DTA is also considering how AI could also be used organise these data inputs into structured data sets. This is a positive example of process modernisation that leverages data and technologies to streamline and simplify the requirements on agencies, and the DTA should therefore continue these efforts to finalise its implementation.
However, this is likely to require a significant uplift in the DTA’s role that would require additional support and funding from the Government should it be supportive of such an approach. Therefore, the DTA could build a a more proactive monitoring regime with automated data ingestion from more diverse sources, the use of pilots or demos to assess feasibility and readiness prior to full-scale development, and more root-cause analysis of delivery issues that arise. Further, it could also use this opportunity to build the case for an expanded Assurance regime by building an evidence base to demonstrate to what extent it improves the delivery of projects, including by demonstrating the impact on government and to citizens with the potential failure of digital and ICT investments. One approach could be to build the case for this expanded model by running an A/B trial to collect evidence around whether delivery outcomes for digital and ICT projects improved by involving the DTA in this way.
Securing more sustainable funding for the escalation protocols
While the inclusion of the escalation protocol is a strength, internal stakeholders highlighted that the use of the Independent Health Check is currently limited significantly due to a lack of sustainable funding.
More stable and centralised funding would ensure that the escalation protocols are enforceable and would avoid unnecessary funding pressure on projects that could already be experiencing funding pressures. This fund could help the DTA compete in the market for independent and qualified assurers for which there is currently a resource gap. This could also be supported by growing the capability in the market – supported by a training and accreditation program – for which this funding would also be necessary.
An alternative approach would be the French model described in Box 6.3, which uses either an internal team of assessors that is funded through DINUM’s annual appropriation, or a committee of representatives from different agencies – again based on existing resource allocation. As a contrast, the New Zealand example maintains reliance on the private sector for independent assurers but has created a procurement panel with pre-vetted assurers to make it easier for agencies to leverage this capability.
Therefore, the DTA could secure more sustainable funding for the escalation protocol for the Independent Health Check, either through an assurance levy to fund external assessors or with an increased annual appropriation to fund an internal team of assessors.
Monitoring over the lifecycle of France’s digital and ICT projects
France’s Interministerial Digital Directorate (DINUM) was tasked by the Prime Minister to guide, lead, support and co-ordinate the actions of France’s public administration to improve the quality, effectiveness, efficiency and reliability of its digital and ICT system. Each digital or ICT project with a value above EUR 9 million must be submitted to DINUM to assess the proposals, including their scope, objectives, resources, and delivery approach.
In the delivery phase of investments, DINUM continues to monitor projects through regular reporting (see Chapter 8). Where there are cases of concern over the delivery of major investments, DINUM can request that the responsible minister or Prime Minister authorise the Directorate to audit the project and issue tailored recommendations (provided back to the minister or Prime Minister) to resolve any issues. This is provided by an internal team within DINUM, which is funded through the Directorate’s standard budget allocation.
There is also another mechanism available where the risk level of a project is particularly high, whereby a council of representatives from different ministries (usually members of specialised audit teams) can be established to audit the project. This body is able to stop a project or cancel its budget, though the project manager would generally follow the advice of the council to rectify the issues before this is necessary. In this case, the resource cost of the council is borne by the agencies that agree to send a representative to be part of the body.
New Zealand’s System Assurance
In New Zealand, the Department of Internal Affair’s System Assurance team works collaboratively with government organisations to lift risk management and assurance capability. Part of this work is to provide independent assurance oversight over high-risk digital investments, which is funded internally. The intent of this is to have an oversight function “performed by competent people independent of the operation of the process or control who are not unduly influenced by key stakeholders.” (NZ Government, 2019[9])
The Department also manages a dynamic purchasing system for the procurement of 3rd party assurance services – the Government Chief Digital Officer Assurance Services Panel (GCDO Panel) – which gives agencies easy access to highly-qualified and independent assessors. This could provide the DTA with a model to more-easily identify similar assessors in the Australian market by having a procurement arrangement of pre-vetted assurance providers.
Source: (DIA, 2024[10]; DIA, 2023[11])
References
[8] beta.gouv.fr (2025), Discover the program, https://beta.gouv.fr/approche.
[10] DIA (2024), GCDO Assurance Services Panel, https://www.digital.govt.nz/standards-and-guidance/governance/system-assurance/gcdo-assurance-services-panel.
[11] DIA (2023), Role of the System Assurance team, https://www.digital.govt.nz/standards-and-guidance/governance/system-assurance/role-of-the-system-assurance-team.
[7] DINUM (2024), Panorama des grands projets numériques de l’État, https://www.numerique.gouv.fr/publications/panorama-grands-projets-si/.
[5] DTA (2024), Assessing Delivery Confidence of Digital Projects, https://www.digital.gov.au/sites/default/files/documents/2024-10/Assessing%20delivery%20confidence%20of%20digital%20projects%20v1.1.pdf.
[1] DTA (2024), Assurance, https://www.dta.gov.au/advice/digital-and-ict-investments/assurance.
[4] DTA (2024), Minimum Assurance requirements for investment tiers, https://www.dta.gov.au/sites/default/files/2023-03/Assurance_Minimum%20Reqts%20by%20Tier_March%202023_DTA_Acc.pdf.
[6] DTA (2023), Assurance Framework for Digital & ICT Investments, https://www.dta.gov.au/sites/default/files/2022-12/Assurance%20Framework_DTA_V2.1_091222_ACC.pdfhttps://www.dta.gov.au/sites/default/files/2022-12/Assurance%20Framework_DTA_V2.1_091222_ACC.pdf.
[3] DTA (2023), Assurance on Digital & ICT Investments (V2), https://www.dta.gov.au/sites/default/files/2022-07/Delivery%20Assurance%20on%20Digital%20Investments.pdf.
[2] DTA (2023), Ensuring digital investments have the best chance of success, https://www.dta.gov.au/blogs/ensuring-digital-investments-have-best-chance-success.
[9] NZ Government (2019), Assuring Digital Governemnt Outcomes, https://www.digital.govt.nz/assets/Documents/All-of-Government-ICT-Operations-Assurance-Framework.pdf.