Queensland Government Enterprise Architecture ICT program and project assurance framework Final June 2016 V2.0.0 PUBLIC


Document details

Security classification: PUBLIC

Date of review of security classification: June 2016

Authority: Queensland Government Chief Information Officer

Author: Queensland Government Chief Information Office (QGCIO)

Documentation status: Working draft / Consultation release / Final version

Contact for enquiries and proposed changes

All enquiries regarding this document should be directed in the first instance to:

Queensland Government Chief Information Office

[email protected]

Acknowledgements

This version of the ICT program and project assurance framework was developed and updated by the Queensland Government Chief Information Office.

Feedback was also received from a number of agencies, which was greatly appreciated.

Copyright

ICT program and project assurance framework

Copyright © The State of Queensland (Department of Science, Information Technology and Innovation) 2016

Licence

This work is licensed under a Creative Commons Attribution 4.0 International licence. To view the terms of this licence, visit http://creativecommons.org/licenses/by/4.0/. For permissions beyond the scope of this licence, contact [email protected].

To attribute this material, cite the Queensland Government Chief Information Office.

The licence does not apply to any branding or images.

Information security

This document has been security classified using the Queensland Government Information Security Classification Framework (QGISCF) as PUBLIC and will be managed according to the requirements of the QGISCF.

Contents

1 Introduction

1.1 Purpose

2 Assurance profiling

2.1 Purpose

2.2 Process

2.2.1 Assurance profiling assessment criteria

2.2.2 Assurance levels

Level 1 assurance - Internal

Level 2 assurance - External to project

Level 3 assurance - External to department

Level 4 assurance - External to government

2.3 Practice

3 Assurance planning

3.1 Purpose

3.2 Process

3.2.1 Reviews within the assurance plan

3.3 Practice

4 Assurance reviews

4.1 Purpose

4.2 Process

4.3 Practice

4.3.1 Programs

Gate 0 - Strategic assessment

4.3.2 Projects

Gate 1 - Preliminary evaluation

Gate 2 - Readiness for market

Gate 3 - Investment decision

Gate 4 - Readiness for service

Gate 5 - Benefits realisation

4.3.3 Agile projects

4.3.4 Gateway overview

4.3.5 Review timeframe

4.3.6 Review team numbers

5 Assurance reporting

5.1 Purpose

5.2 Process

5.3 Practice

5.3.1 QGCIO reporting requirement

5.3.2 Overall Assurance report RAG status

5.3.3 Assurance report recommendation RAG status

6 References


Introduction

The establishment of consistent assurance processes provides confidence that programs and projects are committed to the successful delivery of initiatives and services across the Queensland Government.

The Queensland Government ICT program and project assurance framework provides a mechanism for independently reviewing and advising on ICT and ICT-enabled initiatives to ensure they represent value for money, are viable and are appropriately governed.

Please note, the use of the word 'initiative' throughout this document is intended to mean either program or project.

Purpose

This framework provides information on the process of assurance profiling, planning, reviews and reporting. Every program and project is different, and assurance should be applied sensibly and appropriately. Following the recommended actions for approaching assurance should result in timely initiative reviews that provide tailored advice and help to identify opportunities for successful delivery.

This document is broken down into the following sections that align with the recommended actions for approaching assurance:

assurance profiling

assurance planning

reviews

reporting.

Assurance profiling

Purpose

Assurance profiling is the first step in determining the appropriate assurance level and the degree of independence and scrutiny required to adequately address the complexity and impact implications that the program or project represents for service delivery.

Minor initiatives will attract an assurance level of 1, while critical initiatives will attract level 4. Therefore, as the assurance level increases, so too does the requirement for independent assurance analysis. This levelling will ensure appropriate assurance is applied to the initiative, therefore avoiding over- or under-assuring.

Process

Assurance profiling assessment criteria

The assurance profiling process analyses nine criteria to calculate an initiative's assurance level. Robust discussion of these characteristics with the Senior Responsible Owner (SRO) (and/or Project Executive) will assist in understanding the benefits of assuring the initiative and will increase focus on areas of concern.

Finance: The initiative is a significant financial investment. It involves significant time constrained funding.

Government policy: The initiative contributes to a major public service or government policy outcome, possibly involving legislative or policy changes.

Service delivery: The initiative is likely to directly impact front line or community government services and attract external (including media) interest.

Organisational change: The initiative involves substantial organisational change management considerations. It involves stakeholders outside of agency direct control whose buy-in and/or support may be required.

Duration: The initiative will be undertaken over an extended period or there are potential delivery challenges regarding duration. Example: the solution is not well-defined or has immovable dates.

Complexity: The initiative is innovative and not typical of an initiative undertaken by the agency. Example: it requires complex technology support and skills not available within the agency.

Security: The initiative involves sensitive information or operations requiring higher than normal security and business continuity considerations.

Stakeholder management: Delivery is regarded as challenging. Cross agency support may be required for successful delivery of initiative and realisation of benefits.

Governance: The complexity of the initiative is likely to require an increased governance, scrutiny and specialist management capability.

Assurance levels

Four assurance levels are defined. Each progressive assurance level supports an increasing level of assurance activity, scrutiny, and independence. The table below provides a summary of how assurance can be applied for each level and more detail is provided in the summaries following.

Table columns: Assurance | Within project | Within dept. | External to dept. | Supplier for major initiatives | Qld Treasury | Supplier for critical initiatives

Table rows: Level 1 - internal | Level 2 - external to project | Level 3 - external to department | Level 4 - external to government

Level 1 assurance - Internal

Level 1 represents the standard agency project level of assurance, primarily involving the Project Board and internal business area/s staff. This assurance level requires minimal assurance; however, reviews will still be scheduled and assurance planning is still required.

The reviews can be completed by staff working closely with the initiative or staff in the agency's portfolio/program/project office (PMO), etc.

Level 2 assurance - External to project

Reviews can still be conducted from within the agency, but must be external to the initiative to ensure quality levels are maintained. For example, reviews may be performed by a PMO, internal audit team or a suitable governing body. Involvement from senior management, independent from the business area, may also be required.

Level 3 assurance - External to department

External assurance is required at this level. You may consider:

using another department with an established assurance service team to undertake your assurance

the Queensland Treasury Gateway delivery function, which is suitable for initiatives with an assurance Level 3 - it is important to note that only reviews organised by the Queensland Treasury Gateway unit can use the term 'Gateway Review'

the Department of Science, Information Technology and Innovation (DSITI) also maintain the ICT services standing offer arrangement (Queensland Government employees only) which contains a list of suppliers under Program and Project Gated Assurance (major initiatives).

Level 4 assurance - External to government

This is the highest assurance level and requires independent providers of assurance services, external to government, for critical initiatives.

DSITI maintain the ICT services standing offer arrangement (Queensland Government employees only) which contains a list of suppliers under Program and Project Gated Assurance (critical initiatives).

Practice

Assurance profiling takes place when a new initiative is identified or when s