Assurance
Assurance provides confidence that a project or programme is on track to deliver its objectives, that risks are being managed, and that governance is functioning effectively. It is a critical element of project governance that protects investment and supports informed decision-making.
What is Assurance?
Assurance vs Audit
These terms are often confused but serve different purposes.
| Aspect | Assurance | Audit |
|---|---|---|
| Purpose | Confidence that things are on track | Compliance with rules and standards |
| Timing | Ongoing and forward-looking | Point-in-time and backward-looking |
| Tone | Supportive, improvement-focused | Investigative, compliance-focused |
| Output | Recommendations and confidence levels | Findings and compliance ratings |
| Relationship | Collaborative | Independent |
| Frequency | Continuous or at key stages | Periodic, often annual |
The Three Lines Model
Modern assurance is structured around three lines of defence (or, more recently, the Three Lines Model endorsed by the Institute of Internal Auditors).
[Diagram: Management Controls → 2nd Line: Oversight & Challenge → 3rd Line: Independent Assurance]
Lines of Assurance Explained
| Line | Provider | Activities | Independence |
|---|---|---|---|
| 1st Line | Project team, project manager | Self-assessment, quality reviews, team retrospectives, checkpoint reports | Low – assuring own work |
| 2nd Line | PMO, programme office, functional management | Standards compliance, health checks, peer reviews, dashboard reviews | Medium – within the organisation |
| 3rd Line | Internal audit, external reviewers, IPA | Independent reviews, gateway reviews, audits | High – fully independent |
Assurance Planning
An Assurance Plan (sometimes called an Assurance Strategy) sets out how assurance will be applied across the lifecycle of a project or programme.
Assurance Plan Content
| Section | Description |
|---|---|
| Scope | What is being assured (project, programme, portfolio) |
| Objectives | What the assurance aims to achieve |
| Approach | Methods to be used (reviews, health checks, audits) |
| Schedule | When assurance activities will take place |
| Roles | Who will conduct and commission assurance |
| Reporting | How findings will be reported and to whom |
| Escalation | How critical findings will be escalated |
| Budget | Resources allocated for assurance activities |
Assurance Across the Lifecycle
| Stage | Assurance Focus | Typical Activities |
|---|---|---|
| Startup / Initiation | Is the project set up for success? | Business case review, mandate review, initial risk assessment |
| Planning | Are plans robust and achievable? | Plan review, resource validation, dependency analysis |
| Delivery | Is the project on track? | Health checks, stage gate reviews, quality reviews |
| Transition | Is the output ready for service? | Readiness assessments, go/no-go reviews |
| Closure | Were objectives met? Lessons captured? | Post-implementation review, benefits review, lessons learned |
Gate Reviews
Gate reviews (also called stage gates or decision gates) are formal assurance checkpoints at key transition points in the project lifecycle.
Purpose of Gate Reviews
Gate reviews provide a structured opportunity to:
- Assess whether the project should proceed to the next stage
- Confirm that deliverables from the current stage are complete and of sufficient quality
- Validate that the business case remains viable
- Confirm stakeholder support and resource availability
- Identify and address risks before they escalate
Gate Review Process
[Diagram: Evidence Pack → Review Panel Convenes → Team Presents & Panel Questions → Decision. Decision outcomes: Proceed → Approve with Conditions; Rework → Return for Remediation; Stop → Close or Pause Project]
Gate Review Outcomes
| Outcome | Meaning | Action |
|---|---|---|
| Green – Proceed | Confidence that the project is on track | Proceed to next stage |
| Amber/Green – Proceed with conditions | Minor concerns that need addressing | Proceed; address conditions by agreed date |
| Amber/Red – Conditional proceed | Significant concerns; proceed at risk | Remediation plan required before substantive progress |
| Red – Do not proceed | Critical issues; project should not continue | Stop; major rework or closure decision required |
Health Checks
Health checks are lighter-touch assurance activities that assess the overall health of a project at a point in time. They are less formal than gate reviews and can be conducted more frequently.
Health Check Dimensions
| Dimension | What to Assess |
|---|---|
| Leadership and governance | SRO engagement, board effectiveness, decision-making quality |
| Scope and requirements | Clarity, stability, change control |
| Planning and scheduling | Realism, resource alignment, critical path management |
| Risk and issue management | Risk identification, mitigation effectiveness, issue resolution |
| Stakeholder engagement | Satisfaction, communication effectiveness, buy-in |
| Financial management | Budget tracking, forecasting accuracy, value for money |
| Benefits management | Benefit identification, tracking, realisation planning |
| Team capability | Skills, capacity, morale, retention |
| Delivery progress | Milestone achievement, quality of deliverables |
RAG Rating Criteria
| Rating | Criteria |
|---|---|
| Green | On track; no significant issues; high confidence in delivery |
| Amber | Some concerns; risks to delivery exist but are being managed; remedial action in place |
| Red | Significant concerns; delivery at serious risk; intervention required |
Peer Reviews
Peer reviews bring experienced practitioners from other projects or organisations to provide an independent perspective.
Benefits of peer reviews:
- Fresh eyes identify blind spots the team has become accustomed to
- Sharing of good practice across the organisation
- Less formal and less threatening than external assurance
- Professional development for both reviewers and the team
Conducting a peer review:
- Define the scope and questions the review should address
- Select reviewers with relevant experience (not from the same project)
- Provide documentation in advance (PID, plans, risk register, reports)
- Schedule interviews with key team members and stakeholders
- Reviewers produce a findings report with recommendations
- Team creates an action plan to address findings
Independent Assurance
Independent assurance is provided by parties with no connection to the project delivery. This includes internal audit, external consultants, and government bodies.
IPA Framework (UK Government)
The Infrastructure and Projects Authority (IPA) conducts assurance reviews on major government projects and programmes. The IPA framework is widely regarded as good practice and can be adapted for any organisation.
| IPA Review | Timing | Focus |
|---|---|---|
| Starting Gate | Before formal approval | Is the initiative viable? Is the business case sound? |
| Gate 0 – Strategic Assessment | Programme level | Is the programme set up correctly? |
| Gate 1 – Business Justification | End of initiation | Is the business case robust? |
| Gate 2 – Delivery Strategy | End of planning | Is the delivery approach sound? |
| Gate 3 – Investment Decision | Before major spend | Should the investment proceed? |
| Gate 4 – Readiness for Service | Before go-live | Is the solution ready? Is the organisation ready? |
| Gate 5 – Operations Review | Post-implementation | Are benefits being realised? |
IPA Delivery Confidence Assessment (DCA)
The IPA uses a Delivery Confidence Assessment to rate projects.
| DCA Rating | Description |
|---|---|
| Green | Successful delivery of the project to time, cost and quality appears highly likely |
| Amber/Green | Successful delivery appears probable; however, constant attention will be needed |
| Amber | Successful delivery appears feasible but significant issues exist requiring management attention |
| Amber/Red | Successful delivery is in doubt with major risks or issues apparent in several key areas |
| Red | Successful delivery appears to be unachievable; there are major issues which, at this stage, do not appear to be manageable or resolvable |
Assurance Reporting
Assurance findings must be reported clearly and acted upon to have value.
Reporting Principles
- Be honest – assurance is worthless if it tells stakeholders what they want to hear
- Be specific – vague findings lead to vague responses
- Be constructive – pair findings with practical recommendations
- Be proportionate – focus on material issues, not trivia
- Be timely – late findings cannot influence decisions
Assurance Report Structure
| Section | Content |
|---|---|
| Executive summary | Key findings and overall confidence level |
| Scope and methodology | What was reviewed and how |
| Findings | Issues identified, categorised by severity |
| Recommendations | Specific, actionable suggestions for improvement |
| Good practice | What is working well (essential for credibility and morale) |
| Action plan | Agreed responses to recommendations with owners and dates |
Common Assurance Findings
The following issues are frequently identified across projects and programmes.
| Finding | Description | Typical Recommendation |
|---|---|---|
| Weak business case | Benefits not quantified, assumptions untested | Strengthen the business case with evidence-based benefits |
| Optimism bias | Plans are unrealistic on cost, time, or benefits | Apply reference class forecasting; add contingency |
| Inadequate risk management | Risks generic, mitigations weak, register not maintained | Refresh the risk register; assign owners; review regularly |
| Scope creep | Scope expanding without formal change control | Implement change control process; re-baseline if needed |
| Stakeholder disengagement | Key stakeholders not involved or not supportive | Refresh the stakeholder engagement plan; sponsor intervention |
| Resource gaps | Critical roles unfilled or under-skilled | Recruit, upskill, or procure; escalate if unresolved |
| Poor governance | Boards not meeting, decisions not recorded, escalation absent | Strengthen governance framework; terms of reference for boards |
| No benefits management | Benefits identified but not tracked or owned | Appoint benefits owners; create a benefits realisation plan |
Assurance Maturity
Organisations can assess the maturity of their assurance capability using a maturity model.
| Level | Name | Characteristics |
|---|---|---|
| 1 | Initial | Ad hoc assurance; no formal plan; reactive approach |
| 2 | Developing | Some assurance activities in place; inconsistent application |
| 3 | Defined | Assurance plan in place; consistent methods; regular reporting |
| 4 | Managed | Assurance integrated into governance; lessons learned applied; metrics tracked |
| 5 | Optimising | Continuous improvement; benchmarking against best practice; assurance drives strategic decisions |
Assurance Checklist
| Criteria | Yes / No |
|---|---|
| An Assurance Plan exists and has been agreed by the SRO | |
| All three lines of assurance are active and resourced | |
| Gate reviews are scheduled at key lifecycle transition points | |
| Health checks are conducted at regular intervals | |
| Assurance findings are reported to the project board | |
| Recommendations are tracked with owners and due dates | |
| The assurance approach is proportionate to the project’s risk and complexity | |
| Peer reviews are used to share good practice | |
| Independent assurance has been commissioned where appropriate | |
| The team views assurance as supportive, not adversarial | |
Related Resources
- Meeting Management – running effective governance meetings and boards
- Organisational Structure – governance structures and reporting lines
- Project Healthcheck – conducting project health checks
- Quality Planning – quality management for projects
- Risk Register – risk identification and management
- End of Project Report – closure reporting and lessons learned