CIO Upfront: Independent Assurance on ICT projects: A legal perspective

CIO Upfront: Independent Assurance on ICT projects: A legal perspective

Michael Bywell, a lawyer with Minter Ellison Rudd Watts, considers the New Zealand government’s renewed focus on ICT project assurance and some of the key challenges when commissioning and undertaking this sort of work.

Smoking guns

This is another area to keep an eye on.

Legal questions could arise over the status of reports and other documents produced during the review process, particularly where they contain potentially damaging material: for example, admissions of fault (by interviewees) for problems experienced.

Are interview notes and reports (including drafts) protected by legal professional privilege or any other type of confidentiality?

Could the material be the subject of a successful Official Information Act (OIA) request?

What about production in any future legal proceedings between the agency or department and third parties?

These are not straight-forward questions to answer and review teams should seek the appropriate guidance, preferably before work begins (and before documents are generated).

At the same time, great care should be taken not to undermine the fundamental purpose of the exercise which is to report on an “open and candid” basis (to borrow and repeat the wording from the Major Projects Authority principles).

Problem areas need to be identified and flushed out in order that they can be addressed before it is too late.

Are interview notes and reports (including drafts) protected by legal professional privilege or any other type of confidentiality?

Australian support for assurance regimes

In Australia, support for the use of assurance regimes can be found in comments by The Hon Richard Chesterman QC in his 2013 report into the (disastrous) Queensland Health payroll system project: “[My recommendation is that] The Queensland Government apply an appropriate structure to oversee large ICT projects...

Whatever form of project management is adopted, it ought to have the following attributes:

... 2. they [i.e., the body and individuals given this responsibility] be vested with the authority to probe and report...

3. they have the ability to report to very senior public officials...and make recommendations, especially if deficiencies in project or contract management are detected

It should essentially have an assurance function [my emphasis added].”

See also the Australian government’s approach to assurance reviews and risk assessments generally.

I mention this for completeness because it fits with and supports the renewed focus on assurance here in New Zealand.

In conclusion, the New Zealand government’s renewed focus on assurance is a welcome move.

Independent assurance reviews are a handy risk management tool and should have a positive effect in this regard.

Independence is crucial and reports should be objective, open and candid.

The UK experience is instructive - it makes sense that those charged with responsibility for assurance reviews should have the power to drive change and that senior government officials should be asked to explain any decisions not to follow advice or recommendations made.

In setting up reviews, those involved should keep in mind that documents produced may not be protected by confidentiality at the end of the day – but, at the same time, ensure that reports remain open and candid in order that the purpose of the review exercise is not undermined.

Success on major projects is more likely where problems or issues are forced out and resolved at an early stage. History tells us that, in many cases, ICT failures could have been avoided (or at least mitigated) if steps had been taken at an early stage to face up to problems and, where required, re-set or re-baseline the program.

Michael Bywell is a consultant at law firm Minter Ellison Rudd Watts (

Send comments and contributions to CIO Upfront to

Follow Divina Paredes on Twitter: @divinap

Follow CIO New Zealand on Twitter:@cio_nz

Sign up for CIO newsletters for regular updates on CIO news, views and events.

Join us on Facebook.

Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags government CIOGovernment ICTpublic sector ciowellington

More about AssuranceFacebookGatewayMinter EllisonQueensland GovernmentQueensland Health

Show Comments