Guidance

Digital and technology spend control version 6

Published 23 February 2024

What the digital and technology spend control is for and how it works

Spend controls exist to provide functional assurance of central government spending. This is in order to achieve greater efficiency and better outcomes across the whole of government. This is explained more in the Cabinet Office controls policy.

The Central Digital and Data Office (CDDO) is responsible for the digital and technology spend control with assurance that focuses on:

  • following digital standards to make services better and cheaper to run
  • eliminating duplication of digital spend across government and organisations
  • making sure that activities are aligned with the government’s digital strategy
  • helping novel, complex and high-risk activities succeed

Your department may have extra internal controls that you must comply with as well. You should ask your departmental assurance teams for guidance and to find out if there are other requirements that your organisation wants you to meet.

Pipelines

The digital and technology spend control is based on central government organisations maintaining a forward-looking pipeline of planned digital and technology spend.

Your organisation’s assurance function will provide assurance of your plans and activities. They will consider risks and how well the proposed activity and your approach complies with digital and technology standards used for assurance. These standards are intended to make sure projects are successful in meeting their objectives. You must follow these standards from the outset in order to put yourself in a good position for getting approval for your spend request.

Check when spend approval is needed

You must make sure that you get spend approval before committing to any digital or technology spend which is above the spend thresholds.

Spend thresholds to be aware of

CDDO has certain thresholds that apply depending on what it is you want to do and how much you want to spend. This applies to all spend requests, including business as usual (BAU) activities.

The thresholds apply to the spend amount that you want approval for. If this amount is not the full anticipated cost, then you need to make clear any potential projected spend in the supporting information you provide with the spend request. If your spend request is below the threshold but the potential whole life cost is above the threshold, then you must also submit your spend request for approval.

Your spend is related to | You must get approval if you’re planning to spend more than
A public facing service | £100,000
All other digital, data and technology products and services | £1,000,000
Crypt-Key in accordance with the Crypt-Key Control | £0

If you are not sure which of the above thresholds apply to your spend, please get in touch with your organisation’s internal assurance team or your nominated CDDO adviser. You can contact the CDDO assurance team using the following email address: cddoassurance@digital.cabinet-office.gov.uk.

Spend approval points

You need to get approval at important points of your planned spend timeline. Approvals must be sought at the following stages:

Any approval you ask for will be based on your progress to date and includes any changes you’ve made to your planned approach going forward.

Digital and technology standards used for assurance

Digital and technology assurers will apply their professional judgement when reviewing cases, whether they are part of your organisation’s assurance function or CDDO’s.

They will take into consideration the value for money of the proposal and the following standards and guidance:

If you are building a service, you should check if you need to meet the Service Standard or get an assessment.

The level of detail in the evidence you provide should be proportionate to the risk, size and complexity of your spend activity. This will help digital and technology assurers easily find the important information they need to review your spend case.

Assurers may ask you follow-up questions or ask for more information. This can be necessary before giving you a response to your approval request. It is important that you answer their requests in full and in a timely manner to avoid delays.

How to get approval to spend

You must submit your digital and technology case on the get approval to spend service when you start to plan or up to 12 months before you expect to start spending. You can continue to add information as you develop your plans.

Your organisation will have the option to bulk upload cases through your internal assurance team. The service also allows for any appropriate person from the organisation to load individual cases. This might be a delivery professional with budget responsibilities, someone they delegate to, or an assurance professional.

You will use the get approval to spend service and go through the steps to determine a:

  • risk and importance rating which will determine a high, medium or low rating of your case
  • assurance rating which will establish if your spend is meeting standards and help determine whether your case is rated as assure, monitor, control or pending

An assurance board will review your information and you will be given a spend approval decision with an outcome of either approved or rejected.

If your case needs to be reviewed by CDDO then there is a 28 day service level agreement (SLA) in place. This starts at the point at which CDDO is satisfied that sufficient information has been provided for assurance. If CDDO has any clarification questions, the 28 day SLA will pause, only starting again when CDDO is happy that they have a full answer.

Risk and importance rating

Cases are scored against the risk and importance criteria using the risk and importance framework on the get approval to spend service. These ratings form part of the overall assessment for a digital and technology case, helping to determine how the case will ultimately be assured and approved.

Your case will be given one of these risk and importance ratings:

  • high
  • medium
  • low

The rating is calculated automatically as part of the submission. You will be told if your case has a high, medium or low rating.

High risk and importance

If your request is scored as being of high risk and importance, CDDO needs to be consulted in the assurance rating. This will include supporting your organisation’s assurance function and helping to decide what level of assurance a case receives.

Medium risk and importance

If your request is scored as being of medium risk and importance, CDDO needs to be involved in the assurance rating. The only exception is if CDDO has granted your organisation greater autonomy for spend assurance decisions. The get approval to spend service will tell you if this applies to your organisation.

Low risk and importance

If your request is scored as being of low risk and importance, no further assurance is needed from CDDO. You can proceed with the spend in accordance with any internal governance or assurance processes.

For the vast majority of cases these are areas of low complexity, repeat, commoditised or routine spend that are required to support business as usual (BAU) activities.

Assurance rating

After the risk and importance rating is determined, the digital and technology assurers will assign an assurance rating. The ratings applied are as follows:

  • assure
  • monitor
  • control

Assure

A rating of ‘assure’ means that a spend case meets digital standards and there are no concerns about the successful delivery of the expected outcome.

Monitor

A rating of ‘monitor’ means a spend case has delivery or technical challenges which need further action before it can be classed as ‘assure’.

Control

A rating of ‘control’ means a case is novel, complex or contentious and will need further assurance before it can be approved.

If your case does not have enough detail, or more information is needed to assess the case, it will remain as a ‘draft’.

When you are notified of the outcomes of your spend request, the assurance rating may come with conditions. For example, you may be asked to do something else, such as a service assessment. If there are conditions, you will be asked to report on progress and demonstrate that you have met them.

High risk or control cases

Cases that are high or medium risk will be assured by your organisation’s assurance board involving your CDDO adviser. This could result in the rating being changed to ‘control’. An example is a case that is misaligned to standards or is contentious.

Control cases will be assured in more detail by your organisation’s assurance function against the strategic commitments, and if the spend relates to a service, the service standards.

Earned autonomy is where CDDO gives greater autonomy in digital and technology spending to organisations with a high level of assurance capability, for low and medium risk cases as described in the risk and importance framework. This means that the organisation’s assurance function does not need CDDO involvement in approving low and medium risk cases.

If your organisation is operating with Earned Autonomy you still need to complete a service assessment where necessary. You can check if you need to meet the Service Standard or get an assessment.

Cases that are submitted to CDDO will be approved by either your organisation’s CDDO adviser or the CDDO assurance board depending on the level of risk of that case.

Outcomes of your spend request

The possible outcomes of your digital and technology spend request are:

  • approved
  • approved with conditions
  • rejected

Request approved

Your case has been approved with no conditions and you can proceed with the spend.

Request approved with conditions

Your case has been approved with conditions that will need to be met to improve the planned spend. You will need to complete the conditions before you apply for approvals again.

Request rejected

Your case has been rejected. You may need to resubmit your case with additional detail or explore different ways to do what you were planning.

Your CDDO adviser will support you through this resubmission.

If your assurance board provides you with an outcome rated as assure or monitor, and there are no conditions that must be met prior to starting work, you may proceed with spending. Cases rated as control will require further scrutiny by CDDO.

Ministerial cases and process

Certain cases that represent significant risk, expenditure or are highly contentious may be flagged to a Cabinet Office minister for spend approval.

Your CDDO adviser will manage the ministerial approval process for you and communicate the results.

Control cases that are determined by CDDO to need Cabinet Office ministerial approval will be assessed at the ministerial spend control panel. CDDO will provide advice and recommendations to the minister for approval.

Setting up a digital assurance function

Your organisation is expected to set up an assurance function as outlined in the digital functional standard.

This expectation includes partner organisations that have capacity to assure their digital programmes.

If your organisation does not have its own assurance function or can’t use another organisation’s, you still use the get approval to spend service for approvals. CDDO will review the case and engage with you directly on managing the assurance of the case.

To use the digital and technology spend control process, your organisation’s assurance function must:

Crypt-Key Control

Within the digital and technology spend control process, the Cabinet Office monitors all investment in Crypt-Key above a threshold of £0. Any spend on Crypt-Key needs to be assured by the National Cyber Security Centre’s National Crypt-Key Centre, to make sure that spend is aligned with the National Crypt-Key strategy. This is in addition to the digital and technology assurance as defined in the rest of this policy.

If this applies to you, contact your organisation’s Crypt-Key lead and CDDO adviser to ensure compliance with the Crypt-Key spend controls. You can contact spendcontrols@ncsc.gov.uk if you do not know who your Crypt-Key organisational lead is.

Contact

Email cddoassurance@digital.cabinet-office.gov.uk for questions on the digital and technology spend control process.