Guidance

Quick Guide: Central Government’s Assurance Directory

Updated 3 June 2025

Introduction

Welcome to the Central Government’s Assurance Directory (CGAD) guide. This quick guide supports the CGAD as found on GOV.UK Orange Book Suite, and Part II of the Orange Book: Management of Risk – Principles and Concepts (the Risk Control Framework). It provides information on the contents of the CGAD, explains how to navigate each part and offers practical tips for its effective use.

The CGAD is your go-to, ‘one-stop’ Excel spreadsheet intended to cover all the standards, codes and guidance documents currently issued by the centre of government. First launched as the ‘RCF – Bank of Questions’ in April 23, it references, on a “best endeavours” basis, the most up-to-date versions of those documents or provides links to the latest web-browser HTML version.

As with the Orange Book, “one size does not fit all” when undertaking risk and assurance activities, and the question sets contained within the CGAD are not meant to be exhaustive. Instead, each organisation should adopt the assurance approach that best suits its own circumstances and environment, as determined by the Ministers, Permanent Secretaries, Accounting Officers (AOs) and Boards who direct, manage, and control their organisations.

Use the CGAD as a ‘guiding hand’ to help navigate those numerous standards, codes and guidance documents issued by the centre. Remember, the CGAD does not introduce new requirements; it simply facilitates the navigation of existing ones. 

For queries on the directory, its composition, or background to the RCF, please contact the Risk Centre of Excellence (RCoE), RiskCoe@hmtreasury.gov.uk, who own the CGAD. For queries related to the documents themselves, such as the functional standards, or other guidance documents within the CGAD, please contact the respective document owner. Contact details are provided within the directory.

Risk Centre of Excellence, Government Risk Profession

1. ‘At a Glance Guide’ to the Central Government’s Assurance Directory

  • The Central Government’s Assurance Directory (CGAD) is structured in 6 parts covering the Orange Book, the supplementary suite of risk management guidance, the Risk Control Framework, Functional Standards, other codes of conduct, standards and guidance, and Spotlight items.

  • The process below provides an ‘at-a-glance’ representation of the CGAD. Follow the sequence of blocks to help understand the relationship between the different parts. More details on using the directory, how to navigate the Excel spreadsheet and the directory contents are provided on the following pages.

1.1 Central Government’s Assurance Directory

Download the CGAD from Orange Book on GOV.UK. The spreadsheet contains the names of (and links to) assurance documents and relevant high-level assurance questions.

Part 1 Orange Book Principles

Use to structure your OB assurance and comply/explain statements. Contains 75 questions. These are the recommended minimum questions to ask.

Parts 2 to 6 Granular Questions

Use these to produce more granular evidence which may assist in answering the questions in Part 1 with greater confidence.

Part 2 Orange Book Guidance Documents

Questions relating to the OB guidance suite on GOV.UK. Greater granularity on Risk Appetite, Risk Reporting, Risk Management Skills & Capability, and Portfolio Risk Management.

Part 3 RCF Specific

More granular (but still high level) questions for each component - pillar and block - of the RCF.

Part 4 Functional Standards

Questions relating to the Functional Standards. More detailed assurance questions might also be provided by the Function/Profession leads (where known, hyperlinks are provided).

Part 5 Other Codes & Guidance

Questions covering aspects of 40+ other codes, standards and guidance issued by the centre of government.

Part 6 Spotlight Items

These might otherwise appear in Part 4 & 5 but are currently given more profile as ‘spotlight items’.

Having decided what questions you want to ask, start gathering relevant evidence as part of the next phase of work.

2. Using The Directory:  Central Government’s Assurance Directory (CGAD)

Why is the CGAD helpful for the Risk Control Framework (RCF)?

To help organisations have an effective and efficient approach to risk control, the Risk Control Framework (RCF) sets out a structure to make it easier for accounting officers (AOs) to navigate the many government control requirements they are currently expected to adhere to - see Para 9 and Annex A for more information on the RCF. The CGAD has been created to help clarify this landscape. Capturing the centrally issued standards, codes and guidance into one directory should create efficiency through a more precise view of what controls are needed to suit risk appetite and tolerance.

Benefits of the CGAD include:

  • it provides a systematic approach to aid assurance mapping.
  • it streamlines compliance-related activities, making it easier to access policy documents.
  • it strengthens current assurance practices by using a common language, leading to greater consistency.
  • it increases efficiency by consolidating information in one place, avoiding duplication of effort.
  • it is adaptable to meet future compliance requirements including the potential for rationalisation/consolidation of existing documents.

Who might use the CGAD?

The CGAD is designed to assist anyone involved in assurance activities:

1. Accounting Officers

  • assess the effectiveness of their risk management frameworks in achieving organisational objectives.
  • navigate and ensure organisational compliance with control requirements, relevant for the Annual Governance Statement ‘comply or explain’ disclosure requirements within Annual Accounts and Reports.

2. Senior Management / Heads of Functions

  • provide oversight of risk and assurance activities within their organisation and assist AOs in meeting their obligations.

3. First Line² roles who own and manage risk - operational

  • to understand their operational requirements as owners of risk, responsible and accountable for their management including providing appropriate assurance on the control measures in place.

4. Second Line² roles – functions that oversee or specialise in risk management

  • monitor and facilitate the implementation of effective risk management/ assurance practices to AOs, Senior Management, Boards, Audit and Risk Assurance Committees and Auditors (internal/external).
  • Provide assistance and support to risk owners in managing risks effectively.

5. Third Line Functions²

  • in providing a structure for internal/external auditors’ audits and reviews.

6. ARACs³

  • to oversee and monitor compliance with governance, risk and assurance activities.

7. Other stakeholders

  • gain a view of risk, control, and assurance activities across government.

² Orange Book Annex 2: The Three Lines Model, Pg 46

³ Orange Book: Audit and Risk Assurance Committee, Pg 45

3. Getting Started – How to Navigate the Directory

To access the CGAD Excel spreadsheet, visit the GOV.UK website. Use the search function to locate the CGAD or use the link here to reach The Orange Book webpage. The CGAD is updated bi-annually: Spring and Autumn. Enable the edit function to modify the content once downloaded.

The High-Level Assurance Question Sets

The CGAD is divided into 6 ‘parts’ containing high-level questions designed to help assess the quality and effectiveness of risk and assurance activities. The questions are intended to be detailed enough to be useful but sufficiently high level to be pragmatic in approach, allowing for flexibility and adaptability. While they aim to provide coverage, they are not exhaustive and may not be applicable in all circumstances or situations. The question sets should help to:

  • evaluate an organisation’s adherence to and compliance with the many central government documents.
  • provide early warning signs on any emerging risks, control failures/areas that should be monitored.
  • identify areas for improvement; for example, if there are gaps in responses to the questions or answers to the questions raise concerns, further assurance evidence may be needed.

4. Contents of the Directory

Part 1: Orange Book Principles

Part 1 of the CGAD contains the recommended 75 minimum high-level questions covering the Orange Book: Management of Risk Principles & Concepts. They are designed to support AOs and organisations in meeting their ‘comply or explain’ disclosure requirements. The question set covers the 5 Orange Book principles and at least one specific question for each component of the Risk Control Framework. They serve as a foundation for the ‘comply or explain’ disclosure requirement, as they help provide more granularity in support of those disclosure statements.

Use this question set to:

  • help complete the ‘comply or explain’ disclosure requirement as part of Accounting Officer responsibilities within annual governance statements.
  • ensure the organisational risk management framework is being adhered to both from a 1st and 2nd line perspective.
  • assist the organisation’s attestations on risk and risk management.
  • help assess and evaluate the effectiveness of the Risk Function.

Part 2: Other Published Orange Book Guidance

Part 2 contains questions relating to the supplementary Orange Book guidance which can be found on GOV.UK Orange Book Suite. They can be used in conjunction with Part 1 to provide further granularity for example on:

  • Risk Appetite – how is it set, understood, and informing decision-making.
  • Good Practice Guide: Risk Reporting – how risk reporting is supporting decision making.
  • Risk Management Skills & Capabilities Framework – how the Risk Function and risk management frameworks are operating.
  • Portfolio Risk Management Guidance - how project and programme risks are managed within portfolios.

Use this question set to:

  • provide further detailed and more granular evidence on the specific risk management related topics.
  • help gather insights into their effectiveness and application.
  • support responses to Part 1, particularly with the ‘comply or explain’ disclosure requirement.
  • help assess and evaluate the effectiveness of the Risk Function.

Part 3: Risk Control Framework

Part 3 contains high-level questions from the Cabinet Office and the Government Internal Audit Agency - Key lines of Enquiry v.July 2022. The questions are linked to each ‘pillar and block’ of the RCF. Use these questions to help support responses in Part 1. They help ensure that consideration is given to each aspect of the RCF. They also provide an insight into the types of questions internal auditors may use in evaluating the effectiveness, efficiency and compliance of the different assurance activities.

For more background information on the RCF and the ‘pillars’ and ‘blocks’ of the framework see Annexes A & B. The RCF acts as a structure through which organisational risks, how they are being managed, where and by whom, can be understood and assured as a cohesive whole.

Use this question set to:

  • help assess, improve, and assure compliance with individual pillars and block components of the RCF.
  • ensure compliance with public sector legal and regulatory requirements.
  • ensure compliance with local organisation controls and regulatory requirements.
  • help assess and evaluate Risk Functions/Other functions.

Part 4: Functional Standards

Part 4 contains high-level questions covering the suite of GOV.UK Functional Standards. These standards are mandated for use across central government (departments and their arm’s length bodies) through Managing Public Money and promote consistent and coherent ways of working across government. Each functional standard includes a number of principles (section 2 of each standard); the questions contained within Part 4 are based on the principles.

Use this question set to:

  • determine which functional standard should be evaluated and reviewed, ranging from FS002 to FS015 (there is no FS012).
  • determine whether more evidence is needed, particularly on what is mandatory (shalls) and what is strongly advisory (shoulds).

Part 5: Other Standards, Codes & Guidance

Part 5 contains high-level questions to cover the many other central standards, codes and guidance documents in government. The main landing page contains information on each document, a brief description of its purpose plus links to the latest versions. Also make use of the Matrix tab, which shows how these documents link to the components of the RCF.

Use this question set to:

  • ensure all ‘other codes, guidance and standards’ are considered as part of the RCF block and pillar.
  • provide more granular evidence.
  • evaluate the organisation’s adherence to the codes.
  • help identify areas of concern/improvement.

Part 6: Spotlight Items

Part 6 highlights ‘spotlight’ items that might otherwise be included in Parts 4 or 5. These items are given greater prominence as specific areas of risk or emerging risk that may require more focused attention. This section will adapt over time to reflect changing requirements.

Use this question set to:

  • focus on specific and topical subject areas.
  • increase awareness, draw attention to these specific areas.
  • help encourage engagement, stay up to date with key topics.
  • drive improvements in these areas.

Annexes - Background Information

Annex A: Part 2 Orange Book

The new Part II of the Orange Book was created in April 2023 as part of the Golden Thread project led by Sir Nigel Boardman, the Risk Centre of Excellence, Treasury Officer of Accounts and the Government Internal Audit Agency to help AOs gain greater confidence and a better understanding of the responsibilities they face in relation to control and assurance activities, and adherence to the many existing standards, codes and guidance across government.

Part II outlines the RCF, based on a ‘house’ structure - four ‘pillars’ containing four sub-components ‘blocks’ - which aims to make it easier for AOs to navigate all those standards, codes and guidance. Part II also contains guidance on assurance and assurance mapping. It does not mandate one particular approach. It acknowledges that there is ‘no one-size-that-fits-all’; instead, it sets out different methods which allow for departmental flexibility and judgement in the design, implementation and operation of assurance activities, with the overall aim of providing a consolidated view of the risk and assurance landscape.

Background on the ‘Comply or Explain’ Disclosure Requirement

The Orange Book ‘comply or explain’ disclosure requirement forms part of the Accounting Officer Annual Governance Statement. Its requirement has been in the Orange Book and FReM since 2020. As set out in Managing Public Money May 23, each public sector organisation should have systems for managing risk suited to business, circumstances and risk appetite. The Orange Book (May 23) lays out the principles for managing risk (including taking good risks) that departments are expected to comply with or explain reasons for non-compliance.

One of the commitments made to the Public Accounts Committee in January 2022 was that the RCoE would start to review, audit, and enforce the requirement to make a disclosure on compliance with the Orange Book’s five main principles, including a clear and careful explanation of any areas of non-compliance. The RCF can help support your organisation with that ‘comply or explain’ requirement as it provides a structure to support the disclosure (including the evidence needed in support of those statements). It can help to identify gaps and areas of control that may need further assurance, and/or further improvement.

Annex B – More information on the RCF Pillars and Blocks

Pillar: Governance and Management Framework: Each organisation shall have a governance framework which complies with government and departmental policies and directives (as applicable) and the functional standards.

  • Propriety & Ethics: The Seven Principles of Public Life apply to anyone who works as a public office-holder. The Ministerial Code and Civil Service Code set out the standards of conduct expected of ministers and how they discharge their duties respectively.
  • Governance Statement & AO System Statement: The governance statement manifests how the accounting officer’s duties have been carried out in the course of the year. In addition, each central government department is required to have an accounting officer system statement (AOSS) which provides a single statement setting out all of the accountability relationships and processes within a department group.
  • Boards: The accounting officer in each central government organisation should be supported by a board structured in line with the Corporate Governance Code.
  • Arm’s Length Bodies & Joint Ventures: The principal accounting officer of a department needs to be confident that its arm’s length bodies are in turn maintaining appropriate internal controls that support the achievement of their objectives and obligations.

Pillar: Roles & Accountabilities: Roles and accountabilities shall be defined in the relevant governance and management framework and assigned to people with appropriate seniority, skills and experience.

  • AOs: The AO is directly and personally accountable to Parliament for stewardship of their organisation’s resources.
  • All staff: Individual staff members have a responsibility to perform their roles in accordance with the Civil Service Code.
  • Functional Roles: Each function has a Head, accountable for managing the function across government.
  • SROs for Major Projects: The Senior Responsible Owner (SRO) of a project or programme within the government major projects portfolio (GMPP) is accountable to their own organisation’s management and also to Parliament.

Pillar: Strategy, Planning & Reporting: Public sector organisations take both medium-term and shorter-term approaches to planning, while the reporting process should be designed and operated to enable performance monitoring.

  • Medium-term Planning: Each department is required to develop, have approved and maintain a strategic plan, setting out its objectives for the duration of Parliament.
  • Annual Planning: The strategic plan provides the starting point for each annual plan. The purpose of annual planning is to determine and set out publicly a department’s funding and how it allocates its budgets.
  • Processes: The senior officer responsible for finance should maintain policies and processes to control and manage use of resources in the organisation’s activities. Similar expectations and management should be in place for processes for other functional, delivery or project areas.
  • Reporting: The AO should be satisfied, and shall sign, that the accounts, annual report and governance statement have been properly prepared. Within the organisation, the reporting process should be designed and operated to enable performance monitoring.

Extract – The Golden Thread Project – Steering Group Update, November 2022

Annex C: References

| Topic | Reference |
| --- | --- |
| Accounting Officer’s Guide | AO Comply or Explain Guide |
| Central Government’s Assurance Directory | Central Government’s Assurance Directory April 25 |
| Central Government’s Assurance Directory Video – Risk Centre of Excellence Toolbox | Risk Toolbox |
| Government Financial Reporting Manual (FReM) | Government Financial Reporting Manual 23/24 |
| Government Functional Standards | Government Functional Standard - GovS 001: Government functions |
| IIA Three Lines Model | IIA’s Three Lines Model - July 2020 |
| Managing Public Money | Managing Public Money May 23 |
| The Orange Book Suite | Orange Book (May 23) |
| Portfolio Risk Management Guidance | Portfolio Risk Management Guidance |
| Risk Centre of Excellence | Risk Centre of Excellence |
| Risk Improvement Finder | Risk Toolbox |
| Risk Appetite Guidance Note | Risk Appetite Guidance Note |
| Risk Reporting – Good Practice Guide | Good Practice Guide Risk Reporting V1.0 |
| Risk Management: Skills & Capability Framework | Risk Management Skills and Capabilities Framework V1.0 |