Assurance
Independent project controls assurance.
An outside view of whether the controls are actually working — schedule logic, cost baseline integrity, QRA methodology and risk register maturity. Written for programme directors who need more than a RAG status.
Project controls assurance is the independent function that answers the question programme directors rarely want to ask: are our controls telling us the truth? A schedule that passes a DCMA 14-point health check. A cost baseline that holds up to challenge. A QRA that reflects the risks the programme actually faces — not the numbers that fit the approved budget. Controls assurance is what separates a controls function that looks right from one that works.
What a controls assurance review covers
Schedule assurance
We apply the DCMA 14-point methodology to every schedule we review — testing logic integrity, constraint usage, float distribution, critical path continuity, baseline execution index and near-term credibility. Beyond the metrics, we look at whether the schedule is being maintained as a living delivery tool or has become a static record of past intent. We report both the technical findings and the judgement: whether the planning function is adding value.
Cost baseline assurance
We review cost baselines for structural integrity — whether the WBS is correctly decomposed, whether the estimate has buried contingency that distorts QRA inputs, whether the earned value baseline is tracking genuine physical progress or is being managed to look acceptable. We check the link between the cost baseline and the schedule: cost and schedule that are maintained independently will always disagree at the wrong moment.
QRA methodology review
A QRA output is only as reliable as the methodology that produced it. We review QRA models for: correct separation of base estimate uncertainty from discrete risk events; credible three-point estimates (not copied from the register row above); realistic correlation assumptions; and a critical path that actually drives the schedule outputs. We have reviewed QRAs that have passed and failed IPA gateway reviews, which means we know what reviewers actually test.
Risk register maturity
A risk register with fifty risks and identical probability-impact scores is not a risk management tool — it is a compliance artefact. We assess whether the register reflects the risks the programme actually faces, whether owners are active, whether mitigations are changing the risk profile over time, and whether the register is connected to the QRA model or maintained in parallel as a separate document.
Controls maturity assessment
For clients who want a broader view across a portfolio or a programme office, we conduct a structured maturity assessment — rating the controls function against a defined capability framework and producing a ranked improvement plan. The output is a practical roadmap, not an academic scoring exercise.
Gateway review preparation
IPA gateway reviews, MoD MPRP gates, Ofwat assurance submissions and HS2 supply chain controls reviews all assess the controls function against defined standards. We prepare programmes for these reviews by conducting an assurance review in advance — identifying findings before the reviewer does, and giving the programme team time to remediate. A dry run, not a surprise.
How we start
A 30-minute discovery call. We listen to what the programme director needs to know and what they are worried about. If the shape of the question matches the shape of our work, we come back within one working day with a short scoping note — what we will look at, how long it will take, and indicative cost.
Frequently asked
Project controls assurance — questions we get asked
- What is project controls assurance?
- Project controls assurance is an independent review of whether a programme's schedule, cost and risk controls are fit for purpose — whether they are structured correctly, populated honestly, and capable of giving the programme director the early-warning signals they need. It differs from a standard controls review in that the reviewer is independent of the team that built the system, and the output is a formal finding with a ranked improvement plan.
- When should an organisation commission a controls assurance review?
- The most common triggers are: ahead of a gateway review where the controls maturity will be assessed; following a programme that overran cost or schedule and left questions about whether the controls could have caught it earlier; at the start of a new major programme where the client wants assurance that the contractor's controls are adequate; or as a periodic health check on a long-running programme to confirm the controls are still fit for purpose as the programme evolves.
- How long does a project controls assurance review take?
- A focused single-programme review — covering schedule quality (DCMA 14-point), cost baseline integrity, risk register maturity and QRA methodology — typically takes two to four weeks from data access to final report. A full controls maturity assessment across multiple programmes or a portfolio takes four to eight weeks. We scope the review to the specific questions the client needs answered rather than applying a fixed template.
- What does SOMA look at in a schedule assurance review?
- We apply the DCMA 14-point methodology to assess schedule logic, constraint usage, float distribution, critical path integrity, baseline execution index and near-term milestone credibility. We also look beyond the metrics — at whether the schedule is being maintained as a living delivery tool or is drifting into a static record of past events. We report findings at two levels: technical (metric scores) and judgement (whether the controls are actually working).
- Can SOMA provide assurance on a third-party contractor's controls?
- Yes. Client-side assurance of a contractor's project controls is one of our most common engagements. We can review the contractor's schedule, cost and risk systems against the contract requirements and the client's standards, produce a findings report for the programme director, and recommend specific remediation steps. We do this in a way that is constructive rather than adversarial — the goal is a controls function that works, not a list of problems.
Need an independent view of your controls?
Most assurance reviews start with a short scoping call. We work out what the programme director needs to know, then come back with a clear scope and indicative cost.