NOM-005 — SAFECHAIN™ Audit & Assurance Framework™

SAFECHAIN™  |  NATIONAL OPERATING MODEL™  |  NOM™ SERIES

NOM™ — Publication No. NOM-005

SAFECHAIN™ AUDIT AND

ASSURANCE FRAMEWORK™

The Comprehensive Audit Methodology, Assurance Standards, and Continuous Improvement Governance for NOM™ Compliance

Document Reference: NOM-005

Series: National Operating Model™ (NOM™)

Series Position: Audit and Assurance Standards Paper

Foundational Papers: NOM-001, NOM-002, NOM-003, NOM-004 — read first

Author: Samantha Avril-Andreassen FRSA

Status: Published — First Edition

Version: 1.0

Date: June 2026

Publisher: SAFECHAINN Ltd (Company No. 12038453)

Executive Summary

The SAFECHAIN™ Audit and Assurance Framework™ (SAAF™) is the comprehensive audit methodology, assurance standards, and continuous improvement governance through which NOM™ compliance is independently assessed, verified, and reported at institutional, multi-agency, regulatory, and national levels. It is the operational assurance infrastructure that makes the NOM-001 constitutional operating doctrine governable — providing the specific audit tools, assurance standards, and reporting requirements through which governance is not merely declared but demonstrated.

Audit without assurance is documentation. Assurance without audit is aspiration. The SAAF™ integrates both — creating the complete governance cycle through which NOM™ compliance is assessed with rigour, reported with transparency, improved with evidence, and held accountable with authority. It is the operating methodology that gives the Trust Authority's Constitutional Integrity Audit its evidential foundation, the SAF™ accreditation process its assessment methodology, and the Governance Council's annual parliamentary report its substantive content.

1. Introduction: Why Audit and Assurance Are Distinct

1.1 The Audit-Assurance Distinction

Audit and assurance are related but distinct governance functions. Audit is the systematic, independent assessment of an institution's governance practice against defined standards — the examination of what is actually happening compared with what the operating doctrine requires. Assurance is the governance function that provides confidence — to the institution, to its regulators, to its service users, and to the public — that the audit findings represent a reliable picture of governance quality and that the governance systems in place are adequate to maintain that quality over time.

The SAAF™ treats audit and assurance as a continuous cycle rather than periodic events: continuous self-audit through the Trust Score and internal QA systems; periodic independent audit through the SAF™ assessment process and regulatory inspection; and strategic assurance through the Trust Authority's Constitutional Integrity Audit and the Governance Council's annual parliamentary reporting. Together, these three levels of audit and assurance create a governance picture that is always current, always independent, and always actionable.

2. The Three-Level Audit Architecture

Level 1: Continuous Self-Audit

Level 1 is the continuous self-audit that every NOM™-participating institution conducts through its internal governance systems. The Trust Score's six dimensions (T1 through T6, defined in NVI-005) are the primary self-audit metric — updated quarterly, publicly reported, and used internally for governance improvement. Internal QA under VVS™ D5.3 provides the intelligence quality self-audit. The IAR™ accountability record provides the decision and omission self-audit. And the institution's annual ITF™ Compliance Report provides the structured self-audit narrative that contextualises the quantitative Trust Score data.

Level 1 self-audit does not require external resource. It is an operational function of the NOM™ operating system — the governance records that the Intelligence Engine generates automatically provide the data that Level 1 self-audit requires. The institution's role is to review, interpret, and act on that data rather than to generate it separately.

Level 2: Independent Institutional Audit

Level 2 is the periodic independent audit conducted by SAF™ assessors through the NOM-003 accreditation process and by the institution's regulatory body through NOM™-integrated inspection. Level 2 audit occurs at defined intervals — triennial for Foundation Certified institutions, biennial for Advanced, triennial for Excellence — and is triggered additionally where Level 1 self-audit identifies significant compliance gaps or where an ITF™ accountability threshold of Level 2 or above is reached.

Level 2 audit methodology covers five domains: Intelligence Engine Integrity (are all ten stages operational and generating appropriate governance records?); Six Operating Principle Fidelity (are the NOM-001 principles applied consistently in operational practice?); Rights and Consent Compliance (is the NVI-002 consent architecture operating as designed?); Verification Quality (is the VVS™ standard being met consistently and is remediation effective?); and Continuous Improvement Evidence (is the institution demonstrably improving its NOM™ compliance over time, or merely maintaining it?).

Level 3: Constitutional Assurance Audit

Level 3 is the annual Constitutional Integrity Audit conducted by the Trust Authority (NOM-002, Section 3) — the strategic governance assessment of the NOM™ operating system as a whole. Level 3 audit does not audit individual institutions; it audits the operating system — assessing whether the Intelligence Engine is functioning correctly at network level, whether the constitutional stack is being consistently applied across the full participant network, and whether the governance architecture established in NOM-001 through NOM-004 is operating as constitutionally designed.

Level 3 audit generates the Trust Authority's Annual Constitutional Integrity Report — the most authoritative public assessment of the NOM™ operating system's governance health. The Report is the primary evidential foundation for the Governance Council's annual parliamentary report and the primary input to the standards evolution process that the NVI™ Standards Board manages.

3. The SAAF™ Audit Methodology

3.1 Evidence Standards

The SAAF™ establishes four categories of evidence for audit purposes, each with defined quality requirements and defined weight in the audit assessment:

Evidence Category

Description

Audit Weight

Primary Documentary Evidence

IAR™ records, VVS™ Verification Certificates, CIF™ submissions, Trust Score data, ITF™ Compliance Reports — generated automatically by the NOM™ operating system.

High — this is the operating system's own accountability record.

Practitioner Evidence

Structured practitioner conversations, case file review with practitioner, recognition assessment observation — direct assessment of operational practice.

High — tests whether documentation reflects genuine practice.

Governance Documentation Evidence

Board minutes, safeguarding reports, internal QA records, quality improvement plans — institutional self-representation of governance quality.

Medium — contextualises primary evidence but cannot substitute for it.

Outcome Evidence

Safeguarding outcome data, continuity breach rates, serious incident records, complaint outcomes — evidence of what the governance system produces.

High — the ultimate test of whether the operating model is working.

3.2 The Audit Cycle

1.     Planning: Audit scope defined, evidence sources identified, audit team assigned, institution notified, pre-audit self-assessment requested.

2.     Evidence Assembly: Primary documentary evidence collected from IAR™, VVS™, and Trust Score systems. Governance documentation requested from institution.

3.     Practitioner Assessment: On-site or remote structured conversations with frontline practitioners, supervisors, and safeguarding leads.

4.     Outcome Review: Anonymised case file sample reviewed against Intelligence Engine lifecycle standards. Continuity breach analysis conducted.

5.     Findings Synthesis: Audit team produces draft findings against all five Level 2 audit domains. Institution invited to respond to factual errors.

6.     Audit Report: Final audit report produced, incorporating institution's factual response. Report includes: domain findings; overall NOM™ compliance rating; specific improvement recommendations; outstanding compliance gaps; and the audit team's assessment of improvement trajectory.

7.     Improvement Planning: Institution produces Improvement Plan in response to audit findings. Plan is assessed by auditors for adequacy before audit process is concluded.

8.     Follow-Up: Six-month follow-up review of Improvement Plan implementation. Findings inform the institution's Trust Score and the next audit planning cycle.

4. Assurance Reporting

4.1 The Four Assurance Reports

The SAAF™ produces four categories of assurance report, each serving a distinct governance audience:

•       Institutional Assurance Report: Produced for each audited institution following Level 2 audit. Confidential to the institution and its regulator. Contains full audit findings, compliance ratings, and improvement recommendations.

•       Regulatory Assurance Summary: An anonymised, aggregated summary of audit findings for all institutions within a regulated sector, produced annually for each regulatory body. Provides regulators with a sector-wide picture of NOM™ compliance quality for integration into their inspection planning.

•       National Assurance Report: Produced annually by the SAAF™ Office for the Trust Authority's Constitutional Integrity Audit. Covers network-level compliance patterns, improvement trends, systemic governance gaps, and emerging compliance challenges. The primary evidential input to the Trust Authority's annual report.

•       Parliamentary Assurance Digest: A public-facing summary of the National Assurance Report, produced for the Governance Council's parliamentary report and published simultaneously on the SAFECHAIN™ Trust Register and the NVI™ Oversight Body's public register.

4.2 Reporting Standards

All SAAF™ assurance reports are produced to defined reporting standards: factual accuracy (all findings supported by documented evidence); proportionality (findings assessed in context of institutional size, resource, and implementation maturity); constructiveness (improvement recommendations specific, actionable, and resourced); transparency (all methodology explained, all evidence sources identified); and accountability (all findings attributable to specific evidence, all recommendations attributable to specific audit findings). Reports that do not meet these standards are returned to the producing audit team for revision before publication.

5. Continuous Improvement Governance

5.1 The Learning Loop

The SAAF™'s most significant governance contribution is the Learning Loop — the systematic mechanism through which audit findings at every level feed back into the standards, training, and operating protocols that determine future compliance. The Learning Loop operates at three levels: institutional (Improvement Plans that address specific audit findings and are reviewed at six-month follow-up); network (Standards Board updates triggered by aggregate audit findings across multiple institutions, identifying systemic quality challenges that require standards evolution); and constitutional (Trust Authority findings from the Constitutional Integrity Audit that trigger constitutional evolution proposals where systemic operating doctrine gaps are identified).

5.2 The Improvement Evidence Standard

The SAAF™ establishes the Improvement Evidence Standard — the requirement that every NOM™-participating institution demonstrate, through its Level 1 self-audit data and its Level 2 audit findings, that it is improving its NOM™ compliance over time. Stagnation — maintaining compliance at a fixed level without improvement — is not sufficient under the SAAF™. The operating system is a continuous improvement system; institutions that are not improving are, in effect, falling behind a system that is constantly developing. The Excellence Certification requirement that institutions demonstrate documented improvement trajectory is the SAAF™ Improvement Evidence Standard's most visible expression.

6. SAAF™ and the NOM™ Governance Bodies

The SAAF™ connects all four NOM™ governance bodies through the assurance data it produces:

•       Trust Authority (NOM-002): The SAAF™'s National Assurance Report is the primary evidential input to the Trust Authority's Constitutional Integrity Audit. The SAAF™ auditors operate under Trust Authority constitutional authority when conducting Level 3 audits.

•       SAF™ Accreditation (NOM-003): The SAAF™ audit methodology is the assessment methodology applied in SAF™ accreditation visits. Level 2 audit findings determine accreditation outcomes.

•       Governance Council (NOM-004): The Parliamentary Assurance Digest is the primary safeguarding assurance input to the Governance Council's annual parliamentary report.

•       NVI™ Oversight Body: The SAAF™'s Regulatory Assurance Summaries inform the Oversight Body's accountability threshold decisions and Trust Score monitoring.

Conclusion: Audit That Improves, Assurance That Protects

The SAFECHAIN™ Audit and Assurance Framework™ is the governance instrument that ensures the NOM™ is more than a constitutional document. It is the mechanism through which the constitutional operating doctrine of NOM-001 is tested against operational reality, reported with transparency, and improved with evidence — continuously, independently, and accountably.

Good governance is not self-certifying. The NOM™ operating system knows this — it is built on the understanding that accountability requires demonstration, not declaration. The SAAF™ is how that demonstration is made: rigorously, independently, publicly, and with the continuous improvement imperative that distinguishes a living operating system from a governance document that institutions file and forget.

Audit improves the system. Assurance protects the people it serves. The SAAF™ does both.

This paper is NOM-005, the final foundational paper of the NOM™ series. NOM-006 onwards addresses sector-specific operating model implementation, cross-jurisdictional governance, and the long-term constitutional development of the SAFECHAIN™ operating system. Cross-references are maintained in the SAFECHAIN™ Master Publication Register™. Contact: samantha@safe-chain.org

COPYRIGHT NOTICE

© 2026 Samantha Avril-Andreassen. All rights reserved.

SAFECHAINN Ltd (Company No. 12038453).

SAFECHAIN™, National Operating Model™, NOM™, Recognition Intelligence™, Continuity Intelligence™, Vulnerability Intelligence™, Accountability Intelligence™, Predictive Safeguarding™, National Vulnerability Verification Infrastructure™, Specialist Safeguarding Architecture™, Safeguarding Intelligence Series™, Governance Series™, National Infrastructure Series™, Trust Authority Framework™, Accreditation Framework™, Governance Council™, Audit and Assurance Framework™, and all associated frameworks, methodologies, governance architectures, operating models, implementation systems, terminology and intellectual property are proprietary works authored and developed by Samantha Avril-Andreassen.

No part of this publication may be reproduced, adapted, implemented, commercialised, incorporated into software or AI systems, used for training artificial intelligence models, or deployed within organisational governance frameworks without the prior written permission of Samantha Avril-Andreassen and SAFECHAINN Ltd.

The SAFECHAIN™ Master Publication Register™ remains the sole authoritative source of publication status, architecture lineage, governance authority, terminology control, implementation hierarchy, version control and intellectual property provenance.