Portfolios are responsible for the assurance of their sub-portfolios and will be assured by their parent portfolio (if they have one).
Assurance should be by exception based on a long-term business case (or equivalent) that defines the portfolio scope and measures of success, the long-term vision and strategy, an initial view of the portfolio objectives and roadmap and the required budget (and guardrails) and headcount to deliver these, and finally how the portfolio will be lead, governed and make decisions (see internal approvals).
If portfolios are delivering to forecast and operating within their guardrails then should be deemed to be performant and not require further assuring. However, if guardrails are breached or performance issues occur, then formal assurance and support may be invoked. This means that there is no assurance or review done on the annual reporting – this should be for information only (but may trigger assurance if they indicate an exception).