Our Governance

Internal controls and assurance

Internal controls and assurance

Strategy Icon

“NSSF has established a robust Internal Audit (IA) function since its inception in 1985, playing a key role in enhancing governance and operational effectiveness. Over the years, IA has evolved, adopting a risk-based approach and embracing technological innovations to improve efficiency. The function is focused on aligning with organisational goals and adapting to emerging risks while providing valuable insights as a strategic advisor.

The Quality Assurance and Improvement Programme (QAIP) ensures compliance with global standards through ongoing assessments. As we continue to advance, we aim to enhance our capabilities in data analytics, process improvement, and critical thinking to remain agile in a dynamic environment.” ~Mr. Geoffrey Barigye

Our vision statement

To be a trusted advisor, providing objective assurance and value-added insights that enhance organisational effectiveness and accountability.

Our purpose

To enhance and protect Fund value by providing risk-based and objective assurance, advice, insight and foresight.

Governance and structure

NSSF is a statutory institution established by the National Social Security Fund Act (Chapter 230) of Uganda, aimed at providing social security benefits to its members. The Fund is governed by a Board of Directors that oversees the IA function, which is essential for providing objective assurance on internal controls, governance and risk management processes.

Detailed in the Governance chapter of our integrated report, effective organisational governance ensures that NSSF's objectives are achieved transparently and responsibly, underpinned by accountability and a focus on long-term sustainability.

Evolution of Internal Audit

1985:

The IA function is created when NSSF is established as a parastatal entity, initially staffed with a Principal Internal Auditor and a Senior Internal Auditor from the Department of Social Security.

1992:

The IA team expands with the addition of a new staff member to ensure compliance with procedures and handle pre-audits for administrative transactions.

1999:

The Board elevates the IA function to departmental status, appointing a Chief Internal Auditor to enhance oversight and align the reporting structure.

2003:

The Audit Committee is formed, tasked with overseeing the IA function and improving governance and accountability.

2006:

A risk-based auditing approach is adopted, prioritising the identification and assessment of risks, although pre-audit activities continue, impacting independence.

2007:

IA begins automating processes to enhance efficiency and modernise audit practices.

2011-2020:

IA exits pre-audit activities, restoring independence and improving objectivity. An Internal Audit Charter is developed to outline the function’s scope and responsibilities, while Computer-Assisted Audit Techniques (CAATs) are implemented to streamline data analysis.

Internal Audit strategic planning and future opportunities

In alignment with auditing standards, IA has implemented a strategic plan for FY21 to FY25, aiming to adapt to changing expectations and organisational objectives. This plan will continue with a new strategy for FY25 to FY30, emphasising the need for IA to operate as a trusted advisor that provides objective assurance and valuable insights.

To further enhance its contributions, IA is focused on expanding its mandate to address emerging risks, broadening its scope to include new technologies and market trends, and enhancing competency requirements. This includes skills in technology, risk management, process improvement, critical thinking, data analytics, and industry knowledge.

IA continually seeks to enhance its efficiency and responsiveness, embracing technological advancements and exploring opportunities in data analytics. Working remotely has highlighted the value of exception-based monitoring and analytics-driven process analysis, facilitating timely insights and proactive risk management.

As part of the IA's evolution, there will be a focus on auditor rotations and an increased emphasis on core audit skills, particularly in IT, to improve adaptability and readiness to tackle new challenges.

Step Details
Step
1
Expanding IA mandate
Details
  • Emerging risks
  • Balancing assurance and advisory
  • Providing business insights
  • Becoming a strategic advisor
Step
2
Increasing the scope
Details
  • Emerging risks
  • Technology
  • Emerging market
  • Thematic audits
Step
3
Increasing competency requirements
Details
  • Technology, Risk management, Process improvement
  • Critical thinking, Data Analytics, Verbal communication
  • Business strategy, Relationship management, Industry knowledge
Step
4
Evolving IA function
Details
  • Experience Internal Auditor
  • Auditor rotation
  • Core audit Skills (includes IT)

Quality assurance and improvement programme (QAIP)

The QAIP is designed to ensure conformity with Global Internal Audit Standards and involves ongoing internal assessments alongside periodic monitoring. Annually, IA reports its internal assessment results to the Audit and Risk Assurance Committee (ARC). An independent external quality assessment conducted during FY25 confirmed that IA generally conforms to the International Internal Audit (IIA) standards, with the next assessment scheduled for FY30.

External auditors

The appointment of external auditors for public institutions such as NSSF is under the remit of the Office of the Auditor General of Uganda (OAG), as specified in the National Audit Act. The Auditor General also has the authority to appoint private auditors to assist with their functions. In accordance with Section 32(2) of the NSSF Act, KPMG has been re-appointed to conduct the annual audit for the financial year ending 30 June 2025. The ARC plays a key role in reviewing the external audit plan and ensuring coordination between internal and external auditors.

Combined assurance

The Board ensures that assurance services and functions contribute to a robust control environment, thereby enhancing the integrity of information used for internal decision-making and external reporting.

Combined Assurance model

The Fund has a "three lines of defence" model, where the Enterprise Risk Management, Legal, and Internal Auditing teams collaborate to provide a comprehensive view of risk, compliance, and internal controls.

This model ensures the reliability of governance structures and comprehensive coverage of all assurance activities for both financial and non-financial information.

Key elements relevant to governance, risk management, and controls within the integrated report receive focused assurance, with all assurance providers working cohesively while preserving the independence of Internal Audit. This approach eliminates duplication of efforts and ensures complete coverage.

Role of the Audit and Risk Assurance Committee in assurance

The ARC plays an important role in overseeing assurance processes, which include planning for internal and external audits, evaluating results, and supervising corrective action implementation. Quarterly reports to the ARC maintain transparent oversight of these activities.

Monitoring and addressing assurance outcomes

The Board and management actively review outputs from both internal and external assurance providers, ensuring that necessary remedial actions are taken to strengthen the internal control environment.

The relationship between these actions and their corresponding assurances is detailed in the integrated report for 2024/5 and the Auditors' Report within the Annual Financial Statements, ensuring accountability and fostering continuous improvement in the Fund's operations. See our combined assurance model.

Remuneration report
40 YEARS OF BUILDING THE FUTURE: POWERING GROWTH, EMPOWERING GENERATIONS