Guideline 57. Implementation and management of audit findings
The implementation of audit findings and recommendations is time-bound and monitored.
There is a periodic performance assessment of the internal audit unit. A set of clearly defined indicators measures its efficiency and effectiveness in improving the institution’s performance.
When auditing the institution’s reports, the internal auditor and actuary communicate clearly and effectively. The exchange of information between them neither compromises nor impinges upon their respective independence.
The board or management establishes the internal audit charter of the internal audit unit. The charter sets out the nature, role, responsibility, status and authority of the unit and outlines the scope of its work.
Internal audit is the central unit that undertakes independent and objective reviews of all areas of operation of the institution, and verifies and certifies compliance with all pertinent laws, rules and regulations. The scope of its work is comprehensive. By undertaking independent and objective reviews of policies, operations, systems and procedures, internal controls, risk management, information management, ICT systems and governance processes, it promotes a disciplined approach to the overall management of the institution.
The management aligns and coordinates risk management activities across the institution to maximize synergies, avoid gaps and prevent duplication of effort.
There is clarity in the line of authority and decision-making, and in staff roles and responsibilities, to ensure coordinated, appropriate and timely responses to the incidence of risk. There is a clear understanding of the risk to be contained and the corrective measures to be implemented.
To manage or prevent risks in real time, there is ongoing monitoring of the institution’s internal and external environment. Risk scenarios are analysed to keep the institution constantly alert and ready.
A process model is developed for each administrative area to identify the potential points of failure, the internal or external events which can trigger risk, and the corrective measures to be implemented. There is ownership of responsibility for the potential points of failure.
Risk management involves having policies, measures and approaches to manage, mitigate or prevent the detrimental effects of risks faced by the institution. Whether risks arise from internal or external factors, the goal is to defuse their detrimental effects on the administration of the social security programme, including its financial sustainability; fund investments; the management of coverage and contributions, and the delivery of member benefits and services; and human and ICT resources capacities.