The board or management establishes the internal audit charter of the internal audit unit. The charter sets out the nature, role, responsibility, status and authority of the unit and outlines the scope of its work.

Internal audit is the central unit that undertakes independent and objective reviews of all areas of operation of the institution, and verifies and certifies compliance with all pertinent laws, rules and regulations. The scope of its work is comprehensive. By undertaking independent and objective reviews of policies, operations, systems and procedures, internal controls, risk management, information management, ICT systems and governance processes, it promotes a disciplined approach to the overall management of the institution.

The management aligns and coordinates risk management activities across the institution to maximize synergies, avoid gaps and prevent duplication of effort.

There is clarity in the line of authority and decision-making, and staff roles and responsibilities to ensure coordinated, appropriate and timely responses to the incidence of risk. There is clear understanding of the risk to be contained and the corrective measures to be implemented.

To manage or prevent risks in real time, there is ongoing monitoring of the institution’s internal and external environment. Risk scenarios are analysed to keep the institution constantly alert and ready.

A process model is developed for each administrative area to identify the potential points of failure, the internal or external events which can trigger risk, and the corrective measures to be implemented. There is ownership of responsibility for the potential points of failure.

Risk management involves having policies, measures and approaches to manage, mitigate or prevent the detrimental effects of risks faced by the institution. Whether risks arise from internal or external factors, the goal is to defuse their detrimental effects on the administration of the social security programme, including its financial sustainability; fund investments; the management of coverage and contributions, and the delivery of member benefits and services; and human and ICT resources capacities.

The effectiveness of the strategic plan to advance the institutional mandate is evaluated. There is an assessment of lessons learnt from achieved goals, delivered targets and proven strategies, as well as unsuccessful initiatives. The performance review serves as input to the next cycle of planning activities.

The strategic plan is cascaded to all units of the institution. Implementation is regularly monitored and assessed. The strategic plan is revisited, evaluated and fine-tuned, if necessary. Management aligns the performance trinity of strategy and vision, leadership and management, and institutional culture and values in implementing the strategic plan.

The strategic plan spells out the institution’s plan of action, goals, targets, milestones and deliverables to achieve its vision. It articulates the programmes and activities to be implemented, and the management environment that would ensure coherence and maximize synergies within the institution. The formulation process ensures the consistency of the strategic plan with the institution’s mandate.