Corporate governance aligned to King IV principles

Principle 14:
Remuneration Governance

King IV principles and our activities
  • Principle 14 – The governing body should ensure that the organisation remunerates fairly, responsibly, and transparently to promote the achievement of strategic objectives and positive outcomes in the short-, medium- and long-term
  • The Board, through the Staff Administration and Corporate Affairs Committee, has established human resource policies governing the terms and conditions of employment, remuneration, training, promotions, discipline, and other benefits which are fair and will attract, motivate, and retain high calibre staff
Desired outcome:

Governance of fair, responsible, and transparent remuneration.

  • The reward and remuneration structures are linked to KPIs defined under each strategic objective, ensuring performance is linked to business performance as well as individual performance, thereby promoting a high-performance culture and achievement of strategy
  • Sustainable reward is carried out responsibly and the Fund’s reward framework is flexible to meet the changing needs of both the business and economy
Summary of the arrangements for governing remuneration
  • Remuneration and Employment Policy
  • Non-Executive Director Remuneration Policy
  • A Staff Administration and Corporate Affairs Committee (SACA) to ensure fair, responsible, and transparent remuneration practices
  • Quarterly remuneration reporting to SACA
  • Remuneration benchmarking
Key areas of focus during the reporting period
Measures taken to monitor remuneration and how the outcomes were addressed
  • Board receives summary reports from SACA
  • The Board approves business targets at the beginning of every financial year and reviews the results at the end of the year before making a final decision regarding payment of any incentives
Planned areas of future focus

Principle 15:

King IV principles and our activities
  • Principle 15 – The governing body should ensure that assurance services and functions enable an effective control environment, and that these support the integrity of information for internal decision-making and of the organisation’s external reports
Internal Audit (IA)
  • IA supports the Board and Management to execute their mandate by providing independent objective assurance of the Fund’s operations
  • Technology has been leveraged to incorporate data consistency and integrity, stronger collaboration among functions, concise information, and real-time visibility to help identify key areas of focus and opportunities to create and protect strategic business value
Combined assurance

The three lines of defence play a complementary role to each other:

  • Enterprise Risk Management, Legal and Internal Audit work collaboratively to provide combined assurance on risk, compliance, and internal controls
External Auditors
  • The ARC reviews the external audit plan with the External Auditor and discusses their approach, nature and scope of work, audit and reporting obligations before the audit commences
  • In addition, the ARC oversees the relationship between the Internal and External Auditors and ensures that the external audit is coordinated with the internal audit programmes. See Head of Internal Audit Report
Desired outcome:

Assurance on the effectiveness of internal controls and integrity of information for internal decision-making and external reporting purposes.

  • Assurance that governance structures remain appropriate and functional for the Fund
  • Assurance is provided on financial and non-financial information
  • Key components of the integrated report, such as governance, risk management and controls are assured
  • Accountability is clear within the three lines of defence model, with assurance providers working together to provide coordinated assurance. (The coordination with assurance providers does not impair the independence of IA)
  • Combined assurance ensures that there is comprehensiveness in terms of coverage, and avoidance of duplication
Summary of the arrangements for governing assurance
  • Well embedded Combined Assurance Model
  • Audit Committee oversees assurance:
    • Assurance Plans (internal and external audits)
    • Results of assurance reviews/audits
    • Implementation of agreed remedial actions
  • Quarterly assurance reporting to the ARC
Key areas of focus during the reporting period
Measures taken to monitor assurance and how the outcomes were addressed
  • Considered results of internal and external assurance provider reports
  • Oversee the implementation of agreed remedial actions for improvements required in the internal control environment (processes and systems etc.)
  • Assurance provided on the 2023 Integrated Report. See Internal Audit's role in Integrated reporting
  • Auditors report in the Annual Financial Statements
Planned areas of future focus

Building Resilience for Inclusive Prosperity – The Internal Audit Perspective

The Mandate of Internal Audit

Internal Audit (IA) supports the Board and Management to execute their mandate by providing independent and objective assurance, thereby protecting and creating value for a better life. Internal Audit provides an independent, objective, and continuous evaluation of the Fund’s operations and system of internal controls.

The function reviews, appraises and reports on:

  • The effectiveness and adequacy of internal controls, risk management and governance processes, and
  • The reliability of financial and other management information

The Internal Audit Charter, approved by the Board of Directors, provides the framework that guides the activities, purpose, authority, and responsibility of the IA function. IA reports functionally to the Board and administratively to the Managing Director. The annual risk-based IA audit plan and budget are developed in consultation with Management and approved by the Audit and Risk Assurance Committee of the Board (ARC).

Issues raised in various audit assignments are reported to both Management for remediation and to the Board Audit Committee (ARC) for oversight. IA makes value-adding recommendations to Management, and all remedial actions are followed up to completion and independently validated.

Mr. Geofrey Barigye

Building Resilience for Internal Audit

During this time of unparalleled change, it is more important than ever that IA continues to provide assurance and advise both Management and the Board on internal controls and risk. Managing change and developing resilience has consequently become an important topic for the IA function at the Fund.

Subsequently, the IA team at the Fund has embraced continuous risk assessment, exploratory analytics, automated controls testing, and agile methods as a way of decreasing costs and adding advisory value in the environment.

In the long-term, we recognise that a deeper digital transformation is a requirement. New digital tools and automation technologies are creating a world in which remote internal auditing does not mean compromised quality or plan reductions. Instead, it implies a higher level of functioning.

Revisiting the Risk Assessment Methodology

As the Fund adjusts its operations to cope with the impact of changes, we reprioritise and reassess our audit plans and revisit the risk assessment methodology to respond to the changing landscape. This includes dialogue and collaboration with key stakeholders to identify emerging, shifting or net-new risks and determining how to work with the business most effectively in planning mitigation strategies. Considering the dynamic environment at the Fund, IA has embraced a dynamic risk assessment which refers to the continuous monitoring of business operations, functions and processes enabled by automation.

The Dynamic Risk Assessment has so far helped us to:

  • Generate new insights to inform risk professionals as well as new alternatives on how to respond
  • Eliminate audit approaches that are manual, fragmented, often unrepeatable, or largely based upon gut instinct, and replace them with repeatable, standardised tools and methods
  • Transform the audit-planning process and annual risk assessment by enabling continuous risk monitoring and adjustment to the audit plan

Key emerging risk areas or those that may be significantly altered include:

Refreshing and Re-assessing Current IA Plans

We have reprioritised the audit plan as soon as possible to provide assurance over the most consequential risks while being cognisant of the impact on operations. This includes determining which audits can be performed remotely versus those that absolutely require an in-person presence.

From an assurance perspective, we have also considered how operational changes will affect the audit timeline. For instance, process owners may need to move their controls to a virtual environment, which takes time.

Defining Collaboration Tools for Audit Execution

By utilising tools that enable collaboration and establishing mutually agreed upon protocols, IA has efficiently worked with process owners to gather and review requested documentation in a remote environment.

Identifying and Exploring Opportunities for Digital Analytics and Continuous Monitoring Capabilities

As our audit team members find themselves working remotely, the value of exception-based monitoring and analytics-driven process analysis is becoming readily apparent. The IA department has developed capabilities for the audit team to demonstrate greater resiliency and flexibility in the dynamic environment and the team provides inspiration for others to continue their digital journeys.

Re-defining Reporting and Communication Model

As the IA mindset shifts towards a virtual operating model, it is imperative that its communication strategies shift as well. We are therefore reviewing our frameworks to modify the frequency and means of communicating with our key stakeholders.

To remain resilient and relevant, the audit team will continue to focus on the key risks and provide assurance where it is most needed by the key stakeholders.

Consequently, the IA team is:

  • Performing the same audit cheaper: For example, connecting the auditor directly to the process, through exploratory analytics and data visualization, drives a more focused audit, while still testing 100% of the population
  • Performing better audits: For example, combining data from inside and outside the Fund adds new richness and granularity to insights and understanding of risk. Benchmarks, comparative analysis, and trending enhance on-the-job learning and development while delivering a more impactful result to business stakeholders
Quality Assurance and Improvement Programme (QAIP) and Performance Monitoring

The implementation of a QAIP is to ensure conformance with the definition of IA, the Code of Ethics for internal auditors and the Auditing Standards.

Internal assessments include comprehensive ongoing and periodic monitoring. The programme incorporates quality assurance processes in the stages of planning, engagement, and reporting. Annually, the function conducts and reports the results of the internal assessment to the ARC.

An independent and objective external quality assessment evaluates conformance of the IA with the Internal Audit Charter, Code of Ethics, and auditing standards. The last external assessment was conducted in 2018 and the next assessment has been planned for FY 2023/24.

External Auditors

The power to appoint external auditors for Public Institutions (like NSSF) is vested in the Office of the Auditor General of Uganda (OAG). In line with Section 23 of the National Audit Act (2008), the Auditor General may appoint private auditors to assist him/her in the performance of his/her functions under this Act.

Section 32(2) of the NSSF Act gives the mandate to audit the Fund's financial statements to the Auditor General or to an Auditor appointed by the Auditor General. Accordingly, the Auditor General re-appointed PricewaterhouseCoopers Limited (PwC) to conduct an annual audit of NSSF for the year ending 30 June 2023. The length of service of external auditors is determined by the appointing authority and the general practice has been for a duration of three years.

The ARC reviews the external audit plan and oversees the relationship between the internal and external auditors to ensure efforts are coordinated. Financial information used in the report is sourced from the Annual Financial Statements, which are assured by our External Auditors.