By CPA Samson Sowate
Key Highlight: Bridging the gap between traditional compliance auditing and outcome-driven assurance through the Government Outcomes-Focused Risk-Based Internal Audit Methodology and the Outcome, Risk and Capability Nexus.
This article addresses the urgent need to transform public sector internal audit from a compliance-focused function to a strategic driver of Public Financial Management (PFM) effectiveness. It introduces the Government Outcomes-Focused Risk-Based Internal Audit Methodology and the Outcome, Risk and Capability Nexus as practical frameworks for future-proofing internal audit in Uganda.
The nexus is built on three dimensions: Outcome (what PFM seeks to achieve), Risk (what threatens that outcome), and Capability (whether the entity has the right people, processes, systems, and culture to manage those risks). Traditional risk-based auditing misses strategic failures because it defines risk too narrowly, prioritises likelihood over impact, and ignores capability assessment.
The nexus directs audit resources to the intersection of high-outcome importance, high risk, and weak capability. A five-action roadmap is provided for PFM leaders. The Institute of Certified Public Accountants of Uganda (ICPAU), the Ministry of Finance, and public sector entities are called upon to adopt this methodology as a strategic PFM pillar.
1. Beyond the Balance Sheet
For decades, internal audit in the public sector has focused on compliance—verifying transactions and ensuring expenditures follow approved budgets. While important, this is no longer sufficient. PFM in Uganda faces new disruptions: climate finance, digital payments, cybersecurity threats, donor fragmentation, and post-pandemic fiscal pressures. The cost of audit inertia is real.
When internal audit remains backward-looking, it fails to warn decision-makers about strategic risks that undermine service delivery. This article introduces the Government Outcomes-Focused Risk-Based Internal Audit Methodology and the Outcome, Risk and Capability Nexus as tools for future-proofing the audit function. Embrace change, or risk irrelevance.
2. The Shifting Landscape of PFM Risks
The most consequential risks to PFM are no longer isolated frauds but systemic threats. Four drivers stand out: fiscal decentralisation (local governments lack capacity to match new mandates); public-private partnerships (complex risk structures ill-understood by traditional audit); cybersecurity threats (most audit units have no IT capability); and post-pandemic fiscal pressures (increased risk of off-budget expenditures). Internal audit must evolve from fraud detection to building systemic resilience.
3. The Core Framework: The Outcome, Risk and Capability Nexus
The nexus shifts the audit lens from transactions to outcomes. It has three dimensions:
- Outcome: What PFM seeks to achieve (e.g., reduced maternal mortality).
- Risk: What threatens that outcome (e.g., medicine stock-outs, worker absenteeism).
- Capability: Whether the entity has the right people, processes, systems, and culture to manage those risks.
The power of the nexus lies in the interaction. Internal audit should not automatically rush to the highest-risk areas. It should rush to the intersection of high-outcome importance, high risk, and weak capability—because that is where the greatest threat to PFM effectiveness lies.
Why Traditional Risk-Based Auditing Falls Short: It defines risk too narrowly (missing strategic failures), equates high-risk with high-impact (ignoring catastrophic low-probability events), and ignores capability assessment (treating strong and weak entities the same).
Applying the Nexus in Audit Planning – Four Steps:
- Define the intended government outcome.
- Identify risks that would materially undermine that outcome.
- Assess capability gaps across people, processes, systems, and culture.
- Prioritise engagements where low capability meets high outcome risk.
Example: A district road maintenance programme. Traditional audit would prioritise fund diversion (adequate capability). The nexus prioritises contractor performance and routine maintenance culture (weak capability with high outcome risk).
4. Technology as an Enabler
Technology transforms the nexus from a planning tool into an operational system. CAATs, ACL, IDEA, and open-source analytics enable real-time outcome-risk mapping, continuous risk indicators, and data-driven capability scoring. Automated reconciliations match transactions across systems daily. Blockchain offers immutable procurement audit trails and smart contracts. However, none of this is possible without IT audit capacity. Every public entity needs at least one certified IT auditor. ICPAU should prioritise IT audit in Continuing Professional Development (CPD) programmes.
5. Competency Shifts: From Checklist to Strategic Advisor
The future-ready auditor needs six competencies: data literacy (reading and analysing data); forensic skills (investigating fraud indicators); outcome-risk mapping (linking outcomes, risks, and capability); critical thinking (questioning assumptions, seeking disconfirming evidence); communication with audit committees (plain language, dashboards, actionable recommendations); and CPD (ICPAU should reform CPD to include mandatory nexus training).
6. Governance and Independence: Making the Nexus Mandated
The nexus must be embedded in governance frameworks. Alignment with the Global Internal Audit Standards (2024) is essential—these Standards are principles-based and outcome-focused, highly compatible with the Nexus. Audit charters should be revised to mandate the nexus methodology, outcome focus, capability assessment, technology access, and competency requirements.
PFM regulations should require outcome-focused audit planning, nexus-based reporting, and IT access. Auditor autonomy must be strengthened across administrative, scope, access, and reporting dimensions. Reporting lines should place internal audit functionally under the Audit Committee (not the Accounting Officer), aligned with Global Standards.
7. Collaborative Assurance: Breaking Silos
Nexus insights lose value if confined to a single audit unit. Coordination with the Office of the Accountant General (OAG) enables joint planning, shared risk registries, and reliance on internal audit work. Nexus findings inform value-for-money audits by highlighting programs with high-outcome importance and weak capability. Reporting to the Public Accounts Committee (PAC) should use a Nexus format (outcome, risk, capability gap, required action) rather than dense compliance paragraphs. Coordination with anti-corruption agencies allows referral of capability gaps that enable fraud. Shared audit platforms (unified data access, shared workpapers, dashboards) are the technological backbone of collaborative assurance.
8. Practical Roadmap: Five Actions for PFM Leaders
- Pilot the nexus on one high-priority government program within 14 weeks.
- Develop a simple capability scoring matrix (1–5) for key PFM processes across people, processes, systems, and culture.
- Train audit staff on outcome-risk mapping and capability assessment (minimum 5 days; ICPAU-accredited).
- Integrate Nexus findings into quarterly audit committee reports using a dashboard and heat map format.
- Review and refine based on feedback from Accounting Officers and PAC through an annual methodology review.
9. The Auditor as a Catalyst for PFM Reform
The traditional audit model—backward-looking, compliance-focused, transaction-based is obsolete. The nexus-enabled auditor provides not just assurance on the past, but insight into the present and foresight about the future. ICPAU is called upon to adopt the nexus as recommended practice, integrate it into professional qualifications, accredit training, and establish a public sector audit community of practice. The Ministry of Finance must revise PFM regulations, mandate nexus-based reporting, allocate resources, and establish a central internal audit support unit. Accounting Officers and Audit Committees must champion the nexus, respond to capability gaps, invest in audit capacity, and focus on impact. The methodology is ready. The roadmap is clear. The only question is: Will you embrace change?
Future proofing internal audit for PFM effectiveness will be addressed in detail at the 4th Public Finance Management (PFM) Conference scheduled for 6 – 8 May 2026. To participate in this conversation, register for the Conference via https://www.icpau.co.ug/icpau-events/4th-pfm-annual-conference
