What does SASRA expect from a SACCO's internal audit function?

SASRA, the SACCO Societies Regulatory Authority, expects every regulated SACCO to maintain an internal audit function that is independent of management and reports to the board, usually through an audit committee. In practice that means a risk-based audit plan the board approves, regular fieldwork across the SACCO's main risks, findings tracked to closure, and reporting the board can act on. Smaller SACCOs often cannot staff this fully on their own, which is where co-sourcing helps. This guide explains what is expected, and how to deliver it without overreaching your budget.


Murikah

Independent assurance and AI governance

For many SACCOs, the hard part is not understanding that internal audit is expected. It is delivering a credible function on a tight budget, with people who are stretched. The good news is that the expectation is about substance, not size.

What SASRA requires

SASRA, the SACCO Societies Regulatory Authority, regulates deposit-taking and specified non-deposit-taking SACCOs in Kenya. It expects a SACCO to maintain an internal audit function that is independent of management and reports to the board. Independence and reporting line are the heart of it: the board needs assurance it can trust, from someone who does not answer to the managers being reviewed.

What a SACCO internal audit covers

A good plan is risk-based, which means it starts from your SACCO’s real risks rather than a generic list. In practice it usually spans:

  • Lending, credit appraisal and loan classification
  • Savings, deposits and member data
  • The core banking system, user access and IT general controls
  • Cash handling and reconciliations
  • Governance, and compliance with SASRA rules and the Data Protection Act

The board approves the plan, and the work through the year gives the board evidence that controls are actually operating.

Co-sourcing when you cannot staff it fully

Most SACCOs do not need, and cannot justify, a large in-house audit department. Co-sourced internal audit lets you deliver the full plan with an experienced partner, at a cost that matches your size. You keep ownership and the board reporting line; we bring the method, the people and the platform. As your SACCO grows, you can take more of the work in-house. If you are weighing the options, our guide on co-sourced or outsourced internal audit lays out the choice.

Reporting to the board and the audit committee

Reporting is where internal audit earns its keep. Findings should be rated, owned and tracked to closure, and the board pack should be clear enough to act on without wading through detail. Running the work on Assurance OS means the quarterly board report comes from live data rather than a scramble of spreadsheets.

How Murikah supports SACCOs

We deliver co-sourced and outsourced internal audit for SACCOs, aligned to SASRA expectations and the IIA Global Internal Audit Standards, on a platform your board and your regulator can rely on. The aim is a function that is credible, affordable, and genuinely useful to your board.

This is general information, not regulatory advice. Confirm specific obligations with SASRA and qualified advisers.

Frequently asked questions

Does SASRA require SACCOs to have internal audit?

Yes. Regulated SACCOs are expected to have an internal audit function that is independent of day-to-day management and reports to the board, normally through an audit committee. The point is assurance: the board needs an independent view of whether controls are working, separate from the managers who run them.

What should a SACCO internal audit cover?

A risk-based plan typically covers lending and credit, savings and deposits, the core banking system and IT controls, cash handling, governance, and compliance with SASRA requirements and the Data Protection Act. The plan should be driven by where the real risks are for your SACCO, not a generic checklist, and the board should approve it.

We are a small SACCO and cannot afford a full team. What are our options?

Co-sourcing is the usual answer. Rather than hiring a full internal audit department, you bring in a partner to deliver the plan with you, keeping costs proportionate to your size. You still report to your board as if the function were in-house, because in effect it is, and you can take more of it in-house as you grow.

Who should internal audit report to in a SACCO?

Functionally to the board, usually through the audit committee, and only administratively to management. That reporting line is what protects the function's independence, so that auditors can raise uncomfortable findings without pressure from the people they are auditing.
