Pension risk for internal auditors

This blog post takes a quick look at pension risk for experienced internal auditors. It is a specialist area, although some aspects such as pension scheme governance are well within the remit of generalist internal auditors.


Internal audit's enhanced role in pension scheme auditing

EU Directive 2016/2341 (commonly known as “IORP II”) became European Union law at the beginning of 2017 with a requirement for the UK Government to implement it into UK law by 13 January 2019. It sets common standards for ensuring the soundness of occupational pensions and better protects pension scheme members and beneficiaries. Included within this is the requirement for trustees to have in place “an effective system of governance which provides for sounds and prudent management……and shall be subject to regular internal review. The EU Directive also requires occupational pension schemes to have an internal audit function.

But what is the role of internal audit within pension schemes? As per article 26, “the internal audit function shall include an evaluation of the adequacy and effectiveness of the internal control system and other elements of the system of governance, including where applicable, outsourced activities.”

Internal audit can have a much wider scope than the statutory audit, covering non-financial processes and controls that are not directly relevant to financial reporting for example member communications and trustee governance. The scope and nature of internal audit work can be tailored to meet trustee requirements.


Where should Internal Auditors go to understand expectations?

There are two great sources of information for pension risk.

Firstly, an ICAEW paper published in March 2019 called Occupational Pension Scheme Governance – Assurance about Internal Controls. The paper describes how independent audit assurance can play a part in the governance of UK pension arrangements and identifies seven key questions to help assess trustee assurance arrangements. The paper also recognises the need for assurance mapping to ensure that internal audit is not used as a substitute for the first and second lines where resource are limited.

The seven key questions are:

  1. Does your scheme have a risk register which addresses key risks, mitigating controls and sources of assurance?
  2. Have you considered developing an assurance map to evaluate the required quality and quantity of assurance over each key risk in the trustee arrangements?
  3. Do you understand the scope and limitations of the statutory audit?
  4. Can your statutory auditor provide additional assurance services?
  5. Have you considered appointing an internal auditor?
  6. Does your internal audit function have a clear remit, for example an internal audit charter?
  7. Do your service organisations provide internal controls assurance reports and if so, do you understand the scope of these reports, the extent to which they apply to your scheme and their limitations?

Secondly, the Pensions Regulator website sets out expectations in terms of what the regulator deems to be good governance. In 2017, the Pensions Regulator launched their 21st century trusteeship campaign. This was launched to provide increased support to trustees by being clearer in terms of the regulator’s expectations. In order to improve the governance process across pension schemes, the regulator has focused on the following areas:

  • clear roles and responsibilities and clear strategic objectives
  • a skilled, engaged and diverse board led by an effective chair
  • close relationships with employers, advisers and others involved in running the scheme
  • sound structures and processes focused on outcomes
  • a robust risk management framework focused on key risks

The regulator's website provides more details for each of the bullets captured above. Furthermore, the regulator's website also includes a section on the nine internal controls that satisfy the regulators expectations on how occupational pension schemes should satisfy the legal requirement to have adequate internal controls in place.

There is good information readily available for internal auditors. So there really is no justification for internal audit not to be able to provide assurance based on what good pension scheme governance looks like and what the expectations of the regulator are. Don’t forget to assess your own competency before starting any work in this area though - remember Standard 1210! 

Content reviewed: 13 May 2021