This blog post takes a quick look at pension risk for experienced internal auditors. It is a specialist area, although some aspects such as pension scheme governance are well within the remit of generalist internal auditors.
EU Directive 2016/2341 (commonly known as “IORP II”) became European Union law at the beginning of 2017 with a requirement for the UK Government to implement it into UK law by 13 January 2019. It sets common standards for ensuring the soundness of occupational pensions and better protects pension scheme members and beneficiaries. Included within this is the requirement for trustees to have in place “an effective system of governance which provides for sound and prudent management … and shall be subject to regular internal review.” The EU Directive also requires occupational pension schemes to have an internal audit function.
But what is the role of internal audit within pension schemes? As per article 26, “the internal audit function shall include an evaluation of the adequacy and effectiveness of the internal control system and other elements of the system of governance, including where applicable, outsourced activities.”
Internal audit can have a much wider scope than the statutory audit, covering non-financial processes and controls that are not directly relevant to financial reporting, for example member communications and trustee governance. The scope and nature of internal audit work can be tailored to meet trustee requirements.
There are two great sources of information for pension risk.
Firstly, an ICAEW paper published in March 2019 called Occupational Pension Scheme Governance – Assurance about Internal Controls. The paper describes how independent audit assurance can play a part in the governance of UK pension arrangements and identifies seven key questions to help assess trustee assurance arrangements. The paper also recognises the need for assurance mapping to ensure that internal audit is not used as a substitute for the first and second lines where resources are limited.
The seven key questions are:
Secondly, the Pensions Regulator website sets out expectations in terms of what the regulator deems to be good governance. In 2017, the Pensions Regulator launched their 21st century trusteeship campaign. This was launched to provide increased support to trustees by being clearer in terms of the regulator’s expectations. In order to improve the governance process across pension schemes, the regulator has focused on the following areas:
The regulator's website provides more details for each of the bullets captured above. It also includes a section on the nine internal controls that meet the regulator's expectations of how occupational pension schemes should satisfy the legal requirement to have adequate internal controls in place.
There is good information readily available for internal auditors. So there really is no justification for internal audit not to be able to provide assurance based on what good pension scheme governance looks like and what the expectations of the regulator are. Don’t forget to assess your own competency before starting any work in this area though - remember Standard 1210!