Maintenance of IT systems


Early draft of the code of practice

This code is not in force yet. It is an early version for the new code of practice consultation.

To give us feedback on issues such as the design, usability and navigation of this code, email us at

You can also read more information about the consultation.

Published: 17 March 2021

Governing bodies should have a process for ensuring the transmission of information. Having put the appropriate IT systems in place (see also Financial transactions and Scheme records), it is important that they are reviewed and maintained regularly.

Under section 249A of the Pensions Act 2004, [MI1] governing bodies of certain schemes must establish and operate an effective system of governance (see Scheme governance) including internal controls (see Managing risk using internal controls). However, there are certain exemptions. [MI2]

Under section 249B of the Pensions Act 2004, [MI3] scheme managers of public service pension schemes [MI4] are required to establish and operate internal controls which are adequate for the purpose of securing that the scheme is administered and managed in accordance with the scheme rules, [MI5] and with the requirements of the law.

Internal controls processes should ensure that IT systems are able to meet the scheme’s current needs and legal requirements. Governing bodies should take steps to ensure that their service providers are able to demonstrate they meet our expectations for maintaining IT systems as listed below.

Standards for maintaining IT systems

  • Ensure cyber security measures and procedures are in place and functioning. Learn more in Cyber controls.
  • Record evidence of how changes are planned and executed within the system.
  • Put a written policy in place for maintaining, upgrading, and replacing hardware and software.
  • Provide evidence to show there is a schedule for the system to be replaced or updated, for example to reflect changes to tax thresholds.
  • Assign adequate and sufficient hardware and personnel resources, with appropriate functionality and/or skills, to carry out the work.
  • Secure evidence that the IT system can meet the current and anticipated physical system requirements.
  • Manage planned and potential future upgrades within the administration system.

Glossary and legal references

Internal controls

  • arrangements and procedures to be followed in the administration and management of the scheme,
  • systems and arrangements for monitoring that administration and management, and
  • arrangements and procedures to be followed for the safe custody and security of the assets of the scheme (Section 249A of the Pensions Act 2004)


Information technology. The systems (especially computers and telecommunications) used for storing, retrieving, and sending information.

[MI1] Article 226A of The Pensions (Northern Ireland) Order 2005

[MI2] Section 249A(3) of the Pensions Act 2004
[Article 226A(3) of The Pensions (Northern Ireland) Order 2005]

[MI3] Article 226B of The Pensions (Northern Ireland) Order 2005

[MI4] As defined in section 318(1) of the Pensions Act 2004
[Article 2(2) of The Pensions (Northern Ireland) Order 2005]

[MI5] As defined in section 318(2) of the Pensions Act 2004
[Article 2(3) of The Pensions (Northern Ireland) Order 2005]