Skip to main content

Your browser is out of date, and unable to use many of the features of this website

Please upgrade your browser.


This website requires cookies. Your browser currently has cookies disabled.

Assurance of governance and internal controls


Early draft of the code of practice

This code is not in force yet. It is an early version for the new code of practice consultation.

To give us feedback on issues such as the design, usability and navigation of this code, email us at

You can also read more information about the consultation.

Published: 17 March 2021

Under section 249A of the Pensions Act 2004,AS1 governing bodies of certain schemes must establish and operate an effective system of governance (see Scheme governance) including internal controls (see Managing risk using internal controls). However, there are certain exemptions.AS2

Under section 249B of the Pensions Act 2004, scheme managers of public service pension schemesAS3 are required to establish and operate internal controls which are adequate for the purpose of securing that the scheme is administered and managed in accordance with the scheme rules,AS4 and with the requirements of the law.

In relation to public service pensions schemes, governing bodies in this module refer to scheme managers but not to pensions boards.

There are various assurance frameworks suitable for use in relation to pension scheme operations. Governing bodies should understand the limits of each type of assurance, and the limits to the scope of any assurance process and how each can play a part in the internal controls framework of a scheme.

For each assurance report, the governing body should:

  • consider the process for appointing service providers. See Managing advisers and service providers.
  • understand the scope, methodology and supporting evidence used in making an assurance report
  • recognise the control objectives that have been included, excluded or modified in any assessment and how the scope is relevant to their scheme
  • understand the level of interrogation that has been carried out in assessing the scheme, for example if a site visit was carried out
  • identify and act upon any issues or concerns they consider to be material

Statutory audit

Most governing bodies of occupational pension schemes will be familiar with the annual statutory auditAS5 (see Audit requirements). But governing bodies should not solely rely on the output of the audit as a means of assurance reporting. It provides assurance about a limited number of financial elements, but it does not, for example, communicate that benefits are being paid correctly.

Under certain circumstances, the statutory auditor may be prepared and able to undertake an audit with a wider scope. However, this may be limited by their profession’s ethical guidelines. For example, statutory auditors cannot hold the office of ‘internal auditor’.

Internal audit

The scope and nature of internal audit work can be tailored to meet the requirements of the governing body. The audit may include financial and non-financial processes and controls. When selecting a suitable internal auditor, the governing body should consider:

  • the candidate’s independence
  • any actual or potential conflicts of interest (See Conflicts of interest)
  • the candidate’s knowledge of the subject

Governing bodies may have access to internal auditors within a participating employer who could provide similar scrutiny to an independent external assessment. This is a different role to the internal audit function that we discuss in Managing risk using internal controls.

Note: Not all internal auditors within a sponsoring employer will have sufficient pensions knowledge to perform an adequate assessment of all scheme operations.

Assurance reporting by service providers

Some service providers may be able to supply assurance reports about their own operations. The governing body should satisfy themselves of the scope of such reports and the degree to which these are applicable. For example, whether the reports cover the specific team or office providing services to the scheme.

Glossary and legal references

Governing bodies

Trustees or managers of an occupational pension scheme which is subject to the requirements under section 249A of the Pensions Act 2004. In the case of a public service pension scheme subject to the requirements under section 249B of the Pensions Act 2004, governing bodies refer to scheme managers.

Internal controls

  • arrangements and procedures to be followed in the administration and management of the scheme
  • systems and arrangements for monitoring that administration and management, and
  • arrangements and procedures to be followed for the safe custody and security of the assets of the scheme. See Section 249A of the Pensions Act 2004.

AS1Articles 226A of the Pensions (Northern Ireland) Order 2005

AS2Section 249A(3) of the Pensions Act 2004
[Article 226A(3) of The Pensions (Northern Ireland) Order 2005]

AS3As defined in in section 318(1) of the Pensions Act 2004
[Article 2(2) of The Pensions (Northern Ireland) Order 2005]

AS4As defined in Section 318(2) of the Pensions Act 2004
[Article 2(2) of The Pensions (Norther Ireland) Order 2005]

AS5Section 47(1)(a) of the Pensions Act 1995 with exemptions in Regulation 3 of the Occupational Pension Schemes (Scheme Administration) Regulations 1996 (SI 1996/1715)
[Exemption in The Occupational Pension Schemes (Scheme Administration) Regulations (Northern Ireland) 1997 (SR 1997 No. 94 N.I.)]