Skip to main content

Your browser is out of date, and unable to use many of the features of this website

Please upgrade your browser.


This website requires cookies. Your browser currently has cookies disabled.

Assurance reports on internal controls

General code in force: 28 March 2024

  1. Under section 249A of the Pensions Act 20041, governing bodies of certain schemes must establish and operate an effective system of governance (see Systems of governance) including internal controls (see Internal controls). However, there are certain exemptions2. The system of governance must be proportionate to the size, nature, scale, and complexity of the activities of the scheme.
  2. Under section 249B of the Pensions Act 20043, scheme managers of public service pension schemes4 are required to establish and operate internal controls, which are adequate for the purpose of securing that the scheme is administered and managed in accordance with the scheme rules5 and with the requirements of the law.
  3. Assurance reporting is the process through which the different processes, procedures, and the operations of an entity are analysed. The governing body may consider using assurance reports to assess whether the scheme or a service provider meets the relevant legislative requirements on internal controls.
  4. Assurance reporting may be carried out by resources that the governing body has available in-house or by a participating employer(s). Service providers may be able to provide assurance reporting on their own internal controls. It is also possible for the governing body or service providers to commission assurance reporting from independent third parties.
  5. There are various assurance frameworks that may be suitable for use for aspects of pension scheme operations. We set out some examples of assurance reporting the governing body may choose to use below.

Statutory audit

  1. The governing body of most occupational pension schemes will be familiar with the annual statutory audit6 (see Audit requirements). But the governing body should not rely solely on the output of the audit as a means of assurance reporting. It provides assurance about a limited number of financial elements, but it does not for example, communicate that benefits are being paid correctly.
  2. Under certain circumstances, the statutory auditor may be prepared and able to carry out an audit with a wider scope. However, this may be limited by their profession’s ethical guidelines. For example, a statutory auditor cannot hold the office of ‘internal auditor’.

Internal audit

  1. Some governing bodies may have access to internal auditors within a participating employer, or within the scheme, who could provide scrutiny to a similar level as an independent external assessment.
  2. The scope and nature of internal audit work can be tailored to meet the requirements of the governing body. This type of audit may include financial and non-financial processes and controls. If selecting a suitable internal auditor, the governing body should consider:
    1. the candidate’s independence
    2. any actual or potential conflicts of interest (see Conflicts of interest)
    3. the candidate’s knowledge of the subject
    Note: Not all internal auditors within a sponsoring employer will have sufficient pensions knowledge to perform an adequate assessment of all scheme operations.

Assurance reporting by service providers

  1. Some service providers may be able to supply assurance reports about their own operations. The governing body should read and understand assurance reports provided by service providers to establish if the controls used by the organisations that they outsource various functions to are adequate. This will also include assurance reports produced by the scheme’s investment manager and custodian.
  2. The governing body should satisfy themselves of the scope of such reports and the degree to which these are applicable. For example, whether the reports cover the specific team or office providing services to the scheme.

Assurance reporting commissioned by the governing body

  1. The governing body may, from time to time, decide to commission assurance reports for some aspect of scheme operation. Before commissioning or relying on any assurance report, the governing body should understand the limits of each type of assurance, the limits to the scope of any assurance process, and how any assurance might play a part in the scheme’s internal controls framework.
  2. For each assurance report, the governing body should:
    1. consider the process for appointing service providers. See Managing advisers and service providers.
    2. understand the scope, methodology and supporting evidence used as the basis for the assurance report
    3. recognise the control objectives that have been included, excluded, or modified in any assessment, and how the scope is relevant to the scheme
    4. understand the level of interrogation that has been carried out in assessing the scheme, for example if a site visit was carried out
    5. identify and act upon any issues or concerns they consider to be material

Legal references

1 Articles 226A of The Pensions (Northern Ireland) Order 2005

2 Section 249A(3) of the Pensions Act 2004 [Article 226A(3) of The Pensions (Northern Ireland) Order 2005]

3 Articles 226B of The Pensions (Northern Ireland) Order 2005

4 As defined in section 318(1) of the Pensions Act 2004 [Article 2(2) of The Pensions (Northern Ireland) Order 2005]

5 As defined in Section 318(2) of the Pensions Act 2004 [Article 2(3) of The Pensions (Northern Ireland) Order 2005]

6 Section 47(1)(a) of the Pensions Act 1995 with exemptions in Regulation 3 of the Occupational Pension Schemes (Scheme Administration) Regulations 1996 (SI 1996/1715) [Exemption in Regulation 3 of the Occupational Pension Schemes (Scheme Administration) Regulations (Northern Ireland) 1997 (SR 1997 No. 94 N.I.)]