
Managing risk using internal controls


Early draft of the code of practice

This code is not in force yet. It is an early version for the new code of practice consultation.

To give us feedback on issues such as the design, usability and navigation of this code, email us at

You can also read more information about the consultation.

Published: 17 March 2021

Under section 249A of the Pensions Act 2004,[MN1] governing bodies of certain schemes must establish and operate an effective system of governance (see Scheme governance) including internal controls. However, there are certain exemptions.[MN2]

Under section 249B of the Pensions Act 2004, scheme managers of public service pension schemes[MN3] are required to establish and operate internal controls which are adequate for the purpose of securing that the scheme is administered and managed in accordance with the scheme rules,[MN4] and with the requirements of the law.

Internal controls refer to all the following:

  • the arrangements and procedures to be followed in the administration and management of the scheme
  • the systems and arrangements for monitoring that administration and management
  • the arrangements and procedures to be followed for the safe custody and security of the assets of the scheme

The legal responsibility in relation to internal controls rests with the governing body. In relation to public service pension schemes, “governing bodies” in this module refers to scheme managers. Even if functions or activities are delegated to advisers or service providers, accountability still resides with the governing body. Learn more in Managing advisers and service providers.

Governing bodies should ensure that their internal controls are documented. The extent of documentation will depend on the size, scale, nature and complexity of the activities of the scheme.

A scheme’s internal controls should be reviewed at least annually. However, the review of controls can be staggered if they address different areas of a scheme’s operations or governance. Reviews should also be carried out when substantial changes take place. These include changes to pension scheme personnel, service providers, scheme advisers, or administration and other IT systems. Similarly, reviews should take place if a control is not working as intended or if there is a deterioration in funding in schemes which are subject to Part 3 of the Pensions Act 2004.

A persistent failure to put in place internal controls could be a cause of an administrative breach. If this failure is likely to be of material significance to TPR in carrying out any of our functions, we would expect to receive a breach of law report. Learn more about reporting breaches in Decision to report.

Governing bodies should carry out a prior risk assessment to understand the various risks facing the scheme and its members. We also expect that the process for monitoring, recording and mitigating risk is closely integrated with the operation of internal controls (see Identifying and assessing risks).

Governing bodies should ensure they design internal controls that ensure the scheme is managed in accordance with the law and the scheme rules. The internal controls should also:

  • include a clear separation of duties for those performing them, and processes for escalation and decision-making
  • require the exercise of judgement where appropriate, in assessing the risk profile of the scheme and in designing appropriate controls
  • be integrated into the decision-making processes of the governing body

The rest of our expectations for internal controls can be found below.

Maintaining internal controls

When designing internal controls consider:

  • how the control will be implemented and the skills of the person performing the control
  • the level of reliance that can be placed on information technology solutions where processes are not automated
  • whether a control is capable of preventing future recurrence or merely detecting an event that has already happened
  • the frequency and timeliness of a control process
  • how the control will ensure that data are managed securely
  • the process for identifying errors or control failures, and approval and authorisation controls

Glossary and legal references

Governing bodies

Trustees or managers of an occupational pension scheme which is subject to the requirements under section 249A of the Pensions Act 2004. In the case of a public service pension scheme subject to the requirements under section 249B of the Pensions Act 2004, governing bodies refer to scheme managers.

Public service pension scheme

A scheme established under section 1 of the Public Service Pensions Act 2013

Sponsoring employer

The employer, or employers, responsible for making payments to a pension scheme. See our Statement on identifying your statutory employer.

MN1: Article 226A of the Pensions (Northern Ireland) Order 2005

MN2: Section 249A(3) of the Pensions Act 2004
[Article 226A(3) of the Pensions (Northern Ireland) Order 2005]

MN3: As defined in section 318(1) of the Pensions Act 2004
[Article 2(2) of the Pensions (Northern Ireland) Order 2005]

MN4: As defined in section 318(2) of the Pensions Act 2004
[Article 2(3) of the Pensions (Northern Ireland) Order 2005]