The European Pensions Directive IORP II (“the Directive”) requires occupational pension schemes to have an internal audit function. The Directive came into effect in UK law in January 2019 with regulations requiring schemes to have an effective documented system of governance including a requirement to have internal controls proportionate to the size and complexity of the scheme, and to the nature of the risks to which it is exposed. This applies to schemes set up under trust and regulated by the Pensions Regulator (TPR).
The Directive identifies details for consideration under the heading of internal controls as including the custody and control of assets, internal audit and reporting lines.
Internal controls are not a new concept for trustees of UK occupational pension schemes; tPR’s expectations are already enshrined in Code of Practice 9, which came into force in November 2006. TPR will review its Code of Practice and set out how trustees can meet the requirements of the new Directive; guidance is expected later in 2019. One of the key new aspects of governance on its way is internal audit.
So what does the Directive mean by ‘internal audit’? Firstly, internal audit should not be confused with the statutory external audit, where a scheme’s auditor provides an independent opinion on the statutory financial statements of the pension scheme. It is important for trustees to understand the extent and scope of the statutory audit, which does not automatically extend to include confirmation that benefits paid are correct. Auditors may offer to extend the scope of the statutory audit to provide some assurances on calculations.
An internal audit of the type envisaged by the Directive has a far wider scope and includes non-financial processes and controls such as member communication and trustee governance. Trustees will need to decide on the scope of their internal audit and identify a suitable audit provider taking into account conflicts of interest, independence, knowledge of pensions and professional and technical experience in undertaking audits. It is likely that areas of review will be tackled over more than one scheme year, the trustees having prioritised the risks to the scheme. The internal audit review could be provided by an ‘in-house’ function provided by the scheme sponsor or independently by an external third party giving assurance e.g. an audit firm.
The Institute of Chartered Accountants in England a Wales (ICAEW) suggests that trustees establish an internal audit charter with its internal audit function in order to describe what activities will be carried out and the value this adds to the scheme.
Whilst we all await guidance from TPR, trustees can begin to consider the steps they will take to comply:
+ Annually review their providers’ independent audit reports? For example, many third party administrators and investment managers produce AAF 01/06 reports, which include an independent assurance report from an audit firm; and
+ Ensure their risk register covers key risks and mitigations. These should be reviewed frequently and given sufficient management time as risks can change. Actions flowing out of risk register reviews must be recorded, responsibility allocated, followed up and completed; and
+ Identify the priority areas to be reviewed, consider budgets and investigate sources of independent audit assurance.
Associate and Senior Pension Management Consultant
Barnett Waddingham LLP