This guidance aims to help trustees understand how different sources of assurance can contribute to the assessment of controls designed to mitigate risk. In particular, it looks at how internal audit and the audit of financial statements can play a part in the governance of UK pension arrangements.
This guide addresses pension schemes regulated by the Pensions Regulator (TPR) that are run by a governing body. The governing body may consist of trustees or, in the case of a public service pension scheme, the scheme manager.
TPR’s General Code of Practice (General Code) sets out how the governing body should establish an effective system of governance (ESOG), including robust internal controls. For schemes with more than 100 members, the governing body is required to prepare a triennial own risk assessment (ORA). Authorised master trusts must submit annual supervisory returns to TPR instead of preparing an ORA.
"Assurance reporting is the process through which the different processes, procedures and the operations of an entity are analysed. The governing body may consider using assurance reports to assess whether the scheme or a service provider meets the relevant legislative requirements on internal controls."
It is important to understand the different sources of reporting and the extent to which they play a part in the assessment of controls designed to mitigate risk. This guide describes the role of independent audit and assurance in the governance of UK pension arrangements, including financial statements audit, internal audit and other sources of assurance. It concludes with key questions for governing bodies to consider.
Financial statements audit
For the purposes of this guidance, financial statements audit refers to the audit of the financial statements of a pension scheme (as opposed to the audit of sponsor entity financial statements).
A financial statements audit is designed to provide the governing body with an independent opinion about the pension scheme’s annual financial statements and, in most cases, an opinion about contributions payable to the scheme.
The financial statements audit has a limited scope and, to properly understand the assurance it provides, it is important that the governing body communicates effectively with its auditor. The auditor can explain concepts such as ‘true and fair’ and ‘materiality’ to the governing body. Furthermore, pension scheme financial statements do not include liabilities to pay pensions and benefits after the end of the scheme year, so these liabilities are not within the audit scope.
For example, it is a common misconception that the financial statements audit confirms that the benefits paid are correct. This is a very wide assertion, which in many respects is beyond the scope of the financial statements audit required by legislation. There are also different levels of materiality to consider. The level of materiality of the financial statements (the threshold above which misstatements could influence the decisions of their users) can be very different to a governing body’s risk appetite (such as the risk of incorrect payments being made to individual members) in respect of benefit calculations. Similarly, the governing body should understand the asset valuation materiality that is relevant to the financial statements audit.
To understand the audit’s scope, the governing body should also be clear about the difference between the audit of the financial statements and ‘other information’ included in the annual report.
"In connection with our audit of the financial statements, our responsibility is to read the other information and, in doing so, consider whether the other information is materially inconsistent with the financial statements or our knowledge obtained in the audit or otherwise appears to be materially misstated."
However, there are circumstances in which the financial statements auditor can be instructed to offer extended assurance services to the governing body over and above the financial statements audit. It is important that the financial statements auditor explains the extent to which this can be provided without breaching auditor independence requirements.
Internal audit
An internal audit can have a much wider scope than the financial statements audit, covering non-financial processes and controls that are not directly relevant to financial reporting (or are directly relevant but have different thresholds of materiality). The scope and nature of internal audit work can be tailored to meet the governing body’s requirements.
Examples might include:
- board effectiveness;
- risk management;
- stakeholder communication;
- benefit calculations;
- record keeping;
- treasury management; and
- cyber security.
Ethical standards prevent the financial statements auditor from holding the office of internal auditor. In selecting a suitable candidate for the internal auditor position, the governing body should consider conflicts of interest, independence, knowledge of the subject matter and professional experience in auditing and reporting techniques. The required skills may be different to those for a financial statements audit and are likely to be broader than financial reporting. The scheme sponsor’s internal audit function may be able to provide staffing.
Only the largest schemes are likely to have their own in-house, full-time internal audit function. Therefore, the use of the sponsor’s internal audit function or co-sourcing arrangements with third-party auditors and other specialists can be considered.
Every pension scheme is different and has unique objectives, challenges and risks. As explained in the General Code, the risk management function is likely to have a good understanding of these and it may be appropriate for it to agree an internal audit charter with the internal audit function. A charter is one way to agree and describe how the internal audit function will provide value to the scheme, the nature of the services it will provide, and the specific focus or emphasis required to help the scheme achieve its objectives. Where a risk management function is not required, an internal audit charter could be agreed with the governing body directly.
Having an internal audit charter also formalises the internal audit role within the scheme. This includes:
- the reporting lines;
- authorising access to records, personnel and physical properties relevant to the performance of engagements; and
- defining the scope of internal audit activities.
This can be important for a number of the governing body’s duties, including in relation to data privacy and data sharing. It can also be a reference point for measuring the internal audit function’s effectiveness.
Other independent assurance and alternatives
ICAEW has produced Technical Releases that provide guidance on other types of assurance engagements commonly used in the pension sector. If reliance is to be placed on these reports, it is important that users read them in full to understand their scope, the extent to which they provide assurance and their limitations. ICAEW Chartered Accountants undertaking this work are expected to demonstrate the highest standards of professional conduct and are bound by a Code of Ethics.
The governing body may also receive assurance reports from its service organisations, such as the pensions administrator, investment managers and investment custodians. These reports are typically produced annually by the service organisation and include an assurance report from an independent service auditor. See ICAEW’s Assurance reports on internal controls of service organisations made available to third parties.
Many trustees of master trusts have adopted governance assurance reporting. These reports are typically produced annually by the trustees and include an assurance report from an independent service auditor. See ICAEW’s Assurance reporting on master trusts.
Some professional trustee organisations obtain assurance reports over their administrative and accounting procedures in relation to their own business operations for providing pensions trustee services. These reports are typically produced annually by the trustees and include an assurance report from an independent service auditor. See ICAEW’s Assurance reporting on relevant trustees.
An alternative to an assurance report might be an ‘agreed upon procedures’ engagement under ISRS 4400 (Revised), whereby those charged with governance might agree a specific set of procedures. This can be a valuable alternative source of assurance to the pension scheme governing body.
The pension scheme governing body may also gain comfort from relevant industry accreditations obtained by those supplying services to their scheme. These may include, for example:
- International Organization for Standardization (ISO) certifications (such as for IT/Cyber, business continuity and quality management systems);
- Cyber Essentials (IT/Cyber); and
- System and Organisation Controls Type 2 (SOC 2) reporting (IT/Cyber).
Risk management framework and assurance mapping
A trustee board can agree a risk management framework to define risk tolerance, responsibilities and activities, and set the timetable for reviewing and monitoring controls. It could, therefore, set out how the actions required under the General Code module for identifying, evaluating and recording risks are performed.
Assurance mapping is a mechanism that can link assurance obtained from various sources to the risks that threaten the achievement of the pension scheme’s outcomes and objectives. Maps can be produced at various levels of detail, depending on scope, and can include details of different kinds of assurance beyond that provided by external and internal audit alone.
The three lines of defence model can help to identify and understand the contributions the various sources can provide.
- First line of defence: functions that own and manage risks. This line is made up of operational management who are responsible for identifying, assessing, controlling and mitigating risks on a day-to-day basis.
- Second line of defence: the various risk control and compliance oversight functions established by management.
- Third line of defence: functions that provide independent assurance. Independent auditors provide assurance to the governing body and pension management team on the effectiveness of governance, risk management and internal controls, including the way in which the first and second lines of defence are working.
This approach ensures that independent audit is not used as a substitute for the first two lines of defence where internal resources are limited.
Defining the sources of assurance in three broad categories may help governing bodies to understand how each contributes to the overall level of assurance provided, as well as how best they can be integrated and mutually supportive. Using the three lines of defence model can also show whether there may be a need to redirect audit and other resources in a different way using a properly shaped assurance framework.
Sometimes, when an existing internal audit function is operating in the entity as the third line, external independent auditors are described as the fourth line of defence.
Key questions to help the governing body
- Does your scheme have a risk register that addresses key risks, mitigating controls and sources of assurance, and is regularly reviewed?
- Have you considered developing an assurance map to evaluate the required quality and quantity of assurance over each key risk in the scheme’s arrangements?
- Do you understand the scope and limitations of the financial statements audit?
- Can your financial statements auditor provide additional assurance services?
- Have you considered appointing an internal auditor?
- Does your internal audit function have a clear remit, for example an internal audit charter?
- Do your service organisations provide internal controls assurance reports and, if so, do you understand the scope of these reports, the extent to which they apply to your scheme and their limitations?
- Have you considered agreed upon procedures to obtain comfort over specific procedures and internal controls?
- Have you considered other accreditations and certifications obtained by your service providers?
Disclaimer
ICAEW will not be liable for any reliance you place on the information in this material. You should seek independent advice.