tPR General Code

Background

The Code is both a consolidation of 10 out of 15 existing codes of practice, as well as a significant update of the existing codes. The main two updates within the code are to establish and operate an Effective System of Governance (ESoG) and conduct an Own Risk Assessment (ORA). The 2018 regulations and subsequent general Code outline requirements, which includes the ESoG to be subject to regular internal review. There is also a need for occupational pension schemes to have ’a function which internally evaluates adequacy and effectiveness of the system of governance’ as one of three key functions alongside the risk management and actuarial functions.

With the Code coming into force in March and the impact it will have on pension schemes to regularly review the system of governance, it’s important for internal audit to consider how the function can act as a strategic partner providing support, insight, and innovation for schemes, and how to demonstrate the existence of an ESoG.

Internal audit is a provider of assurance
 

A widely utilised vehicle for obtaining assurance on the design and operating effectiveness of internal controls is through the implementation of an internal audit function. A number of large occupational schemes either have this in place already or rely on the internal audit function of the sponsoring employer.

Often referred to as the Third Line of Defence, internal audit is primarily a provider of assurance aiming to add value and improve operations by challenging and improving risk management, control, and governance effectiveness in an independent and objective manner.

What’s important for pension schemes is that the Code specifically references internal audit as an option for the provision of assurance over the effectiveness of internal controls. It highlights that although schemes may be relying on the internal audit functions of sponsoring employers to provide this assurance currently, these functions may not have sufficient pensions knowledge to perform an adequate assessment of a scheme’s operations.

How internal audit can support ESOGs
 

There are a range of internal audit structures available depending on the extent to which a scheme already has access to an internal audit function, and this may be driven by the size or complexity of the scheme. These internal audit structure options range from a fully outsourced internal audit service to a more bespoke, targeted service where assurance reviews are conducted in specific specialist areas on behalf of the governing body, often considered to be high complexity or risk, and outside of the skillset available internally. By leveraging internal audit resources, pension schemes can enhance their compliance with the Code, strengthen risk management, improve governance practices, and ultimately achieve their strategic objectives.

Internal audit structure options
 

As mentioned above, there are various options for structuring internal audit provision ranging from a fully in-house function through to an entirely outsourced internal audit function, here are some key considerations to ensure the correct function is in place following from the Code requirements.

In-house
 

As set out in the Code, there is an expectation that governing bodies need to demonstrate that their internal auditors have appropriate skills and knowledge of pensions to perform an adequate assessment of the scheme’s operations. This may mean that the skills residing within the sponsoring employers internal audit function may not be sufficient for the schemes needs.

Co-source
 

Supporting as an extended arm to an in-house internal audit function, co-sourcing can provide skills which can be supplemented with specialist resources to help deliver audit work requiring deep subject matter expertise in areas such as benefit administration, cyber security or risk management. Support can also be leveraged to help fill short term resource limitations.

Targeted assurance
 

For schemes where the governing body concludes that it is not proportionate to have an internal audit function, by virtue of scale or complexity of the scheme, governing bodies can commission individual targeted assurance reviews in areas of greatest risk or focus or where the scheme does not have access to these skillsets internally.

Outsourcing
 

Outsourcing internal audit activities and resources are undertaken by an outsource provider. This includes all aspects of internal audit such as planning and reporting as well as the responsibility for achieving the strategic objectives of internal audit. Outsourcing the internal audit function can provide a range of benefits, including cost savings, access to specialised expertise, increased efficiency, reduced risk and improved quality.

What should internal audit be doing?
 

For schemes to sufficiently meet the requirements of the Code and to establish and operate an ESoG, governing bodies such as Trustees will need to have confidence in how key risks are managed , and the extent to which the associated controls are designed and that they are operating effectively. The ability of internal audit to provide assurance to governing bodies over the design and effectiveness of these key controls can form an integral part of a scheme’s assurance framework.

How we can help
 

Deloitte offers a range of internal audit services for all schemes captured by the Code’s requirements regardless of the size or level of complexity. We would be delighted to discuss your internal audit and assurance needs with you.

Please contact Aaron Oxborough, Rob Scott or Kayleigh Sodhi.