Internal controls

General code in force: 28 March 2024

This module forms part of our expectations for trustees of those schemes required to operate an effective system of governance, see Systems of governance.

  1. Under section 249A of the Pensions Act 2004¹, governing bodies of certain schemes must establish and operate an effective system of governance (see Systems of governance) including internal controls. However, there are certain exemptions². The system of governance must be proportionate to the size, nature, scale, and complexity of the activities of the scheme.
  2. Under section 249B of the Pensions Act 2004³, scheme managers of public service pension schemes⁴ are required to establish and operate internal controls, which are adequate for the purpose of securing that the scheme is administered and managed in accordance with the scheme rules⁵ and with the requirements of the law.
  3. The legal obligations, in certain areas such as scheme funding and scheme investment, are different for public service pension schemes⁶. However, as far as these matters are either set out in the scheme rules⁷ or in the requirements of the law, scheme managers of public service pension schemes must establish and operate adequate internal controls in relation to them.
  4. Internal controls refer to all the following:
    • the arrangements and procedures to be followed in the administration and management of the scheme
    • the systems and arrangements for monitoring that administration and management, and
    • arrangements and procedures to be followed for the safe custody and security of the assets of the scheme.
  5. Before designing internal controls, the governing body should identify risks, record them, review them regularly, and evaluate them. See Identifying, evaluating and recording risks. The evaluation of risks will help the governing body to determine which risks require internal controls to be put in place to reduce their incidence and impact.
  6. The governing body should design internal controls which ensure that the scheme is administered and managed in accordance with the requirements of the law and the scheme rules. The scheme’s internal controls should also:
    1. include a clear separation of duties for those performing them, and processes for escalation and decision-making
    2. require the exercise of judgement, where appropriate, in assessing the risk profile of the scheme and in designing appropriate controls.
  7. The governing body should then make sure that their internal controls are documented.
  8. A scheme’s internal controls should be reviewed:
    1. in line with the timescales for own risk assessments for the governing body, who are required to carry out such assessments, see own risk assessment
    2. at least annually for governing bodies of public service pension schemes
  9. However, the review of controls can be staggered if they address different areas of a scheme’s operations or governance.
  10. In addition, reviews should also be carried out when:
    1. substantial changes to the scheme take place. These include changes to pension scheme personnel, service providers, scheme advisors, or administration and other IT systems
    2. a control is not working to the standard required by the law.
  11. A persistent failure to put internal controls in place could be a cause of an administrative breach. If this failure is likely to be of material significance to us in carrying out any of our functions, the governing body should submit a breach of law report. See also Decision to report.
  12. The governing body should be aware that an internal controls framework is not infallible and will not eliminate error or fraud from pension schemes. At any stage in a process where judgement is involved, the possibility of error remains. Similarly, a failure to understand how or why a particular control is operating or, more seriously, collusion to circumvent a control, is a risk that cannot be entirely removed.
  13. It is not necessary, nor possible, to eliminate all risks from a pension scheme. For example, some investment risks may be accepted by the governing body in their desire to seek greater returns.
  14. The governing body should decide what internal controls are appropriate to mitigate the key risks they have identified and how best to monitor them. They should exercise judgement, both in assessing the scheme risk profile and in designing appropriate controls to mitigate such key risks.
  15. The legal responsibility for internal controls always rests with the governing body, even if functions or activities are delegated to advisers or service providers. See also Managing advisers and service providers.
  16. The rest of our expectations for internal controls can be found in paragraphs 17 and 18 below.
  17. When designing internal controls, governing bodies should consider:
    1. how the control will be implemented and the skills of the person performing the control
    2. the level of reliance that can be placed on information technology processes (whether fully automated or not) and the testing of such processes
    3. whether a control can prevent future recurrence or merely detect an event that has already happened
    4. the frequency and timeliness of a control process
    5. how the control will ensure secure data management
    6. processes for identifying errors or control failures
    7. what would be appropriate approval and authorisation controls
    8. whether professional advice is needed when designing internal controls
  18. To maintain internal controls governing bodies should:
    1. regularly consider the performance of internal controls in mitigating risks, and where appropriate, achieving long-term strategic aims
    2. consider obtaining independent or third-party assurance about controls. See Assurance reports on internal controls.
    3. obtain assurance that service providers are meeting their own standards for internal controls. See Managing advisers and service providers.

Glossary and legal references

Public service pension scheme

Schemes as defined in s318(1) of the Pensions Act 2004, established under section 1 of the Public Service Pensions Act 2013, new public body pension schemes and other statutory pension schemes which are connected to those schemes.

Sponsoring employer

The employer, or employers, responsible for making payments to a pension scheme (see our Statement on identifying your statutory employer).

1 Article 226A of The Pensions (Northern Ireland) Order 2005

2 Section 249A(3) of the Pensions Act 2004 [Article 226A(3) of The Pensions (Northern Ireland) Order 2005]

3 Article 226B of The Pensions (Northern Ireland) Order 2005

4 As defined in section 318(1) of the Pensions Act 2004 [Article 2(2) of The Pensions (Northern Ireland) Order 2005]

5 As defined in section 318(2) of the Pensions Act 2004 [Article 2(3) of The Pensions (Northern Ireland) Order 2005]

6 As defined in section 318(1) of the Pensions Act 2004 [Article 2(2) of The Pensions (Northern Ireland) Order 2005]

7 As defined in section 318(2) Pensions Act 2004 [Article 2(3) of The Pensions (Northern Ireland) Order 2005]