Skip to main content

Your browser is out of date, and unable to use many of the features of this website

Please upgrade your browser.


This website requires cookies. Your browser currently has cookies disabled.

Internal controls and managing risks

Public service pension schemes need to have good internal controls. They are a key characteristic of a well-run scheme and will enable risks to the scheme to be managed effectively.

The scheme manager must establish and operate adequate internal controls.

Key points

The scheme manager must establish and operate adequate internal controls that enable them to manage risks that relate to their scheme.

Your scheme should have a process to identify, evaluate and manage risks on an ongoing basis.

Internal controls

The scheme manager must establish and operate adequate internal controls to enable them to administer and manage their scheme in accordance with the scheme rules and the law.

Internal controls are systems, arrangements and procedures for:

  • scheme administration and management
  • monitoring that administration and management
  • the safe custody and security of scheme assets

Risk management process

You should use a risk-based approach and invest sufficient time and attention in identifying, evaluating and managing risks. You should also monitor controls to ensure that they are effective.

Identifying risks

You should use sources of information such as audit reports, service contracts, complaints and administration reports to help you identify areas of risk which could be detrimental to the scheme or members.

You should record the risks you identify in a risk register. See our example risk register:

Example risk register for public service schemes (PDF, 64kb, 3 pages)

Evaluating risks and establishing adequate internal controls

You should develop a process to evaluate the risks, in order to identify those that are critical to your scheme.

Your evaluation process should enable you to consider the impact and likelihood of a risk materialising.

The process should then enable you to implement controls to mitigate risks that would have a high impact and a high likelihood of occurring.

Managing risks

You should consider issues such as the following when designing internal controls to manage risks identified:

  • how the control is performed and the skills of the person performing the control
  • the level of reliance on information technology solutions
  • whether the control will stop something happening or detect something that has already happened
  • the frequency and timeliness of a control process
  • the process for reporting errors or control failures

Monitoring risk management controls

You should continually review exposure to new and emerging risks. This includes significant changes in or affecting the scheme.

You should review your risk register regularly and evaluate risk assessment arrangements, procedures and systems, including where there are significant changes in or affecting the scheme.

Public Service toolkit online learning

You can learn about internal controls and how to identify, evaluate, manage and monitor scheme risks in the 'Managing risk and internal controls' course. You must log in or sign up to use the Public Service toolkit.

Go to the Public Service toolkit

Check your internal controls

Use our checklist to evaluate your scheme's internal controls:

Internal controls checklist for public service schemes (PDF, 35kb, 1 page)