Pension Fund Internal Audit - Extracting added value from the three lines of defense model

Whilst the IORP II Directive is not prescriptive of the structure of the IA function and we await further guidance from the Pensions Authority, it does require that the function must assess to what extent the internal control system and other parts of the governance system are adequate and effective. The function must be objective and independent of the other key functions and of executive functions, with appropriate reporting to the Trustee Board. 

Challenges that we see in the implementation of the internal audit function with pension funds

A number of considerations will be required by Trustees and employers when setting up their function.

1. Given their size, it will not be possible for a large number of pension funds to set up an IA function internally with the required combination of professional qualifications, expertise and skills. Organisations will need to consider whether or not this is a function to outsource or create inhouse.
2. The likely number of internal audits to be carried out and the nature of these will mean that in many cases they do not result in sufficient work for a full-time officer. Organisations will need to consider what volume of work is required and the appropriate staffing requirements to ensure they meet the requirements of IORP II.
3. The IA function is required to be independent and impartial. Organisations will need to ensure that their function is designed to enable this. 
4. It is plausible that the Pensions Authority, as with other types of institutions within the financial sector, will also look at the qualitative implementation of the IA function. A leading market standard used in such testing is the International Professional Practices Framework of the Institute of Internal Auditors (IIA). In order to effectively achieve this, organisations need to consider:

• Are there resources available for IA to deliver quality work and invest in, for example, innovation and automation?

• How to attract and retain qualified, expert and motivated personnel

• How to achieve the required quality assurance through reviews of internal audit activities by a second auditor, resulting in one auditor being unsatisfactory

•  How to meet the requirements for objectivity, independence, expertise and file management

• How to ensure the function contains the knowledge of the areas within the scope of the IA plan, for example knowledge of the sector, the business processes, relevant laws and regulations and IT.

Completion of all eight Internal Audit characteristics is important for effective implementation of the Internal Audit function. 

Our experience with IA and research among heads of IA and their stakeholders shows that an effective internal audit function has eight characteristics; 

• Business Alignment;

• Quality and Innovation;

• Risk Focus;

• Talent Model

• Stakeholder Management;

• Cost Optimisation; 

• Technology; and 

• Service Culture. 

By giving substance to these eight aspects, not only does the quality increase, but the stakeholders see more added value in their IA function.

What are the benefits?

On the one hand, you will now see the setting up of an IA function as an obligation to comply with IORP II legislation. On the other hand, an IA function structured in the right manner can add value for pension funds through:

1. A cost-efficient implementation of the IA function that meets generally applicable quality criteria for Internal Audit;
2. Providing insight for the Trustees and employers of the most important pension fund risks. Based on this, Trustees can make an informed decision whether or not to further explore a particular research topic;
3. More transparency and therefore more comfort for pension fund stakeholders; and
4. Raising risk awareness.

The key actions to consider now

With Trustees being required to issue a first compliance statement by 31 January 2022, now is the time for Trustees and employers to consider the following:

Assess your current Internal Audit function

Determine if your current in-house Internal Audit function has sufficient size, scale and expertise to meet and exceed the expectations of trustees.

Some pension funds may already have an IA function that can be leveraged to meet the requirements for IORP II, other funds may require more work to achieve compliance.

Set up and organise the Internal Audit function

When setting up the IA function, a number of adjustments will have to be made to the governance structure and specific documents will have to be drawn up from the pension fund, such as an internal audit charter, annual internal audit plan and standards for file management. Whether or not Trustees outsource the IA function or build it up in-house, it is important to set it up specifically from within the pension fund. 

A small internal audit function should also pay attention to the development of its quality. By (partially) outsourcing the IA function, it is easy to meet the expectations of the stakeholders, but also the quality requirements of the PA and IIA.

Execute risk based Internal Audit activity

Once the risks which impact the pension funds are defined through the risk management function, the audit activity will need to be planned on an annual basis to ensure that the function is addressing the key risks that the pension fund faces. Since audits within a pension fund can affect a diversity of components and expertise, we will provide IA experience, knowledge and expertise and specific knowledge of the subject matter of the audit. This can be both for incidental audits where your own IA function lacks specific knowledge and / or capacity, or if you choose to outsource your entire IA function.

Trustee training

Upskilling trustees will be vital in the effectiveness of the lines of defence model, understanding risks as well as the combined assurance obtained from these lines of defence. 

We are here to help you

PwC has extensive experience in the field of Internal Audit and the unique composition of pension funds. Where necessary, specialist knowledge can be deployed on parts of the IA process from our large, international network of experts. In addition, our historical focus on providing assurance ensures that we can efficiently and effectively help your pension fund fulfill its IA function. This means that the required assessment of the effectiveness of the internal control and governance system within your pension fund meets the necessary quality requirements as imposed by market standards. PwC can help your pension fund: 

• By helping employers and Trustees source candidates for the Key Function Holder roles as well as supporting the development and maintenance of an integrated risk and IA framework. 

• With setting up an IA function that is appropriate in the context of a pension fund by either providing specialist support to an existing function or acting as an outsource provider and acting as IA Key Function Holder (or Head of Internal Audit).

• By providing specialist pension, actuarial, outsourcing, IT security and other expertise to support IA functions or as outsourced reviews.

• By providing training and ongoing support to trustees as they look to obtain the most value out of their IA function.